#modules

This was in regards to the Cracking Into Hack the Box / Web Requests / GET. Thanks

I did try to search this discussion thread and saw a reference but no answer on if the page is working correctly or not.

DM me, lets see if we can work through it.

Hey Total new person here. I'm currently working through Linux Fundamentals, and I'm on Service and Process Management. I can't seem to SSH to this target here, and I swear I'm providing the correct syntax. Any ideas what I could be doing wrong? https://i.imgur.com/kqRoPSr.png https://i.imgur.com/CcRaeJh.png

Oh ignore me, continuing connecting worked anyways, but I didn't have to do that last time they wanted me to SSH to another user. It really threw me off.

It's expected to return 200 for all since you are only changing the header. Please add the filter flag to ffuf and your result is right there.

Can someone give me a hint for the Windows Privilege Escalation Skills Assessment - Part I, for the privilege escalation part? I got a reverse shell back from the web application and tried the obvious thing to privesc which should work when I understand it correclty but I can't get it to work 😦 So It's probably not what I should do. Any tips for this?

Is anyone else having issues submitting answers on the OSINT module? There are at least 4 answers that I can't submit (just hangs)

Hello together, I got the flag in the Modul XSS/Pishing part, but it wont be accepted. I already restarted it. Im relative sure I did everything right. Inserted right XSS in urlform, start a server, send the creds to me, and copied the link to the send.php, which sends the real credentials. With those I got the flag... but doesn't work. Any help?

The specified CTF is invalid.

hello everyone

Do you know that when using ssh2, if you do not operate for a long time, it will exit?

How did he quit automatically

plases,help me.

It will disconnect an idle connection due to security reasons. Are you on the host or client-side?

host

Client-side won't?

Hi everyone!

new to the channel! wanted info of books to read while doing the htb academy

thanks in advance to all!

🙂

Thanks for answering. I does not understand whether its my fault or is it a problem in the box? If the box has a problem, get the students who bought it an info, when its fixed? Thanks!

Only client-side. What are you trying to solve exactly? You can configure the client to send a KeepAlive signal so the server will not disconnect.

Hi, regarding the « File upload » module. I am stuck at the skill assessment section and I can’t find a way to upload a php file. I did exactly what is indicated in the hint : find an valid extention and find a valid content-type header through fuzzing. I have tried them separately they work (with an image) but when I try to use them in a request with a php file is still fails. Am I missing a step ?

What are you doing? Because you can upload a real image that you know will be accepted, then intercept in burp, change the extension to .php, add your php code at the end of the file data

has anyone done the linux/win privesc modules? if so, do u feel it was worth the price? just seems so expensive

I was trying to craft an acceptable php file, I didn’t it was possible to add php code at the end of image data. I’ll try that thanks

Hey all, was curious how you guys felt about the academy modules. Trying to study for OSCP and was wondering if these modules has helped anyone a lot on their journey for OSCP. Currently spamming HTB boxes and even though I am learning, I feel like I need to more fundamental learning for some specific processes that kind of match the hierarchy of HTB modules. Any insight at all is appreciated 🙂

Many of the modules provide a lot og value that can be utilized in the OSCP exam and course itself

There is not a specific "study path" though however many of the topics covered are topics you will need to know to pass

Keep in mind though that the course part of OSCP is fairly extensive too

Have you checked out the ToC of the training material? You don't want to buy a module at HTB that is already extensively covered in the OSCP course material

(There are only so many different ways to explain what a simple SQL Injection is)

If you mean the pwk, I have taken a peak at it. Problem with that guy is that its like 1500 dollars for 90 days access which is crazy expensive. I am for sure getting it, just down the road as that will be my last training material before I attempt the exam. Before that however, I definitely wanted to view other trainings/courses so when I get to doing OSPG labs/The pwk, I will have a strong structure/experience of different common tools and methodologies.

I am going off the tjnull HTB list and starting with the easier boxes first, but I find even the easy boxes to be incredibly difficult. Was hoping of learning different concepts first through some sort of modules/learning academies hence being interested in HTB academy. I have bought/completed the Tiberous linux/win priv escalation udemy courses which were super helpful and was hoping that maybe the HTB academy modules were like that too. But I see what you mean, there are a ton of resources out there that teach the same things. I am hoping to purchase the pwk and not have everything be a new thing to learn, but some to be content I have already seen. (escpecially if I only have 90 day access haha)

PWK yes, but I think they call it ... SP-200? something-200? But yes... that one.

but I find even the easy boxes to be incredibly difficult
If you didn't it meant you were ready to prepare for the exam itself and perhaps even pass it on first try

@deft stratus as for tons of resources out there, what I meant was that I wouldn't recommend that you spend $200 on HTB Academy and then purchase PWK and realise that 4/5 things that you purchased from HTB you would have learned in PWK anyway. That would be a shame

That said, the modules on HTB Academy tend to dive a lot deeper than PWK does for their topics

Where PWK tends to give the student the basics and enable them to continue their studies, HTB Academy will include much more for that particular topic even if they still expect you to do some self-studying and thinking "outside the box"

Take scripting or nmap as an example: in PWK introduction to scripting and nmap was - 3 years ago when I did it - very simple and just brushing the surface. Certainly not enough knowledge to just start writing your own tools and scripts and certainly not more than the basics of basics in nmap

the Academy modules for Python Introduction (one that I wrote) and nmap (forgot who the author is), the student is taught a lot more than the mere basics. My scripting module teaches you enough concepts for you to be able to write much more complicated scripts than you'll ever need during OSCP for example, even if the learning curve perhaps is a little steep for complete beginners.

The same goes for nmap: you'll learn more about the tool than you'll ever need in OSCP

(e.g. you don't need to care about a blue team trying to stop you so there's no need to learn how to stay covert)

I would personally recommend that you try to stick to the list of easy boxes along with watching IppSec doing easy/medium boxes on YouTube as well. I promise you will learn a ton from doing that because he tends to do the same exploits multiple times, if there are interesting alternative paths. Even experienced people learn new tricks from him from time to time 😄

Oh, and the Starting Point machines if you haven't already. That, and perhaps you could look at the Dante Prolab. It's supposedly a really good pre-coursor to OSCP. A little tough still perhaps if you are struggling with easy boxes, but when you get a better feeling for the easy ones and feel that you can do them with some or minimal help, definitely check that out too

@high zinc Thank you for all that info. Much appreciated! Yea its hard to define a path to take that cert when there is no defined path lol. I am used to cisco certs where you generally do a video course, lab anything up, do some practice exams and call it a day which the OSCP is DEFINITELY a different process haha. But I appreciate all of that, I think I'll stick to doing that list and basing each lab off the ippsec videos. I did all of the starting point but I will definitely take a look at HTB academy. If that goes way deeper than what I will need for OSCP vs the pwk just touching surface level, I would rather go way deeper. 🙂

Also I might do the intro to dante path too, that looks inticing

Anyone able to lend some insight into the Windows Privilege Escalation Skill Assessment #1? Specifically the ldapadmin question?

Would you recommend doing the First few easy boxes while watching the Video or try them on ur own First?

Also, when to attempt Dante? Do a dozen of easy boxes First?

just discovered that list, that lists netmon as more challenging than oscp. that gives me confidence 😄

hi everyone! I'm doing the skills assessment and have found the IDOR and HTTP Verb Tampering, but don't see a way to get RCE or read a file from the system. If anyone could please advise I'd be very grateful 🙂

Hey guys. I'm doing the "Using Web Proxies" module and I'm at a module that requires me to use ZAP Scanner however I don't seem to have ZAP altogether on my instances, and Burp Scan is a pro only feature. Anyone know where/how I can get access to ZAP on the instance or do I just suck it up and go use an alternative ?

I just did the Server-Side Attacks Skill Assessment with no hints. Took me 2 days but man was that one rewarding.

Well done :)

Not sure about that one..

Isn't dante easy ad? 😋

It's not solely "AD"

Hint:Examine the user database carefully.

Hi! About the File Upload Attack skills assessment, I have troubles finding the upload directory, I searched in /contact and /contact /submit.php and the js script. Does anyone have a hint for this part? Also do you know any better methods to find the upload directory than reading the source code?

i did the linux privesc module. Totaly worth the price, learned alot 🙂

Cool, thanks. Think I'll do it anyways. Did you have any experience at all with linux priv esc before?

Is it? I have no clue 😄 Just feels to me that it's way more advanced than 'just' doing easy boxes. Probably just my wrong perception

where do we ask help?

just ask?

oww best way to crack a pass?

and where can i test that thing? of cracking a pass ( im sad i just said i will crack googles pass and i got banned ) :(

anyway where can i test that pass cracking thing?

what passes you wanna crack?

hmm idk

i only have 4hr of xp in kali

and very little knowledge abot hecking

but what passwords you're talking?

1 min let me think of that

when i think of pass i only think of google and other web accounts >>>>>>>>

they are types of pass? ig i should watch a tutorial

https://lmgtfy.com?q=password hash

https://lmgtfy.com?q=cracking password hashes

Hi! About the File Upload Attack skills assessment, I have troubles finding the upload directory, I searched in /contact and /contact /submit.php and the js script. Does anyone have a hint for this part? Also do you know any better methods to find the upload directory than reading the source code?

Best hint I can give you is to look at the other file upload attack sections and read the hint from the skill assessment. If you do both of these you will get it

Module: Web Proxies
Section: Skills Assessment
Question: Once you decode the cookie, you will notice that it is only 31 characters long, which appears to be an md5 hash missing its last character. So, try to fuzz the last character of the decoded md5 cookie with all alpha-numeric characters, while encoding each request with the encoding methods you identified above. (You may use the "alphanum-case.txt" wordlist from Seclist for the payload)

This question is driving me crazy! I know I have decoded the cookie correctly and I know how to re-encode the cookie with the .txt file reference. I've tried fuzzing the following 3 URLs with GET requests: /; /admin.php; and /lucky.php. I don't know how I could modify the POST request without trying to find a collision with the MD5 decoded cookie but that seems outside the scope of the module. The only way I see that being useful is in order to hack the password which is posted in cleartext.

I'm out of ideas. Can someone please give me a little hint to help me solve this puzzle???

I would use burp and simply do all the requests with each cookie, the one that is accepted is the correct cookie, once you have that you can set it in your browser and access the pages

Thanks, Greyer! Turns out i was encoding the cookie incorrectly. I thought i verified the encoding but I guess I didn't 🤦‍♂️

Hello, module File Inclusion - Skills Assesment looks like broken, no one of methods from module does not work (( any help pls

@winged hedge help pls

You have been infected with virus. Please evacuate !

my virus is working buahahah

can u help me with task pls? i think crackers down it

feel free to dm

what does mean dm? )

it means you may send me a personal message

Hello, module File Inclusion - Skills Assesment looks like broken, no one of methods from module does not work (( any help pls

My issue too. Were you able to get that directory or did you just do it without?

Can someone help with the Intro to Python 3 module? I am stuck on the last section "Managing Libraries in Python (Continued)" I have answered questions 1 and 3 and I know the answer to 2 has to be tuple but it doesn't accept it. Anyone have a hint at what I am missing? EDIT: I wasn't typing the < > . Always the simple mistakes.

you have to enumerate the nibbleblog directory which will lead you to the upload directory. Upload a php reverse shell and then use curl to run it. Make sure you have a listener going.

see my comment on alpha's original post.

Hi guys ! how many % did you get at the Hashcat Skill Assessment ? 🙂

so far, i spent the time.. got around 82% of passwords recovered. What's yours ?

can someone help on the skills assessment for attacking common applications? close to the flag but missing something

nvm, figured it out

Is Foxyproxy disabled for anyone else when doing the Web Requests module?

kudos to the creater of attacking common application module, great module

Hello, module File Inclusion - Skills Assesment looks like broken, no one of methods from module does not work (( any help pls

Yeah some exp from the boxes, so some things were familiar but a lot of things were new. And the approach in the module is manual rather than just rushing through linpeas.

Does anyone fix log4jbug?

I'm stuck on the ZAP Fuzzer section within the Using Web Proxies module: I have found the cookie no problem, but I can't see how I'm supposed to use the fuzzer on it? I can't see where I can fuzz the response? Can someone help?

Also very stuck!

in that image, the cat command and pipe aren't being used correctly I think

you need to get into the directory you want, cat "file" to read its contents

Yes, thanks I understand that part it's the dir path I can't seem to find "./../ "

I found it by cd .. one step at a time

eg: 1;cd ..; cd ..; etc

hmm any resources you could point too?

not really, I just added a cd .. to ls+-a; until I found something interesting

Hi . I am stuck on Active directory LDAP search filters with this question: "Find another group, not listed in the section output, that harry.jones is a member of...

I tried to enter a lot of Powershell commands but results the same

https://lmgtfy.com?q=who is ur mom

cringe

Tip of the day: When using Pwnbox and Ctrl is not working, press ESC twice on your keyboard and that should be the same as if pressing Ctrl.

Thanks for the reply. Finished it as well today great module. Glad I took it 🙂

Hey guys, I hope it's okay to ask this question.

Has anyone done Cracking passwords with hashcat? and if so, did anyone have issues when attempting the Working with Rules assessment? I'm following the hint provided but I keep getting the exhausted status. I even tried to use a Combination Attack instead

anyone around that can assist a little on the login brute forcing - web login assessment? Im working through it, hint says to re-use a username previously found but nothing is clicking after 4h of running wordlists at it

@formal vessel DM me.

@gray wing DM me.

@main vapor Have a moment for a DM question on Getting Started mod?

@crimson path I did not do that one but no problem I will try to help.

Can you please provide me a hint been stuck for awhile!

@lean saddlerator Is there an issue with the Cracking into Hack The Box / Web Requests / GET? I feel confident that I have the correct answer to the flag.php question, and I can curl and get the flag through the browser., but the question I cannot seem to make happy.

happy to discuss DM

@trim scaffold you can DM me. I did that one a few hours ago.

can someone help me with the Attacking Common Applications skill assessment 1 module? i tried using msfconsole/fuzzing and got nothing

Hello, everyone. I am having trouble with JavaScript Deobfuscation Module. This has to do with this question:

"Try applying what you learned in this section by sending a 'POST' request to '/serial.php'. What is the response you get?"

what files did you fuzz for? 🙂

anythign

thing

What I am trying to do is to intercept the HTTP requests for the target using Burp

got a working uri on metasploit and it wrote that its vulnerable but still didnt work

Unfortunately, the Firefox proxy is turned off by default. I am not sure how to turn it on....

hint: cgi-servlet

didnt found cgi-servlet 0_0

ty

However, the curl command didn't work. My curl command was curl -s 167.99.89.198:32759 -X POST

I also tried curl -s 167.99.89.198:32759/serial.php -X POST, but I got the same result as I did for the previous POST request to /serial.php

I was thinking that maybe burp might work

AGrinch helped me out. thank you. I was getting the correct answer but misunderstanding what the question was asking for.

😂. You can’t ping staff so you pinged a random member

sorry about that

new to Discord

isn't it explained in the module? not sure if this was a different module. you don't need to intercept anything for this question tho

Please provide hint if solved !

Hello everyone, I am is developer php and nodejs , i want to learn hacking

Haven't solved it yet

@mild kettle @quick hollow DM me.

Well, I am doing what the module says, as you have to send a Curl request to /serial.php. I am not sure if the problem is how I am formatting the request.

For example, I am doing curl -s 167.99.89.198:32759 -X POST

but this request has to point to the /serial.php (script?)

curl -s 167.99.89.198:32759/serial.php -X POST. I am thinking that /serial.php might be a script.

this will give you the answer to the question

unless your box is down that will return you the string for the quesiton

or if you have the wrong ip

I am new

hello

What

hey guys i need help with a question from HTB academy. Im using burp intruder to find .html files under admin directory not sure if its the list of payloads im using or i have the payload position wrong. Im working on "using web proxies" module.

hey

i need help, im doing the web enamuration module under getting started

and whenever i do the gobuster dns section

i get an unable to validate base domain error

any ideasa?

ive tried basically eveerything

send your full command

sorry for the screenshot

i mean i got the answer for the module just confused why gobuster wasnt cooperating

hi . has anyone an idea or solution how to solve this problem:

Traceback (most recent call last):
File "joomla_dir_trav.py", line 25, in <module>
import click
ImportError: No module named click

its in module attacking common applications -> joomla

i have done now everything i found to fix this but its not possible to fix it

i deleted the modules, reinstall pip nothing helped

its this exploit to run it in python2

https://www.exploit-db.com/exploits/46710

You need to put the url switch

-u or --url

ohhhhh

small brain

thank you soc1ety

anytime

@rustic sage mind if i ask you one more thing

yep go on ofc

im doing the public exploits module

and im using nmap rn

and for some reason

it shows 0 services

nmap 167.99.202.131:31219, says cant resolve

and nmap 167.99.202.131 aswell

if i add -Pn it scans but finds nothing

tried refreshing the box 167.99.202.131:31230

same thing host seems down

try nmap 167.99.202.131 -p31219

or -p followed by your port

host seems down

Shoot me a friend request we'll see in DM if you don't mind

not accepting friend requests

you shoot me one

aye yeah I always forgot, pardon my dumbery

sent

run it with python2.7

and you need click for python 2.7

Ok, thanks. My pwnbox was down, and I got the flag. However, I have another problem with question 3 under the Skills Assessment for that module: "As you may have noticed, the JavaScript code is obfuscated. Try applying the skills you learned in this module to deobfuscate the code, and retrieve the 'flag' variable."

The deobfuscated var flag was HTB{n" + "3v3r_" + "run_0" + "bfu5c" + "473d_" + "c0d3!" }

You can use Decoder for that in Burp suite

I am not sure what the hint means to stitch it all together

@weary forum is that a real flag? If yes please delete it. Don't post flags of active modules

No, it's not the correct flag

OK then just ignore me

did you get it? you don't even need decoder for it, can also just console log it to get the correct output

dm me if you need more help

can anyone help me in web attacks - skills assessment? 🙂

Anyone around that can give me a hand with the MIC flag in the Hashcat module?

I've triple checked my syntax against the lesson, verified no failures during the binary creation, every time I get exhausted using the rockyou wordlist. A search here found 2 others that had the problem, one of them said they got it working by trying it on an a pwnbox, I've done it now on my own Parrot VM as well as PWN and I'm getting the same result on both.

@lament hollow DM me.

Yes, I got it, thanks so much. It's just that the hint was confusing.

HI! about file upload attack skills assesment i am able to read /etc/password but i couldnt get the flag any hint pls

HI! about file upload attack skills assesment i am able to read /etc/password but i couldnt get the flag any hint pls
Replying to M4d3y3
ON

Message #modules

Hi, so I'm doing Knowledge check on getting started module, got admin credentials, connected to admin login page but says that credentials are not correct. Any idea?

Hi everyone! I can't find the upload directory for the skills assessment for the File Upload module. I've searched the JS code and all the other code on the site. Any help would leave me forever in your debt 🙂

im thinking my javascript reading is off :S

Can anyone give me some help with the hashcat Perform MIC cracking?

MIC cracking?

if you are having issues with hashcat, let me know

I think the xss phishing module exercise is broken... its been loading for about 10mins

i've refreshed the page a couple of times

HTB academy having some outages?

OSCP grads, how prepared would I be after completing all skill paths, including solving a few boxes each week? (I'm taking the next semester off Uni, so I'll have too much time to waste)

How to hack

Look for "url"

Hi everyone. Can someone help me on the the section " RCE via theme editor" exercise from module "attacking wordpress" from the hack academy? I am stuck. thanks in advance.

Hi, can anyone help me with privilege scalation for root flag in getting started module, knowledge check, 2nd part

I already got directory with sudo privilege with sudo -l. I dont know what to do with gtfobins

if i try to run reversed shell command from gtfobins it gives me error unable to connect

Got it working now

can anyone help me in web attacks skills assessment i stucked 🙂

Where are you stuck?

thanks for your interest i found the solution!

can anyone tell me how to start learning

you have to create an acadamy account

https://academy.hackthebox.com

Hi, anyone can help me in the Hacking Wordpress module? WPScan give me that the host not running wordpress.

I only found the /contact/upload.php :(. I have no way of viewing the upload.php source code

is there anyone that I can dm about this? 🙂

Currently fighting Firewall and IDS/IPS Evasion - Medium Lab, any tips?

Scans seem to be running far longer then they should as well.

Hi, I am stuck on the Skills Assessment - File Inclusion/Directory Traversal module. I feel I am really close to the flag but for some reason my cmd's are not going through to display the flag.

are you using pwnbox or the VPN file? I had a box I couldn't reach unless I was connected to the VPN

I was using a VPN key. Switched to Pwnbox.

ah

LOL Main part....... I was forgetting to check the status.php I was tripping the alerts and getting blocked. LOL Got carried away and was forgetting stealth....

lol

@slow ruin DM me.

I wish I could figure out how to find the directory for uploads in the uploads skills assessment 😦

I think I've read all the code... and found the php file the upload is making the post request to

but I cant see the source code of the php file

im not good with webapps :/

Hey don’t post that please as it’s a solution

👍

Who can fix this mistake, she is more than 3 months old.

What ?

Writes that the flag is not correct.

Thats because it’s not

The \xYZ is just a representation of non-printable characters

Remove those

Is it possible that the last Skill Assessment (Service Login) in the "Login Brute Frocing" Module does not work. I cannot reach a server, equal what I do. No contact in server, nmap, ping... Is it down since at least a day? VPN or From Box, both shows the same issue.

I wrote a weak ago, that the flags will not get accepted. Maybe they build it new. A pitty that the communication seems to be so underdeveloped. Guess they forgot, you pay for this...

guys for some reason the HTB website wont let me submit the answer :/

any1 know a fix ?

its just stuck on this

wont tell if its a correct or a wrong answer

maybe remove the extra quotes

thats not the prooblem

it just the same for any input

no response from site

maybe you're missing the http://

In the Shells & Payloads module (Reverse Shells section) - I keep receiving an error of missing ")", ";", etc. in the provided PowerShell command. I copied and pasted into notepad of target as provided. Does anyone know if I need to further modify the PowerShell statement to remove the errors

Have you tried running in cmd?

I had not - and that works. What is the difference between the two (or why does it work in one and not the other). Thanks for the feedback!

This module teaches us and says that a certain shell gives us different opportunities. I only started in cmd (disabled WD?)

Hey guys just a quick question. Who should i contact if there is a backdoor-programm in the Cheat Sheet from sql-injections cours?

i know a bit ironic

Did you by any chance forget turning off BrupSuite?

i didn’t use it

@solar zodiacFYI, forgot to mention, I was able to get this quickly in the Pwnbox.

sometimes you have to go back to dashboard, login back in, then try and submit.

ill try that now

no luck :c

I went back and looked and my answer is the same as yours without the quotes. i.e <a href="website">

its all about the script you run in nmap and make sure you only check the open ports

Yep. I was having issues because I tripped the Firewall, couple spot lower I mentioned that. LOL 🙂

Has anyone completed the module "DNS enumerationg using python"? I am stuck on the main function.

ahhh i forgot how easy it was to do that. I just slowed down the scan time with -T2

LOL Don't work on HTB while exhausted....LOL

its not that

its just that the webpage doesnt give me a response when i input something

its just stuck on this

no incorrect answer either

I guess contact support then. Does the hint work?

yea

strange.

ikr

never happened before

has anyone done DNS enumeration using python?

Hi everyone! is anyone available to discuss the skills assessment for the web attacks? I've found IDOR, but am not sure what the next step is

Hi, I'm doing SQL Injection module and I'm stuck at Subverting Query Logic. I tried bypassing with or operator but when i try to login it always says error in syntax

Also checked query and there are no error but page says that they are

guess we are all stuck here for now lol

i really wanna do some AD/windows boxes the upcoming weeks, best module to buy is probably the windows privesc one for this?

Im stuck on a python script that seems to stop here - zone = dz.from_xfr(dq.xfr(nameserver, domain)) - i can verify it works up till that line then nothing after seems to work nor does it throw up any errors.

Check this, maybe it is a AXFR denied
https://stackoverflow.com/questions/60784723/why-is-dnspython-zone-transfer-sporadically-failing

I tried that one. Most of the code in it is depreciated.

Help, how yo verificate?

To

message the bot "HackTheBox" at the top of the server members list with ++verify and follow the steps

Thanks

Hi everyone! I'm still stuck on the web attack skill assessment. I've found IDOR ,nifty tokens, and verb tampering. Im not sure how to identify which account is an admin account since there is no role in the json data, and don't know how that would lead me to RCE anyways. If anyone wants to help I would greatly appreciate it 🙂 I

hello friends! I was wondering if someone could give me a nudge in the right direction, been stuck on a question regarding active subdomain enumeration for a while now. how do I query individual zones for domains and how do I query these subdomains? 🙂

hey, how did you go with this? I'm pretty stuck on this section.. I can't get my head wrapped around on the zone transfer.

I’ve solved it. Will DM you shortly

Im trying to reach out to a support engineer for 2.5 hours now but still no answer...

I made a 450 eur purchase which needs to be resolved asap

can someone from the team pm me?

anyone here subscribe student plan?

If i've already taken student plan, are the student plan will be available again?

Hii 🙂
Someone have a nudge for Server-Side Attacks SA ?
Am unable to identify the technique to use.

https://github.com/B1rby/Stack-Based-Buffer-Overflows-on-Linux-x86

Find a hidden Web page. Read every source you can read.

hey there, im struggling with the correct answer in module "Introducing to Academy" Section " Interactive Section with Terminal" . They want to know the Operating System flavour. Isn't it " Debian 5.10.28" ?

Thank's i got it😊

should i put the osi model on my wall or will that give me ptsd

in vocational school while i was in high school it was what i hated the most

everyone，how do you know mysql_core

I want to know how he executed it

Same here, still not in my head, all i know is that there are 7 layers

anyone free to give a nudge on firewall IDS/IPS evasion hard lab

i guess my big issue right now is I'm only seeing two ports open

Hi, I'm stuck on the command injection module with the Skills Assessment, I've found the command injection but I can't make it works to show me the flag.txt. Any hint? 🙂

@scarlet finch Are you sure this approach is correct? I opted to find the path on Pwnbox and got it correct from first time. ||"locate laudanum" does the trick I think 😇 . ||

will send u a message in dm

yeah pretty much the same thing here

Hello to all colleagues, could I get here a little orientation with a module?

Ofc but you have to directly state your problem in order to get help

Thanks, it's my first time interacting here. I am in the final part of the Getting Started module, and in the final exercise, I have been able to obtain the user.txt file, my problem is that I cannot give root privileges from www-data and I only have access to the / usr / bin / php any suggestion on how to get rid of the privilege?

the plataform is getsimple

@hollow hearth ||Have you checked GTFOBins? https://gtfobins.github.io||

yes, I have tried some commands, but I am not sure if I have tried the correct ones,

i use https://gtfobins.github.io/gtfobins/php/#reverse-shell

Use what the ||sudo section teaches. ||

ty i tried too whit comands https://gtfobins.github.io/gtfobins/php/#sudo What I really don't know if I'm using the command correctly, since I've followed the example but didn't have success

@hollow hearth DM me.

ok

<@&861185840277487616>

Thanks

need some help with php web shells (last question) on #Shells & Payloads module #HTB: Academy. I'm doing something wrong, but not sure what

Feel free to DM me when you have time. Ill help

Hey all, I'm on the Knowledge Check of the Getting Started module. I feel like a dumbass, but I can't find the 'user.txt' file for the life of me; I've used metasploit and successfully got a shell on the machine, but looking through the directories I really can't find it. Short of dm'ing me, what's the most likely location for such a file to be?

i didn't do that module, though I'd probably try using locate or find first

That's the odd thing, I went all the way to the root and did 'search -f user.txt' and it said there were no matches at all.

Have you looked in the home directory for user directories?

gahhh, of course, there it is! thanks a ton!

No problem! Anytime 🙂

Open question to anyone who has been doing the Academy courses. Does it matter if I use Kali on my own computer or is there benefit to using the PWNBOX instead. I notice that on occasion the results in the walk through / instruction pages do not always match what I see in Kali, so is that something that others are seeing? Sorry, noob asking noob questions.

have you tried downloading the vpn key for the modules

I am using the openvpn and it works fine. I have been using VMWare and run Kali then VPN to my openVPN connection and work from there.

I think it depends of the courses but I always used Kali personally. I dont like pwnboxes

I figured I would float the question since I am pretty new to the Hacking / Testing. I have been working with computers for 17 years as a manager of an IT department, but this stuff is pretty new. I want to start off on the right foot.

Great to have you. Id recommend starting with Introduction to Academy and Getting Started modules. Ultimately follow what interests you most and feel free to reach out here if you need a nudge.

https://academy.hackthebox.com/course/preview/introduction-to-academy

https://academy.hackthebox.com/course/preview/getting-started

Thanks for the recommendations. I will take them. I have gone through the Starting point Tier 0 and 1 and part of 2, but I think that I need to go back and do these.

good call, I had done the Intro but not the getting started.

The starting point is great to learn the methodology to do boxes, that and ippsec videos

Also read ctf writeups

I will put that in my notes.

I would also suggest making an htb account (not academy) so that you can ask stuff in the relevant channels

I have an account for both.

but the best way to learn is to practice, struggle and understand so don t hesitate to start a box.

Then you can use /verify and give your discord token to the bot in dm

roger that. I would have to agree with that as well.

isn t in the bot command ?

Like itnbob said, the best is to focus on what you like

this is great feedback. thank you all for the help

But yeah take your time, enjoy the different stuff and ask whatever!

Np Np, have fun dude

Hello everyone,
I'm stuck at the Module "NETWORK ENUMERATION WITH NMAP" and I feel really stupid:

The task is to " Enumerate the hostname of your target and submit it as the answer. (case-sensitive)"
I can't figure out what I am supposed to do:

I tried:

• nmap -sL $TARGET : 0 hosts up --> So the hostname is not in DNS
• nmap -sC $TARGET -p- yields 7 open ports but I can't find anything resembling a hostname
• Opening the Website on the Target IP-Adress: Apache2 Default Page (no hostname here)
• ping $TARGET Target responds but still no hostname
• "www" is also not the correct answer

The current task teaches how to Discover open TCP Ports and UDP Ports. It is supposed to be a fundamental task but I'm stuck for like 1 hour. What am I missing? Can anyone help?

Solved.

Hello everyone! Does any of you know the XSS module skill assessment? I remember the first days I approached it, when I tried to publish the comments, after the refresh of the page, the comments appeared, not comments don't appear anymore. Is it intended or not? I'm afraid it could affect my xss injection

looking for a little nudge in the right direction on this one;
Module name: "Web Requests" - Section: "POST Method"
Q; "Login with the credentials (guest:guest), and try to get to the admin user from what you learned in this section and the previous section."
I have been able to login using guest, then manipulate the cookie to get to the admin user's dashboard, however I haven't been able to get a flag to pop.

if anyone's free, I need a nudge on Network Enumeration with Nmap - Hard Lab. Mainly having issues finding a port

Hello everyone,

Please can anyone help me with the module Getting Started - Knowledge Check.

The target is a web application using get simple cms which is vulnerable to php file upload vulnerability.

As of now I have enumerated the machine using nmap, gobuster etc.

I have found admin username and password of the machine and tried to use an exploit available in the metasploit. But it gives me an error stating exploit aborted due to failure. $ip upload failed. I tried changing the TARGETURI to all the available directories but still the same issue is coming. Please help if possible

Thanks in anticipation

hi - I'm working on the web requests module, I'm on the PUT and DELETE page where you have to create a flag.php file containing <?='cat flag.txt';?>, PUT it on the target system, and then request it. I've done all of this, successfully put the file there and successfully requested it, it contains the right stuff, but I don't see a flag - can someone possibly guide me towards doing it how the module wants me to? thanks in advance

nevermind

wow

so to anyone reading this having trouble with that module - don't bother reading the cheatsheet for help

the answer isn't in there

nor is it in the actual module content, just do 'curl -h' and you'll see the option you should use

What did you put for TARGETURI exactly ?

hey. could someone help me a bit with the web attacks module?

im stuck here and idk what im doin wrong

i have a problem with the bypassing security filters part in http verb tampering section

Hello! Module academy - "Attacking Web Applications with Ffuf" - "Skills Assessment - Web Fuzzing". Task "One of the pages you will identify should say 'You don't have access!'. What is the full page URL?" says that im wrong. But i found it. Whats wrong?

@stark tapir check your DM's bud 🙂

@wind pebble check DMs 🙂

@steel trout check DMS too!

Did you ever figure out how get a shell on this one? I am stuck also on the last question of the assessment. I can't find a way into the tomcat application.

Can someone give me a hand with the last question in Attacking Common Applications Skills Assessment 1 please?

Yes, ghostcat is not the exploit you're looking for. There ist another one where you have to guess a folder and fuzz the file name

Hi im on getting started module section knowledge check and i have gained access to the console with msfconsole with an exploit but i do not know how to transfer the lineum.sh file to it because it doesnt have curl or wget

Hey all, after some guidance/ nudge if possible, seems im partially losing the plot. the question is: Submit the FQDN of the nameserver for the "inlanefreight.htb" domain as the answer. Despite adding to /etc/hosts... im getting an error in nslookup, and for life of me cannot workout what im doing incorrectly. The error im getting is: "** server can't find inlanefreight.htb: NXDOMAIN"

Still fighting with the NMAP Hard, I find the open port, but am getting

nc: bind failed: Permission denied

Stopped the service that uses Port 53 and no change.

This is via the Pwnbox, tried last night and was the same for both the pwnbox and vm.

Holy crap I'm dumb!

Just about to type u need to sudo the nc lol

LOL

until i read the rest of your message lol

When something doesn't work that you know should work...... its irritating because you know its going to be something stupid simple! LOL

In the Hacking Wordpress module on section "Directory Indexing" the target site loads infinitely when adding /wp-content to the end of the url, despite that literally being what it wants you to do. Nothing comes up using curl.

try /wp-contents/ with a trailing slash. I think i had that problem too

This module is making me go crazy, on the skill assessment section wpscan doesn't even recognize the target site as a wordpress site.

Hi everyone 🙂 can anyone nudge on the directory traversal skills assessment?

I've leaked the php code and read index.php. I looked for config.php but it wasnt there 😦 I also noticed there was a filter on ../

hi, you can solve the problem? im add blog.inlanefreight.local at host.conf and resolv.conf. nothing work.

Hi all. I'm stuck in the (hack wordpress) module in the last instance. I can't resolve the host of my target. (blog.inlanefreight.local) add to host.conf and resolv.conf file "blog.inlanefreight.local" but still not resolved. When entering the objective directly this load without problem, I mean the start page. but seeing the link where I understand that the target will be, I cannot resolve the host. Use vpn and also PAWN machine. in both change the settings several times. I also respawn on the target. I just can't resolve the host. or I think that's the problem. Any ideas?

Windows Fundamentals- skill assessment
Can someone help me for this 3 questions?
-What are the commands to type in the powershell to solve thees questions

ZAP Scanner, found high-level vulnerability yet can't seem to grasp how to find the flag. HELP!

Hi, can anyone please help me understand where I'm going wrong in this question - under the web requests module in htb academy

You're looking for the sum of two numbers

Thank you. I realised it could be two values that I need to find out. I just tried ip:port/flag.php?num1 in the browser but I get a
Parameters not found! Error.

Hi all. I'm stuck in the (hack wordpress) module in the last instance. I can't resolve the host of my target. (blog.inlanefreight.local) add to host.conf and resolv.conf file "blog.inlanefreight.local" but still not resolved. When entering the objective directly this load without problem, I mean the start page. but seeing the link where I understand that the target will be, I cannot resolve the host. Use vpn and also PAWN machine. in both change the settings several times. I also respawn on the target. I just can't resolve the host. or I think that's the problem. Any ideas?

@true gyro check DMS

@deft ruin sent you a DM too brother 🙂

Stuck on the Web Attacks skill assessment. Every time I try to change a user password within settings and hit ‘submit’ nothing happens. Any ideas as to why?

which module? part? question?

Anyone for Firewall and IDS/IPS Evasion - hard lab?

I passed that one.

there is an IPS/IDS evasion module :O?

yes, part of the Network Enumeration with NMAP module.

I am stuck on the Shells and Payloads module, Skills Assessment, Host-2. I know what exploit to use but I am either missing the targeturi, or the vhost setting. Anyone have any tips?

what url did you come up with. It took me 6 steps to get the proper dir. DM me for some help

Hi all. I'm stuck in the (hack wordpress) module in the last instance. I can't resolve the host of my target. (blog.inlanefreight.local) add to host.conf and resolv.conf file "blog.inlanefreight.local" but still not resolved. When entering the objective directly this load without problem, I mean the start page. but seeing the link where I understand that the target will be, I cannot resolve the host. Use vpn and also PAWN machine. in both change the settings several times. I also respawn on the target. I just can't resolve the host. or I think that's the problem. Any ideas?

Hi, how are you? I'm stuck in that section and I can't move forward, I don't understand the question very well, what is this?
Login with the credentials (guest: guest), and try to get to the admin user from what you learned in this section and the previous section.
But I try to climb and can't find the flag

What happens is that I already tried to use what I learned in the section to find the answer to the flag and could not find it, since I thought that with the cookies when decoding them in base 64 a flag would come out but it was not the correct one and when logging in in The page left me another flag (being an administrator) and neither, and I had no idea where the flag is to pass that section, I do not know if someone could help me in guiding, in what steps to follow to get it, I would very much appreciate the help

@jolly jasper check your DM's brother 🙂

@hallow saddle check DMs brochacho 😉

hello me from the past! We solved this after two days but we finally succeeded. sudo nano / etc / hosts edit the file with (target's iP) tab (blog.inlanefreight.local) done! it is not editing the hosts.conf file or resolv.conf it is directly the etc / hosts path

<@&861185840277487616>

👀

hello can someone help me, im stuck at #OS exploitation of #sqlmap-essentials, couldnt find the another flag within the host. appreciate any guidance!

hello, thx i've done it, the problem was that i should type word "PORT", but not actually port number of spawned machine )

Hi! Noob help please. Can someone help with with the last skill assestment - wordpress? you can DM in needed (discord search button not working. thats why asking because maybe its already questioned) I am accessing LFI through site-editor but cant find the flag

I am adding ...ajax_shortcode_pattern.php?ajax_path=/home/erika/flag.txt but that is not the correct answer I suppose

Does anyone know where I can download the Academy VPN from please?

I can't seem to find it anywhere

Not every modules need to connect with openvpn, either that or Docker that you have to deploy (IP:Port)

if you need a VPN key it will be given to you with the questions you need to answer

has anyone done the shells and payloads module?

I have a question regarding the BugBounty Path, 3rd module, using WebProxies, section, webFuzzer, Zap Fuzzer. On the virtual machine in the browser, ZAP cannot be found/isnt installed. I attempted to install and or update the htb vm, to no avail. Is there a certain way I need to attempt to install zap or Do i need to create my own vm etc?

DM me if you need some help still.

Hi! guys, I have a question does taking note important because I don't love to

It saves you a lot of time by not googling the same things everytime

I'd say that would change per person depending how to learn and retain information.

but also that ^

• it helps you to build a metholodogy when you don't have one, tldr its up to you but really useful

I actually take notes when I am hacking but I don't love to take notes when I am learning

It's not mandatory to take notes on everything you're learning of course, only on what you think is useful / may be important to remember and/or use later for example

It really depends on you & how you learn things the most efficient way

(e.g if you have a really good memory or more a video learner or idk)

that good info man thanks

If you find yourself going back to old modules 50 times when you're trying to remember something to use, you may want to take notes etc

+1

Anytime, even though I'm saying very basic stuff

but if it can help

I use sheetcheet all the time it's good for me because I know what I am searching for

I have a cherry tree doc that looks like the crazy guy from beautiful mind went at'r

https://book.hacktricks.xyz/ is a very good one if you don't already have it

Obsidian ftw by the way

Off to work- have a good day

I went back and wrote documentation with screenshots for most of the modules i have completed and it's been a huge help

I have this HackTricks too. it's very good

you too man

https://anhtai.me/pentesting-cheatsheet/

Hi, i guess i might need a hint. I am quite a HTB-Academy beginner and choose the wordpress module (Dont worry, i completed other modules before and got some pw cracking knowledge). I completed the module with reasonable ease (or so i thought), but now i am stuck at the Skill Assessment. I am failing to locate the wordpress parts of the website, i tried several things but i failed. I feel a bit bad asking for help tho haha.

Same with me, using wpscanner it said that it wasn't able to detect wordpress. Pretty sure its broken but I dunno.

The problem is, that i am not really sure if it is part of the assessment 💀 😂

Yeah I don't think it is..

Hi, I have some problems with the module Setting Up, someone can help me?

We can try, what is the problems ?

hi i got a question about the getting started module and the section Public Exploits i don know wich exploit i need to search for to get into the Target Machine can somebody tell me the name of the Exploit or so and also i don know if iḿ supposed to be able to ping the machine but i can not so i don know if iḿ propperly connected

Hellooo

?

im a noob but let me check if i can help you with that

are you connected to HTB VPN ?

if you cant ping the target you probably are not connected to the VPN

First try to do a nmap on the target, that you learned in "Service Scanning"

The machine in "Public Exploits" is open to the internet, so you do not need VPN, but it will take some time to start up.

ok i guess iḿ not connected atm so iĺl work on that

but i should be able to ping the target right?

no, ping, but try with your browser 😉

and should nmap work?

Let me check to make sure ...

Is that "Nibbles - Privilege Escalation" ?

it is the question/Test machine in the Public Exploits section

How can I insert date and time in Kali Linux? In module 4 there is some script that i don't have in my machine

I can't paste the command here, but there is a PS1 variable definition that require some script, i don't have it and i can't declare the PS1

@untold kiln i need to find a public exploit to try out on the machine but iǘe already tried many and don t know how to search for the right one

No, nmap.

arh, ok, try and open it in your browser/firefox first.

When you say module 4 , do you mean at "Nibbles - Privilege Escalation" ?

Hey all, I am doing file transfers, first module second problem, Upload the attached file named upload_win.zip to the target using the method of your choice. Once uploaded, RDP to the box, unzip the archive, and run "hasher upload_win.txt" from the command line. Submit the generated hash as your answer.

what did you use to upload the file?

sorry I could be kinda dumb, ive been waiting for a target to spawn for a while now, but its just stuck on 'Target is spawning'.
is there a way to debug this? thanks

just refresh the page and wait without pressing the button

it happens to me everytime i try to spawn a machine , it maybe because of the ad blocker or something on my end i didn't actually ask around if this is a problem everyone is having

neat thanks, i tried chrome (instead of opera) with adblock disabled and its working now

happy to help man

hi

Hi

dm me if you still need help with that

Hi, i'm doing the Skills Assessment - Web Fuzzing and I don't know why don't I get all extensions for all subdomains
||
ffuf -w /usr/share/seclists/Discovery/Web-Content/web-extensions.txt:FUZZ -w ext.txt:FUZZ2 -u http://academy.htb:31146/index.php7 -H 'HOST: FUZZ2.academy.htb'
||
the contennt of ext.txt is
||
archive
faculty
test||

But I do find the third one when i do :
||ffuf -w /usr/share/seclists/Discovery/Web-Content/web-extensions.txt:FUZZ -u http://faculty.academy.htb:31146/indexFUZZ||

And for the last answer I gave the wrong wordlist but ffuf gave me some results (false ones)

where are the docker instance for File Inclusion / Directory Traversal . how do i follow the examples?

Hi

how are you?

are my messages displayed?

hello! I'm stuck. #Cracking passwords with hashcat> section cracking wireless (WPA / WPA2) in the first problem. I download and extract the .cap file generated the .hccapx file with ./cap2hccapx.bin. I make this .hccapx file hashcat -a 0 -m 2500 to indicate wpa, then it used the rockyou.txt dictionary in addition to this I tried different rules of the hashcat directory several .rules until I created some custom ones. everything works fine only the scan ends and the cracking fails. I calculate that I have the wrong mode or for some reason the conversion from .cap to .hccapx fails somehow and so I cannot solve it.

Solved!

i havent figured out a way to upload without using rdp first.

Even with rdp, I am having an issue becasue the box cant connect to the internet

🥲

Hello everyone! I am stuck on the Knowledge Check exercise at the end of the Getting Started module. I am not able to gain the initial foothold. Would someone be able to help me out ?

fyi 2500 is a deprecated mode

22000 is the current wireless mode

Hello Im stuck on the SQL Injection Subverting Query Logic Question. Whats wrong here: Executing query: SELECT * FROM logins WHERE username='tom' AND password = ''or'1'='1'; I always get logged in as admin instead of tom

Thanks yes, and in the tutorial show 1500.

Is it normal in htb academy I can't reset my password since 1.5 month ? do someone can help me i paid 2 month...

pls contact support

Where ?

because nobody respond

can anyone help me with Toby htb ?

yeah, I'm aware

working with the module creator to update all of that over the holidays

once you RDP, you can start an python http server on your attack box to serve the file to the target.

Thank you!

Ill give that a try

On the XSS module on the target page trying to add a comment is very difficult, it just doesnt let you comment. I have commented before but it took multiple attempts and i dont know how but I somehow managed to get it to start commenting. It seemed random.

Hey all, I am stuck at the "Active Subdomain Enumeration" of "Information Gathering". I found the Nameserver FQDN and also the quantity of the zones. But I cannot get the contents of the txt record. They always show empty, no matter if I look them up with dig or nslookup. Am I missing something important?

Hi how are you

So I've connected to ovpn and when I open up a second terminal to ping the target ip address it says destination host unreachable {continuous}

any ideas what im doing wrong?

Does the last line at openvpn says "Initialization Sequence Completed" ?

yes it does, but than how do I continue to use that particular terminal without opening another?

it doesnt just stay put, its restarting every 5 seconds

the OpenVPN terminal, can not be used and must be open for VPN to work. So you need to open another one.

sure, I tried that as regular user and as root user, it still cannot connect to the host destination

openvpn resets every 5 seconds could that be the problem?

you need to do "sudo openvpn xxx.ovpn"

yes, its open

the terminal is initializing every 5 seconds

that sounds weird

are you running a vpn on host or anything

it says initialization sequence complete every 5 seconds

no im not running vpn on my main os

just in virtual box

linux

perhaps i need an update and upgrade?

odd.. doesn't hurt to stay updated but check out the help faq for openvpn on the website and see if anything is applicable there

im connecting on machines and starting point

do I only need one of them to be connected?

on htb not academy? just make sure you're connecting to the proper ovpn for whichever range of machines/startingpoint/academy you're targeting

starting point has its own VPN connection

are you VM connected to the network by NAT og BRIDGE ?
Could be a security like IPS on you main OS that blocking/resetting it.

im vm connected by nat

and I see that starting point and machine have two different ips

so i need vpn for one at time?

Yes

Only one VPN connection at a time.

okay let me try it with machine so i can try to ping

I just want to say that the server-side attacks module is absolutely incredible. It has so much useful information. It adds in amazing info about bash scripting, python coding, exploit development, virtual environments to a treasure trove of info about the topic. It may be my favorite module from HTB academy. Good job guys!!!

Hey, guys! I just got into HTB and it's awesome! I got vip + in HTB and I'm wondering if it gives me access to HTB academy premium stuff too

Or I need to pay a different type of subscription? Thanks!

HTB Academy is a different platform

Oh, I see. Thanks for the answer

work through the 0 tier stuff just bouncing from module to module earning back the 10 cubes. great stuff

Is anyone else having trouble spawning the target in SQLmap essentials?

i had issues spawning an academy instance earlier

so i logged into starting-point to continue them

I am

Are you on the tom problem?

I’m in attack tuning. Seems it’s working again though

Can I ask someone about sql injection module, subverting query logic?

What browser are you using?

Nvm I got it

Maybe try running in Incognito mode. That disables extensions and other stuff

Hey, guys, how can I scan/connect to a target IP like 167.99.95.121:31153

it's different from the usual ones

do I have to register for the linux academy? it wont accept my current HBT credentials

Yes it's a different account

Okay, that makes sense now

identify the port 31153 or whatever it may be, ip:port - which connection method could change how you will use it ie: ssh user@ip -p 31153 etc

DM

half the fun though right

can anyone help on last question of the wordpress module?

Idk

the harry potter themed one?

Hi! Anyone finished the hashcat module? Got a weird situation with the last question in it (ntds.dit analysis), maybe someone could clarify what am I doing wrong? Thanks! 🙂

Hey

Could someone help with the last question on the skills assessment on the active directory bloodhound module ?

anyway im kinda confused on the "Attacking common applications" module. the OSTicket part is kinda unclear, it says to login with the corp email but where the hell do you find the password?

Hello I think there is a bug in the Web Requests module in Fundamental. If you want to do the task "Request and Response" using Burp Suite, Burp Suite is not set and you have to configure the options yourself. According to the task you only have to start burp and the extension should appear in the browser, but this is not true. You have to configure Burp yourself and as a beginner is somewhat overwhelmed. I hope you can help me 🙂

HTB Academy is the BEST !!!

thank you guys for a very awesome materials and well done work on the learning methods you using !

Amen to that.

It's very similar to Jetbrains.

Module: attacking web applications with ffuf
Skills Assement last question.

With what list did. you get the value of the parameter?

Yes that is not good. I had this problem myself. There are 2 versions of burp suite. In one version there is a builtin Browser that works. I did. all exercises with that and it worked fine for me

Oh cool I tried it and it works. I think in this case, only the task points should be changed. It should be pointed out that BurpSuite should be started instead of Burp and the builtin browser should be used instead of Firefox 🙂 Thanks a lot

No not the kOTH room. I mean the Wordpress academy module. Stuck on how to get a shell

Hi, did someone finished the Brute Forcing module ? I'm stuck on Skills assessment

Module: attacking web applications with ffuf
Skills Assement last question.

With what list did. you get the value of the parameter?

Cans someone help ? You can DM me too

sent dm

yeah i figured that but you can open the browser that related to burp suite and thank me after

is it recommended to use HyperV as the Virtual Machine for Kali or should i stay at VirtualBox?

so its not set to work with firefox and the setup is not actually hard , but to save time just use the browser related to the burpsuite itself

exactly ...

i guess we are on the same path learning would you like to keep contact and maybe study together , would be fun to try , im about to finish the post requests and move to the next module

Anyone having issues with the sql injections module? Most queries i try firfox says the 'connection was reset'.

Nvm I am a smooth brain

folks im in starting point with a question if anybody has the time to help me out. I would appreciate it

I am not all the way through but I can try.

DM

ok, im in starting point

I have gone through the first two tiers, happy to help if I can

Ditto ^

im talking with a guy in #starting-point

come there if you can

It looks like ToxDK has you covered.

Can anyone give me a nudge on Linux Privilege Escalation "Privileged Groups"? The hint says to "Grep within the directory this user has special rights over". The examples provided in the section don't seem to match up with what is being asked. For example it shows unzipping of the file "Alpine.zip" while under user "devops" --- but when I ssh in as user "secaudit" I do not have the permissions to unzip it. Should I be looking for some variant of the find command to determine which directory "secaudit" has special rights over?

Edit: I have tried using the example find commands that were provided in the "Special Permissions" section.

@trim scaffold So it says my scan is being blocked by host

any ideas what that might mean?

nmap -Sv

the regular ping works on the target machine IP

but cant get beyond that

I have changed my NAT to Bridged to try that and am still having issues

Im using Kali

If it's an IDS blocking your probes then maybe try something like spoofing source port 53, or using -T0 for paranoid mode.

https://redtm.com/docs/privilege-escalation/linux-privilege-escalation-cheatsheet-for-oscp/

I dont know much @west canopy but are you trying to open and write to a file? you cant save changes unless you are root user.

ehhh i'm making some progress . Pretty sure they aren't asking me to follow the steps that they provided in the section , which seems unusual. I managed to extract alpine.zip by using chmod +x , but I can't use the lxd command against it.

Like i just need to find which folder my current user has special permissions over. I'm probably overthinking it.

im not as far along as you

sudo nano {pathoffile}

thats about as much as I know about editing files, but perhaps thats not what you need to do

for instance I had to lookup steps and remove/add an app in the file and write out just to install discord on linux bullseye 11

it looked like you got squared away so I had to go back to doing some work. Looked like you got through the machine. nice. be careful with your commands. Linux is very case sensitive. for example, nmap -sV -sC would be ok. -Sv would not mean the same thing.

yes, its working now, he helped me figure out the problem I was having.

thats great

i've been spending a long time on this but do u know how i could solve this, like where to start off at? "Try applying what you learned in this section by sending a 'POST' request to '/serial.php'. What is the response you get?"

@rustic sage which module is that from?

Without knowing all the details --- I feel like you could probably use curl , or navigate to the page in your browser and use Burpsuite to Intercept the request and modify it to POST.

JAVASCRIPT DEOBFUSCATION

@rustic sage check DM's 🙂

anyone around

i need help 😦

module https://academy.hackthebox.com/module/35

POST Method

Login with the credentials (guest:guest), and try to get to the admin user from what you learned in this section and the previous section.

i did that and i got a cookie but i dont know what im actually supposed to do with that , since i dont have any other username and password

i tried admin : password and it worked , im just wondering did i obtain the flag by accident or it supposed to be obtained like that , sound to me its pointless exercise , i spent 2 hours trying to figure something out and it didnt work , tried to use json and {"$ge":"0"}

that didnt work aswell

so if the whole exercise was about guessing i think i just wasted 2 hours for nothing

@fierce pond about to send you a DM brother

why you need to send me a dm ?

Because i'm full of spoilers

oh

lol

dumb exercise

yea in real life websites use https so its kinda pointless

but its also possible i'm missing something

Any chance I could get a hint with that same problem? I've been struggling with this one for way too long too.

👍

Thanks for the help! @west canopy

Does anybody know if the Into to Assembly Language course covers 64Bit Bof please? https://academy.hackthebox.com/module/details/85

On file transfer: How do I get the zip file to the parrot machine (to then upload it to the target)? The vm has no internet connection

I tried base64 encoding it and then copy to vm and decode to zip file but it smh didn't work getting an error when trying to unzip

Also when I base64 encode and then decode and encode again I get different output?! Edit: It worked after saving the b64 in a file and reading from there, pasting directly into terminal smh messed it up

Sure ! DM me 🙂

Hi. I need help with a single question from BROKEN AUTHENTICATION in Academy. I am stuck on the “Weak Bruteforce Protections” on page 5, question 2: “Work on webapp at URL /question2/ and try to bypass the login form using one of the method showed.” Hint: “This web server doesn't trust your IP!”.

I forged a X-... header and sent it using different IP, with BurpSuite and Curl. I also used the python script to no result. I don’t find anything. I went through other questions later in this module without any problem, I just need this one to finish. Please help!

i havent started the academy because i created an account on the main hackthebox website and it doesnt let me create an account on the same email for the academy

by the way, does hackthebox work on wsl?

I think you can just login with your normal account

i just restarted my account (deleted and recreated in the academy)

As long as you're connected with OpenVPN client on your host it should work

I didn't try

does openvpn work on a windows pc?

windows 11 to be exact

Yes

okay, perfect.

https://openvpn.net/vpn-client/

Yes it does

Keep in mind that if you are connecting to any of HTBs networks from your personal system where you store your personal data there are penetration testers in training on the network. Its strongly advised to use a dedicated VM, computer or Pwnbox when learning with HTB and connecting to our network environments 🙂.

I am using WSL.

WSL is cool tech but it mounts to the file system in Windows so it has access to your files. Just be aware of that.

can i ask a question related to academy here?

sure

challenge on Remote File Inclusion gives me an ip no port and i cant even ping the machine. what is the trick?

File Inclusion / Directory Traversal module?

yup

make sure you're using Pwnbox or connected to the VPN

vpn looks good from host.

did you try to access it via browser?

yes

feel free to pm me

is https supported on this ip?

http works for me

because ff redirects it to https

check your ff settings, you most probably configured it to force https

same here, i dont get it

the pwnbox was able to access the web page. however something weird seems going on on my setup. because i dont see the trafic i should.

can someone help on Linux Fundamentals module? couple of questions system information are not making sense to me, they have many answers.

nv i just figure it out. i did not know that you have to ssh in order to answer the questions, the information you get from the pwnbox is not the right one .

Hiya, I'm trying to do the RFI section of the File Inclusion module, but am having trouble. I managed to get the flag using directory traversal, but I want to do it the proper way to learn. I'm trying to test the SMB protocol, but instead of the smbserver.py debug showing up like it does in the module, I get no output. Has anyone else had this happen? Thanks.

turns out the command I was using was a bit wack, this PDF helped a lot:
https://pdfhost.io/v/Hq5PEVrih_FileInclusionDirectoryTraversal
Thanks ^-^

Hi! Can you pls help me with Stack-Based Buffer Overflows on Linux x86 -> Generating Shellcode : " Submit the size of the stack space after overwriting the EIP as the answer. (Format: 0x00000)". After payload shell i have
0x5655557d <bowfunc+48> mov -0x4(%ebp),%ebx
0x56555580 <bowfunc+51> leave
0x56555581 <bowfunc+52> ret <----- now i am here, after this step will go to start of payload section in stack
And on this moment i have register:
esp 0xffffd0bc
ebp 0x810bb302
eip 0x56555581

And right after overwriting EIP:
esp 0xffffd0c0
ebp 0x810bb302
eip 0xffffd64c

How determene size of stack? ebp-esp (tried but answer is wrong)?

hello! Has anyone had trouble finding DNS module host x.x.x.203? I'm stuck in the module, I don't know which dictionary to use, I've already tried several and I can't find that host

any hint would appreciate it!

I mean the new module footprint DNS

Hey guys need a little hint in File Transfers module (Windows File Transfer Methods)

solved

Guys who could explain this (file transfers module):
Bash (/dev/tcp)

There may also be situations where no obvious file transfer tools are available. In this case, as long as bash version 2.04 or greater is installed (compiled with --enable-net-redirections), the built-in /dev/tcp device file can be used for simple file downloads.

Connect to Target's Webserver

Dm@htb[/htb]$ exec 3<>/dev/tcp/10.10.10.32/80

How I could use it? I don't understand.

in the setup module is anybody here setting up password1 or anything else? I am under the impression that this is for security professionals who work for a company

Hey would you mind clarifying your question?

setup modules in academy teaches you what a security professional uses when working for a corporation

That remote file inclusion was fun 🙂

I guess maybe its really just a matter of choice

Absolutely. There are various setups security pros can use for the work they do. My setup is VMware esxi server where I use different vms for testing and learning. Others use containers more than vms, some make use of cloud environments and many try using a mixture of all of them.

so than the setup module is just knowledge based to show a security professional the different avenues that they can use, but for learning purpose. Should I set any of those up in my VM even though I don't currently hold a position in a corporation

? @unique valve

dm if you are still need tips

Absolutely! Thats one of the great things about this field. A lot of the technology is accessible and affordable even if you dont work for a corporation.

Okay well perhaps I will see what I can work in there

Did you figure this one out? Shoot me a dm

Hey everyone, did anyone do the "Attacking Web Applications with Ffuf"?

I'm stuck at "Skills assessment" where task is to find a page with the content: 'You don't have access!'

I'm tried: ffuf -w /home/kali/wordlist/common -w found_hosts:HOSTS -e .php:,.phps,.php7 -u http://HOSTS:32765/FUZZ -recursion -recursion-depth 1 -fc 403 | tee subdirectories

I also don't understand what the hint is supposed to mean? Am I supposed to try all 65535 ports? This would literally take years.

If someone could give me a hint, that would be absolutely amazing

im not doing that module yet, but I think there is a command whereyou can run 1000 ports by a range at a time @neat kindle

@neat kindle hey bud i'm gonna DM you in a sec 🙂

In setup it's working through security OS in vmware, I setup VB with Kali Linux, do I need parrot os instead to proceed with the academy or can I use Kali Linux?

@muted kite i personally use kali with no issues

ok, so great, sounds like its personal choice

Parrot, Kali, BlackArch, they all can have the tools you need, so it is just a matter of look, feel and preference ...

You can even make your own by starting with a distribution of Linux and adding tools to it. People also have turned Windows into a pentesting system: https://github.com/mandiant/commando-vm

Wow, gotta try that 😄

Its pretty cool. You start with a windows 10 install and then run the script they have in that Github repo. The script installs a bunch of tools, its cool to watch it work.

well there goes the xmas days

But you should defiantly try different distros to see what they feels like. and it is pretty easy as a VM.

I think I will, but perhaps not straight away

Always nice to have a todo list 🙂

I downloaded the windows 11 VM and imported to my virtualbox. Do I need to reconfigure the settings? There was a hyper link provided, Im guessing it's not configured the way is necessary

none of the commands are recognized in the windows11 virtual machine I just installed

I'm in the setup module. Perhaps I will skip it for now.

anything that costs money to do, i'm not doing right now, will this prevent me from moving forward in HTB academy?

Crickets

Eventually, once the tier 0's are complete you'll probably have 40 cubes. From there the cost of cubes rises and the return lowers so there would be cost.

I means like setting up vps, password1

Services that cost money every month

@crimson path

Oh well then no you shouldn't have to spend anything you don't want to spend

DM me.

I'm having problem with finding foothold on the LFI final section box, I have had some progress, but not enough is there any tips?

Is this free vps service?

The one recommended by HTB costs money

i think it requires a web domain, not sure thats the correct one

I am having some problems with hack the box can some one help me

Hello i dont understand how i can create the wordlist rockyou with 2020 at the end of each password in the list. Can you help me please ?
module : CRACKING PASSWORDS WITH HASHCAT
section : Working with Rules

@muted kite i deleted the link since i don't trust a random 'get a Free VPS' Website

hey is this where the academy modules are being discused?

if so, INTRO TO NETWORK TRAFFIC ANALYSIS on the question " Given the capture file at /tmp/capture.pcap, what tcpdump command will enable you to read from the capture and show the output contents in Hex and ASCII? (Please use best practices when using switches)" cant get it solved and the obvious switches are -X for hex and ascii and -r for reading the pcap file, so final answer would be -Xr /tmp/capture.pcap

but no, wont work, obviously tried playing with both switches like mb they're in a diff order but nope

You can discuss it here and #858470491676737536 if you think there is something wrong with the answer

No problem, neither will I than.

@worldly grotto DM me.

@sudden shore check DM's 🙂

Did you figure it out? I'm stuck with that question too. Any hint?

@rough pelican DM me.

Doing the Linux fundamental course and when I try to login into the SSH it keeps saying permission denied even though I'm 100% putting the password in correct

Any tips?

Nvm got it

I'm stuck in "web requests -> POST method". I don't understand what is the answer supposed to be... the cookie?

Can you send a ss of the full question?

is it the one with num1 num2 by any chance ?

I don't remember what kind of answer it expects, try with the cookie yes

or maybe a flag once you're logged in as admin

I tried multiple things, but it doesn't seem to work

pls be careful with spoilers

okay, sorry, but I mean, it doesn't work

I'll DM ya we can try to walk it through

I can't log in to HTB rn so not able to help further, sry

In intro to network traffic it says' Utilizing TCPDump-lab-2.zip in the optional resources, perform the lab', where are the optional resources?

I found it, smooth brained

@frank forum about to send you a DM bro 🙂

Hey everyone. Just to test how things work I'm sending this msg. I'm new to hacking and much newer to discord. Any suggestions would be greatly appreciated. Merry Christmas. Cheers.

solved it. I was having problems because of a trailing '\n'

@scenic swallow welcome!

did you end up figuring it out?

No still have not figured out,, not yet tried because of the christmas either ^^

all good, sorry for the ping

np

you need to make a rule to add 2020 at the end

hence the name of the challenge

@worldly grotto sending you a DM 🙂

Thanks

I checked all the directories but wont be able to find the another flag

Its in the Using web proxies module in bounty hunter path

can someone please help me where the other flag might be hiding since I can only find one

you should deploy a reverse shell

and maybe privilege escalation to root

idk

but that module is literally just proxy tutorial

and its stated as easy

oh probably just search for other files named flag

it's probably just hidden

.........

find / - type f - iname flag2.txt

btw what is that machine?

thats the module named using web proxies

and its the repeating requests section

oh okay

can you send me the url

i think i haven't done that yet

nvm i got it

even with the ls -a that should also show hidden files I only see 1 flag

Try to search in other places

nvm I found it

it was just in the root directory 😭

what did i tell you

it was hidden

I thought it would be hidden in the sub folders lel

i always take a look at the root folder

In SQLMap final_flag skill assessment, I found the injection point and got the banner. However, dumping DB is failed. any hint

File Upload Attacks: File Upload Attacks. Appears to be bugged as not even SVG files can be uploaded. Does anyone have the same problem?

Good afternoon everyone

I'm new here, and already asking for help beacuse I'm stuck in first exercise of module "web request"

Send a GET request to flag.php with two parameters num1 and num2 such that their sum is 1337.

And stuck as well in second

Login with the credentials (guest:guest), and try to get to the admin user from what you learned in this section and the previous section.

For this one look up on Google how to put parameter using cURL

I did it, but I keep face the error screen

Which one ?

Send me your full command

@rough pelican I did this module long time ago but I can try help 🙂

Hi, I'm new to both HTB academy as the HTB discord server. I can't verify with the bot, not a HTB identity, is that correct?

I came over here because I lost my spawn about a copy-paste issue in the first interactive section 😦 wasn't able to paste the spawned URL into Firefox. I'm on Firefox IRL; does HTB academy have issues with FF? Should I better use Chrome or some other browser?

Module Name: Getting Started
Section: Privilege Escalation
Question 1: SSH into the server above with the provided credentials, and use the '-p xxxxxx' to specify the port shown above. Once you login, try to find a way to move to 'user2', to get the flag in '/home/user2/flag.txt'.
Quesdtion 2: Once you gain access to 'user2', try to find a way to escalate your privileges to root, to get the flag in '/root/flag.txt'.

I search for vuln. and find a little bit but nothin that gives me acces to user 2 ? 😦

Can someone help me pls ?

Did you do the most basic of the basics, i.e., ||sudo -l||?

Yeah i change to user2 and stuck with the priv. escal.

@cinder kelp about to send you a DM bro 🙂

thank you for the hint ❤️

On the brute force skills assessment - service login

Is the employee user list the same one from the prior examples for bill gates?

how can i get the ovpn file??

In HTB academy modules you will see a button at the bottom of a section that has challenge questions. Feel free to DM if you still run into issues with this.

can i have a hint for File Inclusion / Directory Traversal assessment?

what part are you stuck on?

not sure what should i do from now on. I have tried most of the things i found in the previous modules but none seems to work

even so,i think i know what parameter can be exploited but i cant figure it out

so far I dont like how the academy is structured, I like how starting point is structured comparatively.

What do you wish academy had but doesnt currently in terms of how its structured?

I think it makes a lot of suggestions but not necessarily step by step guide on configuration. I know the internet has a lot of how to information that makes up for that, also some of the commands are not recognized and there is not really a guide for what to do when errors occur.

needs 'common issues and how to fix them'

i know that their are forums, but response times vary

What errors or issues have you been experiencing recently?

When I setup windows in VirtualBox none of the commands worked. I'm not sure if this is because the guide was created for windows 10 and windows 11 sucks and it's what I downloaded

or if perhaps I didn't configure the VM correctly in the first place

I have linux on VM and it works well, the windows 11 VM I have not been able to download chocolately package manager or anything else, the commands are not recognized

I'm not here to complain, its stacked with lot's of knowledge. Maybe I am just overwhelmed

No you are fine. Feedback is always welcome. Theres always room for improvement. Are you ok with moving to DMs? I may be able to help with the issue you are running into.

well, im on the wrong side of platform for this, i'm in windows and I will have to move over to my linux side. Can I DM you later after I finish this and get over to my linux side?

Sure. Feel free to.

okay great.

On the brute force skills assessment - service login

Is the employee user list the same one from the prior examples for bill gates?

so apparently im stuck in the fear zone and i also have a low frustration level.

@patent sinew about to send you a DM brother

i got stuck on this yesterday, the correct port is in the list it returns. try running a version check on them to find which one is telnet

nice nice

yea running version checks on all 60000 something ports is going to take a while 😅

xD

usually I use a normal nmap scan to pick up the open ports, then run the scripts on those specific ports with -p 22,80,443 etc

helps speed it up a wee bit

i just finished the ilf challenge. but there is something i dont get. Can i pm to someone?