#modules
Is anyone here who completed the attacking common applications part? I need a little hint, I am stuck.
attacking splunk
Source ports are your friend
hi
@analog dock @fathom pendant bruh I set all the source ports
@heavy mango I will dm you once I double-check, if that's ok 🙏
53
yes I did that 😠
You found the high port already right?
well not originally, I did top 100, but I just did all ports and I got banned during it :^)
trying it one more time now
Do you know the hash type?
you sure it didn't crack? I forget how exactly, but you sometimes have to use john --show
ok just found the high port ffs
that is so dumb
splunk attacking section how to rce the app is not normal
What module?
I ran this exact scan I stg
🙃
Always start with the module resources before moving to other wordlists
I believe the dns spoofing section of the ids/ips evasion section might be useful
and I'm supposed to guess that DNS is open or what lol
Think: you needed a source to find the port. So you'll need to use the source to connect
Misconfigured settings to trust dns port
and I hit the limit after that nmap
?
Then your nmap isn't stealthy enough
wellll it worked 😛
You got something at least
we cross that bridge when we come to it
You'll likely craft your own lists, or need to use well-known lists, or find a list on a computer somewhere
i need help related to splunk part
of...?
attacking splunk
put module and section and perhaps someone can help
Broken Authentication
Brute-Forcing Password Reset Tokens
On what do password recovery functionalities provided by web applications typically rely to allow users to recover their accounts?
I just can not answer this question, could somebody help
OTP
no, doesn't work
could someone help me with the XSS phishing, module section? can't get a hit on my listener
where are you stuck exactly
It’s on the first part
Read it again
Does the test work?
I believe you can test it on one of the endpoints then you send it on the /phishing/send.php
yeah... thanks
aah ill try that out
You're welcome
Did you replace our_ip with your tun0 ip and the port you're listening on?
yeah
ah okay my bad
But I suggest looking at the source code to see where it's being injected
You'll also need to wrap it in script tags
i've also tried that no hit either
Well there's still one thing you may have to do
As I said look where the script gets injected
As shown by the reading
attacking common applications
attacking splunk can someone give hint
on the ADCS module, what's the exact role of the root CA certificates? I understand that the client interacts with the enterprise CA to enroll a certificate and each chain should end with a root CA certificate to be trusted, but I feel like I am missing something on the exact role of the root CA certificates
State what you've tried before and where you are stuck and people might help
Root CA means that all child certificates point back to one authority that, via digital signing, can attest that a cert is valid
I am not able to find the right directory to upload the revshell
If you look at any website's certs they all have a root CA
https://10.129.201.50:8000/en-US/manager/search/apps/local this is in the module
Basically a proof that the certification is valid
yeah, but when the client sends the CSR, does the enterprise CA server check something with the root CA or not?
oh wow, i completely misread the question, got it and thank you
Did you get it yet?
Hi, I can't seem to spawn my target system. Has been saying "Target(s) are spawning..." for half an hour now. Anyone familiar with this problem?
Refreshing and clearing cache has not fixed the problem. Navigating to the academy on another machine also shows the same.
Try changing vpn regions
Hi, I am rebuilding my parrot vm as my other one kept locking up, does parrot tend to use more resources than kali? and second part, ippsec's ansible script hasn't been updated in a while is anyone aware of any other scripts like pimpmykali but for parrot so I can just get started on course content (trying parrot to be in line with the course content)? thanks
ye
It tends to use less than kali
You don't need to do anything fancy to get started either
¯\_(ツ)_/¯
interesting, my last vm I had to keep restarting it as it would just randomly freeze
That solved it, thank you very much.
That sounds like a personal issue with you not allocating enough resources, or too many resources from your host
Yeah? Idk why you wouldn't expect this
There have been a few windows machine in that module
???
I allocated the exact same as my kali (8gb/2-4 processors) and I have plenty of physical resources spare which is why i am curious
How did you get through the module then
Parrot doesn't tend to like >2 cores in vm
You're not gonna find much of anything outside of what you learned
Just take it one step at a time
the first one was 8gb with 4 cores and then I would get a shell and it would freeze but in workstation I would pause go back in and everything would continue to run
Remember, the flag is the end goal
I run 4gb with 2 cores just fine
I've been running Parrot with 4 cores and 6-8 gb ram for ages now, rock solid
I believe it also depends on the software
like hypervisor?
Yes
Probably, yeah, I've had bad experiences with Virtualbox in the past
Alright 👍🏼
I have vmware workstation pro, I never had any problems before, I have even had my own AD lab on there with 4 boxes, just any time I tried parrot it'll freeze and I have to pause it and then resume
the academy wouldn't accept my flag, but I spammed it and it did lol
no, I didn't
check this the first, if smth happens
Sometimes the answer field bugs out and refreshing the page makes it work
👍
has anyone done the attacking enterprise network - Internal Information Gathering section? the pivoting technique there doesn't work
What technique doesn't work?
ssh + proxychains. i did everything as the instructions
Your proxychains config file has the correct port you are using with your SSH command?
8081, as the instructions
You can DM if you'd like so there aren't any AEN spoilers in here.
very well
Detecting windows Attacks with Splunk
Detecting Golden Tickets/Silver Tickets:
For which "service" did the user named Barbi generate a silver ticket?
Does anyone have any idea how we are supposed to solve this
I did solve it through looking at all events involving Barbi and looking at a ||particular logon event where explicit credentials are used (4648)||
but its kinda not so clear from the field names in this event
and can't be directly seen on first glance
idk if someone solved it the right way i could benefit from knowing how they attempted it
(I almost never get satisfied with my methodology anyways)
lol

I'm in password attacks doing the pass the ticket from linux modules and I'm trying to smbclient to get the flag but I'm getting a nt_status_invalid_parameter when using the -k -c option
need help with this
i found the gz file but the content length is not being accepted
what is grep parameter to remove special characters?
oh that worked ty
getting started: privilege escalation section. TASK2: Once you gain access to 'user2', try to find a way to escalate your privileges to root, to get the flag in '/root/flag.txt'. I got the first flag so easily I doubt I did it the right way or not. Now I am stuck with this 2nd one. Any hint? I already tried copying the id_rsa and chmod 600, then tried connecting. Does not seem to work.
Have you or @hazy brook been able to get it to work yet? Because I'm having same issue
No
still same issue
Feel free to dm me -- unsure if flag is borked or just wrong flag but the value they provide def is NOT the value that will be accepted -- correct answer is a phrase
❤️
you have to literally fuzz /webfuzzing_hidden_path/
Did you get to user 2?
If so see if that user can see anything in /root/
@fossil crescent
I have completed the path.
I'm not a native English speaker but the form seems poorly written to me
Broken Authentication
Skill Assessment
What length is otp there?
Was re-reading the question and realized that... Annoying though that they have the other flag before. Thank-you
Yeah but why would they put the flag directly in the reading 😉
Anyone know what I might be doing wrong? I'm in module/115/section/1109 the infiltrating Windows section where you're supposed to use ms17-010 to get a shell on a windows server machine. Metasploit keeps saying exploit completed but no session was created. I've checked the walkthrough and it's exactly what I already did.
What's the actual module name
shells & payloads
Is that the shells and payloads module?
Make sure the rhost and lhost are correct
set lhost tun0
Amazing how the path illuminates after oneself becomes a fool 🤦🤣😭 - I swear like magic that text just now appeared 😅
Broken Authentication
Skill Assessment
What length is otp there?
I can not brute force it
Don't fall in the same trap for the next section
You're not meant to brute force. Try bypasses
Imo it doesn't help they use i.e. for this
its 2 modules left
Gl
then re-read and start cert 
when they update a module they should remove previous results :(
I've gained access to user2. But can't access root/
yo can someone elaborate on this? Shows if successful exploitation of the vulnerability can affect components other than the affected one.
Unchanged (U): Successful exploitation of the vulnerability affects the vulnerable component or affects resources managed by the same security authority.
Changed (C): Successful exploitation of the vulnerability can affect components other than the affected one or resources beyond the scope of the affected component's security authority.
its from the how to write good Report on the final cbbh module
Am I stupid or did HTB lie to me when they said that the expected time to finish the password attacks module would be 8 hours?
Exactly, I just don't get it. Expected CDSA path to be completed is 23 days. Took me 3-4 months.
Probably because we take notes, get stuck and procrastinate sometimes.
I calculated their expectations, it's working 8 hours per day.
Not even that, i have been on this module for over a week.
bro, the brute forcing takes longer than 8 hours alone, that's not including the time to figure out the wordlists, the syntax, etc.
Are you doing full time? And not stuck anywhere.
Yeah, around 6 hours a day
8 hours for brute forcing? That doesn't sound efficient. I'm new to red teaming. I'm a blue team person.
Nah, I mean for all of the brute forcing combined. Usually they take like 10-20 minutes per brute force, but there's a lot of them on there
That's demotivating for me. I'm planning on completing CPTS under 6 months, cause I gotta give CEH exam.
disgusting, CEH exam.
Just study for the CEH in like 2 weeks and get it over with.
You don't need to know how to hack to do the CEH unless you are doing the 'practical' version. Which is also shit.
I know, but hype is overrated here. I can't get to interviews without it.
I would recommend you divert your attention fully to CEH for like 2-3 weeks just to get it over with. Don't let that piece of garbage hold you back on your learning.
I bought practical CEH voucher. Since I'm learning red teaming, i thought I'd just complete CPTS and get it over it.
ah, the practical one. I heard its harder but still not good
Really? I can learn that much in just 4 weeks?
Come to think of it. I actually got no life.
I got a+ net+ sec+ cysa+ pentest+ Itil4 foundations and the SSCP, in 4 months.
Its very doable for one certification in 2-3 weeks
I mean this would be my first exam, im a bit nervous about it. I want to crack it in one time. It's pretty expensive for here.
If it is your first certification i recommend you take a bit extra time
You did ceh in 2-3 weeks?
I never did the CEH, but i did the pentest+ in 3 weeks
I mean no offence dude, but usually the syntax you need to use per section is the same as in the page itself
just a little modification to see if you really got it
Yes. I was planning on having my first cert CDSA but CEH is must for any entry level job here, so I'm learning for that.
I hate copy paste, it feels like im not learning. Usually i will just look at the tool im supposed to use and use either 'tldr toolname' or 'man toolname'
This is probably why it's taking you longer. But it's effective learning.
Guys @alpine ingot u have to talk in https://discord.com/channels/473760315293696010/588029217376043023
it's only the brute-forcing that takes 8 hours. i don't think they update the time estimates whenever they update a module, it should be at least 2 days for Password Attacks.
it is related module section only
that makes sense. It feels like there is no way to get it done in 8 hours
No offense but every time someone does this, it kills conversation right away.
yeah bro settle down
Alright but it is not right Channel.
Shows if successful exploitation of the vulnerability can affect components other than the affected one.
Unchanged (U): Successful exploitation of the vulnerability affects the vulnerable component or affects resources managed by the same security authority.
Changed (C): Successful exploitation of the vulnerability can affect components other than the affected one or resources beyond the scope of the affected component's security authority.
its from the how to write good Report on the final cbbh module. can someone help me makes sense of this? like an example or something?
examples of this are given in the latter 3 sections
Yeah, Okay.
Anyone know of how many people have passed the CPTS?
lot of
htb 
not accurate numbers
at this moment at least 592
Could you help me with the getting started module/ privilege escalation section/ task 2, where we're supposed to access root folder for flag, I'm already in user2 access?
☠️
Nice, it would be nice to have a counter or something so we could watch it grow
++
that's from the badge though, which doesn't count Enterprise members
no, i don't have any recollection of that module
That's not a lot of. But feels good for some reason. Probably because maybe we'll be one of fewer ones.
lost notes 🙂
more like no notes
Ah- Okay.
didn't do it man :\ , but I love privesc. It's an artwork
is this how you learn?
Stuck in the SQLMap question for about 2 hours hehe, it is still scanning
Weird. Aren't you on cpts path?
@brave scroll you're probably doing something wrong man
well i remember most of the attacks taught from the course and can apply them, so i guess it is how i learn
no sqlmap scan should take that long
keep in mind i finished the coursework a year prior
maybe possible, but it will confirm first; I will get the result.
and i only passed last month
syntax?
sqlmap -u http://94.237.55.223:42657/case5.php?id=1 --level 5 --risk 3 -D testdb -T flag5 --no-cast --dump
without using --no-cast it was done very fast, in 30 seconds, but the answer was quite variably wrong, therefore we have to use --no-cast
but when you have the table name + column name, no further automation is required
the thing is, usually u dont know the flag and table :p
ummh we can try
yeah but i got that one
i am working on it if didn't find i will come back
xD
also you can try pointing out the injectable parameter via -p
Did you try to use ls?
No
:)
I only used one short command, it worked. For task 1st, I mean.
I got the answer, my command just finished and brought the answer, btw thanks for increasing my knowledge
you're welcome bro
Try to ls -la /root/
Be mindful of file permissions as well
|user|group|others
If the file has, for instance rw-rw-r-- then everyone can read it
Let me turn on my setup.
anyone faced this issue when trying to upload a malicious module on drupal section in the common apps module ?
Idk where you're trying to hint me. But it seems it's suggesting to pursue the .ssh angle. Is that it?
Try and see
In the illustration, they used the server as 10.10.10.10, what server should I be using here? The target ip?
?
However you connected in the first place
In that case. It didn't work when I tried it. I'll try again, just to confirm.
You have read access to a certain file
Yes I know
Just copy/paste that file to your system and use it
Yes. I'll do that. Let you know.
You'll need to make sure you chmod it
I know the angle you're talking about. When you say copy to your system? Does that mean literally on my system separate from the ssh connection?
@fathom pendant marcielee can i msg u in private?
Weird. This time it worked. I may have missed something in commandline previously. I knew the angle. However I got first task so easily, I can't believe if that's how it's supposed to be. Can I DM you about it?
Sure. Don't know how I can assist.
This is still not fixed.
huh?
I wanted to know if I deduced what you guys are on about in private without spoiling
brother it's related to the getting started module
🤦♂️
no
Alright
i guess u dont like to be dm'd
dms tend to lead towards people expecting more of my time for free
fair enough
On the "Web Fuzzing" skills assessment, the question is: "One of the pages you will identify should say 'You don't have access!'. What is the full page URL?"
Found the url with said page, yet submitting it says its wrong.
Do I have a typo in my answer, or some wrong format?
http://faculty.academy.htb:xxxx/xxxx/xxxx.php7
EDIT: also tried without http
literally use :PORT and not the spawned port
I did ofc 😄
also maybe without http://
So how many issues are there on HTB academy caused by updated versions of tools like the nmap v7.95 not giving the full version number for smbd etc?
There are some tools/exploits here and there that may not work from the get go, but of all the trainings I took so far academy is the most up to date and the least I had to troubleshoot issues for.
do people even care about cdsa in this chat lmao
was nmap syntax changed?!
no
just slight version differences with how x thing is done
they do
after indexing all plugins, why can't I find the flag?
did u try to go through the directories?
i felt really dumb in that question ngl...
there are more directories to be searched
I mean if the syntax is the same, I'd assume getting the answer might as well be the same, isn't it?
nmap -IP- -p- -T(*) any sort of flag
ill just say you know where to look 😉
hi! on exercise "AD Enumeration & Attacks - Skills Assessment Part II", would you have any hint on first foothold? i already have a list of users, but can't connect anywhere as everything is blocked with login, user as pass, ldap or smb null also not working
directory from plugin or what?
activate your brain powers man
trust me you'll feel stupid as well. I felt dumb af at the moment I figured it out
i dont wanna make it easy
literally go through the enumeration phases step by step
Module: webservice and api attacks
Hey, I had a question about this module: when trying to use SQLi on the username, is it supposed to give you a missing SOAPAction header in the response when you put the username incorrectly?
it's also the assessment
I was hitting my head into a wall
Hey, in the Web Fuzzing module, Validating Findings section exercise: I use the exact wordlist it asks, find the directory, pass curl with the -I flag, but when inputting the Content-Length header the platform says it's wrong
subtract one
Aww, beat me to it Marcie lol
Would you care to explain why is this!?
Just to understand...
Just an error in the content
It's being addressed
Thanks
see what they did in the soapaction spoofing and try to fit it for your needs, easier said than done
really really hated this one ngl
ok ill try that
if you look in the wsdl youll have basically all the elements you need, besides you can try the forums youll find more info there.
ok, question regarding the reporting stage: let's say there is a webapp I am pentesting, and I manage to chain a few vulnerabilities, for example I use sqli to log in, upload a malicious file to gain rce, how do you calculate all of that?
do you file 3 reports? or 1 report with 3 different scores? do they affect each other's score?
https://academy.hackthebox.com/achievement/667914/280 woo cleaned up the new web fuzz module
for attacking common apps, drupal section, has anyone been able to find a working python3 exploit ? I have tried many and tried to edit them too, to no avail
i know metasploit version exists, but I was wondering if anyone got it to work with python3 exploit
checked edb?
👆
yeah, only metasploit exploit, and one "manual" exploit
i guess I could try to script the manual one myself, but I am surprised nothing found for an old vuln
poison
ye, I was messing around and forgot to run the most basic thing
🖖 Hi, everyone !
Finishing this one latter today!
u could either search on google or e-db usually. u can try dorking the search for better results but maybe i didnt do that module but just maybe they intend of you using metasploit
I searched extensively and there is nothing as I said. Academy only shows you the metasploit way for Drupalgeddon3.
It's in the attacking common apps module
Congrats Marcie! Any specific hints on the Skills Assessment on that Module? It says follow the steps, there are no steps lol. I successfully have found 2 directories in it so far and an interesting file in one of those directories, but I have no idea where to go from there.
Fuzz for extensions 😉
Congrats!
After that it's a rabbit hole basically you follow a which leads to b which leads to c...
Okay got it! I didn't even think about trying for extensions. Or maybe I did? I don't know lol. The one I found that existed was ||admin/index.php|| and I take it that might be the place to start?
There is another
But that's what threw me off the scent for a good minute
Ahh! I shall find it then. I was SO stuck last night I about snapped my keyboard in half driving myself insane on what to do. Thank you!
But yeah I was going back through the sections like "what did I miss???"
The only method not used (or at least not needed) is using the api fuzzer
Generally, yes
its a zipped file but it checked the hash
It just means that the file hash of a given file hasn't been given as "malicious"
https://academy.hackthebox.com/achievement/221679/160
thanks for the help
Web services and APIs are frequently exposed to provide certain functionalities in a programmatic way between heterogeneous devices and software components. Both web services and APIs can assist in integrating different applications or facilitate separation within a given application. This module covers how to identify the functionality a web se...
Gz
I'm looking for something else inside of that particular directory, correct? Everything in there I found is 403 status.
sudo ntpdate -u dc.sequel.htb
why does ntpdate only last for like 1 second and then my time changes └─$ sudo ntpdate -u dc.sequel.htb
2024-08-07 21:19:10.890715 (-0700) +28795.868857 +/- 0.145144 dc.sequel.htb 10.10.11.202 s1 no-leap
CLOCK: time stepped by 28795.868857
┌──(sam㉿kali)-[~]
└─$ certipy-ad auth -pfx administrator.pfx
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Using principal: administrator@sequel.htb
[*] Trying to get TGT...
[-] Got error while trying to request TGT: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
why dont this work?
it only lasts for like 1 second then reverts
is udp going to be faster for my VM academy labs?
no, I don't think that's the issue, it's my vm, it's kinda slow
┌──(sam㉿kali)-[~]
└─$ sudo ntpdate -u 10.10.11.202
2024-08-08 07:40:14.878149 (+0300) +28796.042006 +/- 0.139588 10.10.11.202 s1 no-leap
CLOCK: time stepped by 28796.042006
┌──(sam㉿kali)-[~]
└─$ date
Thu Aug 8 07:40:16 +03 2024
┌──(sam㉿kali)-[~]
└─$ date
Thu Aug 8 07:40:17 +03 2024
┌──(sam㉿kali)-[~]
└─$ date
Thu Aug 8 07:40:18 +03 2024
┌──(sam㉿kali)-[~]
└─$ certipy-ad auth -pfx administrator.pfx -debug
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[+] Trying to resolve 'sequel.htb' at '10.0.2.3'
[*] Using principal: administrator@sequel.htb
[*] Trying to get TGT...
[-] Got error while trying to request TGT: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
┌──(sam㉿kali)-[~]
└─$ date
Wed Aug 7 23:40:28 +03 2024
Don't forget extensions
What academy module is this for?
for anyone searching this, change procmon.exe to procmon64.exe in the Noriben.py file. the script will crash out if you dont do it since they havent fixed it yet. spent a while trying to figure this out
Well I think I found the way forward...slightly lol. Found another page that needs a parameter to be set correctly...am I on the path?
Yup, and they're nice enough to tell you the param!
Cool, fuzzing using that param gives me a ton of 200 codes, which tells me I'm missing something else here again lol. I'll keep digging.
Filtering results
You can either -fs <size> or -ac for ffuf to discard the junk responses
You're the GOAT
This really is a rabbit hole, isn't it?
LFI 🤣
a serious blow to self-esteem
REQUEST
GET /xxxxin/inxxxxp?log=../../../../../var/log/xxx/x.log&imhere=whoami HTTP/1.1
RESPONSE
s.log4 HTTP/1.1", upstream: "fastcgi://127.0.0.1:9000", host: "nobody
Working on second last question of https://academy.hackthebox.com/module/147/section/1657
"Check the /tmp directory and find Julio's Kerberos ticket (ccache file). Import the ticket and read the contents of julio.txt from the domain share folder \DC01\julio."
I have julio's krb5 ticket set and can start an smb client using the command ||smbclient //dc01/C$ -k -no-pass || in which I find flag.txt in \julio. The flag in there says the words new flag encoded in it but it is not the correct answer for the question...? Maybe the machine got changed but not the question?
Any help is appreciated
"Go here"; "start here" 
The flag isn't encoded
the flag i found has the words new flag in it I mean
just not as plain text since its a flag
Also connect to DC01\Julio
Iirc though, this flag had some weird chars at the start that I ignored
lmao im getting to frustrated
me too
it says "what is the last modified file in the "/var/backups/" directory
I navigate to that directory, I type ls -lt to list the contents and then list the modification times in order
Does last mean most recent modified file or does it mean the last file in that directory modified
I tried 3 different answers, the most recent updated file, the 2nd most recent updated file and the last file in the directory all wrong
Im going to just start typing in one response so I dont drive everyone crazy
Were you having issues connecting to that vhost via port 80 @fathom pendant ? Just need a sanity check
Sorry if this is the wrong place to post, first time making a post here. I'm working on the tier 0 ffuf module but i seem to be running into a syntax issue, or doing this wrong as i get no results.
Would someone be willing to be a second set of eyes? Trying to vhost search with ffuf
ffuf -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://admin.academy.htb:PORT/ -H 'HOST: FUZZ.academy.htb'
So In a directory when I list the files, the time of 00:00 means the file was created but never modified?
What is the inode number of the "shadow.bak" file in the "/var/backups" directory?
There is no file named shadow.bak in /var/backups/
Im starting to get frustrated honestly, there is no way anyone could complete these questions without using outside sources
going to buy the walkthrough because im not learning anything by spending 30 minutes or more on 1 question
You don't connect on port 80
You need to ssh to the target system
-u http://admin.academy.htb:PORT/ -H 'HOST: FUZZ.admin.academy.htb'
OR
-u http://academy.htb:PORT/ -H 'HOST: FUZZ.academy.htb'
...I knew that. Just testing you.

Thanks
the Hackthebox bookmarks in the bookmark bar, are those there because I opened firefox on the HTB vpn?
cool
?
The htb bookmarks are in pwnbox / parrot
both these come back as zero results
ok that makes sense thanks
I guess I was opening and looking at files in my specific parrot os and not in the target system
seems we are working on the same rn
you found a vhost? i got all 403s fuzzing for a vhost 😄
? What's your command?
ok im confused because I actually already ssh'd to the target, I remember now
Well the commands need to be run from the ssh session
gobuster vhost -u http://94.237.55.44:44761 -w /usr/share/seclists/Discovery/Web-Content/common.txt --append-domain
filtered the output?
oh ok, so in a specific terminal that I do ssh, Ill stay in that terminal
There's no domain for gobuster to append
You don't need -c
if the vhost/subdomain isn't put in /etc/hosts, the sub returns 301, not 200
ohhh
There's a sneaky file hanging around that you will have to find. Took me a minute to find it myself lol
now im user htb student on nixfund word
ye, i also tried
echo "94.237.55.44 academy.htb" | sudo tee -a /etc/hosts
gobuster vhost -u http://academy.htb:44761 -w /usr/share/seclists/Discovery/Web-Content/common.txt --append-domain
What module?
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://admin.academy.htb:PORT/ -H 'HOST: FUZZ.admin.academy.htb' -ac
still nada
Because the domain for the new web fuzz module isn't academy.htb
web fuzzing
Skill assessment yeah? That's not the domain
Fuzz for apis/parameters
thank god for @fathom pendant
same for inlanefreight.htb though
Yep, that indeed is not the domain
Vhost fuzzing isn't the first step
One of the places you find will reveal the domain to you
Man this Skills Assessment is going to drive me insane lol. I'm gonna have to take a break and come back in a little bit to find the "next starting point". Thank you for your help though, you truly deserve to have that Community Contributor role!
The starting point could be using the api fuzzing tool, however you can find it without. Just using the -e [extension list here]
thats where I went back to. both fuzzing tools always only return the pxxx.php and xxx/xxx.php
but I suspect those are not the ones I am looking for
one of those is what you're looking for
try curling both to see
:)
hmpf... I thought I was playing long enough with the xxxID 😕
you should be able to fuzz the value with the common wordlist
spoilers btw
also this
sry
but fuzzing will reveal the next step once you curl/visit the page with the params
it'll directly tell you what the initial VHOST will be 😉
what am I missing here? they all got the same 200 status and response size
filter out that file size
any time you're fuzzing parameters and such, you're gonna get 200 success messages even if the parameter value isn't correct
i tend to throw the -ac flag onto ffuf as that autocalibrates it and I don't have to think
hello guys, for the skills assessment file upload attack, I don't understand one thing. I succeeded at finding the bypass extension, but when I get it on the server, 404 not found WHYYYY?
why are you putting the 1 in there?
also spoilers
remove the _1 from the url and see if that changes anything :)
i delete my pictures
_1 is the name of file i can modify it if you can
but it's all the same
yo... found the issue I had
ffuf gave a different result on the param fuzzing than wenum did... but why?
wenum had a result with a different response size which was the correct key ofc. In ffuf they were all the same
not all would have been the same size
I was able to filter the size just fine and find the right answer ¯\_(ツ)_/¯
I filtered "-fs 58" -> zero results
on wenum the one result had a size of 68
I really don't know what to do ... I've tried everything on burp and it tells me it's ok when I ask on the server it's not found ....
make sure you're looking for the file name correctly; i also assume you found a working extension type since you found the source code for where the files are uploaded to
I am trying to locate the next starting point here, but having no luck fuzzing. Api fuzzer didn't find it either. I might be losing my mind on this one lol
it's under the /a*/ directory, don't forget about fuzzing for extensions, try popular web framework extensions
Ahhh, got it. I didn't think that was a thing in the vhost lol
OHH
you found the vhost from the parameter?
Fuzz for another VHOST then curl it after you find it 😉
or visit in the browser
it will tell you where to start from there
i found my error: when intercepting the first request i modify the file, but when i submit i have to modify the file too. thanks to that i was able to find the file. also, i forgot to put the jpg signature in the header
don't need the jpg sig in the header since another file format is available
Ahh okay, we got double vhosts going on here?
all techniques discussed are used
think of it like a checklist
when I didn't put the signature but just the payload it gave me the only images error
did you fuzz for available image/ types?
I was able to do the xxe attack with s*g
dude that's the shittiest obfuscation since there's only a handful of things that could be
but i take it you fuzzed the image/s* extension?
meaning you can upload the file as that
and not have to worry about the jpg sig
but i succeeded ahah. as i told you, i put the jpeg signature, a bit like the
GIF8 example in the course, then I put my payload, I changed the name of the file to an authorized extension thanks to my fuzzing, and I was able to find my file and run my commands
with s* you just need the x* headers that tell it that it's that file
which you can just copy from the ex
:)
yes, but with s* you can only read the upload code and not make a webshell in the expected directory (unless I'm wrong 🙂). the xxe step I found easily; I was stuck when I had to make the webshell in the file with the right extension
you can append the php code to the end
:) the module goes over/shows doing this
seriously?? i thought it only accepted the svg, i didn't think you could add the php code at the end since it's not its extension. maybe i misunderstood 😦
Okay so I found h**.vhostnamehere which is cool, but it keeps saying host couldn't be resolved when I curl it.
you're injecting php code in the jpg file...so why wouldn't it
did you add it to /etc/hosts?
alternatively use the host header instead to curl it
-H "HOST: h*.vhost"
We don't understand each other 🤣 you told me that it was possible to inject the php code, following the xxe, into the s*g file uploaded to the server
yes
i'm saying
the logic is as follows: you can inject it into the jpg file
why can't you inject it into other types
since you're also calling the .ph* extension
You need to locate the file upload directory.
If you can successfully upload the file, which it sounds like you can, but when you call to it you get a 404 error, well 404 means the page cannot be found, so to me it sounds like you're not looking in the correct location where the files get uploaded to
I just completed Password Attacks > Credential Hunting in Linux. In that challenge SMB is available, but any username/password values allow listing the available shares. Does anyone know what settings would produce this result?
Although it might be considered dangerous, it stopped me from using netexec because every attempt "succeeded". Is there another way to attack SMB in this scenario?
Generally no, SMB isn't attacked. The only things I can think of you can use SMB for are logging in as a user who has permissions for specific files, or, if you have the capability to upload files, you can farm hashes. This is of course excluding any CVEs that allow for some kind of entry point or escalation.
Well, I put the webshell once I found the right extension with the (.jpg.ph**). I didn't think we could put the php code following the xxe with the s__g extension; I will test on my side, but I understand better anyway. thank you marcie for your help and thank you super nuts, I understand better now
By attack I mean a credential dictionary attack against the service, which worked in prior sections. However, this server was configured to prevent a dictionary attack, albeit in a way that revealed the shares. I guess it actually seemed almost effective at frustrating me. 🤣
I'll have to stand up my own service to see if I can reproduce it and try to figure out the config. If anyone else has encountered this and knows there's an alternate way to perform a dictionary attack, that would be nice to note down.
well, you could route your traffic through an AWS gateway to use a different IP every time, but that's wildly out of the scope of the module. i can't see it blocking any other way than a simple global rate limit or by IP.
The SMB thing? It wasn't blocked. Literally any username / password combo would allow you to list the available shares, but not access the share. The result was that the first username/password combo in a dictionary attack would "succeed" even though it was bogus.
But if this isn't jogging your memory I'm guessing there isn't an alternative route and dict attacking SMB isn't high up on my task list if there are alternate services to investigate anyway.
Farming for hashes sounds interesting though. I'll have to explore that.
smb can be used for finding sensitive information, detecting misconfigurations (upload perms), relay attacks, CVES
it's the guest logon thing
did you make sure to include -windows-auth? or -local-auth?
yeah i totally misread that and thought he meant he couldn't brute force it
Oooh, no... I was only thinking windows vs kerberos. I guess there can be like another auth layer with Samba.
Thanks, I'll play with those arguments and see if that makes a difference.
Yeah got it straightened out...just to get a stupid troll message. I'm getting incredibly annoyed at this point.
it's not a troll message...
it's telling you where to start your recursion
well i just forgot which flag it is for it, there's no difference i just forget the syntax for it
Recursion hasn't done jack so far with the common.txt list. Did you use a different one for this?
You got it right, there's --local-auth but also -k for kerberos. No luck though even when playing around with a few other arguments I thought might help (i.e. --share to specify a particular share and --continue-on-success to see if I got any variation between accurate and inaccurate credentials).
but I've spent enough time in this rabbit hole, and I'll note the "guest" config is likely causing it. Thanks for the input everyone!
common.txt worked just fine
you need to start at the /g* directory that you said was a "troll" message
Marcie I summon you
Could i get a hint?
_DisplayName -like "*update*"?
Im trying to find a non-standard update service, i just wanted to know if i had the right idea in mind
what's 5_ ?
I don't know why it edited some of the copied text
either way idk
alright
it helps again to give the module name and section name
That's weird, I haven't found any /g* directories. All I have is the subdomain of http://h****.f*******.htb:50018. Haven't found the /g directory yet, not sure where I'm messing up here.
don't just throw out a command you tried with little context
Windows fundamentals - Windows services and processes
what happens when you visit the that subdomain
or curl it
:)
Man, I'm dumb
It wasn't a troll message, I'm just pissed lol
i believe i said so earlier too 
HOLY DEPTH
Finally, victory is mine. Half the credit goes to @fathom pendant 
https://academy.hackthebox.com/achievement/1412668/280
ahem
From what I know, a non-standard service is something not pre-installed on a Windows system
I don't know why this is relevant, because it should've appeared in the command output
Maybe I just put the answer in wrong
Fo*.exe
Can you dm me the answer? I got an output with an F but I’m at the gym and can’t check, would really like to know if I’m right though
no
Dang it
make sure you have the cases in the right places
also i wouldn't be asking for help while you're not at your desk/setup to be able to act on feedback
Anyone done the Broken Authentication Module? That's the other one I'm stuck on lol
Hello, I'm a bit stuck with this question
Try all other injection operators to see if any of them is not blacklisted. Which of (new-line, &, |) is not blacklisted by the web application?
Like, what is the answer format? If it's "&,|", do I just answer "&, |", or is there any other way to answer?
It's from the Command Injection module
there's only one answer
it's the one you don't have to URL encode
iirc
lemme double check bc i just did this lmao
I got 1 to go through without being denied, but it says wrong answer
what section exactly?
Identifying filter
ah yeah
remember newline you have to url-encode so that's also a possible answer
refer to the chart they provided
--> %0a is the newline url encoded
hey marcielee how are u?
for the new line, do I answer with the encoded one or not? I tried both, doesn't work ... I got 2 answers that work
yeah two answers work, but it's just the word as is in the question
Do we have to read the walkthrough before doing the lab, or at the end??
but only one is accepted
this isn't a module related question my guy
that's a #starting-point
and 2 you'd read it as you go through/if you get stuck
Your choice
i have never seen that question that they have asked
🙂 now?
It's upto you. You can do the box without reading the walkthrough if you can figure it out too
got it... I tried answering with both that work, but it only accepts 1 haha
yeah it's dumb
thanks a lot
It's literally giving the answer in the next section T..T
yes but you're meant to work it out before going to that section
Are the academy instances shared? Something fucky seems to be happening with the IDS nmap machine
Yesss, I completed 1 before going for another
no
I'm sitting here, sending no traffic to it, watching the alert counter slowly tick up to 100
private instances are not shared
it just does that
If you do it properly those arbitrary increases don't matter
about half way through the CBBH career path now
i'm actually at the tail end of the CPTS path :)
I mean I can still do it, but it makes it kinda hard to actually evaluate how effectively my stealth measures are working lol
im doing this: https://academy.hackthebox.com/module/35/section/224 and i made the request with the correct cookie and it throws me an error
curl -X POST -b meme.txt -d '{"search":"london"}' -H 'Content-Type: application/json' http://94.xxx.xx.xxx:xxxxx/search.php
meme.txt is just the auth cookie saved to a file by curl -X POST -d 'username=admin&password=admin' http://serverip:port/ -c meme.txt
i also tried writing it with curl -b 'PHPSESSID=cookie' http://<SERVER_IP>:<PORT>/ and curl -H 'PHPSESSID=cookie' http://<SERVER_IP>:<PORT>/ and it still isn't working
you don't need to overthink it
you'd need to do -H "cookie: PHPSESSID=value"
from my answer "and curl -H 'PHPSESSID=cookie' http://<SERVER_IP>:<PORT>/ and stills not working" i just tried again and it's still not working
if you're using the header; PHPSESSID is in under the "cookie" header
yes that's true, let me try it
curl -X POST -H 'cookie:PHPSESSID=my_cookie -d '{"search":"london"}' -H 'Content-Type: application/json' http://target_ip/search.php
curl: (3) URL using bad/illegal format or missing URL
A valid authentication cookie is required!
same issue
That cookie is recent and I have already tried renewing the cookie by authenticating again, and the issue persists.
alright im back home
Even trying from the developer tools in the browser I get the same problem, in which the cookie is not recognized as valid
This discord is about the hack the box platform, not for hiring people
hey superNuts have you done web service and api attacks?
I did web service but not api
ok I completed the module I just wanted to know if I could use this script to perform the SQLi. I need to learn python lol
Been a long time since I did it
its ok its a module called web service and api attacks
wrong module
lol its broken
@storm elk Question
I'm on the Windows Fundamentals module, Windows services and processes
Get-Service | ? {$_.Status -eq "Running" -and $_.DisplayName -like "*update*"}
I'm getting 3 results. None of them seem to work as the answer... I'd like a hint as to whether I'm entering it wrong or my approach is wrong to begin with
Sorry, I can’t help you with that. I haven’t done that module yet
alright, thank you regardless
Try to narrow down the search less and look at the hint. Which of these software might have something to do with PDF?
I don't want to say the answer here, but I believe I've already had it for the last 4 hours, but I'm entering it wrong somehow
it begins with Fo if you know what I mean
had my worldview shifted with this one. if you're still stuck:
follow the previous sections' instructions to download crackmapexec in a docker. you need to downgrade to a lower version. currently 6.1.0 works fine; they had 5.4.
*the pwnbox doesn't work either; its version is somehow too low, which is funny
oh i actually replied to your post on the forums too haha
sorry that you spent 2 days on such a dumb question
However, it asks for the ||updater||
i see
If I'm trying to do LLMNR/NBT-NS Poisoning during an engagement, for how long should I run Responder/Inveigh?
hello team, can someone help with module "Attacking Common Applications" and section "Attacking Thick Client Applications"? thanks
haha... The output was truncating the full name of the service.. 4 hours wasted due to truncation
hackthebox moment
im stuck with the bash scripting module and don't know how to proceed, i know nothing about it and have no clue how to check what i did wrong.
If you don't know anything about it, you should read the module again.
The section is a step-by-step guide. What exactly is not working?
Maybe try another source to get the basic idea first if the HTB module content is difficult
Hi everyone, on the LFI log poisoning module in RE: the log file poisoning, the written text suggests we execute our command with cmd=id but the screenshot seems to show &cmd=id which one is correct or am I misinterpreting something?
I believe it should be &cmd=id consistent with other examples in this section.
hi
on the module "SQL Injection Fundamentals" when trying to connect to the DB via "mysql -u root -h 94.237.49.212 -P 51351 -p"
I get the error message "ERROR 2026 (HY000): TLS/SSL error: SSL is required, but the server does not support it"
hm, okay, nvm. works with the in-browser VM
You request the log page & pass through cmd the command id
(?cmd=id) it's an example
Hello, I'm kind of stuck in the Skills Assessment of the Command Injection module.... Can anyone help me with any hint?
Without knowing what exactly you are trying to do, hints are impossible
I'm trying to get a command injection to work, so I can move on further to get the flag
Yes, but how do you try that, where exactly do you try that and what exactly doesn't work?
You can also send me a dm so as not to spoil things here
hydra is very nice indeed when it works, though sometimes I had issues getting it to work with http post forms and had to use python instead
i am doing exactly as in the section, step by step, but can't create .bat and .tmp files
Are you doing this with Windows? If yes, activate the file name extensions
https://support.microsoft.com/en-us/windows/common-file-name-extensions-in-windows-da4a4430-8e76-89c5-59f7-1cdbbc75cb01
Otherwise they will be hidden. Your file is then called file.bat.txt, for example
Can anyone help me out with "Intro to Assembly"? I'm hard stuck at section "Functions"
I'm asked to work with a provided file called functions.s, I need to ld it with -dynamic-linker as far as I understood but I'm getting errors with everything I'm trying
so, I skipped the section and the next one is explaining the dynamic linker, which I needed in the previous section? why is this so confusing
https://academy.hackthebox.com/module/17/section/88
how do I solve this assessment? i have already checked all the directories
but i cannot find the flag
ahhh thanks & to Gian84 too
not sure. I know that running 7.95 only gave me 1 digit of the version number, but running 7.94SVN gave me the full version string.
It should be there, what all directories did you check
not sure if this is the right place to ask this, but I'm trying to do the machine Greenhorn and it was working fine and now I cannot seem to connect to the website for it, any suggestions?
I used the lab vpn with the openvpn cli, did my nmap scans, even got a reverse shell. But it disconnected, and I tried doing the same methods again but cannot connect to the website this time
ok will do
Hi everyone, did it ever happen to any of you that your vpn works, you can ping scan, etc ... but when you trigger an exploit like with msfconsole it always fails? While trying exactly the same thing from the PwnBox works perfectly?
I have had that issue before yes
I'm having it quite often to be honest ..
used pwnbox instead and same exact command worked fine
but I really like athena over pwnbox though
sorry for the ignorance but what is athena?
just another linux flavor
ooo never heard of it .. I'll check it. Did you solve the VPN issue in any way?
hmm not really, I just made aliases to start/stop with scripts to make it not have to tie up a terminal to run it
ah ok, to switch back and forth between PwnBox and your pc?
yeah, use a vm at work. bare metal at home, and when I'm having issues that seem like i'm doing it right but it still doesn't work i switch to pwnbox from browser
I guess we will have to deal with it... that sounds like a good workaround.
you've used -sV?
yep
that's what gave me the single digit version on 7.95 but on 7.94 it gave me whole version
weird, wonder how it would react if u aggressively scan a specific port?
didn't know running a software back a version was doable
firewall blocked it
it was the one you have to dodge the firewall while getting the version
lol no it was so frustrating
I knew i was doing it right but still couldn't get the right answer
usually you need to tweak it a bit to fit your needs
yeah i get that, but there was still no reason nmap shouldn't have been giving me the full version number
Hi guys I need help on this section, anyone available ? https://academy.hackthebox.com/module/77/section/843
I loaded the webpage but I'm stuck there idk what to do next
The webpage tells you a plugin being used. Search that
There's nothing to do with metasploit ?
Is it normal that in the SQLMap Essentials module I get a lot of connection errors? [CRITICAL] connection reset to the target URL
Not normal
my internet, or could it be htb?
already tried a few times, didn't work, and i'm stuck because of the connection errors
sqlmap -u "url:port/case" --batch --dump -T flagX --technique=X
Are you specifying http:// ?
it finds it injectable, it dumps, but then it stops
[09:46:44] [INFO] retrieved: 32
[09:46:45] [INFO] retrieved:
[09:46:45] [CRITICAL] connection reset to the target URL. sqlmap is going to retry the request(s)
[09:46:45] [CRITICAL] connection exception detected in dumping phase ('connection reset to the
maybe my internet
Maybe
i'll try later, thank you 😉
You can visit the page in a browser yeah?
¯_(ツ)_/¯
sup everybody, im on the WEB FUZZING - Skills Assessment and i am stuck. i reached the || fuzzing.xxx.htb|| and it tells me to go to the godeep folder, however i don't know what to do. i did vhost and subdomain scans and i didn't find anything. any help?
Which page are you seeing when you visit it in the browser or curl it?
hello, i have a question
im currently doing the ZAP Scanner exercise from the Using Web Proxies module and im scanning the given host
and the scan seems to freeze at 38%
is it normal and i just have to wait?
when i try ||fuzzing.xxx.htb/godeep|| i get a 404
It's h*.f*.htb
Your subdomain fuzzing should reveal a h* domain
nvm it moved
You're not gonna get the /g* endpoint on the base domain
@fathom pendant i got an issue
when i connect to the rdp it crashes on me
like the rdp will load, but then give it 2 seconds and it'll crash
/timeout:600000
I'm going to ask that you stop @ ing me for random issues
If you continue to @ me unprompted, I will block you
u don't have to be so harsh about it, i only just asked and that was my first time asking you with a ping mention
but yeah i will respect your decision and just ask without pinging
I'm being harsh bc you have a habit of either @ me or replying to an unrelated thing asking for help
:)
but this was just once
I'm also tired of people @ me in general for things like this
I'm seeing a certificate failure. There's a flag to ignore the certificate or you can whack xfreerdp's cache/options directory.
that's okay, but the thing is you know better than the people who ask for help here, your help is genuinely effective to us and helps a lot we appreciate it like a lot
The xfreerdp cache is in a weird spot in Kali at least. Look in ~/.config/freerdp if I'm recalling correctly. <--- note the directory was "freerdp"
yeah sure
I don't know shit brother, being honest
I just happen to be here at the right time
When someone asks a question
well, as i said, your help means a lot and i've seen your responses, u give the correct ones every time
and it shows u just know what you're doing
yo guys, I am trying to bruteforce tomcat with hydra, but it goes through all the combinations and no positive results return. I know ||tomcat:root|| are the creds from the metasploit bruteforce module, but for some reason hydra does not find them. Any syntax mistakes or missing syntax ? It's from the module attacking common apps, tomcat section
hydra -f -L /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_users.txt -P /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_pass.txt web01.inlanefreight.local -s 8180 http-get /manager/html -m "/manager/html" -vV
ok I fixed it after remembering the old trick. Sometimes it's necessary to run hydra with fewer threads. After using -t 4 it works now, though I wish the tool itself would tell you to slow down
I am having an issue with the Firewall and IDS/IPS Evasion - Medium Lab from module Network Enumeration with Nmap. I have tried all the flags and I can get to a point where it gives me a version, but it isn't the right answer. How do I put it in here without spoiling it?
anyone who did the LFI module - tryna do again the php wrapper section and for some reason the expect:// doesnt seem to work for me
thanks, i've just realized that im fuzzing the vhost itself, so im now running it on xxx.htb but im getting 400, 403 responses
this is my payload
||gobuster vhost -u http://xxx.htb:52946 -w /usr/share/seclists/Discovery/Web-Content/common.txt --append-domain||
curl -s "http://94.237.49.212:48624/index.php?language=expect://id" - is there anything wrong with my syntax?
quotes?
i mean it is suppose to be that way
it is? i've never used quotes with curl
didnt face any issues with the other methods also including the quotations
curl -h says nothing about quotes
@sinful mulch tried with no quotations didnt work either
the expect extension is toggled in php.ini
is it http or https?
http
that is the great thing about this, there's probably another way
In linux I found that sometimes " is treated differently than ', so I always use '
there are bunch of methods to get rce on that machine
got 2 out of 3, just that one that was supposedly the most simplistic havent worked
I have no technical question... how do you take notes? I believe that I have the tendency to try to copy everything because everything is important, but it doesn't feel right.
hmmm i just copy the commands under a module or section like SSRF, associated command and <--- summary of what it is used for
Try to read through things first then summarize your understanding in your own words. That can be hard with technical minutia, but often the minutia is referenceable.
Then, yeah, copy-paste commands for specific tasks you know you'll perform often. I do that too.
why does mee6 not let me send messages?
i also write the whole page as well
i sent this message once and it says don't send the same message over and over again 💀
i just have my own cheatsheet and notes
Well, I lie to myself and tell myself I'll remember. Otherwise Obsidian or Notation is pretty good for note taking
@viral lotus what version of Nmap?
7.94
ok what command are you using -sV?
I'd go take a look at the Nmap reference guide on versions.
have you tried nc?
I think you're close. The version is a flag, so you'll know when you get it. IIRC I found an alternate solution that didn't involve nmap.
If you want to share your command, I'll take a look. You should be on the right track here.
am I ok to dm it?
I'll go try that, thanks. I just moved on and finished everything else so I wasn't wasting time.
yes, DM's open
Also, how did you figure this out?
their example command output didn't look like the netexec output i was getting
🙂
just wait until you get to the smtp section and you have to change a config file for a tool that isn't ever mentioned in the module to get it to work....
Hi there, I am having an issue in the module Password Attacks - Skills Assessment Hard. I finally was able to mount the .vhd file, and with the two files in it I used samdump2 to get the hashes. I got the NTLM hash for the Administrator account, but it looks like it is an empty string; of course the password doesn't work and PTH techniques are not working either. I used hashcat to crack the hash locally, but I also used CrackStation and it was the same result (blank or empty string). Also, all the other hashes obtained from samdump2 are exactly the same. Edit: I restarted the target several times already.
Hyy
I think I understand where you are. You can DM me the NTLM hash and I will see if it matches the one in my notes.
ok thanks!
Hi
What's going on ?
Not a lot. You?
Nothing. #general for casual conversations. This is a channel specific to modules
Okk
for the logrotate module, is the /etc/logrotate.conf meant to be missing?
@patent shoal ; do as directory says... recursion is your friend
hey guys. I'm getting close to sitting the exam, just have AEN left. Several people told me to sit AEN blind. I know there is a walkthrough element to AEN, am I supposed to ignore that part? And I also got given advice to sit all the module assessments again without notes, is this good prep? Are cheatsheets okay and does that still count as blind if i use them? appreciate the help.
ffuf -w /usr/share/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -ic -v -u http://vhost.domain.htb:PORT/godeep/FUZZ -e .php,.html,.txt,.bak,.js -mc 200 -fc 400,403,404,500 -t 100 -recursion
Just spin up the lab. Cheatsheets, questions, and module content (from this module) are all off limits
Blind means starting it up and going straight for Domain Admin
and if I cant do that I need to go back and do the modules again?
You're doing a lot with that, you don't need to match/filter codes, also 200 is matched by default
Yep
You can refer to your notes of other modules
But AEN is set up as a walk-through itself
well i feel as though I am nowhere near prepared for that then :/
I will try doing the module assessments until i can do them without issue then
Trying to run it more quickly. I should use the common wordlist.
Yes. Everything can be found with the common.txt
Also filter/matching codes does nothing for speed
You also don't need to extension fuzz here
Also if you want quick tips, -ac autocalibrates ffuf
common.txt did the trick
The assessment tells you common.txt is used for everything
yes I've missed that part
now i'm making progress
went right to the target hahaha
Always read the mission brief
I want to select a table from a list of tables to see the rows and columns of that particular table. anyone know the sql command?
select * from [table_name]
just to be clear, and sorry for the perhaps dumb question, but when people do this, are they not doing it normally at all? Should i go through AEN with the walkthrough then attempt it blind after, or just do blind?
If you go through it via the module, it's no longer blind
Think blind == blackbox
ok thanks
Once you know anything it's no longer blind
i have trouble with the Seasonal machine, i submit the user flag but it's not working ????
That would go in #1269149728235323492
i dont have access ...
ok thank you 😇
Detecting Windows Attacks with Splunk - Detecting RDP Brute Force Attacks
Construct a Splunk query targeting the "ssh_bruteforce" index and the "bro:ssh:json" sourcetype. The resulting output should display the time bucket, source IP, destination IP, client, and server, together with the cumulative count of authentication attempts where the total number of attempts surpasses 30 within a 5-minute time window. Enter the IP of the client that performed the SSH brute attack as your answer.
Was anyone able to actually get a 5-minute bucket with more than 30 login attempts, or is the question kind of worded wrong?
cuz all the ssh login attempts are 17
Thanks, I just tried multiple combinations and landed on 3r} at the end and it worked.
Np!
A late reply, there is a post on the HTB forum about WEB FUZZING Skills Assessment:
https://forum.hackthebox.com/t/web-fuzzing-skills-assessment/319980
I hope it helps
I am having issue with the skills assessment question. “After completing all steps in the assessment, you will be presented with a page that contains a flag in the format of HTB{…}. What is that flag?” I followed the instruction till i reach the point where i am asked to use the go deeper folder. But i can’t just see where to use it since it is...
yeesh that whole post spoils the whole thing lol
but it's a t0 so not as bad
but lmao it's so easy on that assessment to feel like its bullshit
then you find the next thing and you're like "ohhhh"
hi! im trying to get through the password attacks module and am stuck on password mutations. i am correctly making the mutated list, but when i try to brute force it takes hours and my account gets de-authed. thoughts?
it shouldn't take hours
don't attack ssh
scan the host for other running services
tried ftp and it took a while, only other one was smb but that accepts anon
unless i didnt check right
ftp is the right one
ftp was taking hours
you can adjust the threads up to 48 with no issues
it shouldn't take hours
30 minutes at most
did you create the mutated list from the provided rule and password list from resources?
yes
What user did you use to bruteforce?
sam
DM
wc -l mut_password.list && md5sum mut_password.list && sha1sum mut_password.list
> 94044 mut_password.list # wc
> 1f809ede0e57dd947ffbafe5748535e8 mut_password.list # md5sum
> 1c11bab3919a662a81de7f4b9fdf68475a4a71ec mut_password.list # sha1sum
hey guys, someone up for a little nudge on Broken Authentication > Skills Assessment on the opt phase, please?
I think it's the ||Rate Limits, with the X-Forwarded-For|| but I can't get it to work ...
Can you elaborate a little bit more.
i used the > to just denote the results of the above command
I'm stuck on the opt I think it is 6 character length but I can't do rate limits on it ...
from what people have said OTP doesn't need to be bruteforced
If you mean OTP, then you cannot bruteforce it.
It's a recent module, just released a week ago. So not many writeups about it, for now. The "Skills Assessment" section differs in style from the rest. All sections "spoon-feed" you (clear step-by-step instructions), but the last one, the skills assessment... is the opposite. It is like "there's an IP address and a port, good luck". Personally it shocked me. I didn't know what to do, I felt lost and frustrated. But real-world cases are like that, so cheers to the module. And like in real life, you can ask for help.
Honestly once I found the right endpoint... it fell apart from there
I only wish they had us fuzz the param name, but yknow ig that'd be a tedious task
I think it's a really well done replacement for the ffuf module
And they set up pretty much everything in a good way, without having you need to guess/check the wordlist
I enjoyed that all techniques were used
That's right, they give us the wordlist.
You can basically checklist the methods
not sure what is the other way...
tried the 2 ||bypass...||
Hello people!
Play around with the /2fa endpoint
I am new to the Cyber community, I am currently in college for Cyber security, and would like to learn ethical hacking, I love computers and learning, I’m doing all of my core classes first so consider me new. I am wondering if I should get to know cyber security first or is there anyway I could start learning pen testing? If so any recommendations? Thanks!
"Cyber security" is an extremely broad term so when you ask if you should "get to know cyber security first" that's a somewhat ambiguous question. If you want to learn pentesting, HackTheBox's Academy platform is pretty much the best out there. It's not a bad idea to have a foundational level understanding in the broad sense of cyber security, but cyber security is full of niches and if you want to learn one niche like pentesting, go for it.
Yes!! Thank you very much for your response! I appreciate your input, I am going to look into everything now!
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
not sure...
I'm a little bit confused in a concept can anyone help me?
Module : SQLMap Essentials
PAGE # 9 : Bypassing Web Application Protections
Topic : Tamper Scripts
Description:
One of the most popular tamper scripts, between, is replacing all occurrences of the greater than operator (>) with NOT BETWEEN 0 AND #, and the equals operator (=) with BETWEEN # AND #. This way, many primitive protection mechanisms (focused mostly on preventing XSS attacks) are easily bypassed, at least for SQLi purposes.
@fathom pendant reading Windows Fundamentals, if I'm getting it correct, pentesters use weak permissions to change the executable path of important services such as wuauserv as an attack vector?
I know this isn't a question per se, just wanted to discuss something I found interesting
It helps if you say what confuses you. Those characters that are being replaced are technically between 2 other characters in ASCII and others.
Thanks, I got it when I saw some examples.
It's like this character shifting command in Linux:
echo $(tr '!-}' '"-~'<<<[) it shifts the input character right one in the ASCII table (you can do man ascii to see the character table)
technically u can but they rate limit it and set a limit for expiration which sucks but ur chance is very slim
What programming language did you all start with and recommend
JavaScript Deobfuscation scared me because that's a big word, but the module was a piece of cake lol. Especially because I have written quite a bit of JavaScript lol
it's even funnier when you work ahead of the module
https://academy.hackthebox.com/module/67/section/2502 (I would like to ask, his title is Windows, the environment is Ubuntu)
why blur ip in first pic but not 2nd lol
sorry, I didn't find that
I know, right?! I already knew how to do curl and curl -X POST and all that good stuff so it made me laugh lol
See the section title: Citrix breakout
Meaning you have to break out of the Citrix Container
Now I'm doing the Getting Started Module. Probably also going to be super easy lol. Just trying to complete one of the Skill Paths to feed me some dopamine lol
Practical Digital Forensics Scenario Question #1. Am I tryna solve this the wrong way? I used vol.py to memory dump pid 6744, then I used the provided PowerShell foreach loop that goes through the yara rules...
Hi
Colleagues, I have a question. I've noticed that to complete the CPTS, it's necessary to finish all the modules, which include exercises. If I wanted to delve deeper into these modules, how should I go about it?
Module: Broken Authentication
Brute-Forcing Password Reset Tokens
I tend to believe that this module is broken. I have searched through everything: directories, source code, tried bruteforcing usernames, passwords, I tried adding like a list of usernames and running them through reset so they maybe get sent a token and I bruteforce it, I tried bruteforcing the token with 4, 5, 6 digits with the username in the body, so I give up. I tried everything, unless the solution is for some reason like an SSRF or SQL injection or something like that.
I am writing a report on sysreporter for the ANE module, and while I was writing I noticed that there isn't a dedicated section for external network compromise (how you gained a foothold in the network); all I see is the internal network. How do I add/find one for the external network while writing my report?
cuz you r fuzzing the link without a user i think
try going to the site and entering the forgot password, then put the admin username, after that run the fuzz
I am having trouble with Web Fuzzing, Directory and File Fuzzing: Within the "webfuzzing_hidden_path" path on the target system (ie http://IP:PORT/webfuzzing_hidden_path/), fuzz for folders and then files to find the flag. I have used a sub-domain wordlist to find sub-domains but cannot find the flag there with the 2 hidden html files I found?
why r u using a sub domain wordlist ?
just use the common.txt
I tried that initially but was not getting any results
what is ur payload?
I found some accessible sub domains like #www etc but found no flag combined with the hidden domain and the hidden html files
just use the one in the module and put the http://IP:PORT/webfuzzing_hidden_path path
then fuzz for dir and see what u can get
u dont need the sub domains
What do you do if you don't have Python 2.7 in Linux? The tutorial says that you need 2.7 for the tools you use.
Ok thanks getting closer found another file
in which module?
I remember something like that and I didn't need to install anything; it's most likely pre-installed if u r working with a Pwnbox
u r welcome any time man👍
yeah havent done that one yet sorry
Then you can try to install Python 2.7
Nothing ChatGPT told me worked.
stuck at Broken Authentication skills assessment, registered but on login it says I don't have admin privileges. How should I go about it now?? (tried changing 302 to 200 OK, it didn't work)
Have you found a user?
found a user gladys and pass too, registered new account too... didn't give anything
Try it with the creds you found.
If you register a user, he is probably not an admin