#modules
If you can use the metasploit module, it’ll run the hash through a known IPMI wordlist. Probably root:calvin. But use the metasploit module if you can.
its admin and it doesn't find the password
This doesnt help you?
take the admin: out
then run it in hashcat it will crack in 5 seconds
hey, where does secretsdump.py sit in the windows boxes? I can't find it to run the command
@slow venture its part of the impacket suite
um.. could you explain more? When i run it in cmdline it says that its not recognized as a command. Do I need to be in a certain directory? in PS? Running as admin?
oh wait
no still confused
@zenith schooner for flag #5 you will need to upgrade your shell, and then use the busctl GTFOBin
where am i able to use crackmapexec locally @west canopy ? Getting command not recognized for that one
@slow venture you might need to install it if your terminal doesn't recognize it as a command
My native language is also not english and it's not that easy to understand everything in HTB Academy but I'm trying my best. Personally I think, English is one of the important skills if you want to learn hacking
me too, its a stupid language
kansas -- arkansas
@livid pier Random question. My pwn box isn't working . Is it working on your end?
I use kali
Me too but I don't have my laptop with me :/
Cool. Got it to work on my end. It was probably not working because of all the security extension I have on firefox 🤣
How do you change directories in an smbexec shell? I get the error 'You cant CD under smbexec. Use full paths."
and not sure what syntax it wants 🙂
i used
```
ERROR 1222 (21000): The used SELECT statements have a different number of columns
```
and questions is
Connect to the above MySQL server with the 'mysql' tool, and find the number of records returned when doing a 'Union' of all records in the 'employees' table and all records in the 'departments' table.
and ive tried this
```
UNION SELECT * FROM employees AND departments;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'UNION SELECT * FROM employees AND departments' at line 1
```
Has anyone done the windows privilege escalation - vulnerable services module? I have used the Set execution command but it still restricts, can anyone help me with this? 🙂
@stiff stream not sure if this helps but this is what I have in my notes
can someone help me here ? I dont get it 😄
You have 95% of the answer right on your Desktop actually :p
you found the flag :-p
I'm faster 
corey
yeah but whats the once like xD
can u help me out with SQL?
Do the two tables have the same amount of columns ?
(tips : it's a condition to use the UNION operator)
no
thank you
for helping me outž
out*
Jared gave a pointer you must thank him instead of me 
@west canopy mind if I dm you?
sure
Finally got it haha should have double clicked on it to see it 🤣
Question is there any particular order to start the modules on the path
@opaque marlin If you check a module before unlocking it, it usually says what the "recommended" completed modules are before you start it.
https://academy.hackthebox.com/module/49 when i try to spawn my target instance it says
Error
Request validation failed any tips?
tried refreshing logging in and out and pc restart
subscriber or free user?
free user
free users are only able to do one spawn
yeah but it says 1/1 spawns left so no idea if it's that
ok then contact the support
they will help u
thanks
Hi I'm new too
Hi, for Word Press Assessment, does anyone get this error when trying to update the theme? Unable to communicate back with site to check for fatal errors, so the PHP change was reverted. You will need to upload your PHP file change by some other means, such as by using SFTP.
hello , i hope you're all doing well so...
i have an issue with the module "Getting Started" specifically with this "Knowledge check"
which i could pass this login page i found a user
and i hashed the password but after i logged in there's a problem with upload files button in the page so why can i solve this?
otherwise i did and i submitted the flag using a metasploit module . but i'm still wondering how to do it manually
Hey!
has anyone here done the LFI/RFI module ?
i'm struggling to accomplish the final assessment
could anyone gimme some help?
🙌
my rdp session for the windows server is too big and i cant get to the start bar, but it won't let me resize. How do you fix that? lol
ah ha found a work around
hi - if the remote machine allows it, then tagging /dynamic-resolution onto the end of xfreerdp connection command may allow the remote terminal to be resized.
Hi all, I am completing the DNS footprinting section in HTB Academy and I cannot seem to get what they are looking for. I have tried enumerating subdomains using a variety of wordlists and a variety of command line tools. I can't seem to find the A record for the host that ends with 203. The hint states that not all wordlists are the same. I am stuck. Can anybody help me?
You need to find all zones
Once you have found all the zones, you can play with the word lists to find the right one
Thanks for the hint
Have you found what you were looking for?
I need a nudge on a module. I've been stuck on the skill assessment for the linux priv esc module. Trying to get the contents of flag2.txt
The hint is "Users are often the weakest link..."
_< dont make fun of me for being stupid lol
@raven cairn try looking at the .bash_history file for a clue
Thank you so much! This module can be a little tricky.
Now i just got to get flags 4 and 5 😭 . This module has many tricky questions.
Sometimes if you are stuck just take a 10-15 mins break, make a cup of coffee, take a poop or go for a walk that will help 😉
In this order? 🤔
I’ll make sure to poop some more
PowerView Module > Skills Assessment > Find a non-standard share on the ENUM2-DC01 host. Access it and submit the contents of share.txt. any help pls
correct sir 😉
hey anyone mind giving me a hand with the 'hashcat' module question???
What question?
What section?
im on the Cracking Common Hashes page and i cant seem to crack it
I dont have access to a computer right now but I am very familiar with the module so I will try to help
can i pm you?
@ruby sapphire Yeah.
@livid pier @west canopy @rustic sage I’ve been trying to help this poor child on the hashcat section but I dont have access to a computer. Could you possibly help him out? I have to go to work : (
really stuck on the file upload assessment. straight up don't even know where to start. i've fuzzed file extensions and content-type headers but they all return the same page that says "Thank you for submitting your feedback". pretty sure it has something to do with the fact that these are GET requests now and the whole module was using POST requests, but honestly i'm missing something here or don't know that a technique i need to use is possible.
still stuck
yep 0 progress so far.
dm
Just did it. Worked for me. @ruby sapphire
@ruby sapphire
Awh I didn’t have that rule set when I ran it
That IP does not respond to ping.
as long as you have an IP for Tun0 you should be good when you spawn a target
???
i respawn my target many times but it's still not working
what do you get when you run ip a
what module are you working on?
windows fundamantls
Windows Fundamentals
this one
which section?
second
i was trying to connect to windows target but ip is not working i respawn it many times and download vpns many times but still not working
no it doesnt reply but xfreerdp connects just fine
xfreerdp /v:<Target-IP> /u:htb-student /p:Academy_WinFun!
@onyx wasp on some targets ping will be disabled. Particularly on Docker targets
??
docker
ooh yeahh i have docker in my system
should i stop it ??
No, basically whenever you spawn a Target in a module, it will be either a VM or a Docker instance.
You can usually tell because it will be a five digit port number.
I have docker running on my own workstation too . it shouldn't affect anything 🙂
i m doing this module and i have only ip
ooh okiee
so wt should i do now
it's still not working
Are you trying to connect with xfreerdp?
yeahh
it shows this
Yea that doesn't look good lol
lol yeahh
it's waiting for too long
First I would probably try and connect through the pwnbox to see if the error persists. Or maybe try respawning the target if you haven't already.
i already tried it bro i redownload or restart my openvpn but nothing works lol
and now it's not even pinging
it's stuck here
Sir have you tried ping -c option?
ooh wait
-c it's for counts
and it's not it won't do anything special
but i tried it and still same problem
did you try the xfreerdp command I gave you?
yeahhhh
i tried
bro
i knew that command before u told me and i saw that command in that module too and i tried it too many times
and? you have never shown output from that command.
=_= really bro should i give u my ip wt if u start hacking my after connecting htb academy vpn ??? should i believe u lol ??
and yeahh one more thing
see this y docker is not getting uninstalled
??
docker command is working even docker is working but it is not showing any thing about docker if i use dpkg -s or dpkg --list
but when i locate then it shows docker files
even i purged it
I dont mess with docker. but does apt remove docker not work?
i used that command it's not working not only in docker on anything
you used auto-remove
i think there is something wrong in kali 2021.3
yeahh i m still using old version lol
I havent experienced any issues.
any issues really ??
well, I dont get a response from ping but I can connect with rdp soooo
lol
that's weird
i m not able to connect to rdp and not getting any response from ping
not really, its common for servers to disable icmp responses
This might sound silly but I would try restarting your router. I had problems on Windows Priv Esc where it wouldn't let me download files to the target, but restarting my router fixed it.
ooh okiee
wait
man if nothing else try it from pwnbox. I just did it there and it worked fine.
wow it's working in pwnbox but not in my system why lol
dude this file upload attack module can kick rocks. either don't have the mime right, or i get a 500 error.
aaaaaand the server just timed out for the 4th time tonight... time to call it before this PC goes through the window.
??
@sullen hill I have notes on that module so if you're stuck feel free to DM me
I believe in you!!!! 🙌🏻
I had issues getting the magic byte formed correctly
Good morning everyone ☕
Hi is anyone done with Using Web Proxies module?
Which section?
Hey 🙂 I am doing the 'Web Attacks' module and I am kinda of stuck on the second question 'Bypassing Security Filters', it seems that in order to bypass I should change the http method, I've tried them all and only 'HEAD' does not return 'Malicious reqesut denied!' , but when I reopen the page the injection ('file; cp /flag.txt ./' ) is not working and there is no flag? any ideas
the interception responses and automatic modification section
I'm not sure how they manage to display the html content
You mind DM me?
sure man
I am working on the file upload module, and i seem to be stuck on the content filter section. i can upload files, but none are interpreted as php code
edit: turns out it was working the whole time, i was just not trying the right thing to get a response
I'm working on the labs of the privesc module, in credential theft, I've found the file for the first question I think but it's not working, I'm pretty sure it's the right password tho, already tried a reset
Hi all. I realize I'm asking this in a HTB discord, but is the academy worth it? I'm new to the site and HTB itself has been pretty good for me.
sure 🙂
you can enroll all fundamentals module for free (cost 10 blocks and unlock 10 blocks after finished and you have 40 blocks when you create your academy account)
Nice 🙂
100% worth it!!! I am not sure what plan is the best for you, but as @heady nova mentioned you can get a lot of stuff for free
@slender kayak Definitely worth it
@signal topaz Dm me brother 🙂
@silk aspen feel free to DM too!
Found it 😅
Heck yea!
@sullen hill Verify bro :/
Nice!!!
Cool cool 😎
hi i working on the htb Academy module http Request so the Question is "Send a GET request to the above server, and read the response headers to find the version of Apache running on the server? (answer format: X.Y.ZZ)" the answer must be 2.4.29 is in the get request but it doesn't accept it any ideas?
@olive gorge
thx!!!
I Will recommend to combine htb with thm
yeah, thm teaches the basics a bit better in my opinion but htb academy goes more in depth
THM is Super Mario Brothers, HTB is Dark Souls
Anyone have any ideas on how to troubleshoot this? I'm not able to import data into bloodhound.
I think the ps script u used and latest bloodhound doesn't support it so use the sharphound.exe file to generate the zip and try to upload it
@graceful coyote Ah Gotcha. Thanks for getting back to me. I was able to import it into Bloodhound on the Pwnbox, so only a minor obstacle 🙂
I have a question about the "Linux File Transfer Methods" part in the " File Transfers" Module. I have uploaded the .zip file to the target machine with the following command: curl -v -F filename=upload_nix.zip -F upload=@upload_nix.zip http://<target IP>
After that I SSH to the target machine, but I didn't find it. I looked up in the /var/www/html folder, but there wasn't anything and it looks like that the file isn't on the machine. Has anyone any idea?
Anyone got time to help me out with the Shells & Payload module? Metasploit is throwing me errors and i want to see if its from my end or the exploit is just not working.
Hello everyone any hint login brute force skill assessment service login
@jagged zenith question 1 or 2?
1
Not this skill assessment service login ,
Oh my bad
This is website skill assessment
DM me
That confused me too. It's from the previous section:
You will want to create a custom username list, a custom password list with cupp, and then enforce complexity rules using sed
Thank you
Why is the answer not correct?Module--> INTRO TO NETWORK TRAFFIC ANALYSIS
Section--> Interrogating Network Traffic With Capture and Display Filters
Questions--> What are the client and server port numbers used in first full TCP three-way handshake? (low number first then high number)
My answer: 80 53 443
@distant cradle Isn't it supposed to be two ports only instead of three?
sure?
The question reads so
@distant cradle They are looking for the Port numbers used by the specific two machines that are connecting with each other. So one of them is going to be an ephemeral port, and the other would be something like 80 or 443.
I'm losing my mind here. I cannot use sudo because I do not know my password. I might just be straight-up stupid but I can't continue with these modules if I can't use sudo. Any idea where to find the password?
@ashen flower Check the desktop for a credentials.txt file
@west canopy Thanks, brother
anyone solved the nmap module hard lab can DM me and help me figure out what it is I am missing?
@pearl torrent DM me bud 🙂
anyone else stuck on the brute forcing assessment on the website portion:?
i've set the parameters and what should be the failure indicator, but i'm not getting anything
Question 1 or 2?
Check what I highlighted in burp suite, for the username and password the parameters are "user" and "pass", and then fail statement will be "log-in"
yeah, that's what i have
Does your command match mine more or less?
ugh...i had the wrong url
Guys I need help.
Hashcat module, Working with rules section
I tried cracking the hash with correct rules and rockyou.txt but hashcat response with "exhausted" everytime.
welp...i am not in the mood to do the password profiling part. so i'll pick this up another day.
@manic zealot
@west canopy
Yep your rule is a little off. You want to append 2020 to the example rule provided earlier in the section. So it's not just "2020".
Oh I see, thanks a lot man
pwd
nc
hello, I have some troubles with **SHELLS & PAYLOADS**, on the section Infiltrating Windows
and I have done 1/3
these are the questions
Anyone help me with last question on BloodHound skill assessment: find the percentage of users with a path to Domain Admin? Thanks.
what are you having issues with?
what do you mean? I cant find the answer, can you help me?

ok the answer for the first question is in the module.
and to get the answer for the third question you had to use the answer for question 2
so what exploit did you use to get the flag?
I closed my pwnbox, and I forget which one. Can I send you in dms later? @lethal atlas
Yes
@stiff tiger Sent you a DM dawg 🙂
looking for a bump with intro to bash > Conditional Execution. Please DM me if you can and want to help.
Can anyone help me with this question on the Information Gathering - Web Edition module, i tried what the module says about nameservers but the servers im getting are not the answer
whatweb
wdym
@plucky nimbus
you can also use whatweb -a 1 https://gear.githubapp.com -v
I sent this to a friend of mine but I figured you guys could help as well.
What's going on with me unable to use vimtutor?
@ashen flower try running: sudo apt-get install vim-runtime
Installed (properly?)
Honestly i've never used vimtutor so I'm not sure what it's supposed to look like
Eh, its whatever I already completed the next module.
Hi there. Has someone finished the module "FOOTPRINTING"? I am stuck in a few sections. Now in the section IMAP/POP3 with the question "What is the admin email address?" and find for a flag inside IMAP. any help? thanks in advance
Connect to the IMAP server with a mail client of your choice. Then you can read the emails 😉
Beginner level university student here; Working on the 'paper' box and have a few questions if anyone has any spare time to lend an ear. Much love!
@swift trench you probably want to check out the "Boxes" room on HTB Discord if you haven't already (this room is primarily for discussing modules on the Academy platform.) Also I would suggest checking out the forums, there should be an official thread there for the Paper box 🙂
Thanks you're the best!!
Hi, i'm sure this has been asked but I can't find it. Is there any roadmap detailing the timeline for when modules are targeted to be released? I'm looking into the job paths and I see a few interesting modules that are listed as coming soon but I'm not exactly sure what soon means in this case.
Soon. Really soon
like really really soon
Awesome, thanks
ITs a bad joke, we keep asking and thats the answer we get
hi, can anyone give me a nudge for the following questions in the module, Active-Directory LDAP:
Credentialed LDAP Enumeration - What is the password history size of the domain? (How many passwords remembered.)
Skills Assessment last qn: What non-default privilege does the htb-student user have?
I love learning hacking, I didn't know about htb academy but i recently found out they have courses...
I am already learning the Linux fundamentals course even though I know 60% of it...
What course should I do next?
i am new to hacking i got this while i was roaming in discord. so, which courses should i do as a free user?
All the Tier 0 courses are free basically, so take your pick
yo 🙂 can someone check if I got the correct password list for the 'Skill Assessment - Broken Authentication' ?
Hey guys, hows it going ? Can someone help me out with this? So Im trying to get the 'flag' folder from the user bob but when connecting I get this error message... can someone explain me what Im doing wrong ? 😄 thx
hey 🙂 you can check this video:
https://youtube.com/watch?v=tDbVw6uGx8g&t=345
00:00 - Intro
01:00 - Showing why we should run NMAP as root or sudo.
04:40 - Running nmap to see only SMB is open, start a full port scan and move on
05:45 - Enumerating SMB (Port 445) with CrackMapExec, SMBClient, and SMBMap to explore how each program works
08:20 - Running SMBClient to mount the share
09:20 - Installing CIFS-Utils so we can m...
I just finished that module. Not sure I can help, but you can DM me if you are still stuck.
Will do once Im home, thanks mate ! 😄

@molten cove DM me if you still need help with AD LDAP 🙂
hi to all/ Who can help me with module Cross-Site Scripting (XSS) - 'Try to use XSS to get the cookie value in the above page' I can't figure out what the link should look like. There is no example in the module itself, there is only a phrase that the task is similar to the previous module. But I don't have enough knowledge.
For a week now I can't find examples or resources where it is explained in a simple way. What is in the mind of the course developers if they give a task on tier0 that assumes knowledge of html, css, syntax?
http://64.227.39.88:31820/index.php?task=img src=/ onerror=alert(document.cookie) - how to connect it all without knowing the syntax?
@rustic sage which Section is that from?
Cross-Site Scripting (XSS)
Hi, can you please help me with a question regarding the Academy Windows Priv Escalation section, in the SeDebugPrivilege exercise, the exercise is simple, but apparently in order to practice it, SeDebugPrivilege rights must be enabled for the user "jordan" and the guide indicates how, but to do it you must change the account to administrator, but I don't have that password, I should have obtained it from the previous numbers or something like that? Thank you.
@raw hornet you should be able to use mimikatz to find the password hash for the sccm_svc account. It took me a few tries, i think i had to make sure procdump.exe , lsass.dmp, and mimikatz.exe were all in the same directory
jarednexgent thank you for your answer, you are very kind, can you please clarify I understand that the idea of the exercise is to log in with the user "jordan" and of course you have that password, then run the whoami /priv command to verify that you have the right " SeDebugPrivilege " and continue with Mimikatz or am I wrong? because when running whoami /priv I only have "SeChange... and SeIncrease..." enabled
@raw hornet Let me check it on my end. Give me a few minutes 🙂
thank you
Correct I must assign as administrator, but I do not need a password for that?
just use jordan's password
when you launch an elevated CMD shell you will see the SeDebugPrivilege
oh with Jordan's ok, I'm going to try it, I really appreciate it, I was stuck so I thought I should have an administrator password for the exercise apart from Jordan's, again thanks for responding and helping.
You were absolutely right jarednexgent, thank you!!!!
bye I will continue with my exercises !
happy hacking 🙂
What are sections? There is an Academy, it has modules, paths. Modules are divided into topics
these things lol
Introduction to Web Applications. it has a theme about XSS injection. I'm sorry that I'm being stupid, I've just started studying, I haven't figured everything out yet
Is the first one introduction?
@rustic sage No worries dawg! I was confused too because there is a whole module just for Cross Site Scripting.
@rustic sage sent you a DM 🙂
I am having problem with the module **SHELLS & PAYLOADS** on the section PHP Web Shells and when i am changing the network proxy settings, I cant reach the targets ip
anyone that can help me?
i am using pwnbox
could anyone help me with the skills assessment in the SQL Injection Fundamentals module? i found a ||db.sql|| file with credentials in it but they won't work in the login page
i am on my kali machine
kinda driving me nuts been on this question for an hour Information Gathering - Web Edition Active Discovery And I'm Supposed to find CMS used for app.inlanefreight.local. I cannot for the life of me figure out how i'm supposed to check that. I've tried whatweb etc and i just get nothing
someone kick me in the face and point me in the right direction but fuck this one has been so frustrating but i know this shits so easy
tilts me
did you check the page manually?
cant connect to the page
did you set the ip address in the hosts file?
do i have to?
(no)
what a waste of fucking time
im retarded
still not able to connect
you are trying to open web.htb. is that defined in your hosts file?
can you ping the ip address listed in the module
are you on the correct vpn?
did the target die? if it doesn't have the remaining time, you need to reset it
if you can't ping the ip address listed as the target, then idk what to tell you to do.
you could try disconnecting and reconnecting to the vpn
yea host is unreachable
okay lemme kill everything again
and rerun it
new ip still down
reconnected to the vpn as well
no connection
what is the output of ip a
why do you have 3 vpn connections active? that may be the source of the error
is this on pwnbox or your vm?
the same issue or something else?
so the rest should work if you fix the hosts file. make sure the ip address you have matches the target on the page
yea just changed and trying
still unable to connect through firefox
ip addresses both match
is web.htb the dns entry it expects?
i thought that was just like our own labeling
isn't it supposed to be something inlanefreight?
oh i thought it was just a labeling thing
not when the server is using vhosts
so when you have multiple vhosts
how does it differentiate between the 2? So like we have 10.xx.xx.xx linked to both app.inlane and dev.inlane
how does it differentiate between naming
or its just like a reference to the "section"
you're supposed to be?
when you send a web request, there is a host header that is sent. The http server (apache/nginx) routes that request to a different virtual host.
virtual hosts let you have separate web roots for discrete apps
you can't access websites with just the ip address when it is using a vhost. sometimes they might route 10.10.x.x to some sort of "default" host, but not always.
in this case, the server didn't respond because you were asking for web.htb and that isn't defined on that server. it's like getting mail without a "to" address
okay that makes sense
i just wasnt fully grasping what was going on thanks for the explanation
yeah, no prob. i totally get where you got that idea, because sometimes it does work like that, but not when there are multiple sites on a single host
Hey can anyone give me a nudge for the Footprinting model - dns section? I'm on the last question for the section
I might be wrong, but I remember that the login request is vulnerable to sqli and you can bypass it using a common trick.
||you can try username: admin' or 1=1-- - , password: whatever||
its what i tried but it doesnt seem to work
hmm do you get an error or?
i just get "Invalid Login"
I will send u DM
I have shown you the complete way. You only have to walk it.
Can someone verify the password list that I am using for 'Skill Assessment - Broken Authentication' ?
Which question are you on?
feel free to dm me
Does anybody have more info on this?
@dapper flare
yeah i tried this before but it didnt work, dnnnt told me to reset the machine
now everything works
Hey guys, first time here for me, I was working on the sqlmap module and i found the flag of the skills assesment. The flag has the right format and is in the right place but is not accepted by htb, what should i do?
check for spaces or extra chars
yeah already did
should have length of 24
it has
the flag i found has a ) before } but there is no ( in the string, i don't know if its a typo, i tried to remove it or add a ( but does not work
hmm there are no ( or )
i can send you a screenshot in pm
hello hackas
I am stuck on the question "Use NSE and its scripts to find the flag that one of the services contain and submit it as the answer." On the network enumeration module and I cannot get past it. I am so confused how I am supposed to find the flag.
Having some trouble with Windows Privilege Escalation Skills Assessment - Part 1. I have the initial foothold on the target and was able to upload the exploit. Was also able to run the exploit but I am not receiving a shell with Admin privileges. A bit confused on where this shell is opening and how can I access it
nice
Hii.
I have one little problem on Cracking Miscellaneous Files & Hashes.
I "reverse" the hash, but incorrect answer. Someone can help ?
||1########a||
You need to submit the flag.txt not the pw
Ho thank !
hi i'm on the Skill Assessment on SQLi Fundamentals, i managed to bypass the login and now i'm trying to upload a webshell, the problem is that i don't seem to have permissions to write files despite the SECURE_FILE_PRIV value being empty. what am i doing wrong?
I've been having trouble with the skill assessment of the linux privilege escalation module. I need some help with the fourth flag.
The module says for me to look at the external services on the box. When i do a ps -aux, I see that tomcat is running.
But I don't know what to do from there. I am still a little inexperienced at some of this pentesting stuff unfortunately.
@raven cairn
Once you log into Tomcat you will want to use a file upload attack to get a reverse shell 🙂
Wtf i haven't done the file upload attack module before
Have you ran nmap against the target?
No. But I will.
Ok. So I ran an Nmap scan on the target and port 8080 is running tomcat.
I found out how to login to tomcat. I have never done a file upload attack. Could I have a little help with that?
earlier in the module it says that if that value is empty we can freely write files
I'm having trouble using nmap with the spawned IP:Port for the getting started module. Do you guys know what sort of command I need to run to just be able to get nmap to work successfully?
might need sudo
also when i run ||UNION SELECT 1, user(), 3, 4-- -|| it tells me that i am the root user so i dont think i should have trouble writing a file
try sudo
i also tried resetting the machine but it doesnt do anything
Could i still have some help on the file upload attack if anybody is available?
Ok. I will try to do that 🙂 . I’ll see how it goes
Also thank you @west canopy for always helping out : D
of course brother 🙂
also i tried logging in as ||ilfadmin|| which is a user whose credentials can be found in the ||db.sql|| file
but it doesn't work
I was able to get flag4! Pretty difficult since I have never done a file upload attack, and because I had little familiarity with tomcat : D
Heck yea, nice work!
Any idea when Session Security will be released?
hello,
im on the Attacking web applications with ffuf module > DNS Records, where im supposed to add a DNS record for academy.htb, although im confused on how to get hold of the IP?
could someone help me get me going? might be self explanatory.... but not for me atm
theres no target to spawn on this page
I'll wait a few seconds to ask my question till this one gets a response
@upper haven That section is mostly just explaining the functionality of the /etc/hosts file. You will be using it later in the module.
oh... lol, thanks
I'm still stuck on the "Public Exploits" section of the Getting Started module, it seems.
I'm supposed to determine what services are running on the given IP & Port, find a public exploit, use it to gain access, and find the flag.
Well, the service for this appears to be "Apache httpd 2.4.41".
Msfconsole does not return any results for either 'apache 2.4.41' or 'httpd 2.4.41'. It returned results for unrelated Apache/http services I couldn't use. There was only one specific Apache exploit for 2.4.49 which fails to work ofc.
I turned to searchsploit, and I've found a handful of C or Python exploits for either Apache 2.4.41 or httpd 2.4.41, but they ended up not working. Mostly because the C programs I cloned to my working directory were absolutely riddled with compilation errors. xD
I'm left feeling like this spawned machine doesn't have any specific exploit I was supposed to find, with which it was tailored to be exploited.
@dull robin try navigating to the target in your browser. You will want to target the wordpress plugin that is being used.
I see. I'll try that then, and maybe try using some of the...um...
Oh the "web enumeration" commands i used for the last end of page challenge
hey anyone around to help me finish they last of the SQL ESSENTIALS module?!?!?! --- nvm completed!
can anyone help me with the other files - windows priv esc module? Don't understand finding bob_adm creds
you can dm me about bob_adm
I was close to getting the wordpress plugin exploit working, but I had to give up for the day. I think free users have a restricted number of times that they can spawn a machine instance for the module or something.
I kept resetting the box thing, as I kept trying to find a way to figure it all out, and so recently my browser is no longer able to connect to the provided IP address and Port. So I think I have to wait to try again tomorrow or something.
Free users can run the pwn box for a few hours (maybe 3) and can only start the pwnbox instance once, but I think the target machines do not have a limit. I think you could download a vpn certificate and continue from your own kali instance on your local machine via vpn.
@dull robin
😮
I think my eyes completely glazed over the filepath option. I was setting the RHOSTS and RPORT options.
And if I tried the searchsploit for the Simple Backup exploit, I would get a text log of folder paths that I suspected were from my own computer, not the IP address', so I was confused there lol
Can someone please help me find the size of the stack space, for module "Stack-Based buffer overflows linux x86", section "generating shellcode"
@odd shore
@west canopy 0x000fa doesn't work
@west canopy oh sorry, it's a couple sections after that one
@west canopy Ty!! that is from the command info proc all?
Honestly brother I'm not sure, I did this module a while back and this all I had in my notes haha
I should probably revisit it. Still need to do the Windows Stack Buffer module and Intro to Assembly
@west canopy Thats ok! I really appreciate the help!
how to get permissions on HTB: SERIOUS DISCUSSIONS channel?
@sinful flower No clue dawg 😦
@sinful flower you need to verify your account
Hey can anyone help me with the interacting with users - windows priv esc module? Just want to make sure im doing it right cause nothing is happening
@slow venture you need to put the SCF file onto one of the shares. I don't remember which one though, it might have been "IT" but i'm not certain. Then you want to have Responder running and it will intercept the hash
So, just a general question... I got done with Linux Fundamentals and I took a look at machines on HTB and it's still leaps and bounds ahead of me in experience necessary to solve. I'm just getting started on this, and I have all these other "General" "Fundamental" "Tier 0" modules in front of me. Do I just randomly complete these? I saw that one of the modules mentioned taking notes, how much has that helped you guys with the retention of information?
Taking notes is of the utmost importance. I am regretful I didn't take notes. Helping people when you finish will help to solidify and remember what you learned.
Start with the starting point machines, they have walk throughs if you get stuck. The machines are tough and will take a lot of time
Also make sure you take notes when you do a machine, structure them like the starting point walk throughs
Got it. Soo, the whole idea is to gain root access to these machines? Is there a general idea of how this "starting point structuring" can be done, like in the walkthroughs? And lastly I can always grab a notepad and paper for my notes, but do you have a recommended notetaking app?
@ashen flower Before you start each module there is a list of recommended prerequisite modules. For example, on the Login Bruteforcing module:
Lots of people like CherryTree for notes. For live boxes on the main HTB site I usually use cherrytree. For HTB Academy modules I usually just make a Google Doc and copy/paste screenshots of the steps I did for each section
Personally, I started with Introduction to Networking --> Linux Fundamentals --> Windows Fundamentals --> Network Enumeration with NMap
But I would definitely recommend doing the "Fundamental" modules because the more advanced ones might be a bit too much
Well... this is a little more involved than I had originally thought, and even then I figured this would be a little more than screw-around-until-you-get-it type of learning, like one might do with Photoshop or something. Thanks for the tips, I'm installing CherryTree now and I'll go through a few more modules.
I mean you can definitely screw around just to have fun, and there's not a right way or wrong way to learn
But generally it's a pretty steep learning curve, particularly for people coming in with no prior IT background
Yeah, we'll see how it turns out. I've got a long road ahead of me if I have any hope to do this as a career, though I am a sophomore CompSci major, I haven't experienced much of anything that has been introduced to me these past few months in class. It's a matter of finding a path that works well for me now, as I am used to seeing this being built in front of me in real time. I would use the metaphor of a maze to describe pentesting as I currently understand it, moreso than building a structure, like in programming.
I think htb could do better at providing a birds eye view of pentesting
Yes on the main HTB website, the goal is to get Root access on a box. They also have the "starting point" machines which include walkthroughs and are a good introduction. For HTB Academy they have "modules" each dedicated to a specific topic.
It would be nice to understand the lay of the land in pentesting and understanding there are certain obstacles and tools on this path and understanding that is the object of the modules
currently it does feel like a maze or dark room.
@livid pier True but I feel like no matter how they do it, it's going to kind of be information overload. The baseline knowledge required just to get started is vast.
agreed
I'm just a huge hands-on learner. If I could have a question or exercise for every single little thing that is taught to me, I would keep the information very well.
If you have played zelda or skyrim (prob other games too) I like to think of the boxes like those dungeons
Me too, I think thats where htb excels
In zelda you need certain tools to get a key in a room to unlock a door in another room, the boxes are like that
After enough boxes you will be able to formulate a map and compass that will help guide you
when you are new you waste a lot of time looking in places that an experienced player knows are useless
Though you spend exponentially more hours running into walls in the dungeon than you would in those games, so it seems. lol
Once things start to click though it's incredibly rewarding
very true
lol idk i started playing zelda as a kid and i spent hours confused in some dungeons
Link's Awakening on Gameboy was my jam
But ya like @west canopy the information needed to start here is crazy
you need to know operating systems, and languages, and services
The level of quality over quantity when it comes to resourceful YouTube videos seems to be lacking as well, though I am tempted to start looking at these 3, 5, 15-hour long freeCodeCamp tutorials for linux, ethical hacking, etc..
Linux proficiency is a must
watch ippsec videos
and use ippsec.rocks
also read and refer to https://book.hacktricks.xyz/about-the-author
Oh wow.
Hack tricks would be a good way to structure your notes too. Everything you learn from doing a box you can put in a set of notes to refer to later
Just when I thought asking in this channel would taper some of the information overload... 😂 Im just kidding. Thanks so much for the help you guys.
lol no this is a problem of our age, information overload
just take your time, set goals and be persistent, it will start to click
Try to reflect and not forget about the big picture either
The way I am with anything with a real learning curve is I just need to find a way to have fun with it. I'll be honest, reading walls of text on HTBAc modules is not my cup of tea, though I am in a limbo of not knowing enough to complete these easy boxes on my own yet. When I can make those connections I'm sure I'll have a lot of fun with it
I think the amount of text on htb academy cant be worse than the text books in college
Though both of those together is quite a lot of reading. lol
module: INFORMATION GATHERING - WEB EDITION
content: Active Infrastructure Identification
question: Which CMS is used on app.inlanefreight.local? (Format: word)
is there any problem with the ans, I am giving right ans but still it says wrong !!!
module: Footprinting/MSSQL
content: Connect to the MSSQL instance running on the target using the account (backdoor:Password1), then list the non-default database present on the server.
question: Can't connect with backdoor:Password1. And can't connect by bruteforcing passwords with some common lists. Can you give me a hint about what password list should i use?
The given password should work.
You do not need to bruteforce the access.
mssqlclient.py backdoor:Password1@10.129.201.248
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
[*] Encryption required, switching to TLS
[-] ERROR(ILF-SQL-01): Line 1: Login failed for user 'backdoor'.
i missed -windows-auth
thx!

@kind path sent you DM dawg 🙂
194.613.716.24
Need help with first question in "OSINT: Corporate Recon" module. Question asks for coordinates for a city in Germany. I know the city, but can't find one specific set of coordinates for the city in Google / Google Maps. The hint didn't help.
Yoo im playing the new one on the switch rn. 🔥🔥🔥🔥
Haven't gotten to the OSINT module yet , looks pretty tough
I just downloaded ffX. super excited to start
I’ve been having trouble with the same question. I think the question might be wrong. I want to contact htb staff about this.
The coordinates that you find on google do not work.
Maybe the tectonic plates of the earth shifted the geographic location of the city
Maybe. I know the coordinates for the USA location worked…
How should i contact staff just to double check?
Hi everybody, am I in the right section to ask about Tier 1 VIP bascis labs?
"Stack-Based Buffer Overflows on Windows x86" - "Finding a return instruction"
76FDD627 does not work as an answer
@cobalt night If that involves HTB Academy modules then yes!
Or is that the Starting Point labs on the main site?
I'm stuck on the skills assessment for sqlmap essentials. I think I found the attack vector but everything I throw at it isn't working. Can anyone find what I'm missing?
@covert tusk DM me brother 🙂
I contacted them a few days ago for that already, I'm waiting for an update, they told me that Google updated the coordinates since the creation of the module
Module : OSINT
Question : What is the hosting provider for the inlanefreight.com domain?
I'm struggling with this one, I guess that I have the good hosting provider, but I don't have the good format ? Help would be appreciated
in the module "web request", i get stuck here bc when i execute cURL, theres no flag that i can see
i use the devtools to see the "search.php" but when i open it with cURL, i dont find any flags. i "login" with the credentials btw
@past glen
Yea try refreshing it
I am so close to finishing the linux privilege escalation module. I am needing help on the fifth flag.
I've been trying to exploit this command on GTFO bins and it hasn't been working for me. If i could have some hints it would be gratefully appreciated since I am getting very frustrated with the module.
Am i looking at the right thing?
@raven cairn You need to upgrade your shell first
After that the GTFOBin should work 🙂
@west canopy tysm
Lol that was a very easy fix. 🤣 I kinda forgot about upgrading the shell
Yeah I was not sure I was running the command right lol
Terminal has a stuttering problem
Could anyone help me with the proxy section of the bug bounty course. The instructions say to use https in the configuration file for proxychains. That isnt possible, it doesnt accept https. If I just use http I get the following, Im stuck. Google search isnt helping. Found the same issues, but only suggestions when using TOR with proxychains
@rustic sage Which module is that? It doesn't look familiar to me.
Using web Proxies for the bug bounty course
Sorry for the dumb questions . I don't remember using proxychains at all so just wanted to double check my sanity
No worries, if you can figure this out Id owe you one lol
I think on this section I mostly looked over that part and just went straight to the question at the end of the section
I could do that, but I really wanna be able to route nmap/curl/ etc through zap Dx
Wait, how did you route metasploit through burp without proxychains?
This is one of the modules I did before I decided to start taking good notes. I actually have no idea lol
Dx lol
I think I actually just ended up guessing, based off the Options shown for the exploit in msfconsole
I'm also not understanding how to route the traffic through burp 😦
Maybe something with the "Proxies" option for the exploit. Like route it through 127.0.0.1:8080.
In the older version of proxychains we could just put https 127.0.0.1 8080. The new version of proxychains doesnt allow https. Just http socks4 and socks5. Im messing with the connections options in zap, but I really dont know what I am doing lol
Think I need a refresher on networking xD
ok I figured it out, and Ima make a guide on this tomorrow. Its a certificate issue. Even though I have zaproxy cert setup with mozilla, that isnt enough for curl. I can bypass it using -k, but Im going to symlink the cert tomorrow. I am tired now. I did manage to get the request to show up in zap though. Thats enough progress for me tonight. Im going to sleep, gn everyone!
Ill figure that out later xD... gn
Later dawg!
Anybody still here? I am almost finished with the linux privilege escalation module and I have been having some troubles!
In the module the C code that they give does not work. I am not super familiar with C so I do not know how to fix this.
Obviously the problem is that the function 'system' has not been declared.
Which section is that?
It is under miscellaneous techniques
Oh you actually don't need to do that. You can just navigate to /var/nfs/general to find the flag
I actually had problems on the very first section "Kernel Exploits", i had to remove a line of code at the bottom of the exploit to get it to compile. GCC is weird.
I am proud of you bro you're doing awesome
The instructions on that section were a bit confusing lol.
I am trying to make it a habit of practicing htb academy everyday so I will be asking a lot of questions 🤣
Now you gotta do Windows Privilege Escalation
Is that one gonna be hard?
Not gonna lie to you dawg lol
Why didn't this module teach me linpeas
I really need to start taking better notes so i can help out people more : (
Honestly with LinPeas i can maybe understand like 5% of the output it gives lol
need a little nudge on the SQLMAP essentials module. im currently at "bypassing Web Application Protections"
I am trying to run the --csrf-token flag with sqlmap but i am stumped on how to retrieve a token
@modest moth which Case #?
#8
So unfortunately this is another module I did before I decided to start taking good notes. But here is the command:
sqlmap -u "http://64.227.36.32:30000/case8.php" --data="id=1&t0ken=tl6lgGmtEKbJoztg6KLezWq4aVzWknanJ6mUiY8bc" --csrf-token="t0ken" --batch --dump
omfg
im so mad
so i intercepted the requests
and i got t0ken
i thought i was looking for a fucking value
i used burp to intercept it and i knew i had t0ken, but i thought i was looking for an actual token to throw into --csrf-token flag
I rode the struggle bus hard on this module. I should probably revisit it. I think this is the only module I left a negative review on.
I felt like I was just copying/modifying examples in order to find the flags, and I really had no idea what was actually happening
super hard for me to get all the info while just reading. i might just read the rooms out loud and record it
to relisten to them
i do a lot better with audio vs reading
i literally had the entire command right, but for --csrf-token flag, i was entering a token value from the previous request.
Yea you were right there man
Some academy related announcements 😉
nice :)
Is the answer not an IP-address here? Hmm cant post a pic here
Utilizing the output shown in question-1.png, who is the server in this communication? (IP Address)
This is the TCPDump fundamentals module
how to get on top
Need direction for Nmap enumeration course: Firewall and IPS/IDS Evasion - Hard lab
I found the sun-answerbook port , it seems like a database that fits the hint by HTB, but I have no idea how to reveal the version even using -sC, -sV, -sS
Working through Windows Privilege Escalation - Part II and stuck on trying to find a NTLM hash of the disabled local admin user. Is there a way to check in windows what systems a user is able to interact with?
Look at the chapter "Connect To The Filtered Port" again.
Nope, its not working , I have tried many way on forum with the 50000 ibm-db2 port
you can dm me for a comment if you still need it.
DM me the command you tried. Then we look at what goes wrong.
@tiny ledge
Guys, need help with lab 2 (medium) footprinting module
Dumb question but how do I unset proxies in metasploit, used "set proxies" but can't seem to undo it
hi, I have a problem with the Information gathering module. I am on the Active Infrastructure Identification page. Can anyone help me there please? So for the questions
@eternal rover I think it's just "unset proxies"
Tried that but still flags as unable to run the exploit as the proxy is set, I think I'll restart metasploit and force it through and see how it behaves, thanks
@misty remnant Feel free to DM me 🙂
hi guys i have a problem with the end of web enumeration
i use ping to check the ip target and i dont have response
i use gobuster and i get that Error: error on running gobuster: unable to connect to http://138.68.160.106/: Get http://138.68.160.106/: context deadline exceeded (Client.Timeout exceeded while awaiting headers)
i made it!!! hahaha its a problem with the ip target
you can pm if you still need help
Module--> INTRO TO NETWORK TRAFFIC ANALYSIS
Section--> Interrogating Network Traffic With Capture and Display Filters
Questions
Answer the question(s) below to complete this Section and earn cubes!
- 1 What are the client and server port numbers used in first full TCP three-way handshake? (low number first then high number)
My answer is 80 43804
🤔
So the tcpdump-lab-2-answers.md in tcpdump-lab2.zip is wrong
New module out boys!
Let’s gooooooooooo
I'm trying to do the broken authentication module. I am stuck on the predictable token part, and i had a working script, and validated that the user level token worked, once, but stopped
unless by some miracle i got an md5 hash collision
Haven't done that module yet 😦
ok, i ended up getting it. resetting the lab seemed to fix it? bizarre that my script worked once, then failed for > hour, then started working again
I was having problems with Attacking Common Applications, there was a section where you had to use a script to bruteforce Gitlab users but the target kept disconnecting.
So my script never finished
hey guys, probs a stupid af question but in "Web Requests", specifically the GET section, I cannot figure out how to get this answer, anyone have any like tips or what I've gotta do?
@bronze coyote
Ty king 👑
Any time brother 🙂
Hi guys, try to contact HTB via the support bubble to talk about student subscription and don't know what to choose? Can anyone help?
It doesn't matter which one you pick don't worry
Thx!
npnp
I am continuing to struggle with the broken authentication module. i'm on the skill assessment, and I found 2 different hashed values. one i know how to decode, but can't get any valid responses with the wordlist i'm using, and the other i have no idea. can someone validate whether i'm on the right path?
@astral siren feel free to dm me
What do you need help with?
To get the flag, use cURL to download the file returned by '/download.php' in the above server.
how do you do this question
@acoustic owl
If you need help, it is always useful to specify the module and the corresponding question. No one here knows which module you are working on, let alone which question you need help with.
You mean Web Requests?
yes, i can help you.
What have you already tried?
The task is to download a file with curl.
This is how you can download a file.
curl http://10.10.10.10/file.txt
Adapt the path to your needs.
Maybe read the part cURL again.
You can use any IP address or domain instead of 10.10.10.10.
You need to download the flag.
but this is the question : To get the flag, use cURL to download the file returned by '/download.php' in the above server.
Exactly. You should download the flag on the given IP address (target) with cURL.
download a file with cURL works like this:
curl http://10.10.10.10/file.txt
Familiarize yourself with cURL. You will need it again and again.
no, the question is
To get the flag, use cURL to download the file returned by '/download.php' in the above server.
HINT: The downloaded file will be called 'download.php' and it will contain the flag
curl inlanefreight.com/index.html is only one example in the chapter
The questions want to know if you have understood the content of the chapter and if you are able to apply what you have learned.
this is the first page of the whole chapter
Did you make it?
Get well acquainted with the tool. You will need it again and again.
does anyone else have an issue where the docker hosts take >5 minutes before they actually respond to requests
@astral siren Nothing like that on my end , typically for me a docker target will either spawn almost instantly or not spawn at all .
anyone done the web attacks module? i cannot get the xxe to work on advanced file disclosure. i am receiving the request for my xxe file that i'm hosting, but i'm not getting any output
i've got the flag, but i don't understand why i couldn't get the page source
This is what I have in my notes
i was trying to do the cdata one
again, i got the flag with both, but i wasn't able to get the source like in the example. i was trying to figure out if that was by design or not.
any details on when these modules will be released?
Next week i believe
Hello all,
In the "Procedures" chapter of the "Intro to Assembly Language" module,
I want to respond to the following question:
Try assembling and debugging the above code, and note how "call" and "ret" store and retrieve "rip" on the stack. What is the address at the top of the stack after entering "Exit"?
I proceed at following actions:
||I launch gdb with the assembler.sh script and I write "b *Exit+0" and "run"
Are my actions bad?||
Solved 🙂
@languid ginkgo Wish I could help dawg but I haven't done that module yet 😦
@west canopy just finished the skill assessment for sqlmap. Thanks for your help with that one room.
Halfway done with the bug bounty path and I'm def feeling a lot more confident and comfortable. Might start doing some boxes on the main website.
np 😉
Hello All!
I'm having a problem with the last part of the "SHELLS & PAYLOADS" with the 2nd host , who has done it ?
I have
What problems do you have?
Need a little sanity check for Windows Privesc skills exam, I'm going crazy
sorry I havent done that one.
@silk aspen DM me dawg 🙂
Hey everyone, new to the HTB world. Software engineer by day, trying some HTB at night, going through the bug bounty path at the moment
if you are still stuck you can DM me.
So going through the HTML injection section and the XSS injection section, when I inject the html or javascript, doesn't that only pertain to your PC, how is that useful?
@ashen orbit if a website is vulnerable to Stored XSS then it will affect any user who browses to the page
ok i'm losing it w/ this Recursive Fuzzing section, adding more extensions & whatnot but to no avail
@round lagoon My bad, this should be it
You all should know that your commitment to learning and lifting each other up in the process is inspiring.
Also keep in mind that growth doesnt always feel good. Personally when im learning something new I feel driven but overwhelmed by the new information mostly. Keep studying and practicing until it makes sense. Most of this wont be easy at first until one day you’ve practiced so much it becomes muscle memory. Its also healthy to remember where you were when you started, thats often when you’ll recognize you’ve grown. Not in the process but upon reflection. I keep a learning journal that I add to on occasion to just write down what Ive learned and accomplished. Keep going, stay focused, and have fun.😁
The freshie
I think new modules next week too
My Timer is going super fast it goes from 90 minutes to 74 in 3 minutes
is that a bug?
any hints? I'm stuck on this too - fairly sure I'm entering the correct memory address but it keeps saying I'm wrong
Ive had that happen too, dont know if its a bug or what to do about it but ive seen it.
and if anybody could help with Login Brute Forcing Skills Assessment - Website I would be really happy
Does your address have the right number of bits to be complete?
Needing some help with the Web Requests POST section where the question is "Obtain a session cookie through a valid login, and then use the cookie with cURL to search for the flag through a JSON POST request to '/search.php'" I am not entirely sure what the question is asking for an answer. I have the cURL command as curl -v -X POST -d '{"search":"london"}' -b 'PHPSESSID=1uhh6r3jlcj9cuknra0da02i4v' -H 'Content-Type: application/json' http://46.101.61.42:30757/search.php thanks in advance
could someone dm me about footprinting - dns? i want to check that i have found the correct zones
I'm stuck at this question in Linux privilege escalation, I found a bunch of files with a setuid bit not shown in the section command output but there are so many and the first ones weren't working and I feel like putting them in all by hand is not the right approach, can someone dm me or give me a pointer?
Search flag, not london 😉
@west canopy Thanks for the solution but I have no clue what I did wrong
on a parrot vm I use openvpn academy.ovpn to connect to academy : from there I could curl a phpfile , and execute remote code (in an uploaded php file). apparently on my vm, I don't have a tun0 interface , how can I have a reverse shell call me ?
@quick raven hmmm if you are connected to the vpn then you should have a tun0 IP address.
Hi guyz, Im new to hack the box and hacking all in all, I've never done any hacking in my life and so I wanna learn but I dont know exactly where to start, can u tell me where I can learn and may it be a free site if possible cz I dont think I'll even be able to hack the first box on HTB .
open hackthebox academy, and follow getting started
@ashen sage Yes, check out the "Fundamental" modules on HTB Academy
Thank u guys lemme check it out right now
I dont get it : no tun0 created when I invoke openvpn aca.ovpn should I use sudo ?
hum with sudo it seems better
got it this time tun0 maybe I can finally receive the callback
@quick raven If i don't use sudo the vpn doesn't connect for me , so it's likely that was the issue
I need some help on the XSS module, Phishing section. The instructions aren't very clear to me of the section.
@ebon wigeon google @raven cairn name
🤩
anyone else can't ping machines even though connected to the vpn?
Hi, what is the password for the sudo command please ?
privesc
@raven cairn
Thank you bro
how do i fix se debug
@urban sage that name should be banned from this server , fucking degenerates @raven cairn
google what it is
You dont like Yaoi ?@ebon wigeon
No, im not a degen
thats a lie

hi
@west canopy Just did it! The instructions were overly convoluted so it was hard to understand lol.
Nice! Yea I think it took me a while to figure out what I was doing on that section
Going over the Introduction to web applications even though I just built a web page and api, might be a nugget of something I don't know haha
I did learn that firebase is a nosql solution
@ashen orbit Get it big dawg!
Sorry, for another newb question, but is hack the box login credentials different for academy and the normal hack the box?
Need Help With
Parameter Fuzzing - GET
if Anybody is available I would be happy
@jaunty patrol
I had too many echos 
Yes , the two platforms each require a separate account
I'm staying in the academy as I have no clue what is going on in Hack the box to try one haha
I would definitely recommend knocking out a few modules before attempting Live boxes
Any modules that are good for improving ctf skills?
Kind of hard to say because every box is different
I really liked Windows Privilege Escalation , i was able to immediately use one of the techniques to beat the "Driver" box.
I am struggling on the XSS-module, section: session hijacking. They tell you to try different payloads. I have been trying a bunch of xss payloads and none of them have been working for me. I have made sure that my XSS payloads connect back to my php server.
The payload will be one of these formats:
I know : ( . For some reason none of those have worked for me? Might be doing something wrong?
I was using those payloads
Not if your php server is using port 80
Awesome. The payload worked. I tried so many of those payloads. 🤣
Hi everyone, please give a suggestion for service enumeration section in nmap module. I have tried nc -nvl ... to listen to the server, but i couldn't find the flag.
@undone shale you don't want to use the -l option. Try just netcatting directly into the highest port that you scanned earlier.
Thank you @west canopy
Of course brother 🙂
the -l option basically opens up a "listening" port on your own machine. But the server isn't going to connect to you automatically. Typically you will use a netcat listener in the case of a reverse shell, where you would upload a malicious file or run a command on the server that makes it connect back to you.
can anyone help me with this question "What group type is best utilized for assigning permissions and right to users?" from INTRODUCTION TO ACTIVE DIRECTORY section Active Directory Groups
i think this question has a bug, i tried every group, even Security groups
I have a (text) meterpreter shell on my target, how do I get a normal shell ?
in the meterpreter session use the "shell" command
yea I used help then shell, now I have a strange shell with no prompt
is your target windows or linux
linux
But the shell is responsive?
yes
Try upgrading it.
sudo -l says everyone can use /usr/bin/php
@quick raven Yes. But do you have maybe python on the system? whereis python
apparently there is python 3.8
try then python3.8 -c 'import pty;pty.spawn("/bin/bash")'
hi guys do u know if the platform is down? cause i'm stuck in PUBLIC EXPLOITS, getting started module, the question is "Try to identify the services running on the server above, and then try to search to find public exploits to exploit them. Once you do, try to get the content of the '/flag.txt' file. (note: the web server may take a few seconds to start)" but i ping the target to check connection and it shows me "ping: 134.209.191.224:30130: Name or service not known" i have reset the target many times and it keeps showing that error, i have been trying for 3 days
if anyone know how can i do, please help
you are trying to ping a host with its port which is not done with the command you have used
and my next question is how do you ping a port

thank you, that question made me get the answer, i was trying to check the connection with ping instead of nmap
no problem
From my experience, most Docker targets are not pingable. On that section in particular you can just copy and paste the IP:Port into your browser and see if it loads.
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
Thank you so much, I knew I was overthinking this.
@west canopy you have any recommendations for a good laptop to throw kali or parrot onto? ive been using virtual boxes for a while now but want to just throw the OS onto the hardware and have a laptop dedicated to either OS. budget is around 1100-1500.
Honestly brother, literally everyone I know who has run Parrot on bare metal has encountered all kinds of weird technical issues. Personally I just use a Kali VM.
i have this beater asus ive been using as a kali machine, but it just crashes and dies every couple of weeks, ive reimaged it about 6 times in the past couple of months.
I am on a windows 10 laptop and it has literally never crashed. Sometimes my VM will sh*t the bed but I take lots of snapshots so I just end up rolling it back.
damn thats honestly a better idea, shouldve thought of that haha. i do that on my desktop, idk why it hasnt crossed my mind to do that for a laptop
just got to get in the habit of taking more snapshots.
how much storage you working with?
You would think bare metal linux would be a more stable OS, but from my experience that simply is not the case
I know! thats what i figured, but working with the asus, it isnt stable at all
I have 12 Gigs of RAM, and on my VM i give it about 8
ram isnt an issue, ill just steal 2 16 sticks from my job lol.
do snapshots eat up storage?
oh wow not even a lot ok. thanks. ill just look into gaming laptops. thanks
@modest moth you can honestly use an old thinkpad
I use a lenovo T430z. It is a bit big but it works like a charm.
Lenovo also has excellent linux support
oh nice didnt know that
just want a laptop that doesnt keep crashing on me lol
its been annoying because ive lost a collection of tools ive downloaded from github
at least all my notes are on onedrive
This is my opinion. Hacking is usually not going to be too intensive on a computer (unless you are cracking hashes)
or if you are running an android emulator on kali
cough cough routerspace 😭
I read a comment about that melting someone's computer... I believe it
wtf happened lol. i was just about to hop on and do the routerspace machine lol
Potential spoiler || You need to set up an android emulator. Doing this is a huge pain in the butt in kali from my experience. I just gave up and ran anbox in a ubuntu vm. ||
wow, cant wait to give that a go when i get home haha.
Have you done paper?
Nice!!
from enumeration to hacking it.
rooting it was easy. im getting excited because i feel a lot better than i did 2 months ago. i dont feel overwhelmed going into a new machine
Im pretty new to htb. I started like a month ago? lol
working as helpdesk right now, REALLY want to get into security. hoping to take the OSCP within a year. im down to do some retired machines together sometime.
I'm going to start this wednesday
Yo i’d be down
I’m at a university and they don’t teach anything about cybersecurity 😭
I Really, really, want to be a pentester.
I just love to test pens so much
Yea I was at uni for comp sci but felt like I wasn't learning as much. Got my net+ and sec+. Got an it job as a 2nd year and dropped out. I might finish it in the future but just with 2 certs, I learned more than I did in 2 years of uni