#modules
I'm stuck on AD skills assessment 2. I found the first user, but for the second user I tried password spraying and it seems it's the right approach, but CME doesn't work and I can't import DomainSpray.ps1
in fact I was thinking about it but I didn't want to turn on the virtual machine since I work from a Macbook. I think however, that evolution is the only solution.
you're on the right track. go through the section again, maybe you'll stumble upon something you wanna try
should still be able to enum with the IMAP commands
I'm pretty sure I did it with commands if we're talking about the footprinting module, so yes, it does work like that
yes it is doable with commands :) just other options
Request for Help. Module: Nessus Skills Assessment
Q: Navigate to the web interface at the end of this section and log in with the provided credentials. Once logged in, perform a BASIC NETWORK SCAN (modify the scan template to scan ALL ports, leave all other options the same) against the target: 172.16.16.100. Additionally, set up the scan to be authenticated using administrator:Academy_VA_adm1! as the credentials.
The scan will take up to 60 minutes to finish. Note: It may take 1-2 minutes for your target instance to spawn. Additionally, it may take up to an hour for the scan to run
Alternatively, use the pre-populated scan data to answer the questions below without having to wait for the scan to finish but feel free to practice configuring and running it.
Nessus doesn't start on the pwnbox. I get an error "Failed to start nessusd.service: Unit nessusd.service not found."
That aside -- I'm not waiting 60 minutes to run a scan when there's a sample scan provided. However, I can't seem to locate where the pre-populated scan data is. I spooled up the pwnbox and don't see it in the home directory of the pwnbox. Any help would be very welcome.
dm if someone needs help
it's in the box that you spawn. you can rdp in, open firefox and navigate to the firefox page and it will work fine
I believe the module also informs you of that
Finally using ||evolution|| I was able to get to the flag
pls give me a little bit more, i don't get it
password spraying is very guessy and they wouldn't want you to be unable to guess it, so usually the answer is rather close to the examples you've seen
So I tried both xfreerdp and rdesktop to authenticate into the spawned host but I'm getting the following errors respectively.
xfreerdp
└─$ xfreerdp /u:'htb-student' /p:'HTB_@cademy_student!' /v:10.129.46.86
[10:57:05:891] [18588:18589] [ERROR][com.freerdp.core] - freerdp_tcp_connect:freerdp_set_last_error_ex ERRCONNECT_CONNECT_FAILED [0x00020006]
[10:57:05:893] [18588:18589] [ERROR][com.freerdp.core] - failed to connect to 10.129.46.86
rdesktop
└─$ rdesktop -u 'htb-student' -p 'HTB_@cademy_student!' 10.129.46.86
Autoselecting keyboard map 'en-us' from locale
Core(error): tcp_connect(), unable to connect to 10.129.46.86
Hey guys, qq: Can we ask questions related to modules here? For example if we are stuck with a task etc? Thanks
yep
are you using the pwnbox/connected to the vpn?
Connect via VPN and personal VM. I replaced the .ovpn file just in case that was causing issues. Same result.
one moment
Thanks for confirming. I am struggling with the Attacking my first box - Nibbles and I am at step "Nibbles - Initial Foothold". I am uploading the image.php file with the reverse shell, but when I start listening on port 9443 it doesn't say "listening to any" but rather "0.0.0.0::9443". I have checked a few times if I have uploaded the php file correctly + checked if there are any typos and all looks good. Do you have a clue what I have done wrong here? Thanks
connect to the scan visiting
https://ip:8834/ in your browser
you can use the --username flag in hashcat
did you try running "reverseshell.php" by doing "http://ipaddress.htb/reverseshell.php". Or something like that anyway?
I have not
just try
without backupagent
Bingo. Whatever they're paying you -- it should be more. Muchly appreciated!
it also just looks like an encoding issue; aka it doesn't recognize the encoding tag
it says "No such file or directory"
what module is this?
section?
I'll have to double check later but that looks correct not sure what's giving you the error then
try copying and pasting it in different text editors
hmm
try to enumerate the subdirectory and u will find something like "/uploads" and then try to execute on browser "http://ip.htb/upload/reverseshell.php".
thanks, will do
let me know
not sure if it is going to be today, because I just ran out of time. perhaps in the next few days I will have again some time to play with it, will let you know if it worked out.
yeah john tends to be more friendly
hashcat likes to break a lot
this shouldn't be your first impression with hashcat if you're following the cpts path
ah
your school has you doing htb as the curriculum? interesting
password attacks has a better overview of hashcat
and there is a hashcat module iirc
not in cpts but in the academy itself
Sometimes the questions don't align with the lesson but it is teaching a lot
BUT THERE'S SO MUCH FREAKING READING...
Not when you're dyslexic xD
Is it possible to do this on mobile by chance?
Request for Help. Module: OpenVAS Skills Assessment
Q: What type of FTP vulnerability is on the Linux host? (Case Sensitive, four words)
Reading the results -- it's obvious what the issue is with FTP. But I guess HTB is looking for four hyper specific words? I've tried copying and pasting a number of options from the scan results with no success.
Edit: Disregard. Solved.
reading works fine but doing the exercises on mobile not so much
dm if someone needs help
Possible: yes, Recommended: no
yea but better in computer
unless is just reading in that case where u want
Can anyone help me in LFI final assessment?
I got LFI but not able to get flag or cmd execution?
Can anyone help me a bit !!
I'm missing something in between !!
dm
I believe that's the intended way, yes. I definitely did it that way too
Noob question, I want to use the parrotOS system in the academy but it's telling me to SSH into another machine, where to find the IP for that machine in the module?
It's going to be the target machine from the "spawn target" button
The space where the IP will be is blank if you haven't spawned it yet
The modules/sections generally tell you the method they want you to connect with. Skill assessments will be a bit tougher but will use the tools/techniques discussed to achieve results
We got it.
ty
Thanks NightWolf
lol
oh
I am sorry !
What does this mean
Greetings! It has been determined by a member of the staff team that your nickname was breaking the rules. As a result your nickname has been randomized. Please verify your HTB account (see #welcome for how) to have your name reset to your HTB username.
@teal mountain
maybe read it
We only allow usernames with ascii chars
what are ascii chars?
also you just pinged a random user
means what it says it means lol
lmfao
no
@teal mountain knew what they were doing
@teal mountain pings a moderator
lmao
hi
hello
no, no it doesn't
yes it does
i need something from u ...
ok sure !
A literal moderator told you it doesn't
this has to be someone's alt
who
grey
asked?
100% an alt
i need a usb to reset a windows password without formatting (not hacking or cracking)
bruh
Very new to HTB and ethical hacking. Thank you in advance.
wrong channel
wrong ???
You nicely ask whoever set the original password to tell you what it is.
300 iq
friendly reminder to encrypt your drives
Glad to have you around π
Here you go! :WIZARD6:
what is the appropriate channel?
Hello
you'll find out after you read them and follow directions. If you cannot then you're not ready for this field and good luck
hello
ok
is anyone on the "network enumeration with Nmap" module - service enumeration section
It's better to just ask the question
A good read on how to ask better questions in this field
someone can help scripting one thing in bash i dont really know how to do it
i had just got the flag from the robots.txt but it seems not to be the correct flag
and i can not find a flag any where else
Make sure there's no weird spaces in front or behind your copy/paste
already checked everything properly
Even if it "looks" right sometimes it's weird and adds in Unicode characters that are 0space
can i dm you the flag
Yeah
just curious is Attacking Common Applications - Skills Assessment III a newly added assessment?
I want to make a script to do curl -s http://10.129.122.65 -H "HOST: inlanefreight.htb" | grep -i 'htb' from a txt that i did called name.txt
yes
the name.txt strings here STRING.inlanefreight.htb
What are you trying to achieve with this in clear words not just commands
the assessment was easy but man those sections were hard
If you break your command/goal down then you might be able to get it better
guys, i just finished PIVOTING, TUNNELING, AND PORT FORWARDING module and have some question on final step, because i have some suspicions that i solved it unintended way
@surreal rain, I know a way how to bypass the chat filter (aka Automod) and say the N-word and other (racial) slurs.
I can tell you how I did that and how to fix it, but I want some "gold" in return.
can i pm someone or maybe discuss right here if it not prohibited
Or @sterile hawk, can you please DM a big daddy of this server (the one, who owns it or can give me some gold in return for the recipe on how to bypass the automod)?
most likely it was still the intended way if you're meaning being able to access a specific fileshare from a certain user
lmao gfc pinging mods randomly
this isn't the way nor the right place
try posting something about it in #1024429874246590575 and maybe they'll look at it
"Maybe"...
exactly, but i think i need to enumerate one more host because it's too easy to get access to two flags on one host?
What you're doing now is an easy way to get yourself banned
afaik that's intended; I asked other people when I grabbed that flag as well and they said it seemed intentional
i don't recall if I asked jared about it
interesting, okay, let it be
Well, then they won't fix the N-word bypass
who cares
It will take them some time to ban/mute the guy who says the racial slurs.
weve already known of the bypass
Cool
Then why haven't they fixed it yet?
Lmao
Automod bots are best effort, we'll just ban anyone we see saying slurs 
Bruh, then it means no gold for me 
If you'd like to share that would be nice
there's no real incentive for them to reward you for it tho
theres no gold to even give out
they dont know about the secret mod team pot of gold
SHHHH
what 1860s prospector is trying to get paid in gold over a naughty word filter anyways
Nervous Nancy never knew noisily nibbling on nachos near Niagara Falls could result in a nasty nosebleed.
So many N words used
But seriously, if you know something, be a good person and share it. Sharing is caring
kek
I thought the n word was nuclear
man trump lied to me
is this the right one? cat please | while read please; do curl -s http://10.129.122.65 -H "HOST: ${please}.inlanefreight.htb" | grep -i "htb";done
If you're reading from a file named please yeah
Otherwise it's cat name.txt
Right?
can you help me scripting one thing in bash i dont really know how to do it
the main one I know is using unicode lookalikes for some letters so it looks normal to a human but the bot parses it as a different word.
Mmhm
it doesn't use each string of the file
what did you just call me ?
i dont know why
Like if you do something simple, like replace the curl command with an echo ${please}, do you get the contents of the file?
π
no
f
You're sure the file is called please? You originally said it was called name.txt?
(sorry for stupid question, but sometimes we derp)
Are you trying to make it do sub in the lines of please?
if i do cat ./please i get the strings
i want to do curl in each subdomain
like: for i in cat blab.txt; do echo $i;done?
grepping 'htb'
cat please | while read please; do curl -s http://10.129.122.65 -H "HOST: ${please}.inlanefreight.htb" | grep -i "htb";done
"for i in `cat blab.txt`; do echo $i; done"
How the hell do you escape lol
There we go haha, discord being discord
I think something like for i in cat please; do curl -s http://10.129.122.65 -H "HOST: ${i}.inlanefreight.htb" | grep -i "htb";done
Gotta wrap that cat please in "`" characters
Otherwise you just get cat please
If you're still struggling hop on screen share here if you like
There is already a command in the examples that mimics the one you want to create
Additionally, using ffuf will make your life easier, since you have the ability to use filters to filter out any false positives
Yeah you want to use ffuf
yea i took that one as example
i used ffuf already and got that list that i saved in please
and i wanted to use curl in all of them grepping 'htb' to get the flags
Why do you want to grep on the domain?
the flags are in the domains
They're not greping the domain, but the result from curl?
the curl doesn't work with that script
give error all time
@zinc marsh want to jump on a screen share quickly, it'd be so much easier
400 bad request i get
Oh
Not 100%, but this might be a good start for a script
```bash
#!/bin/bash
# Read one hostname per line from name.txt and grep each response for "htb"
while read -r hostname; do
  result=$(curl -s "http://10.129.122.65" -H "HOST: ${hostname}" | grep -i "htb")
  echo "Results for ${hostname}:"
  echo "${result}"
done < name.txt
```
Could be an issue with the host?
Ok, well I guess give @autumn pilot's example a go, if that fails still then something very odd is going on with the list of subdomains you have
cat please | while read please; do curl -s http://10.129.122.65 -H "HOST: ${please}.inlanefreight.htb" | grep -i "htb";done i did this but not sure why is bad request
capture it with wireshark or burp and inspect the request
i did cut -d " " -f 1 name.txt > please
if that is important for the please list
That command should work @zinc marsh - it does here anyway. Something else is screwy
My offer stands, otherwise good luck
i just tried with a new file i created
with 1 string and my script works
so yea must be something wrong in the please file
So.. file permissions or for some reason odd characters at end of line
Could be using CRLF as line end for some reason?
Having that passed in to the HOST header would certainly cause a bad request response
(the CR part of it, that is)
yea i tried this list i did with 3 strings and the command works
so i will check the please file
Nice
I'd suggest taking a break for a moment
cut -d " " -f 1
On top of that, if you are using the example "vHost List" you will only get one flag
i got ittttttt
not how i wanted but well
i used the whole dns enumeration list
doing curl in the domain and grepping htb
what do i do if I cant afford any modules and I can't afford to buy cubes
just joined, can someone teach me how to hack
trolling?
nope
go on youtube and look up how to get started
kk
ye
go tryhackme do all the paths
then come to academy.hackthebox
and app.hackthebox and do the introduction
then start looking for certifications like ejpt-oscp-cpts
wdym with what can u do
there are some free modules
hoiyah
dm me if someone needs help
Hey Hackers,
i'm in the Getting Started module, section public exploits. i'm connected via VPN (the academy vpn) but the target host has a public ip from Digital Ocean. i had assumed that it would be a private 10.x.x.x ip ?!
i believe that the target hosts are droplets at Digital Ocean but i'm a bit suspicious
what is the question?
which is the target?
u should have an option of spawn target when u go to the questions
some of the lab targets are public facing docker instances
yeah if u have not the option to spawn the target then is a public target that they tell u in the questions like: facebook.com, githubapp.com or something like that
OK thanks, i mean the wp site seems to be htb. so i continue. thank you
@wispy marsh
if there is any target u will have this option before start the questions
it will create an ip to attack
@zinc marsh i have a target thank you, i just was concerned it was a public ip from Digital Ocean rather than a private ip in the academy ip space.
Rare exception but I believe required due to the nature of the target @wispy marsh - expected behaviour
@ocean night yeah, i just felt a bit unsafe because until now everything was in the private networks. if they have everything hosted at DO i believe you can also put the droplets on a dedicated net, but i haven't tinkered much with DO so far.
and i'm just guessing because of the pub ip
Honestly I can't remember all the reasons for it being on a public droplet, but.. I know there are reasons hehe
Have fun!
We've a good relationship with them, so don't worry about hitting up the target, it's all good
First, try to update any city's name to be 'flag'. Then, delete any city. Once done, search for a city named 'flag' to get the flag. can anyone help with this
Its ok got it
Thank you, i'm having a lot of fun .. and i haven't seen black SUVs around so i guess i'm fine
Hello is there a channel for the Bug Bounty
Questions related to the modules in the path can be asked here
Congrats
This question asks for port 5500 but nothing is using port 5500, is that a bug? If so, what answer is expected?
a big thanks to @acoustic owl for the help and the motivation
thank you
Read the section carefully
Wow, I actually entered 50 different variants of this, pretty weird that actually no 5500 port is open
thanks anyway
Everything you need is in the section
just saw u are htb staff, u all doing an amazing job in hackthebox
❤️ thank you
Big team effort from everyone, and the community is what has helped us to grow what we are today, so thank you too for being here!
yes I mean i had like the correct word in reverse order after googling a bit. What I meant is that it's pretty weird that a question is asked about a port that isn't opened, and not entirely relevant to the exploit of the service
Started with 3 people, and we are now over 200, it's crazy!
Some academy questions help to assess reading comprehension I believe, but if you think content can be improved or adjusted, there is the #858470491676737536 channel
Thank you! 
@ocean night maybe htb can create content for people that start from zero knowledge like they have in tryhackme
that would bring much more newbies in this world to htb
that's what starting point and the tier 0 modules are for
Exactly that
esp recommend the infosec fundamentals skill path for newbs
except for like two modules, its all tier 0 stuff
Always open to feedback if you think the tier 0 modules and starting point are still too high of an entry point, but yeah.. we've tried to tailor the content to be approachable for anyone entering the field, whether they have been active for some time and are looking to sharpen their skills, or if they're completely new and looking to get into infosec
if you have an injection point you can use sqlmap with --os-shell , I did this trick with SQL Injection Fundamentals and saved time
More content always under development
i mean 0 knowledge in IT
this doesn't work unfortunately
imho, if we were to introduce paths relating to introducing people to IT in general, it might digress from the main focus of HTB which is infosec. Get where you're coming from, and yeah the more we can get people engaged and learning the better.. Just not sure if this would be a focus for our content team right now
2023 got a lot on its plate already
i started around 4 months ago and first came to hackthebox but didn't understand too much, then i moved to tryhackme, did all the paths and returned to hackthebox.
just from my point of view from 0 knowledge
So, was it knowledge around systems in general, e.g. interacting with a console, definition of what for example a service is, that kind of thing you think you couldn't get from us?
i just knew coding in python, c# and c++
Honest question, always open to feedback
the vulnerability management module was fantastic
anyone new to infosec digests all the info in that can easily get an entry level job in vm management
I missed the challenge to sign up honestly, does it still exist somewhere ?
yea when i wanted to start in this world when i joined hackthebox the modules were a bit advanced to my knowledge because i had no idea about IT
but well now i'm able to help people and pwn easy and medium machines
and you didn't have to spend 2 grand on learning all that!
when I get my CPTS I'm going to push to get the cert recognized as a managerial cert at where I work
yaaaas
I mean again the infosec fundamentals skill path covers a chunk of this. It has students get up to speed with both windows and linux fundamentals
We're new to the cert game, but we hope that the quality of our content and assessment will show value, above what value employers already see in HTB on a CV
Also.. more to come
Watch this space
I'm completely convinced that HTB is staged to become a dominant force in the infosec cert scene
well your competition will bankrupt anyone who doesn't have a company to pay for it
yea for sure
8000 dollar sans class lmaooooo
from what i heard cpts is harder than oscp
Pricing people out of being certified, that's just crap. Knowledge and education should be accessible to all.
since oscp just covered exploits
thats been the consensus
and cpts cover all exploits and misconfigurations
CPTS is more practical/realistic stuff you'd see out on the job
oscp until they revamped in 2022 and 2023 was just public exploit galore
I still don't think holding a cert is a golden ticket, but if it teaches you the skills you need to hit the ground running, hell yeah
I have yet to hear anyone say that oscp is tougher than cpts. It's solely been cpts harder than oscp so far
yea that is what i heard
OSCP finally removed buffer overflow as necessary to learn
on the otherside, the number of cpts holders are quite low. so small sample size
it's now shifted that focus to ad
and CPTS blows them out the water in AD
I believe it
i was talking about that with sr no
he has the cbbh and cpts
if you've completed the AD attacks and enumeration module for CPTS relatively comfortably, the OSCP's ad section should be free points for you (from what I've heard about the AD sets)
They removed buffer overflow? The exam module that hasn't been updated in probably nearly 10 years?
I think there's value in that knowledge tbh
I'm not shitting on offsec, I got great value from osco
Oscp
It taught me how to research, document and apply knowledge
But you gotta keep current
offsec has just really poor business practice imo
I shouldn't have to invest so much money for their content when other platforms offer it for a fraction of the price or free
i'm sure once I tackle it i'll learn some good stuff too and it'll bring me value, but I'm bummed at the prospect of how it's almost mandatory these days if you're not already established in the field
at the point you are paying for the LinkedIn search bar
yea they changed it and added misconfigurations as well if im right
because recruiters just search oscp and dm enmasse
yea all the jobs i have seen ask for oscp
literally the only reason why im still planning to get it lmao
oh I agree but I think the oscp is finally gearing towards more realism in a modern enterprise environment
the likelihood of finding buffer overflow vulns versus ad misconfigs
mm true
it's a pride thing for me, I have no degree or certs to my name and I'm sitting in a red team position because I got a giant jumpstart by being a consultant
I would like a fancy piece of paper that says I know what I'm doing lol
Ye I was looking at that too
One thing I'm extremely proud of with HTB, is the number of people (and employers) have fed back saying they got positions in the field thanks to HTB. I just find that amazing, that we are actually achieving our goal of getting more people in to the game
our red team is brand spanking new, building a program from scratch is so hard
and it's just me and two others plus our director
but the really cringe part is we are in charge of pci compliance for the company
ew
why that is? I don't know
it does not.
but we are the only people who know about penetration testing
but we contract out 90% of it to a third party but we manage that process
i wish i could get a job in this field as well :), i'm young but i have been here all day every day studying. Rn trying to prepare for the oscp
we are working to rely less on the third party either by building a pentest team or this tool we are trialing right now makes pentesting so easy, 3 people can pentest an entire global enterprise and still have time for red team stuff
it's definitely been rough
well thanks for all i will go to sleep
gn, good luck tomorrow
nn
I'm doing blacklist filters in file upload attacks. I used intruder to find extensions that are able to be uploaded, once checking all php related extensions no code was executed. Any ideas?
having some issues with XSS discovery module question Utilize some of the techniques mentioned in this section to identify the vulnerable input parameter found in the above server. What is the name of the vulnerable parameter?
I ran this but nothing came back: python xsstrike.py -u "http://46.101.14.124:31324/?fullname=admin&username=admin&email=admin%40admin.com"
PNPT is getting a lot of traction out there. I would imagine CPTS is not far behind. Everyone is aware of this platform, so.
Huh? Why reinvent the wheel?
Sure, adopt and improve, but you're suggesting that using other peoples tools and software is wrong?
lol
Yeah ok, you do you
Irrrony
This is a channel for discussing Academy modules. Take this into #general if you really want to continue this
you've been asked to move to another channel
jesus
he is banned. just gonna cause grief in the end
Whitelist filter for file upload attacks, can anyone help me pls?
I've made a custom wordlist, ran intruder on it, for those where it's been uploaded I have created another list of all the extensions, then used a curl script on each one and tried to view the response where ?cmd=id is called
No response on any of the extensions that were successful
Hi can anyone please help me with a nudge for Advanced SQL injection: Skills assessment final question? I have the injection point but having trouble getting cmd execution
Did you disable URL encoding when fuzzing for extensions?
Yup
From what I can remember you're able to upload some extensions, but only a few of them will work
I just reviewed my notes, try ||double extensions||
One of them should work, dm if you get stuck
Anyone here complete the Intro to Python?
Python gurus, anyone point me in the direction to find this answer in the python intro module? I've tried every answer I can think of. x_coordinate = (42,) The type of foo from question 1 is <class 'set'>. What is the type of x_coordinate?
If you haven't been able to by tomorrow, let me know, tomorrow I'm going to finish that module and I'll send you a message to tell you how I did it
Maybe give a nudge rather than just the answer @final python
All the questions within the Academy modules have the answers within the content provided. Sometimes you need to go over it a few times, either in practice or simply by re-reading
Yes, what I told him is that tomorrow I will finish the module, and then I can explain how I did it so that he can understand. I didn't say that I was going to give him the answer
Perhaps I didn't explain myself well. See you later.
It's all good
Which chapter is that?
If its the one I think it is... just do a google for something like ||"determine type of variable python"|| and you should be able to figure it out.
@rare violet Check out some information on Google about Python variable types. I'm fairly sure the information you need is within the module section you're on, but it never hurts to research yourself
Whoops, sorry pinged the wrong person
It's as if it never happened
As if what happened?!
i have a general question
How was I supposed to guess that you need to use the python2.7, instead of the installed 3?
Anyone here who is able to give me a hint for AD Enumeration Assessment Part 2 question 3?
Module - File Inclusion
[File Inclusion Prevention]
Help me, please.
In no way can my mind figure out what else to add to the ini file so that I can get an error in the logs.
I would be grateful for help in this exercise.
File Inclusion Prevention
I understood it, so I need to insert the code:
```php
// Strip every "../" sequence, repeating until none is left
while (substr_count($input, '../', 0)) {
    $input = str_replace('../', '', $input);
}
```
and set the parameters:
allow_url_fopen = Off
allow_url_include = Off
But I'm not sure that's what they want me to do
ad skills assessment part 2 Q7: can't access the flag, is there a way to privesc? or is there another way?
I am not on this question... But do you have a hint for me for part 2 question 3?
May be I can help you when I get to this question...
Well if you don't have the privileges to access a file, priv esc surely is something you should look at
Hi, better ask on "HTB:OFFTOPIC -> general"
Dm me with some more details if you want
can anyone help me with answers of linux fundamental module ? here is the question --- Use cURL from your Pwnbox (not the target machine) to obtain the source code of the "https://www.inlanefreight.com" website and filter all unique paths of that domain. Submit the number of these paths as the answer.
Hello,
Im new to cybersecurity training and learning the fundamentals right now.
I have an issue with logging in via ssh to a target where i believe that i typed all correctly but the response from the terminal is unclear.
Can anyone help?
can you show me error ?
Thank you for the hint!
I thought it must be possible via smb or ... with the creds from question 1+2
I was replying to voldemort404. As for question 3, yes those credentials do work
i DM'ed you
sure give us some details
I think there's a thread on forum.hackthebox.com that goes over that question specifically.
sure , I will go for it
You're probably on the right track, just need to build a regex to filter. Let me know if you need more help.
it's alright i got some help, thanks.
Hey. Can someone help me to understand this stuff the correct way? I have a hard time understanding it and I am not sure if I got it now:
Active Directory is a way (mostly Windows) to share resources and to authenticate. AD uses a Domain Controller with LDAP for resource sharing and either NTLM or Kerberos for authenticating users. A domain is all PC's that are connected under the same DC. If that is correct I still have some questions:
What is a workgroup?
For some stuff I need to know the domain name of the network domain. How do I find out the domain if I only have something like the domain controller IP. Is it even possible to find the network domain name?
anyone who can help with skills assesment part 2 ? AD ENUM & ATTACK third question
I am not able to do anything, how can I access MS01?
u not explaining too much about ur issue
so yeah, basically I have no idea how I have access to MS01, any advice or little hints? what am I supposed to use?
hello friend which question is it please ?
"Edit the php.ini file to block system(), then try to execute PHP Code that uses system. Read the /var/log/apache2/error.log file and fill in the blank: system() has been disabled for ________ reasons. "
Hello
i drop you some DM go check them
Any can help me
anyone know what do do when hydra is saying every password provided in a list is valid
Dm me with some details
Your valid/invalid condition is likely not setup correctly. Which module/section are you referring to?
owo one sec
still stucky
someone can help me with nessus i dont understand this
Once logged in, perform a BASIC NETWORK SCAN (modify the scan template to scan ALL ports, leave all other options the same) against the target: 172.16.16.100.
but i have a spawned target as well
which should i use to respond the questions because the scan can take up to 1-2 hours and i dont want to waste the time
Hey all, hope someone can get me out this pickle.
I am doing **Attacking common services - hard**. I have creds for f*** and I am trying to authenticate to the MSSQL server using mssqlclient.py without success. Am I supposed to get access with that user?
can someone get a hint what exactly wordlist from seclists need to be use on the last step of the ffuf assessment ?
Hi, did you see my DM?
dm me if you want
I believe they offer pre-populated scans so you won't need to run them yourself
from my notes I did access the mssql service at some point. feel free to dm me with more details
well, seclists only has so many username wordlists. only a few of them seem suitable. go through those, one will work
yea just saw it
does corrected wordlists located under SecLists/Usernames folder?
it's one of them under that path
i checked all except xato-net
might wanna go deeper
hate fuzzing guessing
well trying different wordlists is part of it. you won't have one that always works
i checked 35k usernames and no one was right
ugh yeah wordlist you're looking for has like 800 ish I think
hi, is there anyone who can give me some pointers on the webfuzzers section of burp intruder and zap?
-burp intruder your supposed to scan for files under admin, my scan doesn't complete before the vm's time runs out.
-zap fuzzer - i used zap to convert the username shortlist and matched it against the cookie. i didn't know how to do it through zap. after manually matching the cookie to a username. i'm not sure what to do next. i tried using the decode as a file name "decoded_username.html". that didn't work.
didn't work :/ damn, such a simple and annoying module
dm me then
dm me
what module
u missing the last question?
yes, and i finally solved and this is VERY VERY DUMB from the HTB academy task
why i should complete this task only with ffuf
and why they can just accept different tools
they have maybe some check on UA or maybe something like this
why didn't it work with burp
so you should put disclaimer to use ONLY FFUF not other tools
why i should guess which tool should i use to complete this if from technical point of view this is exactly the same
and fuzzing tasks is so dumb and not so realistic
this is like much guessing or who has the more powerful wordlists
well it's teaching basics. hard to make it realistic while keeping it that simple
a disclaimer might be an idea, that'd be something for #858470491676737536 then. but word it as a nice suggestion
u was literally doing a module called Skills Assessment - Web Fuzzing
ATTACKING WEB APPLICATIONS WITH FFUF
Thanks for the reply. I've spent hours searching. I thought it was a tuple.
so, after investigating what the difference was between the burp request and ffuf + curl, i spotted that i had just added a line at the end of the request that breaks everything

sorry for blaming this section and i think this will be helpful for others
https://academy.hackthebox.com/module/51/section/476
I understand and I did exploit the shared object, and I did use readelf and ldd, but the version of GLIBC that I find isn't working for the answer, can someone check with me that I have the correct version ?
I've also gone through and reread all the course content
Module: Web Attacks. Section: Bypassing Encoded References.
"Try to download the contracts of the first 20 employee, one of which should contain the flag, which you can read with 'cat'. You can either calculate the 'contract' parameter value, or calculate the '.pdf' file name directly."
Im hard stuck on the question above for two days now, I assume that the script provided for mass enumeration needs to be modified. I tried to modify numerous ways but don't know what I'm doing wrong. Can I DM someone please?
Finally got it, it was what I thought, just entering it in the wrong format. Thanks!!
it says u can calculate the the contract parameter value
or the .pdf file
so i assume that the others 19 are empty or with the same size
anyway u can just cat all while read and grep the htb flag
anyone got a rough number for me as to how long it takes to brute force the creds for question 2?
https://academy.hackthebox.com/module/57/section/515
What's the name of the module?
Login Brute Forcing
I have a feeling my fail condition for hydra isn't quite right but don't wanna cancel too early either. that's why I'm asking
hello I am doing Shells & Payloads: The Live Engagement via xfreerdp, i need to use msfvenom to produce a shell, what ip should i use ??
Hello I found the exploit for Wordpress N-media Website Contact Form Upload Vulnerability for the Getting Started Module; Public Exploits Sections. I tried setting the RHOST to the IP of the target, IP:port (even though I know that was silly). I also tried changing the default RPORT to the port of the docker. Yet no matter what I can't run the exploit on the docker instance, even after using my openvpn connection. Its probably something stupid, point me in the right direction please and thank you
Generally it'll be your IP (tun0) but if you're using a primary host it will be the one that matches the subnet
RHOST: IP
RPORT: PORT
if you think you have it set up right: check the options command
Good lord I didn't notice the TARGETURI option. layer 8 issue haha. @fathom pendant Thank you I was in my head too much!
I just didn't notice it before so I was thinking that could be it but it already has the / symbol. Everything else is set like the RHOSTS and RPORT
I only changed the RHOST right now after resetting the docker
If anything else: reset msfconsole by exiting and restarting it
And do the same steps
Sometimes it's dumb
feeling was right, figured it out
hi
I think I might have the wrong file upload vulnerability, there are a lot to pick from, but nothing seems to correlate directly to the version 5.1.6. I'll check this out before continuing. @fathom pendant thank you for the advice
It's been a minute since I've done it
still need help on that (linux privesc, i finished the module except this one question about glibc)
everywhere I look the answer is something like GLIBC_2.X.Y but no matter how many times or variation i tried, htb won't accept the answer
well, I ended up kinda bruteforcing it, if someone has the real answer please let me know
hmmm
Looking for hints for Protected Files module. I have extracted hashes for kira's private ssh key and the zip file. trying to crack with john using the password.list file provided in the resources, I have a mutated version of passwords generated using hashcat custom.rules provided in resources, I also used best64 hashcat rules to create additional variations + tried simple rockyou and other password lists in seclists. Nothing has worked on eithe the notes file hash or the ssh key hash.
guys Server-Side Attacks Example 1, how do you find the flag. I tried printenv, env, and set, basically everything but still no clues
Module: Web Attacks. Section: Bypassing Encoded References.
"Try to download the contracts of the first 20 employee, one of which should contain the flag, which you can read with 'cat'. You can either calculate the 'contract' parameter value, or calculate the '.pdf' file name directly."
Im hard stuck on the question above for two days now, I assume that the script provided for mass enumeration needs to be modified. I tried to modify numerous ways but don't know what I'm going wrong. Can I DM someone please?
which section are you referring to? I'll take a look
1332 i believe and thank you
found it. dm me with the commands you used and I'll see where the error is
Hi, the answer lies in the question. "...SNIP... Practice using ldd ...SNIP..."
dm me
Ok thanks.
can anyone help me with "Attacking Thick Client Applications" first section
- i followed the steps and F8 until it hit the banner - i dumped that file
- when i drag and drop onto de4dot.exe it says "The file isn't a .NET PE"
Hello, I am new to this, how do you recommend me to start?
tryhackme.com --> hackthebox --> certificates
Downloading/uploading files using bitsadmin, is the protocol encrypted
like with openssl or is it plain text
okay okay
still need help?
yes please
Hi, I'm doing the module "Web Requests" under "Cracking into Hack the Box"
I'm at the "GET" section and i need help with obtaining a flag, I'm pretty sure my command is all correct and i don't understand what's wrong and why it wont output anything.
Is there anybody that can DM me that could also help me?
Sure, I'm happy to try and help. DM me your question.
Thank you
I am doing Linux Fundamentals, and I am trying to connect to a remote host but it keeps timing out
is this because i am using my own vm instead of pwnbox?
and if so how can i set it up so i can do this on my own vm
Make sure you don't have pwnbox and openvpn running at the same time
are you connected to the vpn?
i tried but i am not sure
what is the output of your openvpn command initialization?
it was something along the lines of "successfully initialized"
but then when i tried to ping my target it still timed out
take a screenshot of the openvpn command and its output
i cant find it but it was the same as how it ended in this video
I'm using Kali Linux in a virtual machine.
where it says initialization sequence complete
2:19
not helpful to be fair
sorry I am very new to all this
np, if you run ifconfig and you see that you have multiple tun interfaces, e.g. tun0, tun1 or more either kill the openvpn process or restart your vm
anybody remember nibbles on getting started module?
seems like theres a big hole between gobuster and getting admin access
i suppose i could just cheat and watch the walkthroughs online
Module: Password Attacks, Section Cred Hunting Linux
guys im stuck with the username kira, i have the password from the hint, i tried making a mutated password list, but it didn't work, i tried it against FTP, SSH, SMB is configured to allow all logins.
if anyone could drop a hint that would be appreciated, i've been stuck on it for a couple hours now
i've gone through the forums but with no use, i couldn't get a grasp on what i should do, i tried bruteforcing all the services, i've obtained access to the Mysql server but couldn't find anything useful
one thing i didn't try is to check the user i've got against the smb service...one sec
i want hacking tools for windows
what
google is ur friend
ok
Did you get it?
did you create the mutated list from the custom.rules in the Password-Attacks resources file?
you should have these 3 files from the resources @burnt sluice
cleanup of 'image.php' on the target any body ever get that on metasploit module?
nop i couldn't, i used the password in the hint to generate a mutated list.
i created the custom wordlist using the rules and the given password for Kira
i read around that i need to remove the last number from the password, i did that and im trying one last time, after that im going to try the original mutated password list.
Just as a note your mutated Kira list should have around 459 lines
I mean to give you a hint: you shouldnt eliminate any
oh, okay, i'll put back the ones i removed in a separate list if the one i'm using didn't work
ty ty
Hello
The only time it's been advised to cut a list is the full list just because it's enormous
Password Attacks: Pass the Ticket (PtT) from Linux: I am trying to impersonate LINUX01$ via Kerberos ticket
export KRB5CCNAME=/root/krb***
klist
klist: Bad format in credentials cache (filename: /root/krb**)
any help ?
im still on that section
if you can help me im still stuck on the Cred hunting Lab, here is what i did
I took the given password in the hint "LoveYou1"
generated a custom wordlist based on the rules given
made a 542 word wordlist.
launched crackmapexec and tried hydra against "kira" and "Kira" on ssh
nothing turned out
i'm now trying it against ftp
no, stick to ssh
as kira, using hydra
if you wish dm
I was using the wrong ticket; SOLVED
You're looking in the wrong place
As stated earlier if you used the custom.rule in the "password-attacks" resource folder you should have it: note this list is different from the arbitrary rules given in the earlier section as an example
Hey guys, I'm at the skill assessment hard lab at password attacks. Trying to get Johanna's password with a few tries at crackmapexec, hydra and crowbar but with no real results. Tried the mutated passwords file also. Any clue?
i am currently doing it, if i got something i will tell you
Thanks
did you use Johannas or Johanna ?
Find a baby who is playing Angry Birds on their phone or tablet. Approach the baby and take their device without their consent. Locate and download hacking software from the internet. Install the software on the baby's device without their knowledge. Use the hacking software to gain access to the game's code. Manipulate the code to give yourself an unfair advantage in the game. Save the modified code and close the software. Return the device to the baby, without them noticing any changes. Watch as the baby struggles to play the game, while you easily beat their high score. Laugh as the baby becomes frustrated and eventually gives up, feeling defeated and helpless.
i just found valid creds. using crackmapexec smb
winrm is usually only enabled for administrators so unless you know youre going for an admin account its usually best to test the other methods first before winrm
oh
anyone here willing to give a tip for this one?
Enumerate the target and find a vHost that contains flag No. 3. Submit the flag value as your answer (in the format HTB{DATA}).
It's in information gathering - web edition (Active information gathering: virtual hosts)
I tried the vhost file that they provide and tried every thing I could, but using other files is giving status code 200 for every entry :/
hi, I am currently doing the fundamentals of getting started on offensive, and I am currently doing the nmap section, where I need to go into the users shares and download the file password flag.txt and when I use either vim, cat, or nano, the terminal says command is not found, so how else am I supposed to open the file
I just did it. It was the same method as the last one. It timed out on me at first though.
Same method as the previous questions. Find the Vhost name using ffuf and add it to your hosts file. Then use curl.
Curl on the name you found.
I did it now, because I know how many lines it contains but this isn't the right way I think
Can I dm you @karmic dagger
That's fine
It's 'type flag.txt' if you're on the windows machine.
Hello All, this is my first message in this community, i am hoping to find help with this question .... password attacks module network services section
Because if you're using SMB to connect, you only have the availability to download the file
Not read it
@fathom pendant so what should I use instead of SMB?
hello marcie, what good is this link for
thanks
That's not just "is there any experts"
Worst case scenario with academy content is you get redirected to this channel
I got a new ssd but i have no way to download or install windows to the usb drive since I only have one laptop currently and it has no os
But i have windows on a external hdd
Is there any possible way i can display the content of the external hard drive and copy the windows file to the usb using cmd ?
then i believe i hit rock bottom haha
Also read the section carefully if I'm not mistaken it either links you to a resource to reference, or tells you what to do explicitly
ya I think I found it, I had to use ftp
Not the channel for this, maybe ask in #1024429874246590575 also #rules #welcome
You can retrieve files with SMB, you don't need to use a different protocol
so I did download the file using the SMB, but I have no idea where it is being stored
or how to open it since I cant use vim, nano or cat
Are you sure that's the password. Also be careful when asking for assistance try to avoid spoiling things by just typing password in your question
Quit/exit the SMB session - then do ls
bruh
oh sorry about that deleted my message
Because those commands aren't smb commands ;)
Simple mistake/issue it happens often
Always double check the info
What's the section again?
am getting confused by the smb one, because i used crackmapexec and it showed me that it found the credentials but when i use them to connect i don't get connected
password attacks module
network services section
if anonymous logins are enabled for smb, any cred combo is gunna pop as valid
idr if that applies to that section or not though
It doesn't
They're hung up on a set of valid credentials but for a different service
Here's a hint: you have John's winrm credentials. Windows systems have a list of users in C:\Users narrow down your list to those usernames first and make sure to use the password.list each question in this section is a different user
Thanks for the hint Marcie, i will keep that in mind
omg i get it now
its a good website
it is!!!
It narrows your list from like 104 to like 5... So it saves a huge chunk of time
Yeah we tend to post it not necessarily to be snarky but because it's actually useful
also where do i find the api identification thing?
snarky but actually useful is my entire personality
im totally going to use that site against everyone now lol
If youre talking about for verification ATM I think it's only on the main site not academy (iirc it used to be or there's some weird thing)
oh
maketh sense
They are two separate things/logins
well this is going to be fun lol
Huh upon revisiting footprinting module I realized there's more to IMAP that I just didn't care to learn at the time... Neat
uh
But now I have a handy link to provide people when they get stuck on that module
If you're extremely new: fundamentals
Any of the tier 0 content; getting started as well
Those are decent introductions to how courses and everything are laid out
how new do you classify as "extremely new"
As in you kinda know Linux but mostly use windows as a daily driver so commands in Linux get lost on you
thank you marcie, now am sure of the user and the password .... i used them before to try and connect but sadly i was not able to
thats extremely new??/
ive never used linux
only windows and macos
I just sanity checked with the correct user password combo c* and 1* are correct for smb
There's a linux fundamentals module.
should i download the parrot software???
Parrot is a Linux os
so start with that got it
should i download it
Not necessarily software... I mean all OS are software
smbclient --user c* //ip/sharename
wut
Then either copy/paste or type in the user password
yeah these are what i meant, they show the smb console but the current directory i am in when i connect is not the share i specified
where do i put this in??
im on a windows machine
This is irrelevant for you
Sorry I replied wrong
oh
Is there a flag.txt
Anyway Parrot has documentation on how to install on a virtual machine
ok
If you're stuck on anything in terms of getting things set up, Im giving permission to either dm me or make a post in #1024429874246590575 and @ me
thank you
Np gl, hh(happy hacking)
so i do need to download parrot as a vm?
Parrot is downloaded as an iso
Again there is documentation on the site
And I believe getting started module kinda walks through it
no when i "pwd" it shows my pwn box directory that's where am confused, i think am not getting connected to the specified share
Make sure when you connect to the share it's in ALL CAPS also to list shares with crackmap you can add --shares at the end
I'm doing the skills assessment for Windows Command Line module. I'm trying to figure out using PowerShell how to view hidden contents of files within a folder
don't give me the answer but if you could help me figure it out that would be great
I keep trying Get-Content, Get-ChildItem, etc.
is it not a powershell thing?
Linux Fundamentals?
No there is literally a module called "getting started"
you are a rockstar it worked, i tried a day ago the same command this time with your hint i tried to put the username all caps
i did that one and it just went over the browser parrot
hi can anyone help me? I am about to go out to dinner. Should I come back later?
thanks btw
@fathom pendant do you know why we should type the username in all caps, even though in the list it is mentioned small letters
Not the username but the sharename
Usernames in Windows specifically are case-agnostic meaning you can have any letter be a capital and windows will be like 'eh close enough'
i tried a day ago with the share name all caps and the username small letters it did not work, when you provided me with the hint i said why not and tried with the username all caps as well and it worked
aha, thank you for your help Marcie
Eh sometimes it just be buggy
Hi, everyone!
I'm starting on cybersecurity, and I'm doing the getting started module. I'm on the public exploits page, and trying to complete the lab.
But for the life of me, I don't know how to get the list of services.
I tried to use nmap to get the list of open ports on the target VM, but I keep getting a message saying that the "Host seems down. If it is really up, but blocking our ping probes, try -Pn"
my command is nmap 139.59.181.223
I also tried using nmap 139.59.181.223 30656
I tried using -Pn to try to get something else, but I get the following
Nmap scan report for 139.59.181.223
Host is up (0.084s latency).
Not shown: 995 filtered tcp ports (no-response)
PORT STATE SERVICE
30000/tcp closed ndmps
30718/tcp closed unknown
30951/tcp closed unknown
31038/tcp closed unknown
31337/tcp closed Elite
I believe this is not the correct information I should be looking for, because these ports are closed, and I can't interact with them
Am I doing something wrong? Or missing something?
Thank you!
thats a public IP address. Im assuming the port they gave for you is the 30656? in which case youd want to scan for that port specifically. Check the nmap help page for how to do so.
@thorn urchin this was their question btw
Thanks, I'll look into that!
Even still public IP is going to usually be a webpage (not always guaranteed) so try visiting that ip:port combination in firefox
I believe I should be using this command
nmap -p 32327 139.59.181.223
(I had to respawn the target, so the IP changed)
But this still gets this result:
Starting Nmap 7.92 ( https://nmap.org ) at 2023-04-15 01:56 BST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.08 seconds
And address on Firefox shows a Wordpress site
But I understand the lab wants me to scan the available services and identify public exploits
So I want to understand if I'm doing something wrong with nmap
Public facing should use other tools like whatweb
I think there's an introduction to academy course if you want to do that
Nmap will literally not get you the results (this is done on purpose) another tool is curl
Iirc that section talks about those tools
And some other ones
I am working on attacking email services and ||evolution has hung up on me. It's not even asking for the password to authenticate||, can I dm someone?
Yeah, I was totally on the wrong path, I needed to search for exploits for the plugin of the wordpress webpage
Thanks a lot for the help!
hey ive been trying to do enumeration on getsimple
i found some directories with gobuster
i tried a get simple metasploit attack but so far i can't see anything
module name and section?
which module?
Literally - intro to academy or something: there's a search bar at the top of academy
unfortunately I didn't keep a note of this, I thought you were doing live engagement.
oh ok
i found quite a bit in the /data
It's legit as simple as checking all options. Then hitting run (rhosts rport)
In the msf module
seems like my target uri is off
And lport
maybe ill just try a few others
port is 80 by default
hmmm makes sense
ive also been wondering about searchsploit
Only 2 things technically need to be set properly: RHOST and LHOST
thought i don't need to use it yet
Well here's the thing
it seems useless to me because i can't use any of the exploits i just search them
In order to find the correct exploit you need to know the version of get simple you're working with
@fathom pendant im pretty sure i know i found it in the cache
Either way that's your first step. Second step is using that version to find a correct exploit
@fathom pendant sounds good ill give it a second try
Also for an easier way to set the LHOST without needing to remember your IP, you can just type 'tun0' and it will grab it for you
@fathom pendant yeh did the trick, i was caught up on target uri and it threw me off before
Basically most options you change are going to be RHOST, rport, LHOST. There are a few instances where you need to change filepath in the options... But that's when it's literally grabbing the file for you
Usually those filepath are default /etc/passwd in the exploit
Anybody has a hacking friend group that grinds? if so send invite
**Excuse me, it's a weird and sucky chall, i got the answer but it doesnt work**
- 0 Observe the web application based at subdirectory /question1/ and infer rate limiting. What is the wait time imposed after an attacker hits the limit? (round to a 10-second timeframe, e.g., 10 or 20)
i got 19,26
its guessy
so im the meterpreter, haven't used this thing much, seems like theres alot of commands i can't do, reverse shells are much better if you can get into them
are you answering me?
if yes i couldnt understand what do you mean?
@naive sky no sorry im a noob myself
Type shell
"round to a 10 second timeframe" did you round up to 20?
@fathom pendant wow never knew that thanks!!
Iirc if you type in help in msfconsole it gives you all the msfconsole commands ;)
Has anyone been able to get the ping_sweep module to work in msfconsole? I always end up with a ton of errors.
Having a bit of trouble with Password Attacks Medium -- From the nmap I am assuming ||THat it was going to be something involving SMB considering ports 139,445 are open --- I am trying to brute force with smb using hydra and it is just not accepting me attempt to brute force -- I tried smb brute force in MSF and it just says everything is a valid password - Am I missing something here?||
Have you by chance tried to enumerate smb anonymously?
what do you mean ?
i cant understand
You said your rough number was 19ish
It's asking for the closest in a 10 second interval (10, 20, 30, 40...)
It's not asking for the exact number
What's the closest number divisible by 10 to what you have
i got 19 and 26
me installing libreoffice on the attackbox
Question about the Windows fundamentals section "Service Permissions",
sc config wuauserv binPath=C:\Winbows\Perfectlylegitprogram.exe
is there some kind of privEsc going on in that line? it wasn't clearly stated in the section but I got a feeling there is something going on there.
Are the boxes really slow for anyone? It doesn't seem like my SSH session can stay alive for more than 30 seconds
Yes read carefully the line: it's changing the path of a windows service (windows update) to a different exe meaning that when the system runs it the malicious code is executed instead of the windows update executable
Oh ok. I thought it was somehow confusing the permissions with the ones the new .exe has. thanks
I mean kind of
It's like running "definitely not a virus.exe" as admin
It only is doing what you tell it
It doesn't necessarily know it's valid or not
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv
Owner : NT AUTHORITY\SYSTEM
Group : NT AUTHORITY\SYSTEM
Access : BUILTIN\Users Allow ReadKey
BUILTIN\Users Allow -2147483648
BUILTIN\Administrators Allow FullControl
BUILTIN\Administrators Allow 268435456
NT AUTHORITY\SYSTEM Allow FullControl
NT AUTHORITY\SYSTEM Allow 268435456
CREATOR OWNER Allow 268435456
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadKey
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow -2147483648
S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681 Allow ReadKey
S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681 Allow -2147483648
what do the numbers mean next to the user names? like what does 268435456 mean for Administrators? how do i check?
Yooo I just found the secret with bruteforcing for footprinting easy... It definitely helps to enumerate everything... To think way back when I first did it I was so confused xD
Hey man
Can I help you?
^
can any one help me with the nmap enumeration module on the last exercise im doing the scan with the following :
sudo nmap 10.129.29.154 -p 50000 -sS -Pn -n -A --packet-trace --source-port 53
and still can't find the version of ibm-db2
nor was able to connect to it with nc
I had to use the pwnbox, for some reason from my local machine didn't work
Hi, I'm having a problem opening the crocodile IP address in the browser. I can ping it, I can nmap it, ftp works fine also, gobuster worked fine also. Is that a known problem or am I doing something wrong? I have found someone with the same issue, and he fixed that by changing the protocol. That didn't work for me tho
Someone that I could DM about Command Injection: Identifying Filters ??
I'm pretty sure I've found the right operator, but it's not being accepted.
I've seen a couple of similar problems here, with this particular section, so I don't think I'm missing something.
Thanks in advance!
Hi guys, I'm getting a 'There are no available instances' error on the 'Internal Password Spraying - from Windows' topic in AD enumeration module (paid subscription) when trying to launch a box. Have been the same for about 30 mins now. When trying to use the VPN to RDP into the target, then I get a black screen. Anyone else has the same issue currently or know the solution?
I m using pwn box itself and still not able to get the flag tried resetting the target also.
have you tried hitting either "Space" or "ESC" when you see the black screen?
yep but did not help unfortunately
Even after a reset of the target?
yes and getting the mentioned error when trying to launch pwnbox as well. So not sure if it's a bigger issue with the servers?
The instances of the workstation are separated from the target, e.g. only connected via VPN
However, have you tried with remmina rather than only with xfreerdp?
I've got a windows attack machine on my side so only tried mstsc.exe essentially
with the vpn file ofc
well, if that's your host OS, I'd highly recommend using a VM
thanks i'll try that. As for the 'There are no available instances' error when trying to launch a pwnbox, do you know how can I resolve that? Or is that only a matter of waiting an hour?
can you paste your command/s in between spoiler tags?
No idea
haha no worries
||sudo nmap 10.129.29.154 -p 50000 -sS -Pn -n -A --packet-trace --source-port 53||
did you try with nc?
Yes I did
||nc -nv target-ip target-port --source-port 53||
looks fine to me, however this is what I did use:
||sudo ncat -nvv --source-port 53 IP-ADDRESS 50000||
I did use it with sudo but still no gains
did you read carefully the output?
Yeah it gave me permission denied and other times netcat time out alert
dm me
guys i have a CTF, can anyone help me?
The question is: Enumerate the server carefully and find the username 'HTB' and its password. Then, submit HTB's password as the answer.
When I scan the network I found IMAP/POP3 and SSH in TCP and SNMP v3 in UDP. Then, I am stuck! Idk how to find credentials from SNMP v3
Can anyone help me with this? I just only want a hint
The lab is footprint - hard
Guys, I have a few questions on the Stack-Based Buffer Overflow (Linux) module, can someone help me a bit? :)
Dm me what you've tried so far
Hi I'm a little confused. some help?
yeah because i tried it and its not working on my machine
Also the alias property is not set in the help command...
but mine at least gives me the ps commands related to it
ok this is dumb.
lol
I remember feeling similar, I honestly think I just guessed the answer if I remember correctly
Microsoft please...
never mind it is windows fundamentals, I actually haven't done this one
Exploiting Web Vulnerabilities in Thick-Client Applications
Section (SQL)
Rebuild the JAR file by following the same steps and log in again to the application. Then, navigate to FileBrowser -> Config, add the fatty-server.jar name in the input field, and click the Open button
i'm lost and have no clue how to rebuild the JAR
It says following the same steps... what were the previous steps?
yes thanks it worked. i tried previous commands and found it. all good
Hello, I would like to ask for help. They banned me from an online game. My account was stolen. How can I get it back? Does anyone know?
ifconfig
Hello friends
MSG us
I have a bit of a problem connecting to the SMB Client in Footprint SMB. "Connect to the discovered share and find the flag.txt file. Submit the contents as the answer."
I don't know the password and I'm looking through the point to find out if I was able to log in anonymously or if they just gave the password, but I'm out of luck. Can someone help me out a bit?
just try logging in anonymously and see what you get
Are you sure that the Kioptrix VM that you have downloaded and started has the IP you mentioned?
make sure that you are connected to vpn
he doesn't need a VPN if he is using a vulnerable VM image in his local environment
what are you trying to achieve from the nmap scan ?
Additionally, the machine might not be in the specified subnet
Sup folks!
Anyone that I could DM regarding the Command Injection: Identifying Filters section?
dm me
you will have to figure out the IP of the machine first, then you can check what ports are usually open on that machine that you can target with your nmap scan
I am doing Password Attacks Lab - Hard and found valid smb creds. When I try to list any possible share via smbclient I get "NT_STATUS_NO_SUCH_FILE listing *"
any help ?
Ok I am having problems wrapping my head around this part of the windows fundamentals
Security Accounts Manager (SAM) and Access Control Entries (ACE)
SAM grants rights to a network to execute specific processes.
The access rights themselves are managed by Access Control Entries (ACE) in Access Control Lists (ACL). The ACLs contain ACEs that define which users, groups, or processes have access to a file or to execute a process, for example.
The permissions to access a securable object are given by the security descriptor, classified into two types of ACLs: the Discretionary Access Control List (DACL) or System Access Control List (SACL). Every thread and process started or initiated by a user goes through an authorization process. An integral part of this process is access tokens, validated by the Local Security Authority (LSA). In addition to the SID, these access tokens contain other security-relevant information. Understanding these functionalities is an essential part of learning how to use and work around these security mechanisms during the privilege escalation phase.
who against who and what includes what?
Specifically on the Securable objects part
just found another route