#modules
ok, now I'm completely confused... Why would they show terminal and Websites if I just need the websites?
@coarse escarp to be honest, if you don't know how basic tools like curl or gobuster work then I would recommend THM; it's way more beginner friendly. HTB, even the academy, needs the try-harder mentality.
That kinda comment is only gonna make me push further into this lesson until I complete it

I will brute force it until I get it done
yea I know, but without the basics you will eventually bang your head against everything in your room like me 🤣
been there done that
willing to do it again
my lack of understanding is only matched by my unyielding iron will to move forward.
can I use smbclient to get the final flag?
I guess you are on the path of guessing that tool, but hint: no need for that
hint: enum of the third or the win10 machine
so in this section there is a flag somewhere in some directory on the target website. you need to use gobuster, which can brute force directories using a wordlist that has a lot of directory names, which is what the -w flag is for. in the example they use the wordlist at /usr/share/dirb/wordlists/common.txt, so maybe give that a try
Okay, question: why do some of the module tests ask you about concepts that were never explained in the actual modules?
Windows Fundamentals is asking me to create a group; none of the modules in Windows Fundamentals explain how to create a group
You might be a little too caught up in trying to get the answer, without realizing that the academy is trying to teach you both function and methodology. Don't treat answering a question as a measure of success.
figured it out
there is a ":" where shouldn't be
make sure to slow down, fingers are going faster than the brain
it's http:// not http//:
ok
you didn't get a redirect to an admin page; that is the robots.txt file, and the admin directory thing is just a disallowed entry
ok but do I need the robots file?
also refresh that page to make the pwnbox screen bigger
first you need to know what a robots file is and what it does
oh well thats nice
in CTFs it usually reveals directories and stuff
but for modern site read more here https://developers.google.com/search/docs/crawling-indexing/robots/intro
so basically it acts like traffic controls
and can also hide stuff too
hide things like flags
it can, but hint: it's not really the case for this
so I don't need it then
here is a bigger hint you may want to check something that's "disallowed"
by the way, they explain this quite well under the Robots.txt part in the section 🤣
yeah I figured that much
If someone doesn't want me there then it's a good idea of where important information is
problem is how
reading a book on stuff like this isn't a good way to learn for me, so simple CTFs that have this kind of stuff helped me a lot when I first started
I'm gonna take Men in Black's advice and take a break
have some pie (even though I don't have pie)
or a redbull 🤣
bruh... I tried to do the Meow very easy module hours ago and I couldn't even ping the machine. I do the same thing now and it works perfectly
hi
hi, I'm working on Nmap Firewall and IDS/IPS Evasion - Medium Lab, I already have port 53 open and got the version, but when I answer it says incorrect
that isn't an HTB academy module; read #welcome and #rules, after that use /verify at #bot-commands and ask that at #starting-point
you need to use the pwnbox for this because of some shenanigans. I had the same problem
alright, got the flag now
Hello, I'm stuck on question 2 for Active directory
Kerberoast an account with the SPN MSSQLSvc/SQL01.inlanefreight.local:1433 and submit the account name as your answer
I can't seem to import PowerView; whenever I do Import-Module .\PowerView.ps1 it doesn't seem to work. Any ideas?
Hi guys, I'm currently doing the payload and shell module and there is a question asking us for the PowerShell version.
I don't know what I'm doing wrong. I tried $host.version in Pwnbox but the reply doesn't work with x.x.x or Powershell x.x.x
So I thought that maybe it could only be the one written in the lecture
But 7.1.3 and Powershell 7.1.3 are not valid answers
Also not working with PowerShell instead of Powershell
I tried writing it myself without any CTRL+V but it still doesn't work
Read the question again. Carefully.

If one field is not working then how about other fields?
Looking for help with Attacking Common Services, DNS: "submit the flag found as a dns record". I have enumerated the subdomains. However, whenever I attempt zone transfers etc. it just fails and times out. What am I doing wrong? I do dig axfr <subdomain> @<ip>
The command looks okay so far.
Which zone did you query?
I have queried all zones I have found.
and I get a timed out error
||control||, ||helpdesk|| & ||root||
These are the wrong subdomains
Been using this ||dnsenum --dnsserver 10.129.8.236 --enum -p 0 -s 0 -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt inlanefreight.htb|| to enumerate.
root comes from SOA Entry, right?
But then it is a mail address and not a subdomain 😉
True
Can you give me a nudge where my enumeration is going wrong?
Try a smaller list.
Not every list contains every entry
thanks
So, I'm trying to find a way to gain access to robots.txt to be able to get to the flag
My suspicion is that it has to do with the fact that wordpress was moved. Moved where?
I have the idea of transferring robots.txt to wordpress but I can't log in so smb commands won't work
the puzzle has to do with wordpress though..

can someone play if I'm hot or cold on this one?
I think you need to go back, and redo the sections in the module. You're missing a lot of core skills.
I got the flags for them though
?

Yeah, but as I said before, this isn't about just getting a flag. You can't use that as a judge of progress. It's about understanding.
MRtom gave you a bunch of help on this, but you're missing some core concepts.
Service scanning is all about finding entry points to your target.
Basic tools is about what things you'll be using throughout your cyber security career
Getting started with a pentest distro is about setting up an OS for your workflow
If I'm missing some core concepts then what are they?
hello guys, I need some advice, I want to start learning to
It's not very helpful to say I'm missing something and then give vague solutions on what I should do. Because then I don't know what to look for in my gaps of knowledge.
It's not just a simple thing to point to, but a general fundamental experience. I'm not trying to pull you down here, but just point out that this might be a little ahead of where you're at right now.
I'm not saying you're bringing me down, I'm saying I need details.
otherwise I won't know what to go for
because the door will be too open
Are you trolling?
I have ADD and dyslexia; didn't wanna bring out that card, but no
I'm not
As MRtom said, you might be better off getting a hang of the basics on something like THM, as it can start you out with the simple stuff.
Once you have a better grasp, it would make progressing through these modules easier.
Can I get a link?
You don’t want to gain access to robots.txt - the main purpose of the robots.txt file is to guide web crawlers and prevent them from indexing specific pages or directories that website owners wish to keep private and exclude from search engine results.
is this run by HTB? Cause it has the same vibe
ok
No, it's a different site entirely. It's not as good as HTB, but it is easier if you're just starting out.
HTB generally expects a little more experience, at the beginning.
may I dm you?
actually nvrmnd
I could skip the step
wellll
I already came across a problem with THM
How often are these sites updated?
I actually do need to dm you now
if by updated you mean new modules or rooms or boxes, then for THM I would say a few rooms every week or two, for HTB every week now because of the seasons, and for the academy it's a bit random
I'm talking about the site he showed me
did you use .co ??
this is something else
I listed all 3 sites mentioned?
well, with THM I can't get past the first module because of a connection error
that's really off putting for someone trying to learn if they are brand new
at least with HTB I was able to connect and complete modules

I have no idea if this will affect anything, but you shouldn't follow 100% what the example showed. like, if an example runs gobuster on a domain that is clearly fake or only for demonstration purposes, like example.com or fakebank.com, you still shouldn't follow the example and run the tools on those domains, because in most cases you are running a pentest on a site that didn't allow you to
wait....
I'm the dumb dumb
I thought you meant my url used at the top, not what I wrote
if you mean in the screenshot, then you are running the tool against a fake site that isn't owned by THM
I had figured out the issue, I'm just a bit slow sometimes

look I am genuinely trying to learn and I do want to learn
@zinc marsh figured it out that quick? 🤣
yea I am dumb lol
I need to read better lol
hey sometimes all you need is to see it in a different place
I'm 1 double check away from helping 🤣
I'VE GOT THE SAME FREAKIN THING!!

God I hate dyslexia
well I didn't try it but I guess I got what I have to do lol
I'm gonna try it now. Yea it worked
@coarse escarp look, I've been on all 3 platforms, THM, HTB and HTB Academy, so if you are new to this and need some help feel free to shoot me a dm if you have questions on those platforms
what's his problem
mostly he's just new to this, the actual problem is just simple stuff but the hard part is learning how things work
oh
will do, sent a friend request
well he can ask the doubts and someone will answer him
I enjoy learning how things work, it's actually a favorite pastime. But certain things just get in the way for me.
or pwning will give him the 👢 if the doubts are not academy related 🤣 (jk)
ah lol
already been pwnd I think
Sometimes I ask general doubts or about something I am doing
one of my main reasons for getting on the force
like I said, feel free to take it to dm if you have a question, or ask here but in the appropriate channels
not from the academy content
yea that's mostly because me and 3 other great guys are here 24/7 😂
I suggest making a note-taking methodology in Obsidian, this has helped me A LOT
I'll have to look into the staying organized section again.
@coarse escarp #resources-tools message
The Firewall and IDS/IPS Evasion - Hard Lab test in the Network Enumeration with Nmap module seems rather unreliable... is that so?
Anyone got experiences with this / tips?
I've read "the relevant section" but even so I'm not getting any additional findings
Hello! Can someone help me with https://academy.hackthebox.com/module/51/section/1589 ?
I run logrotten on ~/backups/access.log
I am on SOCKS5 Tunneling with Chisel and i am setup like so:
But when I try rdp I get:
I see the copy with the payload in /etc/bash_completion.d and it gets deleted, but the payload doesn't execute.
use the non root account
oh ok
DNS enumeration with Python - Determine the IPv4 address of "ns1.inlanefreight.htb" from your target and submit it as the answer.
nslookup gave me 178.128.39.165 but that is not ok. Other enumeration gave me the same results. Did I miss anything?
are you using the right DNS server IP? Did a quick nslookup and everything works as it should
Are you using .htb or .com
.htb
would you mind pasting your command in spoiler tags?
teach me how to use those spoiler tags please 🙂
Use two pipes before and after
Ah thanks
||nslookup ns1.inlanefreight.com
Server: 1.1.1.1
Address: 1.1.1.1#53
Non-authoritative answer:
Name: ns1.inlanefreight.com
Address: 178.128.39.165||
like this?
You used .com
meh
aaah
Do nslookup {domain} {ip}
nvm, found it... had to "cut my handshake short" to find it.... >_>
Or just nslookup {ip}
Hello world!
||```nslookup ns1.inlanefreight.com
Server: 1.1.1.1
Address: 1.1.1.1#53
Non-authoritative answer:
Name: ns1.inlanefreight.com
Address: 178.128.39.165```|| It is easier to read like this in my opinion

it is, nice tip
.5 seconds error find
inlanefreight*.com*
Speed run leaderboards
Yes I pointed that out already
modules any%
I found out I can tether and connect to academy Still
🫵
it is a markup language if you wanna learn a bit about it
Get rekt if that was your wall of text
nah, I just was talking about the use of || with ``` that I didn't think about
I am looking for some help on the Web Proxies Skill assessment, I do not understand the question about fuzzing the md5 cookie. Can I DM someone about it?
BTW you need to verify your main htb account following #welcome
Automod stuff removes certain things
DNS enumeration with Python - I get only these results: ** server can't find 236.226.129.10.in-addr.arpa: NXDOMAIN / ** server can't find ns1.inlanefreight.htb: NXDOMAIN / ** server can't find inlanefreight.htb: NXDOMAIN
What did I do wrong with the enumeration?
@frozen mesa
tried a smaller list & the one provided by ||subbrute|| as per the hint and still the same results.....
.htb isn't a registered TLD and the target is spawned in an internal container. External DNS won't find it
Hello, I'm stuck at the same point: Use the LINUX01$ Kerberos ticket to read the flag found in \DC01\linux01. Submit the contents as your response (the flag starts with Us1nG_)
Found several cached ticket files, but not sure which one is connected to linux01...
thanks!
@zinc marsh just noticed your GitHub cheat sheet and I think you can't share that. not 100% sure if sharing the cheat sheet is also against the TOS, but for the academy you can't be sharing anything but tier 0
Hello I'm stuck on question
Find cleartext credentials for another domain user. Submit the username as your answer
I can't seem to upload anything to ms02 so how can I check for clear-text credentials? Any tips on how to do this? Thanks 😄
@vital adder where can you read the TOS?
hey friends, I am at the Login Brute Forcing Skills Assessment, 2nd question, and keep getting this response. what's wrong with this?
the site is up
maybe vpn issue?
it works fine at the other questions
Are you sure the post form is correct?
i will double check it but i think yes
really?
90% sure
it says solutions for tier 0
I don't think you are allowed to share academy cheatsheets, no, but tbh all those things are known online, so if you made your own cheatsheet the contents would be similar
I am not giving a solution to anything
I asked someone on the academy team but he isn't on right now, maybe tomorrow
yes I am sure
yea but it's still paid private content
backing up or making your notes on GitHub is good and recommended by the holy god John Hammond, but just don't share private stuff. like imagine John sharing his OffSec notes 🤣
been stuck on this module for way too long. just want it to end already. I enumerated root, and got a bunch of subs, but none of those were it. As mentioned, guess they are not. I ran dnsenum with a certain wordlist and found 2 subdomains(1 ns). At this point, no matter what I try, nothing works. dig TXT on all subdomains I found, sublist3r, even gobuster, though go was the one that found all the roots.
in the windows privilege escalation module, Windows server section, the spawned machine is refusing RDP connections, even when the task says to connect to the machine via RDP. what to do?
this?
yes probably
literally my notes about this question are
I finally finished this one. Use ||subbrute|| as per the instructions on the page (but substitute the ||ns.inlanefreight.htb for the actual instance ip||) and it should work. Ironically I also used the wordlist which is supplied by ||subbrute|| in ||dnsenum|| and it didn't actually give the correct result so 😬
You're the second one to mention some kind of issue related to this, maybe this will help? #858470491676737536 message
Can't test it myself right now, but I think I did that one a little over a week ago and I didn't have any problems with it, so genuinely not sure
yea, I am checking the section, I think I could RDP with no problem
Probably just need to wait a few minutes for the server when spawning then
That solves a lot of issues
no, I respawned it 3 times and also waited quite some time. I think the issue is that it is running Windows Server 2008 and newer versions of RDP clients have trouble connecting to it. But it seems like I can use the pwnbox to connect to it.
Just installed xfreerdp on my Ubuntu 22.04 VM and can confirm that the issue exists
The solution in the erratum message I linked works though
xfreerdp /u:htb-student /p:'HTB_@cademy_stdnt!' /v:10.129.26.28 /sec:rdp
#modules hello guys, I'm stuck at the knowledge check in the Getting Started module, how can I escalate to get root privilege?
User www-data may run the following commands on gettingstarted:
(ALL : ALL) NOPASSWD: /usr/bin/php
Is there someone who completed https://academy.hackthebox.com/module/20/section/226? Question 1, not sure if it is out of date
sudo php -r "system('$CMD');" ?
why ask when you can try
you mind if I DM you? just have a couple quick questions.
I know, I will change cmd to a listener with ip and port I guess and get a reverse shell, not sure
no sweat.
What is the version of xfreerdp you guys are using @trail leaf and @radiant abyss
overcomplicating
checking right now
FreeRDP version 2.6.1 (2.6.1)
update it
Seems like an older version from the one in the workstation, and the one in kali
Are you both using Ubuntu?
same
no need, the /sec:rdp switch makes it work
I was because I was too lazy to boot up my Kali machine
oh, u got it to work in ur box?
Didn't realize how behind the Ubuntu repo was
yes, but the connection seems to crash every 3 minutes or so, I think I will just get the flag and be done with this section xD
if you have multiple tun interfaces, that could cause the mentioned crashing behavior
are there any better hints from your side?
I don't think there is a better hint than https://gtfobins.github.io/
thanks bro, I will try now
.
@autumn pilot sorry could I ask u about 1 question? I am not sure if it is out of date
sure, go ahead
the first question Perform MIC cracking using the attached .cap file.
feel free to dm
ok
if it is this question, use xfreerdp without tls by using /sec:rdp
nope it is from the windows box
the problem is the windows 2008 server iirc
yes, I already figured it out from your post yesterday xD
cool, it helps 🙂 I had this problem and was like you 🙂
since you will do it in Skills Assessment part I, don't bother with the ldapadmin question until you have priv esc'd via the other questions; this question must be answered at the end of the assessment
alright thank you for the heads up
uid=0(root) gid=0(root) groups=0(root)
DONE 🔥
now u can do the same to the NSA 
@trail leaf ah shit, here we go again
Hey, just started on Penetration Testing Process
and going through section: Academy Modules Layout
it links to several modules under each Penetration testing processes phase https://academy.hackthebox.com/module/90/section/1559
Is it meant to be taken now or just suggestions?
read above
Aka, is it enough that I just follow the CPTS path or do I need to take these first?
use google!
the entire internet is at your fingertips!
For example
this isn't the first time someone has tried to privesc with PHP, surely someone has written about it before!
php zeroday 
All of the information there is stuff that the course assumes you already know
any help please
if you got hacker rank without cheating, you should be fine tbh
Hello friends
I am in a very tough situation trying to survive at the moment because I am jobless; I need your help regarding a job.
So please help me.
might be worth skimming the modules though
priv esc with php
I got my Hacker rank about 4 or 5 years ago, though I work as DevOps, so I do have fundamental knowledge. But my question was basically in regards to the cubes, as I would just like to pay for what CPTS requires.
oh, then every module you have to pay for is in the penetration tester job path
u need to complete the 100%
for the cpts
Currently I was told that 1x Platinum and 1x Gold sub is enough to get CPTS (course content) since you also earn some cubes from completing.
the information security fundamentals stuff isn't explicitly required to do the CPTS
that is the information u need to know before starting the module
if u think u know it just skip it
🤣 🤣 🤣
https://academy.hackthebox.com/module/19/section/108
Hello. I'm a bit stuck on this one since yesterday. Did many different scans on the target using different scripts but still can't find the flag.
Is the flag this form : HTB{.....} ?
yea, I might, and if I see myself getting stuck I can revisit said modules it suggests. I just assumed some of it would be covered by the CPTS path itself.
use a script mentioned in the question
yeah it is HTB{...}
Hydra can't reach the website. If you can access it in Firefox but not through hydra, your flags are probably just bad.
I like using Wireshark or proxying through BurpSuite to troubleshoot what requests my tool is making
that's really weird because I am sure of them, I will try proxying
Hello, can someone help me with the Authority box? I am stuck
Thx for your answer
I used :
sudo nmap IP -sV -p80 --script discovery,external,fuzzer,version,vuln | tee result
Then grep -E 'HTB' result (lazy me)
But no flag ... 😭
Any idea to help me go further?
Hey, just ask your question.
use command /verify
it will tell you how to
nmap does not give you the flag
the service running on the target will give you the flag
he is using scripts via nmap that do something, which he then stores in a file called 'result'
ok, so one of these then
Ah, this is an active box. I would suggest asking in #boxes and maybe don't mention where you got the users from as it appears to be a spoiler.
Ok, sorry! Just deleted the message.
no sweat, maybe just ask for a person to DM in #boxes that has completed the machine.
Hi,
can someone help me with the C# module please?
try the most common web server NSE scripts, google it, you will know
which one
Introduction to C#
I haven't done it yet
OK thanks anyway
Hey, I'm on Attacking SQL Databases, the second question: Enumerate the "flagDB" database and submit a flag as your answer. I'm supposed to log in as mssqlsvc. sqsh does work for me to log in, I tried .\mssqlsvc. I was only able to get on with htbdbuser when I used impacket-mssqlclient.
sqsh connects me to my own machine
sqsh does not work
windows auth
yo, can anyone help me with the Footprinting medium lab? I've gotten to the point where I've found the creds for sa. I've then tried logging into the SQL server with the creds but with no luck, and also tried to RDP in as sa but again no joy
In which module do I learn more about HTTP Headers and Content Security exploits?
Did you check out the HTTP Attacks module yet?
no, thanks for the name
can anybody explain what rainbow table attacks are?
this is the right flag
check spaces before and after the flag
For Privilege Escalation do I need to run a shell on the host to run the enumeration tools? I'm kinda confused; I feel like given the last lesson that's what I'm supposed to do, but also the cheatsheet makes it seem like I should be able to run the enumeration script while logged into the host.
ok
you're trading time for disk space basically
also only valuable if you intend to reuse the table on more than one campaign
so usually people don't make salted rainbow tables at all outside special circumstances
Yes, NTLM rainbow tables are pretty popular
you can get NTLM tables for every possible combination under a certain number of digits
extra bit of info to make a password hash unique specifically so rainbow tables can't be used
exactly like this
so p@ssw0rd would be the password generated by the user that's entered into applications or login portals, and 123456 would be the salt that the application adds to the user's password on the backend
ok, understood, thanks
in the real world the salt is usually a randomly generated string during application installation
it's also worth noting that for many algos, the salt is given in cleartext as part of the resulting hash
it's NOT secret information
it's just a clever trick to defeat people precomputing things, to give 'em the middle finger
when it's a secret, we've taken to calling it a "pepper" or in the case of an HMAC construction the "key"
pepper is a per-application salt that's added to the hash, in addition to the salt.
the rabbit hole is always deeper
Hi, any help with the Footprinting medium lab? got creds for sa but when I use them to log into the mysql server it doesn't work. when I run as admin I need to specify the admin password but don't have one, and the sa creds won't work with
also tried Remmina but that doesn't work either, it just keeps flashing up "specify RDP authentication"
I don't know if I'd call it "per application" but yeah, it's typically done "in addition to", but there are quite a few examples of peppers being employed on their own as well
it's just a way to differentiate salts, which are public by nature, from values that are kept private/secret
the terminology isn't exactly strict, with pepper only making a handful of "official" docs of any type
Per application, as in used inside that DB only.
It's to help prevent salt reuse between different applications/instances.
i.e. if a DB happened to have the same salt + pass in a different DB
I'm not sure that really makes sense, salts should be random
Yeah, but if your salt is only 4-5 characters that only gives you a certain number of combinations.
You could increase the salt length, but eh
sure, but no modern algorithm or construction should have that limited of a salt
almost all modern algorithms have a fixed or at least default generation scheme that provides a nice long salt per invocation of the algorithm
But adding a pepper makes it even less likely 🙂
fair enough
Active Directory : Take over the domain and submit the contents of the flag.txt file on the Administrator Desktop on DC01
Can someone help me with the last question please, I can't get either method to work 😦
what does not work?
There might be some credential reuse.
How do I hit 100% in Academy? I've already done all the modules 🙂
Perhaps the planned modules are already included there.
Nope. All modules done, including all updates.
You can't complete the modules if you don't answer them 100%
Only thing I could think of. Which doesn't bode well for me on the blue team track 😄
That is simply not true.
At least two DACL modules are in the pipeline.
More Defense Modules are likely to be released for the upcoming exam
if you complete a module and an update comes out you'll still have the badge and show as completed, but the percentage will drop down.
But PayloadBunny is most likely correct
that completion gap is too big to just be random module updates
Today HTB announced another path on Twitter, later deleted the tweet.
Also here are certainly more modules planned
So running into an issue and I don't know if I'm just thinking weird, but for Privilege Escalation I'm trying to run a shell on user2 since user1 has bash privileges over them, but when I try to connect to the listener on both lan0 and tun0 neither results in the listener grabbing the connection. Is there something I'm doing wrong?
Awww maaaaaan
Without knowing what commands you are sending, it's difficult to say what you're doing wrong.
So several new modules are to be expected
time to actually take the exams while you wait 😉
Why does the Packet carver badge look like Jigsaw? lol
This is the reverse shell I'm trying to use obviously replacing the IP with the one from either the tun0 or lan0 same port.
I'm starting onto boxes!
That's the listener command I'm using.
exams after I feel a bit more confident in box cracking
Is that a newline between tcp and /?
broski you've soloed the entire academy
if you ain't ready for the exams you never will be
but... but... boxes....
Not to my understanding. Looks like one command from 'Bash to 0>&1'
Yeah I meant are you sending them as a single line or not
And need to change the IP address to your tun0 address
madf0x is right. With your knowledge you should pass the exam without problems
Does the listening port matter too? That's the only thing I haven't tweaked.
it does if you have a firewall blocking it for whatever reason
if you're using base kali it shouldn't
you've spent more on modules with content that has nothing to do with the exams than the actual exams cost.
At this point the absolute best practice and preparation you could do for the exam is to just take the exam.
Yeah, it's base kali running in VMWare player.
certificates maybe
yea for the new soc cert
tried some surface-level IDORs to leak new cert info but no dice
SOC Cert
CREST CCT INF
2x DACL
yea the firewall may be blocking it
use common ports like 53,80,443...
it shouldn't be blocked
unless he's doing something weird
like NAT vm, but the vpn is running in the host
that'd cause problems lul
damn
they are adding game hacking as well
Yes, but I cannot currently assign this module to any of the leaked paths
Machines website Hack4u
u can search boxes here. You can filter them by certificates, skills needed, difficulty...
they added games challenges so I guess it is for that
gotta be careful, its possible to overprepare
I am just mastering web attacks now and I will go to the exam after that
👍
I am starting the labs from PortSwigger rn about SQL injection, XSS, CSRF and all those things covered in the path
I mean I could be, but I don't know, the VM is configured with pretty much base settings aside from an encrypted LVM, and the hardware settings are set to use higher than what VMware recommended because it was recommending like 4GB of RAM and 1 CPU.
Could it be the .ovpn file?
are you running the vpn inside kali or from the host
Inside Kali.
Does it need to be run from the host? I haven't had issues with it the past few lessons...
-_-
there's ofc also the easy way
I just realised why it may not be working.
but the easy way wouldn't troubleshoot why there's no connection
On these hosts the only port that's open is the port you connect from.
Nmap shows that.
that's not how ports work
??
either way, do you want to continue troubleshooting the rev shell, or do you want to just finish it the correct way?
both are valid endeavors
I'll do the correct way. I was trying to do a shell because I was under the impression we were supposed to use a shell since the last lesson on shells didn't have a pracapp portion. Either way I'm probably still going to try and establish a shell after the fact just to get some practice in.
yeah, in this instance you already have a shell, so unless there were some exploitation constraints you wouldn't really want to spawn another shell, it'd just be extra noise.
I feel like I missed something somewhere along the way that makes this much simpler than my brain is trying to brain it out to be.
My line of thinking is that from our SSH connection we have access to user1, who has sudo rights to utilize user2's bash directory, therefore running a reverse shell to user2 seems like the most straightforward path to the goal, and from that shell we can further move through and enumerate the target system.
you're overgeneralizing
you're thinking that 'new access' = 'new shell'
but you can completely reuse your current shell
by just launching a new process under the new user
this is what happens if you use 'sudo su' on your machine to switch to a root terminal
Overgeneralization is a normal concept when learning a new subject or skill
It means you're actually progressing
it's the same phenomenon as why kids learning how to talk for the first time will use words in the wrong grammar cases or make up new ones by mishmashing language rules they haven't fully learned yet
I don't know, I did this on the last lesson too and every time it hasn't been like an "Ah-hah!" moment. Moreover my forehead is sore from how many times my palm has hit it at this point.
Does anyone know if Remmina can be used without the GUI? I did some brief looking around and found some (janky) workarounds that people have used to do it, but not much else. I'm aware there are other options, this is more about understanding the tool (and satisfying my own curiosity) than anything 🤷
I'm just saying this is a very normal part of the learning process. You're not dumb, you're learning. It'll take time for the overgeneralization to go away.
so basically I can have you on speed dial for any questions I might have with academy module?
….no? 🙂
100% academy
Anyone please?
You should tell people which module/chapter you're asking for help on, because we don't memorise them.
also if its a skill assessment the answer is probably going to be, "Its a skill assessment, figure it out"
or try harder 
sounds like you're working on Active Directory attacks and enum, if you still need some help DM me
Hi everyone, I was at 50% of CPTS,
kinda bored of doing the trial alone, with noone to talk about it
if there's any Hispanic going for CPTS or CBBH DM me, I'm bored and drunk asf
Thank you very much
Just passing by,
Did you make the mutate_password list?
Anyway, be patient with hydra, good luck
"kira"?
Kira, kira and Will/will... with mutate.list of 90k+ AND mutate.list of 35k+
Ftp, smb AND ssh
You should get your first hit with kira and ftp
Thx, I followed to test
After that it's not too many steps to reach will
kira pw is in the mutated list, you created the list with the custom.rule from the resources, yes?
I'm still stuck on the Footprinting Lab - Easy... Can someone help assist me in this module? Once I log into the FTP server with the creds provided, I can't seem to progress from there.
Are you sure you're on the right ftp server :)
I did, I have 2 mutated lists, with 95k+ AND 35k+
I did it with 2 mutate.lists AND none, but I followed to test :/
why do you have two mutated lists
^
you should be using the ONE mutated list they instructed you to build
sounds like you did your own thing which means no guarantee your list has the correct password generated
Yea, I believe so... am I supposed to be on port 21?
Nope
The original mutate list with 90k+ words AND another new_mutate with grep -E '^.{11,}$'
what are you talking about
What is that grep for
cat mutated.list | grep -E '^.{11,}$' > new_mutated.list
How would I access 2121??
Just add the port after the IP: ftp <ip> <port>
You are targeting the inlanefreight.htb domain. Assess the target server and obtain the contents of the flag.txt file. Submit it as the answer. Attacking Common Services - Easy. I'm trying to put the reverse shell through MySQL but no joy.
can I dm someone my code to see what I'm doing wrong?
My skill issue with this was incorrect slash direction
okay i'll try /
it was pain
it really is, I'm just throwing shit and hoping something sticks 😛
SELECT "<'myreverse shell']);?>" INTO OUTFILE 'c:\xampp\shell10.php';
The way I figured it out was when I repeated the command
I then load /shell10.php in the browser, no joy, and do load in MySQL and it says Null
I've tried /xampp/htdocs/
Did you do C:/xampp/htdocs/'shell'
I thought so but I'll give it another go ty
I tried that also but I was putting -p2121 instead of 2121 by itself. I logged into the server now and obtained the authorized_keys but I still get denied when I try to ssh with the file?
Take notes of the error
Learning how to read and understand what an error is helps
I made sure to chmod 600 against the file before ssh'ing into it but I still get a Permission denied (publickey,password)
Has anyone else had trouble running EyeWitness on their local Kali (2023.2) instance? It's clearly a problem with Selenium, but I did install EyeWitness using apt so you'd think the dependencies would be taken care of. 🙂
$ eyewitness -f scope_list --web -d inlanefreight_eyewitness
Starting Web Requests (7 Hosts)
WebDriver.__init__() got an unexpected keyword argument 'capabilities'
...
Finished in 0.29549288749694824 seconds
[*] No report files found to open, perhaps no hosts were successful
UPDATE:
Seems to be a known issue that is being worked on.
https://github.com/RedSiege/EyeWitness/issues/615
Not too jazzed about the current fix (Selenium downgrade):
https://github.com/RedSiege/EyeWitness/commit/539d074b8edb433f9d6160201d097a7e961f4393
Are you using the right syntax?
Note that XAMPP has a free download, so you could always download that and figure out the webroot and the location of everything from there
chmod 600 authorized_keys Is what I did before ssh -i authorized_keys 10.129.x.x
Are you trying to SSH with the authorized_keys file?
Shouldn't you specify a user@ip
But also this
I'm tired so didn't catch it at first
Yes
Why
The authorized_keys file is a store of the public SSH keys associated with a user
You need the private key
Well I was trying to lead up to that point
But yeah, basically when have you ever used the authorized_keys to authenticate
either, he stored the private key in a file named authorized_keys or he's actually using real authorized_keys file. (I doubt anyone would name their private key that lol) and as marcie said, you're missing the username to authenticate.
👍
hi guys
Hello, I am a few hours into the AD Enumeration & Attacks - Skills Assessment Part I, answered half the questions and was running smoothly but now constantly running into these errors when trying commands/uploads in the PS webshell. Have reset the box, waiting 5-10 mins between resets... sometimes I get a few commands in and then this error again? Anyone experience it?
I wouldn't rely on that webshell for anything other than downloading a real shell.
i'll try that cheers
Everyone has their own preference, but I'm a fan of:
https://github.com/antonioCoco/ConPtyShell
Help in the Windows credentials section of the Password Attacks module. Question 3 says: What credentials does Bob use with WinSCP to connect to the file server? (Format: username:password, Case-Sensitive) ...... but each time I send the tool over to the target with PowerShell and run it, it just crashes... https://academy.hackthebox.com/module/147/section/1318
Looking for advice / resources for help with the buffer overflow courses. I have been struggling with them for some time. Buffer overflow is one of those things I am having a hard time grasping.
Use the given tool in the module
use nvim
60 days in and I have 4 modules to complete in Hack The Box Academy towards CPTS and then the Pro Labs... \o/
LaZagne crashes
Might be getting corrupt in transit. Check file hash to make sure it's okay.
If I am not mistaken the tool already exists in the target machine
i'll check next time i try that lab
hydra brute force gives no valid passwords and msf ssh login just says completed command ran... hydra -l Will -P /home/kali/Downloads/Password-Attacks/password.list ssh://10.129.44.134 ... https://academy.hackthebox.com/module/147/section/1320
hey, what's up? Did someone complete the Password Attacks labs? I'm stuck on the middle one
check the hint
I having an issue with this question from the last question of the section of this module(https://academy.hackthebox.com/module/22/section/382):
"Find the number of users in the IT OU. "
This is the command I used to attempt to find the "IT OU": (Get-ADUser -SearchBase $ouDistinguishedName -Filter *).count
what's your query
I just solved the issue, I was trying users without the "." which broke everything no samba
I am stuck with the SocksOverRDP question, and it seems to be a technical issue. The .dll has been loaded successfully, but after starting mstsc.exe, I do not get a prompt that the plugin is enabled and info about the listener. I have tried rebooting the machine etc. with no effect. (Hence, if I go further and attempt to start the server, it does not find a listener and it all stops)... Any tips on what I can do?
ran hydra with user Kira against the provided pass list and tried the Kira user with the love password and it didn't work either, I'm still stuck
yeah this was on the forum, try mutating kira's password and checking if any of the mutations work
also, once you find that pw SAVE IT SOMEWHERE, you will use it in the future and it would be a pain to re-do all of that again (as I did)
thought it was a more direct/straightforward process but i guess htb wants us to "learn" thanks for the help
Hello, anyone on to nudge me in the right path for AD Enumeration & Attacks - Skills Assessment Part II, the very last question "Submit the NTLM hash for the KRBTGT account for the target domain after achieving domain compromise."? I have access to DC01 via PS session / user C*** and have transferred most tools
I try with mimikatz but it just spams the screen
PSRemoting is not an interactive shell, so you can't use interactive prompts
There's a way to specify all of your arguments on one line in mimikatz, that will work
sorry I'm burnt out here, I'll be sure I'm understanding: I have Enter-PSSession -ComputerName DC01.INLANEFREIGHT.LOCAL from the RDP session I'm in
Yep, that's not an interactive shell
You can run commands, but nothing that is interactive, like when something will prompt you to enter a password
Been trying to get through "Windows Server" of the "Windows Privilege Escalation" module. Sometimes my RDP connection doesn't work and the other times the Rundll (smb_delivery) exploit doesn't work. I managed to get the reverse shell once, but then the RDP connection broke down once again. This section is as simple as it can be but the problem with the target box is making this the most difficult part of this module. I can't be the only one not managing to get through this?
any recommendation for it?
There is a way to run Mimikatz commands without the interactive prompt (google search, shouldn't be that hard to find 😉 ). Alternatively, you can use that PSRemote session to spawn yourself a meterpreter shell or some other interactive reverse shell that will let you use Mimikatz the way you like.
Perhaps there is a way to dumper secrets remotely and target a specific user? 🙂
Lowercase kira and mutate the password they provide you (the password is also in the large wordlist they provide you the resources to mutate with)
Active Directory (AD) is the leading enterprise domain management suite, providing identity and access management, centralized domain administration, authentication, and much more. Due to the many features and complexity of AD, it presents a large attack surface that is difficult to secure properly. To be successful as infosec professionals, we ...
The secrets have revealed themselves to me XD
Hello! Right now I am in the Introduction to Network Traffic Analysis module, in the start of the packets area, dissecting network traffic with Wireshark. I have already activated the VPN and entered the host that is requested, but they tell me that I need to connect to the ENS224 interface from Wireshark, with no success. Can someone give me a hand?
Following lesson - Exploiting Web Vulnerabilities in Thick-Client Applications
Clicking on the newly created file doesn't do anything. Anyone able to work through this recently?
Good luck with that section
Hi guys, I’m wondering if there’s an issue with the SocksOverRDP module. I’m trying to log in as Jason as the module shows, with some fixes from the forums too I might add, and I’ve got no way to get in still sadly. I can’t even get in with Jason and says it’s being used so shuts me out of the RDP as it’s booting it. Anyone know of a work around or if somethings wrong?
just follow step by step all
you did something wrong
It's step 1 I did nothing wrong
But at least you must be right
I'll respond back in 2 weeks
well
then why it doesn't work
the section would be easier if we didn't have to change the Java code with Notepad lol
I am used to using wfuzz and I want to use ffuf instead just because. I can't figure out how to get the results of the same code to show up on one line. I get this instead
just filter it
the size is 280 for all so just filter the size
-fs 280
yeah but it does it with 200 as well
each 301 or 200 response is on a new line instead of showing 200 response then the results below and 301 response with result below
Like this -
how do I get the output to show up like the above screenshot? It looks so much cleaner
I don't know I never cared about that
you can grep them to a file
and sort them as you want
yeah true wfuzz or feroxbuster is winning over ffuf
that one too is better
I figured I would try ffuf to see if I like it better than my current "go-to" tools .
thank you
Google = https://github.com/ffuf/ffuf/issues/645 lol, should have just googled it.
wfuzz - way cleaner
Anyone got a hint on password attack medium going from d***** user to root?
On Password Attacks -Medium lab: I ssh'd into j**** and got into the mysql using his password. Once in the mysql, nothing shows up or works. Am I doing this right?
Show me the mysql command you are using
Try removing --password and just use -p
And then enter the password in the prompt
and the user
still getting -> empty line after show databases
Have you got root in medium lab?
You won't make that mistake again haha
the mysql should tell you to use ;
been on this for too long lol
anyways
?
I'm stuck trying to privesc to root
Privesc
I found a passphrase for the ssh key and thought it could be password reuse to get root but that's not right
Solved it
could someone help with Linux PrivEsc - logrotate? I found the file, running logrotten, writing some data to the log file, logrotten returns 'waiting 1 seconds before writing payload', but nothing shows up in /etc/bash_completion.d, and no shell is obtained
You're close
Ssh is definitely the right direction
But why is it pw protected 
hello anyone is there?
nope
Doing the Skills Assessment 1 of Windows Privilege Escalation and would like some help. I have reverse shell. I know what the system is and how to use ||JuicyPotato|| I also know what CLSID I should be using (||Using Tasklist I found out a task that is running that I can use||). But I'm still getting the same 10038 error when trying to run juicypotato. Just to be sure I tried out all the CLSID's from the list, but none of them worked. I also can't run the test.bat successfully since the output from web page is limited and the reverse shell doesn't give proper output for all commands.
can explain me What information can be withheld from the ICO , What is an ICO Dawn Raid and What are the ICO's Power's in a Dawn Raid
juicy potato never seems to work for me, try one of the newer potatoes
This is unrelated to academy modules
I need a hand if possible,
Password Attacks Lab - Hard. Still trying to brute force the ||johanna|| user, been 1h 30min and still going zzzZzzz. Trying ||rdp, smb and winrm|| with cme
if you're doing it right it should take 30 seconds
Well then I will retry. I'm using a ||mutated pwlist|| that was generated with the password list provided with the resources and custom rules too
I don't remember which list I used, but I usually start with the unmutated list first because it's faster
Discovered creds -> original list -> mutated list -> rockyou
that order for me
ok thanks
Tried Rogue and Sweet potatoes but didn't help. Been on this one problem for a couple of hours already. I seem to be doing everything correctly as far as I know, but getting errors. This might once again be a HTB issue. I'll just stop for today and refresh the box a couple of times tomorrow...
nvm, some box issue, it did the same thing for 1.5 hours and after the 2nd reset of the target box it worked like a charm
Hi all.
I believe the final challenge for "Injection Attacks" is bugged. At some point, it becomes pretty obvious what should be done next, but it just doesn't work. Can anyone confirm?
edit: pretty much right before I discover what the first vulnerability is. Can't exploit it in any way described in the module. Perhaps I'm doing something wrong - can anyone help?
Module: Active Directory and Enumeration Q. Obtain credentials for a user who has GenericAll rights over the Domain Admins group. What's this user's account name?
I've been stuck on this question. I found the username I am supposed to get but I don't know how to obtain their credentials and I'm a bit lost, can I get some help please? When I try to use Get-DomainUser on MS01 I get an error "The specified domain either does not exist or could not be contacted"
did you obtain mssql_scv user creds ?
@sleek urchin yes I was able to get those creds
good, log in on MS01 either via evil-winrm or RDP, then use Inveigh.exe or Inveigh.ps1, get the hash and crack it
hey, I'm doing Attacking Common Services - Hard. Stuck on the last question I see people talking about a linked server... I don't know how to find it or what I would do.
@sleek urchin Thanks for the help I got it 😄
You are welcome
I was able to finish the lab from information gathered from this forum
Hi Everyone! Who could help me with Attacking Common Services - Hard? I stuck with getting a valid Administrators’ hash. I have files downloaded from SMB share. Among them, there was a user credentials pair I can access RDP and MSSQL but no admin access with. I can see that Administrator user does exist via Windows explorer however I have no...
ty
once you find the answer and paste the full URL into the answer dialog, replace the actual port number (e.g. 53121) with the word PORT.
http://...academy.htb:54321/the_rest_of_the_url --> http://...academy.htb:PORT/the_rest_of_the_url
I recently saw there is a new C# module, will there be a C programming module someday? I would be happy for that
Done that...but ok. Didn't get me my answer since i dont flood the same messages. I'm only using same start since it is the same module (but the rest of the message is totally different).
so i cannot post any info about the module...
only these kind of reactions, otherwise it is marked as spam
well considering your name is still white, you didnt read em very closely
Step 1: Login to your HTB Account and navigate to https://app.hackthebox.com/profile/settings,
Step 2: Copy your Account Identifier
Step 3: Go to bot-commands and type /identify (ACCOUNT_IDENTIFIER) @frozen mesa
Thanks, thought i completed that part already.
Has anyone solved Windows Privilege Escalation: Citrix Breakout? I am trying to use the command Import-Module .\PowerUp.ps1
But it gives error
Try
Set-ExecutionPolicy Bypass -Scope Process
I'm stuck on the Getting Started module, the section is Public Exploits. The question is: Try to identify the services running on the server above, and then try to search to find public exploits to exploit them. Once you do, try to get the content of the '/flag.txt' file. (note: the web server may take a few seconds to start). I've done an nmap scan (nmap -T5 -Pn -p- (ip)) but I'm stuck there
It is obviously about a web server.
You have found ports with your scan.
What happens when you call up the website with the browser?
Thank you
any help here im stuck too lol
I've successfully logged into the MSSQL Management server but I suck at DB stuff and I'm not really sure where to go from here
I used the find feature to look for the 'HTB' string hoping it would lead to the user login info but I was SoL. Any ideas for a DB noob ?
You can query the database with SQL.
Look at the tables and then list the data.
How to do this was discussed in the module.
ok awesome. ill re read the section on that.
I SEE SAID THE BLIND MAN. Now impacket comes in to save the day again i see
You don't need impacket
it's certainly more handy though if you do imo
tbh I hate to admit it but GUIs confuse me too much lol. too many options 🤣
but it looks like impacket-mssqlclient is having an issue connecting
:0000
oh snap ok let me touch back up on searching for strings using SQL queries
so I tried using SQLCMD mode and the command to list the most recent entries as the hint suggests but no luck. I'm on the right path tho?
I am in the live engagement on the shells and payloads module. I am in the foothold machine provided and there doesn't seem to be a browser on it? anyone else encounter this?
BOOO YES thank you for the guidance my dude
I finished that section a few days ago. What's going on my dude, any way I can help?
It should have a browser, probably just need to look a little harder
Parrot layout can be weird if you don't use it often
you can usually run 'firefox' from the terminal
that too
I'm really enjoying Kali Purple over Parrot but that might just be because I'm used to the Kali theme and layout lul
hey guys, I'm doing the Netmon machine right now and port 80 doesn't show on the nmap scan, nor can I access the page through the browser. Anyone know why?
Hey guys, I'm currently doing the "Using CrackMapExec" module and I'm completely stuck after the second question of the skill assessment. I know it's oddly specific but if anyone has any hints I'll gladly take them
Hi!
I'm still stuck on Password Attacks Lab - Hard
||I can't manage to brute force johanna's password. I grabbed the passwd list from resources and mutated it with the custom rules. I tried brute forcing rdp, winrm and smb. With hydra, crowbar and cme. Still nothing. I don't know what to do||
dm
Hi did you manage to get admin password ? I am stuck in the same place
edit : i am connected
Hello, it's me again. I am still stuck on question 8 of Active Directory part 2. I have done everything I can think of and even in my troubleshooting was able to find the answer to question 9. But I'm still unable to find a way to get the answer to question 8. ||I have tried to do the same things that got me the answer to question 1 from my elevated privileges on SQL01 but I only get the same user from question 1 when I use Inveigh and no users with Responder.exe. Any help would be appreciated.||
it says I am unable to connect. I just put the IP in the URL, right?
anyone who has finished Password attack module | PtT in Linux section?
Finally found the flag!! this module took me way longer than it should have, especially knowing the steps to it now. WOW!
Doesn't that section give you ip:port?
anyone who can give me a hint with the last question of Linux PtT
I guess I found the ccache file for Linux01 but can't find the flag
also I'm not sure if I'm using the ticket for the right user
hi, can someone help me with the last section of the Getting Started module? I am logged in as admin to the website but it's not letting me upload files
is this not a file upload vulnerability, unlike Nibbles which is the one I solved previously?
I am unsure because when I click on "upload files" it does nothing. Should I look for a way to upload a file or look for another vulnerability?
never mind, I think I figured out it's not FTP
If you want to DM me I can provide an assist.
hi, I found out it's not FTP but can I DM someone to ask about the final section of the Getting Started module? I get that it's a PHP vulnerability. I just need a hint in the right direction.
yes
I find that the vulnerability has to do with editing PHP in themes. Can someone help me in the right direction? What should I plug into google?
Visit http://ip:port
Has anyone else tried the new section Docker in Linux Privilege Escalation? There appears to be an issue with the way they explain to go about escalating your privileges. There doesn't appear to be a way to do it because the requisite permissions necessary to even run the commands aren't granted to the HTB-Student user.
says unable to connect
And are you using the given IP?
Refresh the target and try again
Look closely at the permissions, I finished it today. You can dm me if you get stuck
sorry, just saw this. At time of my issues, no, but at time of resolve, yes.
The explanation was a bit funny. I reviewed GTFOBins which has a thing on Docker.
Morning to all. I have found the options 'Enable disabled form fields' . 'Remove input fields length limit' and 'Remove JS from validation' in Burp. But I dont understand why somebody will want to do that. Why disable JS validation for example?
I suppose to bypass client side validation?
But is it possible to remove the input field length limit without Burp? With HTML code?
Well if you inspect the page you should be able to.
ex;
<input type="text" name="username" maxlength="20">
can change to
<input type="text" name="username">
or
<input type="text" name="username" maxlength="100">
Is this done through Developer mode in a webbrowser?
yea
anybody? >< i'm running desperate
If I've done all the easy modules in the CPTS path, should I be able to do an easy box (Active)?
Try it
After all, nothing can happen.
Either you make it, or you don't.
Hi all. I am currently stuck in the last section of Footprinting Module. I am unable to find the community string to be used along with snmpwalk. Can someone who has solved this, can provide a hint
tried using the tool they recommend for enumerating SNMP?
In fact I actually found the community string and used it with snmp. I meant to ask how to interpret the snmp results and the way forward
It gives you something you can use to access another service found when doing an NMAP scan. Although that service might be using a secure version of it, so you'll need to use a tool like openssl to access it.
Let me try that
I just got the flag in Attacking Common Services - Easy.
The flag implies that there are multiple ways, anyone who could share the other option?
Hello cyber security experts, can anyone guide me through linux privilege escalation docker. I'm not good with dockers, I would love a good explanation.
Not an expert, but you'll find almost everything you need on hack tricks
Just google "Linux pic esc hack tricks"
*priv esc
Thanks,mate. will have a look.
whereas it should just display post request to download.php
Hey guys, I am on the module "Command Injections" and section "Bypassing Other Blacklisted Characters" .
The assignment in this section is asking me to find the user in the /home folder. I have already solved this challenge but I am still confused as to why I am getting 2 different outputs by using slightly different payloads.
If I use this payload
- ip=127.0.0.1%0a${IFS}{ls,${PATH:0:5}} --- I get the generic folders like bin, usr, lib
but if I use below payload:-
- ip=127.0.0.1%0a${IFS}ls%09${PATH:0:1}home -- i get the username(which is the correct answer).
I have attached screenshots for both outputs as well.
In example one you use the first 5 characters of the path variable as argument for ls, this could be /usr/ and then you’d see what’s in that folder. In example two you use the first char of path and add home afterwards. That’d be / followed by home
Anyone I could message about Windows Privilege Escalation Skills Assessment - Part I. I've been banging my head against the wall for way too long. I understand how it's working and I feel like I'm doing the exact right thing but it's not working. -> So I'm doing something wrong
I was looking for good materials to learn tcpdump and Wireshark until someone recommended htb 😌. just concluded the intro to network traffic analysis module using tcpdump and Wireshark and it literally gives you everything you need to know about those tools
W module 🔥
ah I got it now. I was assuming that will always give me /home but thats not the case. Thank you!
I am working on Windows Privilege Escalation: Pillaging. I cannot figure out the last question: Restore the directory containing the files needed to obtain the password hashes for local users. Submit the Administrator hash as the answer. I have restored the SYSTEM and SAM files from restic and moved all the different copies I could find to my attack box and then ran them through samdump2 but I have only got empty hashes aad3b435b51404eeaad3b435b51404ee. What am I missing?
try secretsdump from impacket instead, samdump2 seems to not work sometimes
Hi!! I'm doing the Windows PrivEsc module and I need to use secretsdump but I have this error. Can someone help me?
ABUSING HTTP MISCONFIGURATIONS:
Use WCVS to identify an HTTP header vulnerable to web cache poisoning in the provided web application. WCVS didn't find any vulnerable header!! any help pls?i used the same wordlist with burp intruder but no luck!
ok i will try that thanks
which section is this?
Server Operators
the problem is with secretsdump
command looks good to me
yes
you sure you are using the right creds and IP
yes
maybe try reinstalling the impacket tool kit
hey so i'm doing this module
I'm stuck on this question
when I run this command I get nothing
any tips for this module? I know they have a password.list for this lab, however I wanted to use the resources in Kali to crack this lab
I have not done this module, but what do you mean by resources in Kali
oh, so you want to use your own passwordlist?
You're free to use your own lists, but there's no guarantee you will get the answer.
yea, something that comes installed with Kali or Parrot. Only because it will have more of a real-world feel, you know
like rat said, you can try if you want to, rockyou.txt is one wordlist that people use in ctfs there are also other wordlists in seclists
hey, did you install the impacket toolkit before? 'cause it's not supposed to be in your home directory, and if you are using Kali or Parrot it comes pre-installed, of course the newly installed one should also work tho
In the interest of learning as the author intended, you may want to use the in-module list / resources. I didn't realize the resources were there in the Network Services section, used my own list, and ended up landing the Administrator password (and access to all the flags) before everything else. Kinda cool but killed the flow of the lab questions.
the thing is that secretsdump is the only one that is not working correctly
The reason they give you a pre-made list is to save time I'm sure the passwords and usernames can be found in SecList lists (there's a username section in SecLists) but the point is to seem like you're on a team, and your teammate already narrowed down a handful of things. But also, with pw attacks, you're meant to create a mutated wordlist fairly early on with the pws.list and custom.rules from that
Using resources isn't necessarily a crutch and a company could give you a pregenerated list of passwords they've seen used most commonly
I like that point of view. I downloaded the file.
where can I find the module list resource? and sheesh, sometimes HTB makes things more difficult than intended
secretsdump.py -sam SAM -system SYSTEM LOCAL gives me the same blank LM hash aad3b435b51404eeaad3b435b51404ee
Looks like you used pip or pipx to perform a user install of impacket. Probably best to remove it and use the version built into kali. The binaries built into kali are all prefixed with impacket-, so you run them like impacket-secretsdump. This is also likely to save you from other headaches later since many other tools (like crackmapexec for instance) use impacket scripts to achieve their goals.
Top-right corner of each page in the module.
I don't know if this is correct or not, but if you are only getting the LM hash and not the NT hash that means the password is set empty/default for admin. You sure you restored the latest snapshot?
Thank you!! I got it
@pine dagger may i dm? its about the question i asked here earlier. i read in history you were doing this module i struggle with too
Huh? What question?
here @pine dagger
to my knowledge I have tried it on all of the backups given to me on the system and I get the same results. My user does not have privileges to make new backups of the directory, so I am trying these commands on 2 of the 5 backups already on the system (the only ones I can find that contain SAM and SYSTEM files). Oh, I am using the user 'jeff'
strange, it worked fine for me. Can you share a screenshot of the snapshots available?
Shouldn't be bugged. There's a couple things you need to do. Once you've found the injection point, try some local file inclusion, maybe look for some useful configs, that will identify a secondary injection point.
I read the PHP file this vulnerable request goes to and there is some config disclosed that looks useful... and that's where I got stuck. Like... nothing I try to do with it works and nothing hints me as to what else I should LFI
working on it, I don't have a picture editor
Try looking for a web server config file.
oh thanks. will do
@nar3ndra can you dm me i am having a bot issue with the channel
Hey, i'm trying to enumerate users with kerbrute, and i'd like to save the results in a file with the right flag (-o/--output) but, it doesn't work. The tool creates the file but doesn't write into it. Anyone knows why?
I got the flag for all the other services along with the password etc., however the SMB one is giving me trouble, an issue with the connection
nvm it worked now, weird
it's timing out again, just gotta be persistent I guess
I might be in the wrong channel but I was just wondering about the challenges where they have a download available, like Neonify for instance, where you download a whole bunch of stuff and a docker build. Is that essentially just the stuff that makes up the challenge or is it actually part of it? Cause I just navigate to the instance itself in my browser and do it that way.
The #challenges channel would be the proper place for your question. If I remember correctly, Neonify is a web challenge. When there is a Docker download, it is meant to simulate a white-box web application pentest since they are providing you the source code for the site. The idea is for you to analyze the source code and/or spin up the docker container locally to develop and test your exploit. Once you get the exploit working locally, then you can spin up the remote docker instance and perform the exploit for real (and land the real flag).
can anybody help me in this
I am not able to guess the rule set, I tried 8-9 sets
I'm failing to get the privileged reverse shell in Windows Privilege Escalation Skills Assessment 1. I managed to get the exploit working but my nc listener isn't catching the shell.
Tried that and also tried with my own VM and the one provided on the web site. I can't seem to think there is something wrong with the way I'm using netcat, but there isn't a lot to do wrong there.
What hashing protocol is capable of symmetric and asymmetric cryptography?
i'm back and having issues with a question.
Create a mutated wordlist using the files in the ZIP file under "Resources" in the top right corner of this section. Use this wordlist to brute force the password for the user "sam". Once successful, log in with SSH and submit the contents of the flag.txt file as your answer.
the module says to use this syntax...
hashcat --force password.list -r custom.rule --stdout | sort -u > mut_password.list
when I do so and cat the mut_password.list it's empty. LOL I'm so confused
I'm in module Password Attacks, section Password Mutation
what
a hash is not intended to be reversible
literally all I did was copy and paste and I get nada
there's no such thing as a symmetric or asymmetric hashing protocol
What's the answer for the module
what module/section
hi I'm trying to get a reverse shell on this last section of the getting started module and it isn't working. I found the page where PHP code on a page can be edited and I'm trying to use netcat to get a reverse shell and it just isn't working
Introduction to active directory
can someone help me with this box please?
Try:
hashcat --stdout -r custom.rule password.list | sort -u > mut_passwords.list
haven't done that module so idk
hello this is like the fifth time I've asked for help on this and no one wants to help me. why is everyone ignoring me?
I feel ignored
@quasi wave can you provide more info? Link
cause you ask bad questions
and cause we're all volunteers
ain't nobody owes you their time
@quasi wave you gotta be as detailed as possible
section/module... screenshots... etc. you haven't given us anything to work with here
I'm trying to get the contents of user.txt to find the flag, here are some screenshots
I managed to log in and crack the password for the website, but the point of the challenge is not to log in as admin to the website, that's just the first step
thanks this answers my question
is this nibble ?
no
the previous challenge was nibble
I thought it was gonna be an FTP vulnerability like nibble
but that did not turn out to be the case
does your php payload have the correct IP address?
yes I made sure of that
There might be a problem with that box(?) I just did the same and had to reset the box x3
literally 5 mins ago
before nc picked it up
Your reverse shell and nc ports don't match
ok thanks
let me see something
it worked
thanks @steady hawk
see a lot easier to get help if you provide information on the problem instead of just stating you have a problem 🙂
I'm still getting a blank mut file.
ok thanks
I'm having an odd issue tho, lol why me, umm no idea how to go about fixing this!
drop the piping into sort, do you get any output at all?
Strange. Try running head on the password.list file to see if it has content. Also do what madf0x mentioned.
head password.list
head custom.rule
hashcat --stdout -r custom.rule password.list
and are your custom.rule and password.list files good?
just got home and finished this module. thanks a lot
if there was an error unzipping and one or both of them were empty it'd def cause problems
yea they have content in them. downloaded straight from the website
First Skills Assessment that I just can't finish. I thought that AD would be the one to break me but I've spent over 6 hours on the Windows priv esc one...
imo windows priv esc module was harder than AD
I've felt it was easier but now im failing at basic stuff in this assessment
specifically referring to their assessments yeah
whoa.... me as a person who is in the middle of windows priv esc reading this be like 🤣
Thank you for the information
anyone able to help on Attacking Common Services: SQL? I have the password for mssql but when using -windows-auth or .\\ to log in it fails
Hit me up when you finish it 😅
when I drop the piping I get illegal instruction
there ya go
you're using the wrong hashcat
that bin was built for a different platform
should i try it on my kali machine then ?
force won't work
it's illegal instruction
people need to learn their architecture basics 😦
that or download the appropriate binary for your system
ok
could you explain how you figured it was an illegal binary? or provide me some reading material to review
google 'Illegal Instruction'
ive seen it before as well
You can run the below to find out the file type:
file `which hashcat`
illegal instruction means the actual assembly opcode from the binary wasn't compatible with the CPU
which means the architecture the binary was compiled for was a different one than you're running. (or just a corrupted bad compile or other niche reasons that don't apply here)
the error means the same thing no matter what tool you're using though. That error is coming from your system, not from hashcat
👍
thanks for your help as well!
the mut_password.list has 94,404 possible passwords, I'm gonna be here for a while
hi I got the user flag on this box and now I need to get the root flag. I got to the point where I can LinEnum.sh on the machine and found potential was in but I'm not sure if that will help. I already got the user.txt file flag.
I'm pretty sure the right result is somewhere in LinEnum.sh output but problem is I can't figure out where in output to look.
and no this is not nibbles
this is a different box
and I already submitted user.txt flag
any help to initially starting it? Checked out everything in the section covering the 2 services we find but im SoL lol
Password Attacks Lab - Medium -> Any int? I can't bruteforce with hydra, it's just taking too long with the username.list and password.list, almost 2 hours and nothing
hint*
split the word list, it helped a lot
I split it into 7 myself and let it rip like that
all right will try it thx mate
yeee yeee best of luck
ippsec has a video on this module, I believe this will require a buffer overflow in /dev/shm, you will need a script
I tried LinEnum.sh but I guess that’s the wrong script
linpeas >>>
https://github.com/carlospolop/PEASS-ng
(personally)
Ok I will try linpeas first before resorting to ippsec's video
Or actually what do you recommend I do?
Should I look at ippsec’s video or should I try different script?
I used the antak shell to gain access to a webapp in one of the shell modules. Why can I not change directories? Am I using the wrong command?
There is no buffer overflow required at any point in the getting started module
ok, it sounds like you know what you're talking about, what would you do?
Don’t be 100% reliant on automated enumeration scripts, do some basic checks
nevermind, it is the dir command
can someone help? whenever I do the ssh command "ssh user@ip" it doesn't work and I have to hit ctrl+z to stop it
What files does your user have access to? Can you use sudo? What services/processes are running? Who else is on the box?
ok thanks
sooooo can anyone help out starting with the footprint hard lab loool im stuck
the hint says to use LinEnum or LinPEAS
can someone help? whenever I do the ssh command "ssh user@ip" it doesn't work and I have to hit ctrl+z to stop it
that's not a lot to go off of my dude
Hello
maybe just a bad ssh command ?
Those scripts should pick up what the privesc is, but if they don’t, try some manual checks 🤷♂️
