#modules

this is definitely one I just googled and found answers for

one forum post i found particularly helpful also broke down the command

or just bruteforce the answer manually 😂

for i in range(1, 100):
  print(f"trying {i}")
  input(i)
  print("cry")

(yes ik that's not how input() works)

basically the intended way to solve it is with curl. And noticing that any reference to https://inlanefreight.com/whatever occcurs ||either within a src attribute (src='inlanefreight.com'/whatever) or an href attribute (href="inlanefreight.com/watever ). So basically it always occurs immediately after a single quote or double quote.So from there, we use tr to replace the ' and " with new line characters, and its much clearer to see. ||

its a pretty difficult question particularly if someone is truly brand new to linux

yeah it's just many people would be mind flooded, considering most of everything else was done from the context of the device

well not just linux, HTML as well

because if you don't know how html src/href works... oof

yea its a tough question for sure

so while I may mostly disagree with it's inclusion, I can understand it's importance

i havent tested it, but we could maybe right click -> view source code, copy/paste into ChatGPT and ask how many unique paths exist

would be funny

I see…
The hard part is knowing what question to ask…

it gets damn close

imo , yes

also , even being able to properly identify what the problem is , or the scope of the problem

after nudging a bit, it gets the answer

For example, i used to teach. And i had a student tell me his "virtual box wasnt detecting VM's". So i have him share his screen to show me. He has windows file explorer open, and he is double clickon on an emtpy directory. The directory happened to have the same name as a virtual machine he at one point had installed.

So the situation is, student is unable to recognize a directory in file explorer with size of 0kb

and him thinking its a virtualm machine

i wouldnt have the patience to handle that

you're not alone. I have a good friend who teaches, and spends mentoring sessions with students who dont know what a zip file is

“LEARN TO HACK”, they said… 👨🏽‍💻

“IT’LL BE FUN”, they said… 🥳

                  🫠😵‍💫🤬😖

i dont think anyone says that...

@west canopy getting chatGPT to provide code on how to get the answer, seems to be a painful process in and of itself

it keeps getting me ||16 or 19|| results

for Linux Fundamentals?

yeah i got bored

chatGPT has been running like dog sh*t for me lately though

after asking it how many and nudging a bit, it got to the right answer

today seems better

but last two weeks it would always crash

or take forever

but asking it to provide a command to do so seems to be a struggle

hi guys is it worth getting sec+ after getting oscp or cpts?
\

if you live in United States, i believe any Department of Defense job requires it

just realized this might be the wrong spot. ill move my question

I would say no. Sec+ is really only there for HR. I'd only get it if my employer paid for it or something.

Sec+ CompTIA is really only there for HR

Yeah. I do think sec+ has some value though. But he specifically asked after getting OSCP or CPTS. OSCP/CPTS is way above sec+ level

https://pauljerimy.com/security-certification-roadmap/

CompTIA is more about broad knowledge rather than specializing

maybe an error in your fib.s file?

Copied the example straight from the lesson

global  _start

section .text
_start:
    xor rax, rax    ; initialize rax to 0
    xor rbx, rbx    ; initialize rbx to 0
    inc rbx         ; increment rbx to 1
loopFib:
    add rax, rbx    ; get the next number
    xchg rax, rbx   ; swap values
    cmp rbx, 10        ; do rbx - 10
    js loopFib        ; jump if result is <0

it still segfaulting. maybe i am missing a flag

can you link me the section?

https://academy.hackthebox.com/module/85/section/893

it gets a segfault even on the copied code. not sure why

i have ran this before i believe

hi just got back to HTB after a hectic week. how am I supposed to get the file.txt file with wget? I have the ip address of a server but its not giving it to me even when I specify the port

we would need a lot more information. wget will just download whatever file you point the url argument to

yea, its intended . We are meant to run the program in the debugger. Running the actual binary results in a segfault

┌─[us-academy-2]─[10.10.14.27]─[htb-ac-605555@htb-9yvrucwdzj]─[~]
└──╼ [★]$ sudo ftp 10.129.201.55
Connected to 10.129.201.55.
220-FileZilla Server version 0.9.41 beta
220-written by Tim Kosse (Tim.Kosse@gmx.de)
220 Please visit http://sourceforge.net/projects/filezilla/
Name (10.129.201.55:root): 
331 Password required for root
Password:
530 Login or password incorrect!
Login failed.
Remote system type is UNIX.
ftp> ls
530 Please log in with USER and PASS first.
ftp: bind: Address already in use
ftp> dir
530 Please log in with USER and PASS first.
ftp> login
?Invalid command
ftp> user ^C
ftp> quit
221 Goodbye
┌─[us-academy-2]─[10.10.14.27]─[htb-ac-605555@htb-9yvrucwdzj]─[~]
└──╼ [★]$ sudo python3 -m pyftpdlib -i 10.129.201.55
Traceback (most recent call last):
  File "/usr/lib/python3.9/runpy.py", line 197, in _run_module_as_main
    return _run_code(code, main_globals, None,
  File "/usr/lib/python3.9/runpy.py", line 87, in _run_code
    exec(code, run_globals)
  File "/usr/local/lib/python3.9/dist-packages/pyftpdlib/__main__.py", line 122, in <module>
    main()
  File "/usr/local/lib/python3.9/dist-packages/pyftpdlib/__main__.py", line 112, in main
    ftpd = FTPServer((options.interface, options.port), FTPHandler)
  File "/usr/local/lib/python3.9/dist-packages/pyftpdlib/servers.py", line 118, in __init__
    self.bind_af_unspecified(address_or_socket)
  File "/usr/local/lib/python3.9/dist-packages/pyftpdlib/ioloop.py", line 1018, in bind_af_unspecified
    raise socket.error(err)
OSError: [Errno 99] Cannot assign requested address
┌─[us-academy-2]─[10.10.14.27]─[htb-ac-605555@htb-9yvrucwdzj]─[~]
└──╼ [★]$ sudo python3 -m pyftpdlib --port 21 -i 10.129.201.55

it won't let me log into IP

need to download file

ohhhhh. i guess i am remembering something from earlier in the lesson. thanks for taking the time

in ftp you'd just type 'get' or 'mget'

it helps if you provide the section you're working on

I'm on Windows file transfer methods in file transfers section. Its been a hectic few days since I have done HTB Academy challenges.

this is for question 1 of the section

yes, we need to install the GNU debugger:

└──╼ [★]$ wget -O ~/.gdbinit-gef.py -q https://gef.blah.cat/py
┌─[us-academy-1]─[10.10.15.99]─[htb-ac-594497@htb-otawaupxfj]─[~]
└──╼ [★]$ echo source ~/.gdbinit-gef.py >> ~/.gdbinit

and then use it to analyze whats happening with fib

download the file flag.txt from the webroot of the target server

wget http://ip/file

I did that

let me try again it didn't work first time

didn't work this time either

you were trying to connect via FTP, if it's on the webroot of the server i'd imagine it's http

^

you can get better help if you provide the actual error you're getting beyond "it doesn't work"

ftp might be open

┌─[us-academy-2]─[10.10.14.27]─[htb-ac-605555@htb-9yvrucwdzj]─[~]
└──╼ [★]$ wget http://10.129.201.55/file
--2024-05-26 02:49:30-- http://10.129.201.55/file
Connecting to 10.129.201.55:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2024-05-26 02:49:30 ERROR 404: Not Found.

┌─[us-academy-2]─[10.10.14.27]─[htb-ac-605555@htb-9yvrucwdzj]─[~]
└──╼ [★]$ wget https://10.129.201.55/file
--2024-05-26 02:50:01-- https://10.129.201.55/file
Connecting to 10.129.201.55:443... connected.
ERROR: The certificate of ‘10.129.201.55’ is not trusted.
ERROR: The certificate of ‘10.129.201.55’ doesn't have a known issuer.
ERROR: The certificate of ‘10.129.201.55’ has expired.
The certificate has expired
The certificate's owner does not match hostname ‘10.129.201.55’

brother

file is a placeholder

do you know what a 404 error is?

hold on

not found error

replace <file> with the actual file you want to download

correct, so it can't find the file 'file'

wait I thought it was file.txt

so the command is actually working, and the server says the file doesn't exist

no

I misread its flag.txt

well that's not what you showed us with your command

and even still

you would need to specify the extension

for all you know there could be file.png, file.jpeg, file.webp

the server doesn't know what file you want (unless the file itself doesn't have an extension)

it says its a text file but when I do this it won't work either:

┌─[us-academy-2]─[10.10.14.27]─[htb-ac-605555@htb-9yvrucwdzj]─[~]
└──╼ [★]$ wget https://10.129.201.55/flag.txt
--2024-05-26 02:51:32--  https://10.129.201.55/flag.txt
Connecting to 10.129.201.55:443... connected.
ERROR: The certificate of ‘10.129.201.55’ is not trusted.
ERROR: The certificate of ‘10.129.201.55’ doesn't have a known issuer.
ERROR: The certificate of ‘10.129.201.55’ has expired.
The certificate has expired
The certificate's owner does not match hostname ‘10.129.201.55’

http not https

ok it worked got it

👍

now read the instructions above q2 carefully

ok got it

agreed. had kind of a brain fart because spent entire day at this hacker conerence

xfreerdp has the /drive: option, alongside smbserver being an option

in other words many ways to perform the action

real hackers transfer via netcat

i mean

that IS an option

my favorite: Convert the file to a base64 encoded environment variable in powershell , then use an HTTP POST to blast it like a cannonball to a netcat listener . Then decode.

plenty of ways to crack an egg

haha. my favorite is putting the file on a usb stick and moving it over

brb driving out to the datacenter to plug in my USB

the problem is depending on the size of the file , its all stored in memory so good chance u will just crash your powershell instance

magic wormhole

since it's base64 could probably just break it up into several chunks

porque why

ahh right

manually frame and segment it

true Network Engineer

xfreerdp /drive: is the the cleanest though

Never underestimate the bandwidth of a station wagon full of tapes hurtling down the highway.

floppy disk tower

lmao just reminded me of that "Dont copy that floppy" rap video

you wouldnt download a car...

i mean...if i could, ya. probably...

with the advent of mobile printers

I feel like spawn targets are getting harder lately

AD enumeration and attacks have been ridiculous to spawn today

ive had issues with them lately. specifically services just failing to start and i have to respawn

the AD modules always take longer because it's a bigger environment to boot up

except 30% of the time it's supposed to give you a linux box to ssh to, somehow a windows box appears

It took me 10 minutes and several tries to successfully spawn every target

the password attacks module was incredibly annoying because i kept spinning my wheels over targets that were unsolvable. i really wish there was a verification function you could do from the UI to check the target functionality before you just waste your time

https://tenor.com/view/crying-happy-but-sad-face-gif-19422780

the password attack module was fun

So much fun

The module doesn't explain the end of this command, what is the {} ; for?

It's the Linux Privesc Capabilites Section

{} is a placeholder that gets replaced by each file found from the find command

it acts as a place holder for the -exec to run getcap on each file, the ; is to ensure the shell terminates the commands correctly

Okay, thank you

hello i am doing LINUX PRIVILEGE ESCALATION Logrotate but the logrotate.conf file is missing on the server.

htb-student@ubuntu:~$ cat /etc/logrotate.conf
cat: /etc/logrotate.conf: No such file or directory

anybody dit this module ?

In the Cron Job Abuse section of Linux Privesc, what is this command even doing?!?!

They don't really explain it!

use ChatGPT 3.5 for explanations

find /: Start searching from the root directory.
-path /proc -prune -o: Exclude the /proc directory from the search. The -prune option is used to skip the specified directory, and the -o (or) ensures the search continues for other conditions.
-type f: Only find files (not directories).
-perm -o+w: Look for files that have the world-writable permission set.
2>/dev/null: Redirect any error messages (such as permission denied errors) to /dev/null to avoid cluttering the output.

Thank you!

no problem my bro

we are doing the same modules

When you come to Logrotate the .conf file is missing on the system

Thanks for the heads up!

Also I just pulled up ChatGPT, getting tired of explainshell.com anyway.

Good

is there any native way to execute shellcode from powershell?

yes

how do you do it?

you'd need to write a script for it

or just use powersploit's cmdlet

whats the cmdlet

Invoke-Shellcode

In Module NETWORK ENUMERATION WITH NMAP, Firewall and IDS/IPS Evasion - Easy Lab, is it referring to SMB service? Because I tried, but it didn't work as I thought

I tried nmap 10.129.142.149 --script smb-os-discovery.nse -sV, and got the result:

Mainly the header from the Apache server
You may use -sVC to run default scripts for identified services

Yeah I used it first. But I didn't see any certain service to confirm which OS. Maybe if I based on the header of port 80, I can guess the OS. But I wanna learn the service can give me the OS certainly as the hint said.

ok guys how do u do this?

Windows Evasion Module - is my code correct? keep getting errors when running

the shellcode works, tested it with a shellcode loader

the reason i ask is that i see these SNIP headings, does that mean i need to include the actual encrypted payload in those locations? (I assumed it meant copy from 'here' to 'here')

The solution in the Logrotate privesc section makes no sense! Nothing to do with the module. Why are we editing an access.log file, I thought we were supposed to make our own payload?

Should be a reverse shell too. What is going on here?!

There is no config file, how is this supposed to even work?

You can DM me about the module if you still need help, but you probably want to remove your screenshot of the actual module.

Tried to dm, wouldn't let me

no idea how it is done in the walkthrough. But to trigger the Logrotate function, a log file must be rotated. This is done when a logfile reaches a certain size or exceeds a certain number of entries.
Therefore you must write in the log file

I did it verbatim from the "show solution" when the methodology in the module didn't work. Still did not work

I've reset the machine multiple times and for some reason my erratum post is not going through

As I said, I don't know what's in the walkthrough. I don't have access to it. But with the explanations in the module and an understanding of exactly what Logrotate does, it is possible to accomplish this task.

What doesn't work is a 1:1 copy of the module. You have to think outside the box.

I've reset multiple times and it is still not working

It shows rotation, but I don't get the flag in my home directory

But no flag where it's supposed to be

For some reason it's creating a "backups2" folder temporarily instead of overwriting the file in the "backups" folder.

That's what logrotate does. However, your payload is probably not correct.

The payload is straight from the "Show Solution" section, because the one in the module was a different methodology

I'm telling you there's an issue

Are you deleting my erratum post?

I would like to get this addressed

No, I haven't deleted anything.

Reach out to support if you suspect that there is an issue with the target

How do I do that?

The conf file you are looking for is not necessary

https://help.hackthebox.com/en/articles/5986762-contacting-htb-support

So why would the VERBATIM instructions from the solution not work?!

Yeah, someone is deleting it each time, sorry thought it was you since you kept responding right when it happened.

Again, if you believe there is something wrong with the target you can reach out to support

The exercise is solvable without knowing the contents of the configuration file

It's not just the configuration file, I'm using exactly what the walkthrough solution shows and it is still not behaving as it should

I have reset the machine twice just to be sure and started from scratch

If that's the case again reach out to support

The task intentionally does not make the config file available. With the knowledge from the module on how Logrotate works, you will be able to find out for yourself how Logrotate is configured on the system

To trigger the log rotation you can also SSH into the target in a separate terminal window/tab

Says nothing about that in the solution

Or the section contents

And this doesn't mean you cannot try that

I let it sit for ~10 min and the flag appeared somehow

I knew something was off

I'm going to take the above interaction as a case study in how not to ask for support because bleh it must suck being written to like that all day every day. I apologize for when I've written this way myself. 🤦‍♀️

anyone knows about apparmor ? i created the simplest profile but im getting a parser error

hello

Hello I want to ask question 2 of https://academy.hackthebox.com/module/115/section/1103, the answer is not 7.2.1?

I tried, but it didn't seem to work

Read the Question again 😉

Thanks ( 🙏 'n *), is the PSedition

hey guys, if anyone here has completed the secure coding 101 module i would gladly accept some help for the skill assessment question 2, i'm really wrapping my head around this one, any help would be appreciated

having trouble with a target not being up. have refreshed target 3 times nmap still says target is not up

I have to use -Pn to get a scan

Hello everyone! greetings from Belgium

hlo i have a question in The Live Engagement if anyone can solve my dought

anyone working in the linux priv esc? I

Which one? They are a lot iirc

Not specific but one thing like when i scan the ips i find 4 ip out of which 3 ips are of host but the other one is for what ?

Again which module? There many live engagments?

Shells and Payloads -----> CPTS module

Shells n payload right.
3 machines with already given IP are the machines you attack. The one target you spawn is used as a footprint machine from which you attack other machines

ya but when i try to gain rev shell by upload functionality adn the ip which i am using is the foothold ip but i cant get the shelll

here i want to know about the highlited ip

when i do ifconfig this ip is also there like i cant understand this

dual interface, one is the 10.x.x.x network, the other is 172.x.x.x network

in the live engagement section

Keep in mind that the Foothold host has access to the Internal inlanefreight network (172.16.1.0/23 network) so you may want to pay careful attention to the IP address you pick when starting your listeners.

yes and 1 also for docker

Thats your IP from the foothold machine?! How does your rev shell look like?

yes i gotit like i am confused in those two ip's

Actually i am adding that 10.x.x.x. ip for rev shell

Yea no. Add the 172 since its on the same network

.this

gotit and other thing like the rdp session is very unstable is there any way to perform all that in my machine ? like using port forwarding?

I agree its unstable/ slow
Well yea you could port forward if you know how to. But it will teach you that in later modules.

If its really unstable, some other VPN regions could perform better

i will try after solving the challenge

ya US server is busy nowadays

You only missing the third machine?

naah i just start doing the challenge

In the host 1 challenge i simply created a shell.war and put the 172.x.x.5 ip and upload it and deploy but i am not getting a shell

any reason??

Sorry was cooking food. Whats your command look like?

did you use the right LHOST and port?

Are you visiting the file in the browser?

why i deployed it and reload

visit the shell in the webroot

click on it

and it should connect

You need to visit the shell aswell to execute it

a god !

Web server wont load stuff without anyone clicking on it

^

like a php-shell

^

Thank you

also don't forget to check the desktop of the jump host for the credentials needed

(for other parts as well)

okay

Hello i was doing the Pivoting, Tunneling, and Port Forwarding skill assessment and got stuck in part where we had to priv-esc on a windows host, i know that because i got stuck and checked the walkthrough and it used many windows priv-esc techniques. The module did not say anything about windows priv-esc, nor i had done any windows priv esc modules before, im doing the CPTS penetrartion tester path in the reccomended order, but im missin out on something , what do i do? Do some windows priv-esc module before continuing this one?

for now run winpeas

have a look at Password Attacks again

Will do, kinda rushed this one

what's this?

music app

sus

very sus

GONE. obliterated.

https://tenor.com/view/thanos-gone-reduced-to-atoms-end-game-infinity-war-gif-15573921

?

1. it's irrelevant to this channel 2) sus random link

hence why a mod deleted it

i suggest also reading #rules and #welcome to see how to access more of this server, and what this server is about

is a nmap supposed to take over 5min?

taking so long

generally no

oh did i do something wrong?

especially since it's crawling

it's likely a network thing; try adding -sT in your command as it forces it to do the TCP scan

instead of a SYN scan

ahh okay got it thank you 👍

or alternatively -T4 to have it be more aggressive

this is due to timeouts and nmap automatically adjusting timeouts and retries when not specified

yup just added -T4 alot quicker now

appericate the help

Challenge for you guys: split the network 10.200.20.0/27 into 4 subnets and submit the network address of the 3rd and 2nd subnet as the answer

we're not doing the intro to networking question for you

???? HOW DID YK

BECAUSE I WAS JUST HELPING YOU WITH IT YESTERDAY??? HELLOOOO???

I AM STILL STUCK ON THIS THING

it was someone else your memory is fried

no.. it's not

yahuh

LMAO because I even went through the effort of doing it myself

and offering you a secondary challenge

after you finish this

i cant even get through the first one 😭

you gooner

alright

you lil silly goose you

https://tenor.com/view/hysterical-hudson-brothers-chalk-board-scribble-gif-15784999

You tell em MarciePedia

so, we know that cidr notation is a representation of bits from left --> right correct?

how do you have a crab?

that's a spider dawg

yeah

Because I have claws 🦞

anyway

same thing theyre cousins

ANYWAY

RAWR

to divide a number by four you are dividing by 2^2 which would be 2 bits; you just add that many to your cidr

yeah so /27 would be 3 bits cuz 4 bits would just make it /28

if you're task with adding x subnets you do the nearest power of 2, even if that means going over

?

27 + 2 = 28?

nooo

break down how you got /28?

because that's just splitting it in half

every division by 2 you move to the right (or add one bit to the mask)

28/2 = 14

WRONG

take a step back for a moment

we aren't dividing any pure numbers here

/27 is a representation of the subnet

if we are splitting it in 4 we need to add 2 bits (2^2) = 4

yeah so 8 bits in /27, right?

?

no

one bit to the right is 2^1, two is 2^2...

3 is 2^3

/28 would be if we were only dividing by 2

yes

since we ONLY need to dived by 4; we only need to move two bits to the right

and add that many to cidr

OHHH

so it would be /27 + 4

each WRONG

we are adding the POWER

not the result

total 32 bits out of which /27 Network bits and 32 - 27 = 5 host bits means total usabble host per subnet is 30

let's not confuse

that was so much easier

yes but that doesn't generally answer your question

i'm teaching you the shortcut, then explaining how you arrive at the answer

i thought it would be easier

so the range is 0-30

1-30 for usable hosts

serach tomnomnom in yt here he explains in good way

you can't assign the network address

but anyway

there is some actual math to arrive at some answers too btw

pfft math aint got nothin on me

Borrowed bits
When you add bits to a classful mask, the bits added are referred to as “borrowed bits” the number of borrowed bits used determines how many subnets are created and the number of usable hosts per subnet
Calculating the number of created Subnets
Number of created subnets = 2^s; s is the number of borrowed bits
192.168.1.0 /28
2^4 = 16
Calculating Number of available hosts
2^h - 2
192.168.1.0 /28 → 32-28 = 4 → 2^4 - 2 = 14

Meaning each of the 16 subnets has 14 usable IPs
172.20.0.0 /16, 47 subnets with max hosts/subnet → /22 ; 32 - 22 = 10; 2^10 - 2 = 1022
172.20.0.0 /16, 100 hosts per subnet, max # of subnets 128 is closest = 2^7, 32 -7 = 25 172.20.0.0 /25 (255.255.255.128)

from my networking class

yeah sometimes the questions are lowkey hard

the section shows a bunch of different ways to calculate

¯_(ツ)_/¯

https://tenor.com/view/get-it-gif-21974245

again i'm doing it a lot simpler

and for ease of simplicity HTB is starting you off with a /27 and asking to divide it by 4

how do you not have pro hacker role

htb rank

gotta play on the main platform

htb has ranked??

ahahhaha

like comp?

not asking you how you'd split into max subnets and how many hosts per subnet
or needing x number of hosts with N number of subnets

just completing active boxes

there is a seasonal element as well, just no time for it rn

as you see, i'm in uni and my uni studies are taking prio atm

2 courses per term until i graduate

because 1 is too boring for me

your doing 2 courses????

You're*

thank you jetpacked

np broski

i had 4 last sem and even that is not a lot

2 courses damn

my only gripe is that there's no classes/lectures, it's just reading books and such

it's a good/bad thing

wtf im just doing a cybersecurity degree

they teach none of this shit aswell htb coming in clutch

at one point I don't have to show up to a class, but at the other it means I don't have a schedule

wtf im just here cuz im bored and wanna do sum

my notes that i pasted were from my Intro to Networking course at Uni

as you saw they had a /16 example subnet to start with

yeah fair im first year so they'll probably do more of that in 2nd year

rn it was mainly just comp sci

¯_(ツ)_/¯

my courses are also 5 weeks at a time

how do you that ive been trying like the last 5 mins

skill + issue

fr he does it quick too

/shrug you mean this?

/shrug

WHAT they removed it

https://tenor.com/view/my-brand-contacts-cries-gif-13481688

/shrug

(╯°□°)╯︵ ┻━┻

try again. ¯_(ツ)_/¯

¯_(ツ)_/¯

anywhey

¯_(ツ)_/¯

┬─┬ノ( º _ ºノ)

/cry

https://tenor.com/view/get-to-work-work-simpsons-smithers-trendizisst-gif-15496843

AYO I THOUGHT WE DID AWAY WITH THAT YEARS AGO

the subnet won't calculate itself

also

alsooo...

to detract from the bit a tiny amount

we know that the range of /27 is 32 yes? (subtract two for usable hosts)

yeah

divide that by 4 to get what your range should be for the subnet you need to divide into

the range is 1-30

well

the step range (or block size) is 32

0 would be the network, 31 would be the broadcast

30/4 = 7.5

wrong

32/4

=8

you need to use the whole block size

or the whole range

ignore host amount

ok ok

so now that we found the bits

so you always start at 0

and count up by your block size / range

and 31 will always be the broadcast address right?

no

or the last number in the range

the broadcast is always the last number before the next block

aka last number in the ragne

so 33

32

extremely loud incorrect buzzer

remember you start at 0

I GET THE DAMN POINT

so in the case of /27

each network starts every 32 decimal numbers

which is its block size (yes, this is the technical term for that range)

Hey anybody having trouble RDPing into the machine for Windows privilege escalation > Windows Server.

try with another rdp service like remmina? also be sure you're connected to the VPN?

Yeah I triple checked my vpn, I check what this remmina tool is

you can use another service. and check for VPN connection. EU 2 is the best atm

anyway back to what we're talking about, we're used to /24 networks where you might see 10.200.0.0, 10.200.1.0, 10.200.2.0 for each of it's networks, where the corresponding broadcasts would be 10.200.0.255, 10.200.1.255, 10.200.2.255

the technical block size for those is 256 (2^8) because that's how many host bits (32-24) we have

oh and then subtract 1

yep

255

even though technically you start at 0

question tho: why do we subtract 1?

because you're accounting for starting at 0

so why not subtract 0

... read that again but slowly

oh wait

as computer nerds we start counting at 0

indexes start at 0

stuff like that

0-9, 0-F, 0-1

after all 0 is important still

as it represents an "Off" signal

think of 0 as an item in a set

and binary we don't do 1-2 we do 0-1

if you have a set of numbers from 0 to 255, you have 256 numbers total

so the first subnet would be 255.255.255.224?

The cutest amount in computing is the nibble.

well all the subnets will have the same mask

it's just determining what network they're in

are they in the first, second, third network

well idk

which is found by simply looking at the last host

Hi I have to find the SAM and SYSTEM hive from a restic backup and I only know how to extract dumps from reg.exe which dumps reg keys from current memory

for instance in /27 the host ending in .33 would be in the second network

where should I look for it in system32/config?

because 0-31 is the first network

what module/section

does the question tell you where to find it?

You should add the module and section aswell for ppl to insantly know

windows priv escalation pillaging

I am trying to doing the last task

I found the backup and restored the snapshot for C:\Windows\System32\config

and where did say it restored it to

C:\Restore

so in C:\restore are there relevant files?

I only restored the latest snapshot for C:\Windows\System32\config and I cannot find any SAM or SYSTEM folder

within config directory

well then maybe that snapshot doesn't have the info you're looking for

yeah what he said

oh alright I will look for it in others thanks

im finding the IPv4, right?

thats what a subnet is

would it be a 255.255.255.x format or a 198.168.x.x format?

it would be in the ip format, the subnet mask basically just informs us of how many blocks we count by

so in the case of the networking question

10.200.20.0 is net1
10.200.20.32 is net2
10.200.20.64 is net3 ... repeat until you can't add past 255

i thought net 2 would end in .33?

no

think, 0 is start, 31 is end

so we tick up to the next network

...

it's IN the second network

i didn't say it WAS the second network

ierbvouregbv3rfgb3e

.33 --> .62 would be hosts in the second network of a /27

so it would be 198.168.62.33?

yep or whatever prefix was before it

INCORRECT ANSWER

Thanks I got it

well

because the answer is in relation to two things

https://tenor.com/view/wrong-no-incorrect-gif-14336579

dividing the subnet into 4; and 10.200.20.0

ive been dying to do that to you

so the answer is expecting 10.200.20.x

again they want you to divide /27 into 4 subnets

meaning you gotta shrink a block size of 32 --> a block size of 8

i thought the subnet was the IPv4 address, no?

think of it this way; divide the /27 into 4 separate networks

yes

(aka networks in networks, or subnet)

the MASK is the same

(the 255.255.255.x)

but each subnet will be under different things

let's circle back to my example
10.200.0.0/24
10.200.1.0/24
10.200.2.0/24

say we wanted to split 10.200.0.0/24 into two networks

or two subnets

where tf are you getting /24 from??

because in this example i'm using a /24 network

the thingy says /27

ok

then let's jump straight into the work

10.200.20.0/27 --> 4 subnets

I made a few updates on this project, any feedback is welcome!

https://github.com/umutcamliyurt/I2Proxy

It's an extension for connecting to I2P network and changing browser fingerprint

we know we have 5 host bits (2^5) which gives us a size of 32

but we need to get a block size of 8, yes?

yeah so just divide 32/8

so how many host bits would 8 need

4

no

close

wait ik this

24

8 = 2^x

2^0 = 1, 2^1 =2...

(btw i understand where you're confusion is from

2^2 = 4

2^3 = 8

bingo

LETS GOOO

SUCK IT NERDS

so what would the last octet look like in the mask, remember the 0s represent the number of host bits

the last octet would be the one closest to 27, right?

correct
11100000 is /27

so what would it need to look like to have 3 host bits

so the last octet is /32

wrong

/26

now you're going backwards

write it out

11100000 gives us 5 0s or 5 host bits (2^5)

For anybody running into this with windows server and desktop versions. this fixed the issue for me : /tls-seclevel:0

so what do you need to do to make it look like 3 host bits?

2^3

It's an old machine so it doesn't like them fancy TLS connections

well that's how many host bits

/24?

but the question is what does the binary mask look like since we need to keep 3 bits "open" or "off"

What

idky that pinged that

All good lol

if 11100000 keeps 5 bits Open/off what binary octet keeps 3 bits Open/off

oh oh ik this one min

check this out marcie you not read for this

1111 1111

cuz its the 3rd octet

how does that keep any bits open?

nope we are ONLY dealing with the last octet

since that's the only one we can manipulate

1111 1111 is all closed/on

3 bits is the 3rd octet??

no

an octet simply refers to 8 bits, remember

https://tenor.com/view/computer-stick-man-table-flip-look-at-you-9gag-gif-26257332

11100000 is the last octet in /27

we can only manipulate this one

so we have to manipulate it to /24

no

/32

nope

again slow down

let's think of this in binary real quick, and my earlier trick will make sense

this is manipulating me worse than my ex goddamn

so

we agree that
11100000 keeps 5 bits open, correct?

idfk wdym by open

off

off for what?

they represent the hosts

i.e. we can assign hosts in that range

you cant assign hosts if the binary is off?

you can't assign hosts if the mask has those bits on

so you cant assign hosts if the binary is open?

you can't assing, for instance, 10.300.20.3 to the 10.200.20.0 networks

ok

2^5 = 32 yes?

yeah

we have 5 0s

in 11100000

if you were to add those 0s together (pretending they were all 1s, so 11111) you get...

0

...

0+0+0+0+0 = 0

ok

read my statement again

pretending they were all 1s

you get 5

in binary?

...yesss...?

11111 is 5 in binary?

yes

?

no

5 in binary is 11111

that doesn't make it more correct

5 in binary is 101

HOW TF

2^0 + 2^1 + 2^2 + 2^3 +2^4

OH

HOLY SHI

though you would actually read it left to right as
2^4 + 2^3 + 2^2 + 2^1 + 2^0

What is going on in here

https://tenor.com/view/get-out-the-lion-king-comedy-humor-throw-gif-9615975

again create a table

2^7 --> 2^0; their decimal representations underneath; then the third line would be for 1s/0s

sry im having a mental breakdown

Marcie has been giving a 2 day lecture about IP's and how to calculate their subnets

it feels like you need a better visual representation

it has NOT been 2 days sir

since last night

You where going on about this yesterday

Gotcha!

but anyway

thats still less than 24 hours

I slept so a day has passed

erm not how that works buddy

diff time zones anyways

Well how you calculate subnets is also not how that works

no shit why you think im getting help captain obvious

David Bombal has a good video on it. Used his stuff a lot when I got my CCNA

my fav creator is NetworkChuck

I don't really enjoy the networking youtubers it always feels like they dance around the topic.

¯_(ツ)_/¯

(╯°□°)╯︵ ┻━┻

@stable bone create this table, make copies of it whenever you need to calculate

so to find the binary just add each one up to the number

like the binary for 6 would be

2^0 + 2^1 + 2^2 + 2^3 + 2^4 + 2^5 = 63

incorrect

break down 6 into what you'd add in this chart

also handy notes

ohhh the binary for 6 is just five zeroes

00000

is number >= my current number in the chart? yes? it gets a 1;
subtract that value from my current, continue until 0

no

00000 is 0

so is 6 >= 4?

yes it is

so, put a 1 where the 4 in binary would be

now we subtract, 6-4 = 2

is 2>= 2

10000

wrong

wait

right

https://tenor.com/view/tmnt-force-of-habit-shredder-uh-sorry-force-of-habit-tmnt-2012-gif-6245587016118277191

yes 1000 is 4

not 1000

10000

wait

no i was wrong again

100

refer back to the table

we will iteratively go back through this until true

yk theres ppl reading this chat losing braincells

remember any odd number will end in 1

that's at least an easy one

but again; refer to the chart

and these steps
Is my number >= where I am in the chart? yes - 1 no - 0

the path to certification is lined with occasional brainrot

subtract whatever value you just put in the table from your number

repeat until number = 0

https://tenor.com/view/sad-alone-sad-person-alone-cradle-sitting-along-in-corner-gif-5077584536082268233

6 > = 4, 1 in 4 spot; subtract 4 from 6 --> 2; 2>=2 : true, 1 in 2 spot; subtract 2 from 2 --> 0

is my number >= where I am on the table is the important bit here

you basically said 6 >= 8 with 1000 which is where you went wrong

remember bits are a series of adding powers of 2

from highest --> lowest

for n number of bits your first bit (the one all the way on the left) will always be 2^(n-1) since we go all the way down to 1 (2^0)

since we are dealing with computers and octets

our last bit in any octet (the one to the far left) is 2^7

just gonna ss all this rq...

we get 255 because (2^8) - 1 is 255

it's still 256 numbers because the range is 0-255

holy shit i think it just clicked maybe

Linux Priv Esc Skills Assessment

• flag4 . I know || tomcat || is running and I can || visit the webserver on port 8080 ||. I tried bruteforcing, going through /var/log, checking crons, checking the wp-config.php file I don't have access to, scripts, generic config files, but I still can't find the creds (I'm assuming I have to find them b/c bruteforcing is not working). I'd greatly appreciate any help.

nvm finally found it

oh yeah i was just about to help you too

you just have to check the thingy but make sure the thingy next to the thingy has been checked

appreciate it

real

see chat thats a real g

ong gngstashit

so did you figure it?

no i was watching YT

:(

NetworkChuck

gotta do Windoows Priv Esc P2 now...

Is there an equivilent to shh2john for .docx files?

you're not gonna believe this

i believe it's office2john or docx2john

https://tenor.com/view/noway-no-way-friends-gif-5978811

oh no way i dont believe it

*python2.7 i believe

does he believe it tho chat

Its real (REAL)

ty

i mean you can do find / -name *2john 2> /dev/null

https://tenor.com/view/true-he-has-a-true-real-facts-agree-gif-4862066548651930678

or if you have locate installed and updated, locate *2john though sometimes it can miss files

marcie are you a dude

Ticket closed, not an IT Support Issue

I am an entity

so a woman? cuz we all know they dont exist

https://tenor.com/view/good-burger-kel-mitchell-ed-im-a-dude-hes-a-dude-gif-4322957

just got 500 cubes what T3 module should I buy?

wtv your heart desires mate

whatever one interests you

fair enough thx

a variety of options ¯_(ツ)_/¯

i have 70 cubes 😎

im goated

i still need to spend my 800+ cubes

thats it?

i have 70

it's not like i'm buying cubes

70 > 800

https://tenor.com/view/minions-king-mic-drop-drop-the-mic-goodbye-gif-1901414669998509331

i had some cubes before I won the silv annual

complete module free cubes

like ~1k

from referrals?

i can get more cubes if i just get past this subnetting but i want to give up

it's that fucking vercel.app link again

<@&861185840277487616>

<@&861185840277487616>

<@&861185840277487616>

fuckin nonce

yh you tell em marcie poo

<@&861185840277487616>

nope

don't

it wont let me do a second g

the question is one of the services contains a flag? im unsure what it means by flag if anyone knows

@stable bone help

the dude is on intro to networking i dont think he can help you

ah shit

mate i started two days ago

I GOT IT THO BRO

delete this pic

what whyyy

what does a flag mean am i looking for a physical flag emoji or

because it contains the answers to the section

🚩 like that?

pretty sure everyone is past me atp

like this: HTB{t3xt_h3re}

ohhhh thats helpful thanku

it doesn't matter. you're not allowed to post answers to questions

i was excited bro

w

I see the flag in your screenshot

another thing is the text says Nmap might not be able to gather all the information

maybe manually connecting to a port will reveal the answer

maybe the one with the least info you have

ahhh okay

you should be promoted to moderator fr

but I see it in your screenshot, and you'll see it as well once you connect

they couldn't pay me to

im seriously stuck with the wordpress hacking -skills assesment i can't get a shell uploaded to /home/erika directory

that's revealing the answer

also copy/paste HTB{..}

ah shit ill delete it

220 is the status code

ohhh

appericate it

i think im gonna give up on the wordpress hacking module and continue with nmap wordpress made me waste alot of hours

A 220 code is sent in response to a new user connecting to the FTP server to indicate that the server is ready for the new client.

ah right thats strange ive been connected to that linux instance for awhile

it can take a bit for it to respond

got it 👍

yeah i started the wordpress one but was quite hard the nmap abit easier to follow

with the second part being "to indicate that the server is ready for the new client"

so you're waiting for it to tell you "ok, i'm ready for commands"

ohh rite okay

@signal bane exactly happy you understand 🙂

new life goal chat: create a dope ass video game with jets that go pew pew kapow boom

Extract and scrutinize the memory content of the suspicious PowerShell process which corresponds to PID 6744. Determine which tool from the PowerSploit repository (accessible at https://github.com/PowerShellMafia/PowerSploit) has been utilized within the process, and enter its name as your answer.

Guys I need help with this

I don't know why my burp suite tool isn't intercepting the CHANGES I made with the html text using DEV TOOLS in firefox(but its only capturing the original html text before I made the html changes in DEV TOOLS)

the "click for a chance to win a flag!" is the last step

you don't need to intercept any more after this

just keep clicking until the flag appears

it really is about getting lucky

is the exploit in the skill assessment for command injection supposed to be a cve

also changes in dev tools aren't persistent

and will only be client-side and don't require any interception

Good evening everyone I’m stuck at command injection —>skills assessment I found the vulnerable parameter I found the working operator but I can’t read the flag
I tried using $[PATH:0:1] and tried to encode with base64 and I tried using use ' but it always show me Malicious request denied!

any help?
EDIT:SOLVED
anyone stuck there fell free to dm

Someone should please help me out with this

it helps people help you if you tell us what you've tried so far

that way we don't tell you to do something you already did

as it stands it looks pretty straight forward

check the memory related to PID (Process ID) 6744; then based on that see what PowerSploit command was used

there is an event provider for this

i went to build steve and i got a warning for too many emojis

why do we have steve if i cant give him a life

this is how i spend my time chat

@ SERIOUS RULE BREAK

boi nah lets go right here rn

take you to da pavement

this isn't a gen chat

take your silliness to #general

are you mod now or sum

also have you finished the subnetting section?

OH OH MARCIE LET ME TELL YOU

:(

bruh

spoiler/answer

look at all those tabs 😭

ya goon

it took a couple hours but lets goooo yessirrr

but congrats

i hope you now somewhat better understand how networks are separated

that depending on the mask two computers might not be in the same network

i made drill seeargent proud chat

did you wanna take on my little challenge? (10.10.14.33/28, network, mask, broadcast)

you can dm me the answer if you work it out :)

your challenge aint got shit on me boiii

bet give me like

fine, /30 instead of /28

a couple days lmaooo 😭

talk shit get hit

https://tenor.com/view/shrek-you-are-a-monster-ginger-bread-man-gif-5848676

nah

yahuh

once you get one the others kinda fall in

how many subnets you want?

Q: identify the network, subnet mask, and broadcast address of 10.10.14.33/28

**Windows Priv Esc Part II Question II **
Escalate to SYSTEM

• I found || a hijackable dll via sharpup || but honestly I'm at somewhat of a loss. I've tried looking at msf at the dll injection section but so far nothing. any help would be appreciated

Can someone help me get the ZAP and Burp SSL Certs? I think the guide is a little outdated because the option "Dynamic SSL Certificate" has either been rename/move or removed.

Dlls aren't the only way. Have you tried any other methods?

it was just fine for me the other day

Is anyone else having this issue now?

maybe an issue when the authors put out a new update?

https://stackoverflow.com/questions/78067685/zap-dynamic-ssl-certificate-option-is-not-available

i was able to find it just fine from the menu ¯_(ツ)_/¯

but maybe this will help

I tried using the SeChangeNotifyPrivilege via msf but it failed

I just get this
[-] Exploit failed: NoMethodError undefined method `[]' for nil:NilClass

I've tried googling for it but idk

sometimes restarting msfconsole fixes those issues

The module went over more than two ways to escalate to another account. I suggest you go through the module and try all the ways provided. The answer is in the module. If you're still stuck once you've exhausted all the methods I'll be willing to give a hint.

understood thank you

Okay so I got the Certs for both Burp and ZAP, and I imported them into my browsers trusted certificates. But the foxyproxy extension is either not working on firefox, chrome (I think, I can't verify that because their installer is broken), or opera... or the guide's out-of-date

When I turn the proxy on, I get this page

The directions given under the error, is to go to my Browser's proxy settigns, however it's not my browser I'm running the proxy through, but foxyProxy. So I'm not sure exactly what I need to do.

Anyone able to help out with the broken authentication predictable reset token question ? please do let me know

The only thing I was able to find when google dorking ( "Burp", "FoxyProxy", "v8.9" ) was that chrome and firefox found a way to bypass the "IP" field so it was removed(?) https://github.com/foxyproxy/browser-extension/issues/134

In the Linux Privesc Shared Libraries section, what is the C binary saved as? This section is really vague towards the end.

Doesn't say to save the binary as anything in particular and doesn't explain the components of the gcc command

did you run the command? do you know what each of those flags mean?

Yeah I understand the command, I just don't know where that binary comes in above the command. Am I supposed to use that somehow?

Also, that command doesn't work

root.c is the code above

Thanks, where was I supposed to figure that out?

We can compile this as follows:

and the compiler informed you that root.c: No such file or directory

So I have root.c in there, now I'm getting a new error

I'm still trying to Building the solution for the || CVE-020-0668 ||

those are warnings, you should have your root.so

Okay, so apparently that's not an error? I was able to run the rest of it

Help plz

So why am I using the root.so when the c file is what I compiled?

This doesn't really explain, it's just telling me "hey copy and paste this command with no context"

Likely some weird shenanigans

I tried building the solution of the CVE on mac via mono but there are errors and googling has not worked. Do you have any idea how I can use the sln file to build the solution

As inlanefreight.com is a real fictitious website

this is the repo to clone it from

https://github.com/RedCursorSecurityConsulting/CVE-2020-0668

haha yeah, maybe. I just found it weird.

As long as ffuf and such can find it