#modules
is the in the ad module?
It's "Compromise DC01 and submit the flag located at 'C:\Users\Administrator\Desktop\flag.txt'"
I've got the sqlftp password but can't find where to go using content from the module, the module is just called NTLM relay attacks I believe
there's several AD modules, NTLM Relay is its own module t3 in the CAPE path
ok
i didn't know which module fantalemon was referring to
I'm still stuck on the log poisoning section of the LFI module in the CPTS path.
it doesn't break the file but it results in an empty string being logged
maybe i need to encode this
but i'm not sure that urlencoding these characters will really solve anything since i want the payload to be loaded
Hey, I just finished Attacking DNS Under attacking common services
I think I understood why it worked but I want someone to verify it for me
when we found ||the subdomain hr.inlanefreight.htb|| it was vulnerable to ||zone transfer|| because it was an NS well?
Hi all, currently working on the Skills Assessment for SQLi - https://academy.hackthebox.com/module/33/section/518
I've so far found the SQLi and able to read certain files, like the ||/etc/apache2/apache2.conf||
I've read and re-read the 'writing files' section, but I ||can't find this web-root to write the shell to.|| ||The hint talks about reading files I know.|| Should I be looking elsewhere? 🤷♂️
Check your path
have you checked your path?
check the url
I think i figured something out with the log poisoning section in LFI module
certain chars are being stripped by apache so don't get logged
Permissions denied - it must be another path somewhere, but I can't figure it 🤦♂️
look at the url u r on
Are you at /something.php or /something/something.php
Hmmm. Perhaps this in itself has given me a clue. One sec, I'll have another bash and come back to you 🙂
You can DM your payload if you'd like.
thank u
hi, im stuck on https://academy.hackthebox.com/module/268/section/3064
i think this is a case for ffuf, but is that wrong? i'm a little confused even with the hint
You can use something that can fuzz, so yeah that, burp, etc.
i think my commands good and im trying a really big wordlist for directories but im not getting a result
It shouldn't take much
Not sure what endpoint you are working on, but I'd try that one you were messing with earlier when we spoke.
You can DM if you aren't getting anywhere.
Quick question how do I know which thing to connect to my pwnbox
Hi guys
on the first bit
That doesn't narrow anything down
If anyone is currently doing cpts or cbbh path, please let me know so we can connect 🙂
I'll send a pic of it
What's the module?
The introductory
Also you don't need to worry about license.txt
Intro to academy?
To rephrase; what are you trying to do
I'm on the sections bit and it comes up with parrot and other bits and bob
Trying to connect to Pwnbox
Pwnbox is spawned when you click "spawn instance"
Sorry, I just posted in general
Doesn't mean i won't offer lol
Also if you read the link to the message it's not a warning or anything
Oh sorry let me check it
I thought u were correcting me 😅
Holy shit thats a good offer
Can I dm you @fathom pendant
Yeah
Marcie
I've pressed start instance but I don't know where the terminal is located
Can u pls help
There should be a full screen button. After that it's just looking around the screen to find it
ok
Marcie I've found the terminal but why does it come up with bash thing when u try to put cat/etc/issue
Read the error carefully
Ok
Short answer you need a space in here somewhere
this thing is doing my head in
You did cat/etc/issue which made the prompt tell you it doesn't exist
cat /etc/issue
<command>[space]<options>
you should do the linux fundamentals module
ohh i see marcie
Maybe I should tbh I haven't used Linux ever in my life
you should
Hey guys how is it going I am working on penetration tester module specifically Public Exploit section and fairly facing difficulties exploiting the system and want to know what exactly the exploit is for this task have tried in the screenshot but nothing seems working can someone please assist with this task thanks I really appreciate your support
thats not the exploit tho
its right in your face
Yes cause I’m confused about the hint it says search for plugin and I don’t see anything exploit only that one for the plugin
you can literally copy and paste the text and find it
This what I found because the server used simple backup but not working
that's a nice laptop
define "not working"
rce isn't going to work because it's a public docker container well to be more specific, a revshell isn't going to work
Thanks now I search for plugin exploits but is a lot I don’t know a lot of help just need if someone did this before need the right exploit I already know the process @lusty thicket @fathom pendant @safe star
awesome
Hi Mods!
it's in this screenshot
Sorry, I'm unable to send a text in HTB: OFF-TOPIC
read and follow instructions in #welcome you'll need an htb account linked to https://app.hackthebox.com
I have used the same exploit but I just got this but what’s next step I cat the file but nothing in particular only showing /root/bin usr/bin and many others @fathom pendant @lusty thicket @unreal lotus
find flag.txt
look at the options and see what you can tinker with
the question tells you where to look
if you have any bit of linux knowledge you should know the file you pulled
I know that section focuses on using MSF for public exploits but I'd recommend actually looking at the vulnerability and trying to attempt it manually as well as understand any PoC you use before using it
Here's what I tried but still getting same /root/bin and other things @fathom pendant @lusty thicket @waxen totem
please stop pinging us all
you're overlooking an option
it's nothing to do with the URI
refresh
make sure you don't have something like burp proxy running
tells me to launch again
that's intercepting the request and waiting for you to forward request
no i use htb viewer
so i dont have those tools installed
? the pwnbox absolutely has those tools installed LOL
Patience is a virtue... that being said: Yes the module targets sometimes take their sweet time in spawning
Thanks guys for making me think deeper I got the flag eventually appreciate your help @waxen totem @fathom pendant @lusty thicket
awesome
thanks @waxen totem
Just wanted to appreciate nothing more not meant to hurt anyone
Hello everyone just starting this journey and could use a little help.
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
What is the first step in the process of a web browsing session? (Format: two questions) this one has me stopped dead in my tracks. what am i not realizing here? Navigation, entering a URL in a browser is the first step. At least i think.
I don't get the format request.
It's referring more to protocol iirc
This might be a stupid question: I'm going through the Windows Event logs module, and the challenge isn't the module but how fkn slow the machine is. Is there a way to get the event logs from the rdp'd machine and browse them locally?
use tcp vpn
tcp tends to be more reliable than the udp one, especially for RDP, a connection oriented protocol
Ahh good to know! Thanks, I'll give it a crack
I have one unanswered question while doing the 'Take Control of the EIP' section of the 'Stack-Based Buffer Overflows on Linux x86' module.
I understood the concept what they have taught there, but I am not quite sure of the process. I mean, my question is, by seeing or judging what factor, I can tell that I have taken control of the EIP register? Is it the address of the EIP and EBP that has to be the same like,
ebp [Same Address] [Same Address]
...
eip [Same Address] [Same Address]
Well, I just want to make myself ensured that, how I have actually taken control over the EIP register?
Guys
this is not hacker fire hire @rustic sage
overwrite eip with a known address
if execution lands where you intended and doesn't crash, then you own the flow
ebp has nothing to do with controlling eip
Thanks and noted. That gave some relief!
anyone around for some help on Attacking Common Services - Medium ? I repeated the same commands in the solution on both personal VM and pwnbox and it still does not find the port
In introduction in windows command line skills assessment I have successfully logged in as user0 and I only see an Alert! banner but it is not the correct answer. What am I doing wrong
how can I start with htb as a beginner?
any youtube vd suggestion?
nvm I restarted the lab 5 times, and on the fifth it worked, but someone should really take a look at this, it is not normal
can someone help me on Skill Assessment of Crackmapexec module in CAPE please?
it keeps showing me error:
ERROR NetBIOSError on target 172.16.15.3: Error while reading from remote
and this one:
ERROR NetBIOSTimeout on target 172.16.15.3: The NETBIOS connection with the remote host timed out
i want to enumerate share on DC, sometime it works, but most time it show me these errors
Hi
Doing the first optional question on passwords attacks PtT on linux
Im trying to use chisel to connect to dc01
But when running wmi-exec impacket cant the find dc01
--smb-timeout 120
it should fix it
thank youuu
hi, any idea why burp won't url encode injection characters like \n
Are these characters supposed to be looked up manually for their URL encoding?
Anyone ever had this issue with Bloodhound where the json files just don't upload at all?
Yes, version mismatch
Try downgrading Bloodhound. It had to do something with it 100%
Interesting, I never had this issue with bloodhound-python but now with SharpHound.exe
or
there's an area in bloodhound settings where you can download the appropriate ingestor for that version of bloodhound
Try legacy SharpHound
Ohh, follow this. Better and targeted advice
"This version of SharpHound is compatible with the 5.0.0 Release of BloodHound"
My Bloodhound version is 4.3.1 so that might be the issue
Exactly
Try bloodhound-python
INFO: Found AD domain: <redacted>
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: Kerberos SessionError: KDC_ERR_PREAUTH_FAILED(Pre-authentication information was invalid)
INFO: Connecting to LDAP server: <redacted>
Currently getting this when using bloodhound-python
Can anyone help with NTLM Relay Attacks Q4? - Compromise DC01 and submit the flag located at 'C:\Users\Administrator\Desktop\flag.txt'
I've got the password from Q3 but can't find where to go using content from the module 😦
in dns module i was trying to get subdomains of a vhost with gobuster this is the command ``` gobuster vhost -u http://94.237.55.238:46777 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt --append-domain -o subs.txt -k ```
Maybe 0 matches?
if he has 0 matches then what wordlist will match
bc it is a vhost subdomain
Brute-force vhosts on the target system. What is the full subdomain that is prefixed with "web"? Answer using the full domain, e.g. "x.inlanefreight.htb"
this wordlist is in DNS
You can dump the whole subdomain list through DNS too eg. zone transfers
axfr method ?
Yes
i will see
Hello again, still stuck with the footprinting medium lab #modules message
Any clue about what's happening?
I am getting this error
it didn't transfer
I tried different passwords I found, run as administrator, but nothing really works
transfer failed
There must be a catch since its DNS enumeration module
Instead of the ip address maybe try with something like http://inlanefreight.htb:port and make sure that it is listed on the /etc/hosts
Good morning everybody hope you’re all having an amazing day just starting digging around for penetration tester pathway anyway does anybody have done the path or currently working on it
what's the difference ??
Try and see if it has the differences
yeah it is but why
we request to an ip that have the web app or page !?
Yea i’m not sure as well, but it’s requesting vhost so we need to put on the host domain i guess, not the host ip
ahhh i see
it's like you search someone with its internet name
on it
I ||reversed|| the labels but I have no good results...
hello all !!
i'm actually on the attacks common service modules , at this question : Find all available DNS records for the "inlanefreight.htb" domain on the target name server and submit the flag found as a DNS record as the answer.
i did everything, but when i want to do dig axfr it doesnt work any advice ?
Have you tried the other methods taught in the module?
which one ? actually i tried everything but not the spoofing
well, there are only a couple other tools mentioned.. i would try each one
i will then .. thank you
well it works .. but i don't really understand why when i did this : dig AXFR @ip **.inlanefreight.htb (work)
but if i do this : dig AXFR @**.inlanefreight.htb inlanefreight.htb (not working)
before i add it into the /etc/hosts
I did end up needing to use the abbreviated service name after all. Weird.
Try CTRL+SHIFT+R, then try spawning it again
and for the host to not answer to nmap and nmap -Pn at all?
I reset both Target and HTB attack box and it worked
Hello everyone, so I am in the Skills assessment for NTLM-relay Q4. I have Q3 and now would need a slight hint for Q4
Do machine account passwords change on the modules? I've gone back to a lab today and the machine hash isn't working anymore
yes when you turn the vm off you have to create the machine account again
No I mean the lab VMs, not one I've made
they shouldn't
I'm sure the backup01$ hash has changed on the NTLM relay lab, we will see anyway
Hello everyone, i need a little help i am on https://academy.hackthebox.com/module/39/section/414 The meterpreter module, i am trying to use the db_nmap command, however, it will not connect when i try to connect it, is this something i need to build even if i am using the attackbox?
have you done Q4 of NTLM-relay skills?
yes you need to build it still; but db_nmap isn't required
Thank you, i just wanted to try it like in the module to see how beneficial it is to use it like that
do you have any quick links on how to build it?
make an edit to the log
it's mentioned in the module how to build the db for msf
i must have missed i will re-read it
i rarely use msfconsole personally
so it's kinda pointless
and the times i do, having a db isn't really helpful
hmmm okay, noted
but if you use msfconsole a lot then nothing wrong with it
well that module basically requires it
As far as I've read the section, it doesn't mention actually writing stuff to the log file
just try
Ah yes that's how you get it to run logrotate on it! Thanks
But I still don't get a shell though...
Hello! I am in the exact same situation. Does anyone have any hint on last DACL1 SA's last question, please?
why do you need a shell?
make sure you're using the right file as well
the one in the user's home is correct
It's what's shown in the lesson but I guess I could go for a simple bash terminal spawn, the thing is if I don't get a reverse shell it means the payload isn't executed and I assume it won't be executed even if it's a bash terminal spawn that I do
why not just copy the file
not everything will be 1::1
also sometimes it can take a minute for the payload to execute
copy the flag.txt you mean?
yes
spoilers my guy, it's why i deleted your initial message
i suggest tinkering with it for a bit and having some level of patience
Yo guys, I’m entering the field of cybersecurity, and I need to buy a laptop, do you guys recommend the MacBook Pro m4 chip?
got it, thanks @fathom pendant , i just needed to start the database i was looking at building .xml files for nmap lol
ok...
you'd need ARM distributions of vms in order to be successful, a cheap thinkpad will generally get you further as most tools are built for AMD_x64 chipsets (which most cpus are)
How about the Microsoft surface laptop? Does that work too?
most vms require a minimum of 40Gb hard drive space and 4-6Gb of RAM; your host needs to have more than those to be able to smoothly run them
this channel is for help with academy modules on https://academy.hackthebox.com
Understood, the last thing I’ll say in this channel about this is I’ve been asking around for quite a while if macOS is good for cybersecurity and I’ve been getting mix opinions abt it, some say macOS is better but other say that windows is more suited
But thank you for your feedback
Guys I have question regarding Inveigh.exe. I cannot seem to be able to enter interactive mode when I press Esc key (it still poisons requests and captures NetNTLMv2 hashes), unless I am inside RDP. Reverse shells and evil-winrm do not work. So I guess it simply needs a GUI like RDP for it to work in interactive mode with Esc key ?
In the module Cracking Passwords with Hashcat on the WPA/WPA2 I get corrupted .cap files. Is there a specific way i have to unzip the zip file or is there something wrong?
Hey there I am trying to get bloodhound-python working on the Attacking Enterprise Network module (I did it once with sharphound without issues but I am trying the other way). Whatever I try I always get an error. I'm using Ligolo for proxy. Has anyone experienced such issue ? Thanks in advance
(note it worked in the AD module)
Bloodhound uses a lot of ldap, did you make sure to update your hosts file for the network?
I have all the entries associated with the dc
What error are you getting?
May I DM it to you to avoid flooding here and spoiling the chall ?
Sure
What is your go to nmap line, one that you run generally on every host, mine is currently nmap -sV -sC but i thought there may be something better
Sent with all the details, thanks in advance 🙏
im stuck on https://academy.hackthebox.com/module/268/section/3067
i dont really get what it wants from me atm, ive tried different methods to get it to read the flag file but i cant find a way to do it succesfully
||ive tried it through api v1 products, but that fails for me, and uploading a photo tells me to contact the site admin||
Can someone explain to me, why I cant copy targets (ip+port) and paste it into the Pwnbox? I have to type it manually. Browser is firefox on windows
Enter the full screen, disable blocker, click on the note icon, that’s your clipboard
I followed the module exactly and I'm stumped
Thanks ❤️
That means you have the wrong creds
i moved on to https://academy.hackthebox.com/module/268/section/3068; the next module, and i also got stuck there, because its asking me to get 'the header' which i have no idea what that means; something to do with csrf which i have no idea how to execute
can someone please help me?
@hexed ferry avoid spoiling modules
yes
only things that matters is the log tho
My bad. Didn't think posting the example was bad...
the module is > t0
therefore info in it can be considered spoilers
I'm working on the Modern Web Exploitation -> WebSocket Analysis in Burp module and I am not really understanding how it wants me to modify the info to grab the flag. The directions aren't super clear.
Understood. I'll redact next time...
@lost nexus stop begging
Can anyone give me a hint as to why this error is happening?
```
$ proxychains netexec smb 172.x.x.x -u <redacted> -p <redacted>
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain ... 127.0.0.1:8081 ... timeout
[proxychains] Strict chain ... 127.0.0.1:8081 ... timeout
```
I double checked the proxychains.conf file and it's all good and even reset the machine several times.
I'm on the Attacking Enterprise Networks module
Hi, Can I get some help with ARP Spoofing & Abnormality Detection module?
I'm basically reading off the packet number at the bottom right after applying the filter but not getting the correct answer.
The filter I'm applying is arp.code == 1 && eth.src == 08:00:27:53:0c:ba
@rich frost my dms aren't open for module help
everything you need to know is on the section page of the module
sorry. ill go through it again
hi, I'm struggling with the session hijacking section on the XSS module in CBBH.
I can get the XSS to fire and make a call to my script.js file, but i cannot seem to get the contents of that script.js to fire and then call to index.php.
I've tried the example in the solution but i can't seem to get it to work sadly.
Pivoting, Tunneling, and Port Forwarding module: RDP and SOCKS Tunneling with SocksOverRDP the host cannot connect to 172.16.5.19 no matter what i tried i cannot ping the server either it seems like its down any help?
Hello everyone, i'm doing the Introduction to Windows Evasion Techniques module. I'm stuck on the Static analysis section.
The question says:
Follow the steps of this section to recreate the shellcode injector (with your own shellcode), compile it, and place the EXE file inside "C:\Alpha\Static". After placing the file, wait up to a minute; if all checks pass, the file "C:\Alpha\Static\flag.txt" will be created, containing the flag.
I have followed the steps and placed the executable in "C:\Alpha\Static". But the flag does not appear. When i checked the log file ("C:\Alpha\Static\log.txt"), it indicated:
[02/20/2025 13:56:30] C:\Alpha\Static\ConsoleApp1.exe - OK - Undetected by Microsoft Defender Antivirus
It checks every minute.
Is it normal that the flag is not created ?
your system -> A -> B -> C
A: target
B: middle host
C: question IP
middle host is provided by the reading
right now im : my system -> target host (with rdp) and trying to connect to middle host but seems down
cannot connect or ping the middle server
hey, im on the Privilege Escalation section of the Get Started module, and I've managed to access the /root/.ssh/id_rsa file. I've copied and pasted it onto a local id_rsa file, did the chmod 600, and then I am trying to do ssh root@host -i id_rsa, but I'm getting a Permission denied. (i am very new to all of this, please bear with me)
you're connecting with v*:p* ?
ping isn't necessarily a reliable thing with windows as an icmp echo request could be getting denied by default firewall rules
tried both ||mstsc.exe /v:172.16.5.19 ||and from the RDP app with the|| ip:172.16.5.19 and username:victor||
@verbal phoenix you're spoiling information about the skill assessment; i suggest just asking for a nudge
change vpn regions, and respawn target
otherwise reach out to support
ok thanks
consider anything you had to discover/find out as a spoiler
did you copy it correctly?
Yeah I think i had some issues with that one. I'll check my notes and let you know.
im pretty sure i did, i've checked a couple of times and it looks like a correct ssh key
did you create/save the rsa file with root/sudo?
@verbal phoenix the php code clearly slaps a date prefix onto your uploaded file
my bad, ok then why it is acting like that ? I've tried all methods
and null byte injection has been dead since last decade
yes, i created the file on my machine
i mean did you create it using sudo, and are trying to use it as a regular user?
it is not about null byte part i have uploaded various types with various char escapes
wait permission denied for the id file or ssh?
how exactly it is formatted ? I cant understand
if you do ls -la id_rsa do you see the owner and group as root root id_rsa
ah, sorry; misunderstood. i didnt create it using sudo, no. i just used vim and pasted the key
for ssh
@lusty thicket @verbal phoenix i suggest taking to dms
i havent done that module
i've done the chmod 600 id_rsa too, so I don't know what I could be doing wrong
👍
this section is public_ip:port yeah?
did you forget to specify port?
you can use python http server to make sure its the right one
date("ymd")
do i have to specify port if using ssh -i? im currently doing ssh root@host -i id_rsa, as indicated in the module
yes
-i doesn't do anything beyond tell ssh you're supplying an identity file
it still defaults to port 22
you still have to do as you did for the first question
how did you do the first part?
i did use -p for the first section, i didnt think i'd have to do it for the second section since the module didn't mention it
i'll try that
its the same server so the port wouldn't change
Actually I didn't have any problems with that one. You can DM if you'd like.
for anyone facing the same problem as me changing VPN region and respawning solved the problem so i was the server's issue
thanks @fathom pendant
it*
guys a little help here
public servers are spun up using a container service like docker
so the default ports are heavily locked down
for some reason htb academy is not logging me into my academy account saying they dont have my account on records this is an account i have used over a year and even just yesterday?
Need to speak to a person? Learn how to reach our support via HTB Labs.
reach out to support
HTB migrated over to a unified SSO solution; make sure you click the "sign in with htb account" button
doing it with -p worked, thank you!
i did like i am saying i used my account still fighting my SAML lab yesterday
then reach out to support to get help with your account
nothing we can do here on discord
Hi,
Does anybody have any idea why this may not be working?
my php server is showing that the 'blind xss' is downloading my javascript file which has the payload within it, but the payload doesnt appear to fire. I've followed the solution step by step but can't seem to get it to run what's in my js file.
does your script work when you open it in a browser?
if i run it in dev console it triggers a call to my php server, yes.
yes, it triggers you already said this
forward script output to the same server where your script located
both on the same server
the first script.js and then the index.php call is going to the same ip, which is my pwnbox ip, the .js works but the contents of the js doesn't, but if i put the contents of the js into dev console it runs,
its also word for word what the solution says to do, so i'm quite confused
when pasting script to js file have you removed semicolon(;) at the end ?
no its in there, is it supposed to be removed?
I was also stuck at this module for a day because this semicolon
yes
oh! let me test
sadly still not firing,
I've removed everything after index.php just to see if the payload fires at all, and i can't seem to get it to run
hm, what about port of your php server ? it is 80 ?
8888, everywhere
in your payload: are you specifying port
and you're including it in the script ?
^
that's because your account isn't linked also; spoilers
it seems like barrier is willing to help if y'all could take it to dms to troubleshoot the issues that'd be grand
sure ty, barrier are you happy to help?
why not of course
Hi, on the live engagement of the Shells & Payloads, when attacking the first host, are we meant to discover the credentials by ourselves or not? I've been trying for an hour and I can't find them so I'm starting to think we were meant to just use the hint
Desktop
Its a foothold, so enumerate your foothold a bit.
kinda like a second attack box
Hi there, I'm breaking my head here on the Networking Fundementals...
The question is: What type of network cable is used to transmit data over long distances with minimal signal loss?
I know it must be Fiber or Fiber Optic Cable or in any way you would write it, but it's not taking it...
Am I too focused on Fiber?
You're so close
I believe this one is hyphenated
Bit of a PITA
try different phrasing maybe
I feel like I've tried every type of way of typing it, hyphenating it...:(
Drop the word "cable"
I just got it the second before you send me that... now I feel stupid 🤣
I think the wording threw me off compared to the last answers I had to give which had you do multiple words, like the whole way of saying it
Thank you guys for the help 🙂
Minor inconsistencies in the module expected answers
I've got to say, it's a great module! This is basically the basics of my day job in support, it gives great understanding about networking 😄
The important thing is you knew what it was talking about
just to keep you updated, Barrier confirmed everything was correct and tested it themselves, it worked, didn't work for me however. I ended up skipping it and taking the cookie from the solution page. Might be something weird with pwnbox or similar, i tried restarting them but it didn't fix it.
Ty to @verbal phoenix for their help.
Change vpn regions?
I didn't change the pwnbox region, no. I kept it to UK the whole time but did several restarts
It didn't occur to me to test a different region, just terminated/restarted pwnbox
confirming that
hi there, i'm working on Network Enumeration with Nmap "saving the results" the nmap scan says its going to take 4 hours. ||sudo nmap 10.129.12.71 -p- -oA target|| in order for me to get the xml file. i downloaded a new vpn file and reverted the target. sudo is needed the for this command, is there something wrong i can do to fix this?
Why don’t you just scan the most common ports
-F
-p- means scan the whole 60k ports
-T5 --min-rate 9000
alrighty, that works.
I mean the point of that section is just to save results you can just scan the most common ports: -p22,21,80
FTP , SSH , HTTP
ok, but when i did it with -F and used ||xsltproc target.xml -o target.html || i got these errors: Warning: program compiled against libxml 212 using older 209 and when i opened the html file it was blank.
nevermind, it works now. thanks!
unfortunately, it does appear it was looking for a higher port which i didn't get with that scan ||31337||
this worked!
Forgive me if this is a question often asked or if the answer is already obvious to most, but does HTB ever plan to add a feature to reset the modules? Redoing modules from scratch, especially ones that have been updated since you completed them previously, would be great.
idk
sup sup in the pivot module, in the chisel chapter when u try to start chisel on pivot host is it normal that glib version is too old?
```
ubuntu@WEB01:~$ ./chisel server -v -p 1234 --socks5
./chisel: /lib/x86_64-linux-gnu/libc.so.6: version GLIBC_2.34' not found (required by ./chisel)
./chisel: /lib/x86_64-linux-gnu/libc.so.6: version GLIBC_2.32' not found (required by ./chisel)
```
Ctrl-f: "static compile" in this channel
is there a reason HTB wouldn't recognize a correct answer? I've tried typing it out, using the abbreviation, and both together. I've refreshed the page as well as logging out and back in. still getting incorrect answer. example: What type of architecture allows nodes to act as both client and server? "Peer-to-Peer" tells me incorrect answer.
lolllllllll
it helps if you say the module and section
lowercase the second peer
tried that too.
tried that too. ill have to give it another go tomorrow thank you
sup guys! can anyone help me for the password attacks: passwd/shadow/opasswd
cant crack the hash been stuck for almost 2 hours now hahaha
best to say which module/section you're on
if you've been cracking something for 30+ mins, you're probably doing something wrong. make sure you're using the resources in the resources section of the module or any specific lists it tells you like rockyou, etc
module 137 section 1319
yepp im using the resources of the section
idk what names of the module/section those numbers correlate to
ohh sorry wait
im on the Password Attacks module of Pentester Job Path.
Passwd, Shadow & Opasswd section
are you using the mutated list?
the mutated list for kira right?
the mutated password list
earlier in the module it had you mutate the password list from the resources
yess i mutated it to bruteforce kira's ssh
when i use the mutated list, i get 2 passwords, none of em are correct tho..
make sure your hash is formatted correctly, you can find examples here https://hashcat.net/wiki/doku.php?id=example_hashes, or using the hashcat command itself it can also show examples although i forget the parameters off the top of my head so you'd have to man hashcat. if you're using the mutated list you should get it.
yeahh im getting 2 passwords everytime i hashcat the unshadowed, but none of the two are working..
sent you a DM
Hi, I have a question, is it normal that in: https://academy.hackthebox.com/module/23/section/1494
When I fuzz for parameters everything responds 200, according to me I can't
yes it is normal, you cut off your command so i can't see if you're filtering by size, but you also need to make sure you're filtering by size so you basically filter out all the responses with the same size and only see the responses with different sizes
autocalibration is also super strong if you're lazy 
had no idea that was a thing
Hello, has anyone encountered this behaviour?
I mounted my shared folder on the target machine while RDP-ing, upon copying some files over from the Target to my Attack Machine, I immediately got kicked out / dc-ed from the Target and am unable to RDP back in.
I tried Terminating and respawning the machine but it is like perpetually loading
Nvm... It spawned right as I asked this question
use the tcp vpn i also believe xfreerdp has an autoreconnect option
alright, thank you!
Tried exactly that and it didn't work. Attempted Enter-PSSession DC01 and got "Access Denied" after RDPing with Leon's hash.
Maybe I am an idiot, but what is the problem with this regex?
grep "^Permit" /etc/ssh/ssh_config
If I do the above without the ^, it finds a result. The above line however, returns nothing
Ahh wait, I think I get it, nevermind
Not sure what else there is here. Anyone else have any ideas?
looks like you don't have permissions to do that
Then why am I asked to in the module?
it doesn't say use enter-pssession it just says connect
It's literally the WinRM section of the Lateral Movement module. If not WinRM, then why is it even there?
you never said which module and section
i haven't done the windows lateral movement so i can't help with it
your error is pretty clear though, it says permission denied so it's a perm issue with your user and winrm
Yeah, with the very user the question is asking about, which is why I'm asking what the problem is.
Tried using Evil-WinRM with the hash directly; it doesn't deny access but it does time out.
Can we not paste module-specific info like that for modules over Tier 0 please?
As for the issue, I've not done this module, but some Googling does reveal some options based upon the error message
If one tool is working, and another is not, there's gotta be something different they are doing, right?
End of module questions sometimes require you to not only use what you have learned, but go a bit further using a bit of research. The answer is not always spelled out in the preceding content, although most of the time all or the majority of what you need is.
Problem solved now. Just needed to look back a couple of times
the "Documentation & Reporting" skills assessment teaches ONLY 1 thing: if your colleague at work leaves in the middle of an engagement, don't rely on their documented work so far. Start from SCRATCH. horrible skills assessment, full of rabbit holes
man, rdp activities in the password attacks are kinda making me frustrated HAHAH disconnects me then doesnt let me reconnect anymore
@agile imp please stop cross posting the same message across multiple channels
Ultimately the module contents should have the information you require, and given the tier of the module you should not be posting such detailed messages.
If you've spoken to someone "in the know", they can surely give you a nudge
..but rest assured, the information you need is within the module and sections preceding this question. You may not be given the exact answer through the sections, and you may need to do some reading or thinking regarding the techniques.
Okay thank you! @ocean night
Posting the same message repeatedly across various channels will not help though
Then dear, you should not delete my msg on both side and i understand what you are saying.
Then dear, perhaps do not keep repeating them
If nobody has answered, perhaps nobody is able to assist
I'd advise going back and re-reading the module and sections, see if there's something you have missed
Take notes
Hey, in the network foundations module i dont understand what im supposed to enter there i tried so many things, may someone help me ?
what is the first step in the process of a web browsing session?
what does your browser do?
it still says its incorrect
ur browser be translating the name resolution
are you fr right now bro 😭🙏
oopss alert
u joking yeah ?
my english is not really good to be honest
@undone mesa your browser might be doing this
i'm not really sure though
Oh fair okay
Sorted -- silly me -- got the flag.
the answer is in the reading
yes i found it i just misunderstood the question ty
it also helps to give the section name for others to help you
Hello, I'm still struggling on the Linux Privilege Escalation > Logrotate section.
I upload the logrotten.c file to the target, compile it then run it against log files that I have found in my user's home directory with two different payloads: one that's supposed to copy the root flag to my directory and the other that's supposed to send me a reverse shell but none work (I modify the log file to trigger logrotate). I haven't found the /etc/logrotate.conf file so logrotate could be using the "create" function as well as the "compress", so to make sure I ran logrotten with both options for both payloads but still nothing. I would appreciate some guidance on what to try next.
Hey, i'm right now in the Attacking Common Services - Easy and i'm not sure if i'm even in the right direction
I've found the user with the help of ||smtp-user-enum||
Right now I'm trying to gain the password
I tried bruteforcing the password with ||basic auth in the HTTPS service|| but doesn't seem to work finding the correct password.
Same with ||RDP||
hey i am stuck at this question in penetration testing process post exploitation section 2d question
@surreal chasm spoiler tags do nothing can you please redact username?
is that better?
👍 anyone can click spoiler tags, while they are decent for short-term messages you plan to delete, long term messages that may be helpful for others in the future would be spoiling or even just allowing people to copy your answers without doing the work
consider everything you find (especially in a skill assessment) as spoiler, and asking for help redacting usernames and passwords with first initial/letter and *
i.e.
f*
j*
j*:p*
sure, noted
anyway, try without the @domain
consider the protocol in use and why it may be formatted that way
yeah i understand that, i think i might need to brute force the other service i didnt try, i just was a little lazy because it doesnt allow multiple connections so it might take longer to get the password
How can I know when should I use the @domain on some services? like in the bruteforce in the ||HTTPS|| service
also i don't believe you need to bruteforce that service
I mean, it does have an auth mechanism, so i guess it all should be connected
not all auth mechanisms are built the same
you're right
if it's a corporate service
well rn i'm trying any lead i might have
yeah i thought about that but its not like 100%, but thank!
I've tried bruteforcing each service, with the pws.list but doesn't seem to find any
And i've tried search for CVEs but nothing can help me RN
I'm not sure if my direction is not right and what in my thought process is wrong
@heady pagoda stop asking for help with your hacking game issue
rule 9 mate
Dude.. just move on. She not worth it
What module should i do if i want to do a man in the middle attack
do i still get cubes after completing pathway or modules with a student account
Yes
hey, can someone help?
I'm stuck on Tier 2 command injection module Skill assessment
https://academy.hackthebox.com/module/109/section/1042
I couldn't find the RCE on my own and after googling the tinyfilemanager 2.4.6 CVE I found a RCE cve but that requires file upload which I currently do not have with guest:guest
You don’t need a public CVE, just enumerate all the functions of the application, try some basic payloads, and look for weird responses. You’ll see it when you find it. After that, try different methods of filter evasion techniques taught in the module.
I tried all of the features with RCE none of them matched
the closest I got was something "when moving file from directory to another" and it seems like i'm searching for SSRF more than RCE right now
@honest crane can you direct me on which feature i must look into?
Moving feature is vulnerable, re read the module if you are stuck.
First, try to execute a simple command, and you will see that something is preventing it. Then, try to bypass that using all the techniques that were taught in the module until you get some indication of success. Then, check the front page of the application to see what was moved into what.
I finally got it. thanks
for real i was searching for a way to send the file without RCE ")
Guys who had a problem when logging into account from usb running kali linux telling you that you are a bot and not allowing to log in? How did you solve this problem?
Sorry if writing in not appropriate place
Tried on DE today, worked fine. Same with the assessment.
Tried on UK today, failed. So I think there's an issue with the UK pwnbox region with this module
Need some help? Learn how to reach the support team on Academy.
@flint palm
has anyone managed to get the foothold on the Linux Priv Esc skills assessment without the provided creds ? I think I found the exploit, but not sure what to use it with
nvm, I think I figured it out
not sure if this was pointed out, i think the parts where it uses crackmapexec might need to be changed to netexec or psmapexec, i know it's all the same concept but it's good at least to put as note since crackmapexec is not maintained https://github.com/byt3bl33d3r/CrackMapExec
I'm looking for some help regarding the Academy module Injection Attacks, skill assessment. I've identified the first vuln and am now trying to construct the injection payload.
My issue is, I'm not sure how to identify a successful injection. If someone has completed it recently, I could run through what I've tried more specifically.
Can anyone advise why I get this error when trying to use Mimikatz?
ERROR kuhl_m_privilege_simple ; RtlAdjustPrivilege (20) c0000061
I'm an Administrator so not sure what the issue is.
did you run powershell/cmd as admin?
Have you run privilege::debug?
Also this
Yes. and strangely running cmd as admin is not taking my PW... I guess that's the issue...
Hlo
I spent 40 minutes typing bash as the specified shell type on a module just to realize all it wanted me to do was /bin/bash
I think I might be a little stupid
So much time wasted
hey guys how are you ?
I'm curious why I can't spawn an admin CMD using my creds even though I've added my user to the local admin group... Any ideas?
Log out and log back in
i'm new in HTB , and i don't know which module i should start with
if you have any advices
If you're lacking fundamentals the information Security Foundations path is a good start
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
Thanks @fathom pendant ... Think I need a break lol
Closing rdp != logging out
IMO really depends on what you want to do. Like marcielee said, if you're totally new you need to learn the fundamentals first. After that, really just go down a path related to the cert you want or whatever interests you like blue/red teaming.
okey sorry
Your question was relevant, just used to people going "hi" then asking a completely off-topic question
I can ask here in this room ?
This channel is about modules on the Academy platform, so yeah, asking which module you think you should start with seems fine as a topic here because it's related to the modules.
Okey thank you @fathom pendant
You can DM me if you’re still stuck on it
Hi! I am trying to do the AD Administration module but can't manage to spawn the machine. Does someone else have the same problem?
Try pressing CTRL+SHIFT+R on the page and then respawning. It can take up to ~5 mins for the environment to fully spawn. If that doesn't work, try changing VPN regions (ie. US -> EU or EU -> US) and try again.
I could try smtp-user-enum on port 110 but I am unsure at this point if that's even remotely realistic
I need to get the username for a user on the server to be able to crack the password
can someone help me out here?
Careful not to reveal contents of the modules above t0, especially skill assessments please
Sorry
I didn’t mean to I was frustrated and hyperfocused on determining if I’m even on the right track
So does the fact that I accidentally spoiled something mean I got the right protocol?
Yes
Also how do you know exactly when running netstat which target environment you should be looking at? My host IP doesn't match with what I'm assuming is the target network range.
Thats the pwnbox, not the target
Right, my pwnbox is 10.10.15.136, so I just assumed target would be on the same subnet.
The target is a public ip and port, also it helps others help you if you give the module and section name
Thats not always going to be the case, this is noted in the intro to academy module
where do you find the recommended machines related to each module? i was told to complete the recommended machines after each module of the CPTS path
Sorry. I will do that in the future. This is literally my first interaction.
I wouldn't really recommend that tbh as the machines may only have a tangential relationship to the module you completed
how do i see them
Open module > last page > finish
oh congrats on moderator !
Should bring you to the completion page for the module
perfect thanks - hadnt completed any modules of it yet so i didnt see them
Or search the module name, click, and it'll bring you to it
There's also academyxlabs which lets you search module name
And shows all "related" content
I'm on Basic Tools, Optional Exercise. Pretty much the first one I can do under CPTS. Playing with TMUX. The objective is to grab the banner which I know is just a nc command. NMAP scan of the 10.129.0.0 network said 1 was up but didn't yield any open ports. Perhaps I have the wrong nmap input.
But if you search "footprinting" and check, you'll see why I don't recommend
Why are you trying to nmap the 10.129 subnet, you're given an ip:port
ill look
also, would you recommend i focus on all the little details in these modules? someone mentioned that the important stuff gets reintroduced throughout the duration of the path, and suggested i dont spend so much time on the super specific things
Well, the IP and port given is public. When I entered the banner for that the flag said it was wrong. I assumed that's because I needed the banner for a private IP instead. So I started running NMAP.
just wondering how i should be attacking these modules
Your scope of the question is the given target and port
You're not gonna need to dig for any "hidden" things on the outside
Basic tools, Getting Started?
Pentesting Basics/Basic Tools.
Optional exercise at the bottom.
Getting Started
Thats the module name
I'm sorry 😦
The answer starts with SSH
Is there a way I can look for this in the future that will be of more help? Again sorry!
Top of the page above the section name
Oh jesus. Sorrrrry.
I think I have the answer but I'm just missing something. I submit the flag but says its incorrect. I'll move on. I appreciate the help tho.
There's the "reveal answer" button for you to compare
Yeah I did send you a PM on it. I had the banner but the OS didn't match so it was incorrect as a flag. Not sure what I did wrong there, seems like a simple banner grab. I used the target machine with the public IP and port 22. 
When you spawn a target and it includes the port, only focus on that port. You don't need to scan the whole box.
You connected to the default port. Not the given port
believe it or not, straight to jail
i am here
i am on linux fundamentals module section containerization and am stuck on this docker command
idk what im supposed to do here from where it says install docker-engine
and dockerfile, can anyone maybe help-
Module: Network Enumeration with Nmap
Section: Firewall and IDS/IPS Evasion - Hard Lab
Question: Need a nudge on this lab... was able to get versions for every other service but the one they want question
NVM got it...
for those who need help, here's your nudge: 🦸 , 🛜 🐱
Click on the left Setup -> Install and choose your OS for an installation guide
https://docs.docker.com/desktop/
Here's Docker Hub, where you can get images for docker containers:
https://hub.docker.com/
i guess where it says to install engine i have to create and run the script?
Docker Engine is built into docker desktop, yep you run the script
is that the same with this part then
man theres so much that this thing just does not tell or teach you
It's designed not to dive deep into that topic since the guides available are already very good
Just follow the guide mate, stop posting it here XD
How so? It goes step-by-step
yeah if your talking about the like full walkthrough thats only if you pay for the entire year im doing month to month
I meant the one on docker's website
ah
Like I said: that section isn't meant to go in depth since it's a really deep topic and there's already good documentation which is linked in the section
im not, thatll be me i make notes and my own terms of definitions and all while im doing the module
they had to of highlighted in green what you need to know kinda deal and all
don't worry about the time. take as much time as you need to really understand the material, that's the key is understanding it.
that's good, writing down your own notes will help solidify things into memory
and i am like brand new
is there no vc's or am i just blind?
infosec foundations?
yep
one... month..? 😔
To access most channels, you'll have to verify #welcome for instructions
there are a few, you probably need to verify your account by following the instructions in #welcome to see them
How many days you done it so far? keep in mind I was only allocating a few hours to it per day cos I got other stuff
im on my eighth day
~4-5hr/day
speeding through it then!
I usually do like 1~2 hours, half of which is spent reviewing previous topics
you started the pen test path recently too, right?
yep
hows that been? hows the progress:hours look like for you
┌─[us-academy-6]─[10.10.15.158]─[htb-ac-1748002@htb-cshyyartu2]─[~]
└──╼ [★]$ sudo systemctl start apache2
┌─[us-academy-6]─[10.10.15.158]─[htb-ac-1748002@htb-cshyyartu2]
I've been slowing down since a new uni semester started so I've been doing about an hour per day, done 3 modules since the start of feb
that means it started correctly im assuming no news is good news typical
thats not bad at all -- whats that, 20% so far? great progress for an hr a day
10% 
correct -- sudo systemctl status apache2 to verify
ah thats what i was looking for haha i kept trying to verbose it
😭 😭 gonna take you a whole year bro
🤝
Nahh I'mma speed it up
i spent 14 years fixing cars and all so nbd
shittt not w midterms coming round
Hehe~ heh, HEH
ping the engine to see if the cars online
yea i keep getting distracted here
mutual lock in
ty both
👋
Hey guys, Working on Intro to Assembly and wanted to see if someone has a solid understanding of mov and lea.
If so, then I was additionally wondering how to appropriately word what's happening with:
Code: Assembly
global _start

section .text
_start:
    lea rax, [rsp+10]
    mov rax, [rsp+10]
Thanks in advance! I see what's happening in gdb, just not sure how to best explain it 🙂
not too good at asm but as I understand it:
lea - get address at rsp+10, put into rax
mov - get value at address rsp+10, put into rax
it's almost like the difference between a pointer and a variable
lea only does address computation, never memory access
mov is context sensitive, this means it loads either a value or an address, depending on whether there's a dereference
they also do the same thing when used with static labels
yo it says login as kira
and get the id_rsa
and crack it
but john aint even cracking nothing
convert the key for john
use the tool ssh2john
i did loll
i did all that
use the cracked password for kira and log in to the host
a bit ehhhh
in my view its like two separate things
get that girls password
ssh2john id_rsa to a hash file?
i swear you already said this
like three times now
try with hashcat
Fantastic, thank you! Finally can add this to my notes. I'll reference accordingly.
And Thank you @waxen totem
bruh i told u hashcat is for the hash not for the key
the process of conversion the issue
awesome
do you get an error?
common sense says the password must be something related to the password we got now
but still
its just i dont get the hash thats it
run again and this time redirect stdout to another file
okay let me try again must be some silly issue
loll got it !!!
u know there was a dash missing at the end of the id_rsa key
what u want me to do use python3 server to send it
i cant be fucked doing all that
awesome
both modules done now upto easy medium and hard test labs
want a cookie? 😭🙏
yeah i want some kuss
finish the really hard labs first
have u ever thought about u never solved a insane box before ?
yeah sure
Hi guys, any tips on resolving an issue on flags? Im working on the sqlmap essentials assessment, and i found the flag, but for some reason it wont accept it.
see pinned message: #modules message
i did all those things, i also tried to find if there are any flags, but so far this is the only one. 😭
i tried to type manually, still wont accept it.
Have you tried swapping to another VPN region and grab a new flag?
hmm,let me try it on the HTB machine..
sometimes sqlmap may retrieve data in an encoding different from the expected one, or the db may be performing automatic type casting.. you might need to tweak your command syntax to account for that kind of stuff
okay, so the difference from the flag that i got from my machine and the HTB machine is just a 1 f'n letter! whhat!?
i run the same commands, btw
🤲
That can happen if you use sqlmap with a time based attack and then your connection to the vpn is a bit spotty. Sqlmap tries to extract data via Timing (if the first char is a “a” take 2 seconds to respond, otherwise respond immediately), and if your connection is bad for a bit the normal response time is the same as the “you found the right char” response. Sqlmap can’t tell the difference when using time based, so it ends up being wrong for a single char
Ideally you try to find non-timing based errors first
hey guys ,i am the new one
Hey I am a new one here
did you manage to fix this, because I get the same error.
Error: rpc error: code = Unknown desc = exit status 1 - Please make sure Metasploit framework >= v6.2 is installed and msfvenom/msfconsole are in your PATH
In sliver I cannot use the generate function. And yes, although its just a wrapper around msfvenom, I would love to fix this. Anyone know where in the settings I could force sliver to use msfvenom to use the correct path
do you have metasploit installed?
check with msfconsole --version
Hello everyone, anyone know how to fix this error?
When trying to execute: generate stager --lhost 10.10.14.62 --lport 4443 --format csharp --save staged.txt
[!] Error: rpc error: code = Unknown desc = exit status 1 - Please make sure Metasploit framework >= v6.2 is installed and msfvenom/msfconsole are in your PATH
In sliver
I know its just a wrapper but I still want it work
yes of course. Everything is installed but it doesn't work. Have tried playing with the path to fix it but nothing. Can you execute it with no problems?
run in debug mode
OOOOOOOOOOOOH I FIXED IT
Or rather... I bypassed it. What the issue there is, I still have no idea. All I can say is, to use the releases binaries instead of the script to install sliver
wow, okay. So the issue is the following. When I first tried accessing the armory yesterday I would constantly get a segmentation fault. Turns out that was just a rate limit issue from GitHub but when turning on a vpn, I was able to download all of the assets (not ideal but good enough). It took me a minute to find this out though. Initially I thought it had to do with installing via the script vs downloading the binary from the releases. The thing is that in the end it started working with the installed version via the script so I just left it at that. BUT now. it turns out the generate stager command DOES NOT work with the sliver server that's installed via the script but ONLY with the releases version.
Now my next question would be. How do I get rid of everything the install script did and only stick to the releases binary.. have some reversing to do
but at least for now, I fixed the main issue I had.
It is pretty common that using pre-built binaries is more reliable than building from scratch
Indeed, that much I have now learnt
Did you end up solving this?
I ended up guessing the name, its the powerfull standard user you have in mssql
sweet thanks got it. Now I wonder where we were supposed to retrieve this
Doesn’t --current-user work?
in sliver?
No
The question is to find out what the user of the deployed db is by "further assessing the website"
we are talking about sliver
we are not in mssql
I used sqlmap tho
on the website?
That wasn’t the right way?
Yes
I tried with manual sql injection and did not manage to get sa as result to any of my queries
ooooh, right, yea there is clearly an sqli I just confirmed
I completely skipped manually trying to exploit the db. Okay this definitely sets the tone for how this module is going to be. Thanks for the help guys
confirmed!
Hello Everyone!
I am studying this Path : Penetration Testing Path >> this module Pivoting, Tunneling, and Port Forwarding >> this page : Dynamic Port Forwarding with SSH and SOCKS Tunneling
https://academy.hackthebox.com/module/158/section/1426
Question 2 : Apply the concepts taught in this section to pivot to the internal network and use RDP (credentials: victor:pass@123) to take control of the Windows target on 172.16.5.19. Submit the contents of Flag.txt located on the Desktop.
I am doing that : by confirming that first in our Pwnbox/PMVPN, the proxychains.conf file has the SOCKS4 127.0.0.1 9050 entry:
┌─[eu-academy-6]─[10.10.15.15]─[htb-ac-745983@htb-ejferdh1dn]─[~]
└──╼ [★]$ tail -4 /etc/proxychains.conf
meanwile
defaults set to "tor"
socks4 127.0.0.1 9050
Which it is
But then when I send this command :
proxychains xfreerdp /v:172.16.5.19 /u:victor /p:pass@123
Here what I got :
└──╼ [★]$ proxychains xfreerdp /v:172.16.5.19 /u:victor /p:pass@123
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] Strict chain ... 127.0.0.1:9050 ... timeout
[05:52:06:684] [57030:57032] [ERROR][com.freerdp.core] - freerdp_tcp_connect:freerdp_set_last_error_ex ERRCONNECT_CONNECT_FAILED [0x00020006]
[05:52:06:684] [57030:57032] [ERROR][com.freerdp.core] - failed to connect to 172.16.5.19
┌─[eu-academy-6]─[10.10.15.15]─[htb-ac-745983@htb-ejferdh1dn]─[~]
Any Idea Why I am getting this error ?
or like why it is not finding my proxychains !
it says nothing is listening on port 9050, did you set up the ssh connection to forward the connection?
Sry for not replying
I don't want to
A question regarding this
it is somehow hard to follow
when I did this : ssh -D 9050 ubuntu@10.129.145.59
it is the same as this : ssh ubuntu@10.129.145.59 (this we connect usual , using port 22)
but in the first one we used the port 22 to connect to 9050 and then connect ubuntu ? is that explanation correct ?
usually TOR is used for 9050 and 9080 should be used for socks
Nope
it can use any port specified
yes
@lusty thicket thanks
It was a set up Sherlock Holmes
Im saying I cant find anywhere that it means that
That’s what I’m saying it was a set up goofy
Cmon bro u got all them certs u still don’t know what set up means
Skill issue lollll
How is it a set up though
i would say it is just trolling
You’re just lying about something and I ask a question, great set up fam
It’s a set up like I was tryina see if he fall for it
Amazing set up
Some light
Well done
I might be trolling but u look like a troll 🧌
No disrespect
im noob at burpsuite but i cant really get it to be able to modify the response if i use match and replace i can change the javascript
no disrespect is crazy 😭🙏
always work to say no disrespect but...
English ?
Im stuck with htb pen testing job role path and wanna ask something from 2nd module can i ask it here?
So im at last of 2nd module of htb pentesting job role path at knowledge check and task is to gain foothold, i gained access to admin portal and in there i found plugins, there was option to share anonymous data but it was not editable so by further research i found components.php in which i added payload and saved it but still there’s nothing to listen up through nc
Guide me that my approach is right or not or where am i missing things out?
Hi is anyone else having difficulty spawning targets from HTB modules right now? I'm unable to spawn target machine in skill assessment section of Linux Privilege Escalation module.
I think it’s happening to every module because im also facing the same issue in getting started module
@feral nimbus @winged knoll if you are using the EU VPN, it's undergoing maintenance and you should switch to another VPN
hi all, someone have spwning target problems ?
@sage oyster if you are using the EU VPN, it's undergoing maintenance and you should switch to another VPN
feel like we're going to see a lot of questions about this so gotta get the clipboard ready
it's not that I can't connect, it just doesn't create the target from the academy
can it depend on the vpn?
the target depends on the VPN you use
try switching to the US VPN if you are using EU
ok thank you very much for your help
Hello there. How do I start my hacking journey? Where do I start learning ? Any idea anyone?
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
Hi Guys if someone knows how to deal with the situation when you are told you are a bot during login?
Hey, can someone help me decide whether to choose penetration testing or cloud security?
if you have adblock and/or browser guard enabled, disable them and try again
I am using Mozilla in Kali on usb
Hi !
Am I the only one having issues with the PwnBox & Target machines ?
I understand that only the VPN is in maintenance this weekend.
I have the following error. I am not sure I am in the right channel though 😉
Thanks !
have you tried using a different VPN server?
@zealous sable please don't spam your question
I'm not using the VPN, I just want to use the in-browser PwnBox + the "Spawn The Target Machine" button
I still tried to change my region to US (currently i'm in Europe), but nothing changed
hm
I can see this from the choices list
Need some help? Learn how to reach the support team on Academy.
Got in touch with support but they told me to use private browser what is the private browser and how to use it on kali
or switch network
Oh it works. I didn't realize that changing the servers would also effect the targets spawning. Thanks a lot for the help!
it's the same as incognito mode
how to turn on incognito mode?
Do you recommend using VPN With TOR or using bridges?
try googling your question
Yeah I have heard various opinions but I wanted to know yours that's all
i recommend no VPN but that's a question for a different channel -> #general might entertain that question
Sure. I'll try asking there too
Found and it worked in incognito mode by the way
How can I create a ticket if the AI bot times out and doesn't answer ?
the link i sent you should also have an email PoC
How to check my rank and what is this ranking system on this server?
And yes how to type in #general I cannot type in it. Do I have to verify anything?
Hey, just checking something before I sub. If I sub to Platinum on a monthly basis, do I get access to all of the exercises for https://academy.hackthebox.com/path/preview/crest-cct-inf-preparation or do I need to pay for the cubes on top?
Monthly subscriptions give you a number of cubes. You can then use these to unlock any modules you like.
Annual subscriptions give you direct access to the modules (silver = up to Tier II, gold = up to Tier III)
can a student account access retired boxes?
No, a student subscription is only available for the Academy.
but the pentester modules makes reference to practicing 3 retired machines and 5 active ones
This is additional training that is not required to pass the exam,
ah ok, but recommended?
Additional knowledge never hurts
so what's the absolute baseline, like mandatory training
Just the path
i am stuck on this, so if anyone can help?
Anyone else unable to spawn the pwnbox?
Am I the only one who gets an error when starting pwnbox?
Any hint for NoSQL SA 2 ?
Take a close look at the messages that the web app returns.
did you read the hint/what was told to that person?
@coarse marlin @spiral sapphire EU? if so the EU/UK servers are down for maintenance
try use other VPN servers
Yes but I don't find anything
I tried US, DE
then reach out to support, be patient
US not launching either
also make sure your vpn isn't on EU
Thank you! This worked
Bro, change the VPN from your academy account settings! Worked for me
or slightly above the "connect to pwnbox" settings
thanks, worked
It's not there, only on the academy account settings
connect via vpn
or something like that
(only if vpn is required for that section)
if it's a public_ip:port then yes, settings
thank you
i am very new to cybersecurity and i am having a tough time figuring out the flag for this module https://academy.hackthebox.com/module/35/section/227 i have spent about an hour looking through what i can but i can't figure anything out. there don't seem to be any console errors or network connections that hint towards where the cities could be stored. again this might be obvious to the seasoned users out there but as a new learner this is really confusing for me at the moment
the module teaches you how to discover API endpoints and figure it out; also it gives you directly the api.php/city
apologies, but this is all new to me. i had a feeling asking for help on such a low level question would be stupid lmao
http://ip:port/api.php/city is given by the examples
thank you, much appreciated
literally reading the section explains exactly what to do/how to do it
alright, my bad
asking questions is fine, but make sure you read the content before being like "i'm lost"
ey guys good afternoon i'm still stuck in the module AI
someone has completed this?
you've taken this approach of not actually asking a question for a week now
i'm stuck at window privilege modules..
the question is "what non-default privilege does the htb-user have"..
anyone can help me
Try and open an elevated terminal and then check privs
Hi, I can't start pwnbox at MacOS fundamentals module. I am in EU, so I am guessing that's the problem, the maintenance?
there is no vpn for VM like in other sections?
The MacOS fundamentals requires a MacOSX device
is there like, virtual machine for it, where I can practice? I am on windows OS...
No
The cost and overhead (and legality) of emulating a MacOSX device is too damn high
Hi guys, on the file upload attacks skills assessment. I've uploaded my image in the submission form, however I'm a little confused on how to access this image directly on the site
In the previous sections they always told us that the image could be found at "upload_images" in the examples and never really gave us an opportunity to find the images by ourselves.
here is my link
Remember how you leaked info on the type-filters section
I remember the thing I was struggling with on that was the extension part 😅 rn I'm trying to find where the image is being stored
It acts in a similar way with "updating" the image. A similar payload can work here
I haven't gotten to the payload part just yet 😅 I'm just trying to upload a cat image in jpeg and see where it's stored so when I do upload my payload, I know where to go
Start simple and go through the checks individually
any tips on what I should be doing for the checks?
Go through each filter check
Walk back through the steps of checking extensions, content-type, etc
Read and follow #welcome
Hello everyone, i want to make some activities but i can spawn target or pwndoc, do you have some issues on the platform too?
EU region has some maintenance rn, try other regions
thank you i'll change it !!
@surreal bear @hallow kettle @tame urchin the modules and content you shared are over Tier 0 - please read the subject of the channel, and be more mindful over what you share, and how you ask for help. Do not spoil content for modules over Tier 0.
Spoiler tags do not make sharing such content OK.
Ah mb, where abouts should we go for questions about stuff over Tier 0?
how do i learn hacking
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
Have a scroll up, see how others ask. You may ask, and someone may help nudge you in the right direction in DM or whatever, but the module and sections themselves should cover the skills and knowledge required. The assessments may need some outside of the box thinking, and additional research at times however.
Okay thanks, my question was more around an unintended solution though - the skills assessment doesn't seem to work as intended.
If that's the case, feel free to reach out in #1234357888114364508 - we do make corrections if an issue is valid 🙂
Alright sweet, does that channel have any of the same restrictions around what I should be sharing?
Hokay so, just started here, still in Linux fundamentals, question is, why does the module state to use sudo when we are not allowed/need password for sudo?
I haven't done that module myself, but you should specify the section too
Hello, I'm having trouble with SQLMap Essentials Attack Tuning. I have a flag for What's the contents of table flag5? (Case #5) but it tells me the answer is incorrect. The hint suggests to run --no-cast and running the command a few times but I always end up with the same flag. Any help here is appreciated
wtf
Crazy right?
but i wonder if this zap scanner isn't broken considering how many questions there are about it
Never mind, my session was just returning the same exact value every time. After I cleared my session I got the correct flag
And for the next question flag6 can someone please explain to me how I would find the needed prefix without looking at the hint? I don't think I would have been able to figure that out on my own based on the course material
short answer: FAFO
long answer: Fuck Around Find Out
I can appreciate that to an extent, as that's what this is all about. Up until now I haven't even needed to click the hint button, but for something I'm paying for I would expect to see a bit more guidance. As of right now I have no idea how this particular example even helps me if I'm unable to figure out what I'm supposed to be finding. Is there access to the server side code somehow?
nope
