#modules
yeah ... thanks it seems like I can read ....
my question was, what exactly would a component be in the scheme ? is one server serving the front-end and passing the requests to another server that's running the back-end etc .... ?
And you want to open the page in the browser in the pwn box?
You may have to specify http:// before the IP.
Like this: http://10.10.10.10:1234
or would all 3 servers do it all, front and back, key signing and such things ? If yes, the question would be what's the added value of having these, strictly speaking about security and not redundancy
i'll try it
Hi guys i have a little problem, web request module>HTTP methods>PUT & DELETE just i can't connect with curl, it shows me "(7) failed to connect to 64.227.39.88 port 31175: connection refused"
F
it didn't work

Did you get the answer? im trying to figure this out
bro i think.... that i have the same problem ...
can i dm you?
Yes no problem
Maybe Load balancing?
It just depends on what you want to do.
Reduce traffic? Redundancy? Isolate individual services from the Internet (security)?
the load balancer would sit in front of the servers
well redundancy is obvious, but as I said, they're saying "each component" which to me means each server does something specific, and that was the actual object of my question 😛
I have opened the chapter again.
Under each scheme is explained how the creator meant it.
Maybe I don't understand your question correctly.
But basically each server can run a single component, or it can run several components at the same time.
It just depends on what exactly should be implemented.
component is a word, this word is a noun. See the thing is, everything has a thing, this thing can be this, or that
Its all nouns or verbs
sometimes adjectives
The thing or the process. But underlying each thing is a set of processes and you cant have a process without the things that make up process
Its pretty simple really
question about the Introduction to Academy - On the interactive section with target, I spawn the target but can not connect to http://<ip>:<port> in a web browser from the workstation. I have refreshed the target but each ip/port combo gets a connection refused, any idea what I could be missing?
we are 3 with the same problem, we guess it is a problem with HTB Academy
good to know...guess I will try again later
They are experiencing an outage. Was told so by the HTB support team.
Update: I just managed to connect to a Docker target.
same...thanks!
remark: InFreight SMB v3.1
path: C:\home\sambauser
password:
type: 0x0
perms: 0
max_uses: -1
num_uses: 1
I am having an issue in Footprinting. SMB. Last question: What is the full system path of that specific share?
I believe it's asking for the InFreight SMB share full system path. Ive spent hours on this question and ive tried everything? Why isn't the path above i posted the right answer?
Take a look at the hint:
„Remember that Linux-based operating systems do not have a "C:" drive.“
Guys i tried a little bit but i can’t find my first lesson, i have some logic but that’s it. How can i start, any tips?
which module are you working on
Actually I’m still new no one yet, but the question is how what should i do as a first step
sign up with academy and start with the tier 0 getting started
Hey, is there anyone who can help me with Academy - linux priv esc - miscellaneous module?
@slow venture sent you a DM bud 🙂
i noticed that hint. i gave up. i tried everything. i spent 10 hours on that smb section.
Hello all, I'm trying to figure out what's going wrong on the first exercise with ffuf. I'm 95% sure i'm using the right wordlist based on the hint
did anyone else run into an issue on this?
on which section
Directory Fuzzing, this seems silly. I would think I'm using the right word list
am i going crazy or is the Parameter Fuzzing - GET room in the attacking web application with ffuf module not working? i added the ip to /etc/hosts
i cant reach the subdomains found with ffuf
like, when i run the ffuf command, it returns 200. when i try to go to the page in a web browser it says "we cant contact to the server (FQDN)"
need help
i think im doing every thing correctly. i can dm to keep spoiler free
hi can someone help with joining this academy
What do you need help with?
i want to join this academy
Did you go to the website?
im doing the web request module. what is the domain im supposed to input in the /etc/hosts/ ?
in which section
for solving the final question
yea
yes
Giving up is not an option 😉
You just have to translate your path to Linux.
Linux has no C:\ but uses a /
Instead of \ Linux uses / to separate directories:
So C:\Users becomes /home under Linux
You can DM me if you are still stuck.
I gave up on that section and switched to box. Got about halfway and got stuck and really lost faith. I’ll prolly try that smb part again. I was trying to switch the slashes
i thought i had tried that. thanks man.
i got it to work
make an account
can anyone help me with the last question for the DNS aspect of the footprinting module?
so far ive done a zone transfer on the internal.inlinefreight.htb domain
just need the last host FQDN with the 203 end octet
You have to find all zones
Note that you can configure DNS servers to allow zone transfer only to certain servers.
Which module is this?
Footprinting
What is the FQDN of the host where the last octet ends with "x.x.x.203"?
i cant find .203 subdomain anywhere ive tried using dnsenum with various wordlists
dnsenum --dnsserver 10.129.42.195 --enum -p 0 -s 0 -o subdomains.txt -f /home/michael/SecLists/Discovery/DNS/subdomains-top1million-110000.txt inlanefreight.htb
i tried this command
Hi, can somebody give me a hint on the last section with finding the upload folder in the file upload attacks ? the hint on the page tells me that i should look on the source code but i cant find anything useful, did i miss sth ?
u need to look on the source code carefully
can someone dm me i need help
hey all, im having trouble with the miscellaneous techniques in the linux priv esc academy module. The mount seems to work, but when i run ./shell nothing happens. Can anyone help me? Please 
the instructions aren't clear on how they go from their local user to htb@nix02
has anybody done the Footprinting module?
You can DM me, if you need help
Hi everyone. I am new here. Just wanted to ask if anyone here has completed the OSINT: Corporate Recon module?
Hi! I bought a VIP+ subscription on HackTheBox, but when I went to spawn a workstation in the academy it warned me that I only have 1 a day. Does it take a bit to register the payment, or do I need to tie it to my HackTheBox account or something?
HTB and HTB Academy are not the same thing.
For the Academy you need either Cubes or an Academy subscription.
VIP+ is for HTB.
Oh! Shoot, okay, I misunderstood. I'll do the academy one then. Thanks!
is this the right way to make a fuzzing extension scan?
does anyone know?
I had big trouble on DNS foot printing module & someone kindly helped me. If you are still struggling you can DM me.
You still need the word index between 30846/ and FUZZ at the end.
what do you mean
ffuf -w …/web-extensions.txt:FUZZ -u http://10.10.10.10:12345/indexFUZZ
ok ty
Hi has anyone done the SMTP module im trying to find the valid user account i am using the Resource wordlist that they have provided however running it just seems to crash the server
does anyone know the valid account name? if so please dm me the answer
ive used msf -- smtp-enum
but it crashes the machine
hey everyone, for the linux priv esc - skills assessment , flag5, does any one have any hints? I've got an interactive shell. Looked at sudo -l, root has nopasswd for /usr/bin/busctl but the gtfobins doesn't seem to work... any clues?

smtp-user-enum Usage Example Use the VRFY method (-M VRFY) to search for the specified user (-u root) on the target server (-t 192.168.1.25):
root@kali:~# smtp-user-enum -M VRFY -u root -t 192.168.1.25 Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum ) ---------------------------------------------------------- | Scan ...
@slow venture try upgrading your shell with python3 -c 'import pty;pty.spawn("/bin/bash")'
then the gtfobin should work
i've got it upgraded, i think im getting the gtfobin command wrong. is it sudo /usr/bin/busctl --show-machine?
cause that just opens the info but when its done it closes and goes back to tomcat
sec let me check my notes. I'm on super spotty hotel internet
thank you vvvvvvvvv much
@rich heron did you sort out your question with the corporate recon osint room? I have answered all but one question so far I might be able to help
I did! Thanks for offering to help
Its the web requests module
I was using curl to get this but dont understand
Or do i have to use burp for this
on module **Attacking Web Applications with Ffuf**
i cant find the right word list for the last section, the last question
the hint is:
the question is
can anyone help?
hi - I made a progress on this but I am stuck on this after trying everything I can think of - if you figured it out, could you help me - or want to DM to compare notes and try to work on this together?
@rustic sage try this command:
@stiff tiger If you need a nudge on windows priv esc feel free to DM me 🙂
@rich heron thats awesome! Would it be ok if I asked you for help with the one question I haven't completed?
Of course!
can I DM you... not sure if we are allowed to post questions on here about rooms?
Yes
Hi
Howdy
What exactly do you not understand?
In the Dev Tools in the browser (F12) you can see which URL is called.
Then do a query with curl on this URL.
Greetings earthling
thx
Hey, can somebody give me a hint at "SQL Injection" "Writing Files"?
Im lost rn :/
DM me what you have tried
Are the docker instances down again?
Module : Web request
Section : GET
I have no idea what I'm supposed to do to answer the only question there is
this is all i think I'm supposed to do but i don't know how to get the flag
i also did this way but still no flag
try changing your parameter
from le to something else
parameter means change my search?
Well, are you looking for ar?
i have no idea
Read the question again
It's simpler than you think
i dont understand the question at all
yea ik but it wont give me a flag
Show me what you tried
got it!!!
but how in the world was i supposed to know to search for flag?
How did u know ????
ty tho !
yea it says search for flag but i imagined like search for flag idk ig i just overcomplicated it
np, glad you got that
i dont know how but yea i got it
🥳
any ETA on when the bug bounty career path will be finished? im excited about taking the HTB certified Bug Bounty Hunter exam.
If you find out let me know
hey im new
can u help me coding cuz im new
i wanna be a game developer
thats why
You are in the wrong place, this is for hacking
Why mention game developer then?
☕
Good morning everyone
@rustic sage good morning!
good morning
Hi. Any idea why it is Welcome1?
Sorry it has been ages since I did that but I added:
(The ls command resulted in an access denied message, indicating that guest access is not permitted. Let us try again using credentials for the user bob (bob:Welcome1).)
(I think it was part of the description maybe)
Are we having issues with servers again today? I keep spawning the target but cant reach it
Module JavaScript Deobfuscation Section Decoding is this not what the answer is i did everything correctly right i cover what i think the answer should be because i don't know if we can show that but it says my answer is wrong what am i doing wrong??
has anyone done the sqlmap module and issues with the flag in case 5? I got the flag HTB{700xxxxxxxxxxxxxxxxxxxxxxxxxx7} but it says incorrect when I submit. I'm curious if I am overlooking something obvious.
sqlmap page6 'Attack Tuning'. Case 5 - 7 are the exercises for this page.
make sure you dont have a space at the end of your flag when you paste
happens fairly easily
i just verified no leading or trailing space
does any one remember the applocker command for windows priv esc - situational awareness question "What executable other than cmd.exe is blocked by AppLocker?" the one in the instructions is just from cmd.exe
What up Jared
chillin at the airport in las vegas
Lost my wallet as soon as i flew in on Tuesday so it's kind of been a disaster
Why the explanation about DNS servers differ so much on DNS enumerating with python module and Footprinting module?
It feels like 2 different concepts 😅
What do you mean? Where do you see differences?
A zone transfer is attempted in both modules.
For example server explanation
DNS enumerating with python explains 4 servers where one is root dns server and one TLD server.. But footprinting module is explaining about 6 servers and telling root servers are responsible also about TLDs
also DNS enumerating with python directly says there is 4 types of dns servers
not 4 or more
Having some trouble in the Windows Escalation Privileges - Interacting with Users. I am trying to do the SCF on a File Share exploit but only getting htb-student hashes while launching responder. Needing the SCCM_SVC user hash and not sure how to proceed
... did not realize there was a hint that I was completely missing... nvm I got this lol
Can somebody give me a hint in "Broken Authentication, Default Credentials"?
Having trouble with the Bruteforce
did you get past it or are you still stuck? I finished the module, so happy to help with any parts.
still stuck
yahh
i just started with htb academy i have completed some of tier 0 modules and some others
You are going to go into your profile and click billing
but now i need more cubes for other modules
The student subscription is pretty affordable and grants you a lot of content
Once you click on the button it should be very straightforward
8 $ for me it's 600 INR so
hmm
but should i enroll in it ??
and i don't have that option
If you are enrolled in a university, are serious about hacking, and can afford 8$ I would highly recommend.
ooh but see in img i don't have that 8$ option
student* $8
now wt should i do
and yeahh i m really really serious about hacking
@raven cairn hello r u there ??
?? so now wt should i do ??
Don't know where to help you from there 😦 . You can still accomplish quite a bit without a subscription tho.
😑 okiee but i want to buy Linux and windows privilege escalation modules
In the "Footprinting" module, the root servers are described a bit awkwardly.
A DNS root server can answer directly if it has the corresponding data in the cache, but it also knows which TLD server is responsible.
https://www.cloudflare.com/learning/dns/glossary/dns-root-server/
In the module "DNS Enumeration with Python" the author explains which servers are necessary, while the author of the module "Footprinting" shows which types are available. These are two different approaches. But both are correct.
https://www.cloudflare.com/learning/dns/dns-server-types/
However, only four server types are necessary (Resolver, Root, TLD, Authoritative Nameserver) for a successful DNS query. Nevertheless, there are other types as well.
For example, a DNS server can be configured so that it simply forwards a DNS request to another DNS Resolver. This is then a DNS forwarding server.
Hey I just sent u DM
Is there anyone who's online can give me a bit of a nudge on windows privilege escalation
Can somebody give me a hint in "Broken Authentication, Default Credentials"?
Having trouble with the Bruteforce
You have to find a list first.
In the chapter you will be given a list. Search on this list for a suitable vendor.
Then search in Google for the default password for the found vendor and the found software.
So you should find a list with less than 10 entries, which you then have to try out.
It’s grayed out because your university domain is not in their database yet. You can contact the support to add it.
But make sure you use your university email for your Academy HTB account
Hmmm, cant find the right login
i don't have university email
What software did you find?
Which vendor did you find?
||Siemens Corp - Simatic WinCC SCADA||
Does HTB Academy offer a discount for students?
Yes! You can enroll for a student subscription in the billing section on HTB Academy, https://academy.hackthebox.com/billing
If you are registered on HTB Academy using an academic email that is included in our list of valid academic domains, the student subscription will be readily available. Please note that you can change your Academy account’s email via the account settings page.
If your academic email's domain is not in our current list of valid academic domains, the student subscription will appear as unavailable (greyed out). In this case, contact us via the support bubble at the bottom right of the page. The HTB team will verify the validity of the domain you will specify. After the academic email verification process is complete, you will be able to enroll for a student subscription and enjoy Academy's modules! The process may take up to two business days.
Note: Access to Academy modules requires an active student subscription. Make sure to renew your plan monthly to not lose access to your learning material!
Ok, your information is wrong.
Look in the browser tab and you will see a software.
Okay found it thx
I can't be the only one that would love to see a "hide completed" button for the module overview in HTBAcademy.. Right?
hey but i m preparing for my college entrance exam and i don't have any college or university or academy email i have account with google gmail so wt can i do ??
Can somebody give me a hint at "Broken Authentication, Weak Bruteforce Protections, Question 2"?
||I know it's not about bruteforcing, but I have no idea what IP I should use to bypass the login or where to find the IP...||
As soon as you are an admitted student, you will receive an e-mail address from your university. Then you can use it and you will get the discount.
Unfortunately, according to the FAQ on the website, there is no discount during the preparation for the student.
but it takes months and i want to learn those thing now ?
the hint says that the server does not trust your IP. Who could it trust?
I know what to do but it doesn't work, i will try further
can I dm you? I am stuck :/
nvm i got it xD
Yes, sure
ok
mid ahh server tbh
/join in #bot-commands
i'm having trouble with the xss module. i'm on the phishing part, but it seems that my javascript is being cut off half way through.
oh, i'm using the wrong type of payload
lil help so i can earn 10 cubes †-†
in the setting-up academy module, Im asked "what does the acronym Linux PAM stand for?" As far as I can see, the module never explains the acronym so I looked it up, most sites say it means Pluggable Authentication Module, which makes perfect sense
when i type this in though, wrong!
oh pfft
its "Pluggable Authentication Modules"
plural - modules 😦
nvm sorry!
With what?
trying to add image
WHERE?
not help with adding image. That did sound confusing. I have an issue trying to find flag using curl POST command. I tried to copy the command in here but it erased it. Now trying to copy image of what I typed in terminal but i have not figured that out either
In the Web Request section the task is "Obtain a session cookie through a valid login, and then use the cookie with cURL to search for the flag through a JSON POST request to '/search.php'"
???
Verify
ohhhh, ok i see
curl -X POST -d '{"search":"london"}' -b 'PHPSESSID=7mgvp398o8ano29mhftgkfenkq' -H 'Content-Type: application/json' 'http://157.245.40.241:31803/search.php?search=flag'
["London (UK)"]
I cant figure out why this will not return the flag
thanks for letting me know that i had not done the verify
One sec, did you copy it from dev tools?
@gritty karma
@raven cairn One second, just ONE second
You need sleep!!!
yes, the curl PHPSESSID never works
I remember doing it for someone last week
Hm.
Which module is this again?
And section?
I need to help
Web Request - POST
Getting a ☕ - one min
then it tells me that the POST data is empty
confused.... i dont think i understand. I query with data and it returns no flag. I query without data and it tells me data is empty.
Let's go back
Send a request from the website while your dev tools are open
Let's say request "london"
And copy that request then from the dev tools with "Copy to cURL"
and i get {"London (UK)"}
Great
Now, where in the curl command do you see London?
Not in the URL, right?
Rather in --data
in --data-raw
Right
so --data-raw is really the flag?
Now, in your curl request you are going to have many more parameters that need to get removed, otherwise you are just repeating your request
This is where you put your query
so I should have used curl with ip/port, content type cookie and data-raw should search for flag
me: "I don't know how to do this"
my brain: "who cares, let's go!"
me: "But it's past midnight and it's a huge project and we've never tried this before, ever"
my brain "So? We'll figure it out, come on, it'll be fun"
_>
my brain is a bully
Yes
@high zinc Are you talking to someone?
no
@high zinc Happens to all of us.
I do wonder how a staged payload works
@rustic sage thanks man. it could not figure this out. your instructions made sense too. you really helped me out
hey, is there something that needs to be done when the target instance ip address just opens a blank white page. Refreshing instance does same thing
@gritty karma which module?
you put the payload on a stage and tell it to perform for you
Can I have some help with the linux privilege escalation module?
This is on the shared libraries section
I don't understand the error that I am getting.
@west canopy Thank you very much. SSH'ing into htb-student fixed my problems
Which is stupid because I literally followed the instructions 😦
Yea i'm not sure. This is just what I had in my notes
Working on Linux Fundamentals > Service and Process Management. How do I get the password?
Split the network 10.200.20.0/27 into 4 subnets and submit the network address of the 3rd subnet as the answer.
Good morning, everyone ☕
Solved?
Subnet calculator performs network calculations using IP address, mask bits, determines the resulting broadcast address, subnet, and more. Try Site24x7's Online IPv4 subnetting calculator for free.
did you figure this out? everything i see is empty
oh, it's not the domain i was trying
Good morning
Hi can someone help me with the location in the module "OSINT :Open-Source Intelligence" ? I got coordinate as mentioned in the hint, but not working, really frustrating
i am really struggling with this last question on information gathering - active subdomain enumeration
Has anyone done the Chase lab in Intro to Blue Team track?
Did you ever end up figuring this one out? I have been trying the techniques it has listed in the module but none seem to work. Do you remember what technique you used to get the contents of the creds.txt?
@slow ruin yes it's actually super simple but not something you would expect. Look for a powershell one liner provided in the section
wow I did that earlier and it went right past me lol
@astral siren i think I just manually bruteforced the answer on that one haha
hey can someone help me with under construction from beginner track
im stuck at the sql injection and its not working
Do we have here some moderator who can give us some hints ?
ok thank you I will try
Module:SQL Injection Fundamentals
Section:SQL Operators
for some reason mysql won't do anything, after i log in it won't give any output. (Yes i am connected to the academy vpn)
i'm using this line: || mysql -u root -h (target ip) -P (target port) -p||
does anyone know what i'm doing wrong?
@dapper flare what happens when you run the command: use employees
does it just hang? I know a couple weeks back there were some technical issues going on with that module and people were unable to connect to mysql
yeah it just hangs
Maybe respawn the target if you haven't already. I am working on Hacking Wordpress and I just had to respawn the target twice before it would load.
okay thank you
Let me know if it keeps acting up and I can test it on my end
it worked thx
There's a tool called that similar to what's mentioned in the hint that found the answer
Solved?
I solved all of it
Good.
The active dns portion I guessed and managed to get it
I was getting 29 a records, but that was too high
I am not sure why that wasn't the answer
The correct number was less
@astral siren Because if you would have tried to zone transfer those 29, you would not have succeeded, just with X of them
That wasn't the question that was asked
The question was how many of these return a records
Which question exactly? I thought the second Q in Active Subdomain Enum @astral siren
No, the last question
Oh, sorry. One min...
in the dns enum with python, where do i put an ip address in the script to make it work ?
i mean i dont know what to do with it but i know i need it
Guys I am not a Noob anymore : )
Hacker here I come : D
@raven cairn Awesome work bud!
Some help with Broken Authentication skill?
Web Request - PUT & DELETE
Hello, I'm a brand new user at the Academy and am starting from square 1. I'm starting off in Linux Fundamentals. One of my first interactive modules/quizzes has to do with ssh login which i was able to do with no problem, but now the quiz is asking me the path to the user's home directory, I used "cd /home" and that worked and brought me there, but the quiz isn't accepting that as the correct answer. Any tips as to what I'm not getting?
pwd
What exactly do you want to do?
Specify the DNS server?
there is a python script provided above, but i dont know how its supposed to work
for example when i use dig i write something like dig inlanefreight.htb @ip
and i dont know what to do with the ip, should i put it in /etc/hosts or specify it in the script
its in dns enum with python - Main Function section
guys please im stuck here """""Submit the FQDN of the nameserver for the "inlanefreight.htb" domain as the answer""""" i get ** server can't find 128.165.129.10.in-addr.arpa: NXDOMAIN i try dig $target @10.129.165.128 fqdn but i dont get nothing
help
Module? Section?
@zenith gyro added inlanefreight.htb to /etc/hosts?
yes
|| dig ns inlanefreight.htb @white rock || should work @zenith gyro
Hello, I am stuck in the Web attacks - skills assesment. I already found the IDOR vulnerability and the administrator user. The problem i have is that i cant find a way the reset the password of this user. I keep getting access denied
hi
submit a valid token
hello
I've already tried that
dm
I am in the linux section, there is a question that I cannot answer, which says: Which shell is specified for the htb-student user?
I tried with bash, shell bourne and many names, but I don't know what the question refers to
could you help me with this please? I looked at the photo and it doesn't appear either
I'm a newbie, sorry
need the full path
Try to get the $SHELL environment variable
the full path of the module?
try env
ahhhh, nice
hey @real hare this will also work and quite simple
u don't need to use env instead u can use this command
thanks ❤️
Thanks ❤️
Hi, someone can tell me why i cant send or see msgs in most chats?
Need to verify. Look at #welcome
LINUX PRIVILEGE ESCALATION --- Miscellaneous Techniques
Review the NFS server's export list and find a directory holding a flag.
I have no idea what he want , tried mount but access denied to mount on target server
hi guys, anyone knows if you can reset a module and do it all over again?
Do exactly what is described in the module. The module guides you step by step to the goal.
@shadow mist I don't believe you actually need to mount anything, just navigate to /var/nfs/general and the flag should be there
To get the flag, use cURL to download the file returned by '/download.php' in the above server.
Good day everyone.
curl http://target/download.php doesn't seem to work
@silk niche you do realize you have to change the part where it says "target" to the IP and PORT of the actual target?
and to download the file you have to pass along the flag -O and give it a name. i.e. -O download.php
-O, --remote-name Write output to a file named as the remote file
@lethal atlas top of the morning
@livid pier how are you today?
🙄
obviously
it worked
thanks 🙂
yw
A little bit of everything, excited to start the week. I am doing the phoenix box and a sqli is taking 2 days, so that is annoying
Ready for a new mod to drop
@lethal atlas How you doing?
Im good. Working on file upload attacks. Im 3/4 way thru the bug bounty path.
Nice , you going to start some bug bounties when youre done?
hope to.
hi can someone please help me with Active Subdomain Enumeration
@haughty helm sure, which questions?
That section was pretty difficult. Like the way to actually solve the questions was not mentioned at all in that section
So basically all of them? lol
yeah
but how did u find the internal.inlanefreight.htb subdomain? @west canopy
Hey I'm looking at the Active Directory Bloodhound module, I've started my pwn box and additionally am on the vpn on my kali box, neither of the two seem to be able to reach the supplied domain. Also, it reads as if there should be a Windows environment supplied to run a collector on yet I cannot locate a reachable IP in any of the modules pages?
like how did u know that txt is present in this specific subdomain
I had to run the "dig txt" command against every subdomain
ohhh right
Yea. No pretty way of doing it lol
and what about the identification of zones
i guessed the answer as 2 but
i dont know how to identify it
Yea I ended up guessing it too. But i asked my instructor about it and he explained it like this:
So the presence of an "A" record (or multiple "A" records) is one zone. The presence of an "NS" record makes it two. If there was an "MX" record, then it would be three.
Anyone able to give me a sanity check on Web Attacks "Bypassing Security Filters"? It looks like the verb to use is HEAD, but I am still unable to create a new file called "file;" let alone copy the flag over.
Edit: Solved!
@west canopy ?
@haughty helm was that the last question in the section?
yeah
Yea so I just manually bruteforced that one too. I don't have a good explanation as to why the answer is what it is 😦
also i want to know how to find the FQDN for the given ip address
alright
@west canopy
so you will want to try doing a zone transfer against all of the subdomains you found initially. It turns out the one you want is going to be "internal.inlanefreight.htb"
fine got a lot of info Thank You soo much for helping me out , I spent lots of hours on this @west canopy
NP! I was losing my mind on this section too until my buddy helped me out 🙂
Fortunately the sections after this one are pretty straight forward
Great !!
@west canopy I figured out the answer for this , when u dig inlinefreight.htb we get 19 A records and the rest of the A records we get from zone 2 which is internal.inlinefreight.htb
exactly
i need help on **JAVASCRIPT DEOBFUSCATION**
on section Skills Assessment
what do i have to do now?
i have found the javascript code, but i dont understand what i have to do with it
after that i tried to decode it but i found this
it need more deobfuscation
How
Can you help me?
hey can anyone help with the assessment in ffuf im kinda stuck
do i need to add the domains found to the /etc/host/ file?
Probably
@rustic sage what is your problem? I can try to help
i think i just need to add the domains.
stuck here
cant seem to navigate to the pages i found.
they all end up blank or a google search
any assistance will be appreciated. curl http://178.62.57.180:30202/api.php/city?search='flag'. This just returns all the Cities and Countries. Module Web Request - PUT & DELETE
thanks alot. I tried that, but I did not use curl -s
NP. I had to delete the two HTB cities that I made earlier too before it spit out the flag
You figure anything out? im on the NFS. I can't mount or configure the config file
I was stuck on this for a long time. did you figure it out? someone on here did.
Hey @hazy grotto ! I did figure it out hahaha thank you : )
Man did you have the answer the whole time and just had the wrong format?
I had tried like 5 different answers tried using reversed slashes. But somehow I had missed it. I spent about 2 days in that question
Right so I actually had the right answer in the right format - that's why I was really confused because I knew I was right. I'm confident it was something messing up on htb - after refreshing the website - it finally accepted my answer
Can any one help with Broken Authentication- Bruteforcing Cookies- Question 1?
yep
Need some help with Skill Assessment - Broken Authentication 😄
need some help on "Advanced File Disclosure" section from Web attacks
let me help u , dm
can somebody help me i tried to connect to the windows target using xfreerdp but its not working
whats the command you're using?
Good Morning, I am in need of some help with Web Requests - GET exercise
What's your question?
I thin I have done the correct curl command but I am not seeing any of the flags that the exercise says should be present
*I think
Hey can someone help with the 'Skills Assessment - File Upload Attacks' I've managed to bypass the filters, but can't get code execution, since the request is returning <img> with base64 encoded source. I've tried to find the upload location so I can access the file directly, but that did not also work?
Can you DM your command?
Hello there, guys does anyone have information about email-subscribers plugin vulnerability for Wordpress task?
Find and submit the contents of the TXT record as the answer..... Any help???
what section are you on?
I can help
can i dm you
yes
What would you like to know?
The chapter describes how to read PHP files. Try it with this.
hey, for the windows priv esc, how did you all get accesschk to work? Looks like it doesnt come on the box
and my windows machine through HTB can't connect to the internet
I am still having an issue on file upload attacks myself. I am on "Type Filters" have found an extension that I can upload, and I have removed the whitelist filters but after uploading and browsing to the page I get an error that the file cannot be displayed because it contains errors.
Question: Is there a reason why after 10:30am Eastern Time I start having issues with spawning the targets? I have seen this happen for the last 3 days.
I have refreshed my browser and I have refreshed the page but I still am not getting through to the target. I even do a simple curl -v http://<target ip>:<target port> and I get "trying" followed by "failed to connect"
I have even tried to refresh the target and still no luck
Im afraid I have no answers for that . Definitely a question for the admins
I've been having some trouble with Docker targets, typically i have to respawn them a few times
Something that is popping into my mind: Is there a preferred browser that we should be using?
I use strictly firefox
Ok that I will try and see, I appreciate the help!
Ok so I have the Docker target spawned and I can communicate with it, now I am having issues with one of the commands in the Web Requests exercises
curl -s http://139.59.167.115:31487/api.php/city/london | jq
which returns:
bash: jq: command not found
(23) Failed writing body
Am I doing something wrong
password = ||Never gonna give you up
Never gonna let you down
Never gonna run around and desert you ||
jk password is in the creds file on the desktop
thank you can you tell I am a newbie to this
lol no, that question gets asked all the time
thank you so much, now I can keep working on the Web Requests exercises
PS: Might someone think about putting that piece of information into that exercise - ensure you install jq on your terminal
@livid pier did you get your scan done last night?
its still going
holy cow
is there a windows cmd line command to download accesschk? Its not on the machine i spawned and need it to get the flag
but also don't have internet access on this machine
@slow venture which section is that?
thank you 🙂
We back!
@livid pier hello
Hello!
woohoo
Ngl I thought it was a Russian cyberattack
Not yet
its coming tho
What are we gonna do during the dark ages?
Imagine spending a year to learn cyber security then we lose the internet for a year
If I can't survive without discord and Spotify for one hour, then I would be screwed in an actual cyber attack
Anyone able to give me some assistance on Web Attacks Skills Assessment? I'm able to enumerate all of the Users and their Tokens but not sure what to do next. I believe I need to reset the password for an Admin user, but I can't figure out which user is an Admin.
You find the admin?
Sorry just read the second half
You are right, read that list close there is an admin there
I haven't. I was using a list of numbers 1-100 for the UID's in burp intruder , so in the response I can see usernames, employee full name, and company
But nothing stands out as to which user is an Admin 😦
@livid pier 😭 same
NOOOOO!!!! lol
:/ stupid Putin
initals AC
It happened to me too
@livid pier Is it cool if I DM you?
Hi do we have some moderator who can I ask DM about one module ?
@unique valve is good
lol ok
hi
Bro i did it without jq 🤣 its more difficult but if i can, you can, keep going
Some one knows there is any problem with the platform? I try to "curl http... -X POST -d "serial=you_decoded_output"
And i get curl (28) Failed to connect to IP Port
Yo you got any tips for getting the tomcat part.
hi everyone + 0 What Group Policy Object is created when the domain is created?
any one have solved this in INTRODUCTION TO ACTIVE DIRECTORY module
What section?
anyone doing Secure Coding 101: JavaScript assesment?
i used xfreerdp /v: (IP-Adress) /u:htb-student /p:Academy_WinFun! still it didnt wanted to work
Hi
I'm currently at Module 35 at Web Requests (GET)
This shouldn't look like this, should it:
Tried both chromium and firefox with no success
Can't find the section. Can you make sure the name of the module is Web Requests and the section is Get Requests?
Here is the URL, I think that's the easiest way ^^
https://academy.hackthebox.com/module/35
Ok then it seems to be just me... strange. But thank you for the image
I am currently on the brute forcing skills assessment (website). i got the first flag and im trying to brute force the admin login form. I understood that the user there is not admin but a user I discovered before (there are not many in this module anyway, so I added them all to a user.txt for hydra). I adapted the fail string and the user/pass fields but I still don't get a matching login anywhere. I would be happy for some pointers 🙂
thanks mate 🙂
hi, I'm from Brazil

DM me and I will help you
💪 Who is ready to pown some modules today?!
yo me
Anybody explain the host client to me?
Im doing NFS install
on fingerprinting module
On the Host
On the host server, install the nfs-kernel-server package, which will allow you to share your directories. Since this is the first operation that you’re performing with apt in this session, refresh your local package index before the installation:
sudo apt update
sudo apt install nfs-kernel-server
Once these packages are installed, switch to the client server.
On the Client
On the client server, we need to install a package called nfs-common, which provides NFS functionality without including any server components. Again, refresh the local package index prior to installation to ensure that you have up-to-date information:
sudo apt update
sudo apt install nfs-common
Is PWNbox the host or the client?
I believe the PWNbox is the host
Throughout this tutorial, we refer to the server that shares its directories as the host and the server that mounts these directories as the client. You will need to know the IP address for both. Be sure to use the private network address, if available
Ok i just spotted this.
This leads me to think its the opposite.
I don't have much experience with this but with SMBClient. the side that shares its directories is the target,
Can any one tell me the password for the parrot box ?
it's on the desktop
help
i just spawned my linux machine but it didn't start
so i reloaded the page
and now i have 0 spawns left and the machine didn't start
why))):
free users are only able to make 1 spawn
ik ik
but i had on bc i didn't use mine today
but it never started and my spawn is gone
wwhyyyyyyyy)):
chat with the support team i think it might help
oke :/
Just pay. you will end up buying anyways
Footprint Module NFS tip
The first code to run before you start the lesson.
sudo apt update
sudo apt install nfs-common
Hi, I tried several different ways to find users in the Remote Management Users group and failed. Did you manage to find a solution? - anyone else out there find a solution to this one? (PowerView - enumerating groups task 2)
@hazy grotto How you doin 😁
Hey there, I'm a lil stuck in Getting Started -> Public Exploits. Is the search via nmap supposed to take like 45+ Min? I need to add the tags "-Pn" "-p-", or else it tells me that the host website may be down. Any info on this?
I'm in Linux Fundamentals Module 18: Filter Contents and I was doing the cURL question for finding unique paths. I wasn't able to figure it out so I looked around and found a line that went like this: curl https://www.inlanefreight.com > . . .| cut -d"'" -f2 | cut -d'"' -f2 | . . . (I cut most of it for spoilers) while I was able to find the correct answer with this line I found I cannot for the life of me figure out why would " be the -f2 in href="https://www.inlanefreight.com/" can anyone shed some light on this?
@paper python Yes, adding the -Pn option might be required if the target is blocking your pings. And adding the -p- option makes it scan all 65,000+ ports so it typically takes a very long time.
@versed iris So if " is the delimiter, Field 1 would be: href= and Field 2 would be https://www.inlanefreight.com/
That makes sense, thank you!
Let it run through, the targets time is over before the scan is even finished
@paper python You actually don't need to scan all ports. For a typical nmap scan most people just use -sC -sV. For the "Public Exploits" section in particular, you will just want to try and exploit the WordPress plugin that is displayed when you navigate to the target in your browser
So in your case the -p would be 30511 right?
Yes if you wanted to nmap scan that specific port. But I don't think its even necessary. Can just copy paste the target:ip into your browser and then go from there
@mortal basin Hey I was wondering if there had been any word on the completion of the Bug Bounty pathway / Certification. Loved the current material and am eager to jump into the last 3 modules. Thanks!
Stay tuned.. coming very soon 😉
we want MOAR CONTENT!!!

Thanks for the help! One more thing, do I need to make use of the PHPMailer in any form to get to the solution?
well damn, got stuck on the filepath...
Hey friend!. I've noticed when i have better internet things work alot better. 🙂 I just completed the NFS section of footprint. this module seems to be quite difficult for a beginner.
How are you doing?
@hazy grotto I am doing good! Seems like you have become much better at hacking recently!
2 more things
- you just used the filepath mentioned in the question right? "/flag.txt"
- how did you know that you need to use the simple back up file read? just experience, or was there a way to know that otherwise?
Well the plug-in on the wordpress site was "Simple Backup" so I figured I would try a corresponding metasploit exploit
...... yup, thats never gonna happen to me again. gonna scan the whole site next time
been stuck here for 2+ hours, thanks!
Firewall and IDS/IPS Evasion - Medium Lab & Hard Lab don't seem possible
@errant ivy Actually this is probably too spoilery , feel free to DM me
Noob question: what am I doing wrong here?
"Perform a WHOIS lookup against the paypal.com domain. What is the registrant Internet Assigned Numbers Authority (IANA) ID number?"
Information gathering -Web edition module
Looks like you are doing it right. Maybe try using sudo? Not sure if that would make a difference though
Weird. I did the same thing on my kali Linux machine and it worked fine
Very odd issue
So after doing the: ATTACKING WEB APPLICATIONS WITH FFUF module I am very confused with virtual hosts. I'm looking for someone to explain or point me to a resource explaining why when I have "[ip] academy.htb" in my /etc/hosts file I can't visit academy.htb/admin/admin.php but when I append "[same ip] admin.academy.htb" to my /etc/hosts, I can visit admin.academy.htb/admin/admin.php .
Wouldn't these just resolve to the same ip and therefore trying to reach the same page? I see the line "VHost is basically a 'sub-domain' served on the same server and has the same IP, such that a single IP could be serving two or more different websites." If that's the case then how does a DNS server know what site to send you if they resolve to the same ip? Thanks
Anyone able to give me a sanity check on Server Side Attacks "Nginx Reverse Proxy & AJP"? I am editing the nginx.conf file but have no idea what I am doing wrong.
Edit: Solved
have you figured out how to solve it? i could use a nudge in the right direction
how would you add a subdomain to the /etc/hosts file? like i know you sudo nano but what would the subdomain look like. im kinda confused
I like GoBuster better #ChangeMyMind
haven't had the chance to use it yet.
FFuF output looks like just a bunch of vomit in my terminal
lol yea i feel ya on that one.
you can put them on the same line too
Hi
can someone help me figure out where to inject code in the command injection > skill assignment?
look around the functionalities, specially how to copy/move files.
People, I am stuck at the Firewall evasion challenges of the NMAP enumeration modules. Is there some who did this module and is willing to help me? I don't know which commands I should use to get the right result. I already tried a lot,
been doing that, i read that you will get a "malicious request" rended on the page when you find it but i cant get it anywhere.
did you found the copy file functionality? if so, try to imagine how it's working on the backend and you will get it (check the request which copies a file from one folder to another and see what query params accepts) 🙂
In the XSS skills assessment I can only post one comment (preview only), subsequent comments don't get posted at all and I have to reset the instance. Is this normal?
you sure copy is the injectable one? when i try to ||move a file to the tmp folder, that is already there|| i get the malicious request because of the ||/ is the url that is generated by the server||. Ive been toying with the copy and i cant get anything, i understand how it works, heck i could even write the code of it cause its so similar to the host check that was present in the module, but i cant add a command to it for the life in me
where exactly are you injecting the command?
i also faced some issues
Did you find a way to complete the task anyway?
yep
ok thanks
hey guys. How can I find the most common password in a file (is separated by \n paragraph) ? I have searched but cant find a command that works (normally crop at a special char)
like this
as you can see the command doesn't work well
on which module
CRACKING PASSWORDS WITH HASHCAT - Skills Assessment
Resolving the last question
sorry i haven't done that
@acoustic owl will help u
This question?
After cracking the NTLM password hashes contained in the NTDS.dit file, perform an analysis of the results and find out the MOST common password in the INLANEFREIGHT.LOCAL domain.
all the passwords are unique
?
First, crack the passwords with Hashcat in the file DC01.inlanefreight.local.ntds.
Then create a report with dpat.py.
hey all, I keep getting access denied errors for the windows priv esc - windows built-in groups module. Did anyone else run into errors even if in whoami /priv, SeBackupPrivilege is properly enabled?
trying to share an image but discord wont let me. the error is: Copy-FileSeBackupPrivilege : Opening input file. - Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
nvm it decided to work now
at the end of the URL
check the hint.
no problem 🙂
┌──(kali㉿kali)-[~]
└─$ hydra -C /opt/useful/SecLists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt 64.227.39.88 -s 31960 http-get /
Hydra v9.2 (c) 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-03-10 10:34:15
[ERROR] File for colon files (login:pass) not found: /opt/useful/SecLists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt
Does anyone know why this is happening?
Is hydra broken?
does anyone know how to get the admins email for the imap module
hi all, Long awaited (sorry!) but I've updated the wireless cracking section in the Cracking Passwords with Hashcat module to reflect mode 22000 and using hcxpcaptool vs hcxcapngtool ... if anyone else had noticed issues with this section that I missed, please DM me
You can reach support by opening a ticket on the HTB website
Solved with bash?
@rustic sage DM me if you still need help 🙂
@pulsar elm Check this: #modules message CC @acoustic owl
Hey, did anyone have this problem or know how to fix this? I got this error when doings the windows priv esc - dnsadmins module Command failed: RPC_S_SERVER_UNAVAILABLE 1722 0x6BA
@errant ivy Just tested on my VM and it looks OK
Your command looks correct. Maybe retry spawning the target? I've had some issues with Docker targets not spawning properly.
Are the instructions correct for the DnsAdmins section of windows priv esc? Everything seems to be working but when I try to navigate to the flag i get access denied

@slow venture I actually had to use a reverse shell .dll
🥲
hey man can you help me a bit more, i am using this payload ||index.php?to=tmp&from=tmp${PATH:0:1}51459716.txt$(tr${IFS}'!-}'${IFS}'"-~'<<<{{)${IFS}wh"o"ami&finish=1&move=1|| and i dont get any output, only a blank error ||Error while moving:||
When i used something like ||c"a"t%09${PATH:0:1}flag.txt|| i get a second error for cat and a permission denied for the flag.txt
Which section is that?
||try with 'to' , not from (as i said earlier try to imagine how the command will look like)||
missed that, i was so focused on the parameter i tried cause that was where i got the error first
thanks, i feel dumb now haha
The error indicates that your text file is not found. Check the path to make sure it is correct. On my Kali VM I dont have an /opt/useful directory.
@lethal atlas It's a Pwnbox thing. They have seclists in a weird location.
Thanks
Yeah, I know on pwnbox they have that folder, but still think he should check the path and make sure its correct.
haha no worries, glad it worked 🙂
yes but didnt get it why it wasnt working
didnt worked
don't use ever --force. Put --show instead
run hashcat w/o --show and you'll see that you don't get the results. you need, therefore --show. and --force is meant only for devs. @pulsar elm
I use --force because with it doesnt work
I am just saying things over. #starting-point message
Thanks. I have tried to search but couldn't find the answer why it only works with --force
maybe @paper gust can help here...
sup
oh boy
@pulsar elm what runtime do you have installed?
hashcat clearly doesn't agree with whichever one it is
hashcat -I may give you more information if you dont know
also, to clarify, @rustic sage is correct, you should never run with --force
if it's not working without it, then you need to try to solve the problems elsewhere, by fixing or installing proper runtimes for example
If you run it in a VM then it might not work,I am running it on my pc in a Collab
Google hashcat Collab
that's another way to do it
it is not in VM
It is my laptop OS
1, that version of hashcat is several years old
so you should definitely update that
2, what compute devices are you trying to use?
There is a command to update it?
pull either the release from our website, hashcat.net, or you can clone and build from the github, github.com/hashcat/hashcat.git
compute device?
yes, what hardware device are you trying to have hashcat use?
it needs either a CPU or GPU to use
and the runtime you need to install will depend on what device
well... I haven't chosen
you will need to know which one you are going to use and install the runtime/drivers for that device before you can run hashcat
whats the difference between cpu and gpu usage?
the difference is which device is being used
GPUs tend to be faster
but you need to actually have one for it to work, and if this is a laptop that may not be the case
(*have a discrete GPU, integrated are often buggy)
Anyone got time to help me out a bit with the File Upload Attacks module? Stuck on the self-assessment
How can I install the runtime?
well first you need to know what hardware you have
@plucky nimbus Feel free to DM dawg 🙂
I am having some trouble with the linux privilege escalation module, section 'privileged groups'. Doing the privilege escalation was easy. The hard part is finding the flag because I am having difficult understanding the instructions. I have been stuck on this question for quite some time so I would appreciate the help. Where am I supposed to be looking for the flag?
you find it?
No. I don't know where they want me to be looking for @livid pier
k i havent done it but
it looks like first step would be use the groups command
that will tell you the groups your user is a part of
I am part of the root group it looks like
ok
one sec let me check my notes, i had to use a similar command for my last box
use that second command
find / -group root 2>/dev/null
maybe pipe that with grep and flag.txt
full command would be
find / -group root 2>/dev/null | grep flag.txt
whoops no network
@livid pier @west canopy Thank you guys so much! I was just manually searching random locations for the longest time
🤣
@west canopy to save the day
lol ya dont do that
you legit have the power to not have to do that at your finger tips
Manually enumerate the entire file system? Sounds like something i would do.
Hi, can anyone help me with FILE INCLUSION / DIRECTORY TRAVERSAL Academy Skills Assessment?
I got RCE, but seems like don't have permission to list /root.
LINUX PRIVILEGE ESCALATION - Skills Assessment
I am able to log in the tomcat manager with "tomcatadm" cred but did not see any useful information for me to escalate permission to read the flag4.txt in target server. Anyone can give me some direction or hints ? Currently stucking reading flag4.txt
Is it actually possible to play trough all modules from academy without paying IRL?
(paying for cubes)
In broken authentication skill assessment there is rockyou.txt mentioned in introduction, I'd like to know if my regex for the password format is correct, any hints?
dm me ur regex
Anyone know what this module is that's appeared under the Junior Penetration Tester pathway? It can't be accessed whatever it is
Hey beautiful people: why I can't ssh into my target machine it just keep looking then say times out when I use this form "ssh htb-student@x.x.x.x"
Are you connected with VPN?
How?
I just open my terminal and typed the command
Thanks already downloaded it but I have no idea what next?
Connect with VPN
sudo openvpn academy.ovpn
Really appreciate it, but how on earth should a newbie non-native English speaker knows???
There is a module "Getting Started"
Work your way through it. A lot of things are explained there.
My native language is also not english
hello guy
good morning
some help
What is the FQDN of the IP address 10.10.34.136? /What FQDN is assigned to the IP address 10.10.1.5? Submit the FQDN as the answer.
for sure im wronging something
good morning
Which module are you in?
In the question before, you had to answer how many zones there are, right?
yes
List the content of all zones, then you can see all domain names.
but is not in the list this ip
List all domain names from all zones and then look at the list.
You will find both.
i miss something
feel free to DM me
thanks
Hey heroes again, what is the initial password for my pwnbox ?
When I try using sudo it prompt me with password
Credentials.txt on the desktop
Oops!
can u imagine this newbie is gonna be junior hacker 😥
it's fine 😄 you can't know what you don't
anybody can help me in Linux priv esc module? It is a general question: Once you got a reverse shell, if you cannot display any shell error, how can fix it? I tried to upgrade shell via python but it is now available. thanks
which section question you asking?
I am in linux priv escalation (Assesment Skills. Flag 5). I got a shell with tomcat but any command that reports an error is not showing. It is a bit harder to figure out a possible solution. Usually if I upgrade the shell the problem is fixed. But in this case I cannot. I guess I am inside a container and the features are very limited.
Hey, I also stuck at this flag5, maybe this link will give you some hints I guess, just still figuring out the way. https://forum.hackthebox.com/t/linux-local-privilege-escalation-skills-assessment/3883
guys some hint for information gathering-web edition on active subdomain ....the last question Submit the number of all "A" records from all zones as the answer.
thank you. Before checking something I want to try harder. For the moment, my question was about upgrading the shell
Any hint skill file upload attack
I found bug xxe and i can read source code but i can not upload shell
i find alone
working on the same issue. I can upload and found the directory but cant find the file
Is your reverse shell have a button "run" to execute one time command and did not return error result?
Appreciate if you can provide hints and direction to me once you pass flag5
No, my reverse shell it actually a shell and it works fine. It is just this little issue. MAybe DM for more.
I used dig.
and your looking for a unique subdomain
the same one you used in question 3
Try to update any city's name to be 'flag', and then delete any other city (including any cities you added). Once done, try to search for a city named 'flag' to get the flag.
admin:164e556082000000c759cca474a85915261a855dd714bcabbeb478c8b767c2785a0f0a9d41cb7e70a123456789abcdefa123456789abcdef140561646d696e:f5cbd757c21ebeeeb45297cede4503e9e4a6bd90
what hash type is this guys?
MD5?
unknown hash type. But its too long for MD5
Why my target's time left is running way too fast?
Usually you know the hash by the context
Is this an academy module?
yes
im struggling to crack it its from the Footprinting IPMI module
i believe its sha-1
how to update the city name
using cUrl
| Operation | HTTP Method | Description |
|---|---|---|
| Create | POST | Adds the specified data to the database table |
| Read | GET | Reads the specified entity from the database table |
| Updated | PUT | Updates the data of the specified database table |
| Delete | DELETE | Removes the specified row from the database table |
slash/hello
slash/hi
hello
What is the account's cleartext password?
