#modules
Module: Injection Attacks
Section: https://academy.hackthebox.com/module/204/section/2230
Ques: Try to use what you learned in this section to exfiltrate the description attribute of the admin user.
Pls give a hint
I have tried so many ways but even not sure that there is any admin user
guys please some help with this
By examining the logs located in the "C:\Logs\DLLHijack" directory, determine the process responsible for executing a DLL hijacking attack. Enter the process name as your answer. Answer format: _.exe
I have tried searching all the DLLs mentioned, filtered by event ID 7, and still cannot find the file
more than 2 hours now
at the module Windows Privilege Escalation / Print Operators, was somebody able to upload the uamce binary to the target host? i know i don't need it, but i tried to upload something to the host and wasn't able to.. just wondering if it would be possible...
yeah just use a smb share or mount a rdp drive
same as any other file transfers
ok..thanks...then i should improve my upload skills...really a noob at this..
There's a file transfer module
uuuuuhgggg i feel like i did everything
Why is Burp Suite not allowing me to modify anything in the Response section of the repeaters tab
Because it is the response?
^
You generally can't edit the response, only the request
Also this section details how to use intercept to change a response.
It won't generally be in the repeater section
Replace <some element> with <modified element>
I.e. it only changes the clientside/browser view but not the actual response sent by server
Think of using a browser plugin that blocks ads, it detects certain elements on the page identified as ads, and suppresses them
guys help here
if you have any hint
[NTLM RELAY ATTACKS - SKILLS ASSESSMENT]
Hey guys!
Currently working on skill assessment here and got stuck on the last question.
Can I have a nudge?
dm
Hi, I'm doing the Password Attack module, and I have a question about LaZagne.py for Linux. Doesn't having to install the requirements to make it work make it very easy to be detected? I mean, if I were setting up an IDS, the first checks would be on the HTTP requests for tools like Mimikatz or pypykatz, in my opinion. Or is this a common thing for these kinds of tools? Are they already considered persistent intrusion tools?
neither katz sends out http requests afaik, but yes the tools are well known and will get caught by AVs
Can dm me for hints
not the tool itself but the dependencies that they need. LaZagne for Windows is a binary, so it's standalone software. Once I copied it to the target (AV evasion aside) the tool works. Am I not understanding something?
Hello guys
if you're worried about the dependencies getting caught you'll also have to worry about the script itself getting caught. either way you can also pack it into an ELF executable that runs on linux
that's the answer that I was looking for 😅 . That's quite interesting thank you!
pyinstaller can pack the python runtime and dependencies into an elf/exe
Still not able to find the answer to this question By examining the logs located in the "C:\Logs\DLLHijack" directory, determine the process responsible for executing a DLL hijacking attack. Enter the process name as your answer. Answer format: _.exe
followed every single step
please guys help out
so I can prepare the tool on my host, pack it, and then transfer it as a stand-alone one. I didn't know that pyinstaller could do this
you can yes, though for lazagne specifically, there probably isn't much use for it on linux
afaik linux isn't supported anymore
I have seen that the latest linux-related commit on the repo is from 9 months ago, but if it's out of support, which tool would you use to achieve the same task?
linpeas probably, I prefer manual enumeration tho
when you get to the linux PE module they'll teach you more
I'm looking forward to it. Thanks a lot for the explanation
Still having the same issue trying to transfer files for Q7 on AD Attacks And Enum Skills Assessment
Thanks bro, I spent two days using the US VPN.
Maybe someone could help me with this. If I take my exam the weekend where I only have three days left on the subscription, does this mean I cannot obtain the full 10 days for the exam + I miss the retake option? Or am I granted that. I am having a hard time finding this answer
You have an X amount of time to use the subscription, but it’s unclear if the exam also shuts off in the middle of taking it when the subscription ends. I’d imagine there would be some leniency on this, but it’s unclear
I reached out to staol, and he recommended I take it two weeks before the sub ends, which is a recommendation, and not a requirement, I’m not able to find a definitive answer. I’d imagine some leniency on this because if you take the exam the last day you should be afforded the exam time fully along with the retake.
¯\_(ツ)_/¯
I have no idea who staol is, contact support and get a definitive answer, no one here can give you that
That may be the support person that reached out in the support chat
We will see I followed up with him
I’d imagine you get the full time if the exam is triggered the last day but who knows. Some exam makers allow you a limited sub time but a unlimited time to take the exam, which is way fairer
I took the entire time I did half of soc all of bug and now 85% of cpts
¯\_(ツ)_/¯
I tried to do multiple paths within that year and now I’m cutting it close
struggling to find an exploit to gain a shell with this ip
I’d think the voucher is valid to be redeemed within the year. So the last day would give access to one exam. Regardless of how much time you get for the exam
ask your question and someone may help
I got command injection; it's directly output in the HTML page in text format. I need to use it to output the flag.txt content
Hi All, I'm struggling a bit at the beginning of "Credential Hunting in Linux". I couldn't find any vulnerability during the service enumeration. I had some false positives using crackmapexec on smb for the will user.
Therefore, i took the Hint, then tried to ssh with the credential provided but no success, so I tried to bruteforce ssh for the kira user with the provided password list.
Am I missing something? Right now I'm still brute forcing ssh for the will user but I'm not that confident.
any tips?
Module ---> WINDOWS PRIVILEGE ESCALATION
Section ----> Credential Hunting
One question, I found in the directory C:\Users\htb-student\Documents a file that is supposed to contain a password, is it that one or is it another file? Because when I enter it, it tells me that it is incorrect
sorry. Solved
Redact the flag dude
Module?
cuz on the academy module they are exploiting a 6.0 version
while my httpd version i need to exploit is 10.0
msfconsole module
Perhaps then that may not be the goal
Perhaps things may be more blue
nothing else looks exploitable
It's an eternal plague to be blue 😉
Idk what section you're referring to either
But I don't recall IIS being much of anything
im refering to using metasploit framework - meterpreter
cant seem to find a exploit for the ip
The example isn't always what you'll do
Bro it isn't working for me for some reason
Ah, I recommend viewing the webpage on that port. It may be more revealing
Anyone know whats the issue
Weird, try resetting target or changing vpn
Make sure no extra spaces before/after flag
ima try resetting target
Also give it a few minutes before you try interacting
Bro now it worked wtf i didnt change anything
This fkin module lost my mind
marcie how many coffees do u drink a day
why are my nmap scan results showing up like this 'smb protocol negotiation failed' after trying several times
it worked when i reset the target ip
old ip must have been smoked or sm shi
It just means it couldn't negotiate smb2
Aka it couldn't connect and do whatever the script needs to do to get info
Hey
Stuck on Broken Auth, predictable reset token, flag 1. i think i'm doing the script for flag 1 wrong
FYI: MS01 in the AD enum skills assessment is unstable
Cannot access it, valid creds do not work either
Try changing to EU vpn
Also I take it you're trying to access via some pivot
If you don't have a pivot into the network, you can't access it
Has there ever been discounts for the gold annual subscription? thinking of getting it but im still a student so it's a bit expensive for me
Only when it launched
sigh ok
Hi!
I really need help!
I have been stuck with the last flag in "FILE UPLOAD ATTACKS" in Skills Assessment for 3 days now. I have found the code that explains what it does with the file, but even if I try to upload a regular .jpeg file, it doesn't upload correctly (considering that I can't find it in the directory where it is supposed to be later...)
he's a GOAT
Likely the author of the module
what do i do now
It sounds like you're doing something wrong
i rdp
Generally you connect to targets via htb-student
So did you specify the user as htb-student?
yeah
Well it looks like your command is wrong if it's kicking you to a diff user
Also is rdp the intended method of connection
What module and section are you working on
alright
maybe there are certain filters that u need to bypass
now it just times out and wont even let me connect
oh shit nvm
yessirr
but it just shows me a blackscreen
Hit enter
Yes, I understand that because I have completed everything else in the module. I know what is whitelisted, blacklisted, and the content-type.
I have managed to get SVG files through to retrieve the source code.
alright thank you
If enter doesn't work you can try clicking the center left third of the window, there's a button around there.
ill try that as well in a bit
Can anyone help me please?
ask your question and someone may help
I did that...
didn't scroll up..
does anyone know why I am getting the following error while doing the bloodhound module? I am trying to connect from my windows desktop. I get the same error when using CLI and GUI for RDP.
you can reply to your message to make it easier to find
Hi!
I really need help!
I have been stuck with the last flag in "FILE UPLOAD ATTACKS" in Skills Assessment for 3 days now. I have found the code that explains what it does with the file, but even if I try to upload a regular .jpeg file, it doesn't upload correctly (considering that I can't find it in the directory where it is supposed to be later...)
not my message
I was going to send a picture, but I cant for some reason. The error is "Remote Desktop can't connect to the remote computer for one of these reasons: 1. Remote access to the server is not enabled. 2. the remote computer is turned off. 3. remote computer not available on the network"
actually i do know what you're supposed to do here
I am on the VPN, but I cant seem to connect
i can guarantee your file uploads correctly, you just need to figure out where it is and what it's called
Hey everyone. Can someone tell me what is the purpose of the "autoroute" module? In the section it says that it is used to route all the traffic that socks_proxy gets via the meterpreter session. But won't the traffic be passed via the meterpreter session after specifying the forwarded port in the socks_proxy module setup?
Metasploit routing table gets filled in so Metasploit knows how to route traffic through whatever session you have
the code is renaming it with 'ymd'_'test.jpeg'.
if i go to /contact/upload.php/user_feedback_submissions/240521_test.jpeg
it will tell me "only images allowed"
Hi, I am doing the Easy Skills Assessment of "Attacking Common Services" module.
So far I have performed scan and found FTP, RDP, mySQL, HTTP server and HTTPS server.
I tried anonymous login against the FTP server, which is not allowed.
I tried to bruteforce the username and password for FTP service using the username and password list provided in the Resources, not found.
I found CVE-2022-22836 but it also requires authentication
I tried to bruteforce MySQL but my IP got blocked after some time.
Checked it against CVE-2012-2122, but not vulnerable.
I looked at the forum after a while, which suggests something to do with Apache cgi-bin. But I cannot figure out what. I tried directory enumeration against SecLists/Discovery/Web-Content/Apache.fuzz.txt but cannot find much, everything is Forbidden Access.
For "Core FTP HTTPS Server", it looks like there are no default creds.
I am running out of options, any hint would be very helpful.
that message from the server sounds like you need to fix your payload
unless it's a 404 message, i don't remember
I have tried normal pictures like jpeg or png, where i don't even touch the code. But still, can't see it
then you need to figure out the filename
i know which is blacklisted or not. i even made a script that tested different filenames and Character Injection - Before/After Extension
Reenumerate the ports again, seems like you missed a common service that would provide some Fwd action
or someone can help me
good evening, I would like to ask a question about the last two questions of the pivoting and tunneling module, in particular the last two questions
Now, I'm not understanding something, perhaps even very stupid: I found the credentials of the second user, vf, when I use them to connect via rdp on windows, it reopens the same PC on which I pivoted, i.e. mlf , can you tell me, where am I going wrong?
you need to figure out the filename
Are you entering the correct IP ?
you upload a jpeg, and you have ||the code that tells you where the file is uploaded to|| and ||what its filename is||
Dear Friends,
I am stuck at “Password Mutations” challenge.
I followed the instructions and created a mutated password list.
But I am unable to crack the password.
The connection gets lost when I leave the system cracking.
I tried two IPs
172.16.6.35
172.16.5.35
but nothing, can you tell me how to find the right one? or can you tell me what I'm doing wrong?
Those are the same device ip
despite having all this information, why can't you view the image when you browse to it on the web server
Don't attack ssh
Can i PM you?
my loveee
seems like same host on different network
Continue and i will block and stop helping you
Jokes aside, can you tell me where to find the right one?
i can't tell you anything more than this
Do a ping sweep
Attacking ftp
-t 48 performs well with hydra.
Anything higher can drop stuff
i would investigate ||the filename||
Tried 48 and 64 but getting same issue
I think my confusion comes from the lack of understanding of what each of the tools does.
Lets says we have the attack host (A), pivot host (B) and the target host (C).
Using tools in the section, to access host C from A using B as a proxy I would:
- Use meterpreter as a tunnel from B to A (given I started a meterpreter reverse shell)
- Start a socks_proxy module on the meterpreter session to be able to use other tools via the said meterpreter tunnel?
- Use proxychains to route all the local traffic designated to the host B through the tunnel session?
- Use the autoroute module to map out the fastest route from A to host C? (that would be A-B-C) I don't see the point of doing that
I think I'm mostly confused about what each tool does in this scenario. Could you explain to me what the purpose of each of 'em is?
Try changing vpn regions and trying again
Switch vpns to a different region
Thank you
Autoroute doesn't do what you think it does
Thank you will try
Autoroute just adds routes to your ip route table
Just checked. Took like 11 minutes to get the password for me
is this the command?
for /L %i in (1 1 254) do ping 172.16.5.%i -n 1 -w 100 | find "Reply"
I know it will be sent to ||user_feedback_submissions/|| and the code adds yymmdd to the filename ||yymmdd_filename.jpeg|| So then i look in ||/contact/upload.php/user_feedback_submissions/240521_test.jpeg||
U used cloud pwnmachine or own system?
you need to answer this question: #modules message
I don't remember. Wasn't that long ago but i was constantly moving countries. And when i wasn't home i had to use the pwnmachine.
and the nudge i will give you is to look at the filename, and understand what time it is right now
sorry, dont know what section you are referring to or the steps done. was just answering what autoroute does.
Yes and no, make sure you scan the right subnet
172.16.6.x and 172.16.5.x are different networks
How can I locate the entire subnet?
You're doing that with the ping sweep
with autoroute, you set your session and your network(s) you want to add. so you can then pivot
Your command will ping the devices on the 172.16.5.x network, you should also ping the 172.16.6.x network
now i try my friend
Time? Not the date?
socks_proxy module will setup a SOCKS and then you can use proxychains within that meterpreter session
but since you set the autoroute, proxychains should now pivot to that other network
you need to understand what the current time is
Just be patient
You're scanning from 1 -> 254 it takes a minute
from here I deduce that both of them, which end with .35, are not the right ones, right?
The time i get in the response is ||Tue, 21 May 2024 17:08:28 GMT|| which will be ||240524_filename.jpeg||
Thanks for the responses. I'm doing the "Meterpreter Tunneling & Port Forwarding" section of the "Pivoting, Tunneling, and Port Forwarding" module. I think I will play around a bit with those tools first to better understand them because now I struggle to form some valid questions
the only different one that I found is 172.16.5.15, but wasn't this just for mlfay??
hello, i use kali VM for https://academy.hackthebox.com/module/158/section/1426,
ssh -D 9050 ubuntu@10.129.x.x
socks4 127.0.0.1 9050 and also tried socks5 but proxychains and proxychains4 cannot connect, any ideas? thanks
edited: also checked tor.service
Again you might be looking at the wrong interface
If you went from 172.16.5.15 --> 172.16.5.35 and now have a different network you can access, why not check there
there are two interfaces, .5.35 and .6.35, I did the ping sweep on 16.6.$i, and only .6.35 is available, I try to use windows rdp and nothing changes, this is what I'm doing, and I have to tell you that I'm not understanding the message you want to tell me, kindly could you be more clear?
Now I try to do it on powershell
Hey guys i'm at the end of the introduction to windows cli module. I'm doing the skills assessment right now. I'm at user 5 but i have a question about user 4. I have to find the flag.txt with the flag in it. When i use tree /F i receive a loooooot of flag.txt files. All empty (0 bytes). Which command would you advise to find the right flag.txt with more than 0 bytes in that case? Chatgpt gave me this one #forfiles /S /M flag.txt /C "cmd /c if @fsize GTR 1 echo @path"# is there another more simplified command that we learned in the module?
all crashed, damn
Anyone here had done the MODERN WEB EXPLOITATION TECHNIQUES module? I need help with it
What exactly is not working?
@rustic sage based on this image
how do we know that 172.16.5.155 is the domain controller?
@slate zinc
Well I'm at the exploiting xss via websockets section and I really don't understand how I should bypass the firewall. I did try what I found on the OWASP cheat sheet and PayloadsAllTheThings and none of those work
bcs for the final skills i have to connect to the domain controller via ssh, but how can i find it on the host?
idk i just wanted to post, i haven't done that module as well
wait, someone will answer
There is only one additional host in the network
Your PC and a host (DC)
HINT: The admin uses a firewall that prevents you from exfiltrating the cookie directly.
Can anyone give me a suggestion on how to continue please?
Okay thanks, how can i actually confirm that it is the DC?
Scan the host with nmap and see what comes up
Okay i will try it, that's a step further, thanks 🙂
sigh... changing VPNs didn't help either. Hopefully someone can look into this and reset MS01 or whatever.
cause that is NOT supposed to happen
Not exactly what I’m looking for but thanks
Hi, I have had issues yesterday and today with Shells and Payloads, The Live Engagement. Always on the second machine, blog.inlanefreight.local, everything is super slow and the browser takes forever to load the pages, but eventually it does so after 1-5 min per load, and it times out quite often. I tried with EU- and US-VPN-based pwnbox and restarted the target several times; the rest worked well. Are there tricks to solve this? What can help? And where can I report that?
does business academy have some custom modules that are not available for the normal user account?
nmap 172.16.6.1/24
right?
You can send me a PM
In the login bruteforcing skills assessment - service login ... Should it take such a long time? Having to respawn the machine several times and split the wordlist into chunks... Can anyone point me in the right direction
Why 172.16.6.x? Your Screenshot shows 172.16.5.x
U mean dm right?
marcieless said to look into this
and i try
anyone else had this issue where they can ping the target in the module, but cannot RDP into it ?
and in any case with the ping sweep it only finds me 172.16.5.35 and .15 (final) and using them with windows rdp they don't give me anything
172.16.5.255 actually points to a /24 network
I have no idea how you want to get access to the 172.16.6.x network.
I'm getting confused, I no longer understand what I can do to find the right guest
host
Which module and section are you in? Then I can take a look at my notes
I tried ping sweep from windows terminal and , found nothing on 172.16.5.%I, except .15 and .35
last 2 questions of pivoting and tunneling of skills assessment
This one?
Use the information you gathered to pivot to the discovered host. Submit the contents of C:\Flag.txt as the answer.
For your next hop enumerate the networks and then utilize a common remote access solution to pivot. Submit the C:\Flag.txt located on the workstation.
this one
I have the credentials of the user fran, including the password, now when I go to open the windows rdp and enter the ip address as
172.16.5.35 or 172.16.6.35 I get nothing
ip found via ping sweep
you are in the 172.16.5.x/24 Network
You have to connect to ||172.16.5.35||
any1 ?
for the ffuf module, in the third last question for skills assessment, do i need to include the port number in the url
I find myself with Windows Lefay, the same, same interface and same flag
I don't recall how long it took, if I had to guess it would have been 10 minutes. Seems like you're doing something wrong.
Were u fuzzing against a list of usernames generated by username-anarchy or just one username?
I used username-anarchy
i guess it is the wrong user
okay thx
He has to go to the other machine on 172.16.6.x ip
For whatever reason he's not seeing it
User for .5.35 is not vfrank
He must scan the network from machine 5.35, then he will see what he is looking for
Yes
He likely overlooked the successful ping on the other 172.16.6.x ip
As I said, he scans the network from the wrong machine
i love your user and pfp lmaoooo
Snowball 🙂
guys I understood that Frank's IP is 172.16. 6. x, but scanning this IP from the machine .5.35 I'm not finding it!!!!! and I'm asking for help in doing it, I wouldn't ask for help if it weren't for the fact that I'm not understanding how to do it, I would gladly avoid it!!!!
IKKK BRO IS A MENACE
The host is on a low number
rather, could you tell me the correct script to use on the .5.35 machine?
You have the right script (if you adjust it to .6 instead of .5)
||Log in to the machine 5.35.
Then scan the network twice||
After that it's looking for successes, which again, you likely overlooked
@acoustic owl check ur dms plz
i changed mine inspired by you lmaooo
ok
i found it
maybe
ok thanks to all
Bunny and Lee, thanks for your patience, I finally did it
You should be able to do a ping sweep, it's just a one liner. What are you doing to ping all the IPs?
He got it now
Like i said, likely overlooked
And instead of re-evaluating output, complains
it's the lack of experience in the sector, however I stubbornly made it
netstat -a with admin cmd
lmk if im wrong but im confident ik im new
That would be wrong
damn it i really tried 😭
but but i thought arp -a and netstat -a find all the ips on the LAN no?
the arp command just shows cached things
If it's not in the cache, it'll be missed
That depends on the traffic in the network, that's great for passive recon. A for loop and literally the ping program is all you need.
how do i reset the cache? or clear it?
It depends
But that's something you can google
Some GPOs might clear cache on restart
GPO?
Group Policy Object
Group policy objects, part of a windows domain
^
yeah still no clue what that is. is it a VM like pwnbox ?
No
we all been there man
its a long hard journey
Information Security Fundamentals path, go do that @stable bone
on modules?
Yes
im on introduction to networking right now
It's under skill paths in academy
Yeah I just graduated high school and did a ton of coding but I just go into cyber right now and holy moly it’s a lot @_@
i'll write it down
yup yup
_<
The more you read the more the gears click into place
Yeah there’s a lot to read -_-
The paths in academy are in a particular order for a reason
Building out of each other
You don't want to place advanced skills on shaky fundamentals
There's a lot to the basics since the fundamentals cover a lot of space, it gets easier with time.
i managed to solve the next question using the url i found, but its still not accepting it on this question for some reason
I found the answer but idk how, pls help
you found the answer, but you don't know how you found the answer?
me everyday
exactly
ive never read something more relatable 😭
So if someone can give me the right query command it would be nice :p it's with Get-WinEvent
With this command i found all the events, but how can i find the actual name? (Get-WinEvent -FilterHashtable @{LogName='Security' ;ID='4625'})
can someone help me with this, ive completed all the other questions except this one
hi, at this. https://academy.hackthebox.com/module/158/section/1427
are you guys able to transfer files to the windows host? i'm stuck at 0 bytes
You can try with and without the port, but considering the answer is going to be the same for everyone and the box can spawn with a different port (I think), I would imagine you can omit the port.
tried them all i think
I just checked, the hint tells you what to do. replace the port # with the word "PORT"
yeah, that worked, thanks
any clue why i couldn't transfer id_rsa via ftp on the footprinting lab? i can list all files and do everything but after i go: get id_rsa it is 0% all the time
tried filezilla already aswell and still no go
maybe reboot the target
already did, updating kali and guess ill try again, maybe let the lab warm up a bit
crackmapexec supports FTP too
to make it more interesting I can download authorized_keys file and id_rsa.pub from same directory but not id_rsa
permission issue?
id_rsa is going to be super small, you could probably just copy/paste the text inside
can you read the file?
Does bug bounty need a prerequisite like information security in htb?
guys i can't connect to openvpn, any help?
In hack the box?
It would immensely help.
it says this Options error: In [CMD-LINE]:1: Error opening configuration file: /path/to/venge.ovpn
So it helps alot
Can you provide screenshots, of where you're running the command and the command youre running.
i can't post pics
verify your acct real quick.
that's why im sending, but i downloaded the config file from hack the box and did what they said
can I do it using ftp without downloading?
In bug bounty path htb there is programming
my acc is verified by email
For bug bounty programming
yeah, read the file with less or more cant recall which works, it should open the file up in a pager (vim style), you can copy the blob, then type q to exit.
yessir.
he's in an FTP session i don't think he can do all that
There is question
check out #bot-commands on your account on the main platform at app.hacktheb.... go to settings and copy the API token
ty
sadly did not help, wonder if i got some fckd up config on vm or is it on htb side
it sounds like a permission issue, we don't know what module you're on so we can't provide much help. maybe try using another key you found to get authentication as another user who may have permission.
ok it works now
https://academy.hackthebox.com/module/112/section/1078
and already saw solution from htb - should be the way i went 😐
oh footprinting lab, which section
not sure then maybe let support know
i've heard of issues the past few days with US servers, maybe try switching to EU temporarily, or at very least changing regions
more than one way to achieve the desired goal
but in-short everything you need should be able to be sussed out fairly easily
oh wait i misread
yeah US seems to be spawning weirdly
im using EU tho, guess I'll give it 1 more go on pwnbox
try another region
wild - worked, ty all 🙂
so it was the vpn? not permissions?
I was just about to say that lmaoooo
if you find the port, you don't even gotta think about the rest of it
yas
well ik, was pretty surprised when i saw that we were supposed to zone transfer and enum
i mean it's one way of sniffing it out
but like I said, multiple ways to skin a goat
and some people did go the full route of digging and setting up the whole /etc/hosts
and like, it's not incorrect to do it that way
im doing the password attacks section Pass the Ticket (PtT) from Linux. im trying to use one of the caches for julio and i tried both, but none of the caches seem to work. i followed along as it said but it's not working, and i restarted and switched to a diff vpn
well one cache seems hella expired
so does the other
seems like it might have spawned weirdly
i restarted it like 3 times T-T it all comes the same
just set the clock back
nope ima just try that one
EU better not let me down
LMAO EU didnt even spawn the cache for julio 💀
Hey, im kind of stuck at the broken auth module, in predictable tokens. i have the script, i want to know how long it takes to give me the admin reset token 😦
hey guys im studying windows fundamentals and just installed a vm in the parrot terminal i am trying to run “xfreerdp” but the command doesn’t exist any solution? sorry if my explanation sucks
you can try installing it apt install xfreerdp
Just a heads up, for the "Active Directory Enumeration & Attacks " module & connected to US VPNs, I've had to contact support regarding 3 different sections that were giving 'connection reset by peer' errors when attempting to connect from internal attack box (not PwnBox or my local machine) to internal DC. After switching to EU VPNs, connection was made immediately. Why did I switch back to US from EU? Well the connection to EU-1 earlier today stopped working, so went to US again before getting on EU-2
It seems like the Windows Labs on US are not spawning entirely too well
yeah probably since late last week maybe? Opened first ticket 3 days ago
I have put in one for NTLM relay module and also for the AD Enumeration and Attacks
not sure whats going on with the boxes, but it makes for a frustrating learning experience
I have a question: is there web programming in hack the box for bug bounty?
Or will the course teach me everything?
posted in #1234357888114364508
if anyone wants to chime in at #1242582527206490285 with modules that you're also experiencing this on feel free
having some issues running odat on my kali linux vm. I keep getting the error saying the directory doesn't exist. I assumed my path was wrong so I double checked but it seems to be correct. Any advice?
What are the prerequisites for bug bounty in htb?
because it seems this is broadly affecting the US academy spawn
I need someone to answer
dude
you've asked this question a dozen times and have already been answered multiple times
it looks like the tool pulls from the cwd; so you'll need to cd to the odat directory and run it from there
I could use some help. I've been doing the skills assessment for pivoting, tunnelling, and port forwarding. When I RDP into the first pivot host, it freezes up, sometimes immediately, other times I'll get a few seconds before it freezes. I haven't found another way to access that box. I've reset the instances, used multiple ways to port forward, used multiple RDP clients, it happens on all of them.
Am I doing something wrong here?
Okay, I'll give that a try then, thanks.
I know the prerequisites for the bug bounty is information security
they may be referring to the CBBH path
not just bug bounty overall
Yeah there is some info in there on CBBH i believe lol
¯\_(ツ)_/¯
either way CBBH is entry level
you can look at a module before you buy it and see the modules it deems as pre-requisite or "Solid understanding" and go from there
https://academy.hackthebox.com/preview/certifications/htb-certified-bug-bounty-hunter/prerequisites
CBBH official prerequisites
Already it covers it
https://www.reddit.com/r/bugbounty/comments/17f9j7t/prerequisite_for_bug_bounty/
@inner geyser I already know, I understand it!!
😍
Now get in information security
after that go to bug bounty after that portswigger
Is easy 😍
you can do things simultaneously
i.e. Learn something in academy, further practice it on portswigger
I know learning after that practice it in PortSwigger
But I have a question, should I know programming for bug bounty or will I learn it
In the path
@inner geyser
you will learn some in the path
you have a habit of asking a lot of questions instead of just doing
I suggest doing then asking
considering you've been asking these types of questions for at least a month now
if not longer
K thanks
worry about taking things one step at a time
the further ahead you try and plan the longer it takes for you to just get started
If I get gold annual sub, will I still have access to completed modules when the sub ends?
What's the difference between silver and gold?
yes
gold annual additionally gives access to tier 3 modules, alongside a voucher for the CWEE (or other future advanced certs)
But I got also silver that after finishing the pentesting and bugbounty I will get a voucher for the exam
Is there a community for Arabic htb?
Silver annual comes with one (1) voucher for the entry tier exams
Ohhh so for just one exam
.
One attempt at CDSA/CBBH/CPTS
Gold adds CWEE to that list
(and any future T3 certs)
We have HTB meetups in arabic iirc
Can u send me link discotd
Discord
try sudo
nah that didn't work either
try socks5
ok
socks4 127.0.0.1 9050 this right?
yea
lemme try on socks5
also > address already in use
lemme try access with http and ill make duration to 100.2
it means that address/port is already in use
so it seems like something is going on there
yeah i got error too
[Error: ENOENT: no such file or directory, open 'socsk4_proxies.txt'] {
errno: -2,
code: 'ENOENT',
syscall: 'open',
path: 'socsk4_proxies.txt'
}
yea I saw this, what I read was that sometimes the ports would stay being used so people recommended restarting VM which didn't work > marcie's comment
Try restarting your whole system
ik it sounds weird, but sometimes, just sometimes it's dumb like that
🤔
alright I'll have to try that, I tried different region, different vpn and those didn't work
Those won't matter for running the tool on your machine
I would also check that no other running services are using it
Kali has a bunch of random junk that runs
ok ill try that as well
It's being used by socks that's it 🤔
I'll restart my pc next then thanks!
is step-by-step solutions worth it? I don't remember that being a thing, is it new?
yeah there was a recent update where they added it for subscriptions
well it's included in the subscription (a specific tier), so i'm going to guess it covers all the modules the subscription unlocks. i don't know if it gives you the solution to modules you purchase outside of that (like if you get a t4 module that's not auto-unlocked in your subscription)
Okay I was only worried about the cpts path modules so I think that would be included
yes i believe all the cpts modules are in there, but i don't have it so i don't know for sure.
i don't think it explains anything either, my understanding is it just kind of shows you commands etc to get to the solution
That might be worth it for when I get stuck
you can also reach out here
That's also true I'll sleep on it
Ok well I tried that and it still doesn't work. I don't know what is going on ggs
for ptt from linux password attack module, Use the LINUX01$ Kerberos ticket to read the flag found in \DC01\linux01. Submit the contents as your response (the flag starts with Us1nG_). am I supposed to find a keytab for a user called linux01? bc i manage to access that share a different way than getting the creds
no
In AD everything is an object. users, groups, computers, printers. so just as a user can have a kerberos ticket, a computer can have a kerberos ticket so the computer itself can authenticate against things. in AD, a computer object is represented by its hostname with a dollar sign after it. so "LINUX01" is the hostname of the computer, and you authenticate against kerberos as LINUX01$ to represent it's not a user but a computer using the dollar sign.
ohh got it, ive got to find a kerberos ticket for the computer LINUX01 then
yup
Hi
how can I use a wordlist to enumerate a user/username in telnet?
im on the smtp part of the footprinting module
try the "resources" section at the top of the table of contents
okay thanks ill try that
what command should I use for the wordlist to enumerate it?
like how do I use it?
the module shows it i think
there are a few ways, telnet is in there, there are built in smtp enumeration tools in kali not sure about parrot.
SSH to 10.129.89.72 with user "htb-student" and password "HTB_@cademy_stdnt!" keeps saying permission denied... i know i am entering the password correctly idk why its not going thru.
which section is it
Evening gents,
Module: Password Attacks > Pass the Ticket (PtT) from Linux
Question: Use the LINUX01$ Kerberos ticket to read the flag found in \DC01\linux01. Submit the contents as your response (the flag starts with Us1nG_).
I have obtained the kerberos file with the hash of the password to LINUX01$. My attempts to crack it with crackstation however have failed. Is there an alternative method I should be using or is this a red herring?
all it shows on the module is use VRFY command in smtp to see if a user exists
damn u found it lol, i think u should try to see if u can import the keytab not sure if it'll work
How exactly would I import it? Is it changing the ENV variable or something else?
well if its a keytab cause i still havent found the kerberos ticket for LINUX01$ but if its a keytab look at the section Impersonating a User with a keytab
linux fundamentals. first step lol i spawned the machine
The section about impersonating talks about grabbing the hash and cracking it to get the plaintext password
which i've already tried :/
The other method is for ccache stuff
no not cracking it
as an example from the section kinit carlos@INLANEFREIGHT.HTB -k -t /opt/specialfiles/carlos.keytab then u can do klist and it should show up as carlos and then u can connect to the share smbclient //dc01/carlos -k -c ls
like i said i could be wrong, have u tried to brute force the ntlm hash u extracted with hashcat?
Tried with the provided password list in the module, the mutated one from the provided rules and rockyou.txt, no dice
well idk man, i havent found the kerberos ticket but i manage to access the share a diff way to get the flag LOL
F
i havent used ligolo-ng at all, i was wondering if anyone that has knows why when i do connect from a computer back to my local computer all the access to the other boxes i had cant connect anymore, i just lose connection to the boxes
like i cant reach the target machine at all once i do use ligolo-ng
you probably have some incorrect configuration
even after i do quit ligolo
yeah prolly i just followed this guide and adjust to my needs ofc https://software-sinner.medium.com/how-to-tunnel-and-pivot-networks-using-ligolo-ng-cf828e59e740
i just needed to set it up and know how to connect back from a windows to my linux and add the ip to pivot
With this one I ran linikatz and found the ticket cache...(location of the ticket wasn't in /tmp directory like the others), then exported it and the rest was similar steps to smbclient like @wanton idol mentioned earlier
i dont wanna use linikatz to find it bc i wanna see if i can find it manually LOL
this is the same guide i used
what VPN are you using?
EU 2
lol oh....that's even the good one
im doing the pass the ticket linux password attack, trying to do the last two questions where u move the kerberos ticket to your local machine and pivot
but i dont wanna do proxychains/chisel i wanna learn how to use ligolo thats why, i figured its a good time to learn it
yeah i prolly broke EU 2 LOL i restarted the target and the machine came out broken LOL
thank you !
Following up on this one, I did find SMTP service running as well for which I managed to get a valid user f***, but I am still not able to get any password. I tried using hydra against smtp, ftp, rdp. for the HTTPS server, I thought of trying to use hydra on the form as well. But upon inspecting the network tab, I don't see any request going to the backend.
@eager ledge Which password file did you use to brute force the services?
The one given in the resources section
Try another common wordlist 🙂
You've found a username, try it again with the other wordlist
It looks like the bruteforce is going to take a lot of time. But thank you for the hint 🙂
It wont
The time it will take is for the entire wordlist, that doesn't necessarily mean it will take that long to find a password
A general question: So, there are so many wordlists that we can find just in the SecLists repo. When performing penetration testing, how do you decide which wordlist to use? Or do you test against all the wordlists?
seclists has it organized into different categories
The most common is probably a good place to start
you wouldn't use a DNS wordlist to brute force passwords
Sure. Let's take the example of Common-Credentials, it has a lot of files in it. So, how do you decide which one you should try?
depends on the service running
and the information you have
i know there are some default passwords lists
there is one for FTP, you could throw that at a running FTP service if you can't do anonymous login
any users that you find, straight to rockyou
you want to enumerate users on an AD network? run kerbrute with names.txt
jsmith.txt would be a better choice
i use crackmapexec instead
Isn't crackmapexec slower than hydra
i meant for AD enum
I am a little behind on AD network attack
@dim wolf Thank you for providing the process on how you would approach the situation
I am using the rockyou.txt with hydra -t 48, its been 30 minutes, but I am still not able to get any password 😦
Which service are you using 48 tasks on?
smtp
That's a lot of tasks to run against SMTP. Keep in mind more authentication attempts to the SMTP service may cause it to not respond since you're overwhelming the service.
For smtp I used -t 16
Reduce the tasks amount and re run the brute force
We had a discussion regarding this a few weeks ago as well. So, you tuned the number of threads that is suitable for SMTP by turning the verbose mode on and seeing if any packets are being dropped?
No, I just ran the standard task set by Hydra
But ideally, you would want to make the process fast right? Previously, I had used -t 64 and it was too much. Apparently -t 48 is a sweet spot for services like ftp. So, how do we determine the sweet spot? By checking if packets are being dropped?
IIRC MarcieLee pointed out it was a "trial and error" situation. I haven't gone that far into testing task count and when it affects the service. I brute forced SMTP with 16 tasks just fine. While that was doing its thing, I was doing other things.
I would reduce the task count and re-run the brute force
It's been 30 minutes again since I started the -t 16. But nothing yet. Why is everything about bruteforcing
Be patient
I am learning web bug hunting
But HTB Labs are all based on penetration testing.
Is there any websites where I can practice web application bug hunting?
1 hour down the line, and nothing. I will start again tomorrow
I know as soon as I send this it'll magically spawn, but having some trouble getting the target to spawn in ACTIVE DIRECTORY ENUMERATION & ATTACKS - Bleeding Edge Vulnerabilities.
Have tried swapping VPN servers and still no dice. Any other suggestions?
Edit: we finally got a launch 😄
Smtp is a slow response service
Try with the mutated wordlist
Not needed for the easy box to brute SMTP
Also yeah, other services are better
can you guys transfer file to windows to get rev shell?
https://academy.hackthebox.com/module/158/section/1427
stuck at 0 byte and time out again
module injection attack
section: pdf generation attack
I have used all types of payload but nothing worked
ngl I went through every single log on this question: "By examining the logs located in the "C:\Logs\DLLHijack" directory, determine the process responsible for executing a DLL hijacking attack. Enter the process name as your answer. Answer format: _.exe" and I am still not able to find the .exe file responsible for the dll hijack, this is WINDOWS EVENT LOGS & FINDING EVIL skills assessment
I am trying the pivoting module, DNS Tunneling with Dnscat2 section. Managed to establish a session and drop into a shell, but I don't get a response when I type any command into 'exec (OFFICEMANAGER) 1>' prompt. Am I missing anything?
Hello. I have a question regarding chisel reverse proxies.
I started a chisel reverse server on my attack host and a client on the pivot host.
On the attack host:
sudo ./chisel server --reverse -v -p 1234 --socks5
On the pivot host:
./chisel client -v 10.10.X.X:1234 R:socks
For example, I want to use proxychains to start a connection to some target host through the pivot host because only it can see the target.
proxychains xfreerdp /v:172.16.X.X /u:Y /p:Z
My question is, how is the data moved through the hosts? How is port 1234 and 1080 used?
That's how I see it:
- proxychains checks its file and moves all the traffic through the port 1080 (given it was edited to do so)
- Socks moves the traffic through the tunnel on the 1080 port.
I don't see where is the port 1234 used really
Did you copy the pre-shared secret to the client command and execute a cmd? Maybe double-check if the IPs are correct
If I copied the secret correctly, I should see 'Session 1 Security: ENCRYPTED AND VERIFIED!
(the security depends on the strength of your pre-shared secret!) ' right?
Yep, is that the case?
Yes, and I can start a window with 'window -i 1', which should give me 'C:\Windows\system32>
exec (OFFICEMANAGER) 1>'?
Yeah, and you don't get feedback with any commands? Did you check the IPs? I would check for any misconfigs on your part and also restart the box to make sure that it isn't a case of some service just acting up on the box
Yeah, no feedback. I'll restart, but slightly confused because if I got the IPs wrong, I cannot even establish the session, right?
Correct, or if by a miracle you pointed to some other existing host by accident - which is highly unlikely. That's why I thought it could be a box problem
hi guys, hope everyone is great! have been on this for hours .. brute forcing ..
Once you access the login page, you are tasked to brute force your way into this page as well. What is the flag hidden inside? here is the question ask
hey , if you want to get an answer specify the module and section and what have you tried
it's hard to help you this way
and i did hydra -l admin -P /usr/share/wordlists/rockyoy.txt -f targetIP -s port http-post-for "/admin_login.php:user=^USER^&pass=^PASS^:F<form name='log-in'". hydra give the password but its not showing the flag
if you got the password the use it to login on the page
login brute forcing Skills Assessment module
change the username
thank you for replying yes i did login on web but its not working i also use burp suite to intercept and nothing also
check the hint
they said use the username , you found earlier
In Citrix Breakout module in Windows Privilege Escalation, do i have to install citrix xenapp to be able to complete it? I followed the steps in the example and get to the point where i downloaded launch.ica but don't know where to go from there
No, you don't need to install "Citrix Xenapp" to be able to complete it
I just did rn , it's working
btw it's http-post-form
not http-post-for
and use the user you found in the previous answer
okay thank you i'm doing that now
I tried again, this time i get this error
the start of the section told you how to connect to it
no need to install anything
look who's here
I understand that, i followed the steps, when i clicked on Default, it says default is currently unavailable
did you read the evasion module ?
rdp to the target, then go to the url given at the start of the module
took a quick look yeah, probably not gonna actually do it tho
it's stuff I already know
you are expert xD
nah but that module is just an intro
Ik , you read about this in CRTO ?
maldev academy
also they're using C#, if I'm actually doing it I'll probably rewrite everything in C
nice
Thank you so much i got it omg lol
Thank you
yw ^^
Hi, I'm trying to crack Will pwd in Passwd, Shadow & Opasswd. I have already used rockyou and mut_password but no good results. Any tips?
Rdp, in. Go to the url, login with the credentials, clicked on default. "Default is currently unavailable....."
I have tried this 3 times now, using pwnbox and my own vm.
try switching vpn servers then
Will try that
You mean you're trying to crack the root password? Will's password was given as far as i remember
root indeed. Sorry my bad
Have you tried with the password.list provided in resources?
And mutate it
yes I was only able to crack sam pwd
Switched my vpn server, now when i clicked default it downloaded launch.ica, but i'm back to where i was before. Where do i go from here? There is no connection to a windows machine or anything on my screen. When i try to open launch.ica there is a pop-up window saying connection to x.x.x.x lost
Well from my notes, i see that i made with password.list and custom.rule my mut_passwordlist. Which worked.
does it connect? iirc that's all you need
thank you so much. I'll try from scratch maybe I skipped some steps
Nothing happens on my browser screen, it downloaded the launch.ica file and that's it
Hi, i have very big problems to resolve this in the Practical Digital Forensics Scenario:
Investigate the USN Journal located at "C:\Users\johndoe\Desktop\kapefiles\ntfs%5C%5C.%5CC%3A$Extend$UsnJrnl%3A$J" to determine how "advanced_ip_scanner.exe" was introduced to the compromised system. Enter the name of the associated process as your answer. Answer format: _.exe
I opened in the timelineexplorer the .csv archive of the USN journal.
I can see the advanced.zip, and the other archives that the opponent extracted from the zip... but i cannot see the flag and i'm super desperate.... i have the perception that the module is not well explained...
or at least find the backup was really easy maybe where left from someone else
Its intended. Find the correct dir since in the default one there is no root hash. This backup was made by a different user. Dont remember which one
there was a .backups dir in Will's home directory. I pick the files there
Yea correct. That file has the hash for the root user
Can anyone try out Windows Privilege Escalation - Citrix Breakout? I'm not sure if it's bugged for me but I've been on this the entire day, couldn't even get on the main task because couldn't get a connection to Citrix. The rdp connection I got is horrendously slow. I'm about running out of hair on my head to pull out
it should open the Citrix thing, won't be in the browser
Thank you so much for your help. As always happen the issue was between the desk and the chair.
Np. Hope you got it
I triple checked. Nothing happened other than the launch ica being downloaded. I've gone thru the reading like a million times now and have solved this box in my head. Wish someone could just gimme the answers and let me move on
Just checked the citrix section on the eu-academy-2 VPN using pwnbox and i’m successfully able to login into the Citrix box without any issues. After downloading the launch.ica file you’ll have to click on it once to open the connection.
However, i do agree RDP is a bit slow there.
yes, yesterday. I guess I didn't see it while cracking and only now I had the idea of checking the hashcat db
--show 
Online? You need to crack the root password with a mutated password list
I think they mean the potfile
I did click on the launch.ica file, it gave me a "connection lost" pop-up window immediately, so i thought i'm not supposed to do that
yeah I guess I'll remember it from now on 😅
Did you wait for few mins after the target spawn?
Usually it's recommended to wait for 5 mins after the spawn but may be try waiting for few more minutes
are you aware of any inter vm network issues for US servers? seen a few cases when things don't work in the US servers but works in the EU servers. all AD modules
well my current running instance have been running for like 15 minutes now, still not working.
try eu2
Yeah will do that. Also want to add that i personally had buggy experience in the past few days and i have been using the US vpns
Yes, there are some changes happening in the backend so i'd recommend to use EU servers for at least a couple of days
ah figures
Trying again with EU servers. Fingers crossed
Okay. It works now using EU server. Felt like i've been gaslighted the entire day lol
Is this a server where you learn to hack?
Yes
Read #welcome to see what the server is about
And follow #rules
If you wanna learn there's HTB Academy
Hi, I am doing the Easy Skills Assessment of "Attacking Common Services" module. I have managed to get a reverse php shell. However, when I type in commands on it, it doesn't respond anything. I am using https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php and I am keeping $shell variable to cmd.exe
Well for webshells it's file.php?[variable]=<commands here>
So this is not a web shell?
Also a lot of times you can just do <?php system($_GET['c']); ?>
That's a reverse shell
For connecting back to your host on a listening port
I cannot execute the commands from this reverse shell. Why?
Because it needs to connect back to your system
You can't execute commands from a revshell in the webpage
It relies on connecting back to you
But I remember doing this before, where I upload a PHP reverse shell and when I open the php file, it connects back to my machine and I am able to execute commands in there.
Yes
You need to configure it to connect to you
Using your tun0 ip and whatever arbitrary port you decide to open
I have configured it, and it connects back:
The simple method is just basic webshell. Less tinkering required
It sounds like that shell isn't properly sending output
But when I try to execute dir command, it doesn't respond anything
So. Try something else
There's more than one shell, more than one method
But like I said, the simplest method, is just a basic webshell
Sure, I will try that
Did you mean laudanum here?
Nope
I just mean this
Literally the most basic of shells
Okay
@next bronze @tribal plinth Just completed Citrix Breakout. Really thanks for the patience and help given to troubleshoot my troubles earlier. Cheers!
catch you using referral
Yes and?
I've already got cubes pending for someone subscribing to annual
¯\_(ツ)_/¯
I am stuck at the skills Assessment of File Upload attacks.
Try to exploit the upload form to read the flag found at the root directory "/". https://academy.hackthebox.com/module/136/section/1310
I have found the source code of php file with XXE attacks and everything in general, but I can't bypass mime type for my payload.
I tried prepending various bytes (like jpg, png) with no success. What am I missing here?
does anyone recommend https://academy.hackthebox.com/module/details/143 ?
It's good for learning base level attacks and tactics
And it's part of the cpts path... so
Module -----> WINDOWS PRIVILEGE ESCALATION
Section ---> Pillaging
Because when I run restic, and put in the correct password that is in the .txt file, I get it as incorrect, I have tried and I have made sure that this is correctly written and it gives an error
That you have to be in E:\restic?
I was typing restic2 and it's restic xd
Silly mistakes
👍
Hey guys is there any software u recommend to check the health of a laptop im gonna buy?
Error
Free users are allowed 1 Pwnbox spawn per day. Get unlimited Pwnbox access by either subscribing for any plan or buying any amount of cubes in Academy's billing page, https://academy.hackthebox.com/billing
why cant i spawn a new instance
yesterday i was doing htb on my pc
but today laptop is this why idk
is it bc i can only use the pwn box for 2 hours a day?
is the work around using parrot or kali sorry im new
Hey, I'm doing the "RDP and SOCKS Tunneling with SocksOverRDP" of the "Pivoting, Tunneling, and Port Forwarding" module.
I have a weird problem that my SocksOverRDP-Plugin.dll file literally disappears after some time without any input from my side. When I transport it from my attack host quickly to the pivot host and try to load it using regsvr32.exe it throws me an error message, most likely because it gets deleted in the loading process
Yes
Disable real-time protection
The "work around" is indeed to use your own device and the provided vpn download
uh,
I was able to finish this module, let me know if yall have questions
Good catch - forgot about that. I had to transfer the zip again to the pivot host and it worked then. Thank you!
Hello, I got a weird problem in https://academy.hackthebox.com/module/147/section/1327 on last question.
I did everything but problem is that flag.txt is empty 😐
I got it but it is empty, any idea? or it cant be fixed or I am just dumb?
Reset lab, use EU vpn
alr I will try
Also, each user is unique - so be aware of that
yes, thx I got it after making a mistake, appreciate the help.
Hi, about the "Glee with KLEE" page in the binary fuzzing module, the second question asks for the 2nd vulnerability found by klee, but for me klee finds only one (memory error: null page access), which makes sense, and it is not accepted as the solution. Am I missing something ?
module- shells and payloads, I've adjusted the content type to image/gif, forwarded the request, and disabled the Burp interceptor, but the new vendor isn't getting added.
Hi boys can someone explain what is wrong with my request?
Get-WinEvent -FilterHashtable @{Path=*'; ID=7} | Select-Object TimeCreated, ID, ProviderName, LevelDisplayName, Message | Where-Object {$_Message -match Signed: false'} | ForEach-Object {Write-Host $_Message `n}
Get-WinEvent : The parameter is incorrect
At line:1 char:1
- Get-WinEvent -FilterHashtable @{Path=‘*’; ID=7} | Select-Object TimeC ...
-
+ CategoryInfo : NotSpecified: (:) [Get-WinEvent], EventLogException + FullyQualifiedErrorId : System.Diagnostics.Eventing.Reader.EventLogException,Microsoft.PowerShell.Commands.GetWi nEventCommand
vendor name cannot be empty
Vendor name is a mandatory field.
Looks like your parameter for get-winevent is wrong
How can i write it correctly
if the module/section doesn't provide you an accurate example ¯\_(ツ)_/¯
Fck 
Sysmon Event ID 7 is Image Loaded
This is sysmon event id
it looks like you're using backticks for quotes
Dll hijack
This too
also called the grave key
Grave deez nuts
bro got got
@fathom pendant @pale tinsel thank you guys, i wasn't really paying attention to that
Hi guys, need help in
Firewall and IDS/IPS Evasion - Hard Lab
I have tried -p- using the source port 53 and RND:10 as well but the scan is just taking so long and the VPN just keeps disconnecting every few mins
what is the VPN btw im so confused by it? do you have to pay to get more of it?
Nope, free
Try changing vpn regions
US is a bit of a mess atm
for a company that probably makes a decent amount. their academy boxes are so shitty
But am I gg in the right path? I have been stuck for days haha!
i still cant get the flag from Attacking Domain Trusts - Cross-Forest Trust Abuse - from Linux
I will retweet this a million times
You don't need to overcomplicate the scan
Source-port is the right direction
still stuck on
Change to EU server
Is it my VPN issue? How to get the port ***** in the 1st place? Will the -p- ever work in these labs
I SHOULD NOT have to swap to eu to make their windows boxes work
They're working on fixing up the US servers given the high amount of issues recently
Dude, it's negligible ping diff
You act like I'm telling you to spend $300
i understand...but if the US servers dont work then why have them at this point?
-p- will work
It's a recent issue
Which happens on occasion
This doesn't work on EU as well ah damn
Staff said earlier, in the meantime try another region
--disable-arp-ping -Pn -n need to be added
I suggest looking at the sample command in the spoofing subsection of the IDS/IPS evasion section
If you generate a high number of events, you get blocked out from interacting for like 10 minutes
(Just reset target)
I understand this part but I don't understand why we need to specify the actual port (5 digits) instead of using -p- to get the results
You can find it with -p-
It just takes a bit of time
You can probably add -T4 to make the scan a bit more aggressive
Alright I'll give it a try thanks Lee! Let's hope it works
But literally replace -pN with -p- from that should work
Connect to the target and perform a Kerberoasting attack.
how exactly do I connect to the target?
is it via rdp?
Windows Attacks & Defense?
yes
it's via RDP
Heya,
Currently on Password Attacks > Protected Files
I have managed to get id_rsa onto my pwnbox but im having trouble getting john to play with it. Attempting to use ssh2john per the modules text gives me the following result
Use together u mean?
oky and after that, what the step that follows? I have to open Rubeus in the VM?
follow the steps shown in the module
No
-pN (N stands for Number) scans for a specific port
-p- scans all ports
TY!
that fixed it
Or install python2.7
And use ssh2john with 2.7
I believe there's also a tool or something 2to3
python2.7 is installed on my host
Yeah so you'd have to specify python2.7 python2-7script.py [args]
Running a python script will default to whatever your default pyenv is
Which is generally the highest version
I didn't invite you to dm @strange trout , I also will always tell you to try first before asking
The learning process module is so bad lmao
¯\_(ツ)_/¯
i found it to be worthwhile
Apologies on that! I didn't realise invites were needed!! Is it a normal standard for this channel ? Sorry I'm new
Yeah I found out that 37.7 - 1 is 36.7 😭 @dim wolf
oky
Hello there guys i have a problem that doesn't have to do with this server can someone help me? It has to do with an account on steam which someone stole from me
Can someone help me out ?
there's definitely more to it than just that one question
Read #rules
No
If you fell for a steam scam contact steam support
But alot is made up bs, like that calculation. If I do 1% more everyday it doesn't magically multiply to 36. It's still 1% more even in eternity
i don't have access to the module rn so i can't comment further
Roger that! 🤝
When trying to run Rubeus on the VM it simply closes after trying to run it, any resolution to this?
followed what the module stated
can you show the command output
xfreerdp /u:eagle\bob /p:Slavi123 /v:TARGET_IP /dynamic-resolution this is the command I used to open up the vm
unless im opening it up through the wrong platform?
can you not connect via RDP?
which module are u doing @daring totem
The technical stuff is ridiculously good though, so I'm also quiet now 😂
windows attack & defence
you should be able to run Rubeus without the window closing.
@daring totem i didnt do the module but based on what it says u got the username wrong
xfreerdp /u:bob /p:Slavi123 /v:TARGET_IP /dynamic-resolution
try that instead
pretty sure you need to specify the domain
it doesnt specify which domain
it does
the domain is EAGLE, and the module tells you this beforehand
you do NOT need to put the domain to connect RDP
ok good then
ill give it a try
xfreerdp /u:bob /p:Slavi123 /v:TARGET_IP /dynamic-resolution /cert-ignore try this instead @daring totem
So I have a question that's slightly out of Academy, but like still educational
lol
not the menu bar overlap
xfreerdp /v:10.129.201.241 /u:bob /p:Slavi123 /dynamic-resolution /cert:ignore
im glad we were able to help
your works its just acting up or something super weird
both of yalls to be honest
idk why it acts up
are u using US vpn by any chance?
change it to EU 2 vpn
US vpn is acting up lately and is getting fixed
so change it to EU 2 vpn and that should fix the problem for connection issues
im struggling to understand converting binary to IPv4/IPv6 addresses and Subnet masks, can someone please explain like I am four years old?
then run the command i told u and u should be connected
oh oky thanks for the heads up
if im not misunderstanding the module the next steps as follows should be opening up rubeus and executing said command stated in the module right? or is there a step I am missing before that?
the VM doesnt close its the actual rubeus application that closes after trying to open it
oooh
get comfortable with command line
open up powershell or cmd.exe and then do the command. If you are still having trouble, may want to take a look at HTB academy module I think Intro to Command Line
thank you