#modules
in module attacking common services in attacking smb. in solving the questions we have null session and we can read id_rsa of a user in a smb share when i was downloading the private key it failed and when i did with a user credential it downloaded i was thinking maybe null session only have read access on the private key that was the reason but the user i logged in only have read permission on private key so didn't get it why it happened
Please help with Module: API Attacks / Section: Broken Authentication, I'm stuck on it... I managed to get the password changed and logged using the new credentials, then I tried to retrieve the information that is needed to get the flag and I got "Unauthorized" as response...
write access allows download iirc
but it downloaded
yeah thats the only possibility
they said in the section that if no shares are writable we can use smbexec but smbexec also need a way to write the payload
Hi!
having strange problem from recent days
connecting to labs using vpn as usual (tcp, udp is banned in my country) but cant ping or connect to ssh (ip route is fine) anyone else having this?
p.s. 1 month ago it was fine
Need to speak to a person? Learn how to reach our support via HTB Labs.
thanks but they will avail only tomorrow
guys i cannot find it nothing of AI in google omg
Woah
What country are you in that has that banned? That’s so interesting
try using vpn on host system
Did you reauthenticate as that user?
how to i can do this shit modules
its embarrassing me
hi guys, on AEN (don't exactly know which part as I'm doing it blind), I have set up a responder and I'm poisoning LLMNR and MDNS, anyways I'm not getting any hashes, I can assume it means that only kerberos authentication is carried, but I might be wrong. The output would be:
[*] [MDNS] Poisoned answer sent to 172.16.8.20 for name xxxxx-DEV.local
[*] [MDNS] Poisoned answer sent to 172.16.8.20 for name xxxxx-DEV.local
[*] [LLMNR] Poisoned answer sent to fe80::fdc4:5f07:f1ba:b737 for name xxxxx-DEV
[*] [MDNS] Poisoned answer sent to fe80::fdc4:5f07:f1ba:b737 for name xxxxx-DEV.local
[*] [MDNS] Poisoned answer sent to fe80::fdc4:5f07:f1ba:b737 for name xxxxx-DEV.local
[*] [LLMNR] Poisoned answer sent to fe80::fdc4:5f07:f1ba:b737 for name xxxxx-DEV
[*] [LLMNR] Poisoned answer sent to 172.16.8.20 for name xxxxx-DEV
[*] [LLMNR] Poisoned answer sent to 172.16.8.20 for name xxxxx-DEV
I think you are seeing interaction with other hosts but if you are not getting hashes it is because no user has interacted with your smb server to respond to a dns query.
fair enough
yes sir!... I did... then I tried the payment options endpoint that is the one needed to solve the test, and I got "Unauthorized", then tried relogin as the main user and got the same result... that's why I want to meet someone who solved so I can know it's not a bug...
You can DM what you are trying.
can someone help me check if an exe file is malicious?
No that's not what this discord or channel is about
no
alright
if anyone knows how to @ me
You'll just either need to sandbox or upload to a site like any.run
yeah i used hybrid analysis website
but the thing is idk how to analyse if its a malware
But that's as far as anyone here can help you in this chat
and i think my antivirus is giving me a false positive
so i want to make sure that its a false positive and not a malware
Read and follow #welcome and ask in #binex-rev
2 parts to my statement
Read and follow #welcome
- this grants access to more of the server
#binex-rev is a channel you'll be able to see after you do the first part
alr alr
It deals with binary exploitation and reversing
yeah ik
I'm explaining the channel you don't have access to yet
Still think I am an alt?
Virus total
I mean if they're downloading a cracked exe (assumptions) then 9/10 times you get a free virus
Yes, the target is up and if I nc from the pivot I get the banner. I do everything according to the instructions, but I somehow don't get the real results
Because that is a banner
You can do -sV to get version info and --script banner to verify
I'm not looking for the banner. nmap should tell me that the port is open
Filtered doesn't mean much
Just means that you didn't receive a reply back, as opposed to a reply saying "not open"
yeah its a cracked exe
In the walkthrough the ports are shown as open
I wouldn't bother too much with what the walkthrough says
ey guys look at this
Intro to Assembly is a t2 module please refrain from spoiling
Sorry for the inconvenience @fathom pendant, I was just thinking how I can bring it to some insight for getting suggestions. 😅
you can just state you're having an issue with getting it below the 40 bytes, someone that's done it can ask to dm and take it from there
hey guys i need help on “Windows Lateral Movement \ Skills Assessment”: ‘What is the password for VNC?’. I have successfully RDP to the backup server as rossy but unfortunately is not admin on the server so i can not get the VNC password? Any hint after getting a shell on backup?
I checked and rossy was added in the local administrator group but it's weird i am not able to execute any command as admin
SOLVED
bruh do your full port scans correctly
didnt do it and stayed for hours figuring out how to solve the easy lab(footprinting) XD
Well tbf needing a full port scan is kind of rare
hey someone wanna help me i am new to the game
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
<@&861185840277487616>
Alr Hudson
What did he say
looking for employees or sum like that
I am following along with academy for "Using sysmon application" and used archive app for "sysmon app for splunk" , but the result is not generated by the application as in the academy is teaching? Also, app is showing "This dashboard version is missing. Update the dashboard version in source". Is version missing is causing any issue
skill issue lol
you're right lol
if so, why cant you help , instead of showing the others skills issue?
i expect academy to teach smoothly, not giving the hassles
listen buddy u gotta solve ur own issues i aint ur dad lmaooo
If you are not going to help, why you spitting
This channel is meant for asking for help in the modules lol
If you can't help, don't say anything at all, simple
I agree with you
Hey
its goku
Hi guys, I tried using burpsuite on the Academy HTB instance pwn box and when I turn intercept on it doesn't do like my home burp suite community, instead when I turn intercept on the request is immediately intercepted and I cannot see a list or choose from the list of request that the browser is trying to do, I would like to know if this behaviour is normal and whether it is or not how do I see the list of http request without having to go to HTTP History please
Does anybody have any advice? I just finished Introduction to networking and I’ve started on Linux fundamentals but is there anything you guys specifically recommend for after introduction to networking?
introduction to traffic analysis
right click on the intercepted request and you can do a bunch of stuff
introduction to python
the main three for fundamental knowledge is linux/networking/python
Thanks man I appreciate it
anyone help me on Windows Privilege Escalation > Credential Hunting module
Try asking
Anyone else struggle with ReGex?
hi guys, did any of you exp this while taking the sqlmap essentials module on CBBH
Every sqlmap command on my Kali machine doesn't work. For example, sqlmap -r case2.txt --dump -T flag2 --batch doesn't work on my kali machine, but when i run it on the HTB machine, it works perfectly fine.
read and follow #welcome ask in #starting-point
I didn't run into any sqlmap issues
yeah
This page provides an overall cheat sheet of all the capabilities of RegExp syntax by aggregating the content of the articles in the RegExp guide. If you need more information on a specific topic, please follow the link on the corresponding heading to access the full article or head to the guide.
Regular Expressions Syntax Reference. Includes tables showing syntax, examples and matches.
You've got it to work. Nice 🙂
i was reading the regex cheat sheet you submitted awhile back through the search bar its just really confusing to me tbh
looks like something a cat typed by walking across the keyboard
you aint lying tho
i was looking at some of the regex codes and was like... How in the hell do people understand that ahahahah
that's why you keep a cheat sheet
you eventually learn the things you use commonly
rdp
is a common windows service found on port 3389; what about it?
i'll be honest I should really note which windows servers run on which port
rdp; 3389
SMB; 445
SMB over NetBIOS; 139
LDAP; 88
RPC; 135
doesn't ldap also have 636 or smthing?
oh...right... secure mode ldap
636, or 389 (389 is unencrypted)
so there's 3 ports 👀
also 88 is KDC not LDAP
damn ldap
mb
oic
(some of this is quick google sanity checks)
Yeah you'd think with all these nmap scans I've done I'd remember which port is which
i just do basic nmap scans in most instances and go off the common port#s
same, but if it's sus I'll chuck in a udp scan
udp scan all ports 
but i also have a brain like a sponge even in my advancing age
Hi so I am a bit stuck on the broken authentication module
Section: brute-forcing password reset tokens
Question 1 : on what do passwords recovery functionalities provided by web applications typically rely to allow users to recover their accounts.
On the course it says that it's a token I tried token in different forms and reset tokens and it still says that it's wrong I need help with that
5985, winrm
most important one 
I broke one of the modules and have no idea what to do now
Getting Started -> Nibbles, the image plugin cannot upload more than a single file
i didnt upload the reverse shell one liner and now.. cant upload shit
Nevermind I was smoking crack and misunderstood the plugins functionality
In case you want my perspective on doing that module: https://0xw1ld.github.io/htb/2025/02/14/Nibbles.html
I know it's just something small, can someone help me
hate when that happens
hi friends i am in the skills Assessment Part 2 in Login Brute Forcing.i am stuck at finding the flag.i have access to ssh account satwossh and cant find the flag.txt
Anyone had an issue with Xfreerdp disconnecting when you click on a mapped drive? I've mapped the drive using /Linux: and as soon as I open it on the Windows VM the RDP session closes
it's trying to make sense of two file systems of different operating systems in real time
and the slightest issue can cause the entire session to collapse
Going to try it with another VM
😩
Damn hacking is just too interesting if I tell you what I just did to windows someone will put a bullet through my head 😂🤣😂
now do it on #1337844872387756104 
Yeah sounds like a good idea. Thanks @waxen totem
Lmao was doing Host & Port Scanning | Network Enumeration with Nmap and found a flag for a future lab by accident 
report in #1234357888114364508
hello guys, did anybody have a clue about this exploting SSTI - Twig?
Module Attacking Enterprise Networks, Section Internal Information Gathering. when i am doing ping sweep for the internal network i can only see 3 hosts: 172.16.8.3; 172.16.8.50, 172.16.8.120. But in the section there is also internal host 172.16.8.20. It is not shown for me and i cannot interact with that host to complete the module. What should i do?
Hi, Did anyone had problems with windows machines in Shells & Payloads module?. They sometimes dont even respond, the supposed to work msf exploits do not work, nmap scans are also way off etc.
Been forcing myself now from past 3 daysss🤧
i changed ip address of machine and everything working fine on the other ip. 10.129.31.197 seems to be broken
hi did anyone have any trouble working with the skills assessment portion of the AD enumeration & Attacks. The server is not responding despite me waiting for an hour and after multiple refreshes of the server. For Skills Assessment Part I, I am unable to run any command on the webshell and the web browser is constantly loading while part II, I am not able to ssh or rdp into the attack host
Hello, I'm in Skill assessment for Web Proxies and the first q is: The /lucky.php page has a button that appears to be disabled. Try to enable the button, and then click it to get the flag.
I've been trying with adding a post request so it is getflag=true but the response is the same, i was looking at some write-up for it and it says my method is correct. What do i do wrong?
Can anyone give a hint on DACL SA 2? Been stuck on the first question for a long time, I've got the NT hash for a non existing PC account that has constrained delegation to another PC that doesn't exist.
my issue with the first question was that BH did not see a very important right that Taino had on SDE09. Once I manually enumerated that right it was obvious and easy to execute
Thanks, will have a look at that now!
My request looks like this:
```
POST /lucky.php?getflag=true HTTP/1.1
Host: 94.237.55.157:36040
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:135.0) Gecko/20100101 Firefox/135.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: sv-SE,sv;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 16
Origin: http://94.237.55.157:36040
Connection: close
Referer: http://94.237.55.157:36040/lucky.php?getflag=true
Upgrade-Insecure-Requests: 1

getflag=true
```
Don't get what I'm doing wrong.. Can someone help me out? I've been trying different requests but no luck. I did read a write-up cuz i did not get it, i was on track, but nothing i do works.
The server reject my request..
Hi , I want unlock the Module (FootPrinting) but i can't , anyOne here can help me ?
Going to take a walk outside and try again later
Do you get Cubes for it?
How
ok , How can get it ?
Did just told you, Buy a subscription
Or earn cubes by do modules
which one is better
Not sure how to complete a Module? Interested in enrolling in a path? Read this.
Earn cubes take a lot time..
hi friends i am in the skills Assessment Part 2 in Login Brute Forcing.i am stuck at finding the flag.i have access to ssh account satwossh and cant find the flag.txt
please help me anyone
😩
Dm me
Attacking Enterprise Networks , Post exploitation Need Help with this module . Can anyone help me with this ?
Ask your question here and someone will help if they can. Adding what you've already tried will help.
Try not to disclose too much here though since it's a Tier 2 module. Also, I'd recommend struggling some more and looking back on relevant modules since the AEN module is a capstone module for the CPTS.
Can I DM you about this? I've found a VBS script but not sure if this is correct path
[Agent : root@dmz01] » listener_add --addr 0.0.0.0:11601 --to 127.0.0.1:11601 --tcp error: listen tcp 0.0.0.0:11601: bind: address already in use . Am getting this error while using ligolo-ng to double pivot
That means the port is already used by some other process, you can find out which with the command netstat | grep 11601 or something like that
You can DM if you'd like.
hey man can i dm you please?
Hey man have you done Signature Wrapping Attack?
I was wondering if you need a bash script payload for a RCE?
Sorry, if stupid question.
Nope
Sure. Not at a pc. Will reply later
okay
@queen flame DMs are only open for #modules message as per my bio; also #rules regarding dming without asking
Oh sorry got it
Hey man can i dm you? regarding Signature Wrapping Attack
sure, dm me what you got
just frustrated men i have solved this only to try and redo it and its not working dont know what htb wants
i think i have had it for over 3 weeks now to be fair , even trying harder.. i finally cracked it solved it
two days later repeating the same thing and its not working how does that work
it doesnt the make the patience any easier you know
take a step back; frustration is the enemy of progress
frustration leads to mistakes
mistakes lead to anger
anger leads to the dark side
I think the --to argument specified is incorrect. It should be 0.0.0.0:11601.
But my solution still doesn't address why it's stating the port is already in use. I've actually never come across this scenario. Try my solution and see if it works (but I'm doubtful it will).
As @fading olive suggested, have a look into what the port is currently being used for.
also generally i suggest using the fully qualified IPs
I am relaxed its the annoyance that you already solved this and repeating the same steps and its not budging
Hello, I'm working on Attacking Common Applications - Skills Assessment I and I found a url which allows me to run the command dir on several directories even, but I can't figure out how to run anything else, like the type command or the whoami command. I found the latter in C:\Windows\System32 but I couldn't execute it. I'd be happy to get a hint as to how to proceed and/or what to try.
not the wildcard 0.0.0.0
that way you can clearly see/know where the traffic should go
The starting port in being used by session 1 i.e root@dmz01
Good Afternoon guys look at this
Hey guys, a quick question, I have this question in the filter content section which is completely unrelated to this section which I said yesterday as well,
Determine what user the ProFTPd server is running under. Submit the username as the answer.
Now how do I approach this kind of questions, if I google this one I get answer but don't learn anything, if I try to solve it myself I dont have enough knowledge to do it so will end up wasting lots of hours for a single question which is useless. So how would you approach this kind of question when googling it will give you answer and you wont learn anything. I am just confused I am not learning anything, what am I doing wrong, is it just my problem.
Yes, I'm saying it's odd that your first agent is using the port for something other than a double pivot. See if you can find out why by finding out what the port is being used for.
I don't know if it's possible to double pivot with another port other than 11601. You will have to refer to the docs.
instead of googling for the answer google for the question
"How to find a user running a service" for instance in this question
I don't know how you went about setting up your pivoting. You might already have the listener set @coarse stone
Because I had no issues pivoting with ligolo on AEN.
i tried using port 11601 then i got stuck on agent file, Program 'agent.exe' failed to run: The specified executable is not a valid application for this OS platform.At line:1 char:1
That error tells you the agent you're using is not suitable. So pick the right one.
This is my first time using ligolo-ng and i was following a guided note
You can DM me the steps you used to set up. I'll try to see what happened then.
Or just send the steps here. Whatever works for you.
Ill DM you
hey guys quick question, what's your take on the CPTS cert , is it worth taking or is best to prepare directly for OSCP instead ?
it's worth for knowledge
Do you think using gpt is good, I do know that whenever I use gpt I don't learn stuff, I just cheat but when I am trying to do the stuff without it I am just being annoyed by these little questions, I wonder how will I be able to do the whole prerequisite pathway and CPTS pathway when I am stuck at a silly question like this in a basic module like linux fundamentals
Its very frustrating and demotivating when things do not work the way I want and I have to waste lots of hours and still have nothing in hand, maybe its a me problem
bro did you complete Login Brute Forcing module
no am stuck at the linux fundamentals in infosec prerequisite pathway
for like forever
GPT is ok for some things
as it's ingested a bunch of different documentation
@keen drift this isn't an advertisement server read #rules [7]
Thanks noted
how can somebody stay motivated when things are just not working, wasting lots of hours is painful when I get nothing in return, maybe I dont know the basics or something.
taking breaks is healthy
I end up taking longer breaks than sessions
i take a few minutes go get something to snack on, and let my brain do the processing in the background
then realize i made a simple typo
you can process things when you know those things, I just lack the knowledge
things "just not working" 9 times outta 10 is a user issue
nope
your brain processing info doesn't necessarily mean you already know something
sometimes it pops the question in your head of "did I look up xyz?"
thats what I think its a me issue, I didn't see anybody stuck at things like I am
"how to <do thing> in <Linux/Windows Powershell/Windows CMD>" is a common query in my google searches
"how to find out what user started a process in Linux" is something you'd ask google (or GPT) to get an answer
did you complete Login Brute Forcing module
a while ago
i need a help from you
but it's best to just ask your question (avoiding spoilers) instead of asking "Did you complete <module>"
ok
this is a vague response btw
i need this one
one of the sections teaches you something you can do; not to mention there's some important documentation given on the server
Hello good people! I am stuck in "Active Directory Enumeration & Attacks" in the part "Attacking Domain Trusts - Cross forest trust abuse - from Windows"
After identifying a cross forest user and having bidirectional trust, how to determine the computer name to attempt Enter-PSSession? klist does provide some hints, but how to be sure what is the computer name of this user in another domain?
In this case we are currently in ACADEMY-EA-MS01 and the foreign user is in ACADEMY-EA-DC03 according to the script they use next, but I couldn't find how they knew for sure
i found every where without root folder.am i right path.or flag is in another where
for Login Brute Forcing Skills Assessment Part 2
Hi can anyone give me a hand in http misconfiguraition module i am stuck with hard skill assessment
I think it depends on your previous enumeration, if it is another DC perhaps you should have already seen it in a network scan of the internal network where it can show you several hosts that may be in another domain or hosts that have another network interface with a different subnet where you have to scan IP's to identify other hosts that may belong to another domain or also from bloodhound, since you are in the last modules everything is based on the previous enumeration that you did during the tour with bloodhound or PowerView.
Can someone give me a nudge on titanic? I have user flag but am having a hard time getting a shell
when logging into mssql with linux by sqsh we need to specify either hostname or domain name to use windows authentication . what does .\username means we can also use that too . i dont get it
we can use .\username when targeting local account .
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
Check home
Windows .\ refers to local domain
I.e. local user
[Domain\]user
. Is local
like we log in to the login prompt in windows
On a standard windows install [not domain joined] .\ is implied
Yes there were three DCs in total DC01/02/03, and yes I can enumerate all the users in those domain as well if I have trust. But my question still is, is there a way to be certain that this user in this domain is only on that PC? I can surely try all DC's to find the correct one, but like is there a function to find this for certain?
On domain joined you'd use .\ to log in a local account, i.e. IT logging into localadmin account for administrative purposes
so it is required that mssql server should be running in that computer and we are using the local account on that computer
You can send me a dm
It's just that the auth for that instance uses local account logins
It can be set up a myriad of different ways
yeah i get it
That looks COOL
You can use a local account on another machine if you specify the ip/fqdn
How do I get access to general?
#welcome <--
@fathom pendant after i complete cpts path can i also be a community contributor
community contributor isn't linked to completing any paths
it's just someone who's active and helps out in the community
yeah but to contribute i need knowledge
¯_(ツ)_/¯
I am not able to find answer to this in any way, all I can find needs sudo privileges which I cannot get on htb
Determine what user the ProFTPd server is running under. Submit the username as the answer.
i became a contributor well before i finished the pentester path
😅
i told you how to discover the answer in several ways
this is getting more and more frustrating
google is your friend
I did that
and even gpt can help
do you have second monitor
assigned for discord
"how can I find out what user started a process like ProFTPd?" <-- what i asked to chatGPT
no
i just tab in and out
dont you feel distracted
nah
Does anyone have the answer for the fourth question in the information gathering - web edition module. in the web archives section? I think I have the right answer but I'm not getting credit.
I did. I swear its bugged.
Got it... Thanks for the help. I'm embarrassed. I thought I tried that..
there is only one way to know it, by looking at its config file in /etc/proftpd/proftpd.conf. which is kind of weird, who would have thought that this can be the answer
just got it from reddit, such a waste of time
nope
well not exactly weird but still not the way anyone would think to get the answer
that's not the only way to know it
you need sudo privileges to know the otherways
nope
ok then, tell me one other way, I would like to see one that works, I tried a lot of things and everything needs privileges
google and gpt both netted results to find a user of a process, didn't require sudo perms
idk how thats even possible, if someone wants to know a details about process then the user must be sudo to get that
ps
that's the command, there's additional options to pass through
but that'll require some extra research on your end
man ps or ps --help
ps aux to see all the processes and checking for proftpd is one way to do it. THANKS ALOT
I need to learn to search things, in different ways
the man page for ps i believe gives you a brief overview of common options
would you mind if i dm you
About?
Hey :)
I'm on the Broken Authentication -Brute-Forcing Password Reset Tokens
Any idea why this command :
ffuf -w ./tokens.txt -u http://http://94.237.54.109:39810/reset_password.php?token=FUZZ -fr "The provided token is invalid"
is so slow ?
It's been 10 minutes and its only at token 4000 :/
Im running a python script rn but i wanna know why it is so slow
Hi anyone can help me with abusing http misconfiguraition module stuck in hard skill assessment
Hello I have question about Attacking Common Applications on the Attacking Thick client Application, can someone help me.
you can send me a dm

Hi. I'm working on the File Inclusion module in CPTS path. I am having difficulty completing the exercise in the log poisoning section. Specifically when trying to do an LFI for the apache logs as follows: index.php?language=/var/log/apache2/access.log I find that I get the access.log file successfully initially then subsequent attempts fail, especially after attempting to poison the logs
am I missing something and this is expected behaviour? or i should keep resetting the machine?
Take a close look at the log file and think about what happens if you want to poison the log.
Then take another look at your payload. Does it contain characters that could interfere with the log file?
thanks for the tip.... I'll try different payloads and see if i can identify characters that interfere
Look at the log and think about what would happen if you entered certain characters...
Hi, anyone can give me a hint in "Advanced Deserialization Attacks S.A"? [CWEE] I've found some potential vulnerable functions but I cannot bypass some filter, I don't know if I'm in the right path..
Thanks!
i have ADHD
I saw on reddit that linux module is found difficult even by experienced linux users and some even suggest switching to tryhackme before htb saying htb academy isn't for beginners. What do you guys think of switching to thm for a bit and then coming back, is it worth it.
Or is it something a beginner should do
Thm holds your hand a lot
And if that's something you prefer, up2you
But a bit of the linux module sections are solved by simple Google queries
Or reading the man pages
what does handholding even mean, they are not going to give you like answers very easily right. I mean aren't they supposed to teach me something and ask questions from that
it means that they are VERY much step-by-step instead of theory+practice
i havent tried thm but i like htb bcz i got the dopamine hit when the simple problems become hard . and then you solve it . its like awwww man i am stupid ....
yeah i it is frustrating you will likely bruteforce credential and not get it upto 3 day (my max )
Hi all.
I'm doing the Firewall and IDS/IPS Evasion - Hard Lab and I'm struggling to get flag.
I've tried what is detail in the Firewall and IDS/IPS Evasion to no avail. Anyone able to give me a clue as to what I could be missing ?
thx gonna work on it now
You missed something if you tried everything and nothing worked
Hi all, i'll try to complete windows foundation , but can't decide services & process section... who can help me pls?
Identify one of the non-standard update services running on the host. Submit the full name of the service executable (not the DisplayName) as your answer.
But how i should know about it? i reviewed all proccess, but didn't look for anything
I look tutorial at youtube, but don't understand, why she write this command Get-Service | Where-Object {$.Name -like "reader"}
In this section has example
Get-Service | ? {$.Status -eq "Running"} | select -First 2 |fl
But how i must to know right way?
The module should have shown you how to get running service info
Also use backticks (`) to wrap commands
_ _ is markdown italicizing
Man these channels really should be locked to verified/academy users only.
I haven't read this channel consistently for a long time - has this been discussed?
They plan on it soon.tm
They're getting held up on the academy verification thing
I'm stuck on the file upload attack skill assessment i tried many file signatures and extensions and Content-Types but i still get Only images allowed error even when trying to upload no payload and no php extension?
Identified at least two chars that could cause a problem
Guys someone here termux user?
Does anyone know how to use discord server for a reverse shell?
You mean as a c2? No you can likely Google, but there's no academy modules regarding that
really stuck on file upload attacks assessment ive been on it for a month now i finally managed to upload the file when i visit the directory its supposed to be in (wont mention for spoilers) i get apache not found ?!?!?!?! honestly this lab is driving me insane does anyone mind dming to help?
send me dm 😉
Hi @fathom pendant, did U miss me? LOL
I have a problem with SMB, its enabled but...
do_connect: Connection to 10.129.201.57 failed (Error NT_STATUS_IO_TIMEOUT)
is the server ip the target ip?
noob question: are we able to use this chat as a check to see if I am doing some of the practice questions correct?
Correct
Wdym?
Modules above t0 you have to be mindful of spoilers
so like for this question
would it be ||grep -v "#" /etc/ssh/sshd_config||
#practice spoilers
hey guys, i have a problem. i'm on the knowledge check on HTB academy CPTS, after gettting Nibbles done. I have the admin credentials, and now i know that i must load a payload on the site, but dont understand how, can anyone help ?
What do you mean knowledge check for CPTS? Which module are you on @rustic tree ?
About the getting started sorry 🥲
I have scanned the IP, this and apache server. I have the admin credentials
I there is a lot of directories but I don't know where to look to do RCE to gain access to
It seems familiar to Nibbles but I can't find any exploit right now
Hi, anyone can give me a hint in "Advanced Deserialization Attacks S.A"? [CWEE] I've found some potential vulnerable functions but I cannot bypass some filter, I don't know if I'm in the right path..
Thanks!
I see - that's Tier 0 content, so perhaps someone will reply here with a nudge, or there may be content out there to help you.
OK I will continue searching then ! Thx for the response 😇
Why not try it out first
look for plugins that are running on the site
also no shame in consulting a writeup:
||https://0xw1ld.github.io/htb/2025/02/14/Nibbles.html||
Thanks I'll search for it
~~I love how I shamelessly plug my writeup any time this module is mentioned~~
hush... we don't talk about that
🕵️
Yeah I got it. Thanks anyway
you shouldn't be doing that
I’m new to this server, I’m guessing it’s about tips on hacking?
This channel is for modules of htb academy
Hey there, not sure if you found it already, but just in case : for nibbles there are two ways to get a foothold, one "manual" and one more..."assisted" : If you went the "assisted" route for nibbles, you might want to go back and try to do it manually 😉
If you do and you understand what you are doing, you will find how to exploit the knowledge check easily
@restive spoke Don't know if you found your answer, but sometimes what you read isn't what's really there
Any reasons why python3 -c 'import pty; pty.spawn("/bin/bash")’ Would cause the shell to freeze up without fail?
I seriously cannot figure out why this is happening I'm assuming its HTBs end freezing up
I cancelled out of the reverse shell, re-established the connection by refreshing the page (a script is ran everytime that does this in which I added the reverse shell connection one-liner)
Successfully establish a connection
Then bam, can't upgrade the shell anymore
Mm, I've had a few terminal freeze ups too, and they got fixed when I shifted to TCP version of the VPN
since you're getting a revshell before it freezes then it's more likely on your end
I can still fully interact though I don't understand, I can use ls with no issue or anything else
you could try TCP version, if you are not on one already. I used to have file transfers getting stuck, terminal freeze ups on opening large files, etc.
I'm not sure if I am or not I've always done everything through the terminal on academy
I'm just going to start fresh this is taking up too much time
Oh yeah I see the TCP/UDP option for the VPN, I'll use TCP from now on
Yea, try that one and tell if that resolves anything
Hey everyone !, I am a cybersecurity engineering major in my sophomore year and I have already some Linux and some hacking tools experience, but I need an actual computers architecture + networking + cybersecurity + malware + telecommunications experience, could anyone help ?
"#no-acess"
read #welcome
Christ you're kidding me its still not fucking working
I literally cannot complete this because vi has a stroke everytime I try putting the elevated shell script in the no password sudo directory
It will not register 'esc'
so I cant actually save anything I write
yeah I'm just tired of spending an hour on one page when I'm expected to finish HTB within the next month
Not sure why it is not working with the TCP vpn
you can use echo
hi friends, in the SQL injection skills assessment, I found the username and password from the database. Am I supposed to be able to login with these credentials? I wasn't able to so I also tried authenticating via mysql on terminal with no luck. Is the method to create a webshell directly with these credentials instead?
I think I found another work around
Cant send a screenshot but sudo -l is showing "User root may run blah blah blah: ALL : ALL
No, you are supposed to break in
Make a valid SQL injection request, and you'll be able to get in
Try think of possible scenarios (hint: commenting out stuff might help you)
It’s a sql injection skill assessment
so I need to craft a query with those credentials? or craft a webshell in a query with those credentials?
awesome
Did you ever figure this out? I'm getting the same error even though the model file works.
can you guys take it to dm please, you're talking about a skill assessment here
Listen to SuperNuts, take it to dm.
However, you should not be spoiling it for each other at all to be honest.
Totally negates the purpose of a skill assessment.
Well done
Heya gang,
I'm attempting to solve the fourth SIEM visualization through the intended way, and not through brute-forcing the dates.
Could someone please inform me what I am doing wrong with @timestamp to still be getting only the 'week of event', as opposed to the day of event.
Much appreciated!
Hey guys. Currently doing attacking web applications with ffuf final assessment
Im trying to submit my answer for the question which asks which extensions are accepted by the domains
I fuzzed all the vhosts and it is using. .. I dont know if i missed an extension or if there is a certain format i should use when submitting my answer
Hi Avesh, probably not the perfect wordlist. You are missing an extension likely
And edit your message, I reckon thats a spoiler
Thanks. Edited the message. Will try another wordlist 👍
Hi everyone. I'm having an issue with the password on page 6 in the linux fundamentals module. It returns "Permission denied, please try again". Today is the third day as I can only spawn a terminal once a day. Can anyone help here before my timer runs out? Otherwise I'll have to wait until tomorrow. 😦
Send screenshots of issue
Also, install a vm so you can practice as much as you want without having to rely on the pawnbox
Or get a subscription if you can for unlimited access
@spark fox - Will WSL with ubuntu also work?
subscription is not viable at the moment. 😦
Hey uhh how long does nmap on all ports take yall
I've been here for about 12 minutes waiting for a response and it still shows nothing beyond starting the scan
Honestly depends. You can hit space-bar and it can give you an estimate. Are you running the scan with any switches like -sV etc?
I typically like to do just a regular scan and then perform more indepth scanning on just the found ports.
or set --stats-every 5s flag
This is a great idea. I'll steal this haha
Could i get a sanity check for "Wi-Fi Penetration Testing Basics - Skills Assessment" last question?
Oh wonderful it shows a 6 hour time estimate and no
its literally just nmap (ip) -p-
Well that just saved me a lot of time. It would be great if the wonderful author of this module had put useful information in the fucking module
don't take your frustration out on the author
did you run with -v?
nmap has a ton of great documentation
You know HTB academy does put those links to the documentation for a reason, it's because it's not like they can explain everything in a single section or module
Also you're gonna have to do a lot of research when pentesting anyway, so it's good to practice
What I'm actively looking up I just wish the questions were centered around the modules it feels a bit offputting when what you just spent 20 minutes reading about applies to nothing you're being questioned on
Doesn't make much sense its like teaching someone how to operate an automatic transmission vehicle then asking them how stick shift works
I think its meant to be that way. They want us to do some extra research work and think outside the box which is essentially a skill in itself too
It would but im pretty sure a vm would be much better
It's not that they're teaching you how the tool works, they're teaching you how to learn more about it and discover things for yourself. The point is that they give you a base to build knowledge from
did anybody have a clue about SSRF module the SSTI question?
you kinda have a point
if i wanted to teach myself, i wouldn't need you 😭🙏
Being able to absorb, reuse and research based upon what you have learned is such an important skill. That is what the modules try to teach, the ability to improvise and build upon the knowledge gained through the sections.
If the answers to the modules were just laid out in front of you within the module, there really would be no point IMHO. There's got to be a degree of challenge, and in any learning environment you will never be given the exact answers to what will be on the "exam".
Of course, we are always open to /feedback, but know that the above is the nature of the HTB Academy, and is intended. It's not for everyone, but ultimately I believe if you stick with it with the approach of learn, research, apply, you will get much more value than just following a guide showing you exactly how to complete the final question. We give you everything you need - some times you just have to apply that knowledge with some innovative thinking.
Sometimes though the challenge is a massive leap from the module itself *ehem* Linux Fundamentals Filtering Section Curl Question *ehem*
Also true
And again, feedback is a gift 😄
I'm nothing directly to do with content, but I do pass on this kind of feedback to the team
Also, any feedback provided with the /feedback command also goes directly to the team.
btw @ocean night saw the change in sharing active season machine pwns, It's noice!
Oh sweet, that shipped 😄
Valid
i'm not complaining
just saying some skill assessments right after a module don't always align with what was covered
Some modules struggle with this much more than the one I'm currently on
Like at least this one stems off of nmap
Spend a few minutes looking at documentation and I got my answer lol
Understood, my wall of text was more of a comment on the nature of academy, rather than a disagreement with any particular sentiment
Sorry if it came across differently
did anybody have a clue about this?
quite a few of us, actually
Hi. Does anyone have an idea what the password is here (linux fundamentals page 6)?
The given password HTB_@cademy_stdnt! is apparently not correct. I have respawned the machine 3 times already. Always the same error... 🤔
You have the wrong IP address
The target's IP address starts within the subnet of 10.129.x.x
well the thing is that it's not the options that are lacking, it is the fact that I can't get a list of intercepted requests
should I provide screenshots ?
yes please
Was this comment directed at me? If so, where did you see this IP? This IP is from the top right of the pwned machine(after the VPN tag)
pwnbox != target
pwnbox is the attack box vm
"click here to spawn target" above the questions
that IP is the tun0/VPN ip of the pwnbox to use for reverse shells (and other exploits) to connect to the attack box
I did. This is the box that spawned.
nope
you clicked the "spawn instance" button
"spawn instance" and "spawn target" are two different things
w8 1 plz. trying again
Will 2 machines run at the same time?
If not, I'll have to wait until tomorrow to try this solution.
the target spawn has no bearing on the pwnbox
you can have the target and pwnbox running at the same time
In simple terms, when you spawn instance, you are spawning the machine you are going to work on to perform the task at hand. When you spawn the target, you deploy the machine you are attacking
^
Either way, thanks for the assistance. 😄
layer 8 issue fr
did anybody have a clue about SSTI twig?
Perfect! Thx everyone. 🙂
awesome
the second one being the one at hackthebox academy, I don't know why it doesn't show a list like the first one
whenever a request happens to be intercepted it shows it directly allowing me not to see all the intercepted requests
What's the reason of intercepting the request to the vnc session of the workstation?
Additionally, you are intercepting websocket requests and not HTTP
well I don't have root access on the machine at my school so I have to use the vnc pwnbox everytime I do exercises since I can't install anything on it
ohhh, sorry to ask this but what is the difference and how do you know it ? since i have only finished the web request module
There is a Type column in your first screenshot
Well, if you don't have such access, then it is preferable to use the workstation and work solely inside it
I understand. Thank you , and that is why I ask why does the burp suite in the workstation i.e instance is not listing the requests like in the first screenshot ?
yes and I can't see those columns on the workstation, what settings do I need to change
https://academy.hackthebox.com/module/211/section/2273
Navigate to http://[Target IP]:5601, click on the side navigation toggle, and click on "Discover". Then, click on the calendar icon, specify "last 15 years", and click on "Apply". Finally, choose the "windows*" index pattern. Now, execute the KQL query that is mentioned in the "Comparison Operators" part of this section and enter the username of the disabled account as your answer. Just the username; no need to account for the domain.
I open up the VM and put it in firefox with the target IP and nothing comes up? Kibana doesnt load by itself either. Is there something im doing wrong, what should i do?
Please @ me when you respond
I'm working on getting started module and have to exploit apache httpd 2.4.41 ((unix)) any idea? i tried msf and search sploit but didn't find any matching exploits
for "public exploits section"
Explore the service on the running port, something might stand out
attempt to use the service as it's meant to be used... you might see something interesting
What is the basic things I need for a bug bounty hacking
i didn't get it
i accessed the target via pwn box firefox and explored it, found a few things: plugins,wordpress etc
is it smtg related to this?
read what is written there and look it up if it is vulnerable
@autumn pilot can you help me aswell
Hi everyone! I'm currently working on the Network Foundations module and I'm stuck on finding the flag. I've tried several approaches, but I'm hitting a wall. Could anyone provide some hints or guide me in the right direction? I'd really appreciate any help!
hello in https://academy.hackthebox.com/module/19/section/119 my target is 10.129.47.69 please help me how to solve this question
Can anyone give a hint on the DACL II skills assessment question 2. I have the SDE01 server admin and found Angel creds but not sure on the path from here to RD09. I have found I can modify a GPO but believe I need to compromise another user to link it to the RD09 box.
If you are not comfortable with the syntax within the netcat command, try using curl instead and look for the option related to the user agent
hello in https://academy.hackthebox.com/module/19/section/119 my target is 10.129.47.69 please help me how to solve this question
please
anyone help me on this: Windows Privilege Escalation > Interacting with Users
Using the techniques in this section obtain the cleartext credentials for the SCCM_SVC user.
So I'm on Shells and Payloads, automating payloads with metasploit, and I just had a question regarding how to find the correct exploit to use, I've used the ones the module suggested but I cant get a shell session to start, so i enumerated using nmap and Im currently trying to find another suitable exploit
Hi, I am not sure if you were able to get the answer right but i tried all possible ways and there were no extra spaces! tcpdump -rX /tmp/capture.pcap, -rX /tmp/capture.pcap, tcpdump -r /tmp/capture.pcap -X
All these are working in the command line, i tried with real tcp dump. Can you advise me please ! @fathom pendant
anyone ??
don't @ me randomly; i'm not on demand support
spoiler tags don't do anything
also the question says winrm, not rdp; so of course you can't use j* creds for rdp :) each service has a unique user
Oh alright sorry, thought they may help to give some context, but I'll keep looking then
https://academy.hackthebox.com/module/211/section/2273
Navigate to http://[Target IP]:5601, click on the side navigation toggle, and click on "Discover". Then, click on the calendar icon, specify "last 15 years", and click on "Apply". Finally, choose the "windows*" index pattern. Now, execute the KQL query that is mentioned in the "Comparison Operators" part of this section and enter the username of the disabled account as your answer. Just the username; no need to account for the domain.
I open up the VM and put it in firefox with the target IP and nothing comes up? Kibana doesnt load by itself either. Is there something im doing wrong, what should i do?
thanks for this, got that one, completely overlooked a different tool
i mean i dont think he expects on demand support, he just thought you'd be able to help specifically. Why are you so cranky all the time lmfao
you could answer it in 3 hours, 7, 2 days or never
Been doing this for a long time. Typically people expect immediate answers when they @ someone
Also, when someone @'s another user, other people are less likely to help
yeah if he pestered further which he didn't but i get what you mean
I get where you're coming from: but please don't try and police how I respond to people
CAn someone help me
its just mean, like it sours the whole experience, maybe you should take a break or something if its burning you out
I'm not being burnt out
I'd appreciate if you don't try and dictate how I interact with people
With?
You're just being mean!!, its like if i was being mean and told you dont tell me how to talk to people
Hey! Im on ACL Enumeration of the module Active Directory Enumeration & Attacks, Im struggling with the final question:
What is the ObjectAceType of the first right that the forend user has over the GPO Management group?
I'm using the command as seen in the image, and its been running for about 20 minutes. Just not sure if its meant to run more than that!
Any help would be much appreciated.
I haven't done that module @covert pine wish you luck
The acl command takes a while. But I suggest using forend sid instead
Or using forend identity
Consider the question gives you specific info
Ahh, that makes sense. Was struggling a little understanding what the question meant, appreciate it. Thanks.
Reread the section to get a better understanding of what's being asked for
If you take a look at the object (output) you'll see a lot of info you can use to search
Is it bugged or smt
Has anyone here completed the ADCS module? Reply to this msg please!~
If you think it's bugged reach out to support
Okay
I will, thank you!
Anyone? I'm really stuck on this one!
yes
Hi guys
Im having trouble on "Type Filters" for file upload attacks, any hints would be appreciated!
#modules anyone help me on this
I tried fuzzing the extensions and it gave back some that are allowed however when I try to do this in repeater it says "only images are allowed"?
"phpextenshionhere" was replaced with the valid php extension but thats the error its giving
type filter
fuzzing extensions
hi @fathom pendant I managed to upload the file but it comes up with the actual image and not the web shell
any ideas?
Cute cat! 🙂
yes, I love cats 😅
What do they mean by briefing here ? Like a power point presentation ? End of AEN module
anyone help me on this: Windows Privilege Escalation > Interacting with Users
i have a disagreement about pwntools and the use of xor that in my eyes gives kind an odd and not replicable if you want to use other tools for xoring that it in the middle of the hexstring have \n and ^ tucked in with the code you should insert to get the right answer
I think I remember reading it in the module actually 👀
write your own xor function and stop complaining
well the problem is that it expects \n ^to be in the hexcode that you should submit as answer...
since when is \n and ^ valid hexcodes...
You would need to find what really executes the webshell while also escaping whitelisting/blacklisting
I remember there was a script that you modified to fit the allowed extension in, and that generated every combination of extensions attempted at escaping blacklisting and whitelisting.
Hello, so I am working on the intermediate network analysis module and have been stuck on the first question for a while... Is the ARP_Poison.pcapng file supposed to already be installed on my PWNBOX or do I make it or what? If so where would i find it
anyone help me
Anyone else unable to click 'modules' from the other academy tabs (Dashboard, exam, etc.)? For me, the button is just a Javascript void
Same with the 'paths' page
hello everyone , i want to ask if dante is a good start on pro labs or there's a better choice ?
Hi,
I'm basically stuck on those two questions (What is the admin email address? | Try to access the emails on the IMAP server and submit the flag) in HTB Footprinting module. I've tried every possible command but I think none of them gave me proper answer. For second question I tried Evolution but I couldn't grasp its capabilities.
Any help - suggestions what should I try or where to start looking?
The modules and path buttons are dropdown menu triggers
Nothing is dropping down, though :/
Hello, could I DM someone to help me with the XSS module? I can't seem to figure it out what I am doing wrong and I already figured out which input field is vulnerable to XSS
Are you able to connect to IMAP and authenticate? If you're stuck after that, google for extra resources on the specific commands you're using to retrieve the emails.
I've already enumerated HTB key and got the list of all LIST using curl on imaps - also i've connected to it with openssl command
also made it to acquiring devops email address but it shows it's not the one
i've managed to connect to imaps using credentials but LSUB "" * command returns nothing whatever inbox i use
I GOT IT - FETCH !
hiya, how do i find the walkthroughs on the academy
all of the academy is basically a walkthrough on every module 🙂
not for me man, they're asking questions i have no idea even how to find the answer for
luckily i found a answer sheet online for my module and im like learning backwards kinda deal
but hey im learning
im very new to this stuff, started with a 20 hour youtube video on cli and just kinda went from there
😦
linux fundamentals i know haha point finger
nothing to be pointed finger at - hey we all started somewhere
years ago i used to just find like backdoors so easily and all didnt know any networking stuffs much or nothing
not quite like that anymore
ethically on my phone ofc
hey - let's chat on DM's, we wouldn't want to spam this tag 🙂
usually where ive forgotten passwords and the alike, locked out of myspace hmm ill find a way in its my acct no harm no foul
I'll try to assist
Am currently working on XSS skills assessment and I figured out which input field is vulnerable to XSS but when I try to grab the cookie using script.js I get 200 response but no cookie. I could use some help I've been working on this since yesterday
You might need to see at a deeper level like we do with SQL injections, making sure we add prefix and suffix to make sure our SQL Query gets executed. Thats the best hint I can give you.
Can’t really say more until I see the script.js, but if you’re using the payloads from the module, it should be good enough.
Hi, doing right now the password attacks module, PTT on linux section.
But Im not sure whats the difference between tabkeys and ccache files ?
Could I DM you the script I am using?
Sure
Cached credentials vs ticket
NVM thank you you helped me figure it out!
Could you please send me that script 😅
It is given in the modules. Edit it with the extensions you’ve found to be allowed to generate a proper wordlist containing possible evasion combinations
thank you, which section of the module is it given in?
Its under Whitelisting iirc
ok thanks
I dumped the internal with user name and password, but i dont see any username and password for for answer i need
Because you're looking for a specific length of strings
You're given the info of a first/last name
Does anyone know what the reason could be for not being able to connect Parrot to VM? I keep getting error messages about the file either being corrupt or invalid. Is this likely a system issue? (Very new to this)
Wdym "connect parrot to vm" you mean vpn?
Do you mean install parrot in a vm?
In the setup module of Info Security Foundations I have to virtual workstation and connect it with a guest operating system, however, I am having a lot of trouble doing this and honestly, do not know enough to diagnose it. I have tried a few different things, but it has been dead-end.
but i kept getting error
Not sure what you mean by "connect" to vmware workstation. Are you attempting to run parrot in it?
Yes
Could you send a screenshot of the error?
That module is above t0 your screenshots are spoiling content
https://academy.hackthebox.com/module/211/section/2273
Navigate to http://[Target IP]:5601, click on the side navigation toggle, and click on "Discover". Then, click on the calendar icon, specify "last 15 years", and click on "Apply". Finally, choose the "windows*" index pattern. Now, execute the KQL query that is mentioned in the "Comparison Operators" part of this section and enter the username of the disabled account as your answer. Just the username; no need to account for the domain.
I open up the VM and put it in firefox with the target IP and nothing comes up? Kibana doesnt load by itself either. Is there something im doing wrong, what should i do?
Hey everyone new to this group I wanted to start cybersecurity from health professionals backgrounds so need some study plan and step by step support please help me.wanted to do Comptia A+ exam to know little bit about it then will start for 1st line job if that’s possible what else do i need like to get in to the job role ,any other courses needed like Microsoft 900 Az or please sort this out
Read and follow #welcome and ask in #careers-and-certs
hey Im also studying for A+ and work in support
Any idea where to get access? I can’t see the channels
First part leads to the second part
@pure gazelle @light siren YAY im not the only beginner bwahahahaha
@ember ibex not at all i have spent hours researching for one question man but learning, sometimes i just wanna smash my head into a wall the verbiage on the manpage can be harder than the question haha
lol dude you telling me ahahahahahah. theres even times i look up questions on a module and im like bruh how the hell did they even know how to set up the syntax like that lol
omg yes @ember ibex ❤️ went thrugh this one yesterday with a curl command, and then filter result
Man pages suck, they're usually just there for quick reference, for everything else there's USUALLY documentation that goes in depth.
explain shell couldnt even tell me
@waxen totem yeah i take advantage of the kali forum, r/linux, kali linux, stack overflow, explain shell
Also that module question is specifically one of the challenging ones for newbies, I have sent feedback about getting them to move it after the regex section of that module
all good for finding stuff usually have to use all four for the tough ones
They made it slightly better by specifying but only slightly if it's the curl one on linux fund
lmfbo @waxen totem and @fathom pendant legitimately helped me with that one yesterday ahahah on linux fundamentals section filter contents correct?
the regex wasnt so bad, took awhile to find a good result and figuring the correct way to use "^(This|First)' but found it
Please read #welcome so you can get verified and talk in other channels
I copy/pasted a forum answer a while back that explains the whole shebang
yeah the one on fund it was almost a two line syntax
I'm sure there's a neater command
But i stuck with the one that gave a verbose answer
idk i just found the answer, used it in the pwnbox then reverse engineered it, put each part one by one with different terminals open to compare, and plugged in the step by step into shell... the parts shell couldnt tell me i used web to search for
make sure no extra spaces
also i believe that module is > t0 so be careful just spoiling/giving potential answers
apologies, tried removing extra spaces prior to posting with no luck.
alr thank you
Strictcielee how do I unlock general do I have to verify or something?
#welcome <-- instructions are there
just gotta read
im stuck on https://academy.hackthebox.com/module/268/section/3062
i dunno what it wants me to do to invoke another form of broken authentication atm
looking it up says people are talking about an otp token which i cant figure out how to make a ffuf command for it
Hello, I am trying to attend a wedding otherwise I would go through more official channels, but the problem is as follows:
https://enterprise.hackthebox.com/academy-lab/35638/11395/modules/143/1420
".\Inveigh.exe" will not load into an interactive state. I understand that I am looking for a hash, and how to use that hash once it is found but the tools are not working appropriately. Is there someone that has the hash on hand so that I may move forward?
sharing an enterprise link isn't really helpful as most people here don't have enterprise, what's the module and section name?
no one is just gonna hand you the hash as that's actually against ToS
you gotta figure out how to make it work
i'd say enjoy the wedding and chat support when you're done
¯_(ツ)_/¯
@fathom pendant
Active Directory Enumeration & Attacks > LLMNR/NBT-NS Poisoning - from Windows
The mod and section. Good to know that it is against terms of service.
All of my searching hasn't shown someone else to have the problem yet. The command executes, it just seems to exit before ever starting the interactive portion.
iirc it needs admin rights
the interactive bit of inveigh is just pressing a key while it's running iirc enter should work
could also need admin rights, been a minute so i'm rusty on that module
@fathom pendant @lusty thicket Thank you, ill make it happen.
awesome
what is the alternative to hydra for brute forcing ssh?
I heard someone on here mentioned there was a better option
I'm doing the medium lab for the Attacking Common Services module
I am trying out hydra but isn't there an alternative in case it doesn't work?
I know nmap shows ssh port 22 as open
also is the username and password list in the resources suffice?
or should I be using rockyou.txt?
Medusa is an alternative
ok I thought there was another alternative besides that that I forgot about but its fine I'll just use hydra
I think I see what to do
I'm trying to brute force just the username of the server in the medium lab for Attacking Common Services. I am trying this and its not working:
┌──(kali㉿kali)-[~/Desktop]
└─$ hydra -L users.list -e ssh://10.129.232.82 -T 32
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
[ERROR] unknown mode h for option -e, only supporting "n", "s" and "r"
┌──(kali㉿kali)-[~/Desktop]
└─$
┌──(kali㉿kali)-[~/Desktop]
└─$ hydra -L users.list -en ssh://10.129.232.82 -T 32
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-02-18 23:37:34
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 79 login tries (l:79/p:1), ~5 tries per task
[DATA] attacking ssh://10.129.232.82:22/
1 of 1 target completed, 0 valid password found
[WARNING] Writing restore file because 1 final worker threads did not complete until end.
[ERROR] 1 target did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-02-18 23:37:49
┌──(kali㉿kali)-[~/Desktop]
└─$ hydra -L users.list -p password ssh://10.129.232.82 -T 32
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-02-18 23:34:24
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 79 login tries (l:79/p:1), ~5 tries per task
[DATA] attacking ssh://10.129.232.82:22/
1 of 1 target completed, 0 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-02-18 23:35:15
can someone point me in the right direction?
do I need to use a brutespray list from /usr/share/wordlists?
because I cat that list out and it doesn't look like it will work
if that's not working, have you enumerated anything else?
I am also trying to enumerate ftp:
┌──(kali㉿kali)-[~]
└─$ perl ftp-user-enum.pl -M sol -U users.list -t 10.129.101.73
Starting ftp-user-enum v1.0 ( http://pentestmonkey.net/tools/ftp-user-enum )
----------------------------------------------------------
| Scan Information |
----------------------------------------------------------
Mode ..................... sol
Worker Processes ......... 5
Usernames file ........... users.list
Target count ............. 1
Username count ........... 79
Target TCP port .......... 21
Query timeout ............ 15 secs
######## Scan started at Wed Feb 19 00:00:08 2025 #########
######## Scan completed at Wed Feb 19 00:00:15 2025 #########
0 results.
79 queries in 7 seconds (11.3 queries / sec)
I could try different userlist for ftp
but beyond that I don't know what to do
wait ftp port is not open
gonna look for a tool to enumerate ssh users
I think it looks like it can be done in metasploit I will read up on that later
you don't need anything outside of the module
just make sure to enumerate everything and then investigate it all
ok thanks will do
Hey guys, I'm on the HTTPS/TLS attack module, at the Bleichenbacher & Drown session. The question at the end of the session demands to perform the Bleichenbacher attack on a target system and provide a traffic.pcap file. I do extract the premaster_share_key in the TLS client key exchange and use it to perform the attack with -connect, but it seems to run nonstop until the target system expires. Is that just because the attack takes time, or am I doing something wrong?!
Hello!
Could i get a small nudge in the correct direction
Module: Footprinting
Section: Footprinting Lab - Hard
My Nmap scan shows an open port for 22 imap and pop3.
no credentials have been able to be retrieved.
I've tested some basic usernames and they return with a +ok in POP3 but the passwords do not allow for auth.
I did see that 993 had ubuntu on it but when I attempted to view it as a web link Firefox blocked it.
Is there something I should go read on or review? I reviewed the IMAP/POP3 module and I have the same commands in my notes with no luck of another lead on direction
you're forgetting something important
btw ubuntu is an OS not a web service
993 would be IMAPS or POP3S i forget which
yes the attack is slow
either that or you didn't specify the right parameters
I thought the ubuntu may have signified that it was a server of some kind 🙂
Is the port the area i need to focus on?
nope
just giving some general info so you're not wasting too much time
not all services are tcp
also it is a server, the engagement letter (the blurb at the top of the skill assessment page) tells you what kind it is to boot
is it okay if I paste the command I use here? I can't figure out what is wrong with the attack and didn't wanna miss anything that can improve my understanding of using the tool
that module is above t0 so it would be spoiling module content
Annnnnd we got it! Thank you so much. Do you mind if I ping you about one of the commands?
No one's going to teach you personally unless you pay them to. That being said, start here:
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
i need help
i found a flag but no matter how many times i insert it in the box it says it's incorrect
Restart the target, re-gather the flag and try again.
leading or trailing spaces? 😄
did you copy it or type it
does the input field ask for the flag or something else?
stop smiling like i copied from ur notes bruh relax
alright!
can i send a photo
Don't send photos of flags or flags themselves
Which module is this even?
password attacks
Pass the Ticket (PtT) from Linux
if u do it now the way flag comes up its all weird
i tried doing it again
edit : that was a flag for another challenge lol !
Hey can u help me with targeted individual issue?
what module is that?
You're in the wrong server
That's illegal
If you are targeted, contact law enforcement. Nobody here can help you. If they claim they do and ask you money for it, they are also wanting to scam you.
Regarding the issue I had with the modules dropdown yesterday: It seems it's an issue with using Firefox. Does anyone know where I can report the error? I've tried updating my Firefox, but it's still causing issues. Works perfectly fine in Chrome, though, but I don't really want to use Chrome
You can report it via /feedback
Hey there I have a question regarding the end of Attacking Enterprise Networks (I'm not stuck but wondering why one way worked while another did not) can I DM someone as to not spoil the fun for everybody else ?
python2.7 not working any help or suggestions ?
Guess you'll have to be a bit more specific in your question 😉
Im running this command in module: Windows Privilege Escalation > Windows Desktop Versions
sudo python2.7 setup.py install
Okay for what tool ? which version of it ? what is the error message you get ?
sudo python2.7 windows-exploit-suggester.py --update
trying to update windows-exploit-suggester.py
and other with python2.7
i also tried with python but no luck
Okay what is the error message you get ?
SyntaxError: multiple exception types must be parenthesized
can you provide the full error ?
File "/home/htb-ac-1306913/windows-exploit-suggester.py", line 390
except IOError, e:
^^^^^^^^^^
SyntaxError: multiple exception types must be parenthesized
/home/htb-ac-1306913/setuptools-2.0/setup.py:12: DeprecationWarning: The distutils package is deprecated and slated for removal in Python 3.12. Use setuptools or check PEP 632 for potential alternatives
from distutils.util import convert_path
Traceback (most recent call last):
File "/home/htb-ac-1306913/setuptools-2.0/setup.py", line 17, in <module>
exec(init_file.read(), command_ns)
File "<string>", line 8, in <module>
File "/home/htb-ac-1306913/setuptools-2.0/setuptools/__init__.py", line 11, in <module>
from setuptools.extension import Extension
File "/home/htb-ac-1306913/setuptools-2.0/setuptools/extension.py", line 5, in <module>
from setuptools.dist import _get_unpatched
File "/home/htb-ac-1306913/setuptools-2.0/setuptools/dist.py", line 16, in <module>
import pkg_resources
File "/home/htb-ac-1306913/setuptools-2.0/pkg_resources.py", line 1426, in <module>
register_loader_type(importlib_bootstrap.SourceFileLoader, DefaultProvider)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
AttributeError: module 'importlib._bootstrap' has no attribute 'SourceFileLoader'
By the way windows-exploit-suggester.py is about 10 years old so I guess you'll have to tinker a bit if you want it to work
Yup exactly
this error for this one
I'd suggest trying to find an alternative that's a bit more recent or trying to update the python code yourself. I personally haven't tried using it
any suggestions
https://github.com/bitsadmin/wesng for instance
updated 5 days ago 😁
almost lost access to internet while using proxifier for this module
(SSH for Windows: plink.exe) be careful lads
worked another way, thanks for your response
why do my request responses look like they're encrypted
got it
no problem
thank you
strange thing, in my browser the responses are not encrypted.
i feel like something is wrong with tls/ssl
but when using https it results in unsupported or unrecognized SSL message
ill restart the machine.
but why does my chrome show it all in response, while burp encrypts it
removed the gzip
now it shows...... thats so strange, why does it show the gzip
dunno, you have gzip in Accept-Encoding request header, do you see that in chrome ?
maybe the issue is burps cert not being installed or trusted?
strange
Serve again.
I am sitting with Skill Assessment for the Webproxies module and am a bit stuck on the question: Once you decode the cookie, you will notice that it is only 31 characters long, which appears to be an md5 hash missing its last character. So, try to fuzz the last character of the decoded md5 cookie with all alpha-numeric characters, while encoding each request with the encoding methods you identified above. (You may use the "alphanum-case.txt" wordlist from Seclist for the payload) .
I have decoded the cookie and as I said, one character is missing to get an MD5 HASH, I fuzz in Burp, but only one result of the attack stands out from the others so I test with that character without success. I've tried a few different other characters found in the attack, but the same thing there.
And one thing I don't really understand is: Once I find the right character, should I decode the MD5 HASH and then just replace the cookie with the decoded HASH to get the flag?
iirc there should be an automatic decompression option in burps options
might be wrong
does the cookie look like an md5 hash?
ooooo found it, it was disabled in repeater
awesome
"So, try to fuzz the last character of the decoded md5 cookie" my bad. but iv been trying the decoded hassh like i said.
My problem is what to do with the cookie after fuzzing, I try to change the cookie to the one I've fuzzed, but none of them work..
alright
no you don't decode the hash after fuzzing
fix the cookie with the complete hash and resend the request
It is what im trying to do:D
if you're trying to do it, then why're you still stuck?
Am I probably the one explaining poorly...
I have fuzzed and tested the ones I get as a result in the attack, but none of them work. I've sneak peeked in a writeup so I know it's the correct HASH for the cookie I'm using etc...
So somewhere I'm simply making a mistake..
yeah
@modest fossil what do you mean by collaborator, that's very vague, i also suggest reading #rules
Guys, in the Password Attacks module, about the PtH attack, there is the method using RDP, which could show an error for Restricted Admin Mode. The module suggests disabling it from the registry entry, etc. And I don't understand the logic of it: if we already got access to the target, in which case would I use this method? Is it only to get the GUI? Or some kind of local priv esc? What benefits does it come with? Thank you!
By default, RDP does not allow authentication via hashes. It expects cleartext credentials.
When you add the key, this enables Pass-the-Hash (PtH) attacks over RDP without knowing the plaintext password.
Since this module is regarding PtH, the module is teaching you that if you have command execution on a target system (but not full credentials), you can enable Restricted Admin Mode to allow Pass-the-Hash (PtH) attacks over RDP.
You'll find lots of command execution vulns
Hi! I am doing "Session Security - Skills Assessment" and have network problem. Could anyone help me?
http://minilab.htb.net/submit-solution?url=http://minilab.htb.net?url=http://minilab.htb.net/profile/
return adminVisited: true
http://minilab.htb.net/submit-solution?url=http://minilab.htb.net/profile?email=julie.rogers@example.com
request fails with timeout, and I think target is also terminated for some time, as it is not accessible via IP
sorry
Hey guys, I need help on the path AI Red Teamer in the exercise "Applications of AI in InfoSec Page 25 Skills Assessment" whatever I try, it turns out that "Your model accuracy is 0.0. Please improve it to at least 90% to receive the flag."
okay that's clear, thanks
Anytime mate
Question: if you cancel your annual subscription before the next payment occurs, do you immediatly lose access or can you just keep using it before the next payment.
like gold academy for example.
Hi man, did you succeed in finishing the module? Because I'm stuck too
hi
yup i did finish it
did you have certificate problem ?
because i try to create a rogue AP for the StarLight ssid but i have a certificate error (because it's autosigned i think)
Hi im doing password attacks PtT on linux.
Could someone explain to me why I would need chisel for tunneling if I have RDP access to ms01? What am I trying to achieve with it?
I got some passwords with air-hammer for "SLH\Sentinal" that i retrieved from the handshake but that didn't work
you at qns 1?
no the second
did u use /opt/wordlist.txt
is ms01 internal network? You might be pivoting to use better tools that are on your attacker box
nop i used the rockyou
then use /opt/wordlist.txt
ok thks i'll try 😉
EAPOL handshake
Hi everybody, I am really stuck with the Footprinting medium lab (https://academy.hackthebox.com/module/112/section/1079), I found the credentials mounting the NFS folder, then I found the credentials in the important document, then I connect via RDP using the first credentials, but when I am trying to log in to SQL server I get an error, any hint on what I am doing wrong?
Did anyone else think that the "ATTACKING enterprise networks" was one of the easiest modules in the Pentesting Path?
Could someone assist me on the lateral movement section of attacking enterprise networks? For some reason PowerView does not want to properly import, tried it both ways where I connect my directory with RDP connection or upload it through DNN, but in both cases the cmdlet isn't recognized
how do you connect to the sql server ?
it is not, if you do it blind
sometimes you need to do adjust powershell execution policy, they discuss it in the modules
I just double click on the icon while I am connected via RDP, I tried also to run as administrator, but when I write down the password I found in the important file I get an error
🤦 yeah that rings a bell, thanks!
hmmm, you can dm me, I think I know what it is, but should not spoil it
@.gzip 👍 👍
After resetting seems like that doesn't work either :/
I should be using the PowerView from PowerSploit repo right
powerview is one way, there are multiple ways to achieve it
It’s says I don’t have access to this link?
Sorry, which link?
u mean the link marcie gave? I believe you have to connect your htb account to the discord
I'm doing the network foundation module. But I can't pass this question. What advanced feature does a Next-Generation Firewall include beyond stateful inspection?
Hey muralikurva, did you ever solve this? I'm running into the same issue as you - as far as I can tell, my hash file looks good and I even re-mutated my password list with custom.rule, as well as tried rockyou.
I used a mutated list.
I'm still stuck on https://academy.hackthebox.com/module/268/section/3062
I'm fairly certain I have to do something with the OTP feature, but I can't seem to find a way to get a result out of my FFUF command for bruteforcing it, as the module partially instructs. Any hints or ideas?
let me try and help you
u could dm me
what can I do to get rid of this error. In the ntlm relay module
or ping me
I'll dm so I can share the command with you
Hi, I still need help
In short, I got the OTPs requested, but my FFUF commands don't seem like they're turning up anything.
The requests are successful, but I can't find the right thing
You can DM what you are trying.
Guys how to open a pdf with password, I forget my password, can anyone help plsss
🧍🏼
pdf2john and pray your pw is in a wordlist
Can you please explain how to do it ? I need it asap
no
it's not related to an academy module, and i'm not in the business of resolving personal skill issues unrelated to my tutoring program (which is for academy)
hiiii so I'm on shells and payloads laudanum web shells, and I'm having a 404 server error come back to me when I do status.inlanefreight.local//files/demo.aspx
I've modified the /etc/hosts file with the vhost
I've added the IP in the aspx allowedIP string
I've restarted the machine, respawned target
Anyone have any other ideas on what I could try?
did you add your ip in the aspx allowedIP?
as in attack box IP?
hm no i didn't actually
what a dumb move
yeah that worked
thanks
NTLM Relay Attacks- Skill Assessment, Q3: Submit the password of the SQL user 'sqlftp'.
Can anyone help with this? I've compromised BACKUP01 but not found any more creds. I'm trying to stick to the techniques covered so don't think I need to run mimikatz to grab more creds from memory?
I've seen the clear-text SQL pass via Responder but that doesn't give me access to any shares on Backup01 or SQL03? (I've tried dropping a .lnk file in the share on Backup01 but no further auth requests have come through)
edit: Think I've solved this, remember machine accounts may have access
Hello everyone. I am doing the ntlm relay assessment, I have a computer account that I created via ldap. I got an smb shell on BACKUP01 but I don't really know how to proceed. Id love a hint towards compromising BACKUP01
^ I've just done this but stuck on next step. With the computer account you've created try Coercing a machine/enumerating ADCS and use one of the techniques to access it @latent glen
I can't seem to coerce
I am trying petitpotam but it doesnt seem to work
lemme try coerce
Look in the krbrelay folder
aight
hi i'm still stuck on log poisoning section of the LFI module
I've attempted to poison the log file with a php shell
however this causes the log to become unavailable
due to payload bunny's hint i've identified characters in the payload that may be causing the issue
i'm unsure how to proceed further
module is above t0 i suggest taking to DMs if you're gonna troubleshoot further
aight
DM if you can't get it working 🙂
As far as i can tell my log poisoning attempt causes the access.log file to "disappear" i.e. i can't retrieve it using the LFI vulnerability but i can retrieve other files
' and " are different entities
true
also if you break the file you gotta reset the target
yh i've been resetting the target a bunch hahah
i realised one thing tho. <> don't get rendered in the browser which is expected behaviour
" gets escaped
grrr keep breaking this file
Hello All ! i'm new on this server.
I'm actually working on the penetration tester path on the module Attacking common services, I'm at this question : What port is the FTP service running on?
this is so frustrating .. I feel dumb because I don't find anything.. is there any problem with this module or am I doing something wrong ? thank you
This one sometimes you gotta reset a few times
Okay thank you ! I’ll try it then .. hope it going to work ! 😁
New to htb. Got stuck briefly on a box b/c I didn't realize the naming convention used here for flags (was accustomed to "flag.txt"). Is there a readme for simple stuff like that? Curious if there are similar naming conventions for ssh keys apart from the typical "id_rsa" or other gotchas that might trip me.
Typically they'll be id_rsa
User.txt and root.txt are the common ones on boxes
Read and follow #welcome to access more channels
it just worked !! after 5 resets .. xD thank you
Thank you! Just did that.
I’m working on JS Deobfuscation:Source Code, it seems pretty straightforward and I see the flag, but it isn’t accepted. Any thoughts?
Don't work ahead
The answer is in the website source code
Thanks! I went straight to the JS file
this module heavily catches you on working ahead
