#modules
you can also make chatgpt hallucinate
It's hallucinating the majority of the time for me, I'm lucky when it's not
that's the thing, you'll need to know what you're doing to catch those, can't just blindly rely on it
true
Is AS-REP roasting even covered under the Penetration Tester path?
that's the funny thing, to make use of it you actually need to already know the terms and how things work and present the question like that
it just helps speed up the process like 10000x
which is why chatgpt stronk
yeah it's in the AD module
Oh okay, I didn't see it as a section heading so I was wondering, it's probably under one of the sections.
Btw what's the average time a person takes to get thru the AD Enumeration & Attacks module?
Ah ok.
My prior knowledge with AD can be summed up to the Intro to AD module and even that I don't remember the minor stuff, I remember the basics tho, mostly... (it's been a while)
if you understand windows fundamentals then it's a lot easier to grasp, it has many of the same ideas like users, groups, policies, access controls, except it automates and centralizes the resources
Yeah, went through that module, so I get all the basic concepts.
Does any one know how to solve this question?
last question in the INFORMATION GATHERING - WEB EDITION module.
" What is the API key the inlanefreight.htb developers will be changing too?"
They extended the module? So now I've gotta complete this for the Penetration Tester path to be considered completed?
I'm doing this too, took me 15 minutes to finish the updated content.
but stuck at last question
Anybody know why my open vpn connection stats wont stay above 0 any more for more than like 10 seconds no matter what I switch to? It wont let me rdp to the IP
I'm gonna finish my current module then I'll go back to this.
Cool
15 minutes ain't bad tho, it's not very long?
Nah you just read and click complete the module, only few new exercises
Ah ok.
redownload your vpn file
hi
in this module https://academy.hackthebox.com/module/57/section/491 login bruteforce
i found the password but the ssh server is configured to only allow public key
is HTB trolling us?
use the right port
DM me if you still stuck. That last question is confusing
Yes i'm haha
DMing you
sure!
i did
I've tried that unfortunately. I've tried different servers, I've redownloaded the vpn files, changed to tcp, updated openvpn, redownloaded vpn, restarted my computer
worked fine a couple days ago now its a disaster lol
Hi, I am doing Credentialed Enumeration - from Linux section of "ACTIVE DIRECTORY ENUMERATION & ATTACKS" module. It teaches us how to use ingestor and BloodHound GUI to visualize the relationships. I have run the ingestor and collected the user, computer information in json format and zipped it. I also started the neo4j service using sudo neo4j start command which started a web server at http://localhost:7474/ and another listener at port 7687. On my pwnbox, I did local portwarding to the target and successfully logged in:
what OS are you running on your vm or whatever you're running openvpn on?
im just running it on windows and using rdp from there
However, I cannot see the bloodhound UI where I can upload the collected data.
why windows for openvpn?
also check your error logs
you're looking at the no4j db that bh uses, the bh gui itself is somewhere else
The section text says that I have to start bloodhound. But when I run the bloodhound command on the target machine, I get the error:
bh doesn't need sudo
check if neo4j is running
I know
i already had it installed from tryhackme I think so it was easier than creating a vm
make a vm
what are your error logs for openvpn?
How do I do that?
I mean it is listening at the two ports mentioned above
sudo systemctl status neo4j
this is your own screen right
Anyone I can dm for file inclusion skill assessment section?
No. This is the target machine.
start it then
start the service
Right I can do this on my own pwnbox machine!
neo4j start
im looking in the logs on the app but im not seeing any errors
you should still make a vm with kali or parrot on it
use that for openvpn and for academy, it'll have everything you need
I actually did create one with parrot on it to try that but maybe i was doing something wrong
sudo openvpn academy-regular.ovpn ?
When starting neo4j service on the pwnbox, I get the error:
Yes I already did that. First I ran the command sudo neo4j start. Then,
$ sudo systemctl status neo4j
○ neo4j.service - Neo4j Graph Database
     Loaded: loaded (/lib/systemd/system/neo4j.service; disabled; preset: enabled)
     Active: inactive (dead)
Then,
$ sudo systemctl start neo4j
$ sudo systemctl status neo4j
× neo4j.service - Neo4j Graph Database
     Loaded: loaded (/lib/systemd/system/neo4j.service; disabled; preset: enabled)
     Active: failed (Result: exit-code) since Fri 2024-06-21 08:18:09 BST; 2s ago
   Duration: 1.551s
    Process: 5526 ExecStart=/usr/share/neo4j/bin/neo4j console (code=exited, status=1/FAILURE)
   Main PID: 5526 (code=exited, status=1/FAILURE)
        CPU: 4.057s
try with sudo neo4j console
neo4j needs sudo perms because it's starting a service
damn the vm is giving me errors, thanks for the help ill just wait til support is available I guess
What does this do? This has not been mentioned in the section
I am using sudo
sudo neo4j start
Yes I did that
just use bh CE 
you won't have the same features tho cause the docker version is a web ui
works most of the time
they've massively improved it since and it's pretty good now
imo
nice
Directories in use:
home: /var/lib/neo4j
config: /etc/neo4j
logs: /var/log/neo4j
plugins: /var/lib/neo4j/plugins
import: /var/lib/neo4j/import
data: /var/lib/neo4j/data
certificates: /var/lib/neo4j/certificates
licenses: /var/lib/neo4j/licenses
run: /var/lib/neo4j/run
Starting Neo4j.
Started neo4j (pid:5404). It is available at http://localhost:7474
There may be a short delay until the server is ready.
looks like it works then 
oh, your problem was with bloodhound. Does it work now?
Damn so it worked for a second and it got disconnected on the linux machine
Previously I was running neo4j on the target machine and neo4j:HTB_@cademy_stdnt! allowed me to login. However, I am running it on the pwnbox now and the credentials are not working.
What are the default credentials that I can use?
neo4j:neo4j
why do you need to login to neo4j tho if all you're using is bh
bh will do the connection
This worked!
Thanks!
It was also asking for username and password
Indeed it is!
.. anyone?
In Footprinting Lab - Medium, I'm on the last part of the SQL Server exo. I understand that the user "alex" and "sa" are not the users to connect to SQL Server. The only other user is the admin, but I don't know how to find his credentials. Am I in the right path?
dm
Any guess what module is coming up next
can i get a hint for web attacks skills assessment? ive enumerated all the accounts, and i cant seem to reset their passwords.
@lofty sparrow feel free to dm me
You can dm me
Hello, sorry to bother you, I'm studying web attacks but my english isn't good.
In server side request forgery, literally means the forgery of a request is triggered on the server side?
Basically you tricking the server to send a request to some type of resource that it has access to.
@old oasis Thank you, I understand the general concept, I have done some labs, but I'm just taking notes in my native language, I want to make sure the translation is correct.
The way I understand forgery in server side forgery is that we trick the server in forging a request and sending it
Yes the term "forgery" here means that the attacker is tricking the server into creating and sending a request that the server would not normally send on its own. Essentially, the attacker manipulates the server into "forging" or crafting a malicious request.
@old oasis ok, that's what I thought.
Thanks a lot.
Sorry about the stupid question, I wanted to make sure where the forgery occurs and this was right
No worries. Glad I could help
I like how the VPN servers suggest workload levels. That seems new... but it's 6:45 on the US East Coast and all US servers are at medium load.
Hi, would anyone be available for a hint for the last Skill Assessment question - INFORMATION GATHERING - WEB EDITION: "What is the API key the inlanefreight.htb developers will be changing too?"
I'm doing the update part
UDP scan? also reading; "This server is a backup server"
Hi, can you give a hint for that question?
Sure DM
how do i view hidden files? 'ls -la' does not work...
wdym "does not work"?
nvm im looking in the wrong place

starts with . apparently
yes
hidden files start with .
if you do ls -l and ls -la you'll find that the hidden files indeed do start with .
yeah i found it, thanks anyway
Trying to find 'how many total packages are installed on the target system' using the given commands they have told me. I have entered the number returned however it is incorrect? What am I doing wrong?
are you sure that the command you are running outputs only the packages?
Only the installed packages
dpkg uses ii to indicate a fully installed package
Has anyone actually managed to complete 'Password Attacks' in 8 hours ? 
Probably a few
If you don't get too hung up on skill issue, and don't attack ssh
yup, but iis are not the only thing that gets outputted though
cant figure it out
Yes, I'm referring to how to grep for it
Im going to need to put hashcat on windows I think, Need that gpu boost
Nah not really
aaa gotcha
I'm using a 10 year old cpu, and max time spent was 5 minutes, if that
It can be completed with a relatively low-spec cpu
try with single quotes ?
Maybe I am getting skill issued then
What section?
The general flow is: non-mutated --> mutated --> rockyou
hmmm, when you use the command dpkg --list that includes some lines that are not the installed packages, aka ii, you will have to grep something to get the correct result
include only what you're looking for ||ii||
Grep matches content you search for
got it
'Passwd, Shadow & Opasswd'
Cracked it now with your tip, it was on the mutated list. Not rockyou as per the example
<command> | grep "<output you're looking for>"
The mutated list gets used a lot. I also suggest saving any user:pass you come across
only in this specific module or like all modules?
In this module
Pretty much all modules are self-contained
copy
You won't use the resources for one module for another one, aside from the generic lists
aaa I see
So the mutated list you generate in password attacks is just for that
Because it's a specialized list
in attacking web applications with ffuf
value fuzzing
Try to create the 'ids.txt' wordlist, identify the accepted value with a fuzzing scan, and then use it in a 'POST' request with 'curl' to collect the flag. What is the content of the flag?
i created the ids.txt scanned it, got the id
but where do i use it?
i used curl http://admin.academy.htb:38633/admin/admin.php -X POST -d 'id=FUZZ' -H 'Content-Type: application/x-www-form-urlencoded'
and replaced the FUZZ with the number i got from the scan (if that would change anything but nothing)
Module: AD Enumeration & Attack
Section: Kerberoasting - from Linux
What powerful local group on the Domain Controller is the SAPService user a member of?
What have I tried?
- I've tried using rpcclient to enumerate groups, but it only gave me the domain group it is a part of, not local groups.
- I've tried psexec.py, didn't work since no writeable shares.
- wmiexec.py didn't work either.
- Couldn't RDP
The only thing I've confirmed so far is that SAPService is part of the Domain Admins group.
Is my only option to use bloodhound now? Or would bloodhound not show local groups?
Did you filter out the false positive results?
You don't need the header btw
Also where do you think you put the value you just fuzzed
You can use grep btw
ye
i got it
it was on the first line of the source code
and i was looking elsewhere
Could please someone nudge me in the right direction for this?
You shouldn't need any logging in
I think I've used every tool they've mentioned in the module for credentialed enumeration though, except for windapsearch, which I checked the documentation for and didn't find an option to enumerate local groups.
The GetUsersSPN.py should output the group
You'll just need to use that user and password for the query
Should output the group? All it output was the name and DN.
Isn't that a domain group tho?
The a... group.
Yeah, I managed to get the group.
cn=BuiltIn
Oh? So those groups mentioned are always local groups?? Not domain groups?
Generally yes
Dang, here I always thought they were domain groups since they were part of the DN.
DN != domain group
It's just an identifier
There can be domain groups, but if you google as well you'll find that it is a local group
No, I know it means Distinguished name, but I thought the Common Name at the front was usually either the domain username for the account or the domain group name.
Understood.
Incorrect
cn is just another thing that can identify it
Okay, so it could be a local group or a domain group or just a domain user?
DN is just a name, and the line between local and domain becomes blurry on DC because it's the domain controller
Like in this record it's a domain group since it's Domain Admins, yeah?
Yes
So essentially it's just a name?
Now in this case, even though the SAPService user I got the password for was a domain admin, I wasn't able to RDP into the DC or anything. How would I usually log onto the DC in such a case if it was an assessment?
Usually pivot
Okay, gotcha, thanks for the analogy.
Also most of the time, for DCs, RDP is disabled
Pivot? But I can already access services on the DC? What's the need to pivot?
probably just doesn't have RDP rights, but if you're DA you can do anything, including giving yourself RDP rights
But since I can't RDP, or psexec, or anything, how would I give myself rights?
You don't need to do those actions on the DC
why can't you psexec
Nmap report for reference.
No writeable shares.
If you're a DA you can write to shares
are you sure that's a DA then
100%, checked with rpcclient.
Spoiler btw, pw is an answer to a question
yoo
that's domain users
That's just the group rid
(facepalm)
But also yes domain user
I'm so sorry. I misread
guyss
just made a new book related to AI
if you interested in having it it would be a great pleasure if u dm me so i give u the details
the name of it is artificial simulation it talks specific details about ai and also its intriguing and fascinating future such as mars colonisation and much more advanced and mind blowing features
I didn't see any pw in there?
description "all domain users"
Domain/user:password you goon
Oh, passwd (facepalm)
Brain ain't working rn.
ok
Even if people cared, it's not relevant to this channel
I am doing Reverse Shells skills assessment, the RDP fails to connect every time I try on pwnbox and my machine.
"Fails to connect" elaborate
Anyways, thanks y'all for explaining the CN thing to me!
yes
Are you getting a black screen
it opens the session for 5 seconds I open cmd and it crashes.
then doesnt open until I change the target and does the same thing again.
xfreerdp /v:ip /d:HTB /u:htb-student /p:'HTB_@cademy_stdnt!' /dynamic-resolution
alright
Skill Assessment Web Fuzzing
Run a sub-domain/vhost fuzzing scan on '*.academy.htb' for the IP shown above. What are all the sub-domains you can identify? (Only write the sub-domain name)
spoiler
/timeout:99999 /auto-reconnect
still spoiler
ill fix it after this
no commas just subdomain1 subdomain2 subdomain3
does the order matter?
unsure
still wrong
ye just space
still wrong
lemme try with commas
so JUST A
yeah
i honestly can never figure out the commands, i spend a while looking through the --help, then often find nothing then just look the command up on google. is this what i am supposed to be doing??
oh nvm
forgot the y in faculty
doesnt feel right
take a second to step back, google better
how you google determines what results you get
If you google "how do I use <tool>" you'll usually get a dozen results
like instead of asking the whole question, i only ask a certain part like 'finding the number of unique paths with curl'
tbh that one is just bullshit, i went to the HTB forums for that one when I did it
what does that even mean?
the commands that some places have given me dont give a straight answer
or a correct answer
the forum article my message links to has an answer
i definitely recommend against using chatGPT
makes sense
anyone facing the same problem Target(s) are spawning...
yes
weird
took 10 mins to spawn the last one
I thought I will finish the update in 20 min
now it takes 20 min just to spawn the first target
it be like that
WTF ?
what
read this
using rdesktop worked. thanks.
yeah it's hilarious
use single quotes on the password
didn't work
/timeout:99999
it looks like it's timing out
also, why tf do you have the swastika in your terminal
Could someone help me with the Advanced Command Obfuscation Section of command Injection Module.
only if you actually ask your question
why not?
because people don't associate that symbol with Hindu
they associate it with Nazis
ohh
Here is the Q:- Find the output of the following command using one of the techniques you learned in this section: find /usr/share/ | grep root | grep mysql | tail -n 1 . I tried this but doesn't work. ip=127.0.0.1%0a${LS_COLORS:10:1}$(rev<<<'dnif')${IFS}${PATH:0:1}usr${PATH:0:1}share%0a<<<$(rev<<<'perg')%09root%0a<<<$(rev<<<'perg')%0amysql%0a<<<$(rev<<<'liat')%0a-n%0a1
wrap the command in backticks (`) so that discord makes it look neater
`like this`
think dumber, try the examples in the module
done
this command show the list of Find output but doesn't filter out.
yes because the answer is simpler than that
Thank you, i'll try.
Thanks @fathom pendant , I was spending 2 hours to figure this out
Hey everyone, does any one know if this is a bug or if im doing something wrong? I am at the AD attack and enumeration Priv esc.
Question:
Leverage SQLAdmin rights to authenticate to the ACADEMY-EA-DB01 host (172.16.5.150). Submit the contents of the flag at C:\Users\damundsen\Desktop\flag.txt.
I have to ssh to the IP 172.16.5.150.
I copy paste the password and I've tried following the solution but I still get the error "Permission denied, please try again."
I've been having this issue since yesterday. I've tried pretty much everything.
You do something wrong. I can log in without a problem (directly and through the windows host)
That's weird
I've tried resetting the box 2-3 times
I followed the whole official solution but I still get the error. I've seen in forums and everyone says it works so I'm not sure what I'm doing wrong
You tried typing the password instead of pasting?
Yeah multiple times just to make sure
Just tried copy paste again and now it works
idk what the hell went wrong the first 30 times
but thanks anyway for the support!
Identify the following hash: $S$D34783772bRXEx1aCsvY.bqgaaSu75XmVlKrW9Du8IQlvxHlmzLc on this question i have found the ans , but when i submit its says its wrong
crack with hashcat -module
try checking the example hashes on hashcat's website
yeah i found the ans from there only
attacking common services module, I have an issue interfacing with the mssql service
||I can use this command to authenticate as the htbuser sqlcmd -S 10.129.247.219 -U htbdbuser||
||but when I try to authenticate at mssqlsvc user with the cracked password it fails ||
||kali@kali:~$ sqlcmd -S 10.129.203.12 -U .\mssqlsvc ||
||Password: ||
||Sqlcmd: Error: Microsoft ODBC Driver 17 for SQL Server : Login failed for user '.\mssqlsvc'..||
not sure what to do, I could try from a windows vm, but no idea why it does not work
can i dm ?
no, i am leaving now
k
You can use haiti too to identify hashes, I got the answer with haiti '$S$D34783772bRXEx1aCsvY.bqgaaSu75XmVlKrW9Du8IQlvxHlmzLc'
(Assuming it got it right ;))
i hope its not D.....7
wao it was a format error, they should have told that in the question though
Hello, on the updated information gathering - web edition module I had finished the module, then it showed up later on that there is an update and I need to finish the new parts, yet at the web archive section it saved my old answers which are not related to this section!
And showing it is completed and can go to the next section! (With wrong answers)
this is known
it's an issue that happens when they update modules/questions
Hi :), I'm doing the knowledge check on the getting started module, and I am having troubles getting a shell manually, I can't seem to upload a php file, and if I try to upload an image it works but then I can't execute it, is it supposed to be "only done" via the pre-made exploit?
there's another manual way, the premade exploit should give you somewhat of a hint as to what it's editing/uploading
if you're unsure: check the versions again
Mmmm okok, the getSimple version you mean?
nope
iirc the knowledge check has to do with a plugin
unless that's the plugin, it's been a minute
yes; the vhost is hosted on that IP
ip domain in your /etc/hosts
Mmmmm I kinda ignored those after I saw the upload part, I'll look into it, tyty
yeah it's related to GetSimple
those nibbles modules were crazy
are there more like that?
i mean sort of; a lot of the skill assessments are like that, but no hints on what to do
the nibbles sections (Not modules) were just a basic showcase of how you'd pwn a box
not modules got it
Modules are the overarching names of the learning content; Info Gathering - Web Edition; Getting Started, Introduction to Academy
Sections are the smaller learning segments within a module
what do you mean?
what module are you working on?
oh got them confused
updated* not new
it just says new because they changed the name, then changed the name back
I guess my main confusion is what do you mean by "main" inlanefreight
Are you asking if they pass through "Inlanefreight.com"?
if so, then no
they don't "pass through" anything
no
you need to do filtering
you should notice a common size between them
the common size is what you want to filter out
because if you actually curl those
curl http://inlanefreight.htb -H "Host: subdomain.inlanefreight.htb" on any of the ones that have the same size you'll notice something
it's being routed through the IP
to further answer your question
also just to be sure for the vhosts it's JUST the ip that goes in your /etc/hosts not the ip:port
and in this case it's http://inlanefreight.htb:port
oh yeah cracking passwords with hashcat
I'm limited with the amount of instances I can make to once a day, I can set up my own Parrot OS environment right? And just use that instead?
Yes.
yeah
download their vpn
you can use your own environment forever
Perfect, I thought so. I just needed reassurance. Thank you everyone.
Ah, I see they want you to use gobuster for it, i'm not familiar with all of gobuster's filtering options
ffuf works better
https://academy.hackthebox.com/module/23/section/251
anyone have issues with this module? I'm following along the reading material but swapping es.php for /etc/passwd doesn't display anything
`ffuf -u <url> -H "<Header>: <value>" -w /path/to/wordlist -fs <response size filter>`
that's odd; I just ran it and got a consistent size with the incorrect subdomains
the correct subdomains will have varying sizes
also the list i used was the 110000 list
but there's only a handful of correct ones
the correct ones are way less than 300
but the correct ones are indeed between those sizes
ok it after doing testing it looks like gobuster does filter out the unnecessary hosts
it should give around like 5-10 actual positive results
thanks @fathom pendant been stuck on this for awhile now
you never put ports in /etc/hosts
the only : accepted are those for IPv6 addresses
I got there xxx1337 and stopped there! And yes I checked the xxx.txt and got the hidden path but the key i got gives me wrong answer!
huh?
please don't reply to an unrelated comment if i helped you earlier
it's just further confusion
You're right, i am at the same section with @dusky gyro
Anyone else find the Active Directory Module really hard? feel like there are so many methods I've just not understood everything :/
then the same should apply... I got all the new expected answers
if you didn't do the Intro to AD module, then the AD enum and attacks module is throwing a lot at you that it already expected you to understand
Thanks, I will. cos man I am struggling with the skill assessments
the skill assessments are literally just follow the steps one at a time
enum; get in; use another tool...
im not running on a lot of sleep atm so maybe thats some of my issue
tbh though, your best bet for the first one is elevating your shell to either a reverse shell or using the Web01 host as a pivot point
yh im on the second assessment
second one is practically the same as the first, except you start from a linux host instead
it does require a tool/technique that WAS mentioned, but wasn't showcased btw
it has to do with SQL and privileges
potatoes or printing, pick your poison
ok thanks
if that's where you may be stuck at
the rest is fairly simple
just start from the top down from the section list LOL
Hi, I'm doing the AD enumeration & attacks skill assessment and I've noticed that PowerView fails to execute when running from a evil-winrm terminal (on the foothold server), any idea why? This is the error. This doesn't happen in the reverse shell btw
Exception calling "FindAll" with "0" argument(s): "The specified domain either does not exist or could not be contacted.
"
At C:\temp\PowerView.ps1:5253 char:20
+ else { $Results = $UserSearcher.FindAll() }
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : COMException
Edit: This is due to double hop kerberos problem, you'd need to create a PSCredential object and pass it to powerview. Check module section "Kerberos 'Double Hop' Problem"
could just be a weird thing with Shit-RM i mean Evil-WinRM
Did you have bad experiences with it?
where did evil-rm touch u
I mean if we take it at face value its annoying that u can't use arrow keys natively, always get bugged by the "press y to exit" and when u hit y it still doesn't kill your session, along with other things that make ur blood boil
alt f4
Hello everyone, I'm faced with a problem that I'd like some advice and directions on. A straight answer isn't required.
I want to go down the path of penetration testing / red-teaming. I want to eventually be red-team simulating real-life threats without being caught. Though, when I look at the HackTheBox modules there's so many, I feel it's hard to know where to start from and what to end with.
What would you guys do?
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
Thank you
There is a path named "penetration tester", that's what I'm currently studying
Has anyone completed the updated Information Gathering - Web Edition Module? I'm stuck on finding the api key and finding where it's supposed to be moved to
I found a key that didn't work
And it shows that I already done with this part because i was finished it a few days ago so i just moved on to the next module:)
Thanks, can u dm me the steps u took to find it? I just need the peace of mind at this point, this updated module is driving me crazy
Where are you stuck ?!
Questions 3-5
I tried brute forcing virtual hosts but so far I don't have any luck.
Tool?
Curl and Ffuf
You can get it done with gobuster/ffuf and it depends on the wordlist for sure
Use filters with ffuf.
Okay I see, thanks! Here's my current syntax: ffuf -w /home/kali/Downloads/virtual-host-wordlist.txt -u http://94.237.63.201:38585 -H "HOST: FUZZ.inlanefreight.htb" -fs 120
I filtered out size 120 because all of those results weren't reliable
Add -mc all
Add the ip and the domain + sub domains to /etc/hosts
Wordlist seclists-dns-11000
Okay, I'll try it now, thanks again
Hello everyone, could someone help me with the server side attacks module in the blind ssrf part, since according to what I read I should upload a joint file but it really only shows a message "bad application"
That's all the source code
<html>
<!-- ubuntu-web.lalaguna.local & internal.app.local load resources via q parameter -->
<body>
<h1>Bad App</h1>
<a>Hello World!</a>
</body>
</html>
That's not needed
Adding the ip to /etc/hosts is. But leaving -mc alone
-mc matches the status code, which will be 200
But default is fine
Does anyone have answer to question from Updated Fingerprinting Web
What is the API key the inlanefreight.htb developers will be changing too?
Well if you have to bruteforce you try all found subdomains
It doesn't need to be directly stated
It all starts with a "can I?"
You can bruteforce any subdomain you find, as those would be in-scope
i don't understand how that's a cheap trick
well... its stated we could brute force inlanefreight.htb that should be enough right? nope. you have to do something not shown at all..
it caught me off guard, made me ask myself how on earth i would have come up with this?
you need outside-the-box thinking
if you can brute force inlanefreight.htb, what's stopping you from brute forcing one of its subdomains
there's always more to enumerate
in my head its because theres a gap between my instance and the subdomains
I found the vhost needed, and the secret admin directory (or where it used to be)... still no api key lol. Am I missing some steps?
im just gonna read more about it tomo... can't leave anything behind.. if dns is in the module, its on the exam...
just remember you can't expect everything that they show you to lead you to the solution
some creative thinking is necessary, in the path and in real life
did you do the vhosts exercise yet?
im only on the footprinting module
ok
I'm trying to figure out why when I use the target socket with gobuster as recommended, I don't get the vhost enumeration I need. But when I use the vhost domain they provide, it does work.
Anyone else make it to here yet?
explain: provide your command that isn't working, they provide a domain because that's what's required to get the answer
gobuster doesn't magically know what the domain of the vhost you're looking for
without using the domain it's just being pointed at an IP and told to just spam (single word) wordlist at it
with the domain it's actually doing http://a.domain http://b.domain ...
That's what I'm trying to resolve in my head. Even gobuster's doc says 'you probably want to use the IP here'.
it depends
since it's a docker instance, public nameservers don't know what .htb is
.htb isn't even a valid tld for all intents and purposes
so even trying to route it doesn't know
but what's "recommended" isn't generally the "do this all the time"
in vhost mode you need a domain for the wordlist to attach to
Thinking through it, my first step was adding the vhost and IP to hosts, and using the domain with gobuster. That got what I needed. Then I tried with the IP like the module and help both recommend and, not surprisingly, it didn't work and I was just left wondering so I've been experimenting with different options.
right. haha
the alternative is using FFUF with the -H "HOST: FUZZ.inlanefreight.htb"
so why in gobuster vhost mode would you ever use the IP instead of a domain?
it depends
if it's a publicly routable ip that maps to a domain, it'll do just fine
because DNS knows what it's looking at
I tried FFUF but just had "Host: FUZZ", thanks for that clarification
and what it's querying
Hi! I'm working on Modern Web Exploitation Techniques -> Second-Order LFI and for the question, I have attempted several different pathnames, including root, admin, and tmp, with ../../, but am still not able to grab the flag. I'm wondering if I'm just missing something about the username, or the pathing?
the host header is always gonna be the subdomain.domain.tld
the important bit here is also using the port
otherwise http:// defaults to port 80
yeah, realized that too
and since the websites aren't on port 80...
thanks, @fathom pendant
base point is: if you're explicitly given a vhost to use, use it
don't worry about what's "recommended" because then you end up driving yourself crazy trying to get something to work that might never work
so true. this isn't the first time. haha
there's nothing that makes it inherently more special
it's just a thing that can be done
I also suggest refraining from actually dropping the subdomains, as it'll spoil it for others
the point is you don't know what can be bruteforced or not, and it just so happens that the one that works can be
it's not some magic formula that you can use to figure out why it works
i was looking for a cue or a sign.. there are none. which makes it more interesting! thanks!
what I did when just goofing about was 2 stages: create a subdomain list from the initial zone transfer (dig axfr inlanefreight.htb @ip), then do a for loop to go through each subdomain until it hit
¯\_(ツ)_/¯
I've been working through the Footprinting Medium Lab and have hit a wall. I've enumerated NFS, SMB, WinRM, & RDP and the common denominator seems to be I need a login to access either the computer via RDP or the TechSupport share. I know the hint talks about MSSQL, but the port is closed on the target, so not sure how to use that information. The hint also speaks of the local administrator account, so I tried logging in using that with some common weak passwords to no avail. Any ideas I'm not seeing?
the share is the first step
MSSQL comes after; as it's running locally
and no you don't need a login to access the share
hey @fathom pendant, im not sure why the domain I got isn't working for creepy crawlies in web edition from the comments
I haven't done that section
planning on tackling that over the weekend as I redo the module to revamp my notes, since sections and answers got changed so too will my notes so I can at least be accurate with them
okie dokie, will keep workin at it
all of these are new additions to the module
literally went from 100% to 50% that's how much they added
Really? Whenever I mount the share, I get access denied to get into the TechSupport folder
How do you feel about additions to modules like that marcie?
switch to root, it's like the only time you'll have to use root to browse
Noted, I'll give that a try, thank you
As frustrating to others as it can seem, this is definitely one of the modules i felt was lacking information, and even the Virtual Hosts section revamped I feel (at least just looking at the diagram) it explains how vHosts work instead of just "here's a definition, and basics of how it works." And I can also get some other people's frustrations as when they added the Thick Clients section to Common Apps, it was pretty much a universal negative response. I enjoy that it's expanding on concepts, and introduces a section dedicated to just explaining DNS since previously it was weakly explained, or at the very least needed a LOT of clarification from others to get why the tool works
TL;DR - Change Good
@ocean night one thing lacking with the modules is the ability to reset them. my guess is we can't because once you complete the module it's unlocked forever and resetting it may reset that flag too? it would be nice and many people mention it. especially for those modules that get reworked.
help
Worth chucking in to /feedback
I cant find the flag and i filtered all the files for flag
to add on, if a module section is changed with answers changed it definitely needs to be wiped
If I were a user, I'd want a soft reset, as it were
Retain completion, but have the ability to run through again
@ocean night can u confirm the answer for the creepy crawly Q is correct? the hint helps find it but... not sure if i should be hitting that with anything
I wonder if it has some backend meta-data to section number
I cannot help with answers, sorry
not with answer, just want to know its in-scope
I cannot advise on content
kk
guys help im doing using web proxies > repeating requests
when i filter all of the files
the scope of the question is just to find the subdomain
for flag only one appears, and there is supposed to be a second
am i an idiot or is something wrong
inlanefreight.com is a real (fictional) website hosted by HTB
it's used in a fair bit of the academy engagements when a live target needs to exist
it's referencing an aws s3 bucket
this section? https://academy.hackthebox.com/module/144/section/3079
yup
Don't see anything regarding anything crazy; the hint is regarding an html comment
like <!-- Work in progress -->
or <!-- future content will be moved to subdomain.site.com -->
yup but the TO-DO: part I can scan and nmap and stuff?
well the idea is to crawl it
not scan it with nmap
it's a website
it's a "live" website
you can browse to www.inlanefreight.com at your leisure and check it out if you want a silly laugh
this is after the crawl, the future reports in To-Do
well then look for other pages that you may find it in
either that or the live site hasn't been updated for the new content
it gives a url but its for a s3.amazona
¯\_(ツ)_/¯
did you try inputting that as the answer?
if that's the answer, then that's the answer
yup tried the various ones
well i plan on tackling this over the weekend, if you still need help ¯\_(ツ)_/¯
otherwise though I'd reach out to support to confirm it's not an issue with the live site missing something
I also suggest using the showcased tool, reconspider
yup thats what i used
then idk ¯\_(ツ)_/¯
Doing using web proxies > Repeating requests
I filtered all of the files for flag and only the original one appeared, while there is supposed to be a second
Am i doing this wrong; is it hidden elsewhere?
brother... read the comment carefully, maybe make your terminal screen larger
check what's before the s3 part
did you check the filesystem root?
another way to potentially find it would be injecting find+/+-name+flag.txt+2>+/dev/null
was actually the size cutting off .htb perfectly, but pinging and dig/nslookup still worked without it
giving me an ip and all
tends to be the case but as soon as I saw it cutting off i was like "oof... can't read... neither can I"
you the best
np; got my curiosity piqued enough to run the silly little tool
and added it to my list of basic web recon tools
whats that
(im kinda new if you couldnt tell)
also is there a reason why tree doesnt work
tree isn't a linux command afaik
oh wait
tree just checks the current directory
it doesn't go backwards
do linux fundamentals
filesystem root is the base of the filesystem, the beginning of all filepaths
like how C:/ is for windows / is for linux
any directories and files you add to the system are added after
i did that one a while ago but i forgot most of it
ls -la is the better command in linux
ty though, im doing it rn
then you should have taken notes
yeah
γ ‘γ uγ γ ‘
in fact it's how I "know" so much, just a lot of notes
thanks for the advice
will do
but tbh before hacking you should know basics of filesystems
for instance with linux you need to know:
what ~ is, what / is, what /root/ is, what /tmp/ is and how to see/find hidden files
if you want to be somewhat more familiar with linux navigation commands, there's a terminal/text based 'game' called bashcrawl
it teaches you the basics of bash and filesystem navigation
thanks!
doesn't sound like an academy module
if it's a box; #boxes , if it's a challenge; #challenges, if it's a starting-point machine #starting-point
all i see is no access
you need to read and follow #welcome to access more of the server
you right
i forgot my password and it wont send a password change link so i can't verify
im waiting for the support email i sent to respond
Which platform (URL) did you try to reset your password for?
is this what you are looking for?
Have you signed in to that before?
Anyway.. support will come back to you in the morning. They'll get you sorted
just drag mick out of bed to help him /s
Oh.. right.. it's Saturday
You may have a delay in response then fork. But yeah.. have you ever signed in to account.hackthebox before?
It's separate to your academy account
..but you can link your academy (and other HTB service) accounts to it - it's our SSO service
@grand loom tbqh; if you're doing the web proxy module with zap and identifying a vulnerability with the spider, it's a high level vuln, i think it took around 15 minutes or so to get to it
so it definitely takes time
a lot of the requests stuff through burp/zap will just take time as they're checking a LOT of things
but I can confirm the vuln they're looking for is a high severity one
i see i see do u have like a small list u try for each type of injections until u figure it out?
idk what module you're working on so I can't give much, i'm just going off vague context
in order for people to be able to help you, you need to provide context
module name
section name
social security number
what you're stuck on, what you've tried
the question is vague about how could i figure out a vulnerability with a list of them existing for a form
not for any mod or box
ah then I misunderstood
you'd just run automated tools like zap or sqlmap
there's no magic wand or list that will find everything, just the most common ones ¯\_(ツ)_/¯
oh so i try the most commons one in order and btw u run all of them automated to "find" the vulnerability?
cause i know some people just do
Google sqli polyglots. Some have put together strings that try to cover most injection techniques in one or few strings
', ' admin -- -, admin' --
if this dont work they go on to the next one for injections
' admin or 1 == 1 --
either way it sounds like you're trying to overcomplicate it
while yes there's "thousands" of different strings you can do to exploit a vulnerability, you want to first even test if it exists
yes i think so too
of which there's a significant fewer amount
of which you can google, and the HTB modules have plenty of test examples
basic logic stuff that generally work
hi information gathering web edition added additional material. I'm thinking of completing that before trying file transfers again as its necessary to complete the path. I feel like it would give my brain a break to work on other material because I'm having trouble getting my focus up for file transfers you know? Since they literally just added ten sections to the Information Gathering Module, wouldn't this be a smarter idea? I'm coming from a perspective of wanting to not waste time staring at a screen because of some recent events that have gone on.
I think from a learning idea this would be smarter when getting back on track with HTB Academy and then I could go from there.
especially since I can't complete the CPTS path until the current, whole thing is completed at once.
not at once sorry
until there's nothing left I haven't already done in path
Can someone help me with XPath - Blind Exploitation challenge
can anyone advise on the skills assessment for broken authentication? I'm having some trouble with the 2fa
Module: AD Enumeration & Attacks
Section: Kerberoasting - from Windows
Under the semi-manual method, it states the following:
We will focus on user accounts and ignore the computer accounts returned by the tool.
Why do they choose to ignore the computer accounts that have SPNs?
The redirect will go back to a blank page; make sure to include the port number with the URL all the way.
looking for initial foothold for hard lab of password crack module
So it seems like the questions in the skill assessment of the Information Gathering - Web Edition were changed but since I've solved the older questions, it marks those questions as solved with my older answers
machine account passwords are not set manually and it's 120 characters on rotation, and they will usually always have SPNs set for their services, so if you don't filter out machine accounts, you'll just get back a bunch of junk when kerberoasting
Hey, so Im doing Password Attacks Lab - Hard. Ive been trying to download the file from David's smb share but I keep getting 'NT_STATUS_IO_TIMEOUT' message. What should I do?
How do I filter out the computer accounts? Also, aren't the 120 characters on rotation only when LAPS is activated?
increase the timeout?
nope LAPS is a separate mechanism, that only takes care of the local admin account
all the tools that do kerberoasting will filter those out by default, you don't need to manually do it
i've added '-t120' to my command but it is still giving me the same error msg (NT_STATUS_IO_TIMEOUT)
Ah okay. Understood. I forgot that LAPS was local accounts only. I looked up the documentation for setspn.exe but didn't see any flag to filter. I'm guessing since it's a native Windows binary, there isn't a way to filter out computer accounts? So, I'll just have to use one of the other tools mentioned in the module to filter?
Hi all,
Is this the right place to ask about an error regarding the funnel box in starting point?
well then you might try another client, reset the target or try via pwnbox
Its redirecting me here for some reason. Thanks tho for replying I'll figure it out
Makes sense thanks man really appreciate it
I want to install Kali Nethunter on my Redmi 9T phone without rooting it. Can anyone guide me on how to do this?
Alrighty. I'll use the tools, but just for knowledge. Could you please provide an example of the command using objectCategory=person?
You are in the wrong channel. It's best to ask in #homelab-sysadm
If you have no access, read and follow #welcome
This channel is about the HTB Academy modules
Has anybody done the finished skill assessment on the updated Information Gathering - Web Edition?
It's literally impossible to crack a machine account password, so it's a waste of time requesting a ST if a machine account has an SPN attached
Out of curiosity, is it possible to request a ST with GetUserSPNs with a nopreauth user just like its possible with Rubeus
I tried to, but it fails
I was hoping the next section in the "Kerberos Attacks" module for kerberoasting from linux would show that but it didnt, but there's an option for -no-preauth
Yess, I followed this
It would be really cool if it's possible from linux, imagining an attack chain where you found an asreproastable user but they have a complex password, so instead of cracking you could request for a TGS ticket for a service account that could be cracked using the no preauth user (or I'm trippin lol)
i'm poking at it but i can't figure it out, it seems like there is nothing to crawl.
Same lol
The new skill assessment in information gathering - web edition is a little bit harder
like "Is what I'm doing right or not? Because the results aren't coming out." but in the end you will realize that
doesn't it work here
yeah it is really frustrating as i thought: ok i'll go for it in an hour or two just to update my notes and now i'm troubleshooting stuff
__Windows Privilege Escalation: SeImpersonate and SeAssignPrimaryToken__ no output when using impacket mssqlclient cmdshell, can someone help?
__Windows Privilege Escalation : SeImpersonate and SeAssignPrimaryToken __ no output when using impacket mssqlclient cmdshell, can someone help ?
oh no it didnt, thats a list of tgs tickets with the export-csv function I transferred over. Included to show I used the correct SPN
if you try others and it doesnt work, just use BadPotato lol
I think I've got it to work before but it's been a while
but that edge is so specific you would probably never see it irl
hmph, okay okay
thanks!
imagine not using godpotato
It's GodPotato I wanted to type actually
theres so many potatoes
time to write another one
I typically just use PrintSpoofer or Godpotato, too impatient to play around with CLSIDs
Do blog about it when its done 
I'm saying you should do it 
I just tested right now, it works for me. Maybe restart the box?
objectCategory=person is to be used as part of an LDAP filter, right? With dsquery?
Oh, it's meant to be used with this (GetUserSPNs.py). My bad. But it can be done with dsquery and an LDAP filter too, right?
what does dnsquery have to do with this?
im pretty sure u will not see any output from this unless the command resulted in errors
hashcat -a 3 -m 0 md5_mask_example_hash -1 01 'ILFREIGHT?l?l?l?l?l20?1?d' in the hashcat and mask section of the module, i can't understand the use of -1 and 01, can someone explain it? i have read from other sources but am still getting confused
it's explained in the module, what do you not get?
Nah, I just recalled that when using LDAP filters with dsquery, there's a parameter objectCategory=person as well. So I was just wondering if that could be used to query for service accounts with SPN set.
probably but again using tools to kerberoast from linux is much better since you don't have to worry about extracting the tickets from LSASS
Noted on the tools. LSASS? Are you talking about having to extract the ticket from memory using Mimikatz?
yeah but that depends on which mimi commands you run
how do i know which prefix/suffix to use in sqlmap?
do i just increase the level and make the server cry for its life?
someone, tell me
I am wondering if I should start HTB Academy. Is this a good service?
I am studying for my OSCP.
I landed here because I was interested in obtaining the OSCP but many people suggested HTB CPTS was more difficult and, so, basically prepped you for the OSCP. Since I don't have hands on with OSCP material I can't say for sure, but the material is good so far and the price is right compared to the OSCP.
i'm about 20% through
HTB is one of the best places to learn ever, cost every spent penny
Technically yeah lol
Well you could also refine your payload with specific prefix and suffix options, adjust other SQLmap options like --risk, and manually analyze application responses for clues on injection points and techniques....
yeah i am exactly asking on how to i know which boundary to use. in the sqlmap module they just hint you to use this a prefix and they don't explain where did they bring that prefix from
haha, deleted my question if anyone saw it. I'm a doofus.
Microsoft stuff makes me irrationally angry sometimes
it all depends on what you value more, HR Clout or Knowledge.
that was my conclusion as well, and I don't expect I'll land a redteam job but HTB stuff makes me better at almost anything else IT related. I figure if I get the redteam opportunity and need the OSCP I'll let them pay for it.
for real though, if anyone read some primer-tutorial on PowerShell that made them go "Ahhh! It all makes sense now!" please link me. I can not understand why Microsoft designed PS almost with an intention of making it impossible to comprehend any pattern to their command structure.
Have you tried this? https://www.youtube.com/watch?v=UVUd9_k9C6A&t=1s
No, but I will now. Thank you for the link!
The guy who made powershell is in it. I found it very easy to follow. Good luck
how do i force logrotate to rotate as non root user?
linux priv esc module
i don't have write permission on /var/lib/logrotate.status
and ofc can't just logrotate -f
maybe i should wait a full day?
help i cannot find my account identifier but i cant message in any channels but this one
Read and follow #welcome
It's on https://app.hackthebox.com
Academy doesn't have an identifier
any help would be great
Have a look in your user directory π
I am doing the Info Gathering web edition, on Skills Assessment task 3, I can not seem to find the admin hidden directory, I have used gobuster with the medium-2.3 list (from SecLists). I also used Zap. Still nothing is coming up. Any hints. I also bruteforced for any subdirectories, still nothing comes up. The only thing that I see is this.
i know the log i need to rotate
how do i rotate it?
fill it with junk?
you have an ip address, not a domain
there is a section that discusses bruteforcing that
you have to find out when the file is rotated. So write something in and see what happens.
hi, is it worth it to go back and finish updated information gathering path?
before doing file transfers?
I thought I had finished info gathering but they added a bunch of sections
good day everyone is someone available to tell me what im doing wrong on this module its the citrix breakout one and for some reason i cant import bypass-UAC.ps1. even after setting the execution policy
Yes
can i send you a video call
oh you didnt respond to me my bad
I also don't do private calls
ok got shell but it dropped instantly
would you say if I'm having trouble doing file transfers I can go back and finish those updates then try file transfers again? I'm confident my issue is my focus and not something related to being able to understand file transfers.
so maybe will give my brain a break from reading same thing again
File transfers is independent of those skills
Try another way to read the file than getting a shell...
right exactly so its different skills
Same answer: no
so could give my brain a break from file transfers skills for a while before trying again
what do you think?
If you can't explain what's going wrong, then you're not gonna get much help
That's up to you dude
ok
well its alot to type and i figured it would be easier to see it
Copy/pasting the error is also effective
And if you want to post screenshots, instructions to verify are in #welcome
But I don't do dms for a reason
Path not found, you're inserting a .\ for some reason
even after Set-ExecutionPolicy Bypass -Scope Process
You only need .\ if you're calling it from the current directory without the full filepath
That's part of your issue
Top of your screenshot "path not found"
So whatever you were trying to run before wasn't run properly
Reading comprehension is the first step in fixing errors
Look in your filepath you're trying to import from as well
what would be the correct way
Without the .\
But also it looks like you didn't actually disable the execution bypass
what should I bruteforce, am I looking for a subdomain or a domain reverse lookup
this section couldn't be more annoying
at the end i just cpped the flag
Shouldn't it be -ExecutionPolicy Unrestricted?
As part of the command
Bypass isn't a keyword afaik
Nvm it is
specify the scope, it's taught in the module
can someone help with this, I still do not know what to do
i cant ssh off my vm
and i have the vpn on for the module
'port 22: no route to host'
and when i ping it dont work
maybe i should use the htb vm not parrot for security
im talking to my self i swear im losing it
Are you running the vpn?
no route to host
Means that it has no route to the 10.129 ip
yeah i ran the commands
it connected me to ton1 or something like that
tun1 and it sounds like you have multiple running
As it should be tun0 (if that's your only vpn running)
ps aux | grep openvpn
sudo killall openvpn then rerun the connection command
holy god
i had a few
ok ty
Nah the command itself runs like 3 processes each time afaik
oh i see
there was still two different ones tho ty
also im taking notes now
You don't need to run the vpn for every target, just once per learning session you are doing
oh ok
*if it's needed
alr tysm
ok it worked you're actually my favorite person marcielee
i nominate you for htb discord user of the year
try some of the other techniques covered in the module, not everything can be solved with bruteforcing
Have a question on Web Attacks --> Chaining IDOR Vulnerabilities.
I was able to get the flag, and hopefully this isn't really a spoiler, but wondering what causes the 'Edit Profile' page to populate with information that allows us to make changes to it. In the previous section, IDOR in Insecure APIs, the info is already pre-populated, and is referenced at the beginning (and really throughout) the Chaining IDOR Vulnerabilities section as if we should just be able to go in there and edit/update the profile but that's not the case. Once you do the initial legwork that will allow you to change the admin's email, that edit profile page populates with info...but I don't really understand the trigger that makes that happen
hi guys, what is the matter with Footprinting Lab - Easy ? any hints ?
where are you stuck?
got the key and gave it the permission and still can't login
did you use the correct username or the key?
let me go check my notes to be sure tho. i dont quite remember details
it is on the ||ceil ||directory, and i used ||ceil ||as the user name on ssh with -i key that i got from ftp
give me 2 minutes im walking to my PC to look at my notes
i removed ||authorized_keys|| too from ftp and put my own one key.pub
nothing is working, I think that I must be doing something wrong
sorry took longer than expected. had to find it in my old notes:
well did you download the ssh key from the authorized folder?
yup
well then ssh ceil@IP -i <Name> should work
not working
md5sum both files and see if numbers match
if not you copied something too much or too little
can i do md5sum in ftp ?
yea
not to butt in but are the permissions on the key right?
chmod 600 key, that's what i made
from this message i assume so
just wanted to double check
what command ?
go into your authorization_key directory
and type
md5sum filename
this will give you some numbers
and you do the same for the file you trying to log in with on your host (the pub key from ceil)
example (did on my ovpn file)
but that shows if the 2 files are same
or you copied something wrong
@smoky gyro you can as well send me the screenshot of the authorized key since i have it saved and how you trying to login
Need a nudge for fingerprinting web API KEY ?
Are you offering a nudge, or asking?
asking
Right, I misunderstood your previous messages then. Sounded like you were offering nudges, my bad.
Didn't make much sense to me, someone offering nudges
oh i was wondering why my messages are getting deleted sorry for the misunderstanding. I will be clear from next time
Like, the question mark makes it sound like you are asking if anyone needs a nudge
Is anyone doing the updated INFORMATION GATHERING - WEB EDITION? Have you gotten ReconSpider to work? It needs API keys, but I can't sign up with ipstack without a credit card, so I'm not sure how to move forward
I downloaded and used the one from the wget command. Didn't require an api key, just installing scrapy
I take it you're on the question "where will future reports go?"
Thanks! I finally got it. I just executed the commands on the parrot pwnbox and it worked. I originally was working on my local Kali machine but couldn't figure out why it wasn't working.
I didn't try in my own vm so I'll have to double check, if it actually requires a paid API key, ooof. ¯\_(ツ)_/¯
Yeah, I was pulling my hair out for 2 hours and I couldn't figure it out. So you pointed me in the right direction. Lol
We're referring to a different section; the creepy crawlies section
Finally finished password attacks, that hard lab is wild 
I'm working on the Modern Web Exploitation -> WebSocket Analysis in Burp module and I am not really understanding how it wants me to modify the info to grab the flag. The directions aren't super clear.
read the source code included
i cant find mail and i've done find, tree and everything
(linux fundamentals - Where is the htb-student's mail (path))
include the section name next time. it's not a file, try the list of commands given at the start of the section
I checked the code and see /what/ will get me the flag. I think where I am confused is how to properly modify the websocket traffic to get it to give it to me. I tried changing /echo to /admin, but that doesn't seem to do it.
you'll need to include a parameter
OMG. It was literally in front of my face the whole time. Thanks.
Environment variables are useful
thats all the stuff that appears when you use --help right
No
uh oh
--help just tells you what flags (options) a command accepts
The module gives you a list of commands and a brief description
note environment variables are always caps
noted
Like echo $HOME will get you the home environment variable, while echo $home will not
marcielee you are my saving grace
you still remain my favorite person in the server
I cant embed but pretend i am
Yes you can
i can?
You can embed here
Aw so im not cool or ranked enough
Hacker rank is minimum for embed
so i have to become less of an idiot first
Rank in labs isn't tied to academy progress
is it like a message system
There's a popular frustration point
i gatchu now i see
@fathom pendant thanks btw. I thought I was connected but turns out I misclicked or sth and the vpn file had never been downloaded so I used the starter point's one instead of the academy's one. When I connected to the right one, the ping worked just fine. ty for pointing out it wasn't normal taking that much time
It seemed weird anyway that's why i asked for the time taking to do a simple task
Could anyone give me some hint of intro to deserialization attacks Skills assessment 2?
How to use secret key to change the cookie?
Thank you so much!! I have never heard of HTB CPTS before, I will try HTB Academy for HTB CPTS before OSCP.
Thank you! I agree with you. I am working on the lab and learning a lot. i will start and look at HTB Academy!
You whatnow? I have no idea what ipstack is or what is has to do with the spider lol
the hell did you download O.o the spider is just a simple scrapy python script I threw together to collect bits of info
did you copy the scrapy install commands? wondering if someone is typosquatting on pip
I used pip3 install scrapy, extracted the ReconSpider ZIP, ran it and was all g
I'm concerned because someone mentioned something about rate limits earlier to me, which I was pretty confused about lol
I didn't see anything related to what others have said about ReconSpider at all
I got my answer in results.json
yup thats what should happen
guess I need to pull a kali image and check
FWIW i did it through pwnbox this time, usually I'm doing tasks from my own kaliVM
Ok, I got what I did wrong... I was trying to run "python3 ReconSpider.py http://inlanefreight.com" as sudo because it was in my /opt. So it was throwing all sorts of weird errors. So I tried to download reconspider from github (https://github.com/bhavsec/reconspider). That's the one that was asking for APIs.
I tried to do the commands in the module just now as a regular user, and saved everything in my home directory and it was all good.
The one I'm having an issue with is finding the API key the team is moving to, the last question of the skills assessment. I tried a few things and couldnt find anything around that
Yep, it's against the .htb domain
Ohhh yeah no, the reconspider.py in the module isn't anything you will find online, its just something I threw together for the module
You Pythonic beast you
(tho it will work pretty generally outside the module too so keep it handy lol)
Was starting to get very concerned for a minute, because 2 people talking about similar issues means there is smoke, and where there is smoke there is a fire
spider should help you find it
ill rerun it again, but maybe my approach wasnt the correct method
It was likely in front of me at some point and I wasn't looking for it at the time
it was. there aren't any "gotchas" in the "easy" modules
especially if you answered the 3rd question
im stuck on 3rd 4th 5th, not sure if my environment is messed up or what