#modules

Gothca. Does this mean decompiling a binary, or hooking a process and reading it's memory, is showing the addresses in 'virtual' memory, not necessarily the actual physical memory addresses?

Yeah

Innnnntersting

Unless you have a kernel debugger open and read the page tables, you won't see physical addresses

https://wiki.osdev.org/Paging

perfect, exactly the right track i need to read on! I started realizing how much i didn't know today when i was reading on heap allocation and how bins and arenas and sub-heaps work

I guess i never really looked into how 'threading' actually worked either

whew, weird study rabbit hole I jumped into today

@sterile hawk Thx for clearing this up for me!

Hiya, not sure if this is the right place but I'm doing the ffuf module atm, value fuzzing section, and it just handed me like 6 (IP, port) combos that wouldn't respond before finally assigning me one that would.

DM

@whole cosmos did u figure it out?

im doing the same module

issue on value fuzzing

@feral gyro nope, i actually finished that part, but actually just now I'm having some weird issue on the assessment

what

|| extension fuzzing on subdomains only shows .php as an extension ||

cant be right

I did the vhost fuzzing correctly || archive faculty and test||

it's correct

specify ||indexFUZZ ||

||http://test.academy.htb:30483/indexFUZZ||

|| ffuf -w /opt/SecLists/Discovery/Web-Content/raft-small-extensions.txt -u http://{subs}.academy.htb:30715/indexFUZZ||

uh oh, something weird is going on, I was gonna reset my openvpn connection but there isn't one

||-w /usr/share/seclists/Discovery/Web-Content/web-extensions.txt:FUZZ||

try to add all the subdomains to /etc/hosts

oh whoops || was using raft-extensions instead of web-extensions ||

yep

nice thx, btw what's the 'raft' mean?

idk am not aware

compare both side by side

also, this is still weird, how am I communicating with the server outside of openvpn?

no 'tun0', no openvpn sessions..

it's not private

oh is it not? thats a relief, thought I broke something

ok u don't need vpn right

gotcha

ip can be accessed by anyone

@feral gyro well thought that was it

|| web-extensions.txt || still only brings up php

|| ffuf -w /opt/SecLists/Discovery/Web-Content/web-extensions.txt -u http://academy.htb:30715/indexFUZZ||

something u are doing is wrong

@feral gyro ya, i'm doing something dumb somewhere

not this url

fuzz on ||test|| etc

@feral gyro I have unfortunately || archive and faculty || too

yep u need to scan them tooo

||u need add all of them to /etc/hosts||

yup already done

then start Fuzzing

i meant already added to || etc/hosts||

|| <SNIP>

whoops

ok then start fuzzing for valid extensions

still only php

send me the code

|| ffuf -w /opt/SecLists/Discovery/Web-Content/web-extensions.txt -u http://archive.academy.htb:30715/indexFUZZ||

changed to || test. and faculty. too||

maybe reset the target?

yep do something like that

so far so good, reset, got a new ip, added the subs to /etc/hosts

i tried it now and got it

ffs, still only php

hang on ill paste the command

|| ffuf -w /opt/SecLists/Discovery/Web-Content/web-extensions.txt -u http://test.academy.htb:30525/indexFUZZ||

dm

|| ffuf -w /opt/SecLists/Discovery/Web-Content/raft-small-extensions.txt -u http://test.academy.htb:30525/indexFUZZ||

don't much spoil here

@feral gyro

Hi community I'm doing File Upload Attacks - Blacklist Filters.
I need some help I've found the extensions that works also i can upload a file but when i go to the site of my file and pass the parameter the page gives me nothing, someone can help me please?

only some of the extensions are capable of code execution

I have like 7 different extensions accepted, it would be only some of that?

try harder

Ok bro i'll try it

if u still find it harder dm me

Yes bro, i really appreciate that, if I'm already stuck with it tomorrow i'll let you know

ok

Broken authentication anyone?

Which task?

final assessment

Still not there :/

It is torture

the whole module kills me

You did already.

For what?

why hack the box get me Access denied error?! :(

@rose peak The main site?

yeh

how can i solve my problem?

Is it block for Iranian?

oh yeh, is it :(

@rose peak First time this occurs? Have you ever got access?

I change my proxy and it's work :)

now i'm in website

@rose peak Good.

thank for your help

@rose peak I didn't. I just listened to you :) Have a good one.

❤️

Please see your DMs for instructions on how to verify your HTB account.

hack the box had so many change :||| Wooow

OoooOooo

@rustic sage sorry to disturb you..on Archetype, its asking for a 'user flag'. Im unsure as to what/where it can be located. I have to root flag..

Look under C:\Users\...... for a file called user.txt

@rustic sage so glad i didnt close that terminal 😅 🥺

Thank you

Hi everyone.

It's been 4 days I'm stuck on a question on the module "Attacking Common Applications". It's the last question of the section "Attacking Common Applications - Skills Assessment I":

"""Exploit the application to obtain a shell and submit the contents of the flag.txt file on the Administrator desktop."""

With the 3 previous question, I know that the application is vulnerable but all exploit I've tested failed... One work but I can only read files but I don't get any information that helps me.

I feel like I'm on the wrong track, can someone help me?

Hello friend, https://wwws.nightwatchcybersecurity.com/2019/04/30/remote-code-execution-rce-in-cgi-servlet-apache-tomcat-on-windows-cve-2019-0232/

Ok thanks for the big hint 🙂 So I need to find what i can't find 😄 But now I it exists 😉

There is a bigger hint

Ho ! I need to dig more because I can't access this one oO

Finally!!!!!!

congratz !

:rainbowwizard:

anyone finish command injections?

Hi guys.
in a certain point of "buffer overflow in linux" module i've encountered a problem. Is there someone that can show me the way to modify the behaviour of zsh in kali managing hex string in the way it can behave as bash? If i create a variable with an hex string in zsh and echo the content it is converted automatically in ascii. This doesn't happen in bash where te output is the same hex string entered at the creation of the variable.

can you just type bash?

Yes this may be a way

Is there another way maybe modifying some zsh configuration file or using some special characters?

There might be, I have no idea how to do that, sounds like alot of effort if you know bash will work

I think that swapping from zsh to bash and vice versa make me lose the variable i've created that i'm using

I have to try

Thanks for the help

Yes when i move from bash to zsh i lose the variables i'm creating

So i have to find a better solution

What variables?

Local variables i'm working with

@livid pier I'am looking for a way to create a variable with the content of an hex string because i have to use this string in it's format several times.
If i move to bash and create my variable there it is not present when i go back to zsh.

Can you print the variable, copy it in another platform switch to bash then paste it into bash?

What do you mean with platform?

@livid pier another terminal windows?

a text editor, anything

Yes i can do all you are suggesting but it is not very handy!

HOw many variables do you have, it has to be quicker than editing the zsh config files

@livid pier in the creation of a shellcode in a buffer overflow for example you have to try several times to enter a string with hex characters to find bad characters that you have to remove. So you have to menage with this string several time in a buffer overflow technic and several time every time you want to use that technic. Maybe is better to find a way to zsh to behave the proper way. At the end modifying a configuration file occurs just one time

Maybe, goodluck, just a FYI I did that module and didnt need to do any of that

Is not just that module. I'm looking for a way to make my workflow smoother in general.
But thanks again

Ok i've found a way.
Reading the man of echo it tells that the flag -E disable the interpretation of backslash escape and that it is set by default.
I don't know why but in zsh shell in kali it is not the defaul but it seems that -e (enable the interpretation of backslash escape) is.
So what i have to do to achieve my goal is to call echo with the -E flag.

as i remember, you can switch to CMD and the e switch will work

What do you mean?

in the powershell type CMD and it will switch to dos command line.
and the echo with -e switch will work

Ok maybe in windows. My question was about a zsh shell in linux.
But good to know!

ohhh, sorry about that

hey all

just finished the XSS module here.. great one..

a not so nice feedback... in the last exercise.. terrible lab machine performance

the hard thing was not to hack it, but to have the box processing my requests

regarding the material / lessons content, really nice!

yesterday i finished it same issue

"Attacking Common Applications - Skills Assessment I" finaly done! Tanks a lot @livid pier !

Hi guys someone knows how to get the stack size in gdb?

hi

i finishes this moduleSTACK-BASED BUFFER OVERFLOWS ON LINUX X86

but cant submit this question answer + 1 Determine the file type of "leave_msg" binary and submit it as the answer.

it is elf 32 i tried it different ways bit it doesnt work

gdb) info files
Symbols from "/home/htb-student/leave_msg".
Local exec file:
`/home/htb-student/leave_msg', file type elf32-i386.

setuid ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=8694607c1cba3fb3814a144fb014da53d3f3e49e, not stripped

@lilac halo try with the file command in bash

@lilac halo i'm still not there however

@lilac halo can you help me show me the way to find the stack size?

Yes

Type info proc all in gdb

any command injection finishers?

It is not working

Hello does anybody solved blind XXE ?

Hey is there any way we can retrieve our VPN key so we can use our own VM? I cannot find the key anywhere.

can anyone help me with the module of Linux Privilege Escalation

i am in the priviliged groups sections

i need to grep for a flag at /var/log

i have used "flag" "htb" , etc

and nothing pops up

i dont know what to grep for

how about anything in the folder * @civic wraith

@lilac halo @honest flower

https://github.com/B1rby/Stack-Based-Buffer-Overflows

I did a writeup about it

check it out

https://github.com/B1rby/Stack-Based-Buffer-Overflows/blob/Skill-Asessment/Skill Asessment.md#question-1

Anyone happen to know why this is failing?

Nvm figured it out, if anyone runs into this, here ya go: https://stackoverflow.com/questions/51062160/sc-create-binpath-error

Found it?

Though I cannot read the file specified within the module even though I am part of the admin group now?

Anyone know why this might be happening?

@civic wraith DM me if you need a nudge

Not only am I local admin, but I have sebackup but still getting access denied when I try to read OR copy the flag.txt file

Is anyone able to offer a hint for the second question is Skill Assessment - Website for Login Brute Forcing? I brute forced the admin panel but the creds do not seem to work even though hydra says they are valid. Also, should the password and login be a pair? example(Login - Root:Um9vdA== Password - root:cm9vdA==)

Not sure if it matters but is powershell running as admin?

It is yeah

@scarlet finch great 👍

Thanks

It is usually placed at the bottom of the module page near the questions

i solved it, thanx

Anyone online done the footprinting module. I have a question about NFS results from NMAP.

Has anyone completed the repeating requests module in the using web proxies section. I'm lost on finding the flag.

check on some other dirs

Is it possible to connect to HTB Academy over open VPN from my own machine? I can do it for the main platform but strugfling with how to do it for the academy platform?

Whenever you can AND need, there is going to be a button at the bottom next to the question to download the VPN key

Not all modules require VPN. VMs do, Dockers don't

Thanks, I'll look out for that

Module: Broken Authentication
Section: Bruteforcing Usernames
Question #2: Find the valid username for the web application based at subdirectory /question2/.
Anyone can assist?

check the source

after submitting a valid username

Hello i'm on the module windows file transfer , after uploading the zip i'm unable to connect via rdp to the box

I saw that hint and got to see that there is a ||wronguser|| piece of data showing the last attempt. But how do you fuzz this kind of thing?

manually check all the responses use ||top usernames from seclists||

This is what I am trying to avoid :/

i think here burp filter can be used but am not much aware

i tried it again , u can use burp to match the response

Great. Now I only need to know how to do that from the command line :P

Will learning the php code be helpful? So far I've been only looking at them briefly, just memorizing their syntax so I can recognize when I see one. Is it actually helpful to learn this? Since so far my search history has been filled with php one liner shells, and I feel like its one of those 'niche' details which aren't needed as much. Am unsure though

i have a question about Linux Local Privilege Escalation. I am in the last excercise (skills assesment)

i found that sudo version 1.8.31 have a vuln, but the exploits doenst work

i have tried several and it returns always: Segmentation fault (core dumped)

please give me a nudge, do I insist with this vuln, or I am supposed to look for another one?

'shell.php.\.jpg'
'shell.php..jpg'
'shell.phps.\.jpg'
try this

||-fr 'wronguser'|| did the trick

with ffuf

im new..

Hey - what do you want to hack?

I've downloaded once the vpn key like inturbidus explain you before and i use it in every module. I'm always using my vm to go through the academy modules using always the same vpn key

yes

That's handy to know , thanks!

What are you up to?

hack someone

Like who? Like his social media account?

yes

@sterile hawk Help?

wat

Someone is being foolish

I've been looking through all the directories that I can find but I haven't been able to find the flag yet. re there any significant directories that I should be looking for?

find / -type f -name flag.txt 2>/dev/null

try to url encode

That helped me figure it out. Thanks for your help!

Having some trouble at the end of the "Network Enumeration with Nmap" module. "Firewall and IDS/IPS Evasion - Medium Lab" I can't work out what it is looking for me to do. I can see that port 53 is filtered, do I need to spoof the source IP address and/or port? I've tried an ACK scan but that didn't give me any more details...

Think of the possibility of using scripts in NMAP. They may also work if ports are filtered.

I'm on the Archetype machine and I keep getting "The remote server returned an error: (405) Method not allowed." when trying to download nc64.exe from my server while listening on 443

Oh nvm I got past that

Hi, if I unlock a module, will I need to unlock it again and spend cubes every month until I finish it?

no

So, if I get a platinum sub and unlock a tier 4 module, at the end of the month I can switch to a silver sub and still have access to it?

yes

Oh ok, thanks for the help 👍

hello colleagues, I am in the ffuf module, my query is if the boxes have pwnbox installed or should it be done manually? since following the steps I can't run the tool, any suggestions? and thank you for your collaboration always!

Hi Guys - Can I get some guidance in my Nmap scan: I am working on the Enum Network Module and on the Hard Firewall lab.
nmap -Pn -F --disable-arp-ping -n --script dns-zone-transfer, --source-port 45398 --initial-rtt-timeout 55ms --max-rtt-timeout 100ms --max-retries 1 -T1 -sU -sV -sA -O -vv 10.129.120.212 -A --packet-trace -oA HTB/Nmap/scans/10.129.120.212

@unique wharf DM me if you need a nudge

The only way as a free user is to clone it from Git.

It's supposed to be pre-installed but it's not.

Therefore:
git clone https://github.com/ffuf/ffuf
cd ffuf
go get
go build
./ffuf
@hollow hearth

hi everyone i am in the Server-Sides attacks skill assessment and i have tried fuzz all input parameter looking for SSTI or SSRF if someone could give a hint , thanks

ty bro i go to try

The reason why you could not install it with apt is because as a free user you don't have access to the internet, except to GitHub.

ok ty bro

Module: Broken Authentication
Section: Bruteforcing Usernames
Question 3
Did someone get the answer using the timing.py script? I've made some changes to it but I am getting similar response times for all user names :/

Solved. Part of the header was missing.

For the Broken Authentication: skills assessment, I know how to "switch" to different users, having found 2 thus far (beyond the user I created), but there's no admin panel that I can find, suggesting either (a) I'm NOT in the right user (and at a loss how to find said user) or (b) I'm supposed to find an admin panel (although dirbusting proved unfruitful thus far). Can anyone DM me a nudge? Thx.

EDIT: Still working on, but got some much needed nudges to at least keep trying to progress. Thx @livid pier 🙇

You got it!

Hey

bro i dont know why target IP is not working

in the LFI module

even i had connected the VPN

wanna merge exe in png or jpg ;-;

hello 🙂

i wanna learn hacking :))

Youre in the right place

yaay

Welcome!
https://academy.hackthebox.com/

but i dont wanna use it in bad stuff

whats that

You good bro>

What?

the liink

The place you want to be. HackTheBox academy. Learn how to hack

okay so if u am gonna learn there then what is the importance of this server

i dont unerstand anything

Here you can ask questions and get help

ok

How do I find the answers to the startup questions ?

u think

...

What's the start up question? What are you working on?

Meow mission

Is HackThebox free?

Active challenges and active boxes are free. But u wont be able to access the retired challenges and the retired boxes. Also u wont be able to do retired fortress, retired endgames and vip starting point boxes

What are retired things?

It s like the old challenges, boxes etc. And with the retired things u won t have point thanks to them

Ok.

But they are really interesting for practice

Anyone having trouble with the xss section from the introduction to web applications module?

Cant seem to connect to the target

Like it s better to do 10 retired boxes about AD than a really hard boxes that u wont be able to do because u dont have the required knowledge

Nor my machine nor the pwnbox

I assume that u are connecting with a vpn ?

Not really, those are internet faced machine afaik

Also not working with VPN as i suspected

when trying to use the go command in both it gives me "time out"

Where can i find the .ovpn file on pwnbox?

How can I get it on the pwnbox though

I think that is where you get the vpn config

Give it another try. Just tried it again and it works.

ok

How can I open an image captured by Wireshark?
My problem is that I don't know how to open a jpg that was captured by Wireshark using the ftp port. In the first image you can see the client request an jpg image. Then there is transfering a lot of FTP Data. Then in the second image you can see the Transfer is completed. But how can I open the image? I would be very happy if somebody could help me!
https://pasteboard.co/HZmJNhA86YyP.png
https://pasteboard.co/SgN5WQxWo056.png

you can tray import objetc?

*try

Hi all, quick update. We just deployed VPN region switching on Academy with new servers in the US region (previously we only had pwnbox and targets spawning in the EU region) you can go here to switch back and forth if you’ve been experiencing any slowness https://academy.hackthebox.com/vpn you can also switch between TCP and UDP

Thank you

It isn't possible to export ftp

Only http, Tftp and some others

anyone here can help with command injections?

Ask directly

pls careful with spoilers

oh

yes sorry my bad

can you guys help me with this question?

which module?

ehh Windows Fundamentals

I have not completed this module yet, but I see you have credentials. Log in via RDP and open the PowerShell.

|| Get-WmiObject -Class win32_OperatingSystem | select Version,BuildNumber ||

yes thats what i have done

but i cant find it

wait

What do you get as an answer?

This command may also help:
|| Get-ComputerInfo -Property OS*,Windows* ||

https://fantashit.com/the-term-get-wmiobject-is-not-recognized/

nope

I deleted my account for some reasons but i want to ask, i am born in 2007 can i put my real age?

or i cant get in?

Machines on HTB module getting started last task is very slow, when accessing web or something 😦

nvm will try with VPN key

Just swinging by here - did you get help with this already or ?

I just tried.The command || Get-ComputerInfo || works and returns the desired result.

How I feel doing command injections

ty guys

i am sad now :{

how is it on academy pwnboxes im suppsed to edit /etc/hosts and save the file but im not provided with a sudo password 🙃

working on the information gathering-web edition one on the active infrastructure identification and im getting so stressed out

Check the desktop, creds file

heck ya! will do

ohhh thanks 😂 i got it

eh

guys its 11:57 should i wait until tomorrow or i just can wait 3 min?

😂

The easiest way is to install VMWare or VirtualBox and then install Kali or ParrotOS there. Then you can connect with VPN and use your own software. As a free user you can only start a pwnbox once per day.

You are my hero ❤️

im at the linux beginners module doing the ssh questions but none of the ips are working i keep getting port 22: no route to host error

you on pwnbox?

nope i was on my own virtualbox

Did you connect with the vpn?

yeah i set it up still nothing

i figured the problem i kept closing the terminal while the vpn was running

sudo nohup openvpn ~/Downloads/academy.ovpn &> /dev/null

Anyone knows how to fix academy.htb add to /etc/hosts issues?

?

on ffuf

Anyway what I did that I think is wrong is grabbing the ip from hackthebox.com or something, the website with the module on, and set it as my SERVER_IP for academy.htb. Was there a way of finding something that won't resolve like academy.htb's IP? I also played around with the instances IP and port I was given and attached that as the SERVER_IP even set up reverse connections for some... Nothing works

on which module

ffuf

when u try to access it specify the port on browser

Hi, I'm on the question Information Gathering module. Question Submit the FQDN of the nameserver for the "inlanefreight.htb" domain as the answer. But for this, I keep getting ** server can't find inlanefreight.htb: NXDOMAIN

I have something similar but where you get the ips from

I added hosts with the IP but still the same... does anyone know if this is a bug?

yeah I did that well tried port 80 and made my way up lol

send me ur ip

let me check

ur spawned target ip

doesn't look like a safe practice and im normally diligent about that but

oh ok

lemme go back and see

am not asking ur ip brother lol

🤣

loll I was like "woo wait a sec..."

on a pwnthebox server no less

64.227.39.88:31000

so 64.227.39.88 needs to be the one added to my hosts file and I use the port for ffuf and http access only? Like grabbing the hackthebox.comip was a mistake and was lucky to get to 70% completion with that ip set?

is it working now

Lemme check, I haven't tried yet as am baffled that it was that simple

ping is not working so I do need the port number in my hosts setup?

no

ping will not work

Dunno what is not working then

I added both admin.academy.htb and academy.htb with the ip I was given no port then ran ffuf and failed then ping failed obviously

precisely which section are u in

Filtering results

show me the command u ran

ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://64.227.39.88:31000 -H 'Hosts: http://FUZZ.academy.htb' -c -fs 900

it's wrong

yeah just figured the fs 900 was wrong as it was from before

maybe i can now try with the domain name as it should resolve

yep

read the section again and again

Oh believe me I did and found nothing on getting the initial ip as you start your instance at the end, that is after you are prompted to do sh 'echo "SERVER_IP academy.htb" >> /etc/hosts" so did not make the link and immediately went to hunt for that ip lol

try harder

yup but anyway I got my answer even if it's not working I know it will eventually work as I know what I did wrong so thank you for that! I was starting to write non-sense in that hosts config file setuping reverse dns lookups and stuff

I'll buy you a beer if I ever see you or with donation platform id in private.

Im out! And I am serious btw. Ill stay logged in case you want a beer. Sleeper timez for a happy work day. im on the threshold of pulling an all nighter or go to sleep late still...

how u got it

Hey guys

How do we get the sudo password for pwnbox

I don’t see any option in the academy

YAYAY

Look on the desktop

in a file called credentials

@abstract hollow

I'm trying to cracking the following hash by john, but I don't know how

important.zip/index.html:$pkzip2$1220aea296b969020440ae96b97619aa34c273258abebd9babb4c7a84d3218ae23d7c370562a14cb0bf5911be198b717622dd5d1a909bd5c139145f078e105097528633ae86c7c04fd92ec76a6bb82c6cc5631089b9be7026011a7858ac53e4055d4ff593198f55663cbbc5ed1ca371270bb8f8d2c9a5a907e70100079b282e2c8bd76ce872e0674aaea3e258b009a13bfc6d298bc8c199be6fcef19eead3c7c9537f02f4656ff28012ca01ddd67b311ded9c8d154ef0f3eb60d29a435$/pkzip2$:index.html:important.zip::important.zip
I would be very thankful for help!

which module?

where did you get this from?

Thanks

Hi guys, what are some of the things you’d to transfer files from victim Windows machine to attack Linux machine other than smb, ftp and netcat

I’m struggling to transfer ntds file to my machine, for some reason netcat doesn’t preserve the integrity of the file

hi guys, I am stuck on the last section for windows fundamentals. Is anyone willing to help with one of the questions? I am stuck, thanks

powershell Invoke-WebRequest

👋

?

Who change my name?

@rustic sage your name might have been changed cuz ur name didn't follow #rules

Hi all, Happy Friyay! Just popping into let you all know that we have recently made some changes to the Academy platform to address an issue with duplicate usernames and make way for some new features coming later this year. You may have noticed your username changed (i.e. if your username was just john you may now be john-18). If you do not desire this user name you can navigate to the account settings & change it to something custom.

Can't you also have a change on the number of cubes we have? For example, if I owned 100 previously and I do not desire that number, it turns into 1000?

Any updates on when some of these new mods are going to be released?

Hi everyone. Could someone help me with the question "Which employee is suspected of performing potentially malicious actions in the live environment " within the module INTRO TO NETWORK TRAFFIC ANALYSIS in the "Packet Inception, Dissecting Network Traffic With Wireshark section? I am stuck 🤦‍♂️ Thank you in advance.

you still need help?

Hey everyone. Please do not DM staff or anyone else asking for their help if you do not have their permission. It is rude and often time cause them to get really annoyed with you.

Monday, 14th February, from 7:00 AM to 8:00 AM UK Time (GMT0/UTC), we will be undergoing planned maintenance on 50% of EU-ACADEMY VPN servers. Users impacted can switch their assigned VPN server through this page: https://academy.hackthebox.com/vpn.

The only impacted modules are those that contains fully fleshed out machines that require a VPN connection to access. Docker instances across the majority of Academy Modules are, of course, not affected and can be played as usual without further changes.

Further such maintenance will occur on Wednesday during the same timeframes as long as the first planned maintenance runs successfully on the controllers.

Yes! send you a PM

Could someone please help me with INFORMATION GATHERING - WEB EDITION module..?

I am keep getting ** server can't find inlanefreight.htb: NXDOMAIN

Can someone please check if this Information gathering web edition module has been broken or something? Seems lik

What section?

Thank you for the reply. It's Active Subdomain Enumeration.

you added it to /etc/hosts?

yes

so added the target ip inlanefreight.htb there..

seems like there were lots of questions about this above in this channel

What command are you running?

nslookup -type NS inlanefreight.htb

start there and think about if you can replace the zonetransfer and nsztm1.... with what you are interested in

Or are you still on the first question?

If anyone has a second, I could use a push on a specific part of Javascript Deobfuscation

I feel like I'm staring right at the answer but it says it's incorrect

What section?

The deobfuscation portion

I've deobfuscated and prettified secret.js

I literally see the variable that I believe is the answer, and It's refusing to accept it.

DM me and send it

Wondering if I'm formatting the answer incorrectly

Ok

Could someone please help me with Find and submit the contents of the TXT record as the answer.?

hey i'm trying to do the academy but the vpn keeps resetting on me?

Happy Friday!

Happy Friday

Hey all, I'm hoping for a helping hand with:
Module: broken authentication - bruteforcing cookies
Question: Tamper the session cookie for the application at subdirectory /question1/ to give yourself access as a super user. What is the flag?

I've decoded the cookie and played around with as many roles as I can think of (bunch of username wordlists in a simple python script), but can't get any different response. There was some mention in chat about "enumerating roles" but I have no clue what that might mean.

EDIT: Literally seconds after posting, one of the user wordlists from seclists (in the passwords directory) landed the correct role required. It is a relatively basic one which can be intuited from the question so it shouldn't need a full script (I'm just thick haha).

it's a bit tricky, answer is itself on the question

I've solved the first one but no clue how to decode the second questions token?

Log in to the target application and tamper the remember-me token to give yourself super user privileges. After escalating privileges, submit the flag as your answer

this one ?

Yep, thats the one...I've tried every tool under the sun to decode it and find something sensible and can't

analyze %2B this

what does it mean

%2B is URL encoded "+"?

cool

u are now on the right track

Hmm, is the token a cookie?

yep

try some 🪄

Im trying to do the Shells and Payloads in academy
last module, when trying to get a shell on host2 (blog.inlanefreight.local)
I imported 50064.rb on msfconsole
but when trying to use it Im getting this error (NoMethodError undefined method 'split' for nil:NilClass)

Have you set the values for RHOST, USERNAME, PASSWORD and VHOST?

the vhost is where most get hung up.

Hi there 🙂
I'm currently stuck at Task 2 (case3) of "SQLMap Essentials" - Running SQLMap on an HTTP Request.
I was able to solve every other task, except this one. I copied the cURL thingy, I tried it with a file containing the request, I .. etc.. I'm totally out of ideas.
The strange thing is, that sometimes it works, but in a way, that I get the content of "flag1" although I have /case3.php in my request.
Anybody else had this expereience?
Anyways, any help would be really appreciated in solving this one...
There just doesn't seem to be a table "flag3" anywhere..

@rustic sage feel free to DM me

Thanks @west canopy 🙂

@shrewd sorrel My memory might be wrong, but I think i remember going in and manually editing the script and changing the payload that way

Case3 - Cookie value (id)
You have to set a cookie

Thanks, I already got help(ed) 🙂

nervermind, i set VHOST and it worked. Thanks

A web server can be configured to provide different content for different hostnames. This is called "virtual hosting" and is useful for providing many websites on one web server.

Hello everyone,
I couldn't solve the "Blacklist Filters" question of the "FILE UPLOAD ATTACKS" module. Is there anyone who can help?

I found the answer.

Stuck at command injections - skills assestment, I believe I have found the injection point, and get the malicious code message from burp, but having trouble excecuting anything, anyone willing to help?

Feel free to DM

the docker for Login Brute Force Service Auth module is not starting. How can I get this reported/fixed to admins?

hey i'm doing "Web Requests" and the documentation is referencing PHPSESSID for the cookies, but the target website is using 'auth' instead. Are these different technologies?

lol nvm i figured it out

hello, can someone give me a hand?

I'm working on the Flow Control - Loops exercise from the Bash module, but getting strange error in the result:
*** WARNING : deprecated key derivation used. Using -iter or -pbkdf2 would be better. bad decrypt 140125355476352:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:../crypto/evp/evp_enc.c:610:

the exercise asks for a loop and take the lenght of the result variable to another variable, i think that part is ok in my script...

DM me

hello. just some noob here trying to follow the "setting up" module and got a bit confused..

I wanted to see if i could quickly get this done so I could continue doing the HTB challenges (im out of pwnbox alloted time)

in this section, under 'operating systems' is the linux section for linux users and windws section for windows users?

im a windows user that- i believe- wants a linux parrot or kail vm.. sorry if im being a noob..

im confused because i want a Linux pentesting environment. I read the Linux section and started following directions.. for setting up a Linux distribution, but the pictures show what it looks like to do this in a Linux environment. That makes me think I'm reading the wrong section :/

Thanks for your help!

If you are on a windows machine and want a linux enironment you will want to get a vm and use a linux enviroment. The windows sections is describing what you would do if you wanted a windows environment.

In "Active Subdomain Enumeration" I run nslookup -type=any -query=AXFR inlanefreight.htb 10.129.244.216 and get some other subdomains to appear

-One of them contains a TXT record
-And 2 questions want the FQDN from the IP, but those IPs aren't listed from the above query.

Feeling stuck

running that same command; exchanging 10.129.244.216 for the answer to the first question; what does that get you

or are you still on the first question?

I've found the nameserver ns.inlanefreight.htb

So I have answered the first question

but most of the rest are stumping me

ALright dont give spoilers

ok well then use the first piece of advice i gave

so swap out 10.129.244.216 with the nameserver FQDN?

yes

it says address not found

did you add it to /etc/hosts?

i thought so but maybe it reset when I had to reset the pwnbox

add 10.129.244.216 nameserver to /etc/hosts?

The FQDN

xx.inla....

can I DM?

yea

great ty VivisGhost

sry i was getting some help from someone and got distracted

hey so i am getting SMB errors after connecting to the share in 'windows fundamentals'

Error NT_STATUS_RESOURCE_NAME_NOT_FOUND) Unable to connect with SMB1 -- no workgroup available

i followed the recommendations on the SMB enum issues post on forums and still getting the error

Did you end up solving the final assessment?

which mod?

Broken Authentication

I have bruteforced usernames, bruteforced (taking into account timeouts) compliant passwords for these users and can't log in, I've tried cookie tampering but the "support can't be role" issue stumps me, and I'm trying to crack the SHA1 persistence cookie but not getting far

get some more privileged user

s*****? Am I meant to bruteforce login with the mentioned password wordlist?

rockyou ?

read the web app more carefully

Is it something to do with the country code?

ur are on the right track

Check firewall on the windows target😁

Thanks! This got me further. I can be the escalated user(s) and the right role, but no flag?

dm if u need any further hints

Hi all, im currently stuck with information gatherin - web edition at active subdomain enumeration, for the question fqdn for ip address 10.10.34.136 and 10.10.1.5, i can't see any information about those ip address when im hit the "host -al inlanefreight.htb" command, do you guys have any idea? any support is greatly appreciated 🙂

dig is your friend.

DNS can contain multiple zones. You have found one zone with your command, but there are more. Each subdomain can be configured as an independent zone.

Hey everyone! Im doing the Footprinting module and currently stuck on the last two questions for the SMB section. Anyone willing to give me nudge with them?

thx buddy, just solved it

Read the section Footprinting the Service carefully
There you will be shown how to enumerate SMB

Hey! I did and I was able to to get the first second to last question - jus need the last one now

pretty confused tbh - i read the hint and used the necessary commands i felt were needed but still nothing (not giving up tho! lol)

The file system on Linux is different than on Windows.
The root directory of Linux is / that of Windows is C:\

yes ik - ive tried all the different ways - ofc excluding the c drive

You don't need any commands.
You just have to think about where the data would be on a Linux system.

is it okay if i shoot u a pm?

sure

can someone help me with this please

what am i supposed to do in this

u apply what u learned thanks to the module

i mean yeah

but

i cant find the "language" attribute

like

the website layout

is different

than other times

;-;

Visit the website, click on every category you can and see if you can find this "language" thing

tried

trial and error

I can tell by head where is the thing lol, you sure didn't try enough

💀

have the website go through your burp, visite every link, burp will make a sitemap while you do so

where

literally

then you can look at all the urls from that website and see what loads in the background

^^^^^^^^^^^^

oh

alternatively the company name might be a hint

i am not very familiar with burp, how will it make a sitemap

just have your firefox use burp as a proxy, deactivate intercept in butp

and then browse the website

how will i have firefox use it as a proxy?

ok maybe using burps is too much for that simple challenge. just browse, use your eyes, look at source code (right click view source)

ig so

otherwise this has everything explained https://www.codegrazer.com/tutorial/burp-tutorial-beginner.html#target

and yes the certificate is broken

it doesnt have any language thing 💀

otherwise learn burp with portswigger https://portswigger.net/burp/documentation/desktop/tools/target/site-map

ok

thank you

hello dudes! I am working on the Footprinting module (tier 2). Have anyone solved the last question from the DNS subsection (What is the FQDN of the ...) ? I have used several wordlists with gobuster to brute force it but I have not find the correct wordlist (used all from the SecLists). I found one best-dns-wordlist.txt but it's too large and I run out of time when I try this one. Any suggestions?

did anyone do the module about ffuf? I found a flag and when i want to submit it it says its the wrong answer. There are no extra spaces or anything and im really confused.

which one

page fuzzing

i can dm you you the flag

ok

hi, can someone help me i struggle a lot on the web request module

Send a GET request to flag.php with two parameters num1 and num2 such that their sum is 1337.

there is the question.

Look up on Google how to use parameters using cURL & get request

pretty straightforward

Hi everyone. I'm still having mysql trouble on the SQL injection fundamentals lab. Sometimes I'm able to log into mysql, then the next I'm not and get the error 200 unable to connect. I've tried everything and It's driving me crazy. I can connect to my localhost, and every so often connect to the target in the lab. But as soon as I close the connection it won't let me back in. Any help would be greatly appreciated. A pm, instead of a post on here would also really help. I get responses lost in the shuffle in the thread. I'm using my own kali box and not the pwn box on academy. Thanks in advance for any help.

Can someone help me answer this question?

The Question Is:

What is the name of the group that is present in the Company Data Share Permissions ACL by default?

On WIndows Fundamentals In HTB Academy

Proceed step by step as described. Then you will see the group name

i done that but i do not know what it means by step 8:

Using PowerShell to list details about a service

Is it Possible To Send Me The Command For Powershell ?

there is a certain command for that all you need to do it look it up

ok

you can DM me if you still need a hint.

i did find it in the module

was very easy just i didnt understood the question first, thanks for the fast response also.

Oh k I see, I thought you were struggling with how to do it

nice then

np

i also got a question about buying cubes ? i am planning on buying monthly subscription, is there any min month of buying like i am signing for X months ?

I am trying to answer the second question on the Login Brute Forcing section of Skill Assignment - Website. I have used hydra to brute force the admin panel and have tons of hit. However, when I enter matching usernames and passwords in the admin panel it just loops back to the admin panel login screen. Anyone have any advice?

@small sluice feel free to DM me bud 🙂

Thanks for the help and great tips.

Im having alot of trouble with the web proxy module

Intercepting web requests. At the part where it talks about HUD

Use cURL from your Pwnbox (not the target machine) to obtain the source code of the "https://www.inlanefreight.com" website and filter all unique paths of that domain. Submit the number of these paths as the answer.

Guys someone pls tell me the answer

Hey everyone, just wondering if someone could help me out here. I'm currently up to the "working with web services" in the linux fundamental course. I am attempting to use the following command (apt install apache2 -y) in the workstation box and am currently getting the following error. I've attempted to solve it by googling and haven't gotten anywhere.

When it refers to network error, my side of the connection is operating fine from what I've gathered.

E: Failed to fetch https://deb.parrot.sh/parrot/pool/main/a/apache2/apache2-utils_2.4.52-1~deb11u2_amd64.deb Cannot initiate the connection to deb.parrot.sh:443 (2001:41d0:303:d269:aaaa:feed:dead:beef). - connect (101: Network is unreachable) Cannot initiate the connection to deb.parrot.sh:443 (2001:41d0:602:3520:bbbb:feed:dead:beef). - connect (101: Network is unreachable)
E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?

Im having alot of trouble with the web proxy module
Intercepting web requests. At the part where it talks about HUD

I can't get to this screen.

Has anyone completed the OSINT module? I have a question about one of the answers

yup, I did

hello i enrolled in linux fundamentals but cannot ssh into the target

i ran this command: ssh htb-student@ip

you need to change the IP with the IP address of the target

yes i did

connection timed out

where are you running the command in the workstation on academy or somewhere else?

in my own comp shell? because i cannot run the instance in the academy

then, have you connected to the VPN

you mean the ovpn right

correct, yup

im unable to import in virtual box thou

this article will help you connect to the VPN, it is for the main platform, but the same steps are applied with the VPN in academy https://help.hackthebox.com/en/articles/5185687-gs-introduction-to-lab-access

thanks a lot i will have a look and try to do it. will study now for test tomorrow haha

Information gathering module - active subdomain enum section

Could anyone give me a hint please with question one? :)

I've read the written hints here but I not get any result from nslookup or dig.

what is the nslookup command you tried?

It is
nslookup -type=NS inlanefreight.htb
like written in the beginning of the section

you need to add the target ip to the end of the command.

if you read the man page it mentions that sometimes you need to put the address of the name server as well as the host.

Hi all, currently stuck at Virtual Hosts module at Information Gathering Web Edition, in the last question regarding the specific vHost that starts with the letter "d", I already tried ffuf with the namelist.txt from SecLists and filter it to match 3 words, but still can't find the vHost that starts with the letter "d", is there any other clue?

can I see the command you used.

I just checked and the vhost is definitely in the namelist.txt file.

Thx. It's working 😀

yw

Can i shoot u a pm?

yes

btw i feel like a little fundamental dns knowledge is needed for pass this module.

Is there any good article that fills the gap? Mainly in a pentesting perspective of course :)

Read up on zone transfers as much as you can find. You will need to understand how it works to pass the module. Although active Subdomain Enumeration is probably the hardest part.

Thx!

Please guys. I’m having trouble with web proxies. Specifically the part with the zaproxy and getting the HUD button on break to toggle on and off

hi ! I'm on the Windows Fundamentals module and I don't understand how we're suppose to read the file to access the flag. I have try to update the permission of the users but I always get the "Access Denied"

It's working here, i just clicked on flag.txt and it worked

But I can't connect to the IP using Smbclient, i also can't ping the ip adresss, but im connected to it remotely using xfreerdp

So the intro to assembler task 1 has me stumped. xor is not an issue but the byte order is. Can anyone provide a hint on the order of the xor'd bytes? Start at the top of the stack or the bottom and does the byte order need to be reversed? Seems like I've tried every combination and still fail.

hi guys

i'm in the skills assessment of stack based buffer overflow in windows x86 module

i've downloaded the zip folder with the vulnerable .exe and i've installed it in my windows vm to debug it

when i try to connect remotely to the app by nc.exe or by a python script i wrote the app crashes before i can enter any input

any suggestion?

which part of the module?

structure

I was able to just browse to the directory and read the file.

the fuck

as htb-student ?

yeah. Let me go back and verify.

so yes, logged in with xfreerdp, opened a cmd prompt, went to the directory and then used type flag.txt to get the flag. you can also use file explorer and just double click it

have you something also about stack based buffer overflow on windows x86? i'm stuck on the last skills assessment...

i log using rdesktop, maybe that's why... I'm gonna try again, thank you !

also make sure you are trying to get into the correct directory. the one with a bunch of letters and numbers is not it

I didn t do it tbh cause I wanted to advanced exploitation on linux I will do it for windows soon

but if u want there are some videos about this skill asessment

on google

https://www.youtube.com/watch?v=gLK3_WsjSag Remember. The main purpose is to understand what are u doing. Not to earn cubes. So dont watch this video jus for the cubes

i really appreciate. i will take a look. thanks to pointing me in the right direction

np

Afternoons, I am having a good doubt, when executing ffuf, it does not show me the results like the examples, however I have seen another guide and it has worked more with the results of the different directories, but here from the pwnbox I cannot advance , there is some step that I am omitting if you could guide me, thanks!

I can help you with that. Show me the command you are trying

this is my comand to try

do you have hackthebox.eu in the /etc/hosts file?

no

or academy.htb

you need to

and what this is ip?

would that be the ip?

Hang on I am checking.

Right now I don't have anything in that file, but I could add it with that command from the previous page.

i think the pwnbox has no internet connection.

try it from your PC or VM.

I thought that, but I saw the example of another person and it worked for him

ok for that one you really only need to ffuf the hackthebox.eu site. not academy.htb.

yes

now my question is if i should add with that ip and domain, within hosts?

no you dont need to

.

I tried that and it didn't work for me, I think I'm missing something

are you trying to do virtual host fuzzing? you should be using this according to the ffuf docs: ffuf -w /path/to/vhost/wordlist -u https://target -H "Host: FUZZ"

try http only

ok

strange tho cause it works with both htttp and https for me

if you are a subscriber, as far as I know you have internet in the pwnbox, but as a free user you do not.

good point bunny, I am using my own Kali VM

but, then I must add that ip and domain to the hosts if I do not have internet in the pwnbox, I did not try the latter. I will try the same in my local virtual machine

i use also my own VM

undrstnd

ty for u help

without internet access the pwnbox wont do anything even if you change hosts.

no, this does not help you.
You only need the entry in the hosts file if your DNS resolver cannot resolve the iP, or if you want to overwrite an entry.

ty brothers

i can

on my vm

I plan to start the Bug Bounter Hunter path, how much time does it take approx. to finish it ?, from a beginner's perspective.

Depends on how fast you learn and how much time you have to dedicate towards it. I am working on it now, started 3 weeks ago but I worked thru all the tier 0 and tier 1 stuff before I started a path. I am currently at 50%

I also had Covid and didnt touch my computer last week.

Alright, thanks. The idea for me is to complete it in one semester, with 3 hours/week of work.

Hello all, I'm having trouble with a question:

a semester ?

it s gonna be enough dw

trying to figure out how to get the screenshots uploaded

I'm clicking the "+" and it just says "use / command"

Welcome back

thx bro. How have you been.

Pretty good, finished academy last week. Just waiting for them to release the last modules

Hell yeah. Congrats on teh accomplishment.

Thank you

@livid pier you finished every module?

now i just need to get a job😂

Everything up to tier 2

I have the student plan

I need you to complete every single module available

so i can go to you when i need help

lol I need more cubes

I am going to be able to buy one 500 cube mod but thats it

Im thinking linux privesc or bloodhound

linux priv esc is very nice

Hey! If you don't mind me asking, do you think it was worth it? Quite a lot must have been overlapping?
I did the intro to both pentest and bug bounty where I also continued and now at 20%. But now that I read your comment im considering doing something similar 😛

@lethal atlas can you help me please?

Ok I got this. Hints for those struggling: 1) the top of the stack after the original encoded values are added is the start of the shellcode - so decode 0x69751244059aa2a3 and you have the start of the shellcode; 2) I used cyberchef (https://gchq.github.io/CyberChef/) to xor this first value and the last value on the stack, so I knew what to look for in my gdb dump - this will tell you if you need to reverse byte order and/or instruction order; 3) watch out for padding that gets dropped by gdb - when combining the QUAD WORDS they need to have those leading zeros.

Hey carnales, someone can help me?, pls. I'm on "File Upload Attacks" - "Limited File Uploads"

Can anyone help me with Web Proxies module and the zaproxy app?

Does the PWNBOX work witht he modules too?

If i remember correctly, yes

@twin raft Have you done the web proxies module?

Yes man

Dude this is like 24 hours now stuck

PLEASE HELP me

@twin raft I can't get to this screen in zaproxy

Oh i see

You need to get into HUD

Yeah

I get it open

Can i PM you?

Sure

Can I DM you about something on the OSINT module?

Has anyone here started off a complete beginner and became a decent pen tester just from hack the box ?

Anyone able to give me a nudge on Information Gathering Web Edition "Active Subdomain Enumeration" , first question? I've tried using nslookup and gobuster fuzzing for dns but I can't find the nameserver. I really don't understand what I'm supposed to do.

Good day to all. I'm having trouble with one question in the "Linux Fundamentals" module. "Which kernel version is installed on the system? (Format: 1.22.3)". I went through all the unname functions, but I still can’t find the right version of the kernel. (Linux pwnbox-base 5.14.0-2parrot1-amd64 #1 SMP Debian 5.14.6-2parrot1 (2021-09-25) x86_64 GNU/Linux neither 5.14.0-2parrot1-amd64 nor 5.14.0 nor 5.14.6 -2parrot1 or 5.14.6 the bot doesn't take it as a correct answer...) Help me please.

How do you guys get the root password for your pwnbox? I'm trying to do commands but it needs sudo access.

@solar flume there is a document on the desktop with credentials 🙂

Thank you so much.

@rustic sage might be a silly question but you are SSH'd into the target right?

yes

I thought that you need to put Parrot OS on hardware, and not dance with a tambourine in the VM... oh

Yea i'm seeing a bunch of "Parrot" so it looks like you might be running the command just on the pwnbox.

You want to SSH into the target from the pwnbox and then run the command

still gives an error ... ok, you have to demolish Ubuntu and deal with

Any reason why this is doing this? linux fund

Use sudo

you still stuck?

Yes I need a sanity check

you da bomb

This is what i get when i go to the local host after install apache

@livid pier just saved me from having a complete mental breakdown , thank you good sir!

🥳

I’ve been stuck on this problem for ~2 hours in the hashcat module. I’ve been using the hashid command. Is there anything I’m doing wrong?

Try “Sudo systemctl start apache” i think

@raven cairn try putting the hash into a file and run hashid against that

@hazy grotto try lowercase sudo 🙂

Case sensitive!!!

Holy crap you are a lifesaver. I am still a bit confused why i need to put the hash into a file for it to work! 🤣

Yep . Also later in the module when you run into super long hashes, you will need to put them into a file and run hashcat against the file in order to crack it

It might be something with the way your terminal interprets the $ sign

Try apache2

My b

that's prolly what it is

lol

nvm lol

Do they leave out stuff on purpose in these modules?

This module is difficult if you dont know much about linux

If you want to get better at linux i would recommend using it as a daily driver

cuz ive been working on like 3 different ones and man. i feel like im missing huge parts of instructions

thank god for @twin raft. He helped me alot on my web proxy question

i tried doing a dual boot with kali and that was the biggest mistake ive ever made

Why?

Because ive never touched linux before. I was watching some dork on youtube and the next thing you know my keyboard stops working

You learn by failing and breaking things

once i got that working kali woulnd't boot but windows wouldn't

yeah. it was a learning experience i wish i wouldn't have had to learn.

That has happened to me a couple times lol

Do you know how to use vm’s?

personally. i'm really happy there is material out there. but i think maybe someone needs to go through this again and make it a little more friendly

Yeah. I have kali set up on my vm now

you got any more ideas on this pache2 ubuntu default page?

The modules are quite hard but so is pentesting

It worked on my machine. It is difficult doing tech support online. That part isn’t the most important part of the module as a whole so i suggest skipping it and coming back to it later.

Probably a nooby question but i have also been stuck on this problem for quite a long time. It is on the hashcat module.

I tried doing this in the pwnbox and it didnt work either so i dont think it is a problem with my machine. Probably something pretty stupid i am overlooking 🤣

You need to download that library

🤦🏻‍♂️

🤣 thank you sooooo much. I’m so tired and i can barely think

@raven cairn try this command

It used to be native on the pwnbox, i guess since they updated it the pwntools is missing

Go for it

guys someone can help me for the introduction to hack th box .I have serious doubts and I don't try to keep going with the default modules of the platform

?

What do you need help with?

are you new to hacking?

Intro is a pretty difficult module if you are new. What do you need help with? If that is your first module i would recommend doing some other ones first.

HTB intro to assembly

Code:
global _start

section .data
message db "Fibonacci Sequence:", 0x0a

section .text
_start:
call printMessage ; print intro message
call initFib ; set initial Fib values
call loopFib ; calculate Fib numbers
call Exit ; Exit the program

printMessage:
mov rax, 1 ; rax: syscall number 1
mov rdi, 1 ; rdi: fd 1 for stdout
mov rsi,message ; rsi: pointer to message
mov rdx, 20 ; rdx: print length of 20 bytes
syscall ; call write syscall to the intro message
ret

initFib:
xor rax, rax ; initialize rax to 0
xor rbx, rbx ; initialize rbx to 0
inc rbx ; increment rbx to 1
ret

loopFib:
add rax, rbx ; get the next number
xchg rax, rbx ; swap values
cmp rbx, 10 ; do rbx - 10
js loopFib ; jump if result is <0
ret

Exit:
mov rax, 60
mov rdi, 0
syscall

Question:
Try assembling and debugging the above code, and note how "call" and "ret" store and retrieve "rip" on the stack. What is the address at the top of the stack after entering "Exit"?

What I’ve done:

• From what I understand the stack pointer (rsp) points to the top of the stack

• I set a breakpoint after I enter the exit procedure and $rsp is 0x007fffffffe028 so I enter that and it is wrong

• So I try this, the call instruction pushes the $rip (next instruction pointer) to the stack then jumps to the specified procedure, so I break right before the call instruction is processed and we enter the exit procedure and look at the $rip

• I see the $rip is 0x0000000040100f which will be pushed to the stack upon processing the call instruction and entering the exit procedure

• I enter this and it is also wrong

My question: What am I not understanding, what am I missing

Note: I have tried to attach my gdb output but the images are not uploading.... Im not sure what's up with that

Hi guys, just started Linux Fundamentals and I'm at the user management section. When I try and use the sudo command it asks for a password. Is this just a generic password?

in where

Just in the terminal, first command is $ sudo cat /etc/shadow and it asks for a password

i mean

target from the exercice or on you own machine

oh sorry, target from the exercise

so if its the target you should be giver a password that you can use

the password that you used to ssh into the target

I'll give it a go, thanks

Still not working. The password worked on the last section to ssh. Now i've exited the ssh and I'm trying to use sudo commands

can you send a screenshot

maybe try to reset the target

okay, i terminated the instance and now I can't spawn it again until tomorrow lol

tf ?

you terminated the wrong one buddy

you had to restart the target not you pwnbox

🤦

sorry man, complete noob

Run a parrot vm

what was the prize for the ffuf module. I am on my mobile phone and can't see it😂