Also tried hash cracking and can't get anything

stuck on the file uploads attack assessment, have ||read php source and the only check im having trouble bypassing is "whitelist". everything i try either doesn't execute or i can't find the filename||

passwd, shadow & opasswd module, from Password attack. I have obtained the shadow file with the hashes, and I have tried with rockyou and mut_password and it does not find any password. Will I have to try some more password list?

Hey guy - working on bash scripting module - conditional execution and got this error

im pretty sure my script should work

yeah try using echo $var | wc -c instead of ${#var}

salt=$(echo $var | wc -c)

thanks!

In my opinion this bash scripting module is poorly made

did that work?

that's what I was missing and someone on here set me straight, not sure why the other idea didn't work...

yup, thanks mate

the other also works but with a little tweak

you need to + 1 and don't use the echo -n flag

Dm if you still need help

ahhh ok thanks was wondering

I have been working with this section of the module for 2 days now, I have tried several lists to crack the hashes, but there is nothing. Can someone give me some idea with this?

every password meant to be cracked in the module can be done with either the basic provided list, rockyou, or the mutated password list.

Or provided as reused credentials found on the system

I have tried rockyou, mutations, and some that have been created for other sections. And find nothing. Either I'm doing something wrong or I'm thinking that the password is somewhere else, but it doesn't make sense that it gives you two backup files of shadow and passwd and I don't have to crack them.

wdym you dont have to crack the backups

is where the hashes are. That whole section tells you about getting hashes in both /etc/passwd and /etc/shadow, that's why they put both backups of those files, so you can see the hashes without being root. Now they ask me for the root password

yeah, but that doesnt mean you dont crack the backups, you absolutely crack the backups

because I can not do it with any list

You absolutely can

maybe your mut password list was genned wrong.

Idr which list was used for that page, but I remember that section being very straightforward

the mut list is well generated, I have cracked the rest without problems, I think the problem comes from somewhere else. Here I separate the encrypted passwords of all users and use this command -m 1800 for Sha512 or 6

and it does not find any password of any, I must be doing something wrong

any hints on windows privilege escalation skills assessment II question 2? Escalate privileges to SYSTEM and submit the contents of the flag.txt file on the Administrator Desktop

i'm stuck at Parameter Fuzzing - GET, so if you help me I can help you soon 😉

try john instead

for the wordlist you can just use the mut_password.list but for read the hash don't try to crack them all

what are stuck on?

using the burp parameter names on the provided IP, but not getting any parameter names

I have also tried separating only root, since it is the one that asks me, and also with both rockyou and mut, but none of them works for me

you should be sending <URL>?FUZZ=key

well, <URL>:<PORT>?FUZZ=key

yep you just need root cred also try with john and use the mut list

ok

that's what im doing, except giving IP instead of URL:

is there a specific page you should send it to?

😉

if you still need help with that then hint you need some ||magic number|| also that box is using ||BST +0100|| time zone

I ran ffuf again and found nothing on /blog and /forum (these were other ffuf results, I'll try recursive now)

anyone else had to install rdesktop over xfreerdp on Parrot? I kept running into issues trying to install xfreerdp (assuming you vpn into the academy)

try remmina

I already found the problem, it was creating the unshadow file, I hadn't done it right. Create it again and I already found it. Thanks for your help, it helped me to review everything again and realize the error.

np

trying to install FreeRDP, and in the end I did it with flatpak and it works, although it is a bit more cumbersome. But remmina works great, you just can't copy and paste files from one site to another like with FreeRDP

Thanks I will also try out remmina!

Im working on the command injection skill assessment and Im having trouble getting started. I had a lot go on after I completed the sections and I am drawing a blank coming back to the skills assessment after all this time. Just need a push to get me moving again.

if you need help dm is open, big fan dude 🙂

MRtom helped me out, cheers!

HOW AN OPERATING SYSTEM CAN BE HACKED

WITH HACKER SKILLZ

WITH A DIFFERENT OPERATING SYSTEM

i would recommend you re-visit some if not most if the section in that module and with a fresh mid of what is going on i think you should be good for the skills assessment also i would say the main task of the assessment is ||finding the injection point|| and for the bypass part it isn't that hard

what to do to get banned from linux

ya as you referred to it the main task is what im having trouble with for some reason its not working for me

hint ||the move parameters|| also if you hit an error then you are in the right spot

thanks thats all I needed

Can anybody assist me with Password Attacks - Hard Lab? I did the following: ||Brute forced Johanna's RDP login, pulled the keepass file, cracked that file, logged in using the alternate creds, pulled the system.save and same.save, and cracked the associated hash.|| Now I don't know how to proceed with the new creds for ||Johanna||

check that user ||documents||

Via the new login credentials?

i mean the ||documents folder||

oh wait

wait what where did find ||system.save and same.save|| and after crack the ||keepass|| which user cred did you found?

I was just checking my notes, I cracked the ||logins.kdbx|| and logged in with the info included in that file. From there, that is where I was able to get the ||Sam/Security Files in order to get the hash to crack. I then cracked that hash for Johanna||. Don't know what to do from there

Ohhhh

Wait I think I had the username wrong

yep

Misread it in the hash file I made

Bless up

I am just dumb

after cracking the ||logins.kdbx|| you should found the cred for user ||d|| and from there a different file and that will have the ||sam|| file

I was trying to use the new password for ||Johanna instead of Administrator||

ohh

Yeah just a brain fart

Thanks for the help 😄

hello everyone

under Web Service & API Attacks, anyone knows if the api is running over UDP..?

Hi, I'm working on Footprinting Lab - Hard, and I've found the SNMP server, but cant find any valid community strings. Am I doing something wrong?

still not finding the right extensions for web fuzzing... maybe I'm using the wrong list?

hint check back at the snmp section

which module and section are you on again?

I've already used onesixtyone and the corresponding seclists wordlist. Perhaps it isn't working due to it being SNMP v3 instead of v1/v2c?

yep that is the same issue i have the first time i do this i still can't get snmpwalk to work with snmp v3

hint in the snmp section they show 3 tool

ffuf, the skill assessment

||braa||?

which question?

yep

enumerating the extensions

The second one

Thank you for the help, but as far I can see, I cannot use braa to brute force community strings, and onesixtyone still isnt showing me any results.

so i just check and i don't know why that question don't have a subdomain because there 3 subdomain so you may running ffuf with the wrong subdomain but for the wordlist you can just use seclist ||web-extensions.txt||

shoot me a dm i'll help you with this also braa isn't for brute force community strings

yeah that was part of the issue, I was trying to run on all the subs in a for loop

I'll throw that list at it then

thanks

when setting up a reverse shell for module targets, do I need to use eth0 or tun0? I thought I read somewhere that tun0 is what I should use after connecting to the academy vpn, but I can't seem to connect for the reverse shell. Code looks fine on paper

How long should scanning all port in Getting Started > Service Scanning take?
When I use nmap with -p- flag the scan time grows to over an hour. Which is insane considerin that target spawn time is 120min. Am I doing something wrong? Using Kali linux with VPN

scanning with -p- takes a hot minute. I remember leaving one going for about half an hour and it was only 56% or so

Hmm, the code looks fine for the reverse shell, it's uploaded to the site, but navigating only triggers the id part that was used to see if it would actually work.

you can also adjust timing by using faster timing templates such as -T4 or -T5 its also useful to use verbose output such as -v so that you can investigate new interesting porta manually as they come in before the scan finishes.

So, uh. I tried a different script for setting up the reverse shell and that worked. I think the example php code for setting up a reverse shell given for module 77, section 852 seems to be incorrect in some way? Unless it's just something on my end

Has anyone also had trouble with the last question on the Hacking WordPress module -- the RCE component.

I've tried ||using msfconsole to get an interactive shell, but it couldn't properly upload the file (but auth was successful so I know I wasn't screwing up the options at least)||

I've also tried the obvious path of ||using the themes editor to insert my php shell (I tried both a reverse shell and just a simple web shell). I can edit the 404.php file just fine, but when it comes to actually accessing the file under the wp-content/themes directory it results in a 500 error.||

The module is rated easy so I'm sure I'm missing something very obvious here. Can anyone point me to the right direction? It's the last question I need to answer before CBBH haha 😄

Edit -- I figured it out. It's because of the silly little way that PHP executes code blocks..

||The 2nd method works, but you have to put your payload before any of the other functions get called (so right at the beginning)||

wow I thought I knew windows privesc... but this module has so much good content that I never knew about. ❤️ academy

hi everyone! how you doing? anyone can drop a hint about the question "What's the contents of table flag3? (Case #3)", from Running SQLMap on an HTTP Request << SQLMap Essentials?

Can anybody help on this one ? Command injection Bypassing Other Blacklisted Characters

Have you gotten to Pillaging?

was my hint not sufficient? I gave quite a bit haha

ok will try a bit more after the night shift : )))

I actually skipped ahead and read it 🙂 lol

loved it 😄

i got trashed by the final question

hehe

curious to see how you fare

I havent been doing the questions yet

I like to read the module first 🙂

yes that is good practice

im kinda surprised that it doesnt involve backing up a db and exfiltrating it

thats what i would expect pillaging to be

not what i expected out of the module - but better 🙂

I didnt know about all the other stuff u can do 😄

Pillaging for the sake of windows privilege escalation rather than Pillaging for pure data extraction

🙂 good point. Im going to go buy some more cubes after I finish this module hehe 😄

Is this a problem with pwnbox?

maybe try --fix-broken?

its already on pwnbox, use cme instead of crackmapexec

binary has different name

must use sudo with it as well i believe

I hear the paid vesion of CME has RDP spraying in it

kinda nifty 😄

when?

since the update where they added the little hacker guy background i believe

I wonder when the pwnbox will be available from parrot os's site

it says coming soon 😄

hi, did you finally manage to get the root flag ?

👍

Is this a problem on my end?

To me it looks like I am following the modules instructions

Jared I am doing this command ||127.0.0.1%0a%09${IFS}${PATH:0:1}ls /home|| om Command injection Bypassing other blackilsted Characters can you give me a hint ?

Anyone got a hint for Attacking Common Services - Hard? Trying to impersonate but it's just not working.

why do you have a space between ls /home?

that is certainly not right

any nudge on windows privesc skills assessment 2 question 2? Escalate privileges to SYSTEM and submit the contents of the flag.txt file on the Administrator Desktop

check Miscellaneous Techniques section 😉

good enough. thank you.

Jared, found a picture witch had the original command and I must say I really had no clue I had to put the ls command as the first command

If anyone available to help with password attacks - hard skill assessment. Found the password for backup.vhd file and have mounted it on a windows VM. But now im stuck doesn't appear to have anything immediately useful. Has some files that say access denied and two files which appear to be encrypted.

Hi, anyone available to provide some guidance on the Credential Hunting in Linux question? I have tried brute forcing the services, but can't find the password

Figured out Attacking Common Services - Hard that syntax was a lil rough lmao.

Hi All, not sure if this is the right channel, feel free to point me else where.

Did anyone actually start doing doing Bug Bounty Hunting after completing the path? Is it doable or did you continue improving your knowledge further?

anyone have problem with spawn a host?

hosts is downing here

Hi

Can u help me how to do first task...

@crystal widget what is the problem

I can't connect vpn

@flint agate look for 1nj3ct0r here on the channel and use the script i shared to generate your payloads. It works like a charm

@naive ravine i have 1 more module to finish the path and i'll start just after. I was busy solving the hacktheboo web challenges and i did it 💪. I think the bbh path is fair enough

Am I suppose to hack....hack the box.....for more cubes? I only have 20

Windows Privilege Escalation Skills Assessment. I managed to get webshell from vuln app but still have no clue how to turn it into a reverse shell. Could someone pls gimme me a nudge?

yo, whats'up

Reverse shell always involves having the target computer call you on a listening port.

And once it does that, you escalate privileges from there

As you do lessons and answer questions or do the mini labs you earn more

Your reverse shell can be done through something like metasploit or ftp

hey guys, can anyone help me on password attacks ?

sure what's the issue?

@vital adder hey dude?

hi

How can I play the CTFs challenges in HTB

Bcoz it's asking me to submit a flag ???

Can I DM ?

sure

How can I know my Flag name???

Help me to find out it 😥

@vital adder ???

which box?

Wait I wanna dm u

Hi, someone does have a good source to get code injection snippets please ?

Have you checked out Payload all the things ??

true, thank you

I think I have another resource, give me one sec

Let turn on my computer

that's one slow computer!

😆

Hey guys i am stuck on this question from network module: Split the network 10.200.20.0/27 into 4 subnets and submit the broadcast address of the 2nd subnet as the answer. Any ideas?

Hi, has anybody done the webshells and payload module? I'm trying to do the assessment but the browser of the machine that I access with NoMachine can't access any other website than the three designed for the assessment, which is preventing from answering a question. Has anyone faced the same problem?

the broadcast would be ||before|| the ||network address of the 3rd subnet||

really slow! https://book.hacktricks.xyz/pentesting-web/sql-injection

Hello people
Im doing the Nginx Reverse Proxy & AJP.
Im getting the following error

I have block the original server block and added modules code

is HackTheBox academy down rn? Im trying to run any of the boxes in the module im in and they wont spawn

Thank you!

Can anybody assist with the Network Enumeration with NMap, I am trying to use ||netcat on port 80|| which the section of the module is focusing on, but it won't return the flag. ||The command I was using was: nc -nv myipaddress 80||

nvm fixed it

have you used the ||nmap -A flag||

How can I use your tool ? It gives me the invalid decimal literal error because of it's name

I have not, shouldn't I be passing in ips to NMap?

Hello, I am on the Attacking Common Services modules and on the "Attacking FTP" tab. I am not able to find any open FTP ports on the spawned box, I have ran nmap -sC -sV -p- {TARGET_SERVER_IP} against the target box and I am not able to see any open FTP ports. I have tried respawning the box multiple times, same thing.

this is the console output of that command

PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 71:08:b0:c4:f3:ca:97:57:64:97:70:f9:fe:c5:0c:7b (RSA)
|   256 45:c3:b5:14:63:99:3d:9e:b3:22:51:e5:97:76:e1:50 (ECDSA)
|_  256 2e:c2:41:66:46:ef:b6:81:95:d5:aa:35:23:94:55:38 (ED25519)
53/tcp  open  domain      ISC BIND 9.16.1 (Ubuntu Linux)
| dns-nsid: 
|_  bind.version: 9.16.1-Ubuntu
139/tcp open  netbios-ssn Samba smbd 4.6.2
445/tcp open  netbios-ssn Samba smbd 4.6.2
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

bruh i must ask a question, i am wanted now, what i must do?

Its been a while since I have completed that one but let me try it

Hey guys, I need some help with the file upload attacks skills assessment. I have found read the upload.php and see where my stuff gets uploaded, figured the naming convention, but I just can't find the files. I am trying to submit a file to /contact/upload.php, with a filename="ss.png", which is successful, but when I try accessing it at ||/contact/SPOILER-REMOVED_submissions/SPOILER_ss.png|| all I get is a 404. I also tried submitting via /contact/submit.php?Name=asdf1&Email=asdf2%40admin.com&Message=asdf3&uploadFile=ss.png, but the end result is the same: 404.

Edit: solved

try ||without specifying the port||

Dynamic Port Forwarding With SSH and SOCKS tunneling - The password specified for victor doesn't work.

And i've jumped VPN packs. This is ridiculous.

Got it, ended up just using the wrong port

Anyone?

Hey in network enumeration with nmap. firewall and IDS/IPS evasion -Hard Lab i found 4 different service info. non work as the answear? im on the wrong track? 🙂 Thanks

ty

Anyone finish windows privilege escalation, the new pillaging section? I have the admin hash for the last question but it won't take it no matter what format I put it in.

Hey guys, on shells & payloads module stuck on exploiting the first host “Host-01” I see the file upload vulnerability and i just can’t seem to get the reverse shell to work. I’m setting up the .war exploit file inside of the NoMachine VM. So I should up the listener for the shell with the spawned IP for LHOST, correct? Every time I travel to the created directory with the .WAR file, no revshell is received so I have a feeling my issue is my payload.

How long should the LOGIN BRUTE FORCING - Skills Assessment take? I'm still on the first part, using seclists/names and rockyou...

skill assestment?

Yep. Have messed around with different payloads over the past few hours and can’t seem to get a shell

Hey friends --
I am a lifelong member of TryHackMe but recently got a sub to HTB Academy as I am scheduled to take the OSCP on December 8th. I just completed the "AD Enumeration & Attack" course and it is really well done. Thank you to the team at HTB for your excellent work. For those who are interested in learning AD Enumeration & Attacks, this is one of the best courses I have done (and I've done quite a few!) -- It's a perfect mix of theory and hands-on learning. I documented all my steps and notes and now I have a full AD Attack notebook that walks through the various steps and enumeration. Excellent stuff!

A special thank you to @west canopy for allowing me to bug him when I would get stuck 😄

oh nice I need to schedule my next attempt but I'll check that out first

I'm really dissappointed with the quality of teaching you get with the OSCP and their bloated PDF. HTB is a much better platform for learning and I sincerely hope the HTB certs begin to take over and get more name recognition with HR.

How the guys do you afford OSCP??

With tears

I'm 20 and broke so just wondering

A lot of company's will pay but I paid $1,500 out of pocket for 90 days of lab access to terrible infrastructure

I got so fed up with OSCP, I made a diss song. Yes. I really did.
https://youtu.be/3XULwH5NSUk

Based

Subscribed to your channel btw

im gonna recall myself that one

i thought that companies dont hire pentesters full time

if you're a student sometimes they gift lab time

My job paid for academy

it really wasn't so bad

but you get your own infra

Trust me, the OSCP lab time isn't worth it. It's really really bad. All the VMs are shared with students. They randomly get reset when you're working on them or do not work properly. The "labs" they have you do require randomly having to reset the VMs for the exploits to work.

HTB Academy, on the other hand, is top notch

so you dont have to share with the normal students who just buy time

Agreed. HTB > OSCP

I just want to get hired

Anybody have advice?

Im still college student btw

Yeah, OSCP is unfortunately the standard with HR. I started a YouTube channel as a virtual portfolio and to buld a personal brand so I can break into red team-type roles. I am not there yet though. I currently work as a senior analyst on the blue team side of things. My pay is great but I'd be willing to tkae a pay cut to move to red team or pentesting just because I find the work really interesting

If you're comfortable speaking, I think starting a YouTube channel to share what you're learning and to interview industry leaders is a great idea. I had the honor of interviewing John Hammond when I was just started. I literally just send him an email and, to my surprise, he got right back to me and was happy to sit down for a conversation.

I'm cyberesecurity club president at my school so I've been trying to publish my videos on my lectures

in fact today I am teaching about Car hakcing (reversing Can bus mostly)

Hi

sup homie

OSCP is still riding the rep from when they were the only hands on cert in the industry

John's a really nice guy, he's a local

I think this is why they did academy and the win update

that's most people's issue with ocsp

no guidance

at all lol

"tRy HaRdEr...."

lol

in some repsects they're right buuuut, this is something I paid for....

well in their defense it originally wasnt necessarily meant to be a cert where you came in and learned. It was a cert where you came in and prover you already knew what you were doing.

I agree on the YouTube idea, also get involved with your local infosec groups, DEF CON local group is a great place to start

didn't know that!

they used to be super hesitant about saying beginners could take it. It was always, "we've had beginners take it and pass, but dont expect to succeed on your first attempt if youre new"

and I'm not poopoo-ing offsec, just noting that the market has changed

I suppose at some point that changed because $$$ but the content and format never did

the academy was a great step in the right direction imho

anyone know if I'm heading in the right direction with this?

this nomachine is constantly disconnecting me, you tried uploading this on status.inlanefreight.local?

i mean your payload

wrong person I'm doing login bruteforcing

thanks tho!

thats right xd

i think you're using wrong exploit

Thanks for the feedback, I’ll check it out

sorry that nomachine is disconnecting me all the time

ignore for now that message

I feel like this list is too big....

not names.txt but rockyou lol obvs

there is a way to use exploits without crafting them

Bump

not there yet sry

also hint for the uploaded directory the first one with ||SPOILER-REMOVED is the right one||

Hi Folks, I'm working on the Password attacks module, is there a way to get crackmap to not show me every invalid input? For example I have about 2000 lines of this

nope but you can put | grep "Pwn3d!" at the end

Would something like this work then ? crackmapexec <prot> <ip> -u <list> -p <list> 2>/dev/null > answers.txt | cat answers.txt | grep "Pwn3d!"

or would that dump all the output to null?

As when I run it without the 2>/dev/null I get a ton of python errors

Bro shit is fire

🔥 🔥 🔥

I need help at the command injection assesement please

re-bump

Thanks mate i have to spend some time on networking as it is an area i am weak in 🙂

ATTACKING ENTERPRISE NETWORKS - Active Directory Compromise
Question: After obtaining Domain Admin rights, authenticate to the domain controller and submit the contents of the flag.txt file on the Administrator Desktop.
How can authentication in the domain controller?

Id like to give some feedback / complaint on the "Documentation & Reporting" academy module. Is this the right place?

erratum is for feedback

Hey guys, can someone help with the Footprinting Lab - Easy? I’ve found the ssh files from the server but not sure where to go now. I’ve tried to connect using the id_rsa file but no luck

did you have the right permissions set on the id_rsa file

That was the problem! Tnx mate

guys

i just got banned from anime souls fighter because my dumbass put a loadstring inside of a metatable

im so fucking stupid

and disappointed in myself

Did they just add more to the password attacks module? I had it completed and now I no longer do

Someone already finished cracking into hack the box path?

yup, like today even

This is unfortunate and exciting at the same time

For the Passwd, Shadow & Opasswd section on PASSWORD ATTACKS, I unshadowed the .bak files, but hashcat says it's going to take 5 hours to process. Can anyone help by verifying my root hash and hashcat command?

Can I get a hand with the footprinting lab - hard? I am struggling with the SSH, I know I have to find another credentials to login ssh and then mysql but Im stuck, I cant find it

@worn forge did u scan udp

Yes I got the first SSH credentials but this user cant login mysql,
I searched for hidden directories, but nothing interesting

theres something else in UDP?

@worn forge how did u connect to mysql

I found the Mysql history but i cant find something interesting

@worn forge what username did u use

tom

@worn forge use the password of tom to connect to the database like mysql -u tom -p

I tried to crack the tom's password with ssh2john but still dont know what is the tom's pw

@worn forge what u got the password when u used snmp

I got a private key but no password

@worn forge dm me

Hello everyone! Please help me pass the module (https://academy .hackthebox.com/module/110/section/1054)
Task #1 Use Burp Intruder to search for '.html' files in the /admin directory to find the file containing the flag.
I was able to find the directory "/admin 200 OK" using Burp and ZAP. What should I do next? How do I get the flag?

Thank you! I can find the file now. Didn't notice the digits..

The php docs has a very similar example, but it's capital Y and returns all the digits of the year

Hi

I'm trying to do 'Automated Scanning' part of File Inclusion, I'm at the part where I'm supposed to use ffuf to fuzz the parameter, can someone explain to me, what do I gain from this information shown here, the module does not explain at all, what am I supposed to be looking at? :

like what does this sentence mean, how do I get this information from the ffuf output?

Be mindful of the wordlist you are using. We can't see what it is from the picture. Your command looks alright except for the -fs 2287 (which you shouldn't copy from the lesson, but figure it out on the web app) and for the wordlist

Seems pretty clear to me. Identifying an unlinked parameter is similar to directory bruteforcing. As in, if it's not appearing anywhere, it doesn't mean it doesn't exist

I'm working on the footprinting module. Domain information section.

I'm connected via the VPN and I'm running the same commands they are but I am getting drastically different outputs.

This is what they get.

What I am getting.

@hazy grotto and ip address

Are you saying I am suppose to supply a IP address? The module didn't give one and they also didn't use one in there command

Thank you for responding btw

@hazy grotto like dig ns inlanefreight.com @rustic sage address

OK. I understand that now. My next question is why didn't the module need an ip address in their command to get those results? I'm thinking if you run the same command as them. You should get the same results? Or am I missing something?

@hazy grotto because it is not a vhost

Thanks buddy

No p

Got it thanks!

Any help with: File Inclusion last assignment before Skills Assessment:

I don't have permission to write in the php.ini file or place a php file in the /var/www/html/

@tough ibex how do u do pass the hash when doing reverse shell

If only there was a linux command to run something as root.. Spoiler: ||sudo||

I got a question, when multi encoded, how do you know which decoder to use ?

you do test randomly ?

What do you mean? If you can guess the encoding, just reverse it. Otherwise, you can try randomly or maybe use some online tools to help

It's multi encoded so How I know which encoding it is ? to use decoder

What's the string? Is it from some module?

yes it is

VTJ4U1VrNUZjRlZXVkVKTFZrWkdOVk5zVW10aFZYQlZWRmh3UzFaR2NITlRiRkphWld0d1ZWUllaRXRXUm10M1UyeFNUbVZGY0ZWWGJYaExWa1V3ZVZOc1VsZGlWWEJWVjIxNFMxWkZNVFJUYkZKaFlrVndWVmR0YUV0V1JUQjNVMnhTYTJGM1BUMD0=

I just want to know if tools exist to detect the encoding, so I can know which encoder to use, I already found for this one

but it took me some times

That's b64

you know it because of = at the end ?

There are tools for encoding but they mostly don't work

You can check the size of the string, if it's a multiple of 4 that's probably b64

@lyric quiver use cyber chef

There probably is, but I can't think of any from the top of my head. Try using cyberchef if you want to see some decodings. Also, knowing encodings usually comes with experience. For example, that's b64, and the string that comes after decoding b64 is ||url encoded||.

If it is not a multiple of 4 then it's something else

I got the flag, it's ok you're not spoiling me 😉

nice tips ty

Essentially, yes. But it doesn't have to end in = to be a valid bas64 string. For example YWIK is also valid base64

so we just try randomly

You get used to encodings

It's not really random, you can usually tell the encoding just by looking at it

They are relatively easy to tell apart

And they all have specific RFCs

So it's absolutely not random

yes but on challenge

they are pretty random

You get used to it.

I can now read basically anything that is ascii but encoded

Be it hex or base 10 or whatever

Protip, have the ascii table on hand when dealing with strings

And cyberchef to switch encodings easily

Ok, ty for your messages and help guys 🙂

I'll keep going 😄

hmmm

hi

hi

i have some problem with my code where should i share

is it here?

Found out this tools ! https://github.com/Ciphey/Ciphey

Pretty cool, didn't know about it. I'll check it out next time I deal with encodings. For manual stuff you could also try https://gchq.github.io/CyberChef/ as it also allows you to encode

ty

For the module Command Injections - Advanced Command Obfuscation, is there a way to bypass | and ;? I tried it the tr way: ||$(tr%09'!-}'%09'"-~'<<<:)||, but it doesn't seem to work. On my machine it works fine with both tabs and spaces, but the output is blank whenever I try it on the victim

I have solved the question using another method, just wondering about this

hi. need some help with Linux Local Privilege Escalation - Skills Assessment, how to get the tomcat manager password?

the encoding and decoding in Burp isnt bad...i was a bit confused when i used cyber chef

Hey I need help with the footprinting module section IPMI. For the question what is the account's cleartext password ?

I've been trying to change the ||PASS_FILE for the file rockyou.txt || and when I try to run the || metasploit module ipmi_dumpashes it says The following options failed to validate: PASS_FILE||

If someone can dm me it would be really appreciated

check log files|| in /etc/tomcat9 ||

Guys

Is there a major difference between using burp intruder and wfuzz?

having way too much struggles with https://academy.hackthebox.com/module/112/section/1069, last question: What is the FQDN of the host where the last octet ends with "x.x.x.203"? Anyone around to offer a tip?

I know with ffuf you can emulate the different fuzz types (clusterbomb, sniper, etc.), not sure with wfuzz

nvm i got it... of course, apparently i missed trying one thing, and just had to go back through everything and make sure i checked all the boxes

still having some issues with the login bruteforcing skill assessments

taking too long, I must be using the wrong lists

could someone at least just confirm that I shouldn't be using rockyou for this?

lol

for the new password attack stuff, "pass the ticket from linux" section.. i'm root and i've tried to import Julio's ticket to access SMB but for both tickets I get an error.. the output of "klist" looks like it does in the example though 😕 solved after checking (||cron||) but dont think it was intended route

I need help I am trying to run pdf document file in my kali linux but it is not working it claims the pdf file is not supported and how can I move my pdf file from linux to windows 10

Currently doing the "Getting Started" module, specifically the "Service Scanning" section. Under the "SMB" part, the command nmap --script smb-os-discovery.nse -p445 x.x.x.x is ran against the target machine with the following output:

Nmap scan report for doctors.htb (x.x.x.x)
Host is up (0.022s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: CEO-PC
|   NetBIOS computer name: CEO-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2020-12-27T00:59:46+00:00

Nmap done: 1 IP address (1 host up) scanned in 2.71 seconds```

The only problem is that when I run the command against the target machine, there is no "Host script results" section. Any advice?

what command are you running and what output are you getting

Anyone else having problems with the using web proxies module, specifically the burp intruder part? For the love of god it just doesn't want to find the 200 OK and it's painfully slow

can't even ping the ip so idk if it even has an established connection

I am running nmap --script smb-os-discovery.nse -p445 10.129.83.70 and only get the following output:

Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-26 14:42 EDT
Nmap scan report for 10.129.83.70
Host is up (0.041s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 0.75 seconds

what do you get if you run it with verbose as well -v

i would just run nmap -A against that port. Seems to return more banners than -sC -sV

I was just getting ready to mention that the very next command in that module puts out similar results

Either I am doing something very wrong or this module is broken atm

I need some help with Skills Assessment - File Upload Attacks. I understand that I'm supposed to try to read the uploads.php file to see where the uploaded files are going, probably with ||xxe || but I don't understand how I can trigger the ||xxe|| if none of the images I upload ever get displayed...

Did you add .html to intruder, after the payload? You can add it as a suffix, or directly into the line of the Get request

affirmative

GET /admin/§§.html HTTP/1.1

I think the correct payload is really far along in that "common" list

Yeah I'm using the same SecLists common.txt

as presented in the module

but something in my mind is telling me that something is off because it's literally taking hours (1 request per second)

and I can't even ping the presented ip

Yea, the servers are always acting wacky, I would regenerate the ip and try again. If it's 1 request per second then it should find it within 3 minutes

I don't think that works

I have another question regarding my module, namely the SMB share enumeration. The command includes 4 backslashes before the IP of the machine, is there a reason for this?

what happens when the link is clicked?

what happens when the link is clicked

nothing I didn't click it but it's hosted on 192.168.xxx.xxx

thats like your home network

ik that

bruh that's a private IP address range

no

its a virtual machine

....

on a vpn network

yes

I know

it would work probably on your own network

but it doesnt work over the internet

lmao some people

ok

lookup what the private ip address ranges are

cause youre lack of fundementals are showing and embarrassing yourself

ok

(s)he/they/them will learn

lmao

im quite new

Go over the fundamental modules in htb academy to get some understanding

ok

my recommendation would be if youre new to tread carefully and learn to ask good questions

is there a way to get the link to work on diffenent networks

and pls dont dos me

lmao

and dont try to test things you dont understand to random strangers

ok

thx

you would need to port forward your public IP to the server youre hosting

im just glad someone with good intentions saw it

ok

theres nothing anyone could do, its was a private ip address

ok

thx

bye

its like if I said guess what I know your local ip, 127.0.0.1 ooh scary

I answered my own question, those backslashes aren't needed

ok

Humm can you send me screenshots of your intruder setup? You can't ping server, that's normal, neither can I

Sure

@lethal atlas thanks for the last push. Also thanks @vital adder . https://academy.hackthebox.com/achievement/433014/path/17

Looks good to me, I found it using that, the regex filter you used makes it even faster

Actually your regex is different from mine, I used the one they mention in the guide.

In the “Grep - Match” screen of Burp, you should try disabling the “Exclude HTTP headers” (check it) as what you are probably looking for is in the header.

No, sorry. Looked back at my notes. That's not right either. Sorry.

I used the same one

Idk I think that this part of the module is broken

theres no reason why zap fuzzer wouldn't work on the burp part,right?

interesting, i am at the module file inclusion, and there when i do the ../../../../..etc/passwd, than my antivurs pops up with the message: Attention intrusion prevented

why? did I not try to read the webpage /etc/passwd file?

You can try FFUF as well. I honestly think you should just keep regenerating the IP address of the server. I find they get corrupted often, sometimes a few in a row

With FFUF, this is my command : ffuf -request "burp file" -w commons.txt:FUZZ -request-proto http -x http://127.0.0.1:8080

To get the burp file, send the request to repeater, then right click on it and do copy to file. You have to do that from repeater window

Thanks

No problem, I tend to use FFUF whenever intruder is involved because I can't stand that 1 request per second nonsense

Yeah it's quite dumb

but hey they gotta make money somehow I guess

If it's any use, this is what burp file looks like

Update, for anyone having the same problem as I had with the burp scanner in this module

Just use pwnbox for this task

something is wrong with the server

pwnbox fixes that

so in the first images you are basically fuzzing /admin/(stuff from the wordlist).html but i can see thing like .bash_history in you wordlist so basically your burp are trying to access /admin/.bash_history.html and so on with the other stuff

Yeah but there was something wrong with the server because I applied the same options in pwnbox and got different results

Same page (won't say which one) returned 400 on my machine and 200 on pwnbox

multiple times

all with the same settings

hint for the ||xxe|| ||(in burp)|| and for the source it isn't named ||uploads.php||

so on your machine you get 400 (Bad Request) which you should because you can't request (.bash_history.html) but on the pwnbox it's fine?

oh wait i think i did the same thing

It 400s every request meanwhile on pwnbox I got a bunch of 400s and a 200 in the first 30 seconds

i'm using bitdefender and sometime when i try to access passwd from a target machine it block me it didn't in that module so yes it is interesting

Theres something fishy with the server definitely

yep the target some time bug out like that

just restart the target a few time and you should be good (i think)

spent like 5 hours waiting for burp to go through 4000+ requests

if some thing take that long i would just use other tool

Should've went straight for the pwnbox

I'm working on Server-Side Attacks. Section SSTI Exploitation Example 1.

The message in the flag made me smile. Shout out to the maker

Could someone point me in the right direction? I'm doing Password attacks and I used the custom ruleset they provide with their password list and made a new password list for hydra. But im 6000 tries in and I still havent gotten in xD

in the "network services" section?

Section after

Password Mutations

delete the first 17000 from the list then start it again

been stuck on network enum with nmap medium firewall evasion if somebody can help point me in the right direction

Which flags are u using?

sudo nmap 10.129.2.28 -p 21,22,25 -sS -Pn -n --disable-arp-ping --packet-trace

like the reg kind of ones it shows in firewall and ids/ips evasion

i did nc -s 10.129.2.48 -v 8.8.8.8 53 as well but cant find the dns v ;-;\

pls help

Try some of the evasion techniques listed

trick question and realize part of the section name is called DEFAULT passwords

i keep seeing port 53/tcp filtered domain no response

this time sudo nmap ip -Pn --script=dns-zone-transfer -p 53

do i need to use netcat for anything in this part? im not as used to nc yet

part of me thinks i have to use the nmap evasion technique scans while listening w nc but maybe im on wrong track :((

yeah you're just not using the right suggestions from the module

read over it closer again

and try to understand why one thing would be useful in one context or the other

okay

i did it!!!!!!!

:D!!

woohoo!

thank you all!

Any of you guys do the smb course in the pen test certification path?

In footprint?

Footprinting***

Hii

Remember what they said about forgetting something else?

Oh you got it nvm

I am new

I have no PC

I use Termux in android smartphone

hello

Can someone help me please I'm new and I speak Spanish

I don't know Spanish

I'm trying to get help but they're just bsing about the details of soc analysis

what are you stuck on

congrats

I'm stuck on footprinting

The smb part

"find additional info about the specific share we found previously and submit the customized version of that specific share as the answer"

I figured it referred to editing smb.conf but that didn't seem to have the same results as the course, but maybe it wasn't the right one

And the share we found was samba share

I dont have notes written down for that let me see if I can solve it real quick

Right on

It's like the second one from the bottom. Tore the other ones up pretty easily.

Yeah I dont remember spending long on smb

aka why I dont have notes

@pastel ginkgo From the beginning

When did Ryan Reynolds ever have a moustache?

aha ha

found it

Was i right about the. Conf?

|| Try using one of the tools listed on the page, you might need to use git to clone it ||

I'll give that a go. I think i know what you're talking about

Got it

Thanks

so im working on some of the new conttent in the password attacks module section Pass the hash question is "Connect via RDP and use Mimikatz located in c:\tools to extract the hashes presented in the current session. What is the NTLM/RC4 hash of David's account?" any one more familiar with using mimikatz know what commands need to be used? Not much explanation in the module its self on how to use mimikatz.

FTP How did you do this?

Can you help with this?

They talked about types of ftp

And a certain type of ftp has a certain default password

Nmap lets you know during the scan if it is such an ftp

nice

when you download it. Where does it go again?

wait i think i got it thanks buddy

Not a problem

just as I was about to complete the passwords attack module they add more stuff to it.

Can someone help me with this? " Edit the php.ini file to block system(), then try to execute PHP Code that uses system."
I'm not a programmer and don't really know how to write up a php script to do this. I'm pretty sure I managed the block system part, but it's the testing it that I can't do

Can you share the link of module, i can definitely help you

https://academy.hackthebox.com/module/23/section/622

I created a php file with this code and ran it with php command and it seems to have executed successfully even though I blocked system function in php.ini
||<?php
$variable = system("cat /home/maxor/test.txt");
echo $variable;
?>||

https://www.cyberciti.biz/faq/linux-unix-apache-lighttpd-phpini-disable-functions/

If its running system command then probably you havent configured ini file correctly

I followed that guide, maybe I'm missing something

Just do it again and tell where you stuck

That's my php.ini

Can we talk in dm?

Sure, no problem

Wait, I figured it out, needed to ||run a webshell and use curl||

hi im at the shell&payload module anatomy of shell, i found the second answer but the first one still kinda stuck. how can i find the answer?

someone can help me with this question https://academy.hackthebox.com/module/67/section/603

WINDOWS PRIVILEGE ESCALATION

Module: WINDOWS PRIVILEGE ESCALATION

Section: DnsAdmins

Question: Leverage membership in the DnsAdmins group to escalate privileges. Submit the contents of the flag located at c:\Users\Administrator\Desktop\DnsAdmins\flag.txt

Problem: I got a association to DNSAdmins Group but i can't get the flag.

Attempts: send DLL, got inside DNSAdmins group with netadm, used "sc.exe start dns" "sc stop dns" "sc query dns", still got ERROR: Access is denied to reg query or type c:\Users\Administrator\Desktop\DnsAdmins\flag.txt

@tranquil carbon

got it! wtf this section, everything goes wrong, i got a reverse shell easy with this method: https://medium.com/@parvezahmad90/windows-privilege-escalation-dns-admin-to-nt-authority-system-step-by-step-945fe2a094dc

instead use smbserver.py use python server to transfer the dll

admins need to make this section better, i saw a lot of peoples stuck in this section here

@blissful verge

Usually whatever they ask you to do was covered in the module.

can anyone help with file transfer in AD Enumeration & Attacks - Skills Assessment Part II onto SQL01

Not there yet unfortunately

Can I get a hint for the command injection - skills assessment? I can't figure which parameter is vulnerable.

Greetings everyone !
I am currently working on Pivoting, Tunneling, and Port Forwarding - Skill assessment

I fail to find the third host to pivot to I found the credentials of a new users

Can someone help me ?

I tried :

Ping sweep from bin metrepeter shell
Ping sweep powershell & cmd
Zenmap ping sweep

i recommend a gui tool call wnetwatcher

Hi, I'm stuck on the last question skills assessment in Documenting and reporting. I see that the svc_rep does not belong to any group?

yeah i think the even admin or mod know about the issue in this module or something i did saw someone mention it also i end up making the dll payload run a another meterpreter rev shell

@vital adder Can I dm you ? The tool didn't find something new

sure

got it.. just mistyping

Asking for help: Module "Active Directory enum and attacking - Credential Enumeration - from windows"

When connecting to the windows box from the attackbox, the RDP connection stays for about 1 min and kicks me off. Is there a way to stop this and make it stable to use?

After connecting and using the system for 1 min, I get kicked with failed to connect messages.

Randomly comes back up and isn't usable (no clicks register etc)

a min later and back to

Have tried xfreerdp and remmina

FIX: change connection quality to Medium from Poor (connection is now stable)

Tell a lie back to old tricks!!! grr

Is there any support for these paid modules at all??

best lesson ever

Have you opened a ticket and raised the issue with support?
If not I suggest you try that option, HTB staff doesn't officially do support from the discord, they have a dedicated support platform.

Yes sorry I didn't see this option until i read the FAQ, Spoke to Stefan who helped me resolve.

If anyone else gets similar, Change your VPN settings to TCP if on UDP for a better connection.

Seems a lot more stable now and I can run SharpHound.

Thanks for replying @languid dawn

No problem, happy to see it resolved and thank you for sharing how, that's not something everyone does 😄

No problems at all, Have an awesome day ahead too! (thanks again all)

Did you get it? Can you provide any more hints? I've found where to attack (ac**.php) and the errors returned is 400 but I'm stuck. Thx

Thank you mate. Solved!

Could you also help me with this #modules message, I'm not sure I understand how to bypass | and ; if they're not allowed and I had to circumvent their use

hint ||base64||

Yep, that's what I ended up doing. Thought there was another way to escape it without ||encoding to base64||

Can I have some help ?

Module: Footprinting

Section: Footprinting Lab - Easy

Question: Enumerate the server carefully and find the flag.txt file. Submit the contents of this file as the answer.

Problem: I can't connect to ftp

Attempts: I did a nmap scan and found 2 ftp port open 21 and 2121. I tried to connect to both of these with the credentials given in hint and it take an eternity to load to finally say 530 Login incorrect

Hi, I'm trying to complete the shells and payload live assessment thing (on NoMachine). I'm at the last question but I'm having some trouble, as eternablue through metasploit keeps failing to give me a shell. I've also tried uploading a .aspx shell directly through the website and have only suceeded once (other times it gets deleted or smth despite having removed all comments in the shell code) and even then that didn't give me enough privilege to read the flag. I'm kind ok stuck now, anybody could help?

the eternablue exploit on nomachine only work like half of the time for me so if that doesn't work try auxiliary/admin/smb/ms17_010_command and for the command you can just set it to read the flag at the administrator user desktop but ||the flag isn't named flag.txt||

i think you need to restart your target machine but hint only of your ||attempts is right||

I already restarted the target machine 2 times and I've been trying on my personnal vm and the htb vm

god damn man I cannot thank you enough for this

i just try, with the given cred it work just fine for me on the pwnbox

I've just reset pwnbox it was way faster but I still have the same problem with the credential. I'm not sure to understand what you mean by your first message

dm me

Hello everyone, wondering if I could get some guidance. Thank you.

Module: PASSWORD ATTACKS

Section: Passwd, Shadow & Opasswd

Question: Examine the target using the credentials from the user Will and find out the password of the "root" user. Then, submit the password as the answer.

Problem: I can't crack the root hash

Attempts: unshadowed both .bak files (tried more than once from own VM and pwnbox ), used hashcat with the 1800 hash mode on the unshadowed file and also just the root hash.

@spark vector try using the mutated password.list as wordlist

I have a problem using xfreerdp :
xfreerdp /v:10.129.159.254 /u:.\Administrator /p:AnotherC0mpl3xP4$$
Can someone tell me what im doing wrong? I can't see the fault :/

I'll try that. Thank you!

Module name: Introduction to Bash Scripting

Section name: control flow - loops

I’m stuck at Control flow - loops.
My for loop:
for i in {1…28}
do
var=$(echo $var | base64 -w 0)
if [[ $i -eq 28 ]]
then
salt=$(echo -n $var | wc -c) #also used without -n and echo ${#var}, same result
fi
done

Result:
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
bad decrypt
140511816897856:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:…/crypto/evp/evp_enc.c:610:

I used pwnbox.
Can anyone help me please?

I’m having an issue logging in on the IMAP footprint module I know the commands for imap but when I login through OpenSSL but the Robin creds aren’t working for me. What am I doing wrong?

Did you try Administrator instead of .\Administrator?

yes 😦

Disregard , sorry. What module/question is this for?

Like this?

Solution: xfreerdp /v:10.129.159.254 /u:.\Administrator /p:'AnotherC0mpl3xP4$$'

That was my next suggestion, haha

i tried with double

hi lxuxer

Anyone here I can DM about "AD Enumeration & Attacks - Skills Assessment Part II"? 🙂

i read the error message you could use two thing , first (try not to exceed the performance ,this is not good for hashcat) ,second (try to make file call [wddm_timeout_patch.reg] then Run this registry file as Administrator and reboot

#Module: SHELLS & PAYLOADS
#Sections: Anatomy of a Shell
#Question: Which two shell languages did we experiment with in this section? (Format: shellname&shellname)

#Problem: cannot find the shell name
#Attempts: use ps, env

Can anyone helped with a ssh issue of mine? I've obtained a ssh private key however I am not sure what to do or how to properly add it the the ssh config files in order to allow me to login to the target machine via ssh.

@wide river Are you entering the answer in the correct format?

@wide river did u try powershell

i also use $0 and it return bin/bash

@wide river did u write bash&powershell

WHAT THE !!!!!

i only know it is bash but the other one idk, thank you so much

The basics are that the public key (called id_rsa.pub usually) is added to the authorized_keys (usually in /home/USER/.ssh/authorized_keys), and you log in with the corresponding private key as ssh USER@HOST -i id_rsa

Thank you!

Footprinting, DNS. Last question, "what is the fqdn of the host where the last octet ends with 203?" I tried every word list in discovery/DNS/ and i haven't found any such DNS

idr for that module specifically but have you checked for zone transfers?

There was a separate question for zone transfers. What do you mean specifically though?

How do you get image posting privileges? I could post screenshots

Oh NVM

One sec

And the hint...

if you can pull a zone transfer its worth also trying zone transfers on the various subdomains as well.

oh that one

I see

yeah iirc now theres a specific but common wordlist you want to use for that

iirc its a fiercer wordlist than others

There's the one they used in the example, and there's 2 more like it, 5 and 20k but they didn't pull more

I'll try that one again

At least i think i used that one

its also been a couple weeks so I could be jumbling some of the module questions in my head

The struggle is real

I know for certain that wordlist is used for one of the dns related early module questions, and I think its the one youre on, but I could be misremembering

I'll try that transfer thing too

@marsh ocean Theres a certain wordlist you need to use, a fierce one

yeah I think they got that hint. But confirmation its the question I was thinking of is good.

if your tool doesnt find it with that wordlist, try a different tool. Good practice anyways

equally popular doesnt always mean equally effective. I remember one of the first security tools I wrote was a ftp bruteforcer because I was mad in the early 2010s that medusa kept missing the correct password in my tests.

#Module: Attacking Common Services
#Sections: Attacking SQL Databases
#Authentication required: Authenticate to (IP) with user "htbdbuser" and password "MSSQLAccess01!"
#Question: What is the password for the "mssqlsvc" user?

#Problem: Cannot download sqsh on parrot OS which is needed to connect to MSSQL servers from linux. However I have used mssqlclient.py however login attempts are throwing and error. One error with windows auth enabled is non trusted domain. Another is a simple login failure.

did you try mssqlclient with -windows-auth? also this sounds like a post for the erratum channel

alright, i give... I'm in DNS footprinting. Main domain and 1 subdomain allow for Zone Transfers, nothing else.

Looking for a particular host that's not listed in either, but also doesn't have a hostname included in most wordlists?

sounds like you could be on the same q as nosferotica

Ah sorry, was not aware of that channel. I will post it there. And forgive me if my post wasn't clear, I have tried the flag -windows-auth but it gives me the following output:

sudo python3 mssqlclient.py htbduser@10.129.203.12 -windows-auth

Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

Password:
[*] Encryption required, switching to TLS
[-] ERROR(WIN-02\SQLEXPRESS): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.

ah gotcha

I remember mssqlclient working for me on that one, but had to fiddle with the options

I've tried using the fierce list internally. nothing hits for me.

dnsenum gets refused. not sure why

have you also tried it against some of the already discovered subdomains as well? I remember at least one question like that

already discovered meaning the external ones?

or "on the inside"?

pretty sure everything that's internal are just hosts

yeah but the dns server doesnt know that

hi, im currently on attacking sql. I managed to get cred for mssqlvc user. But Im stuck, I would aprreciate a hint, thanks

Can I get a helpful nudge with this? I'm at the questions for module 77, section 859 and I'm nearly done with it. But I'm at the bit I need to work on- privilege escalation. I've managed to dig around the target ip and I think I know what I need to do, I'm just not sure how.

||I know it has to do with php, but I don't have access to write, so using tee to add in the reverse shell onto it isn't an option. linPEAs shows two vulnerabilities, but both require sessions for the options in metasploit and I haven't learned anything about that yet. I could look it up, but one would think that with a knowledge check, the answers can be obtained with what's covered in the module. ||

Hello everyone, I'm currently doing the skill assessment for STACK-BASED BUFFER OVERFLOWS ON LINUX X86. Only problem, every time I try to connect to the target in SSH (from pwnbox) the SSH connection crashes after I issue a command such as GDB. I reseted the target numerous time but it keeps happening. Am I the problem or is it the target ?

hot off the presses, excellent new module written by @dense ferry ... check it out!

why did no one tell me about this????

sorry for my late response, was working between ;)!
but why...? i do read the file from the webpage...what has that to do with my home network who the firewall wants to protect?

can somebody tell me what to do in the shells and payload assesment? Im so confused by the no machine thing and all that.

Dropping knowledge bombs on us! Looking forward to this one for sure.

still struggling with this one. Gonna give it another half hour before taking a break

same dude, same

can I ask how you authenticated to the MSSQL server?

hi

@iron basin use mssqlclient

I am, however I get login errors.

https://discordapp.com/channels/473760315293696010/774040263278592041/1035256558344478780 Getting these errors.

@iron basin what command are u using

Well, what's module 77 section 859?

ok now it worked...

never mind

@placid quest remove -windows-auth

it's the knowledge check for the getting started module

Ahh... One sec

I'll try it again, however i threw an error last time when I tried without -windows-auth. Ill report back if its successful or gives and error.

Ok, what i did here is actually run it through metasploit

I've got two vulnerabilities via linPEAs, but one is a dead end because it requires software that isn't installed on the target machine and the other requires a session for one of the options and I wasn't sure on how to set that up. Could google it, but then I figured the answer, or one of them, would require stuff learned in the module itself

If you do the reverse shell, you just need to make sure... I think it's linenum.shll, it has to be in the directory you're in when you run PHP and execute the reverse shell

Ok, are you doing the nibbles part or are you actually doing the knowledge check part

?

knowledge check

Ok, what i did there was metasploit

If you do the php thing, you're exploiting the plugin by uploading the code, triggering the reverse shell, and you're actually uploading that missing software with ftp

so what do I put then for the sessions option for metasploit?

Fall back to: Nibbles - Alternate User Method - Metasploit

what I'm saying is when I show options to set them for the two exploits, they both have SESSION yes The session to run this module on

@placid quest I got it to work. I believe that my issue previously was I didn't realize till examining my command closely that I put the user as htbduser and not htbdbuser, so when I tried to authenticate without adding the -windows-auth flag I still got a login error. I thought this was due to me misusing mssqlclient.py or some other issue. Sometimes its the smallest error on the users parts lol...

unless there are other exploits to find, but searching php brings up 500 options.

It should say file upload exploit or something. I pointed you toward the walkthrough

In the example it was 0, but it might be 1

that's for nibbleblogs though, not this one. I don't think that would work if this target isn't using nibbleblogs

The knowledge check in getting started... Does it say this?

no, but enumeration of the target ip shows it's using gettingstarted, not nibbleblogs

Crap, i meant to edit it

"spawn the target, gain a foothold..."

which I've done

Now you need to get user. Txt

it's escalating to root that's my weak spot lol

the first question I've already completed

Yes it is php

Um...

You do a user LS thing, and you enter it into the command line

One sec

right, which I can't figure out how to exploit. I don't have write privileges and the two exploits from running linPEAS seem to be a dead end unless I wanna look up how to work with the sessions option for metasploit. I could do, but would rather figure this out with the knowledge given in the module.

I've got you, one moment

They mentioned a website in the lesson, I'm trying to find it

I think it's GTFO bins

You search php ok think

I think***

And you'll find a code you can use

@wind egret what is the problem

is the base summary of the issue

That's what I did

ah, completely forgot about this site. Lemme try that

You'll find out. I found the one i used, you'll know it when you see it

need to reset the connections, didn't realize how long I've been at this lol

Lol been there plenty of times

annnnnnd finally completed. Tyvm for the hints

Not a problem

Glad i could help

Hi

yea, i might use another way to login thanks

Shells & Payloads - Live Engagement - Any pointers as to why I’m unable to land a shell using the .war file upload for the first host (Host-01). I create the JSP reverse shell payload with msfevon, but i may be setting the LHOST incorrectly. The LHOST should be the foothold IP (spawned IP), right? So i setup the payload and upload it to Tomcat manager. I set up with listener with the foothold (Inside VM). When I navigate to the upload directory, no shell is received. I have tried various payloads and I feel like I’m so close but missing something simple, I use ifconfig on the foothold machine to grab IP and I’m setting that as LHOST in the payload but having no success.

You went in a totally different direction compared to how I attacked that machine. Heres my hint to how I did it, || Try attacking via your web browser, there should be some pages on how up upload stuff to sites. ||

also make sure your Lhost points to your machine aka check your vpn tunnel

if your going down that route

Thanks for the tips. I’ll give that a shot

Trying to figure out how you would figure out the path to a sambashare. I know the answer because I did this module without taking notes and now I'm going through it trying to "relive the experience."

smbclient -N -L //10.129.202.5

Sharename       Type      Comment
---------       ----      -------
print$          Disk      Printer Drivers
sambashare      Disk      InFreight SMB v3.1
IPC$            IPC       IPC Service (InlaneFreight SMB server (Samba, Ubuntu))

Reconnecting with SMB1 for workgroup listing.
smbXcli_negprot_smb1_done: No compatible protocol selected by server.
protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSE
Unable to connect with SMB1 -- no workgroup available

Can someone give me the exact curl command to run for "File Inclusion - Skills Assessment"? I'm done playing around with trying to ||poison the log with an agent header.|| Every time I go and inspect the log at ||ilf_admin/index.php?log=../../../../../var/log/nginx/access.log|| it just shows me the same annoying characters: "-" ""

OK Massive HINT. ||You need to use one of the "Notes" in the PHP Wrappers section to do this. Don't only rely on the log poisoning section.||

Hola

Hola

I need help for hakear Facebook

I’m pretty sure there is a tool to send multiple get requests and find out the correct path

Wrong channel m8

Wrong discord group

Quien abla español

@woeful oxide I am in the correct

You speak Spanish

No one is going to help to do some ilegal activity

Hey guys, for some reason I just finished the intro module and it won't let me purchase any of the other teir 0 ones

is there something else I need to do?

Hi, how many cubes you have? Have you purchased other modules before?

Hey guys, I'm stuck in "Print Operators" from "Windows Privilege Escalation/Windows Group Privileges"
I'm following the instructions but Capcom.sys driver is not loading

Furthermore, I have this message when lauching EnableSeLoadPrivilege.exe, which is different from the training material 😅

Any help would be appreciated 🙏

did you run cmd as administrator?

hello all.

Why this?

Its a GIF8 shell.php file that i have successfully uploaded but i get that error......

I've launched cmd as administrator but when seeing UAC, I thought I couldn't access it, without even trying credentials...
Thanks for your help 🙏

Currently doing Three (still in starters) where you should try to find a subdomain. Now, I tried with gobuster vhost, ffuf changing the host,... but for some reason this fails. Even created my own wordlist with all two letter/digit combinations before I took a small look at the walkthrough and noticed that the subdomain was in my list.

So I started testing further and for some reason nor gobusternor ffuf correctly gives me the result that was needed while a simple curl does.

Ah, I can't create a thread here. But what I wanted to show was the result of both things without spoiling. I even made a wordlist purely with the word needed but it still gives no results with gobuster 😕

So not sure what I am doing wrong with gobuster/ffuf here that works fine with curl

Scratch that, with gobuster I got it working with the new --append-domain

Interested to know if anybody was able to use the metasploit joomla_bruteforce_login module for the Joomla - Discovery & Enumeration section. Even knowing the correct password (and setting the vhost) option in MSF I wasn't able to get it working

check gobuster version if you are using 3.2.0 it's been updated with a new option oh you found it already 😄

module Password Attack. in the medium lab, to find Mr. D’s password, is it another one of using the mut list and waiting 4 hours?

😔

hint for that user nope

I found pass Mr. J, but for D, nothing

tom help me :/

yep and hint ||you have to use user J to find userD||

sure what's the issue

Passwords Attacks - Pass The Ticket - last question

oh i haven't done the new thing in that module yet

f

i dont know why i cant import that keytab

I already have user D, but I need his password. And then hydra + ssh + mut.list , right?

wydm by "I already have user D,"? also no hint ||you can't brute force||

I've searched everywhere for files and can't find anything, I can only think of brute force.

hint it isn't in a "file"

I think not

lxuxer have u completed Passwords Attacks - Pass The Ticket ?

@echo zenith

nop

._.

I want to finish the lab medium first

@echo zenith shoot me a dm if you still need help with the medium lab

Thank you. Save me another day

hello i am currently studying in class 12th in india right now if there any indian here who will kindly help me with my future study planing about my ethical hacking course. or which stream to choose after 12th class btw i have chosen bio group beacuse of my insufficient knowledge about computer science. please kindly help me. I'm planning to take BSC course after 12th class. please help me. thank you so much.

i'm not from india or about to take the BSC course so i can't help you with any of that but if you want to learn more about ethical hacking or just computer science in general check this video to see which foundation skill do you need https://www.youtube.com/watch?v=lhz0-qAQlBM

thank you so much for video🥹

Hi currently solving Information Gathering - Web - Skills Assessment, searched the forums and discord chat for the hints of the last question ( Perform active subdomain enumeration against the target githubapp.com. Which subdomain has the word 'triage' in the name? ). Found one domain with triage in it but doesn't seem to be the answer. Am I missing something? ( PS I found the domain through results from https://subdomainfinder.c99.nl/ )

so the question have been changed and i answer that question before it was changed to now i'm stuck with the old answer so i can't confirm your subdomain but that is the right tool try refresh the page or even a hard refresh to see if that work

/hi, have you discovered anything apart the known dnsenum --dnsserver <ip> --enum -p 0 -s 0 -o found_subdomains.txt -f /usr/SecLists/Discovery/DNS/fierce-hostlist.txt ns.inlanefreight.htb
it gave:app.inlanefreight.htb. 604800 IN A 10.129.18.15
ns.inlanefreight.htb. 604800 IN A 127.0.0.1

randomly worked with the same answer I was trying for the last hour. Thank you.

yea sometime htb page have i bug if you keep it open for too long (at least for me)

hint for that secion you need to run dnsenum on a ||subdomain|| but ||it isn't the one you are trying||

thanks a lot!!!

its the app one???

or internal?

just run the tool i can't tell you that far

may I ask you only if the ip is just the target ip?

this is what i read in the forum

i think so

thanks a lot,Mrtom

Can anyone provide some help with the module Attacking Common Services - Attacking SQL Databases? Currently able to connect utilizing impacket mssqlclient.py to the SQL server, however I am unable to execute any commands. I tried to use enable_xp_cmdshell however I was not able to run it due to denied permissions.

@iron basin use another user

@placid quest Yeah, trying to figure out how to execute the proper commands to use the impersonate functionality. Just not able to get any commands to work.

@iron basin use responder to get the password of another user

Shells&Payloads - Live Engagement - Essentially my question for the first Windows server we are attempting to get a shell on, do we start the listener on the foothold (spawned IP (NoMachine)that we remote into) or do we start the listener on our attack host (tun0)?

@shy warren on ur local machine

@placid quest thank you for the response. Will the msfvenom payload in the cheat sheet work for the .war file upload in tomcat manager?

Or does that payload need tweaking ?

Create a war file and start a listener execute the file after u will receive a shell

@placid quest I understand how to start responder to listen to capture the hash, however I am not sure how to get the hash to be sent. I am assuming i need to interact with the SMB server in someway in order for a connection process to occur where the responder can then capture the hash exchange.

@iron basin no

can somebody help me on File Upload attacks ? The part with Type Filters

you need to start the listener on NoMachine tun0

hint you can use the method show in ||Capture MSSQL Service Hash||

what's the issue?

I don't know how to fuzz the parameters they are all blocked.
I don't understand why people use \x00.

i didn't use that

I uploaded a file with \x00.gif but can't find it

wait so you are having issue finding the upload directory?

.

I know the directory it's profile_images/

but I can't get cmd

yeah because i don't think that extension would work

hint ||double extension||

yeah I read your hints on older messages

I use the double extension

oh if you scroll down a bit from this messages you will see i said my access was F at that time so that isn't a right hint and i was just pointing that guy to the right payload

Thanks for the tip. On my NoMachine, the only interfaces available are eth0, eth1, lo, and docker0. I assume I should start the listener on docker0?

nope use the one that have 172.16.1.5 (which i don't think is the docker one)