#modules
The only adult excited for Monday this week
Curious about your "non-standard" way you got the answer btw
Missed that part
Also sometimes: resetting the lab gets it to work properly
If you wanna submit an #1234357888114364508 if you can't get it to work, go for it
sry
@spare river deleting the references due to it spoiling the answer, basically
If you reset the lab and can recreate the issue: #1234357888114364508 is the place to post with module name, section, and issue
no problemos
Otherwise consider it a one-off error.
just wanted to help other people who might be stuck lol
even though they probably are doing it right
These things happen, labs don't spawn properly/startup scripts don't run
Suggestion for future troubleshooting:
- reset lab
- change vpn regions [respawn of lab will be required]
I can see that my problem has already been written about for almost a month ago
I assume the problem is not resolved
hello i started htb yesterday and i am about to finish the network foundations but i am running into a problem when i try to use the nmap command, i am using a virtualbox and connected to htb vpn but when i run the command it is just stuck here. i restarted multiple times and tried to connect to different servers on the vpn but i still have the same issue
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-15 00:12 UTC
nmap can take a while
ive been trying for like an hour
Have you tried pressing any key during the scan? It should show you the status
it says scan about 99.99% done and that 0 time remaining
you can use the flags -T and --min-rate to increase the speed, there's also --stats-every flag to get updated every <insert time here>
You able to ping the target?
I'd re-run the nmap command with the flags I've mentioned
ok i will try it thank you
you can also add -vv to show status along the way instead of waiting for it to finish
it worked thank u but now i have the netcat thing it shows nc command not found
perform some basic troubleshooting, make sure it's installed.
sudo apt install netcat ?
Hey guys I need any hint at alert machine in htb, just give me a hint to get to the root or flag like: focus in the page source, use gobuster to find directories and like that, thank you
I did use gobuster and viewed the page source and these basics but I didn't get to something valuable
with what?
my telegram is a hack
No one here can help you, you'd have to reach out to Telegram.
okay tq
#1318239802931286066 if you don't have access, get verified, instructions ---> #welcome
I've read it like 70 times and I still don't understand "Get a session cookie via a valid login and then use the cookie with cURL to search for the flag via a JSON POST request to '/search.php'"
I did everything they showed in the module but nothing at all.
Hi Guys so I'm doing the Getting Started module and in the Service Scanning section the only reason I know the user is because they give it to me but is there a way of getting that user and password? am I going to see that later one?
which module?
web request
its called Getting Started second module in the pentesting path
In short yes, don't worry about it for now
ok awesome thats all i needed to know thanks
gotta be more specific when you say: I did everything they showed like what command you used and its response
when you open up the Web Developer Tools from your browser, navigate to the "network" tab & you could edit the cookie on the right hand side
It tells me to validate the cookie but I already did it dx
I must have done something wrong
might be the session cookie expired
I did it because he wouldn't let me have this other cookie that I gave
@fervent lantern @deep bay please don't post direct solutions and spoilers. if you're willing take this to dms
also you don't need to meddle with the cookie at all
my bad
read what the question wants carefully; it wants you to do a search for flag using a valid session cookie (which you'd get via logging in with the user:pass); not mess with the cookie
the reason for using curl is that the section is set up to only respond properly to the curl User-Agent
Do it from the pivot host via ssh
@dry falcon please make sure not to post content from the modules.
hoddon, I forgot which module and section is this?
Ohh I thought it was something else, nvm haven't done that module
@dry falcon it came up instantly for me, make sure to read the note section under the ping commands. if that's not it, try another server or region.
wow i reset machine and it work 
First, try renaming any city to "flag." Then, delete it. Once that's done, search for a city named "flag" to get the flag. WTF? I did that and it didn't give me the answer. lol
Well of course, you deleted the city 
Bro, what the hell, how come I asked the question correctly and it didn't work for me? It's just that it's so hahaha
try deleting other cities
Developer would say; it's not a bug, it's a feature
Why do I get: bash: jq: command not found?
jq might not be installed
apt install jq?
sudo apt install jq
xd
Finally I solve a question myself 🥲
Ain't gonna lie to you you'd be much further along if you just close discord and think for a while. That being said, don't think for too long
Maybe they like talking to you
because I get this error Unknown column '' in 'field list'
has anyone done the C2 Sliver module?
yeah
https://academy.hackthebox.com/module/241/section/2637
Question: "Assess further the web application and submit the name of the database user"
Was this meant to be using any particular command within sliver? I answered the other questions but after trawling through a few folders related to the app I couldnt find a db user. Wondering if I'm missing something simple.
kinda random to put in that module but its a web attack
I already got the implant uploaded, and working. and able to use sliver commands. just wondering where this question is coming from. it does seem kinda random
its not even related to sliver
just straight web
cool. that was part of my original question. whether it was just snooping around or if it was sliver command related.
Complete the web application form now which form do you recommend I take?
Because it won't let me connect to Firefox, I get this Check that Firefox has permission to access the web (you might be connected but behind a firewall)
Hi , for some reason I can't send message in public chat , can i ask here ?
Anyone done blind sql injection module, out of band dns section? Does interactsh or burp collaborator works because lab uses an internal ip.
follow the instructions in #welcome to gain access to other channels.
Which cert? Theres channels for each of them, am pretty sure you have access to message there
It's about great ine offer or taking cpts
cpts no question about it
Any 3 certs + 1 yr premium subscription from ine or cpts
That shi is sooo hard
Ine offer cost 350 btw
You can ask in #cpts if anyone has taken both and has takes, but you can see from Googling ine isn't really held in high regard. HTB has the best content I've seen for learning.
What you need help with?
It won't let me connect to my vmware's internet
I don't know what you mean by that
I get this look
Hmm. We're having trouble finding that site.
We can't connect to the server at start.parrotsec.org.
If you entered the right address, you can:
Try again later
Check your network connection
Check that Firefox has permission to access the web (you might be connected but behind a firewall)
I don't know what to squeeze
What module and section is this from?
I asked for help because I don't know what to press on my virtual machine.
That's why I ask here on this channel
Is this a part of an academy module?
no why
Hi, I have no idea where to ask but where do I start hacking? I've been wanting to learn for a while now but I'm not sure where to start.
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
@urban ore
Oop, Thank you <3
Ine is trash
Hello @cloud urchin i need some help on this, please. I that the j**** user belongs to the right group to approve the cert but i am missing another permission that is required
always best to say the module and section you're on
i am on ADCS Attacks. The last question of the Skills Assessment "Compromise DC01 and submit the value of the flag file at C:\Users\Administrator\Desktop\flag.txt"
Make sure to check all the permissions all of the users you have credentials for
Why shouldn't you be able to use your PC?
But you're probably better off in the #homelab-sysadm channel, as it has nothing to do with the Academy modules.
oups sorry
I clean all
It's all good, you don't need to delete your post.
But you probably have a better chance of getting a good answer there than you do here.
I used to be an admin for an esports team. Good topic on the right channel, avoid triggering me
tough guy
Can I ask here for a solution for the skill assessment machines found in the end of the modules?
exact solution? no, hints yes, try your best not to spoil the content especially the answers, it's usually better to take it to DMs
hello again, I did it :
i'm following this : https://pwndoc.github.io/pwndoc/#/installation
now but still didn't catch how to open pwndoc as it explains in the set up module, anyone to guide me please ? appreciate !
Description
Application is accessible through https://localhost:8081
API is accessible through https://localhost:8081/api
it's meant to run as a docker container
I need help in KERBEROS ATTACKS - Unconstrained Delegation - Users
I'm supposed to use krbrelayx.py but it gives me errors. the module told me to remove the impacket version I have and install a new one from the source, now I have this problem
```
Traceback (most recent call last):
  File "/home/anan/HackTheBox/Academy/Kerberos/krbrelayx/krbrelayx.py", line 45, in <module>
    from impacket.examples import logger
ModuleNotFoundError: No module named 'impacket'
```
try not calling it with python?
Hi! I'm stuck at upload files attack skill assessment
How
I've done all the steps and uploaded the file
like ./krbrelayx?
Now I want to know the url to see the uploaded file
i genuinely wouldn't recommend uninstalling unless you were running into dependency errors
you have to figure that out via the methods shown in the module
figure out how to leak that info
I installed it again using the normal apt install but I still cant get the script to run
yes I leaked it and I know the directory /user_...
what I'm I supposed to do
i mean you can also install sudo pip3 install impacket the no module found error means that it's not in your python installation
check the function in the upload.php
run it locally with php -r
find out what the function is doing to your filename
I still get the error
```
└─$ sudo python krbrelayx.py -p 'C@lluMDIXON'
[*] Protocol Client SMB loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Running in export mode (all tickets will be saved to disk). Works with unconstrained delegation attack only.
[*] Running in unconstrained delegation abuse mode using the specified credentials.
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 80
[*] Setting up DNS Server
[*] Servers started, waiting for connections
[-] Could not start DNS server. Address is already in use. To fix this error, specify the interface IP to listen on with --interface-ip
Exception in thread Thread-3:
Traceback (most recent call last):
  File "/usr/lib/python3.12/threading.py", line 1075, in _bootstrap_inner
    self.run()
  File "/home/anan/HackTheBox/Academy/Kerberos/krbrelayx/lib/servers/dnsrelayserver.py", line 107, in run
    self.server = self.DNSServer((self.config.interfaceIp, 53), self.DnsReqHandler, self.config)
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/anan/HackTheBox/Academy/Kerberos/krbrelayx/lib/servers/dnsrelayserver.py", line 34, in __init__
    raise e
  File "/home/anan/HackTheBox/Academy/Kerberos/krbrelayx/lib/servers/dnsrelayserver.py", line 28, in __init__
    TCPServer.__init__(self, server_address, request_handler_class)
  File "/usr/lib/python3.12/socketserver.py", line 457, in __init__
    self.server_bind()
  File "/usr/lib/python3.12/socketserver.py", line 473, in server_bind
    self.socket.bind(self.server_address)
OSError: [Errno 98] Address already in use
```
Could not start DNS server. Address is already in use. To fix this error, specify the interface IP to listen on with --interface-ip
<--- SNIP --->
[Errno 98] Address already in use
can i use cewl on multiple sites in one command or do i have to do one site per command?
How should I proceed with docker ?
Hello, can someone have ideas to fix the RECURRENT black screen issues when using RDP ?
i tried specifying dynamic resolution, gfx, changing vpn, restarting the machine, using Remmina
nothing works all the time
it's either i'm lucky or i won't be able to fire that machine for the whole day
it's not even working from the attack box sometimes
The Shell & Payloads assessment is undoable rn, it keeps crashing when you scan ports, go on webpages or other small interactions
i was on the attack box
i'm just telling you what i'm seeing on the installation page you linked
well you don't need to scan any ports
you're practically told where to go for the assessment
pressing enter helps sometimes
make sure you're not running the pwnbox and your own vm at the same time
i needed to scan ports to find the web service running on another port than 80
even if i could try it by hand since it's a common one
isn't it only on windows hosts ?
shells and payloads gives you a jump host to start from; then 3 targets, i don't recall needing to do any special scanning as the info was given in the brief unless i'm forgetting something
Restore the directory containing the files needed to obtain the password hashes for local users. Submit the Administrator hash as the answer. Windows privilege escalation
can someone help me with this?
did you try restoring the directory? i believe some useful stuff is on the desktop of that machine
yeah looking at the live engagement section you don't need to scan anything; all the info is given to you
well host 3 maybe
but that's about it
yep is helping me but idk how docker is working with container. i'm reading doc but I've the feeling that I'm just losing my main goal that's installing pwndoc
docker compose is a docker plugin that allows you to use yml files and such to orchestrate setting stuff up; it literally gives you the docker commands to stop/start and such
I restored the directory but I have to find administrators hash somehow
well look at what you restored and how it may be useful;
gotta exercise some level of thinking to figure it out
The best advice of my life)
i believe there's multiple backups you can restore
im working on shells & payloads - the live engagement, when i connected to the rdp, and gathered a few information, i didn't find a browser in the rdp, which kinda confused me i need help
firefox
Hi guys, did anyone solve this question from the windows priv esc module 'Using the techniques shown in this section, find the cleartext password for the bob_adm user on the target system'
Hey, i'm on the Sessions part from the metasploit framework module, the machine has port 80 opened, but i can't manage to browse it or even curl it
Take a look around the machine. The module shows you the various techniques you can use.
I got a ps1 script and a string and I am not able to decrypt it to get a clear text password
Then keep looking
Is that the right way to do it, or i am doing it wrong
Found some passwords too, and none of them are for bob_adm
Just look for everything. And by everything, I really mean everything.
Just because you have found something does not mean that you have all the information.
Intro to C2 Operations with Sliver / initial access - Assess further the web application and submit the name of the database user ... i dont get it, tried all users found on there, any hint ?
Give me some hints
|| Users like to write things down. ||
I gave someone a hint on this the other day. Use the search feature.
Yes the user j**** is member of the group that has right to approve certificate. I am able to request a certificate but when i try to approve it using the creds for j i got access denied
Hi, did anyone do Hacking WordPress from hackthebox academy, I need some help related to the skill assessment
link the section you're on, if it hasn't changed i believe i've finished that
Skill assessment....
a link so i dont have to go search for it?
ok
thats usually how we format questions here
@fathom pendant im wondering just how much of this obscure nmap evasion stuff i need to master to be ready for the cpts...
thanks you on Q1?
Sorry I couldn't understand this one....
Please help me out for the skill assessment, I am having trouble with the enumeration
The above is the section
ok so assuming you've done no enum on the target at this point what have you tried? have you ran a wpscan?
its saying that its not a wpwebsite by wpscan....
did you get your hosts and all that good stuff set up?
your /etc/hosts set with the target IP and hostname
I did the inlanefreight.htb and logistic.htb setup... in the hosts
have you done vhost boxes yet?
do you know how vhosts work and all that good stuff?
launching the lab so i can see how you got to where you did some stuff doesnt /seem/ right, at glance tho
ok so you're at http://inlanefreight.local right? does this look like a wp blog? if it just looks like a regular page that would explain why you're getting the results from wpscan, browse around on the site, what link might reveal/redirect to the wp blog?
Guys if someone has done Windows Privilege Escalation all that backup stuff pls contact me need your help
@severe lagoon ^
Yeah trying
cool cool just checking. dont over think it. this requires some manual enumeration of the page to find the wp blog then adding the url you discover it located at to hosts
aka "clicking around"
Thanks, it worked
Hello Guys ones again if there is someone who has done Windows Privilege please help me with the last question how did you find administrators hash
I am doing windows priv esc, which question DM me
there was no firefox
try bloodhound-python -u user@domain_b.com -ns <dc01.domain_a.com/ip> -d domain_a.com -c all
can someone explain the time element to modules please, do you need to complete the module within the time stated (4 hours for example) im only asking so i can better prepare for taking a module. Thanks in advance
can someone help when iam running this command from NETWORK FOUNDATION (nc -v <target ip> <dynamic port>) it is saying connection refused but in the example on the website it says open
i tried to change target ip couple of times and rerun everything and it still says refused
anyone has idea?
he's usually not wrong about these things. did you try firefox or firefox.exe from cmd line?
solved, Thank you a lot
in terms of the the packet data that gets relayed?
the ascii output or whatever its called?
frame contains "username" i think will work
thats a very broad search tho, you'd want to shrink it to something more specific to your use case like http contains 'username'
I'm in the Info Sec Foundations path on the the VPS setup module. I setup the VPS on Vultr. I'm trying to ssh to it. I'm unable to. When I ping I get network is unreachable. I've changed the network settings to have a bridged adapter on my VM. That did not fix it. Should the VPS (100.68.x.x) be on the same network as my VM (192.168.x.x) on Virtual Box? they are on different networks right now. If so how do I do that? Or is the solution something completely different?
I have the filter documents but there are not working on the actual pcap file I have
im trying enumerate imap. When i try to log in, i get this: Plaintext authentication disallowed on non-secure (SSL/TLS).
if i were to brute force with hydra, would this works?
hydra imaps://ipaddr:993 -l usernameifound -P passlist.txt
do i need more information in order for hydra to do its magic?
looks like you're missing an -s <port> but you've included it there in the URI, double check the man page. this advice was given from chatgpt right before it blocked it for content violation
does anyone know a AI proompt that doesnt do this?
its just that some place mentions using some kind of ipv6
lemme fetch what i mean
hydra -C defaults.txt -6 pop3s://[fe80::2c:31ff:fe12:ac11]:143/TLS:DIGEST-MD5
where do i get that? LOL is my command enough or do i have to add that fluff in there?
i know thats for pops
its still ssl/tls like imaps
best to include which module and section you're on, you'll get better help that way
wpscan --url http://Blogurl -U users.txt -P /usr/share/wordlists/rockyou.txt
Am I on the right track??? I need to put a reverse shell for this I am first doing a bruteforce???
I have found the users and the password
This is for the Hacking Wordpress skill assessment
id rather not then... AEN blind. thanks anyways... ill just use hydra imaps://ipaddr:993 -l usernameifound -P passlist.txt
well AEN is just a walkthrough.. you could just look there
aen "blind". i just wanted to know if imaps is brute forceable with hydra. thats all. can it?
imaps and pops
you could man hydra
ill give it a go then
Sorry, I'm working in Linux basic room. I type the command to find the number of lines dpkg -l | wc -l …… I get the count but it says I'm wrong
tell us the exact question your on.
it looks like your cmd may be wrong, or its using some syntactic sugar. if this is your first run with hydra ssl imap consult the man page, it looks like you need a -f for the url and a -s <port> for the ssl port, chatgpt keeps granting then censoring the info
use chatgpt and copy it real quick you'll see the subtle diff. this could be wrong of course, but good as a sanity check if you're not getting the results you'd expect
Thanks, I found it by then, I remembered something right after I asked the question... thank you so much for the starting help....
good deal. glad you got it sorted
i found out that using something like pop3://ip:110 -m TLS and imap://ip:143 -m TLS works. i did "man hydra" like supernuts told me LOL
How do I find the number of packages on the target system? I put all the commands I know .
the number of installed packages according to the package manager?
it would be something like apt-cache search --installed
ok thats slightly wrong syntax dpkg list works
apt list --installed
Hello guys, I go through Intro to Assembly Language, Part "Debugging with GDB" where I need to download asm file and debug it. Task is "Download the attached file, and find the hex value in 'rax' when we reach the instruction at <_start+16>?" but when I make a breakpoint on "_start" and run the debugging there is no "<_start+16>" and when I do two steps, I get "0x401013 add BYTE PTR [rax], al" and then "Program terminated with signal SIGSEGV, Segmentation fault.
The program no longer exists."
could you please help me with this? I dont know what Im doing wrong
break at _start+16
but there is no start+16
0x401000 <_start+0000> movabs rax, 0x21796d6564616341
0x40100a <_start+000a> xor rax, 0x21449
0x401010 <_start+0010> xor rax, rax
0x401013 add BYTE PTR [rax], al
0x401015 add BYTE PTR [rax], al
0x401017 add BYTE PTR [rax], al
gef➤ b _start+16
Function "_start+16" not defined.
looks like _start+16 is just xor rax, rax
_start is at 0x401000 and _start+16 is at 0x401010
b *0x401010
You have typed the same address for _start and for _start+16 as well
corrected!
but next to that address there is "<_start+0010>" not the "start+16". I dont get it mate
16 in decimal is the same as 0x10 in hex
I dont see anywhere in this module where is stated that I need to convert it. But you are right, RAX on this breakpoint is 0x21796d6564637708 and thats the right answer
or better said, why there is "<_start+16>" in the task, when in reality you see "<_start+0010>" in debugger?
because everybody counts in decimals even if they're writing an assembly task
hmm I think I need to get used to it..anyway, thank you very much, because I was stuck here for hours -_-
hello
im on network enumeration with nmap and im on the ids ips evasion easy lab and i think i got the right os system but its saying its wrong idk
Our client wants to know if we can identify which operating system their provided machine is running on. Submit the OS name as the answer.
this is the prompt
i put in linux as my result and its saying its wrong
idk what to put atp
Please don't spoil content from the module
Try reviewing the host discovery section
Hi everyone, I need a hint in CRLF http attacks log injection, It gives php injection into the logs
Think about where else you may be able to inject the CRLF payload
Ohk thanks SuperNuts, I will try harder, and if I cant I will get back to you. thanks
wow you are great thank you SuperNuts
im on a nmap module and im really struggling to get anything from nmap, ive tried ack, syn, quiet performance, and everything it feels. any recommendations?
like EVERYTHING is showing up as filtered
the assessment? the firewall one?
its nmap firewall evasion ids hard level
just a sec i just reviewed that whole module earlier today
thank you
DM me what you've tried if you'd like
this one is a little difficult and the scenario is vague
There was a technique taught in the evasion sections
make sure to try everything you were taught
anyone here online
a lot of people
did you do this question
https://academy.hackthebox.com/module/57/section/516
anyone here have complete Login Brute Forcing Skills Assessment Part 2
please help me.anyone who did this module
i am stuck at this much time
i need your help. 🫶
@Ulq please don't post content from modules above t0
Oh really sorry
Can someone help me with a very easy Metasploit exercise? I just want to know what the right exploit to look for would be. I'm new to this area.
did you do login bruteforcing module
Regarding the question tho
if i have a form
the form has the following attributes
id=ulqa and name=ulqw
if i want to brute force using hydra
what are the parameters is it for the id or name?
since in the module they were identical so i couldn't tell
Currently doing it
in login forms section
Have you tried visiting the target in your browser?
Yeah, simple plugin for wordpress
@severe inlet bro dm me
It gives you the version too, try searching for something related to that.
@cloud urchin did you completed Login Brute Forcing module.
Ok thx
I completed it before they changed it
ok bro
Version simple backup plugin or word press?
Because of how it's emphasized on the page I'd go with the plugin
Why was attacking common services (medium) much easier than easy lol
in easy you needed to look some things up
ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
link/ether a6:ba:3b:08:59:d4 brd ff:ff:ff:ff:ff:ff
altname enp0s3
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN mode DEFAULT group default qlen 500
link/none
What is the name of the network interface that MTU is set to 1500? Shouldn't this be either ens3 or tun0? Neither are working.
Genuinely can't understand a single thing in the thick clients section after obtaining a foothold. I can't see how this section genuinely makes any sense in the broader scope of cpts
Does anyone have a better resource for digging into thick clients? It's something I'd like to understand albeit after cpts
hello I just started and in the three lesson I turn on the virtual machine and try a scan with nmap and I get this Starting Nmap 7.94SVN ( https://nmap.org/ ) at 2025-03-15 21:07 UTC
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.10 seconds
Maybe try a different scan or ping. Could also just restart the machine if you suspect it's bugged
scanner/http/wp_simple_backup_file_read
Do you know if this plugin would be for a long time
Are ssh to the target?
Try the one that can traverse paths to read a flag
what would be one to find flag, wouldn't that be?
guys hello can anybody teach me how to restore sam database?
fr it was the hardest of the three
Has anyone completed the challenge? CPTS > Module: Attacking Web Applications with Ffuf. > Section: Parameter Fuzzing - GET
Question: Using what you learned in this section, run a parameter fuzzing scan on this page. what is the parameter accepted by this webpage?
I tried this command but it return a lot of keywords & errors which is not really helpful
ffuf -w /opt/useful/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://admin.academy.htb:47558/admin/admin.php?FUZZ=key -fs 900
I also Optimized Command (Extract Keywords Only) still dead end
If you want to extract only the parameter names that yield valid results:
```
ffuf -w /opt/useful/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ \
  -u http://admin.academy.htb:47558/admin/admin.php?FUZZ=key \
  -mc 200-299,301,302,307,401,403,405,500 \
  -fs 900 -t 40 -v 2>/dev/null | grep -oP "(?<=\* FUZZ: ).*" | sort -u
```
I extracted the keywords into a txt file and used burpsuite, still no way.
i see hmm
yea thats my fault i didnt ssh into the target
Guys if there is someone very clever and has restored SAM database from Pillaging in Windows Privilege Escalation pls DM me
I have restored many folders but all of them are empty
pls share how you did it if you did
I wasn't able to
when you select modules in msfconsole you can type the info command to see what they do
Find one that can maybe help you find what you're looking for
Hello, following the "ADCS attacks" module, in the "ESC9" section, i wanted to perform a shadow credentials attack from a windows host instead of changing user2's password, any ideas on how to do that ?
so far i tried whisker.exe to get a TGT as user2, opened a new terminal using Rubeus's createnetonly, imported user2's TGT, Certify.exe request didn't work
I think you are over complicating it with the second command
hi All, maybe is dumb but how do i remove bad character from a address for example 0x00EEFB70, and let's say 00 is a bad character how do i remove it from address ? this is related to skills assessment for windows based buffer overflow x86
0x00EEFB70 wouldn't necessarily be a bad address
it's just padded in that case to meet the full length
but the module would teach you everything you need to know to complete the skill assessment
i figure it out, thanks @fathom pendant
hello I'm in the module "ICMP Tunneling with SOCKS", I'm using Chisel in this module because I got a lot of issues with ptunnel-ng but I'm stuck creating the proxychains with RDP, i get a connection error and I can't figure out what the issue is
proxychains xfreerdp /v:172.16.5.19 /u:victor /p:pass@123
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain ... 127.0.0.1:1080 ... timeout
[00:44:14:799] [22413:22415] [ERROR][com.freerdp.core] - freerdp_tcp_connect:freerdp_set_last_error_ex ERRCONNECT_CONNECT_FAILED [0x00020006]
[00:44:14:799] [22413:22415] [ERROR][com.freerdp.core] - failed to connect to 172.16.5.19
run proxychains with sudo
the same
use ligolo-ng instead 
let me try
nothing
I'm so tired of this module in the CPTS
wasting time a lot big frustration
Have you tried switching to tcp vpn?
are you sure you have it set up properly?
I used to have the same issues when i had the UDP vpn, Used to waste hours on small exercises
When i switched to TCP it worked really well, Connecting from the first time as well as never crashing
Hello, I am new here. Need help for Cracking Into HTB - GET module. I am stuck there. Any ideas to obtain the flag?
Hey guys, I'm on Skills Assessment - Web Fuzzing module, on this question:
"One of the pages you will identify should say 'You don't have access!'. What is the full page URL?"
I write the answer, but it's not accepting it. I even checked with online solutions.
I should write "academy.htb:PORT" instead of the real port, I think maybe this can bug?
Is it only me, or are the questions asked by HTB beyond the material they provided? Like, I just completed a section and can't understand how to solve the question, and when I googled, I saw people using different commands that HTB never mentioned, so I had to use those commands to get the solution without understanding what I was doing. Does every module have this problem?
Which module are you talking about?
Sometimes there are several ways to achieve a goal
That's intentional, it's to get you into the habit of research as it's the most critical aspect of cyber
There's no world in which you learn every aspect of every service, protocol, and vulnerability, which is where research comes in, it's the most important thing that the modules are trying to teach.
Linux one (the basic starting point)
okay and what was the task, which command did you use?
I get it and i don't mind it. But after completing the sections, I can totally see that the solutions are way beyond understanding by some google searching.
It was about getting the number of services running on ipv4
I used some advanced concepts of grep and netstat which weren't touched in the section
Yeah that module is notorious for having some quite hard sections
I don't know how you did it, I used ss. That was briefly mentioned here. The rest I could read in the man pages
https://academy.hackthebox.com/module/18/section/70
also take a look at the cheatsheet
Ahh, what about other sections
Ss , i used netstat
As I said, there are several ways to reach your goal
netstat is also mentioned in the module
Should i just Google the answers which i cant get or do u recommend anything else
I didn't see it
Might have missed my eye then
Ah , i see
You could ask ChatGPT or something if it can give you a tip on how to get such a result. You can also ask Google
Chat gpt will work , thanks
Thanks! I figured it out. I appreciate your feedback. it made me think deeper
Module/77/section/843, I have found the exploit for the plugin in .txt, renamed it to a .py file but I cant seem to use it I tried python exploit.py --target <ip-adres>
nvm, I used metasploit
1 of 1 target successfully completed, 1 valid password found
I'm on password attacks, easy lab, and I finished the hydra, took 2 hours lol, and it says 1 valid password found, but I can't really find it, it's not really indicating to me, what the valid pair is
Can anyone give a hint on LPE for the first question on AD trust attacks skills assessment? Not sure if I should be looking outside the module as I thought all the attacks require compromising the DC first
Look into foreign groups
can someone confirm for https://academy.hackthebox.com/module/231/section/2491 that http://library.inlanefreight.local connects using the websocket. For me it's saying http 400 and nothing is displaying in burp websocket's history.
library.inlanefreight.local:8001 should be correct
thanks. it connects when adding the port.
the javascript on the site does not implement it though 
Look on the page in the module. All ports are specified there
thanks. i missed that!
@acoustic owl
Hi
hey could someone assist me with this? : Try to use what you learned in this section to fuzz the '/blog' directory and find all pages. One of them should contain a flag. What is the flag?
in the cbbh path , this is the command ive tried :
||i tried this but it didn't work : ffuf -w clean_wordlist.txt:FUZZ -u http://83.136.254.23:34766/blog/indexFUZZ||
Happy to help
@tranquil axle Can I DM you about Q1 on Trust Attacks? I think I have the right path but I'm getting access denied and can't figure out why
Hi Guys, i am stuck on the Pillaging module of windows priv esc, last question "Restore the directory containing the files needed to obtain the password hashes for local users. Submit the Administrator hash as the answer" i was able to restore the C:\Windows\system32 using the password on jeff's desktop, but there is config folder in that, guys how did you solve it, give me some hints
@acoustic owl did you solve this question?
What is the question @paper lodge
Restore the directory containing the files needed to obtain the password hashes for local users. Submit the Administrator hash as the answer
Restore the folder? and you've restored it?
this is the question, it's from the Pillaging module of windows priv esc
Look for interesting files that may be used to extract data
Look at secretsdump
@shut ice please don't give direct answers/spoilers
the config folder is missing
My bad, research into where local account hashes are stored
I believe there's multiple backups; so if one doesn't contain it try others
guys why is the sqlite db from cat giving me a weird error when i try to dump the database
can someone help what is the best arg to use with sqlmap?
Anyone able to help with the section in the SQL injection section "Using Comments"?
The question is to login with the user with the id 5 to get the flag.
I'm trying with multiple variations of the following as the username: or where id=5);
I tried, using the password that i found on the jeffs desktop, can you give me some hints plzz
do i need to get the admins password to do the backup?
Nope
Pay attention to how it's being injected in the response
You have the info you need to restore and search the proper backup
I am getting access denied
Did you set the restic password environment variable?
After you restore it's mostly just exfiltrating the data to use
there is no config file in it
Why are you looking specifically for config files?
If you've done the password attacks module: consider the ways that windows saves login information
Again; why are you looking for that
to dump the hashes using secretsdump
And what files does secretsdump need, exercise some logical conclusions
do you creds hunting module
Who said they'd be in a config folder
so make logical leaps and conclusions from that
I'm not holding your hand through every step, as
- it'd be a spoiler
- You're not paying me to
If we newbies were all that clever we wouldn't come here and ask questions)))
You've been given enough information and know what to look for
You're just trying to find a solution in x when you can just look through y
okay thanks @fathom pendant
Hello, I am stuck at this assessment. I bruteforced the ssh and got a username (or more like real name) and passwords.txt. The task says : What is the username of the ftp user you find via brute-forcing? The problem is there are no open ftp ports and i brute forced every open port i could including an SQL-Database but nothing leads anywhere. What do i do?
If I'm paid to im more than happy to provide more pointed guidance privately. It seems AJU knows the core concept but is banging their head against a brick wall when the door is 2 feet to the left
Perhaps ftp is running internally/ftpuser is the username
Public_ip:port means you're limited in scope to what you're given
Other ports are off limits
hey could someone assist me with this? : Try to use what you learned in this section to fuzz the '/blog' directory and find all pages. One of them should contain a flag. What is the flag?
in the cbbh path , this is the command ive tried :|| i tried this but it didn't work : ffuf -w clean_wordlist.txt:FUZZ -u http://83.136.254.23:34766/blog/indexFUZZ ||
I can already tell you what's wrong without looking at the error logs
Take a close look at your url
And where you're inserting the fuzz keyword
noted
honestly i am not able to find the door, i am trying , thank you @fathom pendant
Try looking through what you restored closely
If all else fails reset the lab
okay
Ls, dir, tree, whatever you need to look for files that are juicy
Don't just look right at the surface
okay @fathom pendant
wdy think ? : ||ffuf -w /opt/useful/seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://94.237.56.224:30483/blog:FUZZ ||
That's not how you fuzz
Doesn't the section contain an example?
ok thx brb trying to fuzz it
its my time to help hahah
||ffuf -w /opt/useful/seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://94.237.56.224:30483/blog/FUZZ ||
did that command but no results
Is that the list they wanted you to use? :p generally you can use the same list as referenced in the examples
yea it is
yeah it is the machine has an ip running for at least more 80 min
try ping it man..
ok
They won't always respond to pings
or nc the host?
Are you receiving any errors while it's running? It shouldn't be executing that quickly
It's a public docker container for one
For two, that's unnecessary
ping http://94.237.59.30:57416/
ping: http://94.237.59.30:57416/: Name or service not known
Yeah ping doesn't like ports or protocols
Anyone else having problems with https://academy.hackthebox.com/module/details/291 - Wi-Fi Evil Twin Attacks with the Using EAPHammer section question?
With the ESSID stripping assignment? I can't force client to authenticate to my SSID. Deauthentication gets picked up; the packet loss is growing when I'm checking with airodump-ng but can't seem to get the client to connect to me
Hello worlds! I have a problem in my HTB academy modules: whenever i create a challenge it gives me "IP" AND Not Port. While accessing the challenge through ip it doesn't give me a response! please someone help me
Also i was referring to the ffuf command, does it say there's errors
Then put the ip in your hosts file with the vhosts then fuzz as http://vhost:port/blog/FUZZ
ok
he is trying vhost ?
Not all labs give ip and port; if it gives a 10.129.x.x ip you need to be connected to the vpn to access
i tried on the pwnbox tho
i dont think that ffuf would be able to fuzz the vhost like what he did..
||ffuf -w /opt/useful/seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://94.237.56.224:30483/blog/FUZZ.php
        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v2.1.0-dev
:: Method : GET
:: URL : http://94.237.56.224:30483/blog/FUZZ.php
:: Wordlist : FUZZ: /opt/useful/seclists/Discovery/Web-Content/directory-list-2.3-small.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Progress: [87664/87664] :: Job [1/1] :: 6451 req/sec :: Duration: [0:00:14] :: Errors: 87664 ::
┌─[eu-academy-5]─[10.10.15.10]─[htb-ac-1577141@htb-gyp0pzvubw]─[~]
└──╼ [★]$
||
No, the section gives a vhost to use
thats the ffuf output sorry for long msg
Yep i have connected the openvpn through my CMD terminal but still not accessing the challenge!! Also there is a problem with downloading the OpenVPN application, the new update is making problems for me
Yep tons of errors
thought it was normal since no extensions were found
does gobuster up to this one ??
Errors = something went wrong
noted
The issue lies between keyboard and chair for this one
damn bro
i dont think i get it..
user error
he says the issue is me
The question gives you a vhost, the lab is likely designed to not respond to http queries to the ip, but instead the vhost
ohhh yeah haha
You need to interact with the target using the given vhost
ok gotchu
I already told you how earlier, but you ignored that
.
are you comfortable with sqlite db dumping?
Not overly, but not sure what module that's related to
I'm not staff, I just yap and I (kinda) know things
i mean i have a weird issue while im doing cat machine..
#boxes then
Keep this channel on topic to htb academy modules :)
so you cant help me with it?
I haven't done it, so no
alright no problem
But also there's a channel to ask for help with machines on the htb labs site, which I pointed you to
||ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt:FUZZ \
-u http://94.237.59.30:57416/FUZZ \
-H "Host: 94.237.59.30:57416" \
-mc 200,204,301,302,307,401,403||
i got it
Has anyone done question 1 on AD Trust Attacks? I've got the path from Bloodhound but getting access denied trying to auth, gone back through the module twice and can't see what I'm doing wrong
thx !
That's an unconventional vhost you pointed to with the host header, typically a host is a.example.com or something like that
- vhosts required
^ thats the text you're looking for for the vhost
Vhost != ip
gotchu gotchu
thank you mate already helped me
much appreciated the memes rlly gives motivation to ask q's here again
This is 101 type shit you should know before you even touch fuzzing
ok bro but i forgot
Writing things down helps you remember them
iirc there's a module that covers vhost
Well write it down this time 
yeah yeah
Time for another 2 hour nap bc fucked sleep schedule
Getting Started Module> Priv Escalation hands on lab. In the learning module they talk about copying id_RSA, but in the answer we use netstat. They want us to look at the active connections but why would I know to use this over nmap? Nmap doesn't show port 80 even open.
When going through modules and solving x or y through exploits, do y'all find it useful to try and run through the actions of said exploit manually?
For example, looking at the exploit's code and attempting the actions it does manually to potentially understand the design of an exploit better.
Or would this only really help you understand this specific exploit?
Possibly a very person-to-person answer but I'm just wondering, as I've been told most public exploits usually are detected easier, where I think understanding each step better could help understanding the exploitation process better.
because you're already inside the system
Understanding the exploit separates a hacker from a skid
Depends, there are that many exploits IMO it wouldn't be possible to 'understand' how they all work
But understanding the common ones (which is probably what the modules shows) would be worth it
@solar bloom How ya doing.
you don't need to understand every exploit, with the exceptions of a scenario where it needs modifications
Thanks for the quick input
i got a quick question here. is https://www.inlanefreight.com related to AEN?
trying to find out all info i can get... stuck on foothold for almost a week (aen blindly)
The module is structured as a walkthrough. Check the module if you get stuck.
the exam is not.
No, but here you can check what you have overlooked and then look at it again
I don't think so
Hello, please tell me! If I buy a monthly "gold" or "platinum" subscription, will I have access to modules such as "ADCS Attacks", "Active Directory LDAP"?
Think you have to buy ADCS Attacks, depends on the tier of module
Sure but my notes are short on this one
Monthly subs give you cubes and you have to spend them to unlock modules. You don't unlock them all at once, that's only with yearly sub
I take it it's better to buy cubes?
No better to buy membership you save about 30% on cubes, but you are limited to only unlock so many modules a month (until you get your next cubes), guess it depends how fast you plan on doing each module
Then if you get it yearly, you get all the tier 1-3 modules I think? (depending on silver/gold)
I want to go through all the modules for the path 'CAPE'. But I don't have the opportunity to pay for everything at once, so I'm thinking about how to go through them with payment once a month.
It would take around 7 months to do it that way.
I tried || adminโ or id=5)โ || but still canโt get it
how did you come up with that number? did you divide the number of cubes cost for the total path by 30 or something?
Assuming you did the most optimal uses of platinum and gold, for the full cube cost.
i dont follow the first part, best use of plat/gold? is that there new like uh... rewards hours or something for buying cubes?
last time i checked in there was just cubes and paypal or w/e to buy them with?
(back in like july of last year?)
Monthly subs give you better cubes/cost, but are on a monthly time gate.
For the first tier courses, the monthly subs are generally the best option, because you will take longer than a month to finish all the modules that one month of sub unlocks. For higher tier certs, one month sub might only unlock a single module at a time.
Do you guys spar on app.hackthebox after finishing modules?
For CPTS, for example, you need 1 month of platinum, and 1 month of gold.
i mostly do NOT, this may not be advisable but i like to finish a chunk of modules or a path and get some awareness on things i dont know then go about boxes
i find myself getting frustrated on an easy/med box, i go back to the academy
yes easy boxes still whip me sometimes, rank is just rank.
im not too proud to admit.
I'd love to get the CPTS certificate one day. I've been grinding modules for a couple of months now and sparred for the first time today on app.hackthebox, but... even the easy machines are too difficult to finish without peeking at the walkthroughs. I feel like I "waste" the machines if I continue doing them. Should I finish the whole path on academy first?
thats the conclusion ive come to from the same trial and error.
i guess there's nothing wrong with it if you're "learning" but i just prefer to learn differently.
making an attempt to total frustration is not my ideal learning manner, at least not until i have "read the book" or "completed the path"
then i feel like i should be ready to exert the mental effort to total frustration and go back to drawing board (notes)
But wouldn't you also like to keep practicing what you've learned on a module? Then you do ten more modules and forget what you learned previously
Sup, guys. How are ya?
Using Web Proxies - third final question of the module, how is it expecting to be the input of the answer? Input format
I get what you mean tho, the boxes require wider knowledge than just one or two modules.
How far are you on your path anyways?
i did the bbh so it seems like the web portion of cpts is clear i just started in earnest a few weeks ago and have only been doing a few hours here and there. but im gonna need to re go thru bbh as it changed with the graphql stuff since i last went thru it
so to answer your question "im not sure" but im also gonna redo everything and make sure my notes are a thousand percent solid.
im currently on footprinting -> nfs
for this i just redo the module skills assessments for the piece meal sections or w/e they're called
after moving on for a few. not like uh, finishing it then doing it again a day later while its still muscle memory
HTB{ }
I wish there was a way to reset a module you've done! I've also redone modules and found it to be great to freshen your memory and I've picked up something new what I didn't realise the first time
yeah i asked about that early on. i think they're aware of the request for this.
Thanks! So I still didn't get it
i dont believe we're the only ones who have suggested this.
So, do you plan to start sparring on boxes only after you've finished the whole cpts path?
ive done a few boxes and im familiar with the overall process so at the moment im just focusing on acad. i dont have vip tho so i cant do retired boxes and i dont wanna mess with the live boxes right now and like uh... aggravate myself out of being motivated to learn. to be totally honest. but thats just me.
who knows maybe that will change in a day or two
hi
can anyone help me on skill assessments , File Upload Attacks , I have been stuck for 5 days and did not find any solution :/
You can DM me
Its a tough one, you'll get it, be sure to check very carefully your error messages when fuzzing for types of extensions accepted/rejected (the error messages differ EVER so slightly)
same fuzzing you did in the module, just slow it down a bit and comb those errors carefully.
I have just finished the skills assessment for the pivoting, tunneling and port forwarding module. But I have a question: It confused me a lot that both """subnets""" had the same mask /16 (172.16.5.35 and 172.16.6.35) so technically they were in the same network and all packets were sent over the .5 . Is this correct from a networking point of view? shouldn't these two subnets be in different network segments with /24 masks?
heyoo
Did you poison the log already?
still couldn't do it , i gave up
@brave scroll It's fine to post from this module but I'm deleting your comment as it shows the flag's filename which you normally have to enumerate yourself in this skill assessment.
i believe i could NOT do the second method myself reviewing my notes and checking the assessment
@nimble scroll please DM me that so i can compare my outcome?
oh, ok. thanks i got the support from Live chat..
i am new to hack the box , i have 70 cubes and just finished academy . What should i buy with these and how can i get more cubes for free?
cubes cost money
what is a good purchase to do with my 70 cubes?
whatever looks interesting to you really
@cloud urchin i have used double quotes php shell code in burp repeater.. it didn't work even when inserting single quote code it works..
- when enter double quote access.log file stop accessing.
did you poison the log with the user agent header?
yeah
<?php system($_GET["cmd"]); ?>
you can test it like this
hi I need to ask. So tell me if I'm getting this right. I did the reverse/remote port forwarding with SSH mysql several days ago and I want to make sure I understand the concept. So we have attack host, and public IP target and private IP target. In order to reach the private IP target, the attack host listens on a port such as HTTP/HTTPS port 8000 or 8080 but with HTTP/HTTPS protocol to get a reverse shell script onto the public IP target's machine in order to establish an SSH connection with the machine and listens for that machine to connect. Upon establishing an SSH connection with the publicly available web server, it then must use that server to connect via 8000 or 8080 or some other port to the private IP server on the remote network that would not otherwise be reachable. Then, the attacker must transfer the attack script again from public IP server to private IP server on remote network not that they have access to a device that can reach the private server. But the command to transfer it has to trick the internal server into running that script so that the attack box outside the network has the traffic forwarded back from the private server to the threat actor via the public server.
I solved all the questions from that section. Do I understand the material well enough to go to next section?
as long as you have that as your user agent header, you should be able to curl the log
how can i speak to the general chat btw?
follow the instructions in #welcome
means give commands in agent-header?
no, you poison the log with the user-agent header with your php code
@cloud urchin hi I see your busy but if you could just let me know if I understand the section well enough or not that would be great.
see above
i have done this with single quote, it's working fine.. but when i try double quote why didn't it work..
i'm really not sure what module or section you're on, but i'd say if you were able to pass the skill assessment it seems you understand it
its a section not a module and the questions were basically following exact instructions
its the reverse/remote port forwarding with ssh section in pivoting, tunneling, and port forwarding module
I did all the questions correctly
I just want to make sure I understand the concept see the paragraph above
@cloud urchin here you can see.
single quotes and double quotes are handled differently in linux, single quote preserves the literal value of all characters inside the quotes, no variable expansion or command substitutions occur. in double quotes, it allows for variable expansion and command substitution so it will be different.
i'm not sure i understand what your paragraph is saying
ok so have you read the section?
if not its fine I'll ask someone else
but I just want to make sure I understand the concept before moving forward
essentially, you're forwarding a local port on the victim server through the pivot host to your computer
yes I get that
but I want to know based on my paragraph if I have a good enough understanding of the process and the different steps to move onto next section
because your one sentence is you know a short sentence but the full process has several steps and substeps and I just want to make sure I understand the details well enough.
then after that I will go onto next section as I already have done the questions
well you're not transferring http traffic
right ssh traffic
but using HTTP/HTTPS ports so ssh over HTTP/HTTPS
technically no
a port is just a port
just because it's port 80 doesn't mean it's http traffic
I know I get that
but using different port because port 80 is allowed
and SSH isn't so the change in port is to disguise traffic right?
so that its not recognized as SSH traffic and then blocked
the port doesn't matter
you can use whatever port you want
the only port that would matter is ensuring you're connecting to the correct port the service is running on in the private network/server
right exactly
ok got it I see now
you just need to open up a port to listen on from the pivot host, just like you do on your attacker
that way it forwards from that port to your attacker machine, all the way from the private server
right exactly that's how I was thinking of it but I was having trouble describing it
Just think of it like using the public ip target as a bridge to the private ip target.
ok so its a similar process on pivot host as attack machine
yeah if you don't open the port on the pivot host then the traffic will just get blocked
ok thanks
so do I get it well-enough to move onto next section?
or is my understanding too impaired?
i think so...
this module can be a mind bender
ok thanks. ya I get it I just want to make sure I learn everything and do a good job of learning everything.
ok peace out. I'm gonna do the next module now.
Guys I want to ask you one question. How many of you use AppleMacbook in your cybersecurity work?
for writing reports
8 GB basic model is really useless
Hi! I'm still struggling with upload file attack skill assessment
how to access the url of the uploaded image ?
Please don't post spoilers from modules above t0, especially skill assessments.
Know your target, HTB is not an American company.
Hi all, just started the "Setting up" module today and I'm a complete n00b. Any tips on which basics to start with so it might be smoother working through modules and gaining better understanding in general? I feel like I might be overreaching here without knowing any coding etc., I managed to get Parrot OS on a VM, but that's about it for now lol, I got stuck on permanently changing the bash prompt, so I thought it might be best if I worked on some basics first.
Any knowledge you might have on building my base knowledge would be greatly appreciated honestly.
There's some sites that can help with generating bash prompts https://bash-prompt-generator.org/
Any change you make you'd have to restart bash or change the source eg. source <path to .bashrc>
Has anyone completed Web Attacks module ?
need help with the XML External Entity (XXE) Injection onwards
Yeah I've been on that website! I managed to figure that out haha, thanks. But I feel like I'm just copying code i understand nothing about, so I'm trying to find out if there are any codes/basics/knowledge/etc. I could learn that would help me understand things better instead of simply going through the motions of completing the modules without retaining useful information and skills.
Don't worry, no one understands prompt variables
There's this https://ss64.com/bash/syntax-prompt.html
lmao literally looking at it on my phone right now
guys, a query regarding HTB Academy - if i purchase Silver monthly plan - do i get access to all the modules ? or do i still need cubes to view the modules/paths?
Monthly plans do not give access - they give cubes.
Except for the student monthly. That one gives access directly.
thanks for the clarification@proud pine
Can anyone give a hint on the last question in AD trust attacks SA?
Did you complete the Brute Forcing module now? Im still stuck now and have no clue what to do after part 1
I have the username from part 1 but no idea what I have to do after that
My understanding about brute forcing and the different part of that topic are well known now
but the question or the task is just poorly written... I did a medium course a few hours ago and that was much easier than this
Maybe identify a service and see if you can access it with what you have and if not perform brute forcing.
any recommendation for someone that has done the cbbh to do some boxes related to web api attacks pd: i already know htb has a feature for that!, but i want someone's opinion on which box is a go to
If you're having issue with a specific module, mention the module / section here @fickle sparrow
Someone may be willing to give you a nudge in DM
i already did it
thanks thanks
Otherwise, if you are curious about machines / challenges / content on the subject, you can check https://ippsec.rocks, or https://0xdf.gitlab.io/
D: awesome, thanks
Both HTB team members, and both have searchable writeups for retired content
well actually you have to bruteforce it, if you get the username you need to create a new password list and try to brute force to the ssh port of the new IP and then you get access to the ftp and the user
Well great
bad thing, it doesnt accept passwords
Hi everyone, I'm facing an issue with a question in HTB Academy.
I'm working on the question that asks for the number of services listening on all interfaces in the linux fundamentals module/filter contents sections ,but I'm getting inconsistent results.
Here's what I've tried:
ss -tulnp | grep -v "127.0.0.1" | wc -l: Getting different results each time.
netstat -tulnp | grep -v "127.0.0.1" | wc -l: Same thing, the results are inconsistent.
Using sudo when possible for more visibility, but I can't see all the services.
I get different numbers with each attempt (e.g., 18, 21, 29) and I'm not sure which one is the correct answer. Is there something I'm missing in how I'm filtering the interfaces or any specific services I should be focusing on?
If anyone can clarify or explain why the results are different, I'd really appreciate it.
Thanks in advance!
are you doing the commands while sshd into the target?
yes i do
yo
have you tried restarting the target or swapping VPNs? that's really odd behaviour from the target
i'm Supposed to be a Developer i wanna learn CyberSecurity
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
will try
is it necessary to be in root mode ?
I did it without sudo
thanks @waxen totem ^^
# Problem 4
budget = 50
Water = 10
Chips = 3
chocolat = 1.5
# Total
total = Water + Chips + chocolat
print(total)
# Remainder
Reste = budget - total
print(Reste)
written in Python
what's that for?
@wicked temple this is not the channel for random programming problems, go to ---> #programming
If you don't have access please get verified, instructions ---> #welcome
i have not access
for what lmao?
Mathematics
Im still not able to find any solution, even with using all possible medusa commands
After you gain access, some light enumeration should help.
but I don't get access, even though I have the password and username for the ssh
also I didnt get any results, cause the target IP didnt work really, had to refresh it
Are you targeting the port assigned to the IP and not the default one assigned to the service?
i target the assigned one
You can DM what you are trying.
https://academy.hackthebox.com/module/33/section/518
I am in SQLi Skills assessment
i was able to bypass the login
i was able to find a directory to write in
However i don't know how to access the file since its not in /var/www/html like the section of the module
how can i access it?
Hey there
hi
thanks i will try tomorrow I'm so tired from work today
i will
yes, i did like 20 times
File 'shell.php' already exists
i can't seem to access the file at all
have you tried specifying the cmd parameter? 
The problem in the section when they uploaded the file
they uploaded in /var/www/html/shell.php which then they can access from http://<ip>:port/shell.php
But for me i couldn't write it there since i don't have permission. i was able to write it somewhere else but i can't seem to find the file
I just solved it
I hate myself so much LOL i dont know why the overcomplication
but i guess im glad i did it without help
I just need the password for the second user then im also done
Is the pw in the list or do I have to create a pw list with cupp?
Login brute forcing?
Yes
But now I have the feeling I made an error
The second user I wrote the first letter in caps
You should apply the skills taught in the Custom Wordlist section
Cupp -i then
You learned 2 things there
if you have completed the web attacks module can you dm me plz!
I create the list with the full name and then use hydra with the new username
You are on the right path
You'll probably get a better response by simply asking your question here. Just make sure not to spoil content from the module.
can someone help if you've tried the intro to whitebox module?
i need the answer/help to one part if anyone completed it would be a great help
Just ask your question
my script wont work to download the contents i need for this one task, im not sure where to go from here i tried multiple ways/options, thats why if anyone completed Web attacks module youll be a great help rn
the Mass IDOR Enumeration section?
They provide a working script I believe, you just need to modify the server and port.
yeah i tried that it doesn't work so i tried using another script for this but no luck
do you get an error or something
DM
sent
how to open .docx file in kali linux ....????
open office?
Hi guys, I am on the File Upload module, to be specific this section: https://academy.hackthebox.com/module/24/section/160. I am trying the WebDav upload, but it seems like the share is not reachable from windows. I have tried spinning up an actual SMB server (using impacket-smbserver) to verify, but in this case the host is in fact reachable.
Has anyone else faced this issue? Basically the whole "SMB Uploads" section is not working.
is it normal for nmap to take so GAD DAM LONG!...sorry Ive been trying to scan a target and its been forever...
depends, but no
They can take a while
-T and --min-rate flags can speed it up. Theres also -v and --stats-every so you know when a port is discovered and get updates regularly
hello
in the wordpress hacking skill assessment i dont find any wordpress related stuff ? i scan the ip i get 3 open ports but still no service running wordpress and the question is what is the wordpress version ?
enumerate the application
hmmm
what's the point of a module providing a pws.list if all but one of the labs require rockyou.txt instead =/
Cos not everything can be solved with rockyou, and it's usually better to make your own bespoke word lists for each target
Hi I have a very simple question, not related to HTB academy. So when I ran this ffuf scan
ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt:FUZZ -e php -r -u http://192.168.180.10/FUZZ
I am expecting the scan to also search for php extension files like login.php (which I know exists)
But ffuf did not return any files, but only directories. What am I doing wrong here?
let me throw an 8GB wordlist at the wall and wait 5 hours because the sysadmin limited the amount of concurrent connection threads to 2 :)
does the section give you a vhost to use?
also i forget with ffuf if you need to use .php instead of just the php name
oh wait you said not related to htb academy
Ok i think, i am supposed to use .php instead of php, dumb mistake
this channel is for htb academy questions, best to ask in #web instead since this is unrelated
Ok I will keep it in mind later, thanks I got my answer
i was kind of saying the opposite though. every one of the labs in this module is solved with rockyou.txt instead of a mutated pws.list. so i ended up wasting time doing the "right" thing
wpscan --url http://10.129.2.37 --enumerate p,t,u
as result i get
Scan Aborted: The remote website is up, but does not seem to be running WordPress.
what module?
Enumeration can be done with other means and not only with automated tools
okey i ll work on it more thank you
Attacking Common Services
i don't recall using rockyou for too much in that module but it's been a minute
never forget one important point
hydra is case sensitive :'D
I worked yesterday 2 hours on that and didnt see that
Where to report typos in academy modules?
@glad tusk not the server for that kind of stuff
I don't know, I'm new
I deleted your message because using cracked software is illegal in most countries
This server isn't about running cracked software, and sharing cracked links of paid software is not only illegal, it also violates discord ToS
Hey guys! Still a bit stuck on "Password Reuse / Default Passwords"
I ran nmap, there's a couple of services open, but the previous creds don't work, not sure what I'm missing but a nudge would be great. The last one I got was to see if those worked for any external services. I can't find any that these would work for, but I may be missing something. Please @ with a response, thanks in advance!
hey, im very new to HTB and HTB Academy and i feel super dumb but i dont know if what im doing is right. Im currently learning cURL and the module is asking me to download a file. should i be using cURL to look at the target ip it gives me or the url in the examples above?
The URLs from the examples are from when the lab was created. They won't work
You should ALWAYS use the target that is provided for you
ok that is what i thought but cURL doesnt like it as a URL am i just not formatting it correctly
curl http://ip
Or http://ip:port/rest/of/url
The service is internal, not external
I believe the question prompts you to use the login you discovered from the last section
Hmm, interesting I may have to mutate a password or something then... I got 3 services in tcp, and udp ran for 10 minutes before I had to clock in to work
It's gonna be a default credential running internally, but you have a valid ssh login from the previous section, or you should have one
Maybe it just needed a restart then, I'll try that again when I can, but that login didn't work the first time around
Alright cool thanks!
ok i was using https instead of http thats my issue, thank you
Yeah most of the targets aren't running https/ssl so http all the way
And there's no logic to downgrade the request to http
gotcha
Hello i am on "Using Web Proxies". I already searched in chat but did not find an answer. Can you please help me understand what i am missing on this exercise ?
"Try using request repeating to be able to quickly test commands. With that, try looking for the other flag."
What can the other flag be ?
I already read flag.txt but its not that, i dont really understand what i need to look for?
Any help appreciated. Thanks.
For the skill assessment part 2 of Login Brute Forcing: i brute forced the ssh connection and am connected. I have a username file created with a first and last name and in the ssh home directory there is a passwords.txt file. Brute forcing the ftp from within with these 2 has been unsuccessful. Do i need to use another password file i created on my own?
search for other flags
theres more flags there
but you have to search
Yeah I finally got the answer and I understand you need to search more, beyond what the academy teaches you, to find the correct answer to the questions.
Hi so I'm on the infamous password attacks hard lab, and I just can't download the .vhd file, I've tried, smb, http-server, netcat isn't installed on windows and the box has no internet access, ftp isn't working either, can anyone please help me 🥹
If you've gained access via one service, then maybe enumerate further (dig deeper within that host) to see if there are clues that may help you proceed.
well it has a .txt file giving me a first name and a surname, a password.txt file and the username-anarchy directory so i should have all the information. i also know there is an internal ftp running but i can not brute force it with that information
guys
any help with this
Usually with FTP or SSH access the username you use is a user on that system. Once you get into the system, there's a system file you can cat to see a list of all users and whether they have shell access.
but there are only 2 txt files and the username-anarchy directory, is it supposed to be in the username anarchy .
Are you already logged into the machine using SSH?
that is in the home directory after i brute forced and logged into the SSH connection
Can you see any user in the /etc/passwd file that may be of interest?
i have a password.txt file and an "Incidentreport.txt" that gives me a first name and a surname. I used username-anarchy (directory given) to create a username.txt file based on the given first name and surname. i can connect to ftp manually with : ftp ::1. but the matching hydra command does not find a combination
satwossh@ng-1215477-loginbfsatwo-kr8td-84d4f74bfb-9sqt9:~$ netstat -tuln | grep 21
tcp6 0 0 :::21 :::* LISTEN
satwossh@ng-1215477-loginbfsatwo-kr8td-84d4f74bfb-9sqt9:~$
Please read the #rules of this server.
satwossh@ng-1215477-loginbfsatwo-kr8td-84d4f74bfb-9sqt9:~$ ls
IncidentReport.txt passwords.txt username-anarchy
Sometimes you just have to enumerate further and think outside the box. That applies everywhere in this course. In this case, the enumerating further means looking for more information on a system once you gain access, like looking in /etc/passwd to get a list of usernames on the system. Thinking outside the box might mean not using the given username AND password list, but maybe there's another way to get a username (list users on system), or password (maybe stored in file somewhere).
ok thank you for your help will do that
Whats wrong with smb and ftp?
Are you able to mount a drive with rdp?
smbclient isn't working, and ftp has no changing directory rights
Smbserver or smbclient?
Dm the command
wait i think i got it
If you have the right host, username, and password, then smbclient syntax should be: smbclient //HOST/USER -U 'USER%PASSWORD' Once in, the get command should be able to download a file.
give me a sec
I meant 'SHARE' instead of 'USER' in the first part
so i checked the username-anarchy directory (only thing left to check next to Incidentreport.txt and passwords.txt ) and it is identical to the username-anarchy u get from git. So it has to be the password.txt or Incidentreport.txt ? or do i have to brute force multiple ports and gather different data
Hey, Im trying to use iptables as firewall to block port 8080 connection of my apache2 server but it isn't blocking it. This is my code: sudo iptables -A INPUT -p tcp --dport 8080 -j BLOCK
-j DROP or REJECT
It still persists, thanks for the reply though
Are you connected to the machine with RDP? If so, simply mount a share.
yeah i am
whoops i forgot how to do that
been a while
xfreerdp ..... /drive:share,"/home/user/share"
The file is big so you will have to set a bigger timeout to download it
ahhh right
But yeah you should probably use the rdp drive if you have access
Think I used ftp there though
Does anybody know why this firewall iptables isn't working and the page apache page remains?
so after doing the same thing for the 10th time it worked. I dont know what went wrong before. But judging from the forums and reddit a lot of people have the same problem. Maybe the skill assessment solution is inconsistent? Thank you for your help tho
hi , I got stuck on this module , Server-side Attacks
Identifying SSRF , I get Error (3): when I try to get a response
can anyone help ?
Hey, someone has done "MODERN WEB EXPLOITATION TECHNIQUES - SSRF Basic Filter Bypasses"
I need help
What exactly do you need help with? You can send me a DM.
i cant find the VM ware 16 workstation player thats free for windows on vmware like the Setting up Module is showing
Maybe there are rules earlier in the chain that are allowing the port. What does sudo iptables -S show?
thanks, do u need a broadway acc? even tho i want to install on window
Yes, VMWare was purchased by Broadcom. You need a Broadcom account to download VMWare Workstation Pro. You don't need to give them a credit card or anything sensitive, just an email address I believe. And it takes a few steps to navigate through their portal to the downloads section to get the product installed. Not very intuitive I recall, but after you get it set up it works great. Much superior to the old free Workstation Player, which could only handle a single VM at a time.
I'm running it on Windows. I have Kali and Windows VMs running. Works great.
ahh thx alot so its free and only got to give a email and great as a VM
OKay great il do it
Are you actually seeing traffic going through port 8080: sudo tcpdump -i eth0 -n -t port 8080
Is a block by AV expected every time? just on shells & payloads module in CPTS (tier 1 module) reverse shells section -
What happened when we hit enter in command prompt?
Well ... I got the reverse shell instead of the 'expected reply from the environment'
This script contains malicious content and has been blocked by your antivirus software.
&&
Using PowerShell instead of CMD for this part of the module was hell, 8+ errors with no real way to fix, CMD works (as seen above)
Thoughts?
Exploit a SSRF vulnerability to identify an internal web application. Access the internal application to obtain the flag. Did anyone solve this ?
Don't think so
What indicates that "the page apache page remains"?
Can somebody help me in HTTP Response Splitting Assessment? I have the payload working but can't get the admin cookie part
Solved
DM if you need help
I see. That's not what iptables is for. It blocks traffic coming into the host from an external network interface. It doesn't block traffic coming from localhost.
Try using the OUTPUT chain instead.
I mean, technically you can use iptables to block off local ports
I imagine it has uses for multi-tenant systems, but that being said I don't honestly know if you can do such things as blocking based upon things like process owner
There are modules and such which allow for this kind of customisation apparently
#1318239802931286066 @jovial hamlet
This channel is for discussion of modules
It still didn't work, but I changed the Listen from 8080 to 127.0.0.1:8080 and now it works, not sure if it is the right way to solve it..
can anyone help me ?
POST /index.php HTTP/1.1
Host: 10.129.186.61
Content-Length: 53
Content-Type: application/x-www-form-urlencoded
Accept: /
Origin: http://10.129.186.61
Referer: http://10.129.186.61/
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
dateserver=http://10.10.15.66:8000/&date=2024-01-01
I still cannot get it connected to get the flag
I don't understand the lesson :/
ffuf isnt doing dns enumeration
HTTP/1.1 200 OK
Date: Mon, 17 Mar 2025 18:12:32 GMT
Server: Apache/2.4.59 (Debian)
Content-Length: 45
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Error (1): Received HTTP/0.9 when not allowed
you can DM me, although I will be going to bed soon so I will get back to you tomorrow
I'm trying to crack the .vhd file in password attacks hard lab and its TAKING FOREVER like its been like 1.5 hours
and its at 40%
