#modules
Even tried with pwnbox as well, same result. What am i doing wrong? nmap 134.209.17.29 -sC -sV -Pn works perfectly on starting points machines but not on this specific section in academy
@placid osprey try just navigating to the ip:port in your browser. Typically nmap scans arent helpful against docker targets
Anyone can assist w/ Windows Privilege Escalation module with DNSAdmins group ? I'm unable to restart the dns service :/
@sharp torrent this section took me several tries to get it right, i don't really have any other suggestions besides going through the section very slowly. Make sure you are using cmd and not powershell, etc. I had to use a reverse shell dll in order to get the flag
nice work
Yo im stuck in SMTP module - question "Enumerate the SMTP service even further and find the username that exists on the system. Submit it as the answer.". I enumerated by nmap and i got result
"| smtp-enum-users:
| root
| admin
| administrator
| webadmin
| sysadmin
| netadmin
| guest
| user
| web
|_ test"
but nothing is correct
can somebody help me?
@warm shadow try using ||smtp_enum in metasploit||
Thanks
I'm doing the Windows Privilege Escalation Module and for a task, I need to run accesschk.exe and PipeList.exe. I get an error for both. Is there a folder where these two programs are installed?
@quiet halo check C:\Tools\
thank you
fail, no user detected......
THREADS in options are important?
HI, im stuck at the Web Service & API Attacks - Skills Assessment, can someone help
just get the response "Missing SoapAction header"
How can I fix this for the XSS module. I can't listen to port 80.
yeah i did thx
hey all, working on cross-forest kerberoasting from linux in the AD enum module and keep getting "Temporary failure in name resolution" when running GetUserSPNs.py; I've tried specifying nameservers for both domains in resolv.conf and it didn't seem to help. any help?
Hey, has anyone finished the Knowledge Check on Getting Started? I'm stuck on the second half, I'm able to get a foothold just fine but I'm afraid I'm not sure where to go for privilege escalation. I'm not sure what to do with the info gained from LinEnum or sudo -l. I'm afraid I don't know what to do with GTFObins either.
hey im working on the LFI Module i was able to find the answer to the first question but im unable to traverse paths because the webpage doesnt really give me any clue on the directory im in can someone help
@main scarab DM me
@devout vector Ah apologies. Turns out I was ||using the GTFO commands incorrectly before running the php shell||
hi everyone
but ty!!
in windows fundamentals module, the target is not responding with ping command
do you know any solutions for this problem. Thanks
also it wont work using ssh protocol
Has anyone finished the Footprinting module? I'm stuck on the last question in the IMAP/POP3 section: Q: Try to access the emails on the IMAP server and submit the flag as the answer. (Format: HTB{...}) --- This is what I've done, I've added the IMAP server along with robin's username and creds to thunderbird, but I get an empty mailbox. Then I used the openssl s_client command to connect to the IMAP server from the command line I found 1 email in one of the inboxes, subject of the email is ||flag || but it's blank! I'm really stuck on this one. Can someone give me some advice?
Are you on a school or work internet connection? That might mess with your VPN
No the vpn connection works
I finished Linux Fundamentals Module it works normally
Im tackling the SQL Injections Fundamentals and im stuck at the writing a file section the exercise im supposed to write a web shell to find the flag but after successfully injecting a web shell dont know how to proceed. Any tips..
@modest token DM me 🙂
Cheers mate, since nmap was mentioned like the chapter before i thought it would be the case
What happens when you browse to the webshell?
From what I see in the screenshot, you're supposed to RDP to the box. SSH and ping (ICMP requests) might not work. Go straight to RDP and see what happens.
Help I’m stuck in the web request module- specifically with the first challenge. I can’t seem to figure out how to get the flag using curl to download the file returned by ‘/download.php’ in the server. I tried curl “ip address:port” / download.php … I’ve tried curl “ip address “/download.php … and a dozen other ways. I can download a file named “download.php “ but it doesn’t have a flag in it
curl -o
Tried that and didn’t come back with a flag
Oooh, nevermind. Let me think...
It’s been killing my brain. I’m not even sure if this flag will come back looking like previous ones (bunch o letters and numbers)
@solid ravine just need to curl the download.php URI
That’s what I did. So is the flag the damn name next to HTB?! Seriously? I was thinking it would be letters and numbers similar to the machine challenges.
Tricky tricky tricky
Yea sometimes it will just be a hash, other times it will be a phrase in leetspeak
Thank you for the help! Sincerely appreciate! I was pulling out my hair haha
Stuck on the knowledge check of the Junior pen test… I was able to get a foot-hole but I am having a hard time now… I see my user has access to run ||sudo in usr/bin/php|| plz help
@errant lava php is ||a GTFOBin 🙂 https://gtfobins.github.io/#php||
Ty
could someone assist me with the File Upload Attacks Module, Type Filters Section please?
Question: The above server employs Client-Side, Blacklist, Whitelist, Content-Type, and MIME-Type filters to ensure the uploaded file is an image. Try to combine all of the attacks you learned so far to bypass these filters and upload a PHP file and read the flag at "/flag.txt"
@normal laurel DM me 🙂
kk
can someone help me with LFI PHP Filters i found the php file that they want but idk how to read it
use the method shown in ||Source Code Disclosure|| but my notes don't have the ||read=|| part so remove that if you still can't
me?
Good evening anyone available for a chat on Firewall IDS/IPS evasion hard lab
im so close i know it lol
@austere pendant sure
hi there and thank you
did you find ||the "hidden" port?||
@west canopy scanned it and two ports are open 80 and 22
try doing ||an all ports scan and set your source port to be something trusted||
im doing a -sU scan now did a nmap -p- and 22 and 80 were open
ok so use source port as 22
try 53
ok thank you brb
to make it look like you are DNS 🙂
example nmap -p- -g53
target ip?
i found the hidden service lol
now i nc to it right
Hi, I just finished the Pivoting, Tunneling, and Port Forwarding module Skills Assessment and I'm a bit confused with the last question why is the drive that has the flag on the Domain Controller mounted on the ||workstation from question 6?|| Is that intended? And why? Shouldn't you need to pwned the Domain Controller to get the flag?
@west canopy thank you i solved it lol i appreciate this community
Could someone give me a nudge on finding the ldapadmin password for the Windows Priv Esc Skills Assessment Part I? I have elevated privileges and have answered all the other questions, but this one is eluding me. I've used findstr and tried going through files, but no luck.
@vale salmon i was able to get it with findstr
Okay. Maybe I'm just not using the right parameters then
Ah found it. Not the wrong parameters, but looking from the wrong base location. Lol. Thanks.
/rank
Hi, I'm already stuck in the Default Credentials section of the Broken Authentication module. I've been fuzzing/bruteforcing the page with Zap and Ffuf using the mentioned CIRT lists for both username and password. I've tried various other default credential/password lists from the SecLists dir, in addition to that I've also tried a few custom lists, all without any luck. DM me please, many thanks!
Password Attacks: Kira's zip and ||Will bak's|| files are taking forever to crack the hashes, any sanity check?
view source of the page and check the ||title|| tag, search that name on google
for will Shadow file the password should be in the top ||44000|| of the mutated wordlist and Kira zip should be cracking very fast if you use the mutated wordlist
Much thanks! was using rockyou the whole time
I'm kinda wonder if girls, ever hack ? anyone here ?
Anyone who's doing bug bounty hunter pathway
I need a company
Couldn't get much time these days and it has exhausted me
So wanna continue it

Hello, I am stuck for quite some time on the last question of Attacking Active Directory - Skills Assessment 1.
I have the credentials for user TPY.
I copied Mimikatz over to MS01 and tried to use “lsadump::dcsync” and the NTLM hash for user TB* to pull off the DCSync attack on MS01 via Powershell remoting.
However, I am getting an RPC error message:
"ERROR kull_m_rpc_drsr_getDCBind ; RPC Exception 0x00000005 (5)"
I also tried to perform the DCSync-Attack using Impacket (wmiexec.py and secretsdump.py). However, the 10.X.X.X network of our Kali Box can only reach out to the Winweb Server that served us as entry point into the network. MS01 and Domain Controller are located in 172.X.X.X. Is there any other way to reach out to the DC from Linux?
I have tried Impacket’s secretsdump, wmiexec, psexec, evil-winrm... against the winweb-server without any success.
did you resolve this? I have the same problem (btw I think the format is correct)
@sly nebula Can I DM you?
@spare condor shoot me a DM if you still need help and pls don't spam people twice
Can anyone DM or point me in the right direction for Basic Bypasses in File Inclusion module? I am stuck at "The above web application employs more than one filter to avoid LFI exploitation. Try to bypass these filters to read /flag.txt" tried to path encoding and null bytes but did not get anywhere.
try using ||....//|| if one is not enough, ||add one more until you get the flag||
i used ||..// || 4 times consecutively then did the same with encoding .. got nothing.
should I keep adding more before the flag?
yes and use ||....//|| not ||..//|| (that's what my notes say)
I did use ||....//|| but I guess I will try to add more than 4 Thanks for the direction!
Is anyone else unable to connect to any machines via pwnbox or vpn I can only ping them and that’s it
Happens for me on a regular basis. Try resetting the VPN
Tried so many times different vpns different machines 🤕
I contacted support numerous times. They never were of any help. After resetting waiting, trying again it worked at some point
Did you try running lazagne after having elevated privileges?
Ahh thanks
can someone help me with the nmap hard lab?
Anyone completed PA hard lab mind dm'ing me? ||VHD||
Hey!
Attacking Common Services - Attacking DNS section. It's not clear what the answer should be submitted. I did all the enumeration using several tools but it's not clear what to submit?
I tried, but kept getting traceback errors from lazagne. I ended up finding it with findstr.
even better!
Good Day,
could someone assist me in DMs with the Skills Assessment Question for File Upload Attacks?
@strange aspen good morning i can help you
"Enumerate the custom script that is running on the system and submit its output as the answer."
My ideas ran out, any hints to this? SNMP module
i tried snmpwalk / braa / onesixtyone (with few SNMP dictionaries) but i can't find that script
it's there, you need to walk through snmp data
Dm
can someone give me a hint for LFI RCE for PHP Wrappers
Footprinting/imappop3 can someone give me a hint? What is the admin email address?
Footprinting/imap+pop3 can someone give me a hint? What is the admin email address?
@strange aspen DM me
Could I get some help with Active Subdomain Enumeration in Information Gathering - Web Edition? I've been stuck for about a day and what I feel like should be simpler than it should.
can anyone help with Web Service & API Attacks - Skills Assessment please, i cannot find where we are supposed to send the xml to,
anyone able to help with AD enumeration & attacks - skills assessment 1?
@rapid pine sure, where are you stuck?
Just kerberoasted the sql service account but can't seem to get any further. it's like there's no dns
right, we will need to set up ||port forwarding in order to pivot to machines on the 172.16.6.0 network||
@west canopy cool to dm?
of course 🙂
i will try thanks
@west canopy Last question of AD skills assessment 1, can you help me regarding DC sync (see my post above)?
@full mica i was able to solve it using ||secretsdump.py (authenticating as tpetty) , and then after obtaining the admin hash connected to the smb share (passing the hash)||
Okay, but you cannot reach MS01 from your linux server, just the foothold machine, correct?
I can interact with all machines on the 172.16.6.0 from my attack machine
thanks to meterpreter autoroute + socks proxy
and proxychains
how to connect using RDP to a windows machine with command line,
thanks
Hmm, I started the port forwarding / pivoting module after AD and didn't consider that option during that time. Just tried netsh forwarding yesterday without any success ...
You are not allowed to use + and = in here PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8+Cg==
You need to convert these characters into HTML code(%2b, %3d). You can do that with Burp Suite
Hi @exotic ginkgo, did you get any reply to your message? I think I'm in the same position, I got the filename the folder and the domain. And when I assemble all of that into an URL (that I tested in my browser and which open a nice page with a big "You don't have access!" in the middle), it says "wrong answer". I tried to remove the PORT (because I found that logic for a generic answer), but the same "wrong answer" .... what do they call "full page URL"?
Am I crazy, or is this just wrong? "NTFS permissions on files and folders in Windows can be managed using the File Explorer GUI under the security tab." -This is mentioned in the awful Windows Fundamental academy that I am finding I have to literally spend a week on each page in order to understand what is kind of going on and seeing other things being just wrong. Why did they even waste time writing that NTFS permissions can be accessed through File Explorer, when 1.) that's wrong, or at least I can't access it through there, but rather 2.) it's just easier to right click and go to properties to the security tab? Again, am I wrong?
Welcome to my nightmare of the Windows Fundamentals.
you can just use remmina or xfreerdp
after you find the right page submit your full URL but replace your port number with the word "PORT"
oh ! OK 🙂 thx a lot , it worked !!
Just a suggestion, but maybe they should document that in the question 😉
yes it was in the hint but that still took me a while to figure that dumb part out
Good Day,
could someone assist me in DMs with the Skills Assessment Question for the File Upload Attacks module?
sure shoot me a DM if you still need help with that
ok
is anybody around who can assist with broken authentication - skills assessment ??
i need to know if i am making my password list the right way
anybody worked on werkzeug, but it didnt have a console to exploit?
I'm on Windows Privilege Escalation Skills Assessment Part II. Could someone possibly give me a nudge on the first part? (Finding the iamtheadministrator domain admin account credentials)
Hey could someone give me a hint on Linux privilege escalation , the flag4
I was able to get it but not on the intended way
External services, it implies you should run nmap to find out the weird services
ping if you still need help
So I have been working on Attacking Web Apps with ffuf and feels like I have hit a boulder in the road. I have got to Parameter Fuzzing - GET and I am getting nothing. could use a little push in the right direction
gm guys
Can anyone help me
couldnt install apache2 on pwnbox
didnt connect to deb.parrot.sh
jr pt path, should be Medusa not Hydra
any hint on Attacking FTP task? none of the provided lists worked for the brute force including making a mutated one. Did extra enum and found another user tried BF'ing it on FTP and still. Would appreciate the help
hi everyone, i am stuck at Command Injection - Skills Assessment module, i found ||"from"|| parameter where move file can inject command, i use ||2470930823.txt%7c%7cwh'oa'mi ||to get username but only getting the message ||"malicius request denied"|| , can someone suggest me about Command Obfuscation ?
hello
Hello guys , I just need any one to correct me if i'm wrong
in this question i've decoded the temp pass first from ||base64|| then ||hex|| and the structure was pretty obvious so i've written the following for the temp pass of the admin ||htbadmin:admin@academy.hackthebox.eu:unbreakable|| and encoded it first to ||hex|| then ||base64|| but it still gives me wrong credits when logging in , am i doing anything wrong ?
I'm trying to crack a hash using the following command.
sudo hashcat -a 0 -m 100 hash.txt /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou.txt -r rule.txt
however all i get is the output "exhausted" after only running for a few seconds. My problem is am i forced to believe that hashcat ran through the entire rockyou.txt wordlist in seconds.
anyone have a suggestion
i'm trying to crack an SHA1 hash
I solved it using the bash script provided. I had trouble earlier because I was copy/pasting the whole script into the terminal and hadn't realized that the > symbol was just the terminal prompt, and not a part of the script. So you shouldn't be pasting all the > symbols into your command line --just the contents that follow it. Dumb oversight on my part.
Yeah I read up more on how bash scripts worked and all of that stuff and ended up getting the flag
Thanks for the info tho
Session..........: hashcat
Status...........: Exhausted
Hash.Name........: SHA1
Hash.Target......: 46244749d1e8fb99c37ad4f14fccb601ed4ae283
Time.Started.....: Sat Jul 16 15:40:38 2022 (4 secs)
Time.Estimated...: Sat Jul 16 15:40:42 2022 (0 secs)
Guess.Base.......: File (/opt/useful/SecLists/Passwords/Leaked-Databases/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 3443.1 kH/s (0.33ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 0/1 (0.00%) Digests
Progress.........: 14344384/14344384 (100.00%)
Rejected.........: 0/14344384 (0.00%)
Restore.Point....: 14344384/14344384 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: $HEX[206b6d3831303838] -> $HEX[042a0337c2a156616d6f732103]
hello
hi
@carmine lark make sure you are using the right rule
Has anyone done it and can give me some suggestions?
You make my life easy @west canopy , thanks man
lol np
Hey, can someone give me a hint in Linux Privilege Escalation? I need to read the flag4.txt. What is the external service that is running on the box? I find only mysql. How can I escalate the privileges on mysql?
@rustic sage for flag4 we actually want to attack ||Tomcat||
@worthy yoke i think your injection point might be a bit off.
I get the password and the username for the website which is running on port 8080, there is anything what I can do in this website
@rustic sage we can use|| msfvenom to create a malicious WAR file , upload to the tomcat server, and catch a reverse shell||
something like LFI/RFI ?
Is my injection point wrong?
sec ill DM you
hey anyone in here can help me with the last question for hacking word press i tried this command curl -X GET http://blog.inlanefreight.local/wp-content/themes/twentyseventeen/404.php?cmd=ls ../../../../../../../.. /home/erika/
any ideas ?
@sick quest i might be able to help 1 sec
DM me 🙂
@rustic sage DM me
hey guys
did anyone finish stack-based overflow windows x86
im stuck on remote exploitation for 8 hours
i made exploit and did everything they asked for but somehow i cant get a reverse shell connection
The above server has 'CloudMe' listening on port 8889 Try use the exploit you built to get a reverse shell and read the flag on desktop user?
Hi guys,
I am stuck as question 2 (Attacking SMB Services)
Any hints?
Could someone please help me with the Footprinting module? I'm stuck on the last question of the smb section where it asks to submit the full path to the specific share. I've tried entering the path I got from rpcclient netsharegetinfo sambashare, and every linux compatible version of the path I can think of but none of them have worked.
@rustic sage i might be able to help
@sturdy agate make sure you are not|| including the C: drive||
@sturdy agate start with /
XD facepalm thank you @placid quest and @west canopy ! I was wayy overcomplicating that
hello, I need help
did you brute force jason smb with the password list in the resource?
Ouch I did try to rockyou.txt, didnt know that there will be a "resources" for passwd list
pls go dm
wait didn't you read the hint
I did read the hint, but I didn't expect that HTB will provide the password list in the resource. Bad thing is that, I have not scrolled my page to there = =!
kk good luck
thanks
Hello. I am working on HTB Academy Module Linux Local Privilege Escalation - Skills Assessment. I have recovered flags 1 - 3. I am struggling on Flag4.txt. I have found the credentials needed to login to an external service. I have found the location of Flag4.txt. However, I do not have the access to use 'cat' on Flag4.txt. I am fairly new to HTB, and the discord community, so if I need to put my question into a different format or include other information, please let me know. If anyone could give me a nudge, or ask me a question to get my brain pointed in a better general direction, on how to recover Flag4.txt, that would be appreciated.
@onyx dust did you get your shell ||through metasploit , or by using msfvenom to create a WAR file?||
Apologies, I am still pretty new, so I may not understand this terminology. (Though I recognize it is embarrassingly basic.) I am logged in as user2 (using an alias for the actual user name to avoid spoilers). So logged in as user2@targethost.
have you run nmap against the target?
Yes. I see two external services. I have admin login credentials recovered for one of them, on port 8080.
Also, now that I see the rest of the message, I have not used metasploit or msfvenom.
I have found several WAR files, however, related to the target external service.
try logging into ||tomcat and get to a place where you can upload a war file. Then use msfvenom to create a reverse shell war file .||
Once you upload it , navigate to it and catch a shell 🙂
Thank you. I will take a look at that as a path forward. I will also investigate metasploit to see if I can learn two ways to overcome the challenge. @west canopy , thanks for the advice.
So I am working on the Second Skills Assessment for Windows Privilege Escalation and I have tried everything I can think of to find the credentials for the iamtheadministrator admin domain account, but cannot seem to figure out what to do to get it. A nudge in the right direction would be fantastic.
@vale salmon try using findstr
Is this thing working?
ok i'm at the whitelist filters of the file upload. I get the correct extensions and uploaded correctly, but getting File Not Found 😦
thanks bro
hey guys im trying to finish this part of Try to gain RCE using one of the PHP wrappers and read the flag at / but when i run the command "curl -s -X POST --data '<?php system($_GET["cmd"]); ?>' "http://206.189.26.97:31610/index.php?language=php://input&cmd=cat /" it doesnt work 😢 can someone help me the cmd =id works but the other command doesnt
Your command appears to be trying to do 'cat /' which would be trying to "cat" the directory "/" -- you'd want cat /flag.txt. But as you're putting it into a URL, you'd want to URL encode it -- you could try cmd=cat+/flag.txt as an example
okay i will url encode it
thank you
@fossil crescent so i tried using url encoding and i end up with an empty result is there anything else i can try
Hello could someone assist me with: SERVER-SIDE ATTACKS > SSTI Exploitation Example 1, I executed the os-shell-
but this hidden environment variable is really hidden because I can't find it 😭
So, in finishing up the Windows Privilege Escalation Skills Assessment Part II I was able to use pwdump to dump password hashes, but when running them through hashcat, I keep getting separator unmatched. What might cause that? Nevermind. I need more coffee.
Hey I am having problem with same question could you help me ?
I'm having issues in the Windows Fundamentals module in the "Introduction to Windows" selection at the point where setting the target for RDP command: { xfreerdp /v:<targetIp> /u:htb-student /p:Password} I'm getting errors in the Workstation, one of which is "WARNING: CERTIFICATE NAME MISMATCH!" Might anyone know where I may have messed up at or could assist in guiding me in the right direction to resolve this issue?
I need help with Type Filters Section in File Upload Attacks Module. I have uploaded the shell but it is showing an error while I try to execute it
@rain marlin hi there im having trouble with the same model even after i specified /cert:ignore
Hello, I am having trouble in connecting to the academy machines. Host is unreachable even from the VM instance provided. Can anyone help?
if you run ifconfig what are you getting for your utun3 also check the netstat -rn
there is nothing as utun3
if you look at the screenshot on this link you will see what exact error I am having now...
it is same if I connect via vpn and my own machine or if I open the vm instance given on the academy website
I see what you mean I am having the same issues
I can ping the machine so I would suspect it is up
I can not even ping them now it is stuck at that. Please help if you have any solution.
i dont seem to understand your question. let me break down what i did. i injected the web shell using the union injection payload an im able to navigate to the shell.php that i created but i dont know how to go about finding the flag
You are connected with VPN?
Try changing the VPN server
tried that no success
what does ifconfig tun0 say?
Hi, can you please help me with the LOGIN BRUTE FORCING Skills Assessment web, question 2. I try this : hydra -l user -P /opt/useful/SecLists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt -f 206.189.25.173 -s 31216 http-post-form "/login.php:user=^USER^&pass=^PASS^:F=<form name='login'" no wordlist .txt work the parameters are user=admin&pass=password rockyou, -05, -10, etc. .txt not work. What do i not see? I wish you a good day.
Which VPN server are you connected to? Try using a US VPN server.
How can i get the IP for academy machines ?
I mean..... It's not posted anywhere in the module page.
Look at the bottom, by the section "Questions"
There is a link next to Target:
Click on it, then your machine will start and the IP will be displayed.
Yeah.
I understand......
I mean in an instance where the time to spawn the box has expired.
So i can attack the machine locally by connecting to the VPN.
No, then you have to start a new instance.
Then you can access it again.
Oh, you mean the PwnBox.
If you haven't bought any cubes, you can only start it once a day. But you can use a VM instead and then connect via VPN. Then you can reach the target via VPN.
Right, Though this cannot be done without the IP. The problem is that the IP is not provided.
You can download your VPN file here
https://academy.hackthebox.com/vpn
then you can establish the VPN connection from your VM.
sudo openvpn yourfile.ovpn
That's not the problem.
The problem is that the IP for the target machine is not posted.
Click on this link and the IP from the target will be displayed after a short time.
Oh my......
That's the problem.
After the first instance of the box has been spawned it becomes impossible to obtain the target IP.
Why not?
You just can't get a PwnBox anymore.
But the target can be restarted.
I think the VPN is broken...........
2022-07-18 00:16:22 Initialization Sequence Completed
Though cannot ping the machine.
What does ipconfig tun0 say and what have you pinged?
You can only ping your active target machine.
did, nothing is working. I can not even ping from the VM instance provided on academy webpage
maybe there is some issue with the target machine
cause VPN is working properly
I have checked it multiple times, made a new linux VM to start fresh.
is there anything with free account, do I have to buy the subscription to get proper access.
That is logical. You can't reach hosts on the internet.
From your VM, if you are correctly connected with VPN, you can only reach your own target machine.
my VPN is connected properly just not able to ping the target machine maybe this is some issue with the target machine only will raise this in customer support tomorrow.
@devout turtle what openvpn version are you using?
openvpn 2.5.7
Do you use Kali?
Maybe this will help you
https://twitter.com/rootsecdev/status/1541646509061586944?s=20&t=gZU7lgzFTlsde4Mx7FQZnA
Here is the fix if you are running your own Kali box to connect to @hackthebox_eu
Download ovpn file
Change:
ciphers AES-128-CBC
To this:
data-ciphers AES-256-CBC
This was caused by open vpn update on Kali.
that issue is from openvpn 2.6
ah okay
Parrot OS is currently still using version 2.5.1
openvpn --version OpenVPN 2.5.1 x86_64-pc-linux-gnu
So I thought it might help.
this is already updated in the ovpn file...
and yes I am using Kali...
@rich mulch try using ||metasploit smb_login . Also you might need to a specify a port other than 445 :)||
"What is the FQDN of the host where the last octet ends with "x.x.x.203"?", Footprinting module, been stuck in this for a while ago, can somebody help?
@austere pendant yeah still having issues with this if you figure it out please let me know.
@vapid grove DM me 🙂
I have a simple question about scanning/enumeration
i might have a simple answer
When it comes to scanning a machine what is the most efficient way to go about doing a udp scan?
Should I be doing a separate scan for udp or is there a way to include both tcp and udp
i think you have to do them separate but im not 100% on that
i will usually do like regular nmap scan followed by all ports scan followed by udp scan
Okay. I should start regularly including udp scans then
yes for sure
Im on footprinting - hard thats why im asking
If using --top ports I'm pretty sure nmap knows to bounce between TCP and UDP. But if you're doing a -p- without specifying -sU it might only scan 65k TCP ports. I'm not entirely certain... So hooray for experimentation!
hey guys, anyone assist on What is the FQDN of the host where the last octet ends with "x.x.x.203"?". Think I've found all the zones.
Feel free to DM me
thank you much appreciated
Anyone completed Attacking SQL (Attacking common services module)?
Hey Jared ! I am at skills assessment-using web proxies 3rd and 4th question. And When I was looking back to get some tips I saw you helped all the people who has a problem with it. I was wondering If you could help me to solve them?
sure
Thank you thank you! Can I dm you If you dont mind?
ok
what's the issue?
Can i dm?
sure
Hey, anyone able to discuss IMAP and find flag, logged into imap and found one email but no flag, what am i missing?
Which module do you need help with? Footprinting?
@acoustic owl yeah, tried adding to mail client aswell but get no mail
dm
SUP
I have the private key on footprinting lab - hard, and changed the permissions to 400. User is T and not authenticating. A slight nudge please.
Do I have to get the other key using what i got?
@hollow thunder change permissions to 600
Tried it just now
"Permission Denied (publickey)"
It's not the permissions are too open error. Triple check if i pasted it incorrectly
@hollow thunder which module are you on
Footprinting Lab - Hard
@hollow thunder if you have private key change permissions and use ssh with tom
Hey yall!! Anyone able to help provide any hints for the command injection assessment? been stuck on this for for a while now
@lyric echo have you found the injection point?
I get the principle behind it, but still not working
I believe I have. I am using the "from" argument in the URL string to try and inject
Anyone else having problems trying to connect or use basic commands on the spawned machines? Can't even ping the box
can you run a simple command like ls
@west canopy No, I get an "Malicious command" error
@heady hamlet yep i just had an RDP session disconnect now i cant ping the box
ok thanks
@hollow thunder check if your private key is correct
someone help Use what you learned in this section to obtain the flag which is hidden in the environment variables SSTI module
@quiet rune i might be able to help
@rustic sage i get the same error on my kali VM , i have not found a fix for it
have you tried it from pwnbox?
try hcxpcapngtool
Hello, I'm stuck in "Server-Side Attacks - Skills Assessment" and I have checked the js file - but I have no idea whats happening in it 😭 can someone assist?
What is the pwnbox we spin up for every module? Is that supposed to be some version of Kali?
Ok, so when I tell it to install a tool, say searchsploit for example, does it get it from the same place as Kali?
sorry not sure what you mean exactly
i mean stuff like file/folder locations will vary
like seclists is in /opt/useful/ on pwnbox
but /usr/share on kali
@normal laurel i might be able to help
Can I Dm you later
okie
I'm just trying to understand how, when one of these modules says "You can install [toolName]", this ParrotOS or Kali or whatever platform we're using knows where to go to get that tool.
Kind of new to this whole Linux thing
i mean usually we will install tools using apt or by cloning a github repository
and the process is basically the same for any linux distro
What's apt short for?
Gotcha.
Hi anyone who has made the OSINT module that let me DM him , its about the Locations coordinates question
I'm working on it
Though it'll be till next week that I get some time to work on Academy Modules again
hello
please i need some help, with my openvpn
i can't connect to the vpn key for the module 'SETTING UP'
this is the error message i get..
2022-07-18 00:54:04 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2022-07-18 00:54:04 DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-128-CBC' to --data-ciphers or change --cipher 'AES-128-CBC' to --data-ciphers-fallback 'AES-128-CBC' to silence this warning.
2022-07-18 00:54:04 OpenVPN 2.5.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 5 2022
2022-07-18 00:54:04 library versions: OpenSSL 3.0.3 3 May 2022, LZO 2.10
2022-07-18 00:54:04 OpenSSL: error:0A00018E:SSL routines::ca md too weak
2022-07-18 00:54:04 Cannot load inline certificate file
2022-07-18 00:54:04 Exiting due to fatal error
please can someone help me out with a fix?
Downgrade the version of your openvpn binary.
how do i do that ?
hey guys, I'm stuck at attacking common services - sqldb. I can't seem to install sqsh as "E: Package 'sqsh' has no installation candidate ". I thought sqsh came pre-installed on ParrotOS. Can anybody please offer me tips? 🙂
Thanks.. how can I go about this ?
If you search on this chat, there is an old comment from a user with the commands you need, just search the error here or google maybe
here if you still need to downgrade your openvpn #modules message
thanks.. let me check it out asap
it worked.. thanks so much .. love you guys
Although just changing the vpn file would have worked
hello, please does anyone know how i can get my ISC2 Member ID
still stuck in Attacking Common Services - Attacking DNS section, help me
hint there are ||8|| subdomain and one of them have the flag
I tried several tools but each time there is simply not enough time to brute sub-domains. I mean the time 90 minutes of the target. Maybe it shouldn't be slow?
you can just use gobuster
ok, thanks
so the answer is in one of the sub-domains and there is no difference what tool I'll use for their bruteforcing
yep
what is the wordlist to brute? I tried several from seclists and nothing, three of them only found
i use ||subdomains-top1million-110000.txt|| and remember to use "custom DNS server" in gobuster
@rustic sage btw this module is very buggy and there is one guy i help in my dm about this section, he can't find the right subdomain that has the flag and i can confirm that's a bug, that subdomain will not show up in any brute force no matter what tool you use so if you found all 8 subdomains (including 2 nameserver subdomains) and still can't find the flag dm me
seems like the case, dm-ing
i agree been on it since 3 hrs already very slow too
use gobuster
yeah i did, nothing found, ill keep resetting on every failed brute just incase
did you use the custom DNS server in gobuster?
yup
oh if you still can't get it dm me
sure thing
need help with this i am submitting the name server but it's not accepting
you need to submit the name with the domain name
so both domain and ns
yep
how would that look like?
how to you it going to look like hint ||(nameserver).(domain)||
I am stuck on Firewall and IDS/IPS Evasion - Easy Lab (Network Enumeration with Nmap). The problem is that while i was looking at the status.php my wappalyzer showed it was ||Ubuntu|| but when doing nmap it only shows only ||Linux versions||. I accidentally entered ||Ubuntu|| and it was right answer, but i don't want to do modules like that (where i guess the answer). What is the right way to get to the answer?
It got me wondering if there might be a problem with the US VPN connection. So I have tried both the US and EU servers with zero luck
why do everytime i run the vpn a new tunnel opens up and the previous opened tunnels remain open? i tend to change their status to down everytime
hi
Try using request repeating to be able to quickly test commands. With that, try looking for the other flag. can anyone help me with this
got stuck😩
Can someone point me in the right direction on footprinting final lab easy. I used ssh audit and found fingerprints I guess? But I'm not sure how my config file plays into it?
You still need some enlightenment or you're convinced
Kindly be specific with module and section
module = using web proxies ; sec= repeating req
?
Aight
DM
Because I'm not on desktop
was stuck for 7hrs straight lol
k
I didn't even think about that XD
can someone give me a hint getting started knowledge check last question?
After obtaining a foothold on the target, escalate privileges to root and submit the contents of the root.txt flag.
hi, can anyone help me with module "AD Enumeration & Attacks - Skills Assessment Part I" with the question "Submit the contents of the flag.txt file on the Administrator desktop on MS01" .... i don't know how to do this question....
@strange aspen Dm ME
Get admin level or higher access on the system and submit the contents of flag.txt on Administrator's desktop as the flag.
It may be worth reworking through the module to achieve this goal. Everything you need to know/do is in the module.
i don't understand how to connect to MS01
hi all , any one can help in using web proxies module ?
Use the Web Server as a pivot host to get access to the intranet
ok thanks
It's a lab. Gaining access to the machine is part of the challenge
Someone on OSINT module, Location question i am sure that i have the cities but that digits for the coordinates , nothing works !
any bump on where to find creds for ||tpetty|| in AD skills assessment 1?
@rapid pine try running ||lazagne from an elevated powershell||
has anyone had trouble installing Openvas? from the vulnerability assessment module? i ran sudo apt-get install gvm && sudo openvas, but i get an error saying (openvas:44634): sd main-WARNING **: 15:52:28.249: init_openvas: Can not open or create log file or directory. Please check permissions of log files listed in /etc/openvas/openvas_log.conf. but when i check the config file i dont see anything that really pertains to user permissions. i went back and re ran sudo apt-get install && sudo openvas it said everything was installed, but i still cant openvas.
Did you ever figure out the issue you had? I am having the same issue when logging in to the Management Studio. I do have the creds from the i********.txt
@slow ruin were you able to ||RDP into the target as the administrator?||
@broken warren i have openvas as it's own vm in virtualbox. I think openvas/nessus should already be installed on the machines in the module.
Currently rdp as ||alex|| have not found admin creds just the ||alex and sa creds||
@slow ruin try to ||RDP as administrator but use the same password as sa||
i could be totally off on this btw my memory is foggy
Will give it a go thanks!
is anyone else getting an issue with the LFI File Uploads i got to the GIF8*****.txt file but the flag isnt there ?
nevermind i got it
hello world.
wondering if someone might help me figure something out.. currently working through HTTP methods and I dont understand one of the exercise descriptions. I do wish the entry level stuff had more "hand holding" and explain what it wants me to do. lol
which module/section do you need help with?
Exercise: Try to view the response headers by adding -i to the above request, and see how an authenticated response differs from an unauthenticated one.
http://admin:admin@<SERVER_IP>:<PORT>/
typing that in produces nothing. which I get, there is no address.
sounds like they just want you to do curl -i
however its telling to type that in
but curl -i what exactly?
admin:admin@<SERVER_IP>:<PORT>/
any website?
with port 80, or 443?
one sec ill take a look at it
btw... your arms... jesus..
lol thanks for noticing
i appreciate the help man. thank you
HTTP Fundamentals>HTTP methods and codes. first page i believe
scroll down past the GET command area
or rather GET request.
I THINK i got it now.. the website it wants me to go to is the "target" 104.248.173.13:31892
sounds right 🙂
why didnt it just say that?! lol "scroll down to the target to get the link you need for this exercise" would be amazing
nope. still not working. Id learn so much faster if I didnt also have to figure out what it is they want me to do lol
spawn the target at the bottom and then use that ip:port for all of the steps of the section, you should be able to recreate each step
I did, and I got the flag.. BUT, I'm wanting to understand it. I proved I can follow directions, but I need the why.. and how. So for instance, I go to google analytics and can see the search =flag. why would I then do a cURL search? and how would I know what to put in the cURL command line? Such as the Authorization?
Hi hi, is it just me or is the binary exploitation module gone
looks fine on my end
oh, my bad., its a pathway. I thought it was a module.
yep 4 modules make up the path
Thanks @west canopy 🙂
Im right there with you lol
:))))
do U have any way to solve this ?!
i'm working on this for 2 days
and i have only 1 response
the server says it need a verificated cookie 😐
Which module is this?
Web Requests
DM me (:
For anyone struggling with the CRUD API section of the Web Requests module ("First, try to update any city's name to be 'flag'. Then, delete any city. Once done, search for a city named 'flag' to get the flag."):
You need to delete more than one city. I had to delete two before it would give me the flag when I searched for the one I'd renamed to flag.
i got delete all cities
but i didn't find flag !
im bashing my head against the wall with the xss module, can anyone give me a nudge? "find the name of the user in the /home folder" question on "bypassing other blacklisted characters" - i've got characters that dont get caught, but i cant get any output for commands afterwards
@cedar folio you mean Command Injections?
i was able to complete it using ||a combination of ${IFS} and ${PATH:0:1}||
thanks - even just "ls" isnt returning anything, did you go straight for the target directory with that?
what if you try ||ls /home|| ?
i only see the successful ping - maybe i need to use something thats not && as the operator?
yes try a different character
ok thanks, thats prob where im messing up
im trying with escaping ; now, but still running into a wall - am i still being slow?
these early mods absolutely need to be better explained lol what they want me to do, and WHY im doing it, and WHY i would want to do it, and WHEN its time to do it.. lol having to spend 2 days trying to figure out the question is kind of a buzz kill.
sec ill DM
i think i have it, it wasnt ; 😐
When I mount an smb using sudo impacket-smbserver share -smb2support /tmp/smbshare. How do I access the files in that /tmp/smbshare? Like, view , move and remove from my linux terminal, so I can then copy to another machine using powershell
just open another terminal and navigate to /tmp/smbshare
I'll probably do the excersise using the pwnbox but it still wanna learn how to set one up on a VM. Possibly one on Linode?
Hey I stuck in same place ? Could you help me ?
@light yacht I never got a resolution or a response. I haven't been working on that module. Im gonna come back to it tomorrow once I'm done with sql injection fundamentals
Okay thank you so much !
@light yacht no worries.
Anyone avail for a nudge on Attacking Common Services - Easy Skills Assessment? (I found valid creds, and can do some things, but seemingly to no actual useful avail...)
you can use that cred for something else
@light yacht i was able to find the answer with ||whatweb||
Thank you so much after that I did that and solved the problem ! Thank you thank you
@silk helm which module
@vital adder -- realized what I was missing -- thanks
oh did you find the cve
no -- happy to dm you what I did (may well be CVE, just realized something I hadn't tried)
sure
Could someone assist me with the Broken Authentication Module, Weak Bruteforce Protections section, 2nd question?
Work on webapp at URL /question2/ and try to bypass the login form using one of the method showed. What is the flag?
The question should be more like "The web app blindly trusts traffic from certain IPs, spoof your IP and get the flag"
interesting-
I'm not quite following -
Are you familiar with X-Forwarded-For?
Now I'm facing it too. what can i do with the creds?
I was looking at it, yes
With the use of that you can spoof your IP to the web application,
Is a username and password required for that question or nah?
They are irrelevant
mmm..... interesting-
So just "spoof" my IP and get the flag?
Could it be a random IP or it needs to be something specific
somewhat familiar
Can you tell me the difference between private and public IPs?
😭 I have no idea-
searches
^^
Simply,
Public - global
Private -local
indeed, like 192.168.0.1, where you might find your router
I'd suggest reading a bit about local host
@unreal patio I'm stuck on the same module you were asking about this time last year, the "cracking common hashes" exercise for the Hashcat module. I'm guessing you figured it out, even though nobody responded to you, because it looked like you moved on to asking about a different Hashcat question... can you give me any hints for this common hashes exercise? I've tried a few built-in rules already like best64.rule, combinator.rule, d3ad0ne.rule, leetspeak.rule and a few hybrid rules. I have a feeling its one of the hybrid rules, but I'm not so sure. There's so many to choose from! I've spent HOURS on this already. Plz. anybody.
@wind edge try using ||the d3ad0ne rule with hash mode 1000||
AD Enumeration & Attacks - Skills Assessment Part II :
Submit the contents of the flag.txt file on the Administrator Desktop on the SQL01 host.
found the creds neXXb:D@ta_XXXXXn! Do I have to run some potatos to get a root(privilege escalated) reverseshell to the host? anyone here to give a nudge,please
@radiant dagger are you connected to the mssql database?
I connected mssqlclient got the SQL->
@radiant dagger so i suspect you used ||xp_cmdshell to run whoami /priv||.||Juicy potato would probably work here as well|| but personally i used ||printspoofer and move it over using certutil.exe, then used printspoofer to change the password of the administrator.||
Thank you Jared. turns out have to do it... 🥺 I thought I could just run a dsync attack
would be easier
I'll try the spoofer
also i tested and you can run ||powershell commands through xp_cmdshell , just need to put powershell.exe before the command||
great to know that, thank you!
np hope this helps
Hello. I could use a nudge in the right direction for the Linux Privilege Escalation module, Skills Assessment:
I have recovered flags 1 - 3. am trying to get flag 4.
I have a shell as User 2, but I do not have any sudo privileges as this user. I logged in as this user by finding credentials in a file.
I have found flag 4, located in a directory related to an external service. But I can't access it as User 2.
I have found admin login credentials for the external service with Flag 4. I have tried using Firefox and using Curl commands but I cannot access it.
How can I leverage the admin credentials I found? Or should I investigate other paths? I see a process running as root under this user, so I may try that.
I also found id_rsa information for this user, but when I try to SSH in using them, it keeps asking me for a password and does not escalate my privileges.
@onyx dust did you find ||credentials for Tomcat? If so try logging in and then use msfvenom to generate a malicious war file and upload it.||
or i think ||tomcat_mgr_upload ||will work in metasploit
@west canopy, yes, I found the credentials for Tomcat. I tried msfvenom but I have not used msfvenom before and I have not trained myself on it yet, so I was having trouble.
I have two questions:
Is there an academy module that covers msfvenom?
Is there another way to look at the problem that draws from the material covered in the module? (msfvenom wasn't covered yet in the module or the prerequisites, as far as I can tell.)
i'm not sure , msfvenom is used quite a bit in the binary exploitation modules
No worries, thanks for the advice.I have gotten some experience with metasploit, I could give that a shot. If that doesn't go, I will try to learn more about msfvenom and give that a go.
if you are curious there is a retired box called Jerry where its basically just compromising tomcat
just google "msfvenom war file" to find a command
Good to know, thank you! Much appreciated.
Has anyone here finished the Intro to Assembly Skills Assessment? I could use a nudge.
AD: enumeration and attack ... any support will help
You could search your question in the channel. Or just post it here is fine
I stuck on it too.
Submit the contents of the flag.txt file on the Administrator Desktop on the MS01 host
Hello! I need help with Footprinting Lab -Easy: i was able to get the public and private keys from ftp. I'm trying to copy the public key over to the remote server using the cmd: ssh-copy-id -i ~/.ssh/id_rsa.pub user@ip but i get identity_sign: private key /home/kali/.ssh/id_rsa contents do not match public
ceil@10.129.23.7: Permission denied (publickey).
Anyone please help
So far this morning I have tried the Getting Started, NETWORK ENUMERATION WITH NMAP, Web request and I can't ping any of the servers. Which Getting Started and Web Request share the same server
@rain valley you can copy the private key and change the permissions
I'm beginning the module... The first question for finding the flag in the inlanefreight records... ie HTB{******}
Hi I'm stuck on Website Lab in Login Brute Forcing. I've really tried everything and seen all posts about it my command is ||sudo hydra -l user -P ../../usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt -f <IP> -s <PORT> http-post-form "/admin_login.php:username=^USER^&password=^PASS^:F=<form name='log-in'"|| Can anyone help me?
Has anyone had any issues with the Introduction to Web Applications Common Web Vulnerabilities not accepting the answer using the ||Arbitrary Code Execution vulnerability|| name or is it by another one?
Hi, im stuck in footprinting lab medium, after finding some creds in NFS, and doing rdp but seems like arent the same for SQL.. Im lost there
Scratch that left an extra space causing the error
Attacking Common Services-Attacking SMB
which password dictionary to use? the one given in the hint does not give the correct answer!
Could someone assist me with the Broken Authentication Module, Weak Bruteforce Protections section, 2nd question?
Work on webapp at URL /question2/ and try to bypass the login form using one of the method showed. What is the flag?
Has anyone else had trouble with File transfer module, windows section? copying the syntax for smb server and ftp server. i keep getting errors. windows will say directory doesnt exist when i try to follow the steps for smb server. And when i try sudo pip3 install pyftpdlib i get pip3 isnt installed. but if install it it says its already installed.
Yes, thanks anyway 🙂
Anyone out there that can give me a hand on sqlmap essentials skill assessment?
use the provided wordlist in the Resources
hint ||shop.html|| and burp
I have gotten well past that point
I have the attack vector and have configured some of the suggested options, examined errors and tried to rectify them
It looks like the underlying query is an insert to me based on context and the errors that pop up, so I configured the prefix to close it properly to do a stack injection. It says it is vulnerable to the stack injection, but then it does it with sleep and doesn't actually return any results or start doing anything useful
Have tried without the prefix then it says vulnerable to time based and also uses sleep and never returns
Footprinting Lab Medium - Getting this error and no way to get through it : No process is on the other end of the pipe
@safe leaf oh did you use the ||Tamper-Script|| ||between||
yes
looking up other people who have had problems, all the advice would seem to indicate that i've done everything required and it should just work, but it isn't, but no one else seems stuck where i am stuck
yeah i think you did
also did you set ||level / risk|| to max
I did
is the using the prefix correct?
It says vulnerable to injection with or without (just different types) but neither returns for me
oh that's weird shoot me a dm if you still need help with that i'll help troubleshoot
will do, let me get my environment up
Again thank you so much!
at the end of your command try adding ||"/admin_login.php:user=user&pass=^PASS^:F='log-in'"||
did you change your ip to ||localhost||
Yes
with python or burp
Burp
@normal laurel can you send me a screenshot of your burp request
Kk
Anyone able to provide some insight for Footprinting Lab - Hard? Trying to get initial creds but having some trouble understanding community strings. Or maybe my commands are not giving me community strings because not sure how they are supposed to look like
my god just figured it out...
input value
can someone help me grasp a better understanding of log poisoning on the module File Inclusion
thanks i got it but still dont understand why mine doesnt work since ||username=user&password=^PASS^|| is formula from previous section
Attacking Common Services - Easy, need a hint please
I've found creds and two files on FTP
Wish i could help bud but you're farther into that module than me 😦
Introduction to Bash Scripting
I'm currently stuck at the very first question of the module for quite some time now. Have tried various methods all leading to the exact same results. Which correlates that I'm probably not understanding the question properly. Could anyone please gimme a DM to put some clearance on it?
@clear saffron sure DM me 🙂
Hello world. I'd appreciate any insight.. Working on HTTP Headers. On the
on the page it says "If we clear the Network tab in our browser devtools and try to log in again, we will see many requests being sent. We can filter the requests by our server IP, so it would only show requests going to the web application's web server (i.e. filter out external requests), and we will notice the following POST request being sent:"
I think I'm doing it right on chrome, but when I go to the search box and type in "server_IP" everything just disappears. Which, as would have guessed... left me confused. lol
What am i doing wrong? or is this a function of chrome on a mac?
Feel free to DM me
Anyone available to help me on Footprinting Lab - Hard? Found the ||.sh|| file on ||snmp|| however not sure how to look at the contents of the file using braa
Feel free to DM me
Can someone give me a quick sanity check regarding Attacking Common Services - Attacking SQL Databases?
sure
Hey,
I'm working on Login Brute Forcing -Skills Assessment - Service Login.
I've made my user.txt (15 login name) and my pass.txt (2245 passwords after cleaning up regarding the password policy).
Now I have try to brute force SSH but I got disconnected before it finishes.
I would enjoy a little hint as waiting is boring...
Feel free to DM me
Guys, could someone give me a hand?
Ik the ip is different but that 'cause I restarted the target
You have to put the IP follow by the domain name in the /etc/hosts file
And then you can use whatweb against the domain name
Whatweb -a3 http://app.inlanefreight.local
got you
I was thinking i needed to do that but wanted to ask first
getting same error
don't use https
just http or nothing ?
Found CMSmap tool
For me at least works better than the whatweb
Hi can someone help me with the "Skill Assessment - Broken Authentication". I found all the information needed to access the user profile but I don't see the admin panel?
Hi, i'm stuck at module "Information Gathering - Web edition" at vHost, i can't seem to find any vhosts, because all are prompting the same size.
FIXED - Try using gobuster
Hey all, can i get a lead in "Web Service & API Attacks" module, skills assessment? I crafted a correct soap. Cant get sqli on it.
@woeful oxide yes sublist3r does not work, but I managed to find the answer by ||googling "subdomain finder"||
@tulip plinth were you able to log in as the ||support.xx|| user?
very much need some quick understanding can someone dm me for Local File Inclusion Automated scanning ive gotten everything else done just dont know how to make it search for /flag.txt using the wordlist
@devout vector all of the LFI payloads point to /etc/passwd, so once you get a good match with FFuF, just modify the payload to point to /flag.txt
Yes but I cannot see the admin panel 😦
@tulip plinth try manipulating the cookie
Hi, can i get a lead in "Web Service & API Attacks" module please?
oh my god, it took me a lot to find that subdomain, thanks mate
np nice work 🙂
how would i modify the payload to find the /Flag.txt?
instead of ../../../etc/passwd, you would do ../../../Flag.txt
thank you
Hi, I'm doing the File Inclusion module, in the section of uploads i have successfully did the rce, but I can't find the flag, just a strange file which doesn't give anything, if anyone could dm me for help please
I don't know if is an error of the machine or mine
@final frigate not sure if this helps but ||the name of the flag isn't "flag.txt", it's just a random file hash||
Yes I know, but for some reason the file is blank and the name it isn't the flag
Well, I can't get it with some of the uploads options, but other works for me
I don't really understand why but at least works
How does your /etc/resolv.conf look?
like this
I'm not 100% sure if I remember correctly, but I think you need to add the IP of the dns into the resolv.conf
i think you're talking about the hosts file
@woeful oxide try doing a ||zone transfer with dig axfr||
Fair haha
what do you mean?
the command right?
@woeful oxide you need to look for zone transfer
like this ||dig inlanefreight.htb axfr|| ?
wdym?
The server that spawns is nameserver, so when you use dig you need to use that nameserver. The earlier DNS section of the module explains how to do so.
how do we identify the axfr zones?
anyone able to help out with hashcat module masked attack? there seems to be an inconsistency
I probably found a big issue for the usage of printspoofer. On maybe HTB instances issue. I obtain a reverseshell with printspoofer. and I'm on nt authority\system. But the lazagne.exe or mimikatz all giving back wrong NTLM hash. I can't use the hash to login to the MS01
The Administrator hash can only login to the SQL01
@radiant dagger i used the ||metasploit web_delivery exploit to get a meterpreter shell and then used hashdump.||
yep, I'll try that
anyone for some help with hashcat?
yeah, tried multi/handler not working. will try the web_delivery exploit
never used it before
be sure to set|| TARGET 2 (for powershell, by default its set to python) and set payload to a windows meterpreter||
I’m trying to find the DNS server version of this machine and I’m having hard time… any hint? I tried to run nmap -sS -sC -sV -p- -oA resolute but I didn’t get what I needed
Getting Started - Public Exploits:
I can't get nmap to return anything at all, so I'm not sure how I'm supposed to find the services that the target is running. If I run it vanilla, it tells "Host seems down. If it is really up, but blocking our ping probes, try -Pn. When I do that though, the only thing different that appears is that "All 1000 scanned ports are in ignored states", as well as "905 filtered tcp ports (no-response), 95 closed tcp ports (conn-refused).
the command you need for that section is already in the question, and if you have issue with that command try use something like in the "Hashcat - Mask Attack" example command
that is a website you don't need to scan with nmap
i have, i've looked at the hint
i'm not sure what i'm doing wrong
👍
if you still have issue with that dm your command i'll help you troubleshoot
added
Do you know how to find DNS server version?
I’m on the IDS/IPS evasion module
Network enumeration
try using other "SCAN TECHNIQUES" in nmap
It's weird that I can't even have a session
i'm running the msf on the ssh host
the tun0 is 10.x.x.x the ens224 is the 172.16.7.240
oh gotcha
yeah, just save one pivot
windows/meterpreter/reverse_tcp
try windows/x64/meterpreter
np nice work 🙂
Did you run it with the sprintproof.exe or promote yourself after the meterpreter shell?
i think i first just used|| printspoof.exe to change the admin password, then i authenticated as admin somehow, then ran the web_delivery. ||I could be totally off though my memory is foggy
cool cool
still the wrong hash. I think maybe HTB patched it. forcing you to use their intended way
This meterpreter shell is on SQL01. we got root access and dump the hash
The Administrator hash should be able to login to the MS01 as well
yea my notes the hash values are different
I know another clear credential way can access the MS01 now
i ran lazagne, snaffler and mimikatz them all. All the same result, the hash is not working
I know your hash is probably bda..SNIP...99
nope
oh, okay. I know that one is working
Thank you Jared, I'll just drop it and go with the easy way.
anyone working on XSS
How can I get msfconsole to show me a list of relevant commands I can run while I have an active exploit?
help?
you mean when you under meterpreter?
Anyone able to help on Attacking Common Services - Easy Lab? I found a username for one of the services but couldn’t find valid passwords yet. Also noticed the vulnerable service but I need valid credentials first
guys
anyone out there who can give me a hand on the active subdomain enumeration?
with the axfr zones
you need to use ||rockyou|| for this
Good morning, can i ask here some questions?
@undone imp what question
@placid quest About the last page in windows foundamentals, Skills Assessment
Nothing?
Thanks for the help! Just completed it 🙂
can someone help me with the broken auth skill assessment? cant find the admin panel
if you are on the ||support|| user that ||isn't the admin user||
yep
thnx
@undone imp i haven't done windows fundamentals
hint ||the admin user has the same code as support ||
thnx
Hi All, Web Proxies - Encoding/Decoding (https://academy.hackthebox.com/module/110/section/1052) is stumping me, I have decoded and encoded in base64 and URL in every combination I can think of but it's not resolving a flag... can someone assist?
@alpine vault you will need to decode base64 multiple times. If the string gets smaller each time you decode, you are on the right track
@west canopy thanks! ill try it out
that was it! thank you!!! in the future how do I figure that out on my own?
if you see an equal sign at the end of a string, it's likely base64
you need to set your cookies.
1. send a request with your credentials like that:
-
curl -U user:pass -v (for verbose request and response) http://...
-
copy the cookie: PHPSESSID:cookie value so:
curl -b "paste here the cookie" http://...
if it doesn't work DM me i will help you
look around in the user profile you might find something else
I need help with Footprinting Lab - Medium: I found the credentials for the "sa" account but when i tried to login to the SQL server i got this error (see image).
You need another Windows account. The account you are currently using has no rights to access the database.
To find the Windows account, consider what role SA has in the database. Your Windows user should have the same role for Windows as SA has for the database.
File Inclusion Module
Anyone was able to solve this?
am able to execute the commands through CMD, but idk how to reach the flag
did you try ls / ?
it's cmd not linux
I want to do something like cd c:/ & type flag.txt
but am unable to run those
you will never be able to just change directories because you dont have a full blown shell.
im pretty sure that just because the parameter is 'cmd' doesn't mean that it's a windows host, but here's one trick: if you have RCE you can add 2>&1 at the end of the command, on both systems, and you will see the error!
just need to enumerate using dir
It's not a Windows host, the cmd in the script is just an abbreviation of command. Try some Linux commands.
In general, all hosts in the Academy are Linux boxes, unless there's a specific reason they have to be Windows, like working with AD.
Can i get a sanity check on Attacking Common Services - Easy Lab? I can't seem to figure out what ||the xampp webroot is (i'm not having success writing to C:\xampp\htdocs\ )||
Edit: SOLVED! Thank you @acoustic owl
feel free to DM me
did you use double \ on the path
hey everyone looking a little help for getting flag4 on the Linux Local Privilege Escalation - Skills Assessment, i dont know if i'm on the right track or not
Check the services running on the server
hey folks, im embarrassingly stuck on the 1st question of Broken Authentication - I tried making a list of the user/pass combos in scada-pass.csv from SecLists, but that didnt work, then just been guessing at which lists to use - any tips?
You need to find a list on the Internet with default passwords for this type of system
Thanks, not the one on seclists then i guess!
lol very simple manual copypasta - thanks - the question said "brute force", so i pulled out ffuf without even thinking
I am having trouble getting the correct answer to the first question in the Introduction to Bash Scripting module. My code is running without any errors but the value that I get isn't the right answer. Any help with where I am going wrong would help, thank you.
So just finished Attacking Common Services - Hard -- feel like in order to solve, one needs to make a bit of a leap... Not "difficult", but I only knew what to do because of other training...
Hi, don't know if you've found your fix yet, but a hint is:
"echo $var -n | wc -c" is not identical to "echo $var | wc -c"
@west canopy, I followed your advice and I got flag 4 in the Linux Privilege Escalation module. Thanks for the guidance! I'm tracking down the final flag 5 now, then I will (finally) 100% this module.
I’m stuck on Firewall and IDS/IPS evasion - Medium Lab. I’m having a hard time finding the DNS server version… plz help
@errant lava if you still need help feel free to DM me
Could I have help finishing up the command injections skills assessment? I have been stuck for waaaaay too long
What is the issue?
Just having issues getting my injection to work
Ok
I talked to jarednexgent. Should be able to get the flag now; issue is resolved
Thank you for the hint
I want to make this a new thing on HTB
FYI if you didn't know. It's a commercial
AD Enumeration & Attacks - Skills Assessment Part II OMG, worked on it for over two weeks now
Just last two questions left, need some nudge, please help me gang.
@radiant dagger did you find the password for the ||CT059|| user?
yes, I have that already
@radiant dagger In my notes I have myself ||RDPing into 172.16.7.50 as CT059, then using windows net user command to change the administrator password.||
I have the hash of administrator on .50 already. But yeah, I can do that as well
hmmm i am confused by my notes
because i show myself connecting to ||172.16.7.50 and then changing the administrator password there||
but then using ||evil-winrm to connect to 172.16.7.3 as administrator||
ohhhh because i did ||net user administrator <password> /domain ||
ooo
that gives Domain Admin 🙂
nice work 🙂
Thank you so much Jared. 🤩
you're welcome
Attacking Common Services - Hard Lab; I haven’t been able to login as John anywhere with the secrets file from SMB, any hint?
I have logged into RDP and MSSQL as fiona but haven’t gotten anything yet
@sage jackal ||fiona|| is the only account you need
I found the linked server; do I have to execute commands at the linked server ? 😵💫😵💫😵💫
maybe 🙂
So let me ask a question... Why is it that if I connect through the US-VPN I don't get a connection but if I connect with the EU-VPN I do?
Morning all, I'm working on the command injection module for the CBBH path. I'm on page 7 (Bypassing Other Blacklisted Characters), has anyone experienced the target machine when refreshed or started instantly crashes? I'm using pwnbox to attack so no VPN issues
hey man, i have an issue with "AD Enumeration & Attacks - Skills Assessment Part II" with the question "Use a common method to obtain weak credentials for another user. Submit the username for the user whose credentials you obtain.", i have imported the tool in powershell but when i run this tool it is stuck at this point and i don't know why:
[] Now creating a list of users to spray...
[] There appears to be no lockout policy.
[] Removing disabled users from list.
[] There are 0 total users found.
[] Removing users within 1 attempt of locking out from list.
[] Created a userlist containing 0 users gathered from the current user's domain
[] The domain password policy observation window is set to minutes.
[] Setting a minute wait in between sprays.
does anyone know why this tool is stuck here??
When you generate a new VPN file, the previous VPN files no longer work.
write to the support team. Only they can check if everything is OK with the machine.
Hi, I'm stuck in the Skills Assessment section of the Server-Side Attacks module.
I get presented with a login screen, and in the question I'm told not to create an account. I'm thinking fuzzing for default credentials with Ffuf or use SQL map to dump the databases, but that seems out of scope since this lab is about Server-Side Attacks.
I have no idea how to proceed. Please help!
Many thanks! Feel free to DM me.
Take a close look at the source code of the website. Including all included files.
@visual snow can you pls send me your notes regarding the skills assessment from broken authentication
Good day everyone! Could someone show me how I can copy-paste the example bash script in the module into either vim or nano inside the Terminal of the parrot VM that is spawned please? I have tried Shift-Ctrl-C and Shift-Ctrl-V which I thought should work in this scenario, but it doesn't. What am I missing here?
There should be a button on the bottom-right of the Pwnbox allowing you to copy paste stuff into it. I usually paste stuff into it, copy it again to paste into the Pwnbox.
Hello, can someone help me with the broken authentication skills assessment?
sure did you get the ||support|| account?
Yes
yes that's the account ||support|| and pls put spoiler tag on that
that isn't the admin account hint ||the admin account has the same code||
But how do i log in as a different user? Brute force is not possible because of time outs
And tampering the cookie is not getting me logged in
hint ||tamper with the support user cookie to find the encode method||
I already know how to encode my own cookie
So i know the encoding/hashing algorithms
@silent knoll oh that's weird so even if you use the same cookie encode method with the admin user it still doesn't?
oh i think i know what's wrong shoot me a dm i'll help you troubleshoot
Hey there, I just finished flag7 in the sqlmap essentials module by handcrafting an sql injection, and I was wondering if someone could help me figure out how to do it with sqlmap
Is pasting the sql injection against the rules of this channel?
Nevermind, just got it
|| I'm surprised you have to specify it with the switch even though it's in the default range, or I guess I'm understanding that wrong||
a button that appears to be disabled. Try to enable the button
In the Stack-Based Buffer Overflows on Linux x86 module, why does it always refer to the call function, but only the second one? There is a call function before but the module doesn't talk about it
can somebody help me with Password Attacks -Password Reuse / Default Passwords? Need to find mySQL credentials. I'm able to login with sam's ssh account, but can't find any info about mysql creds. Tried to pivot mysql port and use hydra, but it is very slow. any hints?
hint ||the password is in one of the links in that section||
can some1 help me with zone transfers?
What is the FQDN of the IP address 10.10.34.136?
could some one help me in skill assessment of using web proxies module. last question alone
you should intercept with burp or zap and see the dir
i did and it said 404 not found
its straightforward...little room for a mistake
Evening, i recently signed up with HTB and Academy, are you able to confirm with me that everything is all good as I accidentally deleted the message
go lets go
so wat am i exactly supposed to do?
hello
as far as i remember...use that module...show options...set rhost and rport...set proxies to http:127.0.0.1:8080 and hit run
and you should see intercepted requests and responses in burp/zap
sry mate.
i already got my answer. the mistake i did was not reading the question properly... its abt the dir not the page
np
😁
Thank you!
ok these hashes are getting wild now. i ran it through hashid and it was like EVERYTHING lol. can someone point me in the right direction?
Awesome
Thank you, that made all the difference.
AD Part II - looking for a bump... do I need to pivot from ||sql01|| to ||ms01|| for administrator flag or is it a different attack? I have a system meterpreter shell open on ||sql01||
Hopefully you've gotten past it, but if you haven't -- I used linux/x64/meterpreter_reverse_tcp for both payload generation and the payload for the multi/handler to catch and it worked.
Thx for that!!! Yeah def the "right" answer is WRONG, and the WRONG answer is "right"... 😡
Need help on the “Intro to assembly” module data movement question-Add an instruction at the end of the attached code to move the value in "rsp" to "rax". What is the hex value of "rax" at the end of program execution?
I’ve tried moving the immediate data itself with the syntax
Mov rax, rsp
And also tried using brackets to move the actual value instead of the pointer
Mov rax, [rsp]
However using gdb to answer the question, both attempts failed
Hello. Is anyone available to talk about the medium lab in Network Enumeration with Nmap module?
ZAP HUD, anyone got it working? Using web proxies module
anyone here able to give me a hint on sqlmap essentials os exploitation? im on the second question, found a way to upload files but not sure how to output the flag im looking for
Solved it by running the command on Pwnbox. Wonder though why it didn't work from the VM
On the SMTP Footprinting module would anyone share how they did it without metasploit?
Anyone available for a nudge on the Documentation & Reporting Practice Lab? I was able to ||dump the hash for the lab_adm user, but I'm not able to crack it or pass the hash anywhere.||
Edit: SOLVED! Thank you @distant stream
DM Me
I used to have problems with ZAP until I gave it a fresh update on my VM
smtp-user-enum Usage Example Use the VRFY method (-M VRFY) to search for the specified user (-u root) on the target server (-t 192.168.1.25):
root@kali:~# smtp-user-enum -M VRFY -u root -t 192.168.1.25 Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum ) ---------------------------------------------------------- | Scan ...
I used that with the VRFY syntax and the user list and it does not say the answer exists. Am i missing some syntax?
No the hud is already pre configured and i get a security error from firefox regarding that issue and i was too lazy to research
I'd have to take a look but I didn't have any problems using the preconfigured browser with using the HUD
Yes, || you need to increase the number of seconds for the response from the server. (-w) ||
Tried that but I'll increase.
Sent you a DM with the command
Attacking Common Services - Hard Lab; I struggle with figuring out the mssql commands at the linked server, I was able to get the table name and column names but not the values…
And haven’t been able to find a guide with easy to understand execute commands at linked servers
Have you enabled the xp_cmdshell?
No I wasn’t able to get the syntax correctly. The different syntax that I have to use at the linked server confuses me and I can’t get the commands right
I haven't done that module so not sure what you're trying to piece together but the payload all the things github has some pretty helpful mssql commands https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL Injection/MSSQL Injection.md
thank you very much! Problem solved. Had to be in full screen mode of the pwnbox to see that button. Have a great weekend!
wow, I'm starting it too. Although, my question is that don't you guys feel the RDP host is super slow? almost not possible to do actual practice
Hey all. Anyone having difficulty with the Knowledge Assessment in 'Cracking into HTB?' I've only managed to get Metasploit to work for it once, and my attempts to pull off the exploit manually haven't done any good.
so frustrating that MSF only worked the one time. Not sure what I'm messing up there.
Hey, I completely forgot that PayloadsAllTheThings has MSSQL. You’re right there are many helpful commands and specifically one that brings you very close to completing the lab! Thanks!
I'm trying to find inode of shadow.bak file but no such file exists
this is in Linux Fundamentals path
I just thought I would ask
could someone help out?
thanks
nevermind figured it out
solved challenge
lol
I decrypt the svc_reporting user's hash by just using https://crackstation.net
Anyone here has done AD Enumeration & Attacks module? I'm confused with the question
oh nvm my bad I skipped few parts
I'm wondering if maybe the default payload in MSF is why my meterpreter sessions are encountering an unknown error at time of upload. No idea why they worked that first time though..
would it be ideal to complete operating systems fundamentals path and information security fundamentals pathway before even going near the bug bounty pathway?
I feel like that would be ideal
Yeah definitely do these first if you’re a beginner
I'm doing Linux fundamentals path and I'm having some trouble with find function
in one command it's not letting me specify more than 25k AND less than 28k
it's also denying privileges to find many of the files in the output
and it won't let me save it to a file
I'm doing TryHackMe concurrently and I already completed PreSecurity, but this looks more extensive than PreSec path
it's harder too
currently doing web fundamentals path on THM while I do Linux Fundamentals on HTB
does bug bounty path really cover enough to make real money doing bug bounties?
would it be ideal to enroll in pentesterlab beyond that point?
just a thought
I'm wondering would it be ideal for me to restart Linux Fundamentals Path?
how can I restart it from the beginning
I think I forgot a lot of it
thanks
hi there, is anyone available to help me with Skills Assessment - File Upload Attacks?
I manage to read the source code and know where the files are uploaded to and know the file renaming
I am having difficulty with uploading a file with a filename/extension that work
been doing something like cat.phar%00.jpg. the upload is successful i think but then it kept telling me the url doesn't exist
Just go back to the beginning - you don't need to reset
You mean like GDB and Radare2 (Cutter GUI) and Ghidra?