#modules

... read the question carefully

and you are trying to query inlanefreight.htb

Oh sorry guys

I just read it carefully

Anybody on that has finished the Modern Web Exploitation Skill Assessment? I need a nudge on the DNS Rebind part of it. Dm would be great

Sure

Hi have you solved?
Within the "webfuzzinghidden_path" path on the target system (ie http://IP:PORT/webfuzzing_hidden_path/), fuzz for folders and then files to find the flag

hey i am on the hacking wordpress module and working on the skills assesment and when i try to use wpscan to scan the wordpress cite for somthing, it returns that its not a word press cite

enumerate further

https://academy.hackthebox.com/module/134/section/1201
Any ideas what I should do
Tried brute forcing api id till 505 and already tried GET, POST

wdym like check the sorce cause i alr did

enumerate the site further

ok i will try

check the worpress root path or port
Example:
wpscan --url http://10.10.167.42/blog -e vp,u

Why doesn't this work ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://fuzz.academy.htb:37423/

because that's not how vhost fuzzing with ffuf works

with vhost fuzzing in ffuf you need to use the host header -H "HOST: FUZZ.academy.htb"

i am not crazy but i still cant find nothing

unless i am not finding anything at https://w3layouts.com/ cause i found that and i could scan that its just i dont know if i am ment to cause the cite look like it might be ligit

Thanks very much as always

to add on the <ip>/images doesnt work and thats all there really is

ffuf i use this
ffuf -u http://FUZZ.mydomain.com -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt

wfuzz
-u 'http://cmess.thm' -H "HOST: FUZZ.cmess.thm""

I think it gives the same results

idk about wfuzz ¯_(ツ)_/¯

either way; the subdomains-top1million lists are used a fair bit in this module

Does the CBBH exam give u a scope like a real pentest?

In the module
Web Fuzzing
Directory and File Fuzzing
Does anyone have or have had problems entering the flag?

Within the "webfuzzing_hidden_path" path on the target system (ie http://IP:PORT/webfuzzing_hidden_path/), fuzz for folders and then files to find the flag.
HTB{++++++++++++++++++++++++++}

i fuzzed for folders + files
http://IP:PORT/

http://IP:PORT/webfuzzing_hidden_path/

I combined 4 wordlists to scan directories and files but didn't find any new folders or files. I always find only the same flag

Any ideas of what to try

yo still i am still looking, might take a break rq, but still no progress cause i cant find what to use WPscan on, i did check the root path and port but nothin, i might just be blind and obllivous though cause i have been doing this for a solid 2h

yes, it would be pointless to not be given a scope for a certification exam

I have flag but it does not accept

same

Yeah also recursive question

I believe it is lab issue

i just start it

I stopped it yesterday after flags were not accepted

Wasted 7 hours

On stupid lab

for the moment 2 maybe 3h

Is Paysera card not allowed to do a payment with, in hackthebox?

Message support

Can i know what bank does hackthebox use for payments and is it in europe or NA ?

message support

support is on the website

not on the discord

iirc one of the payment processors is stripe

HTB is based in EU

Couldn't chdir to /Desktop/Users/htb-student: No such file or directory

on the verge of quitting this windows fundamentals module

well yeah

it would be C:/Users/htb-student/Desktop

I thought the / before users specified root? I guess this is a different os

yes you can use / but my major point is: /Desktop/ doesn't exist

Filesystem root of Windows is C:\

users are on C:\Users\<username>

of which has Desktop/ Downloads/ Images/ ...

even in linux you wouldn't do /Desktop/home/<user>

I see, thanks

Not too familiar with windows path system

it's fairly simple ¯_(ツ)_/¯

So, with the Intro to Web Fuzzing Module, I found the directory and I found an html page that has what appears to be the flag on it. However, it keeps telling me the answer is wrong. I'm slightly confused because this seems to be correct. Any hints? Maybe they got me with a red herring lol

is it asking for the full URL?

also with flags make sure no extra spaces at front or back

Instructions say this:
Within the "webfuzzing_hidden_path" path on the target system (ie http://IP:PORT/webfuzzing_hidden_path/), fuzz for folders and then files to find the flag
And I found a directory and an HTML page with a crazy looking string of characters on it that HAS to be the flag, but it's saying I'm wrong.

@fathom pendant

Oh wait

Maybe I need to have the actual /webfuzzing_hidden_path/ bit on there literally lol. Let me try that.

Why is my VNC session so small

because you loaded a new academy webpage

refresh the vnc page and it'll fix

it's due to how the VNC session draws the screen, when you load a new academy page, it updates the size based on the new screen being drawn (Which is much smaller)

there is no workaround for this

What about using a dedicated VNC client?

it would still do the same

Makes sense since my display is 1440p and the session seems to be 1080p.

it's based on the spawn instance window

refreshing the VNC page makes it go back to the right size

Yeah, just going to keep doing that.

i suggest refraining from posting flags

My bad, I forgot about that

i haven't done the new web fuzzing module; what section specifically?

Directory and File Fuzzing

yeah it looks like you're meant to do fuzzing on http://ip:port/webfuzzing_hidden_path

the flag you got is likely for a different section

Hmm interesting. All right, I will give that another shot. I didn't see anything the first time I tried it.

I just performed the 2 fuzzing things as described; and i found the flag

HTB{w..g}

Ahh got it so it is in the /hidden_fuzzing_path/ okay I’ll take another look when I get back to my PC at home

and it indeed was under the http://ip:port/webfuzzing_hidden_path/

Got it thank you so much

overall it took ~ 10 minutes to fuzz (the directory took like 5 seconds at most

I felt like HTB was gaslighting me lol

also i highly suggest using -v for the extension one

at least in bash terminal you can ctrl-click a link to open it in your default browser

Hello, I need some help with the Skills Assessment within the BROKEN AUTHENTICATION module. (https://academy.hackthebox.com/module/80/section/848) My question would be, is ||brute forcing the OTP of the one account I found|| going in the right direction?

marcie be honest am I too reliant on this channel

im curious

sudo mount -t cifs -o username=htb-student,password=Academy_WinFun! //10.129.201.57/"cry" C:/Users/htb-student/Desktop

Took your advice and im specifying the correct path + allowing inbound traffic on ports 2049 and 111 (mount)

No, the module shows you ways of getting bypassed such things.

@acoustic owl question, getting this message when trying to mount to the share I created on my target

Couldn't chdir to C:/Users/htb-student/Desktop: No such file or directory

The path to the share isnt faulty (tested) allowed all inbound traffic that the mount command mightve used and my command has no syntax errors. any ideas?

Web Fuzzing - > Recursive Fuzzing -> HTB||{r3****ns}||

it don't accept the flag? 😒

Windows uses backslash \

you have to literally fuzz /webfuzzing_hidden_path/

cool thank ya, i got it

hi

right, thanks

is that really all?

For folks who run into this in the future. I experienced the same thing. I stopped the VM, restarted it, and ran the FFUF command just like it was before. I noticed it doesn't put any output, it's cycling through normally, then like a few seconds later, it starts sending all the 302's. I went to the top of the list, tried the 1st code where the 302 was received, and that was indeed the correct code. I logged out logged in, and put that code in and it worked.

Thank you for the help earlier @fathom pendant just had the chance to try that out and found the flag EZPZ! I didn't realize it meant for us to literally Fuzz the webfuzzing_hidden_path 🤣

also just tested for the following section; you can use the small directory list instead of the big one 😄 also check every .html result

HTB{d3..0l} btw

Good to know, I will bear that in mind as I do it in the next few minutes

44k >>>>> 175k at least for speed

i also upped threads to 1k and it didn't break the server

just got done with the malware analysis module from the soc analyst path.
my brain needs a rest fr

mb it's 175k for small and 440k for medium

Ah I'll check tomorrow 🫤 thanks

¯_(ツ)_/¯

gonna let you know the following section looks to be missing some links to wenum, but digging around it looks to be an extension of wfuzz

Also good to know! Just got the Recursive one done no problem.

it's super easy with ffuf tbqh

i just guess wenum would also give the output

nvm it just does fuzzing as well, just a diff tool

Oh cool, I didn't know that. I'm SUPER new into all of this after taking a coding bootcamp, trying to broaden my horizons a little bit more lol

coding bootcamps are scams; genuinely lol

lots of money for little tangible reward, or rushed courses that don't really teach much

Yeah I can build full stack web applications now with Python/Java/JavaScript, so at least I learned that much from it lol.

could someone advise me where can I make this file smaller?

that should be fine, remeber that you'd need shellcode, not an elf

I was using this code from the module to convert it to shellcode:
#!/usr/bin/python3

import sys
from pwn import *

context(os="linux", arch="amd64", log_level="error")

file = ELF(sys.argv[1])
shellcode = file.section(".text")
print(shellcode.hex())

I compiled the original code

then I threw it into the code above to generate the shellcode

but when I send it to the server I get an error, so I was thinking it might not be small enough

the questions says we only have 50 bytes

there are some xor you can omit, if you're xoring the entire registry it's similar in size as mov rax, 0

Do I just use mov al, 0?

you can, generally linux syscall only returns a single digit to rax
https://man7.org/linux/man-pages/man2/syscall.2.html#RETURN_VALUE

Hmmm okay

thank you, I'm going to test it avoiding the xor

/10.129.31.160/"Cry" C:\\Users\\htb-student\\Desktop 


Couldn't chdir to C:\Users\htb-student\Desktop: No such file or directory ```

Hi

• |

Hello

you're trying to mount a drive in linux using a windows path?

ive just been trying to follow along with the module section im working on

which has been error after error

the module wouldn't tell you to mount it like that

Owlzjdnnd@htb[/htb]$ sudo mount -t cifs -o username=htb-student,password=Academy_WinFun! //ipaddoftarget/"Company Data" /home/user/Desktop/

^ The module

@next bronze are u here?

Hello i am in Pass the Hash (PtH) module and there is a question Using David's hash, perform a Pass the Hash attack to connect to the shared folder \DC01\david and read the file david.txt. Now i have done pass the hash but i can t find shared folder any idea?

good job but spoilers pls remove the screen shots and redact the command thanks

well the module didn't tell you to use a windows path, the second path should be a local directory for where the mounted drive will appear
https://linuxize.com/post/how-to-mount-cifs-windows-share-on-linux/

Module: Attacking Common Services > Attacking Email Services

My attempts to target the domain inlanefreight.htb are failing as my commands are returning an NXDOMAIN error. I tried targeting the IP itself and that also fails. host -T and smtp-enum commands are failing because of this.

How exactly do I fix this? Using VPN if its relevent but i'm having the same issue in the pwndbox. I have verified my /etc/hosts points the IP to inlanefreight.htb

redact means?

just don't show the entire command

o okay

btw who are deleting the screenshots 🙂

me because it contained the flag

u can?

oh great 👍

I deleted it

all good now

hey buddy

the shared folder would be located on DC01 so you'd want to connect to that

👋

how can i get Community Contributor role 🙂

#📣-announcements message

like its necessary to do with Invoke the hash can i do it with the curr use david shell?

In Simple words : I'm not eligible

if your current session is already the right user then you can just connect to it

If you’re not eligible now, you might become in the future 🙂 be active and contribute

i am now david i login with evil-winrm using that hash now how can i access the shared folder i dont understand this thing

Sure i will when i will be a Perooo Hacker

don't use winrm, use another way to connect, you'd want a proper shell or like from mimi pth or just pivot and use smbclient

lke there is an option using Invokethe hash and then get back a rev shell btw can i use Impacket i use it and i get shell but dont find the shared domain

both will work

or use what the module taught you

Main thing is i dont find the shared folder like where it is present?

DC01

C:\Windows\system32> dir \\dc01\david
Access is denied.

C:\Windows\system32> whoami
nt authority\system

you're local system trying to access a file share on the domain, you'll need domain credentials

Still need help with this if anyone has any insights 🙂 I've also tried using the pwnbox and that has nothing either.

thanks

It doesnt tell me much of anything to be fully honest, but this is a chance for me to learn more about mounting in practice so im happy

dacl 2 is kicking my ass

anyone know why i can't ping the target?

i already connect to the vpn

@next bronze can I dm you able dacl 2?

your terminal may have been opened before the tun interface was created

close and open a new one maybe

I am lost on Server-side Attacks last task. I think I identified template as {{_self}} is __string_template__0177c07c1ce875b2c81f5871e3da1c28, so that is behaviour of Jinja2, but I tried like every payload from payloadsallthethings I can't really get a working exploit to read files or to get RCE I have been stuck now for like 1hour and I need help.

the skill assessment?

Yes

have you studied the source code, javascript, etc

oh yeah I haven't

start there

sure

Thanks for help I managed to exploit it

i already kill all the VPN and restart the VM but still can't ping to the target

Hello, I would like to ask how this solution is, I add users seem to be useless

msfvenom -p windows/x64/exec cmd='net group "domain admins" netadm /add /domain' -f dll -o adduser.dll

dnscmd.exe /config /serverlevelplugindll adduser.dll

It doesn't seem to be working

are you sure your cmd is valid? i think net group takes a switch to ... nvm you put it at the end... try putting your switches in ebtween group [switches here] "domain...

verify that you've successfully added a user

and note that if you are adding yourself to the particular group/permissions you would have to find a way to update your current user token so it reflects the change (update)

Thank you. I know what the problem is, is it the absolute path versus the relative path

Hello everyone, I'm having an issue with submitting the flag in Web Fuzzing - Recursive Fuzzing. The flag was very easy to find but I don't know why it's being marked as incorrect. Any help?

check for errant spaces before or after the flag. also check that you dont need to de-obfuscate from base64 or some such

Module: Attacking Authentication Mechanisms
Section: skill assessment
Attemted solutions: ||I'm trying with Exploiting jwk, generating new key pairs and signing new token with various payloads. I've tried changing 'accountType': 'admin' (and Admin, administrator), with and without adding "isAdmin": True, with deleting accountType, leaving only isAdmin. Changing username, user id etc. Since none of that worked, I've tried with other methods, like signing with None, without signature, algorithm confusion attack. I've went through the course again but I got no new inspiration. Furthermore, I've tried those solutions without changing payload to check if any of those solutions work.||

I'm clearly missing something and would really appreciate a hint or a direction to what else I should try or what direction to take.

hey guys can some one please help my on Server-side Attacks, what am I missing?

What can I do during the exam if the target "is dumb" I thought you only had limited resets?

Hi guys I'm so sorry about a noob question. In the WEB FUZZING on HTB ACADEMY . I follow from example until got the flag and put the ANS on QNS form but It's not work.

What's the ANS form ?

Reach out to support

Also why would you have limited resets?

HTB{..}

I tryed many times

It's not work

Make sure no spaces

Also make sure you were fuzzing the /webfuzzing_hidden_path/ directory

I tryed It's not work

Wdym "it's not work"?

That's not helpful in the slightest

is that skill assessment that obvious that no one bothers to say anything? feeling ignored a little

I sent the picture on your chat.

?

I didn't agree to dms

Also you need to fuzz not use the same directory as examples

As stated

You need to start your fuzz literally from http://ip:port/webfuzzing_hidden_path/

As stated in the question

where is the upload photo option ?

You need to link your account to upload

and how do i do that

Read #welcome

Ok i'll try again.thk

does someone know whats with the port?

You kind of didn't give enough info to help you my dude

me?

Yes you

You're told to use SSRF techniques, so use those

You also didn't specify which section

but should I get a web ?
I'm on section: Identifying SSRF

I mean shouldn't I enter a website first?

... the website is that ip

http://ip

without a port ...

...brother

It's likely running port 80 by default

Considering it's a private ip

in this filter current log screen i am not able to scroll down to click OK. how to solve this problem

10.129.x.x indicates that it's a private (not public) ip and requires a vpn connection

Are you connected to the vpn?

yep

With xfreerdp did you use /dynamic-resolution?

Then do an nmap scan with the -Pn option to see what ports are open

i didn't , ok let me see

Ye it's a resolution issue

Usually readjusting the screen size makes it fit

well that's a bit off course

I thought there's something I'm missing here

Just.

I believe http should be running, if not it's https

You can specify with nmap -p80,443 to check for both defaults

CDSA is good right?

From what i heard, yes

for some reason in my browser it's turning to https
but on the parrot it stay http

do u have any idea y?

try to do a research using google

Likely firefox is autoupgrading to https. You can google how to disable it

Plenty of articles out there

but till now all was fine (did all the paths with it), weird

maybe it is the update ...

¯_(ツ)_/¯

thanx anyway bro

The only other reason it wouldn't connect is not being connected to the vpn

but on section Identifying SSTI I got a port number

and was able to connect ...

im at skill assessment on Hacking Wordpress. Anyone khow why i can't scan the web?

That proves nothing

That's a public_ip and port, reachable without the vpn

Is there a special vpn for academy?

Yes

Academy has its own vpn config

ah thats might be my issue then

have the lab open

?

What module and section?

what u mean, HTB has connection problems?

Because in gen you said IP:port is given by the target

Which means you don't need vpn

No

I just mean your screenshot of connecting to the public ip doesn't show you're connected to the vpn

I see

so let me try download a new one

How do I use nmap if I have IP:port ?

What module and section

As most sections that use an ip:port don't need nmap scan

I would like to ask you how to use this

You assume web unless the question tells otherwise

Doing the academy and the public exploit thing.. spawn the machine and got a public ip and port

module/77/section/843

Then visit that publicip:port in a browser

help me

If you're gonna do that just copy the whole link not the endpoint

im at skill assessment on Hacking Wordpress. Anyone khow why i can't scan the web?

verify that it is indeed a wordpress instance

don't just on autopilot

Not sure what you're asking?

Did that, and the website works.. still curious about checking services on that machine..

No need

u were right on the spot my man

thanx

When given a public ip and port your only scope is that given port

Everything you need is on the webpage

Ok, but the question on that module is to specify services on that machine

Is it?

ry to identify the services running on the server above, and then try to search to find public exploits to exploit them

You did identify the service; web

gah!

The way forward is SIMPLEr than you think

Hmm,,, have to slow down a bit 😄

Did you try looking up the words directly on the page with "exploit"?

Not yet, was fixed about the services isue

then why it's on hacking Wordpress Module?

part of the assessment

He means, is WordPress running on the web root

Or is it on a different endpoint

At the end of the day all of the exercises aim at pushing you a bit and not only follow the copy-paste approach

You are studying materials that are going to prepare you to become a pentester and not a robot

Imo the file upload attacks filters sections do a great job at this [unrelated]

tried dynamic resolution, still the same problem

not able to enter OK on this filter current log window

So then what with "Attacking Authentication Mechanisms" module skill assessment? I've even learned how to use and automate tests with jwk_tool, that in the module was only briefly mentioned, but that still is not enough to pass the assessment. There is no sign of OAuth or SAML in the tested app, so I figured that it must be the JWT exploit task. So what is the learning purpose here? Because if I would need to spend 5 days on manual and automated tests on a single feature and still not found anything then I would deem it secure. On the other hand if the course material is enough and the assessment is just obvious, then why nobody is saying anything, like "yea that's right direction, just try a little bit different here"?

Readjust screen size a bit, and also resize windows in the session

The people that provide hints/assistance are volunteers and are not obliged to help each and everyone

Additionally, you need to take into that there are different timezones

and someone that has solved it is not yet available to help you

I understand that, but again, I've noticed that the same question was asked here at least 2 times and was ignored (apart from the answer "Try smarter"). On official HTB forum the same question was asked repeatedly for 5 months with no hint or assistance apart from something along the lines "I've tried the same thing several times and miracously it worked somehow". So pardon my frustration, I was really excited to learn through the cwee path, and hit the brick wall...

You can upgrade your subscription to the annual one which will provide you access to the walkthroughs

And you will not wait for someone to assist you

You are currently frustrated because no one is giving you help, while you see others do get the help

that's right

Yes, I know, but unfortunately that is not available to me right now

well, thanks for replying, good day to you

you can form a study group by creating a thread in #1225791307256168448 or by asking in #cwee

Hello i need some help creating a proxy connection using chisel in the Active Dir Assesment 1

where are you struggling ?

I got everyhting, i downloaded windows and linux chisel executables amd64. I am running like the exable on piviting with the --reverse flag on server i chnaged the config to have only socks5, but i get this error when i run , it handshakes, trying to verify and then
Failed: server: Server cannot listen on R:127.0.0.1:1080=>socks

you are running that on linux correct?
i would try running it with sudo.

i run with sudo on linux yes

send output of this command:

ss -tl | grep 1080

lmk if its empty

empty

can you send the cmd ur running

to start the server

yes give me 1min

.\chisel.exe client -v 10.10.14.125:1234 R:socks

this is the client that connects to your server
did you run smth like this before u ran that cmd?
./chisel server ...

yes on the kali, i run first sudo ./chisel_1.10.0_linux_amd64 server --reverse -v -p 1234 --socks5

I have trust issues with the author "Web Fuzzing - Skill Assessment",
what would the domain be?

spoiler
||fuzzing_fun.htb OR _fun.htb OR fun.htb||

so which is giving the error, server or client
seems like server

nevermind, i tryied noe just for chnage to change the port on 1081, for some reason it work for 1081

nice 👍

.\chisel.exe client -v 10.10.14.125:1234 R:127.0.0.1:1081:socks

i chnaged first the cnofig file on 1081 then i ran this and worked

weird but nice thanks u very much !!!

Starting to get frustrated.. there is always easier solutions than those I think it is.... damn brain! 😄

where did these come from????

@twin lion
after directory/file recursive fuzz on IP:PORT
+
api parameter fuzz

||Head on over to the fuzzing_fun.htb vhost for some more fuzzing fun!||

In the Basic SMB Reconnaissance section of the Using CrackMapExec module, the final question asks for the OS version. The relevant portion of the output of the command we need to run (||crackmapexec smb <ip> -u '' -p ''||) is ||Windows 10 / Server 2019 Build 17763 x64||, but no combination of words from this (or the whole phrase) is accepted. What format does the answer need to be in? (Thanks)

It's ||fuzzing_fun.htb||

thankyou 🙃

Try Windows 10
Windows Server 2019

The guy left, thanks @fathom pendant and @sterile solstice

I did and neither work 😦

i would try just pasting in the strings it has for version

You mean the whole string?

Module: File Inclusion
Section: Basic Bypasses
Link to section: https://academy.hackthebox.com/module/23/section/1491

This is why it would be easier to use the first method.

What's the first method they're referring to here? There only seems to be one method mentioned under the sub-heading Path Truncation.

I can't include any more information since I'll be sharing too much about the section otherwise.

The method being copy/pasting the ../ whereas the second method does if in a more automated way without copy/paste, either way -- not as relevant

It's just a sidenote for older systems

Ah okay. That wasn't really clear to me, thanks.

It's also prepending more ../ to before the /etc/passwd request is the method

../../../<snip>../etc/passwd

@fathom pendant do you know why we need to use a directory that doesn't exist at the beginning of the command?

¯_(ツ)_/¯

Won't that throw an error?

Not really

As you're just backing out of it anyway

When I do it normally in the cli, for example cd this_directory_does_not_exist/../../../, it throws an error.

It's likely how the php code handles it

hello everyone for the module file upload attack i'm stuggling ... https://academy.hackthebox.com/module/136/section/1288

Think about the methods shown

I was able to do the fuzzin, I was able to pass files like php3 php4 but does not execute the code .

Try other extensions then

If you sort by size, you'll see that there's other extensions

Iirc the proper size for upload success is 230

ok thanks i'll try it thanks a lot marcie

Also as a note; since those were successes, those files were uploaded

So you can load the /profile_images/<file>.ext

You can also send to repeater

So you can switch extensions

I have the impression that does not upload the file because when I go on the url with its path absolute 404 not found

I take it you were doing a <?php system($_GET['cmd']); ?> webshell?

Some of them may still return that

But make sure it's the extensions that have the response "file uploaded successfully"

Not all of the burp intruder requests were successful uploads

I'll explain what I do: I upload a png file, I intercept it with burp, I change the content-type with a webshell, I change the file extension with an extension I've found thanks to fuzzing. and when I upload it and go to it with its absolute path, most of the time I get a 404.

you don't need to do all that just yet

this section is all about the blacklisted extensions NOT the content-type

and as I said you should check the responses in burp intruder after the attack

not just the request

note the proper ext won't be the same size as the example

i've done exactly what's asked of me

Use a different extension

The examples in these sections will not match up 1::1 with what to use

You need to use your brain and apply some logic

Go through all extensions that successfully upload

Also

You're html encoding the .

yes ..

Scroll to the bottom of the intruder payload settings and uncheck that box

It means this extension can't execute php code

But that's not the only extension that uploads successfully

ok I understand. Thanks for your help 🙂

We can sort the results by Length, and we will see that all requests with the Content-Length (193) passed the extension validation, as they all responded with File successfully uploaded. In contrast, the rest responded with an error message saying Extension not allowed. >> this is the important thing to do

the example in this case was just using phtml as an example

my point is that all extensions respond file successed there are no errors in any of the responses :/

in the nmap introduction, it says this

The company's DNS servers are usually more trusted than those from the Internet. So, for example, we could use them to interact with the hosts of the internal network.
what does that actually mean? what can you achieve using internal DNS server? are you just more likely to be able to find out additional data?

a lot of things actually, for one against windows clients you can force them to authenticate to you and capture/relay then ntlmv2

lots of mitm stuff

yo can i get some help on the hacking wordpress - on the skills assesment https://academy.hackthebox.com/module/details/17 when i try to enumerate it in anyway there is nothing to gain from, wpscan desent owrk cause it says it aint a wordpress cite and checking sorce code and sending curl request dont help much ethier cause i have checked the html on every page if has shown in the sorce code(but i did use html2text to simplify)

why the hell it is not working as the rdp is way slow + this is not working . Its Pass the Hash (PtH)

Module

maybe try using evil-winrm (if the correct port is open)? rdp is always slow for me aswell

bruh i am doing Invoke hash i need DC01/julio

hey there did anymore finished NTLM Relay Attacks module im stuck in a question

Anyone ???

Hey, anyone on Password Attacks Lab - Hard

I managed to get ||Administrator creds after checking out the files inside the drive that was on smb||, however, I tried to xfreerdp my way in with those credentials and I was rejected, I also tried logging in into xfreerdp as j* and then access the Administrator folder and entering the password and it didn't work, did I oversee anything?

I kinda think that Hashcat gave me a false positive, looking to it rn

Nevermind I forgot to copy one character from the output I want to die

https://tenor.com/view/goodfellas-gif-25580029

those aren't the admin creds :)

unless you mean the .v* file

in which case yes: copy/paste is fun

imo I like skill assessments that ties multiple techniques together; the common services module does this pretty well i think too

the hardest part of that lab though ||mounting the file||

Uhm, I saw two files on the drive, and I went for a technique in the ||Attacking SAM|| section and got it, maybe there was a different way

I don't recall another file

sorry i may be misremembering or they made it smoother

but part of that skill assessment was ||cracking the file, then mounting it||

unless we're both thinking the same thing

in which case yes

that's the intended path

i was mistaken btw i thought you were referring to a different step*

It makes sense the whole ||mounting file|| thing is kinda desperate, but made me do quite the amount of research and it was worth it, no mention about it on the Module, it could have helped

i believe it's breifly mentioned, but there's plenty of articles out there and even linked in this channel :)

i like the ones that are simple and straightforward

@foggy sierra i don't do unsolicited DMs

Can you help here then

i haven't done the module, so no

fair, I meant more in the context of the nmap module 😄

Anyone ?

if you want help, it helps others to know where you're stuck

Module
Section
What you tried (without spoiling)

Hi! im doing Windows Fundamentals module, actually im in Windows Management Instrumentation (WMI) section.
Im doing the section question "Use WMI to find the serial number of the system." but i cant resolve it.
I get Windows SN but HTB mark as failed. Anybody could help me please? Thanks

I take it you're connected to the target machine?

As well as making sure no extra spaces at start or end

Yeah im connect and i get SN in CMD and PowerShell

Ok i get it

I dont know hoy i resolved this

Just put and put SN again and again

Sometimes the input is dumb

Yes, maybe was a bug. But believe me that i put SN like 30 times hahaha

Is it just me or is the InternetArchive website really buggy? I'm trying to do the Web Archives and the first question wants me to go to Aug 8th, 2018 and the I click on that time, but jumps me to 2020

So ill try dates before or after and not even get a page and gets into a refresh loop

Don't follow any redirects; just use the domain as given

If it says .com use .com, not .org

Ah

Did you know htb didn't always use .com 😉

I did not, my guess it was a .org?

Nope

Think where they're located

duh

I need more coffee

any reason the current command wont work, top one did but thats because i provided a credentials

trying to attempt SMB NULL Session to Pull User List using crackmapexec

ends like this

Note: this is me trying stuff on the machine - the module doesnt use crackmap on the windows host so im assuming smb null is disabled on the windows enviorment lab ?

@fathom pendant look into this bruhh

no 🗿

whyyy where is the problem i dont understand in this

you need to run the command for the revshell in cmd

not in powershell

i try that also

works for me so ¯_(ツ)_/¯

which ip are you doing for rev shell bcz when i did ipconfig it shows x.x.x.5 but in forums they say .10 i used both of them

use the matching internal ip

172.16.x.x

ya but what in last

.5 or .10?

i don't remember dude

i used both of them

also make sure you don't have any encoding options selected at the bottom

the box option for encoding should be None

base64?? but in the module base 64 is used

no

it says to use the "powershell #3(Base64)" payload

not to encode it with base64

ya i am using same

make sure these are the advanced settings used

bruhh i am not begginer

Yes but I'm telling you, from your screenshot, you did something wrong

Sir i am using this

idk if i need to send it here, but just in case.
Binary notation seems to be wrong on mid-top and right-top.
Should be 4 0 1 and 4 0 0.

It's just to show what the digits represent, not their actual values

Yo can I get help on this I took a break and am coming back, but I can find the cite/thing I need to wpscsn || I have scanned all the html on the ip and I checked the website creator of the website which I could scan but it wasn't right, and I can't fins what I could scan even after checking the source and nothing and I tried to wpscan and tried using --force and some other stuff and o sadly resorted to finding a walk through but it was outdated or something, so if anyone has and hints that would be nice , I am on question one just trying to find the WordPress model||

yea took me a while to understand 😄 thx for the reply anyway

Yes that should work. I was referring to your background screenshot having something completely different

Reach out to support maybe?

Ah the error seems to be related to domain info

i used the .5 and worked for me. and from the look of the payload its wrong. the payload should start with "JAB"

since its the same payload used in the example you should have the same one generated

this one looks correct tho #modules message

Have you added anything to your hosts file?

Hey guys, doing a module called Using we proxies and i get an error from proxychains curl. Instead of getting the HTML output of the ping page, i get an error HTML page from burp suite

I can pase the error because the HTB bot blocks me

what section?

Sorry. Proxying tools

if you link your account you can post screenshots of the error

#welcome contains instructions on how

Ugh HTB gaslighting me again. I'm still in the Fuzzing module on to the Validating Findings part now. I fuzzed, found a hidden directory with a tar.gz file inside, curled it, found the Content-Length but HTB is telling me that it's wrong. Here is the question: Fuzz the target system using directory-list-2.3-medium.txt, looking for a hidden directory. Once you have found the hidden directory, responsibly determine the validity of the vulnerability by analyzing the gzip file in the directory. Answer using the full Content-Length header, eg "Content-Length: 1337"

marcielee trying to get hold on Community Contributor

hello! any chance any of you know why this query is not working on bloodhound? "match p=(g:Group)-[:CanPSRemote]->(c:Computer) return p", souldn't that return all relationships related with PSRemote to every computer?

doing very well tbh

Thank you. This is the error

[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
<html><head><title>Burp Suite Community Edition</title>
<style type="text/css">
body { background: #dedede; font-family: Arial, sans-serif; color: #404042; -webkit-font-smoothing: antialiased; }
#container { padding: 0 15px; margin: 10px auto; background-color: #ffffff; }
a { word-wrap: break-word; }
a:link, a:visited { color: #e06228; text-decoration: none; }
a:hover, a:active { color: #404042; text-decoration: underline; }
h1 { font-size: 1.6em; line-height: 1.2em; font-weight: normal; color: #404042; }
h2 { font-size: 1.3em; line-height: 1.2em; padding: 0; margin: 0.8em 0 0.3em 0; font-weight: normal; color: #404042;}
.title, .navbar { color: #ffffff; background: #e06228; padding: 10px 15px; margin: 0 -15px 10px -15px; overflow: hidden; }
.title h1 { color: #ffffff; padding: 0; margin: 0; font-size: 1.8em; }
div.navbar {position: absolute; top: 18px; right: 25px;}
div.navbar ul {list-style-type: none; margin: 0; padding: 0;}
div.navbar li {display: inline; margin-left: 20px;}
div.navbar a {color: white; padding: 10px}
div.navbar a:hover, div.navbar a:active {text-decoration: none; background: #404042;}
</style>
</head>
<body>
<div id="container">
<div class="title"><h1>Burp Suite Community Edition</h1></div>
<h1>Error</h1><p>An&#32;unknown&#32;error&#32;occurred&#46;</p>
<p>&nbsp;</p>
</div>
</body>
</html>

https://discord.com/channels/473760315293696010/1269212022919397410

🥲

it looks like you didn't fully setup burpsuite

Thank you Marcie...I feel much less crazy now lol

as that's the page shown when burpsuite's cert isn't loaded; re-do the burpsuite setting up section

me on my math exam. circles the answer closest to my calc answer

Yes i did that. I imported the cert into the Fiorefox browser but i dont see what the browser has to do with proxychains here?
Or is there another step im missing?

i've honestly not used proxychains curl ¯_(ツ)_/¯

under the proxy tab; turn off the intercept and see what happens

Was able ti fix proxychains

Dont quite know how but i did 🥹

wdym, if you mean doing somthing like rockyou.txt

Like during your enumeration. Ok, you start up the skills assessment and then start enumerating right? Did you find anything during your initial enumeration that could help you?

Hey looking for some help

i dont think so, but i will go back and see

SSH to xx.xx.xx.xx with user "htb-student" and password "HTB_@cademy_stdnt!"

I thought I would just copy and paste the ip into the broswer to access

do I have to do something with a vpn?

what module and section

also if it's the section/module i think it is; the syntax for how to ssh to a system is given

Linux Fundamentals
/module/18/section/70

the endpoint link doesn't help

what's the actual section name? (top of the page)

System Information

I recommend following your methodology that should be developing throughout each module.

end of the reading it gives you syntax

k

Oh

use it in the shell, understood

that means I have to have linux ?

yes

ok

there is the in-browser vm

but it's highly recommended to set your own up

ohhh in browser vm is only for paying

If you are still stuck feel free to reach out.

no it's not

ok I have linux on another harddrive on my laptop so Ill switch over to that

i think i got it maybe

you get 1 free spawn per day

ya, Im sorry I already used the 1 free

it's highly suggested to use a pentesting distro in a vm

not on your host system

you should use a virtual machine

pentesting? Can I just do ubuntu into my virtualbox?

kali or parrot are preferred

also, thank you, this is all a learning experience

as they contain a lot of the common tools in their repositories to be able to download

ohh i can do somthing like || nmap -sV --open -oA inital_scan||

alright cool

That's where I would start for sure.

thank you

And since its in a vm, it won't show my internal networks IP, it will translate to a different IP?

simple questions for you guys, just trying to learn, this is why IM doing it

thanks, got it

well it's just general best practice

in the event you accidentally break something, it's easier to reset a vm than it is to reinstall an OS

thanks

that makes sense,

started there i found a few open ports but nothing major, my plan rn is trying to use gobuster and getting rockyou.txt for the wordlist to manually break in

I would look at the services you identified during your nmap scan. Can you either navigate to those services or use something like curl to continue enumerating?

i definitely wouldn't use rockyou for enumeration

unless you want to spend 20 days waiting

You can def use gobuster here.

kk, i will double check for any services to try to enumerate

Hey all, doing the RDP and SOCKS tunneling with SocksOverRDP module, and I am having issues with not being able to load the SocksOverRDP dll. Windows says it contains virus or unwanted software, while all security features are disabled. What can I do?

real-time protection is running

You're right, got a different error this time, but Defender seems to not mind now 😄 thank you

k so i got lazy and left for a sec but should there be sonthing in css cause thats a new directory but there isnt nothing in it much

Have you navigated to what is being hosted?

prbably not, but i found out near its root that it uses bootstrap and not wordpress

Ok, so I would view source or just curl it.

k

Looking here should identify things that you should put in /etc/hosts

k just curl grep that

Don't curl grep what I posted.

ngl this part is hard so sorry about having to baby me its just the rest was easy then this was a big wall

Honestly this is just enumeration. If this is difficult, I highly suggest taking a step back and dialing in basic enumeration.

oof

i did just come from linux fundementals

the rest of the module of hacking wordpress was easy but the skill check is diff

but also any tips on how to not use the website pwn box bc its sooooo slow

install a virtual machine

like downloading a client

somthing like kali

yes

but i run widows how may that work

download virtualbox

its free

k, ima do that then honestly review the modules for basic enumeration

so virtualbox and the kali vm file

Why am getting this error

Exception calling "Save" with "0" argument(s): "Access is denied.
"
At C:\tool\PowerView.ps1:11685 char:17

•             $Group.Save()
  

•             ~~~~~~~~~~~~~
  

  • CategoryInfo : NotSpecified: (:) [], MethodInvocationException
  • FullyQualifiedErrorId : UnauthorizedAccessException

Does your user have the privilege to do what you're trying to do?

All good.

yes

🥸

sorry yes

are you running powershell as admin?

yes

are you sure

yes

what module and section are you working on as well

that way others can test and see if they can reproduce

ACLs

ad

?? that's not nearly enough info for me to figure out which module you're working on

there's a few AD modules

Intro to AD, AD enum and attacks

section/1486

Post the full module name and section, otherwise it’s getting really difficult and people won’t bother if they have to start looking where you are to help you

https://academy.hackthebox.com/module/143/section/1486

and what command are you attempting to run?

hi everyone, hope you are doing good,
im new here & started on Information Security Foundations skill path,
currently on Learning Process module,
hopefully to proceed with a job-role path later,

https://academy.hackthebox.com/module/136/section/1289 <- for this module -> i found a payload shell.phar%0a.jpg but it is not found by the browser

what am i doing wrong?

whats up guys

long time marice uve gotten old

Just because you were able to upload a file does not mean that it can be executed

Hello, I have a very silly question, I am on
Active Directory Enumeration & Attacks
LLMNR/NBT-NS Poisoning - from Linux

Question: Run Responder and obtain an NTLMv2 hash for the user wley. Crack the hash using Hashcat and submit the user's password as your answer.

I found the hash, but it didnt crack with hashcat on my windows machine but it worked on pwnbox. any idea why? attatched image 3 is exhausted while first 2 show cracking successful on pwnbox

havent revealed any answers

yes, but he'd have to do at least a code 200 to find my file, right? since it's been uploaded?

Time for the Fuzzing skill Assessment. Wish me luck fellow H4xX0R5

Being honest it's a lot simpler than you think

Gonna sound dumb: but do both files have the password

yes, both do get loaded

That's not the question I asked

I meant do both rockyou files have the intended password

you mean the hash and rockyou?

yes, it got cracked with rockyou on pwnbox

... but is the rockyou on your windows the same as in the pwnbox

oh I see, this is possible

In powershell: Get-FileHash -Algorithm md5 c:/path/to/rockyou.txt
In pwnbox: md5sum rockyou.txt

on it

If they differ, then that could be a reason if not, I blame winders

really ?!

Ye but also my friend

When you use intruder

And set the payload

understood. its different. thanks a lot.

turn off the "url encoding special characters"

yes, I noticed that it was reducing me to errors, so I've already deactivated it 🙂

but i was wondering: should i always leave it deactivated? if not, when should i activate it?

You need to make sure it does that every time as it doesn't save

The reason to deactivate it in this instance is because you're trying to figure out file extensions

Anyone know if I need to create a password list or use one that’s provided, for login brute forcing module, on the skills assessment-website part

So you don't want the . And escape characters to be encoded

Use the methods known to you

I see 🙂 thank you

Haha alright thank you!

Always start simple, like a default list

For the second question; assume the same user at first

Hello Guys, don´t wan to spoil anything. Currently working in the "Web Fuzz" module but got stuck at the Validating Findings Question, I´m pretty sure I've done everything right, but I can't get the correct answer when doing a curl -I to check the content lenght, any ideas?

Subtract one

Gotcha

Yeah that one tripped me up this morning too lol

https://discord.com/channels/473760315293696010/1269212022919397410

I'm working on the Skills Assessment for Web Fuzz right now and it's kicking my butt dude lol. Everything is ACCESS FORBIDDEN

Appreciate it, I was thinking of buteforcing it and even tried different numbers but bigger than the content length

Do you mind double checking if my hydra command is correct?

||Hydra -l **** -P path/to/list IP -s PORT Http-post-form “/admin_login.php:username^USER^&password^PASS^:F=<form name=‘log-in’”||

From what I can tell everything is correct but I’ve tried multiple al the basic password lists

Inspect element to make sure the parameters are correct

Okay I’ll double check that

It won't always be 'username' and 'password' for usernames and passwords

Or use the networking tab in dev tools and send a test/test username/password to see what gets sent

Yeah looks like I’m correct and I checked the form name in the HTML and it matches, probably just need to use a different pass list

Or

username and password aren't the right parameters

:)

I see what you mean

Well that has to be it, silly oversight

That was it, thank you!

👍

also as a note don't close this webpage

as it includes lots of information for the second assessment :)

Haha yes very good call, safe to say I can use the persons actual family from the media? To fill in parameters for cupp? Or am I trying too hard lol

you're in the right ballpark; just take note of the requirements -- i didn't the first time and my cupp list miseed a few. But always start with minimum info first like subject name/birthday/nickname AND THEN generate a bigger list if the first fails

don't forget to trim the list after you create it as well

i actually need to go back to my notes and break down the sed commands they give

i understand how they work it's just a fun thing to do

Okay thank you! Very good points to follow 🙂

trims the list from like 9k to ~3k

Anyone have any hints for the Web Fuzzing Skills Assessment? I'm not getting very far lol

Ok so I had to google this. I am in Linux Fundamentals, System Information.
The question is " What is the path to the htb-student's mail?"

I went through all of the previous pages and it doesn't say anything about how to check for that.

Are the questions based off what has been covered? or do we have to use outside sources to find out how to do it?

use env to enumerate the environment variables; there will be a MAIL variable, which will be the path

there is a big list of commands given to you

THank you

I guess the "enumerate the environment variables" language through me off. I obviously have a steep learning curve.

Not the best start 😄

think of environment variables as "here's where you find things"

for instance if something requires the $MAIL environment variable, it will get sent there

environment variables are going to be path(s) to directories that would be used for it

if there's multiple paths it may be specified with /path/1:/path/2 (usually this is in the $PATH variable, which allows you to run commands that are in the path anywhere on the system

So id use env $MAIL to find the path for the users mail

I just used env with nothing else and I found the information I was looking for, I can just stay at that step

just env

env by itself will list all environment variables

thank you, I hope Im not bothering you!

like alias will ist all aliases on the system when used by itself

also if you want to view an individual var; you can do so with echo $VARNAME (note most environment variables are full capslocked)

Ok great I just practiced that with different variables

hey guys I found the flag at the **Server-side Attacks ** Skills Assessment which I'm sure that's not the ways, but I can't get it in any other way ...

is there anybody for a quick help on that?

Does anyone knw why i am not able to log in to login form attacks section in login brute force module

? Wdym?

Short answer is: if the user/pass are the first in their respective lists, your fail string is incorrect

What

Not a lot to go off of based on this info

So I made general assumptions about your issue

I got a password while i brutr forced a login form

But i tried to use this password in the form to login and get the flag i cant seem to login

Then you fail string is incorrect

Make sure you follow the instructions on how to determine what the fail string should be

I feel exactly the same way. It doesn't seem to me to be the way to go. With my method I was able to read the scripts, but I don't see any other way. The scripts use a template function, but it doesn't seem to me to be vulnerable.

I didn't manage to get the scripts ...

at least not the ones they show anything interesting

U R referring to ||file|| right?

yes

I saw in some forums that there's a way with ||JS|| but it may be the old module, so I thought maybe this is the way ...

thanx

hackers?

yo i cant seem to again do much (no i havent been on here since 2-ish but i got bored and left but i am still wondering how i can edit the etc/hosts thing i have ||echo '<ip>' > /etc/hosts
||) but its not open so i cant figure much out cause whatever i try is secured which is good for a test but even after finishing getting started(offensive), intro to web, web requests i cant seemed to find how to pen it

Hey give me a second and I'll help you out. Shoot me a dm.

use sudo

sudo <vi/vim/nano> /etc/hosts or echo "<ip> domain" | sudo tee -a /etc/hosts

I am stuck on section Working with files and directories in the Linux Fundamentals module

I keep having to google things to find the way to do it instead of just reading what is in the section. There is nothing about inode or index numbers and how to find them in this or the previous section. Am i missing something?

Last section said nothing about -i argument but I had to figure out the index number of the sudoers file. So I needed to know -i

I want to purchase the actual membership so I dont have to come here or google things, but this isn't making me very confident

Not being able to RDP into boxes because of endless cert errors is so frustrating. I can't install Remmina on the assigned Kali box to complete the Print Spooler NTLM relay...

I can't RDP from the Kali box.. I can't RDP from Remmina on my Parrot install..

Takes each lab twice as long to complete dealing with random cert errors

A lot of learning linux is reading the man pages of tools, or the --help/-h option with a tool

It can seem unintuitive, but the big list of commands shown near the beginning are generally all you need for basics (the only one I'll grumble about is the question regarding inlanefreight.com)

That makes sense, thankyopu @fathom pendant , very helpful

I guess if I ran man ls it would show me how to list the inode or index number of a file

Yep

Along with all the other flags [options] you can run with it

will the annual membership give me some of this extra information that you have when I need help on each question? or like suggestions

Nope

The only thing the annual sub gives me is a walkthrough, but I rarely touch it unless I've already done the module

Or I'm 20 minutes deep and thinking "am I doing this right?"

Sorry a walkthrough?

it will actually show you how to do the section?

Yes

But note; it should only be used if you've really exhausted all other options

ya, I want to learn, dont need the end certification or anything

External research should be the first step

Don't know? Look it up

I am just spending so much time on each question

it will probably get easier the further I go, I think this is all part of the process

I've been guilty of googling man <command> on occasion

haha ya exactly

chatgpt

How do you define "too much time?"

I stay away from gpt personally

thats what others have said

because it can have hallucinations and give the wrong information?

it's good for small bits of information

but it isn't a search engine

it only "knows" what it's scraped/been fed

so if a tool or something has been updated, it can no longer be viable

that makes sense

for a lot of basics/explanations it's fine

just don't fall into the trap of letting it replace your brain

seen a fair bit of issues in here that were "well GPT told me to do it this way"

ya

student,password=Academy_WinFun! //10.129.83.68/"Cry" /mnt/win_share
Couldn't chdir to /mnt/win_share: No such file or directory
PR$```

thats understood and trusted well known sources on youtube or google will be helpful

that wasnt english but you get it lol

did you create a dir labeled win_share in /mnt/?

often though the answers to what to do are in the reading

some of the fundamental modules are lacking some extra building stuff but overall it teaches you to research

oh btw @humble stirrup if you wanna get comfortable with some common commands, look into this terminal game called bashcrawl -- it's a text based adventure that utilizes your linux terminal to complete the adventure :)

orly

ye

would I just download it through the terminal?

install w.e

https://gitlab.com/slackermedia/bashcrawl

wait

I thought win_share was meant to be a file?

you're running the mount command, it's going to attempt to mount the specified location to the specified directory

I also didnt know mnt was a directory I already had... thats my fault

/mnt/ is a default linux directory

it's well... where mounts go by default

i.e. new devices/drives

but you can mount anywhere

I see

Thanks marcie

tad embarassing that I did not know that

a fair bit of the root directories are self explanatory (in english) if you sound them out

its Ok I just passed Security+ and did a whole google cybersec cert. and Im having issues in the first couple sections of the Linux fundamentals

thats what you call embarassing

😄

¯_(ツ)_/¯

neither of those certs require you to interact with a linux terminal

this is why im doin it!

thats why I wont be taking any shortcuts and doing it so I can learn, Ive actually been entering all of the commands into the terminal as I go through the section just to get practice

Can't figure out the XXE part
https://academy.hackthebox.com/module/134/section/1219
Can get text to be reflected in the output but can't use any payload to read the /flag.php
I can get it to read /etc/passwd but not /flag.php which returns a empty output.

Why does mounting require a directory and not a file

im just curious

well if you want to be technical; everything in linux is a file

but it requires a directory because you're mounting a filesystem

that will have several files and subfolders within it potentially

Ive finally managed to mount the share to the mnt directory.. there wasnt really a need to make a win_share directory inside of the mnt directory if i didnt care about organization

Such a big win

I see

general best practice is to create a directory for it, so you don't accidentally mess with stuff that's already in the /mnt/ directory

@humble stirrup ask to DM next time; i don't do random dms

understood

In the DM I actually said I wont bother you with DMs after that, but thats besides the point!

My Mistake

it's also in the #rules

Still would appreciate some help with this if anyone is able ^^

you need to have the inlanefreight.htb in your /etc/hosts if you're planning to do it that way

Thats the thing, I have the ip linked to inlanefreight.htb in /etc/hosts already

ip inlanefreight.htb the NXDOMAIN error is because the public nameservers aren't able to route to it

also it helps to show the command you used

host -T MX inlanefreight.htb

i don't recall needing to use the host command

also if DNS isn't running on the server, you won't get any results

i used the smtp-user-enum script

I suppose i'll just send it with smtp-enum then

see how that goes 🙂

also be sure to be using the wordlists from the provided resources button

Good idea, i'll grab those

I can't seem to get a priv esc working on AEN. I am toward the end of the module I think, and have been working through it blind. Anyone available for a DM sanity check?

Blind == no help

I dont't have the file activity tab, this is the Understanding Log Sources & Investigating with Splunk module, section Using splunk application, did I download the wrong sysmon file?

Yeah that's cool, except I am asking for it which is my decision. Thanks chief

Would anyone be able to quickly verify the Privilege Escalation technique shown in the Lateral Movement section of AEN? Getting an errored out log message, even after machine resets. Think the module might be broken

https://academy.hackthebox.com/achievement/667914/136 woo

it would have nothing to do with any sysmon you downloaded as it would already have been running on the target, likely a version difference

@fathom pendant I'm still having trouble getting to the file activity tab, my app options don't depict it

i just downloaded it, uploaded the file -- did the restart. Then from the app menu selected the sysmon app

https://splunkbase.splunk.com/app/3544 <--

it was 1000% the app/link I download @fathom pendant thx, I knew I wasn't tweaking

did you google for it?

because the link is given in the module

Used the wrong link, I used the link for the site not the direct app so I just searched sysmon