#modules
Weird
Why ?
Try directly here?
Yes, try again
Is your kali up-to-date?
Yes
¯_(ツ)_/¯
Good luck in resolving it
The Readme has direct links to the downloads it looks like
I agree
But I think you're only like a small handful of people that have complaints on it from Kali
hey I'm stuck in "AD Enumeration & Attacks - Skills Assessment Part I" in Question: "Find cleartext credentials for another domain user. Submit the username as your answer. "
can someone hint a way please ...
i mean the services come from the DLL right which are then loaded by some process like svchost?
walk the dog. XD
DLL stands for Dynamic Link Library
So an executable will call the associated DLL to load the needed services
Or usually start them
ok. BUT the DLL != the services right?
Yeah
I don't complain
Complaint being that you're having issues installing it
hey there anyone available for help with:
https://academy.hackthebox.com/module/216/section/2325
I'm having trouble completing the assessment, due to missing data from the log.
Plz feel free to DM me about this.
../kali/Documents/oracle-instantclient-sqlplus-linuxx64(2).rpm is for architecture amd64 ; the package cannot be built on this system
Read the Readme on how to convert it to a usable package
It literally has instructions under the links
hey - feeling pretty dumb rn as i cant progress past the smbclient section in the first stages - i can show the list of drives but when i use smbclient \\the ip\WorkShares i get the NT status not found error - where am i going wrong?
i actually wrote 4 backslash and then two as separators but discord has deleted some of those?
Hey folks, can I ask a hint on AD Enumeration & Attacks - Skills Assessment Part II - Locate a configuration file containing an MSSQL connection string? I'm trying to move forward from the previous question just with the tools available in the given Parrot instance, but don't see a clear path
Good evening gang, where do I put suggestions for fixes to modules - noticed a pretty annoying problem in the new Malware analysis module that has a very easy fix.
Report it in #858470491676737536
Cheers
how did u retrieve the zip from the 3rd machine ??
cause I can't do it from my VM 4 some reason ...
Can someone teach me how to exploit this possible LFI??
<?php
if (isset($_GET['language'])) {
$lang = $_GET['language'];
} else {
$lang = "en.php";
}
?>
`<SNIP>`
<?php
include('./languages/' . $lang);
echo $p2;
?>
Fcrackzip doesn’t seem to want to recognize dictionaries
is that from a challenge?
~~any admin available for the flag on thick client applications module? found the hard coded string but it is not accepted!? thank you!~~nvm got it..
\\ip\share is right
the hint is useful
both should work
Im currently doing the Documentation & Reporting module, and I've done more than what was outlined in the sample report but I found this in an index.php.bak
4+2 fails - ill go back and try again
include('./languages/' classic path traversal LFI
RIGHT
but i cant seem to get any callback...
no read
I went to the LFI module to brush up but cant find any that include dot sourcing (i think thats what thats called)
i wrote this and then tried...
We can see that if the 'language' parameter is set while a client makes a GET request, $lang is set to the value of the 'language' parameter. If the language parameter is not set, then $lang will be a string, "en.php". Later in the code we see the include() method being called with unsanitized user based input from the 'language' parameter. We can abuse this functionality of the code to read files...
maybe a link to some resource online that references this would help...
I just dont feel comfortable moving on and using the code as evidence for this finding without producing something tangible for the client.
why can't you get lfi to work?
not dot sourcing
I'm not actually seeing output for the different languages, i cant get anything to show.
I already found the XSS vuln in the content parameter.
Maybe i should fuzz for more parameters?
I was working through Attacking Common Services - Attacking DNS and came up with a question. (DNS / Zones are definitely on my list of things to get a deeper understanding of)
Why am I able to use inlanefreight.htb instead of ns.inlanefreight.htb when doing an AXFR? Does the AXFR automatically know the nameserver based on a lookup it does itself?
I realized I can specify ns.inlanefreight.htb if I add it to /etc/hosts, but being able to just use the domain itself is throwing me off. Every example I'm coming across is dig AXFR @<ns> <subdomain>.
Specific example from assessment. I can use:
dig axfr @inlanefreight.htb xxxxx.inlanefreight.htb
instead of
dig axfr @ns.inlanefreight.htb xxxxx.inlanefreight.htb
I'm about to blow your mind. You can use the ip too
It's because .htb isn't a valid tld so subdomains don't redirect
oh, okay, okay, I'm just blind, thanks for reaffirming
Like you can do dig axfr domain @ip
That makes sense, domain and ip being interchangeable
It also cascades, even though ns is a valid subdomain, because it's not a public domain, it doesn't redirect
Even with inlanefreight.htb in your hosts
Gotcha, I think. So when the lookup happens for the tld of .htb it returns "invalid" and basically exits out of the "lifecycle"?
Yep
🙌 some stuff is clicking, going to do a bit more reading, but thank you!!
It says "oh this tld doesn't exist" so it doesn't keep going left
I downloaded parrot on my own VM, and I want my hostname to show my IP like it does in HTB academy. Anyone know how?
use this at the end of your ~/.bashrc file
PS1='\[\e[96m\][\e[92m\D{%D} \[\e[92m\]\t\[\e[96m\]] \[\e[92m\]\u\[\e[96m\]@\[\e[92m\]\h\[\e[96m\]:\[\e[38;5;27;1m\]\w\n \[\e[0;96m\]\$\[\e[96m\]> \[\e[0m\]'
then source ~/.bashrc
where is that file found, do I just nano it?
sudo nano /home/parrot/.bashrc
.bashrc
^
It's a hidden file, need the .
I like how i make one tiny mistake.. its not like i hadnt already given the proper filename XD
it's possible you're using .zshrc if it is empty
Default in parrot is bash
lol
is
Zshrc and bashrc are different so you can't just copy over
should I go with bashrc anyways?
ill try with bashrc
I think it got moved or removed
ok that works, just looks lil bit ugly
Do ls /etc/
Because you overrode what it was initially using
Also it's only gonna show the ip for htb if you're connected to the vpn
d
make your own here https://bash-prompt-generator.org/
I tried
It looks so ass wtf have I done hahah
any way to reset everything to 0? or just reinstall the instance
You overrode the default it was using
XD
Just sudo rm .bashrc
Then reset
nope
if i edit bashrc its empty
so it removed it but now its doomed, ill just reinstall it no prob ahahah
Close and reopen terminal
Can someone help me in [Attacking Enterprise Networks -> Exploitation & Privilege Escalation] module?
@fathom pendant Would you mind helping me understand why I can't achieve LFI in the Documentation and Reporting module? Or is this fully up to me to understand/complete?
I haven't done that module
My guess is you aren't properly trying to go back enough for the file
it could be this BUT, the source code im reading:
<!DOCTYPE html>
<?php
if (isset($_GET['language'])) {
$lang = $_GET['language'];
} else {
$lang = "en.php";
}
?>
<SNIP>
<?php
include('./languages/' . $lang);
echo $p2;
?>
is from index.php.bak found at http://victimhost/files/ where a File Directory Listing was found.
So that's the off part.. it could be that this old code has been replaced by something, or moved to another parameter, i've used ffuf to fuzz the parameters and found ONLY the "content" param and NO "language" param. This might be a rabbit hole... i just wish i could confirm...
?language=file
have you looked at the whole page when you tried? ¯_(ツ)_/¯

i used -fs 5053 when fuzzing with ffuf... THAT should have caught any diff in the size of the body!
For the Skills assessment for service login brute forcing. Any suggestions on how detailed to get when generating the potential password list using cupp? I used baseline information and after removing the ones that don't meet the policy using sed it's still showing almost 24hrs to run the brute force
Don't attack ssh if other services are running
The exercise specifically says to try brute forcing the ssh server though
Does the question specifically state "attack ssh with these rules?"
Or something to that effect
Haven't done that module so genuinely asking
" As you now have the name of an employee from the previous skills assessment question, try to gather basic information about them, and generate a custom password wordlist that meets the password policy. Also use 'usernameGenerator' to generate potential usernames for the employee. Finally, try to brute force the SSH server shown above to get the flag. "
Ahhh ok
Any hints in Intro to Whitebox Pentesting --> Code Review Authentication? I have tried with all functions as answer... Please
I can be more specific but getting to this required getting a name from the previous flag. Assuming we shouldnt post specific details about the contents of the boxes here if we can avoid so as to not spoil it for others?
Hi guys!!! I just started hack the box but anytime I scan an up address I get this error:
-# nmap -T4 -p- -A 10.10.11.236
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-22 13:13 EST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.24 seconds
Pls how can I solve it.
That doesn't look related to academy, read #welcome so you can find where to ask in a more appropriate place
When I am logged in as backdoor for module MSSQL footprinting....is the hostname not QF....ec or do I need to add something else to it? I ran this query in SQL - SELECT HOST_NAME() AS HostName, SUSER_NAME() LoggedInUser - any assistance please
got it. I was just being too thorough even with the base info for cupp
Module : modern web exploitation ,, second order command injection ,, changed the command multiple times and it didn't work out anyone can help ?
Anyone able to give a hint or so for When I am logged in as backdoor for module MSSQL footprinting....is the hostname not QF....ec or do I need to add something else to it? I ran this query in SQL - SELECT HOST_NAME() AS HostName, SUSER_NAME() LoggedInUser - any assistance please
nvm - figured it out
Module: Attacking Common Services
Section: Attacking Tomcat
I've got the RCE on the web app but having trouble navigating the server. what's the syntax for changing dir?
have tried with a +, '', "" nothing seems to work
Depending on what payload you used changing directories might not be possible
youd have to specify full path for all your commands
check out laudanum webshell jsp
I got to work just now
now I Just need to find the flag
Hello I have a question, I have this exercise which does not stop the bug I do not know how to carry out the exercise what should I do?
Hey, exactly how many findings are in the Documentation and Reporting module?
I ended up half assing it and not doing the actual report. I caught DA in five minutes, submitted the flag and moved on
😦 i cant do that.. my pride wont allow it.....
i have to prove it to myself yaknow
I get it
i guess that's why noone wants to help with it XD
I was just having big anxiety about the report stuff so I eventually said fuck it and just finished the module
I spent like two months on the module due to getting into my own head
Oh i have crazy anxiety bout it too, its just that i took a professional communications class in highschool that i did really well in. So i figure i should do the report..
oh im on day 3
right right
for this, anyone got any good tips on how to easy look for the flags when you got RCE? flag wasn't in web root, so I'm a little bit confused on where to start looking
Hello everyone. Would appreciate some help here: I am getting this error "[-] Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)" while using impacket-GetUserSPNs in the "Attacking Enterprise Network" modules. Anyone here who has had the same issue?
your time is off from the DC
sync your time to the DC
The question tells you where to look
Clock skew too great; that's the tell there
Iirc it's a linux host so some linux commands work
does it?
Just can't cd due to the nature of the shell
it just say Find and submit the contents of tomcat_flag.txt
I don't know how to authenticate to connect to the box
Also that's common application module not common services module
ah sorry my bad
Then work backwards start at ls /
And move from there
thats gonna take some time 🙂
And?
It seems like i, for some reason, can't reach the DC with rdate for some reason
Or go ls ../
then use something else
It really seems like you didn't try anything, just couldn't cd and went "well I'm out of ideas"
Sometimes hacking takes time.
I've started to go through them all
Theres a couple clever tricks you can try, but they only work with the knowledge that youre trying to get a flag file
just thought it might be a smarter way
in the Linux privesc skill assessment I got root and every flag but the very first flag. Got so annoyed I grepped the entire filesystem for the flag format
Sorry if I am being intrusive and asking straight forward questions. I have been trying with rdate and ntpdate for almost an hour now. All i get is "ntpdig: no eligible servers" and "rdate: Unable to get a reasonable time estimate". I'm not sure what I am doing wrong here.
Whats the exact commands youre running
I have been attempting a few different one, but these are the last two: "sudo proxychains rdate -t 4 -n <DC IP>" and "sudo proxychains ntpdate <DC IP> "
both use UDP and proxychains doesnt traffic UDP
Either manually update your time or use a better pivoting method like ligolo
So I got to use another method of forwarding the traffic to the DC?
Right, thank you. I will try
Or manually update your time yeah
Hey Could you give me a nudge on this? I got added to local, then i restarted but still denied access to the admin directory
Anyone have a nudge on windows priv esc section Weak Permissions? I was added to local admin. Tried restarting but still can't get access to admin directory
Have you tried to check if you are assigned to the group?
You mean restarted the instance from the section portal or hit a restart inside the machine itself?
machine
Did you disconnect or log out when you restarted the machine?
Do a sign out and sign in. That should refresh the access tokens for your newly added administrator.
Restarting should have done the same, not sure why that didn't work
It closes the rdp session. Yup. Just rdp again without restarting.
i think you have to sign out not just close the rdp session
Correct ^
Yup
Yes
Then you just connect it back up, and the group policy should be updated
but don't restart the instance.
... try running command line as administrator
^
this is another case of skill issue
@dreamy solar cause you're going an additional level too deep the file path is //DC01/julio/julio.txt/
🤣 dont be upset im another noob
He probably saw that and deleted it asap lol
i mean if you see yourself in administrators group…
why you tried to do it from command line also
do it from explorer he will ask for admin rights
Eh command line isn't bad per se
yap
And probably comfortability with it
Anybody worked on bumblebee on sherlocks?
Sir
I directed you to the right place earlier @rustic sage
This is for academy modules not sherlocks
once you go cmd there is no going back
Hes just ribbing you tbh he literally just did it to the guy before you. He's not actually talking shit
And his time will and has come before
For being called out on skill issue
Because at this point it's a meme

We all have dumb moments
And once figured out we can have a collective laugh about it because it was likely something simple
come on haha the best part is to laugh at ourselves, you dont wanna know the things i miss and fail at 🤣
Me when I was told I was being big dumb on an ad enum question
So i know if i have a question on ad enum i have to ask Marcie since i won't get clapped
I'll still call you a bozo
aaarg, my heart is bleeding, i am a bozo anyway tho
Cause I am terrible at AD
That do be how blood flows
I am losing my mind at this impacket-GetUserSPNs error. I still get the "[-] Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)" Even though the timezone on both machines are the same
I also get this message if that is to any help: [-] CCache file is not found. Skipping...
doesnt matter if the timezones are the same, that actual time needs to be the same
As I said earlier, you need to sync your time to the DC. Either by manually setting the time, or by using a better pivot method so you can use one of the tools to sync
Ntpdate and rdate legit fail for some, haven't figured out why, faketime has never failed anyone afaik though
theyre failing for them atm cause they were trying to proxychains it
Then I wouldn’t be able to hack
https://academy.hackthebox.com/module/113/section/1097 I can't get the shell from this app , I found CVE but can't exploit it ?
I mean historically Ive seen YOU be that bully, not bullying other bullies.
You've calmed down mostly since then though.
Yaoi is my friend though?????
Wtf revisionist history is this lmao
Youre also posting some manifesto rant type stuff in #modules right now
@fathom pendant I forgot to say thank you.
guys idk if its only me but im really struggling to understand the xxe exploitation part advanced file disclosure section
i dont feel like its a good explication
or im just dumb
sure
can someone let me know if this is correct for the IPMI module...I have the hash in a txt file and am running it like this: ||hashcat -m 7300 ipmi.txt -a 3 ?1?1?1?1?1?1?1?1 -1 ?d?u||, but I know you are supposed to leave off the ?1?1?1?1?1?1?1?1 - is that the only part to leave off? So then do I run it as this: ||hashcat -m 7300 ipmi.txt -a 3 -1 ?d?u||
if someone can either let me know here or DM that would be awesome - ty
Wrong
That specific mask is relevant to a specific scenario
You need to use the password list
The ?1?1?1?1?1?1?1?1 is a mask for a specified length of string for a default password
The section explains that if you're dealing with that scenario- do that
@fathom pendant ok - let me figure out the correct hashcat syntax command - thanks for the info
You're close you really don't need too many additional arguments just hash and wordlist (and mode)
@fathom pendant got it - used THE wordlist - thanks again
Attacking Common Services Easy Lab: I have the SQL username and password, but the SELECT INTO OUTFILE isn't working
the easy lab is actually the hardest lab in the module
Really?!
That sucks! lol
into outfile does work but it takes a little conceptual mind bending
any hints, I've tried something that worked for somebody else, but is not working for me.
Make sure you're putting the slashes the right way
Guys need some external references about blind xml if anyone knows anything that can help me plzz send it to me
i was digging but still struggling
Okay I got a shell, but I can't do anything with it. Not sure how specific I can be here without revealing spoilers
I guess I should say I was able to get a webshell uploaded, but no shell
Getting this error in the web interface:
Warning: shell_exec(): Cannot execute a blank command in C:\xampp\htdocs\backdoor2.php on line 1
did you uhh supply a command
your shell is bad
$_GET['whoami'] would be querying the parameter named whoami, not executing whoami
The one from the module didn't work either
what error did you get with that one
I forget
and did you supply a command to the c parameter
Module was pretty light on this, so no
I just tried CMD from another example in one of the links I found
well try that one again and supplying a command to the c param
Is there a man page or whitepaper I can read on this before I waste my time trying random commands?
its a web shell that executes commands you supply to it
its not any more complex than that
how do I even find that path in the first place? I found that from somewhere on the HTB forums
C:\xampp\htdocs\backdoor2.php
I dont remember its been far too long since I did that lab
finding that path was def one of the hardest parts of that lab though
If it's not covered in the module I have no clue
Is there a good walkthrough for this somewhere so I can go step by step and fill in the gaps?
isn't that the default webroot for xampp though
yes but knowing to use the default xampp webroot is the issue
true
its covered in the you need to synthesize information youve learned to discover it.
Its why its a skill ASSESSMENT
my only gripe is that the order of the labs is wrong
What do I need to do in order to make this work?
None of the commands are working
you find out that it's an xampp hosted site on a windows system
i forget exactly how but there's breadcrumbs
backdoor.php?CMD=command
what commands are you supplying to the shell
So if I'm trying to put my research plan together for this: I'm looking at XAMPP, then looking at PHP webshells, and then identifying ways to write commands for those two services into a webshell?!
okay and what output did you get
thats the same thing we already covered
I've been trying a lot
you dont embed it in the $_GET, you supply it to the parameter you specify in $_GET
if your parameter is $_GET['cmd'] your request should be backdoor.php?cmd=whoami
I thought I already tried that, let me try again
make sure youre using the correct webshell and changing cmd to whatever youve supplied for that webshell
cause it can be literally whatever you name it
Ive had it be 0 for space reasons before
Tried that, no go
what's the full url you used?
wasn't it backdoor15 here?
I've redone it and renamed it over a dozen times
I'm now using noun names to keep track
That's how ridiculous this is
I understand your confusion though
use the file name of whatever backdoor you've created, it shouldn't return a 404 if you have created it
Use that filename where?
the file name you created using this command
or however you're creating the backdoor
I don't have a reverse shell or anything, it's the one-liner from the module
I know
the webroot is without the system directory names
Hes saying you can use one of the several webshells you've already uploaded
Link to stack overflow, probably won't help, lol
why are you googling that
I plugged it into the address bar
What do you want me to try?
you already know you need to supply the target host first...
thats not even fundamentals knowledge, thats can you use a web browser knowledge
what's the url you're using now? have you changed it since the previous returns a 404?
it'll just be http://10.129.27.215/backdoorgo.php?cmd=whoami
Youve clearly accessed your webshells before to even see their errors
just do the same thing again
You shouldnt be regressing this hard
okay now did you supply a command to CMD
??
what is the EXACT url you used to access this
and what's the command you used to create that?
did you try CMD
Thank you guys for the help, but I think I might need to restart
if CMD doesnt work. then something about your command to generate the webshell broke
just try it with capital letters as madf0x said
okay now super important
do you understand now why your earlier attempts werent working
does the different elements make sense now
No
I will be honest
I was waiting for someone to tell me to RTFM so I could find out where the FM was
Then I would have read up and tried later
Theres no manual for this because this is basic webshell 101 stuff
So what was I doing wrong? Capitalization?
yes
the parameter has to be exactly what you defined it to be
you can make the parameter nearly anything but its gotta be the same in your request
this article might help understand it better
Thank you for linking supplemental content.
So what do I do now? This is not an interactive shell
Just text
you deal with your limitations 🙂
So should I try FTP?
either try to leverage a rev shell payload, or issue commands until you get what you need
Now that I've got through all of this it seems like a bummer that it's a dead end.
its not a dead end
youre system
youve won
you just gotta collect your prize now
a shell doesnt have to be interactive to be useful
nt authority\system is basically the root user for windows
go get the flag
Yeah, I know that, I just don't see how I can use html text to root a system?!
like this ^
Thanks for all of the help
a shell is just text, doesn't matter if it's interactive or not
You're leveraging system commands my guy
only thing I could add is you need to loosen up your concept of what a shell is
hit me up when you get a 3d rendered shell
VR Hacking
So how do I interact with the shell?
you already are, you can issue any command you want
doesn't work, I want a refund
You're funny
Yeah now the backdoor is not working at all.
Had to reset the machine, it's back
No flag.txt
lol
It's still just html
its always html
🤦♂️
the html is just the output of your commands
literally no different than getting text back from any other shell
gotta go look for the flag.txt
idr if the lab tells you where it is or not. You may have to look around on the machine
Not in hidden text, I don't know where else to look.
the html you see is just the command output
I don't know how to explain that conceptually any simpler
I'm trying to use the module's content, but it seems more like a CTF now
have you used ANY shell before
Yes
rev, bind, metasploit, etc
only difference is you cant cd to different directories
and you see the output with your browser instead of a terminal
theres no hidden text, theres nothing fancy about it being html
its JUST regular text from the command
So is there a way to upgrade the shell?
You can but its really not necessary
What would you recommend I do?
use regular normal system commands to look around for the flag
checking the administrators desktop is typically a good spot if not the c:\ root
nothing but whoami and dir works
everything else just hangs
I'm assuming I just put commands after CMD=
?
Tried to cd C: a bunch of ways
you can't cd, said it right here
use full path
so what is the full path? without me knowing I can't "type flag.txt"
Is there a brute force tool for this
find it
?
you should know the default Windows directory structure man
is extranet considered as a wan?
Just use dir commands to find it
You can dir a full file path much like ls
Yeah, I figured it out, time-consuming, but I got the flag.
It alluded to a second method?!
There are two ways to get the flag!?!?!?!
That's what I was trying to do
¯_(ツ)_/¯
I just added myself as admin and RDPd in lol
Then again there was not much guidance
because it's a skills assessment...
Skill assessments generally don't have guidance my guy
net add....??
you're on the right track
are you guys working?
So you're already admin so it would be an admin to make another admin
I'm working? What is it that you do for work?
Thank you for the guidance!
Not working for me for some reason
what's your command?
for the second command
you need to create the user before you can add them, have you done that?
sorry had to paste them in reverse
are you sure your syntax to add a user is correct
Because it's still an alternative way to get the answer
Could also just be automod yeeting it
Try encasing it in code block
how in code block?
||http://<IP>backdoorgo.php?CMD=net user testuser 123456789 /add http://<IP>/backdoorgo.php?CMD=net localgroup administrators testuser /add ||
Like this?
http://<IP>backdoorgo.php?CMD=net user testuser 123456789 /add
http://<IP>/backdoorgo.php?CMD=net localgroup administrators testuser /add
Anyway, so what is wrong with these commands
?
looks good, what makes you think its wrong
it can't be reset
and did you try to ssh/rdp in with those creds?
you do the double brackets outside the code blocking btw
||like this||
anything inside the backticks is considered code to be printed
gotta love markdown
hey guys, I need a bit of help with bloodhound using pivoting ( I keep getting error message ...)
and the if I do ||.\SharpHound.exe -c All --zipfilename|| in the target machine I can't pass it back to my VM ...
If you have access via RDP just use the /drive: option, otherwise transfer the file to the external facing machine the one you use to tunnel the traffic
hhmm don't know this one /drive:
it's super useful, I use it by default just in case
read the man page
The /drive option allows you to redirect a directory as a named share. For example, suppose you have a Windows machine and you want to transfer files to it from a Linux machine. You can use the command:
xfreerdp /v:WINDOWS_IP /u:USERNAME /p:PASSWORD /drive:NAMED_SHARE_NAME,"LINUX_DIR"
Then, on your Windows machine, you navigate to C:\Share and use the command net use to see the path of the mapped drive.
Once you know it, any files within "LINUX_DIR" will be available to you in NAMED_SHARE_NAME
So you can use copy on them
thanks I just read it
Anyone know of a way to compile source for ipmitool AND its dependencies into one debian file or something? so that I can upload it the parrot foothold in one go?
tried to use ssh -L 4444:remote_host:623 htb-student@IP to forward local traffic at port 4444 to the remote IP at 623
but I cant do the same things with ipmitool(on Ubuntu-VM) as msfconsole(on Parrot). There seems to be python-ipmi, which is also unavailable on the parrotboxes.
my command in windows target :
powershell -ep bypass
. .\SharpHound.ps1
.\SharpHound.exe -c All --zipfilename got2work
but it doesn't get load 2 bloodhound ...
any advice please ??
hello everyone, I've been stuck on the AD Enumeration & Attacks - Skills Assessment Part II for a few days and was wondering if someone went through it recently? 🙂
are you using the right sharphound version
just ask your question
I'm stuck at "Submit the contents of the flag.txt file on the Administrator Desktop on the MS01 host. " and can't seem to be able to enumerate the users that I have access to enough so that I can get to Admin. I've tried Kerberoasting, creating a shadow copy of C, responder, all to no avail 🤔 I'm thinking I'm supposed to be able to force admin to change his password but can't find the powershell command to do so
you can find the ForceChangePassword commands here https://academy.hackthebox.com/module/143/section/1486 also remember to enumerate the rights of all the other users you have access to
thanks a lot, I'll do that! 🙂
i dont understand why these commands produce different results.
- ss -l -4 | grep -v "127.0.0" | grep "LISTEN" | wc -l
- ss -l -4 | grep -v "127.0.0" | wc -l
because ss -l tells it to only list listening sockets
but it still gives a different result when using it with grep
download the latest debug.zip from here:
https://github.com/BloodHoundAD/SharpHound/releases/tag/v2.0.1
when you run sharphound it will tell you what version of bloodhound it's compatible with
5.0.0
and what version is your bloodhound
use sharphound 2.0.0
Im on the GET section of the Web requests module. When doing the task at the end where you enter a city name, I dont have a line appear in my browser dev tools network section with the search.php?search= when i enter a city name. Any ideas why?
I use the release right b4 2.0.0 and it works
or you could update bloodhound ._.
it says in the github releases which goes with which
Hi, I am new in the Cyber Security and Pentesting field. I don't have much prior knowledge to practice. So I am going to complete these following modules to learn basics.
But the module seems boring to me. There is so much theory and absorbing all without practical application is tough for me. I can't remember all the lessons from the module.
- Introduction to Computer Networking (Completed)
- Windows Fundamentals (On going)
- Linux Fundamentals
- Web Requests
- Introduction to Web Applications
Is there anything I can do for make my learning more interesting and effective? Please suggest me some tips or some additional resources if needed? Please, help me and guide me.
Hi everyone ! Where can I ask questions about machines ?
Yo ! Looking for a hint for Command Injection>Advanced Command Obfuscation.
Question:Find the output of the following command using one of the techniques you learned in this section: find /usr/share/ | grep root | grep mysql | tail -n 1
I've already tried to encode this command to base64, i was trying to use reverse
Some commands worked but none of them showed the result.
EDIT:
Found a partial solution for that ! Not sure if this is the correct approach but it worked 😄
take notes, no one is gonna remember all of them, the skills assessment at the end of each module is a chance for practical application, those modules can be boring yes, but they also help your fundamentals to use each OS effectively
hello! i am currently in the pivoting and tunneling section and i need to transfer some binaries from linux to windows. Any tip? i tried smb i tried python
is the windows host behind the pivot host
like are you trying to go attack -> pivot host -> windows box
attack linux -> pivot windows -> target windows
and i need to transfer from attack linux to pivot windows
the module explains this better than I can but the windows host doesn't know how to reach you yet so you need to upload your binary to the jump host and then from jump host to Windows
and then when you trigger the binary on Windows with the remote port forward implemented the Windows box will know how to connect back to you
but the module does a good job of explaining it
Hi guys, need a bit of help regards: Skills Assessment - Using Web Proxies. managed to decode the cookie. For the next question, i have tried to encode the payload > for some reason not getting the 88 character for the payload.
hello, so after some consulting, i will subscribe to HTB Academy
i feel its the best resource for me
i was going to thm but someone told me its more in depth here, so i would like to know how you guys take notes, and how you guys schedule your studying time and practice
On my side, I just opened a new Word document and created chapters with headings and sub-headings, making brief notes. Some people prefer to just take the commands and enter them into cherrytree, for example, or obsidian. I personally prefer to have context. Everyone has their own method for taking notes. As far as practice time is concerned, the ideal is to do it several times a week. If you take too big a break, you'll quickly lose your habits and it will take you a long time to get back into it. Do as much as you can 😉
Hello everyone.
Hope you're good!
Question for the AD Enumeration & Attacks - Skills Assessment Part II on Question 4 :
"Use a common method to obtain weak credentials for another user. Provide the username of the user whose credentials you obtained."
Context: I got the user ABXXX via Responder.
I cracked his password using hashcat. I'm currently logged into the MS01 machine.
Problem: It doesn't seem possible to get a list of users on the domain. I have tried "import-module Activedirectory" and "import-module .\PowerView.ps1" (I have tried many things to make them work... None succeed)
Questions: I guess it will be password spraying via the password we already got for the account ABXXX. But without a list of users this will not be possible.
So:
1- Why isn't it possible to import these modules and do a "Get-ADUsers -Filter *" (it's an example)?
2- Are these modules only available on a domain controller? (PowerView + ActiveDirectory)
3- How to enumerate all the users of the domain without these modules?
4- The user ABXXX could log on to the server SQL01 to access the DB, I am not good enough on MSSQL to enumerate users easily. Was it the good way to enumerate?
Thanks in advance for your time, enjoy your day ! 🙂
You cannot use any Powerview functions because of the Kerberos Double Hop problem if you recall
Youre using creds over more than a single hop, TGT isnt cached so its not sent with each request or interaction with the DC.
enumerate users using the methods taught in the modules, A LOT of those were given, try them
Hint for way forward : try common passwords
Not sure about that. I'm on ssh on the parrot os they give. Then I used evil winrm to log on the MS01. So it's a simple hop
I'll read them back!
lol, everytime you use Winrm its not a single hop
Not sure if thats exactly the reason, but I have tried it with a couple boxes and PowerView over WinRM would only work when you pass the credentials as a PS credential Object
all the best, I had a lot of fun on that one, I hope you do too!
Ok thanks for the tips, I'll try to cache the credentials in that way and to test PowerView again!
are you saying that logging in using winrm with domain credentials is not a single hop?
hey guys got NTLM, but when I run the hashcat it i only do 13% and doesn't show it
any idea y is that?
Im not sure, correct me if I am wrong, it would be a learning opportunity 😅 but whenever I use Domain credentials with Winrm I usually get the DCOM, findall blah blah Exception error which was the same from the Double Hop problem, unless I pass it as a credential Object
Well, I tried to cache credentials in PS and executed powerview again. Seems not working. problem isn't there
Weird it did for me
did you pass it with -Credential $creds?
Yes, same issue with -credential
I don't think that's right, when you connect using winrm, it's a single hop, it's when to trying to authenticate to another machine inside that winrm session, then it's a double hop
wdym only do 13%
you can get domain users in a lot of ways other than powerview btw
Okay okay, thank you very much.
Could you perhaps explain why you would get the same error as you would in a Double Hop problem scenario in this case since we consider this to be a single hop.
I've not seen those error before in winrm, are you using evil-winrm?
hey all, i need help with module: password attacks section : password mutation i have already find the password for user sam with suggestion in this channel to remove 17k lines of the mutated password list and running the attack against ftp instead of ssh but still for some reason i m not able to login with the found password ||B@tm@n2022|| to any of the service even ftp ......plz help i am stuck here from 3 days
Just did the pivot skills assessment again, amazing how easy it is with ligolo
I did that about 4 months ago, and I had the error, also when I did Authority on HTB I had the same error
it gives a message of "Approaching final keyspace - workload adjusted. "
or maybe I am remembering wrong lol 💀 I will redo it again.
I have a personal note on it tho and I just checked and saw the error in my walkthrough, but thank you tho
I used evil-winrm for authority and didn't have problems, hmm might want to reinstall yours
the wordlist ran out, use a bigger one
alrighty, thank you!
they tell you which use you should login as, if you can't, then the password is probably wrong
no way
stuck at the first section for environment enumeration, is this the correct channel to ask?
The password you've entered in the message is wrong.
okay
Perform the attack again or recheck your terminal output.
I mean, if hashcat went though rockyou and didn't crack it, then the password is not in rockyou
the policy is very weak I don't believe it went on all of it in a few seconds and didn't find
ntlm is md5, it will only take a few seconds to go through rockyou with a reasonable gpu
yes you are right i just copied the incomplete password from the terminal output thanks for pointing out. 
use a rule or something
I need a bit help
I'm stuck on "AD Enumeration & Attacks - Skills Assessment Part I" 4 3 days now
if someone can help me please
which question?
Now release the surprise 😁 we all want to confirm what the 15/15 was for
Bigger spiders 🕷️🔜
CBBH vs whatever will come would feel like this
Find cleartext credentials for another domain user. Submit the username as your answer.
I didn't find clear text password, but did see a folder of t*
and using mimikatz found its NTLM, but can't crack it ....
as well I tried to get bloodhound but it just didn't work (DKW) ....
so I'm in "Submit this user's cleartext password." after guessing the user through the Q it self ...
When will the path be published?
Very 🔜
yeah understable, made the same as you
after CDSA I'm going to learn Python, PHP, C#, Java and Node.JS for the new path 😇
SIEM Visualization Example 4: Users Added Or Removed From A Local Group (Within A Specific Timeframe) - Followed instructions to a T, got a date but is not valid, could anyone please give me a hint?
try to do it remotely via secretdump
tried it as well
I tried it yesterday and it worked, come DM
hello i make the skill assessment of WEB attack i have already the user who is admin and the token but im stuck on part for changing the password anyone can give me hint thanks
What resources you are going to follow ?
I learned Python during the pandemic with Udemy courses. Just watch the video and follow along. Then build something yourself...
That actually worked quite well. I'm certainly not a programmer, but the scripts here at HTB have never overwhelmed me. I think I'll do the same with all the other languages.
Hey people, I've got a question about the broken authentification module, if anyone could help me, i'd be very grateful! I posted it in the #1024429874246590575 under "Broken Authentification --> Tmp Password Token". (I hope I am allowed to ask here "again").
Hi, can anyone help with Hashcat - Cracking Common Hashes?
If you say what exactly the problem is, I'm sure you'll get help here
I tried cracking with type md5, md4 and NTLM and tried all available rules listed here https://hashcat.net/wiki/doku.php?id=rule_based_attack but none worked. I read somewhere above that the hashid output may not be correct for the first lines of the results...
You are on the right track with ||NTLM||
Okay but is there really no better way than random guessing rules?
Okay I solved it now and no, there is no better way than trying all rules. But thx for the hint, the hashid output is confusing
i have tried like this HEAD /api.php/reset.php/user/||52||
I have tried SQL Injection on an Instagram account it doesn't work for some reason can someone say why it didn't work? #community-content
@tough fjord
I'm trying to crack the password.
did u solve it?
mimikatz is the way
So excited to tackle these
Enumeration & Attacks - Skills Assessment Part II Q7 having a bit of a dilemma here. I have rce on the sql server SQL01 and got a reverse shell using netcat. But I'm struggling with the privilege escalation. User has ||SeImpersonatePrivilege|| privilege and I know that there are some paths I could take from there, in particular ||printspooler|| which is what ||getsystem in meterpreter|| relays to. I just discarded them as an option as none of those exploits were given on the attack box and I don't think using ||metasploit|| is meant to be the path to follow. On the other hand I couldn't get Print Nightmare to work. I don't really see a path to follow other than what I mentioned, am I missing something else?
AD one? I used ||metasploit and meterpreter|| with the creds from the previous question. Try looking for a ||meterpreter for the service you compromised||.
Hey that's right ||metasploit > meterpreter > getsystem, some specific module or transferring a meterpreter reverse shell to the user temp directory as I did|| do the thing but I was wondering if anybody could achieve privesc without using ||metasploit||
||spoofer and the potato family|| lol
Hello, i m stuck on the question 2 on the skills assessment of using crackmapexec, i don't find any access to the SQL01 server. Any hint ?
hello guys im doing the web attack module error based xxe and im losing my mind with it i want to understand the concept behind this i cannot do things without understanding them i hope some one of you guys can help me
so my question is why we need to host the payload in our host then call it externally
why including the whole payload in the request is not going to work
plzz guys im losing it i feel so dumb and stupid
and i didnt find any external resources that may help me
i compiled printspoofer myself and transferred it to the sql01 computer
then used it to send me back a reverse as nt authority/system
sql server is not available check what you can do with the kerberoasted account on the other servers
I found credentials in smb shares but i can't do anything with these creds
hum, sounds like the way, I kind of wanted to stick just to the attack host and the exploits available there, not sure if that was the purpose of the scenario, doubting it now
there is no other way apart from abusing seimpersonate there
metasploit uses it when you issue getsystem
talking of AD Enumeration & Attacks - Skills Assessment Part I? PM me
correct, that made me ask
yeah, I just thought that since that privesc was not mention in the module maybe it wasn't the lesson to learn there
my bad, overcomplicating things
it’s mentioned
privileged access section
uh oh, let me zip my mouth for a while 🤐
Anyone can help this stupid person
Any help about the second "Submit this user's cleartext password." of t... user ? AD Enumeration & Attacks - Skills Assessment Part I
hello i make the skill assessment of WEB attack i have already the user who is admin and the token but im stuck on part for changing the password anyone can give me hint thanks
I have tried like this :
HEAD /reset.php/api.php/user/||52||
Brother can i ask you in sms
try a different request method
i think this is wrong
you need to host DTD file on your machine and call it with the request, here you are using DTD payload in the request
ok
Im trying to figure out what is the difference what will change
Wht will make one work and the other fail
what do you mean other? you cant mix those two things and expect it to work
the answer is pretty simple dtd's must be hosted separately and cant be inline
and unless you have arbitrary upload its simpler to host it yourself
nevermind, rebooted the machine and the method worked
My man can i ask you just to understand something
My question was like we don’t use a dtd file we just write that payload in the request
I just told you why
you cant inline it
the designers of xml and dtd didnt allow it
Its like writing a buggy program and asking why cant the bug just not exist. Because thats not how the language was designed.
Why isnt ipmitool available on our parrot boxes???
Its like saying why isnt every pentesting tool on parrot (github repos). If it isnt on parrot, you will need to install it
well... i cant exactly just "install" it, and it has dependencies
I would LOVE to know how to take an apt package AND its dependencies and install them on another host machine.....
i just dont recall it being outlined in the curriculum
i WAS able to get ipmitool configured and made on the parrot host... just not its dependencies, maybe I just GO find them and zip em all up????
thats like saying that you just need to use apt-get install
which you DONT
what a crap answer XD
Well install the dependencies
It's not really a crap answer, and sometimes you'll need to install or update packages to fix dependencies
¯_(ツ)_/¯
so thats AN answer. His reply stated i "needed to install it".
saying that i need the dependencies too is probably going to fix my issue
If ya dont have it, then you need to “install” it
That's how installing things works
In a windows environment the install.exe contains checks and calls to dependency fixes
weird hill to die on ¯_(ツ)_/¯
We didn't know previously you were having dependency issues
hamburber hill
You just blank stated about not being able to install it
hmm
Or having issues with jt
?
ive asked questions multiple ways before
And this is the comment that he was replying to
As your other question about the tool was 12 hours ago it's not anyone's job to research your chat history for a more full context
lol
Oh @autumn pilot is there plans to update pwnbox to the 6.5 iteration once it's fully out and stable? It currently takes some effort to get from 5.x to 6.5 so idk how that works on backend
Any Spanish speakers here?
English only. Read #rules
English please
Yeah all you have to do is install it. Whats the issue?
Oh not in apt-> look tool up -> find installation instructions -> follow them
I in a module where it asks me to examine all the ports and services of a specific host, then capture a flag that I suppose its content should be sent: I open 2 terminals, one is dedicated to examine the ports with nmap using the commands -p- -sV -sS , And the other I capture the traffic with tcpdump -n host -v -A(shows the content in Hexadecimal), all the ports filtered and no relevant flag, I am 2 days stuck, help
did this and there are missing dependencies
do i just do that same exact thing for the dependencies?
mimikatz
thank you, already did it after i reboot the machine
Happy Thanksgiving everyone
DTD can be declared inline in your XML document
I have no idea what exercise you are working on, but, have you tried UDP?
i understand now its not the thing but now it makes sense after 2 days of me being so stupid thank you btw so much
hello! I would need help, I cannot access any http://[IP] from the module ignition even when doing what i am supposed to
nvm found it
guys another question is about the xxe section in web attack module its when i will call the %error it will expand to content SYSTEM '%nonExistingEntity;/%file;' but how it will read %file is it something about how parameter entity treat what is inside the entity normally it will need to throw invalid uri no
@thorn urchin I apologize for atting you.
Can I DM you a zip with my attack_path.md for Documentation & Reporting so that you can have context into what I am attempting to do?
Ignition is a box, not an academy module
why we couldnt just use
cuz it will throw invalid URI
but here will not treat that as a file but as a parameter wtf
i'm about to explode
@fathom pendant was doing this part for 2 days and i feel so dumb 😂
i was doing external research but i have no luck with it i fixed the first confusion but i have another confusion after the first one
That's because you are, but that's beside the point. Just take it step by step from the lesson
ah my bad sorry! 
Hi everyone! Can someone who has worked on "Analyzing Evil With Sysmon & Event Logs" module help me? So, on Detection Example 1, I'm having difficulties trying to hijack Windows Calculator using reflective DLL. I placed both files to a writable directory (under Desktop), but I did not get the "hellow from DllMain!" message. Instead, the Calculator started running. Am I supposed to use a tool to gain access to any of the file's config script to execute it?
oh, i tried to restart my virtual machine/workstation but it said i can only do once per day .... can someone help me? I wished to continue the exercises still today
Are you talking about the PwnBox?
i am talking about the workstation
anyways, i think i screwed up, Just in the tutorial, goddamn ~~
Hmm, can you fill in on which tutorial/exercise you're working on?
it was at the very first one, perhaps "Introduction to the academy" / "Interactive Section with Target" are the names you are searching for?
i turned off my workspace and then tried to turn it on to get it slate-clean
the pwnbox
Ah, "My WorkStation" is also referred to the PwnBox. You would need to have a subscription to have unlimited spawns.
Do you have an active subscription? or just doing it from saved cubes
Neither, created my account just now
"Free users are allowed one Pwnbox spawn per day. Each Pwnbox spawn allows for two hours of usage. Get unlimited Pwnbox access by either subscribing for any plan or buying any amount of cubes in Academy's billing page, https://academy.hackthebox.com/billing"
is the day reseted in some arbitrary world thing or is it more of an "after 24h of what you did has passed"
Safe to assume 24 hours after you've used PwnBox for 2H
tyvm for being so helpful, I think that's it for today.
hello... do people here discuss about internet routes or something similar? Like if your computer is being routed somewhere it shouldn't be?
i read the welcome but i didn't get exactly where i should post this
https://discord.com/channels/473760315293696010/1024429874246590575 This might be a good place to post about it.
hey
i can not buy Platinum plan in htb academy
how can i contact support?
via green bubble in academy
no answer after 12hour :((
hey, yes @dusky rivet helped me with that (thnx)
now I'm on trying to get to the DC01 ...
you got this brother
I'm still trying to find a common password for the first question from 3 days, can you give me some hints? I have to try normal pass or some wordlist from seclists?
🤯
can anyone help me with password cracking with hashcat im stuck in this question Crack the following hash: 7106812752615cdfe427e01b98cd4083
what module?
password cracking with hashcat
CRACKING PASSWORDS WITH HASHCAT
sorry haven't gone there yet ...
okay
which module
Using Crackmapexec Skill Assessment
try rockyou with a rule
Sorry no idea about this module
@next bronze i have tried it
But not getting any results
use a different rule then
try an attack instead of password spraying
which section?
Hello. I’m trying to use a VM for Ethical Hacking Course using Parallels. I have a Macbook air M1 and just want to use a secure VM. Does this require to select “isolate system”? Saying this because its easy to paste and copy through VMs, but worried about the security
not the right place for this, read #welcome and #rules after that use /verify at #bot-commands and take this to #1024429874246590575
im a bit confused on the priv esc linux module the section is special permissions "Find a file with the setuid bit set that was not shown in the section command output (full path to the binary). " ive ran the command tried all of the ones with different bits but i cant get the right answer any clues?
search for files with setuid set, it's in the results
has anyone finished the "ATTACKING COMMON SERVICES: Attacking DNS" part? I really have no idea what I am doing wrong here...
so not really related to an academy module but when watching some tryhackme koth videos i noticed they are able to ssh into a box without a password using a private rsa key they found somewhere on the box. did i understand right or did i miss something? is it possible to ssh into a box without a password using a private ssh key?
Yes if you have the key file you can pass that with ssh and it will give you access
thats neat. thanks!
shh -i file name@ip
i think it is the command for that if i am not wrong
yeah its
ssh -i key_file user@ip
That is used for mostly for Priv escalation scenarios
Without knowing what you have tried, we cannot tell you what might be wrong
New pathway dropping when ?
Sure. 🙂
I edited the /etc/hosts and added the target IP given by HTB and the Domain of the module.
Then I discovered two subdomains. But zone transfer does not work. I might have done sth wrong so far, but can not find what...
Hi, I'm asking for help please... I entered SSH with Tom but then I'm blocked... Give me a tip please 😊
You do not actually need to edit /etc/hosts. The target server is the NameServer
So it should work withdig axfr <DOMAIN> @<nameserver> right?
Only if the nameserver (@NameServerIP) allows a zonetransfer
otherwise you have to force him to give you the information you want
Any black friday deals for academy htb?
No, only for Swag
footprinting module - SNMP trying to obtain the custom script and I'm a little lost when I ran ||snmpwalk|| I didn't see a script, but I also don't really know what it is I'm looking for ||braa|| doesn't work either... just says the syntax is invalid
any hints or nudges would be appreciated
Hi @here can some please dm me kira ssh password.
I am on Password Attacks -> Protected Files and did not save the creds which were previously used. For this lab I require the creds for kira 😦
No worries figure out
Thanks, wouldn't have thought to do that
you do not have to, but the output can be bit overwhelming
anyways if you look thoroughly at it, you will see the script running
module :modern web exploitation techniques LAB:xss via websocket i have tried multiple payloads various types but it did't work any one can help ?
Hey!
in the module "Shells&Payloads" it asks me for the PowerShell version. However when i Print the PowerShell Version i get the version 7.2.1. The answer is incorrect. What am i doing wrong?
Question:
In Pwnbox issue the $PSversiontable variable using PowerShell. Submit the edition of PowerShell that is running as the answer.
Read the question carefully!
Oh wow.. I guess its time for some sleep 😄
Module: SECURITY MONITORING & SIEM FUNDAMENTALS
Section: Introduction To The Elastic Stack
You are asked to open Discover in Elastic and make some parameterizations to find results, but it keeps loading forever and does not load anything, not even with other parameterizations. Has anyone done this module and know what could be happening?
hello, having a hard time at the skills assessment - website in the login brute forcing section. i got the first flag, and i got what i need from burp for the admin login, but haven't had enough time on the target to test different word lists and password lists together. wanted to try rockyou, and a few others, but i would need it to run over night. anything i can try?
this shouldn't take too long and rockyou is unnecessary, make sure your requests are sent correctly, in hydra or whatever
so default credentials are the way to go? thank you, i'll give them a try.
I don't remember what's the password but you don't need a crazy wordlist
that helps. going to try some more of the shorter ones.
Hi! In the windows privilege escalation skills assessment - part 1 I can’t get Juicypotato to work. Any help?
I tried PrintNightmare but was the same, it didn’t work
hi all. i am stuck on windows event logs module, could use some help
regarding this question:
Analyze the event with ID 4624, that took place on 8/3/2022 at 10:23:25. Conduct a similar investigation as outlined in this section and provide the name of the executable responsible for the modification of the auditing settings as your answer. Answer format: T_W_____.exe
I have browsed the events log and found an entry regarding the date, however, i cannot find the answer. I have re-read the module several times and I just cannot understand where to find this executable.
edit: I used windows event code 4907 and a similar time range to find the EXE. i think there is missing info as it was not clear at all what i am looking for. key is to look at the event codes, specifically the one in the example
i need a nudge on the documentation and reporting module practice question. anyone around to help
if you think juicy potato should work, try a different clsid
How can I force him?
There's a tool referenced in the module, start there
It worked man, thank you so much
guys please how can i get the keys for the ctfs in ctf.htb platform ??
regarding the OS fundamentals course Mac OS module, so if I don't have a mac, I won't be able to complete the interactive tasks and "return" the cubes for the course, correct?
I've done that module and have never owned a mac
So theres is no material to download that needs to run on Mac or what did you do ?
look at the questions, you can find the answers on google or it's the same as a linux system
Sounds like better don't take that module , thanks
please help me with a hint on what I need to focus on in ABUSING HTTP MISCONFIGURATIONS Skills Assessment - Hard. I looked at all the parameters, I understand which parameter is the key one, but I don’t understand what I need to do with the authorization form. The password reset and new user registration buttons do not work. I tried to sort through the host header, did a transfer, but I can’t catch anything.
Hey @delete_me , How's it going? I'm also stuck on the Hard Assessment, but I'm a few steps ahead. Look at the response headers; there's some version leakage that points to the initial vector
wrote in DM
Hi, Use the cracked password of the user Kira, log in to the host, and read the Notes.zip file containing the flag. Then, submit the flag as the answer.
I need a hint please, I use mutate passwordlist, iT's OK?
john --wordlist=mut_password.list notes.hash
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:00 DONE (2023-11-24 23:49) 0g/s 2200p/s 2200c/s 2200C/s L0veme..L0veme99!
Session completed
Is it the same mutation like kira's password?
What section and module? I believe PW attacks
I just did the NMAP Medium section, when i ran my nmap commando from my local kali it didn't show the correct value, but from the pwnbox it did. anybody an idea why?
I've had similar issues with my own Kali and pwnbox. Some modules i know i have the right command and i don't get the right result. Then i switch over to pwn and it works/ *shrugs
yeah only had the idea because i was looking through old discord messages for a hint 😄
would be really interesting why this is happening
HTB's way to promote it's users to switch over. lol
Hi for the easy lab of the Attacking Common services , would the command in the following screenshot be helpful in executing a webshell?
...oh goddamn it lmao. thanks for that!
after that you should have access to more channels
you already have a scuffed webshell, it will take whatever is in the cmd parameter and execute it, for example, http://whatever/backdoor.php?cmd=whoami
So is the backdoor.php on the remote machine? Whenever I tried to enter 'http://IP_ADDRESS/backdoor.php' it says
have you created it?
Hi, Are you still stuck?
Hey @acoustic owl , did you encounter a resolution to this issue? I'm encountering a similar discrepancy and am unsure if it's because the machine is down:
Oh I haven't yet. Would I just open up a text editor, copy and paste the code for a backdoor.php and save it as 'backdoor.php'?
the backdoor is crafted using an sql injection
sup guys
I am new to this server
and looking for new friends at the htb community!
Hi , how long have you been learning hacking?
Not sure sure where to start. Can I DM'ed you what I have attempted
I am new to the community
and right now
I started a week ago
pretty new to htb
What got you interested in htb?
my friend got me into it
he showed me it and I started learning new stuff
What have you learned so far?
his name is @rustic sage
I am mostly in htb labs but overall
I know nmap
learning sql map
nmap is a great tool . Great for footprinting
gobuster
and in htb labs
I am in starting point
it teaching me how to hack basic stuff
Gobuster is a good tool for finding directories of a website for sure
Hello Wanda 
Hi 'lock.sec'
hey
How is your friday night
You are in high school and getting in to hacking? Thats cool. I wished I would have done that when I was in high school.
Did anyone get you into hacking in high school or did you learn on your own
Pentesting path will really challenge your hacking knowledge and increase it too
I am 16 right now, my old friend got me out skid community aka "Toxic Place" and i am sharing the tips and tricks for other skids help them escape.
but sadly he got banned
My story being a skid.
I was going after dos and ip pulling kids on xbox, i was like dang this is awesome. and i got harassment from real hackers, this one real hacker killed my own network, thanks to karma, and I started talking too hackers help me out escape skid community.
that's how i got inside HTB
and I asked my good friend name KeyMermaid join this server, get friends and learn, cuz i know somebody inside HTB community more better then me
yea
What SKID community you are talking about? The one who catches pedophiles ...from my general understanding
no, script kiddies, copy + v code, saying they made it but they did not
@rustic sage call in gc
Oh yes . They copy and paste code and they often don't understand the code they are using
Can I dm'ed you about my issue. I am on the pentester path and I haven't gotten to the SQL injection module yet and as a result don't know how to execute those attacks
I have a question. The question is are you a skid if you copy and paste code but understanding and learning from it?
I think so. Some hackers told me you can be a skilled hacker and copy code that you didn't make but you still understand how it works and how to execute it
There really isnt a binary do X and youre a skid do Y and youre not
Skid mentality is easy to spot though
well the screenshot you gave is sql injection, but if you're doing attacking common services easy, then you don't need that, use what you have learnt in the module to enumerate the services and get the flag
wtf is skid
he means script kiddie
skid easy way saying it
is script kiddie too long to type out
noobs doesnt quite hit the particular flavor that skid hits
what word that hits?
dm me if you need to


