#modules
Dude it's sick, I feel like it instantaneously adds a level of gravitas
I wish you could stack the icons, Imagine having all four next to your discord name
what for? if you know you did it, you did it
I'm working in the active subdomain enumeration section for **information gathering module** and I'm trying to find out how many zones exist on the target nameserver but I haven't been able to find out at all, can someone help me
I saw that, but isn't it like a platinum or a gold subscription?
And isn't it like $500 - $1000 A YEAR?
Only if you're buying the annual
It's a fair few hundred dollars cheaper to do like 6 months Plat and buy the voucher
That's actually not too bad considering everything it comes with as well as an exam voucher, and hell of a lot cheaper than the other certs out there
Working on the kerberoasting from windows module right now. I rdp into the target vm with remmina, but when I try powerview or rubeus it says they don't exist on the windows machine. I did find the account with the required SPN, but I am stuck trying to extract the ticket.. Help!
The monthly plans don't include a voucher, gold annual is overpriced if you're only planning to do the cwee path, considering that silver annual is not worth it for the entry certs its kinda meh overall
Isn't the same true for the cwee cert?
good day everyone can a newbie ask questions here please
When it comes to Academy modules, then yes
Otherwise, read and follow #welcome to find better channels for your question
thank you
https://academy.hackthebox.com/module/112/section/1069 I am working on this module, I am struggling with the question regarding the zone transfer question. The hint says to give the answer in this format (Format: HTB{...))
I thought that HTB flags were given in (Format:HTB{}) is this an error or am i wrong?
now I am fighting trying to find the answer to the last question
i have tried enumeration but only getting back three returns and none with the corresponding last octet
i meant dnsenum using a few different wordlists from the DNS SecLists folder
I am not sure what I am doing wrong here
did you manage to solve this? I'm also stuck here
this is a crazy response
I don't exactly remember the thing but did you try this
On to documentation and Reporting
Anybody faced/facing issue with not getting the correct hash using the responder??
I got hashes of others but not the intended one..! -_-
I am still very stuck
Did you solve this yet?
my post wasn't in response to your question, but for yours try to look recursively through subdomains
thanks, I am trying but not getting anywhere
which subdomains have you checked against? which wordlists?
i have been using the wordlists in the SecLists DNS folder
i am checking against the ips returned from when i ran the initial dig axfr command
I will delete that so it doesn't give away too much info, should i be using a command other than the dig axfr to find this?
i tried dnsenum brute forcing as well
your command was limited to internal.inlanefreight.htb
should it just be the ip?
maybe the x.x.x.203 is in a different zone
||I don't wanna give too much away, but you made the assumption it's in internal.x.x, it's not||
so look for other subdomains of inlanefreight.htb and scan against those
ok thanks, I will go keep at it
|| use the fierce wordlist ||
Looking at Tapping into ETW in the Windows Event Logs module- when using SilkETW to detect .NET assembly loading, where does the -uk 0x2038 come from? I know it has to do with the keywords in ETW, but is there a place you can look these up?
Or is it one of those not too well documented things that you just wing it
I am still so confused, i went back and used the dig command against the inlanefreight.htb @ip and it dumped out all those subdomains it dumps, When I use the dig against the subdomains, I don't get any further, should I be using DNSenum with a wordlist against these domains?
Yes
thank you
@small sage glad you helped me without telling me the answer and how to do it. I feel like I know more now
ok,thanks
first question in Gitlab - Discovery & Enumeration in attacking common application section doesn't take the correct answer. did anyone face the same issue
dm me your answer
Module: Active Directory Enumeration & Attacks
Section: Privileged Access
Question: What other user in the domain has CanPSRemote rights to a host?
I'm struggling with this more than expected. I can't find any evidence of anyone being able to PSRemote on the target except for the user in the example, which is fine. I can't find anything in BloodHound either. Can someone please give me a pointer? In BloodHound particularly I've queried all users and groups who "CanPSRemote" but I can only find the user mentioned in the example?
Did you use sharphound in the cmd with Administrator level priv.?
A quick tip
if you have got hold of any user, open cmd/powershell with the Admin.. if possible
Things will be little easy
No I did not, I used bloodhound.py remotely.
open cmd as admin
use sharphound
have the zip
open it on the bloodhound
there is a command in the section
run it the RAW query
look at the map what bloodhound gives
you will have all the things
it's case-sensitive
use .py version only when you have no other option
sharphound and bloodhound.py should collect the same things
Yeah I would have thought an admin session on a domain joined host is not required.
I can run the cypher query in my instance, and I get the example demonstrated in the module. I don't however, have anything else. Which is what led me to try and enumerate groups as an example, but still nothing.
yes
but when by mistake ran with or without admin level priv. cmd gives different results
made this mistake and got thinking for long what went wrong
My attempted queries are
```
// Module
MATCH p1=shortestPath((u1:User)-[r1:MemberOf*1..]->(g1:Group)) MATCH p2=(u1)-[:CanPSRemote*1..]->(c:Computer) RETURN p2

// Remove Shortest Path
MATCH p2=(u1:User)-[:CanPSRemote*1..]->(c:Computer)
RETURN p2

// Just groups even?
MATCH (g:Group)-[:CanPSRemote*1..]->(c:Computer)
RETURN g AS Group, collect(c) AS Computers
```
All three of these queries give me the same output as the module
what? you only need a domain account to use bloodhound, there's no need for admin priv
means to say opening cmd/ powershell with as Administrator
I've found an interesting group, that seems relevant. But apart from its name I can't prove in BloodHound that members of that group have CanPSRemote over any hosts.
it doesn't matter, again you just need a domain account
Right, now I understand. The group isn't custom and it's built-in. So perhaps its permissions are implied. But, for a similar built-in group, such as Domain Admins you can see plenty of outbound control in BloodHound. Can anyone help me understand the discrepancy?
MATCH p=(n:Group)<-[:MemberOf*1..]-(m) WHERE n.objectid =~ "(?i)S-1-5-.*-512" RETURN p
should give you the answer
did you pivot? the target given is not the DC, how did you run bloodhound.py?
I ran bloodhound.py on a previous section of the module, perhaps I've made a bold assumption that the domain is the same for all the "training" material?
I have full data in bloodhound I'm not concerned about that
did you have to spawn the target again?
yes
then yes it will be different
you'll know the environment is the same if you don't have to spawn it again
The user I found in my group was the correct answer though? So I'm pretty sure the data must be the same? The module even implies we are using the same domain as it is a "pen test" simulation that builds on itself.
@next bronze do you mind if I DM you?
maybe bloodhound.py wasn't collecting all the info, you can try running sharphound on the target
if you'd have to respawn the target, then something has changed, the domain and the overall environment will be the same but it's a different image so you'd have to spawn it again
I'll pull another copy using Bloodhound.py but even the query you shared seems unrelated to the question so I thought we might be talking past each other a bit.
oh oops I pasted the wrong one
MATCH p1=shortestPath((u1:User)-[r1:MemberOf*1..]->(g1:Group)) MATCH p2=(u1)-[:CanPSRemote*1..]->(c:Computer) RETURN p2
Anyone???
try with sharphound
good idea I'll do that instead. I'm using the community edition just to make it all the more fun. that query you just shared is from the module and I get the expected result, but no additional user! Maybe that will change in the newly pulled data.
if you complete the modules for the Penetration Tester Job path, how close do you get to finishing the other job paths
which Ip should i put there? Source: debugging section/Malware analysis
can someone give me a hand with the last question of https://academy.hackthebox.com/module/112/section/1072 I am currently running smtp-user-enum with a large wordlist, but it's going to take forever. Is there a quicker more obvious way to find the username that I am just missing?
Your machine's tun0 ip... as it says
There should be an included wordlist
My own Linux vm's tun0 ip? That I will only have if I connect to openvpn.
Yes
And I should RDP to the target machine using the same Linux?
That's usually how it works
yeah, that's what the hint says, but I am not sure where the wordlist is. I can't find it in this module
resources button
thank you, I'm an idiot
came back with no results
smtp-user-enum -M VRFY -U with the path to my wordlist and the IP, am I on the right track?
Thanks @next bronze -- Let all be aware that you should run a BloodHound collector in each section of the Active Directory Enumeration & Attacks module. I'll have to go eat some humble pie! I feel like this could be an #858470491676737536 it should be mentioned. Either that or it was bloodhound.py vs sharphound
can't find a file called "shadw.bak" in /vars/backup/ after using the command ls -la, i need the inode number of that file but i can't find the file in the first place https://academy.hackthebox.com/module/18/section/78
it's /var/backups, and make sure you're running the commands after you've ssh'd in
Any pointers for me? I feel lost again
Mess with the parameters
the parameters of the smtp enum command?
I dont think the user has access to /var/backups but they don't need it
Iirc the backups are somewhere else accessible
Yes
isn't that what the question asked? 
thanks, will try this now
Oh wait wrong module, I was thinking of something different
I just clicked it
And yeah it's /var/backups
ah okay
oh right meant "var" not "vars" but still can't find the file in that directory
Also you need to add i to the ls command to see inode info
did you ssh
SSH to 10.129.45.240 with user "htb-student" and password "HTB_@cademy_stdnt!" does this count??
could the parameter be that the SMTP is running on a non standard port?
Nope
Smtp is on a standard port, adjust the wait time
will try this, thanks
Hey done the Documentation and Reporting Skill Assessment section??
Facing some strange issue with it
can't describe here as it may be a spoiler
adjusting the timing is to get around enumeration safeguards that might be in place?
oh i see, i need to SSH into that one, the current terminal shows different, SSH'd into the right one and got the file finally, i see the inode number but when i type it in the answer box and submit, it still says incorrect???
Yes. Inode numbers will differ from the pwnbox and the target.
But if you do ls -lai /var/backups you should get the inode number
I have tried 1 second, and 4 second for the timing delay, but both are producing no results
Need more delay
Smtp is a fairly slow service
Thanks Marcie
Thank you, that makes more sense now with regard to the hint. I will make the delay 10 seconds and make a coffee lol
It won't take long with the footprinting list
That list is fairly small like < 20
You are an incredibly knowledgeable individual. I greatly appreciate your help and patience as I learn these things
sorry, am i adjusting the query timeout or the delay between?
The wait time
Using -h or --help should help you understand the tool more
Ok, why was it determined that my nickname was breaking the rules when my nickname was merely Xyvil?
If your name contained any non-standard characters it gets changed
thanks, got it
Are you people experiencing constant disconnects from machines in AD Module. Went to pass through AD Skill Assessment again, but can't stay logged in more than 3 minutes
Change vpn region, use tcp
Ahhhh...So I can't use my cursive format...
Did that
Nope, as it makes it more difficult for moderation
Gotcha...
As the cursive format wouldn't show up
So if they needed to do a message history search, they'd need your username which increases the complexity
How can I change my nickname to the noncursive version then because it's greyed out for me now?
You can't
can I dm you?
anyone around that knows the adcs module that can help me out?
just explain what you need help with
i'm not sure how much i can say here without spoiling it
the gist is i've tried every path and there's a brick wall at each one, seems like the thing is broken or something
it's the skill assessment
explaining which question it is and what you've tried would be helpful
enumerate what you have, which esc do you think it's the most likely?
the problem i run into there is that it saves the key and i can't approve it
i've tried all three esc's
run certipy find, which do you think it's the most likely?
you need to use the right template with the right user
yeah maybe i don't have the right user but i don't see anything obvious which is why i thought maybe i had to go through ws01 too, but the question at the end is just get the dc so i think its easier than that
neither user i have can do it
again run certipy find, which esc do you think it's the most likely and what user can do it?
i guess i'm missing creds for that account then
should i focus on the box i did get system on and enumerate there for the other creds? thats not really covered in the module but i can't think of anything else
seems to be a lot of red herrings i've spent too much time on this
yeah, just because it's the adcs module doesn't mean you don't have to run your postex routine
so the answer is outside of the module?
i only got the one module seems weird to have a test on the module that has items outside the module
I mean adcs is a tier 3 module yeah?
So it's making an assumption you know skills that would be covered in lower tier ad modules,
those prereqs dont include what you're talking about though
i feel like it's going to be specific to the subject of the module
what do you mean?
the literal question the task is asking for? "Compromise DC01 and submit the value of the flag file at C:\Users\Administrator\Desktop\flag.txt"
so you've gotten the second question?
yes
then use that
i have
i have tried every combination of command, user, target for each escalation path
each escalation path leads its own roadblock
esc10 doesn't work. esc7 doesn't work because the user doesn't have manage ca authority rights, esc8 doesn't work because the user can't approve the request, and i can't get esc11 to work with any combination of machines
other tools mentioned in the module aren't loaded on the machine
Hi Guys, I was asked to identify the services running on the server, and then try to search to find public exploits to exploit them.
When I run the nmap command for this, it shows this and no services. Am I doing something wrong? should I try using -Pn like nmap suggests?
this question is from the public exploits section 2nd module
-sVC -Pn
it seems this target in particular has been acting funky for some people
until analyzing malware traffic. i've followed through steps, but i am stuck at this "entry point" where it does not follow through (2nd ss). its from debugging section from malware analysis.
-sVC is like -sC and -sV combined right?
it's exactly that
Yes
Be Pro Max bro
note: generally when given a public IP and port - it's a web server
if it's not you're usually informed otherwise
first check what group the user is in and what rights the user has
I reset the target and it still showed the "seems down message", I then added -Pn -sVC to the command, it now shows this.
shouldn't there be a proper name under services instead of unknown?
Hey @fathom pendant can i dm you for a thing
I am in the Documentation and reporting module and I think something is odd
haven't done that module so anything you dm me would be a spoiler for me
give it a few minutes after spawning it
Anyone can help me in the Skill assessment of Documentation and Reporting ????
Responder in the ssh session is doing something odd
"doing something odd" doesn't really explain a whole lot
am i supposed to be able to add an officer? i can't do that otherwise i could approve these
|| there are 2 types||
yeah going over that again now
how do you hide message?
|| spoiler ||
i just get failed to get dynamic tcp endpoint for certsvc
well this isn't a gen chat so it's not uncommon for it to quiet down
no gn?
gn is off topic?
yes as it's a chat that isn't related directly to HTB content
you need to verify/link your HTB labs account to the discord to be able to access more of it
what more will i get?
access to the rest of the server
yeah i get that like what is rest of the server?
more chats like #general and #programming and #web (Note these will say No access to you)
Module: MODERN WEB EXPLOITATION TECHNIQUES. Section: Exploiting SQLi via WebSockets, the url address: https://academy.hackthebox.com/module/231/section/2488. At present, I have successfully discovered the location of sql injection and obtained the version, but when I want to further obtain the flag, it always goes wrong. Is anyone willing to provide help or push? I will be grateful.
well i think i'm one step closer i was able to issue the request but get an error trying to retrieve it (Call context cannot be accessed after call completed.) going to take a little break and come back to it, my vm ran out of time anyway
this is solved, if anyone needs help, all can dm me
alright i couldn't help myself i just had to finish. thanks for the help, i was really missing the forest for the trees. got the flag.
nice; it's usually the simple solution that ends up being the "I swear i checked that" or "no way" solution
Hey struggling with format of the answer
Documentation and Reporting: Documentation & Reporting Practice Lab
Question: What powerful local group does this user belong to?
I have done the rdping to the user
opened powershell
whoami /groups
and i have bunch of groups showing but i don't know the format
All the questions are being done
only this one is left
i think there's a better command for showing groups i think it's like net localgroup or something
net user <username>
a

Finally ..!! Thanks @limber river @next bronze
Documentation and Reporting DONE..!
I really want to say something regarding this.
Those who don't want spoiler or something please don't read it.
If some one need to then please go through. WHY???
Because it will save a huge amount of time looking for things here and there. I think it's super important. Otherwise things keeps getting distracted from what needed to be done.
||Starting from the beginning, as mentioned in the section the responder ran with -I eth0 but when you actually ssh to the target you need to listen to the -I ens224 -v and the other one. From ens224 you will have some hashes which can be cracked with rockyou(hashcat) and from the other one you will have the idea what are the possible internal IPs, run an IP sweep (one is mentioned in AD enumeration and attacks module).
Now after having a list of the internal IPs and username and passwords, xfreerdp to using the user which seems to have high privilege by just looking at the same itself. From there you can follow what is explained in Components of a Report or do it yourself.
From the last question use net localgroup it will save time.||
Guys I'm stuck at password attack module hard lab.
|| I found J* and D* password and moved the *.vhd to windows but unable to mount it.||
since I don't know how to find user Admin password. Can anyone provide hints.
I tried dumping Sam and lsass since I don't have privilege I'm unable to dump them. Any hints would be appreciated.
did you use bitlocker to john?
Yep that password didn't work for admin
Transfer the virtual disk to a windows host and mount it there
Yeh I transferred but while mounting it asks for admin password but the bitlocker password is not admin password
Mutate?
well you can mount it in linux
you can find a handful of articles that have been shared about in this discord regarding mounting in linux
Thanks a lot I'll try it out!!
use bitlocker to john and pass it to say Backup.hash
||Then open the Backup.hash copy and paste it to file say newhash.txt. {Copy from $bitlocker$0$16$6..........}||
Then use hashcat to crack it with -m 22100
Then you will have everything connected
hey did you find the answer?
there's one that's 99% braindead follow instructions 1to1 (changing only a few things)
i think he's already cracked the bitlocker pw he just needs to mount it
not between the targets users machine but to a windows VM or your own windows machine if you are running one
Earlier he said the password is not the admin password so i thought might be struggling with the password thing
context "But the bitlocker password is not the admin password"
I transferred it to target vm and was trying to mount it there without admin access in target
mount it on your local windows
it will be easier
there's also like a super simple guide to mount in linux
¯\_(ツ)_/¯
but whatever goats your boat
can you pass it to me?
yup, just run with your admin privs on your local windows
also if they're running their linux attack machine as a baremetal; it's a LOT of extra steps
you can search the discord for it
ok
discord will give you some search stuff for channels
on desktop: in:modules has:link bitlocker
does any one solve this?
could you please help me?
hey...I'm totally new to any of this! just any hint to get started?
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
thanks
Hey guys,
I'm doing Session Security - Skills Assessment, second question
I'm facing download pcap file issue, internet connection looks stable, I was able to connect to the VPN and solve the first question, but something wrong with the download file side, it says expected 4 - 5 hours and it's only 8MB
Any idea?
In the Kerberos Attacks module under AS_REPRoasting the very first walkthrough has you enumerate accounts with dont_req_preauth and provides a response with 3 users. in the example it shows jenna.smith whose password gets cracked with rockyou. i followed the exact steps and am unable to crack the hash on the VM or on my own machine. i went beyond using rockyou and tried real passwords with rules filters, but that didn't work either. the walkthrough shows a successful crack on that account with the password. i created a password file with just that password in it, and it still doesn't work. i was able to crack the other 2 passwords in seconds. what am i doing wrong with the jenna.smith account?
strange that the walkthrough shows it though
the module sections aren't always walkthroughs
it tells you to run that command against the user
just examples
alright thanks
idr it saying to do it specifically against that user
oh wait
i'm thinking something else
but if the question is expecting you to crack it
then there's the difference
is there a provided wordlist/whatever in a resources tab?
yes, rockyou.txt is on the vm it has you connect to
i don't see that
ah ok
its strange because it tells you to run the command to show you and says 'see we cracked it' etc
on the windows file transfer module the module is not accepting the output of the hasher upload_win.txt command
here is what im submitting 8990089e402b00f809810659fefb5523 am i doing smthing wrong i double check the uploaded file it has the same hash as mine
hash is wrong from what I have
Hi I'm new to hackthebox and new to hacking and new to kali linux. I'm on the kali linux fundamentals module. I answered the first question right but I'm having trouble trying to answer the second question as only the first question came with a hint. The rest of the questions don't have hints and I feel like a complete dumbass rn. I'm on this page: https://academy.hackthebox.com/module/18/section/70 please can anyone help me?
Module - Linux Privilege Escalation Page 5- Path Abuse
Question-Review the PATH of the htb-student user. What non-default directory is part of the user's PATH?
These are the questions that have the opportunity to burn time!
I have done the echo $PATH on htb-student user: copy of my search:
```
htb-student@NIX02:~$ pwd
/home/htb-student
htb-student@NIX02:~$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/tmp
```
What is a default directory? - Google - https://docs.oracle.com/cd/E19455-01/805-7228/6j6q7uf0n/index.html
All these directories are default directories per the oracle.
What am I missing?
I need to focus on improving my efficiency and effective methodology in my approach to answering these questions!
Getting so close to the 10 day!! Exam!!
Thanks for your positive coaching - Update - I came back - I ran LinEnum - basically it got me focused on carefully comparing the PATH per the target box to the module - there is a glaring difference - My bad - don't read into the question more than needed - so the answer was staring me in the face!
it helps to ssh to the given target
Finally completed Password Attacks module
Thanks for the assist @fathom pendant @short hare @soft cedar
The second question asks: What is the path to htb-student's home directory? I put ssh as the answer but it's incorrect
because ssh isn't the answer
bcoz it is wrong
you can get the answer by using ssh to connect to the target
Oh I see OK I'll try that thank you
the two things needed: the target (click to spawn target) and credentials
which is given above the first question
you just got lucky that the pwnbox has the same machine hardware name
I think I got confused with the question bc it asked for the "path"
path just means
/path/to/location
i.e. /home/user/desktop
note: this path only exists in an environment variable for the mail question
do ~ and then type pwd
Ok
^
for a handful of questions they exist as environment variables
which you can see with the env command
some require the uname, some require other commands that's listed in the section
So all I type is ssh first?
Did you solve it?
it helps to read the section
what do I do if a target machine isn't spawning... it just says target spawning with the circle keeps spinning
f5
change vpn region
Oh I see ok
even if I'm using the attack box?
ok, thanks. I'll give it a shot
pwnbox region =/= vpn region
pwnbox region ONLY dictates where the pwnbox spawns
vpn region ONLY dictates where the target spawns
pwnbox just natively connects to the vpn
that makes sense. Thank you
it's not quite as obvious as it seems for some
I still seem to be having an issue. I cleared my cookies and tried all three US vpn connections
ah, nevermind
just spawned finally. Thank you!
Module: USING CRACKMAPEXEC Section: Finding Kerberoastable Accounts url: https://academy.hackthebox.com/module/84/section/807 , I don't know what's wrong, who can help me
I have tried resetting multiple times but to no avail. Same problem.
Can you show me your hosts file?
```
# As a result, if you wish for changes to this file to persist
# then you will need to either
# a.) make changes to the master file in /etc/cloud/templates/hosts.debian.tmpl
# b.) change or remove the value of 'manage_etc_hosts' in
# /etc/cloud/cloud.cfg or cloud-config from user-data
#
127.0.1.1 upcloud-capture-droplet upcloud-capture-droplet
127.0.0.1 localhost
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
127.0.0.1 localhost
127.0.1.1 htb-1x1zh1gylk htb-1x1zh1gylk.htb-cloud.com
10.129.92.137 dc01.inlanefreight.htb
```
can I dm you
is dc01 on that ip?
Can I dm you
Why

your screenshots in Chinese so I can't really understand the extent of what you're showing me
Heβs showing the ip I guess
What I am showing is a Chinese-English translation.
¯\_(ツ)_/¯
Did you do this?
you mean echo DC01.INLANEFREIGHT.HTB in /etc/hosts and use in crackmapexec
Well no need to echo it, just type it in lol
And also add INLANEFREIGHT.HTB and inlanefreight.htb
Yes, what does it say now

yeah machine and domain names are one of the few things that windows cares about being capitalized
Mostly Kerberos that can be annoying with it
nah it's cause the domain name is missing, capitalisation doesn't matter
But I think the main issue was not having inlanefreight.htb
for kerberos you need both the fqdn and the domain name on dc
As it was trying to connect there at 88
At least looking at the last line here
ok
ah ty found it
Same issue. Did you manage to solve it?
10 more to before I attempt to claim the glorious sword.
MODERN WEB EXPLOITATION TECHNIQUES - DNS Rebinding: SSRF Filter Bypass
What's the password for Webmin?
I'm trying a few things and I'm not getting it. Is it part of the exercise challenge to figure out the password?
there is no password
hello there, i need some help with the module "ATTACKING COMMON APPLICATIONS" chapter "Attacking Thick Client Applications" basically i have limited understanding of what im doing but the main issue is that following the steps as in the module i did change permissions on the temp folder and generate the bat file then edit the file so it wont delete the other files generated, at this point i go to program data to check the files but i only have the ps1 file and txt file, i cant find the exe file that is supposed to be executed by the ps1 file
Can someone assist with the AD capstone part 2
Use a common method to obtain weak credentials for another user. Submit the username for the user whose credentials you obtain.
Hi I am also at the Pentesterpath. Right now the chapter Web enum gives me some trouble, not in solving the task, but in accelerating I could use some help. As beginner I guess my notices are okay but not complete and not comprehensively explaining the topic. Is someone there to support with this?
Create a userlist, and password spray common weak passwords
Okay yeah I did create the userlist and I tried Password1 and Welcome1 I will try a more comprehensive list thanks
The latter of those 2 should work
I guess there's something wrong with your user list
SQLMap Essentials - Skill Assessment i can't find the attack vector
Do you have any idea?
I saw that there is a contact form with a POST method, but it's not working.
anyone can tell me what i am doing wrong please ?
DM welcome
Im using the jsmith.txt wordlist ive used the 10million one in seclists. Am I missing something
You already have credentials, you can enumerate users with that
@steady dust I think I have found the vector, but struggling to find the payload
Anyone else getting booted off the labs
Is anyone here subscribed to htb? As I'm new I'm a free user but I can only use 1 spawn per day. I signed up to learn to become a bug bounty hunter but the prices to subscribe are very expensive
I swear every time I have an RDP based lab it constantly boots me off endlessly
macie what is your level
If you are a student, then there is a special subscription for $8/month
You can also use your own VM, then you have no restriction on the usage time
How to use my own VM?
Yeah I'm learning through the academy
The Academy shows you how to use your own VM
I'm in the Linux fundamentals module rn
ATTACKING COMMON SERVICES: Attacking SQL Databases
Question: What is the password for the "mssqlsvc" user?
can someone help me understand the error below:
```
sqsh-3.0 Copyright (C) 1995-2001 Scott C. Gray
Portions Copyright (C) 2004-2014 Michael Peppler and Martin Wesdorp
This is free software with ABSOLUTELY NO WARRANTY
For more information type '\warranty'
Open Client Message
Layer 6, Origin 8, Severity 5, Number 3
ct_connect(): directory service layer: internal directory control layer error: Requested server name not found.
```
I have also tried connecting to it through `mssqlclient.py` but can't enter queries and have no much use. I did try running responder with Target IP but it does not print anything. Any advice on right directions with steps please?
Good Day - the ONLY way I got through this page is the following video - for a box that is open for walkthroughs - https://www.youtube.com/watch?v=3bvKLj0akMM&t=1066s - Seriously - I was LOST! This walk-through pulled me out of the deep despair of trying to figure this out - it is a LONG walkthrough!! Best Wishes -
you are viewing the source code of the page
try echoing the output
Please how to configure htaccess apache2
I just finished this skills assessment, DM me
hi
Im in the RDP and SOCKS tunneling with SocksOverRDP section of the pivoting and tunneling module. The issue im having is that the last ip im supposed to get to, 172.16.6.155 (jason:WellConnected123!), isnt reachable from the windows host we have access to. Also the host used in the example, is reachable but has separate credentials that i dont have.
Could you recommend a tool to use to export the users easily to passwordspray them
Netexec
Hello, im doing that question in Active Directory Enumeration & Attacks Module
What is the ObjectAceType of the first right that the forend user has over the GPO Management group? (two words in the format Word-Word)
both of them give me error, are the wrong rights?
You'll need to use PowerView for this
Afternoon everyone,
I am currently going through the Windows Fundamentals module and when I use freerdp to attempt to connect to a windows machine my connection keeps timing out and I have tried adding a timeout of 20 seconds but no luck.
I am using a Kali VM through VMware and OpenVPN is running with the TCP VPN connection file.
I should add that I can connect via rdesktop, but the connection is painfully slow.
Disregard, must have just been some kind of connection issue with HTB, it finally worked.
PowerView?
ACL privileges are not the same as ObjectAceType
Sorry I was replying to someone else
In your case you have to double pivot
You'll need to use PowerView for this
Im confused. Im on the pivot host, so i should be able to rdp into the host its connected to
But i cant even ping it
No box can see the final host
the host in the example is where you pivot again. you should have the credentials for it when you used it previously as your pivot host
a --> b --> c is the answer
and you should have credentials for it, it's in the section
the credentials given in the question are for the final host
if you do ipconfig /all you'll see that the initial host isn't on the 172.16.6.0/24 network
The ip in the question isnt reachable. But the host from the example is. The issue with that host is that only the username is given
yes
Wheres the password at
it's given in the section
this module is one of the ones where it's a literal step-by-step guide
Can you show me where its shown, i must be blind xD
Ive redone this box soo many times, following the example
it's literally the second paragraph after it has you load the dll
Lemme see
the paragraph starting with "Now we can connect to 172.16.5.19"
if i remember well, that ip you mentioned is not the ip of final host
already being worked through ;)
nvm
no thx
hey everybody, I'm currently doing the AD skills assessment II and I'm encountering some technical issues I'd like to discuss and try to resolve but I can't really go into detail without spoilers, so I'd like to discuss in DM so if anyone is cool with that please reply to this message.
hi I did the previous two SNMP questions for the SNMP section of footprinting module and I have been stuck on the third question for a while.
can someone give me a hint on how to enumerate the custom script that is running on the system in the first place?
I tried snmpwalk, braa, onesixtyone and nmap scripts and I think I'm going in the wrong direction
I have the email of admin and the customized version of SNMP server
just having trouble with the third script
Doing the walk you should see a [script].sh in the output, follow that
You're not executing the script. Just finding it, and its output
Thanks
now I've found the folder the script is in but I don't know how else I would get output besides running script. is it something else I can do in snmpwalk?
sure
I found the flag script I'm just having trouble finding the output
can someone give me another hint without giving me answer because I found the path to the file but I don't know how I would get the output from a script without running script unless its saved somewhere
I was thinking I could use the community string for that but I am unsure if that will even help
do I use another SNMP tool besides walk?
Literally just once you find the script just follow it a few lines down to the output
you can use snmpwalk to find all 3 answers to the questions.
ok thanks
It's all in the snmp output
^
There's no need to do any attempts to rce or revshell
found it
got flag. now moving onto next section
Thank you this was much simpler when I outputted it to a text file and just found the script for the flag with ctrl-f and looked a few lines down that way. Tho I guess I could have used grep with first part of community string.
lmao I was just a little confused tbh
but now I totally get it
snmp is extremely simple
ya
[Simple] network message protocol
I was definitely overthinking it for a while ya
maybe I should come here sooner for hints
I was rereading for days and it turned out to be so simple
Nah, working through it is better until you run into a hard wall where nothing you've tried works
wouldn't recommend that.
ok
There is value in struggle, you learn a lot more
Considering your message history: you need to work on being able to solve problems and think critically to resolve your issues.
there is joy in tribulations and suffering
Not trying to be mean, just a pattern I've seen
got it
Hello, is there a way I can get a hint for Perfection box?
You're a lot farther ahead than me. I just finished the Nmap-module and the labs forced me to go back and read through the module and it made me understand how nmap works a lot more than if I'd just googled or asked for help
In #1213545829172776980 [read and follow #welcome]
yup. that will be your only friend in the exams.
Thank you
cool
finally i am not stuck anymore ... in the end it was too easy :/
just understand what they mean is sometimes .... difficult
The module Advanced Deserialization Attacks is pretty fun guys.
Congratulations to all involved. The explanation of how to generate valid exploits manually and all the concepts is really helpful and interesting. The skill assessment shines in reversing to bypass the restrictions
fantastic module, a great refresher on assembly + learned a lot of new stuff. skills assessment was awesome
Can I ping someone for the last question on Advanced command obfuscation in the Code Injection module? i have tried just about everything I can think of, and I don't want to put spoilers in here https://academy.hackthebox.com/module/109/section/1039#questionsDiv
it awaits
any assistance on this question?
Check if you can reach the server. ping the IP.
What do you mean you can't enter queries?
Yes Im able to ping
it doesnt allow me run sql commands to navigate
sometimes it's dumb
you might need to reset the target
iirc someone else had a similar issue recently
you're using impacket's mssqlclient?
Could you elaborate on the please?
Hmm Im not sure I used mssqlclient.py
mssqlclient.py == impackets mssqlclient
thought you said you did but it's not allowing you to run queries. no?
yeah someone else had a similar issue where when they typed a query and hit enter it did nothing
but when they used the pwnbox it worked fine
¯_(ツ)_/¯
Alrighty.
yes thats what i meant
did the reset work?
checking
you might also need to reinstall impacket

you know what I'll just try to do this in my local vm, hopefully works
Hey guys new to the community I'm stuck on getting started web enumeration. I used Gobuster dir to enumerate and find a robot.txt file but when I try to navigate to the page Im unable to connect and see its contents any advice?
figured it out
yup even worse in my own vm. queries dont print anything.
I inputted target ip:port/robot.txt And get a unable to connect to URL page however I'm showing a 200 code on go buster die scan for /robot.txt
are you using http://?
Yes I am using that
Hello, I'm doing the skill assessment for shell and payload and I'm having a lot of trouble. I have several questions:
- if Tomcat's connection information wasn't provided, how could we find the information in the hint?
- i crafted a payload with war extension because elf files are not supported but it doesn't work, why?
https://academy.hackthebox.com/module/115/section/1139
what happens when you curl that url?
I tried that too and I get the same message
have you attempted looking at the desktop
the war extension can be used with the java payload
can you netcat to ip:port?
i mean netcat won't be much as it's a web service
ahhhh okok thx i understand and no I wasn't curious enough to look at the desk, but it seemed obvious, sorry.
sometimes the docker containers are just a bit wonky
well yes, i'm just meaning these labs have been extra funky lately
indeed
mmm no and it's honestly just seeming like a connection issue or something else is going on since it's pretty obvious the flag is in the robot.txt file
I only have 5 minutes left on this target machine so i'll maybe try to restart everything and try again
respawn it
Yeah that worked
anyone know how to solve oracle- footprinting? ive run otad for 1 hour yet no result, still searching for sid
and IPMI as well, ive run auxiliary/scanner/ipmi/ipmi_dumphashes module but no result
well otad is just to get creds
and it's easy to miss; IPMI dump should get you a hash
since the IPMI result isn't in the default list: it doesn't crack it
i dont understand for one question into this section, I know the vulnerability for the blog but when I search the exploit (50064) on msfconsole I get nothing, I even tried to take the exploit on the given base and update the base it doesn't find it.
I tried to connect to the blog as well but it doesn't work.
you can just use 50064
it'll work fine
yes
it'll work even if it doesn't show in the search
i know otad is to get creds and the module is to dump hash but both i dont get anything
my otad still searching for sid and the msf module dont return me the hash
it just say execution completed
you likely overlooked the result
check the example for the oracle section
and it'll show you what you're looking for
msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > run
[] Scanned 1 of 1 hosts (100% complete)
[] Auxiliary module execution completed
that's for the ipmi section?
let's stick to troubleshooting one section of the module at a time
automod detects large blocks of text as spam and autodeletes
i see
ipmi is not needed for the Oracle TNS section
./odat.py all -s 10.129.145.138
[+] Checking if target 10.129.145.138:1521 is well configured for a connection...
[+] According to a test, the TNS listener 10.129.145.138:1521 is well configured. Continue...
[1] (10.129.145.138:1521): Is it vulnerable to TNS poisoning (CVE-2012-1675)?
[+] Impossible to know if target is vulnerable to a remote TNS poisoning because SID is not given.
[2] (10.129.145.138:1521): Searching valid SIDs
[2.1] Searching valid SIDs thanks to a well known SID list on the 10.129.145.138:1521 server
[+] 'ASDB5' is a valid SID. Continue... | ETA: 00:07:31
[+] 'ASDB6' is a valid SID. Continue...
[+] 'EARTH' is a valid SID. Continue...
see its just searching for sid
i know but ive been stuck at these 2 module for 2 hours already
yes: but when requesting help - do it for one section at a time
okok sorry hahahaha
that way you don't get wires crossed
and miscommunication doesn't occur
the ipmi one should just be as simple as setting the RHOST correctly and running it
idr needing to set an lhost or anything
RIGHT
but idk why it just wont run
i reset the machine few times already
Can someone please help me with the skills assessment for command injections
so I just have to use 50064?
yes
i forget the command in msfconsole to reload modules and check new ones
why the academy boxes are so laggy?
but it's still there even if search isn't finding it
@clever topaz just loaded up one and ran the scanner for IPMI and it works fine, try changing vpn region then
[msf](Jobs:0 Agents:0) auxiliary(scanner/ipmi/ipmi_dumphashes) >> run
[] Scanned 1 of 1 hosts (100% complete)
[] Auxiliary module execution completed
its the same using htb instance
sad
Debugging section/ Malware analysis, my rdp machine disconnects abruptly as soon as I do "sudo inetsim"
Tried, both cases, using my own vm, hackthebox pwnbox as well.
thx i find, and for reload reload_all
@clever topaz don't forget you do need to do ./odat.py all -s $IP
yes this is what im doing
btw im able to get the hash already when i run the module with "exploit" instead of run
zzz i tot its the same
ok im crying ahahahahaah
¯_(ツ)_/¯
i literally stuck at few modules because of this kind of bug
yes
this is one of the times where specifying the vhost is necessary
don't forget to set the username and password of course
all i can say is; idk why yours isn't working but it works on my machine
¯_(ツ)_/¯
i also dk
just sanity checked to see if broken: both intended methods worked fine for both modules you're stuck at
sometimes i have to restart few times to make it work
[msf](Jobs:0 Agents:0) auxiliary(scanner/ipmi/ipmi_dumphashes) >> run
[] Scanned 1 of 1 hosts (100% complete)
[] Auxiliary module execution completed
[msf](Jobs:0 Agents:0) auxiliary(scanner/ipmi/ipmi_dumphashes) >> exploit
[+] 10.129.200.203:623 - IPMI - Hash found: admin:hash
I have filled everything in but I notice a bug the RHOST is linked when I put the host ip it also changes the target ip
i've got this error:
reset msfconsole and set it again
it's dumb like that sometimes
when I ran into issues all i had to do was reset it and it worked ¯_(ツ)_/¯
so idk
i give up 😦 after sleep I'll have clearer ideas
anyone having issues with pwnbox/freerdp connection? i mean even the rdp doesnt want to stay connect to its own pwnbox in the server
i use rdesktop
i tried on my own machine too with remmina and freerdp, no dice. switched to pwnbox no dice
use rdesktop he work
switched vpn servers, pwnbox instances, reset, the all lot, no dice. shame cos i really want to get the cdsa done
which openvpn do you use? im from australia (yes i know), i have only EU or USA to connect to with academy openvpn
US should have lower ping, and use tcp for your vpn
I use openvpn uk
its been another hour but my ./odat.py all -s 10.129.24.217 still searching for SID instead of possible hash
Why didn't I get a reward after referring my friends, they finished the first module
That is always the line in information technology
Hi everyone! I was wondering if the Intro to Whitebox testing covered dangerous functions in more than just node js
or links to resources to find these dangerous functions
I think im going to get it, but was curious if the scope was just node js or whether it expanded on more languages
looks like a really neat module!
Hello, Currently I am on the exercise "DCSync" I connected into RDP to the first machine and after that I connected to the machine "172.16.5.225" with the SSH protocol. I executed the "secretdump.py" and I extracted the NTDS content. After that on the first machine I executed the command "Get-DomainUser -Identity * | ? {$_.useraccountcontrol -like 'ENCRYPTED_TEXT_PWD_ALLOWED'} |select samaccountname,useraccountcontrol" And get an error as this command not exist.
By the way I continued And tried to execute the command with mimikatz With the user adunn, I used the password begin by Sy..........7
and got this error "ERROR kuhl_m_privilege_simple ; RtlAdjustPrivilege". I not understand if someone can help me thank
Get-DomainUser is a powerview command, you'll need to import that first, or you can use
Get-ADUser -Filter 'userAccountControl -band 128' -Properties userAccountControl
anyone can help me to solved the MODERN WEB EXPLOITATION TECHNIQUES-Skill Assessment last question? I know this website have ssrf exploit, but I test so many all not have successful.
Thanks
Thanks for your help but I not understand I executed on the linux server the command "Get-DomainUser -Identity * | ? {$_.useraccountcontrol -like 'ENCRYPTED_TEXT_PWD_ALLOWED'} |select samaccountname,useraccountcontrol" but inside the file "cat inlanefreight_hashes.ntds.cleartext" But inside in the file I have no content.
May be I forgot something.
Sorry I tried against may be i got a connection issued
thanks
What do you mean you executed on the Linux server ?
Did you run it from your attacking machine?
Hello Thanks for your response. But Finally I identified my error, it's was an error during the command "secretsdump.py" I got lot of time network error but finally i got the password
thanks
now I am on mimikatz
Great.
I tried to execute mimikatz with the new account found may be it's will work
Anyone know how to solve this last question from pass the hash section
Using Julio hash perform pass the hash attack launch powershell console like that a question
you can use Powershell base64 rev shell for that
https://www.revshells.com/
Powershell 3 base64
yup
under Passwd, Shadow & Opasswd section in password attacks do i need to use the mutated list i used in previous sections or the password.list or the rockyou.txt to brute force the hashed password
No use mutated alone no need of rockyou
I am not able to use pwnbox section where can I ask questions about dual boot parrot os htb edition
what IP did you use?
okay, did you open another terminal to catch the connection?
can you share the commands you used?
Yaa
Commands invoke wmiecec target domain username hash then the command the powershell script I got got from revshell .com
the whole command from your screen, maybe a ss
I can't share images in this group that's why I can't share it
you can verify your acc here #welcome

hi, how do i access my file ?
||-----------------------------11747533910843235883379297494
Content-Disposition: form-data; name="uploadFile"; filename="minishell.php\x00.jpg"
Content-Type: application/octet-stream
<?php system($_REQUEST['cmd']); ?>||
i always get this :
How to find the account identifier to put in to identify my account
I can't see the identifier in my htb page
Read #welcome
The Academy has no identifier. You must use the app.hackthebox.com account
for now*
one hell of a module lmao. feels a lot better to complete

How much time it takes to identify us
Instantly
i have other 9 sections, is the Skill Assessment difficult?
the cve sections are just straight up tiring
but its not that bad
its like big terminology
The assessment doesn't deviate from the material but there are some places you need to think out of the box; even that is covered. The thing is you need to kinda trust your intuition
i mean the major recurring theme for the assessment is proper enumeration
alright
1 had one blocker in assessment the answer was staring right in my face and the second assessment was easier for me actually
from everyone that's asked for help: a lot of them were pointed in the right direction by just enumerating better
it covers stuff like nessus and openvas
i recommend it only bc of the tools
it doesnt seem that hard with BloodHound imo
bloodhound doesn't always show the full picture, it's nice to have though
alright
bloohound straight up gives everything. coz the scale of the assessment is small
i dont think it would be the same for the exam then XD
wouldn't be a tough exam if bloodhound trivialized it
kinda scary thing
the modules prep you for the exam ¯_(ツ)_/¯
I did the entire Active Directory twice. this stuff is totally new to me. I spent about a week learning these concepts
and it's not like you can't go back and read the modules again if you get stuck in the exam
if your notes fail you: the direct source of your info isn't a bad fallback plan ¯_(ツ)_/¯
yep if really the path covers close to everything watching the modules while doing the exam should be cool asf
tf, you did the module twice in 1 week?
The exams aren't proctored, right? The FAQ doesn't mention it.
not proctored
if it's not mentioned in the FAQ it's safe to assume it's not proctored
you can also just check the exam pages themselves for the info
yep. I mean i am doing this full time. solid 6-7 hrs a day
That's one of the reasons why I'm leaning towards taking one of the exams one day. Proctored exams suck because they do not replicate real world conditions where I can look up as much info as possible to get the result that I need.
i mean the exams span several days
When I'm at work, nobody is watching to make sure I don't check a man page or Google something.
I don't think that's the point of proctoring:)
^
Yes, they also want to verify identity.
the problem is another one ahahah
proctoring is meant to prevent cheating i.e. using a prohibited tool or asking another person for assistance
Imagine doing cpts or oscp without googling/ notes 
or even pulling up a walkthrough
compTIA exam ahhhh shit
Lmao
The CompTIA exams are pretty easy at least, but Googling for a result also isn't always helpful because they give you four possible answers where 2-3 would work, but they expect you to pick a "best".
mrb3n is the only one who read the report?
no
there's several people that review exams afaik
idk if they assign one person to read your report
but there's at least a small handful of people that review the reports
think that's the same with CEH right?
wouldn't know, haven't taken
HTB exams also don't expire, right?
[laughs in CompTIA] Really though I wish more certs were perpetual. It's annoying to keep up with my CompTIA certs just to keep them on my resume.
Yeah. I just end up getting a higher level cert every 2 years.
i mean most employers don't actually check if your compTIA certs are still active
True, but I don't want to risk it. Some workplaces are very strict. i.e. federal work they require Security+ or equivalent.
this really helped, :/
Hi all, I am working on Module: Advanced XSS and CSRF Exploitation. Section CORS Misconfigurations. Found that /index.php,login.php and profile.php have a CORS misconfiguration. I am trying to send a post request in the following way https://paste.offsec.com/?88db23989b5f8e48#L9VbWpPPFJMdc35K6D9rsDD2U83Vq1qpby8D2yL9EDw= but is not working. Any help will be appreciated.
why someone else nmap is super fast but mine is so slow
Me too.
Are you using PwnBox or your own VM?
100ms is still a bit high. Try to find a server closer to you and if that isn't possible try to eliminate the target-IP and start it again. That's just my guess
Good question. Hope you find a solve!
AHAHAHHA
Try it via the ||HTTP header and the exploit server||
Why is it that even after modifying the LHOST it doesn't change? into module :https://academy.hackthebox.com/module/115/section/1139
Try with setg <lhost>
thx a lot
tried all wordlist but ntg come out
footprinting-hard
nvm everything fixed when i switch server region zzz
Hi folks!
I'm stuck in a XSS phishing exercise, I think I understood the exercise and it's not difficult. However my php server won't listen when I try to test it.
What am I doing wrong? I search the internet and try many things but nothing worked.
Thank you for your time
{!}
[I'm new to hacking, the exercise it's part of cbbh path I'm on "Cross-Site Scripting" module in "phishing" lesson.]
What do you mean, your PHP server is not listening?
Well I do [sudo php -S 0.0.0.0:8080 press enter then I go to the page and try a login with user:test pass:test
And it just don't show any info
However if I turn on foxyproxy it shows so maybe I'm doing something wrong or missing a step
That should be the right one if not there's just the snmp.txt I believe
To test your web server, you should call it up directly.
http://<yourip>:8080
Does this give an entry in the web server log? If so, your web server is running normally. If not, the web server is not running correctly
ya im inside ssh now not sure what to do
I believe history is important
haha thanks for the hint
It gave an entry on server
I've followed 2 different writeups in attempt to figure out where I was wrong... can't find any flaw... but it seemed to me the problem was the comm between site and server
Even if I do port 80 instead of 8080
Now that your web server is obviously running, your attack seems to be faulty. But I can't judge that because I don't know what you did.
i am stuck on footprinting lab hard want to guide someone who completed it
Just ask your question. I'm sure someone will be able to help you.
i find ssl certificate and generate public key according to it but i found public key error
If you find an SSL key, try to use it.
ssh -i file.key user@10.10.10.10
I've done this basically
And I made sure to take my time, read it follow it understand it
try this and show same error
i use id_rsa as a file and target ip as a ip
I even altered some strings in firewall and turn off tracker blockers and stuff
Did you set permissions?
no i could not change it
i think i miss that part
You have the private ssh keys right ?
yes
Now you should be able authentic to the service.
i authentic using those stuff but get an public key error
If you have the ssh key you should be able to ssh to root with that
what was your command?
Are you sure your key is in the correct format?
sometimes it shows invalid format
What command are you doing
^ should include --begin private key-- and --end private key--
And a whitespace at the end afaik
Since this writeup violates the ToS, I am deleting the link
https://help.hackthebox.com/en/articles/5188925-streaming-writeups-walkthrough-guidelines
manually copy paste
Working through the Kerberos module on unconstrained user delegation. One of the steps says to start krbrelayx.py with the compromised user's NT hash, but it doesn't explain how to obtain this hash. secretsdump with the two accounts provided doesn't work, what am i missing here?
Share the command you're using to ssh..
ssh tom@[ip] -i id_rsa
In other words you did not listen
the module doesn't cover this though, did i miss something or am i just expected to know?
Yes I just read about it I'll remember next time
i use root to all commands
It's not your fault. You have not violated the ToS
But I generally recommend that you solve the modules without writeups.
I think I used tom ¯_(ツ)_/¯
oh i will try it as non root user
I'm 99.9% sure I ssh to root
hard lab right ?
Yes
yes
Yup I definitely ssh to root
ssh -i id_rsa root@ip
ok i'll try
tom worked for me @analog dock
Root for me π
well it makes sense since the assessment doesnt end with you rooting the box
you're giving too much away lol
Totally agree however I spent 3 days and can't find the issue here so I study that writeup hoping to find my flaw still nothing though
My bad, thought that was stated in the question
For anyone struggling with this one ("Golden Ticket" module), you need to use "rocky" account 
If you do exactly as described, you should be able to get the flag
that's from Windows Attacks & Defense, not Active Directory Enumeration & Attacks
hey should i make id_rsa.pub file
unless i'm mistaken
No
there was no Golden Ticket section when I did it..
Where exactly did you get the key from?
ok wait
Screenshot the key
I'll try again, thank you for trying 🤩
hey asking root password but i found tom's password
how to add ss to this chat i am noob on discord
Read and follow #welcome
You'll have to verify your acc
on average how much does it take to complete 1/2 tier modules?
^
Wasnt this channel open to send pics either way?
ok
like personal opinion
what exactly do you mean, like time wise or cost wise
My bad, I've encountered the same issue in "Windows Attacks & Defense" and wanted to share it
Too bad @buoyant void didn't tell how the issue was solved...
It shows the avg in the module overview
You must always be verified to post pictures
im buying student plan and all modules i complete get to keep, how much time does the people that do 1 or 2 tier modules need to do it
personal opinion
not time provided in the module
Then what are you asking
ik it differs from person to person but how much does it take for those who did 1 or 2 tier modules
In the end it always depend per person
it takes however long it takes to read through, practice, and do the skills assessments
i can't really provide a time estimate because each module is different
It can take between 4-8 hours
im asking how much time did it took you PERSONALLY to complete 1/2 tier modules
Sometimes more, sometimes less time than specified in the module
Some modules are also quite lengthier than others
Depends on the module
tbh its rush against the student plan lmao
So like I said look at module overview
Why?
alr
all modules you didnt complete get lost
from the student plan
and you get to keep those who you complete
Ok and? Student plan is billed monthly
ye
i just did Intro to Assembly Language and that took me 2 days (what it said on the module)
before that i did Understanding Log Sources & Investigating With Splunk and that took 3 days (module said 8 hours)
Are you saying you want to blitz through a bunch of modules in a month?
Which imo will only hurt your learning
if i could understand faster it would have been better lol
i'm telling you right now DO NOT blitz through the modules
sincerely someone who did just that
was assembly hard(i like it for game mods)
hey how to get my acc identifier
If you're looking to only complete modules in a month, then you're only seeking solutions and not understanding
Read #welcome
moderately difficult
Make an account there and get it from your profile
The account identifier is only on the app.hackthebox.com site
but my prior knowledge of assembly helped
nah, i wanna understand it
but always wonder how many i can do in month, while understanding them

Well cram studying and learning is not good
i change my mail to university mail shows some credential issues when i am logging labs
Trust. The moment you stop using it, you will lose it
it comes down to:
- how much time you have
- your learning speed
- the difficulty of the content in each module
i suck at learning hard and complicated things yk?
Then you're likely not gonna get a lot done in a month
-_-
but it also depends how you define "hard" ¯_(ツ)_/¯
idk, how you define it?
I mean, I'm not gonna sugar coat it bro
you also have to take some time to practice the things you learned so that you don't lose that knowledge
i do that
My definition of hard likely differs from yours. Hard for me means it requires engaging my brain to solve a complex problem
its the one thing im good at, practicing
Make an account there, it's not the same as academy
ok
same
tbh hard and complex are different things tho
something can be very simple but not easy
If something is very simple, it's easy for that person..
the best way you're going to know how much time you should expect to take in a month is to do htb academy for a month
simple != easy
Whatever lol
its just the straightforwardness of a task
I mean you're asking extremely open ended and very much "it depends" type question my guy
Kerberos module - unconstrained user delegation. How did they obtain the NT hash for the sqldev user? It doesn't explain how they got it. For the challenge they provide the password, which i converted with a string to ntlm hash converter online so I was able to complete this, but the module doesn't cover how they did it. did i do it right or did i miss something?
it's $8, try it out, gauge how much you've learned at what pace, and you'll have a real answer
ye, cuz we are all extraordinary
that price doubles bc of my country currency so its more like 16 for me but i will for sure take it in the following days
i can expect the intro to malware analysis module to take a week to complete
no
3 days... 3 days is not enough for my small brain