#modules
*** EDIT - Just found it. Failure string was the issue. ***
Login Brute forcing web assessment - question, is it the same 'user'name as question and is the password in the password file specified in the cheatsheet? The scan has run over 200K passwords and still not found it. Do I need to look at my failure string?
Please see your DMs for instructions on how to verify your HTB account.
Hi, not sure if this is the right place for this, but: I'm trying to learn and get into cybersec. I started TryHackMe, but switched to HTB since companies mention HTB in their job listings from time to time. So I started Academy, and the Jr Pentest Path, but since it wasn't 100% complete with lots of -coming soon- modules I went for the Cracking into HTB-skill path instead. And since I already started I had the Getting Started-module so I continued that one. Anyway, some things seem a bit out of my current knowledge. Am I approaching this the wrong way? Should I do every fundamental module first, then easy, and so forth? Or should I stick with paths, and do the module/boxes that are mentioned on the way? (sorry long message)
@meager lynx I had the same problem as you.
I started by starting from the basic modules that offer interesting ideas and topics and then moving on to modules with a more demanding level.
@glad orbit That sounds good. I'm glad I'm not alone on this one. It's so much new stuff. I thought I was kinda well versed, but clearly not. So much is new: Linux, ftp, ssh, etc. So finding good external sources on top makes my head spin a bit. I guess google dorking might be a good start
But there are some lightbulbs that switch on every now and then. And that's so much fun!
can someone help me get my account verified in this server?
This Account Identifier does not appear to be the right length (must be 60 characters long).
dats the error im getting
Hey guys. I need help at password attacks module. Can anyone help me?
DM me.
Any one managed the last flag for vHost task within the INFORMATION GATHERING - WEB EDITION module? I have the flag, but it says its incorrect
Make sure there is no space at the end when you copy and paste. I've had this happen before.
happened to me a few times as well.
it is also possible to find a flag that is for another section. Happened to me yesterday
Can someone help me with this one: Submit the FQDN of the nameserver for the "inlanefreight.htb" domain as the answer. - the website doesn't seem to exist and the IP address provided gives apache default website
This is from the: INFORMATION GATHERING - WEB EDITION
I made sure there were no spaces, but it seem that I used the same flag twice. I need to find the last flag from the vHost starting with "d"
You can query the name of a nameserver with dig NS domain.tld @ipofdnsresolver
look at the dig command in the cheat sheet
Unfortunately, he couldn't help me. Wrong module. If someone can help me. The module is Password Attacks.
worked, thanks!
you can dm me and I will help
Damn this 'Active Subdomain Enumeration' part is rough
yes it is.
I've been stuck on this module too, where are you?
I'm stuck on Password Mutation and Password reuse because you must have the Password of password mutation and Credentials on Linux
Dm
Hey, I'm on module Login Brute Force, section service authentication, found the first flag, managed to connect to the first user with ssh but can't find the second user ftp access, used several lists, the one I generated for the first user, the one that was in its directory, and some other common known list but nothing seems to be working, anyone would have a hint for me pls?
@prisma knoll you will want to run Hydra from inside the target, against the loopback IP address using the rockyou-10.txt wordlist that is on there.
oooh damn
will try that right now thanks !
could someone give some tips on the Active subdomain Enumeration? My txt record shows nothing
dm me
what up @livid pier
Whats good bruh, getting back to that mod grind, just got a freshie
Binaries kill me on these boxes
I'm looking to change all that
hell yeah. I'm almost done with the bug bounty path. Just gotta finish web attacks I think.
something about writing about AD with @mellow whale and @unique valve that gets me pumped on a Friday
Is this a hint about the next mod to drop?
Sysadmins hate him! Learn this one secret trick to get Domain Admin.
The supplied password list doesn't work for the "Credential Hunting in Linux" section of Password Attacks
why not try the mutated one?
Not working either. Did you figure out this one?
The breaking password mods is killing me
dm
Nginx Reverse Proxy & AJP ServerSide Module. I cannot setup the proxy/nginx on the pwnbox but to complete module i need to know Tomcat version. Anybody can provide answer? Answer format: X.X.XX
@brazen warren I struggled for a bit on that section . DM me and i can send you my nginx.conf file.
so yeah it was nginx issue, after replacing it worked like charm, thanks!
I don't know if I'm missing something REALLY obvious, but:
Web Requests Module, first part (HTTP)
Every target machine that I spawn is unreachable. I can't curl the webserver at the provided port, I can't ping the IP address, I can't access it via browser. Both when I try from within the HtB network on my VPN and outside of it. Any thoughts? Maybe just a temporary issue?
Did you use the Academy VPN?
https://academy.hackthebox.com/vpn/key
This happens to me occasionally as well, be sure to refresh the module page before spawning the instance. That usually helps, and then wait 1 min before probing the ip and port. Also check that you are connected to VPN if the lab requires it, some of them do and some of them don't
Are you including the port number in the URL?
If it spawns with a port it's a docker target and is only accessible at that port.
Can I ssh to the htb-student on my own Kali instance in virtual box nothing seems to work out just times out
@rustic sage DM me.
anyone know why ffuf is suddenly so slow? on both my own kali vm and the pwnbox, ffuf initially is able to do thousands of requests per second, but soon can only do one per second, and the issue persists after multiple resets as well
@true tendon yes i had that issue before so i sometimes refresh the pwnbox and re assign the hosts too
and it should work
sometimes i noticed the arguments are kinda messed up by stupid me but once fixed it's all fuzzing fast
hello guys how can i find a box in which i need to crack a password? but for beginners and free
Hello, I'm stuck in Skill Assessment of Server-side Attacks. Without registering an account the application does nothing.
Yes I do. Sometimes I find it easier to be on my own machine.
Take a close look at the source code
Yes I finally did it, thanks.
hi, all, I wondered if it was possible for a nudge in regards to: Web gathering module, active sub domain enumeration - on face of it i seem to be everything correct, but cannot answer the question... so obviously ive taken a wrong turn somewhere.
Hi all, I'm dealing with the skill assessment service of Login Brute Forcing, the question say I have the name of an employee but I don't... It might be what I find in the previous skill assessment but that doesn't work... Anyone can help me ?
Nvm, I find it... I took a break retake from the beginning and I got it
kind of stuck on the assessment for file upload attacks. i was able to read the source code of the uploads.php. i found out the naming scheme and location of where the files i upload go to. However, im kind of stuck at making a payload to get a simple webshell. can any one nudge me in the right direction? i found 2 potential file extensions that can allow me to send a payload
try to bruteforce available extensions
Hello guys, stuck on the Predictable Reset Token Question 2. I got the encryption algorithm but how should I forge a password without knowing it. Tried it with prefix rockyou and with the htbuser password. Anyone a little Hint?
From the Broken Authentication Module*
literally just got it!
nice!
had to think outside the box on this one
had like 3 repeater tabs in burp open.
i was tripped up because after brute forcing possible extensions, i got .log and .reg are valid ones. so i spent like 2 hours reading up on those file extensions and seeing if they can send payloads lol
i def learned A LOT
oh, and learned about changing hex signatures to trick a whitelist into accepting a file type.
Nvm found it, If you read carefully its easy lol
hey all, im working on the skills assessment part of cracking passwords with hashcat and im on the last step 'After cracking the NTLM password hashes contained in the NTDS.dit file, perform an analysis of the results and find out the MOST common password in the INLANEFREIGHT.LOCAL domain.'. At this point with the file provided in the module, should i be extracting the hashes from the file and then cracking or can I crack the hashes as is?
so when i do that im getting a token length exception error in hashcat
@devout cliff You just want to run hashcat against the provided .ntds file . But will need to add a few options to make hashcat crack the same hash multiple times (by default, once a known hash is cracked it's added to the potfile and won't crack it again)
the module says its NTLM so thats the mode im using, but its not taking it
-m 1000 should work
ok so it doesnt throw me an error when i use that mode so thats great but its also exhausting the list. so the options the module talks about i believe i understand via the hint its giving, but even if i dont use that option it should give me some hashes back on the crack i just did, but it doesnt.
Anyone do this one? (Password Attacks)
What did i do wrong?(Getting Started ,Question:Try to identify the services running on the server above, and then try to search to find public exploits to exploit them. Once you do, try to get the content of the '/flag.txt' file. (note: the web server may take a few seconds to start)
I did got the flag.txt add cat it
@livid pier PM'd
These Password Attacks modules are very time-consuming, not sure if I'm on the right track
@lyric mason try navigating to the target in your browser, you should see a certain Wordpress Plugin being used and you will want to find an exploit to target that
Anyone free to give me a nudge with the Web Service & API Attacks module. stuck with the file upload with RCE, I have followed the instructions and have super limited RCE?
@tribal linden is that from the "Arbitrary File Upload" section?
yes
This might sound stupid but definitely double check your backdoor.php file. It took me three tries to get it right because I kept having typos in my script.
the weird thing is i do have some RCE, like i can execute which python and get a response but little else works. I will double check it all
Yea that's weird. So i was uploading my backdoor.php file then running web_shell.py against the target. And it looked like I had RCE but when I ran commands I would get no response whatsoever
dm if you need help. They really time consuming...
Oh , i will try it , thank you for helping.
Academy > Cracking Into HTB > Getting Started > Privilege Escalation
kept trying password1
@unreal sigil try doing user1@134.209.28.38
anyone done the Skills Assessment - Using Web Proxies. Need help with the last two questions
seems to have worked, thx
@steep sable i got you dawg, DM me
m
this keeps happening
I've tried closing, reopening, refreshing, terminating, restarting
keeps happening
yeah so i think the VPN service is down cause i had issues pinging VMs
oh ok right on thx
yeah connect to HTB is red on the site
so i can't do the starting point vms
yeah, site went down, i got kicked
@unreal sigil I noticed there was not a pwnbox in that Privilege Escalation section. I added one. can you try spawning the target in that section + a Pwnbox and try again?
@unreal sigil for me personally sometimes i need to spawn Docker targets a few times before I can connect or interact with them
yes I had tried spawning several times and kept getting that same result
tried some more now but it's still happening
guess I just had to say yes
I apparently can't get on the unika.htb site for responder
i've added it to my hosts file
i restarted NetworkManager
@summer shoal you may want to try asking some of the folks in the #starting-point channel
academy > getting started > what's next > Knowledge check I am stuck on the first alone box. I got a www-data shell but only the cat command work so I can't escalate privilege. I could get the user flag with it though I did not gain access to that user. Running rockyou against that ssh user at the moment
@opaque fiber Are you familiar with GTFOBins? Try doing sudo -l
suso -l fail "command not found"
are you typing suso or sudo?
sudo
echo fail too
only command that work are ls, cd and cat
can I pm you the exploit I used? it might be the issue. I don't want to spoil though
yea DM me
hello guys, idk how to do it, im in USING WEB PROXIES module so im answering the question and i need to use ZAP tool for intercept request, but the off/on break button doesn't work, i cant make the intercept, what should i do ?
@proud sparrow not sure which section you are on but for the "Zap Fuzzer" section i just ended up using Burpsuite
Why can't I post in general?
@west canopy its Intercepting Web Requests section and all the section talks about using zap
Yea I used burpsuite on that section too. I only used Zap on the "Zap Scanner" section. I did this module a while ago but I remember feeling like the zap UI was not intuitive so I honestly never used it again
@west canopy idk what to choose yet cus still not familiar with each of them enough, so i think cus ZAP had the HUD thing idk how i can see the flag using burpsuit, l
@west canopy i did it using burpsuite but thats not fair tbh, took me a while to understand how to solve it and still didn't start with burpsuite yet
Hey it's all fair game in my opinion!
Hi guys, somebody can help me with the Skill Assessment - Broken Authentication? I can't found the right account. I want to say more details but, I don't want spoil a new one that start this module. Then can someone tell me if I can send you a DM?
what am I doing wrong lol
academy > cracking into htb > getting started > privilege escalation
I've already done all this
already got first flag of module too
Shells & Payloads The live Engagement final question.
Note for Host-3 is that its a 2017 exploit that makes System Admins Blue.
Eternal Blue is not cracking it though.
Anyone want to point me in a direction?
Also ran smbclient and it said SMB was disabled.
still stuck
Yes
DM
@fickle spruce i believe i was able to get in using the psexec eternalblue in Metasploit
How could I use the exploit from searchsploit ?
searchsploit -m ?
^ this followed by the file's name
Hi can someone point me in the right direction for Case#4 of the SQLMap essential module? I have tried everything over the past 2 days, I used the -r option but no result. I am very new to all this so any help will be much appreciated.
Did somebody finish the web proxy module? I have a question to the previous question "Once you decode the cookie, you will notice that it is only 31 characters long, which appears to be an md5 hash missing its last character. So, ..." in the Skills Assessment. I'm wondering where i should put the cookie in the Header.
I do it this way, but it does not work
Any one get certificate CBBH
Does anyone know why I get this when I use wpscan? -->Aborted: The remote website is up, but does not seem to be running WordPress.<-- I'm in the final section Skills Assessment - WordPress
Did you make sure that the URL is pointing right to the wordpress installation ?
Yes, the strange thing is that they give me only the IP but without any port
So it means that it's on 80/8080 port I guess
I haven't done that module so I may be totally wrong
I have tried, but it does not detect that it has wordpress. And I have looked at ports with nmap and nothing appears to me apart from 22 and 80
Can I ask the htb-academy staff?
I think you can yeah, they'll be able to help in a better way that I can
Where should I write to them?
You can open up a ticket on the website
And in this discord?
The best you can do here is wait for members / staff to notice I guess, I don't really know to be honest
Are you connected through the VPN? The exercise gives you a VPN key, which you can use to access the web app.. it's on port 80, so no port is needed to be entered
In htb-academy I have never used the vpn, only with the interactive instance it lets you get in
Are you using pwnbox? If yes then you don't need a VPN as it connects you automatically
Yes i use pwnbox
The problem with the last section is that wpscan doesnt detect that the page has wordpress
Oh, so you can access the web app? Yeah thats part of the exercise
Yes
I also tried to restart the pwnbox and the target
And without wpscan I can't do anything
As mentioned above, this is part of the exercise. You're skipping one step
Any tip?
I don't understand what you mean
Check the wp blog
#wpscan --url ip -->Scan Aborted: The remote website is up, but does not seem to be running WordPress.
command= "sudo -l" talk to you what you can!
I also have problems using this exploit (50064). Should it be uploaded to http://blog.inlanefreight.local/ or used in msf ? in msf at startup gives an error!
There is no flag here. Get back to hacking!
msf6 > use /modules/50064.rb
[*] Using configured payload php/meterpreter/bind_tcp
msf6 exploit(50064) > options
Probably requires login/password options?
Do I need to brute force Nick with a password?
msf6 exploit(50064) > run
[*] Got CSRF token: f9edfa075a
[*] Logging into the blog...
[+] Successfully logged in with demo
[*] Uploading shell...
[-] Exploit aborted due to failure: unexpected-reply: Unexpected json response
[*] Exploit completed, but no session was created.
what is Username/pass? Demo?
VHost -blog.inlanefreight.local !
No, you have other credentials
Hey guys, I am stuck in the module Information Gathering - Web Edition in the Active Submodule Enumeration. So far I have done the zone transfer but now I don't know how to get the FQDNs and the A records and how many zones are on the server
I would really appreciate some help
@west canopy Yeah I accidentally typed LHOSTS instead of LHOST when setting the IP. LOL
No
Are you sure that your target is actually a Wordpress site?
I have put in ip the ip of the target machine
look at the source code of the website. Is it a Wordpress site? The error message says that your target website does not use Wordpress.
This is exactly what 21y4d tried to explain to you
look at the source code
I really like HTB academy, courses are really good, but honestly I have to say that questions are often unclear. It makes me lose much time.
what question do you mean?
Please let us know if you find any question to be unclear, and we'll do our best to fix and clarify the question
I'm currently doing Broken Authentication / Bruteforcing Cookies / Question 1. I am trying all the "super user" roles I can think of, because the difficult part here is not the cookie handling but the guessing one.
But my remark applies for several questions of several modules, it's not the first time I find a question unclear. I discussed with a friend the other day and she agreed too.
We'll check this one. Let us know of all others and we'll look into them as well
Ok I'll let you know, thank you.
Hi!! I'm stuck in the file upload module, could someone give me a hint? I have tried to fuzz all possible extensions and the ones allowed did not execute code
Hello, I am stuck on the broken Authentication Skill Assignment. Can anybody give me tip? I got the decoding algorithm and the other users
What question exactly do you need help with? Feel free to dm me
feel free to dm me
posted issues in channel #858470491676737536 hope it's the right one
@zealous fiber You will first need to identify the username for the support user. It is in the format of support.xx (the extension being a possible country code). Once you have identified the correct support account, you will need to filter the rockyou.txt wordlist for passwords matching the requirements for the website
I think i had to change the payload to TCP_Reverse_Shell (by default it is set to Bind shell i believe)
try explaining your logic rather than just paste a screenshot of the questions
you will benefit more
i dont know how to find that
@slender eagle also try to include what module/section you are working on
linux fundamentals
im confused
Try to re read the section carefully. What environmental variable is used to identify the shell? What command can you use to output it to your terminal?
There should be examples provided in the section to help you solve the questions
There isn't anything for what they are looking
Also in this question they were asking for kernel version but correct answer was kernel release
so correct answer was kernel release but they asked which kernel version is installed on system
Hello, I just want to confirm something with the web requests module. On the GET section, it is broken right? No way to get the flag? And if so is there a way I can get it just so I have the module done? Thanks guys
@west canopy
@ornate oxide DM me
how to find a shell for user
Is it normal spending one week trying to find one valid credential in "PASSWORD ATTACKS" - Credential Hunting in Linux? Or am I missing something?
academy isnt worth it. its broken and they put one thing in questions and answer is something different
hello guys, idk what to do,,,im in PROXYING TOOLS and trying to setup /etc/proxychains.conf so i can make any command with proxychains also did the same as HTB steps and tried to test it by cURL http://......, and show error :[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
error: invalid item in proxylist section: https 127.0.0.1 8080
how to fix it
?**
PROXYING TOOLS section in USING WEB PROXIES module ******
@west canopy
Dm if you still need help.
Keep in mind that command you issued is starting a netcat listener on port 9443. Typically the purpose of that is to catch a reverse shell connection that gets initiated from the target system.
@proud sparrow I wasn't able to get it to work either, but you can find the answer to the challenge questions by looking at the options for the exploit in Metasploit
@west canopy im still trying
@west canopy i didnt understand what do you mean "but you can find the answer to the challenge questions by looking at the options for the exploit in Metasploit"
so it asks what the last line of the request is
if you look at the options for the http_put exploit
like this
it's three words
i changed the options but what next, sorry im missing something here?
there should be an option called FILEDATA , so take a look at that
msf test file?
try it
didnt work as answer
Would anyone be able to give a nudge on the "Zap Scanner" section for the "Using Web Proxies" module? I cannot seem to get the high-level vulnerability even though I'm using the active scan
@rotund gust DM me
Hi guys. Somebody can help me with the Skill Assessment - Broken Authentication? I'm really stuck and so frustrated
DM
@west canopy im in ZAP FUZZ section and dk what exactly the question want..this is the question: -----------------The directory we found above sets the cookie to the md5 hash of the username, as we can see the md5 cookie in the request for the (guest) user. Visit '/skills/' to get a request with a cookie, then try to use ZAP Fuzzer to fuzz the cookie for different md5 hashed usernames to get the flag. Use the "top-usernames-shortlist.txt" wordlist from Seclists.----------------- so i did the first step and got the cookie but what to do next like?
@proud sparrow so i used Burp intruder because I'm not a fan of zap
yeah but what the question want?
then try to use ZAP Fuzzer to fuzz the cookie for different md5 hashed usernames to get the flag. Use the "top-usernames-shortlist.txt" wordlist from Seclists.
here i didnt understand
should i use the cookie as what? directory?
then set the Wordlist as the payload and encode with MD5
yo in zap i cant make ATTACK on the request i got thats why im stuck
@west canopy do you use burpsuite for FUZZING?
but its not good for fuzz speed
yea it's hella slow
i can use ffuf for fuzzing or gobuster and continue with burp
but how you do fuzz for cookie as md5hash ?in burp
i figured out
Anyone have a recommendation for what path to take the modules in? So far I have done Linux Fundamentals -> Windows fundamentals and I am thinking of continuing on to do Networking Fundamentals-> Analyzing Network Traffic -> Web Requests -> Web Applications but I do not know where to go from there really
personally i started with intro to networking -> linux fundamentals -> windows fundamentals -> Nmap -> Login Bruteforcing -> Hashcat -> FFuF
hmm. Maybe im overthinking this and should just go with the flow
Yea you can't really go wrong
in
Can someone help with the: INFORMATION GATHERING - WEB EDITION - Active Subdomain enumeration part
None of the commands shown in the module work with the inlanefreight.htb
nslookup -type=NS inlanefreight.htb 10.129.42.195
Server: 10.129.42.195
Address: 10.129.42.195#53
inlanefreight.htb nameserver = ns.inlanefreight.htb.
Got this just like shown in the module
nslookup -type=txt -query=AXFR inlanefreight.htb ns.inlanefreight.htb
nslookup: couldn't get address for 'ns.inlanefreight.htb': not found
but the next part doesn't give me anything
I can't find anything, the only thing that i can see is: http:// w3layouts.com/
Have you been able to solve it?
Can I get some help with buffer overflow linux?
I'm unsure what a question is asking for
Username == htb-student
Password == HTB_@cademy_stdnt! ????
[-] Exploit aborted due to failure: unexpected-reply: Unexpected json response
Nick? i have't pass
There is a menu on the page, right?
Look around the whole website. Maybe you will discover something?
No, there are other credentials.
I am no longer sure where I found them. I didn't write that down at the time.
Hi, anyone can help me with the predictable reset token of the broken authentication module ?
I can sure try
I'll be very stupid but I don't see anything
Can anyone help with this: What is the FQDN of the IP address 10.10.34.136? None of the commands like whois/nslookup/dig find anything about this
You're in the skills assessment in the wordpress module, right?
Take a close look at the target website. Navigate around it. Look at the source code. It doesn't seem to be a Wordpress site. But you are in the Wordpress module and expect a Wordpress page.
Are there links to other pages?
Are there any hints in the source code?
No
I have tried it
Have you ever tried a zone transfer?
I've done-->Ctrl+U then Ctrl+F (http) and then with each of the pages that have come out I have used wpscan
Then you may have attacked pages that you did not want to attack.
Take a look at the website at your leisure.
Surf around on it. Look around in the source code.
There is a menu at the top of the page. Could any item in the menu indicate a Wordpress installation?
Do not attack! Only look
Can you elaborate more on this, I've read about it but don't quite understand it
hi! Could someone kindly assist me on "Attacking Web Applications with Ffuf "
The skills assessment fuzzing extensions? Please and thank you
what part do you need help with?
the second question in the skills assessment, fuzzing extensions
i think my ffuf is misbehaving... but I am not sure what to make of it
did you get question 1?
yes, but its hard, I really think my ffuf is confused, or I dont know how to sort through its results
ok so using the subdomains you found in question 1 do a fuzz for web extensions.
/SecLists/Discovery/Web-Content/web-extensions.txt:FUZZ
it will require 4 fuzz attempts, 1 for each sub
[Status: 200, Size: 985, Words: 423, Lines: 55, Duration: 186ms]
| URL | http://academy.htb:32386/#.js
* FUZZE: .js
* FUZZ: #
[Status: 200, Size: 985, Words: 423, Lines: 55, Duration: 187ms]
| URL | http://academy.htb:32386/#.jhtml
* FUZZ: #
* FUZZE: .jhtml
[Status: 200, Size: 985, Words: 423, Lines: 55, Duration: 186ms]
| URL | http://academy.htb:32386/#.jsp
* FUZZE: .jsp
* FUZZ: #
it seems like everything is a success, but they are not
so I started looking for odd ones out with -ms 0, but thats not very practical
Hi
are there any new news with these modules?
I mean, I ask this because in 9 days my access expires

so knowing that I'll know if I have to pay another month
(sorry, I forgot to send the message)
I wonder where I was supposed to find this data, except in the tooltip?
If this data needed to be taken from other servers, then it was necessary to warn about it.
what are you talking about? they give you that info so you can login to do the module
Anyone complete the intro to assembly language mod?
hey everyone, doing the skill assessment for sqlmap today and im really close to finishing it but i am stuck on fully exploiting the vulnerability on the target. anyone around that has done it before that i can talk details with, specifically what syntax i might be missing?
hit me up bro. I got you
Hey I've been lost for a while with the whole "Active Subdomain Enumeration" section of Information Gathering, I've successfully completed a zone transfer and now I'm looking for the TXT record. Here are some images if it helps, help would be greatly appreciated.
@flint helm try running dig txt against all of the subdomains you discovered, one of them should reveal the answer
ok I'll try it out ty
ayy thanks man
dm me
Can someone help me with the footprinting lab - hard>
hey so i just started and Interactive Section with Terminal instance is not loading, i have the student membership and good internet throught ethernet connection
nvmd lol
loaded after 15 minutes
Hey ! Just for my curiosity : I saw that HTB added time estimates for modules. But, how many hours are there in one day ? 7, maybe 8 ?
(Yeah, very important question)
I'm in serious need of help on getting start > nibbles initial foothold
been trying for two days
nothing happens when I try to start my netcat
i feel a bit cheated on a question in Intro to network traffic analysis
True or False: when utilizing HTTPS, all data sent across the session will appear as TLS Application data?
i feel this question is worded a bit too ambiguously
Nothing...
Did you find the website menu?
No
anyone here able to give me some assistance with nmap?
Whats up?
i am doing this module asked to figure out the dns server version
but i can't understand the commands. if able to help dm me so we don't spoil anything
ya sure
@west canopy @livid pier i have problem in ZAP scanner section in USING WEB PROXIES module , so i can't use burp instead cus scanning with burp needs the pro version of it so i must use ZAP scanner to find the FLAG.TXT and when im trying to use the HUD of ZAP nothing of the buttons works i have tried to make it by the ZAP tool not from the HUD but it didnt shows the critical or high alerts as it says in the questions? any help?
@proud sparrow I had to use ZAP's built in browser in order to get the HUD to show up
thats how i use it either but still i cant use the buttons :/
I forgot that section, what are you scanning?
active scan for ZAP tool they want me to do it by ZAP
scanning for vulnerabilities
this is the question----------Run ZAP Scanner on the target above to identify directories and potential vulnerabilities. Once you find the high-level vulnerability, try to use it to read the flag at '/flag.txt'
I was able to do it without the HUD though
silly question, have you tried refreshing the browser after you fire up zap?
i know its silly question its not letting me do it
im trying without but its there is no high level shows up for me so i can head to
no, my question is silly. But the browser wont let you refresh?
ah sorry , its refreshing normally
like when i press on the Spider Start button its telling me i need to put the site into the scope and by pressing start its automatically moves to the scope and should start but when i press start its nothing happening
anyone please? i cant skip the question otherwise im losing cubes
maybe try restarting your comp, that is a good first step
@livid pier same still not working....
Trying to work through windows fundamentals module, seems totally f'd, can't RDP to any of the machines without it killing itself
@proud sparrow have you tried to enumerate the webpage manually?
yes it works
and you found the flag?
no it should be a high-level alert so the flag.txt inside it
and there is no high level alert
ok what i am saying is get creative and do it manually
@proud sparrow do those screenshots make sense to you?
I had same problem with ZAP HUD not working. I tried from my own kali via VPN and had the same problem until I updated ZAP - you could maybe try from your own machine on VPN or try updating zap in the pwnbox. Also you can do it without HUD in ZAP as the main interface shows high alerts.
yes let me go through it..
hi guys how to change a language?
what do you mean?
Not sure
@stiff tiger how can u make it through VPN?
@proud sparrow I dont think the alert was going to give you the flag, just show you what the vuln was
@proud sparrow GL the answer is there
The mods teach you some other important stuff that isnt always in the mod
for instance, some times things dont work. But there is typically multiple paths to where you need to go
if one path is blocked go another route
I have a .opvn cert from a prior lab - I used that.
i need to hack someone like really badly. They are a terrible person. Because of them i have lost contact with many new friends because i cant dm those new friends because now i dont share a server with them. I now cant find people to play with in a game i love. they are a zoophile piece of trash. please i need anybody who can hack them
WIll this be in exchange for V-Bucks?
And what do you mean when you say hack the person? Like what specifically?
anybody provide a hand on the assembly language module?
Im working on it, where you at?
@livid pier jne . can i dm?
What section is that?
I'm currently stuck on the Host & Port Scanning Module. Does anyone by chance have advice on how to get htb-student@10.129.2.49's password?
I understand you might be upset, but what you are proposing is illegal. What we learn here is to be used only for good, no matter how much someone may deserve it.
Like with an axe?
He is filled with vengeance. I see a post like this once a month, I wonder how they hear about this channel
Hey guys, looking for some help on the module for Web Requests PUT and DELETE.
I'm instructed to input this command:
However, this is the response I get:
jq: command not found
Any idea what's going on here?
bash not able to parse what jq is that you are piping to
im not familiar with jq, is it suppose to be a command you know?
I'm just following the instructions in the HTB module, this is the first I've heard of it
so apparently its a command-line JSON processor
do you have it installed?
see what happens if you type 'which jq'
Ah weird. Do these modules often have you execute programs that aren't already installed?
sometimes yeah, ive had it happen
or something out of date
you should have the credentials for the box you are on
Ok so I'm guessing I'd need to sudo install it, but I don't see my password anywhere in this instance
on your pwnbox it doesnt have a credential file?
There some easy way to find it?
Credential file?
Oh snap, I've been in the command line the whole time didn't realize there was a folder right there
yeah
beautiful
there should be a credential folder in there with sudo pw
can run: sudo apt install jq
so i just checked myself and didnt have it installed in my version of parrot either
^
found where somebody had a similar issue on stack overflow
Looks like a github link there was posted I'll try that
double check the link and make sure it looks correct
should be for a command-line JSON processor from what i read
gotta change my VM credential now lol
at least thats easy
but @idle cliff i will be sleeping so hopefully if you still got problems someone else can help you ❤️
gl
No worries, I appreciate it. Just wanted to make sure it wasn't just me messing something up
am i looking at the wrong thing for service version in the nmap module? i type in the service version for the ssh and it's apparently the wrong solution?
I believe to find the service version for SSH you're working with is:
ssh -v localhost
yeah that just connects me to it. doesn't seem to give the right answer
What section? I don't recall there being a question asking for an SSH version
just me being stupid i figured that i am hitting the firewall so i am reassessing how to get through it
ah gotcha
the --source-port doesn't work and i now see it may be slightly out of date with how nmap works now
--source-port 53 should work for the Hard Lab
my bad, I misunderstood your question
I'm having really hard time with the zone transfer, do I need to copy the steps with the 'nslookup -type=any -query=AXFR zonetransfer.me nsztm1.digi.ninja' OR use my own domain -> inlanefreight.htb? | I'm getting nothing but errors whichever I try
Connection to 81.4.108.41#53(81.4.108.41) for zonetransfer.me failed: timed out.
Hi, Any one can help with osint Module > Section Location > i am having trouble submitting city's coordinates i cant figure out the right answer format i think
need some help on the file uploads module
Hi I need help with the first question of bruteforcing cookies in broken authentication... I tamper the session cookie but I still get no flag...
Any section
nvm solved it! Thx
hello y'all, who can help me with ffuf module?
I'm having an issue with the extensions question..!!!
@tiny ledge Is that for information gathering web edition? Usually for a zone transfer the format would be something like: dig axfr inlanefreight.htb @ipaddress
@tacit topaz You should be able to get the flag once you modify the cookie to be ||"role:super"||
Sqlmap fundamentals case#3. I'm confused what the question is asking and what the hint is referring to. I've tried intercepting with burp and running sqlmap -r req.txt --crawl=2 but the only value given in burp is cookie: ID=1. Am I even close?
@broken warren try setting the injection point to be --cookie='id=*'
OK, thanks I tried multiple role but not this one
Yep I was not a fan of that question . Basically just makes you guess what the super role is.
Module: Footprinting lab#1: I just cannot seem to grok how to enumerate ftp in such a way as to gain access on the ftp server running on an alternative port. Any hints?
Hey, speaking of Sqlmap fundamentals... I'm stuck at the Skills assessment I know where to attack but every time I run sqlmap after a few checks I am "unable to connect to the target URL ('No route to host')" is something wrong with my Internet? Or is this just an obstacle I have to overcome?
@tender dock you can connect to the vsftpd service on port 2121. The command is just: ftp ipaddress 2121 . From there you will find a file that will help you SSH into the target
Much appreciated
@leaden sail Sounds like you might need to respawn the target. I know on my end, docker targets i sometimes have to spawn multiple times before i can connect
hm, ok I'm stuck on this problem for a few hours now and restarted it multiple times...
I'll try it again
@west canopy I'm afraid it's not working. and it's not vsftpd, but proftpd. not the username that is hinted to, and not anonymous
hello guys, I'm stuck with extension question under ffuf module
@tender dock check for hidden files/folders
who can give me a hint, because I could find 3 different .php extension but when I write my answer is not working..!!!
that's already beyond the step I'm at. brute forcing didn't give me a password. Guess I'll continue trying that. Once I am in, I know what to do
Thanks a lot for helping out
Check the hint, you want to connect to ftp as the ceil user
I know, but you appear to have the pwd, which I don't
it's in the hint
@tight mesa the solution is three different variants of the php extension , just need to type them in the right order and it should accept your answer
yep I know that, but I did with no success, let me try again
Restarted it twice again but the problem persists :/
Module: Windows Fundamentals.
Skills Assessment.Can anyone help me with the first question.

@jagged summit Edit: Removing Spoilers. DM me
Hi can I dm someone about the skill assessment of the broken authentication module ? I think I'm doing the "right" thing but I get nothing...
@tacit topaz i got you dawg
Hi, could someone help me with OS Exploitation module. The last flag. I managed to get the OS shell, but all I can find is the flag from the previous question
Hi, I'm on broken authentication / skill assessment too, I got an account, but I've not idea what the next step of the exercise is. May I ask to someone?
@rustic sage you will want to find out the username for the support user and then try to log in as him
@tribal cargo I'm logged as a support already. May I pm you to explain what I did? I'm not sure what I can say here and what is actually spoil.
Yes DM me
I am trying the question (After obtaining a foothold on the target, escalate privileges to root and submit the contents of the root.txt flag.) in GETTING STARTED and i dont know how to get root. After sudo -l and run LinEnum.sh I got this:
www-data@gettingstarted:/var/www/html/plugins$ sudo -l
sudo -l
Matching Defaults entries for www-data on gettingstarted:
env_reset, mail_badpass,
secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
User www-data may run the following commands on gettingstarted:
(ALL : ALL) NOPASSWD: /usr/bin/php
How should I use the path /usr/bin/php to gain root?
@lyric mason so php is actually a "GTFOBin" which means it's a linux binary that can be used to break out of restrictive environments. Try some of the techniques shown here: https://gtfobins.github.io/gtfobins/php/
thx a lot
If you get stuck DM me and I can go into more detail
how do i get nmap to list the filtered ports?
-p- -Pn scans all ports as up
Yea I don't think there's an option to specifically show filtered ports. Typically it's not something you would look for . A port will show up as filtered if nmap isn't exactly sure if it's open or not.
well i am trying to get through the firewall of the filtered ports. but since i got no clue which ports i should target i am a bit stumped
Hey all! I'm wondering if the password attacks module is supposed to be completed only with the resources files or do we need other lists like rockyou or 500worst? It is not possible to complete most of the exercises since it takes ages using the default lists (and I can't seem to find anything...). Any hint (for all exercises in the remote password attacks section!)? Thanks in advance. I must add, I searched this chat history and even with some hints on the usernames/password, I can't connect with evil-winrm (first exercise in network services).
what module are you working on?
Hi
Someone finished Footprinting Medium lab ? I'm stuck
Where you stuck?
nmap enumeration
i got 129 ports that are filtered and i need to figure which one so i can narrow down my attack
yeah, but which exercise?
its the firewall hard one
i know i am looking for a particular port that is among the filtered ones. in order to find it's service version. but first i need to figure out what ports are filtered
no you dont, just need the proper nmap scan
stuck on this question in Intro to Network Traffic Analysis
What are the client and server port numbers used in first full TCP three-way handshake? (low number first then high number)
dm me and I will help you
i think i know how to read it but it is not working
Hey, Is there anyone who can help with the LFI module?
yep, dm me
Nobody for password attacks?
DM if you need, i'm on the last question
I'm scared to try that module brother lol
What's the question? Dm if you need help
some exercises are bs... but they're not giving cubes at least. I was able to complete the ones that give +1 cubes at least.
is that the module for hydra or something else?
@devout cliff It's a new module. The Login Bruteforcing with Hydra is pretty tame but this new one looks rough.
no, it's the new medium one
password attacks be booty
@livid pier how goes the Assembly?
That is a great mod, taking a break and getting beat up on talkative at the moment
I stepped back to do the updated LFI module. Hated that it didnt show complete still lol
I finally got VIP on the main HTB website so the other night I was working through the starting point machines that i couldn't access before
Nice, I havent upgraded there yet
im new
Welcome.
Look into #welcome and verify.
Your role on Discord depends on your level on the HTB site @valid peak
ok
Don't do that here.
ok
@solid lark same
sorry
@valid peak This is your Discord rank, depending how active you are here... nothing to do with "roles"
im aware, im in a few other servers with this ranking system
netcat won't work with the nmap module even my own box won't let it work as the module says it should
@steel flume Which section of the NMAP module?
the hard part at the end. i found the port in question doing a stealth scan. so i now have the port but i can't do the netcat part someone else did.. so i wonder why the pwnbox or my own vm box can't
if it is a tool issue on my end i need to know how to fix and verify
that still didnt work? Did you update your vm?
Yeah I am super confused. I am using Kali, updated at least 3 times a week.
is your 7.92?
ok according to the man page, you should be able to use -p instead of --source-port
nc -nv -p 53
cool website
@steel flume For the hard lab I had to use source port of 53 when connecting with netcat as well
@solid lark I might be able to help. What section/question?
hmm i managed to mess up my nmap tool do i need to do a reinstall or is there a less destructive way to fix it?
How did you mess it up?
Hey I'm stuck on the SQLMAP ESSENTIALS'S Skills Assessment. I've found and attacked a*****.php and I've found out I had to use a certain tamper script but it seems I need more bypasses. I've tried a lot of things and I just can't figure out what I'm missing. I would greatly appreciate a nudge.
@flint helm you will need to do a Timing based attack
I've also tried that with my tamper, you mean --technique=T right?
Yes, feel free to DM me and i can get more specific
Ok I'll reset my machine, try again and if I'm still stuck I will ty
Hello, can i have a nudge on Skills Assessment - File Inclusion ? Thanks
sure
his problem is the netcat command doesnt work for him. I even tested on my machine and the command works perfectly.
i had the same problem just 1-2 days ago. the solution was rather funny
I think we got it resolved
I have a problem in password attacks, network services section. Using hydra to bruteforce smb, it instantly give back ERROR invalid reply from target. My line: hydra -L names.list -P rockyou-30.txt smb://10.129.124.150 -I
I can ping the target just fine. Also can't use xfreerdp, getting some errors. SSH and winrm work just fine
ok I got RDP (used the wrong creds), but still can't use hydra for smb. Any alternative?
Can anyone help with assembly module (proc) section
Patator maybe?
I'm trying ncrack RN. There are medusa and msf smb_login too. I'll try them later... But still, I don't get why it's not working.
have you tried: "hydra -L names.list -P rockyou-30.txt 10.129.124.150 smb"?
yes, same error
module 23 (File inclusion ) have a image error
I'm not 100% anymore but try the msf smb_login. It didn't run because smb accepts any password.
what is this rank about :p
anybody doing the assembly module?
Is this a ranking system just for Academy?
Now I know
Can anyone help me with the Getting Started module. It wont accept the user flag, but the retired machine itself will. IDK how that happens
The Nibbles box?
yes
I help you
anyone a hand on assembly module (procedures)
Hello
Stuck on last question for LDAP skill assessment: "What non-default privilege does the htb-student user have?". Anyone available for a nudge?
whoami /priv ?
Also need to run it from an elevated powershell
Hey, I've been trying to do the SQLMap Essentials skills assessment for about 2 days now and I can't seem to be able to dump the db, i found the table and its contents but i cannot seem to be able to get the flag. i'd love a hint
I am stuck on htb academy web requests put and delete module pls help to solve
Maybe DM me
Someone can help about the exercise in POST requests please?
Help...
What have you tried that far?
Can I DM you?
Yes
Anyone? Plz?
someone else had problems with Login Brute force module where an error in ssh appears? [Error] could not connect to ssh://<ip>:22 - Timeout connection ?. When running hydra
You have to use OpenVPN tunnel
download the academy.ovpn Edit: and run sudo openvpn academy.ovpn on a terminal, in the background.
ok, I'll try that
Did it work? If you do it on Pwnbox, you don't have to download it. I just did it on my machine, because I daily drive my ParrotOS anyways, so... eh.
Looks like the server or something seems down, and so Kvesta and I can't complete the task. RIP.
Hi, Any problem with the academy infrastructure ? I can't access any spawned target...
No problem for me with the vpn
OK, I'm not using the vpn, maybe i should... My pwnbox can't access any target.. pretty weird...
sometimes i need to respawn 3-4x before accessing the machine..
Especially with the container
I respawned like ten times, waiting and testing multiple time between each respawn but nothing...
You'll probably need to wait for them to fix the problem, or upgrade the server :/
Yep... I'll read without doing the practice for the moment...
Still struggling with this, i'd love if someone could give me a nudge on this
DM
Reading over the comments, looks like I'm not the only one have issues spawning machines in the academy.
I try again and I can't access the target of the IDOR section of the Web attacks module...
But I can spawn target of xxe section of the same module... it's weird...
Good morning friends
Good morning
*** Just started working again ***
Snap! I can spawn a server and get an IP\port but I can't connect to it, although the idor section are public IPs but the xxe are internal via the VPN.
DM me
Yep you're right, and yep i have the same problem i can spawn but can't connect
Looks to be working again. Someone must have switched it off and on again! 🤣
Nice ! I will finish the xxe section and I go back to the IDOR after
can you help me to solve one section in file uploads module
can i dm you ?
@torpid ermine I got you dawg!
can i dm you ?
sure
I imagine they would email it to you or something once you complete the exam
how do I start with this. Where do I go to start learning with the academy
@strange arrow https://academy.hackthebox.com/ , sign up , use Cubes to purchase modules
@west canopy thank you for the quick response
NP, you will definitely want to start with the Fundamental modules like Intro to Academy, Learning Process, Linux Fundamentals, Windows Fundamentals
On it.. thnxx
someone that has done Login Brute Forcing module that could help me with why my command does not work? im doing the Service Authentication Brute Forcing lab
@steep sable I can take a look
Was there an update on the Academy interface, or did I become magically smarter overnight? If it's the former, bravo. Something clicked and made it much easier to follow. Also, thanks for the "Operating Fundamentals System" path, never saw it there before but I was somehow automatically enrolled!
The bipolar in me thinks someone heard my ultra-beginner cries
they have updated and added some things but the more you do on here the easier it is to understand.
Anybody online that might be able to help me with a Bash code question. I'm doing the 'Login Brute Forcing' module and ran into a snag.
I'm a noob with Bash but if you're stuck on the module I can probably help
lol, ty bro, so I'm attempting to 'remove no special characters' from the custom wordlist for the SSH hack, and I keep getting 'sed: -e expression #1, char 20: unterminated address regex' error.
wait 1 I think I might have found my problem.
I figured it out. I had a curly brace instead of a bracket. Thanks anyways bud.
Ah nice work. Sed trips me out lol
also my smooth brain ape mind isn't capable of understanding regex
somehow i've made it this far though
lol
Well, let's not go so fast on the nice work, I figured that out and immediately ran into another problem, this time with cloning username-anarchy.
It won't let me follow the example in the module.
Any ideas.....anyone?
need to go into the username-anarchy directory
when you git clone it , it makes a directory
inside is the actual script
lol, so who has the ape brain here? bcuz I think I win that.
i am a fellow chimpanzee eating the bugs off your back
hey, What is the root password for virtual computers in academy ?
@mystic perch do you mean for the Pwnbox? Check the desktop for a my_credentials.txt file
My hydra attack on SSH keeps timing out, any suggestions?
If you have the right command and wordlist, it should crack the password pretty fast
Any help on assembly module binary exploitation
Hey i'm having some trouble with the Getting Started skill assessment, i got access to the target website's admin panel and found a way to upload files, the problem is that if i try clicking the "upload a file or image" button, nothing happens
am i supposed to do something else or is htb acting up
@dapper flare This is the Knowledge Test correct? You should be able to find an exploit in Metasploit to get the initial foothold
Do some of you have issues for connecting to the targets machines in htb academy modules. I successfully connect to the vpn and launch the target machine but im unable to ping the target machine even if I try to ping from the pwnbox instance
@rustic sage For docker targets it usually takes me a few respawns before they actually fire up. Also, docker targets typically are not pingable.
Can anyone point me in the right direction for "Active Subdomain Enumeration" on Information Gathering - Web Edition? I have the same exact issue as this: #modules message I have spent a total of about 12 hours trying to figure out how to get past this. I cannot seem to figure out what it is I need from dig/nslookup to get the answer I need. Any clue would be appreciated.
@warm lava DM me
having an issue in the Intro to Network Traffic Analysis module. im at the part where you use nomachine to set up the target to sniff on and have that up and sitting on a login page. module says i should be able to see an interface on my VM in wireshark that is listed as ENS224 that i will be using. that interface is not listed. do i need to login to the machine after i connect via nomachine to this weird login page?
@devout cliff I'm not sure if the NoMachine environment even works anymore. I was able to complete the module just by using the provided pcap files in the Resources Section.
which resource, the RDP-Analysis or guided analysis?
actually both of those resources dont look like they are for this part of the module. they look like they will be for the last 2 parts, guided lab: traffic analysis workflow and Decrypting RDP connections
the resource for wireshark i don't think is correct either because i used it for the previous section
unless they are using that resource for both sections? ill double check
actually it might be
yup it is
thats weird that this module is not updated with that information
considering how well used wireshark is
Yea there's another question where it's like "which employee is suspected of performing malicious actions in the live environment" and I solved it by just SSHing into the target and looking for which users existed in /home/
yeah thats the next question lol
I'm like 95% sure you can't solve it with the pcaps
hint says you can by looking at all protocols?
I mean I'm decently wireshark-savvy but I couldn't find the solution in the pcaps.
In the File inclusion module, File inclusion prevention, the question: "Edit the php.ini file to block system(), then try to execute PHP Code that uses system. Read the /var/log/apache2/error.log file and fill in the blank: system() has been disabled for ________ reasons."
Is blocking system() the same as disabling it?
@severe birch I believe so, i think it's basically stopping the server from running system commands via PHP.
Hmm ok, I'd imagine my problem is elsewhere then.
apparently in the pcap they login somewhere, im going packet by packet now and checking
like i have the desktop host, still looking for that username lol
Hey, I'm currently working on Firewall & IDS invasion, hard. Does anyone by chance have any pointers?
@dusk sandal try using the source port for a common service to evade the IDS, and be sure to scan for ALL ports
whoami /priv doesn't work in this case. Tried both privs listed by this command but both are the wrong answer
ok this is ridiculously hard, i still can't find it. been through every packet it feels like, no username anywhere from what i can see
I came to the same conclusion
like i get that the user had to log in at some point but i dont see that request anywhere
Unfortunately creds only provide standard domain-joined user, unless I privesc there's no way to get admin powershell but I don't think that's what's being asked
Right-clicked run as admin > entered creds
Gimme a minute I'll try it on my end
there is no way you find that answer normally
thats ridiculous
i ssh'd like you did
@devout cliff yea that's the conclusion i came to
@crystal isle Just tried it on my end and it works fine for me
Yes please, I must be missing something obvious
Any hint for password attacks module, password reuse/default password section? (mysql creds)?
Could anyone give me a nudge on the File inclusion skills assessment? There was a lot of information and I think I am a little lost.
Hey, still having issues with The Traffic Analysis module?
I'm having difficulty with this question of the Traffic Analysis module: "If i wished to filter out ICMP traffic from out capture, what filter could we use? ( word only, not symbol please.)"
shoot me a message
Dm if you still need help
Awesome, I'll give that a try. Thank you for the advice!!
What is the registrar IANA ID number for the githubapp.com domain? | Am I supposed to do something else than whois to get this, because I cannot get that to work, pinging the target works though
whois should work, if not you should may try another vm
Im struggling with "What's the contents of table flag5? (Case #5)" from SQLMAP Essentials
I have the flag from table flag5 but it says "incorrect Answer"
any hints?
Yeah, whois not working on any VM, but managed to dig out the answer from virustotal
ooh alright thanks
Thank you so much
use auxiliary/scanner/smb/smb_ms17_010
@urban flume thanks,
I was exhausted the night. Posted that question and had mistyped an item in Metasploit which is why it wasn't cracking. Got it the next morning.
Hi ! Can I DM someone about the skill assessment of Web attacks module ?
Sure
could someone help me with Broken Authentication Weak Bruteforce Protections question two
Hey how do you read .txt files from an ftp again? I'm logged in as user and need to read this flag.txt file.
Get the file and read it locally
Has anyone finished the Using web proxies module?
If I remember correctly you have to be careful about the header of your request
Yes I have, what's the problem ?
Anyone able to get me pointed in the right direction?
What module is most relevant in the academy for CTF's ?
Any, depend of the ctf.
Can anyone explain what I'm supposed to comment out in the /etc/nginx/conf/nginx.conf/ the section says to comment out the entire server block. But I see multiple parts that say server. So I'm not sure which one to comment out. The error msg I get is nginx: [emerg] getpwnam ("www") failed in /etc/nginx/conf/nginx.conf:1
You can comment all of them in the http section, be careful of the opening and the closing of the server section
If you can, send me the file (or a screenshot) in DM to see what the file looks like (with the line numbers)
Hello all, I saw that the lfi module was updated and I would like to add 1 more tool for auto-exploitation of lfi vulns which tries all the things in the module and with the capability to gain rce and return a reverse shell directly. Also it is tested on the lfi module. The tool is https://github.com/kostas-pa/LFITester
What does exploit -k -z in msf do ?
@maiden slate you can use the "get flag.txt" command to move the file to your machine, from there you can read it
TY
hi
Hello!
what up
sure
@blissful verge @unique valve What you guys think about a pwntools mod?
hello everyone, I'm stuck with 2nd exercise in LFI path traversal module
I tried already the commands described in the cheat sheet with no success, any hint?
that would be interesting. or maybe part of another module
I'm not sure if I'm allowed to disclose the commands I tried
dm me and we can work thru it
Can anyone help on the decoding question for using proxies? Like do I need to decode like 100 times or closer to 10?
@vital bough I think you need to base64 decode a few times. Each time you decode you should see the string getting smaller
so decoding with 'octal' 5 times in a row is not the right path?
nope
oh man I feel dumb I had it but my notepad was counting 32 characters...i just submitted it again and got it
🤦‍♂️
Is it possible to reset your progress on a module or overall in the academy?
so im working on the HTB academy 'Getting started' part 9 'Public exploits'. i cant ping the target ip in or outside of the pwnbox which means i can not get vulnerabilities, go to the port number or set up MSF
any reason why?
@heavy edge navigate to the target with your browser, you should see a wordpress plugin being used. Try attacking that
inside pwnbox or outside?
with pwnbox
I am trying to do Windows Priv Esc: Server Operators, am I supposed to be able to view the flag once my user's role appears under 'net localgroup Administrators' or am I supposed to do another step after this? I am having troubles getting the flag.
@severe birch I believe so , I think I had to disconnect and then RDP back into the machine once I was added to Administrator group. Unfortunately my notes on that section aren't very good
@tight mesa make sure you are using the path /index.php?language=languages/
Hi everyone. I could really use some help on the File Inclusion Skills Assessment. I've reached the|| admin panel ||and found the LFI vulnerability that allows me to ||view access.log and error.log|| so I assumed I have to try|| a log poisoning attack to gain command execution.|| However, when I try ||inserting a php command shell in the User Agent Header|| as the instructions show, nothing happens. UPDATE: Got the flag. ||I think using double quotes in the php payload was the problem.||
I am
@tight mesa using four dots and two slashes should do the trick
Feel free to DM me !
help please, im facing problem with the INFORMATION GATHERING module ACTIVE SUBDOMAINS ENUMERATION section , every question has its problem, i managed to answer the two questions but the third question i tried a lot of ways to solve it with no results back.
any help available for password attacks module?
help please, im facing problem with the INFORMATION GATHERING module ACTIVE SUBDOMAINS ENUMERATION section ,anyone??
@proud sparrow which question?
Anybody online that has gone through the file upload attacks module? Having issues and could use a little assistance
Ya no luck for me, I know I can get hashes with secretsdump.py but I figured that being in the Administrators group according to 'net localgroup' would give me permissions to view the Administrators folder on its own
@final salmon Which section ?
@west canopy The final skills assessment.
@final salmon DM me
I am able to run "klist -li 0:0x3e7 purge" which would require elevation, but still cannot access the Administrator user directory at all
Hey guys I'm sort of stuck on the "Using Web Proxies" section where I'm tasked with retrieving the flag using Burp Suite. I can't seem to snag a 200 Ok for the flag in the admin section. Wondering if maybe I've got my burp pointer improperly configured?
Here's what I've got set up so far:
All other settings are as directed in the module with Payload Processing etc
I'm thinking there is something I don't quite understand with the pointer, any help would be appreciated
@severe birch I was able to get the flag by using wmiexec.py and passing the hash for the Administrator user
@severe birch feel free to DM and i can go into more detail
Getting a syntax error. What am I doing wrong (same command they show in intro to network traffic): sudo tcpdump -r TCPDump-lab-2.pcap proto udp and port 53
@sweet heron try removing "proto"
the proto option wants an actual protocol number, rather than just a name. So doing "proto udp" makes it error out.
right right! So there is an error in the module then.
well looking at these two examples, in the bottom one they show "proto 17" and mention that the syntax requires proto [protocol number]
ahh nice catch
and no sudo too
yes that is incorrect
And for some reason, the first answer won't work. I write XX XXXXX (they even tell you the answer in the file)
Hi, I hope I have come to the right place to ask this question, I am really stuck on the Web Requests Module - specifically GET Parameters. The page seems to be broken and I cannot view any of the attached images. I have tried to continue on without it but I think the images are required in order to understand the explanation. I am completely stuck, is there an issue with the course content? or is it most likely my browser.
@tired cliff I have heard other people report this as well but personally they load fine on my end. Do the images load on any other section?
The images with BASH are fine, but images that show web content are not loading
this happens because when you're connected to the VPN, it creates a default route which doesn't allow internet access to your machine, and some of the code in some of the sites that you connect to load external stuff like googleapi's which you can't reach from the internet
you need to remove the default route that breaks your internet access
Are there any sales sometimes for cubes?
Not that I have seen
Also, I found that this may only be the case when you're using the VPN config through your network manager, rather than via using the config file and openvpn from the terminal
I have tried logging into HTB Academy from Edge, Chrome and Firefox, i have stopped all extensions and have cleared cache and cookies... and all of them display the same broken images. I have had a bit of a look using Dev tools and when I try to open the images independently i get a 404 error message. I am very new to the whole thing and am very... very limited to what i can do and my troubleshooting knowledge. I have not had any issues with other modules.. just this one. I would really like to finish this module.. im dying inside hah hah hah.
@tired cliff DM me and i can send you the pics from the sections
hey anyone give me a nudge in Intro to Network Traffic Analysis :Tcpdump Packet Filtering
im assuming i have the right filter i just cant figure out how it wants it.... if that makes sense?
@rustic sage try doing: host 10.10.20.1
aahhhh too many zeros.... thanks man!!!
The module "BUG BOUNTY HUNTING PROCESS" should be a free module, it's really a copy paste from the hackerone website. I feel scammed to spend 50 cubes for it!
Hey i'm new on HTB academy I have a question about
Stack-Based Buffer Overflows on Linux x86
Because i'm stuck on a question
is that where I need to ask?
@deep spruce It is. Just wait for someone that has done the module to come and help you with it.
@deep spruce I have personally finished the "Stack-Based Buffer Overflows on Windows" module not the Linux one.
Uh that's not a hard question, that's about bytes format x)
And i'm a bit lost about this
Maybe can i pm you if you have some time
Sure sure
Good catch you two! Fixed the error in the text.
Good morning everyone. (At least here)
Good morning
How is your day?
Sorry to hear that you are not satisfied with this module. It is important to understand that this module served as the guidance point in collaboration and arrangement with HackerOne for the Bug Bounty Hunter Path. It is meant as a pathway for students to understand all modules of that path to real-world bug bounty hunting processes and procedures, which is essential for everyone participating in this path and certification.
Hi all ! I'm currently stuck on the session security skills assessment, anyone can dm me to help a little ?
Its going good so far. Hows yours?
I feel this will be a good day. I should finish the Bug Bounty Path today.
Hello, can someone help me with Web Service & API Attacks - Skills Assessment ? Kinda stuck here. I think the Attack Vector is the Login operation, a little hint would be nice
hello everyone, who can give a hand with this terminal behavior
I am working that module now as well. DM me and maybe we can work thru it together
whats the issue?
when I'm trying to copy the base64 portion encoded php.ini file to grep allowed_url_encoded my terminal is dead
currently I'm working with PHP wrappers under LFI module
and you used this example?
I understand you're trying the portion above but in this case you don't need to check if its on.
ok, maybe for this exercise it isn't necessary but, what happens in a real assessment?, how can I handle it?
Are you using your own vm?
yes
what is the target IP and port and I will run the command
i get connection refused
I spawned it myself and it only took a couple of seconds to get the code
what do you mean by "it"?
"it" the target
ok.
I used the same command you used so it is definitely something with your term
ok, are you using the spawned machine or your own VM?
in case you're using your own VM, your term is Terminator?
well I tried with the terminal emulator not terminator and I had the same behavior
I use a Kali Vm with terminal emulator
yeah I am not sure. Are you fully updated?
I use this command almost daily... sudo apt update && sudo apt upgrade -y && sudo apt autoclean && sudo apt autoremove -y && sudo updatedb
you could always try qterminal, mate terminal or lxterminal
lol
if I made any misspelling or grammar mistake, my apologies cause English is not my first language..!!!
I don't worry about anyone's English. I understand that people come here from all over the world which is what makes this great. We can always work around language.
sweet
Dm if you still need help

hello, under webrequests module i am having trouble knowing what i need to do.
the question:
Send a GET request to the above server, and read the response headers to find the version of Apache running on the server? (answer format: X.Y.ZZ)
i have spawned the target 68.183.45.211:30832
but when i try to write curl 68.183.45.211:30832 -v
the connection timed out
i dont get anything, what should i be doing?
use burp
don't forget the verb that needs to be sent as
i reset the target and it worked now. but thanks for the response
what is burp?
BurpSuite. It's talked about all thru the module
then again in the updated module maybe it isnt mentioned but it is used in most modules
hmm, i dont think i have seen it. is it in the terminal i have?
virtual machine*
its on pwnbox and kali vms by default
okay, all i have seen is the curl thing. it is the first time i am ever doing something like this so, i might not have seen it
Yeah, the new updated module is completely different from the one I completed.
Hi guys, somebody did the bug bounty hunter exam?
yes
How was it? Is it easy just following the modules' materials?
oh lol I didnt take it yet but @low dirge did and passed.