#modules
Python is very cool. It has saved my ass at the CBBH
Yeah. I am a big fan of Python, although I was listening to a podcast (I think it was Luke from the LTT WAN Show), and a comment that was made was that Python is one of the worst languages to start learning programming with. Not because it's hard, but because it teaches so many bad behaviours that other programming languages don't allow, e.g. adding integers to strings.
Good morning everyone! I'm trying to do the Pass the Ticket from Linux section in Password Attacks, and david's provided password isn't working? Anyone experience this?
ACTIVE DIRECTORY ENUMERATION & ATTACKS
Privileged Access
The hint says I need to use mssqlclient.py, but from the VPN I can't access 172.16.5.150. Do I need to perform port forwarding?
Leverage SQLAdmin rights to authenticate to the ACADEMY-EA-DB01 host (172.16.5.150). Submit the contents of the flag at C:\Users\damundsen\Desktop\flag.txt.
Did you use port 2222 or the standard port?
I come from a bunch of years of software dev. I can understand that argument, but I think the basic skills are super important: loops, functions, conditionals... that stuff transfers to most other languages really well, and once you learn it, it's mostly just a matter of syntax and keywords. It does play fast and loose with types, which, if you're unprepared for it, can be a challenge if you move to, say, C++. Also, Python has what I'd call an imperfect implementation of OOP, and it's not the language I'd recommend for learning that paradigm. But for scripting? Fantastic.
Password2
I've moved back a couple of sections to the general PtH; I need to do this too. The objective is to crack david's hash, maybe it will be different.
Yes it may be different
Made me sad though. They have to learn something horrible like C before they can use a nice easy language like Python
Try using a different VPN. Just change the region to US or EU, depending on what you are using now. I had this problem once with another module with a Windows client.
It's been a moment since I did this module
I was thinking about this, I will try it. Thank you
I'm biased, but C is dope
ssh david@inlanefreight.htb@TARGET_IP -p 2222
Its very fast.
From my notes, I had a port forward setup from the last chapter in the module, so to answer your question, yes.
Thank you, I did not see that. But you are right.
@livid pier your username is wrong
Thank you
Hey guys, please help with the Shells and Payloads Metasploit module
I cannot scan the machine
at all
but I can ping it
so I know it's online
please help
"Exploit the target using what you've learned in this section, then submit the name of the file located in htb-student's Documents folder. (Format: filename.extension) "
I tried -Pn also but nope
I got it, I was scanning with scripts
Are you stuck on this: https://academy.hackthebox.com/module/115/section/1139 ?
Follow the steps exactly as shown
They already solved it
I got it... I was just supposed to follow the module
not do anything on my own
lol
I was trying to fingerprint it etc...
Lol yeah the shells/payloads section is very much follow the steps
now i was following
for Infiltrating Windows
but I get this error when I try to exploit
in metasploit
and it says exploit completed but no session
Ah I forget what I did fully I think it was a case where I just had to restart msfconsole because dumb
yup
same case
thanks
No problem, not entirely sure what causes it to be fucky wucky but turning it off and on, age old solutions
hey, how can I connect to my hackthebox profile?
hey, on PHP web shells, I am supposed to log in on /login.php to run the web shell, but they didn't provide any
creds
how do i log in?
PHP webshells?
yeah
I'm doing the Footprinting module, section DNS, and I'm stuck on the question: Identify if it's possible to perform a zone transfer and submit the TXT record as the answer.
I've found one zone but it wasn't there
Hi guys, is there anyone by any chance that tried to set up a Windows 11 VM in VirtualBox on Linux as the host operating system, installed WSL2 on it, and was able to run, let's say, Ubuntu?
anyone able to figure this out?
Exploit the Heartbleed bug to obtain the server's private key. Submit the first 10 digits of d
in HTTPS attacks
the .jar heartbleed exploit in tls-breaker doesn't work..
use metasploit
which 1?
axfr and look for what subdomains exist "internally"
do you know it by any chance?
I know neither the module nor the section
lol
haahah
it's the Shells and Payloads module
PHP webshell section
admin:admin ?
hello, I have a little problem: I can't get a response from "ping (ip address)" on the Getting Started module: Public Exploits. Is that normal? I have restarted the target lots of times, downloaded a new VPN file and tested on the interactive instance, same problem
does the target have a port
yes
how can you ping a target with a port
I ping without the port and so far I've had feedback!
have you tried to use the target with the port in a web browser
can anyone help me with the Shells and Payloads live engagement? I'm still at the beginning, just connected to the RDP
can't even seem to answer the 1st question lol
thanks
the first question can be solved with knowledge from a previous module
I had tried with no response; I have just restarted the instance and I finally got something by typing the address, thank you!
can anyone give me a nudge on the HTTPS/TLS Attacks skills assessment?
Anyone working on the "Attacking Domain Trusts - Child -> Parent Trusts - from Windows" section in the Active Directory Enumeration & Attacks module? If yes, are you able to RDP to the htb-student_adm?
yes?
my friend who is a hacker says he can blow up boilers and set fire to houses with hacking. Is that true?
I mean. Theoretically yes, though setting a fire in a house is less likely
he says he set 3 houses on fire
Boiler just requires the fail-safes to also be electronic
He might be talking out his ass
im sorry what?
i sound stupid for saying this but what?
please keep the channel on topic
yea wdym by that?
This is getting off-topic and Google is free, Google what a failsafe is
ok
@Staff - Any plans on adding some type of Offensive C# module to the academy?
Almost a year after, you still help, man. Thanks
I cannot connect to RDP -.-
Fail to connect: is that the IP of the target?
Yep, and I have respawned the target
Have you tried using Remmina? To see if it's just something up with xfreerdp
will investigate remmina
can you please tell me how this thing works? Does it just boot people or something?
I've noticed sometimes that the RDP services take a hot minute to actually spin up too
he's doing an academy module, which is what this channel is for
oh alr
I got banned in a rando server for being toxic to a toxic person. I did go a bit too far tho
this isn't a generic chat or learning channel. If you want those you have to verify your account
remmina seems to work a lot better, but the connection still dropped after a couple minutes
do you have Pwnbox and the VPN active at the same time?
Yes
causes problems
ggs xD
if you disable vpn your vpn and xfreerdp will magically work again
the VPN is for if you want to use your own machine/VM for the labs instead of Pwnbox.
Aaaaaaaaah
oh wait, so I didn't need to spend the $18 to have unlimited Pwnboxes? I could have just used my local? .-.
I mean, I do just want to get more familiar with Linux so it's whatever ig
I mean you want to use a Linux vm
Not your host system
In case you do a fucky wucky
Ah yeah
Also Linux VM because the commands in modules won't line up with windows cli/PowerShell
did anyone do this?
I think I got it figured out, but it's not taking my answer
I even tried different combinations but it's not budging :/
hi, is anyone able to help me with the Intro to BASH module's for-loops section?
anyone I can DM to get help with my code?
sure just ask your question
thanks
Bloodhound Module, right?
Hey, can someone give me a nudge on transferring files to MS01 in the AD Enum and Attacks skills assessment? I'm pretty stuck
yes, I have done
I'll DM you then
sure
Please don't just give me the answer I want to be guided to the answer so I can figure it out.
Instructions:
Create a "For" loop that encodes the variable "var" 28 times in "base64". The number of characters in the 28th hash is the value that must be assigned to the "salt" variable.
My code:
```bash
#!/bin/bash
# Decrypt function
function decrypt {
    MzSaas7k=$(echo $hash | sed 's/988sn1/83unasa/g')
    Mzns7293sk=$(echo $MzSaas7k | sed 's/4d298d/9999/g')
    MzSaas7k=$(echo $Mzns7293sk | sed 's/3i8dqos82/873h4d/g')
    Mzns7293sk=$(echo $MzSaas7k | sed 's/4n9Ls/20X/g')
    MzSaas7k=$(echo $Mzns7293sk | sed 's/912oijs01/i7gg/g')
    Mzns7293sk=$(echo $MzSaas7k | sed 's/k32jx0aa/n391s/g')
    MzSaas7k=$(echo $Mzns7293sk | sed 's/nI72n/YzF1/g')
    Mzns7293sk=$(echo $MzSaas7k | sed 's/82ns71n/2d49/g')
    MzSaas7k=$(echo $Mzns7293sk | sed 's/JGcms1a/zIm12/g')
    Mzns7293sk=$(echo $MzSaas7k | sed 's/MS9/4SIs/g')
    MzSaas7k=$(echo $Mzns7293sk | sed 's/Ymxj00Ims/Uso18/g')
    Mzns7293sk=$(echo $MzSaas7k | sed 's/sSi8Lm/Mit/g')
    MzSaas7k=$(echo $Mzns7293sk | sed 's/9su2n/43n92ka/g')
    Mzns7293sk=$(echo $MzSaas7k | sed 's/ggf3iunds/dn3i8/g')
    MzSaas7k=$(echo $Mzns7293sk | sed 's/uBz/TT0K/g')
    flag=$(echo $MzSaas7k | base64 -d | openssl enc -aes-128-cbc -a -d -salt -pass pass:$salt)
}

# Variables
var="9M"
salt=""
hash="VTJGc2RHVmtYMTl2ZnYyNTdUeERVRnBtQWVGNmFWWVUySG1wTXNmRi9rQT0K"

# Base64 Encoding Example:
# $ echo "Some Text" | base64

for i in {1..28}
do
    $var=$(echo $var | base64)
    $salt=${#var}
done
# <- For-Loop here

# Check if $salt is empty
if [[ ! -z "$salt" ]]
then
    decrypt
    echo $flag
else
    exit 1
fi
```
Errors in terminal:
```
greg@greg-IdeaPad-5-15ARE05:~/Documents/htb bash$ ./for-loops
./for-loops: line 34: 9M=OU0K: command not found
./for-loops: line 35: =2: command not found
./for-loops: line 34: 9M=OU0K: command not found
./for-loops: line 35: =2: command not found
<SNIP>
```
can someone help me figure out what's causing the error?
and help me correct my code?
```bash
do
    var=$(echo $var | base64)
done
salt=$(echo -n $var | wc -c)
```
@quasi wave
might not need the -n tho
in the second echo
that's all I was doing wrong? hold on
sorry i just updated it
ok
you need to put the salt after the for loop so that it can be the latest
I only get an evil-winrm shell, and wget, scp and using RDP to transfer files have all not worked, and I think I need Mimikatz for this question: Find cleartext credentials for another domain user. Submit the username as your answer.
ok
I did that
I am getting same error.
```
greg@greg-IdeaPad-5-15ARE05:~/Documents/htb bash$ ./for-loops
./for-loops: line 34: 9M=OU0K: command not found
./for-loops: line 34: 9M=OU0K: command not found
./for-loops: line 34: 9M=OU0K: command not found
./for-loops: line 34: 9M=OU0K: command not found
./for-loops: line 34: 9M=OU0K: command not found
./for-loops: line 34: 9M=OU0K: command not found
./for-loops: line 34: 9M=OU0K: command not found
./for-loops: line 34: 9M=OU0K: command not found
./for-loops: line 34: 9M=OU0K: command not found
./for-loops: line 34: 9M=OU0K: command not found
./for-loops: line 34: 9M=OU0K: command not found
./for-loops: line 34: 9M=OU0K: command not found
./for-loops: line 34: 9M=OU0K: command not found
./for-loops: line 34: 9M=OU0K: command not found
./for-loops: line 34: 9M=OU0K: command not found
./for-loops: line 34: 9M=OU0K: command not found
./for-loops: line 34: 9M=OU0K: command not found
./for-loops: line 34: 9M=OU0K: command not found
./for-loops: line 34: 9M=OU0K: command not found
./for-loops: line 34: 9M=OU0K: command not found
./for-loops: line 34: 9M=OU0K: command not found
./for-loops: line 34: 9M=OU0K: command not found
./for-loops: line 34: 9M=OU0K: command not found
./for-loops: line 34: 9M=OU0K: command not found
./for-loops: line 34: 9M=OU0K: command not found
./for-loops: line 34: 9M=OU0K: command not found
./for-loops: line 34: 9M=OU0K: command not found
./for-loops: line 34: 9M=OU0K: command not found
./for-loops: line 36: =3: command not found
```
not same error
similar error
can someone help me out further?
wait that just solved it
ok so syntax at that point
thanks man I really appreciate it
I can't believe I was that close
not exactly me being led to the answer, but since I was so close I guess I can forgive that
thank you
Has anyone had any luck catching a reverse shell with https://raw.githubusercontent.com/decoder-it/psgetsystem/master/psgetsys.ps1 and SeDebugPrivilege?? I've tried revshells.com and some custom powershell scripts with no success.
keep it up dude
don't worry about asking for help
professionals ask for help forever
Pass the Ticket (PtT) from Linux - Question : Try to get the credentials of the user svc_workstations
The hash is SHA-256 and I don't feel like it's crackable despite the text clearly stating
"Carlos has a cronjob that uses a keytab file named svc_workstations.kt. We can repeat the process, crack the password, and log in as svc_workstations."
Are you finding any scripts in Carlos' crontabs? This one frustrated me, the script didn't show up till 3 lab resets later and I'd already guessed the password. DM me if you need more help
I found a video online regarding this. Basically they didn't even use nmap (b/c it wasn't working). They just pasted the IP:PORT in the URL, saw the version of WordPress being run (it's right on the front page) and used that for the Metasploit portion. Hope that helps
Can anyone help me with the Password Attacks > Pass the Ticket from Linux > Optional Exercises > From Windows (MS01), export Julio's ticket using Mimikatz or Rubeus. Convert the ticket to ccache and use it from Linux to connect to the C disk?
I am trying to see if its possible to get the ticket exported with Rubeus that I can then take to a Linux box. I tried the /outfile:file.kirbi but it doesn't create the file.
Can anyone help verify my flag for the SQLMap Essentials skills assessment? I think I got it but it says it's wrong
No, this is not necessary
Make sure you have no spaces at the beginning or at the end of the flag
Yeah, I checked that already
You can send me the flag or a part of it by DM. Then I look at it.
Can I DM anyone to help me out with "File Upload Attacks Skills Assessment"?
I can't figure out where the uploaded files are going?
Has anyone completed "FILE INCLUSION - LOG POISONING" ?
I poisoned access.log and error.log with curl, setting the User-Agent to: <?php system($_GET["cmd"]); ?>
But still executing any command doesn't work
You may not use double quotation marks
@acoustic owl Thanks, i will try again with single quotation
Double quotes are used in the log file. Your payload is thus torn apart
You have to try to read the PHP source code to find the upload directory
So, I could read the PHP source code with one of the attacks mentioned in the module, but I would need to know where the uploaded images are being stored (I think). I have tried to find the upload directory with dirb but no luck.
There are other options.
You won't find anything here with GoBuster or Dirb
Hi, I am struggling with: Exploiting Web Vulnerabilities in Thick-Client Applications. Been at it for two days now; I am just before the SQL injection part of the module but can't get the Java code correct (every time I try to compile the Java code I get a bunch of errors). If anyone can just give me a hint at what I am doing wrong
@acoustic owl Looking carefully at the traffic, I can't even see the request that contains the image that I'm uploading.
You need to read the PHP code.
Hi, can you please tell me what I should write in "Tcpdump Fundamentals", question "Were absolute or relative sequence numbers used during the capture?"
"yes" and "no" don't apply
because it is not a yes or no question
Were absolute or relative sequence numbers used during the capture?
I type in the absolute sequence number and neither
FILE INCLUSION - LOG POISONING:
Still not working
Have been trying this for 4 hours now
Use the repeater and send a few requests
Finally got it
Hello, I'm trying to --data-urlencode a curl GET request, but I'm unsure on how to do it since the flag is mainly for Post requests.
The exercise is about a bash script, but I didn't find any options to url encode data in the terminal either
This module is hard
the answer is one word
relative answer
Ok, I'm having issues finding the domain in the SMB section of the Footprinting module. I tried dig, nothing... I tried smbclient -L... nothing. I tried domain.glass, no results... I just need the answer and how to get it.
Why dig? dig is for querying DNS
I figured a domain naming service will give me the domain if I give it an IP? I'm probably wrong obv...
try || enum4linux-ng ||
You can use verbosity to see what commands enum4linux is running
and then just run those commands manually 
to get that hacker feeling
It uses RPC to request the information
For anyone wondering the GET data request gets automatically url encoded since it's included in the header
Stuck on Active Directory Enumeration Skills Assessment II - need a nudge.|| I am Admin on SQL01 but can't figure out how to get back to MS01 as Admin to submit the flag||
dm me what you've got/tried so far
Hello everyone.
I'm on Footprinting Module, and I have a problem with FTP servers.
I am on tethering on my laptop, using a Kali VM. I can connect on FTP servers, but I can't get any data. I know that FTP uses port 20 to send data.
I tried shutting down my Firewall on my host, and to use passive command, nothing works.
When I do a ls or dir, I got a 226 Transfer complete, but nothing appear.
Does someone already have this issue and/or know how to fix it please ?
Stuck on SqlMap essentials Case 5. I got what looks like the flag, but it keeps telling me it's the wrong answer. Any ideas?
can somebody help me with the LFI skills assessment?
I suppose you need to get the flag.txt, right? Better say, do you need help with the second question?
did you succeed?
yes, a little hard
nice, well done! Yeah, sometimes you have to work hard since there won't always be someone holding your hand
working on Active Directory Enumeration and Attacks / Privileged Access, walking through the example on the page: should the "establishing WinRM session from Windows" example work on the target when connected via RDP? I get a connection failure and it looks like the example password given of "Klmcargo2" might be wrong
I am working on the Burp intruder section of the using web proxies module, and the machine that spawns is not functional no matter how many times I restart it. Can someone help me?
dm me with some more details (command used, error message, etc)
I'm doing the Password Attacks module, section Network Services, stuck on the question: Find the user for the SMB service and crack their password. Then, when you log in, you will find the flag in a file there. Submit the flag you found as the answer. I have the credentials, but when I connect I get this error: ```_samba_cmd_set_machine_account_s3: failed to open secrets.tdb to obtain our trust credentials for WORKGROUP```
dm me
Hello, I'm trying to fuzz the web app in the File Inclusion - Automated Scanning lesson, but I get response code 200 for everything
looks like you're missing a filter
this doesn't belong here. not at all
hack the box innit
It's the same with filter
And also the page show the main page no matter what the parameter is
So no matter what, the code is 200
I think
well I'd assume you get different response sizes if you found a parameter that exists
Can I DM someone about the Footprinting - Medium Lab? Not sure where to go next.
sure
For File Inclusion - Automated Scanning, is this even the right place to search for exposed parameters?
'Cause I found something, but searching for LFI in that directory didn't show too much
Ok, I got it, it was kind of confusing
great
ok
Hello friends. Can someone help me with the skills assessment task please?
I've exploited and found the answers except for host 2
I'm stuck
Exploit the blog site and establish a shell session with the target OS. Submit the contents of /customscripts/flag.txt
what module
The Windows Attacks & Defense Lab has to be the most unstable, temperamental lab environment I've ever used, it defies troubleshooting, whether or not I can connect to a machine seems to depend on which way the wind is blowing..
almost 2 days and I can't exploit it
Shells & Payloads
I saw what you typed no need to reply to me
I don't recall what I did and don't have my notes on me
oh ok sorry
I was asking to clarify the module so other people may be able to help
Also you don't need to reply
That feature pings the user you replied to
Guys, who can guide me to exploit host 2? Module: Shells & Payloads, thanks in advance
dm me
Module: PASSWORD ATTACKS
Section: Pass the Hash (PtH)
Question: Using Julio's hash, perform a Pass the Hash attack, launch a PowerShell console and import Invoke-TheHash to create a reverse shell to the machine you are connected via RDP (the target machine, DC01, can only connect to MS01). Use the tool nc.exe located in c:\tools to listen for the reverse shell. Once connected to the DC01, read the flag in C:\julio\flag.txt.
Okay. So, I'm able to RDP in and launch a PowerShell session using Julio's NTLM hash. I push my reverse shell to the DC and it says "[+] Command executed with process ID xxx on DC01" but my nc listener isn't catching the shell. I have no idea what's going on here. I've triple checked the callback IP and port. Any ideas?
hey guys
dm me the commands and payload you used
hello ๐
hru
this is not the channel for general chat. head over to #general for that
are any of you guys good at data analysis
and data science
oh
wait
forgot I was in the wrong channel
DM'd
Footprinting - DNS. Hi, I'm quite stuck with the last question: "What is the FQDN of the host where the last octet ends with x.x.x.203?"
I've done the following:
- Zone transfer of inlanefreight.htb and internal.inlanefreight.htb and think I have all the subdomains listed and the zones
- I've tried to dnsenum the subdomains, and the SOAs but keep getting a "NX failed: REFUSED" error when it comes to try and brute the domains under each one.
- The hints I've received I have an idea of what wordlist to use but I feel like I'm running my commands incorrectly.
Can anyone provide some direct assistance? I'm confused about how I'm supposed to execute the next step. Thanks in advance!
dm me
Hint: d*.inlanefreight.htb, double check your list. Also the list should be a fierce list
Has anyone done the "Windows Privilege Escalation" Module section "SeDebugPrivilege" and can help me on the exercise ?
lol
Can you tell me how you got the password for
"Check Carlos' crontab, and look for keytabs to which Carlos has access. Try to get the credentials of the user svc_workstations and use them to authenticate via SSH. Submit the flag.txt in svc_workstations' home directory."
I found it by guessing, but not sure how to pull password from the sha256 HASH
Can anyone give me a nudge for this question: Take over the domain and submit the contents of the flag.txt file on the Administrator Desktop on DC01. I can't RDP or get a shell as tXX and secretsdump.py isn't working
which section is that exactly? I can take a look if necessary
Password Attacks > Pass the Ticket from Linux >
secretsdump should work. I've had it act up a bit, but trying again once or twice it usually works. if not, dm me
Hi guys, I'm stuck at Active Subdomain Enumeration, is there someone available to help me?
aight gimme a few minutes to read up on that
guys, how do I find the home path on another Linux computer (I'm using SSH)
on the current user or other user?
in general most Linux systems use /home/<user>/ if I'm remembering right
How do I find the FQDN from an IP Address?
Not sure if I'm following. Generally if you ping or visit a site via IP it redirects you to the website
An FQDN is generally in the form a.b.c
echo $HOME
I'm pretty sure
That's a command
ah okay
You can use dig or dnsenum
alright dm me so we don't spam everyone here
yeah, I'm still checking.. On the other hand, I'm also stuck with the following question: "Find and submit the contents of the TXT record as the answer." --- My guess is to run the following command: nslookup -type=any -query=AXFR inlanefreight.htb ns.inlanefreight.htb as I've seen in the course that it provides the TXT record, but I'm not getting that info.. Am I missing sth?
try with dig
Hi, I'm working on the File Inclusion module, section Log Poisoning, second question. I don't understand why, after sending my request with curl, I can't access /access.log while I have access to /etc/passwd; the file is inaccessible with ?cmd=id and even without the parameter. I don't know if it's clear, sorry for my English!
Ty for your response
Thanks
Hi, I am on the module Attack Common Applications, and I'm stuck on the section on thick clients, on the restart oracle application.
I dumped the address so I have this MZ magic byte. However, the file appears to not be a .NET app. So I'm stuck with a dump and nowhere to go.
Any nudge would be appreciated
hello
can someone simplify this to me ?
We can see from the SENT line that we (10.10.14.2) sent a TCP packet with the SYN flag (S) to our target (10.129.2.28). In the next RCVD line, we can see that the target responds with a TCP packet containing the RST and ACK flags (RA). RST and ACK flags are used to acknowledge receipt of the TCP packet (ACK) and to end the TCP session (RST).
What don't you understand? It's just describing the conversation that happened between your computer and the target. In that case, the target computer acknowledges the SYN packet and then ends the interaction.
thanks
so you checked it with strings and tried to reverse it, right?
guys
Hello
I am a new user on HTB
I just want to know
about HTB Academy cubes
how can I get cubes for free
Can I do something to get free cubes in HTB Academy?
Yes, I dumped it and ran strings on it, but all I have is "This program cannot be run in DOS mode" and some .data, .text, etc.
I don't have the string indicating that it is actually a .NET app that I can convert in a proper format to analyse with dnspy
And therefore, trying to use the tool to convert it won't work as intended and will fail with an error message indicating that the file does not appear to be a .NET app
hi I'm having issues with this one question in network traffic analysis module
in the TCPDump Fundamentals section
I did all the other questions in section and got it right so without giving away the answer, here is the instructions:
Given the capture file at /tmp/capture.pcap, what tcpdump command will enable you to read from the capture and show the output contents in Hex and ASCII? (Please use best practices when using switches)
My answer tends to be something like:
tcpdump -rX /tmp/capture.pcap
or
sudo tcpdump-rX /tmp/capture.pcap
or
tcpdump -r /tmp/capture.pcap -X
I don't see what it is I'm doing wrong here
could someone give me a hint
thanks
Sudo
no, you get a certain number of cubes for free to start with to let you have a taste of Academy. Tier 0 modules notably will award you cubes equal to their cost if you complete them, so they're free so long as you finish the module.
But the academy at large is a paid training center.
There is the HTB seasons going on right now where you can win a small amount of cubes but not a whole lot.
I have a technical question related to nmap. If I send a packet to a server with a spoofed IP address, the server is technically supposed to reply back to that spoofed IP address(like in a ddos smurf attack) . However, in practice, the server ends up sending the response back to my actual IP address instead. So how does it really work?
If it were on the same subnet, arguably it's because it's going by MAC address via ARP, not IP address... if on another subnet... then no idea
yes, on a local net it's because it's responding to the MAC address, not the IP address. Otherwise you didn't actually spoof it, or you sent along your real packets with the spoofed ones. You can check with Wireshark to confirm the behavior
it feels like you dumped the wrong part
but you are saying you have MZ for the magic bytes
did you check that your dump file starts with MZ?
Anyone do the HTTP ATTACKS - HTTP Response Splitting? I get the concept, but can't get the XSS to work locally (let alone attempt to get the admin cookie). In Firefox, it states it won't resolve and therefore done, and in Chrome & Chromium it just displays the text... I've got a suspicion on what the issue is, but have tried unsuccessfully thus far to get it to work.... would love to chat with someone who's done it to see if I'm on the right track or not.
EDIT: Got reflected XSS, but now struggling to figure out how the heck to get the cookie...
EDIT2: Solved. As a small hint/nudge, break it apart into steps... and then it all comes together (relatively) easily AND beautifully.
I'm in the Active Directory Enumeration and Attacks module in the Attacking Domain Trusts - Cross-Forest Trust Abuse - from Linux section and confused by how to get the second question. I followed the steps and I don't see where I'm supposed to get a TGS to crack. I can't seem to get bloodhound to run either. Any ideas on what the issue might be? Everything ran pretty smoothly up to this point.
GetUserSPNs.py -request
This messed me up too. I had to ensure I was targeting the MAP type in the debugger.
Going to ask this again here, hopefully someone can give me a push in the right direction.... Hello, I am working on the Active Directory BloodHound module; on the NODES section the last question is stumping me: Which non-default Group Policy affects all users? In this section they just give me the BH.zip file to look at in BloodHound. Well, I may well be not understanding the question correctly; I cannot figure out how to list the GPO or non-default GPO for all users. Could someone help clarify what they are asking and how to go about finding it please? Thank you!!
There is also this question in the Analyzing BloodHound Data section; I feel like it's almost asking the same thing, just for the DC: What's the name of a non-default GPO that affects the Domain Controller container and can be used to escalate privileges in the Domain? Hopefully someone can help me understand this better! Thanks!
hello are you still stuck ?
hi, I have a question. I'm going through the beginning and I refreshed my page, and my Pwnbox disappeared, so do I have to wait a day to finish the module?
hello, are you on the free plan?
Unfortunately yes then, unless you set up your own VM
how can I do that
I believe the getting started talks about how
Module =Pivoting, Tunneling, and Port Forwarding
section= Skill assessment
I have initial credentials and see the id_rsa, but can't connect to SSH? Probably missing something basic here but don't know why I can't connect to SSH
thank you very much
are you sure you're using the correct username for the RSA key?
@mystic light mlefay?
find other users on that system and throw it at all of them
kk ty
Can someone help me with the Live Engagement Host 1 in the Shells and Payloads module? I am able to upload the file using the ||tomcat_mgr_upload|| exploit in ||metasploit||, but it says the payload was unable to execute. I am sure I'm just missing something, but I'm not sure what and have been stuck on this for the last couple of days. I have also tried creating a payload via ||msfvenom|| using the payload ||java/jsp_shell_reverse_tcp|| and configuring the file as a ||war file||. When manually uploaded into tomcat and clicking on the uploaded file (with nc listening) it just opens a blank page and doesn't return a shell. Any help would be appreciated!
to execute msfvenom war file you can use curl for example
curl http://<vuln-website>/<file>/cmd.jsp
I'll give that a try really quick
I get a 404 error code when running curl
on the vuln-website it's the same syntax. Maybe you are trying file.war instead of file
I just needed to specify the specific jsp file that was created, so your syntax was correct, but it doesn't seem to be working still. Curl returns blank and no shell is created
dm
In the Footprinting module, in the 'Footprinting Lab Easy' exercise, the login credentials were provided in the hint. However, I am interested in learning if there is an alternative method to obtain the credentials without relying on the hint. I attempted to use brute force by running a Medusa attack on the FTP service using the rockyou.txt wordlist, but it is taking a significant amount of time. I am wondering if anyone knows of any other methods to obtain the credentials ------ (Nevermind, Hydra got the job done!)----------
Has anyone solved BROKEN AUTHENTICATION - Brute Forcing Passwords (Using rockyou-50.txt as password wordlist and htbuser as the username, find the policy and filter out strings that don't respect it. What is the valid password for the htbuser account?)? I'm stuck in this module,
Hello Aspi, yes I'm stuck
Hello Autom4il, thanks for your return.
I'm on Easy Lab, I did manage to get the ssh private key, but I don't know if it is normal behavior. I had to do some strange moves to get the key, but it means that the problem isn't from port 20 being blocked.
Even in SSH, none of the ls or dir commands show me results.
Is it normal to do all the stuff blindly ? Or do I have some technical problem ? Is the DNS server of Footprinting module secured that way ?
let me get this straight, are you working on "Footprinting" module, "FTP" section, question "Enumerate the FTP server and find the flag.txt file. Submit the contents of it as the answer."?
No, I've done all the sections, I'm on Easy Lab to finish the module: "Enumerate the server carefully and find the flag.txt file. Submit the contents of this file as the answer."
I see. Anyway I haven't done it yet hopefully someone else will help you get in the right direction
Ok, thanks for your help
Edit: Ok I found the flag. It is not a technical problem
ls
can someone give me a hint, I'm at the file inclusion skill assessment and trying to log poison but I can't write in access.log..
Haha, no table, big problem
One dot? Really, one dot?!?
This module almost drove me crazy.
The thing with the dot was really nasty
But it was really great! Thanks @dense ferry for this module.
I am looking forward to your other modules
After the injection test is completed using sqlmap, the flag in the obtained form is submitted
Hi, is there anyone that can help for "Attacking LSASS" module ? I got errors while trying to dump the lsass.dmp file
I used pypykatz, lsassy, SAM dump but nothing work
SERIOUS QUESTION: I'm on CPTS Path - Footprinting - IPMI and it's asking me for the Username of the Host and the Clear Text Password.
Username was found off First Guess and Reading....
However the question "What is the account's cleartext password?" bothers me. Because the only example of how to use metasploit gave me a large hash that was not what everyone else got when they looked at the forums. A lot of people are talking about the Hashcat function and I'm wondering am I supposed to learn password cracking with hashcat to understand this? and if so... WHY THE HELL ISN'T IT IN THE DAMN CPTS PATH
It is explained here
https://academy.hackthebox.com/module/112/section/1245
always coming in clutch
In the Dangerous Settings section
sure, dm me
Anybody can help a bit? I am doing footprinting academy and stuck in Oracle TNS. pwnbox seems not to have odat installed and my one that I tried to get to work will fail to open with errors on missing files.
had the same problem last night. DM me
We do a little trolling 
Hey guys, did anyone use softether vpn ?
It was really a cool module. Many thanks for this
I am working on the Vulnerability Assessment - OpenVAS section and when I start the target server for the assessment, I can log in via ssh but not through https :8080. When I log into the system and do a systemctl status | grep reen, I do not see the Greenbone Security Assistant (gsad) running nor can I find a valid .service file. I am under the understanding it should be already installed and running on the target, and using a find / and some grepping I can find some gvm data files so it looks like the reports "exist". Am I misunderstanding something?
you can test and see the message
multiple resets of the target have solved the problem
do you need help?
how can i verify myself if i'm from hack the box academy if i dont have a unique account identifier?
I am doing the Dcsync module. I am receiving the following error:
```powershell
mimikatz # lsadump::dcsync /domain:INLANEFREIGHT.LOCAL /user:INLANEFREIGHT\administrator
[DC] 'INLANEFREIGHT.LOCAL' will be the domain
[DC] 'ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL' will be the DC server
[DC] 'INLANEFREIGHT\administrator' will be the user account
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
ERROR kuhl_m_lsadump_dcsync ; GetNCChanges: 0x000020f7 (8439)
```
Hi all, I am also stuck on the "PIVOTING, TUNNELING, AND PORT FORWARDING" Skills Assessment, final question. I have hopped like a rabbit on one other with a lot of R&D & am finally standing now on PIVOTWIN10 (not disclosing IP), just one step before the DC - INLANEFREIGHT.LOCAL (not disclosing IP), where it seems RDP is not enabled on it. Any assistance on how to grab the last DC flag??? thanks
Hi there fellows I am stuck with this question I am doing the possible combinations to use the best practices of switches but I have no answer .
The question is as follows
Given the capture file in /tmp/capture.pcap, what tcpdump command will allow you to read from the capture and display the output content in Hex and ASCII (Use best practices when using switches)?
These are my combinations
sudo tcpdump /tmp/capture.pcap -rX
tcpdump -rX /tmp/capture.pcap
sudo tcpdump -rX /tmp/capture.pcap
module:INTRO TO NETWORK TRAFFIC ANALYSIS
sudo tcpdump -XX -r /tmp/capture.pcap
But I can't find an answer to this question
oops sorry got it >>> it was there only > a bit of enumeration needed with OPEN EYES
What is a method for selecting only the content of the token? I was thinking grep
According to the documentation for tcpdump which causes it to save the packet data to a file for later analysis, and/or with the -r flag, -XX When parsing and printing, in addition to printing the headers of each packet, print the data of each packet, including its link level header, in hex and ASCII.
sudo tcpdump -rXX /tmp/capture.pcap
But I haven't got the answer to this flag either
jq can do it. something like cat file | jq .token
I'm stuck here too xD
On the Easy Lab of Footprinting, I'm lost after accessing the FTP files and looking in the hidden files and finding the flag.txt... or the history of the damn flag.txt and Im still like confused as to how to actually grab the flag
thanks! it really works
you've discovered the hidden files, that's great... what's another thing you could grab in the hidden files you found that could get you better access to that system
Can't you list hidden files with ls -la?
yeah but I'm confused as to how I saw the flag.txt file and couldn't access it.
FTP on the default port has no content. Have a look at other services/ports
assuming the username, since I found it was "Ceil" after the failed scan
2121 is the one I used
unless that's the default, because I thought 21 was
That's right. Then you can list the files with || ls -la ||
right. No i got to that part. Only seeing this:
cant post a picture
dm if you want
You need to verify #welcome
bet
h
hey can someone help me with the shells and payloads last live engagement section
I'm on the last host, host 3
and i know the vuln is
||eternalblue||
my rhosts is 172.16.1.3 and lhost is the attack box ip
¯\_(ツ)_/¯
pls help I'm stuck on this for hours
idk what's wrong...
h
Dm me with some more details. You're on the right track already
The first step recharge your phone. The second step find somewhere else. This room is solely for module discussions.
I just removed my sim card, I just need to hack it
I need help to hack my phone
Can we chat in DM?
A google website try to hack my system
That's why I am here
"Google website" more than likely a paid malvertisement either way still off-topic for this chat
I blocked it
I just forgot to turn my brave shield up
Aka = also known as
This channel is for discussion of modules found at https://academy.hackthebox.com
Not for helping people hack things
You can potentially throw it at #1024429874246590575 , or verify your https://app.hackthebox.com account and there may be a more relevant channel to ask in
Ok thanks for helping
Either way still off-topic, idk if you own the phone or not
You'd know how to do this if you visit the #welcome channel and learn how to read
I own my phone, what are you saying
O I just hacked my phone
We do not care about your phone
this channel is for academy module discussion only; if you want chatting channels, verify your account.
or continue talking about off topic shit nobody cares about until you get kicked. your call.
Why are you getting rude & angry
Because this is a daily occurrence and you lack reading comprehension skills
Its the rules, stay on topic or get the boot, your choice
Why is everyone getting angry at me when I am in a big problem
Oh sorry, no one cares about me
Ok i am sorry
we're getting angry with you because you're incapable of taking five minutes to follow instructions to be able to see the channels where you could ask for help. If you can't even follow these instructions, how can anyone expect you to follow the instructions needed to resolve your issue?
I am sorry
Hi everyone, I am doing the Linux Fundamentals module, did you guys really finish it in 6 hours?
I spent at least 10 hours on it and I'm still at the 18h section!
This isn't the place for that read #rules and #welcome there is a channel you can post in once you follow steps to verify #community-content
Don't worry about the time estimate it gives, it's very much an average and not a strict number.
Different levels of experience will net different times than estimated
Haha i know linux but it's still longer than estimated
maybe it's underestimated
or maybe I am very very slow
¯\_(ツ)_/¯
I've had some modules I've knocked out the whole thing in 10 minutes flat, and others that have taken me a month
the time estimates should be ignored entirely
till 2020*
lol
Hey guys, i need help with this question as i dont know what am i looking for:
"What is the index number of the "sudoers" file in the "/etc" directory?"
can someone help me pls?
I'm in the etc directory but have no idea what index number they mean
yeah, it's a gold well for programmers and the IT sector
but it might suck at other more "real" things
Hello
Make sure you understand it.. I would recommend not using ChatGPT that much if you are a starter, since it would take away the learning curve.
Your opinion ; )
I am a beginner who is diving into ethical hacking. I have learned Python, CSS and HTML and will soon finish learning NumPy, pandas and JavaScript, and within 1 month I will master all of them. I am a hardworking person who works all day and sleeps, and I need a proper roadmap, from an experienced pro ethical hacker, about the courses I need to learn and practice to master ethical hacking and start doing bug bounty.
Anybody please help me
Well can anybody help me hack an acc in a game I play
Can you teach me how you mastered python, css, html, numpy pandas and javascript in 1 month
Thanks
It won't let me post in #community-content
Hello
Can you teach me PHP, HTML, CSS, JS, jQuery and Laravel
You can learn it here: https://www.google.com/
Search the world's information, including webpages, images, videos and more. Google has many special features to help you find exactly what you're looking for.
Spanish
Existing, middle school, living with a Spanish speaker and visiting their parents every now and then
well you gotta use the internet bro
you can try apps such as Mimo or go straight to YouTube and learn it with YouTubers
My Spanish is awful however
Yes XD
Soso
But hopefully you got what I was meaning
You need to verify your HTB following #welcome
Then you should be able to post
In the appropriate channel
deepl helps
DeepL is very good
I like it
I use DeepL to translate PDFs from English to Spanish
XD
It's cool, mex, yes I need to verify my account
Ok sorry
hi guys, I joined this server because I need a favour
it's hacking related
@everyone
pls help me
anyone knows how to hack?
Ask your question in #1024429874246590575
but i need a person's help
According to this statement, no
#modules message ¯\_(ツ)_/¯
It's a good thing I'm not a moderator of this chat. I would be banning people left and right. Heck, I would have probably banned myself with some of the posts I've made here
guys my account got hacked and the person isn't giving it back
what did I do
Not read the rules
sorry I'm new, idk anything
this channel is for module discussion only
I dont care
i apologise
I hope you never get your account back
That would just be heaven. I suggest/request server validation for these channels very often for this exact reason.
@rustic sage Now would be a good time to move on.
Just to highlight that this channel is related to "questions" about the HTB Academy. Please keep it respectful and if someone makes a mistake and asks the wrong type of question, then please guide them to the correct channels.
Can someone help with the initial foothold on the footprinting hard module?
what have you tried so far
Just nmap scan really. I tried to do some enumeration on the IMAP/POP3 ports but not finding much.
well it is the footprinting module after all. Just go service by service and refer to your section notes
All i see are pop3/imap
I did the enumeration ports, the rest of the section refers to having creds
did you check udp as well (I don't remember the specific lab)?
and full port scan or nah?
yeah I did full port, let me see if I can add other switches to find more ports
snmp especially can be a gold mine if that's running
doing AD - LLMNR/NBT-NS Poisoning - from Linux and it's not clear how to capture the hashes, any help?
ideally that ought to be in their notes already
what have you tried
responder
yeah, found the missing port. Will make sure to scan UDP as part of my normal process
from which machine
one sec please
hola
so that's what I tried: sudo responder -I tun0 -wdF
and logged into ssh
so the attack machine?
yes
did you verify that's the right interface? it's got two of 'em (idr which one it needs)
and assuming it's the right one, what output are you getting and how long have you waited? hashes don't always come in instantly.
make sure tun0 is the internal 172 network
is anybody able to help me with a few of the basics.. like I mean literal basic basics
bet ty
np
I will look into that, thanks
now things are working properly
sweet
probably just had to wait. the stuff sending the hashes is on a periodic timer
there's a later module where you can skip 90% of the lab if you wait an extra 10 minutes or so collecting hashes.
I won't spoil which one though.
thanks for the heads up !!
Yeah I was like "oh it's giving me more"
According to the documentation for tcpdump which causes it to save the packet data to a file for later analysis, and/or with the -r flag, -XX When parsing and printing, in addition to printing the headers of each packet, print the data of each packet, including its link level header, in hex and ASCII.
sudo tcpdump -rXX /tmp/capture.pcap
But I haven't got the answer to this flag either
You may need to separate the -r and -XX
Having an issue with the first skills assessment for Active Directory Enumeration and Attacks. The 2nd question asks to kerberoast an account, but I can't seem to get any of the commands needed for this to run in PowerShell. I've even tried to downgrade it and it fails. Anyone else run into this?
any hint after getting SSH access?
Look around for what you can find
hi, I have a question about Footprinting lab - Easy. After spending hours not able to progress, I finally gave up and clicked on the Hint button. I was very disappointed when I discovered that the password could be bruteforced... Could one of you tell me how I could have found it myself please? When trying hydra, according to the bruteforce rate and the location of the "good" password in rockyou, it should be found in about 20 minutes... (I am not very used to having to brute for so much time...) Were there other ways to do it please?
yeah this part was bogus. Apparently there is a wordlist (not rockyou or the one provided) that you can brute force the password with. I have not gone back and tested this. I used about 4-5 different wordlists from the built-in image but nothing worked for me.
but how could I even try multiple wordlist if the first one to try is estimated to finish after 230+ hours ?
well, other wordlists are not as big as rockyou
I usually start with the SecLists options
I've complained about that question as well
one of the only questions where the hint is mandatory information
if it's any consolation that doesn't really come up often
facts
by all means make an erratum post complaining about it. If people consistently complain it may get changed eventually
I actually figured it out
To get the username there's a specific port you can see, and when you connect to it it says <user>'s server
Then from there it's hydra
well, my main concern is to try to understand how, in a real life scenario, I would have failed and how to succeed. If the hint was providing a random 15 char password, I would be confident not to have done something wrongly, but since the password was a guessable one...
yup, the answer is you don't
I also tried rockyou using the gathered hashes from ipmi
but it seems that the password was not the same (or maybe I did something wrongly with jtr / hashcat; in fact, I don't know much about hashcat and am impatient to deep dive into it in a next module)
its just a bad question
don't sweat it too much. Make a complaint about it and move on
But yes the username is findable, and the password list does contain it
I don't get why I would complain, perhaps because it is rated as easy, but it's the game of learning to try again and again, this time I failed, but not the fault of htb imo
which password list ?
I mean, rockyou as is and perhaps a lot of other ones, but the ftp service is quite slow
complain because it's a broken question and they might fix it
unless we're all talking about different questions here
I think I used rock you but I may have used a provided one if it had one
But idk if we're referencing the same question
The one with the hint c*:<password>?
I'm talking about the one where literally the hint contains the password and there was no list or any way to find the password and htb staff has confirmed checking the hint is the intended route
yes
but how did you use rockyou? with an nmap nse script? with hydra? some other tool?
Hydra
Because one of the services you can scan for has the user's name plastered on the banner when you connect
So you don't need to guess a name
umm, my hydra scan has just finished after about 30 minutes... this is definitely the way to go... I am just not (at all) used to having to wait so much time before getting a positive result! another lesson learned today
Also you can adjust the threads hydra uses
oh ...
many thanks for the share
Np because I redid this module recently and decided to try and figure out how to brute it
But yeah make sure you check all ports for a double number of a common port
What ip address does the dns server give for inlanefreight
what address does inlanefreight.com resolve to
Can someone message me. I'm currently working on the windows exploitation module and I'm struggling to get the ntds.dit onto my attack host. I've gone through the file transfer module and tried the different windows upload techniques but none are working.
which section are you on?
also I could be wrong but I'm pretty sure ntds.dit is a protected system file. you could only really copy it if you had like a shadow volume copy of it, did you try that?
Hi anyone needing an editor
It's the windows built in groups section. And yeah I used the diskshadow.exe to make a copy of it
Huh ntds.dit is (NT directory System).(Directory Information Tree)
then if you're having an issue copying the shadow version of the file over, it's likely an issue with your system. have you tried copying it over in the pwnbox?
I haven't tried it with pwnbox. Do you think it's just a connection issue
do you have winrm or rdp available for that box? because evil-winrm and xfreerdp can move files
I'm using xfreerdp. Is there an easy way to copy files. Like click and drag. I've been setting up smb and ftp servers and they're not working
with xfreerdp, yes, you can drag and drop. if you open Windows Explorer > Network > tsclient > your-attack-box
but you can do it if you add this flag
/drive:<any-name>,.
Okay I'm gonna try this tomorrow. Thank you!
I have something like this in ~/Documents and it's come in handy more than once. https://gist.github.com/UniIsland/3346170
just run this with python, hit it with a browser and you can upload/download files.
Can someone please help me with Bypassing Encoded References exercise?
If still stuck on the HTTP Response Splitting, feel free to DM me -- just solved it. In working it over last few days, realized I over-complicated it / need to break it apart into steps and then once you think it'll work (based on the steps) -- odds are it will -- vs. my original approach of #YOLO (and failing miserably).
did you fix the errors?
According to the documentation for tcpdump which causes it to save the packet data to a file for later analysis, and/or with the -r flag, -XX When parsing and printing, in addition to printing the headers of each packet, print the data of each packet, including its link level header, in hex and ASCII. But I haven't got the answer to this flag either
In this one you don't have a lab to spawn, instead you can use the name of the given website
i am a newbie to hacking stuff but i wanna learn it but dont know where to start
can anyone guide?
???? RE and programming are just tools, just as much as ping and nmap are. You use them when, and if, needed.
Start Powershell as Administrator
Module: Cross Site Scripting/Session hijacking
Try to repeat what you learned in this section to identify the vulnerable input field and find a working XSS payload, and then use the 'Session Hijacking' scripts to grab the Admin's cookie and use it in 'login.php' to get the flag.
I have followed everything mentioned on the page but I am not getting a request back on my php server. I have even reverted the machine a couple of times.
make sure you are using the proper IP address and port
@autumn pilot I am
then check the payload you are using
So I figured it out. Using the /drive command allowed me to copy the file. Also in order to crack it you need the SYSTEM file as well. But.. apparently none of that mattered because all I was supposed to do is copy the flag directly with copy-filebackupprivelege.
Hey so I have a dumb question, I felt maybe I didn't read it well enough but, I was in the first interactive section with target. I felt pretty confused because I would type in the ip address as is and run it in firefox and it kept telling me it timed out and etc. So I didn't know what to do. am I missing something?
In which module, which section?
Hi all, I am currently struggling with the DNS section of the Footprinting module. The last question where I need to find the fqdn of the host ending in .203. I have tried both the 5000 and the 110000 wordlist. I have also been trying the subdomains of subdomains and I am not really sure where else to go with this.
Do u have the IP address of it
of the subdomain?
the very first beginner course
module/15/section/453
I dont think so
Do you know what subnet it's on?
Subdomains of subdomains also a fierce host list
The section/course numbers mean nothing what is the name of it
you can do a ping sweep maybe if you know the subnet
nmap -sn 10.10.10.*
and if you find the host ending in .203 then u can do a reverse dns lookup
I think nmap actually does reverse dns lookup automatically for active hosts
I need a sanity check on the "Error-based SQL Injection" section of the "Advanced SQL Injections" module. Is anyone available? @dense ferry ?
Dnsenum is easier to use for this portion
I am still stuck...
So. You know with dnsenum you can use subdomains (x.inlanefreight.htb) are you sure you exhausted all discovered subdomains
And the right word list is a little more fierce
You can ignore NS and internal since you could already see those
Am I supposed to be changing the IP in the dnsenum command? The subnet suggestion has me a bit confused now.
Interactive Section with Target
Getting Started module
No
Ignore their subnet suggestion
The intended way is to use dnsenum or some dig command syntax I'm not aware of at this time
Their suggestion is more for if you know the specific subnet it would be under
Which you don't
No problem
Are you using the provided pwnbox or your own vm?
Spawn the Target (Docker Container)
Then copy the IP and Port and enter it into your Browser
Oh yeah that one is a docker
Thanks! I managed to pull it off after a lot of tinkering
All you have to do is enter the ip address into Firefox right?
Oh I see. Haha maybe I should have read deeper. I must have missed it because it's obvious
but i see its not on firefox
is that the pwnbox
No, the PwnBox does not have Internet access as far as I know.
You can access it on your PC with your browser
hi, sorry for late reply.
It does start with MZ yes
No clue what I am doing wrong as other addresses won't give me a proper DOS MZ executable
Stupid Question - Shells and payloads - live engagement - I RDP to the foothold box and do not see a web browser installed. Am I missing something? the tor browser will not install, saying I'm not connected to the internet.
you can call the web browser from your terminal
It says downloading tor browser for the first time and then errors out as the box is not connected to the internet.
hint: the browser is not tor
thanks! its always the simple things - got it going
hi! is anyone here doing the Dante pro labs? I'm a bit stuck and would like a nudge in the right direction. I have completed about 53% of the lab already and am stuck on what steps to take next.
please dm me so that i can explain further and avoid any spoilers
Read #welcome and verify your account, there is a channel specifically for Dante #prolabs-dante
Find a file with the setuid bit set that was not shown in the section command output (full path to the binary).
Can anyone help give a nudge on these two questions in the Linux Priv Esc? I have finished everything but this and I feel like I'm overcomplicating it. I'm running both commands to find the binaries with both setuid and setgid set and know how to read the permissions but I'm not sure what file I should be looking for? Any help, thank you!!
search for the file
for the password attacks module, starting off the first section with a VM has me enumerate the winrm service. Currently using crackmapexec using the resource lists provided, I'm guessing this will work. But crackmap is fairly slow. Are there any other tools recommended for this situation?
Is it a blatantly obvious file? I just got a bit confused when the question says "not shown in the section command output." Thanks if you're able to clarify, I've tried pasting what I thought was the full path but I'm just stuck tbh
¯\_(ツ)_/¯
It's something to do with new-object and not being able to identify what you're doing, you sure you don't need to put the kerberos request inside parentheses? ()
Already tried this
I'm not familiar with ps error messages, the only other thing is that it's stating "verify the assembly containing this is loaded" ¯\_(ツ)_/¯
For the kerberos request
Can I get help with SQLmap essentials bypassing web application protections, case 8?
Footprint Lab Medium: am I supposed to be seeing an error after mounting the dir?
Error like can't cd to the directory
Webshells suck try upgrading to a reverse shell first
is it possible to change profile picture on htb academy?
Afaik, no
Will use meterpreter Shell
Whatever works for you
Error like [error opening dir]
Try running as sudo and I think there's a flag -o no_root_squash I think
this is what I got when I did the tree . command
hi guys, has anyone got a problem with the machine in windows priv escalation... the rdp always crashes after a couple of mins
Because of how it's mounted try sudo chmod o+xr on the share
So sudo chmod o+xr /sharefolderyounamed
I'm just looking google
Lol
Or switch to root and you can navigate
hi, need a nudge for Skills Assessment - File Inclusion, I've tried fuzzing params, lfi wordlists, fuzzing for server files, but still can't seem to find any direction of where to proceed
This is about what i've found so far but nothing works ||http://167.99.84.66:30117/index.php?page=||
Have you tried directory traversal after page= such as ../../../../etc/passwd?
and a lot of the payloads get this reply
haven't done that module so not sure. Maybe need more ../ ¯\_(ツ)_/¯
:/
Review the sections under File Disclosure
under web attacks module xxe injection section?
You're in the File Inclusion module right? There's a section called File Disclosure in there.
I've gotten to the point where I can see the php code for index, but from my understanding: only .. is being filtered but url encoding does not work
Add an additional '../' such that ....//
oh nvm found an admin panel :X
That works too lol
does anyone know the username file and password file we are supposed to use for the Skills Assessment - website first question within the Login Brute Forcing module? I keep trying the different files that are mentioned in the learning section but either nothing comes up or it takes forever and times out (or seems to time out)
the first assessment or the last?
the first
this is the question: When you try to access the IP shown above, you will not have authorization to access it. Brute force the authentication and retrieve the flag.
I have been using them
Hey, this is for anyone who doesn't know, but you can make your RDP window bigger if you use xfreerdp to rdp in. Just use /size:WxH. For example, /size:1920x1080
Iirc you can do like /dynamicresolution as well
ah, not aware, I'll have to try that out!
I'm on password attacks and I'm doing the password mutation section, it's been 15 minutes of me trying to crack the password for the user sam
his password starts with the letter b
I mean I'm still waiting for the cracking so idk xd
:/
use the info that I have given you to modify the wordlist in order to speed up the process
before that i had to mutate it with the rules and i used this cmd
||hashcat --force password.list -r custom.rule --stdout | sort -u > mut_password.list||
oh okay
lowercase b?
lower and upper
how can I modify it so that it starts with the letter b?
ik how to modify for lowercase and upper
but not the letter
this is a good exercise to test and use your researching skills
every htb lab
requires hella researching lol
Web Service & API Attacks - Skills Assessment, someone to give me help with the SQLi payload?
Also a good thing to know, hydra and cme lets you adjust the threads used to speed things up
I'm on
47min now
xd
I think something is not good
Are you attacking the ssh service or the other service?
ssh
can I DM you with the cmd I used and a screenshot
so I don't spoil here?
There's another service you can crack that will be faster
The question is worded stupid
well idk it said brute force the ssh
" Use this wordlist to brute force the SSH"
Lol ssh takes forever to crack because it's slow connect disconnect
Scan the target to see what's open to you
||ftp?||
Yep
I recommend (if using hydra) -t 48
That's the fastest/most reliable threading I've seen for these labs
im using this command to mutate the passwords with hashcat rules
||hashcat --force password.list -r custom.rule --stdout | sort -u > mut_password.list||
ok, im spinning the hashcat up
lets see now ...
Why are you spinning it back up?
Once you've created the list from the resources you don't need to recreate it
nono i meant like starting it
to crack
its still cracking
usually when i cracked on htb labs it didnt take longer than a minute
now its been 5min alr
You realize that is just creating a password list right?
And outputting it to a file
Now I'm confused
i used the cmd above just to mutate the password
Yes
Ok
Like I said though you don't need to recreate the mutated password list
Anyway as long as you used the password.list and custom.rule from the resource files you'll be fine
yeah i did
even for ssh i did but it took like over an hour
and it still didnt find anything
so yeah now im trying on ftp just as u said
Give it like 10-15 min, if that, on ftp
okay
Web Service & API Attacks - anyone completed this? i think i have the answer and maybe am only failing in the formatting
dm
worked, thanks!!!
Hi everyone, I need a little clue on the Footprinting-Hard lab. I am able to get the required ssh private key but not able to successfully log in with the discovered user account via ssh. I get a permission denied (publickey) error. Can anyone guide me on what I must be looking for to move forward?
private key has the required permissions set as needed to be used in the ssh command.
if the problem is permissions of the private key then you need to change it
Ohh you already changed it. Sorry. I dont have much in my notes. Post the error please
Hello.
I'm not really getting what is expected as an answer for this question.
"Enumerate all ports and their services. One of the services contains the flag you have to submit as the answer."
module/19/section/103
can somebody help me understanding?
What's the module name?
So it's asking you to run nmap against the target: potentially use netcat to connect to a specific port (or use --script banner I believe) to get the flag
ok, so these are not the flags of the tcpdump?
in this module it is stated that Nmap sometimes doesn't show everything
Yes and it stated you may need to connect directly to the port
And that module/section demonstrates different methods
I thought it was this kind of flags -> Flags [P.]
nc can show banners and I don't see any kind of similar value/flag like above
I just figured out to use the tool for finding the username in the smtp footprinting module, but I never saw it in the module itself. Is it not there, or am I just somehow missing it?
on attacking sam module, when i try to move the sam file i get access is denis
denied*
tom@10.129.202.20: Permission denied (publickey)
Sometimes if you listen on a port long enough you get the answer
i checked if there is any pw on my smb server running etc
but nope
idk whats up.... :/
Are you running cmd as admin?
yup
i alr made copies of the sam files
but i cant move them
its working now
i hate when im stuck for long time and then when i ask i find the answer
i feel like an asshole xd
Yeah that happens
What is your command syntax?
Hi
I'm stuck in the Attacking common services - Easy skill assessment lab. I have done everything and I have uploaded multiple shells through MySQL but none work. When I open them through the browser they open as a text webpage, no shell and no reverse shell connection obtained. Any suggestion?
done, but is a little bit misleading
Ssh -i id_rsa tom@ip
With -v I see the server is imposting publickey as authentication and not the password for user tom
But I dont have the public key, its a private key
Found it in email
Imposing*
Try ssh tom@ip -i id_rsa
No i have private key
It was in email
okay
then make sure u copy it good
maybe u deleted some part of it or added a space etc..
Yes i am copying it with the full text, including the start of the OpenSSH private key and the end of it, the same way
Oh let me check this again
Try pasting it in different text editors, I've had copy-paste swap letters sometimes