#modules
for Attacking Common Services - Easy . I uploaded .php but instead of it being executed it gets downloaded. Is this a rabbit hole?
it only downloads right? did you figure it out?
Ah yes I did!
i uploaded a .php but when i execute it, it just downloads the file
any hint?
@wind gust You can send me a dm 🙂
Hello everyone, I have some trouble with Firewall and IDS/IPS Evasion - Medium Lab in HTB academy. I would like to know, once I have a connection with ncat, what can I do?
a ping sweep doesn't always work for this i don't know why but i recommend a gui tool called wnetwatcher
sure
strangely, couple of hours later I was able to find the host with ping sweep
you should be able to find the flag if you got a shell check in ||/usr/local/nagiosxi/html/admin||
yep the ping sweep only works like 50% of the time
hint the right parameters start with an ||h|| and when you use curl did you include this in your command ? -d 'username=(parameter you found)'
Hi i'm working on the hard lab of nmap and i'm trying to listen for the following traffic: SENT (0.0546s) TCP <my tun0 ip>:53 > 10.129.202.160:<spoiler_port> S ttl=52 id=62986 iplen=44 seq=635094032 win=1024 <mss 1460> and with netcat: sudo nc -lvnp 53 <my tun0 ip> but nc did not receive anything where could the problem be?
For the sql injection fundamentals module skills assessment, is it possible to ||get the initial login bypass|| manually? I used an automated tool for it, but even so I couldn't reproduce it manually without referencing the tool's payload
yes you can bypass the login manually and like the fourth or something payload i try on payloads all the things works
hint use the ||ncat|| command shown in the previous section
thanks already grabbed the flag but also understood why this works
it's just basically connect to the target port with your port ||53|| and the nv tag you can just find it in the help menu
hi can someone help me please, I'm having trouble with using Using Web Proxies Zap fuzzer. I can't get Set-cookie: to show up so i can then fuzz it. i can get cookie: to show up but it won't let me change the input of that one. hope someone can help and thank you in advance.
for that it's way easier to do it in burp all you need to do is in burp intruder Add the cookie and in the Payloads tab go to Payload Processing section click Add and choose Hash > MD5
I cant see CPTS section but how does it compare to ejpt? Im A+ and Network+ with linux experience- and have taken CEH course - not exam- so is it like OSCP or ejpt? oscp is far beyond me at this point - I need to start at my level- any thoughts?
You can explore the modules available in CPTS here - https://academy.hackthebox.com/preview/certifications/htb-certified-penetration-testing-specialist/
Click on Related Job Role path
It lists all the modules in CPTS. Other way to know this information is to simply register on the website and navigate to job roles or Certification tab itself and look out for modules in there.
hello I contact you because I have a problem in the section FOOTPRINTING and DNS with question What is the FQDN of the host where the last octet ends with "x.x.x.203"?
I tried all the wordlists that are present in the folder seclist/discovery/DNS and I can't find the answer
Can you help me please ?
Kinda same level as OSCP, eCPPTv2 and GPEN.
But I believe its more than that.
Love the subtitles
@worldly grotto brute force dev
yes i use dnsenum
for brute force
@worldly grotto for sub in $(cat /usr/share/seclists/Discovery/DNS/fierce-hostlist.txt);do dig $sub.dev.inlanefreight.htb @<ip address> | grep -v ';\|SOA' | sed -r '/^\s*$/d' | grep $sub | tee -a subdomains.txt;done
oh ok thanks you
not in that images but in the live stream mrb3n look a bit dead inside
i'll be sure to check on him and make sure everythings ok
lol
nothing more special than a regular network
you just need a client to deauth to capture the ssid
and tbh Im not 100% positive even that is necessary anymore.
What i can use to know the password of it after i knew the ssid
there are entire books written on that particular subject
google some newbie wifi hacking tutorials
can anyone help me with the Advance File Disclosure in the "Web Attacks" module
I tried the CDATA approach as mentioned in the blog but getting no result in the response section
can someone help im having a problem with it
like i cant connect to any of the websites in my hackbox
so you can't access hackthebox.com or can't access any of your target?
try the error method
if the target machines are not reachable please connect with VPN first
ok
ok
cant get any
so you can't connect to both?
yes if you don't have a subscription you can't access the full internet inside the pwnbox
go on to htb website on your machine not the pwnbox and download a vpn
hey. im at the information gathering - web edition at the active enumeration part and it says that i need some sort of vhosts. im sure its a noob question but idk. like do i need to start them myself somehow or connect to something?
Add the provided ones to the /etc/hosts file and use the ip of the machine spawned for the challenge
vhosts basically is a subdomain but on the same ip as the main domain
it can also just be entirely separate domains hosted on the same IP, shared hosting being the most common real world example.
gotta sudo
sudo
hello people I need help, I'm new, I want to subscribe and it asks me for a promotional code, what do I have to do or put?
well, do you have a promotional code?
no xD
then put in nothing lol
mmmmmmmmm....what if the server that is running is a python server while the question in the module asks for the apache server version????i mean shouldn't this server run on apache? i tried a quick nmap -sV to check the background services but no apache
is this ok or im just f-in retarded?
fyi i used curl -I as it is shown in the module
so which scan show app.inlanefreight.local is running python?
also which module is this in regards to
he did say Information Gathering - Web Edition module and the only section that has a vhost question is the Active Infrastructure Identification section
ah I missed that part
the curl -I says that the running server is python 2.7.18(tried it as answer.doesn't work). also the nmap said: "80/tcp open caldav Radicale calendar and contacts server (Python BaseHTTPServer)"
information gathering - web part. active enumeration
i don't think you can use nmap to scan vhost
the Active Infrastructure Identification section?
yup. and to be more specific thats what i get from curl Server: WebSockify Python/2.7.18
well idk if im allowed to write these out here so sry if i shouldn't
so you run this and get the server is running python? curl -l app.inlanefreight.local
capital i not l as it is shown at the beginning of this section
wanna go private? i can show pics
sure shoot me a dm
this sounds kinda wrong
it was a joke because out of context that question asks like youre going to send nudes
i got a question about final part of password attack lab - hard, anyone i can DM?
sure shoot dm me
Oh Alr that makes sense thanks for your time and help
np
can i get help with a q? i am lost trying to figure it out
just install as you discover your needs
Ok
When using gobuster to dir bust, what switch do we add to make sure it finds PHP pages? i am lost
on the same lab as well, wasn't able to complete due to misbehaviour of the box
trying but not even getting the base error which we use for checking that whether this is possible or not
the output is coming clean
got it, I was making a mistake
ok nice
also what is the issue with this box?
hmm, I am at the smbclient part got specific user and the password as well password
when inspecting there is a file which is there, which needs to be downloaded for further process, which I am unable to due to timeout
oh yeah that file is 130 MB and downloading it through the vpn is going to be hell
yup
i think you should use the pwnbox for this
yeah but the connection should be more stable on the pwnbox
the answer has some nice flags to try for smbclient
tried this as well, adding flags and all
but thank you for sharing
theres a couple other alternatives in there as well
for those who struggle with file transfers, check this out. https://infinitelogins.com/2020/04/24/transferring-files-via-base64/
needing a slight nudge on one of the module labs
Network Enumeration with nmap, "Host and Port Scanning" section
Second task is to enumerate the hostname. Is this supposed to be done via nmap, or just with anything possible?
Any idea why am getting this? for attacking common services - hard
i don't think you can login to the mssql from the target machine you can just use sqsh on linux
I can't find it installed. I tried apt-get but not found also
you can do it either way
oh yeah i forgot about that also the pwnbox removed that tool for no reason, try python3 mssqlclient.py USER@IP -windows-auth
thx
Hi there, I'm working on the hard Firewall/IPS lab for the network enumeration with nmap module and I'm looking for some help. I've found the hidden service and I have an idea of what other restrictions are in place to prevent service enumeration but I'm not quite sure how to bypass those restrictions. Would anyone who has completed it be willing to DM me to point me in the right direction?
I believe this is meant to be done with nmap. I was able to do it with nmap
finding the service is the hard part. if you've already done that, there's nothing extra special that you haven't already done to get version scanning to work.
can someone give me a nudge on password attacks hard lab? rdp in using J's credential. found a kdbx file. I guess I need to crack the master key but not sure how to download it to my kali machine
DM me 😉
need help with XSS PHISHING Question.
what's the issue?
The first parts asks to craft a malicious url, which I understand is done by document.write (same used in the walkthrough). But then I am confused about the /phishing/send.php. If I enter the crafted url in the url search on that page I get invalid url.
try putting this at the end of your payload <!--'); instead of the given thing
also the url format before sending needs to be something like this http://10.129.135.2/phishing/index.php?url=
Thanks for the nudge, @fathom swift @thorn urchin
What is the command used for listing out the collections in a database? on mongodb
I dont like how in the Footprinting easy lab, a mandatory part of the challenge is only revealed to you in the hint section. I like to tackle the labs without the hint helps first, so it turning out to require information only provided to you in the hint section feels bad. If its mandatory it should just be in the lab prompt.
Hello all,
"Server-side Attacks"->"SSTI Exploitation Example 1"
I have to create a python2 virtual environment and install package with pip2 for install tplmap but pip2 is not available on Kali 2022.3 Release
How can I do that ?
Thanks in advance
i will bring this up.
After installing successfully python2 on ubuntu 20.04 with:
sudo apt install python2
I downloaded get-pip.py from https://bootstrap.pypa.io/get-pip.py
sha256:
thatd be awesome thanks!
the Footprinting medium lab however was simply a total blast. Very fun.
hard one was also a blast.
can anyone guide me about Nmap(Network Mapper)
Just a quick tip about sqlmap assesment
Does it take a lot of time ? I found the injection point but it takes hours to retrieve the tables
Should I add more options in my sqlmap payload?
Hello everyone! Im going nuts with the footprinting medium lab! Diggin in the mssql database but cant find the user 😦 😦 any hints?!?!?!
dont unsolicited dm people 😡
I'll give a golden rule to maintain your sanity and don't go nuts over anything in penetration testing engagement.
Think about this - there's only a bunch of things you could do to achieve your objective. So its finite, note them down, lay out your strategy
Sorry! First time around here... wont do it again...
Just did... first time in discord as well... million icons everywhere....
had ya asked Id probably have said, "maybe tomorrow because Im going to bed, good luck but you are very very close"
Im taking baby steps, no harm done 🙂
yea i also make some dumb mistake the first time i use discord
so what's the issue?
you can't find the HTB user in the databases or you can't find a user that can access the databases?
I`m reading an SQL manual at the moment, I got access with the correct user to the DB but looking around to find the HTB user!
You have to execute basics sql statements
if you right click around a bit you can have the management software build a query that gets ya 90% of the way there
Like see the existing databases, the tables inside and then dump the table
Where the HTB password is looks pretty obvious when you do these commands
Thanks everyone!! I`m going over the things you advice me!
and here is a tip for ya when you found the right database and use the method shown in the hint (the 200 something) that will run a script, at the end of the script add this to filter only the htb user WHERE NAME = N'HTB';
oh it may run out time
1 minute left 😦 😦 I gotta wait a bit
that happened to my pwnbox instance right when I wrote down the sa creds. super glad I saved it on my phone notes and not inside the instance lmao
Now the gnome-box is lazy :/ :/
Finally in!! Why if I type the password I don`t get access... only if I copy and paste it works.... going nuts now haha
I think I found the correct DB, with 3 columns...
Finally got it!!!!!
Thanks to everyoneeeeeeeeee
does anyone understand about discord
can you join my discord server without link access?
this happened a long time ago
there is a way to join my discord server without access link?
i need help with a module i am a complete noob
who would be helpful and where to find it
Which module?
Hey
hey guys i still cant access the website in the first module even with a vpn
Answer the question(s) below to complete this Section and earn cubes!
Target: 138.68.162.164:31871
Time Left: 73 minutes
- 4 What is the proof text displayed in the Target website you browsed?
this one
linux fundamentals
it wont let me on the website even with vpn
system information whats the path to htb students mail,
for docker targets we don't need a vpn. Just make sure you are using http protocol.
not https?
correct
oh so the site is wrong alr
thanks for the help
YES IT WORKED
ONLY TOOK 3 HOURS
OVER THE COURSE OF 2 DAYS
Hey, don't see any command injection possibility in Document and Reporting Module Assignment. Can someone give a hint on which host's webserver should I look for it?
what the path to a users mail tho
Hello,
I'm working on IDS/IPS - Hard. I was able to find what I think to be the hidden port ||50000|| using ||sudo nmap -sSUVC -vv <target ip> --source-port 53 -oN <file name>|| Is anyone able to let me know if I'm on the right track and if so what to do next?
Hey could someone suggest a couple modules and boxes in the academy and htb to me that would help me get better at reverse shells
for some reason theyre a difficult concept for me and I struggle with them a good bit
youve already done the hard part, sometimes you just need to be more patient 😉
I got it thanks. You were right just took a little re-evaluating
@brazen apex payloads and shells module
Thanks ill check them out
@brazen apex no p
maybe it can be on 172.16.5.130 host, but I can't access it
I have a question about the wordlist which is used in the ATTACKING WEB APPLICATIONS WITH FFUF module. Where can I get it from? It seems not to be pre installed in kali linux. Where can I download it from?
havnt done it yet, but likely to be in the Resources button at the top of the module.
yo has any1 got any tips for windows ip steals
tryna firewall my wifi better than the organiser
cos recently sum1 hacked it and stole my work files
btw any1 wanna counterhack them w me?
🙄
this isnt the place for like...any of that
btw my names nyka : )
its for discussion of htb academy modules
and that is what exactly?
wait nvm
i just didnt read it properly
ty
Module: DNS ENUMERATION USING PYTHON
When providing the answer to the number of subdomains, I have to supply one less than I see. Is this because the @.inlanefreight.htb doesn't count? Maybe nice to explain it in the module if that is the case.
SQL Injection Fundamentals final page:
Attempting to write shell.php to a location within the web directory but unable to find an accessible location where I have write permissions. The only location I've been able to write a file is ||/tmp|| but when attempting to reach https://[location:port]/injected.php?id=0 brings me a 404 error. I attached a file with all of my notes including all attempted locations and SQL enum. Not sure how to move forward, any help would be appreciated
Hello guys im new
If I want to install an operating system like parrot, do I have to install the iso but to configure everything? or can I install the one that comes without putting a password, is there to log in?
in kali linux you have an account with which you log in everything, parrot is the same?
if you know how to install kali parrot will be very similar and yes parrot is very similar to kali. They're both debian linux based platforms and once you learn one using the other is a piece of cake.
they just have little different GUI and pre installed programs.
Yes, but what I want to say is that you saw that to do certain things in the terminal it asks for the user's password? Well, it asks me for the password now and I tried many passwords and none of them work for me, it never asked me to register or something like that, I don't know what to do
usually when you're installing the OS it asks you to create an account. You saying you never did this?
might try looking up the default password for the Operating system its probably that if you never set it
install the first option that they give you on the page, I think that option was the one that does not ask you to register and you already have all the programs, I don't know
might want to try to follow a youtube video guide in how to install the operating system. Theres many and theyll show you step by step what to do.
I used this instruction to install parrot on a vm. The link shows the step where you typed your password.
https://docs.parrotsec.org/docs/virtualization/install-parrot-on-virtualbox/#step-57---creating-a-new-user-account
check where you're sending your webshell, the default directory for web pages it's usually ||/var/www/html/|| in this case if you did ||ffuf|| on this lab you'll find another directory ||/dashboard|| that's where you need to send your webshell
Okay thanks guys
if you have another device you can look on. Pull up the tutorial on that and follow along
I get access denied writing into this directory
I still put the operating systems inside a flash drive, it's not in virtual box or something like that, notice
send me a dm with the command you're using
ohh I understand thank you very much broo!!
did you use etcher or some other program similar to write the iso to the flash drive?
https://www.balena.io/etcher/ program allows you to make a bootable USB flash drive from an OS iso image. You write the OS iso image to the flash drive using etcher. Then you modify your computer's bios to boot from the usb. Then when you boot up initially there's usually an option to install the OS or there'll be an install OS link on the desktop home page when you first boot up into the OS
I don't know much about that, I don't know etcher
ooh
you say to put the operating system inside the pendrive?
if you ask about that, use rufus
Yes etcher will help you install the OS on the usb drive then you boot up from the usb drive and then install the OS on your computer
https://www.youtube.com/watch?v=GWZvGu8LjNc (how to use etcher)
But another thing, when I want to use parrot and I'm in windows, will I always have to restart the pc, connect the pendrive and open it like this? or can I do something to not always connect the pendrive and that the parrot is saved
Hm okay
I can not open another hard drive in windows or something like that and in that new drive I put the parrot?
You could choose to just boot from the pen drive too and not install the OS on your computer but none of the data will be saved by default. But you can also choose to install the OS on your computer permanently. By default this will get rid of your windows OS but it's possible to install both OS's at the same time by creating at least two partitions on your hard drive. This is a little more advanced though.
but if you just want to use parrot and not install it permanently you can also download a program called virtual box. And install a parrot OS virtual machine and use that inside windows.
bro the pc i use is from the kitchen part of the house, my family uses it too i can't delete windows :/
yes, I know, my idea is not to touch virtual box anymore because when starting the operating systems they are very stuck, my pc has 3gb of ram xd, 285gb free and well, it is not very good the truth for what I want to do
https://www.virtualbox.org/ this will allow you to install parrot OS "virtually" inside your windows OS
When you can, it would be best to get a dedicated desktop or better a nice laptop for your offensive security journey.
get another decent laptop like at a pawn shop or something they got good deals on newer laptops and then install your parrot OS or kali on that. A lot of pawn shops will allow you to make payments over time too. So you don't have to have all the money upfront and can just pay a little and get a laptop to use quickly.
My father has an EXO brand notebook, there are bad reviews of that brand, I installed an operating system inside the virtual box to see if it went well and it was stuck!!! on top it has good components I don't know what happens
Oh nice okay thanks
I'm still from Argentina here I don't know if there are pawn stores
sure you could still find someone on Craigslist Argentina selling one or order one on Amazon.com
my parents say that those pages from abroad (south america) like ebay or amazon do not reach your location here and that they leave it for you at the border, also here the dollars are very expensive imagine buying something from there while in argentina
well thank you very much for everything, it's still complicated, I can't do much
gotta be someone where you are that knows how to get a computer/ laptop.
Emmm i dont know, I would have to investigate but now I'm lazy, I'll search later, also my parents won't want to buy me another laptop because this is the one my father bought, and that's kk, that's good, I could delete the windows it has and install parrot but i dont know
as a follow up to this question, I saw a reply that said it's working, continue with portscanning, but nmap fails too. This is the expected behavior if I'm not even able to ping the machine. I tried changing VPN servers and even tried accessing from the PWNBOX, but it still fails. Can someone point me in the right direction?
is there anyone that could help me with the shells & payloads hosts 1 and 3
sure what is the issue?
what do you mean by fails and also which module are you in?
for host 1 i tried to post a shell and listen on the assigned port but nothing comes through, i then tried the metasploit mgr upload and it won't work, keeps saying payload fails. i tried changing all the payloads to all available payloads and it won't work. i also tried uploading a war webshell and that hasn't worked for me also
first did you set the LHOST or the ip to 172.16.1.5 (i think this is tun0 on the nomachine) but in my note i use the shell.aspx and just change the ip in that shell
yeah 172.16.1.5 doesn't work as well
host 1 is tomcat server
host 3 has aspx i believe
as i got a webshell with antak.aspx on host 3 but eternalblue i cant get to work
"Host seems down" error.
I'm in the FFUF module but this error is not unique to this module I've been facing this at various places
which section?
oh yeah you are not the first one that have this issue try auxiliary/admin/smb/ms17_010_command
ill give it a try now
that metasploit module only let you run 1 command but you only need 2 for the flag
and also i think most of the section in that module give you a public ip (a docker container) which you can't ping or scan that you can only access that target on the given port also which section are you in?
By access, you mean via browser right?
yep
and tools will also work if you use the right one like you can't use gobuster to scan ssh (if that port is ssh)
but the browser renders a blank page
okay I'll try directly using the tool specified. Thankyou
that means you can access the target but the target has a blank page
if you can't access the target your browser will give you something like 404 (wrong code it will give This Site Can’t Be Reached) not a blank page
hey in pwnbox is there a way i can get that background because that is so so cool
check in /usr/share/backgrounds
You can learn. There are cheaper options. For example you can run Parrot on a RaspberryPi. Or use a LiveCD on your old PC.
To me it seems you are a candidate for the PwnBox here on HTB; take advantage of the discount this month for VIP+.
I think it is only on annual subscriptions with the hacktheboo promo
yep, only the annual. and also not for the academy, i believe? or is it?
yeah it's 25% OFF for annual
anyone on attacking enterprise networks - lateral movement can help me?
bro I have no money my parents would not pay me that
oh tf can windows 10 run 3gb?
Academy gives you a couple hours free pwnbox a day I think and the tier 0 modules are free
or if you have a usb you can use a live system
and this is why tryhackme free stuff is better (for beginner) https://blog.tryhackme.com/free_path/
👍
join computer club in your neighborhood.
and well, I worked for months to buy my first computer when I was 15...
@coral ginkgo try this if your machine can't run vm https://www.youtube.com/watch?v=n2olKupv9fY
When you do the Challenges, then you probably can do that without VM
Hmm yes xd
what neighborhood? and what computer club? I remind you that I am in Argentina, there is no such thing here:/
Okay thanks
go to the nearest internet cafe xd
Bro what can I do at an internet cafe hahaha
The one that was near my house closed, I don't know what happened
Heya I had a quick question about the HTB Academy Module Windows fundamentals. Could anyone give me a hand?
I'm trying to connect to the share using the smbclient and can't make a successful connection to the host
still need help? pm me if so
I need help with this dang box
when I click the "upload files" button nothing happens
I am in an admin page
this is the one I am doing
I am gonna use metasploit, but I like to do things the hard way
and try to avoid using metasploit
I can't tell if me not being able to upload a file is a mistake or not
please @ me on this so you can get back to me
hint that upload button is fake you can't upload file you need to find another way
figured out through doing a reverse tcp
nice
I just have to escalate privs now
and if you need help with that check back in the Privilege Escalation section
now I have a different problem
I have complete access to the system using sudo in /usr/bin/php
but when I go to that, I get stuck in some weird thing
that I can't get out of
can't enter any commands or anything
if ctrl + c doesn't work then i have no idea
||I don’t think you have to go there. If you have a sudo control over php, you can just call ‘sudo php script.php’ and it will be executed with the root privileges||
Hey, I have a trouble with the second question in "Shells & Payloads" module in "Laudanum, One Webshell To Rule Them All". I'm pretty sure I got the right answer but apparently it's not...
How can I fix it?
Ok, nvm I used a different shell than the one specified in the module, and somehow this one was landing me in a different directory
hi guys i am having issue with openvas skill assessment, my understanding is that i can check scans on nessus since i am unable to connect to openvas? any help is appreciated
||Am I missing something? I have to search for the name of the unit and found it pretty fast but I still get an error
ps: hope this isn't the wrong sub (?)||
Not sure if it's ok to give away the answer for academy stuff or not, but I guess I'd suggest try grepping for something a bit less specific.
You should spoil that pls
didn't know how to spoil it after posting
I was trying to subscribe student benefits using my university mail but i cannot subscribe in the student benefits.
what to do now?
trying to get sqsh installed on parrot seems to be a nightmare now.. i downloaded the .deb but there's loads of missing dependencies that cant be installed with apt-get 😣
hey can sum1 add me and help me find a good new terminal operating system please? thanks
Hi!!!
Module - Active Directory Enumeration & Attacks
Did you manage to do all the examples in the "Bleeding Edge Vulnerabilities" task
Interest in attack - PetitPotam (MS-EFSRPC)
On the attacking host ATTACK01 something does not pass this attack.((
This is when I have already received the hash and am trying to make a TGT request for DC
On this topic, only here is such information:
im having problems with the "Attacking Common Services - SQL" section.. Tried to install sqsh in Parrot unsuccessfully, switched to mssqlclient.py and got errors about SSL/TLS, updating impacket tds.py file as per online instructions and now I get error: Line 1: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication, can only see one issue about it on the impacket github, was due to typo but pretty sure mine is correct 😕
oh wtf i was using htbduser instead of htbdbuser 🙄
hello
in the footprinting modul medium lab i was able to login via rdp and found the sa file. but can't now login..any hints?
Hello everyone! I`m on the "Footprinting Hard Lab" I got some user name and credentials but the command line openssl only gives me -ERR Unknown command 😦 😦
You have to do some right clicking along with the newly found informations!
i have the answer to this question just by doing a google search but wondering if anyone can help with the actual curl command?
Edit the php.ini file to block system(), then try to execute PHP Code that uses system. Read the /var/log/apache2/error.log file and fill in the blank: system() has been disabled for __ reasons.
Guys, someone can give me a little tip on the XSS MODULE ?
Its the phishing module. I did everything correctly, set up net cat to listen and when I acess the send.php page it says "URL SENT"
but nothing shows up in netcat
can i dm you?
Feel free to Dm me if you still need help 🙂
yes!
have you guys ever heard of Mystopians it seems like they will be worth a lot of money in the future
sir this is a wendys
did u finish ?
Hey, on the pivoting, tunneling, and port forwarding module section rpivot. I did everything but i cant find the flag on the web server any hints?
Thanks @lethal atlas and @vital adder i completed Broken Authentication https://academy.hackthebox.com/achievement/433014/80
i literally lost my mind on that question where you have to guess the role for the super user. Like you know exactly what you have to do it's just getting the right role.
for me the most difficult was the right filtering of rockyou. @lethal atlas gave me the final push there
have even create this: https://github.com/josemlwdf/PasswordPolicyChecker
Good job! Crazy skills assessment haha 🤣
ok it's been fun, but i'm out now (not for good), bye guys 👋
Nope, now im getting the error "Issue in sending the url"
anyone helping me here???!!!! I've been trying for hours ((What is the FQDN of the host where the last octet ends with "x.x.x.203"?)) Footprinting-DNS
I figured out an alternate, and easier way, anyway, but I will keep that in mind, thanks!
Struggling with Attacking Common Services - SQL. Got the hash cracked but cannot login as MSSQLSVC. Edit: NVM I figured it out with mssqlclient.py. Seems to be easier to try through this method.
Dm if you still need help
Does seem kinda tragic that SQSH won't install properly on parrotos
Hey could someone help me understand what im doing wrong? I m in the Active Directory Enumeration and Attacks.. and during the guide it says to log into the target server and open wireshark.. however, everytime I try to open Wireshark, I am prompted for the htb-user credentials.. When I put those in, nothing happens!
Hello, could Wfuzz use a fake IP for brute forcing?
I can't find the information by searching key words like "fake IP", "change IP" and so on
why, you wouldnt get results back if you could
hi, in the second question of BROKEN AUTHENTICATION "Brute Forcing Cookies", it is prompted that Correct decoding is the key. I tried the decryption method in the article, but still no success, please help me
hi everyone, please need help on the final assessment of the LFI module
what i have tried so far:
-i have fuzzed for parameters using ffuf and saw that one working param is the page param
-i have tried fuzzing with the LFIjhadix.txt file in order to spot a path traversal i can use but no success
-i have looked for cve concerning php v7 and nginx without success
-i have gone through the source code but no hint
How necessary is buying a VPS to work with for these modules?
not that really necessary on my own point of view
I'll just skip any VPS stuff for now I guess and if I need it I guess I can set it up later, I just don't have the money to try out a VPS on a whim atm
you will just be good to go even without it
Hello , I am stuck on Skill Assessment - Broken Authentication.
I am brute forcing the ||'support'|| account with the ||grep '[[:upper:]]' /usr/share/wordlists/rockyou.txt | grep '[[:punct:]]' | grep '[[:lower:]]' | grep -E '^.{20,20}$' | grep '[[:digit:]]$' > testlist.txt|| wordlist, but can't login
Could anyone give me hints?
hey hsiao, try adding the country code (us) at the end of the login name [support.us]
Thanks,But how do you know adding (.us)? Could you share your idea to me ?😀
no prob, havent gone back and looked exactly at the labs wording, but I believe there is some type of wording on the website or page that indicates the user country code. And when you try to login with support.us, it indicates that it may be a valid user. Hopefully this helps, but Im trying to remember the lab wording and just going off my notes.. It was very tricky to know to add .us. It took me a while and I stumbled on it after feeling like I tried everything else lol
Not able to connect to htb academy using VPN.
please anyone can help out with the LFI final assessment ??
dm me
Can you DM me the solution? Because I solved it the way I described and wonder about easier ways...
Great
where academy provides a username/password list in resources, they should either a) contain the correct user:pass or b) the lab should come with a note that says "you might need to try other wordlists" 🙄
Hello. Trying to put in my training requests for work for the next 12months. Just wondering if there was a roadmap of upcoming modules?
Morning all! I'm working on the footprinting lab labelled MEDIUM, and I'm stuck when connecting to the SQL management Server. I keep receiving errors that "a connection was successfully established with the server, but then an error occurred during the login process. No process is on the other end of the pipe." I have connected to this server, and I have found the credentials that I believe to be correct, but I'm not sure why it's not working. Any hints, tips, suggestions? I think I'm near the end of the lab...
HEy guys can anyone help me on password attacks module on linux cred hunting section
Hello all, completely new here and new to coding/programming etc when i say new i mean completely new 😂 but its something that has always interested me. I found HTB via a youtube video i watched and have just started working my way through the modules at the moment. Boy is there a lot to take in but im enoying it! im working my way through all the tier 0 then i will move on to tier 1 and so on. Would you all agree this is the best way to proceed through the learning modules? Thanks, Chris
Also starting with the fundamentals first?
@fathom mortar what is the problem
Hey, can someone help me with Attacking Enterprise Network module? Got id_rsa for root user, but can't connect via ssh to it
@brave prawn maybe you need to crack the id_rsa
hi, i have problem to register university, how i can resolv this ?
nope, it is not encrypted
Just starting it right now too
Hi Everyone! I'm working on the footprinting lab labelled MEDIUM, Penetration Tester Track, and I'm stuck when connecting to the SQL management Server. I keep receiving errors that "a connection was successfully established with the server, but then an error occurred during the login process." When I check the logs it's saying the password supplied is incorrect. However, in RDPing into the Server, I was able to find the file that listed the sa credentials; at least what I believe to be correct as they start with sa:, in a little file. Any tips, suggestions, or what I'm missing here?
Thanks!
that method of authentication is disabled 😉 and the user youre running as doesnt have permissions to use windows login method.
Damn i really like HTB Academy
its a ton of fun
Thanks madf0x. I had literally just tried backing out and xfrerdp with one of the other users, and guessed my way into the next step.
...and break time. I'm seriously frustrated that I'm now trying to understand SQL Server. I have no clue how to find the tables, or search in this software. I get that it's good to know. It frustrating as this is not the focus of the lab at all and very time consuming to dig through 😛 End of rant
@spice onyx use select
Can anyone please help with the password attack - hard. Have got Johanna's pass. Have explored on the box, cannot get anything else
@bronze frigate download the kdbx file
i hate
BRO
I SPENT LIKE 2 MIN ON THAT GUY
🖕🏿
whats the point of having a giant emoji WHEN U CANT EVEN USE IT
FUCKING
FUCK
@rustic sage can you please go to sleep
sure
@rustic sage or stop using those words
🗿
Question for y'all
Is upgrading to VMware Workstation Pro worth it?
I only have the player version rn and it feels quite cramped in what it can do
@leaden mango If you want to install more virtual machines
I have VirtualBox but getting it to work with ParrotOS with the clipboard was finicky and not worth it
i use hackertyper.com to hack what do yall use?
so with the module attacking common web applications, section attacking tomcat, question:
Obtain remote code execution on the http://web01.inlanefreight.local:8180 Tomcat instance. Find and submit the contents of tomcat_flag.txt
is it necessary to get root?
i use both whatever bro its your style
i actually identify with this type of rage
nice
Help:(
hi guys ❤️
thats been my fav way to work through the modules lmao
Haha nice
can anyone tell me how to start learn ❤️
its convenient because means I can work on em during slow patches at work too
Thats true
from where*
Hey guys, need help at passwords attacks section with the hashcat attack
And how do I fix the error about my machine don’t have enough memory on vm?
I think by adding more memory
Ii have the same problem on this laptop
I think its the ram
More memory dude
Dm me
okay
Got rid of it thanks!
Just added a little more
bunch of work left over from weekend crew so can't do modules instead.
having some issues with the flow control lesson in the intro to bash scripting module
is anyone available to help?
I'm pretty sure the code is right but I keep getting a bad decrypt error
At first i thought that i needed the 28 char of the hash
But they meant the hash of the var
I mean the 28. Hash
yeah it's failing on the decrypt
└──╼ [★]$ ./test.sh
34070
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
bad decrypt
140522067588416:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:../crypto/evp/evp_enc.c:610:
not the length of it?
Yes
encode var 28 times and assign the results to salt
salt=$var
To count the chars
Hi - is there somewhere I can get help with receiving CPE credits at ISC2 for completing HTB Academy modules? I completed them months ago and have my ISC2 information in my Account Settings listed correctly.
Hi there. I'm stuck in the nmap IDS/IPS evasion - medium lab. I need to get the target's DNS server version, but the 53 port is being filtered. I've tried different switches on nmap to get it, but I get no different output.
The hint: During the meeting, the administrators talked about the host we tested as a publicly accessible server that was not mentioned before. I think I need a different approach scanning the target's web server as the clue says... though I got no idea how to get the DNS server version trough a port that isn't 53
you could try doing some reconnaissance via https://dnsdumpster.com/
Did you scan both with TCP and UDP? 🙂
Okay, I'm going to give it a try
I've only tried with TCP. Good point
I'm going to try UDP
bruh
that's it
my bad, I totally forgot about UDP. It wont happen again. Thank you
Been there, done that, and I'm sure I'll do it again.
Hi. I am stuck on Attacking Common Applications - Skills Assessment I. I have the first three answers but am stuck on the fourth. I looked in the default locations for the /manager and /host-manager pages and even searched for custom ones using Gobuster but so far no luck.
Thanks crean. Part of the magic was taking a break in order to think through the problem more clearly. Select definitely made it easier, once I found the overall db I was looking for. Since completely unfamiliar with SQL Server, it was the part that took the most time in all of it - which was frustrating. But at the end, when I applied a default filter, I was able to modify it for the record I was looking for. Then voila. Done. 🙂 Thanks!
I was able to use GhostCat to read /WEB-INF/web.xml but did not see anything interesting....
Htb should make a module about social engineering haha
The system is as weak as its people
I DM'd you about Attacking Tomcat. I completed that a few weeks ago
I agree, but itd be more difficult and time consuming to implement a skills assessment section.
hi everybody
if I use this command: ssh -i id_rsa <name>@<IP> then I should not be prompted for a password?
or is it possible that a password will still be required?
password can still be required if server policy dictates so
itll also often failover to asking for password if something went wrong with the id_rsa
Thank you. because i asked myself if something is wrong with the key or if server policy dictates a key and a password...
could be both so...
usually if something is wrong with the key itll give you an error to clue off of
otherwise at the end of the failed prompt itll list what it takes. if pubkey is accepted itd be something like (pubkey, password)
or if it is only pubkey no passwords allowed then just (pubkey) and vice versa
mh..now i got access. deleted the key and created a new file with the key.
but at the moment i do not know what was wrong in the first place...
thanks for your help madf0x
probably copied the key wrong or encoding issues
np
happened to me on the Footprinting module lab.
aye thatd be the one, had a feeling lol
That’s a fun one… keep it up 💪🏼
definitely the most fun module Ive done in the path so far
👍
Hi. I am stuck on Attacking Common Applications - Skills Assessment I. I have the first three answers but am stuck on the fourth. I looked in the default locations for the /manager and /host-manager pages and even searched for custom ones using Gobuster but so far no luck.
Hi how to have the student discount?
hi guys and girls! i need some help with Introduction to Assembly assessment (just task 1). If somebody is available, thanks in advance.
Hi guys! Stuck at Attacking Common Services - Medium i'm having difficulties discovering the username
use an email address at an accepted educational institution in your HTB Academy account
have you tried doing|| an all ports nmap scan?||
hey. im doin the information gathering - web edition module and im at the active subdomain enumeration. could someone help me a bit? i'd have a few questions
let me guess its the last one about triage
well first of all i can't reach the inlanefreight.htb. do i need to add it to the hosts file as in the prev part of the module?
oh nvm Im thinking of a diff one in that module
and yes gotta add it to /etc/hosts
when doing these modules or active boxes, get in the habit of just adding stuff to /etc/hosts
thx. i think i can start from that
ummmmm. what if i can't reach it even after adding it to the hosts file? lol
then you added it wrong lol
copy pasted it so i don't think
remember etc hosts doesnt support wildcards, so you have to add it for each and every subdomain as well
ooooooooooo.......??????????????im noob. talk to me simply 😄
like im not sure what you mean
if you want to access www.inlanefreight.htb then just having a record for inlanefreight.htb isnt enough
but like why? in the prev part of the module when i just added the dev.inlanefreight.com with the target IP i just work without trouble
i mean ye that's a subdomain but like how would i know what do i need to add? like this part supposed to be about subdomain enumeration. the whole story is about finding out the subdomains. or like am i just retarded as usual??
sry if i am 😄 most of the time i just miss completely obvious things... -.-
not a fan of the word retarded personally.
and nah, you basically want to add the inlanefreight.htb domain to your etc, and then use THAT as the nameserver for your sub domain enum tool.
itll still give you the subdomains, then you can individually add them to your /etc/hosts to access them
Hi jared! Actually yes, but for some reason the highest port open is 995
used nmap -sC -sV -Pn -p- BoxIP
this is medium lab right? Attacking common services?
try respawning. there should be ||another hidden port||
Thx for the help! Awesome work you and @vital adder are doing here HTB should employ you guys
Any one do password attacks module stuck on the section "Passwd, Shadow & Opasswd" question - "Examine the target using the credentials from the user Will and find out the password of the root. Then, submit the password as the answer." that shadow file is locked down seemingly cant get any access unless im root am I supposed to priv escalate?
think jared is employed by htb lol
i used the skills I learned in Academy to hack mrb3n .
turns out extortion can be highly effective for getting what you want.
thats epic
This Discord channel is actually fueled by MrTom's literal blood, sweat, and tears
anyone who has finished Broken Auth module?
nope
Hey guys helppp
I'm trying to make the parrot persistent and I have problems I don't know what to do, and here it won't let me send images
thank you
any other who has finished Broken Auth module, to ask some?
you randomly showed up in my facebook suggested friends lol
didnt know if it was a catfish account or really you
it had ur htb account pic tho
pretty sure my facebook profile is private so not sure how that would happen
oic thats strange
must've been someone using ur pic
send me a request see what happens
the last name started with an L
yes thats me
oh cool 🙂
i'll add you if u want 😄
idk if ur still on my suggested friends though
I was just swiping through and recognized the picture
looking over my privacy settings right now lol
lol
I thought it was strange because we have 0 mutual friends
maybe we were destined to meet 😮
or maybe the FB algorithm is working its magic lol
your last name sounds french
je suis francais 😄
its french canadian
ah
no hablo ingles dawg
np
bump no one done password attacks module? section Passwd, Shadow & Opasswd
i might be able to help
ok ill DM you
Someone available to help me understand commands used to pawn support (easy). I did find a walkthrough but my goal is not to just mark machine as done but learn what actually some of those commands are doing. Any help is greatly appreciated. Thanks
is that a main hack the box box? Try going to the htb community-help chat. This room for discussing htb academy content
ok thanks, I'll go there
ya that or community content
Hi guys! Any help on Attacking Common Services - Hard? Already have the j user(the one who's inside the linked server) creds but not quite sure where to use them
DM me 😉
For Attacking Common Services - DNS is there a particular wordlist for the dns enumeration? I've tried everything in SecLists.
@tight mesa DM me for Broken Authentication
hi everyone
i was wondering if I get the silver annual subscription, after a year if my subscription runs out, will I lose access to all the modules?
once you complete a module you will always be able to revisit it
if your license expires in the middle of a module you will have to re purchase it
the file transfer windows module keeps having the target crash during the rdp session and having to reset it :/ doesnt last long enough to do anything at all
doesnt matter if I try avoiding rdp and try looking a diff way, it just crashes not too long after starting the machine
if you have bought a module and you haven’t finished it do you lose access? 🤔
No if you buy a module you always have it. But if you unlock a module as part of a license, when your license expires and you are in the middle of the module, you will have to purchase it
hope that makes sense
Yup thanks I was confused
oic ok thanks. These new certs are nifty 😄
Its such an insane opportunity. The lab environment for CPTS especially... not sure if you have completed Attacking Enterprise Networks but it should be similar to that but more complex
We get into hacking and want to be ethical, here is an opportunity to hack an actual network
I actually just bought the module yesterday 🙂
just finished reading through it a couple minutes ago
you could literally pass it off as a real pentest in an interview
yeah its incredible
htb academy is the best learning platform out there imo
I just wish the certs were more popular with HR departments but I think that will come with time
I also like the fact that there is feedback for the exams
I just failed my OSEP exam. really wish I could get some feedback lol
oof that stinks
@west canopy tried the support chat but I think the windows file transfer skill assessment for the file transfer module is broken. The box crashes shortly after RDPing into it, doesnt stay long enough to run anything and have to reset the box to even ping again. Makes the question pretty uncompletable.
give me a minute and I will test it on my end. Are you using PwnBox or VM?
which section? Windows File Transfer methods?
a friend of mine who works in logistics wants to start a pentesting LLC with me... by coincidence the theme behind the pentesting cert is for a freight company. I honestly feel like HTB is catering to my every need with academy lol
yeah
just found out my motherboard is damaged so see y'all in a week or two
and last day of helping so yay
The cert is quite impressive
i think you've earned some time off
shoot me a dm if you still need help with that
edit: didn't see you got help sorry for the ping
Yeah man you have earned some free days
@thorn urchin just connected with RDP through the PwnBox, will let you know if it crashes
seems fine at the moment
seems functioning good now as well
oh that part is kinda dumb try this and if you still need help with that shoot me a dm
rough, ironically thats an area Im pretty decent at 😛 my day job is fixing mobos
I just did a file transfer... only took me three tries
user error T__T
Yeah had no issue transferring files, I had an issue with the machine staying alive long enough to do so
Started working again though
sweet
that section is kinda weird, me and some other people have issues with that section. i was able to find the right subdomain with gobuster but some people have more luck with other tools and one guy found 2 pornhub subdomains. i use the subdomains-top1million-110000.txt wordlist but you should be able to find 6 subdomains including 2 ns subdomains and 2 subdomains starting with an ||h||, one of them has the flag
I'm working the same module, and went the gobuster route from the start, with subdomains-top1million-110000.txt, but I had no luck with it.
yeah you should try the "names.txt" or something with the recommended subbrute tool
for sending images you need to use ++verify at #bot-commands and for the parrot persistent try this https://www.youtube.com/watch?v=--5XxkZDXu8
XSS Module: Session Hijacking section: How do you know that the "fullname" input field is called "/fullname" in the back end? It could be called anything...
if you are testing to see which field is vulnerable just put a different thing in each field to see which call back
https://academy.hackthebox.com/module/23/section/1491
Need some hint of where to go here. i know i have to use more than one filter but i am not doing something right or not seeing something simple.
Any help would be appreciated related to login brute force module
Service authentication
I can't seem to figure out the wordlist with cupp i tried different variations but no luck
hint you can use the method shown in the ||second images|| named ||lfi_blacklist_passwd||
hint you can use the cupp setting from the previous cupp section
let me check that
guys i am stil stuck with openvas skill assessment, i am unable to open the web interface of the server provided... to respond the FTP question and the HTTP.. any hint or advise on how to complete this module? thanks
so first what do you mean by "unable to open the web interface" so you can't access the web on port 8080 or the given cred doesn't work or something? and also a hint for both FTP and HTTP question you can find both answer in a ||Reports ||
++verify
Please see your DMs for instructions on how to verify your HTB account.
thanks i have completed, silly me i thought openvas on the server host was running on the same default port (as per nessus assessment) i have found the answer i need thanks.
hey, I have added myself to local admins, but I am getting Access denied when trying to enter Administrator folder. Is that a bug of pwnbox or am I skipping something?
that sound like a section in the Windows Privilege Escalation module and if you mean that then yes i think that is a bug but not on the pwnbox
it is not windows privesc module, but we have discussed with you on this theme, and I am wondering if anyone found the solution for this instead of reverse shell
i have no clue what we have discussed on this, the last thing i can see i help you with in dm in the Attacking Common Applications module (i think) and what module is this? this bug sound familiar
Attacking Enterprise Networks module, Lateral Movement Section
i haven't done that module but you are the second guy have issue with that section
yeah, not good for me though)
I'm currently doing the easy lab for bypassing firewall and IDS/IPS on the nmap enumeration module, whenever I attempt to spoof my source IP I get the error "failed to determine route to target". I've searched in this channel and so far the only information I've received is that -S doesn't work with HTB at the moment. And considering the hint, this module isn't completable the way that was intended.
Spoofing ip is not needed for that challenge at all whatsoever
then i guess im just dumb
your task is to scan the target quietly and using a spoof ip doesn't help that much
Ill make the bold argument that spoofing IP isnt all that relevant in the modern world either.
I'm doing the Attacking Common Applications: Gitlab and found the version number to be /spoiler ||13.10|| but that's not accepted... Confused on where else to locate the version number HTB is looking for.
you need 2 || on each side for the spoiler tag and hint that's right but you are missing some number ||at the end||
I hate how I spent hours on the nmap easy lab and finished the medium lab in 5 minutes
Back to htb academy
Im addicted to it
Not even doing boxes anymore
I wanna see those balls with fluid filled
Im still busy with the assessment
shoot me a dm if you still need help
Active directory and ransomware goes hand in hand
I really underestimated it
i am stuck on this
- 1 Submit the contents of the flag.txt file located in the /usr/share/flags directory.
File inclusion
Just Curious
So Im doing SQLi
learned about LOAD_FILE() which can read files
I was wondering if there is a function which can list out a file within a directory?
like ls /var/log/ but with SQLi
Hello comrades
@everyone hello
I hate to keep asking questions, but I'm just wanting to know whether this is an error I need to fight through, or if it's a HTB problem. I'm doing the Attacking Common Applications module, and when running the Gitlab User Enumeration Script, it keeps saying The target is unreachable. Please make sure that you entered target's URL correctly and you have connection with it!
doesn't matter if I run it from the PwnBox or from local VM
same response
yet I can navigate to the host just fine in the browser, and can manually curl it
command I'm running ./gitlab-userenum.sh --url http://gitlab.inlanefreight.local:8081/ --userlist /usr/share/commix/src/txt/usernames.txt
i'm trying to work on the password attacks module and every time i put in this code "crackmapexec winrm 10.129.202.136 -u user.list -p password.list" my powershell shuts down. does anyone know why? do i have to update powershell
I'm stuck on question 2 of the Predictable Reset Token module. Can someone help me please ?
I've decoded the password reset token for the htbuser, but I'm not sure how this will help me login as the htbadmin user?
generally for these approaches if you can find the common pattern for the tokens you could change the token, re-encode the token and have the application accept it. Or in the case of password reset, you may be able to predict the final token.
i.e if youve decoded the token, you want to look at what elements you can predict for a hypothetical different user
stuff like the username is obviously easy, time stuff is pretty common and often easily predictable as well(its time after all!), you may have some slightly harder elements like a hash of predefined values(in which youd need to figure out what those would be, could be other values in the decoded token) or even like an incremental ID.
(note, I havnt actually done this module yet, so idk specifically what it wants, Im just speaking from general knowledge)
@plain karma , try changing the value of htbuser for the adm user and just change your password using the new token
Hi, I'm working on Footprinting Hard Lab and I'm trying this command: "sudo ssh -i private.key tom@10.129.53.210" with the key found in the imap server. But I got this error: 'Load key "private.key": error in libcrypto
tom@10.129.53.210: Permission denied (publickey).'
likely a copy paste problem, very common for people doing this module
try opening it in sublime, copying in there and then save it
You mean the private key?
yes
I have something like this : -----BEGIN OPENSSH PRIVATE KEY-----
...
-----END OPENSSH PRIVATE KEY-----
I found the same key on both imap and pop3 so i think its right
you have to give the right permission for ||id_rsa||. Hint: ||chmod||. The ssh key is found ||in inbox of imap server||. You have to ||fetch ||it.
I have tried with both chmod 400 and chmod 600
dm me
Really, completing a Skills Assessment (Web Attacks) was never so easy. 30min only https://academy.hackthebox.com/achievement/433014/134
Bruh that skills assessment was rough haha 😅
Hi, actually i am studying the "NETWORK ENUMERATION WITH NMAP" Module, but i cant continue. I am trying to solve the "Firewall and IDS/IPS Evasion - Hard Lab" with no success. If someone has done this lab, i will be really happy to receive some tips.
which part if it are you stuck on
I found the services but i dont know how to obtain the versions.
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
50000/tcp open ibm-db2
And the hint is "Our client also mentioned that they were forced to add a service that plays a vital role for their customer because they require large amounts of data." I deduce that i need to find the version from the ibm-db2.
correct
sometimes you have to be more patient
and sometimes nmap just doesnt do the job and its easier to grab the banner yourself
if you finish a 500 cube module, do you get 500 + 100 back, or just 100
just 100
gr8 ty
hello, anyone who has completed the Broken Auth module?, to ask some..!!!
sure what's the issue?
DM
kk
you only make it look easy 😉
doing password attacks module section "Protected Archives" on the question " Use the cracked password of the user Kira, log in to the host, and read the Notes.zip file containing the flag. Then, submit the flag as the answer." Getting a strange error using john wondering if anyone else had this happen to them. I extract the hash from the protected zip file using zip2john. Then run john using rockyou wordlist on the extracted hash and john doesnt spend anytime cracking and just says session complete with zero time spent.
john --wordlist=/usr/share/wordlists/rockyou.txt zip_hash
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:00 DONE (2022-10-11 20:56) 0g/s 19383Kp/s 19383Kc/s 19383KC/s "2parrow"..*7¡Vamos!
Session completed.
try cracking it with the mut_password.list instead of rockyou
ok will try that but john went through the whole rockyou wordlist in 0 seconds? I mean my computer is epic but not that epic
should be yes zip_hash file contains the output from zip2john.
||Notes.zip/notes.txt:$pkzip$1220261ad0ced23b0430267ef8b154046595e5f738ad20bd1cda08958a8814bd6c6153218183c0496d728da36461c0c7b77e1c*$/pkzip$:notes.txt:Notes.zip::Notes.zip||
Yes mut list worked and also took 0 seconds holy crap!! seriously john is able to parse the whole list and determine the password or not is in list in less than a second!!!
thats crazy man!
must be a really easy algorithm to hash
john --wordlist=/home/kali/Downloads/Password-Attacks/mut_password.list zip_hash
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
<redacted> (Notes.zip/notes.txt)
1g 0:00:00:00 DONE (2022-10-11 21:29) 100.0g/s 819200p/s 819200c/s 819200C/s 123456..andrea05!
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
guess so thats what was throwing me off though didnt think it should complete that quickly
Yes i forgot exactly how big that rockyou.txt wordlist is but its mind boggling that computers can run through it so quickly
like no matter what type of math its doing, it's impressive
the updated rockyou has over 14 million entries but ya guess that ziphash is very easy to crack
I know so john on my pc went through and compared all of them against that ziphash and didnt even take 1 second!
yes whats your question?
I've just started but ik alot of people struggled with it so Ill probably have questions throughout the night lol
right especially since the main htb platform recommends that module for newbies. It is kind of advanced for someone who is totally new to pen testing.
hi
Module Name: BROKEN AUTHENTICATION
Brute Forcing Cookies : Questions 2
After using dcode/CyberChef/xxd -r -p/ and the ASCII of Questions 1 to base64, the correct decoding is still not found
Hi, I am stuck in skill assessment of server-side attacks. Can someone help me?
Hello. I’m stuck on the skills assessment with sqlmap essentials. I’ve got to the point where I can dump the final flag table, but I only get an id 3 and a blank content for the single row in the table. I’m missing something and would appreciate a hint or nudge in the right direction.
very happy to be a part of hack the box
Welcome!
I wonder if there is going to be a binary exploitation cert and job path in academy 🙂
I think im going to take a break from OSEP and do the bug bounty and pentester job paths 😄
Dm
Can someone try to login with nomachine to host in Shells&Payloads module? Just trying htb-student and HTB_@cademy_stdnt! creds, but it shows invalid creds(
PEOPLE
Can someone help me with the Footprinting Lab - Easy? I only need this to finish the module.
Yes of course
Can I dm you?
yeah
Surely this would be an easy thing to fix in the labs, rather than every user having to do 🤔
i'm on password attacks - network services and i found the username and password for ssh but when i log in with this command "ssh user@10.129.42.197" I don't see any flag. can someone help point me in the right direction
I get a different error with real-time threat protection disabled
try find / -name 'flag.txt' 2>/dev/null
do it from powershell
same error as above
did you try elevated ps?
it should be on ||Dennis ||desktop
oh yeh cheers!
I love the cheatsheets that HTB provides but is there a better way to view them once downloaded?
i uploaded mine to private git repo
you can also get a plugin for vscode/codium to render markdown
ohh so i just need to render the .md for it to look better than viewing it in firefox
does it work with Notion?
hey guys, I'm in linux fundamentals and on this question "Which option needs to be set to execute a command as a different user using the "su" command? (long version of the option)" I answered: sudo, but it tells me it is wrong. Is it a bug?
not too sure about notion, probably though
hello, anyone who can share a hint regarding this exercise (question): Find the valid username for the web application based at subdirectory /question2/. Under Bruteforcing Usernames | Broken Auth..!!! thanks in advance
su, do
wrong i think my question is bug
you tried to enter -c or c?
yes
Attacking Domain Trusts - Child -> Parent Trusts - from Linux
Perhaps this has already been fixed.
Does not allow to get the NTLM hash under adunn(((
Most likely there should be another way.
I went through all the previously found accounts and passwords.
It is logical that the login and password would work there - **htb-student_admin**
But I haven't earned anything yet.
Error different.
ah ok must be
what do i do i pass the question?
anyone who has completed Broken Authentication module?, to ask some
Hello! Sorry for the late reply. I've managed to do it. The trick was to add the listener port to the encoded url
@plain karma Hello. Where did you find your avatar ?
anyone help SSRF attacks module?
you should get the flag in when you login
this one was straight forward if I am not wrong
i had to use the type command but yes i found it, thank you. i'm actually now trying to find the flag for winrm and i'm having trouble locating it if you don't mind helping me with that really quick
were you able to crack the winrm user and password?
i was, yes
I'm on the XSS module, Session Hijacking. I'm trying to start my listener but I keep getting the error shown below:
[*date*] Failed to listen on 0.0.0.0:80 (reason: Address already in use)
Any assistance on this?
sounds like you already have something running on that port
if you're running as root (as you probably need to since it's a port under 1000) then that message is indeed because you already have something running.
you can try to do netstat -anpe | grep "80" | grep "LISTEN"
should show you what it is
yes port 80 is tied up on the new pwnbox
oh, good to know 😄
hello guys why when i try to login with ssh nothing appears
hey fellas has anyone done the module/85/section/877 Question to earn the cubes ? (Debugging with GDB) my solution is 0x00c03148 but it says its wrong
not getting the user details when trying to get other users with the help of intruder
you can set other ports like 8883 - 5555
guys for this
what creds can i use to get TGS
im afraid I have to tell you that it is wrong.
[Password Attacks Module]
- Credential hunting in linux
Examine the target and find out the password of the user Will. Then, submit the password as the answer
Any nudges
dm me @cosmic dock
Yeah, so this isn't working...
I finished the xss module im so happy
never tried xss, found it to be really challenging
im here and keep getting "logon attempt failed", have got the user+pass and IP of the next target but just not taking it 🤔
and my instance is going to expire again 😩
n/m got it
!very helpful
feel free to dm to discuss it
why, when I enter the password for ssh, does it always tell me it is wrong?
you will need to be more specific with your question. What module, what section, which question? There is a lot of material and a ton of ssh instances.
in linux fundamental navigation sections
i write the good password maybe he says me no
SSH to with user "htb-student" and password "HTB_@cademy_stdnt!"
HTB_@cademy_stdnt!
can anyone help with password attack easy lab pls
maybe : and password " HTB-cademy-stdnt "
no
@hearty stratus dm me
cause Ive had bash complain about that pass
maybe the translator
thx i think is the translator delete the missing letter
Hey, anyone can help on the shells and payloads module?
File Uploads Attacks-> skills assessment. Can anyone help? i haven't even upload directory. I know which extensions works, but every response is base64 encode
Hey I'm in linux fundamentals, am I being stupid or is there no file named history in my directory?
-l only lists normal files. you are looking for a "hidden" file
man ls or ls -h might help you along
yw
Yep got it now ty!
although I'm not sure if there's a specific command I just used one that listed everything
thats all.
if a guy who has never picked up a computer decides to be a hacker what does he have to do
jamjamrwr
pick up a computer
Step 1: Learn how to use a computer
Step 2: Learn Information Security and IT Fundamentals
Step 3: Get an introductory pentest cert
Hi I am working on the Hashcat module - Identifying Hashes page. I have used hashid on the provided hash and entered the answer given by hashid but the HTB page won't accept my answer
argh nevermind... hashid provides a capitalized first letter on the name of the hash. The page wants the non-capitalized version
How many files exist on the system that have the ".log" file extension? can someone help me cause the commands I'm entering aren't giving me the number for how many .log files exist
I'm doing the knowledge check for getting started, I managed to find the /data/ directory and browsing there was able to find the admin credentials, but they aren't working at the /admin/ login page
are you doing the active directory enum and attacks module?
yea so i am to the part where you run responder on python and i am reading it so i edit the conf right and its not working
i am using the pwnbox too
ehh I don't recall having to edit the config for responder
I used the host you ssh into
it is domain joined.. im not sure if the pwnbox can see the traffic
responder should be installed on the host you ssh into
you can ssh into it from pwnbox
yea i had to install responder onto the pwnbox
in the instructions for the exercise, there should be information on ssh'ing into a domain joined host that has responder installed.
im pretty sure.... its been a couple months since I went through the module
the creds are like htb-student:something
I think
ifconfig command in linux will give you network interface info
is the active directory the biggest module ?
ok so bad news the first nmap did not work right
Attacking Enterprise Networks is pretty big, also windows Priv Esc and Port Forwarding is joocey too
and listening was not working right
got ya i haven't done them but i saw active directory estimated time to complete 7 days.
its pretty T H I C C
yeah lol i got the last skill assessment to go and will be done with it.
The entire path is pretty heavy
we only produce ripe, virile pentesters here at hack the box academy
cant wait for something red team path or malware development path . hopefully its in the roadmap
Hell yeah
thats why im taking this course
me too
penetration tester path is basically red team path. malware development would be interesting. Though that's basically software development, there are good books and video tutorials you can find. But you need to study some programming languages.
https://niiconsulting.com/checkmate/author/chetan_nayak/ this guy's got a lot of good articles as an intro to malware development
I’m doing CRTO alongside Academy modules to smooth out some of my rough knowledge areas. No reason to wait on Red Team path, start learning today!
I'm currently working on the "Broken Authentication" module and struggling on the "Predictable Reset Token" questions. I've got a script that feels really close to correct but must be missing something. Does anyone have any advice for this section?
can someone please help with password attacks hard lab.. I have the vhd but struggling now
@tough crystal just search in this channel for it and maybe you'll get some answers
guys, how can I learn ethical hacking?
Probably this article will help you
https://itsfoss.com/mount-encrypted-windows-partition-linux/
or better, how can I learn hacking and how to hack and things like this?
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
thank you!
Feels like a stupid question and embarrassing to ask:
Anyone done the 1st question of FOOTPRINTING/DNS? what's the expected answer? I've tried multiple answers. They're all wrong.
I’ve dug and enumerated manually and automated all subdomains just not sure what answer they are expecting 🤷♂️
@lucid wyvern what is the problem
Interact with the target DNS using its IP address and enumerate the FQDN of it for the "inlanefreight.htb" domain. this one?
That’s the one
Can’t really work out what it wants as an answer.
I would guess they just want the FQDN of the IP
@lucid wyvern dig ns inlanefreight.htb @rustic sage address
poor ip 😄
or better, how can I learn hacking and how to hack and things like this?
please help me guys
Can someone help me with ATTACKING ENTERPRISE NETWORKS - Lateral Movement - Last Question (Obtain the NTLMv2)
I have access on RDP and added the user to the administrator group but I don't know how to obtain the NTLMv2 with pwn.bat script
@rustic sage please see that blog post, it should give you all the keys
yeah okay I get in this blog, I found 4 concepts but idk how it would help me...?
I can only suggest 2 things: doing CTFs (such as picoCTF for beginners) and doing Starting Point. SP will teach you a lot about the methodology needed, and also some nice basics
once picoCTF is too easy for you, try out our challenges or any other CTF out there, there's nearly a CTF every week, maybe more than one
I tried login in to Beef but it keeps reloading the login page? Can anyone help with it?
Dm me
Dm me
trying to submit a flag on the active directory module and when i click submit, the button is greyed out but i get no confirmation of correct/incorrect flag

