idp/ids section skill assessment

at the end of nmap module

https://academy.hackthebox.com/module/19/section/119

ah yeah that one is hard

from what i can see, i should either use the ssh to do something

or toy with apache settings

or am i lost completely?

DM me ur current command, ill give u hints

how are you checking it's installed?

sql essentials module
https://academy.hackthebox.com/module/58/section/517
I can't seem to find the right command for this.

im doing the MacOS Fundamentals part of the operating systems fundamentals path, im stuck at how i should access the MacOS machine, is there even one? theres a question where i need to find the version running on my machine and submit it as the answer

where do i access the machine?

guys anybody know about this? i already do the steps like iwlist wlan0 scan with some grep. and i found the ESSID but it still wrong

i will delete this later

there is none

so the user is expected to have their own macos machine lol?

yep

can you help me with the wifi?

I've not done that module, sorry

np thanks bro

i think there is an error on the module

just restart the module and its fine, just some bug

vsftpd -v

a package can be installed but not available in your PATH env var

how would you normally check a package is installed on debian-like systems?

dpkg?

yep

Alr. I'll try that thx

worked out, thx again

cool

which question are you stuck on?

The target server is still deploying for about 10 mins...

The 3 for that section

are you able to find a working payload for the first? (case #2)

I contacted to the support and they reset my target server

i have not, i tried a -r req.req and got nothing, and a --risk 3 --level 3 and got nothing

so the question is about injection into a POST param, how do you specify that parameter for sqlmap to test?

Hi Im rying to pivot to a network using Chisel,

1. i transfered the .exe file to the windows host
   2.Started a reverse server on my host
2. Tried to connect the windows machine using chisel client.
   But i cant get a connection back to my machine
   Any ideas what could be the problem?

you are supposed to just add to the --data. I sent a --data 'id=1'. I think I should change it in the req.req. But i didn't notce that its for a POST param

And Im using the latest version

just like in curl, --data is specifically for POST data - check out the man page for sqlmap

once sqlmap has identified an injection point you can use the hint to find how to start reading data from the DB

very cool ill check it out, I think in the txt it said to change the method to PUT

i think you have misread it - you can PUT data with --data 'id=0' --method PUT, but that's not the goal in case #2

That is part of the answer. Change the channel search and you will get it. There are 2.4 and the other frequencies you need to check.

Hello,
I'm doing the Windows Privilege Escalation Skills Assessment - Part I and I'm totally stuck
I tried to get the credentials of the "ldapadmin account" by using the credential theft method ==> didn't find anything
Moved on and tried to escalated my privileges by using JuicyPotato and RoguePotato but I always endup with this error ==> COM -> recv failed with error: 10038
Do you have some advice ? Looking for some wisdom 🥲

i just got to that section, i'll have a go at it now

Cool! Please find what I've done wrong aha

Anyone else getting the "no instances available" error?

yes I had to use one over in DN

The CME section in Active Directory Enumeration & Attacks Module Page 14- Credentialed Enumeration - From Linux says

Make sure you preface all commands with **sudo**.
sudo crackmapexec smb 172.16.5.5 ...... --users

But why? what would CME / NXC do that would need su rights?

Likely some port binding shenanigans and raw packet stuff

haven't figured it out yet but i suspect the solution works off the answer to the first question (so you shouldn't be going straight to credential theft techniques)

Attacking Common Services -> Attacking DNS

im receiving issues either with the pwnbox or the lab it self, when i try to enumerate the subdomains nothing works, used tools but nothing works, tried to see if the subdomain even exist, didn't exist, should i switch from the pwnbox or what?

yeah i did add the ip and the domain on /etc/hosts

Did you include the port number in the etc host? Because you are not supposed to

no, i didn't add the port

tried some things, got 3 subdomains but when i try to use dig nothing useful

it keep saying it couldn't get address

when enumerating subdomains sometimes it's useful to point the tool in the right direction; @nameserver/ip for digging

Yeah I figured. I also tried to make some use of the 2 KB asked but no chance too

hmm that's annoying. i'm going to try again later and i'll let you know how i get on

There should be a GetCLSID.ps1 script with the JP exploit you download. Use that and then I'd try the very last entry in the CLSID.list. The exploit should have enough information on their GitHub page for you to execute all that stuff. I also wouldn't sweat trying to get the ldapadmin password until you have successfully escalated privileges.

I feel you, I've been stuck on this for 2 days 😂😭

Thank very much for the tips 🙏🏾 I'll try it later!

I have a quick question. Will i still be able to access the modules that i have finished after my gold membership expires and i choose not to renew it?

yes

Hello again, I have a basic AD question : In the academy course, a security principal is defined as anything that the operating system can authenticate and a security principle as a domain object being able to manage access to other resources within the domain.

That being said, when digging a bit to further understand the concept, I found that security principals are what the HTB course says, and security principles are general security principles, not especially linked to AD.

Could anyone help me clarify this ?

thanks

if it has a sid it's a security principal

security principles are, you know general security guidelines, least privilege, separation of duties, defense in depth etc

Ok! And a security principle is not a particular AD related thing then ?
And I guess some security principals are also able to manage access to other resources.

that's right

Alll right ! Thank you very much!

can someone help with the pioviting part in this question ‘Submit the contents of the flag.txt file on the Administrator desktop on MS01 skill assesment 1 in AD module’

I’ve tried finding the route or ip by scanning internally but all nmap shows is tcpwrapped

Broken instance???? Hi all! Is anyone familiar with the Wi-Fi modules?

This one in particular: https://academy.hackthebox.com/module/186/section/1958
When I go through the "step-by-step solutions for all questions" it says to start the instance and do an iwconfig. Should be easy enough. However, there are no wlan interfaces in the instance. scratching my head on this. Am I missing something extremely obvious or is there a problem with the instance itself? Just wondering if you had any guidance

you can DM me if you still need a nudge

Could someone help me?
Should I, in the Firewall and IDS/IPS Evasion - Hard Lab, focus on the same port we were investigating in the Easy and Medium Labs?
Cuz we were told that we should identify the version of service our client was talking about so I assumed we should scan the same port as before.
But even tho im getting its version the flag is not showing up...

The first skills assessment from that module?

yes

okay, AGAIN...
Im just not patient enough with the results of my methods, just had to wait a little longer

You can DM to avoid spoilers

Anyone who did offshore, can you dm me?:)

Hey, Anyone did "Applications of AI in InfoSec" module? I need a little help in the skill assesment. For those who know or did it, I am stuck with the model, i tried multiple models but all came out to be zero percent accurate idk how to proceed with this can anyone help me?

Hi everyone I'm new on discord
I'm stuck on https://academy.hackthebox.com/module/20/section/122, its a small module it shouldn't take much time
I would appreciate your help , please DM me

@gray yacht

@rugged bolt don't reveal info for modules above tier 0

thought i asked not revealed

what specifically do you not want me asking/revealing

hash for a user :)

stuck on Password Attacks Pass the Hash last question for a couple days now: use Julio’s hash to get a reverse shell from DC01 to MS01 and read the flag. On MS01 (172.16.1.5) as admin via RDP. Tried Invoke-SMBExec/WMIExec with Julio’s hash, Base64 payloads to 172.16.1.5 (ports 8001, 443, 445), nc.exe listening. Also shared Invoke-TheHash.ps1 and ran it on DC01 via WMI. No output, no shell. Anybody have a hint?

What are you stuck on? Cracking the hash, identifying it, etc? If you feel you might spoil something, you can DM.

Hey, im having trouble recreating the debugging to get the answer for the following question : Reproduce all the debugging procedures mentioned in this section and provide the hidden shellcode-related hex values from the final screenshot as your answer. Remove all spaces.

https://academy.hackthebox.com/module/227/section/2496

Malware Analysis -> Debugging

Has anybody completed the Process Injection - Attacks and Detections? Stuck on a question for almost 2 days. need a nudge. Thank you.

Hi, can someone give me a hand with "INTRO TO WHITEBOX ATTACKS SKILL ASSESMENTS 1 CWEE" please?

I'm in the last part but I cannot exploit the function ||ping|| because of scaping characters..

Thanks very much!

hi everyone, i am doing the login brute forcing module, and i can't use medusa because the command can't be found?

You have to put the command

no, not even medusa -h or the full command is working, it seems as if it's not even installed on the machine

What module

Login Brute Forcing

What exactly

well, i spawn a machine and target in the academy, i want to use medusa and the command is not found

what question are you on??

respawned many machines already

Medusa Web Services

hey guys, I'm having trouble with Password Attacks > Pass the Ticket (PtT) from Windows. after trying to connect to the target with xfreerdp I get this error:

I've tried using both the vpn and pwnbox

Have you tried installing it with the command given in the module?

omg 🤦‍♀️

didn't bother trying any sudo commands on the machines, thought it came with the machine since it's usually pre-installed

thanks a lot, works fine now

anyone?

Small rant, but my goal is to help the next person who comes across this.

The Module:

https://academy.hackthebox.com/module/266/section/3461

Question:
Explore the reflective loader to find the hardcoded hash for the LoadLibraryA() function. Submit the hash as the answer.

You are NOT looking at reflective_dll.x64.dll nor are you using CFF Explorer. I was told to do both by HTB Support. That is incorrect. There is a link to the source code in the module. All you will need to do is go to the link and find the answer there.

This question is horribly worded and misleading especially after what is covered in the content. Please consider changing it accordingly. Hope this helps someone.

I am having an issue with Web attacks - Bypassing Basic Authentication - https://academy.hackthebox.com/module/134/section/1175

I am doing a curl -i -X OPTIONS http://IP:PORT and not getting the allowed verbs back.

anyone know why?

i don't know what is wrong but:
Module: "Introduction to Bash Scripting"
Exercise: "Flow Control - Loops"

i am trying to find the flag for exercise. but stuck with openssl error:
*** WARNING : deprecated key derivation used. Using -iter or -pbkdf2 would be better. bad decrypt 80BB9CC9F8760000:error:1C800064:Provider routines:ossl_cipher_unpadblock:bad decrypt:providers/implementations/ciphers/ciphercommon_block.c:107:

I tried changing the verb to head and post and they still require authentication.

got it to work with HEAD, but I am not sure why I can’t get the curl command to result in a list of allowed verbs. any ideas?

hi , can anyone help me on Skills Assessment - WordPress?

I edited /etc/hosts but could not figure out an aproach to find the answear for , Identify the WordPress version number.

Scan Aborted: The remote website is up, but does not seem to be running WordPress.

I changed also target , also the machine and no succes

I'm having some issues on the linux privilege escalation - enviornment enumeration section.
I have ran every command in the section including running linpeas.sh and nothing stuck out for me.
I ran all of the environment commands and every "juicy" folder i find is completely empty.
I found the ncdu with sudo -l but i dont think im supposed to get root with this particular challenge.

If you're still stuck on this maybe try a search that can enumeration information inside files. I'd start with searching for what makes up a common flag naming convention.

I got it from doing that but i figured that just searching for the HTB{..} owuld be cheating

daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
mysql:x:101:102:MySQL Server,,,:/nonexistent:/bin/false
systemd-timesync:x:102:103:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:103:105:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:104:106:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:105:107::/nonexistent:/usr/sbin/nologin
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin```
what should i focus on this output ( i try to reach a file in a web server)

theres a lot to focus on with this, might need to do some more enumeration until its blaringly obvious what to focus on.
my mind goes to the mysql

Yeah hard to say with no context. What module and section?

Generally from HTB{Whatever is in here to this end} just be sure you don't accidentally copy any leading and trailing space.

@jade trail please don't post flags

it's probably a flag for a different question

alright got it thank you, i thought i had entered it and yea ill delete

o someone got it

understood

Hello Everyone

Stuck on linux fundementals system information

I have to make SSH connection to the hackthebox but whenever I tried to type the password it says access denied

or permission denied

hey im using scrapy and i keep getting like 0 results like none

same w finalrecon im supposed to see a hidden admin directory but nun popping up

?

Show your ssh command here please

anyone have an idea what im doing wrong and i also cant find emails i lowk have no clue what to do

how do i open the general chat ?

Follow the instructions in #welcome

anyone??

Which module and section this for anyway?

information gathering web edition skills assessment

have you ever thought about the hidden directory being in a different subdomain? 👀

nx domain??

and yes i have the ip address with the domain in my etc/hosts

its a vhost so im gonna use ffuff

i got nothing wtf do i do

wtf do i do ┌──(kaifux㉿kali)-[~]
└─$ gobuster vhost -u http://inlanefreight.htb:56053 -w /home/kaifux/SecLists/Discovery/DNS/subdomains-top1million-20000.txt -t 50 --append-domain -H "Host: inlanefreight.htb"

===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)

[+] Url: http://inlanefreight.htb:56053
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /home/kaifux/SecLists/Discovery/DNS/subdomains-top1million-20000.txt
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
[+] Append Domain: true

Starting gobuster in VHOST enumeration mode

Progress: 19966 / 19967 (99.99%)

Finished

┌──(kaifux㉿kali)-[~]
└─$

like whattt

nvm i found something but gobuster dir isnt working

no clue, I use ffuf

Imagine using go buster in 2025

Hey! gobuster's pretty rad

but yeah feroxbuster and ffuf's where it's at

uh i found the admin key but now i cant find the email

i tried using reconspider but i dont think its going past the first page and im getting 0 emails

you trying it on all the subdomains? 👀

theres 1 subdomain

bro im actually so confused why tf am i getting no results from anything

i js need this stupid email and where theyre gonna store new api results

I have fixed it but faced another problem when I try to connect the vpn to my own virtual machines it gives me this error Options error: Unrecognized option or missing or extra parameter(s) in my_vpn_file.ovpn:12: data-ciphers-fallback (2.4.12)

tried to fic it but nothing helps

download a new vpn file

there's an issue with the one you downloaded

which one should I download

Any one of them, just pick a new region, preferrably one that says Recommended

Alright I will try agein

Thx for the help

also be sure to run openvpn with sudo

@waxen totem please help

Please don't ping, are you sure there's only 1 subdomain? 👀

yes bro i ran fucking gobuster and ffuff and dnesnum like 30 times and i got 1 subdomai

have you tried: recursive subdomain?

regarding package mgmt both the 'APT' & 'Git' sections in linux fundamentals:

I'm a little confused if I should be cloning this from Firefox inside the PwnBox? Also should I be ssh? Will this be useful for later? I don't have a current Linux box, yet...

Well it's better to practice it on anything really, if you can do it on a Linux VM much better but practicing on the PwnBox is fine

subdomain within a subdomain

.

smart guy here

Thanks! I wasn't sure if that would be okay if I wasn't ssh...

It's not even that uncommon 😭 mostly happens with universities: <student>@student.mit.edu.us

not even sure that's an actual domain but it's usually what they would look like

Tried with 4 other files but still same problem

im done thank god

thank u for reminding of recursive domains thats like all i needed

damn, maybe check for updates to openvpn

Alright tried and update it but still didnt work🙂

but the main reason i was stuck was liek the initial subdomainign and it wasnt popping up on my kali linux for some reason but it worked fine on pwnbox i dont know 🤷‍♂️

contact support

Is there any disadvantage in using Pwnbox instead ?

https://help.hackthebox.com/en/articles/5987511-contacting-academy-support

It can be slower, take a while to spawn, and lacks customizability

but otherwise it's really good

maybe I will just stick to it

For modules, it's fine, but I wouldn't use it for an exam.

me using pwnbox to rdp to a target to ssh into a target on an internal network 💀

I am still far way from my first exam😂

still in Linux fundementals

hi guys need help module 18 sections 72 and 71 ??

Gonna need the actual names of the module and the sections here

Current Path

Current Path :Information Security Foundations
Module :Linux Fundamentals ,
sections :Service and Process Management and Task Scheduling

i have probleme on the part of exercices can u contact me and help me plz

@uneven forum @astral elm

please don't ping HTB staff

who will help me ?

Just wait for someone to help you, like I'm about to, it just takes time for me to load up academy to see exactly what you need

Have you tried using the commands provided in the module?:

systemctl list-...

you can even use the concepts you've learned in the filter section of the module:

systemctl list-... | grep "Load App...

can i do call with u and share with u me screen and ask u ?

no, just talk about it in this chat

there is no guy can do that with me ?

I mean I wont but there might be someone who's willing to, granted you'll be waiting for a long time for someone to say yes to that request

this path that i send it to u is me first path i started with on this HTB

I've given you some hints in this message: #modules message

if you're still having trouble after that then keep asking questions but I will not go into a call

so whene i am studying every section from this modules i meet a lot of diffuclt to understand a lo of things for exemple in the section network services he talk about commun services but i dont understand how realy averyone f them work exactly this is normal to do nt understand everyting ?

i already do it broo

It's normal not to understand at first but you have to take it upon yourself to understand

don t work

can i screen and send to u or something ?

Cos I didn't give exact commands for you to use, just hints at what commands you should be using

sudo openvpn --config academy-regular.ovpn
[sudo] password for howami:
Sorry, try again.
[sudo] password for howami:
2025-03-27 05:33:17 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2025-03-27 05:33:17 Note: --data-cipher-fallback with cipher 'AES-128-CBC' disables data channel offload.
2025-03-27 05:33:17 OpenVPN 2.6.3 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
2025-03-27 05:33:17 library versions: OpenSSL 3.0.15 3 Sep 2024, LZO 2.10
2025-03-27 05:33:17 DCO version: N/A
2025-03-27 05:33:17 TCP/UDP: Preserving recently used remote address: [AF_INET]38.46.226.34:1337
2025-03-27 05:33:17 Socket Buffers: R=[212992->212992] S=[212992->212992]
2025-03-27 05:33:17 UDPv4 link local: (not bound)
2025-03-27 05:33:17 UDPv4 link remote: [AF_INET]38.46.226.34:1337
2025-03-27 05:33:17 read UDPv4 [ECONNREFUSED]: Connection refused (fd=3,code=111)
2025-03-27 05:33:19 read UDPv4 [ECONNREFUSED]: Connection refused (fd=3,code=1

why they refuse me connectio nto the vpn in the exercice ? ouffffffffffffffff

Remove --config

sudo openvpn academy-regular.ovpn
2025-03-27 05:35:27 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2025-03-27 05:35:27 Note: --data-cipher-fallback with cipher 'AES-128-CBC' disables data channel offload.
2025-03-27 05:35:27 OpenVPN 2.6.3 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
2025-03-27 05:35:27 library versions: OpenSSL 3.0.15 3 Sep 2024, LZO 2.10
2025-03-27 05:35:27 DCO version: N/A
2025-03-27 05:35:28 TCP/UDP: Preserving recently used remote address: [AF_INET]38.46.226.34:1337
2025-03-27 05:35:28 Socket Buffers: R=[212992->212992] S=[212992->212992]
2025-03-27 05:35:28 UDPv4 link local: (not bound)
2025-03-27 05:35:28 UDPv4 link remote: [AF_INET]38.46.226.34:1337
2025-03-27 05:35:28 read UDPv4 [ECONNREFUSED]: Connection refused (fd=3,code=111)
2025-03-27 05:35:30 read UDPv4 [ECONNREFUSED]: Connection refused (fd=3,code=111)
still the probleme exist

Have you tried downloading a different vpn file? From a different region?

bro i feel that i will explose nothing work like the course i m crying and i dont understand a lot of things

i donwload the file openvpn that is next to the exercice

Tech is hard

Yeah so click on the dropdown menu and choose a different one

look i ndms i seen y screen i thin ku dont understand me

i cant send u on dms ouffffffffffffff
u see this :
Questions
Answer the question(s) below to complete this Section and earn cubes!

Target(s): Click here to spawn the target system!

SSH to with user "htb-student" and password "HTB_@cademy_stdnt!"

• 1 Use the "systemctl" command to list all units of services and submit the unit name with the description "Load AppArmor profiles managed internally by snapd" as the answer.

DMing server members without their permission is against server rules.

sorry i didnt read rules i have already too mush things to read and i m crying now and typing nothing works

Look for where to download the VPN, above it there's a box that says which region you currently have, click on that box and choose a different one and download the vpn again

Next to the exercise, there is a button called Download VPN File. When I click on it, I download it, then put it in the virtual system, then put it in the command line.

Look above that

this vpn file it s linked to the some host where i need to practice the exercice i think there is only one file vpn linked to the exercice

Like above the exercises theres a bigger button for vpns

Ox- I'm a little confused how I installed Git by using the apt command with installing impact scripts in the VM... I understood how I made the directories and how I cloned them from the web, but still confused how the impact scripts had anything to do with installing the Git onto the VM...

i.e. sudo apt install impacket-scripts -y

yeah ok ok i will try it

Well the impacket scripts are also hosted on git and you can grab em from there instead

howami@parrot]─[~]
└──╼ $cd Desktop
┌─[howami@parrot]─[~/Desktop]
└──╼ $sudo openvpn academy-regular.ovpn
[sudo] password for howami:
2025-03-27 05:43:56 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2025-03-27 05:43:56 Note: --data-cipher-fallback with cipher 'AES-128-CBC' disables data channel offload.
2025-03-27 05:43:56 OpenVPN 2.6.3 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
2025-03-27 05:43:56 library versions: OpenSSL 3.0.15 3 Sep 2024, LZO 2.10
2025-03-27 05:43:56 DCO version: N/A
2025-03-27 05:43:56 TCP/UDP: Preserving recently used remote address: [AF_INET]38.46.226.32:1337
2025-03-27 05:43:56 Socket Buffers: R=[212992->212992] S=[212992->212992]
2025-03-27 05:43:56 UDPv4 link local: (not bound)
2025-03-27 05:43:56 UDPv4 link remote: [AF_INET]38.46.226.32:1337
2025-03-27 05:43:56 read UDPv4 [ECONNREFUSED]: Connection refused (fd=3,code=111)
2025-03-27 05:43:58 read UDPv4 [ECONNREFUSE

yeah i do it doesn t work

Try TCP

03-27 05:46:03 net_route_v6_best_gw query: dst ::
2025-03-27 05:46:03 sitnl_send: rtnl: generic error (-101): Network is unreachable
2025-03-27 05:46:03 ROUTE6: default_gateway=UNDEF
2025-03-27 05:46:03 TUN/TAP device tun0 opened
2025-03-27 05:46:03 net_iface_mtu_set: mtu 1500 for tun0
2025-03-27 05:46:03 net_iface_up: set tun0 up
2025-03-27 05:46:03 net_addr_v4_add: 10.10.16.16/23 dev tun0
2025-03-27 05:46:03 net_iface_mtu_set: mtu 1500 for tun0
2025-03-27 05:46:03 net_iface_up: set tun0 up
2025-03-27 05:46:03 net_addr_v6_add: dead:beef:4::100e/64 dev tun0
2025-03-27 05:46:03 sitnl_send: rtnl: generic error (-13): Permission denied
2025-03-27 05:46:03 Linux can't add IPv6 to interface tun0
2025-03-27 05:46:03 Exiting due to fatal error

permission denied ?

Sudo

it was successful. It was already installed on the VM. I guess, I'm just used to having to navigate to a specific script or one that I would had to have downloaded from whatever website for it to install, felt like I missed the step. But it worked... I know that Git has an app now... was cool to see this part in CLI

yeah i do it

look i will try to work with the free 1 hour on pownbox that htb give me per day

bro you been using pwnbox? No need for vpn then

Pwnbox is already connected to the network by default

nooo i was using vertuelbox

Well your vm looks like it has a network issue

Something about not having a default gateway

on the pownbox i use the commande taht u send it to me above and whene he filtred he dont show nothing i told u i tried it already before doesn t work

Mate those commands wont work cos they're not real complete commands see the ...

That means complete it yourself

yes i do it i m not stupid

but nothing shows

Are you ssh'd onto the target?

okwy wait i will copied it and past it to see

Please dont share module answers, check for leading and trailing spaces

What is the Type of the service of the "dconf.service"? the section next

also i stunk on it i use chat gpt and i tryd all the ensers

ansers

systemctl show dconf.service --property=UnitType

Honestly cant remember the command for that one

i m in section task schedchul

Yeah I cant remember that mate

it s normale to don t understand everything and also about the network services in this path he talk about it but not in detailes i understand the idea but technicly nothing

Try removing Unit in the command chatgpt gave

I'm unable to solve Question #1 in Pentest in a Nutshell in Linux information gathering section

$ ftp 10.129.233.210 21
Connected to 10.129.233.210.
220 ProFTPD Server (Debian) [10.129.233.210]
Name (10.129.233.210:hannzo): ls
331 Password required for ls
Password:
530 Login incorrect.
ftp: Login failed
ftp> ls
530 Please login with USER and PASS
530 Please login with USER and PASS
ftp: Can't bind for data connection: Address already in use
ftp>

i tried using password PASS and the other one in the section but nothing seems to work

Try to run the application as a different user

I tried earlier with ||run as administrator and tried the found creds|| but I couldn't

||Then I tried runas in the cmd and I got the administrator shell ||

😦

Have you tried actually running the mysql app itself as administrator? 👀

Sorry for not mentioning mate ,
I have done the lab after posting my query
||It seems I have been using the wrong password||

I deleted your messages cos they contained spoilers, keep in mind spoiler tags hide nothing

Damn if only there was an person who does AD religiously

Imagine that

AD ain’t that difficult to master

It’s just bunch of authentication protocols u need to know

Relax ur horses

U acting like AD is god and we can’t reach out to it like so easily

Calm down Paul 🤣

That would be you...

Module: Password Attacks; Pass the Hash (PtH); Question 6.
I can't really invest anymore time into this alone
Using Julio's hash, perform a Pass the Hash attack, launch a PowerShell console and import Invoke-TheHash to create a reverse shell to the machine you are connected via RDP (the target machine, DC01, can only connect to MS01).
on MS01 as julio:

VERBOSE: [+] inlanefreight.htb\julio successfully authenticated on
DC01
VERBOSE: inlanefreight.htb\julio has Service Control Manager write
privilege on DC01
VERBOSE: Service LMHODRPBPMCEJBSNSDSD created on DC01
VERBOSE: [*] Trying to execute command on DC01
[+] Command executed with service LMHODRPBPMCEJBSNSDSD on DC01
VERBOSE: Service LMHODRPBPMCEJBSNSDSD deleted on DC01
PS C:\tools\Invoke-TheHash>```

srry for the bulky msg

last question in the module

Redact the hash please

My bad
I thought we should ask our need with what we have done so far detailed

So I posted my query with what I have done so far
Next time I will try to avoid spoiler even with masking

Do you have a listener running in a separate terminal? Mind it has to be in the rdp session because its using an internal network(unless you did some pivoting but thats out of scope for this module)

yes, it's all over RDP to MS01, nc listener running on 9999, and actively listening

Have you tried running the payload in another terminal just to see if it does connect back to you?

that's a good one. i'll give it a shot real quick

I would try Invoke-WMIExec as well

@untold ore

oop. my environment reset 🙂

Use a vm

Use a container

Anything but pwnbox

and whatever you do. dont update impacket to a random version

i only used the pwnbox, cause it wasn't working on my vm

Had a friend do that once

how'd it turn out for him

It was pretty funny

Bye bye impacket script compatability

alright, let me log this process to this john

> reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0
x0 /f

> exit

xfreerdp3 /v:10.129.79.85 /u:julio /pth:[redacted]

term1:
cd \tools
.\nc.exe -nvlp 9999

term2:
> powershell -ep bypass
> Import-Module .\Invoke-TheHash.psd1
> Invoke-WMIExec -Target DC01 -Domain inlanefreight.htb -Username julio -Hash [redacted] -Command "[payload]"
##Successful ## no shell
> Invoke-WMIExec -Target DC01 -Domain inlanefreight.htb -Username julio -Hash [redacted] -Command "[payload]"
##Successful ## no shell

And you've tried just the payload on the other terminal and it works yeah?

nah, can't get it to run 🙂

i'm so bad with windows smh

You aint alone mate. same here

double check the ip address is the one on the RDP machine

sorry, it's like 5am and my baby is still up

i got it running, but only as a loop back, so idk

You mean using the loopback IP?

yeah, just to test out the base64 script

IPs are accurate, .5 and .10

The file transfer module is very confusing

I can't connect to my share via the DavWWWRoot directory

its hosted against my eth0 interface but I'm assuming that should work?

How the hell do I know what direction I'm going here?

I'm assuming I'm supposed to, through Linux, upload a the specified file to the windows vm

However we're also instructed to RDP so why the hell would I not just RDP then download the file from the link? So am I supposed to attempt to shoot it over to the pwnbox instance?

can anyone help me with this task?

The forums are full of people stuck on the same issue so I have no idea what we're expected to do.

Identify the WordPress version number.

when I try to scan the website it says this , Scan Aborted: The remote website is up, but does not seem to be running WordPress.

How are you running the scan?

wpscan --url http://10.129.227.99 --enumerate v

I also tried this , wpscan --url http://10.129.227.99 --enumerate t

same issue

I even edited /etc/hosts but nothing changed

ok no you're ahead of me sorry, I haven't used wpscan. I was thinking it was an earlier module involving nmap scripts

:((

.5 is IPv4 whilst .10 is for DNS server, using the IPv4 address should get you connected if you set up the listener on the terminal that performed the pth on user julio

there isn t anyone to help me with Skills Assessment - WordPress ? :((

Did you try: looking at the source code of the site?

Or even nmap script/banner scan?

yes, no hints

@waxen totem You wouldnt have happened to do the skills assement for AD Attacks would you?

Nahh am still only at common services on CPTS path

Please tell me it doesnt involve kerberos in linux systems

it's much worse

Someone explain what I'm missing here 🤦‍♂️ This module doesn't really explain anything conceptually

this is what I find , 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
443/tcp open http Apache httpd 2.4.29
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

You're missing a couple slashes in front of the ip to indicate its a network share

\\10...

Is that it because I'm still getting "The system cannot find the path specified" on cmd

Also is that the entire command? You need a destination

Its copy <source> <destination>

Is it AD CS?

AD CS not that bad

Just ESCs

Idk about that

Literally just certipy --vuln (something or other cant remember exact flag)

Its showing invalid path
I'm seeing on the share terminal that a connection is being made at least. I'm not sure how the pathing syntax is.. if thats the problem

I did not find anything in source code

nmap -sV -p- 10.129.227.99
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-27 03:49 CDT
Nmap scan report for blog.inlanefreight.local (10.129.227.99)
Host is up (0.0086s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
443/tcp open http Apache httpd 2.4.29
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.63 seconds
┌─[eu-academy-5]─[10.10.15.151]─[htb-ac-555305@htb-eywryyclte]─[~]
└──╼ [★]$ nmap --script http-wordpress-enum --script-args basepath=/ -p 80 10.129.227.99
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-27 03:49 CDT
Nmap scan report for blog.inlanefreight.local (10.129.227.99)
Host is up (0.0082s latency).

PORT STATE SERVICE
80/tcp open http
| http-wordpress-enum:
| Search limited to top 100 themes/plugins
| themes
| twentysixteen 1.9
| twentyseventeen 2.1
| plugins
| akismet
| the-events-calendar 5.1.2.1
|_ duplicator 1.3.34

Nmap done: 1 IP address (1 host up) scanned in 0.79 seconds

Honestly was just spitballing, didnt actually do that module yet either

Bro uses certipy (kinda cringe ngl)

:/

The only other option is doing it in powershell and I'll be damned if I have to touch powershell

Lol

Dark....corp

Tbf I copied a bunch of code from certipy for delta2 and even use the python module

Seriously do I have to remind you that you did that

https://tenor.com/view/stopitpatrick-stoppatrick-youarescaringhim-stopitpatrickyouarescaringgim-gif-23995581

You did it, it was a masterclass for me who was just watching

Anyways lets keep this channel back on topic

You need to use the share ame (in this case you named it share )path as a path, not the actual path

This aint scp

In any case you shouldn’t be using Wordpress scripts on nmap

Second

Look at the plugins and themes

ok awesome ty

now to figure out where the default path for copy is...

I managed to solve in the end 🙂

2 questions answered 🙂

and christ I cant find the zip anywhere on the system...

I really should not be doing this while dealing with nerve pain, unncessary layer of difficulty lol

Go get better, modules can wait

Im doing AD enum and attacks skills assessment II
the question is
"Use a common method to obtain weak creds for another user"
I have been trying for a few hours now
Can i get a little nudge

Hi, anyone had the same problem in with ICMP Tunneling with SOCKS? I can tunnel via ssh, however cannot reach destination server via nmap proxychains nmap -sV -sT 172.16.5.19 -p3389 I got: proxychains nmap -sV -sT 172.16.5.19 -p3389 [proxychains] config file found: /etc/proxychains.conf [proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4 Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-27 06:37 CDT Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn Nmap done: 1 IP address (0 hosts up) scanned in 3.15 seconds

Review this section from the module: Password Spraying Overview and I'd give what is used a shot.

afaik proxychains only supports TCP, so no ICMP

use Ligolo

or run nmap from the compromised host

Hello, could someone help me with the knowledge check challenge machine in the getting started module (htb academy)? I already did the reconnaissance and have the data to bypass certain part (no spoiler) but I don't know what to do with that... I'm trying to do it without metasploit to learn more… (I read some htb forums post about it, but I can not wrap my head around it… Maybe I lack some specific knowledge) All help is appreciated. thx so much

Can i DM you?

Sure

I don't know why but everytime i ask for help here regarding a skills assessment i find the solution 5 mins later
Even tho ive been stuck at it for 2 hours

rubber duck method

Sadly won't be able to abuse the rubber duck method during the exam 🥲

buy a rubber duck, talk to it while you hack, ggez

so I'm on attacking common services easy, and I've managed to execute the select outfile command to get a webshell, but when I go to that directory on the domain, it returns an empty page, I feel like I'm doing something wrong, but can't really seem to get it

did you go to the right location?

and it should be a empty page

i used the directory thats in the txt file

should it?? I dont remember a webshell returning an empty page

you mean a white page or 404?

I even executed the "https://10.129.203.7/webshell.php?cmd=whoami" command and its still an empty page

white page

yeah it should be blank

try another command

@tired atlas can you dm the directory you wrote to

yeah sure

Hi all, i'm stuck on the first question in the Linux Privilege Escalation module. I couldn't solve it using the info in the section, so looked online and apparently i need to escalate privileges to user lab_adm, which is where the flag is stored. It does not state anywhere in the section on how to escalate privileges, so how am i supposed to answer the question?

the environment enumeration?

Yes that's the one

you can use a find command or use grep

no escalation is needed

Okay noted thank you, I did try them already i obviously didn;t do it right

Thank you @fathom pendant ! I had the same issue today. Changing the region helped.

no matter what i do i get permission denied, are you sure i don;t have to escalate privileges?

Did you search for HTB?

What do you mean?

That’s the flag format

Ah! no i was just searching for flag

It’s not in a common place

Okay noted, thanks again. I'll give it another crack

It can also be inside the file not just the name

it's still saying permission denied, i know where the flag is now it's in either .cache or .viminfo but i just can't access them due to permissions. How am i meant to extract/read the info considering this?

the obvious answer is escalate privileges but i'm a noob and do not know how to and the section does not explain how to either

I'm working through the NTLM Relaying Module and am currently fiddling around with Coercer. Does anyone know whether it is possible to make HTTP authentication work with the latest version? The module mentions it's broken but I was hoping it has been fixed since the module was made. If anyone happens to have fiddled around with that too, feel free to shoot me a DM

It’s not

Have you searched the whole file system?

don't forget to throw errors to the void

$ grep -r "HTB" /home/lab_adm/
grep: /home/lab_adm/.viminfo: Permission denied
grep: /home/lab_adm/.cache: Permission denied

$ grep -r "flag" /home/lab_adm/
grep: /home/lab_adm/.viminfo: Permission denied
grep: /home/lab_adm/.cache: Permission denied

I'm working on the Linux Fund Modd: Sec section, specifically the "Working with Web Services" question about starting a simple HTTP server using npm on port 8080 (with the short argument).

I’ve tried a bunch of variations, ran it with and without SSH, even closed the terminal to make sure nothing else (like Apache) was still using port 8080. The second question worked fine for me, but this one’s got me stuck.

Could use a hint or clarification. I know I am not supposed to put answers here...

your scope is so small

What does that mean?

you're not looking at the full system

just a single user

Okay noted, i'll enumerate further

also to avoid flooding your screen 2> /dev/null

thank you

send errors to the void

lol noted thanks again

I said the whole file system

Hi im doing AD enumeration and attacks
Im trying to connect to SQL01 host via enter-PSsession using the creds i found but i get username/password is incorrect error
But they are correct
What could be the issue?

npx..npm.. isn't working

Hello, I am playing with bloodhound in the AD odule ('Credentialed Enumeration - from Linux'). After running bloodhound.py on the ACADEMY-EA-ATTACK01 towards the DC, I get the three json files. All is good sofar. But, when starting neo4j and typing 'bloodhound' as database, it cannot find it. I am overlooking something. Any clues? Thx in advance!

Brilliant thanks @safe star & @fathom pendant , i got it! Very sneaky location

Google and man page?

I have tried so many stupid noob variations lol... and yes, even ai... I give up and finally came here to ask... I don't bother you guys unless it's been an hour...

hello people

You searched npm http server?

^

that's what i did when i first did that module

sudo systemctl start npm lol
npm http-....
npx http.s...
npx http-s... -p...

the list is long....

I'm having trouble with Password Attacks > Pass the Ticket (PtT) from Windows. after trying to connect to the target with xfreerdp I get this error:

anyone know the fix?

I don’t think it’s telling you to run it

xfreerdp has worked in all other modules

it isn't

it's asking what the command is to start it

just this one isn't working

wrap password in single quotes; if you're curious why
echo Anotherc0mpl3xP4$$ to see what the bash shell is interpreting

"Find a way to start a simple HTTP server inside Pwnbox or your local VM using "npm". Submit the command that starts the web server on port 8080 (use the short argument to specify the port number)."

submit the command that starts the web server on port 8080

you don't have to start the web server

tysm

gotta be kidding me! thanks Marcie... I had it the whole time just the prefix threw me off...

You identified that user being authorized to access that host remotely using that service?

Can you DM screenshots so I can understand what you are doing?

On the password attacks module, currently doing the ntds.dit questions, was wondering how do I actually extract the hashes from the ntds.dit file? Some further research said I also need the system hive, is this correct?

Additionally, would I be using secretsdump.py to extract hashes once I obtain both files?

will do that hahaha

Yes, once you obtain the sam.save and system.save files using reg, you can extract the hashes using the secretsdump.py tool.

For the ntds.dit file?

Yes, the hashes from the NTDS.dit file can also be dumped using secretsdump.py.

Sorry, kinda sleepy, didn't read your question properly at first 😅

i used pypykatz to dump NTDS.dit

No worries, not sure why that's not explicitly mentioned in the ntds.dit chapter

And you need the system.hive file for that or nah?

I believe you can dump NTDS.dit without system.save.

okay sweet cheers mate

I'd recommend testing it out to be sure tho.

But iirc it isn't needed.

Looks like I needed to grab the system.save file aswell and then use impacket-secretsdump to dump the hashes

from what I can see pypykatz doesn't support ntds

unless I am using the wrong option

yes system is needed

system is needed

my b pypy is for lsass

No problem, guess it will stick more now I had to struggle a little lol

looks like with crackmapexec, dumping ntds remotely will sort the system file for you

-ntds btw is the flag

:)

https://wadcoms.github.io/wadcoms/Impacket-SecretsDump-NTDS/

I have a question about the password mutations part of the password attacks module.

I have understood the lesson, but is it really necesarry that we then have to wait 1-2hours for the password to crack?

that's far too long

should only take ~30-40 minutes

unless, of course, you were attacking ssh and not one of the other open ports

Ah well yeah, it says 1h51 for the list to complete but i obviously dont know where in the list it will complete

the mutated list should be ~93k words long

yeah thats it

but still, isnt 30-40 minutes a bit too long? Isnt the essence to get the lesson isntead of waiting for 30 minutes?

nope

the essence of the lesson (and the module as a whole) is patience

even with the 'right' wordlist, bruteforcing can still take a while

also yes, it's bruteforcing, not cracking

allright, i guess i can continue with other lessons whilest its bruteforcing

cracking == taking an existing hash and trying to find something that creates the same hash (due to the nature of hashing algorithms, the same input should always result in the same output)

Hey guys could anyone suggest me a vedio or anything so that I can dual boot my computer

Google. plenty of guides online on how to set that up

daimn, my pwnbox reset due to timeout

can anyone assist with Password attacks protected files module? it says to log in as kira using the cracked password 1234....this doesnot work when using ssh kira@x.x.x.x

Thats not Kiras password, you found it a while ago in the credential hunting section

Hi

ok thanks....

Always save passwords you find

i gues s i have to start over until i find it

i didnt save it

I mean you can bruteforce ftp with the mutated list and regrab it

ok that works

Hello I have some questions regarding challenge creation for HTB (catagory specific)

So I want to make a web challenge which will have two targets 1 internal and 1 external and the attackers have to figure out a way to exploit the external target and reach the internal target. But according to rules If a challenge contains a dockerized component, it shall not include multiple containers but just one. This rule kind of forbids me from creating such challenge can anyone explain this rule to me in detail and if it will contradict with my idea. My challenge will have both the hosts on the localhost just on different ports both ports will not be exposed just one of them. Both will be http and there will be a bot too.

I will apologize if this is not the right channel to ask about this, for some reason I can't access other channels so I am sending this here.

Read and follow #welcome and ask in #1024429874246590575 since this is not related to an academy module

Reach out to submissions@hackthebox.com as well

hi peoples

I've just started with Intro to Digital Forensics, i'm in the topic Evidence acquisition techniques and tools. For some reason I just can't seem to figure out how to start with the challenge where it asks you to connect to "https://127.0.0.1:8889/app/index.html#/search/all". I don't get it, am I supposed to use the VPN file and visit the target system or am I supposed to visit this localhost file, or do I have to open Velociraptor and input this as target. Can someone help me get started please

Hello, sorry for reply but could someone help me? Or maybe tell me where would be more appropriate to ask this question to get an answer plz

Code: shell
USER anonymous[Ctrl+V][Enter][Enter]
PASS anything[Ctrl+V][Enter][Enter]
PASV[Ctrl+V][Enter][Enter]

How do i run this command for Network Foundations???

I have tried a few times and it keeps saying bash: USER command not found

Hi guys! Did anyone do this module?
Module: Active Directory Trust Attacks
Section: Unconstrained Delegation
Link: https://academy.hackthebox.com/module/253/section/2803
Question: Abuse Unconstrained Delegation to get the TGT of DC01$ and submit the flag located at \DC01\UCD_flag\flag.txt

I reproduced the attack as explained in the module, but it seems that either Spoolsample isn’t functioning properly or something’s off, because no TGTs are showing up.

Connect to the target then that web connection

nc ip port

AD enum and attacks II question 7
"Sumbit the flag on the admjn desktop on SQL01"
Got to the SQL01 using mssqlclient
Got a reverse shell back to my host using xp_cmdshell
Tried to dump the registry hives using reg add, specified the location of C:\sam.save
But i dont see it after listing files in this directory.
I then tried uploading mimikatz to the host but i do not have the rights to do so
I also tried dumping the SAM using CME but with no success
Any hints what else i can try?

Did you escalate privileges

I did not

I did that, but it gives "Site took too long to respond" error. Could it be an issue from HTB's side??

¯_(ツ)_/¯

Hi guys, if i dont have the money to pay for the cubes are there any other ways to generate them?

Current season rewards cubes

Theres also referrals and very rarely giveaways

maybe you could use a .edu mail to get the student discount

an edu email is of no use at all. You need an email address of an official university.

https://help.hackthebox.com/en/articles/7973133-getting-the-student-subscription

Ye, I was referring to that should have been more specific

hey everyone i am currently tryin to establish a reverse shell connection but for some reason it won't connect on my vm but it does on the pawnbox does anybody have a clue why this is ?

Just not realistic for people who aren't students

Ah well

Thanks tho

i can reach myself using the same code on my own machine so i really don't know what is going wrong

@acoustic owl first I want to make an account hm

linux fund: dockers: are these the safe environments "containers/ dockers" that CISO & GRC can certify for A/B testing and keep from harming any live environments?

okay - looks like I'm getting ahead of myself...

https://tenor.com/view/head-slap-duh-ouch-oops-guys-gif-17785281

Are you connected to the VPN on your VM?

docker containers are specific type of virtual environments that you can set up with specific conditions to test things, so that you're not relying on the "it works on my machine" mentality

yea sorry i figured it out
i forget that i had to use the ip that i get via the vpn

Keep your head up DiNozzo

stupid mistake of me sorry for bothering y'all

Gibbs never got to smack himself...

it won't locate something in the seclist even though it's in there

how am I supposed to get help if ur just gonna delete my question

@rustic sage please refrain from spoiling content from the module

ok wait

spoiler tags don't do anything

as anyone can still click them

at their own peril?

i suggest not limiting the depth

even then, not allowed

yes but it's under the directory /x/

redacting info is the smartest way to do it

ok

since your question and the way you phrased it initially revealed way too much about where the answer would be

ffuf -u http://X.X.htb:40040/FUZZ -w Desktop/Seclists/directory-list-2.3-small.txt:FUZZ -recursion -recursion-depth 1 -e X -ic

it's under the first directory

but try not limiting the recursion depth

oh

or setting the depth to 2 instead

ok ill try that thanks

hey

can anyone help me with "Applications of AI in InfoSec" module? its tier zero I am stuck at the skill assessment of it

the answer should be

http://X.X.htb:32451/X/X.php7

When I run

ffuf -u http://X.X.htb:40040/FUZZ -w Desktop/Seclists/directory-list-2.3-small.txt:FUZZ -recursion -recursion-depth 2 -e php7 -ic

it only finds X.X.htb:40040/x but not X.X.htb:40040/x/x.php7

even though I have the extension set right and x is in the seclist

isnt the . needed for -e?

^

the . ?

i think youre running FUZZphp7 instead of FUZZ.php7

i thought it automatically adds the .

interesting

ok fixed thanks

computers are stupid, don't assume everything is automated (also it's not programmed in the functionality cos you can do kewl shi like : -e -config.cnf)

Hey guys I’m stuck on figuring out bob’s password for the smb share on the Service Scanning section of Getting Started. Can anyone explain how they figured it out

@upbeat fulcrum they show it in the section

Nvm I figured it out

bruteforce is taking long, the server dosent stay up long enough keeps timing out and i have to start over.. can you refer me to the section so that i can just redo it and get the password to move on please?

@fresh wedge

It's the same target

You can adjust threads btw

Lol i checked to see if. it was any on the Pass* option in the mutated list so i guess its not any of those 258 words.

kira's password doesn't start with [pP]ass

im running full list now all 94043 of them

that's your main issue, don't know where you got the idea it was

the previous models had like 3 users with those ending in diff numbers so i thought i would try that first

don't make assumptions, that's a big pitfall

Standard rule for brute force boxes and ctfs is 5 min of brute forcing, if you can't find the credential in that window means you are doing something wrong

There are sections of the password attacks module that don't respect this rule, sadly.

I have done the module, I don't remember it violating this rule

Unless it has been changed (which I don't think it has yet), it does. At least one section takes significant time.

they could have generated the list from the hint

in which case it doesn't

but the modules tend to break that pattern a bit

with the modules if it's taking greater than 1h then you def are doing something wrong

30-45 minutes tends to be the average

I would say 20 min max in case of server a overhead or bad vpn

Ironically this is similar to real life pen testing. Where most of the time things that you need to do your job break. Might as well embrace it

LOL been. over 20 min runing this mutated list...still runnng. already extended the time for server

4500 passwords out of 94000

-t 48 with hydra

Doesn't overload or give errors from what I've seen on that section

i am using medusa, shoud i cancel and start over with hydra?

yes -t 64 should be good 👍

in my exp 64 threads tends to have some of the worker threads die off

and can lead to missing the password from one of those threads

rather have no workers die off

this doesn't really matter on htb academy machines

it does and my experience is related to the academy module

and in the rare case that it does, hydra doesn't just forget the password

point is rather not rerun the command 5 times just to get the password

the attempt won't get counted as successful or unsuccessful

correct: the point being made is rather not have to re-run a command and wait longer when it would have taken like a marginal amount more time with less threads

if -t 64 finishes faster, even with occasional reruns

it's worth it

except with less threads that don't require re-runs, the speed won't make a meaningful difference

1hr down -t 48

did you use kira or Kira as the username; the first is the correct one

and yes, it matters

yes i used lowercase kira

let's not use "gay" as a descriptor for things especially if the connotation is negative

sorry, my appologies

So i've been at this for a while now (3days) it's the only one in the module i can't solve. Does anyone mind DMing me?

File Upload Attacks
It is only one question and I can't seem to find the right file extension
https://academy.hackthebox.com/module/136/section/1288

haa yeah im silver this season....

You can DM me

This is why you got made community mentor

A community contributor? Where?

https://tenor.com/view/askers-where-who-gif-24612724

Couldn’t be you

yeah mate, the blue means noob

Got em

Hello guys 😄

Using crackmapexec {Bloodhound Integration}
Using my own vm configured the bloodhound part of cme.conf but when i try to run the bloodhound module commands it gives error bloodhound isnt running on bolt://localhost:xxxx so how do i configure it to run on http://localhost instead of bolt

What is the best path on htb academy that will to become security researcher and in exploit development???

What should I do as a junior in HS hoping to major in cybersecurity

any extracurriculars, internships or anything type of websites

Looked at a isc 2 membership thing, what’s the membership due for

big thanks 2 @cloud urchin . My guy helped me out with a smile, and went out of his way to test the environment himself. Showed tons of knowledge and professionalism

For future purposes, if anyone is looking for the question:
Using Julio's hash, perform a Pass the Hash attack, launch a PowerShell console and import Invoke-TheHash to create a reverse shell to the machine you are connected via RDP (the target machine, DC01, can only connect to MS01). Use the tool nc.exe located in c:\tools to listen for the reverse shell. Once connected to the DC01, read the flag in C:\julio\flag.txt.

Try using a different source for your payload

Hello everyone, I am stuck on figuring out how to successfully do web enumeration on the target. Every time I try to enumerate it no matter what tool, it will tell me that the host cannot be found at the ip on port 80 or port 443. What I did was the command with
http:// targetip/

module? and submodule?

Getting Started. Web Enumeration

Getting Started. Web Enumeration

Hello everyone, I am currently stuck on Attacking Authentication Mechanisms skill assessment, I understand the vulnerability however when trying to exploit it, does not get what I needed

Whats the provided target ip and port?

Gotta specify it if it isnt one of the default ports(80/443)

can someone help me with this issue please

anyone can give me a nudge on the skill assessment: Attacking AUthentication Mechanisms?

specify the port as 0xW1LD said : )

I see should I use nmap for this? How can I find out what port it I on if it is not a common port?

When you spawn the target it tells you the port after the ip

i remember its mentioned in target ip like this IP:PORT

<IP>:<PORT>

I see

Pretty sure CME is EOL btw that module will probably be replaced by an NXC one

ohk

So it should be for example whatweb http:// targetip:port/ ?

yes

Try it

Thanks.

You can dm me 🙂

are you running neo4j?

DM sent.

yups

reconfingured the port to 4747 but its taking bolt:// schema instead of http:// one

ok.. so neo4j is the graph dbs management system and bloodhound runs the website that reads from the neo4j instance

and config file has nothing in it to specify the schema

yes you are right

you're supposed to connect bh to neo4j's bolt protocol not http

i mean i think it's the same thing really

you should also be able to access the neo4j console directly with that ip it runs on

wait i will run the tools again and will send screenshot in a while so you get better idea about the issue

alright but i don't have all night!

unfortunately its morning here its ok i will wait for whole day

Up!

Module - Using crackmapexec {Vulnerability Scan Modules}
trying running this command : crackmapexec smb 10.129.x.x-u Administrator -p 'IpreferanewP@$$' --put-file ./chisel.exe \Windows\Temp\chisel.exe --local-auth
Getting this error : [-] Error writing file to share C$: Unexpected answer from server: Got 47, Expected like this
SMB 10.129.x.x 445 WS01 [*] Windows Server 2016 Standard 14393 x64 (name:WS01) (domain:WS01) (signing:False) (SMBv1:True) SMB 10.129.x.x 445 WS01 [+] WS01\x:x (Pwn3d!) SMB 10.129.x.x 445 WS01 [*] Copying ./chisel.exe to \Windows\Temp\chisel.exe SMB 10.129.x.x 445 WS01 [-] Error writing file to share C$: Unexpected answer from server: Got 47, Expected 4

What are you still doin here

It’s late

It's 5pm

Well suit up and do some boxes

We got a box to prep for

just wanted to ask if anyone has high latency on pwnbox at all... using my own machine and use the vpn file is also quite high on latency T-T

I have some, but I'm not gonna connect to any of the red ones. especially the 'IN' mines does have a little faster speeds than what yours are showing...

Quick setup question for the pros here:

I’m working through HTB Academy and prepping for certs (HTB + CISSP). My system runs Windows 11 on C:, but I’ve got 750GB free on D:. I’m considering setting up a dedicated Kali or VirtualBox VM on D: for lab work, note-taking, and more flexibility.

But for now, would it make sense to just stick to the browser-based labs until later, and build out my local lab as I get deeper into the paths?

Curious if anyone here started the same way—Windows as host, Linux VMs on a second drive—and gradually built out their setup over time.

Appreciate any insights—trying to stay efficient but also future-proof my workflow.

all of them is red tho for me T-T

i tried switching vpn servers, it did worked once but it went back to high after i came back lol

its always higher for me too no matter the reigon

Hi, can anyone help with Hacking WordPress module ?

with advanced sql injection module does anyone know why it always gives 400 error when sending requests with script

Maybe to do with formatting? 400 is bad request

What exactly is the problem?

Hey — while we’re waiting for him, I’ve got a quick question about the workspace. I just finished the AppArmor portion under the Network Config section of Linux Fundamentals. That was a beast — I had two terminals open to test enforced profiles and behavior.

If I close those terminals now, is there any risk it could mess something up in the workspace? I’m about to move on to the TCP Wrapper section and want to start with a clean environment.

I did take notes

Do i have to close the sessions?

Not sure who that was - but thanks. Wasn't sure if it was a coincidence or not. 🙏

Would like to still know for future ref...

on what the staff pref is.

Hi, anyone have an issue on the new xfreerdp3, where you cant copy paste from windows -> kali, but the other way works

So i cant complete htb ad path because i need to copy hash from inveigh powershell

Maybe someone here have encountered similar problem

just a little lack of attention, already found by myself thx

SQLMap Essentials Skills Assessment
any hint ? i don't find any parameter to exploit.
https://academy.hackthebox.com/module/58/section/534

Did you check the hint?

First, navigate the website to find potential attack vectors.
that i don't found

Surely must have found something that it does/sends?

Did you click around? See what the website does?

Feel free to dm me to avoid further spoilers

their are some forms which don't even send filled data.

sure

So I'm currently doing the sql injection module and I'm having trouble wrapping my head around operators. I'm still getting familar with sql, does anyone have a suggestion as to better understand the module?

https://academy.hackthebox.com/module/33/section/192

So I was fighting tonight! I wanted to get my hands around the NSA tool 🤣 I was trying so hard to figure it out.

haha

Thought you would like a good Friday laugh... I'm looking forward to that next chapter, which definitely excites me to that configuration

sounds like it

oh- and you know I also tried to hunt for the files as well once my memory started kicking back in on how to navigate Linux again 🤣 - then the light stuck 💡 ahhh... that's whats sudo is for..

Hi, just a small question related to student subscription for htb academy
Is it possible to add my university email along with my main email? So that if I ever lose access to my student inbox I can shift back to my main account 🤔

Good morning community, I'm following the Network Foundations module of the academy at Tier 0 and in the chapter Components of a Network arrived at the questions I can't solve the first one which is this:

What type of network tables is used to transmit data over long distances with minimal signal loss?

I think it's obvious that we're talking about fiber but whatever nomenclature I put it always gives me an error; can someone help me?

put it exactly how it is written in the section

also please don't share the answer(or similar) in your query

Ah nice so apparently I can add my personal mail as my 2ndary 🤔

One question, can I keep my real mail as primary, but add my university mail as 2ndary and still get access to hackthebox student ?

it's actually better to use your University email as the secondary so that if the university ever revokes your email you'd still have access to your academy account

Ah crap I can't change till april 🤔

Bcs I just added my main email as secondary and made my university one as primary

So I'm currently doing the sql injection module and I'm having trouble wrapping my head around operators. I'm still getting familar with sql, does anyone have a suggestion as to better understand the module?

I'm not looking for someone to give me the answer. Just help understanding how to get the answer.

Dear HTB people, I am working on Attacking Authentication Mechanisms - Forging JWT tokens. I have followed the steps it showed, but still I get invalid token. the Section of Verify Signature is not clear. In the figure of jwt.io Verify Signature states 'secret based64 encoded'. Does this means that the cracked secret from hashcat needs to be based64 encoded? Tried also with the dot '.' at the end of the token. No luck either.

just the type, don't have to put cables

@slender totem will be deleting your message cos it contains an answer(close enough at least) to a module question

I solved it, thanks for the help!

Can you still access htb academy student plan if you use your personal email address as primary but student as secondary

Yep, that's what I do

Ah F I'm on a 14 day cool down to shift my email back

ima take it I asked a dumb question haha

I wonder if there are any mods here who can disable the cooldown

only support can help you @grand gate

mods dont have access to the platform

ah ok

https://help.hackthebox.com/en/articles/5987511-contacting-academy-support

it is this image in the course:

you having fun with attacking authentication mechanisms @thin citrus ?

ok- so it's fundamental Remote Desktop; I get it.. But umm RDP, VNC.. no c2 stuff?

Im stumped

Silver

Colbalt

anything of this era lol

or does that come much later

This was a good one for me https://sqlbolt.com

TY ill look into that

What’s the context

Hi Latice, this is the quote from the mod "For these VNC connections, many different tools are used. Among them are for example:

• TigerVNC
• TightVNC
• RealVNC
• UltraVNC
  The most used tools for such kinds of connections are UltraVNC and RealVNC because of their encryption and higher security.

In this example, we set up a TigerVNC server, and for this, we need, among other things, also the XFCE4 desktop manager since VNC connections with GNOME are somewhat unstable. Therefore we need to install the necessary packages and create a password for the VNC connection."

then we have to Pivoting, Tunneling, and Port Forwarding

Wym no c2 stuff

Cyber hacking Instagram link can you available

@dense tree if you are talking about setting up your own VM to connect to the labs, if you use a Kali VM 90% of the tools will be installed

I meant in comparison to the more advanced tools that are out today. i.e. Colbalt Strike, Silver Framework, Brutal Ratal, and BeyondTrust (way overkill)

Wait what are you comparing here

They are not tools, they are C2 frameworks that have tools built in

so I am getting ahead of myself again... sorry

If you've setup a Kali VM to connect to the labs yet, I wouldn't look into C2 frameworks just yet

lol

Yeah exactly, start with setting up a Kali VM and running through labs. C2 stuff is way way beyond that 🙂

Well - it's a pleasure to meet you guys 🙂

There are modules for Sliver (an open source C2) on HTB (I'm doing it now) but it's a Tier 3 hard module

🔥

On that note, can anyone help with this error with Sliver? I've set the beacon timeout to 180 but can't run any PowerView commands

[!] rpc error: code = Unknown desc = implant timeout

Powerview is a hit or miss with sliver

Some machines it works great and others it doesn’t at all

Are you using sharpsh or sharpview

Ah okay thanks, just sharpsh at the moment, going to try with Sharpview now

got the request Successfully executed but no reverse shell

Same thing with SharpView 🤦‍♂️ I've got an RDP session and just ran both manually from the host, just won't run through the beacon...

Hi I am on Login Bruteforce section using Hydra, In the final lab we just need to bruteforce a login page. I have initiated it with hydra but will it take 7hrs ? as per sc

@opaque walrus can you not enumerate a user somehow? Then you just need to brute-force the password?

@shut ice i have following the module with this process. How do i get which username is correct?

Sorry but is it not impossible (from my current skillset) to upload to the user without ssh to to the user to download the file from the webserver??

No worries i got it! Thanks!

If you can execute commands as the user, then yes you could run a command to download your file?

There's a variety of ways to transfer files but generally you'd need shell access on the target (there's also file upload vulnerabilities), this can be ssh or other means, ssh also provides scp which is an easy way to transfer files through ssh

See File Transfers Module for more info

Thats the module I'm working through right now lol

I just found the question confusing because it seems to imply that you're expected to make the initial steps without SSHing to the target

well you can do it without sshing into the target using scp but if that wasn't talked about yet then I'd use the file server

can't recall the exact order in which copy methods were introduced, also it's still technically sshing into the target

Oh yeah SCP was mentioned let me look back on that

I was going to do it through a webserver but I guess I should try and dabble into something I haven't done yet

Try all of the methods

during that module I was like: man when am I ever gonna need all these methods
did a box... specifically needed one of the methods

This method seems a lot simpler lol

Theres a reason I brutaly document every which way to do a singular task

I know someday it will be worth it

As long as you internalize before documenting so you're not overly reliant on your notes

I do, I also read over them every few days or so to memorize them over time, and include descriptions for flags or anything I may forget the purpose of

do not memorise, understand, conceptualize, memorization will come naturally

but revision is still a must, human brains are designed to forget things that aren't deemed important

Will do, its a bit rough though I've never had to memorize so much on a particular subject.. or sub..subjects of a subject

U

its a lot to say the least

...the host does not have unzip

and the user is not in the sudoers file

either I screwed up or this has a secondary exercise nested in it 😭

I screwed up.

@everyone i make an account in hack box then what can I do? Pls help me

Bro

Brother where I can get some role

@mental otter - why make an account on a platform you don't know what you could do there?

Yo