#modules
@waxen totem I got an obsidian plugin u may find useful. It's called "reminder" but for some reason it doesn't work for me, but it may for you. It seems super helpful tho
Hi everyone, I'm doing the AD enumeration and attack module, currently on the kerberoasting part but I cannot find creds for a valid domain user on the page. I'm probably missing it but I tried the basic htb-student creds, forend user (but i don't see the pass ?) And tried with sqldev creds that they retrieved during the explanation
you reuse the same set of creds quite often throughout the module
I guess, I will go back and see the other creds. I just needed to be sure that it's not me tweaking lmao
did you set your payload in the multi handler
Thanks !
Thank you!
I was stuck on this for longer than I'd like to admit
Hi guys, is anyone else having trouble connecting to the vpn?
hi guys i'm using kerbrute userenum -d domain.local --dc x.x.x.x wordlist.txt -o valid_user but the result in valid_user is empty like the output give nothing. even if kerbrute say there is 56 valid user
so i don't understand why the output file is empty
i think that kerbrute version is bugged
Hello! I'm still working on Linux tasks, but I can't figure out what I'm doing wrong when calculating the number of installed packages. The question is: How many total packages are installed on the target system?
I'm entering the command:
apt list --installed | wc -l
but the number I get is not the correct answer.
What am I doing wrong? (I'm running the command on the target machine.)
Yes, thanks, that was the mistake... I just subtracted one, and it turned out to be correct. I don’t have enough experience to anticipate something so trivial.
happy to help, and it'll come. I've heard that the module leaves more to self-discovery than usual, so I think that's normal. But it's also important to take this opportunity to work on your troubleshooting skills (in this case, breaking the problem into parts)
hey, could anyone lead me on a path here?
bug bounty hunter, Information Gathering - Web Edition / Skill assessment.
What is the API key in the hidden admin directory that you have discovered on the target system?
i used gobuster and FFUF, but i only seem to get a /index.html dir.
i need help with a question What is the name of the hidden "history" file in the htb-user's home directory? this one ive ran the command ls -la i tried opening .bash_history but its output was "exit" what should i do
.bash_history is the name of the file.
i know but why is the output exit when i open it
Why do you need to open it?
You probably just don't have permission to read it.
ohh i must have misunderstood the as
assignment
thanks
am new to this shit so dont know so much
could still use smt
Me too, bro, me too. And I'm on this module right now as well.
damn this is really frustrating like i want to give up so bad sometimes and am just a newbie imagine when we get to like really hard parts
Finishing something hard feels like a reward, keep up the works!
It's alright, as they say in the "Learning Process," mistakes are the main part of learning. It's always okay to make mistakes, the key is not to quit learning because of them.
yeh your right
Is this the place to ask questions if we are havin issues with a module? Sorry new to this channel
yes it is
I'm on the Pivoting section of module 'Intro to C2 Operations with Sliver'. I'm having issues running the cmd: 'make windowsdll_64'. For some reason it keeps throwing errors:
make windowsdll_64
env CGO_ENABLED=1 GOOS=windows GOARCH=amd64 CC=x86_64-w64-mingw32-gcc-win32 go build -buildmode=c-shared -trimpath -ldflags "-s -w " -o chisel.x64.dll .
go build: when using gccgo toolchain, please pass linker flags using -gccgoflags, not -ldflags
golang.org/x/sys/windows
/home/htb/go/pkg/mod/golang.org/x/sys@v0.0.0-20220908164124-27713097b956/windows/dll_windows.go:182:32: error: reference to undefined identifier ‘syscall.Syscall9’
182 | return syscall.Syscall9(p.Addr(), uintptr(len(a)), a[0], a[1], a[2], a[3], a[4], a[5], a[6], 0, 0)
Will there be any ctfs or htb events held in London this year?
Hello
turns out i just had to redownload a VPN file...
hey im currently finishing up the Pivoting, Tunneling, and Port Forwarding module and im stuck on the SSH for Windows plink.exe page.
I am connected to the VPN in my Windows VM and can ping the target machine correctly and see open ports 22,80. What credentials am I supposed to use to connect to it with plink.exe? I tried the same credentials for the ubuntu user that are given in the other pages but that fails from my VM. It somehow works from the HTB Pwnbox though 🤔 Is there some kind of restriction not allowing me to connect from my Windows VM? I get the SSH prompt and 100% sure I enter the correct password but impossible to connect... I have also tried using the basic ssh client on windows and I get the same errors... Permission denied (publickey,password) any ideas on what's going on here 😂 ?
hey guys whats up ... why i cant do normal nmap scans ? (sau) machine. i wanna do nmap -sC -sV x.x.x.x have the lab vpn on but still problems
then i did a sT scan he show me the ports but could not specify with sV

hi , in the pentester path, module 'Getting Started ' it reads :
'Another option is VMware Workstation, which requires a paid license but offers many more features than the free options.'
isnt this misleading ? I mean like, this software is not paid provided one uses it non-professionally, right, or what ?
it also might be that it is not paid since recently, but this suggests the HTB materials are not updated regularly ☹️, what do you think ?
you can make a submission to #1234357888114364508 to have it corrected
DM?
So I’m in Linux fundamentals modules of the section system information.
I couldn’t find the answer to “what is the path to htb-students home directory”
Idk isn’t it supposed the answer to be “ /hoem/htb-ac-1733123??????
you spelled home wrong + you're supposed to ssh into a machine
Only thing I did differently in my notes is import Powerview first, but that literally shouldn't make a difference, what if you do Get-DomainUser -Identity damundsen
Wdym by ssh into machine ?
are you on the system information section?
In the ACL enumeration for AD enumeration & attack this question : What is the ObjectAceType of the first right that the forend user has over the GPO Management group? (two words in the format Word-Word)
Im using bloodhound but cant seem to find anything ? Like I've found 2 ObjectAceType for the forend user over GPO management group but nothing is two word ? Any tips on how to discover the answer using bloodhound cause the powerview command been going for 20 min and I still got nothing?
powerview is gonna take time going through every ACL
there's a machine you can spawn, right? you should SSH into that machine (either from pwnbox or your own VPN-connected computer)
Yea but I have in bloodhound i just dunno what cypher to use
I assume that you can spawn a machine at the end (usually modules work like that). If that's the case, it should tell you "ssh into <machine> as <user> using <password>" (or something to that effect).
If you need help around ssh syntax, google it or run man ssh.
I am guessing (not sure) that the user that you're running PowerView with isn't joined to the domain? That would explain why you're not finding damundsen.
I seem to remember that I right-clicked PS, ran it as wley, and just did your last three lines (import PowerView, set new password for damundsen). Didn't even create separate credentials for wley.
Be more precise in what happened, provide your outputs. Version detection is tricky (read the nmap manpage).
i wanna do a nmap scan with nmap -sC -sV 10.10.11.224 -p- / But he dont scan and break up with 50 %
Can you edit your makefile? You have ldflags set there. As the error suggests, you should use something else.
└──╼ [★]$ nmap 10.10.11.224
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-04 21:03 CET
Nmap scan report for 10.10.11.224
Host is up (0.050s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp filtered http
55555/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 1.97 seconds
└──╼ [★]$ sudo nmap -sC -sV 10.10.11.224
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-04 21:03 CET
Stats: 0:00:47 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 50.00% done; ETC: 21:05 (0:00:45 remaining)
running scripts and doing version probing takes time; your nmap scans should first cast a wide net, and you should run your scripts and more aggressive probes on things (ports) you know have something behind them
yeah but in the walktrough they do exactly the same and they give some thing back
when i let them run i get nothing back
Oh yeah I did it but why it tells me permission denied ?
Nvm it turned out I typed it in a wrong way
Thx guys
Finally got my first cube lol
Anyone able to help with Try to identify the services running on the server above, and then try to search to find public exploits to exploit them. Once you do, try to get the content of the '/flag.txt' file. (note: the web server may take a few seconds to start)
This is in the "Getting Started" module for pentesting
I found an exploit but I literally cannot find it in searchsploit or metasploit
||Port 22 is open for ssh, OpenSSH is running on debian 12/bookworm, there is a known exploit for the exact version of OpenSSH (9.2) on deb12u3 which is what the target has.||
I've been googling it but I can't find what the name of the exploit.. actually is??? It doesn't help that in the prior pages it does not mention how to actually find the exploit it just mentions eternalblue out of nowhere like we're supposed to fucking know that it exists for no reason
best to say what section you're on as well as the module
Public Exploits
when a target provides a specific port, focus only on that port. you don't need to look at any other ports
Hey guys, was wondering if anyone could help me through the API attacks.
I’m on the 1st module and have been able to retrieve the reports, but I cannot for the life of me find the flag.
try visiting the page in a browser, using the port provided
ohhh ok
i thought we were supposed to scan through all the ports and look at open ones or the ones potentially hosting webservers etc
when that's the case, you will only be given an IP. Like SuperNuts said, when you get IP:PORT, you just use that port
gotcha, thank you
ls /roorman ls
Hi there, I am doing the ICMP Tunneling with SOCKS section. I have troubles understanding this command: sudo ./ptunnel-ng -p10.129.202.64 -l2222 -r10.129.202.64 -R22. How come the proxy and remote address are the same? Shouldn't the attack box address be the proxy? Please help
Hi everyone, i’m doing the AI fundamentals and i’m stuck at question 5 no matter i answer is always wrong. If someone can please help me with it
@fresh stone hi brother
Go
Has anyone completed Dante?
no answer
this channel is for discussion of the Academy modules
dm
yup I was instinctively running powershell as administrator, once I chose the run as wley it worked. thanks.
I did it blind. So not sure what the module itself says. But I suggest figuring it out on your own using notes from the relevant module
If you're absolutely sure it should work, restart the environment. Or reach out to support
ok fair! good advice. Thanks @fathom pendant
Also spoiling content for a module above t0
yeah I ended up spending a bit of time on the sql inj one and reviewing those modules, it was helpful.
I suggest continuing the module blind and only refer to the reading if you're truly stuck
ok
it's mostly because doing AEN blind is a test of methodology and shows how good (or bad) your methodology and notes are
the windows privesc module is taking forever lol
Guys I got a question, just started HTB, I need to answer "What does the acronym Linux PAM stand for" I tried "PLUGGABLE AUTHENTIFICATION MODULES" and many other things but can't get the answer right. can anybody help me?
did you add linux in front of it also the module and section name is super helpful for us helping you
also wouldn't be authentification, just authentication
authentify isn't a word
well
at least in this context
Sometimes I see this out of the corner of my eye and get excited I found a flag 😮💨
Anyone would help to do Skill assessment of Information Gathering - Web Edition in last two Question
subdomains of subdomains
crawling
https://academy.hackthebox.com/module/54/section/502 pls help me in this module
Gotta be more specific mate...
i used the given command with the wordlist and it worked fine for me
you're likely overlooking the answer
as it's not something that's crazy
don't reveal answers 😉
overthinking the problem
Linux Local Privilege Escalation - Skills Assessment
Could someone give me a nudge on the ssh-less foothold? So far, I've the webpage (static), Tomcat, and the subdomain, and what looks like a mysql port, but I can't make sense of it.
my biggest issue lol
Simple question, simple answer
keep pressing
(was being stupid have removed :P)
Can I DM you?
sure
You can DM me
Inquiry about the annual subscription to HTB. My question is about the step by step feature. I want to take a look before buying. Is it explained somewhere?
can someone help me with (Remote/Reverse Port Forwarding with SSH > Remote/Reverse Port Forwarding with SSH) practical part. As i cant do it nor i have any clue whats going on even after reading material lol
I mean what is there to explain? It provides solutions but doesn't explain them, as the reading does that
I want to take a look before buying
Wdym "take a look"
It's literally just solutions to the content lol
its also against the rules to post pictures of the solutions Faza
Because I will take the CWEE test and study the entire content.
So cant even show xd
Thx
The step by step feature is not explaining anything behind each step. It simply says do x,y,z to get the flag. So imo the only thing it contributes to is a sanity check after you solved it yourself, maybe the intended way was different, that's about it.
This ^ but also if you've exhausted all options of your methodology and still the answer eludes you, at least then you can learn something either new or sanity check how your approach is wrong
the explanation for the steps is in reading the content
the steps are assuming you read the content and just hit a wall
well the person was asking about the feature, so I answered the person's question about the feature
Thanks bro
has anyone ever had this issue with bloodhound ? Yesterday uploading a zip file worked, now the same zip file no longers works
it gets stuck in Waiting for upload forever
Is your neo4j db running?
yes, typically when I forget about that one bloodhound will not even login for me
ok I rebooted my machine and now it works, very strange
what was your expectation
I guess the 10-second tiktok format doesn't really lend itself to learning complex skills
DM and I can try explaining what you don't understand
Well.
Is at the end of the Web proxies module.
Am on proxychains but facing some problem: : proxychains nmap --proxies http://127.0.0.1:8080/ 94.237.61.111 -p 50193 -Pn -sC
and then I get that work but I only get what is caught in my terminal and not in burp which is the actual sentence. If I tx run proxychains curl http://sida.se/ it is captured in burp as it should be.
You only take an hour on a section? I typically re-read and internalize everything which can take more than an hour per section
(part of the reason I take so long is cos of distractions like discord 👀 )
you're already telling nmap to go through a proxy, you don't run it through proxychains
one or the other
proxychains nmap http://127.0.0.1:8080 94.237.61.111 -p 50193 -Pn -sC does not send it to burp....
I'd try it without the schema (http://) so just: proxychains nmap --proxies 127.0.0.1:8080 ... or use the connect:// schema
same problem...
Yeah I think it's a too many proxies in use issue like facsimilae said...
it do proxy [proxychains] Strict chain ... 127.0.0.1:8080 ... 94.237.61.111:50193 ... OK
but not into Burp
Might be the ports interfering
But if i do proxychains curl it works..
you mean you can see the curl request in burp?
yes
what's your proxychains.conf looking like?
I meant try
proxychains nmap 94.237.61.111 -p 50193 -Pn -sC
or
nmap --proxies http://127.0.0.1:8080 94.237.61.111 -p 50193 -Pn -sC
i done, the same problem!
```
[ProxyList]
# add proxy here ...
# meanwhile
# defaults set to "tor"
#socks4 127.0.0.1 9050
http 127.0.0.1 8080
```
if you have proxychains set up this way you shouldn't have to tell nmap to use the proxy...
try removing the scripts, some of them may not work through the proxy
you need to uncomment quiet mode too
this was not correct, you removed --proxies but kept the proxy address
Ah
make sure you really try these as they are
did try. same same
alright, then I don't know
Ok. Thanx for trying
did you uncomment quiet mode ? if you cat /etc/proxychains4.conf| grep -v '#' | grep -v '^[[:space:]]*$' how is the config looking ?
yes it is done
[julle@haxbox ~]$ cat /etc/proxychains.conf| grep -v '#' | grep -v '^[[:space:]]*$'
strict_chain
quiet_mode
proxy_dns
remote_dns_subnet 224
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
http 127.0.0.1 8080
if you do proxychains curl -i https://example.com -k does it send it through burp ?
yes
ok so it's failing for specific commands then
exactly
As I said, it is caught in the terminal but not forwarded to burp, precisely when it comes to nmap
then I have no more ideas, I am sorry chief 🤷♂️
I suspect that it may have something to do with the fact that I connect via VPN, I will test the same thing via pwnbox
Thanx anyway
It must be me doing something wrong here, I tested via pwnbox and couldn't get it to work there either.
Hmm.....
well, i will fix it some time:D
It's a docker IP right? If so, you don't need the VPN connection unless something changed.
Was bout to say: looks like a public ip, you don't need a VPN
The ip is a target machine in htb,,
but i seems so..
Hello guys I'm alvino new to cyber security and i have a small plan to do simple very simple tbh so if you can guide me it would be wholesome
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
did try without VPN, same problem...
Yeah it doesn't matter if you're connected to the VPN, just wanted to to know for those targets you don't need the connection. I'll usually work them from my host PC with burp. Just an FYSA thing.
Yah am tryna figure it out too, having the same results using caido
Anyone who can explain me some of nmap
No one's gonna hold your hand. I'd recommend reading the Network Enumeration with NMAP module
Like he said, take the modules
Where to get modules
Academy
Can i dm you some doubts
Is it free??
join the Academy
https://academy.hackthebox.com/module/113/section/1088
i have no idea how i can make this nmap scan succesful so i can move on
Are you connected to academy via vpn?
yeah openvpn is running
that part should be good considering it did give me some output
i just dont get the virtual hosts part i guess, i did append them to /etc/hosts/
please don't post flags, even with spoiler tags
oh i though it was fine because it was wrong
so i dunno what else i should be doin
add the ip before the list of host domains
oh dang
did you add the hosts to your hosts file?
i got it now
Bro why did you block me
and yeah u can see that here jull3hax0r
needed the ip in front of it
nother lesson learned
Someone help me in nmap pls
@strong wyvern no one is going to help you unless you have a legitimate question.
If you want to learn how to use nmap there's a module on: https://academy.hackthebox.com
however, I suggest starting with the beginner's bible:
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
As I said, I don't know about proxychains, now tested with msfconsole as the lab says, and it works, it seems only when I run with nmap it goes wrong!
he is a young one.
Bro my doubt is how to use nmap pls
Then do like we say! Sign up for Academy and do the module!
Ok bro
omg, thanks, I am dyslexic and since in my country authentification is a word i did not find the error, thanks a lot it worked
@visual umbra can you try proxychains nmap 94.237.61.111 -p 50193 -Pn -sT -sC?
Hello, I am trying Nibbles. I am very new to kali/linux. The instructions are very unclear for me. Do I use Parrot Terminal? None of the commands I am doing are working. Is the IP address they provide in the instruction the same one I am supposed to use? I tried watching a video as well and their version of linux looks nothing like mine so I am at a loss
are you on the pwnbox ? @heavy thorn
I don't know
is that the linux VM they provide? then yes I am
thanks for the information, I will
yes the online vm ?
Yes I am, I figured out my problem but I am sure I will have more, the command was right but I didn't know which IP address to use.
I had to hit "show target" or something towards the bottom for them to provide me with an IP address. That was my issue.
did it before, same problem.. it is only when i use nmap it is problem...;(
It's telling host seems down when I'm nmaping
whats wrong with htb ssh, keep getting stuck
helloo everyone
currently doing file inclusion and ive reached the file inclusion prevention section
i have modified the php.ini file as you can see
disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_unshare,system
i added system to the disabled functions
when i run the following i dont get the error message : sudo tail -n 20 /var/log/apache2/error.log
[Wed Feb 05 14:55:12.773536 2025] [mpm_prefork:notice] [pid 929] AH00163: Apache/2.4.41 (Ubuntu) configured -- resuming normal operations
[Wed Feb 05 14:55:12.773582 2025] [core:notice] [pid 929] AH00094: Command line: '/usr/sbin/apache2'
[Wed Feb 05 16:10:13.482041 2025] [mpm_prefork:notice] [pid 929] AH00169: caught SIGTERM, shutting down
[Wed Feb 05 16:10:13.545133 2025] [mpm_prefork:notice] [pid 3455] AH00163: Apache/2.4.41 (Ubuntu) configured -- resuming normal operations
[Wed Feb 05 16:10:13.545164 2025] [core:notice] [pid 3455] AH00094: Command line: '/usr/sbin/apache2'
[Wed Feb 05 16:21:56.749425 2025] [mpm_prefork:notice] [pid 3455] AH00169: caught SIGTERM, shutting down
[Wed Feb 05 16:21:56.811869 2025] [mpm_prefork:notice] [pid 3799] AH00163: Apache/2.4.41 (Ubuntu) configured -- resuming normal operations
[Wed Feb 05 16:21:56.811896 2025] [core:notice] [pid 3799] AH00094: Command line: '/usr/sbin/apache2'
any help?
having trouble with https://academy.hackthebox.com/module/113/section/1208 again
doesnt say anything special after update file is pressed. any ideas?
i found the answer to my problem. i had to add a php shell to var/www/html and execute it to trigger the error
Have you tried a different theme?
ill try that later thank u for the idea
Hello guys, I would appreciate a nudge in the right direction on the Penetration Testing path. I'm in the Privileges Escalation module and can't figure out
how am I supposed to echo the public key into remote server's /root/.ssh/authorized_keys file without having root access. I've spent 2 days on this.
which section is that ?
Page 11 of the "Getting Started" section.
I don't want a complete solution. Just a hint. The hint provided isn't very helpful. It just says "Review the page".
did you note that you need to get access to the user2 account first?
I'm assuming getting access means using the user2 as root. Not merely cd into user2 directory.
user1 on the remote server.
so you need to get access to the account "user2" before being able to privesc to root
Thanks for pointing me in the right direction.
np 😄
got it now; you cant edit it while also having the theme active, didnt realize u could select other themes from the editor
Good Afternoon people someone can help me? i cannot find flag here. The module is Stack-Based Buffer Overflows on Linux x86
Hello, can someone please give me a push in the right direction. Im on Information Gathering - Web Edition skills assessment I found the hidden directory but when i try and go to the hidden directory to find the api key it gives me a 301 moved permanently.
You can DM
Best to provide which module you're on, and a brief question instead of just posting a screenshot like that 🙂
Learn the basics
of Penetration Testing
Fawn
Oh, Fawn
It's not though
okay
#starting-point that's also a Starting Point
hi, please i stuck in the introduction to windows command line (the skill assessment) user2 i really answer the question, but when i try to login to the user2, the password doesn't work, please any help
do you guys take updates to solution requests/feedback here? seen a T2 module solution just have slightly wrong numbers being referenced in part of the solution. Not a big deal just thought id mention it
does anyone else have severe issues accessing the platform ever since the CTF announcement? I've been unable to access anything :/
alright, I am back in. Maybe it was a cookie issue or something.
Hello, I've been stuck for hours on question 3 of 'pivoting, tunneling, and port forwarding' skills assessment. I've been scanning the internal network of the target, but Nmap takes forever, without a single output. I don't understand what I'm doing wrong, as I am using TCP connect scans and configured proxychains as advised in the course. Please, give me a hint.
No I didn't use sudo. I am trying and will give you some feedback.
Hello guys! How many machines I need to complete to get "Hacker" Rank?? 
not what this discord is about
careful not to spoil content from anything above tier 0 modules
yea i was trying that cus none of the addresses assigned to me are working atm
just double checked them just in case
but ive tried all the adresses from here
you could always do the other option they showed
that's how i did it
i tried 0.0.0.0 and i double checked if i set up the exploit correctly so im just gonna blame technology and move on
damn did i post a spoiler again or am i good
There was information specific to the module and completion, and if it's the same one (e.g. above tier 0), then yeah.. I removed out of abundance of caution.
my bad ill try to cut down on as much info as possible next time
Thanks!
anyone around for a nudge on the Login Brute Forcing / Web Services (Medusa) module?
Dont ask if anyone arround, just ask the question
Not that kind of server mate
If you wanna learn hacking ETHICALLY
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
Nope, we're ethical hackers
.
We don't do things that are illegal or to cause harm
For learning ethical hacking.
This server isn't for you then. This server is to talk about the various HackTheBox platforms, this channel specifically is for modules on the Academy platform.
Wtf is the deep discord
You don’t know
Is it like some skid version of the deep web
Telegram 😂
master hacker shit
Genuinely don't and also don't care lmao
I only want to know this skill cause it will be helpful
If you wanna learn ethical hacking
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
😞
Read and follow #welcome to access it
and read #rules
No bro I don’t want to be kind in this field
Think you're in the wrong server then, sorry
I already know what it’s about
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
Thats just skid tricks, and not worth the time to learn illegal things
okay
to know, I had no idea it was included in the rules
is there a problem on the servers? have been trying to spawn a windows box for ad enum &n attacks - Additional AD Auditing Techniques but multiple IPs are unreachable and now I have a spinning circle of doom for 5 minutes. I know sometimes windows boxes can take longer but this time seems off. tried terminating and rebooting a few times. changed to a tcp connection as well. it worked briefly maybe an hour ago
Typically windows boxes don't reply to icmp echo requests
Haven't seen anyone else post about this, so my guess is no. Try changing VPN regions entirely (ie. US -> EU or EU -> US.) After changing regions on the page press CTRL+SHIFT+R to hard refresh the site and then spawn the target and wait ~5 mins and try again. Also make sure not to run the pwnbox at the same time as being on the VPN.
its randomly spawned, I will give it 5 minutes and see as its still saying broken pipe as error
there's likely more to the error than "broken pipe"
First question of the lab on Login Brute Forcing / Web Services (Medusa) module asks for the passwd for the ftp user but the service on that port is SSH. I tried to use the SSH module with it but it yielded no results. If I use the ftp module I receive an error for failed regex pattern match. Any advice?
i.e. an NT_STATUS_ error
read the whole section
it starts with bruteforcing sshuser
then bruteforce ftpuser from within ssh
I also figured that would be the case too
did you try restarting your machine?
Aye, I did see that. I got the creds for ssh user but they're using public key auth
yeah multiple times, I was on udp then changed to a tcp ovpn config too
you forgot to specify the port, didn't you
it's a public IP
worked fine for me
ok
is it -p and not -P for ssh?
yikes, thank you
:P
its only a P.O.C thing, I changed VPNs so it could be that and restarted the machine, I will just give it another whirl in the morning. I got the AD explorer snapshot. No big deal
Thanks anyway
I've been trying the Information Gathering - Web Edition- Skills Assessment. I can't find any subdomains or Vhosts. I've tried with gobuster, ffuf, etc. Is it just a matter of picking the right wordlist, or am I doing something wrong?
With ffuf you need the host header, with gobuster you need to append the domain with --append-domain --domain [domain name]
I didn't use --append-domain this time, but I have in the past. Anyway, this is the command I used: gobuster dir -u http://94.237.50.46:34186 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
And ffuf: ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://94.237.50.46:34186 -H FUZZ:inlanefreight.htb
And finalrecon: /finalrecon.py --url http://inlanefreight.htb:34186 --full
finalrecon found an ||index|| nothing else
Sounds like you didn't fuzz for subdomains
Also host header would be -H "HOST: FUZZ.inlanefreight.htb"
dir is <directory> searching in gobuster btw
As a Texas resident and user of your services, I am writing to exercise my rights under the Texas Data Privacy and Security Act (TDPSA) and Texas Business and Commerce Code Section 521.053 regarding the recent data breach affecting your company.
I hereby request the following information:
Confirmation of whether my personal data was affected by the breach
If affected, a detailed description of the specific information compromised
If affected, a copy of the exact information that was accessible
As mandated by the TDPSA, you are required to respond to this request within 45 days. Please provide a written acknowledgment of receipt of this request and confirm that you are processing it in accordance with the law.
Additionally, I would like to remind you of your obligation under Texas Business and Commerce Code Section 521.053 to notify affected individuals "without unreasonable delay and in each case not later than the 60th day after the date on which the person determines that the breach occurred". Failure to do so may result in penalties as outlined in the statute.
Never heard of HTB having a data breach. If so, this should be requested from support on the website not in discord.
No it doesn't as staff doesn't monitor this for that kind of stuff.
You'd contact privacy@hackthebox.com
They don't. You'd have to open a ticket on the site or do what marcielee said.
Posting on here is like farting in the wind, and you'd be told to make an official request via official communication methods
Hmmm i don't think it works like that
It does work like that
it does, we're telling you it does lol
If it's in the wind, it will eventually get to a moderator
As this isn't an official way to get in touch with the right people
you need to go through the proper channels just like anything else
???
You read what I said
<@&861185840277487616>
For the purposes of the data protection legislation Hack The Box, is the controller of your personal data. Our Contact details are:
Hack The Box LTD
email: info@hackthebox.com
postal address: 38, Walton Road, Folkestone, Kent, UK, CT19 5QS
If you have any concerns about the way in which we handle your Personal Data, you can contact privacy@hackthebox.com. You have the right to make a complaint at any time at the Hellenic Data Protection Authority Postal Address: Data Protection Authority Offices: Kifissias 1-3, 115 23 Athens, Greece, Call Centre: +30-2106475600 Fax: +30-2106475628 E-mail: contact@dpa.gr
The use of our web pages and the services provided requires your agreement with the Privacy Policy of this site. Therefore, you must carefully read the contents of this page before using the services of our Website. If you do not agree, you must leave this website and not make use of its services or content.
no
sounds like you don't really give a shit if you're not even willing to submit your request through the proper channels
@stray gust reach out to us. You will need to delete your own account.
I doubt they're actually serious g0b but appreciate you treating it as such
We do not remove accounts purely on an email, users are able to remove their accounts using their own credentials, and this is in order to avoid data loss by account loss or misuse. Reach out to the details above if you need to, and don't ask for SMTP servers.
Yeah
I'll do you a favour though
I'll delete some data for you
And g0blin told you what we've been telling you
Reach out to appropriate channels
what a weirdo
Skids coming in hot and heavy on a Wednesday
It is hump day
They're already gone
whew!
Appreciate it also @ruby shadow, but the address is being updated 🙂
It's still valid
Just.. if anyone visits, they'd find an angry scott with a bat by the door
(I get the mail, but I don't live there any more)
Hopefully this is the year we finally get the address updated properly to an office 😆
in sliver c2 module, i am unable to get shell on srv01. psexec stuck on this like forever. any help please?
didnt they use wmiexec?
Does anyone wanna get into a group call and carry each other in this ‘game’ until we complete all modules that are free?
doesn't that defeat the purpose of learning?
will try that too
https://discord.com/channels/473760315293696010/1336863222220849162
I think we’ll learn, but it’ll be fun cause it’s multiplayer.
this channel is about HTB's Academy, not ctf stuff
We can test first hand if it’s helpful for learning to do so together, and find out later if it advantages us or disadvantages us.
As for ctf stuff, like I said, I’m new, so new that I’m not familiar with this server or acronyms, but my main point is learning and doing whatever hack related together for more learning.
In my experience learning together has its benefits but... more often than not you just get distracted by the other people
Well, it’s up to what you want.
I’m not serious about the most efficient way to get through the content, because so long as I get through the content in the end do I learn what’s in it.
I want to do it with others, even if it has the potential to have what is considered to be distraction within the context of purely learning.
How do I access general btw?
It just says check modules (this)
best to ask in the appropriate channel, like i said this channel is for HTB's Academy platform. Try asking in #1336347627452629033
I’m saying that it applies to academy stuff as well, I only mentioned the cyber apocalypse thing as an inspiration.
that's right!
Thank you 🙏 🙂↕️
I am working on RDP and SOCKS Tunneling with SocksOverRDP. I have done everything correctly. I don't know what is not working. I even edited the proxychains.conf file (socks5 127.0.0.1 1080) on my kali. Can someone give me a nudge?
i would wager it's not actually setup correctly.. can't really tell where, but i would just comb over everything again and make sure each piece/setting is in place. also disable real time protection when registering the .dll
I did
this isn't a hacker for hire server, this server is about the HTB platforms
well, if you did, it would be working...
you'll need to reach out on the website for support for that, not discord https://www.hackthebox.com/contact-us
Do you know why we have to modify the proxychains.conf file on my kali?
my notes don't have any of that, i don't believe you need to
as i said, this isn't the place for that. this isn't some hacker for hire discord. only the service provider can assist you, reach out to whoever provides the service.
has anyone completed the network enumeration with nmap mod
Many have
im a beginner and stuck on the labs at the end
ask
the first lab is trying to bypass the firewall to detect os
i've used -sS -O and decoys
it cant determine the os still
I recommend reading the proxy subsection in the ids/ips evasion reading
You don't have to specify the port from the example
This section has three hosts
A: the target host
B: A middle host
C: The host for the question
A <--> B --> C
@little shadow this may relate to your issue as well
i ended up using an aggressive scan and was able to find it that way too
but i will review the proxy section regardless
stuck there now lol
Well, what i said applies there lol
thank u
Also fun fact -g is the shorthand for --source-port
that's handy
hi guys, need help with cpts getting started module, knowledge check.. i already got the user.txt via metasploit
now, how can i get root.txt via meterpreter?
cant seem to find a way to root haha been hours already
Did you check what your user can (su)do?
GTFObins is a great website
how can i check that? i tried su and whoami in meterpreter but shows error
Did you enter the shell
:p
sup npcs
I would heavily recommend taking the metasploit module and understand how it works
Linenum is always something you upload to the machine… otherwise, youll be enumerating your own machine
😭
didnt really get this at first as i was just reading and reading haha nowwwwww...
Don't reveal solutions
:p
can the astronaut see out of that helmet
all he can see are boxes he needs to hack
awesome
always thought i'll be in the blue team lol, since i tried htb, i prefer being in the red team now lolll
Awesome sauce
Pretty fun until you are in front of the screen for hours and have no idea why an easy lab is so freaking hard or what you did wrong in the process lol
Part of the learning process 0_0
Amount of times I've been in that exact same position, not just in security
You either work through it, put it down to come back to later, or drop it
Whether you work through it alone or with others, really it's a personal decision, but HTB is better suited to those that can research and investigate under their own steam, take the knowledge they've learned, realise how it could be used in various situations, and then of course there's the persistent inquisitiveness. Rarely does anything of value come easy, and if you do not find it easy, then it just means you've got more to learn 🙂
There's never a day when there is not something to learn, regardless of experience, of position or public image
I recently started academy doing some path like cracking into HTB, basic tool set but anytime I try some labs in the main platform I see that the knowledge I have is not enough to do the whole thing and with the academy x HTB I found the modules covering each retired machine. I wanted to ask if it would be better to focus solely on the academy for the time being since there are practical labs in most modules or if I should continue balancing things like suggested in the getting started module.
Hey quick question can I run ssh on my own terminal not the website?
if you mean interacting with the targets on your own machine, you will need to download the VPN file
Yep that is what I meant
yea, download the VPN file and connect to the VPN with it
Ty u made my life easier
guess time to cut on a movie lol (doing password attacks)
looks like you're using the rockyou wordlist for some reason
or some other wordlist
the mutated password list provided
the mutated list is only 94k long
the cheatsheet is missing the pipe to | sort -u
ah
ye
combos and stuff
also you can use like 48 threads instead of 30
48 has been the most consistently reliable/fastest
im gonna cancel that one and try it with the non mutated list first actually. could save a lot of time if its in there
i'm a bit confused about the documentation and reporting practice lab. i've got the credentials for a bunch of users and am attempting to perform DCSync using one of them since bloodhound says that they have the permissions, but secretsdump is giving me errors stating that they don't have permission. has anyone else encountered that?
Guys, I am taking the NTLM relay module and have a theoretical question.
Is putting .lnk files to accessible shares an authentication coercing method?
Or is it another method of pre relay like coercing and name resolution poisoning?
Does the user have replicating directory changes, replicating directory changes all?
Verify with powershell «dsacls "CN=Configuration,DC=domain,DC=com"
dsacls "DC=domain,DC=com"»
you could also try to dump it with mimikatz
I have a question in Web attacks. In Bypassing Basic Authentication the scripts said to use the OPTIONS method to see what HTTP methods are accepted. But when I use the OPTIONS method using curl I can't find an Allow header.
Does anyone know what causes this?
are you sure the url is correct?
if it is, try to restart the target
I restart the target but It is same..
And I tried in burp but I can't find an Allow header in response.
The exercise can differ with what is written in the section
I got the header, don't focus on /
that's all im saying
I have found that / and index.php don't return Allow headers. But when I use index.html it returns Allow headers. Is that right??
submit it, try
Thx. I just focus on / and index.php. Using index.html I can find an Allow headers.
issue is likely that php is not handling OPTIONS request properly
not returning allow headers
Thanks. I am so confused that I can't find an Allow headers. Now I can understand why it didn't return header and how to get an allow headers. Thx!! 🙂
hi guys, ive a question. Ffuf didn't discover the dirs that gobuster did. Why such happens? I can provide the outputs
Did you use the same wordlists?
gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -u http://xyz.htb/index.php/
This found a directory named admin
But
ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u "http://xyz.htb/index.php/FUZZ"
this ffuf didn't
I can provide whole outputs in DM so as to not spoil anything
I usually prefer ffuf because of speed, but this was really deceiving
could be filtering or response codes, is ffuf actually finding anything at all?
nothing at all
gobuster spotted some status 302 directories
i can try ffuf with -mc 302
which module and section is it ? I'd like to try
It's a box, I can dm the outputs.
Tried removing FUZZ and adding matching case, nothing useful
When gobuster found admin, it was likely at http://xyz.htb/admin/, not http://xyz.htb/index.php/admin/
that'll do it ^
ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u "http://xyz.htb/FUZZ"
yeah, my best guess is something to do with that. Or the quotes. Still curious how gobuster handles it in a way that makes that work
you could send it through burp to see what's going on
you can also add -recursion flag in ffuf in case it is in a subdirectory
tried running ffuf on http://xyz.htb/FUZZ but it still didn't catch admin directory. Even tried -recursion flag.
Can I DM someone?
Probably a resp code then
would be super surprised but can you remove the quotes from the url ? If you haven't already
in that issue, double quotes work though... maybe it's a shell shenanigan
Hi I need a nudge on AD assessment 2,
Q: Obtain credentials for a user who has GenericAll rights over the Domain Admins group. What's this user's account name? I ran ||sharphound|| but I keep encountering errors related to the machine not being able to connect to ldap
The error below shows both on ||MS01|| and ||SQL01||:
||
|ERROR|Unable to connect to LDAP, verify your credentials
||
Running powerview tool
||
Error in retrieving forest schema path from Get-Forest
||
Hi,
I followed all the steps in the provided solution to complete the task: ||"Use the concepts taught in this section to pivot to the Windows server at 172.16.6.155 (jason:WellConnected123!). Submit the contents of Flag.txt on Jason's Desktop."|| in the section ||"RDP and SOCKS Tunneling with SocksOverRDP"||.
However, when I attempt to connect to the internal host ||172.16.6.155||, I receive the following pop-up message:
Remote Desktop can't connect to the remote computer for one of these reasons:
1) Remote access to the server is not enabled
2) The remote computer is turned off
3) The remote computer is not available on the network
Any ideas on what might be causing this issue? 
#modules message pinged you on this yesterday btw
Ah my bad, didn't notice your ping. Thanks!
hello there can any one help me with windows attack and defense module section PKI ESC1 when connect to WS001 it says there is trust issue with domain controller
troubleshooting these labs takes longer than the lab it self most sections of windows attack and defense module have some sort of a problem
Someone who managed to pass the skill assessment lab on the WPA2 module?
I would need some help on the second flag
Anyone has done AI Red teamer skill assessment? I trained the model but it says Invalid model file even tho I uploaded .joblib model
Tried with .pth yet invalid
Hi all, I am currently doing the nmap module and can't get the flag for the NSE part. Could need a small hint
common port; as a note for some reason it seems some nmap installations may not properly have the enum script
nvm. got it
I was expecting the nmap nse output to contain the flag, not "digging deeper"
yup
Working on the Wifi-WPA/WPA2 module and I'm at the start of the WPS PIN cracking. I'm not able to crack the WPS, I restarted the lab VM twice, I also turned on verbosity and I'm seeing lots of timeouts to the SSID. Is there a chance there is an issue with this lab?
hello ! if i have a question about the box cat where can i ask ?
i don't have access
ok thank you
Third reboot of LAB VM did it
good afternoon people, can someone help me with this? i cannot find the flag
You should get a shell in your listener, then you retrieve the flag on the system
🇪🇸
what what can you explain better?
triple check all your quotes and double quotes and parenthesis and all that jazz
As i see in the module, you have to run that python command in a gdb context, read well all the module
okey i will trying thanks
in linux? openvpn <vpn file name> &
go to where you downloaded the vpn configuration file
most likely in your downloads folder
then do sudo openvpn <your conf file name>
it should work
in kali you should see a small ip on the top right
something like 10.10.32.123
that usually means you are connected
you need to verify your acc
In terminal run
cd /downloads
you're using archlinux, it's notorious to be difficult to setup and requires a lot of customization. since you seem new, i would recommend using kali or parrotos as they both come preinstalled with the tools you need to get started.
Oh arch uses pacman I believe
all of them are
just found the solution to nmap hard module - not sure how I could have done it with nmap I did it with ncat
-S
Need some help. Attacking Thick Client Applications: Trying to retrieve the hard coded credentials. I ||Disabled the autodelete from the temp folder and modified the .bat file so that the other files won't get deleted. Now I get an error that the restart-service.exe doesn't exist so I cannot move forward.|| I restarted the machine and still get the same error anyone else experience this?
it always tells me "failed to determine route to xxxx"
That was for pacman, not you
ah
A long time since I did that module, and not at pc atm
ohh wait... it says to use ncat in the academy as well.. must have skipped it
This isn't the channel for support.. try asking in #1024429874246590575 . As I mentioned before, you're going to struggle really hard on Arch because it appears as if this is all very new to you. I'd suggest again to use Kali or ParrotOS. Maybe take some of the fundamental modules so you can get a feel for how to operate Linux too.
If I remember correctly, there was a small detail I missed as well and it took me hours to manage to do it. Something with the way I inputted the UA
known issue. you need to use pwnbox
I used parrotOS, isn’t it the same?
Was there a possibility to solve only with nmap?
no.. for some reason, pwnbox will give you the answer without requiring anything besides nmap
Hmm… interesting
and it's only through pwnbox
so if you do it through vpn, you'll never get the flag unless you use something like nc
Ncat gave me the flag through vpn
yea. nc, ncat, netcat,
Wait. Is there a way to specify source port connection in nc/netcat? seems that ncat is unique for it
yes
Whats the flag?
Did not work with nc
i used ncat
i believe i used nc
Yeah thats the only tool that it worked with
on the Windows PrivEsc skill assessment part 1 question: " Find the password for the ldapadmin account somewhere on the system." Any hints? I'm struggling with it. I have a shell on the system just cant find any creds. Tried running inveigh through a rev shell and its not working out so well
Excuse me, this is very important!
now, do i need to always use a virtualenv to use PIP?
because it's annoying to keep activating the tool before i would be able to use it, i mean any tool i installed using pip
im stuck on https://academy.hackthebox.com/module/113/section/1210
ive tried three methods of getting into the system but the listed methods seen on the assignment arent workin; my curl isnt returning any information, and the dir travel python script tells me the logon information is wrong.
the last method i tried im not sure how to describe without it potentially being a spoiler, but it involves netcat listener and that isnt working either
Hi! How would I ever find out the answer to this module here?
https://academy.hackthebox.com/module/77/section/847
I revealed the answer already, but how in the world would I ever get to that result? I tried to ssh into the target machine on port 22 and 37072
But how would I know that the answer is/would be:
(warning - answer revealer)
||SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1||
so glad that you were there before me. and there goes my three hours of hate me time
read Using Netcat
any ideas? hard for me to give any additional info without revealing details i think
Anyone can help me get my acc back ?!
for what service
Tik tok
contact TikTok support
I did many times nothing
anyone offering account recovery services is trying to scam you. the only way to get support for your account is through the service provider
Still doesn’t help me
I thought someone can hack so I can get it back
if they can't help then you're out of luck
no, that is illegal.
Alr
we also are not a hacker for hire server
Ok
I get 404 not found when trying to install NFS
https://deb.parrot.sh/parrot lory/main amd64 nfs-kernel-server amd64 1:2.6.2-4
i am on the live engagement for https://academy.hackthebox.com/module/115/section/1139 i rdp'd into the foothold, do i need to configure the tor browser or anything like that? i'm not seeing any other browser to use
:solved updated package lists
Why would you need to configure a TOR browser?
because when i launch it, it is giving me an error displaying 'Trying to download over Tor. Are you suer Tor is configured correctly and running?'
You should just be able to launch Firefox from your terminal.
glad it helped my friend. Good luck in your journey.
Excuse me, anyone knows why pip install pyftpdlib doesn't work and gives externally-managed error EVEN tho, i used and activated myself in a virtual environment using virtualenv and source?
i have to rdp into the foothold, to access the other targets
that foot hold doesn't seem to have firefox
i can't install it at all unless i use --break-system-pack
Right and on that foothold you should be able to open a terminal right?
yes
Then use the terminal to launch Firefox if you can't find it anywhere.
Good now?
jeez yeah thanks
Then you probably screwed up the environment or did not activate it
I didn't have any issues on my end
stuck on file uploads attack skills assessment. I have found the source code for up*****,php and know the naming convention but still cant get to the file. any thoughts
Anyone here for a quick chat on the skills assessment for application of ai in infosec?
Hi everyone Im looking for a services I need
You’re getting the name wrong
Maybe you’re in a different time zone?
2 digit month and date or one, time zone?
If you know your file was uploaded, maybe verify the path where you think it is being uploaded.
Somebody know how to find the delivery address from a tracking number
Please help
Read #rules
Run as sudo
Not journalctl
and appache typo on second command
oh... right
Curious on the skills assessment for the applications of ai in infosec. Looks like the training data label is the inverse of what the submitted model is looking for... wondering if that is intended?
nvm, got it
It's likely because default port is 80 and that's in use by pwnbox
i think you are right
changed the port to 8080
no more errors
but, now nothing happens... it should open a browser with apache page?
@safe star What do you mean by different time zone?
maybe you're one day ahead where you are
seen that before
Well running the service runs it on your pwnbox, you'll need to visit http://localhost:8080
In the Windows Priv Esc module Part 1. I’m trying to go from the web service user to SYSTEM.
I see I have the impersonate privilege . I have tried all the potato attacks and printnightmare but no luck. I can’t find any other escalation path.
Any hints?
You can DM.
Why would me being ok with it matter? Lol
JK. I lost like 3 hours on this section, just because pwnbox is fluffing me, so I am a bit sarcastic
¯_(ツ)_/¯
Use your own vm then
Do you have to run apache, or is it just being shown.
Correct me if I'm wrong, but Vhosts & subdomains look the same to a user. The technology behind them may be different, but they both look like: something.inlanefreight.htb. If I use gobuster in fuzz, dir, or vhost mode, aren't they all going to try to append a word from the wordlist? What would be the difference?
A subdomain is a second level domain and therefore part of an address.
A vHost is a technology that allows a web server to be operated with a single IP, but is still capable of hosting multiple websites.
For example, it can display different websites for www.example.com and web.example.com.
This way you can also run example.com and inlanefreight.htb on the same web server.
@acoustic owl But they both look like web.example.com to the end user?
Anyone know the uber eats method ?
you can ask in #general
lol wht
The type of request is different
In dir mode, Gobuster sends a simple GET request to the domain
curl https://example.com
In vHost mode, Gobuster sends a GET request to the IP with the header “Host”
curl https://10.10.10.10 -H "Host: example.com"
Hi guys, in the whitelist extension section for file upload attacks when I fuzz the extensions I either get "only images are allowed" or "extension not allowed"
could anyone please give me some tips?
okay so it seems like the "extension not allowed" was for php only, however the wordlist I used had a few php extensions in them which is a bit biased if you ask me
I keep getting a 404 not found when I upload and try to go to the extensions
I think they provide a php list in the reading
the php extensions have been accepted but when I try go to them it gives a 404
Are you accessing the right endpoint?
okay well can u pls give me some tips? do u know why all of the endpoints are returning 404 😅
¯_(ツ)_/¯
Well if it's giving certain errors like x only allowed, then it's likely not uploading and is getting blocked
nah its getting uploaded cos im doing it through repeater in burp and its saying "file uploaded successfully"
Can I DM someone for an issue where gobuster and ffuf outputs for directory search don't match?
I have no clue whats really causing this difference
I have tried ffuf matching filters, recursion, and what not
I don't know if at this point I should even use ffuf over gobuster..
I'll try to paste here with hidden details
||This is a spoiler test!||
man, i've been stuck on this since yesterday. Just doesn't feel right when the tools you trust the most do sh like this
that's why you learn multiple tools for the job ¯_(ツ)_/¯
If one tool doesnt work try it again, if it still doesnt work, try another tool
Thats my rule
The thing is- I won't even think of running long directory scans from different tools. I would usually just use one on different URLs to figure out and would trust the outputs. Using two tools seems out of scope
How would i differentiate if it isn't working or no directories exist at all?
Using more than 1 tool is usual, like I'd never just try to crack a hash with john, if it doesnt work I'll use hashcat or crackstation
Use more than 1 tool
ok, so this is a general practice. RIghto
any tweaks for gobuster? I find it way too slow than ffuf
What module and section?
its a box
Which box?
Welp, time to delete spoilerss
All good, now we've got something to test off of
i've hidden the urls
You mentioned a couple subdirs
um, righto
Now we can help test at least
If an IP has more than 1 hostname associated with it, is it ok to edit the hosts file like this: 127.0.0.1 example.com, test.example.com, web.example.com
Yep
But dont do 127.0.0.1 its your localhost address
The homeless guys also use crackstation 
Don't need commas
Just spaces between
why use john and hashcat? if it cracks or not would just depend on the wordlist you're using. I just use hashcat if I know the mode for the hash since its fastest, and john if i dont
Cos sometimes john is a bitch and would complain about not finding hashes when hashcat can find em
For this: https://academy.hackthebox.com/module/67/section/1637
does anyone have an issue with the password provided to restore the backups with restic? When I save it as an environment variable or type it myself it is written as wrong. Was it modified by mistake?
follow the instructions in #welcome to gain access
@steel snow solved or not?
no idea, i just created before it didn't now it did, i will experiment more to see
nope it didn't
for pyftpdlib it did, probably because earlier i used --break-system-packages to install it globally
now i am trying to install --break-system-packages.
and nope, not a chance to install it
Even tho other files are installable, but this and some others didn't work
i am trying to use this command now
"sudo pip3 install wsgidav cheroot", and i am absolutely sourcing /bin/activate of a virtual env
i am using kali-linux if that's some input to this issue
i tried to install odat before, same issue
odat should be easy to install
nope, it crushed my soul to install it and i failed in ALL ways
sudo apt update && sudo apt install odat
hmmmm well maybe i didn't know that but i used the github ones
i followed multiple paths
kalis system python is tightly managed
so it's really risky to --break-system-packages?
can be
Well it's risky because some packages use different versions of libraries, which is why it's best to use separate virtual environments for each tool
For each tool? can't i use one env for a lot of installed tools?
what is better?
~~that being said... no one uses a different one for each tool we all just use 1 venv~~
hahahaha I was actually using one for each tool
That is best practice
and i thought i was stupid so i switched to one for all TwT
But... it's annoying to keep switching
or you know... just let pipx do the work for you
i did... and i added the paths to the env PATH
kali relies on specific versions of python packages. overwriting them with pip might break built-in tools
and my interpreter recognized it yet
also conflict is a big issue
it's saying it didn't recognize the commands
Did ya restart the terminal?
did ya do ensurepath ?
both
dang... no clue then 😅
my kali-linux is stubborn hahahaha, i wonder who it's like (pointing at me)
it's okay i will break its head one day
Yeah... had a lot of issues with kali so now I just run exegol (just kali but in a fancy docker container)
is it no longer the best linux for this topic?
distribution
maybe it wasn't even? because when i was young i got the impression that it was
I mean it has some issues, but all systems have issues, just up to you to choose whether or not to fix it or to use something else
okay i figured out some stuff, the reason it said no earlier is because i used sudo
so when i use sudo the system doesn't use the local bin but use /root path, i didn't know that
really need to look into this, looks cool
Okay i know my problem with pipx
when i install 2 things that are separate i have to inject them
anyone is having an issue spawning a machine?
any help on escalating to domain admin in sliverc2 skills assessment module ? i tried the dumping password hashes using mimikatz and disabling ppl protection too with vulnerable driver but still got error. any help please
same here
Sid history?
to child domain admin ? i still have to get to child domain admin
You don’t need a driver there
i am getting error, because of openprocess being failed. i will try again
guys anyone of you is suffering from the network
i am connecting to machine and the machine keeps dying like
the connection dies, no ping responses
then it comes back then it dies
i am sure it's not 2 conflicting instances of openvpn
If you’re using pwnbox and the vpn at the same time, you’re gonna have issues
If you’re not using them at the same time, try switching to tcp
ooooooooo that's true?
i didn't know that
Thank you very much!
i thought this issue only can be caused by 2 instances one a zombie process or something
but i restarted my VM
this is one of the questions!
- 3 Download the file flag.txt from the web root using wget from the Pwnbox. Submit the contents of the file as your answer.
i don't understand the question tho
like from where do i download it? where is the file?
does the machine possibly have flag.txt somewhere?
Ahhh i got it but i don't understand why
is it because webroot is basically http://<machine_ip>?
Yes
Hello! I'm currently doing the skills assessment for Information Gathering -Web Recon. I have added all of the subdomains to the host file, but I am not able to navigate to the admin directory. When I curl the complete address, I get a Redirect message; then, when I curl the redirect message, I get an error. The question is 3. I have been able to find the answers to 4 and 5 in addition to 1 and 2. It seems like I should be able to navigate to the address, but it's not working. I have already restarted the target and the PBox.
excuse me, why would there be an issue when both pwnbox and mine are separate machines
why would the existence of both ruin the connection?
i mean i understand if it was 2 openvpn processes in the same device
pwnbox uses the same vpn
i mean so is many devices no?
it shares the same ip address as your vpn file
2 devices with the same ip is going to cause problems
reallyy, okay okay
thank you! i mean probably
that's probably closer so it will steal all the data?
is that correct kinda? or something
traffic can only be sent to one ip, and you have 2 devices competing for the connection
that's where your connectivity issues come in
interesting, thank you! i didn't know that my pwnbox uses the same ip
I don't think it does tbh
It does
Yeah it just switches every minute or so
Hey, I just got into the server. Actually I was seeking some help/guidance for the last segment of the Introduction to Assembly Language module. I am hard stuck solving a task. Am I allowed to showcase any pictures related to the content?
Any content above Tier0 shouldn't be posted, since Intro to Assembly Language is Tier 2, probably don't post anything showcasing the content, you can however ask questions
Can anyone help me with this? I can't figure out how I can discover the flaw related to ACL "||GenericAll||" using the tools I mentioned.
Okay, understood.
So I was trying to solve the task where they ask you to decode the stack by xoring with the key kept in rbx register. I tried to follow the hint, arranged the code in the following way:
decode:
xor [rsp], rbx
mov rdx, [rsp]
add rdx, 8
loop decode
while executing its shellcode, it gives a shell and immediately exits after pressing enter. Well can't obtain the flag, in other words.
Can anyone help me with this, please?


Are you doing this through rdp?
through evil-winrm
ok I'll try
anyone please help me with this:
compile the ClientGuiTest.Java file in Exploiting Web Vulnerabilities in Thick-Client Applications
getting error
how to do 3rd task ? 🥲
https://academy.hackthebox.com/module/144/section/1311
You can DM me
It worked! 🤯 , why evilwinrm does not work?
Thanks a lot
@west canopy hey for the osint module theres 3 questions im stuck on. idk if u can help or anyone else?
Hello I've got a problem with Module DACL ATTACKS II --> Spoofing --> SPN Jacking --> Last task - (Abuse Gabriel's rights <skip>)
I think that I've done everything properly.
I am able to list some of the directories from web01 but I can't see the flag on Desktop (Desktop is an empty directory).
What am I doing wrong, or maybe flag isn't there anymore?
Can anyone help me?
Screen below:
https://ibb.co/VY3kqSCW
hey can i dm u abt this?
might help to tell people what module and section @fickle crystal
- Don't spoil others.
- If it says it's incorrect, I guess it is incorrect.
- We have no idea which exercise you're talking about.
need help with OSINT: Corporate Recon
Cloud Storage: Investigate the website and find the bucket name of AWS that the company used and submit it as the answer. (Format: sub.domain.tld) Email addresses: What is the email address of the CEO?
Internal Leaks: Investigate the website www.inlanefreight.com and try to find any additional information that a file might contain and submit the found flag as the answer.
Ooo okay! I totally forgot about that xD
Thank you!! I'll try that one then!;)
You can DM me
I need help w understanding AI Red Team skill assess
Same I am stuck since days XD
can I dm u to tell u what I tried?
Yes I am stuck too tho
hey i completed the password attack module but in the section password reuse /default password i skipped that bcz there was an issue with the vpn at that time and to answer that que i need to bruteforce creds of sam from previous section and now i see hydra needs to be compiled again with libssh. then i tried medusa again i need to compile it with ssh module. so can someone dm me and give me the answer to the que
Hello guys I was doing one hack the box academy module I can't it's giving this error
Hello, I'm currently on module Kerberos Attacks -> Unconstrained Delegation - Users. I'm cloning the krbrelayx github repo to PwnBox then I run dnstool.py to add a fake DNS record "roguecomputer" pointing to PwnBox. (for whatever reason, I'm unable to retrieve the DNS record via nslookup). I also tried adding both hosts manually to /etc/hosts, <TARGET_IP> INLANEFREIGHT.LOCAL dc01.inlanefreight.local & <PwnBox_IP> INLANEFREIGHT.LOCAL roguecomputer.inlanefreight.local...I'm also able to successfully modify the SPN via addspn.py but when trying to run krbrelayx.py, the content of the module provides a hash to run it with, however, it's the hash of the "sqldev" account, while I think I should be adding the NTLM hash of the user that has Unconstrained Delegation, callum.dixon. Could anyone assist? Thank you!
I solved that and i am facing issue solving that again so wanna need some help
Kind of truee btw
Metin2 wireshark, MITM Proxy, can you help me?
Did you even get any further information on this? I am getting the same error
Hello All, I am currently working on NTLM Relay Attack: NTLM Cross-Protocol Relay Attacks.
Question: Use impacket's SOCKS server to hold NPORT's relayed connections and abuse them to access the MSSQL service at 172.16.117.60; query the 'flag' table within the 'development01' database and submit the flag.
However, I am getting the following error: [*] SMBD-Thread-128: Received connection from 172.16.117.50, attacking target mssql://172.16.117.60 [-] Connection against target mssql://172.16.117.60 FAILED: [('SSL routines', '', 'no protocols available')].
I have been struggling for over two days and would love some help.
I am running the command 'sudo ntlmrelayx.py -t mssql://172.16.117.60 -smb2support -socks --no-http-server' as sudo su - (Root). And then I have running sudo python3 Responder.py -I ens192/ ******************************* Please ignore sorted myself ****************** HINT be SUPERMAN
I mean the AI module, mate
@twin sand
I was told to ask in here regarding a flag not working
Is anyone available to help me, I have verified I am submitting the string properly
Can someone on HTB Staff help me please.
bro can u help me with it, i know Nessus but i can't access it. https://academy.hackthebox.com/module/108/section/1233
i run pwnbox then connect to ssh in it . what now?
@twin sand Can someone please help me with the platform not accepting a flag? I have 45 mins left on this target before I have to start again
save the flag on your local machine. (Your VM machine)
and then check the formatting mate
I did
What now
Why was I told to ask in here when it appears there is no support available?
you gotta use the debugger
which module and section is this ?
and look at the stack for yourself, step by step
module/136/section/1289
iirc you were taught to execute instructions one at a time in the debugger, right?
you can dm me the flag, I'll tell you if it's right
but assuming that you got the previous sections already, it's probably not, since it's in the same format
Yeah I was on a roll
I'm stuck on https://academy.hackthebox.com/module/113/section/1209
Drupalgeddon2 doesn't work on drupal-dev.inlanefreight.local; I get no command line output when I try to call to the .php page it creates
I also don't know how to get a login from drupal-dev so I can't do Drupalgeddon3
And on Leveraging the PHP Filter Module the PHP Code option does not pop up despite the module being on
So basically I can't answer the question of finding the flag despite all the methods that it gives to me
Nothing but drupalgeddon 1 worked but that only works on drupal-qa
I really hate whoever made this module. Guides that assume everything goes perfectly are so annoying
I did that last week so I can tell you it's answerable. I didn't take notes though
you do know there are more methods they teach in that section don't you?
No I do not
i'd suggest re-reading the section then