#modules
ive been stuck in this lab for days ... i finished all the module section except this one and ive been writing the correct commands and saw some video but didn't solve it till now .... can anyone help

no information provided to help.
logrotate is a race condition abuse, dont try to establish a reverse shell
the attack is pretty straightforward if the system is vulnerable
idk in the module was explained as making reverse shell and yt videos ..
it can work but i would just make the bash have SUID
ohhh okay ...
yeah for that module, if you want to get a shell, it dies really fast for you to get the flag, setting SUID bash would be much easier
Hey Guys!
I am back with the same problem again
Now Attacking splunk module. Upload doesnt work
tried multiple browsers
even multiple internet connections too
oh no
if I remember right, you need the exact directory structure as the example, and I think there are some specific thing you need to do, can't remember what exactly
i think i have it
you sure uploading is the problem?
it has a built in Script console
in firefox when i paste the commands which result as a rev shell it actually never went thru.. i opened up chromium and worked instantly
i just dont understand
its odd because it only happens in HTB Academy
there's no proxy in the way?
nope
I'd say try this just to make sure
I look again, I don't see a passwd
what
look with open eyes
reset everything, get a new vpn file, create a new network adapter, update, reinstall firefox 
now its too fast:DDD
stuck at Q2 of Documentation and Reporting Lab, the krbtgt hash dumped from DC doesn't seem to be accepted
did it work?
Just wanted to let you know that I did the same. I just spent the past few minutes trying to find what wordlist I should have used. lol
Meanwhile the txt file on the desktop
I feel so dumb. I was just excited to get started. 🤦‍♂️
LOL, I closed my workstation on the second module... only to find that it's one workstation per day. Don't feel dumb.
Just use a vm
Do I need linux for hackthebox or is mac fine?
you can use the hackthebox provided VM or use your own
definitely dont hack off your base machine
If you use a vm there are no time restrictions
Is the HTB VM unique for each module / section? Or just on the site somewhere?
https://academy.hackthebox.com/module/15/section/453
Makes it sound like each section has a unique VM, but I think I'm being dense right now...
each section is technically unique, as in nothing is really stored; however as stated multiple times by many people; you really should only be using the pwnbox (in-browser) vm if you have no other options
most modern(ish) computers can handle running vms
Most popular software being VirtualBox and VMware Fusion (for Windows Hosts) and Parallels for Mac M1/2 chips
So I am being dense. I need to set up a VM, slap an OS on it, then navigate to the IP / port it provided in a browser.
I can do that, LOL
if you're given an IP:port it's most likely a public IP that doesn't require vpn access
hello
hello, im currently doing the basic toolset module "network enumeration with nmap" and its explaining how you can use both icmp echo packets and arp packets to ping hosts to see if they're alive or not. but i dont understand the difference between arp and icmp echo packets?
how can i access the internet from the browser on the instance. i cant access website from there
You can read about ARP here: https://en.wikipedia.org/wiki/Address_Resolution_Protocol
Hi! Does anyone know if HTB is offering any cyber monday deals for the CPTS / Penetration Testing Certification bundle?
Thank you for any advice or info in advance.
That would be the silver annual subscription
yes, just wondering in regards to black friday, cybermonday coming up. Just seeing if HTB is gonna have any sales on it
seeing as they're based in the UK idk ¯\_(ツ)_/¯
hola
need help with Shells and Payloads: Automating Payloads & Delivery with Metasploit
Follow the section and you should be good
it said to connect with the credentials, when i did the rdp cli said pipe error
It helps if you be more descriptive
neither work
I've not had too many issues with xfreerdp and creds
Also the question says rdp or ssh?
no ssh port open on the target
Oh
You're misreading then
You're meant to use the exploit using the provided credentials iirc
Your slashes are the wrong way
For the outfile
I'd also recommend deleting that as its a spoiler
Hey, is there anyone available and could help with Attacking common services - Easy
Thanks
It would be better if you provide more information
I'm running into the situation where I put in the correct answer but it tells me the answer is incorrect. I reset the instance, reset the target machine, reset the HTB page, formatted the answer in both the way it came back from the curl request as well as added HTB{} format and nothing
i know it's the correct answer because i've reproduced the same answer every time and it's the only response the server has sent back
did you check spaces?
yeah, i've copy/pasted, typed it in
If you actually specified what module and section it is, someone might be able to verify if it's the right answer or not
it's the java obfuscation module
decoding the base64
i used curl -s http:"theIPandport"/serial.php "serial=my_thingy" then piped it into the base64 decode and came out with the secret message
Javascript Deobfuscation > decoding
i don't want to just put the answer in here as I think that's against the rules
but it's leetspeak
First word of it?
7h15
Isn't there an extra request you have to make
yes it's meant to be leetspeak
With that as the data to get the final output
and yes you're meant to use that decoded output as the SERIAL= in your POST request
as indicated by the question
curl -s http://94.237.54.59:40887/serial.php -X POST "serial=YOUR_DECODED_OUTPUT" | base64 -d
that's my request
and i get the response i'm looking for
replace YOUR_DECODED_OUTPUT with the decoded output it gives you
and don't pipe to base64
you should learn how placeholder text works my guy
it's literally telling to use the decoded output as the variable
otherwise no matter WHAT your post message is it gives you the same result
you could leave it blank and it'll still give it to you
also you need to put -D for the data portion
sorry lowercase d
not uppercase
also you may need to respawn the target if you're not getting an answer
RDP session keeps bugging out randomly, tried resetting the target a couple of times
Module: ATTACKING ENTERPRISE NETWORKS
Topic: Lateral Movement
Question: Obtain the NTLMv2 password hash for the mpalledorous user and crack it to reveal the cleartext value. Submit the user's password as your answer.
I tried Inveigh.ps1 but it prompted this error "windows version is not compatible". Then I tried Inveigh's exe version. It worked. I captured this hash indeed:
mpalledorous::ACADEMY-AEN-DEV::C30EDB1345CBDFE2075EBFB3E023DA82:0101000000000000AADD4DD31714DA012552338…redacted
When I use "hashcat -m 5600 hash rockyou.txt", it prompts "token length exception". Can someone help pls?
try to understand the "token" that hashcat is expecting for the specified mode
Can you provide more information please? I couldn't understand what you said. I stuck in this topic for a week.
What kind of hash does hashcat expect for the mode that you are using, start from that
HI guys,
I moved on and found a password-protected zip. But I have no idea how to find it.
Any hints ? ty
b
Hey guys I am checking out Security Monitoring & SIEM Fundamentals to learn about Kibana, are there any other modules related to this topic on the academy?
Is it possible to automate testing all the auth bypass techniques for sqli instead of manually trying each and every one? I've just started using sqlmap and I'm not sure if there's a script for it already
Hello
I have problem with this question, someone can help me ?
The exercise above seems to be broken, as it returns incorrect results. Use the browser devtools to see what is the request it is sending when we search, and use cURL to search for "flag" and obtain the flag
It's on the module web requests
hey guys
I'm in "Linux Privilege Escalation" ==>>"Privileged Groups"
the Q is: "Use the privileged group rights of the secaudit user to locate a flag. "
I did || id ||, saw that I'm in|| adm ||, and did || ls -lth /var/log/ || to see what interesting log there R.
went 2 || apache || and on and on
did someone do it some other way cause this way doesn't look like what I needed to do (at least not in the real world scenario)
@umbral fulcrum go in var/logs and use grep ri to find the flag
When i put cURL IP_SERVER/search.php they said me access denied
@wheat scroll that means you don't have access to search.php
so basically do ||grep in the /var/log||
btw || -rw flag|| show me a lot less mess
thank U
@umbral fulcrum no worries
I can't put a command to have access to it ?
The flag is in this document or not ?
Hi, Anyone can we give some hint Attacking Common Applications - Skills Assessment II
Q5. What is the admin password to access this application?
I poke all around repo in the gitlab. Unable to get.
are you sure? I would give another go to the gitlab repos
This is for the module sqli fundamentals, the final assessment.
Thanks I got it
you guys know if htb academy is eligible for dutch STAP budgets?
I'm not sure if this is the place to put feedback for modules, so please move or let me know so I can put in the right place.
System: VMware Workstation 17 Player - Ubuntu 22.04.3 LTS
For INFORMATION GATHERING - WEB EDITION module there is a portion to install Aquatone using go. The command in the module is no longer supported:
```
go get github.com/michenriksen/aquatone
'go get' is no longer supported outside a module.
To build and install a command, use 'go install' with a version,
like 'go install example.com/cmd@latest'
For more information, see https://golang.org/doc/go-get-install-deprecation
or run 'go help get' or 'go help install'.
```
Using `go install github.com/michenriksen/aquatone@latest` as mentioned gave me another error during install:
```
go/pkg/mod/github.com/michenriksen/aquatone@v1.7.0/parsers/regex.go:22:26: invalid operation: cannot call non-function xurls.Relaxed (variable of type *regexp.Regexp)
```
Ended up just grabbing the latest release from github and it worked without issue:
```
wget https://github.com/michenriksen/aquatone/releases/download/v1.7.0/aquatone_linux_amd64_1.7.0.zip
unzip aquatone_linux_amd64_1.7.0.zip
./aquatone --help
...snipped output...
```
made a question in community help for getting started module privilege escalation section https://discord.com/channels/473760315293696010/1173645702144983110
getting an error when using cat command vs no cat command
was able to get the flag though
but wanted to know if this was a platform error or an error on my end
switch from udp vpn to tcp
Which module do you need help with?
What do you mean by you can't access the PwnBox?
Can you not start them?
What exactly did you try?
The PwnBox does not require a VPN
Read and follow #welcome
Hey, just wanted to download the cheatsheet from File Inclusion and my windows virus protection blocked it
any ideas on this one? i am so close, just need some more hints on how to escalate to root https://discord.com/channels/473760315293696010/1173645702144983110
Windows defender doesn't like php webshells
really annoying
@rustic sage how did you get screenshots in this main chat? everytime i try it just doesnt work lol
Hey guys, I need some help with the linux buffer overflow module. In the skills assessment we need to answer the question: Determine the file type of "leave_msg" binary and submit it as the answer.
I already used the file command and I know the answer but I do not know how to format it so that they will accept it.
It is best to ask the support team
is there a way for me to attach screenshots here?
i cant for some reason whether its copy and paste or upload
Read and follow #welcome
ohh, i dont have the hackthebox app, only academy right now
sweet i got it lol thank you
please do not include answers to the questions
follow the privesc techniques given in the section
what can user2 see/do
Enumerating SMTP for user on the system... Hint says to use the wordlist provided in footprinting, but there isn't one there
Yes there is
In resources
oh it was at the top instead of in the footprinting section, sorry
It's in the whole module
It's telling you to use the wordlist from resources
Which works for the whole module
thanks, I don't have much exp with SMTP and that was a big help
it's useful ¯\_(ツ)_/¯
Small tip regarding the Windows language package on lab VM
If you aren't using English keyboard layout (QWERTY), every time you start a new instance, you'll need to install your language keyboard using the GUI
I've found a small PowerShell trick on this website: https://www.anoopcnair.com/add-language-packs-offline-in-image-using-dism/
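```powershell
# Read the current language list, add the layout, then apply it
$OldList = Get-WinUserLanguageList
$OldList.Add("fr-FR")
Set-WinUserLanguageList $OldList -Force
```
You can now quickly switch to your preferred keyboard layout in the bottom-right part of the taskbar (next to the clock)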
PS: Language packs codes are available here --> https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/available-language-packs-for-windows?view=windows-10
working on the NETWORK ENUMERATION WITH NMAP : Service Enumeration. I'm on the question asking about "Enumerate all ports and their services. One of the services contains the flag you have to submit as the answer."
I was able to get all my ports and services, using -sV, and also with the NSOCK INFO. But running the tcpdump and nc -nc command is giving me nothing useful. I'm assuming my host for the tcpdump is the ip in the terminal line next to us-adcademy 3. I'm not sure where I'm going wrong
I use nc, 10-15 seconds, and nothing happens
I assume the format is nc -nv <target> port
Ye
its not displaying anything even after a minute, is there something I have to do prior?
sudo nmap 10.129.109.52 -p- -sV -Pn -n --disable-arp-ping --packet-trace
Hint: it's a not standard port
ran this command and it gave me 7 ports
Hmmm
Well what possible ports does that command miss?
That should hit the right port
Oh...
when I did nc -nv on the 80 i pressed enter and it said bad request
This is why I use RustScan
Nope
-p- is for all ports
The scan tool doesn't matter, this is a user issue
Then it's not on port 80, which is the standard http port btw
Like I said non-standard
I went through all the ports using nc -nv 22, 80, 110... and they were either hanging or I clicked enter and it would throw wrong pipe
It's a high port
shoutout to @fathom pendant , should be offered a job with HTB for all the support
220 is the response code
Also spoiler so you should delete it
220[space]HTB{FLAG}
Got it thank you! I guess the wording of the question threw me off. I was thinking I would have to find it in the tcpdump
You can find it in tcpdump too
I was trying to get it to work but it wasn't displaying anything. I assume its a background process. How would I have it display items?
You need to specify the tun0 interface with -i
If I'm recalling correctly
sudo tcpdump -i eth0 host <terminal ip> and 10.129.84.185
I pretty much copied from module example
changing the ips
Use tun0
Instead of eth0
tun0 is academy interface
okay, and then would I do a nmap scan or nc scan?
Nc connect to port iirc the section goes over the order
yea I'm starting to doubt the section examples, using eth0 and displaying things that don't appear in my terminal
The examples are just that, examples
Sometimes you'll need to manipulate examples to fit your needs
In this example they use eth0 as the interface
I'm like fresh into this, so I'm unsure how I would know about tun0
If you do ip a you'll see multiple interfaces, one is the private network address 10.10.x.x (where x is the last 2 octets of your ip)
Hello, anyone who is in the command injections module?
Just ask your question
Module: WINDOWS ATTACKS & DEFENSE
Section: PKI - ESC1
I have already requested the Administrator certificate. I am attempting to convert it from PEM to PFX however I am confused how I am supposed to transfer the file over to the Kali box? It also doesnt help that the RDP sessions have high latency. Any permissible guidance would be appreciated.
Use tcp connection, if using xfreerdp do /drive:(whatever name),/path/to/local/directory
thank you
You should be able to download the tcp vpn from the site
I took your advice earlier and did that thank you it is working just not super well in the portion where you rdp in that rdp session to the workstation
Ah
I'm trying to open the pem to pfx in the kali session to use in the workstation session
the inception is messing with me I guess lol
Ah ok
anyone can help me about this?
Well if you do port forwarding/pivoting
I swear if I Google and have your question answered I will tell you to Google
Yep found the answer quickly
IIS is tied to Windows Version
haha lol
Literally took 5 seconds
Google, click stackoverflow, one of the responses contains the answer
was this in response to me? I still don't understand how to run this command in the kali instance when it has me running a session in the workstation
cannot be upgraded separately?
i was looking to check if there is any possibility
nvm found it
good something new
If you do port forwarding with like chisel or something then you can skip over foothold but that's just a suggestion. You can always transfer back a step each time
How did you go into the robots.txt?
Hello
I have problem with this question, someone can help me ? The exercise above seems to be broken, as it returns incorrect results. Use the browser devtools to see what is the request it is sending when we search, and use cURL to search for "flag" and obtain the flag. I don't know in which request i can get the flag
It's in Web requests module
In Get sections
How do I access robots.txt? Do I put it in a url or is there a way to access it on the command line?
I have problem with this question, someone can help me ? The exercise above seems to be broken, as it returns incorrect results. Use the browser devtools to see what is the request it is sending when we search, and use cURL to search for "flag" and obtain the flag. I don't know in which request i can get the flag. It's in Web requests module and it's in Get section
Its not broken, you need to review the section materials and try again
Ok
Honestly imo burp intruder just sucks and not worth using. Like the rest of burpsuite is a great tool but intruder is so fiddly and wonky
I review it for 1 hour
Review it as long as it takes to grasp the content it teaches
Understanding is more critical than rote memorization
I usually prefer something like ffuf
or if you absolutely need to save results then bash script curl or something
hello i make the chain idor module i have problem to enumerate all users can you help me
Did you uncheck the payload encoding checkbox in intruder?
i just updated the os and the latest version of metasploit removed an exploit
how do you know they didnt just remove two shitty exploits and add one better written one for the same cve
Any help on the question for this module https://academy.hackthebox.com/module/147/section/1391 ?
I tried running hydra -l sam -P pwatk/mutations.list 10.129.202.64 ssh -V
the mutations.list file is created using hashcat --force password.list -r custom.rule --stdout | sort -u > mutations.list
(the custom.rule and password.list come from the module's given resources)
I let the hydra task run for about an hour, and I got no results. It only however got thru 9k out of like 94k results, I'm going to try using the best64.rule to mutate the passwords.list now but I wanted to ask here to save me some time incase im going in the wrong direction
To save you from having to click the link, the question is:
Create a mutated wordlist using the files in the ZIP file under "Resources" in the top right corner of this section. Use this wordlist to brute force the password for the user "sam". Once successful, log in with SSH and submit the contents of the flag.txt file as your answer.
i don't... gotta check their github for release notes
absolutely do not use the best64 rules, keep with the provided list
okay, do I just need to give it more time?
also ssh is super slow, dont target ssh if you dont have to
Really its just nothing to worry about
I figured that's what I have to target because that's what it asked for, but I'll look into it
Dont let a questions wording stop you from applying critical thinking and better intuition
Alright, thank you
enumerating SMTP module: have a list of usernames in email format but unsure how to get the specific username the module wants... any nudges?
it mentions three different methods, have you tried all three
no I'm not really sure what to do from this point ||used smtp-user-enum -D inlanefreight.htb -U footprinting-wordlist.txt -w 10 -T footprinting-wordlist.txt -t <ip>|| which gave me a list of emails that says exist... I tried putting in the name without the email and then the whole thing, for the entire list, but it didn't work
hello i make the chain idor module i have problem to enumerate all users can you help me
well like I said they teach three different enumeration methods, you need to try all three. I suggest reviewing the section again
-M is used to specify method
That doesnât seem like the command Iâve seen in module, and you should use -w 25
At least according to my notes
Or use the metasploit
I didn't even see this being ran at all in the module regardless but that was the nudge I got earlier was to use this
Anyone have any insight into why Linux Privilege Escalation -> Escaping Restricted Shells is so light on information? Seems like a waste of a section.
idk they got some new writer to add updated sections to modules and seems like the vast majority of new sections are just pretty bad
fun stuff
ran through all 3 methods, and I have two extremely long lists lol... Do I have to go through and manually enumerate each one to find a flag or something?
You find a username first then you look for a password to go with it
yeah this is where I'm a little lost, all I have is email addresses, are those considered the usernames for this?
Username@domain
Which path / module are you doing?
Pentest path, SMTP
Footprinting module yeah?
yeah
(I am many cubes away from that...)
If you do it correctly you should only have one valid user iirc
is there a faster way to tell which ones are valid? I have probably 40
As in it should only return one user
yes. follow the section instructions like I said
it teaches 3 different methods for confirming
try all three of em
This section doesn't go over the smtp-user-enum tool
and
two cents, based on my observations about the channel, it seems that everyone who seeks help hasn't asked himself the three questions Why, What and How
most of the people seeking help are actually seeking the exact command to get the answer
no? I've simply asked for a nudge as you could see if you read it
Just generally speaking, I'm not pointing fingers
ok, I was about to say lol... I'm just confused and looking for a nudge, I've always had trouble with SMTP
Well youve gotten a couple nudges, so just waiting to see if you get a different result or have a real followup question
hello i make the chain idor module i have problem to enumerate all users can you help me
Yep after careful troubleshooting I can confirm that the issue is user error
@royal sigil
No one can help you if you dont ask an actual question
OK I am going to think about it

I mean hey I give them props
It was pointed out they need to ask a real question, and they decided to pause to think of one first.
And tbh sometimes in the process of coming up with/asking a question you reveal the answer to yourself
Yeah. Its a highly amusing response but better than most randos that just get upset that people can't psychically implant the answer into their brains.
It's also why sometimes my response is "are you asking me or telling me" which is a hint to just do it ™
is htb having problems with the vms?
mine is fine ¯\_(ツ)_/¯
bruh im trying to rdp and its gonna make me go crazy
It made me laugh personally
Do you happen to be getting a black screen?
YESSS
It's a screensaver, just press enter
Another one bites the dust
lol screensaver strikes again
but sometimes it doesnt even connect and then I try again and it works
its ok tho im fine with screaming at my laptop
recommended to use tcp for vpn if you're having connection problems
I used to do vpn with wsl but it gave me so much errors that using the htb vm is just better
Screensaver 20 | htb users 2
Just use an actual vm WSL is trash
but wsl makes everything so easyyy
It's garbage
doing pentesting stuff on your host is a bad idea, wsl isn't isolated
Ya I dont do actual work on wsl but just learning I use wsl
Even learning platforms
After solving the active subdomain enumeration module, i would say that module needs a rewrite. The material is very loosely connected to the challenge. Its the worst feeling to put in a whole days worth of work and still thinking boy I didnt really learn anything.
I found it was alright
By far the weaker modules, by nature of the tools, are Vulnerability Assessment and Pivoting modules
Just because they're very much copy/paste
Sure i just like the material to translate into the challenge. For instance they list a command in their about using nslookup with the axfr type. Never used this. The comments in the forum kept specifying dig as the proper command line interface. So theres a lot of wasted time just trying to figure out on what terms the module really wants you to solve something as.
Nslookup works the same as dig basically
It's just an alternative way, to get subdomains
Never could work for me man. Maybe i suck. Also the module teaches gobuster. Never used that either
Learning new things is fun!
Again an alternate tool to do the same task
The module can be completed with nslookup
What did i learn? The module asks to identify multiple zones. Again i figured this out but that module doesnt go over that.
Anyways doesnt matter im over it
Peace out
DNS explanation is really lackluster in any module that goes over it
You've learned several new tools for tackling a common enumeration step.
I am stuck in the command injection module, skills assessment, I try to move the file with the flag to the tmp folder, first I try to move any other file and insert the payload in the GET request with the obfuscated whoami command to check the execution, but in the response it gives an error in which the command is reflected, but it is not executed, can someone help me please. Maybe it is another way the solution.
Has anyone here completed the game hacking modules? there is almost no forum posts that I am seeing to assist in the labs
I havnt done the module but I have RL experience with game hacking/modding/reverse engineering so who knows I might be able to help anyways but we will never know if you only ask if people have done the module instead of just asking the question you have about what youre stuck on.
i'm doing the skills assessment for this module: https://academy.hackthebox.com/module/54/section/511
question number 3: One of the pages you will identify should say 'You don't have access!'. What is the full page URL?
i had to look up the answer because none of my commands are returning the correct answer i even followed a video and i'm not getting the same results as the video :/
now it decides to work...
literally all the same commands and everything as i was doing before but nothing was showing up
how do we know if a command is working like it's supposed to? in this case i didn't do anything wrong and the expected results weren't showing up
¯\_(ツ)_/¯
Tough to say when we cant see what you did and what results came back
maybe the instance just hadnt booted all the way, maybe there was connection issues, who knows
But that uncertainty is true to life as well
so it's good to run the same command multiple times to make sure i haven't missed anything?
as in yeah youll see that shit irl too, not just labs
depends. gotta use some judgement and intuition there
in the enumeration phase like when you're scanning for instance
Depends
Like if Im suspecting connection instability, Ill slow things down
For as much press as big DDOS attacks get, a lot of webservers can still cave over a too aggressive gobuster scan lmao
Also that particular assessment is a public docker container. Theres tons of connection reasons that could interfere with your enumeration.
that's crazy... thank god there are answers!
the youtube video's example works but mine doesn't even though i switched over to the web browser pwnbox
my command is on the left and the youtube video is on the right
i hope i won't encounter these types of issues in the exam
your commands not the same
Also do the bare minimum editing to block out the answer 
fwiw your command looks more correct than their command, but unless theyre just using a wacky font, your commands are different lul
im like 90%sure thats what its supposed to be but the vid looks like just FUZZ-key
Also in this instance the key sign that somethings not going right and you should try your steps again is that youre just fuzzing for parameters but not getting any error code for the page itself, which youve already confirmed exists. Even if your wordlist was shit you should be getting something back, not just blank results.
Thatd be the clue to answer the earlier depends about when you should rerun commands.
that makes a lot of sense, thank you!
I was able to find the flag, very good module, I learned a lot.
@thorn urchin It just seems fairly technical and extensive to generally ask here. I am surprised that there isnt posts and responses about it on the forums.
In "Identify and Dissect Data Structures" they reference using cheat engine to locate a point of interest then browsing the memory region. Looking for the red areas in the memory viewer to indicate change while the game is running. Converting those to 4 byte decimals in an attempt to locate specific values of interest. They offer the hackman game as a lab. Utilizing cheat engine with this game you can easily search and discover "score" however this seems to be a placeholder for the string "score" but not the actual score which is assumably a float. When searching the same area of memory, I cannot discover any red data points in the memory which could be related to the actual score. Also doing an initial scan, then follow-up scans for the score doesn't seem to present what I am looking for either. I am at a bit of a loss as to where to check next.
Are you referring to the academy module?
it could be a float but I also see score values often be a double, did you try scanning for that?
@fathom pendant yes
I do remember seeing a double but it did not seem to align with my current score.
Also while the score string may not itself be an indicator, you can check surrounding memory to see if its related. And if that doesnt work, putting a hook on the string to see what accesses it could also clue you in to the score value location
can you explain what you mean when you say put a hook on the string?
You can right click and do a find what accesses this address
oops meant to reply to this one
Sometimes what Ill also do if I suspect a value but it doesnt look right is add it and then edit/freeze it anyways just to see what happens. Worst case is the program crashes and I start again lul
also should we only be scanning the game process for these or all of the listed memory scan options?
eh kinda depends
nice I will mess with this more the hook seems like a good idea I wasnt aware of. I am loading it up now to check it out.
for more complex games Ill scan full memory space. For simple shit Id just stick to the main process memory
its far more useful when youre trying to patch code, but occasionally it can help with discovery. Though tbh I usually switch to static analysis with ghidra/dedicated decompiler if Im gunna be chasing strings
So while its worth a shot, dont be surprised if it doesnt lead anywhere useful for your scenario
is there a way to condense the memory viewer to only show actively changing data points?
not really because it cant predict whats an actively changing memory field or not
this is offtopic read #welcome
@thorn urchin I assume this game could be decompiled and values changed then recompiled. Is that how this works with modern gaming when people create mods and such?
Sometimes
Mods tend to piggyback off existing libraries
And have to do some funky stuff if there's anti-cheat on the device
@thorn urchin got it. I was unable to find it by searching for score so I looked for the lives variable. I assumed it would be stored in memory around the same space. Thanks for the input.
Always a good thing to try as well nj
is there a web browser built into parrot os?
I hacked into the main frame
Firefox should be installed
I RDP'd into a VM for foothold and theres no firefox on the machine
Open a terminal and type firefox
Fwiw it's not working bc you're doing it as root
Root doesn't have a display variable set
ok, thank you
Module: Windows Event Logs & Finding Evil
Request: Unclear what I'm looking for as IOC of DLL Hijacking
More generally, I understand that Sysmon ID 7 is indicative of a module load event, which itself may signal a DLL Hijacking effort. However, I'm less clear on what else I'd be looking for. I figured the presence of such an event ID isn't in and of itself sufficient.
For context, I'm stepping through the Skills assessment for the module and just found the process that is responsible for the DLL hijacking by just grabbing a list of processes and brute-forcing my way through. That may work for the purposes of the assessment, but I'm missing the key takeaway from the section.
Put another way, outside of stepping through all the ID 7 events (which seems terribly inefficient), I'm not sure what I was meant to be looking for.
So I'm in the Password Attacks Hard Lab and I have transferred the .VHD file to my attack machine. Where do I go from here?! I saw a mention to this
https://medium.com/@kartik.sharma522/mounting-bit-locker-encrypted-vhd-files-in-linux-4b3f543251f0
in the forums, but I'm wondering what I missed in the modules?!
Accessing content from Windows BitLocker encrypted partition in a vhd file on Linux
The modules don't go over mounting that type of drive
That's a research and find out
I just did it on my Windows host
I was going to try transferring it back to the Windows target machine. Any guidance on how to get that to work?
The medium link seemed a bit vague
Don't remember the module and not at the computer to check my notes, but if you've got RDP access you can use the /drive option with xfreerdp, mount the entire folder where the file is
Is there a future module I could skip to for more info? I feel like something is missing here.
I don't think so, I just transferred it to my Windows host and googled how to mount it there, was very straightforward
Module: Windows Event Logs & Finding Evil
Section: Skills Assessment
Request: Answer attained, but rationale unclear
Task 5 is a simple "Yes" or "No" response, which I simply guessed. I'm not altogether certain why my answer is correct however. My intuition is that I'm meant to correlate the datetime of the event from Task 4 against the Security log, but I'm not certain how, from glancing at the Logon/Special Logon events, I'd determine the correct answer. Since I have the answer already, I'd appreciate some guidance on explaining the rationale.
Tried to copy the Backup.vhd back and got this error
I hosted the VHD from my attack machine with:
sudo impacket-smbserver share -smb2support /home/kali
how does the /drive option work?
would it be /drive:Backup.vhd?
i downloaded it with smbclient
after that i used a simple http server to transfer to Windows
then i double clicked it and it asked me for the password
after that it was mounted
this should be the credentials error we talked about
if you use google you will find the solution real quick
What is the credentials error?
Bad credentials
You didn't even try and crack the password
Is my guess
You just saw people suggest mounting a certain way without understanding why
just use simple http server
or smbserver.py <folder> <sharename> -username <dummy user> -password <dummy password>
and from Windows net use x: \\<IP>\<sharename> /user:<dummy user> <dummy password>
move it to local folder with copy x:\Backup.vhd <some local path>
but yea Google has all these commands xd
I mean a lot of this is gone over in file transfers long long ago
So I set a dummy password and got the VHD transferred to the desktop of the target machine. Now the cracked password I got is not working.
I don't want to post it here, spoilers.
I did bitlocker2john, pulled a single hash from that, then used hashcat with mode 22100.
is that one
YEAH!
Just saying you can do it on a Linux system pretty painless
I think one of the old articles that was shared around had like 20 steps
New one had like 8
since it is a native windows file, would hesitate on tryna do it on Unix tho
Yeah fair, but it's still good knowledge
And it works fine, I tested it, helped someone else troubleshoot a step they skipped, and it's easy
Like legit all you gotta do is follow the steps
always hahaha
And not have to try and figure out what xyz means
Legit though that article is the easiest one to follow
my boy
transfer it to your windows host
that password is totally unrelated to admin password on that host
if you do not have a windows personal instance (weird tho) you can do it from your linux
My windows host is isolated from my vm
No file transfer capability
with your ISP router
I keep them separate
Is this any good?
https://medium.com/@kartik.sharma522/mounting-bit-locker-encrypted-vhd-files-in-linux-4b3f543251f0
Accessing content from Windows BitLocker encrypted partition in a vhd file on Linux
It mounts a drive, but then closes it?!
what output you get?
it mounts the drive and then unmounts and closes it
dont you have your parrot/kali connected to the same router as your Windows?
I keep my Windows and Kali separate.
No. Windows and then a VM for Kali.
I used to use a USB live boot, but now I just used the Kali in a VM with bridged mode.
I know, me too, this is rough
do you have Kali and Windows connected to the same router?
for internet access
yes or no?
I have one router, so yes.
I just don't transfer anything from HTB to my windows machine.
From what I understand the labs are shared.
Is that correct?
I should clarify, HTB Academy is shared from my understanding.
I get VIP+ with HTB main platform.
do what you did for the smbserver but from your windows machine xd
no one altered that backup.vhd, relax
for shells and payloads, the live engagement I put all the right creds but the exploit isnt working
I'm just going to run a windows VM and transfer via internal network tomorrow.
Thanks for the help!
nope, all HTB academy labs are personal and private for you only, only boxes on HTB are shared
also may i ask is all of the troubleshooting so far because you can't get the backup.vhd back to your kali?
No I got it on my kali easy, got it to the windows target machine easy too.
which question?
Password just doesn't work
no
"Exploit the blog site and establish a shell session with the target OS. Submit the contents of /customscripts/flag.txt"
its asking for admin password on WINSRV
that is a totally different password
hes afraid to transfer it to his Windows host
which makes no sense for me ...
same lol 
sorry for the delay, my browser just hung for a bit but why tf did you put the vhost in rhost and the ip in vhost??
it keeps resetting
you'll need to set the target vhost to the vhost option not the ip
umm, that worked. Can i ask how?
You keep them separate... By running in bridged mode?
last section, host 03. Exploit works fine but then no session was created
all my options are fine
i need help, disclaimer, i just started using HTB and taking this course
you're gonna have to be a lot more specific
halp
should this be working? Enter-PSSession -ComputerName ACADEMY-EA-DC03.FREIGHTLOGISTICS.LOCAL -Credential INLANEFREIGHT\administrator
it asks for a password but we do not have it
i think its just an example
is this from the double hop section? it's just a demonstration, section didn't have a lab attached
found it, yeah, it's an example
thx !
why i cant fix the clock skew problem?
tried ntpdate and rdate with the domain controllers ip
it is showing 08:58 but when i run ntpdate it shows 10:58
if these two aren't working, the last option is prepending all commands with faketime
faketime -f +7h or whatever the clock skew is
nmap shows it
also -debug with impacket o.O
worked like a fkn charm
nice
thx
Hi guys im having a trouble with a module
File Upload Attacks
I managed to upload a file called "shell.php.\.jpg" to a site in http://94.237.59.185:54581 but can't understand how i can visit this file (because of the unconventional extensions)
i restarted my parrot and it works now without any type of time adjustment
anyone understands kerberos time stuff?
Hi
I need help for http response splitting
I found XSS and I made my exploit
It works but when i try to get "document.cookie"
I got empty
How to get admin session
Can someone help me please
Which module is this from?
HTTP attack => HTTP Response Splitting
You cannot read the cookie. You have to find another way
If you can't access the cookie, just get the user to do what you need
I need to get flag I think the flag on cookie that why i need to dump cookie but as you told me I have to control user to visit what i need i have control by JS code but how to use that to get flag
how can i access an internal web page through port forwarding
i want to open the web page with a browser
You have to make sure that a report is sent to the admin
Then you can check the log
From which module?
I used report Issues to send URL with JS code to exploit it when admin visit that link and I control it but no idea how to get flag
okay
I am having trouble with the DNS ATTACK section of the Attack common services module:
"https://academy.hackthebox.com/module/116/section/1512"
"Find all available DNS records for the "inlanefreight.htb" domain on the target name server and submit the flag found as a DNS record as the answer. "
htb is not an official TLD. It can therefore not be resolved by the root name servers.
Enter the IP as nameserver
I am having the same problem. What flag did you add?
I am doing Kerberos Attacks Unconstrained Delegation User, but I am stuck at the last step. Already have the ticket but getting this error:
┌──(kali㉿kali)-[~/krbrelayx]
└─$ secretsdump.py -k -no-pass dc01.inlanefreight.local
Impacket v0.12.0.dev1+20231108.130828.33058eb2 - Copyright 2023 Fortra
[-] Policy SPN target name validation might be restricting full DRSUAPI dump. Try -just-dc-user
[*] Cleaning up...
Can someone tell me how to proceed, stuck for a while now
The flag to add would be the DC's IP address. It should be -ns or -dc-ip something. I don't remember exactly but play around those and it should work.
on sqlmap module on skill assessment part im having a hard time finding the injection point i clicked already a lot of buttons but still no post request popping up on my network tab can someone help me with this?
Hi guys , i wanna ask that student plan has direct access to bug bounty and penetration tester path right ?
Yes
All tier 1 and tier 2 modules this includes those 2paths you mentioned
Thanks
No probbb
So I cracked the hash of the root user in the "Passwd,Shadow & Opasswd" section of the Password Attacks module, but when I submit the password which is ||named after a DC hero|| HTB doesn't accept the result
I checked for trailing spaces
I fixed it
By using John
Which is weird
The only thing I did was switch from hashcat to John
How the hell did I get two whole different hashes?
Yeah that's a mystery, lol
Shout out to John I guess
Has anyone completed Windows Event Logs & Finding Evil? I am so stuck on the second question. Seemingly you just need to do as they do in the tutorial but alas that has not worked
Module:Active Directory Section:Bleeding Edge Vulns Question:Apply what was taught in this section to gain a shell on DC01. Submit the contents of flag.txt located in the DailyTasks directory on the Administrator's desktop. Cant read Daily Tasks even with system shell... Any help would be appreciated
Help
For the homies in the future - just close and reopen everything
I had this before - pretty sure I fixed by trying the other exploits
which ip address do we use for reverse shells in pwnbox?
whatever ip your pwnbox is, the one at the tun0 interface
Wanna DM me and tell me what you be doin?
yes
Hey
I'm a newbie to hackthebox academy and i just finished the ffuf module and i've taken the skilled assessment but it still shows on my dashboard as incomplete. What can i do?
You must answer all questions in the module to mark the module as completed
I have answered all the questions in the module already
On the Pass the Hash module, regarding the "Using David's hash, perform a Pass the Hash attack to connect to the shared folder \DC01\david and read the file david.txt." exercise, I think I'm supposed to use || Invoke-SMBExec, but I can't figure out what command to give it in order to connect to the \DC01\ share||
Take a look at the module. Is there no green check somewhere?
I believe the section shows you
I checked it, but I couldn't find anything about || specifying a share. Maybe I could try impacket-smbexec?||
Sorry if I'm blind. unless it's referring to || -Target DC01 but I think that's just specifying the hostname instead of the IP||
Launch a powershell session as David and it should work
Alright, thanks a lot
There is a -Hash option
If you actually read the full command line
Where it has -Target
thats container's root directory
Hello
ZAP doesn't want to accept 8080 port
And i settle my ZAP with certificate but when i put the IP_ADDRESS in the web i have a problem
I have an infinite loading
I think that it is due to the port
Help pls
hey , i am stuck in the Footprinting Hard Lab ... can anyone give me hints?
then change the port
Ok
Have you tried this in the PwnBox?
Hi, I am completely new here, and I am going through the linux fundamentals course. I cannot ssh into the server. It times out. I have tried using the pwnbox, setting up my own kali vm, and using a raspberry pi with parrot. I was able to do this one time about a week ago using the vm, but ever since it times out every time. Any ideas?
reach out to support
TY. This gives me a place to start.
Need to speak to a person? Learn how to reach our support via the Main Platform.
Anyone managed to finish most of the Defensive Modules out there in HTB ACADEMY?
Some people have all the modules completed
Im considering spending this year to try finish all the modules myself. That's why
@dreamy jacinth yes
i still have 2 years in Cyber Security in University and i wanna get as much information as possible
hello, has someone done the Web Fuzzing module of academy?
if you're asking about academy subscriptions, student plan, nothing else comes close in value
In academy? Yes, just need a university email from your school
Perfect, thank you
also if your uni isn't auto accepted, just message support they can usually verify the uni and add it
Okay Thank you!
the funny thing is gentlemen, is that i cant pay with my credit card in my country haha.
idr if they take paypal but you may be SoL
another funny fact, we still don't have Paypal in here
Emigrate
haha yeah thinking about it after i finish my studies
No personal offense but if your country is enough in early development that you cant even properly pay for shit online then succeeding in a security IT role is highly difficult
Actually true, but you have to be really talented to find a good job in here
we have a lot of IT Companies in Tunisia but the only problem is the Salary is not enough.
I have time don't worry. Im chatting here while writing a Playbook in centos for a project
My Uni can pay for any certification i want to get as long as i Obtain it. But i don't really know if they can with HTB
Tunisia is one of those countries that spies in movies make vague references about doing special ops.
"I owe you one for the incident in Tunisia" type shit
hahaha true
that's awesome, if your uni has a working credit card, then maybe you can pay though then? the student plan is pretty cheap
Its not a certificate tho
they paid for my Cisco CCNA and CCNP Security because i managed to get them.
But i don t think they heard of HTB haha
the course is mandatory for the cert
you need to finish the modules to get cpts, so it is a part of cpts
rough
oscp then? it's way too expensive for no reason, perfect to get someone else to pay
Actually considering CEH for my final year
but i wanna work with HTB first before CEH
if it's free then sure.. but ceh is trash
I mean, it doesn't hurt to get it if it's free, but also, it doesn't really add any value
If someone is paying for it then do it, but if its your own money then a big nooo
I see
After CCNA and CCNP, CEH will be a let down.
tbh, im really interested in Audit and started on ISO 27001 Lead Implementer which i think its awesome and easy to get. and CEH to get better at Pentesting and theory
best one to take is oscp if someone else is paying imo, purely because of the price, not really the quality
Im scared to get that one really..
if you want to do blue team then oscp isn't exactly for you though
its a really good certification but it takes a lot of time and practice
exactly im into Blue more than Red really
You did Certifications in Networking, Interested in Compliance, ready to take ceh and also wanted to do Blue team labs?
then ceh makes no sense tbh
Yes, i have TWO FULL YEARS to do all of that
then gentlemen i shall seek your opinion then
For compliance go with CISSP.
Im into Audit, i want to follow the Blue team Path. What are your suggestions? i have CCNA 200-301 and CCNP
https://pauljerimy.com/security-certification-roadmap/
take the rankings with a big grain of salt, but it's a good look at what certs are out there
This is perfect
No siir
This is really interesting
i've seen it before
It is a good cert if you are looking for more leadership in blue team.
yes but that's like for people with 5-10 years careers, not when you're just starting lmao
Oh
meh. It is just a cert. there are no requirements for entry.
You dont get the cert even if you pass the exam if you dont have relevant experience
Im trying to get the certs that allow me to get into entry level job quickly with good salary
I got mine 10ish years ago... I don't remember all the reqs.
but i will keep CISSP in mind for now
what about Cisco Certified CyberOps Associate?
Start with a job in mind. Then we can give you better suggestions.
Blue
Incident Response (SOC - SIEM - Forensics) and ISO 27001
Done it in an Internship for a company
iso 27001 is the oddball in that grouping. Do you want to be technical, or business? If your day consists of writing policies and attending meetings, will that be good?
does your uni have career guidance? I know those can be hit or miss, but it would be useful to consult given that we can only give suggestions based on our experience/countries
The CDSA sounds like a good option for you.
Im planning to head to the UK or Canada tbh
OSCP is often a good way to get a foot in the door for the positions you are describing.
lmao
still, they might be able to give more relevant suggestions
Good luck!
I'm doing the Active Directory - Skills Assessment 1 and the server constantly dies and restarts... is/was anyone else experiencing something similar?
--- inlanefreight.local ping statistics ---
515 packets transmitted, 232 received, 54.9515% packet loss, time 521124ms
rtt min/avg/max/mdev = 18.832/69.656/962.274/146.494 ms
Just for the record, it's not because I'm pinging - lol.
I am working on getting started and I am on the Nibbles box trying to do it with out the guide but this box keeps going offline or lagging to the point where I cant work on it. Any suggestions? I cant even browse the site half of the time to look around
Looks like I'm not the only one... maybe up the specs, HTB?
or let us pay for private instances.
the academy instances are private
ah then its just slow
restart the target, there might be some server hiccups atm
I'm able to get a stable shell on the first host
Weird. Which region are you on?
are you using vpn and pwnbox
eu 2
No, own box.
confirmed you dont have multiple openvpn sessions running?
use tcp
are TCM certs worth it or should you go Sec+ > HTB cert > OSCP for example?
Thanks, at least the connection seems stable - but now the reverse shell doesn't work anymore.
did you update your IP for the rev shell
it says waiting for rotating your log file, consider to read again the module.
yeah lol and it will not happen until you read again
and change what you have to change
and what might you be able to do to trigger a log rotation early
oh new update
Hello, I'm on the Windows Priv Esc Module; Citrix Breakout page, I'm having issues uploading files onto the Citrix Server using smbserver.py. the ubuntu server won't allow me to run smbserver.py, sudo command isn't accepting the htb-student password to escalate linux privs. I've tried relocating the files to my local htb server and uploading that way through impacket smbserver.py but the citrix server is giving me errors when trying to connect to the share. I've also tried to xcopy but I have the same issues.
I also tried to simply curl/wget/Invoke-WebRequest the files onto the citrix server but none of the commands are available in the current shell
Anyone available to DM on Broken authentication, predictable reset token? I'm stuck replicating the algorithm used to generate the token..
"sudo command isn't accepting the htb-student password to escalate linux privs", try again I just did a quick try and it works
Ty I'll give it another try
Hey , has anyone done the codify active machine ?
might have a bit more luck in #1170418907513897001, flick me a dm also if you need
I think its not the right place
hi, do i really become unlimited pwnboxes if i buy any amount of cubes? Like for example lets say i'd buy 50 cubes, would i have unlimited pwnboxes forever or is it still limited somehow then?
Still stuck on connecting to \DC01\david using David's hash
I can't figure what command to pass to || Invoke-SMBExec|| if I try to set the || -Target flag to DC01 it tells me david doesn't have service control manager write privilege there||
Hi guys i just need some help for Password Attacks Lab - Medium i extracted a docx file from an encrypted archive. The docx file was also encrypted and i found the password, my problem is that i can't figure out how to open this file on linux using the password i found
yes, as soon as you have purchased cubes, the PwnBox is activated without limits
For example with LibreOffice
I couldn't find the apt repo to download it but i'll retry
hello guys on the file upload module limited file upload
im having trouble doing the first question tried to read the source code but nothing the server keeps crashing
any hint what am doing wrong
never mind need to understand the xml
first
I never tried it with SMBExec but it should also work with mimikatz. Give it a try
Hi guys, idk if I'm missing something or I'm just stupid. For Password Attacks: Passwd, Shadow & Opasswd i need to ssh in the target for initial access (with the creds from the last module), right? My connection from my own system and pwnbox just takes forever and then dies. Am i missing something or is this a technical issue? I scanned the target and ssh is running.
nvm, when i deactivated my vpn it worked -.- never had that issue before with htb
hey guy, in module "Linux Privilege Escalation" ==>> "Logrotate" they explained that needed to check the "/etc/logrotate.conf"
and C which version the Logrotate is & of course have W on it
but I can't C any of that, someone can help?
Hey guys i'm new here and i have a little problem. I'm currently doing the "Starting point" to Learn the basics of penetration testing (Tier 0) and i'm doing the last room called "Synced" but when i'm trying to get the flag i just get "Permission Denied"
Anyone who knows the problem?
HEYA!
module: BROKEN AUTHENTICATION
section: Brute Forcing Usernames
question2: I know the answer but I don't get how I should catch it. Feel like i've tried everything in the section but nothing stands out.
Try fuzzing
Total time: 0.033627
Processed Requests: 17
Filtered Requests: 17
Requests/sec.: 505.5420
hey all...real quick...i am just starting on this journey and am at the web enum portion. I have my instance started in web browser...and the target spawned...shouldn't i be able to ping this box? or do i need to run ovpn? I'd get it if it is supposed to happen then i'll move on, but...
wfuzz -c -z file,/opt/useful/SecLists/Usernames/top-usernames-shortlist.txt -d "Username=FUZZ&Password=dummypass" --hs "Invalid credentials" http://94.237.56.76:36957/question2
nvm...looks like i need port included
im on Try to exploit the upload form to read the flag found at the root directory "/". and im really stuck on getting past the mime filter. ive tried a few magic bytes and ive successfuly uploaded but i cant locate it on the server.
and ive figured out where and what it should be called. but still cant find it
can anyone dm for a little help?
the explanation in the module is poor
and I can't get to the bottom of this
Check your hs switch value. You're hiding the wrong values
guys im on the upload skill assessment but how the fuck we can put image to the server with get request XD am i missing something
Yeah, Wolfiej is back. Long time no see
o/
I never left
Just had other things on my mind.
(and I just wanted to reply to someone so that I could see if I was still listed as a hacker)
I've gone through a few. could you send me the right one in a DM if you have the time.
Why should you no longer be listed as a hacker? Has your rank at HTB changed?
I thought it decreased as they removed things
got it XD
Had to go back and double check. Try checking the site out with Burp Suite, and try with some random names, and check the data string of the HTTP POST
You need to specify the port
Hello all, need a bit of advice.
Just finished the Attacking Common Applications module (UGH) and was wondering if I absolutely had to do the Linux PE module before doing the Windows PE module…long story short I've heard that the Windows PE module is a pain and I'd like to get that out of the way first
Tbh I'd do the linux one first as a sort of breather
yo, can somebody explain to me what this code is doing::
⏰ waiting
I can't post imgs for some reason smh
Because your account isn't linked
It requires an account on https://app.hackthebox.com
Are links okay?
Meh
If you read under description it tells you
I'm assuming it's off the hacking WordPress module?
nope just experimenting, already finished the module
Can anyone give me a nudge on AD Enumeration & Attacks - Skills Assessment Part II - Use a common method to obtain weak credentials for another user. Submit the username for the user whose credentials you obtain.
the disc does not make any sense, it says rce, but the disc is something else
(am I re7ardd?)
.
Yes
good to know
If you're doing stuff outside the module you're really not gonna get much help
You're better off verifying and asking in #web
Or one of the other channels that become available
Alright I will right away, much obliged
wait where do you verify your acc again,
(sorry for the stupid questions I'm fresh off the boat haha)
yayy done, hi five
Not gonna congratulate you on the bare minimum
Is this where I learn to heck
Try password spraying
I'm currently working through the 'Abusing HTTP Misconfigurations, Hard Skills Assessment' and I've hit a bit of a snag. I've identified a reflected XSS vulnerability in a Python server that seems to be susceptible to parameter cloaking. I suspect I need to employ some form of Host header attack in conjunction with an interact server, but I'm struggling to pinpoint the exact method. If anyone has insights or can offer guidance, it would be greatly appreciated. Thanks in advance!
does someone knows Y the shell I use in Logrotate close after a few seconds??
I don't know, but you can simply change the password. Then the shell will remain, or you can log in again
ok so I saw this:
https://ivanitlearning.wordpress.com/2021/04/17/hackthebox-book/
thanx to @tidal mango (thanx BTW)
I don't C how from that section in HTB I could understand that I need to do it like that
Hello, guys I am stuck on the 4 question Pillaging Windows priv, I cant find the credentials for the Jeff user, so I can log in and finish the 4 question. I saw nobody is asking about the Jeff Cred so it has to be something dumb easy, but I swear i dont see the way. Can somebody give me a hint or something. Please
So let me ask this as I feel like I am missing something...for web enumeration/certificates...Am i going to the IP presented as target box and supposed to view cert or go to inlanefreight.com to view it? Because whenever I put in the IP with https i get secure connection failed...then without the https i get the htb academy blog page....kind of confused because not sure what to use in order to get the info from cert and robots.txt
you can try, but yeah… Linux privilege escalation is one of those modules that isn't up to the HTB quality
Hint: ||restic||
anyone interested in helping out with file upload skills assessment?
Then your name would no longer be white
Sorry I cant find anything in the restic Backup folder, is that the thing you meant or
What is the path to restic backup folder?
It is in e drive
right, now check for snapshots in that drive
I just see the 5 files which names are letters and numbers
good now just follow the module
im doing the footprinting module and im having a little bit of a struggle with the mount part, i think i have the right command but i want to make sure if i can dm someone to see if im in the right path it will be of great help
i'm doing the Analyzing Evil With Sysmon & Event Logs module and for some reason when I pull up the sysmon logs in event viewer I'm getting no logs with an Event ID of 7. I'm not sure if i'm setting it up wrong or what
What exactly is not working? Can you not access the mount?
everything is working perfect till i get to try to open dir
So, you can't access it?
Switch to root and try opening again
i dont have permission to open the folder, yes
Sudo su
that was really helpful :)))))
You're welcome
i had all day doing that, deleted my vm in the process two times and everything
Thanks, got it
guys i dont want to spoil anything but so i have some questions about the file upload skill assessment i finished it but i still dont understand something if i can dm someone about
just to avoid spoil
you can use spoiler tags in case
yeah i just finished it as well
it really messed with my brain
file upload assessment that is
but of course feel free to dm
||when trying to upload an .phar.svg file with only the php shell i got only image allowed but when trying to upload the shell with <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg > it worked just confused even tho the upload.php its not checking what is inside the file ||
Module:Active Directory Section:Attacking Domain Trusts - Child -> Parent Trusts - from Linux Stuck on the question to get bross ntlm hash... got golden ticket but dont know how to get the bross hash
Where do you think the hash of âbrossâ is stored?
thx to @fiery berry â¤ď¸
no problem
@undone narwhal guessing in the sam file
Nope, that is true for a non-domain joined host
Do i need system shell to get the hash - im confused
Which section do i have to lookup?
I tried to settle my ZAP for 1 hour and I failed. Can you, if you have time, send me like a video which shows how to settle a ZAP.
did you complete the PASSWORD ATTACKS module?
revisit these two sections from that module
Attacking Active Directory & NTDS.dit
Pass the Ticket (PtT) from Linux
hey thx
I could have given you a straightforward answer, but it wouldn't help you understand the concept. But if you need it, ping me
im trying it out for now... maybe ill come back
From my notes you're missing a /c before the cmd expression
Thanks!
I am doing Network Enumeration with Nmap, and trying to answer the question on the Service Enumeration page https://academy.hackthebox.com/module/19/section/103. When I scan all ports of the IP, or even specific ports or ranges, the output always shows all ports scanned as filtered. I don't understand how I am supposed to find what service to find to submit the flag. I have tried different scan types (-sY, -sA, -sT, -sS, -sV, -sC), --packet-trace shows no bytes received, all to no avail. I think I am missing something but I don't understand what.
below is an example (have tried without min rate but wanted a quick example). And VPN is showing initialisation sequence completed so should be good in that regard
|| Pn and sV should be fine||
Run ip a and ip route. It looks like you have a networking issue.
also ps aux | grep openvpn to make sure you don't have more than one running.
Finally, try switching the vpn from udp to tcp (or the other way around).
So I'm doing the Password Attack modules and it says to use the resources provided (password.list, custom.rule) to mutate the password list and brute force a login for the user "sam". Now I used Hashcat to mutate the password list with the custom rule provided but I'm wondering how long this should take, been running hydra with 64 threads for about an hour now with the mutated password list.
Can you do it against a port that responds faster?
Yeah that's what my next idea was. I assumed it would be easiest to bruteforce via SSH since the question says to login with SSH after you have the password. What about running hydra through RDP, would that be a quicker port to target?
Test it, but there is a faster port.
Don't do it against ssh
Okay no SSH got it
Ssh is a slow as balls port
Don't just read a question and assume: always enumerate the given target first
Fair point
Just because you know the end goal doesn't mean it's the intended way
didn't even enumerate now that you mention it, dumb on my part
