#modules

that's not append,that's overwrite. If you want to append, use >>

Aaa Thanks i will try

I've been smashing my head against the desk for a couple days on this NMAP Firewall and IDS/IPS Evasion - Hard Lab. I don't understand what the "version of the service" could be. I've tried every combination of NMAP parameters I could think of and I'm hard stuck. Anyone got any tips or hints? I'm only seeing 2 services available.

||"Now our client wants to know if it is possible to find out the version of the running services. Submit the version of the service our client was talking about as the answer."

Hint: Our client also mentioned that they were forced to add a service that plays a vital role for their customer because they require large amounts of data.||

||I already changed the source IP to one adjacent to the target box to try to avoid firewalls. I've tried ack and syn. Triggering IDS/IPS is not an issue, its just that I'm not seeing the service that I think the box is implying I should find.||

PHISHING^

Spelling is incorrect in domain

@languid fjord please take a look at the link above

Cheers

how do i stop machines from timing out all the time

Can anyone help me with the first question on the File Inclusion / Directory Traversal lab? I found the source code for index.php and config.php. I try to connect to the mysql database using the credentials from config.php but after typing in the password the terminal hangs and the request never finishes?

@quiet wadi Were you able to figure it out?

I didnt actually I walked away from it for a bit @stiff stream

@quiet wadi okay here's my tip; you only got to see 2 ports that are open, if those 2 aren't the ones you're looking for, how can you search for more ports then? 🙂

Not gonna lie, that was a hard flag to get

lol I swear I -p-'ed but everything came back filtered

The hint made me think database or something

You're extremely close 🙂

Ahhhhh lol

I also tried every sql port directly. I think I'm maybe misconfiguring my scan

Take a break, night sleep and all that, helped me too 😄

Yeah whenever I get stuck I walk away for a bit. I started a new module lol. Thanks for your help!

No problem, anytime!

Hello guys, i try to answer this

i did this but its not working, anyone can help ?

got it

Could somene please help me with this ^^

Hello. I am going through the Linux Fundamentals course. It has taught me some new concepts I never knew about, but I am not understanding why you would use them.

An example is the << or <. Why would you want to use these? Another is << EOF >. I can't work out why it is an advantage to use EOF in the example given in the course. Can anyone shed some light as to why these would be used?

You have a few different things going on there (but they are all related to redirections). I haven't done that course, so I don't know what they said. But explain (in your own words) what > means, and we can take it from there. @reef barn

the action > means to me, that you will either forward the output into a new or existing file, over-ridding any pre-existing information in that file. @dusk saffron

whilst >> is forwarding in addition to any existing information in that file. @fol\

Yeah, truncate or append. But they both redirect the output to that file. You would use that when you want to save the output of a command to a file instead of printing it to your shell.

Still unclear why you would want to use this? 🙂

Correct. That is how I see > and >>. but what about < and <<?

and why would EOF be used?

I think that we should start with <, and then take here doc(the << [WORD] construct) after that. (Edit: "docstring" -> here doc)

Describe, in your own words, what < means!

I would think it would be redirecting anything saved from a file into the shell

but wouldnt cat do that same thing?

All of these things are part of the shell executing commands, the standard streams that you redirect are that command's standard streams -- not the shells.

If that makes sense.

sorry im not quite understanding that

If you issue the shell command line mycommand <foo.txt >bar.txt, that means "execute mycommand, redirect its standard input to read from foo.txt, send its standard output to bar.txt".

So "inside" the mycommand, "stdin" will read from foo.txt (the shell will make this happen as part of executing your command).

And vice versa for stdout.

so is < the same as cat?

as they both use stdin?

No, "cat" is "a program", "<" is a "shell redirect construct".

so if a machine doesn't have cat installed, < will still function regardless as it is built into the shell?

Yes, "<" is handled by the shell, and is not part of any particular program that you are about to run (cat or other).

ok. so <, >, etc. are built in constructs on all Linux machines. this is just the standard. Cat uses these constructs to function?

I think we need to take a step back here.

"linux" is an operating system (up for debate, but for the sake of this discussion, it is!). "the shell" is a program that runs in this operating system, the program is "a command line interpreter".

Said interpreter/shell reads command lines one after the other and executes them, the redirections are part of this "execute command line" task.

Does this make sense?

yeah understand that

but why would someone want to use < or << when you can use cat or a few other commands that function in the same way?

the functions > and >> i understand and I use often

but it thrown out EOF which is < EOF >> that adds an end of file tag to the end but it isn't displayed, I can't understand the advantage of that.

or why you would use < or << in general.

Cat does not function in the same way. "cat" is a program that concatenates a list of files and print the result on "standard output".

Are you familiar with "standard streams" in programming? (stdin / stdout / stderr)?

the module was talking about them just then, but I am not familiar

stderr shows the errors when running a stream

stdin is the input of a request (like cat?)

stdout is the output

neither of these streams "show" anyting, they are just pre-opened files that a programmer can use to read or send data "somewhere".

That "somewhere" is the key.

You, as as shell hacker, can "redirect" these streams before the program starts.

The programmer writing "cat" or "sort" or "tr" only need to know that "the input that I am supposed to work with comes on stdin", and then the operator using the program decides at run-time, not compile time, where those streams go.

ok. I think I understand what you are saying

i dont have a programmers brain, which may be obvious. but are you saying that using < or << allows for reading the information at runtime, potentially bypassing any compile time that may be inplace on the machine?

So if someone was to have a lower spec machine where a large file being run via compile may slow it down, < should bypass this as it is run in runtime?

I probably look like a moron in all of this lol

I'm saying that these arrows allow for "choosing what the program should read from and write to when you run it" (as opposed to be decided by the programmer when (s)he wrote the program).

We are all morons, better get used to it early! 🙂

but I dont understand the advantage or use of it

i have reread the module and I feel I understand it, but they use the example

cat < stdout.txt

it is using that direction into the command cat still

why is that different to cat stdout.txt?

In this particular case (cat), there is no difference. (Because cat reads from stdin if the file list is empty.)

So this is an unfortunate example, imo.

so its a null example?

I think that we should use another command than cat for this discussion.

please do

can you relay an example. I feel I am understanding what you are saying but I lack comprehension as too why.

What linux shell commands are you familiar with?

(Other than cat)

cat, ls, find, type, which, cd, nano, vim

a bit more. I have been doing CTF for a while now, still a beginner tho.

Do you know "grep"?

apt-get, apt, pip, pip3

yeah I know grep

What happens if you run "grep foo"?

(Without any file names.)

does it search for any file within the current location for foo?

doing it on my linux machine appears to have locked it up, like it is a process now running non-stop

It isn't locked up. Try typing "foo bar baz" into the terminal and press enter.

Did it echo the line back to you?

yes with foo as a red

so it is a process that is running

What happens if you type "bar baz quux" into the terminal and press enter?

it doesnt return because the word foo wasnt in it

Yes, the "grep process" is running, with its stdin reading from your terminal and its stdout writing to your terminal.

Exactly.

ok i get that

That's the default behaviour for shell commands, if you don't do any redirections. stdin will read from your terminal and stdout (and stderr) will write to your terminal.

You can choose to redirect these streams with "shell redirections" when you issue the command.

ok that makes sense

For example, "grep foo <a.txt >b.txt" will start a grep process with stdin reading from a.txt and stdout written to the file b.txt.

so in that example we could use grep < file.txt and it would output all we request

grep foo < file.txt i mean

The grep process does not need to be aware of this, it just needs to follow the strategy of "reading from stdin and writing to stdout".

ok I understand that so much better now

If you run "grep foo <file.txt", it will read all lines from file.txt and echo those matching "foo" to your stdout (your terminal, by default).

Great.

so i can see why you would use <

but what about EOF? any idea why you would use that?

Many commands can read from both "stdin" or from "a list of files given as arguments"; which makes this a bit harder to wrap your head around.

i think for cat < I just saw it as stdin, stdin, stdout. I couldnt see why that would be an advantage for that example

For example, idiomatic use of grep in file.txt will not use the "stdin-form", but supply file.txt as an argument instead (like grep foo file.txt).

with grep I totally get it now having seeing that it runs the process as its own shell

The << [SOME WORD] construct is used to redirect stdin of a command to "a chunk of text inlined in the script". (Or written on the terminal.)

so grep foo < file.txt. != grep foo file.txt?

It's basically so that you won't need to first write some hard coded text to a temporary file and then redirect the command's stdin to read from this file.

(There are other use cases, for example with parameter expansion in this block of text, but basically it is used when you want to inline a program's stdin in your script.)

ok i understand why they used cat as an example now

🙂

< and << would be more prevalent when wanting to write a python or bash script tho

It is a pretty common use case for here docs, I'd say. "Fill a file with some text".

they are making me aware, that it is there?

that is for < and <<. > and >> I use often

What do you mean with "<<"? (There is no appending version of the stdin redirector, << is usually seen as part of a here doc, like above.)

I am not understanding the EOF as too why it would be used in a file

I guess so, I haven't done this module so you are the expert here!

The here doc is using "some word", EOF is just a commonly used one.

aint no expert infront of my PC. I do appreciate the time you have taken to help me tho

(The here doc ends where "THAT WORD" sits alone on a line.)

And since the here doc can be whatever text you like, the choice of "end marker" must be picked by you.

For example, if the text in your here doc actually contains the line "EOF", you would need to pick another end-of-input-marker.

this im not understanding sorry

My suggestion is that you either acknowledge that there are a bunch of redirections, and then you look one up as you need it -- or you read up on them in your shell's manual for primary source goodness.

OH i get it now that I tried it out

Great 🙂

ok I understand the different between < and <<

and why you would use them. thanks for that

There is no <<! 🙂

There is <, << WORD, > and >> (and others).

well << is being used to allow for heredoc input until you input the end string

Yeah, but the word (often "EOF") is part of the syntax.

So to avoid confusion, you should think of it as "<< WORD", not "<<".

(Imo.)

makes sense too as it only functions with a word, not on its own

Yeah

I think that the main takeaway is that command line programs can be designed to work with "standard streams", so that the program itself won't need to know where the input comes from and where the output goes.

But that can be redirected as necessary by the shell hacker when the command is executed.

For example by redirecting them to files, letting one or several of them be connected to your terminal -- or by stringing them together with pipes (example: sort foo.txt | head).

Anyway, I need to get to bed. I hope that you found some motivation for these redirections -- and some inpiration reading up on standard streams and shell commands 🙂

Good night!

Thank you for your time @dusk saffron

EOF means end of feed/file

This style originates as heredoc / heretag
https://en.wikipedia.org/wiki/Here_document#Unix_shells

https://stackoverflow.com/questions/2500436/how-does-cat-eof-work-in-bash

Really useful way of keeping formatting when adding to a file / stream rather than having to use printf magic 😄

could anyone point me to where to look to identify a site's WAF?

nvm i got it

Skill Assessment - Windows Fundamentals
I'm stuck on the last question
What is the SDDL string for the HR security group's permissions over the Company Data folder? (Format: x;xxxxx;xxxxxxx;;;x-x-x-x-x-x-x-x, no parentheses in final answer)
I used Get-Acl and got A;OICI;0x1301bf;;;S-1-5-21-2614195641-1726409526-3792725429-1004
but it seems I'm missing something. Any Advice is much appreciated

in Attacking web applications with ffuf it is not quite clear what is the difference between subdomains and vhosts, and how they relate to dns, Are there some resources out there what I might missed, which clarifies that topic? Actually I got some findings (in the fuzzing), but I'm unable to post them as valid answers in section 9: Filtering results (these are blank pages)

Initially, a Web server serves content for a single hostname (associated to an IP address). To make it serve content for multiple Web sites, you recur to virtual hosts.
A virtual host is "virtual" Web server that is actually backed up by a real Web server. There can be many in a single Web server. Each virtual host is assigned a unique name and the IP of the Web server. When HTTP clients contact a specific virtual host, they contact the IP of the Web server and specify the desired virtual host with the 'Host: Virtual_host_name' request header.
A subdomain is the domain part of the FQDN virtual host name. It may happen that a Web server hosts several virtual hosts, grouped into subdomains, e.g.:

• ftp.website.com, www.website.com, mail.website.com
• ftp.uk.website.com, www.uk.website.com, mail.uk.website.com
  (notice website.com vs. uk.website.com; both are subdomains, whereas ftp.website.com would be a FQDN for a virtual host).
  As a pentester, it is often your duty to enumerate possible subdomains and virtual host names (usually through brute forcing attacks with ffuf and the likes).

am I correct in assuming the question "Submit the full path of the "xxd" binary." means I need to look for ||a file called xxd.bin||?

Why do you believe that, BitfyPro?

(In particular, where did you get .bin from?)

when I looked up binary file wikipedia said "".bin" redirects here" and I have no clue what else it could be

So deciding whether if it's a subdomain or a vhost I might think of "functionality" at the first place, if I get it right... Tyvm davidlightman

Yes, that's one of the criteria.

Think at subdomains and vhosts as a way to hierarchically organize the Web site namespace.

The common case is a very well hardened www.mysite.com and a sloppy admin.mysite.com that can be abused to obtain RCE or otherwise log into some admin dashboard.

That ffuzzing course was so much fun!

Like it's another world out there what kind of files and entry points you could find in subdomains.

2

same anyone who could help

fyi you might wanna disable pings if they're not necessary

could you explain a bit more !!

I'm currently working on the easy Firewall and IDS/IPS Evasion lab and I'm a bit lost on what i'm supposed to be targeting. Is there a certain port I'm supposed too be going after?

not sure what you mean - the target spawns and you target that to discover whats available

ok to clarify the task is to identify which operating system their provided machine is running on and submit the OS of it. Is there a specific port I should look for or something?

So scan it how you normally would to identify OS - but add in evasion methods as shown

So I am a bit of an idiot and forgot netcat existed

so could I get some kind of hint on what a binary is?

I know there's the 0&1 stuff but if that's what this is referring to then I have no idea what to do

god I probably sound stupid

UNIX system binaries are usually stored in key first level directories

There's a couple builtin shell commands that tell you exactly in which directory these commands are

And yes, xxd is a system binary

If you are on a Debian-based system, you could check the builtins out with man bash-builtins

Otherwise, you man bash

and read the commands section.

PM if you are lost.

Not that kind of server

Hey, can someone help me with the Linux Fundamentals module?

I'm at a section where I use 'find' to look for a .config file, but nothing seems to be coming up and I can't recognise what I may be doing wrong

Thank you

I was there too, question 2?

ah 1

what is the command you used?

This was what I first command used

find / -name *.config -size +25k -newermt 2020-03-03 -exec ls -al {} ; 2>/dev/null

I've done some other variations of that too

It does bring up some files, but not the ones I need

should be *.conf

Omg

beside that it seems correct :)

Sorry - I'm just gonna get in the bin now

thanks 😂😂😅

haha it's fine!

thank you so much!

no problem 🙂

Hello, I am doing the js obfuscation module. I am stuck on exercise 4 from the assesment. I found the key but it says wrong answer. I even send the POST request to the given url passing the key and everything worked fine.

i just did that one last week

The deobfuscation module?

yeah

what section is it

I am on the Skills Assessment

4th question

"Try to Analyze the deobfuscated JavaScript code, and understand its main functionality. Once you do, try to replicate what it's doing to get a secret key. What is the key?"

yeah thats the wrong anser

answer

u need a key

not a flag

That was the decoded from hex key

thats the wrong answer bro

im telling you

ye

I found it

thanks

dont post it in here lmao

I think I deleted everything

thanks again

np

hey people what's up? i'm having some issues in the linux fundamentals - user manager. the question is: Which option needs to be set to create a home directory for a new user using "useradd" command?

i've tried the options that were related on useradd and got nothing

i've also been through man and got nothing also

i think i'm thinking out of scope but i can't get it

Re-read the man page, and don't rush it 🙂

that's good advice

thanks

thank you for answering, I finally got it. I was really looking too far haha the answer was pretty easy

I got it mate. I just had to fkin chill

thank you

yw 🙂

May I ask a question about the Linux Fundamentals here?

i ask same question

I'm on the last bit of the Linux Fundamentals now - so I can try and help if you'd like 😅

I just needed a little more time to explore and I found the answers I was looking for!

Thanks for the response @rustic sage

No worries, glad you got it! 🙂

I can try and give you a hand if you'd like one - let me know where you're at

I've been stuck on the priv escal lab. the second part where you need to find the flag on the root user; how do I copy the generated keys to the remote machine? the notes mention you generate the public/private key on the htb machine. I get that far. now, I need to copy the public key to the remote host and running in circles on this part. any advice? thanks guys

I'm also stuck on this one. Did you ever manager to get it?

Yes, I got some help on the piece I was missing. Feel free to DM if you need a hint.

hik

hey, sorry for the ping but do you know how to list packages for "File Descriptors and Redirections"? I tried ||apt list|| and just counting the output of ||ls'ing /bin|| but it isn't correct apparently

Hey guys, can I get some hints here, i'm stucked at Network Enumeration with Nmap Hard Lab. I managed to scan an open port but its tcpwrapped. Further findings reveal that I may need to scan from another IP source. Given the target IP, what methods can I use to determine which subnet/IP lists are allowed to communicate with the service?

guys how do I list packages?

I can't remember the exact question, but apt list should give you the packages, add extra flags if you are trying to find if it is installed

oh my god I just found it

I'm stupid af

I listed all the packages correctly but the first line said "Listing... Done" or smth so I had to do -1

thank you :)

can anyone help me when im trying to search for the target in academy ?

it just says that

Can some one help me i in the Module Linux Fundamentals:

What is the index number of the "sudoers" file in the "/etc" directory?

I ssh in the maschine but still get wrong answer (Submit Inode Right?)

htb-student@nixfund:/etc$ stat sudoers
  File: sudoers
  Size: 755           Blocks: 8          IO Block: 4096   regular file
Device: 801h/2049d    Inode: 147627      Links: 1
Access: (0440/-r--r-----)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2020-11-12 18:17:31.922746204 +0000
Modify: 2018-01-18 00:08:16.000000000 +0000
Change: 2021-08-03 12:08:36.494845988 +0000
 Birth: -

1573625 <-- got this number from a youtube video it worked and is same command ls -i in path /etc
Is this bugged or am I Stupid?

does anyone know why when i search on mozilla it just says Error code: SSL_ERROR_RX_RECORD_TOO_LONG

Has anyone here completed the windows fundamentals module??

Feel free to DM me

can someone help me with the SSH login into target the password is not working

anyone able to help with the SQLi final assessment via DM?

I'm having the same issue, I have the 147627 ID and am getting it wrong as well

@muted crow yeah i found an video on youtube

it had the right solution there a few more mistakes are there too

ok

thanks

i thought i am crazy

in the later phase you need to count files and i got 32 log files but its not

for example

hmm

its funny the next chapter has the same question

just an other file where need get the inode/index and its right

Could I talk to anyone on the word press assessment first question?

yeah just did that and am even more confused what the issue was lol

yeah i was like wait a minute am i stupid now or did the box want to kidding me

i wrote erratum for the support now so they can fix it

kind of annoying doing the right thing and they won´t accept that

Hello everyone...I'm at the hashcat module where I'm stuck on the question: Crack the following hash: 7106812752615cdfe427e01b98cd4083 ... I have tried multiple ways to crack this MD5 hash.. with built in rule sets in hashcat.. using kwprocessor.. wordlist as rockyou.txt but won't work.. anyone have a suggestion about it?

@remote dome I'm not in that module yet, have you tried to search it?

or use decrypt site

yes but unlucky.. was another user that asked about it but I didin't see any advice

ah

I don't want to use decrypt site I want to understand

maybe use different wordlist though?

use that https://hashcat.net/wiki/doku.php?id=hashcat

Sorry that I can't help much, once I get there I'll try to see if I can figure it out

and rockyou.txt as wordlist

@remote dome which module did you use

what you mean for module?

ahh yes

hashcat -m (number)

module 0

-m 0

that won´t work

hashid identify it as md5

hash-identifier too

yeah its maybe 500 look my wiki

there 2 kinds of md5

md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5)

yeah could be

its an common mistake

there so many kinds of md5

how I can filter understand about it

i often watch here

https://hashcat.net/wiki/doku.php?id=example_hashes

after hashid

and look after which one has the same pattern

some has obvious patterns like $2$ something

yes but this one seems mode 0

module

did 500 worked?

no it won´t

not tryied yet

$1$28772684$iEwNOgGugqO9.bIz5sk8k/

that's an example of the hash

maybe it's NTLM

yeah not $1$

Domain Cached Credentials (DCC), MS Cache

which exercises is it

i gone try too now

CRACKING PASSWORDS WITH HASHCAT > Cracking Common Hashes

maybe ntlm

yeah maybe

don't work

Psls

Pls

Has anyone done the File Inclusion lab?

Whats up yall, I am going through the linux fundamentals and am having some issues running a process in the background. I run the ping, then kill it with ctrl+z and can see it in jobs. When I execute the bg command it starts running in the foreground again. Am I doing something wrong?

Hi, can somebody get hint about NMAP last IDS task? Which service should I look for? I was able to find the following ports:

68/udp  open|filtered dhcpc
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm

SSH and HTTP

Thx

Also if I run the ping command with & at the end it is running in the foreground also.

Yea, & - run task in the foreground, you can list all jobs via

jobs

Command

Also you can get job in the foreground via

fg %<job_num>

DESCRIPTION
bg sends jobs to the background, resuming them if they are stopped.

A  background  job  is executed simultaneously with fish, and does not have access to the keyboard. If no job is specified, the last job to be used is put in the background. If PID is
specified, the jobs containing the specified process IDs are put in the background.

For compatibility with other shells, job expansion syntax is supported for bg. A PID of the format %1 will be interpreted as the PID of job 1. Job numbers can be seen in the output of
jobs.

When at least one of the arguments isn't a valid job specifier, bg will print an error without backgrounding anything.

When all arguments are valid job specifiers, bg will background all matching jobs that exist.

Someone help me with file inclusion module?

skills assessment?

Yeah the first question :(

I've got credentials for a mysql server but can't connect and I've got an API key idk how to use. Makes me think they're not actually set up

https://academy.hackthebox.eu/module/complete/23 is this the module?

Yep

I completed it so you can DM, but I have no idea what mysql server or API you're talking about

Ok lol I'll DM you

lol

can someone help with the linux fundamentals, File descriptors and redirections. I need to find how many total packages are installed on the target system, I ssh'd into the target, did dpkg -l | wc -l and it gave 750, yesterday it gave me 748, both answers are incorrect

did also apt list --installed and | wc -l and got 738

Hi 2 all , i'm stuck on the last step in GettingStarted module ...anyone can nudge me ?

what i've to write on the TARGETURI ?

maybe i donnow how to configure this option on the exploit settings...

just a question bros , what i've to write in TARGETURI ?

me too.... maybe some config are wrong in the options of the exploit

A little hint for wordpress skill assessment?

i want to learn ethical hacking

++academy

everybody here in this place idem too !!!

hi, i'm at the start of SQL injection module, at question Connect to the database using the MySQL client from the command line. Use the 'show databases;' command to list databases in the DBMS. What is the name of the first database?, I can't connect to the provided host, it doesn't even reply to a ping

check up the hosts again and again

@dull orchid done it for 10 min or so, so strange I've tried in pwnbox and my own Linux machine, and it doesn't work in any

has never happened before in any of the modules I've done

Anyway guys , i've question about the last check in the GS module : Should be wise to upgrade the version of the getsimple cms from 3.3.15 to 3.3.16 ? And after that, proceding with the exploit manually with the searchsploit finding ?

this is the hint message too....use the searchsploit to find other way to exploit the server manually...

isn't it ?

HELP! Im lost with this question. Use NSE and its scripts to find the flag that one of the services contain and submit it as the answer.

I'm trying to find the proof text from a docker target but on my workstation, the firefox application will not load anything. Am I doing something wrong or is the site bugging?

I figured it out im dumb lmao

Nmap task?

PM me

Do you basically have to buy cubes for the tiers that cost 500 to 1000 cubes or can you earn these from doing modules and sections? I'm new to hack the box.

IDK, I just bought the student sub, but I think for high tier modules you will need to buy more cubes.

ah I see. That's what I thinking. How much is the student sub?

7 euros per month

ok I don't get the option to click that one

it is listed but I can't click on it

yea, you need student email

my school doesn't have those 😦

So you can't =\

I'm going to speak with chat about other ways of proving that I am a student. Maybe that will work?

probably not huh?

I don't think it will help, maybe they will ask u to confirm ur status in some other way. But u can try 🙂

Good luck!

Ok I will. Thanks for your help!

Are you majoring in comp sci? @verbal marsh

I'm just a beginner in information security, I work as a system administrator and am studying for a hardwire engineer.

ah very cool. I'm aiming for an internship in a year when I'm a junior

thought i'd get a headstart

I plan on getting A+. Sec+. Net+ within the next year to year and a half

and learn the basics of pentesting

I've found out why I can't ssh into the god damn module.

They didn't give me the IP address for the target ssh machine.

Please fix this.

Feel free to ask me smthing in PM 🙂

Try to re-spawn

I tried it billions of times. Some even suggest me to create a new account. :/

I only have one spawn, bc I'm using free plan.

That's EA for ya. :/

Try to respawn the target machine

I tried to reset the target machine

It does nothing

Unless I have to buy a VIP plan for it.

Try reloading the page. It sometimes doesn't work properly for me if I leave the page open too long

It turns out that it will just use up the current spawn, and now I have none

gg

EA belike. Pay me to win!

I think you get unlimited spawns of the target machines. #613049811481919508 is the best channel for getting help

You don't

By the way, Can someone help me with Nmap?

You'll get one spawn per day

But, thank you for your time.

I some how refreshed the page for a trillion times and get it to work. Thank god.

Hey @ocean brook . I have just spent the last hour or so on the same problem. I would recommend reading through the man for apt. that helped me out.

its supposed to show a website right?

thanks for responding, I skipped that question but I still dont understand, if apt list --installed returns all the packages why is my answer incorrect?

or even

dpkg -l

like what is the difference?

the number that is given wasn't the exact number. I read a post by BitfyPro that was posted yesterday at about 1245 the helped me get the right answer. Sorry Im being a bit round about I dont want to spoil it for people.

anyone know why this command doesnt work?

use sudo

is that another os i have to install ugh

sometimes when you don't have the correct privileges, you'll get that error instead of saying you can't run it

ugh okay

ty for help

so what do i need to enable

no, the full command will be sudo nmap -sS -A IP

oh okay

? nah didnt work oh well

On the right vpn?

That ip doesn't look right for academy

in academy you need to spawn the target first it will be another ip

that ip looks like a box

? its what it says to do

also its not academy

just starting point

oh thats diferent

check your target ip

probably just an example

or you are not connected to starting-point labs

Make sure you are on the right vpn....but also #starting-point is better for starting point stuff

ah hh true

Currently on Windows Fundamentals. Trying to find user Jim's SID. Ran a few PS commands still can't find friggin Jim. Checked the registry. Hints? ❤️\

not SSID lmaooooo SID

Oh wait, I have to add him myself, nvm

Carry on

Hi, looking for nudge for flag4 Linux priv Esc assessment... Have access to tomcatadm manager and tomcat host manager. Can't reuse pword for tomcat user though

Who can help with the Nmap last task?

nvm

anyone available for a nudge on broken authentication - skill assessment?

Yes sand

Sand

Zand

I lost 3 weeks there 😁

Hello I need some advice for the module fundamentals I don’t find the exploit for that service

which module ? please be more clear in explanation

Getting started …fundamental

ok ... tell me which service do u mean ?

Finding public exploit

which service ? nibbles or getsimple ?

you've to be more clear bros

Getting started

i finished getting started yesterday so i'm fresh about it

but i still don't understand you...tell me exactly what do you need

I use nmap -sC -sV ip port -Pn -n —script vuln (exploit,discovery)but when I ho inside to msfconsole

I can’t find exploit

And on google gind cve-number but on msfconsole. I don’t find

in which section you are ?

Pentesting base public exploit

anyway...listen to me carefully, NMAP needs for finding the service running on the server etc etc...Once you got this, You' ve to look for this service/web app etc in google or by "searchsploit"or msfconsole by the tool "search (name of the target)"

I done this mate

Apache 4. Bla bla Ubuntu

If you find the exploit inside msfconsole , this will be easy but not satisfyng as manually mode...

that's the point

You're looking for the wrong name bro

No I don’t know how to find only cve

apache is the name of the server..

you 've to look for the name of the service...

nibbles...

getsimple...

that's the way...

Am i clear ?

Yes but and http etc I try

u need just the name of the web service and its version that's all

Show me the syntax how I have to check because I want to understand where is the problem

once u got them u can procede findind the exploit for it..

ok ... in the last step , we've a service based on CMS ( content management system) called GetSimpleCms

so i searched : getsimple 3.3.15 exploit

that's enough bro

i'm spoilering too much

Thanks I will lock later

i'hope i was helpful for you

tell me later

bye

If no I will write you again 😁

Thank you

if the service is that i helped you...anyway let me know ciaooo

Anyone available to help with ffuf module

I’m stuck on the skills assessment section on the file extensions

for what is #858470491676737536 channel?

If you find something you clearly believe to be a mistake that needs correcting put it in #858470491676737536 and we will look into fixing it. This includes typos, broken links or technically incorrect content.

Alright, thanks

Can I talk to someone about the buffer overflow on Linux skill assessment?

How can i get more cubes free?

Anyone for a hint on Skill Assessment - Broken Authentication?

Academy is not a free service, you buy them.

Hmm okay, i will see if i can buy it

Thanks for the info

subscribing is cheaper than buying though

if youre a student you can get a lot of the modules for ~$8/month

its a really good deal tbh

Has anyone done the linux buffer overflow?

Could anyone help me with the Windows Fundamental module?

I need to use smbclient to connect to a Windows desktop but I keep getting this error: nt_status_io_timeout

I've been using this:

smbclient -L <IP address> -U <username>

Thanks 🙂

Howdy,

If anyone could assist me on this with Windows Fundamentals.

I am on the SDDL String. I've followed the green highlighted instructions to the T. I've found the correct PowerShell cmd to run to obtain the SDDL string. When i enter the SDDL string, without parenthesis of course, I am told I am wrong.

If anyone can assist, please do. I've been struggling on this for awhile and used up my entire HTB Instance on this question.

I can help. DM me when you are ready.

how to use my

hi, i have a problem in linux buffer overflow x86, i have my payload, but when i use it inside gdb like run $(python -c 'print .......') it will give me a reverse shell, but as htb-student user, not root, and i don't know how to put the payload directly to the binary, i think that's the reason im not getting root

Edit: solved. To help others with the same problem:

./binary $(python -c 'print <PAYLOAD>')

when I attempt to ssh to a target on module "Getting Started" it always gives the same error of "ssh: connect to host 188.166.173.208 port 22: Connection timed out" anyone know if im doing something wrong or if its just broken ? when i ping the ip it gives no response either

└─$ ssh user1@188.166.173.208
ssh: connect to host 188.166.173.208 port 22: Connection timed out

I need some help in LFI module, can i dm someone?

Is this windows fundamentals?

hello guys

how is it possible

??

Have to be ssh user@ip -p(xxxx)

is there a way to access the academy targets from my kali box?

or vpn is only for the htb targets

There is a button near the questions to download a ovpn file for academy

can't really see it 😮

it's not there

kali live usb, firefox

right after an apt upgrade

What module and section are you doing?

web applications with ffuf

but i reviewed the older modules I didn't see it either there

ah the nmap enum has the icon so I remembered correctly that i saw it already

wonder if that works for other modules as well within the path?

If you can't see the vpn key button then you probably don't need a vpn for those questions. If you click spawn target you should be able to interact with it over the internet without a vpn

ah it works, seems the vpn key is only listed at the first module of a path. thanks 🙂

No it's "Getting Started"

Are you using -p for the port?

user@ip -p <port number>

can anyone help me with linux fundamentals

Whats up?

I’m stuck with finding the mail for the student

Have you tried using grep to help find the directory?

No but I’ll try it now

This is probably the most I can give without giving you the answer directly.
Try searching for environment variables using the env command. This works well with piping env into grep using the |

If you need another hint, let me know.

Thanks

thanks for the help. was stuck on that one for hours. 👍

Hey has anyone done here with the last assigment of wordpress, getting that reverse shell?

Hi bud. You say you just had to read and pay attention. Could you suggest what to read. I am having the same problem and I've tried reading the man page of su but everything I try doesn't seem to work.

hey

anyone knows the answer to this one?
Use cURL from your Pwnbox (not the target machine) to obtain the source code of the "https://www.inlanefreight.com" website and filter all unique paths of that domain. Submit the number of these paths as the answer.

in the linux fundamentals

i tried stuff like curl <lin> | grep <link> | wc -l but that doesn't account for the same paths

| sort -u

The man page should be good enough, but don't just skim through it — take your time and actually read it. Also, re-read the question carefully.

thx. but either i screw something or idk but still not good

You're very close to the answer using those commands. I had to literally count the amount of directories. Don't forget to use 2>/dev/null for those access denied errors if you get them.

Is anyone online and available to help me with an smbclient issue I'm having?

It's related to the Windows Fundamentals module

Thanks!

I can help. Feel free to dm

Sure thing, I will now 🙂

guys
what is likely to be the operating system flavor of this instance?
guys i putting the anser on the basis of command -uname -a
but its showing wrong answer agai nand again
anyone who can give me hint

help ?

any

Try logging onto the target instance instead of pwnbox

Spawn target. Ssh into it. Run command

so how can i get flavor of the system

its non-understanble kernal for me

thats why !

its from the acedemy

The command you are running tells you

Doesnt mean that all the output you get is needed for the answer. This is about understanding, not copy pasting command output

hey anyone who could help me with my virtualbox setup....for some reason my guest os gets disconnected.....

it's stuck at this !

hey. im in the getting started modul at the service scanning part and i have the task to run nmap to check the 8080 port of the traget. question is what service running on it and i get http-proxy for that port but it doesn't accept it as correct answer. any guess?
https://imgur.com/NLo0Sku

solved

anyone know wh its saying in need root privleges

check your VM Network settings to ensure that its connected via NAT/Bridged. Those wired interface errors indicate your OS is not receiving information from your host-os

Depending on how your OS is setup, you need root privleges to run certain commands that could cause issues if ran incorrectly. to run those commands, use sudo <command>. It will ask you for the user password. Enter your password you used to login, or your sudo password if you changed it, and viola

Anyone working on the Lfi module?

I'm currently working on the last question of the Fuzzing with FFUF module but I'm a bit stuck. ||The hint is telling me to find a wordlist in one of the directories to use as a parameter for the fuzzing parameter process, but I cannot for the life of me figure out which one its asking for. I have the two parameters accepted by the page but they don't seem to work as the parameter.||

Anyone able to point me in the right direction?

hey guys, total noob here, Im currently in Linux fundamentals module and Im being told to SSH into a server, I cant use the workstation instance anymore today apparently as I am a free user I only get one instance per day, so Im trying to connect to the server via Kali Linux in VM. However everytime I try "ssh student-htb@ipaddress" I get "ssh: connect to host <ip> port 22: connection refused. So I cant connect to the server to complete the questions, really stuck here and would appreciate any guidance

I imagine you'll need to connect to a VPN first before you SSH into an internal HTB IP

I'd probably send this question in the #613049811481919508 chat as this chat is primarily for module questions and discussions. People are monitoring the support chat to help with issues like yours

thank you!

No problem

Look for any "words" list in seclists

in the gettin started modul in the public expliots part how do i find out what plugin is running? it took some time but i found that its wordpress that running there so it have to be a wordpress plugin(i guess) but idk how to find it

if you're referring to finding which Wordpress version and Plugins/versions of Plugins are running on a website, wpscan with the API key works just fine!

Hi, at module buffer overflow on windows x86, i'm at Try to search the 'cdextract.exe' binary for the 'PUSH ESP; RET' instruction as pattern '54C3'. What is the address of the first result you get?, i find the address of the push esp instruction, but for some reason it is incorrect.

Edit: was at the wrong DLL

ty

many ppl said that the ffuf module is fun. just finished it and indeed it was fun 🙂

On the Public Exploit module of the Getting Started module, I am trying to scan the target and I am getting a lot of "Host seems down" or "the ports appear to be filtered". Is this how it is supposed to be? I've tried a lot of different nmap options to avoid firewalls. I don't think thats the intention of the module though. Can someone let me know if this is how it is supposed to be?

Nvm I think I figured it out

i was doing web request module i was at the post request

i completed the module by logging as admin but i dont see any flag or any thing like that ??

i am a bit confused

@wispy fern that means you haven't really got the admin yet . Admin is unique

How do you do the "Skills Assessment - File Inclusion/Directory Traversal"? I can't find any entry point to hack the web.

hi , I'm new into using linux, as well as using the shell. so I have started in Linux Fundamental - I am struggling with 1 section, find & locate. the questions are asking to using what i have learnt to to find the associated information. I have logged in using ssh and thats no problem, but when i use the find function, either i get a permission denied response, or nothing returns. has anyone else had an issue, i think im doing something wrong, i just dont know where.

The find command will "list all files and folders under a search root", if that helps. @graceful scroll

$ find / -type f -name *.config -user root -size -28k -size +25k -newermt 2020-03-03 2>/dev/null does this look right?

I guess that depends on what you want to filter on, but it looks like a "real find command" to me. (Mind that your shell mind expand *.config before find sees the argument, quote it if you don't want this.)

(A neat trick is to prepend "echo" to your command line and check the output if you suspect that shell expansion is pulling your leg.)

yeah they are set at Bridged and still troubles connecting to the internet on guest os

Hey guys, I was wondering if I could get some help so I can figure out what I'm doing wrong when I'm trying to compile the kernel exploit in the Linux Privilege escalation.

it says to do this: gcc kernel_expoit.c -o kernel_expoit && chmod +x kernel_expoit

i download the exploit with wget and try to compile it but it doesnt work.

it comes downloaded as a regular file and not .c btw, so i also downloaded another version of it that is .c. still can't compile

Try using NAT. If that doesn't work, send me a DM and I can help you when I'm available.

I was trying to use this exploit btw: https://vulners.com/zdt/1337DAY-ID-30003

Nvm I got it. Wasn't getting the raw code and just using wget from the url 🤦‍♀️

would anyone mind giving me a hand with Skills Assessment - Web Fuzzing second question? I've scanned all the sub-domains and only found 2 file extension, but its looks like a missed something

in the ATTACKING WEB APPLICATIONS WITH FFUF module

Did you really find all the vhosts/subdomains? The hint reads: "Don't forget to add the sub-domains you found to '/etc/hosts', and then run the scan on all of them."

@tribal remnant i believe so. i added all the sub-domains from the previous question and scanned them

pm me how many

just got it, thanks!

Hey was wondering if anyone could give me a hint for how to get the flag4.txt on Linux Local Privilege Escalation - Skills Assessment? it says to check for external services but I'm not sure what to look for. Apache2? Mysql?

Okay, i found a password to become host manager on their apache server

Alright I know where the flag is, but I need to become tomcat to get it. any hints?

what is sql injection ?

try remote file inclusion (generate payload and upload to server)

@fleet moth Thanks so much man! Got the fourth flag.

nice

Sweet now im root

very great how you crack oscp

has anyone done the sqlmap section? Can anyone point me in the right direction for flag #10? Thanks!

Actually I got it!

Need some help in Intro to Network Traffic Analysis, its bugging me so long

The question: What addressing mechanism is used at the Link Layer of the TCP/IP model?

what kind of addressing mechanisms does the section talk about?

solved

Yup deleted. Tq ❤️

Hi again all 😅 I am completely lost on Stack based buffer overflow - windows x86 skills assessment ... I get as far as locating the jmp esp address, however I am struggling to locate a way in which to interpret any code ... I assume that it is someway through .dll file calls etc however I am just getting myself confused 😆 .... anyone who can help, please dm me to avoid spoilers etc ... appreciate your time!

There is no such possibility. You can redo the sections that You have done in the past.

maybe htb could help you completely reset a certain module if you contact them

in the nibbles priv esc part after i append the monitor.sh file and run it with sudo why does it ask for passwd? shouldn't it just run?

that weird...i was in the files folder and there with sudo monitor.sh it didn't work but it worked with the full path of the file

Do you recommend to redo the module after x month or not at all ?

Feel like kinda a lot of stuff to digest at first

can anyone help me with this question..
linux fundamentals module, filter contents last question

i ran the following command on the pwnbox
curl https://www.inlanefreight.com/ | grep "https" | wc -l

whichever way works out best for you to consolidate the learning

thats not all unique paths, that just everything with a https in it

Looks like i will do redo them in the future. thanks for the answer

so how do i filter it down to the unique paths to domain?

thats the point of the question - to get you experimenting on ways you can filter data like that

using the various tools / commands available to you

it better imo to grep for www.inlanefreight.com and other thing you should use a sort command before the wc and look up it options. there is one what you need to use(also i did use it and didn't work so im missing something too)

this might help(also i'll have to try this way too)

https://stackoverflow.com/questions/618378/select-unique-or-distinct-values-from-a-list-in-unix-shell-script

what is the important thing in social engineering attack

The fun story about the physical pentest in the fundamental of network is very nice :). Will take care of my printer now

hey all, I just published a new module

I appreciate the help! Sorry about the delay in response. I'm about to hop back in and look for it.

I'm not sure what the question is asking... Is it asking for a port scan using PORT as the port number and using a list of common http ports or is it saying that the directory is :PORT? Confusing the way it is worded..

okay now i see... PORT is referring to how you enter the answer into the submit your answer box.

Create an "If-Else" condition in the "For"-Loop that checks if the variable named "var" contains the contents of the variable named "value". Additionally, the variable "var" must contain more than 113,469 characters. If these conditions are met, the script must then print the last 20 characters of the variable "var". Submit these last 20 characters as the answer.

I'm pretty new to this and don't know what to put.

Alright I completed all the other ones including getting the hidden flag by inputting the salt. I know this is pretty basic but I really just don't know what do.

nvm i got it

Hi, i'm doing window stack based overflow, but stuck in this ques:
Try to fuzz the program with '.wav' files of increments of 1000 bytes '1000, 2000, 3000...', and find the smallest payload size that crashes the program and overwrites EIP with '41414141'.

I found the exact bytes to for the payload including overwritting the EIP is 4116, but i not sure why it isn't correct

sorry for my lack of knowledge, but what is a module actually?

dont ban me because i sucks please

Module is a small course of a specific topic

oh, got it thanks

what type of course?

You can try looking at https://academy.hackthebox.eu/

👍

you are submitting the exact offset as answer , but that's not what the question is asking

i see, what does it means payload size?

file size?

While FUZZING size at which EIP got overwritten is the answer

I guess the size that is when we generate payload using msfvenom

haven't into msfvenom yet

Okk my bad

i don't understand...

what module should i unlock

im new

and i want to hack :))

How to use HTB

any guess why i get this error? Exploit aborted due to failure: no-access:
im on the getting started modul at the knowladge check

i have a workin admin usrname and pwd

but can't exploit with matasploit

i set trhe USERNAME and the PASSWORD

After finishing the ffuf module, I was wondering that is this knowledge useful against https sites as well?

Ola!! wow so many stuff from the modules

yes - why wouldn't it be?

no idea what could prevent that, but the module listed only http services, that's why I wasn't sure

whoever made this

nice explanation

https is just a http service via a secured session

Hey 🙂 Could someone please help me with a Module in from the Academy? I'm pretty new to this. Would be great! 🙂

I am in the Path "Cracking into Hack the box" and Module "POST Method". The question is "Login with the credentials (guest:guest), and try to get to the admin user from what you learned in this section and the previous section." ... I actually did chance the cookie to get to the admin page, but I don't know what to put into the answer box below. Could someone give me a hint or something? 😄

change*

when you do it correctly the flag will be displayed once logged in

so i get a code or something to put into the answer box?

the problem is, I don't know if it's my fault but the Module says that, when I am logging in, I should get the cookie "PHPSESSID" in Burp. But I only get "auth" as a cookie. Is it because I do something wrong?

I only want to know, if its my fault or a problem with burp or the pwnbox?

the module is giving you an example of a type of cookie you may come across

the names may vary

the one you get in the assessment is correct and how it is meant to be

okey, thanks

i try

Hey guys I was wondering if I could have some help with the module "Hacking Wordpress". I'm on the Directory Indexing section and I can't seem to find the flag hidden in the directory. I believed I searched everywhere through /wp-includes

hey guys can someone help me ?
i have problem in "intro the packet analysis"; the question about find the image... can someone help me pls ?

@dense crow did you try following the TCP stream

yes but i really canto find it.... the hint speaker about htb.jpeg, water.jpeg(if i remember right) and the third one ( the answer)... but i cant even find the htb and water...

@dense crow you have the Wireshark-lab-2.pcap open right?

@dense crow if i remember correctly you'll find it in the Wireshark-lab-2.pcap if you follow the directions. It's not in the Live capture.

ight nvm guys figured out where to look and finished the rest of hacking wordpress aswell

Thank you! I was getting "Exploit completed, but no session was created." and thanks to you I've noticed that it was because I didn't set the LHOST to my "VPN IP address".

Hi, did the Window Stack Based Buffer Overflow Module Final Assessment must be done through our own VM?

this question : "What was the filename of the image that contained a certain Transformer Leader? (name.filetype)" it isn't in the file, but in live capture, am i right?

can someone please help me with tcpdump question What are the client and server port numbers used in first full TCP three-way handshake? (low number first then high number)

im 90% sure i have the answer (the first complete syn, synack, ack), have the port numbers but the asnwer isnt accepted and im not sure on the format.

u have to write the 2 port used in this handshake, the lower first

with comma between or no?

also i have the same issue as you gimball - the images arent going over the network,

all i saw was a file in ftp

but that answer doesnt fire

the images are in the wireshark lab 2 resources

@glad notch ah ... sarebbe?? cuz i found the first answer in a live capture

the images wouldnt load in there for me - no image was transferred in the live capture but as soon as i looked at the wireshark2 lab resources i got the answer right away

ok thanks bro... i ll try later

Hi, can someone help me with the last question of the "SQL Injection Fundamentals" course? I passed the login page, checked if I'm the root account, check priviledges, but I can't find the place where write a file (a shell). Can someone help me?

Hay there, im struggling with Case #9 of the SQL Injection Fundamentals. Can someone assist me?

you are in the developments page so put the shell in /var/www/html/developments and use cd /root

please use cd / +space+ root to access root else you are not done

whats the question

Would anyone help me with Linux fundamentals? Having issues getting apache to run on my box.

Working with web servers section of Linux fundamentals: I install apache2 as the code instructs and then it says to start the web server. I get notification of syntax errors [Thu Aug 12 17:29:31.946290 2021] [core:warn] [pid 11619] AH00111: Config variable ${APACHE_RUN_DIR} is not defined
apache2: Syntax error on line 80 of /etc/apache2/apache2.conf: DefaultRuntimeDir must be a valid directory, absolute or relative to ServerRoot

any suggestions would be appreciated. Thanks.

I'm having exactly the same problem now. Did you find a solution to fix this? xfreerdp connects for a minute or two, and then the connection suddenly drops

feel free to pm

Hello. I am looking at the LFI module and this piece of text isn't making sense to me. I am not a developer so I am unsure if that may be the reason or not:

If someone could help dumb it down it would be appreciated

I used ‘sudo’ and I haven’t had the issue since… very strange

Thank you! Will try!

Which parts of the text does not make sense to you?

Hello!! Has anyone finished the Linux privilege escalation module? I'm stuck on the 5th (and last) flag. Thank you very much in advance!

I'm reading it as its telling me that there are wildcards that work in Bash, but for PHP they are useless. Or am I reading it incorrectly?

ok so i was doing the introduction to networking module

im on subnetting i really dont understand the dividing into small subnets

we need to divide the number of hosts possible into the number of subnets we want?

like

if hosts are 30

and subnets we want are 4

then 30/4?

which is 7.5

but decimal? D:

nvm the total host in each subnet will be 8 cuz rounding i think?

Hi guys im doing the nibble machine (actually im doing the academy module) and in this 2 days on obatain the reverse shell using the file upload vuln of nibbleblog using the PHP script in the image and a netcat listener on port 9443 but after i loaded the script with "my image" plugin and then activate the script nothing happen just infinite waiting
I've tried a lot of different shells but nothing changed idk what im doing bad right here

if you are uploading a shell than make
sure you are using right ip (lhost) and port (lport) or maybe use different shell
Or it couldn't you wasn't really able to activate shell

Can be that my firewall is blocking the shell?

Maybe possible but I don't think so that would be the case

Idk how is possible that all other script like getting the id works and the one the module gave me don't and just infinite loading

@lilac quiver can dm we can look into it?

Yaya

Need some help for Window Stack Based Overflow Modules Final Skill Assessment

the number of hosts would always be 2^(x) and now if we want to add let's say 8 subnets that would be 2³ so we would require 3 extra bits
That's how I get it

Sure

Can i dm?

does anyone knows this?
Split the network 10.200.20.0/27 into 4 subnets and submit the network address of the 3rd subnet as the answer. is suck at that subnet counting

Sure

like afaik the first address i have is 10.200.20.0 and last is 10.200.20.31. shouldn't i just div it by 4?

ok solved

30 hosts

Sounds about right, I don't know what the "above function is", but I presume that it checks the path for ".." or similar in an attempt to prevent path traversal. (Bash will expand ? and * to match pathnames — the parent directory (..) will match both of those glob patterns.

Spot on to whar it said above. So I am reading it correctly, it is an over complicated way of saying wild cards don't work in PHP?

I'm doing "'windows fundamentals" and stuck on a question in "NTFS and Share Permissions". What's the predefined firewall rule that has to be enabled to allow SMB connections from the PwnBox?

I've tried querying SMB rules with Get-NetFirewallRule but nothing I find seems to be the answer

yo so im doing the getting started module

List the SMB shares available on the target host. Connect to the available share as the bob user. Once connected, access the folder called 'flag' and submit the contents of the flag.txt file.```

i have to do this question

smbclient \\\\10.129.42.254 -U bob

i tried this

entered password

its givgin this error

Enter WORKGROUP\bob's password: 
tree connect failed: NT_STATUS_BAD_NETWORK_NAME

nvm

You arent specifying the share to connect to

yep i did it

had to do //users

Cool

Well done

:D

Hey 👋🏽, when i revers shell the box, I accidentally exited the connection from netcat , i used netstat and i see a tcp connection is established, how can I connect to it again? Any help please

Feel free to DM me for help.

What is the SDDL string for the HR security group's permissions over the Company Data folder? (Format: x;xxxxx;xxxxxxx;;;x-x-x-x-x-x-x-x, no parentheses in final answer)...I am stuck at this....plz help

this is the final question of windows fundamental module

Please no spoilers

I can help you with this. Feel free to DM.

No Spoilers

If you existed the shell then you need to reactivate the payload ,by again starting netcat and activating the payload

As you guys are going through the Academy is it worth it?

anyone available for the Windows Privesc??

Doing Windows Fundamentals. The question is "what is the alias set for ipconfig.exe". ipconfig /? doesn't mention any alias, and duckduckgoing doesn't help either. How am I supposed to get the alias

?

nvm found it

I'd like some help with a couple of questions in the Windows Fundamentals module, the last chapter

I can help

DM me

in this question

what will be the answer format

also how do i find txt files inside a website?

woaaah

i just completed this questionn

so cool

hello All

could anyone advise and recommend roadmap for web

In network traffic and analysis module in interrogating network traffic with capture and display filer section

How to answer both of those questions their no file to to look in or image to see.

That's one way to see it 🙂 But no, PHP does not normally expand wildcards in pathnames -- but there is a glob function if you want to mimic what the shell does. (Take this with a grain of salt, I haven't been using PHP since several major versions ago.)

Alright cool. Thank you for your response.

I am currently stuck on the Public Exploits section of the Getting Started module. It seems I need to be able to gather some information about the given target before I can utilize metasploit, however no enumeration tools are working

I run a netcat scan on the port associated with the web app, but it just sits there loading

basically I don't know how to identify any of the services running on the ip as all the commands I know so far just fail

Is this on the pwnbox or you trying to run the scans from a VM?

I attempted both

Neither had any success

I have found something that seems to be the flag but i just cant make sense of it.
Would really appreciate some help

It probably is some kind of hint to what the flag is supposed to be but I just cant make sense of it

kk got it added a suggestion to #858470491676737536

heyo i was doing the getting started module and i spawned the target but the problem is i cant ssh into it i tried on my machine with the ovpn file started in another terminal and in the pwnbox too

142.93.35.92:31613

this is the server spawned

i used this command ssh user1@142.93.35.92

it times out even in pwnbox

i tried respawning as well

SSH to 142.93.35.92 with user "user1" and password "password1"

i tried pinging the server too

doesnt work

someone?

try with sudo..mine always works with sudo

tried

still not working

wtf

why do i have so many tuns

because you aren't closing tunnels down properly before launching new ones

but that will be why you are having issues

Yup, try to ifconfig tun4 down and all the others as well

or even better: reboot

reboot works the best

get's the job done

ah ok

i closed all

and then

oh wait

ill

reboot

better kill the openvpn process

i just rebooted and started the ovpn with sudo openvpn academy.ovpn and then

opened another terminal and tried ssh

still not working

at what number is your tun interface from ifconfig

its 0

now

are you able to ping the machine

i dont think so

tried

not working

which module and section you are on

in getting started its the privilege escalation section

is this a problem with me not doing it correctly or there is some problem with the vpn

what is the syntax of your command

first i initialize vpn in a terminal with sudo openvpn academy.ovpn(this is the file i downloaded from one of starting sections in the getting started module)

then i open another terminal copy the server ip from the website(139.59.166.56) and then run ssh user1@139.59.166.56 pinging with ping 139.59.166.56 doesnt work too

ok, but you need to specify the port that you see in the target

when i do that it says unknown service

have you specified the parameter/flag

where do i do that?

ohhhhhhhhh

thats how its done

OMGGG

ITS WORKING

THANK YOU!

after years

What is the SDDL string for the HR security group's permissions over the Company Data folder? (Format: x;xxxxx;xxxxxxx;;;x-x-x-x-x-x-x-x, no parentheses in final answer)...I am stuck at this....plz help
this is the final question of windows fundamental module

hello all,
im trying to do the sql injection module and im stuck at the last task can some one help me please?

Hi, I'm doing the Basic Toolset path. In the module "Login Brute Forcing" is the Section Skill Assessment - Service Login. It refers to an employee's name. But there is no name to find. the target is only ssh service

Hey rando question do you get Certificates from doing modules on HTB Academy

Running into issues with the writing files challenge of the SQLI fundamentals. Using the provided web shell I cant get any commands to execute with options. For instance I can run "ls" but not "ls -al" or "ls%20-al" or anything like that. Any time I try to run with options it just returns a blank page both in-browser and curl. Anyone have any suggestions to move forward?

so im doign the privilege escalation part in getting started i ssh'ed into the machine as user1 now i need to become user2

the hint is to review what i learned in the module

i ran linpeas transferring it from my machine to the server

kernel exploits i dont think so are the way to go

im not sure what user2: user2 means here

OMG

OMGOGMOGOGM

I MADE A BASH FILE WITH VIM AS USER 1

OMGGGGGGGG

IM SO SMORT

I CANT BELIEVE IT

FIRST TIME WITHOUT SEEING HTB FORUMS!

but how do i gain proper access to user2

nvm i did the whole thing again without getting help from google

Well done

I'm doing the FFUF module and a scan in the final section is taking forever, possibly longer than the machine is gonna stay up. Can someone with the answer narrow some params down for me to speed it up?

question 3: A page saying "You don't have access"

500k req at 200 req/s takes too much time, I'm afraid the server is gonna go down before it can finish

Has anyone completed INTRO TO ASSEMBLY LANGUAGE , In the Shellcoding Tools chapter, the last exercise asked me to use "nc SERVER_IP PORT" to connect to the server and send the shellcode. Does it mean to exploit the vulnerability first, or directly use the nc command to connect to the port? Then how to send the shellcode? ps. I have generated shellcode.

pls be careful with spoilers

[Update] Finally found it. !!
Has anyone find ldapadmin password in Windows Privilage Module (It is my last step in Windows Privilege Escalation Skills Assessment and I stuck). Any hints would be appriciated 🙂

I cant send messages in general

help

Anyone who can push me into the right direction?

doesn't it reference it in the materials?

or that you identify the username in a previous step

it's a few months since i did that module

thx for the reply, in the previous mission you just have to brute force into a website, and then bruteforce the new site again. the credentials i found are not names...
in the last skill assessment, the one i struggle with , just mentioned an online academy and an employee's name thats it. the target IP is just an open ssh port no webseite nothing

which section of the module is it? I will have a look over and see if I can spot it

Basic Toolset -> Login Brute Forcing -> Skills Assessment - Service Login

the last one

ok, so you should identify some employee names in the previous section

you then use that information in this one

it should flow just like the examples you did before the skills assessment

can i pm you?

Anyone available for Windows Privesc module - DnsAdmins section??

going through the steps of uploading the dll, etc & I verified that I am part of the DnsAdmins group, but its still not letting me read the flag

You have a nudge for the DnsAdmins section?? Running through the exercise but having issues after loading the dll with reading the flag

Just DM me if you still need nudge

The assembly module is in the General category, so there's no exploitation needed, except for demonstration purposes.
Simply connect with the NC command and paste your shellcode, and the server will verify it

how do i hack

@haughty belfry please don't post the answers to academy questions

need help on these last two questions in the linux fundamentals

Hey all! I'm starting the Hacking Wordpress module and cannot find the flag for Directory Indexing. Could use some help 🙂

Heya, I'm doing the Windows PrivEsc module on the SeDebugPrivilege part.
After accessing the machine, my user doesn't have the SeDebugPrivilege set. I am doing something very wrong or is it bugged?

Try running powershell or command prompt as admin if you havent already.

well fuck me that was easy... shouldn't do training in the morning
thanks

Np. You got this.

@haughty belfry I'm not doing Linux fundamentals but can give some help
man uname and ifconfig should help

I'm doing File Inclusion and am confused about page 2 (LFI) question 1: the name of a user on the system starting with "b"
I've included /etc/passwd and found 2 usernames starting with "b" but they aren't accepted.

Also, in section 3, LFI to RCE, I'm supposed to poison something but there's no session cookie (or login) and /var/log/apache2/access.log returns permission denied. What am I supposed to poison then?

try this with sudo

simply use the system related commands described up top in the module

@rustic sage It's LFI, there's no sudo

In Linux fundamentals, "System Information", what's the path to the htb-student's mail? It's not /var/mail or /var/spool/mail and there's nothing in home

nvm got it

Well done

I need help in Linux Fundamentals, section "filter contents", all 3 questions

i need help for LFI please dm me

How to list all the listening services as wanted? ss -tuwxl doesn't seem to be the answer.
How to see what user is running a service?
The page to curl, what "paths" exactly? I've grepd and counted all the URLs and it's not accepting.

I've sent you a DM

https://tenor.com/view/hello-there-private-from-penguins-of-madagascar-hi-wave-hey-there-gif-16043627

anyone please give me an nudge in the active directory ldap skill assesment final quetion

skills assessment?

yeah...

I've been trying for 3 hours

ok dm me where u at

Hello I need help with hacking Wordpress - RCE Theme Editor I’m stuck idk why

how to connect to htb academy

my whole module does not give a vpn key

and i cant access the other modules coz they are completed

got it thanx

if there is no vpn key the targets may be public facing docker containers

you should be able to reach them without a vpn

if a vpn is required the vpn key is available at the questions

ok thanx

Omg it’s ok I found it finally after 3 hours 😌

Hello, it is normal that i cannot spawn any target or workstation ?

In network module what are BGP and RFC 1918?

I've used nslookup AND dig, input every record i have gotten. Still nothing. What exactly does the question n mean by "unique"? Because I even found a HTB flag! Still wrong answer. Help??

For anyone who finds this, use a different webshell than the one provided in the module. For whatever reason it wont take any commands with arguments. I had luck with a webshell that's based on user agent string.

Anyone familiar with JS available to help breakdown the indexing function static analysis from the Secure Coding 101 module? I understand what the write up/ article is trying to say but I'm not coming to the same conclusions based on the code.

Hello, I'm currently working on web requests, and I'm on POST requests.
More exactly to the question below.
I found the answer but I don't know what to put in the box

I got it. I'm such an idiot. Left the quotes in lol smh

please ping me if you answer

once you have successfully logged in as admin there will be a flag. that just looks like a guest username

Like on the second screen I sent?

the second screen is still a guest account

it even says...welcome guest 👀

hey guys for the Network Analysis Module i'm having trouble getting the answer to the following question: What addressing mechanism is used at the Link Layer of the TCP/IP model?