#modules
you can create port forwarding rules from the target machine to the pivot machine, and then from the pivot machine back to your machine
there's an update after almost 3 hours and half...
there's a way described in the module to force frames i believe
I've tried a deauth attack
time
I'm still a bit confused with the --reverse flag on Chisel. Is that not helping the internal host get a route to my machine through pivot?
you're scanning a shitload of hosts
yeah 1st i have to scan which host is up
I've got an error when I try to use aireplay-ng (test mode).
I don't get any EAPOL packet with these methods for idk reason.
but when i do this, it tells me all ports are open.
ChatGPT says "In this case, the reverse tunnel is enabling the internal network (172.16.6.50) to access your attacker machine (10.10.16.6)."
I'm so confused atm
In a standard Chisel setup:
- The server listens for incoming connections.
- The client connects to the server and forwards traffic.
With the --reverse flag:
- The client becomes the listener, accepting incoming connections.
- The server connects to the client and forwards traffic.
did you read the text directly after that command?
yesh
it explains it right there
sorry but i can't understand what are u trying to say.
you're getting the expected result, what's wrong?
actually i want to know which host is alive but the scan saying all hosts are up.
welp, I'm gonna sleep chat.
Don't hesitate if you have any clue about my problem with the wifi pen basics.
My DMs are open if needed.
gn
idk what else to tell you.. you're getting exactly what you should be getting, if you want to know more the page explains it all
ok mate.
Lol
me too from 56 to 6 week
hello i need help. everytime that i close my pc, then i open it again. the openvpn config stops working
then ill have to download the vpn file again to make it run. but now, its just not running and im receiving a fatal error
probably should ask in #1024429874246590575
Okay, so I got a weird one, maybe there's just something obvious I'm not seeing.
For the question part of the module for "Introduction to Bash Scripting", for the "Comparison Operators" section
here is my code:
first off, I thought it was kinda scummy that they didn't cover the " " thing, but whatever. My issue is with that last "tail -c 20" bit
putting that into terminal and running it doesn't do the tail, it just runs all of it:
So I mean, I got the answer, I just manually counted the last 20 or 19 characters or so, and was solid. But I still want to get "tail" working, and am clueless as to why it's not working...
Looking at it some more, what it's doing is printing 'line 10' reporting an error, which coincidentally has the answer in it anyway. So that tail -c 10 is probably fine, but what is wrong with line 10 then? Right now it's:
if [[ $var == "$value" ]] && [[ $var -gt 113,450 ]]
I've tried it with & without those central ]] [[ bordering the &&
@outer silo You mind if I DM you? I have some questions about a question you had before.
i am stuck as well. I have multiple working xss payloads but nothing seems to trigger them :/ Im at loss. Any luck for you? I will try harder tomorrow anyway.
can i dm someone about ad enumeration and attacks skill assessment 2? I have a quick question about some of the steps
Hi guys
anyone know why I cant cd to root?
it keeps me in the same directory
(sqlmap - os exploitation)
whats another way to get into root?
the only 2 ways ik are traversing the directories and also cd /root
whats the other symbol for root?
ahh
my guess is you're not in an interactive shell
/
I am when I do ls it gives me the output of the current files
yeah upgrade to a fully interactive shell then try
any idea how I can do that? the module didnt cover that
there are lots of ways but it depends on what your current shell is. you also may not need it, you can just cat the full path or something
did you do the shells and payloads module? i think that talks about it, or you can google some ways too
I cant remember if I did that but rn im on the cbbh module and im pretty sure that module isnt on here
you can use full paths like so
ls /
ls /root
cat /root/flag.txt
e.t.c.
since this is a php reverse shell Ill google how to upgrade a php shell
thanks ill try this
gives me permission denied for the last one
are you the root user?
i dont think so, im just using an os shell from sql map
is the question asking you to get a flag in /root?
it said common directory so im assuming root
thats a very big assumption to make
it looks like the flag is already in your current directory
or am i mistaken
that was the old one
you can try something like
find / -name flag.txt 2>/dev/null
Im not sure whether it will work in a non interactive shell, but you can try it
it will just search the entire file system for all files called flag.txt
ok thanks, let me try this
gave me too much permission denied
you did the 2>/dev/null as well?
yeaa
copy pasted ur command
also i tried upgrading the shell but it doesnt have python
ik
lemme check the sqlmap module
thx
the question says "try to find another flag within the host" so im assuming u have to traverse
but for some reason its not letting me
its because its not a real shell. each time you run a command its doing something like "bash -c 'your command here'"
so every time it resets your execution path
ohh thats weird
is it a mistake on my part or did the module not clarify that? because from what i assume is that we are a real shell
its not a mistake on your part, thats just how the sqlmap os shell works. a lot of web shells are like that
ahh I see
the flags aren't always called flag.txt, sometimes they are called a random string to make sure that you actually have code execution and not just file reading
idk why we couldnt traverse there
glad i could help
could u pls elaborate
sometimes you might be able to exploit a vulnerability that allows you to read files on the system, like file inclusion for example
in which case you could just read /flag.txt
but if the goal of the task is to get command execution (a shell) then they'll call it something random so that they force you to run ls, ensuring you actually have the ability to execute commands
no worries
im on the skills assessment now and the website is completely different. How do I check which parameters are vulnerable? As the previous websites were straightforward and only had one obvious parameter to check for
Inspect everything. And keep the network tab open
or if you are stuck you could try brute forcing for parameters, which i think is explained in the module?
sounds a bit complicated. I remember when there was something similar like this for my uni assessment but that was a long time ago and I forgot
If it's the sqlmap module, no
I thought there was an easier way of doing this
oh ok
The method for figuring it out was explained in the module
Basically click on everything with network tab open until something sticks out
ok what should stick out?
You'll know it when you see it, otherwise it wouldn't stick out
alr cool
thanks
can i just ask the question and then delete it afterwards to avoid spoilers @fathom pendant
Tbh i barely remember it
also just to let u know it gives way too much unnecessary stuff like this
alr fair enough
I'm aware what it gives you
Again you have to use your brain a bit
When you click a button, what happens, and things like that
That's engaging with a hacker mindset
ok cool let me try
Since you know theres a vulnerability, click everything on screen you can see
make the beep boops
Also maybe consider the type of website this appears to be
ok thanks
hi
Hey @fathom pendant did the Sqlmap module cover this? In the skills assessment u said to use the network tab and afaik we haven't had to use that at all. So is there a section u could point me towards in the module please
I don't recall the exact section
Had a question in the Penetration Tester path, Getting Started Module in the Public Exploits section. Are there any known issues with the exercise at the end? I've followed along with the msfconsole solution and tried the searchsploit exploit for good measure and know I am doing the exploit correctly, I'm just not getting any response from either and want to make sure it's not an HTB thing and a "it works on my computer" thing
Ahh I see
Again something to consider: what type of website is it
Ive realised in the skills assessment they usually expect us to know things they haven't taught us :/
There has to be a way to track something you do
It was definitely taught to some degree
Its a shopping website last I remember (not at my laptop rn) but its just bothering me xD
Ahh Ill have to recheck
And did you try doing something you'd typically do on a shopping website?
Ill give it a go rn, just came back home
yea when I try the checkout, nothing happens :/
That's not the only thing you can do
Guys I need help
do we need a ouija board?
you should read the rules first before sending that
I didn't ask to be dmed
help, I encountered this situation and modified it to -pbkdf2, but this error still occurred.
And since that's the case I'm gonna assume you're asking for something illegal
You don't need to modify anything
Ok sorry
Make sure your code isn't adding things like a newline with echo
have also tried adding to cart and contact page but nothing crazy happens or out of the ordinary
Nothing out of the ordinary should happen... but the network tab should show something happening
thats what I meant, ill have another look tho
Something you do causes a popup/notification on screen
Think about requests
You can do this with burp as well
Can you check the code for me?
yea many GET requests from the website and also when I click submit Im expecting a POST request in the tab but nada. Also I have too many Google notifs there and apis from google
Did something you do tell you you added an item to cart
Since you seem to need to be hit in the head with a brick to get it
let me try with burp
@coarse cargo jfc you could have just asked in the chat and I could have pointed in the right direction
@analog cedar we don't share attempted solutions here.
You can also try looking up solutions to this section online to see where maybe you went wrong
ok this is weird but I reloaded the target IP and it seems to be clearer now
@coarse cargo read and follow #welcome to ask in #1263635449335910531
it wasnt showing that notification initially
Okay, I'll search for it
You likely navigated to a different subpage that wouldn't
I think I found the correct parameter now, thanks for your help
i have completed most of the module but still cannot find the answer to the Discovery Indexing section, please help me.

if u dont mind, may I please DM u regarding my questions regarding how all this would work in a real life scenario?
Not accepting dms
ok np
Im just overwhelmed by this, like for example if a huge website like ebay or facebook gave me permission or bug bounty program, how would we use sqlmap for such complex websites
i think reading the source code to find the source-sink, then exploit it manually and use sqlmap
It's not so much reading the source code
Rather just messing around with features you'd normally use
Then identifying whether or not sql is used on the backend
That's the real thing about it, and why I approached helping you the way I did
hmm okay, but i still think reading source code is essential if you want to exploit a large website
It depends, and not everything will be directly available
You won't always have or be able to access the backend code that performs the function
i mean read the front end code and guess how the back end processes it
sometimes you gotta press the 'i believe' button and mess around ¯\_(ツ)_/¯
I'm not sure if there's anything in the front end that would indicate what's going on for this exercise
i even just answered the above question without knowing what the "exercise" you mentioned was
¯\_(ツ)_/¯-
?
Not sure what you "answered" exactly
The exercise I'm referring to is the sqlmap module. The broad answer will always be it depends
okay
someone please help me with the Discovery Indexing section in the Wordpress module
But again not sure the page source would have indicated anything special. The type of website can be more informational than the frontend
Am i doing smth wrong here?
..
I.e. something has to track and hold data
Import-module ./powerview.ps1
You have to specify the relative current path with ./
Ohhh makes sense, so that's for everywhere right, or just evil-winrm
Because by default powershell searches its module repositories
OK! Thanks!!
So it literally searched the powershell module store for "powerview.ps1"
I just typed in ./mimikatz.exe on my evil-winrm and got spammed by this loop:
Any idea what could have gone wrong?
evil-winrm
Yeah that happens with tools like that
mimikatz.exe "command to execute" exit
so I have to make a one liner for everything or sequentially run mimikatz "cmd"
You can do it on one line
Alright, thanks heaps!
when you do it in one line the same thing will happen, just scroll up and you'll see the result.
I'm curious, why does this happen though?
Because win-rm isn't directly using powershell
It's using http/https to pass the shell and commands through
so that makes it an infinite loop somehow? Shouldn't it have some x number of repetitions?
Lol, makes sense. Thanks!
Also, it's not meant to run interactive tools
Just basic [r]emote[m]anagement operations
Hi again, I can evil-winrm onto internal host but can't rdp even though both ports are open.
any help
nevermind, the delay was huge. I fixed it with /timeout option
sharphound would give me the domain data while in on proxychains rdp, but wont give when im on proxychains winrm.
any potential reasons? I'm able to ping DC from both
i don't understand what's going on with this server, please help me
how long does 1000 port scan last at average? like if i used -T5 -sV -sC
Depends on the network connectivity, and how many ports it finds as open and therefore need to execute scripts towards
Is it well known issue with SharpHound that I can't get Bloodhound to upload the zip data generated via SharpHound.exe?
https://github.com/SpecterOps/BloodHound-Legacy/issues/700
Are there any workarounds?
you could use nxc to get the data
Right, using that now
You have to download sharphound that is compatible with the version of bloodhound you are using
Any idea why hydra doesn't find the MSSQL credentials?
||$ netexec mssql 10.129.203.10 -u fiona -p creds.txt
MSSQL 10.129.203.10 1433 WIN-HARD [*] Windows 10 / Server 2019 Build 17763 (name:WIN-HARD) (domain:WIN-HARD)
MSSQL 10.129.203.10 1433 WIN-HARD [-] WIN-HARD\fiona:Windows Creds (Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication. Please try again with or without '--local-auth')
MSSQL 10.129.203.10 1433 WIN-HARD [-] WIN-HARD\fiona: (Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication. Please try again with or without '--local-auth')
MSSQL 10.129.203.10 1433 WIN-HARD [-] WIN-HARD\fiona:kAkd03SA@#! (Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication. Please try again with or without '--local-auth')
MSSQL 10.129.203.10 1433 WIN-HARD [+] WIN-HARD\fiona:48Ns72!bns74@S84NNNSl
$ hydra -l fiona -P creds.txt 10.129.203.10 mssql
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-12-30 04:17:00
[DATA] max 7 tasks per 1 server, overall 7 tasks, 7 login tries (l:1/p:7), ~1 try per task
[DATA] attacking mssql://10.129.203.10:1433/
1 of 1 target completed, 0 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-12-30 04:17:00||
anyone free for a nudge on MSSQL, Exchange & SCCM skills assessment?
||Trying to move laterally from DB01 --> DB02, Get-MSSQLLinkPasswords isn't returning anything - wanting to know if this is expected.||
Hello! I am practicing the "Advanced CSRF and XSS Exploitation" module, but I got one question on the lab set-up regarding the CSRF: in order to get my user promoted, how do I contact the admins? Is it via the xss vulnerable page?
Hi, on the sqlmap skills assessment, I have the right answer but htb isnt accepting it
Make sure there are no spaces at front or back
Dm me the flag you have and I'll check with my notes
ok thx
hi, I am stuck with automating the blind ldap injection script. anyone can help please? my script does not iterate properly no matter how I edit it.
I have been stuck for 3 days.
Use Impacket
I tried using PowerUpSQL and it didn't give me auth even
And since you don't have a SSMS in the Exchange Server, you are pretty much locked
thanks - I've been modifying the original powershell script for hours as the required registry keys didn't even exist on the machine to begin with
When you use Impacket to connect to the RDBMS you'll see that the path to the flag is pretty easy
can I DM?
Sure
i solved Windows Privilege Escalation Skills Assessment - Part I 1,3,4 questions but left "Find the password for the ldapadmin account somewhere on the system.", anyone can give me a hint
im only able to get it when im SYSTEM, is this the intended way? or this is any other method using a low priv access
hello im facing an issue on file upload attacks skill assessment when i click submit on /contact no post request is done
do you have burpsuite running catching the request?
DM
You have an endpoint that sends the exploit to the victim
Yes I saw it! Thanks!
is anyone able to use RDP for the sliver c2 module? It just throws a logon failure despite a reset 10 minutes of wait time. Even the solution tells you to just RDP in the first machine.
What error is returned?
[09:01:25:355] [64953:64954] [WARN][com.freerdp.crypto] - Certificate verification failure 'self-signed certificate (18)' at stack position 0
[09:01:25:355] [64953:64954] [WARN][com.freerdp.crypto] - CN = SRV09.sde.inlanefreight.local
[09:01:25:556] [64953:64954] [WARN][com.freerdp.core.nla] - SPNEGO received NTSTATUS: STATUS_LOGON_FAILURE [0xC000006D] from server
[09:01:25:556] [64953:64954] [ERROR][com.freerdp.core] - nla_recv_pdu:freerdp_set_last_error_ex ERRCONNECT_LOGON_FAILURE [0x00020014]
[09:01:25:556] [64953:64954] [ERROR][com.freerdp.core.rdp] - rdp_recv_callback: CONNECTION_STATE_NLA - nla_recv_pdu() fail
[09:01:25:556] [64953:64954] [ERROR][com.freerdp.core.transport] - transport_check_fds: transport->ReceiveCallback() - -1
This is just a logon failure right? wrong password + user combo?
no
It looks like
actually could be
SPNEGO received NTSTATUS: STATUS_LOGON_FAILURE this right?
You got right to the cert verification failure, didn't you?
Is it in the SA? If not, what section?
yes
Let me check if I can get a session
it just pushed it to the next line and i can't read
It opened up straight out
yes
i am currently on the Footprinting module in DNS section
i was able to answer all the questions except the last one
What is the FQDN of the host where the last octet ends with "x.x.x.203"?
i tried doing all the commands that i was taught on every subdomain i got
including trying to brute-force all of them but nothing worked
any hints?
subdomains of subdomains
are you sure you found every subdomain?
did you do a dig axfr to the base domain?
yes that provided me with some answers
but none of those had the 203 at the end
did you then try and bruteforce on one of those subdomains?
the answer will be a.b.inlanefreight.htb
i don't know why but only the base domain giving me results on my brute force
the rest of the domains give me error
its taking 20 years to load the flag
just have patience on them
yeah time-based does that
ah ok, funny thing was is that i somewhat got the flag earlier but there was an error in the flag so having to do it again after clearing cache
should i use a different wordlist or the one provided in the module?
i believe there's a hint that should help you
not sure what wordlist you're using so i can't necessarily say if you should use a different one 
Hey guys doing CBBH Hacking WordPress and one of the Capstone questions is not clear to me. I am reposting the question to this channel as I was informed to do so. I was not able to find the flag value.
is there any way to speed it up? the connection reset on me and it didnt end up giving me the flag as it was reset
Reset the target, changed the VPN server.
not have it do time based
do you have foxyproxy enabled?
ok cool
it's disabled.
Got it
i take it you killed and reconnected to the vpn after changing server?
Tried all possible combinations. Usually, I wait like 1-2 minutes, after each operation (reset server or change vpn server).
i don't know what im missing i started getting subdomains in the form a.b.inlane...
but still none of them of 203 at the end i will try different lists i guess
something fierce if i recall
tried the 3 wordlists that are called default.txt , 5000.txt and 20000.txt
none of those worked
my hint was more direct than you think
my god i finally finished it
my only problem was the wordlist i guess
i thought it would've been another subdomain so i was trying every single one
i feel like maybe they should've given that as a hint?
since its just a wordlist
i thought it was in the hint button
it just says that not every wordlist gives the same results
but i feel like they shouldve been more specific about which list
since ive never heard of the fierce or whatever its called before
ah
could have sworn it used to be different
but that hint has been given plenty of times for this section in this chat
regarding the right wordlist
i believe if you sort by size in that directory it's one of those you'll get there as you try different lists
true
and i feel like its those moments where you take hours on a question that you learn the most from it
so im kinda glad that we dont have an answer list or a video explaining lol even tho its frustrating
hey sorry i am looking for some help on a simple issue(i am assuming) i am trying to run a scan on burp, but when i got to target to run a scan on the address it simply wont work when i right click, i know thats not the best description but i see the scan option but its grayed out showing i am not able to use it, but i am wondering why i cannot
dam
without knowing which module or section you're working on that's the best i can answer with
zap can do it for free
yeah sorry i forgot to add the module and section, technically i am supposed to use zap but i just like burp better
¯\_(ツ)_/¯
there's likely a burp plugin that allows you to scan
but i cba to google/search for you
cause i am in an easy course, the web proxies, zap scanner, but when i tried using zap it never worked(idk how to describe it) cause when i opened firefox with zap to have the whole gui menu, when i ran it on the website none of the gui worked(again idk how to describe it), all i know is there was the debug menu saying there was an error and when i tried to spider it, it didnt do nothing, and when i manually tried, it was weird cause i am supposed to get a "high level vulnerability" which i am meant to use to get the flag, but when i manually scan it wont give the "high level vulnerability", sorry for the yap i just dont know what to do tbh, so its just the gui that wont work and the manual wont get what is needed ig. so thats why i used (tried)burp
Hi, I am trying to do the Skill Assessment for "Pivoting, Tunneling, and Port Forwarding" but whenever I try to set a pivot the SSH connection would break or be too slow. I am trying to study from a Cafe and usually get somewhere around 9-15mbps.
Can the internet speed be an issue ?
yes a few times
i just used the actual zap menu, not the zap plugin
so no gui
use tcp instead of udp vpn; that low of speed shouldn't be *much* of an issue
i didn't need it when i ran through the module ages ago
Thank you, will try it out
tcp is more stable of a connection
ok, sorry to keep asking stuff but may you have previously encountered the same error i mentioned with the high level vulnerability not appearing, and any fixes?
for rdp this is a sample command from the help article: https://help.hackthebox.com/en/articles/9297532-connecting-to-academy-vpn
xfreerdp /u:username /p:password /v:TargetIP /cert-ignore /bpp:8 /network:modem /compression -themes -wallpaper /clipboard /audio-mode:1 /auto-reconnect -glyph-cache /dynamic-resolution
the issue more of is that whenever I set a port forward with metasploit to do this, the connection dies
stays on for a bit then gone
¯\_(ツ)_/¯
(╯°□°)╯︵ ┻━┻
i genuinely wouldn't be doing this on an open wifi
Just internet issues at the house so no options for a bit
I have tried using my phone as a hotspot for it but doesn't go as well
so this the best option for me atm
BaseUrl localhost:5001
Running delete 127.0.0.1 and leave the second option
did you finish the module ? I am working on it
Hello !
I am doing the
Module: Cross-Site Scripting (XSS)
Topic: Session Hijacking
I keep getting "The connection has timed out" whenever i submit a blind xss payload.
I submitted the same payload in the field (provided in the solution)
The same happened in the Phishing (XSS) lab also
Can someone help here please ?
Hello everyone. I am working on the last section of Getting started where I have to gain a foothold on the target IP. I have connected to the VPN. My issue is that whenever I open the IP in a browser, the page will not display until I disconnect the VPN, neither can I explore the webpage, but I can 'curl' any page on that IP while being connected to the VPN. What should I do to fix this?
are you doing http://ip?
depending on the browser; you may need to disable the automatic upgrade to https in settings (google is your friend)
i'm assuming you adjusted the payload to work with your IP
yes im using the vpn (tun0) ip with http://
Hi everyone, I'm having trouble with the skills exercise in the module Injection attacks. Can i dm somebody?
I have xpath injection but I'm not able to get the flag
i wasn't talking to you with the http://
ahh my bad
but yes i was using correct ip
Windows Local Privesc
https://academy.hackthebox.com/module/67/section/601#:~:text=Extracting Credentials from NTDS.dit
Am I missing anything? I don't seem to be able to grab the bootkey from SYSTEM
I was not using it and I just tried it with http:// and I am facing the same issue.
are you sure your browser isn't automatically making it https?
Yes I am sure. The browser indicates that it's an insecure connection
Were you able to solve this?
Were you able to get this?
I suggest not doing that and being patient
I've been stuck on it since before the weekend
I don't want the answer. I just want to know what I'm doing wrong
you literally only just asked for help like 5 minutes ago + it's near new year holiday; so many people may not even be thinking about their computer lol
Sadly not, I've moved on for the time being. Gonna go back through the module at some point. Hopefully I'll see what I'm missing
it's moreso i don't wanna get pinged for something I wrote 2 days ago, let alone a month ago in some instances
so idk how others feel about that
I just tried it on chromium, it takes like 3-4 minutes to load the page, is it supposed to take this long?
it shouldn't
hi, trying to get back into this and feel like i am doing something wrong, currently on the easy lab for password attacks module, i have found 2 open tcp ports for known services.
tried hydra against both using the username + password list from the course resources, but after letting them run for a few mins they were both giving eta ~2 hours
currently trying to run an all port scan but that seems to be hanging (its been at 31% for 10mins so far)
i dont necessarily want the answer, but am i way off or is my machine misbehaving or is there really a multiple hour brute force for an easy lab?
it shouldn't take multiple hours
but ssh is super slow, so maybe don't attack that
i tried attacking ssh at first then i remembered that ssh was probably slowest so i tried ftp instead but that was almost as slow
you can increase threads with -t
i think it was running 16 threads by default but guess i could try increasing it
48 is stable from what i recall
48 threads is still giving me eta of 45mins, guess i will just let it run though
it won't take that long
eta != actual time
that's just the time it'd take to go through the whole set of lists
Hi, im searching for someone who knows a bit of HTB to help me and teach me, and also we can be friends
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
how this reads: "i want someone to teach me without providing any actual value to them"
Unfortunately I can't offer anything, I just want to learn and if I get a friend along the way that's what I get
the friends i have that helped me learn things i was friends with already before considering asking them for any help
htb academy teaches you a bunch of skills that can be used
ye i guess that is if its the last user/password combination, but knowing my luck that is how these work out :p hopefully its nearer the start
HTB won't give you something like that; at most 30 minutes is a good baseline
the pw attacks module is all about patience
ye thats why i thought i must be doing something wrong, like i get they take a bit of time but 2h felt crazy for a single question
Sorry bro
Just hang in there, password attacks is pretty bad with how much time it makes you waste waiting, the course gets better after
Eh. It makes it slightly more realistic
Not everything is gonna have instant gratification
though the intent of the course is to teach pentesting, not patience
this module was giving me a hard time lol
Pentesting requires a level of patience
a lot of patience actually
guys can I get some help for intro to assembly skill assessment, task 2, that is the only one I need now
I'm aware of this, but they should not be testing your patience when you're just trying to learn a new technique.
they should've just had a module called "having patience is key" or smth like that
The password attacks module successfully taught me to attempt online password brute force only as last resort
the shellcode doesn't execute I tried 2 different versions
I optimize the code then extract the shellcode from it
and it just doesnt work
the earlier u develop your patience, the better it is for u later on
the whole hacking stuff is "having patience is key" module btw xd
exactly, in one of AEN's parts, I did a challenge in a specific way that was not intended, when I looked back at the walkthrough for the part that I did, I saw that the intended way was brute forcing lol.
Part of learning is tempering expectations
wtf I wanted to reply to this
olliz can u help please?
I have been stuck for like 5 hours
sudo find /home/htb-student/ -type f -name *.conf -newermt 2020-03-03 ! -newermt 2020-03-04 -size +25k -size -28k
?
Hello guys I have a question like this "Before you run your page fuzzing scan, you should first run an extension fuzzing scan. What are the different extensions accepted by the domains?" would extensions be like for example .php .html etc ?
sudo find /
same error :/
I take it you're ssh to the target?
You can dm me what you've tried and I can check in a bit
Run it without sudo
Just find should do
Also 2> /dev/null
At the end
Sends errors to the void
Find /
wait

the dev null is to redirect errors into the void
lmao damn I was late
it still outputted nothing :/
You are using a negation operator, you are looking for files that were not created and the question says to look for files that were created X day.
Yeah no idea where that ! Is coming from
yeah it was the ! that was causing the problem
I finally moved on from the browser to the terminal and got one of the two flags. Thank you for your help.
I think it depends on what you have listed if it is an Apache you should probably look for .php extensions and then pages like index.php
I HATE assembly so much
@prime tangle @fathom pendant I was able to get a relatively stable connection with another tool, but man this is slow
hey does any1 know what "high level alert" you're supposed to use in the using web proxies, zap scanner module cause i have 3, and i don't know which to use or if there is supposed to be a certain one, cause it's taking a long time to scan and it's only 40% done and i wonder if there is more, or if it's scanning too much by accident
wait now there is 4
It takes patience. But honestly this one was just dumb
lol
It's way faster if you start from the certain tool and it'll identify it
i feel like after 50% it went by way faster so i am assuming starting from a point that was after that which is probably the tool you're referring to, but i think i got it thanks, but it probably would have gone way faster if i wasn't playing elden ring in the background
Hi
We can't help you recover accounts. Please contact support from the service you lost your account from
Hello I'm newer
please stop asking, we cannot help you.
Module: Using CME
Section: BloodHound Integration
Did anyone here have problems with AV? I could start looking to obfuscate my collector, but I am just trying to follow the guide within the module
Try changing the method
--exec-method {atexec,wmiexec,smbexec,mmcexec}
thanks, working now. Do you happen to know if you can configure NXC to work with Bloodhound CE?
You mean the built in NXC collector? I don't
Might be a couple of tweaking though
If you are remotely running Sharphound you can run the newer version collectors though
I mean.... Like what you did there
yeah I was able to execute the collector and get it to work
just wanted to test the built-in features
You are scripting right?
You can set a bunch of commands to upload the collector, unzip it, run and retrieve the output files
Tbh I've never ran the NXC/CME BH collectors
yeah, I actually have a script built that will put a file, run a file and then remove it.
I built it initially for ligolo and setting your agents, but realized i can also use it for any file.
its also configured to generate a json config file so you can just enter the machine ID and it will run at what ever creds you have stored.
i just finished the module
I just finished Game reversing and modding Skill Assessment.
If somebody is stuck i can lend a hand.
have you got the correct command?
I'm sure
I finished the module. I used ChatGPT to sift through the garbage code and then it's just MITM and you should be getting the flag.
I finished the module
The CME and Bloodhound Modules are really solid. I would even recommend people taking CPTS to look into them if you have extra cubes.
I'm trying this command: nmap -f 10.129.54.71 -p 25,21,80,22 --source-port 53 -n -Pn --disable-arp-ping --scan-delay 3 -sV -T 2
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-30 14:24 CST
Nmap scan report for 10.129.54.71
Host is up (0.065s latency).
PORT STATE SERVICE VERSION
21/tcp closed ftp
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
25/tcp filtered smtp
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
two ports are open and I'm able to see the version, but all the versions aren't the correct answer
why aren't you scanning all ports
:)
oh, I'm going to use -p-
also sometimes the version scan won't hold all the info you need
what's that mean?
it means exactly that
sometimes you'll need to directly connect to a port
the version scan isn't anything sophisticated
i tried connecting to the open ports using ncat but it's not working again. "ncat -nc --source-port 53 TARGET 80"
because that's not the port that's gonna give you answers
if you've scanned all ports, there should be one that stands out
i'm assuming you replaced "TARGET" with the actual target IP as well
Yeah i know that i need change that options
Hi guys
I am a little confused
The 4th question of AD skill assessment part 1
Where it requires u to rdp internal machine
With the compromised user is not mentioned to rdp to that machine in blood hound
I did that already 
I am asking about the logic behind that
Hmmm
nothing on here about rdp being directly mentioned
But it was pivoting and rdping
q4 is just "Submit the contents of the flag.txt file on the Administrator desktop on MS01"
pivoting, sure

I tried psremoting
Morning! Where do I report issues with one of the modules?
Found a question that appears to be out of date, as the file/service it asks about doesn't exist on the VM
there's also winrm
BTW I did the pivoting part with meterpreter
#1234357888114364508 my i'm assuming it's the Linux fundamentals dconf.service module?
That's the one!
your method of pivoting doesn't necessarily matter
there's already a post about it #1323022693456543897
i use ligolo-ng
I read about it
Awesome, thank you!
I am a little lazy to install it 
I think I will spend terse in the exam
Hi there; I'm currently doing Wordpress Hacking skills assess, and they asked me to identify the only non-admin WordPress user. I found three user with wpscan and one of them has author id 1(so it's an admin account). what about the others ? how to know which is an admin user ?
any help for this error im stuck on PASSWORD ATTACKS -> Attacking LSASS ... pypykatz not working
i don't recall running into that error tbh
are you sure the file didn't get corrupted in transfer?
that makes sense
will try again
Stuck on cme skills assessment last question 1745. Have ccache file but it's not getting me anywhere. Could I get a nudge?
Or the way you dumped LSASS
@dapper moth can I DM you about the skill assessment of windows lateral movement?
Sure
Just redid this SA a couple of minutes ago
Hey all. First question on Web Fuzzing skills assessment has me confused -
https://academy.hackthebox.com/module/54/section/511
It says "Run a sub-domain/vhost fuzzing scan on '*.academy.htb' for the IP shown above. What are all the sub-domains you can identify? (Only write the sub-domain name) " Which sounds like it should just be one that comes back
I get more than one, i provided each one and none are correct
Attempt:
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://academy.htb:50365/ -H 'Host: FUZZ.academy.htb' -fs 985
it's gonna be multiple
and it's gonna be sub1 sub2 sub3...
not sub1.academy.htb
right no spaces nothing?
spaces between each name
haha first time i've seen that format in a flag submission
Just wanted to stop by and say the Pillaging module for Windows PrivEsc of CPTS is fantastic. Great work team.
its the first time ive seen it in an answer key submission
¯\_(ツ)_/¯
also for the second question, similar to the first .ext1 .ext2 .ext3
@runic lynx don't share passwords or cracked info
re-ask your question without spoiling information
Understood -
don't want someone else just copy/pasting when you did the hard work
I get it, so it's the first time posting here I think I should read the rules first
this is a nightmare haha, it has to be in the right order too all the extensions accepted by the subdomains and there is more than one subdomain that comes back with different extensions accepted
all the valid extensions
On all subdomains
in what order though
I think the password I cracked is for an SMBClient connection but I'm having trouble logging into any SMB share. When I use crackmapexec with the password I cracked, it says its a valid username and password. This is for the medium password lab for Password Attacks Module. I mean the username I got and the password that that username and crackmapexec shows it as valid username and password. Am I on the right track and why won't my attempts to log into SMB client work?
i hope not 😢
it says I have read permissions for users share
Is smb running? :p
ok i must be doing something wrong i got like 8
hold on
Also why not just use smbclient to connect instead of cme
Also use netexec in replace of cme
Hi everyone,
I'm working on this challenge:
"Extract the hash from the attached 7-Zip file, crack the hash, and submit the value of the flag.txt file contained inside the archive."
It's related to cracking passwords using Hashcat. Here's what I've done so far:
Downloaded the ZIP file and extracted the 7z file.
Generated the hash of the 7z file.
Successfully cracked the hash to get the password.
The problem is when I try to submit the password, the form says it's incorrect.
Am I missing something? Any tips or suggestions would be greatly appreciated.
You're not asked to submit the password
Read the question again
Yeah it's a little confusing because it says "submit the value of the flag" but I don't the flag.txt file there :/
You cracked the zip file hash, so use it
Yeah, it's in the password protected archive. Which you just got the pw for
So I'm lost right there because I don't know how or where to apply it because I'm not getting like a pop-up or message where to put the password.
I have been using SMB client but its not letting me into the shares
Can you list the shares with the creds?
OMY, thank you -
its not letting me into any of the shares even after I run smb as that user
What does the command look like?
If a share has spaces in it, you need to wrap in quotes
But "not letting me in" is incredibly unhelpful
Are you receiving errors, if so what's the error
┌─[us-academy-1]─[10.10.15.85]─[htb-ac-605555@htb-tbricfhhoo]─[~]
└──╼ [★]$
└──╼ [★]$ smbclient -L <IP-address> -W <SHARE> -U <USER> -P <password>
-L exits
oh shit
-L runs the command to list shares then exits
Also you can just do //ip/sharename
It's also advisable to put username and password first
A case of RTFM
└──╼ [★]$ smbclient -U <USER> -P <Password> -W <SHARE> <IP>
Failed to open /var/lib/samba/private/<SNIP>
_samba_cmd_set_machine_account_s3: failed to open secrets.tdb to obtain our trust credentials for <SHARE>
Failed to set machine account: NT_STATUS_INTERNAL_ERROR
it still won't work regardless of how I order it
Wtf is your syntax lol
//ip/sharename is the common syntax for smb
-W btw is for workgroup
Not share
Been looking thru all the comments in this discord regarding wsgidav. I've gotten all the other commands / alternatives to work in the File Transfer module EXCEPT wsgidav
Fuck wsgidav
Just don't bother lol
part of me overthinks and one of those thoughts was "what if it's the only file transfer method that works in CPTS/OSCP"
but fair enough I'll settle for the other methods
I'm getting closer. Now its not giving me an error but its not logging me in
Do you have permission to access it?
What error
┌─[us-academy-1]─[10.10.15.85]─[htb-ac-605555@htb-tbricfhhoo]─[~]
└──╼ [★]$ smbclient -W Users -U <USER> //10.129.74.49/
Password for [USERS\<USER>]:
┌─[us-academy-1]─[10.10.15.85]─[htb-ac-605555@htb-tbricfhhoo]─[~]
└──╼ [★]$ smbclient -W shells-winsvr -U <USER> //10.129.74.49/Users
Password for [SHELLS-WINSVR\<USER>]:
tree connect failed: NT_STATUS_BAD_NETWORK_NAME
┌─[us-academy-1]─[10.10.15.85]─[htb-ac-605555@htb-tbricfhhoo]─[~]
└──╼ [★]$ smbclient -W Users -U <USER> //10.129.74.49/Users
Password for [USERS\<USER>]:
tree connect failed: NT_STATUS_BAD_NETWORK_NAME
┌─[us-academy-1]─[10.10.15.85]─[htb-ac-605555@htb-tbricfhhoo]─[~]
└──╼ [★]$ smbclient -U <USER> //10.129.74.49/Users
Password for [WORKGROUP\<USER>]:
tree connect failed: NT_STATUS_BAD_NETWORK_NAME
Make sure the share name is correct
You don't need to supply a workgroup
the closest I come is this because no error message:
┌─[us-academy-1]─[10.10.15.85]─[htb-ac-605555@htb-tbricfhhoo]─[~]
└──╼ [★]$ smbclient -U dennis //10.129.74.49/
Password for [WORKGROUP\dennis]:
I specify any share and it gives an error
wait I got into one
How much you wanna bet he was trying to get into the special$ shares
ok I know
smb: \> dir
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
Was it ipc?
yes
ok
what am I missing I tried every single share?
wait, do I need to log in as root and not the the user I had earlier?
is this root's password?
Hi, were you able to complete this one? I'm really confused about nc. The instructions are not really clear on what I'm supposed to do about NC. Any help, please?
Root? On my windows machine?
At least if I'm thinking right
wait hold on
iirc, the medium password lab was harder than the hard one
have you guys done the challenge yourselves?
well, that's good to know
Which module name are you doing?
Ah that was the module that made me take better notes
same here
@quasi wave did you get an ssh key?
yes
a public one and a private one. I also cracked the private one yesterday
the issue is I tried logging in as root with ssh public key and it won't work either
and smbclient won't let me into any other share besides IPC
Is that the final question?
there's only one question for medium lab
I have the cracked private key but I don't know what to use it to log in as
other than I know the user whose folder it is so I assume I have username
but the question is what can I log into with that information
ssh? because that's not working
have you tried it on another user?
hold on I can try
wait a sec there's only one other user so give me one minute
ya this password won't work on either user
and I know that its not ssh password for either user
and its not ssh password for root and I found it in the ssh folder for one of the users
Oh yeah you were on the last step
and my goal is to become root so I can get the flag in the root folder
I hear you I just am having a lot of trouble figuring it out. I'm gonna need to bang my head against the wall for a while I guess.
All you need is in front of you
Last note I have is the password for the root ssh key
yeah i just logged in
does it have to do with the other user not getting the key?
like for privilege escalation?
if so wouldn't the username be root?
Separation of duties, why give an employee the super user account
Not necessarily
Ok
Think about one of the section names, and abstract it
[Hint btw]
Only other thing I'll give at this point that "seems stupid"
Like why
But it works
You can just install ZAP and run it.
I did this one yesterday using ZAP and the in built Chrome browser it found the vuln. Make sure you're following all the steps and doing ALL the right scans
Hi
For the CME Skill Assessment Question 1, I got the answer for it, but I felt this was more painful than it should have been. ||my user list was over 3000, and I removed all groups and machine accounts from the list|| Is there a way to make this more efficient or do you just have to weather the storm.
You could use other tools to make the same attack, cme / nx to get a user lists and then kerbrute to speed things up
Did you bruteforce them?
Having a long list is normal, what you do as a next step is important
hi im struggling with AD Enumeration & Attacks - Skills Assessment Part II on the question "Obtain credentials for a user who has GenericAll rights over the Domain Admins group. What's this user's account name?"
The hint says||Think about how you obtained your initial foothold in the domain. which makes me think i need to use responder?? but only the hash of AB920 is being captured ||
I've been rereading the module for a few days but still completely lost as to what to do.
I can see the user is CT059 from bloodhound but no idea how to get the hash.
To get the hash you should do LLMNR Poisoning on one of the servers
im confused, isnt that what responder does?
Exactly, but you should try to do it on another server that you have compromised with administrator permissions.
Remember that there is also Inveigh which does the same as Responder but from Windows.
I don't quite understand, i have root on the attack box, why would running it on one of the servers be different?
I'll try running inveigh
@fathom pendant is the section name I'm looking for in a different module?
. Nope
Told you the recycling logo was a bit of a hint
Reduce
Recycle
Re---
Run it on the first machine
That part of the skill assessment doesn't make any sense
inveigh captures the hash for C**** on all three windows machines, inveigh on linux doesnt capture anything, responder for windows doesnt capture anything, WTF is going on
Don't reveal usernames
Inveigh is the Windows counterpart to NBT-NS/LLMNR poisoning
Spoiler text does fuck all
Best to first letter*
Like C*
It does actually
I think it may be something due to network limitations but as the partner says it is something that does not make sense...
wouldnt we be able to catch the user on the linux machine tho?
inveigh for linux doesnt work though
The linux machine isn't domain joined
You might poison and spoof any mistyped name resolution request or capture a specific name resolution to a machine
If it is mistyped
If it just wants a name resolution to a machine that exists, that specific Host might respond
If you are running one of these tools, you might capture that request
No… cause you are running a poisoning tool
A user might mistype a name while inputting something in a browser or a Windows explorer address bar
yeah but the linux machine is on the same network running responder.
The tools will then answer to that mistype request saying that it is the machine/address it's searching for and will capture that request
im going off of htb explanation
when LLMNR/NBT-NS are used for name resolution, ANY host on the network can reply
seems kinda hard to simulate 2 poisoning attacks
I would be curious to see the HTB annual gold solution walkthrough for this step
it would make sense if one of the domain machines had another interface
If you send a request to a Host that you already know the name and address there shouldn't be any NR
You can just capture that request
so what, during an internal penetration test i should be running inveigh on every single windows host i have administrator on just in case someone connects to that machine?
Idk depends on where and what you find yourself into
Any port in a storm 🤷‍♂️ (I don't know)
Should you always capture network traffic once you get system!?! Hell if I know
If it were me.. that'd be a hell no
..unless the time span for the engagement was until the end of time
Specific protocols? Aye
Via AD / logs you'd surely get a map of hosts of interest too
But maybe I'm just yapping bs
(context, I have no direct knowledge of this module, just speaking from my own assumptions)
so then its sending a request to all three windows hosts? because inveigh captures the hash on all of them
Feels like this might be a "go to DMs" kinda thing
Sure
Do I need to finish the module to see the recommended/related boxes?
I.. don't think so, if you're talking about that recommendation map page
Okk, thanks!
Felt a bit rude on my part for the joke, sorry
How many services are listening on the target system on all interfaces? (Not on localhost and IPv4 only)
i feel like again none of what was on theory section so far covered how to answer this question? https://academy.hackthebox.com/module/18/section/80
netstat is useful
yh the theory hasnt mentioned this at all what does this do ?
Google is helpful
Or man <command>
hi all im new to this server is it possible if anyone can tell me the website for this discord server
Read #welcome
how?
are you running it in winrm?
sure
Anyone has a min for a quick sanity check on the "Parameter Logic Bugs" Skill Assessment? I seem to have unlocked all modules but I don't see what I'm looking for.. surely I'm missing something
they used an ip for ms01
i knew it
yeah i am scratching my head on this
i managed to output the source code using curl but bruh how am i meant to filter out all paths?
By far the only bullshit one, I used the forum to help answer this
Did you forget about attacking thick clients? lol
I solved it, it just took forever to run. I was able to narrow down the list to 1400. Just takes forever running through chisel
But did you realize you were supposed to asreproast the list?
Cause that shouldn't take forever
No. But at least thick clients actually told you how... in a roundabout way
So there wasn't any name resolution
Basically this case
Yeah
I was going to spin up the lab for it but was too lazy
Spent the whole afternoon going through some of the material again
Sure
@red kraken it works fine you just need to use another file transfer method other than smb
I was wondering at the time of doing that if the whole point is it was written confusingly on purpose to simulate a stupid client.
Like "We heard a client talking about XYZ"
Is this real life? Do clients give out confusing details irl?
It's such a jarring change of language to normal academy modules that use specific language to tell you how to proceed.
Maybe not specifically this question but I remember some of the inlanefreight stuff using jarringly different and unclear cryptic language to what you're used to. But it's been a while since I did it.
Like "the client wants you to see what you can find out".
You're given prior context to "just figure it out"
There's people back when I used to work IT that didn't even know how to put a password in to login because they used Mac instead of PCs; also people i know who made passwords like tacos4me
...yes...it's just like Linux
One of the things I wondered about is if people irl have such bad passwords as on HTB machines or academy. But apparently this is accurate irl
Derivative of unix
People are lazy
yes, a resounding, yes
As someone that's worked IT, I've had to talk people out of providing me their password
that's insane can you tell me stories?
No
ok
Mostly NDA reasons
To add people into the domain they had to give us the passwords they wanted to set for their accounts, so I got a whole whiff on how little people care about their passwords
I worked OEM tech support
There's a funny image on Reddit where someone posted a form at work saying "who wants their password changed? Leave name, old password and new password"
It had several entries
The passwords module goes over how to create wordlists out of OSINT, and it was pretty eye opening for me
Some people even wrote their non work passwords like Facebook on it
Well a lot of the modules were, you should've seen my face when I hacked nibbles
I mean at the end of the day it keeps us in business. But for your own sake you know advise people you care about to exercise strong passwords
Hacking in movies: "ok I've reconfigured the ssid and exploited into the mainframe and run the ssh to get the encryption key"
Hacking irl: "hello I'm the password inspector".
I think it was ippsec who detailed in one of the modules that he was just password spraying and got a hit with Welcome1! or Password1! something like that
Yep; typical in corporate environments
[Season][Year]!
did you ever solve this? i am stuck on this assessment
That one is pretty easy tbh
nah, im give up =)))))
I've been having issues viewing the sharphound results on bloodhound recently on both the AEN and AD enums and attack module. for some reason the zip file generated with Sharphound doesn't upload. I tried on both my kali vm and on the site's pwnbox
gonna try re-making things with the .ps1 collector
The issue is that you used a version of sharphound that is made for the bloodhound community edition and you are using bloodhound legacy
You need sharphound before version 2.0 for it to work with the legacy version
When you start sharphound it should say "this version of sharphound is to be used with bloodhound ce 5.0" or something
alright let me check it out
I see now; the version of bloodhound kali repo still uses by default is older than the one the current release of sharphound uses.
okey dokey time to fix
you will need a very old sharphound or bloodhound-python
to work with the built-in bloodhound
got it working now thank you guys
For the Information Gathering - Web Edition, one questions says:
After crawling the inlanefreight.htb domain on the target system, what is the email address you have found? Respond with the full email, e.g., mail@inlanefreight.htb.
But the domain only has index.html with no links so there isn't anything to crawl. I've also tried subdomain and directory bruteforcing and haven't found anything so far using the lists mentioned in the module for those sections
can you be more specific? what section?
In the Skills Assessment
im having issues with the ACL abuse section, im trying to change the password for damundsen but i need to know wleys password, i have no clue how to get this password.
as far as I know tree doesn't show files
type C:\Path\To\flag.txt
I can't understand why I have connectivity problems. I tried all EU VPN servers, both UDP and TCP, but the problem still persist. The connection is slow, and many times I can't even reach the target. From pwnbox, the target is reachable.
okay I finally found a subdomain after finishing a top1million wordlist
It's much worse than that. It usually also includes various default passwords.
Hello @tranquil axle I'm having an issue on Skills Assessment 1 of Intro to assembly language
I get the code in registery. The 14 value join them together but doesnt work with loader.py dont get a flag
it does
there is no flag on the desktop
confirmed it by rebooting the machine twice
The domain is incorrect. I think it is inlanefreight.local
You can see this also if you read the error.
Its a direct copy paste from the module
gave the same error when i changed it to local
go directly to Desktop and list the files.
show a printscreen
I encounter this issue many times, and always was my fault.
i bet it is but I am on the right system and there is just none
it just doesnt let me create a fake spn for adunn
idk why, i have done everything the module tells me
got it
omg, i think i found out why it kept messing up, i genuinely think that the $SecPassword variable set in powershell was getting mixed up when used the second time, the new variable should be named $SecPassword2 or something in the module, because i thought i was doing something wrong. Following the guide messed me up for an hour because of this.
When i changed the variable name it worked flawlessly.
tree only shows directory structure unless you use /f
yes thats true should have added that only use it like that
Can you share a screenshot of the issue?
- 1 Analyze the event with ID 4624, that took place on 8/3/2022 at 10:23:25. Conduct a similar investigation as outlined in this section and provide the name of the executable responsible for the modification of the auditing settings as your answer. Answer format: T_W_____.exe
Regard
you might need to follow the steps in the welcome channel
Did you complete an investigation as outlined by the section?
yes for sure
i have follow the protocol on top
so you started at 4624 and went through the whole process detailed by the section to get the information?
yeah
after i search the tim
but the process name i have found is not good
what module is this again?
Windows Event Logs
but i remake the modules afternoon
i think i have make a bad manipulation for sure
you're just likely misunderstanding the instructions because 4624 won't be the only logs you look at
yeah there are some
and after you search the good time
the module shows you how to create a query to narrow your search down
Hiii,
I've got a problem with the skill assessment of the wi-fi penetration testing basics.
It seems that I'm not able to see a lot of frames from the access point HTB.
I need to capture the EAPOL to actually crack the passphrase.
I'm also not able to do a deauth attack on the target.
Does anyone have an idea of where the problem could come from?
PS : there's an update after almost 3 hours and half...
make sure you also look at the right date after applying filters
Hello, everyone! I'm studying malware debugging (https://academy.hackthebox.com/module/227/section/2496) now and there's part about InetSim, which I'm struggling with.
I've connected to HTB VPN and then started InetSim on my own VM. In configurations I put tun0 address, afterwards I couldn't connect to Windows target so I launched HTB PWN box and connected to it. Now, I've specified DNS ip address of my InetSim instance in IPv4 adapter settings but it still doesn't have connection to internet and doesn't load any pages. Is it supposed to be so at this part of the module (for shell.exe analysis?)
I suppose I shouldn't have specified tun0 interface, or is it something else?
UPD: I've changed it to enp0s3 -- still not connected
Hello I want to root my android help me
have you tried googling
Yes but the methods are not working
So where should I talk about this?
So is this group not for help? If you can help, please do, otherwise at least keep quiet.
if only there was a channel that explained what this server was about
this server isn't about helping people root their phones
this channel in particular is for help regarding the HTB academy learning modules
you'll have more access to the server if you;
- Create an HTB account
- follow #welcome
anyway, keep the channel on topic
:)
Is it illegal for a person to have full access to their own device?
not the point
lmao
keep the channel on topic, or you can leave - since you don't want to follow simple instructions
Ok I'm wrong you are right, bye
literally all i'm telling you is this isn't the right channel, and i can't send you to the right channel because you don't follow instructions to verify
even if i linked an apropos channel it'd just show up access-denied
I am verified user
gotta link your hackthebox account
It has nothing to do with the HTB Academy. Please keep the channel on topic.
because this is a server revolving around the hack the box service
if only there was a channel to explain this
I just need to download NetHunter on my device. I am a beginner, please help me in DM
it's fairly obvious you're a beginner, you don't need nethunter
lmao as a beginner nethunter would probably be the most frustrating thing to use
as hacking from a phone/tablet is tedious and requires some level of existing knowledge
Using chatgpt
that's your first mistake
I am also reading books
if you don't know anything, chatGPT could be telling you utter bullshit and you wouldn't know
Guys, please keep the channel on topic.
Mobile hacking is not covered by the Academy yet.
either way using a VM on a PC/Laptop is less frustrating of a learning curve ¯\_(ツ)_/¯
Who pinged 0_0
and doesn't require you to root your device and potentially void warranties on your device because you decided you needed nethunter
ChatGPT was just passing time with me, so I came to ask for help on Discord.
if you want to learn hacking in an actual reasonable way https://academy.hackthebox.com
it has a combination of practical labs alongside reading
so you can practice what you read
be warned, it does require some abstract thinking to go from the examples to the practice
as not everything is 1-to-1
Thanks sis for your help
You are a boy