#modules
Yes, ok i'll try later x) Thx for your help ! ^^
FILE INCLUSION / DIRECTORY TRAVERSAL
*local file inclusion for the section
I’m still stuck on the Getting Started/Public Exploits
Weird part is I see the flag but when I submit it it says incorrect....
well that was annoying. The flag had an extra ! at the end of it...
for networking fundamentals they talk about putting your printer on a separate network. does that just mean a second router? or does it need a second internet connection like a second modem?
essentially a different subnet, I believe, is what they mean. if it was a whole different network then no one could print...
oh ok
hahaha i feel the same way when i find out that "htb-student" is not the username😅
how to find the windows NT version? can someone help
please
I'm doing the windows fundamental
please help me
then what is the password
INTRODUCTION TO NETWORKING
Page 10
Subnetting
is this a typo? 192.168.129-254
i think that should show 192.168.1.129-254
anyway, its not important
can i get some help with the first question?
Submit the decimal representation of the subnet mask from the following CIDR: 10.200.20.0/27
i know what the remainder is and i tried the number associated with the remainder in the chart but it says its incorrect
then i tried typing the ip with the range of that number but that was incorrect too
can someone pm me?
@atomic light Dm'ed you
Anybody else fall at the first hurdle trying to ssh without choosing a user? 😆
I'm stuck here too. Can someone help please ?
Can anyone help me with this question in the linux fundamentals thing: "Use cURL from your Pwnbox (not the target machine) to obtain the source code of the "https://www.inlanefreight.com" website and filter all unique paths of that domain. Submit the number of these paths as the answer."
kk
Hi guys, i need your help.
i'm having trouble to start instance
the site is prompting an error message
Error message --> `There is no available instances. Please try again later.`
how do I fix this
Please help me out guys, I want complete the current module I'm working on today
🥲
its the same for others too, i guess all we can do is wait for the fix.
try terminating the instance. then close the tab and go to the section. start instance. then start target
Restart my machine😂
still the same problem
Started learning python while they fix this issue
always useful
alright so i've done this both on and off the VPN and i get the same result, but i'm on the first question of the Service Scanning section of the Getting Started module.
"Perform an nmap scan of the target. What service is running on port 8080?"
I run 'nmap <target> -Pn -p8080' and I get back the service as being http-proxy, but it keeps telling me the answer is wrong
Send me a PM
Hey all! I'm on the Knowledge Check part of Getting Started. I've found the correct (I think) exploit on metasploit and every time I try to use it, I get a "no session created" error. I set up the RHOSTS to the target IP and LHOST to my IP. Anyone have advice on what else to look at?
Dm me bruv
I tried but cant find the answer. It gives me lots of lines when i execute command
What is the damn name of the config file 😭
tbh you can find the command in the same page mate, just read it again...and you will find the command for that question hence the name of that file
yes, use metasploit can pass it. i also did it. but Exploiting vulnerabilities manually is important
Hey there, i'm working my way through the "Linux Fundamentals" and got stuck at the last question of the "File Descriptors and Redirections"-part. Could someone give me a hint?
Can someone help me with that config file name?
@bronze idol dm me.. Cox i have almost finished
took a break for a few days and I come back and it all makes more sense 😊
In subnetting, I dont understand the purpose of adding 2 to the mask. In the module it says "Now we increase our subnet mask by 2 bits". Yes but fucking why?
You're dividing the network by 4. To add 4 more addresses to the network part you add 2 bits (2 bits can hold 4 different values 2^2=4). Because the whole address is 32 bits in total you lose 2 bits that can hold the host part of the address
@fading moth
I am stuck on the linux fundamentals and i am on the working with web services part. it says to start a simple http server on port 8080 with npm and im not sure how to do it
the hint says "Npm is a package manager that allows you to download a basic web server package. This package also provides the option to specify the port. No need to install it. How would the command look after installing the corresponding package with a specified listening port?" but idk what package to download
its easier than you would expect. Try duckduckgo (or google) searching for how to start a http server
You don't need to download anything... just run the command to get started
can someone help me pls? im stuck at the union question at sql injection fundamentals because i don't know how to connect with the sql server without credentials and nmap shows that the given port is closed
Hi guys is anyone else having issues with the remote mysql server on the SQL INJECTION FUNDAMENTALS module?
I honestly think something is wrong with the mysql server
Anyone got a minute to help with a getting started module? Can’t get this php reverse shell to work
make sure ufw has ports open, and you have edited the reverse shell script to point to your attack box ip
@dusky temple in the question its "connect to the mysql server above" and the server has no webserver on it which i can use
Hello Everyone,
anyone has a minute to help me with the Firewall and IDS/IPS Evasion - Hard Lab , just need to bounce some ideas ...
Hello guys. Trying to figure this out but I don't have idea how to make it. At now I came with "curl https://www.inlanefreight.com | grep https://www.inlanefreight.com/" and then I don't know how to "split" the paths from the source code line. I do know that after that, I'll need to use sort --unique and then wc -l to count it. Can somebody help me?
ls
I am having a bit of trouble with a part of the linux module in the academy. it is asking me to find a config file that has been created after 2020-03-03 and is smaller than 28k but larger than 25k? i used the find command and got 2 results and neither work. anyone know what is wrong?
i have a question for the linux fundamentals course. i did ssh username@ipaddress and i have to find the machine hardware name using uname. it says it is "Linux", however the answer is incorrect and the hint only says to try uname. i'm kinda at a loss here, can anyone tell me what i'm doing wrong?
look at the uname options or man page
got it, thanks!
Which option needs to be set to execute a command as a different user using the "su" command? (long version of the option)?
can anyone help me with this?
I got hung up on the su command question last night. The key is make sure you understand the question is asking about executing a single command, not starting a login shell as that user
i'm too
@quaint marsh pls be careful with spoilers
you'll get your cubes back when you finish that module
nah i just have 10 cubes less
it's easy man, u can try every single word on that output
you're on the right track
Having trouble finding a display filter for wireshark that only shows reply packets. Anyone know what to use?
Hello buddy. I think with this way you are counting the packages from dpkg, not the installed
Maybe. Need try
@quaint marsh I found the command for that in google, you should use | grep -e .....
both are the correct way of looking up the installed packages, but if you inspect the output before counting it (e.g. save it to a file and open it), you might understand why it's not quite the correct number right away
What is the HTTP method used while intercepting the request? (case-sensitive)
i got stuck here i tried some answers like MITM/ man in the middle attack/ intercept client request and such. Does the answer show on the burp suite tab and on the results ?
@rustic sage im actually new also i dont know the answer but i think you need ssh username@targetIPAddress im not sure
I haven't done that section yet but you don't need to ssh. It's a SMB share you use a different client to connect.
@rustic sage are you sure you put the password in right?
yes i dont have the password
sudo?
np it ask for bobs password
not mine
i changed the user name from bob to mine
but
ACCESS_DENIED
@stray prairie get?
can anyone assist with the nmap hard lab ?
not yet i skipped it i go to other question
I just started htb but i am also clueless on how to access the share to get flag.txt
@stray prairie soo the answer wasn't "get"?
hi guys, i am stuck in the GETTING Started Module on Privilege Escalation. sudo -l shows me user1 can not do anything. any hint?
done,
i cant try it yet i forgot my password right now and it seems that the resend reset link for password is broken i dont receive any emails
oh it was right it was get
Alr
++join Moderation
You've been added to Moderation
apreel fools btw
===========================================
Anyone who spams this channel get muted for 24 hours
(with the ++join moderation command)
===========================================
++join moderation
You've been added to Moderation
have you solved that problem yet? I am having the same problem and cant escalate privileges
++join moderation
You've been added to Moderation
Hi everyone, as a preface I have ADHD so I am terrible at reading things and remembering them, so please go easy on me.
I have no idea what I should do for this question, should I be using the bash terminal? And then am I supposed to somehow get access to the target IP and find out the info? This is in the Linux module fyi
on the terminal use ssh username@targetIP
then enter the password
the info for ip, username and password is below the question
U gotta use bobs account: smbclient -U bob \\\\targetiphere\\users replace targetiphere with the ip address
bobs password is: Welcome1
I have a question, in the Getting Started module in the section Service scanning it says that you are supposed to use the command ps smbclient -U bob \\\\10.129.42.253\\users
(The ls command resulted in an access denied message, indicating that guest access is not permitted. Let us try again using credentials for the user bob (bob:Welcome1).)
How do they know that the username is bob and that the password is Welcome1?
I had to do that to be able to answer the question:
Access the SMB share folder called 'flag' and submit the contents of the flag.txt file.
I dont understand where the bob user comes from
I am on working with files and directories from linux fundamentals, My question is how do I know inode number of shadow.bak? I tried ls -i and stat commands but no use.
do I need to count from top to bottom this file in order?
what index are we talking about?
I'm just from Russia and I have to translate the entire text, because of this there are translation errors.🤷‍♂️
Maybe there is someone here who speaks Russian?
hello
nmap easy firewall evasion - can someone give me a hint?
this is my first CTF (datadog CTF). I am not sure what I am supposed to do. Reading stuff like "You will find the first flag there" means nothing to me.
It is the same for me.
Was there supposed to be instructions in email that was to sent yesterday? If so I did not get them.
could someone help me with the Public Exploits getting started module
what is the filepath, im using metasploit
what do you need to answer?
non-actuality
Remmina for Rdp 👍 program
Module: Linux
Filter Contents
q: Use cURL from your Pwnbox (not the target machine) to obtain the source code of the "https://www.inlanefreight.com" website and filter all unique paths of that domain. Submit the number of these paths as the answer.?
||curl http://10.129.175.42 | grep "http:*" | wc -l||
nmap easy firewall evasion - can someone give me a hint?
well anyone intrested in teaming up for ctf competition
nmap easy firewall evasion - can someone give me a hint? please...
can't believe i managed to plow through the subnetting tasks, what a chore lol
nice going!
When doing the POST method exercise on the Web Request section I cannot login using admin:password. Am I supposed to be able to do this or not?
nmap easy firewall evasion - can someone give me a hint? please...
what do you need a hint with?
As far as remember, no you can not
There is another way you have to do it
Good evening everyone.
I’ve been working in File Inclusion – skills assessment for a while, and so far I was able to read the source code of
||admin ||
and
||ilf_admin/index.php||
However I’m not getting any further than this.
Reading through the discussion I notice that is log poisoning, but I’m not even able to read /etc/passwd
I would appreciate if anyone helped me
hi ,how to copy the key?
Windows Fundamentals - Introduction to Windows
the command Get-WmiObject -Class win32_OperatingSystem does not work
Just copy and paste : ctrl+shift+c and then to a normal text file ctrl+v
Remember to copy all the key and not just the code
Has anyone found the second flag on knowledge check on getting started?
Yes. Finished it earlier tonight
can I pm u?
sure
whats wrong in here
PUT /flag.php HTTP/1.1
flag.php <?=cat/flag.txt;?>
GET /flag.php HTTP/1.1
it gives me
flag.php NANtxt why this answer is wrong
Create a file named "flag.php" with contents '<?=cat /flag.txt;?>' and request it to get the flag. this is the question
am i wrong in the syntax ?
Hey guys sorta having trouble here : Which option needs to be set to execute a command as a different user using the "su" command? (long version of the option)
I've used su --command, and pretty much all the other options i can use for su
Hi, Im stuck in the question of WebRequest module > section Post Method where is asking to login via guest:guest, and try to get to the admin user from what you learned in this section.
so what i've done was opened burp and tried to intercept the login post form that sending to the /login.php.
im able to login by just setting user n pass as guest. however i tried to send it with json type but redirect me to the login page again. so that doesn't accept json
POST /login.php HTTP/1.1
Host: 188.166.168.204:32701
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 29
Origin: http://188.166.168.204:32701
DNT: 1
Connection: close
Referer: http://188.166.168.204:32701/login.php
Upgrade-Insecure-Requests: 1
{"username":"guest","password":"guest"}
since the server doesn't accept json type, i have no other option to try the admin in this way username=admin&password[$ge]=0 and i get to the login page and i get Login Failed msg right away.
The question is a bit confusing for me. asking to login as guest and get admin ?
what am i missing here? anybody can guide me pls?
even when i try username=guest&password[$ge]=0 i get Login Failed. is that technique really works? if so why cannot get the guest to login in this way?
just wondering
do i need scripts for example..??
There is another strategy taught in the module that you can use to “trick” the server into thinking you are admin. Examine the data you receive in the request sent from a successful login, and see if there’s any way to manipulate that data to your own advantage.
Hello everyone!
could you help? i cant solve this task: Use "systemctl" command to list all units of services and submit the unit name with the description "Load AppArmor profiles" as the answer.
I use this command systemctl list-units --type=service | grep apparmor, after that the system give me these strings: apparmor.service loaded active exited AppArmor initialization
snapd.apparmor.service loaded active exited Load AppArmor profiles managed internally by snapd
what shall I write in the answer-string? I've tried all possible variants.
(oh yeah, and i already connected to ssh)
sorry for the stupid question 🙂
try to use just --comand
oh my god
you absolute beast
HOW CAN I BE SO DUMB, it says AFTER SU, i kept typing, su --comand
Have a closer look at the cookie
Thank you so much :)
no problem
@frigid vector You found your answer look at the service that has "Load AppArmor profiles" Just name the full service
please help i have a question about File Inclusion / Directory Traversal module on academy
What is the question?
Using the LFI to RCE vulnerability run the command 'uname -a'. Submit just the Linux Kernel version number as your answer (i.e. Debian 3.19.42-2)
this is on the second page
Are you using Burpsuite?
or the 2nd method?
the burpsuite method
oh thx, I just entered the answer wrong:)
No problem
Is there any staff member available to check the SQL injection module. I believe there is an issue with the server in the INTRO SQL . Tried form instance Pwnbox and get this error message ERROR 2002 (HY000): Can't connect to MySQL server on '188.166.168.204' (115)
i did like this: ||User-Agent: <?php system('uname -a'); ?>||
because, should start with ||HTB {4lw4y5||
i dont understand it
should i send a post with that to get the flag ?
or just decode it
atlas i solved thanks @quaint marsh i was required to use curl i was just stuck on the repeater
@rustic sage it's a good investment :) I am so impressed how nice HTB and how much effort they invest for the modules but I also still not know the answer
Where is the difference between List 1 & list 2, but do not tell me still keep trying maybe I can find it
@haughty pendant thanks for the highlight. i will try again and pay more attention to the request.
@mint lava thanks
Btw, the burp > proxy tab in the pwnbox doesnt have button to open the builtin browser, i must open up the firefox and set the proxy then use. is that the way you guys do as well?
thanks for the command bro appreciate it!
Hey everyone! I'm confused by the answer for the fundamentals GET method module. I think I have the answer but it won't accept the answer I'm, so I assume it's the way I'm formatting it. Can anyone assist me by letting me bounce my answer off them?
@haughty pendant no chance, spent 2 hours to manipulate the cookie and other techniques on the section itself. but still no idea how to get the admin user.
The question at the end of the POST section is also confusing. idk what should i look for really? admin user? what is that mean? haha
what kind of the crypto is this btw b351d0a59e56a2cd6676 ?
@vagrant loom I'm stuck at the exact same problem as you, have you figured out a way to get this done?
@vagrant loom Nvm i figured out how to do it, Dm me if you still need some help!
Hi everyone I'm stuck, I need a hint, although I change from guest to admin cookies, I don't see any other options:
"Login with the credentials (guest:guest), and try to get to the admin user from what you learned in this section and the previous section."
Can someone help me with this please
Try to identify the services running on the server above, and then try to search to find public exploits to exploit them. Once you do, try to get the content of the '/flag.txt' file. (note: the web server may take a few seconds to start)
which module is that?
I think it's easy or fundamental
In the module they discuss a specific keybind in burp you can use to decode that! To avoid spoilers I will only say that the string you have in your message is an encoding. Burp has a keybind as well as it’s own tab/tool for decoding the method used for that as well as others.
A further hint to get you to the right place is the keybind to decode that to plaintext instantly is ctrl + something.
Lmk if you still can’t find the right spot.
I decoded the word guest to admin, but this is not the answer
What is the path to htb-student's home directory?
There is an additional step, hint: the opposite of decoding
Hey all! I'm stuck in windows fundamental module, in the windows security section: "What non-standard application is running under the current user ?" I'm using powershell to list tasks with tasklist but I can't find it...
WEB REQUESTS - POST Method
I'm also having a problem with this activity. after decrypting, editing and resending the cookie in the request, I receive a page with "welcome admin_XXXXX"
I realized that the cookie accepts anything in the edit, but nothing works. I didn't see any flag
Need hints as to what exactly needs to be given as an answer ?! Cookies or something else(HTB{....})?
Did you manage to solve it?
!rank
@rapid mesa Please use bot commands in #bot-commands
If i have an exploit like: CVE-2020-1927
how would i search for that using msfconsole?
Can somone please give me a hint:
Is it an Apache or wordpress exploit i have to use?
The hint says: "Search for plugin exploits" so i assume it has something to do with word press
nvm i just read that
Can someone help me in Remote file Inclusion , I am getting ==> system () expect parameter 1 to be string , array is given in http://xx.xx.xx.xxx:8080/shell.php on line 1
Hello, I'm a beginner. If anyone has any tips for me to start hacking, feel free to DM me. I hope you guys can help me.
++academy
Hello guys! I am stuck at these questions (at the Linux fundamentals): Find a way to start a simple HTTP server using "npm". Submit the command that starts the web server on port 8080 (use the short argument to specify the port number); Find a way to start a simple HTTP server using "php". Submit the command that starts the web server on the localhost (127.0.0.1) on port 8080.
Could you help me to solve it and explain? I just broke my head but don't know how do this task.
here the hint:
"Npm is a package manager that allows you to download a basic web server package. This package also provides the option to specify the port. No need to install it. How would the command look after installing the corresponding package with a specified listening port?"
Have tried so many variants like: python3 -m http.server 8080 etc....
Thanks in advance!
yeah, I've spent more than 2 hours for it but all my tries goes without results:)
There is no mention about this process (i mean at this module), and of course I've tried to find the answer at google.
but anyway the answer at this question don't need already (did it):Find a way to start a simple HTTP server using "php". Submit the command that starts the web server on the localhost (127.0.0.1) on port 8080.
first question is still actual
It is a really badly worded question. I managed to find something in the forum about it when I was stuck
thx, yeah I agree. and it's harder to understand when your english as bad as mine:)) (I mean my engl is so bad)
Is there any issues known to the web requests module and the burp task? When i press forward the thing just disappears and doesnt give me the pink response
But did you google npm web server ?
In the web requests fundamental module - im supposed to intercept a request to the 206.189.25.23:30147 and click forward to get a server response, but when i click forward the whole section just goes empty and doesn't give me the response. Anyone know why?
Can you send me a screenshot of the question
it's not really a question, it's part of the module itself to do the burp request thing
Which section ?
Web requests
3rd section
Request and response
i get this screen where it says request to http://206.189.25.23:30147, but when i click forward it just disappears and doesn't give response
Show me your responses
^ above
btw i wish these pictures in the modules used headers, so it would be easier to point out what picture im talking about
Followed this : After this, the request should be intercepted by Burp and appear as above. In order to intercept responses, click on Options and tick Intercept Server responses.
yes i did all that
i have the intercept responses enabled
then i went back to proxy
and clicked forward
but no response, everything just disappears
After a time i do get a response from http://detectportal.firefox.com:80*/success.txt, but is this the right one? in the example it shows that the response comes from http://206.189.25.23:30147, but i don't get that
anyone know why?...
wait, thats not right? it gave me that response too (from detectportal.firefox.com) thing, but then I was able to answer the questions from the information in the box it gave me so I just... oh no did I just get the answer and the thing not work as intended?
O.o
I am confused.
I am able to answer the questions, because that has nothing to do with what your doing on the pwnthebox
you can just get the answers from the module screenshots
These modules can be so freaking confusing
mhm but they are fun, and I enjoy them and in the end i just want to learn something new each time, and I always do.
also, actually re-doing the one that apparently was not working and I didnt know 😂
I mean yeah they are fun when you are actually learning and progressing. But some of these modules, just like this, first of all you have no idea wtf you are actually doing, and second of all you follow the steps 100% but don't reach the same end result
then what do you do? Im stuck on this one step of the module for hours
Yea you're right there, which is why we all should probably make a habit of coming back and referencing what we are doing with other users :) i sure will from now on, when I was doing the windows one (we i have not finished) i asked on each one, but felt i was being a pain always trying to be 100% so i stopped.
I see that may have been a bad idea, lol.
hi i m new here but i cant talk in general why not ?
General is for HTB i believe. This is just the AHTB
You have to gain access to the HTB site, here is just the Academy chat. :)
ow i wanna hack an game but i m new in that things
true.
yeah but how i can learn it ?
AHTB starts from fundamentals. If your only purpose is to hack a specific game i guess just google that.
and i guess its an very hard game to hack
Also hacking a game can be illegal so i suggest not going for it
i can mod some little games but thats all
sign up for the academy, and like everything in life you can't want to run before you can walk, so start with some basics on the site then move up, although I cannot see this discord condoning an illegal activity like hacking a game.
for your goals you probably want a subscription too 😉
ok but is that an kind of an class or something
i dont have really the money for it
its free
its the accompanying site to this Discord (well, one of them, the learning side. https://academy.hackthebox.eu/)
ok thx but i wanna hack fortnite but i guess thats impossible
and its free, but if you want the harder stuff, that costs more cubes (which you earn from completing free stuff that you get) you probably have to pay, as you cannot acquire that much with it being free.
wouldn't know, I'm just bored and doing a fun thing i thought would be fun :D
do you have tried it ?
or can you try it ?
Tried what?
hacking fortnite
Yeah jolocool i dont think this is the right platform for you
Its again, illegal.
o ok
or for your purpose that is
i think i go bye
More your purpose, the entire thing is "ethical use" - so illegal stuff no no
Read the rules
Can someone help me in Remote file Inclusion , I am getting ==> system () expect parameter 1 to be string , array is given in http://xx.xx.xx.xxx:8080/shell.php on line 1
can i have a nudge on the privilege escalation section of the getting started module? i can see how to escalate to root as user2, but not how to login to user2
Question regarding an Nmap fundamental course. One of the questions is regarding finding the host name, it provides you the target IP, yet any commands I run with nmap are not displaying the host name, I even tried the -A option , still same issue , exact wording of question is "Enumerate the hostname of your target and submit it as the answer. (case-sensitive)"
target linux , -sP displays 1 host up but won't give specifics
idrk i think you need the distro maybe find custom scripts to do that
Hi guys , any one online here ?!
Hi guys, need a little help regarding the windows fundamentals module
Question : What non-standard application is running under the current user ? (The answer is case sensitive).
Section : Windows Security
If anyone is online please point towards the right direction
Thanks in advance!
Hey it okay guys, i got the answer. Just have to remove .exe from the application😂
The question didn't specify not to include the .exe extension😩
@quiet forum same thing happened to me lol
hey
I'm working on the Getting Started module under Service Scanning. I'm trying to access the SMB share folder 'flag'. I've enumerated the share folders but I am unable to interact with them using the smbclient tool. Any suggestions?
i dont really know much about hacking and coding and stuff
can i learn something in this server?
:>
Actually you can’t, but you can go to the HackTheBox Academy >> academy.hackthebox.eu
And you can learn something, but this server is only for support.
^^
@rustic sage
Kind of a good way to think of it yeah. Learning is really up to you.
Hi, is there any way I can earn cubes for free?
@timid marlin Buy modules since, you spend 10 and you get 10 back
I'm new to HTB and I just hacked my login. I would like to try some labs but I don't have the skillset and I don't have the money to buy cubes to learn them
Tier0 modules are available for free.
Network enumeration with Nmap is 50 cubes and I just have 40
Hey! Can anyone help with the Web Request module POST method section question? I feel like I've tried everything i know and made a lot of new progress but still can't figure it out : (
@timid marlin I just reckon you do the the modules you can afford since you don't have the money for them
@lavish needle Sure, hit me with a dm if you still need help
can anyone clear my doubts ?
Asking questions regarding the htb academy questions
Like learning the way to solve it and not just the answers
htb academy what
++academy
Can someone help me in Remote file Inclusion please
Which shell is specified for the htb-student user? how can i find that answer
I'm stuck in buffer overflow academy
[19:59]
Buffer = "\x55" * (1040 - 100 - 150 - 4) = 786
NOPs = "\x90" * 100
Shellcode = "\x44" * 150
EIP = "\x66" * 4'
[19:30]
How large can our shellcode theoretically become if we count NOPS and the shellcode size together?
[19:59]
I think 250 but it's wrong
Can someone help me
Which shell is specified for the htb-student user? how can i find that answer
Have you carefully read the material in the section/module
Little help in Remote file Inclusion!! anyone please
yes i read it
but after that i find so much difficulties to understand the questions.....
can anyone help me a little ?
bas thoda sa
@dim plover I think you should check Environment
Can you tell what you found till now?
what's problem?
@unborn yarrow it saying expect parameter 1 to be string, array in httpxxxx on line 1
@dim plover check Environment you will find your answers
Attack the target, gain command execution by exploiting the RFI vulnerability, and submit the contents of the flag.txt file located in the /exercise directory.?
ok
@unborn yarrow when I Attack the target instead of execution of command it says it is expecting string ==> expects parameter 1 to be string , array in http://xx.xx.xx.xx:8080/shell.php on line 1
I haven't see this error in this module yet, just follow course and find the flag.
hey guys, just want to ask if you know the command for this question? i have been on this question for 6 hours already. somebody help
Here is the question.
"Find a way to start a simple HTTP server using "npm". Submit the command that starts the web server on port 8080 (use the short argument to specify the port number)"
Here is the hint for the question.
"Npm is a package manager that can allow you to download a basic web server packet. This packet also provides the option to specify the port. No need to install it. How would the command look after installing the corresponding package with a specified listening port?"
@hardy quarry can I dm for help?
Sureee
@unborn yarrow I am doing like this
- Made that shell.php
- Turned on the allow_url_include
- Attacked the target same as mentioned in module passing http://xx.xx.xx.xz:8080/shell.php&cmd=id in language parameter
But getting ==>expects parameter 1 to be string , array in http://xx.xx.xx.xx:8080/shell.php on line 1
cat shell.php and check your code again, it will be lacking some char when you use echo.
@unborn yarrow yeah you are right but why it happens?
I don't know, it takes me 5 minutes
Have you finished buffer overflow?
@unborn yarrow Nope I haven't started it yet , thanks a lot !!!!!!!👍 👍 😭
"Once you gain access to 'user2', try to find a way to escalate your privileges to root, to get the flag in '/root/flag.txt'." does anyone know how to do this one? (Getting started, Privilege Escalation)
No problem!
Check the permissions of user2 in the list /(root)
if you need help send pm
hello
Anyone know how to find the kernel version for the Linux Fundamentals course? I tried using uname -v as well as uname -r and it said neither one were correct
Are you submitting the command itself or the result ?
I pm'd you 😄
I figured it out! I didn’t realize you have to ssh in as htb-student. The text is pretty small and not super explicit
Oh yeahh.. . that happened to me as well
Hi dudes. I have a question. How do I get cubes? Buy or with each solved module will be more cubes?
You get cubes with each solved module, but just the ones you spent on the module
So basically you stay the same
thx
Hello I'm new to HTB, I need help in finding Apache😅
What?
That module named "Cracking into the hack box"
cracking into the hack box > web requests > request and response
I'm totally new to this sorry😵
Pm me and will try to help you out if you want!
Hey, could someone help with a question of Windows fundamentals ?
I feel like I am not even looking for the right thing or I am submitting the answer with the wrong format
Did you figure it out already ?
Hi everyone, sorry, i need help. I am on Linux Fundamentals; service and process management. I don't know how i can solve the question, the question says: Use "systemctl" command to list all units of services and submit the unit name with the description "Load AppArmor profiles" as the answer. But I have no idea how to do it, I would appreciate if someone could tell me what to put in the terminal to get the answer
snapd.apparmor.service
Is the answer?
Yes
How can I get to that answer?
systemctl list-units --type=service | grep apparmor
you have to ssh before, not in your machine
I see, The ssh thing, if I have it, but then grep is the one that helps a lot, right? :O
it helps you search keyword
for the getting started module privilege escalation part, i have been stuck on how to go to user 2 for a while. could i get a nudge in dms?
Hello I am trying to connect to MySQL through command line and i get next error "ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/run/mysqld/mysqld.sock' (2)" This error happens in SQL Injection Fundamentals in UNION clause
specifically, you get an error in which module's topic
@unborn yarrow SQL Injection Fundamentals - Union Clause (page 11)
I have omitted this section because there could be a server-side version error.
but if you want to practice command in database, you can setup in your machine or search w3schools database
so this section cannot be solved at the moment?
not all topic, you still can pentest with other topic by browser
In the module Web Requests, Section POST Method. What am I supposed to submit? It asks for the admin user but it doesn't accept the name displayed when you log in as admin or the admin cookie. I've tried including and removing the word admin and the underscore
Hello everyone! I'm new member and got my first problem. I started with first module and I got stuck with question in 'learning process' - 'What is the difference between the two numbers of the learning progress mentioned above?' 😦 For real, I tried with almost everything and I feel dumb when all of my answers are incorrect. This is such easy question and I'm lack of ideas. Does anyone got same problem?
The numbers are 1 and 37.7 you might be misreading them
@tawny plume you still need help?
Please
Yea, I know what numbers are
I've gotten to the page where it says admin_<rest of the cookie> but I don't know what I'm supposed to enter into htb
I sent you a message on that
Hello!
I need help with this question of Windows Fundamentals
Which Windows NT version is installed on the workstation? (i.e. Windows X - case sensitive)
I've found the OS version, name, etc with the systeminfo command and even graphically, but know I think I am looking for the wrong thing, any advise would be really helpful!
but now*
@ivory bough Use cmd prompt and type winver
i think it'll help you
Thanks a lot! I will try it
it's ok 🙂
Hi! I'm stuck on this question:
What is the path to the htb-student's mail?
I'm using LS to look at all the different folders but I can't find anything
Hi PhoenixBug, I just solved it. The login as admin is a red herring, i.e., it doesn't work at all. The trick here is to login as guest:guest and manipulate the cookie to get the flag. When you do it correctly, you will see "The flag is..." PM me if you need more advice. This one was tricky.
Hi Stewy, I just solve the POST question. PM me with what you did and I'll give you some pointers.
NVM found it
If I remember correctly, you need..
alright 😄
That's a way I guess
When I solved it I just looked around using cd and ls
I couldn't find the right path using LS 😦
It was confusing indeed
Check the environment
then you find your all answer
Hi guys, trying for quite some time now, but I cannot get the flag resolved for JavaScript Deobfuscation (https://academy.hackthebox.eu/module/41).
Got the .js file looking good and readable and followed the instructions in there (from my pov). I always receive a keychain back which I want to decrypt. This ends in a text that's readable half the way but ends with an error message.
Thanks in advance for someone who can guide me through!!
Hello, Im stuck on the POST method question of the Web Requests module. I can make the page say Welcome admin_somethingsomething but that is obviously not correct. Does anyone have a hint on what I have to do here? Thx!
edit: ok got it ...
Hi guys/girls, i'm wondering what i'm doing wrong with the module "getting started" and with the service scanning subject. The question about the service on port 8080 is bothering me.
I see that multiple people have the problem on finding the right answer and it seems i have the same issue. I see the result from the Nmap + the service scanning. But the results are not current. So what am I missing here? Can someone push me in the right direction on what i should look for?

guys, anyone know how to solve this?
How many files exist on the system that have the ".bak" extension?
find / name *.bak -type f 2>/dev/null | wc -l ... i think this is right but dont work rn
-name *
im dumb
😛
What command are you trying?
Still need help?
I too need help with hydra on the brute force module, assessment 1: I'm getting a "missing colon" error in my command if someone wants to check it out please! EDIT: The error was in the file, not in my command. I'm good.
Yea, still stuck 😦
what section of the module? I'll try to help.
Please tell me the answer to one question "Identify one of the non-standard update services running on the host. Submit the full name of the service executable (not the DisplayName) as your answer."
You got to find from the running services one that is non-standard, so not default on windows. It's not an obscure or difficult process to find. And the answer is the name of the executable, so don't forget .exe
Can anyone please help me wit this question? I tried many answers lol
Use WMI to find the serial number of the system.
@next lava wmic bios get serialnumber
lol its this Get-WmiObject -Class Win32_OperatingSystem | select SystemDirectory,BuildNumber,SerialNumber,Version | ft
prob just need to select SerialNumber
Ah so powershell
ya i couldnt find it using MS-DOS
Couldn't determine if this was a linux box or windows. Good to know
yep hopefully helped someone else lol
Weird that it didn't let you use cmd commands
Powershell is the way to go anyway
true, true!
@next lava by chance with the cmd command did it return SerialNumber To Be Filled By O.E.M. ?
No it returned this
Serial Number
VMware-42 [hex]
Your command would usually work,
I think its bc its a vm
Agreed
Could somebody help me
I need some help for the privilege escalation question 2
"Once you gain access to 'user2', try to find a way to escalate your privileges to root, to get the flag in '/root/flag.txt'." does anyone know how to do this one? (Getting started, Privilege Escalation)
Can’t get the correct answer for the first question here. (https://academy.hackthebox.eu/module/41).
Got the .js file looking good and readable and followed the instructions in there (from my pov). I always receive a keychain back which I want to decrypt. This ends in a text that's readable half the way but ends with an error message.
@old lynx still need help?
Hey @hybrid urchin , shoot me a dm
thats really how you do it? I havent been taught any of this yet in academy
@stray prairie
@hybrid urchin we got different module i was on javascript deobfuscation
Whom are you talking to? 😅
Used your syntax + xml header but receive a partly wrong answer. The key was HTB in my case. But I receive blablabla + error message. Blablabla = the flag (at least partly) but the line ends with an error message though.
i was asking anyone if my syntax was wrong
Hello, I am having difficulty with this easy module: INTRODUCTION TO BASH SCRIPTING, comparison operator.
Create an "If-Else" condition in the "For"-Loop that checks if the variable named "var" contains the contents of the variable named "value". Additionally, the variable "var" must contain more than 113,469 characters. If these conditions are met, the script must then print the last 20 characters of the variable "var". Submit these last 20 characters as the answer. Firstly I am checking for if var contains the value, if it does I am checking the number of chars, but there is nothing that matches both criteria. Don't know what I am doing wrong. Need some help, thanks.
I used : nmap -sV -sC -p- (ipaddress) showed me a lot of information. But it seems that my answers are not what the question is looking for 🙂
this is the section where I'm stuck in - Source Code:
https://academy.hackthebox.eu/module/41
- found the script
- applied deobfuscation (jsnice.org) and got the nice .js with the instructions
- instructions applied:
curl -s http://ip:PORT/serial.php -X POST -H "Content-Type: text/xml" -d "<Request><flag>HTB{1_4m_7h3_53r14l_g3n3r470r}</flag></Request>"
--> received a flag back, but after decoding it with Base64 following outcome appears:
7h15_15_a_53cr37_m3554g3base64: invalid input
Poki, I've found the admin and password, but cant login with the credentials found.....I was able to upload a php shell inside var/liv/mysql.....but i can invoke it.... any hints ?
you should definitively make that a spoiler or delete it, following htb's rules
try uploading shell to a different folder
because /var/liv isnt part of the website
thought about that but no clue how to do that. any hint?
which part are you stuck
this is the section where I'm stuck in - Source Code:
https://academy.hackthebox.eu/module/41
- no clue how to select my previous post as kind of "spoiler"
whats the question
Using what you learned in this function, try to deobfuscate 'secret.js' in order to get the content of the flag. What is the flag? this question ?
meaning I need to deobfuscate the readable flag until receiving something like XXXX-XXXX-XXXX-...?
yep
this was the hint Don't just beautify it, deobfuscate it!
given
no need to decode there
thx!
i always use jsnice for Deobfuscation
I did for the content of the .js file
can anyone help with the very last question in the file inclusion/ directory traversal? I must be missing something I have tried I think everything from the course and had no luck... Skills Assessment - File Inclusion/Directory Traversal "Assess the web application and use a variety of techniques to gain remote code execution and find a flag in the / root directory of the file system. Submit the contents of the flag as your answer."
hey everyone i hope you are all well i need some help about service scanning module
Try to use php wrapper to view the source code
What is the name of the hidden "history" file in the htb-user's home directory?
i just cant figure this one out
ive been to the folder and have ls -al |grep history
all that shows me is bash_history..., yet that isnt the answer
can anyone help?
btw Linux Fundamentals
A lot of the answers need to be exact. The . is considered part of the filename so it needs to be included
@rustic sage I think it might be noteworthy why there's a . before the filename, and why it's part of the file name: they're hidden files (so for instance if you use ls they wouldn't be listed but ls -a does). So the file bash_history is vastly different than the file .bash_history, the latter being hidden
ah ok thank you
Can someone help me please with this question? Send a GET request to flag.php with two parameters num1 and num2 such that their sum is 1337.
Web requests on Get Method. I am brainstorming for almost an hour and I ran out of patience and ideas. If someone can help me pls dm
Can someone help me with this problem https://forum.hackthebox.eu/discussion/4559/use-wmi-to-find-the-serial-number-of-the-system
The answer I got for the source code section is simply displayed in the html source code of the target ip.
Still there?
Having issues with the same module. Can't get anything to satisfy the answer. Any luck?
At the same section "source code"? Read my previous message where I cite the same comment. I can try to help
I got it. || Forgot to add the -d||
Im so lost with this, its literally the first thing and i feel so dumb
its the Interactive Section with Target of the first module and i just dont know what theyre asking or how i do it
And what is the question @static crypt
@sweet heron thx man. I was totally stuck in doing the stuff learned on the page.
Hey all! I'm stuck on fundamentals > knowledge check, its the module where we need to bust into the getsimple server. I got a shell on it with metasploit, got the user data and upgraded the shell, then I piped linenum.sh in and ran that. I got the results back and saved them but I feel like such an idiot because i dont know what to do with them. I know that the way to get root probably has something to do with ||/usr/bin/php|| and maybe this too? ||sudo_as_admin_successful ||but I'm just too dumb to figure what to do next. I have all the pieces in front of me but Im too much of a baboon to put them together!!! can someone plz give me a kick in the right direction? maybe drop a hint? 🙂 ????? plz??
hey susjustice im stuck just like anastasispap on the knowledge check's 2nd flag. can i pm u as well with a question?
@modest token try to use that to Privilege escalate to root https://gtfobins.github.io/
im stuck on the linux fundamentals module. I dont understand how you find the path to the htb-student's home directory or the email this whole section confused me tbh
@hot tartan , I'll Dm u
im stuck on the linux fundamentals module. I dont understand how you find the path to the htb-student's home directory or the email this whole section confused me tbh
What is the proof text displayed in the Target website you browsed?
sorry for the late response, i slept and did some other stuff
Can anyone give me a nudge on the very last box on the getting started module? Feel free to PM me and I can explain my situation further.
Can someone help I am stuck on linux fundamentals. I can't seem to start apache2 service whenever I do sudo systemctl start apache2. This is what is highlighted in red: (code=exited, status=1/FAILURE)
Guys, how do i get this file .txt ??
File saved in: /root/.msf4/loot/20210408182022_default_138.68.189.41_simplebackup.tra_255543.txt
I got it from a exploit
But i dont have this ".msf4" in my machine, or even "loot".
ATTACKING WEB APPLICATIONS WITH FFUF - Parameter Fuzzing - GET: Can someone give me a hint on how to answer it? I've added the domain and subdomains to the hosts, I've ran the commands, but I don't understand what they want, I probably have the answer but I don't know how to put it. Thanks! PM accepted!
@restive siren You need to find the parameter accepted by the page, http://www.webpage.com?parameter=value
They want you to find the accepted parameter for that page
so you need to use ffuf to FUZZ and find that parameter 😛
I think I've tried that, I guess I need to try harder LOL, Thanks @uncut temple !
@restive siren sometimes the answer is so simple that we miss it in the output of the command. I had problems with the VM since the progress doesn't stay in the last line and keeps filling the screen with progress lines, I had to use the parameter that ffuf provides to avoid that. Are you using it to display only the results?
Not really, which command is it? I'll give it a try
@uncut temple can I PM you?
PM me 🙂
Anyone good with bash scripting? I need a hint for the comparison operator section. I can't seem to create a good if-else statement to compare two strings.
Hi there, could someone please give me a nudge on getting started module - knowledge check. I got the meterpreter session open and got user flag. I type shell to get the shell, but it's not responding to any commands. What am I doing wrong here?? Ta
thankz! 
@loud dew Hey so I'm stuck on the same part of the knowledge check. Do you mind if I PM you a question real quick?
u can PM me too if you need help.
HELP plz
Getting started
Web Enumeration
Q: Try running some of the web enumeration techniques you learned in this section on the server above, and use the info you get to get the flag?
Nmaps says it seems to be down
I cant ping the target
I cant gobuster it
I cant enumerate for subdomains
I cant curl or banner grab anything
What am I missing here?
*Getting started
-Public exploits
I scanned all the open ports on my target, the public exploits match the service but not the version so what I’ve used on metasploit doesn’t work for me. Help please and thank you!
Did you find the answer for this I’m going through the same lol
Sure
Did you make sure the server is up and running? if your time expires you may need to restart it. If it is up, then make sure you are accessing the right port.
Hey Everyone!
I'm stuck on the last section of the getting started module (Knowledge section). I got the user flag through metasploit, looking up GetSimple, running the first exploit with a generic shell and also managed to run LinEnum.sh in the shell which told me that /usr/bin/php can be run with root but i can't figure out how to get root access from this. i've tried running php commands but it just gets stuck in a weird loop where everything i type just gets printed back to me. Is there anyone who can offer some help on this? Cheers and thank you for any help!
check php documentation, think about all the possible ways for php to run something.
Please don't post here what you do, you may spoil some others path ;). I haven't used that function so I don't know if that one works the same way. In this case I was more oriented on getting what I wanted than getting a shell 😉
haha sorry i'm really new here so still learning my way around 😉 thank you for the tip, i deleted the message so it doesn't spoil it for anyone else. ahhhh okay, i think i'll try that, thank you so much
Once you've solved it try getting the shell with another function I will try that too 😛
woooooow i finally got it hahah don't know what i would have done without you. You're a life saver man 😉
Hello guys. I have trouble in the web requests module. When I try connect to target with burp on it will not load in my browser (just stuck loading). Everything is correct and i think that I've found the solution https://forum.hackthebox.eu/discussion/4255/problems-with-web-requests-in-academy (may be) but i don't know how I can do that (change the port)
Hey please don't post your commands here, it might spoil things for someone else
copy
Hi. i need your help if you can give me hint on how to tackle this question:
Module - Linux Fundamentals
Path - File Descriptors and Redirections
Question:
- 0 How many total packages are installed on the target system?
Hope you can provide me insights on this. you can DM also. Thanks
If I understand your question, your problem is that once you have burp and you're redirecting your browser to burp you don't receive anything on the web browser. Is that correct?
yeah, browser just stuck on loading
What question are you at?
Ok, the problem is that you are not forwarding the communication
You have to forward the requests in order to send them to the browser
In the intercept tab of burp
you have a button in burp and you need to forward the message to the server in order for it to pass through
you mean the forward button?
yes
I tap on it but the load is still going
You have to forward all the requests
keep tapping until no message is received in burp
then you will have the web page in your browser
Yeah, I tapped on it and even got the response - "HTTP/1.1 200 OK", but in the example (in section of the module) they got a cookie, so I'am not
and my browser still didn't load the page (after I text my login and password)
as the result - I cant log in and intercept the data I need? https://forum.hackthebox.eu/discussion/4255/problems-with-web-requests-in-academy This guy said that changing the port solved his problem. So I did the same (if I did it correctly) but it's still not working
try accessing the page without burp on the proxy on
if it loads, it's not burp
or the port
I'm going to assume the target and instance are working correctly
You need to log in with user guest. Did you do that?
just log in without burp, then start burp and reload page, you will be able to intercept the communication and see the cookie
yeah it works without burp
no I 've tried to log in with admin 🤦♂️
but you can't, you don't know the password 😄
in this case (at this section ) I know the admin password actually but anyway is working with only guest log in 😐
anyway I can continue:) sorry for stealing your time
then you get farther than where I got, I didn't need the admin password to complete the task, just needed the system to take me as an admin
you know actually I could be wrong and mb I made mistake in translating the task (I 'm still try to learn English)
😆 it's getting more and more fun
)
Then you have a double challenge, understanding the task and accomplishing it 😛 . Let me know if you need an explanation of what the challenge is
thanks man!) appreciate...
This problem in POST lesson in web request module?
All this time I thought, in order to hack into anything, you'd need help with that
That there's no way you can do it on your own
Guess I was wrong
clear
Hi there!
Thanks for accepting me on the server
I have a question:
I am doing the module on Web requests and in the section on POST requests and we are asked to "try to get the admin user from what we learnt from this section" but after doing it I see no flag. Is there anything to get?
I had issues of conectivity with my virtual machine that relates to those encountered by so I tried to do the section from my own machine with curl. I loged as guest with curl to get the cookie and save it and then going as guest to /admin/dashboard.php with that cookie but I don't see anything interesting to submit.
@tame trout you see no flag because you haven't done it yet. Keep trying 😉 the flag will be displayed on the webpage.
umm im new the first link sent me here
Hello!
yeah
and I'm still trying to do this crappy task:Login with the credentials (guest:guest), and try to get to the admin user from what you learned in this section and the previous section. (web requests module - post method section)
do you need a hint
i am on javascript obfuscation module and stuck with the question where i have to send POST request using curl in /serial.php can someone help me with that
hint says it starts with 'N' and ends with 'Z' please help me
I sent you a dm
Manipulate the cookie as discussed in the previous section? hm I thought that I tried all possible variants... so could someone explain me, why I didn't get phpsessid cookie? only auth=
did you do anything relate to base64?
yeah i've tried to decode cookie auth=... to base64
but it was my cookie
and it doesnt get a result
that cookie is just for 1 user
and you can see the name of user in cookie after decode
so if you want login to admin you must have cookie of admin
you should guess the cookie and encode
use it in Burp Suite to login
you can try encode 'admin'
you can't guess because you do not really understand how cookies work
You guessed the rule of cookie is related to user name
in this case, decode(username)=cookie
Try each case you can guess
encode(username)=cookie, I wrote it mistakenly
Thank you for accepting me on this server! I appreciate it!
@unborn yarrow that was a huge hint 😉
I think he already tried :v
That was tricky, though I knew what to do mimicking the guest cookie is what took me banging my head with the wall, then I tried something different and bingo.
That's why I say that the hint is huge 😛
What's this all about?
haha
Guys, anyone?
yes
so dude
could you slightly direct me?;)
I encode adm
after I encode the cookie which I have default (guest cookie)
adm name encode to base64
cookie encode to ASCII
wrote that in the cookie string
and I've got this - Welcome, ��{�n��^{ߍ�!
😫
mb I text it in wrong string?
@frigid vector read the hints you were given here, you over complicate it. Try to simplify it for you so you understand it
now I've got this Welcome, a�in!
I'm on the right track
:)))
finish question?
Hi can someone help me I am stuck at LFI Harding Tips 2nd question how I can use curl to execute a php file ?!
i give u answer, not a hint
what wrong with u?
hm sounds good actually
could you explain what I do wrong?
I don't know how I can use Curl to execute a php file on my system
Do what I said above, you will see the answer
you don't need to use curl if u can't
copy ip website and past to url browser
contact with url instead
@unborn yarrow In hint it is written ==> "Place a PHP File in /var/www/html/ which contains a PHP Webshell using SYSTEM(), then use curl to execute the file. Be sure to restart apache after editing the PHP Configuration!"
which lesson in LFI why i don't have the hint
@unborn yarrow FILE INCLUSION / DIRECTORY TRAVERSAL module Harding Tips under Wrap Up
I have problem with ssh so I ignored that question
check source code php again, maybe u use echo, it make your shell lack char
encodebase64('admin') that's cookie u need
@unborn yarrow Yeah I have already checked my code but the thing is How I am gonna execute it using curl
how I can do dat? could you explain?
ty
can you show your shell, i will write cmd
google search base64 encode --> type admin --> get the strings and replace it to cookie user guest in Burp Suite and forward
yeah I did this, I don't know where to insert this code
I did this a few hours ago:))
delete cookie user guest in Burp Suite and replace cookie of admin
What I could recommend you in order to more less understand it, is to log multiple times, step by step using Burp so you can see where you should change it (in what step)
You already know how to do it, but probably are doing it in the wrong moment (as It happened to me)
yeah I think same, I just text the encoded 'admin' to this string auth=Z3Vlc3RfNWQxOWZmMDQxZTkzZTdjZDM5M2
and tap on forward
SUCCESS!!!!!!!
that vm just has insane crazy lag... and I just i couldn't wait for the browser response
hi everyone. got a question about SQL Injection module's very last challenge. I want to double check something..
can I ping someone? 😄
actually nvm
hi guys
im doing the getting started module
and im stuck in the enumeration section
"Access the SMB share folder called 'flag' and submit the contents of the flag.txt file."
After connecting to the SMB port and seeing the shared files, i cant find the flag folder
ive tried both smb ports, 445 and 139
What's inside the user share?
i already connected to the users folder but i cant list the directories inside it( dir command)
What table of contents section are you in?
Service Scanning
sorry
i said enumeration
fuck xd i meant port scanning
i need to go to bed after completing this hahaha
You have one kind of access denied, have you tried others?
I am stuck on the Login Brute Forcing module, on question #1 before the skills assessment. The questions say to "try to brute force the SSH login in the server shown in the server below" but I am having no luck. I have tried hydra with most of the username/password combination files. I have also tried several of the username lists and password lists from SecLists without luck. I do not know any information about employees at this point so creating a custom username and password list doesn't sound like that would work. I'm sure I must be missing something simple since I'm not even to the skills assessment yet. A nudge would be greatly appreciated.
@deep tartan so you are connected right?
yes i am
you don't have listing access
yes
i got it
cool
YW
hi guys
i got yet another problem xd
so 2 modules later and now im in the Public Exploits section
this is the only task to do
" Try to identify the services running on the server above, and then try to search to find public exploits to exploit them. Once you do, try to get the content of the '/flag.txt' file. (note: the web server may take a few seconds to start)"
i was thinking about nmaping the server to see the running services and then starting my search on exploits related to those services
I am doing the Windows Essentials course on Academy and I am sort of confused by the syntax of something like this:
PS C:\htb> Get-Service | ? {$_.Status -eq "Running"} | select -First 2 |fl
Can anyone explain the " $_.Status " portion of this?
$_.Status is the status of the service...This can be "running" or "Stopped"
Get-Service (gets all services) | ? {$_.Status -eq "Running"} (only show the running ones) | select -First 2(out of the running ones, show only the first 2 ones of that list) |fl
np bro :3!
On yours, you can always "nmap -oX" to output nmap to an XML and then use "searchsploit --nmap {filename}" to look for vulnerabilities from the nmap
is $_ an alias for the info being piped from the first command then?
I am terrible with Windows lol
is there any website where I can rent a system like the academy one that I can view from my browser? I want it to have a gui just like the academy box but I need persistent storage too
Any of the cloud service providers will let you... Azure, AWS
Im sure its been asked but, on the linux fundamentals, i cant seem to get the right answer for the "run command as a different user" ive always used -l. in this case it wants the long version but it wont accept -login as correct. Im sure its something obvious that im missing.
Su
Hi guys, I need help, I don't understand how ffuf filters responses. In the Filtering Result lesson, there is an example that uses the -fs 900 flag to filter the result size = 900 but the result displays size = 0.
user@htb[/htb]$ ffuf -w /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://academy.htb:PORT/ -H 'Host: FUZZ.academy.htb' -fs 900
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.1.0-git
:: Method : GET
:: URL : http://academy.htb:PORT/
:: Wordlist : FUZZ: /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
:: Header : Host: FUZZ.academy.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403
:: Filter : Response size: 900
<...SNIP...>
admin [Status: 200, Size: 0, Words: 1, Lines: 1]
:: Progress: [4997/4997] :: Job [1/1] :: 1249 req/sec :: Duration: [0:00:04] :: Errors: 0 ::
we can see size of admin is 0
all other outputs are filtered, which is what you want, don't you?
you are telling ffuf to avoid printing results with size 900, admin is printed because it doesn't have a size of 900
Wow thanks, and match is opposite with filter?
exactly, you want to filter out sizes you don't want. you don't know the size of the files you are looking for
Thank you very much, I have understood the problem
yw
@uncut temple what modules did you do on htb academy? I'm a newbie but i am taking a web related computer science course in Uni so i already know something
my goal is to be able to do some htb machines
at least the easy ones completely by myself
I am taking all of the free ones, some of them I already knew the stuff explained (though you always learn something new) and others completely new to me like the ffuf.
noice
i already did most of those
except "Linux Fundamentals", "Intro to web applications" and "Learning Process"
how did you reach Script Kiddie on htb then?
did you learn outside of htb academy?
I already knew about those courses
aah fair enough
some times easy machines are too easy 😛
the starting point ones are not easy xd
Archetype requires doing a bunch of stuff
they could make it easier tbh xd
do you think i can hack any machine using only port scanning and public exploits?
with this ^, i mean is there any machine that requires only these 2 aspects of pentesting?
in the easy ones probably, but not straightforward, they always have something to make you think a bit
uhmm fair enough xd
i guess trying one doesnt hurt
did you do the starting point ones?
if yes, which one was the easiest for you
uhmm i dont! Do you think its worth it?
It was for me, you have access to the old machines thus, you can watch videos or read walkthroughs (there are a lot, but ippsec vids are great and 0xdf walkthroughs) and then you can practice that on the old machines
it's very useful to learn
not strictly necessary, but if you can afford it I would recommend it
i can afford it and was already thinkin about buying it tbh
i also bought some modules on HTB Academy
I might buy some when I have finished the free ones
the Login Brute-Forcing and the Network Enumeration one too
I want to start playing on HTB again, but time is a constraint in my case
same here, uni gets tough sometimes! But i always find little bit of time to learn a bit on HTB 🙂 my major problem is procrastination.
wait till you're working 😛
not only that, and a lot of interesting topics pending for time
!rank
@wild spire Please keep bot commands in #bot-commands channel.
hi
Hi can anyone help me in ==>Edit the php.ini file to block system(), then try to execute PHP Code that uses system. Read the /var/log/apache2/error.log file and fill in the blank: system() has been disabled for __ reasons .
In hints it asked to execute a php file using curl but I don't know how to do it
Can anybody give me a nudge regarding the first question before the skills assessment in Login Brute Forcing?
so uuum any hints for these 2 problems in the linux fundamentals course:
Which kernel version is installed on the system? (Format: 1.22.3)
What is the name of the network interface that MTU is set to 1500?
https://academy.hackthebox.eu/module/23
Using the file inclusion find the name of a user on the system that starts with "b".
im stuck on this part and i cant find the user i dont have any clue on which directory it goes
have already tried both 5.5.0 and 5.5.17 but neither gives results
and the other there are multiple interfaces with a MTU of 1500 according to ip a and ifconfig
have you connected to the target?
ah forgot to connect to the target and just thought the instance was the target
thanks for the help @autumn pilot
Even with the . I CAN'T find the filename :/ it shows me . .. user##### but it does not take the answer
I can't find in the fundamental modules the answer to:
What is the name of the hidden history file in the htb user's directory? How can I go inside the folder? I know that I can locate the folders with ls -a
But when I get to the user folders
I have
.
..
User#####
How can I go inside?
Thanks
Hey I need help with two questions in the Linux fundamentals. In the System information it’s asking for the shell for the htb-student and I used ssh to connect and command echo $0. The shell that’s coming up is bash but when I put in the answer It doesn’t take It. Anybody can help?
@dusty quartz pls be careful with spoilers
Get-Service | ? {$_.Status -eq "Running"} | select -First 2 |fl
Get-Service returns Service Objects (anything in PowerShell is an Object), which are piped to Where-Object (? is an alias), which has a parameter -FilterScript and is used here without its name. $_ refers to the current object in the pipeline and .Status is to access its property.
Get-Service | Where-Object -FilterScript { $_.Status -eq 'Running' } | Select-Object -First 2 | Format-List
Powershell is really worth a look and not just a Windows thing anymore.
uname -a and ifconfig
Hi, I am currently learning "Linux fundamentals". I have to SSH to a target but I am not able to do so today. I have done it in the past (yesterday) but unable to do so today. Can someone please help??🥲
i am in the "Service and Process Management" section of "Linux fundamentals"
sure
hey guys, what's up? badly need ur help on this linux question below:
How many services are listening on the target system on all interfaces? (Not on localhost and IPv4 only)
Do you have hints for me here? does this mean i need to check the ipv4 interface only? Thanks
I have the same issue today
me too
Open command prompt, type in netstat -q and press enter to check the listening states
attacking web apps with ffuf
the later questions are phrased : Using what you learned in this section, run a parameter fuzzing scan on this page. what is the parameter accepted by this webpage?
just to confirm, this means that the parameters are on the page xxx.xxx.xxx.xxx:PORT.php? or not?
i took a few days away, and am doing something wrong since i came back..
Joker (2019) is the best
i need help please
xxx.xxx.xxx:port/page.php?parameter=value
Can someone please help me out I’m honestly confused.
Thanks, I got solved with the help of @novel matrix .
thanks, i must be doing something wrong, i went as far as fuzzing xxx.xxx.xxx.xxx:PORT for .php pages, i dont think any of them are responding to my ?FUZZ=value maybe my wordlist is bad..
to clarify, they are responding, just not in a 'useful' way
You have the command on the module, so if you're using the same wordlist then you should be OK there. Though if I'm not mistaken I think you were already given the page and you only needed to FUZZ the parameter
oh, sure. It is explained in the module. Server will keep responding page not found so you have to filter those answers
try checking the help pages for su... that would give you what you need
thanks, i either get no responses, or all identical responses(so all knocked out by my filter) i'll start again, and probably figure it out when a look again 😉
thanks for your help.
Confirm you've done the previous steps: subdomain resolution and all that
Doesn’t the su command already change the user?
The help page doesn’t really help
Only thing I see is login and that’s not the answer
Check the manual of su, has more detailed information on the command
i expect the issue may be in there somewhere, i got that far, then stopped for a few days, and tried to pick up from where i left off, updated hosts file. but i must have missed something.
'twas the Header i was missing. - Thanks for all the help!
Heeey i'm also stuck in this module :/ I got the obvious exploit we must use and even downloaded some content with it but theres nowhere i can find /flag.txt T_T can someone help me !?
Congrats 👏
Thank you 😄
@rustic sage start by reading whats in the website
that the IP is hosting
and search a bit about the plugin that they are advertising
from there its really straight forward
use "search <plugin name>" on msfconsole to find the exploit
the answer isn't in service enumeration, it's just a plugin exploit that the website has
oh, and i forgot
when you use the exploit
you gotta change the folder
change this to /flag.txt