#modules

is this a meme?

In fairness hijacking discord accounts has been a profitable venture in recent years. Tho in most instances here you've got random creepers stalking people

If you look at some big nft scams you'll see people get access to creators discord for launch day. Post non genuine nft. Run away with crypto.

I mean nft scams in the meta sense. Nft is a scam in and of itself. Scamming people already being scammed. 🤷‍♂️

Does anyone else get transport failure with xfreerdp? I'm using proxychains so i'm not sure if that might be the issue.

"certificate verification failure",

that would be ssh using the key from d.
Done: thanks for the hint 🙂

Find additional information about the specific share we found previously and submit the customized version of that specific share as the answer. any help for that, I have tried multiple ways like: /home/sambauser/sambashare and other ones, but nothing worked out

https://tenor.com/view/waking-up-monkey-just-woke-up-get-up-gif-16655750

waking up realizing you have CS code to write and another module to finish

anyone do the live engagement of shells and payloads recently ? i am unable to get the shell on host 1 there is some shitty error

*] Started reverse TCP handler on 10.129.204.126:4444 [*] Retrieving session ID and CSRF token... [*] Uploading and deploying YbaqAfJDIGA1I6CJ0zdEykhnGwrrIH... [*] Executing YbaqAfJDIGA1I6CJ0zdEykhnGwrrIH... [-] Exploit aborted due to failure: unknown: Failed to execute the payload [*] Exploit completed, but no session was created.

https://academy.hackthebox.com/module/77/section/859 I'm missing something on this to move laterally from metasploit grabbing the web vuln but idk what it is

In th minishop from sqlmap essentials skill assessment, I keep getting hints about using * character. I don't understand it. Can anyone explain???

The '*' character is a wildcard for you to grab anything matching after a point so for instance . Finds all files

Yes got it..Thanks

Anyone here working on or already done the DNS module?

Has anyone finished the footprinting Module, DNS section?

So I have broken something in linux and don't know how, trying to run ftp [ip] and it says that it cant find ftp, anyone know what I broke and how I can fix it

Ignore previous question, just gonna reinstall parrot again and just run all the commands I need to to get everything again

what advice do you give to anyone who wants to become a hacker and has never used a computer

Have you found a solution yet?

first let themuse a computer then let them decide again

I finally found it, I just had to re read the source code. I guess my eyes were scanning over what I was looking for. I need to load up an IDE on my kali box so I can read code rather than just cating it out lol

Also huge shoutout to chatgpt helping me understand php code

I DID IT MY FRIEND!!!

Thank youuuu!!!! 🥰❤️

https://academy.hackthebox.com/module/136/section/1289
can anyone please help me?
i found some methods which can upload the file but i cant find the path to execute the file
shell.phps/.jpg shell.php/x00.jpg

these two gave me 403 error like i have no access
file upload > whitelist filters
heres the url im using
http://178.62.88.144:32124/profile_images/shell.phps/.jpg?cmd=id

why are you adding a /.jpg?

that breaks it entirely as your saying a new subdirectory

also I found it handy to first run intruder to upload my shell, then run another separate intruder to see which one actually executes the code

i tried url encoding still didnt work

How are you fuzzing it?

w/o the encoding

have you tried playing with shell.jpg.php and flipping it with shell.php.jpg

Hello! I am new to HTB, I downloaded Virtualbox yesterday together with Ubuntu 22.04 and Kali (Virtual Machine Image).

The kali downloads as a zip, but should I import it to Virtualbox instead of creating a new vm?

can you elaborate?

?

Sorry, I didn't understand

You mean you want me to make my question easier to you to understand?

yeah

its saying extension not allowed

Sure!

So yesterday I downloaded Oracle Virtualbox, I also downloaded a Image of Kali named "Virtual Machines" and Ubuntu 22.04.

I am really new and I dont know how to add my kali (which is a zip) to my Virtualbox.
I am not sure if I need to import my Kali zip to Virtualbox. Could you guys help me please?

ig you can double click or directly import that zip file

https://www.youtube.com/results?search_query=setup+kali+linux+virtualbox

theres like a billion videos lol

I was seeing NetworkChuck video but I think it's not up to date

should be as simple as downloading the viirtual box vm from kali site

open virtual box

unzip the dl

drop the vm into virtual box

can you please help me @pastel ginkgo

I can't think of a good hint atm I kinda breezed through whitelisting

I got stuck for hours on blacklisting lol

lol

i solved that

now am stuck on whitelisting idfk whats gonna happen in skill assesment

cough it comes back up cough

just finished it this morning

am frustrated atp

tried everysingle method

now im stuck on cmd injections. Once again on blacklist filters

except I found a way around the blacklist with fuzzing but none of the answers are the answer to their question lol

i can help you if you want

hint: payloadsallthethings wordlist

whoops I see theres a blacklist page, im stuck on the Identifying filters one

I know the following work but htb says no

Thought of one, are you fuzzing from .<fuzz>.jpg or <fuzz>.jpg

because the first is an error I made

am using the generated wordlist

yeah that wont help you, use this wordlist https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Upload Insecure Files/Extension PHP/extensions.lst

idk how you got past the blacklist with that generated one

nah

you need that one for the blacklist

rip I never used it, that wordlist IS REALLY GOOD cough cough

Also if your not familiar with php code like myself chatgpt is bae

lol

im not used to chatgpt yet

"can you explain this code" <paste code>

ohh

sounds interesting

ty

I had no idea how some functions worked and the php site was kinda confusing so I just asked it what x function would match

thats cool

now

i need to fix this whitelist asap

been stuck for more than 2 hours

use the wordlist I sent you and you should breeze through until the assessment

how am i supposed to use backslash in the url

uploads/<whatever your fuzzing> like any other site

i tried

but

my browser automatically converts a \ into a / which ultimately turns into a sub dir imo

send a pic of what your trying and mark it as a spolier

use burp intruder

i did

once burp finds it id just send it to repeater to ls out the flag.

like here

this \ automatically turns into a / after entering

yeah use burp like he said, not your browser

burp will send exactly what you tell it to send

i didnt understand

can you kindly elaborate more

if you send you payload with burp such as via the repeater, it wont convert the backslash into a forward slash

got it

i tired its not working ugghh

can you please check is this the correct path url?

http://68.183.47.198:31864/profile_images/sx.phpx\00.png

i tried with diff extensions

yeah trying with different extensions is the entire point of the section/module.

only 6 extensions are able to upload the file and none of em seem working while executing the uploaded shell

what I did was use ffuf to fuzz the entire range of possible extensions that they recommend from building the custom list(which I extended). Uploaded them all that way, then used the same fuzz list except formatted for executing the respective shells.

you actually get like a solid half dozen of em that will pass filters

i made the custom list

use the wordlist I sent to fuzz upload them, then use again with a get request and see content length

i did

what is your payload?

get req one? or fuzzing one

fuzzing

you just want output atm, worry about cmds later

remember KISS, Keep it simple stupid

its for the payloadsallthethings paylod

Try using || <?php system('id'); ?> ||

that way it will actually print something on the screen and you know if you got a working cmd

these 3 are working

with my payload in the response do you see uid?

nah

then its not executing

HTTP/1.1 200 OK
Date: Sun, 18 Dec 2022 16:33:17 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 26
Connection: close
Content-Type: text/html; charset=UTF-8

File successfully uploaded

heres the response

do a get request now

yeah he meant after uploading and you checking the uploaded files do you see a response

nah it throws either 403 or 404

which one is the correct pathway?

http://68.183.47.198:31864/profile_images/....

the one listed in the module

or

http://68.183.47.198:31864/upload.php/....

use the one listed in the module

http://SERVER_IP:PORT/profile_images/shell.php.jpg?cmd=id

okay i got a diff response now

lemme try more

brb

can you please give me a hint?

ive got nothing that hasnt been reiterated already

Hey uhm

How do I connect my htb openvpn with my kali VPN?

I see some cmd commands

But they throw err

I have that one already

How come on file upload attacks {ls,..${PATH:0:1}} works but if you do something like {ls,${PATH:0:5}} it wont work, but will work in my normal shell 🤔

nvm I figured out with a little playing

it works its just that the path is different for the remote host

even if your user is www-data that user should still be able to access /usr/ that is kinda weird (i test it on wsl but ${PATH:0:5} should be /home not /usr/)

now why cant I chain it like a true masochist ${PATH:0:1}${PATH:1:1}${PATH:2:1}${PATH:3:1}${PATH:4:1}

nvm that worked too

maybe I was doing something wrong earlier

Yeah I already got the flag I just wanted to play with it more

it gets the usr directory for whatever reason

oh i got the same thing on wsl

but a the pwnbox give me /home

When I echo the path on the remote host Im command injecting I get

which explains why

I thought it be fun to whip up a python script that would let you write commands in just env variable chars

but it would only work for your local host lol

Someone pls?

the instructions are right next to where you download the vpn

Yeah ik

But they dont work

check out the comunity help and #faq

of you don't have hackthebox academy account make one and do the Getting Started module
https://academy.hackthebox.com/module/details/77

the Connecting Using VPN section should have everything you need to know to use open vpn

i am yet stuck on live engagement host 1

the reverse shell just doesnt work

any help?

How do I find out what she’ll is specified for the htb-student user? And the path to htb-students mail? I got the rest of the questions stuck on these 2 any tips?

*shell

which module

Linux fundamentals section system info

It drops error "Error opening configuration file: user.ovpn"

the user.ovpn is just a placeholder for your vpn file

In live engagement host 3 i have got reverse shell using antak but i am just stuck there do we have to perform some sort of priv esc to get admin

replace 'user' with the ovpn file you downloaded

And what if my file is on downloads

Do I have to move its location?

Hack the box should write blogs

nope you just need to put in 'user'.ovpn you can specify absolute path if you want

About currently active topics

About hacking

Still says the same error

they do…

Wrong room:p

after the lab get updated the new intended way to do it is the one you are doing and a hint for your next step is you can use something like exploit suggester to priv esc but the old method is still usable and the last time i check the hint didn't get updated and with the old exploit you should be able to get nt system

Damn didnt know that

It's the same err with my file

can you send a screenshot?

Uhhh

Give me a sec

this is the first the firefox spam you when open on the pwnbox https://www.hackthebox.com/blog

thanks for the info Also about host 1 is there anything weird? i have done everything but the reverse shell doesnt seem to be working

Tnx👍

after the update nothing so far but i try with a shell that give you RCE instead of a rev shell

i never saw or got that error code before and searching that error on htb discord only give me 48 results so no idea but try re-generate your vpn and download that new one

so basically another metasploit payload hmm

uh?

hint nope one of the RCE show in previous section

wait a sec

make sure your vpn file is even there 🤣

it is ._.

i mean my ovpn file is on downloads

and are you running the openvpn command in downloads?

no-

yeah well thats maybe the problem

the thing is... how do I run in downloads

💀

ok but this antak webshell thing is such a pain

i am trying to et winpeas on it but i have no permissions

powershell is shit

earlier i did send you 2 video i think both should have some stuff about linux you need to know how to linux work first before you can even start learn hacking

but you can just use cd into downloads (cd Downloads)

wait i you are using the wrong shell

cd Downloads

yeh, i remembered

Jezus holy crist haha

i am using antak.aspx webshell i can also use a normal aspx shell tho i know it will work

the target website should have some info on what shell you should use or something like that

i use the normal one

for that the normal did you add your ip into the whitelist or something?

here just use this cp /usr/share/webshells/laudanum/aspx/shell.aspx ~/; sed -i 's/192.168.0.1/'$(/opt/vpnbash.sh)'/g' ~/shell.aspx

you talking about host 1 or 3

1

atm i was talking about 3

it said completed, but now my htb doesnt show it is connected

Cd /home/<user>/Downloads; sudo openvpn file

If ur running linux

you need to wait a sec for htb to show that or try refresh the page

it worked the refresh

ty

oh i just double check i also use the same normal shell on that host

didnt know apache also uses aspx shells hmm i should try that

Or why bother cd?

Works fine whitout

wait but tomcat allows only .war uploads

is burpsuite the way

What are you trying to do?

the only note i got on getting a shell in copying the shell but nope i didn't use burp for this

i am trying to get a revrese shell on a tomcat manager

bruh what?

don't hack the website

rip

I am not trying that

I just tried logging on my account

Do you have file upload? Have you tried the metasploit tomcat module?

i have got .war payload using msfvenom and manual ways

Usually beginner tomcat boxes are trying to force you into using the metasploit module lol

uploaded them

run them

yes metasploit gives me exploited but no session created

i just wanted to enter my account

how to I take that ban off?

#1053986848394985492 message

contact support

WHYYY do i have to use this shitty box with rdp its so slow my eyes just hurt tryng to move around the windows

it says it is a temp ban

so it means I can just wait?

rdp shouldn't be slow. use remmina or something.

unless you're using a potato

either its s legit ban and you wait it out, or its a mistake and you contact support.

wait what are you trying to do? rdp into a windows box and get a reverse shell from a linux server? is it a pivoting room or smth?

the update i mentioned is more like a downgrade to an older lab or something because of too much complain about the original nomachine

how do I contact support?

also give me a sec i'll double check host 3

also

if i gtg

do I send my vpn to sleep?

like turn it off?

or i just close my virtualbox

power it off

how

suspending it generally gives you issues on next startp

on top right corner there should be a power button

like a small circle with arroe

clock on that and click power off

Also @quartz surge everytime you power on you will have to setup openvpn dont forget that

i dont see it

I figured it out! Ha!

what i mean is openvpn

how do i turn it off

ohh

just close the terminal running it

kk

ty

cya!

exploit aborted due to unknown failure -_-

tried remmina and rdesktop its pretty much the same

it could be becoz of firefox running on the rdp

i just give it a check and host 3 is supposed to be ||Microsoft IIS|| not tomcat

i know host 3 is not tomcat

i was talking about host 1

nope whatweb show host 1 is the same thing

so basically
Host 1 : Tomcat .war shell with metasploit exploit doesnt seem to work for me
Host 3 : aspx webshell works but i am unable to escalate and go to the directory with the flag

for host 3 hint ||exploit suggester||

and for host 1 no idea where did you found tomcat

hello, good afternoon, does anyone know what the wl command is to do a sql injection attack on a website?

this is so messed up

what module is this for?

so basically i see the etc/hosts file i see status.inlanefreight.local

because this is the modules channel for academy so clearly your question must be about a module right?

??

||172.16.1.11:8080||

This is what host 1 is supposed to be according to the module @vital adder

youre in the wrong place

i think it is but not on that port

and where can you help me with this?

nowhere, get bent

can i dm you a ss

sure

i enrolled for modules got 200 cubes

what will be the best way to start spending the cubes

unless you decide to start doing academy and do some modules, then get unbent and come back to learn and then be more than happy to help

depends in your background

i m in academy section

that was for someone else, dont worry

i m used with nmap and other things

if you need more fundementals, theres a couple of good fundementals modules you can grind out, otherwise Id stick with the CPTS pen tester path and just follow those modules in order.

worst case scenario is itll help you ascertain if you need better fundementals or not, but otherwise its a very well laid out out path, and 200 cubes will get you pretty far through the beginner sections.

most people doing academy are either aiming for the CPTS or the CBBH cert as a goal

i m aiming for cpts

then yeah just enroll in the path and do the modules in order and take notes

ok any good notes making app for mac

obsidian, regardless of OS

obsidian does not work in m2

news to me

everything Ive seen says it still works

anyone wanna help me figure out how to pivot? I'm remoted in and can execute commands as www-data but cannot pivot

trying to figure out from here (already grabbed the user flag) need to pivot to root

what module?

https://academy.hackthebox.com/module/77/section/859

im on mobile and dont want to click links, just say it

Knowledge Check for the getting started course...

GetSimple exploit

ah I didnt take any notes for that one sorry, best of luck

but if youve exhausted normal manual checks for privesc, try out linpeas on it

i'll see if I can pull it i'll have to download it but that may work I was trying linenum but when trying to pull it it said 404 file not found :^)

hint go back to the PrivEsc section

linenum isn't as good as linpeas imo

the last time linenum get updated was like years ago and linpeas also check for PrivEsc vuln like Pwnkit

i tried downloading obsidian mac dmg on kali vm

lol it works fine

only risk with that is it can be so new itll suggest things that are completely unintended paths lol

I'm more trying to get it to pull on my end but It's giving me a 404 file not found when doing the request should i be trying a ||curl -L instead of wget?||

so you can go down a rabbit hoke trying something super complex if youre not like, "well this box made in 2015 isnt going to be intended to ve solved by pwnkit, I ought to look deper"

are you trying to pull from the host straight to the github?

I'm pulling from my machine from the host

then either should be fine, if youre getting 404 youre probably hosting it wrong

sudo python3 -m http.server {port}

should be 80 or 8080 or?

for this you don't need linpeas but if you want to learn how tool like that work by all means do it but you can just do some manual check and get root in no time

it should be the port you give

whatever youre not using, I like 80 because its more realistic for the rare outbound firewall rules

My manual Checks are proving fruitless I'm not sure what I'm missing

what manual checks have you done

sudo -l showing I can run php

welp there ya go

hint: if you can run any programming language interpreter as root, you can always privesc with it

if i unlocka module will it be available even my subscription is over

even though it's showing ||All:All - nopasswd /usr/bin/php|| it still prompts for password

did you specify the full path

yes

show your exact command

www-data@gettingstarted:/var/www/html$ sudo /var/www/html/index.php

yeah thats not gunns work at all

yes i subribed for a monthly 18 dollar basis help

you dont have sudo rights to a random index.php page

you have sudo rights to /usr/bin/php

sudo is very literal in what it allows or not

I feel like I'm missing something crucial that I'm not thinking about

you have sudo rights to specifically the /usr/bin/php executable, no more no less

so you need leverage the executable /usr/bin/php to get to root

GTFOBins is a fantastic resource you may want to take a look at

I think part of what is breaking me is that I'm breaking in using metasploit so maybe some of that pivots that should work just aren't because of that?

no that wouldnt be a factor at all

Nope. If you can use sudo to run php as root then GTFObins has your answer

remember you dont have to get a reverse shell or anything like that

not me timing out so wondering why I couldn't do the thing

any on thats done module Pivoting, Tunneling, and Port Forwarding? Stuck on section
"ICMP Tunneling with SOCKS" been trying with built in ptunnel and ptunnel-ng programs and just cant get them to work. If anyone done this exercise could use some help

THANKS! I found what I was looking for... my session timed out before I was able to root for the flag x-x

Well now you know what to do. Congrats!

I was hyperfocused on one thing I didn't even think! and since I already knew where I was starting just had to change IPs

||Tried Decrypting the "password," using john, found in the admin.xml for fun, it's not useful||

Had to exclude my notes from Windows Defender LOL it kept trying to quarantine and delete them

To save myself headache in future, if i do sudo -l and see /bin/{executable type} I should check gtfobins for something if possible?

Yes

GTFObins won't always have the answer but if you find SUID or Sudo access it's always a good place to start

If not searching 'location' + exploit in google should generally work

but it really is appreciated the guidance because I guess being tired last night made me overlook it and coming back to it and getting to where I needed (slowly gaining mastery of metasploit)

basically leaving a terminal open that has msfconsole running

sometimes even google wont help you and you have to do some manual analysis to see if theres a way to leverage the sudo perms on your own

had to do that with a box I did recently

^

Most recent box I remember doing that with was precious

any one here complete Pivoting, Tunneling, and Port Forwarding module? Need help with the section ICMP Tunneling with SOCKS.

ironically I did that one yesterday but wasnt what I was thinking of lol

Haha

Hiyah, a little stuck on the question "What is the FQDN of the IP address 10.10.34.136" in the Active Subdomain Enumeration section of the Information Gathering - Web Edition module. I thought a reverse lookup with dig -x would work, but no dice. Any nudge towards the right direction?

Disregard, Had to keep doing zone transfers on the list given

Friends can anyone give me a roadmap to become a hacker. I am absolute beginner with no it experience and degree.

Hackthebox Academy. There are modules called Windows Fundamentals, Linux Fundamentals, and Networking fundamentals. Start there

Networking and OSs are enough

need to crawl before you can walk

is anyone else experiencing targets timing out rn?

asking for a roadmap to become a hacker(which is such a nebulous goal) when you have no background is like asking how does one become a professional athlete when they havnt figured out how this whole standing upright without losing balance thing yet.

Yea exactly

Thanks brothers I understand i will try my best

That my friend, is a good metaphor

yep because if you don't know what makes it tick, you can't really understand what makes it break; like why (on linux systems) sudo -l is a good first step when on a machine as a user

anyone here doing PIVOTING or already done it?

Hey I got a question about about the Linux fundamentals user management section can anyone help?

https://dontasktoask.com/

Which option need to be set to create a home directory for a new user

-m

Not to be mean but a simple Google search will find you that answer

You won't get far in any tech related field if you aren't good at google

I’m new man. I actually tried the long version of that - -move- home but it didn’t work overlooked it

All good. Just giving you some advice for the future

For sure, I appreciate it

can anyone help me with the 2nd question on the AD enumeration module, Kerberoasting from Linux? I got the answer but it feels janky.. wondering if there's a better way

The MacOS Fundamental module has a problem - finishing it only gives back 8 cubes instead of 10

from a Linux host, what is the best tool to pull the list of groups a user is a member of? i used enum4linux but feels like there's probably a more concise method

anyone do module Pivoting, Tunneling, and Port Forwarding stuck on section RDP and SOCKS Tunneling with SocksOverRDP getting an error at step one when trying to load the SocksOverRDP-Plugin.dll using regsrv32.exe

nevermind figured it out I loaded the wrong binary used arm64 insteead of just x64

The Enumeration module intro just called me out LOL " Most of the time, however, it's not the tools we haven't tried, but rather the fact that we don't know how to interact with the service and what's relevant.

That's precisely the reason why so many people stay stuck in one spot and don't get ahead"

ok the xsltproc to turn the xml to html for the nmap scan is so neat

Hey everone, on the type filters for the File Upload Attacks module
I have found an extension that works, have uploaded it and adjusted mime type and added GIF8 as magic bytes. This gets the file onto the webserver but I keep getting the image can't be displayed because it contains errors.

Any ideas?

@primal crag it is not the right extension, it have to be another one

guys anyone did finished the attacking authentication mechanisms module? having hard time solving the skill assessment, appreciated much the response

Hey folks, why is it that when I connect to a particular FTP server and run DIR, LIST, etc., it basically comes up empty (nothing returned), but utilising wget --no-passive -m ftp://user:pass@w.x.y.z downloads a bunch of files? What does it do under the hood that allows it to see more than I can?

Has anyone done the Password Attacks Lab - Hard module? I am stuck on the last part and can't see any crackable hashes (can't pth with them either)

Have you run Hydra on all the users?

I'm right at the end after extracting the files from the encrypted drive

You should just need to crack the password over Hydra for the users.

Yes, I'm already well past that

Did you get the Administrator’s password?

That’s what I’m having issues with

Should just be Hydra and the mutated password list

Hmm that doesn’t sound right

Need some help for the broken authentication brute forcing username

This is the hard module, correct?

Yep

So there should be three users: Johanna, David, and Administrator. David and Administrator are discovered after cracking Johanna. After that you just need to crack those two passwords (or really just one of them).

Spoilers pls … thank you

@pastel ginkgo i solved that section thanks for the help that section is quite cheeky so gl

stuck with third question on web proxies skill assessment(SOLVED)

i have the 31 characters long decoded cookie

i know im supposed to fuzz the last character of it then encode the whole thing with base64 then ascii hex, but idk how to encode the whole thing after fuzzing a character

and its kind of driving me crazy (SOLVED)

Incorrect.. if you solve all questions you get 10 cubes back. You can verify by counting the total number of cubes next to all questions in the module.

for the AD enumeration module, does PowerView sometimes just... not work? trying to work through ACL enumeration and follow along but some of the commands just hang and never complete

Hello, does zapp proxy support recursive fuzzing?

Wow... I just did the easy firewall one in the academy super easy... I was able to do the scans and enum and only hit it < 40

by far the quickest one and I learned some more convenient bash scripting to smooth my workflow :D

like how the Pipe actually works... I should read back up on terminal commands in linux

Are you importing the module? import-module .\PowerView.ps1

https://www.youtube.com/watch?v=QSq-aYYQpro&t=221s&ab_channel=NahamSec

This is an interesting watch for you, was on NahamCon this weekend.

I actually counted and it summed up to an 8. Otherwise please correct me for my count in the picture?

Sorry, my bad.. corrected.. thanks for the note

I am doing hack the box academy cross site scripting phishing and session hijacking modules, I am getting struck in middle, I am bit confusing over there. Is anyone is done before kindly ping me and we both solve the issue.

Can somein help me on Brute forcing module - Login forms

I'm using hydra but it gets nowhere

I saw other had the same issue

What does your current Hydra call look like (make sure to wrap it in spoiler tags)?

I am on the ssh part

i tried using rockyou and it takes something like 10000h

40 tries at minute

stuck at this place too. There's no l1 in default zshrc file.

hydra -l b.gates -P Workspaces/Sicurezza/Seclists/Passwords/Default-Credentials/ssh-betterdefaultpasslist.txt -t 4 ssh://167.71.143.119:31444

Has anyone finished the Intro to Windows Command Line Module Skills Assessment? I'm currently stuck on: "For this level, you must successfully authenticate to the Domain Controller host at 172.16.5.155 via SSH after first authenticating to the target host. This host seems to have several PowerShell modules loaded, and this user's flag is hidden in one of them. " I found the name of the Domain Controller, but whenever I try to ssh into it, it's asking for a password that I'm not sure how to get. Could someone give me a nudge? Thanks.

Does the student monthly subscription get access to all the modules? Or would I still need to buy cubes?

Modules upto tier 2. For tier 3 and 4 you will need cubes.

It should give you access to all modules up to tier 2

Says includes everything through tier 2, but looking at the pentester path - it doesn't show what tier each module is

Though personally, I just did the platinum subscription

All the modules in cpts and cbbh. Have modules upto tier 2.

OK cool, thanks

Hi I'm new in hacking, please can I know for what we need nmap?

DM me and I can help answer your questions

Okay

Hello, sorry if this is the wrong place, i am currently at the tier 1 machine called responder. I am at the final steps using evil-winrm to get the flag file however i keep getting an error from evil saying openssl:digest:digest error, message is digest initialization error, exiting with code 1. Any ideas?

That doesn't sound like it's on academy

its on htb, its at starting point

if this is the wrong channel could you tell me which one it is?

Oh okay one second let me take a look

#starting-point , you will have to verify your discord account

check #welcome and #rules

i see, thank you

Thanks @autumn pilot

I've been doing Windows and AD modules for so long I keep wanting to right click in terminal x(

Which ones have you done?

Just done Windows Privesc and finishing up Ad Attacks and Enumeration back to back.

Dang man, that's intense. I haven't done them yet, but I've heard their long and intense

They're really good modules. I've got so many notes haha.

Have you done the new intro to windows command line yet?

No I haven't, I've done some other random modules before these hehe.

Gotcha. Yeah I've been working on that one and it's helping me sharpen my windows blade. Honestly, I know that windows scares a lot of intro to IT people off

Windows is wild. There's a lot going on I think and people just get comfy with Linux

I know I do!

Haha me too man!

Just got the flag, but if anyone else is stuck on this one, feel free to DM me. (:

How many hashes does the Domain Cached Credentials mechanism save to a host by default?

i can't find that

Anyone here who can give me a nudge for the Active Directory Skills Assessment I?

i've got everything but the very last thing 😄

??

In the module RDP and SOCKS Tunneling with SocksOverRDP, i can run the .dll and connect to 172.16.5.19 (the 2nd box) but how am i suppose to send the SocksOverRDP-Server.exe to 172.16.5.19 (the 2nd box)? There is no internet to download it or webserver on the first box we rdp onto

Hey guys is there any free labs that involves tunneling over a compromised machine plus pivoting?

Dm

Hi guys, need some help with STACK-BASED BUFFER OVERFLOWS ON WINDOWS X86 - Finding a Return Instruction. I searched the pattern and found ||5 addresses||, but none are accepted as the answer.

Edit: solved! I was looking at the wrong address space

I've never done that module. But I've done BOF in other courses. Can you elaborate? I can try to help if possible

Sure, thanks. The question is: Try to search the 'cdextract.exe' binary for the 'PUSH ESP; RET' instruction as pattern '54C3'. What is the address of the first result you get?
We are using x32dbg on Windows to search for the pattern 54C3 by pressing Ctrl+B and get 5 addresses back, but none are accepted.

Well, I've done basic BOF with immunity and can't recall using this step. You have to wait for others to help you

Ye, I was afraid of that. Thanks anyway mate

Guys which VPS is best?

Saved thanks

Hi, I am stuck in the Skills Assessment of the Broken Authentication module. I have identified the eight users (9 if you count guest) via the message function and have now reduced the rockyou.txt file to 14 passwords fitting the requirements. This leaves me with 126 or 112 possible user:pw combinations. I then used the rate_limiter.py file to generate requests but I have not been able to identify valid credentials even after creating an account and trying to log on with the script. I also tried copying the curl request from the browser and including the headers etc. The curl request with my created account as a standalone worked but not converted into my script. My current script with comments with removed due to the length limit:

import requests
import time
userpass_file = "pw.txt"
url = "http://165.22.119.202:30444/login.php"
lock_time = 30
lock_message = "Too many login failures"
with open(userpass_file, "r") as fh:
for fline in fh:
if fline.startswith("#"):
continue
print(fline)
username = fline.split(":")[0]
password = ":".join(fline.split(":")[1:])
print(password)
data = {
"userid": username,
"passwd": password,
"submit": "submit"
}
res = requests.post(url, data=data)
if "Invalid credentials" in res.text:
print("[-] Invalid credentials: userid:{} passwd:{}".format(username, password))
elif lock_message in res.text:
print("[-] Hit rate limit, sleeping 30")
time.sleep(lock_time+0.5)
elif "Welcome" in res.text:
print("[+] Valid credentials: userid:{} passwd:{}".format(username, password))
else:
print("[/] Nothing here?")

hi

hey can anyone help me with the file upload module and skills assesment section

i have found the path

im unable to find the correct extension cuz the get req is kinda weird compared to other section's get reqs all of the extensions get submitted no matter what i submit

When you run mstsc.exe, there’s an option in the tabs at the top where you you can link drives and printers and stuff like that.

Read the source code

Also https://en.wikipedia.org/wiki/List_of_file_signatures is super handy

should honestly be part of the module itself lol

i did im just unable to find the executable extension

also did you complete this module?

yup

My hint should be more than enough

nice

GET /contact/submit.php?Name=safdsaf&Email=asdfasdfsadff%40gmail.com&Message=asd&uploadFile=§htb.jpg§ HTTP/1.1
Host: 178.62.88.144:31842
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.72 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://178.62.88.144:31842/contact/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

the get req is weird

looks normal to me

compared to other sections its kinda weird

wait is it using content type and mime in one header?

can i get a last hint which extension list should i use?

its in the source code

use chatgpt to explain the code to you like I did lol

Anyone for little assistance with using web proxies module

sure

im talking bout the fuzzing extension list

For the assessment?

yeah

it seems like the backend server is accepting every single extension

Read the source code

it will tell you what is black listed

what is white listed

alr cool

gotcha ty

are you doing the cbbh path?

cpts

there is a lot of overlap

im doing cbbh then gonna do cpts

would you mind if i send you friend req?

sure

hey I’m pretty new to cyber security and I’m stuck on a section in the Wordpress module, can someone help me out?

https://academy.hackthebox.com/module/17/section/88

it’s this one, I went into the /wp-includes directory but I can’t find the flag.txt file

idk if I’m doing something wrong

lol the AD skills assessment. Here's a bunch of AD tips and techniques. BTW I hope you learned to pivot.

Ok am I crazy but on the Web Attacks module, Bypassing Security Filters. It tells us to use the following payload: file; cp /flag.txt ./ As I've used that payload and have changed it to every http verb and NONE have worked. I even changed the payload and was getting my initial file to be created but Im still not seeing the flag.

Yup Lmao

Also I've refreshed the docker a couple times now and each time it behaves differently xD

hey, can i connect to a machine using my own instance

Yes. A VPN key is provided when needed. Otherwise, target instances are public facing.

Note that not every machine will be public facing. Some will intentionally be on internal networks where you don't have internet access such as the ones on Pivoting Tunnelling and Port Forwarding and Active Directory modules

Pff im doing skill assessment of intro to assembly language

But cant seem to grasp the whole idea

Fckng frustrating

Need to be working on my thesis too but fuck

Wanna complete this

https://youtu.be/6jSKldt7Eqs This guy has some good videos to try and get a grasp imo

Tnx gonna check it out

The whole series is a good watch I think

LiveOverflow is underrated

Yeah

on the XSS final assessment is it intended to be a manual or use a tool listed sort of thing?

The CVE-2022-23093 I suggested for root part, I found from LiveOverFlow

https://youtu.be/bkkVClq9aGw

I used a tool to find the first bit but the rest I did by hand

Gotcha hadnt started on it but wasnt sure of the "intended" way they wanted it to be solved

For Web Attacks - Bypassing Security Filters, is it bugged? || I found it will accept Head Request without filtering them|| but I can't get it to execute the payload they provide. Or even my own hand crafted one that should also work.

Yet to watch this video? How was it?

Sometimes you gotta try different verbs

Only watched first minutes but incredible interesting, someone should definetly make a root part of the cve

Would fit a "insane" or "hard" box

So i've tried all of them, and each time ive reset the machine it acts differently One time it would only take get request. Anything else returned a server error

hence why im starting to wonder if its bugged

Box creaters are now getting some cool ideas 🤣

This is a really unique CVE, I'm tryna get some1 to do it

Is https://academy.hackthebox.com/module/134/section/1178 Bugged? I cannot get any verb to work with their payload. When I provide my own I can get the file to be created but not the flag file. im at a loss right now with my only guess being the flag isn't located in /flag.txt or even at ../../../../../../../flag.txt

@lethal latch would you mind if i dm you?

Of course, go ahead

You can pm me

Anyone on SQLMap Skill Assessment? Just want a sanity check no real hint

Any hint on footprinting lab hard ? . i have ssl access to the server but coulnt access to mysql or privilage escalation ?

Hey guys, I was wondering - is there a module in the academy that covers the topic of "anti-forensics"? I just recently discovered that and would love to learn more about it. Seems like a fascinating topic!

I had worked with smbclient in several days and get stuck. in Password Attacks: Pass the Ticket (PtT) from Linux module I have to "read the contents of julio.txt from the domain share folder \DC01\julio."
smbclient //dc01/julio -k -c ls -no-pass list the file in that dictory. But I have no clue how to read the julio.txt file. I have tried smbclient //dc01/julio -k -c more 'julio.txt' -no-pass . I have tried different kind like: -c 'more julio.txt' -c more julio.txt, etc but it not work. Can anyone help me with a hint?

you copy the file over

Isn't liveoverflow a Minecraft youtuber?

lol

he only relatively recently went on a minecraft hacking bent

No?

I mean he plays the game, but mainly I don't think so.

smbclient //dc01/julio -k -c get 'julio.txt' -no-pass is that correct?

dunno never used -c Ive always used the interactive portion when doing smbclient

run it and find out

I was joking haha

I like liveoverflow's technical videos

Anyone finish the Attacking Authentication Mechanisms skill assessment? I've found the vulnerability, got the key, crafted my token but unsure where to send it.

anyone?

Hey

can someone help me with the User injection section? i been trying this section for a week and i dont get it, someone please

Oh well AD Assessment 1 wasn't so bad.

It kidna sucks for people who haven't done any pivoting though to hit that suddenly I bet.

sure shoot me a dm if you still need help with that

which module are you on?

hint ||password spraying||

@vital adder Have you done the Web Attacks Module?

yep

BROKEN AUTHENTICATION module

fixed it already but thanks

For the Bypassing Security Filters, did you use their payload?

I cannot get it to work at all ive tried all the verbs lol

oh yeah i did noted down that section was super buggy for my if something isn't work restart your target machine

06 16 30 15 62

if you think you are doing something wrong shoot me a dm i'll help you with that

Can i DM you?

sure

hint for you'll some ||command injection|| but a hint about the main part i the ||request method||

Hello, for the module "Using the Metasploit Framework", on the section "Payloads", my metasploit said "The target is vulnerable" but no session was created. I'm in wrong or my metasploit troll me ?

So i've dont this payload and I can see a file being created but no flag. || file&&${IFS}cp${IFS}${PATH:0:1}flag.txt${IFS}.${PATH:0:1} ||

oh no for this you don't need to use any bypass you can just cat /flag.txt

Someone can help here.

I am doing Setting UP module and I am unable to attack the targets, it happened me 2 days ago and yesterday, I have no connection with them. I tried reloading my VM, downloading another VPN (such as different servers and protocols) and I am still unable to establish connection. I even reloged to my academy account and nothing happens. I would like to upload a photo but I can't

i did noted down if the exploit fail run it again so try that or restart your target machine if running it a few time doesn't worked

Ive done that

nothing happens

still unable to ping, do banner grabbing or nmap

Nope didnt work It does not display the flag at all

I cant copy it to the local directory

oh sorry i forgot to ping the other guy but that wasn't for you

Im convinced its bugged at this point

i did noted down if the exploit fail run it again so try that or restart your target machine if running it a few time doesn't worked

check my second hint

if even changing that doesn't help yep give your target machine a restart

06 16 30 15 62

I fuzzed all the verbs and nothing

same as before

been at this now for like 6 hours x)

try at #general

if you doing this in burp shoot me dm with a screenshot (of burp)

why you drop a french mobile phone number here ? Creepy

Can some1?

to upload anything you'll first need to verify your account first use ++verify at #bot-commands

and for the you can't access the target thing because there is no target is that module

yeah, I think it was just taking a long time. it would eventually spit out the results, just took 3-5 minutes for the command to run for just one SID

of course there is, im on setting up module, the part of the METASPLOIT

so you are in the metasploit module? which section?

yeah that doesn't look like a htb academy target ip

oh wait is that a public ip?

https://academy.hackthebox.com/module/77/section/843

that's a docker container you can't scan or ping it

that port is the only thing you have access to

so?

just go to that on your browser

i cant

no things load

eternal loading

yep i just give that target a try and nothing load try restart your target

keeps giving me the same target

can you try with this one

139.59.161.137:30843

worked

tahnks

that load just fine for me

Yeah the targets do a little bit of trolling sometimes

Can someone help me with the module of metasploit

When I run a searchsploit capable of run on the web said, there are like 20 exploits

I tried using one but it is not working

I feel like this part of the module is partially empty of info

looks like the right one to me

yep

but it is auxiliary

i tried with another

but not working neither

I mean you tried to create a reverse handler on an internal vpn IP address when the target is an external public IP

how should I do it

the module only show an example that have nothing to do with the exercise

and I cant understand it

youre supposed to be able to expand beyond the module lessons

you could try a bind shell, but im 99% sure thats not the right exploit to use

Hello I'm new here

im very very new

I just know linux, some networking and kind

you had an exact version match and dismissed it cause it said aux instead of exploit

silly reason to ignore a potentially useful avenue

sometimes its not about getting shell

yes I know but with the auxiliary one i just got this (photo) and I should get to the flag.txt

yeah cause it defaults to /etc/passwd, gotta change the settings

ok, thanks I didn't think on thatt

Yep the 'show options' command shows you what options you can set even if not required

yeah, I am trying changing it but only with the /etc/passwd is giving me the file, Im trying to search where flag.txt is but at the moment im unable

Are you doing it as /dir/to/flag.txt, you do need to have the leading / I believe to start from root

yes but I don't know in which dir flag.txt is

I find difficulties installing discord on my pc some one help

this is not the place to ask that

Sorry I'm very new here

you are on a hacking server, go and look over the internet, this is not the place

Not the place to ask especially when you can contact discord directly for assistance

Is there any XSS or stuff like that modules to work with?

i don't want to shill but XSSRat has good content

Can someone help with the module of metasploit from the academy I ve tried like 20 exploits and none of them work

im getting crazy

I had worked with smbclient in several days and get stuck. in Password Attacks: Pass the Ticket (PtT) from Linux module I have to "read the contents of julio.txt from the domain share folder \DC01\julio."
When I try: smbclient //dc01/julio -k -c 'get julio.txt' -no-pass I get NT_ACCESS_DENIED /julio.txt I need to read the content of the julio.txt file but I'm stuck. Can anyone give me a hint?

How many hashes does the Domain Cached Credentials mechanism save to a host by default?
i can't find that

which module and section are you in?

hint make sure you are using the right and not ||expired|| ticket

introduction to active directory

NTLM authentication

Does anybody know how to get around the mount.nfs: failed to apply fstab options error? Most of what I can find via Google suggests running it as root (sudo) - but that ends up with the mount's files/directories being mapped to nobody - which I then cannot access. I've tried adding a new user and manually updating /etc/passwd so that the user's SID/GID matches nobody, but I still get a permission denied error.

I'm on the footprinting - medium lab btw.

Password Attacks: Pass the Ticket (PtT) from Linux

introduction to active directory
NTLM authentication

hint read the stuff under ||Domain Cached Credentials (MSCache2)||

oh that was for the other guy the hint was for you

I have two irrelevant questions since Im a beginner...

I'm looking and there is nothing there, is in another section or something?

when I type in cmd 'arp -a', I only see a few MAC address and judging by the IP address related to the MAC

I can't see other's MAC address in my network

nope i just check it and it's in there but it's a number it's word

Ugh having issues with the Firewall/IDS/IPS can't figure out why I can't tag the domain name I feel like there's something obvious I'm missing

The medium one

make sure you are using the -t nfs also go back to the NFS section they show you 1 example command and you can just use that command

I was able to determine that if I specify port 53 I "open" the ports but after that I'm lost

i can't find that

I copy the ccache file for julio and used Imported it about 1-2 minutes later in current session. Can that be too late?

give me a sec i'll send you a screenshot of that

okey thanks

I am using that, e.g, ||mount -t nfs w.x.y.z:/ ./mount-nfs/ -o nolock|| - which then gives me the fstab error.

for some reason, they were both expired for me.

then suddenly one updated and I have no f* clue how

nope use klist to get the imported ticket info

try mount -t nfs (IP):/(share name) /mnt -o nolock

I reread the goal... I swear if this is the answer..

thought i was the only one who got that dumb issue

noooope.

I used klist and directly after that the smbclient. So I not know how it can be expired

2 days

for nothing

I don't know if hack the box has some kind of automated script that updates tickets??

i mean use klist to get the Expires info

whatever it is they need to fix it

I just found it thanks anyway I have looked well and I have reread it

i think yes but for something like evey new target

to make a screenshot on it or what?

i just done taking the screenshot but nice

Ends up with the same result, unfortunately.

||```
mount -t nfs IP:/Share /mnt -o nolock
mount.nfs: failed to apply fstab options

if you like to but nope if the ticket isn't expired you can use it if not then restart the target because that could be a bug on the target site

@ripe terrace @deep tendon for the love of god don't post spoiler

try with sudo

deleted sorry

also shoot me a dm if that still doesn't work

okey I try it then. Now I need to take a sleep (long day today)

Still having issues with the Firewall one

The target system has an old version of Sudo running. Find the relevant exploit and get root access to the target system.

Metasploit Module, Sessions, last question

I'm stumped on this one.... I'm trying to figure a command that will give me the sudo version but I'm lost on that.

Firewall IDS/IPS evasion - medium lab still having problems

Sudo -v or -V?

it says sudo is an unknown command in meterpreter

hint other protocol

i just check it's sudo -V

that isn't a meterpreter command

use shell to get a bash (or sh) shell and use that command on the target linux machine

lol yeah. ive gone through the list of commands. nothing really works

guess that user don't have sudo permissions

🙂

hello

im new comer

So... maybe you can explain this.. I'm pretty new to all of this so certain fundamental things I may not get. (I've done all the fundamental modules)

The target system has an old version of Sudo running. Find the relevant exploit and get root access to the target system.

So this question is telling me to find the old version... Does this mean the only way to tell the sudo version is if you have sudo priv?

@vital adder

guys how i could hack facebook account easy!

any method

get a life

for this you'll need to research about old sudo version vuln / exploit and use the one on metasploit but for finding the sudo version i'm sure there is a lot of way but most if all of the some i just use linpeas to check so manual check command i got no idea

also a tip for privesc you can use metasploit exploit suggester for thing like this

if there is a way to Fing hack a $911.054 billion company everyone would do it and if there is a way to do it no one would just share it on Fing discord so like RudeRaph said get a life will ya

also

Give me your facebook account... I'll show you. lol

bro i want to learn

not hurting anybody

if u cant help me just let me go away

and dont judging me

Please tell me what reason you would have to hack someones facebook if it wasn't for bad reasons?

thats simple

thats not allowed here and even if it was this wouldnt be the chat for it.

im sorry everyone

Youre lucky nobodies bothered to tag a mod to remove you yet

im sorry

@proud wigeon if you just want to do stupid stuff like hack facebook pls F off but if you are interesting to learn cybersecurity give both of these video a check to see where you should start
https://www.youtube.com/watch?v=0vu_Hs4N8B8
https://www.youtube.com/watch?v=lhz0-qAQlBM

Ok thanks for the tip on the protocol shift and I was able to use that protocol @vital adder I feel like there's just a crucial thing ik I'm missing just not sure how to resolve the DNS version

Why don't you just break up with her if you think she's cheating?

because i love her so much and its not easy to broke up

thank you so much

Man, IDk what the heck im doing.

If you break up and got a new girlfriend give glimpse of us by JoJi a try

I actually got some stuff do to now so can't help for the time but if you got any questions just ask it here

Ok thanks buddy! Have a good day!

could i get anyone to help me with AD assessment 1

1

What youre looking for is sudo --version if you havent figured that out yet

Alternatively, running something like linpeas will instantly identify a sudo version thats vulnerable to an exploit

So I'm trying to run this exploit.... I watched a video where they used this to get the answer but i'm getting this and i'm unsure what to do.

Am i barking up the wrong tree here?

not sure what module youre doing lol. Just saw you were trying to get the sudo version

whats the question youre trying to answer?

That would be metasploit sessions and jobs last question

I'm connected via meterpreter.

Ugh how can I use smb to resolve the DNS version, what the heck am I missing

The target system has an old version of Sudo running. Find the relevant exploit and get root access to the target system.

Unless I'm really wrong and looking in the wrong tree

try this post/multi/recon/local_exploit_suggester

I'm trying that but it's not finding it

hmm. Drop into a shell then, run sudo --version and get googling? idk

wait i may have something.... I was having issues running "sessions" i didn't know the background command was what i was missing

meterpreter changed some of the post exploitation module stuff, but idr what the new way was

here it looks like you have the wrong target set. Type show targets to see what targets can be used with that exploit. Choose the one mopst closely matches the target system

||can't you also do exec (command)?||

hm? I was pointing him to the exploit suggester tot ry to find the vuln hes looking for

HMMM i think it's working

I just meant I thought msf had a way to run without dropping to shell

oh yea, i think you can use exec but i honestly dont remember

i dont use metasploit a ton

One of my first times lol. Besides maybe a few starting point boxes if the walkthrough used it.

That's fair

Yea. Its definetly worth learning tho

So uhm

I tried HTB Academy

Think you can help unstuck me, Tom pointed me in the right direction of what service to use but not sure where to go from here

but it doesnt let me make another terminal (pwnbox)

is there an alternative?

use screen

What do you mean by another terminal?

Well unles you tell me whatmodule and question youre on probably not

pwnbox

the instance you create

screen -S test

No. He used his 1 pwnbox for the day