#modules

I highly suggest stepping through each command step by step

so you can really see what it's doing

So I'm working on Attacking Common Applications -> Attacking ColdFusion. I have the reverse shell and I cannot figure out for the life of me how to figure out the user running ColdFusion. Whoami and netstat and tasklist are not giving me the answer and I'm not sure where else to check. I also checked the logs.

Hello, I'm currently working on the bloodhound module. I'm at the first set of questions, but it's not letting me get the info I need.

• cannot collect info with bloodhound.py like in the guides, because I cannot connect to the IP. (I'm using pwnbox)
• The questions also include BH.zip files, but when uploading to bloodhound it says they are invalid json files. (I tried on VM and host machine)
  Am I missing something? Any help would be appreciated!

should work with one of the commands u mentioned, anyways dm is open

ive done most of it so far

cat sourcecodefile.txt | grep -E "src|href" | tr " " "\n"|sort -u| column

still some issues but im getting there

i mean you don't need to output to a file

also for extended grep you'll need to wrap in parenthesis for or statements

Match (A|B)

is there a grep option that allows me to query data that has a certain ammount of things?

also i recommend one of the commands from the replies to the post

no

So in this case data that has src, href, and the url

grep is an all or nothing

grep -E "(src|href|url)"

also it requires some knowledge of html coding to know what it's doing

curl -s https://www.inlanefreight.com | tr -d \'\" | grep -o -E "(href|url|src)=[^ >]+" | cut -d '=' -f 2 | grep -vE ".*(defer|\.org|google|themeansar).*" | cut -d "?" -f 1 | sort | uniq | tee /dev/stderr | wc -l

this is the command I recommend ^

see the forum article I linked for the explanation of each step

Shouldnt I be coming up with the command myself?

but thank you ill check it out and try to understand it

ah so many different options, itll be a pain to learn them all

this is one of the few times i'd recommend just grabbing it from the forum

it makes me think when someone ask a simple question on stackoverflow and they get an intricate command full of pipes and special characters in return : D

the command is explained in the forum article I linked

¯_(ツ)_/¯

i just didn't want to wall of text

i find it fascinating

and if you really want to see what it's doing, just pipe it one at a time

those things get me lost [^ >]+"

well ok, debut of line, space, greater than?

anything that's not >

within the brackets the ^ acts as a negation operator

https://www.rexegg.com/regex-quickstart.php

the + after means match everything/greedy

[^ >]+ translates to "grab every character that isn't > (until you hit the >)

as opposed to * which is 0 or more, + means there needs to be at least one instance

https://www.rexegg.com/regex-quickstart.php#anchors <--

the " at the end there is because the expression is just wrapped in doublequotes

https://regexr.com/

Going to simply use the forum command, tried and failed

cat sourcecodefile.txt | grep "inlanefreight"| tr " " "\n" | column | sort -u| cut -d"=" sourcecodefile.txt

Useful tool to learn Regex magic 🙂

because it's searching for "(href OR src OR url)=[all characters to end of bracket]"

thanks, i'll have to give a few days studying regex, because it is still a bit obscure to me. it was one of my first academy module i remember spending quite some time playing with it, but the command i crafted didnt contain regex

if you notice it's grabbing the html elements

I wanted to find text with inlanefreight, sort columize it and break lines, then get rid of all text after =

and html elements are wrapped in <>

you don't need to columnize it btw

shouldve given me only the url

yeah

cat htb.txt | tr ' ' '\n' | tr '>' ' ' | grep https://.*.hackthebox.com/ | tr '"' "'" | cut -d "'" -f2 | sort | uniq

you only need to do the sort part at the end

buit it is not as elegant

was my idea somewhat on the nose? getting rid of all text before =

somewhat

after I had created line breaks

you're just missing one key thing for html

urls are either passed in via: href, src, url (a href, a src, a url) or something like that

url is literally the term url

it's telling whatever element it's bound to that's the url it's linked to

you know you can just do tr -d to delete elements instead of replacing with spaces yeah?

maybe if i retry it now i would approach it differently

it's why the command i showed uses tr -d \'\" it's deleting the quote characters

also you can just escape quotes and such with \

instead of doing '"' and "'"

ok thats noted. thanks

same for any special character

that way bash doesn't interpret it as " and says you're missing things

Ok so it's gotta be my laptop, web stuff keeps timing me out. Nmap and privesc doesn't give me errors or anything but gobuster or whatweb and stuff like that works like 10% of times

if you're in a vm, use bridged mode; it's likely some protection causing the packets to be throttled for bandwidth

could also be filtering with your router? ive had some issues with this as i have filters attached to my router (mostly for DNS loaded with Firebog lists)

i don't have a filter with my router; using NAT mode forced my bandwidth down

likely some botnet protections on the router; i mean it's not normal to send 100s of packets to a random ip and port directly

i haven't dug into the settings

ah, right. that makes sense. my filtering was part of my homelab experiments a while ago. with private IPs its fine though, public IPs with some of our exercises it has problems.

yeah a fair bit of the web exercises uses a public_IP:port

hahaha yea, that would be a big abnormal. i found that using the AnonSurf on parrot helped with my problems for some cases (in others, it made it worse)

i had similar issues until i went into my router settings, was blocking sql injection codes and hendering a lot of things

AnonSurf for the public IP exercises, and no AnonSurf for private/VPN

ahhhh that will do it. ive been meaning to take a deeper look into mine. i should poke around a bit more.

for some reason routers don't want you sending a bunch of packets 🤔

though tbf most bounties will have you limit your threading anyway

well its malware call-back functions that are being intercepted prob

nope

ill be upgrading my router/firewall setup in the future.

not for fuzzing apps like gobuster/ffuf

it affected my ffuf :/

yeah

ffuf isn't a malware call-back

that was my point

lol

it's detecting an abnormal number of outgoing packets

ya two seperate things, but my point is the protection was an all around thing

ye

i guess in these circumstances, wouldnt a VPN solve a few of these issues, depending on where your termination point is.

depends on your router settings

PIVOTING, TUNNELING, AND PORT FORWARDING > Branching Out Our Tunnels > SOCKS5 Tunneling with Chisel > Question 1
https://academy.hackthebox.com/module/158/section/1437

What do I do in response to this error? I used go build on my host pwnbox machine before transferring chisel to the ubuntu target using scp.

I'm currently stuck on the Assembly Language skill assessment, I was hoping someone could take a look at my assembly code and maybe point me in the direction where I'm going wrong.

you'll need an older glibc version

or you'll need to compile statically/or just grab one of the old releases

Ok thank you

your glibc will not match the target glibc

Sry I don't fully understand how it would solve the problem, for what I understand a bridged connecting gives the VM it's own ip but wouldn't most filtering occur in my home router? Like wouldn't the problem still occur since all the packets would pass through it?

just trust

it worked for me and many others

it's due to how networking works

idk all the specifics of why it works

all I know is: I switched --> it worked

👍

Yea yea ofc it's that I developed this mentality of having to understand every step I do with hacking/networking and stuff like that

honestly the more you try and dive into every step the longer it'll take to learn

and some things are just not worth looking into

Doesn't it give you a deeper understanding? I started doing this when learning languages and It worked why not with hacking?

the deeper you try and dig into how it works the less you'll actually learn

most stuff is fine to dig a little into, but at some point you're diving into the bytecode and sockets where it's not beneficial to know

Hi team! I already got shell and check what is the service user run coldfusion but Why it got wrong answer?
Is this broken or something?

Got it

Thx

it's not saying what is the service user, just what user is running the service

Yaa, I got it. But why is still wrong answer?

I already check on the tasklist

make sure no extra spaces in your answer

I do

it also helps to include the module and section name

that way people aren't just shooting in the dark to try and help you

Here it is the module

also the answer is likely expecting domain\user

not just user

it helps to type it out in case someone in the future needs help with the same thing

I already submit that, but nothing

stil wrong answer

so you submitted a*\t*

wt... Ok lowercase just got me crazy

thank you btw

Got it

after all the example tools, look into ligolo-ng

much more based

Thanks, Ligolo is my favorite for pivoting and tunneling.

you can use it for all these exercises btw

there's no strict requirement to use the suggested tool

pivoting is pivoting after all

I changed the VM connection to bridged, I disabled every other network connection but my wifi from the VM and i connected to htb vpn. The websites don't load at all, and when I do whatweb <ip address> it says "no route to host"

But connection to others websites works like Amazon

Hi @fathom pendant, can you give me suggestions about module "Exploiting Web Vulnerabilities in Thick-Client Applications".
While I'm trying to do java -cp client.jar client.jar.src......java.

I always stuck on the error "cannot find symbols". Any references for this?

haven't done this module tbh

look up the walkthrough for fatty

that's what this lab is based off of

Ya, I already check all of that and the forum htb, but I think other people have no issue with that.
I'm still trying to find out

So it works on the workstation but not on my VM @fathom pendant do u know what it could be?

Hyee

Hi guys what is this

the high, medium, low load and why do I have to change ?

It's a list of the available VPN servers.

It's showing the current load on each server, and the recommended server.

yea, I wanna use EU cos im in UK but its recommending me to switch

sorry what does it mean by load?

like how many ppl are on it?

Yes

thanks

attacking Thick Clients in the Attacking Common Services....what a rollercoaster. lol

Yo I think it was my wifi, on hotspot I have no problems

This shit is fun

in the Active Directory Trust Attacks Skills Assessment, on the last question, from everything I try I cannot get the mssp.ad or fabricorp.ad domains to show up using Get-DomainTrust -Domain mssp.ad commands, as well trying to do other things with mimikatz etc does not work. Has anyone completed this module that I can DM? It seems like something is broken but I wanted to check my commands to make sure.

it should be pretty obvious, run bh on both domains and find a path

Moduele : ACL Abuse Tactics

I been researching with the CTRL + F in this channel and I saw others had the same issue, I tried resetting the machine and lab and still nothing. Was wondering if anyone had any ideas on why this could be? I do know this is a user on the domain

have you done it then? I am pretty sure I have the right commands but I always get errors. Sharphound also errors on the mssp.ad and fabricorp.ad domains.

Uhh, what?

YES

he is a master hacker

Oh dear, get ready for DMs Candy

NO

😂

Yeah, bye tim

I used bloodhound python iirc

Your error message is right there in red. It says wrong credentials.

did you define $damundsenPassword?

yes

I am changing his password

did you wrap the password in quotes?

yes

well it says wrong creds, so your password is probably wrong

you also need to define two other variables

I'm working through the File Transfer module specifically the Linux section and just playing around, I already completed the questions with multiple approaches. Everytime I try to use the /dev/tcp approach, I only get this error: zsh: no such file or directory: /dev/tcp/10.129.126.22/80. I'm running Kali Linux, so I'm not sure if there is an issue with bash, any ideas?

I think the dev/tcp functionality is a bash specific functionality not ZSH

Got it, I saw the problem

You need to switch to bash to use this feature

Okay, I had tested with a different OS and see that it's working now. Thank you

Mention of zsh gives me PTSD

That OS probably uses a bash shell

I use zsh daily

#general message

oh...

that's an entirely different situation

haha

dm if you can't figure it out

In CBBH path, the "Skills Assessment" for BROKEN AUTHENTICATION has been renewed? I can't find any hints from the entire internet.

You should be able to solve it by going through the sections of the relevant module.

Try to stay away from hints, if you can. Everything you need to solve the module assessments is included in the module content.

Ask for advice if you must, but if you go searching, you may spoil more than you want

I found the entire BROKEN AUTHENTICATION module has been renewed and I have solved all without any hints. But last Skills Assessment is giving me some pain currently.

I found that I can create a new user and I can see a session token is getting generated. But I can't find an attack vector from there. Can you advice what to do? If I at least know I am on the right direction then I will try my best.

I cannot I'm afraid

hello! someone can help me with this ? i tried with the command nmap -p- -sV 10.129.42.254
but is taking a lot of time and i dont recieve an output or answer

While the nmap scan is running press ctrl + v and you'll be able to get the scan stats

like this ?

idk how to resolve this

You could use the -T parameter to adjust the timing template

Check https://linux.die.net/man/1/nmap

I did this but the answer is incorrect

ok i going to try

What's the question

this is

I mean you can see the port telnet is running on, in the results of the scan

Default port for telnet is 23

The question asks for the non default port, which is displayed in the scan

Try reviewing the "Enumerating Users" section

i was trying 2323/tcp

and not tried 2323

Just 2323

Try only the number

thank you so much jaja

TCP is the protocol

Lol

https://tenor.com/view/well-there-it-is-jeff-goldblum-gif-14058551

that was my horrible comprension of english jajaja
first i undertand the version, not the port

and now i get it

thank you!

Every day is a school day!

Yes

Sigue asi amigo comence el curso de Pentester aprendiendo igual ingles, y mejore mucho gracias a eso.
Nice work!

eso me motiva!! estoy haciendo todo en ingles y cuesta un poco pero le estoy metiendo a full y de paso aprendo ingles jaja

English please 🙂

hi everyone, I'm having trouble with the Attacking Domain Trusts - Child -> Parent Trusts - from Windows module's lab - it seems to be showing that the target domain controller doesn't exist. I've tried rebooting instances & swapping my VPN server same issue :/ anyone able to assist please?

try c$ instead of c:

sorry that was one of my failed attempts to make it work - same issue with c$

might work with IP address

nvm same issue

did you create a golden ticket

yep

show me what klist says

what I don't understand though is I can ping the target

and even if I hadn't created the golden ticket shouldn't it show an auth error instead of just that it doesn't exist?

well show the command that works

let me see the error there

you could try ip though sure

the font is super blurry for the PS errors unsure why

so I pinged it successfully & get a different error if I try to list C: on the target with the server name vs IP address

what if you try nslookup on the host

seems to have been an issue for someone else back in Aug 2023 haha

nslookup the host not the ip

ok idk maybe change vpn regions

as in from US to EU?

I went from US x to US y and no luck 😦

ya us to eu

trying now, let's see....

so just US is broken it seems haha

tyvm @cloud urchin ❤️

just tried it on US5 and it works

https://academy.hackthebox.com/module/77/section/728
the target machine is just spawning forever, where do i report issues like this?
anyone know if HTB uses crowdstrike? xD

change vpn server

how do i do that? i'm on academy and there is just 1 vpn

im not talking about the pwnbox, its the target machine which is stuck spawning

that option is only for labs, i dont see it in academy

Thank you mate. I was able to progress a lot by now. Could you please tell one more thing? Is the otp 3-digit or 5-digit? I have tried 4-digit, but that did not work!

huh it clearly says academy servers there

i found the setting now, thx

that's the hardest part of the skill assessment probably. the answer is within the module i can tell you that..

still, changing the vpn doesn't change the fact that the target machine is stuck spawning

it never finishes spawning and it's been like this since yesterday, if i come back it is still spawning

the button to reset the machine is also not there since it never finished spawning, so i can't reset it

it worked for me , you can go to another section, spawn one there and come back again

i'll try that

I was able to spawn another target at the previous step, went back to this step and it is still spinning

It has been difficult so far, so this is even harder?!
I know it is 2FA bypass, but there should a be trick unlike the module challenge. Because after 3 failed attempts, I am getting redirected to the login page again. So I need to find an automation to do that over and over again. Am I on the right track with that mindset?

welp something is broken for you I guess, contact support, in the meantime just use 94.237.59.63:41313

the ip is different for you than me i think

where do i contact support?

https://help.hackthebox.com/en/articles/5986762-contacting-htb-support

it's a public ip for this section so it's accessible regardless of vpn

that's the last part of the skill assessment i can't really just tell you the answer. just try the methods in the module and you'll get it.

In the Windows Fundamentals assessment section, step 6 mentions disabling inheritance for the Company folder. I did this, and it removed all default groups, which makes sense since they were inherited. After disabling inheritance, they instruct to specify NTFS permissions. Disabling inheritance removes all inherited groups from the Company folder (as shown in the second screenshot). Which group should I assign the permissions to? I assumed it was the HR group mentioned earlier, so I added that group and assigned NTFS permissions. However, the next step shows assigning NTFS permissions by adding the HR group to the subfolder. Since I already assigned NTFS permissions to the parent folder, these permissions reflected on the HR subfolder as well. Why do we need to assign permissions to the subfolder again if they are already inherited from the parent folder? Did I make a mistake in the process?

This is modules 😛

but Iam on the Modules channel

Oops

thats what i was thinking ... had to double heck haha

Sorry 🤣

all good. too vigilant for your own good 😉

I need to get my eyes checked I guess haha

i assume its the weight and responsibility of that blue check mark next to your name 😛

No, I actually thought I was in general still 😅

Sorry @jolly yacht for the mistake 🙂

and i'm not sure freak. im not familiar with that exercise. sorry

No problem. Can you please give me you're insights regarding that doubt?

okay

I haven’t done windows fundamentals yet either, sorry. I’m more a web guy 🙂

you add the HR group and assign them the permissions

read the step 6 instruction directly

Adding the HR security group to the shared Company Data folder and NTFS permissions list

the reason for disabling inheritance is because it also inherits some permissions that you may not want when creating a file

Disabling inheritance allows you to be selective with the groups instead of lazily allowing all parent groups to access the share

Think of it this way: you're ensuring that ONLY HR has access to this subfolder

because say you need to add another group to the share folder permissions; you wouldn't also want them to inherit the permissions

say you need an IT folder; Company Data → IT -- you don't want IT accessing HR shares and vice versa

Company Data → HR
Company Data → IT
in essence you want these separate,

and you don't want to add the IT group to Company shares, and then it inherits down to HR

ohh, Now I understood clearly. Thanks for you're explaination 👍😄

np i've studied a bit of risk management as well and basic cybersecurity concepts (these basic concepts are what you'd find in an exam like Sec+), this operates on the principle of least privilege -- only give what's needed

could I get some help please?
AD Enumeration & Attacks - Skills Assessment Part II

Submit the contents of the flag.txt file on the Administrator Desktop on the MS01 host.
||I have full rights on sq01 and ran mimikatz, have all hashes & default password. I've tried password spraying with the 'default' password, tried to rdp in with admin/hash but wasn't able to. Can't win-rim with admin/hash.|| I'm not sure what to do from here.

there is a plaintext password you can find, look into other options in mimi

I only saw 1 plaintext password

||"sekurlsa::logonpasswords" "lsadump::lsa /inject" "lsadump::sam" "lsadump::secrets"|| am I missing something?

I don't know what you got but you can try that password with that specific account

i dont think i used mimi at all in that assessment

it's not an account pass, it's "default password"

i should've taken better notes, but from what I can see I used ||mssqlclient.py|| and then used ||enable_xp_cmdshell|| to escalate. With ||enable_xp_cmdshell|| I was able to run ||PrintSpoofer|| for a revshell.

I belive they are already past that

Oh wait, i can see mimi now. just after all that i just typed. my notes say to use mimi or CME. i used CME

Yeah, that's where I'm at. I ran mimikatz after that

you haven't found the right creds then, read the output carefully in the lsa dumps

yea sorry. as i said, poor notes....lol

lol np

Ty for trying. I'm gonna reset the systems (can't even connect to one box now) and try again

did you have administrator?

on sq01 yeah

with its password?

just hash, couldn't get pw for admin

I used:
||sudo crackmapexec smb 172.16.7.60 -u administrator -p xxxx --local-auth --lsa||

well when you do, try CME next

you can pth with cme

yup. very true! I used the SQL vuln to run an exploit that forced a password change

in hindsight, PtH would've been the easier option lol!

yeah hashes are as good as passwords in windows

(for the most part)

yup when is nice and convenient. especially with the right trust domains 😉

Okay, lets try this again... lol

Hi guys, I need help with the new Broken Authentication Module, specifically in the brute forcing reset tokens part. I was able to identify the live reset token since this is not a specified user attack. But when I input the token, the response is different from the response I get from fuzzing it.

In which section for which question ?

let us know how it goes

Sorry, yeah. I'm guessing the instance was botched because I was able to ||pth evil-winrm after resetting||

oh great. that module, and password attacks, i had a lot of issues like that.

did you get ||lsa dump|| after that for the next attack?

mimi isn't giving anything new

you can use more than mimi

i used CME, but NetExec is the better choose. Use the --local-auth --lsa

yeah, I'm working through things atm. I messed something up lol

In Brute Force Attacks Section/Brute-Forcing Password Reset Tokens, the last question. Now, I get it because the token is one time use only, so when ffuf identified it through fuzzing it's as if it was used, so when I request it again in Burp or the web app, it is now an invalid token. I figured that I need to use Burp Intruder to see the requests, and just get the link of the valid token in original session, but burp community is just so slow, 1 hour, I'm in request 200+ and the valid token can be at 4000+. Any recommendations?

||Inveigh gave me a new user||, so I guess I'm on the right path

yea i got a new user and used it for the next box

i can share that username if you want to confirm? don't want to spoil it though if you want keep trying

think i used CME as i prefer to stay on linux as much as possible. if i can exploit from a linux box over a windows box, i will lol.

It was the answer for the next 2 questions, so I'm getting close

awesome

Sometimes I think resetting the instance solves all my problems

haha yea it definitely can.

its a pain sometimes though

I've spent so much time trying to do something only to have to reset everything and it works. Exact same commands (copy and paste)

yea and the AD module is prone to some of this issues

You can do everything with cURL and ffuf. You don't necessarily need Burp

oh, the assessment 1 I spent over an hour trying to just rdp into 1 of the boxes. It would keep failing, I'd have to reset instances, get back to the spot, then try again. It was a huge pain.

haha yea. i feel you there. i hope the exam is less prone to these issues. i assume we dont share it with others

for what its worth, i havent had as many issues after that module.

guys i have a question about shte module https://academy.hackthebox.com/module/81/section/789

currently i am filtering and i got the file, but i try it and say is wrong

i mean i try to send the answer usging the namefile.typefile structure

my question is, i am not sure what i am doing wrong

sorry, i havent done that module so i'm unfamilar. though hopefully payloadbunny or someone else can help

np ❤️

double check you dont have any spaces/special characters in your answer. that can be an issue sometimes

yes i try a lot of differents ways, and also i wait a lot of minutes to see if there are more than one file, but is just only one, maybe i need to extract the right name i guess

what's the first letter of the file name

f

that's the wrong one

but currently i waiting around 30 minutes for more files over X protocol

I rember that question being a pain to do so, the first letter is R

okay so i miss something, thanks for your time, i gonna keep looking what can be

❤️

anyone good at assembly? i'm doing the attacking common services module, with the 'connecting to services' section. i have the answer but not entirely sure the why behind it lol

just ask

so this is the area that I need to insert a break:
call 0x11b0 SQLDriverConnect@plt

and doing: b *0x11b0 , won't work. But instead:
b *0x5555555551b0

the 11 made me wonder if it was 11 characters, but why 5's ?

i do plan on doing some of the CDSA courses as knowing some of this is interesting but i know very little of assembly and why this works lol.

where'd you get 0x11b0

running disas main within gdb-peda

after setting disassembly to intel

try running it then disas

i did try that actually. run it, got back into gdb but got the same result

its alright. i should prob just do the assembly course. obviously this prob wont be on CPTS exam (for this specific instance) but thought i'd ask out of curiosity

you should get the right address once you run it

the longer memory reference is from the module, but its at the same place and calling the same function.

weird ... but good to know if i could across it in the future, i should get the right memory call

I'm getting the right address once I ran the program then disas

i just did disas main again, and got the right answer

i even left and ssh'ed back into with a seperate session and got the same answer as above ...

so confused as to why it didnt work a few times

sorry. i swear i tried a few times and was getting the different memory call. lol

you probably exited gdb in between, once the program is ran initially the right addresses will be loaded

yea, youre right. i guess in the future if i have short references in the call then its not likely the correct spot...lesson learned i guess lol

the assmebly module is pretty good if you want to take a crack at it

its already part of my favourites. will definitely take it

this whole module is a bit annoying tbh. i couldnt get exploiting web vulnerabilities for thick clients to work for me. (many hours trying.) and the PRTG assessment also wouldn't work for me either (even more hours lol)

yeah it can be a bit of a pain

xre cna you

check if the module of what i asking is working fine ?

the hint says can be 3 more files on the traffic but currently i just see one

does it need to be captured or it's from resources

Hey, for SOCKS5 Tunneling with Chisel module, I cannot execute chisel on the pivot's machine - i have already chmod it as well. I get this error msg :/

file chisel what's the output

make sure you have the right binary. you can download different precompiled from the git repo.

youre not on ARM

well that one is for ARM, you'd want AMD64

(well i doubt you are)

ARM is for things like a raspberry pie, arduino, etc.

are there any modules in hackthebox academy that teaches you how to use things like dnSpy?

I always get confused - so i am using M3 with kali on vm

you need the binary to match the architecture of the system its being run on.

but AMD and ARM are obviously close. i like to double check before downloading for that reason haha

but M3 is ARM ?_?

you ssh'd into the target

you're not running it on your own machine

this. youre running it on the system you're ssh'ing to

just as you'd have a different binary if you were setting it up on a windows machine.

ok is there any way that I can check in the future?

running uname -a doesnst show if it is amd or arm :/

x86_64 is the architecture

x86_64

for all academy modules you can assume the target is x64

oh ok

doh! haha thank you guys 🙂

haha all good mate

its confusing at first, but it all comes together.

https://academy.hackthebox.com/module/113/section/1102

Attacking Common Services - Other Notable Services.

I'm missing something. I've run an nmap scan and ahve the open ports and tried to connect to them to find the application running, but none of answers are being accepted.

nevermind. got the service. man that was annoying lol

So I've downloaded chisel (AMD) and am trying to build it, but couldnt 😦

I got the AMD version from here https://github.com/jpillora/chisel/releases/tag/v1.9.1

did I do it wrong? :/

Those are built executables already...

which would be preferable. just SCP (or similar) over to the pivot and execute there.

oh u mean i just need to chmod it and i can use it?

yes

yes. that should work.

ah okok! thank you!

Hello guys. I am left with 1 more question for the WaybackURL part of the gathering info module. Is regarding Facebook.com and what kind of redirect this web app was giving back in March 2022. I have found the redirect which is a combination of facebook.com the letter m and ?_rdr parameter. When i include this as a https or http link for an answer I get an error. Is there something I am missing regarding this redirect name?

You should read the question again

HI all I am stuck on brute forcing 2fa codes from broken authentication modulei did everything according to the proper ffuf syntax, and then tried to fix with chatgpt and at last i even tried from solution, while performing bruteforce, ffuf shows 302 on all codes, and it's really hard to figure what is the right 4 digit otp code

is very strange it just ask for the link that page redirected back in March 2022. I have the link

still at 'SOCKS5 Tunneling with Chisel' 😦

i have changed /etc/proxychains.conf

tunnel is set up

but when i try to rdp, proxychains keep trying to connect via the 9050 port... why is that?

this is definitely the wrong year... re-read the question 😉

Ohhhhhhhhhh my loooord :D

looks like it's not reading from the config file

it should be /etc/proxychains4.conf

😮 what is the difference?

version 4 which is the default

Hello, I'm stack on module INFORMATION GATHERING - WEB EDITION, in the section Web Archives, on question Going back to March 2000 on www.iana.org, when exacty was the site last updated? Answer with the date in the footer, eg 11-March-99

I was on web archives and tried to answer 03-March-00, and previous dates, but it isn't correct can somebody help me?

I'm hoping the thick client part of the Attacking Common Applications doesn't show back up. This part is miserable 💀

ok I have edited /etc/proxychains4.conf as well, but i still cannot rdp :/ it's still trying to connect via 9050

it's still not reading the config file

look at the start of the output

I have answered

Have you tried using socks4 instead of socks5?

do u know how i can fix that? have been googling for solution but havent seen any

in proxychains4.conf you see socks4 is now commented out, so you remove that and comment out the socks5 line.

I think they want to use socks5, the problem is that it's not reading from the config file for some reaosn

try reinstalling? https://www.kali.org/tools/proxychains-ng/

ok

if it doesn't work then just -f <file>

ive purged and reinstsalled proxychains but rdp is still trying to use 9050

^

which file?

the config file

😮

-f /etc/proxychains4.conf

as it using it as a flag together with proxychains

you don't ever use -something on its own, those are flags/switches

haha yea i was like ... whaaat. --> diff error this time

that's a rdp problem now

T_T

check if the pivot can reach the target host to begin with

if the target can reach, try with /timeout:200000

target host is unreachable

well that's a problem then

always make sure your pivot host can reach the intended target before you start the pivot

does ping goes thru proxychain? i thought it didnt

can someone help me in csrf - sesion attack

I assumed the target would be up cuz that's what the lab is asking for T_T

session*

i pinged it thru the pivot, so it should go thru?

i dont wanna spoil anyone o if i can contant someone in private

question, why have you started chisel in server mode using sudo

ah yeah sorry my bad

does this mean i should restart the lab?

you are not specifying a port that would require root privileges to listen on

idk but web01 can't reach the target to begin with

I don't remember if it's supposed to

Can anyone help me with a hint for the last question of 'Attacking Common Applications - Skills Assessment I' .... i know the application but i can't seem to figure out how im meant to get a shell

it is windows, so there is a high chance of not allowing icmp requests

ah right

does it matter?

but my rdp isnt going thru X_X - have been working on this the whole day

¯_(ツ)_/¯

in the course for the reverse pivot they say to use sudo chisel

@autumn pilot can i ask u a question in private regarding a session attack module question

also check where you're running the chisel client from, why is there an error there?

both connections are fine

it has this error when i try to rdp

so you're running the server from your local machine and client from the pivot? Maybe thats not the way.

hard to help if you dont give the command you used

Does the chisel server need to run from your machine or the pivot?

am using the reverse chisel pivot method in the module

37,7 1,00 в чем разница?

i'll try the non-reverse method later after taking a break lol.

Anyway, if the reverse method doesnt work, how would the non-reverse method work?

I just checked, web01 can ping 172.16.5.19

reset the lab

ok will try again after dinner X_X

thank you guys for ur help 🙂

in secure coding 101 is it onlyfor JS?

or htb only made it for js only

secure coding applies to every language, just that the module is js focused

emmm

so why they only picked js

because web is a very common attack vector and most web apps are writtern in js

but most of the time in modules php was introduced i was hoping they would create dedicated php secure coding but i discovered js😔

Has anyone here written a script for Injection Attacks -XPath - Blind Exploitation?

Can anyone help?

Whats your question?

they already built.

what?

you should be able to ping the target from ubuntu ssh session

almost english

What is the difference the two numbers of the learning progress ? Numbers 37,7 and 1,00 , this question is from the academy, information security foundations

module and section?

Learning progress

wait huh? isn't it just a simple minus

37.7-1

☠️ I mixed up a period and a comma

Attacking Common Apps - Skills Assessment 1, complete. that was way harder than i expected tbh. i found the RCE almost immedately but couldnt figure out how to execute in the context i was in ..

Great job

Hopefully I can get assessments 2 & 3 done tomorrow. I want to move onto privesc!

🤞

I’m sure you will!

Personally I also found the 1st one to be the hardest, at least if you don't use the metasploit module to solve it

I didn't use msf tbh

I had a learn but none of them would trigger for me

Ended up changing the python script for the CVE to execute my msfvenom revshell

Hardest part was that fuzzing gave some misleading results!

Thanks mate. After countless hours trying to do 2 other sections of the module, I moved on. Will have to officially circle back to officially do the module. Haven't enjoyed this one tbh

I know how that feels.

You’ll get there 💪

Yea I will. I can see the finishing line for CPTS. So close. Though a while off doing the exam lol

Hey guys. Just wondering when you start off a box do you do an all port nmap scan or just the default ports(as in no -p flag). And if you do an all port scan how long does it usually take?

Depends on how much enumeration you want/need to do. If you use flags like -A it takes longer but with -T 5 it will go faster. I usually scan all ports because I dont want to get stuck and then find out later I missed a port.

Bro going -T 5 like a boss

😄

lol paid subscription ftw

Im doing a -sC -sV -p- and its been going for 15 minutes. When i do ctrl+v it says about 5.68% done and 4 hours remaining 😂

Ok have you pinged the target?

Yeah, bump up the speed with -T 4 to start with

The limits on timeouts etc are pretty high by default

-T5

https://nmap.org/book/performance-timing-templates.html

https://tenor.com/view/hobbit-tempt-gandalf-dont-tempt-me-gif-5609024

Yupp the target is up and good

Fair enough

Which section are you working on?

When doing an all port scan, Is it not better to check for open ports first, then do a service and scripts on those open ones?

This is the footprinting medium lab. But honestly i have had this problem for a while 😂

When doing a -t4 how is the accuracy usually? Does it tend to miss out on stuff?

I won't Sir.

T5 on all ports it seems to me, you may miss some ports, which defeat the purpose of an all ports scan

T4 is my go to over public networks

Usually works well

On networks with lower traffic and latency, you could push T5

Depends on how noisy you want to be as well

T5 is too fast usually, T4 is good on a decent connection

at least for htb stuff

Im running on the assumption that nmap will detect the open ports first only then will it run the scripts on the open ports. Not running the scripts on every single port. Correct me if i am wrong

I've ran the nmap command in medium lab and its done in few minutes.

It seems right, but like 4 hours seems very long…

Yeahh from what I have seen others do it, it doesn't take too long. What was the command did you use?

I only used the -A flag

Ikr. Im just curious what is wrong with my scans

Im using eu academy 6 on tcp and it says its low load

What ping are you getting from the target?

Avg rtt is 375ms

I usually do nmap -A -T4 -v <target ip>

is it stable tho? what's the jitter

That is pretty high.. are you in the closest VPN server to your location?

gob any plans of having academy servers in asia?

Mdev is 100ms

Can't comment I'm afraid, but infra is continually growing and improving

Unfortunately so. Im currently back home in asia

I see, it would be really great for a lot of people

What about through a Pwnbox?

maybe find a stable server to use, seems like you're dropping packets and that's why nmap is taking such a long time

https://gist.github.com/Xre0uS/2105986d23719cf99c271842528f48a6

Hi admin today i finish my linux fundamental module but i didnt get my cubes after finishing help i want to open another module

or use a pwnbox in the server region yeah

I havent tried it through pwnbox because all my tools are in my vm. But i might just run my initial nmap scan through pwnbox and continue the rest in my vm

I'd recommend raising a support ticket via https://help.hackthebox.com - there is limited support capacity during weekends however, so you may not hear back until Monday.

Yeahh seems like the best option

The Pwnbox comes preloaded with most if not all of the tools you'll need

Hello, I just wanted to say to the people who worked on updating the Information Gathering module - Web Edition
THANK YOU VERY MUCH!

This should be the default for all modules...

Simple, concise, well explained, full of important details, focused on teaching what the thing is and how it works.
I simply loved this teaching. Whoever organized this update, please do it again in other modules.

I'll pass that on to the team, thank you for the lovely feedback @digital junco

I'm the one who thanks you, my dear!
I love Hack the box.
This platform changed my life.

Sorry for the Late Response but i think "Introduction to Windows Command Line" Module is most beginner friendly for a complete beginner comparing to either Windows Fundamentals or Linux Fundamentals. This is just my opinion that might help you to get started easily. Try out Linux Fundamental Module First and if you feel it had some complex term that you don't understand then go for the Introduction to Windows Command Line Module. it contains less likely terms that might feel confusing for a complete beginner from my experience, all the best for you're learning.

i saw you're Message yesterday itself but as I was doing "Introduction to Windows Command Line" Module and i thought it might be a solution for you.

Thank you. I'll give it a try.

I checked and they actually mention windows fundamentals as a prerequisite to windows command line.
And in the windows fundamentals intro they mention stuff like CMDLET and WMI classes.
Here is the para "We can use the Get-WmiObject cmdlet to find information about the operating system. This cmdlet can be used to get instances of WMI classes or information about available WMI classes. There are a variety of ways to find the version and build number of our system."

Admin i didnt find the page do you have a moderator who can help me with my problem

I don't know if I can help, but DM me your Academy Email Address @nova rapids - as I said, support is limited during the weekends.

I will not be around for much longer @nova rapids

Btw I have tried running the nmap scan on pwnbox with T4 and it says its gonna be around an hour. I am using the pwnbox location which is closest to me (singapore 29ms) 😂

you should use pwnbox at the server regions (US/EU) otherwise you'll probably run into the same problem

okay yeah thats true. it seems i will be using the pwnbox for nmap scans then. using the uk pwnbox is a little laggy for me. but the scans are fast. good to know i have not been doing anything wrong before this hahaha

hi guys, I have a problem this module INTRODUCTION TO C# Libraries
I don't know if I'm doing something wrong, but I keep getting the following error. dotnet run --> Unhandled exception. System.IO.FileNotFoundException: Could not load file or assembly 'Library-Question, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null'. The system cannot find the file specified.

File name: 'Library-Question, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null'

@ocean night For CWEE custom exploit development will be a part of it but will HTB also teach how to write the exploits in the modules?

That's not something I can answer, sorry

Not because I don't want to, or am prevented from doing so, but because I do not have the answer.

Okay np.

Yes, this is covered in the Intro to Whitebox Pentesting module

Apart from that, you will always have to write scripts throughout the path

Okay thank you.

Hi, anyone solve stylish? I already obtained the token and can approve my CSS, but I need references or hint on the sql injection part…

you got better chance to get help in #boxes

I don’t have access

you have to follow the steps there #welcome

thanks man

why not

damn how is it also broken on your own machine

uninstall both and try installing using pip only

ah

#modules message use this

generally you shouldn't do it

^

is it just me or the boxes in the modules wouldnt spawn

Hello
What would you recommend for someone who finished the pentester path for the tier 3 modules?

my connection is fine , and im tuned via the vpn and all

itsjust tryna spawn a machine for like a year now

I am thinking Attacking Authentication Mechanisms or the Sliver C2 modules but i am not sure

no Im not using burp

by the way now it seems work... so I think its some VPN trouble

Hi

Has anyone done XPath - Blind Exploitation part?

those two are very different stuff, choose the one that's the most interesting ig

i'd do the evasion module

I suggest not revealing info about the AEN module as many do it blind

Im sorry I deleted the message

Yes, some people have completed this module. To be precise, 416 people have completed the Injection Attacks module.

Ohh so

Have you?

Just ask your question

I have exfiltrate the 2 users

Admin and htb-stdnt

Have you exfiltrated all the data?

So my question is how to apply this methodology to all users and their properties to exfiltrate the entire data set.

@acoustic owl

Read these three sections again. Everything is explained there

Blind exploitation

Okay

All three sections explain how to extract data.

Okay

https://tenor.com/sJ6iYaZHvSx.gif

what's up everyone. im working on the api attacks module. i'm not sure if im missing something here, or it's an error or what. the first lab scenario <Broken Object Level Authorization> it states: Because the account belongs to a Supplier, we will utilize the /api/v1/authentication/suppliers/sign-in endpoint. ok makes sense.then on the next lab, broken authentication. it states: Because the account belongs to a supplier, we will utilize the /api/v1/authentication/customers/sign-in endpoint im not understanding the correlation i guess. can any one help me understand this?

Likely a typo

Ok, i thought so. I just didnt know if i was missing something. thank you. it doesnt make sense right?

I was just about to dm u, and ur message came through... l

Submit to #1234357888114364508 with screenshots

I don't do private dms

awesome thanks. that was my next q! ur so on it.

Too many people wanting and then? step by step

Critical thinking is crucial in this field

¯_(ツ)_/¯

It's useful for surface level stuff, and then digging into manual testing

there's a difference between vulnerability assessment and penetration test

^

using nessus falls in the former

Vuln assessments are just that, they assess potential vulnerabilities

It's why they have different predetermined scan types for different regulatory authorities

¯_(ツ)_/¯

It's not that bad tbh

Nessus UI is better than OpenVAS

yes it is. I rarely come here, and usually when i do its just to be a lil nosey. i dont want anyone to tell me step by step. i love that feeling when u finally get something to work, or solve a lab. i dont get that feeling if i get someone to tell me step by step. but i don't feel like finding a blog post on how to pull something off is the same thing. what do u think?

It depends. Blog posts that further explain a topic can be helpful

Different view points and all

👍 thanks... stay sane

Ok I'll give that a shot, even using the show solution button if I follow that exactly I got errors. But let me try again today, maybe I will have better luck, thanks!

It takes a minute for all the modules for nessus to load, btw you need to do the scan from the target machine anyway

(There are preloaded scans on it)

Yeah the targets have preloaded scans so you don't have to spend the 40+ minutes waiting on the scan to finish

https://academy.hackthebox.com/module/details/23

file inclusion the last part of " Skills Assessment - File Inclusion "

i CANNOT get this to work if i scan i get 9 ../ but i have tried from 1-12 (i already have the answer cuz i looked it up. but the box just will not respond to burp sweet can somebody else test this pls

how can you tell how many ../ you need? did you / your box stop responding im on box num 11 and counting all same issue same spot.

your answer lies within the "Basic Bypasses" section

you can't really tell, it's all just trying stuff out

i have specific notes about the skill assessment telling me i didn't use that method to get the answers, so you may be barking up the wrong tree in the skills assessment

Hello
Does anyone know companies that offer graduate programs for recent graduates
That also take international candidates?

You'll need to research on your own but this isn't the channel for that conversation, read and follow #welcome and ask in #careers-and-certs

@next bronze I tried bloodhound-python with both the HTB-Student user and the Administrator with the hash but both fail. Which user did you use to do that part?

that's the last question? you should use the users you have from the previous domain

either bh python or sharphound should work

Yeah last question, I just didn't have any passwords for users from the prior sections, I got all three of the first questions done just using the CHILD-DC.child.inlanefreight.ad machine and powershell... I will see if I can get a password out of another user.

huh? you can't do question 3 without a local shell

either way you should have domain accounts for mssp if you've done q3

we don't do that here

read #rules

She's not into security

doesn't matter too much as it's not relevant nor legal

Daymn, sorry will be careful next time

let's not @cloud urchin (as comical as it can be)

best bet is to just turn it off

If u have suggestions jus pm me

there's nothing you can do

report to the authorities

and move on with your life

my suggestion is if you think her account has been compromised is to reach out to the company who is providing the service, that's your only recourse

no one here can help you and anyone claiming they can is probably just going to scam you out of money

Ya ik, will do my best

i dont get what am i supposed to put in Submit root flag?

without more details the best answer i can give you is: the root flag...

the flag that can only be accessed by the root user or user with root privileges

the root flag of the machine..

usually found in /root/root.txt

i must be missing something XD

what academy module is it related to?

first one

https://tenor.com/view/do-you-have-any-idea-how-little-that-narrows-it-down-that-narrows-it-down-clear-now-its-clear-now-i-understand-now-gif-21256627

Name

xdd

the "first one" is the one you pick to start first lol

Meow

oh

that's not an academy module

that's a starting-point machine

😛

read and follow #welcome and ask in #starting-point

Hey guys,

i´m doing the "Attacking Common Applications" Module and i´m stuck on the last question of the "Attacking WordPress". I got access to the admin panel, but i can´t update the source code. It always takes forever and says it didnt work.

PIVOTING, TUNNELING, AND PORT FORWARDING > RDP and SOCKS Tunneling with SocksOverRDP
https://academy.hackthebox.com/module/158/section/1439

I am only able to RDP into the internal node if the /etc/proxychains4.conf file is set to SOCKS5 and port 1080 on my Pwnbox (Parrot OS).

Why does the configuration on Parrot OS matter when Proxifier is running on the pivot machine (htb-student)?

because you're bouncing between Attacker → A → B → C

iirc

and that's how it's set up to work

the proxifier setup you do uses socks5:127.0.0.1:1080

Got it. That tripped me up for a while.

Thanks

What is the API key in the hidden admin directory that you have discovered on the target system?

subdomains of subdomains exist

wait this exists on a single subdomain

not the double

so this one is actually just: 🤖 will lead the way

for long time i still didnt find any thing

are you using the right wordlist?

yap

you should be using the wordlist used a lot in this module; subdomains-top1million-110000.txt

ok

after that it should become clear where to look

🤖 is always an interesting file to check for

Well yeah, but I just used Enter-PSSession to do it and a kerberos ticket. I just find it odd even the solution provided does not work. But I am going to revisit it and see what I missed, thanks for the tips!

let me check which subdomains

anyone know if its possible to gain a foothold on the Linux PE skills assessment lab with the tomcat portion? i know its optional but i will like to get it

nvm found my way in

ok... well that was really hard! but I got it done finally.

is it not useradd -d? or am I not understanding the question

yeah dont even mind me

10 seconds of reading later I found it

differnce between creating and using

Module - Advanced XSS and CSRF attacks
Section - Bypassing CSRF Tokens via CORS Misconfigurations

Question - Identify a CORS misconfiguration and exploit it to conduct a CSRF attack and obtain administrator privileges.

I am trying same as section did but i cannot make sure that its Origin header is misconfigured

Just I did same but in my case origin shows null

Any hint??

i haven't done this module. But your example shows a .htb origin, then you use a .com. What if you use .htb as the example?

I have used .htb too and many types url but it shows null only

even if I type real origin it shows null

if you try in your request origin: "null" ?

i followed a how to video, still does not work lol i had 2 other ppl try again so far does not work i get to the point i enter the burp suit command stuff and the box just stops responding period. it will just spit out jibberish after this point its why im asking. i got screen shots i wish i could get a mob just find out wtf is going on.

again i have ../ ( 9 times ) via my scan but i have tried every version on 11 boxes all same results all freezes the very same spot. same way to it will work right up to the repeater then just dies (reguardless of commands)

Message support then

null

ok... sorry, that's all the tricks i got for this morning

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin

yeah and that one too: https://w3c.github.io/webappsec-cors-for-developers/#avoid-returning-access-control-allow-origin-null

see my other messages there

Yeah but tried all possible but I think section's guide would be different then question's solution

In the first scenario where the Origin header is invalid, the server likely recognizes the origin as invalid or untrusted, resulting in the Access-Control-Allow-Origin being set to null.

In the second scenario where the Origin header is removed, the server sets Access-Control-Allow-Origin to the actual URL of the site because the request is considered same-origin.

So it is not possible to attack on origin

I think there is another way to solve the question.

hi, anyone has done the API attack module? I don't know how to solve this question: "Exploit another Broken Authentication vulnerability to gain unauthorized access to the customer with the email 'MasonJenkins@ymail.com'. Retrieve their payment options data and submit the flag."

I just want to know that
does question's solution is same as section is guiding or need to find another hint instead of attacking on origin header??

The section is not a guide. It explains the misconfiguration and how you can take advantage of it. The task is not 1:1 as described in the module

Yeah thats what I wanted to know

but can you hint me any another way to find misconfiguration?

Have you looked at the hint? If so, you know which endpoint you can exploit

You have already found the misconfig

hi, I did see the hint. But still don't know how to use it

What have you already tried?

But I did't realise it
where

#modules message

Bro
I have tried to check Origin but did't found anything

You see it in front of you
|| Access-Control-Allow-Origin: null ||

I tried use /email-otps to send a new PASSWD to the email and then use /reset/password to enumerate the newly set PASSWD

Wrong thinking

what's the right one?

When you do an OTP reset usually, what does the company send you?

send a one time pwd to my email

There you go

there's more to that section than just the CORS misconfiguration.

Try to attack that

Not enumerating passwords

I cannot login to the email

it

should I use Iframe to the script to make it null

because previous section says this

You are not supposed to login. You are supposed to hijack the account although you dont have its password.

section is showing that

it accept any url as origin and then using a script it can promote user to admin

but in my case the origin is not accepting any url , just showing Access-Control-Allow-Origin: null

if I reutilise previous section
there is null exploitation topic saying to use Iframe sandbox

I don't get it

Try it 😉

okay

ok so did you bypass csrf then?

I am just looking to bypass it
that's why trying to check origin as vulnerable or not.

#modules message

Pedant has told you what you have to do

I use /reset/email-otps and then /reset/password to set a new pass. {
"SuccessStatus": false
}

the success status always be false

you don't need to look at the previous section. this section goes over what to do.

so does it mean that Origin header is still vulnerable?

As I have tried as section did but got null instead of url

You send three parameters. ||Two of them are fix. One of them is variable...||

The rest is as shown in the module

this is what I sent

and it's from Broken Authentication in the API attack module

I deleted this because it contains spoilers.
||Look again what OTP is||

This section isn't about CORS misconfigurations. It's about bypassing CSRF via CORS misconfiguration.

does it mean
I have to look on csrf token?

considering the whole section is dedicated to bypassing csrf, yeah maybe you should look at that

that's enough, I don't think it's my problem. because, the otp is only one variable which is the email

I sent you DM

sure

No, it is not email

bro
question is Identify a CORS misconfiguration and exploit it to conduct a CSRF attack and obtain administrator privileges.

so first I have to identify CORS then CSRF??

you already identified it

hi everyone having some trouble with AD Enumeration & Attacks - Skills Assessment Part I, I'm at question 4, have the credentials for the user from steps 2 & 3 but I can't for the life of me figure out what to do next :/ I've been trying to get a tool onto the initial host to pivot from but every time I try to upload different tools through the provided webshell it just errors out, similar issue if I try drop them on using a reverse PowerShell or CMD session. Any tips please would be super appreciated!

is this
Access-Control-Allow-Origin: null

Vulnerable??

idk man. do you think the skill assessment would not be vulnerable?

maybe I am missing something

You said that I have already identified it
and same @acoustic owl have said that Access-Control-Allow-Origin: null is the misconfiguration

but I don't know how to exploit it as whenever I use script it shows nothing .

they provide a sample payload in the section

You've already given yourself the answer
#modules message

this is my payload
and it is not working

well, the 4th question tells you what to do next, you are on the right track with your pivoting. I had the same issues, i found it was easier to get an interactive session to pivot

@acoustic owl can i dm you?

sure

bro I have used in iframe in my script
but didn't get it
#modules message

you have an error in your script

Hey, for module 'ICMP Tunneling with SOCKS' i am getting this error msg for ptunnel 😦 I cannot find anything relevant for this on google

thanks, I think I may have finally managed to take the next step, do you mind if I DM you quickly please just to try understand why this has worked for me now?

Syntax error in the script it looks like

what type of error
is it word/spelling error or something other

I suggest taking this to dms

yes i can try to answer, sure DM

yeah should probably delete your code from here

okay sure