Classic skid moves

How bro felt when he got his own ip from the link

https://tenor.com/view/hacker-pc-meme-matrix-codes-gif-16730883

It was masked behind a "screenshot" link

oh no

That redirected off-site

Lol

thats the worst kind

So the message from discord was to that website, which then got redirected to grabify

XD

Lol

lol now this nerd came on with an alt

No, you're not. And watch your tongue

who?

im not an alt btw

¯_(ツ)_/¯

You just happened to join at a goofy and silly time

yeah

im making a htb account rn

awww i love cats!

Alr this Is turning into general. everyone STOP 🛑

Kid probably can't hack his way out of a paper bag with a box cutter

crazy

Question about Whitebox Attacks - Skills Assessement

All the code provided is in php, so there is no prototype pollution to do? Also, type juggling doesn't seem possible since there is nothing doing any kind of serializing/deserializing on the login form, so I have no idea what to do. Can someone give me a nudge in the right direction?

Attacking Common applications - wordpress discovery & enumeration
I'm trying to find the flag.txt but i've already looked through http://blog.inlanefreight.local/wp-content/plugins/mail-masta and http://blog.inlanefreight.local/wp-content/plugins/contact-form-7/

ive been checking around and i dontsee anymore plugins other than wpdiscuz i dont know if maybe i missed a page and there's an additional plugin

one of those is definitely vulnerable to lfi

you can also get RCE vuln

:)

it's actually a fairly common vuln, you just need a user to log in with

note with wpscan, you should have found a user besides admin to do a bruteforce against

it will NOT be the same user as the example

double check your output 😄

ok i got the lfi finally im getting somewhere and ye i found a diff user

ye also don't be afraid to try multiple different methods :)

iirc it's vulnerable to a couple things (could be wrong though)

infinite target spawn glitch happening for anybody else at the moment?

nvm right as I sent that it finally worked 😄

Same happened to me

File Inclusion

Basic Bypasses Section

Hello. Cany anyone help me with the exercise on this section. I tried all bypasses taught + used very extensive wordlists to fuzz for a working bypass. Nothing works ...

you're likely overthinking it

Getting Command 'unzip' not found in the Linux file upload section… good thing I was able to bypass this entirely by extracting on my local machine with python3 -m http.server running in my Downloads directory.

as stated by the question it uses multiple methods, but they aren't too hard to figure out; as stated it's BASIC bypasses - no need to get fancy

gunzip is usually a command

¯_(ツ)_/¯

always look for alternate methods instead of just bypassing entirely

as usually there is some form of archive extraction command on a linux machine

Wouldn't it be a .gz file instead of a zip file if gunzip was intended to be used?

gunzip can still unzip .zip files

much like how winrar can be used for more than just .rar files like .7z

I went back and read the section. Tried to keep it simple and just redid the methods shown... But still I cant find it

Looking at the answer it says something about how basic filters wont stop lfi .. I could really use a good hint for this

....//

Also be aware of how the file is being pulled

how the hell did i find a flag but it's not accepting my answer 😭

Make sure no extra spaces

none

Before or after

been thru too many times to know

Refresh the page

What section?

i did is it a diff flag

wordpress discovery and enumeration

ive been here for hella long bc i didnt know how to use the exploit properly turned out it was a rlly simple mistake tho

That flag is for the next section

where would i find a flag accessible location 🤦‍♂️

man this is isnane

The flag.txt is actually titled flag.txt in an indexed location

I tried a lot of payloads like these ones:

./languages/..././..././..././..././etc/passwd
./languages/....//....//....//....//....//flag.txt
./languages/....//....//....//....//....//etc/passwd``` But none are working... I'm just trying to review this module but this section seems more difficult than the assessment ...

Don't use .languages

...

Review the wpscan output

Technically the webroot wouldn't be an accessible location on the server

It can be found without any major rce/vuln

Hint : wp-content

omg finally

I redid all variations and combinations and included ur hint to use more ....// in my variations but still nothing... I hope I could learn what my mistake was here

Just languages/

Then the payload

oh thanks. I used a . before it because the module showed that

I thought it just means that its a directory within the directory that ur in ...

You'd use ./ in front of languages

Putting .languages is telling it to start at the nonexistent hidden directory, .languages. Remember hidden directories and files are prefixed with . In linux

Thanks. U help a lot. I'm going to bed now. Gonna keep reviewing tomorrow. Cya

Yo guys in the sqlmap essentials I think I've found the right answer for flag5 (from the table dump), but when I paste that It's showing wrong. I tried dumping the table multiple times the flag value was the same even after restarting too.

then you are doing something wrong

Can I dm you to see if the flag I've got is the right one ?

HTB{700..17}

yep

no dm for helping with HTB tasks

ah okie

Iirc this one sometimes has a weird issue where it outputs the hex of one of the characters instead of the value

I'm sure you can figure it out after a point cause l337_sp34k

Dm me the flag

ohhh

Nah it just gave you a wrong answer for some reason

please not DM for helping with tasks in this server

lol

it's not against the rules to help people in dm, and marcielee helps a lot of people

Dude. He had the answer, for whatever reason - the target spat it out wrong

Literally one character wrong

That's how close it was

It's just a recommendation, that's why I ask the favor, although now that you explain it to me of course I don't see a problem in this case.

The reason I requested in dm is to compare it to mine to either see if A) he somehow grabbed a different flag or B) some other issue

This module has its fair share of dumb things that happen

As I've completed the module; I know what the answer is meant to be

it'd be a different story if I was just giving away the answer, but there was sufficient proof that for whatever reason it misprinted one character of the flag ¯_(ツ)_/¯

I've also helped them in the past

So I trust they're not just asking for the answer

And if there was an alternative to achieving it, I'd point that way

Yes only one character was misprinted...

okay f let's lighten up the mood by listening to tdoss for the 100th time 😄

Lmao

https://tenor.com/view/sleep-time-gif-25989090

https://tenor.com/view/3am-gif-25979019

hi all just trying to modify the scripts suggested in the web attacks module, I've written the below and just wondering what's the easiest way to get this to only print the new line if the grep returns a result? Currently this is working but I get a tonne of blank lines which I don't need. Any help appreciated 🙂

#!/bin/bash

url="http://SPOILER_REMOVED"

for i in {1..100}; do
        curl -s $url$i | grep -i "adm"
        echo
done

hey FWIW I had the exact same issue when I did this one a couple of weeks ago. The solution is to increase your timeout value by a not insignificant value to account for extra delay (I'm in OCE & had to use the EU server because NA was broken at the time :D) used 1337 5p3ak to get the answer rather than wait but I left it running in background and it eventually spat out the correct flag properly

ahh okie thanks

put it into chatgpt itll tell you

Module: Footprinting
section: SNMP

Enumerate the custom script that is running on the system and submit its output as the answer. 

I've tried onesixtyone, snmpwalk, could not find any script and community string either.

any hint?

i've carefully observed the output of snmp walk and braa, too nothing relevant was found.

nevermind, got it!

The modules that are focused on brute forcing attacks are driving me crazy. The service skill assessment for the Brute Forcing module is just insane. I've created multiple username and password wordlists using the exact same theory as in the module yet not a single password hit after more than an hour...

you are doing it wrong then

Or I just needed to reset the machine like 3 times since the creds where the first entries in each of my wordlists

dm with what you are doing

Hey guys, I just did the Web Service & API Attacks section Information Disclosure (with a twist of SQLi)

In the second question I used sqlmap, did someone do it without it??

I didn't manage to run it manually & curious about it

Since you know the position (as stated in the question), you can also query the data manually. ||OR|| is your friend

I thought I did...

I guess I did it wrong ...

hey guys anyone could help me to talk to real human in support ??
I subscribed to student and after 15 i got also silver subscription i got 2 right wants to refund silver so what can i do ?

@jolly cradle

@surreal rain

be patient and someone will reach out to you

it is the weekend nonetheless

binary exploitation module - intro to assembly, shellcoding tools
I tried encoding and generating multiple payloads and getting a payload from different sources but it still doesnt work out and i can't find the issue
edit: nvm i figured it out. I thought I had to enter a shell first but i can just put the command directly as CMD='cat /flag.txt'

they will do refund or not ?

I have a question: it says in drupal 7 that the php filter module is vulnerable, but if it's vulnerable and the customer hasn't installed it, what's the use of asking the customer to download it to try to get an RCE? or even in drupal 8 it's deactivated by default, so we have to ask the customer for the right to activate this module, but what's the use, knowing that it's deactivated, so the application is "Safe"?https://academy.hackthebox.com/module/113/section/1209

Are forums down rn?

Im trying to answer " After performing the ESC1 attack, connect to PKI (172.16.18.15) as 'htb-student:HTB_@cademy_stdnt!' and look at the logs. On what date was the very first certificate requested and issued?" for the PKI - ESC1 task. Im pretty sur e i have the correct answer but it keeps on giving me wrong answer. The answer im trying to provide is "12/19/2022"

guys , htb academy website down ?

cant seem to log in , onlu able to access the home page

Working perfectly.

https://status.hackthebox.com

hi i have a question , so i dont get it if from where i can get HTB cubes

Either a monthly subscription (preferred) or directly (more expensive)

if i add a user to the administrators group. I noticed im unable to have there perms untill i restart the PC. any commands to make this happen without restarting it

Nope

It's basically windows being silly

But a change isn't fully processed on an account until you log off and back on to the user

You don't need to fully restart

The effected user just needs to be not logged on

Via any rdp session, don't click the x to close the session, use the windows menu then --> sign off

Information Gathering - Web Edition Skills Assessment

For the target's IP and port, is the port supposed to be closed?

Is that part of the challenge as well?

The port shouldn't be closed?

It shows it is and I can't connet to it

Did you add to /etc/hosts? Also possible that there's some issues going on rn. Did you try respawning the target as well?

I added the IP and domain name, and I did respawn the target four times already and it gives me the same one

Hard refresh the page

Ctrl+shift+r

Did that as well

But will try again

then ig wait a bit ¯_(ツ)_/¯

Seems like some issues going on rn

.

Seems good now after couple of refreshes

👍

As to answer your other question.
Always check for subdomains
Always look for robots

Those are your two nudges

Ty

that was my only question ty, gobuster wouldn't connect and that was my question

(I've probably repeated that a dozen times

Well your question was regarding finding a hidden directory 😉

Active Directory Enumeration & Attacks -> DCSync

How can I verify that this new Powershell session is indeed running as adunn?

If I just enter some random pw it still show the same..

Generally if the pw is incorrect then it'll just launch as the user

If it's correct then you should get powershell privileges as the user you runas

Try running the dcsync commands in powershell with/without adunn creds

I followed the guide but it doesn't seem as if I have enough permissions to run the command, however it still works...?

Wdym,

Dcsync worked just fine there?

Exactly, but when looking at privilege::debug it doesnt say Privilege '20' OK

Don't focus on that lol

Ah really?

If it executes, then the user has sufficient permissions/privileges

It's likely that adunn doesn't have SeDebugPriviliges

But I think it's running as htb-student (of course it must have enough perms) however, how would you validate that the new PS session is actually running as adunn?

Try running powershell as htb-student

And running the same command

Sometimes it doesn't reflect the new user

See; htb-student doesn't have the privileges

I wonder if you do whoami /all in both if you'd get a different result

Hmm I see, just tried aswell using a random PW for adunn account, didn't work either.

Yup meaning it fell back to using your user context

I.e. it soft failed but didn't error

whoami /priv

Interesting though that it didn't fetch group info, I wonder if it's using cache/tickets loaded

And in the normal powershell?

Thats weird

And whoami /all

Ah ok

So it's able to fetch groups

That'll be how you're sure it's successful

Don't think I understand 100% tbh

In the adunn shell, it can't grab group info

In regular shell it can

👍

Yes so what does that tell me?

... it means that the shell context isn't the user you're logged in as

Understood, but it is a bit of a workaround right? In my (simple) world, it should just say INLANEFREIGHT\adunn when running whoami

windows is dumb ¯_(ツ)_/¯

whats the best way to upgrade a webshell on a windows machine after an sql injection?

Python if available?

Sql injection module?

You don't

Python generally won't be available on windows

I wonder what happens if you type powershell

🤔

https://zweilosec.github.io/posts/upgrade-windows-shell/

But you can't upgrade a webshell

yeah i saw this

You can attempt to run a command

But you're not gonna upgrade a webshell

You can do a reverse tcp command, maybe

so generally we dont upgrade webshells to reverse shells?

im really confused

It depends

But there's a difference between upgrade to reverse, and upgrade to usable

Which is likely where your confusion set in

You'd need to do a one-liner in the webshell to get it

ive tried revshells

well you'd likely need to urlencode any spaces

With either + or %20

Im struggling with the javascript deobfuscation module. I have multiple different flags and none of them seem to be working correctly

Don't work ahead of the section

It also helps to say what section you're on

The deobfuscation section, it wont let me show a picture of it tho

Bc your account isn't linked

??? linked huh?

Deobfuscate the secret.js, then look for flag=

You specified /netonly so the credentials work only for remote access. whoami is local though

Read #welcome

Yeah and its not working

If it still has + in it, then it's not fully deobfuscated

HTB{1_..r!}

Or it does again after I type it manually a 3rd time? now jesus christ this whole module. There must have been some kind of white space getting in there somewhere?

Yeah I just put that flag in about 5 times

Probably at the end

The academy desparately needs to be less sensitive about case and whitespace. I get that you wanna be teaching people to pay attention and stuff, but its really discouraging and sometimes leads me down the wrong path when I have the right answer getting marked wrong cause the input isnt getting stripped

This is not the only time ive struggled inputting something as an answer

Well flags specifically have to be case sensitive

I have a habit now of making sure there's no whitespace

With case sensitivity I was thinking of other modules that have words and stuff as answers

Put cursor at end, backspace, put cursor at front delete

It's a habit you form

I mean, from my perspective, I checked the front and back of this flag and put it in and it said it was wrong. And then it said it was right after trying repeatedly, and I have no idea even what I changed to get it accepted, but as far as I could see I was putting in the same set of characters over and over until it just... worked through stubbornness?

/feedback exists

Also sometimes the input form is just dumb

And refreshing the page makes it work

Is that a module problem or an academy problem?

Havent tried that actually. good idea.

An academy problem

If you're 100% sure it's right, no ws, refresh the page

Still better than tryhackme but these cubes arent cheap man, I should have a dedicated chat bot on the page to gripe and complain to at least if its gonna be this frustrating! lol

Javascript Deobfuscation is a tier 0 module yeah?

You'll get the cubes back when you complete it

I cant remember honestly

There's a help bot in the bottom right of academy

but ive had similar problems in some of the higher tier ones on this path

And depending on the issue. It may get raised to staff

Hi I have been trying to do the "web fuzzing skill assessment" for 2 days
Have found "http://IP:PORT/folder/file.php?parameter"

But i fuzz as asked with common.txt and find nothing > have tested with ffuf and wenum .

Any ideas ?

The parameter to use is given to you

Parameter=FUZZ

If you don't see it, then maybe you didn't find the right file.php

Guys I'm in footprinting lab in pentester path, Lab - Hard. There's 5 ports open, one is ssh which requires both password and public key, then there's POP3, ssl POP3, IMAP and SSL IMAP.
I can connect to all dovecot servers but every single command I input is invalid and it always says error. I can't do anything with the ssh port and I tried looking up the dns of the server and it seems like there's nothing there. I have no idea what to do. Do I have to use metasploit? Even the I prob wouldn't know what to do

link videos

allright, so my problem was that i thought it was a windows machine so my revshells didnt work.... lmao i needed a break

https://academy.hackthebox.com/module/81/section/789 Has anyone else had issues with this lab portion? I walked through it step by step for the last two hours and the machines just aren't generating the traffic that contains any answers, the only image file I see is is the golden retriever at flag.jpeg after using t he ftp.request .command filter. But at no point did I see anything having to do with "a certain Tranformer Leader".

I did what the lab told me and filtered "http && image-jfif" and got nothing. I was able to find a lab write up to get the answers after 2 hours of struggle bus. I am used to the bugs on OffSec but this lab just seems to not be working correctly. I was letting the packet capture run for ten minutes at a time.

hey i found the answer via the course but when i enumerate urls i don't found the examples to find the xml file containing the admin role,https://academy.hackthebox.com/module/113/section/1090

Perhaps that page isn't accessible on the target

¯_(ツ)_/¯

Also the role question specifically states "in the example"

so @fathom pendant on the LFI Assessment. if you navigate to http://94.237.62.126:42677/index.php?page=index you will find that the server doesnt respond at all. but if u try other pages than index, it does respond. So I want to see what other files I put that it doesnt respond to, maybe meaning that those pages exist

I didn't have to do a timing attack for that module assessment

I think you're trying too hard for something where the answer may be simpler, like wrappers

Yet I listed the vhost and I found an examples directory thinking that I was going to find this famous web.xml file

well it's not web.xml

the example explicitly states it as the tomcat-users.xml file

I understand good 40 minutes lost for that lol

@sterile pumice I don't do private dms for help, especially unsolicited

Sorry @fathom pendant . done that to not spoil what i have already done 🙂
But i understand! will look if someone other can help

idc why you did it, it's best to ask to DM first (especially bc #rules ); you can also ask here and redact any spoilers

There's another service you missed. Make sure to perform a full enumeration.

also ssh doesn't require BOTH password and key, it requires password OR private key

if you did whoami or id in your webshell you'd have known

i did lol

then you should have known it was linux

as with windows it's [Domain]\[user]

where with linux it's just [user]

Who do we talk to if the correct answer isnt being accepted by the question. I've reset the box 3 times, solved it, got desperate and validated my solution in "Show Solution" and it is still telling me Incorrect answer, its in Broken Authentication - Attacking Session Tokens

I can look at it in about 2 hours. Did you try submitting what show answer gave?

Show answer shows answer {hidden} I know what I am submitting is right because it is in the admin panel HTB{xxxxxxx} and I am literally just copying and pasting, I even hand typed it, and still shows incorrect

you can dm me a screenshot and i can look if you want

Since it's paid content, please don't do that.

Hopefully I'll be at my work machine in about 2 hours and can check it out for you

Thanks

Do you also have no spaces at the beginning or end of the string?
Have you restarted the browser?

OK, there was a space in front of the H , that I didnt notice, good now, my bad, false alarm, wasted an hour of my life over a space lol, Thanks all for the suggestions

look on the bright side. It will never happen to you again

Thanks @acoustic owl

I was solving a module and unable to find the flag, can anyone help me out?

the last bit looks like a function generateSerial

maybe if you prettiefy the last bit it might be easier to understand

i mean I have the image, but it won't fit all the content

try to read the last bit of your code, and see what it does. for example why is there a split("|") what does split do?

okay

Javascript Deobfuscation?

Just replace eval() with console.log()

It's easier to just have nodejs or some other tool just console.log instead of eval the script

¯_(ツ)_/¯

Also @sullen rapids try not to post things directly from the target that may have the flag

Flags won't be wrapped in quotes to submit

Just the HTB{..}

okayy..

You have the answer btw

nah...I am still stuckk

You just copied the string with quotes

You need to copy it without it

:)

le'me try it

😦

Make sure no whitespace before or after, try refreshing the page

This is the Deobfuscation section yes?

yeahh

Oh...

No...it's not

You worked way ahead

https://academy.hackthebox.com/module/41/section/441 this section yeah?

tried it

Dude

yeahh

Just read the source code of the page

:) not /secret.js

But of the spawned ip

You worked a little ahead

The hint is also in the name of the section

yeah I noticed now

Istg if you keep posting spoilers

If it contains the answer: don't post it

Ffs

ohhh my badd, I am so sorry

Gonna keep that in mind

sorry man

If it could either directly lead to the answer or is the answer [meaning someone else could just look at it without actually putting in the work] it's a spoiler

okayy, so posting the answer is prohibited or I can post it with a spoiler tag?

Prohibited

okayyy

Ty @fathom pendant

No answers

As spoiler tag literally does fuck all

Some people have them turned off in their settings

ohh..okayy..

not gonna do it next time

If you want reassurance you have the right flag you can do HTB{12..89} as the first and last 2 characters of the flag

okayy

Or in cases where the flag isn't in HTB{} just the first and last 2, or the md5sum of it

I.e.

echo "flag_here" | md5sum

okayyy

Hey guys, why does HTB usually highlights parts of the IP in their examples? Maybe this is irrelevant but I just want to confirm the intention of this

Yes I'm stupid

I've always wondered why md5sum is used in all the examples and sha256sum isn't — the latter produces output that happens to be the default format produced by PowerShell, so it plays much nicer with Windows targets.

It's just how syntax highlighting works for bash/sh

md5sum is more ubiquitous, and usually is only used for checksum verification

And also generally faster

not stupid, it's a learning process and this is to reinforce the learning.

Failure is falling down and not getting back up and learning

Hey @fathom pendant I'm on the LFI assessment and I have LFI using the filter that u know, but I am limited to the web root directory. I tried many traversal payloads with all filters but no payload allows traversal.

As u know it disallows .. so u cannot do ../../ . It also URL decodes it before assessing the 2 dots so that doesnt work either, inputting base64 with the decoder filter to decode it also doesnt work.

look for resources

Perhaps there's something hiding that doesn't get reflected to the actual page, like a comment in the source code that won't get sent to the user

Thanks successfully reviewed the LFI module now

Im doing Windows Event Logs & Finding Evil -> Tapping Into ETW

im doing something wrong so that sysmon dose not load event id 7 events (did change event id to exclude)
and at the end etc.json has no info about ManagedInteropMethodName.

Any guidance would be great. ty

Hay

I have a problem, does anyone help me?

@frosty geyser https://dontasktoask.com

I have problems in module on HTB

Ok just ask your question

If it's a hint you need it helps us help you to tell us what module and section (chapter) you're on

And what you're struggling with

We can't read your mind on what you need help with

Attack password

In you on private

I don't do private dms

Just ask here

I have problems in module password attack Lab 6

Lab 6 tells me nothing

What's the section name

Remote password attacks

Password Reuse / Default Password

👍 and what have you tried?

I didn't understand

🙄😊

Use the credentials database they linked, search for mysql

Use that to try default credentials

please be specifyc when you are asking for help

You need to first ssh to the machine using creds you found in the previous section

I didn't understand how to use Mysql

Ok sorry bro

If you're doing the pentester path. The footprinting module is earlier in the path which details how to connect to a mysql instance

I just want the method

mysql --help

I mean, enter ssh data in mysql ?

No

First: ssh into the spawned ip with the credentials

Then from the ssh session, you connect to the mysql instance

I mean, how did I connect from ssh to mysql

????

you're not connecting to ssh from mysql

...dude

it's like connecting to something from your own machine

the ssh connection just connects you to a remote machine with a user on the remote system

I mean, how do I solve the method?

??????

wdym how do you solve the method?

i literally told you the 2 steps you need to do to try

there's a resource provided in the reading to a default-cred-cheatsheet

in that; search for mysql and try those username and password combinations while in the ssh session as sam

if you run mysql --help in your terminal, and look you'll see how to pass a username, and password to authenticate with

i've basically given you half of what you need, the other half is utilizing that squishy thing in your skull called a brain

I think you should start by doing the most basic modules if you have trouble understanding the module you are currently on.

Ok thank for your time

nah he must study basics first as sec + and network+ and pts

nah

sec+ and net+ aren't needed

nice

but if he's doing the Pentester Path on academy, he skipped a few

oh

as there's a module called "Footprinting" earlier in the path, which literally details the bare bones basics of connecting to a lot of common services

ye

Im trying to answer "Windows Attacks & Defense/ PKI - ESC1 / question 2". Im pretty sure i have the correct answer but it keeps on giving me wrong answer. The answer im trying to provide is "12/19/2022". Any help is appreciated

Has anyone solved question number 2 of the Notetaking & Organization section of the DOCUMENTATION & REPORTING module?

it's given in the reading

or at least it should be

it's related to using tmux yeah?

guyyyyssss iii goooottt a first Zerrrroooo Dayyyyy CVE YYYYaaaaaaaaaaYYYYYYYYYYYY

I'm very happy

congrats

but this isn't a gen chat

if you read and follow #welcome you can access #general

I don't know what I'm doing wrong, but I have more than 6 hours alone on that question... possibly it's some nonsense I don't know, but how tiring so many hours already alone on that question.....

command prefix then the other combo

all [key1] + [key2] +[key3] + [key4]

the prefix is the part I don't know what it is because I can't find it, that's why I have this problem with the correct answer.

... ctrl + [<Another Key here>]

it's given several times

you can also probably google "tmux default command prefix"

This is what I have been doing [Ctrl] + [B] + [Shift] + ["] because when I put it in the pwnbox it creates the vertical division, but when I write it as an answer it does not validate it....

That's a horizontal division

I used this other one [Ctrl] + [b] + [Shift] + [%] and when I put it in the question it doesn't give it as valid either, I don't know what other key I need to put.

invalid I meant

Did you put % in?

Also try capital B

yes I did

And capital B

Yes, when I type it in the pwnbox Ctrl + b + Shift + % it displays the screen vertically, but as an answer in the question it is not valid.

Reach out to support then ig

It worked for me

¯_(ツ)_/¯

Make sure a space between each [key] + [key]

Do the brackets have to be right ?

Hello, I’ve been trying to go through the questions here and I just can’t figure them out. I went through all the modules prior quite easily and haven’t been able to figure out the first question even for the “C:\Logs\DLLHijack” question. I know to filter events by ID 7 but from there I’m struggling on what to do, I’ve been trying to manually go through the logs but it’s been very time consuming. Any tricks or tips would be greatly appreciated. Thank You!! Windows event logs and finding evil skills assessment.

yes brackets

just capitalize B and brackets. check whitespace

At last it helped me, if I was doing it right, but it must be that sometimes the fields of the questions give problems because it is not the first time that I notice these failures... I thank you for your support my friends...

yeah some questions are dumb

Yes

Yes, as I imagined, it was possibly something silly, but it took me hours.... But thank you very much for guiding me to have a better vision.

Here is the question? By examining the logs located in the "C:\Logs\DLLHijack" directory, determine the process responsible for executing a DLL hijacking attack. Enter the process name as your answer. Answer format: _.exe.

hi

How many Pen Testing Labs did HackTheBox have on the 8th August 2018? Answer with an integer, eg 1234.

it redirects me to another page

so i cant get the answe

Thanks man! I think the problem is the latest version of Impacket, because I tried with the 11.0 instead of 12.0-dev and it worked!

man, is every module as thick as the introduction to windows command line?

granted im reading closely and taking notes but its a bunch of infromation

Yeah majority of them are thick

I just got used it after a few modules

Previous knowledge helps tho

it's rated 4 days. there is one that is 7 days, but 4 is the higher end

I see

Can someone show me where I’m going wrong in virtual host and subdomain fuzzing?

When attempting to use gobuster to fuzz the vhost via url “inlanefreight.htb” I’m getting “no such host”, when I use the target IP, it will run but only output status: 400.

I’ve tried running the url with provided port# but “no such host”.

I can see in my /etc/hosts that the specified vhost was added. Really not sure what’s going on.

Any hints or tips appreciated, thanks.

terminal output please

@steady dagger ^

And command

+1

I have problem with module Windows Event Logs & Finding Evil -> Windows Event Logs & Finding Evil
event viewer has no logs of event id 7 and ETW has no ManagedInteropMethodName.

configured sysmon to detect Event IDS 7's (include -> exclude)
opened powershell and CMD in administrator privileges
started SILKETW command in CMD
ran SeatBelt in powershell (while silk was running)
went to ETW.json to look for the answer

im missing something but im not sure what?

have you tried going thru the logs via powershell get-event i think the cmdlet is, or something like that? also get-eventlog and get-winevent check out the docs pages for those and figure out which one will let you search by event id and see if that helps

Hello

Why is it different from the content of the results he obtained? Can someone help me?

they are showing you the format of the flag on the first screenshot. The second screenshot is the actual flag.

Hi, I need help in the hard lab of Firewall and IDS/IPS evasion pls

im scanning and i get only 2 open ports and idk how to continue the lab ( port 80 and port 22)

which module was that one?

aha found it. Try using -g 53 on nmap when scanning

Hey Guys I have a question on Web Service & API Attacks ==>> Server-Side Request Forgery (SSRF)
did someone did that question hands on ?

I know I can do the inner port scanning, but I didn't managed to do it ...

hey guyz i m stuck with the question During our examination of the USN Journal within Timeline Explorer, we observed "uninstall.exe". The attacker subsequently renamed this file. Use Zone.Identifier information to determine its new name and enter it as your answer, in Rapid Triage Examination & Analysis Tools

i found this file with file name
amd64_dual_mdmtkr.inf_31bf3856ad364e35_10.0.19041.1_none_ed481a2e40b7b510.manifest
but its incorrect can anyone help me through the walkthrough please. 🙂

You need to compare 2 journals and search for uninstall.exe

Hola!

the only way I found is to do it using **burp **on that specific port I get a delay response & on other ports that isn't open I get error response quickly...

is this the intended way?

Normally it would be time delay or differentiating the response for SSRF port scanning. That is the intended way.

then if I didn't know that specific port the enumeration would be impossible?

Whole point is to find ports that are active

cause some ports where fine some error and some are time delay ...

Btw u can use a burp extension for filtering responses with delays

You fuzz all the ports and based on time based technique or response based techniques, you figure out which one is open and which one is closed

not in that example

some where website regularly some r time base and some r closed ...

solved, thanks

that y I'm not sure

if they have another way ...

If it gave too much irregulars on whichever technique, mostly don't go for it

You don't get much false positives on the time based enumeration right?

well I guess

thanx on it ...

Then that's the way. I'm also pretty sure that's the intended way

thanx

Enjoy. Time based attacks on HTB are "advanced" so good to start getting familiar now

hello , im in Pass the Ticket module, but i cant rdp to the target with the given credentials

command:
xfreerdp /v:10.129.xx.xx /u:Administrator /p:AnotherC0mpl3xP4$$
xfreerdp output:

[06:36:16:754] [10083:10084] [WARN][com.freerdp.crypto] - Certificate verification failure 'self-signed certificate (18)' at stack position 0
[06:36:16:754] [10083:10084] [WARN][com.freerdp.crypto] - CN = MS01.inlanefreight.htb
[06:36:16:956] [10083:10084] [WARN][com.freerdp.core.nla] - SPNEGO received NTSTATUS: STATUS_LOGON_FAILURE [0xC000006D] from server
[06:36:16:956] [10083:10084] [ERROR][com.freerdp.core] - nla_recv_pdu:freerdp_set_last_error_ex ERRCONNECT_LOGON_FAILURE [0x00020014]
[06:36:16:956] [10083:10084] [ERROR][com.freerdp.core.rdp] - rdp_recv_callback: CONNECTION_STATE_NLA - nla_recv_pdu() fail
[06:36:16:956] [10083:10084] [ERROR][com.freerdp.core.transport] - transport_check_fds: transport->ReceiveCallback() - -1

Yo

Anyone know about a virus that attacks ram

I have 8gb ram but it’s showing 2 in task manager

Wrap the password in single quotes

$$ is a variable call in bash calling the PID of the current shell

Thanks

👍 it's important to know special characters and their purpose in bash and any programming language

thanks for the advice!

I have question which is more a curiosity regarding the AD Enumeration module. Here I see that we have 2 ways to abuse GenericWrite or GenericAll permission over a user object:

• populate the SPN field with a fake one and kerberoast
• enable the "do not require Kerberos pre-authentication" setting to request the encrypted TGT and crack if offline

But I have not really seen these methods compared. Are there any pros and cons for each ACL abuse method ? So far I would say populating the SPN sounds better as you may be able to force RC4 encryption on older Window Servers, while the TGT comes AES encrypted anyway I think. At least the module did not touch on its encryption.

each way poses different risks, and either way you're triggering a log event

with the second method you're altering security settings, which may be disallowed by the company that contracted you

generally you want to go with the least intrusive way of acheiving your goal

yeah in that case seems like populating the SPN is safer, and proably easier to clean up after, when you can choose both that is

mhm :) path of least resistance

in either way you'd obviously log that you did them

just in case you either forgot or for some reason couldn't revert changes

Question:

I'm trying to get through the Setting up - Linux module rn.

I've been going at it for several hours following the instructions. I get to the part where I have to run this command : "sudo apt update -y && sudo apt full-upgrade -y && sudo apt autoremove -y && sudo apt autoclean -y"

And it just absolutely eats up all the allocated space for the disk and throws out several errors. I started with a 40gb disk, and ended up trying with a 120gb disk. No matter what it just completely ruins everything and i can't continue 😦

Am I doing something wrong? I'm following the instructions to a point. Does it make sense to even do the manual setup of a pwnbox or is there something that outdated with the module?

it's safer to use an 80GB disk size tbh

for general everyday user stuff 40 is normally fine, but you have to consider that a LOT of tools will eat up a LOT of space

:)

try running the commands one at a time

perhaps something else is going on that you don't see

also are you allocating a fresh vm? or did you add size after?

if you added size after setting up the disk, you'll need to repartition the drive to add the space using a tool like gparted

Fresh VM after each time that it filled the disk up

I basically started over completely each time

Which is why I'm suprised it even went so far as to eat up 120gb, I went in first 40 - 80 and finally 120

and you went through the install process for the OS before running the commands

yup

so when you boot up it asks you to log in to your user/password you set up?

just making sure

because currently running parrotOS in a VM @ 80 just fine myself

Actually, no I set up a password but it doesn't ask me to log in

did you unmount the install ISO after the install step?

Unmount? 😮 Didn't see anything instruction about that

Hello, the PtH academy module targets are not spawning..been waiting for almost 20 mins for them to spawn. Any help? Thanks

yep

Refresh the page

Did that

Quite a few times.. -.-'

change the vpn location, sometimes that does the trick for me

How does the unmounting work? Seeing as there is no instrution at all for it.. :/

Is it the boot loader location? Switching that from the Master Boot Record of VBOX HARDDISK into the System Partion?

basically you want it to prioritize the hard disk

but you can just click on devices --> optical drives --> the iso

Thanks it worked

Thanks for the help, I have it figured out now and it works like it's supposed to 🙂

Running into my next problem though, as I try to do the "Cat tools.list" command, it just tells me. "No such file or directory"

Do you have an idea of what is wrong this time?, tried to run the previous command again but nothing extra happened

because there is no tools.list file on your system

:)

it's that simple

you need to create that file in order for it to be found

I'm just wondering if I don't understand the module "Setting Up" at all then, since they there imply that the file already exists if you follow the the module

i cant add time to my target ip

Coming back to work on the modules after 3 weeks of PTO feels like 🫠

@west rampart

the target is a publicip:port isn't it?

not a 10.129.x.x target

yes is publicip:port

then no; you can't extend the timer

it's a slight limitation of it being a containerized instance

2 hours should be more than enough tbh

That's exactly what I was saying, I was recommending that they add a way but this guy came to tell me that it already existed

because the assumption was for the vpn academy targets

again it was a miscommunication of intent

sorry, what means tbh?

<to be honest>

ohh ok

or if it's tbqh <to be quite honest>

ok

thank you

hello

ts is crazy tbh idrk how he didn't know that

Hello

¯_(ツ)_/¯

Here is the question? By examining the logs located in the "C:\Logs\DLLHijack" directory, determine the process responsible for executing a DLL hijacking attack. Enter the process name as your answer. Answer format: _.exe.

Hello, I’ve been trying to go through the questions here and I just can’t figure them out. I went through all the modules prior quite easily and haven’t been able to figure out the first question even for the “C:\Logs\DLLHijack” question. I know to filter events by ID 7 but from there I’m struggling on what to do, I’ve been trying to manually go through the logs but it’s been very time consuming. Any tricks or tips would be greatly appreciated. Thank You!! Windows event logs and finding evil skills assessment.

are you loading the logs from that directory?

sounds totally legit 🤨

Question regarding AD Enumeration and Attacks, Cross-Forests trusts. The author mentions that if we own domain user that can authenticate to the trusting domain, we may able to kerberoast across forest trust. Question is, how can we enumerate which users from trusted domain A can authenticate to trusting domain B ? Maybe I missed it, but I have not seen it the module

Or maybe simply having an inbound/bidirectional trust with the trusting domain is enough for any account in the trusted domain to authenticate to the trusting domain ?

hey team, is someone knows how to delete a operators in sliver?

<@&861185840277487616>

generally bloodhound can sniff it out

hey can someone help me out with this backup.vhd thing on the password attacks hard lab.
I have tried to use the bitlocker2john on it but it is not converting, it keeps turning into a txt file with no signatures

Im actually so lost rn

it shouldn't be converting the file itself to anything

when you throw the hash into john does it error?

or are you making an assumption that it's not working

i tried mounting it and i cant figure out the mounting, for some reason it doesnt think that the /dev/nbd0 exists

Its not even creating the hash

did you ensure that it exists?

it could be an older version of bitlocker2john that requires python2

Yeah, i used fstab -l and it was there, but its not getting picked up when i try to do anything with it

bitlocker2john requires the -i parameter

im trying to show you what im doing but it keeps getting removed, i will just type it out:
bitlocker2john -i Backup.vhd > bitlock.txt
Error while extracting data: No signature found!

cat bitlock.txt
Encrypted device Backup.vhd opened, size 8MB

literally just did it myself and it worked just fine

yeah, i know its not a problem with the syntax

md5sum Backup.vhd 
271bd3a710ae92848c22a6c719b513f9  Backup.vhd

^ checksum

ohhh

i see the problem c5a1274fb98a216feb283ad526592b21 Backup.vhd

:) potentially a corrupt download

it keeps getting corrupt lmao. I downloaded it like 3 different times

what method?

smbclient mget

use a different method

lol

iirc i used an http upload server

ok 😢

you can also mount a local share onto an rdp session with xfreerdp /drive:

but smbclient has been known to be wonky with it

I did that to get the keepass thingy, i should have stuck to it with the vhd transfer

also

Get-Filehash -Algorithm MD5 C:\Path\to\File

just to be sure that for whatever reason mine isn't different from yours

i don't recall if i messed with it or not

powershell*

heres a previous message of this

ye

ls -lah btw will show the file size in human readable context

instead of 1313131313

I'm currently in the vulnerability assessment module the CVSS section.
Can someone explain to me what's the difference between the CIA impact in the modified base metric and the CIA requirements?

Does the vuln affect any of the Triad is the short answer

Modified Base Metrics is just a fancy way of saying "where you are at the start" vs what's expected

ok, but why did they add the CIA requirements if we have the CIA impact?

Requirements = What's required to be there
Impact = what's actually impacted

what specific section, don't recall a CVSS section

oh, thanks you made it easy for me.

btw

it's EXPLAINED IN THE READING

I think i found the problem, i kept cutting the download off before it finished. My dumbass realized this when i saw the hash changing every 5 seconds 😂

The Modified Base metrics represent the metrics that can be altered if the affected organization deems a more significant risk in Confidentiality, Integrity, and Availability to their organization. The values associated with this metric are Not Defined, High, Medium, and Low.

The Environmental metric group represents the significance of the vulnerability of an organization, taking into account the CIA triad.

😄

271bd3a710ae92848c22a6c719b513f9 Backup.vhd
Mucho better

GL you're on the final hurdle :D

thank you for your help

which reading?

of that section

literally under the subheading "Environmental Metric group"

that's where I pulled that text from

Each of the Metric Groups has their own subheading which explains them :))))))))))))))))))))

here?

Has the option to download the .ovpn for modules academy been removed? I'm probably missing something painfully obvious but I cant find it anymore.

yes lol

https://academy.hackthebox.com/vpn

if it's a publicip:port for the question, it's not required

only sections that require the vpn to connect to the target will have the vpn download option

Ah thank you. I knew it would be something plainly obvious like that. Cheers folks

Who else is literally needing to use while [ $? -ne 0 ]; do xfreerdp /<SNIP>; done to force PwnBox to work properly re "Shells & Payloads > Reverse Shells"?

that's extremely unnecessary

lol

if it's dropping; just add /timeout:900000

any tips or command to speed up rdp vm

cry

generally it's not that the rdp machines are slow; it's that your connection is shit

use the tcp vpn download

i use openvpn

yes

there is a button

to download a tcp connection

instead of udp

yeah i use tcp

ok

then try other regions

¯_(ツ)_/¯

there was a module about make the sceen less clear therefore making it faster

eh

idk i forgot about it

it depends on the root cause of the issue

oh well

life ig

is the exam machines faster

please help me im stuck

After crawling the inlanefreight.htb domain on the target system, what is the email address you have found? Respond with the full email, e.g., mail@inlanefreight.htb.

Information Gathering - Web Edition

Page 19
Skills Assessment

I've already tried with spiderfoot, with scrapy and with reconspider and nothing

also need help. I'm in the password attacks module Attacking Active Directory & NTDS.dit, and i don't know where to find the fasttrack.txt file, is it supposed to be on git? i tried both and they didn't work

When I scan with Reconspider I don't get any information, it tells me that no page has been scanned.

guys help i was on internet and i got a virus installed without my consent(.msi file) but i didnt executed or opened it i just deleted after it was installed,is my pc safe?

It depends, the virus could have planted persistence

Even with the fact that it was installed on your computer, it could have already collected all your data.

but like it just went into download folder,i didnt executed or gave him admin permission i just deleted it

it downloaded from those scam pop ups while i was trying to download smthing

i feel like this question should be posted in #general or somewhere else

You’re right.

We can’t really help you in this channel as it’s for help with Academy content. My suggestion would be to run a virus scan

ok thanks

please help me

bump

I’m sorry, not at my computer do can’t check my notes

hi, i need help. i am currently doing "Use cURL from your Pwnbox (not the target machine) to obtain the source code of the "https://www.inlanefreight.com" website and filter all unique paths of that domain. Submit the number of these paths as the answer.". I came up with a command curl https://www.inlanefreight.com | tr " " “\n” | cut -d"‘" -f2 | cut -d’"’ -f2 | grep www.inlanefreight.com | sort -u | wc -l but its not working. only thing i get in result is this ">" sign

Does anyonne know why I keep getting this error in the hard Footprinting lab? Just trying to normally see the databases and it either returns an error or just shows me nothing

okay got it somehow

@plucky hollow can I dm you?

yes

Cool. Check your dm

Because your syntax isn't correct you're leaving an open '

In your cut -d "'" with cut -down "\'"

You need to escape that quote

if someone could help with mine it would be greatly appreciated, currently banging my head against a wall trying to figure out where this fasttrack.txt wordlist is supposed to be

Module?

find / -name "fasttrack.txt"

Or locate fasttrack.txt

Might be under SecLists

Attacking Active Directory & NTDS.dit

Password Attacks

.

I'm assuming pwnbox?

yes, i do not see it anywhere already downloaded

2> /dev/null at the end

They recently updated the pwnbox

So file locations have changed

/usr/share/seclists is the new location of the seclists download

let me check

WOHOOO! I am finally done with the password attacks module.

I got severely burnt out on that module.

Check under. /usr/share/wordlists

Great job

i don't see it, maybe i should restart the pwnbox

so i shouldn't have to download anything though right? like it should already by loaded onto the pwnbox?

You might need to download it. Did you run the find command?

find / -name "fasttrack.txt" 2> /dev/null

try without semicolon and try 'show schemas'

can someone give me a hint? I need to establish a shell session with the target OS here for question 5 of assessment for shells and payloads section

Mysql statements need to end with a ;

I am thinking of trying to get a PHP shell?

like via file upload no?

What target is that for?

blog.inlanefreight.local

You can do it manually, but there's an exploit already available

i remember that a command didn't require the semicolon, but i may be wrong

See the next question

nope not there

So you'll have to download it

¯_(ツ)_/¯

what's the exploit already available? I looked at MetaSploit and couldn't find it

Read one of the followup questions about a .rb file

You can just use it

ok thanks

i've wasted like an hour and half on this, the ones that i have downloaded have not worked

@alpine ingot you just finished this section, did you have any issues finding the fasttrack.txt wordlist?

if you've downloaded it it's probably something wrong in your methodology

how do i know that's it the right list???

I tried downloading the .rb file but I end up with this.

I think its because this device is on a private IP?

and not connected to Internet?

https://raw.githubusercontent.com/drtychai/wordlists/master/fasttrack.txt

You don't need to download it you donut

In msfconsole

Just type use 5xxx.rb

thank you, i will try and make this work, i've used this one already but i'll start over again and try to see what i'm doing wrong

I couldn't identify the exploit in msfconsole. I searched for exploits and didn't see it.

Don't worry about the search part

I'm literally telling you what to do

yea i got it

msf6 > use 5xxx.rb
[-] No results from search
[-] Failed to load module: 5xxx

it doesn't have the module

wait got it

never mind I'm an idiot

msf6 > use 50064.rb
[*] Using configured payload php/meterpreter/bind_tcp

I got a meterpreter

ok got flag

i know you solved it, but over rdp you will need to file transfer with a webserver and wget, or use the rdp file share in xfreerdp

Hey

hi, struggling a little on the skill assessment for the pivoting module

I had to restart the MySQL connection and it worked guess it was just acting funny

I want to enumerate the internal network via the foothold provided (webshell). I decided to go with uploading chisel to the foothold. executing chisel server on the foothold and connecting from my atttack host using chisel in client mode specifying socks proxy option.
Then running proxychains fping -asgq 172.16.0.0/16 not sure traffic is getting across and back

But more importantly - I finally finished the Footprinting module. It was extremely time consuming since I jotted down every little tip and method but it was well worth the effort!

I'm now getting host 3's hostname which I don't know what it is and I assume that since normal nmap scans aren't working that I need to review Nmap documentation? Am I wrong?

gonna bash away a bit and then use ligolo-ng i guess

not sure what u mean

I tried a scan including pings which got ignored and tried with the -Pn option and ports are in ignored states

Hello

should I review nmap to play with the scanning a little? is this kind of thing so I don't forget nmap skills?

Hi

scanning one host?

ye

yeah u might try fiddling with nmap scan options

-Pn good so it doesn't check if host is up

u scanned for all ports?

I scanned default port scan

which I think is the common ports

try all ports

-A should work fine

-p-

@quasi wave You're on the metasploit module and what host are you trying to nmap?

I'm on the shells and payloads module on assessment question 6

and always do -T5 since you don't care about detection

ok

on a real engagement don't I care?

if anyone has any advice or thoughts on my approach

Carry on 👍

Thanks so much @fathom pendant finally got it to work, finding the right wordlist often ends up being the biggest time-sucks for me

probably just do the normal nmap since you don't want to bring down their servers in a real non-evasive engagement

or go lower than T3, i don't know how they work

ok different question... is there any point in bashing around with chisel and prrrrrroxychains when we ccccan just use ligolo-ng... i get the tunneling via dns or icmp, but ligolo-ng just seems far superior to other tools

stick with ligolo

unless we doing living off the land e.g. ssh port forwarding and we dont want to upload stuff to the foothold

Hello how do you enumerate the subnet of the 2nd network card if you don't have access to the machine? I don't know if it's possible through the webshell provided, but my advice is to find a way of accessing the machine (for example, identification information in a file or a private ssh key), then you can connect using proxychains and use your tools to pass the flow on to the other network.

i do have access to the machine via the webshell

i'm uploading chisel and trying to forward traffic through chisel running as a server on the foothold

in theory it should forward traffic on to any networks in knows about

it's not wokring for me so I'm moving on to using ligolo-ng which is a bit more intuitive and is effectively a straight netwwwork layer vpn

similar to the openvpn except it uses userland network stttttttttttack

did you verify with ipconfig/ifconfig that that is the right network? i only remember ever needing /24

yeah it's the right network

it's a /16 according to the network card

ens192: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.16.5.15 netmask 255.255.0.0 broadcast 172.16.255.255

maybe try the same fping command with 172.16.5.0/24

mmm

i actually tried just ping the 172.16.5.15 address from my machine via proxychains also no good

my advice is to find the ssh key on the web shell and connect with Dynamic ssh -D port forwarding of course with proxychains and then ping sweep to find the other ip and enumerate its port and connect according to the protocol found.

i think the forwarding is not work

well that interface is only open to the internal network, so it is correct

@marsh echo thankssssssssssssss i'll try that

he work for me

yeah but if i run proxychains ping 172.16.5.15 and chisel is doing it's job i expect it to towrk

but it might be that ICMP doesn't get forwarded

and it's tcp layer that will work

well, dynamic port forwarding is on your attacking machine, not on the webshell 🙂

yes i understand

i think icmp doesn't get forwarded across the socks proxy provided by chisel

but good idea to use the ssh dynampic port forwarding no need to upload any tools

if I understand correctly, you managed to transfer chisel client to the target via webshell without even having access to the remote machine without ssh?

yes

i just ran an http server on my attack host

and wget from webshell

but i have ssh access as well

no issue

Nmap scan report for 172.6.1.13
Host is up.
All 10001 scanned ports on 172.6.1.13 are in ignored states.
Not shown: 10001 filtered tcp ports (no-response)

God the Exploiting Thick Clients section was like pulling teeth with how unintuitive/poorly explained things were

although ligolo-ng is still a superior solution given that with proxychains you can't forward partial connections thru the socks tunnel

because -Pn doesn't necessarily mean the host is up

could very well be that you sent blanks to a server that wasn't even talking

oh

found your typo btw

it's 172.16.1.13

172.6.1.13 is a public IP

thick clients. which module is that by the way?

:)

Attacking Common Applications

hmm

while the section is a guide. holy shit it was pulling teeth to actually get it right

ah yes, you're definitely going to make me want to do it again! 🤣

there are things that aren't intuitive to know

ah u a few modules ahead of me

like recompiling at different stages

:))))))))

https://tenor.com/view/lost-my-marbles-gif-10902317

lolol

it's not a race, my friend, the goal is to succeed in different ways in order to fully understand. pivoting was hard for me.

https://tenor.com/view/ahead-of-you-gif-18442352

me to it was really hard for me

indeed

it wasn't so much hard

u r right

as it was deciphering what was actually right/wanted from the module

vs what was being presented as just info

but pivoting i felt was finnnnnnnne, just that the doubleeee pivot section coullllld have been written better

and the whole module could benefit from some good network diagrams

i agree

like there was a whole bit about downloading the server to check the source code of it which i understand for the specific vuln but then it refers to editing Users.java ... which is both in the SERVER and CLIENT decompiled sources

it wasn't until it came to recompiling that i saw they used client and not server

Just curious so I know how much of a rabbit hole this is when I come to it, how effective would nc -ulnvp 53 be on any of this?