#modules

Directory Indexing

Can't find the flag

I cannot understand what I am supposed to do

I followed every directory

even in the source code

same, ho did you figure it out?? I'm still stuck

I wish they had it censored out like Try hack me does ***

it would be so helpful

I cant tell you how many times I had a flag but wasnt pasting it properly

Hint: ||it's under one of the plugins' directories||

What is the answer for this: Active Directory Enum & Attacks
What is the ObjectAceType of the first right that the forend user has over the GPO Management group?

I've been inputting the "answer" over and over, to no avail. I've literally had my fill of this course and its stupid nuances

man... litterally 120 minutes changing directories.. nothing

I wouldn't do it by hand. It's quite obscure to be fair, I also lost quite a bit of time on that. Try using Burp Content Discovery if you can (not sure if the free version has it)

the module says "manually"

i tried that way

headache and nothing else

plese a little hint in private

congrats, its definitely a monster of a module

Anybody

Bro why is nmap so inconsistent

I swear to god something that works 5 min ago

stops working on the same lab with a different ip

I already got the answer but now im not even sure

how I did it

Network Enumeration with Nmap

the medium difficulty

what section?

You mean like the "table of contents"

or whatever its called

Im on the medium lab

yes so "Network Enumeration with Nmap" is the module and within the table of contents are different sections

Fire wall and IPS/IDS evasion

medium lab

I got the answer

and I was trying to look at what I did and take note

but now it deosnt work

im so confused

command history?

yeah I hit up

used the same command

Netcat denies it thinking im trying to use my loopback

0.0.0.0

weirdest thing

Im going crazy why did this work like 2 seconds ago

but not now

I haven't done this module yet so I cannot help besides basic nmap usage. I'll try to complete the module today and if I figure out the answer I'll let you know. I'm not really sure how the lab is setup

sure its up to you im gonna keep trying it for now ill let you know if I figure it out as well.

might help to just reset the lab and re-execute the command

Yeah good idea

Finally got it. Thanks to a list of all of the ObjectACETypes and me brute forcing each and every one until i got it right

Firewall rules and IDS/IPS protect the systems, so we need to use the techniques shown to bypass the firewall rules and do this as quiet as possible. Otherwise, we will be blocked by IPS.

@rustic sage that frog looks dangerous 😵‍💫

Shells & payloads:

For some reason this https://www.exploit-db.com/exploits/50064 exploit is not in my metasploit, tried to import too but no matter how much I try, It does not work metasploit does not know where the exploit is, can someone give me a help?

using pwnbox?

tried in my kali and the box that they provide in the exercise

cause pwnbox definitely had it built in just fine

I will try one last thing here and I will tell If It works, If not I will try with pwnbox and port fowarding

Can I have some help with this question???

What about it

The queries take forever and I am not sure if I am inputting the corrects ones

@thorn urchin not even on pwnbox shows to me

dont search for lightweight

what should I search then?

ill confess I dont remember exactly, but try different terms in there. I think facebook brought it up for me.

I wasnt taking the greatest of notes in the intro modules cause I just blasted past em

Is one of this?

nah

I have a quick minute let me see if I can search it again

ok

Also if anybody wants to help me with my issue feel free to DM

Okay yeah didnt find it, but you can use searchsploit with -x to get the full path of of the exploit and then move it to the metasploit modules directory(usr/share/metasploit-framework/modules/exploits/)

then you can use exploits/50064 and itll work

it wont pop up in search even after moving it but you can still use it

I did in the box they provided, and It worked, I will try again later in my kali don't know why but thanks anyways

ah yeah that question indeed does take an absurdly long time

You should just go take a dump or make a sandwhich while you wait

Was that the correct query tho?

My pwnbox died : ( while it was going

its what I have in my notes so I believe so

whats annoying is that bloodhound finds it super fast but has a slightly different name for it that isnt accepted by the question

I tried to see if I could work backwards from the bloodhound results to find the name it wanted so I could keep in mind for the future but couldnt figure it out within a reasonable time

I'm going to try it again and wait for like 30 minutes.

Would it be ok if I DM you afterward if that doesn't work?

Sure but work is shaping up to be a hectic day so I may be going dark here for some hours

No prob. Focus on your life and work first !!!

@thorn urchin What user did you find for the skills assessment for the pivot on the windows machine? || I've dumped the hashes and only got apendragon , but I also see a user named vfrank on the machine||

my notes are light for that one. But it does look like I got some cleartext creds for vfrank that dont look crackable

so youre probably on the right track and just missed it in your dump

I trippled checked mimikatz isnt dumping them

@thorn urchin why is the password of melfay not working on pivoting module

you typing it right?

its a weird one

The password should work make sure you have it in ''

Thanks i did not use @pastel ginkgo ''

issue im having is that the next user isn't part of my dump

yeah any time there are spaces use ''

try a different dump method

my notes just have ||dumped lsass|| but not what I used

note taking is one of things im trying to improve on in this course 😅

i think is not melfay

but mlefay

@placid quest

that too

could just be discord typo

maybe u need to set "set +H"

because of the !

@placid quest

after smashing my head on the keyboard and googling another method you were right. This is the last time I read their damn hints and go the wrong way.

@mellow turtle yes i need to use ''

yeah like im a huge fan of secretsdump.py but even it has let me down a few times

Oh thats not what I did, || In Mimikatz I dumped the passwords located in memory instead of targeting the lsass. || ||sekurlsa::logonPasswords full ||

yeah idr what Im using im just commenting on the nature of why its good to try different tools, cause even my fav tool can miss things

just in time too since I ran out of time and have to refresh it

idk how im going to rdp to the next workstation, I was able to ping it but when I tried to rdp to it, it failed

Well I finished it but, || Do you know if its possible to setup a netsh proxy on the windows machine to allow you to rdp to the next windows machine? ||

I figured || netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=172.16.5.35 connectport=3389 connectaddress=172.16.6.25 || would work on the windows machine to direct traffic, I'm just not sure how to get the linux pivot host to direct || 172.15.6.0 || traffic forward towards || 172.16.5.0 ||

I wonder if I can add it to the routing table

havnt messed with netsh much so idk

I think its possible you just need to direct the traffic on the remote host on how to get back to you

The routing is good on the linux machine with the added chisel server

Hi

I just think the issue is with the far machine, probably have to get that double piviot thing working

i'm just nerding out, as I do network engineering as my day job lol

I have a problem mit smbmap. When I type the command smbmap -H host it gets execute and list me the shares. But after I add the /share it does not work

No error message

shoot a screen shot

Same problem with smbclient

Okay

I send you a picture @pastel ginkgo

Because I can't upload the image here;

The output is "Finding open SMB ports….."

Not more

iirc to upload here you need to verify your discord profile

Hi! I'm trying to solve my first machine and I am stuck! I am currently trying to get the flag for the RedPanda machine. I tried a few different injection methods in the search bar but haven't come to any results yet other than getting a 500 Error for using unclosed tags which I inserted in the search form

#boxes : )

Ah thank you very much!

I apologise, I'm a bit new here

No prob

Try harder :d

Did you encoded them?

Anyone done the Metasploit module? I'm not sure how to exactly phrase this but what does it mean by calling us lazy

If you aren't going to use tools then what do you use really? build everything from scratch or what? Or am I taking the phrase tools to literally i.e. tools like nmap, metasploit(obv), burpesuite, and etc

Are we not supposed to use them the choice of words they use is confusing to me

I have not done the Metasploit module but generally from my experience when someone says "oh I'm lazy" it's right after they just created some crazy tool that will make it so they don't have to waste time doing tedious repetitive work anymore. In that sense tools are lazy I guess. But also just using tools without understanding what it's doing or why you are using it is bad for learning if that's the context instead.

Yeah I wholeheartedly agree

and believe what you've said

but I don't know its odd the way they put it.

To me the whole essence of hacking is being a jack of many trades using many different tools while understanding their protocols exploiting them

someone else could put it into better words but thats the best i can do

I don't think Metasploit is lazy at all. Best to use the easiest thing for the job

🤷‍♂️

However you should know how to manually use exploits

And metasploit is mostly useful for exploits that have already been discovered

Password Mutations SUCKED! @steady hawk helped, and also recommend cracking FTP and increasing your thread count to 48. It'll go way faster than SSH.

There is a book on the mindset of hacking that I was reading that said something along the lines that hacking is fundamentally finding unintended uses for something. In cyber security and ethical hacking you can become as jack of all trades or as specialized as you wish from what I've seen. As far as Metasplot being "lazy", it's lazy in the tech sense in which freeing your time to do greater things by automating the things that hold you up is "lazy". I don't know if it's the same everywhere but many of the people I've known in the tech world compliment themselves by calling themselves lazy.

That is exactly my logic if our employer wants the job done effectively and fast its best to start with it! It gets all the easy and obvious stuff out of the way first! by the way great channel man checked out your videos last night keep it up!

I was thinking about this the other day, and was like man… what if I could combine all of these tools in one python script and just have it output to a text file or something

Bro thanks so much! If you want any video recommendations just let me know : )

Also I hope cryptocat collabs with me

🥹

I once heard a saying, I think by Steve Jobs. He said, “If you have a difficult task, have the laziest person you know do it. They’ll find the easiest way to get it done.”

That would be dope man I've watched tons of his videos lol

100%

It’s also stupid logic if you apply it to almost anything else. “Oh, you used a lighter to start your fire? What a lazy turd! You should’ve gotten a flint rock and kindling and done it from scratch!”

You absolutely can. And some tools can integrate with each other in cool ways. Some tools also have their own scripting engines, nmap is a great example.

It's what technology is all about. Why would I spend 30 minutes banging different sets of rocks together if I could light a fire with a lighter then get on to a new task?

A lot of people hate on metasploit because it is very easy to use, however i would say you only use it in certain situations

Some people think you can just use metasploit haha

metasploit is a powerful tool, but its not a substitute for understanding the actual exploits and techniques being used under the hood, but since its so easy a lot of people DO try to use it as a crutch instead if understanding. Those people are whose being called out as lazy.

based

You should, have the capability of being able to run an exploit without metasploit.

its basically the iron man speech to spiderman. If youre nothing without the tool you dont deserve the tool.

#858470491676737536 : )

not erratum theyre asking a question lol

Im goona try the bug bounty hunter exam soon i think

no

AronRICH

You could work a bit on your social engineering my guy 😉

Yep you’re full of shit lol

this channel is for discussing academy modules, not for begging for cash, so shutup

@violet gyro explain a buffer overflow

youre doing it in a pretty shitty way then

nobody cares

Cool cool

If you need any advice just lmk.

Lol

Skid

https://tenor.com/view/breezy-hacker-im-in-matrix-laptop-gif-22983973

no embed

sad

💀

Yes I can create a buffer overflow 😸

Yea use the right buffer and it will work perfect

So he s hacking people to play robin hood?

The man with the bow

This shit is too funny haha

[x] we believe you dont worry

I’m legit dying inside

@winged hedge can we get this moron removed or at least shut up please and thankyou

how old are you may I ask

Amazing how smart 22 year olds can be

Go to codecademy

Good place to start coding

care to dm me please?

click the red quick

done

you have no coding knowledge but can “make 100k year black hat hacking”

This is soooooooo good 🤣

negative iq

Buzzword hustling 101

50k i swear

Hahahaha

me resisting not to bully this 22 year old who has the intellectual capacity of a raccoon

How dare you insult raccoons like that

I dislike raccoons 🦝

unpopular opinion

Those motherfuckers can get into anything, that dude can hardly turn the power on a computer.

Definitely a difference

Racoons are awesome

Very cute

HTB is so fun

Please keep conversations on topic.

^ boo this man

https://tenor.com/view/boo-boo-this-man-mad-angry-gif-16849857

🤣🤣🤣

thats not smart

Ban speedrun any%

but yes lets get back on topic please, the bozo is gone

Alright fine ill try to keep getting better

Ok fine shitposting was funny

@winged hedge thank you for banning that user

how long have you guys been doin htb

Greetings, I have another question for the Active Directory Module... In the "Living Off the Land" section. There is a good amount of this section that talks about downgrading PowerShell to 2.0 and some things to try after you do that. When I try to follow the course work I cannot downgrade, I get the error "Version v2.0.50727 of the .NET Framework is not installed." did anyone else encounter this or find a way to downgrade? Many Thanks!

https://tenor.com/view/sad-walk-gif-24718162

poor guy just tryna do his job

Not on topic!!!! 💢💢💢

😅

why is there no general chat

#general I would not recommend going there tho

This channel is much more chill

I don’t see it

prolly need a role

same lol

wait nvm found it

its under offtopic

I only see bot-commands

weird af doesn’t even look like it’s a private channel

probably do need verified

tbh this channel should prob be locked behind verified

am I not verified?

^

no

how do I verify then

#welcome

Ty

I've got an 8 hour roadtrip tomorrow...Hopefully can get in some work on the trip

feel free to dm if you need a hand

Hi !

I am stuck on the last part of skills assessment - file inclusion

I managed to poison the log in the admin control panel and execute basic commands : id,pwd,ls

But everytime that I try to ls the / directory to get the flag file, the admin panel crash

Any hints ?

havnt done the module, but have you tried just loading a reverse shell and trying from there

Yup it doesn't work either

odd, can try cheating and using the newish base64 php filters to get cmd execution that way. might be more stable

Hoo didn't hear about this one, can you point it to me please ?

https://defendtheweb.net/discussion/2033-remote-code-execution-through-php-wrappers

https://book.hacktricks.xyz/pentesting-web/file-inclusion/lfi2rce-via-php-filters

keep in mind its almost certainly outside the scope of the module

have you tried ../?

but its too good to not add to your toolbox if youre doing lfi

theres a ton of boxes with LFI segments you can straight up skip with this method:)

Hmm this method is indeed teached in the module

dope

But it doesn't work in my case

that was a fast check

I'd love to take a look, can you dm me a screenshot?

Sure

yeah if your commands are only failing on certain paths and they've neutered php filters I've got nothing off the top of my head, im a few modules away from starting that one, so good luck.

I would also change my user agent to some php and see if its rendering 😄

something like <?php phpinfo(); ?>

it seems that the fastcgi is bugging

Got 1 more redbull

ok I found the issue

Problem sovled

What was your issue? I checked my payload and what you used is correct (except you're missing the web shell parameter to exec commands)

Also I recommend putting that message in spoiler tags haha

hello

https://discordapp.com/channels/473760315293696010/774040263278592041

HACKTHEBOX PLEASE ADD A DEAL FOR BLACK FRIDAY

Hi, I am stuck at Attacking Common Services - Easy. I got full credential but having trouble executing webshell. I saw my shell uploaded but i was only able to download not execute. Is there an efficient way to FUZZ path to find out execution path or i am overthink this.. Can anyone please give me a nudge?

Did you find the ||phpinfo|| page?

Helloooo

Yep. phpinfo is on the dashboard of port 80. however, i saw my shell uploaded in https: page

check that phpinfo page real well. If you need another hint let me know

Broken Authentication Module - Brute Force Usernames : Find the valid username for the web application based at subdirectory /question2/. I need a bigger hint..i have tried so many different things here, I have also looked at all the source in response...nothing...can anyone assist?

there is no execution path and hint this is a ||windows box|| and it can't run normal php if you upload your shell through the vuln for some reason i end up have to use a php payload with powershell code

hint ||Remember me||

Interesting, I was able to get a PHP shell to work fine from ||MariaDB||.

oh yep if you upload a shell from the ||db|| it will run normal php just fine for some reason, wait but i remember the it was ||mysql|| did they change it to MariaDB?

At least in my notes that what it was. I did it fairly recently, within the last couple months.... I think anyway, it all blends together..

Thanks man, That's strange.. now it's mysql.

thanks!

if you get the flag try to read it and you will see there ||multiple way|| to get that flag

Wasssup!!!!!!

My boi MRtom is alive !!!

how you doin?

someone can help me with Windows Privilege Escalation Skills Assessment - Part II ?

not really after the 22 hours god of war video

hint ||exploit_suggester||

@vital adder thanks :}

somebody get Mrtom a ps5

he deserves one lol

hello

In active directory living off the land... the last question, I am not understanding how to setup my DSQuery and LDAP filter.. Can anyone help me out? "Utilizing techniques learned in this section, find the flag hidden in the description field of a disabled account with administrative privileges. Submit the flag as the answer"

please help me Directory Indexing Wordpress

I'm going crazy as hell

Shells & Payloads - Laudanum is the site filtering uploads? It says "uploaded" and yet it's not there.

Do I need to change magic-numbers or something?

or add a .zip to the end? The module doesn't say anything about filters.

did you remember to edit the shell properly first?

if youre not in the whitelisted ip addresses it'll 404 you 😉

ah, i reset the box and forgot to...

fuck

lmao

ty

happens

blaze erry day, ig

feels that way...

good lord

yo has anybody succeeded in using rpivot to get the web server homepage in pivoting tunneling and port forwarding session?

@pliant sage use sshuttle like sshuttle -r ubuntu@ip the pivot ip and after browser to the ip address

nah it's ok actually I figured out the rpivot problem

for those interested, running prxychains firefox-esr with another firefox window already opened does not work

hey can u give me hint too for
Find the existing exploit in MSF and use it to get a shell on the target. What is the username of the user you obtained a shell with?

did you find the solution?

@sly grotto use id u will get the user

i could not get shell actually

my question is what is the exploit

@sly grotto what is the question

how can i get reverse shell?

which exploit i should use??

@sly grotto if u have a shell why do u need to make a reverse shell

i dont have

@sly grotto use Metasploit

which exploit?

@sly grotto how will i know the exploit if cannot see the vulnerability

Hello frens, can someone help me with the second question of Kerberoasting - from Linux from the Active Directory Enumeration & Attacks i find the response but I think there are a better way to do it

responder?

what more could you want

i used eternalblue , fortilogger but none of them work

hi guys

im new here

new to cybersecurity in general

@sly grotto maybe the problem is lhost

no it is correct

does anyone have any course i can start with?

@sly grotto can u send me the screen shot

hint ||the example||

which module are in?

both of this video have a lot of great resources to get started so give this is it check to see where you should started
https://www.youtube.com/watch?v=0vu_Hs4N8B8
https://www.youtube.com/watch?v=lhz0-qAQlBM

@vital adder Metasploit module

and he's replying to people need help with Server-Side-Attacks module?

@sly grotto search the answer of ||question 1|| in metasploit and try the exploit that metasploit give you if that doesn't work try a different one

i do all the things the best
just metasploit problem
after run 10times it worked :/

@placid quest @vital adder

what it means

check the ||directory|| show one of the ||example||

thanks

solved

was under my nose and i was searching elsewhere

hey, care what enters in your nose! @rustic sage

Hello,

Missing something obvious again.

https://academy.hackthebox.com/module/116/section/1171

question 3. I have a password and a hash. cant use the hash, cant seem to get the password to work either.

What am i missing please?

wdym you can't use the hash?

that hash doesnt pass. its rejected so says xfreerdp.

does xfreerdp say it or does the window that opens say the user can't use rdp?

Ah. the user cant use RDP.
I cant set that registry entry without admin access tho no?

idk man try to add it see what happens

and run ps as admin if you want to it in the command line

hello guys

can anyone help me in one HTB challenge?

its called ''Weather App''

#challenges

there is no channel like this

use ++verify at #bot-commands

Yeah.. now i know why. I didnt check the users permissions when i realised they werent admin... though they do have registry control so... now it makes sense.......... thanks for the help.

has anybody done the tunneling w/ chisel part of tunneling and port forwarding? If so, how? When i try to run chisel on the pivot an error get thrown

for the chisel on the target machine use the amd64 version on github or if you have chisel installed on your machine you can upload and use that binary on the target machine

i scp'ed my compiled version of chisel on the pivot and it doesn't run properly

yea just use the pre-compiled one

wdym the pre-compiled one?

the stuff in the tool github releases page

Skills Assessment - SQL Injection Fundamentals

Hello,
I just finished the skill assessment.
The key was to upload the shell payload not directly to the web root but a directory further. I found out by guessing. My question is know, is there a way to find out in which directory I am able to write files?

if its linux:

• /tmp
• /dev/shm

if its windows I always use:

• ProgramData

how long does it take subbrute.py to find all the subdomains in Attacking common services / Attacking dns.

for this if subbrute is taking too long you can use gobuster but there is a chance gobuster will miss the subdomain with the flag and there is a chance gobuser will find a pornhub subdomain

check my setup in DM please?

sure

yeah... that's the default writable directory but in this situation you can't really access a webshell (write through sql injection) in any of those directory

hay, i stuck in html injection question i can't find the answer

Hello colleagues, I have a problem connecting to smbclient. What should I do in this case?

smbclient -L 10.129.218.228 -U htb-student
do_connect: Connection to 10.129.218.228 failed (Error NT_STATUS_IO_TIMEOUT)

is there any discount for black Friday?

Correct, I’m wondering if there is a away (a rights file or something) to find out which directory in the web root can be used

my way is just to test every directory you can find but usually www-data have write permission in the web root

try smbclient -L \\\\10.129.218.228\\ -U htb-student but you got a TIMEOUT error so not sure if this will work

thank you.}

Note in that skills assessment you cant actually write to the webroot, you can only write a few directories in, which is where their question is coming from

Im not sure either outside of guessing

i fotgot but i'm pretty sure they did say something about writing permission in that module

they do, but for that one it doesnt return anything specific

I'm going to check again in the scenario to see what could have happened.

I happened to have also cleared the sqli assessment last night before bed. It was pretty easy overall, but the writing part without a little guessing is annoying. but thats life

the checking writing perms is only if mysql itself is setting a restriction on where writes can be done, but for the assessment that seems to not be the case, so I presume its being limited by the actual user. tempted to go back and double check

yep the ||mysql|| user don't have write permission in the web root

In the module Password Attacks/Protected Files, after finding the RSA Private key, i tried cracking it using John with both rockyou and the mutatedlist but nothing works. Any help would be appreciated 🙂

mut list. use hashcat. its better imo.

check the hashcat examples page for what the hash needs to be formatted like

Working through the PIVOTING, TUNNELING, AND PORT FORWARDING module... i feel like it's very easy to get lost in the sauce if you're not keeping track of which host your running commands on. Words like "local host" are being used but it really means the pivot server's local host lol

Absolutely. Try drawing diagrams as you go, itll help you visualize where you are. I use draw io but theres lots of ways to draw network diagrams

Yeah, but in the sql you can only check if it’s overall possible to write from sql to a dir. Or in what dir it is possible. But as I understood then you don’t know for sure because the OS user also needs to have permissions.

So you also don’t know which OS user you use before writing your shell, don’t you?

And that’s the point where my question comes from. Where do I know my OS user and which rights my OS user has ?

i think u need a shell for that

u can check what user u are in mysql and what rights u have there

then if the user of the sql server have write permissions then you can try writing a shell

or if u can read with load_data u can poison logs and then read them with load_data

@obtuse moth where are u stuck at

WEB REQUESTS - crud api

dont use ''

@rustic sage

ohk

xD

curl http://IP/api.php/city/flag its enough

how to find flag, im done with this

Thanks but with that sql user permission „check“ you only can Check if the DBMS does a allow it but not if there is a directory which correct?

it basically just comes down to educated guessing

How do you fix this?

Ok but I’m I am correct in my assumption with the permission check?

Yes, except you can sometimes get the directory IF a specific directory was configured for it.

inside mysql

or creating an error log and reading the error.log

cd /tmp

Can u increase storage in PWNBOX?

I'm doing the Getting Started knowledge check and running an nmap ssh brute script

How does that work, if I guess it boots me after 3 guesses, does it know how to work around that?

just reconnects

robot faster than human

were boned when quantum computing is here haha

can

someone

help me

with beef-xss

Havnt touched beef-xss since it came out, is it covered in a module somewhere?

i don't think so. You mean the full beef framework?

Possibly, Im just responding to the message above me

ah gotcha

Beef framework is fun to mess around with

Not sure how useful it actually is

its basically just a client side xss exploitation framework. It has the contrivances though on needing to convince the user to keep the tab open while youre doing things though. So often youre gunna be better off being a bit more...precise with your payload.

Any suggestions which academy I should do before doing the in the “real” htb boxes

Is it possible to send a message to all Windows users?

The modules in the CPTS path will be helpful. Each module also has suggested HTB boxes at the end.

As a free user I think these boxes aren’t available 😅
Just want to check the basic so I am ready for the boxes

HTB easy boxes are other places medium and hard, tough to pinpoint what constitutes the basics for ya. Background varies

Mhm I understand
And then learning with the walkthrough?

Hello. I was wondering if somebody can give me a hint concerning "What is the admin email address?" on Footprinting IMAP/POP3? I have tried cto.dev@dev.inlanefreight.htb. I have also logged in as robin.. Any recommendations?

Hi, some1 for a nudge on Skill Assessment - Broken Authentication (privesc)?

Hi everyone. I have a problem with Web Server Pivoting with Rpivot.

Moduel question:
*Using the concepts taught in this section, connect to the web server on the internal network. Submit the flag presented on the home page as the answer. *

My problem is: Once I execute server.py (on attacking host) client.py (on pivote host) and proxychains firefox-esr 172.16.5.135:80 on my attacking host to see the webbpage I got an error "The connection has timed out"

Someone faced the same issue?

I'm able to see the flag because of curl (proxychains curl 172.16.5.135:80) command but it shouldn't be the way to solve the module

ive never heard of someone using proxychains on firefox, there are browser extensions for proxies like FoxyProxy thats better instead

hi guys, Skills Assessment AD pt 1, have run Winpeas and got admin has, got svc_sql but stuck on tpetty as don't know how to transfer tools from 172.16.6.100 to 172.16.6.50

The command proxychains firefox-esr 172.16.5.135:80 is from that module

yeah I still dont know anybody who uses it that way

Yes. Starting point machines and the modules recommended by starting point.

• ippsecc

how tf did you get RCE but you need the admin account for the flag

role privesc v:

oh 🤣 hint ||cookie||

I've used it with Tor/proxychains. it's just a pain in the ass. But that's surfing the web. Not the same thing.

you can just use tor browser or if you want to route tools over tor you can use whonix (gateway)

Sure.

yeah when I need to use tor its a QubesOS container getting pointed at a whonix gateway qube

Teach me the way of qubes

https://www.qubes-os.org/doc/getting-started/

😉

Thanks !!

Ill slowly corrupt the whole server into qube fanatics

Check for errors in the URL.

Check for errors in the URL.

it already got resolved 🙂

Can I DM you?

yes

I'm in Firefox Dev Tools, trying to follow along with the 'Web Requests' module. In this part, I'm copying the request as Fetch, and pasting it into the console. But I can't figure out how to see this bottom section as shown in the module page

ii'm very stuck in Windows Privilege Escalation Skills Assessment - Part II , may someone help me in dm?

i used windows-escalation-suggester but anyone seens works

sure shoot me a dm if you still need help with that also exploit suggester give like 17 exploit and only ||3|| work

Attacking Common Services - Easy: for those who still struggling, I used ps encoded base64 payload via ||sql path|| and got the flag. This community has been really friendly and helpful to beginners.🙏

yeah... that's a bit too much spoiler, maybe you can get away with spoiler tag only and also for that method i didn't have to encode my payload with base64

I thought regex could cause some error so i encoded it because most of the time my commands somehow failed.

where the heck is the "login" button? It's in the source....

I'm not strong with cURL but ig I could login that way...

but I also can't seem to find that anywhere in any of the directories

idk what's happening, man

which module sammy?

Live Engagement on Shells n' payloads

Host 2

I have creds if you want to check it out

nah I definitely didnt have any visual issues like that when I did it

Is it a Links2 problem?

I don't like this thing to begin with. I want my Firefox

But, alas... no firefox.

ey dudes what going on?

I never used Links2

That's all the workstation has.

other than Tor, but Tor requires "an update" on first run, so it doesn't want to work.

Or am I insane?

I just proxied everything across the host

so maybe you are insane lol

SSH?

idr what I specifically used

probably chisel

Hopefully it has a static binary, somwhere. Otherwise, I'm lost.

for chisel you can just build the binary

its literally go build

ty for the tip.

unless its a windows box

ik but still

then you gotta do a little env magic to cross build for windows

I'll have to install it on Kali and base64 copy/paste it to the wrk-station

no clue, lol

luckily it's not tho

git clone https://github.com/jpillora/chisel.git
cd chisel
GOOS=windows GOARCH=amd64 go build

dropping the goos and goarch if the dest is not windows

I have to get it on the jmp station. No internet connection.

yeah I know

So base64 -w 0 > dumb.txt then copy-paste lol

i don't think that will work tho

does that work??

the webshell ought to have pretty easy file upload

it's not a webshell. I'm just on the internal testing-host.

so it won't be too bad.

Remmina

the initial foothold they give you is a webshell I thought?

I'm not sure yet. I can't log in to find any vectors lol

I'm not explaining myself lol

no I mean literally the foothold they give you as part of the scenario premise

foothold is just RDP

you start from the inside the network

my memory seems to be almost completely different

lol

I can tell you're way past this point

I have the same memory issues

its been like a month since I did that modulr

and I wasn't taking greatest of notes

oh you can ssh into the foothold too not just rdp

that's why my memory is different, fuck rdp lol

scp over any files if need be or just ssh proxy

I wouldn't have visual though.

why would you need it

My web skills are weak

skill issues. I need to "see it"

If I could cURL login to the page, I would.

maybe I should revise.....

or you could proxy the foothold and then use firefox at your leisure

Yeah. I could scp chisel over and do it that way...

host 2 def also doesnt need visibility, you can get all the necessary information with nmap and the the question basically tells you what to do

so for this they did update the lab not not long ago (more like a downgrade) but everything you need to exploit all 3 target is already on the foothold machine also i remember nothing you can ssh into this machine if you can it will be great because the rdp thing suck

in the AD module... Does anyone know how I would determine what groups a user is a member of on the DC using just linux?

originally for host 2 you have to enum the page and find a exploit from there now for the updated target and the issue with the web server i'm not sure if this is still the intended way

Not sure... Looking through all the directories I don't see any login form.

just a mysql config file

with passwords n all, but not sure how I'm supposed to know what 50064.rb is (clearly, MSF but how was I supposed to discover it?)

unless that's not the point of the exercise...

nmap to get version and then searchsploit

idk why i make this shit more complicated...

never skip the basics 😉

when I could just use metasploit

tryhard mode ig

my little notes did warn I had a slight stumbling block with using it but unhelpfully not what the solution for.

good news though the third host is actually the easiest host of them all but youll probably wrack your brain overthinking it if you dont read the scenario hint for it.

pssst spoilers

"Lightweight facebook-styled blog" though?

really?

funny enough I don't believe thats the only time it pops up in the course

originally one of the post on host 2 is supposed to mention it

problem with rendering page lmao

cause rdp is ass

so i can't see anything properly/ too lazy to sift through the source ig

i'm going to look at the source and see if u rite

yeah i'm also checking right now and nothing seem to load for me too

Uh oh...

are you using ass rdp or proxying Firefox

They don't teach you that early on lol

no fair

I've only been doing this for 7 months lol

quit flexing on blue chat

youre a hacker, cheat

I should still probably report it as a bug though. Honest to god, I could not figure out what was wrong.

oh wait it take a good bit for me but eventually the web did load and i can see the post (with the right exploit)

Not everyone knows what "proxying" is.

and I've never done it a day in my life, so no fair sire

When I was on the now defunct securityoverride forums my web skills werent good enough to pass all the challenges. So instead I discovered a hidden .git repo that has the source code for the whole forum(no db backup though), and so I dumped all the challenges answers.

Nobody revoked my score.

welp, time to go learn how to use chisel lol

or just ssh proxy

good point...

see what I mean? lol

never would have thought twice

or since youve already found what you needed to know, you might not need either

yeah but...

idk meng...

or maybe you do, idr

¯_(ツ)_/¯

I guess that's why they straight up give the answer in the question

nah.

fuck it.

this thing is frankensteined.

okay, am I just getting flustered or??

maybe i should just walk away...

you need to import the exploit from the rb file

i have to manually import it?

yep

why must i work?

manually importing it is just cp over to the right directory

guess i had to do it at some point

I'm spoiled from being on THM for too long, kek

youve been drinking milk all your life, youre now ready for whiskey

oh wow rank 5309 on thm in just 7 months? that's impressive

why u doxxin me brah?

jk

not really though... haha

🤣 sr just want to check on a fellow thm

you put sammy in your own screenshot, you dont have room to complain about doxxing lol

good luck finding sammy:"Pennsylvania" lol

🙂

not my real name, on purpose either

goteem

im going to Pennsylvania in January

why would you do something so stupide?

visiting a friend

for a pagan feast

oooooh

bro...

the f...

I'm sticking it in the main folder. Fuck this...

under "antivirus"...

🖕

idk why it won't load

Hi guys, I am stuck on Assessment of PIVOTING, TUNNELING, AND PORT FORWARDING

I read the file "for-admin-eyes-only", it only shows me the username, how to get the password?

@rich mulch use the ssh key to connect

yes I can use id_rsa to connect under webadmin account. But how to answer this question?

I mean what is the password of this user?

@rich mulch the password maybe at the end of maybe like the plaintext

@placid quest yes plain human work

I dont get it. I did try to put mlefay:PlainHumanwork! but it not work @@

@rich mulch can u dm me

Already bro. Thanks in advance

a hint for Active Directory , how to transfer tools to the svc_sql account, there's no chisel, no mimikatz, am using the Windows way because meterpreter is like a dumbshell(but probably it is me who is dumb). I have NT/SYSTEM hash and I launched Winpeas either. Not managing to connect the two ip's:the 172.6.6.*0 and the 172.16.6.5..

can you use certutil/Net.WebClient/iwr?

Or is it blocked?

will try them immediately,thank you

If they're blocked by AMSI/AV then idk heh

!!!awesome,thanks

@forest tapir he can try to use evil-winrm to upload files

that too.

am such a noob 😐

That's why following Career Paths is nice. It steps you thru the basics, first.

Everyone's a noob at first

Hey can somebody please help me with a question of a module

@deft lagoon what question

IN footprinting imap pop3 the admin question

if my pc wont lag i can send a screen wait a sec

i cant send a screen maybe i dont have the permission

can we go private chat for a sec

@placid quest

@deft lagoon yea

@placid quest cool i dm you

@deft lagoon ok

@placid quest already done

does anybody have another idea

I am really stuck on the “Broken Authentication Module” page 5 Weak Bruteforce Protections
I changed the ip to the ip of the website, tried the python script but nothing

I finally got it, but I used hydra

you need to brute force credentials, it is not just about bypassing

Hey guys, with OpenVPN, I'm finding nmap is super slow, I'm in Australia but can only connect to US or EU is this causing the slow scan?

Hello,
Doing the medium box on Attacking Common services. Got a user name from an anon connection but cant seem to brute force the pass. What am i missing?

check your ping to the boxes. if its super laggy then yeah, that would be why.

@loud sapphire u maybe missing something but hard to know if u are not seeing anything

im seeing 6 services. one of them has anon access. there be a file. the file is a name of a person. if you check that with the mail server, it says ok. I tried brute forcing with hydra but not getting positive results.
i have the pass list from resources etc.

The ms is about 250-300ish which I assumed is slow, any fix apart from changing nmap scan

yeah.. thats some lag right there....... are there no other servers?

I fixed this with a nmap t4 instead of -p- which is good. But hoping for future machines I can get a better ms ?

Only EU and US

If I go VIP do I get an AU?

There's a fundamental difference of what -T4 and -p- do in nmap. One scans all the ports, the other only the top (most common) 1000 ports

Are you having issues with HackTheBox machines or the Academy machines?

wonderful everyone is in pc

I have completed a few of the beginner challenges, but notice my MS is high when pinging, I have only two choices for OpenVPN which is EU and US. Since I'm from Australia it's not very fast.

I am preferring to use OpenVPN over the HTB machine so I can get use to the real thingI guess that's how I would describe it

Are you saying if I use HTB (pwnbox) machine it would be fast?

No. I'm asking if you're doing HTB or HTB Academy

They are 2 different platforms really

Ahh ok sorry, HTB ATM. But also working through academy

I don't know if there's a dedicated AU server for VIP (there probably is, but don't take my word for it), but note that it won't speed up your scans 10x

If you're doing big scans (like full port scans) it's still going to take a while, even with a closer server

Ok understood thankyou, what is a good nmap scan? Do you recommend -p-? It estimated about 20-30 mins

That depends on what you're doing

The way I approach is I run a fast scan (like nmap -T4 <IP> -sVC), and launch a full scan (like nmap -T4 <IP> -p-) in the background, after

I say it depends because you can maybe find all the open ports with just the top 1000, or you might not and then you need to do a full port scan

That way you can also poke at the open ports while waiting for the full scan to finish

Ok sounds good I'll use that thanks mate

You're welcome

what is this ? can someone tell me what to do here?

@rustic sage where

my name

what happend to my nick name

@rustic sage delete " and +

still wrong

open console

and use console.log() on that flag string

@rustic sage stop coping and pasting

?

man java error

wait

online compiler

still buffring

nah man something wrong with question

how to tell them

my bad

f my bad

@rustic sage pls be careful with spoilers

bruh

i forgot to run code xdd

sorry guys my bad

i very often cope & paste

you should delete that SS

kk

@drifting knoll sir can u help in this?

Web Requests - crud api last question

maybe you should move on to something else, until another time.

there's nothing wrong with that. I've done it.

nah its ok but...

that's normal

growing pains

want all complete

looks cool

you wanna supplement your knowledge as well. Don't just rely on HTB.

if you're just doing htb and trying to "get through the modules" you won't get far

it should be an obsession, tbh

and "looking cool" should only be a side effect, not the primary purpose

everyone gets frustrated. that's when you step away for a while.

not a very healthy advice

okay, not "obsession" but a very strong drive

hey can someone help me with footprinting snmp

the last question

Enumerate the custom script that is running on the system and submit its output as the answer.

=====
Hello guys,
I am in Skill Assessments of Pivoting, Tunneling, & Portforwarding module.
I am in the machine of user "mlefay" and I found that this machine also have 2 NICs which are

1. 172.16.5.0, include its machine: 172.16.5.35 and the Linux machine: 172.16.5.15
2. 172.16.6.0

I try to discovery hosts by running script to ping all IP in range 172.16.6.1-17.16.6.254 in 172.16.6.0 network, but does not found any new machine
→ I think machine in Network 172.16.6.0 was configured to block ICMP ping

What I should do next to find out other machines?

Hello everyone, Can someone get me going in the right direction with the skill assessment for Using Web Proxies. I am trying to enable the button on a website but I a may be going about it the wrong way

doing the final assessment Attacking Common Services - Hard.

I am on the DB and can see the linked server. What i cant get my head around is writing code to execute code on that linked server past what was taught in the module. Can someone help me out please?

for that section you can use snmpwalk to answer ||all 3 question||

nope the next machine on that network doesn't block ICMP a ping sweep only work like half of the time for me and for that i use a gui tool call wnetwatcher (also recently i found out a ping sweep on cmd will work better)

hint ||elements||

hi this is pre-write thing so if you don't understand any shoot me a dm

for example the EXECUTE command if you run 1 command like EXECUTE('select @@servername') AT [LOCAL.TEST.LINKED.SRV] you only need to use 1 single quote but if you need to run 2 command (which is how you get the flag) like EXECUTE('xp_cmdshell ''dir''') AT [LOCAL.TEST.LINKED.SRV] you need to use 2 single quote
so EXECUTE('xp_cmdshell ''dir''') instead of EXECUTE('xp_cmdshell 'dir'')

this is what i was doing wrong.........

Disregard I ended up using developer tools to change it, I for some reason couldn't get it using Burp or ZAP

same

if I have a brute force attack running(ftp which seems to take forever), and I walk away and am signed out, does it continue to run?

but I did run script powershell to ping all machines from 172.16.6.1 to 172.16.6.255, all host are down = =!

yeah the powershell ping sweep one doesn't work for me like at all

try the cmd one or the wnetwatcher tool

which command in cmd I should use?

i forgot but look in the cheat sheet for cmd ping sweep

I did but there were so many services i cant find the one

btw "wnetwatcher " is wireless network watcher?

nope it's the name of the tool

hint the last question answer is ||a flag||

oh wait i just give this a try and the only different thing changing the||elements|| will do is let you send the ||post|| request and i wasn't able to get the flag if i send it in burp repeater but i can with a normal curl request

Hey guys, need a hint for attacking common services - attacking smb: What is the password for the username "jason"?. Where do I find a passwords list to try for it? The hint says it's in the resources, but I can't find it. I have found an interesting file on the shares (||id_rsa||), but can't access it

Edit: if you're blind like me, there's a Resources button at the top right of the page

can u help me to give the link of that tool. As I checked on Google, all results point to Wireless Netwatcher Tool...

here https://www.nirsoft.net/utils/wireless_network_watcher.html

wait what?

Just found it

Never checked that before lol

lol I asked u is that Wireless Network Wacher tool? you said NO = =!
by the way, thank you for giving me the hint

oh wait so that's what the name stand for??? i didn't notice that

Can someone give me a hint how i can transfer files in the password attacks hard lab module? Copy + Paste not working and connecting to an smbserver is forbidden

Hey I was working on The Payloads section of Using the Metasploit Framework

and im stuck I can get the exploit to run but I don't think I'm using the correct payload

what kind of payload should I be looking for its a Apache Druid server that im running the exploit on

I tried running a few payloads related to https but couldn't get them to work either

I think by default Metasploit tries using the tcp_reverse shell payload

what kind of file are you trying to upload or download? you can use updog or if the thing you need to download is in a ||smb share|| you can just use smbclient for that

I think you need to start a upload server (python3 -m uploadserver ) and then upload via http with living off the land , curl etc

@leaden quail

if you use the right exploit and set both the ||SRVPORT|| and ||RPORT|| right what payload you use shouldn't matter (except some) but i use the default one metasploit give and i did noted down if the exploit fail run it a again a few time

okay I was setting some other options thanks for the feedback

ill look into what those are

Can anyone answer please in my account showing unranked in htb I am new to htb just today I completed the all tasks of starting point can anyone tell what I have to do later

you can verify if you want, then start doing boxes or Academy

So you mean a service (with the letters "f,l,a,g" in this order: flag) in its name?

i can't remember but there should be a flag in the format HTB{} in the tool output

I just did it using just PHP, DM me to exchange ways

Someone for a sanity check on Attacking Common Services - Medium assessment?

sanity check on XSS Session Hijacking

I'm really struggling on find and locate it is ridiculous

i lost my 2fa and backup code and i need any help to login

working on the last question of the Skills Assessment for Cracking Passwords With Hashcat. i found the hash that appears the most and cracked it, but inputting the password as the answer appears to be wrong. what should i be looking for?

oh, the question in the paragraph above is different than the question where you submit the answer

Hello,
can somebody pls give me some hint on file upload module - blacklist filters ?

anyone available to assist with Attacking Common Services - Easy? I figured out how to upload a webshell but now im stuck and don't know how I can execute it.

hi

i need help with something

import random

data_list = "abcdefghijklmnopqrstuvwxyz0123456789"
chardData = list(data_list)

password = str(input("password"))
myguess = ""
while(myguess != password):
myguess =random.choices(chardData,k=len(password))
print(myguess)
myguess="".join(myguess)
print("your password is" + myguess)

There is a handy browser extension called Hack Tools with reverse shells, TTY shells, useful Linux/PowerShell commands and one-liners. LFI, XSS, SQL payloads, data encoding, and more that is helpful.

did you figure it out

@mild grove i do not remember the details but just change the extension to .jpg.php or .php.jpg, then you try using different versions of php there

I think thats a different part of that module..
|| He needs to get around the source code, which can be done if you edit it and upload a unblacklisted .php file||

is it practical to do bug bounty pathway while doing infosec fundamentals pathway since bug bounty pathway has no prerequisites?

also where is the Exercise Script in the introduction of bash scripting conditions module

#!/bin/bash
# Count number of characters in a variable:
#     echo $variable | wc -c

# Variable to encode
$var="nef892na9s1p9asn2aJs71nIsm"

for counter in {1..40}
do
        var=$(echo $var | base64)
        if [counter -eq 35]
        then
        echo $var
        fi
done

that's my code

can someone point me in the right direction with it?

can someone please help with this error using getuserSPNS -- Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)

this variation on my code also doesn't work:

#!/bin/bash
# Count number of characters in a variable:
#     echo $variable | wc -c

# Variable to encode
$var="nef892na9s1p9asn2aJs71nIsm"

for counter in {1..40}
do
        var=$(echo $var | base64)
    if [counter -eq $var | wc -c]
    then
    echo $var | wc -c
        fi
done

👍

sick, man

DM me

same here, this module is mindblowing,but I've learned an abnormous quantity of things. Afterall, it wouldn't be interesting if it were too simple. Still have the Skills Assessment part 2 to do 🙂

Is there any way to increase my chances of success with the eternalblue module? Or is it just against the wind...

i'm trying a generic payload at this point.

i'm guessing it's latency but I don't actually know for sure.

praying for patience right now...

For attacking common services - attacking sql, I found the password of the user mssqlsvc, but I can't use it to connect or impersonate someone else to read the flag. Any hints?

@solar granite where are u stuck

Enumerate the "flagDB" database and submit a flag as your answer.
I already found the password for the mssqlsvc user, but can't use it to do anything

Edit: SMB user/pass isn't required I don't think. Let me know if i'm stupid/wrong

@solar granite can u dm me

Regardless, this Workstation "Inlanefreight decided to give me" is fucking annoying. I hope this isn't what it's like in real engagements...

everything is broken/outdated + no internet connection... fml.

• 644x480 screen resolution.

I don't need display at this point, i'm just bitching/complaining

hello,
Pivoting proxy and portforwarding.

proxychains nmap -v -sn 172.16.5.1-200 does nothing but give me host down for everything.

My attack host is listening on the correct port. proxychains.conf is setup....

Whats wrong?

it just worked... what the fffffffffffffffff

I spent an entire day @ my work trying this lmao... sorry for taking chat hostage, i'll shut up now.

We need more info than that to help. Which section? How are you listening, etc

Hi guys, I need a 16 GB RAM chip, can you suggest any good one?

Go with Crucial

https://academy.hackthebox.com/module/158/section/1426
last question.

Screenies.

Ah, you can't use -sn. Only full TCP connections are allowed with proxychains

also the ip is in the question so you don't need to look for it

You also don't need to find hosts, you are given the address of the host in question

i know i dont need to look for it. but i couldnt get the same output..... if i hit something i cant replicate then i stop moving forward until i can.

-sn removed. same result. all down.....
Its not forwarding correctly.

SHould i just skip as suggested?

As I said, only full TCP connections can go through proxychains

just for a sanity check try re-try that command but change the range to a few ip before the actual target

A ping is not a TCP connection

Pings are ICMP and they don't go past proxychains

oh yea i forgot i don't think you can use a ping scan with proxychains

then why is it an example in the module if i cannot replicate it.....

ill just continue.. i guess.

but just for sure try changing range to something like 172.16.5.18-20

i changed it to 1-20. same result.

still no hit?

From the page you linked:
This part of packing all your Nmap data using proxychains and forwarding it to a remote server is called SOCKS tunneling. One more important note to remember here is that we can only perform a full TCP connect scan over proxychains.

Can you please stop trying to ping scan. It's not going to work regardless of which hosts you are trying to ping

i just give it a try and yep without the ping tag the nmap scan work fine

it should be working for me then. i dunno why i cant replicate.. weird.

No blackfriday ?

@solar granite @vital adder so i figured out why it wasnt working.

proxychains dont like running as root..... or at least not for me. So i ran as my normal user for shits/giggles and it started reporting back info.

thank you both for the help though.

might help: https://0xdf.gitlab.io/2020/09/03/htb-mantis.html#shell-as-system

Hey could i get a small hint on hard password cracking lab ? I found the encrypted vhd on the share folder but cracking this thing would take ages.. Also I cant mount it in windows because it requires admin privs so instead i mounted it in my VM. John gave me a guess after like 10 minutes of waiting (~1% pw tryed then) with ||123456789! || but that was not correct.

Have some issues with
Linux Fundamentals: Filter contents
Task: Use Curl to obtain the source code of www.inlanefreight.com and filter all unique paths of that domain. Submit the number of paths as the answer.

All this stuff is going straight over me now, I've managed to grep the individual links and listed them, but I'm always getting the numbers wrong.

I've managed to curl and grep the individual links, but even counting them manually doesn't work.
|| I believe one path is duplicated? I have the answer now ||

Uhm are u sure its inlanefreight.com and not inlanefreight.htb?

Yes

I really dislike filtering stuff

pipe it untill u make it 😄

I still didn't really understand much of the code, it's just putting in flags and stuff until it works

did not do the module so i dont rly know what to do there

¯_(ツ)_/¯

I did after the Getting started one, I only did it to get a better grasp but I left more confused ahaha

😄

Hey guys!

At PTH, connected to the Rdp and opened mimikatz but forgot how to extract hashes, any suggestions?

At password attacks

@twin gulch use sekurlsa::logonPasswords full

Thanks

No problem

Could use some help with Live Engagement in shells and payloads module if anyone is free

I am stumped at the very start of: AD Enumeration & Attacks - Skills Assessment Part I - I'm given a password-protected web shell to start but I don't know what to do with that. Any hint would be greatly appreciated.

Good morning everyone ✨✨✨

Good luck on those academy modules 🔥🔥🔥

https://chng.it/z5Rqd4VSfB

Petition to get MR Tom a PS5

jesus christ pls don't

Lol

Every single exercise in the module has started with ssh or xfreerdp to an attack host...what am I missing ??

working on the last question of the Skills Assessment for Cracking Passwords With Hashcat. i have the hash i need to crack, but i was really tired so i used a big rule and let hashcat run overnight. it wasn't able to crack it... can someone point me in the right direction?

oh for that you can just use ||rockyou wordlist|| and without rule also you don't need to crack ||100%|| of the hash

eeeeaaa did i check and see if i already cracked it

lol

i'm supposed to submit the password that appears 5 times right?

even though i only see one that appears 6 times

you need to submit the password that repeat the most time, i don't have to number in my note but i'm pretty sure it's not 5 or 6 time

i did that but it wasn't the right answer though

i think the right one repeat something like 20 time maybe but i'm going off memory

oh wait

maybe using grep the correct way will work

holy shit

i'm a fucking genius

nice

thanks for the help

genius

For attacking common services - email attacks, I have found the email and password, but how do I login? I tried ||AUTH LOGIN|| and then supplying ||base64 encoded email and password||, but I get the following error on port 25: 535 Authentication failed. Restarting authentication process.

https://tenor.com/view/think-about-it-use-your-brain-use-the-brain-think-brain-gif-7914082