#modules
Feel free to write me
I'm already root and I'm getting an IP too, but it's on a different subnet.
This is how a VPN works :)
Then why can't I ping the box?
Maybe because of firewall rules on the box.
No, it's the first section of the Getting Started module, it's not some medium-level box. I'm pretty sure it doesn't have that, but I still tried a -Pn probe scan with nmap and got no results.
Try to reset the machine
Not every box can be pinged, so maybe you don't need to do it.
I have reset the machine.
It's a docker container telling you to do Web enumeration.
Why are you running nmap?
Visit it in a browser.
Thank you bruh 
I have simply been overcomplicating things.
Wow, I didn't catch that you needed such a direct explanation, sorry :)
lol, as I said above
However, you've got nmap practice :)
Doing the Attacking Common Services Lab - Hard
Can't get a foothold... tried brute-forcing SMB with the given resources and with the user "simon" but nothing works. Null sessions are not allowed, and when trying to brute-force it with msf/hydra/crackmapexec I get a lot of "success" messages, but these passwords don't work.
A little confused how that's even possible... even if I choose a completely different userlist + rockyou, it gives me a success after it checked the first row.
Bro, I have been THM top 3%, it's just that I'm new to HTB, so just chill.
What is THM?
TryHackMe, bro.
I don't want to, thank you. It is illegal.
Hey, has anyone finished the Command Injection Skills Assessment?
The output of my flag.txt is wrong.
Your role in this server justifies your talk.
@dim hound Did you find the solution on this one? Can I DM you?
Sure, dm me 😀
Top 3% I thought everyone started at top 1%
Linux Local Privilege Escalation - Skills Assessment
Get the flag5.txt
Help!!! I got a reverse shell with nc, but I can see that it is limited. Despite that, I can run the command sudo -l and I get that /usr/bin/busctl can be run as root. I go into GTFOBins and it shows me a simple command to escape the limitation or get root, which is what I need, but I don't understand how to do it. It shows me this in GTFOBins:
sudo busctl --show-machine
!/bin/sh
I execute the commands one after the other; the first one shows me information, and the second one is blank. I can't do it.
What am I doing wrong or what am I missing?
Hello. I am doing Linux Privilege Escalation >> Shared Object Hijacking. I just can't reach the required answer. Can someone please guide me?
I am doing exactly what it is asking for, replicating the steps. I can't figure it out.
It is asking you for the version of ldd.
Bruh.
How did you figure it out?
I passed the question to ChatGPT 3, the AI is very smart ;)
Really smart.
Using smbclient, everything works fine until I put in the password provided and it times out? Tried this on my VM and on the Pwnbox, same issue. Anyone experienced something similar?
Also tried it as sudo, and smbclient -U bob \\IP\users, to the same effect.
Try \\\\ip\\share
Also, as usual: are you connected to the VPN, etc.?
Hey all, I am in the Attacking SAM section of the Password Attacks Module. Trying to solve one of the questions but I get this response... Any idea why this is the case?
Yeah, same thing - the syntax is fine because it prompts for a password, but then it times out on input. So strange...
[refreshed target IP but same]
You sure the files copied properly?
You can also use crackmapexec to dump SAM
Well, the files are there in the folder... will check with crackmapexec. Thanks.
They're very large files. How did you transfer them? It's very easy for them to get mangled in transit sometimes.
WHO PINGED ME !!?
I think so far I'm the only one that has this issue, but the first time I did that both of my files were corrupted or something. Check if you have the same sha256 hash.
The only thing I can suggest is try restarting the lab one more time and wait about five minutes for the lab to fully finish setup before trying anything. After about five minutes try again and make sure you're using the right password.
Couldn't really solve it after trying on VM and Pwnbox, editing the shell and not editing (leaving default parameters)... not sure why... found the answer with the help of a kind soul, but would be interested in understanding why it did not work for any of the attempts I tried.
Thanks @thorn urchin
Hmm, did you use the vhost like the question said?
Double-checked the page, and yeah, the answer's pretty close to what you got but not quite. Not totally sure why yours would be different.
Yeah, just ran through the section again, still got the normal correct answer.
Fixed with log out && login ):
Should I use Kali or Parrot OS?
Yup, I tried everything but keep getting the same result... may try with a new VPN or logging out of HTB Academy and trying again... very strange though, because I reset like 5-6 times.
And the result I obtained is so close to the one that is correct.
Whatever works for you.
both
I can't choose which one I should use daily.
I usually use Kali but haven't used Parrot in some time. However, it felt like Parrot was the closest thing to Kali if you have only used Kali up to that point.
Okay thanks!
Hello. Can I get some assistance with Live Engagement from Shells & Payloads first box?
Hi, I can't SSH as user MTanaka in the "User and Group Management" section of the "Introduction to Windows Command Line" module. It's the third day in a row that it seems not to work, although I can ping the machine and see that port 22 is open with nmap... Anyone else having this issue? There is no error message, just a timeout:
❯ ssh mtanaka@10.129.203.105
Connection reset by 10.129.203.105 port 22
There's more than one way to skin a cat. Can you make a different rev shell?
I am at the Live Engagement section of the Shells & Payloads module.
When I RDP into the foothold machine,
there is no web browser on it? Or am I going blind?
Thx for the help.
I had the same issue, chronosbolt.
That's what I thought, yeah, with Burp Suite.
Wanted to make sure I was not out of my mind.
Thx @old verge
I started SSH on the foothold box and am using sshuttle to pivot.
Hi to all, I have an issue with the MySQL login using default creds in the Password Attacks module, lesson Password Reuse. In fact, the MySQL port is closed on the target machine. Did you get the same issue?
That way I can use my Kali box.
If you find a way on box one, please share what you found. I am stuck.
OK, I am looking at it... definitely the ||hostname||, you got it right?
Yes... want to do it together in a private chat?
Sure, let me DM, give me a sec... got the last question too.
and the previous one regarding machine 3
Type firefox in the terminal.
There's no shortcut to it for some dumb reason.
I found it with pure dumb luck.
Oh gosh, OK!
@old verge suggested pivoting and using Kali.
I am checking if that works.
Hi all,
I am doing the final machine in the Getting Started module.
I am stuck on the following:
I got the API KEY.
I got the admin.xml file with username 'admin' and a password that looks like this: 033e22ae348aeb5660fc2140aec3585XXXXXXX
Also, I got admin panel access. But I still don't know how I am supposed to get a foothold on the server 😅
I tried to use this password from the admin.xml file, put it into a file, then ssh with the file that contains that password, but it asks me for the admin password. I don't know how I am supposed to log in with the API key (is that possible at all?).
@rustic sage Possibly that is hashed. Tried running it in CyberChef? Or anything similar? CrackStation?
No, I actually didn't try to crack it.
Hello everyone! Sorry for the off-topic (didn't find the right room for it). Do I have to link my Discord account with an HTB account, or is it fine if I don't do that? I only have an HTBA account, but if it's a must, then I'll make an HTB account right now.
I tried to change the admin password in the control panel and it said:
"Error: Unable to continue: Unable to write the configuration file. CHMOD 755 or 777 the /data, /backups folders & sub-folders and retry."
Ask this in #general.
You have to verify your Discord account if you want access to the other channels.
Does thou need to verificate to thrust mine shitpost upon thee
Got it, thank you
Crack it with hashcat.
I'm doing it right now. Is "Token length exception" a normal thing?
Means the wrong hash type was chosen or the hash isn't formatted properly.
Use this command: hashid puthashhere
Hello, I need guidance with the Password Manipulation section under Password Attacks. I have used multiple rules and am still unsuccessful in cracking the password with hydra using the user sam.
@rustic sage And then hashcat -h | grep hashtypehere
Then put that in the -m for hashcat.
Also…
Make sure the hash in the file you're cracking doesn't have any hidden spaces or tabs or hidden double chars, or even a newline if it's only one hash.
Also, you can try the crackstation.net website; always try that for a hash first @rustic sage
Wow. I actually didn't specify the hash file. I found the password.
But it doesn't let me log in now with that password, lmao.
Login how?
I am getting permission denied
with SSH
directly to that machine.
DM me the command you're running.
okay
Sometimes things can only be accessed internally, is what I'm guessing.
Hi! I struggled 2 days on that too. I finally read your comment, which helped me out. They definitely need to rewrite the question.
I've tried multiple times without a payload, and with the pattern as the payload; nothing worked.
I finally used the 'dumb' payload... and got it... thank you again.
Does anyone have the solution for this?
Maybe there's an admin page.
Use the given rule.
If it is taking too long, cut the first ||17000|| words.
A trojan that does not go away when formatting the PC can replace the memory?
Sam is the SMB user, right? I had to use the Metasploit module to crack that one.
For the password mutations thing.
OK, I have used the custom rule, but perhaps cutting the wordlist will be less pressure on hydra.
It's an SSH user called "sam".
I don't have the brute-forcing command in my notes, so I think I also used Metasploit for this.
What's ncrack? Because I agree, I have used multiple rules and sources such as the Metasploit scanner.
Google it lol
Hello guys, can I ask which Parrot OS edition I should download: Security, Home or the Hack The Box edition?
Both are for hacking (use the Security one).
OK, I'll try learning about ncrack and using it.
If you're doing Academy modules, the Hack The Box version will prolly be best.
trojan on motherboard
Is there a difference between the HTB edition and the others?
The HTB version was made and is maintained by HTB, lol.
I mean in usability.
Kali?
There are not 1700 rules within the file? Am I missing something?
When you apply the rule they give, you'll get a wordlist with like 90000 passwords. You can take off the first 17000.
OK, here's the problem then: I must be running the wrong command because I'm not getting that many.
hashcat --force sam.txt -r custom.rule --stdout | sort -u > mut_password.list
This is the command I'm running; it's not giving out that many passwords.
sam.txt just holds "sam".
Well, why would you do that? You're given a "password.list" file to use.
You need to mutate that.
Hi everyone.
Mutating the username would be useful if you know you have a valid password but don't have a valid username.
If you have the username, you need to figure out the password.
Does somebody know how to 'upgrade' a Meterpreter shell? Because the Meterpreter shell can't do basic commands like whoami, pwd, sudo -la.
Sorry, I'm having difficulty understanding this. What's the difference between brute-forcing with a password list that has nothing to do with sam, compared to a mutated password list that also has nothing to do with sam?
Could you explain a little bit further? I didn't understand so well.
Password lists contain lists of common passwords. Mutating that list with the custom rule will give you many, many more to try. It doesn't need to be related to Sam because you're just trying general common passwords.
Ohhhh. I kept getting caught up on the sam part, but that makes complete sense, thank you.
Meterpreter itself cannot execute commands such as whoami because it isn't just a shell. If you want to interact with the target as if you have a normal shell, execute the shell command within Meterpreter.
You are G bro. Thanks 🙂
This is going to take a long time, isn't it?
I have an idea: I'll split up the mutated file into 3 files and use ncrack, hydra and Metasploit at the same time.
tfw you realize you don't know how to grep for the first 17000 lines.
Does somebody know why I am getting permission denied?
I set up a Python server to run on localhost in order to download the .sh file from the remote machine.
Did you try to run this command with sudo before?
You're trying to wget into the /usr/bin folder, where write permissions for regular users are normally locked down.
You should run it from a directory you have permissions for, such as a home dir, or a web dir in the case of a webserver user, or from /tmp, or a dozen other valid locations.
Otherwise a user could just wget a new passwd file into /etc/ and instantly priv esc on any Linux box, lol.
You were right. I downloaded it into the /var/www/ directory. I can't run that .sh script; I am getting permission denied. Before I uploaded it to the remote host I did "chmod 700 FILE.sh" and I still can't run it.
I don't remember the octal codes, you do chmod +x.
The thing that is useful, and I don't know what it means, is when I do "sudo -l" I get:
User www-data may run the following commands on gettingstarted:
(ALL : ALL) NOPASSWD: /usr/bin/php
This is taking forever; any advice on how I could speed up the process @graceful rampart?
What command did you use?
hydra -l sam -P ~/Downloads/HTB/Academy/PasswordAttacks/Password-Attacks/mut_password2.list ssh://10.129.68.220
ncrack -p 22 --user sam -P ~/Downloads/HTB/Academy/PasswordAttacks/Password-Attacks/mut_password2.list 10.129.68.220
Have you already taken the first 17000 words off of the password list?
Yeah, look up sudoers and then GTFOBins and the path will become clear.
Oh wait, I only kept the first 17000!
Lmao
Hello guys, I must say, in the Introduction to Cybersecurity path, the "Setting Up" module comes before the OS modules although it requires knowledge of them as prerequisites; doesn't make much sense.
Bruh. I just learned the head command to do all that; how would I use grep to remove the first 17000 and cat everything else?
sed '1,17000d' mut_password.list > cut_mut_password.list
Hmm, I have to look into the sed command, but thank you, friend.
np
Solution attained, thanks for the assistance!
I'm stuck. I have:
Matching Defaults entries for www-data on gettingstarted:
env_reset, mail_badpass,
secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
User www-data may run the following commands on gettingstarted:
(ALL : ALL) NOPASSWD: /usr/bin/php
But still don't know what I am supposed to do. Any hint?
Yes, and I'm saying that's the right path. To understand what you need to do, you should google sudoers to learn how that works, then google GTFOBins to see how that works.
Combining the two bits of information will show you how to use it.
Check a website called GTFOBins; you have the ability to use sudo as root. You can run /usr/bin/php with sudo, and GTFOBins will show you commands you can use.
I don't believe in telling people the answer, but I'll tell you how to go find the answer for yourself.
That's what I am asking.
Make sure you understand why, though; it's a really important thing to learn!
I'm gonna do those things you and @rustic sage mentioned.
Like madf0x said: Answer the following Questions:
- What is the sudo command and what does it do?
- What is
/usr/bin/php
Yes, so start literally googling "sudoers" and read.
Only then should you go to GTFOBins to find out how to abuse the relationship.
Yes, take their advice; mine might get you the answer, but this is a very common tactic in priv esc, so it's best to understand how it works.
Thank you all!
I'm still learning it too.
But you see here: User www-data may run the following commands on gettingstarted:
(ALL : ALL) NOPASSWD: /usr/bin/php
Right now you are www-data, if you check your id.
Okay you're right
tbf the module in question, I believe, specifically mentions this attack path, but it also assumes you have a certain amount of Linux fundamentals under your belt, of which sudoers definitely counts.
I'll be the first to say you don't actually have to grind fundamentals before you get started on the fun offensive stuff, because that's what I did back in the day, but it does mean knowing when you have to weave in a bit of fundamentals to understand whatever you're currently trying to tackle.
I believe this is so easy, but I've been stuck for 1 hr on this part where I need to run an sh script, LMAO.
The .sh script won't find anything you didn't already find.
It won't exploit it for you, only tell you it's there, and you've already seen it's there.
Spend another 30 minutes reading on sudoers and then 30 minutes on GTFOBins. Or an hour each. It ain't a race.
Why are you running a .sh?
To enumerate possible PrivEsc.
But I guess I already found it with the sudo -l command.
Like madf0x said,
answer these questions.
You were given the nudge where to look.
Have you googled sudoers yet?
By all means, if you have and are struggling with it, share what you've gathered so far and what part you're having issues with.
Understand how sudoers works and then you can move on to the next step.
I think some of this may get into spoilers because tbh the answer is the spoiler.
Sudoers isn't necessary, but a good read.
It's fundamental to understand what sudo -l is showing you and how to read the format,
as sudoers is how you configure it in the first place.
oh
Ergo, understanding sudoers will show you why that's bad, and the first stage of how to exploit it. The second stage of exploiting it will come from looking into GTFOBins. But you've gotta nail the first stage in understanding before the second makes any sense.
Because the GTFOBins part won't make any sense to you at all until you know the first part, as it already assumes you understand how dangerous privileges work, of which sudoers is just one example of a possible permission misconfiguration.
Thank you a lot. I got a root shell and also the flag. I think I'll read a little bit about shells. That was confusing me a lot, especially with the commands from GTFOBins for php 🙂
If you can't answer the 2 questions I asked you, you shouldn't have gone to GTFOBins yet. You had the answer given to you. You didn't learn anything. You will never make any progress in this field like that.
Sorry, to answer your question "What is /usr/bin/php?":
It's actually the php program in the /usr/bin directory, right?
Yes, and what is sudo?
So what does that mean? You can run php as root.
So I leveraged that and put an sh shell into the CMD variable.
yes
Hey, I think I'm facing some dumb config issue. Trying to finish the "Getting Started" module, "Knowledge Check". I can port scan the target, find some folders on it, navigate those, and have already found a set of credentials, but I can't actually browse to the page at all. In Nibbles I managed to solve this by adding the domain to my /etc/hosts, but that doesn't seem to be working in this case? Any help?
Yeah, exactly: you can use php to execute code, which in turn executes commands on the OS. Which means any commands that you execute via php as root are executed as root.
Gotcha. In my case, I executed a shell as root?
Exactly
Haha. Thank you a lot mate, and thanks all others (if reading this) 🙂
np
Yeah, so a fun tidbit to remember: any programming language interpreter, if you can run it as root, means you can escalate to root.
Without exception.
In the future, regardless of where you may find a command, you should never execute any command unless you fully understand what it does.
Yup. I'll have this in my mind. For the sake of my improvement 😄
Did you try browsing it like this:
in web browser
Yep, that's what I was doing. Folders load fine, it's just the main page. I think it's just super suuuuper slow; left it loading in a separate tab and it loaded now, after some 20 min.
Maybe you should download the VPN for the server that is closest to you, depending on where you live,
so it could load things faster.
It's already the closest. Don't think it's anything VPN/network related because everything else is loading fine. I can curl files just fine; it's just when trying to browse to the page.
Not sure if it's just the bind shell module, but is anyone else having issues with boxes losing connection? I literally get no response from the box after it's been up for about a minute.
Hello all,
I'm currently doing the Attacking Common Services module, section Attacking SQL Databases.
I have reached the last question, which basically states to enumerate the database flagDB. I already have the credentials for user mssqlsvc but no idea how to actually use them.
I have tried to log in using that user and password and domain, but I just get a failed login.
Could anyone who has already done the module drop a small hint? Thanks in advance.
Update: Resolved.
Think I got it. It times out waiting for ajax.googleapis.com on every single request. Sink that in /etc/hosts and it now works just fine.
Hi. I need a little push for this question here : Getting Started > Web Enumeration > Try running some of the web enumeration techniques you learned in this section on the server above, and use the info you get to get the flag?
I've tried multiple things,
but I can't find the answer.
I tried gobuster, cURL, whatweb, checked robots.txt, checked the page source of index.php, robots.txt and the WordPress page.
Any god hacker around?
No, they all died and went to VX Heaven.
Lol
ftr this channel is for HTB Academy discussion. If you're not here to discuss that, find somewhere else.
Also read the server rules; literally everyone that asks something like what you asked winds up breaking the rules and risking a ban.
Can anyone help me with a question in the Footprinting module - easy lab? For some reason it won't let me ||wget the contents to complete the rest of the lab||. I figured out how to get that to work but ||don't understand why it was hiding the files from me after I downloaded them?||
For host 1 on the live engagement in the Shells and Payloads section, the application returns a server error when attempting to activate the WAR file reverse shell. Is this host bugged?
That requires a single level, then to the admin page.
Because you're not intended to wget the info.
You're supposed to use the tools from that module to enumerate the information.
Already got a shell. My "fix" wasn't really a fix since it seems to still happen randomly, just super slow to load every now and then. Guess it's just the box being kinda messed up.
How are you supposed to ||SSH in without the keys that you get from the FTP server||?
I don't know what I am missing on this question, but in Shells & Payloads - Automating Payloads & Delivery with Metasploit: What command language interpreter is used to establish a system shell session with the target?
I tried everything that I thought it could be and I get nothing.
I can't recall how I did it, but it's generally not intended as wget because it's not an open webserver iirc, but always look for all.
I ended up ||using wget and getting the files and the key, but now it is not letting me SSH using the key?||
Can someone explain me the hint given by this question : "
Everything you need to login is given to you" ?
Check the key perms.
SSH only accepts keys with the correct perms set on them.
I did chmod 644.
That's wrong.
If you did google it you'd see people saying they were having errors with 644; don't use 644.
600, yeah.
Also, the module in the section talking about SSH does not mention changing permissions to make it work.
644 is fine for pub keys, not priv keys.
I know you need to, but that's frustrating.
Thought the module did mention it, but even if it doesn't, it very frequently, by design, throws you stuff you need to look up on your own.
Priv keys needing 600 perms to work is also something most would consider a Linux fundamental.
I knew about the chmod, but my problem is that even with EITHER 600 or 644 it is not working.
You got the right key?
And how are you using it?
ssh ||-i KEYHERE ceil@IPHERE||
And what does it give?
Nothing, it hangs and then closes the connection.
That's not an SSH key issue then, that's a connection issue.
OK, I'm resetting the box.
If something was wrong with the key it'd have given you a permissions error or a login failure.
If it's any consolation, you were going to run into the perm issue regardless, so at least you got that cleared up too.
You're right @thorn urchin, the restriction of privileges on private keys is explained, but in the "Getting Started - Privilege Escalation" module. 644 isn't usually restrictive enough because it still provides "read/write" permissions to the Group and Others.
It actually does tell you.
Hello guys, I have a question: how can I know exactly if I have connected to the VPN? E.g. in Windows I can see it, but I don't know exactly on Kali; is there an exact command or something? (openvpn)
In a new terminal window you can type the command ifconfig and it will give you your IP address on the HTB server (e.g., 10.10.14.xxx). The IPv6 address starts with "dead:beef:...". If you see that, then you should be connected.
Yes, I see it, but why do I have problems with SSH?
If you are connected to the HTB servers, then you shouldn't have any issues with SSH, as long as you are trying to SSH into a valid (and active) HTB server (box) and have valid SSH credentials for that server/box.
^
Can anyone help with a question on Intro to Networking?
Just ask the question, no need to ask to ask.
If someone knows, they know, and can nudge you; if not, then oh well.
But it helps to just ask.
Has anyone completed the Skills Assessment for using CrackMapExec? I'm struggling a bit with question 3.
Ask questions better: what have you done, what is troubling you, what is the error you're getting, or what are the unexpected results you're seeing? It doesn't help to be kinda vague...
Can anyone tell me how I can grab this file?
I used pass-the-hash with mimikatz to get in here. I'm currently in System32\ and need to connect to the shared drive and grab david.txt.
Have you tried using net share to see if it's connected / mapped? Just my suggestion, if I'm wrong, let me know!
You mean like smbclient?
I think so - I thought it would be a good shout to try.
I don't think so. I would need the password. All I have is the hash, which is why I'm "PTH" --- maybe I'm trying to connect to it wrong.
──(ruderaph㉿kali)-[~]
└─$ smbclient -U david \\10.129.148.2\david
Password for [WORKGROUP\david]:
session setup failed: NT_STATUS_LOGON_FAILURE
Ah well, I thought I'd lend a hand 😛
Just do type Dave.txt, no need for extra dir info, you're already in it.
Did you figure this out?
It should tell you in the module :)
Glad you found the module useful. As for CMM, I've used a lot of macOS software over the past 15 years, and it truly is software that deserves to be on the recommended list. It bundles a lot of features of many other applications, so it may be the only software you need for a bunch of things, which is why we recommended it, mainly based on personal experience. Give it a shot and don't go by what others say without trying it.
Another useful application that comes to mind is iStat Menus, but CMM also has a built-in system monitor, though not as detailed.
You get paid to drag it from the applications folder to the trash? 🤷🏻♂️
You think that's it 😬
Might wanna check over your launch daemons and other junk that doesn't get removed.
Yes, security but not privacy. At least not from Apple. They can monitor everything on your device, collecting data, making profiles.
Perhaps you can use the CMM uninstaller... it does a great job of removing applications and their files 😄
If you believe so.
I have some other tools I use as part of my toolbox to make sure I clean out unwanted apps and the like for customers. Can never trust built-in uninstallers. Some can be fine, many aren't. Not worth the time to sort out which is which.
And ftr I've been in the repair industry for about 8 years now and have been pretty involved with the repair community at large. CMM has a terrible reputation.
Other than the reputation, if there's any evidence of wrongdoing or adware etc., then we'll remove the recommendation from the module.
Also, please feel free to suggest macOS apps you find useful; we wanted to build a list of apps to get users going who are new to macOS.
Other people will claim it's adware, but I don't go that far. It's just junkware. It gives the illusion that it's doing helpful things, when really, what is it actually doing that's a tangible benefit? It's smoke and vapors to talk up a good enough game to sucker people into paying for it when there's no need.
https://www.youtube.com/watch?v=6i2XV_BmszM Apple is evil, Apple is digital slavery.
Thanks, I figured it out. It was type \d01\david\david\txt
When you're doing ffuf / fuzzing:
- Is it taking bandwidth from the server?
- If I have monitors on the server, can I see the actions?
- Any way to block fuzzing?
Another question: why, when I run fuzzing on my own server, do I get nothing?
ffuf -w list.txt:FUZZ -u my-domain.com/FUZZ
Yes, no results.
I tried this code.
Also, I need to mention that it's an app running on port 3000.
Mm... let's say I have the contact keyword.
If you're running on a non-standard port for your webserver, you'd need to do my-domain.com:3000/fuzz
OK, it's probably something, idk.
But if you're already here, maybe you can help me with the Fuzzing Parameters lesson.
I'm trying to run this:
ffuf -w params.txt:FUZZ -u http://admin.academy.htb:30421/admin/admin.php?FUZZ=key -ic
@wheat garden That guy seems unhinged.
From this module I'm not sure if I need to put in -u admin.academy.htb or the IP address.
- I don't know why every time I'm fuzzing, I'm getting:
: Progress: [1555/2588] :: Job [1/1] :: 1814 req/sec :: Duration: [0:00:02] :: Progress: [1959/2588] :: Job [1/1] :: 5087 req/sec :: Duration: [0:00:02] :: Progress: [1959/2588] :: Job [1/1] :: 5087 req/sec :: Duration: [0:00:03] :: Progress: [1959/2588] :: Job [1/1] :: 5087 req/sec :: Duration: [0:00:03] :: Progress: [1959/2588] :: Job [1/1] :: 5087 req/sec :: Duration: [0:00:03] :: Progress: [1959/2588] :: Job [1/1] :: 5087 req/sec :: Duration: [0:00:03] :: Progress: [1959/2588] :: Job [1/1] :: 5087 req/sec :: Duration: [0:00:03] :: Progress: [2354/2588] :: Job [1/1] :: 6913 req/sec :: Duration: [0:00:03]
lol, try not to let your emotions get too involved; just listen to the information.
@wheat garden I can't when he's yelling into the microphone.
Completely unhinged. Really shouldn't be here.
Don't let your emotions determine the veracity of information. I know we're used to being told beautiful lies in soft, sweet tones.
I need help with this Parameter Fuzzing - GET fuzzing; I'm not sure if I need to use this extra location /admin/admin.php.
I am beautiful.
My dude, there is nothing emotional about it. Your guy goes on rants about Satan infiltrating software development and government.
Really not useful or appropriate.
Then don't watch it. Shut it off; no one's making you watch it.
As soon as I hear globalist satanic elites, I turn it off.
But hiding away from uncomfortable information and truths doesn't make it go away,
@wheat garden Let's stick to the module exercises.
This is not the place to push conspiracy theories. This is a chat about modules.
Only makes conditions worse in the long run.
I found a download interface that does not require authentication, but I only know a certain file name and cannot download other unknown file names. Is blasting the best option?
What module is this related to? Certainly if you're commenting in the Academy module channel it must be Academy module related, correct? You wouldn't be some scumbag spammer posting irrelevant information to the modules channel, would you? That'd be not very cash money of you.
@thorn urchin Do you know why when I try to ffuf I get nothing?
I'm on the Value Fuzzing.
I'm trying:
ffuf -w params.txt:FUZZ -u http://admin.academy.htb:32348/admin/admin.php -X POST -d 'FUZZ=key' -H 'Content-Type: application/x-www-form-urlencoded'
define nothing, are you getting error numbers in the job progress? if so check the ffuf error logs to see what may be going wrong
Every time I fuzz I get many lines like that
:: Progress: [35/2588] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Er.....
the many lines are because the terminal width is too short, maximize your terminal
it'll make the progress status cleaner to read as well as any results
0 req/sec would suggest it's not finding a path to the host though
Not directly to any academy module. But not 100% of everything on this chat is academy conversations. I posted that in response to someone's comments about Apple. But I actually think it is important information to consider, especially for tech-inclined folks like ourselves.
yes.. but those lines aren't telling me anything about the result
it's not finding any keywords
so I assume I'm doing something wrong
We were discussing a specific module actually. So you're in fact still being off topic and should shut up unless it's about a module.
yes, but 0 req/sec like I said suggests a connection issue, and if it is giving a number of errors in the status you can read the log to find out what's going on. But you have to actually open up the log file and read it
What's the location of this log?
idr, google ffuf log location
I know this but I can go off topic a little.
no I made one post and I may be wrong but I think you guys got emotionally charged by the information because it made you uncomfortable. That's your problem not mine.
I literally have not watched the video and couldn't care less.
it just has no basis belonging in this channel whatsoever
move on
then you disrespected me telling me to shut up
Yes, because you have actively earned less respect
Now I'm done discussing it further, if you got a module question to ask then I'll listen, otherwise I'll just start pinging mods.
I logged a report to HTML, I got html file and in it Showing 0 to 0 of 0 entries
ok well if you're done discussing it don't reply to me then, cause I had dropped the subject until you replied to me addressing me.
not logging a report, you need to read the error log, it's different
If you directly reply to me I'm going to respond most likely.
@thorn urchin are you talking about debug-log or something else?
I have a feeling it's because I need to spawn the server again
ok, I just didn't understand the -fs part which is weird
for example, I get many results like
adminpwd [Status: 200, Size: 798, Words: 227, Lines: 54, Duration: 0ms]
now why do I need to do -fs 798
to get the desired results?
I assume if I filter by this number I should get the same list.. because they all have 798.
So how come it's filtering it, and we're getting only 2 results?
Correct. You're looking for the size (in bytes) of the HTML reply, which for all your failures should be the same. When you filter the size out, you should only see the ones that are valid.
oh it's filtering out?
Yeah, -fs will stop showing you any entry with a size that matches the value you give it.
Got it, I thought it's the opposite, I thought it's selecting only the 798
So the key is to run the fuzz for a second or two, to determine what the 'false' size is.
Then cancel it, and start it again with a filter in place.
the key is just to narrow down the big list
so you see bunch of 798.. so you start with that
Correct.
Do you know maybe what is the syntax if I want to use ffuf with regex?
I tried to add -mr "\w\.\w"
but it's not filtering by that regex
AD assessment 2 nudge?
" Submit the contents of the flag.txt file on the Administrator Desktop on the SQL01 host."
You still need help?
Hey how y'all doing? I need a little bit help with a question. The question is Create an "If-Else" condition in the "For"-Loop of the "Exercise Script" that prints you the number of characters of the 35th generated value of the variable "var". Submit the number as the answer. The bash script I wrote is:
#!/bin/bash
# Count number of characters in a variable:
echo $variable | wc -c
# Variable to encode
var="nef892na9s1p9asn2aJs71nIsm"
printf '=%.0s' {1..35}
var=$(echo "$var" | base64)
if true; then
echo "Given argument is greater than 10."
fi
done
Please let me know, if you can. Thank you
sure
What argument are you passing to the statement for true?
"if true" is just an infinite loop
Oh okay, makes sense
I have a question related to coding
I wanna download a game, however I am not sure if it's a virus, so what should I do?
Bash if statements. Learn if statements, else, elif and case statements with sample scripts, detailed descriptions and challenges.
That's... Not a coding question lol
Thank you MarcieLee appreciate it
Uh true but yeah what do I do to see?
Submit the executable into https://www.virustotal.com/gui/home/upload
VirusTotal
I did that but It's just totaling the link
Can you scan a file you haven't downloaded
Sorry if I am confusing
Whats wrong with it?
"steam unlocked.net"
"who claim to have scanned them"
Hm
Pay for the game and download it legitimately.
Can you virus total it?
It went off sale though back in like 2018
Virustotal is free to use bro
What game?
The file not the link
What if it destroys my PC tho immediately after downloading it?
True
I don't wanna mess up my PC
Does anyone got a VM?
Oh weird. Just yolo run it. Tell us how it went.
And you're downloading a game
Trying to avoid clogging up my PC lol
So
I mean true but any space helps-
When I was a kid on the internet everything was a virus.
Not this discord
Can you refer me to a server that would help*
Hmph okay should I download the EXE?
Without being a complete dick about it to you
Ok so basically
Can downloading an EXE
Destroy your PC?
Or you must run it first?
Wait wait, you're asking if an illegal file that you want to download might be a virus?
Are you good with legal stuff
Is downloading a game that went bankrupt or well
From a company that went bankrupt*
illegal
It's still a pirated version
Eh
No one enforces DRM but you're not seeing the point kid. We are not going to do the work for you.
Can't know without actually looking at the file
No
This discussion doesn't belong here, or anywhere. Take it elsewhere.
Listen, if Windows or any AV detects it when you download it then it's bad
If it doesn't then you roll the dice
I advise creating a restore point (Google is your friend)
Fucking go do it and stop beating around the bush
Can we please keep this channel on topic
Do the risks outweigh the benefits?
This can be taken to DM or community help section
Sorry I was playing with food
Sorry for making it off-topic, this is the only channel I could find
Who can I DM for help
still need help with that ?
Hi, I'm trying to solve the section "ZAP Scanner" in the module "Using Web Proxies". Task is to run a ZAP Scanner on a target to identify directories and potential vulnerabilities. "Once you find the high-level vulnerability, try to use it to read the flag at /flag.txt". Problem is, that ZAP only comes up with medium and low level vulns when I scan the given target. I don't know what I'm missing out. EDIT: got the flag manually
anyone can give me nudge on the The Live Engagement of Shells & Payloads? thx
related to the blog exploitation question
I am working on the NETWORK ENUMERATION WITH NMAP module The Service Enumeration section I am trying to get all the ports but I have tried about everything but I am still only getting the same 7 ports. Can someone assist me with that?
Can't remember the question but where you at?
Enumerate all ports and their services. One of the services contains the flag you have to submit as the answer.
can you dm your command?
from the exercise: sudo nmap 10.129.2.28 -p- -sV -Pn -n --disable-arp-ping --packet-trace and it throws out a ton of info that isn't really needed.
try ||sudo nmap -sS -sV -Pn -p- <ip>||
copy
I am stuck on the final assessment of the File Upload Attack, anyone can help?
Hi there,
I started with the "JobRolePath" Penetration Tester.
There is a section called "ServiceScanning". To perform some nmap scans as shown in the description / or answer the questions at the end /
Which VPN connection is necessary to reach the host "10.129.42.253"?
Academy vpn. Possible to download it when you click on your username in top right and the VPN Settings
thank you, but it doesn't work. (EU Academy1 & 2)
the VPN connection seems to be ok, but the host is not reachable (10.129.42.253)
what can I do to troubleshoot this issue?
@rustic sage try to use ping
@rustic sage change the vpn server
already done, is the same
@rustic sage what vpn server are u using
can someone get my fortnite account back, i got hacked please😭
i got the info of the guy who hacked me please
EU1 and EU2 also US1 all of them the same
@rustic sage ok
If I'm using the htb original vpn are the boxes (not Academy) available, so I think that could be an Issue of the Academy Network?
@rustic sage if u are connected to the wrong vpn server it will not work
why? I'm working in the Academy "JobRolePath" (have a look here #modules message)
you should be in /tmp whenever ur downloading these kinds of scripts because no matter which user you are you always have write permission in the /tmp folder.
Been trying to solve the Attacking LSASS section in Password Attacks and pwnbox RDP keeps crashing and the virtual box shows this transfer error:
Safe to assume HTB has issues?
Hi! Any tip to solve Skill Assessment nº9 of Introduction to Windows Command Line?
"Use the tasklist command to print the started services and then sort them in reverse order by name. The fourth service is the flag for this user."
There is an example in the same section relating to sorting services ... that should serve as a good tip
I dm you
@covert vault Can I DM you regarding the last question of Pass the Ticket (PtT) from Linux?
Not the place to ask read #welcome
When you switch server you may need to reset target btw
Regarding Web Enumeration exercise https://academy.hackthebox.com/module/77/section/728
What is the command needed to enumerate the server 142.93.37.215? I tried whatweb and gobuster on this IP, but I get nothing or errors returned
Do all the methods shown in the module, not only directory enumeration
Have you managed to solve it?
@sleek elbow what is the problem
@sleek elbow what wordlist are you using with gobuster also what output are you getting please share a ss
I'm using common.txt
How to share screenshot? can't attach
can anyone help me with the footprinting medium lab? I am hard stuck after I get access via RDP
@devout cliff ok how are u stuck
not able to authenticate in MSSQL SMS
@devout cliff maybe try administrator as the username
isn't working
I've tried ||sa, alex, admin, administrator, Administrator, Admin|| for the usernames
@devout cliff Maybe you have the right info for the user/pass, but you're missing a flag with the command
@lethal schooner I'm using the program MSSQL SMS, not a terminal
Everything that you need is in the module if I recall correctly
In Attacking Common Services // Attacking SQL Databases, i got the password of the mssqlsvc user but login doesn't work with mssqlclient.py. Any idea what i should do?
nope
Try using sqsh
ok, well I'll keep hitting my head against a different wall for a while then
@devout cliff What exercise are you on
the medium lab
footprinting
Have you checked all the services like nfs?
The medium one is a bit of a pain: but here's a hint. You have the credentials you need. And take a look at the protocols being used
Unless you didn't read the medium fully
#Module: Attacking Common Services
#Sections: Attacking SQL Databases
I need help, I find the hash, decode it and get the password.
Then I use ||rdesktop -u mssqlsvc -p mypassXXXXX 10.129.177.184|| and it appears that remote access has been removed.
Someone tell me if I'm on the right track or am I missing something?
It tells you something that isn't obvious on a scan
Is RDP enabled on that?
hint use the domain syntax
It appears to me that it is not enabled for this user
I don't understand because I could login with the other account this way: python3 mssqlclient.py -p 1433 htbdbuser@10.129.203.7
hint the first user isn't a domain user (i think)
hint there are no rdp also hint #modules message
the same is happening to me.
i use this
||EXECUTE('select @@servername, @@version, system_user, is_srvrolemember(''sysadmin'')') AT [10.129.65.234\SQLEXPRESS]||
but this appears
Verify that the correct server name was specified. If necessary, execute the stored procedure sp_addlinkedserver to add the server to sys.servers.
@fathom pendant not rdp but mssql
you are on the right path but I think that's the wrong one, I mistook the SQL one with one of the skill assessments, sr. but hint: if you are logged in you should be able to find the flag
also could you remove the password in this it's a bit too much spoiler
password changed 🤭
Have you found the 'sa' credentials?
no I just have alex
Can I DM someone regarding the last question of the Password Attacks / Pass the Ticket (PtT) from Linux??
So you have access to the RDP with alex's credentials? Enumerate his Windows machine a bit.
just ask the question here
the username and password found seems to be for an smb server.
can I use this same user to connect to a database like this ||mssqlclient.py -p 1433 mssqlsvc@10.129.177.184||?
yes, but I don't know what the domain syntax is for that tool, I only got the syntax saved for sqsh in my notes
ok found those credentials now. so they don't work with logging in on that same machine though, so I guess I'll try some other tools to do it?
The key is that every Windows machine has an administrator account.
@vital adder The domain syntax is documented in the module
oh nice good to know
ok got the flag
I hated every second of that LOL
hi guys what's up?
now i use this sentence
||sqsh -S 10.129.177.184 -U .\WIN-02\mssqlsvc -P mypassXXX -h||
and I get these messages
Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.
please help 🥹
that doesn't look like the right domain but sure give me a sec let me give that a check
oh wait you are using sqsh, how tf did I miss that, for the username add .\\(username)
thank you, now i managed to connect, you are the best 👏

hey guys!
I have a question...: is it possible to hack the administrator in win10?
Thanks in advance!
(sorry for the spelling mistake! 😐 google is just like that!)
The question says "Use the LINUX01$ Kerberos ticket to read the flag found in \\DC01\linux01. [..]". The LINUX01$ Kerberos ticket is the ||/etc/krb5.keytab||, right? I used this to export it in the KRB5CCNAME variable and then tried to read the contents in \\DC01\linux01 but can't access it..
I don't know that one I just meant don't ask to ask; just ASK lol and someone may be able to nudge in the right direction
hint use ||kinit||
nope you can't use the root username for this
I'm having difficulty understanding the Default Password section under the Password Attacks module. I have the credentials from the user in the last section and I know how to brute force the MySQL service. I made a file called user_pass.list where I separated the credentials by a colon. Am I supposed to manipulate this file with rules? What does this have to do with default credentials?
hint the cred ||is in one of the link||
I don't understand? What link?
the link shown in that section
It's the same for other users too
oh you can do that? I didn't even know that
but I think this is a domain user on another domain or something, that's why you can't use root for this
So all I have to do is use MySQL default credentials? What does that have to do with the user from the last section in password manipulation? I'm confused.
yep and nope you don't need that user at all
Why does it say then to use those credentials? Okay well I have the default user for MySQL, I suppose now I have to add root:password, and somehow just manipulate the password part?
oh wait the question did ask that 🤣 I think this is just another case of htb being evil
lol... am I on the right track? Do you know how I would just manipulate the password part of root:password
hint nope, there are multiple default creds for mysql, you'll need to find the right one
Okay sounds good.
so the one I mentioned, is the correct Kerberos ticket?
yep
I used all the default credentials for MySQL, they did not work? Am I overthinking this?
The wording of the question has confused me. I can't understand what it wants me to do.
Never mind, problem solved, I was actually trying to login to MySQL which did not work but the answer did for HTB.
You should be able to log in to MySQL
How were you trying to log in?
(Take the username and password out of the command. Don't want to spoil it for others in here)
How am I supposed to understand which user the ticket corresponds to?
Hi guys new to this discord… I have a question… In the Windows Fundamentals Mod do you have to do the mods all in one sitting? Because when I go back to it like “File System “ #3 the xfreerdp from Parrot to windows isn’t working. I’m starting to bang my head.
hint the one that the ticket belongs to
I left the module I spent time on last time and came back to the same spot. However if you are working on a machine I believe you have to go through it all, since progress is reset
wdym? and no you don't need to do all of the section at once
I can't say for sure since I'm still taking notes for the beginning but I assume the boxes are reset if you're gone for too long
That's what I'm trying to figure out. To whom this ticket belongs?
But no you do not need to spend your time completing a whole module in one sitting
yes the target machine will run out of time and it will be reset
it's on the question 🤣
The ticket located at /etc/krb5.keytab belongs to the machine account
I assumed it was just like instances of machines. Thanks for clarifying it for me as well
So something like ||kinit LINUX01$@INLANEFREIGHT.HTB -k -t /etc/krb5.keytab|| ?
I can’t remote access windows with xfreerdp from Linux at the 3rd mod.
How about you try it and let me know
almost right
I tried and got the same error (don't want to spam with screenshots)
which section?
Windows Fundamental “file system” #3
no worries for spamming, we got it here all of the time, but hint: you got the right username but that user isn't a local user on the given linux machine (just ls /home)
so from your machine you can't rdp in with the xfreerdp tool?
No it doesn’t take me to windows like it did in the first two.
so linux?
Have you tried Remmina?
That’s another remote access tool right?
Yup
I’ll try that.
I was struggling with xfreerdp on the footprinting module but Remmina worked
It comes pre-installed on ParrotOS
I just thought that maybe I didn’t do the mod all in one sitting was the prob.
Oh good to hear. Thanx
They do mention it in the mod briefly.
Figured it out. Thank you!
Hi guys! I have a question: how to hack a win10 administrator?
what module is it about?
cause you're in the modules channel so surely this is about a module you're doing
I'm sorry, I didn't know, I'm right there... I just thought this was a simple joke
??
anyone know how to reach ... HTB support to stop a machine, because I am not able to connect by VPN suddenly... please help
What list are we supposed to use for the Footprinting module > DNS section? I'm on the last question asking for the FQDN of xx.xx.xx.203. I've tried all three subdomain-top1million lists and the namelist in the SecLists DNS section.
i want to learn hacking ( professional ) and i am intermediate level rn in this field, i want to learn it (not just scripting) but actual technical stuff of hacking, can you guys suggest me some course online (FREE)
what command are you running
because a couple of them should work
oh i see what is happening actually, expand your lists a bit
you are on the right track but try a different list outside of the ones you tried in that section
I've run both shown in the exercise (dnsenum and the bash one liner) using the subdomain-top1million-5000.txt and only got three entries. I'm currently doing the subdomain-top1million-110000.txt but I'm assuming it won't work since the hint says to try another wordlist.
yeah try some of the others that are in Seclists DNS section
Alright well there's obviously a few more to try so I'll run them through, at least I know it's just a matter of lists and not something else.
God i hate this password attacks module so much. Every exercise feels like a full lab lmao
At least the labs will hopefully be fun
Hello guys, just finished Command Injection, and met some strange behavior with the file manager (skills assessment), at first visiting the web app it was not fully rendered. Is it ok for htb labs or was it a part of the task?
if the target seem buggy just give the target a restart
also it's a docker container so it's going to take like 2 sec
ok thank you
Using David's hash, perform a Pass the Hash attack to connect to the shared folder \DC01\david and read the file david.txt.
Module pass the hash
I have the NTLM hash but all the tools cme, smbclient etc throw some error
am I missing something
||tree connect failed: NT_STATUS_BAD_NETWORK_NAME||
Yello, someone got a coupon code for academy and cares to share? 
try this, also if you didn't run privilege::debug and token::elevate in mimikatz first that could be the issue
C:\tools\mimikatz.exe privilege::debug token::elevate "sekurlsa::pth /user:David /rc4:(david hash here) /domain:inlanefreight.htb /run:cmd.exe" exit
nope but here is one for prolab on htb main site it's 95$ off
You shouldn't need token elevate for PtH
yeah that one gives you nt authority system but no idea why not many places show that command, not even in htb academy
oh yeah i think you're right a simple pass the hash shouldn't need nt system priv
yea. debug priv should be enough
but i need to access an smb share
yep it should be, but just to be sure I always run both and that saved my ass many times without me even knowing
Yea but the SMB share isnt on your machine. Running as system gives you full control over the current machine, not a remote machine
fair
can't I directly use a tool to PtH from my linux machine to access the share rather than using mimikatz
||smbclient -U David \\10.129.229.59\DC01\david --pw-nt-hash <hash> -W inlanefreight.htb||
i am using this
you're doing the PtH section of password attacks?
yep
which question?
tree connect failed: NT_STATUS_BAD_NETWORK_NAME
getting this error
Using David's hash, perform a Pass the Hash attack to connect to the shared folder \DC01\david and read the file david.txt.
oh that's cuz you can't interact with the DC from your kali machine
it's on a different network
you have to rdp into the windows machine and do it from there
oh makes sense now
You're learning through academy and having hard time? Or through the main HTB site?
easiest way is with mimikatz or rubeus
I got a cmd.exe running with mimikatz but how do I access a share from there
you spawned it with PtH?
yes
if you are new and want something easy to start with go for tryhackme
|| type \\dc01\david\david.txt || or you can mount the smb share with something like || net use n: \\dc01\david ||. Then you could do || cd n: || and access the share that way
so with use n: from what i have understood we are making a virtual temporary drive location and mounting the share there correct?
you're mounting the SMB share and mapping it to the N drive on the current machine
got it
thanks a lot
np
if you still got 1 year until your exam voucher expires but you are still new to this, I would recommend giving tryhackme a try, learn the basics for a few weeks or even months if you need to, then come back to the academy and continue the pentester path for the exam
Because you don't have access to the entire host. You only have access to one single port. nmap will attempt host discovery (yes, even if you supply the -Pn flag, it just does it without ICMP packets)
yea. You have to specify the specific port. Nice
What module are you working on?
There you go. Do you know why -A works? Do you understand what it does?
no
-A includes the options for -sC -sV and -O
I like to remember -A as 'All'
Cuz it just runs everything
np
Anybody complete the CrackMapExec module. Currently stuck on the skills assessment. Very difficult to get the first flag. I'm probably missing one little detail.
isn't -A like aggressive OS detection or was that -O
-O is os detection
-A is just shorthand for a bunch of different aggressive flags
You can ping me
I'm on Module 88, Section 934. The question is asking.
# Question2
x_coordinate = (42,)
# What type is `x_coordinate`?
This answer should be ||tuple||, but the UI is saying that is incorrect.
I had a general doubt: at what point in the pentester path should I be able to tackle at least a few easy or medium boxes?
Once you get your footing with the tools, you should be good. The only real thing is reading the box description to see if it's stuff you know/just learned so that way you're not diving into uncharted territory. But Uncle Google is always a friend if you know how to ask
the pentester path and doing boxes is not like a 1 to 1 match, its tough to really compare em
Something is wrong with the timer for the target spawn, at least for me on the Footprinting lab > DNS section. I'm running dnsenum and have the questions open in the background so I can see the target through my terminal. And I literally have watched it count down 3 minutes but on my watch it's only been a minute. I respawned one like 15 minutes ago, it said I had 90 minutes left, I'm already at 32. Also I've organized the SecLists DNS wordlists smallest to largest and have tried 6 of the 14 and still haven't come up with anything, and the box is just timing out before I can even finish the larger lists. It's now saying I have 11 minutes left, so 32 to 11 in 6 minutes
the course is structured and has sequences of stuff to learn. Doing a box needs some specific domains and runs the whole gamut from enumeration to priv escalation. There's also some common box attacks that aren't covered by the course at all, but you need to be prepared to get yourself up to speed quickly on if you wanna do that box.
basically it's too much of a case by case basis to say in any broad strokes that if you're X% done you should be able to tackle Y ranked boxes
after all look at this very channel, you've got light green peeps struggling in some sections getting advice from blue and green names. It doesn't translate like that lol
It wanted ||<omitted>||... I'd argue that isn't the actual type. Any way to get feedback from staff?
This is considered spoiling
Anyone around for a sanity check on the password attacks labs? Not looking for the answer, just wanna make sure I'm not about to waste my time trying the wrong thing
I apologize for spoiling any of the content. This particular question I have issues with though. Is there a more appropriate place to submit such feedback? The website basically points me to the Discord server.
Bro this lab is gonna make me cry lol. 1410 out of 21122 attempts. F me
^
I think It took me around 69 mins
bruh
I hate this module so much
😭
I would run my attacks, then leave for a bit. Maybe run some errands or something .
Can i dm you real quick?
You don't have to ask to dm lol
You can substitute things like <my answer> and <their answer> just in case someone that's stuck on the same thing clicks your spoiler tag and then just gets the answer
Well, I mean, server rule. And I hate when people dm me without asking first
You actually do - it's part of the rules of the discord.
I guessed I missed that one
yeah its a rule lol
I am on Shells and Payloads doing the live Engagement. Is it just me or is the box that we RDP into stuck at a resolution that is a pain to work in?
It worked for me yesterday and today
it is a bit of a pain
you can also try pivoting as somebody suggested me
and use Kali
or Parrot VMs
whatever you have installed
in the "Linux Local Privilege Escalation - Skills Assessment" anyone find the shell w/o ssh with the creds provided?
Welcome to the club
It's literally pathetic
I was able to resize it with /size:1920x1080 and it's much more usable
For me it was the speed that was slow asf
Like dragging a firefox from one end to another was like moving a window in a windows Vista with 2gb Ram 💀
yeah, lol I am stuck on host 1 and I have done this exploit 1000 times before too.
I think I figured it out.... lol
I was stuck on this module for so long...
Just to realize I fucked up something so simple
probably the same thing I did too lol stupid simple
Was it related to host?
if you mean the host as in the machine I am accessing then yes.
hello i need help from someone proficient in computers.
hi
Hi guys
anyone facing slow issues on pwnbox academy?
If your question is unrelated to the modules found on the hackthebox academy site, you can post in #1024429874246590575 and maybe someone will answer depending on the question
I'm working on the final Nmap section (Firewall and IDS/IPS Evasion - Hard Lab). I tried specifying various source ports to bypass the firewall (21, 137, 445, 53). I also tried specifying a different ethernet interface to approach it from an "external" view. Does anyone have any tips or nudges?
I did find 137 available via UDP
I tried the ACK scan. I didn't see any benefits from it.
Hi all, so I'm stuck on the XSS module, Phishing section. I'm getting the dreaded "Issue in sending URL!" message when submitting my URL. When I test the URL, it works perfectly from credential capture to getting picked up by the PHP server and forwarding back to the original page...and yet the "send.php" page keeps kicking it back. I've been at this one issue all day and my brain has officially melted. So any assistance would be super appreciated.
/dynamic-resolution might also interest you
So you can just resize as necessary, on the fly.
which module is this ? lol..
Password Attacks
I'm almost done with the Metasploit module and I got to say I never took MSF seriously until I read through it here, very interesting and useful for organizing data
Is it going to be part of the exam or more of a general must-know?
Damn dude. You are killing it.
I just started PtT Linux
Nice. I'm in the middle of the hard lab. Stopped to eat some food
The easy lab was a load of bs. Half an hour of waiting to bruteforce a password
How many hours a day do you spend? I've been putting in about 4.. Still takes me a long time.
No judgement... Just curious
Depends. I'm in college so I have a lot of free time. Also in between semesters at the moment and i have no life
Ahh nice.
This module has by far taken me the longest tho
I've been on it for a week. There were parts that pissed me off so much I just quit for the day
Yes
Really? every time I tried to visit the site to generate the revshell it wouldn't work but I found a way around it.
Weird
I've used that site for a long time
Also, the hacktools Firefox extension is amazing
Yeah idk. couldn't use the Invoke method with that ps rev shell generator.
What i did was took the hash into hashcat.
Cracked it, then brought up RDP on the MS01 system.
RDP'd with those creds into DS01
I'm pretty sure you could get the rest of the flags from that but I just took that one.
PtT was fun
Nvm. I looked back at my notes. I'm dumb, ignore me 😂
PtH and PtT are very fun.
No one is dumber than me here.
Take it back!
Lol
MSF is a very useful thing to learn and know; though not entirely necessary as the exploits could be done without it, however in a real environment it is a top tool that is preinstalled on most hacking distros because of its usefulness
which metasploit module? the Using the Metasploit Framework one?
join and start going through modules
enjoy
You're joking right?
get rockyou'd
Someone please tell me this isn't the right path for the password attacks hard lab
are you running it in a VM?
nope. That's on my host OS with a 2070 Super
Phew, k. I got it. Tried a different wordlist lmao
got it instantly
amazing
did you try the cutdown rockyou?
like the 10 or 15?
no. Remembered I have another wordlist from earlier in this lab
ah
still, that's interesting, does the bitlocker hash usually take that long to run through a wordlist?
I mean, I know bitlocker has pretty strong encryption, so cracking the password is expected to be intense on your system
I suppose if it's a strong encryption it takes more time to do the encryption process. So yeah, makes sense
Yea exactly
should be noted that's a bitlocker encrypted volume
Well, no. It's the hash of the bitlocker password
slightly different than a bitlocker encrypted drive, which is going to have a pregenned password that's like 48 characters long
nope. You're thinking about the recovery key
Yes, exactly
Yea, I can't imagine brute forcing that lol
That's my entire point lol
ah
if it's 48 characters and uses upper/lower/numbers/symbols then it would take longer than the universe has been around I think
yes
this is a bitlocker encrypted volume, and thus is the most feasible scenario for cracking. Don't expect this for 99% of the common bitlocker use cases
48 numbers I believe, I don't think alphanumeric, unless I'm dumb and forgetting how bitlocker works
ah ok. thanks
only numbers?
hex digits iirc
not hex digits
BitLocker recovery keys consist of 48 numbers which is why you're unable to type characters - recovery keys themselves don't contain characters. BitLocker recovery keys are numbers only.
looking back at my notes, the module says its a string of 48 numbers
there ya go then
Your BitLocker recovery key is a unique 48-digit numerical password
the recovery key ID is alphanumeric (maybe hex)
no lol
According to a password-security estimator, cracking a 48-character key, guessing at 17.5 million keys per second, would take almost infinity to crack.
ez
just be batman
and guess first try
"almost infinity" is basically saying, it would take so long that we don't bother to give you a reasonable estimate
just be the NSA and be able to ring up Microsoft and ask for their copy of the recovery key
lmao
ayyyy
AFAIK Microsoft doesn't keep a copy of the key
it's attached solely to your account
that's not the same as asking microsoft directly for the key; it's signing into their microsoft account to get the key
Semantics
I don't believe for a second that they're encrypting that info to the per-account password
even if they were, there are tons of other ways the NSA could go about getting the password for the account with Microsoft's cooperation. But we're starting to veer off topic
They are; or at the very least, Microsoft refuses to even acknowledge bitlocker keys aside from assisting with getting to the recovery key page
in other news im on track to complete 3 modules today
Nice
I miss when I could knock out three modules a day
1 of the modules doesn't count really, was a fundamental macOS module
I dunno if I'm going to ever use that but good to know
another was finishing the footprinting module, and now the metasploit module
The Medium Footprinting was tougher than the hard one, change my mind
the cornerstone of password cracking. Asking politely
just needed to refer back to notes
which list did you use? I'm stuck on this
I am stuck on Shells & Payloads. I have a foothold onto Host 3, but stuck on the last question.
nm, i tried this for an hour and it finally works. I still have some questions about Host 3 though
Anyone up for some help with my setup? Trying to finish the Nmap module, every time I try to scan with a different source IP I get: setup_target: failed to determine route to ip
I'm using the -e tun0 to use the vpn interface.
Any suggestions on what I'm doing wrong?
Alright, I just want to say, while I wasn't a fan of a lot of the exercises in the password attacks module, the medium and hard labs were amazing. I still don't think it should take 30 minutes to get the foothold on the easy lab, but the medium and hard ones were an absolute ton of fun
does anyone know after you run the shell command in meterpreter how to go back to a meterpreter shell instead of the native shell on the box?
exit
thanks
Was there an off-topic section here??
one other question - is there a way to background a meterpreter session without using ctrl+z?
because tmux shares that hotkey to bg the whole msf process
I don't believe so
ok fair
type background
pretty sure that's not a tmux thing. I use tmux and have never had that issue
hmm. Nice, I didn't know that was a thing. Good to know
think bg also works but don't quote me on that