#modules
Have you tried curl?
@normal marsh I will give it a shot lol thanks
If it's Windows, there are other ways.
Anybody help me with getting started module 😦 just apparently my Linux privilege escalation game is awful
Hey I could use a nudge on the skills assessment of the web attacks module. 🙂
I finished this one a few weeks ago, so might be able to help - where are you up to?
Mostly at the beginning. I've found an Idor, fuzzed pages (two access denied), enumerated users, but find no admin stuff. I see nothing except two scripts in sources. Might be able to manipulate them to read a file? But how? I feel like I'm missing something.
Could I please get some help with Bruteforcing Passwords part from Broken authentication module?
Did you find the admin username from your list of enumerated users?
There is an administrative user in there. You can then use a vulnerability to priv esc to this user
no. Must've missed it. went from 1 to 100 (nothing at 0 nor >101)
feel free to dm!
Yep, I did 0 to 200 but only got UIDs 1-100...Look through them and you will find an interesting user that you will want to escalate to. Feel free to DM if you'd prefer
Ok thank you very much! I'll get back to it then!
Hi, does anyone have advice on how to complete the Hacking WordPress Directory Indexing
I would really appreciate advice on how to complete this, thank you!! 😊
@dusk sandal DM me 🙂
Could someone please help me with the RCE via the Theme Editor section for the Hacking Wordpress module? I'm able to upload a webshell to my target but I don't know what to do next
@rain spindle should be able to run system commands by curling the URL i.e. curl -X GET http://ip:port/wp-content/themes/twentyseventeen/404.php?cmd=ls
help i don't know how to get the flag
by using the techniques/methods explained in the section
anyone with the vulnerability assessment module nessus scan answers? The machine expired before scan complete 
I don't know
I can't play hack the box
To play hack the box you have to use parrotOS?
What type of parrot?
anyone done the xxe from web_attacks?
like HOW TF is nothing showing on my burp
Tried like so many times, even the example isn't showing anything
solved Thanks @marble flume
Hi, I am getting this "Permission denied (publickey,password)" with ssh connection can someone help i tried the solution of modifying the file "sshd_config" but no permission to do so; Thanks in advance for your time.
did you chmod it
Hello guy
I need some help
Skills Assessment - File Upload Attacks
I think i find the directory but can find how to upload the shell
some hint???
thanks
The scan has run before, so you can see the Reports/Results. You don't need to run the scan, but you can 😉
I am gonna try it i was afraid of doing so since it's the labs provided by htb.
Stuck in the Hacking WordPress module... I found the vulnerability to Download file from the system, but I don't know where to find the file "containing a flag value"
what's the hint
The hint is: "Review the WPScan output" and useless
oh😳
hey guys, anyone done the web attacks skills assessment?
I've finished it but have some questions. Or if any mods are seeing please, please do dm me.
I've found the administrator, but I'm currently stuck on what to do next. I tried resetting password, changing http method, but in vain.
changing. the password is correct
dm me
it is quite tricky
you finished it ?
i told u already
For everyone who needs help with this too: run the wp-scan with a token and look through found vulnerabilities. then google the CVE and copy-paste the exploit... this is how you will find the flag
Can anyone give me some guidance on the SQLMap section that asks you to count the columns and specify them for SQLMap?
what section exactly?
Building attacks--->Attack Tuning---->flag7 (dealing with specifying columns for SQLMap)
Does the last paragraph UNION SQLi Tuning help? Where are you stuck? You can DM me.
Sorry guys, major brain fart, DID NOT see something in a paragraph
the HTB parrot boxes are garbage
A Code Review module would be great
hi is anyone able to assist with the information gathering?
dm me 🙂
Anyone available to assist me in the file upload attacks module? on the type-filter section and getting a weird error that doesn't make sense. 'The image "INSERT-URL-HERE" cannot be displayed because it contains errors.'
feel free to dm if u haven't gotten it already!
Hey there! Can someone give me a hint with the Hacking Wordpress module? I just feel like I’m in a rabbit hole in the directory indexing section. I haven’t been able to find the flag.txt. I’ve tried to use ffuf to enumerate, as well as enumerating manually little by little but no luck yet
@carmine hill DM me 🙂
Hello, I am working through the using web proxies module and I am stuck on the Zap Fuzzer; fuzzing a cookie. I have tried wfuzz with no luck. I didn't want to use Burp yet, because I feel defeated. lol. Anyone have any suggestions? When I run the fuzzers, all I get back is stats 200s. I am following instructions; using right word list, converting the payload, etc. Any help would be greatly appreciated.
you need to filter for the response size. The response size of the working cookie should be larger than the others.
guys if i finish bug bounty will i get a cert?
need to do the path and also pass the exam
yes
JavaScript Deobfuscation
the first module's flag i get however it's not valid.
after completing this awesome module I've gone back to question 1 just to get that 100% finish however still can't seem to get the flag working.
I can't help but notice that this flag was used in a later question that made me believe that the first module's flag might be incorrect at the code.
can someone please just double check this for me so I know i'm not an idiot.
ps. sorry for edit> discord Shift+enter is the worst
Resolved: Was looking at the wrong flag
remove the flag please
Hi fellas, what exploit are you using in the public exploits section, in getting started module???
on what question?
In public exploits, at the end of the page, to access a vulnerable webpage
@drowsy hare have you identified any services running? if so, search for exploits of those services and you should come up with 1 that will stand out.
.
@rough pelican I can try, which section?
I'm currently doing the new AD module. In it, it says that NT Authority\System is the highest privileged account. I always thought that TrustedInstaller was. I tried double checking, but can't find mention of it in too many articles. Am I wrong on that?
@raven echo I believe files owned by TrustedInstaller just means they are protected by Windows , so it won't let you delete or change them and accidentally break your computer. But yes NT Authority\SYSTEM is the highest privilege of a local windows account.
One more question - I've never done a HTB academy module before. I'm at the first section of questions. I spun up the VM that's embedded in the browser. But then I saw the part that said I can SSH into it (or another VM?) as htb-student, which would be vastly preferred over the embedded GUI. However, it doesn't say an IP or hostname to SSH into.
I downloaded the VPN from the button in that screenshot and connected. I did an ifconfig of that embedded OS and tried to SSH into that using the creds, but they don't work. Is the IP that I'm supposed to SSH into listed somewhere?
can someone help me with this?
module getting started, privilege escalation section
I think I can get my way if I get access to user2
I connected to the machine with ssh as user1
but am unable to switch to user2
@raven echo click on Spawn the Target
Yes I have no problems connecting
thing is user1 has no permissions at all
unable to escalate my permissions
lemme grab a screenshot
Ahhh... So I can either spawn VM to SSH into or spawn the GUI one?
@astral perch try doing: sudo -u user2 /bin/bash
It wasn't there until I killed the embedded VM
You will always spawn a target to interact with, then you can either SSH into it from the browser based pwnbox or from a VM
that worked! ❤️
may you explain to me the science behind it?
I tried this command but it didn't work
what makes /bin/bash work?
so if we type: sudo -l
we can see the sudo permissions for our current user
and you'll notice it says user2 NOPASSWD /bin/bash
basically we can use sudo to run a command as another user without requiring that user's password
Where can I find the vpn file to access the pwnbox?
well the pwnbox doesn't require a VPN. If we use the pwnbox we should be able to interact with any target we spawn. The VPN would be if we want to use our own VM instead of the pwnbox
I have no spawns left, that's why I am asking
I can't find the section where I can download the ovpn file
Some modules/sections do not have the link for the VPN key
so you might need to dig around a bit
I don't have that :c
It's an optional exercise
Getting started module
try jumping to the Knowledge Check Section at the end
they have a link to the VPN there
Oh, I see it, thank you very much!
Is the new Active Directory Enumeration & Attacks enough to prepare someone for Dante?
Like, if I purchase Dante access after completing the module, am I going to be able to move through mostly using the concepts from the academy module, or is Dante fairly more complex/advanced than what the academy module alone covers? In terms of AD knowledge, specifically.
Dante only has a small AD component. AD EA would prepare you for Offshore in terms of AD. for Dante I'd focus on other modules in the junior penetration tester path, but it wouldn't hurt you to do the AD EA one
a weekend gift from @drifting knoll and @mild mango . a fun one, enjoy!
Ty for the answer. What other modules would you recommend?
Attacking Common Services, Hacking WordPress, Attacking Common Applications, Attacking Web Applications with Ffuf, Getting Started, Stack-Based Buffer Overflows on Windows x86, Password Attacks, Login Brute Forcing, Footprinting should be plenty provided you are already familiar with Nmap and "basic" techniques
Ahhh... Sorry, lemme rephrase: General concepts aside (enumeration, privesc, etc), is the Active Directory Enumeration & Attacks good enough to cover specifically the AD knowledge to tackle Dante? I'm finishing up OSCP course and just here to supplement my AD knowledge before the exam. I think I have a fair grasp on the rest of that stuff
oh ok. yes its far far beyond the amount of AD that is in Dante. that lab is mostly non-AD boxes with a small component. you'd probably be fine as is with just what you know so far. i'd just do Dante after OSCP, then do the AD Enumeration & Attacks module and then tackle Offshore (but maybe tackle the Attacking Common Applications module before Offshore too 😉 )
Oooh, I was thinking Dante was AD heavy. Well thanks for the advice. I'll take a look at Attacking Common Applications and Offshore 🙂
Ah yeah it’s not. If you want AD definitely start with Offshore and then Rastalabs and so on. I heard the creator of Offshore is in this Discord too
...is that you? lol. I recognize your name. Maybe from the AD Enum & attacks that I'm doing?
Regardless, thanks for the content 🙂
yep, anytime. Enjoy it!
Anybody online that can help with Linux privilege escalation?
@final salmon sure, what section?

Try pico ctf and YouTube, John Hammond is a good resource for pico ctf. Ippsec is a good resource for HTB. David bombal is good for wire shark and network. Message me if you want I had no background in IT when I started last year and I still don't even work IT I'm a waste water plant operator, but I can definitely tell you what was easiest for me
There is definitely a large learning curve. I suggest being familiar with a lot of IT concepts.
The journey starts out very difficult but if you are patient you will make a lot of progress. If you don’t know a concept, researching is your best friend.
Random question but does anybody know the markdown they use on their modules?
Can I message someone concerning the SQLi of the Web Service & API Attacks - Skills Assessment?
@hallow remnant what’s up?
DMing you, one sec
if anyone has finished the file upload attacks skill assessment i need some assistance in reading the .js file, i dont understand what im looking at
Can I have help with the SQL injection fundamentals skill assessment?
hi, why is the module Attacking Common Services only reward 18 Cubes, and how can I buy 2 Cubes
@vital adder You cannot buy only two cubes.
Could I please get a hint for the password attacks medium lab? I am on the box as the j.... user but can't find a way to privesc and find the flag...
Could I please get some help with broken authentication module?
the privesc to root part is going to be harder but ||did you check what is running on the server||
hi everyone! I was wondering why my powerview query wasn't working. If anyone can help me out i'd be forever in your debt 😄
i've waited about 10mins and it just hangs
I think so, but I'll have a closer look. Is it a DB?
||y||
@solar zodiac The same thing happened to me, the query just hangs
i pressed cntrl+c to cancel and it gave me some output
Could someone please help me with the second question (Remember me token) for Bruteforcing Cookies module?
I did intercept the response and managed to modify the response with token role:super... but doesn't let me be the super user
@rare jackal hmm... that should work
do you mind if I pm you?
ok
Ok almost there.. i'm on the Predictable reset token part, where I managed to get the epoch for the htbuser user token time
Still couldn't get the nudge how this can be used for htbadmin user
Could I still have a nudge on the SQL injection fundamentals skill assessment? I am still stuck
@raven cairn dm me
hi can anyone assist me with sql map essentials case 5?
I got the flag but not sure why the flag is incorrect.
encoding issues i think so
s
@summer lake Did you solve the issue?
@summer lake Good to hear.
🙂
hey guys
can some one help me plz?
With?
LOL, srry buddy I'm not good with XSS yet, wish I could help, I probably wouldn't be able to shed light on it.
ok bro np
Best of luck brother.
Also, try the community help channel, and the challenges channel, they might be able to help you more.
hope some one help me
thanks
No worries.
if anyone is available to assist with the skills assessment portion of file upload attacks it would be appreciated
if you still need help, dm me
@rough pelican DM me 🙂
Anyone know how to enumerate hostnames with nmap?
Hello,
I bought a month of cubes for 69€ but i wont spend them in a month so i canceled my subscription and i will buy again when i need more cubes
Will the cubes remain on my account if i canceled ?
@drowsy hare try using nmap -A
yes
Thanks man!!
np!
This new AD module is information overload!
🦾
Glad you are enjoying it. Yeah, it's a BEAST!
- rep too i am doing it
hey
hey
Can someone explain me this?
add those vhosts to /etc/hosts with the IP address of the instance you spawned
Need help with this question
I ran the right command but it only provides info for the dpayne user
@late beacon DM me 🙂
On the Windows Fundamentals Module, whenever I connect with RDP to the target machine, it will usually only stay connected for a few seconds then suddenly disconnect. Has anyone else had this issue? I have tried using Remmina on my debian machine as well as xfreerdp on the HTB web machines and both render the same result.
@late beacon Thanks
I’m also stuck on one of the questions under this section. I don’t know how I can get the CMS the website is using. Are you able to get through now? And please how did you post a picture on this platform? I have been looking for a way to post one but I could not find how to post one
hi Guys, I am doing the ffuf module and I cannot seem to execute the subdomain scan without a ton of errors after ~40 words, once past that, everything words errors. when I do any other scans with ffuf all is well.
This is the syntax I am using for subdomain. (I have added the IP/name in most hosts file)
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://FUZZ.academy.htb:32587 -v -c -sa
Thanks. That did the trick.
Heyo, I'm currently working on the WordPress module for HTB and am on the last one where it says to get a shell into the system. Do you guys have any advice on how I may be able to do this?
@dusk sandal try replacing the Twenty Seventeen 404 Template with a php shell , and then use curl to run system commands
Sorry I should have been more clear. I'm currently working on the Skills Assessment. I remember doing that one for the RCE Theme Editor. Do I do that again in the skills assessment? Thank you!
Yep 🙂 Same technique. Might need to bruteforce some credentials first in order to get logged in
Awesome, that's what I'll try. Thank you!
I'm currently looking for rockyou.txt, do you by chance know where that is?
Awesome!! Thank you!!
Hi everyone someone is having issues to find the password for jason user in the new module attacking Common services? This question is into SMB section
I'm using medusa, hydra and other tools but without luck 😅
Also i'm not sure why says the share has read & write permissions because I only see read permissions 🤔
So to get the password I tried bruteforcing using the rockyou.txt but it ended up taking 25 minutes and timed out my system. Do you have any advice on how I might get the password of either erika, admin, or frank.mclane?
I think rockyou should work for erika
no it shouldn't take that long
only a few minutes
Can anyone give me a hint for how to exfil a document from windows via rdp?? I am on the password attacks hard lab
Got the flag, thank you for all your help!!
nice! You're welcome 🙂
Can Burp or Zap perform double encoding during fuzzing, e.g. double b64 encoding a cookie?
I’m having a hard time with module 77 if anyone could lend a hand
@west canopy if you’re available I’d like to pick your brain
sure
@small panther burp should be able to do it , in the "Payload Processing" section of Burp Intruder
Windows Privilege Escalation Skills Assessment - Part II last question.
There is only 1 local admin that is disabled, pulled the hash, went to crackstation and HTB says it is the wrong password.
Anyone want to point me in the correct direction?
crashing for the night, so I check in the morning.
I’ve been having problems connecting to the sql server in the “Using Comments” section of SQL Injection fundamentals. I left it alone months ago but now that I started the bounty track I’m having the same issue.Did anyone else have the same issue?
@fickle spruce are you cracking the hash for the wksadmin user?
DM me 🙂
@twin wigeon well on the "Using Comments" section we don't need to connect with the mysql command, instead we can just navigate to the target in our browser
Perfect. Thanks
@loud thorn I can try, what's up?
Anyone available to help with the password attacks hard lab?
can anyone help me figure out why I can enumerate winrm with cme?
I always have a problem with winrm... is it not a reliable service?
it seems to work when I connect to it from the windows host, but CME never says the credentials are valid
if anyone can help me understand this i'd be forever in your debt
🙂
it's bizarre because the smb module of CME seems to work great with the metasploit proxy.. but winrm not so much
update: it seems CME's WINRM doesn't work with a metasploit socks proxy, and actually breaks the proxy every time
Anyone online able to help with password attacks hard lab?
I am stuck on the vhd / img...don't know how to mount it
Please I’m stuck here. I don’t know how to identify the CMS the website is using. Anybody can help me with this? 🥺
try the wappalyzer Browser extension... It should tell you what cms is running on the specified vhost
Hi, a question regarding "Initial Enumeration of the Domain" from the AD Enumeration and Attacks module. The section text tells me to RDP into the Parrot Linux machine and fire up wireshark. But when I run "sudo wireshark" from the command line, I get an error:
No protocol specified
04:12:52.858 Main Warn could not connect to display :10.0
04:12:52.858 Main Info Could not load the Qt platform plugin "xcb" in "" even though it was found.
Aborted
And when I try it via the "Application" menu, it prompts me for the sudo password but nothing happens afterwards. Where is my mistake?
nvm, I realized it's not needed to open the questions. But still, why didn't it work though..
@manic ermine sure if still need help
"Next, add a DNS Server such as 1.1.1.1 to the /etc/resolv.conf file." Anyone know what that means? (In Cracking into Hack the Box Path/Getting Started Module/Web enumeration section)
hey, I have some questions for Footprinting Lab - Medium if i can DM someone?
You can DM me and I can try to help.
Anyone done the Skill Assessment of Cross-Site Scripting (XSS). Am I supposed to see some injectable fields when I load the website?
Hello
Any hint for the method here? I tried Snaffler and kerberoasting to no avail. 2nd assessment of AD enums
dm if you still need help
check the security blog
Got it thanks, had to add /assessment to the url
ahh ok nicee
@late beacon try revisiting the "Password spraying from Windows" section 🙂
Hi there,
I have a bit of trouble with 'Using Web Proxies'. I've reached the 'ZAP Fuzzer' section.
Problem is that I can't figure out how to import Seclists into ZAP. There doesn't seem to be an option to browse the directory for a custom list in the GUI. By default gobuster and jbrofuzz lists are showing up.
I tried copying Seclists from its default directory at usr/share/ to usr/share/wordlists/ without any luck.
So, does anyone know how to add Seclists to ZAP?
if you're using the pwnbox then SecLists is located in /opt/useful/
I'm using Kali in a VM. The problem is not locating Seclists, it's importing it into ZAP so I can use it to fuzz.
┌──(kali㉿kali)-[~]
└─$ ls -lah /usr/share/seclists
total 56K
drwxr-xr-x 11 root root 4.0K Apr 13 08:33 .
drwxr-xr-x 336 root root 12K Apr 25 09:35 ..
drwxr-xr-x 9 root root 4.0K Apr 13 08:32 Discovery
drwxr-xr-x 8 root root 4.0K Apr 13 08:33 Fuzzing
drwxr-xr-x 2 root root 4.0K Apr 13 08:33 IOCs
drwxr-xr-x 6 root root 4.0K Apr 13 08:33 Miscellaneous
drwxr-xr-x 12 root root 4.0K Apr 13 08:33 Passwords
drwxr-xr-x 3 root root 4.0K Apr 13 08:33 Pattern-Matching
drwxr-xr-x 9 root root 4.0K Apr 13 08:33 Payloads
-rw-r--r-- 1 root root 2.1K Jan 31 18:23 README.md
drwxr-xr-x 4 root root 4.0K Apr 13 08:33 Usernames
drwxr-xr-x 10 root root 4.0K Apr 13 08:33 Web-Shells
Doh! Thank you 😄
Attacking Common Services
Please can someone help me with this?
@drifting knoll
thx, fixed
@late beacon pls be careful with spoilers
I still can't complete those last two questions. jason's pass is not bruteforceable with the password list from the ftp server
Others are having the same issue
i have uploaded an additional password list to the Resources, refresh the page and feel free to use it
Works now, thank you
Is it somehow possible to do ASCII Hex encoding with ZAP fuzzer?
havent used it myself but feel free to take a look: https://www.zaproxy.org/docs/desktop/addons/encode-decode-hash/
dont know if it works as a processor
Anybody tell me what the difference is between normal boxes and prolabs?
Prolabs are a separate fee from the main website , but they are full blown virtual environments with multiple machines and multiple flags. For example, Offshore is like a 20+ machine active directory environment I believe.
Not sure if they contribute to your ranking but you get a certificate once you complete them
Ok I was curious about if they add to your rank may have to tweet at HTB and ask
Pro labs don’t add towards platform ranking
you get a certificate of completion, several badges for each, and a boatload of knowledge/fun 😉
i think your best bet is to just use parrot os for your vm, it will have basically all the tools as pwnbox and even if you have to add something the modules will show you how to
hi
question, is there a tip to begin to solve the rce tiny file server for the command injection module?
i've tried to find where do I have to inject command to find the flag
but nothing yet
Which part of the module are you on?
Ok, I think you're on the skills assessment. I would suggest having a look at all the functionality that the site provides regarding the files. Try all the features with some really simple command injection to try and precipitate an error which indicates a filter has caught your input. From there it's just a matter of working around the filter (not trivial). DM if you need more of a nudge!
Hi there! Did anybody work on the "HTB Academy - Attacking FTP" module? In the "FTP - Attacking FTP" section, it says: "What port is the FTP service running on?" In fact, there is no FTP port open (0-65535). Is that a misconfiguration? Or do we have to think outside the box?
hey guys, I'm a bit stuck and could need some help with bash scripting
In the Attacking Common Applications? Maybe the spanned Machine is "buggy". There is a port with ftp. dm if still something doesn't work.
im getting stuck with active enumeration, anyone can DM me pls?
Can anyone assist with broken Authentication : Predictable Reset Token?
anyone know which word list to use for the last question in Footprinting DNS?
feel free to dm
hi! so what was the problem?
DM me
I'm stuck at AD Enumeration & Attacks - Skills Assessment Part II. Need a nudge please..
Dm if you still need help
im stuck 😅 can anyone help with getting started - privilege escalation?
Hey I'm stuck on the first part of Attacking Common Services (Attacking FTP) for some reason (the box don't have FTP service) scanned all ports (-p-) and only get ssh,DNS and SMB
the last assessment or nibbles?
before nibbles, at the end of pentesting basics
I can get access to user2, but not sure how to get root
@wild furnace try copying the id_rsa key from the root directory to a file on your own machine, then SSH in as root 🙂
could anyone help with nmap
@marble scarab I can try, what's up?
Thats what i figured, but the only thing i can see in root is flag.txt and i dont have permission to read
i feel like im being dumb 😅
im on this question but when i try to scan for services i get this @west canopy
@wild furnace i think there is a hidden folder called .ssh
@marble scarab right , so on this section we actually don't need to use nmap. Try navigating to the ip:port in your browser , you should see a certain wordpress plugin being used and will want to attack that
oh great thanks @west canopy
@marble scarab but if we did want to scan a specific port it would look like: nmap 157.245.40.78 -p 30467
oh i see
@west canopy would you be able to help with the next step as im not sure. im very new
@high zinc scam link?
Can anyone give me some help? I'm stuck at Initial Enumeration of the Domain. I'm supposed to "Scroll to the bottom, spawn the target, connect to the Linux attack host using xfreerdp and fire up Wireshark to begin capturing traffic." Which machine is the Linux Attack Host? All I've got is the PwnBox and the Target machine. Which one of these are supposed to be the Linux attack host?
@marble scarab sure
can i dm
ya DM me 🙂
thanks
Who knows such a list of words - use the Footprinting-wordlist?
@quaint marsh it's probably listed under the "Resources" section of the footprinting module
pwnbox is a box set up for you to attack from just in case you do not have your own linux VM or machine.
Target will always be the "Target"
I really need help I’m stuck on “INFORMATION GATHERING - WEB EDITION” module on Active Subdomain Enumeration section and question “Find and submit the contents of the TXT record as the answer” I have completed a zone transfer but I cannot find any TXT records
I’m literally stuck on this question for hours now with no progress 😵💫
Please can someone help me here. I don’t even know what to do
scan the sub domains you found
follow the nslookup example
Will I run the nslookup on the spawned IP address or the inlanefreight.htb or is it like the Vhost example from the previous section
as a rule, I add the ip to the /etc/hosts first thing.
that way either the ip or inlanefreight.htb will resolve
Wow! I just did that and it worked. Thanks a bunch
hey guys, who can give me a hint regarding this question "What security policies can block certain users from running all executables?" from Introduction to Active Directory..!!!
Targets are not reachable in the Vulnerability Assessment's skills assessment. I can connect to other academy targets just fine. Anyone else having this issue?
I'm dumb, it's an SSH. They should not call it a "web interface" then...!
Anyway, what's the point to connect there? I want to scan 172.16.16.100
@sweet heron should be able to open nessus web interface on port 8834
ok now I get it! I was really confused. Thanks xD
Aquatone just sits still doing nothing. Is it only: "./aquatone -nmap nmapoutput.xml -out aquatone_output_dir" or am I missing something?
Check out my post on the forums (just google search HTB academy active subdomain enumeration and you will see the thread on the forum)....follow my walkthrough and it should work
hey guys if im stuck on a priv escalation step for the last "getting started" "review what you know" box... what would be a good hint/ push in the right direction? i have tried everything i know so far to no avail
i guess for greater clarification... im running into a permissions issue...i dont want to give anything away though for the greater body audience
Can I have help with File Inclusion :Basic Bypasses 
I'm on the same one. I've tried everything from the section, and different combinations. I tried fuzzing to see if I could find a document for the filters but only got the languages directory returned. I can't find any writeups either. Can't find the version of PHP either, which I feel could help if there is truncation or not. 
Where is Jarednexgent when we need him ? 
IIRC I had problems on file inclusion but ended up just needing to traverse way more folder layers...i.e. needed a bunch more '../' before the file I wanted to include.
no filters?
it says the web application employs more than one filter
Thank you. I figured it was going to be more complicated cause it said it employed multiple filters.
Yeah, I figured the same. You can play around with some of the bypasses, but there's no need to attempt the last part of section in trying to bypass it.
@scenic plover So were you able to get the flag?
Hey i'm here lol
Aes0p gave me some hints. I should be able to get the flag
Hmm still not getting it....
are you using the right path? needs to be /index.php?language=languages/
Nope. I will try this.
Got it 👏
Heya, can you offer any tips when testing for LFIs for newbies? At least things to look for when going through the LFI module that can provide signs of progress / going in the right direction? I'm still trying to figure out tells aside from the "illegal path specified" / errors that are being thrown.
Is there a way to automate the process? I am lazy lol
hi, i need some hints for the upload directory path for the module File Upload Attacks section Skills Assessment I managed to upload a payload (i think) but can't find the upload path
could someone help me with the broken authentication module? I'm stuck at the part Predictable Reset Token second question.
Hey, what have you tried so far? Where are you stuck? The question walks through the key steps - but my first hint would be to carefully inspect the temporary password then see if you can forge a similar pass for admin.
Does anyone have any tips for how to access the MS01 host for the Active Directory Enumeration & Attacks Skills assessment part 1? I have most of the questions answered and I know the attack used to compromise the domain. For the life of me I don't know how to access the host needed for it though. DMs are welcome
I've looked for remoting options in BloodHound, tried MITM for creds, looked for passwords in description fields, tried using the creds from the MYSQLSvc spn, and so far no luck
anyone can help me with the module Active Subdomain Enumeration
Hi , can I please DM you?
dm if you still need help
No problem
nvm got it
Hello, I don't understand the DCSync attack in the Active Directory Enumeration & Attacks module, section "Attacking Domain Trusts - Child -> Parent Trusts - from Windows/Linux". How can I get the KRBTGT hash? The examples list "mimikatz" for Windows and secretsdump.py for Linux, but it doesn't really work for me... In Linux, I get like:
┌─[htb-student@ea-attack01]─[~]
└──╼ $secretsdump.py logistics.inlanefreight.local/htb-student_adm@172.16.5.240 -just-dc-user LOGISTICS/krbtgt
Impacket v0.9.24.dev1+20211013.152215.3fe2d73a - Copyright 2021 SecureAuth Corporation
Password:
[-] RemoteOperations failed: SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication information.)
[*] Cleaning up...
And Windows:
mimikatz # lsadump::dcsync /user:LOGISTICS\krbtgt
[DC] 'LOGISTICS.INLANEFREIGHT.LOCAL' will be the domain
[DC] 'ACADEMY-EA-DC02.LOGISTICS.INLANEFREIGHT.LOCAL' will be the DC server
[DC] 'LOGISTICS\krbtgt' will be the user account
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
ERROR kuhl_m_lsadump_dcsync ; GetNCChanges: 0x000020f7 (8439)
According to the examples, this should throw the KRBTGT hash I think
Hey, could you find out how to solve it? 🙂 I'm struggling at the same point 😄
hey guys some help on Skills Assessment - File Upload Attacks ???
you need to set the same port inside script.js to fetch index.php (ie:5555) that your PHP server is listening on
hlo
Can anyone give me a hint on broken authentication - predictable reset token? Im a bit stuck on that
Can anyone help me on File Inclusion - Automated Scanning? im stuck with the question
hey guys, who can give me a hint regarding this question "What security policies can block certain users from running all executables?" from Introduction to Active Directory..!!!
look in the section Group Policy Security Settings
DM me
DM me
LoL from there is where my answers came..!!!
Hi Guys i'm stuck at "Stack-Based Buffer Overflows on Linux x86"
Generating Shellcode can someone help me ?
dm me
@knotty hemlock This section doesn't have anything to do with DCSync. It's about misusing trust. I can recall that for Attacking Domain Trusts - Child -> Parent Trusts - from Windows I didn't use krbtgt.
"https://www.inlanefreight.com" website and filter all unique paths of that domain. Submit the number of these paths as the answer. i am stuck on this curl question on linux fundamentals
i have successfully used the curl and downloaded the webpage source code
my question is what do i have to do with source code now?
is there an issue with the file inclusion module? if i try doing path traversal as outlined on the first part it just doesn't work
What’s the question
Can anyone assist me on Perform active infrastructure identification against the host i.imgur.com. What server name is returned for the host
Hello everyone. I'm stuck on Webrequests. I'm trying to figure out what i'm doing wrong with the authenticating cookies part.
What’s the question
Hey quick, I wish i could help you but it's not a question. just trying to figure out why I'm not seeing anything
As we can see, we were able to interact with the search function directly without needing to login or interact with the web application front-end. This can be an essential skill when performing web application assessments or bug bounty exercises, as it is much faster to test web applications this way.
hello @lethal atlas Massal2007 Here, can you help me with Hacking Wordpress?
I'm trying to be able to interact with the search function on this website by using a validated cookie.
add me as friend so I can dm you @lethal atlas
something is not right with the cookie
i cant figure out why. I keep trying to redo it.
I'm an idiot. I took a long break due to work and i feel more stupid than ever. lol
Don’t you hate that!
anyone know if local inclusion second part is working?
the second part?
@hazy grotto what module is that from?
is the module called file inclusion
for some reason the path traversal for etc/passwd is not working and i cant figure out why
In the module attacking common applications, tomcat attacking section: the bruteforcing part takes ages for me. I must be doing something wrong. I've found the user.
DM me so we dont disclose anything
DM me, I just helped a guy thru this so I know its working
🙂 Got it guys. I'm a Legend lol
congrats man
crazy how stupid you can be and as soon as the flag is returned. You ascend to a new level
i hear ya
Hi!
I'm at the attacking web applications with ffuf module at the skill assessment and i have trouble finding the working value for the params
I've tried cirt default usernames wordlist and top usernames shortlist and didn't find any working values
If i've used the incorrect wordlist please dm me the correct one
If the problem resides somewhere else, just tell me so and I'll try to figure it out
Thanks!
Hey people whats up? Anyone active that can help me in a DM in the reverse shells module? At the last one the live engagement
@shell violet DM me and lets see what we can do
are you referring to the Reverse shells section in the Shells and payloads module?
What’s the question you’re stuck on?
Who can please help me with this active subdomain enumeration. I have been stuck on that topic for too long. I added the inlanefreight.htb to /etc/hosts and I was able to get the name server and I even went on to add the name server to the /etc/hosts but didn’t get anything tangible to solve other questions under the exercise. I used nslookup and dig and still got nothing
has anyone done the intro to assembly module, stuck on the Unconditional branching chapter.
cant seem to find the location to jmp to func. the program will either terminate early or go into an infinite loop
next time you see @west canopy online hit him up. I think he has finished it.
that man is a legend haha. always has the answers
oh nvm
im an idiot
its supposed to terminate the program early
LMFAO
anyone have any further resources on getting around an access denied on a linux server when trying to curl or wget an exploit to the machine?
im a little stuck
this is from the getting started section, last modules for junior pen testing
anyone knows why this command "xfreerdp /v:<IP> /u:<User> /p:<Password>" is not working on the first lab from Active Directory Fundamentals?
@tight mesa I had issues with the target ip timing out and not pinging
sudo?
I had to keep respawning until ping responded
the ping is responding
I will check tomorrow cause I'm burnt out
ty btw @lethal atlas
ty @lethal atlas , im reading up on that now
Need help with Attacking Common Applications module, Gitlab attack section: the script to enumerate users doesn't work../throws "poc.sh: 51: Syntax error: "(" unexpected" and using bash just loops the usage message.
Line 51: Syntax error: "(" unexpected
@sweet heron Maybe try it from the pwnbox?
looks like it's working. Thanks. But why? The script looks fine...! Weird.
it keeps disconnecting though, so I can't get very far down the list...
Can anybody help me with this question?
Broken Authentication: Weak Bruteforce Protections Question 2
Try using cirt-default-usernames.txt as your wordlist
Thanks for the tip! It looks more stable now also.
It didn't find it!
I've run through it twice now. I'm trying random user lists now xD Did you complete that part?
ok I did it! thanks! At first it didn't accept "http"//" so I omitted it and it started working. Turns out you need it...!
What up @west canopy
@lethal atlas hey bud
can you post the question?
is msfconsole considered like cheating in some way or
spent like 4 days on that last getting started challenge, nothing works, fire up msfconsole and in 30 seconds i have root flag
im also brand new to this so
I'm stuck at the "other notable applications" section in the module "Attacking Common Applications". I've found the vulnerable app, but the exploits I'm trying don't work.
@sweet heron try using the weblogic_admin_handle_rce exploit in msfconsole
Yeah that's where I'm at now. Will let you know...!
I'm stuck in the password attacks module, in network services, on the first question, which says 'Find the user for the WinRM service and crack their password'. I've tried: 'crackmapexec winrm <ip> -u <path-user-dict> -p <path-password-dict>' but I haven't seen any output except when using --verbose, and nothing about login attempts. Do I need to get the user some other way?
Got it! Thanks again @west canopy !
Would be cool though if the other CVEs worked too. I didn't try to debug. Another time maybe xD
ofc not
thats the first go to when ur trying to exploit something
i appreciate that insight @pine bough
have u done the shells and payloads module ?
This is a pretty dumb question. Im on the File inclusion module section LFI and file uploads. I have been able to get RCE but i cannot find the flag !!(which is supposed to be in /). Help would be appreciated
@raven cairn its not called flag.txt, it's basically just a long string of letters and numbers
@pine bough i have not yet no, ive got a fairly good understanding of shells in general but im guessing theres more than meets the eye. is there priv escalation material in there as well?
not really
haha word
Can someone help me with the instructions I will follow if I want to use external OS. I mean how to connect the VPN or if there is any on the academy someone can just help me point out
you download the academy.ovpn and then run from a terminal sudo openvpn path/to/your/academy.ovpn
However there is a lot of help available from htb itself... therefore you should consider to look for help by yourself using Google etc before asking questions here
Thanks
Skills assessment of Shells and Payloads
tried first with a public exploit
no good
then tried a custom exploit :
still no luck
any help will be appreciated
NVM GOT IT
hey, im trying to complete the "nessus skills assessment" section from the vulnerability assessment module. It says I should be able to access nessus from localhost:8834 but there doesnt seem to be anything there. I tried to start the nessus service and it says nessusd.service not found. Am i doing something wrong or is the box loading incorrectly?
i have a challange where i must find winrm user and crack their password, how can i find that username? i tried with crackmapexec winrm <ip> -u <userlist> -p <password>
I had issues with nessus and openvas in that module. I ended up using the output files and not actually doing the scan. I was finally able to get openvas to work. BTW in Kali its a pain in the ass, and used the saved files in there as well.
Which host are you working on?
we’re forced to use parrot OS
using NoMachine
otherwise i’m running Kali on a Vm
lol in the skills assessment there are 3 hosts, which one are you working on?
oh u mean that
i’m done now
ok
i was using the wrong ip
nvm i got it
Footprinting IPMI
msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > run
[+] 10.129.202.5:623 - IPMI - Hash found: admin:471957fe820c0000a8868cf3aa667333a04711a91950d5abaac0c572db697898ec7e186695466812a123456789abcdefa123456789abcdef140561646d696e:420bb935e0ef7b008d52cf36f02a7ee9c3c61d1d
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Why didn't he crack the Hash?
A hashcat does not accept such a format for hacking.
Hash '/home/yurij/impi1.txt': Separator unmatched
No hashes loaded.
look for options
msf > set output_john_file /home/zorro/john_hash.txt
msf > set output_hashcat_file /home/zorro/hashcat_file.txt
try john hash.txt
it will work
||hashcat -m 7300 hashcat_file.txt /usr/share/wordlists/rockyou.txt --username||
👍 Thx
👍
I'd need a bit of a nudge for one of the questions in Active Directory Enumeration & Attacks Skills Assessment I
guys i was thinking to ssh to target with my local vm
i got the vpn key
but idk how to install it
download /paste the key into a file then sudo openvpn <file>
ok thanks dhekhnaur
Dm
hey im on module setting up section vps hardening i got through it all but at the end it says i have the wrong answer but i am 100% sure i have it right can anyone help?
Could I have a little bit of guidance on a question? I am on the file inclusion module, Automated scanning section. Instructions are a bit confusing for me and I would appreciate help
@raven cairn first we have to fuzz for the right parameter name "index.php?FUZZ=value" and then once we find it we can fuzz for the value "index.php?something=FUZZ"
Does anyone ever feel that depression of finally solving a puzzle and it is just thinking the days and hours spend to find an answer that is legit right in front of your face
you mean have I had moments where I thought, "really, that was it?" umm yeah
exactly, and then I just feel like an idiot, a relieved idiot but an idiot nonetheless.
I'd feel more depressed if i can't solve it though
Web attacks module, IDOR section, bypassing encoded references. Is anyone else having trouble connecting to the exercise? I'm using Firefox and have to try several times to get the page to load correctly, and when I try to intercept the download contracts request, I get an entirely different contract than what's displayed in the actual section. Very confused to say the least
To answer the question, some results are needed. Without the right endpoint you can't fuzz the parameter. Check if you have all 1) subdomains/vhosts, then check if you have detected the 2) paths from each subdomain/vhost, did you also check the 3) subpaths, did you find the 4) file extensions and the 5) correct filename? If you have checked all this, you will get another information to fuzz the parameter. I hope I could help you a little bit without taking out the challenge. 🙂
Hi @brazen hinge just be patient and you will get the user/pass ✌️
Attacking Common Services, SMB section: the password list given in resources did not find the password of user jason (question 2).
I got it working with msf smb_login, but not with crackmapexec ftr.
I'm unable to edit the theme code in wordpress for RCE at the wordpress skills assessment.. Pretty sure if I really needed other means those means would've been covered in the module... Anyone knows how to fix it?
are you trying to edit the active site?
I'm trying to edit from the dashboard of blog.inlanefreight.local
but if the theme you are trying to edit is active it wont work. you have to edit another theme then make it active.
The section should give you an idea of which theme to edit
all good, thanks
In the Attacking Common Applications module, they tell you you don't have to activate the theme to execute it, as long as you can access it via /wp-content/themes/<themename>/<page>.php
Please I have a question on information gathering module. The Vhosts part. No path that’s ./vhosts. Will I use the wordlists in the SecList or there is a way I can import a wordlists into the ./vhosts path or just in a sentence, can someone help me with the wordlists to use
dm me
thanks! i'm continue in that, there was a problem with the installation of crackmapexec, now i have an output and can see every attempt, but i continue with dictionary attack.
Anybody else have to delete two entries in web attacks to finish it? I just don’t understand why it has to be like this….. pure fucking hell
bruh why slangs
I don’t understand what you are getting at?
Which of the keys? All or can I just use the file downloaded from the website directly
Im on the attacking wordpress module, on the last question to get the flag from root. Im trying to use metasploit with the wordpress admin account but it returns Exploit aborted due to failure: unexpected-reply: Failed to upload the payload
Anyone got any hints on how to continue?
hello
I am doing HyperText Transfer Protocol (HTTP)
||curl -O http://GIVEN_IP:GIVEN_PORT/download.php||
I used this command to get the flag file, but when I cat the ||download.php|| file I don't see any output?
between given_ip and given_port is NO / , e.g. 127.0.0.1:1337/
Found another way in and got the flag.
gawd dam, gotta wait for tomorrow
respawn every 24 hours ?
Hello everyone, in Introduction to bash scripting -> flow control I only get bad decrypt error message when trying to run the program
Anyone have time for some sanity check on #1 on Intro to Assembly Language -> Skills Assessment?
i find the flag
guys
can someone help me with this
"List the SMB shares available on the target host. Connect to the available share as the bob user. Once connected, access the folder called 'flag' and submit the contents of the flag.txt file."
hint: Bob likes to use weak passwords.
Yes. But I seem to recall in the original module that you had to delete ALL the entries except the one you added.
Has anyone gotten through Web attacks module xml advanced file disclosure? I copied everything but I don't get the results they show. The external document I wrote gets pulled ok but I just get the "check your email for further instructions.
Do you know what program allows you to access SMB shares?
There are times in a module that you will not get the exact output that they show. This changes with updates and such. You just have to keep at it. DM me and we can discuss what you have tried
Did you ever figure this out? Im having the same issue. If not, how did you complete the section without it.
Hi, I'm stuck on web attacks module / Bypassing Encoded References, anyone would help me?
DM me
Hi, please help me: In SERVER-SIDE ATTACKS > SSTI Exploitation Example 1, after I successfully executed the tplmap script, I checked the environment variables such as printenv/PATH, but no hidden flag was found. How do I fix it?
Where do we get assistance with our dedicated labs?
dm
Like on the main HTB site?
No it's an enterprise dedicated lab. There is a link to contact support but it doesn't do anything
I'll try contacting our sales rep
sounds like the best approach for an enterprise thing.
Any help with the final assessment for the Broken Authentication module? I've ran through quite a few different ideas and I am stuck
I'll DM you
dm me
@coral patrol Are you having trouble with the syntax for smbclient or figuring out what Bob's password is?
@royal shale DM me 🙂
I didn't really figure this out, but I noticed that it's actually not needed to solve the questions because the ticket is given in clear text later 😕 not very satisfying but worked
Any opinions about Jr Penetration Tester Course?
I went bug bounty hunter so I cant help

has anyone done snmp footprinting in footprinting module? I am stuck at last question where apparently there is a custom script running and we need to get an output of it, any pointers? is it an obvious custom script or will it take digging through all the running processes?
I took that and enjoy it so far, I like the links to resources and more explanations of the problem presented.
@rose harbor we can actually just run snmpwalk against the target and look for a flag in the output
damn I thought it's going to be that easy, I am working over the browser and this version does not have snmpwalk, will see if I can install, thanks a lot
np!
smbclient
@rustic sage is your VPN connected?
Which skill path/job role path would you recommend starting out with? I work level 1/2 IT support currently and have some fundamental security knowledge, but not overly versed in CTFs.
@odd lance i would start with Basic Toolset
Any hint for attacking common applications, skills assessment 1. All the exploits I try don't work. Do I really need to go through the vulnerable app to get the flag, or do I need to use the other services running?
Can I have a hint how to do these questions (Information gathering - Web Edition : Virtual hosts)? I've used FFUF to fuzz for vhosts but I have only found 1 out of 5. Is there anything else I should be doing?
@west canopy
hey bud give me a bit sorry
No problem
@raven cairn we should be able to find all five vhosts using the wordlist they suggest in the section
Thank you very much. I've been on the section a while and I was not able to see the wordlist 😅.
Anyone able to help me with the burp intruder section of the using web proxies module? I believe I'm doing everything correctly, but the free burp intruder goes so slowly that the target machine expires before I'm able to find the url
@wraith creek read this thread
@wraith creek it should only take around 50 requests before finding a valid hit
Using the directory-list-2.3-small.txt worked nearly instantly. Thanks @feral gyro !
Anyone else have issues connecting to the attack host on the AD enumeration and attack module? I'm stuck on the Initial enumeration of the domain because xfreerdp just loads a black screen for me. I also tried ssh, which hung for about 60 seconds and said the connection was dropped.
@manic ermine no issues on my end when i was going through the module
For anyone running into this issue in future, be sure you don't have a VPN running. I had Nord running on my laptop, and a kali vm hosted on virtual box. No issues connecting to the openvpn, and was able to ping the box, but no ability to connect! Turned off the VPN on my laptop and boom, it works!
hi, in Session Security - Skills Assessment, it has been added to the payload to Country, open http://minilab.htb.net/submit-solution?url=http://minilab.htb.net/profile?email=julie.rogers @example.com, returns adminVisited true, what should I do next.
@amber sorrel try doing XSS on julie rogers profile page to steal the cookie, then use the API endpoint to make the admin visit her page (thus stealing the admin cookie). If you have done the Cross Site Scripting module , try revisiting the Session Hijacking section. You can use the same technique
@west canopy This man is great
Thanks for your help, I'll try again
Hi ! any hint for sqlmap essentials assessment ? 😢
still stuck
specify the data
More info about your problem?
@timid grove Try finding the lone POST request on the website , there is JSON in the body which will be in the injection point . You will likely need to do a bit of fine tuning to get the attack to work
no, couldn't not connected
hi, in LOGIN BRUTE FORCING>Skills Assessment, how does NO.1 generate a custom password vocabulary that conforms to the password policy, I tried cupp and ./username-anarchy usernameGenerator > bill.txt to generate users, using betterdefaultpasslist.txt and rockyou.txt as the password, but the blasting did not succeed, I don't know what went wrong.
in AD enum & attacks skills assessment 2 I'd need a nudge for privesc
DM me
can i DM someone for the Bypassing Web Application Protections case#11?
SQLMap Module*
@feral gyro @glad orbit i found the payload which in JSON file like @west canopy mentioned last night.
I also use a switch to bypass protection
So my only struggle now is to fine-tune it 😦
I just realise one thing, i did something last night that tells me i can use time based, but when i try to list for database it fail.
But now i couldnt achieve what i did yesterday with the json file
what was the website did u try to sign in ?
in microsoft edge
i typed
hackthebox academy register
its called register hackthebox academy
hello guys, can anyone who could run the PowerShell commands on the Active Directory Fundamentals labs tell me how they did it? cause when I tried I received a no privileges access error message..!!!
based on that I had to do the labs under the GUI
find some way to bypass the waf
@feral gyro can i dm you about it ?
sure
thank you ! friend request sent !
@timid grove
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
Can Someone help me with
-Try to identify the services running on the server above, and then try to search to find public exploits to exploit them. Once you do, try to get the content of the '/flag.txt' file. (note: the web server may take a few seconds to start)
Exploit being used auxiliary(scanner/http/wp_simple_backup_file_read)
so with my exploit My settings are
Depth = 1 (only one jump back to root from filepath)
Filepath = (.htaccess)
RHOST = Host IP
RPORT = Host PORT
TARGETURI = https://rhost+rport (i mean that is its url)
Threads = 1 (pre set)
However I still get
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
the problem, is I've tried configuring the settings to even some Ridiculous things however i still get the same feedback
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
My big question is how do you config this exploit to be able to give feed back.
module getting started
Public exploits
Can anyone check that sqsh is in the standard parrot repo?
I've been trying to get it installed, but apt says it isn't available, but according to everything else i've read says sqsh is installed by default
which module is that?
module getting started
Public exploits
not the page... the module
ur file path is not correct
public exploits
there is no module that has this name
getting started
specify the location of the flag
the module is Getting Started and the page is public exploits
https://rhost+rport/.htaccess doesnt work either and still give same results
target uri is already there i think u don't need to set that
but u need to specify the file path
hoo u are not getting me
on the question itself , they mentioned the flag path
Well I cant think of another way of specifying the file path.
As it appears https://rhost+rport is the root directory for the wp site.
so in my mind https://rhost+rport/File shoud be the filepath
👆
thanks for the help. manage to get it
i must be missing something. how are you supposed to get the password from the mssqlsvc user on attacking common services?
this target seems really unstable and I can't run any of the sql commands i'm supposed to. edit - got the password, but i can't figure out how to enumerate the database i don't have access to
I could use some nudge(s) with the Attacking Common Services module
which part
ftp, smb, dns
haven't tried the windows vm yet for the other services
because at the moment this feels like brute force attacks 2: electric boogaloo
i'm on the sql part right now. i can't figure it out
I give up (for today)
hello I'm on module Getting started Section Privilege escalation I answered the first question and became user2 I now have access to user2 SSH key but im stuck now any help?
@molten epoch try grabbing the id_rsa key from the root directory and SSH in as root 🙂
yea i can see the id_rsa key but i dont know how to get it and login with it i tried to use vim
Yes use vim, copy and paste the contents of the id_rsa key into a file on your own machine, then run chmod against it to set the right permissions. After that it should let us SSH in as root
Please who can help me with these two. For the first one, the name servers I got using nslookup none of them is correct and for the second one I used a series of tools and even used the certificate tool and even got over 100 results but still couldn’t find the subdomain that has elephants in it.
@fast herald for the server name, try just running curl -I against the target. For the elephants subdomain, try using https://subdomainfinder.c99.nl
Oh thanks
hi anyone can help with vulnerability assessment module i have one question left ?
@orchid patio sure, which question?
can i DM
yep 🙂
Anyone know why nc -lvnp does not show anything when script in remote host already triggered
Have you executed NC before the script in the remote host was triggered or afterwards?
If you executed NC afterwards, NC can't intercept the connection request of the remote host, because it was sent right after the script was triggered.
Otherwise it depends.... Are you connected to the machine via VPN?
I executed the nc first then i triggered the script. And i connected to the machine via VPN on my own computer
Hmm.. I fear I might need some hints for the skills assessment II of attacking common applications! Found a bunch of stuff, but lost at what to do with them.
No port number?
hi can anyone help me with the File Inclusion module? I'm in the File Disclosure section I have 2 questions left
Can I have help in the command injections module: Bypassing blacklisted commands section?
Thank you so much. I was so confused what i have been doing wrong
🤦♂️ I'm stupid for not seeing that lol
I think your command should work though
@sweet heron Feel free to DM me if you still need help 🙂
hey guys, linux fundamental module asking for user mail path, i used locate mail but i get too many results, any help?
@pliant summit try running the command: env
ah I had the /var/mail attempt but not the last part, thanks
file inclusion module automated scanning question: i got to the point where i found the payloads but for the life of me i can't figure out how to get to the access.log file. I tried looking up the files ffuf results returned to see if there was an exploit that wasn't mention in the module but i've come up empty so far. I can read the /etc/passwd, /etc/apache2/apache.conf and /etc/apache2/envvars no problem. And the envvars mention the /var/log/apache2 but i can't lfi into it
when using proxychains do you need to pass the proxychains argument with every command?
@rustic sage I believe so
yea i was just going through the web proxies module again and got curious.
dm me
@rustic sage You could create new alias for each proxychains command you need.
How to hack?
i'll look into it thanks for the tip!
Study, practice, try harder
😦
hack what?
hi everyone! I was wondering if someone could nudge me on getting the second user's cleartext password in the AD module's first skills assessment
I've tried a few things and don't really know where to go from here. I just changed the registry for RDP access, added a user, and ran inveigh, but im not capturing any interesting traffic.
also tried lateral movement to dump LSASS on another machine, but for some reason I couldnt start the service manager with psexec
any tips would be greatly appreciated! 🙂
@solar zodiac Try running lazagne from an elevated powershell on MS01
Has anyone done FTP/SMB/DNS of Attacking Common Services?
hello in linux fundamentals module, need to find config file that has been created after 2020-03-03 and is smaller than 28k but larger than 25k. I used this command find / -type f -name *.conf -newermt 2020-03-03 -size +25k -size -28k but i get too many results, what did i do wrong?
That command seems to work correctly.
hm, then why am i getting bunch of files?
This is a good question.
Let me check.
Uh? I haven't answered that specific question in the course, but I'm pretty sure I finished the course. Has the module been updated meanwhile?
Anyway, I'll try to do this.
couldnt tell you tbh
I stand corrected. I did indeed finish the module, but I can't see my own answers anymore.
does it let you spawn the target to run the command against?
yes
and I have one plausible clue of why you are getting so many hits.
Just checking one thing.
bet
I am getting only one file. Are you connecting on 10.129.x.y or are you trying the command on the local Parrot VM?
DM if you are still in trouble
Hi
Any one tried Redeemer machine in starting point.
I dont know how to nmap it. Its very difficult for me.
Can anyone tell me how to nmap the Redeemer machine
Anyone able to help with the last question on the DNS, footprinting module?
What is the FQDN of the host where the last octet ends with "x.x.x.203"?
Dm
YOU
need advice please. In the log in brute forcing skill assessment the second question asks "Once you access the login page, you are tasked to brute force your way into this page as well. What is the flag hidden inside?" I got the credentials but the password is not working?? this is my script "hydra -l user -P ftp-betterdefaultpasslist.txt -f 138.68.183.104 -s 32146 http-post-form "/admin_login.php:username=^USER^&password=^PASS^:F=<form name='login'"
I don't know what role that is. Did you spell it right?
This Account Identifier does not appear to be the right length (must be 60 characters long).
I can help if you DM me.
Hi everyone, has anyone completed the "Web Service & API Attacks" skills assessment? I have found a valid SQL injection payload but am unable to get to the admin user. Any help or hints would be greatly appreciated, thanks!
Is HTB Academy down? I can't manage to spawn a box, trying since 5PM.
Can’t spawn some of mine but others work
I don't think it is down but the servers are being hammered by people for Cyber Apocalypse
mine just spawned
anyone know how to connect with the htb docker of the ctf
k\
if you go to the ctf page and once logged in you can click a machine then click the power icon button to spawn the instance
The web request module is absolutely amazing. The curriculum found on HTB is better than any I have ever seen, for me at least.
I feel like I finally am making progress in understanding the things that I missed before. It’s insane.
hey I'm working on the server side attacks module and getting an error when I'm trying to set up my nginx reverse proxy and ajp
nginx: [emerg] "location" directive is not allowed here in /etc/nginx//conf/nginx.conf:65
if anyone has any idea what I'm doing wrong please let me know
I'm guessing it has something to do with what you append in nginx.conf but i think atm I'm following the instructions so not sure what I'm missing
Hello, good afternoon. Has anyone done the Brute Force module with hydra who could help me with the brute force question in the website skills assessment?
will do! thanks :)
okay what am i doing wrong with the "find a way to start a simple http server....using "npm""
dm me
Try to gain RCE using one of the PHP wrappers and read the flag at / - FILE INCLUSION
HELP
@rustic sage Npm was not something covered in the modules, it took a lot of outside research and htb forum searching to get the proper direction for the answers regarding npm server commands
module?
Heyo, I'm currently working on the File Inclusion Skills Assessment, I'm kinda stuck any help would be greatly appreciated. Thank you!
@devout cliff let me know and i can send you a working nginx.conf file
yeah if you could i would appreciate it
hi
Hello
I'm just starting to use Hack the Box
already stuck on first module and downloading scan tool
I'm stuck on the same one just can't seem to crack it. hydra -l admin -P /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou.txt -f 134.209.20.90 -s 31656 http-post-form "/admin_login.php:username=user&password=^PASS^:F=<form name='login'"
Hello everyone! I am new to this field and discord server and I just recently started HTB Academy.
I have a question, do I start out by finishing/learning all of the fundamental modules first? Also, where do I go after finishing all those fundamental modules?
Thanks! 😄
@hearty jay Try inspecting the POST request in burpsuite. The parameter names for username and password are slightly different and so is the fail statement
@unique nest Welcome 🙂 I would suggest going through the fundamental modules and then choose a Path that interests you i.e. Bug Bounty Hunter, Binary Exploitation, etc
Ok I will do that now thanks for the help.
@hearty jay NP feel free to DM me if you get stuck!
hey in linux fundamentals, need to find all listening services on all interfaces. i ran lsof -Pnl | wc -l but the answer i get is wrong, any idea?
@pliant summit try using netstat and then grep to remove instances of 127.0.0.1 (you will likely need to get a bit more granular but feel free to DM me if you get stuck)
Hi, FILE INCLUSION>Skills Assessment - File Inclusion, after the found page and message parameters, I tried LFI/RFI/Log Poisoning and other methods, but failed, I don't know where the problem is. Please help me
Try to gain RCE using one of the PHP wrappers and read the flag at / - FILE INCLUSION
Helpppppp
User-Agent: <?php system($_GET['cmd']); ?>, access.log&cmd=id, but the id returns empty, why
I'm currently stuck on this module. What did you end up doing? Not sure if I'm overcomplicating the question or missing something.
Use PHP Wrappers to see index, not index.php, this is something to pay attention to @glass pawn
sorry w1m, that's a reply to wh093 concerning the Web Request module for the GET exercise.
use cURL and follow syntax from this: curl 'http://<SERVER_IP>:<PORT>/search.php?search=le' -H 'Authorization: Basic YWRtaW46YWRtaW4=' replacing the necessary data
Hello, is anybody familiar with the Starting Point module? I've tried connecting to the Pwnbox to get it to work and I've tried downloading the OpenVPN to get it to work and nothing is working. When I try to download the starting point open vpn it says the VPN server is currently unavailable. And when I do Pwnbox is open the VM but doesn't do anything else. I'm so frustrated 🙃
Hey everyone, I'm stuck in the smtp section within the footprinting section:
Enumerate the SMTP service even further and find the username that exists on the system. Submit it as the answer.
Could someone give me some pointers please?
I am already trying to enumerate users with smtp-user-enum and the file they give us
But i think i don't have the right domain selected or something
You can try kali's openvpn command, or on Windows download openvpn, and then import @hollow wren
@fair cove try using smtp_enum in metasploit along with the footprinting-wordlist.txt
Ah thanks man
Guys can someone tell me how to download Kali Linux on mac I'm kind of new to ethical hacking
when is this pentesting module in academy coming out?
https://www.kali.org/get-kali/ choose either VMware or VirtualBox follow the instructions in the provided documentation link
Thanks
I'm doing the live engagement in the Shells & Payloads module, but so far no success with getting the ||50064|| exploit working. ||I've set the username and password as it should be, but no matter the circumstance,|| the exploit always fails on some split method||, that is powered on the response from the site. The failure is caused by the fact that the response is equal to null, which means that I must have entered the RHOSTS and VHOST incorrectly. I've tried so far setting the RHOST directly to the ip address, I've also tried breaking the url down to the RHOST and VHOST, yet nothing that I've tried so far succeeded to make the exploit work.|| Would love any type of help
@dusk bronze so unfortunately i don't have full notes on that module, but on the skill assessment i recall actually going into one of the scripts and modifying the payload inside the script. By default it's set to a bind_tcp payload which did not work
it's an rce exploit tho
I would assume bind_tcp infers you're referring to a reverse shell exploit
correct me if I'm wrong
hm
I thought it's just an rce module
my bad
will change to reverse
getting the same error :/
thinking on just exploiting it myself
this exploit module is clearly not right
The above web application employs more than one filter to avoid LFI exploitation. Try to bypass these filters to read /flag.txt
@rustic sage make sure you are using the right path: /index.php?language=languages/
bumping
tried regular LFI, but things aren't working anyways so reverting back to the odd ||50064|| exploit (something is clearly wrong when the other two hosts took 5 seconds each to crack, while on this one I'm stuck for around an hour)
Can I talk to someone who's also completed AD Enumeration & Attacks - Skills Assessment Part II? I got DA but pretty sure I took a long route and didn't do it in the way intended. What an amazing module btw, kudos to the creators, I loved this module, it's incredible
Quick question. For the XSS module, session hijacking section. If I'm not connected to a VPN with the target, could we get it working through internet, using my public IP? I'm trying something similar in a CTF where the website is hosted on the internet, but my nc or php or python http.server do not catch anything, even when I'm just trying to access my ip over the internet. I tried forwarding the port and even disabled firewalls both on my pc and on my router. Is there any particular setting I'm forgetting, or is it too complicated ? Thanks.
@sweet heron Yes we would need to use port forwarding or a tool like Ngrok
now that you say it, I remember seeing a video with Ngrok. Cool, I'll look into this! Thanks a lot, once again! 🙂
np!
Module "Linux Fundamentals". Question: "Use cURL from your Pwnbox (not the target machine) to obtain the source code of the "https://www.inlanefreight.com" website and filter all unique paths of that domain. Submit the number of these paths as the answer.". My current attempt is: curl --silent https://www.inlanefreight.com | grep "www.inlanefreight.com/" | sed 's/^.*www.inlanefreight.com/www.inlanefreight.com/' | cut -d"'" -f1 | cut -d'"' -f1 | cut -d"?" -f1 | cut -d"%" -f1 | sort | uniq | wc -l. It looks clunky because of the multiple cuts. The output I get is "31", but that isn't the correct solution, as well as "30" considering www.inlanefreight.com and www.inlanefreight.com/ are the same unique path. Can anybody point me in the right direction here? Tried a lot, as well as did research but nothing worked for me so far.
Thank you for your attention.
@silent radish DM me 🙂
Had the same problem with no visible FTP service. After resetting the target a few times it was there.
does that mean that I get unlimited Pwnbox usage even by just buying 50 cubes once?
can someone offer a hint on "Use the privileged group rights of the secaudit user to locate a flag." on "LINUX PRIVILEGE ESCALATION" / "Privileged Groups". The secaudit has "adm" group, so i can read logs on /var/log. Is the flag really inside one of these files? (it's not the skill assessment, just a question for one of the subsections....)
@brave nova yes , check the Apache log files
thanks! i was recursively looking for flag as in HTB{}, should've extended it 🙂
Yes it does.
jesus how did I overlook the fact that I was using the VHOST field wrong
sorry for the disturbance, and thanks jared for helping!
i need some help with the attacking common applications module, splunk enumeration section question. I tried to connect to ip:8000 but no response from server, and there's no vhost? Any hint?
Hi, in the Guessable Answers of the BROKEN AUTHENTICATION module, Reset the htbadmin user's password by guessing one of the questions, do we need to construct a password dictionary by ourselves, the module does not seem to provide a dictionary, what should I do next
for how long does it?
try it with https
There is no expiration 😁
but why would anybody buy a subscription if you can have unlimited access forever for even less money?
Thanks!
Subscriptions provide more than Pwnbox access. They provide cubes per month (# depends on level of subscription) which allows you to unlock more modules. I personally think the silver annual subscription is the best value but it really depends on each persons’ personal situation. We try to offer many flexible and affordable options.
Module File Upload Attack, blacklist filters section: I've tried all extensions and all of them return the shell instead of the command (I fuzzed for accepted extension, then fuzzed shell.FUZZ?cmd=id). Any help? 🙂
Ok nevermind, I've tried the specific php extension wordlist instead of the more general web extension list and it worked!
Quick question how much time should I wait to get another pwnbox or machine i had two and i lost both of them
why can't i access the htb academy student subscription? can anybody explain this
You might have to chat with support to validate your .edu email.
Have you registered with your university email address?
„If you are registered on HTB Academy using an academic email that is included in our list of valid academic domains, the student subscription will be readily available. Please note that you can change your Academy account’s email via the account settings page.
If your academic email's domain is not in our current list of valid academic domains, the student subscription will appear as unavailable (greyed out). In this case, contact us via the support bubble at the bottom right of the page. The HTB team will verify the validity of the domain you will specify. After the academic email verification process is complete, you will be able to enroll for a student subscription and enjoy Academy's modules! The process may take up to two business days.
Note: Access to Academy modules requires an active student subscription. Make sure to renew your plan monthly to not lose access to your learning material!“
i think ima bench the server-side attacks module. i cannot get tomcat/nginx to work right
super frustrating to be hard stopped on not even a question but just getting the right environment set up for the module 😦
might have to rollback to a snapshot
welp, rolledback and followed instructions minus the change i put in #858470491676737536 and it worked

i have no idea what happened LOL
File upload attacks done! Yesss! Where to go next? What could help me get some points in the Cyber Apocalypse CTF: server side attacks, broken auth, session security, web services & API attacks? Any suggestions?
Is there any reason why I wouldn't be able to download the US starting point vpn? I've been trying since early this morning and it just won't download.
The "Windows File Transfer Methods" has a challenge that starts with "Upload the attached file named upload_win.zip to the target using the method of your choice. Once uploaded, RDP to the box". If i read that correctly, i MUST NOT rdp into the target until i have uploaded the file. (normally I'd try to RDP in and download the file). Can i ask for a hint? (also - the HTB_@cademy_stdnt! password doesn't work for RDP; typed it in the visible part of username to check characters, multiple times, bad password.) 🙂
password attack skill hard, someone help ?
Yup you can DM.
I have a question about a quiz in the Linux Fundamentals module, System Information section. Anyone wanna help?
the question is: Which kernel version is installed on the system? (Format: 1.22.3)
I used uname -v. no matter how I try to type that info as the answer, it gets rejected
I've fully completed the module except for this one seemingly easy question!
I've tried using the pwnBox, and my own vm ssh'd to the academy machine.
you mean uname -r or uname -a ?
both. I've tried uname -r, uname -v and uname -a
I feel like I'm finding the correct info, but not formatting my answer correctly
let me check
I don't see the answers anymore. I'll try to do it manually then.
thanks
parrot? Are you sure you are checking the right system?
I'm currently on the pwnbox
ok, but the exercise is not about the pwnbox, but about the target. You need to ssh to the target using the shown credentials.
i've also done that in the past from my own VM, but now that you mention it, I am accidentally doing it locally on the pwnbox right now, which is clearly wrong
stand by..
success!! I think what was going on when I was attempting from my own VM is that I was using uname -v, which still seems more correct to me
thank you!
why is the answer the release instead of the version? the question says version. That really threw me.
-v for version,-r for release. Check man when unfamiliar with a command. Still, one module down! gj.
but the answer was using -r. The question says "version". Is this some sort of typo in the module?
Oh I don't know. I can't see the answer anymore.
Anyway, thanks for the help!
Very first Windows Fundamentals section. I'm attempting to rdp into the target from my VM (used up my pwnbox for the day). In Linux, I'm typing: sudo xfreerdp /v:10.129.190.62 /u:htb-student /p:Academy_WinFun
I get a certificate mismatch error.
I am using the same VPN key that worked fine for the Linux Fundamentals.
"/p:Academy_WinFun!" *
dang exclamation point!!
still no dice. I even spawned a new IP
┌──(kali㉿kali)-[~]
└─$ sudo xfreerdp /v:10.129.183.200 /u:htb-student /p:Academy_WinFun!
[23:19:33:999] [103629:103630] [ERROR][com.freerdp.core] - freerdp_tcp_connect:freerdp_set_last_error_ex ERRCONNECT_CONNECT_FAILED [0x00020006]
[23:19:33:999] [103629:103630] [ERROR][com.freerdp.core] - failed to connect to 10.129.183.200
it worked the second time. I guess the instance wasn't truly ready yet
Sometimes you need to try it a couple of times, and yes, give it time after spawning.
it seems kinda intermittent. Even if it hooks up, it drops the connection after a couple minutes. Normal?
From my experiences: yes. But more than sometimes it works flawlessly
ok. Thanks again!
Hey guys. I need help with Command Injection assessment.
Can i DM someone for this ?
stuck at web service & api attacks skills assessment
hi everyone! I'm unsure how to get the credentials for the weak credential user's password on the skills assessment II for the AD enum and attacks. Can anyone provide a nudge :)? Everything I tried has failed
Finally done with it gosh that was intense and good
@solar zodiac EDIT: try using DomainPasswordSpray.ps1
cannot even find the sql parameters to inject? I can only done with SOAP spoofing. anyone could help me?
Hi guys, stuck on Skill Assessment - Broken Authentication. Found two different usernames and manipulated cookie, also bruteforced with rockyou.txt but still cannot find any useful info. Can anyone please DM some hints? Thanks in advance
Currently doing File Upload Attacks and i cannot download the cheatsheet to my PC, saying that it's detected a virus. (Maybe one of the commands in the cheatsheet got picked up by windows 11)
I did copy paste the cheatsheet to my obsidian, just for it to get wiped out 😂
Any way around this hackers ? 
The Exclusions. Then select the folder for your obsidian notes.
@bronze frigate try finding a valid username for the support user, it's in the format of support.xx (where xx is a country code). From there you can use rockyou.txt to log in (but you will need to filter the word list to match the password complexity requirements)
thank you. didn't realize the . before the code
Hi guys I'm new I also wanna learn ethical hacking Which software should I use?
Anyone online?
Aww..... no one's online
If you know pls dm me
I joined the server 5 mins ago
Can anyone help me with the DCsync attack from the AD Attacking and Enumeration skills assessment part 1?
thank you brother ! this works.
#bilabilalanchao
walk around hackthebox academy !
@idle kestrel I was able to do it using secretsdump.py
@rustic sage Depends what you are trying to do, but for starters you will definitely need either a Kali or Parrot VM
Thanks for the advice. How did you use secretsdump.py though? Can the Parrot box reach the DC? I've been using my own kali machine
Well i used it with proxychains against the domain controller, i pretty much had to use proxychains to interact with every machine in the domain except for the foothold machine
@west canopy thx :)
Thanks! What server did you connect to with proxychains @west canopy ?
@idle kestrel DM me and i can show you how to do it
Not sure where to go from here in the skills assessment II for AD enumeration and attacks- I ran an ingestor, snaffler, and cme with the new creds and haven't been able to find anything. Suggestions are welcome 😄