connection timed out

let me try one more thing one sec

yeah nothing connection timed out

i should be using my tun0 ip correct?

correct, this indicates that your webserver is not seen by the target

what command are you using to serve the webserver?

nc -lvnp 1234

and im specifying that port in curl

show curl command

curl 10.10.16.46:1234

show ip a output on attacker machine

9: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
link/none
inet 10.10.16.46/23 scope global tun0
valid_lft forever preferred_lft forever
inet6 dead:beef:4::102c/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::6420:4b64:366e:c522/64 scope link stable-privacy proto kernel_ll
valid_lft forever preferred_lft forever

you able to ping the target?

also is that the only tun IP?

one sec

seems like you have 9 network interfaces

O_o

here ill send you the full output taking out my local ip

woundering if its docker maybe

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:84:9b:8c brd ff:ff:ff:ff:ff:ff
inet ###.###.###.###/24 brd #.#.#.255 scope global dynamic noprefixroute eth0
valid_lft 72396sec preferred_lft 72396sec
inet6 2604:3d08:6478:eed0::5fc0/128 scope global dynamic noprefixroute
valid_lft 95484sec preferred_lft 95484sec
inet6 fe80::6db3:531:224:ff77/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:39:4e:8f:fe brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
9: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
link/none
inet 10.10.16.46/23 scope global tun0
valid_lft forever preferred_lft forever
inet6 dead:beef:4::102c/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::6420:4b64:366e:c522/64 scope link stable-privacy proto kernel_ll
valid_lft forever preferred_lft forever

let me try the ping

can you do: sudo killall openvpn and then start up a new academy VPN?

The fact that it's interface 9 is sus

i cant seem to ping the ip address intresting. but i can access it in my web browser?

lemme try telnet

Well now we know it's blocking SOME requests

telnet wont work either lol

k one sec let me try that

O_o

now its 10

10: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
link/none
inet 10.10.16.46/23 scope global tun0
valid_lft forever preferred_lft forever
inet6 dead:beef:4::102c/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::8f77:51b5:4d03:f3c6/64 scope link stable-privacy proto kernel_ll
valid_lft forever preferred_lft forever

maybe that's intended idk

I'd restart the attacker machine

resetting it

brb

yeah still nothing

its like the vpn just wont accept incoming connections its super weird

you can try changing servers, regions, or mtu

https://help.hackthebox.com/en/articles/9297532-connecting-to-academy-vpn

In advanced sql injection at skills assessment
When I execute the injection, the injection is correct, but the log gives me false and Extracted SQL state class '42' from value '42601'? any hints?

let me try that

tried all 3 and nothing

so strange

I'm in login brut forcing module skill assessment 1 the command and worlist are fine, but i'm not able to get the correct user name and password and also it give me this error" [ERROR] all children were disabled due too many connection errors"

did the reconspider.py from the info gathering module work for you guys? (for the skills assessment 2 last questions)

send me dm

Hi, guys. I recently finished AEN, and had some questions. So there's a domain account that can WinRM into MS01, but it doesn't show up in BloodHound, under the Execution Privileges section. Is this expected behavior?

Was this privilege through the local group or domain rights?

I've no idea. How do I check this?

Dm

I have been trying for weeks to solve the first question of Advanced SQL Injections in Skills Assessment and I did not reach a satisfactory result. I added the log in application_properties to know my mistakes and I did not reach any solution and all the problems I face in the distance. Any hint please

Ask in #hacker-lounge, this channel is for discussion of the modules on Academy. You may need to follow the instructions in #welcome to gain access to other channels.

thanks for the link! I did learn a couple of new things from there, so will keep in mind if I need it again. So far it's working for me tonight, fingers crossed!

Sorry it was meant to be sent on general

#general is accessible if you read and follow #welcome

DM

yo cani anyone plz get me started

im new:(

i dont even know where to ask questions 😦

Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible

thank you hackster

In the password attacks module, the network services section, one of the question asks me to find the valid credentials and I use hydra and the wordlists provided by the section but my scan has taken more than 1 hour is it normal, or is there some issue?

no nothing really takes more than 30m.. is it the RDP question?

yup

try crowbar maybe, i had luck with that

ok

it worked

there was an academy module in the CAPE (?) path that had a large lab with a ton of ACLs, anyone remember which it is?

there was a table of all the ACLs too

nvm found it, it was in the bloodhound module

i'm just getting to the end of AEN atm, and i'm trying to run the domain passwords through hashcat, and it's finishing super quick without cracking anything. am i doing something wrong? i would have though running rockyou against every domain user would take longer than 30 seconds

here's the command that i'm using: hashcat -m 1000 ntds.txt /usr/share/wordlists/rockyou.txt --username

or are these users just super onto their password security 😂

maybe it's already cracked em: hashcat --show ntds.txt

most of them could just be the same password

i thought that since all the LM hashes were the same

i also thought the same, but using --show just prints out the passwords that i cracked during the engagement

NT hashes or LM hashes? (honestly can't remember which side was which )

LM is on the left pretty sure

Then yeah I've seen credentials with same LMs but still different passwords

i was also wondering if perhaps my ntds file wasn't formatted properly and hashcat wasn't telling me, but i've got it formatted like domain.com\username:RID:LM:NT::: which i think is correct

apparently if it's AAD3B435B51404EEAAD3B435B51404EE exactly then LM hashing is disabled

Yeah that’s not the format

probably why I've seen duplicates

I usually just grab the second part only

https://hashcat.net/wiki/doku.php?id=example_hashes

yeah i was checking there earlier. i also tried chopping the ntds file so it was just NT hashes and using mode 1000 on them

i might try applying some mutations to the wordlist and see if i can find anything that way

You're somewhat falling into a trap of going outside the course.

This same kind of thing will lead you astray in the real thing.

i haven't tried many other wordlists. i'll see if i have any success with something from seclists

Using wordlists is good, and in the course, but mutating wordlists just for the sake of mutation isn't. Even in a real life scenario, that would be a "we're out of other ideas" situation. Usually you'd only go for mutation with a wordlist that was created by you, with some relevant keywords and such.

right ok, good to know. i am kinda out of ideas though lol. feels like i'm bumping around in the dark atm

Hi, I'm trying to open the sample reports under resources, but it is password protected.. am I suppose to find the password through the lab?

The module will tell you.

Ohh right

Thank you

Anyone can give some pointers on Abusing HTTP Misconfiguration > Bypassing Flawed Validation?

the lm hashes being the same doesn't mean anything btw

if LM hash caching is disabled (Forget the actual name of it) then they'll be a default null, unnassocaiated with the NT portion

it's why you typically use the NT portion of the hash in PTH techniques [ LM:NT ]

yeah i haven't really been messing with the LM hashes at all

i typically ignore the LM portion

because it's ultimately meaningless

as even if it were enabled it's a far more limited keyspace with lowercase characters

i'm still feeling confused about putting the NTDS hashes through hashcat. i've created a text file with only the NT hashes and am running hashcat on mode 1000, but it's finishing the entire thing almost instantly which feels way too quick

is it [exhausted] or?

if they've already been cracked then --show will show whatever's been cracked

it's showing exhausted after about 30 seconds, and running --show only shows the few that i was able to crack while i was working through compromising AD

my assumption is that i should be able to crack at least a few more since surely there are a few domain users that are using bad passwords

if it wasn't formatted properly btw hashcat would yell at you about it

if the password isn't meant to be cracked, it's not meant to be cracked and i wouldn't drill into it more

Hi guys,I have doubt in splunk, while analyzing logs and got results on what I'm looking for. Then, I don't know what to do. Could someone help me?

what academy module is this related to?

Hi@fathom pendant may I DM you? I have a question regarding some module question that I want to discuss. Thanks.

and which section

this is vague, NEI also my DMs aren't open for module assistance (see bio)

i suppose you're right. perhaps i can highlight to the client that they're doing well with their AD password security

well except for all the domain creds that i found lol

AD enum and attacks

I don't get you, what you saying

that's the module name, not section name

the bleeding edge vulnerabilities section

this channel is for help with the learning modules on https://academy.hackthebox.com if it's unrelated to an academy module; then read and follow #welcome and probably #blue-team is more apt

@robust marsh My DMs aren't open for random conversation

you can ask your question here

if you're not sure what the module and section name are: read the top part of the section

<Name of module>:heart:
-------
Section Name

If you still need help, you can write me a DM

Hello, any tips for resolving this error when trying to RDP to WS001 machine from the Kali machine. I am doing the Windows Attach & Defence PKI - ESC1 Module (Question 1). Thanks

The penelope shell handler makes life so much easier.

On module Command Injections , lesson, Advanced Command Obfuscation , I got this question and I can t figure out how should I put the command , Find the output of the following command using one of the techniques you learned in this section: find /usr/share/ | grep root | grep mysql | tail -n 1

can anyone help me ?

You need to enumerate again, as what you need isn't hidden.

Resolved by terminating and redeploying the VM

Well maybe the flag is on another machine.

hey guys where i can ask question about the labs Machines ?

<@&861185840277487616>

In CAPE too

Hey everyone,

I'm having some issues running Responder through a Ligolo pivot.

Here's the situation:

I'm using Ligolo to pivot into a network.
I tried running Responder on my attacker machine through the Ligolo tunnel, but it’s not capturing anything.
However, when I ran Responder directly on the target machine (which is a Linux box), it did capture some traffic successfully.

I'm not sure what I'm missing — maybe a routing issue or something else.

Has anyone faced this before or knows how to fix it? Any help would be appreciated!

Thanks in advance! 😊

can anyone help me on Command Injections
Skills Assessment ?

I tried to do the request and fails to get the flag :/

Hello

For the evasion module how do I transfer the exploits to the target

theres no WinRM and theres no SSH

Theres only rdp

there is no one to help me on command injections ? :((

Sup guys, I was doing attacking common services module and I cracked mssqlsvc hash and I started to wonder, what can I do with that hash? Can I use it to evil-winrm with it if winrm port was exposed?

I tried to do this request and still failed to get the flag, can anyone help?

What the hell is that is that hackthebox?

yup... skill assessments

command injections, I am trying to figure this out by 1 hour and nothing

I will dm you

I could not copy

ok

Use RDP

ay doing that

Should my shellcode be indented

you're good 👍

Once you decode the cookie, you will notice that it is only 31 characters long, which appears to be an md5 hash missing its last character. So, try to fuzz the last character of the decoded md5 cookie with all alpha-numeric characters, while encoding each request with the encoding methods you identified above. (You may use the "alphanum-case.txt" wordlist from Seclist for the payload)
can i get some help with that?
its part of module Skills Assessment - Using Web Proxies
and its 3rd exercise, i have cookie but how to do this?

hello

This is a lab problem, restart the target to get another one, change servers, or change regions and get a working one.

I am new here and I was wondering if anyone could help me with a question about Network Enumeration With nmap Lab3.

Introduction to C2 Operations With Sliver > Domain Reconnaissance

Implant Timeout every time I try to execute-assembly or use alias

Getting Session via new-beacon.exe in RDP session

[server] sliver (new-beacon) > use db3b78ba-5127-4fdd-982b-a61183129bad

[*] Active beacon new-beacon (db3b78ba-5127-4fdd-982b-a61183129bad)

[server] sliver (new-beacon) > interactive

[*] Using beacon's active C2 endpoint: https://10.10.14.223:9002
[*] Tasked beacon new-beacon (d4d00ec5)

[*] Session f161143e new-beacon - 10.129.100.89:50263 (web01) - windows/amd64 - Sun, 09 Mar 2025 13:07:53 EDT

execute-assembly

[server] sliver (new-beacon) > execute-assembly /home/p1erce/SharpView.exe "get-netuser -PreauthNotRequired" -t 240 -i -E -M

[!] rpc error: code = Unknown desc = implant timeout

rubeus alias

[server] sliver (new-beacon) > sharpview -- "get-netuser -PreauthNotRequired" -t 240 -i -E -M

[!] rpc error: code = Unknown desc = implant timeout

can someone help?
i can send screenshots on pv

hi

sorry i have a questin off topic

does anyone have a great ressource to learn php

either videos docs books...

Hi, can anyone help with running SharpHound to complete the first task in Sliver skill assessments? I've tried everything but I can't figure out what the problem is

Why doesnt the flag get spawned its been 5 minutes no detection

Hi, I am stuck at the same point. The module says ```Permissions

Not every user can create functions in PostgreSQL. To do so, a user must be either a superuser, or have the CREATE privilege granted on the public schema. Additionally, C must have been added as a trusted language, since it is untrusted by default for all (non-super) users.

For reference check out the PSQL Documentation and this answer on StackOverflow.``` but I can't find any solution

I am stuck at Login Brute Forcing - Skills Assessment Part 1. Can someone please give me a hand? Here is the hydra command I am using: hydra -L top-usernames-shortlist.txt -P 2023-200_most_used_passwords.txt 83.136.249.46 http-get / -s 54017

no luck getting the creds for the basic auth login

hi guys im on XSS PHISHING SECTION iam trying to get the credential of a user and when trigger the link by mine and enter my credentials in appears in the listener but when sending the link to send.php it does not give me any credentials how i can do this ??

btw im using 127.0.0.1:8

how are you expecting to get a callback from their localhost?

127.0.0.1 is localhost meaning only your system

i tryd on 0.0.0.0:8080

but still not work

it works if i enter my credentials

because you're calling it from your browser

can i use any ip

so your browser is calling your localhost

no

use the tun0 ip :)

the one that allows you to connect to the target; 10.129.x.x

is the one that when i do ip a appear the first

when i use it and the port it tells it is used with other things than web

it's literally labeled tun0 in the ip list

yeah i use it but didn't work

if using pwnbox, port 80 is already used up

i suggest using a different port

i can use it with any port

thanks for helping me

i got it

you'd just adjust your payload to specify the port

where can i know somethings like this

it's called adaptive thinking

bc i didn't know anything about web

you need to adapt your thinking to be more flexible

no not about thinking

about know the ports and ips

? you mean knowing you can do http://ip:port?

yeah and more like this

it's a simple thing of understanding that services can run on non-default ports

¯_(ツ)_/¯

kk i wil search about this

thanks in advice

does someone know how to get access to the htb faq forum? Because its only on invite and i'd like to know if its possible to get access there

I am stuck at Login Brute Forcing - Skills Assessment Part 1. Can someone please give me a hand? Here is the hydra command I am using: hydra -L top-usernames-shortlist.txt -P 2023-200_most_used_passwords.txt 83.136.249.46 http-get / -s 54017

no luck getting the creds for the basic auth login

Got the 3rd one, and the handshake for the 1st one but dont think we are meant to break it or so. I dont think we have to set up apache the module states that this is not it purpose

Hello 👋🏻

Hi

What's up ??

Not much. Please read and follow #rules and #welcome

Ok

Any chance you have completed the evil twins module?

I didn’t do that one, sorry

It ok thanx though

forums are being nixed if you mean https://forum.hackthebox.com

I agree, handshake is not crackable.

Regarding the second flag the only technique discussed was that of the firmware update but doesnt seem to work did you manage to get it working?

No, I did not. And I tried a lot of different aproaches. Probably missed something.

I am stuck at Login Brute Forcing - Skills Assessment Part 1. Can someone please give me a hand? Here is the hydra command I am using: hydra -L top-usernames-shortlist.txt -P 2023-200_most_used_passwords.txt 83.136.249.46 http-get / -s 54017

no luck getting the creds for the basic auth login

Your command looks correct. I'm assuming the wordlists are in your working directory?

yes... I am using those wordlists as they are the recommended ones in the question.

Have you reset the target?

yes, a couple of times already.

Do you have the target up now?

yes, the new ip and port are: 83.136.249.46:43769

link to the question: https://academy.hackthebox.com/module/57/section/515

first question in there.

I just ran it and got it.

Are you on pwnbox or your own VM?

pwnbox

Can you send me a DM?

did you run hydra -L top-usernames-shortlist.txt -P 2023-200_most_used_passwords.txt 83.136.249.46 http-get / -s 43769 ?

this exact command? did you use the same wordlists?

yes, I will DM you

When running the program, we get a interactive PowerShell session and we didn't get blocked by Microsoft Defender Antivirus, because we didn't use anything known to be malicious. Even if it decides to do a memory scan of our process when powershell.exe is spawned as a child process, nothing should be detected since we won't be matching any known signatures. Is this fake news because dynamic analysis by Defender doesnt care about signatures it just looks at the behaviour. And we are spawning a PS shell remotely so that is malicious ...

If you feel there's a correction to be made you can post it in #1234357888114364508

Thanks for the information, if im allowed to ask: why was it nixed?

Very little activity, poorly moderated, Discord fills the role and more, upkeep not worth the investment when there's Discord.

• overhead costs
• not enough staff to properly moderate
• discord now fills the role

i believe staff have said they're keeping it ReadOnly but they're not allowing new posts afaik

while it sucks; discord being an async platform that most people utilize anyway allows for better/faster resolution and searching for solutions

Yeah, really like the simple way and its clearness

try ssl intercept

Hi everyone, can someone give me a hint about the MSSQL, Exchange, and SCCM Attacks SA? I feel pretty stuck after the exchange parts. I can't seem to find any way into the mssql server

Good day everyone,
I have been working through the Penetration Tester Pathway, and decided to direct my focus on specific modules such as XSS. I have found myself at a loss, confused as to why the session hijacking and assessment target web servers are blank. Even after running an nmap scan to identify additional pages, there are no pages accessable for an online form with input fields. I have read in HTB Forums that these fields should be shown. Am I overlooking something obvious?

Any hint for the second one?

If I remember correctly start netcat, msfvenom for payload.

Thats the only way i see to but doesnt seem to work i only get a get request for anything.com and stays there

Type cat flag.txt before you receive shell. Very short connection.

Nmap have any limits on windows ? I want to start and every time i use nmap in termianal i got error . Should i use linux / kali linux instead ?

In Windows Privesc > Weak Service Permissions but my question is generic PowerShell. I'm having a weird time filtering for double quotes with findstr. Typically you can escape a character with a backtick or if you need a double quote use single quote encapsulation... but with findstr neither of these is working.

PS C:\> echo "this is a `" test"
this is a " test
PS C:\> echo "this is a `" test" |findstr "a"
this is a " test
PS C:\> echo "this is a `" test" |findstr "x"
PS C:\> echo "this is a `" test" |findstr "`""
FINDSTR: No search strings
PS C:\> echo "this is a `" test" |findstr '"'
FINDSTR: No search strings

why? target doesnt seem even download the payload

Short connection time. But payload should be downloaded.

Ok, figured out a trick to escape with a backslash instead but this only works for findstr and you still have to use the single quotes.

PS C:\> echo "this is a `" test" |findstr '\"'
this is a " test

quirky

Maybe a different internet protocol version?

Hello for the evasion module did anyone make this work: https://github.com/senzee1984/micr0_shell

hi

Hi guys. Im doing the "Getting Started" module and now im learning about "msfconsole" and "searchsploit". I have this IP: 94.237.55.96:55521 . With nmap i got the port 55521 is open with http and the version is Apache httpd 2.4.41 ((Ubuntu)). Im trying everything that comes to mind, but I cannot find a "public exploit" to gain the flag.

Thanks everyone

Are you at Initial foothold ?

Public Exploits

Have you tried: Visiting the ip and port? It's an http server so it's gotta have a webpage

ye

Something should be screaming at you: "look at me!, Search for me!"

Literally the first thing when you visit

look for the source code of the page to identify what its using

also, get the directories with dirbuster, everything can help you

then searchsploit <name>

this is the web xd

when you see WordPress somewhere,

the site is asking : Hack me

I wonder what to search

search for wordpress backup plugin

when you find an exploit for it, try to understand the code and see why it is working in the first place and what its doing

Currently I'm working on Firewall and IDS/IPS Evasion - Hard Lab section from the "Network enumeration with Nmap" module, and I'm completely stuck on trying to obtain the flag. Utilizing the --source-port and using port 53 allows me to see additional info from port 50000 on the target host, and I assumed just like the sectiosn in the module suggested that I can try to netcat and use port 53 to connect to port 50000. However, I keep recieving this error. I've attempted to take away the -p 53 and I still got nothing. If anyone could give me hints that would be greatly APPRECIATED!

can i Dm u please ? rq

it says address already in use, so that means something else is already using port 53. you have to end that service first

so if your running nc end that

okay

this command should show what service is running netstat -tulnp | grep :53

add me .:)

cant its not letting me. try to add me

now ?

I'm stuck on sqlmap essentials, case 6. I got the flag just fine with the hint telling me that the prefix is '`)', but i would have never gotten it without that hint. any idea how I can figure out what the prefix is

without a hint

Hmm okay, I see that several ips are using port 53 currently. How can I end them?!

trial and error. knowing your target and knowing how SQL queries are made.

yo guys, can someone help me the module PIVOTING, im specifically at RDP and SOCKS Tunneling with SocksOverRDP, i have been stuck in this module for 2 days, becase it keeps giving me the same error when i try to execute the Remote Desktop Connection.

The error says:

Remote Desktop can't connect to the remote computer for one of these reasons:
Remote access to the server is not enabled
The remote computer is turned off
The remote computer is not available on the network
Make sure the remote computer is turned on and connected to the network, and that remote access is enabled.

is there any way to use sqlmap risk or level to find that out for you? or does it just come down to manuel enumeration?

dm

i am not sure. there might be, but you can also force sqlmap to use certain prefixes and suffixes

is there a list of good prefixes or suffixs i should have saved somehwere to test?

nah i don't know, you'd have to search i guess

or just read about how queries are constructed

i'm sure it depends on what type of db etc too

i guess i'll just try some of the prefixes i would try from sql injection essentials

still it feels like i could get completly lost on a skill assesment if I miss the right prefix then

?

Hi, I dont understand this one, I see no question here...
How should I approach and what am I finding...

https://academy.hackthebox.com/module/110/section/1055

the hint explains what to do

you can also review the encoding/decoding section

correct me if im wrong but i think only ncat has that option

But what am i finding here? I dont see the question...its just steps

i have a small question :

in IMAP, when I do : 1 SELECT <directory>,
and when there says : 4 EXISTS, how can i fetch this ?
1 FETCH 4 all ?

the cookie...

Am I supposed to decode md5 after this?

Sorry I am struggling here...kinda at beginner stage...

it's a web proxy module, do it in a web proxy and see the results when you have the correct cookie

ohk i think i got it

lets see

also please be careful not to post spoilers from modules, especially skill assessments

Anyone have any suggestions or thoughts to this?

yes sir 🫡 found it 🙂 thanks 🙏

best to just say what module/section/question you're stuck on

?

That's a very generic error indicating network issues, check your network connection through to the target.

and verify you're using the right IP or hostname.

i just did a ping, but it does not reach

is this the initial target?

if so, shut down the target. re-download the VPN if you are using the VPN. shut down the pwnbox. press ctrl+shift+r on the page, respawn the target and reconnect to the VPN or spawn the pwnbox. do not use the pwnbox and the VPN at the same time as that causes connectivity issues. this should clear up any network problems connecting to the target, unless you've had your computer/vm on for a long time then you may need to restart to reset the networks stack.

there are some additional troubleshooting steps you can take beyond that, outlined here https://help.hackthebox.com/en/articles/9297532-connecting-to-academy-vpn

any other machine in the module works perfectly, its just that machine.

I have tried everything I have found, and know, however nothing works.

okay but is this the initial target or something else

you are leaving out critical detials

so, im connecting to the pivoting host, throught xfreerdp, and then i need to use the tool SocksOverRDP, to do pivoting to the ip 172.16.6.155 , however when i connect throught xfreerdp to the pivoting machine and i try to do a ping to 172.16.6.155 , it does not even reach.

Hey @cloud urchin i tried all methods in lab and no "user" runs my shells and my sliver listener is empty for hours

Is it usual to get a server not feeling well when downloading cheat sheet for Process Injection Attacks and Detection?

is this the sliver module?

Evasion module

I just need a point to the right direction please

did you get the "socksoverdp plugin is enabled"? i followed the directions exactly and was able to do this.

which section

Dynamic Analysis

have you tried all 3 methods provided?

Btw I ran the shells by myself and non of them work for my own user ...

The only one I cant do is the micr0_shell one because it wont build on my Commando VM ...

Did u build it on your user host or a VM ?

i'd suggest not using sliver, just do what the module says. try option 3.

yes, i disactivated the windows defender, and ran regsvr32.exe SocksOverRDP-Plugin.dll, and everything goes well, till i try to use remote desktop connectino.

okay, then just make sure everything else is setup correctly. you need to break it down and go step by step ensuring every little thing is correct. if you're not able to connect, you're missing something. make sure the server is setup, confirm with netstat, setup proxifier correctly, etc

the error you provided is straight up a network connectivity error so somewhere along the chain something is not configured correctly

👀

Was bout to ask em how many rs in the word strawberry

anyone here know how to compile the Inveigh C# into an exe?

You could just download the compiled binary from the github page https://github.com/Kevin-Robertson/Inveigh/releases

otherwise clone the repository and compile it from there

yeah that's what I'm trying to learn, but I guess I just download the exe to save time

I read that it needs the Visual Studio Solution to compile it but I only have VSCode (the blue one)

get VS

Hey bro this binary is already provided in the HTB modules

In the Tools directory of any module VM there will be these

how am i supposed to know what the unusual process is :)))))))

U do some research son

lol i got 165 results

now whats the unusal process 🤣

im on SNMP btw, and is SNMP usually always that unstable ?

I mean when i want to get the running processes for example, it always gives me different ones

Well it's UDP so: yes

UDP doesn't do any connection checking, or acknowledgement if packets are received

i see

Which module you on?

footprinting, SNMP

stuck on last question

Ohhh... you'll definitely know it when you see it

okay thank you

and btw : how can i know the snmp version ?

if i need to use v1 or v2c

Did you run an nmap scan?

did you try to use the other enumeration tools highlighted in the section?

when i do this, only TCP ports are checked

however, in autorecon i can see that udp port 162 is open

hmm

Did you do this module after the network enumeration with nmap module? or just stand alone

afterwards

i should revisit it hah?

So you should know how to scan UDP ports

yeah i skipped maybe things
because i know that i can also scan with autorecon UDP ports

but idk how to get banner with autorecon Lets see

omggggg

i found it

it took so long because i didn't look at ||the long output||
I think i should > save.txt it next time :D

Every SNMP community string could contain valuable information

Yes
I just thought that the flag is in the running processes

Hello friends

Deletin that cos that was a spoiler

really ? oh okay

I'm new here and I want to learn please 🙏🏻

Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible

There is a lot to learn

@lament fossil this

I have read :
Windows MIB values
And OIDs

its the same right ?

Ok

MIBs are the databases and OIDs are the reference to objects inside those databases

doesnot this seem advance enough

Please don't post about THM stuff here, this is a channel for HTB modules

please dont complain I know I am not supposed to post here

I was not able to post in general so I did here, will delete it in few minutes

THis seems to be as good as cpts

man after knowing cpts course i am never comin back to THM 🤣

https://tenor.com/view/seriously-laugh-laughing-you-serious-jk-simmons-gif-6107729

These links are not opening

im getting :
ERROR 2026 (HY000): TLS/SSL error: self-signed certificate in certificate chain
error when trying to connect through mysql

i did some research and i could use ||--skip-ssl||
because the server has no own certificate

would this always work ?

No clue, always worked for me but there might be some edge cases

it doesn't let you connect when the certificate is signed that way

i just bypassed the check 🤷🏾‍♂️

now im in 😎

I mean it's just the difference between using HTTP and HTTPS

it's just a security layer through SSL but since your client doesn't like that the server signed its own cert you can just tell it to ignore it

hey @waxen totem did u do the process injection new module yet ?

I haven't done any of the new modules

Am only at File Transfers in PT

Hello

👋

Are u a THM mastermind or something

Hey guys

Hehe not yet, I just completed PJPT from TCM, and here to study more about penetration test.

@faint wagon @velvet jay @solemn patrol this ain't #general chat, please get Verified (instructions here --->#welcome) so you can chat in #general

doing attacking common applications assessment 1, having a hard time finding the vulnerable application on port 8080. Can someone suggest a wordlist to use please ? thanks in advance.

Seclist or rockyou. Txt both or 2gb file choose what u comfortable with.

thanks for the response ( and i could be wrong) but that doesn't sound right seclist I've used raft-large-directories and directory-2.3-medium with no success and rockyou is for passwords as far as i know.

Use hydra or something else bro.

are you looking for a subdomain?

I think is firewall or rate limit or captcha.

I'm looking for a vulnerable cgi app that will allow me to execute code on the server.

dm

Use wormgpt to ask and find bro.

Not laugh it is great ai to help us and do legal work for us

bro just talking

Except he's doing a module not anything illegal. This discord doesn't promote illegal activities and if you haven't done the modules and can't help then your input doesn't really help.

Sorry bro . I'm also saying legal purpose only not to promote illegal activities.

Make sure to read the #rules.

Again I sure to legal activities only .

Bro that is easy

Hi, on the Network Foundations module Introduction to Networks section, 2nd question, for some reason I cannot answer
In network terminology, what is the term for individual devices connected to a network? with Nodes, is this like an error because everything in the page suggests this to be the answer and I have refreshed the session as well

All other questions worked fine except for this

Nvm it was seriously caps sensitive this whole time

Thanks though

I am at the ReGex section, I have this question

Search for all lines beginning with Password and containing yes.

what exactly would you google to get the answer, if possible can you show me like how would you approach this question in googling it, I googled few things but can't get the answer

I am trying to learn how to google right thing, so far I am only getting weird answers for my searches for - regex line begenning word, don't know what else to google in this case

Hello, i'm new here, how do I contact the support in this discord server? I'm having issues with billing.

go to the support bot on htb and ask for agent or email them

Can anyone please help if possible, my pwnbox time is running out and I cannot do this regex practice on my own device, it can only be done on pwnbox

Thank you very much!

linux fundamentals

just after the filter contents section

"regex cheatsheets"

I got the answers from yt but there is no relevent cheatcheet

plenty of them to go around

I already tried looking at those

one that i use is rexegg.com

evem tried the one you have told before

https://www.rexegg.com/regex-quickstart.php

yes this one

it explains all the regex expressions

"^<text>"
outside of [], "^" is an anchor much like "$"

too much data, can know where to go and what to do

you're looking for "starts with"

"start of string" or "start of line"

if you think a cheatsheet that's fairly explanatory on what each function is is "too much data" i have bad news for your friend

is regex used very often in CPTS

for instance you're searching a list for lines that ONLY contain "abc" but not if there's a symbol or space in front or behind

"^abc$" will get you all lines that start with, and terminate at abc

yea thats a very complex regex,

that's really not that complex

that's on the simpler side of regex, and regex can save you loads of time

For you sure, but for me not so much

LInux fundamentals

i barely knew regex when i started, so i can tell you for sure, that this is on the simpler end of regex

this

some can get extremely complex

but is it though

^.*{6,} <-- this is a bit more complex
start, match any, minimum 6 characters

it's used in a couple modules for shortening wordlists, login bruteforcing iirc goes over it a bit, though a shame they replaced that portion with chained grep over using sed

but regex is super useful overall to learn

Seems like this is enough for today, I need to sleep, will ask for help tomorrow if I need it, I try not to ask for help unless stuck for hours which did happen

Wasgood

L4 sent me

no idea who that is but either way this isn't #general i suggest reading and following #welcome to access

Hello, just started hack the box academy and I am on the linix fundamentals module. All of the challenge questions are targeted for htb-student and when I enter whoami, I get htb-random numbers. How would I be able to change my user to htb-student

You need to log on the target first through ssh

Thank you

Plz send the bots when I get the money we do stream raids

etc

its on indeed.com

Lmfaoo duhh

HTTP Response Splitting anyone? I got the xss, figured out everything but the way I make the admin press my amazing payload, anyone solved it and can give me nudge on what I am missing?

Were you able to solve it? the XSS works for me, I just dont know how to deliver it to the admin..

Good morning, I'm looking for help with the Advanced CSRF & XSS module - XSS bypass flag. Managed to bypass the filter with object tag with encoded payload. Can't seem to get a call back with the exfil payload. If someone could share the solution please

dm me what you got and I will reply in a bit - starting up work - so can be 30 min or so before I respond

i just wanna say im a big hater of AD Enumeration & Attacks - Skills Assessment Part II

and everyone who also hates it , is my friend

Not sure what you mean - it's probably one of the best assessments in the course.

more like sissyphus type assasment

im in the middle and cant see the end

dont get me wrong, i have mad respect for person behind it

but there is so much to try and its so time consuming that demotivates

yeah AD enum was more difficult than some other modules in the same difficulty range

but worthwhile!

Hi, for the final chapter of Network Foundations, I am unable login as anonymous user despite copy and pasting the commands into the terminal on my VM instance

You can DM.

Hi this might seem a bit stupid but for the intermediate network traffic analysis skills assesment i wouldve thought that 52 bytes was reasonable as the lesson said 48 bytes is a normal amount

im not really articulating this well but i wrote off tunnelling for that reason

sorry if im putting spoilers

and also how would you know which ip is the host with the pcap files

idk the correct answer but have you tried just drupal ?

I tried brute force using john --format=drupal7 and hashcat -m 7900, but nothing worked

Module : SQL Injection Fundamentals
Section : SQL Injection -> Subvertiing Query Logic

SELECT * FROM logins WHERE username='tom' AND password = 'some' or '1' = '1';
T F-------->T<-----T
|------>T<--------------------|

SELECT * FROM logins WHERE username='tom or '1' = '1' AND password = 'some' or '1' = '1';
T F-------->T<-----T
|------>T<--------------------|

SELECT * FROM logins WHERE username='tom or '1' = '1' AND password = '1234';
T T------>F<--------F
|-----> T <-------|

1 and 2 give me answer of successfully login as "admin"
but why logic no 3 only give me flag.. and show successfully login as "tom"

hello people, im in the ai red teamer path - applications of ai in infosec module, in the skills assessment when i upload my .joblib file it gives me Your model accuracy is 0.0. Please improve it to at least 90% to receive the flag. which i saw someone mention it earlier but didn't find any solution to this issue, does anyone know what must i do

Update: I checked the python libraries i used in my model, which had one that wasn't included in the module's material, used the one in the module and got the flag, hope this helps

also in the validation feedback, the confusion matrix shows that 12 positives were predicted positive, and 13 negative were predicted negative, sooooo...

Can someone help me in Module : windows attacks and defense; Coercing Attacks and Unconstrained delegation?

I am having a hard time figuring out what to connect to and I lost my previous progress from other attacks. I can’t seem to connect to WS001 with bob. Now we have brought in the Kali machine 🤷‍♂️

So I have a question regarding Password Attacks: Pass the Hash

Why does Julio not have permission to access SMB folder \\DC01 when you RDP as Julio, however, when you use the Mimikatz command, you can suddenly access the shared SMB drive to get to his folder, essentially how the flag is found. How does that work

What does Mimikatz execution have that logging in as Julio via RDP doesn't have

Does it escalate his privileges or something, I dont get it

im having a problem with Network Foundations last last question. im using htb web based Pwnbox. does anyone have the same problem or a solution?

hi'

hey guys, I need help in the password attacks module network services section. The question is about finding the credentials of RDP. I have tried using both hydra and crowbar using the provided wordlists but still cant find it. Can someone give me a nudge in the right direction? Thanks.

iirc rdp does not store julio's ntlm hash in a way that can be used for network authentication

it uses kerberos (if available) or some other method, which prevents his credentials from being forwarded to another system like DC01

and since you don't have julio's ntlm hash, you cannot authenticate to smb using ntlm

Good morning, I'm looking for help with the Advanced CSRF & XSS module - XSS bypass flag. Managed to bypass the filter with object tag with encoded payload. Can't seem to get a call back with the exfil payload. If someone could share the solution please

yeah because i'm having trouble getting a rev shell

thats why i asked

please
[16:24]
help me i need help with this module
[16:24]

• 2 The directory we found above sets the cookie to the md5 hash of the username, as we can see the md5 cookie in the request for the (guest) user. Visit '/skills/' to get a request with a cookie, then try to use ZAP Fuzzer to fuzz the cookie for different md5 hashed usernames to get the flag. Use the "top-usernames-shortlist.txt" wordlist from Seclists.
  (edited)
  [16:25]
  got the request with the cookie than fuzzed with the requested wordlist but found nothing

Hi in NFS module, I'm experiencing an error message each time I'm trying to mount the module.
I'm using Exegol, so hacking from a Docker container.
Do you know why?

$ sudo mount -v -t nfs -o nolock 10.129.202.5:/var/nfs ./nfs
mount.nfs: timeout set for Mon Mar 10 13:41:16 2025
mount.nfs: trying text-based options 'nolock,vers=4.2,addr=10.129.202.5,clientaddr=10.10.16.43'
mount.nfs: mount(2): Operation not permitted
mount.nfs: trying text-based options 'nolock,addr=10.129.202.5'
mount.nfs: prog 100003, trying vers=3, prot=6
mount.nfs: portmap query retrying: RPC: Timed out
mount.nfs: prog 100003, trying vers=3, prot=17
mount.nfs: portmap query failed: RPC: Timed out
mount.nfs: Operation not permitted

cpts ?

Hello for:

Evasion Module

Dynamic Evasion

I replicated exactly how the lab does Option 3 and it still doesnt work...

Do I need ot convert it to shell code and obfuscate it ?

If so how do I convert it to shell code ???

module NFS form CPTS path

asked in CPTS and told me to come here

wait

try mounting from the pwnbox

start with this command

sudo nmap --script nfs* 10.129.14.128 -sV -p111,2049

showmount -e 10.129.14.128

havent done this module in a while so thats my best 🙂

cause i switched to cbbh path mid cpts

the thing is if it's failing now I don't want to face the same issue during the exam where there is no PWnbox (is it right?)?

i mean

why is that?

i herd the cbbh was easier to achieve first tho i rlly rlly liked the cpts haha

already run both everything result as expected

networking and windows pentesting was fire

from the pwnbox ?

might be my next move ahaha

hhahah started last week spent like 7 hours a day bro

nop from my container let me run it quickly from the pwnbx

im on 30% soon wish me luck lol

May the Hacking lord accompagny you

😂 XD

it worked smoothly from the pwnbox...
Will the pwnbox be available during the exam?

[03/10/2025 07:52:08] C:\Alpha\Dynamic\day2.exe - OK - Starting process...
[03/10/2025 07:52:53] C:\Alpha\Dynamic\day2.exe - OK - Timeout reached, killing process```
Anyone can help with the evasion module

yes

cpts?

its in the cape path

Thanks for the mental support 😄

Is this where you are trying to get a reverse connection?

sure men

anyonecan help with fuzzing ?

no. Where i am trying (my nc listener) it doesnt receive anything at all.

However this is just the provided log for us to see what is going on with our loaded payloads.

If u are wondering - i did test and connectivity is find with my netcat and the target.

Thoughts ?

So I wasn't able to get it using the content from the section.

guys i rlly need help

you need to set your processors to md5 hashes and then in the fuzzers tab all will appear with 200 and just resend to the browser to view the flag

https://tenor.com/view/star-trek-ds9-deep-space-nine-bashir-julian-bashir-gif-11975112521853580349

can i instead just encode my wordlist ?

hahaha

Recommend including the module/section

can u help me bro ?

ok one sec

using web proxies zap fuzzer - question : + 2 The directory we found above sets the cookie to the md5 hash of the username, as we can see the md5 cookie in the request for the (guest) user. Visit '/skills/' to get a request with a cookie, then try to use ZAP Fuzzer to fuzz the cookie for different md5 hashed usernames to get the flag. Use the "top-usernames-shortlist.txt" wordlist from Seclists.

Does someone has the same problem as me today, machines in CAPE modules are so unstable today, it is not even possible to do the module normally?

Like, 2min machine is available, then 5min not

Can someone help me, i can´t find a way to get this answear right

https://academy.hackthebox.com/module/229/section/2446

Question: Inspect the ARP_Poison.pcapng file, part of this module's resources, and submit the total count of ARP requests (opcode 1) that originated from the address 08:00:27:53:0c:ba as your answer.

in the ARP_Poison.pcanpng when in wireshark, and using this filter: arp.opcode == 1 && eth.src == 08:00:27:53:0c:ba , i get nothing as an answear. What im i doing wrong?

I see. Can you recommend me the resources u used to get it ?

I'm currently trying the av evasion room on THM to help

revshells

in case you are using Exegol (advanced kali via Docker) my probleme was a container network config issue whic is solved by granting more (Sys) privileged 🙂

u solved it at the end right ?

btw idk if u do that but i personally take notes of every module , u should also write notes to urself on the module as well to have it ready in case u forget something . i personally recommend remnotes its really good

@spice star

are you sure cuz i just ran the same command and got the answer

double check youre using the right file

I do it and recommend it too, even troubleshooting settings like this 🙂
Big fan of Obsidian though

Anyone here in the field of OSINT?

Can help why?

yup, in the exercise it says to inspect ARP_Poison.pcapng, yet I had to inspect ARP_Scan.pcapng to get the right answear. After spending some time on the wrong pcaps

pretty sure i did that exact thing for another module 😭

but its crazy, that in the question they say ' Inspect the ARP_Poison.pcapng file', but in reality you have to do it in another pcap to get the answear

I have some questions related to it, I'm beginner,

Would you help?

Is kali still better than most distros? Or is parrot htb better now?

Im new to the Parrot OS but I wanna get the certificates, So should i just get rid of kali and hard focus parrot?

they both work

Hey did u see my question about evasion

#modules message

i haven't done that module

I'm experiencing the same issue right now (since yesterday), my friend. I came to Discord to see if anyone else is having the same problem.

did u use micr0_shel?

I'm reviewing the Sample Report given in the Documentation & Reporting module, and in Appendix E there's a section for most common passwords with passwords in plaintext. Should I follow this example in the exam report? Because I've seen some people say passwords and hashes should always be redacted.

I wasnt able to build that because my Commando VM had some incompatibility.

But someone else said that using the powershell script (option 3) is the solution.

For me personally I am going to go through other resources and master shellcodes before I come back

https://tryhackme.com/room/avevasionshellcode

If you're still having issues, you can DM.

take that wordlist, for username in $(cat wordlist); do md5sum $username > new_wordlist; done

you have a new wordlist with md5 hashes - use that to fuzz

hydra should work - if I remember correctly, you're bruteforcing both users and the passwords. the command from the module should work.

Hey, it really worked, thank you!
I made a small modification to the code.
If you'd like, I can share it with you.

yup I tried using the command provided to me with both wordlists. But when trying with hydra its taking more than 1,5 hours and with crowbar its showing that nothing matched.

you can try increasing the thread count in Hydra (-t flag)

sorry I don't remember more details - but I do remember that some of the hydra attempts took a long time

you should take advantage of Hydra's session saving feature, that way you don't have to repeat stuff

Hi there! I've encountered a challenging scenario in the Dante ProLab. After successfully double pivoting to a host in the 172.16.x.x range, I discovered another IP in the same subnet through a ping sweep. Despite having my tunneling properly configured, I can't get ping responses from this new target, which means I can't even use nmap or msfconsole to determine what ports might be open. Is there something i have missed? A nudge in the right direction would be greatly appreciated 🙂

Hi all! I'm stuck on the windows evasion techniques module in the open-source software section, can anyone help me? I tried using bypass which patches amsi.dll, but I still can't run the .ps1 file

I haven't done it but in theory you can use nmap without being able to ping. It's the -pn option if I remember correctly.

May someone please take the time to view my issue with the module: Windows Priv Esc: SeImpersonate and SeAssignPrimaryToken (Module 67 Section 607)

My question was posted in the Community Help Channel. Thank you in advance!
#1348722231781621790 message

Have you tried bringing them both over via RDP, then running your bypass, then the open source tool?

No I haven't tried this. I'll try it now! Thanks!

you need to run it once

so if you copy/paste the command from the module, and then remember "oh wait, my machine has a different IP", and then fix the IP/port to the one you're using, and run Juicy Potato again - it won't work

simply log out, re-establish the mssqlclient connection, enable xp_cmdshell, and re-run the command (literally just copy paste) - but run it once, with the correct IP/port

Yes okay please share it with me and share how u made it work

Question: When do I compile a CS exploit with visual studio and when do i do a quick csc command ? does it matter

Thank you for the assist, this does make sense.

Unfortunately, after quitting the mssqlclient connection and re-establishing the connection, running the required cmds leading up to the cmd to reverse shell (Setting up a listening port first on my local htb vm) I still do not receive a reverse shell back. The IP I enter within the cmd is in fact supposed to be my local htb vm IP right?

Hey guys! I'm doing the web fuzzing module with ffuf and requests/second is extremely slow right now. Yesterday I got 1k requests / second and now I only get 100 requests / second. Is this common?

Yup, that should be the one. That's weird. I just ran it (exactly what I said) and it worked for me, though I'm not using pwnbox but a VPN-joined VM on my computer.

Didnt work:/ i think i will try tomorrow.

Depends on the specific host (how many connections it can serve) and also likely on your Internet

Thanks, do you think it's possible ISP has restricted my connection because of the fuzzing?

I just tried it. Same result

I assume you at least got a better output in the SQL machine? Meaning this:

If you got that, but can't get a revshell back to your HTB VM, I'd first try resetting both the attack VM and the target VM - it's likely there's some mud in the pipes, and you can't establish a connection

I'd say that's very unlikely, ISPs don't really do that kind of thing, especially not for fuzzing.

Thank you again, I agree this was strange. I did reset both again and specified a different listening port "12345". This worked just as your screenshot shows. I assume I may have needed to verify there was not still a process running "8443", then kill the process running the listening port "8443" on my local htb vm before attempting to use this port again.

Strange either way but it works now. Thank you!

I can't text in general
Anyone know why?

Hello there, I’ve been trying to figure this out for the past hour, but I still can't get the correct answer.
Network Foundations
The question: What type of cable is used to connect components within a local area network for high-speed data transfer?

read #welcome

I haven't done that but I'd guess it's a particular category of cable, with a specific number

i think i have it

can anyone help me with this ? The above exercise contains an upload functionality that should be secure against arbitrary file uploads. Try to exploit it using one of the attacks shown in this section to read "/flag.txt"

File upload attacks , lesson Limited File Uploads

I don t understand how to proceed to get the flag, I get errors while uploading...

Sorry I was in a meeting. You can DM what you are trying.

Quick question regarding fuzzing using Burps' intruder. If I'm setting the directory to finding a certain type of file and I'm getting a 400 or 403 status message; does that mean I'm skipping a step?

this is after all the bypass sections yeah?

I see but i been trying everything but still can't get the right answer.

it's not looking for any type of 'cat'

man i got it now but dude, this is not possible without knowledge about certain softwares

i thought i can || the spoilers sorry @fathom pendant

and how can i use strg+alt+Q in kali linux? :D

spoilers don't mean shit

anyone can click on it

can u help me with a qusition on Network Foundations

yes but i explicitly wrote: "spoiler:" before it
How should i do it next time?

, @proven valley ^

ohh i see ok

that doesn't matter; anyone can still click on it, obfuscate the username with a* consider anything you find as potentially a spoiler so services and such would be considered heavy spoilers

okay. sorry again!

but everything needed to enumerate was 100% taught by the module

I don t understand

Hello, My name is Erik Heijne. Can I talk to someone who works at Hack the Box in Athens?

if you're having technical issues you should contact support

I dont. I would like to talk to someone regarding a company visit to their office in Athens. Serious business students who are interested in HTB! Any help would be great! Kind regards, Erik

you should contact support

https://help.hackthebox.com/en/articles/5986762-contacting-htb-support

Hi, I study in HTB_academy and I trying to run .exe on the windows server 172.16.5.19 in module Pivoting, Tunneling, and Port Forwarding in Remote/Reverse Port Forwarding with SSH in Penetration tester path but I always getting error
I need help (изменено)

I understand. This way usually takes too long. That's why I am trying in discord. Is their someone you can connect me to, maybe a phone number or discord so we can discuss this?

There is no support on discord - only on the site.

Is their someone who sees this and could connect me to the right person? Support is not the help I need. Thank you in advance.

If you need to speak to staff, the site support is the help you need.

Alright I will try that way then. Thank you

you're only able to get support by email or on the website

can anyone help me with some tips ?

The above exercise contains an upload functionality that should be secure against arbitrary file uploads. Try to exploit it using one of the attacks shown in this section to read "/flag.txt" , I don t find any clue to get the flag

this is not in a module per say but does any know how to a listener to lingolo for a third pivot

is it the same as

listener_add --addr 0.0.0.0:11601 --to 127.0.0.1:11601 --tcp

have you try a svg file with XML injection code?

Hey, got stuck with Nmap-hard, i'm using the scan nmap with source 53. And geting the open 50000
PORT STATE SERVICE REASON VERSION
50000/tcp open tcpwrapped syn-ack ttl 63

but not sure, where to dig further, nc or ncat cannot connect in any way.

nc with the option -p53

Have you tried: scanning UDP? 👀

If it's not a module then ask in the proper channel for your question

F***, it's were so close. Thx bro, that small trick did the job

curl -X POST http://94.237.57.237:38154/upload.php
-H "Content-Type: multipart/form-data; boundary=----WebKitFormBoundarydu1fIg0OKlbg8Rtr"
-F "uploadFile=@shell_b64.svg"
Only SVG images are allowed , I tried this and failed

Inside the svg file, is it something like this?

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "whoami"> ]>
<svg>&xxe;</svg>

<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
<rect width="100" height="100" fill="red"/>
<text x="10" y="20">&xxe;</text>
<text x="10" y="40">XXE Test</text>
</svg>

curl http://94.237.57.237:38154/uploads/proc_cmdline.svg
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.41 (Ubuntu) Server at 94.237.57.237 Port 38154</address>
</body></html>

@makyrhttps://youtu.be/12gXUitWyU4

still didn t get a way for the flag

all you need is uploading a svg file with XXE code in it.

it says success but could not make it to do the command

have you try viewing the website source code after upload? like ctrl + i

I did and still doesn t help me

invalid input

I still don t get how to get the flag :/

HTTP/1.1 200 OK
Date: Mon, 10 Mar 2025 20:56:36 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 26
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

File successfully uploaded

when I enter on the file it says not found ... wtf

welp, solved in the end :\

I'm having trouble on the information gathering web edition vhosts module and I can't figure out why I can't get it to work can anyone give me a hint on what I might be doing wrong?

which question that you're stuck?

i think i may be entering the answers incorrectly or I'm not sure exactly what it's asking me to find when I scan vhosts it gives me the entire list

nvm i'm dumb

it was an issue of ports

just send it to your last agent

@keen walrus read and follow #welcome to access #1347991714480128173 ;

also be mindful of spoilers

that was quick

no

Anyone who has done the WiFi-EvilTwin Attacks module? I have some questions about skill assessment, I would like to compare results

hi

Hi can someone help me with the question

Check the /tmp directory and find Julio's Kerberos ticket (ccache file). Import the ticket and read the contents of julio.txt from the domain share folder \DC01\julio.

for pass the ticket from Linux in the Password Attacks module? I've been stuck on this for about 3 hours.

are you unable to use the ccache? NEI to properly help you

you just repeated the question without stating what you've tried [redacting spoiler info like full filenames]

So far I've tried following what it says in the section for importing the ccache file into the current session. I've found two ccache files for the user julio and tried exporting both of them individually. When I check afterwards with the klist command though it just gives me "No credentials cache found".

you're setting KRB5CCACHE=<filename>?

Yes I am

well = /path/to/filename

it's generally best to use the full filepath

Omg... yep, that was it. Should have seen that lol. Thank you.

Can someone give me a nudge or help on the Linux priv esc logrotate - I have logrotten compiled, made a payload one was just to read the flag from root and the other was a reverse shell like given in the module example. Neither worked. Any help appreciated

That exploit is really finnicky. You may have to restart the target a couple times. Also, once it connects, the connection is generally only up for a few seconds so make sure you have your command ready to paste to read the flag. If you weren't able to establish a shell then you may have to modify access.log a couple times with the command provided.

I believe I also found it really only works once, so if you got it to work you need to restart the target. I could be misremembering but I think this was the case.

Ahh okay so I could’ve done it just not been quick enough I just spent 4 hours pulling my hair out. I’ll try it again in a few hours. I think you are right.

I did check the forum. The log file goes from flag.txt to another log.1 or .2 very quick

I’ll try restarting the target too. Thanks

Anyone here who is finished with Internal Password Spraying - from Linux | Active Directory I can't seem to do passwordspray using kerbrute using the found usernames from the previous section. It always says KDC_ERR_ETYPE_NOSUPP

did you allow it to continue? i got that error but it still worked

Yeah, unfortunately it was finished. Says 21 out of 50+ usernames tested with 0 successful

I also tried cme but still no luck

nevermind, I just have to filter out/remove those usernames that would cause errors

I am trying to answer the first question on the Introduction to Binary Fuzzing section Glee with Klee, but it is not recognizing the LLVM bytecode when I am following the commands in the section. I installed KLEE with snap on the pwnbox to do this because I cannot pull the docker image for Klee to try it that way because the pwnbox doesn't have enough storage for it.
Question: Based on the contents of test000002.ptr.err, which line of the intermediate language (IL) file assembly.ll does the vulnerability appear on? Provide only an integer, eg 123.

Hello,

Sorry for the late reply.

Since I don’t know C#, I just gave the code to ChatGPT and asked it to modify it so that it sends the reverse shell to my own IP and port.

There was no need for any obfuscation—HTB explained the reason in the module.

If you don’t mind modifying the code yourself, please let me know. I’ll be at my computer in about 1.5 hours and can share the code then.

Thanks send it over when possible in a txt file here or dms

(U just paste it)

Alright, I’ll share it as soon as I get to work.

Thanks gonna try it in the morning 👋

@languid imp please don't post content from any modules above t0.

I made a mistake; I forgot that this was public. Sorry!

Can somebody help me or Am I hopeless?)

Hi. I am using attackbox and I get an error while getting TGT using gettgtpkinit.py. Any suggestions? Thanks.

Hi

I wanna learn hacking so where do I start

Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible

@gleaming tundra ^

First time using bloodhound tool. It says in the academy to do sudo neo4j start says it's already running (pid 2703). Typed bloodhound says No database found at bolt://localhost:7687, I tried http://localhost:7474 still nothing.

can you type sudo netstat -tulnp | grep neo4j?

No output, but here's the output when starting neo4j

┌─[✗]─[htb-student@ea-attack01]─[~]
└──╼ $sudo neo4j start
WARNING! You are using an unsupported Java runtime. 
* Please use Oracle(R) Java(TM) 11, OpenJDK(TM) 11 to run Neo4j.
* Please see https://neo4j.com/docs/ for Neo4j installation instructions.
Directories in use:
  home:         /usr/share/neo4j
  config:       /usr/share/neo4j/conf
  logs:         /usr/share/neo4j/logs
  plugins:      /usr/share/neo4j/plugins
  import:       /usr/share/neo4j/import
  data:         /usr/share/neo4j/data
  certificates: /usr/share/neo4j/certificates
  run:          /usr/share/neo4j/run
Neo4j is already running (pid 2703).

try: sudo killall neo4j then start it up again

the same thing, at a dead end. Also tried accessing both bolt://localhost:7687 and http://localhost:7474. Still nothing

If you are starting the neo4j service on the target machine and you use the workstation (yours or academy's) to visit the above port it won't work, unless you do port-forwarding

yeah for some reason, neo4j is started by default when spawning the target. Even sudo kill can't stop this thing

Is it maybe running the daemon as a service? sudo systemctl status neo4j

Tried that also but it says not found. Also neo4j.service

am now officially confoosed

I can't finish this section also I wonder how others did it

Run bloodhound locally in a docker like everyone else

Maybe if I'll run bloodhound on my own machine then just transfer the files from the target to mine

Ahh yesss

So bloodhound's ouput is just based on the imported files (results) right?

Correct

If you can gather bloodhound data technically you can also ldap dump as an alternative

but then no graph

Wdym with no graph?

@hasty trellis please don't spoil skill assessment info :)

Upsss, sorry

anyone faced this issue before? Thanks.

https://tenor.com/view/will-smith-shades-mib-men-in-black-neuralyzer-gif-17328155

Good morning, I'm looking for help with the Advanced CSRF & XSS module - XSS bypass flag. Managed to bypass the filter with object tag with encoded payload. Can't seem to get a call back with the exfil payload. If someone could share the solution please

how did you make it worked? I got the same issue

Perhaps you'll need a different payload 😉 I found this a useful resource: https://book.hacktricks.wiki/en/pentesting-web/xss-cross-site-scripting/iframes-in-xss-and-csp.html

#challenges if you don't have access get verified, instructions --> #welcome
make sure you upload an image for that challenge btw

Thank you, I'll check this out. I did try the iframe Payload from the module so I'm not sure if it could be the way I'm sending it

the payloads might require some tweaks such as adding encoding - anyways, feel free to DM if you need further hints

Alright I'll give it a go, thank you!

Please don't share content on skill assessments, deleted

ok well without going into specifics I have given the IIS user write access to the DB file as described in the module but for some reason am still getting an error that it can't write to the DB, I've also double checked that my web.config file has the correct path specified for the DB

Anyone available to DM about the skill assessment for the Advanced deserialization attacks module?

I just gave the IIS user write access on the entire app folder and it worked

Hello! Could anyone give me any hint on Q3 of the ntlm relay attacks's skills assement? I am kinda hardstuck

thank you!

Hello, I am working on Windows Privilege Escalation > Skills Assessment Part II and I have found the password for the iamtheadministrator user which was the first question. I am now supposed to answer question 2: Escalate privileges to SYSTEM and submit the contents of the flag.txt file on the Administrator Desktop However I can't seem to be able to authenticate anywhere as the iamtheadministrator user. I tried with rdp, with evil-winrm, with the runas command on windows command line but everything fails. What should I do? Are you not supposed to authenticate as that user?

Try install something on that machine with the account that you have?

I'm not sure what you mean, I uploaded LaZagne.exe and SharpUp.exe to the target and ran them and it worked.

msfvenom -f .msi ?

ah ok, yes I guess I could, so should I look for a payload that will authenticate me as the iamtheadministrator user?

just try a simple reverse shell payload.

Ok why not, but I'll just have a shell as htb-student on my attack machine that's not any progress since I can already rdp into the target as htb-student

Hello im a newcommer to cybersecurity and im starting with the "Information security foundations" course from the academy. The thing is it starts with setting up linux, some bash scripting, setting up windows and a VPS server before covering the "introduction to linux" and "introduction to bash scripting". Im not sure if im meant to do as they say and copy everything they do even though i don't understand the bash scripting and other things or if it is that im missing some foundations.

you don't have to do all of that

it's more of a rough guide than full step-by-step instructions

I see, Thank you very much, was stressing a bit😆

Hey, so I just did it, I created a reverse.exe payload and I have a shell on my machine, but as I expected, I'm still authenticated as htb-student user. I still can't authenticate as iamtheadministrator...

you're likely just underthinking the issue check the registry to see if certain things like > always install elevated < is enabled and go from there

ok ok will try, but then there's nothing to try with the iamadministrator user? Kind of thought the first question was laying some basis of elevation but maybe not

maybe take a step back and evaluate your surroundings then. or just take a break and come back fresh minded

@fathom pendant any idea on the issue I got?

1. I haven't done the module
2. you didn't even say what your issue is "i need help" is vague, considering it's a t2 module you'd have to redact some info for others to understand where you're at

Hi just to make sure i understood correctly
In RDP over socks section in the pivoting module
I have 4 machines

1. My host
2. The first pivot host (10.129.x.x)
3. A second pivot host (172.16.5.19)
4. The target which is 172.16.6.155
   ?

is it me or is nmap faster when using --open? if so, is there any downside of using that parameter?

i guess, context loss

also if you're testing firewall rules, network segmentation or maybe just being through, --open is basically self sabotage

correct

probably just copium tbh

Thanks!

i dont understand both of your answers 🤣

i dont think we tackle that in cpts?

whats copium?

coping

aka it's nothing but you're coping that it is faster

should i use --open or am i better off without it

you don't generally need it

ill just continue not using it...

thanks

Hey it got deleted. can u DM me it, sorry about getting u in trouble

im doing a report of my blind AEN run using the sysreptor template for CPTS.. i have this really tedious section here.

do i have to write down every machine and every open port here?

you should, it's just a markdown table so it's not that fancy to add rows/columns a lot can just be copy/paste new rows

work hard or go home. got it!

it's meant to be professional :)

and professionals wouldn't skip details

im taking that reporting seriously. failing the exam because i can't get the flags is okay, but failing because of the report would kill me

why its not going users???? 😭
lab : https://academy.hackthebox.com/module/116/section/1173

task 1

restart the box, just for a sanity check

everything looks good otherwise.. pretty weird