#modules
That's by design
Oh thanks for the fix, it works now!
You're not meant to be able to ping or nmap the target in "public exploits" from Getting Started
You're meant to use the web enumeration techniques
I need to pwn the box and submit the flag and I need to access the machine so you want me to do it without being able to connect to the vpn?
hey guys
in "Service Authentication Brute Forcing" part of "LOGIN BRUTE FORCING" module i can't gain the flag
i brute force with user "b.gates" and password list "William.txt" that was made by the "cupp" script but it doesn't work
can anybody help me :_) ?
You can connect to it in the browser yes?
Use the techniques referenced in the section to enumerate
Which question are you on?
first
Using what you learned in this section, try to brute force the SSH login of the user "b.gates" in the target server shown above. Then try to SSH into the server. You should find a flag in the home dir. What is the content of the flag?
Have you used username-anarchy and hydra to get the password yet?
can i DM you?
Sure, I'm actually at work right now but I have my notes with me on this module. You really should just need to follow the steps outlined in this section.
Bro what module is this
LOGIN BRUTE FORCING
ok
I'm trying to do an enumeration for the "Privilege Escalation" lesson of Getting Started and whenever I try to run an enumeration I'm getting an error
Anyone can help?
I'm basically trying to find the exploit that would allow me to create a reverse shell but I can't figure it out
What does sudo -l tell you
Ok then I am not sure what to do, I did the nmap scan on the target port and tried to run an enumeration in order to find the exploit but it's not working
No that IP is my own, the target is 134.x.x.x
Any spawned system that isn't 10.x.x.x is a public IP on a docker container which generally means you're doing web enumeration
Gobuster, ffuf, whatweb, etc.
The Internet Assigned Numbers Authority (IANA) has assigned several address ranges to be used by private networks.
Familiarize yourself with the private range prefixes so you can easily determine things :)
I've got a question. I'm doing the Responder box in tier 1 Starting Point. You have to add the IP address to your /etc/hosts file for it to load unika.htb. Yesterday I got it to work, but then I got stuck trying to get Responder to pick up anything. Today every time I go to the IP address it can't find the page. On this particular one they give you an IP address instead of <target ip>. Am I supposed to use the IP address given or the one I get when I spawn the box?
Short answer is that it redirects
I don't understand. I thought the order of operations is that run nmap to look for exploits on the target, I run gobuster to look for exploits on the target, and then based on those findings I can run the exploits and that would allow me to set up the shell on the target?
You may be able to run exploits if you search hard enough for certain plugins that are on the webserver
You are on the Nibbles - PrivEsc part or the Knowledge check?
getting command not found this is for the file transfer module and the windows file transfer section
The Knowledge check for the initial Privilege Escalation lesson
Because you're not on the system that would have it

You're on your own pwnbox
Is it the last section of the module? Or is it the one before 'transferring files'
I've unzipped it on that
Incorrect
Hi... I'm having trouble with two questions on the footprinting DNS portion: What is the FQDN of the host where the last octet ends with "x.x.x.203"? and Interact with the target DNS using its IP address and enumerate the FQDN of it for the "inlanefreight.htb" domain. I have tried using different wordlists like Jhaddix, fierce and using smaller wordlists. Still no luck, what am I missing?
Whenever it talks about RDP/ssh into anything it's referring to the target
The one before "Transferring Files"
Pwnbox is an attack machine that's an alternative to setting up your own vm
yeah but earlier its says to rdp to the target
and upload the file
Read the first question carefully, it tells you exactly what to do
They use box and target interchangeably
Pwnbox is never actually needed
Always assume it's referring to target
If it doesn't give an IP then you may need to spawn target.
They'll generally use the terms server, box, target
To refer to the target or initial jump host (for pivoting)
fair
Ok I don't know how to SSH into the server, doesn't it want me to set up a shell?
openssh is the package for ssh
I'd suggest doing Linux Fundamentals course
As most tier1+ modules assume a previous working knowledge of Linux
And basic tools/commands
Hey guys, I'm doing the Login Brute Forcing Skills Assessment and on the very last question. I ran ||netstat ||and don't see|| ftp open just port 80||, which was the case when I was doing the Service Authentication Brute Forcing section. I checked the ||other home directory|| and have that ||username|| part of the puzzle. The hint says to|| use the wordlist on your home directory||, which is the second piece of the puzzle. What am I missing?
Are you using netstat -antp | grep -i list within the compromised machine?
Yes, exactly like it is used in the Service Authentication Brute Forcing section. I had the same issue during that section too. The FTP service didn't show up in the list
That's odd. Are you using the pwnbox or your own VM? It might work better in the pwnbox.
I'm using the pwnbox. I'm SSH'ed into the docker VM after figuring out the first answer and trying to use Hydra within the VM, so there might be something going on with this docker image
the file i got was 0 length for the windows file transfer
Yes, that's possible. I had a similar issue if I recall when I was doing this assessment.
you got it
finished the windows file transfer yesterday
Figured this out...for anyone stuck on this question, the hint gives you the answer, but the brute forcing process takes a very long time even with the -t 4 switch. It took well over 30 minutes for me and timed out a few times in earlier attempts. I think this section of the module needs to be edited so it doesn't take so long. That was disappointing. Other than that it was a good module.
anyone stuck at ACL Abuse Tactics? I always get 'unable to find user damundsen' when trying to execute Set-DomainUserPassword command
what can i do if my vm crashed lol
Cry
i restarted the machine and i cannot even log in now
Oof
fuck ffuf 😢
What happened with your VM?
idk
was using ffuf to complete the module
i couldn't deactivate the proxy and restarted the machine
F
i got it to work
with this video
Hi Everyone Today i Will show You How To Fix Kali Linux
Black Screen The Cause of The Problem is Gnome Troubleshooting
How To Fix Black Screen in Kali Linux
fu** this man fu** this 😭 😩
Trying to get Lazagne.py working on linux, and I keep getting errors as such:
I know I've asked this before, but so far I haven't been able to get any help. I'm in the Advanced Database Enumeration section in SQLMap Essentials and having an issue getting the first answer. It's asking what's the name of the column containing "style" in its name? (Case #1) Does anyone have any hints or clues for this?
I am not sure if I have done something wrong during installation, but I am at a dead end rn and would appreciate any help
I directly copied the source code
python 2.7?
I've found that even when I have finally gotten Lazagne installed, when I ran it, it just finishes and then closes. I've found it pretty useless to be honest.
isn't that finished?
try updating python
Most of the boxes use and have python 2.7
i remember i had a problem with the python version in a module
but i dont remember which
And some of the tools haven't been updated to work with 3.x
I have tried to update python and also install 2.7
Probably the password attacks module with the <filetype>2john
the Password attacks module shows both 2.7 and 3 being used
How long is it till the sunset date? The sunset date has now passed; it was January 1st, 2020. What happens now? As of January 1st, 2020 no new bug reports, fixes, or changes will be made to Python 2, and Python 2 is no longer supported.
Some of the 2johns are in 2.7
its the Credential Hunting in linux section
i use hashcat always so idk
is the tool absolutely necessary?
¯\_(ツ)_/¯
I've found that it's not necessary.
The x2johns?
what module and section?
Password Attacks, Credential Hunting in Linux, with lazagne.py
oh i remember that
I am trying to run it on my own VM currently, is that even necessary?
i couldn't run the lazagne.py with python2.7 i think
You should be running it on the system that you're exploiting
It's possible yeah I just never cared enough to try harder xD
I was just doing it to test it out prior the exercises
with python3 it should work
at least when i did it
spinning up the target now
I have been having a lot of issues with the PW Attacks module... I am also trying to work out pypykatz, but I am going to circle back to that one at the end
You can maybe do echo "" > file.extension
Or
Iirc you can echo file > file
Er cat file > file
Iirc that breaks
And voids it
I know I've asked this before, but so far I haven't been able to get any help. I'm in the Advanced Database Enumeration section in SQLMap Essentials and having an issue getting the first answer. It's asking what's the name of the column containing "style" in its name? (Case #1) Does anyone have any hints or clues for this? I also for some reason keep getting HTTP error codes detected during run 400 (Bad Request). I'm using the --schema switch and so many others like --risk, --level, --random-agent, --no-cast, --batch --dump, --dbms=mysql ... etc. I just can't seem to get this one no matter what I try.
I think you're in the wrong chat. This is for modules. I think you need either General or maybe community-content.
where is general
is there a way to uncap Google's 60 fps cap using a script, preferably javascript?
where do i contact support
Those channels aren't visible to users who haven't verified their account following the instructions in #welcome
Need to speak to a person? Learn how to reach our support via the Main Platform.
ugg i just need help ;-;
Well if you look at welcome it shows you other channels you'll have access to once you verify your htb account following the instructions there
i am verified :/
Now go ask in like #web or #programming
Never mind about my sqlmap question. I think there was an issue with the instance. I got it, finally.
That happens on occasion
any hint for SQLMap skill assessment , I found a db but it seems like empty
ty , I'll try
Let me know! You can PM me
shouldn't be but it's super easy to brick it
had to restart like 30 times debugging some payloads
So I'm at the easy lab of the footprinting module, they ask for flag.txt but I don't see any DNS TXT records for it. There are several IPs but all are unreachable. I don't know if it's a problem on the machine's part... or maybe I just don't know what to look for.
Hey! Someone can give a me a tip on the sql essentials module, more specific on the case 9 ?
The case is about: Unique Value Bypass - this is the command im using: sqlmap -u "http://167.99.85.143:30940/case9.php?id=1&uid=798200900" --randomize=uid --batch -v 5 | grep URI
When i try to run it, it gives a bunch of random URIs that don't work
Okay so I finally got it. I just can't cat the flag for some reason. I can ls to see it but I can't cat it
did u try the nfs?
I never greped for a URI I just let it run
so in the command i don't need the grep right?
No you can PM me if you need to
Nevermind I got it lol
is there any option to show only the results with ffuf
i get too much trash on the screen
i'm in the Windows Fundamentals thing but i get "do_connect: Connection to 10.129.203.195 failed (Error NT_STATUS_IO_TIMEOUT)" when trying to use smbclient
i'm on NTFS vs. Share Permissions
do you know some the most recent/up to date blogs related to: retired HTB boxes, write-ups on recent exploits/attacks, Active Directory exploitation techniques, CTF event write-ups, bug bounty report write-ups sites etc.
guessing classic overthinking how to get the contents lol
Online I've read stuff about the firewall but the section doesn't mention that at all
Hello. I'm stuck on the footprinting lab Medium. I would appreciate any help. Please DM me if you can offer any help. Currently, I mounted the NFS and logged in as alex on the RDP port but I can't access the database and I can't log in using the user sa.
Alex is not allowed to access the database. You need another Windows user
@acoustic owl can i ask u about the ffuf module?
sure
i'm in the section value fuzzing
i know that the value i have to fuzz is ||id=FUZZ||
i created a list with 1000 of them but no luck, now i created one with 100000 and nothing either
Send me the command you used by DM
A list with 1000 entries should be enough
I can’t spawn an instance of pwnbox. Can all the submitted exercises be completed using the Parrot OS HTB pwnbox in a VM?
You can use a VM with the operating system of your choice instead of the PwnBox. To access the exercises (except Docker), you need a VPN connection.
Is there anyone available to assist with the Bypassing Web Application Protections section in SQLMap Essentials? None of this makes any sense and I can't even get the first question answered.
there's a small couple of labs that are a bit buggy if you're not using pwnbox, but otherwise the vast majority of content can be completed with a VM
What exactly doesn't make sense in your opinion?
Did you specify the CSRF token name?
Well, I don't know what happened. I just hit rerun and the flag popped up. I'm working on case9 now.
Have I asked this in another Channel?
Send me the command via dm
Okay, will do.
nsf?
can anyone here help me real quick with the DNS section in footprinting? So if I cannot perform a zone transfer I am assuming I have to brute force the subdomains, but every time I try to brute force it with fierce it takes forever to load then times out. What should I do?
You have to find all the zones first. Once you have found all the zones, you can, as you correctly guessed, query the zone accordingly
The app and the Academy each use their own accounts.
So I did a dig axfr with the target IP and I see the same subdomains as when I brute forced it. I cannot dig all the subdomains as it says transfer denied or connection timed out. Can I get a hint please, what am I missing? I am trying to answer these two questions: What is the FQDN of the host where the last octet ends with "x.x.x.203"? and Interact with the target DNS using its IP address and enumerate the FQDN of it for the "inlanefreight.htb" domain.
Then I have to pay for both when I want a subscription. Right?
Why do you want to bruteforce a zone (automated queries with dig/nslookup) if the zone allows a zone transfer and thus gives you all data voluntarily?
Yes, the Academy and the main page are separate things. There are subscriptions for the Academy and there are subscriptions for CTFs
The specific zone with 203 doesn't allow axfr iirc
It's a subdomain of a subdomain though
a.b.inlanefreight.htb
I was trying to brute force the zone that gave me the "transfer failed" and it keeps timing out. You said I have to find all the zones first before I can brute this?
Hint: make sure you have all the subdomains to try and brute
For instance the command will have b.inlanefreight.htb using the automated tool
I've seen some people's subdomain list missing the proper subdomain to brute into
Remember that not every zone allows a zone transfer from everyone
ahhhh ok that does clear some stuff up for me, thank you. I guess I haven't found what I was looking for yet, appreciate the hint.
Hey payload I have an idea how the automated tool works but can I dm you to see if I'm right (not at my computer to actually look at it)
I am currently not at the computer either. But yeah sure, send me a DM
I'd like to look at it this afternoon
and app.hackthebox.com and ctf.hackthebox.com are different, too?
I'm in the middle of doing the easy lab of the footprinting module. I did the nmap scan and discovered || ftp.int.inlanefreight.htb || but I don't have any credentials and || anonymous login seems to be disabled ||, however, I did not discover it with || dig axfr inlanefreight.htb @rustic sage || which leads me to think the || DNS server is hiding some domains||, but no matter what list I used it doesn't seem to work. any ideas?
Have you tried using nmap?
yes
What switches have you tried using?
Anything?
OMFG
I don't care... the Hint has credentials in it. that's dumb af.
Oh, right. Yeah, I thought that was kind of dumb as well. you really can't get anywhere without the hint.
weird. maybe there is but very few has found it? still
I fucking can't with these unstable boxes.. either they block you way too early or they are just borked. I'd rather download them and do this offline if I can.
The ability to adapt and overcome is a solid skill to have in your toolkit
This is the one with the c* user yeah? And the ftp on port 2121?
Guess what happens when you connect to the alternative port. (It's in the banner)
I dunno... But one bad login attempt and I'm locked out
Dude I just can't with this... the box is fucked. I even restarted the box it still gives me || permission denied public key || but it let me the first time I try. and then bamm, donezo.
is there any tech support regarding these? this can't be expected behavior
Can i DM?
well, if you are not giving the proper permission on the file it will always throw out the permission denied publickey error
I don't have a file. I tried enumerating for hosts to get it from but every single host returns "out of reach". I just tried to login with the credentials.
also there is a service running on non-default port
Yes.
You mean the proftpd one?
play around and you will find out
and feel free to check the hint for the exercise
In the Password Attacks - Hard Lab, I can see there's a .vhd file. I can only run as the dav** user with runas and can't take any other session. Should we download this to the local and mount it? It's a big file and trying to download it failed just now and I'm wondering if It's my network issue and I should try again
I tried using the credentials in the hint to login to the ftp server || both 21 and 2121 || to no success, i noticed the url does show a subdomain || ftp.int.inlanefreight.htb || but enumerating that gave nothing. As well as all hosts discovered in || dig axfr inlanefreight.htb @{IP} || . I exhausted my attack surface.
I have no idea what else to do
the credentials are not an issue, all I'm going to say is that they are valid
and there is no need to enumerate any kind of subdomains or domains
That's weird... Because the "story" here is that we are asked to enumerate the DNS server. So i figured it's part of the exercise
I dunno... Am i supposed to get a file somewhere?
yes
Can I DM someone about Using Julio's hash, perform a Pass the Hash attack, launch a PowerShell console and import Invoke-TheHash to create a reverse shell to the machine you are connected via RDP (the target machine, DC01, can only connect to MS01). Use the tool nc.exe located in c:\tools to listen for the reverse shell. Once connected to the DC01, read the flag in C:\julio\flag.txt. it's in Password Attacks Pass the Hash
Is it okay to ask this? I just see that I posted the same question in #1024429874246590575 and It got locked?
well, I have given you a hint, so there is no need open a thread
Oh this reply was for me? My bad.
yup, so go for it
@dapper star I was able to complete this but I still have a bit trouble understanding how it actually works. I have doubts like why it worked, so if you get an explanation, can you share the logic alone?
Sure, tried it several times but this one confuses me
Like, why I wasn't able to explore the share when I logged in as Julio user but I was able to when I opened a cmd with pth for julio
I got the full file downloaded, I tried using a different file transfer method this time rather than winrm download. Not sure if the issue was with my network or winrm.
Thanks tho
Do i get the file before using the credentials? Do i get it from the same host?
🤷♂️
I tried going over all the services... All give access denied
I'm not learning anything new or exercising something I learned at this point. I'm looking for solutions online...
taking breaks usually helps
is there something wrong with the instances lately. Im doing attacking common services and it takes me 3-5 restarts of the instance for it to even work properly
Module Introduction to Windows command line Command to start Windows Defender Service is Start-Service -Name WinDefend and hackthebox refuses it
there is NO WAY I would have thought of doing that without outside help... there are too many possibilities and the fact you || can't login straight up with the credentials || is a huge throwoff.
Ok now what does a proxy FTP server entail? I searched online and couldn't find any good explanation
Hey guys is there a way to make an android game play on itself using any script
Like it farms on itself
No use of fingers
Maybe there will be something in the new game hacking module, either way that sounds illegal.
I have a question on the Pivoting, Tunneling, and Port Forwarding module, in the "Remote/Reverse Port Forwarding with SSH" section.
I see that first we create a windows payload with msfvenom, then we get the listener set up in msfconsole, then we transfer the payload to the pivot host and start a web server on the pivot host with python in order to download the payload to the windows machine from the pivot host, but this is where my confusion starts. The next step says to use the PowerShell cmdlet Invoke-WebRequest from the windows target, but wouldn't that mean we already have a shell on the target windows machine if we have powershell access in order to run this cmdlet?
If we have shell access on the windows host, why do we need to download this msfvenom payload at all?
I'm stuck in the skills assessment part of the web service and api module. can you give me a hint?
Proceed as shown in the module
I believe the whole point is to get a meterpreter shell (any kind of shell) on the windows machine directly in the attacker machine, so that you have more flexibility and can do more such as using direct exploits from the meterpreter session.
The line the module that starts with "There are several times during a penetration testing engagement.." would give a detailed answer to your doubts.
Remember that in XML special characters must be encoded differently. Sorry, the link is german, but you can translate it for sure.
https://wiki.selfhtml.org/wiki/XML/Regeln/Zeichen
Much appreciated, I am not certain how your comment actually helped but it did
anyone done this question? been stuck for 3 days now cx
Use the LINUX01$ Kerberos ticket to read the flag found in \DC01\linux01. Submit the contents as your response (the flag starts with Us1nG_).
Skill Assessment- Web Fuzzing- Anyone experience ffuf not passing arguments you give it? I've used it "okay" thus far but, now it's being all wonky and won't filter any results I tell it to filter.
For instance- It won't filter out any 403 codes when I use the "-fc 403" and also won't output to any files anymore.
It's way too much data to just parse through, hence the filters.
Anyone know how to keep it from being all janky? 🥴
Anyone else having issues with Windows Privilege Escalation Skills Assessment - Part I? I can't ping the target with my own attack box or the HTB pwnbox, tried resetting the VPN multiple times but still can't ping the target. I tried other modules and it works just fine.
Hi Admins, I have made a mindmap for Pass the ticket section and I needed to confirm, Can i share mindmap( self made )here for ease of others?.
how can i unzip over ssh
can't install unzip and i can't see any other way after googling it
I have a question. If I successfully complete a module, will I still have access to the learning materials and their respective lab after my subscription ends?
Yup, as long as you complete it.
Don't you have jason's password? No need for rsa file.
Even if you drop the -i flag?
Restart the machine.
VPN or pwnbox?
I'll load it up. DM me.
Can I get some help with Login bruteforcing section's skill assessment - service login?
I have been stuck on this for quite some time, I have tried multiple methods to create the wordlist but I am not getting any hits whether my wordlist is 5k, 8k or 15k.
i'm getting "virus detected" every time i try to download a cheat sheet from a module
In "Password Attacks - Credential Hunting in Linux" I am on the target as Kira, and I have been searching for two hours now for wills password/a way to login as will. Any nudges? I am pretty lost with this now
Reading the bash history is always useful.
Thanks, I just created the needed file myself and was able to grab the password easily. didn't realize that was the hint... definitely changes the way I look at things that could be potential hints
guys i'm totally new to coding and i'm planning to study hacking
what coding language should i use?
python?
depends what you want to do
also this is not the appropriate channel for programming questions, better to ask in #programming
Hi, in the footprinting module, in the easy lab i don't know what to do.
I found the ftp and the ipmi (which i tried to access using cipher zero, but it didn't work). Looking at the hint I can access the ftp with the credentials and get the flag but without the hint I would have no clue how to find these credentials
to exploit IPMI I tried doing
||ipmitool -I lanplus -C 0 -N 15 -H 10.129.X.X -U USERNAME -P randomPass ||
with USERNAME as admin, root, administrator
I always get in return ||Error: Unable to establish IPMI v2 / RMCP+ session||
why does it say i don't have access
Ask mods idk
And I'm stuck again... man these labs are kinda the worst. the medium footprinting lab hint is talking about || sql server and that systems have administrators || but I got nothing.
Which employee is suspected of performing potentially malicious actions in the live environment? == Bob
goddammit bob...
Intro to Network Traffic Analysis 🙂
Hlw
Stick to the tools discussed in the module
Hint: the foothold account has plaintext credentials somewhere
I just went on the internet for help. I'm done doing these "blind". I learned more from just looking up the answer tbh
Can somebody help me on sqlmap Attack Tuning Case6? I've wasted days of my life and I just don't get what they want me to do. 😫
- I get that case 6 it's about changing the prefix. I did that.
- I already tried a gazillion possibilities, including raising level and risk, randomizing user agent, focusing on the right table, ...
I'm not able to figure out what I'm missing...
I'm using these flags: --batch -T flag6 --prefix='`)' --technique=U -t output.txt -p col ...
I know that there is something I'm missing. Any nudge in the right direction is greatly appreciated before I throw the computer out the window. Thanks.
dm
I looked up how to start. || the rpcbind version confused me from checking what the port belonged to. it was NFS, my fev, got alex and his password now looking for a service to log into with his credentials ||
You got this
Hey guys, I have a question about the File Upload Attacks Skills Assessment. When I go to upload an actual jpeg file and hit the submit button I just see a GET request with 4 parameters (name, email, message, and uploadfile). I don't see any data from the jpeg file. I tried intercepting the request and changing it from GET to POST, also tried change body encoding, but I don't see any data in Burp. Is that by design? or is my pwnbox having issues?
Turns out the pwnbox was the issue. For anyone working on the File Upload Attacks Skills Assessment be careful when using the pwnbox because the local Firefox install has issues and will not display items properly and you will miss important traffic in Burp Suite like the POST request when uploading an image
Why would you use the Firefox install rather than the built in Burp Suite browser?
So in medium lab footprinting || I was able to login with xfreerdp to alex with his password, but when trying to connect with sql management I get a weird error that says there is no service at the other hand of the pipe || ideas?
did you click the green upload button
On Active Directory Enumeration and Attacks Module - Privileged Access section. The second question “What host can this user access via WinRM? (just the computer name)”. Does anyone know an effective way to find this information manually using PowerView rather than Bloodhound?
The modules teach you to use Foxy Proxy and I forgot about the built in chromium browser
Yes. It is 100% a pwnbox issue, likely FireFox. I also noticed that more of the Contact page loaded when I used my own personal VM instead of the pwnbox
Is there somewhere that you can notify a pwnbox issue so it can be fixed ?
Yup, in the bottom-right corner of the HTB academy site there is a Messages icon you can click to get support. I started the request so when someone gets back to me I'll let them know so they can fix it
Did anyone else have issues with the Password Attacks - Password Mutations module? Hashcat has been running for almost two hours and still hasn't cracked the password.
Try ||cutting out the first 17000 lines from your mutated list.||
Does it matter if you're using the pwnbox or not?
I tried downloading the file on to pwnbox to work on it that way, but it crashes when I try to log on to the website.
Got it. Thank you very much.
Now I am 4 hours in and can't answer any lol and was sure the user is htb-student and now not so much
happened to me on local file inclusion too so I am probably the problem lol
I learned so much before going to Hack The Box and now I feel like I know nothing every time they challenge me to death lol
||there are more credentials to be found still||
hello all, please give me a hint on this question .... i am not able to spawn a reverse shell although i followed the steps in the module
section: password attacks
module: pass the hash
Using Julio's hash, perform a Pass the Hash attack, launch a PowerShell console and import Invoke-TheHash to create a reverse shell to the machine you are connected via RDP (the target machine, DC01, can only connect to MS01). Use the tool nc.exe located in c:\tools to listen for the reverse shell. Once connected to the DC01, read the flag in C:\julio\flag.txt.
appreciate any help 🙂
I sent you a message.
anyone complete the Documentation & Reporting practice lab?
Not yet, but will be excited to start.
Hello, I am in the "linux password attacks/credential hunting" section. I am supposed to find Will's password. I tried to ssh the machine using
"Kira:LoveYou1" as stated by the hint. Didn't work.
kira:LoveYou1 didn't work either
I tried then
hydra -l Kira -P password.list ssh://IP
hydra -L kira -P password.list ssh://IP
Nothing worked.
Is this expected? Did I miss something?
sorry hydra -l kira ...
You have to create your own password list with the given password
you can use hashcat mask attack: https://hashcat.net/wiki/doku.php?id=mask_attack feature for this
incidentally, that's what I'm doing right now 😮
but for something unrelated
ok thx
i'm doing the Active Directory Enum and Attacks module and the RDP connection to the parrot host is painfully slow, is there anything i can do to improve it?
Are you using pwnbox or your own VM
Wait you’re RDP’d into a parrot host?
Or you’re using an RDP client on a parrot host to remote into a windows host?
im on my own vm, rdp'd into a linux host, "Scroll to the bottom, spawn the target, connect to the Linux attack host using xfreerdp and fire up Wireshark to begin capturing traffic."
Ohh okay, I was curious what the purpose of RDP into a Linux host would be, but I assume it’s because Wireshark is generally taught through the GUI. If the RDP connection is too slow to the point of being unusable, you can alternatively SSH into the machine and use tcpdump and apply the same rules and you should get the same PCAP file, which you can analyze on your own VM with Wireshark
Because both wireshark and tcpdump use the libpcap packet capture library to produce the PCAP file
thanks, ill try it that way 👍
worked a treat
great!!
can someone help me rectify the following
Hi, I'm currently in DNS footprinting and stuck in the last question "What is the FQDN of the host where the last octet ends with "x.x.x.203"?". Just want to ask if the dev subdomain is the right path? Thank you.
Did you try single or double quotes?
I've been doing the ad one and it tells you to RDP because the ad is an internal network to simulate multiple boxes. You would have to use the tunnel through the windows/parrot box to get to the internal network.
@spark vector on the password and username fields ? no i have not.... i can try though
@spark vector so it kinda worked.... this was the result with double quotes
but then with single quotes .. i got the same error but the session opened
is this lost magic ?
dm
Look up string literals in bash. Try putting a dollar sign in front of the double quote $"pssword123"
When you use double quotes in bash, bash does what’s called “parameter expansion”. It replaces, or “expands”, the parameters (indicated by $ sign) with the parameter’s value. In this case, you entered “$$” which expands to the PPID of the current process iirc.
For example if you enter the following command you will get the PPID of the shell:
echo $$
So your first command is really using that number^
When you use single quotes, it’s called literal string, and there is no parameter expansion
GETTING STARTED-Public Exploits
My question is “Try to identify the services running on the server above, and then try to search to find public exploits to exploit them. Once you do, try to get the content of the ‘/flag.txt’ file. (note: the web server may take a few seconds to start)”, i used nmap -Pn -sC -sV -p[port] [host] then got:
"└─$ nmap -Pn -sC -sV -p31770 46.101.2.67
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-22 00:02 EDT
Nmap scan report for 46.101.2.67
Host is up (0.22s latency).
PORT STATE SERVICE VERSION
31770/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Getting Started – Just another WordPress site
|_http-generator: WordPress 5.6.1
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service detection performed. Please report any incorrect results at Nmap OS/Service Fingerprint and Correction Submission Page .
Nmap done: 1 IP address (1 host up) scanned in 31.80 seconds"
I tried searching on Google with ‘WordPress 5.6.1 exploit,’ but I couldn’t find any public exploits to use for ‘msf>search exploit [plugin_name].’ Can anyone help me with this step?
Nmap will get you nowhere, perhaps visiting that site in a browser will get you better results ( http://IP:port )
Module:ATTACKING COMMON SERVICES
Section: Attacking DNS
Question: Find all available DNS records for the "inlanefreight.htb" domain on the target name server and submit the flag found as a DNS record as the answer.
Results:
Stuck on this one. Any hints would be appreciated.
- I located all three subdomains h*******.inlanefreight.htb, c******.inlanefreight.htb and n*.inlanefreight.htb.
- Performed dig on all subdomains (dig any @ip subdomains).
- Used subbrute on domain and all subdomains.
I accessed http://46.101.2.67:31770, but I'm not sure how to exploit it to retrieve the contents of the 'flag.txt' file. Can you guide me through the process?
Perhaps there's a vulnerable plugin
You're missing one
Iirc
But you also shouldn't need to subbrute for the text record
If you can axfr
I am losing my mind over how to crack WINRM when theres no password or username I used about 5 wordlists and no luck
Here's the part where you learn there's probably a wordlist in resources
attempted the rockyou.txt too T_T
Look at the page of the module. Look for a button that says resources
Hint on how to obtain the missing domain iirc? I can't find this one.
Since I guess the first time I said it was too vague
Iirc just means if I recall correctly
lol I went looking for folder in pwnbox lol but thank you too 🙂
It's not the name of the subdomain
as long as I am not the problem lol
it's always user error
lol yeah
Module: Getting Started
Section: Public Exploits
Question: Try to identify the services running on the server above, and then try to search to find public exploits to exploit them. Once you do, try to get the content of the '/flag.txt' file. (note: the web server may take a few seconds to start)
Can anyone who has solved this question help me with the steps to solve it? Thank you very much in advance
Use the tools from this section to solve it
Lol
It's not something crazy
So far I only see the 3 subdomains - h**.inlanefreight.htb, c**.inlanefreight.htb and n.inlanefreight.htb. I'm brute forcing.
I have tried, but I didn't get good results and I'm not sure what to do next, Can you help me with the specific steps I need to take
It doesn't have to do with WordPress, rather the plugin it's using
Which it's nice enough to tell you
hey so i just wanted to ask if it's possible to download for example the wordlists that are on the vm from the academy. I mean ik that i could copy-paste etc, but yh just wanted to ask if there is like an easier download from the files that are in there
They are mostly from seclists
thank you :)
I might be dumb but i am on the Learning process Module and i cant answer the last question
What's the question?
can i dm u
Math
50064.rb
Hi
Greetings toast's havers. I have come to ask a question. If a host has 2 ports used for nfs, will it follow I should somehow scan both for diff shares?
|| I have the sa:87N1ns@slls83 and alex:lol123!mD, I get the error with sa, and with alex's credentials I get invalid credentials || I need a hint.
have you selected a database before trying to log in?
default?
I didn't change anything and ran into the same issue that you're having right now. check through the available databases and see which one would be interesting. you'll have access to that one
ok, I'll check it thanks!
sure thing 🙂
I can't seem to even get available databases.
I think user || sa is not configured to login... I'm getting login failed for sa after the first attempt, which fails with "no service on the other end" error || @heady tusk
alright my notes on this one are pretty bad so gimme a couple of minutes to run through it again
thank you 🙏
https://academy.hackthebox.com/module/115/section/1109 In this section on the last question, I got shell and got flag too but the academy section isn't accepting the flag, can anyone help me ?
alright, which user are you rdp'ed in as?
|| alex, I tried sa with the password but got a login error ||
||Think about what 'sa' means||
|| sa == system administrator, ||
oop
got it
😄
feel free to dm me, I can verify
awesome 🙂
def adding that to my notes
definitely a good idea to check that 🙂
well the || HTB user isn't on the DB. which sucks. but maybe I need access to somewhere else with these accounts?
||
nvm
found it
😄
great 🙂
Hello everybody. I'm in "Reverse Shell & Payloads - The live engagement" and I'm having some trouble adding the payload in metasploit. The file is in the correct directory with correct permissions, but it never shows in metasploit. Any advice?
any program on htb recos for people who are just starting on a entry level job as infosec analyst
i think you copied the flag, check if you didn't copy a space too and remove them
where did you put the module?
daim the hard footprinting is tough...
Has a bunch of steps for sure. But it's doable, just keep methodically running through everything you've learned
Am I supposed to use previous credentials?
No
Ok, so || I only see ssh, 2 imaps and 2 pop3's ports. all of which require credentials...||
Then you're missing a service
Well I did -sS I got || only 5 ports open... 2 pop 2 imap 1 ssh ||
Well yes. And that's the correct result for that scan
Good luck 🙂
-p- (I'mma go make me coffee ig...)
Did anyone have the same problem with the vaccine tier and the vi program? Because when I tried to type the command :set shell=/bin/sh and then typed :shell it showed me an error "Not an editor command: shell"
r u sure?
100%
|| so 6 ports should be open? right? ||
Well for which protocol?
Or anyone that could help me with this problem?
I don't know, I'm asking to know if I should look more into nmap or maybe there is some other tricks I'm missing
Nmap is the tool for the job here. Look into different scan types
aight thanks! don't tell me more 🙂 unless I'm really going off the path..
|| My slow UDP scan seems to have found 50+ ports wtf ||
Ugh that shouldn't happen
most probably are false positives
the command || sudo nmap -sU -sV -sC 10.129.202.20 -oA nmap_scan_udp ||
I'd probably omit the -sC cause it's really slow
Well if it's fast enough sure keep it
I just figured while I'm doing other stuff I'll let it run. so didn't mind adding some stuff
Fair point
/usr/share/metasploit-framework/modules/exploits/linux/http/XXXXX.rb even a copy in /root/.msf4/..... after creating the folders.
I FUCKING KNEW IT! || it's snmp on 161 I was missing right? ||
That does seem correct. Did you reload msfconsole?
a lot of times, with and without sudo... It works on my local Kali indeed.
And on pwnbox it doesn't?
good point! I'll try.
not working on the pwnbox...
Even if the module doesn't show up in search, can you load it using it's full path?
nothing... 😫
|| how come it responds to v2c when it says it's snmp version 3? is that the misconfiguration? backward compatibility? ||
Seems like it
hey guys, would anyone be willing to help me / give me hint with one question form Attacking Domain Trusts - Cross-Forest Trust Abuse - from Linux module?
sorry, the module is ACTIVE DIRECTORY ENUMERATION & ATTACKS
that was a section
which question
finally got it... just made a copy paste in a new file with nano then called it directly with the path
psexec
ok I get a hang every like 3 minutes... is it just me?
Thank you! I've tried playing around with psexec.py but it didn't work for me the first time. ||I was not supposed to use the -k flag.. since well, it's not a Kerberos login. ||
do you have a forum acc? i will tag you and you can answer my question.
most probably, yes
how do I fix 😦
check your tun interface, if there are multiple kill the process and reinitiate it
reach out to support for further checks
I think I figured it out
I am using a vm. and on my host I also started the vpn connection.
so I closed the one on the host and now it's stable.
Yeah that'll do it
well, you are in the home directory which most probably doesn't contain any of the specified files you are looking for
footprinting hard || I got tom's private key and password, logged in. now I know he has a file in /opt/ that should change his password.. it seems bad, but tom also doesn't have root. I see mysql evidence but I don't really know how to proceed.|| any tips?
so what should I do?
damn i feel like such a spoiled little kid for asking these questions
think about the filesystem, how it is structured and you will be one step closer
hi, anyone know, to take the htb cpts, if i am a beginner, do i have to complete all the tier 0 modules first before embarking on the htb cpts path?
you mean me?
nope kikirikikokos
probably me
ok
wait
don't tell me I think I found something
BAM.
done.
finished footprinting! yaay!
it says i'm at /home/htb-student
isn't that where im supposed to be?
idk all this "ssh" thingy confuses me so much
Don't you bring that here buffet
Ssh is just secure shell aka remote access. When you ssh as a user you land in their home directory. Doesn't necessarily mean that's where you need to be
Think of ssh as just being on a system
you either need to be at the root folder or to specify the path in your command
@rustic sage not the place
it's like being dropped on an island from a plane, you have no control of where you land? is this analogy correct?
well, to be precise -> I don't understand how do I get to that system
like htb-student
ssh htb-student@white rock address
Yes
what is "htb-student"
The user
their email address?xd
username of what
do you type your username and password when starting up linux?
God this feels like a "the door to the microwave" moment
you can specify a specific port number when you ssh too.
with a -p option if i remember correctly
Not always it depends how many users there are
thanks. i find htb academy more comprehensive than other websites. it's pretty good.
That sounds correct
so if i have your username, pass and ip, i can look through your pc and all of its files?
the port number is like a door number.
the ip address and the port forms the socket.
the socket is an interface between the application and transport layer.
like i understand it only enough for the module, so i can finish the questions
some places might have restricted access i guess.
you must use ls -la to see the permission
Just what's restricted to that user
there are generally 3 kind of permission.
r - read
w - write
x - execute
then there are 3 kinds of user based permission group
owner, group, others
each one of them has their own set of permission which is mainly rwx
??
wait
so if you are not the owner && if you are not part of the group that have read permission && the "others" does not have read permission THEN you cannot read the file
i think im having issues with either my internet connection or htb
because i wasnt able to do basically anything
can you access google🤣
i was like typing and nothing executed
Question: Is the information in the "Hint" of footprinting Easy possible to find by enumeration alone?
Yes. If it's the c* user look at the open ports. Iirc when you connect to one (username not needed) you get a banner. all that's left is a password to rock with hydra or crackmapexec
Thanks.
I did it the brute way on my second go of it to fix notes
@edgy trellis
i cannot remember so much stuff.
guess taking down notes is important for cpts 😅
The exam is open notes
true, but i guess some things are important to remember by heart.
like what port correspond to what protocol
some of those things are learned by repetition ¯\_(ツ)_/¯
since there is so much information in a single module. how do you choose which part to include in your notes?
isnt http port 80?
Don't lie
🤣🤣🤣🤣🤣🤣
What is the 2021 OWASP Top 10 classification for this vulnerability?
for starting point
sometimes i feel i started learning too late.
Stop spreading disinformation
What is the 2021 OWASP Top 10 classification for this vulnerability? I can't answer this question on "Appointment Bot" in starting point.
don't believe everything you see on the internet - abraham lincoln
I did
I can't chat on pwnbox
where tf am i supposed to ask then
There are instructions on how in #welcome also pwnbox isn't the right chat, there is a starting-point chat you'll be able to access once you follow instructions from welcome
@spring tundra it's Suit, message me pal
Which makes me highly doubt you actually read
Yakhi ks omak
Search it up on google
I don't care enough
Ok then smd
No need to be hostile my guy I'm pointing you in the right direction
you said i can't read, you're trying to be a smartass
Do you realize how many people come into this server daily on some dumb shit?
Hello smart people! I'm doing File Upload attacks - Blacklist filters. I've found some extensions that give me a good response. But when I run any php code it ends at the first ">". Is this because the extension can't properly run php code and I have to find another one or am I doing something else wrong?
You act like I murdered your father just because the verify may not have gone through yet to prove you read and did it
@fathom pendant said he doubts you actually read, he did not say you can't read
do you get paid by htb to reply to everyone's comments
It looks like it's blacklisting it potentially
I wish
Ok then stop licking the tip
Chill bro
dude stop being toxic
hahaa
With an attitude like that I'm surprised if you get any actual help
And I was actually going to be willing to help you in that channel too
debate about hacking related stuff, not some random bullshit
Yes correct sorry about that
Either way we're straying off topic of this channel
Did you figure the module out?
in the information gathering - web edition they recommend signing for hackerone and reproducing something? I didn't quite understand what they mean.
OH, ok. seems to pay very little anyway
I have a question on the Password Attacks module but a picture would spoil it. I am trying to crack a hash but I am not sure if I have this in the correct format, I keep exhausting the wordlists.
yooo can we please keep this chat on topic
it's not?
it's not a channel for chit chat unless it is module related.
If it's the first one then there's an open server to grab creds from: the rest of them use the mutated wordlist you craft from the resources from the module
With some tools you can hash the wordlist and check if the hash matches
Sorry
can you point out where? I'm confused. just for future reference
Also hashcat will straight up tell you if it's an incorrect hash most of the time
It's the Passwd, Shadow & Opasswd section. I am exhausting both the password.list and mut_password.list
Maybe I'm crazy but isn't the supposed hash missing a character? Iirc you have to use a charlist to add the last char and then dehash...
It should be in the mut_passwd
I am going to re mutate the list to ensure it is working properly
For the pass attacks module? No
got it, I may have the wrong thing in there
Make sure you're using the correct mode as well
cracked... thanks
hello all please give me a hint on this question .... am not able to spawn a reverse shell although i followed the steps in the module
section: password attacks
module: pass the hash
Using Julio's hash, perform a Pass the Hash attack, launch a PowerShell console and import Invoke-TheHash to create a reverse shell to the machine you are connected via RDP (the target machine, DC01, can only connect to MS01). Use the tool nc.exe located in c:\tools to listen for the reverse shell. Once connected to the DC01, read the flag in C:\julio\flag.txt.
appreciate any help
.
any help plz
hi, i'm stuck with imap command. i need do command 1 FETCH 1 all but did not show
1 fetch 1 body[]
solved. thank you)
Read this section again
Pass the Hash with PowerShell Invoke-TheHash (Windows)
@sonic moon I am having the same issue, mind if I ping ya for a nudge?
hey, i need a hint at the file inclusion module, to be more precise with php wrappers. So i was able to create a cmd shell and can use cmd commands at the end of the url (i use the data wrapper to complete the exercise.) However if i type something like "cmd=dir" at the end of the url, it doesn't show me a flag file. I also tried to add (idk if that works) more cmd commands by adding them with "&cmd=cd .." for example because i thought i might need to go a directory above, but it won't
WTF IS HAPPENNING WITH ACADEMY SITE????
I CANNOT DO A SHIT IN ACADEMY
I am also stuck there
idk what to do
that's weird
i just solved it.... the issue was that reverse powershell was not working on port 8001 i don't know why although in the module they used 8001 ................. i tried port 443 and it worked
feel free to dm me if you're still stuck
I kept looking and found it eventually. Thanks tho!
awesome 🙂
So... Much....repetition ;~ ;
Signed---Windows AD Enum & Att
feel free to dm me if you still need a hint
The pivoting module is by far the worst on repetition
Different tools same results
agreed
The website works normally
By the way, your caps lock key seems to be broken.
ssh htb-student@<ip>
ssh: connect to host <ip> port 22: No route to host
Are you connected to the Academy VPN?
yeap, even I changed it
are you running the pwnbox and VPN at the same time?
Also when you changed it did you redownload and restart the ovpn service?
nope
Are you using the in-browser pwnbox
that's strange
nope
Ok so VM > you downloaded the new config file to your VM and are running it there yes?
yes, I did restart the instance
That's not the question
sure
It's a yes/no question... Not a 'sure'
Ok so if you do ip a do you have a tun0 interface?
yep
Sure can be ambiguous, as I'm unsure of your actual technical knowledge
The command would look like this then:
ssh htb-student@<ip>
Note, replace <IP> with the "spawn target" IP
You aren't also running the VPN on your host machine, are you?
could it be bc of some "broken" packages?
As far as I know Parrot OS likes these type of errors, as I am using Parrot.
so I dont know, maybe smth wrong with my OS, let me try on pwnbox
yeah I know it, I just did not want to show it
No route to host indicates most likely a DNS/network issue
Hey academy password attack ?????
After changing VPN region did you hit the refresh button next to the target IP to respawn it?
What's your actual question
I am stuck in rdp username enumeration.
try to use other lists, that you have created on your own, I had this issue while going through it, so try to change your list, basically this is the problem in most cases, good luck
Guys anyone done DNS takeover?
Which section
What module does this relate to?
It's a real world vulnerability
I dont have such problem on pwnbox
Read #rules and #welcome this channel is dedicated to questions about the modules found at https://academy.hackthebox.com
That wasn't my question lol which exact section are you on so I can walk back through it
on the footprinting medium lab, did anyone have issues with the password throwing a bash error all the time?
Put it in single quotes
And sometimes distinction is unreachable ????? Why.
idk about that one specifically but if you're supplying a password as a cmd line argument its special characters can sometimes get interpreted as bash special chars, so you have to wrap it in quotes
It's reading $$ as a variable
Network issues on your end most likely
single mother effing quotes that worked 🙂
Module: Linux Privilege Escalation
Section: Kernel Exploits
Although I had a problem with Attacking common apps
Section:Attacking Thick Client Applications
then I jumped on the next module, just hoping that I wouldn't have a problem, that's basically it.
The other option is to put a \ before every special character
now its strange
I forget what services are running on that lab
just look around, u will find it I am sure, only if you look closely for which service to look at, and which wordlist to use
is there anything to suggest to fix my problem?
dm if someone need help
okay, now it works, I redownloaded config for vpn and restarted the session
thanks for assisting me G.
out of curiosity, is there a module for c2 servers/tools in general?
I used hydra, it showed me root and a password but it cannot work
nice question, I would take it if there is one
hm, maybe u are connecting with wrong tool?
no but Ive heard rumors that they might make one
it'd be cool if it included how to write your own basic C2. i know there are lots of examples out there, but htb content is great
Hello there 🙂 Could someone give me a hint for Windows Privilege Escalation Skills Assessment - Part II - 2nd Question? 
You end up figuring it out? I'm not seeing the memory address they reference // MAP -RW-
Use the wordlists from the resources tab
I have follow up to this. In the challenge it says we cannot attack as it's supposed to be production servers, would a brute force not count as an attack/exploit?
It's an attack that does not cause a denial of service
That's more of fluff to say don't remove or delete files on the accessed server
Perfect, thanks for clearing that up. Just fyi it said my attack with rockyou was going to take like 945 hours even with doubling the threads, is that normal?
actually will use crackmap to see
someone who completed login bruteforce - login form attacks
i got the flag but it doesnt work lol
Afaik hydra doesn't have a winrm option as well
well spoilers, turns out I was bruteforcing the wrong service
so that makes sense
crackmapexec has it
no? if i remember well
Yes
You may also need to add the --local-auth flag
Disregard, figured it out... read all the steps folks
reload the page and make sure you have no spaces at the beginning or end of the flag
Best tip: once you get initial access look for the C:\users directory that will narrow your user list down :)
Hi everyone, I'm in the nmap module, in the hard lab, and I'm a bit stuck, I found some ports open with their versions, and others filtered but after being banned several times while trying I didn't succeed. Can I dm someone who can help me pls?
Make sure you use the correct source also you might need to do a -sS scan alongside it. I'd recommend looking at the IDS/IPS evasion section carefully
I think we are talking about different things as the easy check is a linux machine?
also winrm is not running
Thank you for your answer, I was wondering about: how to choose the right port? When I read the IDS/IPS section, I was wondering if the port that is chosen for the source is filtered or not?
Sorry responding to wrong thing.
It talks about misconfiguration that allows you to just use a specific port. But look specifically under the DNS proxying
If you run the scan without the specified port but with the (source) port of DNS then all will be revealed
The examples are definitely helpful
I pm'd you, just for clarification.
Oh i got it ! THANKS
yo im back
and i got the same issue again...
it's not returning absolutely anything
What's the module name again?
Linux Basics - Find Files and Directories
if I knew how to search it up on google, i wouldn't be bothering you bro
cd / then run the command again
nope, nothing again
Should there be a space between -name and *.conf
Probably
and should there be a . or / between find and -type f
Hey! Can anyone give me a nudge for File Upload Attack - Skill Assessment? I've made some progress but I can't get any of my payloads to run properly : (
nothing i guess
it's working now
You changed literally nothing and it began working?
so spaces are really important in linux i guess
name (space) *.conf
there ya go
if it worked now, didn't before, and that's what you changed, then there's a good chance
well i had this same issue before with correct command so im guessing "cd /" is the important one
why tho?
Most of the time there should be a space after a flag especially if the flag is a full word and not a letter
Is there no bug report channel on this discord for the academy modules?
What does cd / do and that'll tell you
What bug and what module
If it's the Linux one where it's not telling you that it's parrot that's being worked on
because you aren't specifying where to run the find command it's probably just defaulting to current folder. If you had put the find / -type f (...) it would have worked wherever you were in the system.
ohhh
It could also be a user error issue. There are some modules however whose boxes are a little touchy
"defaulting to current folder"
Yes
if i just wrote "ssh.." im not in a folder right?
No
Ssh is a service/tool
We went over this yesterday
When you ssh you're going to that user's home directory
okay so im in his /home/htb-student directory -> "cd /" is the beginning? like no directory?
the / is the root directory of linux
On the attacking SQL Databases module, Question 2: "Enumerate the "flagDB" database and submit a flag as your answer." - the user and cracked hash do not seem to want to log in to enumerate. Any tips? I've tried sqsh and mssqlclient
Can't seem to access box on this page: https://academy.hackthebox.com/module/77/section/844
pkilled all openvpn instances and reset it.
reset the box
still isn't showing up for some reason.
there is no need to use a vpn for this target
you have an IP and a port, think how you can combine them in your ssh command alongside the username
I can't ping the box.
Of course you can't
Because that is not a pingable box, but rather banner grabbing
if you want to check that the machine is alive
Can I get a nudge for sqlmap essentials attack tunning section?
sqlmap gets stuck on case 7
Hi I'm at the information gathering - web edition, passive subdomain enumeration, I'm a bit worried about the automated use of harvester and the modules... will I need to go in depth by myself into each of them? or do I take that solution as is?
make sure that you filter out the wordlist with password policy which was taught in the modules and use the -u in the brute-forcing tool.
hello all, password attacks module .... section: pass the ticket ...... i cannot connect via RDP
anyone else facing this issue i believe something wrong with the vulnerable vm
make sure that you're wrapping the password in single or double quotes.
could use some help. Password attack/ Pass the ticket with linux section. I have logged in as Carlos and it's asking me to find the creds for svc_workstation and login via ssh. I have found the crontab associated with svc_workstation. i have extracted an aes-256 hash but no luck with an NTLM. I cannot crack the aes256 hash with either an online website or hashcat. i was able to use "klist" to impersonate svc_workstations and see the share in the DC but i don't think this is the intended route since the question specifically says to use SSH. Thanks
@limber widget Send me a dm - I can help you out : )
thanks, I ended up solving it. Had to re-read the module a little better
make sure you've tried to extract all keytab files, not just the one from the crontab script.
so i see krb5 files for julio and carlos. would i have to extract theirs? how would that help with extracting creds for svc_workstation?
i've looked everywhere, and other than the crontab, i found 2 krb5cc files for julio, and 2 for carlos
Harvester isn't used really
Hi, I'm doing the hashcat module.
The following question:
"Crack the following MD5 hash using a mask attack: 50a742905949102c961929823a2e8ca0. Use the following mask: -1 02 'HASHCAT?l?l?l?l?l20?1?d'"
This is my command, but hashcat gets exhausted and doesn't crack it. Any idea what I'm doing wrong?
||hashcat.exe -a 3 -m 0 50a742905949102c961929823a2e8ca0 -1 02 'HASHCAT?l?l?l?l?l20?1?d'||
I have never used harvester in Academy
those are not keytab files, they're just ccache files. the usual naming convention for KeyTab files is .keytab, so usually you'd go running a command to find those. But, were you able to find any other naming conventions used particularly in that machine?
are you using hashcat from windows?
Yes, I downloaded it as it's much faster on my GPU. It worked with all other attacks but this time it just exhausts.
.........thanks dude. i got my nudge. im so dumb
try putting the hash inside of quotes
tried, doesnt work
works for me
which quotes?
this happens when i put it in quotes
one set of single quotes
@lethal atlas Any idea what I could be doing wrong?
Oh huh
I think it was just windows hashcat being high because I tried it in pwnbox and it did it
weird
yeah I ran it from a vm. I havent used the windows version
Did you try with double quotes only?
No, tried single and double
that is interesting. Just out of curiosity try saving the hash in a file then running hashcat with the file name instead of the hash
Sure.
hashcat -a 3 -m 0 hash.txt -1 02 'HASHCAT?l?l?l?l?l20?1?d'
my first run thru this module I used that method
hmmm well I tried it several ways but they all work in linux.
Out of curiosity I gave it a shot as well in windows, no go
exhausted?
yupp
that is strange
with same strange mask
what is your hashcat version?
6.2.6
6.2.6 on my vm
megahash per sec I believe
yeah but what does that actually do?
Megahash/s yeah
hashcat.exe -a 3 -m 0 50a742905949102c961929823a2e8ca0 -1 02 HASHCAT?l?l?l?l?l20?1?d
like this @lament lance
Gimme a sec, I'll try
that worked
this worked in windows for me hashcat.exe -a 3 -m 0 "50a742905949102c961929823a2e8ca0" -1 02 "HASHCAT?l?l?l?l?l20?1?d"
I guess the thing with Windows is that it wraps the hash and mask value with single quotes automatically.
so you can go either no quotes or double quotes for those two.
looks like it
One more thing,
Crack the following hash: 978078e7845f2fb2e20399d9e80475bc1c275e06 using the mask ?d?s.
Exhausted in a few seconds on Windows, currently trying in Pwnbox. Do you see any issues in my command?
hashcat.exe -a 6 -m 100 978078e7845f2fb2e20399d9e80475bc1c275e06 wordlists/rockyou.txt '?d?s'
Hybrid hash section
but Pwnbox is not looking very successful either
I figured, that's why I'm trying in Pwnbox.
The issue is the single quotes '?d?s'
Single quotes reads it as literal instead of as wildcard as well
I love how Pwnbox took 2 minutes and my PC took less than 1 second
big difference between virtual and physical
well mainly between cpu and gpu
Someone who completed Login Brute Forcing - Skills Assessment service login?
Hello, working on the Pivoting module, SocksOverRDP section. I have the DLL successfully loaded onto the first target; when I RDP onto the second target and try to start the server, I get an error that the plugin is not loaded client-side. Any tips?
yes 🙂
Is anyone having issues with the connection on the Password Attacks - Attacking SAM module? The connection to the RDP drops repeatedly even if I reset the machine and any access when trying to transfer files is denied.
30 modules completed 😄
OK, I resolved that issue (downloaded the 32-bit binary by mistake), but now I'm having issues connecting to the final target with RDP through Proxifier
Can anyone give me a nudge on how to find the flag for File Upload - Skills Assessment?
@acoustic owl Can I dm you about login bruteforcing skill assessment?
Hi, what does this mean in the Silver Annual plan? ✅ No waiting to unlock modules
They're unlocked while you have the sub, don't need to pay cubes for them
^
but you lose access if you lose the sub UNLESS you've completely finished a module, then you retain access to it.
Instead of waiting the next month to get cubes all modules (up to and including tier 2) are unlocked
huh perfect thanks @thorn urchin
on a per-module basis, of course
Sure
thank you everyone
Module: ATTACKING COMMON SERVICES
Section: Attacking DNS
Question: Find all available DNS records for the "inlanefreight.htb" domain on the target name server and submit the flag found as a DNS record as the answer.
Results:
Stuck on this one. Any hints would be appreciated.
- I located all three subdomains h**.inlanefreight.htb, c**.inlanefreight.htb and n.inlanefreight.htb. I might be missing one?
- Performed dig on all subdomains (dig any @white rock subdomains).
- Used subbrute on inlanefreight.htb.
How many name servers did you add to resolvers.txt?
