#modules
I do nslookup -type=NS ns.inlanefreight.htb
doesnt work, but dig does. but I believe the issue is not mapping the IP address to the hostnames.
ns.inlanefreight.htb is the nameserver. if you did nslookup -type=NS inlanefreight.htb you should get ns.inlanefreight.htb in the response.
@lethal atlas still doesn't work
Got it. i was in the right place but wasnt paying attention
but dig works?
@lethal atlas Yes, not sure why nslookup isn't.
I mapped the proper hosts to IPs in /etc/hosts
ooooohhh i remember.. add the ip to the end of the command
the target ip
nslookup -type=NS inlanefreight.htb <targetip>
@lethal atlas Thank you! I answered most of the questions already i just wanted to figure out why that tool wasn't working. I tried that earlier but did it with @rustic sageip and this time just tried it with the IP and it worked
glad I could assist you

Hey, can someone help with this question in Active Directory Enumeration and Attacks module Assignment 2?
hi can u help me too, with this one?
I know the answer is in front of me but I'm past the point of overthinking it. I'm stuck on Login brute forcing, assessment - website question #2
I believe in you
I have the username, but the passlist doesn't turn up anything
if you got the right user the password should be in ||rockyou|| but if you still get nothing after a while or get some false positive check your fail string in hydra (the F= thing)
check under ||SCAN TECHNIQUES|| in nmap help and hint it isn't ||TCP||
thank you for the reply, rockyou has been running for about 25m now and nothing's come of it
I'm almost certain I have the fail string, because I was getting false pos originally, but I haven't gotten them since
that's weird if you are still stuck dm me your hydra command i'll help you with that
i found this video walkthrough online, the guy recording is a noob though:
https://rumble.com/vrjon5-hack-the-box-academy-login-bruteforcing-with-hydra.html
and a sense of humor! thank you so much
oh wait the guy in that video use the same syntax as @bitter comet but his work
almost identical, but it seems that I skimmed over part of the burp suite output
my fault, and thank you @vital adder @west canopy
Anyone able to give a nudge on Web Service & API Attacks - Skills Assessment? created a custom soap request but script seems to just hang
I'm doing the labs in the VMs though, and foxyproxy isn't preinstalled. Guess it makes more sense to do them on my own
pwnbox should have burp and foxyproxy ready to go
nope that's dumb the new pwnbox remove foxyproxy and that is F ing annoying also the terminal spawn you in /root so you have to cd out
no clue what changed then, I've had to install foxy each instance
So i am doing the "getting started module". I feel like a little kid that is learning all the chess pieces. Loads of fun.
tons of good info in there, I learned some new strategies going through it
hint ||you can use a payload show in previous section||
interesting , i just checked and it looks like you're right
and try using the terminal it will spawn you in /root
that's what I was doing but changing it. Mind if I DM quick?
sure
Have a look with ||Mimikatz on SQL01 for credentials||
Any hints for Footprinting HARD lab? I can't access mysql db, couldn't figure out password(figured out user's group being mysql)
Got it!
Can someone give me a hint in which directory I can find the flag of the Hacking Wordpress - Directory Indexing flag? I've been enumerating directories for 90 mins now and can't find it. Is it really in the /wp-includes/ directory?
we don't do that here
"directory listing enabled" mean you can view all file in that directory so find the directory that you can access file and look for the flag there and hint it isn't in ||/wp-includes||
Thanks for the hint. Another user here suggested that the flag indeed is in the ||/wp-includes/ ||, so I guess it's my bad to actually believe that. Apart from that, what is the sense in making an exercise that lets you easily go down a path where you waste 90 min with no learning effect at all. Now I'm really good at changing directories after having "practiced" it for 90min. I feel really prepared for the exam now, wohoooo. How would I know that they wouldn't hide the flag in some sub-sub-sub directory of ||wp-includes||? Just one more example of HTB not caring about stating the point of the exercises clearly enough and wasting my (as in "the paying client's") time and money. This is so utterly disrespectful.
I really enjoyed this academy in the beginning, but over time I realize that I've become so frustrated and disheartened about the way the exercises are designed. I don't care if it's hard. It's supposed to be hard, that's how you learn. But "hard" is not the same thing as "having no clue about what you actually should do". And that problem cannot be solved by just saying "think outside the box" all the time. That's neither helpful nor funny (except for the ones who designed the exercises maybe, I don't know, maybe I just don't get their humor).
yeah some stuff on htb academy is a bit dumb especially the new pwnbox but in this case the question clearly said there is directory listing enabled so you need to find the directory that have directory listing enabled
i mean i still lost more brain cell on htb academy then tryhackme
You're one of the many nice people here who (thank god) help people like me when the exercises are not made well enough to understand them, so thank you. I'm not arguing against anything you say, and you're absolutely right, in this case, it was clearly stated what they want (not so in many other cases). The problem with this one is that there are just so many folders to look through, and that can take a lot of time with no learning effect at all. So, they should have reduced the amount of possible folders to manually sift through. What good does it do me to do the same (tedious) step 100 times instead of 10 times.
I guess this one was just the last bit that unleashed my rant, there are so many exercises that are either time wasting, or not explained well, or utterly confusing. So, I just couldn't hold it in anymore. It's super disrespectful from HTB's part.
ARE ANY PEOPLE HERE WHO CAN TEACH ME ABOUT SOME DANGEROUS TOOL OF TERMUX
IF ANY ONE CAN TEACH ME THAN DM ME
oh yeah you're right there is a lot of directory in ||wp-includes||
can i dm you?
sure
use terminal
Please can someone help me with CISCO IOS images..
Could somebody help me with the ATTACKING ENTERPRISE NETWORKS Service Enumeration & Exploitation
Question: Enumerate the accessible services and find a flag. Submit the flag value as your answer (flag format: HTB{ }).
I found with Gobuster the login page...tried to fuzz... that did not work... does anybody have a hint for me?
@timber hatch maybe try sql injection or default passwords
i would say far but not that far and i would not move on to college there is a lot of cyber security certifications out there i would go for that
hi someone that help me with a hint broken authentication bruteforce password please
Dm me
have you done the module? i've tried now also with sqlmap...no success. I dont know...shouldn't be that hard i think...but at the moment im stuck
there are other services than the web server
Sorry, can I ask you some questions about Active Enumeration and Attacks. Can't really understand one thing
Sure
Hello
Hi, I am stuck on Bruteforcing Cookies in question 2, I have my HTBPERSISTENT cookie decode it using URL and Base64 but after I don't know what I use to have it in plain text ? can someone help me ?
really... I thought i tried the other ports within the explanation of the module...
and at the end the conclusion was, only the webserver is left...
Dm me
The web server is still coming, but is not the right choice for this question
If anyone was able to get a sqli work on Web Service & API Attacks - Skills Assessment send me a DM. I solved it but with sqli
I tried
- ftp login with anonymous; there you see a flag.txt; can't open
- tried ssh connection with the following credentials: admin:admin, root:toor, admin:Welcome, admin:Pass123
- Tried to enumerate the smtp server with nmap -p25 --script smtp-enum-users --script-args smpt-enum-users.methods={VRFY} 10.129.68.4
and nmap -p25 --script smtp-enum-users --script-args smpt-enum-users.methods={VRFY} 10.129.68.4 and nmap -p25 -Pn --script smtp-open-relay 10.129.68.4 - connected with telnet; verified with VRFY that the user root exists and also www-data
- made connection with telnet to 10.129.68.4 110; tried user www-data; that gives me -ERR [AUTH] Plaintext authentication disallowed on non-secure (SSL/TLS) connections.
- tried rpcinfo 10.129.68.4 and have consulted hacktrick but found nothing.
could you give me a hint which number i should further investigate?
#rules No. 4 ;)
No 1
||ftp> mget *||
ok
hello everyone please need someone to help me on the metasploit module precisely on the session and jobs section i have precise question to ask
permission denied... tried to change permission with chmod... doesnt work...am I dumb? haha
Are you running from a local folder your current user has write access to?
can't really change the directory... with ls -la there is the file, and "." and also ".."
On your end
Make sure the folder you connect to ftp from you can write to without sudo
oh god...thanks....
Yeah, made that mistake myself!
thanks man.. but i think on my own kali i never had that problem...
It happened to me on my kali vm, I rarely use pwnbox
ok. thanks. learned something new :)!
yo question!
ive been working on this animation for 4 years though quarter half of it is nearly finished know how to speed up the process?
the default pwnbox directory in your terminal is /root which isn't writeable by your htb user ^^
Should probably be changed
I've seen like 3 people with this issue already
Anyone have any advice on how to properly use ffuf? I am on the web information gathering module for HTB academy. Currently on the vhosts part but I am stuck on successfully using ffuf. The following command gives me output error "ffuf -w /opt/useful/SecLists/Discovery/DNS/namelist.txt -w www.inlanefreight.htb -H "Host: FUZZ" -fs 612"
FUZZ.inlanefreight.htb
@iron basin look for the content-length
-fs is filter size!
@rustic sage I tried that, am I supposed to put that with the -w flag or like this: -H "Host: FUZZ.inlanefreight.htb"?
ye i have is filter 612 as the module said its the default response length
In the host header
@rustic sage you need to have content-length to use -fs
@placid quest Ye I am just not able to have it to operate properly
@iron basin To get the content-length you need to use curl and grep the content-length
Or you just run it for a few seconds and see what is coming up most of the time!
Which can be useful for fuzzing attempts where the fuzzed input is included in the output and you may need to filter by word or line count
Dm
Hmm, gonna have to keep working on this. @placid quest I am trying this now, Ill keep working on tryin. Thank yall for your help
Have you done the ffuf tier 0 module?
@rustic sage No, was working on the web information gathering module. Think ima go give it a gander cause I finally got ffuf to work but still a little confused.
Hey Guys,
Going through the Priv Escalation Module. I am trying to follow this based on the description given. I was able to SSH in and after 1 hour transfer my linpeas.sh file over. But failed due to having no permissions. I managed to get access using chmod but it didn't seem to do anything when i run the file.
Looks like i run out of time and had to reset the box. Now i can't seem to scp it over. Once the command has been run, nothing shows up on the victim's box like it did before. Am i doing this section correctly?
Just need a nudge in the correct direction.
https://academy.hackthebox.com/module/77/section/844#questionsDiv << Link to module
No file transfers are necessary in this section.. in fact i think the box is configured not to allow file transfers last time i tested.
gotcha, i'll take another look at it.
we should be able complete the exercises using techniques shown in the section
yeah it showing to use Enumeration Scripts, which is what i was attempting. But must be another way to do so
You should be able to upload the script using a simple webserver on your vm and wget it from the target
yeah i tried that, but just get a returned connection error
I don't remember the exact process, have you tried using a common port like 80 for the webserver?
Yeah just get a `unable to resolve host address`
Normally i would just look via nmap but the IP doesn't show any ports. shows as offline
open ports is not the issue, you're connecting back from the target, so its about ports that are blocked by a firewall
I'll have a dig around, thanks
Just loaded it up again, and jared is right. maybe look at how you can enumerate manually?
hello, i'm new in htb community
i try to do Academy\Windows Fundamentals but i'm stuck at this question :
What is the name of the group that is present in the Company Data Share Permissions ACL by default?
i got all other question, can someone help me ?
Yeah i was looking at the now
docker targets typically dont need to be nmapped as they will just have a single port open
gotcha cheers
Looks like the default group might be...|| Everyone ??||
OH, i just misunderstood the question...
thanks you
till now at the academy i always used the browser based workstation, is it also possible with the own kali?
yes you can use a VM, just need to download a vpn key
https://academy.hackthebox.com/vpn
thanks
It was interesting for me and i am not sure that such themes are discussed in this channel. Does the Junior Penetration Tester Path make you real junior penetration tester?) And are here any people who got the job after finishing this course and making some machines? I mean this path seems to be kinda hard, but I haven't got experience in this field to know exactly what level it gives to you
@brave prawn you need to practice more
how did you solve this?
Error running chisel on victim: ./chisel: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.32' not found (required by ./chisel)
anyone can help on how to fix this?
use a compiled one
i used socks4 i think
and use the right binary i took the wrong one lmao
i had the same error when i compiled the binary on my kali vm, when i compiled on PwnBox it worked fine
thanks, i am past that and now stuck on errors on ptunnel-ng on client
thank you sir
np gl man
RDP and SOCKS Tunneling with SocksOverRDP - RDP to host with proxifier is taking forever saying "Configuring Remote Session". I have even changed to "modem" under "experience". any suggestions? nevermind
Any nudge on the hard lab in nmap module, please? I think I established the port but I can't get past the firewall.
||I think the target port is 990 (ftps). I tried setting source port to 53, using decoys, setting a source ip to some ip which should be in the target's subnet (cannot establish the connection then) and different types of scans (SYN, ACK)||
I'm stuck with the Web Service & API skill assessment. I can do the ||SOAP Action spoof||, but I don't know how to go on from there. I tried|| fuzzing the parameters||, but no luck.
I'm confused about how I cut put the steps from the lessons together to solve this. Any help would be very appreciated.
Hi
hint check the re-check the ||Firewall and IDS/IPS Evasion|| section and if you still can't get it feel free to dm me
did you use any ||payload from SOAPAction Spoofing?|| and if you already got RCE the flag ||should be in one of the file||
Found it. Thanks a lot (again).
hi @cyan parrot @swift dune sorry for the ping but i think i found the intended way of exploiting the sql vuln in "Web Service & API Attacks - Skills Assessment " to get the flag and like the questions said you will need a "proper SQLi payload" mean if you send a request that doesn't have any kind of sql injection payload the server will hang so you can't test with normal cred and you also need to send it in a valid xml format
Hello everyone ! I need help on this :
Module (Shells & Payloads) Section
(The live engagement #host
the live engagement host#3.
I managed to get an aspx webshell on the target because on its HTTP port we can upload files and execute it.
But the user I land in has no rights at all, I can't move can't upload nothing
I tried Windows escalation privilege on Hacktricks but I don't manage to get it
What kind of Windows is it? Maybe you can find an exploit for it? A very well known exploit...
I tried psexec eternal blue module on Metasploit but it says "The exploit sucess but no session was created"
And also I checked the SMBV1 shares are disabled on the target so I can't do it #help
Try it with this Module ||exploit/windows/smb/ms17_010_eternalblue||
Ok I will try thanks, coming back !
Thank you very much it worked ! sometimes my mind gets confused xD, spend a good week-end !
Hey, I have some troubles with Web Proxy Assessment. I am sure that payloads built correctly, but I am not getting even response codes or some bodies with error html. Can someone help me to solve the problem? The result cookies are exactly 88 characters long as they are needed to be
Feel free to DM me
hello
i work on the module attacking enterprise network
currently i am at the section Web Application Enumeration and there I try to upload a reverse shell with the help of burp.
when you try to upload then it says php is not allowed, with the help of burp you change within the repeater the content type to image/png and then you should be able to upload the shell.
I mean the i get a response with 200 status ok...but with curl i am not able to interact with the shell.
so i think it did not work. anybody knows why?
when i curl i get the the response 404 not found, so i think the upload with the repeater did not work. but why...?
Which question are you on?
Web Enumeration & Exploitation is the chapter and than HTTP verb tampering.
i suppose the second question should i be able to answer after i am able to upload a shell
This Question?
Exploit the HTTP verb tampering vulnerability to find a flag. Submit the flag value as your answer (flag format: HTB{})
yes
If so, you can upload a WebShell exactly as explained in the module.
Do step by step exactly what the module shows.
iirc for the entire web section in Enterprise Networks i was mostly able to just follow and recreate the steps
some of the later sections definitely threw me for a loop though
yeah i mean i thought i did...that's why i can't explain why it's not working..
but i'll watch it again
response:
HTTP/1.1 200 OK
Date: Sat, 17 Sep 2022 14:13:16 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 1
Content-Type: text/html; charset=UTF-8
Via: 1.1 dev.inlanefreight.local
Connection: close
that's the response from the repeater after sending the request with the shell, seems that to be okay?
Is there any schedule for upcoming Academy modules?
You should get the message "File uploaded /uploads/5351bf7271abaa2267e03c9ef6393f13.php".
there are several modules currently in development and should be released october/november i believe
can you let me know specifically which question # you are working on? I can check my notes and see what it looked like on my end when i went through it
Yeah
Any hints what modules there will be?
let me make sure i wont get in trouble first lol
okei I give up. Does not work
here are the steps i have in my notes
i was a bad boy and named the file shell.php instead of a random hash value
thank you...i see my mistake....
It has two Content-Type and I always changed the upper one, but at the bottom it also has one and that should be changed...
Annoying I should have seen...and tried....
np, hope this helps!
Anyone able to help out with the Session Security Assessment. I am pretty sure I am doing the right thing at the provided endpoint. I have the admin browsing to my hosted payload and pick it up, but he's not being very nice and dropping off his cookie like I asked him to...
Hey, great advice! Thanks! But when I put the ||XSS payload on Julie Roger's profile|| and test the ||"cookie stealing" by clicking on "share"|| it works great, I see the ||auth-session cookie in the php server log||. But when I request her profile page via the API endpoint, the server log just says|| "GET /script.js"|| and shows nothing else. I must be missing something but I don't see what. Any advice?
thats super weird... are you on PwnBox or VM?
On VM.
maybe ||respawn the target, make the api endpoint visit her page prior to the XSS so it can generate a session cookie, and then try the attack again?||
Will try. Thanks.
we can also do it without ||script.js|| i think , but exactly how to do it and what it looks like i couldnt tell you
I got it. My bad. I put the wrong IP in the ||script.js|| file. I put in 127.0.0.1 instead of the tun0 IP. So, the ||script.js|| got called, but not the|| index.php|| afterwards.
Hello, can anyone help me with the "GET" module from "Web Request" section, I can't find the flag
Can I ask someone a question about Attacking Web Apps with Ffuf Assesment?
help needed if can. stuck on pivot, tunnel skills assessment 5th question "For your next hop enumerate the networks and then utilize a common remote access solution to pivot. Submit the C:\Flag.txt located on the workstation."
Transferred |lsass.exe| to my machine but cracking with rockyou provided nothing.
hey there, need a little nudge on Network Enumeration with Nmap, lab 11 (Firewall and IDS/IPS Evasion - Hard Lab)
I've tried all possible decoy combinations, no avail
have you done an ||all tcp ports|| scan? we definitely need to|| spoof our source port to masquerade as a trusted service.||
yes, I know that the "service" in question is using TCP now, I also did the source port spoof like you said, still says "filtered"
or am I missing something?
DM me
sure
Hey fellow hackers, im stuck at the IDOR enumeration, my bash script is not working and I don't really understand why, someone could give me a hand?
Web Attacks - Mass IDOR Enumeration?
i just ||fuzzed the uid parameter in burpsuite||
Got it, let me try that
So we can use this search.php to search for different city names... what if we just|| search for "flag"|| ?
It was really easy, thanks @west canopy
htb-student is not in the sudoers file. This incident will be reported.
why does it keep getting reported
@west canopy hey, thanks about the GET problem, but could you help me with the next one? "POST"
Thats just the default text when you try to sudo without being in the group
Usually just gets logged somewhere on the machine
linux always finds a way to make everything sound scarier than it is
Or anyone
fr
Flag should be coal.
Is there anybody who have troubles with target machine? Can't ping machine almost 2 hours. Tried to restart hundreds of times, but nothing
@brave prawn check your vpn
i am on the pwnbox
Change the server of vpn@brave prawn
what? i am not using my local machine, but virtual environment by hackthebox
I don't understand wtf....
docker targets aren't pingable
that s not about ping only, i can't access the url now that could access 2 hours ago
i am on the pwnbox
after banging my head, i got the root flag on the last section "getting started". that feeling tho
Seriously though, knowing what I needed to do, but then getting it to do what I want and get the exact subtle command right. I need a nap
same thing if i curl externally. PS I added this domain to hosts
Is anyone able to help with "Active Directory Lab" - the "Credentialed LDAP Enumeration" section. The last question, is asking which userAccountControl bitmask for 2 specific properties. I have validated I have the right decimal values from 3 separate websites, including Microsoft, and no matter what I type, its not accepting the values.
OMG I am an idiot, it was literally asking to add the two together, and provide the cumulative bitmask. I spent 2 hours for such a silly mistake. Disregard
I spent 2 hours today on asking why the "shell command" didnt work on meterpreter, turns out, it just didn't show a prompt or anything. you can just start typing. 2 hours of breathing. Just gone into black abyss of cold space.
Its always something silly
I think we're all idiots its just matter of being less of one as time goes on
or trying to lol
I just spent 10 minutes trying to figure out why I couldn't LFI /etc/passwd until I remembered I was on a windows box, so yeah always something silly :D
Can anyone assist with common services easy lab? I am having trouble figuring out how to upload my shell to the web server.
which module is this and what is the section name of the module?
i think that's the common services module skills assessment easy lab
if you are trying to upload your shell with the ||ftp|| method you will need to use a ||php payload with powershell|| and for the location recheck the ||ftp|| section, the directory in the example is at ||C:\ || and try to upload your shell it in to web directory
Any Brazilians here?
I have a problem with wpscan (for Hacking Wordpress module, Skill Assessment). When I try to scan the target it says, "Scan Aborted: The remote website is up, but does not seem to be running WordPress." (on my VM)
On Pwnbox, I get a ton of error messages (see screenshot).
I researched the problem here, someone said, "it's DNS", but changing my DNS in the network settings didn't help.
Any ideas, anyone?
Take a good look at the website. ||The main page is not Wordpress||
first for the wpscan the new pwnbox break it try running just wpscan you will get the same error to fix that just re-install wpscan with sudo apt-get purge wpscan -y && sudo gem install wpscan
oh wait didn't you already done this section? the last time you ||know that page isn't running wordpress||
No, I haven't done the skill assignment yet. I asked about the same problem a while back, though, but didn't get any answers so I did other assignments meanwhile.
Thanks, I'll take a closer look.
ok that's weird the last time you did the directory listing enabled thing and you did access some wordpress stuff which you can't if you didn't found the site
Oh, now I know what you're talking about. The last one was another exercise from the wordpress module. This one is the skill assignment from the wordpress module.
ohh
Anyone knows where to report the constant crashes of the "File Inclusion" skill assessment machine? At least on my side it crashed every couple of minutes, which makes doing the assignment virtually impossible. I've complained about it in the past and did other assignments meanwhile, but it's still the same. Does anyone know who best to contact about these problems?
Support
Hey, can someone test target machine on Attacking Web Application with FFUF Module Assesment? I think there are some technical problems with it...
what's the issue?
@brave prawn If your problem is that u cant find hosts read this again: https://academy.hackthebox.com/module/54/section/500
I have already found vhosts and made almost all questions, but in one moment the target stopped to response
Target machine doesn't response. I added vhosts to /etc/hosts, but not able to curl something
time limit?
I restarted the target, pwnbox and my device multiple times, nothing
anyone can help me with this question "Crack the following hash: 978078e7845f2fb2e20399d9e80475bc1c275e06 using the mask ?d?s." I tried using hashid to fine the hashing mode but nothing works any hint ?
can someone help me with this question: Enumerate the custom script that is running on the system and submit its output as the answer. It's under the snmp portion of footprinting
Hi, im at 'Skills Assessment - WordPress' . And i try to put in the /etc/hosts on my VM not on the HTB VM. I try : 10.129.2.37 blog.inlanefreight.local / 10.129.2.37 inlanefreight.local / 10.129.2.37 inlanefreight.HTB . The page not open, the connection take too long to respond.
be sure to specify http:// in your browser
Not working
hey, can I dm you about Login Brute Forcing Module Website Assesment?
sure
i believe its a ||SHA1 ||hash
What are you struggling with exactly? I believe we just need to grab the right banner with ||snmpwalk||
just tested on my kali VM, working fine on my end
What you put in /etc/hosts ?
Something block i do not know what, i keep search. Tnx for the help. maybe the firewall settings
do i not need to use onesixtyone or braa?
Hey, what should I do if the target ip's that HTB gave me are unreachable?
I am in the Getting started module, the "service scanning" challenge
@shrewd wasp change the vpn server
OK, so I'm trying to do the "File Inclusion" skill assignment on the target machine that breaks down every couple of minutes. But I'm eager to get it done since it's the last skill assignment missing for the bounty hunter path.
Problem is, I've spent hours and days going through the stuff in the lesson, but I can't find the injection point or "hidden things" that other commentaries are talking about. Judging from other commentaries it can't be too hard, but I'm just not seeing it.
Any hint would be greatly appreciated. Thanks.
Dm if you still need help
Hi, thanks for offering help. Am I right that either the "||page||" or the "||message||" parameter must be LFI vulnerable or am I looking in the wrong place? I know that "||page" filters commands that contain two ".."||.
i know you already got help with this in the dm but if you or anyone esle need help with this part there is actually something in the cheat sheet that you can use for this part
also one of the parameter that you list are the right one so you may need to put spoiler tag on both
I hope you learnt about encodings correctly in File Inclusion module
For hint i would say, find visible pages name on the web and just use that || page || with encodings to read the source
Thanks I will try that
I am working on the Hacking Wordpress Assessment, and I have all of the questions answered except for this super vague one:
Use a vulnerable plugin to download a file containing a flag value via an unauthenticated file download.
And the hint is a bit silly, can anyone help?
I have a stable reverse shell and ran find / -name "*flag*" 2>/dev/null which showed nothing...
Nothing I haven't already found, anyway.
Doing grep -rn "HTB{" / 2>/dev/null but I feel as if I am missing something really obvious...
Also, I did run the scan with an API token...
I found it.
Took a little digging into the results for anyone looking back at this from the future....
In the using web proxies module, setting up proxy chain sock4 with https 127.0.0.1 8080 throws an error even though the instructions say to use that set up?
nope
Hello happy to Start learning with you
can I get help with this question in footprinting - ipmi: What is the account's cleartext password? I found the hash but I'm unsure how to get it into cleartext. I've tried using the hashcat command as it's given to us but I think I'm missing something
whats the hashcat command your using?
hashcat -m 7300 ipmi.txt -a 3 ?1?1?1?1?1?1?1?1 -1 ?d?u
i also tried using ipmi_passwords.txt
Might want to use just straight wordlist attack using switch -a 0 and the popular rockyou.txt wordlist
are you saying like this: hashcat -m 7300 -a 0 ipmi.txt OUTPUT_JOHN_FILE
hashcat -m 7300 -a 0 ipmi.txt /usr/share/wordlists/rockyou.txt
hashcat -m 7300 -a 0 ipmi.txt /usr/share/wordlists/rockyou.txt thats the default file path to rockyou.txt wordlist in kali
Hey, is there a word list that parrot or the vm have that is a good word list for vhosts?
i usually use a wordlist from Seclists/Discovery/DNS
Thank you @west canopy
Go pack Go
So I'm working on Active Directory Enumeration and Attacks and I'm in the ACL Enumeration section. Trying to figure out the last question, about the ObjectAceType that the forend user has over the GPO Management group. I'm trying to use Get-DomainObjectACL, but it keeps freezing on me. Can anyone give me a quick bit of help?
yes the command hangs, i was able to find the solution with google
Word. I'll look then. Thanks!
Heyy frnds
I am new here
And I am trying to start my career in cybersecurity......so can anybody help me out to .......
How and when should I start my new career
Please some of this server suggest me about it
@odd kayak https://www.youtube.com/watch?v=lhz0-qAQlBM
Bruhhh I had already seen these type of stuffss
But I want suggest from a Hacker
That how he /she had started his/her career
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
alternatively, just do CTFs
Hi - Start off with verifying /verify. This allows you gain access to more channels and ask your question in a relevant channel
This channel is for HTB Academy
Please see your DMs for instructions on how to verify your HTB account.
Sorry
Having issues with the broken auth module - bruteforcing passwds. I found the minimum policy needed, cant find the right passwd and keep getting rate limited. What am i doing wrong here? Thankss
Hello, could i get some help please?
I'm trying to do the last question in the getting started module in the service scan section.
For some reason i can't seem to get the flag.txt file but i keep getting the "Error opening local file flag.txt"
Did i miss a step?
@muted hull try get * or get . Also maybe do a dir first to check for available files
I end up with "get <filename> [localname]"
does that mean i must put the bob user?
i.e. "get flag.txt bob"
edit: didn't work either
woops forgot to include error section
well error still the same
@muted hull get flag.txt flag.txt
I replied to my own post a few minutes ago @mellow turtle
I found the pwd but the challenge isnt working properly
A*?
get flag.txt
hello mohit, please refer to
Not either, but tropkal did say the challenge isn't working properly
so it looks like we should give up
i dont think so
I think he said the exercise he was taking isnt working properly
try this "get flag.txt /home/{username}/Desktop/flag.txt"
maybe its trying to write a file in a folder without permissions
Mohit's answer should be correct too
Why didn't it have permission though
idk, maybe u are trying to write a file in / without root privs
i didnt taked that module yet
i need help on finding someone's ip address
For what @pliant panther
good question. some guy is saying he is gonna hack my account and sending me threats
spamming accounts
Call the police
okay
hi folks, need a little nudge with exercise 8 in the Footprinting module of the pentester path
What is the FQDN of the host where the last octet ends with "x.x.x.203"?
I tried all DNS seclist files on pwnbox but no luck
@forest fulcrum do brute force on dev subdomain
-.-
that should have been in the challenge hints
thanks @placid quest
one more quick question: where is this list provided exactly?
@forest fulcrum look on the resources
@mellow turtle @muted hull no i wasnt referring to your challenge, i was referring to my own which was pwd bruteforce because after finding out the pwd policy you get around 15 pwds to test and you almost immediately get banned because of "too many tries"
And i dont think that works ok because the good pwd you need to find gets put at the end of the wordlist when you build it so 100% of the time right now you'll get banned b4 actually trying out the good pwd
You shouldnt be banned in a pwd bruteforce challenge after 5 automated requests in a list of 15 like come on
Hey, can someone give a hint on SQL Injection Fundamentals Assesment? This module's sections seemed to be easy, but here I can't even login with injection...
@brave prawn what is the problem
can i dm you?
@brave prawn yeap
already wrote to you, maybe you are offline or you don't see because of settings, anyway
is anyone online that has completed the Skill Assessment - Broken Authentication? I've got the user and a pass list but must be missing something as nothing in my pass list is working
@eager rivet
it was probably the local directory you were in on your vm. If you didnt have write permissions in that folder the get command would not work. Make sure you are in your home folder next time
i see
how would i do that?
i just opened bash and started smbclient
wait
unless i had to sudo?
chmod or sudo @muted hull
@muted hull before you connect to smb in terminal do cd ~/
then execute smbclient and try to get the flag
Dm if your problem not resolved
I still need help with the first question of skills assessment in Intro to Assembly Language.
You need help with ASM?
yes
What's the question?
I have pulled the shellcode out of the data section, but I can decode it as 32 or 64 bit and the 32 bit has commands not discussed in the module.
I haven't been on HtB for years, so I'm not sure about the modules etc. but I do have Assembly knowledge. What did you use to decode to opcode?
can I dm you?
Sure
please is anyone online that has complete the metasploit module ??
@latent sage what is the problem
in the module footprinting in the smb section there's a question that ask to find out which domain the server belongs to. I've been searching and i don't find anything. Can I get a hint ?
already solved, thanks
@maiden field use enum4linux
thanks i completely forgot about that
i have difficulties completing the session and jobs section
hi can someone help out?
I've been trying to "get" flag.txt from Bob, but it just never downloads. it's speed is 0 and i never get a confirmation for the completion of its download
also, how long does a nmap -p- scan take? it's been over 30mins.
Nmap -p- scans all ports
yeah, i get that.
So it can take a long time. Really depends on what you are scanning
Usually you don't need to do a full port scan tho
well thats kind of painful, considering this module needs me to find thru all the ports.
what about flag.txt?
Service Scanning
In the Nmap module ?
yeah, thats what the hint says and thats what the question implies.
Dm
I'm getting a bit different pwn box
like it doesn't have useful repos and all
any idea how to get to the previous one
I could use some assistance with foot printing easy lab (https://academy.hackthebox.com/module/112/section/1078) I've scanned for ports, found three open. scanned the first open one with all nmap scripts and logged onto the service but i can's list any files. I also tried using the given creds to ssh in but obviously that wont work lol.
I'm having problem with the ERC plugin in Windows Stack Based-Buffer Overflows 'Controlling EIp' section. I've done buffer overflows many times so I understand that I am supposed to do 'ERC --pattern o B5eB'.
However because the ERC plugin isn't working for me I can't get the flag.
There's should be more ports. Did you try scanning all ports with nmap?
Can I DM?
is anyone having issues with the IMAP exercises?
server isnt responding to curl and not showing the correct results with nmap
I ran "nmap -A <target ip> -p- " on my first scan I'll try running it again though
@forest fulcrum can you ping the ip
I can
this is not how TLS response should look like
and this is curl curl: (35) OpenSSL SSL_connect: Connection reset by peer in connection to 10.129.193.197:993
@forest fulcrum that looks like nmap results
should look something like this no?
```
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: AUTH-RESP-CODE SASL STLS TOP UIDL RESP-CODES CAPA PIPELINING
| ssl-cert: Subject: commonName=mail1.inlanefreight.htb/organizationName=Inlanefreight/stateOrProvinceName=California/countryName=US
| Not valid before: 2021-09-19T19:44:58
|_Not valid after: 2295-07-04T19:44:58
143/tcp open imap Dovecot imapd
|_imap-capabilities: more have post-login STARTTLS Pre-login capabilities LITERAL+ LOGIN-REFERRALS OK LOGINDISABLEDA0001 SASL-IR ENABLE listed IDLE ID IMAP4rev1
| ssl-cert: Subject: commonName=mail1.inlanefreight.htb/organizationName=Inlanefreight/stateOrProvinceName=California/countryName=US
| Not valid before: 2021-09-19T19:44:58
|_Not valid after: 2295-07-04T19:44:58
993/tcp open ssl/imap Dovecot imapd
|_imap-capabilities: more have post-login OK capabilities LITERAL+ LOGIN-REFERRALS Pre-login AUTH=PLAINA0001 SASL-IR ENABLE listed IDLE ID IMAP4rev1
| ssl-cert: Subject: commonName=mail1.inlanefreight.htb/organizationName=Inlanefreight/stateOrProvinceName=California/countryName=US
| Not valid before: 2021-09-19T19:44:58
|_Not valid after: 2295-07-04T19:44:58
995/tcp open ssl/pop3 Dovecot pop3d
|_pop3-capabilities: AUTH-RESP-CODE USER SASL(PLAIN) TOP UIDL RESP-CODES CAPA PIPELINING
| ssl-cert: Subject: commonName=mail1.inlanefreight.htb/organizationName=Inlanefreight/stateOrProvinceName=California/countryName=US
| Not valid before: 2021-09-19T19:44:58
|_Not valid after: 2295-07-04T19:44:58
MAC Address: 00:00:00:00:00:00 (VMware)
```
cert details contains answers to some of the challenge questions
Cert has no answers to the questions
can I DM you?
Yeap
Need some help with whitebox pentesting syntax errors section. I have the right command connector and I have a successful ping but can't get any other system commands to execute
Can someone help me with a question from the web request module?
I for some reason can not get a DNS version for the medium module in the NMAP module, I have used multiple flags, scripts and the only version it will come up with the the NLnet Labs NSD as a version an that isn't the right answer
$sudo nmap -sSV -p 53 10.129.2.48 -D RND:50
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-19 15:59 EDT
Nmap scan report for 10.129.2.48
Host is up (0.045s latency).
PORT STATE SERVICE VERSION
53/tcp open domain NLnet Labs NSD
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.79 seconds
basically i'm running a curl get request on a web server but i'm not getting any output for some reason
@rustic sage did you read the man page of curl
your request is not formed correctly
Anyone know i can't connect or ping a machine in a specific challenge?
anyone can help me with "nest" machine? im facing problem with smbclient ??
Solved it
vpn ?
Stuck on the skills assessment for "Shells and Payloads." I have solved 2 machines though. Just need to confirm if I'm on the right track. Any help is appreciated!
I can try helping out
What is the issue?
So I was stuck on the second machine. The one where metasploit module was always crashing on some split error. I tried assigning the vhost and it worked.
Thanks for offering help though @raven cairn!
I have a question regarding machine 3 on "Shells and Payloads." There is an upload functionality on the webpage where you can upload files. I uploaded the Antak web shell and got a working web shell. However, the intended way was to exploit a known vulnerability. My question is, I was unable to view any files under the Administrator directory from the Antak webshell, but could see them very well in the meterpreter shell. How does that happen?
So I'm working on the Abusing ACLs section of the Active Directory Enumeration & Attacks and when I attempt to use Set-DomainUserPassword it tells me that it is unable to find user 'damundsen', which would make sense if it didn't seem to be necessary for this section.
anyone around finish windows priv esc skills 1?
i put it in as you gave me and got this "Hash 'ipmi.txt': Separator unmatched
No hashes loaded.
did you run the command from the directory that contained ipmi.txt file you put your hash in?
could also mean the mode your using -m 7300 might not be right for the hash
can use a program called hash id using command "hashid -m <hash> "will show the hashcat mode of the hash if it can identify it
no i was running it in the root directory
youd need to cd into the directory containing the ipmi.txt file or you can specify the file path as was done with the rockyou wordlist
I've tried every tool, and even found one subdomain with elephants using the SecLists wordlists but it wasn't it. I've found it by using https://subdomainfinder.c99.nl. BUT it isn't at first sight, so I suggest reading all the page
Hey can anyone help me out with finding the FQDN of an ip I've tried dig and can't get any kind if info
i tried this "hashcat -m 7300 -a 0 ipmi.txt /usr/share/metasploit-framework/data/wordlists/ipmi_passwords.txt" and i get the same error. I must be missing something but I don't know what
hashcat -m 7300 -a 0 ||4af9ee3a82040000c70d59c758d07070f8805bc997c280c6eb48ba0868237f937bc6e631eed477e6a123456789abcdefa123456789abcdef140561646d696e:32b3335b435c8f8b13c0e23f200735606a654221|| /usr/share/wordlists/rockyou.txt this worked for me
Pls try to avoid spoilers
Hey! Im stuck on Footprinting DNS last Question. Regarding finding the FQDN of the host the ends with x.x.x.203. Could someone please help? thanks.
What's best setting up a server with Mac or Linux ?
Can anyone help with Footprinting FTP, Cant get the flag.txt file for the second question. Keep getting 331 Password required. Dont know the pass and cant seem to login anonymously
hey! You can DM me
I can help with that. DM me.
I can help. DM me.
Hello, I am stuck with sqlmap essentials case#5 I managed to get the flag but when submitting it I get that it is wrong answer
@lyric echo what is the problem
hey crean, I was stuck on the Footprinting DNS section.. last question, regarding finding the FQDN for octet ending in x.x.x.203.. but OverFlaw gave me some pointers and I just figured it out
@lyric echo you can brute force dev subdomain
Hello, I am stuck with the Password Cracking Skills Assessment Hard. I have the password for the first user and can rdp into the machine. ||However, I am stuck trying to exfiltrate a .kdb file from the machine (blocked by GPO)|| Would anyone be able to point me in the right direction?
try updog or download it with a meterpreter shell
Hey, can someone help with Sqlmap Essentials Skills Assesment? Can't find any POST or GET endpoints to run sqlmap on it(
EDIT: Someone who struggles with it, dm me)
DM me
Hey, I am stuck with BROKEN AUTHENTICATION -> Predictable Reset Token. I added a script to check a token for the htbadmin within an interval of +-1 second (I check in milliseconds *1000) but it doesn't work. I also noticed that the timezone is not the same between the machine and the website. I tried other timezones but it doesn't work. Can someone help? I can show the script in DM
What's updog?
it's like using python SimpleHTTPServer but you can also upload file
Need some help with the stability of the academy targets, where should i post ?
like youll be ssh'd on and they just die suddenly with no warning?
and your timer still has plenty on it
More or less... i am spawning a target and after around 2-3 mins i am starting to get connection refused... and the target is no longer working.
This is both with VPN from my own attack machine and the pwnbox...
Yo I gotta say that I've just manually pwned Sqlmap essentials case6 instead of doing it through sqlmap. I've spent hours trying different prefixes etc...Somehow it was easier to exploit it that way which is kinda weird I've you've asked me. Now I'm kinda confused because I got the flag but didn't do it as intended.
same boat. glad its not just me
Any reason for that ?
i figured it might have had something to do with my additional vpn. turning it off does seem to help but still some unreliability.
help someone. GTFOBins. busctl.
Doesnt give me much to work on for escalation...... or im just blind. can someone dm me pleasE?
for the intended way use the prefix tag in sqlmap with the stuff recommended ||'`)'||
I think I did that but somehow I'm missing something
i have the ||suffix|| tag with the ||risk|| and ||level|| set to ||max|| in my note but i think i did test it without those tag and it's working fine so i think the tag you need is just prefix but i'm not 100% sure
Ok thanks I'll try to play around with it a little more
hey, are you doing the task where it is said that you need to add ') as --prefix?
Yeah
are u trying `) instead of ')?
Yes
i will test it locally, 1 sec
anyone done the Info Gatering- Web Servers module for active subdmain enumeration?
Ok
yes
I'm a little confused if my resolving is messed up or if it's the design of the lab but if I try to query the domain with anything other than dig I get a timeout and there's no TXT records on any of the servers
have you tried a transfer?
yeah that's kinda where the kicker is for me, because none of the subdomain bruteforcing tools resolve anything and the two/three that return with dig refuse a transfer
did you put an entry for inlanefreight.htb in /etc/hosts?
yep!
can you ping inlanefreight.htb?
yep!
Good evening, i need help please. I'm on AD Enumeration & Attacks - Skills Assessment Part I Question 2. I already tried to bruteforce the open ports and i tried to upload powerview, mimikatz, rebeus, inveigh.ps1 and a few other things, but i can't get them to work on the webshell/remote box. I hope someone can dm me please with a big hint, because I'm stuck for about 2 days on question 2.
then your command must be off. Feel free to dm me and we can look at what you have without spoiling it for others
yeah I will just a little odd because I'm using the same commands that I used to solve footprinting which imo is supposed to be harder lol
I am still stuck on the skills assessment of intro to assembly. I am pretty sure I have the code right but I dont know how to get it to print out
it worked for me, dm
DM
Hey everyone, I am still stuck on the password attacks - Skills Assessment Hard. I was wondering if I could reach out to someone to get a nudge?
sure shoot me a dm if you still need help with that
Hello, in FILE INCLUSION module- Remote File Inclusion section (question), when I tried to gain remote code execution through RFI with http://<SERVER_IP>:<PORT>/index.php?language=http://<ip>:<port>/shell.php&cmd=id, with shell.php hosted on python http server, I get "connection time-out" error. Does anyone know what am I doing wrong ?
and did you see any request on your python server?
No, the page had been loading for a long time until it threw the PHP connection time-out error
i mean on your python server do you see any request from the target ip
No
was anyone able to help me with that elevation?
Linux Local Privilege Escalation - Skills Assessment
Flag 5
User can run b**ctl as root. but i cant seem to use it... im doign it wrong.
DM me?
I may not have solved it the way it was once intended. But I got root.
Carlos Polop is your friend. With the help of his scripts you should find a ||CVE|| which you can use.
hi, im at footprinting LAB2, i cannot find the password of the username HTB, in fact i stuck right at beginning. anyway can give me a hint?
make sure you ||upgrade your shell with the python one liner or the gtfobin won't work||
check the what service is running on the ||lowest port|| from your nmap and go from there
ill have a look
Hey can anyone give me help with the file inclusion skill assessment. I keep breaking the server when I put the php in the User-Agent. I also for the ||/proc/|| I tried to poison that but broke it there too. If someone's free can you walk me through?
you mean 111?
||yes|| and you may want to put some spoiler tag on that
im new here so idk about spoiler tag, how you do it?
Can anyone give me a clue for: nmap firewall and ids/ips evasion, the lab?
@wide river use the double "||"
||ok
"oh"
So do that in the front and back
for images use this
@vital adder did you finish the file inclusion?
hint the log file you need isn't in ||/proc/||
yep
I found ||/access.log|| too but I break it there too
I tried curling it different headers
that should be the right one and also did you found that in ||nginx log||
Base64,URL
oh yeah can you send me the payload that you use for that
no you can't use encode for log poisoning
i have no idea why you got that but about the payload that you use?
you still need to put spoiler tag on this also i haven't ask if anyone else also have this issue yet but in the hard lab when you get the ||ssh key|| and you can't use it there is a chance that the ||key|| is corrupted and you can fix it quickly with putty but if you don't have it install or don't know how to fix it shoot me a dm with that ||ssh key||
For anyone interested humblebundle.com has a good deal on Linux material. They are ebooks (can be downloaded as .pdf)
python isnt on box. cant do it that way. tried the bash ones and nothing.
what about python3
i was sure i tried that.....
completed.... thankyou very much.
No Starch Press is the best, never been disappointed by their books
hi, its me again with the footprinting lab2 medium, this is where i am now but why it still say permission deny even when i use chmod? what should i do, tks
try it like this
$sudo mount -t nfs 10.10.10.10:/TechSupport ./target-NFS/ -o nolock
Any help finding the DNS Version in the NMAP module - medium lab would be much appreciated
try sudo mount -t nfs 10.129.114.179:/ ./target-NFS/ -o nolock
hey guys
anyone here have done the hard lab on firewall ids/ips evasion? I need some help, and the hint button isn't working
working on the skill assessment of web attacks module
do a sudo su then change directories
try scanning UDP and use the banner script
someone could give me a hand? idk why I'm getting this error
just the UDP flag worked for me
I have
dm me
thanks
hey, i done you advice and this is what i got. is that the right answer? what should i do next
that looks good.
use those creds now
is there any thing need to login?
xfreerdp
i do something wrong?
you need to put single quotes around the password due to the exclamation point.
xfreerdp /u:alex /p:'lol123!mD' /v:10.129.114.179
uhhhh
it's not working
google that error about the display environment
ok im here now
Alex has no rights to access the database. Search for another Windows user.
Administrator?
Try it
if so, how do i know the password
There is a file, it has a password in it.
i think xfreerdp might not work with root on PwnBox
Can I have help with the windows buffer overflows module
My machine can't download the ERC plugin
@raven cairn ERC plugins are already set up on the RDP box
Awesome. Needed to attach it to a process, and configure it before running the tool
I just keep getting NLnet Labs NSD for a version no matter what I do lol shrug no clue what is going on
What other flags do you have? Feel free to PM me
Hello, anyone knows the reason for that I can connect to a target with the browser but can't ping it?
Just started the SQLi module. How to connect to the SQL terminal ?.. nothing is woking
Firewall in the way perhaps?
does nmap detect the target?
No
http?
I don't think so, i could do the previous challenges without any problem
send us some screencaps
not ignoring you, I don't remember sorry
Of what exactly?
your commands that you are sending, the ping, and nmap scans
and another one with the browser, should give enough info to help you out hopefully
same response
tried -Pn?
perfect, now you can run you scans with that flag/port up
how?
ex: nmap <ip> -p 30340 --script vuln
for example
not sure, what you re looking to do next past this point
It doesn't work for me, I'm losing my mind
welp, it seems like it have a lot of vulnerabilities but now I am burried with information, what should I do?
depends on what the lesson covered, pretty vague without more info
"public exploits" challenge in Getting Started module
I have to search for vulns in that target and exploit it to find the flag
the lesson covered "searchexploit" and "msf"
I guess I should search for more ports, in particular if it is ftp or ssh, right?
I can't scan any other port tho, it says that the ports are in "ignored states"
with or without -Pn
Solved it. It wasn't the browser, the encoding needs to be only in some portions of the URL. I've shared it in the HTB forum page.
Likely a web based lab, based on interactions with the web application
I don't get what you are saying because I am kinda new, but thanks for the help
Meaning, the web page that you visit, that's where you have to exploit of some sort, to get to the flag.
yes no need for nmap, just navigate to the ip:port with your browser
a lot of basic coding tutorials on youtube
Ugh, stuck on last question of Footprinting module, IMAP/POP3. I am sure the answer is staring me in the face, but drawing blanks. Anybody able to assist?
Anyone here with azure pentest experience
Hi! I need help with Privilege Escalation. Im trying to Sign In to the ssh by using: ssh root@host -p xxxx -i id_rsa AND it says me "Load key "id_rsa": error in libcrypto". I did chmod 600 but still nothing. Can you help me pls?
I can help. DM me.
Hi, can anyone help me with the whitelist filters for File Upload Attacks? I managed to upload the file with something like ||.php\x00.jpg|| but i cant seem to access the files
Is it related to a module?
If you forgot your password or username, or you can't get verification codes, follow these steps to recover your Google Account. That way, you can use services like Gmail, Photos, and Google Play.
I can't get help from that thing
@rustic sage do you want to hack someone's email
Actually Yes
That person ruined my career
I wanna ruin his YouTube channel
Im stuck on find the easy pass - I have little knowledge on debugging an exe in kali... this walkthrough I was trying to use, after searching for strings, the address values are missing. I assume this is because it's not actually running the exe, just looking into it - how do I get ghidra to run it? is that possible with the current version of ghidra?
(that screenshot is from the walkthru images)
my view of ghidr doesnt have those ref addresses
this is what I see
im thinking this is because its just static, not running... and that somehow I need to link ghidra to a debugger that can run it...
Hello, I just have started in learning more about Windows from the Windows fundamentals module, and I was wondering what is the Windows Build Number ? I searched about it, but all what I found from searching is some info about Windows versions. So, does this mean that the Windows build number is the same as the Windows version ?
Typically Microsoft uses a number to identify the Windows version. Apple uses something fancy like an animal or location in the world. For example the current version of Windows is Windows 11. Consider this within the context of that challenge question.
its on my local VM
I used searchsploits to search for exploits, (obviously) and found it, but don't know how to download or use it.
can someone explain me how to do it?
Morning folks. I find myself stuck again on a module. It's the cracking passwords with hashcat. I'm on the cracking common passwords section. The test question is : Crack the following hash: 7106812752615cdfe427e01b98cd4083 I've tried everything. Even looked at the hint which states "Use hashid to identify the hash, and then use one of the Hashcat built-in rule sets or hybrid mode to help you crack it.". I used hashid, and got a few possibilities as the type of hash but nothing specific. Even if I start at the top of them, I still wouldn't know which rule set to use. I'm missing something I'm sure. Any help would be appreciated. Feel free to pm me. Thanks so much.
@shrewd wasp use searchsploit -m the exploit
it seems that it throws an error
[!] Could not find EDB-ID #
@shrewd wasp what error
Read the man page of searchsploit
ok, EDB-ID # it is the dir where it copys, but in where should I copy it?
Can i see the screen shot
let say you found a exploit that you need from searchsploit use -m like this to copy that exploit into your current directory searchsploit -m linux/remote/69420.py
shoot me a dm if you still need help with that
nope, it wouldn't
also this error mean the exploit you are trying to copy don't exist or you copying from the wrong directory
In the footprinting module in the dns section for the last question "What is the FQDN of the host where the last octet ends with "x.x.x.203"?" I've try a lot of things but i cant find this fqdn. Any tips ?
Hi guys. I'm new to htb challenges. I was trying to root the new shoppy machine but I got stuck somewhere, can I ask for any hint/ideas on how to proceed from there?
thanks for the explain man, it worked
I was confused about which dir i did have to insert there, I thougth that i needed to put the dir that I wanted the exploit to be copied on ,now I get that it was the one that searchsploit says
reread the part of DNS zones carefully
ask this in #1020723396524396594 if you can't access that verify first
I can't access it, so I guess I need to verify first but how do I go about that?
use ++verify in #bot-commands
be careful with spoilers trev0ck
Thanks for the assist. It worked.
java.io.FileNotFoundException: C:\Users\meera\OneDrive\Desktop\MarsUltor (Access is denied)
how to resolve this exception
hi sorry for the ping but in the linux privesc module Skills Assessment i found some cve that give me root instantly is this intended?
feel free to DM
sure thanks
i think i know what exploit it is
EDIT: i was wrong!!!!
Just a heads up to the ones that do not know yet, I had a lab that no matter what I did it wouldn't work with my VM but worked with the VM instance on the site.
which lab was that?
the NMAP module medium lab when trying to find the DNS version
it was giving me a weird NLNet Lab NSD as I posted above but doing the same thing in the instance I got the flag
I know of a couple of people who have that issue, however that is not the case for me. I can complete the task from my vm without issue.
Did anyone have to reboot the target every time on during the Bypassing Other Blacklisted Characters Module exercise of the Command Injections Section of https://academy.hackthebox.com/module/109/section/1037 ?
Dm me if you need it
Great, I got you thanks man XD
Can anyone tell
every time I try to log with ssh to the server in Getting Started | privilege escalation it throws me "connection refused"
what should I do?
can you show me your command?
that looks right
maybe try respawning the target? just tested on my kali vm and i was able to ssh
ok, thanks for the help
got a question about the Footprinting Lab - Easy, any staff free? n/m, i'm a n00b
you don't need a VPN for the docker targets
if your ISP is blocking somehow the outbound connection to the targets, then you should either use the workstation or a VPN to change your location and etc
oh right ... good call
hi, i'm using bloodhound at Active directory module, and the upload of the files to the bloodhound program is freezed at 0%, it has happened before and i don't know how to fix it
the command i used was basically the one they give
anyone have time to help me with ftp lab in the module footprinting?
@warm kernelwhat is the problem
hey thanks for reaching out! Current problem is that I don't have permissions to access the file, and I've tried countless combinations of creds with the hint to use full email address as the password
so are you on the ftp section or the Skills Assessment lab?
host based enumeration: FTP
and my note is a bit dumb for this part so give me a sec i need to check some stuff
oh yeah you can't get the flag for some reason
Hey any help on NMAP module, hard lab question? I found the port and service, cant find the version. Been trying out the steps in the module and looking at hints online. I tried using netcat with the source port however the source port throws an error saying its a binding issue.
i have nothing in my note about this you should be able to just get the flag
you are on the right path shoot me a dm i'll help you with that
ill go try on my VM instead of the pwnbox, although im not sure, the permissions seems set this way
oh wait
i hate the new pwnbox the terminal spawn you in /root but you aren't root
so if you use the get command in ftp it will download the flag to /root so the permission denied error is from the pwnbox not the target machine
yep just cd out of /root and you are good
RIP, I just sudo'd it, and it worked...
yep or that
no this is case the new pwnbox is stupid
I told myself yesterday I wasn't going to use the pwnbox anymore for other issues xD
and here I am being lazy again, and costing me an hour of nose bleeds
can someone help me with this question for intro to python3. "The type of foo from question 1 is <class 'set'>. What is the type of x_coordinate?" i've tried all the different python data types and i can't figure out what the question is asking for
Make sure you're entering it in the right format, it's most likely looking for an answer in the form of <class 'datatype'> or similar
wow, yes thank you, i got it!
hey, just was interesting to ask..about 6 modules left in jr penetration tester path. have made starting point machines and they are labeled as “very easy”, but personally it was not so easy) and my question is, is it okay overall? and can anybody who switched from academy to machines recommend the right way to do it and gain the level? is it real to find good machines without vip?
can someone help me understand what the diff bw these two packets are? https://imgbox.com/thClf6jl -- beyond the basic that one is a tcp packet and the other an http packet, and that both are being sent on port 80, im having a hard time understanding the true difference... as the data in the tcp packet contains the http request.
so is the host informing the server of an incoming http request, and the second packet is the request itself, or ... ?
yeah same thing is on 27,28 lines before GET request
so the host sends a tcp packet to inform the server of an incoming get (or other type of) request?
then sends the request? seems a little redundant?
can’t tell exactly what is going on the lowest level, but i think, firstly it asks the host like “do you exist” and then request a resource from the webserver
ah, that makes sense.
im also noticing that for wireshark you can issue a tcp.stream == [0,...,n] but you cannot do that for udp.stream, its either udp.stream or nothing you cannot do udp.stream == [0,...,n] does that seem correct? a limitation of the software?
or does it have to do with udp being connectionless so theres no way to quantify a stream or conversation?
wireshark seems to be able to colorize the "conversation" (or perhaps what it believes to be the conversation) pretty reliably, so i figured you'd be able to filter by it as well, but i do notice that wireshark is also grouping all the packets, even tho "conversations" are colorized, as one stream group
even with discontinuous packet numbers/orders -- https://imgbox.com/EPlNPTlc
is it possible using wireshark to figure out which subnet an ip address belongs to without having a packet that specifically transmits an ifconfig cmd?
In tcpdump....I was wondering how come the first 2 numbers are absolute sequence numbers? is that because the Client and Server are establishing a connection?
Check this out I think it helps to answer your question
https://www.howtouselinux.com/post/understanding-tcp-sequence-number
Hi guys, I am stuck these 2 questions at module "ATTACKING ENTERPRISE NETWORKS". Any hints ?
For the first one have you tried zone transfer?
yes I found a lot of sub-domain. But dont get any info about FQDN
Have you queried the ||A subdomain to see if there is a zone or not and try bruteforcing ||
you mean Zone Transfer can be inside sub-domain?
A subdomain can have a zone yes
Hello all, working on Introduction to Metasploit Framework exercise on Sessions & Jobs. Got root on the machine. However, did the privesc manually, couldn't get the metasploit privesc module to work. Any hints are greatly appreciated.
That's new to me. I did try each sub-domain, but got no clue
You may need to identify if there is a zone or not by using ||dig SOA and check if any output has an ANSWER SECTION. If dig axfr doesn’t work you probably have to bruteforce||
For all the A subdomains
for the last question I found the answer. But still dont get how to find out the FQDN
you mean I have to bruteforce sub-domain to find out the sub-domain in sub-domain?
@pearl island what is the problem
It says exploit was successful, but couldn't create a session. @placid quest
@pearl island do you have shell
DM?
What’s the associated subdomain?
ls
How to resolve the error java.io.FileNotFoundException: C:\Users\meera\OneDrive\Desktop\MarsUltor (Access is denied)
that's important
Hello everyone. I am stuck on one question in "Using Web Proxies":
Run ZAP Scanner on the target above to identify directories and potential vulnerabilities. Once you find the high-level vulnerability, try to use it to read the flag at '/flag.txt'
I ran the ZAP Scanner and spider. Nothing is giving me a high level alert. Also, I can see the HUD on the included browser but I can't interact with it. I'm using a Pwnbox. Does anyone have any suggestions on how to scan fix these issues?
Hi, when doing Bucket I got really frustrated as anything I uploaded to the bucket would disappear in a matter of seconds. Is it really necessary to wipe everything and reset every 30 seconds? Is this by design? What would the purpose be?
if that's a box ask in #boxes if you can't access that you will need to verify first
yeah i did have the same issue try restart the target and run the scan again the first time i do this i exploit the vuln manually i think you should be able to find the vuln with some ||directory brute force||
Hi, anyone has done question What domain user is explicitly listed as a member of the local Administrators group on the target host? in Active Directory module? can't figure it out..
||found it, use net localgroup administrators||
Hi, I haven't done python in a while, would anyone help me with this on Introduction to Python3. Q; "In "Code block 2" the blank should be filled with what, to output all numbers in a terminal?"
Code Block 2 is list_2 = [4, 3, 2, 1]
for num in list_2:
__________
print(num)
Lol, thank you!
no worries
Hello, I need help with the type filters section. of course FILE UPLOAD ATTACKS
I find that the valid extension is ||php\x00.gif ||but when I try to rename my shell the \ disappears.
and when adding it in burpsuite the image_profile appears with the name of x00.gif
Even though I manage to load the file, searching for the path shows the following error "Cannot display the image “http://104.248.162.85:31390/profile_images/x00.gif” because it contains errors."
the instance timers in academy counting down wayyy quicker than they should for me, is this normal? spawned an instance like 30 mins ago it said 90 mins remaining, was down to 60 within 5-10 mins
just spawned a new one and its gone down 7 mins in about 2
gone down 10 mins now
i don't think that's normal but i got the same issue
you got that error because the target system can't run code from a .gif file and hint you need ||double extension|| for this also if you still need help shoot me a dm
restarted instance at 5pm (9 min ago) and it's used up 37 mins
driving me crazy because some scanning tools dont show when the instance is terminated
have to sit there pinging the box to make sure scan still working
hi
feel free to DM me
Howdy, what is the proper way to enumerate SNMP? I have used nmap and its scripts. I am trying to answer the questions for the footprinting module which is asking to find email address, version, and find a custom script. I am just curious what tools I am supposed to be using. I am curious if snmpwalk is what I need to use
yep snmpwalk is what you are supposed to use
Thank you
This SNMP part of the footprinting module is wild to me. In terms of just what it deals with and the ability of it lol.
Anyone free to DM about Linux Local Privilege Escalation - Skills Assessment final stage?
I stumbled upon the usage of netcat for finding versions of services via a command like this: echo "EXIT" | nc -nv 10.129.x.x (port number)
I can get versions of services like SSH with this. I tried this to find the version of snmp if possible: echo "EXIT" | nc -nuv 10.129.x.x 161
It connected but didn't respond with any version or response. Curious if anyone knows why or has advice.
Can someone give me the command to pull the flag for module/54/section/490 -> Parameter Fuzzing - GET using FFUF
There is an issue with the machines, and the commands are no longer working, so I need to bypass everything
I still havent found anything
wdym no longer working? also this question is asking for a parameter not a flag and i just try this machine is working fine for me
if you are on Q4 hint use ||dnsenum|| but you need to use it ||multiple times||
I'm running this command just to be able to find the vhost and it's just throwing errors in FFUF
ffuf -w /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://redacted:30350 -H "Host: FUZZ.academy.htb"
I've run the command in previous labs without issues, but for some reason, it won't work anymore. I've tried resetting the machine and all that, but no luck
you can use the ||subdomain in the example|| and for the url tag in your command try with http://academy.htb:30350/
I think something is up with the machines because the command I shared above now works after a reset, but I keep having to reset. I'll try the fuzz on the directories now
I managed to run the FFUF on the directories and it ran for a while, but halfway through it just started throwing errors again. Something is definitely up with the servers. I contacted support, but I'm not hopeful
Since I'm already here, how can I paste commands into pwnbox browser session? I can copy stuff out, but can't paste inside. I keep having to reset the box, and retype the long ffuf commands, would be cool if I could at least paste them in
the pwnbox copy thing is super buggy but you can just open sublime text and paste your command in
try the example command with your target
Didn't seem to work under firefox, I'll try Chrome after
oh yeah i just try and firefox isn't working for me either
then use this to copy
click this and paste what ever you want to put into the pwnbox in here but if you copy something too long it could be buggy when you paste it
Here is an image of what I'm talking about when I say errors
It works for a while and then at some point it throws errors, as if some sort of WAF protection kicks in from their cloud provider
hint ||you found what you need||
I already have all those answers, but the problem is I can't run any of the commands I need because they throw errors as well. I just decided to start from the beginning to see if I was missing something
I think this person is having the same issue as me : https://forum.hackthebox.com/t/htb-academy-attacking-web-applications-with-ffuf-name-resolution-issues/4042/3
@Jier said: Still can’t fuzz hackthebox though. No idea why its not resolving names. Everything is set right. It’s a little bit more complex than it might appear. Start with being clear on what “It” is in this context. The only thing which resolves names in this context is your hosts file. That appears to be working. So when you add an IP ...
Hello! Need help on Attacking Common Applications; Question: "Following the steps in this section, obtain code execution on the host and submit the contents of the flag.txt file in the webroot."
^me too
God this is so frustrating. Paying nearly 100$ a month and I'm wasting the day away. I run curl, it works, run it again, same command: connection refused
I can manage to enumerate the correct id for my post request, but then running curl fails. If I switch to a new machine, the ID changes, so I can't use the same one to find the flag. Does anyone have a one liner in curl that will go through all IDs 1-1000. If I skip FFUF and just grep the curl command then I might be able to bypass this issue HTB is having
sorry for the delay i have some issue with my home network but shoot me a dm i'll help you troubleshoot
which section?
I dont have any issues with it
i did have 1 issue with that module but it's at the Skills Assessment but restart the target a few time fix it for me
Im also NOT using pwnbox
I will try without pwnbox
How to hack someone heart ??
we need a module / box on this
If anyone ever comes here to search for the same issue, here is how you can bypass ffuf and get the flag in one go to avoid the server error.
||for i in {1..100}; do curl ip:port/admin/admin.php -X POST -H "Host: admin.academy.htb" -H "Content-type: application/x-www-form-urlencoded" -d "id=$i" -s | grep 'div.*HTB'; done||
Hey, I am stuck at ACTIVE DIRECTORY ENUMERATION & ATTACKS - ACL Enumeration, last question.
Q: What is the ObjectAceType of the first right that the forend user has over the GPO Management group? (two words in the format Word-Word)
i tried the Get-DomainObjectAcl, but the command only outputs the first half and then hangs. I really don't know what to do now, could anyone give me a hint?
have you looked at the relationship in bloodhound?
what question were you working on?
That was for Value Fuzzing under the FFUF lesson
I just dont have any issues with ffuf on that section. I just re-ran my commands and got right thru it.
I would be interested in comparing ffuf commands
I have, but if I submit the ACE from bloodhound as an answer, it is not correct.
Are you using pwnbox?
Anyone can help with this question? "Perform a DCSync attack and submit the NTLM hash for the khartsfield user as your answer." How to answer this? i performed dcsync and have the ntlm hash but it keeps saying incorrect answer
make sure you are only using the second portion of the NTLM hash
I'm almost certain it's a pwnbox issue, something to do with DNS
I'm on the skills assessment and not having anymore issues. Been waiting 3 hours for HTB support chat to respond, but I'll probably be done the module when they respond. It seems to be a known issue for a year now, so I doubt they will fix it
thought i tried every portion of the hash in different ways but guess not. tried last portion again (or i thought i tried before asking) and it worked. thank you.
my problem with pwnbox seems to be saving the hosts file. I cant use ctrl x... This is why I use my own vm
I don't bother with the hosts file, just throw everything into the -H "Host: vhost" header
it has to be pwnbox. I cant even ping the host from pwnbox but everything works great from VM so that just reinforces my position on using it
Having trouble with footprinting, imap/pop3 section, on question "enumerate imap service and submit flag"
I've used nmap to list the details of the service, and curl and openssl commands to interact with the service. Any advice appreciated
anyone
ugh, nvm I think I got it
Anyone know how I can make this XSS payload into something cleaner? ||0' onerror=alert(1)>|| I use it here : module/103/section/984 (XSS - Phishing)
It works, but it shows '> on the page and it doesn't look clean. Try my payload to see what I mean
does anyone know if there's plans to get "Authors suggested solution" on the exercises? some of the exercises i've completed i have felt i had performed in a way that may not have been 100% as the author intended and on some of the more stubborn exercises i've been quite curious what solution the author intended when they were coming up with the exercise.
@onyx rapids can you paste your xss payload in the clear, i dont want to click on it -_-
Hey, I'm doing footprinting module, DNS part and have problems with the last task (IP with last octet 203). I haven't found anything matching via zone transfers. I tried manual enumeration as shown in the module, but it takes very long (which I can understand) and returns only three results (which I don't understand - via dig I've found way more) and resolves name server of the target (so ns.givenDomain.htb) to my localhost - 127.0.0.1, which I SUPER don't understand. Can anyone give me a hint on what I'm doing wrong?
Does it matter in the end? I think they repeat quite often to "think outside the box"
Also, from my experience, the "suggested" solution is very similar to what is shown above in the description. Sometimes it's enough to just change the correct part of the command (like IP) and voila
well it kinda does, if you're a little bit anal retentive like myself because there are multiple ways to get the answer and sometimes having the authors intended solution gives (people who desire it) a better insight into what the authors intentions were or thought process with the module. its not strictly necessary but is super helpful beyond just knowing what the intended solution is
on module, "getting started, service scanning" when i type in "get flag.txt" it tells me there's an error opening the local file. Can somebody help me?
DM me if you still need help
What error? Maybe there is a hint in it?
doesnt specify which error. All it says is "error opening local file". There's no hint on how to not get the error
DM me. I did that module, so I hope I'll be able to help

I tried a lot of things including Ip, Internet Protocol, MAC, Media Access Control.. and nothing.. Any advice please? 
did you try ||MAC-addressing||
I tried it too
I am looking for alternatives in google though
I looked too and i been doing nonsense brute forcing
I think that something is wrong with that question
not sure if this will help but did you check on HTB forum just in case?
ill do it
hope you can find it
You can also look through this discord
it's been asked before ^^ and it seems like chronos was nearly correct
You are right, its nearby correct, i got it. Ty both @feral stump @storm dagger

Dm if you still need help
Hey, can anyone help me with File Inclusion Skills Assessment?
Which section/question do you need help with?
Feel free to DM me
How to solve the access is denied error
In json file reader
Is there any certain permissions for the folder to be read
And when folder is specified it shows cannot be cast from object to
?
For the love of all that is holy can someone help. lol. Cracking with hashcat module. Cracking common passwords section. Question is: Crack the following hash: 7106812752615cdfe427e01b98cd4083 . Hint says: "Use hashid to identify the hash, and then use one of the Hashcat built-in rule sets or hybrid mode to help you crack it.". I used hashid, compared that to hashcats online notes and determined it's an NTLM hash. I've tried everything and I'm getting nowhere. Can someone give me a hint? Or a walkthrough, or something lol. Thanks in advance
sure shoot me a dm
what password list are you using?
i think he didn't use the right rule
oh i use a different one
interesting
the first time i did this module i didn't note anything so i still have no idea what i use the first time
lol
rockyou is what I'm using. The hint says to use it so I'm just using that.
thats correct so it must be the rule as MRtom said
hashcat -m <hashid> <filename containing the hash> /usr/share/wordlists/rockyou.txt
is this how ur command looks?
Someone tell my doubt also
@tidal compass, the hashid in this case, if u have confirmed that it's NTLM, will be 1000
and your command is missing the rule
u firstly need to check who can access the files...
u can do so , by
ls -la
ohh..