#modules
just go back and skim the first cluster's or diagrams, don't do the labs again, just refresh core ideas
they usually label the good bits early
ok thanks I'll just pwnbox it then ya
until my lenovo gets out of shop
tomorrow is renaissance fair
should have a backup on github or something
ok thanks
I think they said five to ten days and I submitted the machine last Friday. However, its five to ten days after they get the part ordered or something.
because they are fixing it under warranty
so its an issue with my battery I think
I'm hoping I get it fixed by next Friday
I'm hoping it will get fixed soon
its a new lenovo laptop and there's a battery issue
I remember there being a hint on the initial website (I think a comment on an order?) that tells you which port it is
Can anyone tell me how to apply for student subscription in HTB?
Step by step guide on how to access the Student Plan.
I've got a question with massive spoilers for the final skill assessment for the Active Directory module on the CPTS path. Is anyone who's done it open for a DM?
Hello, I had a big issue with Attacking Enterprise Networks > Lateral Movement > Privilege Escalation on MS01. The lesson suggests to use the SysaxAutomation software which contains a vulnerability where it will run stuff as SYSTEM. I kept trying and I kept getting errors (which strongly suggested an encoding problem). The way I fixed it is by saving the pwn.bat file with ANSI encoding, now it's executed correctly. I just hope this is useful for someone in the future because I feel like encoding problems aren't so obvious. Good Luck!
eyyy guys Good Morning i have this problem with jupyter lab. I cannot open it
I think the Skill Assessment lab on AD Trust attacks is broken (specifically the last step). Anyone who’s done it around so that I can confirm?
I didn't change the encoding afaik. It worked just fine for me
Can anyone help me? i'm stuck for hours at the module "information gathering - web edition", i'm at the skills assessment page, at " What is the API key in the hidden admin directory that you have discovered on the target system?" With gobuster i found the hidden vhost. On this vhost the robots.txt file gave away an admin page, but i can't reach it, not with curl, not with firefox. And i definitely correctly added the subdomain to the /etc/hosts file.
the sudo nano command is just me checking for the 100th time if i added it correctly
or without -L :
ey guys someone had this problem with jupyter lab?
Quick Question. I am currently working on the Firewall and IDS/IPS Evasion. However, I feel like I was being even way too stealthy for the easy lab. How would you determine when to go really stealthy or not?
Depends on what the client wants
So certain scans might require stealthier options?
For example when scanning for OS or whatever
i visited already in the browser, but i know for sure this is the right directory, i checked some write ups because i went crazy. But from the write ups I was still no wiser
Well scan types are inherently not stealthy, with the stealthiest one being SYN scan. It depends on what the client of the pen test is requesting whether you do evasion or no evasion etc
Oh, okay! Gotcha
Thank you
hi
Security Monitoring & SIEM Fundamentals
Page 2
Introduction To The Elastic Stack
Introduction To The Elastic Stack , I cannot connect to the target, did anyone find this issue?
10.129.208.183 I spawned also another target, it is up but still cannot access
pls I need help with jupyter lab
did you specify the port when surfing for the hostname? example:"http://test.com:5389"
someone can help with this pls?
Hello, I am on Introduction to Active Directory module and stuck on AD Administration Guided Lab Part II.
The task is to add a new user computer to the domain INLANEFREIGHT.LOCAL. When I logged in to the new user computer and ran the command to add the computer to the domain it worked.
However, when I logged into the DC and ran PowerShell with admin privilege and ran the command to add the computer, it returned an error: Access is Denied.
Please refer to the attached screenshot for reference. My question is with Admin priv on DC, we can add any computer to domain, then why we can't in this case.
Is it possible to use the gui to add the user?
What exactly is the issue here? It seems like you can access the lab from the browser by copying the url
the program not works it ... The screen is white 😦
I think you have to copy the whole url (the entire path). The one you censored
neither works it
i don't know omg
yesterday it worked but today no:(
I never used Jupyter Lab, but this is very common in local labs, what I usually do is update/upgrade my distro and download a new vpn from HTB
Which module are you working in?
bump
hello there, I am trying to do the final assessment of XSS module. I am able to load my remote script. But after that I cannot proceed further. Need help ty
AI
And you need Jupyter Labs for that?
Doesn't the module explain how to install it?
this is not working
Have you cleaned browser cache? Tried a different browser or private instance?
Some configuration error 🤷♂️
i don't know yesterday it worked but today no
Is Jupyter needed for the Lab?
Is the installation explained in the module?
Hey @wet arrow
I tried with arp if we have access to the terminal we can run for discover host
arp -i <internal_network_interface_name>
It will respond back if there are any hosts up
and i didn't nothing
If it is required in the module, it should be installed on the PwnBox. Does it work there?
yes is 100% for programming the AI
Guys hello can you recommend some free password audit tools?
Preferably online tools if such exist
Lemme check
someone had this problem with jupyter lab?
You are looking at the wrong step. The question targets the initial connection you established.
ahaaaaaaaaa
Footprinting module DNS host based enumeration
hey, I'm currently on this module but there seems to be a lot of information on the page which is making it hard for me to memorize. Does anyone have key takeaways that I can remember instead of reading over the whole page numerous times?
doesn't that render ping sweeps practically useless?
i wonder if there's a windows equivalent of this command
Hey everyone!
I'm currently working on the Active Directory Trust Attacks - Skills Assessment and I’m stuck on the last question.
I found the shadow credentials (password and KeyCredential link), but the exploitation isn’t working as expected.
Has anyone here completed this part and could share any hints or point me in the right direction?
Thanks in advance!
I don’t think so it has its own use case and you can use arp in windows too
Like: arp -a
Are you getting an error? You can DM if you think it will spoil.
Have you tried it from the PwnBox?
the problem is I cannot work if I don't have this program
hi, i don't know if its the right place, i'm trying to scan a target for the Public Exploit module through my VM which is connected with the ovpn file to the lab, i can ping the target, but if i run nmap -sC -sV it returns
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-12 15:15 UTC
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.18 seconds
if i run again with -Pn i get only a partial scan, however when i run the scan without -Pn in the pwnbox it goes through without issues, can it be a misconfiguration of the vpn my side?
the browser is in white
I’m pretty sure it’s broken. Am at the same step and I think some cert might’ve expired, breaking the lab.
but have you tried it from the PwnBox instead of your vm?
i didn't try because the virtual machine is better bro
Try it from the PwnBox anyway. Does it work there?
there it works but i want it to work on my virtual machine
But now you know that your vm is broken and you have to look there. Probably no one here will be able to help you because no one knows exactly what you have installed/configured.
If you're doing what I think you're doing it took me resetting the lab about 4 times to get it to work from Linux.
I’ve been resetting the box since yesterday, must’ve been at least 10 times by now. Let me DM you to figure if I’m just massively unlucky or missing something
you can post this picture 100 times. It won't do any good.
No one can help you on your own vm. It works in the PwnBox
ok
I need help. I’m at the AD Enumeration & Attacks. I’m completing the DCSync assessment. When I try to rdp to the second IP (academy-EA-attack01), it gives me a login failed for display0. Can someone put me to the right direction?
Hi guys I'm stuck at the skill assessment of File Upload attack.
Try to exploit the upload form to read the flag found at the root directory "/".
Someone can help me in DM?
check if you are using the correct region VPN server, eg for EU machine make sure you have EU VPN config
Cheers to @tribal plinth for always delivering really nice content to the platform, the best it has to offer in my opinion https://academy.hackthebox.com/module/details/299
Would love to see the wireless series move to some bluetooth attacks as well
The second machine if i remember, ea-attack is a linux, try ssh instead of rdp 👍
It's written in the module bro, try rereading the whole thing
If you're still stuck you can DM.
thank you a lot 
Can someone take a look at this script and tell me if I'm on the right track? I'm working on "broken auth - brute forcing weak tokens". The script runs, but it's not returning anything.
hi
Hello colleagues! I need some help. In the Information Gathering - Web Edition module in Skills Assessment (question number 3). I find the only available vhost/subdomain with the dictionary subdomains-top1million-110000.txt. I then set out to look at the robots.txt file and there is no way to find it. I looked at a couple of write ups to check that I was doing it right and it was all correct. Does anyone know if the module is broken? I still have 3/5 questions to answer and I would like to finish the module without having to lose more hair.xD
Thanks in advance to all!
PS1: I just need to know what I am doing wrong or if the module is broken.
PS2: The /etc/hosts file is updated with the correct IP and name.
if this is not applicable here please tell me where and excuse me.
please don't spam post; jupyter has nothing to do with htb academy unless it's from one of the modules; if it's a box --> #boxes
did you add the subdomain after you found it?
i need help
with?
i don't know why the academy machines so slow when i connect them via rdp or ssh there are a lot of lag
use tcp vpn; try changing vpn regions
you read the page; take notes; do the question (if there is one) then click "complete and continue" or w/e the wording is on the button
am from iraq which is the best
not sure probably one of the EU ones (note i'm not support, just a moderator), if you're continuing to have issues, reach out to support via the support bubble
Need some help? Learn how to reach the support team on Academy.
they back in monday unfor...
the problem is that even my ms latency is 80-100 ms
they aren't paid, however, to monitor the discord and assist
that may just be due to distance
there's not much that can be done about that
ok thnx
yes, of course! and then i can´t found the robots...
maybe /etc/resolv.conf is bad?
why would you mess with /etc/resolv.conf?
hello guys
i have a question if someone can help me
am currently in the security monitoring & siem fundamentals module doing the SIEM Visualization Example 4: Users Added Or Removed From A Local Group (Within A Specific Timeframe)
Navigate to http://[Target IP]:5601, click on the side navigation toggle, and click on "Dashboard". Extend the visualization we created or the "User added or removed from a local group" visualization, if it is available, and enter the common date on which all returned events took place as your answer. Answer format: 20XX-0X-0X
this is the question and i followed the steps of the lesson and did everything as should be
something missing is extending the visual to day by day instead of weekly
the result is 3 events all with the timestamp of 2023-02-27
can u explain further?
you can change the range at which the data is displayed
i did that and even put it last 15years and manually entered the results in order to see if any of them is correct but all were wrong
that's not what i meant
the data visualization can be showing 'week of' instead of 'this day'
uhm i still dont get it
the date you mentioned falls under the week of the 27th as it's a Monday -> Sunday week
so... change the way it's displaying that
:)
instead of week of, you want the day of
the way that it works is it's displaying all events that took place on the week of the 27th
so anything in that week is classified under that same date
well there's a way when setting up the visualization to do that instead of manually doing it
but i haven't touched it in so long i couldn't tell you
also module is above tier 0 so don't reveal answers :) (i already deleted the message that contained the answer)
i apologize didnt know
i got the answer after manually doing so but i still havent understood how to reach it
just need to adjust the visualization a bit
like i said it's been a minute since i've done that so i couldn't tell you
but i recall there being a way to do it
Are some of the modules on the CPTS path supposed to be creating instances which can be accessed outside of the vpn ?
It is possible that some web modules work with Docker containers. In this case, no VPN is required.
Help with what?
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
Read #rules
Read it and you will know why the name was changed
hey , i have problem in Footprinting mysql
i can't connect to the database
i test the connection using netcat and it fine
Do you get an error message? You cancel the command in each case
I had the same connectivity issue when I got to that assessment, I don't know what happened but it eventually worked out so I will say keep trying.
Ok
It take Long time so I cancel it
Maybe try to restart the lab or change the vpn region
ah yes ok thank you 🙂
on linux fundamentals - curl with same options to endpoint returns different count on my machine than in pwnbox
I did but nothing change
Same problem
@iron zephyr Add me, i just finished the module, i was also stuck at question 3 (:
And if you don't pass the password directly in the line, just use -p ?
same problem
Try it from the PwnBox
Hi, I am doing the Burp Intruder section in the Using Web Proxies module currently and I looked up the answer online to see how long I should wait for Burp Community edition to fuzz the flag, it iterated over the answer and return an error, can someone tell me what the problem is with this setup because I really don't get it.
I can send a screenshot in dms since its disabled here.
For anyone facing issues with Parrot OS in certain regions regarding certificates, this is the advice I'd give until the core issue is resolved.
This is a known issue with Parrot infrastructure serving up the incorrect certificate. The only solution right now is to force to use the UK mirror IP, or another working region, by adding this to your hosts file.
178.79.175.35 parrotsec.org www.parrotsec.org deb.parrot.sh
The Parrot team have been informed, and will make the required changes as soon as possible, hopefully over the weekend, but possibly not until Monday. Apologies for the inconvenience.
(this impacts certain Pwnbox regions as well, not just personal installs)
Hi anybody done the AEN? I have issues with running bloodhound-python ldap error anyone else did have this issue?
the ovpn file is for EU2, and the lab is in UK afaik, it only lets me chose the region of the pwnbox(UK) i live in europe
hi fellas, i'm on the information gathering - web edition module and currently going through the skills assessment and i'm stuck. for the question thats asking for the API key in the hidden admin directory, i go into the hidden directory and there's nothing in there (just a message that says 301 moved permanently). so my question is where do i go from here
any help/hints appreciated. this is the only question i have left
Hi i hear a lot of ppl using ligolo-ng for the exam. Is it true that ligolo-ng is sufficient for pivoting? And not the other techniques taught in the tunneling module?
I don't recall if I did, but if you can't sort it out, you could always try running sharphound instead.
Question about the sqlmap essentials skill assessment.
I know it requires a tamper, but i didnt know which one. So i started going through every one and found it. My question is, how can i do this more efficiently?
Theres no way i did that correctly, i essentially just brute forced the correct sqlmap tamper.
nvm, after some troubleshooting i figured out it must be something my end, thanks anyway
Should be resolved now.
Hello, I'm in Shells & Payloads, PHP Web shells section. First of all, isn't the FoxyProxy extension supposed to change your browser settings for you? I have to go into settings and do it manually. Anyway, each time I try to upload the php file, I get an error page: "Peer’s certificate has an invalid signature." While this is happening, I have Burpsuite running, and it doesn't capture anything. When I check the Burpsuite log, it says the same thing: Bad certificate error. Any help is appreciated.
You need to install the Burp certificate in your browser @terse sedge
I have the portswigger cert installed
You have to configure foxyproxy for 127.0.0.1:8080
Hello! I am trying to finish the File Inclusion module and I'm a bit stuck at the Skills Assessment. I am close to getting an RCE but I can't figure out what I'm doing wrong. There is even a video on youtube where someone is solving it and when I try it I don't get the expected results. Would anyone be willing to help me a bit? I just want to understand what I'm doing wrong.
Update: nevermind, solved it! 🙂
hello, i having a hard time trying to dump the lsa hashes in the attacking sam module
this is the last question of the lab
im using this command
netexec smb 10.129.232.77 --local-auth -u Bob -p HTB_@cademy_stdnt! --lsa
but i dont get any output, not even errors. im in the vpn and the target host is up
i also used different credentials to see if those worked, but i did not gget anything back
Yo
Is that Bob's password? Also wrap passwords in single quotes
yes, that is bob's password. i tried using the single quotes but i get
[-] Broken Pipe Error while attempting to login [-] Connection Error: The NETBIOS connection with the remote host timed out.
--timeout 9000
nope, now i don't get any output
How do I hack
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
See above
I execute the command and it does not wait 9 seconds, it instantly prints no output
Reset target and try again? Try a different vpn region?
I just reseated the target, this is a new machine, but i still got no output
But I will try to switch regions and reset it again
Thanks, tho
Need to speak to a person? Learn how to reach our support via HTB Labs.
May I DM anyone about "Advanced SQL Injections - Error-Based SQL Injection"?
Need a sanity check. Not sure why my answer is wrong.
Hey! Am I missing something? I'm doing the File Upload Attacks module and just cannot get a reverse shell tho I'm doing exactly as the guide tells me to. I'll just get this warning msg displayed "WARNING: Failed to daemonise. This is quite common and not fatal. Connection timed out (110) "
Web Shell I can get, no probs! It's the reverse shell that's the problem
if the target is a public_ip:port -> the goal isn't a revshell
Oh, so it was just an example?
I just finished this module yesterday...if u need help text me
the public ips don't have a route to the internal network of 10.10.0.0/16 10.129.0.0/16
Can i reset the Modules when i have already done it ?
I managed to transfer the powershell script. But when I try to import the module, I get execution of scripts is disabled error. Then, I transferred Windows executable. When I try to execute it, I get error saying I first need to install .NET framework 😦
Any nudge on how to proceed forward is highly appreciated. Thank you.
No
Bypass the executing script policy
Someone wrote an extension to hide the answers. https://github.com/sudoheader/htb-academy-answer-hider
The http://interactsh.local:59651/log does not contain any password reset request, reverted many times, does anyone have an idea to solve this?
$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
83.136.252.66 interactsh.local
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
If I do 83.136.252.66:59651 interactsh.local in the /etc/hosts file and access interactsh.local in the browser, it's automatically redirected to HTTPS and cannot find the virtual host.
for advanced sql injections skill assessment, am i supposed to have access to live remote debugging? or am i supposed to run it locally?
Which module, which section?
Try to reset the lab
did many times
hello, i have started the intro to networking module and i dont understand one thing. It says that printers should be on their own network but how do you do it?, or will it explain later in the module?
You'd separate the network into segments known as vlans this is done through layer 2(switch) configuration
Hi guys
When i run netexec with a blank password i get an error. Is there a workaround for this? I also tried with single quotes
netexec smb 10.10.11.236 -u guest -p "" --rid-brute
nxc smb: error: argument -p/--password: expected at least one argument
I had that issue with the parrot version of netexec, using the binary from the netexec release repo it worked fine. There seems to be some issue with the parsing of arguments. You can try -p="" but if its the same issue I had you will have the same problem with every argument using a space
tysm that fixed it.
Attacking Enterprise Networks
Hi guys! Have gone through the pentester job role path and am now about to start the enterprise module. To get the most of it, I just want to ask a few things:
When people recommend to do it 'blindly' would that suggest just ignoring the section questions and just start enumerating and attacking 'freely' and based on my own methodology OR would it imply still following the questions but 'ignoring' the text sections? (In that sense, I figure maybe just trying to figure out the way to gain a foothold and then just keep going from there and eventually going back to tick the questions?)
I guess It's like the other sections that when picking up the next day, the target will be reset and you will have to redo any steps to gain foothold, so no persistence techniques would persist?
Any other recommendation related to get the most practice out of the module?
Thank you in advance!
When I went through it, I just used the information provided by the Scenario & Kickoff section that I needed to begin and just started my process. I documented my process in my notes, so when I came back to it later, I was able to refresh myself with the information I knew and could essentially just pick things up again. If I came across flags along the way, I just documented them in my notes and when I was done, answered the questions where they applied. I used just my notes and if I got stuck, would only rely on what I could research via Google. I recommend if you can't move forward after referencing your notes or Google, to then reference that part in the walkthrough. Add that information to your notes, as that is obviously a gap, then push again blindly. I also wasn't wrapped up in rooting everything if it wasn't absolutely necessary to progress, although I made the effort to root everything. I also wasn't in a rush to just finish it. I probably worked on this for about a week, on and off, as I really wanted to test my enumeration, thought process, identify gaps, etc. When I was done, I then went through the walkthrough and compared it against my notes and my own walkthrough. I added parts I missed or expanded my notes a bit if they were just lacking. Hope that helps.
That sounds great, thanks a lot! That is what I will do, just kicked off information gathering, so this will be fun!
Is anyone doing burp suite these days community edition
Am having a bad time starting with it
you can get acquainted with Burp Suite in the Using Web Proxies module
Hey guys!
I'm trying to work on this module - https://academy.hackthebox.com/module/23/section/622
but I can't ssh. getting this error Connection closed by 10.129.xx.xxx port 22
- tried resetting the machine
- tried to confirm ssh service is running or not. I can see
port 22 open with ssh - got a vpn file with different region
Any other suggestions?
But how
Thanks a lot 🫂
just to double check, for intro to malware analysis for setting up inetsim, the ip use should be our own virtual machine ip right?
hi guys for advanced sql injection skill assessment, are we supposed to be able to live debug or check logs of our payloads?
Nope, no live debugging and no logs
https://academy.hackthebox.com/module/227/section/2499 hello, i'm trying to solve this exercise but i don't really understand a thing, i find a string 'Gr****' but it doesn't work for the key registry
for advanced sql injections skill assessment 1, i can't seem to get anything to evaluate properly. the only thing that is working for me is || admin'/**/aNd/**/'1'='1'--n which returns true|| and || admin'/**/aNd/**/'1'='2'--n which returns false||
once i combine it with the source code while simultaneously bypassing the filters trying to enumerate the database using other sql functions, i'd assume it'd all work, but seems not
things like this query just dont work and i dont understand why || admin'/**/aNd/**/sUbStRiNg((sElEcT/**/cUrReNt_dAtAbAsE()),1,1)='p'--n||
Heya
Can I get some help from anyone? Is there a voice channel? Unable to solve the final question on this one.
SIEM Visualization Example 4: Users Added Or Removed From A Local Group (Within A Specific Timeframe)
can I have access to the general chat , please? #
Read #welcome
thanks
hey guys,
I'm currently working on the CDSA path, more specifically the Security Monitoring & SIEM Fundamentals bit
I'm stuck on this one.
SIEM Visualization Example 4: Users Added Or Removed From A Local Group (Within A Specific Timeframe)
I have been so far unable to answer the final question on this. Can someone push me gently on this by giving some guidance? Spent hours on it.
click on the side navigation toggle, and click on "Dashboard". Extend the visualization we created or the "User added or removed from a local group" visualization, if it is available, and enter the common date on which all returned events took place as your answer. Answer format: 20XX-0X-0X
thaanks
Got it figured out!! Thank you!
Anyone for help me for the course malware analysis please 🙏🏾?
What am I doing wrong here, please? I can't pass the module due to not being able to find the right answer here. 😦
Hello, I just started HTB as a total new comer
Shall I start with Linux fundamentals cuz cyber security requires Linux and python yea
Or shall I go for information security fundamentals
Which path shall I choose?
I have the same problem.
I've used both Kira's passwds the one from the beginning and the one which was discovered in the id_rsa file, and john isn't cracking the zip password.
In time,
I've created the mutated list using the custom rule with both discovered passwds, but I have this as result:
➜ Protectd-Files hashcat --force kira_pass.lst -r custom.rule --stdout |sort -u > mut_kirapass.lst
➜ Protectd-Files head -n 5 mut_kirapass.lst
L0veme
L0veme!
L0veme01
L0veme01!
L0veme02
➜ Protectd-Files john --wordlist=mut_kirapass.lst kira_notes.hash
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:00 DONE (2025-04-13 16:37) 0g/s 19700p/s 19700c/s 19700C/s L0veme..LoveYou199!
Session completed.
➜ Protectd-Files john kira_notes.hash --show
0 password hashes cracked, 1 left
I'm stuck...can you help me?
The Information Security Foundations path contains the Linux Fundamentals module.
Guys i need help
I am currently doing HTB shell and payloads in academy
I have completed the module and im in my last live engagement
Here i have to connect into parrot OS VM using "FREERDP"
I have connected to the VM but there is no any network connection
I cant even ping
Do you guys know how to fix this issue ?
Sorry to be a bother ya'll. I'm currently chasing for my CDSA cert and I'm going through the Linux fundamentals, but I'm totally stuck here.
Which kernel release is installed on the system? (Format: 1.22.3)
The final answer I got is 6.11.5 but it dings it as incorrect no matter what. I'm not sure what I'm doing wrong I pulled the kernel version and everything.
Are you ssh to the target
Hey @fathom pendant I'll trade u CPTS tutoring for Cloud pentesting tutoring (any CSP)
I don't do trades
Suit yourself
I'm just not in a position for that
There's no special position to be in, you just be you
Financial position
Its free
I'm having trouble with the linux privesc skills assessment. I'm getting kicked out of my ssh session within 30 seconds every time. Is this an intended part of the challenge, is something wrong, or am I doing something wrong? 😄
Yours may be, mine isn't
Error:
htb-student@nix03:~$ Read from remote host 10.129.91.247: Connection reset by peer
Connection to 10.129.91.247 closed.
client_loop: send disconnect: Broken pipe
I've reset the target and reconnected my VPN but nothing has changed.
Use a different vpn region
Or tcp vpn
Ah, tcp vpn fixed it. Thanks!!
I don’t think so. If that required any extra steps I certainly didn’t do it.i just connected to it normally.
Wdym "connected to normally"
Start instance != spawn target
Start instance starts the in-browser attack box (pwnbox)
Thats not the same as the target
Yeah I started it through pwnbox, I’m sorry.
Again: the pwnbox isn't the target, just above the questions should be a "spawn target" text to click
The module should tell you ssh syntax to connect, and gives you creds
Guys is joining hiddenwiki from chrome normal
I just joined it to check out didn't click on any links inside it
Would anybody able to look at this?
This isn't related to htb academy at all
Ye but I can't speak in general tbf
I forgot how I did it but you can adjust it to use absolute range instead of relative
If only #welcome held the key to your access
No need to post content from the module. Just read the question very carefully.
could someone chat with me on discord, I'm going nuts, spent the afternoon with this, gentle push wouldn't hurt I dont see the woods from the trees
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
please help
I got it but dont understand how 😄
can I chat to someone from the staff about this question?
Hey guys little question about a section in the hacking wordpress module. I launched wpscan and it gives me 0 plugins, but the LFI that I need to exploit is via the masta (said in the exercise) plugin, is it because of the passive enumeration?
Have you tried active enumeration?
not really no the only tool that is shown in the section is wpscan if i'm not wrong
@safe mango
oh no my bad there is enum with curl too
I will try it now
Let me know how it goes
got it ^^
how can we confirm that we have the priv to connect as sysdba ?
module footprinting Oracle TNS
If it is not in the module try ask chatgpt first, I guess by trying first, he probably received special rights that allows him to connect to the sysdba
🤝
@lime cosmos check this https://chatgpt.com/share/67fc13c6-c7a0-8010-a716-a064ddf4be98
don't look the first question it was mine ^^
Hello! While doing the module "Using Web Proxies", in the chapter called "Burp Intruder", I was trying to do the exercise for that chapter and I managed to get the flag using Burp Suite but when I tried the same thing with ffuf, it doesn't detect the page with the flag. Does anyone know why? I am using the same wordlist for both Burp and ffuf.
Hello everyone. It seems I am a little stuck on the bypassing security filters section of Web attacks. each method I have tried provide me with the flag from the previous section, which obviously does not work.
Im not sure what I am doing wrong. Some help would be appreciated
Do you mind showing the ffuf command?
I actually managed to find it. I think the reason I didn't find it in the first place was because I didn't add any header params in the ffuf command.
First I ran a basic: ffuf -w common.txt -u http://83.136.249.199:32060/admin/FUZZ -e html
This didn't find it.
After doing some research I ran: ffuf -w common.txt -u http://83.136.249.199:32060/admin/FUZZ.html \
-H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)" \
-H "Accept: text/html,application/xhtml+xml" \
-H "Accept-Encoding: gzip" \
-H "Accept-Language: en-US,en;q=0.9"
It was able to find it with this. I didn't know these can make a difference.
When I did the module "Attacking Web Applications with ffuf" I didn't always use these header params.
Most likely > user-agent. If you're unsure why, read the section again more carefully
Actually..I did some more tests now:
ffuf -w common.txt -u http://83.136.249.199:32060/admin/FUZZ -e html //Doesn't find it
ffuf -w common.txt -u http://83.136.249.199:32060/admin/FUZZ -e .html //Finds it
So it's an easier explanation. :))
yes, I added it without the . initially 🙂
have you tried to change the request method?
yes to a number of types.
Hi
silly ffuf mistakes, you won't make them once you get used to the tool. Happened to me as well
Yo wsp yall
I can't type there
show me the post request you sent to bypass the filter
I should DM?
yes, I have solved this lab so don't worry about spoilers
Are we going to get any more modules about mobile hacking? A whole path maybe?
idk
Sure, but some stuff may leave you confused
Depends on your goal. If you want to take the exam the intro to AD module is not included in that path so you don't have to.
It helps some underlying concepts
Yeah if you don't know what AD is it may help to take the intro module.
Iirc it teaches the basics of DACL and SACL
i guess I'll start intro soon, thank you. I'm just new to studying like this
I've been reading up tons on ad stuff while doing boxes but it would help with foundation yeah
It helps to take notes
I've been trying. not that good at dissecting important details though. need to practice
And actually test what you read
Looking through some of the previous messages here, I'm working on Stuxbot: Introduction to Threat Hunting for the following question "Some PowerShell code has been loaded into memory that scans/targets network shares. Leverage the available PowerShell logs to identify from which popular hacking tool this code derives. Answer format (one word): P____V___" I believe that I'm searching for the correct event.id but when I apply filters for the date and powershell.file.script_text it's showing 421 logs to sort through. Does anyone know if I'm searching too broadly or if we are supposed to look through 400 logs manually?
There's some text within some of the logs that'll point you to the tool
So just confirming we have to look through 400 logs for the tool in question and there's no way to filter further?
Gods no. Only a handful and some research can lead you far
Can I PM to see if my query is missing anything? From looking at previous posts I seem to be missing something and returning too many logs.
I haven't done the module myself, but you can look through some to see the commands used
The commands are part of a tool suite
Where can I learn reverse engineering
For malware analysis:
https://academy.hackthebox.com/module/details/227
For binary exploitation:
https://academy.hackthebox.com/module/details/89
thx
Module: Active Directory Enumeration & Attacks
Skill Assessment II
[+] Use a common method to obtain weak credentials for another user. Submit the username for the user whose credentials you obtain.
Any help with this one?
Back then somebody told me to try password spraying, but the only password i found at this point is wea*** but doesn't work with other users
File Upload Attacks
Upload Exploitation
Made a php reverse shell with msfvenom but not getting reverse shell ;v (tried netcat(nc) & msfconsole too)
try kerberoasting ( i remember)
not sure but try it
nah i already try it with Rubeus and mimikatz, dont work pal 😦
i dont remember then :v
hehe dont worry
have you tried password spraying?
the examples they used?
can the user do anything else?
Yes, at this point i only discover one password, but dont work with other users in the domain
As far as i know, yes
have you checked shares?
@fathom pendant you online? Just need to DM you about something.
ok, I'll buy it later, thanks😃
guys what do you guys rank at globally?
just need to get a reality check drop in your global ranks
i am at 928
BUMP. I still need a little help with "Detecting Attacker Behavior With Splunk Based On Analytics" if anyone can offer it? I do have the correct answer but not through the correct method. I really want to work out why my query does not show the answer as an outlier as it suggests I should be able to.
As far as I know, there is no ranking in the Academy.
File Upload Attacks
Upload Exploitation
Made a php reverse shell with msfvenom but not getting reverse shell ;v (tried netcat(nc) & msfconsole too)
I am doing Information Gathering - Web Edition - Skills Assessment.
I am stuck at this question: What is the API key in the hidden admin directory that you have discovered on the target system?
I have put in the IP Hostname in /etc/hosts:
└──╼ $cat /etc/hosts
# Others#
83.136.252.66 inlanefreight.htb
I use the following to enumerate the vhosts.
I use gobuster vhost with the following: There is no result.
gobuster vhost --append-domain --domain inlanefreight.htb -u http://83.136.255.10:37047 -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt
Then, I tried with ffuf. I get results like Status: 200 for everything, which is obviously wrong.
ffuf -u http://83.136.252.66:30528 -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt -H "HOST:FUZZ.inlanefreight.htb"
...
alpha [Status: 200, Size: 120, Words: 4, Lines: 2, Duration: 303ms]
ww2 [Status: 200, Size: 120, Words: 4, Lines: 2, Duration: 303ms]
marketing [Status: 200, Size: 120, Words: 4, Lines: 2, Duration: 302ms]
job [Status: 200, Size: 120, Words: 4, Lines: 2, Duration: 303ms]
...
Could anyone give a hint on where I went wrong with my vhost enumeration?
Try other wordlists (subdomains-top1million variants of this one)
Can anyone explain why ffuf gives all status code 200, even though the vhost or subdomains do not exist.
Is there anything wrong with my ffuf command?
ffuf -u http://83.136.252.66:30528 -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt -H "HOST:FUZZ.inlanefreight.htb"
...
alpha [Status: 200, Size: 120, Words: 4, Lines: 2, Duration: 303ms]
ww2 [Status: 200, Size: 120, Words: 4, Lines: 2, Duration: 303ms]
marketing [Status: 200, Size: 120, Words: 4, Lines: 2, Duration: 302ms]
job [Status: 200, Size: 120, Words: 4, Lines: 2, Duration: 303ms]
...
try using -fs (response size) to filter the 120 response size @cosmic plaza
in module Shells & Payloads - Bind Shells it says:
"we can test bind shell with other academy student".
I have 2 accounts so I opened up 2 workstations (yes, the same VPN server) but those 2 instances doesn't "see" each other.
any ideas why is that?
both are 10.10.14.x
Will try this -fs.
it's because you're encountering what's known as 'collision' by using the same vpn pack
so how to make it work?
Hey guys I'm doing the skills assesements from the hacking wordpress module, can someone tell me why when I'm trying to scan it it says that it don't use wordpress?
manually enumerate the website before using any tools
Has anyone done the Introduction to Windows Evasion Techniques > Open-source Software?
It goes through 3 AMSI bypasses and asks you to use 1 to solve the challenge, however the bypasses themselves now look to be getting detected by Defender?
Is patching amsiScanBuffer not really relevant anymore?
Can anyone tell me why this particular section is named "Web Services" in the "Login Brute Forcing" module ?
Cause we did not exploit any kind of "Web" Service. We just exploited normal services like SSH and FTP.
nothing of web. I think it should be renamed as just "Services".
Hello! I'm on "Advanced XSS and CSRF Exploitation" "Exploiting internal Web Applications II".
I solved the question on the assessment. But I want to ask something regarding the lines returned with the command injection. I am able to see only one line of the output of the command. Why this is happening? Is there a way to see all the output of the command?
PW Attacks
Attacking Active Directory & NTDS.dit
Got credentials for an account using CME, verified that these creds worked by additionally using nxc - Try to log in and get denied... Any nudges / help?
already tried with curl but get nothing
enumeration doesn't involve only using tools
If anyone could tell me the reason for this, would be very thankful.
No access
What are you trying to do? The account might not have remote access?
even going trough the website I can't find nothing, there is nothing else stipulated in the module
Hello all, I'm stuck on Linux Privilege Escalation Kernel Exploits. The hint suggests to use CVE-2021-3493, however when i run it on the target machine, i get the following error 'htb-student@NIX02:/tmp$ ./exploit
./exploit: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./exploit)' Do we definitely have to use CVE-2021-3493? or can we use another exploit?
Found out it's the wrong account - disregard sorry
take a break and try again, I'm sure you will find something
Okej I will try that ^^
I can not get this question right, in android emulators. I opened and created the avd and got this build number UE1A.230829.036.A4 but it wont take it. Create an AVD for 'Pixel 3a API 34 Google APIs' using Android Studio. What is the build number of the device? (Format: build_number, Example: build_number-test)
how you solve this
Aim at using the mentioned version of Android Studio, for some reason in a newer version the build number will differ for the same device
Can someone help with this please? No matter what exploit i use from 2021, i get 'GLIBC_2.33' and 'GLIBC_2.34' not found. The actual GLIBC version on target machine is 2.27
does not say what version is used im using 2024.3.1
The build number is not actually the number...
then what is the right number in the app
Its a string with a - in the middle
I'll take a look
Searching your issue identified others that had similar issues. Here is a potential bit of advice that might help.
not sure where it is i keep looking on the emulated device
Yes it was annoying, I suggest moving on to the other sections first. There might be a hint there.
Aha! Thank you, yes i was compiling it on my local machine with glibc of 2.36 and target is on 2.27. Thanks again, it's very much appreciated! I'll be sure to search in the future as well
i keep looking
thought this was for help the forums dont work anymore
hello
i need help on hackthebox DOG machine i dont know if i can write the question cuz its still active machine and please reply if i can do it
Better to ask in #boxes
it says that i dont have access to that chat
read #welcome to verify your discord account
yea thaanks
np
HI im just wondering for Windows Privesc module, does anyone have an explanation to why even if the privileges are Disabled, i can still use them? Like the SeImpersonate and SeBackup
Hi all
I have spent over an hour on an early enough module that I feel dumb now
I cannot figure out what exactly I am being asked to do
its in /module/77/section/843
Public Exploits
Try to identify the services running on the server above, and then try to search to find public exploits to exploit them. Once you do, try to get the content of the '/flag.txt' file. (note: the web server may take a few seconds to start)
scan for open ports on target, see what services are running on those ports then research exploits
thank you.. I have scanned the ports..
Am I meant to rely just on the modules supplied information or am I meant to start googling all the possible exploits?
ok.. thank you
Anyone ?
please help me in ->
Network Enumeration with Nmap -> Firewall and IDS/IPS Evasion - Hard Lab
Which linux commands do I require ?!
what is the correct channel to inquire about machines in the labs?
Hey ! I am on Password Attacks, in Credential Hunting in Linux.
I solved the question with a bit of assistance from the module, on this section but I wanted to ask how I'd supposed to understand that i need to use python3.9 to run the script on the victim host ?
I ran before looking at the solution python --version and these were the outputs
kira@nix01:/tmp$ python3.9 --version
Python 3.9.5
kira@nix01:/tmp$ python3.8 --version
Python 3.8.10
python3.9 did work eventually, but I am trying to figure out how I'd supposed to understand it, if someone did this specific section without any help i'd love to know how : )
hello guys , can anyone help me in this question , Using Julio's hash, perform a Pass the Hash attack, launch a PowerShell console and import Invoke-TheHash to create a reverse shell to the machine you are connected via RDP (the target machine, DC01, can only connect to MS01). Use the tool nc.exe located in c:\tools to listen for the reverse shell. Once connected to the DC01, read the flag in C:\julio\flag.txt.
im still struggling with the answer for adv in android build figured it out needed use google api version
Hi im doing sqlmap essentials skills assessment
Im stuck at finding a parameter to inject
in addition to the same section, the most updated algorithm type in linux distributions is $y$ (Yescrypt) isn't it?
using sqlmap to crawl won't help u find it. You legitimately have to press every button on the webpage and see if it triggers a Get request in console
Your glibc version has to be the same as the target machine for this to work. You either set up a docker and compile it there, or u transfer the file to the target and make the target compile.
Uh.... sanity test that pentest in a nutshell doesn't have a container tool on the linux privesc?
No. That's illegal. We don't do illegal stuff here.
I grepped my way through the linpeas and nothing comes up. If I use docker cmd, it asks me to install. I'm sort of clueless as to where from here
my own acc?
You don't own your account, Snap does. You're just using their service. The answer is no.
Hello, I'm working on the Practical Digital Forensics Scenario submodule within the Introduction to Digital Forensics course. I'm currently on the first question, which I solved by intuition. However, after analyzing the memory dump, I haven't been able to find any traces of the tool used, ||except for an encoded powershell payload which points to letsgohunt.site.|| Could anyone offer some guidance or point me in the right direction?
it should be john -w=path_to_rock hash.txt --format=something
But I'm not sure if ipmi format is supported
No it not supposed
Hash(sha1):salte
So I think I split the first part hash(sha1) and crack it with --format=sha1
Hello, I'm working on the "Miscellaneous File Transfer Methods" of the "File transfers" module, I managed to mount a linux directory on the Windows machine with freerdp, I transferred nc64.exe and nc.exe from github to the pwnbox, and from the pwnbox to the windows machine, but when I try to run it to test the commands given in the course I get an error message saying "the program or feature cannot start or run due to incompatibility with 64-bit versions" for both the exe files. Am I doing something wrong ?
Hi all, going through the pivoting, tunneling and port forwarding module. Just wondering if there is a simple way to remember when one would need to locally port forward, dynamically and reverse port forward?
locally is when you wanna have access to one specific service
dynamic is when you want to pretend you're part of the subnet (i.e. interact with it) (via your pivot)
and reverse is when you want your target inside the subnet to have access to you (through the pivot (iirc))
Okay that helps, so local when I want access to an internal service that I can't access from my attack host. Dynamic when I want to interact with the deeper internal network potentially scanning the network. Reverse when I want the deeper internal host to have a route back to me for a potential reverse shell
exactly
i mean im no pro i just did the module a few weeks ago but i think thats it
Thanks for that, I kind of had the idea but I just found it slightly confusing in the module
I think the confusion for the reverse port forward stems from the chapter already having RDP access to the target internal host, so I had a mental block thinking why would I need a reverse shell when I can get RDP access lol
but I assume I would discover an attack vector to upload a reverse shell or RCE on that internal host which I then would need a reverse port forward for
yeah same this kinda bugged my mind when i tried to create a meterpreter reverse shell thingy
Cool, nice to know I'm not alone with that 😆
I got stuck here too because the lab discusses the bypass within the console but we are sending the payload as JSON. Try {"constructor":{"prototype":{"deviceIP":"127.0.0.1; whoami"}}}
Hello, Skills Assessment - Using Web Proxies
3. Question: appended alphanum-case.txt the last letter encoded with base64 and ASCII HEX dont find anything. Also for this module in general BURP intruder is a premium feature can not be used anymore as free user.
where did i go wrong any hints?
Use zap
create a virtual python environment then run your hacking stuff
I am/was did not work
if i try to use it it gives me pop up telling me its premium and if i click ok it closes intruder result
Also you have to encode the whole cookie so cookie=§sometext§ > then prefix, and run the encoding in the reverse order you decoded in
So if you decoded a -> b -> c you encode c -> b -> a
Im on the active directory skill assessment part 2 and i dumped credentials but i dont think the NTLM is correct for administrator.
maybe you dumped the local admin?
Yeah i did, and i was thinking of password reuse, am i not supposed to do that?
I think mine is broken..
any module for cloud is planned... ?
anyone on this?
@solid python 
Can anyone help with the Windows Evasion SA 2? I have made two VBS scripts that get a shell when I run them manually on the target, but dropping them into the folder the target user gets a timeout? Seems like it's broken since it passes the AV checks and just times out?
It's a lot of overhead to plan and deploy cloud infrastructure labs
Isn't there already cloud labs that used to be Enterprise?
Yes but the enterprise cost covered the overhead
Isn't it just on Academy now?
No?
I'm not in on the budgeting for htb but since each lab is meant to be able to be launched as individual instances, you have to factor that into overhead
And the cleanup/monitoring
And licensing
Ah yeah can imagine it's expensive. I just thought it had moved to academy or pro labs but must have been dreaming
No
I can share some ideas if you are still stuck on this one. Feel free to DM.
There's still the blacksky labs on EP, no big content like that is on academy
They shifted some prolab stuff around and there's some free prolabs now
awesome 🙂
footprinting lab medium the rdp dies very quickly and then you need to restart server
Use tcp vpn
thanks 🙂
Is there a problem with the inlanefreight.com page? I can't open it and doing curl from my own VM I get curl: (6) Could not resolve host: www.inlanefreight.com
So i wanna learn how to pentest web apps etc, where should i start? I got some sections in portswigger Done 🙂
There's a bunch of web modules, the cbbh path covers a bit of them
works for me
is there not a path that is called web pentesting?
up
@small basin don't reveal any bit of answers for modules above t0, the module is expecting you to know your way around some credential harvesting/password attack techniques
OK, sorry. I'm just wondering where that technique was covered. Or does this mean the walkthrough may use techniques that were not covered in the course?
As i said it expects you to know some techniques not covered
Hmm found some models about web! 🙂
It's a tier 2 module covering something, it's not gonna teach you something related to password attack/cred harvesting
If you're doing the cpts path, I believe that the password attacks module is before pivoting
Correct. I did that before and looked for this technique in it, but I couldn't find it.
Well if you look at the mimikatz mode used: you'll see the similarity to a technique used for dumping 😉
Also i wouldn't go to the walkthrough as a "this is the only way to do this"
Sometimes it's a matter of "this is one way to do this"
The author relies a lot on utilizing the msf shelling and pivoting methods in a lot of their stuff, for instance
But that's not the only way to achieve pivoting, as showcased by the module
I and many others will swear by "ligolo-ng," granted you understand the underlying structure behind pivoting
I also urge against using the walkthrough, as it's not sufficient in teaching you why
Asking for help here isn't taboo, just avoid spoilers
Yes, I found that one, that dumps it in the same way, but then uses another way to extract the pw.
I just expected it to be covered in that way as well in the course
I know that there are often multiple ways to achieve something, I just usually check afterward how the walkthrough solved it to maybe learn another way. And it looks like this time it's something partially new.
I saw ligolo-ng mentioned a lot here on Discord. Will check that out sometime.
Thanks!
This is a case of "you should already know this"
For the most part, the modules stick to their own topics
Higher tier modules expect more underlying knowledge
any one here solved whitebox attack module ?
i have a problem with a challenge so if any one here solved it
plenty did, best to just ask your question. make sure not to spoil content from the module as it's above tier 0!
i know so i need someone who solved it to text him privately!!
You can, DM
can someone help me with "Using Splunk Application" question 2?
Please re-ask your question without spoilers from the assessment, may need to take it to private.
Can I DM you?
No sorry I'm busy
Intro to Whitebox Pentesting
Challenge: There are at least 2 different ways to obtain remote code execution on the target. So, once you are able to exploit one vulnerability, try to identify the other and exploit it as well.
The first RCE is obvious, not ez, but I got the flag. For the 2nd - can anyone tell me if the first RCE is required to "massage" some existing code prior to having an exploitable scenario?
@summer crag Please do not share specifics of the path to solve modules above Tier 0. You may ask for guidance, but as far as requesting for guidance in private.
@ocean night sorry about that. where should I go for private guidance?
Ask for assistance here, state the module and section, and someone may reach out to help with a nudge
got it, thanks!
Yo
Hey all Got stuck with burp intruder need help with it to complete exercise.
can u tell the module name and submodule to help u better
Hey all, has anyone here completed the Intro to C2 with Sliver module that could provide some insight on the last step of the skills assessment? I have compromised the first DC, but am having issues pivoting to the parent domain
Hey everyone I got stuck on module using Crackmapexec Skills Assessment. I want to gain access to DEV01 but can't seem to find a way around.
Can anyone give me a nudge?
Has anyone gotten the flag for the Prompt Injection Attacks Skills Assessment? (not asking for the answer, genuinely curious if someone has gotten it since it gave me 2 flags that did not work)
I’m looking for someone who can help me with getting to hacking any tips or tricks will be welcomed🙏🏼
Think about abusing trust, Diamond Ticket
Enumerate gMSA
Provide more info on which module/question you got stuck
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
@frosty plank ^
What helped me in that question is to run all Persistence Collections (main one)
Buffer Overflow in Windows (https://academy.hackthebox.com/module/89/section/946)
Do you guys actually use ERC --pattern c 5000 over msf-pattern_create? Because ERC gives the output in double quotes and I was wondering if there was any options built within to just get the patterned payload
could anyone help me check my script for RCE on adv sql injections skill assessment question 2?
Just I wanna write something?
Discode.
Wi-Fi penetration testing basic module, I will unlock it. Did you do it?
One message removed from a suspended account.
Currently no, just a badge
Guys i wanna ask about dante prolab, idk if this spoiler or not, but is there buffer overflow on dante? I wanna try it but i have not learn about BO yet
1) yes there is; 2) you can complete it without doing BOF 😉
I see, then i can try lol
#1263635449335910531 if you don't have access identify your account, instructions in #welcome
Honestly when I did it couple of years ago I even forgot there is BOF, it just went unnoticed
From my notes you need to use wordlists from the section
Check Resources.
Yeah I remember there is a wordlist somewhere in that section that you can use for all related attacks
wait, you need to get all users from AD
There is only 1 password to test for
Been a while since I did that module so can't remember for now. I can however tell you that section "Enumerating & Retrieving Password Policies" contains what you need. Maybe someone else who recently completed this module will provide more details.
I thank you very much for answer
Hi guys, have a problem with last question. HTB Does not accept answers 2.4
The question is
„which frequency band is known for better wall penetration, but more prone to interference?”
The last question of what?
Which module? Which section?
We def need a Tier 0 module on "How to ask questions properly" xD
in the works
Need some help? Learn how to reach the support team on Academy.
we can't help you here
ok how long they take to respond ?
submit an email and just be patient
ok
Hello, I'm not sure if im right here, but i try.
In the CPTS Path, Linux Priv Esc. -> Logrotate
The path is to escalate the privs with logrotten to root and then gain the flag.
Sadly logrotten needs GLIBC_2.34, on the target machine is only 2.31 installed. And its not possible to run logrotten there. I tried an older branch but it's the same requirement to run logrotten. As htb-student access to the target you also cant update libc6.
Is this an unwanted problem or am I on the wrong path?
Compile locally and transfer to target server?
you need to compile it statically, you can also compile it on the target
Thanks for the input. I'll try,
last time i asked this the answer was no, but I am wondering: is there a way to reset progress on a module? e.g. if i have one I want to re-do from two years ago for practice? Last time I used TamperMonkey to hide the answers but I was hoping there was like a reset option hidden somewhere.
Can someone tell me how ranking up to hacker works? I'm currently on script kiddie and solved active challenges. I see that I earned exp in activity but progress toward hacker stayed at 0%
Sorry if it's a bit off topic. I posted in general but can't anymore
You need to solve current boxes, not retired machines and not academy modules.
I solved active challenges. Is solving active machine the only way to progress once you get past noob?
I didn't know if those challenges give you points or not, but I guess you just confirmed they don't.
They do give exp, and I see that they do under my activity
When I ranked up from noob to script kiddie, I worked on active boxes and challenges.
But active challenges no longer seem to progress my rank
I can't post in general anymore after my first message
Got it
I've been stuck on Introduction to NoSQL Injection Skills Assessment II. I have the username. I have not been able to inject regex into the password since the post data is not in json, and changing the password parameter like the bypassing parameter section recommends throws an error of password parameter not set.
Will I get a complete Methodology in the Pentester Job Path ?
By the end you should have developed your own methodology
I can't post in general…
You need to identify your account, instructions here: #welcome
Thanks
Hello all. Im doing the KERBEROS ATTACKS - Unconstrained Delegation - Users Module. Using the dnstool tool script, it is giving me this error... Can someone help me?
Hey guys I was on shells and payloads live assessment connected via rdp but I can not find a browser to check out the website, there is only tor browser which does not open
I did but cannot get the NTLM hash
Added to /etc/hosts? Correct IPs? Ports are open?
Still "no"
yes...
i think the command its just fine
You sure it's the correct IPs and not 10.10.14. ?
probably some connection problem
I can't remember the exact IPs, just a suggestion
Seems fine
In my notes:
10.129.205.* dc01.inlanefreight.local inlanefreight.local
i think it should be this IP
Hi all
I have spent over an hour on an early enough module that I feel dumb now
I cannot figure out what exactly I am being asked to do
its in /module/77/section/843
Public Exploits
Try to identify the services running on the server above, and then try to search to find public exploits to exploit them. Once you do, try to get the content of the '/flag.txt' file. (note: the web server may take a few seconds to start)
I will reset, to see if it resolves the problem
It's Simple Backup Plugin with version. Google for exploit.
yeah i did its just like im stupid i cant find anything
i did for an hr i only found 2 open port and googled them and theres nothing that i understand
MSF module
huh is that the exploit?
You need to use MSF module to exploit Simple Backup Plugin
Open the IP:Port in your browser and see what's written there
i alrdy did that like i said i was trying for an hr
So what you can see when you google for Simple Backup Plugin "version" ? Search for an exploit and use MSF module to exploit it.
alr
still with the same problem
Stupid question but are you sure you connected to a VPN? And run Nmap scan before launching the tool
yes yes 😀
let me run
pings are working
so It should be good
nmap as well
nmap also good
You have not changed the IP on a second screenshot
hey.. about the docker target
i keep trying to reset and put it on the browser but it always refuses to connect
anyone know why?
Which docker target? Which module? Which section? Which question? ...
oh yeah...
i thought the -action add could be something random...
thank you for the help
getting started, basic tools, optional exercise
but uhm i already got the answer but not from putting it on the browser which i thought it would like that
or maybe im dumb..
wait what 😭 so like the answer for it is SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1 but I got SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u3 from terminal
i cant even open the docker target on the browser
94.237.55.234:34780
can anyone open this
............................. 😵💫
I want to learn cyber security
why are my nmap results totally different with the same command on my own vm vs the modules vm
never mind, i was using different vpn files
i was working on nmap medium lab for 2 hours... then i check that im doing it correctly but the vpn has manipulated my result and it just works with the pwnbox from htb 😄 this was frustrating ..
hello i have an error trying to start apache2 in the module linux fundamentals. it says failed because control process exited with error code. anyone know what to do in this case?
were you provided with an error code? The details matter.
error 212 if i remember correctly
i did some troubleshooting earlier but couldnt figure it out
It's not ringing a bell, usually you get clearer output than that but seeing the full output might help. I'll see if I can fire up that lab and recreate. I haven't gone through that module.
great thank you!
What section are you in, "Working with webservers"? If so it isn't a lab, just on the pwnbox. The question seems to suggest using something other than Apache.
I'm working on the HTTP Attacks module and trying to get RCE via log poisoning, but my payload isn't executing in the /log.php can someone help me with this.
yes working with web services indeed
im just trying to follow and recreate what the module is doing
Can anyone give me nudge for last flag on using crackmapexec module? I have svc_inlaneadm ccaches and i authenticated but i still don't have admin access
think i might have found the problem, thanks!
You good? Took me a bit to figure out what was going on and I've been using apache for ages.
yeah seemed to be a port issue
my first thought was to kill the process running on port 80... but then my pwnbox fell over 🙃
yea i tried that to but didn't work haha
thank you for the help though linux can be tough ive figured out haha
Good deal. Hit #welcome and link your account sometime to get permission for sharing share screen shots
Is it just me or does taking notes significantly increase the time it takes to do these modules. I suppose it is good practice and helps learning. 🙂
Hi im doing XSS module, session hijacking
Im trying to go through what i learned in the module
Im attempting to load the fields with a JS source file on my machine and i run php listener but i dont receive a connection to verify that the field is vulnerable
But its real good stuff and its just gold.
nobody@kali:/tmp$ ls -ln .
drwx------ 2 65534 65534 65536 Nov 11 2021 mount
nobody@kali:/tmp$ id
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
nobody@kali:/tmp$ cd mount
bash: cd: mount: Permission denied
nobody@kali:/tmp$
i tried with root and it works, i could access the folder. but i want to know why i can't access the folder even though i have the same uid as the uid in the file perm
So i can not seem to get any answers out of this question on Introduction to Bash. I have attached screenshot of terminal output. Create a "For" loop that encodes the variable "var" 28 times in "base64". The number of characters in the 28th hash is the value that must be assigned to the "salt" variable.
```
#!/bin/bash
# Decrypt function
function decrypt {
    # Apply all substitution rules
    transformed=$(echo "$hash" | sed 's/988sn1/83unasa/g' |
        sed 's/4d298d/9999/g' |
        sed 's/3i8dqos82/873h4d/g' |
        sed 's/4n9Ls/20X/g' |
        sed 's/912oijs01/i7gg/g' |
        sed 's/k32jx0aa/n391s/g' |
        sed 's/nI72n/YzF1/g' |
        sed 's/82ns71n/2d49/g' |
        sed 's/JGcms1a/zIm12/g' |
        sed 's/MS9/4SIs/g' |
        sed 's/Ymxj00Ims/Uso18/g' |
        sed 's/sSi8Lm/Mit/g' |
        sed 's/9su2n/43n92ka/g' |
        sed 's/ggf3iunds/dn3i8/g' |
        sed 's/uBz/TT0K/g')
    echo "[DEBUG] Transformed base64 hash: $transformed"
    echo "[DEBUG] Decrypting with salt: $salt"
    # Use OpenSSL with correct PBKDF2 and md
    flag=$(echo "$transformed" | gbase64 -d 2>/dev/null | \
        /opt/homebrew/opt/openssl@3/bin/openssl enc -aes-128-cbc -pbkdf2 -md -md5 -d -salt -pass pass:"$salt" 2>/dev/null)
    if [[ -z "$flag" ]]; then
        echo "[x] Decryption failed — trying fallback without pbkdf2"
        flag=$(echo "$transformed" | gbase64 -d 2>/dev/null | \
            /opt/homebrew/opt/openssl@3/bin/openssl enc -aes-128-cbc -md sha256 -d -salt -pass pass:"$salt" 2>/dev/null)
    fi
}
# Initial values
var="9M"
hash="VTJGc2RHVmtYMTl2ZnYyNTdUeERVRnBtQWVGNmFWWVUySG1wTXNmRi9rQT0K"
# Encode 28 times with base64
for i in {1..28}; do
    var=$(echo -n "$var" | gbase64)
done
# Calculate salt as length of final base64 string
salt=$(echo -n "$var" | wc -c)
echo "[*] Salt determined from 28 encodes: $salt"
# Run decrypt if salt is not empty
if [[ -n "$salt" ]]; then
    decrypt
    if [[ -n "$flag" ]]; then
        echo "[✔] Flag: $flag"
    else
        echo "[✘] Still no flag. Check salt, OpenSSL version, or cipher mode."
    fi
else
    echo "[!] Salt not set."
    exit 1
fi
```
```
[*] Salt determined from 28 encodes: 25223
[DEBUG] Transformed base64 hash: VTJGc2RHVmtYMTl2ZnYyNTdUeERVRnBtQWVGNmFWWVUySG1wTXNmRi9rQT0K
[DEBUG] Decrypting with salt: 25223
[x] Decryption failed — trying fallback without pbkdf2
[✘] Still no flag. Check salt, OpenSSL version, or cipher mode.
```
instead of a flag
can someone help me with the module Shells & Payloads - PHP Web Shells?
I have a problem with a Burp, it's not intercepting any events (proxy settings are all set); I tried using both local browser and burp browser but nth works. I noticed that there is an error [9] The client failed to negotiate a TLS connection to 10.129.201.101:443: Received fatal alert: bad_certificate. I remember the module said that sometimes we need to accept PortSwigger Certificate but I don't know where to do it.
I once more checked browser and burp proxy settings, checked certificate and all seem in place. idk what is wrong
Hey everyone, i have a question for the people that finished in Network Enumeration with nmap the module Service enumeration, I have found the flag but I don't know how I have to put it in, maybe somebody can help me, I tried so much but I really dont know.
This is the task: Enumerate all ports and their services. One of the services contains the flag you have to submit as the answer.
I tried it with HTB{........} AND also only the flag text inside the clamp.
http://burpsuite and the upper-right corner should have CA Certificate for you to download. Or you can get it from the burp gui with Proxy Settings > Import / export CA certificate
did you get the flag or can you not reach it?
I get the flag it was HTB{........}, of course it was not points inside, it was a hash
maybe you got the wrong one?
Working through the fundamental modules and they are a real slog. Does it get less sloggy after the fundamentals when flags start actually being used?
whats the difference between HTB academy and HTB
Academy = learn to hack, curated content that teaches
HTB = vulnerable machines to hack. No teaching, just hacking.
so as a beginner to cybersecurity Academy is better?
Probably. HTB is kind of like jumping in the deep end. You can try it and see if you sink or swim. If you sink, then Academy has a ton of good resources to learn.
yeah i was sinking a lot tbf but the modules are confusing like the Linux fundamental where i have to find a student mail
i dont know how to
I just did that one. Check the env variables.
Also searching for hints on this discord server when you get stuck can be helpful. Typically there aren't too many spoilers just nudges to get you un-stuck
ok thanks and would it best for me to learn Linux fundamentals or start another easy module
sorry to be pain but what does env mean?
Linux Fundamentals is a good start module. There is a path called "Information Security Foundations" which is a good starting place as well.
If you type env into the terminal it will print all the currently set environmental variables to STDOUT
No problem
ok thank you so much for the help
You ever get this sorted? Same issue for me. Seems like a whole lot of people are having this issue but i cant seem to find any solutions on it haha
Need help with this question in Using Web Proxies
The directory we found above sets the cookie to the md5 hash of the username, as we can see the md5 cookie in the request for the (guest) user. Visit '/skills/' to get a request with a cookie, then try to use ZAP Fuzzer to fuzz the cookie for different md5 hashed usernames to get the flag. Use the "top-usernames-shortlist.txt" wordlist from Seclists.
I've already fuzzed through all the usernames in the suggested wordlist in both Zap and Burpsuite and still can't manage to get the flag. Been stuck on this for a few hours. Any help would be greatly appreciated.
Nvm was able to figure it out. Was something simple I overlooked.
Hello all, i have a doubt in the Kerberos - Silver Ticket Module. Can someone explain why, after performing a Silver Ticket attack, i cant do a PS Session?
What services/spns did you create tickets for?
cifs
yeah, not the correct service, right?
pssession is http
yeah, so if specify http, it will work as I wanted
Thank you!!!!
yes, thats why you were able to list with dir
hey all stuck on the information gathering - web edition module skills assessment. I got all the questions and just missing question 3. "What is the API key in the hidden admin directory that you have discovered on the target system?"
i believe i found what should be the path based off of subdomain enumeration and checking common web files. when trying to hit that path however i get a 301 redirect to a non-listening port on that same path. my /etc/hosts is correct as i can browse to the site to find the path and attempting that path on the naked domain/other found subdomain yields no results either.
kind of scratching my head what else i can find here
How can I get more spawns for "My workstation"
Did you end your search with / ?
Pay money to htb
Wdym? Buy VIP?
Vip is main platform, not academy, but yes for main platform that'd be it
For academy it's buying any of the subs/any num of cubes
oooof....well thanks...such a silly mistake
It happened to me too, it's so touchy
well TDIL that its common for nginx to rewrite a path appending the "/" however it doesnt preserve a nonstandard port. meaning i never ran into this until now
I'm on my dashboard how exactly do I close the "your chats" UI
good evening hackers, im looking for assistance completing the skills assessment on the introduction to windows command line module. im stuck on user7. is this the right place to ask for assistance, pls advise...
for the last question for DNS footprinting. is the answer only found with brute force?
ok, so im pretty sure i found the flag as it says "The Flag you are looking for is ________________________" (24 characters). however it is not working, pls advise...
Is there really 2 different methods to get RCE Q1 - Intro to Whitebox?? I don't think it is
did you check for appending spaces or spaces before the flag? ( happened to me a lot of times) ;v
By the way who are you ?
He’s a moderator of this server.
And you ?
I am as well.
Means ?
You mean I am at a wrong place ?
Read the channel description
thank you. yes i did, i finally got it!. you have to remove them curly brackets—took me hours to figure it out 😵💫
wow
all good now?
i think so its solved i helped her and she didnt text about the same problem again
Hello all,
I've been stuck at the second flag of the Windows Lateral Movement Skill Assessment for several days.
I found the account password and was also able to access a filtered port, but I can't use this to access anything useful.
Can anyone give me a hint?
yes
do i learn netexec tool in the active directory module by pentester job path?
It does touch in some parts. To learn more about the tool's capabilities you can refer to documentation or there is dedicated module itself called Using CrackMapExec
But i highly recommend checking documentation instead
will the module "using crackmapexec" be updated to "netexec" in future?
It does say in the beginning somewhere that you can also use netexec and all command should work the same
hello, anyone have done the wordpress module?
Netexec is basically just CrackMapExec v2, or whatever you wanna call it. Every method mentioned in that module works with Netexec too. Right now, the community maintains Netexec, while CME is deprecated. If HTB ever updates the module, they might add some of the new features from the latest NXC versions.
ok thx for your answers 🙂
Guys, this question makes me crazy - Create an AVD for 'Pixel 3a API 34 Google APIs' using Android Studio. What is the build number of the device? (Format: build_number, Example: build_number-test) .
I installed Android Studio, but the build number I put in HTB doesn't accept it. How to solve this problem?
Hey wanna Know how hacking works
I dont know
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
currently in the oracle TNS part of the footprinting module - but i can’t install odat, i’ve tried everything, installing packages, git cloning, anyone else have this issue?
what is the error its giving? The way thats shown in the module worked for me, but had to enter it one command at a time
heya, slight bit stuck on FootPrinting SMTP last question
essentially, it wants us to enumerate the users on the SMTP server using a given wordlist. When I ran that wordlist through smtp-enum by pentestmonkey it didnt give me any results
im a bit lost now.
```
----------------------------------------------------------
| Scan Information |
----------------------------------------------------------
Mode ..................... VRFY
Worker Processes ......... 5
Usernames file ........... footprinting-wordlist.txt
Target count ............. 1
Username count ........... 101
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............
######## Scan started at Wed Apr 16 05:56:44 2025 #########
######## Scan completed at Wed Apr 16 05:58:29 2025 #########
0 results.
```
command i tried was sudo ./smtp-user-enum-1.2/smtp-user-enum.pl -M VRFY -U footprinting-wordlist.txt -t <IP>
I had the same issue, where it just wouldn't accept the build number even though everything was correct. I would say you already have the correct nr, but the format you are submitting is not
Read the hint again. Then take a closer look at the software options.
will do
though this wasn't mentioned in the module but thats what helped me solve it, metasploit
payloadbunny is it the delay? is it too quick to scan?
thank you payloadbunny
legend
IPv6 can be used in combination with Invoke-Command
medusa -h 94.237.60.84 -n 21 -u ftpuser -P Downloads/2023-200_most_used_passwords.txt -M ftp -t 5
NOTICE: ftp.mod: failed to connect, port 21 was not open on 94.237.60.84
nmap localhost
Nmap scan report for localhost (127.0.0.1)
Other addresses for localhost (not scanned): ::1
Not shown: 998 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
what am i doing wrong here
(i am doing webservices in the bruteforce module)
i also tried using medusa from the ssh connection, but then i get: ERROR: Thread 5CCA3640: Host: 94.237.53.203 Cannot connect [unreachable], retrying (1 of 3 retries)
ERROR: Thread 5CCA3640: Host: 94.237.53.203 Cannot connect [unreachable], retrying (2 of 3 retries)
ERROR: Thread 5CCA3640: Host: 94.237.53.203 Cannot connect [unreachable], retrying (3 of 3 retries)
could be that FTP isn't exposed externally
Hello all. Im doing the Kerberos Attacks - Skill Assessment, and I have Da... credential, but don't know what to do with it, tried RDP but didn't work. Can someone give a small hint?
sshuser@ng-1642367-loginbfservice-id4yi-bb595f8b8-cdr9s:~$ medusa -h 94.237.53.203 -n 21 -u ftpuser -P 2020-200_most_used_passwords.txt -M ftp -v 5
Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks jmk@foofus.net
ERROR: Thread FDAEF640: Host: 94.237.53.203 Cannot connect [unreachable], retrying (1 of 3 retries)
ERROR: Thread FDAEF640: Host: 94.237.53.203 Cannot connect [unreachable], retrying (2 of 3 retries)
this gives me the same
Which section it is? "What's the content of the file: \DC01\Secret Share\flag.txt?" or which?
Question 2 of the Skill Assessment. I have the credential from the Q1
But question 2 is about which machine has delegation
Right, but i dont know what to do with the creds found in Q1
RDP is not working with that User for every machine
Well enumerate with findDelegation.py to do Q2. For going further, maybe do some default Kerberos attacks (the one which is very popular)
Hi I want to open this file (file vpn ) in the key browser and be able to view it on my parrot machine “Try to find a working XSS payload for the form in the image URL found in ‘/phishing’ on the server above, and then use what you learned in this section to prepare a malicious URL to inject a malicious login form. Next, visit '/phishing/send.php' to send the URL to the victim, and the victim will connect to the malicious login form. If you did everything correctly, you should receive the victim's login credentials, which you can use to log into '/phishing/login.php' and get the flag.” --> Cross-Site Scripting (XSS) --> phishing module
keep getting an error - ./odat.py cannot execute required file not found
Are you in the same directory as it? And have you used chmod +X on the file?
yes
Is there a recommended fundamentals module order before jumping into CBBH and/or CPTS studies? I've gone through "Intro to Academy", "Learning Process", "Network Foundations", and "Introduction to Information Security". Likely going to go with Intro Linux/Windows modules next, but I wasn't sure if there was consensus around an order to take the intro/foundation modules. Thanks for any help/guidance.
see the Information Security Foundations path
Thank you for the guidance! I saw that pop up in the search function, and only now realize it's not the same thing I already took.
Yeah, same here. build_number-test example, all variations with and without test i tried.
Did you ever find a fix for this?
Context: I am on the passwords modules
Part: Pass the Hash
I am having issue with the xfreerdp login with hash
Somehow not able to share the screenshot here
The error is: Account restrictions are preventing this user from signing in.
You need to verify your user first to post pictures.
read and follow #welcome
am I misremembering that there's a location in the pwnbox for persistent storage?
like, across restarts
Here is the error screenshot. Thanks @acoustic owl for the instructions.
This is the challenge I am trying. Here is the URL for the page: https://academy.hackthebox.com/module/147/section/1638
The commands to connect to rdp: xfreerdp3 /u:Administrator /v:10.129.204.23 /pth:30B3783CE2ABF1AF70F77D0660CF3453 /d:ACADEMY-PWATTACKS-LM-MS01
Are you sure you're supposed to /pth?
Yes, that's how you use pass the hash with xfreerdp
Are you sure that's a hash?
I tried this as password. That doesn't work
I tried this pth with evil-winrm. it works
hum, yeah, says password. I can see if I have any notes on that section.
So my initial thought was this has to do with "interactive login" and there's a way you can adjust the system to make RDP work better... since you can access via winrm I'd see what you can do about that through that avenue.
Actually, with evil-winrm. the mimikatz behaves strangely. it just keeps going on like continuous entering of newlines. I tried with cme. but somehow the hashes were not working. So trying rdp as last option.
Is it in a domain? Run cme smb IP and check the domain, you might need to add /d:domain to xfreerdp
The hash doesn't work with CME or xfreerdp but does with Evil-WinRM?
right, no you can fix rdp... I can't find the command r/n but I know it was covered
What I meant to say is I captured hashes using cme, but those didn't work as solution.
The previous question tells you what to do, I believe. Unless you've already done that?
wow, Now I get the importance of reading documentation.
thanks
got it working. thanks man
I want to send the image for a question but I can't
You need to follow the instructions in #welcome
facing the same issue...
Here, in this question, after I have connected to the machine using xfreerdp, I found that there wasn't any browser I can use except Link 2, so, at first, I was shocked, but got used to it, then I searched for the first host (Host -1) and found a default tomcat page, and that was after scanning the host using nmap and I got very valuable info such as the host name, but the main goal for this question was to gain a shell on the target which is windows server and I tried to search for any upload button on the web. After that I found a manager page which needs login credentials, and I tried to search for any creds after trying default passwords but I can't get them. So, what can I do as a next step?
You can open Firefox from the terminal and they give you the creds at the start
But they put it in the hint not as an info, so I am trying to search and bruteforce for logging in
Hello, anyone please?
I'm not sure where to put this but I need help with the "Windows Event Log & Finding Evil: Skill Assessment". I'm stuck on the fourth question which is asking me to find which .exe accessed lsass.exe. Here is my powershell command that I'm running:
Get-WinEvent -Path "C:\Logs\Dump* | Where-Object{$.ID -eq "10"} | Where-Object{$.Message -like "TargetImagelsass.exe"} | Select-Object --SNIP--
Here's the problem: I keep getting an error saying "Maximum number of replacements reached". I can't find a solution online or with AI. Can anyone explain what that error means or why my cmdlet is raising it?
Is it not on the desktop or home folder?
Isn’t it $_.id?
I used Xpath for majority of the powershell log filtering so not sure
It doesn't seem to matter either way. The error always mainly comes when I add the filter for the lsass.exe
It gets events for id 10 just fine
No
Hello I can't figure out this exercise, I've tried using nmap with the -smtp-open-relay and -smtp-enum-users scripts but i'm not getting anywhere, some tips would be appreciated.
Module link: https://academy.hackthebox.com/module/112/section/1072 SMTP (Footprinting)
Exercise Question: "Enumerate the SMTP service even further and find the username that exists on the system. Submit it as the answer."
Did it with -FilterXPath and I finally found it. Thank you!
I found them
Use the standalone tool
?
Smtp-enum
Wireless network in Network Foundations.
bruh
is subscribing and buying the HTB worth it?
it's worth it for the lab exercises
as for the information, it all can be found freely online
Hi, somebody knows why the timestamp in elastic stays 30 days even if I set a custom timer interval? Is it just bugged? Thank you guys
i hate timestamp settings on elastic
Btw im on payloads and shells, skill assessments
Im supposed to RDP to a machine which, is connected to the targets' network
yeah does not work somehow, also removed some other filter and stuff but not sure what is wrong
The problem is, theres no browser on that machine
why you need a browser for rdp?
Inside the machine
I want to surf through the web application
Im supposed to find vulns i need a browser at least
not sure if i get it, but you could forward the http port to your attack host f.e
There should be an easier way
Until someone responds ill curl and view it on my pc
most of the time there are multiple ways to solve a problem 😄
Well it turns out to be an apache welcome page so yeah problem fixed
that would be the time I would start fuzzing on an assessment haha
my bad
if you need relevant lists needed for the question they were on the top of the page to download
not sure if it got changed
I just saw it right as i was looking at it
timestamp works fine for me on the stack
Crawling through web with this method has decreased my age 5 years
Somebody help
I give up
Its late now and ive an exam tomorrow
Yeah I’m not getting zilch whenever I use the wordlist from the module with smtp-user-enum
I remember getting into the same thing
firefox in the terminal
Really needing help with the Zap Scanner section in the Using Web Proxies module. No matter what I do, the HUD doesn't seem to work. Tried it on my kali machine and on the pwnbox. Also can't run any other type of scans outside of Zap either so I'm clueless on what I should do. Even when I try running an active scan on Zap the high level vulnerability we're supposed to find isn't popping up. Any help would be appreciated.
The HUD sucks imo. Make sure you don't have popup blockers on, etc. You can always use the Pwnbox as a backup too.
Well I'm currently trying to do the scan from the pwnbox. Don't have popup blockers or anything on either. Ran the scan multiple times without the HUD and I'm not getting the high level vulnerability we're supposed to find. Is there something else I'm missing?
Was able to figure out through Burp instead. Definitely not a fan of ZAP 😓
I prefer burp, too. ZAP is a mess in my opinion
Hi everyone. I would like to know up to which point is it 'legal' to share your own notes about htb modules? ofc it is not allowed to share the whole information, but what about publishing notes on github or something like that?
Hello, I found that I can't successfully execute some payloads or make requests via burp when I am connected to VPN from my local kali instance. When I am using pwnbox everything works fine. I think there is a VPN issue. Also I found that when I spawn a box, there is IP address assigned starting 83.xx.xx.xx or 94.xx.xx.xx instead of something like 10.10.xx.xx so maybe there is a routing issue. Can someone take a look at this and resolve this issue?
anyone knows why is this happening? [!] Unhandled Rubeus exception:
System.Security.Cryptography.CryptographicException: An error occurred during encode or decode operation.
Anyone do skills assessment for Introduction to Dynamic Analysis with WinDbg?
The public ip portion is normal
Some of the targets are on public docker containers with the given port as the target scope
This is explained in the intro to academy module
@neon ferry this isn't the server for that shit: reach out to telegram support.
I keep joining indian accs and shit
Hacking telegram to get your account back is illegal
We don't help with illegal requests
Not if its urs nope
And this isn't a hacker4hire server
Not how that works
K just nvm
I'm not gonna sit here and break down how it's still Telegram's account, and you're just borrowing the namespace. Hacking an account is still hacking telegram, which is illegal
Something about reading the ToS of websites
so what should I do in case that I can't normally do labs because something blocking by requests (reset by peer error)? Today I tried to finish file upload module and for example sending POST request with file read via SVG not working
Are you utilizing the ip:port?
only pwnbox works fine, but that's not how it should be....
I've had 0 issues using my own machine and vpn
But you don't need the vpn to connect to the public ips
yee I know
so I normally got access to website
I suggest reaching out to support