#modules
which section
Advanced Command Obfuscation
click the link
without the pipe everything is working
sending you a dm
Module: session security
Section: Skills Assessment
Question: Read the flag residing in the admin's public profile. Answer format: [string]
Anyone available for nudge?
https://academy.hackthebox.com/module/109/section/1042
anyone can give me a hint to start off
it can't be login
maybe the advanced document search on the top right
Sure
What are u stuck on?
Look at the title of the webpage again
tinyfilemanager
yeah so it has got to do with file managing
explore the webpage more and discover new functionalities that you would normally see when u think about file management
but don't we need to do the inclusion on POST request?
Got an issue. I've never used BloodHound on this VM before and it won't take the default password neo4j:BloodHound. Is there a way around this?
play around with the functions u discovered and take a look at the url GET parameters and try to do your command injections there
what does mounted file system mean?
A mounted filesystem is a filesystem that isn't your native filesystem. Like a network fileshare that's hosted on a different system
When you "mount" the filesystem you are telling your system that you wish to access the information on that shared folder(s)
like usb?
Technically speaking, when you plug in a USB storage device it mounts it to the system while plugged in
I'm referring more to remote file shares
ok, i understand, the mounted file system is an external file and i take a copy from it and put the copy in another directory
Basically, this is something you can also just google
ok thanks
If I made a tunnel with ligolo, with what ip should I set the shell file?
I opened wireshark and I have this ip for the 172.16.x.y network
Can anyone recommend VIP machines on HTB with real life scenarios and not CTF Style?
what is ur level
this one has 8.3/10 on realistic
That’s great thanks for the recommendation , I will try this
most of the hard/insane boxes are realistic. Mainly the insane boxes have higher rating in realistic. U can do pro labs as well
hello? can someone help me with this?
im having trouble with the Attacking Common Services - Hard module
im at the final question but i cannot impersonate john
Did you get anywhere on this? I've been banging my head against it for a bit now.
nvm, just solved it lol
would u like some help or did u get it?
he's probably asking for help
you going down the pentester path?
ik it's off but i just noticed ur XSS question so i thought to ask u
If you want more realistic then you're looking for prolabs
how the hell do I get rid of this quote> thing? I know that it's the correct answer but every time I get this quote thing
you have a single quote behind the first curly bracket behind search
so close it on the other end and u should be good to go
kinda, I'm trying to complete all the module
did u finish the AD enum module?
not yet
oke oke, ty
hello guys, May I ask you about the Penetration Tester path, does it have any prerequisites to go straight in?
as a newbie to the cybersecurity world, which path should I take?
Hi, is there anyone having issues while working with evil-winrm and PowerView
?
especially using Get-DomainObjectAcl ?
How do you guys manage your time with these modules? Curious to see how others are working through them.
on school days I do it at night, then almost the full day at the weekend
Going through the MySQL footprinting lesson, I had to use -T5 on the nmap script given in the lesson for the script to work.
That didn't give me the version, only the script information, so I had to run a scan without the script and just on the port to get that info
Any rhyme or reason, or is this just slow response time for HTB servers
?
sudo nmap <IP> -sV -sC -p3306 --script mysql* -T5
sudo nmap <IP> -sV -sC -p3306
this is the --script scan above
this is the normal port scan above
When I was doing the script scan without the -T5 it kept creeping up exponentially slower and slower towards 100% and stayed at an average of about 17 seconds remaining
forgot to add, I also used -vvv
Is this normal?
hello, how do i apply modifications to a sql server
i mean like execute them so they 'save'
or is it continuous
i think i found it in sql server configuration manager
im having trouble with one of the last steps in attacking common services hard
You should run scripts when you know the ports
I was using port 3306 for MySQL
Is there a different port I should be using
I don't recall using Nmap scripts for sql
||if anyone reads this later on, you need to be in rdp, and not in linux by sqsh||
It's in the footprinting module for MySQL
No rhyme or reason as to why my scans showed up the way they did. just had to do it in two scans
Nmap is used for the scanning section
then mysql for the interacting section
Thanks but I just cracked it.
this is probably an extremely basic question but I'm doing https://academy.hackthebox.com/module/details/35 and for some reason curl -s -0 (target) does the exact same thing as curl (target) and I don't know how to fix this
what section?
why do you need to use -s -O anyway?
the goal is to download the file right?
I mean the hint even suggests that I download the file
idk, I solved it without downloading any file
don't forget to add /download.php after the target
yeah weirdly enough when I tried that it actually just didn't work at all
it went from giving responses to breaking entirely
idk, to be fair my copy and paste wasn't working properly and since it's late it's likely I just overlooked a typing error
I figure I'll try this tomorrow and have better luck, thank you for the help though.
try curl TARGET_IP:PORT/download.php
yeah that's what I did
I terminated the process like 5 minutes ago because I had something come up but I just wanted to know if maybe I did something wrong
can you ss in dm the result you got by using curl?
again terminated but thank you for the help
okay
hi everyone. I have a problem with Wordpress hacking - Skills assessments.
Scan Aborted: The remote website is up, but does not seem to be running WordPress.
what should I do?
who can help me?
Look at the source code of the website. Especially the links
I can't start a skill assessment because WPScan says the remote site is running, but wordpress isn't
Enumerate
Can someone give me a hint in the module Attacking Common Applications, section osTicket. I logged in with the kevin******** email and there are no open or closed tickets, i found another email and tried to brute force it but it doesn't work
The exercise tells me this, but they only give me the nameserver, but I need a domain to be able to enumerate the server, how do i find this domain?
There is a big problem with "AD enumeration & attacks", printnightmare and petitpotam don't work... Time to fix it, i lost too much on it and I'm not the only one.
Aaa ok, thanks
It probably says it. But it's also not out of reason to assume
I'm glad they changed this to have the credentials instead of needing to hunt or use the hint
The hint gave the credentials. But the previous way was connecting to a service and seeing the banner was a username. And using a weak wordlist to bruteforce it
People complained enough (rightfully) about it
And what about the AD modules @fathom pendant ? Can you make the issue raise UP the module owner or anyone who can fix the issue
Idk if you think it's a legit issue #858470491676737536 is there for that
Ok will try
Where can I find the SSH key, ive looked at all the txt records on the subdomains and there is none
I just have a shit ton of subdomains and subsubdomains now xd
Well you're not gonna find ssh on dns
But they told me to enumerate it
Think. Why would they give you credentials
i thought it was going to be in a txt record
I thought it was too easy to just use those
Lol
"Fully enumerate the target"
I have no clue, lol
Try using Nmap first
I did, and I found some hostkeys
If they're giving you credentials, they're intending you to use it for a running service
?
Are you running a full Nmap scan, not against a specific port?
Wait
You narrowed your thought process way too early
Whoops
"Find as much information as possible "
Even when given some specific info: always verify that there isn't more. They only tell you the primary purpose of the server. Doesn't mean it can't be used for more
Aaa I am not used to this, my teachers always told me to look, there is no other way or whatever
You are given credentials, think of all services that can use credentials, verify if those services exist
All in your methodology
When it is in the assessment you must treat it like a normal CTF box
bad teachers, that's literally the opposite mindset of good hacking
you always look for more ways
Huh, but I always think there is no way, but there is lmao
there is never no way, only ways that arent realistically feasible with your resources or constraints
That's the difference in making progress and getting stuck. Always check if you've tried everything
and ways you haven't discovered yet. but never no way.
Go step by step in your process
Dead branches happen, or paths not immediately available to you
Thanks for letting me know hehe
This is also why note taking is important. Even on skill assessments. Note what you've done, results, etc.
ayayay
It also helps you ask for assistance if you can properly provide info of what you have and haven't done. And sanity check specific processes
Then I might need one now, I am on the FTP server trying to list directories and i get this
Nothing happens, but when I do "pwd" I get a response
Did you do -p- in your Nmap scan?
Yes, aaaa its nice, combining things and then its like quirky things trying to make you take the wrong decision
Like I said. Get used to hitting a wall, then taking a step back and reevaluating
It's how you improve your methodology. Learning to think outside the box makes finding the right steps easier.
My general process is; what do I have, what can I access, how can I leverage it. As I find more things, the leverage gets easier to do
aaa oke
Also, because the skills assessments are wordy, learning how to boil down large blocks of text into important info
Question, I did something and now I have this file I have no clue how to remove named "-R"
For example with this lab:
The fact that it's a dns server is just a red herring.
You are told you cannot leverage any exploits (so no exploitdb or msf exploits).
You are given credentials, and told there is mention of ssh.
Finally you're told you're looking for a flag.txt
rm '-R' should work?
Or mv "-R" randomfilenamelol
Hmm true
One question
What you do with base info is purely up to your methodology. But if your methodology constantly runs into brick walls, maybe rethink how you approach the problem
Heheeeeeeee, thats a good option
AAA
It's a folder
Nvm
lol
Yep
Your -la results show its a directory
Super simple once you start from a wide base to narrow it down
Yes, it said something about that in the course as well, like "The learning process" module, but it's been like 4 months since i did that one heh
That's why practicing it every time is important
Even if you're told what you're looking for. Always doing the basics is important
But thanks for the help
Try changing to the directory first
Also a lot of your screenshots can be considered spoilers
Sorry
its all good, just common practice to delete them a short time after getting help about it
This user has no rights to access the database
Oh, ok
yall tryna click this weird link i send yall?
Because the user you are logged into Windows with has no rights to access the database.
Consider what role the user you found has and what the role is called in Windows.
Hi, I need some help with the "Public Exploits" module
Task: "Try to identify the services running on the server above, and then try to search to find public exploits to exploit them. Once you do, try to get the content of the '/flag.txt' file. (note: the web server may take a few seconds to start) "
i found out that the webserver is running a vulnerable version of the simple backup plugin
used metasploit and the "auxiliary(scanner/http/wp_simple_backup_file_read)" exploit however i only got shit back
cat /home/user/.msf4/loot/20230713110330_default_94.237.54.69_simplebackup.tra_540693.txt
In the exploit you need to specify what you want to get
makes sense
Hello, I'm working on ATTACKING COMMON APPLICATIONS Splunk - Discovery & Enumeration but seems the splunk application is unstable. Already tried to restart 3 times and wait at least 15mins still can't connect to port 8000. Should I wait more?
Are you using http or https
http
Reach out to support
Hey guys! Am stuck with one of the HTB Academy's boxes. Basically, i obtained an RCE on a low level user. I realised that Nmap's SUID bits are set. However, I'm having difficulty performing privesc, as:
- nmap version does not allow for --interactive
- my user is not inside sudoers list, i cant use sudo
I have tried to manipulate by chmod u+s /bin/bash, but changing permissions was denied. Been stuck here for days, any help will be appreciated!
-rwsr-xr-x 1 root root 3026928 Mar 23 2020 /usr/bin/nmap
Preferably tell us which module and section ur working on
It’s a private box called liberty machine, not sure if you guys can access it though 😭
I'm on password attacks module, network services section. || I can't seem to find the right username and password list to brute force any of the services.||
read #welcome and #rules after that use /verify at #bot-commands and ask that at #boxes if you are having issue with a box on HTB main platform
use the given one in Resources
Hi!
I’m doing the “getting started” module, and I am stuck at the Privilege Escalation section last question.
Once you gain access to user2, try to find a way to escalate your privileges to root, to get the flag in /root/flag.txt. I manage to get access to the user2 and read the private key in the id_rsa file.
I then went back to my profile and copied the key to a file pkey.txt and add access limitation with the chmod 600 I then tried an ssh connection with the flag -i pkey.txt but it doesn’t work.
Any tips to move forward? Thanks in advance
i'm having hard time with hard module on attacking common services
impersonated user, but cannot proceed further
Hi everyone, i'm in the kerberoasting from linux section in the AD module, and when i want to enumerate the SPN the tool asks me for a password, but idk why it doesn't accept the password of htb-student
with chmod 700, also run file on your ssh key, it should say something like OpenSSH private key
first http://dontasktoask.com/ and which section are you on? what are you trying do to? and what exactly is the issue?
i already wrote the section, which is hard on the attacking common services module. Stuck after impersonating the required user
i think you are supposed to use a different user
what ?
for example this is the section name
how do you mean
the section is "Attacking Common Services - Hard"
that's the Skill Assessment 🤣
those creds i think are for a foothold box not for the actual target
oh, sorry 😆 , my bad
so i have to find the creds? it's bizarre
in the course they use the forend creds
but they don't give the creds
they don't give the password
I'm stuck in "AD Enumeration & Attacks - Skills Assessment Part II" in question "Obtain credentials for a user who has GenericAll rights...". I have a|| Evil-WinRM ||connection and I have imported PowerView.ps1, but none of the PowerView commands work. Also when trying to run apps such as Mimikatz or Responder, I get an error "The specified executable is not a valid application for this OS platform". Even the hint says I should get the knowledge the same way as I did with the initial foothold, but that isn't even possible? Also tried RDPing with proxychains and chisel but it doesn't connect.
hint you should got the cred from a previous section
hint check for ||linked server||
Thanks MRtom actually I had to connect as root and not as user2! solve now! with thanks!
THank you!
wdym rdp with proxychains and chisel? you can use ssh dynamic port forwarding (-D tag) when ssh into the given foothold box and on your machine use proxychains to login via rdp
For some reason I don't even recall using that tag before. But finally I got the rdp connection. Thank you very much!
thanks @west canopy
I'm still facing the problem that PowerView doesn't work at all. I can't passthehash with xfreerdp as any user, so I am stuck as a low privileged user (username & password) since none of the hashes I found could be cracked. I'm missing something very badly here. Never been this badly stuck. Like am I supposed to try to figure out a way to become admin on the system or am I supposed to tackle this problem without that account
Wrong channel. #1024429874246590575
Someone could help me with Brute Forcing Cookies - Broken Authentication module? I'm stuck.
you should be able to rdp into MS01 with the first user cred, for pass the hash make sure you are using an ntlm hash not a ntlmv2 hash from responder and for powerview make sure you are using a new version downloaded from the author github
hint the role is ||super|| (it's in the question 🤣)
https://dontasktoask.com/
Send the problem you're going through here
i do not understand what he means by "Why is the printer network talking to the servers over HTTP?"
Why would a printer send HTTP requests to your web servers? It doesn't make sense, right? So, if it's happening it's probably a compromised printer
ok thanks
Please can someone help me in this module: Attacking Common Services - Easy
what is not working?
I can upload the shell, but I don't know where it's stored
you'll have to be more specific
which module and which section
send screenshots, the commands used etc
istfg we need a verbosity flag for human interaction
I know it, but what to do with that? Need to make a reverse encrypt to base64 and try to use the cookie? I'm really confused...
oh that part should be straight forward, just use CyberChef
I'm afraid to give spoilers 🥵
I have a question ? can i find the objectAceType a user has over a group with bloodhound ??
dm me then
i can't get the ObjectAceType of the first right that the forend user has over the GPO Management group in the ACL section in the AD module can someone help me pls ?
Hi, does anyone have an issue while tunnelling to an internal target and accessing it using xfreerdp?
i am able to access the target with ping, evil-winrm and others, but can not access the rdp
already googled, didn't find the solution
what error u got
If I am member of administrators but there is no AD how can I open a cmd as administrator?
#modules message ask better question next time and hint you can use ||Get-DomainObjectACL|| like the section show but if you want to do it in bloodhound just look for some cypher query cheat sheet
Anyone know if there’s a channel where you can submit requests for future content?
this channel is for HTB academy module if you are not having an issue with one of the modules then verify your account and ask this in the appropriate channel
currently there isn't one but i've seen some people leave suggested content in #858470491676737536
you mean no rdp? also this is a quick google but if you are stuck in a shell that has admin privileges i think you can just use something like PsExec to spawn a shell as system
Anyone Please Help : Attacking Common Applications - Skills Assessment II What is the URL of the WordPress instance?
Have you tried ||fuzzing||?
just do some basic web enum and you will find it
ok bro thanks
thanks bro
No worries, if you weren't able to solve it, feel free to dm me.
I managed to get to the end of AD skills assessment 2, but my NTLM hash isn't taken as a correct answer. Anyone care to elaborate?
last question?
Yes
if you are using secretsdump for this try using -just-dc-user krbtgt just to make sure you got the right hash
Yep I'm doing that, which is why I'm a bit confused
so did you find the answer?
Well yes, but the form on the website says it's incorrect
shoot me a dm with the hash that you got i'll confirm it for you
timeout
guys i do not understand this
We'll need to see more. It doesn't really make sense without any more context.
Oh, I see what they mean.
They basically scanned their own subnet but didn't scan any other subnets. I bet they didn't use -Pn too.
If you don't understand subnetting, you might want to go study up on networking with the intro to networking module or some other resource
can I dm u to ask 1 thing about 1 exploit?
am not sure if I am modifying it right
sure
found a link https://academy.hackthebox.com/module/109/section/1035
and also got that && isn't filtered
/index.php?to=&dl=51459716.txt&&
it is module of introduction of network
oh lol, I thought it was the pivoting one 😅
in that case, don't worry if you don't get it the first time, subnetting is always a slightly confusing topic at first
all good it worked
hey,
Any 1 can access Windows RDP labs?
I'm on DACLs attacks module and I can't RDP to any of the IPs, I tried multiple times + restart + from another server the same issue. Is this a known issue?
anyone got that issue with Bashfuscator as well?
pkg_resources.extern.packaging.version.InvalidVersion: Invalid version: '1.14.0-unknown' (package: gpg)
not working as described here: https://academy.hackthebox.com/module/109/section/1040
A /24 network has address 0 to .255. So 192.168.0.0/24 would refer to a network with addresses from the range of 192.168.0.0 to 192.168.0.255. /25 would have ranges from 0-127 and 128-255.
So if they fat-thumbed a /25 instead of a /24, they would have missed out on half the addresses.
Reporting that the domain controller is down in an actual report is pretty funny tbh.
anybody able to give me some leads on shared object hijacking from linux priv esc mod?
nvm it just requires a glibc version no.
hi there! who can help me with sqli in Web Service & API Attacks. I'm stuck here
Identify the username of the user that has a position of 736373 through SQLi.
My payload: Select+username+from+users+where+position=736373. It doesn't work
id
nope, it doesn't work either(
Does it work without the where clause?
guys i am confused with this question
Ask your question
i am not sure if i need to put there the result of the name account or i need to get an access using that
or my machine is broken
i am confused
i got the results and tried all the things but it doesn't work
The username
"User account"
with double quotes?
doesn't work
Look at all of the info given
what the hell XD
...
because i think i can reveal some information to solve the module
you're probably meant to be looking at logs.
but do you know what exactly i should do?
Use event logs via powershell
There's a reason it tells you "event logon failures"
i am looking at the logs
with what command
wait shouldn't they literally tell you how to go about this from the module
There's a way to filter it iirc I ended up using Google and stack overflow
Probably
bro is asking us as if he didnt read the module 😭
hm
It's the windows command line module
my english is bad may be i miss something
nope
It is ok, unfortunately this platform is mostly English only.
omg why so hard
Anyways, i googled it and it was the first google result.
So.....
Then your injection isn't correct.
you want to look at the event logs and filter by logon failures.
They even give you the event id to filter by.
Then it will show the user account.
Username of user account is the answer.
is it a free module?
Yes
after that i got this list
i'll be back later, i am stuck, i need to think in another way
i cant tell if this is a language issue or a skill issue
Both
But I like him
Recheck the log section
Probably a skill issue. The variable name they use isn't wrong after all.
It gives you some info that you may need to work around
Maybe they're counting the number of users in $username
i count the logs
yeah which is why im wondering if there's a language problem
per user
do not count logs, just filter logs by event id
i filtered by the id and then i used format-table -wrap
They aren't
Hey guys, thought id ask a question about the power of XSS, especially stored xss. If finding stored XSS exists on a web application. Could you not insert a php shell into the html so whenever the page is loaded the shell runs and connects to your local machine ?
Literally first Google result
i literally do the same
and i think the response starts with "A"
but it doesn't work, i am doing something wrong but i am not sure what
It does not
i'll go for a coffee and check again what i could be missing
oh so i am wrong, that makes me feel better
i'll be back in 5 min
Copy and paste from that website I linked
❤️
It also explains each element
at least give us the command ur using
Well, you aren't spoiling anything if it isn't working lol.
You can delete it after we confirm or deny
that is debatable
💀
one of the ones i tested is this one
||```powershell
Import-Module -Name Microsoft.PowerShell.Diagnostics
$eventLogName = 'Security'
$loginEvents = Get-WinEvent -FilterHashtable @{
    LogName = $eventLogName
    ID = 4625
}
$loginAttempts = @{}
foreach ($event in $loginEvents) {
    # Get the username from the event
    $username = $event.Properties[5].Value
    # Check whether the user already exists in the hash table and, if not, initialise its counter to 0
    if (-not $loginAttempts.ContainsKey($username)) {
        $loginAttempts[$username] = 0
    }
    # Increment the failed login attempt counter for the current user
    $loginAttempts[$username]++
}
foreach ($user in $loginAttempts.Keys) {
    $attempts = $loginAttempts[$user]
    Write-Output "Usuario: $user - Intentos de inicio de sesión fallidos: $attempts"
}
```||
I tried to do a Nmap scan and I got this, I tried to connect to the ssh as htb and it didnt work, so I tried to login to pop3s and imaps without a username and password, neither worked
You're limiting your output from the beginning, you don't need to use a full script to do it
yes but
if i put this one from the website
You get a lot of info. But read through it. Just scroll through what it gives you
This script doesn't do what you want it to do.
if i use this one the result of the counts is the same for the name accounts
||```powershell
Get-WinEvent -FilterHashTable @{LogName="Security"; ID=4625} | format-table -wrap
```||
The question doesn't ask who has the most failed login attempts.
It asks who had a rapid sequence of failed login attempts.
I am stuck, (Skill assessment footprinting - Hard lab)
yes but from what i understand, if that is the case the response is still in the "name account", right?
i tried all the possible name accounts and it doesn't work
That's why I said read the output
what i understand from this is "not who gets more logs, it's who tries faster", am i right?
Yes.
It will become glaringly obvious what user
They throw in a handful of extra fails for users to force you to look at the whole thing
Hi Guys - Navigate to http://[Target IP]:8000, open the "Search & Reporting" application, and find through an SPL search against all 4624 events the account name that made the most login attempts within a span of 10 minutes? Any ideas?
sourcetype="WinEventLog:Security" Account_Name=*
| bucket _time span=10m
| stats count(eval(action="success")) as successes count(eval(action="failure")) as failures by Account_Name dest _time
| where successes>0 AND failures>5
so the answer is still there in the name account, if that is the case i tried all possibilities, but i'm gonna keep at it some hours more, i know i'm missing something, and i think it's something obvious that i can't see
Stop trying to brute force the answer, you won't learn
so you think i solved the other 9 cases using brute force?
i am just stuck, i'll be back in some hours
No. I'm saying you're trying to brute force this one
i'm gonna keep looking at the output
Which is not needed
@uneven dune Just look at the output and don't filter it.
Yep easy
Cause it's possible the username being bruteforced isn't actually a username on the system
ref to UNDERSTANDING LOG SOURCES & INVESTIGATING WITH SPLUNK Mini-Module
sqlmap module is much fun
some courses are really good to learn from
others need some better cleanup and especially not jumping from one tool to another outta nowhere
Hey, how's it going. Did you get the answer to this one? I found the answer but don't quite understand how I got there and was wondering if anyone could help out (don't want to say anything and spoil it here)
can anyone help me with footprint module? The final question to DNS What is the FQDN of the host where the last octet ends with "x.x.x.203"?
I am stuck on the password mutations in the password attacks module. I have used the mutation file and used hashcat to mutate the password list provided and when I go to brute force ftp for the sam account user I can't find a valid password. I have split the wordlist into wordlists containing 10000 words, that way I have better efficiency, and am running -t 64 for hydra but even after doing all the wordlists I can't seem to get sam's password.
dnsenum --dnsserver 10.129.64.162 --enum -p 0 -s 0 -o subdomains.txt -f SecLists/Discovery/DNS/subdomains-top1million-110000.txt dev.inlanefreight.htb "i'm trying this"
i believe for that one you have to do a zone transfer to find the FQDN
Am I on the right path on the skill assignment named "Footprinting labs hard"?
Idk If I have gone down a rabbithole
lmao
I'm looking at my notes from the footprinting lab and that definitely is a rabbit hole
why?
I know what you're thinking but this is not the right way
Definitely a rabbit hole ahah
I had the same thought
But you're not too far from it
Take the smallest list under SecLists. If you don't find anything, use the next larger list. 5000 entries are too many
He's right looking back its not a zone transfer its a different wordlist you need
Ayayay, I've tried enumerating the account and I found 3 users, the passwords don't work on these users on imap, pop3 or shell. I tried using the password I found for ||tom|| on these accounts but it doesn't work. I also tried to ||SSH into all the accounts with the id_rsa file I found, but this key only works for tom||
All you need is to ssh into tom, then you're very very close
I've tried enumerating it so hard, but I guess I'll keep going lmao
See what groups tom is a part of
see what he's been up to
Has anyone done this module and kerberoasting across a forest? Neither John nor Hashcat will recognize the hash that I get
Any moderator can help me with my acc issue
anyone tryna help me out
I'll check my notes real quick
thanks bro i really appreciate it
moderators dont deal with that
contact support
It's about my acc verification in Discord
I was a member of HTB since 2020
This shows me as a new user!!
Your account is not verified, go read #welcome
I know
I want to know the reason
Bruh just go verify your account
the bot can't verify it
I used the provided password list and rule file then removed the first 17000 passwords from the mutated list
i'm trying this right now "dnsenum --dnsserver 10.129.221.137 --enum -p 0 -s 0 -o subdomains.txt -f SecLists/Discovery/DNS/subdomains-top1million-5000.txt dev.inlanefreight.htb"
Try the fierce word list
It shows error
well I just looked and you hadn't even attempted
go read #welcome
5000 entries are too many. You need a smaller list
Yes I did Multiple times last night
Not on this account
I found out he is a part of the ||MySQL|| group, but how am I supposed to access the folder if I do not have permissions?
The error was "Identification error: please contact an online Moderator or Administrator for help."
like this? "dnsenum --dnsserver 10.129.221.137 --enum -p 0 -s 0 -o subdomains1.txt -f fierce-hostlist.txt dev.inlanefreight.htb"
Try it
A lot of people struggle with DNS it seems, not just me 😎
Clubby or Roadrunner may remember me and help me with that
I know I help very often with this question. Therefore, I was already called DNS Bunny. 😂
:))
Hahahhaah
DNS is notoriously fickle and is amongst the first real hard interactions with a protocol that people on the CPTS course face
Once you understand the principle of zones, DNS is actually not particularly difficult
I remember there was an off-topic general server
Admins delete it?
I also can't find any place for help or etc.
as madfox already said. Verify your account and you will find what you are looking for
Read and follow #welcome
I did
"Identification error: please contact an online Moderator or Administrator for help."
I'm completely restarting, I'm trying to do it exactly how you said. Would you delete the first 17000 with a command like this: tail -n +17001 original_wordlist.txt > modified_wordlist.txt?
you access it off tom's account
use tom's username and no password and you should be able to get into it
I'm not sure about the no password part though
What do you mean? There is no ||MySQL|| server running on the target
xd
there is no outfacing mysql server
wait
but there is an internal sql server
Then do what it says and contact a mod/admin
This goes back to my earlier advice: double check you've done everything
Thank you, I did
I'm waiting for a response
Anytime, the way I realized this was looking at tom's recent bash history
That also helps
I did the same, but I saw "cat .Important"
And that took away all my attention
But I am happy I finished it, after like 1 week or something lol. https://academy.hackthebox.com/achievement/badge/eadb7e2b-21c2-11ee-acfc-bea50ffe6cb4
You're told about the service in the documentation that gives credentials btw
I solved it but to be honest I can't get the result from the logs XD
Iirc unless I'm misremembering
Using the command from earlier just look at the results and timestamps
I need to know why I can't get the result looking at the logs xD
True, but now I'll have to complete my notes (For this module lol)
Actually I remember now: you're meant to check history
Ah, lol what a coincidence
yes but I see something interesting, are you sure the name is printed there? because I see one that has nothing, like -
Yes you just have to look at the whole thing
so reading some things on the internet that say it can be a user with privileges
completely restarted and did exactly what I did the other couple times and it worked!
If you copy the whole command from earlier and scroll it's super duper obvious
Just try it
That's what a lot of our own trial and error boiled down to
Right.
I mean, asking here if a command works is really pointless. Until an answer comes, you have tried it yourself for sure 🤷♂️
bro I wanna die, 5 hours solving something that I needed to trace
I understand now, now I can sleep
||Administrator usernames may not appear in login events in some cases. This is because administrators may have special settings or privileges that allow them to perform actions without logging events in certain circumstances.||
but, happy
Idk what does it tell you
https://academy.hackthebox.com/module/160/section/1474
Identify the username of the user that has a position of 736373 through SQLi. Submit it as your answer.
can someone help me :((
So do that
When you hit a wall, check your notes. More often than not, the answer is there
SQL injection vulnerabilities can affect APIs as well. That id parameter looks interesting. Try submitting classic SQLi payloads and answer the second question.
yes i know the ID is vulnerable
Look at the two IP addresses in that first screenshot
but not how to read the position
Responder works when machines connect to the machine it’s listening on (your attacking machine)
NVM
were you able to solve the query for this?
I'm stuck on it myself
Explain what your xp_dirtree command is doing here
Yes
Always helps to step back and ask yourself what you’re doing 😉
That too
Usually taking a break has a similar effect for me, as much as I refuse to do it in the moment
Lmao
o7
https://academy.hackthebox.com/module/160/section/1500
what's wrong right there?
sorry for the ping but could I get some help on the splunk module first section:
Navigate to http://[Target IP]:8000, open the "Search & Reporting" application, and find through an SPL search against all 4624 events the account name that made the most login attempts within a span of 10 minutes. Enter it as your answer.
My current query looks like this:
sourcetype="WinEventLog:Security" "eventcode=4624"
| bucket _time span=10m
| stats count by Account_Name, _time
| sort - count
I'm unsure of how to continue, and the documentation for the range() function is somewhat hard to understand. Thanks for reading
is this general
No
#welcome verify your acc and you’ll get access to the other channels
ooh ok
Hey guys, can someone help me in the module Getting started: Public Exploits
I used searchsploit to find three exploits, but I'm struggling to make use of them
the searchsploit codes are 34553, 44943, 48918
is that the GetSimple CMS 3.3.15
https://academy.hackthebox.com/module/160/section/1475
already checked the servers /etc/passwd via SOAPAction spoofing but didn't find anything
just this, but I don't know where I should use SQLi
also tested with sqlmap
http://10.129.64.112:3002/wsdl?wsdl
hi, I’m facing same issue.
I also checked the file as binary, but there are no interesting readable characters other than just get and cat file.
should I reverse the aes256 hash of a kt file?
no you need the #starting-point channel.
read #welcome and verify your account to access the rest of the server
it doesn't say to put those in as script.js; those are a variety of potential XSS payloads to try launching a hosted script
if your xss payload is good
XSS imo is very finicky and you have to play with payloads, sometimes tweaking single characters at a time.
Without backend source code, XSS is a lot of fiddling, intuition and persistent guessing to get something working rather than outright knowledge.
as far as initial payloads go
usually you have to at least close out the html tag wrapping your input, so I suggest looking at the html and seeing if you can't guess it, assuming it's not a blind XSS
hence a lot of payloads starting with "> and variants.
Then suffer 😂
did you solve it?
iirc that whole module I had to tweak and deviate things constantly to make it work
I'm skipping module over module just because I'm missing some small details lol
me?
yeah
on the contrary what should i do
complete one by one, focus on honing the lessons of the module and understanding the material
if you skip around when things get tough then you're just not challenging yourself or dwelling on a topic long enough to understand it. It'll slow overall progression
But everyone learns differently so if you insist, that's your prerogative, I just don't recommend it
if modules do something similar to the tasks before like fuzzing, sqlmap, whatever, I get it
but with some it feels like there is no path
I don't normally like to parade status, but this advice is coming from someone that has actually passed the CPTS exam, so I'm not advising this lightly.
Many modules expect you to be using techniques from previous modules. The more you keep that up, the more you're going to end up with things that don't make sense.
Yeah, many modules presume expected prior knowledge. you very well can be running into obstacles purely because you skipped the prior knowledge, causing you to skip again and then miss prior knowledge for the next one too
no for sure, but some tasks require you to have a feeling for things
I've checked my notes
There's a fake flag
The exam will, too. Gotta learn it some time.
Or the wrong one
I never got sqsh to work, I used mssqlclient.py
doing the path for cbbh
im just saying
some courses are better to follow than others
where you learn one tool but really well
instead of 5 attacks, of which only one will be used in the assignment task
but if you are unable to handle all of them, then you've missed critical training in previous modules. Academy is not about 'getting the answer', it's about learning and applying the information.
thank you, I'm relieved that it's not a bug.
I'll check more carefully.
Jumping ahead on modules makes your progress bar go up, but it doesn't prepare you for an exam.
I've DM'd you
whatever, I have had 100% on all modules btw
just modules don't make sense to me, especially their binding to the sections before
You just got done saying different here: #modules message
cus I'm pissed
lol
this is the trap thinking that makes people fail CBBH and CPTS exams
like seriously probably the #1 reason
right up there with time management
The exam had me scouring sections for things I deemed unimportant enough to put into my notes and didn't absorb fully. I was wrong and humbled for it.
doesn't look like I'm skipping much (red cross not counting, had no time to continue)
but just saying at some point it would make more sense to get hints instead of randomly pasting commands
Keep thinking this. I'm feeling confident you're not going to pass the CBBH exam even if you do finish all the modules like this due to your mindset.
You might prove me wrong but I feel the odds are low
damn stop being toxic
But feel free to do so, this is the sort of thing where I'd feel happier being proven wrong than proven right
If you're randomly pasting commands, that's your problem. Again, you're trying to 'get the answer', instead of 'learn the material'. It's also telling that the modules you are giving up on are medium modules, which more often than not, do not have answers that are simple copy/paste.
sure
dante is easier than the exam, finishing dante doesn't necessarily mean you'll pass
its just nice extra practice
definitely
I am doing dante and it is easy
skipping the sql injection module to do sqlmap essentials is kinda sus imo
the exam is between zephyr and offshore
did sqli on another acc
had to register on another mail cus of cheaper tier2 subs
aight
but fair point
but dante is very good to master the fundamentals
If we're having a brutal honesty session here moo, I think you're going to struggle greatly with the exam too.
You clearly have overall persistence and drive, but you consistently give up far too quickly judging from the type and frequency of questions you ask.
You should try pushing a bit harder before you ask for help.
A lot of the mistakes you make or struggle with you definitely had all the tools to figure out yourself
Like you're not dumb, you just don't seem to make that extra willpower push where real growth happens
if you did I'd bet your learning rate would skyrocket
These are just my observations, what you do with them or not is up to you.
The life doesn't care about the problems of the people
It just checks the results
yea
everyone has strengths, weaknesses
Yeah, I'm just pointing out problems I see, ones I may not be correct about. The causes or solutions behind the problems are outside what I could comfortably comment on
I see u every day here a lot of hours studying and asking doubts
some people help you, some don't and rather laugh at you, but as long as you keep going you'll be fine
just keep consistency and hard work and u will arrive far
I'll help and people get mad cause they don't like what I have to say and then I laugh
As a noob I'm trying to get through the fundamentals but tend to get stuck on the Linux one, I've used the search function and read a few comments about people highlighting that it might expect some prior knowledge. Yet research doesn't always help me.
ATM I'm trying to do the SELinux exercises of network configuration, but just can't get SELinux to launch in the first place. Whatever I do SELinux stays disabled post reboot, any tips?
from what i've learned
try better
I've never actually touched SELinux lul
here's how to get linux fundamentals down: erase windows, single boot linux as your daily driver and struggle solving problems with it till you get comfortable
fr
me either
at some point you'll get the base commands
I have a windows desktop I still use for games and some stuff, I'm not one of those linux only puritans. but practice is practice
I think at the beginning I learnt linux with a lab
which was like finding flags using just linux commands
but I don't remember the page
If you are having errors and copy paste them into chatgpt and ask it to explain everything, I've learned a great deal doing that as well
anyway from my point of view tryhackme is still better to learn the basics from zero
then move to hackthebox
i agree
🤮
I mean I have some background, I can get some things to work as I had like a crash course into pen testing before. It's just consistently disabled. I'll take @valid hamlet's advice since that one seems solid.
I learned the insane way by daily driving backtrack 3 like a lunatic
unless the linux fundamentals module should
and later installing LFS
Having an issue with nmap hanging at around 88-95%. Has anyone ran into this issue before? I'm using the pwnbox and running -A on 7 ports, it shouldn't take longer than 5 minutes no?
You got the answer? Kindly DM me the output of the query, as such discussion can potentially serve as a spoiler for others. Thanks.
You're probably thinking of the over the wire wargames
Personally, I booted up a kali vm and started grinding and getting used to Linux.
I started a couple projects like creating a docker container for pentest tools and it forced me to get even more used with Linux commands.
nah, it’s to find wordpress plug-in exploits
you figure it out?
nah 😅
ima do it real quick
much appreciated
Does anyone know if there are any academy modules that cover PenTest/VA of Operational Technology networks?
I don't believe so
Yeah, I had a look around and couldn't find anything. Be good to know some industry standard tools and procedures so I don't go inadvertently opening valves or something
Hi, does someone know why in the getting started module (Nibbles initial foothold) I'm listening on the right port and everything but I don't have the tty
So i can use the reverse shell
neither the user flag nor the root flag
Been a while since i did this one, you upload a php file rev shell code?
Is the code correct?
Is your IP correct?
Have you navigated to the uploaded file?
yep, I copied and pasted it (of course switching <attacker's ip> and <port> with the correct ones)
I tried to find the uploaded file but don't find it
Try uploading again. You need to navigate to the uploaded file so the code executes.
I did, I uploaded two times. I will do it from 0 with another ip
sounds good?
I guess, it's difficult to help without more info. Feel free to PM with screenshots and I can help you further if you can't get it
Tysm
The ip you should use is the tun0 ip
sup
probs one of those AD ones
i mean i personally enjoyed AD a lot, on my home lab at least.
Dunno how it's like on HTB's academy platform.
I live very far away from the US/EU so it's very laggy to do AD stuff on htb.
I do recommend starting up an AD home lab at some point, it's real fun and lets you configure attacks for yourself. (and obfuscation/bypass techs)
The ratings are a combination of number of distinct steps plus overall complexity
Oh if all of those password attacks skill assessments were part of main platform boxes, they'd all be under easy 😆
maybe medium at best
An insane box like that is not too common these days though
Insane boxes have their own spectrum from your Brainfucks to your Bookworms to your RopeTwos
also this discussion is more appropriate for #boxes
This is the last hard machine
yea sorry
don't apologize to me lol, I just know if other people want to look at modules discussion it gets a bit cluttered
@rustic sage I recommend u doing dante after finishing the cpts path
I think you should place them in a one-liner
idk I write the report in all what I do
you have impersonate permission
you just check what users are there and you impersonate which you think could be interesting
that is just an example...
like when someone says person x and person y
Take it one part of the command at a time
You can look at the submissions guide for boxes as they clearly detail how they differentiate the difficulties.
It also details rules like which wordlist a password should appear in.
Hey guys, could somebody help me in the getting started module: public exploits part
yeah man, what have you done so far?
I've used searchsploit to find exploits, and found three exploits, but don't think they're applicable since I need admin privileges for 2 of them. And I found a couple of exploits on google but couldn't pinpoint the exact exploits
I will pm you so we can talk without spoiling
@pine galleon can we talk in dms?
why?
I need help and I prefer to talk in private bc people tend to judge a lot
😆
well I don't do help in private unless I already know what it's about and it's not bs
and i think i can see where this is going already 🙃
where do you think it's going?
let's keep this channel on topic please
There are no restrictions on tools. You will not be able to ask any humans for help.
yup
Honestly I couldn't spot many points where advanced paid tools that normally would be banned would be even useful
I guess it is referring to the burp scan and not any port scanner, which will help you find out the services running on the machine
exactly
Who let bro cook 💀
On attacking common services for tomcat I have found host manager but what can I do from here
What did the module teach you to do?
I went derp mode and got ahead of myself
I was trying to attack the manager when I was still in the enumeration module
you solve it?
Maybe it is for another module?
please, does anyone know how to access/trigger an apache tomcat .war payload that has been uploaded? I'm trying to solve the first target in the live engagement of the shells and payloads module
Web applications are a prime target for hackers, but sometimes it's not just the web apps themselves that are vulnerable. Web management interfaces should be scrutinized just as hard as the apps they manage, especially when they contain some sort of upload functionality. By exploiting a vulnerability in Apache Tomcat, a hacker can upload a backd...
read the question closely
👍 it happens
saw this image (https://img.wonderhowto.com/img/original/40/70/63700333927920/0/637003339279204070.jpg) in the link you sent but when I tried to access my shell in the browser through the same location in the image I get error 403
that's the manager where you need to upload the war file. After deploying it you can view the path if I remember correctly
and the link there is a GET request. probably just go to /manager
I get to this link "http://172.16.1.11:8080/manager/html/start?path=/revshell2&org.apache.catalina.filters.CSRF_NONCE=42B8FA0F8D8B3571E2F189FE7E06A4CA" and the manager dashboard gives me this error "FAIL - Tried to use command [/start] via a GET request but POST is required"
I've already uploaded a msfvenom .war file
aight, you should view the path in the deployment page. Then you can navigate to the shell
hard to tell with a link to be honest
can I send a screenshot? @sly reef nevermind, all I had to do was click it lol
https://academy.hackthebox.com/module/144/section/1252
As far as I see Virustotal does not offer "Relations" anymore.
is anyone up rn
I'm a little stupid and new to all this, so I could use some help
I assume it's pretty basic though
Just ask your question here. Someone will then give you an answer
I think the most non-technical thing CPTS has taught me is how to organize my notes haha
Everything is so much easier once your notes are organized and you understand them
big emphasis on understanding them
That said if anyone needs note taking tips or wants to give any note taking tips for obsidian please pm me
I can't copy paste
on those browser based vms
can't I just connect to an academy .ovpn file?
it's weird because it says here that those clipboard settings are on
If you open the VM in full screen, then you have a possibility to copy texts back and forth in the lower right corner.
i am in fullscreen
ah, lower right corner
I'll try that
thanks
that works great!
also yes you can just use your own vm with academy vpn
you can?
the option is right next to launching the pwnbox instance
random but is ffuf acting weird for anyone else
went from being able to do like 2500 things in like 5 seconds to it's been 3 minutes and it's on 498/2588
connection is fine, idk why it's suddenly going slow
Okay so my question is
on the first part of HTTP fundamentals, there's a question where it needs you to download a file returned by /download.php with curl
but every time I try it says it needs a URL
where do I find this url
I'm confused
again, excuse me, I'm really new to this stuff
We are all here to learn new things. No need to apologize.
When you start the machine at the end of the lesson, you get an IP address with or without a port, depending on the module.
The URL is then for example
http://10.10.10.10:12345/
so I have to write it with the http: on the command prompt?
I guess that was what I was missing
I put that first and then curl and the name I suppose
I'll try it
enumerate the mounted tech support drive better
cat them all at once using * only one should actually have text
let me know if it works
lol what went wrong
See it sucks that you had to be so blunt here, but I honestly think the lab is a bit unfair because it almost goes against what you learnt in the NFS module, which is perhaps why it seems a few people are struggling here. We learn that being in the nobody group means you're being root squashed, and although you're not technically being root squashed when you log in as your default user, that's where the student's brain is going, so I was never going to try as the root user. Furthermore I wasn't actually aware I could switch to the root user in pwnbox outside of sudo. I didn't realise it was the same password as the default user. Doing your own research into the nobody group when you're not the root user takes you down a massive rabbit hole of something being wrong on the server. So here I am trying to change the NFS version when the answer was way more simple. I think the lab should be changed to show that the root group owns the folder, rather than the nobody group.
In saying that, I did learn a valuable lesson in making sure I truly look properly at the folder permissions. Despite being in the nobody group, we can still ascertain which user we need to mount as via the folder permissions output, as ONLY the root user has permissions on the folder
I hate when HTB does these kinds of things, not the first time. I understand that we need to learn but this is just stupid. I like the content but the tasks are not noobie friendly.
My question to HTB staff, how can I know this if I have never even encountered it before? How can I research into something that I did not know was possible?
anyone here do the web service api skill assessment?
Completely forgot about that part
connected to rdp but bumped to sql server logs
I never finished my notes on this assessment smh but I would try playing around with the server authentication types but I really don't know
What does the SQL Server require?
A Windows password?
With which user are you logged in? Does the user have access to the database?
By the way, some users and also admins are lazy and use the same password for multiple logins.
does anyone know why when I import Powerview.ps1 I don't get all the functions, like Get-DomainObjectACL
I tried the credentials from important.txt and tried to run as admin. it didn't work
Because your Windows user has no rights for it.
Did you download the latest version from the Github repo?
can i logout and log back in as administrator? is this what you are hinting at?
Try it
thanks!! I'll try it
I'm enumerating the footprinting lab - hard. Tried all TCP ports and nothing came up worthwhile I think. I'm checking UDP SNMP but when I run: snmpwalk -v2 -c publick <ip>
snmpwalk: No securityName specified
it gives me
Module: Windows Attack & Defense. I can't connect to the PKI host no matter how many times I reboot the lab infrastructure. Anyone got the same problem?
you will need to supply a community string
In: Skills Assessment - File Inclusion, I can't seem to log-poison the access.log with burp
I wonder why this is
Where do you set your payload and what do you use as payload?
Hint: ||Look at the quotation marks.||
in the user agent
just an example to see why it doesn't work
but it's not getting there
for some reason
I'm gonna reset, see if it still doesn't wanna work
Look at the hint from me
and that is exactly the problem 🙂
?
I'm injecting in the user agent
like I'm supposed to
what do you mean, that is the problem?
DM
????????/
What exactly do you not understand?
Chrome and Edge use the system proxy, Firefox uses libcurl
That's what this text snippet says. No idea where you got it from and in what context it stands.
ok thanks
Whenever I reach a text passage I don't fully understand I copy paste it into chatgpt and ask it to make it simpler and give a better explanation, and it usually makes me a lot more confident on the subject
Like a private network
but why?
Organizations don't have their internal network publicly accessible, hence the need for pivoting
pivoting means redirection?
Link for exercise?
Yeah, pivoting is essentially routing/redirection
You don't need to impersonate for this exercise
Try using responder
ok thnx
The ||mssqlsvc|| user?
What command did you use to try logging in with it?
Try it with ||windows auth||
Yes, because mssqlsvc is a service account on windows and not just an mssql account
No
I'm not sure the syntax for using windows auth with sqsh, but it's just -windows-auth with impacket-mssqlclient
hi guys, sorry for the silly question but, someone in this channel told me xfreerdp has a way to share files between PCs, can't find how to do it, can you guide me to some kind of documentation, please?
xfreerdp --help
can we consider firewall as reverse proxy?
It does a few times in there
It absolutely did.
So, this is sorta what madf0x had told you in the past. If you see something you don't understand in the module, you should go research it.
But as we've told you, this part of self-research is a skill you need to learn. The exam is going to be more difficult, and you'll be completely cut off from this kind of help.
There is no way that an academy module can write down every single possible thing with the utmost detail that you're supposed to know to be successful. The biggest benefit academy is meant to give you is a solid foundation on particular topics, to give you enough ground to reason through what you know and don't know.
Same thing applies to real school. When they teach you about solving systems of linear equations in algebra, they don't show you every possible combination of problems because the focus should be learning the process and methodology over individual, specific facts, if that makes any sense
can somebody help me with a question in the module introduction to active directory?
so I was using the one from the attack box in the AD enum & attacks module. isn't it safe to assume that one would work like the module teaches?
You can check in the code if the function is included or not. If not, download the latest version and look again.
ok will do. thanks for your time.
What is it? (For future reference just post your question, it makes the chat less cluttered and is easier for everyone)
understood, What security policies can block certain users from running all executables?
I put this policy: Application Control Policies - Settings to control which applications can be run by certain users/groups. This may include blocking certain users from running all executables.
I'm sorry, I haven't done that part yet
Looking for clarification: I am doing Pass the Ticket From Linux section and in the "Using Linux tools with kerberos" section the part where it is using Impacket with proxychains and kerberos authentication there is the command
"proxychains impacket-wmiexec ms01 -k", however, further down where it shows us another way to do this part of the attack and pass the ticket it is using impacket and says "proxychains evil-winrm -i dc01 -r inlanefreight.htb", so am I being crazy in thinking that the impacket command should be using dc01 as well, as we have already extracted the ticket from ms01?
Is it a typo or am I missing something in the process?
Thanks anyway
Anyone available to help with "Attacking Common Services | Attacking DNS"??
Having a hard time getting the zone transfer to occur... not sure I'm issuing the right commands, or maybe I don't have the proper /etc/hosts structure I should?
What command are you using?
I am using "dig AXFR @ns1.inlanefreight.com inlanefreight.htb" and also "dig AXFR @ns1.inlanefreight.com inlanefreight.com", changing the entry in /etc/hosts accordingly
the question is confusing because the host command only responds to ns1.inlanefreight.com and not .htb
htb cannot be resolved because it is not an official TLD.
If you want to resolve htb, you have to specify a NameServer which can do the resolution
Is that necessary to answer the question or just a possibility??
ns1.inlanefreight.com will not know the TLD htb
It is necessary
Specify an ip as NameServer
so do I use .com or figure out how to specify a NS in resolution?
bro rlly got explained why it was necessary and still asked.
💀
is that...
dig axfr @sub.inlanefreight.com XX.XX.XX.XX ???
ip being NS ip?
this defines gatekeeping fasho
Did you already do the subbrute part?
yes but after digging here I found that I'm only seeing 5 of 8 subdomains
Can you send exercise link?
the @nameserver would be something like @ns*.inlanefreight.HTB or .COM ????
even though host only replies to .com??
10.129.17.29 inlanefreight.htb
Edit your /etc/hosts with
Ip here inlanefreight.htb
yep
Add ns.inlanefreight.htb as well
@clear hatch you added the target IP as a resolver, correct? Then you executed subbrute
they both respond to the host command but only as
THIS
no
I added ns1.inlanefreight.com and ns2.inlanefreight.com to resolvers.txt in subbrute
The /etc/hosts will map a name to an IP, but it won't use it to resolve any subdomain.
Add the IP address
You can, but are you going to add all possible subdomains? You need to brute-force it to find them first, then you add to the file
SO.. what I misunderstood was that the "target IP" is ALSO a nameserver??
No, it is the ip
You have added names, and they need to be resolved to IP addresses, which could happen if you add it to the /etc/hosts. You'd be guessing the target IP has these subdomains.