#modules
There should be
yes, rdp, smb, ssh, winrm and so on
i am doing the module of passwords attack section 4 "Network services"
try something else
not ssh
ok will try. thanks
Thank you so much , it works for me . You make my day !
i got the ssh credentials
Hello everyone, I'm passing the zephyr
I’m faced with the fact that I can’t go beyond ZPH-SVRCA01.ZSM.LOCAL, I received a session on behalf of Jamie, but I don’t understand further that ESC7 is simply not being done.
help me please
Wrong channel
Read and follow #welcome and there's a #prolabs-zephyr
With mssqlclient it goes immediately
You can do it as one big multi-line thing
Or on the windows host: sqlcmd in the command line
Well they don't have admin privs... on that server
Also be careful pasting steps, as it can still be spoiler (spoiler text does nothing)
hey, can i store a hash inside a file with no extension to use it with hashcat
Yes
The file extension really doesn't mean anything
It's just an organization thing
thank you
So you know it's the hash(es) for x thing
what do you mean by that?
It means what it means, they aren't sysadmin on that sql server, maybe a linked server
hey there! I got stuck but was able to retrieve the file and complete the challenge. However, I'm trying to figure out why I can't use the regular command to display and read the file while other files work. Any idea why specifically flag.txt cannot be displayed?
hey can someone explain what the -1 stands for
hashcat -a 3 -m 0 md5_mask_example_hash -1 01 'RANDOM?l?l?l?l?l20?1?d'
Password Attacks Lab - Hard
Examine the third target and submit the contents of flag.txt in C:\Users\Administrator\Desktop\ as the answer.
Hey guys, I am stuck in this section. They said that there is a user named Johanna. I am able to bruteforce and find the password for johanna and I am logged into RDP. There I got a file named Logins.kdbx; I transferred that file to my machine using FTP, and I used keepass2john and got the hash for that file. I am trying to bruteforce with the password list which is provided in resources; since yesterday I have been stuck in this phase. I even tried mutating the password list with the custom rule provided in the resources and also tried rockyou.txt. Thank you for any help!
Should be in rockyou iirc
i even tried rockyou but no use
¯\_(ツ)_/¯
It should be there
Also make sure you didn't get an empty file in the 2john file
ok let me try again
Also you may need to run it with python2
python2?
A lot of the 2john python things are written in python2.7
okk! got it
Sounds like potentially your network connection
yeah i am also not able to connect to rdp using my own machine whenever i need to use rdp i use pwnbox
I've had little to no issues with rdp via my own vm
yeah in my case
When encountering issues, changing regions often fixes it
¯\_(ツ)_/¯
If you're constantly facing issues: reaching out to support is the best way to resolve them
what pain
SQL (WIN-HARD\Fiona guest@master)> EXECUTE ('SELECT @@servername, @@version, system_user, is_srvrolemember(''sysadmin'')') AT [LOCAL.TEST.LINKED.SRV];
[-] ERROR(WIN-HARD\SQLEXPRESS): Line 1: Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
You're getting closer
any last hint before i quit?
Execute as
that also did not work, tried it before
if you're in the Footprinting module, don't bruteforce the acquired hash.
there is a footprinting word list under resources that would help you out!
so about the -1 thats the custom charset im pretty sure
For example, if you specify -1 ?l?d, hashcat will use lowercase letters (?l) and digits (?d) for the first position in the password, and then follow it with characters according to other specified character sets or rules.
?l: Lowercase letters (a-z)
?d: Digits (0-9)
So, when you use -1, you're defining the character set for the first position
so in your example:
-1 01 'RANDOM?l?l?l?l?l20?1?d'
-1 01: This specifies that the first position in the password will be either '0' or '1'. This means that the password will start with either '0' or '1'.
'RANDOM?l?l?l?l?l20?1?d': This part defines the character set for the rest of the password. Let's break it down further:
RANDOM: This indicates that hashcat should use a random character for the position.
?l?l?l?l?l: This specifies that the next 5 characters should be lowercase letters (a-z).
20: This indicates that the next two characters can be any characters (since '20' is not a special placeholder).
?1?d: This specifies that the next character should be either '0' or '1', followed by a digit (0-9).
I hope that helps a little bit. I hope I didn't accidentally miss something or misunderstand.
https://hashcat.net/wiki/doku.php?id=mask_attack
here is the wiki link to it
EXECUTE AS LOGIN = 'sa'; SELECT SYSTEM_USER; SELECT IS_SRVROLEMEMBER('sysadmin'); REVERT;
[-] ERROR(WIN-HARD\SQLEXPRESS): Line 1: Cannot execute as the server principal because the principal "sa" does not exist, this type of principal cannot be impersonated, or you do not have permission.
Maybe a different login
Linked server is the right step too
ok thanks, but i am out
my life is too short for that
well all I can say is you're close to the answer ¯\_(ツ)_/¯
oh man that was the clearest explanation
I can't get pwnbox to display content in academy, this is what it does, pls help
I’ve reset it multiple times all the same
I need pwnbox for this exercise, it will be too slow on my computer
Probably not a good idea to nest VNC sessions in a VNC session
Open the section/module in one tab and keep pwnbox in another
Well I can’t get the password list to paste thru the bin
Download the file, use wget
I have it downloaded
Then there is no reason for you to open/access academy from pwnbox
K
Hey - Basic Bypasses section for File Inclusion. I'm stuck on the challenge
I have tried URL encoding. I have tried languages/....////....////. I am aware of the languages approved path
Parse the MFT file (not USN journal) and take a look at all files with a zone identifier. In the MFT the zone identifier contains the full original download path, including filename, and it stays when you rename the file. So if you find a file named 1.exe but the zone identifier says someip/virus.exe you know it has been renamed.
The question is worded confusingly because while you used the USN j to see the filerename stream, the actual information you need to see what it has been renamed to is not in USN j but in the MFT.
no need to encode., just use one of the recursive payloads in the section
Thanks, I've never used ..../ before. Is it just ..../..../..../..../..../..../etc/passwd? as an example
See the below picture. Discord filters lol
Is that from the section?
i meant the picture, discord took out the other slash, but yes it's referenced
I mean start from the first example used and try if it doesn't work, move on to the next.
Sounds good thx
hes back
Helen pls
hellen Keller didn't see that one coming
On my pc it works fine, not pwnbox, but it is so slow with brute forcing. I want to use this and cannot get wget to work
Ctrl shift S brother
Er, win shift s
For screenshots
So you don't have to take bathroom mirror selfies with your terminal 
Not answering my question
When you're trying to exploit the login form but the creds are in the assessment question. 
so is port 2121 supposed to be closed in the ftp section of common services
the last 3 ips have the port as closed
Are you doing a full scan?
yes and when i used -p 2121 to scan the specific port it comes up as closed
the last 3 IPs were closed.
Sometimes it takes a few spawns
can someone give me a hint as to what the gotcha is in the SMTP part of http attacks. I've already tried writing a script that tests all the mentioned headers etc. The only clue that I have is the "disconnected" status of the mailhog; would that mean it's a broken question?
Use NSE and its scripts to find the flag that one of the services contain and submit it as the answer.Our client wants to know if we can identify which operating system their provided machine is running on. Submit the OS name as the answer
Good evening masters, I would like to ask a question (file upload attack: blacklist filter). I think there is a problem with its source code. I used webfuzz to enumerate the extensions, uploaded successfully, but it is not executed. I see the tutorial uses (phtml) but when I upload this it is filtered
I checked the content of the post and it didn't seem to be very helpful (https://forum.hackthebox.com/t/file-upload-attacks-blacklist-filters/258817)
The reproduction process is a bit inconsistent, do the masters know what's going on?
The example is just showing you an example, you need to find your own extension that will work.
how is it i found the smb section stuff before the FTP stuff...
anyone available for some questions regarding the http attacks skill assessment?
Hey, I'm probably stupid but why can't I connect? I was trying to regenerate the machine and still it is not working https://cdn.discordapp.com/attachments/1127953059335655444/1223316634249199677/image.png?ex=66196965&is=6606f465&hm=25126f7dbd968bae346ed767c0f30a6d63a0201f4a8f78815679eb578f148340&
ssh htb-student@ip
unless they specifically stated that the ssh port is somewhere else, I would reset the box
well it worked now but I was trying it before and it didn't work so idk (probably I typed the ip or username wrong, idk now) but thanks
It looks like the box you're attempting to ssh to is dead, respawn the target
If you want to embed pictures you can read and follow #welcome
Is there a secret to getting multiple connections over ssh with a dictionary cuz this is taking forever, already been hrs, had to reset the machine, change list etc
best to say what module/question you're working on. nothing is going to require you to brute force for hours so you're probably doing something wrong.
Don't attack ssh?
I’m on passwords module with mutated password list it goes one by one haven’t done anything wrong
then why are you asking for help
Yeah, don't attack ssh, go for a different protocol
if you know you're doing it right
Because it’s slow
Because ssh is slow
and we're telling you, you're doing it wrong
We understand what the question states
I'm using crackmapexec because hydra is updated to the fullest version and won't ssh
But try a different service that's running
Rule 0: don't just assume the question is telling you everything
Ok
Thanks, I saw ssh in it, I should have read more carefully, could have saved me a lot of time
Many times, in this module especially, the question gives you the last step
Ok
I don’t understand why ppl like to point out how stupid you are without pointing you in the right direction I could do without that. Thanks marcilee for answering without the typical social media bash
I only bash if you're being extremely dumb. Like you clearly didn't read/try anything dumb
no one bashed you
They're saying thanks for not bashing
How may I get base64 encoded version but without running var env ?
Well I used base64 -w 0, I don't know if it's the good tech.
why do you want to encode this?
Because the command was not working as default, I had to encode | but the only thing I found is ";" or "()" etc but I have only the ping :(.
Last payload: || fIND${IFS}${PATH:0:1}usr${PATH:0:1}share${PATH:0:1}${IFS}%0a${IFS}gREp${IFS}root${IFS}%0a${IFS}gREp${IFS}mysql${IFS}%0a${IFS}%0a${IFS}tAIl${IFS}-n${IFS}1 ||
what module and question
My problem is |.
I tried it as well as encoded char : %7c
But not working.
are you able to inject a simple command like 'whoami' or 'id'
Yep.
But not getting the valid answer.
Just ping.
Or I found maybe something.
why not encode the string you are tasked to find rather ?
if you think about it, where is the filter being applied. on the web application, or on the system?
I was doing this but I restarted to try to find the basic commands who were passing.
I found something I use strings.
Just I have a lot of lines so maybe the last cmd isn't working...
use the previous injection operator, the new line one.
To replace | ?
yes pretty sure that runs through the whole module
you're making this a lot more complicated than it has to be. again, where is the filter being applied, the web app or the system?
except the skills assessment ofc.
Already using it.
Just I have a big result and not only one line.
then you are doing something wrong.
Yeah I am trying to fix the cmd.
how did you encode the string in bs64?
bro that's a lot of command you need to bypass lol.
can i write u here?
I'm trying to use the module drop_sc. It worked, but when I used ntlmrelayx I get connection received.
I see that J...s is trying to connect. Would be possible to give a hint on that?
if you can make it work then Mazel tov!
?
just know that b64 method is simpler cuz' you might break the code.
???
And my deduction was good, it's due to |... 😭
find ... | grep ... | grep ... | ...
How may I encode it to have the 3 more cmds :(?
again, this is very simple
^
answer my question
?
where is the command being filtered from, the system, or the web application
web app.
okay, so if the command is being filtered by the web app, why are you obfuscating the command on the system's side
do you know that | / grep is filtered?
all you need to do is bypass the filter on the web app
^((\d{1,2}|1\d\d|2[0-4]\d|25[0-5]).){3}(\d{1,2}|1\d\d|2[0-4]\d|25[0-5])$
as Humangod said, the base64 method is a lot easier
yes
if you utilize base64, you don't need to use the {IFS} etc bypasses, because those bypasses are only good for the web filter.
In base64 & decode it in when sending?
there's no reason to go crazy with command obfuscation if you're already able to send a command
yes as shown in the section
you see, the obfuscation only helps you get past the filter, which is the web app
fr it's a lot of work, cause you may not know that grep or | is blacklisted, hence more obfuscation.
I'll now pass the cmd to decode it when running, now I know how to bypass filter to run cmd.
excellent
you will have to slowly change that mentality.
but you learned a lot, so not really lost
agreed.
Yes :(.
gl on the skills assessment!
Thx xd.
that dopamine hit when you get the flag 
So if I see a pattern from code source, I can just use base64 / xxd or another encoder ?
sometimes the bash command will be blacklisted
so you will have to just bypass that one with something like this ba's'h
or it wouldn't accept a space in the bs64 command but that should be enough to work.
The htb academy modules are necessary to be able to violate the "headless" machine.
Huh?
can anyone help me out, test if the splunk machine works in the attacking common applications module?
it works
can you actually check? I've been trying to access it and it seems down
i can ping and connect to the server but the webapp itself splunk seems to not be working
My English is basic, sorry. I need to know which modules are necessary to exploit the 'HEADLESS' machine.
you can reboot the machine if you don't think it's functioning correctly, but the walkthrough gives you exact steps on how to complete the task
Still 0 idea what that means, are you referring to a machine on htb?
yes.
It's an active machine, so you won't receive any guidance or hints for it
it works fine
you connected via port 8000?
yep
reboot the machine, verify you're on the (correct) vpn, give it a minute to fire up, and try accessing it again
quick question on scp
also, use https not http
scp source destination
It requires that the remote host is running ssh
https://academy.hackthebox.com/module/226/section/2416 doing this one right here
And ofc that you have creds
It works from start to finish. DM me if you're having troubles.
Also just ask your question
so yeah my pcap is on the ssh desktop right now and trying to get it on the pwnbox
alright
Friends, please, an important question that doesn't let me move forward:
How to open a .txt file that I found inside an XML file or HTML file. Anyone who knows?
You're better off providing the module/section/question you're on
htb is telling me to use this byevincent@htb[/htb]$ scp htb-student@[TARGET IP]:/home/htb-student/pcaps/patchwork.pcap . but it just lands the file back onto the ssh desktop
thx ill try
Regardless of that, there is a question in which it sends me to look for a flag and I know where the flag is but it is inside a txt file inside an xml file I just have to open that txt file and that's it, in the module it doesn't say how open it
notice in the 'copy remote file to local pc' command the . at the end, replace that with whatever directory you want
Again, no one can help you unless you provide the required details I already mentioned. We need to know the module you're on, we have no idea why you're trying to scp a 'text file inside a xml file' because that doesn't make any sense whatsoever
is that file path the path you want the file to be placed on the local
this isn't even probably what you need to achieve what you want. if it's a text file you can just copy/paste it over.
port enumeration with nmap
that's why we need to know what you're actually working on instead of not knowing about scp
alright well i didn't do that module so maybe it does need scp, i don't know, someone else can chime in for that.
based on the question alone, it sounds like you get the flag from running the correct NSE script rather than scp
Likely did a -oX which outputs xml, which you can convert to html
Iirc the module shows how to do that
yes
Then do the xsltproc or whatever command to convert it to html as it shows
I performed the scan, I opened the file in html and within the web page I could not open the txt file either.
contacted support @cloud urchin, I examined wireshark and it's throwing RST flagged packets back at me; I'm able to touch the port with nmap but something internal seems to be wrong with my account, idk.
Can you show me the URL you're using?
try https, not http, like i mentioned earlier...
awesome
the ssl/http part of the scan just flew past my eyes
it happens
can I dm somebody? I am stuck at the last question from the module Attacking Common Services in the skills assessment: Submit the contents of the flag.txt file on the Administrator Desktop.
sure
Hello, I'm stuck on the port enumeration module with Nmap.
In a question asks me to find a flag, I performed the scan with Nmap on the destination port 80 and I know that the flag is in _http-enum within a txt file
sudo nmap 10.129.2.49 -p 80 -sV --script vuln
The problem now is how to open that txt file that I found in an Nmap scan that contains the HTB flag, someone help me please
?
Hello im doing broken authentication module this section
Create a token on the web application exposed at subdirectory /question1/ using the Create a reset token for htbuser button. Within an interval of +-1 second a token for the htbadmin user will also be created. The algorithm used to generate both tokens is the same as the one shown when talking about the Apache OpenMeeting bug. Forge a valid token for htbadmin and login by pressing the "Check" button. What is the flag?
did i write the script wrong?
Someone?
Robots.txt is a file on the webserver
You can just visit it via http://ip/robots.txt
Ohhhhh, wow, it hadn't occurred to me before.
great, thank you very much
gonna have to think outside the box if you wanna succeed sometimes
I will have to go over the learning module again
I'm working on the final question for pivoting skills assessment. I've found the DC and ran a portscan against it. I've identified listening service that I can pth through. I've tried both users, but get the not permitted message. I suspect i need the-watcher's credentials; dcsync doesn't work either...any nudge?
hello guys, i need help
Module - Password attacks
Task - Credential hunting in linux
My problem - I use scp to send the lazagne.py file but lazagne needs python2.7; this machine has python3 and when I run this command it is not running: python3 lazagne.py all
machine should also have 2.7 iirc
Is anyone having issues with freerdp I am trying to finish intro to AD but I get a blank screen on win server or it disconnects really annoying
no issues
if you get a black screen with rdp; just hit enter
I'm on the thick client section, I'm redoing the exact steps as in the module but executing the monta.ps1 to create the restart-service.exe doesn't work
i get this error, any help would be appreciated
powershell wont work
nvm worked when ran as administrator
still don't know why but whatever
try to question
In footprinting easy lab, I have gained access to ftp and proxy but when issuing commands it returns nothing.
what command did you try?
After establishing connection with proxy;
proxy ls
proxy dir
maybe check for hidden files
Already done that, the only thing that returns is “Entering Passive mode and Transfer Complete”
on what port did you connect to ftp?
perhaps type the command passive before running ls -la.
Oh shoot I was only trying ls -l and dir. so dumb thanks
Hi, anyone can help to clarify some queries i have on the module Kerberos Attacks?
probably, just ask here
I have managed to complete the assessment with some nudges
I'm curious how people get the intuition to complete the assessment w/o any nudges.
For example
- Finding out which user can RDP into the server (Bloodhound for example, didn't show any hints / clues on this)
- Finding out which user can access the fileshare on the DC? (Is this because only 1 user could be seen accessing the machine we're on?)
Kerberos isn't really a beginner module, so I think it assumes you know things about AD already
a great tool for those specific things you mentioned would be CrackMapExec
I completed the AD enumeration path previously, while i am definitely not an expert in AD related stuff, i hope i am conversant enough to know what's going on 😓
i have to imagine the ad path covered finding shares, rdp, etc
indeed, i didn't try to "enum" the shares once i got a new user (for example). point taken!
right, especially those later modules it kind of expects you know some things, or to look them up
one of the first modules i did i felt that way, i did the adcs module and wasn't sure how to proceed, i had mimikatz and could dcsync but i thought i had to do it purely through certificate services, but no, you just dcsync and get it which it didn't really say
yea i guess i had the impression / mindset of it being a standalone module, and not relying on knowledge from other modules. Since this is the first "advanced" module i took, i guess there is a need for some mindset shift
yeah pretty much
thank you! 😄
Working on CWEE - Attacking Authentication Mechanisms - JWT part. For insecure KID parameter processing it gives us 2 sorts of "tests" to check for command injection, but I'm not quite understanding the methodology I might use to fuzz for these types of errors and this particular thing
obviously in the instance it gives it to me so I can follow along, but I'm not following how I might actually fuzz this character set to confirm this vulnerability in this instance
and would love some additional explanation if anyone understands it better ❤️
someone ?
On the FFUF Skills Assessment, why is this command missing the /courses directory?
The recursive command found it right away
Recursion does not matter in this case because it's the first directory, so the first command should have worked too.
This wasn't reported on any of the github issues I searched through that seemed relevant.
I know this isn't a HTB problem, more of a FFUF problem, just wondering if there is a workaround for this if I'm not scanning recursively.
Okay that makes no sense at all, just throw a slash behind it and it shows up with courses, and oddly icons
WTF?!?!
WHAT. THE. FFUF?!?!?!
All jokes aside this tool is garbage. I'm going back to gobuster after this module.
Is that directed at me? If so, what skill issue?
the extension
php?
the first command is php7, the second is php
Yeah, no. I went through all combinations, didn't matter.
The non-recursive command doesn't work with the extension on it for some reason.
I tried without the slash at the end and that worked, also without the extension
There's really no rhyme or reason, that's why I'm experimenting with every option. Just frustrating, but I'm at least learning what to trust and what not to trust.
Friends and mentors, I am yet again defeated. I'm on attacking WordPress. It's asking me to find another user whose shell is set /bin/bash I have the passwd file and have tried those users with said shell. Am I missing something here?
I have rce
what module is that?
Sorry, its attacking common apps
maybe learn how the tool works first
I did I'm just pointing out the anomalies.
I'm done with the module, I'm on the skills assessment.
if you have rce, you can cat the etc/passwd file and literally read line by line for a user with that shell opt...
What is first thing you check after gaining local file access on Linux ? Answer lies in that.
Also I've found that DNS scanning kills my connection and errors out.
I thought so too. I even got chat gpt to read it too in case I was just blind
or you can leverage the vuln plugin code for that xd.
it's not an anomaly, that's how the tool works
At least that I was able to find a known issue on their github
I'll check again
What exactly are you talking about?
One command worked and one didn't
False alarm, I had already answered it
I just saw the red error and didn't read it. I'm up since 4am 
do directories have extensions
Also I was running DNS with the -sa flag and had immediate "[WARN] Receiving spurious errors, exiting."
Based on my research it seems like some people have that problem and some don't, but there wasn't really a fix for it and the logs didn't show much.
It was at least fun to try and go through the module. I'll probably stick with gobuster, but I've seen wfuzz mentioned so I might try that too.
look for an injection operator that is not blacklisted
I tested all the operators of the "black list" course, are there others?
try the url-encoded ones
you dont need to add the other commands yet, just try the operators until you get one that is working
That was a fun one indeed 
then you proceed.
Yes, I was trying all sorts of full commands but when I went back to systematically getting an operator then a ce it all fell into place
Ok ok man, so I delete my big command and I search for a correct operator for the injection of my command "ls" for example?
ls is not an operator
Injection operators are the |, ; and whatnots.
did you get a working injection character?
No I test this yet
I don't have any results, so what should I do?
What do you consider to be a result?
when I have a display other than all other displays? Or that I have malicious command injection alert
when you don't get the alert.
euhh so my command injection it is okay ?
where did you capture this request in the web app?
yes
take a look at this req.
the one you told me to delete? okay I look
that's where the vulnerability is.
I told you to delete the commands you were using to test for the injection and look for a working injection character first not the whole request.
ok but in fact if I come to you it's because I don't really understand; precisely, when I do my command injections without this request I have nothing and obviously that's normal, so how do I know if my command injection is good or not? And to finish, basically I needed a hand on the prcq command, I think I'm close to the goal but I'm stuck
you are very close.
you first used some commands and there was an alert, which is a good sign.
Yes I suspect it, I don't see where I'm blocking
so you only need to find a way to bypass that.
did you capture the previous request again?
yup
replace the ${IFS}ls with the injection commands.
yes but no need to add the ls right now, we will gradually build the payload later. we want to see if %3b is accepted by the server.
if you still get the alert, you try the other characters.
you only use it on one parameter eg. from:xxxx.txt%3b not the others like to and move.
no well seen
Thanks Marcie
its best to just capture another req.
How so?
nvm just use | what do you get?
Hello friends!
Faced with the problem of creating a python server
sudo python3 -m http.server -b 10.10.14.x
But it only works on a local network
The firewall is turned off. OS: mac OS Sonoma
something might be broken when you type the commands on all the parameters, that's why I suggest capturing another one.
you didn't click send btw.
Yes you must be connected to the same network, then you can also use the ports method
find what?
I find
im doing the Passwd, Shadow & Opasswd and I cannot access or edit the passwd file? What can I do to get the root password?
To find the operator that works, you only need to add 1 operator at a time to the request in the parameter you have found.
See if any of them have a different error message or even no error message. Then you'll know which one passes the filter without causing an error.
Make a note of which ones you've tried
Try them all! URL encoded too
This is all you have to do right now
No bypassing characters or anything yet
how long should it take to crack the root hash?
because its showing me 1 hour and 48 mins
machine have python, 3.8 and 3.9
what is your proble
question 3.
-M drop-sc = succeeded
ntlmrelayx = get a connection from J....s, but no hash
module section
ntlmrelayx doesn't capture hash
rockyou.txt
the subsection is called "Stealing Hashes with drop-sc Module"
also made the mut_password and it gets exhausted
and Relaying Using NTLMRelayx and drop-sc
if you want to capture the hash, why relay?
because that is the objective of the question.
cme -M drop-sc -o OPTIONS
listen with ntlmrelayx --relaylist
as I said, I see that the user tries to connect but no hashes come
are you doing skills assessment or the section?
also again, ntlmrelayx does not capture hashes
skills assessment
no questions in the skills assessment specifically told you what to do
if you want to capture the hash, why relay?
thanks bro, I'll find another way
hey, sorry for bothering you. Were you able to finish the module? Could I ask you a question?
that was very kind of you, but i am reformulating my question to another person. but i really appreciate your help
Is there a faster way to crack the root hash? Because with the rockyou.txt is 2hours
when i mutated the custom rule with the password.list
it said exhausted
im using hashcat
it's in the mutated list
your mutated list should have 94k lines and make sure your hashcat command is correct
and you're trying to crack the right hash
send the hash here
hashcat -m 1800 -a 0 unshadowed.hashes mut_password.list -o unshadowed.cracked
the hash itself
$6$XePuRx/4eO0WuuPS$a0t5vIuIrBDFx1LyxAozOu.cVaww01u.6dSvct8AYVVI6ClJmY8ZZuPDP7IoXRJhYz4U8.DJUlilUw2EfqhXg.
after the mutation i get 606 passwords
how to make 90k?
hashcat --force password.list -r custom.rule --stdout > mut_password.list
don't use --force
ok
and you're missing something from the command given in the module
where can I read and find about the missing part? In the module again?
yes, there's a section specifically for password mutations
The cheatsheet is missing it
Nah, the cheatsheet that has the mutation command is missing the one part
Ye
I am stuck in this module. Lazagne does not work in Python 3 and above versions. Has anyone experienced this?
lazagne doesn't really work on linux, compile with pyinstaller if you want
but you can use other tools for that section
Do you have any suggestions similar to lazagne?
you can't cat /home; try listing the files with ls instead
use other tools in the section
ls is not okay
what do you mean?
you're typing Ls instead of ls. and you can't 'list' a flag either.
obfuscate the ls ¯\_(ツ)_/¯
the same way you did for cat.
Yes I have been doing it for a while
dude, instead of waiting for someone to guide you step by step, why don't you go through the module again to understand the techniques
who's doing the skills assessment here 
Because I've already done everything right
apparently it's not bro.
The section does not recommend any other tools, but they gave scripts for manual search, I used them, but it took too long and I haven't found them yet. -_-
you should try changing your injection character.
try the firefox one
Good question, since I do everything after they give me advice but it doesn't help me, so I suppose that you are not more advanced than me, currently not knowing why my commands do not go through
oky
I'm going to do it, I have 4 working ones, I've already used 3
you should prolly reconsider that, his badge says differently tho
calm down mate. we know you're frustrated and we get it but this is the way to learn XD.
my advice is to go through the module again to understand the techniques, simple as that
I know but I'm just learning, he must take that into consideration as well. My goal is also to succeed and understand but I'm happy to bang my head against the wall but a little help from time to time doesn't hurt
when you use an injector, for example %0a try appending with l's' and see if it lists the files
if it doesn't, use another injector, simple as that before you add the rest of the commands...
I will give you a hint, your injector is wrong. it's something simpler than that. and read my above message.
Like this?
No sir.
first of all, I was giving an example not the actual working character.
I mean type xxxxx.txt(injector)l's' only and see if it lists the files, then keep changing the injectors until you get the files listed
So if I don't get the alert message, do we agree that my injection operator is working?
yes, and to be sure add it to l's' command.
that will show the files in the current dir if its working...
Okay so as I said earlier, I have 3 operators that work, here they are as proof
don't add any other commands apart from these first
okok
you have to take time and try everything until you get a hit
yes keep trying them all
I find
Where am I making mistakes?
which one?
did you get the latest version from github?
well from the output its working..
Passwd, Shadow & Opasswd section yeah? aren't you supposed to be the will user?
The previous episode asks for Will's password, I'm trying to find it.
now list the files in the / dir
thank you, it helps me a lot and I was able to understand something else thanks to you: other operators can pass, but it is really necessary to test all the conditions before issuing commands with each of its functional operators in order to identify the one which will be useful for command injection. I think frustration played a big part too. THANKS
yes now it is easy ^^" I was just stuck against a wall I had to find the door thanks man
you don't just start firing the commands.
the skill assessment builds on each section
is there way not to use the initial box and just do the rest from my own in shells and payloads
the rdp is slow and small af
ah right, did you try it with python3.9 like in the section?
you can pivot, but it's more work to set up revshells and stuff
Every time I have to run crackmap for a while my VM loses internet connection/seems to get throttled. Then starts working again after a couple minutes. Has anyone else dealt with this? I'm attacking rdp, running Kali on Virtualbox.
bruh i think someone jammed the 8080 port on hospital machine cuz i cant access it
that's not related to modules
ye
ask
as I've said, include module, section and more details
module is "file transfers" and the section is Windows File Transfer Methods and also it has ftp open but i can't connect to it for some reason
Okay. Usually when Windows hosts don't have an internet connection, along with xfreerdp you can use the "/drive" option to include files from the linux box you are running the xfreerdp command on.
I've not got to that module for now. I need help with
i got the answer but i dont think i got it the right way
how does that work?
ftp isn't the only way you can transfer files, the section went through multiple methods
xfreerdp /u:username /p:password /v:remote_server /drive:path to file ; you may ask gpt for more details
you could also look into the python methods or enabling copy/paste using rdp
hey , can anyone help me with the windows privesc skill assessment 2 , i am stuck in the first question , and solved the other two
cool
ty
can u send what you are typing in a screenshot
also as xreous said, it just wants you to transfer files, you can use other methods than ftp
like iwr, or wget from a local python server
i understand if you want to do the ftp method tho
yeah I checked, the given creds don't work with ftp
have any of you completed yara and sigma module?
then again the section didn't go through ftp for windows
this
ok so maybe they locked it down
ahh
can u please guide me 😅
exactly
dude, the section went through that
yeah i have xfreerdp
i havent 😦
ok let me see
okay
but why is ftp open and you can't connect to it.. very misleading to noobies like me
thats in the SOC path right
there's literally a section on "PowerShell Web Downloads"
yes. i'm having a bit trouble. Imagine getting the right answer but being unsure that you found it in wrong way.
says address in use
netstat -ano won't show the process name 
(netstat -punta || ss -ntpu) | grep 445
i forgot it's like nlp
nvm 
that will tell u what process running
good job xreous
jk u have to use the parentheses
445 should be smb
yeah
lmao just reboot
cool
'netstat -tulnp | grep -i LISTEN' never gets me wrong
On the passwords module I ran through all mutated passwords on smb with no success. is there a timeout or jitter interval that will help me succeed
I’m looking thru old posts here but not finding anyone asking same question yet
In the Documentation and Reporting Skills practice lab, I'm looking for the command injection finding. I know it's not necessary for completion, but I'd like to know what I am missing. Any help would be appreciated.
the one in the linux machine?
Yes
Yeah that part i am blanking on as well.
try the simplest thing
anyone having difficulties when trying to do the splunk module? when trying to access the webpage, it says the connection was reset
Anyone able to help with Advanced SQL Injection Attacks? Section: Reading and Writing Files
Question: There is a SQL injection inside the signup functionality that we haven't explored yet. Use it to create the file /var/lib/postgresql/proof.txt on the target over port 8080 and then check /server-info for your flag.
I'm pretty sure about the injection point and have tried many payloads and fiddling with that query but I just can't get a payload to work. Would be nice if someone can explain my payloads and that injection point to me.
SOLVED: Hint for someone finding same problem: check logs
@next bronze May I DM you questions about the Command Injection Finding
in coldfusion section where we execute the payload to read password.properties file, we get an encrypted password, how can we decrypt it?
Any hint at the Exploitation of Request Smuggling at http attacks? I'm not being able to get the admin cookie
What section?
http attacks
Skills assessment? I mean what exercise are u stuck on
I mean literally just content=somefile
the exercise is called Exploitation of Request Smuggling
thanks @next bronze I was overthinking it
hi, could i dm you a question about the third question
Good day. I have a question. I have recently bought a VIP+ sub, but this does not give access to the Academy. is there a way to swap them or just drop and resub on academy?
labs and academy are separate platforms, if you want to cancel it, contact support
hey... i've been given a task to learn and prepare a report about how the ACTIVE DIRECTORY works and what are the different ways to attack an AD and how can i mitigate them... so i just want the list of relevant modules in serialized order to help me with this...
URGENT
AD enum & attack, ADCS, kerberos, relay, dacl
the cme modules also has them, most of those are tier 3 tho
Introduction to Active Directory is also good
yeah but don't think that covers attacks
he's apparently tasked with showing how AD works so it should also be beneficial
Hi there, so how does the help in the academy work? Been trying to click on get help on discord but nothing to happen after that?
you'll need to connect your discord in academy settings, provided you have the annual plans
I already have it connected but anyhow, I was kind of stuck on one for the skill assessments for Intro to Windows Command Line, can I post my query here?
if it's connected right you'll see the "academy user" role, and sure
Hello, does anyone know how to request a restart of a machine that i pivoted to and that got frozen, from the skill assessment of pivoting, tunneling and port forwarding? I already requested help from the bottom.
I will relink my account just in case as well, not really sure why I dont have that role on here.
Just relinked my account with it
i have the same problem i think
As for the question, I was stuck on the user07 task, For this level, you must successfully authenticate to the Domain Controller host at 172.16.5.155 via SSH after first authenticating to the target host. This host seems to have several PowerShell modules loaded, and this user's flag is hidden in one of them.
I have sshed into the 172 machine, checked the loaded module list, there's one module that stands out, "Get-Flag", I get an output that says the flag you're looking for is "....."
But it doesn't accept that as the answer though
Yeah, seems like my account never got linked, even though HTB academy is showing in my list of connected apps on Discord
probably contact support to get it sorted
what's the first and the last character
Ooooof! Question # 3 on the Web Proxy Skills Assessment had me bent. Stupid mistake on my part but hey I learned something! I'm just shouting into the void because it feels gooooooooood
My bad, I was putting the answer in with the brackets, just removed them and it worked. Sometimes it is the simplest of things, thanks for your help though.
Thank you, I will just get both for 2 months while I wait; maybe my company will reimburse if I take a full year.
Looks like i have the same also. Academy is not showing
Just submitted a request via the support bot on the academy site regarding this as well, thanks again.
question abt Get-DomainObjectACL in powerview
when we do it for a certain user, it shows us their rights, right?
but this command used in the AD attacks module kinda confuses me, Get-DomainObjectACL -Identity * | ? {$_.SecurityIdentifier -eq $sid},
cuz here when we do it, we get what the user with $sid, have OVER the searched objects
so im fumbling here, what's happening 😅
this is correct
what's wrong with that
like let's say we do it with the wley user, it gives us what wley user can do right?
but when doing this, one of the results is the dana user, so IFFF im understanding correctly, when a right is controlled by another user, that user's sid is mapped via the last portion right? ? {$_.SecurityIdentifier -eq $sid}
just wanna make sure of it cuz idk am i getting right or what 😅
Get-DomainObjectAcl -Identity targetUser | ?{$_.SecurityIdentifier -eq $controlledUser}
yeahhh so the variable is for the controlled user, not the user we are "targeting" let's say
yes
Hi, I'm working through the network enumeration with nmap and it says ack scans are harder to detect for firewalls. I took a look at the pictures and I don't see a reason to use the ack scan because the normal syn scan was also able to identify the same port was open. Can someone clarify the difference in the results of these 2 scans and ack scan's importance?
Hey guys! I have a question. So I now pay for HTB academy and also for labs on their main platform. I feel that I'm really lacking in the pentesting domain….at least not where I want to be. I want to work as an analyst, so I was going to go through the CDSA path but not sure if maybe I should study more of the pentesting stuff and then go through their CDSA path once I'm better at attacking. What do you guys think? Regardless I have crazy imposter syndrome.
Hey man, you are on the right path. If you want to get better at pen testing you can never go wrong with the penetration path certificate. As it is very hands on. It will even help you become a better analyst
it's broken at least for that bit if you're already linked, it's dumb af
I passed the CDSA without much practical knowledge of pentesting stuff. The SOC analyst path does a great job of preparing you for the CDSA exam, and covers relevant pentesting concepts - such as Windows attacks (Kerberoasting, pass-the-hash, brute force).
We need to get the password from root and we know the hash. I use the rockyou.txt file but it takes too long. Am I proceeding correctly?
surprised it took so long
this is the module section regarding the shadow/passwd/opasswd yeah?
yeap
and you extracted the related files to your machine?
yes, i'm copying the root hash to my machine and using hashcat
did you copy the entire line? and also use the right mode?
it should be in the mutated list
root hash?
this is sha512, mode 1800
yes, the root password should be in the mutated list
hm i use the rockyou
well then if it's not in rockyou, try another list -- the mutated one
always start with the module resources then try others
Hi everyone, I am working in Intro to Deserialization Attacks. Skill Assessment II. I am inserting the auth= cookie but get the following error. Anyone can help me out?
oky im try
anyone else facing connection issues or is it only me? 🥲
vpn and boxes are soo laggggy
Your cookie is wrong, check it again and remember to encrypt hash with right secret
Do i need to run powershell as admin to register the dll
hello, i found the password of the mssqlsvc but when i try to connect it doesn't work :/
This question and issue has been asked and answered: defender isn't the only protection to worry about
I find the solution sry
I'm sorry, it wasn't about defender / real time protection. I wasn't running PS as administrator, resolved by launching it as administrator. Btw I got the following error when connecting to user jason, like the server is down!
There's another machine in the middle
Oh okay
You have the ip/creds in the section
connection bad 
anyone online that could give a hint on crackmapexec? If you could write in private please. There may be some spoilers and I don't want to pollute the group
just ask your question here
How did you get the red team role though? Is that based on your performance on the hackthebox boxes or server based roles?
hey guys, why is crackmapexec not working, i even tried the github script : ┌──(kali㉿kali)-[~]
└─$ crackmapexec smb 10.129.42.197 -u username.list -p password.list
/home/kali/.local/lib/python3.11/site-packages/requests/__init__.py:102: RequestsDependencyWarning: urllib3 (1.26.18) or chardet (5.2.0)/charset_normalizer (2.0.12) doesn't match a supported version!
warnings.warn("urllib3 ({}) or chardet ({})/charset_normalizer ({}) doesn't match a supported "
Sounds like your python packages are out of date or something
i even tried updating and upgrading
You'd need to update via pipx like pipx install urllib3 and see what it says
There's 3 python packages listed there
i was able to complete the file upload skill assessment by stealing the location of uploaded files from the internet but i don't know how to find the location by myself. can someone help with that plz?
┌──(kali㉿kali)-[~]
└─$ pipx install urllib3
No apps associated with package urllib3 or its dependencies. If you are attempting to install a library, pipx should not be used. Consider using pip or a similar tool instead.
┌──(kali㉿kali)-[~]
└─$ crackmapexec smb 10.129.42.197 -u username.list -p password.list
/home/kali/.local/lib/python3.11/site-packages/requests/__init__.py:102: RequestsDependencyWarning: urllib3 (1.26.18) or chardet (5.2.0)/charset_normalizer (2.0.12) doesn't match a supported version!
warnings.warn("urllib3 ({}) or chardet ({})/charset_normalizer ({}) doesn't match a supported "
Try installing the library with pip instead
If you read it tells you to try that instead
read and follow #welcome
i tried it
i tried xxe but it only returns the base64 encoding of the payload
Cross-Site Scripting module
- Session Hijacking section
Spawning the target http://10.129.11.67/ is not letting me access anything in the web browser. It's a white page, and if I navigate to the 'login.php' page or an 'index.php' page, the page is not found on the server.
Challenge: Try to repeat what you learned in this section to identify the vulnerable input field and find a working XSS payload, and then use the 'Session Hijacking' scripts to grab the Admin's cookie and use it in 'login.php' to get the flag.
So I'm a little confused how I'm supposed to find any injectable fields when I can't access the web page at all. Am I doing something wrong or is this something wrong on the HTB backend?
edit: the learning shows the /hijacking directory, and after navigating to /hijacking/, I see the input fields. I would recommend adding that clarification to the challenge description moving forward, or redirecting immediately to that directory. SuperNuts to answer your below question, no there was no port included.
does the spawned victim machine include a port to use?
How did anybody finish the damn enterprise module
It should.
http://SERVER_IP:PORT/hijacking/
Getting that damn exploit to work takes like 30 minutes because of the "quality" RDP connection
Is there a trick to getting a better one that I m missing or is it just a sad truth
Hey for the File Inclusion module, Log Poisoning section: is it possible to get a reverse shell using &cmd= because I can only read files and run system commands. Encoded or not doesn't seem to make a difference. Even using revshells. Am I missing something or does this not allow for that? Thanks
i have no idea about that module, but if you can execute commands on the system i don't see why you couldn't create a reverse shell
Hello everyone, there is something I don't understand about dumping with mimikatz.
The command he gives outputs the user's ntlm hash, then we see that hash again in the command output. If we already have the hash, why are we trying to dump it again?
I dumped the lsa and sam file using cme, just I did not understand this usage of mimikatz.
mimikatz can do that too
not sure what you're getting at
Do we need to have hashes to dump hashes with mimikatz?
generally you need admin/system privs
you can dump sam, secrets, ntlm from memory, etc
in your screen shot you have an incomplete command that's attempting to pass the hash
hm
mimikatz.exe privilege::debug "sekurlsa::pth /user:julio /rc4:64F12CDDAA88057E06A81B54E73B949B /domain:inlanefreight.htb /run:cmd.exe" exit
you can also get tgt/tgs etc
Can I get David's hash with this command now?
i do think so because it uses julio's hash and outputs julio's hash
no, that command should open a new command window impersonating the user julio
yes new cmd
yep
I guess what I don't understand is extracting user hashes with mimikatz.
are you on the dc
yes and i have julio and administrator
lsadump::sam
or lsadump::secrets
sekurlsa::logonpasswords full
there are lots of commands you should look them up
ah oky sekurlsa::msv
understand thx
last question :9
this has 2 usernames but one username is null
What should I learn from this output?
the $ at the end of MS01$ means it's a computer, hence it's not a user, which is why there is no user name populated in that field
that is the NTLM hash of the machine
hash?
computers need to authenticate too. that's why machines also have a hash.
so you can impersonate a computer as well as a user
oh understand
or use the computer's hash, just as you can with a user's hash, etc
I am grateful
Why is this telling me it's uploaded in the Intruder but in the Repeater, when I test it, it's not working lol :
https://academy.hackthebox.com/module/136/section/1288
I am using the dicts from SecLists.
hard to tell by your screenshots exactly what you're doing, but it sends the data effectively the same way so if everything is the same it'll act the same
I will send you DMs.
Hey for File inclusion: Final Skills Assessment: I tried fuzzing with encodings and non encodings and I tried automated scanning. I know what the parameter is but having an issue triggering the vulnerability
this command is not working in cmd
Import-Module .\Invoke-TheHash.psd1
module: Pass the Hash, usage of Invoke-TheHash
in this screenshot of the htb panel it's working, but when i try running it on my target machine in cmd it's not working
Screenshot shows powershell
PS indicates powershell
You can either type powershell in cmd or open a powershell window
i'm running powershell, true, but it's not opening a second cmd window on dc01. my target hostname is dc01, my hostname is ms01
Oh that is a weird visual thing, try viewing the directory with the user
I'm stuck on the Supply Chain Attacks skills assessment. I've got what I think is supposed to be the login, but it's not working. Anyone available for dm?
dir \\dc01\
this question
And you modified the reverse shell to use the appropriate ips yeah?
And are listening using nc.exe. as shown
yes i modified the target name, localhost etc, but it's actually not running. i don't understand this question, i'm reading the module but don't understand
And stated
You don't use localhost
You use the ip of the system you're using that shares the same network as the dc01
yes
PS c:\tools\Invoke-TheHash> Invoke-WMIExec -Target DC01 -Domain inlanefreight.htb -Username julio -Hash 64F12CDDAA88057E06A81B54E73B949B -Command "powershell -e BASE64 code
and im waiting with powershell
but not connect or new window
In another window
You need to start the netcat listener
So you need to specify ip and port for the revshell
trying
I ended up on the admin page but am stuck
Guys which one is better to learn the htb academy or the htb labs? I don’t want to subscribe both of them..
academy for learning
Idk i was trying the academy for a while and i always get stuck
academy is literally their educational place that teaches you everything
the lab is to practice the skills you learned
that should be easy, you should now have a new exposed parameter.
I couldn't do it
The bad thing is they don’t have walkthroughs of their modules Questions! Or labs even in YouTube
you can utilize an automatic LFI fuzz
Did you manage to solve this @devout pelican ?
I'm currently on this one.
I also had an issue with this one. I managed to exfiltrate /home.php successfully for myself as a low-privileged user, then it started 404ing as exfiltrate.htb:PORT/home.php doesn't exist.
I'm not sure how it worked successfully initially, though perhaps it's cached something somewhere?
I can see why /home.php needs to be there (to avoid cross-site and CORS error) but I'm a bit stuck with this one. I might reset everything just to be sure.
the module is the walkthrough, it teaches you how to do it, you need to apply the learning. the walkthrough in a lab doesn't actually TEACH you how
You can find stuff on the t0 modules: however content regarding other modules is expressly forbidden
i'm starting an nc listener in another window
you just have to read it ^^
and i'm running this command but with customized base64 encoding
If they could change this policy, everything would be much better-.-
They're not going to
Lol
This field can be a lot of reading and research. If you can't cope with that, sorry
Totally agree..thanks
I didn't need a video walk-through, all I did was re-read content and it clicked
Yeah i got /etc/passwd to print out but I looked for a .ssh file and didn't see any. it seems like an LFI, I tested for RFI and automated and /etc/passwd is all that's printing. Flag.txt doesn't print, I also tried looking for log poisoning and didn't see anything
well maybe the flag is not named flag.txt
Yeah I understand that but since I don't have RCE I cannot see what it would be called
||log poisoning|| should work.
Okay I will try harder on that
figure out the back end server used, if its apache / nginx..
Okay yeah I tried both default linux paths.
you can just look it up in burp suite req.
or curl the IP; curl -I http://IP.
Okay thanks I didnt know that about curl and I retraced my steps and I was able to get this to work. Can you get reverse shell from this?
I had just initially assumed it could be either
nvm, got it
I'm still stuck at the Exploitation of Request Smuggling in http attacks. I'm not able to get the admin cookie. Any hint? I already discovered the CL size, but it does not return the cookie.
https://academy.hackthebox.com/module/116/section/1512
Is it normal that it takes so long?
It can take a few minutes
im "Attacking Applications Connecting to Services" , i've followed step by step of what shown in the section, but when i try to run the program after adding the breakpoint , i get this error
nvm
Need help for the Broken Authentication Skill Assessment, i'm trying to log in with the support user using the rockyou wordlist filtered with the password policy found but i cannot access, am i doing something wrong?
I feel it doesn't work :/
That works fine, what's your issue with it?
The most common thing I see is people don't put the IP of the spawned server into resolvers.txt (it should be the only thing in there). resolvers.txt is being used as your nameservers so you can resolve the subdomains.
should just flat out work if you have that in there
In footprinting medium lab, even though I’m the owner and have appropriate permissions on that directory which I’m trying to access rwx it still throws “Permission denied” error I cross checked the UID as well and it matches with the directory but no access. Anybody has idea why this is so?
This directory is from a NFS share mounted on my local mount.
Yet I added the server ip in resolvers.txt but well I’ll try again tomorrow
attacking common applications, skill assessment I: i found a .bat file and got rce, but i can't read the content of the flag. tried more, cat, type, tried calling them from system32 but nothing seems to work aside from the dir command. any help would be appreciated (i did replace dir with the commands above, i just wanted to let you know that dir is working here)
worked when using metasploit lol
the example in the module shows they are inside a dir called "NTDS". why can't i cd into it? and why doesn't the command they provide work?
Example won't always match the lab, but I would reset the lab and wait a few minutes to try again
Also the reason it's failing is bc the NTDS directory doesn't exist
yeah just realized it was the last part of the command w/ the C:\NTDS\NTDS.dit
Try copying to C:\ or C:\temp
got it now, thank you!
Hi guys! I'm trying to find the "TargetSid" of the user "bonni".
I'm generating failed login attempts with the user "bonni" and password "432543".
After generating the failed attempts, I log into the server with other credentials and start searching in the Event Viewer.
The hint said that I have to look into 4771 events, but I cannot find it there. So, I look for 4625 events and I find it, but the TargetSid seems incorrect.
My question is, what do I need in order to generate event 4771 and get the right TargetSid
your question contains the solution to a previous question. you need to remove it
oh! sorry
Pass the ticket in password attacks check Carlos ticket and authenticate to SVC. I was able to smb into SVC and pull the flag but the flag isn’t working. What is this about? Flag is keytab_script_files. I downloaded it from smb but it doesn’t work. I just smb dc01 svc -k -c
anyone else having issues trying to spawn targets? caught in an infinite loop
There is a bug with one of the flags this is 100% the flag
Hi, in the /module/77/section/726 section, the user bob's pass appears as bob:{password}, however, I get the error session setup failed: NT_STATUS_LOGON_FAILURE. I have tried different ways smbclient -U bob \\x.x.x.x\users and with /
Is htb labs down for anyone else?
@rustic sage
- I'm busy
- Don't dm without asking
- Sorry
Penetration Testers can come across various applications, such as Content Management Systems, custom web applications, internal portals used by developers and sysadmins, and more. It's common to find the same applications across many different environments. While an application may not be vulnerable in one environment, it may be misconfigured or...
Found more creds but wasn’t able to login as SA in MSSQLS
did you try running it as administrator ?
In the module 'Analyzing Evil With Sysmon & Event Logs', on question number 1, I'd like some tips. I already changed the names to calc and its DLL to wininet.dll, but the event is not triggering
Yeah since Alex was in admin group I tried through powershell using runas
You can use the creds to sign in as a powerful user as well
Which module are you guys talking about.
Windows Event Logs & Finding Evil
There's several modules people are working on at any given time
Okay.
how do i connect htb academy to my kali terminal?
through openvpn
has exceeded 85% of the usage limit for one or more AWS Free Tier-eligible services for the month of March. What does it mean? like Internet or the usage time limit
Coz I only use 1 ec2
academy has cloud modules?
No I can't type in general
give me clear steps please
Nvm I can now
download the vpn file, use the command 'openvpn' on your kali machine to connect using the file you downloaded
i downloaded it now what
Check any tutorial
that's the point i didn't find it
my guy, if you're just starting out the module should explain all this. openvpn <file>
alright thanks
it says error opening configuration to that file
follow the module's instructions
That's a generic error
Are you in the file location you downloaded the openvpn file to?
Hello everyone I think I'm facing a box issue for Password Attack PtT Linux, I found the flag but when putting it in the answer via copy paste or typing, it doesn't work
where should I point this issue to?
If so: sudo openvpn file.ovpn
I see the flag there
It's just bumping into the root@linux01
yep, but it doesn't accept it here
oh alright
the instructions say to read julio.txt, yet you're trying to use flag.txt
hmmmm you're right, i guess i gotta find it
On Shells & Payloads: The Live Engagement, is there a way to compromise Host-02 without using metasploit?
Host-02 is the blog
Trying to open MSSQS as Alex throws error: MSSQS isn’t a valid Win32 application
You can probably look into the exploit to see how it's done to try and make it manual
Right-click -> run as administrator (UAC doesn't allow pasting)
Or log in to the system as administrator (A* doesn't have admin rights btw)
Thanks Marcie. I'll just throw the msf and call it good for now.
Was just wondering if I was missing something
Nope
🤞 i'll be sleeping with the fan on today. even fed my vm 4 more cpus, and getting my gpu to do it is too much work, installing jumbo john on my host and all
0.06% of the way through
use hashcat in your host, john in vm is too slow
hashcat -m 13400 keepass.txt /usr/share/wordlists/rockyou.txt
gives error :(
Hashfile 'keepass.txt' on line 1 (Logins...b5d4e3610e1a021be2f2f1018523c065): Salt-value exception
cat keepass.txt
Logins:$keepass$*2*60000*0*048f742ba4e83db43180a31b429023defcb09a2e4110956e218a498c90bfc39a*2f3c5560d95ead326c79f32988cbab81bafcabbd4cd69cd237a1d2fbadd7fb84*1eef873a28851d1fcd946d2b24bd29f6*d68c6859ae565c09ddc5b81c39d87565cc8c50338a3fb9e6e0a3425e55b0b7a3*35683df41573246ad58a3fdad9a764d7b5d4e3610e1a021be2f2f1018523c065
transferred file through base64, md5sum hashes are the same.
john syntax:
`keepass2john Logins.kdbx > keepass.txt`
doesn't seem like there is anything wrong. there was an article on it, and the salt part looks the same. i'm gonna just stick with my 14 cpus D:
14cpu?
make sure you've copied the whole line and try with --username
i knew it
actually it looks like the mode is wrong, try 29700
--username works, thank you
i am trying to get a root shell with /bin/ncdu, any hint? (tried it with lab_adm but didn't have its password)
nah
solved
oh yeah was gonna link you i forgot https://gtfobins.github.io/#
i already tried this but can't use it in right way
then i tried academy given method
Read and follow #welcome
why it asks personal information
why is that even normal in this community?
dude again?, like really?
i mean, you give a lot more than your name to get the courses/modules/labs/machines etc
i don't want to give personal info, i pay with CRYPTO, and i chat with hackers, "full name?"
so when i do my stuff, they get me through your database
dude, wtf... why do you ask for a full name at registration?
what is the purpose of it
if you don't like the terms don't sign up
but you need to ask that?
like why
it's a business and it's their choice to not accept crypto
what if i lie, you will ask for an ID then?, what if i don't have a government ID cause i don't believe in the superstition of the State
then i get rejected? isn't the hacking community a welcoming one, for hyper-capitalistic anon individuals like me?
well not really anon, you could doxx me if you want but please
can i do my account without full name?
I've already given you a hint