it says the location in the question itself

There's no flags though

I have full access to the site, but i can't find anything with resembling a flag

im doing the Understanding Log Sources & Investigating with Splunk module and i just realized that the logs time and the one in the screenshots of the module differs,

should i be concerned about this :O unlike the module before that uses elastic, we can change the timezone there but for splunk, should i do the same if possible and where can i change it

The question says obtain a shell on the system and look for the flag in a directory, it's not on the site you need execution to get a shell.

I have two different shells already. 1 via the plugin exploit and 2 via the theme exploit. I can see the whole file system. I have checked all the folders in the /site-editor/ plugin but see no flags

I used the shell to list all the users in /etc/passwd

no flag

😅

im in the ftp server now and idk im using ls and it keeps saying transfer complete i tried switching to passive and tracing but the ls is doing shit nothing

I give up, i can't find it

Keep having to rebuild the VMs because time runs out because i can't understand the vague. not fun

What does the question say?

Use a vulnerable plugin to download a file containing a flag value via an unauthenticated file download.

I have obtained the shell, but what is the question asking for?

that's not the last question of the skill assessment in the wordpress module lol

Does it not give a hint about directory/location?

sorry i didn't realize you were looking at a different question

The hint says to look at the wpscan. I did, and i found the vulneratble plugin, then setup the shell using the expolit listed on exploit-db and can get the /etc/passwd file and have access to the whole system.

but what am i looking for?

it just says "a file"

link the module/section you're working on

https://academy.hackthebox.com/module/17/section/64

I have all the other answers just not the one i mentioned above

Is it the last question? The question tells you where to look

if you have a shell and upgrade it
(typically linux revshell you can do python3 -c 'import pty; pty.spawn("/bin/sh")') then just utilize the find command or grep -r iirc

no it's this question "Use a vulnerable plugin to download a file containing a flag value via an unauthenticated file download."

What is the wpscan output?

it's very long

Use a pastebin. Then I can take a look

I think you maybe overlooking something?

take this to private

Ok

since the module is above tier 0

ok i need to setup the vms again so it might take a bit

Ah

sharing a pastebin of output would be spoiling

Feel free to DM me

can someone please help local: .cache remote: .cache
ftp: Can't access .cache': Permission denied ftp> get . local: . remote: . ftp: Can't access .': Permission denied
ftp> get ..
local: .. remote: ..
ftp: Can't access ..': Permission denied ftp> get ... local: ... remote: ... ftp: Can't access ...': Permission denied
ftp> get aura
local: aura remote: aura
ftp: Can't access aura': Permission denied ftp> mget . ftp> mget .profile mget .profile [anpqy?]? ftp: Can't access .profile': Permission denied
ftp> mget .cache
ftp: Unable to determine real path of .cache': No such file or directory Skipping non-relative filename .cache/motd.legal-displayed'
ftp> mget .ssh
ftp: Unable to determine real path of .ssh': No such file or directory Skipping non-relative filename .ssh/id_rsa'
ftp: Unable to determine real path of .ssh': No such file or directory Skipping non-relative filename .ssh/authorized_keys'
ftp: Unable to determine real path of .ssh': No such file or directory Skipping non-relative filename .ssh/id_rsa.pub'
ftp> exit
221 Goodbye.
┌─[us-academy-2]─[10.10.14.179]─[htb-ac-1794577@htb-wtlvwk0t9e]─[/home]
└──╼ [★]$ ls
debian htb htb-ac-1794577
┌─[us-academy-2]─[10.10.14.179]─[htb-ac-1794577@htb-wtlvwk0t9e]─[/home]
└──╼ [★]$

i got this on the ftp server and i need the stupid ssh key but i cant get the file so i have no clue what to do

anyone able to help please

run ls -la within ftp

i did bro

doesn't the assessment give you some credentials?

why did u delete my message mane

yes thats how im even logged in

module is above tier 0

that's why

bro its from my cli

ok and? the information is from a skill assessment from a module that's above tier 0

and i did ls -la

and nothing wants to be fucking getted or mgeted

chill

your output showed an .ssh directory

yeah i cant get in there for some reason

you know you can cd within ftp

but if you can't cd or are getting permission denied i'd be making sure i connected to the right port as well as logged in properly

all else fails reset the lab, give it a few minutes, try again

Hello I'm new here what's the module category about

or change vpn regions and try again

i cded into the ssh file

https://academy.hackthebox.com <--

and i cant get ANYTHING

if youread #welcome it explains the layout of the server

like every single file is permission denied

ftp: Can't access id_rsa': Permission denied ftp> get authorized_keys local: authorized_keys remote: authorized_keys ftp: Can't access authorized_keys': Permission denied
ftp> get id_rsa.pub
local: id_rsa.pub remote: id_rsa.pub
ftp: Can't access `id_rsa.pub': Permission denied
ftp>

permission diened permission denied permission denied permission denied like my hod

chill for a sec

take a minute

step back

dude its 3am

and come back with a clear head

id rather js solve this im not even clouded in the head i js dont know what to do

frustration will only compound on itself

Take a break for now

it's not about being clouded in the head

it's about compounding frustration

it is 3am and i have work in 3 hours bro 😭

then you should be sleeping

and not doing htb

Mind doesn' work optimally when frustrated. You need a break. It's okay to take a break

is there any hint i can get to like get these denied keys?

the module will still be there after work

Don't try to force yoruself to do it right now

OK read everything thank you

as i said make sure you're on the right port

bro i just want to get this one over with

let me try one second

yeah im on the right port

idk im in the ssh direcotry and i see the restricted keys i lowk dont know where to go here or how to privlege escalate from here ig

you're on the right track, your frustration is just getting the better of you

im not mad anymore bro 😭 atp being called frustrated is whats making me mad

idk im looking through my notes and the actual module and idk rly where to go

you're frustrated because:

• you're assumedly doing the right thing
• it's not working

frustrated != mad

is there a way to filter owned modules so i only see the ones i havnt finished yet?

unfortunately no; /feedback <--

wait nvm i think i found it, they came up in in-progress modules if i own them even if havnt started

ah ye

forgot about that tab

yeah me to

i usually have education sub, but waiting to see how my banks looking after this week haha

are you using -p or -P to specify port

try specifying port with -P to be sure

im 100% sure because i tried 21 and i didnt have the same files at all

i just did it myself and it worked just fine ¯_(ツ)_/¯

try changing vpn regions [you'll need to respawn pwnbox and target]

it's on the alt port

i told you

alt port == not default btw

also removing your question because it's a spoiler since you have to scan for info

ffs

ok im on the alt port

hold on look

150 Opening ASCII mode data connection for file list
-rw------- 1 ceil ceil 738 Nov 10 2021 authorized_keys
-rw------- 1 ceil ceil 3381 Nov 10 2021 id_rsa
-rw-r--r-- 1 ceil ceil 738 Nov 10 2021 id_rsa.pub
226 Transfer complete
ftp> exit
221 Goodbye.

this is how mine looks

you typed exit

yeah

also the !ls <-- is to run a local command

prefixing any command in ftp with ! runs the command on your local machine

allows you to check stuff without needing to leave the comfort of the ftp shell

oh ok

ok but my issue is like i cant acess the ssh file

idk why thats why im stuck as of rn

you shouldn't be having issues; normally i wouldn't do this but dm me the exact string you used to connect

simple PEBKAC error

https://tenor.com/view/that-was-user-error-frostee-benson-luke-youngblood-fast-and-furious-spy-racers-user-error-gif-16620818

hey all still looking for help with https://academy.hackthebox.com/module/17/section/64 question #5. I found the vuln plugin from the wpscan output, but I don't know what file to download that has the flag value

i'm on hour 11 now. this questions is killing me

I even found a flag that is for something else?

🥲

have you manually searched for plugins?

Yes. I have found the vuln and have an active shell. I can view the whole file system. Only problem is the question doesn’t say which file it wants me submit.

you cant get a shell with the vuln

I know, i skipped ahead and brute forced a user got admin access then added the code and can do RCE. Ive been scanning the whole server for hours and found a fag in the uploads folder but it wasn’t accepted

I have all the other solutions already i just need #5 to finish the module

yes just look for plugins manually and look for cves

the module gives you a command to search them

I found the cvs and git the command to read files using the vuln, but now what? What file do i read to get the flag code?

It doesn’t

i just copied it from the "Plugins and Themes Enumeration" section

git?

the exploitdb one?

Exploit-db is the one i used. Im not using metasploit

dm the one youre using

Ok am gonna need a sanity check on Password Attacks: Password Mutations cos hydra has gone through ~90,000 entries and still isn't done...

• yes Im using a mutated list
• yes I grabbed the original password list and am using the custom rules provided
• yes Im not directly targeting ssh but the other service instead
• im on TCP vpn
• 48 tasks

• total of mutated list of ~180,000(am thinking this is the culprit )

iirc it took me 4hours to found one answer

[STATUS] 639.77 tries/min, 91487 tries in 02:23h, 96282 to do in 02:31h, 48 active

I hate this

If you use the commands from the section your wordlist should be roughly half the size

that list is a bit too big

looks like it may contain dupes, you don't want that

thanks @fathom pendant

Guys hello. When you have a shell with PowerShell is it possible to switch to cmd.exe?

yes

cmd <-

why you'd want to drop down to cmd is beyond me

but you do what you want

https://academy.hackthebox.com/module/41/section/442

I spent close to an hour trying to get this flag - it only worked after I skipped ahead and went back later. I swear I'm not going crazy and pasted the exact same string that got denied (I had it sitting in a notepad). It's a really obvious flag and tried all the white space combinations including the standard format without any white space

exact same string I tried many times only worked after I skipped ahead and went back

sometimes refreshing the page lets you submit the flag

it's weird

damn first time I've encuotered this, thanks

That can make sense. Permissions can be different 😉

Hi, in the "Web Attacks" Module, in IDOR section -> "Bypassing Encoded References"
https://academy.hackthebox.com/module/134/section/1187

I can´t download any contract, I am getting a 403. I found how the server is encoding but I am not able even download my own contract, so the one with uid=1, should be like that o something is wrong?

https://academy.hackthebox.com/module/88/section/922 i can t finde de answer

i run this code import requests
import re
from bs4 import BeautifulSoup

PAGE_URL = 'http://94.237.59.30:50280'

def get_html_of(url):
resp = requests.get(url)
if resp.status_code != 200:
print(f'HTTP status code of {resp.status_code} returned, but 200 was expected. Exiting...')
exit(1)
return resp.content.decode()

html = get_html_of(PAGE_URL)
soup = BeautifulSoup(html, 'html.parser')
raw_text = soup.get_text()
all_words = re.findall(r'\w+', raw_text)

word_count = {}
for word in all_words:
word = word.lower() # Convert to lowercase to ensure case-insensitive counting
if word not in word_count:
word_count[word] = 1
else:
word_count[word] += 1

top_words = sorted(word_count.items(), key=lambda item: item[1], reverse=True)

Print the top 10 words with their frequencies

for i in range(10):
print(f'{i+1}: {top_words[i][0]} ({top_words[i][1]} times)')

Output the 3rd most used word

third_most_used_word = top_words[2][0]
print(f'The 3rd most used word is: {third_most_used_word}')

did you use the url from the "spawn target" button?

as the example url you'd have to change

it s the same

what can i do?

i can find...

@rustic sage this channel isn't for challenges if it's a challenge related to the #1336347627452629033 CTF if not #challenges; read and follow #welcome to access the ones that say "no access"

@spark hinge don't dm users for help without asking

ok

I believe I'm answering this question correctly in the Linux fundamental mod, "Which kernel release is installed on the system? (Format: 1.22.3)"

I did provide the X.XX.X format based on the uname -a cmd

but it's not accepting

is it better I ask inside the academy chat?

if you type hostname what do you get

Me trying to compile juicy potato.
Visual Studio: "Hey, check it out, you can use XBox Live Pass.....!"
Me: No, go away... <click.. click.. compile..>
Clippy: "I see you're trying to compile malware! I've taken the liberty of deleting that new binary!"
Me: Arrrgh.

try GodPotato

Will do, next up. :^) edit: oh yea, that's going in the notes

htb-dzctowmm72

i believe you aren't SSHed into the target

you have to SSH first then you can start answering the questions

no wonder why it's taken me about 4 hours do get through this part

Hi , can anyone help me with this ? Authentication Bypass via Parameter Modification , Module , Broken Authentication

?

Hi, I've been following some HTB modules the last couple of weeks. I love the platform, but a lot of the content could be improved significantly in terms of writing style and clarity. Is there someone here I can get in touch with to suggest improvements? Right now I keep submitting new content tickets, but that's getting cumbersome at this scale and I'd like to do some proposals.

You can use /feedback
or write the proposals in #1234357888114364508

guys can anyone give a link to normally working JuicyPotato?

.exe

Hello (again). I'm trying to brute force vhosts on Vhost section of the information gathering-web edition. I've tried gobuster numerous times, and it is giving me back nothing. The command I'm running for reference is:
gobuster vhost -u http://83.136.251.19:43946 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt --append-domain

Each time I run it, I never get any results. Is there something I missed? I keep looking in the module, and I'm not noticing anything I may have overlooked.

solved

I am trying to use foxyproxy after connecting to it i am unable to access any website

https://github.com/ohpe/juicy-potato/releases

Setting ip 121.0.0.1 and 8080

Are FoxyProxy and Burp (assuming youre using burp), on the same port?

Yes zap

Justing unable to access any website after connecting to it

Is intercept on? I know with burp you need to forward the packets or turn it off if so.

Zap it off

I use Burp, so I'm not really able to help much more beyond that... my apologies.

I am not asking about zap just help me how to use foxyproxy

127.0.0.1, not 121.0.0.1

My Citrix RDP session literally running at 1 FPS

If i am using zap in build bowser which opens a firefox window then there is no need for foxyproxy because it has inbuilt proxy ?

You need Foxyproxy to tell the browser which proxy to use.

zap does this automatically, without the need to turn it on/off

Gotcha. Thanks for the info!

@unique spruce moving the convo here since i know you're working on an academy lab

It’s cat: ‘adam2/*’: Input/Output error

well... the mount dir you said was adam1

so

there’s 2

?

Cus I tried multiple permissions

There’s adam1 and adam2

well there's your problem

They both have the same error

sudo umount adam2

gotta unmount one

Still the same error

I did unmount it though

i am doing this flag Try intercepting the ping request on the server shown above, and change the post data similarly to what we did in this section. Change the command to read 'flag.txt' using command 'cat flag.txt' for getting the flag while intersepting is on using zap getting response but but no flag

unmount both then and remount

is that the section where you have to obfuscate cat to be like c'a't?

I remounted but it’s the same error

change vpn regions; reset the lab; try again

that actually makes a difference?

intercepting web requests web proxy module

cause I/O error isn't a standard error

It’s not my fault u mean?

intercepting web requests web proxy module

could still be user error

i saw the response

did you change it to read cat /flag.txt ?

yes

HTTP/1.1 200 OK
X-Powered-By: Express
Date: Sat, 22 Mar 2025 15:01:37 GMT
Connection: keep-alive
content-length: 0

but no flag

got the flag

i was using ' in place of ;

stupid me 😅

oof

@fathom pendant im still getting the same error

try using ls to look at the directory

I alr saw the directory

The only way I’ve been able to cat files is one by one

grep -E ".*"

huh

regex

Whats rhe follow command

Full*

grep -E ".*" mount/*

Same error

looks like a permissions issue

weird you can't sudo cd into it

Yeah lemme show u hold on

did you try changing vpn regions and respawning?

Yeah I alr did that

weird

am I cooked??

Im lowk js gonna use the credentials from the walkthrough i found at the end of the day its ab the knowledge ykwim?

cd doesn't work like that. You need to be root directly.

ah

yeah that!

just sudo su

cd is just meant to change your pwd, but since none of your actual access rights would change, it wouldn't be possible to do it via sudo.

no

the password on the walkthroguh doesn’t work so I think I’m cooked

?

wdym

I FIDNIT

sudo su worked

now you can cd to your targetNFS/

Im in the directory now how can I cat all the files now

and hopefully this resolves the I/O errors too

cat *

uh I did that it’s just a blank line now

give it a sec

also "blank line" isn't helpful

screenshot?

...

yess it worked

you can use a bash loop for that

I found the credentials

yep just had to be patient kid

as you're not reading a local file, you're reading a mounted file, which is prone to network issues, likely why I/O error - delay and such

also $(pwd) returns
/example/dir

that's why grep gave you the error

you needed to add a / before the * to get it

but there's no reason to use pwd like that, when you can ./

also that

yo

i had to do sum but im back my credentials aren’t working for some reason on smb client

It’s saying session setup failed?

is anyone else having trouble connecting to their target machines? I keep timing out for some reason

have refreshed the target a few times too btw

Has anyone ever had a problem with an incorrect password when connecting to the “Internal Password Spraying - from Windows” RDP to 10.129.66.155 (ACADEMY-EA-MS01) with user “htb-student” and password “Academy_student_AD!” challenge?

how to tell if your genz without telling you are genz

😛

The way I talk or my approach?

@hushed rivet

the way you type

and the way you take screenshots haha

I am 15 man 🤷‍♂️

Module: Introduction to Windows Evasion Techniques
Section: Process Injection

Is anyone else experiencing issues with this section?
I'm trying to complete the module using micro_shell, and I'm following the guide step by step exactly as described, but for some reason, I can't get the expected results.

Is there anyone who can help?

There's no guide to solve the interactive section for that module, as it's over Tier 0. If you're following what's in the module / section, it could be you need to look at the commands you are using, and related options

Sometimes you need to research a little to find the solution.

I always used different shell code because micr0_shell never worked when it came time for dropping it on the target.

Hello guys !

On the module Protected Files from password attacks

They ask "Use the cracked password of the user Kira and log in to the host and crack the "id_rsa" SSH key. Then, submit the password for the SSH key as the answer."

What is the cracked password ?..

Actually, I tried a few things on my own, but since this is my first time dealing with something like this, I don’t know what to do or how to do it. I asked someone who has completed this module to give me a hint.

which shell code you use?

msfvenom prolly worked.

I will try, but I don’t think it will work.
Because when I read on HTB, I saw that shellcodes like msfvenom are well-known signatures and are quickly detected by Defender.
That’s why micro_shell is used by HTB

The 'Password Attacks' module… is "brilliant"! All the material is well-written and understandable, except for two pages: 'Pass the Ticket (PtT) from Windows' and 'Pass the Ticket (PtT) from Linux'. It’s like learning how to work with Python's requests library and suddenly being thrown into C++/C memory management coding halfway through the course. Seriously. They could have moved it to a separate module or placed it under the Active Directory section.

I'm reading and reading, but I don’t understand... Some crazy magic is going on — playing with keys, tokens, tickets… Where do these keys even come from? Why are they being passed around? Maybe for those who have worked extensively with Active Directory before, these pages aren't that difficult. But if you're taking CPTS as a course without any prior AD experience, these topics are next-level stuff.

Ugh, this is frustrating. Time to keep digging into this magic....

I've been trying to understand what's going on in these pages for two days. Maybe on the third day I'll understand😂

I had no problems with microshell in the module.

it definitely won't lol

did you remembter about protected files ? we have cracked kira password ?

Yeah not sure why it wasn't working when I went through it. Usually I would blame myself, but kind of hard to mess that one up. I'll have to go back and see if I documented what I used for shellcode.

I don't understand what you're talking about 😄

The question on the module Protected files say ' Use the cracked password of the user Kira and log in to the host and crack the "id_rsa" SSH key. Then, submit the password for the SSH key as the answer."

But i don't have the kira password ...

did you have to take the password from the previous page?

The previous page is about ptt and they don't talk about kira :/

this password was extracted earlier in the module, see "Credential Hunting in Linux"

Hey what's up?
Can you give me a hint for complete process injection section

It's been too long since I've done the module to help like that.

mmm yes I remember that, with the mutation of the password list, unfortunately we didn't write it down and I no longer have the password and the file has 92000 entries 💀

…

It's ok @safe star.

Form signed etc etc

i have parent consental form done please dont banish me again 💔

try to bruteforce it again, or look at the hint)

Yeah, probably best to just not talk about your age anymore, since people will react to it.

┌──(kaifux㉿kali)-[~/Downloads]
└─$ nmap -sCV 10.129.146.33
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-22 14:01 CDT
Stats: 0:00:29 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 0.00% done
Stats: 0:01:01 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 100.00% done; ETC: 14:02 (0:00:00 remaining)
Stats: 0:01:01 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 0.00% done
Stats: 0:01:02 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 96.89% done; ETC: 14:02 (0:00:00 remaining)
Stats: 0:02:01 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 98.21% done; ETC: 14:03 (0:00:01 remaining)

how did it go backwards 😭

Fo' sho'

It’s just the way bro used that as an excuse for the screenshot😂

oh no thats cus i was at work

im a lifeguard aswell so the account i was on didn't let me access discord so i had to take pictures on my phone

yes.. wasted time

I definitely misspoke, as looking at my notes, I did use microshell for that section.

believe it or not, straight to jail

i am really stuck at CPTS : Double Pivots

https://help.hackthebox.com/en/articles/9297532-connecting-to-academy-vpn

i am already connected to vpn

https://academy.hackthebox.com/module/158/section/1439
Its this task

the page i linked provides methods to make the vpn connection more stable, if you don't think it's on your end then you can try another server or region

It finds everything, when i press yes there then after a while it disconnects me

I also tried it yesterday same issues

at that point probably best to reach out to support on the website then

i fixed it !!!!!!

hell yes

now i will start with AD 😄

I'm new to the HTB world and I want to make sure I'm utilizing my Kali VM properly within the HTB Academy. I'm in the Getting Started/Basic Tools Section and wanted to know how to connect to the target through my VM? Do I need to use openvpn for this module or....?

There are two ways, first you can use the pwnbox. Second, you can use openvpn which you can obtain from https://academy.hackthebox.com/vpn. You don't want to use both at the same time just one or the other.

If you're going to use your own VM, use the VPN

I'm on Attacking Common Services RDP, I'm trying to disable restrictedadminmode and basically, my first thought was to use evil-winrm to do the job, but its essentially not loading a shell.

what the actual fuck

im on the medium lab still i literally got it and i logged into windows and i was on the bullshit mssm and it just crashed

and then i tried to reconnect and it wouldnt let and then i reset the target and pwnbox still the same actual bullshit

is the user in the remote managment group?

why not just do it from the rdp session

this is in footprinting btw

I've done this before in the Password Attacks Module, but it was using evil-winrm

No need for that kind of language @unique spruce - if you believe there's an issue, please reach out to support. If something that was working for you previously is now not working, please redeploy again - sometimes things do come up in an unhealthy state unfortunately.

ok, ive redeployed like 5 times and i have no clue what to do atp

no difference

@tender nimbus please do not provide potential spoilers for modules over Tier 0

Ow euh yeah sorry so If someone can help in private for a SSI problem ^^

Hi guys i'm having some problems with the module Login brute forcing - skills assessment 1. Every time i use hydra it can't find the password. I've redownloaded the 2 text files from the current github repository but still nothing. Can someone help?

Is there no file in the resources of the module?

I need to download from github repository but obviously the ones from the module are not valid anymore..

Let me check

I will try give me a sec

ok

Hm, broken link @rich salmon ?

???

The links provided, could you download them ok, or was there a broken link?

no it wasn't

If you have both lists and are following the section, then the information / creds you need are there

That's all I can say I'm afraid

ok

I will try to reset the target.. let's see

maybe you tried to clone the file?

wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/Common-Credentials/2023-200_most_used_passwords.txt

wget https://raw.githubusercontent.com/danielmiessler/SecLists/refs/heads/master/Usernames/top-usernames-shortlist.txt

@rich salmon

When i've downloaded the 2023 most used passwords it said the file is empty

from this repository

But when you do it with the link I did what did you get?

@rich salmon

Maybe you tried to clone the repo but you gave the full file path?

i used this repo..

Yeah but if you do git clone with this link it will not work because you only can clone "directories" and not directly files thats why

no i used wget

Hi

Im using this command to test for ssrf vulnerability

now it worked thanks

@tender nimbus

each time I run it it gives different ports open

gives it like this

anyone have any ideas why its doing that?

What command did oyu useN

Mb didn't saw it

no worries, if you have any ideas pls lmk

idk why it keeps giving diffeent ports

and why its giving in that output

Its about you filtering

I did fs 8285 and mc 200

also 127.0.0.1:FUZZ

because I needed to filter the size and made sure I only get 200

ahh cant believe i didnt see that lol

let me try tht

You trying to identyfi blind ports?

do u know how I can hide the progress?

im trying to identify open ports

Is the fs not Something went wrong?

i dont think so?

fs should be a number?

No You use strings to

You talking about these right?

also do u know how I can get rid of all these lines and just give output

nah

identifying ssrf

f man this timer is so annoying

isnt that "fr"?

Let me look quickly I will do it again

okay thanks

happened today morning too, idk why it keeps giving me different ports all the time

yeah but evil-winrm is loading no shell

its just permanently loading

Is winrm open?

no its not, which is why I'm stuck

Then it’s not gonna work

yes i know

any luck?

@pine dune for me it is just a bug

somethimes when you have that just do ctrl c and run again

thanks, I dont have the -H flag nor the index.php afte the target host...these arent neccessary right?

also Im still having the issue, Im still getting random ports opened all the time, its not consistent

I’m not sure about that ^^ tbh i don’t know I just do it’like the module tu be sure its correct

With m’y command i just received the open ports

my command

If a module is over tier 0, do not share spoilers. Repeated posts will result in more than just a post deletion

..or maybe should just add a bot to say "no t0 spoiler" every other post

😅

anyone know why Im getting this error? I dont have credentials for this

is mysql open?

yea port 3306

externally?

yea i believe so

it came up as an open port in the ssrf identification

and you fuzzed for 127.0.0.1 right?

yea

thats not external

oh sorry didnt notice

Yours is fine tbh

It was another

you can only access that on localhost

It says 3306 is open and to connect to the application

NFI which module you're working on RE that

and it just shows trying to connect to a mysql server

ssrf

identifying ssrf

you sure thats the only port?

nah theres another port

let me try that

Uhhhm, yeah,.. was gonna say, not sure you';r eon the right path

But that's a Tier 2 module, so don't give anything that could be considered a spoiler away please.

ty

how would I connect to that port? I tried the ip:port on browser

I so gotta train an AI to do this

the same way you found it

ah

let me see

also just a suggestion can we please get rid of the 5 second time limit in this channel 😅

"Ok subservient intelligence, detect content that potentially spoils any content relating to <insert path to academy writeups>, and respond accordingly"

Well, that's my evening project for tomorrow

im struggling wit this

i have some

i've found

so it has 3 ports open and I was certain it was the sql one. When I tried connecting to it its refusing

Not something you should advertise @tired atlas

and thats what they show in the example so what the heck

I just found them while trying to search the forum

it aint my fault google shows other search results

I was offering to give them to you so you can get them taken down

Yeah, but.. just don't use writeups with content meant to be completed without using writeups, and have an impact upon completion of a certification

Thanks 👍

We do our best to fight against such postings

but it's a game of continuous cat and mouse

We catch cheaters daily also unfortunately, on all sides.

i mean look, they can exist but they're not gonna help you complete the exam

Hi can you please guide me on this? I found it using ffuf

just do it the same way ffuf found it

pretty much the same with curl

I don't actively work on the leaks etc team any more.. but it still pisses me off that work our team have spent so much time on has its value diminished by assholes

But.. comes with the terriritory, and it's not unique to HTB

If there's a test of skill, cheaters gonna cheat

offsec has it down to science, every holder REFUSES to leak anything

even in a daily convo you have with a friend

There still are leaks though

and certs are revoked, as with us, and other providers we speak with

End of the day, cheaters are hurting themselves more than providers

even if you cheat and get the exam i guess, you'll get fired or on a PIP when you pen test poorly

and it's a shame

how would they know

More likely that you don't make it through the interview.

nah sometimes they dont ask you enough technical questions

Cheaters always sign it "Sincerely, cheater mccheatyface"

curl http:10.129.201.127:port ?

like for my first soc job i got, the most they asked me was "what's the difference between threat intelligence and a SOC"

I did enter the correct port too

Im just confused on why port 3306 isnt working

also because of AI people are graduating with whole degrees while knowing next to nothing

even though the ssrf scan found it open

its a damn shame

Some can learn the skills required on the job without needing to learn beforehand. That is impressive, and they may well get away with it, but it doesn't detract from the massive ego thinking they can cheat in to a role over someone who has spent time learning and building. It just makes me angry and quite sad to think of

the former is me hehehe, quick learner, but I've never cheated in my life, I'm too scared

Majority who fake their way in will just waste both their time, and the employers time, and get a black mark

Well, technically in the UK you can't be given a bad reference

But still.. you would know yourself

OMG wait you're from the UK?

Aye

I'm Australian, my bf is from the UK, I'm literally doing this cert just to get a job in the UK

Hehe, I've certainly gone in to jobs where I've had to learn on the spot, but never presented myself as having those skills in the interview

Niiice, good luck 🙂 Met a load of people at a conference today, and they were all singing praises of the certs. We're gaining traction!

free will's a beautiful thing

Yeah ofc theres this company thats on hackthebox job search that recognizes cpts that is housed right where my bf lives, about 10 minutes away

Last two jobs, I didn't know the main programming language the company used, but picked it up as I went

Just presented myself and my prior knowledge and eagerness to learn

learning a new syntax is harddddd

You get used to it

The worst for me was Ruby on Rails.. thankfully I only had to do a couple of small patches

My brother can pick up a textbook and within a day know how to code that language, prodigy

but that shit just confused me for some reason

worst for me was Java, I dont like it

If you have a good amount of experience in any general high level language, how basic logic works, scoping etc, moving to another language isn't too bad

but it's certainly a skill that takes time to pick up

I don't mind Java, but it's certainly got some aspects that are quite different to other languages.. in some cases for the better, and some.. not so

Im bad at coding in general, like it just looks like hodge podge to me, even though I have a maths background, i just can't....read it

😅 maths background, you should have seen me going through a crypto course ages ago with discrete mathematics and syntax

I wasn't just a fish out of water, I was a fish that had been desiccated for a week and thrown in to a vat of salt

after this i want to take the AI red teaming course, looking forward to all the linear algebra

..but it was fun to learn

That's the key too.. finding joy in learning

Yeah I'm pretty gucci at maths but even python for me, like I just can't learn beyond a basic program which is fine i guess for pen testing where you only need to write small automating scripts

but the big boys, they write all those tools and I"m like WOWWOOWOWWOW

😄 Yeah, for pentesting having enough to write your own little automation scripts and tooling is definitely a massive bonus, and you can go as simple as automation as in chaining some pre-existing tooling together to writing your own toolset that does more advanced analysis and reporting, but at the end of the day so long as you can research the tools that exist and understand how they work to an extent from a theoretical perspective, you'll be fine

Using other peoples tools doesn't make you a skid imho, so long as you take the time to understand how it's working

Understanding how something works doesn't mean you should be able to turn around and build something better

https://tenor.com/view/obadiah-stane-tony-stark-was-able-to-build-this-in-a-cave-with-a-box-of-scraps-tony-stark-box-of-scraps-iron-man-gif-23963164

for the first few modules of this course, I was feeling like a skid, but I'm so glad a lot of these questions are not directly taught in the module and you need to do a little bit of research

it builds those skills, with TryHackMe, the answers were quite literally taught

Nice to hear a positive comment on the research nature of the modules for once 🙂

Like I'm stuck right now, there's only an RDP port open, and I'm trying to perform a PtH but restrictedadmin is enabled, and I'm quite unsure how to do it

no

What?

look how ffuf is sending the request

employers all want a unicorn just like we all want the unicorn man or woman

the reason why Im confused about this ffuf thing is because im using ffuf to identify ports, I dont know how to connect using ffuf on a target port

True.. sometimes we find a unicorn, but more often than not we gotta change our expectations to match what is available

Getting that phenom is so rare

entry level position requiring cissp always makes me laugh

its the same thing

I'd prefer to have someone who can grow than spending a year looking for that diamond

Hahah yeah.. gates are a little high sometimes

its sending data through a post request

not just requesting the target ip

no its quite literally impossible, i can pass a cissp right now, I even jokingly put it on my resume for my first job, but the 5 year xp requirement makes it gatekept

ah yes

so we should change it to a GET request?

no

thats not how ffuf found it

Not sure I can fairly comment much, as hiring was pretty different when I finally got in to the field after working in a supermarket for 6 years

ffuf is just automating something you can do manually

I've been very lucky in my journey, never turned down, took many years to grow up to where I am.. but again

It was a different time when I got in

Now people do really have unrealistic expectations of what "entry level" is

"NEED 5 YEARS EXPERIENCE IN LANGUAGE THAT WAS RELEASED LAST YEAR"

i'm from australia where i can just go to a local csides conference, talk someone up and be offered an interview, so i cant relate that much either but the UK market now is like so different, since I have no connections I need to quite literally earn an interview from merit

10 year experience in AI, bro chat gpt was publically released in 2023, what you on about

Well I hope that you managed to get a foot in the door when you're ready 🙂

When you feel ready*

When you go for it*

If we waited until we thought we were ready, we'd never do anything

I've never been ready for anything my entire life, apart from picking up a pint

most british thing i've ever heard

My nan had a bar in her lounge

I lived in a town full of alcoholics, with more pubs than houses

sending requests

I was well trained

(ok, more pubs than houses is a stretch..)

dm the ffuf command

my dude when we met told me hes not an alchoholic as he doesnt like the taste of alcohol goes to the pub every weekend

He's a SOCIAL drinker

🙈

Not the place for it @signal cloud

#rules

British definition of alcoholic is someone who is borderline dying of poisoning

Get out of my head

..and doctors notes

(not really)

I'd rather die than get sick in the Uk tbh

NHS is abhorrent

anywho

It really is bad

general chat things in modules

I had AF for like.. 6 months until they finally got me in for a 15 minute appointment to shock me

Maybe even 9

Ah crap, we're in modules, oops

https://tenor.com/view/jail-right-to-jail-right-away-parks-and-recreation-parks-and-rec-gif-16177531

@pine dune still stuck?

You have to use burpsuite

And make a request to the port you found as date server parameter

thank you bro thats what I did and thanks to @safe star for making me understand

makes a lot more sense now

Take notes to of Every new topic/tool you use for the futer @pine dune

thanks yea I will

hi guys

i need little help

Section link: https://academy.hackthebox.com/module/41/section/441

btw why i cant type in general ?

Read and follow #welcome and #rules

thank you

OCaml is killing me rn

yo im on the footprinting hard lab any tiny tiny hint i enumerated services but so far i have nothing and im not sure if im gonna have to brute force

btw i think there's a command to disable restrictadminmode in the module section iirc so you can PtH

hello any help ?

If anyone could help

Tcp and udp

have you checked udp

oh smart people here let me check

can you help me too pls

i think my problem is a type error

is a udp scan supposed to take 15 minutes?

https://academy.hackthebox.com/module/41/section/441

Don't freakin paste flags

okey

goblin

sorry

is a udp scan supposed to be 5-20 minutes?

UDP scans are slow

and very rarely required at HTB

With UDP it's a good idea to give specific port numbers or services that are known to run on UDP.

but in this case it might be?

I don't know, I can't comment sorry

alright

im doing the footprinting hard lab

so yeah

just check the source

its a type error i found the flag

nevermind im gonna open a ticket

Look through all the sections in the module and make a list of all UDP ports that get mentioned. It can come in very handy for other modules too.

right now or after im done w footprinting

That could be seen as spoiling potentially..

is footprinting a really really long unit

cus it rly does feel like it

If UDP is required, interaction with it will be mentioned through the module somewhere no doubt

this is a lab they dont mention anything they js give u a username in this instance being HTB

thats it and ?

I can't comment

It's a Tier 2 module

the length is public dude

im just saying comparison to other modules on the cpts path is it considered long or are they all like this in length

Honestly, I do not know

yeah it felt like more of the longer ones

but theres a lot longer ones

maybe it felt like this cus school been taking away all my time

It's not the longest module, but it's larger than many

oh ok thanks!

I would suggest to not worry about length, or the time it takes you. You're jumping to this channel very quickly on any section you get to, when you should be slowing down, trying to work it out first, and researching on your own.

ur lowk right ill try to adapt to the stuck mentality rather than js giving up

They list the expected time for each module in https://academy.hackthebox.com/modules However, for me it seems like "hours" really means "days", and "days" seem to take "weeks".

yeah 2 days took me one week but i wasnt rly doing it full time and i was taking comprehensive notes

If it takes a week, but you fully understood the material, then it doesn't matter. The only bad thing you can do is to try to jump ahead of the content, and to disregard something as beneath your time. The exam won't care how quickly you complete things - only if you understood it properly.

The smallest brick can cause a house to fall

https://tenor.com/view/pei-mei-so-you-think-your-wu-tang-sword-can-defeat-me-gif-22565669

(total bs statement, just felt like saying it)

..but it kinda made sense at the time

On the password cracking module in cpts, how many tries/min is normal and should any attempt take longer than 30 mins of cracking?

Any specific piece of knowledge skipped over or discarded as just "part of the content" could be the difference between achieving a goal, or failing entirely

This is very true, and honestly impacts both new people to the modules, and people with experience. There were plenty of things I rushed through in the content, because I had a few years of experience doing boxes, and I paid the price for that in the exam, with days lost.

One day I'll do the certs.. I'm really, really reaaaally curious to see how I'd get on with a learning experience after so long

You can expect many expletives at that time, I think

You really should! CPTS wasn't just a great exam, but a great teaching tool itself. I learned a ton of things doing the exam itself, just by applying the concepts that the course had taught me. It's really well done.

Cheers for that, your PayPal tip will be in the mail Niiice!

yes but what can i use to execute the command if the only port open is RDP, and I can't RDP

fudge it's nearly 1am now, oops.. one day "I'm going to bed" will actually mean "I'm going to bed"

bruh you said goodnight to me 45 minutes ago

GO TO BED

like xfreerdp isn't allowing you to connect ?

🫡

What do you mean that you 'can't RDP'

nn all

I've been told

i can't perform pass the hash because there's a restriction policy in place

cause if you can /pth: will allow you to pth

can't you remove them with the given user?

What are you referring to?

no I tried that but there wasn't an option within \Control\Lsa to disable it

i just did the module and i think they give you the cmd command (i couldnt be bothered to go to the registry file thing)

there's an admin restriction policy in place, you need to disable it using a command

Disabling what?

Do not post module content.

does this work?

ah right ok

oh even the command isn't allowed?

i guess it does spoil, mb

I get there's a command, I read it, but without winrm port being open you can't even open a winrm shell to do it

Having some issues with https://academy.hackthebox.com/module/25/section/149
How can I get a foothold, please? with the provided list, I have tried null session with SMB, tried crackmapexec but nothing is giving...should I use kerbrute and spray? I need some creds to begin with...but I am struggling with getting started with the provided list after enumerated two servers running on the subnet. One which is a DC and another which is just another server.

Which section?

https://academy.hackthebox.com/module/116/section/1171

you can start a cmd terminal on the target machine when you rdp to it with xfreerdp, there's a searchbar on the bottom left hand corner

they should've given you a username and password

You are already RDP'd into the box, aren't you? Why are you trying to winrm?

I'm not rdp-d into the box, as admin, which is the account i need to rdp as, because there's an account restriction policy put into place, that's not allowing me

It seems like you skipped over a good portion of the section. I would go back and reread everything.

yes but when I execute the command, it says access is denied

I'll read it again, see if I missed anything

that's weird ngl

i know

i'd just restart the target if i were you

its been 5 targets later

i've waited even before using the target for a few minutes

good luck then lmao i'm not too familiar with windows registries so i can't help any more

(before I get told off, I am in bed) if you've gone through the sections, there are certain tools you will have used to get started here 🙂

You've more methods to go through over what you have already tried, you got this!

Youre in bed on your phone, blue lightttttttt, really bad for your sleep pattern, but I'm a hypocrite as I sleep hugging my laptop everynight

💯

I'm my own worst enemy.. closely followed by my phone

https://tenor.com/view/thank-you-man-david-kaplan-a-real-pain-i-appreciate-it-gif-708633000752467237

@ocean night you know...i have tried it all so far...i know my htb-student account doesnt auth to DC so I think I am stuffed untless the lab is messged up 😦

It's not supposed to. Read the description where you start the exercise.

which genius told me to scan udp ports

Implement the methods you have learned through the module.

kool, kool...thanks man. will circle my method list again...

mmhm, you have used what you need before.

Won't say any more, as phone is getting chucked down the side of the bed

..and I can't spoil, and please be mindful of what you post so as not to spoil a module that is over Tier 0

staring at all these sections now again

i thought you got it?

you dont need admin to disable here

Yeah...thanks for the tip

you can copy and paste the command straight from the module

youre right you dont, it was a target problem, i reset it a few dozen times

I'm good now

also this module was weird, its stuff we've already done before but the new things explained in the module haven't been tested. Pass the Hash was taught in Password Attacks

session hijacking would've been nice to practice

yeah definitely, i tried to session hijack the user's when i was logged on as admin but i couldn't when trying to replicate what the module taught

maybe we'll see that in more details further down the line

i took the advice of my goat rat but im stuck, i managed to get the ssh key log in as the the user in the service but im in ssh now and ive hit a brick wall

ive looked for some many AV's but eveything came up short and i have 0 sudo privileges so im js stuck i feel

@fathom pendant can u help 💔

Hey! So i am currently workign on Active Directory Enumeration and Attacks section 2.

I am on question 7: Submit the contents of the flag.txt file on the Administrator Desktop on the SQL01 host.

I attempted to manually escelate my privileges using PrintSpoofer, GodPotato and JuicyPotato and it just didnt work, didnt even give me errors, it did nothing!

So i logged in to the mssql instance with metasploit, used getsystem and it worked. Does anyone have advice on how to try again manually?

Modules: Getting Started
Section: Nibbles
Sub-Section: Nibbles - Web Footprinting

Use VPN.
The /nibblelog/ shows a 404 error. What is it that goes wrong that I cannot see the /nibblelog/ page?

Both web browser and curl show 404 error.

└──╼ $curl http://10.129.41.215/nibblelog
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /nibblelog was not found on this server.</p>
<hr>
<address>Apache/2.4.18 (Ubuntu) Server at 10.129.41.215 Port 80</address>
</body></html>
┌─[parrot@parrot]─[~/Shares/Shared/lab/starting_point/nibbles]
└──╼ $curl http://10.129.41.215/nibblelog/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /nibblelog/ was not found on this server.</p>
<hr>
<address>Apache/2.4.18 (Ubuntu) Server at 10.129.41.215 Port 80</address>
</body></html>

I think it blog not log

Oh, my goodness. Been doing this since yesterday. 🙏

hi i need some help. currently on SQLmap essentials - Skills assessment. Currently am stuck on running sqlmap with the POST page, found the exploitable sql type, and (i think) the correct tamper (based on the search on this chat).

however i am still coming up empty on the database names, numbers, users, etc.

Who names their tools juicypotato like any name they could've found but they thought of juicy potato like what the hell

anyone experience the noriben.py unable to generate a CSV file report in Dynamic Analysis malware analysis modules?

https://tenor.com/view/samwise-gamgee-frodo-sam-lotr-gollum-gif-15924654

Imagine spending months making a tool only to name it juicy potato

Hahah

There's gotta be some lore to it surely

A sugared version of rotten potato

Ok, so why rotten potato

From hot potato

Curiouser and curiouser

Hot Potato
Rotten Potato
Lonely Potato
Juicy Potato
Rogue Potato
Sweet Potato
Generic Potato

Hot Potato was the first potato and was the code name of a Windows privilege escalation technique discovered by Stephen Breen

Ok so I assume it's about the payload and subsequent paylods making a number of to's and fro's before finally hitting the NTLM Relay

Kinda makes sense

Run ZAP Scanner on the target above to identify directories and potential vulnerabilities. Once you find the high-level vulnerability, try to use it to read the flag at '/flag.txt'

HTB: using web proxies cube question.

I got the high-level vulnerability. But how to get into the next step?

Research?

When you hit a wall, think about it as you would a totally blind pentest. You have something. What can you do with the thing?

Hi, does somebody know where I can get the source of ./followthegreencube.sh script from the first page of the Shells & Payloads Module? I couldn't find it on GitHub

This is just one example. You cannot download this script.

Yes, but is there any source? Maybe a similar one, which does the same?

Maybe cmatrix
https://itsfoss.com/using-cmatrix/

U r golden! Thank you

Once i finish a module and im in the target machine, what is the fastest way of finding the flag.txt? "locate" doesnt work and i usually have to manually check dev/root/usr and custom file names to find the flag.txt. Im not sure if this is done on purpose and "there is no fast way"

It's usually fairly obvious.. generally there is a low level user you get access with, and that users home directory has the user flag, and then the high level user has the root flag, named user.txt and root.txt respectively.

Oh, well.. for modules

The flag path is sometimes specified in the module / section exercise

Otherwise it should be obvious once you have completed the assessment step, as the step asks a question

Your goal is generally to answer that question to provide the answer.

ah okay, thank you for answering it on both. I had the question originally posted in Boxes as i saw you typing and switched it to this channel lol.

Hey,

Any nudge in Advanced SQL Injection Module? I got the two users and their emails. How ever the reset code is always wrong. I don't get it. What am I missing?

Need help
rdate: Could not connect socket: Connection timed out

Which module, which section and for which question?
Without this information, it should be really difficult to get help

Please , i need some help at CPTS Footprinting Lab - Medium
I have connected with success to the rpd session , and have found creds for the sa users , but when but login in with the creds keep failing , i also tried Adminstrator.

Your user does not appear to have the rights to access the database. MSSQL recognizes two types of logins. Keep this in mind when you try to log in.

Thanks for the hint , but i see five methods of authentication, and i have tried at my level , but to no avail.

Perhaps we don't mean the same thing. Send me a DM to avoid spoilers.

Hi this problem still exists, I've rebooted the VM's several times and always get this error with the command provided in the walk-through

That is a Tier 2 module, please do not share specifics pertaining to the solution.

Reach out to support if you believe the module is in fault.

noted thanks

i cant seem to connect to htb-student with ssh in linux fundamentals

I found out what it was, there is YARA rule that is broken by design for the challenge at the end.

But you don't find that out until you reach the assesment, so if you're trying to follow along with the study part of the lab, the commands don't work due to the broken rule

Please feel free to feed back to us in #1234357888114364508 - this goes direct to the team 🙂 Glad you found out the problem

any help please T.T

What credentials does Bob use with WinSCP to connect to the file server? (Format: username:password, Case-Sensitive)

Hey guys,
Is anyone facing an issue with the Transferring files module? The Windows section / the assessment server is not up, I tried to change to different VPN locations, restarting/terminating/ all with same results,

From 10.10.14.1 icmp_seq=3 Destination Host Unreachable

Not every host responds to a ping

Hi

I am on the footprinting module and in the Oraclt TNS part. I am trying sqlplus on the parrot in the browser. But somehow its giving me some library issue. Anyone got it running ???

Here is the error

┌─[us-academy-4]─[10.10.15.63]─[htb-ac-1314953@htb-cthadzwjwo]─[/tmp/instantclient_23_7]
└──╼ [★]$ ./sqlplus 
./sqlplus: error while loading shared libraries: libsqlplus.so: cannot open shared object file: No such file or directory
┌─[us-academy-4]─[10.10.15.63]─[htb-ac-1314953@htb-cthadzwjwo]─[/tmp/instantclient_23_7]
└──╼ [★]$ export LD_LIBRARY_PATH=($pwd):$LD_LIBRARY_PATH
┌─[us-academy-4]─[10.10.15.63]─[htb-ac-1314953@htb-cthadzwjwo]─[/tmp/instantclient_23_7]
└──╼ [★]$ ./sqlplus 
./sqlplus: error while loading shared libraries: libclntsh.so.23.1: cannot open shared object file: No such file or directory
┌─[us-academy-4]─[10.10.15.63]─[htb-ac-1314953@htb-cthadzwjwo]─[/tmp/instantclient_23_7]
└──╼ [★]$ ```

Hello I am currently trying to tackle the injection attacks path. In the XPath part, blind injection I'm trying to do the assessment. I'm trying to automate the exfiltration process, however the string that lets us know whether the injection was successful or not is in script tags and for some reason doesn't appear when I issue the request via curl/python requests. I don't really understand how to fix this problem and I was wondering if anyone might be able to help em out with this

Hello,
I'm currently doing the Pass the ticket on Linux inside the Password Attack Module. I,M stuck on the svc_workstations method. I found the kt file transfert into Rubeus to get a kirbi file then ticketConverter to ger a ccache file but can't use it to logged with it because it ask me a Password... could a get help pls

83.136.251.141:59272 Try using request repeating to be able to quickly test commands. With that, try looking for the other flag.
It's not in the same directory! using zap proxy after ;ls; HTTP/1.1 200 OK
X-Powered-By: Express
Date: Sun, 23 Mar 2025 12:35:28 GMT
Connection: keep-alive
content-length: 68 flag.txt
index.html
node_modules
package-lock.json
public
server.js unable to get the flag the flag.txt is the flag already got but where is the other flag i am confused (module using web proxies , repeating requests )

stuck at the same point, even the db user is unclear for me. Contents of the user.txt, this one i got.

can anyone help with this shit

the commands are executed but i don't get no response

I expected that, but the server does not respond at all

and when i used invoke-SMBExec

it said success but i didnt get a reverce shell

change the VPN region and restart VM and target. Maybe that will help.

Now it works, I don't know what would be the issue, I've tried that for around 1 hour with different VPN zones, no progress, now works

This error is addressed in the reading

Hello! I am unable to make pgtunnel-ng work in the pivoting module of CPTS. The traffict doesnt seem to arrive to the final machine (172.. DC) may i get some help? I could make it work with chisel but i wonder if the pgtunnle tool is simply not working properly or it was me

@astral egret that is a Tier 1 module, please do not post specifics for modules over Tier 0

Ask in a way that does not involve specifics, but states which module / section you are in, and the trouble you are having.

you got it sorted? i just got to mysql, after i run thru it we can work to solve it out if you're still strugglign

No need to use that language. Read up, and see how others ask.

didnt really help

Which module, which section, which question, ask if someone can give you a nudge

That's how you do it

Password Attacks - Pass the Hash (PtH)

• Using David's hash, perform a Pass the Hash attack to connect to the shared folder \DC01\david and read the file david.txt. give me a nudge

what are you stuck on

i have no idea how to explain it to you wihtout screen shots

but im stuck and dont know how to access the shared directory or file

when i execute a command it executes sucessfully but does not give me an answer it just excutes

you pass david's hash, with it you should have the right access to read the david.txt file

no shit man

im asking how

cuz i tried the module way idk what im doing wrong

you've essentially simply said you're stuck on the question but you didn't provide info on what part you're stuck on, for all i know you're stuck on establishing an RDP connection to the target

anyone knows in "introduction to windows command line" "Skill Assestment part 3" what kind of flag should i find, it says only "If you search and find the name of this host, you will find the flag for user2."But ive tried "hostname" "systeminfo" "Get-ComputerInfo" and i dont see anytging related with a flag. Even the hint just say ||systeminfo||
https://academy.hackthebox.com/module/167/section/1633

I removed their original question as it included a lot of information of a Tier 1 module

If anyone can help give them some advice in DM, that'd be great.

But yeah.. trying to keep things to the rules RE spoilers.

go ahead and DM me if you need to provide more info you feel you can't post here

Hello everyone, I'm working on the AD Enumeration & Attacks module, and I'm currently on the Privileged Access section.
To answer the questions, I need to connect from the MS01 machine using SSH to a Linux host. I used the provided credentials, but nothing seems to work (I just can't access it).

the answer is the hostname

it's not formatted like HTB{}

hey I'm doing this module https://academy.hackthebox.com/module/19/section/118

and I'm putting the same nmap command but on my machine using the vpn I don't get the banner but on the web instance I do

anyone knows why ?

if you're using the tcp vpn that may be causing the issue, there's a note on this section that says to use the UDP vpn

also try using a udp scan to check it

yeah I saw it

I think I'm using the recommended one so the udp

nmap -sU <target>

generally you don't wanna throw -p- with -sU

yeah trust me I went to the forum

tried every possible options on the nmap

got no banner and first try using the web instance got so much stuff

but it's fine as long it's not me being wrong and it's the machine I'm happy

Hey guys, I wonder if there is a path or module towards IoT. I found a few references in the search, but no real modules.

Hello guys, I hope all of ou guys are well. I'm having issues with Information Gathering: Web Edition.

For the vhost enumeration, gobuster keeps coming up empty. The command I use is the following (which I hope it ok to share the command since it's not working for me anyway):
gobuster vhost -u <ip>:port -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt --append-domain

This comes up with nothing found. Am I missing something?

youre not supposed to use the ip

I get an error when I try the vhost given (the same error is there with my /etc/hosts file updated or not)

did you add the port

try specifying the domain with --domain

without specifying a domain, append-domain doesn't know what you want the domain to be, even if it's in your hosts file, it's assuming the domain is in the -u

Anyone in here know bin reverse engineering? I have an .exe I am debugging with Olly. Its set to listen on a port and then take an input, but I am not very experienced in this realm and am not sure how to trigger a connection event when running the exe locally

#binex-rev

Oh perfect, thank you!

gobuster vhost --domain -u http://inlanefreight.htb -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt --append-domain

This is what I just tried... It says "url" not set. I doubled checked my /etc/hosts file and that is correctly set (I've doubled checked).

when using a public_ip:port you still need to specify the port

the hosts file should not contain the port; only ip vhost

the request is made http://vhost:port

the host file only contains the ip.

also the reason it says url not set is because it's taking -u as the argument for --domain

--domain requires an input to work properly

Without the -u it still says url not found... do i still need -u and the ip address?

I just tried to replicate the task. when you have only the ip adress in your /etc/hosts file, the only thing you need to do is swap the port in your command with the port you get when spawning the target. Otherwise you can copy paste the command as it is given.

did you need the vhost name?

as i said earlier you also need to specify the port in your gobuster command

and --domain you should have inlanefreight.htb after it

directly after it

Where do you specify the port? Is it inlanefreight.htb:port?

hosts file: "<IP> inlanefreight.htb" and the port goes in your command "http://inlanefreight.htb:<PORT> ..."

-u http://inlanefreight.htb:port

not https

most of the labs aren't running https

oups sorry.

muscle memory

Ah ok. I just had to step away from my computer so I'll try that when I get back home here in 10. Thank you guys!

Anyone i can ask about the pivoting module? got couple cuestions.. thx

just ask them

@fathom pendant @compact vessel I got it working properly. Thank you.

Hey peeps. Using David's hash, perform a Pass the Hash attack to connect to the shared folder \DC01\david and read the file david.txt. On Password Attacks , pash the hash. I cant do it with anything. It tells me It cant find it or I have the wrong creds

Did you try all the tools in the section?

In the socksoverRDP section, why wasnt i able to log as jason? in the hint it says its a local account. Any explanation about this please?

after couple times i could log as jason but i dont understand the reason of this at all

I am trying with invoke hash, crackmap, mimikatz. Nothing

I get david has no service management control access something error

You can DM me if you want