#modules
yea that didn't work and it takes ages
Whats going on here?
Thanks
theres other techniques discussed in the module in the evasion section iirc that you can read over again to see why some things may not be showing up
someone was advertising that they had social media hacks
someone can help me with this please?
check your credentials, is Administrador correct?
it's the one that says hack the box
And put your password in single quotes
i did it too and neither
Do you get the same error message then?
/p:'password'
Be careful not to write a space after the /p:
mmm
3389 is the default port anyways so you don't need it
Someone told him that before, he didn't listen ig.
i don't understand because this doesn't work
use single quotes, not double quotes
Nothing,honestly, I don't have a fucking clue.
try it on the pwnbox
Just use single quotes ' not double quotes "
I already did
Is the Target machine running?
here there is nothing
looks like there isnt a target for you to connect to
And which IP do you want to log in to?
You can't log in without a target machine.
here
you need to spawn a target to connect to one. it looks like this if there is one to spawn
No, that's just an example. You have to start a Target machine first, and only then can you log in.
oh my god I did think that was one target xD
what's the equivalent of grep on windows powershell? I need to search through a list of services given from 'get-service' for services that are involved in updates, so i want a grep-like command that will show me all services that have 'update' in their display name:
module: https://academy.hackthebox.com/module/49/section/457
select-string
nice, i tried using it, but i have no clue how it works, and microsoft learn isn't helping either 😅
can anybody help me with this? in password attacks, pass the hash
i already do the rdp and doing the mimikatz things with the creds but i don't get the NTLM of david
Ok i found a stupid substitute by just copying the output into notepad and CTRL + F but otherwise may anyone offer a proper explanation on how to do a string search in powershell? Thanks.
Yooo
Hello
The Select-String cmdlet uses regular expression matching to search for text patterns in input strings and files. You can use Select-String similar to grep in UNIX or findstr.exe in Windows. Select-String is based on lines of text. By default, Select-String finds the first match in each line and, for each match, it displays the file name, line n...
it has plenty of examples ^
it's also covered in one of the sections for the intro to windows commandline module
the web server runs it
but how
does it just return the file content
and aren't files typically stored in buckets
Firewall and IDS/IPS Evasion - Hard Lab
sudo nmap 10.129.225.138 -sS -sV -Pn -n --disable-arp-ping -D RND:5
through this scan i found only 80 and 22 port open
yes please nudge me on this.
well the module has info about ids/ips detection and bypassing
Anyone else having problems spawning academy attack targets?
i have tried with source port it got me a disclosed port.
No
Change region
And try
Got it. Sudo was the game changer
it depends on the server configuration and the type of file, but if you for example go to a php page the server isn't going to just send you php code. it interprets it and serves you the page. if that php code instead provides an interface to issue system commands, you have a web shell
yeah i got how it works
it is taking a bit more time for them to spawn.
if you for example allow users to make custom templates and upload them
you just asked how it works?
i meant from your answer i replied to
Hi, sorry for the delay, I would like to get started with HTB academy, I am really a beginner, do you think, what advice do you have for not missing out on my learning?
Take notes on everything you learn
Hello, I am having issues opening the resources from the CPTS - Documentation & reporting module. Does anyone have a working copy?
It's a locked archive
ah, damn. I feel like an idiot now, haha. Thanks
hello i have a question regarding the linux buffer overflow module
so basically in the module it says we have to check the memory address of $esp+550 to find our buffer + NOP slide + payload, but problem is that we put our payload before eip not after, so it should be before esp when it returns, so i tried doing $esp-99 (95 is the size of the payload) and sure enough i saw the payload, so why do we also see the payload when we look at a later memory address?
can anyone help me with an easy machine? im a complete beginner and i've been browsing through all sorts of tutorials but it seems im the only one that ended up with this issue regarding SSH Tunneling
ok thank you but in terms of my notes I'm getting very confused, I don't want to copy word for word, do you have any advice
Write in your own words
Make it make sense to you
Note-taking involves reading and understanding the main topic and you can ask yourself questions such as: What are they trying to explain? and Why is it important?
In the summary, a good structure is for your notes to answer these questions:
What is it: briefly describe the concept.
Why does it matter: Explain its relevance.
How does it work: Detail the steps or process in a simple way.
What are the limitations?
thanks and sorry
ey guys can someone give me some guidance? i don't have any idea what I have to do here. I'm in the module intro to academy's purple modules
The steps detail exactly what to do
Can I get yearly subscription on my university student account if yes then how ?
I don't want to do monthly, it cost me more
Hi
ok thank you so I can start even if I have no basics sometimes these modules are scary xD
Nope
Okay 👍🏻
You can probably reach out to support to figure it out
Okay, thanks
Can I have some laptop name which you guys use
No, you can't have my laptop
I use an old razer blade 2016
Some people use thinkpads
¯\_(ツ)_/¯
There's no one laptop to rule them all
Hello I got a problem on the Wired Equivalent Privacy (WEP) Attacks > ARP Request Replay Attack.
The lesson explains how to setup everything to capture an ARP request and replay it in order to crack the WEP key. The lesson talks about listening to the network with airodump-ng and launching the replay attack with aireplay-ng. As soon as airodump-ng hears an ARP request, aireplay-ng will repeat it, the problem is when I put this in practice in the exercise, no ARP requests are captured, even after 10 minutes of listening, and therefore I can't go forward.
I ran the very same commands as in the lesson, adjusting for ESSIDs and BSSIDs of course:
sudo airodump-ng wlan0mon -c 1 -w WEP
sudo aireplay-ng -3 -b ap_bssid -h client_bssid wlan0mon
Am I missing something?
guys i have disconnect in xfreerdp i don't understand because
i have NAt in virtual machine
What exactly does NAT have to do with it?
i don't know the I lose connection
Is the target server online?
Is the VPN connection active?
Just use any laptop you can find
of course i have the vpn open
The Academy VPN I assume, right?
Is the target server still online?
Is the server disconnecting you while you are active? So while you are doing things?
What exactly are you trying to show?
Is the target server still running?
Is the VPN connection still active?
Is the RDP endpoint disconnecting you while you are active?
the rdp disconnecting while i am active
Try restarting the target server. If it does not help, change the VPN region and/or the protocol (UDP/TCP)
If nothing helps, contact support
it was something else thanks anyway
nmap -sS 10.129.219.136 -p- -v -T 4 i only got 2 ports with this scan how am i supposed to get port 50000?
this scan already took 21 minutes
sudo nmap -p- -Pn -n -vvv -A --min-rate 3000, Try this way
what is the default minrate nmap uses?
Nmap does not specify a fixed value for the minimum rate by default, this means that nmap automatically handles the speed of the packets optimizing the balance and speed.
i see
I have trouble completing this assessment(Active Directory Password Spraying of the Pentester Job Role Path) :
https://academy.hackthebox.com/module/143/section/1422
Using the examples shown in this section, find a user with the password Winter2022. Submit the username as the answer.
But :
Import-Module .\DomainPasswordSpray.ps1
Invoke-DomainPasswordSpray -Password Winter2022 -OutFile spray_success -ErrorAction SilentlyContinue -Force
isn't working, it's detecting 2900+ users but it's removing all users within 1 attempt of locking out from the list and at the end I don't have any user to test. By the way, I'm supposed to be able to RDP into this machine but I get a black screen so I switched to WinRM (that's why I'm using the -Force option to not be asked for confirmation before spraying)
To connect to the machine :
evil-winrm -i 10.129.45.194 -u htb-student -p 'Academy_student_AD!'
If you get a black screen when connecting via RDP just press enter or space.
Okay, thanks
But very weird everything works with RDP and not with evilwinrm ???
I don't understand why Invoke-DomainPasswordSpray -Password Winter2022 -OutFile spray_success -ErrorAction SilentlyContinue -Force works only in a RDP window
Winrm is stupid
Question,
Web Service & API Attacks - module
The skill assessment.
Are we supposed to see the step-by-step on how to complete the SQLi in the readme.md we find within the target machine or was that forgotten there? 
Don't assume something was left on accident
Hi im new can one teach me hack acc
if you're here to learn how to hack online/social media accounts i suggest you leave.
wenegade waider
I dont want
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
There are more ways to scan for ports.
hi there, I could really use some help with attacking enterprise network - exploitation & privilege escalation.. can I DM someone so I don't give away info
I think the exploit is broken
yeah dm
thanks
Some one help me about road map on htb
just ask your question
If it's not about the modules in the Academy, read and follow #welcome to get access to the other channels
I dm'ed you.
@acoustic owl
Read and follow #welcome
Ik but which one is my id I didn't know
You can find the ID in your HTB profile
on app.hackthebox.com, you'll find your account identifier in your profile settings
Hey all, attempting to get into security and I recently completed a Boot Camp and passed the Sec+ exam. Not sure where to go from here but start hands on learning. Any recommendations on how to proceed from here?
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
hey is this where i can ask for help?
totally new guy here im not even sure how to use discord
Complete beginner to kali. How would you create the .py file on the brute forcing module?
you can use the touch command to create a file, or just create it from mousepad/nano/vi/etc
did anybody have a clue about this pass the hash, password attack module?
i already did impacket-psexec to the server and connected, and i already set DisableRestrictedAdmin to 0, but still can't do rdp
what's your rdp command
wrap the password in single quotes
Wrap the password in single quotes
It's processing $$ as a variable call
like this "AnotherC0mpl3xP4$$" ?
no those are double quotes
Single, not double
If you're curious, in another terminal echo $$
new knowledge for me, thanks guys
And that's what's getting appended at the end
Guy's
it gives me 47592, how can it give me a number?
That's the process id of that terminal
owh icic thanks for the info marcielee
anybody have a clue about this?
im searching for the NTLM but can't find it, and rubeus just accepts rc4, aes128, etc. it doesn't accept the base64 code
Ty. Just figured it out.
You won't always get an ntlm hash. You do have a nice ticket though to use
where is the ticket? it is the base64 key?
i already used it as the module says, but it says that it needs a 16, 32 etc code
Yes, the ticket is base64 encoded
do i need to tell it to use /base64:?
Rubeus.exe ptt /ticket:<chain-base64>
From what the question tells you that you should use john's TGT to do a PTT, you should first export all the TGTs in the system and then use the same TGT or forge one and do a ptt.
so i need to export it first yes?
Exactly, once you have all the TGT, search for the user john and then do a ptt.
to have all the TGTs do we need to use: Rubeus.exe dump /nowrap?
i'm still confused how to know what the difference is between TGT, PTT, etc
i just have this info when dump it, and some long key
Ok you must copy the long key in base64 and pass it to Rubeus like this: Rubeus ptt /ticket:keybase64
its says like this
You must pass the field key base64encodeticket
how can i pass it?
dm me
okayy thanks my broo
Hi, how many times can I exchange voucher exam?
thanks marcielee for single quote thingy
Don’t think there’s a limit. But if you wanna know for sure; ask support. You can only use it once though.
Hi
if you think you need to exchange the voucher to complete that specific job role path, just know you can do all role paths you are allowed to access with any exam voucher equipped
1..254 | % {"172.16.5.$($_): $(Test-Connection -count 1 -comp 172.15.5.$($_) -quiet)"}
actually why is one 172.16.5 and one 172.15.5?
Okay then
???
hi I think I fixed part of what the instructions for this last question from the Attacking SMB section of the Attacking Common Services Module. I have the netcat listener running and I think I got the right PowerShell command on the other box I just think I'm doing some minor thing wrong. Can someone help me out? I already solved first two questions.
I have a screenshot but I think it will spoil too much so I don't want to post here
can someone help me out?
It seems to be a typo
Prepping for PNPT and EJPT , following the windows priv esc module..I'm lovin it !
Hello can i get some help ?
on Introduction to Digital Forensics
Skills Assessment
Q3
Determine the registry key used for persistence and enter it as your answer.
I can't find the persistence, what is the Utilize Velociraptor Artifacts i use for get registry key?
any hint
||Hint i get it , just read "Windows Forensic Overview" you will find what you want||
Hey guys, Could some one help me with (windows to windows payload transfer method) i am struggling to do this.
Hello 👋 I can help you out…Kindly send me a DM
Hello, can anyone suggest me ways to install a Windows VM on a Linux host? Are there any extra steps that I should take or should following random tutorials online be fine?
I also went through the setting up module and they suggested a developer VM? if the vm will expire eventually, i was wondering why use that, but it seemed like the site doesn't even allow me to download one anymore? https://developer.microsoft.com/en-us/windows/downloads/virtual-machines/
Any guidance would be much appreciated!
quickemu ?
Quickly create and run optimised Windows, macOS and Linux virtual machines - quickemu-project/quickemu
@wispy halo
hello, thanks!
is this what everyone is using nowadays?
never used it but will definitely take a look
I am not sure - I used it a few times and it did the trick for me
👌
hey
crackmapexec smb 172.16.1.0/24 -u Administrator -d . -H 30B3783CE2ABF1AF70F77D0660CF3453
in this command we are not specifying the domain. so how will this account be locked out by the domain controller? i know that authentication is carried out by the domain controller so all the requests will be made to the domain controller. but when we specify the domain then it will happen. yeah i also know that there are ways to find your domain via dns and group policy. but i am not sure if i am on the correct path to understand this
how does this work
You're gonna have to be more clear @ripe wadi - what module, what section
And what is your question exactly?
can u answer mine
No - I have not done that module - but same goes for you. Module + section
module = password attacks in section pass the hash
like how is the gif file being interpreted by
im on AD Enumeration & Attacks - Skills Assessment Part I
Submit this user's cleartext password.
i can't find the cleartext password for ||tpetty || I've used mimikatz pypykatz gopher lazagne, file hunting, registry hunting
any hint
how did you try it on mimikatz ?
privilege::debug
sekurlsa::logonPasswords
and also dump lsass and tested on pypkatz
ok, I dumped lsass as well, even if it was with another tool. Maybe inspect the output again for anything you might have missed, or try other tools
which tool sir
I used netexec
Via Webshell
The code in the gif is executed by the PHP interpreter
how did u run nxc on the internal host? i can't specify a specific port that i forwarded
I used ligolo-ng
ligolo can be used on windows host?
i want to cry now hahaha dumb ass me thought it can only be ran on linux host
:)
how is a img file being executed
server misconfigurations
didn't the module discuss this?
bro is back
Who says it is an image file? The extension does not mean that it is an image
the skill assessment for the assembly module felt like pretty good prep for the reverse engineering course im taking this semester, it was harder than I expected
it ends with jpg
In the Linux Fundamentals module, I have observed that many questions at the end of each section are not related to what was taught during the section, for example in the "Filter Contents" section, the first question wants us to use ss -l -4 which I found it by searching about it online as I saw it in the cheat sheet but is this normal? Am I missing something? Shouldn't we be questioned about the stuff that the section just taught us to test our knowledge and understanding of the current content we just read?
keep at it!
you're right!
it's worth calling out, or at least letting the module creator know
Maybe this is the goal of it, to think "outside of the box", but still I am asking as I find it weird, the section is teaching something but the questions require knowledge from the next section or something that wasn't even specifically taught during the section 😅
edit for what I deleted:
mb, a 25 subnet mask would make the last address be 127 in the fourth octet, not the 3rd, i miscalculated 25 for 17 i guess, & yea they would not be in the same network.
module: active directory enumeration and attacks
section: internal password spraying from linux
i ssh into my attack box and try to run this command, which is mentioned in this section but this happens
I have a doubt if any one can help {Password attacks (Pass the Ticket (PtT) from Linux)}
Use the LINUX01$ Kerberos ticket to read the flag found in \\DC01\linux01. Submit the contents as your response (the flag starts with Us1nG_).
How did we know about the kerberos ticket (the linux one)? I had no idea where it came from
so guys
that would make the subnet mask change from /25 to /24 right? to allow that range right?
I remember going through that module and thinking a subnet mask was off by one. It might have been that part but it's been a little while so I don't remember. I just kept going 🤷♂️
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
Read that @amber badger - nobody is going to take your hand and teach you. That's what academy is for.
Ok
Hey, got stuck on "Skills Assessment - Using Web Proxies" in bug bounty where you need to encode the cookie you found. Could anyone lead me on a path a bit?
what have you tried ?
so i fuzzed, but it did not give me any exceptional outcome (talking about code, RTT or size) all came to 200 OK with similar time and size.
so i dont really know which one to encode
AD Enumeration & Attacks - Skills Assessment Part II
question
Use a common method to obtain weak credentials for another user. Submit the username for the user whose credentials you obtain.
am i suppose to use other username wordlist other than the ones in the internal linux box?
can anyone help? I've tried all the usernames and they don't work.. i know what the password is because i bruteforced the academy site instead
A common method could be to enumerate all the users of the domain and make a password spray with a password that complies with the security policy
I’ve checked the policy allows any kind of password and yes I’ve also enumerated the users through kerbrute and ldapsearch rid brute force
Have you tried using netexec to enumerate users with valid credentials?
I used crackmapexec
Will they produce different results
Ok, With that you can create a list and use a common password like “Welcome1” that fits the policy. 
ya ive tried
crackmapexec is outdated and not maintained anymore, use netexec in all cases.
okay ill try
You should keep trying and verify that the user list is correctly set up, that's the way to go.
If you don't believe you are getting the correct users or all of the users with some tools covered in that section, you can run PowerView on the target and build out a list of users too.
i think the AB user has no permission to run a lot command, i tried running powerview commands but there are some error
got it thanks everyone
would still use help on this
what have you tried
so i fuzzed, but it did not give me any exceptional outcome (talking about code, RTT or size) all came to 200 OK with similar time and size.
im stuck at the fuzzing
used zap/burp, i keep getting 2 responses on burp but every time i repeat the attack, the response is on a different char
how are you fuzzing it with burp ?
we'll need more than that to be able to help. You have a 31 character string after decoding the cookie, walk us through what you are doing to turn that into your fuzzing parameters
you can DM if you feel like it spoils
ok, i will dm
(it probably does)
is there a bug in the module cross-site scripting (XSS) on the session hijacking part ?
im getting a callback but no script execution is being done.
it doesnt wanna execute the javascript
is it only me or the meterpreter shells fail too quickly
God
It works in the PwnBox
weird didnt work for me
i tried various ports as well
it got to
everytime after script.js it was closing
Send me a DM with the content of your script.js file.
Remember that the support team does not read here. You must open a ticket if you want support to take action
ahh ok
Anyone done the AD Bloodhound module, i need help trying recreate a scenario
Hi can me help 1 person or 2
Anyone here do other hacking besides htb
What do you need help with
I will learn hack
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
Hey, stuck after mssql xp_cmdshell in escape two
admin/password
i dont know, in Forensic module it's like that
nothing comes out
I fired up the lab and couldn't figure it out. I don't see it in the reading material unless it's in an earlier section. no luck with admin/admin or admin/password.
so, not just you
Hello! I'm currently on the File Inclusion academy module, and I'm having an issue, perhaps it is with my computer. Tried to do http://<SERVER_IP>:<PORT>/index.php?language=/etc/passwd and /usr/share/flag.txt with the IP and port given and the page doesn't display the information requested. Tried to do also on BurpSuite, but the page took so long to load that I already gave up. Perhaps it's a config issue with my computer or connection. Who had this problem before? Can I get some help with this issue please?
I don't know because
looks like you're supposed to execute CVE-2023-42793, no, to bypass auth?
honestly i don't know how i can doing xD
Oh no, I see. You exploit "team city" then log into Velociraptor to observe what that looks like.
The credentials for Velociraptor are given to you a few sections back in "Available Windows DFIR Toolset"
Typically they provide credentials on the same page as the labs so it is a little unusual.
Guys Question
In the Footprinting Module , MySQL part
for this question
During our penetration test, we found weak credentials "robin:robin". We should try these against the MySQL server. What is the email address of the customer "Otto Lang"
I did this query : select email from myTable where myTable.name = "Otto lang";
I only get back 1 answer and when I try to enter it in the HTB question it says not the right answer
dunno if its a bug
Did you make sure that when you copy and paste it, it does not contain spaces?
^^^ or if that doesn't work refresh the page and try again (sometimes your session expires).
Lemme try to refresh the page and write it manually
...
That did the trick ty guys lol
Hi, let's see if somebody can help me, I'm trying to do the exercise of bypassing cors from module Advanced XSS and CSRF Exploitation, and when I try to send the exploit i get this error: exploit:6 Refused to set unsafe header "Origin"
i need a team dm me
Hi guys, module Introduction to Digital Forensics, section Skills Assessment...i answered all question except one. Can someone help me?
Determine the registry key used for persistence and enter it as your answer.
I just need a hint I tried a lot of keys but no luck...
Steps to get through CWEE modules
Repeat the steps you saw on the labs 100x even though it doesn’t work
Cry
Repeat until flag
Which modules?
Injection> ldap data exfoliation
Exfiltration
I found something with a wild card, but I’m using the HTB student and reconciling the password against the wildcard thing and it doesn’t work beyond just the wild card so I’ve been using the other ones that are listed with no luck. I even tried URL encoding everything.
.* with student gets a hit but if I put A or a combination of *A doesn’t work
I figured all the stuff in the lesson I could tie back a known password for HTB student, but that’s not even working beyond the * alone
I don’t have access to my notes atm but I can try to help via dm
is passing hashes the intended method?
Dm has been slid on
i put in the same like virtual machine and neither
Yes but that happens sometimes with hashdump and I’m not sure why
I suggest dumping hashes with mimikatz if you can
its ok i already did the same exploit in different vpn server to get access haha thanks
Dear community,
I am in the middle of "ACTIVE DIRECTORY ENUMERATION & ATTACKS".
I definitely miss something, please direct me in the right direction. As a more linux person I prefer terminal stuff over RDP. So I would like to issue many commands via Evil-WinRM or impacket-wmiexec from kali instead of using RDP and using the "cmd" terminal via GUI.
For example I would like to issue the dsquery user command via impacket-wmiexec but it doesn't work, I get>
└─$ impacket-wmiexec -dc-ip 172.16.5.5 htb-student@10.129.230.228 -shell-type powershell
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
Password:
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
PS C:\> dsquery user
dsquery failed:The specified directory service attribute or value does not exist.
type dsquery /? for help.
Via RDP, it works>
PS C:\Users\htb-student> dsquery user
"CN=Administrator,CN=Users,DC=INLANEFREIGHT,DC=LOCAL"
"CN=Guest,CN=Users,DC=INLANEFREIGHT,DC=LOCAL"
With the very same credentials it works if I RDP to the lab machine and issue the command on the Windows box itself.
whoami says I am "inlanefreight\htb-student" in both terminals, but many commands behave differently. What is the trick? Thank You.
This guy asked the very same, but did not get a proper "technical" answer> https://www.reddit.com/r/activedirectory/comments/1bkugcw/wmi_rdp_with_different_behaviours_on_ad_listing/
If someone from HTB Developing content reads this... please! I beg you ... make the Password Attack module "less realistic" . 😭 I mean, some of us also work and have families, lol ... and do not have 2 or 3 hrs just to crack a password
i put in this but still i can't log in
mmm Could you try to run the command with the path : C:\Windows\System32\dsquery.exe user?
You can use windapsearch for querying LDAP via Linux CLI
Is the difficulty of Attacking Enterprise Networks on par with Dante?
There is only one easy Prolab
Got the very same>
```
└─$ impacket-wmiexec htb-student@10.129.230.228 -shell-type powershell
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
Password:
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
PS C:\> C:\Windows\System32\dsquery.exe user
dsquery failed:The specified directory service attribute or value does not exist.
type dsquery /? for help.
```
hi there. Thanks for your reply. Yes I could.
but my primary goal is to understand why the two environments behave differently.
Yes I’m referring to Dante
I know you are
Dante is Dante.
It's a bunch of non-related machines piled up together basically
I know why
Env variables
can someone please help me with what I'm doing wrong here?
I am doing the pivoting, tunneling and port forwarding module.. I am using the credentials given to connect to the windows machine by setting up dynamic port forwarding.
The username and password given don't seem to work :/
Maybe it is a domain user and you should specify it, did you try?
You can try specifying the Server and credentials, @low heron
Don't know if this is the exact version, as I haven't tested
Hi everyone, I'm in the thick client section, in particular I started x64dbg, when I load the file, it moves too quickly, it doesn't give me the possibility to press correctly what I need, can you give me a hand?
I had to be quick to do it, if someone solved it another way I would also like to know because it was stressful hahaha
specifying the domain it was.. and now I feel stupid. Thank you for the help!
and yet by managing to catch that string the module is completed
fantastic marcielieee where are u, i need ur help
anyone who can help me is fine too, I wasted two days without solving this thing
Did you set the breakpoint properly, as dictated by the section?
set breakpoint
load executable
Thanks. Don't understand why (the environment is not convincing) but specifying the server as you suggested worked:
PS C:\> dsquery user -s 172.16.5.5
"CN=Administrator,CN=Users,DC=INLANEFREIGHT,DC=LOCAL"
"CN=Guest,CN=Users,DC=INLANEFREIGHT,DC=LOCAL"
"CN=lab_adm,CN=Users,DC=INLANEFREIGHT,DC=LOCAL"
And did you launch the program before or after setting that?
There is a variable for the DC in the PS via RDP while in the PS via wmi there isn't.
I checked line by line but did not find
no before i set that setting but nothing changes it still goes fast
“LOGONSERVER”
That's your problem
can you explain it to me better?
As noted by the settings menu, you need to restart the program you're debugging for it to take effect
ooooo . Thanks cheers
Otherwise it's running with previous settings
Once it hits the breakpoint it'll stop and you can investigate
I've done it many times, I closed it and reopened it, as soon as I load the file, it's as if it were frozen for a moment, I go to do the dump, I save it on the desktop, when I load it on strings it doesn't give me results, except ,1.
Did you clean it up as mentioned? Iirc that's part of it
it's as if it's frozen
Yeah that's what a breakpoint does, it stops the execution
now if I load this bin on string I get this (I moved the file to the string folder for convenience):
If I feed it to de4dot I get this:
what am I doing wrong?
me in front of the discord chat, waiting for a reply
Instead of waiting for a reply actually re-read the section and go step by step
It's fine to ask questions, but you should have the drive to make sure you're not missing anything or reading things properly
God bless you, I will reread the form again, if there are any steps that are not clear to me I will come back tomorrow
guys i am doing the hashcat module and i wondered, except for ntlm hashes how often do you need to crack hashes
You mean in boxes/modules or real life?
Hello, guys. I'm looking for suspicious processes among VAD artifacts gathered through Velociraptor, and there's 63k rows. Can someone advise me how I can quickly analyse such massive data and find sth suspicious in there?
"Using VAD analysis, pinpoint the suspicious process and enter its name as your answer. Answer format: _.exe"
UPD: ok, I found the answer by looking for the processes tree instead of this
and for hashcat also, isnt the whole purpose of salting to not be able to crack hashes
anyone else having a lot of issues connecting to any of the modules that require you to connect via RDP today?
keep getting booted constantly
i've redownloaded the VPN file, and it will initially connect, but shortly kicks me off. Then have to keep restarting the VPN
I've tried running this crackmap command to get the ntds hashes from the module "Attacking Active Directory & NTDS.dit" and it doesn't return anything but: [!] Dumping the ntds can crash the DC on Windows Server 2019. Use the option --user <user> to dump a specific user safely or the module -M ntdsutil [Y/n] Y. I type in "Y" and press enter but nothing happens. Is there something wrong with the way I'm using the command? crackmapexec smb 10.129.201.57 -u jxxxxx -p xxxxxx --ntds
Question is Capture the NTDS.dit file and dump the hashes. Use the techniques taught in this section to crack Jennifer Stapleton's password. Submit her clear-text password as the answer. (Format: Case-Sensitive)
You must point to a DC in order to get the NTDS.dit
In the command? This was the example used in the module: Solarage@htb[/htb]$ crackmapexec smb 10.129.201.57 -u bwilliamson -p P@55w0rd! --ntds
look at the protectionMsg
Yes but sometimes it doesn't work copy and paste, you must know which is the Domain Controller server to get ntds.dit with cme
crackmapexec smb <IPDC> -u bwilliamson -p P@55w0rd! --ntds
Is the Data Exfiltration via Response Timing section of Whitebox attacks supposed to take forever? I verified the script works correctly with a known username and am using the correct wordlist. not looking forward to the next section if I also have to wait that long for that one as well
Any hint for injection ldap data exfiltration? The cheat sheet isn’t helping, nor is the lesson plan. I’ve tried all types of combinations.
For windows lateral movement, SSH. Do you need to port scan all 65k ports via proxychains? Can't think how to find the SSH port for SRV02 other than this but it takes a long time
For the SA you mean?
Question is "which port is SRV02 using for SSH"
Just found the ssh key in ambioris but you have to find the port through the pivot?
I would scan all 65535 but that's just me.
You can try the Nmap fast scan or attempt all closely by ports (2022,2222....)
You're struggling, DreDre 😂
Which certs do you have again?
As if a piece of digital paper proved anything
Tried around 20 known SSH ports, it has to do a connect scan over proxychains though which will take hours to complete all ports
If you’re not going to help and you’re going to cause a problem get fkd 🤷
I can check my notes if I have noted something
Chill, bro
You can DM if you are stuck on some of the modules
Hey, the intended solution is that you don’t look at all vad blocks but you filter for the ones that have write and execute. Process injection often maps memory to rwx to write code and then execute it, write and execute in the same memory region is a big red flag. I agree that the module didn’t really explain that too well. In velociraptor you can filter for only those regions and then you get the answer quickly
I typed it in with the domain server
dm me
Still need help, @rustic sage ?
I didn't note down the script but just wrote one that works
Sure, shoot it off if you like
You have to make a script that sends that HTTP request iterating through each character and appending each when matching that successful authentication string
For the hydra login forms module, I downloaded the 2 wordlists and inserted the hydra command with -f “target IP” -s “port”. It resulted with 0 valid passwords found. Am I missing something?
Hi guys, I have a doubt in XSS module (Pentest pathway)
This comment section is vulnerable to XSS. If I specify my script without the port as in the image, I get a hit.
If I specify the port in there, like:
http://10.10.16.16:8888/script.js
It would end up in an error.
Any reasons?
@earnest pasture Thanks for the help my guy. I appreciate your quick response
Provided there are no issues with hosting the file
Could it be that, it has to always be the PHP server's port, and can't be the Python server's as it doesn't handle that request well?
can i see the php server running in ur cmd?
This is when I specify a port in the XSS vulnerable comment section
Otherwise, If I don't specify one, I get the flag
Bud
u specified port 80 so http://10.10.16.16:80/script.js
You're running your php server on port 80
php -S 0.0.0.0:8888 is wat u would have to run if u want to use http://10.10.16.16:8888/script.js
No need to dig deeper beyond the issue being between keyboard and chair
it will work with just nc
But i tried running php server on 8022 port, and that gave me an error too
What error
I'll post a ss
Okay 👍
@rustic sage
Have you taken a look at your dashboard??
this is when i specified my ip with port 8022
Okay
The magnitude is fluctuating wrongly
You can lose access to your wallet full function if you don't look into this
bro might be onto something😭
looks the same to me
yeah, if I don't specify the port in vulnerable comment section, and let php server running on 80 port, then I get the flag
so I'm curious why this is happening
looks inside script.js
is actually .php
haha sorry if im making mistakes, but im so confused
Found the user and password but still says invalid ||user-root pass-404: Not Found ||
Thank you! @lament ridge ahahah
😩
np np np
and @fathom pendant
Yep, that'll do it
Hi, the same issue happened to me, how did u manage to solve it?
AD enumeration skills assessment 2 question 4 Use a common method to obtain weak credentials for another user. Submit the username for the user whose credentials you obtain. The target seems vulnerable to rpcdump.py @172.16.7.50 | egrep 'MS-RPRN|MS-PAR'
Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol
Protocol: [MS-RPRN]: Print System Remote Protocol I got this output when i try the attack it still doesnt work
gives me some error code
I thought if i could get admin shell using this method i could run mimikatz and get the users creds
i dont know what to do
Please guide me
A common method is to list users with valid credentials and try a password that matches the password security policy.
Okay
ohhh ok thanks
Good evening, how are you? I would like to ask for your help since I am working on the skills assessment for Broken Authentication. I have the user's password, I found the OTP, but I can't see the flag. Could you help me?
wat is ur current output?
Careful mate
from memory, look at the 2 bypasses they teach u in the module
I understand, I'm sorry, I didn't know where to look.
.
Hi buddy u sent me friend request why?
Is anybody available to chat about the Coercer page of the NTLM Relay attack module? I'm sure I have the correct output, but can't work out what format the answer wants.
Regarding port forwarding, why is the given example by HTB using proxychains with nmap, and having success given that they haven't disabled host discovery? I've tried to follow the exact setup with SSH dynamic port forwarding, along with proxychains, and I cannot reproduce what was done in the AEN Internal Information Gathering.
As demonstrated, they ssh -D 8081 -i dmz01_key root@<IP> , and then add socks4 127.0.0.1 8081 to the proxychains4.conf, and then execute proxychains nmap -sT -p 21,22,80,8080 <TARGET_IP> which then successfully executes, saying which ports are open. When I tried recreating this (I have already finished AEN), I get:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-01-13 21:13 PST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.12 seconds
So I add -Pn with --reason and -v, and I get filtered no-response ports using proxychains nmap -Pn -sT -p 21,22,80,8080 --reason -v <TARGET_IP>:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-01-13 21:14 PST
Initiating Parallel DNS resolution of 1 host. at 21:14
Completed Parallel DNS resolution of 1 host. at 21:14, 0.03s elapsed
Initiating Connect Scan at 21:14
Scanning <TARGET_IP> [4 ports]
Completed Connect Scan at 21:14, 3.00s elapsed (4 total ports)
Nmap scan report for <TARGET_IP>
Host is up, received user-set.
PORT STATE SERVICE REASON
21/tcp filtered ftp no-response
22/tcp filtered ssh no-response
80/tcp filtered http no-response
8080/tcp filtered http-proxy no-response
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 3.09 seconds
I've found an identical issue here but building Nmap from source didn't seem to work. I tried to replicate on Pwnbox and it didn't work either. https://security.stackexchange.com/questions/277187/nmap-does-not-work-through-proxychains
Any ideas?
I would highly suggest using ligolo-ng for pivoting, it's not just easier, but also faster and has less issues.
Thanks, yeah, will certainly check it out. I just am trying to make sure I really understand what's happening in the official explanation, but it doesn't seem replicable. 
Well, i can't really say what would be the problem because i did not use proxychains outside the pivoting module, i always used ligolo :p
You don't need the icmp-echo to guarantee a host is up
But nmap through certain types of proxies is a pain
Just went back to look at the tunneling module, and it seems that they established an ICMP tunnel using ptunnel-ng prior to using SSH dynamic port forwarding, to then using proxychains nmap... I suppose that answers my original question. Appreciate y'all
That's a lot of work
Yeah, quite 😂
I also heavily suggest doing the AEN module without reading it
Just boot and go for domain compromise, it's relatively easy if you took good notes throughout the course
- practice writing the report.
Practicing the report in AEN really helped with writing it during the exam
As it's a LOT of work
hey everyone, I'm still very early into the academy with intercepting web requests, I was hoping someone could help explain to me why I needed %3b in front of the cat+flag ? I'm trying to find reading material online to explain it but can't find anything solid
I wanna ask for a hint but
If you tell us which module, which section, which question and what exactly you were trying to do, I'm sure someone will be able to help you.
Okay 👍
What seems to be the query?
@unique ether
Have you been able to get the query locked into by any official
@hexed oar
yea the thing is i already asked for a hint before for the same assessment i dont wanna get the habit of asking 😦
I haven't, I understood the concept of what the module was asking, just couldn't find more info on how to pass the code through
I'll try to do more reading into sql
%3b is ; (in url encoding) hope it helps
You wouldn't be the first
just ask, this is a field where working with a team is important
yoooo thank you
hi, for cape have anyone had the netbios timeout issue from the cme spider_plus module?
Thank you! Gonna add this to my notes
anybody can help me with this? password attack - lab easy, i already know how to do it, but the brute force takes a long time. so does anybody have a short answer about it?
Brute force didn't take long for me iirc
Using this with Hydra should work
wget https://academy.hackthebox.com/storage/resources/Password-Attacks.zip
hello! having trouble in the ssh login for jane in login bruteforcing. i got the user and pass but it says permission denied (publickey)
Make sure you're trying to ssh to the right port
ohh okay ill run an nmap scan
cuz the target is 94.237.63.176:31794
so i thought its also the ssh port hahaha
i ran nmap and port 22 is ssh hmm
yess i did
yeahh it says connection closed on port 31974
Well that's not the port shown in your copy/paste
i regenerated the target still connection closed T.T
You're given ip:port
yep
ssh jane@94.237.54.42 -p 55358
this is my new target
94.237.54.42:55358
this is from copy/paste
hmmm
Also typically giving it a few minutes after it spawns can be helpful
ohh alrightt ill try to give it some time hahaha
Hi guys, module Introduction to Digital Forensics, section Skills Assessment...i answered all questions except number 3. Can someone help me?
Determine the registry key used for persistence and enter it as your answer.
I just need a hint I tried a lot of keys but no luck...
LOL apparently, i wasnt supposed to login through ssh. i used firefox and saw a login page, got the flag now
That makes sense depending on the type of bruteforcing done
yea and another blunder by me lol i used http-post-form in bruteforcing it with hydra so ofc its a page. i was trippin cuz i took like 3 ssh exercises before this
already doing it and already cracked it thanks guys
Can anyone help with windows lateral movement, SSH? Do you need to port scan all 65k ports via proxychains? Can't think how to find the SSH port for SRV02 other than this but it takes a long time. The question is to find the SSH port but it's through a pivot so scanning takes a long time. Tried PsPing on the pivot box to scan but it just crashes.
I'm doing "AD Enumeration & Attacks - Skills Assessment Part I" but the antak.aspx webshell is unresponsive. After typing a command and pressing "Encode and Execute", the page just times out each time. I've reverted already but this doesn't fix the issue either. Anyone an idea how to fix this?
try a different shell ?
Did you solve it?
That shell is the provided foothold, so I don't think I'm supposed to look for a way to get an other shell. Should have specified that in my question 😅
ah that makes sense then
What type of command are you passing? It's a web shell, it's supposed to be limited.
And you can indeed jump for a more interactive one
just a simple whoami fails
It does it automatically
Will have to revert the machine. Prob something broke
Maybe the right role or a \n at the end of the encryption key
what if u do submit instead of encode and execute ?
ye
same issue
Will try, but just thinking about it, what would be different? Better connection or something?
have no clue mate.
appreciate you trying to help!
you're welcome
it worked 🙃
I'm losing it
sup ?
He’s losing it
can anybody help me with password attacks lab medium?
i already got the jason creds and opened the docs but can't connect to the mysql things
What’s the mysql command
Have you tried ssh?
if its localhost
u dont even need -h
also dont do --password but -p it prompts u to enter password. --password can show up in logs
ah i see what u do wrong
it is remote but u forgot to specify port
it doesnt work like that with mysql
with -P u can specify port if spoiler remove pls
yap already but i didn't find anything
okay i will try it thanks
Is it running mysql on the localhost?
in the target there is no mysql
my connection to machines is very slow, but if i am connecting with the pwnbox, it seems fine. tried many vpn files.. can anyone suggest the best one based on my location: India
i already do the connect but still can't
The ssh host
Can anyone help with windows lateral movement, SSH? Do you need to port scan all 65k ports via proxychains? Can't think how to find the SSH port for SRV02 other than this but it takes a long time. The question is to find the SSH port but it's through a pivot so scanning takes a long time. Tried PsPing on the pivot box to scan but it just crashes, not really sure what else to try. Made a PS script to check ports but it crashes the shell and only have access via SSH
😭
File upload attacks skills assessment - kinda stuck, got the needed source code and the file upload directory but no matter which combination of extensions with png and php other extensions (like phar, pht) and special chars, it still filters all of it 😐
Dm the request sent
SSH isn't running here right?
Yes
Finally found it thanks, had to run a connect scan through ligolo
The script that makes the wordlist, shown in earlier modules - it's not enough, you need to modify it with a few more
hey can someone hint me,been stuck for 3 hours on this question from password attacks module, " Use the user's credentials we found in the previous section and find out the credentials for MySQL. Submit the credentials as the answer. (Format: <username>:<password>)"
Which module
password attacks - Password Reuse / Default Passwords
Aw, can't help with that
i did, and i found my mistake thanks to @safe star
I was missing some bytes and broke the PNG file
installed sliver and msf on ubuntu 22 when i exec "generate stager --lhost 192.168.5.131 --lport 1234 --protocol http --format shellcode --save /tmp" error [!] Error: rpc error: code = Un...
Looking for some hints. Active Directory easy Assessment, anyone can help?
What do you need?
I have admin hash on Web01 and MS01 server, I also have 58 domain users, now I think i need some password, not sure what to do from here
Are you referring the Active Directory Enumeration and Attacks Module?
Cause there are a couple of Modules that have Active Directory in the name
Credential dumping
i tried dumping hashes through crackmapexec but on both the servers I got only the Admin hash through sam dump, and NTDS or LSA dump is not working through CME, do I need mimikatz?
You can do it both remotely with CME/Netexec or Impacket, or locally with Mimikatz
Your choice
ok, I am going to try this one more time, though I have tried it multiple times
You can DM if it didn't work
ok thanks 🙂 will try it once more
Hello guys, i am doing the Active Directory Enumeration & Attacks module and i am stuck on the last question of the ACL Enumeration section, i tried every command with PowerView and i can't even find the answer with bloodhound, can someone help me?
Working through XSS module. For the Phishing section, I am having trouble getting the “document.getElementById(‘urlform’).remove();” inject to do what the module says it should. Our new login form populates, but it doesn’t remove the Image URL box, it simply writes the back-half of the code after / underneath our malicious login boxes and button.
You can send me what PowerView commands you tried.
Get-DomainObjectACL -ResolveGUIDS
Or Impacket's dacledit.py
Or Netexec ldap with the acl module
Good Afternoon People someone can help me with this?
Do we have to compile SharpWSUS for the SA? Doesn't look to be on the WSUS box
Yes
Ehhh wait a bit check online reset
And why it say localhost, that only pop up when u get the basic authentication prompt?
i don't know
i don't have idea
Are u traveling to localhost or academy url
the academy
They're accessing it via rdp, check ss again
Oh snap thank u
Hmmmm is there a ip with a weird port at bottom?
is the virtual machine of the academy
If theres a ip and a port that’s not 8889 visit that
Dude. You're just leading to more confusion
that is true
Sometimes in academy when a service is running it will be on a ip and port that might be different then the common one
They are rdp into the target, [see ip in freerdp] and they need to access a tool
i'm sure that's it
That's not the case for the intro to purple team module
Ah shit man I keep thinking he is on pwnbox or some crap. My fault bro I’m in class
Maybe just try restarting the lab and waiting 5 minutes if you haven’t already
Pwnbox ip is 10.10.x.x
And you don't rdp into it
In the Win Lateral?
Have to download your tools
Did you give it a few minutes before attempting to sign in?
Like every SA
how can i do that marciele?
Literally wait a few minutes after spawning the machine to rdp in and do the exercise
Literally says to do that in this screenshot
¯\_(ツ)_/¯
Also doesn't look like you need to rdp necessarily to do this
Should be able to [from your own browser] go to https://<target ip>:8889
yo am i the only one facing connection issues in the EU region in academy? 🥲
i don't know because i have this problem
i cant connect sadly
I used the Invoke-SharpWSUS instead but trying to get onto the DC now with the VNC password
Hi
I'm new here. Unable to figure out where to ask lab query!! And unable to text in other channels :).
Need a little help here
If it’s academy you’re in the right place. If not read and follow #welcome
Then you’ll get access to more channels
You can check the hint
Also... Scan the ports on the hosts as to know where the VNC server is running
I'm already in thanks @fathom pendant
I'm pretty sure I'm trying the right thing can I DM you details? @dapper moth
Sure
Hi there, I'm getting an error running getuserspns through proxychains : KRB_AP_ERR_SKEW(Clock skew too great). Any thoughts? I tried sudo rdate -n <ip> and it gave me an error
I'm recalling a similar issue but probably in the AD module where clock skew was causing me problems and after an hour or two of trying to work around it I restarted the environment and things worked as expected.
haha okay thanks i'll restart the environment
thank you
Sync your clock to the DC
sudo ntpdate [IP Address]
okay next time i 'll try that , for now restarting the environment worked. And then to revert back to my clock is just using my ip?
I don't think it will work this way. Best to save a snapshot and then revert your machine back to their normal status
When there’s a need of brute forcing username/password, which password file is more ideal? I dont prefer rockyou
why not?
Too many
that's why it's good
I don’t think the same especially if the site has rate limit
The smaller the wordlist the less likely you are to find valid credentials
It depends, most modules have a wordlist they provide
and if not, there might be a way to narrow down wordlists like rockyou
ive just completed broken auth and that was one of the things you had to do
very interesting module and really opened my eyes to more broken auth methods
can i dm someone about the MSSQL, Exchange, and SCCM Attacks Skills Assessment ?
on the attacking common services i found the traversal vuln but i need to authenticate and the basic_auth_bypass from the last section did not work
should i try with rockyou or bruteforcing is not the way
wondering if someone could help me with the cracking linux passwords lesson: I found the hashes on the target server. I've tried running hashcat using the rockyou.txt file, the password.list file (in the resources), and finally the mut_pass.list using the custom.rule (Resource file). It says I cracked the password but I still don't have the answer
It's ok buddy thanks I gave up yesterday I'll try today
--show
I can't add a screenshot here can I msg you directly?
No
Hashcat has an option --show
oh nvm lol okay there's a different answer in my output file as oppose to the hashcat console nvm
💀
Am stuck in a privesc section where I can't edit cron jobs for code execution to root. The box also has no internet connection so downloading scripts doesn't work, copying and pasting long scripts also breaks the ssh session. Please help
Hi, I'm doing the command injections module and there is a part where we learn we can reverse a command to bypass some filters, but I don't understand a tip that the content has (Delete this if this is a spoiler) :
"Tip: If you wanted to bypass a character filter with the above method, you'd have to reverse them as well, or include them when reversing the original command."
Have you tried downloading the scripts on the victim from your attacker machine?
upgrade ur shell with python pty then u will be able to edit files using nano without any problems
also u can download files with scp if u cannt use wget or curl
it's just explaining that if for example the command cat /etc/passwd is blacklisted and gets blocked u can bypass it by reversing the command, like for example $(rev<<<'dwssap/cte/ tac')
try it on your machine and u will get the same result as cat /etc/passwd
this is a method to bypass the black list filter
Ohh thank you! English is not my mother language and I lacked some logic
yeah unfortunately it doesnt work
scp?
do exactly as i said and it will work
u can do any of these 2 techniques
guys, i can't get to the "Paths" and "Modules" sections on the main screen in the learning section. the link to them does not exist =/
is it due to technical works?
In the lower left corner where there should be a link to it is written: javascript: void(0);
just press on for example paths and they will open a list select what u want
dont just press on paths, it will just open a list, not redirect u
thanks
yo i am having some issues with next steps on server side attacks, i am on identifying ssrf and i have no idea what to do next, i tried doing some scan stuff, and some sql stuff but i am assuming we want to send commands to the server so we can ls and cat a text but idk how to get those privileges
Okay ✅
sorry it's not specific but i dont really know what way i should be pointed at
Have you been able to get the query looked into?
Who is available now i need help with documentation module
Okay
Okay 👌
Connect to the testing VM using Xfreerdp and practice testing, documentation, and reporting against the target lab. Once the target spawns, browse to the WriteHat instance on port 443 and authenticate with the provided admin credentials. Play around with the tool and practice adding findings to the database to get a feel for the reporting tools available to us. Remember that all data will be lost once the target resets, so save any practice findings locally! Next, complete the in-progress penetration test. Once you achieve Domain Admin level access, submit the contents of the flag.txt file on the Administrator Desktop on the DC01 host i connect with the dc but there is no flag
How long have you been on this?
@rustic sage
10 MIN
Okay
the bots are back
anyone here can help ?
Yes mate
i am trying to find the flag
If you already finished the task just go to
C:\users
and check the desktop files of the users
You escalated privilege?
And can visit the desktop of the administrator ?
yes i check whoami
empty no flag
Open cmd and type
Type c:\users\administrator\desktop\flag.txt
And show me the output
keep following the module u will learn everything eventually
can u provide a screenshot of the error u are viewing
Maybe not enough permissions to save in current folder ?
Having an issue pasting the screenshot.
if you cannot save it in the current folder
try going to /tmp
and running the curl/wget there
what script have u tried using to escalate privileges
👍
if i remember correctly, i used a bash script for sudo priv escalation from gtfobins
I believe he is trying to enumerate with linenum
Trying to use linenum
Can anyone help me in getting back to Windows? I am an Arch user but 40 GB of system storage in it isn't enough 
That did it! Thanks a lot man.
np!
ohh and u did chmod +x already?
Yeah, the output is still ongoing.
Would someone mind explaining the Character Shifting section to me in /module/109/section/1037 to me? Idk wtf I'm looking at
It's in the Bypassing Other Blacklisted Characters section in the Command Injections module
i dont think linenum is needed at all
I'm not sure. I've been trying to do it without help for the most part.
I saw that PHP can be ran without the password. But still trying to figure out to take advantage of that.
Ok. Appreciate it.
Yeah, that was actually pretty easy. Just searched for PHP and got my answer. Appreciate the help.
yea in my case too i didnt use linenum. just used a bash script from gtfobin that time
@tulip hearth
can I ask what the ssh password is in this question? - Introduction to Windows Command Line Module Assessment
Anyone knows if completing the 3 htb wifi module is enough for me to take on the offse oswp?
I’m assuming there’s no password
Hi Hacker, I'm learning through the windows priv esc module. I'm at priv esc via DNS Admin section.
Is it okay to ask a query here ?
Yes
What’s wrong
Yes, thank you. So here's what i did . I made a dll with msfvenom with cmd = 'net group "domain admins" netadm /add /domain' . Transfered to victim windows machine.Loaded the dll with dnscmd.exe . Stop dns server and restarted it. I was hoping to be added to the domain admins group. But i was not added.
What am i missing here? I check my permissions .. i was already a member of dns admin group.
Don’t dm members without permission
what le fock is going on here 
they are bots
Hello, what should I do about this error:
```
[!] Error: rpc error: code = Unknown desc = exit status 1 - Please make sure Metasploit framework >= v6.2 is installed and msfvenom/msfconsole are in your PATH
```
```
msfconsole -v
Framework Version: 6.3.44-dev
```
**Module**: **Intro to C2 Operations with Sliver - Probing the Surface**
I think it’s just msfvenom windows/x64/shell_reverse_tcp
That worked for me
I think the payload file will be encoded
your running the same command tho, sliver is just a wrapper
helloo i need help in the mysql connection. im connecting properly but it says TLS SSL error
indeed
Need a guide?
try --skip-ssl
i will do, thanks
that worked
thanks! does that command mean i skipped the ssl as in my device didnt require ssl from the db
yes
Applications of AI in InfoSec module Network Anomaly Detection section
The URL is broken, it's a 404
@mortal basin
Uhh
you decided what you would like to order at the krusty krab yet?
I HAVE TRIED EVERYTHING
I CANT EVEN REACH THIS PING WHYYY IS IT ASKING ME SOMETHING I CANT REACH
I EVEN LOOKED AT THIS https://ostechnix.com/identify-operating-system-ttl-ping/
please reduce the use of the capslock
you left your caps lock on I think
I think ya better turn off caps lock
Have you, connected to the vpn @pastel lotus ?
look at the output in the section instead of pinging the IP address
Ah yes, no "spawn target" option here. No need to ping anything
So no linux terminal needed? Im just not reading something?
did you do the introduction module where it teaches you everything you need to know about HTB academy?
Just need to read the question again and then do what it says: Check the last result and from that you can identify the OS
Bro I was right it was windows, the answers are cap sensitive?
yes
.... So I was stressing for no reason, no way
Yes. Tip for academy, if you think your answer is 100% right, check a few things:
- Make sure there are no spaces in front/back of your answer
- A lot of questions will tell you in what format they want the answer
- Names usually are written with a capital letter
why we cannot get the correct key with rubeus
it is base64 encoded aes256 . i tried to decode and encode it in hex and still it is not working
the key is different from mimikatz sekurlsa::ekeys
we need the aes256 or rc4 key to do pass the key or overpass the hash
module : password attacks section pass the ticket from windows
if i dont do encoding and decoding it will give an error
???
You must query all TGTs in the system, then copy john base64 ticket from Rubeus output and then do a ptt
Rubeus.exe asktgt /domain:inlanefreight.htb /user:john /aes256:<aes_key>
For this you need AES Key which you can get using mimikatz
c:\tools> mimikatz.exe
mimikatz # privilege::debug
mimikatz # sekurlsa::ekeys
anybody can help me with the password attack lab -hard?
i already find the creds for johanna and already can do the rdp and winrm
there is a file called logins.kdbx and i dont know what to do with the file
use tool called kpcli
in evil-winrm it's super easy to download or upload files, just type
download filename.kdbx
because im stuck on the transferring the tools, i already use the impacket to transfer the logins.kdbx into my machine but it can't. and when i use http also didn't work
and then use the kpcli from ur kali
did i need to be the admin first or crack the admin pass?
If you have an RDP connection, you can mount a share
xfreerdp …….. /drive:share,"/home/user/share"
did i put it wrong?
u can also do it the easy way
mimikatz.exe
privilege::debug
sekurlsa::tickets /export
which will download all the tickets for u
then u will do with mimikatz also
kerberos::ptt TICKET.kirbi
and u will be able to dir \DC01.inlanefreight.htb\john
with no problems
what module u doing
password attack lab - hard
I need to generate a new one, just wanna do it this way via Rubeus only. See the optional exercise of the section where they said try to do all the things separately, so I'm just doing that
yeah it works but I wanna do that only with Rubeus. My doubt is why it does not work if they said it's a base64 AES256 key
xfreerdp /v:ip /u:johanna /p:'pass' /drive:share,/home/htb-ac-1560/Desktop
huh? how??
i connected to the rdp rn
but how can i download the logins.kdbx into my machine?
it got downloaded for me on evil-winrm with no problems
how T_T
is there any necessary knowledge for RTO or smaller AD Pentest?
it says permission denied
Now you should see the resource on the Windows host as \\tsclient\ and just paste the .kdbx file there and it will be in the path you specified on your attack host.
you must be good at AD to do CRTO
alright, and?
I'm redoing "Information Gathering - Web Edition" and I just saw something strange: we have to find the MX records for facebook and the answer is for the old domain (before the module update), is that normal?
.
look at the course material
wait, it's called \\tsclient?
what directory do I need to be in?
I have completed modules such as: windows fundamentals, intro AD, intro command line, windows privilege escalation
ftp?
keep going, CRTO is really more than that
bro just reset the machine and download it with evil-winrm
it literally worked for me, look at my screenshot, just reset the machine
yes, and what is the core of what i need to do next?
look at the course material to know what to study
i don't want to access tools like bloodhound, powersploit, powerview, mimikatz,... because I want to "do it myself" rather than install the tool.
already got the files
Yes
Use a folder in your vm
this makes no sense
why?
wdym?
because you can't pentest AD without these tools
i think the ability to do it yourself first and use tools later will help me go further?
literally can't
the course is literally based around C2 operations 😂
if you think using these tools is hard, trying without them is impossible
no, what I mean is that using the tool is too easy, but if it's easy, you won't understand it deeply
I mean there's nothing wrong with using the tool
just learn how the tool actually works and look at the source code then
you can learn everything about AD deeply and still use the tools
no one on the planet does AD pentests without these tools
AD with no PowerView or BloodHound
okay, I see