#modules
hi, BROKEN AUTHENTICATION > Bruteforcing Passwords, I tried grep '[[:upper:]]' rockyou-50.txt | grep '[[:lower:]]' | grep -E '^.{8,12}$ ' and
grep '[[:lower:]]' rockyou-50.txt | grep -E '^.{8,12}$' and grep -E '^.{8,12}$' rockyou-50.txt but no success, prompt: Too many login failures, what to do next
hi guys, i want ask something
Has anyone else had trouble with the ssh on Web attacks skill assessment? I keep getting a kex error
i was reading the Vulnerability Assessment module and i found the target machine is a linux machine but the question is about a windows machine, do u have any suggestions guys?
Can anyone help me with the easy lab at the end of the footprinting module?
the problem is with ur regex
Hi there. Has someone finished the module "FOOTPRINTING"? I am stuck in a few sections. Now in the section IMAP/POP3 with the question to find a flag inside IMAP. any help? thanks in advance
Hello everyone. I am having problems with the Using Web Proxy module
For some reason, whenever I use either Zap or Burp, the web proxy takes forever to load
Some times BurpSuite
I had problems with zap in the pwnbox - I ended up running from vpn with my own Kali - not sure if it would help but maybe you could try to update zap on pwnbox?
Anybody do Shells and Payloads and could help me understand what i am doing wrong with the live assessment second computer?
dm me
👍
Hi! I just started on HTB academy and I am trying to connect to the vpn on kali.
I already downloaded the vpn key that is in the lesson, went to the terminal and typed 'sudo openvpn academy.ovpn'.
My ip has changed but the console is hanging with 'Initialization Sequence Completed'.
I tried opening another terminal and doing the lesson but it does not work
Does anyone know what I am doing wrong?
@humble fog You should be connected, but your ssh command is wrong. Needs to be: ssh htb-student@ipaddress
And you need to spawn the target as well to get the target IP address
thanks @west canopy
Module server-side attacks: SSRF using a pdf generator. What if file:///xyz is not allowed, any alternative to reading local content? Or maybe using my own ip to GET something? like a reverse shell?
Question on the Introduction to Web Applications module, in cross site scripting, how is it that JavaScript code that I am able to enter on my client side then get to another user, if that makes sense?
In the example given, it shows how JavaScript code can be used to fetch the cookie from the HTML DOM, but I don't see how that is any different from just checking my browser DevTools.
I understand that this code could even be setup to send the cookie of the user that runs it to a netcat session or something, but it is lost on me as to how a different user will get that code to be executed on their browser.
Forgive any ignorance, I tried googling before asking here but no explanation quite satisfied me.
Could someone write a piece of JavaScript to potentially make (say the homepage) of a website a big script that, when users visit the website, would send a cookie (or do any other things) to an attacker?
Hacking wordpress: directory index. I do not know what directory I am supposed to be looking in for the flag. I’ve checked all the key wordpress directories. I am confused and need help.
@raven cairn DM me 🙂
My question is resolved, found a superb answer on a very old forum.
Very cool! Would you mind sharing the link? I'm curious
Thanks for advice
Cross-site scripting (XSS) is a type of security vulnerability that can be found in some web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. Cross-site scripting ca...
I didn't think to check wikipedia first but it made total sense after I looked over it.
Much appreciated, I'll read it now.
hey can anyone help with a general metasploit question?
cant seem to set USERPASS_FILE
disregard im blind
Module Server-Side Attacks, SSTI exploitation example 1: I can't find the env. var. in the --os-shell ...
@sweet heron Are you using tplmap? I was able to find the flag using curl
Hey there! Can someone give me some help. I’m in the Wordpress module. Last part, the one about getting a shell, I already tried using metasploit, as well uploading my shell manually with the credentials I found but I keep getting an error message
@carmine hill we can use the same technique as the "RCE via Theme Editor" section i.e. by editing the Twenty Seventeen 404 template with a php wrapper, then using curl to execute system commands
Thanks, it just worked after resetting the target twice more 😅
Thank you! 😄
UwU
Could you explain to me which suspicious index brings me to use --prefix='`)' without using the case6 clue in the SQLMAP essentials module?
Yo
I think I downloaded GitHub in Kali Linux but I'm not sure how could I check to be sure.
Downloaded github? The whole webpage?? 
If you're referring to git, type it in the terminal and if nothing red appears then all good.
Hello! I am looking for some help on the live engagement of the Shells & Payloads module...
Has anyone managed to complete the Command Injections module, I feel like there is an error in the second to last assignment
guys isnt this module so easy?
Server-Side Attacks - Skills Assessment
do we have another way to solve it?
yep
can u tell me plz?
look at the source code
i solved it with that bro. i was just thinking that is too easy. do we have another way?
oh.thanks
Hello guys can anyone help me? I'm stuck in Vulnerability Assessment module at Nessus Skills Assessment, the question where it says
What were the targets for the authenticated scan?
What does it exactly mean?
I found the target with authentication protocol but how to write it down?
You can DM me
Thanks problem solved
Hi all, I cannot seem to crack the password with hydra in this exercise: https://academy.hackthebox.com/module/57/section/503
I am using this command: ||hydra -l admin -P rockyou.txt 157.245.40.139 -s 31199 http-post-form "/login.php:username=^USER^&password=^PASS^:F=<button class='btn block-cube block-cube-hover' type='submit' formmethod='post'>"||
Can anyone provide some feedback or hint of what I am doing wrong?
Anybody online that can give me a hint on 'Web Proxies' module, repeating requests with Burp? I have to repeat to different IP's to try and locate a flag, I think I'm doing it right, but I'm at 127.0.0.13 and no flag yet.
at the footprinting module
dm me
I am still looking for some help on the Shells & Payloads live engagement, if anyone can help.
Dm me
Reason: Bad word usage
sorry, after i solved it i took an immediate break.
The module is Linux Fundamentals, the section is Working with Web Services. There was nothing about NPM that I had seen while working the module. Not even in the "Cheat Sheets" and the hint was very vague.
I also attempted to DM you but I do not have the permissions necessary apparently.
Hey people, I am doing the MySQL on footprinting module. When i do mysql -u name -ppassword IP i get errors like
ERROR 1698 (28000): Access denied for user 'robin'@'localhost'
or ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/run/mysqld/mysqld.sock' (2)
Any idea how to proceed
-p
then u will get a prompt to enter the password
mysql -u user_name -h database_host -p
this is how i usually connect with mysql
there are some alternate switches but i am not aware of that
u can specify the password on the go
like --password=yourpassword
but instead of the shorthand switch u need to specify --password
Looking for a hint on Broken Authentication: Predictable reset token question1, please DM me
Can anyone give me a nudge on the Active Directory Enum and attacks skills assessment 1?
any chance I could DM you for skills assessment 1 nudge?
ok, dm
Hi, did anyone manage to perform a Cross Domain DCSync via secretsdump? I'm having trouble trying to complete the cross forest section for Active Directory Enum and Attacks skills
i'm doing the getting started module and the service scanning section has nmap but i cannot manage to use it, it says the host is down
i am connected to the vpn and everything
are you using your own machine or a pwnbox
i'm using linux on a virtual machine
can you ping the host
i can't apparently
do you still have the terminal open with the vpn running?
yes
kill it and redo the vpn
Has anyone gone through the AD courses on htb academy? I’ve started Intro to AD. Curious if anyone is going down this path to learn more about AD. Plan to take on Offshore Prolabs.
done, but it still doesn't work. not sure what i'm doing wrong
ok dm me
I got stuck at the broken auth skills assessment, found 2 accounts and don't know where to continue, any hints?
any luck on that?? i have tried many roles too xD
can you give me a hint on bruteforcing cookies, first question, ser?
ive tried all the super user names i can remember, even professor xD
Ill dm you
Sent you
Hey guys, I have some issues on the Shells and Payloads module, section live engagement. Problem with a metasploit module showing a nil error... Anyone?
if anyone has done the server-side attacks module can dm me with some assistance in getting the proper environment set up to do the module it would be appreciated. im at the 'apache reverse proxy & ajp' section.
i need some help with the attacking common applications module, os ticket section question. I'm so confused.
Can anyone help me with easter bunny?
Can someone help with Linux local privilege Escalation
can someone hack me
module ad enum and attacks
section Credentialed Enumeration - from Linux
[-] [Errno Connection error (172.16.5.125:445)] [Errno 113] No route to host
psexec exercise
same error for wmiexec
So I've been a bit stuck on the Skills assessment of Module 54 (Attacking Web Applications with Ffuf)
The hint for the third question says: `Run a recursive scan on all sub-domains you found, and use all of the extensions you found. Use 'PORT' instead of the port shown above, like http://xxxxx.academy.htb:PORT/xxxxxxx ..etc'
Is it telling me to literally type 'PORT' instead of the port number in the target Socket?
take a look at the URL syntax, you will find the reason why its not working
I hadn't noticed that the syntax in the URL changed. I'll mess with that.
I think I mistyped the hint I was asking about. The hint seems to be implying to literally write POST instead of the provided port number in the target address. Is that correct?
Yes using tplmap. I tried passing manually a printenv command, but not with curl. I'll check that later, thank you for the cue.
I found it finally. It was telling me to use PORT in the answer, not for the scan.
Try finding out the username of the support user, it's in the format of support.xx (where xx is a country code). From there you can filter the rockyou.txt wordlist for passwords that meet the complexity requirement, and then bruteforce your way in as support.xx
@wise meteor Yes I have completed all the AD modules , if you get stuck or need help let me know 🙂
@novel echo Which section are you stuck on?
@manic zealot Feel free to DM me 🙂
Hey all, currently working on the shells and payloads - The Live Engagement. Stuck on host 1. I have an exploit that should be working but I am getting a 404 error when clicking the war file. is the Lhost supposed to be a target that we spawn and use to login to the foothold via nomachine? Not sure if it is a Lhost error because I am not getting any response back on my netcat
@west canopy thnx ❤️
anyone know how to get proxychains working with the Proxying Tools section? i'm trying: proxychains curl http://google.com/robots.txt
but i keep getting curl: (7) Couldn't connect to server
@arctic lark maybe it needs to be https?
Edit: its okay turns out i dont need to use it to complete the section anyway
hey having some trouble in networking module
i am unsure of how we got the values and binaries from 192
@pliant summit so there are eight bits in the octet. Each bit has a "value", going from right to left: 128 - 64 - 32 - 16 - 8 - 2 - 1
When a bit is 1 we can think of it as being "turned on" so to speak.
So the far left bit is turned on, and its value is 128
the next bit has a value of 64 and it's also turned on
if all eight bits were turned on, it would be 255
^ reason why values for ip addressing only contain values between 0 and 255
specifically for ipv4
ohhh so the "values" part is the same for all ipv4 addresses?
just which ones are turned on is different
or which ones have '1'
for octets
Yea basically
you can get any value between 0 and 255 by flipping those bits on or off
okay makes sense, and subnet masks follow the same concept right?
for bit values yes although the purpose of the subnet mask is different from an ip address
correct me if im wrong jared im half awake
Yea the subnet mask is basically a representation for which part of an IP address represents the network, and which represents the hosts
a subnet mask of 255.255.255.0 means the first three octets of an IP address are the network
wait isnt that what CIDR does? i.e. if its /16 then first two octets, /24 first three octets
Yep you got it 🙂
CIDR is a different way to represent that information
so subnet mask and cidr show the same thing?
Yes just a different format of representing it. 255.255.255.0 = /24
255.255.0.0 = /16
that makes much more sense, thank you
and usually, the first address in ipv4 is the default gateway (or router) and the last one in the subnet is the broadcast address?
Yes, typically
and .0 will be the network ID
so on my home network, 192.168.1.0 is the network id, 192.168.1.1 is the gateway, and 192.168.1.255 is the broadcast
so why do we care about subnet masks then
subnet masks tell us how the ip address is 'divided'
the first image i posted above
the smaller the subnet mask, the more possible hosts on the network
ah but we could also just use the /16 prefix to know, right?
or actually, a subnet mask is more specific?
they both tell the same information
so lets look at a full ip address
in bits
its 4 octets
so thats 00000000 00000000 00000000 00000000
right
so now
a CIDR
like what you just posted, the /16
says the first 16 of those are the network
so 00000000 00000000
and then the last 2 octets
are the host
still in this example
00000000 00000000
so lets make this a little more unique
we can use what jared posted, 192.168.1.0
11000000.10101000.00000001.00000000
this is a class C network as well, which says 'hey the first 24 bits is the network, the last 8 are for hosts'
there is a great tool on linux called ipcalc which calculates and visualizes all this kind of stuff too
yes ^ this
so the first 24 bits dont change for this network
so thats 192.168.1
but the last 8 bits will, and are associated with hosts
so you can consider those devices on this network
so 192.168.1.1 is the first
usually the default gateway unless configured otherwise
then 192.168.1.2 will be some device, etc. etc. up to 192.168.1.255
so the network can fill up
so if you need to add another device what do you do? you need to change the network
so you change from a /24 CIDR to lets say a /23
this frees up a bit
11000000.10101000.0000000
this is now the network
only 23 bits
but the hosts: 1.00000000
another bit is allowed, increasing how many hosts can be allowed
allowed is not the right word, how many hosts can be associated with that network uniquely
if you filled up all the way to .255 and need another device right?
right
like you have all those addresses used
254 actually
bc of broadcast address
that makes sense, so I imagine its handy to keep those "values" nearby right?
unless you use it a lot and start to know it by heart
its good to know them, or know a tool that allows you to break them down into different ways. eventually you will be able to identify those networks naturally and how they are divided
but the values for octets yes
start at 128 for first position and divide by 2 until you run out of bits
per octet
@west canopy the skills assessment, I got flags 1,2, and 3. #4 I found the file but having trouble with getting the right user to read it
oh just noticed haha
or you can read it from the furthest right and consider it 2^0, next is 2^1, 2^2, etc etc
okay and if its like a CIDR more than 24 I take the remainder right?
@novel echo try looking in /etc/tomcat9 for tomcat credentials. From there we can log into the tomcat server and upload a WAR file to get a reverse shell as a user who can read the flag
like if its /29, i divide it by 8 and the remainder is how many of the bits are reserved for network?
so for that
00000000.00000000.00000000.00000|000
this would be how its divided in bits, network|hosts
so per network you have a rather small amount of hosts
but many different networks are possible
5 bits and then the | because the remainder is 5?
@novel echo you will want to use msfvenom to generate a malicious war file
its 5 bits out of the last quartet because you have /29, you have reserved 29 bits for network and the remainder for hosts
so 8+8+8+5=29
all of the first 3 octet and 5 of the last
short answer: yes
Perfect!
Last one I assume is a kernel exploit
As I cannot find the file even
Last one is a GTFOBin 🙂
Lol, I love those for the name alone
thanks
so if im asked to state the broadcast address of CIDR: 10.200.20.0/27
would it be 10.200.20.255 since .255 is the last one on the network?
not in this case. In a /24 network it would be 255
but we have another three bits going towards to the network, with values 128, 64, and 32
oh in a /27 i just add up the first 3?
^ this is why i shouldnt give advice when im half asleep
no youre good i understood what you said
it gets kind of tricky when working with subnet masks that aren't the usual /16, /24, etc
you add up the values of the host bits
yep so it would be 16 + 8 + 4 + 2 + 1
by the way, sorry if this sounds dumb but these are all private IP addresses right? Two network interfaces at different places in the world could have the same address?
Yes, basically if you google your IP address it's going to be the IP of your router
so would it be 10.200.20.224 then?
nope
remember
the first 3 bits of the last octet cannot be used
and the broadcast address lands in the host bits
so its 10.200.20.31
also just so you understand in case you didnt know, the reason you can have private IP addresses is because of network address translation (NAT) that was invented due to how quickly the public IPv4 space was taken
so a private ipv4 address can be repeated, public can not
didnt they make ipv6 to resolve that problem?
IPv4 address exhaustion is the depletion of the pool of unallocated IPv4 addresses. Because the original Internet architecture had fewer than 4.3 billion addresses available, depletion has been anticipated since the late 1980s, when the Internet started experiencing dramatic growth. This depletion is one of the reasons for the development and de...
some fun references in this article
ipv6 allows for an insane amount of address space
ive only seen ipv6 a few times, it hasnt been fully adopted yet has it?
or is ipv6 used for public addresses?
personally i have never seen ipv6 in the wild
sometime in the future there is the possibility of converting entirely from ipv4 to ipv6, but it will most likely not be anywhere in the immediate future
probably not in our lifetime
instead you will have what we have now for a long time: being able to use both ipv4 and ipv6
Tuff
I have it at my house and WAN, but less than half of the services actually use it
Internet Society has some interesting research, stats and reading regarding IPv6 adoption around the world. Check it out if you get some free time: https://pulse.internetsociety.org/technologies
I would like some help on File upload attacks : type filters. So far I have fuzzed for uncommon php file extensions, edited the front-end, changed content and Mime type. I would appreciate help
anyone can help me w xfreerdp
I did two IPv6 only external pentests in my career and for the same client. It was interesting . There are a few boxes on HTB that show some ipv6 , Sneaky is one: https://0xdf.gitlab.io/2021/03/02/htb-sneaky.html …also the P.O.O. Endgame has some
Sneaky presented a website that after some basic SQL injection, leaked an SSH key. But SSH wasn’t listening. At least not on IPv4. I’ll show three ways to find the IPv6 address of Sneaky, and then SSH using that address to get user. For root, there’s a simple buffer overflow with no protections. I’ll show a basic attack, writing shellcode onto t...
anyone can help me w xfreerdp, i lose the connection after 15 seconds when i connect through pwnbox
xfreerdp does not work on the windows machine
Try removing the ‘s in the command
whats meant with splitting an ipv4 address into 4 subnets
Read through the networking fundamentals module. It helped me understand.
yea im doing that one rn lol, thanks
If anyone is still there I still need help with the file upload attacks module
Fake
Woo, finished the Ffuf module. Got hung up on the 3rd to last question for a while. Don't forget your commas , AND periods . for fuzzing multiple extensions.
hi, i need help at the LOGIN BRUTE FORCING module, at the first skill assessment
personally used it since 200X- first with tunnels (SixXS),... It's good to know, because it has Priority over IPv4 and there are new interesting Attacks -SLAAC attack. It can also bypass IDS/IPS - IPv6 Extension Headers. IPv4 isn't dead, IPv6 allows new Attack Vectors 😉 https://www.google.de/ipv6/statistics.html about 40% not bad 😉
hello,
i need help with the Skills Assessment - Windows Fundamental
i haven't advanced for hours
hi Bruzzler, on what question are you stuck?
thank you for the quick reply
What is the name of the group that is present in the Company Data Share Permissions ACL by default?
Hey! I'm stuck on the bypassing web applications section of the Sqlmap Essentials module. I've tried various methods but most of my approaches fail because it seems that "t0ken" is not the csrf-token? I can't find what else would be considered the token. Anyone willing to help me out? Thanks! 🙂
sry smeboo, i haven't done the sql yet
That's okay! 😛
when you open the tab of the groups as indicated in the 'NTFS vs. Share Permissions' part it has a default group. The answer is its name
(i think its against server rules to just give out the answers)
can you send a screenshot of this? i can't find this
hi, i need help for the module Determine the Length for Shellcode - Linux x86 BOF.. ping me for DM TY
its the 4th on the table of contents
any hint on the SQLmap essentials skills assessment?
I found the post parameter and also a way to get a working injection, I can find the table names for the not sysdb, but I cannot dump them nor dump the sys dbs nor find the flag table
Try putting php code injection
but instead pwd try something that helps to see content
what do you mean exactly? I do not have read or write access, shell also doesnt work. I dont quite understand what you mean.
I'm soooo close, I run that gtfobin but it doesnt stick around for additional input, no errors. going to try some different payloads for a better shell
Maybe it doesn't work because you haven't found the place where u can have permissions, find that place first to make a file
Use the cheatsheet
and I got the root shell, thanks @west canopy
thanks for your effort but I really am stuck. Tried brute forcing locations, file read wont give me anything and file write wont work due to stacked queries not allowed
Well maybe u can dm me show me where u exactly are and might give u some more hints
hi, is anyone available to help for the module, ACTIVE DIRECTORY ENUMERATION & ATTACKS ?
Same for me. Did you find an answer to that ? Can you make it work with mimikatz ?
I haven’t tried mimikatz, let me try in awhile and get back to you!
All right. It does not work for me either... There might be a bug somewhere
Anybody online that has done the Metasploit section in the 'Web Proxies' module? I am trying to use MS to run an http_put auxiliary on a site, and I'm not getting any feedback through burp. I can send screenshot if that would help.
Run the previous job and use the correct IP address and port . Maybe this will help
use auxiliary/scanner/http/http_put
set Proxies HTTP:127.0.0.1:8080
set rhosts 138.68.175.87
set rport 30959
run
something like that
Got it, thank you!
no problem : D
I appreciate it brother! Happy hacking!
mimikatz is working fine. PM me if needed
i got both to work already! let's dm each other to avoid spamming this chat
Hello i have a problem with Module Information Gathering - Web Edition
Active Information Gathering => Active Subdomain Enumeration (The rest I did)
The problem is as follows:
nslookup and dig don't work with the generated target from HTBa (IP address), but with publicly available domains everything works great.
How do I get started?
I'd appreciate it
Skills Assessment - File Inclusion
Help - I try Burp but server don't return last logs :(
@rustic sage Maybe you did module Information Gathering, any hints will be great
hello anyone who made the section "Active Subdomain Enumeration" from "Information Gathering" module who can give me a hint
setup cannot continue this program requires that you have windows 8 or greater os version installed
i cant setup VMware
@tight mesa Hey and how did you start?,does not return any results for me
I edited /etc/host at first
I did ;c
cause is a vpn involved
;c?
after that, when i ran nslookup inlanefreight.htb i am receiving this message:
nslookup inlanefreight.htb 1 ⨯
Server: 192.168.11.2
Address: 192.168.11.2#53
** server can't find inlanefreight.htb: NXDOMAIN
@tight mesa try doing a zone transfer using: dig axfr inlanefreight.htb @ipaddress
it works perfectly
I forgot about DNS ... @1.1.1.1 in this case our dns it is address ip 😄
Thank you
Nice work 🙂
The /lucky.php page has a button that appears to be disabled. Try to enable the button, and then click it to get the flag. Now this question on the web proxies skill assessment is ridiculous. Lost count of the time spent altering the code in either repeater or just inspecting element and getting nothing. Is this just a temperamental piece of code or is there some secret sauce I've missed?
@lone gull I was able to get the flag by inspecting element but it took around 20+ tries
@lone gull Discard from server response disabled, intercept the click request and go to repeater, and send request 20x
or use match and replace and click on the website until the flag appear
Thanks @rustic sage @abstract frost honestly though I've literally done that so many times. It's just nauseating now 😅
@cold marsh which section ?
Determine the Length for Shellcode
i finished the module, i have a problem with the question associated with this section
All good i got you
bad format for the answer, i got this, thank you @west canopy
ty
could you find the answers?
Polish?
ah?
Hey. Anyone able to help with the Footprinting modules, DNS sections last question. I think I know what I should enumerate, but I'm having trouble figuring what I'm doing wrong with dnsenum. Cheers in advance
Hi, I am really new to hacking and I have some python coding skills and am really interested in hacking, I want to try to learn hacking to achieve something over the holiday.
hello anyone who made the section "Active Subdomain Enumeration" from "Information Gathering" module who can give me a hint
So where do we start?
there are several answers that are not shown when a zone transfer is done
for instance "What is the FQDN of the IP address 10.10.34.136?"
Are you a bot?
ok, if you perform a dns zone transfer with the dig axfr command some of the questions I guess must be shown in the output
LoL i'm not
Plz some1 help me
@tight mesa try doing a zone transfer against the subdomains you found from the initial zone transfer
Can i mention a mod?
Hello @earnest flame , can you help me to get started?
@bronze patrol DM me 🙂
Hey @gentle condor. I might recommend you start with the Cracking into Hack the Box skill path on the academy
Will do
It isnt an online academy?
Oh ok i see
Thank you so much @bronze patrol .
am just a little bit confused
Skills Assessment - File Inclusion
Help - I try Burp but server don't return last logs :(
someone?
A quick thought on "AD Enumeration & Attacks - Skills Assessment Part I". Maybe I got this all wrong and there's an easier way to do this, but I think the procedure to get the cleartext password of the second user is quite hard for beginners. I'd like to speak to one of the authors to understand the right path and to assess my enumeration flaws. I'll obviously tell what I did to achieve the goal. To clarify: I found the cleartext password in the end.
can you help me
@sly nebula you can DM me about it
thank you!
This is not a critique of the module, which I find awesome, rather a cry for help 🙂
always open to feedback!
hi, any hint for getting the flag from attacking common services section Attacking SQL Databases (Questions 2)
i got the mssqlsvc user password but it doesn't work on the mssql database
anyone up for helping on the sqlinjection module?
Anyone can help me with Command Injection / Skill assessment?
yes i can try
try to fuzz the move parameters
any help ?
and today i cannot rdp to my target
re downloaded vpn / reset multiple time the box
i think its my vm im trying another one
Re-asking:
Hey! I'm stuck on the bypassing web applications section of the Sqlmap Essentials module. I've tried various methods but most of my approaches fail because it seems that "t0ken" is not the csrf-token? I can't find what else would be considered the token. Anyone willing to help me out? Thanks! 🙂
I woke back up a little while ago so I haven't tried anything new
I actually figured it out but would someone be willing to elaborate a little more about why not including the phpsessid cookie would cause this issue?
ok nvm solved
Hi everyone 🙂 Is there anyone I can msg about getting CT***'s credentials in the Skills assessment II AD enum & attacks module
Dm
Guys, help, tried to use exploit on SimpleBackupCMS, but it says that auth failed, but passwd, login correct, what should i do? Thats "knowledge check" in "getting started"
hi everyone
I'm trying to copy linenum.sh to my ssh machine and host it from my kali linux (using python3 -m http.server). However it's not working. Can someone help me out?
what do you mean by its not working
give the commands you used maybe screenshots etc..
@rose maple try using wp_simple_backup_file_read in metasploit
Thanks)
cannot rdp to target on AD enumeration & exploitation module, anyone facing this problem?
used multiple rdp software on multiple vms
its just doing a black screen
yeah thats what im talking abt, windows machines are slow
i just can enter 15 seconds
Help, I'm currently reverse shelling, from the target machine to my parrot OS. I made sure I'm using VPN and tun0 IP but nothing shows on 'nc' listening port.
still stuck, am i missing something?
@mild mango @drifting knoll could you help us ?
hey DM
Trying to DCsync with mimikatz on AD skills assessment but getting an error and not sure why. Anyone available to check it out?
care if I DM for a quick question on this module as well?
Sqlmap case5 I am having issues having it find anything. Changed levels and risk. Basically it’s saying not exploitable or that I should crawl. Anyone have a direction I can look towards to try and work it out?
Hey!, are you copying the request as cURL trough the Web Developer Tools?
I’ll do that again, but I have done most with and without
Have you tried adding an * at the GET parameter "id"?
thanks. DM sent
I need help on this question. I've been stuck on it for a while and it is giving me much confusion.
Btw this is on the Hacking wordpress module: Login section
@raven cairn basically what we need to do is put some data in the body of a POST request to list all the method calls
Then in the response we can see all of the methods and count them
Nice work 🙂
I have also been stuck on this problem for quite a while. Not sure if I am doing something wrong, or if the module is wrong
I have been following the instructions exactly.
Hacking wordpress : Attacking Wordpress users
@raven cairn maybe you need to attack the target:port instead of www.inlanefreight.com
Academy is awesome :D I'm eagerly awaiting the lateral movement module :)
even when I think I know about the contents of a certain module, I find myself learning more :)
thanks also to the community for helping me learn
Hmmm. The module doesn't really say how you would go about doing that... And I haven't been able to find a way to specify it without --url.
Try this command instead: wpscan --usernames <> --passwords <> -t 50 --url <>
@raven cairn just use the target ip and port for the url
Both of those methods have not worked for me.
Got it! It was a couple fixes to my command. I needed to use sudo and specify http://
I cannot even RDP to it.
@rustic sage I've had issues with RDP disconnections too; usually if I stop and restart my VPN I can reconnect to the target.
I even created a new VM for it.
It doesn't work.
Just a black screen.
Maybe it has something to do with the "domain" field.
were you able to connect to targets from previous section(s)?
I had some trouble when I was working through Windows Priv Escalation , I would RDP and get a black screen. And on the targets that I could connect to, I could not download files to them. But after I restarted my router it fixed it.
oh i will give it a try later
Hi Tom, can you please give me a hint of getting the password for mssqlsvc account?
Hi, in BROKEN AUTHENTICATION > Bruteforcing Cookies No. 2, after I try base64/hex/rot13 and other methods, the decryption still fails. I don't know what the correct decoding is.
reread the "Authentication Mechanisms" part of that section
you can use the method in ||Capture MSSQL Service Hash|| in that section
Thanks a lot. Appreciate it:)
Remember to log in with the domain syntax 🙂
Perhaps this will help you:
https://www.geeksforgeeks.org/python-type-function/
Hi guys, I'm doing the SQLMap Essentials skills assessment and I can't seem to find the potential attack vector on the site. I've tried to use Burp and take requests of each page and added the "id=1" parameter for testing, but I get no results. Could someone hint at how I could find the attack vector? Thanks.
Attacking Common Services > Attacking DNS: anyone having a problem submitting the flag? I have found the answer but I get an error.
I need help with the Linux Privilege Escalation module skills assessment. I managed to find the right user and checked GTFOBins, but the problem is I don't have an interactive shell and I don't seem to be able to get a TTY?
Hi, I just signed up for the Academy after getting to the God rank on THM.
has anybody finished all the modules that are out?
I'm just wondering how long it took and if the estimates next to the modules for the time to complete are accurate.
Hey, performing active infrastructure identification against the host https://i.imgur.com, how can I identify the server name of the host?
its working now thanks
I'm completely stuck. I have not been able to find the name server under "Active Infrastructure Identification".
I performed a zone transfer with dig with no success.
whatweb and wappalyzer done with no success either.
What am I doing wrong?
Any hint will be appreciated.
module information gathering - skill assessment section
and this is the question, "Perform active infrastructure identification against the host https://i.imgur.com. What server name is returned for the host?"
ty
Is there a way to access the modules after the CTF closes?
oops
So it doesn't expire.
Wrong chat.
But yeah, with VIP you can access retired machines.
Then I don't know, I did not participate.
After all that effort, went back to it today, second go!
not really. But the write ups are starting to show up
I have a few of the challenges downloaded so that I can practice.
@west canopy the next question is horrendous though!
Hello! I'm doing the Cracking Passwords with Hashcat module and I need a pointer for the Hybrid Mode section. I've double checked that I'm doing a hybrid attack and I've tried all the possible attack modes for the given hash. Any help would be appreciated!
dm
hi guys
I am new here. Can somebody tell me what's going on in this server, what is this server for?
Visit hackthebox.com
I will see.
Hey guys, still stuck on the Hybrid Mode question. I know it's a SHA1 hash but all the hashcat commands I try don't work
But are you going to learn hacking or something else in this server?
who invited you?
I don' t know what I did, but I'm glad I did it!
did you get this answer?
yes, ty
Could use a hint on the Windows Privesc "Event Log Readers" mary question. wevtutil qe Security /rd:true /f:text | Select-String "/user" just spins without finding anything, and AFAIK I don't have the power to run the Get-WinEvent cmdlet.
Nvm, just had to kill the box and try it on a fresh one
does anyone know why when I run hashcat it runs for a few seconds and then shows me this: [s]tatus [p]ause [b]ypass [c]heckpoint [q]uit =>
and I'm not able to continue the brute force attack
I think its related to the restore support from hashcat. Does anyone know how to disable this?
Should be that if you hit s for status it'll show you the progress. It should still be running in the background. If it had stopped running, it'd show you a command prompt, not hashcat's interactive menu.
@lone gull lol. there's one question on the skill assessment where you have to fuzz a cookie and encode it bunch of times, that one gave me trouble
That's the one! I had to walk away I was ready to smash the keyboard! @west canopy
@lone gull feel free to DM if you need any assistance
Thanks. It's only 0600 but will do later 😅 @west canopy
I need some help on the “FILE UPLOAD ATTACKS” module, “Skills assessment” section. I’ve been stuck for hours with no progress 😩
@sage jackal DM me
In the File Upload Attacks module, when I'm looking for an alternative to .php to infect with, do I need to change 'shell.php' to, let's say, 'shell.php2' according to the one I find with the fuzzing? When I try that, all I get when I open the file is the string of the CMD prompt (<?php system($_REQUEST['cmd']); ?>) and not the actual shell.
What I mean is, after successfully uploading the shell and opening it with 178.62.119.24:30900/profile_images/shell.php2, all I get is an empty page saying '<?php system($_REQUEST['cmd']); ?>'.
Hi everyone, I'm stuck in "Server-Side Attacks - Skills Assessment". Can someone help me? I searched for past hints but nothing helped me 😥
@soft timber have you viewed page source and looked at the javascript?
thanks a lot for the hint, I found the flag. But... wtf ??? it looks more like a random ctf than a server-side attacks module 🥵 (but very nice module anyway !)
Hi, can anyone help me with the first skills assessment in the LOGIN BRUTE FORCING module?
where are you stuck exactly? You can DM me with what you have tried so far
Does anyone have a nudge on Attacking Common Services -> Attacking DNS? I just got an IP provided and don't know what to do. Edit: I got it.
I can help with bruteforcing as well @west olive
thank you very much but i think i got it from here
I need help in OSINT Corporate recon module, I don't know what have I missed but I can't find the bucket in Cloud storage section..
Looking for some advice on graduate school degree track if anyone wants to offer their assistance. I have a B.S. in Computer Information Systems and I was thinking about going for an M.S. in a Cybersecurity degree or possibly AI and Machine Learning. I'm just not sure what I want to do and wanted to ask the community if anyone might be able to steer me in a better direction.
Feel free to DM me!
@rustic sage yes DM me
Hi,
I am having issues with the Active Directory Enumeration & Attacks labs. The Linux machine has not been able to reach any of the target machines for the past 24 hours. Does anybody know how to report this problem or reach technical support?
Hello! If you're in the U.S., I'd recommend only going to an approved school [[ https://www.caecommunity.org/cae-map ]]. I finished my M.S. in Information Assurance (now Cybersecurity) from Capitol Technical University [[ https://www.captechu.edu/ ]] in 2012, and would highly recommend it.
@normal marsh Is it online by chance?
My school was, yes. It might have changed in 10 years, however. But I know several other schools were entirely online as well. We can continue in #careers-and-certs or a DM, if you'd like. Not quite a "Modules" topic :-P
Can anyone point in the right direction on the command injection skills assessment?
Am I correct in saying that the ||move|| parameter ||(move=1)|| is the vulnerable parameter?
||http://<ip-address>:<port>/index.php?to=&from=tmp%2F51459716.txt&finish=1&move=1||
I tried various inputs instead of ||1 in move=1||, such as: ; %3b \n %0a & %26 && %26%26 | %7c || %7c%7c
@naive ravine injection point is a little bit off. Feel free to DM
Hello guys, can someone help me? I'm stuck really badly on the STACK-BASED BUFFER OVERFLOWS ON LINUX X86 module, on the last question. I need /root/flag.txt really badly.
hmm
@sweet heron I can help. DM
@lucid mirage and I can't figure out the DNS section of Attacking Common Services. Any help?
just started going through the new metasploit module. Just wanted to say 0nenine9 did an excellent job. His writing is some of the best I have seen on the platform so far. To anyone that can forward this praise to him I would be grateful 😄
Attacking common services, easy skills assessment. Anyone?
Agreed! Was very enjoyable to QA and extremely well written. We 💚 0nenine9!
Active Directory Enumeration & Attacks
Section: Living Off the Land
Using the provided command
Cannot start it
dm
anyone available to help me on Active Directory Enumeration & Attacks
section Living Off the Land ?
stuck on getting the flag in description
Oh shit, I got it.
YEs
i can now go sleep without any problems
Just search for "bucket" in the source code of the page. I used the browser tools and looked inside the code for the bucket name.
Hello, in the Windows Fundamentals module, I created a folder on the Win10 machine with folder sharing enabled.
But when I try to use smbclient to connect to it I get this error: do_connect: Connection to 10.129.201.57 failed (Error NT_STATUS_IO_TIMEOUT)
My command is just smbclient -L <ip> -U htb-student. Any help?
Hey, can anyone help me with the skills assessment last question from Stack-Based Buffer Overflows on Linux x86? Damned flag.
Have you tried resetting the target / reconnecting your VPN?
I'm using Pwnbox.
And tried my own.
And yes, tried resetting.
Hi all. Can anyone give me a nudge on 'AD Enumeration & Attacks - Skills Assessment Part II?' 'Use a common method to obtain weak credentials for..' I don't know what the common method is? I've exhausted nearly all of the commands in the module, so obviously I'm doing it wrong.
Try password spraying
Hey, can anyone help me please!! There's a guy on TikTok pretending to be me and I wanted to see if anyone knew how to hack so they could possibly delete the account. I contacted TikTok so many times and they've done nothing about it, but the account is starting to get popular and my followers are seeing the fake persona thinking it's me.
Hello, you are on the wrong Discord
Is there a Discord to help?
Uhhhhh, nothing here, no.
Anyone down to start a beginner group & learn together? If so, lmk!
Hi, I'm having issues with the CRUD API in the Web Requests module. The Pwnbox loads, but when inserting the given generated IP address and port, the webpage doesn't load.
No one will help you there.
Okay, thanks.
Script Bash https://youtu.be/oyGNZwTbyQ0
Hello, my name is Camilo Vargas, I'm from Chile, I'm in the second year of a cybersecurity technician degree. And I have a question if you can help me... I have to choose between red team or blue team... or can I learn from both?
Heyo.
Red teaming is more attacking than defending, while blue teaming is focused on defending.
I guess you don't have to choose one of the two, just do what you like to do.
Ok, thank you...
Hey! I'm stuck on Server-Side Attacks, Nginx Reverse Proxy & AJP.
Each time I try to set up the environment I get this message:
nginx: [emerg] "location" directive is not allowed here in /etc/nginx//conf/nginx.conf:65
I don't know what I am doing wrong...
Hello, I am on the 'Using web proxies' 'Proxying tools' page. Having trouble with the metasploit example, using msfconsole > use auxiliary/scanner/http/robots_txt > set PROXIES HTTP:127.0.0.1:8080 > set RHOST SERVER_IP > set RPORT PORT > run, and I get this error: 'Msf: OptionValidateError The following options failed to validate: RHOSTS. Could someone help me understand what I might be doing wrong? I fired up zaproxy in case that is needed, and that didn't resolve.
Alright, at Active Subdomain Enumeration, but I've been having issues finding the TXT record. Was able to find zone transfers but no TXT record.
Have you tried set RHOSTS SERVER_IP? show options could help.
I did set RHOST SERVER_IP per the instructions, and then also tried adding an S for set RHOSTS SERVER_IP, but no dice.
Run show options; it will display all variables with their settings.
I also got an error for set RPORT PORT: the following options failed to validate, value 'port' is not valid for option rport
And then it says rport=>80
Maybe that's the actual issue going on.
Just to be clear, you need to specify the IP and PORT as digits: set RHOSTS 10.120.256.23; set RPORT 8080
I just put a random IP as a sample; you need to set the IP of the web server you want to reach.
Or set RHOSTS mywebserver.domain.com
So I tried the exercise 'Try running 'auxiliary/scanner/http/http_put' in metasploit on any website, while routing the traffic through Burp. Once you view the requests sent, what is the last line in the request?' --- so I tried use auxiliary/scanner/http/http_put > set RHOST www.oldschool.runescape.com > set RPORT 8080 > run, and I get 'File doesn't seem to exist. The upload probably failed'. When I check ZAP (used this instead of Burp), I don't see any requests that were intercepted. I made sure the red light was on. Any ideas? Thank you for your help btw.
Check the proxy settings in ZAP; maybe it's not 127.0.0.1 but your eth0 or tun0 IP, same for the proxy port. You can do nc -v 127.0.0.1 8080 to check if you can connect to the proxy. Check the URL or put params in the options of the Metasploit module.
So my ZAP local proxy setting shows address: localhost, but I should change that to 127.0.0.1 for it to work? I see that as an option in the dropdown.
I've just been following along in the HTB Academy module and figured my settings should be configured to work with the exercises lol.
localhost is the same as 127.0.0.1.
Particularly considering I have used ZAP with FoxyProxy, and FoxyProxy is set for 127.0.0.1.
Yeah, ok, that makes sense then.
But that also means switching it to 127.0.0.1 won't fix my Metasploit issue lol.
The proxy port is set to localhost port 8080 in ZAP, and that has worked with all the exercises using FoxyProxy in Firefox. And since the proxy in Metasploit is set as HTTP:127.0.0.1:8080, should be good on that end, right?
Yes.
And for "File doesn't seem to exist", it shouldn't be that use auxiliary/scanner/http/http_put is incorrect, since I ran msfupdate before getting started?
Something I do not get is that you want to get the robots.txt file and you are using a PUT exploit... it should be GET to download a file.
I gave up on that one and started using auxiliary/scanner/http/http_put per the module exercise instructions.
the robots_txt was for the module example
Primarily b/c I wasn't sure what IP to use lol, and the exercise said to use whatever website I wanted.
Yes, for a GET almost any website should work.
But for a PUT you need a URL that allows you to upload a file.
Or send a request.
Should google.com work in that case? Tried that one too with no luck.
No, you need a REST API that allows a PUT. Don't you have some hosts to test in the module section?
Nope, that's what confused me most about this section. No target.
'Try running 'auxiliary/scanner/http/http_put' in metasploit on ANY WEBSITE, while routing the traffic through Burp. Once you view the requests sent, what is the last line in the request?'
Ok, you should see the request with a response (404 or 403 Forbidden).
Either way, when I hit run, shouldn't a request show up in my ZAP window?
Yes, if the proxy is set in Metasploit you should see it.
FILE UPLOAD ATTACKS | Can someone help me with the part where you're supposed to look for a working .php file extension to infect with? I've found a bunch of working ones through Burp, but when I upload them, instead of a webshell, all I get is a string saying the shell command and a blank page: <?php system($_REQUEST['cmd']); ?>
Try <?php system('linux command'); ?>
I need help with Vulnerability Assessment.
Hi, would it be possible to unlock a whole path, instead of separate modules?
Nvm, needs a shitload of cubes for everything.
I'd need a nudge on the Metasploit Framework module, Meterpreter part (specifically how to detect which exploit to use).
Can anyone say if I'm missing something in Attacking Common Services? The question is "What is the password for the username "jason"?" and I have been bruteforcing SMB with usernames jason and robin with different wordlists without luck (crackmapexec, msf smb_login...).
@urban anchor I think I know what the issue is. I had the same issue. cme showed me a false negative
and so did hydra for that matter
All of the bruteforcing tools I used do the same. Just failures.
Read the list manually; I think you'll figure out which password was supposed to work.
Hydra is giving me an error. Do I need to install something to support SMB2/3? [ERROR] target smb://10.129.92.48:445/ does not support SMBv1
I feel so stupid. I didn't read the list from the resources, I just used my own.
Nmap service detection. The banner is the hint.
Hi, has anyone completed the server-side attacks skills assessment? I am not able to find an endpoint. Anyone able to help me?
Just ask the question, bro.
Identify how many zones exist on the target nameserver. Submit the number of found zones as the answer.
I type nslookup -type=any -query=AXFR <domain> <nameserver>
Can't seem to remember this one, but the answer is usually in the cheatsheet.
Who wants help?
Hi everyone, I have a question related to the Bug Bounty program. I didn't find the flag and have been struggling for 3 hours. Who can help with the request model?
I'm struggling on the POST part.
Hi, I have a question.
What is the FQDN of the IP address 10.10.34.136?
But in the zone transfer list it isn't present.
Why?
meterpreter > hashdump
[-] priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect.
Module: METASPLOIT FRAMEWORK
Sec: Meterpreter
Because I had the proxy set up but wasn't seeing it come through ZAP. I opened up Burp with the exact same settings and was able to see the request come through from Metasploit. Do you know what I might have been doing wrong in ZAP? Skyfr couldn't see it in ZAP either but did in Burp.
Anyone having an issue with the File Upload module, the one with bypassing filters? My payload got reflected as a comment in the page, and same problem using the phpbash payload.
for which module?
There are several possibilities:
- You did not find all zones and therefore could not perform a zone transfer.
- The server does not allow zone transfer.
Hello! I have some questions on the Footprinting module, in the DNS section. A bit of help?
What do you want to know? If you specify your questions, you will surely find help here.
Information gathering module
You have not identified all the zones.
Hi, last time I tried 'Web Requests - CRUD API' I updated and removed the city, then searched, but did not find any flag.
When stuck on DNS issues, check the man pages for dig. ;-)
But I don't see this IP in the subdomains list.
Because you did not query all zones. There is more than one zone 😉
thanks 😉
Hi all,
I am currently doing the File Upload Attacks, Type Filters exercise: https://academy.hackthebox.com/module/136/section/1290
I think that I managed to find the right combination: the file type allowed, ||.jpeg or .jpg||; the correct format of the PHP file extension, ||from php to php7, as the server response is just "extension not allowed" rather than only "images are allowed" when I attempted to use files like .phps, .phar, .pht, .phtm, .phtml, .phpt and .pgif||; and
the correct whitelist filter: ||shell.php\x00.jpeg||
The response from the webserver is that the file has been uploaded successfully:
However, when I attempt to locate the file as man4.php, without the \x00.jpeg part, I cannot locate it.
I believe that it's not the same issue.
What section are you on? My account is F so I can't check your link.
Type Filters.
The above server employs Client-Side, Blacklist, Whitelist, Content-Type, and MIME-Type filters to ensure the uploaded file is an image. Try to combine all of the attacks you learned so far to bypass these filters and upload a PHP file and read the flag at "/flag.txt"
How do I get IPs and locations?
Ok, I'm losing my cool on the hard skills assessment of Attacking Common Services. I'm at the last steps, but using mssql is such a pain and I need to work from the Pwnbox because it doesn't work from my own box, so it's double pain xD
Finally. It was a quote problem: you can't use '' inside '', but only "" inside '': ok ' "x" ' ; not ok ' 'x' '
I need some serious help with Information Gathering - Web Edition, in Active Subdomain Enumeration. I can't figure out how to find the FQDN, or maybe I have and just don't know the answer format?
@broken warren DM me 🙂
I started today in the Academy on the Cracking into Hack The Box path. And the first module was the HTTP one, but I'm stuck. Is that the first module I should start with?
Anyone know a place with unbiased reviews of individual modules? Seeing them all as 4.5-5 stars on the HTBA website makes it hard to pick the good from the bad.
I've enjoyed every module except SQLMap Essentials and Broken Authentication.
Have you done any of the Active Directory ones?
Yep
Are they all as wall-of-text as the Intro one? Or does it get a bit more dynamic?
All the enumeration ones are pretty challenging.
But it's all running queries.
There's a lot of reading
I'm cool with that. The intro one just seemed like an endless series of definitions with only occasional reference to why it was important to know
thank you
np
Which Windows NT version is installed on the workstation? (i.e. Windows X - case sensitive)Find the non-standard directory in the C drive. Submit the contents of the flag file saved in this directory.
SQLMap skills assessment: I cannot find where the injection point is on the website.
I can't see anything in Burp or the network tab.
This is a bad skills assessment IMO.
The answer will be pretty easy; don’t overthink it. Type in Get-WmiObject -Class win32_OperatingSystem | select Version, Buildnumber .
Lol, I actually didn't mean to send this. I was searching for the questions in the search bar. My bad.
I've found that sometimes when you search the questions, angels reply with cryptic hints. It's cool.
For the Broken Authentication module, Predictable Reset Token exercise: do you also need to take into account the timezone difference?
@raven cairn try adding an item to your cart and intercept, it will be a POST request
Did you solve this?
Hi all, can anyone help with the Type Filters section exercise of the File Upload Attacks module?
No, not yet. I feel I am close, but not yet.
Did you manage?
No, I realized I'm stuck at an earlier stage, blacklist filters. I'm having the same issue:
When trying to open the file, all I get is blank text.
I managed to get a file uploaded successfully in Burp Suite, but then I am having trouble
finding the file when I try to find it by navigating to the URL.
I'm not there yet, but maybe you have to add the \x00.jpg ending to the URL as well?
I tried... the \x00 should cause the web server to drop the last file extension as far as I am aware... not sure what I am doing wrong though.
What if you replace \ with %5C? Sometimes the URL bar changes \ to /. Just guessing though lol, I'm still stuck in an earlier part 😄
Same issue.
Same error with the phpbash payload.
Any payload, tbh.
It always reflects on the site like a comment.
I've tried all the extensions that are available and the same issue persists. Is there a possibility that it's broken?
Yeah, it doesn't seem like it's an extension problem, because the file uploads anyway.
I think the page is broken; a header has been removed, maybe, idk.
Guys, I have a problem.
Tell us more, maybe?
Hi, in Active Subdomain Enumeration inside the Information Gathering module, there's a question: "Submit the FQDN of the nameserver for the "inlanefreight.htb" domain as the answer."
But... I don't really get how we can get the NS of the DNS resolving inlanefreight.htb... because I can't find any DNS resolving it (should I?); mine is inside /etc/hosts, so I don't think any NS is going to work?
One of the commands in the module will show you the FQDN.
I still don't understand how that command can get me the FQDN of an NS when inlanefreight.htb is not resolved by anything but my hosts file.
Try with just IP:PORT.
Yup, nothing seems to work m8 hahahah.
Idk why I got stuck on this. I mean, I think I understand everything in this module and had no problems answering the previous questions.
Password Attacks: Password Mutations. I am stuck here forever. I am enumerating and enumerating and I cannot find a hint to reduce the length of my password wordlist. I have found one thing about the password policy, but this still leaves me with around 90K passwords, so brute forcing will take forever. Anybody who did that module can give me a hint?
Does this work: nslookup -type=NS inlanefreight.htb {IP:PORT}
Hm, yes... what would be the dig alternative?
dig inlanefreight.htb {IP:PORT}
I was using this but it doesn't work: dig NS inlanefreight.htb @10.129.92.229
nslookup -type=any inlanefreight.htb {IP:PORT} -- try this
And this one doesn't work either. Maybe it's a thing with dig? I thought I could choose either of them.
I solved this issue. MAJOR SPOILER AHEAD!!!!!!! If you have been stuck for a very long time, this is the solution: ||http://<ip-address><port>/profile_images/wsh.jpeg.phar?image=cat /flag.txt||
Thanks, this worked. Weird that no other extension worked even though they returned 193.
Welcome.
How about dig any inlanefreight.htb @white rock:port | I remember I struggled with this one a lot as well.
Yeah, this does seem to work haha, though now I'm stuck with the "Find and submit the contents of the TXT record as the answer." question. There are no TXTs in inlanefreight.htb lol.
I had similar issues here as well, remember to choose the cookie 😉
Hey guys. Need a nudge on file inclusion
Thanks, I was able to work through it. I had to review the response and replay the correct one.
Try with txt instead of any.
No, that's not going to be it 😦
I'm on Attacking Common Applications assessment 1, found answers 1, 2, 3 but I'm stuck on 4. In the module I used the manager page, but that seems to be disabled. Anyone able to give me a nudge in the right direction?
Good evening!
Active Directory enumeration and attacks
AD Enumeration and Attacks - Skill Assessment Part I
I have two questions: 1. Can you help me with "Find cleartext credentials for another domain user. Submit your username as an answer."
2. I was able to get the MS01 flag via ||"Invoke-Command ***"||. Are there other ways to get the flag?
Does anyone know how to write this in the URL? The \x00.gif part does not seem to be there even though I uploaded it successfully.
Same issue with a different kind of file:
You are correct, there is no TXT record in inlanefreight.htb. But there is a record attached to one of the subdomains.
All this does is upload an image. Why is this? This is exactly how they do it in the instructions:
Any hint on SQLMap Essentials -> Skills Assessment? I am stuck. I know I have to use one specific tamper script, but I tried adding some more and using a proxy and so on but I can't figure it out.
Yo, what's up with this new module? I tried the eternalromance and eternalblue exploits but it still doesn't work.
I'm talking about the USING THE METASPLOIT FRAMEWORK
module.
DM me
dm me
No, it's fine, thanks.
The problem was that LHOST was set to my local IP by default.
That's why it didn't work xDDD
DM me if you still need help.
I'm stuck on Attacking Common Applications Skills Assessment II. I've done it all the way to the flag.txt but I'm stuck on the "what is the URL of the WordPress instance" part.
Thx, I'll send you a message later 👍
dm me
Look at your URL bar: you have .pht instead of .php.
Anyone able to help with Broken Authentication, Reset Token section? I'm not sure why my script doesn't give the right token. What am I missing?
Hello! Can anyone give me a hint on Broken Authentication - Skills Assessment?
dm
dm
should I be inspecting them one by one?
I'm not understanding the logic here tbh
I think I'll go crazy now. Been at this for like an hour or two and log poisoning just doesn't work. I don't see any other way to get RCE on the server.
https://youtu.be/bD8FBM7jZkY
Skills Assessment - File Inclusion BTW
dm bro I will help you get there
Will do, thanks
Does anyone know if one can use OpenVPN in one's VM instance?
Yes, you can.
Broken Authentication module, cookie bruteforce: I can't seem to find the right "super user" role for question 1. Tried a lot of possibilities, not sure how to script it for real bruteforcing. Read that it was guessable, but not sure from which wordlist.
LOGIN BRUTE FORCING module, 2nd skills assessment. Can't find the name of the user...
dm me
dm me
It's on purpose: .php is blacklisted, .pht is not.
Hi! I'm stuck on the XSS module. Can somebody help me please?
Which part precisely?
Phishing. I have a payload that works, but when I try to send it to the server from /send.php I get "Issue in sending URL!"
Hello! I'm having an issue with the Shells and Payloads module's Live Engagement section. Can someone assist?
I'll go check it. Did you URL-encode it (just a guess)?
Disregard my previous request. I figured it out.
I'm making progress in the skills assessment of Broken Authentication, but kind of lost as to what to do next with all this info.
Hey, is it possible to open smbclient in Windows?
Hi, trying the updated File Inclusion module, unable to read the flag in the Automated Scanning section.
Fuzz the web application for exposed parameters, then try to exploit it with one of the LFI wordlists to read /flag.txt
I tried finding exposed parameters and then used one of them to exploit using an LFI wordlist, but the responses I am getting are huge and I don't know how to proceed after this.
Can anyone help?
@rancid holly DM me!
I'm in the Using Web Proxies module. I have to do a spider scan with the HUD and nothing loads. Is there another route to go to find the flag? I wanted to use the tool it was based on but I feel I am missing something.
Nvm, looks like if I open Firefox from ZAP it breaks, but if I use FoxyProxy in the regular one it works...
Hello fellows, can somebody help me a little bit with the Web Attacks assessment? I've been stuck for a while here...
Hello everyone, can anyone help me with this?
Which exploit should I use?
fml
Got it.
It was obvious after I looked at the source code, but what does that have to do with the module?
It's a good habit to get into: reading code. The more you do it, the clearer it gets.
Where exactly? Maybe I can help.
Can you or anyone help me with this? Im stuck on the same
@edgy flame DM me
Trying the Web Proxy final assessment, second Q. I have to encrypt it again; do I add the "$"s around the full cookie or just the end?
Click clear, then highlight what you want to fuzz and click add.
Sweet, adding a number to fuzz at the end and encoding the whole thing is what's throwing me.
you can DM if you need help !
can anyone help me with this one?
its from new module using the metasploit framework
Start machine, and then start recon, and you find a vulnerability those exploited via Metasploit, use this exploit, and gain a shell on victim machine, and see who you are on victim machine.
I see ssh and http ports open, im trying different exploits but still no success
I have a gobuster question
I was told Gobuster will look down subdirectories in DIR mode, but it doesn't seem to do that for me
I only get directories in the path I give it
I don't think gobuster can go recursive?
PASSWORD ATTACKS / Network Services
"Find the user for the SSH service and crack their password. Then, when you log in, you will find the flag in a file there. Submit the flag you found as the answer."
Could someone who has solved this Password Attacks task tell me whether the username and password are in the resource lists? I have already tested the entire list of users several times from the Pwnbox and a virtual machine, but I didn't find the username. I got in via WinRM and pulled the users, but it is none of those.
I'm using these commands:
hydra -t 4 -L <userlist> -P <passwordlist> <ip> ssh -V
hydra -t 4 -L <userlist> -P <passwordlist> ssh://<ip>
In the Using Web Proxies exercise, I used ZAP to fuzz cookies, and the exercise said to use an MD5 hash for the cookie. How could I have figured out that the hash needed to be MD5 if the exercise didn't tell me so?
Can anyone give me a nudge on the Broken Authentication skills assessment?
It's been hours trying to break them
Can someone help me with the Broken Authentication module, Predictable Reset Token "Create a token on the web application exposed at subdirectory /question1/ using the Create a reset token for htbuser button. Within an interval of +-1 second a token for the htbadmin user will also be created. The algorithm used to generate both tokens is the same as the one shown when talking about the Apache OpenMeeting bug. Forge a valid token for htbadmin and login by pressing the "Check" button. What is the flag?"
Can anyone give me a nudge with the Common Web App skills assessment 2? I found everything but the WordPress URL. I am missing something obvious, but I am out of ideas at this point.
When you click on get token for htbuser, a token for htbuser is generated based on the code mentioned in the module. And in the interval [-1,+1] around the creation point of the htbuser token, a token for admin is created.
Look at the vulnerable code: you see that the generated token uses the value of Unix time in milliseconds.
Get the current Unix time in milliseconds and try generating a token for every value in [-1000,+1000].
Then use it to check to get the flag.
Okay, thank you.
Hey guys, need a nudge on File Inclusion (Automated Scanning part).
Check the SSH/HTTP banner.
solved
Try different wordlists than the provided one. It is one of the users. You can actually kick out a few of the found users (those that you used for other services, those that are unlikely to be cracked). This left me with just two candidates.
Hey guys, I cannot solve the Broken Authentication Default Credentials question.
Can you help me, please?
This challenge is more like OSINT, bro. You should refer to some documents the module mentioned.
And don't forget the title of the page; it will give you the most important information.
Hey guys, SQLMap Essentials => Skills Assessment
Do you have any idea where I can find any parameter? Every feature on the website doesn't work :D
I found this ||advantech|| but I cannot find the answer.
Yes it's advantech
and what is the password?
Search Google for this keyword: "webaccess hmi/scada default credentials"
You will see it in the 192-168-1-1 URL.
Thanks, bro.
Got it, thanks.
You're welcome.
Are you still stuck?
Not gonna lie, struggling a bit with this one... still hitting walls on the password reset.
I've done it. I can help.
I have the admin user, have the token, etc., but failing on the password reset for some reason.
I did not need an exploit from the web. WPScan gave me the vulnerable plugin, then I used curl to get the flag
Hey, can I have help on the Locations questions in the OSINT: Corporate Recon module?
@mild orbit you can find the cities from the site inlanefreight.com.
Could I get a nudge on Windows Privilege Escalation Skills Assessment - Part I, question 2? Haven't made any progress in finding the ldapadmin password in hours, tried (edit: removed tools because one of the was right and I’m getting DMs from people where it threw them off) got it
@mild orbit dm
Anyone completed the new Metasploit module, Meterpreter section? I've identified a vuln, but msf says it's not vulnerable. Forcing the exploit doesn't help.
Idk, couldn't find a banner one which worked, but I tried to search an old sudo one like sudo 1.8 and it worked.
Hi, I'm trying to solve the Automated Scanning section of the File Inclusion module, but I can't find the parameter. When I scan with ffuf to find the parameter, I get a 200 status for everything in the list. Can someone give me a hint where I screwed up?
@bleak wedge DM me 🙂
DM if you still need help.
Hey, how do you use smbclient on Windows?
Hey everyone, quick question. Someone is trying to scam me and I made them give me an account number.
Are there any OSINT tools to see who it belongs to, or is that PII protected and the only thing I can do is just report it?
what kind of account?
bank?
Still stuck at the Broken Auth skills assessment if anyone is available. Or the Skills Assessment II in Attacking Common Applications.
It's a Spanish account - openBank
ok
I do not think there is a good way to do that.
Any other info on the scam (DMs might be better for this)?
I mean, what was the scam and where did you find it?
Also, phone numbers are much better for searches.
Can anyone recommend me a good exploit? I'm at "Using the Metasploit Framework".
I am doing this right now as well; check one of the HTTP ones.
The question is: What is the CSS "property: value" used to make an HTML element's text aligned to the left? The simple answer should be "h1 { text-align: left; }", where h1 is the element, the CSS property is text-align and the value is left. Somehow this is incorrect! I've completed the entire module except this one question; please, someone help!
try
text-align: left;
Seriously?? That simple? I always thought CSS has to have {}. Thank you soooo much.
You're welcome lol
I need a job. Any pay will go
You mean Microsoft IIS httpd 10.0?
I mean one of the ports that have HTTP gives a name that, if you search for it in Metasploit, you find an exploit.
httpapi? xD
This is real pain lol
Port 5000. Jared, I tried going to the website with these ports too, but that didn't work.
lol
Hello
In the Command Injection challenge, does anyone have any hints? I try to move the file but I don't have the permissions, and when I try to copy it, it seems the request isn't being filtered properly.
Anyone able to give a nudge for Win Privesc Assessment Part II? I've got the creds, but can't login as the user. Guess I should take the AD class next 😅
Have you figured out yet?
uhm
Hey guys, I did some research on Active Directory, and is it basically how companies manage permissions/authentication for users and groups in connection to things like printers, databases and file shares?
Like, is that a definition that describes AD decently?
I would say that's a good definition.
what is an example of it that I might have experienced in my lifetime/everyday life?
Or most people do.
A tree can be used as an example.
Hm, with the branches being the groups and the twigs users?
Also, what about some examples, as in when I use Active Directory?
Hi bro, can you help me? Did you find anything?
What else: a company building that has security checking every person, and every person has either a card that gives them some access to the building, either floors or rooms, or key(s).
And those rooms give you access to something, and so on.
OK cool, finally it makes sense, thank you.
@red obsidian
Can I DM someone for the Server-Side Attacks module, page 15?
Why, when I tried to list files using tplmap os-shell, does it only show me 1 file, but when I list it on the web it shows me more than 1 file? And how do I view hidden variables? 😂