#modules
hey guys, I've been stuck on this question: Hunt 2: Create a KQL query to hunt for "Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder". Enter the content of the registry.value field in the document that is related to the first registry-based persistence action as your answer.
Can anyone help me out?
So far I've used event.code:13 as my filter alongside registry.path: Run
but I'm not exactly sure what answer the question wants?
The value
registry.value?
omg, I just went one by one, copied and pasted, and then one of them worked... dead
thanks, but I would really like to know the why behind the question and answer. I've been stumped on this question for a while
I see it's the only one that had the host.name with powershell as well
sorry, process.ext
thanks! I'm looking in the "Job Role Paths" section...
Hey, @everyone I'm working in Linux Fundamentals Module 18, I'm stuck on the first question. I've tried using "find /etc/ -name *.log 2>/dev/null". When I use this command I'm brought back to the command line. I am a novice, hoping someone could walk me through this question and the second.
in the **Active Directory Enumeration and Attacks module, section Attacking Domain Trusts - Child -> Parent Trusts - from Linux**, someone please help, I don't know why this is happening
it takes forever for me to get a shell and it doesn't give it
I already made the golden ticket and found the domain SID, enterprise group SID and NT hash for krbtgt but it doesn't work
target IP not spawning???
I have no experience in hacking or programming. But I am interested in learning, can somebody help
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
reset the target/switch servers
I tried that too, several times
I will try again right now though.
it's also weird that when I use lookupsid.py the output always ends in a timeout (1st img) but the output should be like (2nd img)
You won't find it in the job role paths, it's under the skill path
A NetBIOS timeout is usually a bad connection: you sent a request and the server did not respond in time
module: Intro to NoSQL Injection skills assessment ||
I am unable to get the right path
can anyone instruct me?
New-ADUser -Name "MTanaka" : We issue the New-ADUser command and set the user's SamAccountName to MTanaka.
can anyone explain this to me??
I had an idea that SAM accounts are used on local machines, but HTB is saying that when we use the New-ADUser command with a name, we are setting a user's SAM account.
I'm a bit confused
you're thinking of a SAM account. They're talking about a sAMAccountName, which is a different thing
"SSTI Exploitation Example 1", Server-Side Attacks module
Use what you learned in this section to obtain the flag which is hidden in the environment variables. Answer format: HTB{String}
I spent many hours but can't find the flag. I think I did everything
instead of tplmap, which doesn't work, try this tool https://github.com/vladko312/SSTImap
same tool/syntax, but it actually works
I didn't write down the challenge for that, but the basic idea is: identify the template engine, then inject code into that template engine based on the flow chart
I am currently in Nibbles Initial Foothold, and i am having trouble understanding this "We will add our tun0 VPN IP address in the <ATTACKING IP> placeholder and a port of our choice for <LISTENING PORT> to catch the reverse shell on our netcat listener."
Is this the IP of my VM instance?
It is the IP of your VPN connection, which will typically be tun0. If you run ifconfig you'll see a tun0 interface; that IP is what you'll want. Then you'll want to pick a port available on your attacking machine that will match when listening for the remote connection.
ok, so I had that right
I set the port to listen on port 9443, and also have the port set to 9443 in the image.php file, but when I try to connect with ncat it reads:
```
Ncat: Connection from 10.129.215.86.
Ncat: Connection from 10.129.215.86:59116.
/bin/sh: 0: can't access tty; job control turned off
```
I don't know if that was right? It appears that it established some kind of connection, but I didn't get a tty, and that port number was different. I don't know if the port number being different is relevant
nvm, I'm seeing that I am moving in the right direction, and I am at the part where I need to import python
thank you
That's the random high port the remote side used to establish the connection, normal and to be expected.
Looks like you're on the right track.
thank you!
Idk if I'm missing something haha, is there any reason I can't post in general?
I tried after resetting the machine and nothing changes, can someone please help
Trying to fix this for hours but it keeps 😭
which regions did you try?
oh, I only ever stay in one region, should I switch?
let me try that
yes, if you're US try EU, and vice versa. Many regions have been having issues recently, especially with internal hosts
ok
Hi, I am doing the Skills Assessment section of the "PIVOTING, TUNNELING, AND PORT FORWARDING" module. I am using SSH dynamic port forwarding along with proxychains to discover the internal hosts. I am currently scanning the 172.16.5.0/24 network. However, nmap is showing all the IP addresses in this network as up. Why is it happening?
Anyone help here
I am scanning again against the 172.16.5.0/16 network right now, and it shows 3 hours 48 minutes as the estimated time to completion.
omg omg omg it works, omg tysm my savior, if it wasn't for you I would sleep with nightmares and wake up only to be in another nightmare and have nightmares until it worked
Wanted to hear your guys' take on this:
Let's say I get a rev shell that is not the most stable.
I accidentally run "python" and it is stuck inside the python cmd line
Is there any way to properly exit this when the shell is not that stable? I've tried exit() and quit() but no luck.
@ocean night
Sorry, but I cannot provide support for modules etc. Please avoid pinging people randomly like this too.
@muted kindle any hints on this please?
I don't know what this module is and most likely I haven't done it
Look to the dot
It will be a blind thing 😉
try another way. ||Check if any "neighbors" are known||
I have not used the --disable-arp-ping flag in the nmap command, that means nmap will look for neighboring hosts, right?
Try other methods without nmap
Hi can I DM you about this?
Do I need to encode it
Don't know which dot you are talking about
When using nmap within a /24 network for host discovery, it shows all the hosts as up. I am trying to check for open ports on neighboring hosts. However, it also shows the estimated time to completion as super high. I cannot think of how I can determine if any host is active in the network without using nmap.
sure
but I'm not online regularly at the moment. So don't be mad if an answer takes longer
proxychains 8 hours nmap scan
no, you don't have to encode anything
Take a very close look at the answer
It was Xre0uS who told you first, I think that's what he meant by changing servers. He's your savior. Glad you got it though.
**SHELLS & PAYLOADS**
The Live Engagement
https://academy.hackthebox.com/module/115/section/1139
Host-02 (blog.inlanefreight.local)
```
Module options (exploit/linux/50064):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD   demo             yes       Blog password
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The URI of the arkei gate
   USERNAME   demo             yes       Blog username
   VHOST                       no        HTTP server virtual host

Payload options (php/meterpreter/bind_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LPORT  4444             yes       The listen port
   RHOST                   no        The target address

Exploit target:

   Id  Name
   --  ----
   0   PHP payload

msf6 exploit(linux/50064) > set vhost blog.inlanefreight.local
vhost => blog.inlanefreight.local
msf6 exploit(linux/50064) > run
[-] Exploit failed: One or more options failed to validate: RHOSTS.
[*] Exploit completed, but no session was created.
msf6 exploit(linux/50064) > set rhost 172.16.1.12
rhost => 172.16.1.12
msf6 exploit(linux/50064) > run
[*] Got CSRF token: 733fe2889f
[*] Logging into the blog...
[+] Successfully logged in with demo
[*] Uploading shell...
[-] Exploit aborted due to failure: unexpected-reply: Unexpected json response
[*] Exploit completed, but no session was created.
msf6 exploit(linux/50064) >
```
What could I be doing wrong?
I can also see the server name server01 in the note. So I am trying to perform DNS resolution for the server. I can see that a DNS server is running on the target server. But it is not able to resolve the address. nslookup and dig are not present on the target server. I tried proxychains with dig, but it doesn't work:
```
└──╼ $ proxychains dig server01 @127.0.0.53
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.14
;; communications error to 127.0.0.53#53: connection refused
;; communications error to 127.0.0.53#53: connection refused
;; communications error to 127.0.0.53#53: connection refused

; <<>> DiG 9.18.12-1~bpo11+1-Debian <<>> server01 @127.0.0.53
;; global options: +cmd
;; no servers could be reached
```
Why can’t I talk in general
Error: Missing 'username' parameter
this is the response
And I am really stuck, what am I missing?
Wym
After setting up dynamic port forwarding and proxychains, I was using the command proxychains nmap -v -sn -T4 -n 172.16.5.0/24 -oN host_discovery.nmap but it showed all the hosts as active, even when they were not. Why?
Set the vhost
@spark spruce Just enter a username and password. ||You can find a potential username on the website.
See what happens if you change the username so that it is guaranteed not to exist||
Your credentials are wrong, see the hint for the second box.
He's wanting a hacker for hire and deleted his message after I pinged the rule break
idk what happened but it's all good
Wait, so this is a cybersecurity server, not hackers
You nailed it
Dammit
There are hackers, and there are hackers. You're in the wrong place buddy.
Damn
msf6 exploit(linux/50064) > set vhost blog.inlanefreight.local
vhost => blog.inlanefreight.local
?
Thanks! How would I know this if I hadn't used the hint? :-)
Not sure off the top of my head, don't have it in my notes. I would assume from the first host?
got it
thanks
Hello, I'm doing the Windows Fundamentals module, and have a question about the behavior I'm seeing.
Whenever I create an SMB share on "C:\Users\htb-student\Desktop\Company Data", and then enumerate the SMB server's shares (smbclient -L), instead of seeing the subfolder I shared I just see \Users. Why was the entire \Users folder shared and not the specific folder I shared?
today I have to do everything over the clipboard... that kind of sucks... why is that?
Does anyone else feel like the RDP machines have been very slow for the past few days?
Do I need to use a script for password hunting?
Well, a script is certainly helpful in such a situation. But you can also carry out what feels like 1000 requests manually
I have tried SSJI payloads in the password field
" || (this.password.match('^.*')) || ""=="
But invalid credentials
Is there any other payload needed
Or
am I getting something wrong?
You're on the wrong track. So, once again
||Find the difference when you enter a username.
Look at the dot||
Use this knowledge to get more data.
guys, I need some help
I've been stuck at the msfconsole module for ages now
it keeps telling me Msf::OptionValidateError The following options failed to validate: RHOSTS
and yes, I type RHOSTS
Guys, if I purchase a module with cubes, do I get lifetime access to it?
Hello, I am currently on the Footprinting module, SMB. I connected to the SMB server and I can't find the flag.txt.
What section are you in and what do you set RHOSTS to?
I'm in Getting Started, and then the Public Exploits section
I set RHOSTS to the target IP
Could you send a screenshot of your options in msfconsole?
I'll send it to you in DM
Did you connect to the share from the previous question and look around there?
I found that there is a difference of a dot when I enter the wrong and the correct username
but I couldn't relate this to the password
anyone else having problems spawning a pwnbox atm?
@bright coral I connected and I just don't see the flag.txt
Look at these sections again
https://academy.hackthebox.com/module/171/section/1685
@bright coral it is the third question, where it says find the flag.txt file
already looked but confused because it is in JSON format and also my payload is not working
you have to explore the share a tiny bit
it's on the jump host they give you
Is anyone here CURRENTLY doing the AEN module?
In which field do you see a difference?
So why are you trying the password field? 😉
because you told me to look again for a difference after getting the username
@bright coral hello, what are the commands? I currently see only
Profile
Contents
Bash_logout
bashrc
No flag.txt
doesn't sound like an SMB share to me; but look around
also, what module are you working on?
Take another close look at the sections.
To retrieve data, you must see a difference in the result when entering it. Either by time or by an output.
In this case it is the output.
Those are the contents of the share. One of those "files" is not like the others 😉
So what is the solution for this, @bright coral?
bro
ngl use your brain
just look around
that's all you gotta do
dir/ls, cd
just... look
@fathom pendant thank you, for some reason I don't find it
well you're dropped into a base directory
with other directories in it
what logical place might flag.txt be in
to get the difference, the payload should work
but here it is just a missing error
if it does not work, then how would I get the error difference?
if you're unsure, just cd to all the directories in there
and look
Still can't find it, I tried to look at every one but there's no such file as flag.txt, I can't understand why @fathom pendant
Like I said, my friend, there are these
Profile
Contents
Bash_logout
Bashrc @fathom pendant
one of those is not a file; and is a directory
Yes I know I will check again
No, this is the problem
?
I can't send a photo to show here, can I send you a message?
you can cd into the directory that has the flag.txt in it
that's as much as I can lead the horse to water, so to speak
Why the password field? That is completely wrong
then how do I get the password
I already have the username so I cannot attack the username
I only need password
no
you see how when you do dir/ls in SMB there's a letter next to the filesize? That indicates if it's a Directory/Hidden/Not Hidden
I just spun up the lab myself and was able to cd to the directory
the reason you can't find it is because you haven't listened to what @bright coral or I have been telling you
which is that there's another layer to look in
But how do I look at it if it is hidden? I don't know, can you please tell me @fathom pendant
brother
idk how much more clearly I can say this
one of those is a DIRECTORY
as indicated by 2 things
the filesize being 0; and the dir listing as D
there's no hiding files, SMB shows all files
but again, you have the answer to move forward in what you can see
I've told you at least twice now that what you're looking for is a Directory
and 2, stop DMing me
I highlighted the specific letter for a reason
Man, I understand, but I will tell you again: when I am doing ls it's not giving me the content of the directory
D = directory
H = hidden
N = Not hidden
in a normal OS the H files would not show up under a normal ls/dir
because you need to cd to it
ls with no arguments just lists the current directory
same thing with cd
Ohhhh I see, I forgot it, thank you for your help and time, appreciate it 💪
you can just cd to it
and then ls
and boom, it works as intended
you were vastly underthinking it
I currently can't start any exercise, I tried different browsers although I am connected via VPN
yeah, that's the thing with the docker instances
give it like 10 minutes
awesome, ty! appreciate it
sometimes it takes a bit; also, being connected via VPN has no bearing on target spawning
it's not like the labs site
you can spawn a target without being connected
I somehow can't, the button to Start the target is not there. It just says "Waiting to start"
they used to have a terminate button...
the "Waiting to start" is for the pwnbox instance, my guy
if there's no "Click here to spawn target" button, then the questions solely relate to the reading/research you do
oh yeah, that's true lol.
Yeah the "Click here to spawn target" button is missing. It used to be right there like 2 months ago. Maybe because I already completed the exercises?
or this section doesn't have a target instance
😭
it's too early for me
Module - Footprinting (SMB), why am I not able to access the share anonymously after having 'guest ok = yes' in smb.conf? I have also changed the permissions of the mnt and exampleshare folders
Try using -U anonymous and no pass
smbclient -U "" -N //ip/share
Perhaps since your user exists it tries to authenticate you
^
but also, you don't need to set up an SMB share for this
the provided target has all the stuff
yes, I was just trying to set it up and learn the configuration better
-U anonymous doesn't work either
right, -U "" -N outputs the same error
did you try -U guest?
yes I did!
¯\_(ツ)_/¯
didn't work
I'd say just move on with this
since technically setting it up is out of scope
did you restart the smb service? That is my last question
yes I think I should, I wasted a lot of time on this
yes
#homelab-sysadm may also be just a better overall place
Is there a way to locally redirect to port 80 while doing academy courses? I now have an external IP with a port, but I'd rather have it on port 80
alright, thank you 🙂
?
like redirect the pwnbox?
I am doing some web modules. So I don't have to add the port each time
that whole sentence kinda confused me, ngl
yeah, sorry lol
yeah, that's what I thought :D
Read through the sections again.
they're on the target, and the scope of docker containers is solely the ip:port
a local tunnel from localhost:80 to docker:port, perhaps
yeah, but you'd have to set it up EVERY SINGLE TIME
and at that point it's just faster to copy/paste --> http://<paste>
you do know you can click the spawned IP and it copies to the clipboard, yeah?
Yeah. But these CSRF/XSS module sections use 3 vhosts
but port 80 is taken on pwnboxes
I will just have to remember to put in the port 😄
You should be able to bend all the traffic to IP X with port 80 to IP X with port Y with iptables 😉 but remembering to use the port is probably easier
ah yes
Okay I will try my best
In this section,
when it uses the regex payload
it shows some result
But when I try to enumerate the password using regex
it shows missing password parameter
It means this parameter is sanitized well to avoid this payload.
Now I don't know which type of payload I should use.
The module shows you other payloads apart from regex
On the Windows Logs and Finding Evil Pg 2, Sysmon was already installed so I just ran the config file, then replicated the DLL attack, yet I still can't get Event ID 7 to generate in Sysmon. I have no clue what I'm doing wrong
Let me try each of the payloads
Never mind, I figured out my mistake, smh lol
For the Advanced XSS and CSRF Exploitation module, can anyone explain to me why sometimes the line xhr.withCredentials = true; is needed and sometimes it isn't needed in the payload? I've reread the section multiple times but I still don't get it
None of them are working
instead some payloads show an internal error
what does it mean?
hey
could anyone give me a hint for the third question on Sliver's skills assessment?
thank you so much ^^
I've tried Kerberos delegation and DACLs but I can't see any path to the DC
Am I the only one that can't seem to get DNS working with inetsim (in my own VM)?
The DNS service just does not start up. Everything else starts up.
Is it that in these cases you are soliciting a victim's browser to make requests to the server at an endpoint base url which is also not of the "same-origin"?
https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/withCredentials
Setting withCredentials has no effect on same-origin requests.
You are still using the password field.
Anyone know how to break Family Link on a phone without the parent noticing
There are 2 other web pages which I have also tried
The token field in /reset
And the username field in /forgot
Now where should I use it?
Any idea where to find a feedback channel, having some issues with a dedicated module.
thx a lot 🙂
```
└──╼ [★]$ xfreerdp /v:10.129.202.136 /u:{username} /p:{pass}
No protocol specified
[15:05:09:586] [32311:32311] [ERROR][com.freerdp.client.x11] - failed to open display: :0
[15:05:09:586] [32311:32311] [ERROR][com.freerdp.client.x11] - Please check that the $DISPLAY environment variable is properly set.
```
anyone know how to fix this issue?
use remmina
What are you trying to RDP to, and from where?
pwnbox to the IP address mentioned. I have the credentials
don't use root
$ means he's in a user terminal?
it works already, after I close all the terminals and run again
Neither. You have found the vulnerable field. Now you just have to read out the data accordingly
Source code?
Which field shows you whether the entry is correct or incorrect?
Username
If you get stuck, send me a DM.
But I won't be able to reply until later. I'm off again for a while
Okay
Anyone else experiencing issues with the module "ADVANCED XSS AND CSRF EXPLOITATION" where you have to press the deliver to victim button a few times before even 1 request comes through?
Are you sure you're looking for .log files?
Hey, did you ever solve this question? I've been stuck on it for a few hours. Thanks.
Hey, did you ever solve this question? I've been struggling with it for a few hours.
ah okay, thanks
hello
stuck on https://academy.hackthebox.com/module/116/section/1512
have added subdomain and domain to /etc/hosts
perhaps you need to define a server you're querying
I hope that clears it up. I don't have the full context to say for sure. And, full disclaimer, XSS is a weak point for me so if someone else has a clearer explanation please speak up.
what do you mean?
I am saying, read the page
you forgot part of the command
for your dig command you'd need the @
ah, ok
it had failed before on that, but I think I understood my mistake
try it out and let us know 🙂
You know you've done too much frontend stuff for the day when you keep writing xhr.widthCredentials
what's in your hosts file? did you put in the right IP?
should I remove the subdomain?
wait, lemme remove it and try
didn't work lol
the @ means that you will query that server, so in this case you'd need it to be in your hosts file
so what happens when you keep on using subbrute and enumerate the subdomains?
Isn't @ for dig the nameserver?
You don't need to specify @ with nslookup, but with dig you have to
Ah, already got answered by sparkling
I know this seems to be the valid one, it was a hint on the forums
I should nslookup the subdomain?
so try to dig that one
the reason your nslookup couldn't find it is that that subdomain isn't in your hosts file
deleted. sorry
I haven't exactly understood DNS it seems. Need more revision.
Your other screenshot with the subbrute output
Nslookup queries nameservers
done
IIRC it has to be in resolv.conf
If you still need a nudge: Look around in directory of the user you've compromised to answer the previous question 😉
so just to clarify, if Access-Control-Allow-Credentials is set to true, I would then need withCredentials set to true so that my payload will be sent?
Yes, that looks to me like it would be a good indicator. Again, you're way ahead of me in the material. I've only got some experience with utility-grade webapp development so thinking of things from an attacker's POV isn't a strong point yet.
Okay, I'm quite new to all these advanced web attacks too, hahas
I was under the impression that I was. Again, I'm very green. I was hoping that someone would load it up and walk through it
why does it ask me to sign in 2-3 times a day
before, it used to ask me to sign in after 1 month
I did it many times in the last 7 days but
But on a real note, reach out to support
it always asks every day
that's not something any of us plebs can answer ¯\_(ツ)_/¯
Could be a backend misconfig not storing the cookie properly
Try a sanity check. I know /etc/ often contains .conf files. Does the command you're trying to run work if you search for something I know exists under /etc: .conf files?
$ find /etc/ -name *\.conf
If yes, then the logical conclusion is that there are no .log files in /etc. Are you looking for log files somewhere else or is what you're searching for wrong (i.e. .log)?
I won't do you the disservice of walking you through it, but I'll point the way. 🙂 Maybe someone else will though.
I'm going to try it out and you are right, that is the logical explanation for why I'm not receiving any output. The question asks me to find all files with the .log extension.
Are you connected to the target?
Well the first question isn't a .log is it?
Also section name is gonna be better than page #
Anyone I can ask for help on the Kerberos Attacks Skills Assessment? I guess the last question is broken, I tried many ways to leverage it, but still could not manage to get it.
the reason why I am making such an assumption is because pass-the-ticket was broken as well; after I messaged support, they fixed it, so I wanted to know if it's me or the final part is broken, thanks
tried rebooting the target and many, many attempts, still no results
it worked when I did it, if you're on US servers try switching to EU
I am on EU 5, or it was 4 I guess
can I DM you?
Can anyone help with the Bypassing CSRF Tokens via CORS Misconfigurations section under ADVANCED XSS AND CSRF EXPLOITATION? I think I have the correct payload but I'm unable to get any response
Hello
how can I get permission to talk in general chat?
and
can I delete my payment method on the academy website?
Read and follow #welcome
Second, you gotta message support to get it removed
I will
thanks sir
Hey, hope you're having a good day! Working in the Information Gathering module, in the Active Infrastructure Identification section, question two asks which CMS is in use for app.inlanefreight.local. As you can see I'm attempting to use the whatweb -a3 command but I keep getting an error. Is my syntax wrong or is it an issue with the connection?
IIRC it's just KUD
Is app.inlanefreight.local in your /etc/hosts?
Also http, not https
I don't recall these using https
Also your syntax for curl was bad
yeah, I was trying the users j. and an., both did not work, also tried the spooltrigger and SharpSpooltrigger, seems they are not designed for a computer KUD, only users are allowed
You can just use the IP, you don't need to do ${...}
hmm I don't remember about that, but it should be pretty straightforward
have you tried using coercer?
I mean, those tools act as a coercer, I got an error executing those 2, so I think coercer will not work either, but I will try it
coercer does more than just printerbug
sorry I don't have more notes than this, all I have is just "kud, coerce auth from dc, ptt"
thanks!
hello all, I've finished the 'retrieve hardcoded credentials' in thick clients from the Attacking Common Applications module. I liked it but I got a lot of whys as I went through my notes and tried to generalise, in case I have to do it with another one.
Some things remain kinda obscure or too magical like: 'Checking the memory maps at this stage of the execution, of particular interest is the map with a size of 0000000000003000 with a type of MAP and protection set to -RW--'.
Ok, I understand the words, but if it wasn't told 'look, there!', I don't know how I would have found it. Do we search for the MZ magic byte and explore all MZ patterns? Or do we search for memory type MAP with RW protection owned by the user, then explore each one with strings until we find something? I mean, what's the key here, what's the process? How do we know to set a breakpoint solely at exit? Now I feel I have to follow this vulnerable thick client rabbit hole to satisfy my curiosity, but if someone has some quick insights, I would be grateful!
Tbh the thick client applications section is a one-off
It was added extremely late, and from out of nowhere
Oh ok thanks! That's too bad, it feels like too little. I'll check other sources anyway, it's sometimes tricky to stay on the CPTS path without getting lost
The thick clients/java/mem stuff is not likely to come up again in CPTS path
https://academy.hackthebox.com/module/116/section/1173
I have the credentials, how do I log in to the email?
Did you even read the section?
yeah ok, that's good to know, thanks! I just checked the skills assessment for that module and it seems the 3rd is about a hardcoded cred in a DLL, so that will be one more
Actually, my bad, connecting is covered in the Footprinting module @north bramble
Could be unrelated to the Java bit
okay thanks, I don't remember as I solved it months back.
This is why notes are important
So I suggest going back to footprinting > IMAP/POP3 and seeing how to connect via imap(s)/pop3(s)
yeah, my bad, once I am done I am going to go through the whole path once again
on it
I suggest going back now and doing notes
Even if you don't go through the provided labs for them
sorry for bothering, how did you manage to set up the coercer? I cannot run it on the RDP attacker host, because it can't install the libs. Did you set up a port forwarding tool, like ligolo or any other tool?
yeah I used ligolo
Identify if it's possible to perform a zone transfer, submit the TXT record as the answer. (Format: HTB. What they are wanting I don't understand, can someone try and solve this? It is the Footprinting module
Plenty of folks have solved it. What part is confusing and what did you try?
It wants you to perform a zone transfer, and submit the contents of the txt record of a subdomain
Managed to answer it, the other question is problematic
What is the IPv4 address of the hostname DC1
Someone please
I don't know the answer, maybe you need to dig further, but that's just an assumption
That is indeed part of the digging
You have the answer with digging, it sounds like you just want your hand held through the whole thing
having a bit of trouble with the first question about case 5. SQLMap gave me the flag, however inputting it into the answer field, it says it's wrong.
It's a bugged q, you get some \xv or something like that in the middle, yeah?
there's a { in the middle
Well the whole thing is HTB{7..7}
I have a problem with the module Windows Attacks & Defense, on the sub-module PKI - ESC1. I'm trying to log in via RDP to WS001, but I'm getting a black screen, the system is not loading.
Press enter
I did, but it is not loading
correct, the table I get in response is HTB{7..{..7}
Well it's l337 speak for the most part
So I'd take a stab at what you think the whole phrase would be given what you see
This is a known thing with this
cool, I cheated a bit on this one question and looked up the solution, I see what it should be
the 1337 phrase makes sense now
I thought I was doing something wrong
All good, I think Jared said he spent like 5 hours with someone on this previously
just a quick one and I guess it's a preference question: I am running through the CREST Path, when doing the Web Requests module obviously you can use Burp Suite etc, but I am assuming the idea is to manually run through it as if I haven't got access to it etc? thanks
deleting this 'cause I got it
Marcie boo, wsggg, I'm in a pickle rn
I believe the web req module doesn't require burp and goes at the underlying theory
yeah just make sure you test the thingy first
Thanks, thought so. I completed it manually. I thought Burp was cheating in the circumstances; I was just checking, as some will go for the easiest path rather than the one where the most knowledge is to be gained.
test the thingy? elaborate? I have it completed but that's very vague haha
dude everyone knows about the before the when you run the but only after the yk?
music taste fire tho btw @viral lotus
thanks
not sure what that was supposed to say, but I am sure you meant well
I didn't, I was trolling you, now I feel bad 😭
its cool lol
Ignore the kid, he's got squirrels in his brain
They are alright no harm done haha
And I'm a caffeine crackhead lmao (all in good fun)
Turns out I will be using EU to complete the skills assessment after all.
Just need to slow down every now and then
Hi, I can't connect to the MySQL server (Intro to MySQL). ERROR 2002 (HY000): Can't connect to MySQL server on '94.237.49.212' (115)
Why?
mysql -u root -p -P 3306 -h 94.237.49.212
Slow every now and then
Instructions not clear, troops invading jk
Yeah, there was quite a bit I spent yesterday walking through, but now I understand the issues I had. Appreciate the time contributed, Marcie!
Is that the port that was provided?
yes, it's default port
OK, thank you, I will try the command with http. In the module example they use https, and on the cheat sheet under Active Infrastructure.
Yes that is the default port, but is that the port that was provided to you?
https is if it's running port 443/http over SSL (HTTPS)
I'm sorry, guys. I forgot about hint
Most only run http
"Make sure to specify the non-default MySQL port in your command."
Mood
I'm having a bit of a hard time understanding prefix in the SQLMap module. Well, to be clear, it's how to find what the prefix should be. Any tips?
If I run "sqlmap -u 'http://targetip:port/case69.php?col=id' -v 3" I see the payload gives a hint, but I don't know if that's the best method or if there's a better way of checking this.
Hello, I am once again asking for assistance on the "Skills Assessment" lab for the "Pivoting, Tunneling, and Port Forwarding" module. The command `proxychains xfreerdp /v:IP /u:creds /p:"creds" /cert:ignore /drive:smbshare,/home/kali/smbshare` works fine in the Pwnbox, but when I use it on my VM it doesn't complete. The reason why I'm not using the Pwnbox is that every time I get to the RDP section the connection will consistently crash/disconnect/freeze. So I am back on my VM and I'm trying to figure out how to bypass this or use another tool for RDP. I tried:
```
proxychains rdesktop IP -u creds -p "creds" -V 1.2 -r disk:smbshare=/home/kali/smbshare
```
Your commands are revealing answers
fixing rn
Also your screenshot is missing a character
Iirc there's a ! at the end
(For pass)
Also case sensitive
But yeah checked, you're missing a char in your pw in the screenshot
(Which is also spoiling btw)
Sorry, I'm trying now, but whenever I try to put the ! in the password it'll just delete the quotation.
Yeah, I'll delete.
Wrap in single quotes
ahh right
! Is a special character
Welp, it worked. I'm a dumbass like usual, sorry for wasting your time.
yep I've always had the problem of tunnel vision
tunnel vision in tunneling module
😭 😭 😭
The irony
I just finished the ZAP Scanner section of Using Web Proxies Module. I had to find the answer in a write up because no matter what I did ZAP would not find the 'high-level vulnerability' referenced in the question. I have two questions 1. Is anyone able to get the scan to reveal the correct vuln at this point? 2. Is anyone willing to DM me another path to finding the flag I could put in my notes for future reference should I run into this situation again? I would prefer to learn something even if the platform isn't working as designed. TIA.
It honestly took like 10-15 minutes
It was literally just running the scan from the section and just waiting
Shoot. I tried that and waited at least that long three times. I’ll try again tomorrow. Thanks!
i know PoC stands for proof of concept in this field but i cannot stop reading it as person of color in my head
Just a quick question. Using the fileless method to download and execute using IEX, does that only work for PowerShell files? Does it work with an exe?
PoC 69420
It works with any file that can be downloaded and executed; the trick is that it executes it in memory instead of on disk.
"Fileless" can also be a misnomer: if it creates persistence, for example, it has to create/edit a file to do so.
Thanks @fathom pendant. Helpful as always
As shown in the first paragraph, it basically uses native tools.
I hope everyone is well! I'm hoping that someone can explain how something works. I am working on the skills assessment for the command injection module. I already solved it but want to explore different solutions to it.
$(tr '!-}' '"-~'<<<[)
$(tr 'set1' 'set2'<<<input)
How does this work exactly?
I know tr translates the input such that the chars that are in the input and also in set1 are replaced by those in set2.
In the example, the input does not contain any chars from set1, so there is nothing to convert the input to from set2, so how does this shift the character to the right by one?
@fathom pendant lol thanks!! This site will come in handy!!
In short, it does some funky stuff that shifts it.
You could probably find a lengthy article explaining it.
cool cool, I found this https://stackoverflow.com/questions/6441260/how-to-shift-each-letter-of-the-string-by-a-given-number-of-letters
and then I pulled up an ascii table and noticed that set1 '!-}' is a range of chars from ! to } and set2 is the same, just right-shifted by one. So when the input is passed in, it matches it to set1 and since set2 is right-shifted by one it replaces it with the right-shifted character. At least that's how I understand it. Better than before cause it was legit just magic for me for a bit lol!!! thanks again @fathom pendant
Has anyone here done and/or finished Intro to C2 w/ Sliver? I’ve been stuck for a bit on the first question of the assessment. I’ve tried seatbelt, winpeas, kerberoasting, no luck so far. I appreciate any nudge or pointed in the right direction to look! Thanks
Is the Vulnerability Assessment module out of date? The VM does not have Nessus preinstalled, and there's no scan file for me to use if I don't want to wait for the scan to finish like the module says.
Nessus is running on the target, but have a read back and pay attention to port numbers 🙂
Fair to be said, perhaps that port number should be included on the target string provided
Note that the Pwnbox you spawn is not the target - down where you fill in the answers, there is another Spawn button to spawn the target
Forgot about that
Just tested; it is indeed running on the default port (the port mentioned in a previous section) on the target.
Yup me too, and got the answer (go me)
great job g0blin, maybe one day you can be a pentester too 😛
The module says to run the scan against the Windows target, so do I SSH to the target and run it on the Windows machine, or run Nessus on the Parrot machine against the target?
You don't need to run a scan - the results will be there waiting for you within Nessus once you have logged in
Nessus is running on the target, from the target you attack the specified IP
You can run a scan
the scan takes a long ass time
But there's one already populated, so you don't have to wait the 40+ minutes for the scan
i was going to do it but just ended up using the prefilled data
How do I remote in to the Nessus session running on the "target" now that it's spawned in? The lab gave instructions for running it myself, like I would access it from the normal desktop environment.
Navigate to the target's Nessus web interface and attack the attack target from there.
VM/Pwnbox -> target box (the thing you spawn that provides an IP) -> internal IP to attack
Nessus is running on the target, which you can access from the Pwnbox/VM, and which also has a second network interface connected to the internal network for your victim box.
https://target_ip:nessus_port
I got it
From there you're connected to the spawned 10.129.x.x nessus service
And the 10.129.x.x device has an interface, as Nut said, that connects it to the 172.16.x.x or w/e internal ip
I just got back into working through the modules now that college is slowing down for a bit, and I forgot how HTB Academy has a different way of conveying instructions than I am used to.
Understandable; most of the time you use the VM/Pwnbox to initiate attacks
or scans.
Do targets get stuck spawning sometimes? The OpenVAS target has been spawning for almost 20 mins.
You can Ctrl+F5 and try again. However, recently there have been problems all over, especially with modules that have another internal network and boxes. If refreshing with Ctrl+F5 doesn't allow you to spawn it, try changing your region entirely (EU -> US or US -> EU).
Ctrl f5 refreshed my attack vm and it cancelled the target so I'll wait and see what happens
yeah probably a region issue then
What version of the SMB server is running on the target system? Submit the entire banner as the answer
Why is every answer to this wrong?
I tried smbclient -L -N //<ip>
I got SMB v3.1 but it says the answer is wrong.
InFreight SMB v3.1
Isn't this the right answer?
It's asking for the version that nmap outputs
I also used nmap:
nmap --script banner <ip> -p 445
and nmap --script smb-os-discovery <ip> -p 445
There's an example in the section that will provide the result you're seeking
Also future note, it makes it easier to provide the module/section that you're working on
Do I have to reset the IP and try again?
Make sure you don't have any white space before or after your answer
okay thanks
Also delete this as it is a spoiler
Hi, how do I compile this Git project using VS Code?
https://github.com/itm4n/UsoDllLoader
thanks
Use the big boi MSVC in Visual Studio to compile.
excuse me? we can go lil bro
Also random, but what is GitHub? And how do I work it?
It's just a long list of files; I don't know what to do.
Module: INFORMATION GATHERING - WEB EDITION
I was on the main HackTheBox platform working on a medium machine, trying to perform subdomain enumeration. In the module I've mentioned it talks about subdomain enumeration and vhost discovery. Under the active subdomain enumeration section of the module, it uses the tool GoBuster. And in the following section it uses ffuf for Virtual host discovery.
Can someone explain the difference between the two to me? From my understanding vhosts and subdomains follow the same format (<subdomain>.<second-level-domain>.<tld>) and vhosts have the same IP address as the domain but subdomains may not. Please correct me if I'm wrong.
Oh hi menace bunny... bruv, I don't need the entire history, just how to do the file thingies.
The term vHost or virtual host refers to the practice of running more than one website on a single server. This is often done on a name basis, i.e. with a subdomain.
A subdomain is an address that is easy for people to remember.
I recommend you spend several hours playing with Git and Github. You will need it again and again
Thanks, but what's the difference between the functionality of ffuf and gobuster? Like when do I use what?
Both are fuzzers. Use whichever you like better.
Please correct my understanding if I'm wrong. gobuster uses a wordlist to generate subdomain names and then confirms their existence with the use of DNS? Whereas ffuf uses a wordlist to generate subdomain names and then confirms their existence by making a request to the URL?
dnsmap can also be used for subdomain enum, right?
DNS has nothing directly to do with vHosts.
You can enter various subdomains in the DNS, but these do not point to a website.
For example, a subdomain could be ns1.example.com. This subdomain would then presumably be assigned to a name server.
For a mail server, you could enter a subdomain such as mail.example.com in the DNS.
Depending on what you are looking for, you can query DNS or vHosts
Hi I am doing Pivoting Skills Assessment exercise. I have access to a domain joined Windows server. The domain is INLANEFREIGHT.LOCAL. From this Windows server, I am trying to find the domain controller. I have tried echo %LOGONSERVER%, Get-ADDomainController -DomainName INLANEFREIGHT.LOCAL, nltest /dsgetdc:INLANEFREIGHT.LOCAL, but none of these give me the Domain Controller.
Got it.
Can anyone help me on how I can find the domain controller
I'm just trying to perform subdomain enumeration on a HTB machine. Am I not supposed to use gobuster's DNS mode for it?
Those should do it; what did they give you?
The exercise is not asking for it. I am trying it on my own
Cuz under the man file it states "DNS subdomain brute-forcing mode" which I don't quite understand what it means by that.
It depends on which services are running and which ports are open
So you mean the above commands should give the domain controller? I am logged in as a local user. Maybe that's the reason I am not getting the domain controller?
The computer itself will have to be domain-joined at least.
I've been told that it's on the default port 80 that I should perform subdomain enum.
If you have the domain name you can try nslookup.
This is the command I used.
```
ffuf -w /usr/share/SecLists/Discovery/DNS/subdomains-top1million-20000.txt -u http://10.10.11.13 -H "HOST: FUZZ.runner.htb" -fs 154
```
When running Get-ComputerInfo command in powershell, I get the output:
CsDomain : INLANEFREIGHT.LOCAL
This means that the computer is domain-joined right?
Then search for vHosts
Module: Broken Authentication
Section: predictable Reset Token
I have translated the time that it shows me to epoch time with the milliseconds, then hashed it with MD5 and tried the script that comes with the section; none of them are working. Do I have to do something with the script?
So nothing's wrong with my command? I just need to use a different wordlist. Thanks
But it will lookup the global domains, won't it? I don't believe INLANEFREIGHT.LOCAL is registered globally
If -fs 154 is correct, it should work.
Well, if it's domain-joined then it will use the domain's DNS server, and it will usually reply with the DC's IP.
Also, nltest should do it.
Sorry, but could you confirm something for me? This command has the same functionality as my previous ffuf command?
```
gobuster dns -q -d "runner.htb" -w "/usr/share/SecLists/Discovery/DNS/subdomains-top1million-20000.txt"
```
Can you please give me the command? I have tried it but it gives me error ERROR_NO_SUCH_DOMAIN
I'm pretty sure it should be since I got a bunch of output that was that size. But I'll double confirm thx.
It's just nslookup domain.name
or just nslookup, and it should tell you the DNS server.
Is it possible that I am not getting the domain controller due to connectivity issue?
Like the Windows server I am currently accessing is not connected to DC at the moment?
How do I "sweep the subnet", you mean like ping sweep?
ping, nmap, netexec, etc.
Thanks, man.
Can anyone help me with an error I encounter while trying to do the Print Spooler and NTLM Relaying section, please? I want to use impacket-ntlmrelayx followed by dementor, but when I try to do so the output from impacket-ntlmrelayx is the following: ^^^. Thanks!
Can't give more info without the commands you used, but "wrong password".
I'm doing a box on the main platform and currently trying to perform subdomain enumeration. I used the following ffuf command and found a subdomain.
ffuf -w subdomains.list -u http://10.10.11.13 -H "HOST: FUZZ.box.htb" -fs 154
Does anyone know how I can do the same using gobuster and/or dnsmap?
I have tried the following gobuster command but it did not output the subdomain. I have confirmed that the subdomain I'm expecting in the output is part of the wordlist (subdomains.list)
gobuster dns -d box.htb -w subdomians.list
better ask in #boxes
With your ffuf command you check the vHosts.
But with gobuster you want to query DNS.
This is not the same thing.
Module: Attacking Web Applications with Ffuf > Skills Assessment - Web Fuzzing
Currently on question 3, which states "One of the pages you will identify should say 'You don't have access!'. What is the full page URL?"
I am struggling to find it. I have plenty of valid urls which return 403 Forbidden but they apparently arent the correct answer.
This is the command I am currently using to try and find this: ffuf -w /opt/useful/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://archive.academy.htb:35303/FUZZ -recursion -recursion-depth 2 -e .phps -v
Am I doing anything wrong here?
Thanks for clarifying.
What other tool would you recommend for subdomain enumeration?
In the Windows Privilege Escalation module, Pillaging section, I need to transfer the file cookies.sqlite to my host. I tried scp and sftp but it does not work. How can I transfer the file?
Use one of the methods from the File Transfers module.
Also, if you are on a Windows host and neither an SSH- nor an FTP-related service is installed, why would you rely on them?
the fuck is lagging, just awful...
Swearing doesn't make the machine go any faster. If you have problems with the performance, contact support
To find vHosts, I would use ffuf.
I tried to transfer it with an SMB share, but it does not work. I started the share and tried to copy; after the command the file has size 0 on my Windows machine and also size 0 on my Linux machine.
Transferring files is not my strength 😂
Copy what?
Uploading a local file to the share.
When you copy \\IP\share\file, this is downloading the file from the share and outputting it to the current directory.
You are right, lol, missed the file. Stupid 😉
Having trouble transferring shadow.bak and passwd.bak to my attack machine. Struggling, as the host doesn't have simple-server, uploadserver, etc. on the machine. I'm connected via SSH, but it keeps timing out when I try to use scp to transfer. I figured I could just take the code for SimpleHTTPServerWithUpload.py from GitHub, save it on the machine as SimpleHTTPServerWithUpload.py using vim, and then move it to /usr/bin/python3, but I don't have the permissions to move it there. Any ideas?
Edit: Got it. I had been using scp on the victim machine instead of my attacking host.
I'm revisiting the Pivoting skills assessment. I can't figure out why this won't work from my VM, but when tested with support via Pwnbox the proxychains RDP worked. I can proxychains-scan the target box. Everything is set up through msf and is in line with the solutions, so it should work.
```
proxychains nmap 172.16.5.35 -Pn -sT -p3389
PORT     STATE SERVICE
3389/tcp open  ms-wbt-server
```
xfreerdp fails even after accepting the cert.
Anyone have a similar issue?
How do I tell the admin about an error? Login Brute Forcing, last Skills Assessment: I can't connect to the IP address. I tried on my VM and on Pwnbox.
You can try to increase the /timeout and/or set /network:modem. It should be mentioned in one of those sections too.
I'll try that, thanks
Wrong port again? 😛
Hi all, for Windows Privilege Escalation - Citrix Breakout, I am getting "An error occurred while making the requested connection." when starting the Default Desktop. https://forum.hackthebox.com/t/htb-academy-windows-privilege-escalation-citrix-outbreak/314777 Has anyone faced this before?
What's the address that you put in your browser?
It's not. Read the lines below the IP ... And the question also specifies the type of server...
Are links to modules/paths broken for anyone else?
Works here. Any extension blocking scripts?
I checked that but I get the same behavior in incognito. I'll need to check if my pihole is maybe blocking some stuff
Try it yourself and see for yourself
@past kite this
@bright coral https://academy.hackthebox.com/module/57/section/516
Please read the last sentence of the first question. You cannot access that with a browser.
I will eat a hat if you can get a web page to load for that skill assessment only from spawning the target.
ahahahah, okay, thanks. brothers))
Hello, total noob here. Can anyone tell me how I can find the TARGETURI to set in Metasploit?
What module and section is that?
DNS Tunneling with Dnscat2 from Pivoting module
Knowledge check in the getting started section
It's the getting started module*
You don't need to change the URI;
it's fine at its default.
But in general, to set an msfconsole option for an exploit, it's set OPTION value.
A lot of times you only need to worry about:
doesn't that mean I need to set it?
RHOST, RPORT, LHOST,LPORT
The URI is already set
if it was blank, it wouldn't be set
/ means http://10.129.9.76/ is the base path.
Oh OK, sorry, I thought you'd need to have the name of a directory of some kind. I'm going to try going forth with that. Thank you very much for your clear answers.
If you set /pages/ then it would be http://10.129.9.76/pages/
The module is all about keeping it simple,
nothing beyond surface-level digging.
What should I type to change the LHOST address in the payload?
Is it "set payload LHOST 'address'"?
Ok thanks !
understood
Hello all, I am in the “Network Enumeration with NMAP” module in the medium lab section. My initial scans were being filtered and I took some time to research issues I was having with spoofing the source IP. About 45 minutes later I returned to find that my scans are no longer being filtered and I answered the question for the section. Was this intended at the beginning or did I glitch it out by waiting somehow?
I have another question: I've been running a -p- nmap scan and it's been half an hour. Is this normal, or did something bug out?
Don't spoof.
Add -T4 to your nmap scan.
I'm not seeing anything wrong with your commands. Are you running PowerShell as administrator?
Have you tried restarting the box or possibly a different VPN server?
will do
With SYN scans they can get caught in loops and auto-readjust their retries and timers
on default.
-T4 sets a limit, iirc,
but it's more aggressive timing overall.
Yes, I am running as administrator.
I got that off of the Google results. I was confused because my original scan “sudo nmap <ip> -p53 -Pn -n” was filtered when I first tried, then 45 minutes later was giving me the flag.
Sometimes it's just dumb,
but spoofing isn't required.
I didn't have to spoof at all.
It came back filtered because you got "blocked", which sets something like a 5-10 minute timer before you can try again.
Ok cool, so I didn’t circumvent the lab’s intent. Thanks!
Hello, why do I have a black screen in this section??? https://academy.hackthebox.com/module/143/section/1360
Press Enter.
For the hundredth time regarding this.
thx
SQL injection module might need a look. Skills assessment took 3 resets to get a system that had a non-empty flag file
Still stuck on this if anyone is able to point me in the right direction 🙂
@fathom pendant can you help on this
Does anybody know why it won't let me wget LinEnum?
Or if I did, I blocked it from my memory.
Because you're trying to write it to the filesystem root.
Hey, can anyone help with the Web Attacks advanced file disclosure? Not sure how to create the DTD; I've read through the module sooo many times, I don't get it!
You might want to check your extensions; also, a 403 is not the same as a page saying you don't have access.
/ is the root of the filesystem; it is write-protected.
How do I know where I should write it?
Well, /tmp/ is always world-writable.
OK thanks, I'll try that!
meant to hit reply, my bad
Will try some other extensions 🙂
You can match a regex to match the string.
Also, as Rad said, your extension list is missing some extensions.
👀 I'll have to see if I can figure out how to do that; I'm assuming it's in the previous text of the module?
It's not hard,
just -mr "Text/regex".
Since you have the text you're looking for,
you should be able to filter results by that then.
Also, as an FYI,
whenever you get a bunch of results,
you should probably be filtering out those response sizes,
since they're all going to be the same size; it can be safely assumed it's a default page of sorts.
While I am here, is there a way to search for a file called user.txt through the command line instead of having to explore each directory?
man find
thank you !
In the Pivoting skills assessment, what did you guys use to crack the NTLM hash of user vf....? I got the lsass.dmp file, tried using rockyou.txt and the mutated password list from the Password Attacks module, and also tried xato-net-10-million.
I don't think the password is part of the common lists. You might have to look into the different commands for mimikatz 😉
Sometimes it's right in front of you and you miss it.
@jolly trout
Hi there! I am working on Cracking into Hack the Box skill path and I got stuck at Public Exploits exercise. Is this a correct place to ask for direction to help me get unstuck? 🙏
What module?
Getting Started?
If so: just view the webpage 😄
Then from there you should be able to search for an appropriate exploit 😉
Yes, Getting Started, Cracking into Hack the Box... the topic is Public Exploits.
As I said,
just view the webpage
and go off that info.
You don't need to specify the path you're doing, btw;
just the module name and section are enough,
as modules aren't directly tied to their paths.
You can even do a module without being enrolled in a path.
OK, thanks! Will try to go off from here. Because I used nmap, whatweb and curl to get some info, so I could search for the exploit using msf, but I couldn't get anywhere.
Well, because you're likely looking at the wrong thing.
The webpage directly tells you what plugin is being used.
Web browsers are also a tool you can use.
In the DnsAdmins section of Windows Privilege Escalation, I had gotten the netadm user into the Domain Admins group, but I wasn't able to read the flag.txt until I opened another session using evil-winrm. Is there a reason for this?
For the error when using hashcat:
'CL_BUILD_PROGRAM_FAILURE' and 'Device #1: Kernel /usr/share/hashcat/OpenCL/shared.cl build failed.'
I found this comment on a page and it worked for me:
Using Hashcat on a VM with your AMD CPU, you just need to install POCL by using the following command : sudo apt install pocl-opencl-icd. It works just fine!!
So, I have figured out that I need to use simple backup file read exploit, which when I set with correct host and port it downloaded for me simplebackup.txt file
For interactive sessions the group membership is evaluated during logon, so in order to access local resources that require a certain group membership you have to re-log.
Well, if you read the file it should seem interesting; don't forget to check the options of the msfconsole exploit you use.
There are some interesting things, but I am trying to figure out what to do with them 😅
Well, read the file it downloaded and figure out what you might need to change.
The question tells you where the flag is.
Use the VM in the "Introduction" section (EVASION-DEV).
Oh, of course... I forgot to put .txt when setting the path :/ Thanks for the directions, really appreciate it.
I am having this exact problem. Did you find out what is wrong?
I installed the gcc compiler but I need some more help compiling this project.
https://github.com/itm4n/UsoDllLoader
Potentially your AV is deleting the EXE as it's detecting it as malware.
Just a thought, though,
given the error being "file.exe" does not exist.
Can I compile it in Pwnbox?
¯\_(ツ)_/¯
It looks like it's meant to be compiled in Windows.
I suggest adding the file(s) to an exclusion list for Defender.
literally 70
¯\_(ツ)_/¯
bro how have you not finished this
its a lot of reading and my attention span averages a few minutes
oh my god
i can tell
its 70
Bro they are credits
one small issue
Not boxes
they are cubes
not boxes
cubes
oh so whats a box
Whatever
A machine
boxes are the main lab site's machines
Made purposefully vulnerable
that's what's referred to as a box
For you to hack
Mine doesn't show machines... do I have to pay or something?
Bro, please cut us some slack and watch an introduction to HTB video.
No
different site
You need to sign into HTB machines
marcie how do u do it 😭
https://app.hackthebox.com has the machines.
https://academy.hackthebox.com has the learning.
slash google
guys i already knew this ik everything remember
Yeah
then finish networking module
it's free* to a point
tier 0 modules are the free modules
after that it's a pay to learn system
Oh ok
Relatively affordable compared to most other platforms ¯\_(ツ)_/¯
gayyy
I tried both, the result is the same. I am downloading Visual Studio to see if it makes any difference.
that's homophobic
Do you increase your rank by doing academy as well?
me fr
thats what im wondering
no, only active machines and challenges increase rank
Oh ok
they are separate sites, so progression is not linked in anyway
rank on HTB is a reflection of %active content you've done at some point
marcie use your skills to link them
Not something I can do ¯\_(ツ)_/¯
arent you a mod?
that's up to HTB if they even want to implement something like that
even if I were mod, still nothing I can do
yh so go tell them
"¯\_(ツ)_/¯" I am saving this.
mod != staff
it's just /shrug
┬─┬ノ( º _ ºノ)
¯\_(ツ)_/¯
did you just unflip my table
you just assumed my gender
╱╱▏┈┈╱╱╱╱▏╱╱▏
▇╱▏┈┈▇▇▇╱▏▇╱▏
▇╱▏▁┈▇╱▇╱▏▇╱▏▁
▇╱╱╱▏▇╱▇╱▏▇╱╱╱
▇▇▇╱┈▇▇▇╱┈▇▇▇╱
dude thats deep
anyway, we're straying far off-topic
Footprinting - DNS - What is the FQDN of the host where the last octet ends with "x.x.x.203"?
I'm stuck on this question. I've been brute-forcing subdomains for 30 minutes using the wordlist /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-110000.txt, but that one didn't come up?
subdomains of subdomains
make sure you have an accurate list of base subdomains to go with
Yes, I was using the wrong template in Visual Studio.
dig axfr inlanefreight.htb @target_IP <- start with this to get your subdomain list.
You must use the template with .NET Framework in the name.
then ?
Use that list with dnsenum
Hey y'all. I'm waiting for the support team, but I figured throwing my question in here may help as well. I'm on Starting Point, Tier 2, Archetype, and trying to execute sudo python3 -m http.server 80 and getting an OSError: [Errno 98] Address already in use. Any way to get past that without killing the machine?
It's that simple
Wrong channel
ok sir
crap, sorry. where would be the right channel?
#starting-point ; read and follow #welcome to access
Also, to cut time: it's because Pwnbox serves VNC on port 80. Use an alternate port like 8080.
OK, Thanks. I am using the right template, then. I'll dig further into this. Did you use the same payload as in the lecture?
In the first skills assessment for Attacking Common Apps I managed to get to basic command execution by following a blog post; however, my shell only executes the dir command. I tried specifying the full paths of the binary I want to execute, however nothing of that nature works for me. Any tips would be appreciated.
BTW, I have also tried URL-encoding my payloads.
Erm, I think I might've found an error with the flags on vHosts inside Information Gathering, where a flag 4 string is actually submitted and marked correct on flag 3. So the flag actually has the HTB{flag fourSOMESTRINGHERE} format. Should I put it in erratum, even though it would share the flag?
This is a known thing and just funny
It's not really an error since you found it on the flag 3 host
Most people don't pay enough attention anyway
Ah yeah, it threw me off, because I submitted to flag four thinking the string was a true flag 4 flag.
The goof, thank you 🙂
As long as it's intentional!
Investigate all records for the domain "inlanefreight.com" with the help of dig or nslookup and submit the one unique record in double quotes as the answer.
I am trying to solve this question.
I have found that it is the ||SPF|| record,
but it is not being accepted as the answer.
Am I missing something? I have enumerated all the other records and found nothing interesting.
Yup
Not enough info given, also looks like you're using the GUI on Windows?
yes
i just got connected with starting point vpn
Well generally you want to connect in a linux vm via the command sudo openvpn <file>
Also this channel isn't for starting-point machines
oops
There's #starting-point for that
im sorry
There's also a help article related to getting connected
Learn how to connect to the VPN and access Machines on HTB Labs.
Hi
@fathom pendant sorry for ping, but is there any way I can make the xfreerdp connection not be so bad? I've tried pwnbox, different regions, new vpns. Every single time it'll first start blue screen windows then freeze and close after like 20 minutes, then it'll open and freeze on desktop. It just keeps freezing and disconnecting.
Tcp vpn
Otherwise contact support my guy
im in Attacking LSASS Password Attacks and im trying To Solve This Question ( Apply the concepts taught in this section to obtain the password to the Vendor user account on the target. Submit the clear-text password as the answer. (Format: Case sensitive) ) i tried everything Possible after Creating dumpFile For The LSASS and Transfer it to my Local Machine i tried to use pypykatz to extract The Credentials im only Getting Errors even after reinstall the tool
i only get few lines of INFO Then alot of errors
If you want anyone to potentially help you you really have to give more info, like a screenshot of the errors
i dont think i can share a screenshot
How Can i share a screenshot ?
This is the command i used ( pypykatz lsa minidump /home/kali/Desktop/htb/HackTheBoxAcademy/Modules/PasswordAttacks/AttackingLSASS/lsass.DMP )
how long is AEN blind supposed to take on average
On discord you can just copy paste an image or drag & drop it in the chat, and if it's about taking screenshots there are many tools, ksnip is one of them if you use linux
The command is the right one, although I see .dmp in lowercase
i tried i use light shot
i cant send the full command here for some reason, i will send it to your dm
You can't share screenshots since your account isn't linked see #welcome
for detailed walkthrough in the report do u also include the way u got a foothold into the internal network instead of starting from the internal network?
yea it aint work, I'll have to contact them, thanks for the help tho.
Well a foothold is necessary, no?
yeah it is, i was just following the cpts format and they didnt say include the foothold or anything
hey i dont get how to work this question: Use NSE and its scripts to find the flag that one of the services contain and submit it as the answer.
NSE-- nmap scripting environment
Aka use nmap scripts
¯\_(ツ)_/¯
Don't ask. Just do
I will not give a yes/no answer, work it out on your own
i got an "answer"
Try, fail, ask better questions
Also sometimes some environments work better in pwnbox than vm
Same exact syntax, tools, etc
so i did smth and i got smth like this http-enum: /robots.txt
nmap 10.129.165.146 -p80 --script vuln <--this is what i did
this was my output:
```
Starting Nmap 7.93 ( https://nmap.org ) at 2024-06-06 20:00 BST
Nmap scan report for 10.129.165.146
Host is up (0.075s latency).
PORT   STATE SERVICE
80/tcp open  http
| http-enum:
|_  /robots.txt: Robots file
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-vuln-cve2014-3704: ERROR: Script execution failed (use -d to debug)
Nmap done: 1 IP address (1 host up) scanned in 37.97 seconds
```
How do I gain a ssh shell to my pwnbox instance? before the credentials file used to have the host address now I cannot find it. I want to transfer binaries from my local machine to pwnbox
thats part of the journey
true 😔
when you are lost calm your mind
look at the task at hand
then think what you need to get the answer
ok i need to find a flag that one of the services contains. now how do i look and see which one has the flag
whats the task?
Use NSE and its scripts to find the flag that one of the services contain and submit it as the answer.
well when you do not know what to look for try looking into everything
idk how to look in them
now that you have to ask google
Well did you try visiting the webpage /robots.txt?
Port 80 is default http yeah?
yh
So
Did you try visiting the page itself
Since it's saying there's a robots.txt page
http://ip/resource
so for me... http://10.129.165.146/robots.txt??
Don't ask me
marcie any help?
Do it and come back if it doesn't work
ip a
And did you use the creds in the pwnbox credentials text file?
yes
¯\_(ツ)_/¯
any other way to transfer binaries to pwnbox
You're sure the password is on your clipboard when you paste it
let me try again
Just download them
for the skill assessment of windows priv esc I have to build them
using visual studio
Well; the creds on the desktop should work
¯\_(ツ)_/¯
If not then message support, I can't help you with this my guy
any tips with this exploit?
this was the one shown in the module
ohk
I had the same issue. When I use "proxychains xfreerdp ...", I see the traffic sent across my VPN tunnel (tun0). However, when I use "proxychains nmap ..." I see the traffic sent over my external (eth0) interface. Not sure why that is happening.
Is your proxychain set up properly?
Also using msf as your proxy connection is a pain
Is msf using your tun0 ip for it's listening/forwarding?
proxychains msf sends the traffic over tun0: [*] 172.16.5.19:3389 - Detected RDP on 172.16.5.19:3389 (name:DC01) (domain:INLANEFREIGHT) (domain_fqdn:inlanefreight.local) (server_fqdn:DC01.inlanefreight.local) (os_version:10.0.17763) (Requires NLA: No). proxychains xfreerdp connects over tun0 through the Ubuntu jump host to the Windows host. The only thing not working is proxychains nmap.