I'm not seeing a question that's asking or requiring that tbh
I have already sent him the answer. This question should not stop him from taking the exam.
But if you're having issues: is it by chance with paydiant.com
exactly 😛 , will try what you recommended 👍🏻
@fathom pendant Maybe you thought it's the footprinting module 😛
I need a longer nap
☕ mate
either monster energy or red bull coffee never work
2x of dark roast > energy drinks
My body literally is unaffected by caffeine
I can down a can of monster and still sleep
that is both a blessing and a curse
Drink a vietnamese coffee. This is guaranteed to help and is super tasty
or from a caffeine addicted guy named networkchuck
Have you ever ordered coffee from him? Is it good?
Wanted to ask the same
I think I did but it was a while ago, and I would say it's medium, not that good but not bad at all
Hi, currently I'm doing the Public exploits section (in the Getting Started module) where I have to use msfconsole with the /windows/smb/ms17_010_psexec exploit.
When I do only the things the site tells me to do (set RHOSTS and LHOST) I get an error, and when I set the port number as well, I get a different error (both can be seen in the screenshot). What am I missing here?
alright my workaround to make crackmapexec work is to install poetry and use it through that 😛
idk what happened with the install that comes with parrotos sec
That's because I don't think EternalBlue (ms17_010) is the exploit here, did you enumerate the target spawned to verify that's what you should be using?
I did everything according to the website
Hint: this is a web server; not a host machine
The eternal blue sploit is just an example
Perhaps you should visit that IP in a browser ;) that will help you find the actual exploit
Step 1 of any attack: enumerate/find info
That's clear, I just wanted to replicate the example in my vm
You can't
Eternalblue is specifically an exploit targeting SMB (port 445)
you can use info to get a description of the module you currently have selected
^
I'm stuck at the SSRF Exploitation Example module. When I try to follow the SSRF exploit I get no response back even though I have my nc listener on port 8080:
Is that the IP of the spawned target?
the first ip, yes
Are you able to ping it to verify its up?
let me check
hello guys, someone already did the Login brute forcing module ?
Don't ask to ask, just ask your question
ahhhhhh im dumb. somehow it always crashes???
oh ok, I used hydra for username and password and idk why but it doesn't work
If I generate a public key from an OpenSSH private key with "ssh-keygen -y -f <file> > whatever.pub" and then try to use it with ssh login, I get: Load key "whatever.pub": error in libcrypto. What's wrong with my public key? I set 600 permissions on it.
not now, it crashed somehow
let me respawn it
I am stuck again, somebody help? What user account on the Domain Controller has many Event ID (4625) logon failures generated in rapid succession, which is indicative of a password brute forcing attack? Flag is the name of the user account.
I tried everything
someone help
this is the last thing i tried
wevtutil qe Security /c:30 /rd:true /f:text /q:"Event[System[(EventID=4625)]]" | findstr /i "time provider status code user"
Module?
sry
if you can't find it on the machine you're on, maybe it's on another machine..?
INTRODUCTION TO WINDOWS COMMAND LINE
Footprinting Lab Hard
You can't just arbitrarily use your own key to ssh into something
Hint: look at the type of server it is and start there
Could I sanity check something from you in DM?
If it's about what the "public string" is remember there's a tool to help find that
onesixtyone
Nooo, I think Im past that already
I don't understand your answer, I am already on the user10'th machine
Yeap, I got the string and got the first set of credentials and that lead me to this point :D
Well look at the other type of server it is then
That I did. Thats where I got the private key
Why do you need the private key????
Like ask why first
But also maybe a look at some history may serve you well
FFFFFFF, sorry., sorry, sorry.
in the login brute forcing module in "skills assessment - web"
Maybe a list of all the files you land in can help
Yeah, Im just blind / confused. Nvm. I have everything I need for next step. Sorry about that
Lol all good, that's why I was like "why are you overcomplicating this lmfao"
/starthere
anyone that has completed the Attacking Common Services module? I'm on the SMB section atm and can't find jason's pw. Tried using crackmapexec to bruteforce it with the list provided and didn't find anything. Can anyone give me a nudge?
who knows why i have this results ?
Haven't done that yet, be patient and someone may have the answer, in the meantime try and look for other things i.e. is there a hint it gives you that may narrow your results
i'm implying that the answer you're looking for might be on another machine
Are you on the domain controller (DC01) do a whoami command to find out
ok thanks
okay maybe I need to do that but which one
You used || pws.list ||? I did it with Metasploit back then, but it should work with CME as well
read what marcie told you
i have tried with that and username jason. do i need to specify the share i found i can read?
not really, no
i dont get it iam on the 10 machine i think
can i pm you the command im using?
sure
shells & payloads skill assessment freerdp dies instantly
pretty much 30s -1m after logging in i can't use it anymore
this is not the server name? 
^^ skill assessment of information gathering - web edition
save the request with Burp and use it along with -T (searching for the flag)
no, look closely at the output
Hehe was a bit to quick. Thnx 🙂
"The Live engagement is literally unusable... xfreerdp on the jump box dies instantly
by the time i launch msfvenom it dies
and I have to wait like 5 minutes for it to respawn
and try again
can any admins take a look
and the bottom right help thing is completely invisible to me, I have no clue why, this is so frustrating
soo frustrating..
Try Remmina
Try removing the \ before the !
I am working on the Responder box where I have to use the Responder utility, but I get an error when I try to run it. Installing the 'missing package' hasn't been successful so far
Verify your htb account in #bot-commands and ask in #boxes
finished a box... but had to use a hint for the first time :(, doesn't feel like I Really earned it even though I spent like 3-4 hours trying to figure out what to exploit
hello
Pivoting Remote/Reverse Port Forwarding with SSH
This was the given code.
ssh -R <InternalIPofPivotHost>:8080:0.0.0.0:8000 ubuntu@<ipAddressofTarget> -vN
Would the internalIPofPivothost be the ip given to us here?
Or is it the IP address that connects to the windows target? the one thats the answer for Question one....
IPADDRESSofTARGET? Same...
I'm confused so i want to make sure i am doing this right.
No. The internal IP is the one that connects the machine to the internal network
So in this image, you used the correct IP for the first part, but for the second part, you need to be using an IP you can access from your attack machine (the 10.129.x.x address)
So the ip for question 1?
oh
Soooo the ip that it gives me?
Idk what the questions are. I'm in the car stuck in traffic lol
in the picture above. That's the linux pivot ip
Well, in order to understand you need to break down the command. -R specifies to create a reverse port forward. You specify that with the format <Internal IP>:<PORT>:<External IP>:<PORT>. The internal IP is the IP that's on the internal network that you want to access. The port can be whatever. The external IP is the IP of the machine that you can ALREADY access. In this case it's 0.0.0.0 which means all interfaces on the target will be used.
Then you need to specify your ssh login. The format for that is the same as any ssh command. <user>@<External IP>. The external IP is the one you can access from your attack machine (here you need the actual ip not 0.0.0.0)
I hope that makes sense
@hazy grotto
can someone please send me an RDP link
I It looked like everything was working but no meterpreter shell appeared.
I was prompted for a password for ubuntu pivot server.
Hello, I am new here
Hope I am welcome
Your profile doesn't look sus at all.
You have nothing to do with my profile okay
I have just finished the file upload skills assessment and am now looking into the web servers configurations.
Can someone point me ||to the file where the (reverse) double extension (e.g., .php.jpg) misconfiguration|| may appear?
hi
Yes
Oh I am in the Pentester job role path
not sure on that one
Please who can teach me here
Okay
might try community help
Don that no one replied am tried
Read the rules. We don't do malicious things here and that sounds very malicious. Stop asking
What is the name of the accessible share on the target? can someone hint me in the right direction
@novel matrix
I am stuck in SMB Module
module -> footprinting/DNS. For the "What is the FQDN of the host where the last octet ends with "x.x.x.203"?" question, I used dnsenum with all the txt pages in the SecLists/Discovery/DNS directory and still didn't see any IP with the "203" octet. Any ideas?
Subdomains of subdomains
Am I in trouble
No the ping wasn't about you
oh ok
And why do you want to know?
What is the name of the accessible share on the target? can someone hint this in the SMB module
Anyone done "Pass The Ticket in Windows" in Password Attacks? I'm trying to RDP to the host with the provided credentials, and it keeps coming back with Logon Failure.
Ah nevermind, enclose the password in single quotes.
Hi! I’m in Linux Fundamentals in Page 10 “Navigator” at second question for index number on sudoers
With the command ls -i sudoers I see number 964110
But it’s wrong
By htb
can anyone dm me about password mutations in the password cracking module?
What about
nvm got it
i found some hints that will lower the time
idk how it hasn't gotten an update
@novel matrix You going to kick that obvious scammer?
Hi!
I'm having a bit of a problem with the public exploits part of the "getting started" module. I don't understand how I can exploit the server, I can't find any vulnerabilities that I can use on the Apache server and I am just completely lost on what I should do. Could someone help me? Thanks
In Attacking Common Services - Lab Hard I've got some questions about my bruteforcing results if anyone has a minute?
If you're still stuck, check out the ||themes tab|| and tinker around
If it helps read this too https://www.hackingarticles.in/wordpress-reverse-shell/
View the webpage; it tells you explicitly what plugin to attack
Hey can I dm? I have a couple questions
No I'm not at my computer to check anything
Alright then...
hey would anyone be able to assist in Information Gathering - Web Edition, Active Infrastructure Identification? I'm having issues reaching the 2 addresses listed
you added the vhosts?
yes
IP app.inlanefreight.local
IP dev.inlanefreight.local to /etc/hosts
no i didnt. but ill do that. thanks
Not VPN: the IP they give you
please i need help in C programming
For the target
yup my bad
right i understand that
it just didn't say in the module that those needed to be added. my B
#bot-commands verify your hackthebox account and post your question in #programming or ask your question in #1024429874246590575
thanks
thanks @fathom pendant and @honest ridge
So I am working on File Upload Attacks (Client-Side Validation). When I inspect the page and take out the validation, it still tells me I can only upload images. Even if I take out the file types, or add .php, I still get the same message. I am not sure what I am doing wrong, but I can't get it to let me upload a shell I can access.
someone who finished Linux buffer overflow could help me?
could use assistance in the active subdomain enumeration. Is there something I'm supposed to add when searching for the given name server? Any time I use nslookup or other tools with the given IP I get a communication error and then "server can't find <address>"
or dig tools*
^^ I'm having issues as well.
if someone could dm me or jump in a disc channel to help explain some things would be super helpful
im just going to skip that section for now. its like the only thing i can do is ping the IP address and visit the apache page
I get the gist of it but not enough to do much. just waiting for help while reading through it. ill message you later if i figure it
sure same here. and yea i get it too but when there is nothing but communication errors im not sure what i can do at this time.
Use the plaintext switch to encrypt the forge cookie
hi I need help with the second to last section of AD module
its not giving me permission to add the user which doesn't make any sense
Please read the rules.
hi nevermind I am figuring it out fine
I'm having trouble with the second to last module but a different section
You can specify ns in the dig command dig ns <ip/website>
i was doing that and got communication errors as well as nothing in response
same with nslookup -type=ns
And you're on the VPN?
yes. using the udp connection
when i went to the next section i was able to start grabbing flags
Give me an hour I'll be back at my computer to sanity check
hey guys, in the Passwd, Shadow & Opasswd section of the Password Attacks module, are we supposed to complete the question as we learned from the section? Because whenever I try to get /etc/shadow, it needs root permission in order to copy it, but the files could be found elsewhere on the system (not saying where, to avoid spoilers)?
And you've tried the nslookup with both the IP and the domain name? nslookup -type=NS {IP}
yes
no matter which command i used in whatever way i just got a communication error. thought it was a vpn issue too but i can grab header flags in the next section with no problem
Ok 
@analog tendon im on "Find and submit the contents of the TXT record as the answer." you sus that one?
figured it'd be easy with just dig txt @ url/ip
guess not. lol
no, I went to the next section because I couldn't get any tool to make a connection.
did you add inlanefreight.htb to your /etc/hosts
i did this time lol. first thing i did
almost finished with Active Directory Module
lol this is great
I love this stuff
on very last section of module and still haven't figured it out
once I finish AD I'm gonna go onto the next thing which probably is bash scripting and windows command line
lol
I like how HTB Modules can be used as prerequisites to get to HTB Main Platform boxes
and how there is a system to match HTB Modules with HTB Main Platform boxes
that's what I'm gonna spend my time on
lol
can I dm?
sure
Sorry for OffTopic, Is it possible for us to have a white mode theme of Academy instead of always black one...
wanting white mode
but in all seriousness that's more of something you may squeak by asking in #1024429874246590575 or something
I'll ask there, sorry for disturbing. I'm asking here because I guess there might not be official ones in #1024429874246590575
either way; like you said OffTopic; and possibly even able to be asked in #general as that's also an offtopic channel :^)
That's why; remove it from your /etc/hosts and do the nslookup command with the nslookup -type=NS inlanefreight.htb $IP
thats funny that you messaged. i did all that bout 10 seconds ago and got it
Same for you too; if you're having the error cannot find ... in-addr.arpa: NXDOMAIN
@honest ridge also it's not on the main domain; the txt record is on a subdomain :)
yeah, just not sure what I'm meant to do. Been over it and read it again but I'm just blocked
there may be other zones you can transfer to
doable with the nslookup as well
though if you're searching for txt records you'd do -query=txt
isn't it the same thing with dig? I've done dig axfr inlanefreight.htb ip, then it does its thing. Then I'm blank on the next step. Been at it for hours, still no idea
so if you've done the dig; you should see a list of the different subdomains yeah?
yeah
then try query txt against them. altho it was manly not sure how to put all in file then run dig txt against each
manual*
you'd need to first basically strip the dig output to JUST the subdomains
that requires some extra knowledge of commands ; but you can start with dig ... | grep -v ";" | cut -f1 | sort -u
each pipe basically ripping out different parts
from that you may be able to do a for loop
if you know how to use sed you can further cut that list down
i really dont know much about txt manipulation
grep -v does an inverse search for what you input (the ";" is used as a comment character), cut takes the output and -f1 says only show the first field, sort -u just sorts by unique so it takes care of any weird dupes
do they really want us to count all these subdomains up? there are a lot
mmmm confusing. might have to find a tutorial on it
yes there is; but what question are you on? identify the number of zones?
yea. after getting that one thing straightened out i was able to fly through getting zone transfer records. i was able to get the TXT file. did @honest ridge figure that out or is that what you all are working on?
still trying 😂
i mean there is a manual way to check; hint look at the ip address of some of the A records
i got the number. i just copy pasted all the records into a numbered text editor and then divided by 2
for the zones; here's a hint - what type of record defines zones?
i mean
that works ig
¯\_(ツ)_/¯
lol
if you know how to filter results it's super easy
grep, cut, sed are all powerful tools
yea but I'm tired and I didn't want to play with the syntax. but perhaps next time
maybe I'm just so spent and can't think. is there any site you recommend to learn?
yes. hackthebox.com 😉
just look up the man pages or google "how to do x"
for instance how do I show the opposite result of a grep command
first result on google
you can get pretty far if you google
because 9 times out of 10 your question has been asked
:)
been googling all day but think I'm just whacked out for today. I got the answer after manually doing it, which would get pretty shit after a while. Really do need to get better at grep/cut etc
if you're wondering the pipe | just says "take the standard output of this command, and use it as the standard input of the next command"
yeah, thats about the only thing i know lol
regex is a useful thing to keep in mind
as it can substitute a LOT
yeah, its overwhelming
that's why i posted the cheatsheet for regex :)
cheers, completed this module, altho ima have to go back over it at some stage as I clearly have a lot to learn and be more proficient at
cheers @fathom pendant
run this :) it will tell you all your loopback, eth0,tun0, etc. ip a | grep "[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*/[0-9]*"
@faint rampart @fathom pendant Thank you for your help!
Not the appropriate question for this channel unless it is module related.
hi guys, can someone help me please with the module ATTACKING COMMON SERVICES - Attacking DNS? I tried all kinds of enumeration (fierce, subfinder, subbrute) but there is nothing, even I tried gobuster and found 4 subdomains (ns, control, helpdesk, NS) but none have the flag. Edit (Solved): finally I got it, for whoever is stuck in this section, my hint is: don't add the spawned target IP to /etc/hosts, use subbrute and any query with dig, do it with @<Target ip spawned>. Regards
Hi there, for the IMAP/POP3 section of the Footprinting module. I am trying to obtain the admin email address, I have gotten it from one of the commands they used within the resource but it won't accept it?
got it
any hint for module 57 section 516?..
been trying for hours with no success... 😦
<?php
// File inclusion example from the module: the "page" parameter is only
// checked for ".." and then gets ".php" appended before include().
if (!isset($_GET['page'])) {
    include "main.php";
} else {
    $page = $_GET['page'];
    if (strpos($page, "..") !== false) {
        include "error.php";
    } else {
        include $page . ".php";
    }
}
?>
Hello everyone, I'm stuck here, I tried to bypass the extension using empty bytes but I couldn't. Is there anyone who can help?
Is one supposed to use the LinPEAS script to do the privilege escalation part of "Getting Started"?
I have gotten access to user2 but I'm not sure how to get root
I can't write to root's SSH keys, I have not been able to run a kernel exploit (although I found one), I'm not sure what else I can do
What is kernel version ?
5.10.0
Unlucky
It is vulnerable to DirtyPipe but I haven't been able to get any of the scripts I found to run successfully
If it were 4.15 you could use PwnKit
And Metasploit seems to need a meterpreter session first to run its script but I don't have it
Thank you for being willing to help
Hello, is it possible to do all modules as a free user? Or must I buy cubes?
You get cubes for completing modules so those are probably enough
Yes, but i must spend some to buy module. Example module is for 500 and i can earn 200 if completed
So im -300
Oh I see
Well, I'm very new to this, so I can't answer that
And in fact I'm kind of lost right now as well
only tier 0
Ok thx
Is there any kind of walkthrough for people who are lost? The hint just tells me to not forget to chmod but I assume it's talking about SSH keys, I can't use the keys, I can't write to root's keys file
@past grove what is the problem
Did you download the key @past grove but can’t open it ?
I am in the privilege escalation part of "getting started", I have gained access to user2 but I am not sure how to get the root user, the hint and the stuff in the computer lead me to believe I should plant an SSH key but I can't modify root's authorized_keys so I am not sure what to do
I have found that the computer's kernel (5.10.0) is vulnerable to the dirty pipe exploit, but I haven't been able to run a script for it
I am not sure if I remember correctly, but I think that's the module where you log in as user2, and there is a file id_rsa you can download
I think thats the whole case of that module, that you can use other options to authenticate via ssh
Module Password-Attacks, section Protected-Archives: i am unable to crack Kira's file Notes.zip. I tried Hashcat (all zip formats), John with the provided password list, rockyou, etc. Nothing works. Any hint?
Edit: got it (use custom.rule)
hey all, I'm trying to understand some code I just wrote lol, I don't want to be a script kiddie.. so pretty much I need to obtain the source code of this website and filter all unique paths of that domain.. I have done that but I do not understand the whole code, I get most of it but some is still a little hard for me to understand.
the output is not a code
and what you are executing is a set of commands in certain order
I have just finished the file upload skills assessment and am now looking into the web server configurations and trying to find where it would be fixed.
Can someone point me ||to the file where the (reverse) double extension (e.g., .php.jpg) misconfiguration|| may appear?
For the "Shells and Payloads" final skills assessment (pentester path), how are we supposed to get a browser to reach the targets? The foothold PC doesn't have Firefox and the other browsers don't seem to work. Haven't figured out how to get the Pwnbox browser to reach the target IPs either
I am new, please help me*
i literally just joined hackthebox
idk how to hack
and idk any codes
or coding languages
Rule No 1 of any dev : If the code works do not touch it lol
Lets climb that mountain bro
Any tips for the easy lab in Password Attacks? I tried to brute force both ssh and ftp, with the provided username, password list, the mutated version with the custom rule, rockyou, etc. Nada, nothing. Ugh.
hey everyone, I'm on the MSSQL section of Attacking Common Services. I just need a nudge on the first question. Nevermind, I got the next step
Should I buy VIP on hackthebox.com or is there other websites I can learn hacking and programming?
Hello i am stuck at Automated Scanning
https://academy.hackthebox.com/module/23/section/1494
I managed to scan for a parameter and I am able to read /etc/passwd
But nothing else seems to work, no log poisoning, there is no session cookie
PHP wrappers are not working
There is no image upload so i can remote hack it
I am stuck, stuck, stuck
Hello, I'm currently unable to successfully run the loader.py script from module 85 section 905:
#!/usr/bin/python3
# loader.py as given in the module: takes hex-encoded shellcode as the first
# argument, lets pwntools build it into an ELF and runs it interactively
import sys
from pwn import *

context(os="linux", arch="amd64", log_level="error")
run_shellcode(unhex(sys.argv[1])).interactive()
When executing the command:
python3 loader.py '4831db66bb79215348bb422041636164656d5348bb48656c6c6f204854534889e64831c0b0014831ff40b7014831d2b2120f054831c0043c4030ff0f05'
I get the following error:
pwnlib.exception.PwnlibException: There was an error running ['/usr/bin/x86_64-linux-gnu-ld', '--oformat=elf64-x86-64', '-EL', '-z', 'execstack', '-o', '/tmp/pwn-asm-d5l4ohgp/step3-elf', '/tmp/pwn-asm-d5l4ohgp/step2-obj']:
It had this on stdout:
/usr/bin/x86_64-linux-gnu-ld: warning: /tmp/pwn-asm-d5l4ohgp/step3-elf has a LOAD segment with RWX permissions
Anybody know what to do from here?
the fuzzing of the ffuf section suddenly seems to go really slow 😦
Got the flag ! I was being a bit stupid
You can't reach the targets from pwnbox, try typing in firefox in the remote systems terminal
It helps more if you give the actual name and section rather than numbers
@fathom pendant - Shellcodes
Thanks I will give this a shot when I get back on it later
Anyone i can dm for "information gathering - web edition, active subdomain enumeration section" question 2?
Just ask the question
records are not zones.
No; hint, what type of record holds the number of zones and zone information
Also your screenshot shows IPs which are used to answer other questions
so close.
mb
Either way, your output has the answer if you look closely.
(not the ss you shared)
Yeah that tends to help answer questions:)
?
PS C:\htb> Get-Service | ? {$_.Status -eq "Running"} | select -First 2 |fl
sorry what is {$_.Status -eq
Is it the same grep ?
what do you mean by that
did you reset the vpn connection?
ok. what are you trying to do to reach it? how much time is left on target?
actually, when i was doing the log poisoning section of the file inclusion module, whenever i put <?php system($_GET["cmd"]); ?> as the user agent header, the target machine completely died and resetting the machine didn't help... i needed to reset the machine until i got an entirely different IP for the site to display on my browser
can someone help me with the module Network Enumeration with Nmap, section Firewall and IDS/IPS Evasion - Medium Lab? I was able to scan the network using the evasion techniques and scanned the DNS port and I got a version but it's not correct. Am I just looking at the wrong port?
edit: the problem was that i was using the tcp vpn option, switching it to udp worked and now i got the flag
Hello, I can't start openvpn, it says "Unrecognized option or missing extra parameters(s) in (name file.ovpn):12: data-ciphers-fallback"
I am using VirtualBox Ubuntu 20.04.5
what's the command you're putting in?
sudo openvpn filename (terminal in the directory with the file)
.
try redownloading the file. I would download one of each (tcp, udp) and rename them so you know which is which and then attempt to connect with one or the other.
see if they both give you an error or if only one connects
Kali or parrot will have a lot of the tools you’ll need already installed for you and make things a lot easier if you are a beginner
Hi team, I don't really understand the question of the Skills Assessment - Web Fuzzing module: "Before you run your page fuzzing scan, you should first run an extension fuzzing scan. What are the different extensions accepted by the domains?" I know how to add extensions with -e or add wordlists with -w but not really how to run extension fuzzing. Can somebody help me?
unfortunately no
there will be some of the HTB machines that you use to learn with in the academy though
okay one second
Not necessarily; they recommend htb machines to further practice what you learn, but they are mostly retired machines
well yea they are retired. but still htb machines available if you have the VIP which i may grab here in the next month or so
Rank is earned on active machines/challenges; if your rank increases on completing academy content it's basically pay to win at that point, gating people that don't have the means to pay
Lol that's the student discount: not everyone has a student email
if you're a student sure
I tried everything, doesn't work.
Yes : and completing courses does not equate to actually learning a skill
msg me a screenshot
You can put the cert on your resume once you obtain it. The htb rank gating is mostly to filter out people who are inactive
If you can afford it
vip gives you access to a bunch of retired boxes; and retired boxes tend to have writeups and walk-throughs ¯\_(ツ)_/¯
Well writeups are a good tool to learn too; how readable is the write-up , how can you use some of the formatting in your own writeup as cpts requires a write-up alongside pwning the systems
Also it doesn't hurt to see if there's a way to do it faster
Improve your own methodology and such
check Attacking Web Applications with Ffuf - Page Fuzzing
yes but which part? I don't find anything interesting that answers this question
there is a part where it explains how to do extension fuzzing.
hey there, I'm looking for pen testers for the new project, if someone is interested dm me
or how about a mod like @winged hedge removes both yall
hi guys, need some tips on the DOCUMENTATION & REPORTING - Skills Assessment module
im kinda stuck on that 1st question
there's a lot of stuff in there and I tried some things but with no great results so far
Firewall and IDS/IPS Evasion - Medium Lab - I keep getting ||TXT CHAOS? version.bind.in tcpdump|| and version ||NLnet Labs NSD|| but my version isn't accepted as the answer. Anyone feel like helping? I am stuck. I also get this (||Probe DNSVersionBindReq matched with DNSVersionBindReq line 12571): 10.129.37.80:53 is domain. Version: |NLnet Labs NSD|||||
The first question is basically "Do the whole pentest" and the notes left for you give you some tips on what steps you can take
You're expected to rely on skills from the whole entire coursework for it
thanks, yeah I tried some stuff like gaining a shell on tomcat, or cracking some hashes inside the htb-academy folder on the desktop and found a lot of passwords here and there, also got access to the SMB shares but all empty folders, got a connection on a DEV01 host but nothing interesting again, I'm surely missing something stupid hahah
@sly mantle I removed your message.
hey guys, I am 100% stuck, can anyone help me?
I am on the Footprinting easy challenge lab in HTB Academy. I have spent 2 days on this and I am just completely stuck. I talked with someone who has solved it and he ran this command using hashcat:
hashcat -m 7300 crackme.txt SecLists\Passwords\Leaked-Databases\rockyou.txt -a 3
- Using -a 3 without any pattern makes no sense(?) - I used:
hashcat -m 7300 crackme.txt SecLists\Passwords\Leaked-Databases\rockyouv2.txt -a 0
and the hash is not cracked. - I also tried:
hashcat -m 7300 crackme.txt SecLists\Passwords\Leaked-Databases\rockyouv2.txt -a 3 -o cracked.txt
and that did not work either (I ran it for a long time and got no cracked hash in cracked.txt)
I ran the -a 3 attack for about 40min on a 3080
can someone help me fix this so I can go on to the next challenge? I have also tried this command:
hashcat -m 7300 crackme.txt -a 3 ?1?1?1?1?1?1?1?1 -1 ?d?u
no success
@winged hedge nice to meet you. why did you remove?
If user input is not handled carefully, it could be interpreted as a comment. Use a comment to login as admin without knowing the password. What is the first word on the webpage returned?
isnt the answer should be like administrator'--?
well sadly I can't help with specifics yet as I'm planning on starting the assessment myself tonight. But it might be worth tackling it from a black box perspective as well, as there are definitely gaps in the findings. Treat it like the AD skill assessments that have a dash more web stuff.
can someone help me with this :/
yeah I'm gonna try again in a few hours, my mind is exhausted haha, been doing the academy the whole day, good luck with the assessment!
Yeah this one definitely strikes me as a longer assessment, especially if you're actually making the report like you're supposed to; it warns about needing to reset the lab and saving your work. Def don't expect yourself to clear it in one day.
It's really weird, other people are cracking it using rockyou, but it does not work on my end? Is there something wrong with the lab? the hash is loaded by hashcat with no issue
haha i honestly skipped the part of those reporting exercises cuz i already have my strategy for taking notes 
:/ need some help anyone? knows the answer?
Well it's less about notes and more about the report, but if you already have experience making reports then more power to ya
patience, less than 6 minutes since you've asked and you never even said which module you're working on
really sorry, new to this platform, working on appointment level1
never heard of that module
on the starting point TIER 1 machines : machine name 'appointment'
It's an SQL task, you need to inject a comment after giving the username
This is a great resource: https://portswigger.net/web-security/sql-injection
yeah have done all the sqli labs from this
but doesn't ring any bells thats why
in those labs it's like union select, then the command follows
and to enter as admin we simply modify the request by administrator'--
Shouldn't the question be in boxes rather than modules?
Go to the page, the "Retrieving hidden data" part should show you how to
or in starting-point?
yeah, that should work, right?
Maybe you need to do # instead of -- depending on what DBMS they use
need to share a pic, the flag in that hint is way too big
not even administrator fits on it
if you dont mind can i dm you?
I am confused, are you guessing the flag?
the flag is: What is the first word on the webpage returned? so, the first word returned after you log in as admin
Try using Admin as the username, instead of administrator
admin*
can i dm you ':)
sure
Hello, I'm struggling with the "Attacking GitLab" module. I downloaded the GitLab User Enumeration Script but I always get different errors when running the script (locally and on Pwnbox)
any Hints?
this is the wrong channel then, you need the #starting-point channel
Oh damn it has been a long time since I did that section
Gimme a sec to think what I did
I remember the script was acting weird
Which is stupid.
I think I used 49821.sh from searchsploit
hey sorry, had to work.. so what I really wanted to know was why this is happening, so for cut my -d is " ' " on file 2 and again ' " ' on file 2, why does that need to be put in.. why can I not just do something like //// cat hacker.txt | grep "http link " and forget tr and cut
I also get this ||HTB984NIFN97CBO783QBNJCPAS984UIN|| but it won't accept the flag with {} around it. Am I doing something wrong?
ey madf0x, can you take a look at my question about hashcat? I don't understand why It does not work and I have been stuck for 2 days because I can't crack the hash using rockyou, which other people have done to solve the task
really? lol come on tF lol
yeah, i did this already
but thanks
on what
anyone did web attacks skill assessment?
unfortunately I have no notes on that module and its been ages. Id have to go back and check it out again
iirc that easy lab was actually the hardest of the three labs
why does this happen
yeah it's just frustrating to sit with a hash that I can't crack... like I just wanna move on, I am not learning anything from not being able to crack it with rockyou, like my friend has been able to do
I dont actually remember a hash needing to be cracked for that lab, but that could just be how little I remember it
has anyone done the module Pivoting, Tunneling and Port Forwarding and can remember, in the section Dynamic Port Forwarding with SSH and SOCKS Tunneling, whether we should be able to follow this step at the screenshot? Because no password is provided for the SSH login
@timber hatch the password was provided at the end
ah shit. my bad. thanks!
Firewall and IDS/IPS Evasion - Medium Lab on getting this flag
So far my command is sudo nmap 10.129.37.80 -Pn -sS --disable-arp-ping --packet-trace --source-port 53 -sV -e tun0 and I also ran the same command with -sU and I get a version and some sort of flag but it's not accepted as an answer. Firewall and IDS/IPS Evasion - Medium Lab - I keep getting ||TXT CHAOS? version.bind.in tcpdump|| and version ||NLnet Labs NSD|| but my version isn't accepted as the answer. Anyone feel like helping? I am stuck. I also get this ||(Probe DNSVersionBindReq matched with DNSVersionBindReq line 12571): 10.129.37.80:53 is domain. Version: |NLnet Labs NSD|||||
that's way too advanced for me but sometimes when I put in answers there is a space and it messes everything up
iirc I had to use a non-nmap way to get the version properly
mind if I message you quickly?
At work atm and I dont have notes on that section so wouldnt be very useful to you
ok no worries
other than knowing theres other ways to research doing it
tried ncat, and nc
can anyone explain to me why this would happen
what is the importance of the cut and the tr... what does \n do to the space and why remove ' " ' " ' "
if it makes it easier, the version you get is not a real version format, it'll be in HTB{} flag format
Every time you run the command it adds a newline with
no its counting
hmmm
I'm trying to get the number of unique paths from the source code
I have the flag that says HTBXXXX with all caps no curly braces but i didn't run -sU, running with -sU
dont output to wc and examine with your eyeball what the difference looks like
weird, try putting the curly braces where you'd expect em to be HTB{XXX}
I did it won't accept the answer
you can DM the flag and I can at least say if it looks right or not
oh well, try harder https://www.youtube.com/watch?v=6Aw0yOMBbiY
ok thanks, I sent it
Nm - I got it - had to run the -sU option
nice
quick question on the dns section of attacking common services module - for the question what method would you normally use to find the subdomain of the dns server?
I used subbrute
how do you know what the subdomain for the dns is?
thats the point of subbrute
to find out
can you do subbrute without adding a resolver?
its not magic
No, but you can use the Target as Resolver
so you just use inlanefreight.htb as the resolver?
No, inlanefreight.htb as Domain and the Target IP as resolver
$ cat resolvers.txt
10.129.203.6
how long does it usually take for it to run?
Does HiveMind pop up for you? I can't join the chat support.
is there an off topic channel for chatting?
channels under HTB:offtopic I guess
Sometimes after doing something 200x over and over again trying to get something to work. You wonder..... Is this worth it?
Hey whats the pwnbox bloodhound neo4j server user and password?
#welcome and verify your account
He's only here to chat. Not hack.
I read his profile.
¯\_(ツ)_/¯
I'm at the end of the windows fundamentals module. Not sure how the page would know the answer to the last two questions (SIDs for an account and a group)
I'm just kidding. idk but it appeared so.
they're sequential
oh. time to reset the machine then, haha
PLEASE SOMEONE HELP ME
Pivoting
question two
I can't get metasploit to catch the shell
cheers madf0x, I'm through the module now 🥳
@vital adder Are you available? I feel like you have dealt with my problem already.
how is this not right
I believe you need to start your answer with 41
Spoilers: remove the picture please; but yes if it's asking max, then it's implied that the number you provide is what the question is asking for
sorry about that, I have tried all combos
still keep getting it wrong
Crackmapexec
😱 i had a space lol
sone of
why can't i get rce on any of these webshells on file upload attacks - whitelist filters
Please remove the spoilers.
That's spoil. Sorry.
ignore the fact that i screwed up the php
no.
i'm trying it with every php extension in PayloadsAllTheThings with different payloads
using the bash script to generate each payload
there's no way a reverse shell is going to work but let's just try anyway
Did you actually confirm any valid extensions yet
Personally I used a script generated list of extensions and then used ffuf to brute upload all of them, and then used ffuf again to call ID on each of them and filtered out for ones that returned data
was like 2-3~ of em that worked
looking in burp suite and there are successful file uploads which i run into repeater and navigate to in the browser
but the php is always commented out
not all successful uploads are good payloads
well your posted example has you commenting them out so
how about you roll over and die useless parasite
hmm..
I mean, your payload is just a comment. I'm not really sure what you were expecting
yeah but i'm not commenting the payload
what's the raw payload you're uploading
What payload are you using?
||<?php system($_REQUEST['cmd']); ?>||
Then you're looking in the wrong place
Cuz the image you uploaded is completely different
Not just the comments. This payload uses $_REQUEST, the one in the image doesn't
i ask you ignore the typo
looks sane, might just be looking at uploads that simply don't work
On the Intro To Windows Command Line - Skills Assessment, can someone help me with the 5th question. Where there are lots of directories and files and the flag is one of them.
if the file name is ||shell.pgif%0a.jpg|| or something similar how do i ... type?? it in the browser
just like that
also that doesnt look like one of the valid extensions I remember fwiw
ok just making sure.. the target timed out so i have to wait 30 minutes again
if your list is good, ffuf makes this like a 10minute challenge to pass
I haven't done it myself but usually flags are ||named flag.txt . try dir /? for a start||
yo wsg yall
hello all 🙂 Requesting help for that challenge please: After the configurations are transferred to the system, our client wants to know if it is possible to find out our target's DNS server version. Submit the DNS server version of the target as the answer. Went through the forum already. Tried many firewall bypass combinations but no luck. Tried to go slower, same; tried to spoof, tried proxying, tried ncat... Thx for your help.
Have you tried simple dns enumeration methods
and why would you try to bypass AV on a network enumeration issue?
I meant "Firewall" bypass (tired ;)) Yes, I did try simple enumeration methods. -sS, sV, sC, n, Pn, f .... I tried decoys also and using different source IP and proxying
well if you used decoys and a diff source IP you're never gonna get a response back
not sure what in the environment you could use to proxy either
The section info does tell you what method to use
the hint does not talk to me ||During the meeting, the administrators talked about the host we tested as a publicly accessible server that was not mentioned before.||
yeah that hint is nonsense, that means nothing
so do you mind directing me to the correct flag? spent hours on that one, losing a lot of time I think...
At what point are you stuck?
Sometimes it's best to just do it from pwnbox
For some reason it works better there
Yea I had a problem using the TCP VPN
it would be a lot of wasted time if it was the case 😉 I'd go for -n -sS -Pn
But using the udp one it did work
Still need a -sV option since it's asking for version
yeah that one of course 😉
But tbh this is one of the few that is just a pain even with the right answer
Also think about what things an ids might not look at when a server needs to be publicly accessible
The IDS/IPS thing really doesn't matter here fwiw
Well you have to bypass it to avoid it shutting you down right? Or am I thinking of the wrong section
It's the hard lab that focuses on it more
Oh well, I might have just gotten lucky with the options I tried to avoid the IDS
Reset target repeat command
did it 😦
This is the footprinting module yes? Firewall IDS/IPS evasion medium?
Try a UDP scan
finally got it
Nice
yep, did that, was just expecting a VERSION (as the prompt says), not a flag.........
thx for your quick responses 🙂
Again if it looks like a duck...
The hard lab though focuses a lot more on the IDS/IPS deployment
the hint for Footprinting/SMTP, for enumerating usernames, says "use the Footprinting-wordlist provided as resource". Where is that file? I tried running the ones from SecLists unsuccessfully.
hi guys how are u?
I have a problem but I don't understand the question on the module Introduction to Windows
this one: What is the Build Number of the target workstation?
where can I find that?
google is your friend
what a pain.. here we go again (type filters - file upload attacks)
well it was a lot quicker than the last section
There's a resources button that you can click on it will have all the resources, usually a zip file, you will need to transfer it to your attack machine to use it
oh yeah i forgot about that
maybe i will get around to it
it's that or start chatting about academy modules
oh boy it's skills assessment time. on the academy module file uploads
DM me so I can help you out 🙂
The purpose of running the following commands in nmap: -Pn -n --disable-arp-ping are to reduce the noise of our scans correct? Or can they help obtain information we might not have been able to get without them?
noise and startup time when you already know the box is up
ahh. so if I know the link is active there is no point in doing the scans that those cut out?
Can you restart a lab? Or once you submitted the correct answer will it not let you start again?
did you get out of it? I'm stuck in the same thing as you
Does anybody know how long it takes to crack the password on Password attacks - Passwd, Shadow & Opasswd ??
moron
What's actually your business with me?
read the server rules
Alright
you dont even know where you are
useless trash
this channel is for discussing HTB Academy modules not your useless waste of oxygen
Lol i love how salty you get @thorn urchin 
This is my low level
it's a good reason tho. these dip shits wont shut up
-A includes the scans that would be performed in -sV plus more correct?
i can't find the file i am uploading on file attacks - skill assessment
i have the source code in front of me why can't i find it
<@&861185840277487616> second time hes posting this in here
bro what is happening
I have the same problem… Anyone can help with this?
This. Sorry. Replied to the wrong message
Lmao
Has anyone done, or is doing, the "Firewall and IDS/IPS Evasion - Medium Lab" module? I got the version of dns but I don't think is right
👢
I like how if you squint that dude was technically offering to sell passing module sections lol
Thanks 🙂
np!
I got this ||Version: |NLnet Labs NSD|||||
hi
but it's not right
There should be HTB followed by an alphanumeric string
thats the answer
already found but entering it doesn't work. I can try again with a new target. I will let you know shortly
IE HTB{XXXXXXXXXXXXXXXXXXXXXX}
I am actually going back through this one. I stumbled in to the answer yesterday, but have no idea how I did it
I would suggest using the mutated list ;)
I have this string again, but it doesn't work
Do you have any extra spaces before or after?
do you have an extra space?
nope
Double check, go to the first character and hit backspace a few times
Got it already. Thanks for the tip tho
actually, I'm in the medium module, not hard hahahahahha
so I got hard flag but not the medium hahahhahah
Medium footprinting lab has you looking for the DNS server version
yep
Which is super simple
HAHAHA, ok. theoretically this is the version ||NLnet Labs NSD||
I'll see how I can get out of it
If I am getting the state as filtered, it means I need to get around that to get to the answer?
The module explains how
No, I didnt mean, how do you do it. I mean if I see that, then it should tell me that I have to get around it
sometimes it's weird with boxes as well; if you're having trouble getting the answer from your vm; try using the pwnbox with the same command
hint: there's a scan that checks Versions
also fun fact so you don't have to do -sA -sS -sV... you can combine them like so -sSV, -sSCV, etc
makes life easier
really? that is great to know! thank you
yep
it's similar to if you're using netcat ; nc -lvnp you can do -l -n -v -p {port} if you want
can you combine -Pn -n --disable-arp-ping?
no
the reason that those are able to be combined is because one; it's coded that way - and two they share the prefix -s
it's just something you pick up ¯\_(ツ)_/¯
it's good to have in your notes a bit of info regarding whatever is your most common scan options
also with nmap you can put the IP at the very end
so you can have nmap {options} IP where the nmap {options} part is a copy paste
if you're familiar with creating variables you can take it a step further and export target={targetIP};
nmap {options} $target
lots of neat things really
oh I get it. basically have a notepad of all my different searches. And then when I want to use them, I just copy them and plant the IP at the end so I don't have to backspace to the front?
sanity check for file uploads - skills assessment?
yep also in terminal you can just arrow key; no need to backspace
but you should keep a list of commands in your notes; alongside just general notes of the course
:)
I will start doing that. Thanks again!
I suggest a notetaking application such as Obsidian; some people use cherry tree
but it makes it a lot easier to go back and check a specific section if you're like "oh god how do I upload files again, Oh yeah"
Currently getting rekt on File Inclusion skills assessment. Fuzzing for hours. So many word lists. help.
omg...nevermind...i swear
Hi guys
am new here......how to start on hackthebox.....
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
i'm so done with this module...
I think the key is the type of scan you do
i got the flag
still wont take it?
ahh. gotcha.
obviously the key takeaway from this experience is to not do this during US nightly hours because you will never get the flag that way
the machines definitely seem to slow down at night.
it's not that
hackthebox is based in EU
i'm over in US which screwed everything up because of the timezone difference
ahh gotcha.
hello, could any good soul help me with the buffer overflow Linux module? I've been stuck for 3 days. I get eip 0x66666666, I delete the characters but I don't get the reverse shell. please
I am having such a hard time with the getting started | knowledge check privilege escalation. Anyone mind pointing me in the right direction? I know I have a no passwd for /usr/bin/php. I am just not sure how to exploit that
check gtfobins
but in general if you have root access to a programming language interpreter its gg
essentially I have to figure out how to run a reverse shell command with the php interpreter?
This probably wouldn't take so long if these shells wouldn't work like garbage
yes except why run a reverse shell when you already have shell
dont need to reverse anything
yea these target spawns don't work half the time...
hard to know if it's my own incompetence or their issue..
most of the time it's not the box's fault; though if you're doing the AD stuff, it seems those break fairly often and need resetting
AD?
well so far i've had a target spawn and not return anything from any enumerations
Active Directory
then i have a friend spawn one and it works just fine
what module are you working on?
have you tried resetting your vpn connection/regenning your vpn key? sometimes that can be an issue
now I am, if you still need help, and yep I know what issue you are having: if you are doing this on your machine the pivot route will be 3 jumps and a meterpreter is way too big to go through that; try with a different shell type, and also a shell should always work
the getting started one. I've done a bit of the Linux fundamentals but decided to try this one.
Yeah, i've done all that. Changed the tcp/udp as well
if it's giving you the IP in the form of IP:PORT then it's a web server/docker container and standard enumeration techniques will not apply
weird thing is webservers will load in browser
gobuster seems to work to find the robot.txt
yes
it taught on webserver
weird...would think you could scan a webserver
nope
gobuster/ffuf/etc. work because they do directory enumeration not scanning
they actively try and visit ip:port/page to see if it responds or not
yea issue is sometimes the provided webservers won't even be reached. They just give an error.
it's all relative usually
I've had the issue where I literally used the same enumeration on my target with no success, then used a friends and easily found the flag
¯\_(ツ)_/¯
my target just did no work
nah, vm
ah
succesfully connected to the vpn
and it works sometimes
annoying as hell
thought dude up there was maybe having my same issue
¯\_(ツ)_/¯
so guess i should stop this 8 intensity nmap sV scan that's got 5 hours remaining then huh lmao
yeah
i did get some info from a webserver with a nmap scan before though
because it's not going to yield anything
if the ip is not 10.x.x.x you're generally not gonna get anything out of the nmap scan
This makes me feel very stupid 😡
See I just literally tried doing a gob on friends provided and it worked. Then i used it on my own and no ...
So, I have an unprivileged shell on the system. I see that I need to use php somehow. I went to gtfobins and am looking at the php stuff. I am using sudo php -a to start the interpreter, but none of the commands do anything
what's sudo php -a? 😄
I thought that is how you start a shell? I must be wrong there
DM me the IP:PORT let me see
not the kind of shell you're wanting @thick dove
literally just read the gtfobins php page
what do you mean by start a shell?
you also don't need to start a shell
since you're IN a shell
you just need to break out
in fact there's a section on the gtfobins page that tells you exactly what to do with SUDO
sudo make me a sandwich 👀
lager is not in the sudoers file. This event will be reported
this from an exploit on thm 🤣
oof, gotta hax more
other way around sudo make me a sandwich is ancient
or
make: *** No rule to make target 'me'. Stop.
oh wait nope i remember this wrong it's was sudo-hax-me-a-sandwich
Gah it does turn out that I am an idiot
just type in the commands as they were and forget about the php interpreter
bingo
Thanks for you help
Hello all. In Attacking Common Services - Attacking FTP, the port that is the correct answer to the first question is closed, is that supposed to be the case? How am I supposed to get into it for the purpose of the example?
My shell kept crapping out every 30 seconds. That made it harder
php -r "{command}" is the php syntax for running a command; much like python3 -m runs the module you tell it to
Yeah that makes sense to me now
I don't know why I got it in my head to run the interpreter
all good; part of the learning process :D
Now I can go take a nap. Catch you all tomorrow
here's the takeaway; are you likely to make that same mistake again?
there is a known issue where the right port is closed; if this is your case, try restarting the target machine a few times
Alrighty. After the 7th time I'll ask support what to do.
Can you tell me what you have done so far?
Nope!
oh neat, documentation and reporting has at least one thing that ought to be a finding thats not listed.
Hey, I have got caught up in the footprinting easy lab. I have logged in as ceil via SSH but can't find flag.txt. I have looked at the viminfo file to search the vim history and details regarding the flag.txt file
maybe {user} isn't who has access to the flag ;)
dig around to see
lateral movement may be required
So like for documentation and reporting, if the first thing you do pops a domain admin, like is that just what you put down for your attack path 🤔
no, I mean literally the first thing I sat down to do popped two domain admins for the skill assessment
I suppose still need to test that they actually work and that some tooling is not lying to me
popped == I have cleartext password for
ah
the attack path would be
using tool: x - i was able to retrieve y, and verified manually that y is indeed correct
can anyone help me with INFORMATION GATHERING - WEB EDITION virtual hosts question 3 onwards?
am I supposed to use another wordlist to fuzz for more vhosts?
are you using the SecLists List
which one?
well yeah, I'm just amused cause like the example they give for attack path is like this long narrative of doing X, Y, and Z but here it's just "I did X, I won". So this section is gonna be brutally short.
i used the one they provided for qn2
i only found app tho
/opt/useful/SecLists/Discovery/DNS/namelist.txt
how do u know to use this list
you may also have luck with the list provided in the part "vHosts" List; it is talked about in the module - under "Name-Based Virtual Hosting"
yea i used this and i found the vhost for qn 2
Needs some help. Am stuck on the ZoneTransfer Module.
after running 'dig axfr inlanefreight.htb @10.129.87.233' .
- how do you figure out what the 2nd zone is?
- how the hell do you query it?
read up on SOA records
Ok so SOA record is the second zone?
but how to query it. both the root/ns . inlanefreight.htb give transfer failed
yeah the valid wordlist is not the one they have you make; which is annoying; it is the seclist namelist one that was mentioned which takes a few minutes to enumerate
but it contains all the info you'll need
ah ok thanks
i just redid this for the sanity check
but how do u know to use this namelist?
read this section over again; it tells you this list
if you do not have a namelist.txt in that opt/useful then it's the path of wherever you downloaded the SecLists repo
got it, just needed to wait for it to enumerate finish
thanks!
4 modules left. let's finish this off this week
figured it out. tried all the subdomains again. must have misspelled. Facepalm
cool, how has it been? Myself just have gotten started
i got bored and decided to see if I could use text/command manipulation with loops to output the flags alongside their respective subdomains
For the hard Firewall and IDS/IPS lab. I got the key. But I cheated a little using port 50000. No matter what nmap search I do, I cant come up with port 50000 in the results. Unless I search specifically for that port. Any ideas?
IIRC it's something to do with DNS proxying
yeah, I cant seem to come up with a search that has port 50000 as one of the results
change the --source-port
:)
that's what infintesky means
I've revisited this several times to help people sanity check
I did get the flag. now I am just making sure I actually understood what I did
DM me and I'll show you the differences
So the idea is, I do the nmap scan from an outside ip, and the IDS/IPS prevents me from seeing all the ports. Then I do it from a "trusted" port, and I am able to see more ports?
and can explain more in-case the IDS/IPS section wasn't clear on exactly WHY it works :) as explaining in more detail may lead to spoilers
yep; more specifically a specific trusted port which is gone over in the IDS/IPS section like I said; willing to talk more with you in DMs
I got it. thanks man
<3
ok so I know there's an easier way to do this but I wrote the script so now I'd like it to work
In broken authentication, bruteforcing cookies, i wrote a script to encode several payloads and pass them to curl to try to get the superuser account
the thing is, when I encode payloads using Burp Decoder with payload -> ASCII hex -> base64 I get a different output than when I use echo 'payload' | xxd -p | base64 and I'd like to know why
the burp encoded payload works fine but the command line one doesn't get recognized
how are you reversing it; dm me :) because I was able to encode/decode (one line) the 'payload' string using xxd -r -p
Hey,
I'm doing the JavaScript deobfuscation module and doing the source code lab
I also did the post request and decoded it, added htb around it but also is not correct 🤔
even though you put "spoiler" tags this is still something not allowed; does the question ask for a specific format such as HTB{..} are you sure your initial paste didn't have any sort of weird spaces
I apologise. I put it in the format and tried to delete after and before to get rid of spaces
i'm saying at the end of the question does it say "format HTB{..}"
oh wait
the screenshot is just huge
didn't realize it scrolled right
LOL
:)
Hello everybody, I'm stuck on the last question of PTH Linux ^^* Someone to help me? :))
be more descriptive of what you're having trouble with
I try to access to Linux01 with kerberos ticket, //DC01/linux01
did you find the actual ticket?
Is it krb5.keytab ?
nope but you may be close to finding it
hint: the linux01 is a ccache; maybe it's stored in a database of some kind
that's what tripped me up
I don't think it has to do with priv esc, cause the viminfo of this user shows flag.txt exists but I can't find it
I understand, but I have tried to find it inside /tmp and I have tried all users
it's not in /tmp where is the krb5.keytab
hiding in plain sight
You mean inside the ker…sh file?
look around there has to be a db of some sort
Inside /root?
hey im a little stuck im trying to the flag for the module web requests but im hitting a wall.. im unable to find the flag.. i am tasked in using curl to download a file returned by /download.php but i do not know how to ID the flag
DM Me; first locate that krb5.keytab then dm the result of where it is
I added you ^^
Don't need to add to DM me
Hum, no, I can't, just with DM
It seems like the final assessment of the XSS module always uses the same IP for the box, but the problem is that it appears to be highly unstable for me. I get timeouts the whole time 😦
nvm i got her