#modules
Are you using Windows or Linux? 'Cause I just figured out the command for Windows.
For Linux: ls -la
You can find who has permissions.
If you don't have the permission,
then you can change it using the chmod command.
Windows
You use icacls or something.
If anyone has a sec, I'm stuck on SQLMap Essentials, case 6. (If I'm giving too many spoilers, let me know and I'll edit.)
What I'm trying: ||sqlmap -r attackTuning2.txt --batch --dump --threads=10 -T flag6 --level=5 --risk=3 -v 3 --prefix='`)'||
Contents of attackTuning2.txt:
GET /case6.php?col=1 HTTP/1.1
Host: 178.128.173.79:32711
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:104.0) Gecko/20100101 Firefox/104.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1
I'm not sure if there's something I'm supposed to be looking for in the verbose output or not.
The main thing for case 6 is the ||prefix|| tag. You got it right; I don't know why that didn't work.
I'll try clearing the cache and starting fresh. The fact that the scan takes so long is a buzzkill.
Yeah, I think you need to restart your target. I just tried your command but with the URL, and it's working fine for me.
Could ||--risk 3|| be messing it up?
No.
I'm not sure, but I just tried your command; the only thing I changed is that I used the URL instead.
And I can get the flag just fine on the Pwnbox.
Thanks. I'll give it a shot.
Can someone send me the full XSS command for the XSS - Phishing lab? The one provided doesn't work correctly. This gets reflected back instead of being run: ');document.getElementById('urlform').remove();
Use this instead: <!--');
Where do I insert that? I tried at the end, but it didn't work.
Put it at the end of your payload, like this: (your payload here)<!--');
I just have to authenticate VS Code?
If you still have issues, then check this.
Found the issue. Instead of ||http://178.128.173.79:30800/case6.php?col=1||, use ||http://178.128.173.79:30800/case6.php?col=id||.
No luck, even with all that. I still get a ) at the end. I also can't remove the image URL box.
Oh, I don't think you can remove that, but you can put an icon on it.
Oh yeah, I just tried, and that old DM had a typo at the end: it should be </form><!--'); and not </form>)<!--');
I'm also having a SQL injection issue. In the section about "using comments", I end up injecting code so that the final code is
SELECT * FROM logins WHERE (username="asd" OR id = 5)
Then the rest is commented out, but it still doesn't work. I think I'm missing a fundamental thing. I'm trying to get into the user whose id is 5. What am I missing?
EDIT: Solved. It was as simple as putting a space at the end... Thanks to those who reached out.
Attacking WordPress
And what's the issue? You should have a user at this point; just get a rev shell and get the flag.
I have the user's credentials; when I do it, I get an error.
So the creds from questions 1 and 2 don't work?
Anyone have any advice on the IPMI section of the Footprinting module? The last question is what I am stuck on. It deals with password cracking after grabbing a hash.
Nvm lol, I solved it finally.
Going through fuzzing, found this on a random port? ```
   ███                 ███
  █   █               █   █
 █ ● ● █             █ ● ● █
  █   █               █   █
█████████           █████████
   ███                 ███

Welcome adventurer! Before we begin, please tell us your glorious name (max 20 chars):
Now, what is your class GET / HTTP/1.1
Host: admin.ac?
1. Tank (increased Health)
2. Mage (increased Dexterity)
3. Assassin (increased Attack)
>>
[-] There is no demy. class! You will follow the Tank path..

[*] First levels of the game, every character will start with a Sword even though it's not class efficient!
Here is your first sword:

[+] You just obtained: Level 1 smol sword!
▚▚▚▚▚▚▚▚▚▚▚▚
▚          ▚
▚    ▟▙    ▚
▚   ░░░░   ▚
▚   ░░░░   ▚
▚   ░░░░   ▚
▚  ██████  ▚
▚    ██    ▚
▚    ██    ▚
▚          ▚
▚▚▚▚▚▚▚▚▚▚▚▚

Energy: [4]
What will you do now?
███████████████████████████████
█                             █
█ 1. Craft sword (1 energy)   █
█ 2. Show info (No cost)      █
█ 3. Show stats (No cost)     █
█ 4. Farm XP (1 energy)       █
█ 5. Change name (Only twice) █
█ 6. Fight Boss (5 energy)    █
█ 7. Rest                     █
█                             █
███████████████████████████████
Everyone needs some rest.. See you soon!```
It worked! Wasn't able to make the box disappear with it, but honestly I'm so tired of XSS at this point, just going to solve it and move on. I'd love to be good at it, but I have no experience with html and javascript
Yeah, you can't make the box disappear, but you can put an icon on it.
which part?
Has anyone had any problems connecting in security sessions to vhost? I keep getting “No Route to Host” but the IP address pops up in the forward request area.
Via Burpsuite
Firefox works
Interesting lol
I wanna know what he was fuzzing to find that
Me too haha, looks interesting.
@lethal atlas Dunno, but it's interesting seeing a text-based adventure game displayed like that lol
Are there walkthroughs for the HTB Academy module 67 (Windows Privilege Escalation)? Been searching but there are none. I wanted to check out the different solutions.
what a headache
I am on the File Upload Attacks module, section Whitelisting. I found the needed extension, and Burp tells me that the file uploaded successfully, but I can't execute the code because it tells me the file is not found. Can someone help me?
Hey guys
Is it possible to remove a word from a file using the terminal?
I want to remove the word payload.
I think yes, you can Google it.
DM me
I mean DM me, to help you with the whitelisting exercise.
I'm on the module "Information Gathering - Web Edition", in Active Subdomain Enumeration. I have to identify an FQDN from an IP address, but neither nslookup nor dig is working. I must be doing something stupid, but I have tried every command as shown in the material.
@gloomy sigil What is the problem?
Hi all, my machine suddenly became unable to connect to the Hack The Box OpenVPN.
I need help.
@paper swan Download another one.
Hint: do a ||DNS zone transfer|| and look carefully at the output.
Tried, but no luck.
@paper swan Use sudo, maybe.
Double-check whether your Pwnbox is on; if it is, you will get kicked out of your VPN, so you can't use both at the same time. If your VPN isn't working, check out the HTB VPN troubleshooting and try asking in #613049811481919508.
I have to find the FQDN for the IP 10.10.X.X. I tried "dig -x 10.10.X.X @10.129.X.X" (the IP given for the exercises), but I just get no results. The stranger thing is that I'm able to do the zone transfer.
I got the zone transfer, but it doesn't show the IP that I need.
Hint: the info you need isn't in the ||given domain||.
Can someone PM me the XSS payload for Session Hijacking in the XSS section of the Academy before I jump off my balcony? I'm also willing to accept hints, but make it a really good one because I've exhausted a lot of possibilities.
Sure, shoot me a DM. Also, you can just yeet your PC out the window if you can't find the answer.
I swear they need to make a mental health support group for hackthebox academy. Sometimes I feel like they purposely make the instructions wrong and vague to send us down never-ending rabbit holes
Thanks
Can someone explain how tplmap works on the Pwnbox for Server-side Attacks? I can't even find it using "locate tplmap", and when I try to install it on the Pwnbox it gives the same errors as I would get on my VM. I reallllly need a solution to this to finish the Server-side Attacks module.
How are you installing it?
I just have the Windows buffer overflow skills assessment left.
Going to see if I can finish it today.
I've tried installing verbatim from the module instructions, on my current machine, and even installed a fresh VM with Kali. I always get an error relating to 'Opera' and no mapping attribute. I've seen a couple of articles say to try running it with Python 2, and that hasn't worked either. I'm only 9% from completing the Bug Bounty Hunter path.
I'll check it out on my end.
Hi, for installing tplmap on the Pwnbox I have this in my notes, but this is from before the Pwnbox got updated, so I'm not 100% sure this will work on the new Pwnbox:
git clone https://github.com/epinna/tplmap.git
cd tplmap
pip install virtualenv
virtualenv -p python2 venv
source venv/bin/activate
pip install -r requirements.txt
Update: I just tried on the new Pwnbox, no issue for me so far.
The Python 2 bit sounds on par with what I have found in my research; I will try it when I get home 🤞
Anyone know the location of etc/hosts on the Pwnbox VM?
It's at /etc/hosts.
If I try to cd there, it says it's not a directory.
Yes, because it isn't a directory.
It's the Pwnbox hosts file.
Hi
Hi everyone, how you doing?
I am struggling with the Session Hijacking from the XSS module. I got my PHP server working, found the payload to use, and made the configurations as suggested in the course material, but I keep getting [200]: (null) /script.js
Any hint on that?
Thanks in advance!
Open it with nano
or your preferred text editor.
Hi
I'm struggling to start my first instance in Starting Point.
Getting stuck here:
And did you set up the script.js? And did you host it with Python or PHP?
"creating instance"
Spawning a machine? It takes a couple of moments.
It's been about 8 minutes.
Hey bud, you might want to check out the #starting-point channel 😉
Try with 2 extensions, one executable and one image, and then check the inspector to find out the file's path.
"sudo vim /etc/hosts" every time; vim is a friend.
Hey guys
Quick question
I got everything alright, but I don't understand how to curl it.
Like this
Same way you would curl any other file.
Like this: curl ||-s 'ip/var/www/html/shell.php?cmd=id'|| ?
No, it's relative to the path the webserver is running at. If you access ||index.php|| using ||ip/index.php||, how would you access ||shell.php||?
Using ||index.html?value=||
PM me, easier to talk there without spoiling ^^
Can I have help with the Windows buffer overflows skills assessment?
I am super confused why my exploit isn't working haha
Normally I would post my code, but I don't want to spoil the badchars, the offset and the jump address.
@raven cairn
Do you know the answer?
DM me the code.
This is interesting: after getting the ||hash|| I used ||impacket-wmiexec inlanefreight/administrator@<DC_IP> -hashes "LM:NT"|| and landed straight on the DC.
Hi guys, it's me again, stuck at Footprinting lab 2. I have made some progress now, but I don't know what my next step should be to find the HTB username and its password.
You need to select ||dbo.devsacc||, then right-click on it and choose ||Edit Top 200 Rows||; you'll be able to retrieve the pass.
Which folder is it?
On the left pane you should be able to see all the DBs listed; the one you're looking for is under ||WINMEDIUM.accounts - dbo.devsacc||.
Q: On a spawned machine within an exercise, if the time to live left is quickly dropping, 9 to 10 minutes every minute or so, is that something I am doing or causing?
Killed my VPN, rebooted my machine, fixed it.
Guys
I am new here.
I just wanted to ask you guys
how to download proxychains on the Linux app
on Windows.
This is happening to me right now lol. So weird.
Right?
Guys, need a bit of help on the web section in Attacking Enterprise Networks.
What's the flag location for attacks involving LFI? The SSRF and XXE ones.
It's not in /root/flag.txt?
Or try ~/flag.txt
nope
Ah yeah that sounds really annoying. Maybe LFI some pages that you already know exists?
The flag could be hidden as a comment in index.php or something
Guys, we can't use proxychains when we are only using the terminal, right?
On the Nmap module hard lab, anyone got time for a DM? Trying to do something; maybe I need to adjust my thinking?
Got it, it was just /flag.txt. Thx
Of course 🙂 glad to hear it
DM
On the File Upload Attacks module, section Whitelisting, I have all my files successfully uploaded, but they can't be found on the webserver. Can I get a hint?
Password Attacks Lab - Medium
I need help... I already got the first user and the second user, but still couldn't find root.
Read the page source and you'll get a hint at where the file is being stored.
Yeah, I see the directory /profile_images/, but 404 anyway.
I think you need to review how you're attempting to bypass the filter. I just tried it on my VM and I got it to work.
Can I DM you to discuss?
Sure
Hello guys, can I use VMware?
Nmap module hard lab exercise. Need a final little nudge, DM?
Morning all! I'm in the HTB Academy module Footprinting, IMAP and POP3; the very last two questions: "What is the admin email address?" and "Try to access the emails on the IMAP server." While I've been able to enumerate the servers and the email cto.dev@dev.inlanefreight.htb, I'm not able to successfully figure out how to get in. I'm assuming I need to figure out the password for the cto.dev account. Any suggestions, tips, or hints to point me in the right direction? I've used the nmap imap-brute script, but it times out after 10 minutes...
Hi all
shut up
@rustic sage ?
?
what?
you responded with, "shut up". The question mark was in response to that
shut up
classy
@umbral marlin are you 8 years old? Really.
@umbral marlin Go find something better to do than to harass others thanks
Cringe AF lol
🤔 Currently trying to figure out why the exploit I found for Jerry (beginner track) ain't working... trying to use CVE-2020-9484. Am I barking up the right tree here?
For Jerry you don't use a CVE.
Also, there is the #boxes channel. Do some research on attacking Apache Tomcat. If you get stuck you can watch the IppSec video. This channel is focused on Academy.
Oh shoot, ok thanks.
Hiya. On the last exercise of Nmap, I could use a bit of a nudge. I'm at the very last part of it, so a DM is more appropriate if someone is floating around.
@little helm When I was going through it, I didn't wait long enough after connecting to get the flag. After I connected and waited for 30 sec to 1 min, it appeared... if I recall correctly.
Perhaps that was the medium? But just to be sure I also ran a -d and a -w with 60 seconds on each
@spice onyx Plus, does port 31337 have anything to do with it? I just connected to port 80 for giggles.
@little helm I recall having to go back over the step-by-step of the section to get the final flag. I believe another tool was mentioned, which you need to use to connect with to get that last flag.
Is it ok if I DM you? I'm aware of both tools. Funnily enough... the connection to port 80 IS the second tool.
@little helm certainly. Also, I'd suggest looking at the source port you're trying to connect from 🙂
yup got that too
and to scan TCP and UDP.
What am I doing wrong with this module: Information Gathering - Web Edition, skills assessment section? This is the question: "Perform active infrastructure identification against the host https://i.imgur.com/. What server name is returned for the host?" I cannot seem to find the answer it is looking for.
@heady nymph Use curl.
I have used curl -I and still am not seeing it.
I'm sure I am staring right at it or something, but....
I think I've pasted every line of the return into the answer and none of them worked.
I'll try again.
The "OpenVAS Skills Assessment" tells you to launch an instance and connect to the OpenVAS interface, but doesn't say which port. Default is 8080, but that's not open. Am I missing something? I thought it would just be like the previous (Nessus) assessment. N/m, I didn't wait long enough for it to start.
Got it, I must have copied a space or something. Thank you!
Hey, did you get this? Feel free to DM me 😊
Can I DM someone about the File Upload Attacks skills assessment?
Sure
Ah, just finished, thanks :)
Need a bit of help with the Intro to AD module.
Hello
So in the Privileged Access section of Active Directory Enumeration & Attacks it asks what other user has the CanPSRemote privilege, but when I run SharpHound on the Windows box and then upload the data into Bloodhound, there seem to be no users with RDP execution privileges and I've checked all the domain entries. Can I get a nudge? Nvm. Got it
DM if you need
Can someone tell me why the newly created OU is not visible in ADUC?
you have two quotation marks at the end of the command, remove one
Command is not complete. It's still waiting for input. Like @ancient oriole said, remove the > "
Yeah, just noticed that...
Thx 👍
No problem, it happens.
The solution guide had two "; it needs to be corrected.
Same goes for the selection in PowerShell. If you select something in PowerShell like in the screenshot, it waits for you to press Enter. If you don't, it keeps waiting and you wonder why it doesn't continue. Also, if you select something like in the screenshot, it's in your clipboard. This happened to me so many times: you have a single character in your clipboard when you wanted to paste code, so you have to copy the code again 🤦♂️
I see
Using PowerShell seems to be more intriguing compared to the ADUC GUI.
Just started with the Intro to AD module on HTB Academy.
Yeah, but I believe they fixed this in the new Windows Terminal, so maybe once Microsoft makes it the default, we will be free from this thing.
Yeah, the terminal is the way to go. Or use VSCode 🙂
What's the meaning of this cmdlet?
What you've highlighted is a property, not a commandlet ("cmdlet"). The cmdlet in this example is New-ADGroup, and you give the group the attribute "samaccountname".
I shouldn't have skipped the theory...
Just remember that the samaccountname needs to be unique 🙂
Yeah, or just ask. I'm happy to help with AD questions.
Should I DM you, or is it ok to ask here?
Just ask here so others can read it too.
Btw, I believe you can use 1 instead of Security in group category
and 0 for Distribution,
but that doesn't matter.
Thx for the info 👍
Yep
Distribution or 0
Security or 1
Pretty sure 99% of the time it's security though 😉
I believe Distribution is for regular users, while Security is used for managing stuff.
What does group scope mean, and should it be set to Domain Local or Global?
It decides how much the group covers:
only the domain, the tree, or the whole forest.
👍
Distribution is used for e-mail and Security for ACLs.
Oh, thanks.
Any way to bypass the Academy VPN OpenVPN error "OpenSSL: error:0A00018E:SSL routines::ca md too weak"? An OpenVPN CLI flag perhaps? Seems the VPN key given by Academy is too weak?
Happened to me too.
I will tell you: I added one line to the .ovpn file and then it worked.
I will check what it was.
@vocal musk Open the .ovpn file and, after the key-direction 1 line, add this line: tls-cipher "DEFAULT:@SECLEVEL=0", then save and it should work.
I am not sure what it does, but it works.
You can Google the error yourself and you should find some website telling you this.
Hi, so which section is this?
Hi everyone, how you doing today?
Anyone can drop me a hint in the skill assessment of the XSS module? Been trying payloads without success for a while,
Any hint?
Thanks in advance!
DM me
Can anyone see the error?
Hello, Nmap hard exercise. Spoke with 2 people who state this and this are the final answers, but they're not working. I waited 10 minutes for each of those to produce a result. Also ran it after establishing the connections in the pic. I have tried to run 2 scripts associated with that service through the appropriate channel. Would love to chat about it with someone.
Try moving out of the /root directory. It's probably messing things up.
I hate that part in the new Pwnbox.
Maybe try to put the password in quotation marks; it might be because of the exclamation mark.
Trying now.
Thank you so much for replying. I have learned more about Nmap than this module was intended to teach.
Also, your netcat commands are off a little bit; if we are netcatting into another machine, we need to specify the port we are connecting to.
I had tried the switch as well. I will attempt both your suggestions now
Both failed...
Isn't the password ac...AD instead of DA?
Got in; the domain name is INLANEFREIGHT
not INLANEFREIGHT.LOCAL0 lol
Although you have to figure this out first, because it tries to log in to a DC by default.
So confusing haha
Yeah, sometimes these instructions on Academy are unclear and require you to do some extra step you didn't expect.
Hello, in AD Enumeration and Attacks - Skills Assessment part 2:
Any hint on how to connect to MS01 as Administrator? Got some hashes on SQL01, but none of them seem to work.
I'm just stupid for not reading the task before going into the terminal lol. Everything is clearly laid out in the instructions.
Got out of the root directory and ran sudo. Thank you so much. I can't tell you how grateful I am.
Np, nice work 😉
No really, last night I was reading about idle scans, and reading much deeper into TCP flags and zombie scans...
I ran the two db2 scan scripts
and how to read the packet trace, socket programming...
Turns out it was the directory.
I've been working pretty hard on the Windows buffer overflow skills assessment and I am still stuck. I am able to get the buffer overflow to work locally; however, when I do it remotely it doesn't work...
I am pretty confident I got the bad chars and offset correct.
My return instruction worked on my box. But I think this is what may be wrong.
Can someone direct me to the channel for n00bs, if there is one? I'm an experienced analyst. Breezed through the preliminaries but am stuck on my first box... I need some quick assistance. Found a hidden port using Nmap, but I need to cut through it quick so I can bounce through subsequent boxes....
Hacked shit in the real world, but this emulation shit isn't the same.
Yeah, like I hacked stuff as a kid... a long time ago, and broke through...
#613049811481919508 is helpful. I wouldn't say there is a specific channel just for noobs.
Also, IppSec is just a god-tier resource in general.
I'm not getting more specific than that. I also broke a CTF for a screening in a job interview and I Have the screenshots to prove it
So before the shit-talking begins, if that's how it works, I have the screenshots from a Palo Alto interview
They rejected it because I circumvented their block
*bot
You can't say you are skilled and not be able to do a noob box tho buddy
The bot didn't pick it up because I literally built a server on their ec2
Yeah, yet, I have screenshots from an actual CTF in a job screening
so wut tho lol
I like how you size me up in 2 min, @raven cairn
I can see the CTO in you
You must be the stage hand that left Mr. Robot
For all those people who find it more convenient to bother you with their question rather than to Google it for themselves.
So, your shit talking or my screenshots from Palo Alto?
Not shit talking bro. Just being realistic haha
So let's do that. I'll post the screenshots so you can talk shit after that
So, this is how it works: in the real world, you don't have walkthroughs and cryptic "Star Wars" hints.
There isn't a tutorial or VPN
*well the VPN is there
But it's not a hackthebox VPN
@stuck elm There are also box writeups you can look at on the site.
There are only writeups for the retired machines. Those can help you out.
No writeups for active machines.
Yes, and this is interesting ... with the fancy GUI on here. I am moving here from old school IRC, running weechat in the CLI etc
On the surface it's much more user friendly but when I use nothing but the cli for work, it's halfway confusing
haha
*CLI for weeks
Well, for work too.
CLI is awesome.
Hard to do web browsing, Burp Suite or watch videos tho.
I think if people never quit using stuff like DOS, normal folks wouldn't be intimidated, but they are taught to only understand the GUI so they just won't touch it.
I would use only CLI for pentesting, but I don't really see a good web proxy for the terminal haha. Other than that, CLI tools for the win.
Yeah, I don't even know how to post the photos on here. "Use the slash command" works on IRC, but surely that's not it for photos...
Are photos blocked on this channel for security purposes, to avoid noobs getting trojans?
You can post photos.
Well, for blackbox pentesting, someone should know how to script Python and Bash from scratch.
Yes, I am a light mode user. Fuck dark mode haha
Finished the module
Thanks for the help @rustic sage
@raven cairn For Session Security I found the compromised ||input form||, but I don't know what I'm missing. I have the submit-solution and it says the admin visits, but I'm lost.
What module
What section
This will make it easier for me to help
I'll take a look at it in a sec
I have a feeling I'm overthinking it.
I did. I'm just thinking of the payload.
Once you take over the admin page, you will find a pcap file.
If you go to the XSS section, there is a section on session stealing, Session Hijacking.
Following the steps should be pretty similar.
That’s what I’m looking at now
Awesome. Let me know if you need anymore help
Anyone doing the Shells and Payloads module? Stuck on the Antak Webshell section, last question: "Establish a web shell with the target using the concepts covered in this section. Submit the name of the user on the target that the commands are being issued as. In order to get the correct answer you must navigate to the web shell you upload using the vHost name. (Format: **, 1 space)"
I got a webshell and executed the whoami command and got ||iis apppool\defaultapppool||; not sure how this question wants me to format this answer.
That is incorrect, so it won't matter how you format it. I'm not sure about whoami, but try a PowerShell command.
Hi, I'm at the Footprinting hard lab. This is where I'm at right now; what should I do next?
I may not be understanding the question, but I've tried "[System.Security.Principal.WindowsIdentity]::GetCurrent().Name", "whoami /user" and "[System.Environment]::UserName"; all return different formatting of the same thing, apppool\defaultapppool.
Enumerate using the techniques discussed in the email sections: POP3 enumeration.
Can you throw me another hint?
Enumerate SNMP as well.
The command you need is in the hint.
We can use Termux and GMT also.
Termux is safe.
Can anyone tell me whether Termux is safe?
@wide river Scan UDP.
Attacking Common Services - Attacking SQL Databases section. Trying to connect to the SQL server just like in the example, but receiving this:
Nmap finds the service open though, so is it my connection, or?
Need a hint on the Password Attacks - Mutations section. The password list after mutation is around 94k. Brute forcing is taking time. Is this the intended way?
@pearl island You can cut the password list much shorter, say first 5-10k passwords and see if that helps
Hey there! I have the same issue. How did you manage to fix it ?
Alright, let me try that rq. @stiff stream
I think I cut them down to the first 5k.
@worldly garden Welcome! I'd suggest you start with Academy and from there move on to HTB 🙂
@stiff stream Can I DM?
@pearl island Yes, of course!
Hey guys
Can someone help me get rid of hashcat's error about not enough memory for the attack?
Cannot make progress in the Password Attacks module.
Hey guys! Who knows how to fix the issue with BloodHound when it shows "Upload Completed" for a .zip file with 0%?
My program searches for IFSC codes and tells the details of all banks in my country, so how will I upload this to the internet
with all the 200+ files that come with it for it to search?
All are JSON files.
Is there a way without paying?
Are you using Pwnbox?
Well, I'm using the VPN and running a VM.
@twin gulch Check if your VM needs more RAM. Also, what I did was use my Windows computer with hashcat, so that way it was able to crack it.
@raven cairn I did it, but the worst part of all is I did this but didn't pay attention to see the difference in the cookie… smh
Hey everybody,
this command brute-forces user RIDs:
for i in $(seq 500 1100); do rpcclient -N -U "" 10.129.14.128 -c "queryuser 0x$(printf '%x\n' $i)" | grep -E "User Name|user_rid|group_rid" && echo ""; done
Can someone break down and explain the command a little more?
...
How the shit does anyone game or do anything with Discord, given its utter incompatibility with VPN hopping?
I literally gave up on 2FA because the security is on fucking steroids ... It will not allow MFA from more than one region at a time regardless of meta-levels of authentication etc.
Have a look here: https://explainshell.com/
(It matches command-line arguments to their help text.)
Thanks 👍
Why would you be on a VPN while gaming :D
Can anyone give me a nudge on Active Directory Skills Assessment 1? I can Kerberoast the SPN, but I can't seem to find the SQL01 machine?
@shadow tiger Keep your comments relevant to the channels you post in.
What encryption type do you think this is: $2y$10$PWeS5OrZJ96EKhTi30fsYes0vkQCXtCtNQGIExfSYXEuKCjua.BAS
But if it has $2*$ you can just guess it's bcrypt.
DM
Did you run it through hashid?
So can you solve it, or can you tell me how I can solve it?
Just throw rockyou.txt at it,
or one of the smaller password lists,
as it is bcrypt and will take a long time.
Depending on your machine, you might not even get 50 hashes per second.
Anyone know where the numbers.txt file is located? I can't seem to find it.
@ashen orbit Use the find command.
Tried the find command and it doesn't find anything.
@ashen orbit Use readlink.
I'm trying to run sublist3r and I'm getting an error saying VirusTotal is probably blocking my requests. Anyone able to help me work around that?
Sorry - I've been MIA
I need to post my violative Palo Alto CTF photos
Breaking their damn CTF ...
Not just passing it but breaking it with my backdoor
Hi guys, can I DM somebody about the Broken Authentication skills assessment? I am stuck...
Hello everyone! I'm struggling with the Footprinting medium lab. Here's what I've gotten so far:
Alex creds
sa creds
Logged in through RDP with Alex's creds
Now I'm unable to log in to SSMS with either of these creds. Please DM me with a nudge in the right direction.
I know which are the users, and I know how the token is encoded, but the token tampering is not working...
Alex ||doesn't have access to the database… you need to find another Windows "default" user|| to log in through RDP.
Don't forget to ||look into SMB||.
DM me if you still need help.
I'm on the last question of the Information Gathering module. I found a list of subdomains using gobuster, and I used gobuster again to try and go another level down; I found two more sites but nothing else. I can't get sublist3r to run right as the hint suggests. Can someone help me with a nudge?
Why can't you use sublist3r?
Hello, I started the Password Attacks module. Can anyone tell me where to find a list of usernames for this module?
Look under Resources.
Thx mate
@tough ibex Enumerate SMB.
I want to share a Java program with my brother in New York without sending him all the files, meaning he does not have to download all the files, so I need something like a VPS server or anything else (the files are like 2.61 GB).
Any ideas?
You could use Google Drive.
Then you should go with a Heroku
server.
You have to create a file named Procfile,
add it to your code base,
and push it to Heroku.
It's free till November.
Heroku axed their free tier iirc. Ah okay. So a little longer.
Sorry, I am still a student,
so I don't know how to do that.
Me too
Age?
17
India
UP
Me, Raptinagar
Hey bro, you're my neighbor then
Holy god
I live near Fatima Hospital
Which school?
LFS Dharampur
Name?
Sahaj
Nice to meet another brother
Keep the channel on topic.
Sorry for that
Brother, message me privately
@tough ibex What is the problem?
@tough ibex Try logging in to MySQL.
@tough ibex Find the SSH key.
@tough ibex It will be for root.
Hey, I'm at Footprinting lab 3. So far I've got the nmap results for POP3, IMAP, and SNMP. What step should I do next?
I need help with the intro to ad module
The support system is so bad on the website
Hello in AD Enumeration and Attacks - Skills Ass part 2
Any hint for how to connect to MS01 as Administrator? Got some hashes on SQL01 but none of them seems to work
have u done the intro to ad module labs?
yep, and already done the skills ass part 1
Can u pls help me with the ad administration guided lab part 2 ?
dm me
i’m assuming that may be the issue
hello, can someone give me the right wordlist to solve the default credentials section on the broken authentication module?
Can anyone confirm that the final challenge for the information gathering - web edition is still doable?
the one where you have to find the subdomain of githubapp.com that has elephant in it
Or you can use any online resource to check for subdomains
Cal99 something like that worked for me
dm the cred you found
Help with AD Enumeration & Attacks - Skills Assessment Part I ? (below error)
unable to run powerview for AD skills assessment part 1 question 2
cal99 didn't have a subdomain with elephants
Honestly wondering if that subdomain got removed by github or something
@sly kelp if you could check and see if you are still able to find the right domain, I would be very appreciative 🙂
I was able to solve it couple of weeks ago
Can’t say if it has change
hmm
I assume you two are referring to https://subdomainfinder.c99.nl/?
Subdomain Finder is a scanner that scans an entire domain to find as many subdomains as possible.
Subdomain scanner result of Subdomain Finder performed on githubapp.com
ctrl-F finds no elephant
Use sublist3r and grep for elephant, you'll find it in 3 minutes
I tried with ||sublist3r -d githubapp.com | grep -i 'elephant'||, got nothing
I do not know about -i option of grep but the sublister command is how i got it
-i just ignores case
Try several times then, sometimes the sources of sublist3r do not respond on the 1st try
Anyone having trouble connecting to the VPN with the keys, seemed to work fine yesterday and today nothing connects
@proven jay I can't even get sublist3r to work for me right now, so I can't say if that tool works or not, but I did find the right subdomain with c99 before. Now the same scan gives me nothing, but if you scroll down a bit after the scan you can find "More scans of", which are scans from the past, and I was able to find the right subdomain there
Thanks @vital adder, glad its not just me who can't find it with sublist3r
try generating a new vpn key by switching the vpn server
https://github.com/AetherBreeze/Sublist3r.git
This has a working sublist3r, they are trying to get it merged into main @vital adder
this is all i got if i try to scan something
hmm, I was only getting the VirusTotal error
but it give me nothing after that
oh wait i just try to scan pornhub and that's the only domain work for me 🤣
Tried generating a new key, no go, I'm going to reboot and see if it is me
is your pwnbox on?
Yeah, its on
oh then that's the issue
Hate using it though, so slow
yep the new pwnbox is bad
typical penetration tester)
and that's still the only domain that work well for me so far
you can't have both pwnbox and your vpn on both are trying to kick each other out of the network so don't have both on
nevermind, figured it out
Could someone point me in the right direction on that page? I’m sure it’s there I’m just not seeing it
Got it… I’m dumb
Guys help me please, I can't find this hidden "history" file.
@rustic sage try to list hidden files
Hello to everyone! I'm taking the Information Gathering - Web Edition, Active Subdomain Enumeration section, but I'm stuck on this question: "Submit the number of all "A" records from all zones as the answer." Any hints please? 😦
always worth giving it a bash...
Hey, I'm a few days into the modules and wanted to know if there's anything special you have to do in order to use your own virtual machine instead of the instance or browser Parrot supplied. Is there anything special you have to do, and if so, any walkthroughs for what to do?
Hello
if you don't want to use the pwnbox, use your machine with the vpn. and if by "instance" you mean the target machine, then no, you can't run the target machine on your vm
when i click the vpn button it just redirects me to a blank page
did you click download?
help with AD Skills Assessment I, question "submit the user's cleartext password": ||lazagne.exe just opens and closes,|| it does not really work. any suggestions?
ok i downloaded the file but now what do i do with the file? I have nothing on my mac that will open it
i don't use mac so i can't help you troubleshoot but try using openvpn and if you have kali it should be pre-install
do a ||dns zone transfer|| on all of the zones you found (hint: ||the answer to question 2||) and manually count all of the A records
nevermind, figured it out. thanks
could I get a hint on AD Enumeration & Attacks - Skills Assessment Part II first question? ( Obtain a password hash for a domain user account that can be leveraged to gain a foothold in the domain. What is the account name?)
i really don't know what to do, I am stuck there for like 2 hours now
Has anyone ever used XSStrike or Dalfox to successfully trigger the blind XSS in the session hijacking exercise? Solving the problem is easy now, but I can't for the life of me get a tool to automate this step. Both tools support blind xss, and I use the same blind payload that I used manually, but neither tool will trigger it. I refuse to believe both of these tools can't do a basic blind XSS on a form made to be vulnerable
Command I use for dalfox:
dalfox url "http://IP/hijacking/index.php?fullname=x&username=x&password=x&email=dsfs%40joe.com&imgurl=a" -b "http://IP:8080" --skip-bav --skip-mining-all -p imgurl
Command for XssStrike:
python xsstrike.py -u "http://IP/hijacking/index.php?fullname=x&username=x&password=x&email=dsfs%40joe.com&imgurl=a" --crawl --blind
Ok, legit question, cuz I’m beyond stuck. Is there a prerequisite to the SQL Injection course? The assessment on “writing files” is blowing my mind and I just want to know if I need to know something before this module in order to do it. If not, I’m sure I’ll find it.
have you tried ||running responder?||
That one does go from 0 to 100 specially on the skills assessment. Unfortunately don't have anything helpful, just yeah, it is odd how it is super basic then suddenly not
got it, thanks so much 🙂 , i forgot about this
whoami outputs iis apppool\defaultapppool this is not accepted as an answer
oh wait that's weird the first half is correct
if you've done the module Shells & Payloads at this point, I'd appreciate it if you dm the correct answer and how you got it, if you remember or have notes on it.
But no prereqs? The skills I need are all in that module?
If I remember correctly to get that flag you use what is in that module but the method is not given and there are several steps. So yes and no
@acoustic peak the skills assessment did grab my dick and twist it so it's no way in hell easy but if you break each step down and learn how the Injection payload work it's still hell but at least now you have a sense of what to do, and as the dumb ass i am i didn't note down any thing i learn, just the stuff in the module
What programming languages do i need to learn to be a pro hacker?
😆
I need to learn c ?
nope
Ok, then I guess I’ll try again tomorrow
Hello, anyone can give me a nudge for the wordlist to use in the default credentials module?
Do u recommend any full source to learn python that is completely free?
the default credentials section in the Broken Authentication module?
hint view the web source code and google that page default cred
I have tried many others wordlists but obviously not the right one 🙂
Yes it says admin/blank
But admin is not the answer
nope not the right one
keep search it on google you should find the default cred for that page
I'll do that then
there are a ton of videos about learning python on youtube, start from there. htb also has a module about python3 but i'm not sure it's free
Thx anyway MRtom
and if you still can't find it like the hint said google the page ||title||
I was wondering if I could get some help with AD Enumeration & Attacks - Skills Assessment Part I. I'm inside of MS01 and the need to find "cleartext credentials" for another domain user... I've been looking around MS01 for a long time and I haven't been able to see any 'clear text' credentials anywhere. Maybe I'm just missing something obvious? could someone familiar with the module give me a hint? ty!
do all regular HTB boxes require programming knowledge? Would I be able to work on my skills for a while without learning programming? I do want to learn a dedicated programming language, like Python. The thing is, I'm wondering because I heard everything that can be done in Python for hacking, at least in terms of what most people can write for hacking tools, is already covered by existing tools and I am pressed for time to learn fundamentals. Would it be ok to go through HTB Academy and then merely practice real world without advanced programming knowledge at first until I really cement the fundamentals?
see what I mean?
I'm thinking of doing HTB Academy and then Pentester Academy maybe or HTB Academy, then real world practice for a while, then learn a few additional things on Pentester Academy to reinforce the material and build upon it, but then maybe when I have more time actually dedicating time to learning Python, in order to get to the next steps?
I like this Python course I have been taking but I have trouble spreading myself thin.
so ya
@quasi wave There is some stuff you should learn. For me, having knowledge of programming basics has helped me a lot. You do not need to know every python library, but at least you should learn the basics of programming (variables, types, functions, collections, loops, etc); all of that will help you in any field of cybersecurity. Once you learn how to do it in one language, the rest like bash, ruby, php, js will be clearer to you.
Mimikatz is your friend
Dear friends, I see that you have completed the module "DOCUMENTATION AND REPORTING". I am asking you for information about the first question. I don't understand how to get an answer
I found this password in one file on the remote pc: HTB_@c****************
But I don't understand how to use it
anyone still online
Why ask?
well do u have experience with single board computers
Just ask and see if anyone responds 🙂
ty
Hello everyone. I'm on the module Web Proxies, section Proxying Tools. There is some kind of problem with the proxychains syntax, but I don't really get where
Hello all,
trying to do flag5 on SQLMap Essentials.
https://academy.hackthebox.com/module/58/section/526
Not sure where to start with this one. Nothing i have tried works.
Can i get a hint please?
@frigid ingot what is the problem
lol... i got it. me just dumb.
Screenshots to come
@frigid ingot ok
I following the example but I’m getting these errors when I’ve done everything the example has done
I’ve downloaded the pcap twice
@frigid ingot The hash is not loaded
I’m so confused
How is it not loaded
I’m following the example, where is the hash im supposed to load lol
@frigid ingot on exercise down you will down the file
Correct I downloaded the file and got pcap
@frigid ingot follow along with how the example was done
Yes if you look at the screen shots, it’s doing the exact same thing the example did
On both sets matches exactly the example and still get the error
Did you check whether the file you are cracking actually has the hash?
@frigid ingot try using this: https://hashcat.net/cap2hccapx/ helped for me, idk why, but my cap2hccapx compiled from source on my kali could successfully open only .pcap files
can anyone help me with Login Brute Forcing - Skills Assessment
Once you access the login page, you are tasked to brute force your way into this page as well. What is the flag hidden inside?
I don't know which dictionaries I should use. tried with -L bill.txt -P williams.txt from previous sections and got no result. Also tried -l user -P rockyou.txt but it takes way too long. no luck with ftp-betterdefaultpasslist.txt either :/
my last try:
||hydra -l b.gates -P william.txt 165.22.117.21 -s 31327 http-post-form "/admin_login.php:user=^USER^&pass=^PASS^:F=<form name='log-in'"||
Hey. Anyone for broken auth, tampering with cookies? I feel that something is wrong here, pls dm me
Hey, does anyone know where I can find the provided resources on the pwn-box? Im doing the footprinting on SMTP, and they say there is a footprinting-wordlist somewhere, but the find doesn't find it...
look at the Resources button
lol, I just found it there now...
of course its after I complain, sorry for the distraction
No problem, I also searched at that time
using the wordlist isn't giving me any results on the footprinting of the smtp server. Command I'm using: smtp-user-enum -M VRFY -U <PATH TO FILE> -t <IP>
also doing the same with msfconsole, and getting 0 hits... :S
@obtuse root @frigid ingot FYI, hccapx is a deprecated format
please see here: https://hashcat.net/wiki/doku.php?id=cracking_wpawpa2
@paper gust when you look at my screenshots provided, I’m doing the same thing as the example, I’m using 22000 as the mode
yes but you have loaded a hccapx file
which is the deprecated format and won't work with 22000
you need to use hcxpcapngtool or https://hashcat.net/cap2hashcat/ to convert your capture to the 22000 format
Online WPA/WPA2 handshake extraction
the module is out of date, we've made changes since it was released and it probably needs to be updated sooner rather than later
For anyone interested, both msfconsole and smtp-user-enum didn't return any answer. I did it manually and ended up getting the flag. Rather annoying
@blissful verge heads up, the wifi portion of the hashcat module is going to start causing more of this issue, especially with the 6.2.6 release we just pushed as people update and find hccapx fully deprecated
it needs another update? I did update it a few months back to change modes. can DM me about what changes I need to look at?
sure, its an easy fix
hello, can someone point me to the right wordlist to use in the default credentials section of the broken authentication module? i can not find the hmi/scada default login needed to complete it after several days. plz 😫 i'm really frustrated
Can I write to you for another module which probably needs an update?
Um anyone for what I said a few posts ago? Thanks
If i purchased the $210 option for Academy, but want to upgrade to the 400 one, will it only cost the difference between the two or am i screwed out of the extra cash
send them an email and see what they say
this is such a PITA
This is a little bit of a rant but the new pwnbox is garbage
Foxy proxy not installed by default?
Automatically dropping you into the root directory?
Wtf lol
ok i'm still figuring this out. I have my own parrot virtual machine. Can I just run the exercises without using hackthebox's specific vpn? I'd like to use the key supplied by them but I don't know what to do with the file after I download it.
Hello
sorry for the question, but is it possible to write up the academy modules, or is there any restriction in that case?
could you help me with this question please
thanks
I'm a little stuck on this question from Broken Authentication -- Guessable Answers
Am I supposed to OSINT?
As the name says, you have to guess an answer.
Not every question can be guessed.
Should I be using OSINT or bruteforcing then?
Once you've found the right question, there are a few options you can try.
I wonder if the typo is intentional
Thank you for help 👍. Got the flag
@meager plover after downloading the openvpn file just use: openvpn filename, and voila, you will be connected to the corresponding vpn. It is not the same vpn for the boxes, academy or beginner challenges
@cosmic dock it will cost just the difference. I upgraded from silver to gold and i paid just the difference
When I did it, it charged the full price
Hi! I'm currently doing the "Getting Started" module and I got stuck at the last task in "Service Scanning" part. It's my first time using SMB and I'm getting this kind of response from the machine. Would anyone be so kind to give me a tip to find out what am I doing wrong? It looks like the server is kicking me out due to "no compatible protocol selected by server"? How can I fix it if it's the server selecting the protocol? And what about the last line "nor workgroup available"?
My money tree can't grow that fast @warm turret
And just for my clarification - if you do the 400 (Silver annual) one, does that mean you can skip fulfilling the modules and just attempt the exam?
Alright digging through some old HTB forum posts I found that this command should work:
smbclient -U bob '\\10.129.31.240\users'
and indeed it does. Now I am able to list the shares and get the flag. I still don't understand the problem with the first command though...
hey @sterile hawk can i get some help here? broken authentication module - Cookie token tampering ? not working properly, would appreciate it, thanks
you can see the name of the shares with the first command.
\users is already a share..
so it just shows me the shares and kicks me out?
yes
it is the idea of -L (list) yes
why is it screaming about these protocols and workgroups instead of just showing me the shares then? I'm probably overthinking xd
🙂
then you can enumerate those shares by providing the names one by one, and that way you can list the content of those shares
(if you have permission)
@sharp cedar It did show you the shares. Are you talking about the contents of the shares?
now I understand that everything worked like it should and it was me who expected something else to happen
I expected to stay in the connection and be able to choose a share to enumerate
Ah
@red obsidian can anyone point me to the right wordlist to use in the Default Credentials section of the Broken Authentication module?
Get rid of the -L then lol
haha yes that's what solved the "problem" 😄
the pwnbox is giving private key errors even after resetting and terminating it, is something down right now?
@warm turret that's just a bot, made that mistake myself
but apparently htb crew doesn't respond, been trying for the past few hours now
@sudden shore it means??
I've also been waiting in their contact queue for a while as well.
is there a contact queue? lol ?
Yeah the help center thing
I'm looking for a solution to raise the number of active connections with cloudflare rate limiting. By any chance do any of you know if they can help with that? (for a university, the public WAN IP is getting rate limited)
shoot me dm
try asking this in #613049811481919508
thanks
I'd venture to say that we shouldn't do public write-ups of the Academy modules. It's not so much for the courtesy like it is for Dedicated Labs/Machines, but rather that Academy is an individual learning journey.
can someone help me with the password attacks module? i want to run this command crackmapexec winrm <ip> -u user.list -p password.list but i don't know what i should insert as the user.list or password.list
Going on 3+ hours now waiting for a response in Help Center for academy... loving it
mind if i ask what issue are you having? also you need to refresh the page for the staff message to show
what section are you on? and the user.list is the username wordlist and the password.list is the password wordlist
network services, i'm trying to answer the first question
I've refreshed many times
I'm looking for a solution to a purchase in academy - looking to upgrade to silver annual rather than having to buy a whole other thing outright when I just paid $250. I didn't think the modules were a mandatory pre-requisite to attempt the exam
I'm confused because I don't appear to be finding a user
Thanks! you saved my lifeee
it's going to take a bit
Can I dm someone about Web Attacks Assessment?
sure shoot me a dm if you still need help
Need a hint for the Command Injections skill assessment; The injection point should be a POST request, right? Or is it possibly a GET request?
i am losing my mind on the simple flag hunt for Wordpress Hacking - Directory Indexing. is the module broken? the flag is not in any WP directory and there are no solutions available, thanks for your help
figured it out haha, i was way overthinking it
I believe that would go under #858470491676737536 . You can look at the pinned message there to see how to format your feedback
Thanks
anyone know how to upgrade privileges to root in Parrot OS?
sudo su
oh wow thank you
could I get some hint on AD Enumeration & Attacks - Skills Assessment Part II - "Submit the contents of the flag.txt file on the Administrator Desktop on the MS01 host."? ||I found some ~110-character password for username SQL01$. I tried to use that password with the mssql user, but it did not work. I am not sure, but I feel like it's a rabbit hole.|| ||Edit: Now I found a password for user mssql in memory which seems a lot more human, but I still cannot RDP with it.||
dm me 😉
Alright, I'm struggling with Active Directory Enumeration & Attacks: Child - Parent Trusts from Linux. I can't figure out how to get the NTLM hash for bross.
Is anyone around that can help out with the "Getting Started" Knowledge Check? I have been struggling all evening. In the Forums people say to use metasploit but I cant get a shell. Edit: I got a shell finally!
hey, just curious, whats gonna happen if i click this button ?
I can't use the 'sudo -l' command after using msf to get the reverse shell, but I saw on Youtube that others can use the 'sudo -l' command after using the 'Shell' command, what is the reason?
The shell has to be tty capable: https://www.shell-tips.com/linux/sudo-sorry-you-must-have-a-tty-to-run-sudo/#gsc.tab=0
Learn what is a tty and how to solve 'sudo: sorry, you must have a tty to run sudo' error when using ssh to execute a sudo remote command.
There is a way with python to 'upgrade' the shell.
thanks for the advice @acoustic owl, I set up a network share on MS01 and uploaded mimikatz to it, ran it as admin. I know the name of the user who is supposed to have cleartext credentials, t*****, but in the output that's returned I've only got an unbreakable NTLM hash for that user. I grabbed an lsass minidump and ran mimikatz on it as well, no luck... Strangely enough it did give me the cleartext password for MS01, which is a ridiculously long string of random special characters, numbers and letters... I guess I'll try brute forcing the NTLM hash next.
@forest drum thank you so much!
Okay, in the Cross-Forest Trust Abuse section of the AD Enumeration module, it wants you to log in to the ACADEMY-EA-DC03.FREIGHTLOGISTICS.LOCAL Domain Controller. I am having a serious memory issue on how to connect to it.
maybe try using evil-winrm 😉
Ahhh right! Thanks!
You should find the password from the user you identified in the previous question, in the output of Mimikatz under the section kerberos.
In the Windows Fundamentals module Skills Assessment I completed all the questions except for the first. Who can help me answer: "What is the name of the group that is present in the Company Data Share Permissions ACL by default?"
I already tried all the options output by icacls
nm - figured it out.
can anyone help a noob out on the opensource machine?
im trying to find the mac address of the server running the app
Can anyone tell me if I'm missing something here?
The target for the exercise of the XXE portion of the Web Attacks module is just an IP. It doesn't resolve to a web app, which is what I would've expected
I feel like I'm missing something trivial here
just guessing: did you do a port scan?
Yeah did top 10k just in case that was it, but it's not. The module isn't about scanning though so I would've been surprised if there was a hit
Oh nvm, my VM must've disconnected from the VPN 🤡
It works now
@warm lichen if it's xxe you will need to use burp
I'm aware 🙂 That wasn't the problem there, but it's resolved now!
Layer 8 problem
@warm lichen what is the problem
My connection to the VPN was just cut off for some reason, so I couldn't resolve the host
Can someone ping, i have a question about the web attacks module
@crisp remnant what question
is your pwnbox on?
sure shoot me a dm if you still have an issue with that module
what's the issue?
sure
I am having some issues with a module
Obtain a session cookie through a valid login, and then use the cookie with cURL to search for the flag through a JSON POST request to '/search.php'
this one was called web requests
I obtained the session cookie, and I used the JSON post request to try and get the flag, but all it returns me is: "A valid authentication cookie is required!"
curl: (6) Could not resolve host: application A valid authentication cookie is required!
Nah I'm using my own VM and just using the openvpn config provided
Post your curl command. It looks like you're trying to hit a host called application, there's a good chance your syntax isn't right
I was using the example the module gave me
curl -X POST -d '{"search":"london"}' -b 'PHPSESSID=c1nsa6op7vtk7kdis7bcnbadf1' -H 'Content-Type: application/json' http://<SERVER_IP>:<PORT>/search.php
(also I changed the server IP to the correct stuff lol)
Oh sorry no that's correct, I just didn't fully read the error message. You're sure that the cookie you used is correct?
I am pretty sure, I logged in with the correct creds, and looked in the network tab, and copied the session cookie
Hmm you're doing something wrong. You're absolutely sure you copied the correct cookie? I just tried it on my end and it was fine
You might have kept the cookie from the example and forgot to replace it with the valid cookie you got after logging in
yknow, it might be that I am using windows
I was using my linux system earlier
and I did challenges fine
Nah that shouldn't matter for this exercise I don't think
I will try again, hold on
Wait yeah it might be because of Windows. I think you might need to escape the double quotes with \
ahh, I heard that somewhere
its proof OS based on the linux kernel is so much better XD
so this would appear like?
Sorry, to be more accurate I think that curl executed from cmd doesn't like ' (single quotes)
so it'll need to be something like
curl -X POST -d "{\"search\":\"flag\"}" -b "PHPSESSID=<your cookie>" -H "Content-Type: application/json" http://<your target>/search.php
that makes sense, and thanks for clarifying the correct way to input the slashes, I was pretty sure it was that way but couldnt remember
All good
this time I got
Received content contained invalid JSON!
lemme try something rq
paste your exact command here
lmao its like javascript and semicolons, I swear
I forgot a "
I got the code, thanks for the help
I will remember the difference between curl on linux and windows now
👍
No worries
I just cant believe I spent over an hour on that because of quotes where if I was on a linux system I would have done it in 5 minutes 😂
Happens to every one 🙂
hi guys, can anyone help me with Broken Authentication "Password Bruteforce" module on the question "Using rockyou-50.txt as password wordlist and htbuser as the username, find the policy and filter out strings that don't respect it. What is the valid password for the htbuser account?" ... i have found the password policy but have a problem modifying rockyou-50.txt with regex and it doesn't work
What's not working with it? Is your regex not correct
can i DM you?
i'm not really an expert on regex and i can't make a working regex
When will a new module be released?
I'm not really home right now so I can't help you. No one's good at regex man, you just struggle through it each time 🥲
I still need to complete 80% hahahaha
thanks man
Hello, may i dm some one for AD Enumeration & Attacks - Skills Assessment Part I Question about ||tpetty|| cleartext password.
Hey, can I get a hint on Attacking Common Applications, Wordpress Enumeration? I think it is an easy one, but i can't find other plugins besides contact-form-7, wpdiscuz and mail-masta. Tried even with ffuf to find all pages and grep their plugins, but nothing.
can someone help me out on hydra module?
Hey, someone who can help me with the web attacks module?
i hope yes, dm me
thanks for quick response
can't seem to find a correct pair on the bruteforce module. hydra has been running 30m, what should i search for?
what module?
Login Brute Forcing
and section?
skill assessment - website second flag
check your fail string, you don't need to use exactly the string that htb tells you to use. just choose what you like and what u think can be unique for login page
i didn't use S=, i was using F= and specified a string from the login page source code, so that hydra can tell successful login attempts from unsuccessful ones
i have tried that as well
Hi guys
didnt get a working pair so i went with S
Sup boys
try another fail string, i also had the same problem, but i don't remember what string i've used and don't have any notes, sorry(
np thanks 🙂
I don't recall if successful log in returns a 302 HTTP response so the flag may not be there, so it's better to use F
I think I did F=<input name='user' according to my notes
trying it thanks
can i dm you about attacking common applications, it seems like i am really struggling with basic thing(
-l user or -l admin
heyyy
I don't fully recall the exercise but I thought you were supposed to use OSINT to get a valid user?
thats the last section
How do you know there's a user / admin user then?
basic http auth creds are user:password
hint says to use the username u found so i assume it is user
have been running hydra 30+minutes which seems not ok for an academy simulation
Oh
Have you solved Q1?
It's the user you found for that
Nvm sorry I misread you entirely
Can I see your hydra command?
one sec
hydra -l user -P /usr/share/wordlists/rockyou.txt -f -t 4 167.99.202.193 -s 32119 http-post-form "/login.php:username=^USER^&password=^PASS^:F=<input name='user'"
Lol I see where your mistake is
I was going to suggest you proxy hydra to burp and inspect the response 🙂
but you got it
anyway this morning i was testing with admin_login and didnt get creds
I spot another mistake
would appreciate a hint
Log in with a dummy user/pass on the website and then inspect the request on burp
on it. thanks
If you get stuck, the mistake was:
||the variables for the username/password don't match up with what the webserver is expecting (i.e. user / pass)||
took a while but i got it. Thank you for ur time 🙂
works with S=HTB as well
Hey, a question about Footprinting Lab - Easy. What's going on with the Entering Extended Passive Mode when connecting to ftp? It tells me that command (say ls) was successful, but there is no result. Am I doing something wrong, or is this intended?
maybe dir?
Same thing. However I think I was able to connect via Filezilla, so let's say problem solved (managed to download some files 🙂 )
Ok, I finished that lab. What was the DNS part in the description about? || I did some enumeration of it, but I think it's just a dead end? Is there any useful information in that?||
same thing happened to me with the ftp server on Dante. This vid shows how to fix it https://www.youtube.com/watch?v=i5furEJlySY
I'm on Attacking Web Apps with Ffuf, in the value fuzzing section. They want me to write a bash script to make a custom wordlist. I wrote the commands they provided and got permission denied; tried to add sudo to the front of the command and got an error within the command. What do I do?
cd to home
I'm already at root
can i dm you about attacking common apps?
sure
Hi, on the sqlmap fundamentals module I'm having some trouble solving flag6... I think I've tried everything... Do any of you have some additional hints that I can try?
Hi. In the CTF platform. Is there any option to change the name of my team?
Hello, when i complete a module but at a later date have another look at it, do i have to do all the optional questions again or re-spend cubes to open it?
You can always reopen a module you completed, no need to redo anything or spend cubes again.
Thank you!
Did anyone ever experience a scenario where you try to connect to a target that you just spawned, in web browser but you cannot connect to it
If it doesn't work after five minutes, try respawning the target. If you're still running into issues, you might be doing something wrong, like not being connected to the academy VPN.
Yes, I have a situation like this with two modules where the connection just drops 1-2 minutes after spawn and won't connect again until I respawn it... only to do it again.
Can I have help with "Username Injection" in the Broken Authentication module?
I ended up contacting support. Quite the hassle to get the chat box to appear, even with all ad blockers switched off, for some reason.
PM me.
Guys
I'm on the Password Attacks module and need some help at some point. I just made that mut passwords file and ran hydra against 'sam' on SSH, but with no luck; nothing is wrong with my commands, and the file is also fine.
How do you know? Just to help speed things up, as I know how long this took to crack: delete the first 17000 passwords from your list and then start it.
Just a heads up: in the Shells & Payloads module, on the 'Anatomy of a Shell' page, the second question asks for the version of PowerShell deployed, but PowerShell is not located in the panel of the Pwnbox anymore (as shown in the module). I think this might create a lot of unnecessary confusion, since PowerShell is run with pwsh and not just powershell, which is not intuitive and also not in the module! 😄
This is the output I got when I ran mimikatz. I blurred out the username from the previous question. I think the cleartext password should be in the space I outlined; not sure why it isn't. 🤔
I transferred the lsass.DMP file to my Kali and ran pypykatz on it and got the password. I have no clue why the Windows executable version of mimikatz didn't get it. Hope this helps someone in the future. 😉
I wanted to know what exploit was performed in Python 3 to obtain root and user access to retrieve the flag of this user on the machine Bank.
Can I still have help with this?
Jarednexgent, please help 😭😭😭
This module is no fun :/
one sec i'll DM you
Still looking for help with this. The module content up to this point was solely focused on a POST form, so it would seem a little weird if the injection point in the assessment were in a GET request.
Lifesaver.
Nope, you don't need to change the request type; you just need to find the injection point or the right parameters.
I'm on the first Skills Assessment for AD Enumeration and Attacks and I'm trying to gain a foothold from the webshell. I'm struggling a bit, but I want to figure it out, so could I just get a small nudge in the right direction. I've tried several things, but nothing I've tried so far has gotten me closer.
have you tried to ||upload a reverse shell payload, then trigger it from the webshell?||
I have access to the ||admin panel|| and the ||logs||, but when poisoning the ||user agent|| my code doesn't get executed.
Guys?
Did you ||use double quotes|| for the payload? If you did, then try using ||single quotes||.
First, you are using ||double quotes||; try with ||single quotes||, and in the user agent just put the payload and nothing else.
Send me a DM with a screenshot of that error.
Having issues getting the flag from the SMB section of the Footprinting module; it keeps saying permission denied. Could anyone help me out with that?
Are you doing this on the Pwnbox?
Yeah, using the Pwnbox.
The new Pwnbox terminal spawns you in /root by default, so you have to cd out every time. If you didn't do that and try to get the flag from the target machine, it will give you permission denied.
Or you can use more flag.txt to read the flag without downloading it.
Man, that was super simple lol. Thank you.
Is there anyone on that can help me out with the "Getting Started" module's "Knowledge Check", please? I have the first flag, but am having a tough time with privesc. Never mind, I found the solution.
Yes, but I can't figure out how to access the payload. All uploads go into the root directory, not /uploads. Figured out how to get them into the uploads folder, but I can't get PHP or ASPX shells to work. PHP shells give me a 404 error and ASPX shells just don't connect.
Hello all, trying to do mod 20 sec 226. When I download and install hcxtools, it does not install hcxpcaptool. How are we able to extract the hash if we don't have that tool?
You need to compile it, and please give the module/section name next time.
I did give the module and section.
The name, not the number.
Did you run it as root?
Nope, you need to run it as root.
With sudo.
Oh wait.
You are on Kali; that tool is pre-installed.
No lie?
Yep.
Then why did I have to download the repo?
That's there for the ones who need to install it.
I must be really stupid if I can't find it.
Oh, and for the first question in that section the hint said to use the other tool, but if that doesn't work you can just use ||hcxpcaptool|| for both.
Which Kali version are you using, and did you try hcxpcapngtool?
I thought about that tool, but reading the example, that tool wouldn't extract the hash, from what I read.
I'm using Kali 2022.1 and that tool is pre-installed for me, but I did see some stuff change in some of the newer Kali versions, so I'm not 100% sure if that tool is pre-installed for sure; it may have been removed from Kali.
The file you need to extract the hash from isn't the zip file; it's inside the zip file.
Correct.
Then yes, that's the right tool.
I'm drawing a blank trying to find out which version I'm running.
For the version, run cat /etc/os-release, but you can just check whether the tool is installed or not with hcxpcapngtool, so run this first.
If it gives you "no option selected" then the tool is installed, but if it gives you "command not found" then it's not installed; for that you can compile the tool with sudo make; sudo make install.
You have a typo: the tool is hcxpcapngtool, not the thing you used.
So yes, it's there.
Oh good, then you can just use it; you don't need to compile it.
Do I still need to find the hash of the file?
Yes.
I hope I'm on the right track.
Yeah, you just extract the hash from one file, so yes, and you probably need to put a spoiler tag on that.
I think I'm getting it.
You also need to put a spoiler tag on that.
It finished and I was able to solve it.
You need to verify; use ++verify in #bot-commands.
SQL Essentials. Bypassing Web Application Protections
Case 10. Hint, please?
DM always open.
shoot me a dm if you still need help with that
MRtom to the rescue!
I'll DM.
all fixed. 🙂
I'm not sure if I'm being stupid or something. For someone who's looking to come into this field, is there a module that allows you to familiarise yourself with the basic Linux commands, or is that a Google thing off my own back? I'm having trouble even with the foundation modules currently.
Apologies if this is in the wrong section.
Try a ||PowerShell base64-encoded payload||; works like a charm.
Here, check it out: https://linuxjourney.com/
Thanks, much appreciated! Have a nice day.
Woooop! Got my first root shell on the Footprinting - Hard lab and finished the exercise 1 minute before my target went offline.
This is a bastard of a module, haha. Well done!
Ok, I feel like an idiot for asking this, but I've been stuck on it since yesterday. I'm trying to do the Fingerprinting module and I'm stuck on the first DNS question, which says to get the FQDN.
For the life of me, I can't find what it's looking for, and I feel like a total idiot.
I don't really know how to give you a hint on this, but check the ||DIG - NS Query|| part in that section.
Is anyone around who can answer a question on Attacking Common Applications - WordPress?