#modules
The previous flag has you be elite to figure it out; this one is web
@fathom pendant Do you keep notes per module or per chapter? If that makes sense not sure if those are the correct terms.
i find it but i thought it was the previous flag that was intercepted on port 39337 but i just realized that it's two different ports i'm so stupid sorry for the inconvenience
?
When I give help I keep it mostly vague
Get the end user to make the connections themselves
Do you take notes on the section as a whole or each module within the section? For example, Active Directory Enumeration Attacks is what I am referring to as the section vs. the skills assessment as the module.
they asked for how you keep notes
Just wondering how you're so organized
Ah
Yeah I keep notes on modules and sections
Listen I'm eating pizza
My brain is at 1%
Try to klist it
This is what I see
```
~# export KRB5CCNAME=/var/lib/sss/db/ccache_INLANEFREIGHT.HTB
Ticket cache: FILE:/var/lib/sss/db/ccache_INLANEFREIGHT.HTB
Default principal: LINUX01$@INLANEFREIGHT.HTB
Valid starting Expires Service principal
01/05/24 23:50:02 01/06/24 09:50:02 krbtgt/INLANEFREIGHT.HTB@INLANEFREIGHT.HTB
renew until 01/06/24 23:50:02
01/05/24 23:50:02 01/06/24 09:50:02 ldap/dc01.inlanefreight.htb@
renew until 01/06/24 23:50:02
01/05/24 23:50:02 01/06/24 09:50:02 ldap/dc01.inlanefreight.htb@INLANEFREIGHT.HTB
renew until 01/06/24 23:50:02
```
That ccache looks weird to me idk
the question asked for flag in \\DC01\linux01, it could work? can't remember
try smbclient to dc
It should work
yeah i try:
```
session setup failed: NT_STATUS_CONNECTION_RESET
```
Output of klist makes it look like it should work tbh
Well
Don't you just dump the creds?
```
tree connect failed: NT_STATUS_BAD_NETWORK_NAME
```
Hmm
You have krbtgt
Shouldn't you just get LINUX01$ ticket?
At least that's what the question asks for
I don't remember this module ngl
My notes on this are sparse
The hint says "there is a file containing the credentials of Linux machines in active Directory"
yes
It's also the file pointed to with linikatz
What's the worst thing that you can do if you find a xss vulnerability
You've asked this like 20 times today, short answer: data exfiltration. This channel isn't a casual chatter channel, read #welcome
https://academy.hackthebox.com/module/143/section/1275
I am trying to answer the following question from this module section:
"What other user in the domain has CanPSRemote rights to a host?"
I launched 'bloodhound' and tried pasting the cypher query into the Raw query box and it returned no results.
||MATCH p1=shortestPath((u1:User)-[r1:MemberOf*1..]->(g1:Group)) MATCH p2=(u1)-[:CanPSRemote*1..]->(c:Computer) RETURN p2||
You need to load data for it to pull
I need to create a Bloodhound zip file with Sharphound.exe and then upload that zipfile to the Bloodhound program right ?
Or just drag and drop
that too
Can I DM anyone for help with Hydra
you can just ask here
hydra -C /usr/share/seclists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt whats-my-password-web.chal.irisc.tf http-post-form "/api/login:username=^USER^&password=^PASS^:F=Invalid username"
Everything works but I am getting every attempt as Successful.
This means the F=Invalid username" is not working. What do I put in there to make it work
probably because the response doesn't contain that string
U can test the link urself it contains that string
send it through burp and see for yourself
Here u go sir @next bronze
proxychains hydra, set proxychains.conf to the hydra port
http 127.0.0.1 <port>
I never done that before. I can't even find the file
proxychains4.conf probably
That's not there either
Use locate
At least my parallels kali does have it
Locate proxychains4.conf
It's in /etc/ for me
Okay I found it thank u
So now I add the hydra traffic to the burpsuite port which is 8080 correct?
it's whatever you have configured in burp
Okay but could you help me with the exact line to add into this config file assuming that the burp port is 8080?
I sent it, scroll up
comment that line out
also I'm quite sure it's because the user and pass is posted as json data but hydra's is in url
So actually some of the responses have nothing at all? Possibly there is a timeout duration on the login form?
And then some of the responses have a "missing username" string even though there is a username in the request as shown below:
read what I sent, I already explained why
If it's an active ctf, we all can't do it
U are correct. Thanks for the help

#include <stdio.h>
they're for different things, hydra will be way faster
But with Burp Intruder on Professional mode it goes fast no?
faster like 2k req/s over http? no
Okay but am I right that some responses are blank due to a timeout duration on the web site?
I'm not the one bruting it, couldn't tell ya
I only generate two users and I tried submitting either. I also tried searching for that 'CanPSRemote' option
Do u know what the heck is
[ERROR] Out of memory for HTTP headers (H).
I give up I'm gonna use burpsuite overnight
Nvm I can't even do that cause burpsuite freezes when I load rockyou into the payload
what are you trying to do here? rockyou is only good for hash cracking, way too long for bruting password
So what list do u recommend
there are smaller rockyou in kali or darkweb top 1xxx
use the cypher query given in the section
I did
Nevermind , I redid it and got a different result
I don't know why the flag.txt is not in that directory:
" Leverage SQLAdmin rights to authenticate to the ACADEMY-EA-DB01 host (172.16.5.150). Submit the contents of the flag at C:\Users\damundsen\Desktop\flag.txt. "
" ||Get-SQLQuery -Verbose -Instance "172.16.5.150,1433" -username "inlanefreight\damundsen" -password "SQL1234!" -query 'Select @@version||'"
read carefully: it's asking you to read the flag on the DB01 desktop; NOT the desktop of the machine you're on
I guess I would have to pivot from the windows machine into that address , just like in the last module
it's a lot simpler than you think even :)
refer back to attacking common services/footprinting and mssql to find the right command for reading a file
Hi everyone, can you help me with the last question in Attacking SMB, ATTACKING COMMON SERVICES? I cant ssh, it keeps showing this error:
- ssh permission denied (publickey)
I tried using root, generate rsa keys, but no luck.
you can't generate your own RSA key to connect to it
since you're on Attacking SMB, perhaps you should do that; look at SMB and see what you can do to find an exposed id_rsa key
thanks a lot, I managed to get the flag
For AD Enumeration & Attacks - Skills Assessment Part II
Could someone tell me whether or not you use SMB to connect to MS01 and retrieve the flag? Think I am approaching it the wrong way if not.
Never mind got it! Was able to RDP which wasn't working initially
I had the wrong IP :3
if you have enough privs and can access the SMB services, you can access the whole file system
Didn't have enough privs but somehow used SMBclient to identify the IP associated with MS01. Was trying an nmap ping sweep but the hostnames weren't being returned.
Used the IPs from nmap with SMB to get it.
for windows nmap -sV can usually grab the netbios name which is the hostname
or use netexec, probably the best tool for pentesting windows and AD
Anybody have a second to talk about Sau?
Thanks, I was trying -sn only so it makes sense it wasn't working
This channel isn't for #boxes
Oof, thanks!
module "Introduction to Active Directory Enumeration & Attacks " in DCSync section can you plz upload secretdump.exe
cuz i couldn't find the correct compiled version for windows
Just ssh to the linux host, or use pivot techniques to use secretsdump.py to use it from your own system
I tried the command ||mssqlclient.py INLANEFREIGHT/DAMUNDSEN@10.129.136.18 -windows-auth
(and I tried it with the 172.16.5.150 address as well) and|| none of the solutions worked. I looked at my past notes for footprinting and attacking common services, and that was the command I found for mssql services.
hyy can anyone help me on SERVER-SIDE ATTACKS
Nginx Reverse Proxy & AJP
Is my conf right
```
worker_processes auto;
pid /run/nginx.pid;
error_log /var/log/nginx/error.log;
include /etc/nginx/modules-enabled/*.conf;
events {
    worker_connections 768;
    # multi_accept on;
}
http {
    ##
    # Basic Settings
    ##
    sendfile on;
    tcp_nopush on;
    types_hash_max_size 2048;
    # server_tokens off;
    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    ##
    # SSL Settings
    ##
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;
    ##
    # Logging Settings
    ##
    access_log /var/log/nginx/access.log;
    ##
    # Gzip Settings
    ##
    gzip on;
    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
    ##
    # Virtual Host Configs
    ##
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
    # Comment out the existing server block
    # upstream tomcats {
    #     server <TARGET_SERVER>:8009;
    #     keepalive 10;
    # }
    # server {
    #     listen 80;
    #     location / {
    #         ajp_keep_conn on;
    #         ajp_pass tomcats;
    #     }
    # }
    # Append the new server block inside the http block
    upstream tomcats {
        server 83.136.251.235:59388;
        keepalive 10;
    }
    server {
        listen 80;
        location / {
            ajp_keep_conn on;
            ajp_pass tomcats;
        }
    }
}
```
that's not the host with the SQL DB
Without a pivot, you're not gonna be able to access the db from the pwnbox
So use the windows target machine?
the DB would be on the Windows target machine I mean
The dB would be on a host the windows machine has access to
depends on how you want to do it, I would personally set up a pivot because I dislike having to open local shells
Anyone able to give me a nudge on this one please?
INTRODUCTION TO DIGITAL FORENSICS - Practical Digital Forensics Scenario
Q1 - Extract and scrutinize the memory content of the suspicious PowerShell process which corresponds to PID 6744. Determine which tool from the PowerSploit repository (accessible at https://github.com/PowerShellMafia/PowerSploit) has been utilized within the process, and enter its name as your answer.
I have identified the process and the process command line arguments, I have decoded the argument and believe I have an answer however it does not seem to be correct.
You are looking for the tool.
Have a look at the link provided to see which tool offers this repo
Is it a tool or a module from Powersploit?
According to the description, it is a tool
||There is also a module in the Academy about this tool ;-)||
Thanks, I got the answer, the hint was a little too OP 
May I DM you to discuss please?
Sure
On the "Living Off the Land" section for AD I used the command
dsquery * -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.804:=2)) " -attr description distinguishedName
and was able to find the disabled user accounts, but I can't filter further for administrative privileges.
What command would I use for that?
I tried this:
dsquery * -filter "(&(objectCategory=person)(objectClass=user)(memberof=CN=IT Admins,DC=INLANEFREIGHT,DC=LOCAL)(userAccountControl:1.2.840.113556.1.4.804:=2)) " -attr description distinguishedName
but that gave me no output
The original command gives me the answer I need for the module, I'm just trying to see if I can further filter it.
Module: Login Brute Forcing - Skills Assessment
Question: Once you access the login page, you are tasked to brute force your way into this page as well. What is the flag hidden inside?
Do I need to mutate the username for the second part to get the right password? I have tried using the password lists that take less time to brute force than the time that the Docker Machine is alive
Hi!
Who has information about where the "path" called "Junior Penetration Tester" has disappeared?
I remember there was such a path and it included 29 modules.
I even wrote them out for myself for training.
But now I see completely different paths of learning. Is that how it was intended?
There wasn't such a junior path, you are maybe mistaking it for the Penetration Tester path
Yes, it is possible, but it definitely was and included a decent list of modules.
is it good idea to add downloads and desktop to the $PATH variable?
That's just the CPTS path no? Modules look like they are the same
Module: Login Brute Forcing - Skills Assessment
Question: Once you access the login page, you are tasked to brute force your way into this page as well. What is the flag hidden inside?
If I remember correctly, today's CPTS path used to be called Junior Penetration Tester
However, it was renamed before the exam was released
Trying the short password lists but theyre not working, the longer ones take more time than the docker instance is alive for
@tranquil axle @acoustic owl Yeah, yeah, that's right, it looks like it.
This is now visible not in the "path", but in the exams.
The modules really match.
Thanks, now something has cleared up!)
Try ||rockyou||
Hi, doing the Windows privilege escalation module, cannot connect to a Windows machine using freerdp. I am running version 2.11.2 on kali. Here the error messages:
Try wrapping the password in single quotes
the list that im using?
I was talking to the person having issues with freerdp
ok
I'm not downloading an rtf file on mobile to check it
the suggested password list for my module is taking 196 hours, that cant be right?
The list I have given you is the correct one. However, you should check the rest of your command again.
fixed it but now its saying 2 passwords are valid?
yes it's painful, I'm stacking on Q3. Did you finish this assessment?
using the command in the cheatsheet results in finding incorrect passwords but hydra says theyre correct, adjusting the command to match the html of the server results in a 200 hour brute forcing attempt
can someone help?
can i ask here about the use cases of 2 windows exploits? its somewhat related with the modules
or maybe i can dm @next bronze ?
Real-time protection
why are my screenshots being deleted? I have a genuine question and am trying to pass these modules
Your screenshot likely contains spoilers
ok
why would automod yeet me
¯\_(ツ)_/¯
i havent broken ToS
Is there someone I can speak to resolve this? Im paying out of pocket to get this cert and this isnt helping
There's a good portion of people paying out of pocket my dude, you're not special
point still stands
¯\_(ツ)_/¯
asking a genuine question
I told you what you have to do. Check your command. Look at what hydra needs for information and look at what you pass on to hydra
Is it mee6 yeeting?
Wrap your commands btw in backticks for better parsing
I don't know, I haven't looked at the logs.
Cause I doubt it's you
might be mee6 thinking that its a repeated message ¯\_(ツ)_/¯
Also kinda weird to have rockyou on your desktop
Usually it's in /usr/share/wordlists/
(And normally zipped)
moved it there becuz lazy ¯\_(ツ)_/¯
It's up to the rest of the command
Hydra expects some information so that it can work properly
cheers
Why move and not just symlink
im not that smart
can anyone help password attack im on mutated password i mutated the password with hashcat and now hydra brute force but it taking ages for ssh
Don't attack ssh
what can i attack then
Run Nmap and see
Can someone help me with Password attack : Network Services , there is a mission : " Find the user for the SMB service and crack their password. Then, when you log in, you will find the flag in a file there. Submit the flag you found as the answer." I connected to smb with credentials I cracked and I got a flag but when I paste it its says its wrong flag
did u do this before
Can someone help me with "Navigate to http://[Target IP]:8000, open the "Search & Reporting" application, and find through SPL searches against all data the port that one of the two C2 callback server IPs used to connect to one of the compromised machines. Enter it as your answer." PS: I got the answer already but I don't think I did it the right way. Module Name: UNDERSTANDING LOG SOURCES & INVESTIGATING WITH SPLUNK
Section: Intrusion Detection With Splunk (Real-world Scenario)
Please dm me and thank you in advance
Sometimes extra spaces happen
What? , no extra spaces same flag as 3 flags before
If it's same flag, then the user is wrong
:) --local-auth iirc or --windows-auth
All users for these questions are different
k king
thought kerberos
can someone plz help attack password mutable
Scan target with Nmap for other ports you can attack
ftp
Told you this earlier
i did i tried it
-t 48 works for most people
also for the mutable password should it be best64 or from the custom rules
like hashcat own rules or the folder rules
The custom rules from the resources
ok danke
i did i tried ftp with it and found nothing..
the user is sam right
hashcat --force password.list -r custom.rule --stdout | sort -u > mut_password.list
good module (brute forcing)
hydra -l sam -P mut_password.list ftp://10.129.202.64 -f
Why -f?
to stop when it finds
o right
-t 48, just have patience
For the Privileged Access section of the AD Enumeration and Attacks module, I am having trouble with the third question: "Leverage SQLAdmin rights to authenticate to the ACADEMY-EA-DB01 host (172.16.5.150). Submit the contents of the flag at C:\Users\damundsen\Desktop\flag.txt." The hint says to do this with mssqlclient.py which is an impacket tool yet the attack machine is a windows box. Can anyone help?
172.16.5.225 is a linux host: you can also use pivoting
yeah I thought about pivoting but it looks out of scope of the module for me
How do you know for 172.16.5.225 ? is it specified somewhere ?
It's not out of scope for the module
In most sections you'll find reference to this host at the top of it
One of the recommended pre-requisite modules is the pivoting module
You can also use a modified version of the example they use for the SQL query with PowerUpSQL to read file (refer back to attacking common services on reading local files)
ok I see thanks man !
:p but pivoting is very much in-scope for the module
Yes. DM me if u need help
I have a problem with live engagement in the shell and payloads module. When I connect via xfreerdp, I need to log in to tomcat manager. However, there is neither google chrome nor firefox on the machine. Which browser should I use? Thanks.
type in the terminal the command firefox
maybe
Man, that actually works. Thanks..
Hello guys, someone who did the HTTP Attacks module and would like to drop a nudge on HTTP Splitting part? Can't get my XSS to work...
Hello everyone I am doing the linux privesc and having issues with log rotten the getting shell with logs if anyone has done it and keen to help please pm
Watch "ippsec - book" on YouTube, he does the logrotten exploit
thank you having look now
i stuck the same point if you find something pls share with me :/
Then I advise you to do the same thing
thanks this write up so helpful for me !
You're welcome
Hello, I connect via openvpn (I try with TCP & UDP with different servers eu us same issue)
reach out to support via the website
Can anyone help with finding the credentials for the admin panel in Nibbles? I ultimately managed to get in by guessing but the Hydra scan I ran showed that the password was 123456 which wasn't the actual password.
your command syntax was probably wrong
any idea why responder is not capturing the hash?
It did find a valid pair of credentials though based on the username I provided (which ended up being the correct one)
It won't let me post screenshots here for some reason but I can show you. I'm aware that FPs exist, just wondering how I was supposed to obtain the password without guessing.
verify using the main platform
use #welcome message
Thanks
smb is on
Here's the screenshot from the Hydra scan. Seems that the syntax is correct
so whats the issue?
Well, the issue is that the "valid credentials" found were incorrect. I managed to eventually access the admin panel by guessing the password, but I'm trying to understand what I could have done differently to find it without just straight up guessing.
Oooo
any help on why i cannot start a rdp session from my vm to the target I could do it with pwnbox
I checked and I can ping the target
got it
Thank you worked sweet figured it out

Hi everyone, I am doing the AD attacks and enumeration module and having trouble with an answer for ACL enumeration section. I need to report the ObjectAceType of the first right of user forend over group GPO Management. I have found this with BloodHound and even went into the Active Directory Users and Computers to confirm, but have had no luck in submitting the answer. I've tried the actual ACL type (Access-X or sysaudit) and the resolved name of the rights. I have yet to get any results about the group from my PowerView query. Am I formatting something incorrectly or am I not looking at the right value?
The names are different on Bloodhound. You'd need to do some external research for the exact name academy expects or sometimes by resolving the name in PowerView.
Ok, that makes sense
Follow the section I guess
Any mods that I could DM? Would like to know about posting a script here and if I'm allowed to share it.
What's the script about?
any help please?
What section are you doing
module: attacking common services
section: attacking common services Lab: Hard
I don't have notes on that one, but why are you sure that is the way to go?
I need to get a user that has admin rights so I looked for people to impersonate found 2 none of them had sysadmin role. So I thought of using the service hash to login
try the tool impacket-smbserver
it was covered in the module iirc
you shouldn't be using the module http-get
I got a hash from that but it was not working
What module would you use instead and why?
It's a simple auto-config script I've made to ease life a bit with some of the modules like advanced xss and csrf. Basically saves you from the trouble of manually changing the port in the URL every time after adding vhost/domain to the /etc/host file. But, it's hosted on my github, so need to make sure I'm not breaking any rules.
Ah ok. I was querying PowerView with the wildcard identity from the module. This is better now. Thanks
Should be fine in #resources-tools or #community-content I guess
http-post-form when the authentication is handled through a POST request
Yeah, but was thinking it'd be more useful for everyone else here. As it's tightly efficient for people that are working on modules.
You can probably just link it there and refer to it if people ask about it
Shouldn't be an issue if it helps people
Thanks I appreciate it
Hello everyone,
Happy new year!
Need a hint on the module : Web Attacks - skills assessment
Context: I already have the list with ||uid, username, fullname, compagny|| via the request : ||/api.php/user/||.
On this way, I also got the token for everybody via : ||/api.php/token/||
I'm currently logged on the htb-student account. I switched to admin user and I'm on his control panel. I tried to reset his password via the request : ||/reset.php||. I tried different things :
||verb tampering on the url /reset.php|| --> ||PUT, GET, OPTIONS, CONNECT, TRACE, DELETE=missing parameters (not working)|| / ||POST = Access denied, in that way I tried to swap the token, the uid etc. Nothing worked|| / ||HEAD = seems working but not anymore||
Question : Do I need to reset the admin password to continue? If yes, do I have to find the "||missing parameter||"?
Thanks in advance for your time!
I tried I get this
I tried only using aaaaa part but it still was an invalid hash
That's a good idea and yup
that's clearly not a valid ntlmv2 hash
yea I guessed so still I tried. Now I am out of options
yo
I have no idea what section is that but try with another user
Osintgram is dead btw
wouldn't matter, against TOS to engage in illicit activities
Theres this school page violating ppl in da school
report it to the authorities or the school, TOS prohibits this sort of thing for good reason
hey everyone i've find the answer but you will have done how to find the answer quickly without being detected, personally I put its: nmap 10.129.219.80 -sV -sT -n --top-ports=1000 --initial-rtt-timeout 100ms --max-rtt-timeout 200ms --disable-arp-ping --reason -T 2 for https://academy.hackthebox.com/module/19/section/117
no one ?
sorry mate I haven't hit that module yet
no worry
Hi, I'm working on AD Enumeration module first lab, ||I have found the credentials for svc_sql but can't connect to it using Enter-PSSession for some reason. I tried with: Enter-PSSession MS01.INLANEFREIGHT.LOCAL -Credential INLANEFREIGHT\svc_sql but don't get a prompt to enter the password ||. Any suggestions?
working on web edition information gathering, trying to obtain how many zones are on the target nameserver, I tried using hackertarger.com/zone-transfer but it says error check your api query and have also tried using dig and nslookup, but cannot find the answer, can someone give me a nudge
if you're doing it through the webshell it's not interactive, you need to create a pscredential object, or just set up a tunnel and use winrm
I did setup a tunnel, but the winrm shell is very slow as well. Wondered if the Enter-PSSession alternative is better
I also tried to create cred object from the webshell but it looked like it doesn't save them and you can't use them
evil-winrm
Yeah
why am I getting this error for PKI module?
[X] KRB-ERROR (16) : KDC_ERR_PADATA_TYPE_NOSUPP
figured it out, for everyone else struggling, there are other options available to you.
give it a while for the targets to startup properly, or reset
Vulnerability Assessment / Nessus Skills Assessment
the Task gives me IP/creds
but also there is a different IP/creds when spawning the target
do they want me to scan both?
use dig axfr
yeah everything throws back couldn't get address, have ||inlanefreight.htb and ns.inlanefreight.htb|| in /etc/hosts aswell
that or dig axfr gives me transfer failed
dig axfr <zone> @ip
login to the target using the creds at the bottom and scan with nessus using the va_admin creds iirc
Can anyone help HTTP ATTACKS with skill assessment?
if a target has an old version of sudo running how would I actually run the exploit? I've already got access to a user on the system
how do you run more exploits in a meterpreter session?
oh i thought i should scan from my machine, ah got it
i mean you can run the exploit locally in the shell
is that as simple as searching again and typing run?
background search
you need to make sure your msf session is still running
because a post-exploit stuff in msfconsole will have you enter a session# for it to work from
what module are you working on?
USING THE METASPLOIT FRAMEWORK <3
i don't recall there being anything to do with old version of sudo
in future include the name of the module and section you're working on in your help request
im trying sudoedit_bypass_priv_esc
that way someone can tell you if you're way off track
i don't recall needing to do any sudo privesc stuff
the last question just says the target has an old version of sudo running and to exploit it for root access
General question, how do I move files between two windows machines to whom I only got shell access? I tried setting up a smb share on one and access it from the other but it evil-winrm who runs the second shell crashes
oh wait yeah, it's been a minute
if you have a meterpreter session you can use their cmds to download the files
download <filename> in the meterpreter console
I have regular rev shells on both
meterpreter isn't the be all end all btw
for info gathering web edition, do you add the ip and domain to /etc/hosts like this?
<ip> <domain>?
I'm getting really lost with these questions, I keep trying to mess around with dig and nslookup and I'm not getting anywhere, didn't know if I did that wrong
there's usually better tools for certain jobs
ah, i see
yeah the general construct of the /etc/hosts is ip domain
if it's a public IP you don't gotta do shit
just specify like a public NS like 1.1.1.1 or 8.8.8.8
so do 1.1.1.1 inlanefreight.htb?
oh
The evil-winrm shell runs through proxychains and it behaves strange. I use techniques we've seen in previous modules between two windows machine and it doesn't work
no
for x.htb stuff, the IP is the spawned IP for the target
the 10.129.x.x
what module?
if you can; try seeing if you can enable rdp
AD enumeration Lab 1, ||trying to upload mimikatz to MS01. I set up a smb share on the web01 machine using: New-SMBShare -Name "Vuln" -Path "C:\path\to\mimi" -FullAccess INLANEFREIGHT\svc_sql and I'm trying to access it from the proxychains evil-winrm shell using net commands but it crashes everytime||
win-rm is kinda a bit dumb
you can just upload directly with evil-winrm
Thanks
There are a few things, like virtual hosting and name servers. Name servers map domain names to IPs; this can be set in your /etc/resolv.conf
Then there's virtual hosting where developers make use of a single IP to host multiple websites. They basically have a vhost domain passed to the host header in the request to know exactly which site a user is requesting the host for. This is set in your /etc/hosts.
What you need is to add the spawned target to /etc/resolv.conf or add it directly to your nslookup command
Can anyone please help me with: Introduction To Nosql Injection Skills Assessment II.
I got the username and I am trying to get the token but I am stuck. I guess the token needs to be somehow associated with the username so I tried a few things but nothing worked.
i've never had to add anything to the resolv.conf for these purposes
yup, we just pass it to the nslookup or dig command directly
At least, that's what I too did for the modules.
i've generally just been able to do the nslookup target ns-ip or dig type target @IP
There's an attack type mentioned in the module but they don't go over it in detail. But it should be the same concept to exploit. You'd need to Google a bit too. If you need further hint it's ||Time||
Exactly
I think I used the method you are referring to to get the username and it does not work on the token
Anybody familiar with how meterpreter's download command exfiltrates data? I've been trying to find the code for the actual command itself but having trouble finding it
If you used the same method to get the username, then it's exactly the same way to get the token. Maybe the approach you're taking towards the method might be wrong.
I used || time based SSJI||. How does the app know for which user I am trying to get the token for? or is it not relevant?
Should take everyone's advice and use ligolo it makes life easier and probably more stable. You can also use remmina to file share.
You just use ||the 'and' logic|| to make sure you're getting token for the user that you want. But, as far as I've experimented, you don't need to specify that logic. My guess is prolly there is only one user.
If there were multiple users, it would be relevant.
Thanks, I'll look into it
having trouble finding the TXT record for info gathering web edition, tried ||dig txt inlanefreight.htb <subdomains> gathered from dig axfr inlanefreight.htb|| and got nothing, am I missing something?
i ask you my query for https://academy.hackthebox.com/module/19/section/119
I put in the following command but gave me no clue. Can you please help me?
sudo nmap 10.129.2.47 --top-ports=1000 -sV -sS -n -Pn --disable-arp-ping --reason -T 2 but i don't see what service are they talking about?
do a full port scan -p-
attempt a zone transfer on the second zone you found
Second zone was ||root.inlanefreight.htb|| which I keep getting transfer failed on axfr
after first zone transfer, enumerate all listed again with zone transfer
like layer 2
Can anyone help HTTP ATTACKS with skill assessment?
No, this is the e-mail address, not a zone
wat
So when I did an axfr on inlanefreight.htb and see ||inlanefreight.htb and root.inlanefreight.htb 2|| on an SOA the second one isn't a zone?
This is the RNAME field and contains the e-mail address of the person responsible
See the link above
show me the command you used
A start of authority record (abbreviated as SOA record) is a type of resource record in the Domain Name System (DNS) containing administrative information about the zone, especially regarding zone transfers. The SOA record format is specified in RFC 1035.
so far most of the modules ive done are so high quality, worth every penny
so to count all of the A records I used ||dig axfr inlanefreight.htb @IPADDR | grep -E "IN A|IN A" | wc -l|| and went down the line of sub domains from the original axfr, and the answer was wrong, did I miss something? I've ran through footprinting again and this module just has me lost
you need to escape the OR operand
\|
unless you are, discord uses markdown
and it interprets \ followed by a character as an escape
\ \\
both ^ are double slashes
I don't necessarily know what you're getting at, but running that netted me answers on certain subdomains, I just didn't get the right amount I guess?
i'm just referring to the command in the spoiler text
||` and `|| will encase a code in spoiler text
||like this||
right
i thought posting commands used that could be considered a spoiler weren't allowed, so I covered it or am I missing something
honestly i did ||grep " A " | grep -v "SOA"|| iirc
or something similar to that effect
before the wc -l you should evaluate the output to see if it's giving unexpected results
if you're doing an or operation in bash/with regex you need the \ to escape it
I always receive the same services on my way out.
do you still have the --top-ports in your command? if so: that's why
no I removed it instead I put -F to scan the first 100 ports
sudo nmap 10.129.2.47 -sV -sT -n -F -p- --disable-arp-ping --reason -T3
...
you know what -p- is for yeah?
(to scan all ports) by adding -F it overrides it
:)
yes for scan all port but yes my bad i removed -p-

you will find the appropriate port with -p-
do NOT combine it with any other port scan flags
-F scans the top 100 ports, -p- all ports available
yes - iirc in docs and common sense; -F overrides other port scan flags
That was such a painful module, web is definitely my WEAK spot... lol
my weakness is Windows, i just hate Windows so much xD
all the A records in both zones
yeah I got the answer, just painful
ah okay i test
thank you though!
critical thinking is your weak spot :^)
it wasn't that complicated

for me it was ¯_(ツ)_/¯
grep -E "\bA\b" shortens your filter, it is looking for A in the text that also has break chars like tab or spaces
strange
you dont have to if you use Egrep or grep -E
it's still more reliable to escape the "or" operation
he could just grep A
If you escape a pipe or any shell character using egrep you wouldnt match the characters you were grepping for really
But I feel you tho
ye
but as they showed
grep -E "\bA\b" is just better
Exploiting Web Vulnerabilities in Thick-Client Applications in Attacking Common Applications has to be my least favorite section out of every single module I've done. Wth is this
can anyone tell me the password for mtuated passwords password hackingm? I did it and got flag then I went offline then next day I c the next section is asking for the credentials///
simply do it again
¯_(ツ)_/¯
that take 20 minute
take it as a lesson to keep note of your credentials as you do the modules
i'm assuming you remember the wordlist you used before
Hi, I'm on the last question of the AD module lab 1: ||I've set up earlier in the machine dynamic port forwarding through meterpreter and I can reach the MS01 with proxychains using ping, but for some reason it doesn't work for the DC, even though they're seemingly on the same network||. Can someone pour some light on this?
I will check ligolo soon because so many of you have recommended it, but I still want to try and troubleshoot this
proxychains doesn't support ICMP (ping)
When trying to run ||secretsdump (which is why I need it)|| it doesn't work as well
doesn't work means what? what's the error
run with -debug
I think I copied the wrong secretsdump.py lol, but it doesn't work now as well, I get a connection refused error
are you targeting the right ip?
Yeah
probe it with cme and see if it shows something
works now, removed and set up the proxy again
I'll look at ligolo before the next lab, it'll be the best option
When I go to connect to the VM, it doesn't allow me to put the password in for Linux Fundamentals section. Can anyone tell me why that happens?
Ohhhh okay like it recognizes im putting it in there but it doesnt show it right?
if, for instance, in your vm you do sudo echo and it prompts you for the password, it will not show up there either
yes, security feature
baked right into ssh
Perfect okay thank you !
also copy/paste is better so you don't misspell
(for pasting into terminal, you need to do ctrl-shift-v)
Right on okay I will do that I appreciate that !
and likewise for copying From terminal, you need to add the shift-key
as ctrl-c is the cancel keyboard shortcut
Yeah i noticed when i did that it would put that line in to cancel lol
I went and did the Google Cybersecurity and just heard about the new cert that HTB introduced so I was excited to get more hands on with things.
from Coursera
but this is way better lol
i extracted LSA secrets and got flag but i was just wondering what app/system uses those credentials for example SMB 10.129.40.121 445 asd hu:asd
like it doesnt say what it used for
hello guys
Question for you guys, couldn't find a clear answer searching through the discord or the forums for this. I finished the "Attacking Common Services - Easy" assessment and the flag indicates there are 2 ways to get to the flag. I'm trying to figure out the 2 way to get to the flag, and I'm completely stuck. Any help would be appreciated.
The method I used was: ||uploading a PHP web shell via MySQL and then executing commands through the browser and eventually finding the flag. ||
From what I've gathered there's a CVE ||regarding the CoreFTP build running but I can't seem to get it to work for me||.
Hey I'm at ACTIVE DIRECTORY ENUMERATION & ATTACKS module and ACL Enumeration section till now most methods I used was manual and didn't try it bloodhound. But I want to know how to up and run bloodhound GUI in attack box. Is it even option is there ?
if it already has bh installed then it's just neo4j start and bloodhound
sudo nmap 10.129.2.47 -sS -sV -Pn -n --disable-arp-ping i've really tried everything even with -p- anyone have a solution for a stealth scan? https://academy.hackthebox.com/module/19/section/119
You're not gonna get the answer solely with nmap
-p- should reveal a port that normal top-x scans wont
i use nc also
Also you should really evaluate your --source-port
and source-port=53
Including with nc?
nc -p 53 ip port
Ids/ips evasion under dns proxying should give you a better clue
Everything you need has been given by the module
thank I'm still digging
I just gave you the section and subsection to look at
thanks
Aside from that it's just waiting a minute after a successful connection to get the banner
Iirc it's like 220 flag
220 is a status code
Hi I am in the attacking common services module hard lab section
I have enum 1 ftp user, 1 rdp user. After looking into the ftp server found 3 names for the mssql database.
found the creds for a user of mssql database. the user could impersonate the other 2. Found 3 databases. after impersonation could access 1 database TestAppDB. got a table from that database . It contained 2 creds 1 for a user and the other for an admin. I tried using both for all the services on the target none of them accepted. I am stuck please help
Read what the question wants and apply critical thinking, iirc it's reading a file yeah?
if you have sql_admin privs you can read any file on the associated DB's filesystem
yes i find it thank
I checked who else I could impersonate there was none I checked the privileges
SELECT IS_SRVROLEMEMBER('sysadmin')
The answer is coming 0
why port 50000 i dont understand :/
I have checked for all 3 users the answer comes 0. I tried to double impersonate but I could not
why do you use this port to analyze ports, knowing that when I run my analysis with -p- I only get port 22 and 80?
there is a user that you can impersonate
hint: it's the user from previous question
I tried to read it using xp_command but that was disabled
if you can impersonate someone that is an admin: then you can enable it
read the SQL section again :)
there are 2 users I can impersonate john and simon. none of them have it
I am reading it again and again but out of the 3 users none of them are sysadmins
Maybe one of them is sysadmin on another db
^
look at information.txt
:P
the users in the table are not working
enumerate via that path
the reason for that port is that if you do use -p- you Should see that port open
that single port scan is generally an example
if you continue to try and DM me without asking: I will block you and refuse to help you further
I'm more than willing to help you in the discord unless it's gonna heavily spoil something
you also need to learn how to adapt given code scenarios to fit your needs
i.e. > if the example has you scan a specific port; it surely should work for all ports
I do not know how to connect to the remote server via mssql so I rdp using the creds for fiona then used a mssql client. I tried to use the creds discovered in the mssql table for julio and patric none worked
I am using sql authentication for this
soothe your heart I didn't understand that it was forbidden to dm I won't bother you anymore Sorry, I just wanted to understand that's all. thank you for your explanation
it's in the #rules my dude
read the SQL section again;
it has ways for you to use a current connection to interact with a remote server
I could not change my user while connecting to the remote server, but I could change admin settings cuz john had privs. I used that to run cmd commands and get the flag. but if I am missing something can you please tell me how to login as another user while connecting to the remote server. I have the flag too if you want proof I can send it as a spoiler
And I have started on the new module so thanks for the help marcie
nope you did exactly as you were intended
the previous question leaned into it
so the other databases were dummy?
yep
I feel cheated of 2 hours
What is the inode number of the "shadow.bak" file in the "/var/backups" directory?
How come it says 1362 on mine. when the correct answer is 265293. ???
did you ssh into the target
^
Hi. I'm very stuck on the "Attacking common services - DNS" module. I've read the questions here on discord and tried with subbrute from the pwnbox, but It's not working.
The problem is: when executing subbrute, I find few subdomains (where I couldn't find any more info) and eventually the execution ends with an error:
verify_nameservers_proc.end()
AttributeError: 'verify_nameservers' object has no attribute 'end'
Here's the command
(also tried with python3)
(already added inlanefreight.htb to the hosts file and to the resolvers.txt)
(zone transfers are refused from the server)
resolvers.txt should contain the IP of the target
names.txt doesn't need to be changed
aside from that one of the results gives you the answer
yes
but I dont understand the other stuff about the download the VPN
when I click on download it my Mac cant open it
because it's an openvpn config file
i've only modified resolvers.txt. Any of the results work as a flag
if you're using the pwnbox you don't need to use the vpn
ok ..
h* should work
h* dont work
i wasn't talking to you
hahaha ok my bad
the pwnbox is already connected to the vpn network
to ssh to the target you just need to do ssh <username>@<ip>
(replace <username> and <ip> with the relevant stuff)
the sections in linux fundamentals give you the creds to use
Shells & Payloads
Infiltrating Windows
what may be the issue here that its failing?
reset the target and try again
is the RHOSTS/LHOST Set correctly?
yep
LHOST should be your tun0 addr and RHOST should be the target IP
nothing else afaik to change
yes due no creds are given in this task
still :/
maybe the wrong exploit?
that looks correct
but it should be MS17_010_eternalblue since the question before was explicitly asking about it
unless it's the eternalromance one, which is psexec
ive tested MS17_010_psexec too
okay.. Tried both of the h* and still not working.
Wrote them on all possible ways
h*.inlanefreight.htb
h*
h*.inlanefreight.htb.
h*.
h*.inlanefreight.htb. 604800 IN A <IP>
IP of one of them (the other is not returning any)
h* is a hint
the * is to indicate any number of characters after
might take a few resets
@buoyant escarp
same
aight, im gonna try a few
ds wrote my *s as a style, I understood it and tried with the full word for both cases, not only h
it definitely exists on an h* subdomain
:)
(also to prevent discord formatting, wrapping lines in backticks is helpful)
still inode 1362
dig axfr correct.domain @ip works
just looked myself

thank you!!!
i take it your dig command was just wrong
meh 
why is my pwd box so slow when im typing ? sometimes its like its stuttering
is there no download instead of this browser shit
ok soon.. haha
also password boxes don't display anything when typing
i gonna try with pwnbox now
eternalblue should work
i cant get it running :/
psexec one should work
shells & payloads; infiltrating windows
just ran the psexec one
it worked just fine for me
double check LHOST is set to tun0
easy to forget
the eternalblue one listed is just dumb
okay yes psexec works, dont know what ive missed when i tried psexec earlier xD
probably didn't re-set the lhost
yea probably something stupid like that
Use the credentials for the admin user [admin:sunshine1] and upload a webshell to your target. Once you have access to the target, obtain the contents of the "flag.txt" file in the home directory for the "wp-user" directory.
Anybody available for some assistance? I dont fully understand the question
how do I copy and paste in pwdbox ?
what's your question
ctrl-shift-c; ctrl-shift-v
you know this never worked for me
maybe it's because I'm using firefox
it's worked fine for me
there's also the little clipboard button on the bottom right of the screen iirc
ah okay
Using remote code execution, how can I navigate directories to find the flag? Or rather, where can I look to find the answer?
that section would've walked you though how to write/upload a webshell in wordpress
It did. I have remote code execution, but for some reason I can't navigate directories
you don't have to, you know where the file will be
?cmd=find / -iname "*flag.txt" -ls 2>/dev/null
i think the browser incodes it already
encodes*
I mean, you don't need that lol
the location is given in the question
obtain the contents of the "flag.txt" file in the home directory for the "wp-user" directory.
thanks
cat /home/wp-user/flag.txt
doesn't work. Feel like im on the right track though
you don't have to cat it right away, if you aren't sure, ls still exists
I used the ls command but didnt find anything relating to the home directory or the wp-user
if I check it and it's there I'm gonna be very disappointed with you 
is it maybe hidden?
it's there
I'm very disappointed
if you're doing it through curl you'll need to url encode it
Just found it
good
What is the name of the config file that has been created after 2020-03-03 and is smaller than 28k but larger than 25k
find / -type f -name *.conf -user root -size +25k -newermt 2020–03–03 -exec ls -al {} ; 2>/dev/null
Why is this not the right answer ? what have I missed ?
it's not asking for a file owned by root and you missed a filter for the size
-25 .. ?
smaller than 28k but larger than 25k
haha oh my bad
hi
find / -type f -name *.conf -size -28k -size +25k -newermt 2020–03–03 -exec ls -al {} ; 2>/dev/null
Still wrong
again: are you ssh into the target
I need sweet revenge

Ok.
When I tried to connect HTB's OpenVPN, it gave an error, so I saw a solution in edit from 1 to 0 in the folder "proc/sys/net/ipv6/conf/all/disable_ipv6" what changes were made when changing this? htb's openvpn worked after this change
wtf are you talking about
openvpn
wtf is going on here
beats me man
yes
If you wanna pull that shit, leave the server. If not, read the #rules
that command should get what you want, I think it pulls a few files? try them
bro u know how to answer me that
openvpn needs ipv6; as you can see "disable_ipv6" is the name of it; so setting it to 0 means "don't disable"
first time I've heard that enabling ipv6 fixes the vpn
usually because it's enabled by default
so it being disabled is out of the norm ¯_(ツ)_/¯
it's 2024, how is it not enabled by default 
what command ?
what you sent
the command you posted
Does this change I made leave my PC or network vulnerable? I'm a beginner, take the questions
no
ipv6 is the newer protocol; opposed to ipv4
It shows nothing .. and still when I answer on the exercise it says wrong
what module and section
Linux Fundamentals; Find Files and Directories
pretty sure that command works, make sure you're actually ssh'ed in
it's because find doesn't recognize yy-mm-dd as a valid format
The skills assessment on attacking wordpress gave me an IP address but when I try to enumerate the wp version, it says the site is up but is not running wp
hm what can I do then ?
Have you tried chatgpt?
yeah their dash is weird
you're using U+2013 for your dash
it's an em-dash (the longer one)
not an en-dash (the shorter/common one)
the odd part is the en-dash is in all their other parts of the command
LOL
does the target come with a port too?
how do i press the longer one then
No. Its just an ip address
chatGPT can't help with a question that requires direct interaction to get the answer to
you need the shorter one
parrotOS x Kali LinuX x BackboX x BlackArch , what is the best?
- not –
ok got it , let me try
there is no best
it's all user preference
oh that question, maybe it indeed isn't, find the page that is
find / -type f -name *.conf -size -28 -size +25k -newermt 2020-03-03 -exec ls -al {} ; 2>/dev/null
still dont work
wrap "*.conf"
??
it works just fine w/o
you also need to add a \ before the semicolon (not sure if you did; but your copy/paste doesn't show bc discord formatting)
ok i will try
find / -type f -name *.conf -size -28k -size +25k -newermt 2020-03-03 -exec ls -al {} \; 2>/dev/null
literally just did it and it works
dont work
^
also reminder it's looking for just the filename; not the whole /path/to/filename.conf
when I press enter nothing shows up
copy the last 3 lines and send it here, the entire line
that is the answer, include the file extension
delete this btw
happens, gj
ok
the one earlier too
Hey everyone. Hope everyone is having a great year so far. I'm getting stuck on a module and I've been scratching my head on it for 3 days now. Was wondering if someone can give me a nudge or advice on if I'm correctly doing this? The Module is INTRO TO ASSEMBLY LANGUAGE section Shellcoding Tools. The goal here is to cat out the flag on a server which will run shellcodes. I've attempted both pwntools and msfvenom and feel like I'm getting a connection however it doesn't do much after that.
I've tried using the shellcodes for amd64.linux.sh and amd.linux.cat with pwntools and get a hanging terminal. When I use msfvenom I get a broken pipe error
Any guidance would be appreciated. Not looking for answers, just a pointer in the right direction
what's the command you used the generate the shellcodes?
They are in the screenshots. I can also type them out if that's better
First time poster here, not sure how things are done so please let me know
oh right, what makes you think that the flag will be at /bin/cat/flag.txt? that's not a valid directory
There is a space in the hint, I removed it
O man I think I see the issue
the hint isn't a directory
I think I got it. I don't want to give away the answer
one moment
Attacking Wordpress skills assessment Q1. The IP address provided is not running wordpress and I have been trying to enumerate other web pages but am unsuccessful. Can I get a hint or a nudge in a certain direction please
what are wordpress sites usually used for?
you're also missing something else, if you still haven't got it
I think I see my misunderstanding, the hint isn't pointing to a directory
that's not the only problem. the question didn't ask you to use the shellcode loader script
sqlplus was a no go for me as well, was able to use another pre installed DB manager tool from pwnbox
I see @next bronze , ok now I'm on a different error. Appreciate the guidance. I'll grind my teeth on this more before I ask again.
I'm getting this error on the AD module Kerberoasting from Linux section:
It says to clone to the repository, but the lab machine does not resolve github for some reason.
if it's a machine you ssh into, it will not have internet access, the tool is already installed
Okay, it's working now. For some reason it didn't like the python script the first time.
It's asking for a password though
The SSH password does not work.
you're not supposed to use the ssh password, use forend's password
Oh, so from a previous module?
yes
go to the home directory and enter pwd
I only typed /home
thanks
its wrong version kernel
i run 'uname -r'
and 4.15.0-123-generic
use the right format, it's in the question
yes but i did delete '-1232-generic'
make sure there's no spaces
I got the password and checked with SMB but this question is not accepting my answer in the kerberoasting with linux section
check the output of GetUserSPNs.py, group name only
Got it, thanks, it was the common name.
It looks like I found the version number but it says incorrect
I also tried entering "WordPress 5.6.12" but still doesnt work
that is indeed incorrect
idk where you found that, try using wpscan
I see the version without even using wpscan
I used wpscan but it says site is not using wordpress
I found the blog site. thats what im enumerating
are you sure about that, it works perfectly fine for me, make sure the url is correct
I really need to learn to pay attention to small details
I had .com instead of .local my bad
google.
also this channel is for conversation around the htb academy modules
which channel is for conversation
engage your brain
i told you twice in the #cpts channel where to look
if you wanna learn any bit of hacking, and be somewhat more competent than the average person: you need to be able to use your brain
ok ma'am
Hi, I was getting [07:41:06:560] [7010:7011] [ERROR][com.freerdp.core.transport] - BIO_should_retry returned a system error 32: Broken pipe error on pwnbox for https://academy.hackthebox.com/module/81/section/789.
Checking earlier messages it seems somewhat intermittent.
I've respawned the target, and sent the command after waiting a few minutes. That seems to resolve it.
Posting here for posterity.
Try using the tcp vpn
i have some issues with password attack hard i can not share the ||backup.vhd|| file from my linux machine to the windows ||johanna|| machine or i can not connect to ||david's machine even though i have the password of him||
can someone please help me


Skill issue: backup.vhd is the last step btw, just need to crack and mount it
Plenty of articles have been shared in the channel on mounting ntfs to linux
yes i cracked i have the hash and the password
yes but none of them worked for me :C
the password audit is needed for the Attacking Enterprise module?
They worked fine on my machine
The other thing you can do is transfer it to your host machine and mount it there if it's windows
(This is generally not recommended in a live scenario)
If anyone has difficulties with HTTP ATTACKS - Skills Assessment and you are stuck at this point for a very long time, write to dm, I will definitely help.
one small question about the first lab in Active Directory Enumeration & Attacks. anyone ?
Can someone help with this one please
How many total packages are installed on the target system?
what should i search for ?
Start with sudo apt list and work from there
ok I dont know what I pressed but now I got only > when I press Enter
how do I cancel this
all I get is
good morning
yes and what should I search for ? apt or dpkg ? whats the difference ?
They both pull similar info, apt is just easier to work with
apt list --installed
With dpkg list you need to know what to look for to get the installed packages when filtering
What is '^ii?
Hi, I've got stuck at Working with IDS/IPS, part: Snort rule Development:
Question: There is a file named log4shell.pcap in the /home/htb-student/pcaps directory, which contains network traffic related to log4shell exploitation attempts, where the payload is embedded within the user agent. Enter the keyword that should be specified right before the content keyword of the rule with sid 10000098 within the local.rules file so that an alert is triggered as your answer. Answer format: [keyword];
I've already recognized the particular payload put in the user-agent header (uri), but it doesn't work when I try to enter it as the answer (in format [keyword];)
Could someone help me with it?
I saw somebody type that to list the packages
Has someone pwned bizness
As I just said apt list --installed gets you the full list (and an extra line or two)
#1193249174301442128 read #welcome to find out how to gain access
Sure
Nope ii is in dpkg for fully installed, ^ is regex for start of line
Iirc
Either way: ii isn't for apt
Its for dpkg
ok I get it
It shows a long list ,, I try to type wc -l but it doesnt work. how can I know how many they are ?
tried | grep | wc -l. also
head -n3 will show you why its incorrect
You need to grep for the opposite of that first line
dont understand
Grep has an option to look for everything except what you supply it
aha ok
Use man grep or grep --help
Whenever you don't understand: use available tools to help you understand
ok i got 738 but that wasnt the correct answer .. =/
Read my previous comment: if you pipe it to head -n3 then you'll see why it's incorrect
Before the wc
head and tail are very useful commands to know
I dont understand why 738 is not the correct answer
i typed apt list --installed | wc -l
same thing with apt list --installed | wc --lines
help with linux fundamentals
What is the name of the config file that has been created after 2020-03-03 and is smaller than 28k but larger than 25k?
i did use 'find / -type f -name *.conf -size +25k -size -28k'
but returns permission denied
As I said: you're missing a crucial bit of info on why it's wrong
Maybe check the output first for any extra lines
Use the example find command from the section
Also make sure you're ssh to the target
ok now I got the correct answer by typing
dpkg -l | grep '^ii' | wc -l
i add -newermt 2020-03-03, but not help
Read the section again
Yes, but there's also a way with sudo apt list --installed
Just need to look at the first few lines
To see what you need to filter out
I cant access sudo
Yes you can, htb-student is a super user
Can do sudo stuff
But apt list --installed without sudo works too
I dont get the correct answer then
Either way: first few lines of output
You still need grep
I'm trying to direct you
Ok I will try it now
Just not grep '^ii'
You need to learn how to adapt and get commands to work for you
Not just copy/paste
You still need to provide grep something to search against
First evaluate the output of the command before piping it anywhere else
And I told you you want grep to search for the opposite of what you give it, so the output is everything except that
yes sorry but I dont know what the opposite is
man grep or grep --help to learn
uninstalled ?
No
I tried using '2>/dev/null' and it worked, but I didn't understand his explanation.
2>/dev/null redirects errors to somewhere else
The first line
Normally grep searches for what you give it yes?
Ah so it made those permission denied errors not appear?
It moved them somewhere else
So when you tell grep to do the opposite, it searches for everything but that
But to know what to search for: you need to know why it's wrong
So looking at the output before sending it somewhere else is the first step
I dont understand what the first line is
Hello all, I am trying to enroll to the 'Hacking Wordpress' module (https://academy.hackthebox.com/module/details/17) but every time I click on the Unlock button, nothing happens. Can someone help me out please?
First line of apt list --installed
It's what I've been telling you to look at for the past 30 minutes
and I still dont understand

read