#modules

Hello everyone, I'm new to htb academy, and I have a problem that I can't access the modules, that is, when I want to unlock it seems that the button is bugged, I don't know if anyone knows what to do or who to talk to exactly.

Can someone give me a hint on the Filter Contents section in the Linux Fundamentals module on the last question were I need to filter out all unique paths on the website. I was trying to filter out the void, than to sort but I can get further in that. Have anyone a hint in this what to do first?

Hello ! Did you able to solve the problem I stuck in same place too !

Yes, I made a small mistake. I may be able to help.

Is it okay if I DM you ?

Yes that’s fine

hi guys, need some help with the bash module

just ask

I need an "If-Else" condition in the "For"-Loop of the "Exercise Script" that prints you the number of characters of the 35th generated value of the variable "var".

I need some help nothing i do seems right

for things like nibbles foothold, i assume if netcat isnt getting a connect back, might need to dc and restart vpn and try to get a new box/ip

you can just leave an else statement black iirc

it gives it an out if it doesnt match

@static bloom was the above for me?

the above two were

dont understand

do you have an else statement in your code?

yes

if [counter -gt 35] / if [counter -lt 35] else, else echo var | wc -c

want to see the actual code i wrote?

i'll PM you the code

please dont

ok

leave stuff here so everyone may get value out of it

am windows person but im wondering if that done terminates your script right there and nothing else happens

i do get a count but it is wrong. this count is 4 , the first time is was 588K (code slightly diff)

another try

so when i upload the php file for nibbles, the box becomes unresponsive.

Nevermind, got it

I feel like an idiot on this one, but for some reason I am just not able to parse the question. I am doing the Vulnerability Assessment module, and I cannot for the life of me figure out the second Nessus question: "What were the targets for the authenticated scan?". Isnt the target the host itself, that Nessus was scanning? Or am I completely misunderstanding the wording?

Oy vey, ignore me. I got it, though I swear I put that answer in earlier and it marked it as wrong 😅

with someone with little to no tech knowledge, is Infosec foundations the best starting point on the academy? Is there any other recommendations?

Anonymous profile pic

I would say so. The modules have lots of information and can be brutal at times so I would recommend taking notes and reviewing. If you jump straight into red teaming without knowing the fundamentals you will not make it far. Good luck on your journey!

@raven cairn thanks for the reply and glad you noticed the joke. I shall start there.

Hi

I want to start learning about pen testing, should I learn about networking and sec before going into that or...?

https://m.youtube.com/watch?v=2LOtBpA7W_M

Watch the above video. It gives great advice

Good foundations are important. You don’t need to be an expert on networking and security but it will definitely be beneficial

has anyone else noticed the HTB Viewer being slow today?

I've also had more targets fail to spawn recently, though not too big of a problem since they sort themselves out after four or so refreshes

how to setup linux?

Are you trying to set it up in a VM, or bare metal, or WSLv2?

vm

If you're unfamiliar with linux, I'd recommend starting with something like linux mint or fedora

how do you get those?

You download the iso file from their websites, and in virtualbox, click new, set it up with memory and etc. and then add it under the storage option

I have hyper v

A youtube tutorial will show this better than I can type it

alr

https://getfedora.org/en/workstation/download/

how long does it take to download?

I think it's about 2 Gig's

So depends on your internet speed

ok

how do i get on the desktop in MSF

modules

Could I get a nudge on the 3rd question for the SQLMap Essentials Module under the Bypassing Web Applications Protections section?

Never mind just figured it out after reading through the curriculum again. If anyone needs help with SQLMap Essentials don't be afraid to DM me.

Active Directory skill assessment #2: + 1 Crack this user's password hash and submit the cleartext password as your answer.

can i get a hint plz

Struggling with targeted kerberoasting

In attacking common services section attacking sql databases, how I'm supposed to enumerate the flagDB database I have no rights to use the database, also I tried to impersonate but the output shows I have no impersonate rights?

Wondering if someone could point me in the right direction for solving the 2nd last question in the ffuf Web Fuzzing Skills assessment '...you should be able to find multiple parameters that are accepted by the page. What are they?" . I have tried the following but all results give 200 and Size 774 ffuf -c -w /opt/SecLists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://faculty.academy.htb:31950/FUZZED/FUZZED.php7 -X POST -d 'FUZZ=key' -H 'Content-Type: application/x-www-form-urlencoded' I have fuzzed part of the answer not to give it away to others.

use the method in ||Capture MSSQL Service Hash|| in that section

i have used the method and captured and cracked the hash

but I did not find a way to use it to login mssql

how can i use it?

use ||Sqlcmd - Connecting to the SQL Server|| but for linux and domain syntax

Hmm not sure do I follow, can I dm?

yes

Has anyone been able to get zaproxy working in the HTB Viewer?

I'm unable to add items to the scope via the zap HUD, it stays greyed out

I had to use my own VM to get it working. I've heard you have to install it on the pwnbox manually

thanks, I even tried it on my own machine to confirm that this wasn't a zap bug

Do you know where the VPN file is? I've read that it shows up next to the Cheat Sheet on the bottom of the page, but its not there for me

I'm on the Using Web Proxies section

Or is this one of those sections that doesn't have a vpn file

I also grab my VPN from your profile settings

Make sure Zap is also updated.

Got it, thanks!

Every reddit comment was posting that it was next to cheat sheet, but I guess they changed it

Hi I am stuck with sqlmap essentials case 10. The HTTP request doesn't give me any info. Could anyone give me hint? Thanks

Is there a way to add a hex decoder to zap?

supposedly Encode/Decode/Hash provides this, but it's not showing this option for me

Yo ! Anyone good with Server Log Poisoning I can DM ?

damn, zed doesn't have from and to ascii hex, I wonder if it's to avoid copyright claims from burpsuite, cause it seems like a simple feature

Hey, I'm stuck on one of the exercises of the metasploit module. Specifically it's the final exercise about sessions. The general task is to exploit elfinder, get a session running and then to use another exploit to get root access. I found the elfinder exploit easily, but I'm having trouble finding the right exploit for the privilege escalation. The description states "The target system has an old version of Sudo running. Find the relevant exploit...."

Any hints on how to find the right exploit?

||CVE-2021-3156||

Hello, I have a problem when unlocking a module in the academy, the unlock button is malfunctioning, that is, it is bugged, it only moves the web text a little when I touch it and it does nothing else. What could I do?

?

What module do I unlock after I finish intro to the academy?

What module do I unlock next?

Take a look at this path: Information Security Foundations
https://academy.hackthebox.com/paths

You will get a good basic knowledge

can anyone give me a little nudge on SQLMap essentials skill assesment?

I can

Can I get a nudge on the SQLi part of the Web Services and APIs module?

https://academy.hackthebox.com/module/160/section/1474

@naive ravine second question? try using ||SQLMap||

Yes second question thanks

Hello guys. I'm doing the hacking wordpress module and I'm doing the final page with the final question, and I don't even see how can I obtain the wordpress version. Could anyone help me pls?

@hollow drum try exploring the website , eventually ||you will find a vhost which is using wordpress||

I have been exploring the website for a long time and didn't see anything. Maybe I'm too bad

Thanks for the help @west canopy I'll keep on trying

if you need a nudge feel free to DM me 🙂

Thank you 🙂

Okay thank you, I got what you were saying about de vhost. Thank you sir. You are a boss

someone for Linux Local Privilege Escalation - Skills Assessment (for the bonus) ?

anyone? Bueller?

@boreal vine which flag?

Could I get a nudge on the SQLMap skills assessment? EDIT: Actually I just got it. Thanks anyways guys! 😁

@kindred prism DM me

Hi guys. Anyone some help with "Trick" machine?

#boxes

I'm not understanding how to do this. could someone help me out?

I RDP using the creds at the bottom. Should I be using Bash or powershell?

Once the remote session opens i'm assuming i need to run get-alias -ipconfig ? Not sure where i run this command? Do i use the remote session window and open up a CMD prompt? this didn't work.. Any help would be greatly appreciated.

ahh nvm. i figured it out. meso silly

Any help with Web attacks question: Repeat what you learned in this section to get a list of documents of the first 20 user uid's in /documents.php, one of which should have a '.txt' file with the flag.

Hello everyone,
Stuck on this question.

What was the filename of the image that contained a certain Transformer Leader? (name.filetype)

Can anyone help me, I am trying to understand a certain command which gave me a correct answer. Was so frustrated I tried searching for the answer. But I can't quite figure out why certain flags are used.

Currently bussy on the Linux Fundamental course; filter contents.

Windows Fund.
Windows Subsystem for Linux.

I'm just going through the module and it tells me to do this.

WSL can be installed by running the PowerShell command Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux as an Administrator.

I try running this in PS in the RDP window but I don't have admin priv. Doesn't give any instructions other than that. Don't really want to skip past this. What would i need to do to get admin priv?

@weary stream i can try , feel free to DM me 🙂

@hazy grotto been a while since i went through that module, i don't recall working through this step but i don't think its necessary to solve any of the questions

@neon granite which module/section is that from?

If anyone out there had done intro to bash scripting module. On the section comparison operators.

Question- Create an "If-Else" condition in the "For"-Loop that checks if the variable named "var" contains the contents of the variable named "value". Additionally, the variable "var" must contain more than 113,469 characters. If these conditions are met, the script must then print the last 20 characters of the variable "var". Submit these last 20 characters as the answer.

@wheat garden DM me 🙂

Ok

@hazy grotto try|| thinking of what the linux equivalent of ipconfig is||

Hi there! I’m stuck in the Web Attack assessment. I could enumerate all users and change all their passwords, plus logged into their accounts with BurpIntruder to analyze the response in the profile.php. But I haven’t been able to find something to escalate privileges. I also fuzzed for other .php files, but I couldn’t bypass the 301 Moved Permanently. Am I missing something?

Nvm I just finished it

Hi. I am stuck on the Scripting Engine. I have looked at everything, even the http-enum. Am I suppose to be looking or the flag in the robot.txt file

@ornate tide check the ||robots.txt file||

is anyone around who can help with file upload attacks?

i'm on the skills assesment and i've managed to enumerate the accepted file names with burp and ffuf

and my browser

with ffuf i have

and burp i have

but when i attempt to access the file in hxxp://[machine:port]/user_feedback_submissions/[date]_ho.php it says 404

how do i find the file in the uploads directory?

https://academy.hackthebox.com/module/136/section/1310 for this

@onyx dust i used ||xxe to read upload.php , which then reveals the upload location and naming convention of our file||

i can read the file and i have read it to understand the naming convention. i can not access the php file that uses the null byte though.

if by naming convention u mean how it does date_filename

i just dont know how to get the file to execute with what it accepts

right i used a different file extension than you

DM me i can go into detail

i have questions in INFORMATION GATHERING - WEB EDITION :Active Infrastructure Identification:

where do i put these? in the /etc/hosts? or am i getting this confused with somethin else?

i dont understand the metasploit payloads

its giving me like 3 issues

i cant even send a pic

IP vhosts

In /etc/hosts

Yes in the /etc/hosts with the IP

word. i thought i was trippin. thanks

Thanks for your help with the second last question. Once I had that, the last questions was straightforward.

So, Im doing the "Using the Metasploit Framework" module, on the "Meterpreter" section, question 1.
The question is what is the username of the user I obtained a shell with after using MSF on the target host. Thing is...the exploit I used gave me ||a SYSTEM shell||, and neither|| "NT AUTHORITY/SYSTEM" nor "SYSTEM"|| are correct. Did I use the "wrong" exploit, or am I misunderstanding the question?

Omg, nevermind.

Stupid ||backslashes ||🤪

Skill Assessment - Broken Authentication

Am I doing something wrong? Can't bypass the login lockout using X-Forwarded-For, my bruteforce is being throttled to 30 seconds.

reduce your wordlist using the password policy.

INFORMATION GATHERING - WEB EDITION :Active Infrastructure Identification: can anyone give me a nudge. im not seeing the CMS listed anywhere.im running {whatweb -a3 http://10.129.140.178 -v} as well as browsing to the site with wappalyzer

I am stuck at the same thing.

i figured it out with some direction

add png to the bash script that generates the extensions list

I figured that out but I cannot access the payload.
I guess I am making a mistake in name thingy.

the format is ymd

date '+%y%m%d'```

on linux will show u the prefix

then put an underscore and the payload name

some how its still giving me 404

change the date to one day later

220707_payloadname.extension.whatever

i would change the 07 to 08

@tepid jolt did it work?

yea it worked thanks.

😎

man I making a stupid mistake I had a "." before date.

ahah yeah it's always the small oversights with me too

Password Attacks - Network Services. Any hint on the usernames? Am I supposed to spend hours trying to brute force both the username and password on all these services?

after you get the first service login and ||get the username in the target box||

Skill Assessment - Broken Authentication

I got into the support user but I am unable to find the flag / admin panel? I've ran directory busters to try to enumerate the path but still have had no luck. Anyone have any ideas?

Hi 👋

I am using Linux and I am importing sockets for threads with variables from void$ and it’s doing good yay

fuzz the ||add event|| on the admin profile and use the method show in section ||Local File Disclosure||

admin profile doesn't exist

the admin panel

if you still can't find it dm me it could be a bug

hi guys.. i would appreciate some help

i got stuck at "cracking common hashes".. i tried hybrid mode and some rules

but i think i am missing something else

i can't remember if you need to use rule or not but there is a ||$|| ad the end

if you are using rockyou cut the first ||250000|| word

the hash i am looking at doesnt have that at the end

i am using rockyou

https://academy.hackthebox.com/module/20/section/113

this is the module

no i mean the password have

ah

thats pretty arbitrary

was there a clue for this?

i tried rockyou?d?d?d and inverse

because there is something like that in the module

or how am i supposed to try that?

maybe i didnt get it

in the hashcat help menu it say use "?s" to add special character include the ||$|| but when i try use that it just ad "*" and notthing nothing else

i think it worked with me using ?s before

now it didnt find anything though

maybe your wordlist doesn't have the other special characters for some reason?

i have to go to work :(

thank you for your help!

wait i thought you got it

Having issues with the SQLMap Essentials, Running SQLMap on an HTTP Request Task 2 - What's the contents of table flag3? (Case #3)
I've tried all sorts of combinations, but can't seem to get the right one e.g.
||sqlmap -u IP:PORT/case3.php --data 'id=1' --dump --batch||
||sqlmap -u IP:PORT/case3.php --data 'id=1*' --dump --batch||
||sqlmap -u IP:PORT/case3.php --data 'id=1' --dump --batch --risk=3 --level=5||
And I'm getting nothing back, any pointers?

No sadly not :(

you are missing the database and table command

did you cut the first ||250000|| word in rockyou

No but the list gets extinguished, shouldn't it have turned up already?

hi guys, ive been stuck on sqlmap skill assessment question for a long time anyone can help? It is to find the flag in table "final_flag"given a minishop website, ive look throughout the site and found the "add to cart link" have an id:1 when intercepted with burp suite, but i use sqlmap -u "http://178.62.26.185:30387/action.php" --data "id:1" --batch --level 5 --risk 3, and many other command but can find the problem why cant get it

Hi, I'm stuck in the Blacklist Filters section of the File Upload Attacks module. I've successfully fuzzed and bypassed the blacklist filer ||(E.g. .cfm, .phtm, .asp, .php3, etc.)||, but the phpbash doesn't seem to work, I have also tried other payloads without success. DM me please, thanks!

Hi, I need some help with the "RDP and SOCKS Tunneling with SocksOverRDP" module, I have been able to transfer all the files loaded the DLL however connecting via RDP (mstsc.exe) with the creds provided for the user victor doesn't work. Anyone on this? Thanks in advance. Meanwhile I'll try to throubleshoot it myself.

I'm not sure how that would help, I'm trying to do a POST injection with id=1 as the vulnerable point, but it comes back saying that it isn't injectable

According to the training sqlmap 'http://www.example.com/' --data 'uid=1*&name=test' should be what we need, if there's more to it than that then it should be explained

are you still add section 2 case 3 and if you still can't get it dm me

Thank you @vital adder !

i am trying xss in module CROSS-SITE SCRIPTING (XSS) - XSS Stored however it seems that pwnbox firefox browser is not showing xss popup

<script>alert(document.cookie)</script>

hey guys, could somebody please help me with a module? Im currently stuck on the Meterpreter section in Using the Metaploit Framework.

I have gotten a shell, but I'm struggling to priv esc. ||So far, I have run the session in the background and then run the multi recon local exploit suggester, and then went through each exploit - but none of them appears to work? Can anybody please give me a hint? 🙂||

the Meterpreter section require you to dump hash not privesc

of you still need help dm me

Thanks tom, I ended up running that hash dump after loading the kiwi module - I didn't realise that's all I needed to do whoops

oh congratz

enum4linux

It's not but It bothers me that I can't do this and It doesn't show you in the module how to do it. Just tells you that you can and leaves it at that.

Thanks buddy. This was way easier than I thought. Thanks for helping Sir!

For Broken Authentication -> Bruteforcing Cookies, has anyone had luck decoding the rememberme token? (question 2)

did you click ||Remember me||

Yes, I have the token. Just having trouble decoding

have you looked thru the list of file signatures?

https://en.wikipedia.org/wiki/List_of_file_signatures

@covert tusk if you still can decode the cookie my trick is ||do a url decode manually first|| or dm me

Have you tried cyberchef,?

Finally got the flag, thank you @vital adder @lethal atlas @distant stream

w

Hello, I'm on the Skills Assessment for Windows Fundamental. I need help with this step.

6. Adding the HR security group to the shared Company Data folder and NTFS permissions list

   Remove the default group that is present
   Share Permissions: Allow Change & Read
   Disable Inheritance before issuing specific NTFS permissions
   NTFS permissions: Modify, Read & Execute, List folder contents, Read, Write

Is it recommended that a person who is inciante do the modules of The Box Academy Hack? Even though she has no prior knowledge in Cyber Security? 🤔

Or should she acquire prior knowledge, and then try the HTB Academy?

Hi peeps, I'm having some issues with the Responder challenge in starting point I've been able to get into the machine and get the flag etc but I'm stuck on a question on one of the tasks. Task 5: which of the following values for the 'page' parameter would be an example of exploiting a LFI vulnerability "french.html"

You will certainly learn a lot in the Academy, but any prior knowledge will help you. So if you don't have any knowledge of IT, I recommend that you take a few courses first.

But you can just try it out. There are many modules which cost 10 cubes. When you complete the module, you get the 10 cubes back.

I figured this out and completed Windows Fundamentals. Thanks to everyone who helped out. @coral sundial @feral gyro @west canopy You guys are awesome! If i forgot to mention anyone sorry. 🙂

hey guys has anyone completed file upload attack module? i need help with the limited file upload section

currently trying to use xml payloads to read files but isnt working

i will explain in detail what i have done so far on private dm

@granite prism dm

Thank you very match! 🤝

I need some help with the Windows Fundamentals module I am right now at the Windows Security Section on the second question were I need to find wich 3rd party security application is disabled by start-up for the current user. I am struggling right now a little bit in that. I was checking out the Local Group Policy Editor all the time, but I don't get any further in that for the question. Can someone give me a hint. Does this even have something do to with the Local Group Policy Editor? Please help!

I need some help on the module "Using the Metasploit framework" and im on the section Sessions and ive found the exploit and i ran it in the background as a session to run the sudo exploit but when i return to the session i still cant access the root dir

Hi, I'm stuck on SQLMAP Essentials Skills Assessment. I already found the attack vector, but I can't find the tamper to use

Check out the hint.
Use PowerShell

DM me

Try the tamper || between ||

Hey, I am searching for a exploit, but I don't find one. Which did you have used?

Anybody I can DM about the Service Login Skills Assessment on Login Brute Forcing? Making sure the "Employee" is the same that has been used in the sub sections.

not sure whats going on but im at the nibbles foothold reverse shell portion and neither curling nor browsing to the dir is establishing a connection to my reverse shell

when i do it, it seems to break my openvpn connection

also seems to break the instance as i can no longer access the apache contents

i withdraw that statement

might be something with wsl?

yeah

oops

that was long agp

lol

so for the pwnbox i can get netcat listening but not from my kali instance. kali breaks it out in to listeing on both the ipv6 address and the ipv4 instead of any.

could use help trying to figure out what is happening

know it's late, but wondering if I could get some assistance w/ the command injections skills assessment. I see the injection points but not getting any clear idea atm

If someone is available, I could use a bit of a nudge on the Windows Privilege Escalation SeDebugPrivilege section. I've dumped the lsass.exe and used mimikatz to analyze the lsass.dmp file, but I only see NTLM hashes for jordan and Administrator. It's the same hash and not the one for sccm_svc, which I don't see anywhere. What am I missing?

@round lagoon DM me 🙂

@vale salmon i was able to ||get the hash with mimikatz||. Maybe try ||running from an elevated cmd shell?||

I appreciate it. I was running as such. Turns out, I was analyzing the incorrect lsass.dmp 😅

i need help with a question

What is the command we need to run in order to display the 'ftp' client help menu?

hello guys is anyone working on the "using metasploit framework" module because i am running into an issue where im trying to exploit the iis but i keep getting an error. any help would be appreciated.

can somebody help me with Password Attacks - Password mutations? I have used the custom.rule file with the password.list provided, but it has spat out 94k lines which will take over 6 hours to bruteforce... is there another way? 🙂

shoot me a DM 🙂

Shoot a Dm

hi, can anyone help me with this question pleasee? "Which employee is suspected of performing potentially malicious actions in the live environment " within the module INTRO TO NETWORK TRAFFIC ANALYSIS in the "Packet Inception, Dissecting Network Traffic With Wireshark section

I did complete it with the 94k line wordlist, but I'd like to know the better solution, if you are willing to share it.

You can also attack the FTP account instead of SSH. The credentials are the same.

or
|| you delete the first 17000 lines from your password list. ||

@acoustic owl thanks

hi guys.. i would appreciate some help
i got stuck at "cracking common hashes".. i tried hybrid mode and some rules
but i think i am missing something else

Some more Tipps: If possible you can enumerate users, and reduce the userlist. Check the PW List for duplicates and remove them.

would someone here be able to tell me if im abt to get hacked on discord or no...?

not really

have a strong password, MFA, and recovery options.

thanks :3

Did you find an answer? I'm stuck in the same place.
I have found a hostname, but I can't get anywhere with it. The DNS server on the network does not seem to know this host.

Dm

Hey,
I can do what you need to do but I can't read the source code. Maybe we can have a chat together ?

meows

So I am stuck in the Windows Fundamentals HTB Academy, and been trying to grasp Windows for the life of me, and I am rereading the course over for whatever nth time, and I read from some of the links that is provided that the Get-WmiObject is deprecated in PowerShell 3.0 and above. This Module is also running on Windows 10 and we're in 11 now, and as far as I am concerned with Windows, the OS 11 is a whole new thing to learn. I am sorry, I am just really hating how lost I am with Windows, how none of it makes sense to me, and how people are fine with it for some reason. I just don't get it, and think that I am hopeless and it is making me want to give up on the years I have put into linux, unix, pentesting, and development. I cannot seem to grasp what makes up most of corporate computer structures, I am doubting myself. Just had to put this out there. Sorry everyone.

Hi guys, I'm trying to finish the last section of the Getting Started module but I'm stuck. I already got access to www-data and submitted the user.txt flag. I also did the step mentioned on the Hint for the second assessment but the output aren't really useful to me. May I ask for clue here?

Solved, I didn't take full attention to the command written on the previous section.

I need help with jndi and ldap, specifically unified module. I copied everything word for word and can't get a shell

Hi, I'm doing the hacking wordpress module and I'm in the last question. Does anyone knows how to get the reverse shell using de lfi? I'm kind of lost

Can anybody help with USING WEB PROXIES MODULE, ZAP FUZZER section's question?
I Fuzzed the cookie but it fuzz results turns out to be all 200 OK, i dont know what i doing wrong here

Maybe you can try to look at the size of the response

what does the size of the response tell?

the hint says look for a page for a different content length, but i dont understand that part

can i get some help with "Using the MetaSploit framework" on the task Meterpreter and i can seem to get my exploit to work

It means if the size is different, you get a different answer so your payload probably worked

Port Forwarding with Windows Netsh. The victor user doesn't seem to work.. Does anyone have a hint for what I could be doing wrong. DM would be fine. I feel like I have setup the correct netsh and I am able to nmap the port to verify the RDP connection. It is purely login-failure that seems to get me off

did you get all results 200 OK too? how did you know which one was it in the end? did u open it one by one?

is anyone else getting random session dying when working on the using the metasploit framework meterpreter portion ?

Can anybody help with USING WEB PROXIES MODULE, ZAP FUZZER section's question?
I Fuzzed the cookie but it fuzz results turns out to be all 200 OK, the only same size response with the original, the cookie content is the same as the original , and when I right click and open url in browser it turns out blank , anyone knows where I’m missing out ?

If all the results are 200 OK, You need to focus your attention on the Content-Length/Size of the response, if all payloads are the same in size i.e 3184 for 15 of the payloads and the 16th payload Size = 742, Have a look at the payload that has a different size in the response body.

@steep oxide Think of it as a page in a Where's Waldo book, You are trying to find Waldo, everyone on the page at the beach could be 200 OK but Waldo is the odd one out wearing a red stripy shirt. In this context, the red stripy shirt is the different response size.

I am supposed to enter the number of all installed packages. But I get an error message when I enter the result with this command:

apt list --installed 2>/dev/null | wc -l

anyone have an idea what i'm doing wrong?

In Zap - you want to focus on the Size Resp. Body tab - there will be a size in bytes that differs from the rest. Then you want to analyze the response of that particular request.

got it ! thank youuu!

found the solution myself. At the beginning of the output true comments were counted as a package! The counted and win!

hello ah, just a random question

is it possible to get more cubes without having to pay for it?

hello, am try to get the password of the tomcat user (Flag4, LINUX PRIVILEGE ESCALATION), I am able to get into the /manager, but there is no password or something else to get access of the tomcat user. Can someone get me a hint?

I am still stuck in the Windows Funtamentals module in the Windows Security section by the second question What 3rd party security application is disabled at startup for the current user? (The answer is case sensitive).. Does this have something do to with the registry's?

Hello, in module Attacking common services, the target doesn't have FTP port.

└──╼ [★]$ nmap -p 1-65535 10.129.43.221
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-08 15:44 BST
Nmap scan report for 10.129.43.221
Host is up (0.060s latency).
Not shown: 65531 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
139/tcp open netbios-ssn
445/tcp open microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 51.46 seconds

Does anyone else have issues with targets taking forever to spawn during the evening hours(US eastern time zone, to be precise)

In particular, loading active directory enumeration/attack targets

Which section are you in?

https://academy.hackthebox.com/module/116/section/1165

Attacking FTP

I'm stuck in the same spot. Did it end up being a bug or am I missing a step?

i when read that my brain was going brrr and I thought it was a different module but no it not a bug is a message

I see lol

Hmm? Okay, there should definitely be an FTP server. But not on the standard port. But you have actually scanned all ports.

Restart the machine and wait about 5 minutes. Then try an nmap scan again.

Did you end up finding where the flag is? Stuck in same spot

i just try scan that box and the ftp port isn't open (finished that module)

hint ||the cookie||

Yes, the port is no longer open for me either. I have just tried it. HTB Support (@drifting knoll) may be able to help.

I've tried manipulating the role to see if that helps but no luck so far

hi, where i can ask for an help ?

now it works thanks

i reset target 5 tims

@acoustic owl thanks 🙂

the role for this is same as section ||Bruteforcing Cookies||

Hi.. I would need some help with the faculty machine

@vital adder thanks too

The #992853583538176171 room is where you need to go. Verify your account, and it will open to you.

That role isn't working. Mind if I DM you?

sure

can someone help me with the Vulnerability Assessment "Nessus Skill Assessment" im stuck trying to set up nessus

the target is nessus

yeah but im having an issue with the step up process

@devout vector nessus should be ready to go on port 8834 , and the scans are already there for us. I never had to do any setup

yea but it wont let me pass the activation code @west canopy

It keeps telling me Error you are not authorized to perform this request

Hi, I'm doing the hacking wordpress module and I'm in the last question. Does anyone knows how to get the reverse shell using de lfi? I'm kind of lost

have you tried using metasploit @hollow drum

sure, go ahead DM me.

hi guys so i have an auto clicker ( a hacker made it for me and im not programer) and i was wondring how to make it fast like it super fast but idk how to make it faster

clickDelay := 10
clickIncrementSize := 10
toggle := 0

does this what makes it faster?

anyone?

can someone tell ,e how?

@hollow drum try ||bruteforcing your way in, then use the same technique as the "RCE Via the Theme Editor" section||

@devout vector @west canopy thank you both. I'll try using those things. 🙂

@knotty falcon
Away for the weekend. I've finished the module though. You can DM me on Monday if you're still stuck

I've cleared the module now but thanks for the offer 👍

an you help me in something?

Has anyone done the file upload attacks?

Is anyone working on the Skills Assessment of Web Services and APIs?

I am not what I should do in this exercise

Hi, I'm stuck in the metasploit module at the exercise for sessions. I opened the session with elfinder (running meterpreter) and tried to get the privilege escalation with sudo_baron_samedit. I selected the session, but somehow the exploit doesn't go through (i also tried multiple targets, but the correct ones should be 1 or 2). The exploit tries to write files, but then stops without creating a root session. There aren't any errors given....any advice?

Can someone explain the whats being asked in the Linux fundamentals module? On the filter contents section, last question. They ask to curl https://inlanefreight com and filter all unique paths, I've tried a few ways (I don't completely understand the delimiter concept) but Im not sure what I should be filtering. Do I want all the href and src links? Just the paths after .com/? UPDATE: got the answer but it doesn't reflect what my actual results yielded. Would very much like to know what's kind of magic is happening

@uneven relic dm me

@broken warren It asks for the number of path so count them

DM me

Look closely at the endpoint wsdl.

can someone help me with Nessus Skill Assessment my scan isnt going for 60 mins like it says its suppose to

its only going for like 3 mins and finding nothing

To start with htb can I use windows or is better to use a virtual machine with another operating system?

The best is a VM with Kali or ParrotOS. Many tools you will need are already pre-installed there.

Thanks

Bunny speaks the truth. By having a virtual machine, you can also roll it back to an earlier snapshot when something goes wrong. Much safer than hosing your host OS. And things will go wrong! :-P

Could use some help on the Footprinting Medium Lab - Stuck trying to login to Management Studio. Getting a error message No process is on the other end of the pipe

DM me

hello guys, I am stuck at SQL basic because I don't get the question. What kind of expected result? I can findout the username and password in user table. But that is not the answer

Read the Hint
|| Try to replicate the last example ||

already read and do UNION but cannot figure out what question wants...

Do exactly what is explained here in this Section.
Instead of @@version use user()

someone have dedos maschine?

ah I got it. I thought enum in user table. thanks for enlighting me @acoustic owl

Hello, Im stuck on the Module Getting started at the privilege escalation the second questions is my problem. I managed to make it to user2 but I cant reach root. I did everything like explained above but it doesnt work. When I try to connect to root it just times out.

may not apply but sometimes still dont know why but trying exploits in pwnbox will work.

Unfortunately, I already tried it but that didn’t work

Could I get a nudge with Web Service & API Attacks - Skills Assessment?
I've tried using sqlmap on various parameters found in the wsdl file but no luck.

You doing "nibbles-privledge escalation" ? In the getting started module?

hola

Hmm if you need more help DM me

looks like your just generating ssh keys then uploading or copyi and paste the public key on the victim machine then this will allow you to ssh to the victim using the private key on your attack machine.

This is doable because on that machine the ssh folder is writable by anyone.

So I spent hours yesterday trying to get foothold on the Password Attacks - Credential Hunting In Linux -- only to (I swear literally) re-do the same steps just now (only difference is enjoyed a margarita before I sat down at the PC) and within 10s got my foothold... Either I did something wrong (and didn't realize it yesterday), or environment was messed up -- either way 😡, but I guess the life lesson is when life gives you lemons limes, make margaritas 😂

Can anyone assist or point me in the right direction for the Nmap Firewall and IDS/IPS Evasion - Medium Lab? The hint seem totally useless and I've attempted the source port parameter with no luck so far. What am I missing?

Hey can someone help with the the 1st adn 3rd question for the windows Fundamental Assessment

Hey, new to hackthebox. I'm struggling with the nmap module with the question that says "Enumerate the hostname of your target and submit it as the answer. (case-sensitive)". Can somebody walk me through this or point me in the right direction?

Try performing a more aggressive scan of the target to get the computer name

What do you mean by this? I tried using -A and -p-, but the server seems to be blocking my connection requests

I'm honestly like really lost

DM me and we could jump on a call

Figured out the right combination of parameters. All good now.

yeah i know late again, but even I made progress in the Command Injections Skill assessment, i'm still getting a blank response 😦

nslookup

If anyone needs assistance with broken authentication skill assessment I just finished it and created a step by step notes for it, without giving away password or flag. Just dm me.

hi guys, USING WEB PROXIES , SKILL ASSESSMENT , first question about enabling the disabled button in lucky.php, i intercepted the response using burp and change the value='true' disabled TO value='false' disabled IN the html, but after i forward the response still cant press the button and when i check the history, the response forwarded wasnt changed, anyone knows what im missing here?

Why cant i figure how to simply connect the VPN in hack a box

what is this server for

is this for hacking

pls reply

@north flax please use bot commands in the correct channe; #bot-commands

sudo openvpn your_vpn_profile.ovpn

Maybe also have a look at this module:
https://academy.hackthebox.com/module/details/77

Pivoting, Tunneling, and Port Forwarding: Port Forwarding with Windows Netsh. I can't get the rdp to work. I've set everything up and can even nmap the service through the port, but the logon credentials are denied. Are there anyone who can help. I am on day 3 with this now...

Would someone be able to help me with the forming of a SOAP request for the Skills Assessment of Web Services and APIs? I having a very hard time understanding how to do this.

Im stuck on the web proxies skills assessment: Question 3
Once you decode the cookie, you will notice that it is only 31 characters long, which appears to be an md5 hash missing its last character. So, try to fuzz the last character of the decoded md5 cookie with all alpha-numeric characters, while encoding each request with the encoding methods you identified above. (You may use the "alphanum-case.txt" wordlist from Seclist for the payload). I think its my payload position

Anyone able to please help or DM?

Change the VPN server to US1 or US2.

Already did. Ain't working. But I'll try again

sure

sorry for my poor english
Metasploit issue, Exploit completed but no session was created. Does anyone give me the solution please.

So for your general question -
https://www.infosecmatter.com/why-your-exploit-completed-but-no-session-was-created-try-these-fixes/#:~:text=You can try upgrading or,downgrading to MSF version 5.

I hope you have the cookie,
Now you can utilize burp suite's payload processing options (keep in mind the order in which the payload processing rules are applied)

would the payload position look similar to this?
GET /admin.php HTTP/1.0
Cookie: c=31chjaractercookie§§
Content-Length: 17

Anyone done the mssql section of attacking common services and can help with q2? I got the credentials from q1 but now having trouble using them. Edit: nevermind ||.\|| was the key,

It depends if you're adding that 31 character as a suffix or prefix to the actual payload

do you mind if I DM you?

Go ahead

I require a little nudge on command injection skills assessment!

hi guys! can anyone help me finish only remaining exercise on the cracking hashes moduel

i could not manage "cracking common hashes"

the hint says to use rule sets or hybrid mode but hybrid mode did not bear results and i dont know which rule set to use, i tried leetspeak but it didnt work

So i can confirm i have the 31 character as a prefix followed by the correct 2 encoding types. But when I run the attack the length of each is the same and response is 200

Wait till the wordlist is exhausted
Once the attack is successfully done, just tap that length segment on the top bar, and check the responses

Sadly all the same length at 2370. Should the cookie in the response header update with each new cookie it's trying?

Hi everyone, I just create a video for all HTB Academy beginners about how to set up a vulnerable web application on your local machine
https://www.youtube.com/watch?v=e1m_2M0c1J8&ab_channel=OceanicSix
Please let me know what you think, any feedback is appreciated!!

Hello, everyone! I need help on "Skills Assessment - File Inclusion". I am so close to finishing it, but struggling so much in the last part, can anyone give me a hint?

Hi, I'm stuck in the Blacklist Filters section of the File Upload Attacks module. I've successfully fuzzed the file extensions and tried all the non-blacklisted extensions. Problem is that it looks like the html/css part of phpbash loads, but the terminal part is not working (See attached image). I have also tried the other payloads mentioned without success.

DM me please, many thanks!

dm me

are you in the ||ilf admin|| part yet?

Hello!
I was given a gift code for HTB Academy. Now have a balance on my Account Balance, I would like to take a subscription for myself, but the balance is not removed and I am asked to enter my credit card on the payment page. What I should do to pay for a subscription by my account balance?

I this module "Attacking Common Services" , section "Attacking SQL Databases" ok? I can`t connect with mysql or sqsh to target machine. Just blank output.

Contact the official help support available via that ? / Help button

Chat with HTB staff and they'll figure it out
They're great

okay, thank you!

i got a randoms ip

he uses IPv6

OpenVAS assessment, need some clarification on q2 and q4

Can anyone help me out with Command Injection Skills Assessment?

I think my payload is wrong or something

can someone dm me i need help with windows skill assessment it jusat a hint for the 3rd question i did that rest already

I could use a hand with the "Web Services and API Attacks Skills Assessment" please

So far I've tried using sqlmap, crafting SOAP payloads with the help of the wsdler Burp Extension, and also tried using the automate.py script, but nothing seems to work.
Please DM if you can help.

Contact the help desk

Shells and payloads: php webshell

Having problems doing the section because of this

I swear I have followed the instructions to a T

I'm not sure, but have you tried http instead of https?

What do you need clarification with?

I fixed the issue. Don't know why but using the burp browser did the trick.

Can anyone give me a sanity check on the exercises at the end of the Attack Common Services module, I'm convinced I'm on the path, but having issues with the box falling over even with the single thread of password guesses.

hello friends

I'm honestly beginning to think these modules are just sanity checks

putting the mental in "fundamental"

DM me

Is anybody doing the Bug Bounty path?

yes i finished it, just havent taken exam yet

Going through the basics of operating systems and some of the questions go straight into having to use tools or navigation that weren't mentioned in the first place. where do I get info on using the tools to get the answer??

speaking of sanity check, I might need one again for this command injection skills assessment

can you give an example of one of the tools you are referring to?

dm

Im stuck on this also LOL

I might be able to help

@west canopy Can I dm?

sure

can anyone help me with page fuzzing

can someone give me a sanity check on javascript deobfuscation because i have the message from decoding but its not accepting it

anyone?

@azure vortex which module/section do you need help with?

@devout vector i can try, feel free to DM me

@west canopy I figured out but thank you for reaching as fast as you did

ATTACKING WEB APPLICATIONS WITH FFUF ,page fuzzing

sec ill DM you

sure

..

fuck

@west canopy Im stuck on the web proxies skills assessment: Question 3. Mind if I dm you?

If he isn't available, you're welcome to DM me too. I've done that one.

@tough mural sure DM me

@west canopy @shut owl thanks!

ok figured out this annoying command injection nonsense smh. Thnx @west canopy & @devout cliff for the advice 🙂

@harsh drum i dont think ive ever harassed you here 🤔

Good day,
Could someone assist me in "Information Gathering - Web Edition" module.
Active Subdomain Enumeration section, 2nd question? Identify how many zones exist on the target nameserver. Submit the number of found zones as the answer. because I got the answer however I definitely got it by luck- and I now need to know the exact process to answer the question after it.

DM me
We'll have to discuss it

ok

Yup I'm doing it too

can someone assist me for assessment 2 module active directory enum and attack?

Is your VM connected to the HTB Academy VPN?

always ping the target first.

That's weird. You can try to change the VPN server. If this does not help, please contact HTB support.

Hi all, can someone check if: https://academy.hackthebox.com/module/57/section/516 is working for you?

It appears as if it should fill in the blanks but it doesn't (see screenshot). Thx in advance.

The task is to find out the username and password by yourself

Thank you for clarifying!

Windows fundamentals, no IP given to RDP?

In fact, now that I'm looking further it looks like none of the questions a providing the IP to RDP into

Here you get the IP address

man do I feel dumb, thanks

Sometimes you overlook the most obvious things. 🤷‍♂️

Exactly 🤣.

Don't worry, it happens to all of us. 😂

Hi is there anybody who could help me with case 6 and 7 of sqlmap essentials?

hi i need help @raven leaf MODERATOR

@patent ruin sry for the ping but can ya help mehg???

Good Day,
I'm having a bit of issue with the Information Gathering - Web Edition module, Virtual Hosts Section-
3rd-5th question. I've used all the enumeration techniques discussed- yet I'm not getting anywhere-
Could someone maybe hint at what technique I'm to use without giving it away completely or assist me in completing the last 3 questions?

can ya help me??

I could try

what's the prob

System has not been booted with systemd as init system (PID 1). Can't operate.
Failed to connect to bus: Host is down

in kali linux for beEF attack

.

oh-
yeah- I don't use kali 😭
sorry

: (

;-;

nvrmind- just make it the last question only-

anyone available to help me out with some SQLi sqlmap essentials

hello is anyone available to chat about nmap im doing that module inthe academy and im having a little trouble?

dm

added

When i use SSH in the module "Linux Fundamentals", I need to enter a password. But when I try to type anything nothing is showing up. i have tried just copy pasting it but it still doesnt work?

The characters are hidden

The password is entered but not visible

I'll try thanks

I tried it multiple times but it says permission denied. I typed the password exactly as it is shown...

Nevermind i made it work my 1 key was broken lmao

Tried DNS zone transfer?

Which ones you're stuck on

I’m good now thank you. The prefix suffix thing needs to be clearer in the lesson. Or more targeted SQL lessons would be good. Take all my money 😂

Okay give me that money

Show me the knowledge 😂 soo many SQL rabbit holes 😂

Slide in my DM
Ask me questions, I'll tell u everything I know about it.

At my best

I am doing linux fundamentals, system info, "What is the path to the htb-student's mail?"

what is the command for finding this

nvm

i have found the problem

the cat command just isnt working

ight

Hi, i'm stuck on sqlmap skills assesment, i think i found the way but no way my command works, any help?

EDIT:just found it, nudge: check the post request, copy as cURL, and check between tampering

Used a different method and got the answer, but thanks alot tho 💯

DM me what was that

kk

anyone available to help me? i've got the answer but i'm sure there's a more elegant solution (SQLMap)

hi @acoustic owl can i dm you about the Pivoting, Tunneling, and Port Forwarding module?

Does anybody know when we will get more modules?

I want new ones sooooooo badly 😭

Perpare new certificate junior penetration tester

Like certificate cbbh

I think it would be sick if they added a blue team, cert, exploit dev cert, and OSINT cert!

Are you complete path cbbh

I am very close to completing cbbh

92%

Yes of course but i think not new

and 70% pentest path

I perpare myself certificate cbbh

Im complete path

I am training for the certification exam cbbh

Do you want to take the certification exam?

Yes

100%

Good luck

Ooh... I'm down for an exploit development one, that would be awesome!

I know OFFSEC has some exploit dev courses

But tbh

HTB > Offsec certs

And more economical also 😎

And $$$

I'm the sort who likes to learn the same thing from several different sources, so an exp dev course prior to taking OSED would be awesome.

Could anyone assist with the footprinting module? Stuck on DNS

can somebody please help me with a section in password attacks?

specifically the NTDS.dit section, I'm trying to move a file from the target machine to my attacker machine but I'm getting a nativecommand error. For some reason the discord bot isn't allowing me to paste the error message in this chat.

I have completed it with the crackmapexec method but I'd love to do it via the shadow copy method in evil-winrm too. thanks!

hey so i jsut started learning hack the box and i finished the module discussing how the acadamey works, what should i go with next?

Sure

legend, thank you! Start from there and found the way out

If I interpret this correctly, there should be content on cloud hacking soon

https://twitter.com/hackthebox_eu/status/1546147269707169797?s=21&t=RHjPytifi4clszqCqMfyGA

although the content might not be modules. could be HTB box

aws labs for users

(disclaimer I don't know about it, but that sounds like what is happening 😄 )

Hey everyone. Any hints for Password Attacks Lab - Medium? I am in as the user J. But cant find root pass

user-agent filtering?

Hi, i'm stuck at web attacks skills assessment. I'm able to extract users and information, but not able to change the passwd, keep getting Access Denied

who finished the ATTACKING COMMON SERVICES Module?

check ||what's running on the server|| try ||the cred you already have||

are you connected to the VPN because if you havent then metaploit wont find the ip and it will do nothing while the parrot VM is on the network by default which will allow you to run comands without issue

@digital storm dm me then

hello who can help me: which prefix in case 6 in module SQLMap Essentials

hello , PIVOTING, TUNNELING, AND PORT FORWARDING modules like has error , section RDP and SOCKS Tunneling with SocksOverRDP 172.16.5.19 credentials is error

who can help me ,tell me 172.16.5.19 credentials

Try to change the VPN connection
Take US1 or US2.

If it does not help, contact the support of HTB

@acoustic owl thank you ,i try, vpn take us1

I have the same problem😀

heeeeeeeeeeeeeelp

@runic rampart I'm guessing the server is shared and the password was changed

dm me btw did you answer case 7

not yet

yo on AD Enumeration & Attacks - Skills Assessment Part II im on the question:

Submit the contents of the flag.txt file on the Administrator Desktop on the SQL01 host.

i found the creds netdb:D@ta_bAse_adm1n! (feels like SQLEXPRESS is the wrong username at this point) but dont know how to login to the host. anyone here to give a hint or nudge

Yoooo anyone I can DM about SOAP request really fast ?

Contact the support. Switching from EU to US worked for me

Contact the support. Switching from EU to US worked for me

hey just wanted to ask a question about "Attacking web Applications wiht ffuf" im running a Filtering Results part and when i run it i get thousands of code 200s but none of the filtering i guess has taken place and i even added the -fs 900 flag in my script but still so just wanted to see if someone could guide me a little to make sure what i was doing was okay or not

@devout vector Try ffuf -h and check for code filtering or all the filter options available

@crimson atlas thank you i will try that

@devout vector np dm if needed

It worked🙏

@acoustic owl may I DM you about web services and api skills assessment ?

sure

isnt there a module that goes over how to make a list of credentials from using 2 seperate lists/files? like combining rockyou.txt with a username list?

Yo guys how do I know if I got verified on this server

Hello, I need help on Password Attacks - Easy Lab, I’ve been trying for 2 days to brute force the ssh + ftp to find any valid credentials with no results. Can someone help me?

Awesome which module are you on?

Also, do you recommend subscribing to HTB Academy? (For the Bug Bounty Path) I've just been doing modules with the cubes I've earned so far.

I would. That is what I did

hi can someone help Active Directory Enumeration & Attacks,Kerberoasting - from Linux

I’m doing that currently on another course

From my point of view, the annual subscription is worth it. This way you can learn all modules from both paths (Bug Bounty Hunter and Jr. Penetration Tester).

quick q, why the machines (spawned IP) in the jr pt path keeps on crashing?

a 5 min task takes 1 hour to finish it ;/

Do you mean something like this?
https://stackoverflow.com/questions/32946238/concatenate-two-lists-from-two-files-into-one-file

So yesterday I was on one of the modules and when swiping from lower right to upper left. I might have clicked on an image but it opened up a binary text file.

Use the lists provided in the module. It takes a relatively long time, but with it I was able to get access.

I’ve been using the usernames and password lists provided and ofc I’ve mutated the password. So the issue it that only a very small percent gets tested so I’ve been using the -u on hydra to each try each password on each username first and I’ve split the usernames lists in 5 parts to try more but it seems that it’s still not enough so I’m thinking about splitting the username lists to even less names like 10 parts of 10 usernames each

yassssss

Feel free to DM me

Maybe in a month or two for me

I'm stuck at assembly skill assessment task 1, I keep getting broken pipe when I run the shellcode, can someone pm?

is there any way to use my VM rather than NoMachine for the assessment in shells and payloads path? it is really slow, buggy and keeps on timing out

836658793461841951 has been banned until 2035-04-16 17:53:41 (UTC).

already got the boot. thanks

which prefix in sqlmap essentials case 6???

Hey, anyone new into '' Junior Penetration Tester '', can you DM ?.. let's work it through together if you wish

hello

what module are you on

Getting Started, you ?

I'm throwing in the scatter, I've already gone through sql injection fundamental now I'm going through sqlmap essentials

How long did it took you to be there ?

on sql injection fundamental in my opinion 2 days

I mean from the beginning to sql

how long have been on the path

this is the only completed sql module so far

Got it, didn't you start as a beginner

hack the box was advised to me by a friend and he said first to go through sql and then I took the path of Junior Penetration Tester

@rocky apex do you know how i can get to the root user, without having the current user password

usually a bunch of login password is root / toor but in general you can somehow reset the password

i got it, i first took some fundamental modules and now walking through the Junior Penetration Tester Path.. and currently in the second module

i SSH to a box, meeting USER1 (using 'sudo -l' USER1 can only run BASH using USER2 without PASSWD ) and then i was able move to USER2.. Now i need to escalate privileges to ROOT but i got no password for USER2 when try using 'sudo su' command.. Please any idea on how to escalate to ROOT ?

hi can anybody help me with command injection last question What the content of /flag.txt.I tried to use bypasses but it gave me or file not found or permission denied

the hint is ||prefix ')'.|| so did you try ||--prefix=')'||

yes, I wanted to try exactly '`)' with quotes, but my terminal swears and does not skip such input

here is what i get

dquote bquote>

and it's waiting for new input

@rocky apex can you dm me your full command?

Yup I'll highly recommend having access to Bug Bounty Pathway, the modules in it are very well structured and neat for the purpose of teaching you nitty gritty of hunting for bugs.

hi all

im new

im 57 yrs old though

hope thts fine?

Hi
Why would that not be okay?

this feels like a bait because a friend of mine got asked the same question a few minutes ago, some random ass guy

on a server

asking if she was single and if she knows any women

Error: malformed user ID.

Awesome thanks!

Hi heroes, I am trying to complete the file upload attacks skill assessment. I am able to submit files bypassing all the white/blacklist due to the php file that I was able to discover, yet none of the php shells that I am uploading seems to be retrievable. Do you have any hints?
NVM: I had to fuzz harder. Try all the possible combination of file extensions

And @acoustic owl and @polar widget how long did you guys take to finish the Bug Bounty path

I started here in October 21 and took the exam in May.
However, not all modules were unlocked at that time. So I also did other modules outside of the BBH path.

Cool, thanks ! Imma hit you up shamelessly if I get stuck anywhere.

No problem.

sqlmap -u "http://167.71.134.235:31426/case6.php?col=id" --prefix="'`)'"

try with sqlmap -u "http://167.71.134.235:31426/case6.php?col=id" --prefix='`)'

Hey guys!, I'm very stuck on this section of using web proxies, I don't understand how to search for .html files

could someone give me a hand?

i can give you a great hand

I used ffuff for that question but feel free to dm me if you still need help

Anyone here who has finished the bug bounty path?

I wan to learn how to accomplish that using burp but thanks man!

After using ffuff I was able to do it within burp intruder as well. Let me know if you still need help

any help please im stuck command injection last flag

Just ahead of you at 60 years old

hint ||the move parameters||

cant move flag.txt permision denied

Are you running as root?

Hi! Stuck in same page could you help me ?

guest i dont know how to enter with root

When you ssh into a machine how are you logging in?

you supposed to fuzz ||the move parameters|| to find a foothold

4sure, send me dm

that is a command injection module

Just trying to catch up on topic.

i dont get it at all

try ||to=tmp(here)&from=||

btw you are trying to read the flag not move the flag so if you get that error you are doing something wrong

guys

any idea why the target time is going down so fast? its not taking even 30 secs to go down

i try to find flag with move command

oh you got it?

Hey I'm on the Windows Fundamentals Module skills assessment page - I'm trying to follow the steps I got to step 4, create a security group. I can't find any info online about that other than active directory but the machine I've rdped into doesn't have AD on it, so I'm kind of lost? Where / On what machine am I supposed to be following these setps? I've tried to install rsat onto it but it doesn't have any internet connection.

Any pointers?

hi guys sorry for disorder, i have a question about get-wmiObject -Class Win32_UserAccount, i have done this commando to get the SID of the bob.smith user, in the windows foundamental module. Now i would ask you, why when i went in the Users directory, the user bob.smith wasn't here? and why i could find it in powershell with get-wmiobject?

Anyone happen to know if an ExtraSids attack is the same as a golden ticket? Somewhat unsure of this, and is every goldenticket attack an ExtraSids attack? So if the environment has SID Filtering, can you still do golden ticket?

This is because the folder hasn't been created. You can see all the local accounts if you run get-localuser in powershell. Another way to see it is if you open file explorer, right click on this pc and click manage, then expand the folders for local users and accounts. bob.smith is there. It's an account on the computer, just missing a folder.

thanks ❤️

Thank you, Jare! one little thing from myself. I would say "i just used proxychains + secretsdump.py when/once authenticated as the tpetty user"

Victor's creds for the Pivoting module with netsh do not work

victor:pass@123 is invalid.

Could anyone assist with the footprinting module? Stuck on DNS

Need help on the “Intro to assembly” module data movement question-Add an instruction at the end of the attached code to move the value in "rsp" to "rax". What is the hex value of "rax" at the end of program execution?

I’ve tried moving the immediate data itself with the syntax

Mov rax, rsp

And also tried using brackets to move the actual value instead of the pointer

Mov rax, [rsp]

However using gdb to answer the question, both attempts failed

Could someone give me a bit of help with the Windows Privilege Escalation Other Files Module? I'm having issues finding the password for bob_adm.

Got it

Did anyone get past this?

If switching the VPN server to US1 or US2 does not help, contact support. This is a Bug

Has anyone finished the footprinting module

can somebody please help me with password attacks - easy lab? I managed to get the credentials to log into SSH, but I'm struggling to get the root password. can somebody please give me a nudge? thanks 🙂

Thank you, man. Another tip is this Answer format: [string] []

yup, feel free to shoot me a dm

thank you

use SOAPAction Spoofing session is enough. No need for SQL

Can anyone help me with introduction to networking(subnets)

then it writes

GET parameter 'col' does not seem to be injectable

I also watched this article, I even got errors like his, up to the last one, but nothing works

https://forum.hackthebox.com/t/htb-academy-sqlmap-essentials-case6-non-standard-boundaries/243441/23

Anyone up for help on the attacking common modules sql part?

I got the password but I cant login with mssqlsvc account

Having the same issue too. Getting error message while trying to connect. Google search reveals that I need to enable TCP but I couldn’t since I don’t have admin access.

i think this task is broken on the SQLMap essentials. last section before the skills assessment

i've got the flag and says it's incorrect

So I am working thru the python module Further Improvements and the flag tells me that the answer I have is incorrect

Any help here?

I am playing with the linux privilege escalation module. In the first task I should download a kernel exploit, compile it and then run it in the virtual machine. What is the best way to actually download the exploit into the VM since it does not have internet access?

Havent tried it but I assume you could download it on the pwnbox and from there ssh transfer it using SCP

Thanks for the tip. I ended up using VPN from my VM to the htb-vm, since my VM have internet access

No worries

File Transfer module details various methods of transferring files, binaries across the network

asking again
Anyone up for help on the attacking common modules sql part?
I got the password but I cant login with mssqlsvc account

why the flag does not fit in case 5 module sqlmap essentials?

i'm on the last part of that let me look at it for you now

you've got rogue characters in there mate what're the `\ doing there?

where are you getting those from? you should just get it to copy paste

dm me

who knows how many columns in case 7 module sqlmap essentials

Don't leak flags, even if partially.

ok

hey

i'm new and i got a question

for use a pwebox

did i need to install something ?

cause i cant connect

try from 1 to 10

thanks but I already decided, there are ||5|| of them

you should put some Spoiler tag on that

I am right now at the Intro to Network traffic analysis module on the Tcpdump part the last section. Does anyone know how this question is meant What are the client and server port numbers used in first full TCP three-way handshake? (low number first then high number). Do I need to know the server port and the client port and in wich order?. And I also can't really find a full TCP handshake. Please help

Hey I am in the File Inclusion module, with the command 'ffuf -w /Dir/to/file/fuzzParameter.txt:FUZZ -u 'http://206.189.26.97:31342/?FUZZ=value' -fs 2287' I would like to find the parameter. The result is every parameter in the file, the status is everything 200, but I don't think that the webpage has 6000 parameters. Can someone help me find the right parameter?

well you are only filtering the ones with a file size of 2287 so if you want to filter out the ones with 200 status code you will need to add mc=200

this sqlmap essentials module is no joke. digging for POST requests zzz

with the mc=200 I filtering also only the files with 200 status code, so it is no difference between

oo i think i got a vector Oo

nvm

Can someone help me? Identify if its possible to perform a zone transfer and submit the TXT record as the answer.

can someone dm me about this? i don't want help per say, just someone to bounce ideas off

(sqlmap essentials skills assessment)

I feel betrayed

Can someone help me? What is the FQDN of the host where the last octet ends with "x.x.x.203"?

ah you're here haha

You have to find all the zones.

but i have to brute force do i?

yes, one of them you have to bruteforce

hello. did you find how to use openvas for this module?

Yea I finished the module except the first question in Nessus Skills Assessment

Need a quick hint, I'm running back through the Web Proxies module, and I hit a wall on the skills assessment. Decoding the cookie didn't seem this difficult before, but I can't seem to figure out the correct sequence. The hint doesn't help either, says "first value start with multiple -encoders-"

you go to "results" and search for "smb shares enumeration".
one of the shares listed should work.

I'm kinda not getting the question in the Password Reuse task, any clarification?

I need help with using vim (while in a shell)
I'm on the Oopsie box, I've got a connection via php reserve shell, Trying to use vim to save a file named 'cat' with contents '/bin/sh' but when I type it gives the error pattern not found. Seemingly can't change modes the standard way.

I think you should stablize your shell

sorry if this has been asked before, can someone help me with sqlmap essentials attack tuning-case7?

this is the command i have been using to no avail

sqlmap -u 'http://46.101.32.158:32274/case7.php?id=1' --no-cast --dump --level=5 --risk=3 --random-agent --thread=2 --union-cols=5 --batch

I used:
python3 -c 'import pty;pty.spawn("/bin/bash")'

I think you need also to stty raw -echo

and maybe also stty col row

then vim should work fine

Hello ! I am living same problem getting 3949 files and I am getting 250 but still nothing I was wondering If you could give me a hint about it 🙃

welcome bro

dm me

Anyone solve this?

Yes, but there is a bug. Either it helps to change the VPN server or you have to contact the HTB support.

Any help with Web attacks, I'm stuck on : Bypassing Encoded References

Nvm, got it! 🙂

Any hint file upload attacks whitelist filters i fuzz with wordlist from bash script and no luck,when i upload its 404 not found

hey, im kinda new to htb and i was doing a module where i need to use the nmap, but when i do it, it just says that the host seems down. I have already tried to refresh the given ip but it doesnt work

is this normal but im not getting it, or is it a real bug or something

which module?

getting started, in the public exploits section

public exploits its meterpreter section

sorry but what does that mean=

can anybody provide direction for footprinting - hard lab. i made a custom wordlist using nixhard (the hostname) and tried to use every snmp list in seclists and onesixtyone but they do not work for guessing the community string. what list did you use?

DM me

Try using -Pn when you try to run nmap