#modules
You'd never use Tor for a live engagement I don't think
Slow, traffic potentially intercepted, and what's the point if you're on a live engagement that you have permission for?
I'm currently doing it now and I'm confused as to what browser to use hahah
you can check the policies of browsers and use the one you like
Hi everyone
What's cooking
wsg
you can open browsers from the terminal(firefox)
Yes, I got it now, I forgot about trying that earlier hahaha. Thanks!
do not use your other gmails too
I don't think so, he's genuinely just asking for a doubt I guess
No. That’s one of the commands in the module
Ok cool, just wanted to make sure. Thanks guys
Wait why can't i talk in general?
@eager ledge please read the subject of this channel.
That was a tier 2 module.
Without pasting the content and attempted answer
Describe which module and section you're on, and a bit about how you're stuck
Someone may nudge you here, or in DMs
Did you follow the instructions?
Module: Linux Privilege Escalation
Section: LogRotate
Section link: https://academy.hackthebox.com/module/51/section/1589
I have compiled the binary and run the exploit against the log file that we have write access to. The payload I am using is the reverse shell. I am triggering the log rotate by appending to the log file. However, I don't get a reverse shell. Why?
Thank you @eager ledge - appreciated
Hi,
For those who are new to pentesting like myself, you may refer to the Setting Up module. It covers from the ground up how we should organise and set up our VMs.
What does the command look like?
Can I DM you? I had posted the command earlier and @ocean night removed it as content cannot be revealed for tier2 modules
I'm afraid I am unable to help with queries on content, sorry zombiiieee 😦
I was actually asking @safe star
Yea
Oh, sorry!
Start hacking with me
😭
Hello
@gloomy basin @gloomy basin hi
I'm new to cryptocurrencies
I need help
This server is about hacking @gloomy basin
Ok teach me hacking
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
Read the guide above.
Hey, I am on the skills assessment section of Information Gathering. I have found up to the dev subdomain and I have added it to the hosts file. I have crawled both dev and web, but I am not able to find the answer for the last 2 questions. What approach should I follow to do so?
Sup, anyone know any analog of the odat tool?
How can I solve this?
Focus on how you authenticate
Hi, I'm on the Login Brute Forcing module with this topic "What is the password for the basic auth login?" on the skills assessment.
I don't want any help, just clarification about this:
Why am I getting no HTTP server? Is this normal, because on the forums they talk about the HTTP server, not SMTP or SSH (I already tried it).
here we go
wow
@stevemilller Look at your nmap command, what is it scanning now?
Impressive
In the AD Enumeration & Attacks module, for the question in Living Off the Land: "Utilizing techniques learned in this section, find the flag hidden in the description field of a disabled account with administrative privileges. Submit the flag as the answer." Is the intended route to use wmic like in the chapter above? I tried it initially and it took ages, so I used Get-ADUser. In the end I got it with a wmic query, it was just a cog-spinning question. Thanks
Hi
I need help with "Bypassing Other Blacklisted Characters" in command injection. Here's what I've tried
${PATH:0:1}${IFS}home
${PATH:0:1}home
Good morning people, I need some help. I'm stuck here
The weekly streak is still faulty - It jumped for me from 32 to 39 (now 40 after i made some module progress)
Anyone who could help me with cracking an IPMI hash?
from the ipmi footprinting module
If it's the second question, run 'hashcat -h' with the proper filtering to look for IPMI's hashcat '-m' value.
Once the -m value is obtained, use it to crack the hash.
Yeah nvm I got it, I did it by exporting the hash in metasploit instead of just copy-pasting it from the terminal haha
I think the formatting was a bit fucked. Thanks though
Can anyone pls help me?
Decoding what you have tried, those are '/ home' and '/home'.
those are paths, not commands.
yeah I need to find the user in the home directory
I tried adding an ls before those paths too
well you need to find the proper combination with the bypass tricks you learned in the module
i have something thanks !
Yes,that one
quick question, how do i minimize the font size
Another question: how do I clear terminal action history? I want to type it out all the time, even though it's long for me, to familiarize myself. Seeing it makes it hard to familiarize myself, knowing you have something to copy.
guys help
the simplest way is to simply switch the terminal to bash.
How do I do that, sir?
chsh -s /bin/bash $USER
pls someone can help me with this?
Here is how I built NimExec for both Linux and Windows. Clone it into /opt/NimExec then use Docker:
FROM nimlang/nim:1.6.12-ubuntu
WORKDIR /usr/src/app
# Install required system packages (mingw-w64 provides the Windows cross-compiler)
RUN apt update && apt install -y \
    mingw-w64 && \
    apt clean && rm -rf /var/lib/apt/lists/*
# Install required Nim packages. Not 100% sure version 0.2.0 of ptr_math is necessary.
RUN nimble install -y nimcrypto hostname && \
    nimble install -y ptr_math@0.2.0
COPY . /usr/src/app
# Build the Linux binary first, then cross-compile the Windows binary with mingw
CMD ["bash", "-c", "nim c -d:release --gc:markAndSweep -o:NimExec Main.nim && nim c --cpu:amd64 --os:windows -d:release --cc:gcc --gcc.exe=x86_64-w64-mingw32-gcc --gcc.linkerexe=x86_64-w64-mingw32-gcc --passL='-static-libgcc -static-libstdc++ -lws2_32' -o:NimExec.exe Main.nim"]
docker build -t nimexec-builder .
docker run --rm -v /opt/NimExec:/usr/src/app nimexec-builder
Sorry to bother you, but I don't understand what's happening.
When I refresh the page there are always different sites on the same box, and there isn't a login (for the module Login Brute Forcing).
All this weekend I've been refreshing the IP.
Am I doing something wrong? Like not understanding the topic?
Thanks again for your help
@soft reef
I find myself stuck here, can someone help me?
Look at the documentation for ffuf, something about matching
Matching? Mm oke
But where is that?
Instead of __f__iltering a result out you want to __m__atch it
is
Google, ffuf --help pick your poison
oke oke thanks
Get used to looking up command options
in google?
Or in the terminal
man <command>, <command> --help are common ways to figure out command options
Is this server teaching how to be a hacker?
Ethically, yes
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
it gives me an error
Don't put the command in <>
Some commands as well may not have man pages
then?
Most commands have a -h or --help flag
This is very difficult, oh my god xD
What does the error displayed tell you?
i don't know xD
ahhahahahah😅 😅 😅 😅 😭 .
Well 0x56 hooked you up with the answer, but I highly recommend you take the time to troubleshoot and research errors you receive. Most things you can easily Google and others might take some Google Fu, which IMO in the end will help you out as being able to troubleshoot is just as important as everything else.
In the "SQLMap Essentials" module, "Attack Tuning" section, I am finding flag6.
I used the following sqlmap option, but the 'col' parameter is not injectable.
||sqlmap -r req.txt --batch --dump -T flag6 --prefix="')" --suffix=" -- -" --level=3 --risk=3||
How can I resolve it?
Oke oke, I'm so sorry, you are right. If I want to work in this sector I will need to do that.
NOPE, was my fail... as root I had access
Yes, it was because of using the normal user. Had to switch to the root user.
I still can't find it, how clumsy I am, my goodness. 😅
The section is basically a walkthrough, but you can DM me
Regex filter, you don't need to do anything fancy
what what
Match regex, you already know what to match
That's gonna be the option under ffuf --help
ok I'll take a look
The question gives you the phrase to search for
I believe you also should know which file extensions to use
Haha, I think that's the problem xD
The questions build on each other
Also when you go to submit the answer use PORT and not the actual given port
but the port gives error
can you answer?
Respawn the target, make sure you use http
I'm sorry bro, I am very clumsy xD
Where is the respawn option? I see only the reset option, which only switches the IP.
My antivirus blocked it when I tried to log in. I put it in the exceptions, but the same issue persists.
Hey, I'm at https://academy.hackthebox.com/module/265/section/3160. The app crashed on me and there is no way I go through all these steps again xD. Is there a way to exfiltrate the file that I have to analyze so I can do it faster with tools?
@soft reef
I retried and I have this:
No HTTP server, am I doing something wrong?
Don't scan the target with nmap
Public ip and port means you're given a specific scope
It's a docker container
Yeap i know, I have already finished the module, after a lot of resets same attack worked
I feel sorry for @fathom pendant , trying to help everyone😂🙌
ty a lot
Hey, can someone help me in the SQLMap skills assessment?
That's the shop page yeah?
Open the network tab, and click around until something pops up
I found this, but I have a doubt
Consider how a shop works and work from there
That'd be spoiling things. Consider just saving the request, as shown by the module
Ok, I will try here
If I have another question, can I ask in this channel? Or is there any channel for asking questions about the academy?
Nothing you'll be required to do hasn't been shown by the module
Ask
Hello folks... quick question about Password Attacks - Credential Hunting in Linux.
I've found two ways to resolve this. The 1st one is based on || history || and what we found there. In the 2nd one, we use a tool. Is this intended? I'm just curious.
Yes
More than one way to cook an egg
**CWEE path: CSRF Exploitation > CORS Misconfigurations** Can I DM someone? Not sure why my code isn't working...
Has anyone gone through the AD module Active Directory Enumeration & Attacks recently?
In the section for Kerberoasting from Windows it's suggesting hashcat mode 19700 for TGS with AES128 encryption, but I cannot get this to work
Never mind, it's working now
I made it, thanks
You can send me a DM.
Hi, does hackthebox teach frameworks?
Wdym?
Does hackthebox teach vulnerability finding?
Vulnerability finding in what?
There are tons of technologies that HTB teaches.
Idk, like web domains
Do you mean web exploitation?
yeah something like that
Look at the CBBH path. It's all about such vulnerabilities.
Alright, I will, thanks
Hello brethren
hello
This academy module for mutations seems like such a mega powertrip. Could easily teach the same principles without having to waste so much of the users time brute forcing a massive list. Genuinely disappointing.

This got me too
I'm working on the final assessment of the Insecure File Upload module. I've exfiltrated the files, I've bypassed the allow and deny list, I know theoretically where the files are uploaded to, but I'm constantly receiving 404 errors when I try to navigate to them on the server. I've checked it with burp repeater and I'm at least in the correct subdirectory, but for whatever reason I can't find the file. Does anyone have any suggestions on what I need to re-read to figure this out?
If this is what I think it is and you do understand where things are, mess around with the date format. I actually have a couple of minutes, you can DM so I know exactly what you have identified.
Thanks. In coming.
Windows lateral movement - skills assessment - second question. I have IPv6 address and required password. I established pivoting with Ligolo. Still I can't see any open ports on that IPv6 address. Tried with nmap -sT -Pn and all other methods. Tried Chisel / proxychains, no result too. Any nudge?
You won’t be able to do it via a tunnel
There are a couple of ways to perform that IPv6 port scan and they are all local
The stuff in the txt
The Ports are methodologically configured to non-default ones
So if you Port Scan a Host, you will know what the Ports are
Makes sense. I saw it's locked and I have read the hint. But what I can't understand is how to quickly identify how to move and to which service (rdp/winrm/ssh etc)?
Try the different services
So the full port scan using PowerShell from the first host is the way to go? I thought it was a waste of time
Forget about Port Scanning
Try the different services
But you can try the ones you have already enumerated with the Test-Connection
Not sure I understand you. First you say "if you port scan the host..." then "forget about port scan" 🙂 I tried winrm/rdp/ssh as well as other things, but I assume the port is random
Forget about Port Scanning IPv6 enabled interface 😂
Haven’t you Port scanned the first Host already?
Yes, of course. Both from the 10.129 and 172.30 perspective
Again… you can do it but just locally
And most of the methods will take too much time
This
If you already scanned one Host, you know what the Ports are
You can try the services on that ports
Or if you are stubborn (like I was and spent a day just to be able to perform it), you can either use Test-Connection on those specific numbers or there is a standalone scanner for Windows from a company, but it will also take forever if you are scanning all 65535 ports
Yes, that's what I thought. Too much time. But I can't understand how open ports on the Support host can help me move to the IPv6 WSUS host. You mean if (for example) port 8920 would be RDP on Support, it will mean it's also the same for WSUS? Not sure I follow the path rn
It’s the same values…. It basically limits to a handful of non-default ports
You can use PowerShell to do it
Exactly
I wouldn’t trust the txt, but the answer I got from HTB is that they were not configured randomly in each Host
They followed a method
Like all Hosts having RDP running on the same non-default port
Or WinRM
If you get yourself stuck on that SA, you can DM @glass locust
Thank you! Let me try myself first. Thx mate
Nah, idk why, but all 65535 are filtered. I'll DM @dapper moth, fine?
Ok
That was a fun one
https://academy.hackthebox.com/achievement/badge/648faca6-cc98-11ef-864f-bea50ffe6cb4
"To get the flag, start the above exercise, then use cURL to download the file returned by '/download.php' in the server shown above." How do you do this? I did curl -0 then http ip, then hit ls and it says index.html. How do I open it?
the syntax is -o <file name>
Sorry, I don't follow. I have the IP, so what do I do from there?
curl <link> -o <output file>
you can type man curl to see the manual (works for other commands too)
the -O also works to download the file with the same name that it has on the web root directory
it worked, but before you asked about -0 which won't work. it's -o or -O
Okay, so what do I do from where I am rn?
i don't know.. no idea which module you're on.. i was just answering your question on how to use curl
try opening the downloaded file
well yeah you weren't in the download directory when you downloaded it
you can see the Downloads folder right there in your screen shot
where did you download the file?
I don't know, how do you check?
I think I found it
you can type pwd to print working directory and see where you're working out of, then navigate there and double click on the file. if it doesn't open in your browser that way you can just open your browser and do open file.
I do?
How do I get my hacker rank The Box?
maybe you should do the IT Fundamentals modules to learn how to use a terminal
I just clicked my home and there was this index.html file there
I've completed 4 exercises, I'm just getting started on this
I was just doing the first thing they told me to do
But I'll do that next
is that the file you downloaded tho?
it looked like he downloaded it to his home directory and just needs to output the contents of the file to see the flag
should def go back to linux fundamentals first
yeah he downloaded "download.php" right there
Ok, I did this and I found the file I downloaded and opened it. Where's the flag though?
oh he actually has the flag in his screenshot already too
idk i didn't actually do that module
the hint says you see it when you open the file
that isnt the file you downloaded
please don't post flags
No, that would be insanely annoying to implement.
is anyone around? I have a quick one that I have been stuck on for a few days and I believe that I am just overthinking it
Specifically, the privilege escalation module
ask the question
is this task asking you to generate an SSH key for the user2 and then sign in as them?
I don't know that part you're talking about
The name of the module and name of the section helps others help you.
Privilege Escalation under the getting started
SSH into the server above with the provided credentials, and use the '-p xxxxxx' to specify the port shown above. Once you login, try to find a way to move to 'user2', to get the flag in '/home/user2/flag.txt'.
Yes
Password Attacks [Attacking LSASS] exercise (question 2)
The lsass.dmp file is not getting created in C:\ for some reason, I have no idea why, please help
thank you
thank you
Have you tried a location other than the drive root?
trying
not working
You don't need to generate an ssh key
Check what your user can (su)do
Eh that's what I get for coming in and assuming, thanks msrcie
I am still not able to work this out. I added a few extra print statements in the logrotten.c file and the symlink is created, but it is not able to write to the b.../c.........../ directory due to permission denied. Can someone help me?
Try to move the flag to a destination that you can access, instead of attempting to establish a reverse shell connection
Additionally, look in a directory that you have access (read and write) which may have the necessary file(s) for you to rotate the log
I'm a little lost on the Linux Privilege Escalation -> sudo section. Both of the options from the tutorial on what to do don't work. sudo -l does not list anything, and the code they gave to run does not run. I tried to find a docker image of an older version of Linux so I could compile the code there, but couldn't find it and didn't know if they were expecting us to go to such lengths.
Elevate from sh shell to bash and then list the binaries/commands available to be run in the context of root
When I look for binaries with the setuid bit set, I don't see any important ones. When I use sudo -l -U root, it prompts for my password.
Hello guys, is it normal that I get a 10.129.xxx.xx (ACADEMY-XXX-LAB) and no port when firing up a module instance? It's the first time I get this IP with no port.
Yes, the 10.129.0.0 is the range that can be accessible by the VPN
Right, so probably I am having some issues with the VPN if I see no port in the output
wdym by no port in the output? like in a scan?
No, I mean in the HTB dashboard. I spawn the target system and I get the IP address like above, but no port for the connection.
Only public ip/docker containers give a public ip and port
The 10.129.x.x don't provide a port, and unless otherwise specified or by scanning, defaults can be assumed
So if, for instance, it's a web module you can assume default port 80
And you don't need to specify anything special in your commands to enumerate
Alright! thank you for the clarification ❤️ it is the first time I see this kind of IP for the modules.
Is a subscription required for downloading VPN configurations?
Nope, you can just change to any of the free vpn configs, subscriptions I believe get you dedicated VPNs if I'm not mistaken
I mean for academy modules
still applies
I can't see the download VPN config button
But they mentioned it will be below the cheat sheet
Much easier to find it when you click on your account icon
Some modules don't show it cos they don't need you to use the VPN
Is there anyone who finished the Zephyr pro lab? DM me please
Please ask your question in #1263635449335910531
if you can't access it, read and follow #welcome to get your account verified
Guys, is the "Getting Started" module good to start off, or do I choose another one?
Yep, also check out the Information Security Foundations Path
Hi guys!
I have a problem with the Cross-Site Scripting (XSS) Phishing task, where I am unable to connect to the website. This happens both in the HackTheBox virtual environment and in my external WSL environment. I tried pinging the IP address; sometimes it worked, but in the end, it didn't. I also added the IPs to the /etc/hosts file and updated my OpenVPN connection. Unfortunately, I have no other ideas, so I turned to you for help. Could you please let me know what the issue might be? Unfortunately, without being able to connect, I can't proceed. The previous IP addresses worked, and I was able to connect to the website.
Has anyone encountered this before? Do you know a solution? I was able to connect in the previous tasks.
Did ya restart the target?
Yes, about 15 times
wdym by updating OpenVPN connection? just download a new file or did you change regions as well?
But it doesn't work in the Pwnbox either
Yes, I switched to a new one. My tun0 connection is also successful. Everything worked fine in the previous tasks as well. I don't understand :/
Thanks anyway
Hello, I need help. According to the task, you need to find the name of the bird, but the system shows that this file does not exist. What to do?
What module and section?
Information Security Foundations ( Intro to Academy )
maybe I'm doing something wrong, but I even tried to go through the options
What section
That's the skill path and module
It should be on the pwnbox, if not it shouldn't be too hard to discover
Quick question, where do I find /etc/hosts on my machine? Why does it say not a directory?
hosts is a file, not a folder
^
How do I look for it, sir?
cat /etc/hosts
The error tells you: not a directory
How do I delete a line inside hosts btw?
You'll need to use a text editor with sudo to edit
mb, didn't know it's a file
Well the error tells you, not a directory so... only a few logical conclusions
Interactive Sections ( Start your workstation, then use the integrated terminal to find the Linux OS flavor by running the following command: cat /etc/issue )
If that file doesn't exist on the pwnbox, then some googling may do good
That's the problem. Google didn't help me.
I wouldn’t have come here if Google and a simple search of options had helped me
ChatGPT my guy
Hey, could anyone help with the bug bounty? I've been stuck on Repeating Requests for like 2 hours now and I can't find the second flag haha
what module are you talking about @regal wedge
bug bounty>Using Web Proxies>Repeating Requests
I found the first flag, but as I understand it the other flag is not in the same directory. I searched all directories by commands but it just gives me the same flag @storm elk
Check the / directory like the directory with root bin lib
One sec let me check
What's the grep for?... you're grepping for nothing
I used "HTB" and "flag"
True, but the first flag in this task was in flag.txt, so might as well try again haha
Maybe try listing files first :p
Does someone know when the CBBH module changes (like GraphQL replacing Session Security) happen?
Also why are you specifically looking in that location
I'm trying different directories
Did you try the filesystem root?
I prefer not giving direct solutions
Lead a horse to water and whatnot
My bad
Give them a push in the right direction without outright telling them "hey do this full command"
It'll take me ages to do it still lmao, first time working with ZAP
I mean, you don't necessarily need zap for it. Iirc i used burp repeater for this
I liked ZAP more than Burp haha
Much easier to work with
Can anyone here help with connecting to a mosh server? The client is showing the UDP port secured with a firewall.
Can anyone help me with Login Brute Forcing skills assessment 1? I'm trying to brute force the basic login page, and hydra is going through the wordlists provided and not finding a valid pair of credentials.
Make a simple assumption that the username is user
Underpass machine, how to get root access?
#1320087957612265574; read and follow #welcome to access
if you have no access
@winter schooner @fathom pendant thanks guys, with your help, learned some new interesting things
There's 2 parts to my statement
I tried "user/User" as the user, as the password. Default login credentials and still no luck.
Just user as the username
Also make sure your user and pass variables are correct iirc this is a post request
This is the login page I'm getting
How to do HTB after my Pwnbox ended?
Set up your own vm, and use the htb vpn, watch a tutorial on how to set up a vm, kali or parrot. And then see how you can connect to htb with it.
How do I know if I want Kali or Parrot?
If you're a beginner I'd say go for Parrot, but it's preference.
Does it have all the tools like Kali? (also all hacking tutorials use Kali)
I want to do something with the HTB machines
To complete them
Only took me 2 min with the recommended wordlists for that one. Saying it like that, as if your command is correct, you might need to reset the target.
Hey, quick question. I am attempting to generate a list of usernames in a domain. kerbrute does find usernames but does not output them to the file I specified. It does create a file of that name, but its contents are empty despite it finding users. Here is the command I am using
kerbrute userenum -d INLANEFREIGHT.LOCAL --dc 172.16.7.3 --output write_the_output_pls /opt/jsmith.txt
Not 100% sure, you'd have to do your own research or ask someone else
Ok, I will try.
I can always look at your command if it persists.
I did manage to get the name with grep and awk into a text file but if someone knows how to make kerbrute behave please let me know
If I was advanced enough I would try to create my own module while using another laptop to "hack it" like HTB
Kali has more tools, gonna do Kali if it runs on my laptop
How to make sure Kali runs on a VM?
I'm still stuck on the Linux Privilege Escalation -> sudo module. I was able to use a docker container for an old version of Ubuntu so I could get the sudomakemeasandwich binary compatible with the target, but then when I run the file it asks me for a password and then says I don't have sudo permissions. This is circular logic since the point is to get sudo. It looks like in the past, when people did this module, sudo -l showed some exploitable binaries, but it no longer shows any.
Can you run anything with sudo?
In the Web Requests/GET section, it was stated that the web application's search function is communicating with some remote source to obtain the search results, so we can look at the network tab to see any request made by that web app as we search for anything in the search function. But it is not sending any request, and no GET request is showing up in the browser dev tools' network tab. Any help please to figure this out?
When I type sudo -l, it asks for a password. This wasn't the case in the past, as I can see from the forum, but they changed the lab.
Well do you have a password that you could input and check it with?
Only the password for htb-student
Only one way to find out
Can anyone help me with the Attacking Enterprise module - Web Enumeration & Exploitation, the second question, verb tampering?
I don't get the results when altering the request
Oh that was it.
I need some help in the File Inclusion prevention module. I changed php.ini to disable the system function, but when I curl the web shell which uses the system function it still works, so I can't generate the error log needed for the flag.
Never mind, I needed to restart the Apache service
Hi, I need help with Linux Privilege Escalation: Special Permissions. In the question " Find a file with the setuid bit set that was not shown in the section command output (full path to the binary)." I found a file called ipu...s, but it doesn't accept its path. Can I get a hint? Is this the right file?
You have to change more than the verb in the request, if you aren't already.
That is not the correct one from looking at my notes.
Yup! Someone helped me see my mistake. Thanks tho
I'm doing AD Enumeration & Attacks - Skills Assessment Part I, and there is a task to execute DCSync attack with the user I just found credentials for. Now I want to list this user's ACLs and find out if he has necessary privileges to execute DCSync. My question is: can I do it using tools on my attack machine (ldapsearch maybe?), or can it be done using built-in tools on windows host? (I don't want to use PowerView)? Any tips?
If you wanted to use tools from your attack machine, just setup a pivot.
I already have, no problem there, but I want to know how and if I can enumerate ACLs from my machine?
Was anything covered in that module that covered other methods that aren't PV?
no, just PV and Bloodhound
Greetings, on the module Wired Equivalent Privacy (WEP) Attacks:
Section: ARP Request Replay Attack:
When I attempt to crack the key for the BSSID I get this:
sudo aircrack-ng -b D8:D6:3D:EB:29:D5 replay_arp-0107-173902.cap
Reading packets, please wait...
Opening replay_arp-0107-173902.cap
Read 8 packets.
1 potential targets
Got 8 out of 0 IVs
Starting PTW attack with 8 ivs.
Segmentation fault
Can somebody give some tips on why this is happening?
Well can't you run BH?
Kali doesn't necessarily have "more tools"
I'm always trying to take LOTL approach in order to learn more before going for automated tools
Well LOTL isn't really running commands from your attack machine.
I'm pretty sure they had a "manual" section, which did not use PV or BH.
Then what?
? Its just another OS
The tool doesn't make the man
Or another adage, a poor carpenter blames his tools
I was a Kali guy, but then I went to Parrot and loved it more, but now it is hard to download kismet, so I went back to Kali
Imo I value that Parrot is a more lightweight install
But I need one that will work on my laptop too
Parrot also works on laptops and vms
¯\_(ツ)_/¯
I mean a VM inside my laptop
and vms
But my RAM and GPU won't work maybe
If parrot won't work in a vm, kali sure as hell won't
Parrot has a better Firefox browser
I got an AMD CPU
RTX GPU
That doesn't really matter lol
And some GB of RAM
Hello, I am currently doing the Starting Point labs, but I have got to the task called "Three" and I am left with this message and unable to complete it. I have had it say this for nearly 3 days now.
"Please wait for a few minutes until all machine related services are up and running.
Expect to see {"status":"running"} when visiting s3.thetoppers.htb"
If you have less than 8 GB of RAM good luck getting any vm working
kali-undercover is so underrated
You're looking for #starting-point , read and follow #welcome to access
I have 24
Then you're fine
It saved me once
It's all just personal preference really
I prefer Parrot because it's lightweight and they opt for stable branches ¯\_(ツ)_/¯
I need tools
Yeah, and you can install pretty much the same tools
As i said previously the tool doesn't make the man
Running just a random tool because you were told to is different than running a tool because you know what its doing
So I just sudo rm -rf /tool?

Funny guy
Know the basics before worrying about needing all the bells and whistles
And for set, just do *?
Some guy told me to do this
Yeah
Do you know what rm does?
It might stand for remove
Correct
But star is just harmless

For sure, or it just deletes a folder called *
What's so special about it?
It's the everything operator
So it will delete like
Say you have 10 files called file1.txt file2.txt.... file10.txt
You can do rm file1 down to file10
Someone know how to solve this?
Detecting Windows Attacks with Splunk ->
Detecting Golden Tickets/Silver Tickets
Or do rm file*.txt
So it will remove all places with /
There's no C:/ in linux
Then like remove part of the main drive?
/ is the filesystem root, like C:/ in windows
So it technically wipes the entire hard drive?
It bricks your system, yes
So if I did del C:/ then it did the same as rm -rf?
But Windows is smart and it doesn't let you
Eh smart enough, so is linux
But I wouldn't run random commands someone gives you
if there were rm -rf but for entire programs in windows
so i would delete that weird red shield
called mc caffe
Locked behind admin/system on windows and root on linux
Deleting a program doesn't uninstall it
Even uninstalling leaves some files
And can cause some weird errors
Restart after uninstalling any programs
Wait, it works?
Once after restarting I forgot about a program (VMware) and a few years in the future I found it again as a folder
Where is nmap?
There's an nmap module in the pentester path
I want nmap
But like I said, basics will build you up
I'm not a search engine or fetcher for you
Yes
sudo install nmap
Parrot and Kali have nmap installed by default
Term sudo not recognized
sudo : The term 'sudo' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the
spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ sudo install nmap
+ ~~~~
    + CategoryInfo          : ObjectNotFound: (sudo:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
Will fix tomorrow
Yes... because sudo is a Linux command, not Windows
Are you sure one isn't an admin?
I also suggest not stating which specific exploit you utilized to get started on it
As that can be considered a spoiler
Sure, didn't think mentioning the vuln might be considered one
Yes, as it's a step to solving it
I see it now, I was looking for some kind of "role" field
😉 shouldn't take much longer from here
You can adjust passwords btw via this type of vulnerability
yes, already done that, I just didn't know who to impersonate to elevate privs 🙂
I had it there all the time, I guess I spent too much time in front of the screen haha
Forest for the trees
Can someone please help me? For some reason I'm not getting any response when trying to use SSH
Are you connected to the VPN?
Yes
ip a. Run that in a new terminal
Do you have multiple tun devices?
I'm not sure what that is
tun
Hi. Module Attacking Web Applications with Ffuf. End of module skills assessment. I am trying to submit the answer for the following question
One of the pages you will identify should say 'You don't have access!'. What is the full page URL?
I am as certain as I can be that I have identified the correct page. However the URL is not being accepted. What am I missing?
You have a tun0 device, do you have tun1 tun2....
Replace the port number with PORT
You're not the first to ask that question here
No, only tun0
Try resetting the VPN, also make sure you're using the Academy VPN
I downloaded the file and ran this command
'sudo openvpn academy-regular.ovpn'
Kill the VPN, and run the command again
Still no response. It stays like that for a while and later says:
Connection closed by 10.129.255.221 port 22
Reset target?
Again, same thing. Should I just use Pwnbox?
Detecting Windows Attacks with Splunk → Detecting Golden Tickets/Silver Tickets
Can someone help me? I'm trying to answer the question in this module, but I can't find the answer anywhere. I've used all the commands provided in the module without any success.
It worked! Thanks
Does someone know how I can create a post on the HTB forums?
I'm doing the Malware Analysis module and Noriben keeps hitting error 7 "could not create CSV file" when attempting to save. Because the CSV doesn't generate, the TXT report necessary to complete the exercise fails to generate also
C:\Tools\Noriben-master>python .\Noriben.py
--===[ Noriben v1.8.8
[*] Using filter file: ProcmonConfiguration.PMC
[*] Using procmon EXE: C:\ProgramData\chocolatey\bin\procmon.exe
[*] Procmon session saved to: Noriben_07_Jan_25__12_12_898349.pml
[*] Launching Procmon ...
[*] Procmon is running. Run your executable now.
[*] When runtime is complete, press CTRL+C to stop logging.
[*] Termination of Procmon commencing... please wait
[*] Procmon terminated
[!] Error detected. Could not create CSV file: Noriben_07_Jan_25__12_12_898349.csv
[*] Exiting with error code: 7: Error creating CSV
Run cmd as administrator, bro
The advanced XSS and CSRF exploitation labs are again not accessible for me.
They work, sometimes. But then after a few seconds, I get this error again:
Error
Failed to connect to bypassing-csrftokens.htb:443
Was having the same issue yesterday and the day before
Is it possible that these machines do not have enough resources or something?
The output shown is from an administrator command prompt, so that is not the cause of this issue.
Okay, it's an issue with the default Noriben Python script. It references procmon.exe when there is only 64-bit procmon present.
Works fine if I change noriben.py (changing the name of procmon64 to just 'procmon' would also work)
There's the .txt?
Just submitted a ticket for the module to be corrected
Yes, it automatically opened when the script successfully completed
Okay, respond to the question, no?
Is there someone I can DM about Broken Authentication Skill Assessment? I was able to find a user and their pass, but couldn't brute force the 2FA. (Which I guess you can't do in this exercise) I tried doing bypasses but I got stuck.
Hello! Introduction to Digital Forensics module (https://academy.hackthebox.com/module/237/section/2610)
Examine the file "/home/htb-student/MemoryDumps/Win7-2515534d.vmem" with Volatility. Enter the Pid of the process that loaded zlib1.dll as your answer.
I used dlllist to find the mentioned DLL but it doesn't display any PIDs.
The output: 0x000000006b2b0000 0x22000 0xffff 2023-06-22 12:31:30 UTC+0000 C:\ProgramData\ggzstcat367\TaskData\Tor\zlib1.dll
I then used cmdline and looked for this path; there was only one .exe within this path, so I concluded that it's the answer (and it was correct). However, I wonder if I found it in the intended way. How do I see the connection between ||taskhvc.exe|| and the DLL? Or how can I validate the answer?
Yeah you can DM.
Crazy seeing these erratum posts and realizing that there are people that go through the modules with a bug hunting drive, chasing typos 😂
Yo
Yo
Hru
Good, you?
Hi folks
Got a question about Password Attacks - passwd
Why does the module use unshadow? I just copied the hash I found and used hashcat directly
As a matter of fact, I was getting errors if I try to use "unshadowed.hashes". Can someone please clarify?
Here's the error I was getting
When I used || hashcat -m 1800 -a 0 unshadowed.hashes ./mut_password.list ||
@rough comet Hello, can I DM?
Sure you can
@devout raptor Ask before you DM, please
Unless... I wanna do this in bulk... whatever hash and account is in the file... I think that may be why. Someone please correct me if I am wrong.
Why?
Because it is the rule
Those are the rules
If you have a question about a module, you can freely ask here and anyone online can help answer your question 🙂
all good 🙂
Always read the rules of any Discord when joining! 😉
You are gonna be banned my friend, lol
Why?
Read the #rules message
Bro is weird like that
User left
Indeed. This is if we wanna do it in bulk. It took a while but it worked, regardless of that weird error.
I only see 7 logs for the user mentioned in the question. Is it not in them?
Hey guys anyone that can help me with blueteaming?
This one's tricky because a lot of the activity with golden/silver tickets happens outside of the purview of the domain controller and so does not get logged. I found the answer in a column that was not at all self-explanatory.
I need to find the exe file that loaded a hijacked DLL. I'm trying to filter on DLLs that appear in writable directories (so excluding system32 etc.) but the queries are invalid. Can someone help?
Also, does anyone have a better URL than this one? https://techcommunity.microsoft.com/blog/askds/advanced-xml-filtering-in-the-windows-event-viewer/399761 I don't see everything
I am not sure but I believe the PowerUp tool can show hijackable DLLs
DLL Hijacking:
Find-ProcessDLLHijack - finds potential DLL hijacking opportunities for currently running processes
Find-PathDLLHijack - finds service %PATH% DLL hijacking opportunities
Write-HijackDll - writes out a hijackable DLL
This may lead you to which DLL has been hijacked so you can filter
PowerUp is not on the target but there is Chainsaw. I'm gonna take a look at it, maybe it can help
@cunning frigate Also with Chainsaw I find nothing
I know nothing about blue teaming, all I know is PowerUp can show hijackable DLLs
Oh okay, np, thanks for trying ^^
I can never go blue sorry
Hi, I'm doing Pass the Ticket (PtT) from Linux in the Password Attacks module and I'm stuck on the question "Check the /tmp directory and find Julio's Kerberos ticket (ccache file). Import the ticket and read the contents of julio.txt from the domain share folder \DC01\julio". The ticket is expired by 3 years 😂 and I'm not sure what I'm supposed to do
Read the hint
Yeah... I don't really see how it helps, I already knew it was invalid
Have you noticed the user has 2 tickets?
🥶 Not sure how I missed that, thanks
It helps others help you if you provide the module and section you're working on kid
Hi guys,
Can someone help me with some tips on NextPath Challenge machine ?
Web - Medium Difficulty?
If you can’t access it, read and follow #welcome
Thanks for the reply.
I can access it but while solving the machine, I am getting stuck at a stage. So wanted to know how can I proceed further.
If allowed, I can post my query here
No. Not allowed. Read #welcome and get access to #challenges
There’s a channel for everything and this is just for academy modules 🙂
Okay.
I am pretty new to discord and HTB.
Just got Annual Silver in academy subscription.
Would that suffice to get into those channel ?
There’s 3 steps at the bottom of #welcome - as you’re doing challenges, it should be easy to get the identifier token
For the SOC Analyst module, I was given a question that wanted me to open Elastic Stack and Kibana together. Does anybody know how to get through that? I was having trouble finding it.
In the Network Traffic Analysis module, when it asks for the tcpdump command that gives hex and ASCII while reading from a file, how does it want the syntax? I have tried several variations of the command that work in the command line, but it won't accept it
Try neo4j:neo4j
Yeah, I tried that, it worked lol
Thanks
I've tried sudo tcpdump -Xr, sudo tcpdump -X -r, sudo tcpdump -r file -X
It just wants the options, not the full command
Iirc
If not, you do need to tell it what file to read
Here is the question: Given the capture file at /tmp/capture.pcap, what tcpdump command will enable you to read from the capture and show the output contents in Hex and ASCII? (Please use best practices when using switches)
They actually wanted the full command this time for some reason
Missing the file on one of those commands
Unless they want the ethernet headers as well, which wasn't specified in the question
Nah I just omitted it
One of the commands you tried should work
Use the full filepath
That's not the file they asked for
Just copy the path from the question
Full filepath?
/tmp/capture.pcap isn't it?
Make sure no weird extra spaces
Otherwise try refreshing the page and putting it in again
Oh god damn it lol
Yup there was an extra space in there
For the pathway of SOC Analyst in "Security Monitoring & SIEM Fundamentals", how can I open Elastic Stack? It doesn't specify if it's an application on the VM or if I have to access it through the web in the VM
Elastic is typically a tool running on a web port
A quick Google tells me which port, and I'm sure the reading should also tell you
Okay, thanks!
Lol I had to use Wireshark for the last bit of the tcpdump section due to the resource being downloadable and not in the box. I am running Windows lol
How can I make friends?
Not sure they have a Module on that
Aw. My Pwnbox time limit ended while I was using Wireshark lol
Hi
Hence it's better to use a VM and connect via VPN
Learn how to connect to the VPN and access Machines on HTB Labs.
Any hint for Introduction to Deserialization Attacks skills assessment 2 task 2?
||I use phpggc for CodeIgniter 4.2.7 and it doesn't work!||
Advanced XSS and CSRF exploitation labs still not properly working. Can anyone have another look into this? First they work, then I can't access them anymore for 5 min, then they work again for 1 min, etc etc. It's super annoying
Reach out to support, please
Will do
I just looked into it. I cannot reproduce the issue unfortunately. The VM works fine for me without interruptions. I curled the VM every 10s for 15 minutes and there was not a single connection issue.
What region is your VM on? Maybe it's only the UK version that having issues? Or I'm overlooking something, but I can't figure it out 😅
I'm in EU Academy 2. Are you using Pwnbox? In that case let me check again from Pwnbox
I tried both VPN and Pwnbox. For VPN I'm currently on EU academy 5, don't remember what the previous one was I tried
Or could it be an issue that I'm using both Pwnbox and VPN at the same time or something? (I use Pwnbox for the http server and tools and such, but use my host + VPN for browser + Burp)
You cannot use both at the same time.
Ah yes, you can't use both at the same time
Hello everyone, I need help with Firewall and IDS/IPS Evasion - Easy Lab: https://academy.hackthebox.com/module/19/section/117
Nvm, I "bruteforced" it
In the NTLM Relay module, what servers do I have to deactivate in the config file? Using SMB the module says to deactivate SMB in the config file, but using MSSQL it doesn't say that. I assume any protocol I want to use with ntlmrelay I would have to deactivate in Responder?
In the 'Attacking common applications' module, under 'Attacking thick client applications', you're supposed to change the permissions of the temp folder to disallow it from deleting a batch file you need, but when I try to do this it never works properly. This guy in the forums had the same issue but there was never an answer: https://forum.hackthebox.com/t/attacking-common-applications-attacking-thick-client-applications/283195/26. Anyone got any ideas?
atwossh@ng-1594780-loginbfsatwo-nqtu1-6778dfc78c-99258:~$ medusa -h 127.0.0.1 -u /username-anarchy/Thomas_smith_username.txt -P passwords.txt -M ftp -t 5
This list does not work for me, module Login Brute Forcing ass2
Has anyone done it?
I'm on the skills assessment part II of the AD Enumeration & Attacks module. I have accessed an SQL server and my user has SeImpersonatePrivilege. The relevant section in the module says "[this] can be leveraged in combination with a tool such as JuicyPotato, PrintSpoofer, or RoguePotato to escalate to SYSTEM level privileges (...) These methods are covered in the SeImpersonate and SeAssignPrimaryToken of the Windows Privilege Escalation module." I'm confused. Am I supposed to jump to that module to learn how to proceed in this skills assessment ?
I've been stuck on this for two days but tried it again just now, did everything the same, and it randomly worked. I'm very open to discuss it if anyone has ideas, but I'm no longer stuck.
The second skills assessment, but the quoted section is Privileged Access, https://academy.hackthebox.com/module/143/section/1275
Which question?
Submit the contents of the flag.txt file on the Administrator Desktop on the SQL01 host.
Is SELinux really necessary to learn and if so, where can I find a manual or a guide for it? The one I found seems to be bigger than the entirety of Linux Fundamentals module.
OK, it mentions the tools in the module but not how to do it. So either the GitHub of those tools or Windows PE can help you. But yeah, kinda confusing, I can't find it in any other sections either.
Thanks, OK. It's the first time I encountered a link to an upcoming module, but I assume it won't be too hard to use one of the tools without actually jumping ahead and reading it. I'll try
That rarely happens in my experience if you follow the path. In this case GitHub would give you enough to do it.
Hi guys! Need help in Password Attacks - Attacking SAM module in the pentest path
└─$ python3 /usr/share/doc/python3-impacket/examples/secretsdump.py -sam sam.save -security security.save -system system.save LOCAL
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[-] read length must be non-negative or -1
[*] Cleaning up...
I don't understand the read length; like, what parameter should I change for that?
Do you have all the files and filenames correct?
Yes
I can transfer 2 files, then the third one (system.save) just says shutting down connection, unexpected network error.
It moves the file to my attack machine but system.save and also the next activity, which is lsass.dmp, can't be transferred
Although other files were moved through SMB
How are you transferring the files?
move file \10.10.14.117\CompData
I think it's the file size
sam.save and sec.save are lower than 100k
system.save and lsass.dmp are greater than 12 million
It's being moved, but not completed
For some reason the connection closes after a while, therefore leaving the lsass/system file corrupted
Footprinting module, Footprinting Lab - Easy.
I have a couple of questions regarding DNS Footprinting. I was able to get the flag, and everything was fine, but then I hit the "Show Solution" button, and I was not able to understand the purpose of the dig command or the next three commands/steps.
I would appreciate some help here.
Does anyone know how the module got the IP address when editing the hosts file in regards to proxying traffic via MS01 for Pass-The-Ticket from Linux, Password Attacks module? Any help/tips appreciated 🙏
In relation to the first question of the optional exercise
Can someone help me? I am trying to connect with xfreerdp to a Windows host, but it gets stuck loading some files:
[09:17:25:367] [5440:5441] [INFO][com.freerdp.channels.drdynvc.client] - Loading Dynamic Virtual Channel rdpgfx
And I get blocked by a black screen
Press the Enter button @cobalt osprey
TY🥲
How to enroll in a student plan? I already connected my college ID but I need to get to support, how to do it?
Hello, I'm on Network Enumeration with Nmap - Nmap Scripting Engine
I scanned with nmap -sV --script safe and I found this banner on port 31337: || HTB{pr0F7pDv3r510nb4nn3r} || but when I try to submit that I get incorrect answer. I don't know what else in the output could be it
Do you mean error: no such file or directory about the filelist?
Double check for leading/trailing spaces... and you should not be posting flags, or at least use spoiler tags by encapsulating a portion of your comment in double pipes (i.e. ||)
Send the full command, we cannot see it, but it seems like a syntax error
Oh, it clearly says "no such file or directory", you don't have that wordlist there
Thanks for the edit. I went back to check on the module and can confirm you've got the right answer. Leading/trailing spaces get me every time still.
That's weird, I cleared all whitespace and it still doesn't want to accept it
You might be able to take it to support. I can confirm you've got the right answer. Make sure you include the HTB{} bit with curly brackets.
The issue was pointed out to you yesterday or the day before I believe.
Sometimes copy/paste gets messed up. Not usually out of a terminal, but on occasion with CTFs I've found typing the flag by hand fixed problems where copy/paste gummed something up with unicode.
Oh! Refresh the page too. Session expires or you get logged out sometimes.
@ancient niche As this m8 is telling you, and considering your last few questions, you need to take a closer look at the module's content, the errors you are shown... I'd suggest both the "Penetration Testing Process" and "Getting Started" modules at this point.
Maybe you are running too much; most of the errors or problems you find are copy-pasting related.
Take your time, read a bit more carefully and try your best, not everyone starts at the same point 🙂
Thanks guys, but I'm not copying and pasting 🙂 I'm working hard
https://academy.hackthebox.com/billing/monthly-billing Click on the student option
Hmm, nothing works. And the support AI says technical difficulties should be resolved through Discord.
Wait... what section are you on?
NSE
Not doubting so! Just a recommendation based on what I see. Keep up the job, you'll get better and better
Yeah, OK... makes sense now. You found an answer for another section.
I just popped every section and found a match.
Damn, but it seems to fit the question... It's a flag I found using nmap scripts
Thanks, friend
Not this, I need to raise a ticket to add my college
Need some help? Learn how to reach the support team on Academy.
Good evening to all friends. I have a question related to the section Attacking Common Applications -> PRTG Network Monitor, in particular question 2: Attack the PRTG target and gain remote code execution. Submit the contents of the flag.txt file on the administrator Desktop.
Following the way in which the module is developed, I noticed this thing that I would like to ask for clarification about. When filling in the notification, if I call it test it does not work, while if I call it pwd instead it does; it allows me to use CrackMapExec and Evil-WinRM. Can you explain why? Can I also show the screens?
I add that both were configured the same way
don't answer so many that I can't handle them all 😆
Hi guys, I need a hint. I am trying to do the Enumerating & Retrieving Password Policies track in AD Enumeration & Attacks. I have to find what minPwdLength is set to in the INLANEFREIGHT.LOCAL domain (one number) and I think I have to use this command:
ldapsearch -h 127.0.0.1 -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "*" | grep -m 1 -B 10 minPwdLength
But I am getting errors
marcieleee, where are you? You are my mentor
Injection Attacks - Skills Assessment. I just solved the skills assessment but I have a question regarding the payload. Why does the payload not work when we have <iframe src="http://127.0.0.1:port/index.php?q=test *[rest_of_payload]* and it only works as <iframe src="http://127.0.0.1:port/?q=test *[rest_of_payload]* (without specifying the index.php)?
Well that’s not true, as it worked for me with index.php

I'll try it again, thank you
- You don't pay me to be your mentor
- Who are you
The dots in the password field are not the same count, meaning the password is not the same in both pictures for prtgadmin account.
Thanks
in the past you have given me great help for some modules, and you have remained in my heart
Writing a Python script for IDOR vulnerabilities
Hello guys, this is a noob question, but I'm stuck on "Exploit the target and gain a shell session. Submit the name of the folder located in C:\Shares\ (Format: all lower case)", module Shells & Payloads, and I'm trying to figure out how to get to the Tomcat website from the foothold machine, but I can't even access the browser to upload the shell. Does anyone know where I can even upload the shell?
Tomcat has a web page "Manager" or "Host Manager" where you must provide credentials to log in; there you will be able to upload the shell in the format supported by Tomcat.
Okay, but am I using the browser on the foothold machine or from HOST-1? I've been trying to use the foothold browser but there's no internet connection.
I'm trying to access this link: http://127.0.0.1:8080/manager/html
Do I have to configure the IP on /etc/hosts on the pwnbox?
Why would it be on 127? Read the engagement
http://172.16.1.11:8080/manager/html is what I meant to send; it was just a random address I put in the chat*
Am I accessing this webpage via the foothold target browser?
Yo, can I DM someone for help on the module C2 Sliver, please?
Just ask your question
Yes
Hi, I don't know if this is the right place to ask. HTB didn't tell me to install ncat so I did it myself and I get this error. Is my format wrong? I followed the exact format in the firewall evasion section
Reading the error explains the error
You didn't define a source port to use
So should I put the port number first, then the IP?
Source port is the port you're using to connect, not the open port on the target
Ahh, I see
Instead of an arbitrary port, source-port allows you to define the port you're using to connect to a service
Ah, that seems to have fixed it for now, thanks so much my dude :D
The problem I'm having is that the only browser on the foothold is Tor and it doesn't work :/ Should I file transfer Mozilla via the Pwnbox or something like that? I'm pretty confused with this part as I already crafted the Java shell payload using msfvenom
Try typing in firefox in the terminal
Yo, if someone has the time: I don't find this one for the module C2 Sliver. I do some web enum but nothing, so can someone give me a hint please 🙂 (must I use Sliver to find the answer?)
─[htb-student@skills-foothold]─[~]
└──╼ $Firefox
bash: Firefox: command not found
Huh lmao, I feel so stupid, thank you
Never experienced this much pain with any course ever so thanks HTB Academy
Nah it's a web vuln
Idek why that was added 😭
OK thanks
This is a SQL injection?
Enumerate it, poke it a bit, and the word database can help you to find where you need to focus
I'm doing the Attacking Common Services module and I'm doing the Attacking FTP section. I'm on the second question which requires me to give username for FTP. I solved question 1 which requires me to enter the port number that FTP service is running on (which happens to be a different port than normal), so this is about the question after that. I am running an nmap scan with -sC and -sV flags on the target just like the section is saying to do. However, nmap scan never completes, even if I just run it on the FTP port specified.
Can someone help me out here?
You gotta keep restarting it in my experience
OK
You could easily guess what port it is tho
I know what port it is
I solved that already. What I am scanning for is the username for the FTP login.
Because the second question wants me to get the FTP username.
I know the port already and I already entered that. What I'm having trouble with is question #2
No need to run those flags
Probably follow what the section teaches
The section said to run -sC and -sV, no?
Does that enumerate the users?
Just a reminder, there's a user and password list in the resources
OK
How many logins should I configure the brute forcing program to try at once? Right now I'm doing 10 cred-combos at a time
Network Enumeration with Nmap module (host discovery). I didn't get the idea of using "-PE" without using "--disable-arp-ping" because with "-PE" alone nmap sends an ARP request
Hey guys, any help on this? Skills assessment, Windows Event Logs & Finding Evil
On the network fundamentals unit, the intro to LAN course requires premium. Is that room super duper important?
There's no "premium"
Sorry, I'm talking on the wrong Discord 💀
Yes but I'm trying every username password combo
Are you using Hydra or Medusa?
Did you use the user and pass list at the same time?
I did
Should I pass in a singular password at random and try to crack the username?
Is Hydra better than Medusa at FTP login cracking?
Are you using the right port?
Yes
I know it's not the traditional FTP port, I already got that
Found that with nmap prior
In fact, the right port is needed to answer the previous question so I know I got the right port
It's cracking it on mine but it's taking a really long time
I'm sure it will get it eventually
Not cracking
Again, I'm using Medusa to crack it
OK, fine, brute-forcing
Mine was slow at first too
Password cracking and bruteforcing are different things
Got faster after some time
OK, so I just gotta wait?
Yeah, maybe wait for it a little
OK
Or just restart
In that case I will wait until it tries every single username and password combination
That's fine, I guess that's like the real world
It feels like brute forcing it would be cheating. @safe star you're saying you used Medusa too. Has anyone here used a better tool for FTP cracking than Medusa? Is Hydra any faster?
Yes, Hydra did it faster
OK
Well, I already have this cracking going on and it's halfway through
Is there still a point in switching to Hydra?
Medusa is starting to speed up a little
Faster but might overload the server
OK
If you catch the server at a good time then it will be quick
I think I have to restart this instance. It's not gonna crack it in time. I'm gonna try Hydra soon since that would be ideal.
I'm gonna wait until the servers are cleared up tho
So I will try later tonight
Hi
Hey, is it normal that some boxes won't allow you to connect to the website? Has anyone else run into this issue before? I tried resolving the /etc/hosts file manually but was unable to since I don't even know the hostname I'm trying to connect to. nmap works and curl returns an error... It's been a couple of boxes I've been unable to complete because of this
Tried both Chromium and Firefox and still unable to access the site. All ports were up on the box too. I'm working on Unified in the Starting Point.
Try asking in #boxes
Where can I suggest grammar fixes?
I have been stuck all day in the same module today. I can't figure out how to do it; sometimes the command works & other times it doesn't, like this one \Restart-OracleService.exe or others. Any advice?
Hi, I'm in the privilege escalation on the first part of the pentester path. I'm stuck on question 2: I got from user 1 to user 2 by abusing privileges but I'm stuck on getting from user 2 to root. The hint mentions chmod but I'm not finding anything and there is no SSH key like taught in the module. Any hint, anyone?
Are you sure there's no id_rsa? Did you look for .hidden files?
Hello. I am currently stuck on the login brute forcing module, the web services lesson. I get all the way to the flag in FTP, I do get flag.txt, it says it is downloaded. I exit, cat flag.txt, and it says it doesn't exist
Please help
Hi,
Doubt for Password Attacks > Attacking Active Directory & NTDS.dit
I have some confusion regarding the output.
When I retrieved the admin hash from the ntds file, I was able to authenticate successfully with the Administrator account. This makes sense because the ntds file contains domain hashes, so I could successfully log in using the domain account's hash (which led to the "pwned" message).
The real issue arises when I use the --sam flag to extract the hash from the SAM file. This provides a different Administrator hash, which corresponds to the local administrator account since SAM works with local account hashes.
However, when I try to authenticate with the local administrator hash obtained from the SAM file, I am unable to log in. This happens whether I use the --local-auth flag or not.
Not certain if this is specific to your issue (it's been a minute since I did the module) but as you say SAM is for local, but by default when you try to authenticate the system will prioritise domain authentication, hence you tried --local-auth, but in a lot of domain environments it is often disabled (for exactly this reason) or controlled by Group Policy, so it's unsurprising it didn't work.
TL;DR: Local accounts are often locked down in domain environments specifically to force users to authenticate with domain accounts. The --local-auth flag might fail due to restrictions or Group Policy settings.
||Also from memory, you don't need to do any hash passing for that module, you should be able to brute force||
Thanks. Was just trying to use all the knowledge in that module; maybe it's restricted. (Can I DM you for this discussion?)
Not Domain environment. Specifically in the Domain Controller.
You will be able to authenticate, with high level of access, to any other machine using its local Administrator NTLM hash which you can retrieve from the registry hives.
When referring to a DC, you will have to go for the NTDS file. The Domain Administrator account is the Domain Controller Administrator, hence you won't be able to auth using the hashes dumped from the registry.
Were you able to complete this one? I kept getting error messages when I used the use_link command.
Were you able to complete this one? I could use some help with abusing sql server links.
Which roles should I do in order to become good at cot or King of the Hill?
CTF I mean, not cot
This doesn't look like HTB, looks like THM
Bro posted THM in HTB
Why hate THM so much lol
It holds your hand too much
We're in Cybersec, ain't no one touching our hands with a 50ft. pole
Holy shit, this is twice
I keep doing that
I agree; the thing is, more of it is free
And even if you want to upgrade, THM is much cheaper
I'm struggling with the meaning of the highlighted sentence, "pivoting around" as in circumventing security measures and managing to get access to subnetworks, is not difficult,
but it is tough to do that silently and quickly (takes time to crack handshakes or something, your fake MAC or the cloned will get alarmed or something idk I'm just wondering),
is this the correct meaning of the sentence?
if you have several subnets that can only be accessed by specific hosts then you as attacker have to hack several hosts "in order" to move through them. Imagine a vulnerable webserver that you manage to hack, if it is a flat network hierarchy then you might be able to access every other computer in the network directly from your one hacked host.
If the network however is segmented into smaller ones then a hacker needs to compromise more hosts to dive deeper and get access to sensitive data. And with every host you compromise there is a chance that you as a attacker do something that can be detected, maybe you drop a .exe file that gets detected by AV or Endpoint Protection and alerts the defenders.
clearly well put, thank you so much
did somebody already passed the cpts test?
I wanna understand, these CIDR notations are only for the purpose of education right?
but the Gateway that hosts all these subnets' gateways doesn't need to know about their subnets right?
I also don't understand why the pentester's ip (the last IP) has a subnet, is that to represent the scan he did? like he did a nmap -sn 10.20.0.1/24 or something like that?
I don't get it at all....
Almost 1000 people have passed this exam
is it hard? rn i still doing the pentest module. but later maybe i want to get a test in cpts
CIDR notations are actually used by networking devices, more often in IPv6 scenarios though
Gateways DO need to know the subnet masks to put it in the correct network
Pentester's IP has a subnet of /24 which is NOT equal to the netmask used by the targets /25 which makes it the wrong network
Therefore:
an IP address is never complete without the subnet mask as it determines the network and host parts of the IP address, without it, we have no clue which bits are network bits, and which bits are host bits (barring IANA classes with default subnet masks)
Yes, the exam is certainly not easy. But the modules show you everything you need to know to pass the exam.
why isn't it issued to students?
icic thanks bunny for the info
- yee actually you're right, I'm unfamiliar with IPv6 technologies but
- yes even in IPv4 forwarding: the ARP table has to contain the subnet mask to determine what the next hop is gonna be and where the Destination Target is, thanks for reminding me
(Although I honestly don't know how that plays out with NAT, since all these sub networks share a range of host IPs, how will the Server Gateway be able to tell which network the host is in, NAT and subnets seem counter productive in this sense..)
I guess I need to understand that to follow along with your explanation
this is an example of a routing table
subnets for private networks, nat for public
dw if it doesn't make sense this is the year of IPv6! 
the subnets are overlapping
no they aren't
the network bits must be different for different subnets
df yes they are, multiple hosts can have the same ip address
No... they can have the same host bits but different network bits
Destination IP will be the Target, the host, deciding which network the host is in depends on the registered network "router" i.e. "gateway" of that network
the first 3 octets are the same for all of them
how can they have different network bits
cos the network bits extend into the 4th octet
eg:
Subnet Mask: /28
11111111.11111111.11111111.11110000
10.10.10.0/28
breakdown:
10.10.10.00000000
NN.NN.NN.11110000
is a different network from:
10.10.10.16/28
breakdown:
10.10.10.00010000
FF.FF.FF.11110000
i thought, 10.10.10.16 would be either the gateway's IP of a sub network or a Host's IP in that sub network
16 is the network address, you can't assign it to a gateway or a host if that's the subnet mask
yes because the subnet mask's maximum is 15
just read through the subnet section of that module
well yeah, but also the last network bit in that octet is the bit for the number 16
128 64 32 16 8 4 2 1
0 0 0 1 H H H H
where H = host bits
ok so, hosts from 0 - 15 are in the network that has the bit 16
0 also can't be host, is network address
1-15 are in the network that DOESN'T have the bit 16
17-31 are in the network that DOES have the bit 16
what is that based on
the network addresses are based on the subnet mask and network bits,
128 64 32 16 8 4 2 1
0 0 0 0 H H H H
therefore 10.10.10.0 = network 1
128 64 32 16 8 4 2 1
0 0 0 1 H H H H
therefore 10.10.10.16 = network 2
where H = host bits
seriously... just read the subnet section, it probably explains it better
ok but if you have an ip of 10.10.10.1 what network is it under
i will im just tryina pick up your mind
so that i can feed it to AI and make people ask you questions or something,
It's under the first network:
128 64 32 16 8 4 2 1
0 0 0 0 0 0 0 1
1 1 1 1 0 0 0 0
subnet mask^
since the network bits up to 16 are still zero then the network it's in has the network address of 0
ok, got that point:
- only IPs above 16 will be counted as part of network with gateway 16
- & the cap, the limit of network 16 is whether or not there's another network higher in number..?
nope, the cap is always gonna be the same increment as if you try to get a host with a higher number than the host bits can get, it'll then eat into the network bits, which can't happen
gateway is a host address btw so: 17 (gateways are routers usually)
aha I think I've managed to process what you just said: if a network has subnet mask allowing only 16 hosts /28 and that network has some IP, the cap will be that IP + 16 right?
roughly speaking + 16, probably + 15, I'm not that precise with numbers
second thing:
gateway is a host address in the bigger gateway, the main, the one higher in the hierarchy, like the Server Gateway in the above example, a sub network's gateway is host address in it,
why does that address have to be 17? what drove you to that conclusion?
Increment will always be the last network bit
so it's last network IP + 16??
Gateway doesn't have to be 17 but what everybody does is either first or last host in the network
Since 16 is where the last network bit is it's the increment
If you had 11100000
Instead as the subnet mask it'd be 32
i don't wanna know about the 32 now my guy
the last network bit is 10.10.10.16... is that network 2 network bit or is that the last host in network 1?
It's network 2
so the cap is network 2 IP + 16 when the subnet mask is /28
and that's the cap for network 2
Yep so what'd be the next network after 10.10.10.16?
10.10.10.32
Yep
NAT seems pretty useless then..
why would you wanna determine each network's hosts using ranges like that
NAT is used cos we ran out of IP addresses so we made some private
also is there something particular about placing N there and F
N for networks, that's like a class C or something Network
F idk, broadcast?
ok but that doesn't matter here, unless those hosts are themselves gateways..
Eg:
172.0.0.2:42069----NAT--------> 10.10.10.18
(public router address+port)
F is hexadecimal for 16, FF is 256
aah so you've been flexing on the network newbie all along
good to know that's what F is for xD
No...? I've just gone through 17 sections of the same module today
but if the network is subnetting its subnetworks in the way you just mentioned you wouldn't need NAT unless there's further subnetting, because based on the above the main gateway has determined where each target is gonna go, so there's no overlapping of IP Addresses,
damn that's dedication
Think of the internet as a massive network, ergo: you do need all those addresses