#modules
Bro where you are practising?
@silk grail DM
@celest elbow im having the exact same problem, did you solve it?
im having the same issue even with PwnBox or my Kali VM
tried US + EU VPN servers, made 0 difference. I think this issue started occurring yesterday?
DM
use this command in the target machine
@pearl nymph already solved it + the challenge. misunderstood the challenge
Can anyone give me a hint about the question " Which Windows NT version is installed on the workstation? (i.e. Windows X - case sensitive)"? I know the version but I don't think Windows NT is installed. Windows 10 is installed.
Hi, I'm learning the "Getting Started" module, in the section "Pentesting Basics" , at "Service Scanning" there is a question where it tells me to do a nmap scan and answer this question: Perform an Nmap scan of the target. What service is running on port 8080? (two words)
As you can see on the screen the service running on port 8080 is http-proxy. However when I entered my answers it says wrong answer.
Am I missing something?
You can probably find more detailed information with some scan options.
@maiden kiln Nice job! Just removed the messages because spoilers. 🤫
goodnight 2 all
On getting started/Privilege Escalation I have found an exploit to gain root but I can't get it to run
explain better the issue and someone will help you for sure
I don't know how to explain it without spoiling it for someone else. I found a vuln that will let me gain root but I can't run the exploit properly
I tried running the exploit again a few hours later and it worked
I don't know if there are different ways but I barely touched user2
You need to pull that id_rsa to your machine and ssh in with that key. That's where I'm stuck. I keep getting "invalid format" and it asks for a password. I've been trying to figure this out for days and I just can't seem to figure it out.
I managed to get root without using ssh keys
now i can't even get the target to spawn 😩
Please reach here: #613049811481919508 message
@burnt stone copy, but that doesn't seem to apply. I'm not trying to spawn a box, but a target. Is this part of the outage?
Most likely
@versed zealot may know better.
This is a part of the issue that we are experiencing with spawning Pwnboxes and Machines. We've identified the cause of the problem and are working on resolving it. Sit tight for now!
The problem also affects target instances, unfortunately.
i guess that gives me more time to figure out how to convert an openssh private key to whatever it is that I need. 🙃
Target FIXED!! Thanks, HTB staff!
Hi, someone can I help me with this exercise? I can't understand English grammatically well yet.
In Linux Fundamentals, exercise: Filter Contents.
Point 3: use cURL from your pwdbox to obtain the source code.. filter all unique paths of that domain.
What does the exercise with unique routes refer to?
Hi, I'm doing module where i have to exploit a website. I can access the website in web browser, but I cannot ping it or run that exploit. What am I doing wrong?
u have to use metasploit
but which module are u talking about
Cracking into Hack the box, Public Exploits
ok wait
which module ?
getting started
Ok
SHIT SORRY BRO. I don't have enough cube to unlock it. Can u show the question here plz?
use the cheatsheet
Can u send me a screen of the entire page. cause u have to use the stuff of the page to do it
||personally, I would use Nmap and Metasploit for that but in the page u should see some stuff to use ||
Ok lol. So I was right u have to use metasploit
and nmap. And normally if u follow the instructions of the page u can do the thing. U have to use google, exploit-db etc.
or searchsploit
just a thing. if u do ping <ip of the machine> there is no response ?
when i try to use metasploit and do check, it says this:
name or service not known
because u just have to put the ip and not the URL
set RHOSTS 138.68.182.108
only one left
show options
yep so what. It's fine.
thank you, it looks like it's working now
👍 noice
Hi, I'm learning Getting Started, in the Priv Sec part , there is a target that I'm trying to download the linpeas script from my vm via http server, but it keeps saying connection timed out
Is there anything wrong? I switched to another wifi and still got this problem
Double check your firewall rules. sudo ufw status
Here is the output
Hmmm... Might try checking with ping and/or netcat to try and reach back to your box. You might need to find another way to transfer the file.
Don't know how to say this but recently my home network has silly problem, I cannot ping google, it says destination unreachable, same for hackthebox.eu, but if I ping exploit-db it just fine. Traceroute works by the way
I've been stuck on this too all day. I keep getting invalid format, and it keeps asking for a password
🤔 But you can reach google over https? Sounds like there is some weird filtering. You could also try pwnbox and see if you can get it up there.
my connection is weak, use pwnbox on browser is laggy. Cannot ping google but use web browser and go to google.com works fine, maybe I have to contact my ISP
Maybe. Something is odd. I still don't think that would affect the VM itself though. Communication between your VM and the target should be in the VPN.
Seems like I have no problem at all beside transfer the file, I just copy the content of the id_rsa inside root's .ssh folder and ssh in with the key, got root without asking for the password
Yeah, if I can ssh into the target, it's mean VPN is working fine
Tomorrow I will try again on pwnbox, if the samething happen I will ask later
Thank you for your dedicated support man!
No problem. Hope you get it figured out. You could also try reaching out the support team.
I'm doing the same thing, including the chmod 600, but it will not work for me, keeps with the invalid message
what command did you type, I typed ssh root@ip -i id_rsa
well i had tried that before, but this time in my kali box i decided to add sudo to the beginning, and go figure im in
wow that's weird
i'm more angry than relieved that it worked lol
but i guess it's a good lesson on KISS
lol I just speechless when something go wrong, tooks some good lessons too
.
I didn't really understand that question either, just guess until i got the right answer so i could move on lol
As always, there are many ways to do something in Linux, I personally used || grep, with regular expressions, to look for the unique paths and sort to filter out duplicate results. I recommend the following websites: ||
|| More on grep: https://www.howtogeek.com/496056/how-to-use-the-grep-command-on-linux/ ||
|| In case you want to learn RegEx: https://learn-regex.com/ ||
|| More on sort: https://linuxhandbook.com/sort-command/ ||
@celest elbow Have you found the "Upload files and/or images" button? What happens when you click it?
Nothing happens when I click on it. I think it might be calling a flash file
I used metasploit myself. I'm going to try and work out how it did it after. I'm just looking for root at the moment
I've also got a question on the knowledge check for getting started. I'm pretty sure I know the idea for the priv esc vector, but I'm having trouble finding a php one liner that should work. does anyone having any they can share?
Message the php that you have so far and I'll help you figure it out. php is a pain
Hey everyone. I am working on the getting started module. Finished the nibbles section and on to the 'Knowledge Check' where you exploit a box in a similar matter without the guide.
I've clearly missed something. I have located and identified the services, identified the services being used and an exploit. However, I need an admin login and I can't seem to crack it. I tried brute-force with hydra but it was saying it would be over 24 hours - clearly the wrong direction.
Anyone have some suggestions for me?
Hi everybody, i am currently working on the Linux Fundamentals and stuck in the "Services and Processes Management" section.
the goal is: "Use "systemctl" command to list all units of services and submit the unit name with the description "Load AppArmor profiles" as the answer."
My command does not get accepted: ||systemctl -l --type=service | grep "Load AppArmor profiles"||
Have you tried a more vague grep search? Maybe just one specific word
i tried "|grep Load"
What about armor?
still no success
i found no option to search with systemctl directly for the description
the HTB hint is: Systemctl has an option to list particular units defined as "--type=<type>"
@potent moss any ideas?
you could try --type=profiles???
┌─[user10381@htb-lh2hzpmdgb]─[~]
└──╼ $systemctl -l --type=profiles
Unknown unit type or load state 'profiles'.
Use -t help to see a list of allowed values.
┌─[✗]─[user10381@htb-lh2hzpmdgb]─[~]
└──╼ $systemctl --type=profiles
Unknown unit type or load state 'profiles'.
Use -t help to see a list of allowed values.
┌─[✗]─[user10381@htb-lh2hzpmdgb]─[~]
└──╼ $
Hmm sorry - I don't have access to my HTB right now. I am pretty sure I used service for my command...
something like 'systemctl list-units --type=service | grep armor'
okay, thx for the guesses
You ssh'd into the target too right??
HTB Academy, Firefox vnc on the Target
you have to ssh into the target IP with the login provided... htb-student or something?
You can find the password hash for admin if you snoop around
Look above the question and you will see you have to ssh into the target with a username and password.
Doesn't matter if you use the remote desktop or openvpn
Ok thanks. I thought I found the password hash (don't know how to hide the text so I won't say how or where) but the login still didn't work.
@potent moss
i am on the Target VM
htb-student@nixfund:~$ systemctl -l --type=service | grep "Load AppArmor profiles"
snapd.apparmor.service loaded active exited Load AppArmor profiles managed internally by snapd
htb-student@nixfund:~$
It's the hash not the actually password, you need to crack the hash first
You got it!
LoL I was just about to ask that... I realized it after I responded 🙄
Thanks for the help
You're welcome
Hey guys I'm doing the getting started module but have ran out of instances to use the pwnbox, is there some way I can continue doing the lessons by using my own kali linux to scan the attack machines in the lessons or can I only use the pwnbox provided?
Hi,
Sorry for this message but..
Where can I ask for help for a ctf?
is it related to anything on HTB?
strange, earlier today i was able to get user on the "knowledge check" machine in the starting point module, but now the metasploit script keeps failing at the authentication check
Can someone help about "Getting started" module
yup say
Hi, can someone give me a hint, I'm learning Network Enumeration With Nmap, in the section Service Section, I use nmap with the flag -sC and -sV but I found nothing seems like a flag too me
bro but you found services!! what are that?
here is what I find
then try to connect one by one to them
and then if you can't find the way then please search about it
thank you for the hint
i hope you got my point
lmao I found it, also found another key for later section
can anyone help me out with "Privilege Escalation"? (Getting Started)
You can DM me
yea one sec
is it recommended to do tier 0 modules before moving onto easy HTBs or just the fundamental modules? Not sure how essential Ffuf will be when doing HTB (haven't used it thus far)
Hi, could someone please give me a hint? I'm doing Cracking into hack the box, getting started module and I am at Knowledge check, the question is "After obtaining a foothold on the target, escalate privileges to root and submit the contents of the root.txt flag". The hint for this question was to run LinEnum or LinPEAS, I've used LinPEAS but found nothing interesting.
i got the flag.txt contents on Public Exploits, but it wont accept it as an answer [Solved] = Certain misconfigured settings
isn't the flag encrypted?
It is but idk what in, ive tried so many decryption things
Can someone help me about "Public exploits" section in "Getting started" module. I have problem finding right exploit. I can't use full nmap scan bcs it takes more than 12 hours, and there is nothing on first 1000 ports.
I'm working on getting started - knowledge check. It's to crack the getsimple web page.
I've got the admin login and access to the page settings. I can't seem to figure out how to execute php or python code to gain shell access. I've tried several exploits on searchsploit but have not tried metasploit.
I wanted to manually try to figure it out vs using metasploit. Can anyone offer some guidance?
What command are you running for nmap?
sudo nmap -p- -A 138.68.141.81
Maybe try -sV instead of -A? It would only check for services instead of multiple things plus scripts
You could also do a fast scan to see what ports are open, then do specific tests on the ports discovered vs all 65535 ports
look at themes on the website
@potent moss I ran scan on specific port and i know the version of wordpress (but i can't find exploits). And when i clicked on hint, it said "Search for plugin exploits" so it have to do something with plugin. I tried yesterday to find some plugin exploits, but everything i found didn't work.
Did you try looking at the website? The WordPress plugins would be for the website, not related to nmap I think
I know, i looked on metasploit and on searchsploit for plugin exploit but i didn't find anything helpful.
Do you know what version of WordPress it is using?
5.6.1
Hi :^)/
Check the site in your web browser for your target ip:port
You will see what you need to exploit there. It's not WordPress
But version of plugin is 2.7.10, and i found one exploit but it didn't work. And i found one for 2.7.11 for downloading files, and when I tried to use it i couldn't find ./flag.txt and every file i downloaded was 0 bytes.
Did you try metasploit?
The way in for me was indeed metasploit, I feel like although they mentioned a manual way of doing it, it's a rabbit hole
Where I'm stuck is the priv esc portion
Yeah, but i got file that i don't know how to use, and i think its not the right file.
Did you specify the directory to download from in metasploit?
No? But i tried root directory for flag.txt and i got nothing
@potent moss On exploit-db i found this as a solution: http://127.0.0.1/<WP-path>/wp-admin/tools.php?page=backup_manager&download_backup_file=backup-2016-02-21-111047.tar But the problem is that i don't know file name.
Can someone give me a hint for knowledge check in getting started module? The second question. I didn't find anything useful in LinPEAS.
So you're stuck on enumeration? Could you tell us more about the output?
I have netcat reverse shell on www-data@gettingstarted and have to get root shell
or I mean i have to open file with root access
Alright, gimme a few.
I am pretty new myself.
Do you already have the user flag?
yes
Ok good
I only found one file in LinPEAS, that was about saving passwords and there was location where they save passwords, but the location didnt exist when I tried to open it
I don't understand
The name of the module?
getting started
Trying to figure out the htb website myself, I have only ever really done reverse engineering.
But I'mma learn alongside ya
anyone have the issue of metasploit working previously on the knowledge check machine, but not working the next day?
@rapid bramble Did you finish "Public exploits"?
Nope...
I literally joined yesterday. I'm not gonna bs you, I am exceptionally new.
However I have been taking notes and am a huge fan of John Hammond
Could you send a link?
Cause when I search for that, I get no results,
Do I have to pay for it? I'm on a free account.
@rapid bramble Its in getting started module
Hey guys i am in privilege escalation tab in getting started i got flag of user2 but now u can not understand what to do
see if you have read access over a certain directory in root. the last portion of that section will show you the way!
@pearl nymph
and be very careful when copying over what you find, I was stuck for a bit trying to figure out the exact format
bro i didn't get you
Hi, I need help with the module Network Enumeration With Nmap, the final section: Firewall and IDS/IPS Evasion - Hard Lab . I tried many times to scan the target provided but still not find any flag, can someone gave me a hint?
I use this command: sudo nmap -sC -sV [target] -T 2 -D RND 5
Can someone give me a hint? I stuck at this part for like 3 hours
Not exactly, I was something about an external ctf
Anyway thanks
Hello, I have a problem with the web request module, POST section. I log in as admin by changing the cookie, but the flag is still not there.
someone has an idea?
@rustic sage I’m having the same issue. So frustrating.
I had trouble with that one. Think of guest_... as an identifier
admin
Hey guys. I'm starting out in HTB academy but i've come into a fundamental issue. For some reason in the Interactive Section with Terminal it wont let me spawn a new instance
when I try to start the instance is says
Error There are no available instances. Please try again later.
It says I still have a spawn that I can use today as well
Any help would be greatly appreciated. Thanks!
We are aware of the issue. Please be patient.
Are targets acting wonky again?
We are aware of an issue with spawning Pwnbox instances and are working on resolving it as soon as we can.
This includes targets, too? I'm not running pwnbox.
Thanks in advance.
Target systems may be affected, though the issue is intermittent and you may be able to spawn one successfully.
I was able to spawn it. I just can't connect. I'm just trying to figure out if it's because of the issues, or because I'm an ignorant noob. 🤦‍♂️
DM me if you want and I'll look over your command
has the issue with instance spawning been resolved?
how can i look up for the npm commands when it's not installed?
Google. 
@rustic sage try just admin
@fallow mesa instead of != try to use NOT
Hi everyone :). Im trying to find a .ovpn file in the academy to use, but i cant find it. There is a possibility to find it in website?, Or we only can use the pwnbox ??. Thanks (btw im in "Getting Started" module)
@fair narwhal
If there is no VPN key provided the target instance will be a public facing docker container. You can access such without being connected to a VPN.
Ohh okay, thank you!
No problem. Happy hacking!
I'm running into a metasploit issue on the final portion of "Getting Started". Getting the following error:
"10.129.81.22:80 - Exploit failed [bad-config]: Rex::BindFailed The address is already in use or unavailable: (0.0.0.0:9443)."
The [bad-config] tells me that I'm probably doing something stupid, so I'm reaching out to you guys. Search engines are offering no good help.
Do you have a listener on port 9443?
Yes. I've also tried switching the listening port on nc and metasploit
Metasploit has its own listener
You can kill netcat, that's what's causing the issue
ah, thanks!
You're welcome
++academy
Go to that and to the getting started module
ok
Can anyone give suggestions on " What non-standard application is running under the current user? ( case sensitive)". I have tried all manner of Get-Service calls and have tried all running processes related to RDP or remote connections
ah Sorry, Windows Fundamentals Module, Windows Security section. Ty'
I have solved it. TY
can anyone can help out? why is it the wrong format
whats "priv" ?
Hey everyone. I'm working on getting started - knowledge check to escalate privileges.
I'm stuck on the sudo -l command and finding a way to upload an exploit shell.
I think I'm not understanding the sudo -l results or don't understand it enough. Or am I in the totally wrong direction?
sudo -l should return a binary for you that can be ran as sudo
take a look at gtfo bins on how to use that binary to escalate
I'm following along the POST method section in the Web Request lab, but when sending the request to repeater, my cookie isn't showing the cookie as phpsession:
anyone else run across this issue?
You have the cookie.
hmm, so i guess my next question would be why burp is showing it as auth instead of PHPSESSID
That I don’t know but you are on the right track.
cool cool, thanks man!
You’re welcome.
Got it thank you. I didn't realize I was looking at a binary and thought it was a file.
Also thanks for the GTFO page. I didn't know that existed but it's good.
@uncut ivy seems like u just need to type out the command to start it
Hey dudes, please can someone give me a pointer with the first part of the skills assessment - website part of login brute forcing, i have brute forced both b.gates and m.gates users using personalised wordlist aswell as rockyou word lists but still no luck
Hi, i'm doing the linux fundamentals module - Find Files and Directories, I cannot find this answer. I tried all of those commands, but I still cannot find it. What am I doing wrong?
Read the question more carefully
did you found out?
yes
ty
wtf am i doing wrong
What module is it?
||you have to write it as plural||
||add "s" at the end||
np
btw ig you should mark that as spoiler
i did it, thx
.
I don't get it
You can see the different sections of the module you are doing on the left
I put in Interactive Section
That is the name of the current section
No problem. Just takes time. Reading everything really helps.
Some sections have the cubes icon, but they don't offer any questions at the end to earn any. Is this just a bug, or am I missing something?
Isn't there optional question? Or idk what is it called.
They could just have optional activities, like a box saying “trying running x command and see what happens”
Does that earn cubes? If so, how do I know I've earned them?
They dont earn cubes
Hello everyone, I want to ask you, have you had any problems with Foxy Proxy on firefox and Burp suite in the pwnboxes recently?
When I open firefox, it appears as disabled and I have not been able to get it to work properly 🥲
I don't use the pwnbox, I just installed the OS to its own drive. They've been acting wonky lately.
In the long run I think that is better.
Could you please tip me off as well, I finally got the flag, but to be honest not sure why I had to do what I did to get it 🙂
anyone having issues with the SQL Injection Fundamentals lab? I'm in the last page. But the spawnbox is really slow ( i think it cant load from googleapifonts.google.com ) but doing the attacks from my own kali box will result always in this.
Can you curl the page maybe? Double check it's going to the right place.
Hi people!
Does anybody face issue with FoxyProxy in the Web Requests module/"Request and Response" page? FoxyProxy is disabled in Firefox and it doesn't have Burp in its list like in tutorial described.
Yep , going to the same url. The problem occurs after then "=" sign. So for example "' or 1" works , but as soon as i type "'or 1=" the page gives an error after clicking on login.
i did have this with every challenge btw
It's possible that your input is making it unstable. 🤔
i was thinking about it aswell , but that doenst explain why in the spawn-box the same input does work correctly
i'm really stuck on getting started:Privilege Escalation
any tips for how to escalate to root?
currently trying to use sudo -u user2 /bin/bash -c
but i think i lack knowlege somewhere
Take a close look at the ssh module again, then see if you can read that same folder the lesson mentions
thanks will do
can someone help me understand how apply the robots.txt method to solve this Web Enumeration question?
hi :), first, you can make a gobuster, after that, you know some important to keep going. With that, you can answer your question
Hi, thank you for trying to help but this does not help at all.
i cant give spoilers ahaha, when you do the gobuster, it says something about robots.txt. See everything that this sections says
For example, in the section explanation, when it do the gobuster, it appears a /wordpress, and it visit its page 👀
now when I try and do gobuster its telling me its unable to connect to the ip add
what am i doing wrong
i have the same problem when i did that, copy and paste the same example but change the 10.10.... for target
i changed the target IP in the example to the target IP we are supposed to target
mmm weird, i did the same and it works
http://178.62.109.63:32506 you adding it like this
yes
/usr/share/dirb/wordlists/common.txt
yep
gobuster dir -u http://178.62.109.63:32506/ -w /usr/share/dirb/wordlists/common.txt
it works for me
Keeps giving me an error and saying unable to connect
Mmm weird 
Sorry, i dont know why you have error, but i wait too if someone knows why
Can you ping the machine?
nope ive even started a new machine
Are you connected to the vpn?
you're not supposed to do it that way lol
Try running it with -v see what errors if any come back
i cant even get a ping response...
Huh. Strange
sorry, guys. Does anybody know why FoxyProxy does not contain Burp in the list? And it is kind of "disabled"?
you have to manually add Burp yourself
and then configure manually the proxy in firefox in settings
Hey guys
i am in nibbles lesson right now in getting started module.... i can not get that how they found out that site is enabled blacklisting protection for avoiding brute-force attacks??
hoe they got to knwo this?
know*
Hi, so I used searchsploit and msf to search for plugin related exploits as hinted on this Public Exploits module, and the plugin based exploit requires a wordpress username and pass.. which I've been trying with no luck to get on this particular module. Is there something I'm missing, or I am perhaps not using the right exploit?
Guys I am getting one new issue
i can not get my reverse shell in netcat after adding php payload in my image plugin and browsing it on firefox....it reloads normally but not showing anything
or not giving any listening port to netcat
Yo guys
In the Getting Started module, they ask me to do this
add a DNS Server such as 1.1.1.1 to the /etc/resolv.conf file.
as part of DNS Subdomain Enumeration
But the file is read-only
How should i edit this file?
You can use sudo to run any command as root but you shouldn't run any code you don't trust. To use nano to open and edit it would be sudo nano /etc/resolv.conf
use ctrl-s to save and ctrl-x to exit
ay thanks
it worked
I tried the same thing but with vim
It didnt allow me to edit it though
Hello I just joined the server and I have no prior hacking/coding experience! I completed the verification and made an account on hackthebox. Does anyone know how to identify the os system flavor (I don't even know what that means lol)
What module are you doing?
I think it's the introduction
It's this question
I put in the command it said to but I don't know how to read it 🤷‍♂️
Linux flavors tend to have a name that is easy to remember. If you look through the output there are only a few actual words. One of them will be the flavor name
Also the man page is helpful. If you type man uname it will break it down for you. And also give you a switch for just the os.
man uname?
@odd iris definitely look at the linux fundamentals after you have finished this module
Annoyingly uname doesn't have an option for the os flavor
Man being short for manual. Built in to linux. Has documentation for the commands. And I second the Linux fundamentals module.
Is the linux fundamentals on hackthebox?
Just click the little circle icon next to the ip address
how do i find terminal in the second module
im very new to hacking and my coding background is just css html and bits of python
nvm
did you find? @short jungle
yes i just didnt read carefully enough lol
Thank you! It was not obvious for me
the academy is wack only letting spawn one instance a day lmao
Use your own vm
@odd iris pls be careful with spoilers
what is a vm
A virtual machine. It is basically a computer running as a program inside your computer
https://www.howtogeek.com/196060/beginner-geek-how-to-create-and-use-virtual-machines/ looks like a decent introduction to virtual machines
Virtual machines allow you to run an operating system in an app window on your desktop that behaves like a full, separate computer. You can use them play around with different operating systems, run software your main operating system can’t, and try out apps in a safe, sandboxed environment.
bros this machine is minfucking me
Getting Started
Public exploits
I dont wanna spoil it for anyone
so id rather dm my query
solved with the help of @ancient oriole
Is there a way to do every module without paying?
Idk where I would ask this question but it is something I am interested in
No, but you can get all tier 0 modules free.
Cool thank you
np
Im on the Web Application layout section within Introducing to Web Application module - Could someone clarify what is the difference between client-server and One server models cuzz I didnt see the difference?
you guys have any tips for a slow ssh connection?
i can't get anything working as it suddenly freezes every once in a while
tried reinstalling the vpn but its still freezes a lot
opinions on the Stack-based buffer overflows with Linux x86 module
this hard lab in the nmap module is a doozy. I think i finally have a combination that won't get me banned, but the hour might pass without results being returned smh
Im stuck in Privilege escalation in the Getting started module
Im supposed to ssh into a server
Im stuck with the ssh code part
dm if you could help
thanks
anyone available for the hard module for nmap? i've discovered the new port, but attempting netcat for version info will not work, connection just times out...
I did this yesterday, DM me I can try and assist I'm relatively new to all this though
Hi guyz. Want to clarify some point. Is author suggests to change interfreight.com to 127.0.0.1 in Web Requests Module/ GET method ?
I dont think so
once you click on spawn it will give you a IP at the bottom
something like this
you can then use that link
Thank you, bro
👍👍 glad it worked
so i am currently on the getting started module and im in the last section. I have ran a directory scanner and found a login page but it simply just wont load.
idk why, but this machine is just slow everytime, just try it later idk
Hi, can someone tell me what am I doing wrong?
Introduction to networking - Subnetting
Well, firstly the CIDR notation /29 is not necessary when submitting the network address, and secondly, the answer itself is wrong
In case you want to learn more about subnetting, and a very easy way to solve subnetting problems, I highly recommend this series: https://youtu.be/BWZ-MHIhqjM
And also the channel in general for more about networking
This video will teach you the basics of subnetting. Every Subnetting problem will ask you to solve for one or more of seven possible attributes: Network ID, Broadcast IP, First Host IP, Last Host IP, Next Network, Number of IP Addresses, and CIDR/Subnet Mask conversions. This video explains what each of the attributes are.
Thank you 🙂
yea thats what i figured. im going to try again later today
Can someone give me a hint about the second question of Skills Assessments : Website in the module Login Brute Forcing? I just need a hint of username
Getting started, Privilege escalation
I'm stuck
why am i asked to input a password, I already tagged the key
I haven't done that module but the key could be being rejected for some reason.
Hi, have you done the module Login Brute Forcing?
rename your key file to key.rsa
maybe it could help
didn't make a difference
that's weird
tell me abt it, ive been stuck for around 24 hours now
exactly
here is how to do it when you got the key
solved with the help of @maiden kiln
Yeah and you also got Rickrolled in 2021 xD
Ill give you a hint to this one. Start first by converting the /27 (subnet mask) into binary.
I've already solved it, but thx anyway, maybe i will use it next time 🙂
Does subnetting make sense now?
Somehow yes
Its a good skill to have. In my personal opinion it is most important to be able to look at the ip address and subnet of 2 or more devices and tell whether or not they are on the same network or not.
DM if you want
is it bad to be using the walkthroughs for boxes if I'm just learning how to do all this
I guess it would depend on whether you can learn that way. The module getting started walks you through a box then has another for you to do by yourself. I know someone has recommended watching ippsec do a box then attempt it. (ippsec has a youtube channel where he goes through some of the boxes)
i'm using it to learn what things i even need to google 😅
getting started seems like a good place to learn from
is that different from starting point?
Have you gone through some of the academy modules? They'll give you an idea of the sorts of tools to use and the process of hacking the box
Starting point is a collection of 'easy' machines on htb, academy is interactive lessons on different aspects that talk you through something then have a few questions for you to practice what you just read
that seems like a lot more of what I'm looking for
since for each step in the archetype walkthrough I had to go on a long google search to figure out whats going on
Look at "Introduction to Academy" first then I would recommend "Linux Fundamentals"
You're welcome
@blissful mortar the cool thing about academy modules is they are really well written writeups & lessons with challenges throughout. They provide detailed guidance. Its good that you are referencing writeups during boxes, dont feel guilty about that :). Try to challenge yourself occasionally to get it without the writeup until you are right on verge of giving up then reference the writeup for motivation.
yeah! they seem like a lot more of what i was looking for in coming to hackthebox
thanks for the advice :)
this seems like such a nice community
It is. Lots of talented, gifted and caring people here.
:)
it's nice that academy has its own built in linux instance
don't have to switch back and forth between my vmbox now
Yes absolutely. Keep in mind that when connecting to that pwnbox you are on a remote network, when you launch the target boxes it spawns another computer that your pwnbox can communicate with. Ive personally found it easier to use the pwnbox in full screen mode while reading the content on another monitor, tablet screen or smart phone screen.
Yes there's a clipboard. It's a little easier in Windows to copy and paste directly into pwnbox. On most other OSs you will need to use Pwnbox's clipboard. It is a couple extra steps but faster than manually typing the commands.
There is a clipboard icon in the bottom right of the screen
ty!
||follow up to the getting started module "knowledge check" section. It still simply doesn't load the /admin directory i found. This is extremely frustrating, i just want to make sure i understand everything in this module. I am a completionist and really want to finish this module. Anyone know a work around or is this just how this box is? the admin page never loads.||
^ follow up to my previous problem.
@modest moth Pm me
hello
whats up
im trying to get the privilege escalation on the "Knowledge Check" of the "Getting Started Module" im in the server as normal user, but im not able to get the privilege escalation...
can anyone help? 🙂
This is from the "Introduction to Windows" of "Windows Fundamentals". I got the Windows version using the PowerShell and CMD. But I'm unable to understand in which format I've to type the answer. I've tried multiple times but it is not working. Can anyone help please?
By Windows X it means "Windows" then the number given to that version of windows for instance "Windows 95"
Thanks a lot...It has been completed...I was trying using the full version number..
as stated in the hint, use LinEnum to look for vulnerabilities, take note of what sudo privileges the user possesses.
then try a specific method taught in the privilege escalation part 🙂
hello
i am getting disconnected from the vpn often in the knowledge check lesson
does anyone have a solution?
I assume this is a human mistake where the code executed is supposed to be "curl" rather than "url"

Hi ladies and gentlemen!
I've a question regarding Web Requests/POST. In the challenge I have to get admin user from guest account by manipulating with cookies. Is the main point of it to decode gifted to guest cookie and change username key in it and then put it back to GET request to /admin/dashboard.php? If it so, I don't understand what exactly I have to provide in "Submit answer" field. If I'm wrong about solving it, could you give a hint?
If the cookie is unique to every user's session, so how it can be faked to convert session of user A to session of user B? Maybe I don't understand the core concept of all this stuff
each account has their own cookie, storing data related to the account holder
think of it as a locker room in school
the website gives you a locker room linked to you
whenever you go back to the website you open your locker
your locker number wont change
Ok, so ... I have to get access to locker of my classmate in that case. I go to my locker, open it with my locker number and then ...? What should I do to switch lockers?
find the admin's cookie combo
This video is part of an online course, Web Development. Check out the course here: https://www.udacity.com/course/cs253.
for a better understanding of cookies
Thank you, I will check
anytime
I've figured out that the cookie is set by the server to the client and identifies the client session or whatever its data is. It's clear. But the crucial point is that the cookie is set by the server to an authorized client. I mean, if I'm the 'guest' so I will have only the 'guest' cookie. Of course, I can pretend to be someone else, but it seems to be useless, because in order to get the 'someone else' cookie I need to authorize with his/her creds. For me it is a kind of logical trap or loop.
dm
@muted mist don’t over think it. Think simple.
i still have the same problem, i dont know what to do in the privilege escalation on the "Knowledge Check" of the "Getting Started Module" with the php file i can use as root... :c
I got it.... it was so simple... i was thinking way to complicated... xD
Love when that happens. Lightbulb just flicks on
Absolutely.... I feel a bit dumb but that's how it is 😂
I'm a bit confused on the getting started module. It is telling me to type in what service is on port 8080 and I believe I am inputting it correctly, but it is telling me I am wrong
Also for the question about locating what port telnet is on. I am scanning all ports but there is no open port with telnet
@strong drift you may have to stop and restart the machine. I was having issues mainly with nmap scans and that usually resolved the problem.
I ended up figuring it out. I wasn't using the -sV flag which is why I was getting limited information
Aah good.
Hello boys and girls, a quick one please: in the ffuf module, the "Parameter fuzzing - GET". This is the question I'm getting. I ran a parameter fuzz on this page and also on pretty much every other page on the website (after fuzzing for directories) but every parameter gives me a 200 result. What am I doing wrong? I feel like something is missing, thanks in advance
nvm I think I just found out. Man the explanation of how to access the correct page is not clear at all, let me just say this 😛
Im tryna get a foothold in the nibbles machine as requested in the getting started module
I'm tryna use the msf exploit
but it's unable to upload the payload
any potential remedies?
hi! I'm doing the linux fundamentals and I'm trying to get the number of installed packages on the system
I want to know why apt list --installed | wc -l
isn't giving me the right answer
i know it's wrong but I don't know in which way it's wrong
maybe it's b/c I'm only looking at packages installed through apt
^ Yep. Just that iirc.
dpkg gives another 10, but thats still wrong
adding snap packages might be it
hmm no
dpkg-query -l | wc -l
doesn't work
maybe I'm looking at this the wrong way entirely
@blissful mortar check the output manually and make sure you wc is counting the packages only
^ solved
Uh
I'm doing Linux fundamentals
It asks to use systemctl to name one of the units with a description but when I supply the name of the unit the answer is wrong?
Idk of I'm missing something or what
in which part is the question? @tough dust
can i leave my pwnbox on or does it terminates by itself in a period off time?
Hey there, I am kinda having trouble with a question in Linux Fundamentals
the only file I could find doesnt match the criteria 😞
Please don't post spoilers. :P
oops sorry the || doesnt seem to work with code block
Even if it did, avoid posting them. The point of the modules is for people to learn. If they can click block of text on Discord it kind of defeats the point. That said, I've noted the comment about the size being incorrect. I'll see if I can get someone to check into that.
kk Thanks and also sorry abt that
@urban sage do u want me to remove this too?
Yeah. That would be good. And no problem. I appreciate you bringing it up.
👍

someone here for Fuzzing Parameter Overflow Windows, plz dm
Hello wonderful people
So I'm stuck on module 35 on the POST method. The goal is to login with guest credentials and go to the admin then submit a flag. I'm unable to do so. Could you please help me? Thank you
Ping me when you answer please


dm
Yes I did
If anyone stuck in Getting started module , PM me!!
Yep
hey, who has completed the login brute force section
What do you need?
i feel like I'm doing everything right in connecting to the vpn but I'm still having problems even pinging the targets
For me it helps to re-download the vpn file and remove the old one.
yeah just did that
sadly
the vpn says initialization sequence completed also
so that sounds like it's working
Had it yesterday on the linux buffer overflow that I was not able to ping or connect to the box either.
Yeah, should be.
Could be.
Also make sure you don't have any specific firewall rules that might be blocking traffic to the boxes.
yeah thats a good idea to check again
it had been working earlier tho so idk what would have changed
is it maybe different that this target came with a specific port?
Also depending on what lab your antivirus might be in your way.
For me requesting /etc/passwd from fileservers had the ip / request blocked by my ip
Took me a few hours to figure out my AV was blocking it.....
I'm doing the getting started academy one
me too
guys, i've a question that's struggling me, on PUBLIC EXPLOITS sector in GETTING STARTED module there's this question "Try to identify the services running on the server above, and then try to search to find public exploits to exploit them. Once you do, try to get the content of the '/flag.txt' file. (note: the web server may take a few seconds to start)
the service running on that port and url is simple backup plugin 2.7.10 but the exploit is for simple backup plugin 2.7.11....is this good ?
Generally if a version is vulnerable older versions are also vulnerable
ok...
i found a file...it seems the flag.txt
but it has a long name.....anyway i opened it and i found all the etc/passw directory inside...
what's the real content the question ask to me ?
try to get the content of the '/flag.txt' file.
but the content is huge !!!! Maybe i wrong something : or the exploit or the flag file
I think there should be a file in the root directory called flag.txt (/flag.txt). The contents will be something like HTB{h@ck_Th£_B0x}
in the root directory of the target machine ?
Yes
Do you have a remote shell?
The exploit you use doesn't matter. You want to get a shell regardless of the exploit used
no i didnt have a remote shell
it told me the host is scanned completely but i didn't have anything..............
have i to write the exact path in the " FILEPATH" section ?
Once you scanned the host you need to find an exploit that would work. Work out how to use the exploit to get a shell on the machine
the default is "etc/passwd"
i did not get a shell
so i've to set the payload ...imho
Module options (auxiliary/scanner/http/wp_simple_backup_file_read) ----this is the exploit
it means that can read a file...in the path i give to it
You want to set the FILEPATH to be /flag.txt
OMGGGGGGGGG
I CANNOT BELIEVE...ahahaha
i set the filepath wrong
it was : /root/simple-backup/flag.txt >>>>>>> instead of : /flag.txt
how they could make such an error like this ? the plugin talks about a directory called : simple-backup inside the root dir....anyway i did it ! Thanks a lot and good night
This might be a silly question but the number after the colon in <target>:<#> is the port of the target, correct?
Yes
I think i need some more... In depth help with the getting started module if anyone is free to pm 🤦♂️
Actually possibly the same part you were talking about above, which i will skim, but still doesn't solve my general problem which i think is just a lack of understanding i need to talk my way out of
struggling with the medium IDPS section of the HTB academy.... can anyone help please. Im really unsure how i can have the port not show as not filtered.
DM me if you like
i got there in the end, but thankyou!
brilliant
@worn ridge How can I help?
Module: Web Requests
Section: Post Method
Guys, I am stuck on it. Any clue is welcome
||
The response contains no PHPSESSID cookie, but an auth cookie and the /admin/dashboard.php just print anything base64 encoded in the auth cookie with anything inside html tags stripped.
||
Think super simple.
I think I may be too smart for this that I don't know what to include in the answer box
I really think that the answer is misleading for a task that just want you to train cookie manipulation
||Just changing the cookie from guest_<..> to admin_<...> should have returned the flag, the current answer makes it more a guess than a task||
@mint lava offered to help me earlier but i don't think he's around anymore if someone else is available to help on getting started
@worn ridge what’s your Question or what do you need help with?
Anytime that i try to run nmap on a target it tells me that the host may be down and anytime i try netcat, it just hangs
are you connected to the vpn?
I don't think there is one for that module cause it usually has the download link if it is
Err not module, but section
It happens in the pwnbox also
anything to do with scanning or htb machines need a vpn
theyre on their own network
not the internet
Okay well i get the same thing when i open the virtual instance on site as well
The Getting started module has a page for common pitfalls
VPN issues are included
check it out
So that just seems to tell me how to change my VPN stuff when I'm on the actual htb website, but it still doesn't help with academy. It just tells me how to change my VPN if I'm on the main site
I got it, but i didn't need to be on a VPN. I just needed to visit the IP in a browser
So I've got to the admin panel on the task from module 35
Now what should I put in the answer Field?
ASAP help needed
Ping me please
which page
POST method @modest vector
everyone is getting stuck there
modify the cookie
try to make it show "welcome admin"
not "welcome admin_fn3h3489rh34fi34n" nor "welcome guest_doeffrfrfef32..."
in the response tab you will see a flag
anytime
Which host are you trying to scan? You are only able to scan the target, as it is the only other host in your lab network.
Every other host is unreachable and will be down
it depends on what kind of option u set before to start nmap
i usually use as best performing state these options : -sC -sV -A -Pn
can i have some help for the academy privilege escalation
for the second part of the challenge getting from user2 to root
i feel like it's something to do with the id_rsa file but i have no idea how to use that
@kind geyser dm I can help
hey could someone help me with this i put right version but somehow it not accepting it
Take the hyphen out maybe
not working
Can you show me the scan result
Reset the target and run nmap again
```
[-] Handler failed to bind to 0.0.0.0:1234:- -
[-] Exploit failed [bad-config]: Rex::BindFailed The address is already in use or unavailable: (0.0.0.0:1234).
[*] Exploit completed, but no session was created.
```
i'm getting this error trying to do the nibbles box
using the exploit
i've got a listener on port 1234 on my ip
everything seems to be done as it should be
but it still isn't working
Hi I have the same problem as @torn sonnet I reset the target and re-run nmap but the service name is still http-proxy
What module are you doing @rustic sage
getting started
I don’t remember what scan I ran to get the answer. Probably -A and -vv
You need to enumerate that port more and get as much info as you can @rustic sage
Yeah, you have to give the name of the service of this port ?
Yes. But it’s not http proxy
OK thank you I just understood the question and I found it thank youuu
😎
@ebon wigeon
Login as guest:guest but catch it with burp and look at the GET request, if you get stuck feel free to DM
I had been stuck for an hour
So I am finishing up the getting started module... I was wondering if anyone had any recommendations on which courses I should take next?
@strong drift basic tools or web enum
Somebody can help me with this? idk what i need to do exactly
if you still need help DM
How do you copy a file from an ssh connection to your local machine?
Look up how to use scp
I have subscriptions at INE (eLearnSecurity) and LinuxAcademy, and HTB Academy is hands down the most interactive and engaging one. Good job guys!
Hi people.
Can somebody tell me where can I get the password for spawned vm (not target machine) in the Linux Fundamentals/Service and Process management page?
but you are already logged in, no? in the pwnbox
Hi y-all, I'm currently doing the Linux Fundamental Module, Section File Descriptors and Re-directories. I'm stuck at the How many total packages are installed on the target system? question.
||I am using both dpkg and dpkg-query to find/list the packages and wc to count all the outputs, however, I am still getting an incorrect answer.||
Any help/advice would be appreciated? 😁
i'm stuck exactly there right now!
ah no, a different one regarding listening processes
i misread, my fault
for that one, you may want to use the package manager, and list the packages
if you read the man pages, there might be a parameter to list the packages, and in your case you can specify to list only the ones which are installed
I had a feeling this was the direction I needed to head, thank you!
you are very close with the approach you followed. You just need to filter out the result a bit
Did you get it, @twin solar ?
Sure, so why it requires a password?
you are trying to start sshd service from the pwnbox where you are currently logged in.
Can I DM someone about the web module? About sending a GET request to flag.php
Is it a requirement for the module?
yea, its kind of instruction in the tutorial https://academy.hackthebox.eu/module/18
Let me check
"Use "systemctl" command to list all units of services and submit the unit name with the description "Load AppArmor profiles" as the answer."
this is the task I get. Is it the same?
in "Service and Process Management"
No, I'm trying to walk through the article
Ah, in that case it probably does not apply to your Pwnbox, as you are already logged in in SSH, but the article is trying to "start ssh"
not yet, just taking a short study break
you may want to try with a different service other than SSH, if you want to replicate what the article is going through: spawning up a process on-demand (systemctl start) or making it persistent (systemctl enable) so it survives reboots
I've used ||get selection parameter|| from dpkg but if I understand correctly, that parameter only gives me the packages that are available for my system to install right?
Hey guys! I was just wondering whether its good to start using Parrot OS to do HTB Academy courses or stay with Kali Linux which I'm using now
You may want to check with apt, even though I am sure you can do it with dpkg as well. Check the output of the installed apps with the relevant flag, and you may be able to filter out so it only shows you the relevant results
@abstract hollow
@rustic sage i deleted cause it contains spoiler
But doesn't using the spoiler tag suffice?
Can someone help me with the Services and Processes section? I've been stuck for about a week and I feel so dumb considering that I've been able to finish the Web Path. Please someone aid me, I asked this same question, literally no one replied. If someone can dm me, then that would be very much appreciated
TL;DR I need help with services and processes, dm pls
Ah I see, sorry about that 😅 But I needed clarification on why it was correct and why my previous attempt was wrong. I couldn't ask it any other way 
This might be a dumb question, but what does the word "enumerate" actually mean? I tried googling around for a concise answer, but I am still a bit confused.
Anyone else having issues with the target ssh freezing for several minutes following each command?
yeah I had that problem
A few months ago, though I don't experience it now
Did it just go away?
Well, its hard to say exactly. I didn't use HTB or my VM for a while so I forgot my password and had to create a fresh Kali installation. I'm not sure if that made it go away or whether it just went with time 🤔
cool, ty
np
And I found this question posted on Server Fault too, maybe it might help you: https://serverfault.com/questions/575112/why-do-my-ssh-sessions-freeze-after-some-time
this could be it since others on my lan are using academy as well
In pwnbox ssh user@10.10.10.10 hangs.
In my vm with vpn running ssh user@10.10.10.10 gives ssh: connect to host 10.10.10.10 port 22: No route to host
I'm not sure what I'm doing wrong. I have the vpn from https://www.hackthebox.eu/home/htb/access https://i.gyazo.com/4255ccc5c22d539490b47ac29148e02e.png
In pwnbox 10.129.0.0 10.10.14.1 255.255.0.0 UG 0 0 0 tun0 appears in netstat -rn
While in my vm none of the destinations are 10.129.0.0,
instead the 10.10.14.1 gateway is
10.10.10.0 10.10.14.1 255.255.255.0 UG 0 0 0 tun0
Does anyone know what trivial mistake I'm making?
Try a different vpn
@jagged zenith well do you know how to create a for loop?
Yes
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
bad decrypt
140671661004096:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:../crypto/evp/evp_enc.c:583:
Error
for i in {1..28};do var=$(echo $var |base64);done
I need to find out how many services are listening on the target system on all interfaces? (Not on localhost and IPv4 only) Help plz?
@jagged zenith are you using mac?
oh wait nvm I got it.
No i use backbox Linux
hmmm
I have been trying for more than 20 days
Why ?
I need to Determine what user the ProFTPd server is running under and I am SO stuck. Can someone PLZ help?
hey, do you still need help?
sure, what have you tried so far?
well, I saw that looking in proftpd.conf as well as a general search of the system but I got nothing.
let me open up that challenge. Is it services and processes?
Filter contents
right. Do you know to check current running processes?
if you check the current running processes, usually one of the columns tells you what user is running each process. The point of the exercise is to filter that output so it shows you only the relevant one
in that module you will have been told about tools like more, less, grep, awk, head, tail
so if you concatenate the command to check current running processes with the filtering command (read Pipes on the previous module), you may obtain the desired output
I did but I dont see anything containing FTPd
*ProFTPd
are you connected to the target machine?
ya
one sec, let me run it
FOUND IT!!
yep, it's running
yep
@mortal lichen als btw how do you search for partial words? like if there is a user listed as "proftpd", how do I search for "ftp" and "proftpd" still come up?
*also
you can use regex for example
which allows you to define search parameters, like "starts with"
or "contains an unknown character in this position"
I believe you will see regex in following modules, in that same course
ok, thanks for the help 👍
anytime!
you can "man grep" to find out more about the regex thing
in "Pattern Syntax"
but to answer to your question more specifically, if you grep "ftp", you will get both ftp, proftpd and any other words which contain ftp in it
regex can help you in more complex situations like... instead of grepping ftp, you know between the F and the P there is a letter, but you don't know which one, so you can define a wildcard in that specific character for example.
ok, I see
I just use my own instance of parrot in vmware workstation to get the tasks done, you can also use pwnbox unlimited if you have vip+.
I don't use the port when doing bounties, why is it needed here?
naughty parents, they're supposed to be encouraging. humph!!!
Ok so I'm stuck again. "Use cURL from your Pwnbox (not the target machine) to obtain the source code of the "https://www.inlanefreight.com" website and filter all unique paths of that domain. Submit the number of these paths as the answer." is SO hard. can someone plz help?
a good moment to use your regex skills!
since the parent URL is always the same, www.inlanefreight.com, you can take that as a starting point
Hi, I'm on the Skill Assessments of Attacking Web Application with ffuf and I'm stuck, really need some hint
Can anyone give me some advice?
where it goes ?
@rustic sage it will be on your computer
Yeah if you don’t specify a directory it goes to /home
hey i'm new here! and i'm stuck at a particular question from Windows Fundamental Module. anyone who could help me
i tried looking for guidance under the htb forum and tried all the methods kept case sensitive answers in mind but there's something i'm missing
Send me a message
Hi team, when using NMAP, we can identify if ports are being blocked on the firewall at the destination. However, when issuing an NMAP scan at the source, how do we identify if a firewall at the source could be blocking? This would effectively fudge results, because whereas the ports might be open at the destination, they could be getting blocked by the firewall at the source. Therefore, how do we identify the list of "allowed" ports at the source using NMAP. Hope my question is clear. Thank you 🙂
You can message me I'll see if I can help
Out of curiosity, who all have done the LDAP module? Have you used the knowledge on a machine or real engagement?
Hello dudes, i am currently on the Brute forcing section, skills assessment - service login, second question, i have brute forced ssh for the first question then used the wordlist on the server as advised to brute force the second user to no avail, please can anyone point me in the right direction
@everyone Hi guys, I'm not looking for the answer but perhaps someone can give me a clue. I am currently using HTB Academy and I'm on the POST method section. It wants me to login to the guest account and manipulate the cookie to gain access to the admin account from there. I managed to manipulate the cookie and elevate but I have no idea what to submit as the answer. I have tried submitting the cookie itself.
DM I will give you a nudge
Module : getting started , chapter : public exploit
I have tested a lot of exploit with the keywords apache, tomcat, wordpress but I can't find the right one
what does nmap show?
Hello, I'm in the "Intro to Assembly Language" course and I'm on the skills assessment, "loaded_shellcode" question. I know that I've properly decoded the xor'd shellcode because when I run the shellcode using pwntools, it pops a shell on the system. But after pasting the shellcode into the form to submit the answer, it doesn't do anything other than the Submit button darkens. I've tried with both Chrome and Firefox browsers.
i haven't done that module yet, but on other modules usually the copy-paste doesn't work. You might try to write your answer, instead of copy-pasting.
open the webserver and search for an exploit
I have succeeded 😁
Has any one done the windows buffer overflow module and installed x32dbg localy?
I heard back from support this morning. Evidently I needed to submit a flag, not the shellcode. It's confusing because all of the course submit buttons have a flag icon on them, but some exercises require submitting a flag, and others shellcode, and others are specific numbers or other found in the debugger. That question didn't say what to submit, only that you are to edit the code to recover the shellcode by xor'ing the values on the stack with the key. It doesn't tell you to submit a flag. I was thinking that my shellcode was correct because it pops a shell character "$" when you run it using pwntools, but then I later discovered that even faulty shellcode results in that output when run with pwntools.
has anyone completed + confident on the FFUF module. im stuck on the Filtering Results part...
correct me if i am wrong... if had a list of results with a HTTP response size of 798 after running a ffuf command, by using -fs 798 would this show me every result apart from the ones with a response size of 798?
I’m doing the JavaScript deobfuscation. The first section titled source code. Now I’ve found the flag after using jsnice however it keeps rejecting my answer. I’ve retyped it, copied and pasted it multiple times, even restarted the machine as well thinking something was going wrong. Has anybody had my problem before or is it just me?
If its the one I'm thinking of you are not submitting the correct flag
Okay, thanks. I’m guessing there is more deobfuscation to do I guess. A nudge to the right direction would be appreciated. Thanks
The clue is in the title source code, how do you view source code of a web page?
Oh just by curl -s …. But not the secret.js file okay let me try this again thanks
Even simpler Ctrl+U
Oh yeah. I’ve done that to the page. Right I found it had a secret.js file.
Within that long string of OS obfuscated js. Which I used prettier and then jsnice on.
Ignore the secret.js for now
Oh okay
Navigate to the IP, Ctrl+U and have a read
Can I pm you? I think I found the answer, don’t want to give it away here.
sure
Anyone that's done intro to bash scripting is it worth doing some wider reading first or does the module cover what you need to know?
Hey guys, I'm new to the HTB discord, I have ParrotOS natively installed on my machine and have no need for VM's or the Pwnbox, I can connect to the Starting Point VPNs to pen test machines, but I can't seem to get it working on HTB Academy, any links or info that might help?
You'll have to download the academy vpn
Not all of the modules have the VPN key, but you only need it once.
Got mine in the "Getting started" module
Just pwned my first box 
@wraith creek Ok thanks, I'll look in the first module again and try to get connected. Grats on the first pwn!
You should get the key around the "nibbles" section
@wraith creek I found it, thanks again.
Of course!
Anyone have time to give a hint on the fuzzing module? I am 99.9% sure I have the right answer but it's saying it's incorrect....
Edit: nevermind I'm an idiot. it said to USE port, not replace port -_-
Reading is hard apparently
Hi someone here for Stack-Based Buffer Overflows on Windows x86 i stuck on bad chars, and i dont know why
@marsh hollow whats up, you can dm if ya like. im working on that module too.
Hi all I'm on the "ATTACKING WEB APPLICATIONS WITH FFUF" Q3 "One of the pages you will identify should say 'You don't have access!'. What is the full page URL?" I did what the hint suggests and ran a recursive scan with a PORT instead of the actual port number from the target we spawn and no joy. Could someone give me a hint please?
DM me if you need help
@novel yoke I found the module pretty inclusive. the module gives you extra reading as you go along.
So I have this ssh key that I want to copy to a file on my pc to connect in ssh with this key. I would like to know how to copy it because with VIM I can't and I don't know the format
did you just paste a private key file ?
It is never a good idea to share private keys with anyone, anywhere
you should void your key pair now and regen new ones
your question isn't clear enough
where is the ssh key ? in a vm ?
and you want to back it up to your host ?
your host and your vm should be in the same LAN, you can simply open a port on your host and send the file over nc for example, you can also use shared drives, smbshares, open up a simple http.server on your vm and fetch it through your host, the possibilities are endless really
you could exfiltrate it through DNS records, or even icmp ping packets 😛
yes I can do that but I don't know how to do it so since I am connected in ssh on a web server and I have access to a key that allows me to use it to reconnect as root but for that I have to copy this ssh key from the server to my pc but I can't paste it in the vim id_rsa of my pc
what
if it's a web server just drop the priv.key in the webroot, download it and then remove it from the webroot
Module : getting started
Chapter : privilege escalation
I found the key in /root/.ssh/id_rsa but for me to use it I have to copy it to my pc, so I do a cat id_rsa it shows me the key and I would like to copy it so I can vim id_rsa in my pc but I can't copy it in.
to do ssh user@ip -i id_rsa
i haven't done the module but you can ssh to localhost from the box if you have file read on the root ssh key ?
in fact I found a solution I have access to the cat of the key but I would like to copy the content in my pc but when I do vim id_rsa I don't know how to paste what I have copied
well in the end I copy and paste them with nano
sorry for the offtopic question. do I need to have a separate account for HTB academy? I cant use regular HTB acc for the academy part of the site?
Yes you need a separate account for academy. And support should you have any issues. It's weird.
@rustic sage you can use curl to get files.
Hey, so I am doing the Linux Fundamentals and am on the system information module. I am stuck on "what is the path to the htb-student" mail and "Which shell is specified for the htb-student user". I feel like I am typing in the correct answers, but it is telling me I am wrong.
howdy 🤠
well. do you know what a path is? ex. if i asked you to give me the path for the user.txt file off of the user "admin" 's desktop. what would the path be
/home/admin/Desktop/user.txt right?
Correct!
Im guessing htb-student is a user on the machine?
Yeah but the directory is empty.. so I just went to var
anyone please give me a nudge in the broken authentication skill assessment
hmm. idk
so you're having trouble with the privesc gotcha
well. im assuming you have spawned the target right?
id be happy to give you a fresh set of eyes. i just need to know where you are on the box yk
Yeah idk and the system is clearly using bash but it's not accepting that as an answer
@torpid ermine have you reset the target? Sometimes things don’t load.
Edit: Solved. I was not using the correct download zip. This is what you should be running:
hcxpcaptool -z pmkidhash cracking_pmkid_question2.cap
I'm stuck on the same issue as these two (and the third link does not fix it for me):
#774040485748539423 message
#774040372966981644 message
#774040485748539423 message
I get:
hcxpcaptool -z pmkidhash corp_question1-01.cap
reading from corp_question1-01.cap
failed to read pcap packet header for packet 95415
summary capture file:
---------------------
file name........................: corp_question1-01.cap
file type........................: pcap 2.4
file hardware information........: unknown
<SNIP>
summary output file(s):
-----------------------
^^ this is https://academy.hackthebox.eu/module/20 "Cracking Passwords with Hashcat: Cracking Wireless (WPA/WPA2) Handshakes with Hashcat"
^^ Doh. I'm reading the wrong file, I think.
Completed all the fundamental modules 
Congrats!
Can someone plz help me with setting up Burp for web request fundamentals?
Yeah what do you need?
Thanks for the help. So, I am having some troubles setting up burp Suite for web request fundamentals. at first when I enabled burp on FoxyProxy, I was getting errors on firefox when going to any site. So I googled the issue and saw that I need to install burp suite's CA certificate. So I did, but now when enabling burp suite on Foxyproxy it doesnt give me the error but just loads endlessly like there is no internet connection.
Yep. That’s because everything is going through burp. So if you go to the proxy tab you can forward or drop request
And also analyze anything going through burp
Wow I am such a noob lol
Hey we all crawl before we walk
Also I have another question, so web request fundamentals is asking me to "enter the target URL into the URL bar" I am confused on what I need to enter for that
It's on the request and response section
The target url is probably the IP address of the target machine
and what about the port?
Ok lemme try that
Anyone complete the LFI Skills Assessment? Need some help with the RCE portion, and if I'm even in the right spot to attempt it.
@white basin how do I know I am entering the correct IP and port? in the example on web request fundamentals, theirs was 206.189.25.23:30147
or anyone feel free to help if u know
Which section are you on?
Request and Response
So you entered the ip into the search bar and pressed enter? Then looked at the request in burp?
nothing showed up in burp, so that's why I think I didn't enter the correct IP and port
Try just the ip. I don’t think you need to do the port.
oh crap wait, it was turned off on FoxyProxy, let me try again
Oh yeah. Make sure burp is on in foxyproxy.
Burp has a browser also so you don’t have to switch foxyproxy all the time. I don’t really like it but it does make it easier.
ok so I think I got it when I enter https://165.227.239.236:8080/ I get a security warning from firefox, but I just click proceed and forward on burp and then I think I see what I am supposed to see on burp
GET / HTTP/1.1
Host: 165.227.239.236:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Dnt: 1
Upgrade-Insecure-Requests: 1
Sec-Gpc: 1
Cache-Control: max-age=0
Te: trailers
Connection: close
That is what burp shows me
Yep. And your answer is in there
No problem 😎
Just finished hacking WordPress nice module and avoided using metasploit to get the final shell :)